Today we will take a look at Anon Hacks, a new threat that only arrived in early 2017. The threat can be found at hxxps://www.youtube.com/channel/UCTgfS2E9Pll8HZjIEmvEyPw. We will look at one of the APTs distributed by this threat actor today: Anon Booter.exe.

Sample information:
MD5: 6e202a803b6f139206d1afbc70962f5e
SHA1: 2a7fb32ad232e37c4eb267971193d5616c304bd8
File Type: x86 .NET Assembly
Virustotal: https://www.virustotal.com/en/file/f7ad57f7b4339be5d153be997a77d98c8217c47aa9112ad0892104764f462b77/analysis/1499839535/

After a scan with Exeinfo PE, we can easily see that the module is obfuscated with SmartAssembly, a strong indicator of the ever-growing APT known as “CyberSeal”. In order to unpack it, we follow the HQ tutorial that can be found on the KrabsOnSecurity YouTube channel.

In this case, the line on which we break is line 254 of class #G in the namespace #A. Stepping over it reveals the binary.

Dumping it reveals a very spooky file.

Scanning the file on VirusTotal reveals just about nothing; however, it is most likely a sample of Quasar RAT, judging by the bundled libraries as well as the fact that it depends on the .NET 4.0 framework. xClient is the name used by an old version of Quasar RAT, and it was kept in the latest version, so we can conclude that the sample is indeed Quasar, as confirmed by other reverse engineers.
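The identification above rests on two static clues: the dumped file is a .NET assembly, and it carries the old Quasar client name "xClient" together with a .NET 4.0 framework dependency. The following triage script is an added example, not code from the post or from any tool it mentions: it checks a PE for a populated CLR runtime header (data directory 14), pulls ASCII and UTF-16LE strings, matches them against a small indicator list that is my own assumption drawn from the write-up, and hashes the file. The input is a constructed minimal PE built inside the script, not the real sample.

```python
import hashlib
import re
import struct

# Indicator list (assumption, derived from the write-up): the "xClient" name kept
# from old Quasar RAT versions and the .NET Framework 4.0 target string.
INDICATORS = {
    "xClient": "xClient namespace (old Quasar RAT client name)",
    ".NETFramework,Version=v4.0": "targets .NET Framework 4.0",
}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the blob, as you would paste into a report."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def is_dotnet_pe(data: bytes) -> bool:
    """True if data is a PE whose CLR runtime header directory (index 14) is populated."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    size_opt = struct.unpack_from("<H", data, e_lfanew + 4 + 16)[0]
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    if size_opt < 2 or opt + size_opt > len(data):
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        dirs_off, nrva_off = 96, 92
    elif magic == 0x20B:      # PE32+
        dirs_off, nrva_off = 112, 108
    else:
        return False
    if struct.unpack_from("<I", data, opt + nrva_off)[0] <= 14:
        return False
    rva, size = struct.unpack_from("<II", data, opt + dirs_off + 14 * 8)
    return rva != 0 and size != 0


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII and UTF-16LE runs; .NET metadata stores user strings as UTF-16."""
    ascii_runs = [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.group().decode("utf-16-le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs


def triage(data: bytes) -> dict:
    """Combine the checks into a verdict a first-pass analyst would record."""
    hits = sorted({desc for s in extract_strings(data) for ind, desc in INDICATORS.items() if ind in s})
    dotnet = is_dotnet_pe(data)
    return {
        "hashes": file_hashes(data),
        "dotnet": dotnet,
        "indicators": hits,
        # Only call it Quasar when both the .NET header and the xClient name line up.
        "likely_quasar": dotnet and any("xClient" in h for h in hits),
    }


def build_sample_pe(dotnet: bool) -> bytes:
    """Constructed minimal PE32 header plus a payload carrying the indicator strings."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, 224-byte opt header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR header RVA/size
    payload = (b"\0" * 16 + b"xClient.Core.Networking" + b"\0" * 8
               + ".NETFramework,Version=v4.0".encode("utf-16-le") + b"\0" * 8)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + payload


if __name__ == "__main__":
    for flag in (True, False):
        print(triage(build_sample_pe(flag)))
```

On the constructed .NET sample the verdict is `likely_quasar: True` with both indicators listed; the same strings inside a non-.NET PE stay at `False`, which is the point of requiring both signals rather than a lone string match.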

However, we are not here today to discuss this sample. We are here today to discuss Anon Hacks.

First of all, Anon Hacks did very well, reaching first place for the YouTube query “booter download”.

However, that is ruined by the detection rate of the payload he used (as shown above in the VirusTotal scan).

He most likely paid a lot for the obviously botted comments:

But then again, it is detected even by MSE.

Also, he DDoSed his own IP as proof?

Which brings forth a lot of confusion. He also performed the attack on port 80.

I am 100% sure that port 80 is open due to the fact that the creator of this video is most likely not capable of configuring Apache and therefore had no need to port-forward port 80. Why didn’t the sites load, you may ask? Most likely because the “booter” was hammering his CPU by opening thousands of sockets.

Despite all these mistakes, he enlightened us with a few things. First, the illiteracy of YouTube’s wannabe hackers.

Second, Anon Hacks showed us that YouTube is in fact a bulletproof web hosting service catering to cybercriminals worldwide: given the number of comments saying that the file is infected, the video would normally be gone already, which is not the case.

Finally, Anon Hacks displayed how easy it is to start a malware campaign that will get you 3 Indonesian hackers onto your Sub7 RAT. We advise caution when downloading malware and extreme caution when executing it.