An analysis of the malware used in the recent cyber-attacks targeting Albania

Introduction

On December the 25th, on Christmas day, a hacking group known as HomeLand Justice revealed in their telegram account that they had successfully compromised a well-known telecommunication company and the Albanian Parlament. One of the images showed images of what appeared to be access to VSphere which is a virtualization system.

Image from HomeLand Justice showing access to vSphere

In another video, HomeLand Justice showed how they were performing a wiping attack which was initiated from an Exchange server which potentially could have been the entry point of the compromise.

Image from HomeLand Justice showing access to Exchange-SRV1 as user t0.admin

On one of the videos, the attackers were showing the execution of a Powershell script, which appeared to remotely deploy a file named NACL.exe which is believed to be the wiper malware.

HomeLand Justice executing p.ps1 PowerShell Script

As no samples were made public, ClearSky, a Cyber Security company managed to identify the malware based on the filenames and file content.

ClearSky Tweet

https://twitter.com/clearskysec/status/1740003566431940983

Both samples that may have been featured in the video were also identified on VirusTotal. The files were retrieved from VirusTotal, and the entire analysis is grounded in the examination of these two files.

https://www.virustotal.com/gui/file/36cc72c55f572fe02836f25516d18fed1de768e7f29af7bdf469b52a3fe2531f https://www.virustotal.com/gui/file/c8b72d6416df83ee44134c779f70125cf1713d8797b0128ef591a7fe15674ac8

p.ps1 - Analysis

The PowerShell script shown in the video is named “p.ps1” and is pretty easy to reverse engineer as there is no obfuscation, it has comments and uses common documented functionality such as WMI and WinRM.

The script has several function but the most interesting ones are outlined below:

  • TestConnection - this is a wrapper function against Test-Connection function on Powershell.
  • TestWSManEnabled - another wrapper function for the Test-WSMan function on Powershell
  • TryToEnableWinRM This function accepts three parameters: the remote computer, username, and password. It then creates a PSCredential object with the specified credentials, and uses the Invoke-WmiMethod function to execute a command on the remote computer.
function TryToEnableWinRM

{

param($computerName, $Password, $UserName)

  

$SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force

$Credentials = New-Object System.Management.Automation.PSCredential ($Username, $SecurePassword) -ErrorAction SilentlyContinue -ErrorVariable Crederror

$result = Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell.exe Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\WinRM' -Name 'Start' -Value 2; Start-Service WinRM; Enable-Psremoting -SkipNetworkProfileCheck -force" -ComputerName $computerName -ErrorAction SilentlyContinue -Credential $Credentials

if($result)

{

return $true

}

else

{

return $false

}

}

The Invoke-WMI function will connect to the remote computer and using the Win32_Process class will execute the following commands:

powershell.exe Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\WinRM' -Name 'Start' -Value 2; Start-Service WinRM; Enable-Psremoting -SkipNetworkProfileCheck -force

The first command will set a registry key to configure the WinRM service to start automatically when the system boots. It will then start the WinRM service on the system and by using the Enable-Psremoting command, enables Powershell remoting.

  • CreateSession This function is responsible for setting up the connections to the remote computers using Powershell Remoting. If successful, it will return the session which is than later used to upload and execute executables.
if ($Username -and $Password)

{

$SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force

$Credentials = New-Object System.Management.Automation.PSCredential ($Username, $SecurePassword) -ErrorAction SilentlyContinue -ErrorVariable Crederror

if($Crederror.length -gt 0)

{

Add-Content -Path $env:Temp\$machine.txt -Value "[UnSuccess][$machine]:: [Error(CreateSession)] : $Crederror"

return $false

}

$Session = New-PSSession -ComputerName $Remotecomputer -Credential $Credentials -ErrorAction SilentlyContinue -ErrorVariable e

}

else

{

$Session = New-PSSession -ComputerName $Remotecomputer -ErrorAction SilentlyContinue -ErrorVariable e

}
  • ActionOnOpenMachine This function is one of the most important ones as is the one responsible for uploading the malicious files and executing them.

To copy files, it uses the Copy-Item function

Copy-Item -Path $SourcePath -Destination $DestPath -ToSession $Session -Force

After copying the item successfully, it will use the Invoke-Command function to execute the uploaded file.

Invoke-Command -Session $Session -ScriptBlock { Start-Process $using:DestPath -ArgumentList $using:ExecutableArgs -NoNewWindow }

To conclude, the Powershell script will read a target list that is specified by the operator and perform the following actions:

  • Will check if machine is online
  • Will check if WinRM is enabled, if not, it will enable it
  • Creates a PowerShell remoting session
  • Copies the specified file on the remote machine and execute it if run is specified as an argument

NACL.exe Analysis

The video showed HomeLand Justice group deploying a binary NACL.exe through the previously analyzed script. On the video, the file was named NACL.exe, but the original filename that it was compiled is Ptable.exe

PE file information

What was interesting in this case is that the binary was signed with a valid Code-Signing certificate as can be seen from the following image:

NACL.exe Signing Information

It is highly likely that the attackers either stole the code-signing certificates or bought them using fake companies.

Loading the NACL.exe binary in a disassembler, the binary was pretty small and mainly contained standard libraries functions. All the malicious code was located on address 0x00401010

Main function disassembly

Firstly the code defines some variables and function pointers. It loads the kernel32.dll library using LoadLibraryW. After that, it uses GetProcAddress to find the addresses of several function and load them to the function pointers that were defined earlier. It will then use a function that calls ___stdio_common_vswprintf_p and construct the following string \\.\c:. The malware will then call the CreateFileW function to open a handle to that path and store it on the v5 variable. And finally it will check if the handle is invalid, if not, it will call DeviceIoControl with the previously opened handle and the flag 0x7c100. The flag 0x7c100 stands for IOCTL_DISK_DELETE_DRIVE_LAYOUT which is used to delete the partition table and drive layout information on a disk.

Conclusions and Recommendations

While these attacks can be highly destructive, they are entirely preventable. Ensuring that externally exposed systems are updated in a timely manner and maintaining a robust security posture can significantly thwart attackers. It is crucial to disable any unused services, implement proper privilege separation, and leverage effective security solutions to proactively detect and prevent potential attacks.

References

https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/ https://www.virustotal.com/gui/file/36cc72c55f572fe02836f25516d18fed1de768e7f29af7bdf469b52a3fe2531f/details https://x.com/clearskysec/status/1740003566431940983?s=48&t=NMUlnWhWEekWk7W7mjpYBg

Updated:

You May Also Enjoy

Introducing Office 365 Attack Toolkit

During our red team operations, we frequently come in contact with organisations using Office 365. The present tooling targeted at this environment is somewh...

A journey on APT34 PoisonFrog C2 Server

In the recent years APTs have been the center of infosec. Mainly because of the public coverage by the media, glorifying by security companies and many more ...