MasterMana Campaign Combines Stealth, Free Services and Old Malware

An ongoing cybercrime campaign that started as early as December 2018, has avoided widespread detection through a combination of stealth tactics and hiding in plain sight. Called MasterMana, the threat is sufficiently sophisticated to avoid automatic detections during infection, but not so sophisticated that it attracts the eye of the APT threat hunters.

Researchers at cyber intelligence firm Prevailion, who detected and named the campaign, avoid direct attribution to specific attacker groups. Nevertheless, they point to some similarities between MasterMana and the tactics, techniques, and procedures (TTPs) of the Gorgon Group, which is thought to originate in Pakistan. In 2018, Palo Alto’s Unit 42 research arm described the Gorgon Group as ‘slithering between nation state and cybercrime’. This is a reasonable description of the MasterMana campaign — the attackers likely have advanced capabilities, but have consciously chosen not to use them here.

In September, Prevailion disclosed a North Korean-linked summer campaign that it called Autumn Aperture targeting U.S. Entities.

MasterMana attacks start with phishing and an attached weaponized Office document. The samples found and reported by Prevailion use Excel, but references within the code suggest that the group might have also trojanized Word, PowerPoint and Publisher file formats. The phishing has to trick the victim into enabling macros. Once this is done, the VBS script reaches out to a Bitly link, which leads to an actor-controlled Blogspot (myownteammana[.]blogspot[.]com). The Microsoft macro highlights the actors’ stealth approach, while the Blogspot URL shows the ‘hiding in plain sight’ element of the attack.

The same Blogspot hostname was used by multiple campaigns within MasterMana, with each campaign correlating with different URLs. In just one mini-campaign from late July through September, the Bitly link statistics show the link was clicked by victims around the world approximately 1,500 times (for example, 161 times from China, 50 times from Australia, and 27 times from the UK). While the visited page looks benign, it contains further malicious JavaScript.

This JavaScript connects to a Pastebin URL and runs mishta.exe (obfuscated VBScript using string reversals and unnecessary concatenations to avoid detection). This script kills any running instances of Word, Excel, PowerPoint and Publisher. “Next,” say the researchers, “it would attempt to create scheduled tasks and modify a registry key to obtain the next payload.” A time delay on the scheduled task would seek to avoid sandbox detection. From the end of September, this process was modified to use three scheduled tasks set for six minutes, then five hours and then ten hours, attempting to ensure the registry instance would persist after a reboot.

Once created, the scheduled tasks and registry keys were populated with the contents of another Pastebin URL comprising another obfuscated PowerShell script. The purpose this time was to download a fully functional RAT. At first, this was Revenge Rat. From 15 September, this changed to Azorult. Although old, Azorult can be purchased from Russian forums at prices ranging up $100 and is cheap and effective. It is primarily geared toward stealing credentials from email accounts, messenger apps, and cryptocurrency wallets, and web cookies and browser history.

It can also upload and download files from a hard-coded IP address (examples include hxxp://216.170.126[.]146/2ky/index.php and hxxp://23.249.163.135/index.php) and take screenshots. It would be possible for the attacker to deploy additional malware such as cryptominers or ransomware.

Overall, the campaign is interesting in its combination of newer approaches such as stealth (macros and PowerShell), its use of third party websites such as Bitly, Blogspot and Pastebin (to appear less suspicious and make it easy to update/change the scripts), and old RAT malware. 

The third-party websites provide their own statistics, making it relatively easy for researchers to track the success of the campaigns. “For example,” say the researchers, “we observed that the URL that hosted the Revenge Rat sample had been viewed over 3300 times. This suggests that there are 3300 machines that were affected by this campaign.” But while the stealth and use of third-party websites seems to be successful, the use of old malware would likely ultimately fail against ‘victims’ with a mainstream and up-to-date anti-malware defense. 

The Prevailion researchers have two primary conclusions on the methodology used in MasterMana. Firstly, the cost to the threat actors is virtually non-existent, using the free services of third-party providers and an old and inexpensive malware. But secondly, this was all done as a conscious choice: “The campaign showed a very specific level of sophistication, tailored intentionally to evade detection.”

The researchers believe that this mix of evasion and low-tech methods account for the longevity of the campaign. Researchers in general tend to be looking for the latest bad malware — such as Emotet — rather than old malware such as Azorult. And although many infections will fail at the last hurdle of anti-malware detection, the low cost and large scale of the campaign nevertheless provides an effective ROI for the criminals.

“This campaign’s threat actors saw an opportunity and appear to have carved out a nice niche for themselves,” say the researchers.

Related: AZORult Variant Can Establish RDP Connections 

Related: Extensive ‘Living Off the Land’ Hides Stealthy Malware Campaign 

Related: Macro Malware Has Returned: Intel Security 

Related: Microsoft Blocks Risky Macros in Office 2016