05-11-2020 11:05 PM
Is MortiAgent malware added to the Palo Alto signatures database?
Is Palo Alto aware of this malware?
I want to stop the MoriAgent malware.
How do I configure this in Palo Alto?
05-12-2020 01:28 AM
Hi @Mohammed_Yasin,
I was unable to find MortiAgent in the PAN Threat Vault:
Palo Alto Networks Threat Vault
That said, I can't find ANY hits on MortiAgent Malware in google either (except for your posts ^_^ ).
Did you mean the following TIDs that refer to .morti in the PAN Threat Vault?
Name: Virus/OSX.WGeneric.morti
Unique Threat ID: 183519795
Create Time: 2017-07-29 02:11:02 (UTC)
or maybe this one ?
Name: Worm/Win32.allaple.morti
Unique Threat ID: 86806904
Create Time: 2015-12-14 10:50:28 (UTC)
If you don't mean the above TIDs, then please provide more information on the malware and/or check how to create custom signatures to help you block it:
How to Create Custom Threat Signatures
Cheers,
-Kiwi.
05-12-2020 02:04 AM
Thank you so much for your valuable information.
Yes, absolutely, I agree that even I could not find it.
Let me share briefly about the MortiAgent malware.
OVERVIEW
Based on reports from our threat intel partners, an ongoing campaign has been observed
targeting government organizations in various sectors, including healthcare,
education, diplomacy and telecommunication, among others. The campaign involves the
spread of backdoors targeted at agencies within these high-value sectors.
One of the many backdoors, dubbed MoriAgent, allows attackers to list and fetch the victim's files,
download other files from the C2, and run arbitrary commands on the victim's machine.
The backdoor was earlier associated with the TEMP.Zagros activity targeting the Afghan
communications provider, but the latest reports are indicative of them spreading their wings to the
entire Middle East.
THREAT DETAILS
Technical Details
According to researchers, MORIAGENT is a fully functional backdoor written in native C++. It
uses statically linked custom libraries to make analysis more difficult. In a recent update to the
malware, a 200 MB random resource was added to avoid anti-virus scans and sandboxes.
Debug messages containing paths were also removed in this version.
Also noted is that the malware uses a unique dictionary for Base64 encoding and a specific
implementation of the LZMAT compression library. The command and control (C&C)
configuration of the malware and its ID are written to the registry by the dropper.
Researchers have listed spear-phishing email as the most likely method of delivery of the
backdoor.
There are three stages to the working of this backdoor:
The first stage involves the use of a downloader to obtain the other components and stage
them in memory. It contains a number of obfuscation and anti-analysis techniques.
Once the Loader finds that it is running in a safe environment, it decodes the C2 URL
that was hardcoded in the binary - resulting in a URL as per the below syntax, which is
then queried in a loop to obtain orders:
http://[host]/[page].php?c=[backdoor identifier]
Second stage DLL Dropper: Operated by the loader, it is invoked using an export
function named ‘init’ as the entry point. A compressed, custom-encoded file is
grabbed from the C&C, based on the file internal ID on the server and hash. The file is
dropped to a location chosen by the attacker. A callback table with commands is
prepared for executing the final payload.
Third Stage Payload (MoriAgent): This final stage embodies a simple remote
administration tool written in C++, which supports several commands to control the
victim's machine. After installation, the attacker is capable of listing and fetching the
victim's files, as well as downloading other files from the C2 and running arbitrary
commands on the machine using a "cmd.exe" shell.
During this phase, two types of requests are used.
The first is a 'beacon' request, which is sent periodically once per minute and is intended
to keep a steady heartbeat to the C2 server. The request has the following format:
http://domain[.]com/Index.php?i=%Info_value%&t=t
The second is a 'beam' request, which is sent once every 20 beacons and is used to
convey information on the contacting implant. The request has the following pattern
for file execution:
http://domain[.]com/Index.php?i=%Info_value%&t=u&cv=64&ch=%hash_of_a_file%
Additionally, the backdoor POWERSTATS has also been observed as part of the same
campaign. This version of POWERSTATS achieves self-persistence by creating a registry key or
a scheduled task named GoogleUpdateNT. This involved the execution of a JScript file to pass
the flow to Windows Management Interface (WMI) in order to execute an inline PowerShell
command.
After the installation of MoriAgent and Powerstats, the attacker would most likely be able to
perform lateral movement within the target network.
IMPACT
MoriAgent has the capability to remotely control affected devices and steal data. The
information gained through a successful infection could lead to follow-up attacks - including
unauthorized access to a victim’s network, privilege escalation, data exfiltration, data
modification/destruction, and denial of service.
RECOMMENDATIONS
Monitor and block malicious samples/traffic associated with the IOCs in the appendix
Implement least privileges policy within the organization:
Reduce adversaries’ ability to escalate privileges or pivot laterally to other hosts.
Control creation and execution of files in important directories.
Deploy and update firewalls and configure rules to detect similar patterns.
Review system logs and deploy file monitoring to detect changes to files in web
directories of a web server.
Review system logs and investigate any anomalies, suspicious behavior, or unusual
login activity such as unorthodox work hours or activity from outside the geographic region.
Search for infections with an updated endpoint detection system.
Spread awareness among employees to be cautious while visiting websites or opening emails.
Ensure a secure configuration of web servers. All unnecessary services and ports should
be disabled or blocked.
The below Snort rule can be used to detect the MoriAgent beacon.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MoriAgent Beacon HTTP Request"; content:"/Index.php?i="; depth:200; content:"&t="; within:64; content:"HTTP/1.1"; within:64; content:"Content-Type: application/json"; within:32; content:"Content-Length: 0"; within:90; threshold:type limit,track by_src,count 1,seconds 120; sid:1000001; rev:1;)
Below are YARA rules to detect POWERSTATS.
YARA rule to detect the substitution table used in PowerShell code.
rule SubstitutionTable_in_PowerShell {
    meta:
        description = "Detect the substitution table used in PowerShell code (2019-2020)"
        hash = "A18016AF1E9ACDA5963112EE8BEEB28B"
    strings:
        $a1 = "Replace('(','a'"
        $a2 = "Replace(')','b'"
        $a3 = "Replace('{','c'"
        $a4 = "Replace('}','d'"
        $a5 = "Replace('[','e'"
        $a6 = "Replace(']','f'"
    condition:
        $a1 and
        $a2 in (@a1..@a1+200) and
        $a3 in (@a1..@a1+200) and
        $a4 in (@a1..@a1+200) and
        $a5 in (@a1..@a1+200) and
        $a6 in (@a1..@a1+200) and
        filesize < 100000
}
YARA rule to detect PowerStats backdoor.
rule POWERSTATS_JscriptLauncher {
    meta:
        description = "POWERSTATS Jscript Launcher"
        hash = "6C97A39A7FFC292BAF8BE1391FCE7DA0"
    strings:
        $a1 = "$s=(get-content"
        $a2 = "Get('Win32_Process').Create(cm"
        $a3 = "var cm="
    condition:
        all of them and filesize < 600
}
YARA rule to detect de-obfuscated PowerStats.
rule POWERSTATSLite {
    meta:
        hash = "A18016AF1E9ACDA5963112EE8BEEB28B"
    strings:
        $a1 = "$global:key"
        $a2 = "$global:time"
        $a3 = "webreq = [System.Net.WebRequest]::Create($url)"
    condition:
        all of them and filesize < 3000
}
YARA rule to detect the MoriAgent implant.
rule MoriAgent {
    meta:
        description = "C++ MuddyWater implant"
        hash = "12755B210EC1171045144480ACD05AA8"
    strings:
        $f1 = "|x7d873iqq" ascii fullword
        $f2 = "ljyfiiwnskt" ascii fullword
        $f3 = "htssjhy" ascii fullword
        $f4 = "kwjjfiiwnskt" ascii fullword
        $f5 = "hqtxjxthpjy" ascii fullword
        $f6 = "\\XFXyfwyzu" ascii fullword
        $f7 = "\\XFHqjfszu" ascii fullword
        $f8 = "ZmilXzwkm{{Umuwz" ascii fullword
        $f9 = "^qz|}itXzw|mk|" ascii fullword
        $f10 = "_zq|mXzwkm{{Umuwz" ascii fullword
        $content = "Content-Type: application/json" ascii fullword
    condition:
        uint16(0) == 0x5A4D and filesize < 2MB and
        $content and 5 of ($f*)
}
YARA rule to detect PowerStats implants.
rule POWERSTATS_Implants {
    meta:
        description = "Detects all POWERSTATS implants"
        hash = "A18016AF1E9ACDA5963112EE8BEEB28B"
        hash = "409558610BE62655FBA0B1F93F2D9596"
        hash = "DD32B95F865374C31A1377E31FA79E87"
    strings:
        $a1 = "if ($resp -ne $null){"
        $a2 = "out = $_.Exception.Message"
        $a3 = "IEX $cmd -ErrorAction SilentlyContinue"
    condition:
        all of them and filesize < 50000
}
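As an added example (not part of the post above or the report it quotes), the Python below applies the 'beacon' and 'beam' request patterns from the report to constructed proxy log lines and, going one step beyond the Snort rule, only flags a source as periodic when its beacons keep the once-per-minute cadence the report describes; the hostnames, IP addresses and hash in the sample are made-up values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (timestamp, source IP, method, URL); not real traffic.
SAMPLE_LOG = """\
2020-05-12T10:00:00 10.1.1.5 GET http://example-c2.test/Index.php?i=ABC123&t=t
2020-05-12T10:00:03 10.1.1.7 GET http://intranet.test/Index.php?i=page&t=t
2020-05-12T10:01:00 10.1.1.5 GET http://example-c2.test/Index.php?i=ABC123&t=t
2020-05-12T10:02:00 10.1.1.5 GET http://example-c2.test/Index.php?i=ABC123&t=u&cv=64&ch=d41d8cd98f00b204e9800998ecf8427e
2020-05-12T10:05:00 10.1.1.9 GET http://news.test/index.html
"""

# Request shapes quoted in the report: 'beacon' (t=t) and 'beam' (t=u&cv=64&ch=<hash>).
BEACON_RE = re.compile(r"/Index\.php\?i=([^&\s]+)&t=t$")
BEAM_RE = re.compile(r"/Index\.php\?i=([^&\s]+)&t=u&cv=64&ch=([0-9A-Fa-f]+)$")


def classify(url):
    """Return ('beam', id, hash), ('beacon', id, None) or None for a request URL."""
    m = BEAM_RE.search(url)
    if m:
        return ("beam", m.group(1), m.group(2))
    m = BEACON_RE.search(url)
    return ("beacon", m.group(1), None) if m else None


def find_beaconing(log_text, period=60, tolerance=5, min_hits=2):
    """Group hits by source IP; 'periodic' is True only for the once-per-minute cadence."""
    seen = defaultdict(lambda: {"ids": set(), "beacons": [], "beams": 0})
    for line in log_text.splitlines():
        ts, src, _method, url = line.split()
        hit = classify(url)
        if hit is None:
            continue
        kind, info_id, _ = hit
        seen[src]["ids"].add(info_id)
        if kind == "beacon":
            seen[src]["beacons"].append(datetime.fromisoformat(ts))
        else:
            seen[src]["beams"] += 1
    report = {}
    for src, s in seen.items():
        times = sorted(s["beacons"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = len(times) >= min_hits and all(abs(g - period) <= tolerance for g in gaps)
        report[src] = {"ids": sorted(s["ids"]), "beacons": len(times),
                       "beams": s["beams"], "periodic": periodic}
    return report
```

A single hit on the URL shape (10.1.1.7 above) is reported but not marked periodic, which is the distinction worth triaging on before blocking.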
05-12-2020 03:00 AM
Thanks for the response.
Will Palo Alto support be able to validate the custom signature created?
Where should this IPS be applied, on an inbound or outbound security rule?