Well, hello there.
Today we are going to focus on the "good", old malware campaign first observed by us around May 2020, when it was actively distributing the Redline stealer. Although it has gone through some updates over the years, the scheme it operates on has remained similar.
Download
Searching the Internet, we came across a kind, independent blogger who offers us a free download of cracked software. Let's proceed!
We can see that the blog references the website fpn-stp[.]ru, which redirects us to a well-known framework also tied to PrivateLoader campaigns. This framework of unknown name generates unique links that expire after a few minutes, which hinders scanning and helps it avoid being blacklisted. Each generated link consists of three parts: what is likely an MD5 hash, 34 random characters and a salt at the end.
After passing an hCaptcha challenge and a User-Agent check (the User-Agent must be MSEdge), we are welcomed with the download page:
Notice that this exact framework, with slight client-side JS modifications, was distributing PrivateLoader on xiuty[.]com, arakusus[.]com, oyndr[.]com and many other fake URL shorteners. (More about this in the referenced articles at the bottom of the page.)
After clicking the DOWNLOAD button, a new page opens and the file download starts. It is a ZIP archive built automatically by the framework at the time of link generation.
Unzipping it with the password 123 gives us two files: the loader and a password file containing the MD5 hash of an empty string. Not in this case, but in other occurrences the archive also carries a hidden file, which is a legitimate, random software installer.
The loader
The loader itself is an Inno Setup compiled installation wizard. The installer is password-protected, but it turns out that this is not much of a problem for us. Analyzing the EXE content, we encounter a strange-looking string: d12b62a585bd739f0.
Now that we have found the password, nothing stops us from extracting whatever they embedded in there.
The stub
There are a bunch of DLLs and one EXE in the extracted content. The EXE seems to be malformed, but it lacks only the MZ signature. After adding it manually, we obtain the stub we were looking for. Now let's see what this build actually does.
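A small triage helper for the MZ-repair step above, added here as an example; it is not part of the original post or of the campaign's tooling. It assumes the stub is an otherwise intact PE image whose e_lfanew field (offset 0x3C) still points at a valid "PE\0\0" signature, and the sample header it checks is constructed inline.

```python
import struct
from typing import Optional

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def pe_header_offset(data: bytes) -> Optional[int]:
    """Return e_lfanew if it points at a real 'PE\\0\\0' signature, else None.

    Used as the sanity check before patching: a blob is only treated as a
    PE with a missing magic if the rest of the DOS header still lines up.
    """
    if len(data) < 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + len(PE_SIG) > len(data):
        return None
    if data[e_lfanew:e_lfanew + len(PE_SIG)] != PE_SIG:
        return None
    return e_lfanew


def repair_mz(data: bytes) -> Optional[bytes]:
    """Restore a missing 'MZ' magic, handling two common ways it goes missing.

    Case 1: the two bytes were overwritten in place (file length unchanged).
    Case 2: the two bytes were stripped (everything shifted up by two).
    Returns the repaired image, the input if already valid, or None if a
    single MZ fix cannot turn this blob into a consistent PE.
    """
    if data[:2] == MZ and pe_header_offset(data) is not None:
        return data
    overwritten = MZ + data[2:]          # case 1
    if pe_header_offset(overwritten) is not None:
        return overwritten
    stripped = MZ + data                 # case 2
    if pe_header_offset(stripped) is not None:
        return stripped
    return None


def build_sample_pe() -> bytes:
    """Constructed minimal DOS header + PE signature used as test input."""
    hdr = bytearray(0x40)
    hdr[:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew right after DOS header
    return bytes(hdr) + PE_SIG + b"\x4c\x01"  # Machine = I386, truncated
```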
The final payload needs to be provided with a command-line argument, normally passed by the Inno Setup installer. We can get it from the ISS file we extracted; in this case it is b6f1fac98787e9069ae49deb884cabb8. We'll launch the file, providing the argument.
Immediately the PayPerInst[.]com Download Assistant window appears, and the program either downloads executables or crashes. Unlike previous detonations (e.g. https://www.virustotal.com/gui/file/2e8e59eb04b473054402a130152a2e666f57cd07c6a7116edf4a4ea5ec20b271), it no longer drops Redline; however, potentially unwanted content is still present. This time it is Snetchball adware. It then performs a POST request to hxxp://start7345724.ru/new/net_api with hexadecimal data that has been encrypted with RC4:
67e28dd86f5af1211607f81c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa48e8889b5e4fa9281ae978fe71ea771795af8e05c645db22f31dfe339426fa11a167c657adb719a9577e55b8603e983a608ef719c0e6909939
The API path the installer uses keeps changing over time, although each one remains accessible: /v2/events => /v3/api => /new/net_api
This C2 communication is strikingly similar to the one used by the SOCKS5SYSTEMZ proxy botnet (see also https://www.bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey). Moreover, the loader and the DLL libraries it contains are exactly the same.
DLLs
The DLL libraries aren't malicious in this case. In fact, the EXE does not even interact with them. What is interesting, however, is that the actors keep bundling these same DLLs in their builds, so we can investigate a large number of related samples through the VirusTotal relations page:
https://www.virustotal.com/gui/file/16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660/relations
Conclusion
While the campaign appears to be somewhat dormant for now, it could pose a serious threat when put into action at any time, compromising the data of thousands of people across the world.
URLs active at the time of writing:
Suspicious blog: hxxp://flstudio12–20.ru/
Blog referral: hxxps://fpn-stp.ru/file/1/14ec560
Framework domains:
ska4aservece[.]ru
cononspace24[.]ru
somenoxezowa[.]ru
C2: hxxp://start7345724.ru/new/net_api
VT:
Inno Setup loader: https://www.virustotal.com/gui/file/a4fef05ccd386520f7dc03ea1e03f060401ba2dadfe2b3db2046489bdb34f2b5
File dropped by the IS loader: https://www.virustotal.com/gui/file/a9f26b84f45f15e5fbe607ba1430282eafdd6d2c6546cfa0ea0149065307366f
Inno Setup loader (SOCKS5SYSTEMZ): https://www.virustotal.com/gui/file/acc63db2e500e557b2c06294a21aabcce70dc599604d6c6a414f0d62977a37ad
sqlite3.dll: https://www.virustotal.com/gui/file/16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660/relations
References:
bitsight.com
virustotal.com
https://jfrog.com/ja/blog/attacks-on-docker-with-millions-of-malicious-repositories-spread-malware-and-phishing-scams/
https://www.zscaler.com/de/blogs/security-research/surge-fake-fifa-world-cup-streaming-sites-targets-virtual-fans
https://medium.com/@g0njxa/privateloader-installskey-rewind-2023-c1ce027cbe65