Friday, October 4, 2019

Fudcrypt using H-Worm from WSH RAT


The Fudcrypt builder, like the WSH RAT builder, uses HWorm. The latest version of the builder, from the 24th of September, provides some interesting insight:
In the case of Fudcrypt, compared with WSH RAT, the HWorm payload (in VBS) is not included as a resource but is pulled from a remote URL. This payload is then obfuscated with a routine. The code of the routine is below:
The interesting part is that the plain text payload (HWorm) contains "live:unknown.sales64". Unknown.sales64 is the actor behind WSH RAT, and this Skype ID is always in the header of the HWorm, both in the VBS and the JS versions.
The User-Agent is also "WSHRAT".

In terms of code and functionality, the HWorm used by Fudcrypt is not the latest version used in WSH RAT. It is possible that the Fudcrypt actors don't have access to the latest version of WSH RAT, where the newer code is used.
With Fudcrypt it is also possible to 'crypt' Java files. In order to do that, the builder contains the full Java JRE environment:
The code that creates and 'crypts' the Java payload works in a similar way to the VBS one.
Monday, September 2, 2019

WSH RAT and the link to unknowcrypter and Fudcrypt

There are plenty of malspam campaigns using the SWIFT code "MT103" to claim some kind of payment.
However, there was recently one in particular, using malicious JavaScript as an attachment, that is quite interesting. Some samples of the campaign can be found here and here.

The payload in those campaigns delivered the malware "WSH RAT". This malware family is quite new; however, the actor behind it is not new at all, but is linked to some other crypter services mentioned in this blog.
Analysis of the code - overlap with Unknowncrypter and Fudcrypt

While analysing the sample here, I found several interesting points, which I detail below.

The obfuscation mechanism used is very similar, in terms of the 'algorithm' and the base64 encoding, to the one used in Unknowcrypter and Fudcrypt.
The final decoded payload leads to some interesting indicators.
This code is similar to Vjw0rm, which is used by Unknowcrypter. Also, the host "unknownsoft.duckdns[.]org" was used by Unknowcrypter at some point.
But the most interesting aspect is the Skype ID "unknown.sales64".
The Skype ID is linked to the domain http[:]//www.wshsoftware[.]site, where WSH RAT is sold.
The capabilities of this RAT are described on the website:
A full video of the capabilities of this RAT is also linked on the main website:

https://youtu.be/rdG16vk9qNQ

According to the video and some screenshots, the malicious payload can be generated in VBS and JS.
Unknowcrypter generates JavaScript code while Fudcrypt generates VBS code; however, the code was in essence the same in both cases, as shown in the post here.

The domain wshsoftware[.]site has been registered with the email address stonexevans@gmail[.]com.


This same email address was used to register the domain "fudcrypt[.]com", which was used to sell the Fudcrypt service at some point.
So "WSH RAT", "unknowcrypter" and "Fudcrypt" are linked to each other.
In the next blog post I will dig into the code and capabilities of the malware.

Sunday, February 3, 2019

Unknowncrypter, the crypter twin of Fudcrypt: another Crypter-as-a-Service for Java and JS

Last week I wrote about a Crypter-as-a-Service named Fudcrypt which obfuscates Java RATs in VBS scripts. However, this is not the only service being used by threat actors to deliver encrypted Java RATs.

A few days ago there was a new post, "The Story of Manuel’s Java RAT", which basically linked two different campaigns using the same JRAT malware. In one of the campaigns there were JAR files attached to the emails, whereas in the other campaign the attachments were JS (JavaScript) files dropping a JAR file. The JS campaign is the interesting part, as this is linked to a Crypter-as-a-Service named Unknowcrypter.

Unknowcrypter and Fudcrypt are strongly linked: either the actor creating both services is the same, or they are working together.

Unknowncrypter is announced in several underground forums as a crypter for Java and JS. There are even some YouTube videos on how to use the crypter.
In order to use the service and encrypt Java/JS files, it is necessary to use a Windows application and a valid account.
The sample from the campaign "The Story of Manuel’s Java RAT", 5b7192be8956a0a6972cd493349fe2c58bc64529aa1f62b9f0e2eaebe65829be, is the perfect candidate to be dissected.

Looking at the JS code, the first interesting part is the "obfuscation" function for the payload.
The variable hp_pavilion is the final payload, which is base64 encoded.

It basically uses the same substitution mechanism as Fudcrypt, but written in JS instead of VBS and using different characters and strings.

Below is the code snippet from Fudcrypt:
After decoding the payload stored in hp_pavilion, there is again another round of base64 encoded strings, which are stored in LongText1 and LongText.
LongText1 is just base64 encoded, and the output is a JS script which I will analyse later.
LongText is the malicious payload, the Java RAT, which is base64 encoded, but some characters need to be swapped before decoding, in this case "#@>" with "A".

This is the exact same behaviour as in Fudcrypt:
Then, the script checks whether the Java Runtime Environment is installed. If not, it is downloaded from hxxp://www.thegoldfingerinc[.]com/images/jre.zip
Fudcrypt does exactly the same, and in the same manner. See the code from Fudcrypt:
Lastly, the Java RAT is made persistent via the registry key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr", which is exactly the same registry key name used by Fudcrypt.
The remaining part is the script linked to LongText1. This script, after deobfuscation, leads to a JS script which is a worm named vjw0rm.
Although this code is not used, it has C2 capabilities.
To summarise: unknowncrypter and fudcrypter are the same crypter service, but using two different scripting languages as output for the obfuscation. The only difference is the C2 capabilities, which are provided by two different pieces of malware, one for JS while the other is for VBS.
The analysis of the Java RAT payload, which is Adwind, is here.
Sunday, January 27, 2019

Fudcrypt: the service to crypt Java RAT through VBS scripts and Houdini malware

The existence of services to encrypt and obfuscate malware in order to avoid antivirus detection is nothing new at all. In this blog I wrote about a couple of services, qthelegend and qrypter, that obfuscate Java RATs like Adwind.

A few weeks back there was an interesting campaign against some financial institutions using a Java RAT and some VBS scripts. It turned out that this campaign used a crypt service named fudcrypt. This service is announced in several underground forums as a "fully undetected crypt" service and used to have a website where it could be bought for a few dollars.
There are even some YouTube videos on how to encrypt files with this crypt service, for example here.
The author of this malware claims that he is able to install the Java JRE on victims that do not have Java installed, so the JAR payload can be executed.
Although the main website fudcrypt[.]com is no longer active, the service can still be bought via some underground forums.

In order to use the service and obfuscate the payload, the author provides a Windows application. This application checks for a valid license:
As mentioned before, Fudcrypt is still active as a service and some actors are using it, so I'm going to analyse how it works with a recent sample, ef9c50fd15493937d5ee3366a58e41cd3ca1d9fb386fe578aea700c8f54f0f1a. This sample was detected only by a few AV engines when it was analysed three days ago:
The file is a VBS script of 929K, and it has a variable named "pillow" which is the payload.
The payload is base64 encoded, but according to some functions in the code, some characters need to be swapped before decoding: "#(" with "m".

The base64 decoded payload is another VBS script, which I've uploaded here.

This script contains two other base64 encoded payloads, stored in two variables: longText1 and longText.
Both of them are base64 encoded; however, for the second one it is necessary (again) to swap some characters:
It turns out that the second base64 encoded variable is a binary JAR file, which in essence is the final Java RAT payload. The JAR file is stored in %appdata% as ntfsmgr.jar. A copy of the file is here and a dynamic analysis is here. In essence, the payload is Adwind malware and the C2 is jsbc-pcs.linkpc[.]net:1604
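The two-layer unpacking described here, and in the Unknowncrypter post above (put the swapped marker back, base64-decode, pull out longText1/longText, decode again and identify what came out), as an added Python example; this is not code from the original post or from the samples. The blobs are constructed stand-ins, and since the post does not give Fudcrypt's inner swap pair, the Unknowncrypter pair ("#@>" for "A") is assumed for the inner layer.

```python
import base64
import re

# Swap pairs the posts describe: the crypter replaces a base64 substring with a
# marker and the dropper puts it back before decoding.
FUDCRYPT_SWAP = ("#(", "m")   # Fudcrypt "pillow" layer: "#(" stands for "m"
UNKNOWN_SWAP = ("#@>", "A")   # Unknowncrypter "LongText" layer: "#@>" stands for "A"

# Constructed stand-in for a real sample (not bytes from the posts): a fake JAR
# that is only the ZIP magic plus filler, and a one-line stub script stage.
FAKE_JAR = b"PK\x03\x04" + b"\x00" * 12
STUB_SCRIPT = b"' constructed stub of the embedded script stage\r\n"
SECOND_STAGE = 'longText1 = "%s"\r\nlongText = "%s"\r\n' % (
    base64.b64encode(STUB_SCRIPT).decode(),
    base64.b64encode(FAKE_JAR).decode().replace(*reversed(UNKNOWN_SWAP)),
)
PILLOW = base64.b64encode(SECOND_STAGE.encode()).decode().replace(*reversed(FUDCRYPT_SWAP))

VAR_RE = re.compile(r'\b(longText1?)\s*=\s*"([^"]*)"', re.IGNORECASE)

def decode_layer(blob, swap=None):
    """Undo the marker substitution (if any), then base64-decode, tolerating missing padding."""
    if swap:
        blob = blob.replace(swap[0], swap[1])
    blob = blob.strip()
    return base64.b64decode(blob + "=" * (-len(blob) % 4))

def classify(payload):
    """Rough type of a decoded stage: JAR (ZIP magic), ASCII script text, or unknown."""
    if payload.startswith(b"PK\x03\x04"):
        return "jar"
    return "script" if payload.isascii() else "unknown"

def extract_vars(stage):
    """Collect the longText / longText1 string literals from a decoded stage."""
    return dict(VAR_RE.findall(stage))

def unpack(outer_blob):
    """Walk both layers: outer swap+base64, then each embedded variable; return name -> type."""
    stage = decode_layer(outer_blob, FUDCRYPT_SWAP).decode("ascii")
    result = {"outer": classify(stage.encode())}
    for name, value in extract_vars(stage).items():
        swap = UNKNOWN_SWAP if name.lower() == "longtext" else None
        result[name] = classify(decode_layer(value, swap))
    return result

if __name__ == "__main__":
    print(unpack(PILLOW))  # {'outer': 'script', 'longText1': 'script', 'longText': 'jar'}
```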
The code checks via some registry keys whether Java is already installed. If it is not installed, a copy is downloaded from this URL: hxxp://www.thegoldfingerinc[.]com/images/jre.zip
Then, the downloaded Java is installed, and persistence to run the Java RAT is pushed via the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run
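A defender-side check for the persistence described here and in the Unknowncrypter post (a Run value named ntfsmgr launching a JAR from %appdata%), as an added Python example rather than anything from the post. The Run-key reading via winreg only works on Windows; the entries in the usage example are constructed.

```python
import re

# Indicators the posts give: the Run value name "ntfsmgr" and a JAR dropped in %appdata%.
SUSPECT_NAME = "ntfsmgr"
JAR_FROM_APPDATA = re.compile(r'(%appdata%|\\appdata\\roaming\\)[^\s"]*\.jar', re.IGNORECASE)

def flag_run_entries(entries):
    """Return (value_name, command, reason) for Run entries matching the indicators.

    `entries` maps a Run value name to its command string.
    """
    hits = []
    for name, cmd in entries.items():
        reasons = []
        if name.lower() == SUSPECT_NAME:
            reasons.append("value name is ntfsmgr")
        if JAR_FROM_APPDATA.search(cmd):
            reasons.append("launches a .jar from %appdata%")
        if reasons:
            hits.append((name, cmd, "; ".join(reasons)))
    return hits

def collect_hkcu_run():
    """Read HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run; empty dict off Windows."""
    try:
        import winreg
    except ImportError:
        return {}
    entries = {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries[name] = str(value)
            index += 1
    return entries

if __name__ == "__main__":
    # Constructed entries, not from a real host; on Windows use collect_hkcu_run() instead.
    sample = {
        "ntfsmgr": r'"C:\Program Files\Java\bin\javaw.exe" -jar "C:\Users\u\AppData\Roaming\ntfsmgr.jar"',
        "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    }
    for hit in flag_run_entries(sample):
        print(hit)
```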
There is still one remaining script which I have not analysed yet: the one stored in longText1. This script again has a base64 encoded payload, which leads to another VBS script. Copies of both VBS scripts are here and here.

Looking at the last deobfuscated VBS script, the beginning of the script matches the Houdini malware. Also, the C2 pm2bitcoin[.]com is well known; however, this C2 is not the one used, which is goz.kingdaddy[.]pw.
The domain goz.kingdaddy[.]pw is not active, but was registered a few days ago.
A good analysis of how the Houdini malware works was done 5 years ago by FireEye/Mandiant here.

In essence, this crypt service is using some already known malware, Houdini. Although the final JAR payload is in the initial obfuscated VBS, it would also be possible for a payload to be pushed via the Houdini VBS script through the C2.
Wednesday, December 27, 2017

Qrypter Java RAT using Tor

Since the 16th of December, almost on a daily basis, I'm seeing a particular family of Java Remote Access Trojan using Tor.
The samples I looked at are rarely detected by AV.
The malware communicates via a Tor proxy with the malware developers' website https://vvrhhhnaijyj6s2m.onion.top/
Qrypter seems to be the name of the product, which is developed by a company named "QUAverse Research & Development 2017".

One of the features, according to the developers, is its low detection rate. And indeed this is true :)
There is some recent information about "Qrypter" on Twitter from a researcher (https://twitter.com/rcherj/status/940252259363016704) and a post from another company, Certego (http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/).
That information links Qrypter to the Qarallax / Quaverse RAT. Quaverse is actually the company behind QRypter. According to Malpedia, QRat / QRallax RAT has been in the wild since 2015.
There is some information about this QRat/Qarallax/Quaverse in several presentations and posts:
In some other tweets, some analysts link the same behaviour of Qrypter and Adwind JRat.
Actually, doing the analysis of the malware, I can see behaviour similar to Adwind.
(I wrote a bit about how to detect Adwind here.)
The samples I took are heavily obfuscated with several layers of embedded JAR files, which is reminiscent of the analysis done by Malwarebytes and of this post.

Actually, after some analysis of the files, I ended up with the same MANIFEST.MF pointing to a Main-Class operationl.JRat, which matches Adwind.
And with a bit of further analysis, I ended up with the same kind of configuration used by Adwind.
So in essence, this Qrypter looks like Adwind with some additional encryption layers.

By the way, another good analysis of this Adwind malware can be found in this post.
Let's continue by taking a look at the specific campaign seen since the 16th of December.

The first sample I detected, which can be found here https://www.virustotal.com/#/file/7e33381a99928f7b346dd613e5712923b6816d1da69b43cf4f12c2d313ed2903/detection, already used the domain vvrhhhnaijyj6s2m.onion.top.
The last one detected at the time of this writing, https://www.virustotal.com/#/file/b68eb3096328fa3bfabbeb7a178ea7075539e15ef19fbc65ab3e89f980c60967/detection, also used the same domain.
According to PassiveTotal, that domain has been active since the 30th of November 2017.
The first malicious samples under that domain existed from the 5th of December.
This was not the only domain used by Qrypter; some other onion domains existed:

https://vvrhhhnaijyj6s2m.onion.rip/ - active since the 1st of December 2017
https://vvrhhhnaijyj6s2m.onion.to/ - active since the 11th of September 2017

And there are some others which look very fresh:

https://buzw55o32jgyznev.onion.link
https://buzw55o32jgyznev.onion.to/

Qrypter uses a tool to control the installed plugins: Qcontroller. This tool also uses Tor to connect to the developers' website.
Several plugins can be used:
The QRypter product seems like the evolution of, or another version of, Qarallax/Quaverse. Besides the obfuscation and the connection via Tor to the developers' website to install additional plugins, there is not much innovation in this Java RAT.