





















The following sections cover Attack Chain 1 and Attack Chain 2, which ThreatLabz observed in-the-wild during this campaign. Attack Chain 1 uses a split architecture with two components, a worker module (TWINTASK) and a C2 orchestrator (TWINTALK), that coordinate through a file-based polling mechanism. Attack Chain 2 consolidates the same functionality into a single binary (GHOSTFORM).
Attack Chain 1 is delivered in a password-protected RAR archive named mofa-Network-code.rar. The password for this archive is: 92,110-135_118-128. A 32-bit .NET binary, disguised as a WinRAR application, is present inside this archive and starts the attack chain on the endpoint. This binary functions as a dropper and ThreatLabz named it SPLITDROP because it drops two modules that we named TWINTASK and TWINTALK.
Upon being launched, SPLITDROP displays a dialog box prompting the victim to enter a password to extract an archive file. SPLITDROP checks for the presence of C:\ProgramData\PolGuid.zip; if the file already exists, SPLITDROP does not continue execution. If the file does not exist and the correct password is entered in the password form, SPLITDROP proceeds to decrypt an embedded resource named CheckFopil.PolGuid.zip. Before decrypting the resource, SPLITDROP displays a message box stating, “The download did not complete successfully,” to distract the victim while it operates in the background.
Because the embedded resource is encrypted using AES-256 in CBC mode with PKCS7 padding, SPLITDROP derives the salt, initialization vector (IV), and ciphertext as follows:
A key derivation function (KDF) is then used to derive the encryption key from the password entered by the victim in the password form. The KDF uses PBKDF2 with HMAC-SHA1 as the pseudorandom function, 10,000 iterations, and a 256-bit key size. The decrypted resource is written to the archive file at C:\programData\PolGuid.zip, and the contents of the ZIP archive are extracted to C:\programData\PolGuid\.
The figure below shows the directory structure after extraction.
.png)
Figure 1: Contents of C:\programData\PolGuid\ after extraction.
Finally, a legitimate VLC.exe (the popular open source media player) binary is executed from C:\programData\PolGuid\VLC\VLC.exe to continue to the next stage of the attack chain.
Upon being launched, VLC.exe sideloads the malicious DLL libvlc.dll which was extracted alongside VLC.exe in the same directory by SPLITDROP. ThreatLabz named this malicious component TWINTASK.
TWINTASK functions as a worker module, and its main purpose is to poll a file for new commands available for execution and run them using PowerShell. TWINTASK enters an infinite loop and performs the following actions every 15 seconds:
C:\ProgramData\PolGuid\in.txt to determine whether the file is empty.TWINTASK captures the script output and any errors in C:\ProgramData\PolGuid\out.txt.
When TWINTASK is launched, in.txt comes prepopulated with commands that are used to establish persistence on the machine and initiate the next stage of the attack chain. Below are the initial decoded contents of in.txt.
"C:\ProgramData\PolGuid\WingetUI\WingetUI.exe";New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'VLC' -Value 'C:\ProgramData\PolGuid\VLC\vlc.exe' -PropertyType String;New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'WingetUI' -Value 'C:\ProgramData\PolGuid\WingetUI\WingetUI.exe' -PropertyType String;Below are the key functions of the PowerShell script that TWINTASK runs on first launch:
WingetUI.exe from C:\ProgramData\PolGuid\WingetUI\WingetUI.exe.HKCU:\Software\Microsoft\Windows\CurrentVersion\Run for persistence and sets the value to C:\ProgramData\PolGuid\VLC\vlc.exe to ensure vlc.exe is launched upon system restart and thereby sideloads the malicious DLL, libvlc.dll, to start TWINTASK.WingetUI under the key HKCU:\Software\Microsoft\Windows\CurrentVersion\Run and sets the value to C:\ProgramData\PolGuid\WingetUI\WingetUI.exe to ensure that the binary WingetUI.exe is launched upon system restart.Once WingetUI.exe (a legitimate graphical interface application for package managers) is launched by the worker module, it sideloads the malicious DLL hostfxr.dll that is present alongside WingetUI.exe in the same directory. ThreatLabz named this malicious component TWINTALK.
TWINTALK is a 32-bit .NET DLL and functions as a C2 orchestrator whose main purpose is to poll the C2 server for new commands, coordinate with the worker module, and exfiltrate the results of command execution to the C2 server. The C2 orchestrator works in parallel with the previously described worker module to implement a file-based polling mechanism used for code execution.
Upon execution, TWINTALK enters a beaconing loop and delays execution by a random interval before polling the C2 server for new commands. It uses a preconfigured base delay of 120 seconds with jitter that randomizes the delay by generating a random number between -10% and +50% of the base delay (108 seconds to 180 seconds). To implement the delay, TWINTALK creates a nonsignaled unnamed event object using CreateEvent and calls WaitForSingleObject with the randomized delay value calculated above. If the event object cannot be created, TWINTALK falls back to Thread.Sleep() to create the delay. TWINTALK then sends a GET request to the C2 server with the parameters listed in the table below.
Parameter | Description |
|---|---|
URI path | For each request, TWINTALK constructs a unique URI path at runtime to evade pattern-based detections. It generates a random 10-character hex string ([0-9a-f]), computes a 6-character checksum (of the 10-character hex string) using a custom algorithm seeded with 0xABCDEF, and concatenates them. The checksum allows the C2 to verify the request is from a valid bot rather than a URL analysis engine. |
User-Agent | TWINTALK uses a hardcoded User-Agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0 to mimic legitimate browser traffic. |
Authentication token | TWINTALK generates a JSON Web Token (JWT) at runtime and sends it in the Authorization: Bearer header; the JWT iat (issued at) field stores the bot ID and bot version, as shown in the code example below. |
Table 1: Description of HTTP request headers and URI format used by TWINTALK.
{"iat": ,"version": }TWINTALK generates a bot ID by checking for the presence of programTemp.log in its execution directory. If the file exists, TWINTALK reads its contents and uses that value to populate the JWT iat field. If the file does not exist, TWINTALK generates a unique random 10-digit ID at runtime, writes it to programTemp.log, and sends it in the JWT iat field. Note that in the TWINTALK samples analyzed by ThreatLabz, the bot version has been set to 0.0.0.0.
Notably, the iat field in a standard JWT represents a Unix epoch timestamp. By storing a 10-digit, randomly generated bot ID in the iat field, the malware can make the request appear more legitimate. The JWT is signed using the HS256 algorithm with a very weak secret (an "_" character).
TWINTALK deserializes a cleartext JSON object returned by the server to extract C2 commands. Notably, it parses fields by position rather than by JSON key name. During analysis, the server was observed randomizing JSON key names on each response, an evasion method intended to evade pattern-matching–based detection used by network security products. The table below summarizes how TWINTALK maps positional fields.
Position | Name | Description |
|---|---|---|
0 | Transaction ID | An ID generated server-side used to synchronize the request and response. |
1 | Command type | The type of C2 command. |
2 | Command body | The command body, based on the type of C2 command. |
3 | Sleep timer | The duration for which the bot should sleep. |
Table 2: Mapping between JSON key positions and their functionality for TWINTALK.
TWINTALK supports the following command types.
File download (type 1): TWINTALK decodes the command body to obtain the destination file path. It then uses the transaction ID to build the download URL:
{c2_server}/{10-hex-chars+checksum}/{transaction_id}TWINTALK downloads the file from this URL, decodes it, and writes it to the specified path.
Attack Chain 2 consolidates all the functionality of Attack Chain 1 into a single binary. It uses in-memory PowerShell script execution to execute the commands received from the C2 server, reducing the filesystem footprint. Unlike Attack Chain 1, a split architecture with DLL sideloading is not used. ThreatLabz named the second attack chain GHOSTFORM based on its usage of an invisible Windows form for delayed execution and its use of Google Forms as a social engineering lure.
Below are the key differences between Attack Chain 1 and Attack Chain 2.

Figure 2: Google Form displayed by GHOSTFORM to the victim as a social engineering lure.
ShowInTaskBar property to false so the form does not appear in the Windows task bar.NOTE: The nature of the bot version numbers seems to indicate that they were generated randomly and a meaningful versioning scheme was not used.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。