RSS Analysis Reports from National Cyber Awareness System
Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary
Description
This Malware Analysis Report (MAR) is the result of analytic efforts by the Cybersecurity and Infrastructure Security Agency (CISA) to provide detailed analysis of files associated with HyperBro, a Remote Access Trojan (RAT). CISA obtained HyperBro malware samples during an on-site incident response engagement at a Defense Industrial Base (DIB) Sector organization compromised by advanced persistent threat (APT) actors. CISA analyzed 4 files associated with HyperBro malware. The files create a backdoor program that is capable of uploading and downloading files to and from the system. The RAT is also capable of logging keystrokes and executing commands on the system. For more information on the confirmed compromise, see Joint CSA: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization.
Download the STIX version of this report: MAR-10365227-2.v1 249B

Submitted Files (4)
52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7 (vftrace.dll)
df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348 (msmpeng.exe)
f1a2791eebaea183f399110c9e8ae11c67f5bebf93a5573d1ac3c56fc71b2230 (config.ini)
f2ba8b8aabf73020febd3a925276d52ce88f295537fe57723df714c13f5a8780 (thumb.dat)

IPs (1)
104.168.236.46

Findings

df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348
Tags: loader
Details
Antivirus: No matches found.
YARA Rules: No matches found.
ssdeep Matches: No matches found.
Description
This artifact is a version of vf_host.exe from Viewfinity. The file is used to side-load the malicious dynamic-link library (DLL), vftrace.dll. The program is also capable of bypassing User Account Control (UAC) on the system by disabling Admin Approval Mode in the User Account Control Group Policy under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System. This can allow the malware to run with Admin privileges, or allow remote logon (RDP) with full Admin privileges.

52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7
Tags: trojan
Details
Antivirus
YARA Rules: No matches found.
ssdeep Matches: No matches found.
Description
This DLL is side-loaded by df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348, detailed in this report. When the DLL is executed it will create a Globally Unique Identifier (GUID) to identify the system to the command and control (C2) server during communication. The GUID is written to a file called 'Config.ini' and placed in the current directory. The program will decrypt and read a configuration file called 'thumb.dat' that instructs it to spawn a new instance of the Service Host Process (svchost.exe) and inject itself into the new instance. Svchost.exe is run with the -k netsvcs parameter to allow the malware to connect to its C2. The malware collects the following information to send to the C2 via POST when establishing a connection.

---Begin Collected Information---

During analysis, the malware attempted to connect to the Uniform Resource Identifier (URI) hxxps[:]//104.168.236.46/api/v2/ajax using the fixed User-Agent string Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36. To achieve persistence on the system, the program creates a service in the registry called ‘Windows Defenders Service’ that starts automatically when the user logs on.

---Begin Registry Settings---

It may also create an autorun entry in the registry at HKLM\Software\Microsoft\Windows\CurrentVersion\Run. The malware creates a hidden folder called ‘windefenders’ in the path C:\Program Files (x86)\Common Files, where it copies the PE file ‘msmpeng.exe’ along with the GUID file ‘config.ini’, the malicious library ‘vftrace.dll’, and the encrypted configuration file ‘thumb.dat’. A second hidden folder called ‘windefenders’ is also created in the path C:\ProgramData. This folder holds another instance of the PE file. The program is capable of logging keystrokes, uploading and downloading files, and will also invoke RpcServerListen to wait for incoming Remote Procedure Call (RPC) connections.
It will also open a pipe called ‘\Device\NamedPipe\testpipe’ that it uses to pass commands from its daemon to any worker processes it may set up.

104.168.236.46
Tags: command-and-control
Whois
Domain Name: HOSTWINDSDNS.COM
Description
During analysis, the file vftrace.dll attempted to connect to this domain.

f1a2791eebaea183f399110c9e8ae11c67f5bebf93a5573d1ac3c56fc71b2230
Details
Antivirus: No matches found.
YARA Rules: No matches found.
ssdeep Matches: No matches found.
Description
This artifact contains a GUID that is generated by the malware to uniquely identify the system during communication with the C2.

f2ba8b8aabf73020febd3a925276d52ce88f295537fe57723df714c13f5a8780
Tags: backdoor, keylogger
Details
Antivirus: No matches found.
YARA Rules: No matches found.
ssdeep Matches: No matches found.
Description
This artifact is the encrypted configuration data that is read by 52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7, detailed in this report. The decrypted strings in the configuration are listed below:

---Begin Decrypted Strings---
---End Decrypted Strings---

This configuration allows the malware to connect to its C2, create persistence on the system, log keystrokes and telemetry data, and execute commands from the command line.
Conclusion
The following MITRE ATT&CK tactics and techniques were observed during analysis of these samples.

T1543.003 Persistence: Create or Modify System Process. Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg.

T1574.002 Hijack Execution Flow: DLL Side-Loading. Adversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).

T1567.000 Exfiltration: Exfiltration Over Web Service. Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

T1560.000 Collection: Archive Collected Data. An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
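The C2 beacon described in the findings for vftrace.dll (POST to the fixed URI on 104.168.236.46 with a hard-coded, outdated Chrome/34 User-Agent) can be matched against web-proxy logs. The following detector is an added example written for this page, not code from the report or from CISA; the log line layout and the sample lines are constructed here, and the scoring rule (flag on the known IP, or on the URI path plus the User-Agent together, so a re-hosted C2 with the same beacon shape is still caught) is an assumption of this example.

```python
import re
from dataclasses import dataclass

# Network indicators taken from the MAR findings for vftrace.dll (HyperBro).
C2_IP = "104.168.236.46"
C2_PATH = "/api/v2/ajax"
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36")

# Assumed proxy log layout (constructed for this example, not from the report):
# <timestamp> <src_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')

@dataclass
class Hit:
    src: str          # internal host that sent the request
    url: str          # full URL it requested
    reasons: tuple    # which indicators matched

def check_line(line: str):
    """Return a Hit when the line matches the HyperBro C2 indicators, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None                                  # unparseable line: skip
    host, _, path = re.sub(r'^[a-z]+://', '', m['url']).partition('/')
    path = '/' + path                                # normalise "" to "/"
    reasons = []
    if host == C2_IP:
        reasons.append("dest-ip")                    # the known C2 address
    if m['ua'] == C2_USER_AGENT:
        reasons.append("user-agent")                 # hard-coded UA string
    if path == C2_PATH and m['method'] == 'POST':
        reasons.append("post-uri")                   # beacon endpoint shape
    # A lone UA or URI match is weak; require the IP itself or two signals.
    if "dest-ip" in reasons or len(reasons) >= 2:
        return Hit(m['src'], m['url'], tuple(reasons))
    return None

def scan(lines):
    """Run check_line over an iterable of log lines and collect the hits."""
    return [h for h in (check_line(l) for l in lines) if h]

# Constructed sample proxy lines (not real traffic from the engagement).
SAMPLE_LOG = [
    '2022-09-01T10:00:01Z 10.0.0.5 POST https://104.168.236.46/api/v2/ajax 200 "' + C2_USER_AGENT + '"',
    '2022-09-01T10:00:02Z 10.0.0.7 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/105.0 Safari/537.36"',
    '2022-09-01T10:00:03Z 10.0.0.9 POST https://203.0.113.9/api/v2/ajax 200 "' + C2_USER_AGENT + '"',
]
```

Run `scan(SAMPLE_LOG)` to see the first and third lines flagged; the third shows the rule firing on beacon shape alone when the C2 address differs.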
Recommendations
CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information
CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ
What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or the CISA Service Desk.
Can I submit malware to CISA? Malware samples can be submitted via three methods:
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.
Initial Publication: September 29, 2022