Seqrite Labs APT-Team has recently found a campaign targeting the Czech Republic. The campaign targets government and military officials with multiple lures aimed at the relationship between NATO and the Czech Republic. The entire malware ecosystem is involved in this campaign, starting from the loader to a well-known Command-and-Control framework known as HavocC2 and Freeze programmed in Rust, a lucrative,compiled programming language widely adopted by threat actors in the wild.
This blog explores the sophistication and technical details of the campaign we encountered during our analysis. We will examine the various stages of this campaign, starting with a deep dive into the decoy documents and then the malicious batch and LNK payloads, which further help the rust loader inject malicious DLL. We will end with a final overview covering the campaign.
Initial Findings
On August 4th 2024, our team found a malicious ZIP file, which surfaced on various sources like VirusTotal, where it has been used as a preliminary source of infection. The file contained various decoys with PDF and LNK file extensions. The same file was found by other threat researchers the very next day.
The ZIP contains a malicious LNK file named “The importance of and outlook for the Czech Republic in NATO.pdf.lnk,” which is responsible for running another malicious batch script named “AdobeAcrobatReader.bat.” This is responsible for spawning the decoy document “Postup_zmeny_hesla_z_IMO.pdf “and then renaming a masqueraded PDF file called “NatoDoc.PDF “to a portable executable. This is copied to the startup folder upon execution, acting as a mechanism for the persistence of the malicious payload. Let us look into the two decoy documents.
Looking into the decoy-document – I
Upon diving into the first document, Postup_zmeny_hesla_z_IMO.pdf, we see the heading is written in Czech, translating to “Password Change from the Internal Network of the Ministry of Defense (IMO)” in English.
The first page of the decoy mentions steps to navigate to the URL hxxps://x.army.cz, where one changes their passwords. The other page image mentions ways to change passwords by adhering to specific guidelines, such as proper password length and other artifacts like avoiding guessable passwords.
Now, the final page of this decoy document contains a message that translates to “Information for local administrators: To access the page hxxps://x[.]army[.]cz, an exception must be set,” with guides on setting up a proper proxy network. Overall, this decoy document acts as a lure for the target to immediately change their passwords and provides guidelines for doing so, which is completely irrelevant to the name of the initial ZIP file.
Looking into the decoy-document – II
Like the previous document, we have another decoy document: The importance of and outlook for the Czech Republic in NATO. This document clearly mentions various reasons for the importance of relations between the Czech Republic and NATO, as well as multiple aspects of geopolitical advantages and history.
The next page mentions the current security issues and discusses strengthening relations between all NATO nations for prosperity, growth, and modernization. Overall, this document discusses relations and goals between NATO and the Czech Republic, which makes this lure document relevant to the name of the initial ZIP file.
Infection Chain
Technical Analysis
We will break down the analysis into four different parts.
Stage 1 – Malicious Batch & LNK Script.
The ZIP contains a malicious LNK file known as 1.The importance of and outlook for the Czech Republic in NATO.pdf.lnk. Looking into its contents, we see its sole purpose is spawning another malicious batch script known as AdobeAcrobatReader.bat.
Upon, analyzing the malicious batch script we found the following:
① Initially, the batch script spawns the first decoy document onto the screen.
② Next, it changes the attributes for the second decoy document and the masqueraded PDF, which is an executable.
③ Then, it goes ahead and renames the masqueraded PDF to AdobeReader.exe and uses xcopy to copy it to the Startup folder for execution.
④ Lastly, it modifies file attributes to set the shortcut and payload files as hidden, read-only, and system files. This ensures that the malicious LNK file and associated payload are concealed from typical user visibility and protected against unauthorized modification or deletion.
In the next section, we will look into the malicious payload. From this initial stage, it is evident that the batch script and the LNK were responsible for deploying the payload.
Stage 2 – Malicious Rust Loader.
A malicious x64 executable payload is present in the ZIP File.
During the initial analysis, we found that the payload is actually a Rust-based loader known as Freeze. Researchers at Optiv created this evasive toolkit for red-team emulation-oriented exercises, such as bypassing EDRs using suspended processes, direct syscalls, etc. Next, we navigated the file to IDA, a binary analysis tool for further reverse engineering and payload extraction.
Upon looking into the code, we see that the loader is performing ETW Patching, as it is one of the features supported by Freeze.
Next, the loader spawns the notepad.exe process in a suspended mode and then performs the DLL’s unhooking by loading a fresh copy of NTDLL from memory and replacing the hooked .text section with the fresh copy of .text section from the unhooked NTDLL.
Post unhooking, it repatches the ETW.
Finally, the compressed and encoded shellcode is obtained via Base64 decoding and LZMA decompression.
Now, after the shellcode is decoded, crypto algorithms like AES/RC4 are used to decrypt it. Once the shellcode is decrypted, using NTAPIs, it is written into memory.
Next, we set a breakpoint on the NTAPIs to extract the shellcode from the loader. The shellcode turned out to be a malicious Havoc DLL, which we will look into in the next section.
Stage 3 – Malicious Havoc Demon.
Initial analysis of this DLL file points it to Demon DLL, a payload that is part of the post-exploitation framework known as Havoc.
Upon analysis, we found that the DLL payload contains 4 important subroutines (renamed on IDA for convenience), which are responsible for the facilitation of payload’s activities, which are as follows:
① DemonInit.
② DemonConfig.
③ DemonMetadata.
④ DemonRoutine.
Now, let us dive into each one of the functions, looking into some key artifacts.
The DemonInit function is responsible for loading modules like ntdll.dll and kernel32.dll via PEB (Process-Environment Block). It then resolves or retrieves the functions from those loaded modules and finally calls another subroutine, DemonConfig.
Extracted Configuration:
Spawn:
– x86: C:\Windows\SysWOW64\notepad.exe
– x64: C:\Windows\System32\notepad.exe
Method: POST
Host[Command & Control] : 206.188.197.113
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
The DemonConfig function parses the configuration stored in the .data section. Once parsed, it is further used in the program. The DemonConfig function also contains multiple parsing-oriented functions.
The DemonMetadata function generates unique metadata for the demon payload, which contains artefacts like Demon ID, User-name, Process Architecture, OS Info, Domain info, and similar information.
The final DemonRoutine function employs various other things, like connecting to the Command and Control Server, which it does by using the PackageTransmitNow function, which then decrypts the data using AES encryption. Then, it uses the CommandDispatcher routine to perform the tasking routine and, in the end, uses Sleep Obfuscation via the function, which uses various techniques like Ekko, Zilean, and WaitForSingleObjectEx.
Hunting and Infrastructure
Upon analysis of the loader payload, we found a unique PDB path linked to the binary C:\TOOL\Freeze.rs-main\target\release\AdobeReader\target\release\deps\AdobeReader.pdb , which helped us to hunt for similar loaders, used by the same threat actor. So, upon hunting, we found two similar samples.
- File-Name: vihu.exe
- PDB-Path: C:\TOOL\Freeze.rs-main\target\release\vihu\target\release\deps\vihu.pdb
- Timestamp: 2024-07-24
- File-Name: gnobya.exe
- PDB-Path: C:\TOOL\Freeze.rs-main\target\release\gnobya\target\release\deps\gnobya.pdb
- Timestamp: 2024-05-22
Once we extracted the shellcode from both the loaders, the shellcode extracted was a similar demon.x64.dll from the first file vihu.exe while the shellcode extracted from the second file turned out to be a URL, which is further downloading a custom Sliver Stager. The C2 and the User-Agent found in this Havoc Demon are:
C2: 195.123.225.88
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_5 like Mac OS X) AppleWebKit/531.2 (KHTML, like Gecko) CriOS/52.0.879.0 Mobile/29C842 Safari/531.2
The ZIP archive was submitted from the Czech Republic whereas the last two payloads found through PDB path were uploaded from Russia. The informational details of Havoc C2:
| IP | ASN | Geolocation |
| 206.188.197.113 | AS399629 (BL Networks) | Netherlands |
| 195.123.225.88 | AS59729 (Green Floid LLC) | Bulgaria |
“Based on the heavy usage of post-exploitation frameworks like Havoc, Sliver & Freeze and keeping in mind the ongoing tensions in the geopolitics, with respect to Russian interests in the Czech Region, we attribute the threat actor possibly could be of Russian origin with medium confidence.”
Conclusion
We have found that a threat actor is targeting the Czech Military using NATO-themed lure where they are heavily dependent on open-source offensive tooling, starting from Rust-based loader to the final DLL payload. Analyzing the overall campaign and TTPs employed by the threat actor, we can conclude that the threat actor started targeting a few months back in May 2024.
Seqrite Protection
- FreezeL
- Havocp.S33863897
- CRCampaign.49004.GC
IOCs
| Hashes[SHA-256] | File-Name | |
| 9549d3d2b8e8b4e8f163a8b9fa3b02b8a28d78e4b583baccb6210ef267559c6e | CZ_army_NATO_cooperation.zip | |
| 436994d4a5c8d54acb2b521d0847d77e6af6c2c0e40468248b1dd019c6dafa84 | 1.The importance of and outlook for the Czech Republic in NATO.pdf.lnk | |
| ace33243994a9da0797601bdd4191e25967a1da2644f0d0b530e26c71854d5d9 | AdobeAcrobatReader.bat | |
| a05d053174b52a9b158a5ec841c1a7633b9368c4ac2da371a11a9364f8a8dc60 | NatoDoc.pdf | |
| 1dbcade04333b9dc81ba0746bc604d12489da49b9b65fcb5b1f61d139dc5949c | vihu.exe | |
| 38da8d1576bdd0a03e649e8e6543594b35a423aa5b0a0c4081fc477c8e487e09 | gnobya.exe | |
| b29ed89e0428ba476459adabb5630c8d29f7fee5905c5de10d792fe3a02e52a6 | x64.demon.dll | |
| 6e0d12cd0252599fd1dec7aa460cae7a12a1b2e322b6664e64c773c23627d1b4 | x64.demon.dll | |
| ed6775184051ef36c3049e24167471ab42bd4301e99631c8423d4d753cdad455 | Inter-Regular.woff | |
| PDB Paths | ||
| · C:\TOOL\Freeze.rs-main\target\release\vihu\target\release\deps\vihu.pdb | ||
| · C:\TOOL\Freeze.rs-main\target\release\gnobya\target\release\deps\gnobya.pdb | ||
| · C:\TOOL\Freeze.rs-main\target\release\AdobeReader\target\release\deps\AdobeReader.pdb | ||
| IP Addresses | ||
| · hxxps://206.188.197.113/ | ||
| · hxxps://195.123.225.88/ | ||
| Hashes [SHA-256] | File-Name [Lure Document] | |
| fda71a7de6d473826465bb83210107501e66a5d96e533772444b3b24806286fd | The importance of and outlook for the Czech Republic in NATO.pdf | |
| 8820e0c249305ffa3d38e72a7f27c0e2195bc739d08f5d270884be6237eea500 | Postup_zmeny_hesla_z_IMO.pdf | |
MITRE TTPs
| Tactic | Technique ID | Name |
| Initial Access | T1566.001 | Phishing: Spear phishing Attachment
|
| Execution | T1204.002
T1059.005 |
User Execution: Malicious File
Command and Scripting Interpreter: Visual Basic |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder |
| Defense Evasion | T1562.001
T1562.006 T1055 T1055.002 T1140 T1027.007 |
Impair Defenses: Disable or Modify Tools
Indicator Blocking. Process Injection. Process Injection: Portable Executable Injection De-obfuscate/Decode Files or Information Obfuscated Files or Information: Dynamic API Resolution |
| Discovery | T1033 | System Owner/User Discovery |
Authors
- Sathwik Ram Prakki
- Subhajeet Singha
