In a recent report by security firm NSFOCUS, details of a new threat actor emerged. Named AtlasCross by the researchers, the campaign came to light when suspicious documents belonging to a phishing campaign were found.
Upon further investigation, the researchers believed they had stumbled on a new advanced persistent threat actor who is both skilled and cautious in their attack approach.
Along with discovering a new threat actor, two new trojans, DangerAds and AtlasAgent, have also been discovered.
The discovered phishing campaign used a supposed American Red Cross blood drive as its lure. Once the document is opened, a prompt message is presented to the victim, asking them to enable editing of the document.
The prompt enables macro functionality, allowing the threat actor to begin the infection process. A document about the blood drive is then shown, complete with American Red Cross branding, to keep the victim on the hook.
The document hides malicious code that will be executed when the victim enables macros. It should be noted that last year, Microsoft blocked macros by default to prevent malicious MS Office documents from being used as the initial infection method.
However, organizations have a checkered history of applying software updates, meaning that, for the moment, this attack method is still viable.
The malicious macro carries out three tasks: releasing the payload, setting scheduled tasks, and uploading basic information about the victim host. Once the macro has run, the loader trojan portion of the malware is started.
This program is a loader Trojan, whose main function is to detect the host environment and execute a built-in shellcode in its process. The shellcode is used to load the final payload of the third stage.
It is worth noting that the Trojan will execute malicious code only when it detects that the user name or local domain name of the victim host contains a specific string. This design indicates that the attacker uses this attack process for intra-domain penetration after successfully intruding into the target network.
AtlasAgent and DangerAds
DangerAds performs the function of acting as the loader mentioned above. The malware's major features include detecting the host environment and executing a built-in shellcode. The built-in shellcode is also used to load the other trojan payload, AtlasAgent.
Regarding DangerAds, researchers stated,
DangerAds writes major malicious code to the .NET dll program’s HelpText method, so it starts when an external program invokes Help from that dll program. It should be noted that the user name and local domain name of the host will be collected before the main malicious functions of DangerAds are executed, and subsequent code will be executed only when one of these two names contains the keyword “danger” or “ads-wcf”. Therefore, it can be judged that this attack is a targeted attack against the domain or user name containing “ads-wcf”.
The main functions of AtlasAgent are to obtain host information, process information, prevent the opening of multi-programs, inject specified shellcodes, and download files from command-and-control servers.
The Trojan communicates with the command-and-control servers over HTTP, protects communication data by RC4-encrypting it and then Base64-encoding the result, and obscures key APIs using two encryption methods at once.
While the use of custom trojans shows some of the threat actor's skill, the group's tactics show what it is truly capable of. Persistence is maintained by creating scheduled tasks that load the malicious DLL components.
This keeps the main malicious component from being detected through its exports and stops some dynamic detection products from forcibly triggering the DLL's malicious code through its export functions, hindering malware analysis.
In a further effort to remain undetected for as long as possible, AtlasAgent can be injected into threads of other processes. It can inject shellcode either into an existing thread of the selected process or into a newly created thread of that process without using any API function calls, removing one more method security researchers could use to detect the malware.
While AtlasAgent handles process injection, DangerAds is capable of reflective loading, another technique the threat actor uses to evade detection.
Taking all this into account, NSFOCUS concluded,
On the one hand, this attacker can actively absorb various hacker technologies and integrate them into its own technology stack and tool development process; on the other hand, it has chosen the most conservative route in environmental detection, execution strategy, network facility selection, etc., reducing its exposure risks at the expense of efficiency. In addition, the residual debug code in AtlasCross self-developed Trojan can also prove that this attacker is still improving the attack process…These characteristics reflect the high-level threat nature of this attacker, who may continue to organize other cyberattack activities against key targets after this attack.
It is hard to argue with the researchers' conclusion. The use of MS Office macros to gain initial access is perhaps the one weak point in the infection chain, given that Microsoft now disables them by default.
This is yet another reminder of why keeping software packages up to date is so important.