FortiSandbox seamlessly integrates with various Security Fabric platform products, offering a straightforward approach to safeguarding against breaches. Upon detecting malicious code, FortiSandbox promptly responds by assigning risk ratings and instantly sharing local intelligence with Fortinet Security Fabric, Fabric-Ready Partners, and other security solutions.
Recently, FortiSandbox identified an info stealer specifically targeting European users. This article details how FortiSandbox detects and captures the behavior of this malware. The malware targets German-, Italian-, Polish-, and Spanish-speaking users, aiming to steal email login data from the Microsoft Outlook and Mozilla Thunderbird mail clients. The stolen data is then sent to its command-and-control (C2) server, granting the threat actor access to the victim's email credentials.
The discovered info stealer arrives as an obfuscated JavaScript file. Once executed, it uses Microsoft tools like PowerShell to copy itself into the user directory, and then utilizes certutil to decode its payload and ultimately execute the 64-bit PE file. This sophisticated sequence allows it to bypass security measures and deliver its payload effectively.
FortiSandbox excels in identifying and analyzing such threats by executing malware within a controlled environment that mimics real-world user scenarios. This method allows us to observe the malware's behavior in detail and understand its attack vectors. All the information in this article is based on the Job Detail Report generated by FortiSandbox. Reverse engineering of the malware was also conducted to explore other capabilities and provide a deeper understanding of its operations. Through this exploration, readers will gain insights into the robust detection mechanisms of FortiSandbox and its vital role in protecting against sophisticated malware threats.
The purpose of this article is to demonstrate how FortiSandbox detects, mitigates, and documents the behaviors and to provide a visual aid for the analyzed JavaScript file (MD5: 41751e784af9225d8e489e2980efc3e1). A tree view diagram (Figure 1) illustrates the sequence of execution, outlining the chronological order in which various actions and processes occur within the info stealer. The visual representation offers valuable insights into the JavaScript code behavior, allowing us to trace the flow of operations and understand how the malware operates.
Additionally, suspicious indicators triggered during the analysis were recorded (Figure 2), providing further context and aiding in the identification of potentially malicious activities. FortiSandbox classified the malware as "High Risk Exploit" as observed in Figure 3, emphasizing its severity.
FortiSandbox identifies the sample as a JavaScript file and initiates wscript.exe to execute the malware. Upon execution, the malware copies itself to the %USERPROFILE% directory with the filename enchantedlongingbrave.bat. FortiSandbox has classified this activity as High Risk, as shown in Figure 4.
Upon examining the content of enchantedlongingbrave.bat, we discovered some intriguing strings. Initially, the file was heavily obfuscated, as depicted in Figure 5, which obscured its content and required manual decryption to reveal the actual script, shown in Figure 6. However, FortiSandbox can trace and analyze the sequence of processes initiated by the malicious script directly, thus eliminating the need for decryption (Figure 7).
The info stealer begins by checking the operating system language using the WMIC command:
wmic path win32_operatingsystem get oslanguage
It then verifies whether the returned code is 1049, which indicates that the system language is Russian. If the code is 1049, the malware terminates. Otherwise, it proceeds to execute the command:
findstr /v routechiefreflective "%USERPROFILE%\enchantedlongingbrave.bat"
This command searches through the file enchantedlongingbrave.bat and prints only the lines that do not contain the string routechiefreflective; the lines that do contain it are excluded from the command's output. The resulting output is copied into a file named deskfoundinicky (MD5: adad6d9cfe18550132bab5a73dbe25ea). When examining its content, we noticed that it contains a base64-encoded string, as illustrated in Figure 8.
Next, the malware decodes the base64-encoded file using the Microsoft tool certutil, a Windows command-line utility known for decoding such files. According to the indicator provided by FortiSandbox in Figure 9, the malware attempts to decode the base64-encoded file deskfoundinicky and save the decoded content to bedroomwastestrong.ico (MD5: 4a9a7c9e67ca4efe786f873c743d02bd).
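The two carving steps above (findstr /v to drop the marker-tagged lines, then certutil -decode on what is left) can be reproduced offline so that an analyst can pull the embedded payload out of the .bat file without executing it and confirm what the decoded file is. The following is an added example and not code from the article or from Fortinet; the marker string and file names are the article's, while the .bat content, the fake PE stub and the helper names are constructed for this demonstration.

```python
"""Added example (not from the Fortinet article): reproduce the
findstr /v + certutil -decode carving step offline and sanity-check that the
result is a 64-bit PE. The .bat content below is constructed, not the sample."""
import base64
import hashlib
import struct
from typing import Dict, Optional

MARKER = "routechiefreflective"          # tag on every line that is NOT payload
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def carve_payload_lines(bat_text: str, marker: str = MARKER) -> str:
    """Equivalent of `findstr /v <marker> file`: keep only lines lacking the marker."""
    return "\n".join(line for line in bat_text.splitlines() if marker not in line)


def decode_like_certutil(b64_text: str) -> bytes:
    """Equivalent of `certutil -decode`: ignore PEM-style ----- header/footer lines
    and line breaks, then base64-decode the rest."""
    body = "".join(line.strip() for line in b64_text.splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body)


def pe_machine(blob: bytes) -> Optional[int]:
    """Return IMAGE_FILE_HEADER.Machine, or None if the blob is not a PE image."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if len(blob) < e_lfanew + 6 or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", blob, e_lfanew + 4)[0]


def triage(bat_text: str) -> Dict[str, object]:
    """Carve, decode and classify. The md5 is what you would compare against the
    hash the sandbox report lists for the decoded file (bedroomwastestrong.ico)."""
    payload = decode_like_certutil(carve_payload_lines(bat_text))
    machine = pe_machine(payload)
    return {
        "size": len(payload),
        "is_pe": machine is not None,
        "is_x64": machine == IMAGE_FILE_MACHINE_AMD64,
        "md5": hashlib.md5(payload).hexdigest(),
    }


# ---- constructed input standing in for enchantedlongingbrave.bat ----
def _fake_x64_pe_stub() -> bytes:
    """Just enough header bytes to satisfy pe_machine(); not a runnable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: NT headers follow the DOS header
    nt = b"PE\0\0" + struct.pack("<H", IMAGE_FILE_MACHINE_AMD64)
    return bytes(dos) + nt + b"\0" * 18         # rest of IMAGE_FILE_HEADER left zeroed


def build_sample_bat() -> str:
    """Marker-tagged 'script' lines wrapped around a base64 body, as the article describes."""
    b64 = base64.b64encode(_fake_x64_pe_stub()).decode()
    lines = ["@echo off & rem obfuscated launcher line " + MARKER,
             "rem second obfuscated line " + MARKER,
             "-----BEGIN CERTIFICATE-----"]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines += ["-----END CERTIFICATE-----", "rem trailer " + MARKER]
    return "\n".join(lines)


SAMPLE_BAT = build_sample_bat()

if __name__ == "__main__":
    print(triage(SAMPLE_BAT))
```

On a real sample, `triage()` is run on the dropped .bat; a decoded blob whose md5 matches the report's value for bedroomwastestrong.ico and whose machine type is 0x8664 confirms the chain end to end without ever launching regsvr32.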
Finally, the info stealer leverages PowerShell to execute the regsvr32 command-line utility and register bedroomwastestrong.ico, which is presented as a DLL (Dynamic Link Library) file. This technique is used to execute the malicious payload, achieve persistence, and evade detection by security measures.
During the analysis, FortiSandbox was operating with an English keyboard. Since English was not one of the targeted languages, the info stealer likely terminated its execution without exhibiting further behaviors. This prompted the need for reverse engineering to gain further insight into its operations.
Based on Figure 11, we noticed that the info stealer employs a targeted approach based on keyboard language settings to selectively infect systems that match certain criteria. Using the Windows API function GetKeyboardLayout, the info stealer retrieves the keyboard language configured on the user's system. It then checks whether the retrieved language matches any of the predefined target languages.
If the user's keyboard language corresponds to one of the targeted languages, the info stealer proceeds with its infection routine. However, if the keyboard language does not match any of the predefined target languages, the malware terminates its execution. This strategy ensures that the info stealer operates only on systems that meet its language criteria. Table 1 details the targeted languages.
| Hex | Country Code | Meaning |
| --- | --- | --- |
| 403 | ca-ES | Catalan - Spain |
| 407 | de-DE | German - Germany |
| 40A | es-ES | Spanish - Spain |
| 410 | it-IT | Italian - Italy |
| 415 | pl-PL | Polish - Poland |
| 42D | eu-ES | Basque - Spain |
| C0A | es-ES | Spanish - Spain |
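The two locale gates described in this article, the WMIC check that exits when oslanguage is 1049 and the GetKeyboardLayout check against Table 1, are easy to write out so that the arithmetic behind the hex values becomes visible, including why both 40A and C0A appear in the table. The following is an added example and not code from the article or from Fortinet; the table values and the 1049 constant are the article's, the HKL and LANGID field layout is the documented Windows SDK layout, and the sandbox values and the assumption that the low word of the HKL is what gets compared are mine.

```python
"""Added example (not from the Fortinet article): the OS-language and
keyboard-layout gates written out as functions. The comparison on the low word
of the HKL is an assumption; the article only says the layout is matched."""
from typing import Dict, Tuple

# Table 1 from the article: keyboard language identifiers the sample proceeds on.
TARGET_LANGIDS: Dict[int, str] = {
    0x403: "ca-ES", 0x407: "de-DE", 0x40A: "es-ES", 0x410: "it-IT",
    0x415: "pl-PL", 0x42D: "eu-ES", 0xC0A: "es-ES",
}
RUSSIAN_OS_LANGUAGE = 1049      # 0x419, the value the WMIC check compares against


def langid_from_hkl(hkl: int) -> int:
    """GetKeyboardLayout() returns an HKL; the low word is the LANGID and the
    high word is the device/layout handle, so only the low word is compared."""
    return hkl & 0xFFFF


def split_langid(langid: int) -> Tuple[int, int]:
    """LANGID = (sublanguage << 10) | primary language (the MAKELANGID layout).
    0x40A and 0xC0A share primary 0x0A (Spanish) and differ only in sublanguage."""
    return langid & 0x3FF, langid >> 10


def passes_os_language_gate(os_language_lcid: int) -> bool:
    """First gate: `wmic path win32_operatingsystem get oslanguage` must not be 1049."""
    return os_language_lcid != RUSSIAN_OS_LANGUAGE


def passes_keyboard_gate(hkl: int) -> bool:
    """Second gate: the active keyboard's LANGID must appear in Table 1."""
    return langid_from_hkl(hkl) in TARGET_LANGIDS


def would_run(os_language_lcid: int, hkl: int) -> bool:
    """Both gates must pass for the sample to continue past its checks."""
    return passes_os_language_gate(os_language_lcid) and passes_keyboard_gate(hkl)


def explain(hkl: int) -> str:
    langid = langid_from_hkl(hkl)
    primary, sub = split_langid(langid)
    name = TARGET_LANGIDS.get(langid, "not targeted")
    return f"HKL {hkl:#010x} -> LANGID {langid:#06x} (primary {primary:#x}, sub {sub}) -> {name}"


if __name__ == "__main__":
    # Constructed values: a default en-US sandbox, the same host with a German
    # layout, and a Russian-language OS with a German layout.
    for os_lang, hkl in [(1033, 0x04090409), (1033, 0x04070407), (1049, 0x04070407)]:
        print(explain(hkl), "| oslanguage", os_lang, "| runs:", would_run(os_lang, hkl))
```

The first constructed case is the situation the article describes during its sandbox run: an en-US layout (LANGID 0x409) is not in Table 1, so the sample stops before any stealing behavior. A sandbox profile that sets one of the Table 1 layouts is what lets the later stages execute and be recorded.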
As shown in Figure 13, the malware attempts to steal confidential information from the Mozilla Thunderbird mail client. If the path Thunderbird\Profiles\.* is found, it searches for two specific files: logins.json and key4.db. The logins.json file stores login credentials, including usernames and passwords, for Thunderbird email accounts and services, while the key4.db file contains the cryptographic keys used to encrypt and decrypt the data in logins.json.
The second mail client targeted is Microsoft Outlook. The malware attempts to access the Windows registry key:
SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Within this registry path, the malware seeks to extract the values corresponding to the IMAP Server, IMAP User, and IMAP Password, aiming to gather sensitive information related to the user's email accounts, as shown in Figure 14.
Once the data has been gathered from the infected system, the malware attempts to connect to its remote server at 45[.]9[.]74[.]176/server.php to transmit the stolen data, as illustrated in Figure 15.
FortiSandbox serves as a crucial component in fortifying organizations against cyber threats by swiftly identifying and mitigating potential breaches. Through its seamless integration with Security Fabric platform products, FortiSandbox protects via inline scanning and enhances collaborative threat intelligence sharing, enabling rapid response to emerging threats.
TA0002 - Execution
| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1059.001 | Command and Scripting Interpreter: PowerShell | Malware using PowerShell to register 'bedroomwastestrong.ico' as a DLL via the regsvr32 command-line utility |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Using CMD to get the OS language through WMIC and to search the file 'enchantedlongingbrave.bat' for lines that do not contain the word 'routechiefreflective' |
TA0005 - Defense Evasion
| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1140 | Deobfuscate/Decode Files or Information | Using certutil to decode the base64-encoded file 'deskfoundinicky' into a 64-bit executable, 'bedroomwastestrong.ico' |
| T1036.005 | Masquerading: Match Legitimate Name or Location | Suspicious file %USERPROFILE%\enchantedlongingbrave.bat installed in the user profile folder |
| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed |
| --- | --- | --- | --- | --- | --- |
| Initial JavaScript File | 41751e784af9225d8e489e2980efc3e1 | MD5 hash | Installation | Malicious JavaScript file | 2024-06-20 |
| | 3670b2efb54a4890e6f47af9319d280480a811b085a176e91e7d4fb90d5a0e08 | SHA256 hash | | | |
| Malicious JavaScript File | 41751e784af9225d8e489e2980efc3e1 | MD5 hash | Installation | Copy of the original JavaScript file with the extension .bat | 2024-06-20 |
| | 3670b2efb54a4890e6f47af9319d280480a811b085a176e91e7d4fb90d5a0e08 | SHA256 hash | | | |
| Malicious base64-encoded file | adad6d9cfe18550132bab5a73dbe25ea | MD5 hash | Installation | Malicious Base64-encoded file | 2024-06-20 |
| | 743a97413f9d301ff5dbe0560546d8172dce8e8ca90d2d349e63dbc040533a45 | SHA256 hash | | | |
| Malicious Executable | 4a9a7c9e67ca4efe786f873c743d02bd | MD5 hash | Installation | Base64-decoded file, malicious 64-bit executable | 2024-06-20 |
| | 87a9b079af706268bb8f7bc95e0d0ed16092bfc620ffc118e907fd6fd8da1c0c | SHA256 hash | | | |
| Command-and-Control Remote Server | 45[.]9[.]74[.]176/server.php | IP address | Command and Control | Remote server for the analyzed malware | 2024-06-20 |
Copyright 2024 Fortinet, Inc. All Rights Reserved.