The Morphisec Labs team has been tracking an ongoing RAT delivery campaign that started in February this year. This campaign is unique in its heavy use of the AutoHotKey scripting language—a fork of the AutoIt language frequently used for testing purposes.
Starting in February, we identified at least four versions of the RAT delivery campaign, each of which includes multiple advancements and adaptations over the past three months.
In this blog post, we dive into the details of each attack chain, highlighting interesting and rare techniques the attackers use, including:
- Manifest flow hijack through VbsEdit manipulation
- UAC bypass
- Emulator bypass
- Tampering with Microsoft Defender and other antivirus products
- In-place compilation
- Delivery through text share services
The RAT delivery campaign starts from an AutoHotKey compiled script. This is a standalone executable that contains the following: the AHK interpreter, the AHK script, and any files it has incorporated via the FileInstall command. In this campaign, the attackers incorporate malicious scripts/executables alongside a legitimate application to disguise their intentions.
Figure 1: Malicious scripts alongside legitimate executables
We observed various RATs distributed via a simple AHK compiled script. We also identified several attack chains linked to this campaign, all of which start with an AHK executable that leads to the different VBScripts that eventually load the RAT. In this blog, we are going to cover the technical details for each of the observed attack chains shown in the below figure.
Figure 2: Possible attack chains.
The attack chain that delivers the VjW0rm and Houdini RAT is the first one we saw using this Loader. This attack chain was first used utilizes thein February 2021 and is still in use as of today. We observed several changes over time and we will describe them below:
First seen: February 17, 2021
Figure 3: The first version of the AHK script
First, the AHK script drops a legitimate application to the %appdata% directory and executes it. Next, it drops two files into the %programdata% directory. The first file is called conhost.exe and the second file is called conhost.exe.manifest (malicious manifest). Then the script executes the legitimate conhost.exe application, which leads to the execution of the malicious manifest through a path hijack.
Those files are the outcome of a tool called VbsEdit. The attacker uses VBsEdit to convert the VjW0rm and Houdini VBScript into an executable.
Figure 4: A VbsEdit tool used to convert to script
The tool creates a manifest (XML) file that holds the base64 encoded VBScript and information about how to execute the script. This manifest file needs to be located alongside the launcher (called conhost.exe). The launcher itself is a legitimate tool without any detections in VirusTotal.
Figure 5: The manifest file
First seen: March 31, 2021
In this version, the attacker wrapped the dropped RAT with an additional AHK executable. They also added the ability to disable Microsoft Defender by dropping a Batch script and an LNK file pointing to that script.
Figure 6: Added the ability to disable Defender
When executing the LNK file, the Batch script starts to perform several Powershell commands.
Figure 7: The script used to disable Defender
The commands download a known hacking tool that disables Defender (DefenderControl.exe v1.7) through an additional Powershell script that performs a known disk cleanup UAC bypass technique. This bypass allows the attacker to gain the higher privileges necessary to disable Microsoft Defender (assuming the user is also an administrator).
Figure 8: Disk Cleanup UAC bypass
Once Defender has been disabled, the AHK drops an additional AHK executable(CONHOSTHOST.exe). This AHK executable utilizes the VBS launcher technique shown in previous versions.
Figure 9: The second AHK executable.
First seen: April 8, 2021
Two more capabilities were added in this version:
- The first drops and executes a VBScript that blocks connections to popular Antivirus solutions by manipulating the victim’s C:\Windows\System32\drivers\etc\hosts file. This manipulation denies the DNS resolution for those domains by resolving the localhost IP address instead of the real one.
Figure 10: The data written to the host’s file.
- The second drops and executes a VBScript that terminates wscript.exe processes to clean traces of a failed attempt to perform the previous VBScript.
First seen: May 2, 2021
In this version, the attacker added directory-creation spamming that creates around 10 directories and subdirectories, then overrides the call numerous times. Though the attacker's intentions are not clear at this point, this might be a technique to introduce noise or to spam an emulator.
Figure 11: Directory-creation spamming
Additionally, a new VBScript is dropped into %ProgramData%\kellvbs.vbs. This script leads to a new variant of our previously researched HCrypt. It ends up delivering njRAT with the same C2 address as the Vjw0rm that has been dropped by the VBScript launcher.
In the second stage, AHK drops a Batch script that hides the manifest file, so that only the benign VBS launcher called conhost.exe will be visible to the victim.
Figure 12: Hiding the manifest file
Powershell loader chain
This attack chain first appeared in late April 2021. It has a strong resemblance to the previously described chain, except for the delivery technique and the RAT distribution used. In this chain, we have observed LimeRAT and RevengeRAT loaded as the final payload. Both of the delivered RATs communicate to the same C2 address - gamers2020.ownip[.]net.
First seen: April 26, 2021
Figure 13: The AHK second chain script.
The RAT is delivered by an obfuscated VBScript (as shown in Figure 14) that is dropped to the victims %ProgramData% directory. This script deobfuscates a PowerShell command that downloads the next stage from a Pastebin-like sharing platform service called stikked.ch.
Figure 14: Obfuscated VBScript downloads and executes PowerShell from a Pastebin service.
The Powershell stage from the paste embeds the next stage as a C# source code represented in a hexadecimal encoded blob ($Win32Runpe in Figure 15). To execute the next stage, the Powershell decodes the blob, compiles and saves it into the %temp% directory under the name RegAsm.exe, then executes the compiled executable.
We notice that the author compiled the executable with `GenerateExecutable=true` which is uncommon for attackers, as he could compile the executable in memory by setting the flag `GenerateInMemory=true`. This might be an evasion attempt as many solutions are looking for this flag.
Figure 15: PowerShell script from stikked.ch Pastebin.
The C# source code embeds the RAT payload as an AES encrypted blob (Buffer in Figure 16). The keys are embedded in the source code as well. In order to execute the RAT payload, it decrypts the blob, reflectively loads the decrypted payloads, then invokes it.
Figure 16: C# source code.
First seen: April 26, 2021
In this version, the attacker added a hexadecimal obfuscation layer to the VBScript and used a different PowerShell paste (hxxps://stikked[.]ch/view/raw/5d4df3b8) to load the RAT.
The PowerShell script used in this attack is a notorious one that is observed in several other RAT campaigns (1, 2, 3). It holds two hexadecimal blobs. The first one is a .NET DLL that is used for injecting the second hexadecimal payload, which is the RAT.
Figure 17: PowerShell script from stikked.ch Pastebin.
First seen: April 21, 2021
This chain is slightly different from the others, as the AHK script bundled files have different naming conventions and don’t include the VBS launcher. We will explain the connection and similarity to this campaign in the next section.
Similar to previous chains, the AHK script drops and executes a legitimate application. Next, it drops and executes a VBScript that downloads and executes an in-memory PowerShell script that leads to HCrypt. HCrypt is known as a RAT loader. In this campaign, we observed AsyncRAT as the loaded RAT.
Figure 18: The VBScript that leads to HCrypt.
Fingerprinting the campaign
In this campaign, we described various attack chains. We can attribute them to the same actor based on the following:
- They all drop a legitimate application before performing any malicious activity.
- They have the same resource naming convention across all of the versions: *.MP4, KELLVBS.VBS, CONHOST.EXE, etc.
- The AHK script has a strong resemblance across all of the chains, using the same commands: FileInstall, run, sleep, and drop the files to the %ProgramData% directory.
- In several attack chains, we observed the same directory spamming technique.
- They use the same scripts and UAC bypass technique to disable the Defender (in different stages).
As threat actors study baseline security controls like emulators, antivirus, and UAC, they develop techniques to bypass and evade them. The technique changes detailed in this report did not affect the impact of these campaigns. The tactical goals remained the same. Rather, the technique changes were to bypass passive security controls. A common denominator among these evasive techniques is the abuse of process memory because it's typically a static and predictable target for the adversary.
We still need these baseline controls to keep the automated attacks at bay. But the manual tradecraft employed by innovative attackers like this one requires a modern approach to security. Morphisec Guard offers control and visibility of these baseline controls while adding advanced breach prevention for in-memory exploits and evasive fileless techniques like those used in these campaigns. If you are experiencing a breach or would like a proactive audit of your critical assets, Morphisec’s team of researchers is available to assist.
Disabling Defender & UAC bypass URLs