Hacker group Quartz Wolf leverages legitimate software for cyberattacks
Cybercriminals have modified the standard "phishing email + remote access" combo with an unexpected hook: the use of legitimate Russian software. BI.ZONE CESP detected and prevented one such attack targeting hospitality organizations. Below we take an in-depth look at the attack to explain why the intended victims were unable to detect it on their own.
Key findings
- Phishing emails remain the weapon of choice for gaining initial access in targeted attacks
- Windows hides file extensions by default, which lets attackers camouflage executables as ordinary files
- The threat actors use rare yet legitimate remote access software to bypass traditional defenses
Campaign
The perpetrators sent phishing emails impersonating OOO Federal Hotel Service. The emails contained a link to an archive with a malicious file (Fig. 1).
The archived file was an Inno Setup installer that dropped the following files:
- Assistant software components
- quartz.dll
- roh2w3.bmp
- whu3.cfg
- zs3eu.bat
The zs3eu.bat script:
- creates the folder C:\Users\[user]\AppData\Roaming\tip
- copies all the files from the temporary folder into it by means of xcopy
- deletes the running script with del /f /q
- launches the Assistant app (ast.exe)
- purges the temporary folder with rd /s /q
The Assistant application loads the malicious quartz.dll, which contains the next stage. That stage is RC4-encrypted, and the key is an MD5 checksum calculated from the CRC32 checksum of the C2 server address. The address itself is stored in whu3.cfg, also RC4-encrypted; here the key is an MD5 checksum calculated from the CRC32 checksum of the file roh2w3.bmp.
The second stage replaces the imported GetCommandLine with its own initialization function, so that its code runs when Assistant calls that import. The function:
- writes the MD5 checksum of a password known to the attackers to the Security.FixPass value under HKEY_CURRENT_USER\Software\safib\ast\SS
- assigns the Hidden and System attributes to all files in the current directory
- makes Assistant start automatically by creating the parameter tip under Software\Microsoft\Windows\CurrentVersion\RunOnce
- creates a unique user identifier: an MD5 checksum calculated from the sum of the CRC32 checksums of the OS version, the user name, and the computer name
- reads the Assistant user identifier from the your_id value under HKEY_CURRENT_USER\Software\safib\ast\SS
- repeatedly sends GET requests containing both the Assistant user identifier and the unique user identifier to the C2 server
- passes ast.exe the parameters -AHIDE and -ASTART for a hidden launch
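The two RC4 layers and the host identifier described above, reconstructed as an added example. This is not Quartz Wolf's or BI.ZONE's code; it re-creates the key-derivation chain the report names (MD5 over CRC32) and then peels both layers back the way an analyst would with the three files from disk. Two details the report does not state are assumed: the CRC32 is fed to MD5 as its 8-digit lowercase hex string, and the raw 16-byte MD5 digest is used directly as the RC4 key. The sample files, C2 address and stage bytes are constructed placeholders.

```python
import hashlib
import zlib

# Added example reconstructing the report's key-derivation and encryption chain.
# Assumed (not stated on the page): CRC32 -> 8-digit lowercase hex string -> MD5,
# and the raw 16-byte MD5 digest is the RC4 key.


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(material: bytes) -> bytes:
    """MD5 of the CRC32 of `material`: the chain the report names for both RC4 layers."""
    crc = zlib.crc32(material) & 0xFFFFFFFF
    return hashlib.md5(f"{crc:08x}".encode()).digest()   # assumed serialisation of the CRC


def decrypt_c2(cfg_blob: bytes, bmp_bytes: bytes) -> str:
    """whu3.cfg holds the C2 address, RC4-encrypted under a key derived from roh2w3.bmp."""
    return rc4(derive_key(bmp_bytes), cfg_blob).decode()


def decrypt_stage(dll_blob: bytes, c2_address: str) -> bytes:
    """The next stage in quartz.dll is RC4-encrypted under a key derived from the C2 address."""
    return rc4(derive_key(c2_address.encode()), dll_blob)


def unique_user_id(os_version: str, user_name: str, computer_name: str) -> str:
    """Host identifier as described: MD5 of the sum of three CRC32 checksums.
    Because the three values are summed, the result does not depend on their order
    (assumed decimal-string serialisation of the sum before hashing)."""
    total = sum(zlib.crc32(s.encode()) & 0xFFFFFFFF
                for s in (os_version, user_name, computer_name))
    return hashlib.md5(str(total).encode()).hexdigest()


# Constructed stand-ins for the dropped files; nothing here comes from a real sample.
SAMPLE_BMP = b"BM" + bytes(range(64))
SAMPLE_C2 = "http://c2.example.invalid/update.php"
SAMPLE_STAGE = b"MZ\x90\x00" + b"next-stage-placeholder"


def build_sample() -> tuple:
    """Encrypt the constructed artefacts the way the loader expects to find them on disk."""
    cfg_blob = rc4(derive_key(SAMPLE_BMP), SAMPLE_C2.encode())
    dll_blob = rc4(derive_key(SAMPLE_C2.encode()), SAMPLE_STAGE)
    return cfg_blob, dll_blob


def recover_stage(cfg_blob: bytes, dll_blob: bytes, bmp_bytes: bytes) -> tuple:
    """Analyst view: given whu3.cfg, quartz.dll's payload and roh2w3.bmp, peel both layers."""
    c2 = decrypt_c2(cfg_blob, bmp_bytes)
    return c2, decrypt_stage(dll_blob, c2)


if __name__ == "__main__":
    cfg, dll = build_sample()
    c2, stage = recover_stage(cfg, dll, SAMPLE_BMP)
    print("C2:", c2)
    print("stage:", stage)
    print("host id:", unique_user_id("10.0.19045", "alice", "DESKTOP-01"))
```

The practical point for an analyst is that nothing in the chain is secret: every key is derived from material that ships alongside the encrypted data (the BMP file and the config), so the C2 address and the next stage can be recovered statically once the serialisation of the CRC32 is confirmed against a real sample.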
The Assistant software lets the attackers take control of the compromised system, block input devices, copy files, modify the registry, run Windows command-line commands, and more. Since the access password was set by the attackers themselves and the client identifier is reported to the C2 server, they can connect to the host through the legitimate Assistant software without deploying any conventional malware for remote access.
Conclusions
Quartz Wolf continues the trend of using legitimate software as a tool for remote access to compromised systems. As this approach keeps proving effective, organizations should be very careful when working with remote access solutions and closely monitor the processes these solutions spawn.
How to trace the presence of Quartz Wolf
- Pay attention to Assistant software files stored outside of what should be their standard directories
- Trace network communications with id.ассистент[.]рф from hosts where Assistant should not be installed
- Monitor mass copying of files into subfolders of C:\Users\[user]\AppData\Roaming via xcopy
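The hunting rules above, plus the registry writes and hidden-launch switches from the second-stage description, expressed as an added example that runs over constructed Sysmon-style events. This is not BI.ZONE's detection content. Field names follow Sysmon (EventID 1 = process creation, 13 = registry value set, 22 = DNS query); the event contents, paths, SIDs and user names are invented. One assumption is labelled in the code: a sanctioned Assistant install is taken to live under Program Files, since the report does not say where its standard directory is. The domain is written undefanged so that it matches a real DNS query name.

```python
import json
import re

# Added example, not BI.ZONE's detection logic: the report's hunting rules applied to
# constructed Sysmon-style JSON events.

ASSISTANT_DOMAIN = "id.ассистент.рф"   # the Assistant backend named in the report
# Assumption: a sanctioned Assistant install lives under Program Files; any other path is suspect.
STANDARD_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
ROAMING_DIR = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
SAFIB_KEY = re.compile(r"\\Software\\safib\\ast\\SS\\", re.IGNORECASE)
RUNONCE_TIP = re.compile(r"\\CurrentVersion\\RunOnce\\tip$", re.IGNORECASE)
HIDDEN_SWITCHES = re.compile(r"-AHIDE|-ASTART", re.IGNORECASE)


def check_event(ev: dict, assistant_expected: bool = False) -> list:
    """Return the names of every rule a single event trips (empty list when clean)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:                                   # process creation
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "")
        if image.endswith("\\xcopy.exe") and ROAMING_DIR.search(cmd):
            hits.append("xcopy into AppData\\Roaming")
        if image.endswith("\\ast.exe"):
            if not image.startswith(STANDARD_DIRS):
                hits.append("Assistant binary outside its standard directory")
            if HIDDEN_SWITCHES.search(cmd):
                hits.append("Assistant launched hidden (-AHIDE/-ASTART)")
    elif eid == 13:                                # registry value set
        target = ev.get("TargetObject", "")
        if SAFIB_KEY.search(target):
            hits.append("Assistant settings written under Software\\safib\\ast\\SS")
        if RUNONCE_TIP.search(target):
            hits.append("RunOnce persistence value 'tip'")
    elif eid == 22:                                # DNS query
        if ev.get("QueryName", "").lower() == ASSISTANT_DOMAIN and not assistant_expected:
            hits.append("Assistant backend contacted from a host where it is not deployed")
    return hits


def scan(lines, assistant_expected: bool = False) -> list:
    """Parse one JSON event per line; return (line_index, rule) pairs for every hit."""
    findings = []
    for n, line in enumerate(lines):
        for rule in check_event(json.loads(line), assistant_expected):
            findings.append((n, rule))
    return findings


# Constructed events mirroring the infection chain; every path, SID and name is invented.
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 1, "Image": r"C:\Windows\System32\xcopy.exe",
     "CommandLine": r"xcopy /E /Y C:\Users\alice\AppData\Local\Temp\is-TMP1\* C:\Users\alice\AppData\Roaming\tip"},
    {"EventID": 13, "TargetObject": SID + r"\Software\safib\ast\SS\Security.FixPass"},
    {"EventID": 13, "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\tip"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\tip\ast.exe",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\tip\ast.exe -AHIDE -ASTART"},
    {"EventID": 22, "Image": r"C:\Users\alice\AppData\Roaming\tip\ast.exe",
     "QueryName": "id.ассистент.рф"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 13, "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]]


if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The `assistant_expected` flag is the part that needs local knowledge: on hosts where Assistant is a sanctioned tool, the DNS rule alone is noise, while the hidden-launch switches, the copy into AppData\Roaming and the RunOnce value remain suspicious regardless.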
MITRE ATT&CK
Indicators of compromise:
hXXp://firstradecare[.]website/7oxr/update.php
a7a1618ba69033848f690bcb7b022cd3d3a9f2850d896a611b1cb76cf6faba5d
adc3f6169d0b16746d5c9542c4cd2be8f12bf367a4bca5373f1e425eed794dad