New hacker group Quartz Wolf leverages legitimate software to attack the hospitality industry
- Phishing emails remain a weapon of choice for getting initial access in targeted attacks
- Windows hides file extensions by default, which lets attackers camouflage executables as regular files
- The threat actors use rare yet legitimate remote access software to bypass traditional defenses
The perpetrators sent out phishing emails in the guise of OOO Federal Hotel Service. The emails contained a link to an archive with a malicious file (Fig. 1).
The archived file was an Inno Setup installer containing the following files:
- Assistant software components
- quartz.dll
- roh2w3.bmp
- whu3.cfg
- zs3eu.bat
The zs3eu.bat script:
- creates the folder C:\Users\[user]\AppData\Roaming\tip
- copies all the files from the temporary folder into it by means of xcopy
- uses del /f /q to delete the running script
- launches the Assistant app (ast.exe)
- uses rd /s /q to purge the temporary folder
The Assistant application loads the malicious file quartz.dll, which contains the next stage. The latter is encrypted with RC4, where the key is the MD5 checksum of the CRC32 checksum of the C2 server address. This address is stored in the file whu3.cfg, also encrypted with RC4; its key is the MD5 checksum of the CRC32 checksum of the file roh2w3.bmp.
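The two-step key derivation described above (roh2w3.bmp unlocks whu3.cfg, the recovered C2 address unlocks the payload inside quartz.dll) is the kind of routine an analyst writes to pull the configuration out of a sample statically. The following is an added illustration, not code from the original write-up or from BI.ZONE: it implements standard RC4 and the MD5-of-CRC32 key schedule, and runs it over constructed stand-in blobs. One detail the write-up does not state is how the 32-bit CRC value is fed to MD5; the code assumes four little-endian bytes and marks that as an assumption, so the constant would need checking against the real sample before use.

```python
import hashlib
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(source: bytes) -> bytes:
    """Key = MD5(CRC32(source)), as described for both whu3.cfg and the quartz.dll payload.

    ASSUMPTION: the CRC32 value is hashed as its 4 little-endian bytes; the write-up
    does not state the encoding, so verify this against a real sample.
    """
    crc = zlib.crc32(source) & 0xFFFFFFFF
    return hashlib.md5(crc.to_bytes(4, "little")).digest()


def decrypt_config(cfg_blob: bytes, bmp_bytes: bytes) -> bytes:
    """whu3.cfg is RC4-encrypted under a key derived from roh2w3.bmp."""
    return rc4(derive_key(bmp_bytes), cfg_blob)


def decrypt_stage(stage_blob: bytes, c2_address: bytes) -> bytes:
    """The payload in quartz.dll is RC4-encrypted under a key derived from the C2 address."""
    return rc4(derive_key(c2_address), stage_blob)


def demo() -> tuple:
    """Round trip over constructed stand-ins (not artifacts from the incident)."""
    bmp = b"BM" + bytes(range(64))                       # constructed fake roh2w3.bmp
    c2 = b"http://c2.example.invalid/update.php"         # constructed placeholder C2 address
    cfg_blob = rc4(derive_key(bmp), c2)                  # what whu3.cfg would look like on disk
    stage_blob = rc4(derive_key(c2), b"MZ\x90\x00stage-2-stub")
    # Analyst flow: recover the C2 from the config, then use it to unlock the next stage
    recovered_c2 = decrypt_config(cfg_blob, bmp)
    stage = decrypt_stage(stage_blob, recovered_c2)
    return recovered_c2, stage


if __name__ == "__main__":
    c2, stage = demo()
    print("C2:", c2.decode())
    print("stage header:", stage[:4])
```

Because the C2 address is itself the key material for the next stage, a wrong guess about the CRC encoding shows up immediately as garbage at the second step; that makes the decoded config a cheap sanity check on the whole chain.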
The second stage replaces the import of GetCommandLine with its own initialization function to perform the following actions:
- record the MD5 checksum of the password known to the cybercriminals to the Security.FixPass value under HKEY_CURRENT_USER\Software\safib\ast\SS
- assign the Hidden and System attributes to all files in the current directory
- enable Assistant to start automatically by creating the parameter tip in Software\Microsoft\Windows\CurrentVersion\RunOnce
- create a unique user identifier by calculating an MD5 checksum from the total of the CRC32 checksums of the OS version, the user name, and the computer name
- obtain an Assistant user identifier from the your_id value under HKEY_CURRENT_USER\Software\safib\ast\SS
- repeatedly send GET requests containing the Assistant user identifier and the unique user identifier to the C2 server
- pass ast.exe the parameters -AHIDE and -ASTART for a hidden launch
The Assistant software enables attackers to hijack control over the compromised system, block input devices, copy files, modify the registry, use the Windows command line, etc.
Quartz Wolf continues the trend of using legitimate software as a tool for remote access to compromised systems. As this approach consistently demonstrates its effectiveness, organizations should be very careful when working with remote access solutions and watch closely over their processes.
- Pay attention to Assistant software files stored outside their standard directories
- Trace network communications with id.ассистент[.]рф on hosts where Assistant should not be installed
- Monitor mass copying of files into subfolders of C:\Users\[user]\AppData\Roaming via xcopy
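The three host-side recommendations above, plus the RunOnce persistence and the -AHIDE/-ASTART hidden launch from the second-stage description, map onto simple process-creation and registry-event rules. The following is an added example, not detection content from the original write-up or from BI.ZONE: it evaluates constructed Sysmon-style records (EventID 1 for process creation, EventID 13 for registry value writes), and the list of "standard" Assistant install directories is an assumption to be replaced with your own baseline.

```python
import re

# Constructed telemetry for the demo (not real events from the incident). Each line is a
# simplified "key=value; key=value" record; field names follow Sysmon Event ID 1
# (process creation) and Event ID 13 (registry value set).
SAMPLE_EVENTS = [
    r"EventID=1; Image=C:\Windows\System32\xcopy.exe; CommandLine=xcopy /e /y C:\Users\alice\AppData\Local\Temp\is-1A2B3.tmp C:\Users\alice\AppData\Roaming\tip",
    r"EventID=1; Image=C:\Users\alice\AppData\Roaming\tip\ast.exe; CommandLine=ast.exe -AHIDE -ASTART",
    r"EventID=13; Image=C:\Users\alice\AppData\Roaming\tip\ast.exe; TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\tip",
    r"EventID=1; Image=C:\Program Files\Assistant\ast.exe; CommandLine=ast.exe",
    r"EventID=1; Image=C:\Windows\System32\xcopy.exe; CommandLine=xcopy D:\share\report.docx C:\Users\alice\Documents",
]

# ASSUMPTION: where a legitimate Assistant install lives in your environment; adjust to your baseline.
STANDARD_ASSISTANT_DIRS = [r"C:\Program Files\Assistant", r"C:\Program Files (x86)\Assistant"]

ROAMING_RE = re.compile(r"\\appdata\\roaming\\", re.IGNORECASE)
RUNONCE_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\runonce\\tip$", re.IGNORECASE)
HIDDEN_FLAGS = {"-AHIDE", "-ASTART"}


def parse_event(line: str) -> dict:
    """Split 'k=v; k=v' into a dict; values may contain spaces and backslashes."""
    fields = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the names of the detections that fire for one event (empty list if none)."""
    hits = []
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    if event.get("EventID") == "1" and basename(image) == "xcopy.exe":
        # Destination is the last non-switch argument; flag copies into AppData\Roaming subfolders
        args = [t for t in cmdline.split()[1:] if not t.startswith("/")]
        if args and ROAMING_RE.search(args[-1]):
            hits.append("xcopy_into_appdata_roaming")
    if event.get("EventID") == "1" and basename(image) == "ast.exe":
        if not any(image.lower().startswith(d.lower() + "\\") for d in STANDARD_ASSISTANT_DIRS):
            hits.append("assistant_outside_standard_dir")
        if HIDDEN_FLAGS & {t.upper() for t in cmdline.split()}:
            hits.append("assistant_hidden_launch_flags")
    if event.get("EventID") == "13" and RUNONCE_RE.search(event.get("TargetObject", "")):
        hits.append("runonce_tip_value_written")
    return hits


def scan(lines: list) -> list:
    """Evaluate every line; result[i] is the list of detections for lines[i]."""
    return [evaluate(parse_event(line)) for line in lines]


if __name__ == "__main__":
    for line, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(hits or ["-"], line[:80])
```

The xcopy rule on its own will fire on some legitimate installers, so in practice it is worth correlating it with the ast.exe rules on the same host within a short window; the combination (bulk copy into Roaming, then ast.exe launched from that folder with hidden-launch flags, then a RunOnce value named tip) is far more specific than any single signal. The network recommendation (traffic to id.ассистент[.]рф from hosts that should not run Assistant) is a proxy or DNS-log check rather than a host rule and is not covered here.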
Tactic | Technique | Procedure |
---|---|---|
Initial Access | Phishing: spearphishing link | Quartz Wolf uses phishing links to get initial access |
Execution | User execution: malicious file | The victim needs to open the malicious file to commence the compromise process |
Execution | Command and scripting interpreter: Windows command shell | Quartz Wolf uses the Windows command line to run scripts |
Persistence | Boot or logon autostart execution: registry run keys / startup folder | Quartz Wolf uses |
Defense Evasion | Hide artifacts: hidden files and directories | Quartz Wolf assigns Hidden and System attributes to files |
Defense Evasion | Hijack execution flow: DLL search order hijacking | Quartz Wolf uses DLL search order hijacking to launch a malicious library |
Defense Evasion | Indicator removal: file deletion | Quartz Wolf deletes files and folders during installation |
Defense Evasion | Modify registry | Quartz Wolf records the password to Assistant in the registry |
Defense Evasion | Obfuscated files or information | Quartz Wolf uses RC4 to obfuscate files |
Command and Control | Application layer protocol: web protocols | Quartz Wolf uses HTTP to communicate with the C2 server |
Command and Control | Remote access software | Quartz Wolf uses Assistant to interact with the compromised system |
hXXp://firstradecare[.]website/7oxr/update.php
a7a1618ba69033848f690bcb7b022cd3d3a9f2850d896a611b1cb76cf6faba5d
adc3f6169d0b16746d5c9542c4cd2be8f12bf367a4bca5373f1e425eed794dad
Phishing emails remain a weapon of choice for getting initial access in targeted attacks. To protect against them, we recommend using dedicated solutions that block spam and malicious emails. One such solution is BI.ZONE CESP. To recognize and tame new threats in a timely fashion, companies can consider continuous monitoring solutions, such as BI.ZONE TDR.