$2 MILLION DOLLARS STOLEN in Bitcoin/Ethereum - JScript Malware Analysis

Captions
Hello everybody and welcome back. Welcome back to some OG, original John Hammond content, you know, where we kind of just do it live. We got the screen capture going on, we're all hanging out, we're having some good time doing nerdy computer stuff. So I'll hop over to my desktop here and I'll show you what we're looking at today. I'm in this directory called spicy, because this is a spicy one. It's a little bit of an onion. Let's check out what we got here: we have the original command that we're going to take a look at, and stage1.js.

Now you know me, right? When you see a .js extension you typically think, oh, that's JavaScript, and you would be right, sometimes. The thing is, if this is going to end up being malware, or if it's going to be some malicious code that ends up on an end user computer or victim target host and machine, that is typically going to end up running Windows. So Windows has its own interpreter, wscript.exe or cscript.exe, depending on whether or not you want it to be in a window or console (C script), and those will end up executing typically Visual Basic Script, or mshta would be used for like a hypertext application thing that Microsoft and Windows has, their own rendition of like an HTML language sort of thing. That was a horrible explanation, but JScript is the Microsoft dialect of JavaScript, and that uses some other functions and functionality that are kind of inherent to Windows. That's enough boilerplate, let's get into it.

We've got the stage1.js, and let's take a gander at what we've got in here. Now, this is a big file. It is JScript, and that's JavaScript, so it's gonna have JavaScript-like syntax. You can see a try statement here, and bringing me all the way to the very end, where I accidentally clicked on it. People keep yelling at me, "John, you gotta use word wrap," so here you go, this is what it looks like with word wrap on, with large, ginormous text, and if I were to set the syntax here to JavaScript in Sublime Text, the line is so long that it doesn't render it, or it doesn't recognize it and end up doing it. So obviously there is a lot of obfuscated JavaScript in this code that we can see, and it is all compressed to one line, minified, so we should end up beautifying this.

Now normally I tend to do this, and you've seen me do this in other videos, I kind of do this manually, and I use that as a means to understand and read the code as I'm going through it. A lot of people whine, complain, you know, they write in the comments (which is great, keep up the engagement, YouTube algorithm stuff), they say, "John, why don't you just go ahead and use a beautifier or some tool to be able to beautify things?" And I mean, you're right, you're totally right, you have a point. We can go use some online tool like an online JavaScript beautifier. I'm on beautifier.io right here, and we could just go ahead, paste the code in, slap it right there, and now it's beautified so we can kind of make sense of this. So I will copy this and I will go ahead and put that in a new file that we'll call, like, stage1-beautified.js. There we go, and now we have our syntax highlighting, it's all on different lines, it's not minified, it's not compressed, etc.

We have some random variable names and seemingly random, arbitrary base64-encoded comments, which aren't helpful, and I don't think these actually decode to literally anything. So I'll just dump that in there, I will pipe this to base64, trying to type the -d flag, and yeah, it's a lot of nonsense. So there's that. Let's get back to the code. It has this function r, it does some erase string things, etc., clamp, where's ook nib, right? We got zy2k, game6m, etc., some randomly named functions and some functionality to deal with strings, etc. But eventually we start to notice some encryption-like stuff, some cryptography things kind of in the mix. So reading through this and just kind of getting a general glance as to, all right, we are working with blocks, and there is, as we scroll down more and more, some functionality that will set like a block size and an IV, or an initialization vector, and the key length, etc. So there, I think, just kind of looking at this with my eyeballs, this is going to end up doing some form of encryption, very, very likely AES, or I guess the Advanced Encryption Standard is what that acronym is. So yeah, you can see key size, some hasher, some iterations; we have an algorithm that is going to end up using some different names. But notice all this, and it will kind of get things out in base64: key size, IV size, encryption and decryption modes, stream cipher, blah blah blah. We don't exactly need to dive through all of this, because when we get down to the very, very end we realize that there was some ginormous, humongous base64 in here.

Clever trick is that this base64 is reversed, or, you know, spelled out backwards. There's a telltale sign here: the equal signs that you normally use to identify base64 are typically at the very end of the random assortment of capital letters and numbers and lowercase letters, etc. In this case it's kind of at the front. You still see the forward slash, you still see the plus, you still see more and more things that will kind of indicate, okay, this is very likely base64, it's using that same character set. Now if I were to scroll all the way down to the very, very end, you'll notice there is a lot of base64 there. Again, I'll turn on word wrap and you can see the sidebar here; that's a lot of base64.
So eventually we get to the end and we do something peculiar. Let me turn off word wrap so we can kind of make sense of this linearly here. We create all of that base64 inside some wrapped function that apparently splits it on nothing, reverses it (kind of as we said, that base64 is backwards), and joins it all together. I think it has to do this because it probably has the reverse function in the functionality for like an array or list, not simply a string. So there's that, and then, after it's created this variable, it passes it to this ga5gmngzfalycn, with other stuff in it, using this function, I'm assuming, to end up decrypting it or doing whatever it needs to do.

And that's actually an interesting thing. If we were to kind of tinker with this, I will show you. Let me nerf out this line, because this function, that ga5g blah blah blah, is going to end up essentially being eval. It's essentially going to run code that's passed to it as if it were a string. You can see that right in the function definition: it takes in the argument, but the argument is going to end up being cast to its own function and then called and executed. So we know that we're gonna end up having more JScript or JavaScript coming from this. We don't want that to detonate, so we aren't going to actually let that run. I think that's a good idea, right? I am of course in a virtual machine, I am of course behind a proxy and a virtual private network, and we're being safe, guys, don't you worry about me, I'm okay.

So let's try and display out, and I'll use Node to go ahead and execute this. I'll display out the contents of this variable, doing nothing else, right, trusting that there's nothing else in this code here, but we've done our analysis. So now we have this stage1-beautified, and I guess we should kind of rename that to, like, our testing playground. But if I were to use Node.js to run that, you get all of this: more base64, right, a lot of base64. Now is this the base64 that we saw present in this original string, that code that we saw that was kind of reversed? We can take a look, and I see that, yes, so it's corrected it, that's the base64. If we were to try and, I guess, decode this, what do we get? I'm running a base64 -d command right there. Non-printable characters, right? Because, hey, we have this understanding that this is encrypted, or something is done with it. Let's actually redirect that out to a something file, and that tells me, oh, this is OpenSSL-encrypted with a salted password, and you can verify that by just taking a look at that file, and you can see the "salted" kind of header here, the signature right at the very, very start of that file, telling us, yeah, it is in fact OpenSSL-encrypted data.

So what does this code do that decodes it, or decrypts it, and then executes it? Because of this, I'll call this gag5 even though that's not what it's called, but this gag5 function uses the function calls that it's already defined, with this variable of all that base64 included. But it does finally do something specific to JScript, it does finally do something specific to the Windows realm and that operating system, because we're going to end up using the WScript object and checking out the arguments that are present. Now I could hop over to a... I think I have a Windows virtual machine here. I'll drag that guy over, and I clicked on Ubuntu like a dummy. Let's fire up that Windows 10 virtual machine, hopefully it doesn't take too long, and I can explain and show you that WScript.Arguments(0) is exactly what you think it's going to end up being: a list of arguments that are supplied to this program, and it, you know, will do something with that specific argument. If we wanted to examine what came out of this, or what the code ended up being, we kind of need to figure out, okay, what is that? Because that may very well be the key to decrypting this code. Now let's take that line, I'll comment that out here again, and I'll do a console.log for all of that, with this again completely useless comment, removing some of the parentheses here and making sure that we don't actually execute it with this function that we know is eval, that we know is execute. So let's nerf that out, remove one of those parentheses here.

The problem is, because I'm testing this in Ubuntu, because I'm testing this in Linux, it doesn't know what WScript is. Node.js, that interpreter that I was using to run and execute this JavaScript/JScript code, doesn't know what that is. So if I were to try and go ahead and run our Node.js with our stage1-beautified, it doesn't do anything, and it caught me off guard for a second, because this is all inside of a try/catch statement. If we were to modify this and do a little console.log("oof we errored") (I like all those suggested, absolutely nonsense variable names), and then we could console.log out the e variable, or the error itself, it will tell us, "we errored," and it doesn't know what WScript is. Fair enough, that's totally understandable, that's totally cool.

So if we were to go do this in Windows: log in with a little password here, awkward silence because I was like, oh, let's just randomly do this demonstration. It'll get the point across, trust me. I'm sure you believe me at this point that it is going to end up being the argument that's supplied, but I'll pause the video and let this thing go so I can show that. Oh geez, come on, Cortana, get out of here. Whatever. I have already kind of tinkered with this a little bit, so I have this testing.js, and if I were to delete this so that I can show you it from the real, real view: let's do a testing... okay, kind of remove my focus there... testing.js, creating an empty file. Let's edit it with Notepad, and let's do a WScript.Echo to display out WScript.Arguments(0). If I were to try and just click on this and run it, it'll error because of "subscript out of range"; there weren't any arguments that were passed along to it. So
let's open up Command Prompt, and I will hop over to my desktop where I created that file, and I will use wscript.exe to call that testing.js. Again you'll see "subscript out of range." Now this is what I was kind of discussing, where you use wscript versus cscript: wscript creates that window, while cscript displays it out in the console, and it has that error. So let's actually supply an argument here. We'll do a "please subscribe," and now that displays that, just like that. wscript, of course, you can see it as the window.

So we need to know what was the argument that was supplied to this malicious code, to this JavaScript/JScript file, and remember we have our good friendly original.cmd, where we kept track of the original command prompt that ran this. So this calls wscript.exe and it's using the //E flag to specify the language that it's going to end up using. And if we take a look at the help file for wscript, you can see that, hey, that's actually something that you can use. We'll do a /? and "//E:engine: use engine for executing script," and you can specify the specific one. I'll do that with cscript so it's a little bit more visual: "engine: use engine for executing script." It could be either cscript or wscript.exe as the interpreter, but the engine will be kind of the programming language to interpret and run this from, so JScript in our case. Back to that original command: we'll run JScript to run this file, which is interestingly enough called "Adobe Color CR Extra Settings 1 0 MUL dot zip." It was originally trying to, you know, fool us with the facade and the deception, masquerading as a zip file. It is not an archive file, it's not. So wscript.exe //E, key, hhz rtsm, etc., this thing is the argument. If we were to take this original command, go back to kind of our Windows playground, and if I were to run this, you can see that it errors and my newlines are getting in the way. So let's not do that and let's get back to it. Clear the screen, paste this all in. Now we're going to end up using wscript //E:jscript testing.js with that argument supplied. You can see it pops out this full string, wscript.exe etc. Again, if we were to do that with cscript, it will display it just out on the console, but it totally knows how to do that.

So there's our key. That is what we need to go ahead and replace inside of our little beautified code here, rather than using WScript.Arguments(0). So let's nerf that and just replace it with that string that we know it's going to be. Now, trying to run this with Node.js, it should behave and give us something new. Let's go ahead and find out. I'll run Node.js on, what the heck did we call this, stage1-beautified. Crank. Now we have more code, now we have more seemingly base64, etc., a lot of nonsense. Let's just kind of redirect that out to a new file, we will call it stage2.js, and let's open that up. And it is the exact same sort of structure, of course all compressed and minified, so let's bring this to our good friend beautifier.io, slap that in, grab the beautified code and create a new file where we call this stage2-beautified.js. Okay, there we go.

Now if you notice, this is the exact same functionality, this is the exact same structure and setup, with some different variable names here, different randomness for those things that it tries to kind of hide and obfuscate, but at the end of the day it's all the exact same code. Again using some base64 encryption... encoding, not encryption, but AES, or some encryption type that will kind of hide and bundle up this file. Turns out, if we go all the way to the very, very end of the file, kind of as we did previously, check it out: the exact same setup, where we have a new function that's going to act as our eval to execute the code, and the reversed base64. So let's do the exact same thing again, where we will not execute this but we will display it out on the screen, and rather than WScript.Arguments(0) we're going to end up using our original command key, which we have all the way over here. Slap that in, and now we can execute this. So I pivoted to Windows when I didn't need to; we want to get back to our console in Linux. Let's run Node.js on our stage2-beautified.js. Here we go again, redirecting this out to a stage3.js. I'm sure you can kind of get the picture here: we are once again going to have the very same obfuscated code that we will de-obfuscate and find it is again going to be the exact same structure. Windows, get out of here, I want to stay in Linux, please. Let's call this stage3-beautified.js, and yes, you know what's coming, it is once again the very, very same setup and structure. Let's nerf this line, clean it, display it out onto the screen, and correct the WScript.Arguments.

Now at this point you might be thinking, and I was thinking, like, oh, this is going to be some neat, neato little matryoshka doll, right? How many layers of this are we gonna have to peel back before we get to something else interesting or worthwhile? And I thought, hey, at this point we should probably start to script this out. We should probably start to figure out something that could do this on the fly, no matter how many layers there were; it would be able to drill down and carve all these out. If I run this, though, we finally have different output. So I'm like, hmm, are we maybe on to something? Are we doing something new here? So I redirected this to stage4.js, and now we're at stage 4, again compressed, minified, all on one line. Poop it into our little beautifier here. Now we have new syntax and structure, which we should be excited to see. We'll call that stage4-beautified.js, and now we have this, right, a little stub, kind of tiny little thing here. But of course this should stick out like a
sore thumb. We have a new function being defined where we take in the arguments, consider it to be code, wrap a function around it, and then execute it. This is yet again another eval setup, and this function is seemingly called, but it has some comments all the way over here. In fact there's more comments added to it, other comments that kind of get in the way. So at that point I'm like, all right, we need to get rid of all these nonsense comments. The way that we can do that is, of course, some regular expressions find-and-replace magic in Sublime Text. You can see I just used a forward slash and then an asterisk; we'll have to escape that out with a backslash to note we literally want to interpret that. Then we'll use the dot star to glob everything, and we'll make that lazy, right, so add the question mark so it doesn't eat the entire line that happens to be starting with the forward slash star, just the portion, the minimal amount that it can get. Then we'll have again another literal star, backslash there, and a closing forward slash. So replace those all with nothing. Now we no longer have that garbage kind of getting in the way of the code that we're trying to run, even though this is already garbage code, right?

So eval, function calling more code, with another eval function building it out from a character code, from all of these ASCII values that will represent characters that we need to go figure out what they might be. Let's nerf those so this doesn't again detonate, but just display this out. So we'll grab that String.fromCharCode sequence and of course toss that into console.log so we can figure out what is supposed to come from this. Again, that line is way too long, so Sublime Text doesn't register and add in the syntax highlighting, but that's okay, we can trust it, we can know. And what was that, was that stage4-beautified? Yeah, so let's Node.js stage4-beautified, and we have this again. Again! So let's redirect that to stage5.js, let's open that bad boy up, and now we have this thing. So let's once more give this to beautifier. We should really get to a point where we can automate this. I'd love to kind of build out some kind of tool that could do this sort of thing. What is it, stage 5 now? Yeah, stage5-beautified. Maybe, like, take Katana, take our kind of original engine, and change it up to beautify things or de-obfuscate and reverse things, like languages like this. But it might need, like, some abstract syntax tree and other things that I just haven't kind of made the time to particularly do yet. You know, life, everything kind of gets in the way.

So now we have new functionality. This is not the exact same, identical code that we saw previously. It is, however, still doing things with strings. I'm going to assume, looking at this, that it's doing some interesting, like, custom base64 encoding, just like with the language that it defines inside of this code. I thought that was kind of neat. So it could encrypt or encode, right, some base64 functionality, and scrolling down we have other convenience functions or other helpers to encode and decode UTF-8. But eventually we get to a legitimate eval, we get a straight-up eval function. Cool, that's all good, that's all fine and dandy, but we have all these nonsense variables, replacing, I'm assuming, what's going to end up being... yeah, they're faking padding by having extra crap in here: equal signs to replace that out, equal signs to replace that out, and all of this will then go into eval after this function handles all of this base64. So we know what to do, we know the procedure. Let's just let the code kind of de-obfuscate, reverse, unravel this all on its own, and let's see what it comes up with. So back to our Linux shell. Let's once again run Node.js on stage5-beautified (I called that "beautifier" or "rhythm beautified," whatever), and let's bring that to stage6.js. Here we go. You might notice that this now becomes seemingly readable, somewhat, code, and you're totally right. I think at this point we've made it to the end. I was going to call that a PowerShell script, my bad, stage6.js... oh, beautified, beautified, beautified, not beautifiered but beautified, there we go. Okay, and here we are, I'm assuming at the final layer, the final piece of the onion here.

So we define some ActiveX objects so we can do Windows-specific stuff: WScript.Shell, Scripting.FileSystemObject, a split or maybe a delimiter character to note backslashes, and then verss, which displays "backend soft 1.0.1.9", and getserial, which looks like a function that will probably be defined later. startup is a function that will grab the environment variable APPDATA and add in, okay, the rest of the path to get to the Startup folder; same thing for ALLUSERSPROFILE. That's kind of handy; this will likely end up creating persistence. It determines the temporary directory, desktop, app data, and then it knows this full script name, so let's... this ScriptFullName and then this ScriptName, there we go. udex is kind of declared, delay set to 20, powershell for PowerShell, batch file, vbsf, pss (I haven't actually seen that extension before, I'm not a thousand percent positive what that might be), lk for, of course, a startup file, and then modinisks is a function that we end up calling. That's all in a try statement, and then if we catch, we fail, okay, we don't bother. But then we do continue with a little do statement, likely a do-while, where we try to send something with a sendhttp, and we get some commands seemingly from that, where we split up those things. It looks like ex will evaluate and actually execute more JScript or JavaScript code; cmd, as some of these command messages that this might end up using, will go ahead and run a command, like with WScript.Shell, it'll execute a program; d, this script name, probably would have been wn; so download exe, I'm going to assume dwnl, download exe, it will downfile, which probably is another function that's
going to end up being called, adding that into the temporary directory and then having cmd.exe start that. Oh man, we really butchered it, we really nerfed this when I ended up typing dw wn with the script name. My bad. Oh geez, it's everywhere, why did we do this? Let's replace this script name with wn, we'll fix it up. Only, rather than executing it, it will still save it, whether you want it in the temporary directory or the desktop, etc. If it's an exe, then downfile, and it will run it, which is interesting. selfremove, unmonksec, another function that we'll end up finding here. updates, maybe update script, because it looks like it will download something and overwrite itself, or the path to this potentially, or just get a new script and update and run that. And then we have a funcret functionality that's called; let's go see what that is.

But before we get down to it, we do have this sendhttp function, which has the syntax and boilerplate code to be able to send web requests within JScript or JavaScript. We're going to end up using Microsoft.XMLHTTP, and we call out to this bad boy: api backend.com 8880 /connect. Ooh, okay, a little indicator of compromise there, something fun we can play with and poke at later. We add in our user agent from a getuseragent little method or function here, adding the X header for vn. And it looks like the getuseragent function checks if, like, vbc exists. Is this the Visual Basic compiler? Yeah, Visual Basic command line compiler, so if you have a .NET Framework that will very, very likely end up being on your machine. And it checks whether or not it's NT, with that. Makes sense. And then we gather more information like the computer name, the username, and then getsystem, getosversion, getantiv (I'm assuming antivirus, neat), getenv (of course we'll get an environment variable), getserial (we'll get the serial number for each hard drive), getsystem (we'll get the operating system name, or the caption here, using WMI, the Windows Management Instrumentation), same thing with the OS version, and enav... I'm not positive what that is. enav, enabled, disabled. Is that get enabled AV, maybe? I think that makes sense, get enabled AV, because Defender could be in those couple different states.

But this function, I think, is neat: funcret. It has this mizu variable, this etho variable, and bch variable. It creates an HTML file object where it grabs the text from clipboard data and replaces stuff out of it, and then pat, t, looks like it's looking for a pattern, right, a regular expressions pattern. It tests if inside the clipboard data there's that pattern. If it does, hey, are we looking for results of et, or pat bch? That looks for Bitcoin Cash, bch reg, or bch test. If it finds these results, it will sendclib based off of these variable names. Now you can probably already determine: that's a Bitcoin address, that's an Ethereum address. And if it's working with the clipboard, is this trying to do some, like, crypto hijacking? Is it going to replace and modify, hey, if you were to end up pasting in, or if you had Bitcoin-like addresses in your clipboard, would it go ahead and replace them with this bad actor's, with this hacker's and this threat actor's here? Are they trying to swipe and steal and snarf Bitcoin and cryptocurrency, and these are the addresses? Like, right, kind of cool, kind of crazy.

sendclib, this next function, literally does that. It will check the operating system with getsystem, it will check if Windows 10 is present, if Windows 10 is present inside of that string, or, excuse me, if it's not present, I believe. I think that's right, I'm not exactly positive. When I use clip on my Windows VM, it does deal with the clipboard. It'll run PowerShell with scb, which I think is Set-Clipboard, to whatever is passed in, being one of these addresses, or it'll pipe it and hide it into clip. So let me show you that. If I were to echo out "hello please subscribe" and pipe it into clip, there we go, if I right-click to paste, that we've just modified the clipboard contents, and that's how you can do it, guys, programmatically, from the command line with those commands. Nice.

It has a convenience function to get a hexadecimal string, continues to look for antivirus products with, again, WMI, looking for instances of AntiVirusProduct, carving all of these out, adding them into what it will end up using inside of that user agent thing that it calls back to the C2 server with. And this modinisks, or whatever, looks like it's setting up the persistence here. It adds in the app data with the file name of this script, as we know that wn variable is, and it has some other functionality here checking for, like, Visual Basic here, but this is commented out. I'm not a thousand percent positive why, but you can see that code, and it again basically just calls and runs itself and then cleans itself up, removing that WShell object. So persistence, right: if that file doesn't exist, it sleeps for a little bit of time and then copies that in to add it into that directory within app data for your user. Same thing with the shortcut: if it doesn't exist already, it will add in its own persistence. oldmodinisks, again, a PowerShell script using the same kind of startup as previously. cleanstring looks like it replaces a literal backslash with something; we noticed how it was using kind of the backslash for the delimiter when it was calling back with the user agent to the C2 server. And then unmonksec, as we saw, was going to end up being used if this would have, like, a remove-self command. So this is like the kill switch, right? This is like deleting everything and cleaning up its tracks, trying to remove its fingerprints by deleting (del, that command) this script out of app data, deleting the .lnk file, the shortcut file, and the ScriptFullName and the Visual Basic script file, etc. We do of course have downfile as another function that's going to end up using some PowerShell syntax to
download files. It uses redirects, which is neat; maybe we can do that and know that when we're taking a look at that endpoint or the HTTP. We download a file based off of what's passed in, and we wait. createfile, another convenience function to actually write this out to a file. createshortcut, this is peculiar, because you can literally see it checking... it's the antivirus stuff: hey, is Avast enabled, is it Antivirus, Internet Security, AVG, how many do we have in here, AVG Internet Security, more Avast, more Avast, and that's kind of it. But Windows Defender is also checked, which is peculiar. And then I mentioned, hey, mshta, or the engine and interpreter on Windows to be able to interpret and execute HTA files, this syntax is again set up in here, creating the shortcut, adding its persistence, doing and creating all the breadcrumbs that we already saw. You can literally see the key again that would have encrypted and decrypted this code and all those layers, and that rabbit hole that we went down of different stages and payloads. Kind of neat, I like that. It literally grabs an icon, it grabs the shell32 DLL to grab an icon out of it, closes it and saves it, very crazy, and then runs it, right, or else running this code, running that shortcut. Boom.

That's it. Not a ton to this thing. Like, we went through that in a couple minutes, and maybe it's under 300 lines, but it hides itself with a hidefile, trying to set the attributes to hidden, and that's the end of that line. But I think the craziness here, obviously: command and control, right, obviously a RAT, a trojan, where, hey, it can run and execute commands based off of, like, a cmd.exe or Command Prompt command, or more JScript code. And I just am blown away by this crypto coin stealing technique, that little crypto jacking.

So if we google around for this, where is this found or seen? Is this modinisks, or kind of these other function names, are these things that are well known? Malwarebytes has an ad for me, looks like Hybrid Analysis has seen this before. cc.vbs, so they saw the Visual Basic Script rendition. Tries to hide WMI queries... not positive about all of those. What else is in the analysis? Okay, that has... oh, that it has all of the functionality for deleting itself, right, or was able to pick up on that and catch that. Oh, and there's more. Okay, there's a heck of a lot more. Yeah, the Visual Basic remediation might be kind of interesting. What else is in here? Cyber Threat Report, TG Soft, Cyber Threat Report, January 2021. Oh, this is in a language that I do not speak, truthfully. ViperSoftX RAT. Oh, but this is like the exact same code, the obfuscated portion of it, right? Yeah, like it craps on a base64, or those random comments in there. Oh, and it goes through different layers of obfuscation, right: original obfuscation, layer two, layer three, layer four, layer five... they had eight. Do they have a different sample? I think... I don't know. So they carved this thing out, which... oh, this has the exact same setup: shell, file system, var spl, var ch, but their verss says ViperSoftX, when ours says "backend soft." Yeah, so once they beautify the code, yeah, same look as what ours is, but they have the ViperSoftX. So is that verss like a legitimate version string? Yeah, there's the same modinisks thing, control, command and control with a do-while loop, funcret. Oh, totally, this absolutely has to be, and it sends Bitcoin and Ethereum via infected clipboard. Yeah, delay with the weird capital L, the same sort of command functionality, sendhttp. This callback server is seco.vipers.pw:8880 /connect, just like we saw. That's out of France. We can go explore the address that we have with the clean structure. All of this looks the very, very same. It's just like a different version, a different rendition to it, all the same code, straight up exact same code, but it captures the Bitcoin or Ethereum. That's craziness.

Oh, they have different addresses. Do they? Bitcoin one, prmm, et cetera. What does ours look like? cret... let's get back to that function. Yeah, those are different addresses. Oh, finding some bad guys in action. And is this like a full code? No, there's a conclusion here and other stuff. Okay, oh, Twitter, what do we got here? Sorry, light mode, everybody, cover your eyes, you stinking vampires. "Full malware analysis of ViperSoftX and VJW0rm buren, with de-obfuscated code, traffic and samples for your detection pleasure." Hello, what else is in this? Pure DNS references, nothing else for that. Is ViperSoftX like a known thing? Oh yeah, Fortinet has some stuff out: JScript malware, obfuscated ViperSoftX variant, LNK file, C2, that same domain we saw earlier, commands: ex for eval, command, download exe... wait, wait, what is the... self-remove, uninstall itself, that's funny. Ooh, some kind of C&C running up at api backend app, behind Cloudflare, no less. It looks like a variant of ViperSoftX, now using the user agent "backend soft," different version number, but the same version string, backend. Fusek noob, what did you see? March 10th; this is April 5th at the time of recording. What did you see? Who are you? I gotta comment on this, I gotta be like, "yo dude, yo, we got the same stuff, bro." Go fish trading card game, trading malware game. I want to look at this Fortinet article because Fortinet's gotta have good stuff. Yeah, except the cookies, whatever. "Recently, FortiGuard Labs, leveraging the EDR endpoint protection, detected and blocked a new, highly sophisticated malware in a large environment. This newly discovered JavaScript-based remote access trojan and cryptocurrency stealer, due to a hard-coded string used by its creator, became notably active towards the end of 2019 and remains at the time of writing." Well, look, we're seeing it in April with backend soft, whatever the heck was this called, backend
soft not viper soft in this case viper soft unravels eight layers of code obfuscation before executing its actual payload yup i saw the same uh not exactly eight in my case maybe there are three different types of obfuscation techniques being being employed aes decryption yep only used in the first layer though we saw it through a couple other iterations converting character arrays we saw that utf decoding most recurring de-obfuscation layer persistence yep adds itself to app data as we saw rat functionality tries to go to that domain slash connect just like we saw and it adds everything that we saw as part of the user agent and x header gotcha breakdown of the function names output of the commands are not returned by the server uh interesting note the x command indicates a malware author and we continue adding additional javascript based payloads the developer feels more comfortable using javascript as his go-to programming language is that so i'm kidding all you javascript fanboys you know you you know you have a special place you know there's a special place in hell for you replacing crypto wallets yeah it then checks to see if the concept matches either to regex patterns that match either a bitcoin or ethereum address in case of a match and if the address are different from the address is hard-coded it sets the clipboard data to its own addresses that's literally like crypto dragon click jacking that's so cool it's obviously evil and horrific but so cool changing clipboard data is done based on the operating system version yep windows 10 uses powershell otherwise it runs the old school command okay um after examining these bitcoin ethereum addresses hardcoded in the malware oh that's a good idea the current total sum of all the above mentioned stands at 32 000 u.s dollars well this is not a significant amount and this is only the one campaign of the newly discovered threat which is only operated for a short while and may only be to start a bigger more 
successful campaigns oh wow ethereum graphs conclusions yeah functionality is rather simple but it is stealing money like real money i mean cryptocurrency so c2 domains bitcoin address ethereum address and those are different but they're the same as the one that we saw in the other article um what are ours uh let's use the bitcoin address is there a way to like look up a bitcoin address lookup yeah is that a thing i am not by any means like a cryptocurrency guy i'm not a i haven't uh bought into the bitcoin yet um oh wow this address has transacted eight times in the bitcoin cash blockchain it has received a total of 72 bitcoin 44 000 ladies and gentlemen okay oh wow uh all you criminals out there oh wait these transactions are like 2020 december december 2020 december 2020. so this has to be like a new address and obviously it might be different because it's it's not viper soft x it's back end soft but uh forty four thousand dollars it's not it's not nothing to scoff at you know i wouldn't kick that off the table if it were me uh ethereum address lookup is that a thing slap that in get that in there oh zoomed in a little too much sorry sorry eight aetherium seventeen thousand dollars okay um what are we doing on youtube guys what are we doing over here why are we i'm just kidding i'm just kidding i am not advocating or insinuating any change of career to to this i don't know what this mizu one is i i gotta be honest mizu is that a cryptocurrency is that a thing uh stimulus checks mizuho j coin j coin mizu if i just slap the address in do people note it is cryptocurrency i'm cool if i google cryptocurrency i'm automatically cool uh that is not the address that i typed but then it has it there btc sniffer click on that click on that take me there uh where am i the address that you're checking is this yep okay so that is the right address but again obviously you can kind of tell i don't exactly know what i'm doing so bitcoin receives stuff xp.org that looks like the 
same link eat my cookies i'm sorry that was uncalled for this address has been sent to 85 times and spent 94 times leaving negative nine outputs unspent little graph here report bad hmm might have to do that not gonna lie stop the bad guys from being bad um i don't know what else to pour into this oh the vj worm though i'd like to see and i want to know about our little uh whatever the noob guy was cerberus guardian of malware hell cool that's a great that's incredible name i actually give you props for that uh looks like he wrote about it back in february wait of last year oh with the responses that we saw last year where is our full segment it was last year oh no so this is still kicking back in soft is still up in action but um there's a little bit of research already out about this looks like fire or fortiguard has some great stuff on it um it is kicking around in hybrid analysis and i think like a joe's sandbox like if i look for funk cret is that getting the other hits um more of his twitter posts that's it lame-o okay um let's let's let's take a look at our good friend api.backendapp.com on port 88 this thing is he still you know doing business is he is he still open are you guys working overtime oh it responded all right what are the headers that you come back with i thought it had mentioned yeah yeah x powered by express so node node.js well javascript kind of back end um sus now if i go to connect what do we got it it doesn't return anything but it didn't give me that error help cannot get help is there anything we could like we could we could tinker with this um let's let's try that connect with the put because it did put something uh what if i tried that username i could make it like real real messy and add in the username but useragent is going to be getuseragent based off of this thing um let's add in that string and see if he behaves a will add in a user agent for me yeah oh gosh capital a that guy there still does not respond i'm not adding all of 
the code in there like all the things that it would have exfiltrated or like tracked down but it still like doesn't return anything okay um how how uh how well is this thing known like if i go to virus total and try to kick this in there what do you got let's choose a file let's get our spicy original stage one from the very very beginning one security vendor flag this is malicious okay looks like back in august of 2020 yep adobe color cr extra settings one multiple the exact same little zip masquerading thing that we saw eset picked it up though eset dude he said esa's always a hard hitter in this game if we drill down to the stage six on its own does that light up a little bit more please like people should know uh i gotta look into that vj worm though or whatever whatever it said it called uh eset's got it on the money nano antivirus i don't think i'm not i'm not familiar with them i'll be honest where's my boy defender where's windows defender where's where's microsoft defender are you with me let me just squeeze right by power to the people give them their free antivirus engines um defender is a formidable flow now everybody defeater defender defender defender bit defender oh no it has it hasn't gone through windows defender yet it's still going ah i've been talking for 50 seconds trying to cover you virus total your the people are going to fall asleep oh holy crap i'm gonna pause the video and let this thing stinking finish i'm sorry he's gotta be oh my gosh okay it finished ah two two security vendors flagged this as malicious so uh we could we could we could do some work we could uh try and amp this up spread the word everybody pump the stock trying to try and showcase this video where we're diving into back-end soft which looks like an either a new rendition uh this new this version number is is higher than the one that we saw on twitter back in march 2020 but uh obviously this is going through a certain amount of material nested onion payloads uh working 
through all those different little launchers and stages to eventually get to this which is very very clearly little rat commanding control server and crypto coin stealer and hey now you know the addresses so uh look out for those and make sure that those don't make their way into your ledger or or whatever i don't know i don't know bitcoin words and stuff but uh that's that i think we we had a lot of fun in this i hope i hope you had fun i know i had fun there was uh i i thought it was very very cool to literally see the functionality for swiping and like slight a hand switching up bitcoin addresses because that is something i've heard of right obviously in conversations and in theory but like doing this kind of through the clipboard is is again neat but scary and uh hey it can be done right and that's that's the danger and that sort of thing the thing about cryptocurrency is that like once you send something once you make a payment it's gone it's it's forever replenished or it is it has been sent out into the ether no no pun intended or the void so but who am i who am i what am i saying i don't know anything about cryptocurrency so whatever i'm kidding i i like to think that i'm a little professional i hope but that's beautifier really handy you're totally right you can use it when you want to do your own little obfuscation you don't want to exactly go through it all by hand because obviously checking out stage1.js manually would have sucked so good to automate that and maybe we can have some fun with some tooling and sort of thing but i hope you had fun in this video i've been talking for way too long and we should probably tune out so thank you so much i hope you enjoyed this video hope we still had some fun energy and we were having a good time here with some uh little malware vipersoft x redux 2.0 remix uh for back end soft so uh thanks so much for watching everybody if you enjoyed this video please do all those youtube algorithm things i would love to see you 
like the video please please please thank you i would love to see you leave a comment let me know what you think let me know uh what you thought of this now or if you've ever seen anything like this if you have malware of your own or some peculiar shady code you'd like to send along i have repeatedly said it and i will continue to say it please send me malware like please please and it's going to be on my tombstone it's my yearbook quote please send me malware i have fun with this and it helps grow the youtube content farm and hit the bell subscribe i would be super duper grateful i'd love to see you kind of keep track of the content and thanks so much thanks so much everybody thanks so much for watching i love you i'll see you in the next video take care [Music] with [Music] with
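The clipboard swap the video walks through (regex-match a bitcoin or ethereum address on the clipboard, then overwrite it with the attacker's own) can be spotted from the defender's side by its signature. The JavaScript below is an added example, not code from the video, from the Fortinet write-up, or from the malware: it classifies a chronological series of clipboard snapshots and flags the case where one address is replaced by a different address of the same kind almost immediately. The address regexes, sample addresses, timings and the two-second window are constructed assumptions for the demo.

```javascript
// Added example (not from the video or the malware): flag the clipboard
// address-swap signature in a recorded series of clipboard snapshots.
// The regexes are constructed approximations, not full address validators:
// base58 legacy/P2SH bitcoin (1... or 3...), bech32 bitcoin (bc1...), 20-byte hex ethereum.
const BTC_RE = /^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})$/;
const ETH_RE = /^0x[0-9a-fA-F]{40}$/;

// Return 'btc', 'eth', or null for one clipboard string.
function classifyAddress(text) {
  const s = text.trim();
  if (BTC_RE.test(s)) return 'btc';
  if (ETH_RE.test(s)) return 'eth';
  return null;
}

// snapshots: chronological [{ t: seconds, text }] of what the clipboard held.
// An alert fires when two consecutive snapshots hold different addresses of the
// same kind within windowSeconds: a person rarely copies two distinct addresses
// that fast, while a clipper rewrites the clipboard within its polling interval.
function detectClipboardSwaps(snapshots, windowSeconds = 2) {
  const alerts = [];
  for (let i = 1; i < snapshots.length; i++) {
    const prev = snapshots[i - 1];
    const cur = snapshots[i];
    const kind = classifyAddress(prev.text);
    if (kind === null || classifyAddress(cur.text) !== kind) continue;
    if (prev.text.trim() === cur.text.trim()) continue;
    if (cur.t - prev.t > windowSeconds) continue;
    alerts.push({ kind, original: prev.text.trim(), replacement: cur.text.trim(), at: cur.t });
  }
  return alerts;
}

// Constructed clipboard history: the user copies a BTC address and it is
// silently replaced half a second later; later two ETH addresses are copied
// 40 seconds apart, which is ordinary use and must not alert.
const SAMPLE_SNAPSHOTS = [
  { t: 0.0, text: 'some unrelated text' },
  { t: 10.0, text: '1ConstructedBtcAddrForDemo7KsVtWqN' },
  { t: 10.5, text: '3AttackerSwapDemoAddrConstructedXyz' },
  { t: 60.0, text: '0xa1b2c3d4e5f60718293a4b5c6d7e8f9012345678' },
  { t: 100.0, text: '0xdeadbeef' + '0'.repeat(32) },
];

// Run the detector over the constructed history; returns one BTC swap alert.
function demo() {
  return detectClipboardSwaps(SAMPLE_SNAPSHOTS);
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real monitor the snapshots would come from polling the clipboard; the heuristic is deliberately narrow so that a user who copies two addresses minutes apart is not flagged.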
Info
Channel: John Hammond
Views: 137,056
Id: k-nFdF5FEwA
Length: 59min 28sec (3568 seconds)
Published: Tue Apr 06 2021