In January 2022, the ThreatLabz research team identified a crypto scam, which we have dubbed "FreeCryptoScam." In this scam, the threat actor targets cryptocurrency users by luring them with an offer of free cryptocurrency. When the victim downloads the payload, multiple malware payloads are installed on the victim's system, allowing the threat actor to establish backdoors and/or steal user information. In this campaign, we see Dark Crystal RAT ("DCRat") being downloaded, which in turn downloads and executes RedLine and TVRat on the victim's system.
This blog aims to explain various aspects of the campaign that the ThreatLabz team has uncovered during the investigation and technical analysis of the dropped payloads.
In this campaign, threat actors host their malicious payload on either a newly registered domain (Figure 1) or an old, compromised web domain (Figure 2 and Figure 3). They use the following mechanisms to drop the payload onto the victim's machine:
Figure 1: Newly spun up website hosting malicious payloads
Figure 2: Old compromised websites used for hosting the malicious payload
It should be noted that:
Figure 3: Whois report of the second domain [Credit: DomainTools]
The figure below depicts the attack chain of two scenarios:
Figure 4: Attack chain
As shown in the above figure, we found two types of payload:
[+] Scenario 1: Downloader DCRatLoader
For the purposes of analysis, we will look at the payload with MD5 hash D3EF4EC10EE42994B313428D13B1B0BD, which was protected by the well-known packer ASProtect and signed with a fake certificate (as shown in the figure below).
Figure 5: Version information and digital certificate
After unpacking the file, we get a 48KB .NET executable (MD5 = 469240D5A3B57C61F5F9F2B90F405999). This is a downloader containing Base64-encoded URLs and file paths (as shown in the figure below).
Figure 6: Code of the unpacked file
These Base64-encoded strings hold the URLs from which the stage 2 payloads are downloaded, as well as the file paths where those payloads are dropped on the victim's system.
Figure 7: URLs and file paths
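The loader's configuration is nothing more than a set of Base64 literals embedded in a .NET binary. The script below is an added example written for this post (not ThreatLabz's tooling and not code from the loader) showing how an analyst can triage such a downloader offline: scan a binary for Base64 runs stored either as ASCII or as UTF-16LE (the encoding .NET uses for string literals in the #US heap), strictly decode them, and classify the results as download URLs or drop paths. The blob, URL and path it operates on are constructed for the demonstration; none of them come from the sample.

```python
import base64
import binascii
import re
from typing import List, Optional

# Constructed sample blob (not bytes from the real DCRatLoader): two Base64
# literals, one stored as ASCII and one as UTF-16LE, surrounded by filler.
_URL = "http://malicious.example/stage2/payload.exe"          # constructed
_PATH = r"C:\Users\Public\Libraries\svchost.exe"               # constructed
_ASCII_LITERAL = base64.b64encode(_URL.encode("ascii"))
_UTF16_LITERAL = base64.b64encode(_PATH.encode("ascii")).decode("ascii").encode("utf-16-le")
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + _ASCII_LITERAL
    + b"\x00\x00\x00\x00"
    + _UTF16_LITERAL
    + b"\x00\x00\x00\x00\x01\x02\x03"
)

# Runs of Base64 alphabet long enough to be worth decoding (16+ chars = 12+ bytes),
# once as plain ASCII and once with the interleaved NULs of UTF-16LE.
_B64_ASCII = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
_B64_UTF16 = re.compile(rb"(?:[A-Za-z0-9+/]\x00){16,}(?:=\x00){0,2}")

_URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
# Drive-letter path, UNC path, or a path starting with an environment variable.
_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%[A-Za-z0-9_()]+%)")


def _decode_b64(text: str) -> Optional[str]:
    """Strict Base64 decode; None for runs that are not whole, valid literals."""
    if len(text) % 4:          # a partial run is almost never a whole literal
        return None
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        value = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return value if value.isprintable() else None


def classify(value: str) -> str:
    """Label a decoded string as a download URL, a drop path, or something else."""
    if _URL_RE.match(value):
        return "url"
    if _PATH_RE.match(value):
        return "path"
    return "other"


def extract_config(blob: bytes) -> List[dict]:
    """Find Base64 literals in either encoding, decode them, and classify them in file order."""
    hits = []
    for m in _B64_ASCII.finditer(blob):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in _B64_UTF16.finditer(blob):
        hits.append((m.start(), "utf-16-le", m.group().decode("utf-16-le")))
    results = []
    for offset, encoding, text in sorted(hits):
        value = _decode_b64(text)
        if value is None:
            continue
        results.append({"offset": offset, "encoding": encoding,
                        "kind": classify(value), "value": value})
    return results


if __name__ == "__main__":
    for hit in extract_config(SAMPLE_BLOB):
        print(f"{hit['offset']:#06x} {hit['encoding']:<9} {hit['kind']:<5} {hit['value']}")
```

Scanning for the UTF-16LE form matters in practice: a plain `strings`-style pass over a .NET assembly misses every literal in the #US heap, so a Base64 URL that is obvious in a decompiler is invisible to an ASCII-only extractor.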
[+] Scenario 2: DCRat
The second scenario involved direct download of the DCRat payload, which was also protected by ASProtect. Upon unpacking, we get a 664KB .NET executable (MD5 = 37F433E1843602B29EC641B406D14AFA), which is the DCRat malware (shown in the figure below).
Figure 8: Strings found in memory
Figure 9: Network traffic observed
Figure 10: GET request sent to C&C
In addition to the DCRat code, we also found stealer code inside the unpacked binary. This part of the code exhibits the characteristics of an information stealer, used to exfiltrate sensitive user data. Not only does it steal information from the infected system, it also disables antivirus protection if it finds it enabled. The code in the figure below shows the type of data being exfiltrated:
Figure 11: Stealer code
Figure 12: Checks for installed antivirus products and disables them
We saw the sample create a mutex named "\Sessions\1\BaseNamedObjects\865218dd0bef38bd584e8c4ea44a4b7e295cb6f3", where 865218dd0bef38bd584e8c4ea44a4b7e295cb6f3 is the SHA-1 hash of the string "DCR_MUTEX-BZrxW3QvqgtvhEFCpLSr"; the "DCR_MUTEX" prefix is characteristic of DCRat.
Figure 13: Configuration of the DCRat
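Because the mutex name is derived from a configuration string rather than hard-coded, a defender matching on the literal hash would miss a rebuilt sample with a different seed. The added example below (ours, not ThreatLabz's or DCRat's code) shows the two checks that follow from the construction described above: parse the NT object path down to its basename, flag mutexes whose basename is a bare 40-hex SHA-1 digest as hunting candidates, and confirm a specific candidate by recomputing SHA-1 over a suspected seed string. The mutex list is constructed to look like a sandbox report; the first entry reuses the mutex and seed quoted in this post, the others are filler.

```python
import hashlib
import re
from typing import List, Optional

# Constructed list in the style of a sandbox "mutexes created" section. Only the
# first entry and DCRAT_SEED come from the post; the other two are filler.
OBSERVED_MUTEXES = [
    r"\Sessions\1\BaseNamedObjects\865218dd0bef38bd584e8c4ea44a4b7e295cb6f3",
    r"\Sessions\1\BaseNamedObjects\Local\SM0:1234:168:WilStaging_02",   # constructed
    r"\BaseNamedObjects\Global\SomeOtherApp",                            # constructed
]
DCRAT_SEED = "DCR_MUTEX-BZrxW3QvqgtvhEFCpLSr"

# \Sessions\<n>\BaseNamedObjects\[Global\|Local\]<name>  or  \BaseNamedObjects\...
_OBJ_NAME = re.compile(
    r"^(?:\\Sessions\\\d+)?\\BaseNamedObjects\\(?:Global\\|Local\\)?(?P<name>[^\\]+)$"
)
_SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


def mutex_basename(full_name: str) -> Optional[str]:
    """Strip the session and BaseNamedObjects prefixes; None if the path is not one."""
    m = _OBJ_NAME.match(full_name)
    return m.group("name") if m else None


def sha1_hex(text: str) -> str:
    """Lower-case hex SHA-1 of a string, the transform the post describes for the mutex name."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def sha1_named_mutexes(names: List[str]) -> List[str]:
    """Hunting filter: mutexes whose basename is a bare SHA-1 digest. A lead, not a verdict."""
    out = []
    for n in names:
        base = mutex_basename(n)
        if base is not None and _SHA1_HEX.match(base.lower()):
            out.append(n)
    return out


def matches_seed(full_name: str, seed: str) -> bool:
    """True when the mutex basename equals SHA-1(seed) exactly."""
    base = mutex_basename(full_name)
    return base is not None and base.lower() == sha1_hex(seed)


if __name__ == "__main__":
    for candidate in sha1_named_mutexes(OBSERVED_MUTEXES):
        # The post states the digest is SHA-1 of DCRAT_SEED; recompute rather than trust.
        verdict = "matches seed" if matches_seed(candidate, DCRAT_SEED) else "no match"
        print(f"{candidate}: {verdict}")
```

The filter stage is deliberately loose: plenty of legitimate software also names mutexes after hashes, so the digest-shaped basename only earns a closer look, and attribution rests on the recomputation against a known seed.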
In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to the campaign at various levels with the following threat names:
We have not attributed this campaign to any particular malware family because the initial payload is a generic downloader that fetches other backdoors and stealers.
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Deobfuscate/Decode Files or Information: Strings and other data are obfuscated in the payload
System Information Discovery: Sends processor architecture and computer name
File and Directory Discovery: Uploads files from the victim machine
Data from Local System: Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration.
File and Directory Permissions Modification: Changes directory permissions to hide its files
Credentials from Password Stores: Steals stored passwords
Keylogging of the infected machine
Injects code into other processes
[+] MD5 Hashes
[+] Network Indicators