Posted By muhan , September 14, 2023

Downloader Disguised With Contents on Violation of Intellectual Property Rights (Detected by MDS)

On August 28, AhnLab Security Emergency response Center (ASEC) discovered circumstances of a downloader in distribution disguised with contents regarding the violation of intellectual property rights, targeting unspecified masses in Korea. The distributed malware included a code that detects virtual environments to evade sandbox-based security solutions and was a .NET-type that downloads the MainBot malware. Judging from the file information collected by AhnLab Smart Defense (ASD) and VirusTotal, it seems that Korea and Taiwan were the target destinations for distribution.

Filename

Video Image Regarding Violation of Intellectual Property Rights.exe

Detailed Video.exe

Data on Piracy-00 Entertainment.exe

Video Image Regarding the Violation of Intellectual Property Rights.exe)

Product Error Video and Image.exe

ReaderPDFWindowFile.exe

Table 1. Filenames in distribution

With filenames related to intellectual property rights and file icons made to look like a PDF, the malware disguised itself and tricked the users into thinking that it was a PDF document.

Figure 1. PDF icon image used by the malware

[C2 Communication Method]

The malware downloads basic config information from the threat actor’s shared Google Docs page including the Telegram token, chat ID, and the download URL for MainBot.

Figure 2. Malware’s code for saving config using a shared Google Docs document

Figure 3. The address of the shared Google Docs document encoded with Base64

URL decoded with Base64: hxxps://docs.google.com/document/export?format=txt&id=10bTqbc6WMebYNQEZy86Uy_3YnIynx3VNnFD-wF1EH6E&includes_info_params=true&usp=sharing&cros_files=false&inspectorResult=%7B%22pc%22%3A1%2C%22lplc%22%3A12%7D&showMarkups=true
* ‘id’ is the threat actor’s unique Google Docs ID where the config information is saved

As shown in Figure 2, the malware parses the threat actor’s shared document page and obtains the threat actor’s Telegram server information before using the received message as a base to send commands to the infected PC such as MainBot installation and execution, file name change, and termination. At the time of analysis, MainBot could not be collected.

[Anti-VM]

The malware had six conditions that checked for virtual environments to evade detection from sandbox-based malware detection solutions.

Checks if the number of anti-virus products in the running system is 0.
Performs the “SELECT * FROM WmiMonitorBasicDisplayParams” WMI query and checks if all monitors linked to the computer in question have 0 default display parameters (to check for physical connection to monitors)
Using the Win32_Keyboard WMI class, it checks if there is USB keyboard information (to check for physical connection to a keyboard)
Checks if the RAM is less than 4 GB
Checks if the disk capacity is less than 128 GB
Checks if there are no subsidiary keys to HKLM\SOFTWARE\WOW6432Node\Clients\StartMenuInternet or only has either “IEXPLORE.EXE” or “Microsoft Edge”

Figure 4. The code that checks for virtual environment

If three or more of the six conditions are met, it determines the environment to be a virtual environment. The malware then sends the following string to the threat actor’s server and calls the Sleep function in the host every 5 seconds, just waiting indefinitely until the [HWID]-SKIP VM command is received from the threat actor’s server.

Figure 5. The code to check for the -SKIP VM command every 5 seconds

⛔ DETECT VM,SANBOX: Number of detected conditions
To continue please write the content: [HWID]-SKIP VM
We are still active until victime shuts down!

[The string sent to the Telegram server when VM is detected]

Afterward, when it receives the string [HWID]-SKIP VM through the Telegram server, it downloads and installs MainBot on the PC.

[Detection by MDS]

AhnLab MDS detects this type of malware with the detection name “Execution/MDP.Event.M11291” in sandbox environments.

Figure 6. Malware detected using AhnLab MDS (1)

Figure 7. Malware detected using AhnLab MDS (2)

On top of threat actors adding anti-VM techniques in malware to evade detection by security products, a growing number of cases show that there are also malware leveraging normal servers such as Telegram and Google Docs for command control, as seen in the case covered in this post. Because commands are carried out through communications with a normal server, it is difficult for even network solutions to detect such malware. Therefore, security managers should use not only network and APT solutions but also EDR products to monitor abnormal behaviors occurring in endpoint environments and prevent security incidents from occurring in the company in advance.

[IoC]
[MD5]
– 411f04a6b60d02072a67a7bbddf9b752
– 187ce0c69ae10fcc93e546e02a4c9bb9

[File Detection]
– Trojan/Win.Agent.C5478091 (2023.08.29.02)
– Malware/Win.Generic.C5479395 (2023.09.01.00)

[Behavior Detection]
– Execution/MDP.Event.M11291

AhnLab MDS detects and responds to unknown threats by performing sandbox-based dynamic analysis. For more information about the product, please visit our official website.