Introduction
In January 2022, the ThreatLabz research team identified a crypto scam, which we've dubbed "FreeCryptoScam." In this scam, the threat actor targets crypto users by luring them with an offer of free cryptocurrency. When the victim downloads the payload, it leads to installation of multiple malware payloads on the victim's system, allowing the threat actor to establish backdoors and/or steal user information. In this campaign, we see the Dark Crystal RAT ("DCRat") being downloaded which further leads to Redline and TVRat being downloaded and executed onto the victim’s system.
This blog aims to explain various aspects of the campaign that the ThreatLabz team has uncovered during the investigation and technical analysis of the dropped payloads.
Website Analysis
In this campaign, threat actors host their malicious payload on either a new (Figure 1) or an old compromised web domain (Figure 2 & Figure 3). They use the below mechanisms to successfully drop the payload to the victim machine:
- As soon as the user visits the website, the below javascript under a “script” tag gets executed to drop a payload:
“setTimeout(document.location.href=<link of the payload>, <milliseconds>)” - As soon as the user clicks on the button, the “href” property is used to drop the payload that consists of the payload link.
Figure 1: Newly spun up website hosting malicious payloads
Figure 2: Old compromised websites used for hosting malicious payload
It should be noted that:
- The threat actor uses social engineering to drive successful payload execution, luring victims to install the dropped payload by using a message offering free cryptocurrency.
- The attack works across browsers, with the mechanism running the same way in Chrome, Internet Explorer, and Firefox. Depending on the browser settings, the payload will be automatically downloaded, or a pop-up window will ask the user to save the application on the system.
- From the whois record, it is clear that the second domain (shown in Figure 2) is an old domain that has likely been compromised.
Figure 3: Whois report of the second domain [Credit: DomainTools]
Attack Chain
The figure below depicts the attack chain of two scenarios:
Figure 4: Attack chain
Technical Analysis
As shown in the above figure, we found two types of payload:
- In Scenario 1, the payload was a downloader that connected to another malicious domain hosting second stage payloads—backdoors and stealers. In most cases, the downloaded files were DCRat, Redline, and TVRat.
- In Scenario 2, the payload served the DCRat malware directly.
[+] Scenario 1: Downloader DCRatLoader
For the purposes of analysis, we will look at the payload with MD5 hash: D3EF4EC10EE42994B313428D13B1B0BD which was protected by a well-known packer named Asprotect and given a fake certificate (as shown in the figure below).
Figure 5: Version information and digital certificate
After unpacking the file, we get a 48KB .NET executable file (MD5 = 469240D5A3B57C61F5F9F2B90F405999). This is a downloader consisting of base64 encoded urls and file paths (as shown in the figure below ).
Figure 6: Code of Unpacked file
These base64 encoded strings represent the URL paths for downloading stage 2 payloads as well as the file paths where these payloads will be dropped on the victim system.
Figure 7: URLs and File paths
Scenario 2: DCRat
The second scenario involved direct download of the DCRat payload which was also protected by Asprotect. Upon unpacking, we get a 664KB .NET executable file (MD5= 37F433E1843602B29EC641B406D14AFA) which is the DCRat malware (shown in the figure below).
Figure 8: Strings found in memory
Network Traffic:
Figure 9: Network traffic observed
Figure 10: Get request sent to C&C
In addition to the DCRat code, we also found stealer code inside the unpacked binary. This part of the code exhibited stealer characteristics, which are often used to exfiltrate sensitive user information. Not only did it steal the information from the infected system, but also disabled the antivirus protection (if found enabled). The code in the figure below showcases the type of data being exfiltrated:
Figure 11: Stealer code
Figure 12: Checks for antiviruses installed and disable them.
We saw the sample created a mutex, named, "\Sessions\1\BaseNamedObjects\865218dd0bef38bd584e8c4ea44a4b7e295cb6f3" where 865218dd0bef38bd584e8c4ea44a4b7e295cb6f3 is the SHA1(hash value) of the string "DCR_MUTEX-BZrxW3QvqgtvhEFCpLSr" and “DCR_MUTEX” is symbolic of DCRat malware.
Figure 13: Configuration of the DCRat
Zscaler Sandbox Detection
Downloader Payload
DCRat payload
In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to the campaign at various levels with the following threat names:
- Win32.Downloader.DCRat
- Win32.Downloader.Redline
- Win32.Downloader.TVrat
- Win32.Backdoor.Dcrat
- Win32.Backdoor.Redline
- Win32.Backdoor.Tvrat
We haven't categorized this campaign in association with any particular family because it's a generic downloader that downloads other backdoors or stealers.
MITRE ATT&CK AND TTP Mapping
ID |
Tactic |
Technique |
T1189 |
Drive-by Compromise |
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. |
T1140 |
Deobfuscate/Decode Files or Information |
Strings and other data are obfuscated in the payload |
T1082 |
System Information Discovery |
Sends processor architecture and computer name |
T1083 |
File and Directory Discovery |
Upload file from the victim machine |
T1005 |
Data from Local System |
Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. |
T1222 |
File Directory Permissions Modification |
Change directory permission to hide its file |
T1555 |
Credentials from password store |
Steal stored password |
T1056 |
Keylogging |
Keylog of infected machine |
T1055 |
Process Injection |
Inject code into other processes |
Indicators of Compromise
[+] MD5 Hashes
d3ef4ec10ee42994b313428d13b1b0bd
469240d5a3b57c61f5f9f2b90f405999
6bc6b19a38122b926c4e3a5872283c56
3da7cbb5e16c1f02522ff5e49ffc39e7
fdec732050d0b59d37e81453b746a5f3
d27dba475f35ee9983de3541d4a48bda
67364aac61276a7a4abb7b339733e72c
2e30e741aaa4047f0c114d22cb5f6494
22c4c7c383f1021c80f55ced63ed465c
1c5cf95587171cc0950a6e1be576fedc
37f433e1843602b29ec641b406d14afa
A6718d7cecc4ec8aeef273918d18aa19
fa80b7635babe8d75115ebcc3247ffff
e6d174dd2482042a0f24be7866f71b8d
53be54c4311238bae8cf2e95898e4b12
[+] Network Indicators:
wetranszfer[.]com
dogelab[.]net
verio-tx[.]net
benbest[.]org
gorillaboardwj[.]com
dogelab[.]net
d0me[.]net
pshzbnb[.]com
ghurnibd[.]com
theagencymg[.]com
gettingtoaha[.]com
squidgame[.]to
178[.]20[.]44[.]131:8842
92[.]38[.]241[.]101:36778
mirtonewbacker[.]com
94[.]103[.]81[.]146/php/Cpu4pythonserver/37Game/Video74Local/processtraffic.php?