Researchers thwarted a phishing attack targeting SharePoint users, where the attack leveraged a spoofed email mimicking a legitimate file share, complete with Microsoft branding.
The engine detected this by identifying brand impersonation through visual analysis of the logo and malicious content, suspicious file types linked within the email, sender domain discrepancies, failed SPF authentication, and language designed to trick users into revealing credentials, which, combined with the high attack score, triggered the system to block the attack.
Researchers then discovered a suspicious .zip file containing an AutoIT executable; decompilation revealed obfuscated code within the executable, and after removing the obfuscation and decoding the embedded data, they identified it as potential shellcode.
Analysis with Speakeasy confirmed the code’s executability, but it immediately terminated after employing anti-analysis techniques, suggesting the presence of evasion mechanisms designed to hinder dynamic analysis in emulated environments.
During Ghidra's analysis of document.exe, researchers discovered a malicious AutoIT script containing shellcode; initial execution attempts failed, prompting them to analyze the shellcode in Ghidra.
Sublime Security identified numerous stack strings, including a sequence containing "lecheries," and redirected the analysis to the shellcode's beginning (FUN_00000000), where they observed API hashes within the shellcode, likely used to locate Windows APIs.
By comparing these hashes to documented values, the researchers confirmed the use of CRC32 hashing, a technique also observed in the TrickGate shellcode-based loader.
While CRC32 usage alone does not definitively confirm TrickGate, the presence of these hashes in another shellcode-based file and TrickGate’s known use of AutoIT and similar payloads strongly suggest a connection to this malware family.
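As an added illustration of the hash comparison described above (example code, not from Sublime Security's analysis), the following Python builds a CRC32 lookup table from a constructed list of Windows API names and resolves hash constants lifted from shellcode back to names; it assumes the standard zlib CRC32 polynomial and covers the common NUL-terminated and case-folded variants that loaders use.

```python
import zlib

# Constructed list of API names for illustration; a real analysis would
# load the export tables of kernel32.dll / ntdll.dll instead.
CANDIDATE_APIS = [
    "CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
    "NtCreateThreadEx", "CreateRemoteThread", "LoadLibraryA",
    "GetProcAddress", "NtUnmapViewOfSection",
]

def crc32_variants(name: str) -> dict:
    """Return the CRC32 values a loader might compute for one API name.

    Shellcode authors differ in whether they hash the bare ASCII string,
    include the terminating NUL, or fold the name to one case first, so
    the table covers all of these and records which variant matched.
    """
    raw = name.encode("ascii")
    variants = {
        "ascii": raw,
        "ascii+nul": raw + b"\x00",
        "upper": raw.upper(),
        "lower": raw.lower(),
    }
    return {label: zlib.crc32(data) & 0xFFFFFFFF for label, data in variants.items()}

def build_hash_table(names=CANDIDATE_APIS) -> dict:
    """Map every candidate hash value -> (api name, variant label)."""
    table = {}
    for name in names:
        for label, value in crc32_variants(name).items():
            table.setdefault(value, (name, label))
    return table

def resolve_hashes(observed, names=CANDIDATE_APIS) -> dict:
    """Resolve hash constants lifted from shellcode back to API names.

    Unmatched values map to None; a large unmatched fraction suggests
    either a different hash algorithm or an export list that is too small.
    """
    table = build_hash_table(names)
    return {h: table.get(h) for h in observed}

if __name__ == "__main__":
    # Constructed sample: pretend these constants were read out of the
    # shellcode's hash list in Ghidra (the third one is a deliberate miss).
    sample = [crc32_variants("CreateProcessW")["ascii"],
              crc32_variants("VirtualAllocEx")["ascii+nul"],
              0xDEADBEEF]
    for h, hit in resolve_hashes(sample).items():
        print(f"{h:08x} -> {hit}")
```

If every lifted constant stays unresolved, the loader is probably using a different algorithm (or a salted or rotated variant), which is the same reasoning the researchers applied before attributing the CRC32 hashes to TrickGate-style tooling.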
Static reverse engineering of the shellcode began in Ghidra but shifted to dynamic analysis with x32dbg to expedite the process. Debugging revealed key APIs like CreateProcessW and injection-related functions, suggesting a loader.
Breakpoints were set to capture API resolutions, identifying CreateProcessW as spawning svchost.exe as the injection target, while inspection of svchost.exe uncovered a second ntdll.dll instance and a suspicious netsh.exe process with no command-line arguments.
Inspecting netsh.exe’s memory revealed an RWX section containing potential shellcode.
A broader system scan with hollows_hunter flagged explorer.exe as suspicious, uncovering another RWX section with shellcode-like characteristics.
String analysis of this section using Detect It Easy revealed a domain, URL, user agent, and “PKT2” prepended base64 data, strongly suggesting a connection to the Xloader malware.
The PKT2 data revealed strong indicators of an Xloader infection, as the use of base64-encoded registration packets appended to the string "PKT2" is consistent with documented Xloader behavior.
Xloader uses a method to avoid detection, which involves loading two instances of the ntdll.dll file within the svchost process of the computer.
A multi-stage injection sequence, beginning with svchost.exe, progressing to netsh.exe, and culminating in explorer.exe, mirrors the documented injection patterns of Xloader, which strongly suggests that the observed malware exhibits significant similarities to the Xloader variant.