
Discover the Elusive Trishul RAT Unleashing Its Arsenal During Targeted Offensives on Thai Victims, Primarily Concentrated within the Burgeoning Campaign of BangkokShell.

The Telecommunications and Technology Crime Suppression Division Computer Emergency Response Team (TTC-CERT) has analyzed several suspicious files received from a cybersecurity agency in Thailand. The investigation found that the files are malicious and built to give an operator remote control of the targeted computers, with evidence indicating that the attack is part of the BangkokShell cyber espionage campaign. The main targets of this campaign are security-focused organizations in Thailand. The malware used in this attack is a complex loader called LTDIS13n.dll, which carries an obfuscated payload that deobfuscates into malicious shellcode. The shellcode is injected directly into memory without writing any file to the filesystem, which makes it hard for file-based scanning to detect.

The discovered shellcode is a Remote Access Trojan (RAT) that embeds its command and control (C2) URLs as stackstrings, meaning the strings are assembled on the stack at runtime rather than stored as plain text, so simple string extraction does not reveal them. Of particular interest is that the C2 domain names closely resemble domain names used within the internal networks of the targeted security organizations. Once activated, the shellcode connects to the C2 over HTTPS on port 443 and receives and executes commands on the targeted computer. The command data is obfuscated with an XOR cipher and is deobfuscated by three XOR passes, each using a different XOR key. The shellcode executes commands through LOLBins such as Windows Command Shell (CMD) and PowerShell, a living-off-the-land technique that helps it blend in with legitimate administrative activity and evade detection.
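The three-pass XOR scheme described above is worth seeing in code, because it shows why the extra rounds add no real protection. The following Python helper is an added example written for this summary; it is not code from TTC-CERT's report or from the malware, and the round keys and the sample command blob are constructed placeholders, not the actual keys used by Trishul RAT. It decodes a blob by applying three repeating-key XOR rounds, and it also collapses the three keys into the single equivalent key stream an analyst can drop into a YARA rule or a memory-triage script.

```python
"""Three-round repeating-key XOR decoder, modelled on the described
Trishul RAT command deobfuscation (three XOR passes, different key per pass).

All keys and sample data below are constructed for illustration and are NOT
the real values used by the malware.
"""
from math import lcm
from typing import Sequence

# Hypothetical per-round keys (placeholders, not the malware's real keys).
ROUND_KEYS: tuple[bytes, ...] = (b"\x5a\xa3\x17", b"k3y-two", b"\x90")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR every byte of `data` with `key`, cycling the key as needed."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def deobfuscate(blob: bytes, keys: Sequence[bytes] = ROUND_KEYS) -> bytes:
    """Apply one XOR pass per key, in order, exactly as a three-round decoder would."""
    out = blob
    for key in keys:
        out = xor_repeating(out, key)
    return out


def obfuscate(plain: bytes, keys: Sequence[bytes] = ROUND_KEYS) -> bytes:
    """Encoder counterpart: same passes in reverse order (XOR is its own inverse)."""
    out = plain
    for key in reversed(keys):
        out = xor_repeating(out, key)
    return out


def collapse_keys(keys: Sequence[bytes]) -> bytes:
    """Fold N repeating XOR keys into the single equivalent key stream.

    Byte i of the data is XORed with key_1[i % len_1] ^ key_2[i % len_2] ^ ...,
    and that pattern repeats with period lcm(len_1, len_2, ...). So three XOR
    rounds are exactly one XOR round with a longer key; the layering adds
    obscurity, not strength.
    """
    period = lcm(*(len(k) for k in keys))
    return bytes(xor_repeating(bytes(period), k)[i] for k in [b""] for i in range(0)) or bytes(
        _combined_byte(i, keys) for i in range(period)
    )


def _combined_byte(i: int, keys: Sequence[bytes]) -> int:
    value = 0
    for key in keys:
        value ^= key[i % len(key)]
    return value


def looks_like_command(decoded: bytes) -> bool:
    """Cheap plausibility check for a decoded C2 command: mostly printable ASCII."""
    if not decoded:
        return False
    printable = sum(32 <= b < 127 for b in decoded)
    return printable / len(decoded) >= 0.9


# Constructed sample: a benign diagnostic command, obfuscated with the placeholder keys.
SAMPLE_COMMAND = b"cmd /c hostname"
SAMPLE_BLOB = obfuscate(SAMPLE_COMMAND)


if __name__ == "__main__":
    print("blob      :", SAMPLE_BLOB.hex())
    print("decoded   :", deobfuscate(SAMPLE_BLOB))
    print("one-key   :", xor_repeating(SAMPLE_BLOB, collapse_keys(ROUND_KEYS)))
    print("plausible :", looks_like_command(deobfuscate(SAMPLE_BLOB)))
```

The practical takeaway for detection engineering: once the three keys are recovered from the sample, `collapse_keys` yields a single 21-byte key stream (here lcm(3, 7, 1) = 21) that decodes traffic in one pass, and `looks_like_command` is the kind of sanity check a triage script uses to confirm a candidate key set is correct.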

This malware, named Trishul RAT by TTC-CERT, poses a significant threat to the cybersecurity of organizations. TTC-CERT has therefore analyzed the suspicious files, extracted Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs), and created detection rules in both YARA and Sigma formats. Organizations can use these rules for monitoring, threat hunting, and incident response in their networks. Furthermore, if an organization is connected to TTC-CERT’s MISP system, the IOCs, YARA rules, and Sigma rules are delivered automatically to the organization’s MISP instance.

For more detailed analysis from TTC-CERT, refer to the AMAR-231199-1.v1 – BangkokShell Malware Analysis Report. Users can also download the YARA rules for this analysis from TTC-CERT’s GitHub repository under the names bangkokshell_trishul_rat and bangkokshell_dll_loader_v3. Additionally, the Sigma rule titled “BangkokShell Operation, DLL Side-loading leveraging Windows Service” can also be downloaded from the same repository. MISP users can download the MISP event for this analysis from TTC-CERT’s GitHub repository.

TLDR: TTC-CERT has discovered dangerous files related to the BangkokShell cyber espionage campaign targeting security organizations in Thailand. The malware uses a complex loader and shellcode to gain remote access and execute commands. TTC-CERT has created detection rules and offers detailed analysis for organizations to enhance their cybersecurity measures.
