Threat Report

Thursday December 5th 2019

In this week’s (usually weekly) threat report we have a batch of new attacker tools, covering the Buer loader, CStealer malware, CallerSpy mobile malware, and the PyXie Remote Access Trojan (RAT). We’ve also got a cautionary tale for the threat actors who create and operate these tools: the takedown of a RAT from Down Under.

Buer loads up baddies with new loader tool

Buer, a new downloader first seen in late August 2019, has appeared in a variety of threat campaigns. These include malvertising leading to exploit kits, delivery as a secondary payload via Ostap, and use as a primary payload that in turn downloads malware such as The Trick banking Trojan.

The new loader has robust geotargeting, system profiling, and anti-analysis features and is currently being marketed on underground forums with value-added setup services. The Russian-speaking author(s) are actively developing the downloader, with sophisticated control panels and a rich feature set that make the malware competitive in underground markets.

The downloader is written in C while the control panel is written in .NET Core, indicating optimization for performance and a small download footprint, as well as the ability to install the control panel easily on Linux servers. Built-in support for Docker containers will further facilitate its proliferation on rented hosts used for malicious purposes, and potentially on compromised hosts as well; Docker support is called out in both its advertised features and its release notes.

Notably, the software will not run in the CIS (the Commonwealth of Independent States, i.e. former Soviet states such as Russia), a self-restriction commonly seen in crimeware sold by Russian-speaking authors. The underground market ad describes the following features for the server and control panel:

  • The control panel is advertised as also being written in .NET Core, noting easy installation on Ubuntu / Debian Linux server systems.
  • The server provides statistics including counters for online, living, dead, and total bots; a real-time update for the list of bots; a file download counter; and an ability to filter systems by type of operating system, access rights of installed bots, and number of logical CPU cores.

  • Downloaded files from the infected systems are stored in encrypted form on the server, with access granted by a token.

  • The server does not process API requests sent from within CIS-member countries.

  • Launching the loader consists of three steps: if the first two steps are unsuccessful on the infected system and injection into the surrogate process fails (for example, due to incompatibility with the crypter used), the loader will execute under its own process instead.

  • API access is accomplished using HTTPS with support for self-signed certificates.

  • Tasks can be created for a specific bot ID, which suits targeted (point) loads.

  • The control panel supports Docker container deployments.

Many of these features were disclosed in release notes, which demonstrates that the malware is under active, professional development. The release notes also describe:

  • The loader has acquired a new method for launching “External” (local file) tasks. Its advantages are uniqueness and that the loader itself makes no CreateProcess / ShellExecute call; the launch produces a trusted process without any command line passed to it.

  • The panel can tag all bots that have performed a specific task, allowing the operator to distribute a payload to selected groups of bots.

The following indicators were released with the report.

URLs

http://45.76.247[.]177:8080/api/update/
https://173.212.204[.]171/api/update/
http://134.0.119[.]53:8080/api/update/
https://garrisontx[.]us/api/update/
https://185.130.104[.]187/nana/kum.php?pi=18b

Domains

garrisontx[.]us
ffload01[.]top

IPs

185.125.58[.]11
185.186.141[.]129

CStealer targets your Chrome credentials

A new malware dubbed “CStealer”, observed by the Malware Hunter Team, steals passwords stored in the Google Chrome browser. Rather than reporting to a conventional command-and-control server, the malware connects directly to a remote MongoDB database and stores the stolen credentials there, using the MongoDB driver as a client library bundled into the malware. The attackers chose this method to keep the stolen credentials available for later attacks. Researchers note that the database credentials are hardcoded in the malware, so anyone who obtains a sample can retrieve them and gain access to every stolen Chrome credential in the database.
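The weakness described above is easy to show in practice. The following is an added triage helper, not code from the CStealer sample or from the Malware Hunter Team: it scans a binary blob for hardcoded MongoDB connection strings (ASCII and UTF-16LE, since .NET and wide-char C/C++ binaries store string literals as UTF-16) and parses out the embedded username, password, hosts and database. The sample blob, host names and credentials below are constructed placeholders, not indicators from the report.

```python
"""Recover hardcoded MongoDB connection strings from a binary (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Simplified MongoDB URI: mongodb:// or mongodb+srv://, then any run of
# printable non-space characters (user:pass@hosts/db?options).
MONGO_URI_BYTES_RE = re.compile(rb"mongodb(?:\+srv)?://[\x21-\x7e]+")
MONGO_URI_TEXT_RE = re.compile(r"mongodb(?:\+srv)?://[\x21-\x7e]+")
# Runs of at least 8 printable UTF-16LE code units (ASCII byte followed by NUL).
UTF16_RUN_RE = re.compile(rb"(?:[\x21-\x7e]\x00){8,}")


@dataclass
class MongoCred:
    uri: str
    username: Optional[str]
    password: Optional[str]
    hosts: List[str]
    database: Optional[str]


def parse_mongo_uri(uri: str) -> MongoCred:
    """Split a MongoDB URI into credentials, host list and database name.

    The URI spec requires '@', ':', '/' and '?' inside the user info to be
    percent-encoded, so the fields can be split on the literal delimiters.
    """
    body = uri.split("://", 1)[1]
    body = body.split("?", 1)[0]                 # drop ?options
    hostpart, _, database = body.partition("/")  # /database is optional
    username = password = None
    if "@" in hostpart:
        cred, _, hostpart = hostpart.rpartition("@")
        user, sep, pw = cred.partition(":")
        username = unquote(user)
        password = unquote(pw) if sep else None
    hosts = [h for h in hostpart.split(",") if h]
    return MongoCred(uri, username, password, hosts, database or None)


def find_mongo_uris(blob: bytes) -> List[MongoCred]:
    """Return every distinct MongoDB URI found in the blob, ASCII first."""
    texts = [m.group(0).decode("ascii") for m in MONGO_URI_BYTES_RE.finditer(blob)]
    for run in UTF16_RUN_RE.finditer(blob):
        texts.extend(MONGO_URI_TEXT_RE.findall(run.group(0).decode("utf-16le")))
    seen, found = set(), []
    for text in texts:
        text = text.rstrip("\"'),;")             # trailing quote/punctuation from source code
        if text not in seen:
            seen.add(text)
            found.append(parse_mongo_uri(text))
    return found


# Constructed stand-in for a stealer binary: a fake header, a Chrome profile
# path, one ASCII URI and one UTF-16LE URI. All names/credentials are invented.
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 12
    + b"Chrome\\User Data\\Default\\Login Data\x00"
    + b"mongodb://stealer:Sup3r%40Secret@db.example.invalid:27017/loot?retryWrites=true\x00"
    + b"\x00" * 8
    + "https://api.example.invalid/v1".encode("utf-16le") + b"\x00\x00"
    + "mongodb+srv://ro_user:r3ad@cluster0.example.invalid/loot".encode("utf-16le") + b"\x00\x00"
)

if __name__ == "__main__":
    for cred in find_mongo_uris(SAMPLE_BINARY):
        print(f"{cred.uri}\n  user={cred.username} pass={cred.password} "
              f"hosts={cred.hosts} db={cred.database}")
```

Run the same scan over a real sample (`find_mongo_uris(open(path, "rb").read())`) to confirm a hardcoded exfiltration database; the point for defenders is that the exfil store is identifiable, and for responders that the recovered host is worth a takedown request rather than a login attempt.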

CallerSpy Mobile Malware

A new malware dubbed “CallerSpy,” observed by the Trend Micro security team, was found disguised as an application called “Chatrious” to hide its malicious behavior from victims. Once installed on the victim’s device, it connects to its command-and-control server and waits for commands, which schedule jobs to steal information including call logs, SMS messages, contacts, and files on the device. In addition to these collection capabilities, it can take screenshots on command from the server and send them back.

Researchers noted that all of the stolen information is first collected into a local database on the device before being uploaded to the command-and-control server periodically. At the time of writing it is unclear which specific industries are targeted, and the researchers conclude that this campaign is in the initial phase of the attack. Users should keep the device operating system and applications up to date, and be wary of apps obtained outside official app stores. The following indicators of compromise were released with the report.

IPs

3.95.71[.]123
18.206.105[.]66
52.21.5[.]241
40.114.109[.]69

Tetris game trojanized with PyXie

A new remote access trojan dubbed “PyXie” was observed by the Cylance security team targeting the healthcare and education industries. PyXie RAT has been active since at least 2018 and in the new campaign is delivered through a trojanized open-source Tetris game that loads and executes Cobalt Strike beacons and a custom loader. The attacks consist of three stages.

The first stage uses a sideloading technique, abusing a legitimate LogMeIn or Google binary to load the first-stage components of the malware. The second stage handles installation and persistence, fingerprinting the targeted machine by generating a hardware ID hash before injecting the third-stage payload. The third-stage payload features the “Cobalt Mode” downloader, whose primary functions are connecting to the command-and-control server, downloading an encrypted payload, decrypting it, mapping and executing it in memory, and spawning a new process for code injection.

Researchers note that PyXie RAT operators take a number of steps to obfuscate key components. To reduce exposure, users and organizations are recommended to keep computer systems and software up to date. Note that several of the domains listed below use the .bit top-level domain, which resolves only through the Namecoin blockchain (or gateways to it) rather than public DNS, so a query for one in your resolver logs is itself suspicious. The following indicators of compromise were released with the report.

IPs

104.200.67[.]173
192.52.167[.]241
185.82.202[.]109

Domains

benreat[.]com
floppys[.]bit
teamchuan[.]com
fearlesslyhuman[.]org
athery[.]bit
tedxns[.]com
sarymar[.]com
babloom[.]bit
hwartless[.]bit
c1oudflare[.]com
planlamaison[.]com
dopearos[.]com
foods-pro[.]com
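The indicator lists in this report (Buer, CallerSpy and PyXie) are published defanged, and the PyXie set mixes IPs, registered domains, .bit domains and a lookalike (c1oudflare[.]com). The following is an added example of how a SOC would operationalize them; it is not tooling from Proofpoint, Trend Micro or Cylance. The indicator strings are copied from the lists above; the log lines, internal addresses and field names are constructed for the demonstration. It refangs the indicators, indexes URL IOCs together with their hosts, matches domains by suffix so subdomains of a listed domain hit, and lists the .bit domains that need special handling in DNS telemetry.

```python
"""Refang and match the report's indicators against log lines (added example)."""
import re
from ipaddress import ip_address
from typing import Dict, Iterable, List, Optional, Tuple

from urllib.parse import urlsplit

# Indicators as published above, still defanged.
RAW_IOCS: Dict[str, List[str]] = {
    "Buer": [
        "http://45.76.247[.]177:8080/api/update/", "https://173.212.204[.]171/api/update/",
        "http://134.0.119[.]53:8080/api/update/", "https://garrisontx[.]us/api/update/",
        "https://185.130.104[.]187/nana/kum.php?pi=18b",
        "garrisontx[.]us", "ffload01[.]top", "185.125.58[.]11", "185.186.141[.]129",
    ],
    "CallerSpy": ["3.95.71[.]123", "18.206.105[.]66", "52.21.5[.]241", "40.114.109[.]69"],
    "PyXie": [
        "104.200.67[.]173", "192.52.167[.]241", "185.82.202[.]109",
        "benreat[.]com", "floppys[.]bit", "teamchuan[.]com", "fearlesslyhuman[.]org",
        "athery[.]bit", "tedxns[.]com", "sarymar[.]com", "babloom[.]bit", "hwartless[.]bit",
        "c1oudflare[.]com", "planlamaison[.]com", "dopearos[.]com", "foods-pro[.]com",
    ],
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

Match = Tuple[str, str]  # (indicator that matched, malware family)


def refang(ioc: str) -> str:
    """Undo the usual defanging ('[.]', 'hxxp') and normalise case."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def is_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


class IocIndex:
    def __init__(self, raw: Dict[str, List[str]]):
        self.ips: Dict[str, str] = {}
        self.domains: Dict[str, str] = {}
        self.urls: List[Match] = []
        for family, values in raw.items():
            for value in map(refang, values):
                if "://" in value:
                    self.urls.append((value, family))
                    value = urlsplit(value).hostname or ""  # index the URL's host too
                if is_ip(value):
                    self.ips[value] = family
                elif value:
                    self.domains[value] = family

    def match_host(self, host: str) -> Optional[Match]:
        """Exact IP match, or domain match walking up the label suffixes."""
        host = host.lower().rstrip(".")
        if host in self.ips:
            return host, self.ips[host]
        labels = host.split(".")
        for i in range(len(labels) - 1):        # never match a bare TLD
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate, self.domains[candidate]
        return None

    def match_url(self, url: str) -> Optional[Match]:
        url = url.lower()
        for ioc, family in self.urls:
            if url == ioc or url.startswith(ioc):
                return ioc, family
        return None

    def bit_domains(self) -> List[str]:
        """Namecoin (.bit) domains: unresolvable via public DNS, so treat any query as a hit."""
        return sorted(d for d in self.domains if d.endswith(".bit"))


def scan_lines(index: IocIndex, lines: Iterable[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, kind, indicator, family) for each distinct indicator per line."""
    hits = []
    for n, line in enumerate(lines, 1):
        found: Dict[str, Tuple[str, str, str]] = {}
        covered = set()                          # hosts already explained by a URL hit
        for url in URL_RE.findall(line):
            url = url.rstrip(".,;)")
            host = (urlsplit(url).hostname or "").lower()
            m = index.match_url(url)
            if m is None and host:
                m = index.match_host(host)
                kind = "host"
            else:
                kind = "url"
            if m:
                found[m[0]] = (kind,) + m
                covered.add(host)
        for token in IPV4_RE.findall(line) + HOST_RE.findall(line):
            token = token.lower()
            if token in covered:
                continue
            m = index.match_host(token)
            if m and m[0] not in found:
                found[m[0]] = ("host",) + m
        hits.extend((n,) + h for h in found.values())
    return hits


# Constructed proxy/DNS/firewall lines; 10.20.0.0/16 is an invented internal range.
SAMPLE_LOGS = [
    "2019-12-05T09:14:02Z proxy src=10.20.0.15 dst=45.76.247.177:8080 GET http://45.76.247.177:8080/api/update/ ua=Mozilla/4.0",
    "2019-12-05T09:14:30Z dns client=10.20.0.15 query=cdn.garrisontx.us type=A rcode=NOERROR",
    "2019-12-05T09:15:11Z dns client=10.20.0.41 query=floppys.bit type=A rcode=NXDOMAIN",
    "2019-12-05T09:16:45Z fw src=10.20.0.41 dst=192.52.167.241 dport=443 action=allow",
    "2019-12-05T09:17:00Z dns client=10.20.0.7 query=www.cloudflare.com type=A rcode=NOERROR",
    "2019-12-05T09:18:22Z proxy src=10.20.0.9 GET https://www.example.com/api/update/ ua=curl/7.64",
]

if __name__ == "__main__":
    idx = IocIndex(RAW_IOCS)
    for line_no, kind, ioc, family in scan_lines(idx, SAMPLE_LOGS):
        print(f"line {line_no}: {family} {kind} indicator {ioc}")
    print("Namecoin domains to watch in DNS logs:", idx.bit_domains())
```

Two things the sample output makes visible: the legitimate www.cloudflare.com query is not matched by the c1oudflare[.]com typosquat, and the floppys.bit query returns NXDOMAIN from a normal resolver yet is still a hit, because a host that even asks for a Namecoin name has something installed that expected to resolve it.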

Imminent Monitor down for the count

On November 29, law enforcement agencies announced the takedown of the infrastructure of the “Imminent Monitor” remote access trojan (RAT) with 14 arrests across eight countries, including the tool’s creator in Australia.

According to a press release from Europol, the operation spanned two stages. The first occurred in June 2019, when Australian and Belgian police searched the homes of the malware author and one of his employees. The second stage occurred in the week of the announcement, when authorities took down the tool’s website and arrested the malware’s author and 13 of its most prolific users. Arrests occurred in Australia, Colombia, Czechia, the Netherlands, Poland, Spain, Sweden, and the United Kingdom.

Following this takedown, “licensed Imminent Monitor builders will no longer be able to produce new client malware nor can the controllers access their victims,” and although cracked versions of Imminent Monitor “already exist and will continue to circulate, they can’t benefit from bug fixes, feature enhancements, support, or efforts to improve their undetectability.”

Imminent Monitor was developed by a threat actor named “Shockwave™,” who registered the domain imminentmethods[.]info in 2012, and in April 2013 started selling Imminent Monitor on online forums. Advertisements of Imminent Monitor professed legitimacy but features like log encryption and a fully undetectable crypter revealed otherwise. Imminent Monitor’s control panel includes standard features of a remote access trojan, including file manager, process manager, command prompt, remote webcam monitoring, password recovery, and more.

In 2014, Imminent Monitor expanded in functionality with the introduction of supporting third-party plugins. Imminent Monitor was originally licensed to each customer for $25. Throughout the years, the price remained the same, but new multi-license options were made available over time ($40 for small business license, $100 for medium business license). These features and accessible pricing made Imminent Monitor widely available and easily accessible to cybercriminals regardless of skill level.

Paul Scott
