Goal: Reverse-engineer the Iranian threat group “Chafer” payload installer, focusing on its AutoIt and PowerShell persistence techniques.
3-22-2018: Iranian threat group #Chafer (thanks: @ClearskySec 👍) #malware
$userver = “j-alam[.com”+/update.php?req= (nslookup DNS/TXT)
PowerShell DL exec / registry & task scheduler
Local C2: 107.191.62[.45:7023/update.php
Intel: https://t.co/8IFNrm1zy6 pic.twitter.com/BL6qPf3FSk
— Vitali Kremez (@VK_Intel) March 22, 2018
- Payload fake Microsoft installer “Windows-KB3101246.exe” (MD5: 804460a4934947b5131ca79d9bd668cf; Original timestamp: Monday, July 31, 2017, 19:33:49 UTC)
- PowerShell script dntx.ps1 (MD5: 5cc9ba617a8c53ae7c5cc4d23aced59d)
- PowerShell script dnip.ps1 (MD5: 8132c61c0689dbcadf67b777f6acc9d9)
- nsExec.dll (MD5: b38561661a7164e3bbb04edc3718fe89)
- AutoIt script “App.au3” (MD5: 263bc6861355553d7ff1e3848d661fb8; Original timestamp: Saturday, December 2, 2017, 11:08:48 UTC)
While investigating a payload from the Iranian actor group “Chafer”, I decided to dive deeper into the chain to observe and document some of the interesting persistence and evasion techniques deployed by the group (thanks to @ClearskySec for the sample).
I. Malware install
As of March 25, 2018, the initial malware binary, masquerading as “Windows-KB3101246.exe”, notably carries a low detection ratio of 6/63 on VirusTotal. The binary is also bulky: an NSIS installer of over 1.8 MB that bundles the AutoIt3.exe interpreter and its script, the PowerShell scripts, and the embedded nsExec[.]dll.
The malware scripts leave various clues as to the original operation and contain well-commented code. Additionally, the operators left commented out what appears to be the original server, hxxp://107.191.62[.]45:7023/update[.]php.
The malware contains various functions, including the following (the original orthography is preserved):
By and large, the malware uses the directory %USERPROFILE%\AppData\Local\Microsoft\Taskbar\ (that is, %LOCALAPPDATA%\Microsoft\Taskbar\; from the original script: Local $HOME = @UserProfileDir & “\appdata\local\microsoft\Taskbar\”) for log and script storage.
A. The malware achieves persistence via the Task Scheduler. After its initial drop in %TEMP%, it installs the freeware AutoIt3.exe interpreter (a BASIC-like scripting language runtime) together with the custom script “App.au3” and registers a scheduled task via schtasks that executes the script through the interpreter.
The original AutoIt persistence script, which writes the log file “Ex.log”, is as follows:
B. Additionally, the binary also launches itself through the Windows Update Standalone Installer (wusa.exe), invoked from the dropped batch script “RunMSU” in the same %LOCALAPPDATA%\Microsoft\Taskbar\ directory.
C. Additionally, the malware achieves registry persistence by creating the entries “UMe” and “UT”, as follows:
II. Detection and mitigation
1. Monitor %LOCALAPPDATA%\Microsoft\Taskbar\ for artifacts related to the AutoIt and PowerShell scripts linked to the group (App.au3, Ex.log, the RunMSU batch script).
2. Monitor for communications to suspicious domains launched via PowerShell using the URI pattern update[.]php?req=.
3. Monitor for the scheduled task “SC Scheduled Scan.”
4. Block the C2 j-alam[.]com (and the commented-out original server 107.191.62[.]45:7023).
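As an added example (not from the original analysis and not the malware's own code), the following Python hunt rules encode the persistence and C2 indicators documented above and run them over a few constructed telemetry records shaped like normalised Sysmon/EDR events. It assumes the “UMe”/“UT” entries live under a CurrentVersion\Run key, that the RunMSU batch is visible as the parent command line of wusa.exe, and that the scheduled task action references the staging directory; the record field names (type, image, cmdline, key, host, ...) are hypothetical and would be mapped from whatever your telemetry actually emits.

```python
"""Hunt rules for the Chafer persistence chain, run over constructed telemetry."""
import re
from typing import Dict, List, Tuple

# Indicators taken from the analysis above (host, path and name strings only).
STAGING_DIR = re.compile(r"\\appdata\\local\\microsoft\\taskbar\\", re.I)
C2_HOST = re.compile(r"(?:^|\.)j-alam\.com$", re.I)
C2_ADDR = "107.191.62.45"          # commented-out original server in the script
C2_URI = re.compile(r"/update\.php\?req=", re.I)
RUN_VALUE_NAMES = {"ume", "ut"}    # assumption: created as Run-key values
TASK_NAME = "sc scheduled scan"
STAGED_NAMES = {"app.au3", "autoit3.exe", "ex.log", "dntx.ps1", "dnip.ps1"}

Event = Dict[str, str]             # flat key/value record (hypothetical field names)
Hit = Tuple[str, str]              # (rule id, human-readable reason)


def _lower(ev: Event, key: str) -> str:
    return ev.get(key, "").lower()


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> List[Hit]:
    """Apply every rule to one event and return the rules it triggers."""
    hits: List[Hit] = []
    kind = _lower(ev, "type")
    if kind == "process":
        image, cmd = _basename(ev.get("image", "")), _lower(ev, "cmdline")
        parent_cmd = _lower(ev, "parent_cmdline")
        # A: AutoIt3 interpreter handed a script staged under ...\Microsoft\Taskbar\
        if image == "autoit3.exe" and STAGING_DIR.search(cmd):
            hits.append(("chafer-autoit-task", "AutoIt3.exe running a script from the Taskbar staging directory"))
        # B: wusa.exe started by the dropped RunMSU batch (or referencing the staging dir)
        if image == "wusa.exe" and ("runmsu" in parent_cmd or STAGING_DIR.search(cmd) or STAGING_DIR.search(parent_cmd)):
            hits.append(("chafer-wusa-batch", "wusa.exe launched via RunMSU batch from the staging directory"))
        # PowerShell download-and-execute hitting the update.php?req= URI
        if image in ("powershell.exe", "pwsh.exe") and C2_URI.search(cmd):
            hits.append(("chafer-ps-c2", "PowerShell command line contains the update.php?req= C2 URI"))
    elif kind == "task":
        if _lower(ev, "name") == TASK_NAME or STAGING_DIR.search(_lower(ev, "action")):
            hits.append(("chafer-schtask", "scheduled task 'SC Scheduled Scan' or task action in staging directory"))
    elif kind == "regset":
        # C: registry persistence via the UMe / UT entries
        key, name = _lower(ev, "key"), _lower(ev, "value_name")
        if key.endswith("\\currentversion\\run") and (name in RUN_VALUE_NAMES or STAGING_DIR.search(_lower(ev, "data"))):
            hits.append(("chafer-run-key", f"Run value '{ev.get('value_name')}' matches UMe/UT or points into staging directory"))
    elif kind == "file":
        path = _lower(ev, "path")
        if STAGING_DIR.search(path) and (_basename(path) in STAGED_NAMES or _basename(path).startswith("runmsu")):
            hits.append(("chafer-staged-file", f"known artifact {_basename(path)} written to staging directory"))
    elif kind in ("dns", "http"):
        host, url = _lower(ev, "host"), _lower(ev, "url")
        if C2_HOST.search(host) or host == C2_ADDR or C2_URI.search(url):
            hits.append(("chafer-c2", f"contact with documented C2 {host or url}"))
    return hits


def hunt(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Return [(event index, rule id, reason), ...] for every event that matches a rule."""
    return [(i, rid, why) for i, ev in enumerate(events) for rid, why in check_event(ev)]


# Constructed telemetry for illustration (not real captures). Benign rows are included
# so the rules can be seen not to fire on ordinary Windows Update / Run-key activity.
SAMPLE_EVENTS: List[Event] = [
    {"type": "task", "name": "SC Scheduled Scan",
     "action": r"C:\Users\bob\AppData\Local\Microsoft\Taskbar\AutoIt3.exe C:\Users\bob\AppData\Local\Microsoft\Taskbar\App.au3"},
    {"type": "process", "image": r"C:\Users\bob\AppData\Local\Microsoft\Taskbar\AutoIt3.exe",
     "cmdline": r'"C:\Users\bob\AppData\Local\Microsoft\Taskbar\AutoIt3.exe" "C:\Users\bob\AppData\Local\Microsoft\Taskbar\App.au3"',
     "parent_cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"type": "process", "image": r"C:\Windows\System32\wusa.exe", "cmdline": r"wusa.exe",
     "parent_cmdline": r'cmd.exe /c "C:\Users\bob\AppData\Local\Microsoft\Taskbar\RunMSU"'},
    {"type": "process", "image": r"C:\Windows\System32\wusa.exe",                          # benign
     "cmdline": r"wusa.exe C:\Updates\Windows10.0-KB5000802-x64.msu /quiet /norestart",
     "parent_cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "regset", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "UMe",
     "data": r"C:\Users\bob\AppData\Local\Microsoft\Taskbar\AutoIt3.exe"},
    {"type": "regset", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "OneDrive",  # benign
     "data": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "http", "host": "j-alam.com", "url": "http://j-alam.com/update.php?req=WS01"},
    {"type": "http", "host": "update.microsoft.com", "url": "https://update.microsoft.com/"},  # benign
]

if __name__ == "__main__":
    for idx, rid, why in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rid}: {why}")
```

The rules key on the staging directory rather than on file hashes, since the hashes listed above identify one build while the directory, the task name and the Run-value names are what the persistence logic itself depends on; a rebuilt sample with a fresh hash would still trip them.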