Sibot exe
The VBScript is executed through a scheduled task. GoldFinder is another Go malware used by the attackers to reach a hardcoded command-and-control (C2) server while logging the route, or hops, that a packet takes, much like an HTTP tracer tool. Sibot Trojan used by UNC, Picus Labs, May 11. GoldMax proceeds to parse the data structure depicted above and uses the values within it to initialize its runtime settings and the variables used by its different components.

If the configuration file is not present on the system, i. It then uses the same AES encryption methodology to encrypt the data structure. It then creates a configuration file on the file system e. After loading its configuration data, GoldMax checks the current date-time value of the compromised system against the activation date from the configuration data.

Figure 3. If an activation date-time value is specified in the configuration data i. Otherwise, GoldMax terminates and continues to do so until the activation date is reached. If no activation date is specified in the configuration data i.

However, through its command-and-control feature, the operators can dynamically update the activation date using a specific C2 command, in which case the new activation date is stored in the configuration file and is checked each time GoldMax runs. GoldMax is equipped with a decoy network traffic generation feature that allows it to surround its malicious network traffic with seemingly benign traffic.

This feature is meant to make distinguishing between malicious and benign traffic more challenging. Figure 4. As shown above, some of the decoy URLs point to the domain name of the actual C2 e. The Referer value for each decoy HTTP request is also pseudo-randomly selected from a list of four legitimate domain names. For example, we have seen the following in various combinations to make up lists of four domains: www[. The next step in the execution cycle involves establishing a secure session key between GoldMax and its C2 server.

The Cookie value is composed of the following dynamically generated and hardcoded values. Figure 6. Figure 7. The Referer value is pseudo-randomly selected from a list of four legitimate domain names using various combinations of the following: www[. The seemingly random-looking string is typically bytes long after all leading and trailing white space has been removed.

If GoldMax does not receive the expected string, it sleeps for a random amount of time and repeats indefinitely the process described above to obtain the expected string from its C2 server, or until the GoldMax process is terminated. After receiving the expected string, GoldMax sleeps for up to 14 seconds before proceeding.

If the decoy traffic option is enabled in the configuration data, GoldMax issues a pseudo-random number of HTTP GET requests as described under the decoy network traffic section above. Figure 8. J4yeUYKyeuNa2 from the second request above. Decode and parse using x GoldMax uses rsa. From this point on, the session key is used to encrypt data sent between GoldMax and its C2 server.

After establishing a session key, GoldMax reaches out to its C2 server to receive, decrypt AES , parse, and execute commands. Figure 9. The command is encrypted using the session key established between GoldMax and its C2 server. After decoding and decrypting the C2 command, GoldMax proceeds to parse the C2 command. It is worth noting that all observed versions of GoldMax were compiled with the Go compiler version 1. Sibot is a dual-purpose malware implemented in VBScript.

It is designed to achieve persistence on the infected machine then download and execute a payload from a remote C2 server. The VBScript file is given a name that impersonates legitimate Windows tasks and is either stored in the registry of the compromised system or in an obfuscated format on disk.

The VBScript is then run via a scheduled task. Sibot reaches out to a legitimate but compromised website to download a DLL to a folder under System. This simplistic implementation keeps the actor's footprint low, since they can download and run new code without changing anything on the compromised endpoint simply by updating the hosted DLL.

The compromised website used to host the DLL is different for every compromised network and includes websites of medical device manufacturers and IT service providers. The registry key referenced in this command-line contains the second-stage script. The purpose of the second-stage script is to download and run a payload from a remote server.

The script can be customized with the following parameters. The next step of the second-stage script is to check whether the machine is configured to use proxies and, if so, to get the address of a proxy. In both versions of the script, the request is GET.

Any chance this will be published for x86?

Great bot! Amazing community.

NET Automatic Build by Kaphotics. NET; compiled and ready to run, 64 bit!