Clipper.1 Analyzing a generic .NET Clipboard Hijacker
December 16, 2022

Getting your hands on malware C2s (for vulnerability research) isn't easy without financing cybercrime groups. Thankfully, there's a cheap solution: leaks! It isn't exactly legal, but no threat actor would be brave/stupid enough to sue, so it's pretty safe. Scouring various barren forums is time-consuming; thankfully, I have my own secret mushroom patch with an abundant supply of fresh malware (which I discovered thanks to @c3rb3ru5d3d53c on Twitter).
As shown in the screenshot above, the leaked tools are backdoored “for seacurity reason”. This blog post will detail the analysis of this backdoor.
TL;DR #
The leaked tools come in the form of SFX archives bundled with a generic Clipper that is run when the archives are executed. The malware attempts to replace legitimate BTC, XMR and ETH addresses saved in the users' clipboard with its own. WinRAR/unrar can be used to extract the contents of the SFX archive without running the Trojan.
Infection chain #

IOCs #
SHA256(crack.exe): c3a6f41b0991f67f2a9cb77abea87ee06fb8e5c0f6db9b1ce6bc833dbe45c96c
Mutex: pqdXXeEmLRGXHCg1
Crypto addresses
- BTC: 1H8M6uYCSAquJuZjTjy33ruXs23hZy72E9
- XMR: 8AFcmXsQttSXuBeYCL9fpa2rn5JrDwwoihMerrwF48V7Ar1EKNTZyGa6G2tMFMhEZNEReroTLe2gPSMQw6VZLSD65AyBqzD
- ETH: 0x9e60ca775c5c6c65e900795782be58e0de549615
Extracting the backdoor #
Leaked tools come in the form of RAR archives containing a single eponymous PE file. This file is, in fact, a self-extracting RAR archive (SFX).
An SFX (SelF-eXtracting) archive is an archive merged with an executable module, which extracts the files from the archive when it is executed. SFX archives come in either the RAR or ZIP format. A script made of SFX commands (such as Setup=) can be embedded in the archive to specify programs to run when it is executed.
An SFX archive with such a script is therefore a ready-made dropper, and the technique is far from new.
The extraction of a 7-Zip SFX malware sample has been documented in this blog post by Tony Lambert, and an analysis of a WinRAR SFX sample was posted on the 0x00sec forum (sadly the images are no longer available).

The SFX script of a RAR SFX archive is stored as the archive comment and can be viewed with WinRAR on Windows (right-click, Open with WinRAR) or with unrar on Linux (unrar l archive.sfx | less). The screenshot below shows that the leaked tools are packaged with a shortcut (harmless, used only for advertising) and a PE file (crack.exe). The script's Setup command launches this executable automatically (WinRAR runs Setup programs once extraction has finished; Presetup would run them beforehand), so it must be the backdoor.

Extracting the leaked tool without infecting oneself is therefore a matter of running WinRAR/unrar twice: once on the outer RAR archive and a second time on the SFX executable it contains. Both tools treat the SFX as a plain archive and never execute its stub or its Setup command.
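As an added illustration of the point above (this is example code written for this post, not the malware author's or WinRAR's code), the script below locates the RAR archive appended to an SFX stub by parsing the PE section table and searching only the overlay, then carves it out so it can be listed or extracted with unrar without ever running the stub. The SFX it runs on is constructed inline: a minimal PE whose code section contains a decoy RAR signature and whose overlay holds a placeholder RAR5 archive.

```python
"""Carve the RAR archive out of a WinRAR SFX executable without running it.

Added example for this post (not code from the malware or from WinRAR).
A RAR SFX is a PE stub with the archive appended as an overlay, i.e. after
the last section's raw data, so the signature is searched only from there:
the stub's own code may legitimately contain the bytes "Rar!" as a constant.
"""
import shutil
import struct
import subprocess
from typing import Optional

RAR4_SIG = b"Rar!\x1a\x07\x00"      # RAR 1.5 - 4.x
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x


def overlay_offset(data: bytes) -> int:
    """Return the file offset where the PE's last section ends (start of the overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of the 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def find_rar_offset(data: bytes) -> Optional[int]:
    """Offset of the first RAR signature inside the overlay, or None if there is none."""
    start = overlay_offset(data)
    hits = [i for i in (data.find(RAR4_SIG, start), data.find(RAR5_SIG, start)) if i != -1]
    return min(hits) if hits else None


def carve_rar(data: bytes) -> bytes:
    """Return the embedded archive bytes; raises if the file is not a RAR SFX."""
    off = find_rar_offset(data)
    if off is None:
        raise ValueError("no RAR signature in overlay: not a RAR SFX")
    return data[off:]


def carve_file(sfx_path: str, out_path: str) -> int:
    """Carve sfx_path into out_path (a plain .rar) and return the archive offset."""
    with open(sfx_path, "rb") as f:
        data = f.read()
    archive = carve_rar(data)
    with open(out_path, "wb") as f:
        f.write(archive)
    return len(data) - len(archive)


def list_with_unrar(archive_path: str) -> Optional[str]:
    """Run `unrar l` on the carved archive (prints the SFX script comment and the file list).
    Returns None when unrar is not installed."""
    unrar = shutil.which("unrar")
    if unrar is None:
        return None
    return subprocess.run([unrar, "l", archive_path], capture_output=True, text=True, check=False).stdout


def build_fake_sfx(archive: bytes) -> bytes:
    """Constructed test input: a minimal one-section PE32 stub with `archive` as its overlay."""
    e_lfanew, raw_ptr, raw_size = 0x40, 0x200, 0x200
    hdr = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    hdr[0x3C:0x40] = struct.pack("<I", e_lfanew)
    # COFF header: i386, 1 section, no optional header (enough for the parser above)
    hdr += b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    # Section header: name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, rest zero
    hdr += b".text\x00\x00\x00" + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr) + b"\x00" * 16
    hdr += b"\x00" * (raw_ptr - len(hdr))
    body = bytearray(b"\x90" * raw_size)
    body[0x80:0x80 + len(RAR4_SIG)] = RAR4_SIG   # decoy signature inside the stub's code
    return bytes(hdr) + bytes(body) + archive


# Constructed placeholder: a RAR5 signature followed by filler, not a valid archive.
FAKE_ARCHIVE = RAR5_SIG + b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff"
SAMPLE = build_fake_sfx(FAKE_ARCHIVE)

if __name__ == "__main__":
    print(f"naive search hits the decoy at {SAMPLE.find(RAR4_SIG):#x}, "
          f"overlay search finds the archive at {find_rar_offset(SAMPLE):#x}")
```

On a real sample, `carve_file("crack.exe", "crack.rar")` followed by `unrar l crack.rar` shows the SFX script and file list, and `unrar x crack.rar` extracts the contents; the carve is purely static, so the stub is never executed.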
Analyzing the backdoor #
DIE indicates the backdoor is a small (18 KB) .NET PE32 executable.

The sample lights VirusTotal up like a Christmas tree and is flagged as Trojan.Generic and TrojanBanker. The backdoor's Assembly Name (Crypto.exe) and its call to AddClipboardFormatListener suggest it is a Clipboard Hijacker.
A Clipper (Clipboard Hijacker) is malware that watches the clipboard for cryptocurrency wallet addresses and silently replaces them with addresses controlled by the attacker, so that a victim who copies and pastes a recipient address sends the funds to the attacker instead.

Opening the malware in dnSpy
reveals that the code is completely unobfuscated. On execution, the malware performs two preliminary actions before running. It first checks if a mutex exists (green), this is to ensure that only one instance of the malware can run at a given time. It then establishes persistence (blue) by copying itself to the Startup directory. After that, the program instantiates a ClipboardNotification.NotificationForm
and passes it to Application.Run
(red).

The NotificationForm turns its window into a message-only window with a call to SetParent using the HWND_MESSAGE parent (here are the different HWND constants) and subscribes to clipboard events with AddClipboardFormatListener. A message-only window is never displayed; it exists solely to receive messages.

The NotificationForm overrides WndProc (the function that processes messages sent to a window) and waits for a message whose ID is 0x031D (WM_CLIPBOARDUPDATE). When one arrives, it reads the clipboard, checks whether the text is a BTC address and, if so, replaces it with the attacker's address. The same check is repeated for Monero and Ethereum addresses.

The malware's own Clipboard class wraps the GetText and SetText methods of System.Windows.Forms.Clipboard so that each call runs on a new thread before returning (the Forms clipboard API must be called from an STA thread). Its SetText wrapper additionally exfiltrates the victim's original address and the address it was replaced with to a C2 via a GET request.

The addresses, the mutex value, the C2 URL and the remaining configuration data are stored unencrypted in the Addresses class.

The second blog post in this series will be about coding a static config extractor for the Clipper. Stay tuned!