Morphisec identified a new campaign targeting German clients, characterized by the download of an Osiris client with the ability to communicate via Tor with the command-and-control server (C2).
This is a feature already present in the Kronos banking trojan, first detected on the black market around 2014. As in other cases, it is being used to download other malware.
Figure 1 – Download message for victims. Source: Morphisec.com
Similarities Among Samples
Samples of the malware used for the campaign identified by Morphisec are being linked to the Kronos family. At the time of writing this post, there are about 20 samples similar to that of Osiris, the oldest from 2019.
The greatest similarities are in the domains, 14 of which use the domain api.ipify.org to obtain the victim's IP address. In the samples, we can also see similar URLs, some of which contain the words "tor" or "onion", with the string "tor/status-vote/current/consensus" being easily identifiable in a dynamic analysis in the laboratory.
Figure 2 - View of similarities for 20 samples
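The two network indicators described above (a public-IP lookup against api.ipify.org followed by a request for the Tor consensus file) are simple enough to turn into a correlation rule. The following script is an added example and not code from Morphisec or from the original analysis: it runs over a handful of constructed proxy log lines (the client addresses and directory server addresses are placeholders), tags each URL with the indicators it matches, and flags only those clients that show both behaviors, since the IP lookup on its own is common in benign software.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the page): "client_ip method url"
SAMPLE_LOG = """\
10.0.0.5 GET http://api.ipify.org/
10.0.0.5 GET http://198.51.100.7:9030/tor/status-vote/current/consensus
10.0.0.9 GET http://example.org/tutorial/index.html
10.0.0.12 GET https://api.ipify.org/?format=json
10.0.0.20 GET http://203.0.113.4/tor/status-vote/current/consensus
"""

# Host the samples contact to learn the victim's public IP (from the analysis)
IP_LOOKUP_HOSTS = {"api.ipify.org"}
# Tor directory request string seen in the samples (from the analysis)
CONSENSUS_RE = re.compile(r"/tor/status-vote/current/consensus$")
# Looser indicator: "tor" or "onion" as a whole path segment (avoids matching "tutorial")
TOR_KEYWORD_RE = re.compile(r"(^|/)(tor|onion)(/|$)")


def classify_url(url):
    """Return the set of indicator tags that apply to one URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path or "/"
    tags = set()
    if host in IP_LOOKUP_HOSTS:
        tags.add("ip_lookup")
    if CONSENSUS_RE.search(path):
        tags.add("tor_consensus")
    if TOR_KEYWORD_RE.search(path) or host.endswith(".onion"):
        tags.add("tor_keyword")
    return tags


def tag_clients(log_text):
    """Aggregate the indicator tags seen for each client IP across all log lines."""
    per_client = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _method, url = line.split(maxsplit=2)
        per_client.setdefault(client, set()).update(classify_url(url))
    return per_client


def flag_clients(log_text):
    """Clients that both looked up their public IP and fetched a Tor consensus document."""
    return sorted(client for client, tags in tag_clients(log_text).items()
                  if {"ip_lookup", "tor_consensus"} <= tags)


if __name__ == "__main__":
    for client, tags in tag_clients(SAMPLE_LOG).items():
        print(client, sorted(tags))
    print("flagged:", flag_clients(SAMPLE_LOG))
```

Only the client that performs both steps is reported; a client that merely fetches a consensus document is left for a lower-severity rule, because legitimate Tor users on the network would otherwise produce the same alert.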
Observables During Execution
When the malware initiates its communication with the Tor network, a series of connections occur during its execution.
Figure 3 - Successive captures of the properties of the malicious process
Figure 4 - Initial steps in Tor communication - request for consensus file
Regarding the GeX64BIT.exe file, which is associated with the samples that can be linked in VirusTotal, it is only generated on 64-bit systems, and only for a few seconds; during that time it creates a file that is later deleted, along with the executable itself.
Its function could therefore be to enable execution on 64-bit systems. Note that the behavior observed in this binary may differ from the infections reported by Morphisec.
Figure 5 - View of one of the VirusTotal samples and the file generated as part of the GeX64BIT.exe malware execution
Figure 6 – GeX64BIT.exe behavior
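The short-lived helper described above (a 64-bit component that drops a file, deletes it within seconds and is then itself deleted) leaves a recognizable trace in endpoint telemetry even though nothing survives on disk. The script below is an added example, not code from the original analysis: it runs over a constructed list of file and process events (the paths and timestamps are placeholders; only the GeX64BIT.exe file name comes from the analysis), pairs each file creation with its deletion, and reports processes whose dropped files lived only briefly and whose own image was deleted afterwards.

```python
from datetime import datetime

# Constructed sample endpoint telemetry (not from the page); directories and times are placeholders.
# Each tuple: ISO timestamp, event type, acting process image, target file path
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "ProcessCreate", r"C:\Temp\GeX64BIT.exe", ""),
    ("2024-01-01T10:00:01", "FileCreate",    r"C:\Temp\GeX64BIT.exe", r"C:\Temp\stage.tmp"),
    ("2024-01-01T10:00:03", "FileDelete",    r"C:\Temp\GeX64BIT.exe", r"C:\Temp\stage.tmp"),
    ("2024-01-01T10:00:04", "FileDelete",    r"C:\Temp\dropper.exe",  r"C:\Temp\GeX64BIT.exe"),
    ("2024-01-01T10:05:00", "FileCreate",    r"C:\Windows\System32\notepad.exe", r"C:\Users\u\notes.txt"),
]


def parse_ts(text):
    return datetime.fromisoformat(text)


def transient_files(events, max_lifetime_s=10):
    """Map each file deleted within max_lifetime_s of its creation to (creator image, lifetime in seconds)."""
    pending = {}   # lower-cased path -> (creator image, creation time)
    result = {}
    for ts, etype, image, target in events:
        key = target.lower()
        if etype == "FileCreate":
            pending[key] = (image, parse_ts(ts))
        elif etype == "FileDelete" and key in pending:
            creator, created_at = pending.pop(key)
            lifetime = (parse_ts(ts) - created_at).total_seconds()
            if lifetime <= max_lifetime_s:
                result[target] = (creator, lifetime)
    return result


def self_deleted_images(events):
    """Process images that were started and later appear as the target of a FileDelete event."""
    images = {image.lower() for _, etype, image, _ in events if etype == "ProcessCreate"}
    return {target for _, etype, _, target in events
            if etype == "FileDelete" and target.lower() in images}


def suspicious_processes(events, max_lifetime_s=10):
    """Processes that dropped a transient file and whose own executable was then deleted."""
    deleted = {path.lower() for path in self_deleted_images(events)}
    hits = {}
    for path, (creator, lifetime) in transient_files(events, max_lifetime_s).items():
        if creator.lower() in deleted:
            hits.setdefault(creator, []).append((path, lifetime))
    return hits


if __name__ == "__main__":
    for image, artifacts in suspicious_processes(SAMPLE_EVENTS).items():
        print(image, artifacts)
```

The lifetime window is deliberately short; installers and updaters also create and remove temporary files, but they rarely do so within a few seconds and almost never delete their own executable afterwards, so requiring both conditions keeps the rule quiet on normal hosts.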
These are not new techniques, and there are common patterns that can aid in their detection. Again, the initial hook is phishing. It appears that the campaign could extend not only to German clients but also to the United States and Korea. This highlights, once again, the importance of awareness campaigns and cybersecurity training.
As for the process hollowing and doppelgänging techniques, they are a common resource for malware authors to hide the execution of their processes. Protection on this point comes from deploying security solutions on clients that control process execution. It should also be noted that this operation has been linked to other attacks that use PDF files as the hook; in those cases the persistence modes described above could vary, but the observed communication pattern is maintained.