Thank you so much for your valuable information. Yes, absolutely, I agree that even I could not find it. Let me share briefly about the MoriAgent malware.

OVERVIEW

Based on reports from our threat intel partners, an ongoing campaign has been observed targeting government organizations in various sectors, including healthcare, education, diplomacy and telecommunication, among others. The campaign involves the spread of backdoors targeted at agencies within these high-value sectors. One among the many backdoors, dubbed MoriAgent, allows attackers to list and fetch victims' files, download other files from the C2, and run arbitrary commands on the victim's machine. The backdoor was earlier associated with the TEMP.Zagros activity targeting the Afghan communications provider, but the latest reports indicate that they are spreading their wings to the entire Middle East.

THREAT DETAILS

Technical Details

According to researchers, MORIAGENT is a fully functional backdoor written in native C++. It uses statically linked custom libraries to make analysis more difficult. In a recent update to the malware, a 200 MB random resource was added to avoid anti-virus scans and sandboxes. Debug messages containing paths were also removed in this version. Also noted is that the malware uses a unique dictionary for Base64 encoding and a specific implementation of the LZMAT compression library. The command and control (C&C) configuration of the malware and its ID are written to the registry by the dropper. Researchers have listed spear-phishing email as the most likely method of delivery of the backdoor.

There are three stages to the working of this backdoor:

First stage: involves the use of a downloader to obtain the other components and stage them in memory. It contains a number of obfuscation and anti-analysis techniques. Once the loader finds that it is running in a safe environment, it decodes the C2 URL that was hardcoded in the binary, resulting in a URL with the following syntax, which is then queried in a loop to obtain orders:

    http://[host]/[page].php?c=[backdoor identifier]

Second stage (DLL Dropper): Operated by the loader, it is invoked using an export function named 'init' as the entry point. A compressed, custom-encoded file is grabbed from the C&C, based on the file's internal ID on the server and its hash. The file is dropped to a location chosen by the attacker. A callback table with commands is prepared for executing the final payload.

Third stage (Payload, MoriAgent): This final stage embodies a simple remote administration tool written in C++, which supports several commands to control the victim's machine. After installation, the attacker is capable of listing and fetching the victim's files, as well as downloading other files from the C2 and running arbitrary commands on the machine using a "cmd.exe" shell. During this phase, two types of requests are used. The first is a 'beacon' request, which is sent periodically once per minute and is intended to keep a steady heartbeat to the C2 server; the request has the following format:

    http://domain[.]com/Index.php?i=%Info_value%&t=t

The second is a 'beam' request, which is sent once every 20 beacons and is used to convey information on the contacting implant; the request has the following pattern for file execution:

    http://domain[.]com/Index.php?i=%Info_value%&t=u&cv=64&ch=%hash_of_a_file%

Additionally, the backdoor POWERSTATS has also been observed as part of the same campaign. This version of POWERSTATS achieves self-persistence by creating a registry key or a scheduled task named GoogleUpdateNT. This involves the execution of a JScript file to pass the flow to Windows Management Interface (WMI) in order to execute an inline PowerShell command.

After the installation of MoriAgent and POWERSTATS, the attacker would most likely be able to perform lateral movement within the target network.

IMPACT

MoriAgent has the capability to remotely control affected devices and steal data. The information gained through a successful infection could lead to follow-up attacks, including unauthorized access to a victim's network, privilege escalation, data exfiltration, data modification/destruction, and denial of service.

RECOMMENDATIONS

- Monitor and block malicious samples/traffic associated with the IOCs in the appendix.
- Implement a least-privilege policy within the organization: reduce adversaries' ability to escalate privileges or pivot laterally to other hosts. Control creation and execution of files in important directories.
- Deploy and update firewalls and configure rules to detect similar patterns.
- Review system logs and deploy file monitoring to detect changes to files in web directories of a web server.
- Review system logs and investigate any anomalies, suspicious behavior, or unusual login activity such as unorthodox work hours or logins from outside the geographic region.
- Search for infections with an updated endpoint detection system.
- Spread awareness among employees to be cautious while visiting websites or opening emails.
- Ensure a secure configuration of web servers. All unnecessary services and ports should be disabled or blocked.

The below SNORT rule can be used to detect the MoriAgent beacon:

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MoriAgent Beacon HTTP Request"; content:"/Index.php?i="; depth:200; content:"&t="; within:64; content:"HTTP/1.1"; within:64; content:"Content-Type: application/json"; within:32; content:"Content-Length: 0"; within:90; threshold:type limit,track by_src,count 1,seconds 120; sid:1000001; rev:1;)

Below are YARA rules to detect POWERSTATS.

YARA rule to detect the substitution table used in PowerShell code:
    rule SubstitutionTable_in_PowerShell
    {
        meta:
            description = "Detect the substitution table used in PowerShell code (2019-2020)"
            hash = "A18016AF1E9ACDA5963112EE8BEEB28B"
        strings:
            $a1 = "Replace('(','a'"
            $a2 = "Replace(')','b'"
            $a3 = "Replace('{','c'"
            $a4 = "Replace('}','d'"
            $a5 = "Replace('[','e'"
            $a6 = "Replace(']','f'"
        condition:
            // all six substitutions must sit within 200 bytes of the first one
            $a1 and $a2 in (@a1..@a1+200) and $a3 in (@a1..@a1+200) and
            $a4 in (@a1..@a1+200) and $a5 in (@a1..@a1+200) and
            $a6 in (@a1..@a1+200) and filesize < 100000
    }

YARA rule to detect the PowerStats backdoor (JScript launcher):

    rule POWERSTATS_JscriptLauncher
    {
        meta:
            description = "POWERSTATS Jscript Launcher"
            hash = "6C97A39A7FFC292BAF8BE1391FCE7DA0"
        strings:
            $a1 = "$s=(get-content"
            $a2 = "Get('Win32_Process').Create(cm"
            $a3 = "var cm="
        condition:
            all of them and filesize < 600
    }

YARA rule to detect PowerStats de-obfuscated:

    rule POWERSTATSLite
    {
        meta:
            hash = "A18016AF1E9ACDA5963112EE8BEEB28B"
        strings:
            $a1 = "$global:key"
            $a2 = "$global:time"
            $a3 = "webreq = [System.Net.WebRequest]::Create($url)"
        condition:
            all of them and filesize < 3000
    }

YARA rule to detect the MoriAgent implant:

    rule MoriAgent
    {
        meta:
            description = "C++ MuddyWater implant"
            hash = "12755B210EC1171045144480ACD05AA8"
        strings:
            // $f strings are the obfuscated (character-shifted) API names as they appear in the binary
            $f1 = "|x7d873iqq" ascii fullword
            $f2 = "ljyfiiwnskt" ascii fullword
            $f3 = "htssjhy" ascii fullword
            $f4 = "kwjjfiiwnskt" ascii fullword
            $f5 = "hqtxjxthpjy" ascii fullword
            $f6 = "\\XFXyfwyzu" ascii fullword
            $f7 = "\\XFHqjfszu" ascii fullword
            $f8 = "ZmilXzwkm{{Umuwz" ascii fullword
            $f9 = "^qz|}itXzw|mk|" ascii fullword
            $f10 = "_zq|mXzwkm{{Umuwz" ascii fullword
            $content = "Content-Type: application/json" ascii fullword
        condition:
            // MZ header, under 2 MB, the JSON content-type string and at least 5 of the obfuscated names
            uint16(0) == 0x5A4D and filesize < 2MB and $content and 5 of ($f*)
    }

YARA rule to detect PowerStats implants:

    rule POWERSTATS_Implants
    {
        meta:
            description = "Detects all POWERSTATS implants"
            hash = "A18016AF1E9ACDA5963112EE8BEEB28B"
            hash = "409558610BE62655FBA0B1F93F2D9596"
            hash = "DD32B95F865374C31A1377E31FA79E87"
        strings:
            $a1 = "if ($resp -ne $null){"
            $a2 = "out = $_.Exception.Message"
            $a3 = "IEX $cmd -ErrorAction SilentlyContinue"
        condition:
            all of them and filesize < 50000
    }
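As an added example (not code from the original post, nor from the threat intel partners it cites), the following Python script hunts for the three URL shapes quoted above in HTTP proxy logs: the first-stage loader poll (`/[page].php?c=...`), the once-per-minute `t=t` beacon, and the `t=u&cv=64&ch=...` beam. It groups hits per source host and flags a host whose beacons arrive at a steady one-minute cadence, which is the behaviour the write-up describes and something the Snort rule alone does not capture. The log format, host names, backdoor identifiers, hash value and timings are all constructed for this example.

```python
"""Hunt for MoriAgent-style beacon traffic in HTTP proxy logs (added illustration)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Beacon (t=t) and beam (t=u&cv=..&ch=..) shapes as quoted in the write-up.
BEACON_RE = re.compile(
    r"/Index\.php\?i=(?P<info>[^&\s]+)&t=(?P<kind>[tu])"
    r"(?:&cv=(?P<cv>\d+)&ch=(?P<ch>[0-9A-Fa-f]+))?"
)
# First-stage loader polling shape: http://[host]/[page].php?c=[backdoor identifier]
LOADER_RE = re.compile(r"/[A-Za-z0-9_-]+\.php\?c=[^&\s]+$")

# Constructed proxy log format (assumption): "<ISO timestamp> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)")

# Constructed sample log: 10.1.2.3 shows the full loader/beacon/beam sequence,
# 10.1.2.4 is a benign Index.php hit, 10.1.2.5 has a single beacon-shaped hit.
SAMPLE_LOG = """\
2020-03-01T10:00:00 10.1.2.3 GET http://c2.example/load.php?c=ABC123 200
2020-03-01T10:00:30 10.1.2.3 GET http://c2.example/Index.php?i=ABC123&t=t 200
2020-03-01T10:01:30 10.1.2.3 GET http://c2.example/Index.php?i=ABC123&t=t 200
2020-03-01T10:02:31 10.1.2.3 GET http://c2.example/Index.php?i=ABC123&t=t 200
2020-03-01T10:03:29 10.1.2.3 GET http://c2.example/Index.php?i=ABC123&t=t 200
2020-03-01T10:04:30 10.1.2.3 GET http://c2.example/Index.php?i=ABC123&t=u&cv=64&ch=0123456789ABCDEF 200
2020-03-01T10:00:05 10.1.2.4 GET http://intranet.example/Index.php?page=home 200
2020-03-01T10:00:07 10.1.2.5 GET http://c2.example/Index.php?i=ZZZ&t=t 200
"""


def parse_line(line):
    """Split one constructed log line into timestamp, source, method and URL."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, method, url = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method, "url": url}


def classify(url):
    """Return ('beacon' | 'beam' | 'loader' | None, captured fields)."""
    m = BEACON_RE.search(url)
    if m:
        return ("beacon" if m.group("kind") == "t" else "beam"), m.groupdict()
    if LOADER_RE.search(url):
        return "loader", {}
    return None, {}


def hunt(log_text, interval=60.0, tolerance=5.0, min_beacons=3):
    """Group indicator hits per source host and flag steady-cadence beaconing."""
    per_src = defaultdict(lambda: {"beacon": [], "beam": [], "loader": [], "info": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        kind, details = classify(rec["url"])
        if kind is None:
            continue
        per_src[rec["src"]][kind].append(rec["ts"])
        if details.get("info"):
            per_src[rec["src"]]["info"].add(details["info"])

    findings = {}
    for src, d in per_src.items():
        times = sorted(d["beacon"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Regular if enough beacons, mean gap near the expected interval, low jitter.
        regular = (
            len(times) >= min_beacons
            and abs(mean(gaps) - interval) <= tolerance
            and pstdev(gaps) <= tolerance
        )
        findings[src] = {
            "beacons": len(times),
            "beams": len(d["beam"]),
            "loader_polls": len(d["loader"]),
            "mean_gap_s": round(mean(gaps), 1) if gaps else None,
            "regular_beacon": regular,
            "ids": sorted(d["info"]),
        }
    return findings


if __name__ == "__main__":
    for host, summary in hunt(SAMPLE_LOG).items():
        print(host, summary)
```

Run the script against exported proxy or web-gateway logs in the same four-column shape (adjust `LOG_RE` for your format); a host reported with `regular_beacon` set, especially alongside a loader poll and a beam with `cv=64`, is worth pulling for host triage with the YARA rules above. The `tolerance` parameter absorbs the few seconds of jitter a real implant shows between requests.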