McMcbrad
Level 20
- Oct 16, 2020
- 967
There are new domains and samples correlated today:
And there is another version of klip.exe:
Malware analysis JPHP IceRat analysis
- Thread starter struppigel
- Start date
- Status
- Dec 23, 2014
- 5,629
The website malina1306.zzz.com.ua is alive now, I have possibly opened it before during replacing the content:
The new klip.exe still downloads the same BitCoinMiner as the older version:
hxxp://malina1306[.]zzz[.]com[.]ua/p/Winlogin.exe
I downloaded this file and compared it with OP.
The new klip.exe still downloads the same BitCoinMiner as the older version:
hxxp://malina1306[.]zzz[.]com[.]ua/p/Winlogin.exe
I downloaded this file and compared it with OP.
Last edited:
McMcbrad
Level 20
- Oct 16, 2020
- 967
The newly discovered klip.exe doesn't download the winring driver anymore. Instead it does what I see very frequently nowadays. It downloads a *.cab file from
hxxp://ctldl().windowsupdate().com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?751f87e719573c38
It contains a file named disallowedcert.stl. I am not sure how this is utilised. You mentioned the dwm.exe (spoofing windows process), renamed to winlogin.exe has an invalid signature. Maybe this is trying to block any warnings from Windows not to run the file...
It also downloads additional content, all related to certificates:
Unfortunately I can't download the sample and can't find out.
Last edited:
- Dec 23, 2014
- 5,629
The disallowedcertstl.cab contains disallowedcert.stl:
Something wrong is with the digital certificate.
It was also involved in some malicious activity:
It was also involved in some malicious activity:
Last edited:
McMcbrad
Level 20
- Oct 16, 2020
- 967
The file located at http://crl.microsoft.com/pki/crl/products/WinPCA.crl
Also involved in malicious activity: VirusTotal
The file located at http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
Involved as well: VirusTotal
And lastly, file located at http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
Involved too: VirusTotal
Many of these are cracks, patches and miscellaneous tools though.
Also involved in malicious activity: VirusTotal
The file located at http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
Involved as well: VirusTotal
And lastly, file located at http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
Involved too: VirusTotal
Many of these are cracks, patches and miscellaneous tools though.
Last edited:
McMcbrad
Level 20
- Oct 16, 2020
- 967
I found an early and a lot more basic version of IceRat: https://hybrid-analysis.com/sample/...04ea7339deb1a896020e/5aceaffa7ca3e10b6e2be9cc
And a repository here:
hxxps://www.nhuttruong.com/2018/07/huge-rat-repository-450-rats-nearly.html?m=1[/URL]
And a repository here:
hxxps://www.nhuttruong.com/2018/07/huge-rat-repository-450-rats-nearly.html?m=1[/URL]
Last edited:
- Apr 9, 2020
- 246
No, that's a different malware family. That file above is a .NET file that just happens to have the same name.
The size of the miner downloader (klip.exe) is that big because it is a JPHP EXE file. It contains the whole JPHP runtime alongside of being a Jar2Exe wrapped file. Even a hello world program would be that big.
McMcbrad
Level 20
- Oct 16, 2020
- 967
I’m not a fan of Java and now JPHP was brought to my life
This is probably the first JPHP file that I see.
- Dec 23, 2014
- 5,629
The same is true for AutoIt.
McMcbrad
Level 20
- Oct 16, 2020
- 967
I’ve noticed AutoIT malware executables are rather large. They are usually >3mb.The same is true for AutoIt.
I found myself a task now... hopefully I will be able to decompile some
My guess is that this is a toolkit for sale. Once criminals are being paid and depending on what you’ve ordered, they will register a domain, load it with the necessary files and configuration, and recompile with new link, so distribution can be started.
Effectiveness can then be monitored via data about infected victims, stored in plain text.
I’ve now contacted the hornet nest zzz.com.ua and pointed them to this page, so hopefully this can be disturbed at least temporarily.
Last edited:
- Apr 9, 2020
- 246
I updated the first post. Will be looking more into klient.exe and stel.exe today.
I consider writing a small python script to extract and decompile JPHB code automatically.
I consider writing a small python script to extract and decompile JPHB code automatically.
- Jul 27, 2015
- 4,112
Here is a tiny bit of domain history from the Ukrainian host.
urlhaus.abuse.ch
The Internet archive/Wayback machine didn't come up with anything.
URLhaus | API
The Internet archive/Wayback machine didn't come up with anything.
McMcbrad
Level 20
- Oct 16, 2020
- 967
I just grabbed one of them that felt related (klip.exe is the sample I discovered and clip.zzz.com.ua is the URL). Upon checking on VirusTotal, I can see that it resolves the same IP 95.211.16.66. This is definitely the same group. According to URL Haus, this has been involved in ArkeiStealer attack.Here is a tiny bit of domain history from the Ukrainian host.
URLhaus | API
The Internet archive/Wayback machine didn't come up with anything.
This IP keeps serving content to date and plethora of new domains are registered every day:
In this video we can see a tutorial how to use the toolkit and we can see Russian language again.
I wouldn't be surprised if stel.exe turns out to be related.
It is named "Advanced Password + Wallet Stealer" which confirms what I initially thought - that one of the samples should be ClipBanker.
You can have a look at other videos by the same user, named "Dominant". They are all tutorials for hacktools. We can see that "Dominant" effectively dominates the PHP language. klips.exe and klient.exe are written in JPHP.
Dominant
www.youtube.com
However, this IP is far away from being the only one involved.
5.79.66.145 is another offender, that keeps registering domains on daily bases:
The IP is also owned by AS 60781 ( LeaseWeb Netherlands B.V. ), just like 95.211.16.66. They also abuse the same hosting service, namely zzz.com.ua.
Another URL listed on Abuse.Ch is http://giftm.zzz.com.ua/klipper.exe.
This is now dead, but it has distributed sample named klipper.exe (similar to klip.exe) as early as 2018.
IP resolves to 37.48.72.4 in Netherlands again.
It has distributed a file named
This has been a version of AzoruIt.
If all that is right, then my suspicion and intuition that this whole thing serves purpose, much greater than mining 0.00000001 BTC was totally correct.
Mine and @Andy Ful correlation to AzoruIt and Predator the Thief are also correct.
So now we have the project name, we have the code being on inspection and we also know the group behind all that - CobaltGroup.
Cobalt/Carbanak bank malware gang’s alleged leader arrested
The hackers have made ATMs across Europe spit out cash upon command.
nakedsecurity.sophos.com
Cobalt Group Returns To Kazakhstan - Check Point Research
Introduction Cobalt Group is a financially motivated cyber-crime gang that has been active since at least 2016. The group is mainly interested in carrying out attacks against banks, in an attempt to access the banks’ internal networks and potentially take over sensitive components, such as...
Weekly Threat Briefing: APT Group, Cobalt, COVID-19, Ransomware and More
The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: Data Breach, Lazarus, Spearphishing, Trojan and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs...
www.anomali.com
Sergiu Sechel is a CyberSecurity Researcher at Eyenews. https://twitter.com/sergiusechel?
Last edited:
- Dec 23, 2014
- 5,629
I checked the IPs in the former attacks (data from the last 12 months, dedoLa, see my first post). All attacks that used ZZZ.com.au were called to 37.48.72.4 and 5.79.66.145. The IceRat called to 5.79.66.145. The klip.exe calls to the new IP= 95.211.16.67.
There were several attacks (PredatorTheThief, Azoruit, SupremeMiner, MinerPanel, PonyLoader, DirtJumper) on similar IP=95.211.16.66 (many were from kl.com.ua, some from zzz.com.ua and other domains).
https://exchange.xforce.ibmcloud.com/ip/95.211.16.66
Some examples of SuperMiner, MinerPanel, DirtJumper from ZZZ.com.ua
For now, IBM found the Botnet related to IP=95.211.16.67, but not malware files:
exchange.xforce.ibmcloud.com
Post edited (added VT links).
There were several attacks (PredatorTheThief, Azoruit, SupremeMiner, MinerPanel, PonyLoader, DirtJumper) on similar IP=95.211.16.66 (many were from kl.com.ua, some from zzz.com.ua and other domains).
https://exchange.xforce.ibmcloud.com/ip/95.211.16.66
Some examples of SuperMiner, MinerPanel, DirtJumper from ZZZ.com.ua
- https://exchange.xforce.ibmcloud.com/malware/B7002F59D1F2D3C74F8A11A12C49AAA4
https://www.virustotal.com/gui/file...ee2229a4f998388b5e604269a8b229046ec/detection - https://exchange.xforce.ibmcloud.com/malware/EFE83FC366E4CEFAD65118B83EB36CCE
https://www.virustotal.com/gui/file...ee2229a4f998388b5e604269a8b229046ec/detection - https://exchange.xforce.ibmcloud.com/malware/E12AB48B801CC62A201960F1F577270C
https://www.virustotal.com/gui/file...d9fb4a360cdf47876b3b153005ec9105206/detection - https://exchange.xforce.ibmcloud.com/malware/02A3E7B500313A4E6DA86EFE5836D1AF
https://www.virustotal.com/gui/file...7dbd0a087c2390dc0094833d9fbcc0c0dd5/detection - https://exchange.xforce.ibmcloud.com/malware/8712CEEA541673818A42DF7A3DA36AA0
https://www.virustotal.com/gui/file...81b2b4a8de81e3032832af7a1955ef59e00/detection
For now, IBM found the Botnet related to IP=95.211.16.67, but not malware files:
95.211.16.67 IP Address Report
IBM X-Force Exchange is a threat intelligence sharing platform enabling research on security threats, aggregation of intelligence, and collaboration with peers
exchange.xforce.ibmcloud.com
Post edited (added VT links).
Last edited:
McMcbrad
Level 20
- Oct 16, 2020
- 967
According to a report from Trend Micro found here: CVE-2017-11882 Exploited to Deliver a Loki InfostealerI checked the IPs in the former attacks (data from the last 12 months, dedoLa, see my first post). All attacks that used ZZZ.com.au were called to 37.48.72.4 and 5.79.66.145. The IceRat called to 5.79.66.145. The klip.exe calls to the new IP= 95.211.16.67.
There were several attacks (PredatorTheThief, Azoruit, SupremeMiner, MinerPanel, PonyLoader, DirtJumper) on similar IP=95.211.16.66 (many were from kl.com.ua, some from zzz.com.ua and other domains).
https://exchange.xforce.ibmcloud.com/ip/95.211.16.66
Some examples of SuperMiner, MinerPanel, DirtJumper from ZZZ.com.ua
https://exchange.xforce.ibmcloud.com/malware/B7002F59D1F2D3C74F8A11A12C49AAA4
https://exchange.xforce.ibmcloud.com/malware/EFE83FC366E4CEFAD65118B83EB36CCE
https://exchange.xforce.ibmcloud.com/malware/E12AB48B801CC62A201960F1F577270C
https://exchange.xforce.ibmcloud.com/malware/02A3E7B500313A4E6DA86EFE5836D1AF
https://exchange.xforce.ibmcloud.com/malware/8712CEEA541673818A42DF7A3DA36AA0
For now, IBM found the Botnet related to IP=95.211.16.67, but not malware files:
95.211.16.67 IP Address Report
IBM X-Force Exchange is a threat intelligence sharing platform enabling research on security threats, aggregation of intelligence, and collaboration with peers
LOLSnif – Tracking Another Ursnif-Based Targeted Campaign
Cybersecurity: Tool leaks are very interesting occurrences in cyber security. In his new blog post, Thomas Barabosch analyze a newer version of Ursnif.
www.telekom.com
The Cobalt Strike group is highly sophisticated and is known to deliver extortive malware, but that's just the beginning. The decentralised network employees money mules in Netherlands (where all IPs lead to), Bulgaria and various other Eastern European countries.
LeaseWeb provides cloud hosting, but it looks like this group relies heavily on their services, which is somewhat unique. They must all be related, if not the same.
Last edited:
- Jul 27, 2015
- 4,112
Glad the weekend closing up. No need to read a book when I got MT.
- Dec 23, 2014
- 5,629
I am probably the last one who finally noticed that IceRat.exe and klip.exe are not only similar but in fact the same malware, despite the different hashes (but Vhash and Imphash are the same). They have almost identical sections (except .rsrc which differs only by hash and Chi2, but have the same Virtual Address - Virtual Size - Raw Size - Entropy). Furthermore they have identical Resources.
Last edited:
McMcbrad
Level 20
- Oct 16, 2020
- 967
Another IP
Also, no idea how it ended up there. Who found it and named it IceRat.exe?
Klipper.exe seems to be the first sample, available on urlhaus. It dates back to 2018... This is not a project from yesterday, yet there are no reports over JPHP malware anywhere.
Another thing that I find weird is that, all downloaders, namely cheats.exe and klip.exe are highly sophisticated. However, the content they download is far cry from being a masterpiece in the malware field. The stealer is detected by almost 50 AVs, the driver winring0x64.sys is of unknown use, the Winlogin.exe is an old executable with a digital signature that expired Feb 2020...
klip.exe is a slightly updated version of IceRat.exe, but I am unsure where the IceRat comes from. I am unable to find any data on that, except some minor RAT project, not related to that at all. It might be a project that has remained undetected until now...I am probably the last one who finally noticed that IceRat.exe and klip.exe are not only similar but in fact the same malware, despite the different hashes (but Vhash and Imphash are the same). They have almost identical sections (except .rsrc which differs only by hash and Chi2, but have the same Virtual Address - Virtual Size - Raw Size - Entropy). Furthermore they have identical Resources.
Also, no idea how it ended up there. Who found it and named it IceRat.exe?
Klipper.exe seems to be the first sample, available on urlhaus. It dates back to 2018... This is not a project from yesterday, yet there are no reports over JPHP malware anywhere.
Another thing that I find weird is that, all downloaders, namely cheats.exe and klip.exe are highly sophisticated. However, the content they download is far cry from being a masterpiece in the malware field. The stealer is detected by almost 50 AVs, the driver winring0x64.sys is of unknown use, the Winlogin.exe is an old executable with a digital signature that expired Feb 2020...
Last edited:
- Dec 23, 2014
- 5,629
Yes, it calls different IPs and subdomains, but there can be a built-in choice for several IPs and subdomains. It is hard to update the EXE and preserve such similarity of sections
Post edited.
I examined both binaries in the hex editor. The differences are too big for manual changes in the hex editor. I compared my executables made in AutoIt (slightly different versions of the same program). If one makes the changes in the code, then after compilation the differences are often seen only in the .rsrc section - the values of the section's hash, Virtual Size, Raw Size, and Chi2 will be usually different. If additionally the Virtual Size and Raw Size do not differ, this can suggest that the program was only slightly modified.
Last edited:
McMcbrad
Level 20
- Oct 16, 2020
- 967
When I discovered the klip.exe, it had a detection rate of 3/69, where 2 were Kaspersky and ZoneAlarm, reducing the total number to 2.
All malware hosted in the "hornet nest" had low detection levels, except the Winlogin component, which has an expired signature. Initially, I thought it was 0-day, but now it looks like all these samples are pretty old.
The first klip.exe however, looks like it's been packed. It contains a .upx1 file rather large in size.
http://invalid666.zzz.com.ua/klip.exe - Interactive analysis - ANY.RUN
Interactive malware hunting service. Any environments ready for live testing most type of threats. Without install. Without waiting.
I'm trying to unpack it, but it's saying "not packed by UPX"...
They are only changing what's before .zzz.com.ua and everything else remains same, but they have encoded the URLs into a base64 string... not sure how they change that.
Last edited:
- Status
