During the period between January 15 and 20, Morphisec identified a significant campaign targeting multiple German customers from the manufacturing industry. Targeted personnel were redirected to compromised websites that were, and still are, delivering advanced fileless downloaders that eventually lead to an Osiris client with a bundled mini-Tor communicating to a C2 onion Tor panel.
Following an additional investigation and sharing some of the TTPs with the community, we were notified of additional targeted countries such as the United States and Korea, which were delivered REvil and other payloads using the same delivery mechanism as described in the report.
In this blog, we will go over every stage of the attack chain in the German campaign.
The attack chain is composed of five main stages;
- A fileless .NET loader that’s mapped from the registry and decodes to a new .NET hollower in-memory executable, which is responsible for hollowing the Osiris trojan into a legitimate Windows process.
- Osiris connects to its C2 with the help of a mini-Tor bundle.
Figure 1: The Osiris attack chain.
The victim receives a link to a compromised website that contains a download link to a malicious zip file, which then contains a JS file. , the web page and the file name translates to “collective agreement on-call remuneration ig metal.”
The download as well as the rest of the attack chain communication will be available only to an IP located in Germany.
Figure 2: The compromised website.
The screen shot above is taken from the compromised website.
Figure 6: The "prove" variable.
Figure 7: The three compromised domains the code communicates with.
The parameter for ‘search’ is also unique per download. The script identifies if the machine is located in a domain by expending the environment variable %USERDNSDOMAIN%. Depending on what it receives, it sends a different get request to the compromised website with a high possibility for a different malware.
Powershell - reflective loading
The executed Powershell command reflectively loads the next stage .NET executable from registry represented by “HKCU:\SOFTWARE\<username>1”, but not before applying a minimalistic deobfuscation replacement algorithm on the value of the registry :
Figure 10: Reflective loading of the next stage.
A simple search in VirusTotal that is based on the replacement function “chba” will lead to previous versions of the Powershell that are dependent on “HKCU:\SOFTWARE\<machine name>1.”
Figure 11: The .NET loader
The .NET loader will add additional persistence and is responsible for decoding the next step .NET hollower variant, which is located under “HKCU:\SOFTWARE\<machine name>” (without the 1).
Figure 12: The .NET hollower variant.
The .NET code under <username> is obviously much larger than the loader as it includes both the hollowing functionality and the Osiris code.
Figure 13: The .NET code containing hollowing and Osiris.
This .NET hollower injects the Osiris executable into a legitimate “ImagingDevice” executable that comes preinstalled with Windows as part of the Windows Photo Viewer software.
Figure 14: The .NET hollower injecting Osiris.
Following the hollowing, the Osiris executable uses its bundled mini-Tor component to communicate with a Tor panel. As can be seen below, the banking trojan still implements many of its original banker functionalities.
Figure 15: The Osiris executable uses a bundled mini-Tor.
Figure 16: Osiris retains some banker functionality.
Figure 17: Some banker functionality in Osiris.
Artifact file - bundled mini-Tor.
Figure 18: A bundled mini-Tor.
The Osiris trojan attacking German IP addresses continues the trojan’s historical use. The Morphisec platform blocks Osiris with a zero-trust default-deny approach to endpoint security, powered by moving target defense. Customers of Morphisec are thus protected from Osiris, regardless of what defense evasion techniques the authors deploy.
EC936B6BB7497FFB11577C14A9AB2860EC1DD705DC18225BBDAB5BF57804BDBC - JS
72C5EEB8807A4576340485377CACC582A3CA651C4632DB06903C125BE6692968 - .NET module <username1>
63C62D6086A6CF2FCBB22A16C06EB0BC870CDB2F0BB029390D3BC815C06A6C6B - .NET module <username>
2FC970B717486762F6C890F525329962662074EB632F0827C901FB1081CBD98F - Osiris
91F1023142B7BABF6FF75DAD984C2A35BDE61DC9E61F45483F4B65008576D581 - Minitor www.underregnbuen[.]dk/?p=5739 - the compromised website
hxxp://ylnfkeznzg7o4xjf[.]onion/kpanel/connect.php - Osiris C2