In April 2020, a new player came on the cybercrime scene: the group called Vendetta. It has been observed that they are a prolific group focused on email campaigns mainly based on the Covid-19.
Their targets are distributed all over the world and their attacks have been detected in countries such as Australia, Mexico, Egypt, Romania, Austria or China. Vendetta chooses targets from the technological, business and government sectors that handle sensitive information. They have showed remarkable skills during this phase, since they select and analyse their targets.
Their standard attack procedure consists of sending malicious email attachments containing a malware that allows full control and theft of information from the victim’s system. The highly-accurate design of phishing emails, including details as well and a well-studied and targeted message, takes into account the global context on which the deception is based.
The malware used is not entirely self-developed, but it contains commercial software as well. It is versatile and with a low detection rate thanks to the use of packers and final payloads in memory. Malware weapon installs access point (usually .NET samples) using unknown and known packers in multiple layers that injects different modular RATS in memory. Finally, malware enables the intruder to gain total control and persistent access to target network via C2C. This group also performs additional delivery using hacked websites and proprietary infrastructure.
Vendetta Covid-19 Campaign
We have analysed the campaign of attacks carried out by this group during the period 03-05-2020 to 09-05-2020 and within the Covid-19 context. Below, we describe the analysis of a phishing email attack impersonating the director of the Taiwanese CDC. As a result of the analysis, we discovered more than 134 malware samples, multiple URLs and domains with strong links related to the Vendetta group.
Initial Discovery: Taiwan CDC Director Impersonation Attack
The email was first analysed 2020-05-03T22:43:15 from Taiwan. Antivirus detections over the email were very low. As we can read in the mail, the letter appears to be signed by Chou Jih-haw, General Director of the Taiwan Centers for Disease Control and Prevention. Within the text we observe that it is an attack aiming citizens of Taiwan, given the language used and the content. They are urged to carry out a Covid-19 tests at a Taiwan Centers for Disease. Given the behaviour of this group when selecting their victims, it may be thought that it was targeted against the Taiwanese CDC itself.
Translated the email, we can read:
It must be noted the quality and attention to detail of the email, a characteristic feature of the Vendetta group that it is quite unusual in regular phishing campaigns, usually with typographical errors, grammar mistakes, etc. This proves how specifically the attack was targeting Taiwan CDC and the effort the Vendetta group made to perform its attacks.
Within the attachments, we get a cdc.pdf.iso file containing the malware that the attackers used to infect the victims.
| TYPE | INDICATOR | NAME | DESCRIPTION |
| SHA256 | 0aa87ed22e193e1c6aa9944cf1b9e88ec4ae6a5b3f975e3fb72c0f5b06b864f2 | 1349628.eml | Email with malware attachment |
| SHA256 | 51B0165FBA9CF8E0B7BFEBDC33E083ECC44D37CDBB15B5159B88B71E52B0255B | cdc.pdf.iso | Zipped file containing malware |
Malicious Content Analysis
Once the malicious file cdc.pdf.iso has been decompressed, we obtain the file cdc.exe, a file developed in .NET and packed using an unknown packer. This threat is called RoboSki.
As we can see in the following screenshot, the malware uses a section of the binary to hide other components used by this threat. This is a method commonly used by Vendetta for creating its threats.
Once the sample is executed, the malware creates in memory a .DLL file containing a .png image, which in turn contains the shellcode encrypted in the pixels of the image.
When the shellcode has been executed, the malware will drop in memory the next payload. We can see ReZer0 Malware, packed using Eazfuscator.
After a series of memory dumps of different obfuscated payloads and after being unpacked and analysed, we concluded that the final payload contains the malware Nanocore RAT, as you can read on the project name.
| TYPE | INDICATOR | NAME | DESCRIPTION |
| SHA256 | 0aa87ed22e193e1c6aa9944cf1b9e88ec4ae6a5b3f975e3fb72c0f5b06b864f2 | 1349628.eml | Email with malware attachment |
| SHA256 | 51B0165FBA9CF8E0B7BFEBDC33E083ECC44D37CDBB15B5159B88B71E52B0255B | cdc.pdf.iso | Zipped file containing malware |
| SHA256 | d5d3cf535b3313077956d5708225cf8029b039ed0652ee670ce25ea80d2b00c0 | Cdc.exe | .NET packed PE file containing malware RoboSky attributed to Vendetta Group |
| SHA256 | 19B5353BF8A69A64536C865A4890B69EE1DCD59445968E1CFD94C62E1A97B11E | Cdc.exe_unpacked.exe | Unpacked .NET packed PE file containing Nanocore malware |
| IP | 172.111.188.199 | C2C |
Links with Vendetta group
The malicious attachment has been attributed to the Vendetta group due to the following factors:
- The tree attack observed to Vendetta group always includes the same pattern:
- High quality crafting phishing email
- .NET Malware RoboSki as first stage of malware
- Memory observation of Rezer0 Malware
- Rezer0 drops in memory the next stage of the attack, in this case Nanocore RAT
- C2C IP: 172.111.188.199 used previously by this group.
- Pdb path that contains a username named Vendetta:
- Common resources in the samples used by this group. The project CxFlatUI (this project can be found on GitHub and belongs to “HuJinguang” user) is used by Vendetta group as code base to create their threats.
- As a result of the use of CxFlatUI project as code base, EXIF metadata with CompanyName and FileDescription values match with other samples belonging to this group:
- Analysis genetic malware database Intezer: It has been possible to identify genes and strings belonging to Vendetta group in the sample analysed.
Performing the pivoting phase through the CompanyName, ProductDescription, extracted payload from memory, etc. it has been possible to detect 134 samples that could be directly related to Vendetta. The group used them initially (they have been seen for the first time) during the time range from the 3rd to the 9th May 2020.
The tools used by the Vendetta group are tools such as Nanocore RAT, AgentTesla, Remcos and Formbook, ReZer0 but we can also find Azolurt, Warzone RAT (Ave Maria) or Hawkeye and also to some extent generic malware samples. They use different manual packers and known ones such as ConfuserEx, Eazfuscator, IntelliLock or iLProtector.
The following picture shows the cluster graph resulting from the genetic analysis of the 134 samples related to Vendetta. We can see how this group uses of the different types of RATS that we have identified as belonging to the Vendetta arsenal.
We found a sample that does not meet the usual pattern, since this time it is not an executable compiled using PE32 executable for MS Windows .Net. Instead we found a MZ for MS-DOS. The language detected in the resources of this binary includes UK English and US English, when generally that value is neutral in the samples analysed in .NET.
As far as the certificate is concerned, there is a chain of certificates, but it ends in an unreliable root certificate.
| TYPE | INDICATOR | NAME | DESCRIPTION |
| SHA256 | 080ff06496d8b6b5e6307059e378ed7052e381a6f130d89385c778edf32ae996 | Vdnoenr.exe | Predator the Thief |
| SHA256 | 9fbb3df3c9b58626be3f9e66e8b4abd811a8069839374ade15cc405eb3b4d816 | sr3S0CjtBE.exe | Vdnoenr.exe unpacked |
| MUTEX | cjF0OHM0 | Mutex Created | |
| MUTEX | IESQMMUTEX_0_208 | Mutex Created | |
| DOMAINS | bbc-news-uk1.space | DNS Resolution |
We also found text strings related to AutoIt, a widely used trend to build the initial dropper for its anti-virus evasion features.
“AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.”
“AutoIt has detected the stack has become corrupt.”
Once it has been analysed, we observe it has been packaged using mpress_packer 2.19 containing a large amount of the Predator the Thief malware code, a very versatile commercial infostealer both for its wide number of features and for its modular design.
After the analysis of the communications made by the 134 related binaries, several indicators of compromise belonging to the Vendetta’s malicious infrastructure have been obtained. The complete list of associated indicators can be found in Annex 1.
Conclusions
After the analysis, we can conclude that the Vendetta group stands out, not so much for the use of very new pieces of malware, since they generally work with commercial products from the malware market, but rather they place special emphasis on the recognition and preparation phases. They select targets for specific campaigns, not addressing mass distribution and allowing the context used, in this case the one caused by the Covid-19, to play in their favour.
They prepare emails with great attention to the details and care, both visually and in terms of the content, using different languages and with a tone of urgency and authority that undoubtedly increases the chances of success in this type of attack.
Annex 1: IOC related to Vendetta group
| bcaf5698e3d5291c284e0ea40deec27e69c4942049f1c90a4e334e066485dfa9 |
| b2bccd13743ac9153a8b731af82d6b19fa7395dd16596a3b5f783f1092419c3a |
| 92632fa88b730e2593837c7d51884384dcf8c887fd4b8d3cc6741d12ae9cd347 |
| c068b1a7379f95ee883cd4ed9639bb2b28c380934f3bc0e0c7be97ad808c7b8a |
| 147e92a20eaa350aef112cd3110af132aa9667af4e8eb90d345d4b7da8cea95c |
| b26960e8083466e40ebbfcc6dfe93c4080a516d6260e1a2900ce7649fc44442e |
| c315112980543e9046f7b3167586d3a5ba25734aac85679542adaca7867f3ef7 |
| 713c780c42db40b3456b797e578c889f19a915441a428277aaa8235dfecd0142 |
| 20eb672944019e3a3520f9c3bac67acbfff3700fa27aec05bfe96129a77b6437 |
| bbf20efcdbae1950b49b4f121f17baee19a5d638983e96a954bd6e602fb35b16 |
| 0f525a06128b217d0081ee6d81a2d2fe04e9ecd20cf0e0fa7c99aaa9ed83154d |
| f4f76522a5a1a8f056d53bfea97293f503b6bc703cf37ff60dd8b47f47ecaaaa |
| dcaf6aed333996a431610306d24a90e7bb27035cdeb93901c1e1b00626877e78 |
| 736d65eea1acec603391ea9dc50b880c83a1ef4de69cdc6649e79dab9eeea392 |
| 12025c0f03e21ce62c476f6d5a95d3de80ef8ad59fc3a552550d0c9e927458e4 |
| 42e7b0bc64037556ec415d6f869b09205a85d746550ad196c07d4be7ae739155 |
| 2fdeeae131f4bc6dd0fb7e2ebdcc379fadf314203f0de0e2b1e4a90aabf20b1f |
| 1eda6158b488a4f6635255b406b59933d4dc6877e1cac1bb85e1d9bfd9cd7f62 |
| e4bb158234319609a3d891e08f7ae6d6deee7fac7138639a8954dae5f281eea8 |
| 90a9045fefcc8463e698c79a594247fa002b0badf6846b200eef6a8bf47ca53d |
| 170914b423f415bdf562a5ee3eff48808d4b0731013bcdf870bfdf2bcded8caa |
| 8e9d9d8dfe961ede4406310aefed0eab63e52f29ad2c557eed012e298e644a43 |
| e67f30ee8be83b021b5ba3ebe65e610fc1a50ce3f3cb1c081f62ada165d84186 |
| 7f84806700f99b46ccda77e5a87922e88cb5bf5694624455cc040324524a6f86 |
| 6e53e6f7bd88850c3771be189fb16601e0f2bcbf6f80a7baa7990bbc77e28491 |
| d65c09f664bfd72f66e988c6a83bb29f94ab3c22968f76977f3d30500848f621 |
| 3e7e66fbf0442436122d17de23a4ff3b217edd9111c97eec4e05e22b2fe72046 |
| 123d231401b30d6f5ea191832456133eba46c1d77ac5717ee4a3abe050f1664b |
| cd41beb4d2b564bf1a91656755247e37487c7dd24d22cae84c9de2428535c7c0 |
| 9a09ddc92cdd2f9ef6f019b075c62ea781778ac50850b5c79dc9f5a000a2da8b |
| 148cadfe967abcc303b8deecbbb030efd3ee9b49424246b8975f8f7e54ae2c36 |
| f37fbb193f6ba57d318e7f5333fa7870282de9b3322e024c65d89977d2ec594c |
| 0360c343788f8fe1ec3e57514ee4ced37503c9271741ce3688afe5086135f8f0 |
| 7e9657bb8f4920565b2cbdc1add6d78026fc4e8047632ba077463e5991e105ee |
| 60ad4364f4a6c17082d929b810116a71e6730ed7ad0ca750624976b043f04499 |
| 4203720a4d4d988958a592e89d937e987e95fe7d8b7417a70d88ff62c5dbd77b |
| e64c94e34a8b4174fe920c0968019f46574d172bc270a424d66a80295694a7d7 |
| 060a16518824101a132d9816abde0b03fec08b29beb9415c217ec0e1f2cf7793 |
| 20edc5b15578c2714fd64a6577a5bd1fbbb13434dc2e900e3b7c568537206050 |
| 0eb506623215bfd28e3f1b9f7f34b0fc254b0a2fe8a91f5cd0a62f26bd739169 |
| 1a1025e072db46f1c469e3d9758147a97a57bc33da3ab2c0e2d93c52759176bf |
| 73521003fe09aecd04a3b01d252a3c49037c35c188c8a19624fe6367a6f2cc00 |
| 539900a999853a6783c7e700987248efd3307604d5ca3cc4bdc3e69cf3489e06 |
| 8fae14da82a6d0df4b14d205e91bb068cb57c79c8267b8a50fc12a07da395b50 |
| 0b44ede8d91f14918ec469990ff81f496d85fed73b744f317928f1bfb92463d1 |
| 766f2988c9aae96c380e1628fefdd981c84ce9cf7fbbdd8dc03c365377443c2c |
| 286add28a79440668077a7d762ee81ee169f1c08daa27bc680dbf8c8832d2785 |
| d5f347be26d404ab0fb1ea2eb8b2d4d3fd308306952129c871e03bd916818c8d |
| e30672336261f66449f9e3e1f7e4fd6ba381e6046cdb5c9ba0088c576aca5176 |
| 1d748a0cc73a641e1d10a372a2f47901527f759cbe540109068323315a2f63c0 |
| d5d3cf535b3313077956d5708225cf8029b039ed0652ee670ce25ea80d2b00c0 |
| 219760dead477932b0a969b38ecc8d7ee41b2da4de72f32700f905cd705c340f |
| f4ad5a582c73b80900d35c87421f1d6076cd4fe994b65417223aedaab76b806e |
| 2f9b92ba539de2cd1fdd35725fb144f72e4809d9c43dd79a6e2fb403ea07001c |
| 774cabba771d38532276d09fea65d562a9eac297737d74e937695877d21f1958 |
| 5a67dee45b2e60de47e22739c8be8614f31cdb4acbaf554f37d06ea41ddd8762 |
| 97b8bdb2c3d831301d68b883fea274703bd497462caa192f6a09130a0f42d10c |
| 201aab86deb0b609b895f6934d5a87b56384cdf01dbfce5e5bb2e970f91bb919 |
| 4e59193170ad7a1da7d91bea0028bb8107a3a305cd91a353822e23924ceda25b |
| 2a07d219f5444c0bdf0942f2157f623efc400dcba8594d3eafa2f5dc0fd5836b |
| 5521ef291f90c10acfd6e796a6ad2cb099a14da80bd09c6e8ffe0710c8eb547c |
| f57374520bfbf5f5afbbfe8c8cf762f95e05cf050fe959d731d49b77f4776cba |
| e2d6119bb484c9e5f5a7107b4687553416208badbb881df4328bec5146d08509 |
| 0598b4ce2460676755245bad49490a9c94ae85a074c2242adfa65c52b0ad3796 |
| 3eeedb9932e7f8b09dfb11dd48a50cb473ec777e1c7d0cf1ce6c21623e86549a |
| d6a03be138abc31b13e2c70092dfd8ee73e59a52c5881fe2ac477f9c9cec539e |
| e16ba0ace7b0abc8bf1cd0d89ecb591ce94210cb2192196a756fe1c554e03d62 |
| 705e6b3291082ab445e179e9e65464f3d7809f266ca5644707f67b59c531ab43 |
| 3996059fe34930b9d9f584bda6d7e784a2295ae3d988255e97857b9928b5c955 |
| 424ffe0e02a6f89682d55c7e051538705a067dbb87ad5daa9379ac70593da268 |
| 016b1bc90d2a25f17ae03f0a29bf8297dfd33fd718e02e318f4a64d192fceb60 |
| 5de3d93e65bc78582772de69a6663ccef69fa056f9cf7fe44cd3011d03104b59 |
| af9ff2feb141ada2c8ca807fb12326dcb0d377d372d13955c33ca6aef378b387 |
| d3ccfc7eefe685bc703f2975cde7560c851f7e28f8fac127baf54b24ede4ca91 |
| 199528b69b42d1af70f525973be5e53bcd16c19b39a117cfaa27ba1a515723f8 |
| b3347d03d6ab008c67cb3c819b545ea82fd5d0eb8e92050af7daebb35c803ad4 |
| 5a0e68a086ea94b7601121e52f03bb29faab5d1da95ced80a11218034e8d2944 |
| 01c7dd686988aded4a1730159eaaa2f4ecfb9f53dc93a3f9ba0503b7698aa454 |
| 2ae8f7e54b2c1568faa2071facfbab5f1f66e77cca38fd755c66c56f048abab3 |
| 7f98aba8439fcc1f2b54cbb1a12f1a8f4752d65e0fb8ee7fbdd206e2f0db5b99 |
| 6c22a397528ff1fe394044d94134af1d81ab8ef5ce82dd65283586ac6d9319c0 |
| d79ff402299dcf2d71c104beb763f0e3893eb857622cc07d8969aa08541950f9 |
| 15b7b01be91b632db911f41473c68e5d3d1e705f1738214aa2827b8f6b060b87 |
| cf27ba547b3b778e771324406fd4e95b992a1664826d179cf7af0d4f8dd1bc0a |
| 43ca549fc5b4e817a872ea9d53f1a17949a7a2d80d67a2b2f37907b021da818b |
| a563a898ce1c8dcac374ef8a468e39a185ca3b010f1a41b60731a7beac23f846 |
| 4c886afcf091e440b12ade502e4b8dcd2e9995cb2c10d7c0f8fd16e736d6fca6 |
| 2e268914ba79bc7c7ac43a39b6dc463d56e32f6e43ff8cfb4aa19e43aefd8ffb |
| 3363075fd1a09ada8858a47b099c702028f26705c5967633ee92f341817db3b3 |
| 14e7b4f4f4e98ecb3aad0e67857b3fbbca1d314ecdaa0b1aab122e1d97954977 |
| eddcaacc8947b326dd6998c90175846c76375ee953074668354ac72dba27ffdf |
| f9155082e1d12e318287a25bb73036feab7c75b7f0c3c1c30f457cbecaf9763a |
| 388b67c9e243a4156343e3f2c6b640df04f1803a2eed2b66ff88ee698e348880 |
| 44e50aaa49e93786e5e228983b0b1daddf8ad88baacc627e7667ea749d64cdfe |
| 5b6b8e78568b828610d9d85128e14e34938614f7fc2885569995834678da14b2 |
| fe376b2372b224037d4ab183527213a3731e8a141a74cbdabd1c00eb52da6323 |
| cd9b154f848a6f37a110de136034cbf5190600da5687bb6259f19addf2e2759a |
| 82d3edc9ad7ba25feca5ef08641b0f030d92faa5dec17f3148e062b727a0240c |
| b590b1181625df5cc62b8716449c07faf158411381babca4d22988c5d852aafa |
| bacaaa40e0f3b6cba3fc498dfbd6f2d198a767453cd8513acdbafa9fefaeed2a |
| c1b451ce8ae3ab62b5cdfd52793c5cf4e57efbc39012c4139d1b8958b202f6d1 |
| 895225b53f54d122a60d52a692acfe09a4fb64fbc2bea01746d2ec3f12e3a564 |
| 0627b6c0e68d720dbeafde9231c6a2a1652a7c6e1d7b8816fc8c829e793c0847 |
| 26ff94fc13fe6281062a8b36abed5e25e350dd441a31b8acc910292fd67c4805 |
| 6ff9969b0b9d452a37be71de3c3cb1773a4ce604068bdb715ee3f2742d0e3898 |
| 67669c698454edaee7a64ddeb26eea619e2946939a4d71b5299b9fef7c4252a1 |
| f3eb876bdd52d2f6fb8a8dfe28fcff50129a1fd88f76b3e99c500357c36ff862 |
| bb8510a80af2965bdca1fdb2218ebfaa2a72402c0b767c3fde6b7807baa647b5 |
| 0756d1e1046fc633cd6796b320ba230db24e73c238c7ceb4dd20096ff366502b |
| 246366b847f40185b79d4b7dccd159a0ea49b16043baa6c2898ad6dc88fcf0a0 |
| 4e4b0f2b45295ae88dc7cd1e2846788f54a22905bf6cf289519f609e41dda2a4 |
| eceba2e6a2c1be781eaa0dd185fae4061a47c5cda10934672723f9ce06332ff4 |
| 7b5e89ca46752ad31a046d9b1ef6ab2ceb8289e1dcf8c68556df0a2b27f8acb1 |
| 230768a8b1c1a0f8ee13a9d91a67742f3c0dac9d1bb5218a59362b6ddfd07284 |
| 5456f58b7112cbc0cccb10f8da3b6edb96712a08dfc09729aad2f60bd62be4fc |
| 28240d3260b1ea8df33747d3d6c9be6685f83dbc4c40d6c90b2622054dd79b4b |
| 38540db35f6786084fa896cb52297141625d5e8da335e8b539fda1683cda5f86 |
| a9d9dd9c8a720a43790c0218adfc255ef41a3b5f1be8b1e0d0e9931a24225493 |
| 47dcbf01785cbe9d614186a2fa97706470ef31008ce7d09f2bbcae8d96c073f0 |
| 2656b3ff415a282bab5d844689e62e93e2f6ff089529bda9377bbb58cce17880 |
| 59674d38de995cca06bb45e523d6c080eae1d717ec632932d28c0dd648b1086d |
| d3db87b88e8b020f212e9707d8efb3888eccf436fd30658966e6db0e90e46f04 |
| 7dac4a54cfc927b195a3b35b031b7653622dc95706324122e39c6ed1f1767259 |
| 0245bb4c69fc027f53b3f5c41ed13a515a81c9b0bb12700df6688554ce248d70 |
| d4d23638d8c40ac1f052c82c4302aa3403378afdb65cab1bc582396c2ae7757a |
| 32ae82bfe98d50ecd5d6a7267854c8e09f353c980d4bd526de6128202b884cb2 |
| 080ff06496d8b6b5e6307059e378ed7052e381a6f130d89385c778edf32ae996 |
| 4791a5bcad2a0ea8e525bf24dc5c480ead507f0a888b31134fc26799167a2f94 |
| 1745870e72b522d26907dd2a6b9005804bf5aa390df6cc9cac32d3cd1d118cfc |
| 795f59666238d3e1d5ae55f2f43b4b85e040488444865f23f3d3d43b26451203 |
| 1cadbfc60a4a24b71e3024cec9bcb7a451f6dc2ac61f714e060925e927e41d2d |
| 1c964f7b4a1f588cab0f3a68eb987905b9d5b4d3121db07af0e26b291db6f1b7 |
| 0513703f3cdd9baff067432764336311825131de68252c8e20392e08e55c15f7 |
