Research of this malware family began when I found a malicious task starting powershell code directly from a registry key within our user base. I wasn’t expecting the surprise I’d arrived at when I began tracking its origins. Living in a smaller country, Czech Republic, it is a rare sight to see someone exclusively targeting the local
Czech/Slovak audience. The threat actor seems to have been creating malware
since 2015 and appears to be from Slovakia. The bad actor’s repertoire contains a few
RATs, some packers for
cryptominers and, almost obligatorily,
ransomware, and I have named the malware family
Certishell. This person’s malware is spread with illegal copies of songs and movies and with alleged cracks and keygens of games and common tools (
Microsoft Office) that were hosted on one of the most popular Czech and Slovak file-sharing services
The Ceritshell family can be split into three different parts.
- RAT with a C&C server
sivpici.php5[.]sk(Czech/Slovak slang for “you are fucked up”), which has AutoIT, C++ and Go versions.
- Miner downloaded from hacked websites and started with the script
que.vbsfrom the task.
- Miner or ransomware downloaded from hacked websites and launched from a powershell command hidden in registry keys. The command from the registry key is started with the task from the picture above.
The map above shows the risk ratio of users around who were at risk of encountering one of the malware families
The oldest part of the family is a simple RAT with
sivpici.php5[.]sk as the C&C server. It places all the needed files in the folder
.win inside of the user folder.
The malware installer comes disguised as one of the following:
- Cracked software, such as
- Fraud apps, like
SteamCDKeysthat share Steam keys,
- Music CD unpackers with names like
Heslo.exe(Heslo means password in Czech/Slovak) that come with a password protected archive with music files.
The malicious executable downloads an executable named UnRAR.exe and a malicious archive that contains a simple RAT written in C++, AutoIT or Go.
Every executable installing this malware family contains a script similar to the one in the following picture optionally with
curl.exe. This script usually shows the password to archive or start another application. The malicious part downloads a legitimate RAR extractor
UnRAR.exe and a malicious archive that can be password protected and unpacks it into the
%UserProfile%\.win\ folder. In the end it registers one of the unpacked files as a service, starts it and allows one of the binaries in the firewall.
I found six different methods used to pack the script into executable binary:
- Quick Batch File Compiler
- Compiled AutoIT version
- Compiled AutoIT version with obfuscated script
- Compiled AutoIT version with obfuscated script and packed with PELock
- Compiled AutoIT version with obfuscated script packed with VMProtect
There are three main variants of this RAT. All of them use the same C&C
sivpici.php5[.]sk and similar communication protocol. The most advanced is a compiled AutoIT script. This script comes in 10 different main versions. The second one is written in C++ and we found only one main version and the last one is written in Go also with one main version.
The first time it is run, it generates a random alphanumeric string that works as an identificator for the C&C. This identificator is saved into file gen.gen for next start. The communication uses the HTTP protocol. Infected machines send the following back the C&C:
os= content of
uniq= generated identifier, saved in
GET method to
After a random period of time, the malware starts asking for commands using the
GET method with the parameter
uniq. The response is a number that has fixed meanings throughout all the versions. Commands “1” – “7” are implemented as follows:
- The RAT downloads a URL from
uniq, from this URL it downloads a file,
packed.rar, then the RAT starts
run.batfrom the installation phase to UnRaR the package to the
\.win\Lambdafolder and restart the RAT. This allows the RAT to update itself and also download any other file necessary.
- Create a screenshot and send it with the
POSTmethod to the
- Send all file names from all drives to
- DDoS attack to a chosen IP through
- Get a list of all installed apps from
saves it to
/.win/installed.txtand send them to
- Get a list of all running processes, save it to
/.win/processes.txtand send them to
- Collect log from keylogger, save it to
\.win\log.txtand send it to
The RAT in the form of compiled AutoIT script has the name
There is a comparison of different versions (versioning by the author of the RAT) in the following table.
|debugging||1||Command 2 opens a message box with text 222222|
|4||1 – 3||Registration of PC happens only once on
|6||1 – 4||Opens
|7||1 – 5|
|8||1 – 7||Keylogger starts with the start of the RAT.|
|9||1 – 7||Keylogger has colored output.|
|10||1 – 7||Keylogger is separate executable (
The keylogger in versions eight and nine is copied from the official AutoIT documentation (with a few small changes) https://www.autoitscript.com/autoit3/docs/libfunctions/_WinAPI_SetWindowsHookEx.htm
The C++ RAT is named
dwms.exe. It uses LibCURL to communicate with the C&C. The communication protocol is the same. The
uniq identifier is saved in the
fr.fr file instead of
gen.gen for the AutoIT version, it also starts communication by accessing
connect.php instead of
I’ve managed to find a debugging version that only has the first command implemented and returns only “Command 2” and “Command 3” to the standard output for the second and third command. After every command it answers the C&C by sending
verzia (“version” in English) with GET method to
The “production” version is labeled as version A. The code is divided into two functions:
LLLoaddownloads the URL address of the C&C server from the pastebin and tests it by downloading
RRRunthat contains the first two commands as described above. It also uses
To download newer versions it uses curl called from the command line.
Another difference is that screenshots taken are sent via FTP to a different domain:
with the username
sivpici and password
The RAT written in Go only has the first command implemented, but it downloads
/cnct/ad.txt and it opens URLs contained on victims computer, thus we speculate it could also work as adware.
IECache, bitly, pastebin (2016-2018)
The installation of this coinminer is similar to the RAT in the previous section. Installations use the same folder and the scripts have the same name. It usually comes as an unpacker of illegal copies of music and movies downloaded from
uloz.to. It uses powershell to download and execute scripts from a bit.ly shortened address. The final stage is coinminer
IECache.exe, which is usually XMRig.
There is a huge variety of programs that download bit.ly-shortened Czech and Slovak sites and execute them. These programs include: GTA SA crack, Mafia, Microsoft Office, Sims, Lego Star Wars, and unpackers for music and movies. These programs usually print a message to the victim and run a malicious script in a hidden window.
The unpackers use UnRAR to unpack the archive and show the victim the password of that archive.
The cracks on the other hand just show an error message.
All the installation files execute the following command with some bitly shortened site:
There are VBA scripts calling it, basic programs possibly written in C, .Net, AutoIT scripts, Golang programs, Rust programs, Redlang programs, different packers of python and batches, some of them use UPX, MPRESS, VMprotect and PELock.
There are at least two new scripts created by the script from the site hidden behind the
bit.ly shortened URL,
The script also creates one of two services named
Winservice that start
que.vbs. Que.vbs only starts
run.bat which downloads
whats.txt contains a script downloading and starting coinminer
In this case the pastebin contains two lines (the second line is splitted for better readability)
The miner is saved as
The first miner (from June, 2018) is just XMRig that includes all command line options inside the binary.
Most of the miners of this type I found are packed with
The more interesting one (from Jun-Jul 2018) is a compiled AutoIT script packed with
VMProtect. Here again, we see that author speaks Slovak:
This script contains the XMRig as (in some cases LZMA compressed) Base64 encoded string inside a variable. The miner is decoded and started in memory.
In some versions, the script checks user activity and it starts different miners with different options to maximize profit with lower risk of being caught.
Newer samples (Since August, 2018) use sRDI or XOR encryption in memory and injection to a suspended process to hide from antivirus software.
Sourceforge and Github
Some of the samples used Sourceforge and Github to download malicious content, instead of small, possibly hacked websites.
It downloaded content from a repository WEB of user W33v3ly on Github and from user Dieworld on Sourceforge. On Github, the attacker once made a mistake and pushed
TestDLL.bin to the wrong repository.
Systemcall.exe is a PE file without “MZ” in the beginning and
Test.dll contains some random bytes before the PE file. The dll contains XMRig encrypted with TEA and the
Systemcall.exe uses sRDI to load and run the Test.dll.
This small application written in .Net shows some hacked Steam accounts.
The malicious part downloads and installs the following scripts and downloads UnRAR and
Install.vbs creates a task named WinD2 that starts
inv.vbs upon every PC startup.
runner.bat, which starts
%temp%/Microsoft/NisSrve.exe that is unpacked from
Free bet tips
Betters are also targeted. We found a malicious file with the following readme file:
The binary included only starts a cmd with the script as an argument.
All from registry keys since 2018
After 2018, I observed an updated version of the malware family. There is no need for any script file if you can have a command as a scheduled task and save enough data into registry keys.
The infection vector is the same as in the previous case. The victim downloads and runs an executable that downloads a powershell script from a hacked website whose URL is shortened with bit.ly. This time the script is different, it creates the following task:
This task reads the value of the registry key
Shell placed in
HKLM\Software\a and executes its content. The script also creates the Registry key.
Let’s focus on the value of the registry key
Shell. In the following picture you will find the value I found on an infected machine.
After decoding and decompression we get an obfuscated script:
Under two layers of string formatting and replacing we get another compressed base64 encoded script:
Inside the base64 string is malicious code that tests the connection and executes code directly from the internet.
In total, I found about 40 different values of the
Shell key in the wild that contain similar code with different URLs and they are obfuscated in the same way or less.
Some of the pastebins were alive. For example, one of them contains the following scripts that sends information about graphic cards to the C&C server, which can decide what to install on an infected computer. I have not found any C&C server alive.
Another final stage that runs from the registry keys is ransomware Athos.exe. At first it checks some tactics from https://blog.sevagas.com/IMG/pdf/BypassAVDynamics.pdf to check if it runs in the sandbox. On the sixth start it injects ransomware into another process that gets the id and encryption key from the web page
googleprovider[.]ru. Then it encrypts all the files with AES-CFB and shows the following message saved on imgur (
We also found AutoIT ransomware King Ouroboros translated to Slovak. The malware was edited to use Windows users’ GUID as encryption key and to download additional content from a different server than the original King Ouroboros.
Most of the methods described in this article are not new, in some cases I was able to find their source. The most interesting method is hiding the powershell script to the registry keys.
As I found out, the author is a Slovak speaker, this corresponds with the fact that the infected files were published only on Uloz.to, therefore the victims are only from the Czech Republic and Slovakia.
The variation of the final payload is huge. I found three different RATs, a few different packers of coinminers and ransomware that were created by the author and many more that were “available” on the internet. The initial installer, which function was to call only one command, was also created with a huge variety of tools, some of them quite obscure.
To protect against this type of threat, it is enough to download software only from trustworthy sources and use security software, like Avast Antivirus, which will act as a safety net in case you should come across a threat.
Indicators of Compromise (IoC)
- Repository: https://github.com/avast/ioc/tree/master/Certishell
- List of SHA-256: https://github.com/avast/ioc/blob/master/Certishell/samples.sha256
- URI: https://github.com/avast/ioc/blob/master/Certishell/network.txt