Trojan Dropper Remcos

[Nightowl 202]

https://www.virustotal.com/gui/file/b1afbce51ad052f936b989214964d56e2290a7fb5548763273c1fc4382cd5c1c

This is not being detected by ESET , but ESET is picking it up through Advanced Memory Scanner after being ran because it came through Skype as a 1.5mb shortcut pif , i kept a copy of it inside a passworded archieve , I sent the shortcut also for Analysis through right click and submit for analysis

a variant of Win32/Spy.Agent.QGW trojan

C7552D69B8A7257A489BCDC31BAD099F5C2D67EA

a variant of Win32/Rescoms.B trojan

D00E62B42CEE99EFF56C604CF7190E2F68B3F86E

Those are files that the dropper drops them , but ESET memory scanner and startup scanner picks .dlls from Appdata\local\temp\threat.dll

 

Edited March 20, 2023 by Nightowl

[itman 1,659]

35 minutes ago, Nightowl said:

https://www.virustotal.com/gui/file/b1afbce51ad052f936b989214964d56e2290a7fb5548763273c1fc4382cd5c1c

Appears to be an old hacked version of TrueCrypt.exe . It's signed but the sigs are invalid. The  behavior of the bugger: https://www.virustotal.com/gui/file/b1afbce51ad052f936b989214964d56e2290a7fb5548763273c1fc4382cd5c1c/behavior is pretty nasty.

[Nightowl 202]

14 minutes ago, itman said:

Appears to be an old hacked version of TrueCrypt.exe . It's signed but the sigs are invalid. The  behavior of the bugger: https://www.virustotal.com/gui/file/b1afbce51ad052f936b989214964d56e2290a7fb5548763273c1fc4382cd5c1c/behavior is pretty nasty.

Yes it's targeting financial areas , it will come as a financial file for you , it isn't me , I worked to clean the person PC , shortcut isn't detected so it's made new also , the shortcut is what was got uploaded to virustotal , but virustotal takes to truecrypt.exe , but i believe the 1.5 shortcut is something hidden , it will just become something else

 

you can see it here also : https://any.run/report/b1afbce51ad052f936b989214964d56e2290a7fb5548763273c1fc4382cd5c1c/f26fd95b-3cc1-4578-abf1-17289380ebe5

Edited March 20, 2023 by Nightowl

[Nightowl 202]

[itman 1,659]

9 minutes ago, Nightowl said:

you can see it here also : https://any.run/report/b1afbce51ad052f936b989214964d56e2290a7fb5548763273c1fc4382cd5c1c/f26fd95b-3cc1-4578-abf1-17289380ebe5

It's a .exe; i.e.MerchantSticpayAgreements.pif.exe , just hidden as .pif file.

[Nightowl 202]

Just now, itman said:

It's a .exe; i.e.MerchantSticpayAgreements.pif.exe , just hidden as .pif file.

yea i noticed that now when i got into anyrun link

[itman 1,659]

Assuming you downloaded MerchantSticpayAgreements.pif.exe, was it sent to LiveGuard?

[Nightowl 202]

6 minutes ago, itman said:

Assuming you downloaded MerchantSticpayAgreements.pif.exe, was it sent to LiveGuard?

I didn't notice that , I sent manually , the product on PC is ESET Endpoint Security

I think Endpoint Security doesn't have LiveGuard yet , it's only available on Smart Security

And file came through Skype to the affected machine.

Edited March 20, 2023 by Nightowl

[Marcos 5,070]

The file is currently blocked by LiveGrid, will be detected as Win32/TrojanDownloader.Rugmi.AAI trojan.

\TrueCrypt.exe - Suspicious Object

Quote

I think Endpoint Security doesn't have LiveGuard yet , it's only available on Smart Security

It depends on what plan / bundle you have purchased.

Advanced Threat Defense includes ESET LiveGrid Advanced and is available in ESET PROTECT Advanced and ESET PROTECT Complete:

[Nightowl 202]

4 minutes ago, Marcos said:

The file is currently blocked by LiveGrid, will be detected as Win32/TrojanDownloader.Rugmi.AAI trojan.

\TrueCrypt.exe - Suspicious Object

It depends on what plan / bundle you have purchased.

Advanced Threat Defense includes ESET LiveGrid Advanced and is available in ESET PROTECT Advanced and ESET PROTECT Complete:

Thank you Marcos , ITMAN

It isn't my business account , I just worked to clean the PC because I was asked to , and ESET was there for my luck

I will inform if I was asked about LiveGuard.

Edited March 20, 2023 by Nightowl

[itman 1,659]

I will also note there appears to be renewed interest of late by attackers of injecting explorer.exe and then running a cmd.exe script from it as done in this attack.

I have revised my HIPS rules to now always alert at cmd.exe startup whereas in the past, I excluded explorer.exe startup of cmd.exe. It's a slight inconvenience to answer the alert but it's better to be safe than sorry.

[Nightowl 202]

I sent 2 more remenants that aren't detected , but looked Suspicious , I cleaned the system scheduler it had a vlc and python commands to run at startup and at 7PM

The remenants are here :

https://www.virustotal.com/gui/file/e9262441ef8e401acce28d13100c63e90e3de2ffb0ec6763611eebdc1aa60dbd/detection/f-e9262441ef8e401acce28d13100c63e90e3de2ffb0ec6763611eebdc1aa60dbd-1679390226

https://www.virustotal.com/gui/file/e7754d8e4c33b35b85d85554488069fe731190201fa9e42d1b53f38c843025a3/detection/f-e7754d8e4c33b35b85d85554488069fe731190201fa9e42d1b53f38c843025a3-1679390159

Unsigned files for Python and VLC , It looked suspicious to scanners.

This is a rememnant also not detected but I wasn't able to send it , I deleted it by mistake :

https://www.virustotal.com/gui/file/65327e1555994dacee595d5da9c9b98967d1ea91ccb20e8ae4195cd0372e05a0

   ssl3.dll
      Size . . . . . . . : 132,712 bytes
      Age  . . . . . . . : 4.9 days (2023-03-17 12:42:24)
      Entropy  . . . . . : 6.1
      SHA-256  . . . . . : 65327E1555994DACEE595D5DA9C9B98967D1EA91CCB20E8AE4195CD0372E05A0
      Product  . . . . . : Network Security Services
      Publisher  . . . . : Mozilla Foundation
      Description  . . . : NSS SSL Library
      Version  . . . . . : 3.11.5
      RSA Key Size . . . : 2048
      LanguageID . . . . : 1033
      Authenticode . . . : Invalid
    > SurfRight  . . . . : Mal/Generic-S
      Fuzzy  . . . . . . : 122.0

Scheduler :

I made a restart now , I willl check if it comes back , I believe the Scheduler is what revived it and ESET kept removing it as Spy Agent in Advanced Memory Scanner.

I sent the 2 examples to ESET the same way I did for first post , Right click > ESET > Submit for Analysis.

Edited March 22, 2023 by Nightowl

[Qarmosh 1]

great value and info new virus, even after the cleaning by eset still the files in schedule.
also Kaspersky don't catch this virus.

Nightowl thanks 

[Peter Randziak 1,130]

Hello @Nightowl,

thank you for a nice analysis 😉

I contacted the Detections team, the files e9262441ef8e401acce28d13100c63e90e3de2ffb0ec6763611eebdc1aa60dbd,  65327e1555994dacee595d5da9c9b98967d1ea91ccb20e8ae4195cd0372e05a0 and e7754d8e4c33b35b85d85554488069fe731190201fa9e42d1b53f38c843025a3 will be added to detection.

Can you please provide us with files "mozilla.md5", "idea.mp3" and "tree.mp4" to check them further?
Please send them to me in an encrypted archive via a private message, with the encryption password included 🙂

Peter

[Nightowl 202]

1 hour ago, Peter Randziak said:

Hello @Nightowl,

thank you for a nice analysis 😉

I contacted the Detections team, the files e9262441ef8e401acce28d13100c63e90e3de2ffb0ec6763611eebdc1aa60dbd,  65327e1555994dacee595d5da9c9b98967d1ea91ccb20e8ae4195cd0372e05a0 and e7754d8e4c33b35b85d85554488069fe731190201fa9e42d1b53f38c843025a3 will be added to detection.

Can you please provide us with files "mozilla.md5", "idea.mp3" and "tree.mp4" to check them further?
Please send them to me in an encrypted archive via a private message, with the encryption password included 🙂

Peter

Hello Peter

I have attached the whole folder of fake VLC and fake Firefox and attached them to 7z archive and passworded them with "malware" , I sent through ESET GUI , with my email address , I have confirmed that they have reached through Events logs but I kept a backup incase they didn't reach , I was having a trouble cleaning the python39.dll because it kept telling me it's running somewhere , something held it but I didn't catch it , I restarted it , what held it , stopped , I tried to archieve it , but ESET got it it seems that it received updates. so I didn't pack the .dll because ESET already knows it

I think what held it is Task Scheduler somewhere , I made sure it didn't come back in Task Scheduler

What I noticed , I had hands on 2 infections , one with W10 and one with W11

The only difference I saw that in W10 it was able to make a startup entry , in W11 it didn't , I will double check to make sure.

Thanks to all also , it's my pleasure

 

[itman 1,659]

4 hours ago, Nightowl said:

I believe the Scheduler is what revived it

Of interest here is how the attacker created python.exe in C:\Users\xxxxxx\AppData\Roaming\Adobe directory.

I block all python execution via registry debugger assignment. However, Eset again needs to provide global wildcard capability; e.g. *\python.exe, in the HIPS to prevent attacks like this.

Edited March 22, 2023 by itman

[Nightowl 202]

3 minutes ago, itman said:

Of interest here is how the attacker created python.exe in C:\Users\xxxxxx\AppData\Roaming\Adobe directory.

I block all python execution via registry debugger assignment. However, Eset again needs to provide global wildcard capability; e.g. *\python.exe, to prevent attacks like this.

I worked with HIPS to see who reads and writes , but once I wasn't able to stop it , remove it or archieve it , I thought it's better to block the whole place, I blocked and restarted PC , and I removed it

I believe when you run the malicious exe that is hidden as pif , it asks for admin? I don't know , I didn't ask

I saved also the XMLs for Schedulers

And the PC doesn't have anything to belong to Adobe , but I believe the virus will gain admin somewhere with VLC and CMD

Edited March 22, 2023 by Nightowl

[Qarmosh 1]

nightowl very good info, very detailed and explaining how you face the issue and what you done to pass it. 

@Peter Randziak and @ Marcos 

promote Nightowl if you can to higher level. his explaining and describing the issue are very helpful to others.  

[Marcos 5,070]

59 minutes ago, Qarmosh said:

promote Nightowl if you can to higher level. his explaining and describing the issue are very helpful to others.  

We appreciate a lot Nightowl's, itman's and other active users' contribution and help in our forum. The ranking system is automated and users are promoted to a higher level based on the number of kudos they've received from the others. Moreover, we promote active users to "Most valued members" group.

[Marcos 5,070]

2 hours ago, Nightowl said:

I sent through ESET GUI , with my email address

We have received the files, however, there was no email address associated with the tickets. Couldn't it be that you checked the box to submit the file anonymously? I've made a test myself using the latest Endpoint 10 as well and a ticket was associated with my email so I don't expect it to be caused by a bug.

[Nightowl 202]

19 minutes ago, Marcos said:

We have received the files, however, there was no email address associated with the tickets. Couldn't it be that you checked the box to submit the file anonymously? I've made a test myself using the latest Endpoint 10 as well and a ticket was associated with my email so I don't expect it to be caused by a bug.

It should be received from another endpoint , no I don't think there is a bug.

because i sent examples from 2 endpoints , one without email , one with email.

I will send in PM.

Edited March 22, 2023 by Nightowl

[itman 1,659]

13 hours ago, Nightowl said:

I believe the Scheduler is what revived it

A comment about the scheduled tasks behavior. They all employed; e.g.:

C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\python39.dll",#1

That is rundll32.exe spawning a copy of itself to run a malicious .dll. As far as I am aware of, I know of nothing that does likewise. I am adding a HIPS rule to alert when rundll32.exe starts itself.

[Nightowl 202]

13 hours ago, itman said:

A comment about the scheduled tasks behavior. They all employed; e.g.:

C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\python39.dll",#1

That is rundll32.exe spawning a copy of itself to run a malicious .dll. As far as I am aware of, I know of nothing that does likewise. I am adding a HIPS rule to alert when rundll32.exe starts itself.

This is what runs the malicious Python in Adobe in Scheduler:

Quote

      <Command>C:\Users\xxxxxxx\AppData\Roaming\Adobe\python.exe</Command>
      <Arguments>--yoky=66585 --uapb --vgb --mgxfde</Arguments>

And this what runs the malicious VLC in Scheduler :

Quote

      <Command>C:\Users\xxxxxxx\AppData\Roaming\36c011cd\vlc.exe</Command>
      <Arguments>-cbriqvr</Arguments>

 

Edited March 23, 2023 by Nightowl

[itman 1,659]

7 hours ago, Nightowl said:

This is what runs the malicious Python in Adobe in Scheduler:

Quote

      <Command>C:\Users\xxxxxxx\AppData\Roaming\Adobe\python.exe</Command>
      <Arguments>--yoky=66585 --uapb --vgb --mgxfde</Arguments>

And this what runs the malicious VLC in Scheduler :

Quote

      <Command>C:\Users\xxxxxxx\AppData\Roaming\36c011cd\vlc.exe</Command>
      <Arguments>-cbriqvr</Arguments>

I don't believe either of the above .exe's are really what they are named as.

It appears to me they are actually renamed versions of pyinstaller.exe. Note that the command line string used in both starts with "--" which is the format used by Pyinstaller.

Pyinstaller allows for creation of a Win based .exe using an existing Python script. It adds all the needed Python run-time components plus the code contained in the script resulting in a fully functional Win .exe without the need to have Python installed. 

[Nightowl 202]

11 minutes ago, itman said:

I don't believe either of the above .exe's are really what they are named as.

It appears to me they are actually renamed versions of pyinstaller.exe. Note that the command line string used in both starts with "--" which is the format used by Pyinstaller.

Pyinstaller allows for creation of a Win based .exe using an existing Python script. It adds all the needed Python run-time components plus the code contained in the script resulting in a fully functional Win .exe without the need to have Python installed. 

I believe they are normal versions of the EXE , the .dlls are just hijacked

fake firefox that came with it , had an icon from older versions of firefox , you can notice it's an old version of firefox.

vlc also it looked like the real one , but the .dlls are hijacked , this is why scanners aren't picking the them , python.exe , firefox.exe , vlc.exe , because I think they are legit , just the .dlls are messed up.

I believe Python.exe is needed to be able to run the Python script that is hidden somewhere , since there is no Python installed on PC.

If they were edited or messed up , then I would have got an indicator that the exes aren't signed properly. tampered or edited.

Edit :

Quote

Pyinstaller allows for creation of a Win based .exe using an existing Python script. It adds all the needed Python run-time components plus the code contained in the script resulting in a fully functional Win .exe without the need to have Python installed. 

I didn't read properly , yes it could explain it what you have said , and could be those aren't real executables and just made by the script

I sent them to ESET the whole packs of the fake stuff , but I removed the python.exe actually , and I don't think I can get it back , because at that time , ESET picked it's python39.dll , and I still believe somehow that the python.exe is a normal one.

I believe , the fake stuff , firefox vlc python all were real but versions that have vulnerabilities and can be changed,modified , that's why they all packed with hijacked DLLs and weird file types that would just change after execution.

Edited March 23, 2023 by Nightowl