In early November, we identified a new variant of the sLoad downloader delivering Ramnit malware. sLoad is a sophisticated PowerShell downloader, usually delivered in the form of an LNK file. It is known to perform different fingerprinting actions, such as geofencing, allowing the attackers to choose targets of interest for the payloads of their choice.
The campaign we analyzed contains a few interesting technical features that were not part of the sLoad downloader before. The main and most interesting feature is the embedding of part of the PowerShell code in the parent ZIP file itself. That feature makes it impossible to run the malware separately from the parent ZIP, which is how most sandbox tools operate today.
Stage 1 - ZIP File
The first stage of the attack consists of a ZIP file with 3 files archived inside of it: 2 PNG files and 1 LNK file.
In the picture below, we can see the ZIP's end-of-file. Right after the end-of-file, we see the PowerShell code the script uses.
In this code, we see that the PowerShell script uses the bitsadmin program to access the URL artisbond[.]org/arti/bond.
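The detection point here is that a valid ZIP archive ends with its end-of-central-directory record (plus an optional comment), so any bytes after that boundary are an overlay the archive tools never extract. The following added example (our own code, not from the campaign or any vendor) builds a constructed ZIP with two PNG placeholders and an LNK placeholder, appends a benign marker string standing in for the script, and shows how to locate the true end of the archive and inspect whatever follows it; the domain and file names are made up.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory signature
EOCD_FIXED_LEN = 22        # fixed part of the record, before the comment

def find_zip_end(data: bytes) -> int:
    """Return the offset just past the EOCD record and its comment, i.e.
    where a well-formed archive should end. Scans backwards for a record
    whose central-directory fields are consistent, so a signature that
    happens to appear inside the overlay is skipped."""
    pos = data.rfind(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_FIXED_LEN <= len(data):
            # offsets 12..21: cd_size(4) cd_offset(4) comment_len(2), little-endian
            cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, pos + 12)
            end = pos + EOCD_FIXED_LEN + comment_len
            # the central directory must sit immediately before the EOCD record
            if cd_offset + cd_size == pos and end <= len(data):
                return end
        pos = data.rfind(EOCD_SIG, 0, pos)
    raise ValueError("no consistent end-of-central-directory record found")

def trailing_data(data: bytes) -> bytes:
    """Bytes appended after the archive's legitimate end (empty if none)."""
    return data[find_zip_end(data):]

def scan_overlay(data: bytes) -> dict:
    """Report overlay size and which script-related keywords it contains."""
    overlay = trailing_data(data).decode("latin-1").lower()
    keywords = ("powershell", "bitsadmin", "invoke-expression")
    return {"overlay_size": len(overlay),
            "markers": [k for k in keywords if k in overlay]}

def build_sample():
    """Constructed test input: a clean ZIP and the same ZIP with an overlay."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("image1.png", b"\x89PNG\r\n\x1a\n")    # placeholder PNG header
        zf.writestr("image2.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("document.lnk", b"L\x00\x00\x00")      # placeholder, not a real LNK
    clean = buf.getvalue()
    # constructed stand-in for the appended script; a marker string only
    overlay = b"# powershell marker text, uses bitsadmin, constructed for this example\r\n"
    return clean, clean + overlay
```

Because the ZIP format tolerates trailing bytes, `zipfile.is_zipfile` still accepts the tainted sample and extraction yields only the three inner files, which is exactly why a sandbox that detonates the LNK alone never sees the appended code.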
Stage 2 - Downloaded PowerShell Script Execution
From this URL, another PowerShell script is downloaded. This time it checks for the existence of monitoring tools such as windbg, tcpdump, etc., and kills those processes.
After stopping the monitoring processes, it creates a directory in AppData named after the computer's UUID. The PowerShell script then drops the payload files (two INI files, a VBS file, and a PS1 file), which were hidden, obfuscated, inside of it. Before finishing its run, the PowerShell script disables scheduled tasks related to OneDrive and creates its own scheduled task, named "AppRunLog".
The initial file analyzed in this campaign was a ZIP file containing 2 PNG files and 1 LNK file.
We began analyzing the files, domains, and IPs related to this sample and discovered a wide infrastructure, containing a variety of campaigns with attributes similar to our campaign, over the last several months.
We used the VirusTotal Graph feature to map the connections between the different campaigns.
In the graph above, we can identify 2 IP addresses that are related to all samples:
Looking at the indicators of the attack, it seems to be related to a campaign covered by Proofpoint.
The Proofpoint analysis focused on an LNK sample that parses a PowerShell script starting from the LNK's end-of-file.
In our sample, we saw that the PowerShell script is parsed from the ZIP's end-of-file, which is the main difference between these campaigns.