UPDATE: Menlo Labs would like to clarify that the original analysis for this work was conducted in November 2021. At that time the TTPs described in this article were being associated with TA551. Other analyses from the same period were published by SANS, which can be found in its Internet Storm Center both here and here. We are aware that in 2022 some of these same TTPs are being linked to TA578; recent analysis pointing to this has been conducted by Palo Alto’s Unit42. We are continuing to monitor both threat actors to establish clear attribution.
Menlo Labs is tracking a new targeted campaign from threat group TA551. TA551 is a financially motivated criminal threat group that is said to have been operating a malware distribution service since about 2016. Based on its phishing methods, the group appears to invest in the reconnaissance phase of its attacks. The group has been leveraging the Sliver malware in targeted attacks. Because the malicious payload is served from a well-known cloud storage provider, it is able to evade malicious link analysis. Thus, the team classifies this campaign as a Highly Evasive Adaptive Threat (HEAT).
To date, Menlo Labs has prevented two attempts to use Sliver to infect a victim. The first attack was part of the TA551 “Stolen Images Evidence” phishing campaign, and the second attack was part of their fake “Client Proposal” campaign.
Sliver malware is a Red Team and adversary simulation framework being used by TA551 to push malicious payloads. TA551 has previously distributed malware payloads that include Ursnif, IcedID, Qbot, and Emotet. TA551 has been known to use these tactics, techniques, and procedures (TTPs) to ultimately deliver ransomware to its victims.
In this first attack, TA551 sends emails that are generated through contact forms on various websites. These contact forms allow site visitors to communicate with the company, mostly removing the need to use an email address. TA551 is leveraging these forms, which in some cases are on the victim’s own infrastructure, along with using legitimate Google Drive links. This allows them to bypass protections, making this threat highly evasive.
In the second attack, TA551 sends two different emails. The first email from the attacker is meant to look like a potential new client inquiry. Based on our assessment, this email is used to validate that the targeted inbox is monitored. Once confirmed (by the victim responding to the email), the attacker sends a second email with a subject line that reads “(USERNAME) sent you files (project details) with TransferNow.” This second email includes a malicious link in the message body and misleads the user into clicking it by suggesting a potential client has sent them project information. Clicking the link delivers a malicious ISO file that contains a malicious shortcut LNK file and a malicious .dll.
We will now take a further look into the Sliver malware by comparing both malicious .dll samples used in these attacks. The first thing we noticed was the files’ similarity in size. The second thing we noticed was that both samples list their entry point as export ordinal 1, while the remaining exports appear to be randomized. We assess the large number of them to be an anti-analysis tactic.
Next, we looked at the way the files were “packed.” We assess this to be a custom packer. Both files use XOR encryption in lieu of a common packer, and the XOR key is not hardcoded. Below is a screenshot of the main unXOR loops; once they complete, Golang references become visible.
Each file goes through the same unpacking mechanism before getting to the payload. Once the file is at the payload, you can see all of the mentions of the Sliver framework. We assess that the biggest difference between these payloads is the URL callouts; otherwise, we found the “unpacking” routine to be nearly identical.
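Because the packer stores no key alongside the payload, an analyst has to derive it before the Golang and Sliver strings become visible. The following is an added example (not Menlo Labs’ tooling) of one way to do that: slide a known-plaintext crib over the packed blob, look for a periodic key stream, and confirm the result with the PE “MZ” signature. The crib (the standard DOS stub message), the marker strings and the packed sample are constructed assumptions, not artifacts from these attacks.

```python
from itertools import cycle

DOS_STUB_MSG = b"This program cannot be run in DOS mode."  # crib: standard DOS stub text (assumed present)
MAX_KEY_LEN = 16

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR; the same operation packs and unpacks."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(blob: bytes, crib: bytes = DOS_STUB_MSG, max_len: int = MAX_KEY_LEN):
    """Slide the crib over the packed blob. Wherever the implied key stream is
    periodic, align that period to offset 0 and accept it only if the unpacked
    image starts with the PE 'MZ' signature. Returns (key, unpacked) or None."""
    for off in range(len(blob) - len(crib) + 1):
        stream = bytes(c ^ p for c, p in zip(blob[off:off + len(crib)], crib))
        for klen in range(1, max_len + 1):
            if 2 * klen > len(stream):  # need at least two full periods to trust a match
                break
            if any(stream[i] != stream[i % klen] for i in range(klen, len(stream))):
                continue
            # stream[j] == key[(off + j) % klen], so rotate the fragment back to offset 0
            key = bytes(stream[(i - off) % klen] for i in range(klen))
            unpacked = xor_bytes(blob, key)
            if unpacked[:2] == b"MZ":
                return key, unpacked
    return None

def golang_markers(unpacked: bytes):
    """Strings an analyst expects to surface once the XOR layer is removed (assumed markers)."""
    return [m.decode() for m in (b"Go build ID:", b"runtime.main", b"sliver") if m in unpacked]

# --- constructed stand-in for a packed sample; not a real TA551 artifact ---------------
def build_sample_blob(key: bytes) -> bytes:
    header = b"MZ\x90\x00" + b"\x00" * 0x4A + DOS_STUB_MSG + b"\r\r\n$"  # stub text at 0x4E
    body = (b"\x00" * 64 + b'Go build ID: "constructed"' + b"\x00" * 16
            + b"runtime.main\x00sliver")
    return xor_bytes(header + body, key)

if __name__ == "__main__":
    blob = build_sample_blob(b"\x5a\x13\xc7\x88\x21")  # the key itself is not stored in the blob
    result = recover_key(blob)
    if result is not None:
        key, unpacked = result
        print("recovered key:", key.hex(), "markers:", golang_markers(unpacked))
```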
When we examined the networking information from both files, we noticed the following:
TA551 may continue to conduct targeted attacks against the known victim, and Menlo Labs will continue to monitor the situation. At this time, all attacks have been blocked, and we used this opportunity to share our findings with the community.
This entire chain of infection appeared to be highly evasive, and we assess that TA551 will likely continue to use this custom packer and Sliver malware because its detection rate on VirusTotal has been low and has risen more slowly than that of the malware the group used previously, allowing it to avoid AV detection.
Further, we assess that TA551 will likely continue to use the victims’ own infrastructure to assist in attacks.
Stolen Images Evidence.js: 4894d2c2635f5186c8ca3ab79cdb6235f805e9e0ca056c5c53d70b782a92f5c3
Stolen Images Evidence.js traffic:
STORE DLL C2:
Menlo Labs on Jun 10, 2022