The ASEC analysis team discovered a phishing site that distributes info-stealer malware by disguising it as a crack program of a normal utility. As shared in the post posted on June 29th (https://asec.ahnlab.com/ko/1339/), the phishing site appears in the top results when the utility program name is searched along with “Crack” on Google. It is assumed that many users were infected when they accessed the said site to download the crack of the utility program.
As shown in Figure 2, the post is created and decorated with images of the actual utility program, which makes the site look quite legit. When the user accesses the website and clicks the download link shown in Figure 3, the user gets redirected to the malware distribution source, resulting in the download of the archive file that contains malware.
The malware gets downloaded with the form of utility name_specific hash value.zip. The archive file has SetupFile-86x-64xen.zip file that contains the info leaking malware, a .txt file containing the archive password, and a ReadMe.txt file that runs the malware.
Upon opening the ReadMe document, it asks the user to close currently running Anti-Virus, firewall, etc. as shown in Figure 5. It may look like it’s asking as ordinary keygen and cracks are usually detected as malicious programs, but since this file only has a feature of malware, it is likely that the text was stated to bypass the malware detection.
If the password “77788899” is entered to extract SetupFile-86x-64xen.zip, malware (SetupFile-86x-64xen.exe) gets generated.
When the malware is run, a regular AutoIt script run program (lsass.com from Figure 7) and an encoded malicious PE file are dropped into the “%temp%\IXP000.TMP” folder. Afterward, “c:\windows\system32\attrib.exe” is run, decodes the encoded PE, and continues with injection.
The decoded PE is an info leaking malware that has a feature of Anti-SandBox. The malware checks the following information and, and if any of the condition is met, it terminates its process.
- Screen verification feature using GetSystemMetrics API (If horizontal axis of the current screen is smaller than 1027)
- Number of CPU cores verification feature using GetSystemInfo API (If the number of CPU core is 1)
- Use the registry key info as a reference, and terminates the process if the name of the CPU is “Xeon.”
- Physical memory verification feature using GlobalMemoryStatusEx API (If physical memory is less than 2GB)
Once the SandBox environment verification is over, it leaks the following info from the user’s PC, compresses it as a zip file, and sends it to the C&C server.
- Browser password info
- Web browser cookie info
- Cryptocurrency related wallet info
- Screenshot of user PC’s desktop
- CPU, RAM, OS, keyboard layout info of PC
- List of installed SW
An interesting note on these phishing sites is that all the cracks of other utilities (Adobe Photoshop CC 2020, DLL Files Fixer, etc.) uploaded to this site redirects to the same malware distribution source, and ultimately running the same malware.
The ASEC analysis team believes that there are many other variants of this phishing site that distribute info leaking malware, therefore it is recommended that users refrain from accessing any illegal crack websites and aim to use genuine software.
AhnLab’s anti-malware product V3 detects the malware above using the aliases below.