FortiGuard Labs discovered an ongoing threat campaign targeting YouTube viewers searching for pirated software earlier this month. Videos advertising downloads of “cracked” (i.e., pirated) software are uploaded by verified YouTube channels with large subscriber counts. Victims are led to execute malicious binaries that install multiple malware families on their systems, focused on harvesting credentials, cryptojacking, and stealing cryptocurrency funds from wallets.
While we were investigating this campaign, other researchers published a report about it. Although our findings overlap with theirs, this report provides additional observations, such as the deployment of a third malware family to the victims.
- Affected Platforms: Windows
- Impacted Users: Any organization
- Impact: Remote attackers steal credentials, sensitive information, and cryptocurrency and perform cryptojacking on systems
- Severity Level: Critical
This article describes the entire attack chain and technical details on the malware components that make up this campaign.
YouTube Videos Offering Cracked Software:
The uploaded videos lure users searching for pirated software by using titles such as “Adobe Acrobat Pro dc Crack 2023 free full version / Adobe Acrobat Free Download”. Some videos display tutorials for using the pirated software, although in most cases, they simply display static images often unrelated to the software product (Figure 1).
Figure 1: Screenshot of uploaded videos
For more credibility, the malware campaign utilizes verified YouTube channels with large numbers of followers. In fact, one of the YouTube channels observed has nearly 3 million subscribers (Figure 2). As these YouTube channels have uploaded legitimate videos in the past, we suspect these accounts may have been compromised.
Figure 2: YouTube account with uploaded cracked software videos
Similar comments (likely auto-generated) were posted for some of the videos, which suggests the possibility of an automated video uploading and commenting process (Figure 3).
Figure 3: Auto-generated comments
Potential victims are led to download a password-protected archive from a file-sharing service. The malicious URLs and passwords (usually four numeric digits) are located in the video’s description and the comments section (Figure 4).
Figure 4: Pinned comment from uploader with the malicious link
The videos seem to be uploaded in batches. For instance, one of the accounts uploaded over 50 videos within eight hours, offering different pirated software that all led to the same URL. The videos are deleted after some time, after which the threat actors upload the videos to other accounts.
As shown in Figure 5, after downloading the RAR archive 2O23-F1LES-S0ft.rar via the URL provided in the YouTube video description, the victim must uncompress the archive with the password “1212,” listed together with the URL, and run the Launcher_S0FT-2O23.exe contained within. The archive also contains multiple unused files and directories, possibly to masquerade as a legitimate installer. A detailed analysis of each component is provided in the following sections.
Launcher_S0FT-2O23.exe - Vidar Stealer
Launcher_S0FT-2O23.exe is the Vidar infostealer. It is appended with over 1GB of unused bytes, a technique commonly used to bypass antivirus and sandboxes that do not scan files beyond a specific size due to limited CPU and RAM resources. The SHA256 hash of this file is 820bbfc1f5023af60a7048a0c25e3db51b481afd6986bf1b5ff806cf604c1f4c (original) and e256b5ef66c4e56dac32934594b41e7e8cf432f834046e1c24c0827b120e6ddb (after removing the excess bytes).
Once executed, it sends an HTTP GET request to its Command and Control (C2) server at 79.137.206[.]228 to check in and retrieve the stealer configuration (Figure 6). Note the absence of User-Agent and other typical HTTP headers in this GET request.
Figure 6: Vidar registration request
The semicolon-delimited configuration can be interpreted as follows:
- The first comma-delimited block contains single-digit flags, denoted by 1 (enable) or 0 (disable), to toggle specific stealer features.
- Based on this configuration, this stealer will collect passwords stored locally (e.g., FTP, SSH), browser cookies and history, Telegram data, and screenshots.
- Cryptocurrency wallet collection is not enabled.
A 32-character hexadecimal string (redacted in Figure 6) is a token generated by the C2 server for use in the subsequent data exfiltration request.
The remaining configuration values are for harvesting files from the infected machine. In this case, the stealer recursively collects files with the .txt extension smaller than 50kb from the Windows desktop directory. Once the sensitive information has been collected and compressed into a ZIP file, the malware will exfiltrate this data to the C2 via an HTTP POST request (Figure 7).
Figure 7: Vidar data exfiltration request
The POST request contains “id”, which represents the stealer and is the same for every infected user, and a “token” previously provided by the C2 server in the check-in request. The “file” contains a Base64-encoded ZIP file with the data collected by the malware. Figure 8 shows the contents of the ZIP file.
Figure 8: Content of ZIP file containing exfiltrated data
Information.txt includes information on the OS, hardware, running processes, and installed software on the infected system (Figure 9).
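The check-in and exfiltration requests described above lend themselves to two defender tasks: spotting the header-less check-in to a bare IP address in proxy logs, and recovering what was taken from a captured exfiltration POST. The following Python is an added example, not FortiGuard's code or anything from Vidar itself. The proxy log lines, the form-field layout of the POST, the archive members and the id/token values are all constructed stand-ins, since the report does not reproduce the raw request body.

```python
import base64
import io
import re
import zipfile

# Constructed proxy log lines, not captured traffic. Format per line:
# "<method> <host> <path> <user-agent>", with "-" standing for a missing User-Agent.
SAMPLE_PROXY_LOG = """\
GET 79.137.206.228 / -
GET www.example.com /index.html Mozilla/5.0 (Windows NT 10.0; Win64; x64)
POST 79.137.206.228 / -
GET 10.0.0.5 /health curl/8.0.1
"""

IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def headerless_ip_requests(log_text):
    """Return (method, host, path) for requests that go to a bare IPv4 host
    and carry no User-Agent: the two traits of the Vidar check-in request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # malformed or truncated line
        method, host, path, user_agent = parts
        if IPV4_HOST.match(host) and user_agent == "-":
            hits.append((method, host, path))
    return hits


def build_sample_exfil_post():
    """Constructed stand-in for the exfiltration POST: a dict of form fields
    whose "file" value is a Base64-encoded ZIP, as the report describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Information.txt", "OS: Windows 10 (constructed)\nCPU: example\n")
        zf.writestr("Desktop/notes.txt", "sample desktop text file (constructed)\n")
    return {
        "id": "constructed-stealer-id",
        "token": "0" * 32,  # placeholder for the 32-hex-character C2 token
        "file": base64.b64encode(buf.getvalue()).decode("ascii"),
    }


def decode_exfil_archive(form_fields):
    """Decode the Base64 ZIP in the "file" field and return {member: size}
    without writing anything to disk."""
    raw = base64.b64decode(form_fields["file"], validate=True)
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        return {info.filename: info.file_size for info in zf.infolist()}


def read_information_txt(form_fields):
    """Return the text of Information.txt from the decoded archive, or None."""
    raw = base64.b64decode(form_fields["file"], validate=True)
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for name in zf.namelist():
            if name.lower() == "information.txt":
                return zf.read(name).decode("utf-8", errors="replace")
    return None


if __name__ == "__main__":
    for hit in headerless_ip_requests(SAMPLE_PROXY_LOG):
        print("suspicious request:", hit)
    post = build_sample_exfil_post()
    print(decode_exfil_archive(post))
    print(read_information_txt(post))
```

The log heuristic is deliberately generic (bare IP host plus missing User-Agent) so it is not tied to the one C2 address; expect some noise from internal health checks and tune with an allowlist of internal ranges.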
The C2 server then responds with a list of secondary payloads for the malware to download and execute (Figure 10). This sample downloads files stored as releases in GitHub repositories owned by the user jesus061031r. Similar malicious files with different filenames are scattered among other repositories owned by the same user.
Figure 10: List of secondary payloads
These files are written to %ProgramData% with randomized filenames containing 20 numeric characters and are executed sequentially. Once the payloads are executed, the malware exits and deletes itself. Analyses of the payloads are discussed in the following sections. This sample was identified as Vidar Stealer based on the C2 protocol, the system data format in information.txt, and the organization of the files in the exfiltrated ZIP.
While Vidar is a distinctly different malware family from RecordBreaker observed by other researchers tracking the same campaign, both are infostealers, which indicates the threat actor’s primary interest in stealing credentials to further their malicious objectives.
GUI_MODERNISTA.exe - Crack downloader
GUI_MODERNISTA.exe (SHA256: 62d4caf908b3645281d5f3c0f5b5dc3a4beb410015196f7eaf66ca743f415668) is a relatively small (48KB) .NET application that redirects users to hardcoded URL links to files on file-sharing sites containing the purportedly cracked (and illegal) versions of software, as advertised by the YouTube video. This is the only component displayed to the victim, as the other components of the attack chain run covertly in the background.
During our research, we also collected a Python version (SHA256: ba9503b78bc62d4e5e22e4f8e04b28bb6179e146e1c0a6ba14dd06608facb481) of this application. The UI of both versions is shown in Figure 11.
Vadwax.exe - Laplas Clipper
Vadwax.exe (SHA256: f91d9de259052595946250a1440a2457dbda9ee8aec8add24419ff939f13e003) is 1.17 GB in size but composed mainly of an overlay of the repeating byte 0x30, which corresponds to “0” in ASCII (Figure 12).
After removing the unused overlay, we ended up with a much smaller 5.87 MB file (SHA256: 2fcb61da34b259b9b130c0c75525697931b9dff8e7f9b2198f9db21b5193eeba). Like the earlier sample, this artificial inflation is used to circumvent AV solutions. This sample is Laplas Clipper, which attempts to substitute wallet addresses in the user’s clipboard to steal cryptocurrency. It constantly checks the content of the Windows clipboard against regular expressions retrieved from the C2 server. Upon a match, the content of the clipboard is sent to the C2 server, which responds with the threat actor’s wallet address for the appropriate cryptocurrency for replacement. This enables Laplas Clipper to switch the original payee’s wallet address with the threat actor’s and divert the funds to the threat actor instead. This particular sample is protected by the commercial VMProtect packer with heavy use of anti-sandbox and anti-analysis checks. As Laplas Clipper has been described by other researchers, we will just focus on the persistence and C2 communication of this sample.
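Both inflated samples (Launcher_S0FT-2O23.exe and Vadwax.exe) place the padding in the PE overlay, the bytes after the last section's raw data. The Python below is an added example, not code from the report. It locates the overlay from the section table rather than by scanning for a repeated byte, so it also measures an overlay of randomized bytes such as the one appended to the svcservice.exe copy described in the persistence section, and it hashes the file with and without the padding so the stripped hash can be matched against threat-intel feeds. It builds its own minimal PE as constructed input and assumes an intact section table (packers such as VMProtect keep one); note that a legitimately signed binary also has a small overlay, since Authenticode data lives there.

```python
import hashlib
import struct
from collections import Counter


def pe_overlay_offset(data):
    """Return the file offset where the overlay begins: the end of the last
    section's raw data as declared in the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + opt_size
    end = section_table + 40 * num_sections             # headers end at least here
    for i in range(num_sections):
        hdr = section_table + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def overlay_report(data):
    """Measure the overlay and hash the file with and without it."""
    start = pe_overlay_offset(data)
    overlay = data[start:]
    report = {
        "file_size": len(data),
        "overlay_offset": start,
        "overlay_size": len(overlay),
        "sha256_full": hashlib.sha256(data).hexdigest(),
        "sha256_stripped": hashlib.sha256(data[:start]).hexdigest(),
    }
    if overlay:
        byte, count = Counter(overlay).most_common(1)[0]
        report["dominant_byte"] = byte                    # 0x30 for a "0"-padded file
        report["dominant_fraction"] = count / len(overlay)  # ~1.0 repeated, ~1/256 random
    return report


def build_inflated_sample(overlay):
    """Constructed minimal PE32 (one section, zeroed optional header) with
    `overlay` appended; a stand-in for a real inflated sample."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                       # PE32 optional header size
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    raw_ptr, raw_size = 0x200, 0x200
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos_header + b"PE\0\0" + coff_header + b"\0" * opt_size + section
    return headers.ljust(raw_ptr, b"\0") + b"\xCC" * raw_size + overlay


if __name__ == "__main__":
    sample = build_inflated_sample(b"0" * 1_000_000)      # 0x30 repeated, as in Vadwax.exe
    for key, value in overlay_report(sample).items():
        print(f"{key}: {value}")
```

Run the same report over a file saved on disk with `overlay_report(open(path, "rb").read())`; a multi-hundred-megabyte overlay with a dominant-byte fraction near 1.0 is the inflation pattern, while a randomized overlay shows up as a large overlay whose dominant fraction stays near 1/256.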
Persistence: This sample checks whether it is running from the %Appdata% directory. If not, it copies itself to %Appdata%\telemetry\svcservice.exe and appends an overlay of randomized bytes to the copy. It then maintains persistence by adding a registry value named telemetry under the following key:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Communication: Laplas Clipper first registers with the C2 server using the current machine name and Windows username (guid parameter) and a 64-character hexadecimal string (key parameter) via an HTTP GET request to hxxp://85[.]192[.]40[.]252/bot/online?guid=<machine name>/<username>&key=<hexadecimal string>
After successfully registering with the C2 server, it requests regular expressions from hxxp://85[.]192[.]40[.]252/bot/regex (Figure 13).
Figure 13: Regexes from Laplas Clipper C2
The regular expressions hunt for the addresses of the following cryptocurrencies in the clipboard (ordered alphabetically):
- Binance Coin (BNB)
- Bitcoin (BTC)
- Bitcoin Cash (BCH)
- Cardano (ADA)
- Cosmos (ATOM)
- Dash (DASH)
- Dogecoin (DOGE)
- Ethereum (ETH)
- Litecoin (LTC)
- Monero (XMR)
- Ripple (XRP)
- Ronin (RON)
- Tezos (XTZ)
- Tron (TRX)
- Zcash (ZEC)
Incidentally, the Laplas Clipper C2 panel at laplas[.]app resolves to 85[.]192[.]40[.]252 (Figure 14).
Figure 14: Laplas Clipper C2 panel
Vaxa.exe - Miner Installer
Vaxa.exe (SHA256: 44810cead810cd546a8983e464157a4eb98ebbd518c4f4249e6b99e7f911090f) is an in-memory loader for an embedded miner downloader payload. It is a 32-bit Windows console application masquerading as a program for performing and displaying the results of some simple math operations (Figure 15).
Figure 15: In-memory loader masquerading as math program
It then proceeds to decrypt the shellcode and payload from its body. The shellcode is provided with the path of the application to inject the payload into before execution is redirected to it (Figure 16).
Figure 16: Injector shellcode setup and execution
The shellcode uses process hollowing to inject and execute a .NET assembly named Task32Main (SHA256: 5630c8f0dcd2393daf8477e6e4e419b0d0faf6780b6f1e00ad7a09fd37ddcdd3) within Regsvcs.exe.
Task32Main – Miner Downloader
Task32Main is a .NET downloader and installer for Monero cryptomining components. It provides supporting functionality, such as maintaining persistence and AV evasion. More importantly, it is responsible for installing the watchdog component, which ensures that the miner is kept running in the victim system.
To avoid detection, it executes encoded PowerShell commands that add the following directories to Windows Defender's scan exclusion list:
- %SystemDrive%
- %UserProfile%
- %ProgramData%
It then downloads a configuration file from hxxps://pastebin[.]com/raw/5p5KkdBw that lists further malware payloads to download and their execution parameters (Figure 17).
Figure 17: Pastebin configuration for miner component
A modified copy of this configuration is written as log.uce to the following directories:
- "C:\ProgramData\HostData"
- "C:\Users\TRT-DESKTOP\AppData\Local\Temp"
- "C:\"
This will be used as the configuration file for the watchdog component discussed in the next section.
The above configuration instructs the malware to download additional cryptomining-related payloads from the following URLs:
- hxxps://github[.]com/dwadaxwad/dvsv/releases/download/sdv/WatchNew.exe
- hxxps://github[.]com/dwadaxwad/dvsv/releases/download/sdv/xmrig.exe
The malware creates the directory %ProgramData%\Dllhost and saves the downloaded files as dllhost.exe (miner watchdog) and winlogson.exe (Monero XMRig miner), respectively. The malware then modifies the directory’s permissions to deny access to the current user.
Figure 18: Directory permissions for %ProgramData%\Dllhost
To persist in the victim system, it then adds several scheduled tasks to execute the watchdog dllhost.exe every hour. It does this by executing the following command:
The scheduled task names impersonate legitimate Windows-related software to deter casual detection and are as follows:
- SecurityHealthSystray
- WindowsDefender
- WmiPrvSE
- AntiMalwareServiceExecutable
- Dllhost
- MicrosoftEdgeUpd
- OneDriveService
- NvStray
- ActivationRule
It also changes the power settings of the system to prevent it from hibernating and sleeping by executing the following command to ensure that its Monero cryptominer component (executed later) is always running while the machine is powered up:
The hosts file is also modified to resolve security product-related domains to the IP 0.0.0.0, which blocks communication by security products, e.g., for downloading updates.
Figure 19: Modified hosts file
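An added Python check, not from the report, that parses a hosts file and reports entries sinkholing non-local names to 0.0.0.0 or a loopback address, which is the modification described above. The embedded hosts content and the .test domains are constructed, because the report does not list the blocked domains; on Windows the script reads the real file from %SystemRoot%\System32\drivers\etc\hosts.

```python
import os

# Constructed hosts file content standing in for the one in Figure 19 (placeholder domains).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0 update.example-av.test
0.0.0.0 definitions.example-av.test  # added without the admin's knowledge
192.168.1.10    fileserver.corp.test
"""

NULL_OR_LOOPBACK = {"0.0.0.0", "127.0.0.1", "::1", "::"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line number, address, [hostnames]) for every effective entry,
    skipping blank lines and comments (including trailing '#' comments)."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        yield lineno, fields[0], fields[1:]


def sinkholed_entries(text):
    """Return (line number, address, [names]) for entries that map a non-local
    hostname to a null or loopback address."""
    findings = []
    for lineno, address, names in parse_hosts(text):
        external = [n for n in names if n.lower() not in LOCAL_NAMES]
        if address in NULL_OR_LOOPBACK and external:
            findings.append((lineno, address, external))
    return findings


def windows_hosts_path():
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "drivers", "etc", "hosts")


if __name__ == "__main__":
    path = windows_hosts_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for lineno, address, names in sinkholed_entries(text):
        print(f"line {lineno}: {address} -> {', '.join(names)}")
```

A stock Windows hosts file contains only comments, so any sinkholed non-local entry is worth explaining; ad-blocking hosts lists are the usual benign cause and can be allowlisted by domain.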
Lastly, it executes the watchdog component %ProgramData%\dllhost.exe, which executes the actual cryptominer.
Dllhost.exe - Miner watchdog
Dllhost.exe (SHA256: d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443) is a .NET assembly named Task32Watch. It is a watchdog application that executes the miner component, monitors its process, and ensures it is kept running and uses the latest mining parameters. It reads its own configuration file, log.uce, previously dropped by the installer component Task32Main. It has the same content as the configuration file downloaded by the Task32Main component, excluding the first three lines. Moreover, it includes the Pastebin URL where the configuration file was downloaded as the last line.
Figure 20: Watchdog configuration
This Pastebin URL allows the watchdog to retrieve the latest XMRig mining parameters (e.g., mining pool server, wallet address, worker name “snnssnewte”, etc.). It then executes the miner winlogson.exe located in the same directory with these mining parameters. As a watchdog, it ensures that the miner process is always running by constantly enumerating the processes currently running in the system and re-running the miner if it is terminated. In addition, to lessen the chance of being discovered and terminated by the user, it kills processes related to system diagnostics and analysis tools, such as Task Manager and Process Hacker. Lastly, it also ends game-related processes, which are usually resource-intensive and reduce the CPU resources available for mining.
Figure 21: List of processes to terminate
Conclusion: This campaign highlights the dangers of downloading illegally pirated copies of software because of the tendency of threat actors to prey on such users to steal credentials, sensitive data, or even cryptocurrency. On top of this, the infected machine is also used for cryptojacking to mine Monero for the threat actor. The agility of these threat actors is also a cause for concern, as we observed the threat actor behind this campaign rapidly uploading new copies of similar malware whenever GitHub takes down the malicious repositories.
IOCs:
Files
- 820bbfc1f5023af60a7048a0c25e3db51b481afd6986bf1b5ff806cf604c1f4c
- e256b5ef66c4e56dac32934594b41e7e8cf432f834046e1c24c0827b120e6ddb
- 62d4caf908b3645281d5f3c0f5b5dc3a4beb410015196f7eaf66ca743f415668
- 44810cead810cd546a8983e464157a4eb98ebbd518c4f4249e6b99e7f911090f
- f91d9de259052595946250a1440a2457dbda9ee8aec8add24419ff939f13e003
- 2fcb61da34b259b9b130c0c75525697931b9dff8e7f9b2198f9db21b5193eeba
- d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443
- 21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995
- a0ac98bbd611fc697133ab872f9d978dc1931ea70f8a2374d18aff5754f7c110
- ba9503b78bc62d4e5e22e4f8e04b28bb6179e146e1c0a6ba14dd06608facb481
- 9c5aff1352619f14feb736916374bbed06ef41a7d0cb72d789cb86e8f3906212
- 5630c8f0dcd2393daf8477e6e4e419b0d0faf6780b6f1e00ad7a09fd37ddcdd3
Download URLs:
- hxxps://github[.]com/jesus061031r/mooliik/releases/download/mooliik/2O23-F1LES-S0ft.rar
- hxxps://github[.]com/jesus061031r/mooliik/releases/download/mooliik/vadwax.exe
- hxxps://github[.]com/jesus061031r/mooliik/releases/download/mooliik/GUI_MODERNISTA.exe
- hxxps://github[.]com/jesus061031r/mooliik/releases/download/mooliik/exep.exe
- hxxps://github[.]com/jesus061031r/mooliik/releases/download/mooliik/vaxa.exe
- hxxps://github[.]com/jesus061031r/mooliik/releases/download/mooliik/vdsc.exe
- hxxps://github[.]com/jesus061031r/mooliik/releases/download/mooliik/vdscs.exe
- hxxps://github[.]com/dwadaxwad/dvsv/releases/download/sdv/xmrig.exe
- hxxps://github[.]com/dwadaxwad/dvsv/releases/download/sdv/WatchNew.exe
- hxxps://github[.]com/dwadaxwad/dvsv/releases/download/sdv/lolMiner.exe
- hxxps://github[.]com/bonniebosidaw/bolikgs/releases/download/voollik/2O23-F1LES-S0ft.rar
- hxxps://pastebin[.]com/raw/5p5KkdBw
C2s:
- 79.137.206[.]228 (Vidar C2)
- 85[.]192[.]40[.]252 (Laplas Clipper C2)
Monero Wallet Address
- 48GSRPwCNzLCkNGCMgUsqfg8BxJq8azyUbMLQM4Dvqh64M8goBjQ2SkVFUokVDzQpqfotv1oDcB8X8qMxuLK6GDBSWU3tp4
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989