BlackSoul Malware Description
A new strain of RAT (Remote Access Trojan) malware has been detected being deployed in what is believed to be a spear-phishing campaign targeting government entities. The malware was named BlackSoul by the infosec researchers who uncovered the operation. Based on similarities in the malware's code and in the overall TTPs (Tactics, Techniques, and Procedures) of the campaign, the researchers assess that the threat actor most likely responsible is the hacker group ReconHellcat.
The attack begins with a lure email carrying a malicious CAB archive. The archive and the file inside it share the same name, '1-10-22-hb44_final.' The implied message is that the attachment is a document from the National Institute of Standards and Technology (NIST), which would be of interest to the targeted individuals.
The executable inside the archive is the first-stage loader. It uses obfuscation techniques consistent with earlier tools attributed to the ReconHellcat group. Once it has established a connection with the Command-and-Control (C2, C&C) infrastructure, the loader fetches and deploys the final payload in the form of two new files. To hide its activity, it presents the target user with a legitimate Microsoft Word window displaying the genuine document from the NIST website, so the victim sees what the lure promised. The two files dropped onto the compromised machine by the loader are an executable named 'blacksoul' and a DLL named 'blacksoulLib.'
The BlackSoul payload itself is a comparatively simple RAT with a small set of functions and commands. It recognizes only four commands from the C2 servers, but they cover the essentials: BlackSoul can execute arbitrary commands, fetch additional files and drop them onto the infected system, and exfiltrate files from it. To evade detection, the RAT uses several obfuscation techniques. Chiefly, it builds strings on the stack at runtime and then deobfuscates them with a number of different mechanisms, such as a fixed-key XOR cipher and a Caesar cipher with variable shift values. Because the cleartext strings never appear in the binary, static string scanning finds little; they exist only in memory after decoding.
As for the DLL, when invoked by BlackSoul it attempts to gather data from the Chrome, Firefox, and Opera Web browsers; if no such data can be obtained, it terminates prematurely. It also assists the initial connection to the C2 servers by decoding the C2 URL and the Cloudflare DNS-over-HTTPS (DoH) URL. Resolving the C2 over DoH means the lookup travels inside HTTPS to Cloudflare rather than as a conventional DNS query, so it does not appear in ordinary DNS logs. In addition, it generates the necessary login information and returns the gathered data to the BlackSoul malware in JSON format.
ReconHellcat appears to be following its pattern of launching attack campaigns against government organizations. In previous operations, the hackers have been documented attempting to infiltrate diplomatic organizations and government defense bodies.
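The string-hiding described above, as an added analyst-side example (this is example code written for this page, not BlackSoul's own code): strings are lifted as the DWORD stack writes a disassembler shows, reassembled, and then stripped of a fixed-key XOR or a per-string Caesar shift. The XOR key 0x5A, the shift values and the sample strings are constructed for illustration; the real values are not given in the write-up.

```python
"""
Added example, not BlackSoul's own code: a small deobfuscator for the two
string-hiding schemes the write-up names (a fixed-key XOR and a Caesar cipher
with a per-string shift) applied to strings assembled on the stack. The key,
shifts and sample strings below are constructed; the real values are unknown.
"""
import struct

PRINTABLE_LO, PRINTABLE_HI = 0x20, 0x7E            # Caesar shift rotates within printable ASCII
PRINTABLE_SPAN = PRINTABLE_HI - PRINTABLE_LO + 1   # 95 symbols


def xor_apply(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def caesar_apply(data: bytes, shift: int) -> bytes:
    """Rotate printable bytes by `shift` positions (negative to decode);
    bytes outside the printable range, e.g. the NUL terminator, pass through."""
    return bytes(
        (b - PRINTABLE_LO + shift) % PRINTABLE_SPAN + PRINTABLE_LO
        if PRINTABLE_LO <= b <= PRINTABLE_HI else b
        for b in data
    )


def build_stack_writes(blob: bytes):
    """Model how a compiler emits a stack string: one little-endian DWORD
    immediate per 4 bytes, each written to its own stack offset
    (what a disassembler shows as 'mov dword [rbp-N], imm32')."""
    padded = blob + b"\x00" * (-len(blob) % 4)
    return [(off, struct.unpack_from("<I", padded, off)[0])
            for off in range(0, len(padded), 4)]


def reassemble_stack_string(writes) -> bytes:
    """Undo the above: order the writes by stack offset and concatenate the
    little-endian bytes of each immediate. Compilers often emit the writes
    out of order, hence the sort."""
    return b"".join(struct.pack("<I", imm) for _, imm in sorted(writes))


def recover_string(writes, scheme: str, param: int) -> str:
    """Reassemble the stack string, strip the obfuscation layer and cut at the
    first NUL (the obfuscated terminator decodes back to 0x00)."""
    raw = reassemble_stack_string(writes)
    if scheme == "xor":
        plain = xor_apply(raw, param)
    elif scheme == "caesar":
        plain = caesar_apply(raw, -param)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return plain.split(b"\x00", 1)[0].decode("ascii")


def brute_force_caesar(writes, must_contain: str):
    """The shift is per-string and unknown to the analyst, so try every
    possible shift and keep those whose output contains an expected token."""
    raw = reassemble_stack_string(writes)
    hits = []
    for shift in range(1, PRINTABLE_SPAN):
        cand = caesar_apply(raw, -shift).split(b"\x00", 1)[0].decode("ascii", "replace")
        if must_contain in cand:
            hits.append((shift, cand))
    return hits


# Constructed samples: obfuscate a string (terminator included) and split it
# into the DWORD writes an analyst would lift from the disassembly.
XOR_KEY = 0x5A                                                  # constructed key
SAMPLE_XOR_WRITES = build_stack_writes(xor_apply(b"cmd.exe /c whoami\x00", XOR_KEY))
SAMPLE_CAESAR_SHIFT = 7                                         # constructed shift
SAMPLE_CAESAR_WRITES = build_stack_writes(caesar_apply(b"https://c2.example/gate\x00", SAMPLE_CAESAR_SHIFT))

if __name__ == "__main__":
    print(recover_string(SAMPLE_XOR_WRITES, "xor", XOR_KEY))            # cmd.exe /c whoami
    print(brute_force_caesar(SAMPLE_CAESAR_WRITES, "https://"))         # [(7, 'https://c2.example/gate')]
```

The brute-force step is the practical part: a fixed XOR key is recovered once and reused, but a per-string Caesar shift has to be guessed for each string, so scoring candidates against tokens you expect (a URL scheme, a file extension, a command name) is usually faster than tracing each decode routine.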
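What the DoH-based C2 lookup looks like on the wire, as an added offline example (example code written for this page, not code from BlackSoul or its DLL). The request format and the response fields (Status, Answer[].type/data) follow Cloudflare's public DoH JSON API; the C2 hostname, the addresses and the captured reply body are constructed for illustration, and the real C2 URL is not given in the write-up.

```python
"""
Added example, not code from BlackSoul or blacksoulLib: resolving a C2
hostname through Cloudflare's DNS-over-HTTPS JSON API and handing the result
to the caller as JSON, built so it runs offline. Hostnames, addresses and the
canned reply are constructed.
"""
import json
from urllib.parse import urlencode

DOH_URL = "https://cloudflare-dns.com/dns-query"   # Cloudflare's public DoH endpoint
DNS_TYPE_A = 1                                      # RR type code for IPv4 addresses
DNS_RCODE_NXDOMAIN = 3


def build_doh_request(hostname: str, rtype: str = "A"):
    """Return the (url, headers) pair for a GET-style JSON DoH query.
    What a network monitor sees is an HTTPS connection to cloudflare-dns.com,
    not a UDP/53 query for the C2 hostname."""
    url = f"{DOH_URL}?{urlencode({'name': hostname, 'type': rtype})}"
    return url, {"accept": "application/dns-json"}


def parse_doh_answer(body: str, rtype_code: int = DNS_TYPE_A):
    """Extract the address records from a DoH JSON reply; an empty list means
    the name did not resolve (Status != 0 or no matching records)."""
    doc = json.loads(body)
    if doc.get("Status", DNS_RCODE_NXDOMAIN) != 0:
        return []
    return [rr["data"] for rr in doc.get("Answer", []) if rr.get("type") == rtype_code]


def resolve_c2(hostname: str, fetch):
    """Resolve the C2 hostname via DoH and return the result as a JSON
    document, mirroring the DLL-to-RAT hand-off the write-up describes.
    `fetch(url, headers)` is injected so the example runs without a network."""
    url, headers = build_doh_request(hostname)
    addrs = parse_doh_answer(fetch(url, headers))
    return json.dumps({"c2_host": hostname, "c2_addrs": addrs, "resolver": DOH_URL})


# Constructed DoH replies, shaped like Cloudflare's JSON output.
SAMPLE_DOH_REPLY = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "c2.example.", "type": 1}],
    "Answer": [
        {"name": "c2.example.", "type": 1, "TTL": 300, "data": "192.0.2.10"},
        {"name": "c2.example.", "type": 1, "TTL": 300, "data": "192.0.2.11"},
    ],
})
SAMPLE_NXDOMAIN_REPLY = json.dumps({"Status": 3, "Question": [{"name": "gone.example.", "type": 1}]})


def fake_fetch(url, headers):
    """Offline stand-in for an HTTPS GET: returns the canned reply."""
    assert headers["accept"] == "application/dns-json"
    return SAMPLE_DOH_REPLY if "name=c2.example" in url else SAMPLE_NXDOMAIN_REPLY


if __name__ == "__main__":
    print(build_doh_request("c2.example")[0])
    print(resolve_c2("c2.example", fake_fetch))
    print(resolve_c2("gone.example", fake_fetch))
```

For detection this means the C2 hostname is only visible inside the TLS session to cloudflare-dns.com; the indicators available on the network are the connection to the DoH endpoint itself (its SNI and the `application/dns-json` accept header where TLS is inspected) and the subsequent connection to the returned address.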