Pirated software and its consequences: an analysis of the oldest and simplest viral foothold on the Internet
<blockquote data-quote="Ghosthunter" data-source="post: 501" data-attributes="member: 6"><p>And the information here is just identical to what we saw when analyzing Raccoon, so much so that the specified compile time is the same. (This leads me to believe that the author/authors of Raccoon and Vidar are either collaborating or the same people.) In addition, the sample is a PE file, and Microsoft Visual C/C++ (2008-2010) was used for compilation. This miracle is written in C/C++.</p><p></p><p>Just for fun, the sample was uploaded to VirusTotal, and the results of the scan shocked me, because most popular antivirus applications ignore the obvious and unmasked threat. The detection rate was 20 out of 56. The Avast, ESET NOD32, Kaspersky, and Yandex apps did not respond in any way.</p><p></p><p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/263/b46/84f/263b4684f096b18f9982a7a39fae53fa.png" alt="263b4684f096b18f9982a7a39fae53fa.png" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><p>Well, let's move on to a deeper analysis. Hydra refused to work with PE files. Not surprisingly, but once again. Therefore, IDA PRO will help us out here; with its help we will be able to examine the malware in detail. Let's get started.</p><p></p><p>Once initiated on the victim's device, the malware performs the following actions:</p><ul> <li data-xf-list-type="ul">Import libraries.</li> <li data-xf-list-type="ul">Checking or creating a mutex.</li> <li data-xf-list-type="ul">Deobfuscate values and check communication with the command server.</li> <li data-xf-list-type="ul">Loading additional legitimate DLL files.</li> <li data-xf-list-type="ul">Request configuration data from the C&C server.</li> <li data-xf-list-type="ul">Direct data theft.</li> <li data-xf-list-type="ul">Installing additional malware.</li> <li data-xf-list-type="ul">Self-destruct. (Yes, it is not active all the time, but operates according to the “stole and left, called found” method.)</li> </ul><p></p><h4>1. Import libraries</h4><p>The first and most striking difference from Raccoon is the reduced table of imports. The malware uses only two system DLLs: Kernel32.dll and User32.dll.</p><p></p><p>Kernel32.dll is a dynamically linked library that is the core of all versions of the Microsoft Windows OS.</p><p></p><p>User32.dll is part of the window and user interface management subsystem.</p><p></p><p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/fbf/b6a/852/fbfb6a8528eba3e5bb9584dc6677e3bc.png" alt="fbfb6a8528eba3e5bb9584dc6677e3bc.png" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><p>I can only say that this does not limit its functionality in any way. Using only two system DLLs, it is able to collect all the information it needs and function fully.</p><p></p><p>As in the case of Raccoon, this import is not masked in any way and is represented by the following code snippet:</p><p></p><p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/f86/c74/279/f86c74279f985d61a9ced09ef2ec164d.png" alt="f86c74279f985d61a9ced09ef2ec164d.png" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><h4>2. Checking or creating a mutex</h4><p>This stage and its actions are completely copied from the Raccoon code and are no different. Banal copy-paste. If someone has not read the previous analysis, I will leave an explanation of the term “mutex” here so that no questions arise.</p><p></p><p>A mutex is a synchronization primitive that provides mutual exclusion of execution of critical code sections.</p><p></p><p>In very simple terms, this is a simple check of whether the virus process is already running on this device or not.
If the mutex already exists, the process is terminated; otherwise the malware creates it and continues working.</p><p></p><p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/739/c1b/ee0/739c1bee01617c55a017e74e7f1be892.png" alt="739c1bee01617c55a017e74e7f1be892.png" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><h4>3. Deobfuscate values and check communication with the command server</h4><p>The mechanism is very similar to the one we have already seen, but with minor differences, which we will now talk about.</p><p></p><p>Like Raccoon, Vidar first decodes the strings used to communicate with the C&C server. Compared to the previous test subject, there are far fewer of them here, and there are no obscene expressions. They are similarly represented as RC4 and Base64 encryption. Communication with the command server is not encrypted in any way.</p><p></p><p>RC4 is a stream cipher that is widely used in various information security systems in computer networks. The cipher was developed by RSA Security. The RC4 algorithm, like any stream cipher, is built on the basis of a pseudorandom bit generator.</p><p></p><p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/9b9/867/a81/9b9867a81deee51af17f27d1357c156e.png" alt="9b9867a81deee51af17f27d1357c156e.png" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><p>Next comes the check of the connection to the command server; as in Raccoon, this happens in a banal way, by pinging.</p><p></p><p>The most interesting thing is that if you decipher these strings, they lead to the public gaming service FACEIT, namely to its API.</p><p></p><p>FACEIT is an esports platform founded in London in 2011.
The company has established leagues for games such as Counter-Strike: Global Offensive, League of Legends, Rocket League, Tom Clancy's Rainbow Six Siege, Dota 2, and Team Fortress 2.</p><p></p><p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/7ea/9e5/d97/7ea9e5d976e382cf71f5176fe3e69213.png" alt="7ea9e5d976e382cf71f5176fe3e69213.png" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><p>And the method of using the FACEIT API has many advantages; for example, faceit.com cannot be blocked, because it is a normal site.</p><p></p><p>With the method used by Raccoon, if the command server is blocked or disabled, the malware becomes completely useless. Vidar is immune to such things.</p><p></p><p></p><p>After decrypting this string, the virus connects to the address:</p><p></p><p><a href="https://api.faceit.com/core/v1/nicknames/vlad25vladiSlave" target="_blank">https://api.faceit.com/core/v1/nicknames/vlad25vladiSlave</a></p><p></p><p>This page contains the primary configuration of the malware, that is, its basic instructions. They may vary depending on the attacker's preferences.</p><p></p><p>They have the following form:</p><p></p><p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/fec/ab8/a45/fecab8a455717ffe30114e25c1d7ae8f.png" alt="fecab8a455717ffe30114e25c1d7ae8f.png" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><p>This list also contains a link to download additional DLL files.</p><p></p><h4>4. Download additional legitimate DLL files</h4><p>The further I analyze this malware, the more I am convinced that the developers of Vidar and Raccoon are the same people. You will see confirmation of this later.</p><p></p><p>After successful completion of the previous step, the virus starts downloading additional legitimate DLL files that will be used to implement malicious functions.
Their list hardly differs from the previous subject's at all:</p><ol> <li data-xf-list-type="ol">freebl3.dll</li> <li data-xf-list-type="ol">mozglue.dll</li> <li data-xf-list-type="ol">msvcp140.dll</li> <li data-xf-list-type="ol">nss3.dll</li> <li data-xf-list-type="ol">softokn3.dll</li> <li data-xf-list-type="ol">vcruntime140.dll</li> <li data-xf-list-type="ol">msvcp140.dll</li> </ol><p>It is also noteworthy that the downloaded DLL files are saved in a separate folder created by the malware. It is located at the following path:</p><p></p><p>C:\ProgramData\local\dekddss\hyper\v\</p><p></p><p>As you can see, sqlite3.dll is missing here, because the stealer does not implement data theft via SQL queries.</p><p></p><p>Then the stealer makes a request to the C&C server to get a more detailed working configuration; this is implemented by the same request to the FACEIT API page.</p><p></p><p>It will contain 12 values separated by “*”:</p><p></p><p>1,1,1,1,1,1,1,1,1,1,250,Default;%DESKTOP%\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*;50;true;movies:music:mp3;</p><p></p><p>This page may change depending on the attacker's preferences, but in most cases it is not modified.</p><p></p><p>If you read the previous article, you can guess that the process of collecting information about the victim's host will follow. The stealer will collect the following data:</p></blockquote><p></p>
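The post says the C&C strings are stored RC4- and Base64-encoded and only reveal the FACEIT API address once decoded. The Python below is an added example, not code from the post or from the malware: it implements RC4 (KSA and PRGA) and the Base64-then-RC4 unwrapping an analyst would apply to such strings, checks itself against the public RC4 test vector for key "Key" and plaintext "Plaintext", and decodes a constructed sample built with a made-up key and a placeholder nickname.

```python
import base64


def rc4_keystream(key: bytes):
    """Yield the RC4 keystream for `key`: KSA builds the permutation, PRGA emits bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: XOR with the keystream both encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decode_string(key: bytes, blob: str) -> str:
    """Unwrap an obfuscated string: Base64 decode first, then RC4, then UTF-8."""
    return rc4(key, base64.b64decode(blob)).decode("utf-8")


def encode_string(key: bytes, text: str) -> str:
    """Inverse of decode_string; used here only to build the constructed sample."""
    return base64.b64encode(rc4(key, text.encode("utf-8"))).decode("ascii")


def known_answer_check() -> bool:
    """Public RC4 test vector: key "Key", plaintext "Plaintext" -> BBF316E8D940AF0AD3."""
    return rc4(b"Key", b"Plaintext") == bytes.fromhex("bbf316e8d940af0ad3")


# Constructed sample: the key and the nickname in the URL are made up for this
# demonstration and are not values recovered from the sample discussed in the post.
SAMPLE_KEY = b"demo-key"
SAMPLE_URL = "https://api.faceit.com/core/v1/nicknames/<placeholder-nickname>"
SAMPLE_BLOB = encode_string(SAMPLE_KEY, SAMPLE_URL)

if __name__ == "__main__":
    assert known_answer_check(), "RC4 implementation does not match the test vector"
    print(decode_string(SAMPLE_KEY, SAMPLE_BLOB))
```

With a real sample, the key and the encoded blobs are what the analyst recovers from the binary; the functions above are unchanged.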