A Catalog of Hazardous AV Sites – A Tale of Malware Hosting

Executive summary

In mid-April 2024, Trellix Advanced Research Center team members observed multiple fake AV sites hosting highly sophisticated malicious files such as APK, EXE and Inno setup installer that includes Spy and Stealer capabilities. Hosting malicious software through sites which look legitimate is predatory to general consumers, especially those who look to protect their devices from cyber-attacks. The hosted websites made to look legitimate are listed below.

Sites hosting malwares

  • avast-securedownload.com (Avast.apk)
  • bitdefender-app.com (setup-win-x86-x64.exe.zip)
  • malwarebytes.pro (MBSetup.rar)

Malicious Trellix binary

We also observed that, there’s a malicious Trellix binary that pretends to be Legit (We will be also investigating this in this Blog)

  • Malicious Trellix Binary, Pretending to be Legit (AMCoreDat.exe)

avast-securedownload.com

Figure 1 Fake Avast site

Figure 1: Fake Avast site

bitdefender-app.com

Figure 2 Fake Bitdefender Site

Figure 2 :Fake Bitdefender Site

malwarebytes.pro

Figure 3 Fake Malwarebytes site

Figure 3: Fake Malwarebytes site

Malicious intent

#1 avast-securedownload.com (A sophisticated APK)

The site is hosting “Avast.apk” when we try to click any of the links there.

The most important place to start investigating is to look at “AndroidManifest.xml” where the permissions are declared, along with other package related information.

By looking at the permissions required, we realized this was a spy/stealer with the capability to: 

  • Install/Delete packages 
  • Reading: call logs, SMS, contacts, storage data, phone state
  • Access: Network state, Wi-Fi state, change Wi-Fi state, record audio, disable keyguard, wallpaper
Figure 1.1 Permissions

Figure 1.1: Permissions

# Taking a screenshot

Figure 1.2 Screenshot Callback

Figure 1.2: Screenshot Callback

# Recorder/touch activity tracker & update capabilities

The indicator hidden inside replaceable content has been used later in the exfiltrated file.

Figure 1.3 Audio recorder & touch activity logger

Figure 1.3: Audio recorder & touch activity logger

It also looks for the touches and their X and Y axis matrix to track the button placement when the user visits any application.

Figure 1.4 Identifying position of screen touches

Figure 1.4: Identifying position of screen touches

Updated capabilities allow an attacker to install any program automatically by looking at wakeup screen features.

Figure 1.5 Click tracker update for installing programs from C2C

Figure 1.5: Click tracker update for installing programs from C2C

Figure 1.6 Screen wakeup activity tracker

Figure 1.6: Screen wakeup activity tracker

# Coin miner & location tracker

The malware is also doing a coin miner activity where it supports several Bitcoins as shown below and as follows, this is also tracking the location of the device.

Figure 1.7 Screen wakeup activity tracker

Figure 1.7: Screen wakeup activity tracker

# Exfiltration

All contents gathered have been stored into respective files as below:

Figure 1.8 Exfiltration – Files

Figure 1.8: Exfiltration – Files

# Configurations

Configuration hard coded in base64 encoded format includes C2C, Port number, Type, Icon properties, Uninstall and application name.

Figure 1.9 Malware configurations – C2C & APP name

Figure 1.9: Malware configurations – C2C & APP name

#2 bitdefender-app.com (setup-win-x86-x64.exe.zip – Lumma stealer, the sophisticated encryption)

The site delivers a zip file – having an EXE inside with the name of setup-win-x86-x64.exe. Seeing the filename with double extension before extension and since the legitimate software never downloads the file with double extensions, we became curious to investigate this file more, 

Figure 2.1 Bitdefender Downloaded File

Figure 2.1: Bitdefender Downloaded File

While investigating the file structure, we came to know that the file has a TLS callback where it can perform its activity before going to the Entry Point of the file. This is where all the obfuscated strings were decoded as shown below and injected to “BitLockerToGo.exe” from Windows Directory.

Figure 2.2 Obfuscated strings hard coded

Figure 2.2: Obfuscated strings hard coded

Figure 2.3 TLS callback function Before main

Figure 2.3: TLS callback function Before main

The file is also checked for the presence of debugger by API key “IsDebuggerPresent”.

Figure 2.4 Is a program running under Debugger?

Figure 2.4: Is a program running under Debugger?

After de-positioning all the characters in hard coded string, we got binary bytes where it is injected into BitLockerToGo.exe present inside “C:\Windows\BitLockerDiscoveryVolumeContents”, although it is deprecated but still supported. Which is responsible for reading of BitLocker-Protected removable drives as well as for encrypting them. Below are the footprints showing the injecting or decoded bytes into the target process by creating thread-suspend-resume.

Figure 2.5 Injecting into BitLockerToGo.exe

Figure 2.5: Injecting into BitLockerToGo.exe

The malware looks for sensitive information and makes it to one text file which is later zipped. Below are some details which this stealer looks for:

  • PC name
  • Username
  • HWID
  • Screen Resolution
  • CPU
  • Installed Memory
  • Running process
  • Login data
  • History
  • Cookies
  • Tokens
  • User profile information

#3 malwarebytes.pro (MBSetup.rar – StealC)

The site delivers a RAR file – a bundle of Inno Setup, readme and some other legitimate DLLs which looks very authentic to convince the consumer as shown below:

Figure 3.1 Malwarebytes downloaded File.

Figure 3.1: Malwarebytes downloaded File.

# .Net assembly decrypting the main payload

While investigating the .Net payload, we came to know that the file has suspicious resources within it – it appeared to be obfuscated with some mechanism. We took the runtime call to call resource manifest, we found that the resource had been encrypted with an AES algorithm with hardcoded keys as shown below.

Here we have two different payloads that have been encrypted in the same resource with different keys. One is .Net and another one is compiled with C++. Where, the .Net assembly is nothing but to call the actual payload of C++ compiled binary along with some dummy arguments “[Stubcry.NIKBINARY32bit].nik5ra

Figure 3.2 Resource decryption

Figure 3.2: Resource decryption

Figure 3.3 Invoking a decrypted binary from the resource.

Figure 3.3: Invoking a decrypted binary from the resource.

# Actual C++ compiled payload [Exfiltration]

This is where the actual “StealC” payload comes into the picture. The payload has all of the API function calls hardcoded and they were encrypted with XOR, decryption sequence and the hardcoded strings below:

Figure 3.4 C++ compiled binary – Actual payload & Its decryption of API
        function.

Figure 3.4: C++ compiled binary – Actual payload & Its decryption of API function.

Decrypting further, we found the C2C (185.161.248.78) server has also been encrypted in the same way, The C2C server also hosted a sqlite3 library which will be used later to exfiltrate the logins and credentials from browser Dbs.

Figure 3.5 C2C & Configs

Figure 3.5: C2C & Configs

All the exfiltrated contents have been compressed in gzip to send it to the C2C server that is already established. But before that, the malware also created an event with the name in the format of “HAL9TH_ComputerName_UserName” to ignore the duplication of again sending the same machine’s details.

Figure 3.6 Packing into ZIP for sending it to C2C.

Figure 3.6: Packing into ZIP for sending it to C2C.

Below are the details stolen through this threat:

  • Account tokens.
  • Steam tokens.
  • Saved Card details.
  • System profiles
  • Telegram logins.
  • List of running process names
  • Installed browser lists & their version.
  • Credentials from the browser “User Data” folder, Local DB an autofill
  • Cookies from the browser
  • List of folders in C drive
  • Some common system information:
    IP, Keyboard layout, System Info, Architecture, CPU, RAM, Cores, Running path, Username, Network Info, Computer Name, UTC timing.

#4 Malicious Trellix binary (AMCoreDat.exe)

We also found that there are some malicious Trellix binaries which are related to content updates for end-point users. The highly sophisticated obfuscation method makes the payload to be evaded as explained in figure: 4.1.

As we debugged inside the AMCoreDat.exe, we found that the binary creates multiple files inside %appdata% (As shown in the figure: 4.2), Later writing them with the payload by splitting them into pieces of codes – which ended up as each file has the piece of content. This might evade AV detection as it tries to concatenate the piece of content from each file later and makes a new binary (compiled by AutoIt3).

Figure 4.1 Decoded AutoIt script

Figure 4.1: Decoded AutoIt script

Figure 4.2 Piece of codes & Compiled AutoIt3

Figure 4.2: Piece of codes & Compiled AutoIt3

Investigating dropped au3 and compiled binary of it, the payload looks for the process name “avastui.exe”, If the process exists the It terminates itself.

And the attacker uses a highly sophisticated method for obfuscating the actual payload which steals the victim’s information and sends them to the C2C server.

Figure 4.3 AutoIt Binary, the actual payload

Figure 4.3: AutoIt Binary, the actual payload

The list of information it tries to send back to the C2C:

  • PC name
  • Username
  • Installed Memory
  • Running process
  • Login data, Browser
  • Browsing History
  • Cookies
  • Tokens
  • User profile information

# IOC

MD5FileNameFamilyTrellix Detections
6103676bd7647fdde675acd3ea9fb92fAvast.apkSpynoteTrojan.Android.SpyNote
15d4539dfdbd297d19e859551e1ea648MBSetup.rarStealCGen:Variant.MSILHeracles
1a3657ef519e3d20930f400dd781dbb2setup-win-x86-x64.exeLumma StealerMalware.Artemis
a76529cfb85956fa07f896b957c34c34AMCoreDat.exeLumma StealerTrojan.GenericKD

# C2C servers

C2CFamily
45.138.16.85:7544Spynot
185.161.248.78StealC
alcojoldwograpciw.shop/api
alcojoldwograpciw[.]shop/api
productivelookewr[.]shop/api
tolerateilusidjukl[.]shop/api
shatterbreathepsw[.]shop/api
shortsvelventysjo[.]shop/api
incredibleextedwj[.]shop/api
liabilitynighstjsko[.]shop/api
demonstationfukewko[.]shop/api

tirechinecarpett[.]pw/api
freckletropsao[.]pw/api
fanlumpactiras[.]pw/api
occupytapsessijk[.]pw/api
ownerbuffersuperw[.]pw/api
musclefarelongea[.]pw/api
Lumma

How to protect against this

  • Always double check on links before clicking on them.
  • Be aware of the Websites you are visiting and make sure it is legitimate.
  • Use strong cybersecurity solutions to ensure you are protected against these types of malicious behaviors.
  • Never go for pirated version softwares which leads to downloading fake/ Malicious binaries.
  • Do double check of the software’s legitimacy you are downloading with your End-Point provider

Don’t Stop Here

More To Explore

Infostealers Webinar – Hudson Rock

Learn about Infostealers with actual real life breaches caused by Infostealer infections with Leonid Rozenberg, Hudson Rock’s Head of Partnerships & Integrations. To discover how

favicon__1_ removebg-png

BE THE FIRST TO KNOW

Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

No Spam, We Promise

favicon__1_ removebg-png

BE THE FIRST TO KNOW

Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

No Spam, We Promise