By Uriel Kosayev (@MalFuzzer)
We at MalwareAnalysis.co have detected an anomalous torrent that is uploaded by malware distributors to the torrent site of The Pirate Bay.
Uploading the extracted file of Setup.exe to VirusTotal shows the following detection rates:
Threat Intelligence
We found a direct connection to a dropped file dubbed as irsetup.exe which is a dropper for targeted Adware campaigns:
Searching for well-known used names in this variant, shows the name of suf_rt.exe which is used by other trojan variants:
Also, the use of urlmon.dll to download next stage files is an activity we see a lot in trojanized applications:
There is a contact to URL of hxxps://pastebin.com/raw/rT66cTc6 and other suspicious locations:
One of the IP addresses that the sample contacts 104.18.21.226:
The following shows the relations between malicious files and the IP of 104.18.21.226:
Extracted IoCs as the following IoC connects to the Vitallia Trojan:
__IRCT:3″ “__IRTSS:0” “__IRSID:S-1-5-21-2052111302-484763869-725345543-1003
IRAOFF:1790722
An example of the connection between the above mentioned extracted IoC and the Vitallia trojan:
Executive Summary
The following is the general execution flow of the malware which will end up in our case installing an application dubbed as “takemyfiles.exe”:
The following is the message that will be presented at the end of the installation:
This will be accompanied by Google chrome and Bing configured as the default search engine for its adware operations of making money on ads.
There will be an option to upload files by right-clicking on them and uploading them to a remote server over an HTTP server.
Also, a VPN client dubbed MaskVPN will be deployed on victim clients to tunnel all the data through the attacker’s controlled attack infrastructure. Below is a screenshot of the MaskVPN client deployment:
And below is the VPN tunnel in action:
And a service-based persistence mechanism:
Malware Analysis
Stage 1 – Setup.exe
SHA-256 Hash: 58B15AA8D3B96E1A3FA318F7A862A61C4B5AD5C7887E46D65D60279ED9ECDCE4
The following is the “requestedExecutionLevel” of “requireAdministrator” in the first stage of Setup.exe:
The Setup.exe file, which is not packed is based on an installer dubbed as Setup Factory as can be seen below:
Link to the official website of Setup Factory: https://setupfactory.com/
Setup.exe drops irsetup.exe into a folder named with a predefined naming convention of _ir_sf_temp_[0-9] under %temp%:
Drops files irsetup.exe and lua5.1.dll and executes irsetup.exe using the ShellExecuteA function with the open parameter:
Stage 2 – irsetup.exe
SHA-256 Hash: B15D67B4A57184E5202DF3C25E20DC0B7F853F4D527D148B337138900989824A
The file of irsetup.exe is packed with UPX:
As can be seen in the following screenshot, the irsetup.exe file is indeed an obfuscated code with some loops without normal functions that IDA can identify:
Also, there is a very low rate of Windows API function which is yet another indicator of packing:
The unpacking in this case is made easy using the upx.exe -d option provided as part of the UPX packer:
After unpacking irsetup.exe, we can see normal sections, strings, imports, and overall normal functionality:
Note: The number of strings and a specific link found in this particular sample, leads to a company named IndigoRose which seems to somehow be connected with this file. Maybe because it’s connected to the Setup Factory package installer which is developed by IndigoRose:
hxxp://www.indigorose.com/route.php?pid=suf9buy
Other indications of IndigoRose corporation (seems like they are the frontend of the Adware spreading operation):
And more indicators:
This is how the malicious installer looks like:
When executing the irsetup.exe and clicking on the “Next >” button, information is enumerated from victim endpoints such as the system certificates as can be seen below:
Read of cookies:
Check of the “hosts” file under C:\Windows\System32\drivers\etc:
Furthermore, the malware checks in which country endpoint of the victim resides using ip-api.com:
Note: In our research, we needed to change our country using a VPN solution to get the last payload.
The executed irsetup.exe process drops and executes a randomly upper-case letter named file which in our case is OPHXPIJH.exe:
The following is the detection results after uploading the randomly named file to VirusTotal:
Relations of the file provided in the VirusTotal’s report:
Related files:
Link to the VT results:
The following is some drill-down to OPHXPIJH.exe (randomly named file).
The following is the subroutine of sub_401F88 which will contain the installer’s main functionality:
The operations of the above-mentioned function are comprised in the screenshot below:
Under the subroutine of sub_D618AE, the folder of the next irsetup.exe is created like in the previous stages:
After this function returns, the next stage will be executed under the subroutine of sub_401BAF:
After the return from the sub_401F88 subroutine and before OPHXPIJH.exe (randomly named file) is terminated, the Sleep() function is used to sleep for 10 seconds, then deletion of previously dropped files if exists and finally OPHXPIJH.exe is terminated:
The following are some registry enumerations regarding proxy settings done by OPHXPIJH.exe before terminating:
And finally, immediately after reading cookies, drops another stage of another file dubbed as irsetup.exe:
The second created stage of irsetup.exe followed with the lua5.1.dll file:
The second irsetup.exe enumerates system languages:
Fingerprinting MachineGUID:
Stage 3 – installerapp.exe
Hash: B945185DC04126878956EBC6246CB62391EDBA6E64D954F3F33CE767E74238E7
After executing the installer, the following processes are created:
Execution parameters of msiexec.exe:
“C:\Windows\system32\msiexec.exe” /i “C:\Users\Terminator\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager – Postback Johan.msi” /qn CAMPAIGN=1981 AI_SETUPEXEPATH=C:\Users\TERMIN~1\AppData\Local\Temp\installerapp.exe SETUPEXEDIR=C:\Users\TERMIN~1\AppData\Local\Temp\ EXE_CMD_LINE=”/exenoupdates /forcecleanup /wintime 1619345143 /qn CAMPAIGN=””1981“” ” CAMPAIGN=”1981“
Note: campaign number 1981 is used a lot. Seems the attackers divide their infections based on targeted Adware / Trojan campaigns.
Uploading the MSI file to VT gives the following results:
Notice that this MSI file is a very odd one and also has a Sigma rule matched to it although no security vendor detects it.
Also, connection to the downloaded driver file named INA9F89.tmp under the path %temp%:
Which has high relations to malicious files:
Eventually, crucial data is exfiltrated from the host machine over HTTP-TLS encrypted channel.
The Windows version is sent via an encrypted HTTP POST request:
Victim’s Windows operating system service pack level:
The physical memory space used in our machine:
And other interesting information such as the screen resolution, language pack, office, PowerShell versions, and more.
Based on the enumerated and exfiltrated information, the C2 of the attacker decides which payload to deliver the victim with as shown in the executive summary section.
To Summarize
This malware was seen a lot around 2017-2018 and now seems that the threat actor behind this malware tries to spread through infection vectors such as downloaded torrents. The malware employs several evasion techniques like packing, network encryption such as the use of VPN, and encrypting the exfiltrated data from victim machines with TLS encrypted packets to evade security systems like IDS / IPS, Firewall, Antivirus, and EDR systems.