Roboto Condensed Delivers Downloader Which Downloads a CoinMiner

My first post on the Roboto Condensed social engineering scheme can be seen HERE. BleepingComputer.com also wrote an article on this.

The pages presented to both Chrome and Firefox users can be seen below:




Here is an image of the page source:

Edited page source

The binary file, fontpackupd60.exe, is hosted on a compromised website in the /plugins/ directory. The threat actor(s) behind this social engineering scheme have previously used different payloads for Chrome and Firefox; this time the two were identical.

Executing fontpackupd60.exe generated the following HTTP events:

HTTP traffic

The first HTTP traffic we see is a series of POST requests to api.highwrite.ru (which resolves to 144.76.173.214):

tcp stream 1 edited

The first POST request is to /2.0/method/checkConnection. The server responds with a 200 OK and the string c3VjY2Vzcw==, which is base64 for “success”.

We then see a POST request to /2.0/method/error containing profile=[profile number].

You can also see that the connections to api.highwrite.ru use Opera/8.53 (Windows 98; U; en) as the User-Agent. That string does not come from any browser on the victim: it describes a 2005-era Opera build on Windows 98, which no current client sends, so it is a cheap, low-noise thing to alert on at a proxy.

The next set of HTTP connections to api.highwrite.ru are shown below:

api.highwrite.ru tcp stream edited

In this TCP stream you can see system information being POSTed back to /2.0/method/installSuccess: buildID, profile, os, platform, processor and videocard. The server responds with a 200 OK whose body is an ID number. The client sends this ID back in its later requests, so it acts as the bot identifier for this infection.

The next HTTP connections are shown below:

tcp stream 3

The server responds to the POST request with a 302 Found pointing to hxxps://github[.]com/Melicano01/wiwi/raw/master/upd.exe. You can see that for this GET request the User-Agent is Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729). That is the Internet Explorer compatibility-mode string of the host itself, so the download is most likely made through the system's WinINet/IE stack rather than with the hard-coded Opera string used for the C2 traffic; the two User-Agents can be pivoted on separately.

The GitHub repo containing upd.exe is shown below:

github.com melicano01 wiwi repo

All executables located here:

The file being downloaded, upd.exe (aka “lsass.exe”), is identified as a coin miner by Hybrid-Analysis and by my friend @Antelox. The name is borrowed from the legitimate Local Security Authority Subsystem Service process, which lives in %SystemRoot%\System32; a file with that name anywhere else is worth a look.

The next set of HTTP connections are shown below:

stream 4 edited

After another successful connection check, the client POSTs its ID number back to the server, and the server responds with a 200 OK containing the base64 encoded string Rk1BUC5leGU=, which decodes to “FMAP.exe”.

This is followed by a POST request to /2.0/method/get, which returns another 200 OK containing the base64 encoded string:

aHR0cHM6Ly9naXRodWIuY29tL01lYXR5QmFuYW5hL01lYXR5QmFuYW5hL3Jhdy9tYXN0ZXIvRk1BUC5leGU7Rk1BUC5leGU7

This string decodes to:

hxxps://github[.]com/MeatyBanana/MeatyBanana/raw/master/FMAP.exe;FMAP.exe;

This is yet another GitHub repo containing various payloads:

github MeatyBanana

All executables located here:

Something worth noting: the Hybrid-Analysis report shows the sandbox trying to download MeatyBanana.exe rather than FMAP.exe, which suggests the file name handed out by /2.0/method/get varies between runs:

hybrid analysis meaty bananas

After the instruction to download FMAP.exe from the GitHub repo comes another POST request, this time to /2.0/method/config. The server responds with a 200 OK containing the following base64 encoded string:

LW8geG1yLnBvb2wubWluZXJnYXRlLmNvbTo0NTU2MCAtdSBpbXBlcmlvcm1heEBnbWFpbC5jb20gLXAgeCAtayAtdCA=

This decodes to:

-o xmr.pool.minergate.com:45560 -u imperiormax@gmail.com -p x -k -t

This is a command line for the miner rather than just a pool address: -o names the MinerGate Monero (XMR) pool and port 45560, -u is the attacker's MinerGate login (MinerGate pools identify the account by e-mail address, so this is where the mined coins are credited), -p x is a dummy password, -k is the keepalive flag of xmrig-style miners, and -t, which would set the thread count, is left without a value so the miner picks its own. The option names match the xmrig/cpuminer family of CPU miners, which fits the minerd.exe listed in the hashes below.

The last POST request to api.highwrite.ru is shown below:

stream 5 edited

The POST request is to /2.0/method/setOnline and the server responds with a 200 OK containing another base64 encoded string:

b3Blbl91cmw7aHR0cDovL2FkdHJhY2sxLndhdy5wbC9nby5waHA/YV9haWQ9NTliYWFmNTc1YzM0MA==

This decodes to:

open_url;hxxp://adtrack1[.]waw[.]pl/go.php?a_aid=59baaf575c340

It should be noted that the infected machine made a POST request to /2.0/method/setOnline every 10 minutes. This is the implant's beacon: a fixed URI hit at a fixed interval with the same anachronistic User-Agent, which is the pattern to look for in proxy logs when hunting for other infected hosts.
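To make the exchange above concrete, here is a small decoder for the server responses. It is an added example written for this write-up, not code from the original post or from the malware. The base64 bodies are the ones shown in the captures above; the split of responses into status, download instruction, miner configuration and open_url command, and the parsing of the miner options, are this example's own interpretation of the observed formats.

```python
"""Decoder for the api.highwrite.ru C2 responses described above.

Added example; not code from the original post. The base64 bodies in
OBSERVED_RESPONSES are copied from the captures shown in the post. The
response classification and the miner-option parsing are this example's
interpretation of the formats seen there.
"""
import base64
import shlex

# (endpoint or context, base64 body) pairs taken from the captures above.
OBSERVED_RESPONSES = [
    ("/2.0/method/checkConnection", "c3VjY2Vzcw=="),
    ("after id POST (stream 4)", "Rk1BUC5leGU="),
    ("/2.0/method/get",
     "aHR0cHM6Ly9naXRodWIuY29tL01lYXR5QmFuYW5hL01lYXR5QmFuYW5hL3Jhdy9tYXN0ZXIvRk1BUC5leGU7Rk1BUC5leGU7"),
    ("/2.0/method/config",
     "LW8geG1yLnBvb2wubWluZXJnYXRlLmNvbTo0NTU2MCAtdSBpbXBlcmlvcm1heEBnbWFpbC5jb20gLXAgeCAtayAtdCA="),
    ("/2.0/method/setOnline",
     "b3Blbl91cmw7aHR0cDovL2FkdHJhY2sxLndhdy5wbC9nby5waHA/YV9haWQ9NTliYWFmNTc1YzM0MA=="),
]


def decode_b64(body: str) -> str:
    """Strictly decode one response body; raises binascii.Error if it is not base64."""
    return base64.b64decode(body.strip(), validate=True).decode("utf-8")


def defang(url: str) -> str:
    """Render a URL the way the post does (hxxp, [.] in the host) so it is not clickable."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + slash + path


def parse_miner_args(cmdline: str) -> dict:
    """Parse the xmrig/cpuminer-style options seen in the config response.

    -o pool[:port]  -u login  -p password  -k (keepalive, no value)  -t [threads]
    A trailing "-t" with no number (as in the capture) is kept as threads=None.
    """
    tokens = shlex.split(cmdline)
    out = {"pool_host": None, "pool_port": None, "user": None,
           "password": None, "keepalive": False, "threads": None}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        # value for this option, unless the next token is itself an option
        val = tokens[i + 1] if i + 1 < len(tokens) and not tokens[i + 1].startswith("-") else None
        if tok == "-o" and val:
            host, _, port = val.rpartition(":")
            out["pool_host"] = host or val
            out["pool_port"] = int(port) if port.isdigit() else None
        elif tok == "-u" and val:
            out["user"] = val
        elif tok == "-p" and val:
            out["password"] = val
        elif tok == "-k":
            out["keepalive"] = True
            val = None  # flag option, consumes no value
        elif tok == "-t":
            out["threads"] = int(val) if val and val.isdigit() else None
        i += 2 if val is not None else 1
    return out


def classify_response(text: str) -> dict:
    """Map a decoded body onto the command shapes observed in the captures."""
    text = text.strip()
    if text.startswith("open_url;"):                       # open_url;<url>
        return {"kind": "open_url", "url": text[len("open_url;"):].rstrip(";")}
    if text.startswith("-o ") or " -u " in text:           # miner command line
        return {"kind": "config", **parse_miner_args(text)}
    fields = [f for f in text.split(";") if f]             # <url>;<filename>;
    if len(fields) >= 2 and fields[0].lower().startswith(("http://", "https://")):
        return {"kind": "download", "url": fields[0], "filename": fields[1]}
    if text == "success":
        return {"kind": "status", "value": text}
    return {"kind": "text", "value": text}                 # e.g. a bare file name


def decode_all(responses=OBSERVED_RESPONSES) -> list:
    """Decode and classify every observed response, keeping the context label."""
    return [{"context": ctx, **classify_response(decode_b64(body))} for ctx, body in responses]


if __name__ == "__main__":
    for item in decode_all():
        if "url" in item:
            item["url"] = defang(item["url"])
        print(item)
```

Run it directly to print each decoded response with URLs defanged. Validating the base64 strictly (validate=True) matters when you feed it bodies straight out of a pcap: a non-base64 body raises instead of silently decoding garbage, which is the signal that the server has switched format.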

The URLs returned by the server kick off a chain of redirections that eventually results in the browser loading an .html page from brieb.blob.core.windows.net:

Complete download (2)

The landing pages attempt to trick users into downloading and running the file “Setupexe“. The file is downloaded from subdomains under the .bid TLD. For example:

Below is an example of a GET request for setupexe.exe:

GET

downloads from

Hybrid-Analysis has categorized this file as a backdoor. It generates a lot of ad traffic, so I’m thinking it could be adware. The Hybrid-Analysis report also shows post-infection GET requests to .bid TLDs like fun.losscook.bid (216.137.61.147) and build.zebraexpansion.bid (34.253.150.26) using the User-Agent “InstallCapital”.

Below are images of the setup wizard:




File System

Multiple files are created in %ProgramData%:

ProgramData

FMAP

drive dat

System32 Isass exe


Persistence: the malware creates or sets a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, so the miner is relaunched every time that user logs on. Because this is the HKCU hive, no administrative rights are needed to write it:

Registry Run
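A triage helper for exactly this persistence pattern (a Run value launching a binary from %ProgramData% under a borrowed system-process name), added here as an example and not taken from the original post. The sample Run entries are constructed and their paths are hypothetical; the look-alike substitutions and the list of system process names are this example's own choices.

```python
"""Triage of HKCU Run values for the persistence pattern described above.

Added example; not code from the original post. The idea (a Run value that
launches a binary from %ProgramData% under a system-process name such as
lsass.exe) comes from the post; the sample entries are constructed and the
exact paths are hypothetical.
"""
import ntpath

# Locations a normal user can write to; a Run value pointing here is a triage signal, not proof.
USER_WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\public\\", "c:\\windows\\temp\\")
# Names of Windows processes that malware commonly borrows; the real ones live in System32.
SYSTEM_PROCESS_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe"}
SYSTEM32 = "c:\\windows\\system32"

# Constructed HKCU\...\Run values (name -> command line). Paths are hypothetical.
SAMPLE_RUN_ENTRIES = {
    "FMAP": r"C:\ProgramData\FMAP\FMAP.exe -o xmr.pool.minergate.com:45560 -p x -k",
    "lsass": r"C:\ProgramData\System32\Isass.exe",
    "Vendor Tool": r'"C:\Program Files\Vendor\tool.exe" /quiet',
}


def split_command(cmd: str):
    """Split a Run value into (executable path, arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args


def masquerade_target(filename: str):
    """Return the system process name this file name imitates, or None.

    Compares the lower-cased name and simple look-alike substitutions
    (I->l, 1->l, 0->o) against SYSTEM_PROCESS_NAMES, so "Isass.exe" maps to lsass.exe.
    """
    base = filename.lower()
    variants = {base, base.replace("i", "l"), base.replace("1", "l"), base.replace("0", "o")}
    hits = variants & SYSTEM_PROCESS_NAMES
    return min(hits) if hits else None


def triage_run_entries(entries: dict) -> list:
    """Flag Run values whose binary sits in a user-writable location or borrows a system name."""
    findings = []
    for name, cmd in entries.items():
        exe, _args = split_command(cmd)
        norm = ntpath.normcase(exe)          # lower-case, backslashes only
        directory, filename = ntpath.split(norm)
        reasons = []
        if norm.startswith(USER_WRITABLE_ROOTS):
            reasons.append("user-writable-location")
        target = masquerade_target(filename)
        if target and directory != SYSTEM32:  # the genuine process only ever runs from System32
            reasons.append("masquerades-as:" + target)
        if reasons:
            findings.append({"name": name, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print(hit)
```

Feed it the output of a Run-key dump from the host you are triaging (one name/command pair per value). A hit on "user-writable-location" alone is only a lead, since plenty of legitimate software persists from user-writable paths; a system-process name outside System32 is the stronger signal.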

Network Based IOCs
  • 144.76.173.214 – api.highwrite.ru
  • 69.61.56.126 – adtrack1.waw.pl
  • 69.61.56.66 – zagala-11.waw.pl
  • 69.61.56.66 – xeno17.waw.pl
  • 69.61.56.66 – zagala-7.waw.pl
  • 54.192.7.76 – curve.groundhook.bid
  • 52.85.87.70 – idea.micecherries.bid
  • 52.85.87.6 – coach.ironsilver.bid
  • 34.202.192.87 – ec2-34-202-192-87.compute-1.amazonaws.com
  • 54.192.7.23 – business.throatsleep.bid
  • 52.85.87.70 – flowers.caryard.bid
  • 52.85.87.251 – dinosaurs.currentwomen.bid
  • 52.239.152.132 – brieb.blob.core.windows.net
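The indicators above, the two hard-coded User-Agents and the 10-minute setOnline beacon can be turned into detection logic. The following is an added example, not code from the original post: the User-Agent strings, the /2.0/method/ URI prefix, the beacon interval and the host list come from the post, while the pipe-delimited log format and the sample lines are constructed for the example.

```python
"""Detection logic for the C2 and ad-traffic patterns described in the post,
run over constructed proxy-log lines.

Added example; not code from the original post. The User-Agent strings, the
/2.0/method/ URI prefix, the 10-minute setOnline beacon and the IOC hosts come
from the post; the log format and the sample lines are constructed here.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Optional

# Hard-coded client strings seen in the captures (from the post).
SUSPICIOUS_USER_AGENTS = {"Opera/8.53 (Windows 98; U; en)", "InstallCapital"}
C2_URI_PREFIX = "/2.0/method/"
# Hosts from the post's "Network Based IOCs" list plus the two .bid hosts named in the text.
IOC_HOSTS = {
    "api.highwrite.ru", "adtrack1.waw.pl", "zagala-11.waw.pl", "xeno17.waw.pl",
    "zagala-7.waw.pl", "curve.groundhook.bid", "idea.micecherries.bid",
    "coach.ironsilver.bid", "business.throatsleep.bid", "flowers.caryard.bid",
    "dinosaurs.currentwomen.bid", "brieb.blob.core.windows.net",
    "fun.losscook.bid", "build.zebraexpansion.bid",
}
BEACON_MIN_HITS = 3          # need at least this many requests to call something periodic
BEACON_JITTER_SECONDS = 30   # allowed deviation of each interval from the median

# Constructed log lines: time|client|method|host|path|user-agent|status
SAMPLE_LOG = """\
2017-10-01T12:00:00Z|10.0.0.5|POST|api.highwrite.ru|/2.0/method/setOnline|Opera/8.53 (Windows 98; U; en)|200
2017-10-01T12:00:03Z|10.0.0.9|GET|www.example.com|/index.html|Mozilla/5.0 (Windows NT 10.0; Win64; x64)|200
2017-10-01T12:04:10Z|10.0.0.5|GET|fun.losscook.bid|/offer|InstallCapital|200
2017-10-01T12:10:02Z|10.0.0.5|POST|api.highwrite.ru|/2.0/method/setOnline|Opera/8.53 (Windows 98; U; en)|200
2017-10-01T12:15:00Z|10.0.0.9|GET|www.example.com|/about|Mozilla/5.0 (Windows NT 10.0; Win64; x64)|200
2017-10-01T12:19:59Z|10.0.0.5|POST|api.highwrite.ru|/2.0/method/setOnline|Opera/8.53 (Windows 98; U; en)|200
2017-10-01T12:30:01Z|10.0.0.5|POST|api.highwrite.ru|/2.0/method/setOnline|Opera/8.53 (Windows 98; U; en)|200
"""


def parse_line(line: str) -> dict:
    """Parse one constructed log line; the User-Agent field may itself contain spaces."""
    ts, client, method, host, path, ua, status = line.split("|", 6)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "host": host, "path": path, "ua": ua, "status": int(status)}


def beacon_period(times: list) -> Optional[int]:
    """Return the period in seconds if the timestamps are evenly spaced, else None."""
    if len(times) < BEACON_MIN_HITS:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mid = median(gaps)
    if max(abs(g - mid) for g in gaps) > BEACON_JITTER_SECONDS:
        return None
    return round(mid)


def detect(lines) -> list:
    """Apply the per-request rules and the periodicity rule; one finding per distinct hit."""
    findings = {}
    by_series = defaultdict(list)   # (client, host, path) -> request times
    for raw in lines:
        if not raw.strip():
            continue
        e = parse_line(raw)
        if e["ua"] in SUSPICIOUS_USER_AGENTS:
            findings[("legacy-ua", e["client"], e["ua"])] = e
        if e["path"].startswith(C2_URI_PREFIX):
            findings[("c2-uri", e["client"], e["host"] + e["path"])] = e
        if e["host"] in IOC_HOSTS:
            findings[("ioc-host", e["client"], e["host"])] = e
        by_series[(e["client"], e["host"], e["path"])].append(e["time"])
    out = [{"rule": r, "client": c, "detail": d} for (r, c, d) in findings]
    for (client, host, path), times in by_series.items():
        period = beacon_period(times)
        if period is not None:
            out.append({"rule": "beacon", "client": client, "detail": host + path,
                        "period_seconds": period})
    return out


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The periodicity rule is the one that survives infrastructure changes: the IP and domain of the C2 can be swapped, but a fixed-interval POST to a fixed URI from a non-browser User-Agent is how this downloader behaves, and the jitter tolerance keeps a few seconds of clock or network delay from hiding it.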
Hashes and Reports

SHA256: 099f824f5b05b828ebd9b2e55868386fc7b030a177dfd647c2bf83ae881706e4
File name: fontpackupd60.exe
Hybrid-Analysis Report

SHA256: 635389d99e5946dfe509d88c5a30431784d486a84ba08193ce0b0408465450dd
File name: MeatyBanana.exe
Hybrid-Analysis Report

SHA256: 7f021020dc316d706d8383c3682390c723fd79556f386a6b0a2728f2771ca16a
File name: FMAP.exe
Hybrid-Analysis Report

SHA256: 014b1ebc3da9a6acfcdbe3d8ccc2832c87408635a6dbf4c612a46d8cd29108b0
File name: Isass.exe (aka upd.exe)
Hybrid-Analysis Report

SHA256: 3d045e8c77fc28092a2131c3b1006ed37a3059801246623b22fd186b59d4fc95
File name: minerd.exe

SHA256: a4028e27520a8f4bde3333b9b90c2a70e1522da51a51b8ed892c280132872e85
File name: 1.exe

SHA256: 335a7e5b32e3fc4b0de6d47f48d48c7330ebb20ea1e7a5be4a944feedde3a51c
File name: FMAP.exe

SHA256: 2f2500b43a198d3f1f36683e2210fa5e304b4e9553ccf972ddefa361ded1d0f9
File name: FMAP64.exe

SHA256: b47f5e2c5095a3eaeca20a8dc3675b6c877fd1871d4ee8ee34686edf4b915410
File name: setupQQ.exe

SHA256: fe35d5d08404cc39cd78b8d755781ad42900652ee0304e178d6256494b4e4eb3
File name: setupQW.exe

SHA256: 3624a09ba133227ba799e9cc8f6913647f6a33a9fead5a06a20a91fd88d415bc
File name: 1234.exe

SHA256: 049f05888cd6de6032fa3f4107eb09049cd89b70b22a0aca0ff08879d7ae888e
File name: 123456789.exe

SHA256: b853a67f04fe5df0fe30db5052b2577912b77a3ed9b42797382695ade761e30c
File name: MeatyBanana.exe

SHA256: c4e671bbdc3722c161fc0263f68b2310f3cd4f46b5531710aa40033451bdf155
File name: San9.exe

SHA256: 35bac22c3147af6d3d5c412f9c4ccfd5461a6e08c0abdece0132874fca9d7841
File name: updat.exe

SHA256: 58235477cd566a17a2274ac8efe3f16ccb6c9f4b8df322f3ec14fbe51fbfe1d4
File name: update.exe

SHA256: f4e29e60c1af1c6541a5c6d5b352faaa7ee006f6b79d23a4b61c0e40d74c5ab5
File name: Setupexe.exe
Hybrid-Analysis Report

Downloads

Malicious Artifacts
Password is “infected”

Sample PCAP files
Password is “infected”

Until next time!

Article Link: https://malwarebreakdown.com/2017/10/01/roboto-condensed-delivers-downloader-which-downloads-a-coinminer/