Recently, Volon Threat Research identified a malware sample that was uploaded to a public file-scanning service on Dec 23, 2019, acquired the sample and performed further research on it. Our analysis indicates that the malware targets hosts running the LANDesk Management Agent. Public reporting on the malware, based on code reuse and the identification of five reused strings, links the sample to the Iranian group APT34 (also known as OilRig and HelixKitten). This report focuses on Volon Research's analysis of the malware.
This section covers the technical analysis performed by Volon Threat Research. Below is a summary of the analysis:
- The sample is PowerShell-based malware wrapped in a native binary.
- It checks whether the host has the LANDesk Management Agent installed.
- It only executes with Administrative privileges.
- If the LANDesk Management Agent is found, the malware connects to the C&C (Command and Control) server to download the second-stage payload.
- The C&C server responds with '403 Forbidden (Request forbidden by administrative rules)'.
- No further information about the second-stage payload is available.
(Static PE information)
The above screenshot shows that the malware is written in C++, is compatible with x86 and x64 architectures, and is built with memory protections disabled.
(PE Assembly information)
In a dry run, the malware triggers a UAC (User Account Control) prompt. Attackers generally do this to gain the highest privileges possible. UAC is a component of the Microsoft Windows ecosystem that helps limit the impact of malware running as the current user.
In this scenario, Administrator privileges are necessary to run the PowerShell script and carry out its actions to enumerate 'LANDesk'.
(Powershell Script inside resource)
The binary carries an encoded PowerShell script hidden inside its own resource section, making it stageless. With the help of FindResource and LoadResource, the resource is loaded into memory.
(MSDN implementation of FindResourceA and LoadResource)
File Creation Routine:
(File Creation using CreateFileA)
Once the binary is executed, it creates a directory with a random name inside the Temp directory (a new name on each execution), and the PowerShell script is saved inside that directory, also under a random name.
File Writing Routine:
(MSDN implementation of WriteFile)
(Buffer being written to powershell file created using WriteFile)
Analysis in the x64dbg debugger shows a 'do while' loop that keeps decoding the PowerShell script hidden inside the resource until it is completely decoded. From this, we observed that the payload does nothing but decode and execute a PowerShell script. We then set a breakpoint on the "WriteFile" function and waited until the malware's execution flow had decoded the PowerShell script stored in the resource section for further execution.
(Execution operation flow)
The above graph shows that if the "WriteFile" call fails to write the decoded PowerShell script into the file, the malware deletes the empty script file using DeleteFileA.
(IDA Flowchart graph in the debugger)
Inside function 'sub_4077CA', the WriteFile call reveals all the required parameters, along with the following information:
- The handle to the file which is being written to the respective path
- Decrypted ps1 script in data
- Its buffer length
(ShellExecuteA in IDA Flowchart)
If WriteFile succeeds in writing the decoded PowerShell script to the file, the script is executed using the `ShellExecute` Win32 API in a separate child thread, as shown in the above screenshot.
(Extracted Powershell Script)
The PowerShell script first checks whether LANDesk is installed on the host system, then sends a POST request with the results to the defined C&C. If the results are favorable, it downloads the second-stage payload and continues its job.
Here is the command executed by the binary:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File C:\Users\john\AppData\Local\Temp\.tmp\.ps1
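The command line above is a useful detection pivot: a PowerShell host started with an execution-policy bypass, running a .ps1 file dropped under a user's Temp directory, with the parent binary itself living in Temp. The script below is an added example (not part of the report and not the malware's code) that applies those three checks to process-creation events. The event lines are constructed for the example, in a tab-separated key=value form loosely modelled on Sysmon Event ID 1 fields; the user name, timestamps, parent binary name and script names are placeholders.

```python
"""Flag powershell.exe launches that match the PowDesk pattern described above.

Added example for illustration; the event lines are constructed, not real
telemetry, and the field names (UtcTime, Image, ParentImage, CommandLine)
are assumed to follow a Sysmon Event ID 1 style export.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample events (placeholders, not indicators from the report).
SAMPLE_EVENTS = [
    # 1. The PowDesk-style launch: policy bypass, .ps1 in Temp, parent in Temp
    "\t".join([
        r"UtcTime=2019-12-23 10:00:01",
        r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"ParentImage=C:\Users\john\AppData\Local\Temp\dropper_placeholder.exe",
        r'CommandLine="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile '
        r"-ExecutionPolicy Bypass -File C:\Users\john\AppData\Local\Temp\ab12.tmp\cd34.ps1",
    ]),
    # 2. Benign admin script from a managed path, launched by a service host
    "\t".join([
        r"UtcTime=2019-12-23 10:02:00",
        r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"ParentImage=C:\Windows\System32\svchost.exe",
        r"CommandLine=powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1",
    ]),
    # 3. Not PowerShell at all
    "\t".join([
        r"UtcTime=2019-12-23 10:03:00",
        r"Image=C:\Windows\System32\notepad.exe",
        r"ParentImage=C:\Windows\explorer.exe",
        r"CommandLine=notepad.exe C:\Users\john\notes.txt",
    ]),
    # 4. Same technique using powershell.exe's abbreviated parameter names
    "\t".join([
        r"UtcTime=2019-12-23 10:05:00",
        r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"ParentImage=C:\Windows\explorer.exe",
        r"CommandLine=powershell.exe -ep bypass -f C:\Users\john\AppData\Local\Temp\x.ps1",
    ]),
]

# Windows command-line tokens: a double-quoted run or a run of non-whitespace.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# User and system temp locations where a dropped script or dropper would sit.
_TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# powershell.exe accepts unambiguous prefixes of its parameters, so accept
# -ExecutionPolicy, -Exec, -ex, -ep and -File, -f (assumed prefix set).
_EXECPOLICY_RE = re.compile(r"^-(ex\w*|ep)$", re.IGNORECASE)
_FILE_RE = re.compile(r"^-f(ile)?$", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split a tab-separated key=value event line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def tokenize_cmdline(cmd: str) -> List[str]:
    """Split a command line into arguments, stripping surrounding quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN_RE.finditer(cmd)]


def analyze_event(fields: Dict[str, str]) -> List[str]:
    """Return the list of matching signals for one process-creation event."""
    reasons: List[str] = []
    image = fields.get("Image", "")
    if image.rsplit("\\", 1)[-1].lower() != "powershell.exe":
        return reasons
    tokens = tokenize_cmdline(fields.get("CommandLine", ""))
    script = None
    for i, tok in enumerate(tokens[:-1]):
        nxt = tokens[i + 1]
        if _EXECPOLICY_RE.match(tok) and nxt.lower() == "bypass":
            reasons.append("execution policy bypass")
        elif _FILE_RE.match(tok):
            script = nxt
    if script and script.lower().endswith(".ps1") and _TEMP_DIR_RE.search(script):
        reasons.append("script file in Temp directory")
    if _TEMP_DIR_RE.search(fields.get("ParentImage", "")):
        reasons.append("parent binary in Temp directory")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Report events with at least two independent signals as (time, parent, reasons)."""
    hits = []
    for line in lines:
        fields = parse_event(line)
        reasons = analyze_event(fields)
        if len(reasons) >= 2:
            hits.append((fields.get("UtcTime", "?"), fields.get("ParentImage", "?"), reasons))
    return hits


if __name__ == "__main__":
    for when, parent, why in scan(SAMPLE_EVENTS):
        print(f"{when}  parent={parent}  signals={', '.join(why)}")
```

Requiring two signals keeps a lone `-ExecutionPolicy Bypass` (common in legitimate automation) from paging anyone, while the temp-dropped script plus a temp-resident parent, the combination this sample produces, is reported. The prefix handling matters: an alert written only against the literal string `-ExecutionPolicy Bypass` misses the equivalent `-ep bypass` form in event 4.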
APT34 (also known as OilRig and HelixKitten) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets.
MITRE ATT&CK group tracking: https://attack.mitre.org/groups/G0049/
LANDesk is an asset management software system used to remotely inventory and manage desktop computers. It has the ability to report on installed software and hardware, allow remote assistance, and install operating system security patches.
The malware is tracked under the name 'PowDesk' and is PowerShell-based. Based on its functionality, we assess that the attacker's interest is the IT sector, specifically MSPs (Managed Service Providers) that use the LANDesk Management Agent to take remote control of their customers' networks and manage desktop systems. Since the C&C domain URL responds with a '403 Forbidden' message, we are not able to obtain any further information on the second-stage payload. However, we recommend that organizations running the LANDesk Management Agent across their enterprise network systems block the IoCs attached to this report.
Although it is unclear how the first-stage malicious binary was delivered, the sample's file name leads us to suspect that the attackers are sending phishing emails containing the malicious binary and tricking users into 'REINSTALL'-ing the LANDesk Management Agent.