A few weeks back there was an interesting campaign against some financial institutions using some Java RAT and some VBS scripts. It turned out that this campaign used some crypt service named fudcrypt. This service is announced in several underground forums as "fully undetected crypt" service and used to have a website where it could be bought for a few dollars.
The are even some youtube videos on how to encrypt files with this crypt service. For example here.
The author of this malware claims that he is able to install Java JRE in victims which do not have Java installed so the JAR payload can be executed.
Although the main website fudcrypt[.]com is not anymore active, the service can still be bought via some underground forums.
In order to use the service and to obfuscated the payload, the author provides a windows application. This application checks for a valid license
As mentioned before Fudcrypt is still active as a service and some actors are using it so I'm going to analyse how it works with a recent sample
ef9c50fd15493937d5ee3366a58e41cd3ca1d9fb386fe578aea700c8f54f0f1a. This sample was detected only by a few AV when it was analysed three days ago:
The file is a VBS script which it is 929K and it has a variable named "pillow" which it is the payload.
The payload is in base64 encoded, but according to some functions in the code there are some characters that need to be swapped before decoding. This is "#(" with "m".
The base64 decoded payload is another VBS script which I've uploaded here
This script contains two other base64 encoded payloads stored in two variables: longText1 and longText.
Both of them are base64 encoded, however for the second one it is necessary (again) to swapped some characters:
It turns out that the second base64 encoded variable is a binary JAR file, which in essence is the final Java Rat payload. The JAR file is stored in %appdata% as ntfsmgr.jar. A copy of the file is here and a dynamic analysis is here. In essence, the payload is Adwind malware and the C2 is in jsbc-pcs.linkpc[.]net:1604
The code checks via some registry keys if Java is already installed. If it is not installed, a copy is downloaded from this URL: hxxp://www.thegoldfingerinc[.]com/images/jre.zip
Then, the dowloaded java is installed and persistence to run the Java RAT is pushed via the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run
There is still one remaining script which I did not analyse yet. This is the one stored in longText1. This script again has a base64 encoded payload with leads to another VBS script. A copy of both VBS script are here and here
Looking at the last deobfuscate VBS script, the beginning of the script matches the Houdini Malware. Also the C2 pm2bitcoin[.]com is well known, however this C2 is not the one used, but goz.kingdaddy[.]pw.
The domain goz.kingdaddy[.]pw is not active but has been registered a few days ago
A good analysis on how the Houdini malware works was done 5 years ago by FireEye/Mandiant here.
In essence this crypt service is using some already known malware, Houdini, Although the final JAR payload is in the initial obfuscated VBS it would be possible that payload is pushed via the Houdini VBS script via the C2.
