Insights and Research

FreeCryptoScam - A New Cryptocurrency Scam That Leads to Installation of Backdoors and Stealers

FreeCryptoScam attack poses as a cryptocurrency giveaway

Introduction

In January 2022, the ThreatLabz research team identified a crypto scam, which we've dubbed "FreeCryptoScam." In this scam, the threat actor targets crypto users by luring them with an offer of free cryptocurrency. When the victim downloads the payload, it leads to installation of multiple malware payloads on the victim's system, allowing the threat actor to establish backdoors and/or steal user information. In this campaign, we see the Dark Crystal RAT ("DCRat") being downloaded which further leads to Redline and TVRat being downloaded and executed onto the victim’s system.

This blog aims to explain various aspects of the campaign that the ThreatLabz team has uncovered during the investigation and technical analysis of the dropped payloads.

 

Website Analysis

In this campaign, threat actors host their malicious payload on either a new (Figure 1) or an old compromised web domain (Figure 2 & Figure 3). They use the below mechanisms to successfully drop the payload to the victim machine:

  1. As soon as the user visits the website, the below javascript under a “script” tag gets executed to drop a payload:
    setTimeout(document.location.href=<link of the payload>, <milliseconds>)
  2. As soon as the user clicks on the button, the “href” property is used to drop the payload that consists of the payload link.

 

Figure 1: Newly spun up website hosting malicious payloads

 

Figure 2: Old compromised websites used for hosting malicious payload

It should be noted that:

  • The threat actor uses social engineering to drive successful payload execution, luring victims to install the dropped payload by using a message offering free cryptocurrency. 
  • The attack works across browsers, with the mechanism running the same way in Chrome, Internet Explorer, and Firefox. Depending on the browser settings, the payload will be automatically downloaded, or a pop-up window will ask the user to save the application on the system.
  • From the whois record, it is clear that the second domain (shown in Figure 2) is an old domain that has likely been compromised.

Figure 3: Whois report of the second domain [Credit: DomainTools]

 

Attack Chain

The figure below depicts the attack chain of two scenarios:

Figure 4: Attack chain

 

Technical Analysis

As shown in the above figure, we found two types of payload:

  1. In Scenario 1, the payload was a downloader that connected to another malicious domain hosting second stage payloads—backdoors and stealers. In most cases, the downloaded files were DCRat, Redline, and TVRat.
  2. In Scenario 2, the payload served the DCRat malware directly. 

[+] Scenario 1: Downloader DCRatLoader

For the purposes of analysis, we will look at the payload with MD5 hash: D3EF4EC10EE42994B313428D13B1B0BD which was protected by a well-known packer named Asprotect and given a fake certificate (as shown in the figure below).

Figure 5: Version information and digital certificate 

After unpacking the file, we get a 48KB .NET executable file (MD5 = 469240D5A3B57C61F5F9F2B90F405999). This is a downloader consisting of base64 encoded urls and file paths (as shown in the figure below ).

Figure 6: Code of Unpacked file

These base64 encoded strings represent the URL paths for downloading stage 2 payloads as well as the file paths where these payloads will be dropped on the victim system.

Figure 7: URLs and File paths

 

Scenario 2: DCRat

The second scenario involved direct download of the DCRat payload which was also protected by Asprotect. Upon unpacking, we get a 664KB .NET executable file (MD5= 37F433E1843602B29EC641B406D14AFA) which is the DCRat malware (shown in the figure below). 

Figure 8: Strings found in memory

Network Traffic:

Figure 9: Network traffic observed

Figure 10: Get request sent to C&C

In addition to the DCRat code, we also found stealer code inside the unpacked binary. This part of the code exhibited stealer characteristics, which are often used to exfiltrate sensitive user information. Not only did it steal the information from the infected system, but also disabled the antivirus protection (if found enabled). The code in the figure below showcases the type of data being exfiltrated:

Figure 11: Stealer code 

 

Figure 12: Checks for antiviruses installed and disable them. 

 

We saw the sample created a mutex, named, "\Sessions\1\BaseNamedObjects\865218dd0bef38bd584e8c4ea44a4b7e295cb6f3" where 865218dd0bef38bd584e8c4ea44a4b7e295cb6f3 is the SHA1(hash value) of the string "DCR_MUTEX-BZrxW3QvqgtvhEFCpLSr" and “DCR_MUTEX” is symbolic of DCRat malware.

Figure 13: Configuration of the DCRat

 

Zscaler Sandbox Detection

Downloader Payload

 

DCRat payload

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to the campaign at various levels with the following threat names:

  • Win32.Downloader.DCRat
  • Win32.Downloader.Redline
  • Win32.Downloader.TVrat
  • Win32.Backdoor.Dcrat
  • Win32.Backdoor.Redline
  • Win32.Backdoor.Tvrat

We haven't categorized this campaign in association with any particular family because it's a generic downloader that downloads other backdoors or stealers.

 

MITRE ATT&CK AND TTP Mapping

 

ID

Tactic

Technique

T1189 

Drive-by Compromise

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. 

T1140

Deobfuscate/Decode Files or Information

Strings and other data are obfuscated in the payload

T1082

System Information Discovery

Sends processor architecture and computer name

T1083

File and Directory Discovery

Upload file from the victim machine

T1005 

Data from Local System 

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. 

T1222

File Directory Permissions Modification

Change directory permission to hide its file 

T1555

Credentials from password store

Steal stored password

T1056

Keylogging

Keylog of infected machine 

T1055

Process Injection

Inject code into other processes

 

 

Indicators of Compromise

 

[+] MD5 Hashes

d3ef4ec10ee42994b313428d13b1b0bd

469240d5a3b57c61f5f9f2b90f405999

6bc6b19a38122b926c4e3a5872283c56

3da7cbb5e16c1f02522ff5e49ffc39e7

fdec732050d0b59d37e81453b746a5f3

d27dba475f35ee9983de3541d4a48bda

67364aac61276a7a4abb7b339733e72c

2e30e741aaa4047f0c114d22cb5f6494

22c4c7c383f1021c80f55ced63ed465c

1c5cf95587171cc0950a6e1be576fedc

37f433e1843602b29ec641b406d14afa

A6718d7cecc4ec8aeef273918d18aa19

fa80b7635babe8d75115ebcc3247ffff

e6d174dd2482042a0f24be7866f71b8d

53be54c4311238bae8cf2e95898e4b12

 

[+] Network Indicators:

wetranszfer[.]com

dogelab[.]net

verio-tx[.]net

benbest[.]org

gorillaboardwj[.]com

dogelab[.]net

d0me[.]net

pshzbnb[.]com

ghurnibd[.]com

theagencymg[.]com

gettingtoaha[.]com

squidgame[.]to

178[.]20[.]44[.]131:8842 

92[.]38[.]241[.]101:36778 

mirtonewbacker[.]com 

94[.]103[.]81[.]146/php/Cpu4pythonserver/37Game/Video74Local/processtraffic.php?

Stay up to date with the latest digital transformation tips and news.

By submitting the form, you are agreeing to our privacy policy.