CrypterPig is the newest rising star among the crypting services on the deep web cyberweapon forum dubbed “HackForums”. At a tremendous $4 per crypt, this crypter poses a huge threat by allowing APTs such as DarkComet and Babylon to bypass AV solutions. But is there more behind the service? Today the KrabsOnSecurity Investigation Team (K.I.T.) explores the story behind CrypterPig and the links between CrypterPig and the Indian Tech Support Scam Network.
First of all, a look at the CrypterPig sales thread shows the following.
The SHA1 hash of the file shown there is a6b98fab07bc8c8cf32234722fa46581112e8349. Using KrabsMagic™ and a bit of determination, we were able to obtain the file.
Scanning the file on VirusTotal reveals one unexpected detection: DarkComet, by Jiangming AV. AVs often label a packed file with whatever they think the payload is, so this successfully shows us that the CrypterPig crew directly supports the DarkComet APT and is sponsoring dangerous 0day attacks worldwide.
Let’s now look at the file itself. According to ExeInfo PE, it was compiled with GCC (GNU 4.x.2). Armed with this information, we boot our Windows XP VM and open the file in OllyDbg.
After searching for all intermodular calls, we see this blob of code.
Setting a breakpoint on every GetProcAddress call, we run the payload, which promptly pegs the CPU.
The first API it resolves (the lpProcName string argument sits on the stack when the breakpoint hits) is exactly what we need: WriteProcessMemory.
Stepping over the call with F8 leaves the resolved address in EAX; following EAX in the Disassembler takes us to the entry of WriteProcessMemory, where we set a breakpoint on the very first instruction. We then remove all the GetProcAddress breakpoints and let the file run until the new breakpoint hits. WriteProcessMemory takes, in order, hProcess, lpBaseAddress, lpBuffer and nSize; lpBuffer points at the data about to be written, and following that pointer in the dump window, we hit the jackpot.
Next, we open the process in Process Hacker, navigate to that same address in its memory view, and dump the region.
We then open the dump in HxD and search for MZ, deleting every byte before it. (A bare “MZ” search can also hit random byte pairs; the right one has an e_lfanew at offset 0x3C that points at a “PE\0\0” signature.)
Finally, we use ExeInfo PE’s Overlay tool to truncate the overlay, i.e. the bytes trailing the last section’s raw data. The final executable’s SHA1 is 28D3FB40ABB645F276B5E002A964DDC8201A16AE, and scanning it on VirusTotal reveals that it is a Neurevt, aka Betabot, payload. So the CrypterPig team uses its own crypter with Betabot, even though its Terms of Service explicitly say that the use of Betabot is disallowed.
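To automate the last three steps (find the MZ header, drop everything before it, cut the overlay), here is a small Python carver. It is an added example written for this write-up, not part of CrypterPig, OllyDbg, Process Hacker or any other tool named above; the dump it works on is constructed inside the script (a junk prefix with a decoy “MZ”, a minimal hand-built PE32, then 64 bytes of overlay) rather than the real 28D3FB40… payload. It assumes the dumped region holds the payload in file layout, which is true for the buffer WriteProcessMemory reads from; a dump of an already-mapped image would need its sections re-aligned first, which this script does not attempt.

```python
"""Added example (not from the original post): carve a PE out of a raw memory
dump and strip its overlay, automating the HxD + ExeInfo PE steps above.
Assumes the dump holds the payload in file layout (raw section offsets)."""
import struct


def find_pe_offsets(blob: bytes):
    """Yield every offset whose 'MZ' is backed by a plausible e_lfanew and 'PE\\0\\0'.

    A bare 'MZ' search (as done in HxD) also hits random byte pairs; checking
    the NT signature weeds those out.
    """
    pos = 0
    while (pos := blob.find(b"MZ", pos)) != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            nt = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[nt:nt + 4] == b"PE\0\0":
                yield pos
        pos += 1


def pe_raw_size(blob: bytes, base: int) -> int:
    """On-disk size of the image at `base`: furthest end of headers or any section."""
    e_lfanew = struct.unpack_from("<I", blob, base + 0x3C)[0]
    nt = base + e_lfanew
    num_sections, = struct.unpack_from("<H", blob, nt + 6)    # COFF NumberOfSections
    size_opt, = struct.unpack_from("<H", blob, nt + 20)       # SizeOfOptionalHeader
    opt = nt + 24
    # SizeOfHeaders sits at +60 in both PE32 and PE32+ optional headers
    end, = struct.unpack_from("<I", blob, opt + 60)
    sections = opt + size_opt
    for i in range(num_sections):
        # section header: SizeOfRawData at +16, PointerToRawData at +20
        size_raw, ptr_raw = struct.unpack_from("<II", blob, sections + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def carve_pe(blob: bytes):
    """Return (executable, overlay) for the first valid PE in `blob`.

    Raises ValueError if no PE is present or the dump ends before the last section.
    """
    for base in find_pe_offsets(blob):
        size = pe_raw_size(blob, base)
        if base + size > len(blob):
            raise ValueError("dump is truncated: section data runs past the end")
        return blob[base:base + size], blob[base + size:]
    raise ValueError("no PE image found")


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not a real binary): 0x200 of headers + one 0x200 section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew: NT headers follow
    coff = struct.pack("<IHHIIIHH", 0x00004550,              # "PE\0\0"
                       0x14C, 1, 0, 0, 0, 0xE0, 0x0102)      # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)          # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)               # VirtSize, VA, RawSize, RawPtr
    headers = bytes(dos) + coff + bytes(opt) + text
    return headers.ljust(0x200, b"\0") + b"\xCC" * 0x200     # int3 filler as section data


def build_sample_dump() -> bytes:
    """Constructed dump: junk with a decoy 'MZ', the PE, then 64 bytes of overlay."""
    junk = b"\0" * 16 + b"MZ" + b"\xff" * (0x37 - 18)
    return junk + build_sample_pe() + b"OVERLAY!" * 8


if __name__ == "__main__":
    import hashlib
    exe, overlay = carve_pe(build_sample_dump())
    print(f"carved {len(exe):#x} bytes, dropped {len(overlay)} overlay bytes, "
          f"SHA1 {hashlib.sha1(exe).hexdigest()}")
```

Running it prints the carved size, the overlay length and the SHA1 of the result, which is what you would then feed to VirusTotal. The decoy “MZ” at offset 0x10 is skipped because its e_lfanew does not land on a PE signature, and a dump cut short before the last section is rejected rather than silently producing a broken executable.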
Breaking their own ToS? Very strange indeed, and does this mean the owner’s own access to CrypterPig should be revoked? Let’s recall an article from a while back, now only available in the archived version of the old site (at old.krabsonsecurity.com starting on June 12th): the article on The Grim and BlackShadow. There we saw that The Grim owned a group commonly known as “IndiaGang”, notorious for selling buy-ins and then kicking its customers after 2 days for “inactivity”. The same concept applies to CrypterPig, where customers purchase a token for a guaranteed FUD crypt that turns out to be detected 10/40 on VirusTotal.
As we can see, the owner himself admits that the crypter is detected, and shows off how popular it is among AV companies, who know it very, very well. The buyers received no refunds, and sales go on. Astonishingly similar to IndiaGang’s buy-in program.
In conclusion, CrypterPig is a threat to the cyber world: it is very well protected (taking more than 3 minutes to unpack!), resolves its APIs at run time with GetModuleHandle and GetProcAddress (so nothing interesting shows up in the static import table), and is modeled on IndiaGang’s policy. Additionally, CrypterPig powers the Cometmen APT group, a very dangerous group spread across the world that is involved in Ice Cream Fraud (more on Ice Cream Fraud in the next article).