Malware that are being distributed disguised as cracks are evolving.
In the past, malware was simply distributed as the executable itself. However, there was a gradual shift towards also including normal files within a compressed file. More recently, there was a sample where a normal installer was downloaded and executed.
If the malware is executed in an ordinary user environment, the encrypted malware file is downloaded from the threat actor’s server and executed. The malware in this instance is the RecordBreaker (Raccoon Stealer V2) Infostealer.
However, in a virtual environment, a .NET update installer is downloaded from the official Microsoft website instead of the malware. After the installer is downloaded, it is then executed and terminated. The following windows may be displayed depending on the installation status of .NET Framework.
Figure 1. Upon executing .NET installerThus, it is highly likely that this file will be categorized as being normal when in analysis environments like sandboxes. It can be seen that the .NET installer has been executed after bypassing the sandboxes of VirusTotal.
Figure 2. Analysis information from VirusTotalThe compressed file that is being distributed is managing to deceive users since it also has several normal files and folders compressed inside of it. The figure below shows the files that are created after decompressing the RAR file that was downloaded from the distribution page. Only the “setup.exe” file is the malware while the rest are commonly used files unrelated to the malware.
Figure 3. Malware folderThis particular sample differs from previously distributed malware as it was written in Rust. Furthermore, the file size was not bloated in this distribution, with its size of about 20 to 50 MB. Compared to the previous samples where the file was bloated up to 3 GB, this is much smaller in size.
Additionally, several analysis disruption techniques were applied. The following is a list of the features that have been identified, most of which involve virtual environment detection.
- Scan debugging status
- Scan for strings related to virtual environment in the memory
- Scan PC and user name
- Scan for driver (.sys) related to virtual environment
- Scan file/folder name
- Scan running processes
- System information (Disk size, process information, memory size, etc.)
Figure 4. Anti-VM string
Figure 5. Anti-Sandbox stringIf not in a virtual environment, a PowerShell command is used to delay the execution before an encrypted malware file is ultimately downloaded from the C2.
| “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANQA= |
| -enc Start-Sleep -s 5 |
C2 : http://89.185.85[.]117/bmlupdate.exe
The file downloaded from the C2 is encrypted with XOR and the key is “Fm6L4G49fGoTN5Qg9vkEqN4THHncGzXRwaaSuzg2PZ8BXqnBHyx9Ppk2oDB3UEcY”.
The downloaded file is decrypted and an injection is carried out after the normal process (addinprocess32.exe) is executed. The decrypted file is the RecordStealer malware and it does not employ any separate packing techniques. However, the code section of the malware contains a significant number of unnecessary API call codes to obstruct analysis.
MD5: 9fed0b55798d1ffd9b44820b3fec080c (Infostealer/Win.RecordStealer, 2023.06.02.03)
Figure 6. (Left) Encrypted binary (Right) Decrypted binary
Figure 7. Unnecessary API call codesIf a virtual environment is detected during the above scan process, a normal .NET installer is downloaded from the following address and executed.
hxxps://download,visualstudio,microsoft[,]com/download/pr/1f5af042-d0e4-4002-9c59-9ba66bcf15f6/124d2afe5c8f67dfa910da5f9e3db9c1/ndp472-kb4054531-web,exe
Therefore, the following difference between process trees occurs in virtual environments and normal environments.
Figure 8. Process tree structure comparison (Left) Virtual environment (Right) Normal environmentThe ultimately executed RecordBreaker steals various sensitive information from users according to the configuration value received from the server. It then sends this information to the C2 before terminating itself.
Figure 9. RecordBreaker C2 communicationC2: 94.142.138[.]74
User-Agent: Zadanie
More details about RecordBreaker can be found in the post below.
The threat actor is actively creating new variants to bypass detection. Users should avoid using illegal tools such as cracks or keygens and use installers that are officially provided by their developers. In particular, if a file that was downloaded from an unknown website is either a password-protected compressed file or contains an executable with the name setup, activate, or install, it should be treated as suspicious.
AhnLab Security Emergency response Center (ASEC) is thoroughly monitoring malware that is being distributed in this way through an automated system. Relevant information can be confirmed in real-time through the AhnLab TIP service.
Figure 10. AhnLab TIP – Live C&C service[File Detection]
Infostealer/Win.RecordStealer.R579433 (2023.05.19.02)
Infostealer/Win.RecordStealer.R581333 (2023.05.25.03)
Infostealer/Win.Vidar.R582891 (2023.05.30.03)
Infostealer/Win.RecordStealer.R583862 (2023.06.02.03)
Infostealer/Win.RecordStealer.R583865 (2023.06.02.03)
[IOC]
| MD5 | Distribution Date | Download C2 | RecordBreaker C2 |
| 8248d62ec402f42251e5736b33da1d4d | 2023-05-18 | hxxp://89.208.103[.]225/client14/enc2no.exe | hxxp://94.142.138[.]246/ |
| 19e491dfe1ab656f715245ec9401bdd1 | 2023-05-19 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe | hxxp://94.142.138[.]247/ |
| 21a8a6cfa229862eedc12186f0139da0 | 2023-05-19 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn2.exe | hxxp://94.142.138[.]246/ |
| a494e9ff391db7deac7ad21cadf45cca | 2023-05-19 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe | hxxp://94.142.138[.]247/ |
| bc127d20aa80e7834c97060c1ce5d7f3 | 2023-05-19 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn2.exe | hxxp://94.142.138[.]246/ |
| ac449f0e00b004b3bba14c37f61d1e85 | 2023-05-19 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe | hxxp://94.142.138[.]247/ |
| 14eb67caa2c8c5e312e1bc8804f7135f | 2023-05-20 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe | hxxp://94.142.138[.]247/ |
| 2802aaea098b45cf8556f7883bf5e297 | 2023-05-21 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe | hxxp://94.142.138[.]247/ |
| 0c34e053a1641c0f48f7cac16b743a82 | 2023-05-21 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn2.exe | hxxp://94.142.138[.]246/ |
| a383055244f546ca4f7bd0290b16d9c9 | 2023-05-22 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe | hxxp://94.142.138[.]247/ |
| 986bc66f125aae71d228eeecf3efe321 | 2023-05-23 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe | hxxp://94.142.138[.]247/ |
| 97fbfaf2b454b3a9b3b4d4fd2f9a7cb9 | 2023-05-23 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn2.exe | hxxp://94.142.138[.]246/ |
| 660f72ddf06bcfa4693e29f45d3e90b0 | 2023-05-23 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe | hxxp://94.142.138[.]247/ |
| 894ce52199f7e633306149708c1b288b | 2023-05-24 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe | hxxp://94.142.138[.]247/ |
| bdda7ef4439954a392c9b5150a6c6213 | 2023-05-24 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn2.exe | hxxp://94.142.138[.]246/ |
| 8b6ff39df70b45bb34c816211cbc2af8 | 2023-05-24 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe | hxxp://94.142.138[.]247/ |
| b5e9f861213e7148491ba6c13972a8ba | 2023-05-25 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn2.exe | hxxp://94.142.138[.]246/ |
| 5254fc5d6990d2d58a9ef862503cc43d | 2023-05-25 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe | hxxp://94.142.138[.]247/ |
| 45613d3339b9f45366218362f2e6b156 | 2023-05-26 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn1n.exe | hxxp://94.142.138[.]247/ |
| f2c6fec557daa2596b5467026f068431 | 2023-05-26 | hxxp://85.192.40[.]245/fol1paf2nyg0/bn1n.exe | hxxp://94.142.138[.]247/ |
| 7523a30c60fb7d2c02df18fa967f577d | 2023-05-28 | hxxp://79.137.202[.]161/7yd0ymt74ny7qbuk/Pangl.exe | hxxp://77.91.73[.]11:2705/ |
| 3215b2bd3aeaea84f4f696c7ba339541 | 2023-05-29 | hxxp://79.137.202[.]161/7yd0ymt74ny7qbuk/Pangl.exe | hxxp://78.46.248[.]198/ |
| 8e40018360068a2c0cb94a514b63a959 | 2023-05-30 | hxxp://89.185.85[.]33/pctupdate.exe | hxxp://79.137.203[.]217/ |
| 24960b3a4fb29a71445b7239cd30bbce | 2023-05-30 | hxxp://79.137.202[.]161/7yd0ymt74ny7qbuk/Pangl.exe | hxxp://78.46.248[.]198/ |
| 83432cfda6a30f376d00eba4e1e6c93f | 2023-05-30 | hxxp://79.137.202[.]161/7yd0ymt74ny7qbuk/Pangl.exe | hxxp://78.46.248[.]198/ |
| 73239203bc4cdf249575de358281fe82 | 2023-06-01 | hxxp://89.185.85[.]33/pctupdate.exe | hxxp://94.142.138[.]60/ |
| d367b73118fa966b5f5432bbbf35bae5 | 2023-06-02 | hxxp://89.185.85[.]117/bmlupdate.exe | hxxp://94.142.138[.]74/ |
| 6a834288fd96008cbe3fc39c61d21734 | 2023-06-02 | hxxp://89.185.85[.]33/pctupdate.exe | hxxp://94.142.138[.]60/ |
| 972748e60f696333dd8b4b12f9f3a7af | 2023-06-02 | hxxp://89.185.85[.]117/bmlupdate.exe | hxxp://94.142.138[.]74/ |
| 0c819835aa1289985c5292f48e7c1f24 | 2023-06-04 | hxxp://89.185.85[.]117/bmlupdate.exe | hxxp://94.142.138[.]74/ |
| ebd8eeac32292f508b1c960553202750 | 2023-06-05 | hxxp://89.185.85[.]117/bmlupdate.exe | hxxp://94.142.138[.]74/ |
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post RecordBreaker Infostealer Disguised as a .NET Installer appeared first on ASEC BLOG.
Article Link: RecordBreaker Infostealer Disguised as a .NET Installer - ASEC BLOG