A major method by which threat actors distribute malware is to upload it to sites disguised as cracks or other illegal software. After a threat actor uploads malware disguised as a crack or serial keygen for some paid software, users become infected when they install this illegal software.
The ASEC analysis team is monitoring malware that is distributed through illegal software such as cracks and serial keygens. Much of the malware distributed in this way consists of infostealers like Vidar, CryptBot, and RedLine. The ASEC analysis team has recently discovered PYbot DDoS being distributed with illegal software.
The program used as bait by the threat actor is a token generator called Nitro Generator. Nitro is a paid Discord service with various benefits, which can be seen in Figure 1 below. Nitro Generator is a tool that generates codes that can be used for free access to Nitro.
PYbot is an open-source DDoS bot malware developed in Python. A characteristic of PYbot that distinguishes it from ordinary DDoS bot malware is that it is only capable of performing DDoS attacks. Of course, there are malware families like Mirai, Gafgyt, and Tsunami that have DDoS attacks as their main feature, but they also have basic features such as a minimal malware update capability and the execution of commands from the threat actor.
Also, these families target IoT devices that have unpatched vulnerabilities or are inadequately managed, rather than Windows systems. Among malware targeting Windows systems, it is mostly RAT-type malware that has a DDoS attack feature; however, the main feature of a RAT is remote control of infected systems.
The currently identified PYbot is being distributed to Windows systems, but it could also be used to target Linux systems, because programs written in Python can also run on Linux.
2. Malware Disguised as a Discord Nitro Generator
The first distributed malware is an installer-type malware created using DRPU Setup Creator. It is speculated that the threat actor distributed the installer under filenames such as “nitrogen.exe” or “ntrg.exe”.
This installer creates the following files in the Program Files path. “NitroGenerator.exe” is a downloader malware responsible for installing additional malware from an external source.
As shown in Figure 5, the downloader was developed in .NET and has a simple structure. It downloads and executes “p.exe” and “n.exe” in the %TEMP% path and creates a shortcut in the startup folder so that “p.exe”, which is PYbot, runs again after a reboot.
“n.exe” is an installer for a program called FireDragon’s Nitro Generator. When the installation process is finished, an illegal program that generates codes for the paid Discord service Nitro is created in the following path.
3. PYbot DDoS Bot
PYbot is Python malware, but the threat actor distributed it after building it into a Windows executable with PyInstaller. PyInstaller is a tool that allows Python scripts to run in an environment where Python is not installed by packing the modules required for script execution into a Windows executable. Fundamentally, PyInstaller is similar to Bat2exe, which converts scripts to executable files. However, unlike batch files, which run in a default Windows environment, Python scripts need Python to be installed in order to run, so a characteristic of PyInstaller is that it bundles the modules needed to execute the Python script.
Extracting each module within the executable to analyze the binary created with PyInstaller reveals a compiled Python script, “bot (1)”, and multiple Python modules, as shown below.
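A practical triage step for a PyInstaller-packed sample like the one above is to read the CArchive trailer ("cookie") and table of contents that PyInstaller appends to the executable, which lists the packed script and modules without running anything. The following Python script is an added example, not code from the original post or from PYbot; the cookie and TOC layout is PyInstaller's own format, while the sample executable is constructed inline and is not the real binary.

```python
import struct
import zlib

# PyInstaller CArchive layout: [bootloader][compressed items][TOC][88-byte cookie]
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"        # magic, pkg_len, toc_pos, toc_len, pyvers, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)
TOC_FMT = "!iIIIBc"              # entry_len, data_pos, cmp_len, raw_len, flag, type code
TOC_SIZE = struct.calcsize(TOC_FMT)

def build_sample_exe():
    """Constructed stand-in for a PyInstaller build: a fake loader stub followed by
    a CArchive holding a compiled script ('s') and a PYZ module archive ('z')."""
    stub = b"MZ" + b"\x00" * 62                         # placeholder, not a real PE
    items = [("bot (1)", b"s", b"\xe3\x00" + b"\x00" * 30),
             ("PYZ-00.pyz", b"z", b"PYZ\x00" + b"\x00" * 60)]
    data = toc = b""
    for name, typ, raw in items:
        comp = zlib.compress(raw)
        nm = name.encode() + b"\x00"
        nm += b"\x00" * (-(TOC_SIZE + len(nm)) % 16)    # PyInstaller pads entries to 16
        toc += struct.pack(TOC_FMT, TOC_SIZE + len(nm), len(data),
                           len(comp), len(raw), 1, typ) + nm
        data += comp
    pkg_len = len(data) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(data), len(toc),
                         310, b"python310.dll")          # 310 -> Python 3.10
    return stub + data + toc + cookie

def parse_pyinstaller(blob):
    """Return {'python': 'X.Y', 'entries': [(name, type, raw_len), ...]} for a
    PyInstaller-packed file, or None when no CArchive cookie is present."""
    cookie_pos = blob.rfind(MAGIC)
    if cookie_pos < 0:
        return None
    _, pkg_len, toc_pos, toc_len, pyvers, _ = struct.unpack(
        COOKIE_FMT, blob[cookie_pos:cookie_pos + COOKIE_SIZE])
    # Older builds encode 3.7 as 37, newer ones encode 3.10 as 310.
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    tail = len(blob) - cookie_pos - COOKIE_SIZE          # bytes appended after the cookie
    start = len(blob) - (pkg_len + tail)                 # archive begins after the loader
    pos, end = start + toc_pos, start + toc_pos + toc_len
    entries = []
    while pos < end:
        entry_len, _, _, raw_len, _, typ = struct.unpack(TOC_FMT, blob[pos:pos + TOC_SIZE])
        name = blob[pos + TOC_SIZE:pos + entry_len].rstrip(b"\x00").decode()
        entries.append((name, typ.decode(), raw_len))
        pos += entry_len
    return {"python": f"{major}.{minor}", "entries": entries}
```

Type code `s` marks the entry-point script (here the constructed "bot (1)"), `z` the PYZ archive of bundled modules, and `b` native binaries; a suspicious type-`s` entry is the first thing to extract and decompile.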
Next is the result of decompiling the compiled “bot (1)” Python script. It shares almost the same source code as the open-source PYbot, but there are differences. A download routine that uses curl does not exist in PYbot, but the PYbot currently used in attacks includes a routine that downloads an additional payload from an external source. Since the domain of the download address is the same as that of the C&C server, it can be assumed that additional malware is installed, but the exact malware cannot be identified because it currently cannot be downloaded.
The DDoS bot malware PYbot supports various DDoS attack features: not only basic layer 4 attacks like TCP Flood, TCP SYN Flood, and UDP Flood, but also VSE Flood and HTTP GET Request Flood attacks. VSE is an acronym for Valve Source Engine; a VSE Flood is a type of DDoS attack in which a large number of queries are sent to a particular game server.
Recently, PYbot has been distributed alongside an illegal program related to a paid Discord service called Nitro. When infected with PYbot, user systems can be used as DDoS bots that receive commands from the threat actor to perform DDoS attacks against specific targets.
Using illegal software such as cracks and keygens for paid software to distribute malware is one of the main methods used by threat actors. Users must be wary when running executables downloaded from unknown sources, and it is recommended to download products such as utility programs and games from their official websites. Also, V3 should be updated to the latest version so that malware infection can be prevented.
File Detection
– Trojan/LNK.Runner (2023.02.08.02)
– Dropper/Win.Agent.C5377911 (2023.02.08.02)
– Dropper/Win.Agent.C5377914 (2023.02.08.02)
– Downloader/Win.Agent.R557327 (2023.02.08.02)
– Trojan/Win.PYbot.C5377916 (2023.02.08.02)
– Trojan/Win.PYbot.C5377984 (2023.02.08.02)