We are often asked how targets are infected with malware. Our answer is nearly always the same: (spear) phishing. There will be exceptions, naturally, as we will encounter RCE vulnerabilities every now and then, or if the attacker is already on the network, they will use tools like PsExec. But that’s it — most of the time, anyway.
Last month, we focused on infection methods used in various malware campaigns: methods that we do not see used very often. In this blog post, we provide excerpts from these reports.
For questions or more information on our crimeware reporting service, please contact email@example.com.
BlackBasta: a new propagation method
BlackBasta, the notorious ransomware we have written about before, recently received an update. It now has a second optional command line parameter: “-bomb”.
When that parameter is used, the malware does the following:
Code snippet showing the LDAP functionality
The benefit of using an in-built propagation method is that it leaves fewer traces in the system and it is stealthier than using public tools. For example, one of the attackers’ favorite tools, PsExec, is easily detected on the network. The new method leaves the network defenders with fewer possibilities of detecting the malicious activity.
CLoader: infection through malicious torrents
Cybercriminals seldom use malicious torrents to infect their targets. Nevertheless, it is an infection method that should not be ruled out, as evidenced by CLoader.
CLoader was discovered in April 2022. It used cracked games and software as bait to trick users into installing malware. The downloaded files were NSIS installers, containing malicious code in the installation script.
The malicious script: the parts in red indicate the malware download code
In total, we observed six different payloads that were downloaded:
- Microleaves malicious proxy: works as a proxy on the infected machine,
- Paybiz malicious proxy: works as a proxy on the infected machine,
- MediaCapital downloader: may install further malware in the system,
- CSDI downloader: may install further malware in the system,
- Hostwin64 downloader: may install further malware in the system,
- Inlog backdoor: installs the legitimate NetSupport application for remote access to the machine.
When we look at the victimology, we see that users all over the world are infected, but mostly in the US, Brazil, and India.
OnionPoison: infections through a fake TOR Browser
In August 2022, we discovered a campaign that had been running since at least January, focusing on Chinese-speaking users. A popular Chinese-language YouTube channel on online anonymity published a video with instructions for installing the Tor browser. That is hardly odd in itself, as the Tor browser is blocked in China. However, if the user clicks on the link in the description, an infected version of the Tor browser is downloaded.
The infected version is almost identical to the original, so that the user does not notice any difference. The difference from the benign version is:
- The installer lacks a digital signature;
- One of the DLLs that comes with the original version (freebl3.dll) is completely different, as it contains backdoored code;
- A new file is included (freebl.dll), which is the same as the original freebl3.dll;
- The Firefox binary that comes bundled with TOR differs by one byte from the original, namely one character in the URL used for updates. This way the attackers prevent the browser from updating itself;
- The browser configuration file is changed to provide less anonymity. For example, browsing history is now stored on disk.
The functionality of the backdoored Freebl3.dll is quite simple. It proxies all the functionality to the original DLL and also downloads an additional DLL from the C2.
The downloaded DLL contains most of the malicious functionality. Among other things, it is capable of:
- executing commands in the system,
- sending TOR browsing history to the C2,
- sending the victim’s WeChat and QQ account IDs to the C2.
AdvancedIPSpyware: backdoored and signed benign tool
Adding malicious code to benign software in order to hide illegal activity and trick the user is a technique we encounter more often. What we do not see that often is the backdoored binary being signed. This is precisely the case with AdvancedIPSpyware, which is a backdoored version of the legitimate Advanced IP Scanner tool used by network admins to control LANs. The certificate used to sign the malware is most likely stolen. The malware was hosted on two sites, whose domains were almost identical to the legitimate Advanced IP Scanner website, differing only by one character in the URL. Furthermore, the websites look the same. The only difference is the “free download” button on the malicious websites.
The legitimate vs malicious signed binary
Another uncommon feature of AdvancedIPSpyware is its architecture which is modular. Typically, a modular architecture is seen with nation state-sponsored, not with criminal malware. We observed the following three modules that communicate with one another via IPC:
- main module: updates or deletes itself, or spawns another instance,
- command execution module: typical spyware functionality, such as information gathering, command execution, etc.,
- network communication module: handles all network-related functionality (heartbeat messages, etc.).
The AdvancedIPSpyware campaign has a broad victimology. We have detected several victims in Latin America, Africa, Western Europe, South Asia, Australia, and the CIS. The overall count of victims infected over the course of the campaign is about 80.
Even though malicious actors rely on email as the primary infection vector, other methods should not be ruled out. Domain typosquatting and cracked software downloadable via torrents are just two of the alternative tricks that criminals use to lure victims into installing the malware on their systems.
Ransomware developers keep updating their malware. This time, BlackBasta added functionality that makes forensics and detection more difficult, as the malware can now propagate through the network itself.
If you want to stay up to date on the latest TTPs used by criminals or have questions about our private reports, please contact firstname.lastname@example.org.