| StealthMutant | |
| --- | --- |
| Type of Malware | Dropper |
| Country of Origin | China |
| Targeted Countries | India |
| Date of initial activity | 2020 |
| Associated Groups | APT41 |
| Motivation | Espionage |
| Attack Vectors | Phishing; exploitation of public-facing applications |
| Targeted Systems | Windows |
Overview
StealthMutant is a loader used in cyberespionage campaigns attributed to Earth Baku, a group that overlaps with APT41. It is a C# (.NET) implementation of StealthVector, the group's earlier C/C++ loader, and keeps that tool's core functionality while adding evasion techniques of its own. Its job is narrow: decrypt a payload in memory, inject it into a legitimate process, hand control to it, and silence the telemetry that would otherwise expose the activity.
Its central technique is process hollowing. The loader starts a legitimate executable in a suspended state, replaces that process's image in memory with the decrypted payload and resumes execution, so the payload runs under the name of a trusted program and never exists on disk in decrypted form. File-based antivirus and process-name allow-listing therefore see nothing unusual. This is not true filelessness: the loader and its encrypted payload still reside on disk, and what the technique defeats is scanning of the decrypted code rather than the presence of files.
Targets
Information
Manufacturing
Transportation and Warehousing
How they operate
Process hollowing is the mechanism by which StealthMutant runs its payload. A legitimate, trusted process is created suspended, its original image is unmapped or overwritten, the decrypted payload is written into its address space, the thread's entry point is redirected and the process is resumed. The payload now executes inside a process whose on-disk image is benign, so file-based antivirus scanners and rules keyed on the process name have nothing to match. Detection has to look at memory instead: a hollowed process has a main module whose in-memory contents no longer match the file it was supposedly loaded from, which is exactly what EDR memory scanners and memory-forensics tools check by comparing the mapped image with the file on disk.
The payload is kept encrypted until the moment of injection. Current samples use AES-256-ECB; earlier versions used a simple XOR. Decryption happens in memory immediately before the payload is written into the hollowed process, so a plaintext copy never touches disk. Two caveats matter for analysts. First, the key must be embedded in the loader or derivable from it, so once a sample is in hand the payload can be recovered; the encryption delays analysis rather than preventing it. Second, ECB is a weak choice: it encrypts identical 16-byte plaintext blocks to identical ciphertext blocks, so the zero-filled regions typical of a PE leave a visible fingerprint, and the mode carries no authentication, so it hides the payload's contents but does nothing to protect their integrity.
StealthMutant also disables Event Tracing for Windows (ETW), the kernel-supported tracing facility that many security products consume. This matters especially for a .NET loader: the CLR reports assembly loads, JIT events and similar activity through its ETW provider, and EDRs rely on that channel to see .NET code that never touches disk. With ETW silenced inside the process, those events are never emitted, which lowers the chance that an EDR, IDS or SIEM correlation flags the intrusion. The technique has limits: a user-mode patch only blinds providers that write from the compromised process, kernel-side ETW sources such as the Threat Intelligence provider used by EDR drivers are unaffected, and the patch itself (a modified function prologue in ntdll) is a detectable artifact.
StealthMutant maintains a command-and-control (C2) channel over HTTP/S, the same application-layer protocols that carry ordinary web traffic. Because the transport is unremarkable, network defenders cannot rely on protocol anomalies; the useful signals are beacon periodicity, destinations that are new to the environment, and TLS metadata such as certificate details where inspection is in place. Through the C2 channel the operators issue commands, download additional payloads and exfiltrate data.
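The two points above about the payload encryption (key recovery from the sample, and the ECB fingerprint) can be shown in code. What follows is an added example, not StealthMutant's code or the code of any vendor report: it assumes the early variant used a short repeating-key XOR of unknown length, builds a constructed PE-like payload with constructed keys, recovers the XOR key from the zero-filled runs a PE always contains, and counts repeated ciphertext blocks to fingerprint ECB. The AES part only runs if the `cryptography` package is installed; the helpers themselves need only the standard library.

```python
"""
Added example (not StealthMutant's code): two triage helpers for payloads
encrypted the way the page describes. The sample PE-like payload and the keys
are constructed for the demo.

* xor_recover_key(): recovers a repeating-key XOR key (assumed short, length
  unknown) from a ciphertext whose plaintext is a PE, using the zero-filled
  runs every PE header contains (0x00 XOR k == k).
* count_repeated_blocks(): counts repeated 16-byte ciphertext blocks. AES-ECB
  maps identical plaintext blocks to identical ciphertext blocks, so the same
  zero runs leave a fingerprint, and the mode gives no integrity protection.
"""
from collections import Counter
from typing import Optional, Tuple

BLOCK = 16


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_recover_key(ct: bytes, max_key_len: int = 32,
                    min_zero_run: int = 64) -> Optional[bytes]:
    """Try key lengths 1..max_key_len. For length k, split ct into k lanes
    (bytes i, i+k, i+2k, ...). Inside a zero run every lane holds its own key
    byte, so the most common byte per lane is the candidate key byte. Accept
    a candidate only if decrypting yields the 'MZ' signature and a zero run
    of min_zero_run bytes; that rejects wrong lengths (e.g. a divisor of k)."""
    for k in range(1, max_key_len + 1):
        key = bytes(Counter(ct[i::k]).most_common(1)[0][0] for i in range(k))
        pt = xor_crypt(ct, key)
        if pt[:2] == b"MZ" and b"\x00" * min_zero_run in pt:
            return key
    return None


def count_repeated_blocks(blob: bytes, block: int = BLOCK) -> Tuple[int, int]:
    """Return (blocks that occur more than once, total whole blocks).
    Many repeats in an encrypted blob point at ECB; a chained mode or a
    stream cipher on the same plaintext would show none."""
    whole = len(blob) - len(blob) % block
    counts = Counter(blob[i:i + block] for i in range(0, whole, block))
    repeated = sum(c for c in counts.values() if c > 1)
    return repeated, whole // block


def build_fake_pe(zero_run: int = 256, body: int = 512) -> bytes:
    """Constructed PE-like plaintext: DOS header with its zero padding, the
    DOS stub string, a long zero run such as alignment padding, then a
    deterministic pseudo-random body standing in for code."""
    header = b"MZ\x90\x00" + bytes(60) + b"This program cannot be run in DOS mode.\r\n$"
    code = bytes((i * 73 + 41) & 0xFF for i in range(body))
    return header + bytes(zero_run) + b"PE\x00\x00" + code


if __name__ == "__main__":
    pt = build_fake_pe()
    xor_key = b"\x5a\x13\xf0\x88"          # constructed 4-byte key
    ct = xor_crypt(pt, xor_key)
    print("recovered XOR key:", xor_recover_key(ct))
    print("repeated blocks (XOR blob):", count_repeated_blocks(ct))
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        print("install 'cryptography' to see the AES-256-ECB fingerprint")
    else:
        aes_key = bytes(range(32))         # constructed 256-bit key
        padded = pt + bytes(-len(pt) % BLOCK)
        enc = Cipher(algorithms.AES(aes_key), modes.ECB()).encryptor()
        ecb_ct = enc.update(padded) + enc.finalize()
        print("repeated blocks (AES-ECB blob):", count_repeated_blocks(ecb_ct))
```

The XOR recovery works because a PE has long zero runs and the key is shorter than they are; the validation step (signature plus a surviving zero run) is what stops a divisor of the true key length from being accepted. The block counter is deliberately cipher-agnostic: run it on any blob pulled from a loader and a high repeat ratio is a strong hint that the mode is ECB, which in turn tells you the key alone is enough to decrypt, with no IV or tag to find.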
Another notable feature of StealthMutant is its modular design, allowing it to interact with other tools in the Earth Baku malware ecosystem. For example, StealthMutant can deploy ScrambleCross, a backdoor that provides attackers with remote access to the infected system. This modularity enables the attackers to expand their control over the system and deploy additional malware or conduct data exfiltration without needing to manually access the compromised network.
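The page states that StealthMutant disables ETW but not how it does so. A common user-mode way for a loader to do that is to overwrite the first bytes of `ntdll!EtwEventWrite` so the function returns without emitting anything; the following added example (my code, not StealthMutant's, and the patch byte patterns are an assumption about typical bypasses rather than a claim about this malware's exact bytes) reads that prologue from the current process, or from another process by PID, and reports whether it starts with one of those patch shapes. It relies on the fact that ntdll is mapped at the same base address in every process of a boot session, so the address resolved locally is valid for the remote read; the target must have the same bitness as the checker.

```python
"""
Added example, not StealthMutant's code. Checks whether ntdll!EtwEventWrite
has been overwritten with an early-return stub, the common user-mode ETW
bypass (assumed here; the page does not say which method StealthMutant uses).
classify_prologue() is pure and works on captured bytes anywhere; the live
readers need Windows.
"""
import ctypes
import sys
from typing import Optional

# Instruction sequences an in-process ETW bypass commonly writes over the
# start of EtwEventWrite (assumption about typical bypasses, not a claim
# about StealthMutant's exact bytes). x86 EtwEventWrite is stdcall with
# 0x14 bytes of arguments, hence the 'ret 14h' form.
PATCH_PATTERNS = (
    ("ret", b"\xc3"),
    ("xor eax,eax; ret", b"\x33\xc0\xc3"),
    ("xor rax,rax; ret", b"\x48\x33\xc0\xc3"),
    ("mov eax,0; ret", b"\xb8\x00\x00\x00\x00\xc3"),
    ("ret 14h (x86 stdcall)", b"\xc2\x14\x00"),
)


def classify_prologue(prologue: bytes) -> Optional[str]:
    """Name the patch pattern the prologue starts with, or None if it matches
    none. None is not proof the function is intact: a bypass can use other
    bytes, and the clean prologue differs between Windows builds, so pair this
    with a comparison against the on-disk ntdll when in doubt."""
    for name, pattern in PATCH_PATTERNS:
        if prologue.startswith(pattern):
            return name
    return None


def etw_event_write_address() -> int:
    """Windows only: resolve ntdll!EtwEventWrite in the current process."""
    ntdll = ctypes.WinDLL("ntdll")
    return ctypes.cast(ntdll.EtwEventWrite, ctypes.c_void_p).value


def read_prologue(pid: Optional[int] = None, length: int = 8) -> bytes:
    """Windows only: first `length` bytes of EtwEventWrite from this process
    (pid=None) or from another process via ReadProcessMemory. Needs
    PROCESS_VM_READ; protected processes will refuse the handle."""
    addr = etw_event_write_address()
    if pid is None:
        return ctypes.string_at(addr, length)
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    PROCESS_VM_READ = 0x0010
    handle = k32.OpenProcess(PROCESS_VM_READ, False, pid)
    if not handle:
        raise OSError(ctypes.get_last_error(), "OpenProcess failed")
    try:
        buf = ctypes.create_string_buffer(length)
        got = ctypes.c_size_t(0)
        if not k32.ReadProcessMemory(handle, addr, buf, length, ctypes.byref(got)):
            raise OSError(ctypes.get_last_error(), "ReadProcessMemory failed")
        return buf.raw[:got.value]
    finally:
        k32.CloseHandle(handle)


def report(pid: Optional[int] = None) -> str:
    """Human-readable verdict for one process."""
    prologue = read_prologue(pid)
    verdict = classify_prologue(prologue)
    target = f"pid {pid}" if pid is not None else "this process"
    state = f"PATCHED ({verdict})" if verdict else "no known patch pattern"
    return f"EtwEventWrite in {target}: {prologue.hex()} -> {state}"


if __name__ == "__main__":
    if sys.platform != "win32":
        print("live check needs Windows; classify_prologue() still works on captured bytes")
    else:
        target_pid = int(sys.argv[1]) if len(sys.argv) > 1 else None
        print(report(target_pid))
```

Run it without arguments to check the current process, or with a PID to check a suspect host process after a loader has run in it. A positive hit is high-confidence because legitimate code never rewrites that prologue; a negative result should be followed up by diffing the live bytes against the function in the on-disk `ntdll.dll`, since a bypass is free to choose bytes not in the table.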
In summary, StealthMutant operates as a highly advanced malware tool, leveraging techniques like process hollowing, encryption, and anti-forensic measures to remain undetected while delivering malicious payloads. Its use of robust evasion tactics, including the disabling of ETW and encryption of payloads, makes it a formidable tool in Earth Baku’s cyberespionage campaigns. The malware’s modular design and C2 communication capabilities allow for ongoing control and manipulation of compromised systems, making it a significant threat to organizations targeted by APT41. As cyber threats become increasingly sophisticated, understanding how malware like StealthMutant operates is crucial for developing effective defenses against such attacks.
MITRE Tactics and Techniques
Initial Access:
Exploit Public-Facing Application (T1190): Earth Baku has delivered StealthMutant after exploiting server-side vulnerabilities, including the Microsoft Exchange ProxyLogon vulnerability (CVE-2021-26855), to gain a foothold.
Phishing (T1566): StealthMutant may also be distributed through malicious email attachments or links.
Execution:
Command and Scripting Interpreter: PowerShell (T1059.001) and System Binary Proxy Execution: InstallUtil (T1218.004): because StealthMutant is a .NET assembly, it can be launched through PowerShell or through the signed Microsoft utility InstallUtil.exe, which runs code from an assembly under the cover of a trusted binary.
Persistence:
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) and Scheduled Task/Job: Scheduled Task (T1053.005): StealthMutant can persist by adding a registry autostart entry or a scheduled task so that it runs at boot, logon or on a schedule.
Privilege Escalation:
Exploitation for Privilege Escalation (T1068): not a documented capability of the loader itself; any escalation in these intrusions comes from the surrounding tooling after initial access is achieved.
Defense Evasion:
Process Injection: Process Hollowing (T1055.012): the loader's defining behaviour is to start a legitimate process suspended, replace its image with the decrypted payload and resume it, so the payload runs under a trusted process name. MITRE files hollowing under Defense Evasion and Privilege Escalation rather than Execution.
Impair Defenses: Indicator Blocking (T1562.006): StealthMutant disables Event Tracing for Windows (ETW) so that events from the compromised process, including the CLR's assembly-load telemetry, are never emitted to security tools.
Obfuscated Files or Information (T1027): the payload (and the loader's configuration) is stored encrypted, with AES-256-ECB in current samples and XOR in earlier ones, and is only decrypted in memory immediately before use.
Credential Access:
OS Credential Dumping (T1003): not a loader feature; if credentials are collected in these intrusions it is through the backdoor the loader delivers, so treat this as an operator action rather than a StealthMutant capability.
Command and Control (C2):
Application Layer Protocol: Web Protocols (T1071.001): StealthMutant communicates with its C2 server over HTTP/S, so the traffic blends with ordinary web browsing and is encrypted in transit when HTTPS is used.
Exfiltration:
Exfiltration Over C2 Channel (T1041): data leaves over the same HTTP/S channel used for tasking, so no separate exfiltration protocol needs to be detected.
Impact:
None described. StealthMutant and the ScrambleCross backdoor it deploys are espionage tooling; no data-destruction or ransomware behaviour (T1486) is attributed to them, and the encryption StealthMutant uses protects its own payload, not victim files.