Report: Digitally signed rootkit in crack software

Discussion in 'Serious Discussion' started by harkaz, Aug 27, 2017.

  1. harkaz

    harkaz MDL Novice

    Dec 27, 2012
    31
    57
    0
    #1 harkaz, Aug 27, 2017
    Last edited: Aug 28, 2017
    I've come across a recently created rootkit, not yet detectable by many AV programs.

    This is part of an application "cracking" scam zip. That's not interesting, obviously.
    What's really interesting is that the main rootkit file (which installs itself as a Windows service) is digitally signed. Its icon is the same as the Process Explorer one (https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer).

    The rootkit seems to be related to cryptocurrency mining (first glance, not yet analyzed).

    Here is the digital certificate:

    [three certificate screenshots attached: upload_2017-8-27_17-58-29.png, upload_2017-8-27_18-5-11.png, upload_2017-8-27_18-5-24.png]

    I may have some time to analyze the thing and post a full analysis here. For reference, I'm posting the virus file in an encrypted zip file. Password: "virus" (Without the quotes)

    DO NOT OPEN THE FILE INSIDE, IT IS MALWARE!! ONLY DO SO IF YOU KNOW WHAT YOU'RE DOING (e.g. analyze the thing in a protected environment)!

    (Link removed to prevent non-legitimate use)
     
  2. R29k

    R29k MDL GLaDOS

    Feb 13, 2011
    4,650
    4,228
    150
    So why didn't you submit this to the malware companies?
     
  3. Mr.X

    Mr.X MDL Guru

    Jul 14, 2013
    5,566
    12,993
    180
    Perhaps he loves MDL sooooooooooooooooooooooooooo much! :p

    No seriously, it's a good idea to submit this to anti-malware firms
     
  4. R29k

    R29k MDL GLaDOS

    Feb 13, 2011
    4,650
    4,228
    150
    I don't see what purpose it serves to release potentially unknown malware on here so it can be reused by some unknown MDL lurker to do who knows what!
     
  5. Tiger-1

    Tiger-1 MDL Guru

    Oct 18, 2014
    2,510
    2,553
    90
    @harkaz hmm, thanks for the heads up, but I don't need it
     
  6. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    10,938
    10,475
    340
  7. Katzenfreund

    Katzenfreund MDL Expert

    Jul 15, 2016
    1,334
    766
    60
    Out of curiosity whether my AV would detect it, I tried to access the download yesterday on the day of posting, but was blocked for some reason. I didn't insist, as it wasn't a good idea in the first place.
     
  8. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    2,174
    1,163
    90
    Do not forget that curiosity killed the cat
     
  9. Tiger-1

    Tiger-1 MDL Guru

    Oct 18, 2014
    2,510
    2,553
    90
    :D no dude Katz don't forget never I'm sure :D:p
     
  10. harkaz

    harkaz MDL Novice

    Dec 27, 2012
    31
    57
    0
    I already did. I uploaded the file to VirusTotal (which sends it to AV companies for analysis).

    I'm not very experienced with this, thanks for the link. I will try to report the certificate (don't know how to fill in the "Website where the certificate is located or can be downloaded" field, since the malware is inside another file).

    I found the company's profile. It's not stolen, it's a shadow company: https://beta.companieshouse.gov.uk/company/10843206

    I'm not a member of a security-related forum (yet). This is why I posted the file here, so that any pro/hobbyist is able to analyze it and learn more about its functionality. On second thoughts, however, there is the possibility of non-legitimate use, so I will remove the file. For the same reason, I've decided not to publish in full detail any analysis of the malware I may be able to make.

    UPDATE: My AV software (COMODO) does recognize the malware now. Hope they've already submitted the cert for revocation.
     
  11. John Sutherland

    John Sutherland MDL Senior Member

    Oct 15, 2014
    476
    627
    10
    This thread reminds me of the time someone asked me "Here, try this yogurt, I think it might have gone bad." :biggrin:
     
  12. Katzenfreund

    Katzenfreund MDL Expert

    Jul 15, 2016
    1,334
    766
    60
    Then there was the electrician who asked his young assistant, "Touch this wire". The assistant did. The electrician then said, "OK, now be careful not to touch the other one next to it, because it's electrified".

    And once I saw in a German computer mag a list of warez sites with the warning, “Don’t get any free stuff from these, as it’s illegal”.
     
  13. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    10,938
    10,475
    340
    You may post any details of analyses here. You've mentioned it is cryptocurrency mining related.
    I wonder what it really does, since mining usually is done on ASIC chips, or maybe it is just designed to steal crypto coins.

    BTW: There is malware that is specially designed to steal private keys and certificates. Also CAs were attacked.
    And there is a way to inject code into the non signed area (end of certificate table) and execute it from a PE 'loader'.
    https://www.blackhat.com/docs/us-16...are-From-A-Digitally-Signed-Executable-wp.pdf
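    A defender-side check for the appended-payload pattern Yen links to above, added here as an example and not code from the thread or from the linked paper: it parses the PE security directory, measures how much of the WIN_CERTIFICATE entry the outer PKCS#7 DER SEQUENCE actually accounts for, and flags slack beyond the 8-byte alignment padding (or a table whose size disagrees with the entry, or data trailing the table). The sample PE and its placeholder PKCS#7 blob are constructed inline and would not pass any real signature check; `build_sample` and `certificate_slack` are names of my own.

```python
import struct

def der_total_length(blob):
    """Total encoded size (tag + length + body) of the outermost DER SEQUENCE, or None."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if not 1 <= n <= 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def security_directory(pe):
    """(file offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY (index 4), or None."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0] if pe[:2] == b"MZ" else 0
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 data-directory offset
    return struct.unpack_from("<II", pe, dirs + 4 * 8)

def certificate_slack(pe):
    """Report bytes in the certificate table that the PKCS#7 blob does not account for.
    Authenticode pads the table to 8 bytes, so slack above 7 bytes is the appended-payload pattern."""
    sec = security_directory(pe)
    if not sec or sec[1] == 0:
        return {"signed": False, "suspicious": False}
    off, size = sec
    dw_length = struct.unpack_from("<IHH", pe, off)[0]  # WIN_CERTIFICATE.dwLength
    pkcs7_len = der_total_length(pe[off + 8:off + dw_length]) or 0
    slack = dw_length - 8 - pkcs7_len
    return {"signed": True, "slack_bytes": slack,
            "suspicious": slack > 7 or dw_length != size or len(pe) > off + size}

def build_sample(extra=b""):
    """Constructed minimal PE32+ with a placeholder PKCS#7 SEQUENCE; `extra` is appended inside the table."""
    body = b"\x30\x06\x02\x01\x01\x04\x01\x41" + extra  # 8-byte DER SEQUENCE stand-in
    body += b"\0" * (-len(body) % 8)  # 8-byte alignment padding, as Authenticode uses
    dw_length = 8 + len(body)
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x94, 240)           # SizeOfOptionalHeader (PE32+)
    struct.pack_into("<H", hdr, 0x98, 0x20B)         # optional header magic: PE32+
    struct.pack_into("<II", hdr, 0x128, 0x200, dw_length)  # security directory entry
    return bytes(hdr) + struct.pack("<IHH", dw_length, 0x0200, 0x0002) + body
```

    On a real file, read it from disk and call `certificate_slack` on the bytes; a clean Authenticode-signed binary reports at most a few bytes of padding slack.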
     
  14. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    2,174
    1,163
    90
  15. Tiger-1

    Tiger-1 MDL Guru

    Oct 18, 2014
    2,510
    2,553
    90
    Hi Joe C, thanks for very useful and interesting links :) unfortunately things go very bad ;)
     
  16. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    10,938
    10,475
    340
    Before the EternalBlue exploit appeared as wannacry, which encrypts data, the same SMB exploit had been used to spread Adylkuzz, a mining malware.
    It's no ransomware like wannacry, but silently takes benefit of your CPU power.
    They mostly mine coins with less difficulty like Monero; anyway, mining requires a high CPU/GPU usage/load.
     
  17. harkaz

    harkaz MDL Novice

    Dec 27, 2012
    31
    57
    0
    OK, I will post all details then. I just need to find some free time to start debugging. Probably this weekend.
     
  18. MS_User

    MS_User MDL Guru

    Nov 30, 2014
    2,548
    377
    90
    #18 MS_User, Sep 12, 2017
    Last edited: Sep 12, 2017
    It sounds like that trojan certificate is designed to steal bitcoin accounts. They've been getting hacked a lot lately... I bet there's a good possibility that certificate came from Russia or China.
     
  19. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    10,938
    10,475
    340
    Certificates are either stolen from a server (private part to sign) or legitimately signed 'software' is used for malicious code injection...

    The malicious software then either mines coins itself, or steals the wallet, while a properly encrypted wallet is actually useless.
    You'd need malicious software that checks the virtual memory to spot the place and time when the private certificates (which authenticate your public BTC addresses) are decrypted and can be stolen and sent away; when using a cold wallet, such malicious code is useless though.

    Mining code can be spotted by high CPU usage.
     
  20. MS_User

    MS_User MDL Guru

    Nov 30, 2014
    2,548
    377
    90
    I bet the regular end user would never realize his digital wallet is being hacked or notice high CPU usage.