“SkidSquad” investigation.

Posted on

Hello fellow WormMen.

Today we will be taking a look at some more malware found on the YT EK.

(A brief thank you to Eugene Kaspersky for directing this sample to K.I.T.)

KEY: “Chomp” = “byte”

This malwareman has won “War of the architecutres” by forcing a 32 bit processor to successfully run a 64 bit Windows release!

We shall now create a domain and force Virustotal to ‘scan’ said domain.

As we can see, this spooky domain has been detected as a “Botsquid Variant.” Not good.

So, we shall now take a look at this illegal malware.

This class seems to have some very odd features indeed (For a game hack.)

Here we have an attempt to lower detections (& maybe “anti RE”?) by replacing the all ‘A’ chomps with ‘,’, ‘B’ chomps with ‘.’ & ‘v’ chomps with ‘=’.
We can either manually replace said chomps, or just add a cheeky little snippet of code.

The chomp payload has been set!

After setting a breakpoint at line 63 (Powershell payload,) we can steal the chomp array from memory.

This chompware seems to be created using Delphi. Could we be dealing with a cometman here?

Manifesto time.

————————————————————————

CompanyName = Microsoft Corp. // An unsigned tool released by microsoft?
FileDescription = Remote Service Application // I’m sure this is just for when Microsoft decide to help me fix an issue. (DC Sig x1)
FileVersion = 1, 0, 0, 1
InternalName = MSRSAAP // DC Sig x2
LegalCopyright = Copyright (C) 1999 // 1999????????
LegalTradeMarks = ***
OriginalFilename = MSRSAAP.EXE // DC Sig x3
ProductName = Remote Service Application // DC Sig x4
ProductVersion = 4, 0, 0, 0
Comments = Remote Service Application DC Sig x5
————————————————————————

Lets take a look at some of the strings of said Delphiware.

Now why would a game cheat need network access?

And why would a rootkit be required for a browser based game?

Oh noes! Infections, startup, PasswordAndData… : ( I thought this was a cheat?

Now I’m mad! Lets locate this malwareman.

As procmon suggests(FUCK ONLINE SANDBOXES,) this game cheat is making TCP connections to “191.96.6.55.”

The port (1605) is ooooone value above the default DC port. Did the ISP block port 1604 from being opened?
Sadly, this internet pineapplecol is a Brazilian server 🙁

The question today is: Why use ‘evasive’ techniques (refer to the Powershell payload with dodgy base64) to load VERY detected malware onto a machine?

“SkidSquad” is currently under investigation by the K.I.T Task Force Dorito 1.

 

Bayside RAT – Analysis of BildungIstSuper’s new malware

Posted on

Hello, today I would like to discuss a new malware known to the public as “Bayside RAT”. Bayside RAT is attributed to “BildungIstSuper”, a German malware developer who started a malware group known as “BotSquad”.

BildungIstSuper is known for releasing malware that either (1) doesn’t function or (2) are backdoored and doesn’t function. Some of his previous creations include “BotSquad RAT”. Bayside (also known to some as BotSquad RAT v2.0), is a new version of BotSquad RAT that has some major changes to it.

Sample information:
SHA256: 735a3db863fe7f739d30dec424da4cd3481477c13b98d7cc665bfa47bc59c5ef
File Type: Generic CIL Executable
VirusTotal: https://www.virustotal.com/#/file/735a3db863fe7f739d30dec424da4cd3481477c13b98d7cc665bfa47bc59c5ef/detection

From the first glance, we could see that the sample is detected as “MSIL.Backdoor.Bladabindi.a” by multiple AV vendors. This is due to the fact that Bayside RAT is 99% pasted (which we will discuss later on). Let’s take a look at the sample itself. Preliminary analysis reveals that the sample is packed with Crypto Obfuscator, which de4dot is easily able to handle. We proceed to deobfuscate it and continue with our analysis.

 

Deobfuscated/Unpacked sample information:
SHA256: 83586da5c319d51c409480ba8494e51fa5249b833f9a2b9a3a4f674df23e85e8
File Type: Generic CIL Executable
VirusTotal: https://www.virustotal.com/#/file/83586da5c319d51c409480ba8494e51fa5249b833f9a2b9a3a4f674df23e85e8/detection

The first thing we noticed when opening the deobfuscated file in DnSpy is the class names.

What could this be but a blatant indicator of pasted code from Plasma HTTP, an ancient malware from 2014?

Opening Form1_load(), we notice something strange…

The file stores configuration data in the file overlay/EOF and using a string delimeter. This technique is very old and is no longer used by any malware developer as it makes crypting effectively impossible. The data is also strangely stored in plaintext, which shows the developers’ incompetence and renders the usage of an obfuscator useless.

The next thing we noticed is that, well, there’s a backdoor inside Bayside RAT. This allows the coder, BildungIstSuper to seize control of all the bots obtained by his customers by updating a pastebin entry.

At the time of this post, the pastebin entry is not officially inside the code yet, as we can see in the snippet above, however it is clear that the intention of such code is for no reason other than botjacking. The URL to the direct executable results in a 404.

The next thing we notice is the hardcoded installation path. Not only is the hardcoding of such a bad idea but naming one’s malware “svchost.exe” and putting it in %appdata%\Microsoft\svchost.exe without any variations again shows the incompetence of the developer.

The malware uses the typical run key for startup.

One would normally think that malware are used to gain profit. But no, the author of Bayside RAT decided to add features that are of no use, such as the folder bombing feature. This miraculous feature creates 150 directories inside the main paths (such as Desktop, Document, etc) and even the C drive (which is hardcoded, which means anyone who renames their partition to D:\ or something else are immune to this).

What else does Bayside RAT have to offer? Well, it’s none other than a specially pasted keylogger from NjRAT, guaranteed runtime detection by major AV vendors. Bayside also uses a static path for saving logs, which further provides a detection vector and

In conclusion to this public report, we will conclude with the following checklist of things we discovered while analyzing Bayside RAT:

Pasted? ✔
Backdoored? ✔
Detected? ✔
Uncryptable? ✔
.NET? ✔
Incompetent dev? ✔
Terrible practices? ✔
Pretty much a scam? ✔

This investigation was performed by the Krabs Investigation Team (K.I.T) and the AntiNanomen sector of KrabsOnSecurity. Join the KrabsOnSecurity discord and the AntiNanomen discord to stay up to date with the latest information discovered by K.I.T. 

Revcode WebMonitor – The Legal Malware used in CEO Fraud

Posted on

UPDATE: On 11 August, 2018, the author of Revcode contacted me and threatened to sue me for libel. I wish him the best of luck in this venture.

The file came in via this archive containing fake agreements for bank transfer as well as malicious executable files (Facture1.exe and Facture.exe). The revcode sample is Facture.exe.

Today we will be taking a look at RevCode.eu, a very very legal malware backed by a .eu domain and a very very long Term of Service that was used in CEO Fraud, as seen below. Who would’ve thought such legal software being advertised on the benign forums dubbed “HackForums” would be used for such notorious cybercriminal purposes?

First of all, we would like to note that despite being blatantly coded in  VB6, a language from 2005, the developer claims that it is coded in “C/C++” (which shows how he does not know the differences between C and C++)

As we can see, the feature “RAM dump” is present. I am sure nobody has the intention of using this for PoS fraud and other very illegal things.

Let’s take a look at their website.

First of all, VB6 is not a revolution any more, it was created in 2005 and could be considered depracated. Second of all, why would you say “since 2017” when it is in fact, 2017? The “since” is used to demonstrate experience and longevity on the market, which is exactly what you lack here.

Revcode is anything but P2P, not only do clients connect to a CnC but the CnC of all customers are shared under the domain “RevCode.eu” (each customer get a subdomain).

There are many more things I would like to say about this legal software, however I will move on to analysing the binary itself.

SHA256: f5d102961183552e759d54c5c7b0e4ec37b10e399a8e90dd98a5136ab0c3eae5
File size: 521.5 KB
File type: Generic CIL Executable

Initial analysis shows that the file is obfuscated with SmartAssembly.

After using de4dot on the binary, we get this at the entrypoint:

Note the lines

byte_ = Convert.FromBase64String(s);
string_ = “gggggggesasasasasasasasasasasasasasa”;
byte[] byte_2 = Class22.smethod_17(string_, byte_);

Inspecting smethod_17 reveals that it in fact is the decryption code.

After setting the breakpoint and executing, it is clear that byte_2 is in fact the decrypted binary.

We dump the file and get the payload.

SHA256: 021c739a365bbdab97df0945a535cb9c4b5128a5ef77c8ce8f274ac9e4ff8d2d
File size:  336.0 KB
File type: MS Visual Basic 5.0-6.0 EXE

Since the file is VB6, we easily use VB Decompiler Pro to decompile it. After decompilation, we get all of the project files.

One of the first functions called is APP_INIT. As it turns out the author has no idea what encrypting string in a binary is, despite boasting AES encrypted connection.

As we can see, some of the functions called are Proc_2_136_41CB4C, Proc_2_14_421824 and  Proc_2_35_418D50.

Proc_2_136_41CB4C is simply a wrapper for SHGetFolderPathW as it turns out, Proc_2_14_421824  is  a function for writing file which uses the APIs CreateFileW and WriteFile. Proc_2_35_418D50 executes the installed binary and exits, nothing interesting.

Scrolling down in APP_INIT, we can finally see the connection code.

We will focus on the following snippet of code:

After cleaning the code up a bit, we get this:

First, Proc_4_1_41F2CC() is a simple wrapper for the capGetDriverDescription API. Other data such as the computer name (Proc_2_38_41E858), username of the current user (Proc_2_37_41EFA8), the current windows (Proc_2_11_41D598). Proc_2_127_420F8C is a copy paste of this MSDN entry.

RevCode also features a very HQ startup that is totally not runtime detected!

I mean have you ever heard of the Run registry key? I haven’t. In addition to that, using “On Error Resume Next” is terrible practice (thanks to TazzyOpz for pointing this out).

Let’s look at the config decryption code now.

As we can see,  it is simply stored as a string and then decrypted. No checksums, no anti crack, no anti analysis whatsoever.

Let’s look at how Revcode handles their password recovery. Unfortunately the binary is no longer active, however we can still easily see how copy pasted their Password Recovery is straight from their site.

List of recovered email clients from the website:

List of recovered email clients from NirSoft’s site:

This blatantly violates NirSoft’s license against commercial usage of Nirsoft’s utilities.

So much for their legality efforts, now they are going to have to deal with copyright issues as well.

Next, I was about to write a memory scanner that detects RevCode and removes it, however apparently they provided the tool themselves LOL? It could be downloaded from hxxps://revcode.eu/removal-tool/ and is also coded in VB6. So much for their self proclaimed C/C++ stub, VB6 base and .NET modules are found all over the places.

The memory signature provided by Revcode themselves:

Summary: Boring copy pasted VB6 malware that claims to be in “C/C++”, also has .NET dependencies for some modules. Provides a killer for self in an attempt to look legal but violates copyright laws so I guess not.

Unpacking fudPE – A new crypter

Posted on

fudPE is not your ordinary malware packer. Unlike the malware we normally analyze on this blog, fudPE did not originate from the private criminal youtube-exploit-kit-distributing malwarehole dubbed “HackForums”. fudPE only appeared on HF after having established a presence on other underground forums such as exploit.in. Today we will analyze a payload packed with fudPE that’s found thanks to Malware Traffic Analysis.

Sample information:

MD5: 5C93EA890E0D02187193EC7ED5149F49
Filetype: Portable Executable 32
VirusTotal scan: https://www.virustotal.com/en/file/261e2d1eab2af48a416252416a1a1d529fc48d939e09fd7d43609505ee1336ec/analysis/1500568298/

First we will discuss how to recognize a fudPE sample with both static and dynamic analysis. Statically, we could see that ALL fudPE crypted executables are wrapped with Nullsoft.

We then proceed to dynamic analysis and execute the file in a controlled environment (aka a sandbox or a VM). After running and immediately suspending the file, we could see that a DLL is dropped with a random name and loaded (in this case parrels.dll is the name)

The process then hollow another copy of itself to execute the payload and then exit. That is pretty much the basic way of identifying a fudPE packed payload. Let us proceed to the unpacking process. In order to unpack, we open the file up in OllyDbg.

Searching for intermodular calls, we could see a call to CreateProcessA. Keep in mind that this is a part of Nullsoft’s stub, not a part of the actual fudPE code. However we use it as a pivoting point to get to the real code.

Pressing enter after selecting the call, we get into the CreateProcessA function. Here, we set a breakpoint in order to intercept fudPE’s process creation.

We let the file run until the breakpoint is hit. As we can see from the stack, the CREATE_SUSPENDED flag is used, which pretty much indicates that this is a runPE/Process Hollowing attempt.

We step out of the call and into the real malicious code. As we can see, we are in the parrels module.

We could see from the call located at 003E250D that GetProcAddress is used in order to resolve API names. We then step into the call like we did with CreateProcessA and set a breakpoint.

We let the file run and check the stack everytime the breakpoint was hit until we see the API WriteProcessMemory or NtWriteVirtualMemory (in the case of fudPE it is the first) being resolved.

We step over until we hit the RET instruction. The address of WriteProcessMemory is now in EAX, and we can follow it in the dissasembler by right clicking the value of EAX and selecting “Follow in Dissasembler” and set a breakpoint inside the function just like we did GetProcAddress and CreateProcessA. We let the executable run until the breakpoint is hit.

According to the MSDN page for WPM, the parameters for the function call are

HANDLE hProcess,
LPVOID lpBaseAddress,
LPCVOID lpBuffer,
SIZE_T nSize,
SIZE_T *lpNumberOfBytesWritten

lpBuffer is what we are looking for and is the third parameter, so we shall take a look at the third value in stack which is 00194C40. We right click, select “Follow in Dump” and got a very nice PE header. Just what we are looking for.

Next, we open Process Hacker up and double click the main process. We could easily see that the largest value in the memory tab that is less than the address above is 0x170000 (which also happens to be the Heap).

We expand 0x170000.

As we can see, 0x1a2000 is larger than  the value we are looking for (0x194c40), so we right click 0x170000 and save it. We open the saved memory file up in HxD.

We then search for the location of the payload using the search feature.

Once found, we select all the bytes before MZ and remove them. Save the file and you have your original payload with some overlay data added.

We proceed to use ExeinfoPE to remove the overlay data.

And voila, we have the payload, which in this case is the Godzilla Loader. The fact that this is a Godzilla Loader sample tells a lot about the customer base of fudPE, since Godzilla is a very pricy loader @ around $600 per build and is not sold on HF. With this information we could safely assume that HF is a secondary marketplace for fudPE only while the main marketplaces are forums like exploit.in. A very dangerous threat indeed, however now with this information reverse engineering binaries protected by fudPE will prove to be easier for our dear readers.

A small side note:

I would like to remind our readers (and Armada) that the term “unlike” when used like this shows that the later noun group (in this case “your .NET trashware”) is not what is being reverse engineered, but rather the prior noun group (in this case “some proper malware”), which renders Armada’s response invalid.

 

Edit: Right after the posting of this article, the cybercriminal forums HackForums went down  for maintainence. Coincidence? I think not.

Anon Hacks, another distributor of malware packed with CyberSeal on Youtube

Posted on

Today we will take a look at Anon Hacks, a new threat that only arrived in Early 2017. The threat can be found at hxxps://www.youtube.com/channel/UCTgfS2E9Pll8HZjIEmvEyPw. We will look at one of the APTs distributed by this threat actor today, Anon Booter.exe

Sample information:
MD5: 6e202a803b6f139206d1afbc70962f5e
SHA1: 2a7fb32ad232e37c4eb267971193d5616c304bd8
File Type: x86 .NET Assembly
Virustotal: https://www.virustotal.com/en/file/f7ad57f7b4339be5d153be997a77d98c8217c47aa9112ad0892104764f462b77/analysis/1499839535/

After a scan with Exeinfo PE, we could easily see that the module is obfuscated with SmartAssembly, a strong indicator of the evergrowing APT known as “CyberSeal”. In order to unpack, we follow the HQ tutorial that can be found on the KrabsOnSecurity Youtube Channel.

In this case, the line where we break would be line 254 of class #G in the namespace #A. Stepping over it reveals the binary.

Dumping it reveals a very spooky file.

Scanning the file on VirusTotal reveals just about nothing, however it is most likely a sample of Quasar RAT due to the binded libraries as well as the fact that it depends on the .NET 4.0 framework. xClient is the name of an old version of Quasar RAT which was kept on the latest version however, so we can conclude that the sample is indeed Quasar, as confirmed by other reverse engineers.

However we are not here today to discuss this sample. We are here today to discuss Anon Hacks.

First of all Anon Hacks did very great getting first place on the youtube query “booter download”.

However that is ruined by the detection rate of the payload he used (as shown above in the VirusTotal scan).

He most likely paid a lot for the obviously botted comments:

But then again it is detected even by MSE

Also he DDoSed his own IP as proof?

Which brings forth a lot of confusion. He also performed the attack on port 80.

I am 100% sure that port 80 is open due to the fact that the creator of this video is most likely not capable of configuring Apache and therefore had no need to portforward port 80. Why didn’t the sites load you may ask? Most likely due to the fact that the “booter” was raping his CPU by opening thousands of sockets.

Despite all these mistakes, he enlightened us with a few things. First, the illiteracy of Youtube’s wannabe hackers.

Second, Anon Hacks showed us that Youtube is in fact a bulletproof webhosting service catering cybercriminals worldwide, as with the amount of comments saying that the file is infected, the video normally would be gone already, which is not the case.

Finally, Anon Hacks displayed how easy it is to start a malware campaign that will get you 3 Indonesian hackers onto your Sub7 RAT. We advise caution when downloading malware and we advise extreme caution when executing them.