An analysis of Razor Crypter, a HackForums product

Today we are going to take a look at Razor Crypter V2, it is a well-known crypter on HackForums. It is one of the biggest and oldest crypters that are still running. It was started 3 years ago as Razor Crypter V1 (I may cover it in a later post) and it is written in AutoIt, a language commonly used to develop malware as it is very easy to program and reFUD.

On execution, Razor Crypter’s stub creates a random number, creates a loop that add 1 to the number, check if it is prime, if it is it adds an “x” to a Variable, if not the loop is restarted. This is repeated until the number is somewhere between 10000 and 90000.

After this, the variable “NUMS” get splitted with the delimiter “x” and saved into an array called “EXP” :

 

The script will next take 2 random numbers from “EXP” and adds a random number.

This junk code is most likely done to prevent detection by AV, since after this the variable “EXP” is not used again.

When everything is done,it will drop another AutoIt script,and execute it via the AutoIt parameter “AutoIt3ExecuteScript”. However, the dropped script is detected by 90% of all AVs. Even though this crypter has such a big reputation on HackForums, it is just a poorly written crypter.

Another obfuscation technique employed is the renaming of pre-defined Functions. This is done using defining new functions that do nothing except for calling the pre-defined function. A very interesting method of obfuscation, however, it is easily thwarted by renaming all of the functions.

 

String Reverse was also renamed, however, it is custom coded. A funny thing is that the code looks copy & pasted, so I am not really sure that is a point for the coder or not.

 

 

 

However, since the crypter is written in AutoIt, and the coder has a lot of time on his/her hand, to reFUD the crypter, it is often FUD and it is very popular among non-skilled hackers (aka Skids). The encryption is also very weak, as Base64 is used, and since Base64 is a keyless kind of encryption (And the function was named _winapi_base6decode), it would be trivial to unpack the stub.

Virustotal link of the stub.

Conclusion:

  • The crypter uses bad ways to be undetected, however it is updated often which means it is hard for AVs to keep up with the Scantime detections.
  • All stubs are the same, containing barely any difference.
  • Just because a crypter is old and famous doesn’t mean it is good.
  • Don’t use Base64, at least use RC4, XXTEA, AES or something with a key.
 

Some more analysis of AutoIt crypted malware sample

If you haven’t read my first post about this malware, please do check it out.

So today I got bored and decided to browse through my files, and was suddenly reminded of the sample I was analyzing earlier. It is barely obfuscated, and many original function names are still available. At least most custom functions are obfuscated. Another sad thing about this malware, is that the encryption key is stored in plain text, and in plain sight. Some obfuscation/encryption would have been nicer.

Encryption key of malware stored in plain sight.

So in this case, the stub simply drops the encrypted stub into the Temp Dir, and then decrypt it through reading the file. vmqjobbhqfbf is simply an obfuscated version of _Crypt_DecryptData, and 26128 stands for AES256 encryption. It was too easy to create a small snippet to decrypt the stub. The decrypted stub is 305 kb in size. However, this is the part where the malware execution goes wrong. As you can see in the screenshot, the variable $hcwywahhpctofanxhtdimbanbldxbax set to “%NATIVE%”. Closer inspection shows that Native is to indicate whether the original stub is in .NET or is it without dependencies. However, the author of the crypter made a mistake, since in the variable it is “%NATIVE%”, but in the actual injection function it is 1,2,3 or 4. Another sad mistake was that the original stub was coded in .NET, and therefore is not native at all. So even if the crypter is working properly, the built stub won’t since it will be injecting into the wrong process.

 

The startup uses the name “Microsoft Cooperation ZGIJJTiKhPcKTTZX”, which is located under either Run or RunOnce of HKCU. An interesting thing about the startup is that if it senses apvui.exe (Which is Kaspersky Antivirus’s process), it will choose not to modify the registry, and instead using the Startup Directory to install itself. This is probably done since KAV’s HIP detection is pretty accurate.Malware startup

The original stub is coded in .NET, and have some decent features based on the Malwr analysis: https://malwr.com/analysis/NmJhNzYzZGVlZWI5NDM2MWFhYjc2ZDNmMGNlODAzOTU/

It is fairly well detected and was easily decompiled with de4dot, however, I was not able to deobfuscate it since I am currently only a beginner at .NET (Surprised that I admitted this?). Based on what I saw, the real deal is stored inside a resource called Testing.Resources.rsx which is decrypted on the go. Because of the hooking, I suspect this might not be a RAT/Botnet and might be just a keylogger from HF(Some that uses .NET are Volt and HawkEye, but correct me if I am wrong).

So that is it for this malware analysis. If have any questions, feel free to comment down below and I will answer them. Send your malware my ways if you have any.

 

Malwr showing false positives with MP4 files

During my recent tests with MP4 files, I discovered a very interesting fact: Malwr is not compatible with MP4 files and will show false positives such as detecting shellcodes, startup and HTTP connections.

Malwr uses the standard Windows XP for analyzing malware. However, the Windows Media Player in Windows XP is not able to open MP4 files, and will therefore open Microsoft’s shell page, and perform a few other activities. One of them is detected as a startup method, however it actually isn’t.

Here are some of the Malwr links that are false positives (Found using Malwr’s search button):

https://malwr.com/analysis/ZmY4MGE4MzU3NjM1NGRiZWFkNmU2OTUxMTFkZGVhZDU/

https://malwr.com/analysis/NzY1OTMxNWE5ODVkNDA3NGIxMjhlNDEwMmIwOWI2OGU/

https://malwr.com/analysis/YjM3ZGFiNmY3YjA1NDg3ZWFmNzZlNjczNjlkNmNjYzI/

https://malwr.com/analysis/YjY4M2EwZDhhYjliNDI1YThhZTk0MDlhMTcwNjE5YzA/

https://malwr.com/analysis/MTBiOWI0Zjc5ZjRhNDBjODk2N2QzNzEzOTU0N2ZhODY/

 

Why there is no need for Microsoft Office

Microsoft Office is installed on almost every computer running Windows nowadays. However, the security aspect of it is pretty worrisome.  If you are to browse around Hackforums, you will find many people selling Word Exploits, silent and macro, available at very cheap prices. Some of the recent cyber attacks against Ukraine’s  power system have been delivered with the help of these exploits. So it is not really the best idea to open any Microsoft Word, Excel, or Powerpoint document. At least not with Microsoft Office.

A much more secure way to open these documents is to upload all of them to Google Drive, and then open them. This way none of the possible malicious scripts and macros are opened on your computer. And don’t worry, Google Drive won’t be harmed, since the macros are not processed by their system.

Just some small tips from me to those who do not wish to get malware on their system.

 

Analysis of Plasma RAT’s source code

I recently was browsing HackHound, when I found the source code for Plasma RAT. Plasma RAT’s stub is fairly advanced, having many robust features. Some of the features include botkilling, Cryptocurrencies Mining (CPU and GPU), persistence, anti-analysis, torrent seeding, AV killer, 7 DDoS methods and a keylogger. The RAT is coded in VB.Net. There is also a Botnet version of it (Plasma HTTP), which is pretty similar to the RAT version. An analysis of the Botnet can be found on McAfee’s blog.

The AntiVM is not really the best. It searches for VM files, but does not search for the processes, the Hard Disk name, and so on. And in case a VM is detected, the AntisFound() function is called.

vmdetected

The Chrome stealer uses a module coded by RockingWithTheBest, who is a HackForums member, a link to the thread is here. The link is Google Webcache, since sadly HackForums seems to think that my country is not one that is worth serving (jk, I know there are many skids here who use LOIC).

stealer rockingwiththebest

The FTP password stealer simply steals FileZilla’s password through reading the file \FileZilla\recentservers.xml, which has password and server details in plain text.

The Torrent Seeder might be promising for malware spreaders who are interested in spreading with torrent. However, it requires Vuze, BitTorrent or uTorrent to be installed on the host machine. This would be a very powerful feature if the spreader is using Torrent as a spreading method, since victims would be guaranteed to have these torrent clients, and it would help the spreader gets more bots.

torrentseed

The process itself is heavily protected. It first set Access Right so that attempts to kill it will result in Access Denied, and also it sets itself as critical so the system goes into BSOD when the process is killed. The folder and the files are set the the user does not have access to them, as well as being hidden.

The Condis attack is new to me, I have never seen it before. After some research it turned out to be an attack that works by rapidly opening new connection and disconnecting (Hence the name ConDis), and it is primarily used to target game servers and TeamSpeak server. Slowloris, GET and POST flood, ARME attack, and UDP flood is also present. The GET and POST attack does not seem to have any user-agent string however, and the GET attack simply downloads the file. There also is Bandwidth Flood, which often is not really the most powerful kind of attack.

Inside the source, there is a resource called “a” that looks like a binary. The file is not detected by any AV at the time I am writing this (VT scan). The file’s Malwr indicates that it is malicious, since it adds itself to startup.  It might be a part of Plasma RAT, it might not be, since the source was leaked and maybe this is the leaker’s backdoor.

a resource

There is also a Hard Botkiller, which claims to be able to kill highly persistent bots such as BetaBot. It deletes the startup registry keys, and have a module that forces the deletion of a file,… The AV killer uses the Image File Execution method to get rid of the AV, and in case Admin Privilege is not presence, it attempts to social engineer the victim to accept the UAC prompt.

social engineer uac

The normal botkill attempts to identify which startup entry is malicious and which is not through several indicator. First, if it is Plasma RAT’s executable or the Miner executable, then it is not malicious. If it has a digital signature, then it is not. If it contains “cmd” or “wscript” in it’s name, then it is malicious. If it is located in  AppData, then it is. If the file attribute is Hidden or System, then it is flagged as malicious as well.

botkill

Now let’s go to the builder. As always, there is a very nice and detailed Term of Service in order to prevent the creator from being held responsible

tos

This RAT was originally a sold bot, since SealInitialize and Seal.RunHook and other NetSeal functions were found. The source was I found was as clear as daylight, so either the creator did not obfuscate the builder, or the builder was obfuscated with public obfuscators that are easily deobfuscated. When you are creating a commercial product, it is always a must to protect your source with a strong obfuscator, and sometimes heavy encryption that is decrypted runtime would work as well. This is where crypters can be used for reasons other than encrypting the stub.

So this is it for the analysis of Plasma RAT. Good bye and see you again.

 

Megalodon HTTP, Skidware and copy pasted code.

I recently obtained a copy of Megalodon HTTP’s web panel and builder(cracked). However, the builder turned out to be malicious, so I decided to look at the modules in the panel instead. Since Megalodon relies on downloading plug-ins, and almost nothing is placed inside the stub, this should be enough to show the details of Megalodon HTTP.

Megalodon HTTP’s panel had no obfuscation and no protection at all. The legendary miner turned out to be BFGMiner, which is in a folder called ‘out’. None of the files are renamed, and therefore I can work with it more easily. An interesting thing is that Megalodon kept all of the .txt files in the miner, including README, News,… which shows how this malware was made without care. Megalodon, instead of downloading all of the files directly, instead relies on a downloader to obtain the files from the server.

miner downloader

Conveniently, inside the bin folder, the output files are also not renamed. When I attempted to change the file extension from .bin to .exe for analysis, I got a few pop ups from Kaspersky Antivirus, of which one was very interesting:

stealer stolen

Megalodon used NetPass for password recovery! Seriously, there are much better password recovery modules that are publicly available, but I guess since NetPass is popular, the developers chose it. The only advantage of using NetPass instead of other modules that I could think of is that it is very lightweight.

Using JetBrains dotPeek to reverse engineer the bins, I found them completely unobfuscated. For example, the Slowloris module uses the user agent “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36” and simply have no other header, which might causes WAF to check the browser/show a CAPTCHA.

slowloris source

Megalodon also feature an XML-RPC attack that uses the pingback function in XML-RPC to reflect the attack on other sites. This amplification method is a public one and is commonly used. The user-agent is not different from the above. While there is not much amplification in this attack, it does help masking the bot’s IP.

The ARME attack is also utilized. However, unlike the other attacks, the ARME attack does not send an user-agent with it, and therefore could be easily prevented by a WAF. Also, since botnets on HF are often bought by 11 years old wanting to boot of a friend’s Minecraft server or his/her school’s online grade book, the end user will probably not know that the ARME attack is only effective on Apache server, and useless on NGINX. The header used should be challenged with Javascript or a CAPTCHA to prevent the attack: “\r\nRange:bytes=5-1300\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n”

The Botkiller uses the worst technique I have ever seen. It checks under the Run registry key that points to an executable file that contains “conhost.exe”, if any is found, it will attempt to kill the process and remove the registry key. If you refer to my previous post about common malware process name, there are many other names such as Windows Update, Security Service,… However, it is better than nothing I guess.

botkill

 

The uninstaller simply deletes all of the registry keys under Run, and then exit. This is not really a smart idea, since the malware process will not be eliminated until the next reboot. Not good at all if you found out you are being analyzed.

uninstaller

Flood.bin file is the only find I found that was obfuscated. However, it is done with Confuser 1.9.0.0, which could easily be deobfuscated through public tools. Like seriously, if you are developing malware, you should do something along the line of manual obfuscation, then obfuscation using a private obfuscator. Confuser is old and obsolete, and unless you mod it, it is useless. However, the obfuscation gives me suspicions that this module is coded by someone else.

The Syn attack tool is also weak, as it uses only 5 threads. While this does not consume much resources and therefore less noticeable, it also does not oppose much power on the target.

syn attack

There are a few other attack methods, however, they are obfuscated, and therefore I will attempt to deobfuscate them later on.

Another interesting module is the Homepage Changer. It is capable of changing the homepage of only Mozilla Firefox and Google Chrome. Well it is good enough for HF anyway, since these are the 2 most popular browsers. And seriously, if you are still using Internet Explorer and browsing my website, you should seriously consider an upgrade to Chrome/Firefox, or better yet, Tor browser and Epic browser.

So this is it for my analysis of Megalodon HTTP.  I will be analyzing more malware in the future soon, and remember to share, like and tweet about this blog post!

And also since you read to the end of the post, I will give you a very interesting thing I found while browsing through the panel files: This error log shows us in plain text the username of the hosting account Bin4ry used for his site (bin4ry.com): http://www.zunzutech.com/blog/wp-content/uploads/2016/03/errors.txt

Interesting, right?

 

Common things in most malware

Malware might varies in style, programming language, encryption and obfuscation method, as well as many other factors. However, they all have 1 similarities (Excluding cryptolockers): They attempt to look as similar to legit application as possible.
1. Process name

Most malware will try to look like common processes. Sometimes they will try to impersonate a system process. Some of the common names are conhost.exe, windowsupdate.exe, winupdateclient.exe,… When you see a process that seems suspicious because of these signs, you should run an AV scan and attempt to find any suspicious activities on your computer. If your AV solution does not detect anything, open up Task Manager, right click on the process, select “Open File Location”, and copy the file to your desktop. After that, you can upload it and forward it to me.

2. Installation Directory

This is the similarity in most malware. They will install themselves to a directory, so even if you delete the original file, the malware is still on the system. Some popular place for installation of such malware is the AppData folder, the Windows folder and the Temp folder. The Temp folder is the least popular of the three, since it is cleared regularly in order to preserve disk space. However, it is still commonly used.

3.  Attempts to hide process

Malware DON’T want to be spotted. So they try to hide their task from the Task Manager. Some might do this by attempting to replace the Task Manager, which could be done simply through a registry key, some might try to launch it from a different user, which isn’t really effective, or some just try to kill the task manager process.

So that is it for this post. I know it is kinda short, but that is because I am analyzing a RAT, which is somewhat unique since it uses PHP for connection.