Pirated software and its consequences: an analysis of the oldest and simplest viral foothold on the Internet
<blockquote data-quote="Ghosthunter" data-source="post: 499" data-attributes="member: 6">
<h4>2. Deobfuscating values and checking communication with the command server</h4>
<p>Then the malware starts deobfuscating (decrypting) the strings used to configure communication with the C&amp;C host. At first glance incomprehensible, these character sets are strings encrypted with the RC4 stream cipher and stored in base64 format.</p>
<p>RC4 is a stream cipher that is widely used in various information security systems in computer networks. The cipher was developed by RSA Security. The RC4 algorithm, like any stream cipher, is built on a pseudorandom bit generator.</p>
<p>It's funny that the strings, once decoded, are nothing but obscene Russian expressions written in transliteration. They are used as the commands that the malware receives from the C&amp;C server. For obvious reasons, they are blurred in the screenshots.</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/cc6/989/7ca/cc69897ca79fc8b208d5765a8f80d189.jpeg" alt="cc69897ca79fc8b208d5765a8f80d189.jpeg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>After that, the stealer checks the connection with the command server by simply pinging it. By the way, the communication channel is not encrypted in any way, which, again, shows how unusually simple Raccoon is compared to modern stealers.</p>
<p>In principle, I also managed to find the IP address of the host that the malware contacted; it was stored as plain base64:</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/05d/072/b24/05d072b24ee72644de227797df75e127.png" alt="05d072b24ee72644de227797df75e127.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<h4>3. Creating a mutex</h4>
<p>First, I need to explain what a mutex is, as many people may have questions about it.</p>
<p>A mutex is a synchronization primitive that provides mutual exclusion for the execution of critical code sections.</p>
<p>In very simple terms, this is just a check of whether the virus process is already running on this device or not. If the mutex already exists, the process is terminated; otherwise the malware creates it and continues working.</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/7d5/a52/77a/7d5a5277a0e5df425bad42285192798e.png" alt="7d5a5277a0e5df425bad42285192798e.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>It is worth noting that this is the only stop mechanism in the virus code that can interrupt its execution.</p>
<h4>4. Checking the privileges of its own process</h4>
<p>This is quite an important element, since if the stealer fails to get the necessary privileges in the system, its functionality is significantly limited.</p>
<p>A large section of code is responsible for this check, and it looks, to put it mildly, slightly incomplete, since even if Raccoon has not received the necessary privileges, it will still continue to work.</p>
<p>So, the malware checks the privileges of its process and returns zero if the SID (Security Identifier) means NT Authority\System. But it will likewise return zero if it can't read its process ID.</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/402/bf2/b5d/402bf2b5d278857e0e357283e4b2c89d.png" alt="402bf2b5d278857e0e357283e4b2c89d.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>If the process's privilege is not NT Authority\System, the malware does not perform the next function and simply skips this step. Since the malware is still under development, such errors can occur. The coder just didn't figure out what to do when the process didn't get the proper privileges.</p>
<h4>5. Communication with the C&amp;C server</h4>
<p>Connecting to the command and control tool is quite interesting and consists of several stages that are worth considering.</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/cf5/918/242/cf591824223be211bf3751185fa70dbb.png" alt="cf591824223be211bf3751185fa70dbb.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>First, the malware accesses the Windows registry using the following path to get the system ID:</p>
<p><code>HKLM:\SOFTWARE\Microsoft\Cryptography\MachineGuid</code></p>
<p>Then it accesses the Advapi32 library to get the user name from it, which looks like this:</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/175/67e/d8a/17567ed8a9923bd7cda3e73911cac7e0.png" alt="17567ed8a9923bd7cda3e73911cac7e0.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>This data is combined into the following structure and sent to the command server in the form of a POST request, the address of which, I remind you, was stored base64-encoded in the stealer's code:</p>
<p><code>machineId=&lt;MachineGuid&gt;|&lt;UserName&gt;&amp;configId=&lt;RC4 key&gt;</code></p>
<p>The command server responds with a plain list, without any encoding or anything else. This list contains the following information (but may differ in some cases):</p>
<ul>
<li data-xf-list-type="ul">URLs for downloading additional DLLs;</li>
<li data-xf-list-type="ul">Collecting device information
<ul>
<li data-xf-list-type="ul">Screenshot of the screen</li>
<li data-xf-list-type="ul">Investigating the cache of the Telegram desktop app</li>
</ul>
</li>
<li data-xf-list-type="ul">Browser extensions for finding the information the stealer needs</li>
<li data-xf-list-type="ul">Search for cryptographic wallets</li>
</ul>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/d4b/24d/62a/d4b24d62adb8850fcc40b7fd01523ec5.png" alt="d4b24d62adb8850fcc40b7fd01523ec5.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<h4>6. Installing additional DLL libraries and collecting information about the victim's device</h4>
<p>As mentioned earlier, the response from the management server contains a list of links to download additional DLLs. They are completely harmless and there is nothing malicious in them. Raccoon will simply use them to collect additional information about the device and steal data from an unsuspecting user.</p>
<p>Here's a list of them:</p>
<ul>
<li data-xf-list-type="ul">nss3.dll</li>
<li data-xf-list-type="ul">nssdbm3.dll</li>
<li data-xf-list-type="ul">msvcp140.dll</li>
<li data-xf-list-type="ul">vcruntime140.dll</li>
<li data-xf-list-type="ul">mozglue.dll</li>
<li data-xf-list-type="ul">freebl3.dll</li>
<li data-xf-list-type="ul">softokn3.dll</li>
<li data-xf-list-type="ul">sqlite3.dll</li>
</ul>
<p>Next, the stealer starts collecting information about the host, since all the preparatory work is completed, and finally the fun begins.</p>
<p>Raccoon collects the following information about the victim's host:</p>
<ul>
<li data-xf-list-type="ul">username,</li>
<li data-xf-list-type="ul">operating system version,</li>
<li data-xf-list-type="ul">time zone and system time,</li>
<li data-xf-list-type="ul">technical information: name of the processor, video card, and amount of RAM,</li>
<li data-xf-list-type="ul">installed applications and display devices (web cameras, monitors, etc.).</li>
</ul>
<p>The following code snippet is responsible for this magic:</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/970/b10/4d7/970b104d7cb8d7d3565f29ea7e40c73d.png" alt="970b104d7cb8d7d3565f29ea7e40c73d.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/b2b/d42/9aa/b2bd429aaf4eb90acb27d84c531433a8.png" alt="b2bd429aaf4eb90acb27d84c531433a8.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>The collected information is saved in the file "System Info.txt", which is sent to the command server.</p>
<h4>7. Direct data theft</h4>
<p>So, even if this virus is primitive and unrefined in places, it is still able to perform its functions, and it does so quite well. The process of data theft has many options and can be changed depending on the preferences of the criminal (the most interesting ones are described below):</p>
<ol>
<li data-xf-list-type="ol">Using the browser's own DLL mozglue3.dll, the malware can request the logins.json file containing Firefox cookies. By the way, in the previous step Raccoon collected information about installed apps. Now you can clearly see why: the attacker knows in advance which browser is installed on the device and does not waste time.</li>
<li data-xf-list-type="ol">Using another of its extra DLLs, sqlite3.dll, the virus can also steal cookies from other browsers.</li>
<li data-xf-list-type="ol">Search for a file named wallet.dat. This file contains the seed phrase and other information about the cryptographic wallet. This is only relevant for users of applications from crypto companies.</li>
<li data-xf-list-type="ol">Raccoon can also explore and steal the cache of the Telegram app.</li>
<li data-xf-list-type="ol">Monitor your desktop using screenshots.</li>
<li data-xf-list-type="ol">Ability to download another malicious app to your device. That is, it is able to perform the functions of a dropper.</li>
</ol>
<p>In the case of the Firefox browser DLL, everything looks quite boring: a simple request for the logins.json file. I don't see the point in describing this in detail, so let's pay attention to sqlite3.dll. This is a dynamic SQL server library usually used for correct database operation.</p>
<p>The developers of the stealer found another use for it: stealing cookies from browsers such as Google Chrome, Edge and Opera, as well as searching for files that store data about saved bank cards.</p>
<p>This is implemented using SQL queries and looks like this in the malware code:</p>
<p>In layman's terms, the malware simply searches for files with the appropriate extension, then analyzes them and sends them to the command server. The only notable thing here is that the criminals added a reassignment of "GetProcAddress" imports for each function that uses the loaded DLLs. What for? My guess is that this is done to hide traces when someone tries to analyze the virus. It creates an additional redirect every time the function uses the DLL.</p>
<p>When it comes to wallets, Raccoon will similarly search for files with the extension .dat, and then check whether these files belong to a cryptographic wallet or not.</p>
<p>In principle, there is nothing more to analyze here. The remaining functions are banal and not worth talking about. Let's move on to dynamic analysis.</p>
<h4>Dynamic malware analysis: what it really looks like</h4>
<p>All tests are performed on a VM. In any case, do not repeat this yourself, especially on your main machine.</p>
</blockquote>
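The post describes two pieces of the sample that an analyst reproduces by hand: the base64-then-RC4 string encoding of section 2, and the plain-text check-in body `machineId=<MachineGuid>|<UserName>&configId=<RC4 key>` of section 5. The script below is an added example, not code from the post or from the Raccoon sample: it implements RC4 inline so that base64 blobs can be decoded once the key is known, and it parses captured POST bodies of that shape out of proxy-log lines so that the unencrypted beacon can be triaged from the network side. The key, GUID, user names, IP addresses and log lines are all constructed for the demo, not indicators taken from the real sample.

```python
"""Added example (not from the original post or the Raccoon sample).

Section 2: config strings are RC4-encrypted and base64-encoded, so decoding
is base64 -> RC4.  RC4 is implemented inline (KSA + PRGA), no third-party code.

Section 5: the check-in is a plain-text HTTP POST whose body has the shape
    machineId=<MachineGuid>|<UserName>&configId=<RC4 key>
and parse_beacon_body()/triage_log() pull those fields out of captured
request bodies.  Every key, GUID, user, IP and log line below is constructed.
"""
import base64
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_config_string(blob_b64: str, key: bytes) -> str:
    """base64 -> RC4 decrypt -> text, the order the post describes."""
    return rc4(key, base64.b64decode(blob_b64)).decode("utf-8", errors="replace")


def encode_config_string(text: str, key: bytes) -> str:
    """Inverse of decode_config_string; used only to build sample blobs here."""
    return base64.b64encode(rc4(key, text.encode("utf-8"))).decode("ascii")


# --- check-in (beacon) body parsing ---------------------------------------
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
BEACON_RE = re.compile(
    r"^machineId=(?P<guid>[^|&]*)\|(?P<user>[^&]*)&configId=(?P<cfg>[^&]*)$")


def parse_beacon_body(body: str):
    """Return the three fields if `body` has the check-in shape, else None.
    The MachineGuid must also be a well-formed GUID, which rules out most
    unrelated form posts that merely contain a 'machineId' key."""
    m = BEACON_RE.match(body.strip())
    if not m or not GUID_RE.match(m.group("guid")):
        return None
    return {"machine_guid": m.group("guid"), "user": m.group("user"),
            "config_id": m.group("cfg")}


# Constructed proxy-log lines: timestamp, client, method, URL, quoted POST body.
# 203.0.113.0/24 is a documentation range, not a real C&C address.
SAMPLE_LOG = [
    '2024-05-01T09:12:03Z 10.0.0.25 POST http://203.0.113.10/ body="machineId=3f2504e0-4f89-11d3-9a0c-0305e82c3301|jdoe&configId=0badc0ffee"',
    '2024-05-01T09:12:05Z 10.0.0.25 GET http://203.0.113.10/dl/nss3.dll body=""',
    '2024-05-01T09:13:10Z 10.0.0.31 POST http://intranet.example/login body="user=alice&pass=redacted"',
    '2024-05-01T09:14:00Z 10.0.0.40 POST http://203.0.113.10/ body="machineId=not-a-guid|bob&configId=abc"',
]
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) body="([^"]*)"$')


def triage_log(lines):
    """Return one finding per POST line whose body parses as a check-in."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "POST":
            continue
        fields = parse_beacon_body(m.group(5))
        if fields:
            findings.append({"time": m.group(1), "client": m.group(2),
                             "dest": m.group(4), **fields})
    return findings


if __name__ == "__main__":
    demo_key = b"demo-rc4-key"                 # constructed; not the sample's key
    for text in ("PING", "GET_CONFIG"):
        blob = encode_config_string(text, demo_key)
        print(f"{blob:>24}  ->  {decode_config_string(blob, demo_key)}")
    for finding in triage_log(SAMPLE_LOG):
        print("check-in:", finding)
```

With a real capture, the key needed by `decode_config_string` is the `configId` value that `triage_log` recovers from the beacon, which is why the two halves sit in one script: the unencrypted check-in leaks exactly the material needed to read the rest of the configuration.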