UAC-0184 Abuses Python in DLL Sideloading for XWORM Distribution

Key Takeaways  关键要点

• Cyble Research and Intelligence Labs (CRIL) recently came across a malware campaign involving a malicious lnk file associated with the UAC-0184 threat actor group.
  Cyble Research and Intelligence Labs （CRIL） 最近遇到了一个恶意软件活动，涉及与 UAC-0184 威胁参与者组织相关的恶意 lnk 文件。
• Previously, UAC-0184 targeted Ukrainian entities in Finland, utilizing the Remcos RAT in their operations.
  此前，UAC-0184 针对在芬兰的乌克兰实体，在其行动中使用 Remcos RAT。
• In their latest campaign, there are signs suggesting the group may be focusing on Ukraine, using disguised lure documents to distribute the XWorm RAT.
  在他们最新的活动中，有迹象表明该组织可能专注于乌克兰，使用伪装的诱饵文件来分发 XWorm RAT。
• When the LNK shortcut file is executed, it triggers a PowerShell script that downloads a ZIP file containing both legitimate and malicious Python components, including an encrypted payload.
  执行 LNK 快捷方式文件时，它会触发一个 PowerShell 脚本，该脚本下载包含合法和恶意 Python 组件（包括加密有效负载）的 ZIP 文件。
• The current attack employs DLL sideloading and Shadowloader to execute the XWorm RAT as the final payload.
  当前的攻击使用 DLL 旁加载和 Shadowloader 来执行 XWorm RAT 作为最终有效负载。
• Ultimately, the XWorm RAT malware attempts to connect to a Command-and-Control (C&C) server for remote access activities. At the time of analysis, the C&C server was inactive, resulting in no observed malicious activities.
  最终，XWorm RAT 恶意软件会尝试连接到命令和控制 （C&C） 服务器进行远程访问活动。在分析时，C&C 服务器处于非活动状态，因此未观察到任何恶意活动。

Overview  概述

CRIL recently observed a malware campaign targeting Ukraine using the Remote Access Trojan (RAT) known as XWorm. Upon investigation, it was found that this campaign is associated with the Threat Actor (TA) group UAC-0184. Previously, UAC-0184 has targeted Ukrainian entities in Finland, employing the Remcos RAT in their operations. They have utilized techniques such as steganographic image files and the IDAT Loader (SHADOWLADDER, GHOSTPULSE) to distribute malware payloads. 
CRIL 最近观察到使用称为 XWorm 的远程访问木马 （RAT） 针对乌克兰的恶意软件活动。经调查，发现该活动与威胁参与者 （TA） 组织 UAC-0184 有关。此前，UAC-0184 针对在芬兰的乌克兰实体，在其行动中使用了 Remcos RAT。他们利用隐写图像文件和 IDAT 加载程序（SHADOWLADDER、GHOSTPULSE）等技术来分发恶意软件有效负载。

At the end of May, CRIL observed a campaign in which the TA is using Python-related files as part of its strategy to evade detection. The exact initial attack method is still unknown, but it may involve dissemination through phishing or spam emails with ZIP attachments. 
5月底，CRIL观察到TA使用Python相关文件作为其逃避检测策略的一部分的活动。确切的初始攻击方法仍然未知，但它可能涉及通过带有 ZIP 附件的网络钓鱼或垃圾邮件进行传播。

Our investigation commences with an analysis of the .lnk file found within the ZIP archive. Upon execution of the LNK shortcut, it initiates a PowerShell script that downloads an additional ZIP file and lure document. This ZIP file houses several items, including a genuine Python executable, a malicious Python DLL, and an encrypted payload binary. The infection technique employs DLL sideloading and Shadowloader to execute the final payload, identified as XWorm RAT.  
我们的调查从分析ZIP存档中发现的.lnk文件开始。执行 LNK 快捷方式后，它会启动一个 PowerShell 脚本，该脚本会下载额外的 ZIP 文件和诱饵文档。此ZIP文件包含多个项目，包括正版Python可执行文件，恶意Python DLL和加密的有效负载二进制文件。感染技术使用 DLL 旁加载和 Shadowloader 来执行最终有效载荷，标识为 XWorm RAT。

The figure below depicts the infection chain of the UAC-0184 TA to deliver the XWorm payload. 
下图描述了 UAC-0184 TA 传递 XWorm 有效载荷的感染链。

Figure 1 – Infection chain
图 1 – 感染链

Technical Analysis  技术分析

When extracting the contents of the ZIP file, revealing an LNK shortcut file named “NewCopy.xlsx.lnk.” If the user incorrectly assumes this LNK file is a real Excel worksheet and double-clicks on it, a deceptive Excel file will appear, as illustrated in the figure below. 
解压ZIP文件的内容时，显示名为“NewCopy.xlsx.lnk”的LNK快捷方式文件。如果用户错误地认为这个LNK文件是一个真正的Excel工作表，并双击它，将出现一个欺骗性的Excel文件，如下图所示。

Figure 2 – Lure Excel document
图 2 – 诱饵 Excel 文档

The content of the Excel worksheet does not reveal the victim of this campaign. When the lure document is displayed to the user, the LNK shortcut file executes in the background, launching the embedded PowerShell command from %appdata%, as shown in the figure below. 
Excel 工作表的内容不会显示此活动的受害者。当诱饵文档显示给用户时，LNK 快捷方式文件在后台执行，从 %appdata% 启动嵌入式 PowerShell 命令，如下图所示。

Figure 3 – Command-line of the LNK shortcut file
图3 — LNK快捷方式文件的命令行

The PowerShell script is designed to download two files named pkg.zip and NewCopy.xlsx from the below URL to the current directory: 
PowerShell 脚本旨在将两个名为 pkg.zip 和 NewCopy.xlsx 的文件从以下 URL 下载到当前目录：

• hxxp://88.151.192[.]128/djfhu34u9983234s3fnvmxxzpkg.zip
• hxxp://88.151.192[.]128/djfhu34u9983234s3fnvmxxzcip/NewCopy.xlsx

Initially, the script downloads “pkg.zip,” extracts its contents, and creates a folder named “SecurityCheck” in %appdata%. It then saves the extracted files in the folder and proceeds to execute “pythonw.exe” using the start command. 
最初，脚本下载“pkg.zip”，提取其内容，并在 %appdata% 中创建名为“SecurityCheck”的文件夹。然后，它将提取的文件保存在文件夹中，并使用 start 命令继续执行“pythonw.exe”。

Following this, the script downloads “NewCopy.xlsx” (a lure Excel document) and initiates its execution with the start command, as shown in the code snippet below. CRIL has noted that the TA UAC-0184 utilized a similar PowerShell script in a previous campaign, as mentioned by CERT-UA. 
在此之后，脚本下载“NewCopy.xlsx”（诱饵 Excel 文档）并使用 start 命令启动其执行，如下面的代码片段所示。CRIL 指出，正如 CERT-UA 所提到的，TA UAC-0184 在之前的活动中使用了类似的 PowerShell 脚本。

Figure 4 – Code snippet of the PowerShell script
图 4 – PowerShell 脚本的代码片段

The figure below illustrates the presence of the downloaded files “pkg.zip” and “NewCopy.xlsx,” along with the extracted files saved within the “% appdata%SecurityCheck” and “% appdata%ZY_Manage_testv4” directories. 
下图说明了下载的文件“pkg.zip”和“NewCopy.xlsx”的存在，以及保存在“% appdata%SecurityCheck”和“% appdata%ZY_Manage_testv4”目录中的提取文件。

Figure 5 – Downloaded files
图5 — 下载的文件

Upon execution of “pythonw.exe,” it duplicates all files from that location and stores them in a new folder named “%appdata%\ZY_Manage_testv4\”. It then proceeds to execute “pythonw.exe” from this newly created directory, as shown in the below process tree figure. 
执行“pythonw.exe”后，它会复制该位置的所有文件，并将它们存储在名为“%appdata%\ZY_Manage_testv4\”的新文件夹中。然后，它继续从这个新创建的目录执行“pythonw.exe”，如下图所示。

Figure 6 – Process tree
图6 — 工艺树

DLL Sideloading  DLL 旁加载

The “pythonw.exe” loads the malicious DLL named “python310.dll” through the DLL side-loading method, which in turn creates a cmd.exe process that initiates a suspended MSBuild process. Then, the loader decrypts the file named “daikon.tif” (which is Shadowladder) and injects the shellcode into the previously created “MSBuild.exe” using the Process Hollowing technique. The figure below illustrates the process in which pythonw.exe loads python310.dll and injects shellcode from daikon.tif. 
“pythonw.exe”通过 DLL 旁加载方法加载名为“python310.dll”的恶意 DLL，这反过来又会创建一个cmd.exe进程，该进程启动挂起的 MSBuild 进程。然后，加载器解密名为“daikon.tif”的文件（即 Shadowladder），并使用 Process Hollowing 技术将 shellcode 注入到先前创建的“MSBuild.exe”中。下图说明了 pythonw.exe 加载python310.dll并从 daikon.tif 注入 shellcode 的过程。

Figure 7 – DLL sideloading method
图7 – DLL旁加载方法

XWorm  XWorm的

The injected content, identified as XWorm, then proceeds to perform malicious operations on infected systems. XWorm is categorized as commodity malware, designed to be easily accessible to threat actors, even those with limited technical expertise, who can purchase and use it for various cybercrimes. This versatile malware offers a wide range of capabilities, including data theft, DDoS attacks, cryptocurrency address manipulation, ransomware deployment, and downloading additional malware onto compromised systems. Cyble Research & Intelligence Labs (CRIL) has conducted a thorough analysis of XWorm and previously shared detailed insights about this malware on our blog. 
然后，注入的内容（标识为 XWorm）继续对受感染的系统执行恶意操作。XWorm 被归类为商品恶意软件，旨在让威胁行为者轻松访问，即使是那些技术专长有限的人，他们也可以购买并将其用于各种网络犯罪。这种多功能恶意软件提供了广泛的功能，包括数据盗窃、DDoS 攻击、加密货币地址操纵、勒索软件部署以及将其他恶意软件下载到受感染的系统上。Cyble Research & Intelligence Labs （CRIL） 对 XWorm 进行了彻底的分析，并之前在我们的博客上分享了有关此恶意软件的详细见解。

Figure 8 – Presence of XWorm strings in the injected MSBuild exe
图8 — 注入的MSBuild exe中存在XWorm字符串

After execution, XWorm drops a VB Script file with a random name into the %temp% folder and runs it. This script then connects to the Command-and-Control (C&C) server, as shown below. 
执行后，XWorm 会将一个名称随机的 VB 脚本文件放入 %temp% 文件夹并运行它。然后，此脚本连接到命令和控制 （C&C） 服务器，如下所示。

Figure 9 – C&C server
图9 — C&C服务器

In mid-June, we came across other files in the campaign by the same threat actor, indicating a focus on Ukraine based on the lure. In this campaign, we have observed the LNK shortcut file exhibiting similar behavior as previously mentioned. However, unlike the earlier file that used an Excel worksheet as a lure document, this one uses a document viewer application as bait. The LNK shortcut file is named “Відомості про кредитора.dvs.”  
6 月中旬，我们在同一威胁行为者在活动中遇到了其他文件，表明基于诱饵将重点放在乌克兰。在此活动中，我们观察到 LNK 快捷方式文件表现出与前面提到的类似的行为。但是，与使用 Excel 工作表作为诱饵文档的早期文件不同，此文件使用文档查看器应用程序作为诱饵。LNK 快捷方式文件名为“Відомості про кредитора.dvs”。

When the user executes the LNK shortcut file, disguised as a .dvs file (possibly representing “document viewer software”), they will be confronted with a misleading GUI named “Державна виконавча служба: система документообігу,” which translates to State Executive Service: Document Management System, as shown below. The .dvs extension may be specific to the software employed by the State Executive Service for handling and displaying documents. We’ve noticed that the TA has employed a similar deceptive GUI in their past campaigns. 
当用户执行伪装成 .dvs 文件（可能代表“文档查看器软件”）的 LNK 快捷方式文件时，他们将面临一个名为“Державна виконавча служба： система документообігу”的误导性 GUI，翻译为国家行政服务：文档管理系统，如下所示。.dvs扩展名可能特定于国家行政服务局用于处理和显示文件的软件。我们注意到，TA 在过去的活动中使用了类似的欺骗性 GUI。

Figure 10 – Lure document viewer application
图 10 — Lure 文档查看器应用程序

The following image displays another deceptive document from the campaign, which uses an electricity bill theme to target Ukrainians. 
下图显示了该活动的另一份欺骗性文件，该文件使用电费单主题来针对乌克兰人。

Figure 11 – Lure word document
图 11 – 诱饵 word 文档

The following figure displays a code snippet of a PowerShell script executed when launching the LNK shortcut file named “Відомості про кредитора.dvs.”
下图显示了在启动名为“Відомості про кредитора.dvs”的 LNK 快捷方式文件时执行的 PowerShell 脚本的代码片段。

Figure 12 – Code snippet of the PowerShell script
图 12 – PowerShell 脚本的代码片段

In this case, the TA deploys the XWorm payload by leveraging IObit Driver Booster files instead of Python-related files. Here, RttHlp.exe (the IObit Driver Booster executable) loads a malicious DLL named vcl120.bpl via DLL side-loading. This DLL then spawns a cmd.exe process, which subsequently initiates a suspended MSBuild process. Following this, the loader decrypts a file named “bacteriostat.flac” and injects shellcode into the running “MSBuild.exe” process using the Process Hollowing technique. 
在这种情况下，TA 通过利用 IObit Driver Booster 文件而不是 Python 相关文件来部署 XWorm 有效负载。在这里，RttHlp.exe（IObit 驱动程序助推器可执行文件）通过 DLL 旁加载加载名为 vcl120.bpl 的恶意 DLL。然后，此 DLL 生成一个 cmd.exe 进程，该进程随后启动挂起的 MSBuild 进程。在此之后，加载程序解密一个名为“bacteriostat.flac”的文件，并使用进程空心化技术将 shellcode 注入正在运行的“MSBuild.exe”进程中。

Conclusion  结论

UAC-0184 is relentlessly carrying out a malware campaign against Ukraine, continually refining its techniques to better evade detection. Notably, it leverages Python-related files to avoid detection in this campaign. The deployment of the final payload XWorm RAT in this campaign indicates a primary objective of establishing remote access to compromised systems. UAC-0184’s operations demonstrate a sustained effort to infiltrate Ukrainian targets for strategic purposes. 
UAC-0184 正在无情地对乌克兰进行恶意软件攻击，不断改进其技术以更好地逃避检测。值得注意的是，它利用与 Python 相关的文件来避免在此活动中被发现。在此活动中部署最终有效载荷 XWorm RAT 表明了建立对受感染系统的远程访问的主要目标。UAC-0184 的行动表明，出于战略目的，他们一直在努力渗透乌克兰目标。

Our Recommendations  我们的建议

• The initial breach may occur via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments.
  最初的违规行为可能通过垃圾邮件发生。因此，建议部署强大的电子邮件过滤系统来识别和防止有害附件的传播。
• When handling email attachments or links, particularly those from unknown senders, exercising caution is crucial. Verify the sender’s identity, particularly if an email seems suspicious.
  在处理电子邮件附件或链接时，尤其是来自未知发件人的电子邮件附件或链接时，谨慎行事至关重要。验证发件人的身份，尤其是在电子邮件看起来可疑的情况下。
• Consider disabling or limiting the execution of scripting languages on user workstations and servers if they are not essential for legitimate purposes.
  如果脚本语言对于合法目的不是必需的，请考虑在用户工作站和服务器上禁用或限制脚本语言的执行。
• Implement application whitelisting to ensure only approved and trusted applications and DLLs can execute on your systems.
  实施应用程序白名单，以确保只有经过批准和信任的应用程序和 DLL 才能在系统上执行。
• Deploy strong antivirus and anti-malware solutions to detect and remove malicious executable files.
  部署强大的防病毒和反恶意软件解决方案，以检测和删除恶意可执行文件。
• Enhance system security by creating strong, distinct passwords for each account and, whenever feasible, activating two-factor authentication.
  通过为每个帐户创建强而独特的密码，并在可行的情况下激活双因素身份验证来增强系统安全性。
• Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.
  设置网络级监控，以检测恶意软件的异常活动或数据泄露。阻止可疑活动以防止潜在的违规行为。
• Regularly back up data to guarantee the ability to recover it in case of an infection and keep users informed about the most current phishing and social engineering methods cybercriminals employ.
  定期备份数据，以确保在发生感染时能够恢复数据，并让用户了解网络犯罪分子采用的最新网络钓鱼和社会工程方法。

MITRE ATT&CK® Techniques
MITRE ATT&CK® 技术

Indicators of Compromise (IOCs)
妥协指标 （IOC）

References  引用

• https://cyble.com/blog/evilcoder-project-selling-multiple-dangerous-tools-online/
• https://cert.gov.ua/article/6278521
• https://1275.ru/ioc/3249/uac-0184-apt-iocs/
• https://detect.fyi/messengers-and-dating-sites-new-methods-of-attacks-social-engineering-threats-c2db029e27ea
• https://blog.morphisec.com/unveiling-uac-0184-the-remcos-rat-steganography-saga
• https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/

原文始发于cyble：UAC-0184 Abuses Python in DLL Sideloading for XWORM Distribution