Keylogger and Gh0st RAT Variant deployed to spy on Users
Threat actors (TAs) have been relentlessly employing diverse techniques to propagate malware by leveraging counterfeit websites of renowned applications. Cyble Research and Intelligence Labs (CRIL) reported on a trojanized version of Telegram specifically aimed at Chinese users. Telegram is a widely used application, and due to its unavailability in China, TAs exploit this condition to deceive users by providing fake Chinese-language versions of the software.
Recently, CRIL found a phishing site, hxxps://telagarm[.]top, spreading a malicious Telegram installer. We believe that this installer targets Chinese users, as the default language used in the installer is Chinese.
The figure below shows the phishing site.
Figure 1 – Phishing Site
This sophisticated malware operates through multiple stages and employs advanced evasion techniques to avoid detection. Unlike typical downloaders that directly fetch payloads, this downloader, used in the current campaign, follows a sequence of requests to obtain the URL for the final stage. The ultimate payload, in turn, utilizes a combination of techniques, including process injection, DLL sideloading, and encrypted shell code, to achieve execution.
While investigating this campaign, we found evidence linking it to the same Threat Actor (TA) behind the SiMay RAT attacks in 2022. The TA uses an updated version of the downloader and final stage payloads in this campaign.
Technical Analysis
This phishing site is distributing a malicious installer file in the form of a .msi file. The language used by default in the installer file (SHA256: 8013a2e9bde9dcfd3f49cc09d5842ad55d21962d7a1216897121ff4d0f344558) is Chinese, suggesting that the TA could be targeting Chinese-speaking users. This installer disguises itself as a legitimate Telegram file while simultaneously dropping and executing a downloader file in the background.
The figure below shows the installer window.
Figure 2 – Installer User Interface
The .msi file contains two distinct files. The first file (iii.exe) is a malicious downloader that fetches and executes the next-stage payloads. The installer drops this file in the “Documents” folder.
The second file (tsetupx64.4.8.3.exe) is a seemingly legitimate Telegram setup, which appears to be the installation package for the popular messaging application Telegram. This is meant to deceive users into thinking they are downloading and installing authentic Telegram software.
The figure below shows the content of the .msi file.
Figure 3 – Files Contained in Installer File
The figure below shows the process tree.
Figure 4 – Process Tree
Downloader
The downloader file (SHA256: 17c2faa7d7e5ecefd6f33a991cd60e9c033b589dd27023bb820cb4ba52ba0c5c) is a 32-bit executable targeting the Windows operating system.
The figure below shows the file details.
Figure 5 – File Details
Upon execution, the downloader connects to the IP address “59.111.183.194”, which belongs to a Chinese cloud service provider.
The figure below shows the network TCP requests made by the downloader.
Figure 6 – TCP Requests
Using the InternetReadFile() function, this malware fetches the content from a specific URL: “hxxps[:]//”. The content retrieved from this URL is then loaded into a buffer, as shown in the figure below.
Figure 7 – Fetching JSON Data
The content mentioned above is in the form of a JSON object. An analysis of this response identified an email address associated with the threat actor (TA). Delving deeper into the investigation, we found that the same email address was previously linked to a TA mentioned in a report released by K7 researchers in 2022.
Drawing connections from this discovery, it is suspected that the identical TA responsible for the SiMay RAT attacks reported in 2022 is the one executing these current attacks.
The sharetime mentioned in the JSON data, “1685768121180,” resolves to “June 3, 2023,” suggesting that the threat actor (TA) has restarted their attack campaign. In the previous campaign, the share was activated in 2021.
The figure below shows the email ID present in the JSON object.
Figure 8 – TA Profile
This downloader utilizes the key values obtained from the previously fetched JSON object to construct URLs for upcoming requests. Now it retrieves content from the URL:
hxxps[:]//note.youdao[.]com/yws/public/notebook/9fa9db02d7c790b6f9709e3b1605c6cc/subdir/WEB400eaebc293ddb0f58dcafa44f8b74c2
The fetched content is in the form of another JSON object, as shown in the figure below. This JSON object contains crucial details regarding “.dat” files, which are scheduled to be downloaded in the next step of the process.
Figure 9 – Fetch Details of .dat files
The TA has hosted three “.dat” files on hxxps://note.youdao[.]com/ynoteshare/index.html?id=9fa9db02d7c790b6f9709e3b1605c6cc&type=notebook&_time=1686584769284. These .dat files contain a Base64-encoded URL and other details related to the next-stage payload. The “.dat” files are named “DU” followed by an underscore and a number.
The figure below shows the “.dat” files.
Figure 10 – .dat files
Now this downloader downloads the “DU_3.dat” file from “hxxps://note.youdao[.]com/yws/api/personal/file/WEB7645e55f5ee27c0802c56881c4c5f356?method=download&shareKey=9fa9db02d7c790b6f9709e3b1605c6cc”
The downloader creates a folder under the “C:\Users\Public\Music” directory with a random 6-character name made up of alphanumeric characters and the underscore.
After creating the folder, it saves the “DU_3.dat” file in this folder and sets the file’s attributes to hidden. The “CreateFileA” function is called for this purpose.
Figure 11 – CreateFileA
The figure below shows the Base64 decoded content of the “DU_3.dat” file. It contains the URL for the next stage, the name of the payload, and the name of the directory to save the payload.
Figure 12 – Decoded Content of .dat File
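A hunting script for the drop artefacts described above: a 6-character folder under C:\Users\Public\Music holding hidden DU_&lt;n&gt;.dat files whose Base64-decoded body carries a next-stage URL. This is an added example, not code from the Cyble analysis; since the page does not spell out the decoded layout, the script only extracts URLs from the decoded text, and the sample .dat content it is tested with is constructed. It also converts the JSON “sharetime” value quoted earlier (epoch milliseconds) to a UTC date.

```python
"""Hunt for the Telegram-downloader drop artefacts: a 6-char [A-Za-z0-9_]
folder under C:\\Users\\Public\\Music with hidden DU_<n>.dat files whose
Base64-decoded body contains the next-stage URL (assumed format, see lead-in)."""
import base64
import re
import stat
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

DIR_RE = re.compile(r"^[A-Za-z0-9_]{6}$")          # random 6-char folder name
DAT_RE = re.compile(r"^DU_\d+\.dat$", re.IGNORECASE)  # DU_<number>.dat
URL_RE = re.compile(r"https?://[^\s\"'<>]+")         # URLs in decoded text


def is_hidden(path: Path) -> bool:
    """True if the file carries the Windows hidden attribute (always False off Windows)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def decode_dat(data: bytes) -> Optional[str]:
    """Strict Base64-decode of a .dat body; None if the body is not valid Base64."""
    try:
        return base64.b64decode(data.strip(), validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(music_dir: str) -> list:
    """Return one finding dict per DU_<n>.dat found in a 6-char folder under music_dir."""
    findings = []
    root = Path(music_dir)
    if not root.is_dir():
        return findings
    for sub in root.iterdir():
        if not (sub.is_dir() and DIR_RE.match(sub.name)):
            continue
        for f in sub.iterdir():
            if not (f.is_file() and DAT_RE.match(f.name)):
                continue
            text = decode_dat(f.read_bytes())
            urls = URL_RE.findall(text) if text else []
            findings.append({"path": str(f), "hidden": is_hidden(f), "urls": urls})
    return findings


def share_time(ms: int) -> str:
    """Convert the JSON 'sharetime' epoch-milliseconds value to a UTC date string."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d")


if __name__ == "__main__":
    for hit in hunt(r"C:\Users\Public\Music"):
        print(hit["path"], "hidden" if hit["hidden"] else "visible", hit["urls"])
    print(share_time(1685768121180))  # → 2023-06-03
```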
After analyzing all the “.dat” files shown in the figure above, we found that each of them points to a different URL, as highlighted in the figure below:
.dat file: hxxps[:]//note.youdao[.]com/ynoteshare/index.html?id=d04da3da6f8f011be18e9fe893ed2cfb&type=notebook&_time=1688618867666
.dat file: hxxps[:]//note.youdao[.]com/ynoteshare/index.html?id=164394dd79b3bea74a76eb8e95976513&type=notebook&_time=1687346123857
.dat file: hxxps[:]//note.youdao[.]com/ynoteshare/index.html?id=9f3f644a14316db6b64924e92a813e15&type=notebook&_time=1685772858275
Figure 13 – Links Referred by all .dat files
Now, the downloader performs requests in a manner similar to how it downloaded the “.dat” file. It initiates the process by making a request to the following URL:
hxxps://note.youdao[.]com/yws/api/personal/share?method=get&shareKey=d04da3da6f8f011be18e9fe893ed2cfb
The content received from this initial URL is then utilized to form the URL for the next request, as highlighted in the figure below. It makes a request to the following URL to fetch details of files hosted on the server.
hxxps://note.youdao[.]com/yws/public/notebook/d04da3da6f8f011be18e9fe893ed2cfb/subdir/WEB4c64cfb83b69382247b8bc37425e47ac