Question Steamunlocked malware?

likeastar20 · Aug 30, 2023

This Nulloy folder is dropped by another .exe as far as i know. Recently, I've seen some people get infected by this Nulloy malware. The original file seems to come from a steamunlocked redirect(not the actual downloded cracked game). BITRJLW.tmp & NvStTest.exe seem interesting. Asking @struppigel to take a look. On the VT community tab for NvStTest.exe, a community member says "Malware, usually associated with some kind of attempt to download a font that is an .exe"

e5f4bab8de0352d77e4648c98ca00e17e0a97763d3a6b91dc0134e526836375d | Triage

Check this report malware sample e5f4bab8de0352d77e4648c98ca00e17e0a97763d3a6b91dc0134e526836375d, with a score of 7 out of 10.

tria.ge

VirusTotal

www.virustotal.com

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

EDIT1: The file that dropped the Nulloy folder may have been this: VirusTotal
I only have the hash.

Sandbox Breaker · Aug 30, 2023

Just looking at the reports you posted on phone and it seems like an injector. Also fetches a 7zip encrypted payload DLL that must be decrypted in MEM. That's also a hell of a lot of Evasion for 1 file lol. @likeastar20 I know you asked for the King to analyse your file but forgive me... I couldn't resist. I'm in waiting room on my phone and it peeked my interest.

Xeno1234 · Aug 30, 2023

likeastar20 said:
This Nulloy folder is dropped by another .exe as far as i know. Recently, I've seen some people get infected by this Nulloy malware. The original file seems to come from a steamunlocked redirect(not the actual downloded cracked game). BITRJLW.tmp & NvStTest.exe seem interesting. Asking @struppigel to take a look. On the VT community tab for NvStTest.exe, a community member says "Malware, usually associated with some kind of attempt to download a font that is an .exe"

e5f4bab8de0352d77e4648c98ca00e17e0a97763d3a6b91dc0134e526836375d | Triage

Check this report malware sample e5f4bab8de0352d77e4648c98ca00e17e0a97763d3a6b91dc0134e526836375d, with a score of 7 out of 10.

tria.ge

VirusTotal

VirusTotal

www.virustotal.com

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

EDIT1: The file that dropped the Nulloy folder may have been this: VirusTotal
I only have the hash.

Could you put the file into Intellix and Opentip?

Xeno1234 · Aug 30, 2023

Placing this folder into Intellix, it appears to be marked as clean via Dynamic Analysis.

SkeletalDemise · Aug 30, 2023

Hello,
@likeastar20 posted this for me as I didn't have an account. I'm the one who originally discovered this malware in FRST logs from two infected people. Both had been infected by malicious steamunlocked redirects. They both had adware named Chromstera and this Nulloy folder which I thought was suspicious. Nulloy is an open source music player: GitHub - nulloy/nulloy: Music player with a waveform progress bar

My initial thoughts were that the malware was using Nulloy to load itself and I was right. In the FRST logs there was this startup entry:

[HKEY_USERS\S-1-5-21-1023096371-1434211140-3977317714-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nulloy"="C:\Users\user\AppData\Roaming\Nulloy\Plugins\platforms\NvStTest.exe 4a4hJ"

It runs NvStTest.exe with the arg "4a4hJ"
There are some articles talking about malware using legitimate programs like NvStTest to load itself:

Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware

Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware ____________________

securityaffairs.com

Pervasive Brazilian Financial Malware Targets Bank Customers in Latin America and Europe

Cybereason’s Nocturnus team mapped out the multi-stage malware distribution infrastructure behind Brazilian financial malware and found that Brazilian-made malware have become pervasive and target over 60 banks in nearly a dozen countries throughout Latin America, Spain and Portugal.

www.cybereason.com

I have two separate samples of this malware, the only difference between them are two suspicious .tmp files that I'm pretty sure contain the payload.
For the one on triage, the payload is in "BITRJLW.tmp" It's URL encoded base64. Decoding it reveals a high entropy string so it seems to be encrypted using modern encryption like AES. RC4, etc.

You can see in the triage report that it connects to a C2. The domain was recently registered.

VirusTotal

www.virustotal.com

VirusTotal

www.virustotal.com

One of my friends sent the zipped Nulloy folder to Bitdefender and they claimed it was clean.
Also, @Sandbox Breaker the 7zip activity in triage is benign. I had to unzip the folder to run it.

likeastar20 · Aug 31, 2023

Comodo said Nulloy.zip is clean.

@struppigel @Sandbox Breaker EDIT1: this seems to be the main file that drops Nulloy

1a183eca8f1b9e38872cdb3bf114568334acf750e520fd78409050ef6c3a2c63 | Triage

Check this report malware sample 1a183eca8f1b9e38872cdb3bf114568334acf750e520fd78409050ef6c3a2c63, with a score of 7 out of 10.

tria.ge

VirusTotal

www.virustotal.com

EDIT2: interesting https://www.unpac.me/results/8758e177-d928-4c49-ac6e-ca1b2fb9f0a7

SkeletalDemise · Aug 31, 2023

Norton said the installer is clean.

It's clean on opentip as well.

Kaspersky Threat Intelligence Portal

Kaspersky Threat Intelligence Portal allows you to scan files, domains, IP addresses, and URLs for threats, malware, viruses

opentip.kaspersky.com

Xeno1234 · Aug 31, 2023

I’d call this file clean if Bitdefender analysis comes out as clean, and so does many cloud sandboxes.

SkeletalDemise · Aug 31, 2023

I'm confident it's not clean. It connects to various newly registered domains; I've seen different samples connect to different domains. Please note that Bitdefender called the zip folder clean, not the installer. The zip folder is harder to analyze as the payload only runs if you run NvStTest.exe 4a4hJ which the installer does automatically. If you run it in a VM, you can see the NvStTest.exe process taking up all your CPU and RAM.

I've tested both the real Nulloy installer and the real NvStTest.exe from NVIDIA. Neither of them connects to any sketchy domains or runs in the background. This malware is tricky; the installer is signed, and it downloads a real copy of Nulloy except with additional files. You can compare the folder with a real copy from Nulloy. Everything in Nulloy\Plugins\platforms besides qwindows.dll is from the malware.

likeastar20 · Aug 31, 2023

Xeno1234 said:
I’d call this file clean if Bitdefender analysis comes out as clean, and so does many cloud sandboxes.

Kaspersky said the file is malicious

"Dear customer,

A new malicious software has been found in the file sent. Its detection will be included in the next update.

We remain always at your disposal.

If the suggested solution did not solve the problem or if you need more information, please reply to this email leaving the subject unchanged. If you have no further questions and the issue has been resolved, you can ignore this message, in which case we will close the request within 15 days."

Xeno1234 · Aug 31, 2023

likeastar20 said:
Kaspersky said the file is malicious

"Dear customer,

A new malicious software has been found in the file sent. Its detection will be included in the next update.

We remain always at your disposal.

If the suggested solution did not solve the problem or if you need more information, please reply to this email leaving the subject unchanged. If you have no further questions and the issue has been resolved, you can ignore this message, in which case we will close the request within 15 days."

Well, in that case, it definitely is evasive, bypassing Opentip, Intellix, and a lot of human researchers.

I myself don’t know how to code, nor really know how malware works, but how could it bypass human researchers?

Also, which file was it? I checked the opentip link someone sent and it’s currently listed as clean on Opentip with 1,000 users.

Xeno1234 · Aug 31, 2023

Apparently this file was detected by Kaspersky without signatures yesterday by Behavior Blocking, as when checking Opentip it has a UDS detection and a BSS detection, which isn’t a detection given by signatures.

VirusTotal

www.virustotal.com

likeastar20 · Aug 31, 2023

Xeno1234 said:
Apparently this file was detected by Kaspersky without signatures yesterday by Behavior Blocking, as when checking Opentip it has a UDS detection and a BSS detection, which isn’t a detection given by signatures.

VirusTotal

VirusTotal

www.virustotal.com

Why was it not detected today? I ran the file in a VM. Bitdefender detected it in the VM with ATC.SuspiciousBehavior, even though their analysts said it's clean.

Xeno1234 · Aug 31, 2023

likeastar20 said:
Why was it not detected today?

Cloud detection takes a while on VT, as the way it works is on execution blocking, rather than scanning it without running. Eventually it’s added to static scan, but it takes a day or two I believe

likeastar20 · Aug 31, 2023

Xeno1234 said:
Cloud detection takes a while on VT, as the way it works is on execution blocking, rather than scanning it without running. Eventually it’s added to static scan, but it takes a day or two I believe

Edited my post above, check again.

Xeno1234 · Aug 31, 2023

likeastar20 said:
Why was it not detected today? I ran the file in a VM. Bitdefender detected it in the VM with ATC.SuspiciousBehavior, even though their analysts said it's clean.

Well, it’s fully possible it’s a FP, maybe. I’m not sure at all.

With Kaspersky, it’s blocked via Behavioral Signatures instead of Machine Learning.

SkeletalDemise · Aug 31, 2023

Kaspersky added signatures for NvStTest.exe

Kaspersky Threat Intelligence Portal

Kaspersky Threat Intelligence Portal allows you to scan files, domains, IP addresses, and URLs for threats, malware, viruses

opentip.kaspersky.com

As for why it's so hard to detect:
• the installer is signed
• the payload is encoded and encrypted
• it uses a legitimate NVIDIA program to load the malware (although it appears to be modified)
• it installs a legitimate music player and runs it (Nulloy.exe is not malicious, it's the same exe from the release on GitHub)

I found the same version of NvStTest.exe online and it's signed by NVIDIA.
You can look at the differences.
Legitimate exe:

VirusTotal

www.virustotal.com

Modified exe dropped and used by the malware:

VirusTotal

www.virustotal.com

Sandbox Breaker · Aug 31, 2023

It's not clean lol.

Xeno1234 · Aug 31, 2023

Sandbox Breaker said:
It's not clean lol.

In that case, the analysis is wrong and Kaspersky and Bitdefender nagged the malware.

Sandbox Breaker · Aug 31, 2023

I only looked on my phone but I pretty sure.

Question Steamunlocked malware?

Level 8

Level 9

Attachments

Level 14

Level 14

New Member

Attachments

Level 8

New Member

Attachments

Level 14

New Member

Level 8

Level 14

Level 14

Level 8

Level 14

Level 8

Level 14

New Member

Level 9

Level 14

Level 9

Similar threads