{"id":20437,"date":"2024-03-05T16:36:45","date_gmt":"2024-03-05T15:36:45","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=20437"},"modified":"2024-08-02T11:33:35","modified_gmt":"2024-08-02T09:33:35","slug":"tales-of-valhalla-march-2024","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2024\/03\/05\/tales-of-valhalla-march-2024\/","title":{"rendered":"Tales Of Valhalla – March 2024"},"content":{"rendered":"

[et_pb_section fb_built=”1″ admin_label=”section” _builder_version=”4.24.2″ da_disable_devices=”off|off|off” global_colors_info=”{}” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on”][et_pb_row admin_label=”row” _builder_version=”4.16″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ custom_padding=”|||” global_colors_info=”{}” custom_padding__hover=”|||”][et_pb_text admin_label=”Introduction” _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Every month the Nextron Threat Research Team (NTRT) shares insights into evasive threats that we\u2019ve seen in the wild via our Valhalla service. The aim is to highlight interesting samples our rules detected and have or had very low detection rates as reported by VirusTotal scanning.<\/p>\n

Please note that we are aware that VirusTotal results do not represent the full capabilities of antivirus or EDR Products. The aim is to highlight how Threat Actors are taking into account evasiveness with some of these samples.<\/p>\n

[\/et_pb_text][et_pb_text admin_label=”Threat Overview” _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Threat Overview<\/b><\/h2>\n

The following table gives an overview of the threats mentioned in this blog. You can use the respective Valhalla page for every threat to get a list of the hashes.<\/p>\n\n\n\n\n\n\n\n
Threat Name<\/b><\/td>\nInitial VT
Detection Rate<\/b><\/td>\n		Rule Name<\/b><\/td>\n<\/tr>\n
MrAgent<\/td>\n0\/62<\/td>\nSUSP_RANSOM_LNX_VmWare_ESX_Indicators_Oct22_1<\/a><\/td>\n<\/tr>\n
HemiGate<\/td>\n3\/68<\/td>\nAPT_MAL_HemiGate_DLL_Loader_Sep23<\/a><\/td>\n<\/tr>\n
GuLoader<\/td>\n0\/70<\/td>\nMAL_GuLoader_Shellcode_Oct22_3<\/a><\/td>\n<\/tr>\n
IronWind<\/td>\n0\/71<\/td>\nAPT_MAL_IronWind_Downloader_Nov23_2<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

[\/et_pb_text][et_pb_text admin_label=”Threat Digest” _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Threat Digest<\/b><\/h2>\n

MrAgent<\/b><\/h3>\n

The MrAgent sample was first reported by MalwareHunterTeam<\/a> where he pointed it out from a related sample used by RansomHouse.<\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/03\/Tales1.png” title_text=”Tales1″ admin_label=”MrAgent-Image1″ _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text admin_label=”MrAgent-Text1″ _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

The sample triggered one of our generic Vmware ESX malware rules on the date of the upload last September.<\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/03\/Tales2.png” title_text=”Tales2″ _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text admin_label=”Text” _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

A couple of months later the Trellix team put out a blog where they dissected the sample in question. Here is an excerpt from the Trellix blog<\/a>.<\/p>\n

\n

MrAgent is a binary designed to run on hypervisors, with the sole purpose of automating and tracking the deployment of ransomware across large environments with a high number of hypervisor systems. The binary connects back to a set of command & control servers, which need to be supplied as a command-line argument.<\/i><\/p>\n<\/blockquote>\n

We\u2019ve only noticed one additional new sample uploaded on the 2024-03-01 that was quickly picked up by multiple vendors (430cbf6d340e3b3ee92a0bca41c349071564a14fd31f810bd1b0702d5df75351<\/a>)<\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/03\/Tales3.png” title_text=”Tales3″ _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Guloader Shellcode<\/b><\/h3>\n

Guloader<\/a> is a first stage shellcode based malware that is usually used to download other types of malware such as Agent Tesla, Lokibot and others. It was discovered in 2019 and is still going strong to this day.<\/p>\n

We\u2019re seeing multiple uploads a day to VirusTotal, with almost all of the uploaded samples having 0 detections.<\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/03\/Tales4.png” title_text=”Tales4″ _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

It turns out that most of these samples are memory dumps uploaded via the VT API. Investigating them would reveal the GuLoader shellcode.<\/p>\n

It is worth noting that we\u2019ve also seen GuLoader ShellCode uploaded directly and some vendors did indeed pick it up directly.<\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/03\/Tales5.png” title_text=”Tales5″ _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

HemiGate<\/b><\/p>\n

HemiGate is a backdoor used by the threat actor known as Earth Estries. It was first reported<\/a> by TrendMicro last year. Since the initial reporting we\u2019ve tracked 4 samples uploaded to VT over the next months. The most recent one was uploaded early this (January 2024)<\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/03\/Tales6.png” title_text=”Tales6″ _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

While the first 3 samples uploaded had very high AV matches. The most recent one<\/a> only started with 3 vendors having coverage for it.<\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/03\/Tales7.png” title_text=”Tales7″ _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

We can see the coverage increased over the next months to reach 34\/70.<\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/03\/Screenshot-2024-03-05-at-16.31.56.png” title_text=”Screenshot 2024-03-05 at 16.31.56″ _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

This latest sample of the HemiGate backdoor loader, is very similar in nature to the previous ones. It mimics the \u201clibvlc.dll\u201d DLL to achieve DLL sideloading as can be seen by the exported functions.<\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/03\/Tales9.png” title_text=”Tales9″ _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

All of the exports are empty except for \u201clibvlc_new\u201d which calls the functions that decrypts the encrypted payload (HemiGate backdoor) with RC4.<\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/03\/Tales10.png” title_text=”Tales10″ _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

From strings found in the sample, it seems highly likely that this was generated via the AheadLib tool<\/a>.<\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/03\/Tales11.png” title_text=”Tales11″ _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

IronWind<\/b><\/h3>\n

IronWind is an initial access downloader first reported by Proofpoint last November. You can read their analysis for full technical<\/a> details. Since that report we\u2019ve been tracking the IronWind samples being uploaded to VT.<\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/03\/Tales12.png” title_text=”Tales12″ _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

And we can see, earlier uploads by the end of last year were highly flagged by almost every major vendor. But in recent months the samples we\u2019re monitoring are getting more stealthier and evading AV signatures. A look at the decrypted strings shows potential new capabilities.<\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/03\/Tales13.png” title_text=”Tales13″ _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text admin_label=”Text” _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

We\u2019ll be releasing a blog in the upcoming weeks detailing the capabilities of this new variant.<\/p>\n

Detection opportunity<\/b><\/h2>\n

HemiGate Sideloading Activity<\/b><\/h4>\n

The following Sigma rule<\/a> can be used to detect potential sideloading of libvlc.dll<\/p>\n

title: Potential Libvlc.DLL Sideloading
id: bf9808c4-d24f-44a2-8398-b65227d406b6
status: test
description: Detects potential DLL sideloading of \"libvlc.dll\", a DLL that is legitimately used by \"VLC.exe\"
references:
    - https:\/\/www.trendmicro.com\/en_us\/research\/23\/c\/earth-preta-updated-stealthy-strategies.html
    - https:\/\/hijacklibs.net\/entries\/3rd_party\/vlc\/libvlc.html
author: X__Junior
date: 2023\/04\/17
tags:
    - attack.defense_evasion
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1574.001
    - attack.t1574.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\\libvlc.dll'
    filter_main_vlc:
        ImageLoaded|startswith:
            - 'C:\\Program Files (x86)\\VideoLAN\\VLC\\'
            - 'C:\\Program Files\\VideoLAN\\VLC\\'
    condition: selection and not 1 of filter_main_*
falsepositives:
     - False positives are expected if VLC is installed in non-default locations
level: medium<\/pre>\n
 <\/p>\n
[\/et_pb_text][et_pb_text _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
Nextron\u2019s Solutions for Enhanced Cybersecurity<\/h1>\n
Nextron steps in where traditional security measures might miss threats. Our digital forensics tools conduct thorough analyses of systems that show signs of unusual behavior. They effectively identify risky software and expose a range of threats that could go unnoticed by standard methods.<\/p>\n
Our signature collection is tailored to detect a variety of security concerns. This includes hacker tools, their remnants, unusual user activities, hidden configuration settings, and legitimate software that might be misused for attacks. Our approach is especially useful in detecting the tactics used in supply chain attacks and identifying tools that evade Antivirus and EDR systems.<\/p>\n
[\/et_pb_text][et_pb_text admin_label=”Authors” _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
Authors<\/p>\n