Malware Analysis - Infinity Gauntlet

Posted:
07/27/2021
| By:
Stuart Gonzalez

While threat hunting for suspicious Windows PowerShell in the Perch SIEM, we came across a combination of interesting command strings that warranted further investigation. After cleaning up the code, we began looking around for known malware showing similar characteristics. This activity led us to find more information around the .NET remote access trojan (RAT) called Solarmarker. As a result, the ConnectWise CRU discovered new intelligence we thought would be great to share with the security community.

The .NET malware goes by different names among different research groups: Yellow Cockatoo (Red Canary), Jupyter Infostealer (Morphisec), Solarmarker (Crowstrike), Mars Diemos (Binary Defense), and Polazert (Malwarebytes). It’s a remote access tool (RAT) that tries to collect and exfiltrate sensitive information from the infected device. The different names have been attributed to different versions of the same code each group discovered and analyzed.

We, the ConnectWise CRU, wanted to join in on the [fun/chaos] of the malware variant naming circus. We have ironically dubbed the variant found as Infinity Gauntlet due to the colorful naming various researchers have given this malware. That said, Solarmarker is probably the most appropriate name for this malware in general. We’ll find out why later on in the review of its code.

If you are interested in reading more about the other variants, the research groups previously mentioned have more articles with detailed info:

Infinity Gauntlet Analysis

According to Morphisec, legitimate software like InnoSetup was used as the initial vector in dropping malicious files. In a recent publication by Malwarebytes, another infection vector was through SEO-poisoning. In this instance, we were not able to see the initial infection vector – we found the file while performing hunting exercises and sifting through suspicious Powershell activity.

Infinity-Gauntlet-image-1.png

The backdoor is created through the cmd file ’jhpuvmdx.cmd,’ which contained Powershell commands to create a shortcut .lnk file in “%AppData%\microsoft\windows\start menu\programs\startup\”. It then uses the xor_string to reconstruct the binary file,’ GAiYwIautWlcxLmqgohFUvNQnJXDbHMOkEVTCesfydjRpzSrBKZP,’ via two for loops.

Once the for loops unpack the binary file, it is then loaded into memory via System.Reflection.Assembly. The variants have been identified in the different analysis write-ups based on the last command provided in the cmd file and correlate to the namespace within the .NET binary. Our file contained the [z.z] variant, [z.z]::run().

Researchers from Binary Defense laid out how to write the binary to file instead of loading it into memory. The hash of the dumped binary was found in Virustotal. The first time this variant was seen in the wild was six months ago.

Infinity-Gauntlet-image-2.png

After analyzing the cmd file, we performed a static and dynamic analysis of the .NET backdoor in a local sandbox. We captured data through Procmon, Process Hacker 2, and Dnspy.

Reading through the code, we find that unlike other variants of Solarmarker, Infinity Gauntlet has less built-in functionality for harvesting sensitive data and mostly relies on importing the executables/scripts and PowerShell commands to perform those tasks.

The RAT begins by dropping the file, solarmarker.dat, which contains a unique ID that maps to its hardware identity, which is used later in C2 communications. The path and file are seen across all variants of this malware. This being the most consistent file naming scheme among all the variants, it makes the most sense the name of the malware would be Solarmarker.

Infinity-Gauntlet-image-3.png

We can see confirmation of the process writing to solarmarker.dat and .lnk files.

Infinity-Gauntlet-image-4.png

The C2 host is hardcoded into the variant.

Infinity-Gauntlet-image-5.png

An XOR key, a 36-character alphanumeric string, is used to encrypt the data before exfiltration to the C2 host.

Infinity-Gauntlet-image-6.png

Found in the strings output from memory, the initial payload created for HTTP traffic is XOR with the key above and then Base64 encoded.

Infinity-Gauntlet-image-7.png

JSON payload breakdown of the initial ping request payload.

Key Value
action Possible actions sent to the receiving C2 server include ping, get_file, and change_status.
hwid Hardware Identity is a unique value to manage infection progress. Value returned from the solarmarker.dat file.
pc_name Machine name
os_name Operating System
arch CPU Architecture values are either x64 or x86.
rights ‘Admin’ or ‘User’ level rights.
version Version of the malware (2.1).
workgroup Workgroup name | Domain/Workgroup name
dns Returns 0 or 1 if the computer is part of a domain.
protocol_version Protocol version used by C2 server.

After the ping message, the C2 could send instructions to the infected host to download further files or run more PowerShell commands, to which the following actions can take place on the device through the running malicious process:

First, the “status” field within the C2 response is checked for values containing either ‘file’ or ‘command’.

Infinity-Gauntlet-image-8.png

If the status value is set to ‘command’, the C2 will send the command string for the process to be executed.

Infinity-Gauntlet-image-9.png

If the status value is set to ‘file’, it checks whether the file type is an executable (.exe) or PowerShell script (ps1).

Infinity-Gauntlet-image-10.png

Then, the process constructs a payload to request the executable or script from the C2 server.

Infinity-Gauntlet-image-11.png

Both the executable and PowerShell script are saved to the same location under %TEMP%.

Infinity-Gauntlet-image-12.png

Infinity-Gauntlet-image-13.png

After the files are saved, the process runs the files from the saved location in %TEMP%.

Infinity-Gauntlet-image-14.png

Finally, upon completing the previous task, the process generates a status update response for the C2 server.

Infinity-Gauntlet-image-15.png

Confirmation that the process attempted to reach out to the C2 but never successfully connected from the sandbox. It is possible the current C2 for this variant is not active.

Infinity-Gauntlet-image-16.png

Indicators of Compromise

Files

Name Description Details
Raw Binary %userprofile%\ AppData\Roaming[a-zA-Z]{4}[a-zA-Z]{52} SHA256: 98674f1284d283300c2d859a522334ea0bcd9a4520ebb924467c83accbcf141d
CMD File %userprofile%\AppData\Roaming[a-z]{8}.cmd SHA256: b211ad94e3ebe0d4790b4b11c71856adad6e210d3e210958a9bab9b9fccbe2a8
Unpacked Binary backdoor.bin SHA256: 7895f429911a9256f33b87db8bc56f33747548e55630418c012925a1076af856
Hardware Identity File %userprofile%\AppData\Roaming\solarmarker.dat Hardware Identity
C2 File Drops %TEMP%*.ps1 C2 Powershell scripts
  %TEMP%*.exe C2 Executables

Network

Name Description
C2 Host 195.54.161.84

PowerShell Strings

Name Description
Initial CMD Powershell Drop “-w hidden –command” AND “new-object -comobject wscript.shell” AND “system.io.file” AND “-bxor”
C2 commands “-ep bypass -command \”iex(get-content "
Perch Detection

SIEM Alerts

  • [Windows][CRU] Suspicious Process Write to Startup
  • [Windows][CRU] SolarMarker.dat Identity File
  • [Windows][CRU] SolarMarker Powershell Load into Memory
  • [Windows][CRU] SolarMarker C2 Powershell Commands

IDS Signatures

alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"[ConnectWise CRU] Infinity Gauntlet (Solarmaker) Outbound C2 Traffic"; flow:established, to_server; http.method; content:"POST"; http.host; content:"195.54.161.84"; http.content_type; content:"application/json"; tag:session,5,packets; reference:url, https://perchsecurity.com/perch-news/malware-analysis-infinity-gauntlet/; classtype:trojan-activity; sid:900395; rev:1; metadata: created_at 2021-07-23, updated_at 2021-07-23;)

 

Recommended