An unknown attacker is using a complex and powerful new malware loader in relatively unsophisticated and low-reward attacks, indicating they may not realize the potential capabilities of the malware they are deploying.
The malware, Trojan.Verblecon, is being used in attacks that appear to have installing cryptocurrency miners on infected machines as their end goal. There are some indications the attacker may also be interested in stealing access tokens for chat app Discord. However, the capabilities of this malware indicate that it could be highly dangerous if leveraged in ransomware or espionage campaigns.
Verblecon was first spotted by analysts from Symantec, a division of Broadcom Software, in January 2022. This blog will detail the capabilities of the malware.
The malware is loaded as a server-side polymorphic JAR file. The fact that the file is polymorphic means that, due to encryption and obfuscation, the code of the malware payload looks different each time it is downloaded. Attackers generally pack malware in this way in an effort to evade detection by security software.
The malware samples analyzed by Symantec were fully obfuscated, in the code flow, strings, and symbols. The samples themselves may be based on publicly available code.
Once started, the malware checks its command-line arguments. It requires at least one command-line argument to execute; this argument may initially be the infection or campaign ID, e.g.:
"CSIDL_SYSTEM_DRIVE\program files\java\jre1.8.0_301\bin\javaw.exe" -jar "CSIDL_PROFILE\appdata\local\temp\rpvbh.jar" masonkhonsari
"CSIDL_SYSTEM_DRIVE\program files\java\jre1.8.0_301\bin\javaw.exe" -jar "CSIDL_PROFILE\appdata\local\temp\rpvbh.jar" 923ec15ffa4474ca7bf200bfb90e782d
It also attempts to determine whether its own process is being debugged by checking for the following Java command-line arguments:
Next, it attempts to detect if it is being opened in a virtual or sandbox environment, which would indicate it is likely being opened on a security researcher’s machine.
First, it checks for the following directories:
- "%ProgramFiles(X86)%\VMware\VMware Tools"
- "%ProgramFiles(X86)%\Oracle\VirtualBox Guest Additions"
It also obtains the machine's MAC address and checks it against the following prefixes, which may indicate the file is being run on a virtual machine:
Following those checks, it executes the following command to obtain a list of running processes:
- tasklist.exe /fo csv /nh
It then appears to check these processes against a hard-coded list:
It also checks for the following files:
Next, it appears to check the user name against the following:
- java.lang.System.getProperty("user.name") == "WDAGUtilityAccount"
Then it executes the following command:
- reg query "HKU\S-1-5-19"
It is unclear how the output is processed; however, there are some strings that could be related to this or other registry checks:
- "SOFTWARE\Microsoft\Virtual Machine\Guest\"
- "SOFTWARE\VMware, Inc.\"
- "VirtualBox Guest Additions"
- "VMware Tools"
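The anti-analysis checks above leave a recognisable process-tree shape on an endpoint: a java/javaw process launched with a JAR in the Temp directory and a single trailing ID, which then spawns `tasklist.exe /fo csv /nh` and `reg query "HKU\S-1-5-19"`. The following is an added detection example, not Symantec's code, that scores constructed process-creation events (the field names `pid`, `ppid`, `image`, `cmd` and the sample paths are assumptions) against those documented behaviours.

```python
import re

# Constructed process-creation events (not real telemetry), shaped like EDR/Sysmon
# "process create" records: child pid/ppid, child image path and full command line.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Program Files\Java\jre1.8.0_301\bin\javaw.exe",
     "cmd": r'"C:\Program Files\Java\jre1.8.0_301\bin\javaw.exe" -jar '
            r'"C:\Users\bob\AppData\Local\Temp\rpvbh.jar" 923ec15ffa4474ca7bf200bfb90e782d'},
    {"pid": 4112, "ppid": 4100, "image": r"C:\Windows\System32\tasklist.exe",
     "cmd": "tasklist.exe /fo csv /nh"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg query "HKU\S-1-5-19"'},
    # Benign control: JAR outside Temp, no trailing ID, no child recon commands.
    {"pid": 5000, "ppid": 900, "image": r"C:\Program Files\Java\jre1.8.0_301\bin\javaw.exe",
     "cmd": r'"C:\Program Files\Java\jre1.8.0_301\bin\javaw.exe" -jar "C:\Tools\app.jar"'},
]

# Captures the JAR path (quoted or bare) and whatever follows it on the command line.
JAR_RE = re.compile(r'-jar\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))\s*(?P<args>.*)$', re.IGNORECASE)


def score_java_process(java_event, children):
    """Return the Verblecon-like indicators seen for one java/javaw process and its children."""
    hits = []
    m = JAR_RE.search(java_event["cmd"])
    if not m:
        return hits
    jar = m.group("q") or m.group("u")
    args = m.group("args").split()
    if re.search(r"\\appdata\\local\\temp\\", jar, re.IGNORECASE):
        hits.append("jar_in_temp")
    # The loader refuses to run without an argument; a lone opaque token (e.g. 32 hex chars)
    # after the JAR path is the documented shape of the infection/campaign ID.
    if len(args) == 1 and re.fullmatch(r"[A-Za-z0-9]{6,}", args[0]):
        hits.append("single_id_argument")
    for c in children:
        cl = c["cmd"].lower()
        if c["image"].lower().endswith("tasklist.exe") and "/fo csv" in cl and "/nh" in cl:
            hits.append("tasklist_csv_enumeration")
        if c["image"].lower().endswith("reg.exe") and "query" in cl and r"hku\s-1-5-19" in cl:
            hits.append("reg_query_hku_s-1-5-19")
    return hits


def find_verblecon_candidates(events, min_hits=3):
    """Map pid -> indicators for every java/javaw process reaching the hit threshold."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e["ppid"], []).append(e)
    out = {}
    for e in events:
        if e["image"].lower().endswith(("\\javaw.exe", "\\java.exe")):
            hits = score_java_process(e, by_parent.get(e["pid"], []))
            if len(hits) >= min_hits:
                out[e["pid"]] = hits
    return out
```

Requiring several indicators together keeps a lone `tasklist` or `reg query` from a legitimate Java application from firing the rule.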
If satisfied with these checks, it may copy itself as one of the following files:
And then create one of the following files to use as a loadpoint:
[INFECTION_ID] is computed as follows:
Then it periodically attempts to connect to the following URLs:
[DGA_NAME] is apparently generated using the following method:
The traffic generated by the malware looks like this:
The server response appears as the below. Some of the strings in this response indicate that the attacker may be leveraging legitimate Cloudflare infrastructure to host some of their C&C infrastructure.
The server response body above is an encrypted blob that contains a URL signed with an RSA key. This blob can be decrypted and validated as follows:
The malware then starts communicating with the decoded URL by sending details about the infected computer:
The request body contains the following information about the infected machine in encrypted form:
- "id" is [INFECTION_ID]
- "os" is OS version, e.g. "Windows 10"
- "pv" is "Admin" when running with Administrator privileges
- "ip" is JAR pathname
- "cn" is "[USER_NAME]@[COMPUTERNAME]"
- "lr" has value "00:00:00"
- "ct" has value "0"
- "bv" has value "v1.0.0"
The server has been observed to respond as follows:
Where the response body can be decrypted as follows:
The last term above contains the following string:
Some samples of the malware are seen communicating with the following servers:
Communication between the malware and servers is over HTTP or HTTPS and this communication appears to culminate with victims being directed to connect to the following:
The payload is downloaded from the URL observed earlier:
The payload is obfuscated in a similar way to the other samples, and also contains similar techniques to detect the virtualization environment, as well as other functionality.
The core functionality is to download and execute a binary blob from the following URL:
The blob is decrypted along with *.bin artifacts from the same host. The downloaded blob is then cached on the local filesystem (in re-encrypted form) and injected into %Windows%\SysWow64\dllhost.exe for execution.
The injection is performed through com.sun.jna (Java Native Access) rather than the Windows APIs usually used for injection.
The final payload (hardwick.bin) contains the following embedded URL pointing to a configuration file for a cryptocurrency miner:
This indicates that the purpose of this activity was to install cryptocurrency mining software on victim machines.
What is the goal of this campaign?
The evidence found on victim networks appears to indicate that the goal of the attacker was to install cryptocurrency mining software on victim machines. This would appear to be a relatively low-reward goal for the attacker given the level of effort that would have been required to develop this sophisticated malware.
There are also indications that the attacker may be stealing Discord tokens and using these to advertise Trojanized videogame applications.
We suspect they were stealing Discord tokens because some of the obfuscated strings refer to pathnames that are apparently related to Discord clients, specifically:
- "AppData\Roaming\discordcanary\Local Storage\leveldb"
- "AppData\Roaming\discordptb\Local Storage\leveldb"
- "Library\Application Support\discord\Local Storage\leveldb"
- "Library\Application Support\discordcanary\Local Storage\leveldb"
- "Library\Application Support\discordptb\Local Storage\leveldb"
- ".config\discordcanary\Local Storage\leveldb"
- ".config\discordptb\Local Storage\leveldb"
Discord is a group chatting app that is particularly popular among the gaming community. Advertising Trojanized videogame applications via Discord is likely a redistribution channel for Trojan.Verblecon.
Could this be used to distribute ransomware?
Most of the infections we saw where this malware was used were on non-enterprise machines; we rarely see ransomware deployed on non-enterprise machines.
Previous reports have connected related domains to a single occurrence of ransomware, but the infrastructure may be shared with an unrelated actor. The similarities between that incident and the activity we observed include:
- The use of “verble” in the domain name
- The downloading of shellcode for execution
- Similar obfuscation
However, we do not have enough evidence to draw a definitive link between both these sets of activity.
Power in the hands of an inexperienced actor?
The activity we have seen carried out using this sophisticated loader indicates that it is being wielded by an individual who may not realize the capabilities of the malware they are using. However, if it fell into the hands of a more sophisticated actor the potential is there for this loader to be used for more serious attacks, including potentially ransomware and espionage campaigns.
For the latest protection updates, please visit the Symantec Protection Bulletin.
Indicators of Compromise (IoCs)
If an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.