TA551 Targeted Malicious Campaign Breakdown

UPDATE: Menlo Labs would like to clarify that the original analysis for this work was conducted in November 2021. During this time the TTPs mentioned in this article were being associated to TA551. Other examples of analysis during this time was conducted by SANS – which can be found in its Internet Storm Center both here and here. We are aware that in 2022 some of these same TTPs are being linked to TA578. Recent analysis pointing to this has been conducted by Palo Alto's Unit42. We're continuing to monitor both threat actors to establish clear attribution.

Executive Summary

Menlo Labs is tracking a new targeted campaign from threat group TA551. TA551 is a financially motivated criminal threat group that is said to have been operating a malware distribution service since about 2016. It appears that this group puts some focus on the recon phase of their attack, based on their phishing attack methods. The group has been leveraging the Sliver malware in targeted attacks. Because the malicious payload is served from a well-known cloud storage provider, it is able to evade malicious link analysis. Thus, the team classifies this campaign as a Highly Evasive Adaptive Threat (HEAT).

To date, Menlo Labs has prevented two attempts to use Sliver to infect a victim. The first attack was part of the TA551 “Stolen Images Evidence” phishing campaign, and the second attack was part of their fake “Client Proposal” campaign.

Sliver malware is a Red Team and adversary simulation framework being used by TA551 to push malicious payloads. TA551 has previously distributed malware payloads that include Ursnif, IcedID, Qbot, and Emotet. TA551 has been known to use these threats, tactics, and procedures (TTPs) to ultimately deliver ransomware to its victims.

Stolen Images Evidence phishing campaign

In this first attack, TA551 sends emails that are generated through contact forms on various websites. These contact forms allow site visitors to communicate with the company, mostly removing the need to use an email address. TA551 is leveraging these forms, which in some cases are on the victim’s own infrastructure, along with using legitimate Google Drive links. This allows them to bypass protections, making this threat highly evasive.

These form-submitted emails include a malicious Google Drive link in the message body. The email misleads the user into clicking the link by suggesting they will receive proof of stolen images that resulted in a copyright violation. However, clicking the link delivers a zipped JavaScript file that downloads a malicious Windows .dll.

Client Proposal campaign

In the second attack, TA551 sends two different emails. The first email from the attacker is meant to look like a potential new client inquiry. Based on our assessment, this email is used to validate that the targeted inbox is monitored. Once confirmed (by the victim responding to the email), the attacker sends another email with a subject line that reads “(USERNAME) sent you files (project details) with TransferNow.” This campaign then sends an email to the victim that includes a malicious link in the message body. The email misleads the user into clicking the link by suggesting a potential client has sent them project information. However, clicking the link delivers a malicious ISO file that contains a malicious shortcut LNK file and a malicious .dll.

Infection Vector

Stolen Images Evidence attack

1. Attackers are sending a malicious link via email that appears to be a shared Google file/drive.
2. The email subjects are “Stolen Images Evidence,” “Critical Errors Report,” and “Alert: Contact Us Form Submission.”
3. When users click the link, it takes them to a fake Google Drive landing page. When the user lands on this page, they are presented with an image of the Google Drive logo and a link to download the shared file.
4. Clicking on the Download button downloads a malicious .zip file that contains a malicious JavaScript file inside.
5. If the user runs the script, it will download a malicious .dll and run it.
6. The .dll is 10.06MB and will be saved to “AppData\Local\Temp\riuQtga.dat” (Qxioyfdvub.dll).
7. The malicious .dll will make a C2 connection.
8. While there was no apparent sign of persistence (rebooting the computer ended this infection), if the computer is left running, the attacker could use the malware to download more malware and establish or maintain a presence in the victim’s environment.

Client Proposal attack

1. The attackers are impersonating Saudi Aramco’s American branch by sending out spoofed emails claiming to want to have a product consultation.
2. Inspection of the email header reveals the true email is coming from a “porkbun[.]com” domain.
3. After the victim responds to the initial request, attackers send a malicious link via email that appears to be a shared file.
4. The email subject is “(USERNAME) sent you files (project details) with TransferNow.”
5. When the victim clicks the link, it takes them to a download file landing page.
6. Clicking on the download button downloads a malicious .iso file that contains a malicious .lnk file and a malicious .dll (store.dll).
7. If the victim double-clicks the shortcut .lnk file or runs the .iso file, this will cause the malicious .dll file to run.
8. The malicious .dll is named “Store.dll” and the export that is loaded to run it is “StoreApp.”
9. The .dll is 10.06MB and may be installed in the “C:\programdata\” file location.
10. When run, the file will attempt to connect to a C2.

Technical Analysis

We will now take a further look into the Sliver malware by comparing both malicious .dll samples used in these attacks. The first thing we noticed was the files’ similarity in size. The second thing we noticed was that both samples use the entry point listed as export, ordinal 1. The rest of the exports appeared to be randomized. We assess the large number of them to be an anti-analysis tactic.

Second, we looked at the way the files were “packed.” We assess this to be a custom packer. Both files appear to use XOR encryption in lieu of a common packer. The XOR key is not hardcoded. Below is a screenshot of the main unXOR loops. After this, you will be able to see Golang references.

Each file goes through the same unpacking mechanism before getting to the payload. Once the file is at the payload, you can see all of the mentions of the Sliver framework. We assess that the biggest differences in these payloads were the URL callouts. Otherwise, we found the “unpacking” routine to be fairly identical.

When we examined the networking information from both files, we noticed the following:

• Both used port 443.
• Both used the same Autonomous System Label:
• LEASEWEB-USA
• Both had the same URL paths:
• /bootstrap.min.js?_=(#ID)
• /js/bootstrap.min.js?_=(#ID)
• /dist/underscore.min.js?_=(#ID)
• /js/jquery.min.js?_=(#ID)
• /jquery.min.js?_=(#ID)

Conclusion

TA551 may continue to conduct targeted attacks against the known victim, and Menlo Labs will continue to monitor the situation. At this time, all attacks have been blocked, and we used this opportunity to share our findings with the community.

This entire chain of infection appeared to be highly evasive, and we assess that TA551 will likely continue to use this custom packer and Sliver malware because it has had low and more slowly increasing detection rates on VirusTotal (able to avoid AV detections) compared with previously used malware.

Further, we assess that TA551 will likely continue to use the victims’ own infrastructure to assist in attacks.

IOCS

FILE HASHES:

lnk: AD2908988CB585D6FB1DC583C8F943C5BF5B4CEDD4B4BC90FD56C3FBBCD0A3CC

store.dll: ACF838CF0FE15C20F3321EEA5156E74410376542C17B22A194798CD0E054BF5D

iso: EB83CD63B575E15173D7F117D2A890982A536D4E641AFDF52720AD00983A047F

Qxioyfdvub.dll: 60a83accaa83f6db250a3529a12e916b8f1e61d3ade506fa79aa9cc3d360db21

Stolen Images Evidence.js: 4894d2c2635f5186c8ca3ab79cdb6235f805e9e0ca056c5c53d70b782a92f5c3

LANDING PAGES:

1. hxxps[://]www[.]transfernow[.]net/en/dltransfer?utm_source=20211112J294PIlV&utm_medium=FjaYmYdy
2. hxxps://storage.googleapis.com/m4b38h10cm38.appspot.com/gdrive/folders/0/public/d/490vfj4nvbf984.html?s=592801411871709187
3. hxxps://storage.googleapis.com/m4b38h10cm38.appspot.com/gdrive/folders/0/public/d/49dfjn49vfjm.html?id=906799687552139923
4. Malicious domain called by the above Google URLS:
5. 104.21.91[.]115 - bacionera[.]top

Stolen Images Evidence.js traffic:

104.21.65[.]22 - sobolpand[.]top/333g100/index.php

104.21.65[.]22 - sobolpand[.]top/333g100/main.php

Qxioyfdvub.dll C2:

23.81.246[.]193 - nopogew[.]com:443:443 - GET /sample.txt?_=24307128

23.81.246[.]193 - nopogew[.]com:443 - GET /info.txt?_=43639523

23.81.246[.]193 - nopogew[.]com:443 - POST /admin/login.jsp?_=34297139

23.81.246[.]193 - nopogew[.]com:443 - GET /underscore.min.js?_=14130295

23.81.246[.]193 - nopogew[.]com:443 - POST /rest/login.php?_=29759540

23.81.246[.]193 - nopogew[.]com:443 - GET /static/underscore.min.js?_=34644478

23.81.246[.]193 - nopogew[.]com:443 - GET /js/underscore.min.js?_=429465

23.81.246[.]193 - nopogew[.]com:443 - GET /underscore.min.js?_=42953899

23.81.246[.]193 - nopogew[.]com:443 - GET /jquery.min.js?_=98185060

23.81.246[.]193 - nopogew[.]com:443 - GET /static/underscore.min.js?_=92424842

23.81.246[.]193 - nopogew[.]com:443 - GET /dist/underscore.min.js?_=99992372

23.81.246[.]193 - nopogew[.]com:443 - GET /js/underscore.min.js?_=83694471

23.81.246[.]193 - nopogew[.]com:443 - GET /bootstrap.min.js?_=23925416

23.81.246[.]193 - nopogew[.]com:443 - GET /jquery.min.js?_=69790205

23.81.246[.]193 - nopogew[.]com:443 - GET /underscore.min.js?_=66973448

23.81.246[.]193 - nopogew[.]com:443 - GET /static/bootstrap.min.js?_=16343884

23.81.246[.]193 - nopogew[.]com:443 - GET /dist/bootstrap.min.js?_=66112726

STORE DLL C2:

172.241.27[.]209 - hxxps[://]kirute[.]com:443 - GET /bootstrap.min.js?_=12990835

172.241.27[.]209 - hxxps[://]kirute[.]com:443 - GET /js/bootstrap.min.js?_=25686874

172.241.27[.]209 - hxxps[://]kirute[.]com:443 - GET /dist/underscore.min.js?_=77257874

172.241.27[.]209 - hxxps[://]kirute[.]com:443 - GET /js/jquery.min.js?_=61206031

172.241.27[.]209 - hxxps[://]kirute[.]com:443 - GET /jquery.min.js?_=57202607

EMAIL:

abdul.jabbar@porkbun[.]com