While analyzing one of the affiliate programs, Doctor Web's researchers discovered a unique piece of malware with clicker functionality and named it Trojan.ChimeraWire. This malware targets computers running Microsoft Windows and is based on the open-source projects zlsgo and Rod, which are used for automating websites and web applications.
Trojan.ChimeraWire allows cybercriminals to simulate user actions and boost a website's behavioral ranking factors, artificially improving its position in search engine results. To do this, the malicious app searches for the target Internet resources on Google and Bing, loads them, and imitates user activity by clicking links on the loaded sites. The Trojan performs all of its malicious actions in the Google Chrome web browser, which it downloads from a specific domain, launches in debug mode, and controls over the WebSocket protocol.[1]
Trojan.ChimeraWire infects computers via several malicious downloaders. These use various privilege-escalation techniques that exploit DLL Search Order Hijacking vulnerabilities, as well as anti-debugging techniques, to avoid detection. Doctor Web's anti-virus laboratory has tracked at least two infection chains involving these malicious programs. In one of them, the malicious script Python.Downloader.208 takes center stage. In the other, the centerpiece is Trojan.DownLoader48.61444, whose operating principle is similar to that of Python.Downloader.208; in fact, this downloader is an alternative to the malicious script. In this study, Doctor Web covers the features of Trojan.ChimeraWire and the malicious apps that deliver it to users' devices.
First infection chain
A scheme that illustrates the first infection chain
The first infection chain starts with Trojan.DownLoader48.54600. This malware verifies whether it is operating in an artificial environment and terminates if it detects signs of a virtual machine or debug mode. If no such signs exist, the Trojan downloads the ZIP archive python3.zip from the C2 server. It contains the malicious script Python.Downloader.208 along with some additional files that it needs to operate, e.g., the malicious library ISCSIEXE.dll (Trojan.Starter.8377). Trojan.DownLoader48.54600 extracts the archive and runs the script. The latter is the second infection stage and represents the downloader that receives the next stage from the C2 server.
Python.Downloader.208’s behavior depends on the rights it has when executed. If the script is running without administrator privileges, it tries to obtain them. For this, Trojan.Starter.8377 (extracted along with it) is copied to the directory %LOCALAPPDATA%\Microsoft\WindowsApps.
In addition, a script named runs.vbs is created that is later used to re-launch Python.Downloader.208.
Next, Python.Downloader.208 launches the system app %SystemRoot%\SysWOW64\iscsicpl.exe. Because a DLL Search Order Hijacking class vulnerability is present, it automatically loads the trojan library ISCSIEXE.dll, whose name matches that of a legitimate Windows component.
In turn, Trojan.Starter.8377 runs the VBS script runs.vbs, which then executes Python.Downloader.208 again, but already as administrator.
When executed with the necessary privileges, Python.Downloader.208 downloads the password-protected archive onedrive.zip from the C2 server. It contains the next infection stage, Trojan.DownLoader48.54318 (which comes as the library UpdateRingSettings.dll), and the additional files required for it to operate (for instance, the legitimate app OneDrivePatcher.exe, which is part of the OneDrive software bundled with Windows and has a valid digital signature).
After extracting the archive, Python.Downloader.208 creates a System Scheduler task for running the app OneDrivePatcher.exe at system boot. Next, it launches this program. Because it has a DLL Search Order Hijacking vulnerability, the app automatically loads the malicious library UpdateRingSettings.dll, whose name matches the name of the OneDrive software component.
Once Trojan.DownLoader48.54318 gains control, it checks whether it has been launched in an artificial environment. If it detects any sign that it is operating on a virtual machine or in debug mode, it terminates. If no such signs are detected, the Trojan library tries to download the payload from the C2 server, along with the keys for decrypting it.
The decrypted payload is a ZLIB container holding a shellcode and an executable file. After decrypting the container, Trojan.DownLoader48.54318 tries to unpack it. If it fails to do so, the Trojan deletes itself and terminates its active process. If the unpacking is successful, control is handed to the shellcode, whose task is to unzip the executable that comes with it. This file represents the final infection stage: the target Trojan.ChimeraWire.
Second infection chain - The second infection chain starts with the Trojan.DownLoader48.61444 malware. When launched, it verifies whether it has administrator rights and attempts to obtain them if it does not. The Trojan uses the Masquerade PEB technique to bypass security systems, disguising itself as the legitimate process explorer.exe.
Next, it patches the system library %SystemRoot%\System32\ATL.dll. To do so, Trojan.DownLoader48.61444 reads its contents, adds a decrypted bytecode to it along with the path to the trojan’s file, and then saves the modified copy as the file dropper in the same directory where it is located. After that, the Trojan initializes the COM model objects of the Windows Shell for the service %SystemRoot%\System32\wbem and the modified library. If this initialization is successful, Trojan.DownLoader48.61444 tries to obtain administrator rights by using the CMSTPLUA COM interface, exploiting a vulnerability that is typical for some old COM interfaces.
If successful, the modified library dropper is copied to the directory %SystemRoot%\System32\wbem as the file ATL.dll. After that, Trojan.DownLoader48.61444 launches the Windows Management Instrumentation console WmiMgmt.msc. As a result, a DLL Search Order Hijacking vulnerability is exploited in the system app mmc.exe, which automatically loads the patched library %SystemRoot%\System32\wbem\ATL.dll. In turn, this library launches Trojan.DownLoader48.61444 again, but this time with administrator rights.
A scheme illustrating Trojan.DownLoader48.61444’s operation when administrator rights are not available
When running as administrator, Trojan.DownLoader48.61444 executes several PowerShell scripts to download the payload from the C2 server. One of the downloaded objects is the ZIP archive one.zip. It contains duplicates of the files from the onedrive.zip archive in the first infection chain (in particular, the legitimate app OneDrivePatcher.exe and the malicious library UpdateRingSettings.dll, which is Trojan.DownLoader48.54318).
Trojan.DownLoader48.61444 extracts the archive and creates a System Scheduler task for running OneDrivePatcher.exe at system boot. The Trojan also launches this app. Just as in the first chain, a DLL Search Order Hijacking vulnerability is exploited in OneDrivePatcher.exe at launch, and the trojan library UpdateRingSettings.dll is automatically loaded. After that, the infection chain repeats the first scenario.
At the same time, Trojan.DownLoader48.61444 also downloads the second ZIP archive two.zip. It contains the malicious script Python.Downloader.208 (update.py) as well as the files necessary for its execution. Among them is Guardian.exe, a renamed version of pythonw.exe, the Python console interpreter.
After extracting the archive, Trojan.DownLoader48.61444 creates a System Scheduler task for launching Guardian.exe at system boot. Moreover, it directly executes the malicious script Python.Downloader.208 through this app.
By partially duplicating the first infection chain, threat actors apparently sought to increase the likelihood of successfully downloading the Trojan.ChimeraWire onto target systems.
A scheme illustrating Trojan.DownLoader48.61444 operating with administrator rights
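Both chains leave the same kind of on-disk artifacts: a DLL planted where a legitimate host process will find it first, and a boot-time scheduled task for the host. The following hunting logic is an added example, not Doctor Web's code; it uses only the file names and directories named above, runs over a constructed inventory (the placeholder paths under C:\ProgramData are assumptions), and treats the legitimate System32\ATL.dll as a negative case.

```python
"""Hunt for the on-disk artifacts the two ChimeraWire chains leave: DLLs planted
where iscsicpl.exe, mmc.exe and OneDrivePatcher.exe search for them, plus the
boot-time scheduled tasks. Added example; runs on a constructed inventory."""
import ntpath

# (directory the host process searches, planted DLL, host process) from the write-up.
SIDELOAD_RULES = [
    (r"%LOCALAPPDATA%\Microsoft\WindowsApps", "ISCSIEXE.dll", "iscsicpl.exe"),
    (r"%SystemRoot%\System32\wbem", "ATL.dll", "mmc.exe"),
]
COLOCATED_RULES = [("OneDrivePatcher.exe", "UpdateRingSettings.dll")]  # loaded from host's dir
TASK_BINARIES = {"onedrivepatcher.exe", "guardian.exe"}  # registered to run at boot

def expand(path, env):
    for var, value in env.items():  # expand %VAR% tokens with the host's environment
        path = path.replace(f"%{var}%", value)
    return path

def hunt(files, tasks, env):
    """files: full paths; tasks: (name, action path). Returns (kind, path, note) tuples."""
    findings, by_lower = [], {f.lower(): f for f in files}
    for directory, dll, host in SIDELOAD_RULES:
        key = ntpath.join(expand(directory, env), dll).lower()
        if key in by_lower:
            findings.append(("sideload", by_lower[key], f"{dll} hijacks {host}"))
    for host, dll in COLOCATED_RULES:
        for f in files:
            if ntpath.basename(f).lower() != host.lower():
                continue
            key = ntpath.join(ntpath.dirname(f), dll).lower()
            if key in by_lower:
                findings.append(("sideload", by_lower[key], f"{dll} beside {host}"))
    for name, action in tasks:
        if ntpath.basename(action).lower() in TASK_BINARIES:
            findings.append(("persistence", action, f"scheduled task {name!r}"))
    return findings

# Constructed inventory (placeholder paths): legitimate System32\ATL.dll must not match.
SAMPLE_ENV = {"SystemRoot": r"C:\Windows", "LOCALAPPDATA": r"C:\Users\u\AppData\Local"}
SAMPLE_FILES = [
    r"C:\Windows\System32\ATL.dll",
    r"C:\Windows\System32\wbem\ATL.dll",
    r"C:\Users\u\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll",
    r"C:\ProgramData\od\OneDrivePatcher.exe",
    r"C:\ProgramData\od\UpdateRingSettings.dll",
]
SAMPLE_TASKS = [("OneDriveUpdate", r"C:\ProgramData\od\OneDrivePatcher.exe"),
                ("Guardian", r"C:\ProgramData\py\Guardian.exe")]
if __name__ == "__main__":
    for kind, path, note in hunt(SAMPLE_FILES, SAMPLE_TASKS, SAMPLE_ENV):
        print(f"{kind:<12} {path}  ({note})")
```

On a live host, feed it the output of a file inventory and the actions of registered scheduled tasks; a hit on the co-location rule is only meaningful when OneDrivePatcher.exe sits outside its normal OneDrive installation directory.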
Trojan.ChimeraWire - Trojan.ChimeraWire got its name from combining the words "chimera" (a mythical creature with the body parts of several animals) and "wire". The word "chimera" describes the hybrid nature of the attackers' techniques: the use of Trojan downloaders written in different programming languages, anti-debugging techniques, and privilege escalation during the infection process. It also reflects that the Trojan is a combination of various frameworks, plugins, and legitimate software through which hidden traffic control is carried out. That is where the second word, "wire", comes from: it refers to the Trojan's invisible and malicious network operation.
Once on the target computer, Trojan.ChimeraWire downloads the archive chrome-win.zip from a third-party website. This archive contains the Google Chrome browser for Windows. It should be noted that this Internet resource also stores archives of Google Chrome builds for other operating systems, such as Linux and macOS, including builds for various hardware platforms.
The website with various Google Chrome builds from which the trojan downloads the necessary archive
Once the browser is downloaded, Trojan.ChimeraWire tries to covertly install the NopeCHA and Buster add-ons. Designed for automated CAPTCHA solving, these add-ons are used by the malware further along in its operation.
Next, it launches the browser in debug mode with a hidden window, allowing malicious activity to occur without the user noticing. After that, a connection is established to the automatically selected debugging port via the WebSocket protocol.
The Trojan then proceeds to obtain tasks. It sends a request to the C2 server and receives a base64 string in response. This string contains the JSON configuration encrypted with AES-GCM.
Example of the configuration that the trojan receives from the C2 server
It contains tasks and the parameters related to them:
the target search engine (the Google and Bing search platforms are supported);
the key phrases for searching websites in the target search engine and for their consequent loading;
the maximum number of sequential transitions between webpages;
random distributions for performing automated clicks on webpages;
the wait time for loading pages;
the target domains.
To more effectively simulate the activity of a real user and bypass systems that monitor constant activity, the configuration also includes parameters responsible for pauses between work sessions.
Simulating user mouse clicks - Trojan.ChimeraWire can perform the following types of clicks:
for navigating search results;
for opening found relevant links in new background tabs.
First, using the target search engine, Trojan.ChimeraWire searches websites by the domains and key phrases specified in the configuration. It then opens the websites listed in the search results and locates every HTML element on each that defines a hyperlink. The Trojan puts these elements into a data array and shuffles it so that all the objects are listed in a different order than on the webpage. This is to bypass the website's anti-bot protection that can track the order of clicks.
Next, Trojan.ChimeraWire checks whether the links it has found and the strings within them match the template in the configuration, then calculates the number of matches. Depending on this number, the malware then uses different operating algorithms.
If a sufficient number of suitable links are found on the page, Trojan.ChimeraWire scans the page and sorts the detected links by their relevance (the links that most closely match key phrases are listed first). After that, a click is performed on one or multiple suitable links.
If the number of matches with the given template is insufficient or none exist, the malware uses a probabilistic behavior model algorithm that imitates real human behavior as closely as possible. Based on the configuration parameters, Trojan.ChimeraWire uses a weighted distribution to determine how many links to open. For example, the distribution ["1:90", "2:10"] means that the Trojan will click one link with 90% probability and two links with 10% probability. Thus, the malware is highly likely to open one link. The Trojan randomly selects a link from the data array it created earlier and clicks it.
Every time the Trojan opens a link from the search results and performs clicks on the loaded webpage, it either returns to the previous browser tab or proceeds to the next one, depending on the task. These actions are repeated until the click limit for the target websites is exhausted.
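For an analyst reading a decrypted task configuration, the weighted distribution above is the parameter that determines the Trojan's click volume. The following parser is an added example, not the Trojan's own code; it assumes the weights are relative (normalised by their sum), which the write-up's example, summing to 100, is consistent with but does not state.

```python
"""Interpret the click-count distribution from a decrypted ChimeraWire task
configuration, e.g. ["1:90", "2:10"]. Added example for analysts, not the
Trojan's own code; exact Fraction arithmetic avoids float rounding."""
from fractions import Fraction

def parse_click_distribution(entries):
    """Map "<links>:<weight>" strings to {links: probability}. Weights are
    normalised by their sum (assumed, so they need not add up to 100);
    duplicate link counts accumulate; malformed entries raise instead of
    being silently skipped."""
    weights = {}
    for entry in entries:
        count, sep, weight = (part.strip() for part in entry.partition(":"))
        if sep != ":" or not count.isdigit() or not weight.isdigit():
            raise ValueError(f"malformed distribution entry {entry!r}")
        weights[int(count)] = weights.get(int(count), 0) + int(weight)
    total = sum(weights.values())
    if total == 0:
        raise ValueError("distribution has no positive weight")
    return {k: Fraction(w, total) for k, w in sorted(weights.items())}

def most_likely_clicks(dist):
    """Link count the Trojan is most likely to open in one pass."""
    return max(dist, key=dist.get)

def expected_clicks(dist):
    """Mean number of links opened per pass, as an exact fraction."""
    return sum(k * p for k, p in dist.items())

if __name__ == "__main__":
    dist = parse_click_distribution(["1:90", "2:10"])  # the write-up's example
    print({k: f"{float(p):.0%}" for k, p in dist.items()})  # {1: '90%', 2: '10%'}
    print(most_likely_clicks(dist), expected_clicks(dist))  # 1 11/10
```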
Below are examples of websites that the Trojan was commanded to interact with in tasks received from the C2 server:
For detailed technical descriptions of the ChimeraWire trojan and the malware used to download it, please refer to the PDF version of the study or visit the Doctor Web virus library.
More details about Trojan.ChimeraWire
More details about Trojan.DownLoader48.54600
More details about Trojan.Starter.8377
More details about Python.Downloader.208
More details about Trojan.DownLoader48.54318
More details about Trojan.DownLoader48.61444
Conclusion - As of now, Trojan.ChimeraWire's malicious activity essentially boils down to performing simple click tasks to boost website popularity. At the same time, the functionality of the tools on which the trojan is based enables it to perform a broader range of tasks, including automated actions masquerading as real user activity. For instance, malicious actors can use it to fill out web forms on various sites, including those that conduct surveys for advertising purposes. In addition, they can use the Trojan to read the contents of webpages and take screenshots of them, both for cyber espionage and for automated data collection to build various databases (e.g., email addresses, phone numbers, etc.).
Thus, we can expect new Trojan.ChimeraWire versions to emerge in the future, in which these and other features will be fully implemented. Doctor Web's specialists continue to monitor the trojan's evolution.
MITRE ATT&CK®
Doctor Web analyzed Trojan.ChimeraWire using the MITRE ATT&CK® framework, a matrix that describes the tactics and techniques cybercriminals use to attack information systems. The following key techniques were identified:
Stage | Technique
Execution | User Execution (T1204)
Persistence | Registry Run Keys / Startup Folder (T1547.001)
Privilege Escalation | Hijack Execution Flow: DLL (T1574.001)
Defense Evasion | Encrypted/Encoded File (T1027.013)
Command and Control | Bidirectional Communication (T1102.002)
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators-of-compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941