Status
Not open for further replies.

struppigel

Moderator
Verified
Staff member
This sample was found by @McMcbrad.
We, that is @upnorth, @McMcbrad and me, have already started looking into this. We decided to continue in a public forum thread. I will use this first post as a compilation of what we found so far and keep updating it with new information.

@McMcbrad extracted the following URL from a weaponized document which is where the sample is from: VirusTotal
Unfortunately we don't have this document. The first part of the infection chain that I found is a dropper.

The malware has a rather long infection chain. Outline:

Code:
Browes --> 1.exe --> cheats.exe --> klient.exe --> stel.exe
              |                        |    
           CryptoTabSetup              klip.exe --> Winlogin.exe
                                       |       \
                                  MMMMMM.MMMM  WinRing0x64.sys


1. Trojan Dropper: Browes.exe
Overview
VT: VirusTotal
File type: PE32, SFX file
Compile time: 2020-03-26 10:02:47
First submission: 2020-10-26 07:57:33

Behaviour
Dropper for 1.exe

2. Trojan Dropper: 1.exe
Overview
VT: VirusTotal
File type: Windows Cabinet file
Compile time: 2013-10-14 06:48:22
First submission: 2020-10-26 11:33:06

Behaviour
Dropper for cheats.exe and a CryptoTab Setup file

CryptoTab setup: VirusTotal
^This file is not malicious and probably used as a lure.

3. Downloader cheats.exe
Overview
VT: VirusTotal
File type: PE 32
Compiler: JPHP
Any.run: cheats.exe (MD5: DAE90AE7FE103FC7E1866B4E13389101) - Interactive analysis - ANY.RUN
SHA256: 0161540edfceb643389a28ebe7d1092639596325e8f40defe52192ab999d3d36

Behaviour
Downloads klient.exe, saves it in:
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\<random_name>.exe
  • %TEMP%\<random_name>.exe
The <random_name> is chosen from this list:
  • System
  • WindowsShell
  • exploler
  • antiDrw
  • antiSsl
  • ADB
  • Microsoft
  • system
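Added example (not code from the thread's authors, nor from any of the tools named in it): a small Python triage helper that checks candidate file paths against the two drop locations and the <random_name> list above, and compares SHA256 digests against the klient.exe hash given in section 4 of this post. The sample paths and the placeholder file contents at the end are constructed for the demo.

```python
"""Triage helper for the cheats.exe drop locations described in this thread.

Added example, not code from the thread's authors. It flags paths that match
%APPDATA%\\...\\Startup\\<random_name>.exe or %TEMP%\\<random_name>.exe using the
name list above, and matches SHA256 digests against the klient.exe hash given
in section 4. Sample records at the bottom are constructed for the demo.
"""
import hashlib
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# <random_name> values listed in the thread (Windows paths are case-insensitive,
# so "System" and "system" collapse into one entry when lower-cased).
DROP_NAMES = {"system", "windowsshell", "exploler", "antidrw", "antissl", "adb", "microsoft"}

# Trailing directories of %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
STARTUP_TAIL = ("microsoft", "windows", "start menu", "programs", "startup")

# SHA256 of klient.exe as reported in section 4 of this post
KNOWN_SHA256: Dict[str, str] = {
    "cebee34d5f0292befca058537bf2320dd1492afa26fb9af471155c9332046320": "klient.exe (backdoor)",
}


def is_suspicious_drop_path(path: str) -> bool:
    """True if path is one of the two persistence locations with a listed name."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".exe" or p.stem.lower() not in DROP_NAMES:
        return False
    parts = [part.lower() for part in p.parts]
    tail_len = len(STARTUP_TAIL)
    in_startup = len(parts) > tail_len and tuple(parts[-1 - tail_len:-1]) == STARTUP_TAIL
    in_temp = len(parts) >= 2 and parts[-2] == "temp"  # %TEMP% normally ends in ...\Local\Temp
    return in_startup or in_temp


def lookup_sha256(hexdigest: str) -> Optional[str]:
    """Return the label of a known-bad digest, or None when it is unknown."""
    return KNOWN_SHA256.get(hexdigest.lower())


def classify_sha256(data: bytes) -> Optional[str]:
    """Hash file contents and look the digest up in the known-bad table."""
    return lookup_sha256(hashlib.sha256(data).hexdigest())


def triage(records: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every record matching a path pattern or a known hash."""
    findings = []
    for path, content in records:
        reasons = []
        if is_suspicious_drop_path(path):
            reasons.append("drop path matches cheats.exe persistence pattern")
        label = classify_sha256(content)
        if label:
            reasons.append("sha256 matches " + label)
        if reasons:
            findings.append((path, "; ".join(reasons)))
    return findings


# Constructed sample records (contents are placeholders, not real malware)
SAMPLE_RECORDS = [
    (r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe", b"placeholder"),
    (r"C:\Users\bob\AppData\Local\Temp\exploler.exe", b"placeholder"),
    (r"C:\Users\bob\AppData\Local\Temp\notepad.exe", b"placeholder"),
    (r"C:\Program Files\Vendor\ADB.exe", b"placeholder"),
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_RECORDS):
        print(path, "->", reason)
```

On a real host you would feed `triage` with (path, bytes) pairs read from the Startup and %TEMP% folders; the path rule is deliberately strict (listed name, .exe extension, and one of the two directories), since "System.exe" or "ADB.exe" elsewhere on disk is not evidence of this chain by itself.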

4. Backdoor klient.exe
Overview

URL: hxxp://malina1306.zzz(.)com.ua/klient(.)exe
File type: PE 32
Compiler: JPHP
Compilation date: 2020-10-17 10:55:16
SHA256: cebee34d5f0292befca058537bf2320dd1492afa26fb9af471155c9332046320
VT: (3/71) VirusTotal
Malware type: Backdoor, controlled via C&C
C&C servers: hxxp://malina1306.zzz.com(.)ua and hxxp://bests.zzz.com(.)ua

Behaviour
Will check files on C&C server and do actions depending on their contents.
Downloads, among others, klip.exe (coinminer downloader) and stel.exe (stealer).

Similar samples
VT relations tab shows that at least 2 more files have been provided by that URL. They are slightly different versions of the same threat.
Files provided by hxxp://malina1306.zzz(.)com.ua/klient(.)exe
(3/69) VirusTotal
(4/69) VirusTotal

5. Coinminer downloader klip.exe
Overview
This was the first sample we analyzed, but it is not the main sample.

Hosting URL: hxxp://malina1306.zzz(.)com.ua/klip.exe
File type: PE 32
Compiler: JPHP
Compilation date: 2020-11-05 19:28:34
SHA256: 06a10cf99cc7c2d2ebc3e41300404e8f5816eb31a869d22835ade3a381199c0b
Any.Run:
Malware type: Coinminer downloader

Behaviour
The sample downloads and drops this coinminer: VirusTotal
The download URL: hxxp://malina1306.zzz(.)com.ua/p/Winlogin(.)exe
The drop location: %TEMP%/Winlogin.exe

Downloads the coinminer's config (JSON file):
MMMMMM.MMMM --> c0a3b67b4056aeefd086edbe0c6ccb5fa7835505ef4ebe6220e5f914012e9e32

Also downloads and drops WinRing0.sys VirusTotal
Download URL: hxxp://malina1306.zzz(.)com.ua/p/WinRing0x64(.)sys
This file is not malware in itself, but it seems to be abused by malware.

6. Stealer stel.exe
Overview
VT: (49/70) VirusTotal
Hosting URL: hxxp://malina1306.zzz(.)com.ua/stel.exe
File type: PE 32
Compiler: PyInstaller
Compilation date: 2020-08-08 12:30:37
Contact URLs: rudy.zzz(.)com.ua and malina1306.zzz(.)com.ua
Malware type: Credential stealer

Behaviour
Steals credentials:
  • Firefox
  • Yandex browser
  • Filezilla
  • Chrome
  • Amigo
  • kometa
  • Orbitum
  • Chromium
  • K-Melon

7. Attribution
@upnorth suspects a relationship to Olympic Destroyer due to the file name for the dropped file: Winlogin.exe
Comparing with Checkpoint research: New Strain of Olympic Destroyer Droppers - Check Point Research

Note: I removed attribution info that has no proof for a connection.

8. Older versions
klip.exe:
http://invalid666.zzz.com.ua/klip.exe - Interactive analysis - ANY.RUN

IceRat.exe:
hxxp://quarini.zzz.com(.)ua/Ice/
--> we took the name of this malware from this sample



JPHP Decompilation Notes
JPHP is a PHP implementation for the Java VM. Github page: jphp-group/jphp
There is no decompiler for this, afaik.

What I found out you can do:
  • Use 7zip to extract contents
  • open files with .phb extension in a hex editor
  • delete data up to the 0xCAFEBABE magic bytes, save result as .class file
  • use, e.g., Fernflower to decompile .class files to Java code
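Added example (not struppigel's tooling and not part of the JPHP project): a Python script that automates the hex-editor step above. It finds the first 0xCAFEBABE magic in each .phb file of a 7zip-extracted JPHP application, writes everything from there on as a .class file ready for Fernflower, and reads the class-file version from the header as a sanity check. It assumes the layout described in the notes: JPHP metadata first, then a standard JVM class file.

```python
"""Carve the embedded JVM class file out of JPHP .phb files.

Added example for this thread, not struppigel's tooling and not part of JPHP.
Assumption (from the notes above): a .phb file is JPHP metadata followed by a
standard class file, so the class file starts at the first 0xCAFEBABE magic.
"""
import struct
from pathlib import Path
from typing import List, Optional, Tuple

CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def carve_class(data: bytes) -> Optional[bytes]:
    """Return the bytes from the first class-file magic to the end, or None if absent."""
    offset = data.find(CLASS_MAGIC)
    if offset < 0:
        return None
    return data[offset:]


def class_version(class_bytes: bytes) -> Tuple[int, int]:
    """Read (major, minor) from the header: after the magic come u2 minor, u2 major."""
    minor, major = struct.unpack(">HH", class_bytes[4:8])
    return major, minor


def carve_phb_file(phb_path: Path, out_dir: Path) -> Optional[Path]:
    """Write <name>.class with the carved payload; None when no magic was found."""
    carved = carve_class(phb_path.read_bytes())
    if carved is None or len(carved) < 8:  # need at least magic + version
        return None
    out_dir.mkdir(parents=True, exist_ok=True)
    out_path = out_dir / (phb_path.stem + ".class")
    out_path.write_bytes(carved)
    return out_path


def carve_tree(extracted_dir: Path, out_dir: Path) -> List[Path]:
    """Carve every .phb below a 7zip-extracted JPHP app; returns the .class files written."""
    written = []
    for phb in sorted(extracted_dir.rglob("*.phb")):
        out = carve_phb_file(phb, out_dir)
        if out is not None:
            written.append(out)
    return written


if __name__ == "__main__":
    # usage: python carve_phb.py <extracted_dir> <output_dir>
    import sys
    src, dst = Path(sys.argv[1]), Path(sys.argv[2])
    for path in carve_tree(src, dst):
        major, minor = class_version(path.read_bytes())
        print(f"{path}: class file version {major}.{minor}")
```

Run it on the directory 7zip produced; the resulting .class files can be handed to Fernflower as-is. If a .phb contains no magic, nothing is written for it, which is itself worth noting when you inventory the archive.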


9. Hosting Domain
URL: hxxp://malina1306.zzz(.)com.ua
WHOIS: Whois Lookup Captcha
Translation of picture below (see spoiler):
Enter User
Download miner (v1)
Download miner (v2)
manila_panel.png
More files hosted on that page:
hosted_files.png

I freshly downloaded those:

visa.txt: empty
min.exe: NA
1.exe: (2/71) VirusTotal
klient.exe: (3/71) VirusTotal
klip.exe: 06a10cf99cc7c2d2ebc3e41300404e8f5816eb31a869d22835ade3a381199c0b (our sample)
winlogin.exe: NA
Winlogin.exe: (41/72) VirusTotal (coinminer)
stel.exe: (49/70) VirusTotal (PyInstaller compiled stealer)
MMMMMM.MMMM: c0a3b67b4056aeefd086edbe0c6ccb5fa7835505ef4ebe6220e5f914012e9e32 (JSON file with miner configuration)

dow_klip.txt: ba049d910ceccfd69af1df754fa4d9a23c7b9165cb2eb66b375ca195531bee2a (infected client data)
pr.txt: dd34bde50b956333b0d154ef88036b5b596b3952311ac46d8b98470590da96e2 (infected client data)
--> both files contain a listing with tuples of MAC address, operating system, RAM, processor and username (a lot of them Russian). I suspect these are infected clients.
listing.png

upnorth

Moderator
Verified
Staff member
Malware Hunter
For those that don't know what the Olympic Destroyer was/is, I can highly recommend watching it here:

struppigel

Moderator
Verified
Staff member
I found the main code of the application (took me a while, since I didn't know how JPHP saves its files)
You see that Base64 string? That's the download URLs for the miner, miner config and WinRing0x64.sys.
main_code.png

Will update the first post with my findings later.


Andy Ful

Level 65
Verified
Trusted
Content Creator
The Ukrainian web hosting company ZZZ.com.ua was used several times to host malware for spam attacks:
https://www.avira.com/en/blog/forfiles-used-in-a-living-off-the-land-attack-to-spread-ransomware
related to Locdoor ransomware (DryCry)

https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
related to Win.Malware.Arkei-9753125-1

related to LoadPCBanker

http://dedola.eu/malware.php
page=7, 20, 25, 34, 36, 43, 47, 48, 56, 57, 59-66, etc.
related to AzoRuit, PredatorTheThief, Evrial, and Coinminers

https://vulners.com/rst/RST:09E24F97-3B5B-3C28-B679-7CBD716C9AEA
https://www.threatcrowd.org/ip.php?ip=5.79.66.145

Here is a very interesting event of putting a Backdoor in a Ruby Password Strength Checking Library (on RubyGems) related to smiley.zzz.com[.]ua.
https://www.cyclonis.com/hackers-put-backdoor-in-ruby-password-strength-checking-library/

McMcbrad

Level 10
I’ll publish more information in a few hours or so. The hosting service is abused because registration is free and requires a minimum amount of data, which from my test yesterday, can be all fake.
I suspect this is an updated version of ClipperBanker due to various unique behaviours. I went as far as executing this nasty piece of malware on a real machine, as it detects virtual machines. The 0% CPU usage that the threat maintains most of the time is an indicator that this is not a miner at all - we know this is a resource-intensive process. The threat tries to stay as quiet and unnoticed as possible, which is an indication of infostealing.
Stay tuned.


McMcbrad

Level 10
From the very beginning I knew it was a RAT and not a coinminer. It looks too sophisticated to perform just one simple action. I am unable to discover any information about a project called Ice Rat. It seems like we are looking at something that may have remained undetected until now?

Update:
Unfortunately, both the weaponised document, as well as a version of the same threat (cheats.exe) and plenty of other files were all hosted on http://bests(.)zzz.com(.)ua/
Versions of LockerGoga as well as versions of Wacatac/Death Ransom were also hosted there and the domain was active until late last night.
I performed analysis of cheats.exe on the 17th of November and this can be seen here: cheats.exe (MD5: DAE90AE7FE103FC7E1866B4E13389101) - Interactive analysis - ANY.RUN

struppigel

Moderator
Verified
Staff member
To be exact: The sample klip.exe 06a10cf99cc7c2d2ebc3e41300404e8f5816eb31a869d22835ade3a381199c0b
is only a coinminer downloader.

However, the sample klient.exe cebee34d5f0292befca058537bf2320dd1492afa26fb9af471155c9332046320
has some command and control abilities. I did not see remote control in the sense of being able to move the mouse etc. It's a backdoor but not a RAT.
This file may also download stel.exe (the python stealer).
There are 2 server addresses:
Code:
server.assign("hxxp://malina1306.zzz.com(.)ua");
aserver.assign("hxxp://bests.zzz.com(.)ua");

The commands seem to be triggered by availability and contents of certain files on the server. See image below. If the file dow_stil.txt is available, it will download and persist the stealer. Same can be done with a clipbanker and a keylogger. The main purpose seems to be gathering credentials.

down_stil.png

I am still making the code more readable and also writing detection signatures.

McMcbrad

Level 10
To be exact: The sample klip.exe 06a10cf99cc7c2d2ebc3e41300404e8f5816eb31a869d22835ade3a381199c0b
is only a coinminer downloader.

However, the sample klient.exe cebee34d5f0292befca058537bf2320dd1492afa26fb9af471155c9332046320
has some command and control abilities. I did not see remote control in the sense of being able to move the mouse etc. It's a backdoor but not a RAT.
This file may also download stel.exe (the python stealer).
There are 2 server addresses:

The commands seem to be triggered by availability and contents of certain files on the server. See image below. If the file dow_stil.txt is available, it will download and persist the stealer.
Same can be done with a clipbanker.


I am still making the code more readable and also writing detection signatures.
At least one of the samples or any of the files they download should have the ability to monitor the clipboard.
The first version of the threat I discovered comes from zzz.com.ua again and dates back to August 2019.
It supported only the x64 architecture. It has been a variant of ClipBanker and the behaviour is very similar according to the hybrid analysis report.
Behaviours such as drawing an overlay and installing hooks are indeed very typical for backdoors/infostealers.


upnorth

Moderator
Verified
Staff member
Malware Hunter
The hosting service is abused because registration is free and requires minimum amount of data, which from my test yesterday, can be all fake.

The IceRat sample:

McMcbrad

Level 10
Do you still have those saved somewhere?
I didn't save them, because I did it all with the purpose of finding malicious domains for the test seen here:

I really didn't expect that I would come across something so interesting. It's good I decided to then test AVG layer by layer, and this sample immediately grabbed my attention, first with its size. This size is rather large for malware. I then executed the sample with Shadow Defender running and noticed winlogon.exe downloaded, and I was unable to click some portions of my screen, like the browser scrollbar. I then realised there is an overlay drawn on top of my screen or some hooks installed. This is when I started to become suspicious about what this is.

Information about a relation to Olympic Destroyer from my side is very limited, but hosting versions of LockerGoga, which is also known to be from a Ukrainian cybercrime group, might mean that this is just another way for the same group to get profit. But of course, more investigation is needed.

This is what I found today: CyberCrime
I can see plenty of malicious siblings, but there are 3 main projects behind them: Predator the Thief: Predator the Thief - Check Point Research
Azorult: Kaspersky Threats — Azorult
And coinminer (which is more or less what we are dealing with). All these might have the same group behind them.

It might all be part of the Smominru botnet, one of the largest, if not the largest, mining bot operation ever.

Predator the Thief has also been distributed via documents according to this article:

In March 2019, FortiGuard Labs discovered a running campaign against Russian-speakers using a new version of “Predator the Thief” stealer malware. The same actor was using one set of dummy files to deliver the stealer via different forms of phishing, including Zipped files, fake documents, fake pdfs, and the WinRAR exploit described in CVE-2018-20250.
This is similar to how our sample was delivered.
Predator the Thief also includes "module clipper"

This is the transcript of the Telegram message which describes changes in Predator v.3.3.0, the sample we obtained:

Update v.3.3.0 as of 19.08.2019:

Module Clipper

* new module clipper, price is $100

Module Loader

* added option “random filename” for methods ShellExecute and CreateProcess
Module Clipper could be the ClipBanker. The first and original sample of Klip.exe that has been analysed on any.run in Aug 2019 is a variant of ClipBanker.

Currently Predator is offered on another Russian forum as well as on the Telegram channel. Its price is $150, plus an additional $100 may be paid for the Clipper module which allows the buyer to customize stealing options for crypto-wallets.
This is the exact behaviour of ClipBanker.

Other attacks that have used zzz.com.ua are Arkei: Threat Roundup for September 11 to September 18
Eredel: Eredel (Malware Family)
And the Pony downloader: Loki and Downloader.Pony | Botnet C&C
Pony was used to distribute Loki.
It looks like all malware hosted on zzz.com.ua is a form of backdoor/infostealer.

Andy Ful

Level 65
Verified
Trusted
Content Creator
It seems that klip.exe is a downloader as @struppigel has noticed. The downloaded & executed files seem very suspicious:
  • winring0x64.sys is used in legal software but this version is very old (2008-07-26) so using it for anything is very suspicious.
  • winlogin.exe is a BitCoinMiner (original name dwm.exe from Yandex) but there is something wrong with the digital signature.
The IP 95.211.16.67 points to 58 subdomains of ZZZ.com.ua:
The malina1306.zzz.com.ua is now dead so this suggests a phishing subdomain. I have not investigated others, yet.

McMcbrad

Level 10
It seems that klip.exe is a downloader as @struppigel has noticed. The downloaded & executed files seem very suspicious:
  • winring0x64.sys is used in legal software but this version is very old (2008-07-26) so using it for anything is very suspicious.
  • winlogin.exe is a BitCoinMiner (original name dwm.exe from Yandex) but there is something wrong with the digital signature.
The IP 95.211.16.67 points to 58 subdomains of ZZZ.com.ua:
The malina1306.zzz.com.ua is now dead so this suggests a phishing subdomain. I did not investigate others, yet.
But why have such a large file only for a downloader? It seems very suspicious. The bitcoin mining component could still be part of smominru.
The behaviour of the file is just too fishy for a downloader. I’ve never seen a loader act this way. This sample goes a long way to evade analysis and remain stealthy. This is different from downloaders that usually tend to be either fileless, obfuscated or self-terminating.
This might be the purpose of the winring0x64.sys driver:

I checked the malina1306.zzz.com.ua and it seems to be still active.
The page has 2 buttons saying "Download Miner 1" and "Download Miner 2". But who would want to use a miner that doesn't have a visible window and can't be linked to a cryptowallet? All very strange.