upnorth

Attackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered a complex campaign with several different executable payloads, all focused on providing financial benefits for the attacker in a slightly different way. The first payload is a Monero cryptocurrency miner based on XMRigCC, and the second is a trojan that monitors the clipboard and replaces its content. There's also a variant of the infamous AZORult information-stealing malware, a variant of Remcos remote access tool and, finally, the DarkVNC backdoor trojan.

WHAT'S NEW?

Embedding an executable downloader in an ISO image file is a relatively new method of delivery for AZORult. It's also unusual to see attackers using multiple methods to make money.

HOW DID IT WORK?

The infection chain starts with a ZIP file, which contains an ISO disk image file. When the user opens the ISO file, a disk image containing an executable loader is mounted. When the loader is launched, it deobfuscates malicious code which downloads the first obfuscated PowerShell loader stage that kickstarts the overall infection, disables security tools and the Windows Update service, and downloads and launches the payloads.

DOMAINS

dfgdgertdvdf[.]online - DarkVNC and Remcos C2
dfgdgertdvdf[.]xyz - Remcos C2
memedarka[.]xyz - AZORult C2

CRYPTOCURRENCY WALLETS

855vLkzTFwr82TrfPKLH6w3UB19RGdHDsGY1etmdyZjZChbhyghtiK66ZVXoVayJXVNydca7KZqE53Dn2Hsk8WdKDmjq3bu - Monero
XrchZULVyJPAFro13627cyKdfb6ojerRwv - Dash
3Csd9Zq4r16dVQuREs52y5eJFgYEqQjAx1 - Bitcoin
0x51664e573049ab1ddbc2dc34f5b4fc290151cdb4 - Ethereum
LS2GBEJEzgDy14hVHFp4JJzjKoiMgkbZAY - Litecoin
D6yFAuCDoMkCftyXTWY8m267PzxeoaiMX7 - Dogecoin
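Added example, not code from the Talos write-up or from this post: a small Python detector for the clipboard-replacement behaviour described above, matching pasted text against the wallet addresses listed in the post and flagging a copied address that comes back as a different one. The address-shape patterns and the sample clipboard events are assumptions constructed for the example.

```python
import re
from typing import Optional

# Attacker wallets quoted in the post, keyed by currency (values copied from the post).
ATTACKER_WALLETS = {
    "Monero": "855vLkzTFwr82TrfPKLH6w3UB19RGdHDsGY1etmdyZjZChbhyghtiK66ZVXoVayJXVNydca7KZqE53Dn2Hsk8WdKDmjq3bu",
    "Dash": "XrchZULVyJPAFro13627cyKdfb6ojerRwv",
    "Bitcoin": "3Csd9Zq4r16dVQuREs52y5eJFgYEqQjAx1",
    "Ethereum": "0x51664e573049ab1ddbc2dc34f5b4fc290151cdb4",
    "Litecoin": "LS2GBEJEzgDy14hVHFp4JJzjKoiMgkbZAY",
    "Dogecoin": "D6yFAuCDoMkCftyXTWY8m267PzxeoaiMX7",
}

# Rough address-shape patterns (assumed from the public address formats; base58 has no 0, O, I, l).
# Litecoin legacy "3..." addresses overlap Bitcoin P2SH and are not told apart here.
B58 = "[1-9A-HJ-NP-Za-km-z]"
ADDRESS_PATTERNS = {
    "Monero": re.compile(rf"^[48]{B58}{{94}}$"),
    "Ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "Bitcoin": re.compile(rf"^(?:[13]{B58}{{25,34}}|bc1[02-9ac-hj-np-z]{{11,71}})$"),
    "Litecoin": re.compile(rf"^[LM]{B58}{{26,33}}$"),
    "Dash": re.compile(rf"^X{B58}{{33}}$"),
    "Dogecoin": re.compile(rf"^D{B58}{{33}}$"),
}

def classify(text: str) -> Optional[str]:
    """Return the currency whose address shape matches the clipboard text, or None."""
    s = text.strip()
    return next((coin for coin, pat in ADDRESS_PATTERNS.items() if pat.match(s)), None)

def check_paste(copied: str, pasted: str) -> Optional[str]:
    """Compare what the user copied with what got pasted; describe any sign of clipboard hijacking."""
    copied, pasted = copied.strip(), pasted.strip()
    for coin, wallet in ATTACKER_WALLETS.items():
        if pasted == wallet:
            return f"pasted {coin} address is a known attacker wallet"
    coin_in, coin_out = classify(copied), classify(pasted)
    if coin_in and coin_out and copied != pasted:
        return f"{coin_in} address replaced by a different {coin_out} address"
    return None

# Constructed (copied, pasted) clipboard pairs standing in for an endpoint agent's capture.
SAMPLE_EVENTS = [
    ("1AbCdEfGhJkLmNpQrStUvWxYz23456789a", ATTACKER_WALLETS["Bitcoin"]),  # swapped to attacker wallet
    ("hello world", "hello world"),                                        # ordinary text, untouched
    ("0x" + "1" * 40, "0x" + "2" * 40),                                    # swapped to an unlisted wallet
    (ATTACKER_WALLETS["Dogecoin"], ATTACKER_WALLETS["Dogecoin"]),          # known-bad address itself
]

def scan_events(events):
    """Run check_paste over (copied, pasted) pairs; return (index, alert) for each hit, in order."""
    return [(i, msg) for i, (c, p) in enumerate(events) if (msg := check_paste(c, p))]
```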