Cybercriminals have modified the standard “phishing email + remote access” combo with an unexpected hook — the leveraging of legitimate Russian software. BI.ZONE CESP has detected and prevented one such attack that targeted hospitality organizations. We are taking an in-depth look at the attack to explain why the potential victims weren’t able to detect it on their own.
- Phishing emails remain a weapon of choice for getting initial access in targeted attacks
- File extensions are hidden by default in Windows, which lets attackers camouflage executables as ordinary documents
- The threat actors use rare yet legitimate remote access software to bypass traditional defenses
The perpetrators sent out phishing emails posing as OOO Federal Hotel Service. The emails contained a link to an archive with a malicious file (Fig. 1).
The archived file was an Inno Setup installer containing the following files:
- Assistant software components
- a script that:
  - creates the folder
  - copies all the files from the temporary folder into it by means of xcopy
  - launches the Assistant app
  - runs rd /s /q to purge the temporary folder
  - runs del /f /q to delete the running script
The Assistant application loads the malicious file quartz.dll, which contains the next stage. That stage is encrypted with RC4, where the key is an MD5 checksum calculated from the CRC32 checksum of the C2 server address. The address is stored in the file whu3.cfg, which is also encrypted with RC4; its key is an MD5 checksum calculated from the CRC32 checksum of the file
The second stage replaces the import of GetCommandLine with its own initialization function, which performs the following actions:
- records the MD5 checksum of the password known to the cybercriminals to
- assigns the Hidden and System attributes to all files in the current directory
- enables Assistant to start automatically by creating the parameter tip in
- creates a unique user identifier by calculating an MD5 checksum from the sum of the CRC32 checksums of the OS version, the user name, and the computer name
- obtains an Assistant user identifier from
- repeatedly sends GET requests containing the Assistant user identifier and the unique user identifier to the C2 server
- passes the parameters -AHIDE and -ASTART to ast.exe for a hidden launch
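To show how an analyst would reproduce the key scheme and the identifier described above, here is an added example (not BI.ZONE's or the malware's own code). It assumes, since the report does not say, that the CRC32 value is hashed as a 4-byte little-endian integer and that the raw 16-byte MD5 digest is the RC4 key; the encrypted sample is constructed here, not taken from a real artifact.

```python
import hashlib
import zlib

# Assumption (not stated in the report): CRC32 values are hashed as 4-byte
# little-endian integers, and the raw 16-byte MD5 digest is used as the RC4 key.

def crc32_le(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")

def derive_rc4_key(seed: bytes) -> bytes:
    """Key scheme from the report: MD5 over the CRC32 of the seed value."""
    return hashlib.md5(crc32_le(seed)).digest()

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decrypt_stage(blob: bytes, c2_address: str) -> bytes:
    """Recover a stage whose RC4 key is derived from the C2 address."""
    return rc4(derive_rc4_key(c2_address.encode()), blob)

def unique_user_id(os_version: str, user_name: str, computer_name: str) -> str:
    """MD5 of the sum of the three CRC32 values, as the report describes.
    Assumption: the sum is reduced to 32 bits and hashed little-endian."""
    total = sum(zlib.crc32(s.encode()) for s in (os_version, user_name, computer_name))
    return hashlib.md5((total & 0xFFFFFFFF).to_bytes(4, "little")).hexdigest()

# Constructed sample: a stand-in config encrypted with the same scheme, so the
# decryptor can be exercised offline without any real Quartz Wolf artifact.
SAMPLE_C2 = "c2.example.invalid"
SAMPLE_PLAINTEXT = b"stage2-config placeholder"
SAMPLE_BLOB = rc4(derive_rc4_key(SAMPLE_C2.encode()), SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(decrypt_stage(SAMPLE_BLOB, SAMPLE_C2))
    print(unique_user_id("10.0.19045", "analyst", "LAB-PC"))
```

If the real byte layout of the CRC32 differs from the assumption, only crc32_le and the two hashing lines need adjusting; the RC4 routine stays the same.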
The Assistant software enables attackers to hijack control over the compromised system, block input devices, copy files, modify the registry, use the Windows command line, etc.
Quartz Wolf continues the trend of using legitimate software as a tool for remote access to compromised systems. As this approach consistently demonstrates its effectiveness, organizations should be very careful when working with remote access solutions and watch closely over their processes.
How to trace the presence of Quartz Wolf
- Pay attention to Assistant software files stored outside their standard directories
- Monitor network communications with id.ассистент[.]рф from hosts where Assistant should not be installed
- Monitor the mass copying of files into the subfolders
Indicators of compromise: