Log in
E-mail
Password
Show password
Remember
Forgot password ?
Become a member for free
Sign up
Sign up
New member
Sign up for FREE
New customer
Discover our services
Settings
Settings
Dynamic quotes 
OFFON
  1. Homepage
  2. Equities
  3. Japan
  4. Japan Exchange
  5. Trend Micro
  6. News
  7. Summary
    4704   JP3637300009

TREND MICRO

(4704)
  Report
SummaryQuotesChartsNewsRatingsCalendarCompanyFinancialsConsensusRevisions 
SummaryMost relevantAll NewsOther languagesPress ReleasesOfficial PublicationsSector news

Trend Micro Incorporated : Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites

11/29/2021 | 07:01am EST
Introduction

We have been tracking a campaign involving the SpyAgent malware that abuses well-known remote access tools (RATs) - namely TeamViewer - for some time now. While previous versions of the malware have been covered by other researchers, our blog entry focuses on the malicious actor's latest attacks.

We've observed a new cryptocurrency related campaign that abuses a legitimate Russian RAT known as Safib Assistant via a newer version of the malware called SpyAgent. This involves the exploit of a DLL sideloading vulnerability, which causes a malicious DLL to load. This DLL hooks and patches various API functions called by the RAT. This results in the RAT windows being hidden from a user.

The malicious DLL then begins reporting the RAT's ID, which the malware operator needs to connect to and control the infected machine. The malware sets the access password to a fixed one, so that merely knowing the RAT's ID is enough for the attacker to successfully connect to the infected machine.

Infection vector

The malware dropper of SpyAgent is distributed via fake cryptocurrency-related websites that are usually in the Russian language. The dropper poses as a fake cryptocurrency wallet, miner, or surfing plug-in. Figures 1 to 4 are some examples of these fake websites.

Figure 1. Fake cryptocurrency wallets in Russian
Figure 2. Fake cryptocurrency miners in Russian
Figure 3: Fake surfing plug-in to earn dogecoin
Figure 4. Fake surfing plug-ins to earn bitcoin

When a user visits one of these websites, a file-downloading dialog box (offering to download a SpyAgent dropper) usually appears immediately, after which the victim is prompted to save and run the executable file.

How a victim winds up on these fake websites varies. One kind of social engineering technique that we observed involves advertisements published on "earn cryptocurrency for browsing" websites, such as the ad in Figure 5. It should be noted that not all websites offering cryptocurrency in exchange for views are necessarily malicious. In the following screenshot, however, the screenshot shows a malicious website that promotes a fake cryptocurrency-related website.

Figure 5. Malicious advertisement leading to the malicious website

After opening the link, the victim is immediately redirected to one of the fake cryptocurrency websites where a dialog box for saving the fake application immediately appears.

Figure 6. Website with a fake bitcoin bot

Social media is also used as an infection vector, as shown in the tweet in Figure 7. Interestingly, the Twitter account behind it seems to be legitimate, although possibly compromised.

Figure 7. User spreading a link to a fake website via Twitter

Due to search engine optimization (SEO), simply searching for the right keywords might result in the inclusion of these websites in search results.

Figure 8. Search engine returning the link to a fake "Doge Miner" website
Dropper analysis

The dropper is usually created using the Nullsoft Scriptable Install System (NSIS) installer (although in the past we have seen variants created with Inno Setup), a powerful tool for creating scriptable program installers. The dropper (NSIS installer) file contains just one randomly named encrypted binary file.

Figure 9. Installer with one randomly named binary file

The NSIS installer script then calls Microsoft CryptoAPIs to decrypt the binary file, which then becomes a 7-Zip archive that will extract the files. Figure 10 shows a string (tno7wul0zusmglmdl) used for deriving the decryption key on line 578.

Figure 10. Code showing a password to derive the RC4 decryption key used to decrypt random binary files

This string is then hashed with MD5 algorithm (see constant 0x00008003).

Figure 11. MD5 hashing of the password
Figure 12. Deriving RC4 key

The dwFlags parameter (see value 0x280011) tells us the length of the key modulus in bits, which is set with the upper 16 bits (0x28 / 8 = 40 / 8 = 5 bytes ). Lower 16 bits are flags CRYPT_EXPORTABLE and CRYPT_NO_SALT.

Therefore, the first five bytes of the MD5 of the string for key derivation is the RC4 key used to decrypt the 7-Zip archive.

Figure 13. Documentation explaining the computation of the length of the key

The extracted 7-Zip archive contains several files, most of which are legitimate non-malicious files belonging to the RAT. In Figure 14, only those files in red indicate the additions by malware developers.

The batch file (.bat) is a starter of the main executable (Assistant, ast.exe) file, while the Config file (.cfg) contains encrypted configuration. The bitmap file (.bmp) is used for deriving the key to decrypt the config file. Finally, the quartz.dll is the malicious DLL containing the malware that is sideloaded by ast.exe. Although the real length of the quartz DLL is several dozens of kilobytes, its length is artificially inflated by appending a huge overlay of zeroes. This is likely to prevent or discourage some security solutions from uploading these large files for further analysis.

Figure 14. Contents of the 7-Zip archive with the RAT. The files in red are the ones added by the malware developer.
Analysis of the sideloaded DLL

The DLL is responsible for decrypting the config file. Initially, the first byte of the config file is checked. If its value is 0x01, it means that the malware runs for the first time and the config file is encrypted with a key derived from the bitmap file.

Otherwise, if the value of the first byte in the config file is 0x00, it means that the config file is encrypted with a key derived from the SOFTWAREMicrosoftCryptographyMachineGuid value.

The key derivation has four steps:

1) The CRC32 checksum of the input (.bmp file) is computed.

2) The checksum is converted to a hexadecimal string (eight characters), and all characters are converted to uppercase.

3) The MD5 hash is computed.

4) The hexadecimal string representation of the hash (32 characters) is used as the RC4 password to decrypt the config file.

After decryption, the configuration file contains the URL address of the command-and-control (C&C) server. From this URL address, the domain part is used as a key for another decryption - this time the decryption of part of the DLL's executable code, since a part of the DLL is a self-modifying code.

Figure 15. Function call to the encrypted code before decryption (top) and after decryption (bottom)

The first decrypted function is responsible for resolving the API function addresses, while the second decrypted function is responsible for hooking various functions and altering the default behavior of the RAT.

The following table shows the important hooked functions and their effects on the RAT:

Function

Details

RegCreateKeyEx

Changes the registry using the RAT configuration from astSS to astSS1

RegSetValueKeyEx

Extracts the RAT's ID when it is saved to the registry. It then starts two threads, a C&C communication thread and an idleness monitoring thread.

FindWindow

Ensures that the RAT's window is not shown

RegisterClass

Ensures that the RAT's window is not shown

ShowWindow

Disables showing the RAT's windows

CreateFile

Disables the log file that the RAT creates by default

GetCommandLine

Sets command-line parameters to start the RAT as a hidden process in the background, sets the connection password stored in registry to a known fixed password, and starts a thread responsible for killing task manager and process explorer

Table 1. The important hook functions of the decrypted function

When the RAT is run normally and is not hijacked by malware, a window like the screenshot shown in Figure 17 will appear. It is important to note the nine-digit number (captured by the hook of RegSetValueKeyEx) and the four-digit number (overridden by the registry setting set by the hook of GetCommandLine). This window is not shown at all as an effect of hooking FindWindow, RegisterClass, and ShowWindow.

Figure 16. The RAT's window when it is run normally. The nine-digit number is the ID and the four-digit number is the password.
Finally, we will analyze the two threads. The C&C communication thread regularly makes a GET request to <_c26_c domain="">/<_c26_c path="">?id=<9digit number>&stat=. The environment hash is computed as an MD5 hash of string created by concatenating the following five values:

Value 1 = to_uppercase(crc32(HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyMachineGuid))
Value 2 = to_uppercase(crc32(HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionProductName))
Value 3 = to_uppercase(crc32(user name))
Value 4 = to_uppercase(crc32(computer name))
Value 5 = concatenate Value1 Value2 Value3 Value4

It might receive a response in the following format:

!lexec;
restart
delproc

The idleness monitoring thread monitors pressed keys and selecting or dragging movements. If the user is idle for more than one minute, it sends a sidl(start idle) request with the time when the user became idle:

<_c26_c domain="">/<_c26_c path="">?id=<9digit number>&stat=&sidl=

The length of idleness is then regularly submitted in a cidl (count of idle) parameter:

<_c26_c domain="">/<_c26_c path="">?id=<9digit number>&stat=&cidl=

When the user becomes active again, the malware sends an eidl (end of idle) request:

<_c26_c domain="">/<_c26_c path="">?id=<9digit number>&stat=&eidl=&cidl=

The idleness monitoring thread allows the malware operator to choose the proper time when the victim is not present in order to stay unnoticed.

Associated malware

SpyAgent usually downloads other malware to perform additional tasks such as stealing important data.

We noticed using SpyAgent downloading the following commodity stealers:

  • RedLine Stealer
  • Ducky stealer
  • AZOrult
  • Cypress Stealer
  • Clipper (a clipboard replacer that replaces various cryptocurrency addresses with those controlled by the malicious actor)

We also noticed other RATS being used in the campaign, such as:

  • Remcos RAT
  • NanoCore
  • njRAT
  • AsyncRAT
Conclusion

The threat actor behind this malware seems to have a straightforward financial motivation and typically aims to steal credentials and cryptocurrency wallets while also replacing cryptocurrency addresses shared via clipboard.

Fortunately, defending oneself against these attacks is also straightforward. Given the malicious actor's use of traditional social engineering techniques such as fake websites, malicious advertisements, and spurious social media posts, users should practice due diligence and avoid selecting any suspicious links or visiting dubious websites. We also encourage users to perform security best practices such as bookmarking trusted sites and practicing caution when visiting new websites, especially those that are prone to being abused for social engineering attacks.

Indicators of Compromise (IOCs)

The IOCs used in this analysis can be found here.

Disclaimer

Trend Micro Inc. published this content on 29 November 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 29 November 2021 12:00:04 UTC.


ę Publicnow 2021
All news about TREND MICRO
07:35aTREND MICRO : Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Technique..
PU
01/14CYBERSECURITY FOR INDUSTRIAL CONTROL : Part 1
PU
01/14CODEX EXPOSED : How Low Is Too Low When We Generate Code?
PU
01/14TREND MICRO : Analyzing an Old Bug and Discovering CVE-2021-30995
PU
01/11LORAWAN'S PROTOCOL STACKS : The Forgotten Targets at Risk
PU
01/10TREND MICRO INCORPORATED : Uncovering and Defending Systems Against Attacks With Layers of..
PU
01/07CODEX EXPOSED : Exploring the Capabilities and Risks of OpenAI's Code Generator
PU
01/07TREND MICRO INCORPORATED : This Week in Security News - January 7th, 2022
PU
2021Nikkei retreats from 1-month high as chip stocks track U.S. peers lower
RE
2021TREND MICRO INCORPORATED : Ex-dividend day for final dividend
FA
More news
Financials
Sales 2021 188 B 1 641 M 1 641 M
Net income 2021 34 962 M 305 M 305 M
Net cash 2021 182 B 1 588 M 1 588 M
P/E ratio 2021 23,0x
Yield 2021 3,30%
Capitalization 810 B 7 067 M 7 064 M
EV / Sales 2021 3,34x
EV / Sales 2022 3,07x
Nbr of Employees 6 975
Free-Float -
Chart TREND MICRO
Duration : Period :
Trend Micro Technical Analysis Chart | MarketScreener
Full-screen chart
Technical analysis trends TREND MICRO
Short TermMid-TermLong Term
TrendsBearishNeutralNeutral
Income Statement Evolution
Consensus
Sell
Buy
Mean consensus HOLD
Number of Analysts 12
Last Close Price 5 800,00 JPY
Average target price 6 983,64 JPY
Spread / Average Target 20,4%
EPS Revisions
Managers and Directors
Yi Fen Chen President, Group CEO & Representative Director
Mahendra Negi Group CFO, Representative Director & VP
Ming Jang Chang Chairman
Max Cheng Chief Information Officer & Executive VP
Kevin Simzer Chief Operating Officer
Sector and Competitors
1st jan.Capi. (M$)
TREND MICRO-9.23%6 990
MICROSOFT CORPORATION-7.77%2 328 976
SEA LIMITED-21.76%98 356
ATLASSIAN CORPORATION PLC-22.00%75 166
DASSAULT SYSTÈMES SE-13.07%68 339
SYNOPSYS INC.-11.49%50 045