sLoad Malware Delivery Through Phishing Campaigns in Ukraine

Phishing campaign targets Ukraine, delivering sLoad malware through fake PDF links in .rar files, with advanced obfuscation and reconnaissance tactics.


Introduction

StrikeReady Labs recently reported an ongoing phishing campaign in Ukraine that uses malicious .rar files to deliver the sLoad malware. This malware, hidden within a series of disguised files, employs several reconnaissance techniques to gather information about the infected system and ultimately installs the banking trojan Ramnit.

sLoad Malware: A Breakdown

sLoad is a PowerShell-based downloader primarily used to deliver the Ramnit banking trojan. It performs extensive reconnaissance on the compromised system, including gathering information on running processes, identifying Outlook and Citrix files, and capturing screenshots. It even examines the DNS cache for specific domains, such as banking sites, to prepare for targeted attacks. Additionally, sLoad can download and execute external binaries, extending its capabilities within the infected system.

Attack Overview

Phishing Email and File Structure

The phishing email impersonates Ukraine's Security Service (SBU) and demands the recipient provide documentation by a specific deadline, threatening account suspension for non-compliance. The email includes a .rar file attachment that, when downloaded and unzipped, reveals a .pdf.lnk file disguised as a legitimate PDF document.

  • Email Content: The message, written in Ukrainian, is designed to appear urgent and authoritative, pressuring the recipient to open the attached file. The English translation of the email reads:
    "Good day! Please provide the list of documents by November 5, 2024; otherwise, your activity will be suspended."

Screenshots from VirusTotal show that the .rar file is already flagged as malicious by several detection engines.

File Analysis

The запит.rar File: Upon saving and unzipping the .rar file, users find an additional zip file that, when extracted, reveals a .lnk file (a Windows shortcut) misleadingly named as a PDF.

Malicious .lnk File: VirusTotal reports indicate that this .lnk file is packed with malicious PowerShell code, which can identify debugging environments, potentially hindering attempts to analyze or sandbox the file.

File Properties and PowerShell Code: Examining the .lnk file’s properties, we see that it uses PowerShell in the "Target" field to execute a command that downloads a VBS file (GB.vbs) from an external server.

Below is the full command, which can be found inside the "Target" field.

Since we know the URL where the file is hosted, we can use wget or curl to manually download and save the file.

The VBScript File

The downloaded VBScript (GB.vbs) is heavily obfuscated. It employs numerous techniques to obscure its function, such as random variable names and multiple layers of code designed to make analysis difficult.

As we examine the code further, meaningful functions start to appear, providing insight into how to reverse-engineer it. For instance, the function go.replace is used to replace every # character with A.

The Unfmatronlike function specifically checks whether the computer name starts with "MAA1" or includes "-PC", effectively preventing the code from running on specific systems.

The TimeSerial() function introduces a delay in code execution, potentially bypassing detection by sandbox environments and automated analysis tools.

Step-by-Step De-Obfuscation

To begin de-obfuscation, we start by replacing all # symbols with A in the code and consolidating certain function calls.

With these modifications, it becomes clearer that the script executes PowerShell commands and assigns a base64-encoded string to a variable named codigo.

Using CyberChef, we decode the base64 string to reveal the next stage of the code.
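As an added worked example (not StrikeReady's script and not the real GB.vbs), the three de-obfuscation steps above in Python: restoring '#' to 'A', consolidating the concatenated string pieces assigned to codigo, and base64-decoding the result. The VBScript fragment and the next-stage command it carries are constructed stand-ins.

```python
import base64
import re

# Constructed next-stage command (not the real sLoad payload), used only to build a
# GB.vbs-style sample so the de-obfuscation steps can be exercised offline.
NEXT_STAGE = "Start-Process powershell -WindowStyle Hidden -ArgumentList '-nop'"


def build_sample() -> str:
    """Constructed stand-in for GB.vbs: the base64 payload is split across
    '& _' line continuations and every 'A' is swapped for '#'."""
    b64 = base64.b64encode(NEXT_STAGE.encode()).decode()
    chunks = [b64[i:i + 24] for i in range(0, len(b64), 24)]
    body = " & _\n    ".join(f'"{c}"' for c in chunks)
    script = f'Dim codigo\ncodigo = {body}\nSet sh = CreateObject("WScript.Shell")\n'
    return script.replace("A", "#")


def restore_hashes(script: str) -> str:
    """Step 1: undo the '#' -> 'A' substitution that go.replace performs at run time."""
    return script.replace("#", "A")


def extract_codigo(script: str) -> str:
    """Step 2: consolidate the quoted pieces assigned to `codigo` (following
    '& _' continuations) into one base64 string."""
    m = re.search(r'codigo\s*=\s*((?:[^\n]*_[ \t]*\n)*[^\n]*)', script, re.IGNORECASE)
    if not m:
        raise ValueError("no codigo assignment found")
    return "".join(re.findall(r'"([^"]*)"', m.group(1)))


def decode_next_stage(script: str) -> str:
    """Step 3: base64-decode the consolidated string (the CyberChef step above).
    validate=True makes a leftover '#' fail loudly instead of decoding garbage."""
    b64 = extract_codigo(restore_hashes(script))
    return base64.b64decode(b64, validate=True).decode("utf-8")


if __name__ == "__main__":
    sample = build_sample()
    print(sample)
    print("next stage:", decode_next_stage(sample))
```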

The first section downloads two image files, one from a Bitbucket repository and one from GitHub:

https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417
https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?

The second section extracts a base64-encoded string from within these images. The string is located between markers <<BASE64_START>> and <<BASE64_END>>.

An additional hidden URL, written in reverse, links to a text file in another Bitbucket repository. The code looks for a method called la in a type (like a class) stored in a variable called $type.

From the snippet we can confirm that the method being invoked involves a registration process using RegAsm. This could mean that it registers a .NET assembly to allow it to be used by other applications or components.

https://bitbucket.org/rulmerurk/ertertqw/downloads/AgFShda.txt

Reviewing the repository gives us insight into how the malicious code is staged. We can also see the number of downloads and the repository's creation date (2024-10-11).

By reversing and decoding the text downloaded from the URL, we identify a PE (Portable Executable) file, confirmed by the "MZ" magic header signature.
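An added example (not the campaign's code) that exercises the three stage-2 mechanics described above: extracting the base64 between the <<BASE64_START>> and <<BASE64_END>> markers inside the image, restoring the reversed staging URL, and reversing-then-decoding the downloaded text followed by the MZ/PE header check. The image bytes, the PE-shaped blob and the placeholder URL are constructed.

```python
import base64
import struct

# Markers quoted in the write-up; everything else here is constructed sample data.
START, END = b"<<BASE64_START>>", b"<<BASE64_END>>"
# Constructed reversed URL with a placeholder host (not the real staging repository).
REVERSED_URL = "txt.egats/sdaolnwod/dilavni.elpmaxe//:sptth"

def build_fake_pe() -> bytes:
    """Constructed PE-shaped blob (not a real executable): an 'MZ' DOS header whose
    e_lfanew field at offset 0x3C points at a PE signature."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20

def build_fake_image(payload: bytes) -> bytes:
    """Constructed img_test.jpg stand-in: JPEG SOI, filler, markers around the base64, EOI."""
    return (b"\xff\xd8\xff\xe0" + b"\x00" * 32 + START
            + base64.b64encode(payload) + END + b"\xff\xd9")

def build_fake_text() -> str:
    """Constructed AgFShda.txt stand-in: the fake PE base64-encoded, then reversed."""
    return base64.b64encode(build_fake_pe()).decode()[::-1]

def extract_between_markers(blob: bytes) -> bytes:
    """Stage 2a: locate the markers inside the image and decode what sits between them."""
    start = blob.find(START)
    end = blob.find(END, start + len(START)) if start != -1 else -1
    if start == -1 or end == -1:
        raise ValueError("markers not found in image")
    return base64.b64decode(blob[start + len(START):end], validate=True)

def unreverse_url(reversed_url: str) -> str:
    """Stage 2b: the staging URL is stored backwards in the script."""
    return reversed_url[::-1]

def reverse_and_decode(text: str) -> bytes:
    """Stage 2c: the downloaded text is reversed, then base64-decoded."""
    return base64.b64decode(text.strip()[::-1], validate=True)

def is_pe(blob: bytes) -> bool:
    """Confirm 'MZ' at offset 0 and the PE signature at e_lfanew (what DIE reports)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

if __name__ == "__main__":
    print(unreverse_url(REVERSED_URL))
    print("hidden payload is PE:", is_pe(extract_between_markers(build_fake_image(build_fake_pe()))))
    print("downloaded text is PE:", is_pe(reverse_and_decode(build_fake_text())))
```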

Using Detect It Easy (DIE), we verify that the PE file is a 32-bit binary.

When we run strings on this file, we find references to PuTTY, revealing that the malware is a trojanized version of the popular SSH client, modified to exploit infected systems.

Summary

This phishing campaign targeting Ukraine underscores the evolving sophistication of phishing and malware delivery methods. By embedding malware within disguised .lnk files and using layered obfuscation techniques, attackers have created a resilient delivery mechanism that leverages PowerShell, base64 encoding, and public repositories for staging malicious payloads.

IOCs

Name:
SHA256: cdee8ed8ea8f4068ab96b1039ac7d0d7c875b34b85b2caf7895f2b7188a3e8f9

Name: запит.zip
SHA256: d059b37e302e7a5328ecdabe9fc38adac4dfc7430d72b4b24bcddeb2600b69e5

Name: запит.rar
SHA256: 717184f8dcae50b9e8f35630bf645c78ece73b0d9b627df9b8601f34edce9e46

Name: Запит_СБУ_8473784.pdf.lnk
SHA256: 06561b823184eb243a781bdf8db1cbd36ab8ed1bf60fb9204d07557d077c9453

URLs
=====================================================
hxxps[://]bitbucket[.]org/adssgfdsg/testing/downloads/img_test[.]jpg?144417
hxxps[://]raw[.]githubusercontent[.]com/santomalo/audit/main/img_test[.]jpg?
hxxps[://]bitbucket[.]org/rulmerurk/ertertqw/downloads/AgFShda[.]txt

IP
=====================================================
66[.]63[.]187[.]150