“Netbounce” Threat Actor Tries to Evade Detection

On the 12th of February, FortiGuard Labs got a solicitation through email from an individual representing an organization called Packity Networks asking to whitelist their software. The sender guaranteed it to be a false-positive that causes a critical effect on their business. At that point, the file at the link was named malevolent only by Fortinet and Dr.Web sandbox. 

Despite the fact that, from the start, the solicitation appeared to be innocent, and basically no other security vendor had flagged the file, FortiGuard said it generally investigates such demands thoroughly before complying. The investigation prompted the disclosure of another group called “Netbounce” and it uncovered their malware delivery infrastructure. What made this stand apart among others is their one-of-a-kind set of tools and techniques. FortiGuard was able to discover a few variations created in-house by this group, each serving a different purpose. 

The background checks directed by FortiGuard on Secured Network Stack and Packity Networks Inc. yielded no outcomes; there were no enrolled organizations or official references to these elements, nor could they discover any employee profiles online. However, based on a Twitter account, Packity appears to have had some online presence other than their site for at least two years, and they found reviews for the software.

Despite the fact that the executables were signed with the same certificate, FortiGuard saw that the certificate was issued with an unrelated email address, [email protected]. The certificate was issued on September 2nd, 2020, so they looked for more seasoned certificates utilized by Packity and tracked down an older installer. Looking at the more seasoned signature affirmed that the contact data is indeed unrelated to the organization. In spite of the fact that it might appear to be odd that an alternate email was utilized, the new certificate was issued precisely when the previous certificate expired, on September 3rd, 2020, which may indicate it’s not vindictive. 

The signature with the new certificate doesn’t have a timestamp countersignature. This is highly uncommon when signing code, and the “official” setup file from the site has a timestamp. Along these lines, FortiGuard’s suspicions were still not resolved.