Three otherwise unrelated campaigns between March and June 2022 have been found to share the same techniques and malware, delivering Remote Access Trojans (RATs) and cryptocurrency miners to compromised systems. One key feature of these campaigns is the use of ModernLoader, a .NET Remote Access Trojan that has been around since 2019, as the primary Command and Control (C2) channel.
The infection chain of these campaigns used fake Amazon gift card lures to distribute malware hosted on compromised WordPress sites. The first stage downloads an encrypted HTA payload that, when executed, downloads additional PowerShell code to run. This PowerShell code performs two tasks: it disables AMSI scanning on the system, and then it injects the final-stage payload into a newly created svchost.exe process via process hollowing. This final payload is an instance of ModernLoader, which automatically collects information about the system and sends it to the C2 server. This information includes the Active Directory or workgroup name, the external IP address of the system, operating system version details, user privileges, the anti-virus products installed on the system, and so on. The RAT is then set up to receive commands from the C2 server and execute them on the system. In these campaigns, ModernLoader was seen delivering further malware, such as XMRig for cryptocurrency mining and other RATs such as DCRat.
These campaigns have been attributed to a previously undocumented Russian-speaking threat actor, potentially targeting users in Eastern European regions. The changes made between campaigns show a threat actor that is experimenting with different tools and techniques, but that primarily relies on open-source code or off-the-shelf tools in their infection chains.
It is highly recommended to use and maintain appropriate endpoint security controls on all systems in an environment. Because this threat actor relies on well-known tooling and techniques, it is highly likely that most EDR solutions could prevent multiple stages of this infection chain from executing. It is also recommended to implement and maintain appropriate logging and monitoring on all devices, for the cases where preventative measures fail. The infection chains from these campaigns exhibit several suspicious behaviors that can be detected and alerted upon. mshta.exe making external connections to unknown IP addresses, suspicious auto-start Registry keys and scheduled tasks being created by unknown processes, and powershell.exe injecting into an svchost.exe process are just some of the behaviors these campaigns exhibit that can be alerted upon within an environment. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
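The three behaviors named above, expressed as detection logic in an added Python example that is not from Binary Defense or the original report: it runs over constructed, Sysmon-like event records, and the field names, the internal address ranges and the trusted-process allow-list are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed, Sysmon-like event record; the field names are an assumption.
@dataclass
class Event:
    kind: str     # "net", "reg", "task" or "inject"
    image: str    # full path of the process performing the action
    target: str   # destination IP, registry value path, task name or injected image

# Assumed allow-list of processes expected to create auto-start entries.
TRUSTED_PERSISTENCE_WRITERS = {r"c:\windows\system32\msiexec.exe"}
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)  # anything outside INTERNAL_NETS counts as external
    return not any(addr in net for net in INTERNAL_NETS)

def detect(events: List[Event]) -> List[str]:
    """Return one alert string per event matching a behavior described in the report."""
    alerts = []
    for e in events:
        img, writer = basename(e.image), e.image.lower()
        if e.kind == "net" and img == "mshta.exe" and is_external(e.target):
            alerts.append(f"mshta.exe connected to external IP {e.target}")
        elif e.kind == "reg" and any(k in e.target.lower() for k in RUN_KEYS) \
                and writer not in TRUSTED_PERSISTENCE_WRITERS:
            alerts.append(f"auto-start Run key {e.target} set by {e.image}")
        elif e.kind == "task" and writer not in TRUSTED_PERSISTENCE_WRITERS:
            alerts.append(f"scheduled task {e.target} created by {e.image}")
        elif e.kind == "inject" and img == "powershell.exe" \
                and basename(e.target) == "svchost.exe":
            alerts.append("powershell.exe injected into svchost.exe")
    return alerts

# Constructed sample telemetry: events 1, 3 and 5 should alert, the rest should not.
SAMPLE_EVENTS = [
    Event("net", r"C:\Windows\System32\mshta.exe", "203.0.113.7"),
    Event("net", r"C:\Windows\System32\mshta.exe", "10.0.0.12"),
    Event("reg", r"C:\Users\Public\upd.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    Event("task", r"C:\Windows\System32\msiexec.exe", "VendorUpdate"),
    Event("inject", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\svchost.exe"),
    Event("inject", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe"),
]
```

Running `detect(SAMPLE_EVENTS)` yields three alerts, one per behavior; the allow-list keeps the msiexec.exe task and the services.exe activity quiet.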