A C#-based malware loader, Trammy.dll, obfuscated with ConfuserEx, is part of a complex infection chain that starts with an email carrying an ISO image; the loader uses AppDomain Manager Injection to execute its malicious code and writes obfuscated logs to infected machines.
The malicious ISO contains a LNK file disguised with a PDF icon. Opening it executes a malicious executable with an XML file as input, which most likely invokes the Microsoft Build Engine (MSBuild), abusing a legitimate tool to build and run the attacker's code.
The malicious C# code in the XML file is compiled by MSBuild.exe on the fly into a .NET DLL that displays a decoy PDF, installs persistence mechanisms, and uses a UAC bypass to execute a hidden DLL for the next stage.
AppDomain Manager Injection works by declaring a malicious class as the AppDomainManager in the application's configuration file. That class overrides the standard InitializeNewDomain() method, which the runtime calls whenever a new AppDomain is created, so the malicious code runs inside the isolated environment as soon as the host application starts.
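Because the technique is driven by a configuration file, a defender can look for it directly: a .NET application config that names an AppDomainManager assembly and type is rare in legitimate software and worth reviewing. The scanner below is an added example (not code from the G DATA write-up or from the malware) that parses the `<runtime>` section of an `*.exe.config` file, reports the declared assembly/type pair, and checks whether a DLL with that assembly's simple name sits beside the config, which is where a dropped manager assembly would be placed. The element names `appDomainManagerAssembly` and `appDomainManagerType` are the real .NET runtime settings; the sample config and the `SampleManager` names in it are constructed for the demo.

```python
"""Flag .NET application config files that declare a custom AppDomainManager.

Added example for the AppDomain Manager Injection discussion; it is not
code from the original write-up. The SAMPLE_CONFIG and the assembly/type
names in it are constructed placeholders, not indicators from the report.
"""
import os
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample of what a config abusing the technique looks like.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="SampleManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="SampleManager.Manager" />
  </runtime>
</configuration>
"""


def find_appdomain_manager(config_xml: str) -> Optional[dict]:
    """Return {'assembly': ..., 'type': ...} if the config names an
    AppDomainManager, else None. A partial declaration (only one of the
    two elements) is still reported, since it is just as unusual."""
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return {
        "assembly": asm.get("value") if asm is not None else None,
        "type": typ.get("value") if typ is not None else None,
    }


def assembly_simple_name(display_name: str) -> str:
    """'SampleManager, Version=1.0.0.0, ...' -> 'SampleManager'."""
    return display_name.split(",", 1)[0].strip()


def assess_config(config_path: str, config_xml: str) -> dict:
    """Build a finding for one config file. The DLL check looks for
    <simple name>.dll next to the config, i.e. next to the executable,
    which is where a side-loaded manager assembly would be dropped."""
    decl = find_appdomain_manager(config_xml)
    if decl is None:
        return {"path": config_path, "suspicious": False}
    finding = {"path": config_path, "suspicious": True, **decl}
    if decl["assembly"]:
        dll = os.path.join(os.path.dirname(config_path) or ".",
                           assembly_simple_name(decl["assembly"]) + ".dll")
        finding["dll_beside_config"] = os.path.isfile(dll)
    return finding


def scan_directory(root_dir: str) -> list:
    """Walk a tree and return findings for every *.exe.config that
    declares an AppDomainManager; unreadable or malformed files are skipped."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    finding = assess_config(path, fh.read())
            except (OSError, ET.ParseError):
                continue
            if finding["suspicious"]:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    # Demo on the constructed sample; point scan_directory() at a real tree.
    print(assess_config("demo/app.exe.config", SAMPLE_CONFIG))
```

One caveat for anyone turning this into a hunt: the same two settings can also be supplied through the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables of the target process, so a config-file sweep alone does not cover every way the manager can be injected; process environment inspection fills that gap.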
A Python script extracts candidate string-decoding keys from the obfuscated .NET DLL (Trammy.dll) using dnlib: it walks the instructions of each method looking for a constant-integer instruction immediately followed by a call instruction and returns the constant values.
The script then loads the modified DLL, resolves the string-decoding method by its metadata token, and dynamically invokes it once per key in the array, passing the key as the argument and capturing the returned string.
Finally, it deobfuscates the assembly using the resulting key-to-string mapping: it iterates through the methods, replaces each call to the string-decoding function with the decoded string, and saves the modified assembly.
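The three steps above (harvest keys, invoke the decoder per key, patch the call sites) are shown end to end in the following added example, which is not the write-up's script. The core runs on a plain-Python model of an IL method body, a list of `(opcode, operand)` tuples, with a constructed toy decoder standing in for the reflection-invoked method, so it runs offline and can be checked. It narrows the key search to calls whose target is the decoder's metadata token rather than any call, which avoids picking up unrelated constants. The `deobfuscate_assembly` function at the end shows how the same logic attaches to a real DLL through dnlib and pythonnet; that bridge, its use of the dnlib API, and the `DECODER_TOKEN` value are assumptions of this example and are not exercised by the offline demo.

```python
"""Model of the three-step string deobfuscation: harvest keys (constant
integer immediately followed by a call to the decoder), build a
key -> string mapping by invoking the decoder, then patch each call site
into an ldstr. Added example; not the original write-up's script.

The sample method body, the decoder token and the toy decoder table are
all constructed for the demo.
"""
from typing import Callable, Dict, List, Tuple

Instr = Tuple[str, object]        # e.g. ("ldc.i4", 7) or ("call", 0x06000005)

DECODER_TOKEN = 0x06000005        # constructed MethodDef token of the decoder

# Constructed stand-in for the real decoder (which is invoked by reflection).
_TOY_TABLE = {7: "http://cnc.example/beacon", 12: "ipconfig", 42: "Win32_Bios"}


def toy_decoder(key: int) -> str:
    return _TOY_TABLE.get(key, "")


# Constructed method body: real keys mixed with unrelated constants/calls.
SAMPLE_BODY: List[Instr] = [
    ("ldc.i4", 7), ("call", DECODER_TOKEN), ("stloc", 0),
    ("ldc.i4", 100), ("add", None),                 # not a key: no call follows
    ("ldc.i4", 42), ("call", DECODER_TOKEN), ("pop", None),
    ("ldc.i4", 12), ("call", 0x06000009),           # call to some other method
    ("ret", None),
]


def extract_keys(body: List[Instr], decoder_token: int) -> List[int]:
    """Step 1: a constant integer directly followed by a call to the
    decoder yields that constant as a key."""
    return [cur[1] for cur, nxt in zip(body, body[1:])
            if cur[0] == "ldc.i4" and nxt == ("call", decoder_token)]


def build_mapping(keys: List[int], decode: Callable[[int], str]) -> Dict[int, str]:
    """Step 2: invoke the decoder once per distinct key."""
    return {k: decode(k) for k in sorted(set(keys))}


def patch_body(body: List[Instr], mapping: Dict[int, str],
               decoder_token: int) -> List[Instr]:
    """Step 3: replace (ldc.i4 k, call decoder) with (nop, ldstr s).
    Keeping the instruction count unchanged means branch targets stay
    valid; a later pass can drop the nops."""
    out = list(body)
    i = 0
    while i < len(out) - 1:
        if (out[i][0] == "ldc.i4" and out[i + 1] == ("call", decoder_token)
                and out[i][1] in mapping):
            key = out[i][1]
            out[i] = ("nop", None)
            out[i + 1] = ("ldstr", mapping[key])
            i += 2
        else:
            i += 1
    return out


def deobfuscate(body: List[Instr], decoder_token: int,
                decode: Callable[[int], str]):
    """Run all three steps on one method body; returns (patched, mapping)."""
    mapping = build_mapping(extract_keys(body, decoder_token), decode)
    return patch_body(body, mapping, decoder_token), mapping


def deobfuscate_assembly(dll_path: str, decoder_token: int, out_path: str) -> None:
    """Same pipeline over a real DLL via dnlib through pythonnet. Assumed
    API (not from the write-up): ModuleDefMD.Load, Instruction.IsLdcI4 /
    GetLdcI4Value, OpCodes.Call/Nop/Ldstr, ModuleDef.Write; needs
    `pip install pythonnet` and dnlib.dll beside the script."""
    import clr                                    # pythonnet
    clr.AddReference("dnlib")
    from dnlib.DotNet import ModuleDefMD
    from dnlib.DotNet.Emit import OpCodes
    from System import Array, Object
    from System.Reflection import Assembly
    decoder = Assembly.LoadFile(dll_path).ManifestModule.ResolveMethod(decoder_token)
    decode = lambda k: str(decoder.Invoke(None, Array[Object]([k])))
    module = ModuleDefMD.Load(dll_path)
    for t in module.GetTypes():
        for m in t.Methods:
            if not m.HasBody:
                continue
            ins = list(m.Body.Instructions)
            body = [("ldc.i4", i.GetLdcI4Value()) if i.IsLdcI4()
                    else ("call", i.Operand.MDToken.ToInt32()) if i.OpCode == OpCodes.Call
                    else (i.OpCode.Name, None) for i in ins]
            patched, _ = deobfuscate(body, decoder_token, decode)
            for i, (op, operand) in zip(ins, patched):
                if op == "nop":
                    i.OpCode, i.Operand = OpCodes.Nop, None
                elif op == "ldstr":
                    i.OpCode, i.Operand = OpCodes.Ldstr, operand
    module.Write(out_path)


if __name__ == "__main__":
    patched, mapping = deobfuscate(SAMPLE_BODY, DECODER_TOKEN, toy_decoder)
    print(mapping)
    print(patched)
```

The reflection step in `deobfuscate_assembly` loads and runs code from the malware itself (the decoder's static constructor included), so it belongs in an isolated analysis VM; the offline model is the part to reuse when writing a cleaner for a different sample, with only `extract_keys` needing adjustment if the obfuscator's call pattern differs.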
Trammy.dll starts by opening a decoy PDF, then checks that a particular file does not yet exist and that the machine's IP address is Brazilian. Only if both conditions hold does it proceed to execute its malicious code; this ensures the malware runs only once and only in Brazil, which helps it evade automated sandbox systems.
According to G DATA, it then gathers system information such as the OS version, computer name and serial numbers via WMI; a null serial number is marked with 'VM' as an indicator of a virtual machine. It also collects details of installed antivirus software and sends all of this data to a remote server.
Next, the malware downloads a password-protected ZIP archive from a remote server; the archive contains a DLL that the loader adds to Windows Defender's exclusions. The loader knows the archive password and uses it to extract the files, and the exclusion keeps the antivirus from scanning and detecting the dropped DLL.
The malicious ZIP archive contains files that install CCProxy, a network traffic monitoring tool, and a fake explorer.exe compiled using Delphi. CCProxy is configured to disguise communication with a CnC server. The fake explorer.exe is executed after a system reboot and displays a fake license expiration warning.