Various Types of Threats Disguised as Software Download Being Distributed

Through multiple posts, the ASEC analysis team has mentioned CryptBot that is searched through keywords such as cracks and serials of commercial software, urging users to take caution.

CryptBot malware is the one that is usually distributed from such malicious websites, but other types are occasionally distributed as well. This post will discuss other malware programs of the same type besides CryptBot.

As mentioned in previous posts, the malware is distributed from malicious webpages exposed on the top search page when users search illegal keywords such as crack, serial, keygen, and license of commercial software.

The following shows examples of such malicious websites. It looks like the users can download normal tools, but what they actually download are compressed files that have malware. Check the post below for more details.

Figure 1. Examples of websites distributing malware

The types of malware distributed from such websites can be largely divided into two.

One is NSIS dropper and the other is Autoit Loader.

NSIS dropper drops multiple types of malware simultaneously upon being run. When an anti-malware product detects the malware, it is not dropped, so it was not discussed in this post. Yet if the malware is somehow executed, the system is infected with various types of malware to an extent that it is impossible to be restored. It usually executes about 10 types of malware after dropping them. As there are downloader-type malware programs, the actual number of malware infections becomes even higher. The types of malware that usually infect the system through the dropper are as follows.

BeamWinHTTP, RedLine, YAHOOYLO, Socelars Stealer, ClipBanker, Backstage Stealer, Androm, and many more

The characteristic of the threat is that the executable file that is finally decompressed has the default NSIS icon. Inside the file is a 7zSFX executable named “setup_installer.exe.” After decompressing internal files in a particular directory upon being run, the executable runs the “setup_install.exe” file which executes txt files created in the same directory.

The majority of txt files inside the directory are malware programs disguised as txt files. As they did not go through encoding or encryption processes, V3 product will immediately detect and block them upon being decompressed.

Figure 2. Execution flow of NSIS Dropper malware

When Autoit loader is executed, it runs files related to Autoit after creating them. The CryptBot malware mentioned in previous blog posts falls under this category. As the malware mainly distributes CryptBot, AhnLab is responding by labeling the packing type as “CryptLoader” as its alias. The malware distributes CryptBot which downloads and runs ClipBanker most of the time, but sometimes other types of malware are distributed.

Malware programs that were recently distributed for about a month of this type except for CryptBot are as follows. The following samples were either directly downloaded from malicious webpages or additionally created by the samples of the attack type such as CryptBot or NSIS Dropper.


1. RedLine

RedLine is malware built with .NET language. It steals various user information and send it to C2, as well as running additionally downloaded malware and deleting self. The way it performs is similar to that of CryptBot malware, but it has more various features. It has a small size of about 100KB.

After it is executed, the malware runs the RegAsm.exe process through the shellcode inside the Autoit script and operates inside the process with the hollowing technique.

Figure 3. Process tree of RedLine malware

The malware operates by being injected into RegAsm.exe with the hollowing technique. Yet when the internal binary is extracted, there is a valid certificate as you can see below. Unlike other types of .NET malware, this malware is barely obfuscated.

Figure 4. Signature information

Figure 5. List of internal methods

Various confidential information such as accounts and passwords saved in browsers, cryptocurrency wallet files, messenger tokens such as that of Discord, FTP client information, and VPN information become targets to be stolen. There have been cases of the malware distributed through YouTube.

C2: gimpimageeditor.com


2. Vidar

Vidar is also a type of Infostealer. This sample runs the nslookup.exe process and operates with the process hollowing technique.

Figure 6. Process tree of Vidar malware

The WinMain function of the original binary that can be extracted from the malware includes garbage codes that perform the role of anti-disassembly. Disassembly is possible only after you remove the codes. Anti-disassembly is one of the major analysis disruption techniques.

Figure 7. Anti-disassembly codes

One characteristic of Vidar is that it connects to C2 and downloads various libraries needed to collect information. To get the C2 URL, it attempts to connect to the URL of the Tumblr webpage created by the attacker. The attacker’s Tumblr has the actual C2 URL of Vidar in its internal source code as shown below.

Figure 8. Attacker’s Tumblr webpage

The ASEC team once uploaded a post about the Vidar that updates the C2 information by exploiting game platforms such as Faceit. As you can see, there are now more cases of attackers using normal domains to update their C2s.

The malware compresses the stolen information and sends it to C2. It can then perform additional malicious behaviors by the commands given by C2.

C2: shpak125.tumblr.com / 116.202.183.50


3. Remcos

Remcos is a remote access trojan that collects and leaks various user information including keylogging and can perform various commands given by the attacker. It is sold from its developer’s websites as a tool for remote management, but it is usually exploited as malware.

Like Vidar, this sample also operates by running nslookup.exe and then getting injected inside the process with the hollowing technique.

Figure 9. Process tree of Remcos malware

When it is run, it creates a mutex named “Remcos_Mutex_Inj.”

Figure 10. Code for creating mutex

The malware can perform various malicious behaviors such as privilege escalation, keylogging, stealing various information, recording webcams and microphones, stealing clipboards, and sending screens real-time as well as remote controlling.

Figure 11. Code for privilege escalation

The version of Remcos used in this sample is “3.2.0 Pro.” The string related to the version is hard-coded in the rdata area. The version is the latest one released on July 30th, 2021.

Figure 12. Remcos version information

Among recently distributed Remcos samples, there were cases where the internal files had gone additional packings. The malware packed with packers such as UPX or Mpress is injected inside the normal process with the hollowing technique. It appears that the attacker had various tests to bypass detection.

Figure 13. Original sample, UPX-packed sample, and Mpress-packed sample

C2: 146.0.72.170:9094


4. Raccoon Stealer

Raccoon Stealer which was recently distributed used the packer of the MalPE type. In the past, the team uploaded a post about the distribution of the MalPE type which is not the Autoit Loader type. The MalPE type malware has been occasionally distributed since then. It is the packing type that is also actively used in distributions through emails and exploit kits.

As you can see, this packing type has many icons inside a single file and has random strings in the resource area.

Figure 14. Icons in sample internal resource

Raccoon Stealer is also an Infostealer. To know the actual C2 URL, it attempts to access the Telegram URL of the attacker. The URL has the encrypted string as shown below. The malware decrypts the string to know the C2 URL.

Figure 15. Attacker’s Telegram webpage

By cutting the front and back of the string displayed on the attacker’s Telegram webpage in a form that fits the standard, the malware decrypts the string using the RC4 algorithm after going through the Base64 decoding process. The key value for RC4 is hard-coded inside the rdata area of the sample file. Using this method, the attacker can continually change the C2 of the sample that is already distributed.

Figure 16. RC4 decryption key

Figure 17. Decryption result

C2: telete.in/inosradioworld / 5.181.156.60

Besides the types of malware mentioned above, there have been cases where non-info-stealer malware programs were distributed. As you can see, it appears that attackers are distributing various types of malware and testing their effects. As other types of malware can be distributed anytime in the future, users need to take caution and should not run files downloaded from untrusted websites.


[IOC Info]

a5bc136c227ab70ed77e3bebe6e4bc6d
21be2e389bc3d34f6a20dad828aa80b2
2349e8337b649af297fe9ef6b99deae5
8680a71a54f5eb063aedc7d8922e031c

gimpimageeditor.com
shpak125.tumblr.com
116.202.183.50
146.0.72.170:9094
telete.in/inosradioworld
5.181.156.60


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

5 1 vote
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments