X-Industry

NYANxCAT is a prolific hacker who programs new pieces and versions of malware, shares it widely, and records blackhat hacker educational YouTube videos which has over 150,000 views.  He uses GitHub repository, sells his hacker tools and services using PayPal and Bitcoin.  In this report, we discuss some of the samples of NYANXCat malware, his business models, and possible Kuwaiti identity.

NYANxCAT Hacker Profile

Name:         possible name: Hmoud [Humooud] Meshal Aljraid [Al-Jerid].

                  Possible name in Arabic: حمود الجريّد.

Location:     Likely location: Kuwait.

possible location: ST 58 HOUSE# 8, Jahra, Kuwait

Aliases:       NYANxCAT, NYAN-x-CAT, NYAN_x_CAT, NYAN CAT, nyancat, NC, humooud.m, HumoudMJ, hmj_7, bomish3l.

Email:         humooud.m@gmail.com, NYANxCAT@protonmail.com, NYANxCAT@pm.me

Profiles:       github[.]com/NYAN-x-CAT “NYAN CAT”.

twitter[.]com/NYAN_x_CAT “n”, joined June 2016, posts starting July 2019.

twitter[.]com/HumoudMJ, joined December 2009.

Google ID: 106720573170316530671.

youtube[.]com/c/NYANCATx/about, started in Nov 20, 2018.

youtube[.]com/c/Bomish3l/, active 2013-2017.

pastebin[.]com/u/NYANxCAT PRO account started January 2018.

sellix[.]io/NYANxCAT.

Discord: NYANxCAT#0662 (Lime Server: 388 members).

Bitcoin:        12DaUTCemhDEzNw7cAFg9FndzcWkYZt6C8, 1jVe7d8GQB8z2ZqK6U8SCYAgeCJuYxaFo.

Hacker forums: hackforums[.]net, cracked[.]to.

Programming languages: C#, Visual Basic .NET, JavaScript

Programmed:        LimeCrypter, VBS-Shell, Bitcoin Address Grabber v0.3.5, Lime-Miner, Lime-Dropper-1, Dropless-Malware v0.1,  Csharp-Loader, Anti Analysis v0.2,                                                                     Disable Windows Defender v1.1.

Edited/improved:   Revenge-RAT v0.3, Neshta 1.0.

Languages:          English, Arabic.

Details

NYANxCAT Possible Identity

NYANxCAT stays under the radar for Google/Youtube, PayPal, Github and other services, as he claims his blackhat hacking videos, tools, and malware are only “for educational purposes.”  At the same time, NYANxCAT hides his real-life identity behind aliases.  During his recent hacker career, he was also using semi-private tools such as Protonmail for communication and Bitcoin for donations and payments.  Despite these measures, Red Sky Alliance analysts were able to analyze NYANxCAT’s communications and identify a possible hint to his real identity:

Figure 2. NYANxCAT hacking video and a PayPal donation link

Some of the NYANxCat’s hacking videos had a Paypal donation link given via an URL shortener: bit[.]ly/2B07Jaa (Figure 2).[1]  This link is connected to Paypal hosted button id UEAXKSXDFJ2X6 and exposes email address humooud.m@gmail.com (Figure 3).

Figure 3. NYANxCAT linked PayPal page exposes his personal Gmail address

Analysis of the past uses of humooud.m@gmail.com shows that this email was used in 2017 to register domain odin-samsung[.]com. These records expose possible NYANxCAT identity as Hmoud Aljraid and his possible address in Jahra, Kuwait (Table 1).

Table 1. WHOIS historic record includes NYANxCAT’s email address

Note that “Humooud” and “Hmoud” are likely the same Arabic name that could be written in English in more than two ways.

Additional research on humooud.m@gmail.com reveals that it is connected to Google User ID 106720573170316530671. That is listed as Humoud Meshal and is active leaving Google reviews in the vicinity of Kuwait City in the last 3 years, and Sri Lanka 6 years ago (Figure 4).[2]

Figure 4. Humoud Meshal’s locations in Kuwait and Sri Lanka

Kuwaiti location matches cases when NYANxCAT actually put Kuwait as his country on his accounts (e.g. Github).[3]  Past Sri Lankan location matches the nature of his past domain registration activity (Table 1).  Most of NYANxCAT persona content is in English, but he is still able to have a conversation in Arabic as could be seen in some of his Youtube threads (Figure 5).

Figure 5. NYANxCAT is proficient in Arabic, Youtube comments

The search for Humoud Meshal’s user picture reveals connection to technical Arabic blog bomish3l[.]com.  This blog references additional Youtube “Bomish3l” and Twitter @HumoudMJ accounts (Figure 6).

Figure 6. Humoud’s photo on Twitter (left) and on his autotranslated blog (right)

Humoud’s Twitter account, @HumoudMJ follows a number of exploit-related accounts.   He lists his name in Arabic, that autotranslates as Hammoud Al-Jerid which matches the historic WHOIS record (Table 1).

Humoud’s Youtube account had videos on a couple of topics including Android and hacking, e.g. video, “Hacking devices in wireless networks using your Android phone”.[4]  It is interesting that that YouTube account was posting videos since 2013, last one was in 2017.  But in 2018, we see another YouTube channel becoming active: NYANxCAT.[5]

Humoud Meshal aka Humoud Aljraid uses aliases like HumoudMJ or hmj_7, so it is logical that Meshal is his middle name (M), while Aljraid/Al Jerid is his last [J].[6]

As NYAnxCAT and Humoud accounts are connected via the used PayPal and Gmail accounts, Kuwaiti location, hacking interest, and language capabilities, we assess with medium confidence that Humoud is the real NYANxCAT identity (see The NYANxCAT Hacker Profile above).

From Donations to Services

NYANxCAT was trying to monetize his notoriety in various ways.  He would often include donation links into his source code and educational videos – often it was his Bitcoin addresses, sometimes PayPal donation link (see above, Figure 2,3).

Figure 7. NYANxCAT hacker shop at Sellix as of July 2020

NYANxCAT created a personal shop page at Sellix.  Earlier this year, he was selling three items: his C# hacking tools and malware coding services, his hacker tool Lime Crypter, and his malware Mass Logger (Figure 7).  Later in October 2020, NYANxCAT removed the offer of the programming services, leaving the malware and the hacking tool for sale.

NYANxCAT Samples

We analyze various malicious samples associated with NYANxCAT – mostly recent ones from September 2020. These samples cover different stages of malicious attacks, some of them are source code and crypters used for weaponization – preparation of the attack.  Some are the delivery mechanism for later stage malware.  Others are installation artifacts. See the brief description below and the Indicators table attached. We also included some personal strings: emails, cryptocurrency addresses, aliases.  Those are useful for the profile building, but they are also helping find new samples in the wild as they often have strings with NYANcCAT aliases or his Github page. When listing indicators, we do not include “NYAN CAT” alias as it brings some true positives, but also bring many false positive as it was an original popular meme name that was adopted by this hacker.

LimeCrypter

NYANxCAT programmed and is promoting and distributing his hacker tool called LimeCrypter (also Lime-Crypter).  One of the latest LimeCrypter version seen in the wild is 2.0.7552.41963, executable sample hash:

f55a23559bb981f9a054297b003293b890b8caa2b7abccef9464b817787352a6.[7]

This hacker tool calls to NYANxCAT hidden paste on Pastebin for the list of recent upgrades and added features.  It claims a first release date of 18 July 2020, and the last update as of this writing, 8 October 2020.[8]  NyanxCAT Github shows that he was working on the LimeCrypter since at least August 2019, possibly since 2018.[9]

Figure 8. NYANxCAT’s Youtube video shows LimeCrypter made a malware undetectable

Since August 2020, NYANxCAT posted four videos explaining and promoting this hacker tool, showcasing how it helps to avoid antivirus detections (Figure 8).[10]

RATs

AsyncRAT by NYANxCAT can often be seen among samples in the wild.  Executable sample hash:

22096a0846ab1399647bb2cc5596c649fa6508d2bd09db05476b27acd9d4eea2.[11] Async RAT can be detected using Yara rule win_asyncrat by Johannes Bader @viql.[12]

Archived sample containing another NYANxCAT-related RAT, Revenge-RAT v3, could be found using the following hash: 2cf26e5fe9f31386d57170cc51ec46d6e4b73e4760826d65ca1a7afc8c82acc2.[13]

Downloaders

A few small NYANxCAT related samples in the wild represent various downloaders (droppers).  Those include JS Downloader, VBS Shell, and a number of unidentified droppers (see Indicators Table attached below).  A sample of JS Downloader code with payload URL could be found using this hash:

5747ad762067a8a6617d2a4362304c24e11b21d6deed2da2adb31b8d55a4607c.[14]

Miners

Some of the NYANxCAT-related malware has cryptomining capabilities.   One example is NYANxCAT-branded Lime Miner, executable sample hash:

74de28d70ee4bd414597561b696f865cb3c88fd3626161d36c423d35154e11a5.[15] Another example is a case of AsyncRAT.exe with Monero cryptocurrency mining capability (see Indicators below).

Modifications

It was also common for NYANxCAT to take an old piece of malicious code and to adapt/modify it for more malicious potential.  Examples are Revenge-RAT v0.3, Neshta 1.0 – modified and branded by NYANxCAT.[16]

Waiving Responsibility

NYANxCAT often includes a waiver that his code is not for malicious use. But examining samples of code signed by NYANxCAT we can see them dropping ransomware, backdoors, and other kind of malware.[17] Moreover, studying NYANxCAT videos confirms those are not just sandbox exercises, but involve actual victims.

Conclusion

NYANxCAT started his blackhat hacker career in at least 2018.  While he is not the most advanced, his opportunistic behavior and abuse of legitimate services such as YouTube and Github allows him to rapidly expand his criminal network and is negatively affecting the number of his victims.

Indicators

Download indicators in CSV format: IR-20-292-001_Hmoud Aljraid NYANxCAT.csv

Appendix A. Additional Imagery

Figure 9. Humoud’s Soundcloud Profile Picture

Serial: IR-20-292-001

Country: KW, US

Report Date: 20201018

Industries: All

--- 

Red Sky Alliance has been tracking hacker threats for the past 7 years.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.  

Red Sky Alliance can help protect with attacks such as these.  We provide both internal monitoring in tandem with RedXray notifications on ‘external’ threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.

https://www.wapacklabs.com/redxray

Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

• Reporting: https://www.redskyalliance.org/
• Website: https://www.wapacklabs.com/
• LinkedIn: https://www.linkedin.com/company/64265941 

[1] www.youtube[.]com/watch?v=N16d_zvIgTg

[2] google[.]com/maps/contrib/106720573170316530671/reviews/

[3] github[.]com/NYAN-x-CAT

[4] youtube[.]com/watch?v=30BV5U9OGv0, Jun 11, 2014.

[5] youtube[.]com/c/Bomish3l/videos

and youtube[.]com/c/NYANCATx/about

[6] soundcloud[.]com/hmj_7/

[7] virustotal[.]com/gui/file/f55a23559bb981f9a054297b003293b890b8caa2b7abccef9464b817787352a6/

[8] Pastebin[.]com/raw/WJD0PWxV

[9] github[.]com/NYAN-x-CAT/Lime-Crypter

[10] www[.]youtube[.]com/watch?v=_dYngLbXUno

[11] virustotal[.]com/gui/file/22096a0846ab1399647bb2cc5596c649fa6508d2bd09db05476b27acd9d4eea2/details

[12] virustotal[.]com/gui/file/504fc502fef2fceaae027edb0e037e4e39a0ee62ca9f15ab316c70e8d6e5b740/details

[13] virustotal[.]com/gui/file/2cf26e5fe9f31386d57170cc51ec46d6e4b73e4760826d65ca1a7afc8c82acc2/details

[14] virustotal[.]com/gui/file/5747ad762067a8a6617d2a4362304c24e11b21d6deed2da2adb31b8d55a4607c/content/strings

[15] virustotal[.]com/gui/file/74de28d70ee4bd414597561b696f865cb3c88fd3626161d36c423d35154e11a5/details

[16] virustotal[.]com/gui/file/e7eb31d13152158739d663eeabf2dfde8455deb4a4ffa0587e45676583e5f7e7/details

[17] 6450208e47c71ac8bfb8dc35e3c37fbeb01c02c021b162352fc8eb44e03af3e6

and virustotal[.]com/gui/url/922efd801fc095b488126248f7c55d3d897fc14376d4d22a48966427ee8a421a/detection

and 165749a5f359e0316396cddd2e461f14f11756b62f786561019de99ded742af1