Yellow Liderc ships its scripts and delivers IMAPLoader malware

Author: PwC Threat Intelligence

Introduction

Yellow Liderc is an Iran-based threat actor that has been active since at least 2018. As previously reported in our 2020 Year in Retrospect publication, Yellow Liderc is an Islamic Revolutionary Guard Corp. (IRGC) aligned threat actor, which focuses on targeting Aviation, Automotive, Aerospace and Defense, Logistics, Maritime and Information Technology organisations. Geographically, the threat actor focuses on targeting organsiations throughout the Middle East, Europe, both North and South America and parts of South Asia. In 2021, open source reporting documented alleged connections between the threat actor and the IRGC,⁴ which also aligns with our previous reporting.⁵

Yellow Liderc is known for a variety of tactics and techniques, including phishing, social engineering and strategic web compromises. The threat actor uses both custom and off-the-shelf malware including PowerShell backdoors and infostealers in order to gather information about victim systems. The threat actor has previously used macro enabled documents that drop a VBS script, commonly referred to as LEMPO, which establishes persistence, performs reconnaissance, and exfiltrates sensitive information. The threat actor often favours exfiltration of sensitive information to an actor-controlled email account via SMTPS or IMAP, and has been observed using both dedicated mailboxes and third party services for their email accounts.⁷⁸

Strategic Web Compromises

Since 2022 Yellow Liderc has frequently compromised legitimate websites and inserted malicious JavaScript,^9,10,11 often referred to as a watering hole attack or strategic web compromise. The JavaScript is used by the threat actor to fingerprint website visitors by capturing user location, device, time of visits, etc. The script enables the actor to infect specific user systems, matching a target fingerprint, with malware and gain access to the organisation’s network.

This activity has heavily focused on the maritime, shipping and logistics sectors within the Mediterranean. Previous open source reporting has described some of this specific targeting by the threat actor.^12,13 PwC has observed the following domains being actively used by Yellow Liderc throughout 2022 and 2023 in various watering hole attacks:

• ztransportorganizationil[.]xyz
• cdnpakage[.]com
• hotjar[.]info
• fastanalizer[.]live
• fastanalytics[.]live

In some attacks, the threat actor would serve malware to their targets upon visiting the infected websites because their fingerprints apparently indicated they could be a high value target. PwC observed a new sample of malware used in those later stages, which we have named IMAPLoader. We assess that IMAPLoader is a replacement to a Python-based IMAP implant the actor used in late 2021 and early 2022.¹⁴ The overall functionality is similar to past malware leveraged by the threat actor, but IMAPLoader uses a new injection technique not previously seen with Yellow Liderc, and is detailed below.
 

IMAPLoader

The following sample is a DLL written in .NET and acts as a downloader, leveraging email communication as a means of command and control (C2) communication.

In order to run, IMAPLoader uses an injection technique known as ‘AppDomain Manager Injection’,¹⁵ which was first publicly disclosed in a proof of concept in 2020. The injection forces a Microsoft .NET application to load a specially crafted .NET assembly (IMAPLoader in this case). Upon execution, IMAPLoader extracts the full path to itself, and makes the Windows Console Window that is created when the application is started hidden from view. This is achieved by directly importing the Windows DLLs kernel32.dll and user32.dll and calling the GetConsoleWindow and ShowWindow APIs respectively.

The malware then queries the IMAP accounts (email addresses) hardcoded in the DLL which are both decimal encoded. These include two email addresses and passwords, which once decoded, show Yandex email addresses, a common email provider used by this threat actor:

• leviblum[@]yandex.com; and
• brodyheywood[@]yandex.com.

The malware then runs a WMI query to determine the operating system version, followed by scheduling tasks depending on the version identified. One of those tasks is to check for specific mailbox folders in a folder misspelled by the threat actor. Messages in the "Recive" folder are likely to contain further payloads as attachments. IMAPLoader proceeds to compile a list of unseen messages in this folder and prepare for attachment extraction via the hard coded Yandex email addresses.

Depending on which Yandex account successfully logged in to, a new object imapClient3 is created which can interact with the remote email. By calling WMI class Win32_ComputerSystemProduct, IMAPLoader extracts the system UUID strings. This is later converted into a SHA-256 hash value and the first 21 characters (converted to uppercase) are used as an identifier in any further communication with the IMAP account. This likely indicates the Yandex accounts are intended for use across multiple victims, in contrast to their previous Python-based IMAP implant.

The briefly mentioned extraction of attachments uses the Ux.Attachment method to return a dictionary object, where the first entry is the name of the attachment (stored as a string), and the second entry stores the raw attached file as a byte object. The attachment is subsequently stored in the same location on disk as IMAPLoader. We also observed in the code that there is a persistence mechanism via Ux.EditTask. This method ensures persistence on the system for the new retrieved payload, which we assess is likely to be a PE executable file. The method is used to edit the Windows task (previously created by IMAPLoader as StreamingUX Updater [version number]) by updating the path to point to the new payload.

In the last chain of actions, the new payload is executed, by calling the ProcessStartInfo class. Finally, a new thread is created in the context of IMAPLoader which is used to fingerprint the system and exfiltrate collected content by sending an email to the same IMAP account used to retrieve the payload. While we have previously observed the threat actor developing .NET malware which uses similar email-based C2 channels and hard-coded commands to gain information about the victim's environment, IMAPLoader is executed via the 'AppDomain Manager Injection' technique, a technique we have not observed Yellow Liderc using before, which shows an evolution of this threat actors tools and techniques.

An early version of IMAPLoader

We detected another sample from September 2022 which we assess is an earlier version of IMAPLoader:

Although saveImapMessage.exe is an EXE file rather than a DLL, this shares a similar .NET file structure. It also contains the same functionality as our original sample (StreamingUX.dll) which in this case is located in a namespace called ‘downloader’. We also found a .NET DLL named JobTitle.dll which shares a partial PDB path with saveImapMessage.exe (F:\\vsp\) and drops a version of IMAPLoader to the victim’s system.

The infection chain for IMAPLoader is composed of three stages, using a decoy Excel document and legitimate Microsoft application for injection as seen in Figure 3.

Stage 1

The first stage is distributed as an Excel-DNA XLL plugin,¹⁷ an open source library that enables .NET integration into Microsoft Excel files. One of its resources is called JOBTITLE which stores the 2nd stage component of the multi-part infection chain.

Stage 2

As soon as JobTitle.dll is executed, it writes a C# source code file named source.cs to disk. This is subsequently compiled into a .NET DLL file called sign.dll, a version of IMAPLoader, by leveraging the native C# compiler tool csc.exe.

Three additional files extracted by JobTitle.dll from its resources are also written to disk: a benign Microsoft Excel document, a modified Microsoft Windows application and an associated configuration file.

• The decoy document used by the threat actor to avoid raising victim suspicion during the execution chain;
• A configuration file used to trigger the injection of the IMAPLoader component into AppVStreamingUX.exe by leveraging the AppDomain Manager Injection technique previously mentioned; and,
• AppVStreamingUX.exe appears to be a legitimate Microsoft Windows app that has been modified by the threat actor as the compilation timestamp is set to a future date. A new Windows Task called MicrosoftEdgeCrashFixsTaskMachineUA, is created and configured to load AppVStreamingUX.exe, which leads to the process self injection and the execution of the sign.dll binary, the third and last stage of the infection chain.

Stage 3

The last DLL has the same functionality as discussed in the earlier StreamingUX.dll IMAPLoader analysis. The email addresses used for C2 communication also match our earlier analysis indicating the threat actor has likely reused its infrastructure for different victims. As per the previous sample, host fingerprinting is performed at every new payload execution, by creating a new process and executing cmd.exe with the same parameters as before.

Additional phishing activity

Pivoting on the strategic web compromise infrastructure shows links to infrastructure we assess is likely used by Yellow Liderc in their phishing operations. For example, both ztransportorganizationil[.]xyz and officemicrosoftsign[.]com shared a resolution at IP 138.124.183[.]100. Many similar domains can be identified from additional pivots made on this threat actor's infrastructure that have been active since at least 2022, such as the one shown in Figure 4.

All of this assessed phishing activity is likely aimed at a wider target audience, rather than solely focused on the maritime or shipping sectors within the Mediterranean. Some of the domains are generically themed around Microsoft accounts which can be used against a wide variety of targets, while other domains are specifically aimed at the travel and hospitality sectors within Europe.

In some cases, the threat actor is likely credential harvesting based on observations of the phishing pages being served. For example, Figure 5 below, shows a generic Microsoft login page that Yellow Liderc is using to trick targets into entering their credentials. It is assessed that the likely delivery method of this and similar domains described throughout are sent via spear phishing emails.

In other cases, malware is served to targets upon visiting the phishing website. For example, the threat actor served a macro-enabled Excel document that drops a VBScript. The use of macro-enabled documents that drop VBScripts is very similar to past Yellow Liderc activity which we have reported on privately,¹⁸ alongside open source reporting.¹⁹

Upon opening, the macro-enabled Excel document contains a custom message requesting the user to enable macros. Once enabled, the user is presented with a decoy document. The macro itself writes several files to disk including a chain of scripts that set up a registry run key for persistence, a Python payload, and a local copy of Python 3.11.

Conclusion

Yellow Liderc is a highly persistent threat that remains active in targeting organisations with the described strategic compromise tactics and phishing activity. Analysis of IMAPLoader shows an evolution of the threat actor's tools which will likely continue to evolve, as the threat actor stays focused on targeting a variety of sectors and regions which align with its strategic interests.

Overview of TTPs

PwC recommends searching historical logs and configuring alerting for the indicators or detection content provided in this report. If any of these indicators are discovered, or detection content generates alerts, we recommend organisations investigate their origin and conduct forensic analysis. If there are no significant findings, we recommend blocking the provided malicious indicators.

More detailed information on each of the techniques used in this report, along with detection and mitigations, can be found on the following MITRE pages:

Indicators of Compromise

^{1 PwC Cyber Threats 2020: A Year in Retrospect}

^{2 PwC Cyber Threats 2022: A Year in Retrospect}

^{3 PwC Cyber Threats 2022: A Year in Retrospect}

^{4 https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/}

^{5 CTO-TIB-20210211-02A - Caught in a .NET}

^{6 https://www.proofpoint.com/uk/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media}

^{7 CTO-TIB-20210211-02A - Caught in a .NET}

^{8 CTO-TIB-20220628-02A - Three varieties of Liderc}

^{9 CTO-TIB-20221208-01A - Yellow Liderc ships its scripts}

^{10 CTO-QRT-20230815-01A - Yellow Lidercs recent script activity}

^{11 CTO-QRT-20230418-01A - Yellow Liderc strikes again}

^{12 https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping}

^{13 https://www.clearskysec.com/fata-morgana/}

^{14 CTO-TIB-20220628-02A - Three varieties of Liderc}

^{15 ‘AppDomain Manager Injection: New Techniques For Red Teams’, Rapid7, https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/ (5th May 2023)}

^{16 GitHub, ‘netbiosX/GhostLoader’, https://github.com/netbiosX/Ghostloader}

^{17 Excel-DNA, ‘Excel-DNA’, https://excel-dna.net/}

^{18 CTO-TIB-20210730-01A - Eat, Sleep, Liderc, Repeat}

^{19  https://www.proofpoint.com/uk/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media}