Packed autoit virus
We have written a Python script to decrypt the encrypted payload, which can be found in Appendix I. CyberGate allows an attacker to browse and manipulate files, devices, and settings on the victim's machine as well as download and execute additional malware.

It also has a wide range of information-stealing abilities, such as keylogging, screen capture, and remote enabling of webcams. The unique bot ID is created by concatenating the username, computer name, and serial number of the victim machine and calculating the MD5 hash of the result.

All traffic is compressed with zlib and then encrypted with RC4 using a key hardcoded in the binary. We have seen this marker in the previous version of CyberGate RAT. In the first request, the command sends the calculated unique bot ID to the server. The second command searches for stored credentials in the Chrome and Firefox browser profiles.

If it matches the parameters, it sends the credentials to the server along with the machine info, including socket name, user name, computer name, product name, and bot ID. It then downloads the specified file, stores it, and executes it. It can be found in Appendix II. The final payload is the .NET binary of the RedLine stealer. Proofpoint published a blog about that campaign. After collecting the data as per the configuration, it sends all the data back to the server.

The observed indicators in this attack were successfully blocked by the Zscaler Cloud Sandbox. Figure 10 shows how this exploit is used.

Figure 11 shows the hidden decompression path used to trigger the exploit and place the malware in the Windows Startup folder, so that the next time the user logs into the system the decompressed file is executed. Those include:

The fake document contained in the phishing zip, for example, is packed with AutoIt twice. The actor packed the Predator malware with CypherIT, then packed the output again in order to add a dummy document to the executable. The following figure shows the first-stage AutoIt script.

We found that the script is more heavily obfuscated in the malicious payload that was placed in the Startup folder via the WinRAR exploit. Figure 13 shows the main part of the script, which calls the function that decodes and executes the Predator the Thief stealer.

As the de-obfuscated script shows, it reads and decodes the resource, then loads the shellcode that injects the decoded payload, which is the Predator the Thief malware.

It replaces all the files on removable devices with copies of the malware and tries to trick victims into executing them. If we re-examine the AutoIt script created by the actor, we find something interesting in its path.

The script author has left behind install paths from his own system, and we found interesting strings within these paths. Combined with a document name written in Russian, we can be fairly certain that the actor behind this campaign is a Russian speaker. First, we found an AutoIt script sample which is almost the same as the one we analyzed in the previous section:

In addition, the actor has a habit of compiling malware in the debug mode of Visual Studio. In June of , he compiled the XMR miner. After researching his previous activity, we found several samples to be buggy: their decryption component was broken and the malware was not able to properly unpack itself. We found that the campaign actor has been active since last June. The actor possibly collected his malware from one of the hacking forums or chats and prepared at least one template for his phishing campaign.

He also uses simple but effective phishing techniques to make victims execute the malware. Predator the Thief in this campaign has not changed much from previous versions, but we have found several new tricks the actor uses to spread it.

He uses fake zips and documents, sometimes very specifically targeted to a victim, and even uses the WinRAR exploit to spread the malware.

The payload was packed using a third-party packing tool that utilizes the AutoIt scripting language. Predator the Thief was first observed by us in July of , and it is one of the various stealer malware variants sold on hacking forums. Figure 1. Advertisement for the malware. Figure 2. User sett9 in Telegram and his public chats. Figure 3.