The ASEC analysis team previously introduced a phishing site distributing malware disguised as a utility program. When searching the name of the utility program with a Google search keyword, the malware is shown relatively on the top list. It is being actively distributed even now, and the infection process has been changing continually. In this post, the team will explain the infection process of the recently distributed malware file which is globally known as CryptBot.
Figure 1 and Figure 2 show the phishing sites that distribute malware disguised as utility programs. There are also websites that were translated into Korean.
The malware is downloaded in the zip format. Within the compressed file are another zip file that contains the info-leaking malware and a txt file that contains the unzip password. When the password is entered and the file unzipped, a portable executable named Mainsetupv1.0.exe that is archived with 7zip is revealed, and this is the actual malware.
Upon being run, Mainsetupv1.0.exe creates four files in the ‘7ZipSfx.000’ directory as shown in Figure 4 and runs the malicious BAT file created as the disguised filename of Naso.avi. The features and identities of the four created files can be roughly summarized as shown below.
- Naso.avi: Executes malicious BAT file and malicious AutoIt script
- Pensato.avi: Normal Autoit.exe file of manipulated extension (.avi)
- C: Runs CryptBot info-stealer malware (Sento.avi) encoded with malicious AutoIt script
- Sento.avi: Encoded CryptBot info-stealer malware
Figure 5 is the content of the BAT file that belongs to the first execution process. The BAT file changes the normal Autoit.exe of the manipulated extension (.avi) to the one that can be run (.com) and runs the malicious AutoIt script (C).
Figure 6 is the content of the malicious AutoIt script (C). It is obfuscated to make interpretation impossible.
Figure 7 is a part of the unobfuscated AutoIt script that bypasses the analysis environment. Through GettickCount, the malware checks and validates data of before and after to see if Sleep is carried out normally. If it’s not the expected value, the malware is terminated.
Figure 8 shows the main feature of the unobfuscated AutoIt script. It loads explorer.exe through LoadLibraryExW API to allocate memory space. The script then injects the CryptBot info-stealer malware’s payload — created by processing the first created data of the Sento.avi file — to the allocated memory space.
Figure 9 shows a certain part of the code of CryptBot, an info-stealing malware that is executed ultimately. It is a feature which downloads additional malicious files. Records show that the following Clipbanker malware was downloaded through the feature.
AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:
[File Detection]
– Trojan/Win.Infostealer (2021.05.15.00)
[Behavior Detection]
– Execution/MDP.Scripting.M3728
[IOC]
- MD5: abd35d575a95891bac53ec57e8d33ccd
- Phishing Sites
ko.augalai[.]info
rarpc[.]co
- C&C
– http[:]//morjgs02.top/index[.]php - Download PE
– http[:]//sulsxq03.top/download[.]php?file=lv.exe
Categories:Malware Information