Today we will be taking a look at RevCode.eu, a very very legal malware backed by a .eu domain and a very very long Terms of Service that was used in CEO fraud, as seen below. Who would’ve thought such legal software, advertised on the benign forums dubbed “HackForums”, would be used for such notorious cybercriminal purposes?
— Benkow moʞuƎq (@benkow_) July 26, 2017
First of all, we would like to note that despite being blatantly coded in VB6, a language from 2005, the developer claims that it is coded in “C/C++” (which shows that he does not know the difference between C and C++).
As we can see, the feature “RAM dump” is present. I am sure nobody has the intention of using this for PoS fraud and other very illegal things.
Let’s take a look at their website.
First of all, VB6 is not a revolution anymore; it was created in 2005 and could be considered deprecated. Second of all, why would you say “since 2017” when it is, in fact, 2017? “Since” is used to demonstrate experience and longevity on the market, which is exactly what you lack here.
RevCode is anything but P2P: not only do clients connect to a CnC, but the CnC of all customers is shared under the domain “RevCode.eu” (each customer gets a subdomain).
There are many more things I would like to say about this legal software, however I will move on to analysing the binary itself.
File size: 521.5 KB
File type: Generic CIL Executable
Initial analysis shows that the file is obfuscated with SmartAssembly.
After running de4dot on the binary, we get this at the entry point:
Note the lines
byte_ = Convert.FromBase64String(s);            // base64-decode the embedded blob
string_ = "gggggggesasasasasasasasasasasasasasa"; // hard-coded key string
byte[] byte_2 = Class22.smethod_17(string_, byte_); // decrypt the blob with the key
Inspecting smethod_17 reveals that it in fact is the decryption code.
After setting the breakpoint and executing, it is clear that byte_2 is in fact the decrypted binary.
We dump the file and get the payload.
File size: 336.0 KB
File type: MS Visual Basic 5.0-6.0 EXE
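When a dump is taken at the breakpoint on byte_2, the first thing to check is that the buffer really is a complete PE image and what it was built with; the "MS Visual Basic 5.0-6.0 EXE" verdict above comes from two markers that are easy to check by hand. The following is an added example (not code from the post or from RevCode): it carves the first valid PE header out of a dumped buffer, reads the machine type, and flags the VB5/VB6 project-header magic "VB5!" together with the MSVBVM60.DLL runtime import. The sample buffer is constructed inline and is not a real payload; the decryption routine smethod_17 is not reproduced because its algorithm is not given on the page, so the function takes the already-decrypted bytes as dumped.

```python
import struct

MACHINE_NAMES = {0x14C: "i386", 0x8664: "amd64"}


def build_sample_dump() -> bytes:
    """Constructed test input (not a real sample): some leading junk, then a
    minimal PE-shaped image carrying the VB6 markers."""
    pe = bytearray(0x200)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)      # e_lfanew -> PE signature at 0x80
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x84, 0x14C)     # IMAGE_FILE_MACHINE_I386
    pe[0x100:0x104] = b"VB5!"                   # VB5/VB6 project header magic
    pe[0x140:0x14C] = b"MSVBVM60.DLL"           # VB6 runtime import
    return b"\x00" * 16 + b"junk-before-image" + bytes(pe)


def carve_pe(blob: bytes):
    """Return (offset, image) for the first 'MZ' whose e_lfanew points at a
    valid 'PE\\0\\0' signature, or None. Breakpoint dumps often carry bytes
    that are not part of the image, so offset 0 is not assumed."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[pe_off:pe_off + 4] == b"PE\0\0":
                return pos, blob[pos:]
        pos = blob.find(b"MZ", pos + 1)
    return None


def pe_machine(image: bytes) -> int:
    """Machine field of the COFF header, 4 bytes past the PE signature."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return struct.unpack_from("<H", image, e_lfanew + 4)[0]


def looks_like_vb6(image: bytes) -> bool:
    """VB5 and VB6 binaries both carry 'VB5!'; the runtime DLL name tells
    VB6 (MSVBVM60) apart from VB5 (MSVBVM50)."""
    return b"VB5!" in image and b"MSVBVM60.DLL" in image


def triage_dump(blob: bytes) -> dict:
    """Summarise a dumped buffer: is there a PE, where, for which machine,
    and does it look like a VB6 executable."""
    found = carve_pe(blob)
    if found is None:
        return {"pe_found": False}
    offset, image = found
    return {
        "pe_found": True,
        "offset": offset,
        "machine": MACHINE_NAMES.get(pe_machine(image), "unknown"),
        "vb6": looks_like_vb6(image),
    }


if __name__ == "__main__":
    print(triage_dump(build_sample_dump()))
```

The marker check is deliberately a substring scan rather than a walk of the import directory, which is enough for triage of an unpacked image but will also fire on a buffer that merely embeds a VB6 executable; parse the imports when an exact answer matters.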
Since the file is VB6, we can simply use VB Decompiler Pro to decompile it. After decompilation, we get all of the project files.
One of the first functions called is APP_INIT. As it turns out, the author has no idea what encrypting strings in a binary means, despite boasting an AES-encrypted connection.
As we can see, some of the functions called are Proc_2_136_41CB4C, Proc_2_14_421824 and Proc_2_35_418D50.
Proc_2_136_41CB4C is simply a wrapper for SHGetFolderPathW, as it turns out; Proc_2_14_421824 is a file-writing function built on the CreateFileW and WriteFile APIs. Proc_2_35_418D50 executes the installed binary and exits, nothing interesting.
Scrolling down in APP_INIT, we can finally see the connection code.
We will focus on the following snippet of code:
After cleaning the code up a bit, we get this:
First, Proc_4_1_41F2CC() is a simple wrapper for the capGetDriverDescription API. Other data is collected as well, such as the computer name (Proc_2_38_41E858), the username of the current user (Proc_2_37_41EFA8) and the current windows (Proc_2_11_41D598). Proc_2_127_420F8C is a copy-paste of this MSDN entry.
RevCode also features a very HQ startup that is totally not runtime detected!
I mean have you ever heard of the Run registry key? I haven’t. In addition to that, using “On Error Resume Next” is terrible practice (thanks to TazzyOpz for pointing this out).
Let’s look at the config decryption code now.
As we can see, it is simply stored as a string and then decrypted. No checksums, no anti-crack, no anti-analysis whatsoever.
Let’s look at how RevCode handles their password recovery. Unfortunately the binary is no longer active, however we can still easily see that their Password Recovery is copy-pasted straight from NirSoft’s site.
List of recovered email clients from the website:
List of recovered email clients from NirSoft’s site:
This blatantly violates NirSoft’s license, which forbids commercial use of NirSoft’s utilities.
So much for their legality efforts, now they are going to have to deal with copyright issues as well.
Next, I was about to write a memory scanner that detects RevCode and removes it, however apparently they provided the tool themselves LOL? It can be downloaded from hxxps://revcode.eu/removal-tool/ and is also coded in VB6. So much for their self-proclaimed C/C++ stub: a VB6 base and .NET modules are found all over the place.
The memory signature provided by Revcode themselves:
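A memory scanner of the kind mentioned above reduces to a byte-pattern search with wildcards over the readable regions of a process. The following is an added example (not the post's code and not RevCode's removal tool): a minimal signature compiler and scanner in the usual "4D 5A ?? ??" notation, where "??" matches any byte, run over constructed memory regions. The signature used here is a placeholder built for the example; RevCode's own signature, shown in the post's image, is not reproduced.

```python
import re

# Placeholder signature, constructed for this example: "MZ", two wildcard
# bytes, then the VB5/VB6 project-header magic "VB5!". Not RevCode's signature.
SAMPLE_SIGNATURE = "4D 5A ?? ?? 56 42 35 21"


def compile_signature(sig: str) -> re.Pattern:
    """Turn a space-separated hex signature with '??' wildcards into a bytes
    regex. Every literal byte is escaped so regex metacharacters in the
    signature (e.g. 0x2E '.') are matched literally."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")                      # any single byte (DOTALL)
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan_memory(regions, sig: str):
    """regions: iterable of (base_address, bytes) pairs, as a memory dumper
    would hand them over. Returns absolute addresses of every match, in the
    order the regions are given."""
    pattern = compile_signature(sig)
    hits = []
    for base, data in regions:
        for match in pattern.finditer(data):
            hits.append(base + match.start())
    return hits


def build_sample_regions():
    """Constructed process memory (not a real dump): two regions that contain
    the placeholder pattern and one near miss."""
    hit = b"MZ\x90\x00VB5!"
    return [
        (0x00400000, b"\x00" * 0x10 + hit + b"\xCC" * 8),
        (0x7FF00000, b"MZ\x90\x00VB6?" + b"\x00" * 4),   # last bytes differ: no hit
        (0x00010000, b"\x41" * 5 + hit),
    ]


if __name__ == "__main__":
    for addr in scan_memory(build_sample_regions(), SAMPLE_SIGNATURE):
        print(f"signature hit at 0x{addr:08X}")
```

Two caveats a defender should keep in mind when turning this into a real tool: a pattern that straddles the boundary between two consecutive regions is not found unless the regions are read with overlap, and a signature this short will also match the scanner's own copy of the pattern if it lives in a scanned region, so exclude the scanner's own pages or use longer patterns.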
Summary: Boring, copy-pasted VB6 malware that claims to be written in “C/C++” and also has .NET dependencies for some modules. Provides a removal tool for itself in an attempt to look legal, but violates copyright law, so I guess not.