# Warez users fell for Certishell **[decoded.avast.io/danielbenes/warez-users-fell-for-certishell/](https://decoded.avast.io/danielbenes/warez-users-fell-for-certishell/)** by [Daniel BenešApril 21, 202214 min read](https://decoded.avast.io/author/danielbenes/) April 21, 2022 Research of this malware family began when I found a malicious task starting powershell code directly from a registry key within our user base. I wasn’t expecting the surprise I’d arrived at when I began tracking its origins. Living in a smaller country, Czech Republic, it is a rare sight to see someone exclusively targeting the local `Czech/Slovak audience. The` threat actor seems to have been creating malware `since 2015 and appears to be from` Slovakia. The bad actor’s repertoire contains a few `RATs, some packers for` ``` cryptominers and, almost obligatorily, ransomware, and I have named the malware ``` family `Certishell . This person’s malware is spread with illegal copies of songs and` movies and with alleged cracks and keygens of games and common tools ( GTA SA, ``` Mafia, Avast, Microsoft Office ) that were hosted on one of the most popular ``` Czech and Slovak file-sharing services `uloz.to .` The Ceritshell family can be split into three different parts. 1. RAT with a C&C server `sivpici.php5[.]sk (Czech/Slovak slang for “you are` fucked up”), which has AutoIT, C++ and Go versions. 2. Miner downloaded from hacked websites and started with the script `que.vbs from` the task. 3. Miner or ransomware downloaded from hacked websites and launched from a powershell command hidden in registry keys. The command from the registry key is started with the task from the picture above. ----- _The map above shows the risk ratio of users around who were at risk of encountering one_ _of the malware families_ ## Sivpici.php5.sk (2015-2018) The oldest part of the family is a simple RAT with `sivpici.php5[.]sk as the C&C server.` It places all the needed files in the folder `.win inside of the user folder.` The malware installer comes disguised as one of the following: ----- Cracked software, such as `FixmyPC,` Fraud apps, like `SteamCDKeys that share Steam keys,` Music CD unpackers with names like `Extractor.exe or` `Heslo.exe (Heslo means` _password in Czech/Slovak) that come with a password protected archive with music_ files. The malicious executable downloads an executable named UnRAR.exe and a malicious archive that contains a simple RAT written in C++, AutoIT or Go. ### Installer Every executable installing this malware family contains a script similar to the one in the following picture optionally with `curl.exe . This script usually shows the password to` archive or start another application. The malicious part downloads a legitimate RAR extractor `UnRAR.exe and a malicious archive that can be password protected and` unpacks it into the `%UserProfile%\.win\ folder. In the end it registers one of the` unpacked files as a service, starts it and allows one of the binaries in the firewall. I found six different methods used to pack the script into executable binary: ----- 1. Bat2exe 2. Quick Batch File Compiler 3. Compiled AutoIT version 4. Compiled AutoIT version with obfuscated script 5. Compiled AutoIT version with obfuscated script and packed with PELock 6. Compiled AutoIT version with obfuscated script packed with VMProtect ### RAT There are three main variants of this RAT. All of them use the same C&C ``` sivpici.php5[.]sk and similar communication protocol. The most advanced is a ``` compiled AutoIT script. This script comes in 10 different main versions. The second one is written in C++ and we found only one main version and the last one is written in Go also with one main version. The first time it is run, it generates a random alphanumeric string that works as an identificator for the C&C. This identificator is saved into file gen.gen for next start. The communication uses the HTTP protocol. Infected machines send the following back the C&C: `pc` = ComputerName, `os` = content of `SOFTWARE\\Microsoft\\Windows` ``` NT\\CurrentVersion\\ProductName, uniq = generated identifier, saved in \.win\gen.gen ``` ----- with the `GET method to` `start.php .` After a random period of time, the malware starts asking for commands using the `GET` method with the parameter `uniq . The response is a number that has fixed meanings` throughout all the versions. Commands “1” – “7” are implemented as follows: 1. The RAT downloads a URL from `/urlg.php using` `uniq, from this URL it` downloads a file, `packed.rar, then the RAT starts` `run.bat from the installation` phase to UnRaR the package to the `\.win\Lambda folder and restart the RAT. This` allows the RAT to update itself and also download any other file necessary. 2. Create a screenshot and send it with the `POST method to the` `up.php .` 3. Send all file names from all drives to `up.php .` 4. DDoS attack to a chosen IP through `UDP / HTTP / PING .` 5. Get a list of all installed apps from ``` HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall ``` saves it to `/.win/installed.txt and send them to` `up.php .` 6. Get a list of all running processes, save it to `/.win/processes.txt and send them` to `up.php .` 7. Collect log from keylogger, save it to `\.win\log.txt and send it to` `up.php .` The RAT in the form of compiled AutoIT script has the name `Winhost.exe .` ----- ----- There is a comparison of different versions (versioning by the author of the RAT) in the following table. Version Commands Notes debugging 1 Command 2 opens a message box with text 222222 4 1 – 3 Registration of PC happens only once on `reg.php and on` connection it sends only the `uniq and the version of the RAT` to `updaver.php` 6 1 – 4 Opens `/ad.php in a hidden Internet Explorer window once` when the user is not interacting with the PC for at least 5 seconds and closes it after 30 seconds. 7 1 – 5 8 1 – 7 Keylogger starts with the start of the RAT. 9 1 – 7 Keylogger has colored output. 10 1 – 7 Keylogger is separate executable ( `~\.win\1.exe )` Comparission of different version of AutoIT RAT The keylogger in versions eight and nine is copied from the official AutoIT documentation (with a few small changes) [https://www.autoitscript.com/autoit3/docs/libfunctions/_WinAPI_SetWindowsHookEx.htm](https://www.autoitscript.com/autoit3/docs/libfunctions/_WinAPI_SetWindowsHookEx.htm) Version 9 adds coloring of keys, mouse movements and clipboard in the keylogger. The C++ RAT is named `dwms.exe . It uses LibCURL to communicate with the C&C. The` communication protocol is the same. The `uniq` identifier is saved in the `fr.fr file` instead of `gen.gen for the AutoIT version, it also starts communication by accessing` ``` connect.php instead of start.php . ``` I’ve managed to find a debugging version that only has the first command implemented and returns only “Command 2” and “Command 3” to the standard output for the second and third command. After every command it answers the C&C by sending `uniq and` `verzia` (“version” in English) with GET method to `online.php .` The “production” version is labeled as version A. The code is divided into two functions: ``` LLLoad downloads the URL address of the C&C server from the pastebin and tests ``` it by downloading `/exists.txt .` ----- ``` RRRun that contains the first two commands as described above. It also uses /connect/ path for register.php, load.php, online.php and verzia.php . ``` To download newer versions it uses curl called from the command line. Another difference is that screenshots taken are sent via FTP to a different domain: ``` freetips.php5[.]sk/public_html/SHOT.bmp ``` with the username `sivpici and password` `A1B2C3D4 .` The RAT written in Go only has the first command implemented, but it downloads ``` /cnct/ad.txt and it opens URLs contained on victims computer, thus we speculate it ``` could also work as adware. ## IECache, bitly, pastebin (2016-2018) The installation of this coinminer is similar to the RAT in the previous section. Installations use the same folder and the scripts have the same name. It usually comes as an unpacker of illegal copies of music and movies downloaded from `uloz.to . It uses powershell to` download and execute scripts from a bit.ly shortened address. The final stage is coinminer ``` IECache.exe, which is usually XMRig. ### Heslo.txt.exe, Crack.exe… ``` ----- There is a huge variety of programs that download bit.ly-shortened Czech and Slovak sites and execute them. These programs include: GTA SA crack, Mafia, Microsoft Office, Sims, Lego Star Wars, and unpackers for music and movies. These programs usually print a message to the victim and run a malicious script in a hidden window. The unpackers use UnRAR to unpack the archive and show the victim the password of that archive. Unpacker of a music album written in Python and packed with Pyinstaller. It tries to use UnRAR.exe to unpack the music, if unsuccessful, it shows password “1234”. The cracks on the other hand just show an error message. Result of Patcher for Counter-Strike Global Offensive. After downloading and installing the malware from Sourceforge it shows an error from the picture above. All the installation files execute the following command with some bitly shortened site: There are VBA scripts calling it, basic programs possibly written in C, .Net, AutoIT scripts, **Golang programs, Rust programs, Redlang programs, different packers of python and** **batches, some of them use UPX, MPRESS, VMprotect and PELock.** Red language ----- AutoIT Pyinstaller ----- Bat obfuscator Rust ### Downloaded script There are at least two new scripts created by the script from the site hidden behind the ``` bit.ly shortened URL, que.vbs and run.bat . ``` The script also creates one of two services named `Winmgr and` `Winservice that start` ``` que.vbs . Que.vbs only starts run.bat which downloads whats.txt contains a script ``` downloading and starting coinminer `IECache.exe .` ----- **que.vbs hash:** ``` 6f2efc19263a3f4b4f8ea8d9fd643260dce5bef599940dae02b4689862bbb362 ``` **run.bat hash:** ``` 1ad309c8ee17718fb5aacf2587bd51bddb393c0240ee63faf7f890b7093db222 ``` Content of `run.bat` In this case the pastebin contains two lines (the second line is splitted for better readability) content of pastebin ### The miner The miner is saved as `IECache.exe or` `ctfmon.exe .` The first miner (from June, 2018) is just XMRig that includes all command line options inside the binary. ----- Most of the miners of this type I found are packed with `VMProtect` or ``` Themida/Winlicense . ``` The more interesting one (from Jun-Jul 2018) is a compiled AutoIT script packed with ``` VMProtect . Here again, we see that author speaks Slovak: ``` ----- This script contains the XMRig as (in some cases LZMA compressed) Base64 encoded string inside a variable. The miner is decoded and started in memory. ``` ODBASUJ64A is “decode base64” and ODLZMUJA is “LZMA decompress”. ``` In some versions, the script checks user activity and it starts different miners with different options to maximize profit with lower risk of being caught. ----- _PUSTITAM is executes an binary in memory [Newer samples (Since August, 2018) use sRDI or XOR encryption in memory and injection](https://github.com/monoxgas/sRDI) to a suspended process to hide from antivirus software. ### Interesting files **Sourceforge and Github** Some of the samples used Sourceforge and Github to download malicious content, instead of small, possibly hacked websites. It downloaded content from a repository WEB of user W33v3ly on Github and from user Dieworld on Sourceforge. On Github, the attacker once made a mistake and pushed ``` Systemcall.exe and TestDLL.bin to the wrong repository. ``` ----- **Systemcall.exe hash:** ``` e9d96c6de650ada54b3788187132f525094ff7266b87c98d3dd1398c2d5c41a ``` **TestDLL.bin hash:** ``` 1d2eda5525725f919cb4ef4412272f059abf4b6f25de5dc3b0fca4ce6ef5dd8e ``` The `Systemcall.exe is a PE file without “MZ” in the beginning and` `Test.dll contains` some random bytes before the PE file. The dll contains XMRig encrypted with TEA and the ``` Systemcall.exe uses sRDI to load and run the Test.dll. ``` ----- **Steam Giver** This small application written in .Net shows some hacked Steam accounts. ----- The malicious part downloads and installs the following scripts and downloads UnRAR and ``` begin.rar ``` ----- ``` Install.vbs creates a task named WinD2 that starts inv.vbs upon every PC startup. Inv.vbs starts runner.bat, which starts %temp%/Microsoft/NisSrve.exe that is ``` unpacked from `begin.rar with` `UnRAR.exe .` **Free bet tips** Betters are also targeted. We found a malicious file with the following readme file: ----- The binary included only starts a cmd with the script as an argument. ## All from registry keys since 2018 After 2018, I observed an updated version of the malware family. There is no need for any script file if you can have a command as a scheduled task and save enough data into registry keys. The infection vector is the same as in the previous case. The victim downloads and runs an executable that downloads a powershell script from a hacked website whose URL is shortened with bit.ly. This time the script is different, it creates the following task: This task reads the value of the registry key `Shell placed in` `HKLM\Software\a and` executes its content. The script also creates the Registry key. Let’s focus on the value of the registry key `Shell . In the following picture you will find the` value I found on an infected machine. ----- After decoding and decompression we get an obfuscated script: ----- Under two layers of string formatting and replacing we get another compressed base64 encoded script: ----- Inside the base64 string is malicious code that tests the connection and executes code directly from the internet. ----- In total, I found about 40 different values of the `Shell key in the wild that contain similar` code with different URLs and they are obfuscated in the same way or less. ----- Some of the pastebins were alive. For example, one of them contains the following scripts that sends information about graphic cards to the C&C server, which can decide what to install on an infected computer. I have not found any C&C server alive. ## Ransomware Another final stage that runs from the registry keys is ransomware Athos.exe. At first it checks some tactics from [https://blog.sevagas.com/IMG/pdf/BypassAVDynamics.pdf to](https://blog.sevagas.com/IMG/pdf/BypassAVDynamics.pdf) check if it runs in the sandbox. On the sixth start it injects ransomware into another process that gets the id and encryption key from the web page `googleprovider[.]ru . Then it` encrypts all the files with AES-CFB and shows the following message saved on imgur ( https://i.imgur[.]com/cKkSBSI.jpg ). Translation: Your files are encrypted. If you want them back, you need your ID that you can ----- find in Athos_ID.txt on the desktop. Keep your ID secure, if you lose it, your files can t be recovered!!! You can recover your files with the help of the website www.g… We also found AutoIT ransomware King Ouroboros translated to Slovak. The malware was edited to use Windows users’ GUID as encryption key and to download additional content from a different server than the original King Ouroboros. **ransomware hash:** ``` 90d99c4fe7f81533fb02cf0f1ff296cc1b2d88ea5c4c8567142bb455f435ee5b ``` ## Conclusion Most of the methods described in this article are not new, in some cases I was able to find their source. The most interesting method is hiding the powershell script to the registry keys. As I found out, the author is a Slovak speaker, this corresponds with the fact that the infected files were published only on Uloz.to, therefore the victims are only from the Czech Republic and Slovakia. The variation of the final payload is huge. I found three different RATs, a few different packers of coinminers and ransomware that were created by the author and many more that were “available” on the internet. The initial installer, which function was to call only one command, was also created with a huge variety of tools, some of them quite obscure. To protect against this type of threat, it is enough to download software only from [trustworthy sources and use security software, like Avast Antivirus, which will act as a](https://www.avast.com/index) safety net in case you should come across a threat. ## Indicators of Compromise (IoC) Repository: [https://github.com/avast/ioc/tree/master/Certishell](https://github.com/avast/ioc/tree/master/Certishell) List of SHA-256: [https://github.com/avast/ioc/blob/master/Certishell/samples.sha256](https://github.com/avast/ioc/blob/master/Certishell/samples.sha256) URI: [https://github.com/avast/ioc/blob/master/Certishell/network.txt](https://github.com/avast/ioc/blob/master/Certishell/network.txt) [Tagged asanalysis,](https://decoded.avast.io/tag/analysis/) [cryptomining,](https://decoded.avast.io/tag/cryptomining/) [malware](https://decoded.avast.io/tag/malware/) -----