Hackers Mimic Popular VPN Download page to Deliver Malware

As per reports, threat actors have been using domestic VPN installation files for distributing SparkRAT malware which leads to MeshAgent infection on the victim systems. The difference between previous incidents and the current one is that previously Sliver C2 was instead of SparkRAT.

Further investigations revealed that all of the VPN programs were developed by the same developer. Threat actors have spoofed the certificate of the corresponding developer for distributing the malware.

It was concluded that threat actors had attacked the developer of the program for these malware file distributions. These kinds of attacks have been ongoing since the first half of 2023.

SparkRAT – Technical Analysis

SparkRAT is a remote access trojan that is available open-source and written in the Go language. It is capable of controlling the infected system with command execution, information stealing, and control processes.

Normal Installation file during Malicious Installation (Source: ASEC)

The initial stages of attack for this threat vector involve the installation of a malicious VPN file that was developed in .NET, which executes the installation of the VPN and the SparkRAT malware.

Previously, threat actors used droppers for installing malicious codes, which are now replaced by downloader and injector malware. The malicious codes are obfuscated to evade threat detection software.

Abundant Usage of Go Language

In addition to this information, it was also found that the SparkRAT, injector, downloader malware, and the command and control server Sliver C2 were all developed in the Go language. The threat actor selected Go language for creating malware instead of other programming languages.

During the installation, the malware communicates with the C2 server to download the encrypted settings data, which consists of the conditions for downloading the Sliver C2. Once the conditions are met, Sliver C2 is downloaded from the settings server “hxxps://status.devq[.]workers.dev/”.

Encrypted Condition (Source: ASEC)

Other malicious installation files also check for the currently running processes which is compared with the list of processes mentioned in the malware for further exploitation. The threat actor installed SparkRAT, Sliver C2, and MeshAgent in order to keep control of the infected system and perform various actions.

A complete report has been published by AhnLab Security Emergency Response Center (ASEC) which mentions the initial infiltration, exploitation, and command and control of this malware and the threat actor.

Indicators of Compromise and C2 Servers

The servers from which Sliver was downloaded are as follows,

  • Sliver C2 download address : hxxps://config.v6[.]army/sans.woff2
  • Sliver C2 Name : PRETTY_BLADDER
  • C&C address of Sliver C2 : hxxps://panda.sect[.]kr
  • C&C address of MeshAgent : speed.ableoil[.]net:443

File Diagnosis

– Trojan/Win.MeshAgent.C5457071 (2023.07.18.03)

– Trojan/Win.MeshAgent.C5459839 (2023.07.24.03)

– Downloader/Win.Agent.C5459845 (2023.07.24.03)

– Downloader/Win.Agent.C545985 1 (2023.07.24.03)

– Data/BIN.EncPe (2023.07.25.00)

Behavioural Diagnosis

– Persistence/MDP.RunKey.M1038

MD5 Hashes

– e84750393483bbb32a46ca5a6a9d253c : 악성 인스톨러
– eefbc5ec539282ad47af52c81979edb3 : 악성 인스톨러 (31254396_hzczvmfw_….vpn1.1.1.exe)
– 10298c1ddae73915eb904312d2c6007d : 악성 인스톨러 (31254396_LO38iuSd_….Setup1.2.1.exe)
– b4481eef767661e9c9524d94d808dcb6 : 악성 인스톨러 (31254396_a7z34P10_….Install2.1.7.exe)
– 70257b502f6db70e0c75f03e750dca64 : 악성 인스톨러 (167775112_v17MGr85_167775039_EvimzM59_….VPNSetup1.0.4.4.exe)
– 1906bf1a2c96e49bd8eba29cf430435f : 악성 인스톨러 (167774990_A5TinsS6_….VPNInstaller1.0.4_230710.exe)
– 499f0d42d5e7e121d9a751b3aac2e3f8 : 악성 인스톨러 (31254396_ORZNvfG9_….Fax1.0.0.exe)
– b66f351c35212c7a265272d27aa09656 : 악성 VPN 프로그램
– ea20d797c0046441c8f8e76be665e882: 악성 VPN 프로그램
– 73f83322fce3ef38b816bef8fa28d37b : Encrypted Sliver C2 (sans.font2)
– 5eb6821057c28fd53b277bc7c6a17465 : MeshAgent (preMicrosoft.exe)
– 95dac8965620e69e51a1dbdf7ebbf53a : MeshAgent ( Microsoft.exe)
– 23f72ee555afcd235c0c8639f282f3c6 : MeshAgent (registrys.exe)
– 27a24461bd082ec60596abbad23e59f2 : Webcam capture malware (m.exe)

Download address

– hxxps://status.devq[.]workers.dev/ : Configuration data
– hxxps://config.v6[.]army/sans.woff2 : Encrypted Sliver C2

C&C address

– panda.sect[.]kr:443 : Sliver C2
– speed.ableoil[.]net:443 : MeshAgent

Stay up-to-date with the latest Cyber Security News; follow us on GoogleNewsLinkedinTwitterand Facebook.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.