TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
INTRODUCTION:
Identified by Proofpoint as the threat actor behind the Contact Forms campaign, TA578 also appears to be pushing ISO files for Bumblebee malware through thread-hijacked emails. These thread-hijacked emails either have links to storage.googleapis.com URLs similar to those used in the Contact Forms campaign, or they have password-protected zip attachments. Either method delivers an ISO file containing files to install Bumblebee malware.
Today's diary compares two examples of ISO files for Bumblebee malware from Monday 2022-05-09 that appear to be from TA578.
Shown above: Infection chains from TA578 on Monday 2022-05-09.
INFECTION CHAIN COMPARISON: LINK TO 'DOCUMENT' DOWNLOAD PAGE:
Shown above: TA578 Thread-hijacked email with malicious storage.googleapis.com link.
Shown above: TA578 'document' download page hosted on storage.googleapis.com URL delivers malicious ISO file for Bumblebee malware.
Shown above: Contents of downloaded document.iso file.
INFECTION CHAIN COMPARISON: PASSWORD-PROTECTED ZIP ATTACHMENT:
Shown above: TA578 email with password-protected zip attachment.
Shown above: Malicious ISO file for Bumblebee malware extracted from password-protected zip attachment.
ISO FILE COMPARISON:
SHA256 hash: 330b01256efe185fc3846b6b1903f61e1582b5a5127b386d0542d7a49894d0c2
- File size: 2,883,584 bytes
- File name: document.iso
- File description: malicious ISO file sent by 'documents' download page
SHA256 hash: e9084037805a918e00ac406cf99d7224c6e63f72eca3babc014b34863fb81949
- File size: 2,883,584 bytes
- File name: invoice_pdf_49.iso
- File description: malicious ISO file extracted from password-protected zip attachment
ISO CONTENT COMPARISON:
SHA256 hash: 22e033c76bb1070953325f58caeeb5c346eca830033ffa7238fb1e4196b8a1b9
- File size: 1,612 bytes
- File name: documents.lnk
- File description: Windows shortcut in both document.iso and invoice_pdf_49.iso
- Shortcut: %windir%\system32\rundll32.exe ramest.dll,SjVjlixjPb
SHA256 hash: e6357f7383b160810ad0abb5a73cfc13a17f4b8ea66d6d1c7117dbcbcf1e9e0f
- File size: 1,390,592 bytes
- File name: ramest.dll
- File description: Bumblebee 64-bit DLL in document.iso
SHA256 hash: f398740233f7821184618c6c1b41bc7f41da5f2dbde75bbd2f06fc1db70f9130
- File size: 1,390,080 bytes
- File name: ramest.dll
- File description: Bumblebee 64-bit DLL in invoice_pdf_49.iso
Note: Both of the above ramest.dll files have the same import hash (imphash) of 66356a654249c4824378b1a70e7cc1e5
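The shortcut inside both ISO files runs rundll32.exe against a DLL given only by bare name plus an export. The following is an added detection example, not code from the diary: it flags process-creation events showing that pattern and adds context (non-system working directory such as a mounted ISO, explorer.exe parent). The event fields cmdline, cwd and parent are a constructed shape, not any product's schema.

```python
import re
from typing import Optional

# Added example (not from the diary): flag process-creation events matching the ISO's
# shortcut pattern, rundll32.exe loading a DLL by bare name with an explicit export.
# The event dict fields (cmdline, cwd, parent) are a constructed shape for this example.

_RUNDLL32_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>[^\\/\s,]+\.dll),(?P<export>\S+)", re.IGNORECASE)

def check_event(event: dict) -> Optional[dict]:
    """Return a finding for a path-less rundll32 DLL load, else None."""
    m = _RUNDLL32_RE.search(event.get("cmdline", ""))
    if not m:
        return None
    reasons = ["rundll32 loads a DLL by bare name with an explicit export"]
    cwd = event.get("cwd", "")
    if cwd and not cwd.upper().startswith("C:\\"):
        reasons.append(f"working directory {cwd[:2]} is not the system volume (mounted ISO?)")
    if event.get("parent", "").lower().endswith("explorer.exe"):
        reasons.append("parent is explorer.exe, consistent with a double-clicked .lnk")
    return {"dll": m["dll"], "export": m["export"], "reasons": reasons}

def scan(events):
    """Run check_event over a list of events and keep only the findings."""
    return [f for f in (check_event(e) for e in events) if f]

# Constructed events: the first mirrors the diary's documents.lnk target run from a
# mounted ISO (drive E:); the second is a benign, fully path-qualified rundll32 call.
SAMPLE_EVENTS = [
    {"cmdline": r"C:\Windows\system32\rundll32.exe ramest.dll,SjVjlixjPb",
     "cwd": "E:\\", "parent": r"C:\Windows\explorer.exe"},
    {"cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL intl.cpl",
     "cwd": r"C:\Windows\system32", "parent": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```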
SIMILARITIES TO CONTACT FORMS CAMPAIGN:
TA578 'document' download pages are similar to 'Stolen Images Evidence' pages used for the Contact Forms campaign. Both are hosted on storage.googleapis.com pages with appspot.com in the URL. Both generate traffic to a malicious URL ending in logo.jpg that returns script with base64 text used to generate a malicious ISO file for download.
The following are 4 examples of URLs generated by 'document' download pages for malicious ISO files in May 2022:
- hxxps://baronrtal[.]com/img/logo.jpg
- hxxps://bunadist[.]com/img/logo.jpg
- hxxps://omnimature[.]com/img/logo.jpg
- hxxps://vorkinal[.]com/img/logo.jpg
The following are 4 examples of URLs generated by 'Stolen Images Evidence' pages for malicious ISO files in May 2022:
- hxxps://bunadist[.]com/images/logo.jpg
- hxxps://curanao[.]com/images/logo.jpg
- hxxps://goranism[.]com/images/logo.jpg
- hxxps://olodaris[.]com/images/logo.jpg
As seen above, 'Stolen Images Evidence' pages generate URLs ending in /images/logo.jpg, while 'document' download pages generate URLs ending in /img/logo.jpg.
URLs hosted on storage.googleapis.com for 'Stolen Images Evidence' pages end with ?l= or ?h= or similar strings followed by a numeric value. For example, hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fWpa4HT4ck6v6.html?l=827470894993112750 is a URL for a recent 'Stolen Images Evidence' page.
URLs hosted on storage.googleapis.com for 'document' download pages end in .html. For example: hxxps://storage.googleapis[.]com/pz3ksj5t45tg4t.appspot.com/q/pub/file/0/filejBWdkst6Ua3s.html is a URL for a recent 'document' download page.
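The URL differences described above (/img/logo.jpg vs /images/logo.jpg, and .html pages with or without a numeric ?l=/?h= query) can be turned into a simple proxy-log classifier. The following is an added example, not the diary's code: the label names and the log line format are constructed for this example, and the malicious URLs are the diary's own defanged examples.

```python
import re
from urllib.parse import urlparse, parse_qs

# Added example (not the diary's code): tag proxy-log URLs with the URL shapes the diary
# describes for TA578 'document' pages and Contact Forms 'Stolen Images Evidence' pages.

def refang(url: str) -> str:
    # Undo the diary's defanging (hxxps, [.]) so urlparse can handle the URL.
    return url.replace("hxxp", "http").replace("[.]", ".")

# storage.googleapis.com path shape: /<bucket>.appspot.com/<anything>/<file>.html
_PAGE_PATH = re.compile(r"^/[^/]+\.appspot\.com/.+\.html$")
_EVIDENCE_QUERY_KEYS = {"l", "h"}   # ?l= / ?h= followed by a numeric value

def classify_url(url: str) -> str:
    u = urlparse(refang(url))
    if (u.hostname or "").lower() == "storage.googleapis.com" and _PAGE_PATH.match(u.path):
        q = parse_qs(u.query)
        if any(k in _EVIDENCE_QUERY_KEYS and v and v[0].isdigit() for k, v in q.items()):
            return "stolen-images-evidence-page"
        if not u.query:
            return "document-download-page"
        return "googleapis-page-other-query"
    if u.path.endswith("/images/logo.jpg"):
        return "stolen-images-evidence-payload"
    if u.path.endswith("/img/logo.jpg"):
        return "document-download-payload"
    return "no-match"

_URL_IN_LOG = re.compile(r"h[tx]{2}ps?://\S+")   # matches http(s) and hxxp(s)

def classify_log(lines):
    """Return (url, label) for every URL in the log lines, skipping non-matches."""
    out = []
    for line in lines:
        for url in _URL_IN_LOG.findall(line):
            label = classify_url(url)
            if label != "no-match":
                out.append((url, label))
    return out

# Constructed proxy-log lines (timestamp, client, method, URL); the last one is benign.
SAMPLE_LOG = [
    "2022-05-09T13:01:22Z 10.0.0.12 GET hxxps://storage.googleapis[.]com/pz3ksj5t45tg4t.appspot.com/q/pub/file/0/filejBWdkst6Ua3s.html",
    "2022-05-09T13:01:25Z 10.0.0.12 GET hxxps://vorkinal[.]com/img/logo.jpg",
    "2022-05-09T13:07:40Z 10.0.0.31 GET hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fWpa4HT4ck6v6.html?l=827470894993112750",
    "2022-05-09T13:07:43Z 10.0.0.31 GET hxxps://curanao[.]com/images/logo.jpg",
    "2022-05-09T13:09:01Z 10.0.0.44 GET https://www.example.com/img/logo.png",
]
```

Running classify_log(SAMPLE_LOG) yields four hits, one per malicious line, pairing each page URL with the payload URL that follows it from the same client.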
FINAL WORDS:
The Contact Forms campaign switches between pushing ISO files for Bumblebee malware and pushing ISO files for IcedID (Bokbot) malware, and I've seen both during the same week. Since February 2022, TA578 has been noted pushing both families of malware. And in recent weeks, TA578 has been using thread-hijacked emails to distribute ISO files for Bumblebee malware. TA578 might also distribute IcedID using the same type of thread-hijacked messages.
While the malware may be different, I occasionally find Cobalt Strike from either Bumblebee or IcedID when testing samples in Active Directory (AD) environments. Cobalt Strike can lead to ransomware or other malicious activity.
If TA578 activity is caught and stopped in its early stages, potential victims might avoid more serious harm.
---
Brad Duncan
brad [at] malware-traffic-analysis.net