Report: Digitally signed rootkit in crack software

Discussion in 'Serious Discussion' started by harkaz, Aug 27, 2017.

  1. harkaz

    harkaz MDL Novice

    Dec 27, 2012
    41
    71
    0
    #1 harkaz, Aug 27, 2017
    Last edited: Aug 28, 2017
    I've come across a recently created rootkit, not yet detectable by many AV programs.

    This is part of an application "cracking" scam zip. That's not interesting, obviously.
    What's really interesting is that the main rootkit file (which installs itself as a Windows service) is digitally signed. Its icon is the same as the Process Explorer one (https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer).

    The rootkit seems to be related to cryptocurrency mining (first glance, not yet analyzed).

    Here is the digital certificate:

    [three screenshots of the certificate attached to the original post: upload_2017-8-27_17-58-29.png, upload_2017-8-27_18-5-11.png, upload_2017-8-27_18-5-24.png]

    I may have some time to analyze the thing and post a full analysis here. For reference, I'm posting the virus file in an encrypted zip file. Password: "virus" (Without the quotes)

    DO NOT OPEN THE FILE INSIDE, IT IS MALWARE!! ONLY DO SO IF YOU KNOW WHAT YOU'RE DOING (e.g. analyze the thing in a protected environment)!

    (Link removed to prevent non-legitimate use)
     
  2. R29k

    R29k MDL GLaDOS

    Feb 13, 2011
    4,706
    4,313
    150
    So why didn't you submit this to the malware companies?
     
  3. Mr.X

    Mr.X MDL Guru

    Jul 14, 2013
    6,002
    13,573
    210
    Perhaps he loves MDL sooooooooooooooooooooooooooo much! :p

    No seriously, it's a good idea to submit this to anti-malware firms.
     
  4. R29k

    R29k MDL GLaDOS

    Feb 13, 2011
    4,706
    4,313
    150
    I don't see what purpose it serves to release potentially unknown malware on here so it can be reused by some unknown MDL lurker to do who knows what!
     
  5. Tiger-1

    Tiger-1 MDL Guru

    Oct 18, 2014
    3,806
    4,114
    120
    @harkaz hmm, thanks for the heads up, but I don't need it
     
  6. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,250
    11,063
    340
  7. Katzenfreund

    Katzenfreund MDL Expert

    Jul 15, 2016
    1,372
    811
    60
    Out of curiosity whether my AV would detect it, I tried to access the download yesterday on the day of posting, but was blocked for some reason. I didn't insist, as it wasn't a good idea in the first place.
     
  8. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    2,561
    1,401
    90
    Do not forget that curiosity killed the cat
     
  9. Tiger-1

    Tiger-1 MDL Guru

    Oct 18, 2014
    3,806
    4,114
    120
    :D No dude, Katz will never forget, I'm sure :D:p
     
  10. harkaz

    harkaz MDL Novice

    Dec 27, 2012
    41
    71
    0
    I already did. I uploaded the file to VirusTotal (which sends it to AV companies for analysis).

    I'm not very experienced with this, thanks for the link. I will try to report the certificate (don't know how to fill in the "Website where the certificate is located or can be downloaded" field, since the malware is inside another file).

    I found the company's profile. It's not stolen, it's a shadow company: https://beta.companieshouse.gov.uk/company/10843206

    I'm not a member of a security-related forum (yet). This is why I posted the file here, so that any pro/hobbyist is able to analyze it and learn more about its functionality. On second thoughts, however, there is the possibility of non-legitimate use, so I will remove the file. For the same reason, I've decided not to publish in full detail any analysis of the malware I may be able to make.

    UPDATE: My AV software (COMODO) does recognize the malware now. Hope they've already submitted the cert for revocation.
     
  11. John Sutherland

    John Sutherland MDL Addicted

    Oct 15, 2014
    628
    896
    30
    This thread reminds me of the time someone asked me "Here, try this yogurt, I think it might have gone bad." :biggrin:
     
  12. Katzenfreund

    Katzenfreund MDL Expert

    Jul 15, 2016
    1,372
    811
    60
    Then there was the electrician who asked his young assistant, "Touch this wire". The assistant did. The electrician then said, "OK, now be careful not to touch the other one next to it, because it's electrified".

    And once I saw in a German computer mag a list of warez sites with the warning, “Don’t get any free stuff from these, as it’s illegal”.
     
  13. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,250
    11,063
    340
    You may post any details of analyses here. You've mentioned it is cryptocurrency mining related.
    I wonder what it really does, since mining is usually done on ASIC chips, or maybe it is just designed to steal crypto coins.

    BTW: There is malware that is specially designed to steal private keys and certificates. Also CAs were attacked.
    And there is a way to inject code into the non signed area (end of certificate table) and execute it from a PE 'loader'.
    https://www.blackhat.com/docs/us-16...are-From-A-Digitally-Signed-Executable-wp.pdf
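    A defender-side check for the unsigned regions Yen mentions, added here as an example and not part of any post in this thread: Authenticode excludes the certificate table from its hash, so bytes appended after the PKCS#7 blob inside that table, or after the table itself, survive signature verification. `build_sample_pe` and `FAKE_PKCS7` are constructed stand-ins for testing, not real signature data; on a real file call `check_cert_slack(open(path, "rb").read())`.

```python
import struct

SECURITY_DIR = 4  # index of the certificate table (IMAGE_DIRECTORY_ENTRY_SECURITY)

def der_length(blob):
    """Total encoded length of the DER SEQUENCE that starts at blob[0]."""
    if blob[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def check_cert_slack(data):
    """Report bytes in a PE image that the Authenticode hash does not cover."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24                          # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)   # data directories (PE32+ / PE32)
    off, size = struct.unpack_from("<II", data, dd + 8 * SECURITY_DIR)
    if size == 0:
        return {"signed": False}
    pkcs7 = data[off + 8:off + size]       # skip the 8-byte WIN_CERTIFICATE header
    used = der_length(pkcs7)
    return {
        "signed": True,
        "cert_slack": size - 8 - used,     # more than 7 exceeds 8-byte alignment padding
        "trailing": len(data) - (off + size),  # overlay after the certificate table
    }

def build_sample_pe(pkcs7, slack=b"", trailer=b""):
    """Constructed minimal PE32+ image with a certificate table, for testing only."""
    pe_off = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)).ljust(pe_off, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0)
    opt = struct.pack("<H", 0x20B).ljust(112, b"\0")
    cert_off = pe_off + len(coff) + 112 + 128
    cert = struct.pack("<IHH", 8 + len(pkcs7) + len(slack), 0x200, 2) + pkcs7 + slack
    dirs = bytearray(128)
    struct.pack_into("<II", dirs, 8 * SECURITY_DIR, cert_off, len(cert))
    return dos + coff + opt + bytes(dirs) + cert + trailer

FAKE_PKCS7 = b"\x30\x03\x02\x01\x05"      # constructed stand-in for a real signature blob

if __name__ == "__main__":
    print(check_cert_slack(build_sample_pe(FAKE_PKCS7)))
    print(check_cert_slack(build_sample_pe(FAKE_PKCS7, b"hidden" * 5, b"\0" * 16)))
```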
     
  14. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    2,561
    1,401
    90
  15. Tiger-1

    Tiger-1 MDL Guru

    Oct 18, 2014
    3,806
    4,114
    120
    Hi Joe C, thanks for the very useful and interesting links :) unfortunately things go very bad ;)
     
  16. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,250
    11,063
    340
    Before the EternalBlue exploit appeared as WannaCry, which encrypts data, the same SMB exploit had been used to spread Adylkuzz, a mining malware.
    It's no ransomware like WannaCry, but silently takes advantage of your CPU power.
    They mostly mine coins with less difficulty, like Monero; anyway, mining requires a high CPU/GPU usage/load.
     
  17. harkaz

    harkaz MDL Novice

    Dec 27, 2012
    41
    71
    0
    OK, I will post all details then. I just need to find some free time to start debugging. Probably this weekend.
     
  18. MS_User

    MS_User MDL Guru

    Nov 30, 2014
    2,771
    453
    90
    #18 MS_User, Sep 12, 2017
    Last edited: Sep 12, 2017
    It sounds like that trojan certificate is designed to steal bitcoin accounts. They've been getting hacked a lot lately... I bet there's a good possibility that certificate came from Russia or China.
     
  19. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,250
    11,063
    340
    Certificates are either stolen from a server (the private part used to sign) or legitimately signed 'software' is used for malicious code injection...

    The malicious software then either mines coins itself, or steals the wallet, while a properly encrypted wallet is actually useless.
    You'd need malicious software that checks the virtual memory to spot the place and time when the private certificates (which authenticate your public BTC addresses) are decrypted and can be stolen and sent away. When using a cold wallet, such malicious code is useless though.

    Mining code can be spotted by high CPU usage.
     
  20. MS_User

    MS_User MDL Guru

    Nov 30, 2014
    2,771
    453
    90
    I bet the regular end user would never realize his digital wallet is being hacked or notice high CPU usage.