Researchers specializing in cybersecurity have discovered a new malware campaign known as SHADOW#REACTOR, in which a group of malware designers builds what it calls the “multi-stage infection chain,” which allows Remote Admin Tools (RATs) to be installed and executed remotely by users.
As described in a recent Securonix technical report, SHADOW#REACTOR leverages a layered attack methodology that relies on several types of scripts executed in memory via trusted Windows binaries, thereby establishing a means of persistent and covert connection, by consistently avoiding detection through traditional security methods.
Multi-Layered Attack Methodology Avoiding Detection
The SHADOW#REACTOR attack path is initiated when a user executes a highly obfuscated Visual Basic Script using the command scripter (WScript), and the initial trigger for this action is the user clicking on a link from an email or text message that directs the user to the download page of the malicious software.
This initial script creates a PowerShell downloader, which is a Base64-encoded PowerShell script that downloads a fragmented text-based version of the final payload from a remote hosted site. This downloader receives the fragmented text files from the server and is then validated for integrity (to verify that the file was successfully downloaded), so any files that weren't downloaded completely will not be processed.
After this final validation of all the fragments, a complete payload is constructed in memory and is stored in a custom-built loader (which was protected using the commercial obfuscation tool .NET Reactor to prevent reverse-engineering of the payload).
The Campaign Uses Living-off-the-Land to Hide Itself
In the final stage of the campaign, MSBuild.exe is exploited by the attacker to run the encoded payload. This technique is called “living-off-the-land binary” (LOLBin) abuse, and it allows the malware to perform its functions as if it were a legitimate activity on the system.
Once executed, the REMCOS RAT is now installed, allowing the attacker to control the system remotely, take data from it, and keep access to it for an extended period.
Wrapper scripts are created to continuously restart the original VBS script and thereby maintain the attacker's persistence throughout reboots to the infected system.
Resiliency and Stealth
One of the most unique features of the SHADOW#REACTOR is that it uses intermediate stagers in the form of plain text and the ability to reconstruct the original binary using PowerShell and reflective loading techniques. As such, these techniques reduce the number of traditional malware sightings that antivirus engines see and make it difficult for antivirus software to detect it in a sandbox.
Beyond just using a loader that minimizes malware sightings, the loader also contains many different types of anti-analysis techniques, such as anti-debugging and anti-virtual machines, to minimize the risk of detection during automated testing.
Who’s Behind the Campaign?
The project exhibits a centralized approach with aggressive objectives aimed towards enterprise and middle size businesses. Though this activity has not yet been traced to a particular Threat Actor, the tools used and HOW this group is operating indicates that they are most likely an Initial Access Broker – individuals or organizations who exploit network vulnerabilities to obtain access that can be sold (exploited) to the malicious hacker community.
The researchers have indicated that the modularity of this framework indicates that it is still being actively developed and is likely was engineered to function across multiple Campaigns.
Why Does This Matter?
SHADOW#REACTOR further demonstrates how cybercriminals are attempting to become less visible when carrying out attacks, as they continue to focus more towards building out their attack chains using "low noise," "scripted" attack chains, using non-malware (Legitimate OS Components) whenever possible.
The combination of using Payloads in text, executing in memory, and the abuse of LOLBin (Living Off The Land Binaries), the detection of these types of attacks is rapidly becoming more complicated, especially within environments where behavioral monitoring is limited.
Source: The Hacker News