
Return of Domen? Mysterious Zip file

1. Overview

On March 17, Waseda University announced that the website of its sports newspaper club (https://wasedasports[.]com/) had been infected with malware. At the time of my research the final payload was a common malware called BitRAT, but there are several interesting points in its infection chain.

A portion of the infection chain is shown below. The compromised site finally triggers the download of a zip file. There is nothing interesting about the infection chain after this point; refer to the IoC section for more information on the malware involved if necessary.

Now, what is interesting? In my opinion, the interesting points of this attack are as follows.
・Use of the Domen social engineering toolkit: this toolkit was used around 2019-2020, but has not been seen recently.
・Mysteriously structured zip file: the name of the file inside this zip depends on the archiver used for decompression.

2. Domen social engineering toolkit

Domen is a social engineering toolkit that was used in fake update campaigns. It leads the target to install malware as a supposed update to their browser or Flash Player. For more details, Malwarebytes has written an excellent article.
https://www.malwarebytes.com/blog/news/2019/09/new-social-engineering-toolkit-draws-inspiration-from-previous-web-campaigns

In fact, fake updates are now a common web threat and are not unusual. However, Domen is a tool that has not been reported for about the last 4 years. In short, the use of Domen is interesting, but little appears to have changed. A snippet of the Domen code is shown below.
The font version and the user-agent blacklist have not changed at all. Only the browser version to be displayed is slightly different: the major version was changed to 123, while the minor version remained the same. That makes sense because 123 is the latest version of Chromium and Firefox.

The destinations of the communications that take place when the compromised site is accessed are shown below. The pattern "/admin/target" is unchanged from the old Domen, and the pattern "/admin/target?secret=" can be used for hunting.
However, testdomen.xyz had no IP address assigned during this attack. The name testdomen may indicate that the attacker was testing Domen.

3. Mysteriously structured zip file

The Browser_Update.zip downloaded by Domen has two interesting points.
The first is that the name of the unzipped file changes depending on the archiver: this zip file yields either "Browser Update.txt" or "Browser Update.js". Why does this happen? My first idea was the Double Loaded Zip File technique presented by Trustwave, so I opened this file with 010 Editor. https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/double-loaded-zip-file-delivers-nanocore/
A zip file records the name of a stored file in two locations, the local file header and the central directory record, and in this file the two locations hold different names. The name of the unzipped file therefore changes depending on which record the archiver takes the file name from. Antivirus products that choose how to scan by extension may miss this file because of the behaviour of their built-in archiver.

The second interesting point is the difference between the extension shown in the archiver's view and the extension of the extracted file. When this file is opened with WinRAR, it appears to contain a js file. However, the icon indicates that this file is not a js file.
The reason is simple: because the filename contains a trailing space, the archiver recognizes the extension of this file as ".js ".
Then why does the unzipped file have a ".js" extension? This is because trailing spaces in filenames are removed by the RtlGetFullPathName_Ustr function, which is called from CreateFileW (CreateFileW -> CreateFileInternal -> RtlDosPathNameToRelativeNtPathName_U_WithStatus -> RtlpDosPathNameToRelativeNtPathName -> RtlGetFullPathName_Ustr).
This technique also appears to be aimed at deceiving antivirus about the extension. In conclusion, this file looks like the following table.

Archiver      | View file               | Extract file
Explorer      | 「Browser Update.js 」  | 「Browser Update.js」
WinRAR        | 「Browser Update.js 」  | 「Browser Update.js」
7-Zip 15.05   | 「Browser Update.txt」  | 「Browser Update.txt」
7-Zip 24.01   | 「Browser Update.js 」  | 「Browser Update.js_」
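As an added example (my own code, not from the original post or the analysed sample), the following Python checker reads the name stored in each entry's central directory record and in its local file header, reports when the two disagree, and flags trailing spaces; it runs against a constructed two-name zip rather than Browser_Update.zip, and the trailing-dot stripping mentioned in the comment is general Win32 path behaviour, not something the post covers.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50


def build_two_name_zip(local_name: str, central_name: str, data: bytes) -> bytes:
    """Constructed sample: one stored entry whose local file header and central
    directory record carry different names (not the real Browser_Update.zip)."""
    lname, cname = local_name.encode(), central_name.encode()
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, 0, 0, 0, 0,
                        crc, len(data), len(data), len(lname), 0) + lname + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, 0, 0, 0, 0,
                          crc, len(data), len(data), len(cname), 0, 0, 0, 0, 0, 0) + cname
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def check_zip_names(blob: bytes) -> list:
    """Compare each entry's central-directory name with the name in its local file
    header and flag trailing spaces. Returns one dict of findings per entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:  # zipfile parses the central directory
        for info in zf.infolist():
            off = info.header_offset
            if struct.unpack_from("<I", blob, off)[0] != LOCAL_SIG:
                raise ValueError(f"no local file header at offset {off:#x}")
            fnlen = struct.unpack_from("<H", blob, off + 26)[0]  # file name length field
            local_name = blob[off + 30:off + 30 + fnlen].decode("utf-8", "replace")
            central_name = info.filename
            # Win32 path normalization strips trailing spaces (and dots), so this is the
            # name an archiver trusting the central directory would leave on disk.
            effective = central_name.rstrip(" .")
            findings.append({
                "central_name": central_name,
                "local_name": local_name,
                "names_differ": central_name != local_name,
                "trailing_space": central_name.endswith(" ") or local_name.endswith(" "),
                "effective_name": effective,
            })
    return findings


if __name__ == "__main__":
    sample = build_two_name_zip("Browser Update.txt", "Browser Update.js ", b"constructed content")
    for finding in check_zip_names(sample):
        print(finding)
```

Python's own zipfile refuses to extract a member whose local header name differs from the central directory name, which is why the checker reads the local header itself instead of calling open().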

By the way, there is one more interesting point. The overlay area of this file contained RAR data. The contents are harmless, so perhaps this is some kind of trick.

4. IoC

IoC                                                                | Description
https://www.qama[.]fr/cache/jquery.js                              | Malicious JavaScript
https://0x80[.]info/o                                              | Domen JavaScript
http://193.233.132[.]136/a/z.png                                   | Malicious PowerShell code
http://193.233.132[.]136/a/0x.png                                  | Malicious VBS code
http://193.233.132[.]136/a/a.png                                   | PowerShell payload with BitRAT
193.233.132[.]136:4404                                             | BitRAT C2
1669f175d53dd4afca317bccac9bc4880d267773e0dc6b5aac2a2469f6fc5a2c   | Browser_Update.zip SHA256 hash
