McMcbrad
Level 20
- Oct 16, 2020
- 967
There are new domains and samples correlated today:
And there is another version of klip.exe:
The newly discovered klip.exe doesn't download the winring driver anymore. Instead it does what I see very frequently nowadays: it downloads a *.cab file from

The website malina1306.zzz.com.ua is alive now; I have possibly opened it before while replacing the content:
No, that's a different malware family. That file above is a .NET file that just happens to have the same name.

I found an early and a lot more basic version of IceRat: https://hybrid-analysis.com/sample/...04ea7339deb1a896020e/5aceaffa7ca3e10b6e2be9cc

I'm not a fan of Java, and now JPHP was brought into my life.

The size of the miner downloader (klip.exe) is that big because it is a JPHP EXE file. It contains the whole JPHP runtime alongside being a Jar2Exe wrapped file. Even a hello world program would be that big.

The same is true for AutoIt.

I've noticed AutoIt malware executables are rather large. They are usually >3 MB.
I just grabbed one of them that felt related (klip.exe is the sample I discovered, and clip.zzz.com.ua is the URL). Upon checking on VirusTotal, I can see that it resolves to the same IP, 95.211.16.66. This is definitely the same group. According to URLhaus, this has been involved in an ArkeiStealer attack.

Here is a tiny bit of domain history from the Ukrainian host:

URLhaus | API (urlhaus.abuse.ch)
The Internet archive/Wayback machine didn't come up with anything.
According to a report from Trend Micro found here: CVE-2017-11882 Exploited to Deliver a Loki Infostealer

I checked the IPs in the former attacks (data from the last 12 months, dedoLa, see my first post). All attacks that used zzz.com.ua called 37.48.72.4 and 5.79.66.145. IceRat called 5.79.66.145. klip.exe calls the new IP, 95.211.16.67.
There were several attacks (PredatorTheThief, Azorult, SupremeMiner, MinerPanel, PonyLoader, DirtJumper) on the similar IP 95.211.16.66 (many were from kl.com.ua, some from zzz.com.ua and other domains).
https://exchange.xforce.ibmcloud.com/ip/95.211.16.66
Some examples of SuperMiner, MinerPanel, DirtJumper from ZZZ.com.ua
https://exchange.xforce.ibmcloud.com/malware/B7002F59D1F2D3C74F8A11A12C49AAA4
https://exchange.xforce.ibmcloud.com/malware/EFE83FC366E4CEFAD65118B83EB36CCE
https://exchange.xforce.ibmcloud.com/malware/E12AB48B801CC62A201960F1F577270C
https://exchange.xforce.ibmcloud.com/malware/02A3E7B500313A4E6DA86EFE5836D1AF
https://exchange.xforce.ibmcloud.com/malware/8712CEEA541673818A42DF7A3DA36AA0
For now, IBM found the botnet related to IP 95.211.16.67, but no malware files:
95.211.16.67 IP Address Report (exchange.xforce.ibmcloud.com)
The Cobalt hacking group was one of the first to promptly and actively exploit CVE-2017-11882 (patched last November) in their cybercriminal campaigns. We uncovered several others following suit in early December, delivering a plethora of threats that included Pony/FAREIT, FormBook, ZBOT, and Ursnif. Another stood out to us: a recent campaign that used the same vulnerability to install a “cracked” version of the information-stealing Loki.
This Ursnif variant makes use of LOLBins (as also pointed out in this blog). For instance, LOLBins are utilized to start the malware from the registry (mshta.exe + powershell.exe). Furthermore, LOLSnif is capable of downloading and executing further modules as well as payloads. For instance, a recent blog post mentions that the associated actor dropped a Cobalt Strike BEACON as well as a legitimate TeamViewer VNC client.
klip.exe is a slightly updated version of IceRat.exe, but I am unsure where IceRat comes from. I am unable to find any data on that, except some minor RAT project, not related to this at all. It might be a project that has remained undetected until now...

Also, no idea how it ended up there. Who found it and named it IceRat.exe?

I am probably the last one who finally noticed that IceRat.exe and klip.exe are not only similar but in fact the same malware, despite the different hashes (but Vhash and Imphash are the same). They have almost identical sections (except .rsrc, which differs only by hash and Chi2, but has the same Virtual Address, Virtual Size, Raw Size and Entropy). Furthermore, they have identical Resources.

Yes, it calls different IPs and subdomains, but there can be a built-in choice for several IPs and subdomains. If so, then one could probably make modifications in a hex editor by changing the values of some bytes. I doubt if anything else was changed. It is hard to update the EXE and preserve such similarity of sections.

Another IP

When I discovered klip.exe, it had a detection rate of 3/69, where 2 were Kaspersky and ZoneAlarm, reducing the total number to 2.
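The section-by-section comparison described in the posts above (same Virtual Address, Virtual Size and Raw Size per section, near-identical entropy, and only the .rsrc content hash differing) can be reproduced offline without VirusTotal. The script below is an added example written for this page; it is not code from the thread, from IceRat/klip.exe, or from any tool the posters used. It parses the PE section table with the Python standard library only, and compares two constructed, non-loadable sample files: identical .text, and a .rsrc of identical size in which one embedded address string was edited in place, the way a hex-editor patch would do it. The IP addresses and the clip.zzz.com.ua URL are taken from the thread; the file layout, section contents and the assumption that the C2 string lives in .rsrc are invented for the demonstration.

```python
"""Compare two PE files section by section: Virtual Address, Virtual Size,
Raw Size, entropy and a content hash per section. Standard library only."""
import hashlib
import math
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
FILE_ALIGN, SECTION_ALIGN, OPT_HDR_SIZE = 0x200, 0x1000, 0xE0


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte, 0.0 (constant data) to 8.0 (uniform), as VirusTotal reports it."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Follow e_lfanew to the PE signature, read NumberOfSections and
    SizeOfOptionalHeader from the COFF header, then walk the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(pe, table + i * SECTION_HDR.size)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 3),
            "sha256": hashlib.sha256(raw).hexdigest(),
        })
    return sections


def compare_sections(pe_a: bytes, pe_b: bytes, entropy_tol: float = 0.05) -> list:
    """Pair sections by position. same_layout means the VA/VirtualSize/RawSize
    triple matches; same_content means the raw section bytes hash identically."""
    sa, sb = parse_sections(pe_a), parse_sections(pe_b)
    if len(sa) != len(sb):
        raise ValueError(f"section count differs: {len(sa)} vs {len(sb)}")
    return [{
        "name": a["name"],
        "same_layout": (a["va"], a["vsize"], a["rawsize"]) == (b["va"], b["vsize"], b["rawsize"]),
        "same_entropy": abs(a["entropy"] - b["entropy"]) <= entropy_tol,
        "same_content": a["sha256"] == b["sha256"],
    } for a, b in zip(sa, sb)]


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_pe(sections: list) -> bytes:
    """Constructed test input: a minimal, non-loadable PE32 (i386 machine type,
    zeroed optional header) carrying the given (name, bytes) sections."""
    e_lfanew = 0x40
    hdr_size = _align(e_lfanew + 4 + 20 + OPT_HDR_SIZE + SECTION_HDR.size * len(sections), FILE_ALIGN)
    out = bytearray(b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew))
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x102)
    out += b"\0" * OPT_HDR_SIZE
    body, rawptr, va = bytearray(), hdr_size, SECTION_ALIGN
    for name, data in sections:
        rawsize = _align(len(data), FILE_ALIGN)
        out += SECTION_HDR.pack(name.ljust(8, b"\0"), len(data), va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(rawsize, b"\0")
        rawptr += rawsize
        va += _align(len(data), SECTION_ALIGN)
    return bytes(out.ljust(hdr_size, b"\0") + body)


def demo() -> list:
    """Constructed stand-ins for IceRat.exe and klip.exe: identical .text, and a
    .rsrc of identical size where only the embedded address was edited, as one
    would do in a hex editor. Addresses/URL come from the thread, bytes are invented."""
    text = bytes(range(256)) * 3
    rsrc_a = b"CONFIG\0http://clip.zzz.com.ua/\0" + b"95.211.16.66\0" + bytes(200)
    rsrc_b = rsrc_a.replace(b"95.211.16.66", b"95.211.16.67")
    pe_a = build_pe([(b".text", text), (b".rsrc", rsrc_a)])
    pe_b = build_pe([(b".text", text), (b".rsrc", rsrc_b)])
    return compare_sections(pe_a, pe_b)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Run against two real files (`compare_sections(open(a, "rb").read(), open(b, "rb").read())`), a result where every section reports same_layout and same_entropy but a single section fails same_content is exactly the pattern the posts describe: a byte-level patch of embedded configuration, not a rebuild. Imphash is not computed here because the toy builder has no import table; on real samples it is a separate check on the import directory, not on the section table.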