Question Steamunlocked malware?

Please provide comments and solutions that are helpful to the author of this topic.

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
369
This Nulloy folder is dropped by another .exe as far as i know. Recently, I've seen some people get infected by this Nulloy malware. The original file seems to come from a steamunlocked redirect(not the actual downloded cracked game). BITRJLW.tmp & NvStTest.exe seem interesting. Asking @struppigel to take a look. On the VT community tab for NvStTest.exe, a community member says "Malware, usually associated with some kind of attempt to download a font that is an .exe"


-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

EDIT1: The file that dropped the Nulloy folder may have been this: VirusTotal
I only have the hash.
 
Last edited:

Sandbox Breaker

Level 9
Well-known
Jan 6, 2022
433
Screenshot_20230830-184433.png

Screenshot_20230830-184541.png
Just looking at the reports you posted on phone and it seems like an injector. Also fetches a 7zip encrypted payload DLL that must be decrypted in MEM. That's also a hell of a lot of Evasion for 1 file lol. @likeastar20 I know you asked for the King to analyse your file but forgive me... I couldn't resist. I'm in waiting room on my phone and it peeked my interest.
 

Attachments

  • Screenshot_20230830-184320.png
    Screenshot_20230830-184320.png
    383 KB · Views: 123
Last edited by a moderator:

Xeno1234

Level 14
Jun 12, 2023
684
This Nulloy folder is dropped by another .exe as far as i know. Recently, I've seen some people get infected by this Nulloy malware. The original file seems to come from a steamunlocked redirect(not the actual downloded cracked game). BITRJLW.tmp & NvStTest.exe seem interesting. Asking @struppigel to take a look. On the VT community tab for NvStTest.exe, a community member says "Malware, usually associated with some kind of attempt to download a font that is an .exe"


-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

EDIT1: The file that dropped the Nulloy folder may have been this: VirusTotal
I only have the hash.
Could you put the file into Intellix and Opentip?
 

SkeletalDemise

New Member
Aug 30, 2023
5
Hello,
@likeastar20 posted this for me as I didn't have an account. I'm the one who originally discovered this malware in FRST logs from two infected people. Both had been infected by malicious steamunlocked redirects. They both had adware named Chromstera and this Nulloy folder which I thought was suspicious. Nulloy is an open source music player: GitHub - nulloy/nulloy: Music player with a waveform progress bar

My initial thoughts were that the malware was using Nulloy to load itself and I was right. In the FRST logs there was this startup entry:
[HKEY_USERS\S-1-5-21-1023096371-1434211140-3977317714-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Nulloy"="C:\Users\user\AppData\Roaming\Nulloy\Plugins\platforms\NvStTest.exe 4a4hJ"
It runs NvStTest.exe with the arg "4a4hJ"
There are some articles talking about malware using legitimate programs like NvStTest to load itself:

I have two separate samples of this malware, the only difference between them are two suspicious .tmp files that I'm pretty sure contain the payload.
For the one on triage, the payload is in "BITRJLW.tmp" It's URL encoded base64. Decoding it reveals a high entropy string so it seems to be encrypted using modern encryption like AES. RC4, etc.

You can see in the triage report that it connects to a C2. The domain was recently registered.

One of my friends sent the zipped Nulloy folder to Bitdefender and they claimed it was clean.
Also, @Sandbox Breaker the 7zip activity in triage is benign. I had to unzip the folder to run it.
 

Attachments

  • nvsttest.png
    nvsttest.png
    69.8 KB · Views: 118
  • c2.png
    c2.png
    27 KB · Views: 99
  • payloads.png
    payloads.png
    121.5 KB · Views: 104
  • the_payload.png
    the_payload.png
    38.7 KB · Views: 114

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
369
Last edited:

SkeletalDemise

New Member
Aug 30, 2023
5
I'm confident it's not clean. It connects to various newly registered domains; I've seen different samples connect to different domains. Please note that Bitdefender called the zip folder clean, not the installer. The zip folder is harder to analyze as the payload only runs if you run NvStTest.exe 4a4hJ which the installer does automatically. If you run it in a VM, you can see the NvStTest.exe process taking up all your CPU and RAM.

I've tested both the real Nulloy installer and the real NvStTest.exe from NVIDIA. Neither of them connects to any sketchy domains or runs in the background. This malware is tricky; the installer is signed, and it downloads a real copy of Nulloy except with additional files. You can compare the folder with a real copy from Nulloy. Everything in Nulloy\Plugins\platforms besides qwindows.dll is from the malware.
 

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
369
I’d call this file clean if Bitdefender analysis comes out as clean, and so does many cloud sandboxes.
Kaspersky said the file is malicious

"Dear customer,

A new malicious software has been found in the file sent. Its detection will be included in the next update.

We remain always at your disposal.


If the suggested solution did not solve the problem or if you need more information, please reply to this email leaving the subject unchanged. If you have no further questions and the issue has been resolved, you can ignore this message, in which case we will close the request within 15 days."
 

Xeno1234

Level 14
Jun 12, 2023
684
Kaspersky said the file is malicious

"Dear customer,

A new malicious software has been found in the file sent. Its detection will be included in the next update.

We remain always at your disposal.


If the suggested solution did not solve the problem or if you need more information, please reply to this email leaving the subject unchanged. If you have no further questions and the issue has been resolved, you can ignore this message, in which case we will close the request within 15 days."
Well, in that case, it definitely is evasive, bypassing Opentip, Intellix, and a lot of human researchers.

I myself don’t know how to code, nor really know how malware works, but how could it bypass human researchers?

Also, which file was it? I checked the opentip link someone sent and it’s currently listed as clean on Opentip with 1,000 users.
 

Xeno1234

Level 14
Jun 12, 2023
684
Apparently this file was detected by Kaspersky without signatures yesterday by Behavior Blocking, as when checking Opentip it has a UDS detection and a BSS detection, which isn’t a detection given by signatures.

 
  • Like
Reactions: oldschool

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
369
Apparently this file was detected by Kaspersky without signatures yesterday by Behavior Blocking, as when checking Opentip it has a UDS detection and a BSS detection, which isn’t a detection given by signatures.

Why was it not detected today? I ran the file in a VM. Bitdefender detected it in the VM with ATC.SuspiciousBehavior, even though their analysts said it's clean.
 
  • Like
Reactions: oldschool

likeastar20

Level 8
Thread author
Verified
Mar 24, 2016
369
Cloud detection takes a while on VT, as the way it works is on execution blocking, rather than scanning it without running. Eventually it’s added to static scan, but it takes a day or two I believe
Edited my post above, check again.
 

Xeno1234

Level 14
Jun 12, 2023
684
Why was it not detected today? I ran the file in a VM. Bitdefender detected it in the VM with ATC.SuspiciousBehavior, even though their analysts said it's clean.
Well, it’s fully possible it’s a FP, maybe. I’m not sure at all.

With Kaspersky, it’s blocked via Behavioral Signatures instead of Machine Learning.
 
  • Like
Reactions: oldschool

SkeletalDemise

New Member
Aug 30, 2023
5
Kaspersky added signatures for NvStTest.exe

As for why it's so hard to detect:
• the installer is signed
• the payload is encoded and encrypted
• it uses a legitimate NVIDIA program to load the malware (although it appears to be modified)
• it installs a legitimate music player and runs it (Nulloy.exe is not malicious, it's the same exe from the release on GitHub)

I found the same version of NvStTest.exe online and it's signed by NVIDIA.
You can look at the differences.
Legitimate exe:
Modified exe dropped and used by the malware:
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top