Finding Malware: Detecting EMPTYSPACE with Google Security Operations

DianaE
Staff

About the Finding Malware Series

"Finding Malware" is a blog series from the Mandiant Managed Defense team that helps the Google Security Operations community detect emerging and persistent malware threats. Happy hunting!

About EMPTYSPACE

Also known as: Vetta Loader, BrokerLoader

EMPTYSPACE is a malware downloader that uses HTTP to communicate with its command-and-control (C2) server. The C2 server sends JSON-formatted commands instructing the malware to download and execute additional payloads on the host.

Mandiant's research has uncovered several variants of EMPTYSPACE, typically disguised as "Runtime Broker.exe". The variants are written in Node.js, .NET, and Python.

Mandiant has observed EMPTYSPACE delivering secondary payloads such as coin miners and the QUIETBOARD backdoor, which can steal cryptocurrency, infect USB and other removable drives, take screenshots, gather system information, and communicate with its own command-and-control server.

Mandiant Managed Defense has been tracking UNC4990, a threat cluster that relies heavily on USB devices for initial infection and then deploys EMPTYSPACE. UNC4990 primarily targets users based in Italy and is likely financially motivated. Our research shows this campaign has been ongoing since at least 2020.

Attack Lifecycle

Figure 1. Attack Lifecycle

Initial Compromise

The infection begins when the victim is tricked into double-clicking a malicious LNK file placed on a USB drive. The files are named to look like the shortcut Windows would display for the drive itself, for example "KINGSTON (32GB).lnk" or "D (32GB).lnk", using either the vendor name or the drive label.

Figure 2. LNK file icon

Double-clicking the shortcut executes a PowerShell script named explorer.ps1 through the following LNK target:

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -NoProfile -nologo -ExecutionPolicy ByPass -File explorer.ps1

The -windowstyle hidden and -ExecutionPolicy ByPass switches keep the launch invisible to the user and sidestep any script execution policy, and the relative -File explorer.ps1 argument means the script ships on the USB drive next to the shortcut.

Established Foothold

To reach EMPTYSPACE, the script first fetches encoded or encrypted intermediary payloads hosted on third-party websites such as GitHub, GitLab, Vimeo, Ars Technica, or WordPress, which makes the early stages of the chain look like ordinary web traffic.

Figure 3. Attacker-created WordPress site

Figure 4. Payload contained within a hidden div element on an attacker-created WordPress site

explorer.ps1 processes these payloads to recover the final URL from which EMPTYSPACE is downloaded.

EMPTYSPACE, masquerading as Runtime Broker.exe, is then dropped into the user's TEMP directory and executed. Each variant ensures that only one instance runs at a time: the Node.js version opens a named pipe (\\?\pipe\installSrvUniqID) and the .NET version creates a mutex (cinstaller_2022). Both names are useful host-based indicators when triaging a suspect machine.

Maintain Persistence

The Node.js variant is the only one that establishes persistence. If it is not already running with elevated privileges, it sets the registry value HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Node_Run to its own path so that it is relaunched at every logon of the current user. Note that a HKCU Run value provides persistence only; it does not by itself grant administrative permissions. The other variants did not employ any persistence technique.

Escalate Privileges

Only the .NET variant has this capability. When a C2 command arrives carrying the argument elevated_true, the malware attempts to restart itself with elevated privileges.

Move Laterally

EMPTYSPACE has no lateral movement capability of its own, but the QUIETBOARD backdoor it delivers can enumerate available drives and infect them with the explorer.ps1 script, restarting the USB infection chain on any machine those drives are later plugged into.

Figure 5. explorer.ps1 variant (SHA256: 6fb4945bb73ac3f447fb7af6bd2937395a067a6e0c0900886095436114a17443)

Internal Reconnaissance

Because EMPTYSPACE executes whatever payloads the C2 server sends, gathering system information is trivial for it. QUIETBOARD additionally carries a dedicated module that collects system information, including available drives, Wi-Fi details and geolocation.

Command and Control

EMPTYSPACE contacts its C2 domain only when running with elevated privileges. It sends a Base64-encoded beacon in an HTTP POST request. The beacon carries host details such as the current username, the malware's own path, the working directory and the local time, as JSON with the following structure:

{
    "from": "CINSTALLER1",
    "path": "Malware path",
    "username": "<current user's Windows username>",
    "cwd": "<current working directory>",
    "time": "<number of seconds since Unix epoch (January 1, 1970)>",
    "temp": "Temporary path",
    "programs": "Program Files path"
}

The C2 server replies with a JSON-formatted response that may list additional files to download and execute on the host, and may also instruct EMPTYSPACE to delete those files after execution. In everything it sends to the server, EMPTYSPACE identifies itself as CINSTALLER1 (the from field above).

The Python variant of EMPTYSPACE (bootstrap.pyc) is a simpler downloader than the other two: it only sends its data to one of several embedded C2 servers, then receives, parses and executes the commands the server returns.
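A beacon in the documented shape can be recognised on a proxy or in a packet capture from its structure alone. The following is an added example, not Mandiant's code and not the malware's: it decodes a POST body, confirms the CINSTALLER1 identifier, converts the epoch time and flags the documented drop location. The C2 host name, the request list and every field value are constructed for the demonstration, and the decoder deliberately tolerates URL-safe Base64 and stripped padding so that a variant that changes the encoding details is still caught.

```python
import base64
import binascii
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

BEACON_ID = "CINSTALLER1"
# Keys the page lists for the beacon. They are treated as expected rather than mandatory,
# so a variant that drops a field is still reported, with the gap recorded.
BEACON_KEYS = ("from", "path", "username", "cwd", "time", "temp", "programs")


def _b64decode_lenient(body: bytes) -> Optional[bytes]:
    """Decode standard or URL-safe Base64, tolerating stripped padding and whitespace."""
    s = body.strip().replace(b"-", b"+").replace(b"_", b"/")
    s += b"=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_beacon(body: bytes) -> Optional[Dict[str, Any]]:
    """Return the decoded beacon if `body` is an EMPTYSPACE check-in, otherwise None."""
    raw = _b64decode_lenient(body)
    if raw is None:
        return None
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(obj, dict) or obj.get("from") != BEACON_ID:
        return None
    result: Dict[str, Any] = {k: obj.get(k) for k in BEACON_KEYS}
    result["missing_keys"] = [k for k in BEACON_KEYS if k not in obj]
    try:  # "time" is documented as seconds since the Unix epoch, sent as a string
        result["time_utc"] = datetime.fromtimestamp(int(obj["time"]), tz=timezone.utc)
    except (KeyError, TypeError, ValueError, OverflowError, OSError):
        result["time_utc"] = None
    # Drop location the page reports: Runtime Broker.exe inside the user's TEMP directory.
    path = str(obj.get("path", "")).lower()
    result["runtime_broker_in_temp"] = path.endswith("\\runtime broker.exe") and "\\temp\\" in path
    return result


def make_sample_beacon() -> bytes:
    """Constructed check-in using the documented field names (all values are made up)."""
    beacon = {
        "from": BEACON_ID,
        "path": r"C:\Users\alice\AppData\Local\Temp\Runtime Broker.exe",
        "username": "alice",
        "cwd": r"C:\Users\alice\AppData\Local\Temp",
        "time": "1700000000",
        "temp": r"C:\Users\alice\AppData\Local\Temp",
        "programs": r"C:\Program Files",
    }
    # URL-safe alphabet with padding stripped: exercises the lenient decoder above.
    return base64.urlsafe_b64encode(json.dumps(beacon).encode()).rstrip(b"=")


# Constructed proxy records: (method, host, uri, body). Hosts are placeholders, not real IOCs.
SAMPLE_REQUESTS: List[Tuple[str, str, str, bytes]] = [
    ("POST", "c2.example", "/license.php", make_sample_beacon()),
    ("POST", "api.example", "/v1/login", b'{"user": "alice", "pw": "..."}'),
    ("POST", "cdn.example", "/upload", b"not base64 at all!!"),
    ("GET", "c2.example", "/license.php", b""),
]


def triage(requests: List[Tuple[str, str, str, bytes]] = SAMPLE_REQUESTS) -> List[Tuple[str, Dict[str, Any]]]:
    """Return (host+uri, decoded beacon) for every POST body that parses as a beacon."""
    hits: List[Tuple[str, Dict[str, Any]]] = []
    for method, host, uri, body in requests:
        if method != "POST":
            continue
        beacon = parse_beacon(body)
        if beacon is not None:
            hits.append((host + uri, beacon))
    return hits


if __name__ == "__main__":
    for where, beacon in triage():
        print(where, beacon["username"], beacon["time_utc"], beacon["missing_keys"])
```

The match is keyed on the from field rather than on the C2 domain, so it survives infrastructure rotation; the decoded username and path give the analyst the infected host and drop location without any further lookup.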

Mission Complete

The purpose of EMPTYSPACE is to provide an initial foothold which will allow the attackers to deploy any other malware on the host to achieve their objectives. 

Crypto wallet hijacking and coin mining are the main outcomes observed so far from an EMPTYSPACE infection. For example, QUIETBOARD, a payload Mandiant actively tracks, replaces wallet addresses found in the clipboard with the attacker's own for cryptocurrencies such as Ethereum, Bitcoin, Monero and Dogecoin.

Detection Through Google Security Operations

Enterprise and Enterprise Plus customers benefit from these detections automatically through curated detections. Standard customers can create single-event or multi-event rules such as the ones below to detect the malware.

  • This rule detects the initial compromise: the hidden PowerShell launch that follows the user double-clicking the LNK file. The command-line regex matches the exact switch order and spelling observed in this campaign; powershell.exe also accepts abbreviated switches (-w hidden, -ep bypass, -f), so a reworked LNK with reordered or shortened arguments would not match. Treat it as a high-fidelity hunt for the documented chain rather than a generic hidden-PowerShell detection.

rule EMPTYSPACE_EXPLORER_PS1
{
  meta:
    author = "Mandiant"
    description = "This rule matches the powershell execution launched after the user interacts with the lnk file on the USB drive."
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "User Execution: Malicious File"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1204/002/"
    mitre_attack_version = "v15.1"
    severity = "High"
    priority = "High"
    platform = "Windows"
    type = "hunt"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH" and
    re.regex($e.target.process.file.full_path, `powershell\.exe$`) nocase and
    re.regex($e.principal.process.file.full_path, `explorer\.exe$`) nocase and
    re.regex($e.target.process.command_line, `\-windowstyle hidden \-NoProfile \-nologo \-ExecutionPolicy ByPass \-File explorer\.ps1`) nocase

  condition:
    $e
}
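Run over sample events, the logic of the rule above looks like this in Python. This is an added example, not Mandiant's code and not a Google SecOps API: the events are constructed, flattened stand-ins for the UDM fields the rule reads, and the switch table is an assumption about how powershell.exe resolves abbreviated parameters. The second matcher goes beyond the rule as written: it treats switch order, abbreviation and spacing as noise, so a launch line that has been reordered or shortened is still caught while a benign explorer.exe-launched script is not.

```python
import re
import shlex
from typing import Dict, List, Tuple

# Constructed PROCESS_LAUNCH events in a flattened, UDM-like shape (illustrative only, not
# real telemetry). As in the rule, principal is the parent process and target the child.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # 0: the LNK target exactly as the page documents it
        "event_type": "PROCESS_LAUNCH",
        "principal_path": r"C:\Windows\explorer.exe",
        "target_path": r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
                        r"-windowstyle hidden -NoProfile -nologo -ExecutionPolicy ByPass -File explorer.ps1",
    },
    {  # 1: same intent, switches abbreviated and reordered: slips past the literal regex
        "event_type": "PROCESS_LAUNCH",
        "principal_path": r"C:\Windows\explorer.exe",
        "target_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell  -ep bypass -W Hidden -nop -f E:\explorer.ps1",
    },
    {  # 2: benign admin script, also launched from explorer.exe with a bypass policy
        "event_type": "PROCESS_LAUNCH",
        "principal_path": r"C:\Windows\explorer.exe",
        "target_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    },
    {  # 3: the documented arguments but the wrong parent (not a user double-click)
        "event_type": "PROCESS_LAUNCH",
        "principal_path": r"C:\Windows\System32\svchost.exe",
        "target_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -windowstyle hidden -NoProfile -nologo -ExecutionPolicy ByPass -File explorer.ps1",
    },
]

# The literal from the page's EMPTYSPACE_EXPLORER_PS1 rule, as a Python regex.
STRICT_RE = re.compile(
    r"\-windowstyle hidden \-NoProfile \-nologo \-ExecutionPolicy ByPass \-File explorer\.ps1",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def strict_match(ev: Dict[str, str]) -> bool:
    """Port of the rule: parent explorer.exe, child powershell.exe, exact argument string."""
    return (
        ev["event_type"] == "PROCESS_LAUNCH"
        and _basename(ev["target_path"]) == "powershell.exe"
        and _basename(ev["principal_path"]) == "explorer.exe"
        and STRICT_RE.search(ev["command_line"]) is not None
    )


# powershell.exe resolves switches by unambiguous prefix (-w, -ex, -f) plus fixed aliases
# such as -ep. The minimum prefix lengths here are an assumption good enough for this demo.
SWITCHES = {
    "windowstyle": ("w", ()),
    "executionpolicy": ("ex", ("ep",)),
    "file": ("f", ()),
}


def _is_switch(tok: str, name: str) -> bool:
    if not tok.startswith("-"):
        return False
    t = tok[1:].lower()
    shortest, aliases = SWITCHES[name]
    return (len(t) >= len(shortest) and name.startswith(t)) or t in aliases


def tolerant_match(ev: Dict[str, str]) -> bool:
    """Same intent as the rule, but insensitive to switch order, abbreviation and spacing:
    explorer.exe -> powershell.exe running explorer.ps1 from a hidden window."""
    if ev["event_type"] != "PROCESS_LAUNCH":
        return False
    if _basename(ev["target_path"]) != "powershell.exe" or _basename(ev["principal_path"]) != "explorer.exe":
        return False
    try:  # non-POSIX mode keeps Windows backslashes literal and quoted paths whole
        toks = [t.strip('"') for t in shlex.split(ev["command_line"], posix=False)]
    except ValueError:  # unbalanced quotes: not the documented launch line
        return False
    hidden = script = False
    for tok, nxt in zip(toks, toks[1:]):
        if _is_switch(tok, "windowstyle") and nxt.lower() == "hidden":
            hidden = True
        elif _is_switch(tok, "file") and _basename(nxt) == "explorer.ps1":
            script = True
    return hidden and script


def evaluate(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[Tuple[int, bool, bool]]:
    """(index, strict result, tolerant result) for each event."""
    return [(i, strict_match(ev), tolerant_match(ev)) for i, ev in enumerate(events)]


if __name__ == "__main__":
    for i, strict, tolerant in evaluate():
        print(f"event {i}: strict={strict} tolerant={tolerant}")
```

Event 1 is the case that matters: the literal regex misses it while the tolerant matcher still fires, and neither fires on the backup script or on the svchost.exe-parented launch. The same loosening can be expressed in YARA-L with separate re.regex clauses per switch joined by and.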

 

  • This rule detects the persistence mechanism and the dropped binaries used in an EMPTYSPACE infection. Two things are worth verifying before relying on it: the registry match expects the hive to be rendered as HKCU with the value name (Node_Run) appended to the key path, but depending on the EDR or parser feeding Google SecOps the same write may arrive as HKEY_CURRENT_USER\..., as HKU\<user SID>\..., or with the value name in a separate field ($e.target.registry.registry_value_name). Also note that the legitimate RuntimeBroker.exe lives in C:\Windows\System32; the file patterns key on the stray space before .exe and on the TEMP directory precisely to avoid it.

rule EMPTYSPACE_PERSISTENCE
{
  meta:
    author = "Mandiant"
    description = "This rule matches the persistence locations and the binaries used in an EMPTYSPACE infection."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1547/001/"
    mitre_attack_version = "v15.1"
    severity = "High"
    priority = "High"
    platform = "Windows"
    type = "hunt"

  events:
    (
      $e.metadata.event_type = "FILE_CREATION" or
      $e.metadata.event_type = "FILE_MODIFICATION" or
      $e.metadata.event_type = "REGISTRY_CREATION" or
      $e.metadata.event_type = "REGISTRY_DELETION" or
      $e.metadata.event_type = "REGISTRY_MODIFICATION"
    ) and
    (
      re.regex($e.target.file.full_path, `RuntimeBroker\s\.exe`) nocase or
      re.regex($e.target.file.full_path, `\\Windows\\RuntimeBroker \.exe`) nocase or
      re.regex($e.target.file.full_path, `Temp\\Runtime Broker\.exe`) nocase or
      re.regex($e.target.file.full_path, `WinSoft Update Service`) nocase or
      re.regex($e.target.registry.registry_key, `HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Node_Run`) nocase
    )

  condition:
    $e
}
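The registry half of that rule only fires if the log source spells the hive the way the regex expects. The following added example (not Mandiant's code; the hive aliases, the SID handling and the sample events are constructed assumptions to be checked against your own telemetry) canonicalises a registry path to the HKCU\...\Run\<value> form before applying the Node_Run check, then runs the rule's file and registry indicators over events rendered three different ways by three different sources.

```python
import re
from typing import Dict, List, Optional

# Hive spellings seen across Sysmon, EDR and log-parser renderings of the same key.
# Which of these your UDM events actually carry is an assumption: verify on real data.
HIVE_ALIASES = {
    "HKEY_CURRENT_USER": "HKCU", "HKCU": "HKCU",
    "HKEY_LOCAL_MACHINE": "HKLM", "HKLM": "HKLM",
    "HKEY_USERS": "HKU", "HKU": "HKU",
}
# A per-user SID directly under HKU (optionally its _Classes hive) is that user's HKCU.
USER_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){4}(?:_Classes)?$", re.IGNORECASE)


def normalize_registry_path(key: str, value_name: Optional[str] = None) -> str:
    """Canonical HKCU\\...\\Run\\<value> form, whatever the source called the hive and whether
    the value name was embedded in the key path or delivered in its own field."""
    parts = [p for p in re.split(r"[\\/]+", key.strip()) if p]
    if not parts:
        return ""
    hive = HIVE_ALIASES.get(parts[0].upper())
    if hive is None:  # unknown hive: leave the path alone apart from joining the value name
        return "\\".join(parts + ([value_name] if value_name else []))
    rest = parts[1:]
    if hive == "HKU" and rest and USER_SID_RE.match(rest[0]):
        hive, rest = "HKCU", rest[1:]
    if value_name:
        rest = rest + [value_name]
    return "\\".join([hive] + rest)


# Indicators from the page's EMPTYSPACE_PERSISTENCE rule, as Python regexes.
FILE_INDICATORS = [
    re.compile(r"RuntimeBroker\s\.exe", re.IGNORECASE),
    re.compile(r"\\Windows\\RuntimeBroker \.exe", re.IGNORECASE),
    re.compile(r"Temp\\Runtime Broker\.exe", re.IGNORECASE),
    re.compile(r"WinSoft Update Service", re.IGNORECASE),
]
NODE_RUN_RE = re.compile(
    r"^HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Node_Run$", re.IGNORECASE
)


def check_event(ev: Dict[str, str]) -> Optional[str]:
    """Return a short label for the indicator an event matches, or None."""
    et = ev.get("event_type", "")
    if et in ("FILE_CREATION", "FILE_MODIFICATION"):
        path = ev.get("file_path", "")
        for rx in FILE_INDICATORS:
            if rx.search(path):
                return "file:" + rx.pattern
    elif et in ("REGISTRY_CREATION", "REGISTRY_MODIFICATION", "REGISTRY_DELETION"):
        canon = normalize_registry_path(ev.get("registry_key", ""), ev.get("registry_value_name"))
        if NODE_RUN_RE.match(canon):
            return "registry:Node_Run"
    return None


# Constructed events: the same Run value rendered three ways, a benign autostart,
# the documented TEMP drop, and the genuine System32 binary as a decoy.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_type": "REGISTRY_CREATION",  # Sysmon style: HKU\<SID>\..., value name in the path
     "registry_key": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Node_Run"},
    {"event_type": "REGISTRY_MODIFICATION",  # long hive name, value name in its own field
     "registry_key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "registry_value_name": "Node_Run"},
    {"event_type": "REGISTRY_CREATION",  # the form the page's regex expects
     "registry_key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Node_Run"},
    {"event_type": "REGISTRY_CREATION",  # benign autostart under the same key
     "registry_key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "registry_value_name": "OneDrive"},
    {"event_type": "FILE_CREATION",
     "file_path": r"C:\Users\alice\AppData\Local\Temp\Runtime Broker.exe"},
    {"event_type": "FILE_CREATION",  # the real Windows binary: no space, not in TEMP
     "file_path": r"C:\Windows\System32\RuntimeBroker.exe"},
]


def scan(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[Optional[str]]:
    return [check_event(ev) for ev in events]


if __name__ == "__main__":
    for ev, label in zip(SAMPLE_EVENTS, scan()):
        print(label, ev.get("registry_key") or ev.get("file_path"))
```

Only the third registry event would satisfy the rule's regex as written; after normalisation all three are recognised as the same Node_Run write, while the OneDrive autostart and the genuine RuntimeBroker.exe stay quiet. In YARA-L the equivalent is either a looser regex that accepts the hive variants or a second clause on $e.target.registry.registry_value_name.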

 

  • This rule detects network indicators observed during and after an EMPTYSPACE infection. Vimeo, Ars Technica and WordPress are legitimate services the actor abuses to stage intermediary payloads, so those clauses are scoped to connections initiated by powershell.exe; unscoped, they would match ordinary browsing. The hostname regexes are unanchored (`vimeo\.com` also matches vimeo.com.example), which is acceptable for a hunt rule but worth tightening before promoting it to an alerting rule. The C2 domains, the license.php POST and the updater.php?from=USB1 URI are point-in-time indicators that the actor can rotate.

rule EMPTYSPACE_NETWORK_INDICATORS
{
  meta:
    author = "Mandiant"
    description = "This rule matches the remote resources accessed during the infection for downloading additional payloads and communicating to the C&C server."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "Ingress Tool Transfer"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1105/"
    mitre_attack_version = "v15.1"
    severity = "High"
    priority = "High"
    platform = "Windows"
    type = "hunt"

  events:
    (
      $e.metadata.event_type = "NETWORK_CONNECTION" or
      $e.metadata.event_type = "NETWORK_DNS" or
      $e.metadata.event_type = "NETWORK_HTTP"
    ) and
    (
      (
        $e.target.hostname = `bobsmith.apiworld.cf` nocase and
        re.regex($e.target.url, `license\.php`) nocase and
        $e.network.http.method = `POST` nocase
      ) or
      (
        re.regex($e.target.url, `/updater\.php\?from=USB1`) nocase and
        (
          $e.target.hostname = `evinfeoptasw.dedyn.io` nocase or
          $e.target.hostname = `wjecpujpanmwm.tk` nocase
        )
      ) or
      (
        re.regex($e.principal.process.file.full_path, `powershell\.exe$`) nocase and
        (
          re.regex($e.target.hostname, `vimeo\.com`) nocase or
          re.regex($e.target.hostname, `arstechnica\.com`) nocase or
          re.regex($e.target.hostname, `rur9\.wordpress\.com`) nocase
        )
      ) or
      (
        re.regex($e.principal.process.file.full_path, `powershell\.exe$`) nocase and
        (
          $e.network.dns.questions.name = `vimeo.com` nocase or
          $e.network.dns.questions.name = `arstechnica.com` nocase or
          $e.network.dns.questions.name = `rur9.wordpress.com` nocase
        )
      )
    )

  condition:
    $e
}

 

Beyond the Blog: Empower Your SecOps with Mandiant Hunters

Organizations do not have to face cybersecurity threats alone. Attacks are complex, and finding attackers can feel like searching for a needle in a haystack.

As a Managed Defense or Mandiant Hunt customer, you benefit from our constant threat hunting across your environment. We leverage our frontline experience to ensure you are protected from the latest emerging threats. We use advanced techniques to uncover hidden threats within your Google Security Operations data, ensuring your environment remains secure.

Customers receive regular, scheduled updates on our threat hunting activities, including what we're looking for and what we find. This ensures complete transparency and provides actionable insights into our proven methodologies and findings, all mapped to the MITRE ATT&CK® framework!

The Managed Defense portal shows how these hunting methodologies are applied to your data to uncover potential breaches. As a customer, you receive daily updates on our hunting activities, ensuring complete transparency and peace of mind.