To enable this, Activator employed the now-obsolete AuthorizationExecuteWithPrivileges function, which brought up the window with the admin password prompt.

Once running, the tool checked the system for an installed copy of Python 3, and if it did not find one, it installed the copy it had previously placed in /tmp/.

Next, it "patched" the downloaded app: the tool compared the first 16 bytes of the modified executable with a sequence hardcoded inside Activator and removed them in the case of a match:

Checking the first 16 bytes of the executable

The app then, amusingly, started working and appeared to have been cracked. The trick was that the malicious actors had taken pre-cracked application versions and added a few bytes to the beginning of the executable, thus disabling it and forcing the user to launch Activator.

A downloader

Completed "patching" kicked off the main payload: the sample reached out to its C2 for an encrypted script. The program obtained the C2 URL by stringing together words from two hardcoded lists and adding a random sequence of five letters as a third-level domain name. With this URL, the sample made a request to a DNS server, asking for the TXT record of the domain. This was a fairly interesting and unusual way of contacting a command-and-control server and hiding activity inside traffic, and it guaranteed downloading the payload, as the response came from the DNS server. TXT records can legitimately contain miscellaneous domain details that an application might require, so a request like that looked perfectly normal per se.

We tried every possible combination of the hardcoded words, which were the same for every sample we studied, and found only one functional domain name: imohubnet. The exact third-level domain name was irrelevant as long as it was part of the request. The response from the DNS server contained three TXT records, which the program then processed to assemble a complete message. Each record was a Base64-encoded ciphertext fragment whose first byte contained a sequence number, which was removed during assembly. The ciphertext was AES-encrypted in CBC mode. The decrypted message contained the following Python script.

Besides executing commands, the script harvested and sent to the server the following information. The blank "av" field presumably would be populated with information about the presence of antimalware programs in subsequent versions. The blank "ver" field presumably would be used for sending information about the payload version.

At the time of our investigation, the server notably returned no commands, and later stopped responding altogether. So we downloaded the third-stage Python script again, only to find that the new version contained changes. In particular, the developers had changed the "metadata" stored at the beginning of the program, which contained the C2 server IP address and domain name, the program GUID and the version. These were apparently updated automatically inside the script as soon as the server IP address changed, which happened approximately every 10–20 minutes. There were also updates to the functional code that had to be made by humans (see the images below). Thus, even in the absence of incoming commands from the C2, the program was still capable of inflicting significant damage on the user by stealing their cryptowallets. The aforementioned cracked applications are one of the easiest ways for malicious actors to get onto users' computers.
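The "disable by prepending, re-enable by stripping" trick described above, as an added example written for this page in Go (it is not Activator's code and not from the original article). The 16-byte marker and the Mach-O header bytes are constructed sample data; the real hardcoded sequence is not given on the page. The offset-scanning helper goes beyond the article: it recognises a prepended marker of unknown length or value by looking for a Mach-O magic at small offsets, which is how an analyst would triage a "cracked" app that refuses to launch.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Leading bytes of valid Mach-O files: thin 32- and 64-bit headers in both
// byte orders, plus fat (universal) headers.
var machOMagics = [][]byte{
	{0xfe, 0xed, 0xfa, 0xce}, {0xce, 0xfa, 0xed, 0xfe}, // MH_MAGIC, MH_CIGAM
	{0xfe, 0xed, 0xfa, 0xcf}, {0xcf, 0xfa, 0xed, 0xfe}, // MH_MAGIC_64, MH_CIGAM_64
	{0xca, 0xfe, 0xba, 0xbe}, {0xbe, 0xba, 0xfe, 0xca}, // FAT_MAGIC, FAT_CIGAM
}

// IsMachO reports whether b starts with a Mach-O or fat header magic.
func IsMachO(b []byte) bool {
	for _, m := range machOMagics {
		if bytes.HasPrefix(b, m) {
			return true
		}
	}
	return false
}

// Disable mimics the actors' preparation step: prepend a marker to a working
// executable so the loader rejects it until the marker is removed again.
func Disable(exe, marker []byte) []byte {
	out := make([]byte, 0, len(marker)+len(exe))
	out = append(out, marker...)
	return append(out, exe...)
}

// Activate mimics Activator's "patch": compare the first len(marker) bytes
// with the hardcoded marker and drop them only on an exact match.
func Activate(exe, marker []byte) ([]byte, bool) {
	if !bytes.HasPrefix(exe, marker) {
		return exe, false
	}
	return exe[len(marker):], true
}

// FindMachOOffset is a triage helper that goes beyond the article: it scans
// the first maxScan bytes for a Mach-O magic, so a disabled binary can be
// recognised (and repaired by slicing) even when the marker's length or
// value is not known in advance.
func FindMachOOffset(b []byte, maxScan int) (int, error) {
	for off := 0; off <= maxScan && off+4 <= len(b); off++ {
		if IsMachO(b[off:]) {
			return off, nil
		}
	}
	return -1, errors.New("no Mach-O header within scanned range")
}

// Constructed sample data (not taken from a real sample): the start of a
// 64-bit little-endian Mach-O header followed by filler, and a 16-byte
// marker standing in for the sequence hardcoded inside Activator.
var (
	sampleExe    = append([]byte{0xcf, 0xfa, 0xed, 0xfe, 0x07, 0x00, 0x00, 0x01}, bytes.Repeat([]byte{0x41}, 24)...)
	sampleMarker = []byte("ACTIVATOR-MARK16") // hypothetical 16-byte value
)

func main() {
	disabled := Disable(sampleExe, sampleMarker)
	fmt.Printf("disabled file is Mach-O: %v\n", IsMachO(disabled))
	off, _ := FindMachOOffset(disabled, 64)
	fmt.Printf("Mach-O header found at offset %d\n", off)
	fixed, ok := Activate(disabled, sampleMarker)
	fmt.Printf("patched: %v, now Mach-O: %v\n", ok, IsMachO(fixed))
}
```

Activate deliberately refuses to touch a file whose first bytes do not match, which is the same behaviour the article describes for Activator; FindMachOOffset is the check to run on a suspicious binary before deciding whether it was disabled this way.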
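The TXT-record transport described above (three Base64 fragments, a leading sequence byte, AES-CBC), as an added example written for this page in Go; it is neither the sample's Python code nor the article's. It plays both sides offline: the C2 side encrypts a constructed script and splits it into numbered records, and the implant (or analyst) side reassembles them in sequence order regardless of how the resolver returned them, then decrypts. Assumptions not stated on the page: the sequence number is the first byte after Base64 decoding, padding is PKCS#7, and the key, IV and script are constructed values embedded here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
)

// PKCS#7 padding is an assumption; the article only says AES in CBC mode.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("bad padding value")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// EncodeTXTRecords plays the C2 side: AES-CBC encrypt the script, split the
// ciphertext into nParts fragments, prefix each with a one-byte sequence
// number and Base64-encode it. Used here only to construct sample records.
func EncodeTXTRecords(key, iv, plaintext []byte, nParts int) ([]string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	size := (len(ct) + nParts - 1) / nParts
	records := make([]string, 0, nParts)
	for i := 0; i < nParts; i++ {
		lo, hi := i*size, (i+1)*size
		if lo > len(ct) {
			lo = len(ct)
		}
		if hi > len(ct) {
			hi = len(ct)
		}
		frag := append([]byte{byte(i)}, ct[lo:hi]...)
		records = append(records, base64.StdEncoding.EncodeToString(frag))
	}
	return records, nil
}

// DecodeTXTRecords plays the implant (or analyst) side: order fragments by
// their leading sequence byte, strip it, concatenate, AES-CBC decrypt, unpad.
// Missing or duplicated fragments are rejected rather than silently decrypted.
func DecodeTXTRecords(records []string, key, iv []byte) ([]byte, error) {
	type frag struct {
		seq  byte
		data []byte
	}
	frags := make([]frag, 0, len(records))
	for _, r := range records {
		raw, err := base64.StdEncoding.DecodeString(r)
		if err != nil {
			return nil, fmt.Errorf("record %q: %w", r, err)
		}
		if len(raw) < 1 {
			return nil, errors.New("empty TXT record")
		}
		frags = append(frags, frag{raw[0], raw[1:]})
	}
	sort.Slice(frags, func(i, j int) bool { return frags[i].seq < frags[j].seq })
	var ct []byte
	for i, f := range frags {
		if int(f.seq) != i {
			return nil, fmt.Errorf("missing or duplicate fragment %d", i)
		}
		ct = append(ct, f.data...)
	}
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("reassembled ciphertext is not block aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

// Constructed sample values; the real key, IV and script are not on the page.
var (
	sampleKey    = []byte("0123456789abcdef") // AES-128, hypothetical
	sampleIV     = []byte("fedcba9876543210") // hypothetical
	sampleScript = []byte("print('hello')")
)

func main() {
	records, err := EncodeTXTRecords(sampleKey, sampleIV, sampleScript, 3)
	if err != nil {
		panic(err)
	}
	// Resolvers do not guarantee record order, so feed them back shuffled.
	shuffled := []string{records[2], records[0], records[1]}
	for _, r := range shuffled {
		fmt.Println("TXT", r)
	}
	script, err := DecodeTXTRecords(shuffled, sampleKey, sampleIV)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted script:\n%s\n", script)
}
```

The sequence byte is what makes the scheme robust to DNS returning records in any order; a decoder that concatenated records as received would produce garbage for two of the six possible orderings of three fragments, which is why DecodeTXTRecords sorts before decrypting and checks that the sequence numbers are contiguous.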