Adr.exe


Gibert Chisholm

Aug 3, 2024, 1:32:54 PM
to thaytecompclos

The attack involves various components, including PowerShell scripts, batch files, Go-based binaries, and vulnerable drivers. The TA appears to be planning a Windows BYOVD attack using the Terminator (Spyboy) driver, which was not executed during the initial infection but may be executed after gaining a remote connection.

The initial infection begins with a Zip archive containing a shortcut (.lnk) file. When executed, this shortcut file downloads and runs an obfuscated PowerShell script. The .lnk file executes the following command:

Suppose UAC is disabled or the value of isUACOpen is set to 0, indicating that the administrator can perform operations requiring elevation without consent or credentials. In that case, the script executes the command mentioned in the figure below.

This command starts the Command Prompt with elevated (administrator) privileges. Within the elevated Command Prompt, powershell.exe is run with specific parameters to hide its window and bypass execution policies.

If the UAC is enabled and the operations cannot be performed without consent or credentials, this script runs an indefinite loop to execute the same PowerShell commands mentioned above. It uses exception handling to ensure the script runs successfully even if there are initial failures and retries every 2 seconds after an exception is met.

This PDF contains a detailed guide about future cryptocurrency trading on the CoinDCX platform. CoinDCX is a cryptocurrency exchange platform based in India, so we suspect that the target might be from India.

After executing the preceding operations, the loader dynamically generates a batch script named in the format script_.bat. This script is created and saved in the %temp% directory, as illustrated in the figure below. Once the script is created, it is executed, and upon successful execution, it is deleted to eliminate any traces of the infection.

It renames adr.exe and main.exe to a random numeric string before saving and executing them. This script does not contain the code to execute the Terminator.sys file. The figure below shows the batch script.

This is a 64-bit GoLang binary sourced from an open-source project named GoDefender on GitHub. It offers robust functionality to detect and defend against various debugging tools and virtualization environments.

This is a legitimate Windows driver. Due to vulnerabilities in its counterparts, zam32.sys and zam64.sys, this version is often associated with various bypasses or malware. Terminator is reportedly capable of bypassing 24 different antivirus (AV), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) security solutions, including Windows Defender, on devices running Windows 7 and later. Terminator drops a legitimate, signed Zemana anti-malware kernel driver named zamguard64.sys or zam64.sys.

The main.exe acts as an installer for RDPWrapper and configures Tailscale. Upon execution, it runs a PowerShell script, as shown in the figure below. It sets up a PowerShell command and executes it using the os_exec_Command() function. The PowerShell command is encoded in Base64.

This PowerShell script initially configures the system to facilitate multiple concurrent Remote Desktop sessions per user and to relax the security policy for using blank passwords, as shown in the figure below.

After this, it disables various notification systems, restricts certain system functionalities for the current user, and prevents specific services from running by making changes to the following registry entries:

Once an attacker gains Remote Desktop Protocol (RDP) access, they have significant control over the connected device. They can deploy malware and ransomware, leading to data loss, financial theft, and service disruption. They can steal sensitive information, including personal data, business secrets, and intellectual property. The compromised system can also serve as a launchpad for further attacks within the network, allowing the attacker to pivot to other devices, escalate privileges, or move laterally. Additionally, the attacker can execute commands on the compromised system, potentially compromising other systems or performing reconnaissance.

A new sophisticated campaign has been discovered targeting individuals involved in the cryptocurrency market. This campaign utilizes a multi-stage approach, primarily leveraging RDPWrapper and Tailscale to facilitate unauthorized access and establish control over victim systems.

According to Cyble Research and Intelligence Labs (CRIL), a unique aspect of this campaign is the exploitation of legitimate tools such as RDPWrapper and Tailscale. RDPWrapper enables multiple Remote Desktop Protocol (RDP) sessions per user, circumventing the default Windows restriction of one session per PC. This capability allows threat actors to maintain persistent access to compromised systems discreetly.

The attackers have tailored their approach with geographic and industry-specific targeting in mind. Evidence suggests a focus on Indian users within the cryptocurrency ecosystem, as indicated by the deployment of a decoy PDF related to cryptocurrency futures trading on CoinDCX, a prominent Indian exchange platform.

Following initial infection, the malware drops and executes a Go-based loader that performs anti-virtualization and anti-debugging checks. It then downloads additional payloads, including GoDefender (adr.exe) and potentially malicious drivers like Terminator.sys. These payloads are designed to evade detection and enhance control over the compromised system.

Furthermore, the malware configures the system to allow for multiple concurrent RDP sessions using RDPWrapper. It also manipulates system registries and installs software like Tailscale to maintain persistent access and facilitate further malicious activities.

Once established, RDP access grants threat actors significant control over compromised devices. They can execute commands, deploy ransomware, exfiltrate sensitive data, or pivot to other systems within the network, potentially causing severe operational and financial damage.

To mitigate the risks of sophisticated cyber campaigns targeting cryptocurrency users, Cyble recommends proactive measures. Monitoring should include detection of base64-encoded PowerShell scripts and unauthorized software installations like RDP wrappers.

Enhanced security configurations involve strengthening UAC settings, monitoring Defender exclusion paths, and implementing strong authentication for RDP sessions. Network segmentation is crucial to isolate critical systems and minimize the impact of potential compromises.

Suhail Khalid is a cybersecurity professional with a Master of Science in Information Technology (Cyber Security). With a passion for ensuring robust information security practices, Suhail brings extensive expertise to his role at the Dubai Electronic Security Center.

As a Lead Auditor ISO/IEC 27001 Information Security certified professional, Suhail has demonstrated proficiency in implementing and managing information security management systems (ISMS). His meticulous approach to auditing ensures compliance with the ISR controls and related information security best practices, providing organizations with the assurance needed to safeguard their sensitive data.

With over 8 years of experience as an ISR (Information Security Regulation) auditor, Suhail has played a pivotal role in assessing and enhancing the security posture of various government entities. His in-depth understanding of regulatory requirements enables him to effectively evaluate and mitigate cybersecurity and information security risks, ensuring compliance with industry regulations and standards.

Eng. Dina Al.Salamen is the Vice President and Head of Cyber and Information Security. She has worked for international organizations including Arab Bank and Bank ABC for more than 17 years. Recently, she has been selected to be part of EC-Council International Advisory Board (CISO Program).
She also gives keynote speeches on cybersecurity and has a genuine love for innovative technologies such as blockchain, big data, and artificial intelligence. She took part in a number of international conferences, including LEAP 2024 in Riyadh, Blackhat MEA 2023 in Riyadh, MENA Cyber Security Summit in Riyadh, and GISEC 2023 in Dubai.

She has been specializing in information security for more than 20 years now and her experience is augmented by several leadership roles in both public and private sectors, including Financial, Telecom, Public Sector, Consulting firm, Energy sector and other State-owned entities. She

Sithembile is also a mentor, international speaker and serving as an advisory board member. She is passionate about cybersecurity and enabling organisations to achieve their business objectives in a secure manner to fulfil their mandates. Besides her extensive experience in other information/cyber security domains, she has also played a pivotal role in defining and implementing robust information security strategies to protect organisations against the increased attack surface, in support of the swift digital migration initiatives and hybrid mode of working, including artificial intelligence and machine learning.

In her current capacity, she is responsible for developing Standards and Policies related to Cyber Security in alignment with the Dubai Cyber Security Strategy. Having worked in various government and federal entities in the UAE, Irene has contributed to Cybersecurity strategic planning and mapping of local standards against international standards.

Irene is a Co-founder of the Women in Cyber Security Middle East (WiCSME) and is highly engaged in activities supporting and mentoring women and girls in their professional growth. She has received several accolades locally, regionally, and internationally.

Ellis, the Managing Director of AsiaGulf Synergy Ventures, brings over 30 years of executive experience and excels in digital technology leadership for business growth. Focused on leveraging Asian tech solutions for Gulf market expansion, he aims to establish holistic business ecosystems and craft integrated investment strategies. With a versatile background spanning CTO to CEO roles in renowned international firms such as Intel, Mashreq Bank, Alibaba, Google, and McKinsey, Ellis is recognized for driving digital transformation across diverse industries, including digital banking, eCommerce, EV, and Flying Car technologies.

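The post describes powershell.exe being launched with a hidden window, an execution-policy bypass and a Base64-encoded command, and recommends monitoring for exactly that. The script below is an added example (not code from the post, from Cyble, or from the campaign) showing how such a detection works on process-creation command lines: it recognises the abbreviated switches powershell.exe accepts, decodes the -EncodedCommand payload (Base64 of UTF-16LE text) and searches the decoded script for the RDP-enabling changes the post lists. The event lines, the sample script and the indicator list are constructed for the example; the indicator names are my own and not identifiers from the campaign.

```python
"""Detect hidden, policy-bypassing, base64-encoded powershell.exe launches in
process-creation command lines and decode the payload to look for the RDP
reconfiguration described in the post. Added example; the event lines and the
indicator list are constructed assumptions, not artifacts from the campaign."""
import base64
import re

# Strings in a decoded script that match the behaviour the post describes.
INDICATORS = {
    "rdp_enabled": re.compile(r"fDenyTSConnections", re.I),
    "multi_session_rdp": re.compile(r"fSingleSessionPerUser", re.I),
    "blank_password_logon": re.compile(r"LimitBlankPasswordUse", re.I),
    "rdp_wrapper": re.compile(r"rdpw(rap|inst)", re.I),
    "tailscale": re.compile(r"tailscale", re.I),
    "defender_tamper": re.compile(r"Add-MpPreference|ExclusionPath|DisableAntiSpyware", re.I),
}
POWERSHELL_RE = re.compile(r"(?i)\b(powershell|pwsh)(\.exe)?\b")


def _is_switch(token, full_name, min_len):
    """powershell.exe accepts any unambiguous prefix of a parameter name, so
    '-w', '-win' and '-WindowStyle' are all the same switch."""
    t = token.lower()
    if not t.startswith(("-", "/")):
        return False
    name = t[1:]
    return len(name) >= min_len and full_name.startswith(name)


def decode_encoded_command(b64):
    """-EncodedCommand takes base64 of UTF-16LE text; None if not decodable."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_ps(script):
    """Inverse of decode_encoded_command; used here only to build sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze_command_line(cmd):
    """Return the launch flags, the decoded payload (if any) and the matched
    indicators for one process command line."""
    result = {"hidden": False, "bypass": False, "noprofile": False,
              "decoded": None, "indicators": [], "suspicious": False}
    if not POWERSHELL_RE.search(cmd):
        return result
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if _is_switch(tok, "windowstyle", 1) and nxt.lower().startswith("h"):
            result["hidden"] = True
        elif (_is_switch(tok, "executionpolicy", 2) or tok.lower() == "-ep") \
                and nxt.lower() in ("bypass", "unrestricted"):
            result["bypass"] = True
        elif _is_switch(tok, "noprofile", 3):
            result["noprofile"] = True
        elif (_is_switch(tok, "encodedcommand", 1) or tok.lower() == "-ec") and nxt:
            result["decoded"] = decode_encoded_command(nxt)
    body = result["decoded"] if result["decoded"] is not None else cmd
    result["indicators"] = [n for n, rx in INDICATORS.items() if rx.search(body)]
    # Encoded plus hidden/bypass is worth a look even if no indicator matched.
    result["suspicious"] = bool(result["indicators"]) or (
        result["decoded"] is not None and (result["hidden"] or result["bypass"]))
    return result


def scan_events(command_lines):
    """Return (index, analysis) for every suspicious command line."""
    return [(i, r) for i, c in enumerate(command_lines)
            if (r := analyze_command_line(c))["suspicious"]]


# Constructed sample script modelled on the registry changes the post describes.
SAMPLE_SCRIPT = (
    'Set-ItemProperty -Path "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
    '-Name fDenyTSConnections -Value 0; '
    'Set-ItemProperty -Path "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
    '-Name fSingleSessionPerUser -Value 0; '
    'Set-ItemProperty -Path "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa" '
    '-Name LimitBlankPasswordUse -Value 0; '
    'Start-Process "$env:TEMP\\RDPWInst.exe" -ArgumentList "-i" -Wait'
)

# Constructed command lines as they would appear in Security 4688 / Sysmon 1 events.
SAMPLE_EVENTS = [
    'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -File C:\\scripts\\backup.ps1',
    'powershell.exe -nop -w hidden -ep bypass -enc ' + encode_ps(SAMPLE_SCRIPT),
    'C:\\Windows\\System32\\notepad.exe C:\\Users\\victim\\notes.txt',
]

if __name__ == "__main__":
    for idx, hit in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: hidden={hit['hidden']} bypass={hit['bypass']} "
              f"indicators={hit['indicators']}")
```

Matching on the decoded body rather than on the raw command line is the point: the registry names never appear in the 4688 event itself, only inside the Base64 blob. The switch handling is deliberately prefix-based because -enc, -ec and -e all reach -EncodedCommand and a detection keyed on the full parameter name misses them.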
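The post also describes the configuration the malware leaves behind (elevation without a UAC prompt, blank-password logons permitted, RDP enabled with multiple sessions per user, RDPWrapper installed) and recommends checking UAC settings and Defender exclusion paths. The audit below is an added example, not the post's or Cyble's code: it parses the text that `reg export` produces and flags those settings. Assumptions: the post's isUACOpen is the script's own variable, and the audit instead reads the documented policy values EnableLUA and ConsentPromptBehaviorAdmin; RDP Wrapper's redirection of the TermService ServiceDll to rdpwrap.dll is taken from that project's documented install behaviour; the export text is constructed for the example.

```python
"""Audit a Windows registry export (output of 'reg export') for the settings
the post says the campaign changes. Added example; the export is constructed
and the baseline of 'weak' values is an assumption."""
import re

POLICIES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
TERMSRV = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_TCP = TERMSRV + r"\WinStations\RDP-Tcp"
TERMSERVICE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters"
DEFENDER_EXCL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"

# (key, value name, values considered weak, description); absent = Windows default
DWORD_CHECKS = [
    (POLICIES, "EnableLUA", {0}, "UAC disabled"),
    (POLICIES, "ConsentPromptBehaviorAdmin", {0}, "admins elevate without any prompt"),
    (LSA, "LimitBlankPasswordUse", {0}, "network logon with blank passwords allowed"),
    (TERMSRV, "fDenyTSConnections", {0}, "Remote Desktop enabled"),
    (TERMSRV, "fSingleSessionPerUser", {0}, "multiple RDP sessions per user allowed"),
    (RDP_TCP, "UserAuthentication", {0}, "Network Level Authentication off for RDP"),
]


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def _parse_data(data):
    """REG_SZ, REG_DWORD and REG_EXPAND_SZ (hex(2), UTF-16LE); else raw text."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    if data.lower().startswith("hex(2):"):
        raw = bytes(int(x, 16) for x in data[7:].replace(" ", "").split(",") if x)
        return raw.decode("utf-16-le").rstrip("\x00")
    return data


def parse_reg_export(text):
    """Parse .reg text into {key path: {value name: data}}."""
    keys, current = {}, None
    joined = text.replace("\r\n", "\n").replace("\\\n", "")  # hex continuation lines
    for raw in joined.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$', line)
        if m and current is not None:
            name = "(default)" if m.group(2) else _unescape(m.group(1))
            keys[current][name] = _parse_data(m.group(3))
    return keys


def _lookup(keys, key, name):
    """Case-insensitive lookup; None when the value is absent."""
    for k, values in keys.items():
        if k.lower() == key.lower():
            for n, v in values.items():
                if n.lower() == name.lower():
                    return v
    return None


def audit(keys):
    """Return one finding string per weak setting present in the export."""
    findings = []
    for key, name, weak, desc in DWORD_CHECKS:
        value = _lookup(keys, key, name)
        if value in weak:
            findings.append(f"{name}={value}: {desc}")
    dll = _lookup(keys, TERMSERVICE, "ServiceDll")
    if dll is not None and not dll.lower().endswith("termsrv.dll"):
        findings.append(f"ServiceDll={dll}: TermService not backed by termsrv.dll (RDP Wrapper?)")
    for k, values in keys.items():
        if k.lower() == DEFENDER_EXCL.lower():
            findings.extend(f"Defender exclusion path: {p}" for p in values)
    return findings


# Constructed export of a host reconfigured the way the post describes.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"fSingleSessionPerUser"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,72,00,64,00,70,00,77,00,72,00,61,00,70,00,2e,00,\
  64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\Users\\Public\\Libraries"=dword:00000000
'''

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

Export the relevant hives with `reg export HKLM\SYSTEM sys.reg` and `reg export HKLM\SOFTWARE sw.reg` on the host and feed the text to parse_reg_export; values that are absent are treated as the Windows default and not reported, so only explicit weakening shows up.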