One Article Review

Home - The article:
Source Fortinet ThreatSignal
Identifier 6478466
Publication date 2022-08-22 20:09:54 (viewed: 2022-08-23 05:05:37)
Title Widespread RedInk Malware Hides Its Code In .NET Metadata
Text

FortiGuard Labs has found an active and widespread attack campaign that distributes malware it dubs "RedInk", using the RegAsm.exe LOLBIN for execution and sandbox evasion. The attack is carried out in three stages; the final stage, acting as both a Remote Access Trojan (RAT) and a botnet component, is installed on the victim's machine.

Why is this Significant?

This is significant because FortiGuard Labs observed widespread distribution of RedInk malware in an ongoing campaign. The final payload observed is a Remote Access Trojan (RAT) that enables a remote attacker to take control of the victim's machine.

How Widespread is the Campaign?

We have observed more than 3,600 unique samples of the first stage, with new samples constantly being served to evade detection by security solutions. FortiGuard Labs observed RedInk malware distributed to Canada, Australia, the UK, and Japan.

How does the Attack Work?

While the initial infection vector has not been found, FortiGuard Labs observed that the first-stage malware was downloaded from the internet.

The campaign's first stage is a small (6 KB) .NET loader, manipulated so that it runs properly only under RegAsm.exe. Some of the first-stage samples found (out of 3,600 in total) hide part of the crucial malicious logic inside the metadata of the file: in this way, the base64-encoded data is not part of the .NET strings of the file, which lets the attacker partially evade detection.

The aforementioned samples compile the following code at runtime (decoded from the base64 in the "AssemblyDescription" attribute) in order to download the next payload:

The next stage we observed, called "loader.dll" by the attackers, is mainly used to kill the previous stage and to load the next stage from the server, encrypted with a randomly generated AES key.

The third stage, called "client.core", is a fully fledged malicious toolkit, functioning as both RAT and botnet component, able to install VNC on the victim's machine to give the attacker remote control of the computer.

Why Can only RegAsm.exe Run the RedInk Malware?

RedInk does not have a standard DLL entry point, but rather a "ComUnregisterFunction", which rundll does not call but RegAsm (T1218.009) does. This technique is useful both for sandbox evasion (T1497) and to bypass application control (UAC - T1548.002).

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against the malware samples used in the campaign:
• MSIL/Cerbu.CA89!tr
• MSIL/Dropper.E5B0!tr
• MSIL/GenericKDZ.5CA8!tr
• MSIL/Tedy.1448!tr
• W32/Dloader.X!tr
• W32/PossibleThreat
• MSIL/Asbit.C!tr

All network IOCs associated with this attack are blocked by the WebFiltering client.

FortiEDR blocks the first stage of RedInk upon the initiation of a network connection:

FortiEDR Threat Hunting customers can additionally query for it using the following query:
Source.Process.Name:Regasm.exe AND Source.Process.CommandLine:*.txt*
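The hunting query above, run offline over a few constructed process-creation events, as an added example that is not Fortinet's or FortiEDR's code. It assumes a minimal event shape (pid, image name, command line, parent), that the EDR evaluates both clauses case-insensitively, and uses placeholder file paths; the ATT&CK technique tag is the T1218.009 given on the page.

```python
"""Apply the page's RegAsm.exe hunting logic to exported process-creation events.

Mirrors:  Source.Process.Name:Regasm.exe AND Source.Process.CommandLine:*.txt*
so the same hunt can be run against an EDR or Sysmon export without the console.
"""
import fnmatch
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed shape of an EDR/Sysmon export)."""
    pid: int
    name: str          # image name, e.g. "RegAsm.exe"
    command_line: str  # full command line as logged
    parent: str        # parent image name, useful for triage


# Constructed sample telemetry (not real events); paths and file names are placeholders.
SAMPLE_EVENTS = [
    # Legitimate developer use: registering a COM-visible assembly.
    ProcessEvent(1001, "RegAsm.exe",
                 r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase MyComLib.dll',
                 "cmd.exe"),
    # Suspicious: RegAsm handed a .txt file, the pattern the page's query hunts for.
    ProcessEvent(1002, "regasm.exe", r"regasm.exe C:\Users\Public\update.txt", "explorer.exe"),
    # Unrelated process that merely references a .txt file; must not match.
    ProcessEvent(1003, "notepad.exe", r"notepad.exe C:\Users\Public\readme.txt", "explorer.exe"),
    # RegAsm with /unregister on a .txt file: still matches both clauses.
    ProcessEvent(1004, "RegAsm.exe", r"RegAsm.exe /unregister C:\Temp\a.txt", "wscript.exe"),
]

# Wildcard taken verbatim from the page's FortiEDR query.
COMMANDLINE_PATTERN = "*.txt*"
# ATT&CK mapping stated on the page for RegAsm proxy execution.
ATTACK_TECHNIQUE = "T1218.009"


def matches_regasm_hunt(ev: ProcessEvent) -> bool:
    """True when the event satisfies both clauses of the hunting query.

    Both comparisons are case-insensitive; that is an assumption about how the
    EDR evaluates the query, made explicit here so the export is normalised first.
    """
    return (ev.name.lower() == "regasm.exe"
            and fnmatch.fnmatchcase(ev.command_line.lower(), COMMANDLINE_PATTERN))


def hunt(events):
    """Return (pid, parent, technique) for every event the query would surface."""
    return [(ev.pid, ev.parent, ATTACK_TECHNIQUE)
            for ev in events if matches_regasm_hunt(ev)]


if __name__ == "__main__":
    for pid, parent, technique in hunt(SAMPLE_EVENTS):
        print(f"pid={pid} parent={parent} technique={technique}")
```

The legitimate `/codebase MyComLib.dll` registration is deliberately included: the query keys on a `.txt` argument, so ordinary COM registration does not fire, while the parent image in the result is what a responder would look at first when triaging the hits.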
Sent Yes
Tags Threat Malware


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.