Fortgale has been tracking an Italian Threat Actor, internally dubbed as Nebula Broker, since March 2022.
The actor uses self-made malware (BrokerLoader) to compromise Italian systems. Further analysis revealed that the attacker has been operating since the end of 2020. Although this threat is not well-known, the number of compromises is particularly extensive. Indeed, Fortgale has observed several cases of this malware’s presence in companies across various sectors, such as Transport and Aeronautics.
Given these findings, we believe that the attacker is not conducting targeted offensive activities, especially considering the malware’s USB propagation capabilities. A notable aspect of the offensive activity is the use of unique and curious Tactics, Techniques, and Procedures (TTPs) that have evolved over time. These include unique obfuscation and encoding techniques, such as using empty spaces and tabs in an intermediate file hosted on GitHub, and the use of platforms like Vimeo and ArsTechnica to host code.
A detailed analysis of the threat follows.
For any further information, contact us at firstname.lastname@example.org
Attack Flow Evolution
N-Broker is following a precise pattern of tactics, techniques, and procedures (TTPs). Recently, after a brief period of limited activities, its operations started rising again.
We are releasing an analysis and comparison of the activites between March 2022 and November 2023. Over the last few days, a new variant has been observed, with small new changes as reported here. These changes are also reported in the table below.
|Powershell (explorer.ps1): RuntimeBroker.exe download (external file on GitHub)
|PowerShell (explorer.ps1): Download and execution of PowerShell code from Vimeo
|PowerShell (explorer.ps1): Download and execution of PowerShell code from ArsTechnica
|Powershell: RuntimeBroker.exe Download
|Powershell: RuntimeBroker.exe Download
We provide a technical analysis of the entire compromise chain, comparing each step of the March 2022 and November 2023 campaigns.
The infection vector is an USB drive, containing a .lnk file.
March 2022 & November 2023
The file “penndrivename.lnk” (where “pendrivename” varies with the USB device used) is located within the removable USB device. This file holds the inital command for the compromise in its Destination field.
From the properties of the link, it can be observed that the file “KINGSTON (124GB).lnk” executes the PowerShell command for the initiation of the explorer.ps1 script:
|C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -nologo -NoProfile -ExecutionPolicy ByPass -File explorer.ps1
The PowerShell script executed by the .lnk file contains a series of instructions on a single line. The values of the variables used are encoded in base64 to evade any checks by protection software.
Content of the script duly formatted for better reading:
The variables $d, $f, and $aa contain the information of the system paths where the Worm places the malicious files. These have been obfuscated to prevent the identification of compromise indicators by protection software.
Their content is used for the creation of the variables $bb, $h, and $mn. By executing the first 9 lines of the script, it is possible to obtain the decoded content of the final variables:
Upon examining the content of the variable $bb, it is possible to notice an “empty” character at the end of the path (highlighted in yellow). Following the way the path is constructed, it is possible to trace back to the invisible value in the variable $aa. The initial value is the base64 string “44wk”. Decoding the value yields the Unicode Hangul Filler character (U+3164).
The path contained in the variable $bb is therefore valid as it contains a character “rendered” by an “empty space”. This technique allows the attacker to hide elements in the system from the Windows graphical interface and makes identification from the command line difficult.
The second part of the script performs a check on the actual presence of the hidden folder in the system. If the folder is present, the default action is invoked, which is the opening of the same via explorer.exe. In this way, the victim user actually sees the folder containing the data saved on the device.
Subsequently, a file is downloaded and saved to the path specified by the variable $mn. The URL of the file is created from a string, which in turn is downloaded from the URL contained in the variable $f: “src.txt” contained in a GitHub repository (which is no longer available as of today, hxxps://eldi8[.]github.io/src.txt).
The content of the file appears empty. However, it contains a series of spaces, tabs, and “newline” characters:
The “empty” spaces in the document are replaced by the script with the characters “0”, “1”, and ” ” (space):
The downloaded content, on which substitutions are applied, appears to be a series of binary strings. The decoding process involved several steps: From Base 2 to Base 10, and then to ASCII String. Continuing with the decoding, we obtain the following URL: hxxps://wjecpujpanmwm[.]tk/updater.php?from=USB1
After downloading and saving the malicious executable, the script halts its execution for 5 seconds (Start-Sleep -s 5), checks for the presence of the file C:\Program Files (x86)\WinSoft Update Service\pythonw.exe (the variable $h), and if the check is negative, it executes the just downloaded file. At the end of the execution, the script again halts its execution for 1 second (Start-Sleep -s 1) and re-executes the file if the previously checked path still does not exist. These last steps are repeated indefinitely, until the file C:\Program Files (x86)\WinSoft Update Service\pythonw.exe is created.
In the most recent version of the malware, the content of the file is entirely encoded in base64. The content is decoded and executed upon opening.
The executed script is the following:
Once deobfuscated, its functionalities can be evaluated:
In this version, the script downloads the metadata of a video present on the Vimeo streaming platform in JSON format from which to extract additional PowerShell code to execute. Below is the decrypted and deobfuscated content.
Several similarities can be noticed with the script from the previous year. In particular, the final stage consists of executing a file called RuntimeBroker.exe, and the domain wjecpujpanmwm[.]tk is present in both files.
The behavior of the malware from the execution of RuntimeBroker.exe is almost identical to the behavior identified the previous year, as it is reported below.
During the execution of the PowerShell of explorer.ps1, a file is downloaded from the link hxxps://wjecpujpanmwm[.]tk/updater.php?from=USB1, which is then saved as “Runtime Broker.exe” at the path specified by the variable $mn.
Technical information about the malicious file:
Once RuntimeBroker.exe is deobfuscated, it is possible to highlight some fundamental characteristics of the malware.
The malware performs a check for its presence on the machine and, if not found, it may create a Mutex. Then it enumerates the content of the connected removable devices to search for a folder with the same name as the removable device in which it is located.
The malware downloads, loads into memory, and executes an additional payload.
After the payload is downloaded and the commands are executed, any results are sent to the server along with some information about the host and the currently executing payload. The configuration is downloaded from the URL hxxps://bobsmith[.]apiworld[.]cf/license[.]php, to which information about the host is sent.
We consider this malware, dubbed internally as “BrokerLoader”, to have been specifically created by Nebula Broker for use in campaigns targeting Italy.
During the past years, domains related to the malware remained substantially the same.
In the last registered incident, instead, was noted a complete substitution of the domains used to download RuntimeBroker and the final payload.
Threat Actor Attribution
Fortgale, with a substantial degree of certainty, identifies Nebula Broker as an italian-speaking threat actor. This conclusion is drawn based on several pieces of supporting evidence:
In the following section, we will delve into a detailed analysis of the RuntimeBroker’s features:
The manifest file of RuntimeBroker.exe generated by Visual Studio is in Italian, indicating that an Italian version of the development suite was used.
With a low level of uncertainty, it can be assumed that the person who compiled the malware is of Italian language. There are several other elements that create a strict link between the threat actor and Italy, such as open-source intelligence (OSINT) information we collected by analyzing the GitHub repository used in the March 2022 campaign.
With a high level of confidence, we consider N-Broker to be a group of e-crime actors of Italian language. It targets Italian companies and individuals with large-scale and non-targeted malware campaigns, that are evolving over time.
Indicators of Compromise
Domains & URLs
Domains & URLs