RedLine Stealer spreading through OneNote
Recently, OneNote files have been abused a lot to carry malware, with users being tricked into executing them. The count of such samples has increased in the last couple of weeks.
The sample under consideration was a .one file found in the wild carrying the RedLine info stealer.
Figure 1 – VT detection
The .one file just had a simple dialog box saying ‘Double click to view’.
Figure 2 – Batch file hiding behind the dialog box
However, when we drag that dialog box aside, we see a batch file named xxx.bat under it. Hovering the cursor over it shows the desktop name of the machine on which it was inserted into the .one file.
Figure 3 – Malicious batch file
The contents of the batch file are not straightforward: variables defined in the file are concatenated at runtime into the actual command to be executed.
Figure 4 – Contents of the batch file
The following are the commands that are decoded at runtime.
Figure 5 – Decoded commands
After this, in the following section of the file, there is another command that gets decoded at runtime, showing that the batch file copies the PowerShell executable into the current directory, renamed to ‘xxx.bat.exe’.
Figure 6 – Copying & renaming PowerShell to the name of the batch file
Next, in the middle of the batch file, we can see some base64-encoded content, which turns out to be a PE file.
Figure 7 – Encoded RedLine stealer in the batch file
Finally, at the end of the file there is another command which executes the copied PowerShell to process the data that we saw in the middle of the file.
Figure 8 – Decryption key, IV and decompression code
The commands in Figure 8 indicate that the data from the batch file gets base64 decoded and then decrypted using the key and IV. At the end, the data gets decompressed using Gzip.
We replicated this using CyberChef and obtained the payload. The payload is a .NET file belonging to the RedLine stealer family. In dnSpy we can see that the filename is tmp5217.
We can see a lot of base64 strings that are passed into a certain function, which decrypts them using the key and IV passed as arguments.
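To replicate the CyberChef chain in a scriptable way, here is an added example (not K7's code) that carves the base64 blob out of a batch file, base64-decodes it, AES-CBC-decrypts it with the key and IV, and gunzips the result into the PE. It assumes AES-CBC with PKCS7 padding (the post only says "key and IV"), uses the cryptography package, and runs on a constructed sample with a stand-in key, IV and payload.

```python
import base64
import gzip
import re
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# The loader keeps the encrypted PE as one long base64 line in the middle
# of the script, so carving the longest base64 run is enough to isolate it.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

def carve_blob(batch_text: bytes) -> bytes:
    """Return the longest base64 run found in the batch file."""
    runs = B64_RUN.findall(batch_text)
    if not runs:
        raise ValueError("no base64 payload found in batch file")
    return max(runs, key=len)

def decode_payload(blob: bytes, key: bytes, iv: bytes) -> bytes:
    """base64 decode -> AES-CBC decrypt -> strip PKCS7 -> gunzip.
    AES-CBC with PKCS7 is an assumption (the .NET default); the post only
    says the PowerShell stage uses a key and an IV."""
    ciphertext = base64.b64decode(blob)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    compressed = unpad.update(padded) + unpad.finalize()
    return gzip.decompress(compressed)

def is_pe(data: bytes) -> bool:
    """Sanity check on the result: a Windows PE starts with the MZ header."""
    return data[:2] == b"MZ"

# Constructed sample: not the real key, IV or payload from the analysed file.
KEY = bytes(range(32))   # stand-in 256-bit key
IV = bytes(range(16))    # stand-in 128-bit IV
FAKE_PE = b"MZ" + b"\x00" * 62 + bytes(range(256))  # stand-in for tmp5217

def build_sample_batch() -> bytes:
    """Pack FAKE_PE the way the loader packs it (gzip -> AES-CBC -> base64),
    sandwiched between obfuscated variable lines and the launcher line."""
    pad = padding.PKCS7(128).padder()
    padded = pad.update(gzip.compress(FAKE_PE)) + pad.finalize()
    enc = Cipher(algorithms.AES(KEY), modes.CBC(IV)).encryptor()
    blob = base64.b64encode(enc.update(padded) + enc.finalize())
    return b"set a=pow\r\nset b=ershell\r\n" + blob + b"\r\n%a%%b% -ep bypass\r\n"

if __name__ == "__main__":
    pe = decode_payload(carve_blob(build_sample_batch()), KEY, IV)
    print("recovered PE header:", is_pe(pe), "size:", len(pe))
```

With the real key and IV from Figure 8, the same decode_payload call applied to the blob carved from the actual batch file is the scripted equivalent of the CyberChef recipe.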
Figure 9 – Decompiled code of RedLine stealer
The decoded strings are as follows.
Figure 10 – Decrypted strings that are used in the code
The strings can be decoded using CyberChef; this is explained very well here. The payload.exe is a resource in the RedLine malware, and it is decrypted using the previously mentioned function.
Figure 11 – Resource named payload.exe
The original name of the resource is pestle.exe. It has a class named ‘Arguments’ that contains an IP address and a key; the IP address is base64 encoded and is decrypted using an XOR function with that key.
Figure 12 – Encrypted IP and XOR key for decryption
The decrypted IP address is 172.245.45.213, which was up at the time of writing this blog. Once the IP is decrypted, the malware makes a connection and transfers the data, which we will discuss further in this blog.
Figure 13 – Making a connection after decrypting IP
Once the connection is started, we can observe the traffic through Wireshark.
Figure 14 – Sending SYN to initiate the TCP connection
Figure 15 – Information asked by C2
The C2 asks for files with the extensions .txt and .doc, and for files whose names contain key, wallet and seed, from the Desktop and Documents folders. Then it asks for the data of different browsers stored in the AppData folder.
It also asks the host for crypto wallet information, if any is present on the host machine.
Then the host responds to the C2 by sending data. It first sends information about the host.
Figure 16 – Time & OS information
After that it sends information about the host’s hardware.
Figure 17 – Hardware information
Then it sends information about the software on the host.
Figure 18 – Software information
And then the information about the currently running processes is sent to the C2.
Figure 19 – Current running processes
The host then sends information about the browsers installed on the host.
Figure 20 – Installed browser details
After that it sends every file with the extensions .txt and .doc to the C2. We tested this by creating a dummy .txt file, and we can see it in the Wireshark capture.
Figure 21 – Sending the decoy text file to the C2
We at K7 Labs provide detection against such threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up to date so as to safeguard their devices.
IOCs
File Name: Love men w.one
Hash: f510047d3e06f51cc81d0ad54c5fe079
Detection Name: Trojan ( 0059ec2a1 )