I started tracking this activity after observing the encoded payload (f9ee2a922e43f7e080d14019a42d983004313499d2cb1fd3619d0d6eba417be1), which decodes to an empty script similar to the one described in the Unit42 blog on the Aggah campaign (https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/).
It was interesting to see the detections for this script.
I observed that the Pastebin account belonged to HAGGA.
I began tracking the related URLs in VT and observed that a new script, 6415b77dd8ef17f29b7758994b8c3dec5bcfb096ebe9e59ec7e32ebcfc734ed5 (JS with encoded VBS), has been uploaded to some of the links (mentioned below) which previously served the self.close script.
I decoded 6415b.., debugged the VBS and observed that obfuscated PowerShell code gets executed.
After further debugging, we get the PowerShell script below.
This script checks for an internet connection by pinging Google and only runs if the ping succeeds.
The payloads downloaded from the two links below are obfuscated data that is converted into PE files on the endpoint.
91b594c4bb8b47756b7b2456b7d567b4bede30e1f0258f674af42f1394f04c9a is downloaded and deobfuscates to a DLL file.
Its import table hash is dae02f32a21e03ce65412f6e56942daa.
This DLL is obfuscated with ConfuserEx v1.0.0 and acts as a code injector.
ec623b38162bba0b68d307f2b8c7f5b11bddc40d5d12f76049afbb8de5aa01fb is downloaded and decodes to e5094102e9c84fe312bd252fb618fba77a9b9aafc924f5462774b1dd915ecb88, which is Azorult.
Its import table hash is 6d1f2b41411eacafcf447fc002d8cb00.
This sample is written in Borland Delphi, and its information-stealing capability is evident on analysis. The sample tries to steal data associated with multiple cryptocurrency wallets, browser information, Steam, Telegram, Skype, etc.
On analysis we can see that the sample initiates a C2 connection by sending a POST request to hxxp://216[.]170[.]126[.]146/done/index[.]php.
The sample also creates the directory %AppData%\Local\Temp\2fda and drops multiple DLLs (from the C2) there. It also tries to determine the country of the infected machine by connecting to hxxp://ip-api[.]com, and it deletes itself after infecting the host.
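As an added example from a detection standpoint (not part of the original write-up), the script below refangs the two network indicators above and sweeps a constructed proxy log for the C2 POST and the ip-api.com country lookup; the log format and client addresses are assumptions.

```python
import re
from collections import defaultdict

# IoCs from the write-up above, kept defanged exactly as published.
C2_POST_URL = "hxxp://216[.]170[.]126[.]146/done/index[.]php"
GEO_LOOKUP_HOST = "ip-api[.]com"


def refang(ioc):
    """Turn a defanged indicator (hxxp://, [.]) back into a matchable string."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.IGNORECASE)


# Constructed proxy log (not real traffic): "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2019-09-24T10:01:02Z 10.0.5.21 GET http://www.google.com/ 200
2019-09-24T10:01:09Z 10.0.5.21 GET http://ip-api.com/json 200
2019-09-24T10:01:11Z 10.0.5.21 POST http://216.170.126.146/done/index.php 200
2019-09-24T10:01:30Z 10.0.5.22 GET http://ip-api.com/json 200
2019-09-24T10:02:00Z 10.0.5.23 GET http://216.170.126.146/done/index.php 404
2019-09-24T10:02:17Z 10.0.5.23 POST http://216.170.126.146/done/index.php 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def classify(log_text):
    """Map each client to the indicators it tripped: 'c2_post' and/or 'geo_lookup'."""
    c2_url, geo_host = refang(C2_POST_URL), refang(GEO_LOOKUP_HOST)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        _ts, client, method, url, _status = m.groups()
        host = url.split("/")[2].lower() if "//" in url else ""
        if method == "POST" and url == c2_url:
            hits[client].add("c2_post")   # the Azorult check-in described above
        if host == geo_host:
            hits[client].add("geo_lookup")  # country lookup the sample performs
    return dict(hits)


def likely_infected(log_text):
    """Clients that posted to the C2; the geo lookup alone is only corroborating,
    since legitimate software also queries ip-api.com."""
    return sorted(c for c, ind in classify(log_text).items() if "c2_post" in ind)
```

Client 10.0.5.22 only queried ip-api.com and is therefore not flagged, while 10.0.5.23 is flagged on the POST alone, so the geo lookup serves as a corroborating signal rather than a trigger.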
I am not going into the detailed analysis of this sample here.
Note: Azorult was observed during the 4th week of September 2019; this link is now down.