Overview During March-May the Blue Mockingbird group infected thousands of computer systems, mainly in the enterprise environment. There are known incidents in which they exploited the CVE-2019-18935 vulnerability in Telerik Web UI for ASP.NET, then they used various backdoors and finally, they deployed XMRig-based CoinMiners for mining Monero cryptocurrency. Interesting about these cases is the persistence which they used for CoinMiners - lot of techniques including scheduled tasks, services, but also WMI Event Subscription and COR Profilers.
Background A few days ago, we detected a PDF file with a non-zero detection score on VirusTotal, however, almost all the detections have only a kind of “generic” results. Moreover, further investigation revealed that the same file was two weeks ago without any detections on VirusTotal. We continued with a deeper analysis of this document and its behavior to determine if this is only a false-positive alert, or if it can be a serious problem for those, who already opened this PDF document.
Introduction In the post about GandCrab String Decryption I use very simple heuristic for identifying the function for string decryption. Because this kind of funtion is usually heavily used, I made an assumption that the scting decryption function is the most used function in our sample. This assumption is correct for GandCrab v5.1 DLL files, but it turns out that it is not true for GandCrab v5.2 and v.53. EXE samples.
Introduction In the last arcitle about Ursnif campaign have been presented the ursnif powershell downloader, which was also able to download the GandCrab payload. This payload was injected as DLL library into the running process and during the last analysis I have extracted it. Now, it is time to look more closely at this GandCrab sample. Obfuscated strings After a quick look at the disassembly we can notice many calls to one particular function, in our case named by IDA as sub_10009E69.
Introduction In the first part of this analysis have been presented the two types of macro-enabled documents with powershell downloader spreading via emails in recent campaign. The powershell downloaders and/or the macros were slightly obfuscated, however, it was easy to defeat this obfuscation and reveal their purpose. Unfortunately, during my analysis the downloaded content was not present on the involved servers and also in the most cases it was not available even during the analysis on sandboxes like Any.