Hacker group Quartz Wolf leverages legitimate software for cyberattacks

Cybercriminals have modified the standard “phishing email + remote access” combo with an unexpected hook — the leveraging of legitimate Russian software. BI.ZONE CESP has detected and prevented one such attack that targeted hospitality organizations. We are taking an in-depth look at the attack to explain why the potential victims weren’t able to detect it on their own.

Key findings

• Phishing emails remain a weapon of choice for getting initial access in targeted attacks
• File extensions are hidden, given the default settings in the Windows OS, which is why attackers can camouflage executables as regular files
• The threat actors use rare yet legitimate remote access software to bypass traditional defenses

Campaign

The perpetrators were sending out phishing emails under the disguise of OOO Federal Hotel Service. The emails contained a link to an archive with a malicious file (Fig. 1).

Fig. 1. Phishing email sent to potential victims

The archived file was the Inno Setup installer with the following files:

• Assistant software components
• quartz.dll
• roh2w3.bmp
• whu3.cfg
• zs3eu.bat

The zs3eu.bat script

• creates the folder C:\Users\\[user\]\AppData\Roaming\tip
• pastes into it all the files from the temporary folder by means of xcopy
• uses del /f /q to delete the running script
• launches the Assistant app (ast.exe)
• uses rd /s /q to purge the temporary folder

The Assistant application loads the malicious file quartz.dll, which contains the next stage. The latter is encrypted in RC4, where the key is an MD5 checksum calculated from the CRC32 checksum from the C2 server address. This address is stored in the file whu3.cfg, also encrypted in RC4. The key is an MD5 checksum calculated from the CRC32 checksum from the file roh2w3.bmp.

The second stage replaces the import of GetCommandLine with its own initialization function to perform the following actions:

• record the MD5 checksum from the password known to the cybercriminals to HKEY_CURRENT_USER\Software\safib\ast\SS — Security.FixPass
• assign the Hidden and System attributes to all files in the current directory
• enable Assistant to start automatically by creating the parameter tip in Software\Microsoft\Windows\CurrentVersion\RunOnce
• create a unique user identifier by calculating an MD5 checksum from the total of the CRC32 checksums from the OS version, the user name, and the computer name
• obtain an Assistant user identifier from HKEY_CURRENT_USER\Software\safib\ast\SS—your_id
• repeatedly send GET requests containing an Assistant user identifier and the unique user identifier to the C2 server
• submit the ast.exe parameters -AHIDE и -ASTART for a hidden launch

Fig. 2. Assistant software screenshot

The Assistant software enables attackers to hijack control over the compromised system, block input devices, copy files, modify the registry, use the Windows command line, etc.

Conclusions

Quartz Wolf continues the trend of using legitimate software as a tool for remote access to compromised systems. As this approach consistently demonstrates its effectiveness, organizations should be very careful when working with remote access solutions and watch closely over their processes.

How to trace the presence of Quartz Wolf

1. Pay attention to the Assistant software files stored outside of what should be their standard directories
2. Trace network communications with id.ассистент\[.\]рф at the hosts where Assistant should not be installed
3. Monitor the mass copying of files into the subfolders C:\Users\\[user\]\AppData\Roaming via xcopy

MITRE ATT&CK

Indicators of compromise:

hXXp://firstradecare[.]website/7oxr/update.php

a7a1618ba69033848f690bcb7b022cd3d3a9f2850d896a611b1cb76cf6faba5d

adc3f6169d0b16746d5c9542c4cd2be8f12bf367a4bca5373f1e425eed794dad