An Odd Certutil Download Spurs Investigation from Huntress

Category: Malware Campaign | Industry: Global | Level: Tactical | Source: Huntress

A scrutinized download from certutil unravels a suspicious payload with sinister intentions. The alert was received in a Huntress-secured environment on February 2nd, 2023, stimulated by suspicions of mischief due to "a combination of certutil using the urlcache flag to retrieve a remote resource and follow-on scheduled task creation." The downloaded payload was a DLL file and is flagged as a malicious file on VirusTotal. Huntress researchers attempted to pull down the file for analysis however, the resource was no longer accessible from the hosted server. Further examination of the affected host found the downloaded DLL payload was dropped into the 'C:\users\Public' directory and executed with rundll32. The DLL proceeded to create "very specifically named Scheduled Tasks used as persistence to execute the malicious DLL," based on the naming convention the tasks attempted to masquerade as NVIDIA crash reports. Many behavioral samples were found observed with this malware and Truebot downloader malware. Huntress suspects the threat actors exploited the remote code execution vulnerability associated with GoAnywhere MFT software to gain access to the host. This analysis aligns with the service account (GoAnywhereSvcAcct) being tied to the events observed on the host. Due to the payload displaying similar behaviors with Truebot, Huntress assesses the attackers responsible for the campaign to be linked to the Silence group and the TA505 threat group.

Anvilogic Scenario:

• Suspicious Download from Certutil Establishes Persistence

Anvilogic Use Cases:

• Certutil File Download
• Suspicious Executable by CMD.exe
• Rare Scheduled Task

‍