# New Iranian Espionage Campaign By "Siamesekitten" - Lyceum

## August 2021

##### TLP:WHITE

© All rights reserved to ClearSky Cyber Security ltd. 2021
[info@clearskysec.com](mailto:info@clearskysec.com) | [www.clearskysec.com](http://www.clearskysec.com/)

##### Contents

- Executive Summary
- Attack Tools
- MITRE ATT&CK Categories
- Analyzing the Attack
  - TTPs
    - Social Engineering
    - Lure Files
    - Milan Backdoor
    - Shark Backdoor
    - DanBot RAT
- Attack Infrastructure
- Indicators of Compromise
  - Hashes
  - Domains

#### Introduction

##### Executive Summary

At the beginning of May 2021, we detected the first attack by Siamesekitten on an IT company in Israel. Siamesekitten (also named Lyceum/Hexane) is an Iranian APT group, active in the Middle East and in Africa, that launches supply chain attacks. To this end, Siamesekitten established a large infrastructure that enabled them to impersonate the company and its HR personnel. We believe this infrastructure was built to lure IT experts and penetrate their computers in order to gain access to the company's clients.

In July 2021, we detected a second wave of similar attacks against additional companies in Israel. In this wave, Siamesekitten upgraded their backdoor to a new version called "Shark", which replaced the older version called "Milan". Details of both versions are included in this report.

This report summarizes our findings regarding the latest Siamesekitten attacks and reviews the attack patterns and malware used in this campaign.
We believe that during the past several months Siamesekitten has been trying to penetrate many Israeli organizations using supply chain tools. The attack sequence uncovered by our researchers includes the following phases:

1. Identifying the potential victim (employee).
2. Identifying the human resources department employee who may be impersonated.
3. Establishing a phishing website that impersonates the targeted organization.
4. Creating lure files compatible with the impersonated organization.
5. Setting up a fraudulent LinkedIn profile impersonating the HR department employee.
6. Contacting potential victims with an "alluring" job offer, detailing a position in the impersonated organization.
7. Sending the victim to the phishing website with a lure file.
8. The Milan backdoor infects the computer or server after one or more lure files are downloaded and opened. A connection is then established between the infected machine and the C&C server using DNS and HTTPS.
9. The DanBot RAT is downloaded to the infected system.
10. Through the infected machine, the group gathers data, conducts espionage, and attempts to spread within the network.

The Iranian attack group Siamesekitten (also named Lyceum/Hexane) has been active since 2018[1]. In the past, the group has mainly targeted oil, gas, and telecom companies. In 2018, the group primarily attacked several African countries, and in 2019 they began attacking Middle Eastern countries as well[2]. In the first quarter of 2021 the group focused on attacks in Tunisia[3].
According to research conducted by Dragos, the group establishes a foothold on the machines it infects to facilitate continued activity on the network. Dragos also stated that the group primarily employs lure documents as an initial attack vector. Several security companies have detected a partial resemblance between Siamesekitten's activities and those of two other Iranian groups, APT33 and APT34.

After establishing persistence on the infected machine, the group uses DanBot, a Remote Access Trojan (RAT) that enables downloading and uploading files from and to the C&C server.

This campaign is similar to the North Korean "job seekers" campaign, employing what has become a widely used attack vector in recent years: impersonation. Many attack groups run this type of campaign, such as the North Korean Lazarus campaign we exposed in the summer of 2020 (Dream Job) and the Iranian OilRig (APT34) campaign that targeted Middle Eastern victims in the first quarter of 2021.

The group offers the potential victim an "alluring" job at a known company that it is impersonating. The victim is referred to a website hosted on the impersonating server, where they find details of jobs in Israel, France, and the UK. The website also presents two lure files: an Excel file that drops the backdoor using a malicious macro, and an executable that drops the same backdoor onto the machine. After the backdoor is dropped, a connection is established between the infected machine and the C&C server, which eventually leads to the download of a RAT to the victim's computer. This dual infection is a further development of the group's attack methods.

We believe that these attacks, and their focus on IT and communication companies, are intended to facilitate supply chain attacks on those companies' clients.
According to our assessment, the group's main goal is to conduct espionage and to use the infected network to gain access to the victims' clients' networks. As with other groups, it is possible that espionage and intelligence gathering are the first steps toward impersonation attacks that deliver ransomware or wiper malware.

1 dragos.com/threat/hexane/
2 secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign
3 securelist.com/apt-trends-report-q1-2021/101967/

##### Attack Tools

In the Siamesekitten campaign, we discovered several malicious files which the attackers used to gain initial access to infected computers. The tools and techniques are divided into three categories:

1. Social engineering techniques – Siamesekitten used social engineering to lure the potential victim into downloading malicious files:
   a. Siamesekitten created fake profiles on social networks (mainly LinkedIn).
   b. Siamesekitten created phishing sites impersonating the company that allegedly offers the alluring jobs.
2. Lure files – Siamesekitten used two types of lure files that do the same thing: download the group's malware to the machine:
   a. An Excel file that includes details of the various job offers that appeared on the impersonating website. A malicious, password-protected macro embedded in this Excel file is designed to download the malware onto the victim's machine.
   b. A Portable Executable (PE) file that allegedly includes a "catalog" of products used by the impersonated organization. After the file is executed, the malware is downloaded onto the machine.
3. Attack files and methods of communicating with the C&C server:
   a. Siamesekitten used a backdoor that was dropped onto the machine after the victim opened one of the lure files. Later, the DanBot RAT was downloaded to the machine, followed by the group's new "Shark" backdoor.
   b. The malicious backdoor "Milan", which communicates between the C&C server and the infected machine over DNS queries.
   c. Communication over DNS tunneling – communication with the different C&C servers is conducted using DNS queries. We detected C&C server addresses hard-coded in the files.
   d. RAT files – the DanBot RAT, used by the group for several years.

##### MITRE ATT&CK Categories

The following table depicts the attack scenario using MITRE ATT&CK:

|MITRE Phase|Techniques, Tools and Procedures|Title|MITRE ATT&CK|
|---|---|---|---|
|Resource Development|Procedures|Siamesekitten establishes several servers for DNS tunneling, and several servers for the fraudulent website|Acquire Infrastructure – T1583|
|Initial Access|Techniques|Siamesekitten sends a spear-phishing link to the victim via an impersonated social media profile|Spearphishing Link – T1566.002|
|Execution|Tools|Siamesekitten uses a malicious Office macro written in Visual Basic to install the malware|Command and Scripting Interpreter: Visual Basic – T1059.005|
||Tools|Siamesekitten uses CMD commands to gain a foothold|Command and Scripting Interpreter: Windows Command Shell – T1059.003|
||Tools|Siamesekitten uses malicious files (Excel and Portable Executable) to drop the malware|User Execution: Malicious File – T1204.002|
|Persistence|Procedures|Siamesekitten creates a scheduled task to run the backdoor|Scheduled Task/Job: Scheduled Task – T1053.005|
|Defense Evasion|Techniques|Siamesekitten encodes its data in Base64, and uses passwords for files and macros|Deobfuscate/Decode Files or Information – T1140|
|Command and Control|Techniques|Siamesekitten uses DNS tunneling to communicate with the malware|Application Layer Protocol: DNS – T1071.004|
||Techniques|Siamesekitten encodes the data that is sent to the C2 using its own protocol|Data Encoding: Non-Standard Encoding – T1132.002|

##### Analyzing the Attack

This chapter reviews the group's attack scenario
in detail, beginning with the initial contact with the victim through LinkedIn and ending with the final phase of the attack: dropping the RAT onto the victim's machine. Notably, this is a dual attack scenario, with two lure files accompanying the phishing website.

###### TTPs

###### Social Engineering

Approaching the Victim

The victim is contacted through social media. In this instance, the profile impersonates a manager from the HR department of ChipPc, an Israeli technology company. Conversing with the company corroborated that an HR manager with this name was employed there in 2007. This indicates that the attackers thoroughly researched the subject of impersonation to build a convincing social engineering array.

When the group contacts the victim, it uses the fake profile to offer a significant position in the company's IT and technology fields. The victim is then directed to a website that hosts the malware and is designed to impersonate the company's legitimate website.

###### Impersonating Websites

We estimate that the group is employing a focused social engineering format. We have detected two prominent websites over the past six months that we associate with this infrastructure:

Softwareagjob[.]com

Software AG is a large German technology company. A website impersonating this company was continuously active during February. Throughout this attack, the group used the fake website to offer a position in the company.
The impersonating webpage included a link to an XLS lure document that allegedly provides a resume template.

Jobschippc[.]com

This is the group's primary website as of the end of May 2021. The website impersonates ChipPc, the previously mentioned Israeli IT company, and exhibits the group's new dual attack scenario: using two lure documents simultaneously.

When the victim visits the website, they arrive at a page detailing three positions in the company: one position in Rehovot (a city in Israel), concerning project management, HR, and sales, and two additional positions in France and the United Kingdom (Paris and London respectively) concerning sales and development. In addition to reading the job descriptions, the victim is requested to download two files, each referring to a different aspect of the job offer. The first file is an XLS that details the requirements for each of the offered positions, and the second is an executable that allegedly details the company's capabilities in various fields. The files are elaborated upon below. The website also seemingly offers a .docx file for download named "invitation.docx", but this part of the site was not operational at the time of analysis.

When examining the fake website's file server, it appears that the files were uploaded on May 18th, a day after they were generated.
The website itself was already prepared on May 6th, several days before it went "live" on May 11th.

###### Lure Files

XLS File

The Excel file, named "Capabilities.xls", contains information about the different positions and their requirements.

The Excel file was generated on May 17th, approximately six days after the fake website was created. The file embeds a malicious, password-protected macro that provides a layer of defense against researchers, and its OLE metadata indicates editors named Fred and Jonathon. We were able to overcome the encryption and encoding. Once editing is enabled and the malicious macro executes, a malicious backdoor named MsNpENg is extracted to several folders with the same name.

As seen in the macro's source code, a scheduled task is created to establish persistence on the targeted server. This is the familiar Siamesekitten scenario that the group has been employing since 2018.

###### Executable File

This file is a new addition to the group's methods. Alongside the Excel file, the website hosts a password-protected ZIP archive (the password is the domain impersonating the legitimate company). The archive contains three files:

- An executable named "companycatalog".
- A configuration file named "companycatalog.exe.config".
- A dynamic library that creates a scheduled task to execute the malware.
Notably, all three files must be extracted for the malware to run successfully, as is evident from the executable. Although the malware looks as if it was written in .NET, closer inspection reveals that it was written in C++.

The executable allegedly provides details of the products ChipPc specializes in, emphasizing three primary vendors: Citrix, Microsoft, and VMware. A link to each product's legitimate developer is shown alongside the details.

When the file is executed with the rest of the archived files extracted, the backdoor is dropped again. This time the backdoor is dropped under the name "ChipPc.exe", though it still uses the COM component to create a scheduled task.

###### Milan Backdoor

Malware Analysis

Despite the names presented previously (ChipPc, for example), the original file was named Milan.exe, as can be seen in the file's properties. This can also be learned from the malware's PDB path:

`C:\Users\kernel\Desktop\milan\Release\Milan.pdb`

The malware's debugger timestamp is May 18th, indicating that the malware was newly built a day after the Excel file.

The malware executes several CMD commands that are hard-coded in its source:

- `C:\Windows\system32\cmd.exe /c cmd /c ipconfig /all 2>&1`
- `C:\Windows\system32\cmd.exe /c cmd /c dir c:\users\ /s 2>&1`
- `C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > Nul & rmdir /s /q "%s" & schtasks /delete /tn Optimize Machine Analysis /f`
- `C:\Windows\system32\cmd.exe /c ping 4.2.2.4 -n 1 -w 4000 > Nul & del /f /q "%s" & waitfor a 4 & copy "%s" "%s" & schtasks /Run /TN "SystemTask"`

The first two commands are reconnaissance (network configuration and a recursive listing of the user profiles). The last two use a single `ping` with a timeout as a sleep before deleting the malware's own folder or file and deleting or running the scheduled task; the `%s` placeholders are filled in at runtime.

As mentioned previously, when one of the lure documents is executed, a folder containing the malware is created under "ProgramData". Another folder named "log" is created inside it, alongside a text file named "current" and files with the suffix MDF (disk). The text file contains the short string "config:1251". After the malware is executed, this file is deleted.

The malware gathers information about the machine, such as the machine's name, which users are registered on it, and more. The gathered contents are encoded and saved in files with the suffix MDF.
In accordance with Siamesekitten's familiar attack scenario, folders meant to receive or upload files are created in the "log" folder. Each folder's name begins with the character sequence "a9850d2f" and ends with a single different character that signifies the folder's function. For example, the folder named "a9850d2fd" is used to receive files sent from the C&C server through DNS tunneling. The letters d, f, g, and s are used to differentiate the folders. The servers the malware contacts are hard-coded in its code.

###### Communication with the Server

Communication is performed using two methods. Initially, HTTP requests are sent to the C&C domain to download a malicious payload. The requests are sent with pre-defined user agents; the two observed are:

- `Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36`
- `Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)`

The C&C server contacted by the malware was previously used by other Iranian attack groups, such as APT39.

Following this, the malware attempts to send DNS queries. If the queries are successful, they are directed to C&C servers operated by the group. In the following example, communication over DNS was successful and was directed to C&C servers situated in Russia, Ukraine, or Nigeria. These are apparently either compromised servers used by the group or VPN/VPS servers. If the communication fails, the digit "0" is returned in response.
If it succeeds, a signal containing four characters alongside some additional content is returned in response. After eight characters, a ".bin" suffix is received as a signal. The responses are eventually combined into a single payload, f5cf9869.bin. This file is saved in the relevant folder (the one designated by the letter "d"):

`C:\ProgramData\MsNpENg\Log\a9850d2fd\f5cf9869.bin`

Alternatively, the server may respond with complete words, such as "yes".

It appears that communication is directed at several different C&C servers, specifically defenderlive[.]com and dnsstatus[.]org in the following instance.

We have identified various communication formats. The preliminary communication that establishes the connection is characterized as follows:

|Query|Domain|IP|
|---|---|---|
|yciw-fbrleh1-ezbroemoectjecqmz6frgxqlzutrxsmuux|dnsstatus / defender|35.35.35[.]35|
|yciw-fbrleh1w-s-g-a-jet1-s-qtahecnuecpl|dnsstatus|48.32.32[.]32|
|yciw-sgpoet5w-s-g-a-ueh5-s-qtahecnuecpl|dnsstatus|48.32.32[.]32|
|yciw-fgapec1w-s-g-a-nem1-s-qtahecnuecpl|dnsstatus|48.32.32[.]32|
|yciw-strkdqoj-s-g-a-heo5-s-qtahecnuecpl|defender|48.32.32[.]32|
|yciw-qgroem6j-s-b-a-hem5-s-qtahecnuecpl|defender|48.32.32[.]32|

###### Shark Backdoor

Malware Analysis

In July 2021, indicators associated with this attack were shared with us by fellow researchers. By cross-referencing findings from the campaign, we identified this malware as a substitute for DanBot.
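Before turning to Shark's internals, the Milan indicators described in the preceding sections (the hard-coded command lines, the `ProgramData\MsNpENg` and `a9850d2f*` folders, the `yciw-` DNS labels under dnsstatus[.]org / defenderlive[.]com, and the 35.35.35.35 / 48.32.32.32 answers) can be turned into host-side detection logic. The following Python script is an added example written for this page, not code from the report; the event shape (a list of dicts with `EventID` 1 for process creation and 22 for DNS queries, mimicking Sysmon JSON) and every sample event are constructed here, and the `MsNpENg.exe` image name is an assumption, since the report only gives the folder name.

```python
"""Added example: triage constructed Sysmon-style events for the Milan
backdoor behaviours described in the report (not the report's own code)."""
import re

# Domains and answer addresses quoted in the report's DNS table.
C2_DOMAINS = {"dnsstatus.org", "defenderlive.com"}
SIGNAL_IPS = {"35.35.35.35", "48.32.32.32"}
# Scheduled-task names from the hard-coded Milan command lines.
TASK_NAMES = {"optimize machine analysis", "systemtask"}

# Recon run through a double "cmd /c" (legitimate admin use rarely nests cmd).
RECON_RE = re.compile(r"cmd(?:\.exe)?\s+/c\s+cmd\s+/c\s+(ipconfig /all|dir c:\\users\\ /s)", re.I)
# A single ping with a timeout used as a sleep, followed by self-deletion.
PING_SLEEP_RE = re.compile(r"ping\s+\S+\s+-n\s+1\s+-w\s+\d+\s*>\s*nul\s*&\s*(rmdir|del)\b", re.I)
SCHTASKS_RE = re.compile(r'schtasks\s+/(?:delete|run)\s+/tn\s+"?([^"&]+?)"?\s*(?:/f|$|&)', re.I)
# Milan drop folder and the a9850d2f{d,f,g,s} exchange folders.
PATH_RE = re.compile(r"\\programdata\\msnpeng\b|\\a9850d2f[dfgs]\b", re.I)


def check_process(ev):
    """Indicators in a process-creation event's command line."""
    cmd = ev.get("CommandLine", "")
    hits = []
    if RECON_RE.search(cmd):
        hits.append("milan_recon_cmd")
    if PING_SLEEP_RE.search(cmd):
        hits.append("ping_sleep_self_delete")
    m = SCHTASKS_RE.search(cmd)
    if m and m.group(1).strip().lower() in TASK_NAMES:
        hits.append("milan_task_name")
    if PATH_RE.search(cmd):
        hits.append("milan_drop_path")
    return hits


def check_dns(ev):
    """Indicators in a DNS-query event: known C2 parent, tunnel-shaped label, signal answer."""
    qname = ev.get("QueryName", "").lower().rstrip(".")
    labels = qname.split(".")
    parent = ".".join(labels[-2:])
    hits = []
    if parent in C2_DOMAINS:
        hits.append("milan_c2_domain")
    first = labels[0] if labels else ""
    # The report's samples all start with "yciw-"; the length/hyphen rule
    # is a generic tunnel heuristic (assumption, not from the report).
    if first.startswith("yciw-") or (len(first) >= 30 and first.count("-") >= 3):
        hits.append("dns_tunnel_label")
    if ev.get("QueryResults", "") in SIGNAL_IPS:
        hits.append("milan_signal_answer")
    return hits


def triage(events):
    """Return {event_index: [indicator, ...]} for every event that matches."""
    findings = {}
    for i, ev in enumerate(events):
        hits = []
        if PATH_RE.search(ev.get("Image", "")):
            hits.append("milan_drop_path")
        if ev.get("EventID") == 1:
            hits += check_process(ev)
        elif ev.get("EventID") == 22:
            hits += check_dns(ev)
        if hits:
            findings[i] = hits
    return findings


SAMPLE_EVENTS = [  # constructed for this example; QueryResults is simplified to the answer IP
    {"EventID": 1, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c cmd /c ipconfig /all 2>&1"},
    {"EventID": 1, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > Nul & rmdir /s /q "C:\ProgramData\MsNpENg" & schtasks /delete /tn Optimize Machine Analysis /f'},
    {"EventID": 22, "Image": r"C:\ProgramData\MsNpENg\MsNpENg.exe",  # image name assumed
     "QueryName": "yciw-fbrleh1w-s-g-a-jet1-s-qtahecnuecpl.dnsstatus.org", "QueryResults": "48.32.32.32"},
    {"EventID": 1, "Image": r"C:\Windows\system32\cmd.exe",  # benign: single cmd, no nesting
     "CommandLine": r"C:\Windows\system32\cmd.exe /c ipconfig /all"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.example.com", "QueryResults": "93.184.216.34"},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The benign fourth event shows why the recon rule keys on the nested `cmd /c cmd /c` rather than on `ipconfig /all` alone; the DNS rule fires on the known parent domains and on the label shape independently, so a new C2 domain with the same tunnel format is still caught.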
According to one of the files' PDB paths, the malware is named "Shark", a name we adopted (as in Milan's case):

`C:\Projects\Shark\Shark\obj\Debug\Shark.pdb`

In addition, we detected other PDB paths containing the name "Shark", where the file name was changed to appear more legitimate. Here are the two additional paths:

`D:\source\repos\Shark\Shark\obj\Release\audioddg.pdb`
`C:\Users\David\Desktop\sharkkkkkk\Shark\obj\Release\Winlangdb.pdb`

Unlike Milan, these files were written in .NET rather than C++. The malware requires a command-line parameter that contains part of the executed file's name. The malware creates a mutex with the file's name as its value to make sure that it does not run on the infected machine more than once. Execution is also conditioned on the screen width being more than 600 pixels (a common anti-sandbox check).

Next, the malware activates a function called 'redus'. This function produces an encrypted GZIP file from a preset configuration that is embedded in the malware. This configuration contains two C&C servers and various malware settings, which are detailed below.
The following is the relevant code snippet:

The configuration file is encoded using a 0x2a XOR key. The malware creates four folders, named 'D1', 'U1', 'D2' and 'U2' according to their function, like the folders created when the Milan backdoor is installed. A random number between 0 and 1,000,000 is added before and after each predefined folder name.

The following is an analysis of the parameters we detected in the configuration:

|Field|Purpose|
|---|---|
|S1|C&C server 1|
|S2|C&C server 2|
|T1|DNS traffic pause interval|
|T2|HTTP traffic pause interval|
|D1|Path that stores files downloaded through DNS communication|
|D2|Path that stores files downloaded through HTTP communication|
|U1|Path that stores files to be uploaded to the C&C through DNS communication|
|U2|Path that stores files to be uploaded to the C&C through HTTP communication|
|ID|Unique identifier for the infected machine|
|SH|If empty: receive information via DNS queries. If not empty: send information through HTTP requests|
|HS|If 0: send information through DNS queries. If 1: receive information via HTTP requests|
|Di / Hi|Unknown (apparently communication parameters)|

To establish a foothold on the machine, the malware saves the infected machine's GUID into the configuration's ID field. In addition, the malware runs four main functions that handle communication with the C&C server (over HTTP and DNS). DNS communication is sent using a unique domain generation algorithm.
Alongside another function called 'E', these functions run in infinite threads, allowing the malware to keep running as long as the machine is turned on. The five functions are 'HT', 'HT_SEND', 'DN', 'DN_SEND', and 'E'.

The E function is responsible for managing files in the D1 and D2 folders. These folders contain data downloaded to the infected machine from the C&C server. The malware first searches for ZIP files, loads their content into memory and deletes the files. If the file's suffix is TMP.ZIP, it is assumed to contain commands and is extracted and decrypted using the Reject function, in the same way as the configuration file. The results of executing the commands are stored in the U1 or U2 folder, to be uploaded to the C&C, matching the D1 or D2 folder in which the commands arrived. Notably, some of the commands require CMD to run. The malware constructs CMD commands from the file downloaded from the C&C and writes them to a file named dmp.bat. The malware then looks for dmp.bat and attempts to execute it through CMD.

The following is a processing of the 'Reject' function:

|Command|Purpose|
|---|---|
|s1:|Update the configuration with a new C&C server S1|
|s2:|Update the configuration with a new C&C server S2|
|t1:
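The 'redus' / 'Reject' pair and the command handling above can be reproduced to decode captured Shark blobs and to screen unknown files for them. The following Python is an added example written for this page, not the malware's or the report's code. Taken from the report: the configuration is a GZIP stream encoded with the single-byte XOR key 0x2a, the fields S1/S2/T1/T2/D1/D2/U1/U2/ID/SH/HS, the D1/U1/D2/U2 folder names padded with a random number (0 to 1,000,000) before and after, TMP.ZIP command files decoded by the same Reject routine, and the `s1:`/`s2:` commands that replace the C&C servers. Assumed for this example only: `KEY=VALUE` lines as the serialised form, the XOR applied after compression, one command per line, and the sample server names.

```python
"""Added example: Shark-style config/command blobs (XOR 0x2a over GZIP),
re-implemented from the report's description; not the malware's own code."""
import gzip
import random
import re

XOR_KEY = 0x2A
GZIP_MAGIC = b"\x1f\x8b"


def xor_bytes(data, key=XOR_KEY):
    return bytes(b ^ key for b in data)


def redus(plaintext):
    """Compress then XOR: the direction the malware uses to produce its blobs
    (order of the two steps is an assumption)."""
    return xor_bytes(gzip.compress(plaintext))


def reject(blob):
    """XOR then decompress: recovers config or command text from a blob."""
    return gzip.decompress(xor_bytes(blob))


def is_xored_gzip(blob, key=XOR_KEY):
    """Triage helper: a blob produced this way starts with the gzip magic
    XOR-ed by the key (0x1f^0x2a, 0x8b^0x2a = 35 a1), so unknown files in
    the D1/D2 folders can be screened without decompressing them."""
    return len(blob) >= 2 and xor_bytes(blob[:2], key) == GZIP_MAGIC


def pack_config(fields):
    text = "\n".join(f"{k}={v}" for k, v in fields.items())  # assumed serialisation
    return redus(text.encode())


def unpack_config(blob):
    text = reject(blob).decode()
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)


def exchange_folder(name, seed=None):
    """D1/U1/D2/U2 padded with a random number on each side, as described."""
    rng = random.Random(seed)
    return f"{rng.randint(0, 1_000_000)}{name}{rng.randint(0, 1_000_000)}"


COMMAND_RE = re.compile(r"^(s1|s2):(\S+)$")


def apply_commands(cfg, command_text):
    """Apply the documented s1:/s2: updates to a copy of cfg. Every other
    line is treated as shell input destined for dmp.bat and is returned
    rather than executed."""
    cfg = dict(cfg)
    shell_lines = []
    for line in command_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = COMMAND_RE.match(line)
        if m:
            cfg[m.group(1).upper()] = m.group(2)
        else:
            shell_lines.append(line)
    return cfg, shell_lines


SAMPLE_CONFIG = {  # constructed values; the real servers are in the report's IOC section
    "S1": "c2-one.invalid", "S2": "c2-two.invalid", "T1": "30", "T2": "60",
    "D1": "D1", "D2": "D2", "U1": "U1", "U2": "U2", "ID": "", "SH": "", "HS": "0",
}


def demo():
    blob = pack_config(SAMPLE_CONFIG)
    cfg = unpack_config(blob)
    # A constructed TMP.ZIP payload: one config update plus one shell command.
    cmd_blob = redus(b"s1:c2-three.invalid\nipconfig /all\n")
    new_cfg, shell = apply_commands(cfg, reject(cmd_blob).decode())
    return blob, cfg, new_cfg, shell


if __name__ == "__main__":
    blob, cfg, new_cfg, shell = demo()
    print("xored gzip magic:", is_xored_gzip(blob), blob[:2].hex())
    print("S1 before/after:", cfg["S1"], "->", new_cfg["S1"])
    print("for dmp.bat:", shell)
    print("folder:", exchange_folder("D1"))
```

The two-byte check in `is_xored_gzip` is the cheapest way to sweep a suspect `ProgramData` tree for Shark artefacts; a real config dump should then be verified by confirming that `reject` yields the S1/S2/T1/T2 field set rather than by trusting the magic alone.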