Breaking Badness Episode 15: Two Truths and a Lie

Two Truths and a Lie

Coming up this week on Breaking Badness. Today we discuss: License and Exfiltration, Please, I Smell A RAT, and A Bleak Outlook on an Office 365 Phishing Scam.

Here are a few highlights from each article we discussed:

License and Exfiltration, Please
  • Perceptics is one of the biggest manufacturers of license plate reader technology (it even has its own acronym, so you can start dropping “LPR” to sound cool with the kids these days). Their stuff is used in particular at the US borders with Canada and Mexico.
  • According to The Register in the UK, it was perpetrated by an actor who goes by the identity “Boris Bullet-Dodger.” Around 65k files amounting to hundreds of GB of data.
  • The types of files included in the dump include the common ones you’d expect…zip, txt, doc, xls…but also mp3.
  • There’s lots of potential privacy loss in the data that this company has, because of not just seeing whose car was where and when, but also stuff like commercial vehicle inspection data, border security data, etc–lots of different kinds of data.
I Smell A RAT
  • APT10 aka Stone Panda group has been pretty active throughout the years. Most notably, they are likely responsible for the Cloud Hopper campaign, in which the group compromised MSPs (managed service providers) in order to gain access to their clients’ networks. In that incident, the group used spear phishing emails to deliver several different types of remote access trojans (RATs). In fact, in December 2018, two Chinese nationals were indicted for being associated with this activity according to the FBI.
  • This newest campaign was discovered by enSilo. In this case, they abused a legitimate exe (jjs.exe) to side-load the DLL.The malicious DLL maps the data file, svchost.bin, to memory and decrypt it. The decrypted content is a shellcode that is injected into svchost.exe and contains the actual malicious payload. The payload itself is a modified version of the Quasar RAT that contains SharpSploit to get passwords from the infected machine. In addition, the machine is also infected with PlugX, to get system information such as computer name, username, OS version, RAM usage, network interfaces and resources. The group used typosquatted domains masquerading as Microsoft and Kaspersky for C2 communications.
  • As far as tying this activity to APT10, enSilo lists 4 overlapping TTPs between this campaign and previous campaigns attributed to the group:
    • Bundle of legitimate executable to sideload a custom DLL along with storing the payload in a separate, encrypted file.
    • Use of typosquatting domain names similar to real, legitimate tech companies.
    • Unique malware families both developed by, and associated with, the group.
    • Using C&C servers located in South Korea.
  • The first malicious payload is Quasar RAT, specifically a modified version of it that includes SharpSploit. It is downloaded when the injected shellcode tries to run conhost.exe from C:\Users\Public\Documents or download it from ffca[.]caibi379[.]com. This executable is a downloader written in .NET and disguised as a legitimate system executable – which is, in fact, the Quasar RAT.
  • The second malicious payload is PlugX. Following the injection to svchost.exe by the loader, the shellcode decrypts another part of itself and use RtlDecompressBuffer API to further unpack the PlugX DLL. The DOS and NT headers magic values, MZ and PE respectively, were replaced with VX, a typical behavior for PlugX payloads. This is meant to prevent from security products and automated tools to identify the executable headers when performing memory scans. Additionally, the malware authors attempted to hide the malware’s functionality by wrapping it with calls to the GetForegroundWindow API. Additionally, the malware attempts to remove any sign of McAfee’s email proxy service from the infected machine. Besides killing the process, it also makes sure to delete any related keys in the registry, and recursively deletes any related files and directories on the machine.
A Bleak Outlook on an Office 365 Phishing Scam
  • A new phishing campaign purported to be from the “Office 365 Team” warns victims that their email account will be cancelled unless you respond to the email within the hour.
  • The landing page of the phishing campaign is hosted on, the site is secured with a certificate signed by Microsoft, which adds legitimacy to the landing page.
  • However, the word survey in the URL would have been your best clue that the site wasn’t legitimate.
  • A note from Emily Hacker: Use 2FA!
This Week’s Hoodie Scale

License and Exfiltration, Please
: 3/10 Hoodies
[Emily]: 4/10 Hoodies

I Smell A RAT
 5/10 Hoodies
5/10 Hoodies

A Bleak Outlook on an Office 365 Phishing Scam
 1/10 Hoodies
[Emily]: 1.5/10 Hoodies

That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included in our blog. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!

3 thoughts

Comments are closed.