As malware and its authors continue to evolve, deciphering the purpose of specific malware-driven attacks has become more challenging. While some malware still has a feature-specific design such as DDoS tools or spam bots, it is becoming increasingly common for malware to have multiple uses for different missions. Recent banking trojans for example are likely to support remote access, which is not typically required to deliver web injects and steal credentials.
In some cases, the functionality of the malware suggests the actor’s intent: A sample of a malware family known to engage in spam campaigns is unlikely to have been used as part of a targeted espionage attack. Vice versa, a malware with pure surveillance functionality likely does not fit a botnet-like monetization technique that relies on large-scale distributed activities such as sending spam or denial of service. For example, short-term financial gain is a recurring motive for typical cybercrime actors while the theft of intellectual property and business information usually reflects a different kind of actor.
Numerous examples of recent years highlight that the boundaries between commodity and targeted attack malware blur. Variants of Black Energy, a malware family known to have been used for distributed denial-of-service (DDoS) attacks around 2010 were then adapted for targeted attacks. While publicly well-known for its banking fraud and the distribution of additional malware such as Cryptolocker, the peer-to-peer-based Gameover Zeus botnet was leveraged to search for information regarding foreign intelligence services of Russia’s neighbouring countries. In short, some crimeware tools have turned into targeted attack malware and no longer allow a precise classification in either categories.
The RecJS Case
Recently, a malware family named RecJS caught our attention as it contains functionality that is typical for a Remote Access Tool (RAT), including file transmission, taking a screenshot, and command execution. While previous variants had a hard-coded Command-and-Control (C2) server IP address in the code, recent samples implement a Domain Generation Algorithm (DGA) to locate the C2 server. Stepping up from hard-coded C2 information to a DGA indicates a dedicated evasion interest by the operator, which made us curious to take a closer look at this malware.
Unpacking the embedded files takes place in several steps. First, the installer binary extracts from itself the 7-Zip compression utility, consisting of the 7-Zip executable (7z.exe) and a required library (7z.dll). Interestingly, the two files are not dropped as a whole, but in the form of multiple fragment files. Each of the two files is reassembled from these fragments using Windows’ copy utility. For example, the file 7z.dll is concatenated as follows:
copy /b 388f + 2c + 33 + c0952 + 2e8defc + 2e8def 7z.dll
To persist across reboots, the RAT creates a shortcut in the user’s Startup folder named Windows Application Manager.lnk with the invocation command from above as target.
Command and Control
Once launched, the RAT downloads a configuration update from the C2 server, in this case via HTTPS, from https://qkmakein.endofinternet.net/related/?action=get_config&guid=<ID>&version=700.
The C2 domain is generated using a time-seeded domain generation algorithm that yields a unique dynamic domain name every hour that is a subdomain of one of the following (all served by Dynamic Network Services, Inc.):
The subdomain part is generated from a set of 53 terms using a custom algorithm. Based on the current time, four items from the list of terms are derived and concatenated to form the subdomain that is prepended to one of the three domains provided above.
The set of commands implemented by the RAT spans the following:
|screenshot||Take a screenshot and upload it to the C2 server|
|debug_log||Upload a debug log to the C2 server|
|update||Update the RAT|
|download_and_exec||Download a binary from a provided URL and execute it|
|update_config||Update the RAT’s configuration|
|restart||Restart the RAT|
|die||Uninstall and terminate the RAT|
|uninstall||Alias for the command “die”|
|stop||Terminate the RAT (but leave startup link so that the RAT starts on the next boot)|
The malware gathers extensive system information including the username; domain name; amount of RAM memory; code page; Windows properties such as the architecture, OS version, install date, language, and Windows serial number; and installed anti-virus products. The malicious code contains what appears to represent a campaign ID, with this specific instance carrying a value of 700. This number is sent in the query string of C2 requests and is also present in the installer’s filename, which indicates that the binary was built for a specific campaign and that the operator is interested in campaign tracking.
This malware exhibits typical RAT functionality. The command set is well suited to allow for remote access and rudimentary surveillance of specific targets. The initial beacon provides the operator with various system information that is helpful when deciding whether an infected system is of interest or just unintended bycatch. A screenshot can be taken when instructed to by the C2 server so that the operator also has a visual impression of the victim’s desktop.
At this point, the functionality of the malware is clear: A typical remote access tool. While this functionality may be interpreted to indicate a targeted attack, it does not disclose the actor’s intent. Thus, the following section sheds light on the distribution of the malware and the victimology.
Infection Vector and Victimology
Variants of the RecJS malware are believed to have been distributed since at least April 2014. On 30 April 2014, a RecJS sample was dropped as part of a drive-by infection of visitors to webmasters.ru, a Russian forum dealing with web development topics. When browsing the main site, a CVE-2012-1723 exploit that leveraged a vulnerability in certain Java versions was served. This exploit triggered the download and execution of a RecJS installer binary with the filename s5b_484.exe. The C2 communication of this sample carries the campaign ID 484, which matches part of the dropper filename and indicates that it was specifically built for this campaign.
The fairly broad drive-by infection strategy was originally associated with a cybercriminal business model that builds on scale rather than specific targets and is still extremely popular in the form of exploit kits. Consequently, the set of infected entities in a recent RecJS campaign is diverse in nature. While the infection vector of this campaign hints toward non-targeted cybercriminal activity, it is difficult to draw a precise conclusion at this point. Recently, sophisticated targeted attacks have increasingly relied on a web-based infection vector. In addition, it is possible that the infection vector has changed over time and may have been adapted depending on the target.
Based on the source IP addresses of infected hosts, by far most of the victims are in Russia, with a tendency to its neighboring countries, including Ukraine, Poland, Kyrgyzstan, Romania, Serbia, Czech Republic, and Hungary. However, western countries are also prominently represented, e.g., the United States, the United Kingdom, Canada, Germany, the Netherlands, France, Australia, Austria, and Denmark. The following figure shows a heat map generated from unique source IP addresses with a syntactically valid C2 request. The set of source IP addresses may be biased due to IP churn. In order to filter out unlikely victims such as research systems, behavior which is atypical of a RecJS infection was removed.
The regional distribution of victims with Russia ranking first aligns with the infection vector outlined above. In addition, past variants of the malware have been observed to communicate with the C2 servers 126.96.36.199, which is assumed to be located in Kyrgyzstan, and 188.8.131.52, which is located in Russia. Both suggest a nexus to the Russian-speaking area.
Interestingly, a few high-profile targets have been identified, including government institutions, financial institutions, and entities in the education sector. Among the diverse set of victims, we spotted the ministry of foreign affairs of a European government, several banks, and the logistics base of the United Nations.
Assessing the Actor’s Intent
Incidents like this involving RecJS are a clear example that malware analysis alone hardly answers the question of the actor’s intent. Even with contextual information such as the distribution vector and victimology, there is no obvious explanation whether this is a targeted attack.
Based on the broad infection strategy of the drive-by scenario and the comparatively small number of victims, the heavy ratio of high-profile to inconsequential victims is unexpected. The actor may have started out using a broad targeting without a specific victimology or monetization in mind: Once launched and depending on the infection success, those victims that appear suitable for a specific monetization technique may be capitalized. Alternatively, IT personnel such as web developers and administrators might have been targeted on purpose as outlined in the example above involving the drive-by infection of a webmaster forum. Infected systems could be leveraged to steal credentials for corporate infrastructures. These credentials may serve as a stepping stone to infiltrate the infrastructure of specific institutions or allow for targeted spear phishing.
The challenge of attribution extends far beyond technical analysis, this is where the reverse engineer must see through the eyes of an intelligence analyst, making and testing hypothesis about the intentions of the actor. This is a difficult and often uncomfortable task for those who live in the binary space of code, one that the analysts at CrowdStrike deal with every day.
For more information on the RecJS malware, feel free to contact us at firstname.lastname@example.org. If you think you are up to the challenge of analyzing the motivations of malicious adversaries, check our job listings to join the mission!