We have been tracking a campaign involving the SpyAgent malware that abuses well-known remote access tools (RATs) - namely TeamViewer - for some time now. While previous versions of the malware have been covered by other researchers, our blog entry focuses on the malicious actor's latest attacks.
We've observed a new cryptocurrency related campaign that abuses a legitimate Russian RAT known as Safib Assistant via a newer version of the malware called SpyAgent. This involves the exploit of a DLL sideloading vulnerability, which causes a malicious DLL to load. This DLL hooks and patches various API functions called by the RAT. This results in the RAT windows being hidden from a user.
The malicious DLL then begins reporting the RAT's ID, which the malware operator needs to connect to and control the infected machine. The malware sets the access password to a fixed one, so that merely knowing the RAT's ID is enough for the attacker to successfully connect to the infected machine.
The malware dropper of SpyAgent is distributed via fake cryptocurrency-related websites that are usually in the Russian language. The dropper poses as a fake cryptocurrency wallet, miner, or surfing plug-in. Figures 1 to 4 are some examples of these fake websites.
Figure 1. Fake cryptocurrency wallets in Russian
Figure 2. Fake cryptocurrency miners in Russian
Figure 3: Fake surfing plug-in to earn dogecoin
Figure 4. Fake surfing plug-ins to earn bitcoin
When a user visits one of these websites, a file-downloading dialog box (offering to download a SpyAgent dropper) usually appears immediately, after which the victim is prompted to save and run the executable file.
How a victim winds up on these fake websites varies. One kind of social engineering technique that we observed involves advertisements published on "earn cryptocurrency for browsing" websites, such as the ad in Figure 5. It should be noted that not all websites offering cryptocurrency in exchange for views are necessarily malicious. In the following screenshot, however, the screenshot shows a malicious website that promotes a fake cryptocurrency-related website.
Figure 5. Malicious advertisement leading to the malicious website
After opening the link, the victim is immediately redirected to one of the fake cryptocurrency websites where a dialog box for saving the fake application immediately appears.
Figure 6. Website with a fake bitcoin bot
Social media is also used as an infection vector, as shown in the tweet in Figure 7. Interestingly, the Twitter account behind it seems to be legitimate, although possibly compromised.
Figure 7. User spreading a link to a fake website via Twitter
Due to search engine optimization (SEO), simply searching for the right keywords might result in the inclusion of these websites in search results.
Figure 8. Search engine returning the link to a fake "Doge Miner" website
The dropper is usually created using the Nullsoft Scriptable Install System (NSIS) installer (although in the past we have seen variants created with Inno Setup), a powerful tool for creating scriptable program installers. The dropper (NSIS installer) file contains just one randomly named encrypted binary file.
Figure 9. Installer with one randomly named binary file
The NSIS installer script then calls Microsoft CryptoAPIs to decrypt the binary file, which then becomes a 7-Zip archive that will extract the files. Figure 10 shows a string (tno7wul0zusmglmdl) used for deriving the decryption key on line 578.
Figure 10. Code showing a password to derive the RC4 decryption key used to decrypt random binary files
Figure 11. MD5 hashing of the password
Figure 12. Deriving RC4 key
The dwFlags parameter (see value 0x280011) tells us the length of the key modulus in bits, which is set with the upper 16 bits (0x28 / 8 = 40 / 8 = 5 bytes ). Lower 16 bits are flags CRYPT_EXPORTABLE and CRYPT_NO_SALT.
Therefore, the first five bytes of the MD5 of the string for key derivation is the RC4 key used to decrypt the 7-Zip archive.
Figure 13. Documentation explaining the computation of the length of the key
The extracted 7-Zip archive contains several files, most of which are legitimate non-malicious files belonging to the RAT. In Figure 14, only those files in red indicate the additions by malware developers.
The batch file (.bat) is a starter of the main executable (Assistant, ast.exe) file, while the Config file (.cfg) contains encrypted configuration. The bitmap file (.bmp) is used for deriving the key to decrypt the config file. Finally, the quartz.dll is the malicious DLL containing the malware that is sideloaded by ast.exe. Although the real length of the quartz DLL is several dozens of kilobytes, its length is artificially inflated by appending a huge overlay of zeroes. This is likely to prevent or discourage some security solutions from uploading these large files for further analysis.
Figure 14. Contents of the 7-Zip archive with the RAT. The files in red are the ones added by the malware developer.
Analysis of the sideloaded DLL
The DLL is responsible for decrypting the config file. Initially, the first byte of the config file is checked. If its value is 0x01, it means that the malware runs for the first time and the config file is encrypted with a key derived from the bitmap file.
Otherwise, if the value of the first byte in the config file is 0x00, it means that the config file is encrypted with a key derived from the SOFTWAREMicrosoftCryptographyMachineGuid value.
The key derivation has four steps:
1) The CRC32 checksum of the input (.bmp file) is computed.
2) The checksum is converted to a hexadecimal string (eight characters), and all characters are converted to uppercase.
3) The MD5 hash is computed.
4) The hexadecimal string representation of the hash (32 characters) is used as the RC4 password to decrypt the config file.
After decryption, the configuration file contains the URL address of the command-and-control (C&C) server. From this URL address, the domain part is used as a key for another decryption - this time the decryption of part of the DLL's executable code, since a part of the DLL is a self-modifying code.
Figure 15. Function call to the encrypted code before decryption (top) and after decryption (bottom)
The first decrypted function is responsible for resolving the API function addresses, while the second decrypted function is responsible for hooking various functions and altering the default behavior of the RAT.
The following table shows the important hooked functions and their effects on the RAT:
Table 1. The important hook functions of the decrypted function
Changes the registry using the RAT configuration from astSS to astSS1
Extracts the RAT's ID when it is saved to the registry. It then starts two threads, a C&C communication thread and an idleness monitoring thread.
Ensures that the RAT's window is not shown
Ensures that the RAT's window is not shown
Disables showing the RAT's windows
Disables the log file that the RAT creates by default
Sets command-line parameters to start the RAT as a hidden process in the background, sets the connection password stored in registry to a known fixed password, and starts a thread responsible for killing task manager and process explorer
When the RAT is run normally and is not hijacked by malware, a window like the screenshot shown in Figure 17 will appear. It is important to note the nine-digit number (captured by the hook of RegSetValueKeyEx) and the four-digit number (overridden by the registry setting set by the hook of GetCommandLine). This window is not shown at all as an effect of hooking FindWindow, RegisterClass, and ShowWindow.
Figure 16. The RAT's window when it is run normally. The nine-digit number is the ID and the four-digit number is the password.
Finally, we will analyze the two threads. The C&C communication thread regularly makes a GET request to <_c26_c domain="">/<_c26_c path="">?id=<9digit number>&stat=. The environment hash is computed as an MD5 hash of string created by concatenating the following five values:
Value 1 = to_uppercase(crc32(HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyMachineGuid))
Value 2 = to_uppercase(crc32(HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionProductName))
Value 3 = to_uppercase(crc32(user name))
Value 4 = to_uppercase(crc32(computer name))
Value 5 = concatenate Value1 Value2 Value3 Value4
It might receive a response in the following format:
The idleness monitoring thread monitors pressed keys and selecting or dragging movements. If the user is idle for more than one minute, it sends a sidl(start idle) request with the time when the user became idle:
<_c26_c domain="">/<_c26_c path="">?id=<9digit number>&stat=&sidl=
The length of idleness is then regularly submitted in a cidl (count of idle) parameter:
<_c26_c domain="">/<_c26_c path="">?id=<9digit number>&stat=&cidl=
When the user becomes active again, the malware sends an eidl (end of idle) request:
<_c26_c domain="">/<_c26_c path="">?id=<9digit number>&stat=&eidl=&cidl=
The idleness monitoring thread allows the malware operator to choose the proper time when the victim is not present in order to stay unnoticed.
SpyAgent usually downloads other malware to perform additional tasks such as stealing important data.
We noticed using SpyAgent downloading the following commodity stealers:
Clipper (a clipboard replacer that replaces various cryptocurrency addresses with those controlled by the malicious actor)
We also noticed other RATS being used in the campaign, such as:
The threat actor behind this malware seems to have a straightforward financial motivation and typically aims to steal credentials and cryptocurrency wallets while also replacing cryptocurrency addresses shared via clipboard.
Fortunately, defending oneself against these attacks is also straightforward. Given the malicious actor's use of traditional social engineering techniques such as fake websites, malicious advertisements, and spurious social media posts, users should practice due diligence and avoid selecting any suspicious links or visiting dubious websites. We also encourage users to perform security best practices such as bookmarking trusted sites and practicing caution when visiting new websites, especially those that are prone to being abused for social engineering attacks.
Indicators of Compromise (IOCs)
The IOCs used in this analysis can be found here.