Kremlin RATs from Nigeria

Analysis of these campaigns revealed that the threat actor used phishing emails with malicious attachments to gain initial access. Office documents exploiting vulnerabilities in Microsoft Office products, as well as malicious macros were used as attachments. Group-IB discovered more than 100 phishing email samples distributed en masse.

Depending on the geographical distribution of the targets the cybercriminals altered the email contents and language. Phishing emails were accompanied by fake purchasing orders and other financial documents, used COVID-19 as a theme sometimes and were made to look like legitimate communications from banks or well-known logistics companies.

The unconventional naming pattern for the domains used to deliver malware (*kremlin, *crimea, *putin) might be an amateurish attempt to imitate Russian speaking cybercriminals to throw researchers off track and complicate attribution.

Nevertheless, during further analysis of the adversary infrastructure and the TTPs employed, as well as a set of malicious software used in conjunction with DDNS services Group-IB researchers attributed the campaigns with high confidence to a previously unknown threat actor from Nigeria.

The post examines three threat actor's campaigns carried out in 2019 and 2020, analyzes the adversary's infrastructure and TTPs and provides recommendations and mitigation techniques to thwart the threat.

The initial list of domains that caught our attention was:

● crimea-kremlin[.]duckdns.org
● kremlin-afghan[.]duckdns.org
● kremlin-crimea[.]duckdns.org
● kremlin-turbo[.]duckdns.org

These domains were registered to the same IP address (79.134.225[.]43) on June 15, 2020. According to the Group-IB network graph, there are about 30 different malicious files associated with these four domains. The decoys found suggest that the campaign targeted users in Poland, Turkey, Italy, Germany, and Bulgaria.

Further analysis showed that most of the files had been uploaded to public sources from June 25, 2020. The most common names were "Potwierdzenie transakcji.xls", "İşlem makbuzu", "WACKER - 000160847.xls", and "Potwierdzenie operacji.xls". One of these files (SHA1: 95A6A416F682A9D254E76EC38ADE01CE241B3366) is a decoy document in Polish supposedly sent from one of the local banks.

After the macros in this document are enabled, a PowerShell script is executed to extract the second-stage command from the lab.jpg file located on a remote server:

This code reads the contents of the file http://officeservicecorp[.]biz/rnp.txt, which contains a payload.

As a result of this sequence of PowerShell scripts, the infamous NetWire RAT is loaded and executed. The tool connects to its C&C server (kremlin-crimea[.]duckdns.org) on port 3396.

If we insert the original domains into the graph in increments of 2, we will see not only these domains, but also the rest of the associated infrastructure that was involved in all the infection stages.

It is interesting to note that files that connected office-service-tech[.]info also performed network connections to ahjuric[.]si. One of these files (SHA1 a3816c37d0fbe26a87d1cc7beff91ce5816039e7) was a decoy document in Turkish with the logo of a state-owned bank in Turkey.

This document contains a malicious macro that executes a PowerShell script. The latter reads Code.txt from a remote server and runs a chain of obfuscated PS scripts.

Executing the obfuscated PS script leads to another Base64-encoded script being executed. The latter will ultimately execute the payload in the form of NetWire RAT from office-service-tech[.]info/pld.txt.

The C&C server of this sample is crimea-kremlin.duckdns[.]org.

We also found files that make network connections simultaneously to kremlin-turbo.duckdns[.]org and wshsoft[.]company. The latter domain name brings to mind the WSH RAT, which is based on the Houdini code. One of these files (SHA1: b42a3b8c6d53a28a2dc84042d95ce9ca6e09cbcf) is a RAT sample that sends requests such as /is-ready to the C&C server kremlin-turbo.duckdns[.]org:3397. WSHRAT is indicated as its UA.

At this stage, it is important to note that some of the domains used in this campaign were registered to the email address tetragulf@yahoo[.]com.

While examining all other related infrastructure, we came across domains registered to asetonly@yahoo[.]com. Since early 2020, the following domains have been registered to this email address:

1. nitro-malwrhunterteams[.]com
2. office-data-labs[.]com
3. putin-malwrhunterteams[.]com
4. kremlin-malwrhunterteam[.]info
5. skidware-malwrhunterteams[.]com
6. screw-malwrhunterteams[.]com
7. screw-malwrhunterteam[.]com
8. office-services-labs[.]com
9. office-cloud-reserve[.]com
10. office-clean-index[.]com
11. office-cleaner-indexes[.]com

We collected over 130 different malware samples from various sources associated with these domains. Judging by the names and content of these samples, the spring 2020 campaign targeted users in Europe and CIS countries. Group-IB experts uncovered decoy documents in Ukrainian, Belarusian, Kazakh, Russian and Greek.

The campaign's first files were uploaded to public sandboxes on March 23, 2020. One of these files was named "Аналіз проекту.docx" (SHA1-d8826efc7c0865c873330a25d805c95c9e64ad05) and was distributed as an attachment to the email "Електронна розсилка_ Змінене замовлення.eml" (SHA1-7f1fdf605e00323c055341919173a7448e3641fb), which was uploaded to VirusTotal via a web interface from Ukraine.

The document's content doesn't spark much interest and looks like a scanned invoice. However, the document exploits the CVE-2017-0199 vulnerability, which executes a command that loads the payload http://office-cloud-reserve[.]com/hydro.exe.

The payload is the AgentTesla spyware . A legitimate compromised domain (ftp.centredebeautenellycettier[.]fr) was used as a server for data exfiltration.

Another analyzed file (SHA1- 19324fc16f99a92e737660c4737a41df044ecc54) called "Байланысорталықтары.img" was distributed as an attachment to COVID-19-themed emails (SHA1: 403c0f9a210f917e88d20d97392d9b1b14cbe310) in Kazakh.

This attachment is an .iso image. In some cases, it is named "Байланыс орталықтары.img". The file is mounted to the system as an image which contains one obfuscated VBS file (SHA1: fd274f57e59c8ae3e69e0a4eb59a06ee8fd74f91) named "Денсаулық сақтау бойынша анықтамалық жәнедеректер базасы.vbs". The file is a loader that executes an obfuscated PS code. After that, the file http://office-cleaner-indexes[.]com/loud.jpg is read.

As a result, AgentTesla is loaded and executed, which also exfiltrates the data through ftp.centredebeautenellycettier[.]fr

Another document (SHA1: c992e0a46185bf0b089b3c4261e4faff15a5bc15) named "Συμφωνία 060520.xls" was distributed via email in Greek. Its content looks the same as all others in this campaign, but in Greek. Its NanoCore Rat payload connects to screw-malwrhunterteams[.]com.

Further analysis of the infrastructure related to tetragulf@yahoo[.]com revealed that in 2019 only four domains were registered to this email address, two of which were registered in late February and were involved in one campaign distributing malicious documents.
List of registered domains (those confirmed as malicious are underlined):

• east-ge[.]com
• mariotkitchens[.]com
• sommernph[.]com
• kingtexs-tvv[.]com

The first files associated with these domains were first uploaded to public sandboxes on June 18, 2019.

Most of these files are RTF documents that exploit the CVE-2017-11882 vulnerability, while others are the executable payload. While investigating this campaign, we found emails and decoys in Ukrainian, Russian, Greek, Spanish, and Czech.

One of the first documents in this campaign was distributed via email under various names: "CNC 0247.doc", "ЧПУ 0247.doc" (SHA1: 443c079b24d65d7fd74392b90c0eac4aab67060c).

According to our graph, this document connects to http://68.235.38[.]157/ava.hta and kingtexs-tvv[.]com

We found this host interesting and uncovered additional files that established network connections to http://68.235.38[.]157. Some of these files, "Estos son los documentos adjuntos de junio.doc" (SHA1: 02799b41c97b6205f1999a72cef8b8991d4b8092) and "New Order.doc" (SHA1: 25abf0f75c56516134436c1f836d9db1e770ff30), exploit vulnerability CVE-2017-11882. At startup, they establish a connection to http://68.235.38[.]157/oyii.hta.

This file contains a Visual Basic code, which performs a Base64-encoded PowerShell command to download payload from the public file storage system https://m.put[.]re/Qm8He5E4.exe (SHA1: 523c5e0a1c9bc6d28f08500e96319571b57e4ba7) and stores it to the temp directory under the name "avantfirewall.exe".

The payload reads the content from https://paste[.]ee/r/rSrae, which results in the Async RAT being executed. The tool connects to the C&C server kizzoyi.duckdns[.]org on port 8808. Another document from this campaign is named "таблиці.doc" (SHA1-1230acfd1f6f5b13a218ff8658a835997d1f0774). It was distributed via emails in Ukrainian.

Once the document is run, the critical vulnerability CVE-2017-11882 allows malicious code contained in the wd32PrvSE.wmf OLE object to be executed without any user interaction.

As a result of code execution from OLE objects, the Async RAT is loaded and executed.

Below you will find adversary techniques and defensive measures mapped against MITRE ATT&CK and MITRE Shield, which we recommend using to prevent similar incidents.

All mitigation techniques are implemented in Group-IB products to ensure that our clients are protected at all attack stages. If you have any questions or suspicions about an emerging incident, please email us at response@cert-gib.com.

You can find more information about Group-IB products and services and request a demo at https://www.group-ib.com.