Bitcoin Investment Scam Leads to an AutoIT Malware
Today I've noticed a mail in my spam box in my gmail account, I've decided to check what it is all about out of curiosity.
The email looks like this:
As I said earlier it is kind of obvious what is going on here, the script read obfuscated data, which is most likely an encoded executable which might be the final payload of this attack chain.
This can be further seen in figure 14, as there are binary and byte manipulation functions scattered across the script.
The final payload can be as Suricata alerted, a NanoCore RAT, could be some other RAT or some information stealer, I don't have time currently to try to fully de-obfuscate the AutoIT script, perhaps in another blog post.
If you want to check if you were affected, perhaps check the following IoC as it is clear indication to a connection to this campaign:
Stay Safe!
The email looks like this:
Fig 1: BTC Investment Mail
First of all, I have never invested in Bitcoin, and I have no idea who is this "Tuan Son Le" persona, which is most likely a fake name.
Secondly, there is no "to:" address in the mail, I am only bcc'd, which is also alarming.
Lastly, if all of the above is not obvious signs of scam and malicious activity, the PNG image in the signature is not view-able, and this "Investor" asked us to look at it, to see his company performance.
This is actually done on purpose, to lure us onto trying to click on that supposed to be image, as the attached image, which has the same filename as the non view-able image, is actually a link to download a file from dropbox.
The hidden link goes to the following URL: https://www.dropbox.com/s/84qkf6t18tr2hxk/BITCOIN_TRANSACTION.UUE?dl=1
The downloaded file is allegedly an UUE file, but this is just a simple zip archive, this meant to avoid detection and lower suspicion: https://www.winzip.com/uue-file.htm
If we open this file, we will find the malware inside the archive.
Fig 2: MD5 Hashes of the Malicious Files and their Types
I was hoping this would be some kind of ransomware, so I sent this file to an online sandbox service after I couldn't find the hashes on VirusTotal.
The Sandbox results were somewhat interesting, as I mentioned earlier, hash not found on VirusTotal, CrowdStrike Falcon said it is clean... but the sandbox gave it 100/100 malicious score if you didn't believe me yet. There was loads of malicious activity and indicators, but it wasn't a ransomware, couldn't see precisely what was the final payload, so I had to go deeper, although there was a Suricata alert saying it could be NanoCore RAT.
Fig 3: Suricata Alerts on Possible NanoCore RAT Traffic
Fig 4: The Cute Koala Icon is Misleading, This is Malware
The sandbox analysis also showed the file contain a PDB path which is: "d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb".
If this not enough, the sandbox also identified the executable file as RAR SelF eXtracting archive (SFX).
Obviously, I extracted it and started to get a grasp of what is going on here.
Fig 5: Extracting the SFX Present Gibberish
If you haven't worked with SFX files before you might find this confusing, what is Eminem doing on my screen when I extract???
SFX files contain a comment section, which also includes instructions for the installer/extractor, this gibberish text is also a decoy so perhaps we won't find the instructions... this is useless as F.
As seen in figure 6 above, the files are being extracted to Windows's temp folder under a predefined directory (Path=%temp%\53481935), after the extraction completes the "Setup" variable instructs what to execute, which in our case is "vsm.exe tew=ppg".
What is vsm.exe? lets inspect the extracted files:
Fig 7: Extracted Files List
As seen in figure 7 above, there are a lot of small files with different extensions, as well as the vsm.exe executable and the "tew=ppg" file which is passed as parameter.
If you didn't recognize the icon of vsm.exe, it is the icon of AutoIT, if you haven't heard about it, it is a scripting language, you can read more about it in this link.
Fig 8: vsm.exe is Actually AutoIT
The obvious deduction is that the "tew=ppg" file is the actual script that AutoIT will execute, lets inspect it, shall we :)
Fig 9: Few Lines of the "tew=ppg" Script
As can be seen in figure 9 above, the first ~200 lines are just repetitive includes to all the weird files that are seen in figure 7, except on line 210 there is variable that being assigned a value of one specific filename. This specific file "noc,mp3" has the size of 639KB while the other files are less than 1KB.
Fig 10: The Contents of "noc.mp3"
You might already figured yourself what is going on here, but let's continue going over the "tew=ppg" Script.
Fig 11: AV Detection
About 100 lines of repetitive includes and we can see the script checks if Avast AV exists (figure 11) on the system. I will spare you another screenshot as the instructions of the "If" condition are located about 100 line below those repetitive includes, if Avast exist, the script will "Execute("Sleep(20000)")".
After hundreds of more repetitive includes, there are different calls to read some information from the "noc.mp3" file which was assigned as variable in figure 9.
Fig 13: Contents of "S3tting" from "noc.mp3"
Fig 14: Data Manipulations Functions Inside "tew=ppg" Script
This can be further seen in figure 14, as there are binary and byte manipulation functions scattered across the script.
The final payload can be as Suricata alerted, a NanoCore RAT, could be some other RAT or some information stealer, I don't have time currently to try to fully de-obfuscate the AutoIT script, perhaps in another blog post.
If you want to check if you were affected, perhaps check the following IoC as it is clear indication to a connection to this campaign:
Fig 15: IP & DNS of C&C Server
Comments
Post a Comment