Unpacking GhostCrypter, a not really stealthy crypter.

So today I will be unpacking GhostCrypter. This crypter is currently sold on  HackForums for $12 per month, and seems to be pretty popular. Please note that I was given this file, and I have no idea if this is actually GhostCrypter. So let’s get started.

GhostCrypter is coded in AutoIt, so MyAutToExe should be able to decompile it fairly easily. It is not packed with UPX, so there is no need to unpack anything. There are quite a few files packed inside it, which explains the 1.6mb file size. Dropping is not really stealthy after all.

ab9a02d0d7a8fe69a95e993b00dc50dcd2c359cf4c23d8a47602880278804ebc

The decompiled au3 file contains #endregion at the top, which is a common method to stop Exe2Aut.  It is all capitalised and the first 2 functions seemed to belong to Crypt.au3 and had all of the variables changed.`

The decompiled code can be found here: http://pastebin.com/nQtuDZx1 After decrypting and deobfuscating all of the variables and removing the flow obfuscation, the resulting code is fairly short. It was only 6 lines and was fairly disappointing to look at. And instead of running like that, why don’t you use ShellExecute?

c2dc037a7184375a93088718e44776ef

OK so let’s now look at the files that were dropped. The file that was dropped as a .CMD file appears to be Microsoft Visual C++ v.10. When we look into the file that is used as an option, turns out it is an AutoIt source file. The .cmd file turned out to be the AutoIt base, as it was signed by AutoIt Consulting LTD.It is obfuscated with Flow Obfuscation, using Call() to stop strippers from working, and all of the good stuffs. The whole process of manual deobfuscation took quite long and was kinda boring (to describe) to be honest, so I will just talk about Before and After deobfuscation here.

So before deobfuscation, this is what the file looked like:

70b0f93a1a4fe4d2c423aebf76798abc

One of the very funny thing about the script is that it uses _Crypt_DecryptData to decrypt strings, however next to the line, there are comments which tell us what the encrypted strings are. However it could be meant for deception, so I will just create an automated tool to decrypt the data and removing the flow obfuscation that was applied.

So after deobfuscation, the script is 232 lines in length and is fairly plain. It looks like the variable $encrypted declares the path to the encrypted file, which is decrypted, and then injected using a shellcode. Simply using FileWrite and _Crypt_DecryptData with the same parameter extracted the original file. The original file is an MZ Executable file, if you don’t know what that is, Google it.

529a496ca7e905ce96d39f32c054d717

One of the runtime techniques used by GhostCrypter is dynamic Startup. Normally, GhostCrypter uses the RunOnce startup key to hide from MSConfig, but this often prompts for confirmation on AVs such as Kaspersky, 360 Security,… So when processes such as mbam, avpui GhostCrypter creates a .lnk file inside the startup directory instead. The anti analysis is also fairly bad, it only detects 3 processes, 1 for VMWare, 1 for VirtualBox and 1 for SandBoxie. Furthermore, it stores the file in a variable, not use it at all, and use the _Crypt_DecryptData function with the first parameter of FileRead(@AppDataDir & “\QHWXHYbdLYDG”) instead of the $encrypted variable which shows the path to the file. And after being used, the variables are not set to Null to free up memory. Bad coding practices here.
That is my take on GhostCrypter. If you have any other malware samples, feel free to send them to me and I will take a look at them.

 

Inside the panel of the Andromeda Botnet

Recently, I have managed to obtain myself a stub of a still active Andromeda Botnet, and have sucessfully obtained access to the panel (Don’t ask how, even though when you are a botmaster you really should be getting a strong password xD). The botnet is hosted on a seemingly BulletProof server, and the Domain Registrar refused to sinkhole the domain name due to them ‘Not being able to monitor the traffic, as they are not the web host’. So I guess I can’t really sinkhole it except for killing the bots, and changing the encryption key and password to mess up the current progress by the botmaster.

Andromeda is a pretty old botnet from 2012, but is still commonly used. The botnet has a Rootkit, a Formgrabber, as well as a Socks Proxy plugin. But what I will be going in today is not the functionalities, but the interesting things about the stats of the botnets.

The compromised Andromeda Panel

The compromised Andromeda Panel

First of all, most of these bots are 32 bit, and not 64 bit. This clearly shows how the infection focused mostly on not so new machines, and probably not tech-savvy users. Windows 7 contains around 80% of the bots, and there are still Vista and XP bots. Also most of the bots are from third world countries such as Vietnam, Indonesia,… In fact, 1 third of the bots are from Vietnam.

stats by country

Interesting stats

You see, these countries are not rich countries, and therefore their cyber-defense and education budget is not really large. Parents here are generally not computer experts either, and therefore are easily tricked into installing malware on their system. Kids are not really educated about cyber security, so there is a high chance that search queries for game hacks will probably not end well.

There currently is only one task, and it is to download a file called XD.exe from the server. Closer looks will be taken at it in the next post. Good bye and see you again.

 

 

An analysis of Razor Crypter, a HackForums product

Today we are going to take a look at Razor Crypter V2, it is a well-known crypter on HackForums. It is one of the biggest and oldest crypters that are still running. It was started 3 years ago as Razor Crypter V1 (I may cover it in a later post) and it is written in AutoIt, a language commonly used to develop malware as it is very easy to program and reFUD.

On execution, Razor Crypter’s stub creates a random number, creates a loop that add 1 to the number, check if it is prime, if it is it adds an “x” to a Variable, if not the loop is restarted. This is repeated until the number is somewhere between 10000 and 90000.

After this, the variable “NUMS” get splitted with the delimiter “x” and saved into an array called “EXP” :

 

The script will next take 2 random numbers from “EXP” and adds a random number.

This junk code is most likely done to prevent detection by AV, since after this the variable “EXP” is not used again.

When everything is done,it will drop another AutoIt script,and execute it via the AutoIt parameter “AutoIt3ExecuteScript”. However, the dropped script is detected by 90% of all AVs. Even though this crypter has such a big reputation on HackForums, it is just a poorly written crypter.

Another obfuscation technique employed is the renaming of pre-defined Functions. This is done using defining new functions that do nothing except for calling the pre-defined function. A very interesting method of obfuscation, however, it is easily thwarted by renaming all of the functions.

 

String Reverse was also renamed, however, it is custom coded. A funny thing is that the code looks copy & pasted, so I am not really sure that is a point for the coder or not.

 

 

 

However, since the crypter is written in AutoIt, and the coder has a lot of time on his/her hand, to reFUD the crypter, it is often FUD and it is very popular among non-skilled hackers (aka Skids). The encryption is also very weak, as Base64 is used, and since Base64 is a keyless kind of encryption (And the function was named _winapi_base6decode), it would be trivial to unpack the stub.

Virustotal link of the stub.

Conclusion:

  • The crypter uses bad ways to be undetected, however it is updated often which means it is hard for AVs to keep up with the Scantime detections.
  • All stubs are the same, containing barely any difference.
  • Just because a crypter is old and famous doesn’t mean it is good.
  • Don’t use Base64, at least use RC4, XXTEA, AES or something with a key.
 

Some more analysis of AutoIt crypted malware sample

If you haven’t read my first post about this malware, please do check it out.

So today I got bored and decided to browse through my files, and was suddenly reminded of the sample I was analyzing earlier. It is barely obfuscated, and many original function names are still available. At least most custom functions are obfuscated. Another sad thing about this malware, is that the encryption key is stored in plain text, and in plain sight. Some obfuscation/encryption would have been nicer.

Encryption key of malware stored in plain sight.

So in this case, the stub simply drops the encrypted stub into the Temp Dir, and then decrypt it through reading the file. vmqjobbhqfbf is simply an obfuscated version of _Crypt_DecryptData, and 26128 stands for AES256 encryption. It was too easy to create a small snippet to decrypt the stub. The decrypted stub is 305 kb in size. However, this is the part where the malware execution goes wrong. As you can see in the screenshot, the variable $hcwywahhpctofanxhtdimbanbldxbax set to “%NATIVE%”. Closer inspection shows that Native is to indicate whether the original stub is in .NET or is it without dependencies. However, the author of the crypter made a mistake, since in the variable it is “%NATIVE%”, but in the actual injection function it is 1,2,3 or 4. Another sad mistake was that the original stub was coded in .NET, and therefore is not native at all. So even if the crypter is working properly, the built stub won’t since it will be injecting into the wrong process.

 

The startup uses the name “Microsoft Cooperation ZGIJJTiKhPcKTTZX”, which is located under either Run or RunOnce of HKCU. An interesting thing about the startup is that if it senses apvui.exe (Which is Kaspersky Antivirus’s process), it will choose not to modify the registry, and instead using the Startup Directory to install itself. This is probably done since KAV’s HIP detection is pretty accurate.Malware startup

The original stub is coded in .NET, and have some decent features based on the Malwr analysis: https://malwr.com/analysis/NmJhNzYzZGVlZWI5NDM2MWFhYjc2ZDNmMGNlODAzOTU/

It is fairly well detected and was easily decompiled with de4dot, however, I was not able to deobfuscate it since I am currently only a beginner at .NET (Surprised that I admitted this?). Based on what I saw, the real deal is stored inside a resource called Testing.Resources.rsx which is decrypted on the go. Because of the hooking, I suspect this might not be a RAT/Botnet and might be just a keylogger from HF(Some that uses .NET are Volt and HawkEye, but correct me if I am wrong).

So that is it for this malware analysis. If have any questions, feel free to comment down below and I will answer them. Send your malware my ways if you have any.

 

Analysis of Plasma RAT’s source code

I recently was browsing HackHound, when I found the source code for Plasma RAT. Plasma RAT’s stub is fairly advanced, having many robust features. Some of the features include botkilling, Cryptocurrencies Mining (CPU and GPU), persistence, anti-analysis, torrent seeding, AV killer, 7 DDoS methods and a keylogger. The RAT is coded in VB.Net. There is also a Botnet version of it (Plasma HTTP), which is pretty similar to the RAT version. An analysis of the Botnet can be found on McAfee’s blog.

The AntiVM is not really the best. It searches for VM files, but does not search for the processes, the Hard Disk name, and so on. And in case a VM is detected, the AntisFound() function is called.

vmdetected

The Chrome stealer uses a module coded by RockingWithTheBest, who is a HackForums member, a link to the thread is here. The link is Google Webcache, since sadly HackForums seems to think that my country is not one that is worth serving (jk, I know there are many skids here who use LOIC).

stealer rockingwiththebest

The FTP password stealer simply steals FileZilla’s password through reading the file \FileZilla\recentservers.xml, which has password and server details in plain text.

The Torrent Seeder might be promising for malware spreaders who are interested in spreading with torrent. However, it requires Vuze, BitTorrent or uTorrent to be installed on the host machine. This would be a very powerful feature if the spreader is using Torrent as a spreading method, since victims would be guaranteed to have these torrent clients, and it would help the spreader gets more bots.

torrentseed

The process itself is heavily protected. It first set Access Right so that attempts to kill it will result in Access Denied, and also it sets itself as critical so the system goes into BSOD when the process is killed. The folder and the files are set the the user does not have access to them, as well as being hidden.

The Condis attack is new to me, I have never seen it before. After some research it turned out to be an attack that works by rapidly opening new connection and disconnecting (Hence the name ConDis), and it is primarily used to target game servers and TeamSpeak server. Slowloris, GET and POST flood, ARME attack, and UDP flood is also present. The GET and POST attack does not seem to have any user-agent string however, and the GET attack simply downloads the file. There also is Bandwidth Flood, which often is not really the most powerful kind of attack.

Inside the source, there is a resource called “a” that looks like a binary. The file is not detected by any AV at the time I am writing this (VT scan). The file’s Malwr indicates that it is malicious, since it adds itself to startup.  It might be a part of Plasma RAT, it might not be, since the source was leaked and maybe this is the leaker’s backdoor.

a resource

There is also a Hard Botkiller, which claims to be able to kill highly persistent bots such as BetaBot. It deletes the startup registry keys, and have a module that forces the deletion of a file,… The AV killer uses the Image File Execution method to get rid of the AV, and in case Admin Privilege is not presence, it attempts to social engineer the victim to accept the UAC prompt.

social engineer uac

The normal botkill attempts to identify which startup entry is malicious and which is not through several indicator. First, if it is Plasma RAT’s executable or the Miner executable, then it is not malicious. If it has a digital signature, then it is not. If it contains “cmd” or “wscript” in it’s name, then it is malicious. If it is located in  AppData, then it is. If the file attribute is Hidden or System, then it is flagged as malicious as well.

botkill

Now let’s go to the builder. As always, there is a very nice and detailed Term of Service in order to prevent the creator from being held responsible

tos

This RAT was originally a sold bot, since SealInitialize and Seal.RunHook and other NetSeal functions were found. The source was I found was as clear as daylight, so either the creator did not obfuscate the builder, or the builder was obfuscated with public obfuscators that are easily deobfuscated. When you are creating a commercial product, it is always a must to protect your source with a strong obfuscator, and sometimes heavy encryption that is decrypted runtime would work as well. This is where crypters can be used for reasons other than encrypting the stub.

So this is it for the analysis of Plasma RAT. Good bye and see you again.

 

Megalodon HTTP, Skidware and copy pasted code.

I recently obtained a copy of Megalodon HTTP’s web panel and builder(cracked). However, the builder turned out to be malicious, so I decided to look at the modules in the panel instead. Since Megalodon relies on downloading plug-ins, and almost nothing is placed inside the stub, this should be enough to show the details of Megalodon HTTP.

Megalodon HTTP’s panel had no obfuscation and no protection at all. The legendary miner turned out to be BFGMiner, which is in a folder called ‘out’. None of the files are renamed, and therefore I can work with it more easily. An interesting thing is that Megalodon kept all of the .txt files in the miner, including README, News,… which shows how this malware was made without care. Megalodon, instead of downloading all of the files directly, instead relies on a downloader to obtain the files from the server.

miner downloader

Conveniently, inside the bin folder, the output files are also not renamed. When I attempted to change the file extension from .bin to .exe for analysis, I got a few pop ups from Kaspersky Antivirus, of which one was very interesting:

stealer stolen

Megalodon used NetPass for password recovery! Seriously, there are much better password recovery modules that are publicly available, but I guess since NetPass is popular, the developers chose it. The only advantage of using NetPass instead of other modules that I could think of is that it is very lightweight.

Using JetBrains dotPeek to reverse engineer the bins, I found them completely unobfuscated. For example, the Slowloris module uses the user agent “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36” and simply have no other header, which might causes WAF to check the browser/show a CAPTCHA.

slowloris source

Megalodon also feature an XML-RPC attack that uses the pingback function in XML-RPC to reflect the attack on other sites. This amplification method is a public one and is commonly used. The user-agent is not different from the above. While there is not much amplification in this attack, it does help masking the bot’s IP.

The ARME attack is also utilized. However, unlike the other attacks, the ARME attack does not send an user-agent with it, and therefore could be easily prevented by a WAF. Also, since botnets on HF are often bought by 11 years old wanting to boot of a friend’s Minecraft server or his/her school’s online grade book, the end user will probably not know that the ARME attack is only effective on Apache server, and useless on NGINX. The header used should be challenged with Javascript or a CAPTCHA to prevent the attack: “\r\nRange:bytes=5-1300\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n”

The Botkiller uses the worst technique I have ever seen. It checks under the Run registry key that points to an executable file that contains “conhost.exe”, if any is found, it will attempt to kill the process and remove the registry key. If you refer to my previous post about common malware process name, there are many other names such as Windows Update, Security Service,… However, it is better than nothing I guess.

botkill

 

The uninstaller simply deletes all of the registry keys under Run, and then exit. This is not really a smart idea, since the malware process will not be eliminated until the next reboot. Not good at all if you found out you are being analyzed.

uninstaller

Flood.bin file is the only find I found that was obfuscated. However, it is done with Confuser 1.9.0.0, which could easily be deobfuscated through public tools. Like seriously, if you are developing malware, you should do something along the line of manual obfuscation, then obfuscation using a private obfuscator. Confuser is old and obsolete, and unless you mod it, it is useless. However, the obfuscation gives me suspicions that this module is coded by someone else.

The Syn attack tool is also weak, as it uses only 5 threads. While this does not consume much resources and therefore less noticeable, it also does not oppose much power on the target.

syn attack

There are a few other attack methods, however, they are obfuscated, and therefore I will attempt to deobfuscate them later on.

Another interesting module is the Homepage Changer. It is capable of changing the homepage of only Mozilla Firefox and Google Chrome. Well it is good enough for HF anyway, since these are the 2 most popular browsers. And seriously, if you are still using Internet Explorer and browsing my website, you should seriously consider an upgrade to Chrome/Firefox, or better yet, Tor browser and Epic browser.

So this is it for my analysis of Megalodon HTTP.  I will be analyzing more malware in the future soon, and remember to share, like and tweet about this blog post!

And also since you read to the end of the post, I will give you a very interesting thing I found while browsing through the panel files: This error log shows us in plain text the username of the hosting account Bin4ry used for his site (bin4ry.com): http://www.zunzutech.com/blog/wp-content/uploads/2016/03/errors.txt

Interesting, right?

 

New malware sample, crypted in AutoIt

VirusTotal scan: https://www.virustotal.com/en/file/fad4dc6268d03bcae8dbe2ff079798eff4ecb380233677b243bcd50d96273180/analysis/1456238541/

Download of file (INFECTED): nevergreen.net/6no

Decompiled with Exe2Aut.

So when I first obtained the sample, I tried to analyze it on malwr but I was unable to due to the fact that malwr was down (Probably due to a cyber attack). It was able to evade Anubis (https://anubis.iseclab.org/?action=result&task_id=1409319bac3c15d44bda1818b345394de&format=html) so my next thought was Hybrid Analysis but due to the long wait I am doing static analysis first. In the VirusTotal scan, I noticed the fact that a file called Au1.tmp is created, which means this file probably is an AutoIt script! According to my source, this file was crypted using a crypter, and this explains it. I quickly threw it in my VM, and decompiled it. The source is available to researchers, if you want it send me a request at [me1234@zunzu43te3ch.com removing all of the numbers from it].

The source is obfuscated manually and while it uses some of the methods I mentioned in my previous post, it was not very well done. Only basic StringReverse and variables were used, and the variables were not divided up at all.

Activity analysis based on code:

  • Installs itself to AppData\ZGIJJTiKhPcKTTZX.exe
  • Removes ZoneId
  • Set file attribute to hidden and system
  • Uses both StartupDir and Registry keys for startup (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Cooperation and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Cooperation)
  • Detects VBox, Sandboxie, VmWare
  • Drops  to Microsoft .NET folder RegAsm.exe

More analysis will be done soon after Hybrid-Analysis complete analyzing the file.