Sunday, January 27, 2019

Fudcrypt: the service to crypt Java RAT through VBS scripts and Houdini malware

The existence of services to encrypt and obfuscate malware in order to avoid antivirus detection is nothing new at all. In this blog I wrote about a couple of services, qthelegend and qrypter, that obfuscate Java RATs like Adwind.

A few weeks back there was an interesting campaign against some financial institutions using some Java RAT and some VBS scripts. It turned out that this campaign used some crypt service named fudcrypt. This service is announced in several underground forums as "fully undetected crypt" service and used to have a website where it could be bought for a few dollars.

The are even some youtube videos on how to encrypt files with this crypt service. For example here
The author of this malware claims that he is able to install Java JRE in victims which do not have Java installed so the JAR payload can be executed.

Although the main website fudcrypt[.]com is not anymore active, the service can still be bought via some underground forums.

In order to use the service and to obfuscated the payload, the author provides a windows application. This application checks for a valid license


As mentioned before Fudcrypt is still active as a service and some actors are using it so I'm going to analyse how it works with a recent sample 
ef9c50fd15493937d5ee3366a58e41cd3ca1d9fb386fe578aea700c8f54f0f1a. This sample was detected only by a few AV when it was analysed three days ago:

The file is a VBS script which it is 929K and it has a variable named "pillow" which it is the payload.

The payload is in base64 encoded, but according to some functions in the code there are some characters that need to be swapped before decoding.  This is "#(" with "m".

The base64 decoded payload is another VBS script which I've uploaded here

This script contains two other base64 encoded payloads stored in two variables: longText1 and longText.

Both of them are base64 encoded, however for the second one it is necessary (again) to swapped some characters:

It turns out that the second base64 encoded variable is a binary JAR file, which in essence is the final Java Rat payload. The JAR file is stored in %appdata% as ntfsmgr.jar. A copy of the file is here and a dynamic analysis is here. In essence, the payload is Adwind malware and the C2 is in jsbc-pcs.linkpc[.]net:1604


The code checks via some registry keys if Java is already installed. If it is not installed, a copy is downloaded from this URL: hxxp://www.thegoldfingerinc[.]com/images/

Then, the dowloaded java is installed and persistence to run the Java RAT is pushed via the registry key  HKCU\Software\Microsoft\Windows\CurrentVersion\Run 

There is still one remaining script which I did not analyse yet. This is the one stored in longText1. This script again has a base64 encoded payload with leads to another VBS script. A copy of both VBS script are here and here

Looking at the last deobfuscate VBS script, the beginning of the script matches the Houdini Malware. Also the C2 pm2bitcoin[.]com is well known, however this C2 is not the one used, but goz.kingdaddy[.]pw. 

The domain goz.kingdaddy[.]pw is not active but has been registered a few days ago

A good analysis on how the Houdini malware works was done 5 years ago by FireEye/Mandiant here

In essence this crypt service is using some already known malware, Houdini, Although the final JAR payload is in the initial  obfuscated VBS  it would be possible that payload is pushed via the Houdini VBS script via the C2.