Sailing the MalSpam Ocean: A Journey Through Threat Hunting and Uncovering Malware Activity
Where do I get started?
I focus on email threats like phishing, spam, and malware, so I’m sailing in the MalSpam ocean daily! Discovering new malware I haven’t encountered before is always exciting.
During my daily routine as a malware enthusiast, I came across a sample that stood out because of its unusually small size — around 10 KB. It caught my eye immediately.
There are many ways to observe and identify malware, such as analyzing URL patterns, file sizes, PDB strings, IPs, and domains. In my case, I simply picked the smallest file in my malware collection, curious about what made it so small. Sometimes, those seemingly insignificant details can lead us to new discoveries, groundbreaking research, or even something unexpected…though we certainly hope not a breakup!
My Journey of Threat Hunting
1. Analyzing the First Sample
Upon closer inspection, I discovered that the sample was a loader designed to download two files from a specified site. It appeared to target MSBuild.exe as the injection object. MSBuild.exe is a common target for process injection due to its legitimate use in Windows systems.
Additionally, there was a decryption function named “KhufuDecrypt,” which was responsible for decrypting the downloaded payload.
2. Creating a YARA Rule for Threat Hunting
I decided to write a simple YARA rule to hunt for more similar samples, as shown below:
rule MalSpam_Khufu_1
{
    meta:
        hash = "a4961f7f110abdd1226d7997d0d35930"
        rev = 1
    strings:
        $ss1 = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe" ascii wide
        $ss2 = "schtasks.exe" ascii wide
        $ss3 = "Invoke" ascii wide
        $ss4 = "set_UseShellExecute" ascii wide
        $ss5 = "KhufuKeys" ascii wide
        $ss6 = "KhufuDecrypt" ascii wide
        $ss7 = "/Create /SC MINUTE /MO 5 /TN \"{0}\" /TR \"{1}\" /ST {2}" ascii wide
    condition:
        5 of ($ss*)
}
After hunting, I identified 16 samples. Through these samples, I discovered additional features, such as varying PDB strings.
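To make the rule's two mechanics concrete, here is an added example (mine, not code from the original post) that re-implements what `ascii wide` and `5 of ($ss*)` mean in plain Python: every string is searched both as raw ASCII and as UTF-16LE (the form .NET user strings take inside an assembly), and the rule only fires when at least five distinct identifiers hit. The two byte blobs are constructed test inputs, not real samples; the second one shows why the threshold matters, since "Invoke" and "set_UseShellExecute" alone appear in plenty of benign .NET code.

```python
from typing import Dict, List

# The seven strings from the MalSpam_Khufu_1 rule above. YARA's "ascii wide"
# modifier means each one is searched both as raw ASCII and as UTF-16LE, which
# is how the .NET user-string heap stores literals inside a managed assembly.
RULE_STRINGS: Dict[str, str] = {
    "ss1": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
    "ss2": "schtasks.exe",
    "ss3": "Invoke",
    "ss4": "set_UseShellExecute",
    "ss5": "KhufuKeys",
    "ss6": "KhufuDecrypt",
    "ss7": '/Create /SC MINUTE /MO 5 /TN "{0}" /TR "{1}" /ST {2}',
}
MIN_MATCHES = 5  # the rule's condition: 5 of ($ss*)


def encodings(text: str) -> Dict[str, bytes]:
    """Byte patterns an 'ascii wide' string expands to."""
    return {"ascii": text.encode("ascii"), "wide": text.encode("utf-16-le")}


def match_strings(data: bytes) -> Dict[str, List[str]]:
    """Map each rule identifier found in data to the encodings it was found in."""
    hits: Dict[str, List[str]] = {}
    for ident, text in RULE_STRINGS.items():
        found = [name for name, pattern in encodings(text).items() if pattern in data]
        if found:
            hits[ident] = found
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition: at least MIN_MATCHES distinct strings present."""
    return len(match_strings(data)) >= MIN_MATCHES


# Constructed sample bytes, not a real file: crypter-style literals stored as
# UTF-16LE plus two ASCII strings, enough to satisfy the 5-of-7 threshold.
SAMPLE_CRYPTER = (
    b"MZ\x90\x00" + b"\x00" * 16
    + RULE_STRINGS["ss1"].encode("utf-16-le") + b"\x00\x00"
    + RULE_STRINGS["ss5"].encode("utf-16-le") + b"\x00\x00"
    + RULE_STRINGS["ss6"].encode("utf-16-le") + b"\x00\x00"
    + b"\x00schtasks.exe\x00set_UseShellExecute\x00"
)

# Constructed sample of an ordinary .NET binary: "Invoke" and
# "set_UseShellExecute" are common in benign code, so only two strings hit.
SAMPLE_BENIGN = b"MZ\x90\x00" + b"\x00" * 16 + b"Invoke\x00set_UseShellExecute\x00Main\x00"


if __name__ == "__main__":
    for label, blob in (("crypter", SAMPLE_CRYPTER), ("benign", SAMPLE_BENIGN)):
        print(label, rule_matches(blob), match_strings(blob))
```

Running it against real files is a matter of reading each file as bytes and calling `rule_matches`; `match_strings` is the useful part when tuning, because it tells you which identifiers carried the hit and in which encoding.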
This malware — or rather, I should call it a “Crypter,” though some also refer to it as a loader — is typically used to drop the final malware. As you might expect, threat actors use crypters to encrypt or obfuscate their final payloads, often generating an output folder, as suggested by the PDB strings.
In this case, we might speculate that the actors have multiple co-workers or operate in various environments to build the payloads. Below is the list of PDB strings I collected from 247 samples between April and August:
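PDB paths are worth automating because they carry the build account, the output folder and the language of the builder's desktop, which is exactly what the Portuguese-language path later in this post is pivoted on. The example below is an added one (mine, not the post's own tooling): it pulls the PDB path straight out of a CodeView `RSDS` record by scanning raw bytes, so it still works on packed or truncated files, and then splits the path into the parts worth clustering on. The first path is the one quoted on this page; the other paths, the GUID and the byte blob are constructed for the demo.

```python
import re
import struct
import uuid
from collections import defaultdict
from typing import Dict, List, Optional

# CodeView "RSDS" debug record: 4-byte signature, 16-byte GUID, 4-byte age,
# then a NUL-terminated PDB path. Searching raw bytes for the signature works
# even on packed or truncated files where full PE header parsing would fail.
RSDS_SIGNATURE = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4

# Windows user-profile layout: drive, "Users", account, optional folders, file.
PDB_PATH_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\Users\\(?P<user>[^\\]+)\\(?:(?P<folders>.*)\\)?(?P<file>[^\\]+\.pdb)$",
    re.IGNORECASE,
)


def extract_rsds(data: bytes) -> Optional[Dict[str, object]]:
    """Return GUID, age and PDB path from the first plausible RSDS record."""
    idx = data.find(RSDS_SIGNATURE)
    while idx != -1:
        start = idx + RSDS_HEADER_LEN
        end = data.find(b"\x00", start)
        if end != -1:
            path = data[start:end].decode("utf-8", errors="replace")
            # A random "RSDS" byte run is unlikely to be followed by a .pdb path.
            if path.lower().endswith(".pdb"):
                guid = uuid.UUID(bytes_le=data[idx + 4:idx + 20])
                age = struct.unpack_from("<I", data, idx + 20)[0]
                return {"guid": str(guid), "age": age, "path": path}
        idx = data.find(RSDS_SIGNATURE, idx + 1)
    return None


def parse_pdb_path(path: str) -> Dict[str, Optional[str]]:
    """Split a PDB path into the parts worth pivoting on: account, folders, file."""
    m = PDB_PATH_RE.match(path)
    if not m:
        return {"user": None, "folders": None, "file": path.rsplit("\\", 1)[-1]}
    return {"user": m.group("user"), "folders": m.group("folders"), "file": m.group("file")}


def cluster_by_user(paths: List[str]) -> Dict[str, List[str]]:
    """Group PDB file names by build account: a quick view of how many builders there are."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for p in paths:
        parts = parse_pdb_path(p)
        groups[parts["user"] or "<unknown>"].append(parts["file"])
    return dict(groups)


def make_constructed_blob(path: str) -> bytes:
    """Constructed test bytes (not a real PE): a decoy 'RSDS' with no .pdb path
    after it, then a well-formed record carrying `path`."""
    decoy = RSDS_SIGNATURE + b"\x01" * 20 + b"garbage\x00"
    record = (RSDS_SIGNATURE
              + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
              + struct.pack("<I", 1)
              + path.encode("utf-8") + b"\x00")
    return b"\x00" * 32 + decoy + b"\xff" * 8 + record + b"\x00" * 8


# The PDB path quoted on this page, plus constructed placeholders in the same
# "<account>\...\Outputs\<name>.pdb" shape and one outside a user profile.
SAMPLE_PDB_PATHS = [
    r"C:\Users\frede\OneDrive\Ambiente de Trabalho\Outputs\Empoha.pdb",
    r"C:\Users\builder01\Desktop\Outputs\Alpha.pdb",  # constructed
    r"C:\Users\builder01\Desktop\Outputs\Beta.pdb",   # constructed
    r"D:\work\release\Gamma.pdb",                      # constructed
]

if __name__ == "__main__":
    print(extract_rsds(make_constructed_blob(SAMPLE_PDB_PATHS[0])))
    print(cluster_by_user(SAMPLE_PDB_PATHS))
```

The GUID and age together identify one specific build, so they make a tighter pivot than the path alone when the same crypter project is rebuilt by several operators; the account and folder names are what reveal language and environment differences across builders.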
3. Threat Hunting Map
After identifying additional PDB strings, I used them as another path for threat hunting. By searching for these different PDB strings, I uncovered more samples and discovered other associated domains.
Additionally, I noticed that some correlated samples did not match my YARA rules due to variations in their decryption methods and features. Based on my analysis, the figure below illustrates my initial threat hunting map.
4. Hunting Mechanism
Based on my observations this year, this malware activity began in April and ended around mid-August. Using the method outlined in the previous step, I applied this hunting mechanism to gather additional samples and valuable intelligence.
Concept of Malware Activity Flow
During the research, it became evident from the executable file names and the related emails that the malicious payloads were distributed via phishing emails and cracked or fake software. The spoofed names included titles such as IPTV, PiratesTvPlus, IPTVnator-Setup, and FlixGrab Premium, and even a python3 installer.
The crypter was designed to download the injector module and the final-stage malware, which included threats like AgentTesla, Xworm, Remcos, and Quasar. Both the injector module and the final-stage malware were encrypted using custom encryption techniques. Once the crypter successfully downloaded these components, it decrypted the binary files and loaded them into memory for execution.
The execution flow of this malware activity is illustrated in the figure below.
Malware Analysis
1. The Earliest Activity on April 11th
Tracing its evolution, I discovered the earliest malware sample from this year, dated April 11th. This crypter was designed to download the injector module and payload from two separate websites. Unfortunately, these websites had been compromised and were being used to host malicious payloads.
After successfully downloading the files, the crypter invoked the function ConvertHexStringToByteArray to turn the payloads back into binaries. As shown in the figures below, the downloaded payload was encoded as a hex string, which had to be decoded before execution.
I was curious about the injector module, so I manually decrypted it and analyzed it using PeStudio. The file turned out to be a DLL with the internal name “PacTicToe.”
If you load the file into the dnSpy debugger and inspect the code, you’ll notice that it is obfuscated. After de-obfuscating it with de4dot, the results revealed that the injector was protected using Crypto Obfuscator.
The injector module utilized a technique known as RunPE, or Process Hollowing, a method commonly employed in crypters and various malware activities.
2. Variety of the Crypter
The earliest activity observed in April used basic string encoding to conceal the injector and payload. However, later samples began employing more advanced encryption and decryption techniques. For example, methods like XOR, AES, padding, and bit rotation were used to decrypt the downloaded binaries before injecting them into the targeted process.
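The hex-string step described under "The Earliest Activity" and the XOR and bit-rotation layers mentioned in this section are all reversible with a few lines, and the check an analyst needs at the end is the same every time: does the result look like a PE image? The example below is an added one (mine, not the crypter's code) that hex-decodes a downloaded blob the way ConvertHexStringToByteArray does, undoes a caller-specified list of XOR and rotate layers, and only returns the bytes if the MZ header and the `PE\0\0` signature line up. The fake PE header, the key and the rotation count are constructed for the demo; the layer order and key for a real sample come from reading the crypter's decrypt routine.

```python
import struct
from typing import List, Optional, Tuple

Layer = Tuple[str, object]  # ("xor", key_bytes) or ("ror"/"rol", bit_count)


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def convert_hex_string_to_byte_array(text: str) -> Optional[bytes]:
    """Equivalent of the crypter's ConvertHexStringToByteArray step: hex text to bytes."""
    try:
        return bytes.fromhex("".join(text.split()))
    except ValueError:
        return None


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rol8(data: bytes, bits: int) -> bytes:
    """Rotate every byte left by `bits` positions."""
    bits %= 8
    return bytes(((b << bits) | (b >> (8 - bits))) & 0xFF for b in data)


def ror8(data: bytes, bits: int) -> bytes:
    """Rotate every byte right; the inverse of rol8 with the same count."""
    return rol8(data, (8 - bits) % 8)


def recover_pe(hex_text: str, layers: List[Layer]) -> Optional[bytes]:
    """Hex-decode the downloaded text, undo each remaining layer in the given
    order, and return the bytes only if the result validates as a PE image."""
    data = convert_hex_string_to_byte_array(hex_text)
    if data is None:
        return None
    for kind, arg in layers:
        if kind == "xor":
            data = xor_bytes(data, arg)
        elif kind == "ror":
            data = ror8(data, arg)
        elif kind == "rol":
            data = rol8(data, arg)
        else:
            raise ValueError(f"unknown layer {kind!r}")
    return data if is_pe(data) else None


# Constructed stand-in for a downloaded payload: a minimal fake PE header (not
# executable) wrapped as XOR, then rotate-left 3, then hex text. The key and
# rotation count are made up for the demo.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 12
DEMO_KEY = b"\x4b\x68\x75"
DEMO_ROT = 3
DEMO_DOWNLOAD = rol8(xor_bytes(FAKE_PE, DEMO_KEY), DEMO_ROT).hex()

if __name__ == "__main__":
    # Undo the layers in reverse order of application: rotation first, then XOR.
    recovered = recover_pe(DEMO_DOWNLOAD, [("ror", DEMO_ROT), ("xor", DEMO_KEY)])
    print("recovered PE:", recovered is not None)
```

The April samples need no layers at all (`recover_pe(text, [])`), and getting the order wrong on later samples simply yields `None` rather than a misleading blob, which is the behaviour you want when scripting this across a folder of downloads.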
3. Obfuscator of Injector
I observed and gathered information about the obfuscators used to protect the injector module. As shown in the table below, threat actors utilized tools like Spices.Net, Crypto Obfuscator and .NET Reactor. Interestingly, some of these obfuscators were unregistered or evaluation versions.
4. Injecting Targeted Process
Numerous crypters have been observed abusing legitimate processes to execute the final RATs. In this activity, as shown below, MSBuild.exe was the most frequently abused legitimate process, accounting for 63.79%, followed by RegAsm.exe at 11.64% and CasPol.exe at 11.21%. These legitimate processes can serve as valuable indicators for creating detection rules or filters in your SIEM system.
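As an added example of the SIEM angle (mine, not from the original post), the script below runs two checks over process-creation events: a hollowing host such as MSBuild.exe, RegAsm.exe or CasPol.exe started with no arguments or from a parent living in a user-writable directory, and a `schtasks.exe /Create /SC MINUTE` persistence task matching the template in the YARA rule earlier in this post. The events are constructed Sysmon-style JSON lines, not real telemetry; the account, parent and task names are made up, and the allow-list of expected parents is an assumption to tune per environment.

```python
import json
import ntpath
import re
from typing import Dict, List

# Legitimate .NET utilities abused as injection targets in this activity.
INJECTION_TARGETS = {"msbuild.exe", "regasm.exe", "caspol.exe"}
# Parents that legitimately launch those tools. Assumption for this demo: tune
# it to your estate (build servers, developer workstations) before deploying.
EXPECTED_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|downloads|programdata)\\", re.IGNORECASE)
# The crypter's persistence template from the YARA rule: a task that re-runs every few minutes.
SCHTASKS_MINUTE = re.compile(r"/create\b.*?/sc\s+minute\b", re.IGNORECASE)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def analyze_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons a single process-creation event resembles this activity."""
    image = basename(event.get("Image", ""))
    parent = event.get("ParentImage", "")
    cmdline = event.get("CommandLine", "")
    reasons: List[str] = []
    if image in INJECTION_TARGETS:
        # A hollowed host is normally started with no arguments at all.
        if len(cmdline.split()) <= 1:
            reasons.append("no-arguments")
        # Build tools spawned by something living in a user-writable directory.
        if basename(parent) not in EXPECTED_PARENTS and USER_WRITABLE.search(parent):
            reasons.append("user-writable-parent")
    if image == "schtasks.exe" and SCHTASKS_MINUTE.search(cmdline):
        reasons.append("minute-interval-task")
    return reasons


def analyze(lines: List[str]) -> List[Dict[str, object]]:
    """Run the checks over JSON-lines process-creation events."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        event = json.loads(line)
        reasons = analyze_event(event)
        if reasons:
            findings.append({"image": basename(event.get("Image", "")),
                             "parent": basename(event.get("ParentImage", "")),
                             "reasons": reasons})
    return findings


# Constructed Sysmon-style (EventID 1) events, not real telemetry. Account,
# parent and task names are made up; the MSBuild.exe path is the one in the rule.
SAMPLE_LOG = [
    r'{"Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Users\\bob\\Downloads\\IPTVnator-Setup.exe", "CommandLine": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"}',
    r'{"Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\Common7\\IDE\\devenv.exe", "CommandLine": "MSBuild.exe C:\\src\\app.csproj /t:Build"}',
    r'{"Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", "ParentImage": "C:\\Users\\bob\\AppData\\Roaming\\svc.exe", "CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe\""}',
    r'{"Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Users\\bob\\AppData\\Roaming\\svc.exe", "CommandLine": "schtasks.exe /Create /SC MINUTE /MO 5 /TN \"Updater\" /TR \"C:\\Users\\bob\\AppData\\Roaming\\svc.exe\" /ST 10:00"}',
    r'{"Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "schtasks.exe /Query /TN Updater"}',
    r'{"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"}',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The second event shows the false-positive case the allow-list exists for: MSBuild.exe launched by Visual Studio with a project argument produces no finding, while the same binary started bare from a Downloads-folder installer does.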
5. Malware Families Distribution
Malspam typically delivers a variety of malware families. In this case, AgentTesla emerged as the most widely distributed malware family, accounting for 18.31%, followed by QuasarRAT at 15.49% and Remcos at 14.08%. An interesting finding from this activity was the emergence of newer stealers, such as Styx Stealer and Phemedrone Stealer, both of which were discovered in early 2024. If you’re curious about Styx Stealer, I recommend reading Check Point’s threat report: Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove.
Infrastructure
1. Download Site Domain Active Time
I first detected this malware activity in mid-May. Through threat hunting and correlation analysis, I created a timeline of the domains used for downloading injectors and payloads. The timeline, as shown below, provides an overview of the active periods for each domain involved in this activity.
2. Cloudflare and CyberPanel
The majority of these download sites were hosted on Cloudflare, with several of them utilizing CyberPanel for their management.
Other Findings — Suspicious Actors in Multiple Languages
1. Variety of Attack Method
While investigating the download site, I uncovered additional artifacts linked to this activity. One such artifact was a PDF file containing a malicious link that redirected to a download site, retrieving a batch file and PowerShell payload. Other artifacts included JavaScript files, RTF documents, and XLS files.
This discovery indicates that the threat actors were actively exploring various methods to spread malware, utilizing diverse file types to enhance their reach and effectiveness.
2. The Threat Actors Might Be from Multiple Countries
Interestingly, the threat actors might not all come from a single country. For example, I found the following PDB string: C:\Users\frede\OneDrive\Ambiente de Trabalho\Outputs\Empoha.pdb
I used Google Translate to check what “Ambiente de Trabalho” means and what language it would be. The result shows Portuguese. This finding raises the possibility that the operation involves threat actors from Portuguese-speaking regions or those leveraging systems configured in Portuguese.
Other findings, such as debug messages and comments in Turkish, are shown in the figure below. These findings also suggest a potential involvement of Turkish-speaking individuals or systems configured in Turkish within the threat actor’s operation.
Conclusion
In the beginning, I didn’t expect the outcomes of analyzing this malware activity. Threat hunting offers a wide range of methods and approaches, and this journey has shown how effective they can be. By documenting these findings, I hope to contribute valuable insights to the ongoing efforts to combat cybercrime and inspire others to explore innovative ways to uncover hidden threats.
Indicators of Compromise (IOCs)
The full list of IOCs can be found here.