king99, posted June 25, 2023 (edited):
Hi, I found this malware like 5 years ago when I downloaded VBox, and for some reason the version downloaded was with an invalid sig. I uploaded the file to VT; nothing came up. I re-uploaded the sample now, after 5 years: still undetected by all, by some kind of evasion technique because of the large size. I'm going to link the VT: https://www.virustotal.com/gui/file/a172b1c18045400e459a2353de8f250c9ab36c72b30057feb9c2db894f39e568 (a172b1c18045400e459a2353de8f250c9ab36c72b30057feb9c2db894f39e568). I think this is a part of a targeted attack. Further analysis and feedback is welcomed. Thanks in advance.
Edited June 25, 2023 by king99: some typing error corrected
Marcos (Administrator), posted June 25, 2023 (marked as Solution):
To me the only difference between the original VirtualBox installer and this one with a broken signature is missing data between offset 0x4fadd1a and 0x4fbc47c. Removing some data from a file won't make it malicious.
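Marcos's observation above amounts to a byte-level diff that locates a single contiguous gap between the genuine installer and the suspect copy. The script below is an added example (not Marcos's or ESET's tooling, and not from the VirtualBox project): given the two files on disk, it reports where they diverge and whether the difference is a clean cut, an insertion, or something substituted in place of the missing bytes. The sample bytes at the bottom are constructed so that it runs offline.

```python
"""Locate the region by which a suspect copy of a file differs from the genuine one.

Added example for this thread; it is not Marcos's or ESET's own tooling.
It assumes two local files: the genuine installer and the copy with the broken
signature.  A copy that is only missing a contiguous span shows up as a clean
cut (modified_bytes == 0); anything put in the gap's place shows up as a
non-zero modified_bytes count and deserves a closer look.
"""
import sys

CHUNK = 1 << 20  # compare in 1 MiB slices first, then refine byte by byte


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Length of the longest common prefix of a and b."""
    limit = min(len(a), len(b))
    p = 0
    while p < limit:
        step = min(CHUNK, limit - p)
        if a[p:p + step] != b[p:p + step]:
            break
        p += step
    # refine inside the first differing chunk
    while p < limit and a[p] == b[p]:
        p += 1
    return p


def common_suffix_len(a: bytes, b: bytes, max_len: int) -> int:
    """Length of the longest common suffix of a and b, capped at max_len so the
    suffix never overlaps the already matched prefix."""
    s = 0
    while s < max_len:
        step = min(CHUNK, max_len - s)
        if a[len(a) - s - step:len(a) - s] != b[len(b) - s - step:len(b) - s]:
            break
        s += step
    # refine inside the first differing chunk
    while s < max_len and a[len(a) - 1 - s] == b[len(b) - 1 - s]:
        s += 1
    return s


def find_removed_region(original: bytes, modified: bytes) -> dict:
    """Describe how `modified` differs from `original`.

    start/end are offsets into `original`: bytes [start, end) have no unchanged
    counterpart in `modified`.  original_bytes is that span's size and
    modified_bytes is what `modified` carries in its place (0 for a pure cut).
    """
    n, m = len(original), len(modified)
    p = common_prefix_len(original, modified)
    s = common_suffix_len(original, modified, min(n, m) - p)
    return {
        "start": p,
        "end": n - s,
        "original_bytes": n - p - s,
        "modified_bytes": m - p - s,
    }


def describe(region: dict) -> str:
    """Render the result in the hex-offset style used in the thread."""
    if region["original_bytes"] == 0 and region["modified_bytes"] == 0:
        return "files are identical"
    if region["original_bytes"] == 0:
        kind = "insertion"
    elif region["modified_bytes"] == 0:
        kind = "clean cut"
    else:
        kind = "substitution"
    return (f"{kind}: original offset 0x{region['start']:x}..0x{region['end']:x} "
            f"({region['original_bytes']} bytes) vs {region['modified_bytes']} "
            f"bytes in the modified file")


# Constructed sample data (not the real installer): 1024 bytes with a 200-byte
# span cut out, and a second copy where 10 bytes were put in its place.
SAMPLE_ORIGINAL = bytes(range(256)) * 4
SAMPLE_CUT = SAMPLE_ORIGINAL[:300] + SAMPLE_ORIGINAL[500:]
SAMPLE_SUBSTITUTED = SAMPLE_ORIGINAL[:300] + b"\xff" * 10 + SAMPLE_ORIGINAL[500:]

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python diff_region.py genuine.exe suspect.exe
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            print(describe(find_removed_region(f1.read(), f2.read())))
    else:
        print(describe(find_removed_region(SAMPLE_ORIGINAL, SAMPLE_CUT)))
        print(describe(find_removed_region(SAMPLE_ORIGINAL, SAMPLE_SUBSTITUTED)))
```

Both files are read fully into memory, which is fine for an installer of a few hundred megabytes. A clean cut plus an invalid Authenticode signature is consistent with a truncated or corrupted download; a substitution or an insertion is the case where content was actually replaced and the inserted bytes should be examined on their own.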
king99 (author), posted June 25, 2023:
I uploaded the file to the Intezer platform and it says it's 100 percent malicious. Could it be a false positive because of just a broken download? https://analyze.intezer.com/analyses/0bd6495e-4aa6-4522-a025-baf5ad79938c Thanks for the reply.
itman, posted June 25, 2023:
1 hour ago, king99 said:
"I uploaded the file to the Intezer platform and it says it's 100 percent malicious. Could it be a false positive because of just a broken download?"
Looks like the detection was an Avast behavior-based one. One possibility is this download was tampered with, as indicated by the invalid signature. Also, this "Dirty Moe" malware does install a signed kernel mode mini-port driver.
itman, posted June 25, 2023 (edited):
A few other comments about "Dirty Moe" malware. It is deployed via exploiting:
Quote: "The DirtyMoe malware uses a simple idea of how to be modularized, undetectable, and untrackable at the same time. The aim of this malware is focused on Cryptojacking and DDoS attacks. DirtyMoe is run as a Windows service under system-level privileges via EternalBlue and at least three other exploits." https://decoded.avast.io/martinchlumecky/dirtymoe-1/
The VirtualBox sample referenced at VT dates to 2018. There was a vulnerability in VB at that time that was being ignored by Oracle. A researcher was so frustrated with Oracle for ignoring the vulnerability that he created his own POC exploit code and released it publicly: https://www.bleepingcomputer.com/news/security/virtualbox-zero-day-vulnerability-details-and-exploit-are-publicly-available/ . Putting it all together, it appears this VB sample was altered to include either the exploit code and possibly the Dirty Moe malware code, or dropper code to download it from the attack C&C server.
-EDIT- Forgot this "tidbit", which is why Dirty Moe is referenced as undetectable:
Quote: "All the while, attackers used VMProtect and the malware's own encryption algorithm to hide what they were doing. They also employed rootkit techniques for concealing the botnet and a multi-level network communication architecture to hide their servers." https://securityintelligence.com/news/dirtymoe-botnet-returns-undetectable-threat-profile/
Edited June 25, 2023 by itman
king99 (author), posted June 26, 2023:
Thanks for the help, itman, I really appreciate it. I clearly remember downloading the VBox back in 2018 from the original website. Does that mean that the VBox site was compromised at that time? Or was it a MITM attack? To make the situation more bizarre, I just found in the download folder of Patchmypc an Oracle cert, which is extremely odd. Reported it to Patchmypc, no response yet. https://www.virustotal.com/gui/file/75e96bab78e894c582d115f74392d87213222e3356f858161d33f0f9719a05e9/detection Could it be the malware evolved from 2018 to hide itself with compromised digital signatures? Please bear with me a little, I'm a noob in the malware world.
itman, posted June 26, 2023:
7 hours ago, king99 said:
"I clearly remember downloading the VBox back in 2018 from the original website. Does that mean that the VBox site was compromised at that time? Or was it a MITM attack?"
My best guess is that the VirtualBox 2018 download will not install currently on Win 10/11. Assumed is that the cert for the download is SHA-1 signed. Microsoft disallowed SHA-1 certs in 2019: https://support.microsoft.com/en-us/topic/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus-64d1c82d-31ee-c273-3930-69a4cde8e64f . I just downloaded VB ver. 7.0.8 from here: https://www.virtualbox.org/wiki/Downloads. The download is validly signed with a SHA-2 cert. Of note, the old SHA-1 cert dating to 2014 is still shown. It is also shown as invalid due to not being validly countersigned. My best guess at this point is your VirtualBox 2018 download is showing as invalidly signed for the above reasons. At this point, it is impossible to determine how you downloaded a malicious version of VB.
7 hours ago, king99 said:
"To make the situation more bizarre, I just found in the download folder of Patchmypc an Oracle cert."
I suspect that Oracle cert is for manually signing VB Win kernel modules to remove conflict with Win 10/11 Secure Boot processing, as noted here: https://gist.github.com/reillysiemens/ac6bea1e6c7684d62f544bd79b2182a4
king99 (author), posted June 27, 2023:
Wow, thanks. Really thorough analysis, I really appreciate the help. Regards