CrowDoor

"However, in some instances, WMIC may be used in its place to achieve similar results."

"A set of batch files will then be copied and executed to perform the extraction, installation, and execution of the malware."

Additionally, the same approach was used for both: leveraging a legitimate executable file vulnerable to DLL search-order hijacking, which would load a malicious DLL dropped into the same path as the legitimate executable.

The Crowdoor payload from this chain stays active by creating a Windows service named WinStore, which is used as the service name, display name and description.

If creation of the service fails, the payload uses the registry auto-start extensibility point (ASEP) at HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value WinStore to persist.

When executed, it injects itself into the colorcpl.exe process with the command-line argument “2”... The main loading functionality was designed to execute a legitimate msiexec.exe process, then inject the next stage by writing into its remote address space and creating a remote thread to execute it.

The Crowdoor payload from this chain stays active by creating a Windows service named WinStore, which is used as the service name, display name and description.

If creation of the service fails, the payload uses the registry auto-start extensibility point (ASEP) at HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value WinStore to persist.

When executed, it injects itself into the colorcpl.exe process with the command-line argument “2”... The main loading functionality was designed to execute a legitimate msiexec.exe process, then inject the next stage by writing into its remote address space and creating a remote thread to execute it.

This function implements the main functionality for this loader, decrypting the shellcode for the next stage from a memory buffer inside the datastate.dll file using a variant of the RC4 stream cipher.

In this incident, our telemetry points to the malware export being called using the rundll32 command from the a.bat file.

Additionally, the same approach was used for both: leveraging a legitimate executable file vulnerable to DLL search-order hijacking, which would load a malicious DLL dropped into the same path as the legitimate executable.

"In later stages of the attack, the backdoors may be used directly to perform lateral movement."

"Collect ComputerName,Username, OS version and hostnet or IP information"

"Search File"

"Earth Estries uses PSExec to laterally install its backdoors and tools... by copying the CAB files... and a batch file to perform the installation"

"archived using the tar command"; "Earth Estries utilizes RAR for collecting information of interest"

When executed, it injects itself into the colorcpl.exe process with the command-line argument “2” and tries to contact a C2 server that is hardcoded in the payload using its configuration (blog.techmersion[.]com on port 443).

The attackers then started dropping various samples on this server, notably a dropper that was pushing more compiled variants carrying the same functionality... The attackers tried to drop additional post-exploitation tools to achieve their main objectives.