Despite the previous takedown of BotSquad’s leaders’ communication network (which is based on the P2P encrypted network known as “Discord” and “YouTube”), BotSquad has once more made a comeback. This time, they are still using the same communication protocols; however, they have added new cybersoldiers to their arsenals, namely “CORRUPT”, a malware developer based in Ukraine. Today we will be discussing “PcCrasher”, a dangerous part of BotSquad’s APT kit.
Case study: From Shamoon to StoneDrill and NewsBeef, and now PcCrasher?
After penetrating through 4 layers of PGP encrypted messages and seizing a CnC located in Kiev, we managed to recover a malicious artifact from the neural P2P network utilized by BotSquad for communication. The sample is a CIL executable with the size of 9kb, truly APT grade.
File Type: Generic CIL Executable
As noted by the brilliant researchers at GReAT, the similarities between Shamoon and StoneDrill are as follows:
- Targets high-profile Saudi Arabian targets (Potentially King, the creator of the Exterbyte APT?)
- Payload is stored as an encrypted resource and is executed by a loader
- Compiled October to November 2016
And the similarities between Shamoon and NewsBeef:
- Common WinMain code
- Backdoor and CnC connection
- String Decryption routine
- CnC Names
We have strong reasons to believe that the new PcCrasher RAM Wiper is related to the creators of Shamoon, StoneDrill and NewsBeef, as it is extremely similar to NewsBeef.
First of all, let’s take a look at the sample. The attacker left some artifacts that could be used to attribute them to an APT group, such as the PDB path.
The username is “Owner”. This shows how diverse the group is, and how they are on a separate network with unique hostnames based on the role of the member of the APT group. We’ve confirmed through infiltrations that the developer of “PcCrasher” is in fact an administrator of BotSquad.
Opening up the executable in the AntiAPT kit known as “DnSpy”, we could analyze its functions. Looking at the entry point, we could confirm Kaspersky’s finding of the group’s tendency to reuse code: the Main() function is very similar to that of many other malware samples.
During Form1()’s initialization, a timer is loaded. Could this be timing attacks used to detect analysis attempts?
Fortunately for us, it is nothing of the sort. The timer is designed to overload the machine’s RAM and therefore wipe all the data in RAM by forcing a reboot. A very advanced technique, never seen before, used to destroy the unsaved work of their targets.
We can see something very strange: the second parameter of the MessageBox is “Herwo” instead of “Hello”. Herwo is often a phrase used to describe how Asians and other non-caucasians pronounce “Hello”. This confirms the case: PcCrasher is created by the same attacker who created Shamoon, StoneDrill and NewsBeef.
This investigation was performed by the Krabs Investigation Team (K.I.T) and the AntiNanomen sector of KrabsOnSecurity. Join the KrabsOnSecurity discord and the AntiNanomen discord to stay up to date with the latest information discovered by K.I.T. This is only a partial report on the APT group, full disclosure is available to customers of the Krabs Intelligence Service.