SkinnyBoy Backdoor

Summary

SkinnyBoy is a backdoor and information stealer, with command and control (C2) capabilities which steals user and system information.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

First observed in March 2021, SkinnyBoy is a backdoor and information stealer distributed via spear phishing email campaigns. It is linked to the APT28 threat actor group, also known as Fancy Bear. The emails have been delivered within the European Union and the United States. Once executed, it communicates with its C2 server to exfiltrate system and user information.


Delivery

SkinnyBoy is delivered via a spear phishing email containing a Word document whose name refers to an international conference. The document contains a macro which, when executed, extracts a downloader in the form of a DLL. The downloader then retrieves SkinnyBoy as a file named tdp1.exe.


Activities

Once downloaded, SkinnyBoy establishes persistence via a Windows shortcut in the Windows Startup folder. It then drops a payload that extracts two files onto the system, devtmrn.exe and TermSrvClt.dll, and deletes itself. The persistence mechanism allows the two extracted files to be executed at a later stage: once the system is rebooted, the Windows shortcut launches the main SkinnyBoy payload (TermSrvClt.dll), which gathers information about the infected system by executing two Windows utilities, systeminfo.exe and tasklist.exe, to collect details of the system and its running processes. The collected information is Base64-encoded and delivered to the C2 server in an encrypted POST request, to avoid static detection.
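A host-side hunt for the post-reboot behaviour described above, written as an added example for this advisory (it is not NHS Digital or Cluster25 code): it scans process-creation events for the two dropped-file paths listed under Indicators of compromise, and for a parent process referencing TermSrvClt.dll or devtmrn.exe that launches both systeminfo.exe and tasklist.exe. The rundll32 hosting of the DLL, the event field names and the sample telemetry are assumptions.

```python
import re
# Indicator paths from this advisory; the %username% segment becomes a wildcard.
DROPPED_PATHS = [
    re.compile(r"c:\\users\\[^\\]+\\appdata\\local\\devtmrn\.exe"),
    re.compile(r"c:\\users\\[^\\]+\\appdata\\local\\microsoft\\terminalserverclient\\termsrvclt\.dll"),
]
RECON_TOOLS = {"systeminfo.exe", "tasklist.exe"}    # run by the implant after reboot
IMPLANT_MARKERS = ("termsrvclt.dll", "devtmrn.exe")  # assumed parent-process markers

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def hunt(events):
    """Return (pid, reason) findings from process-creation event dicts
    (keys: pid, ppid, image, cmdline, parent_cmdline). Flags any image or
    command line touching a dropped-file path, and a parent carrying an
    implant marker that spawns BOTH systeminfo.exe and tasklist.exe; a lone
    tasklist.exe from an admin shell is not reported."""
    findings, recon_by_parent = [], {}
    for ev in events:
        image, cmdline = ev["image"].lower(), ev.get("cmdline", "").lower()
        if any(p.search(image) or p.search(cmdline) for p in DROPPED_PATHS):
            findings.append((ev["pid"], "dropped-file path: " + ev["image"]))
        parent = ev.get("parent_cmdline", "").lower()
        if _basename(image) in RECON_TOOLS and any(m in parent for m in IMPLANT_MARKERS):
            recon_by_parent.setdefault(ev["ppid"], set()).add(_basename(image))
    for ppid, tools in recon_by_parent.items():
        if tools == RECON_TOOLS:
            findings.append((ppid, "systeminfo.exe and tasklist.exe spawned by implant parent"))
    return findings

# Constructed sample telemetry (not from a real incident); PIDs are arbitrary.
DLL = r"C:\Users\alice\AppData\Local\Microsoft\TerminalServerClient\TermSrvClt.dll"
SAMPLE_EVENTS = [
    {"pid": 200, "ppid": 100, "image": r"C:\Users\alice\AppData\Local\devtmrn.exe",
     "cmdline": "devtmrn.exe", "parent_cmdline": "explorer.exe"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe " + DLL, "parent_cmdline": "explorer.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\systeminfo.exe",
     "cmdline": "systeminfo", "parent_cmdline": "rundll32.exe " + DLL},
    {"pid": 302, "ppid": 300, "image": r"C:\Windows\System32\tasklist.exe",
     "cmdline": "tasklist", "parent_cmdline": "rundll32.exe " + DLL},
    {"pid": 400, "ppid": 500, "image": r"C:\Windows\System32\tasklist.exe",
     "cmdline": "tasklist", "parent_cmdline": "cmd.exe"},  # benign admin use, ignored
]

if __name__ == "__main__":
    for pid, reason in hunt(SAMPLE_EVENTS):
        print(pid, reason)
```

Feeding real Sysmon Event ID 1 or EDR process-creation records into hunt() only requires mapping their fields onto the five keys above.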


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network Indicators

  • 5[.]149[.]253[.]45
  • 194[.]33[.]40[.]72

Domains

  • getstatpro[.]com
  • updaterweb[.]com

Host Indicators

Filenames

  • devtmrn.lnk
  • systeminfo.exe
  • tasklist.exe
  • tdp1.exe

Filename paths

  • C:\Users\%username%\AppData\Local\devtmrn.exe
  • C:\Users\%username%\AppData\Local\Microsoft\TerminalServerClient\TermSrvClt.dll

YARA Rules

SkinnyBoy Dropper

rule APT28_SkinnyBoy_Dropper: RUSSIAN THREAT ACTOR {
    meta:
        author = "Cluster25"
        hash1 = "12331809c3e03d84498f428a37a28cf6cbb1dafe98c36463593ad12898c588c9"
    strings:
        $ = "cmd /c DEL " ascii
        $ = " \"" ascii
        $ = {8a 08 40 84 c9 75 f9}
        $ = {0f b7 84 0d fc fe ff ff 66 31 84 0d fc fd ff ff}
    condition:
        // MZ header and every string present
        (uint16(0) == 0x5A4D and all of them)
}


SkinnyBoy Launcher

rule APT28_SkinnyBoy_Launcher: RUSSIAN THREAT ACTOR {
    meta:
        author = "Cluster25"
        hash1 = "2a652721243f29e82bdf57b565208c59937bbb6af4ab51e7b6ba7ed270ea6bce"
    strings:
        $sha = {F4 EB 56 52 AF 4B 48 EE 08 FF 9D 44 89 4B D5 66 24 61 2A 15 1D 58 14 F9 6D 97 13 2C 6D 07 6F 86}
        $l1 = "CryptGetHashParam" ascii
        $l2 = "CryptCreateHash" ascii
        $l3 = "FindNextFile" ascii
        $l4 = "PathAddBackslashW" ascii
        $l5 = "PathRemoveFileSpecW" ascii
        $h1 = {50 6A 00 6A 00 68 0C 80 00 00 FF ?? ?? ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A 00 56 ?? ?? ?? ?? 50 FF ?? ?? ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ??}
        $h2 = {8B 01 3B 02 75 10 83 C1 04 83 C2 04 83 EE 04 73 EF}
    condition:
        // MZ header, small file, and either the embedded hash or all API names plus both code patterns
        uint16(0) == 0x5a4d and filesize < 100KB and ($sha or (all of ($l*) and all of ($h*)))
}


SkinnyBoy Implant

import "pe"

rule APT28_SkinnyBoy_Implanter: RUSSIAN THREAT ACTOR {
    meta:
        author = "Cluster25"
        date = "2021-05-24"
        hash = "ae0bc3358fef0ca2a103e694aa556f55a3fed4e98ba57d16f5ae7ad4ad583698"
    strings:
        $enc_string = {F3 0F 7E 05 ?? ?? ?? ?? 6? [5] 6A ?? 66 [6] 66 [7] F3 0F 7E 05 ?? ?? ?? ?? 8D 85 [4] 6A ?? 50 66 [7] E8}
        $heap_ops = {8B [1-5] 03 ?? 5? 5? 6A 08 FF [1-6] FF ?? ?? ?? ?? ?? [0-6] 8B ?? [0-6] 8?}
        $xor_cycle = { 8A 8C ?? ?? ?? ?? ?? 30 8C ?? ?? ?? ?? ?? 42 3B D0 72 }
    condition:
        // MZ header, DLL, small file, and all three code patterns
        uint16(0) == 0x5a4d and pe.is_dll() and filesize < 100KB and $xor_cycle and $heap_ops and $enc_string
}

Last edited: 9 June 2021 1:40 pm