The Nitol botnet was recently observed employing new evasion techniques in distribution attacks that leverage malicious macro-based documents, Netskope security researchers warn.
Historically, malware authors have been using various methods to bypass sandbox analysis, yet those behind the Nitol botnet have found a novel, smart technique for that. They are using both the obfuscation of the macro code and a multi-stage attack methodology to ensure that endpoint machines are compromised.
According to Netskope Threat Research Labs, the malicious macro-enabled documentsobserved in said distribution attacks were password protected, meaning that they would bypass sandbox entirely. Because the process of entering the password is complex and requires user interaction, automated analysis technology can’t easily emulate the event, the security researchers explain.
Additionally, the malicious code was using delayed execution to evade detection, but not the usual sleep or stalling methods seen in other malware. Instead, these macro-based malware documents were using the “ping” utility to delay the execution: the malware would invoke the “ping 184.108.40.206 -n 250” command and would wait for the ping process to complete the execution, which could take up to 5 minutes, enough to bypass sandboxes that are configured with a lower time threshold for executing samples.
While the use of the ping command isn’t new, it mostly served as means to ensure that Internet connectivity was available. However, using the ping command to delay the execution of a malware variant is a novel technique, researchers say.
The macro code used in this attack would download and execute a VBScript (VBS) file, which in turn downloads and executes second stage payload. The VBScript file was obfuscated, but analysis revealed not only that it was responsible for launching the “ping” utility for execution delay, but also that it would connect to the “hxxp://doktrine.fr/mg.txt” domain to download the second stage payload and save it to the disk with a “.qsb” extension.
The payload is XOR encoded, but the VBScript decodes it and writes its content to a file with “.fyn” extension (a Windows executable file - PE), after which it executes it. The code checks if the execution environment is VMware using process enumeration, and also checks for active debugging using GetTickCount.
Next, the code searches for the default browser, after which it creates a browser process in suspended mode, and unmaps and writes the browser process memory with a UPX compressed file. This UPX file, Netskope security researchers have discovered, is the Nitol botnet binary.
Nitol is an old botnet that had its command and control (C&C) servers sinkholed before, but which was seen active earlier this year, when it fueled a record-breaking 8.7 gigabits per second (Gbps) layer 7 distributed denial of service (DDoS) attack.
According to Netskope, the Nitol binary observed in the recent attack attempted to connect to d.googlex.me, a domain currently inactive. However, the same C&C server was observed earlier this year being used by the Hydracrypt ransomware. What remains to be seen, researchers say, is whether the Nitol binaries are used as a placeholder for future threats or cybercriminals are only testing a new attack methodology.