{
	"id": "8eeec956-1579-41ee-b0c6-9ac1ac81e9b1",
	"created_at": "2026-04-10T03:21:43.757708Z",
	"updated_at": "2026-04-10T03:22:18.669582Z",
	"deleted_at": null,
	"sha1_hash": "87512a2ed85e1a65818eb7bc815e80b87e7daab1",
	"title": "Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1602482,
	"plain_text": "Campaign Abusing Legitimate Remote Administrator Tools Uses\r\nFake Cryptocurrency Websites\r\nBy Jaromir Horejsi\r\nPublished: 2021-11-29 · Archived: 2026-04-10 03:15:06 UTC\r\nIntroduction\r\nWe have been tracking a campaign involving the SpyAgent malware that abuses well-known remote access tools\r\n(RATs) — namely TeamViewer — for some time now. While previous versions of the malware have been covered\r\nby other researchers, our blog entry focuses on the malicious actor’s latest attacks.\r\nWe’ve observed a new cryptocurrency-related campaign that abuses a legitimate Russian RAT known as Safib\r\nAssistant via a newer version of the malware called SpyAgent. This involves the exploitation of a DLL sideloading\r\nvulnerability, which causes a malicious DLL to load. This DLL hooks and patches various API functions called by\r\nthe RAT. This results in the RAT’s windows being hidden from the user.\r\nThe malicious DLL then begins reporting the RAT’s ID, which the malware operator needs to connect to and\r\ncontrol the infected machine. The malware sets the access password to a fixed one, so that merely knowing the\r\nRAT’s ID is enough for the attacker to successfully connect to the infected machine.\r\nInfection vector\r\nThe malware dropper of SpyAgent is distributed via fake cryptocurrency-related websites that are usually in the\r\nRussian language. The dropper poses as a fake cryptocurrency wallet, miner, or surfing plug-in. Figures 1 to 4 are\r\nsome examples of these fake websites.\r\nhttps://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html\r\nPage 1 of 12\n\nFigure 1. Fake cryptocurrency wallets in Russian\r\nFigure 2. 
Fake cryptocurrency miners in Russian\r\nFigure 3. Fake surfing plug-in to earn dogecoin\r\nFigure 4. Fake surfing plug-ins to earn bitcoin\r\nWhen a user visits one of these websites, a file-downloading dialog box (offering to download a SpyAgent\r\ndropper) usually appears immediately, after which the victim is prompted to save and run the executable file.\r\nHow a victim winds up on these fake websites varies. One kind of social engineering technique that we observed\r\ninvolves advertisements published on “earn cryptocurrency for browsing” websites, such as the ad in Figure 5. It\r\nshould be noted that not all websites offering cryptocurrency in exchange for views are necessarily malicious. The\r\nfollowing screenshot, however, shows a malicious website that promotes a fake cryptocurrency-related website.\r\nFigure 5. Malicious advertisement leading to the malicious website\r\nAfter opening the link, the victim is immediately redirected to one of the fake cryptocurrency websites, where a\r\ndialog box for saving the fake application immediately appears.\r\nFigure 6. Website with a fake bitcoin bot\r\nSocial media is also used as an infection vector, as shown in the tweet in Figure 7. Interestingly, the Twitter\r\naccount behind it seems to be legitimate, although possibly compromised.\r\nFigure 7. User spreading a link to a fake website via Twitter\r\nDue to search engine optimization (SEO), simply searching for the right keywords might result in the inclusion of\r\nthese websites in search results.\r\nFigure 8. 
Search engine returning the link to a fake “Doge Miner” website\r\nDropper analysis\r\nThe dropper is usually created using the Nullsoft Scriptable Install System (NSIS), a powerful tool for creating\r\nscriptable program installers (although in the past we have seen variants created with Inno Setup). The\r\ndropper (NSIS installer) file contains just one randomly named encrypted binary file.\r\nFigure 9. Installer with one randomly named binary file\r\nThe NSIS installer script then calls Microsoft CryptoAPIs to decrypt the binary file, which then becomes a 7-Zip\r\narchive from which the files are extracted. Figure 10 shows a string (tno7wul0zusmglmdl) used for deriving the decryption\r\nkey on line 578.\r\nFigure 10. Code showing a password to derive the RC4 decryption key used to decrypt random\r\nbinary files\r\nFigure 11. MD5 hashing of the password\r\nFigure 12. Deriving the RC4 key\r\nThe dwFlags parameter (see value 0x280011) tells us the length of the key modulus in bits, which is set with the\r\nupper 16 bits (0x28 = 40 bits, and 40 / 8 = 5 bytes). The lower 16 bits are the flags CRYPT_EXPORTABLE and\r\nCRYPT_NO_SALT.\r\nTherefore, the first five bytes of the MD5 hash of the key derivation string are the RC4 key used to decrypt the 7-Zip\r\narchive.\r\nFigure 13. Documentation explaining the computation of the length of the key\r\nThe extracted 7-Zip archive contains several files, most of which are legitimate non-malicious files belonging to\r\nthe RAT. In Figure 14, only the files in red are additions by the malware developers.\r\nThe batch file (.bat) starts the main executable (Assistant, ast.exe), while the config file (.cfg) contains the\r\nencrypted configuration. The bitmap file (.bmp) is used for deriving the key to decrypt the config file. 
Finally, the\r\nquartz.dll is the malicious DLL containing the malware that is sideloaded by ast.exe. Although the real length of\r\nthe quartz DLL is several dozen kilobytes, its length is artificially inflated by appending a huge overlay of\r\nzeroes. This is likely to prevent or discourage some security solutions from uploading these large files for further\r\nanalysis.\r\nFigure 14. Contents of the 7-Zip archive with the RAT. The files in red are the ones added by the\r\nmalware developer.\r\nAnalysis of the sideloaded DLL\r\nThe DLL is responsible for decrypting the config file. Initially, the first byte of the config file is checked. If its\r\nvalue is 0x01, it means that the malware is running for the first time and the config file is encrypted with a key derived\r\nfrom the bitmap file.\r\nOtherwise, if the value of the first byte in the config file is 0x00, it means that the config file is encrypted with a\r\nkey derived from the SOFTWARE\\Microsoft\\Cryptography\\MachineGuid value.\r\nThe key derivation has four steps:\r\n1) The CRC32 checksum of the input (the .bmp file on the first run, or the MachineGuid value afterwards) is computed.\r\n2) The checksum is converted to a hexadecimal string (eight characters), and all characters are converted to\r\nuppercase.\r\n3) The MD5 hash of this uppercase string is computed.\r\n4) The hexadecimal string representation of the hash (32 characters) is used as the RC4 password to decrypt the\r\nconfig file.\r\nAfter decryption, the configuration file contains the URL address of the command-and-control (C\u0026C) server.\r\nFrom this URL address, the domain part is used as a key for another decryption — this time the decryption of part\r\nof the DLL’s executable code, since a part of the DLL is self-modifying code.\r\nFigure 15. 
Function call to the encrypted code before decryption (top) and after decryption (bottom)\r\nThe first decrypted function is responsible for resolving the API function addresses, while the second decrypted\r\nfunction is responsible for hooking various functions and altering the default behavior of the RAT.\r\nThe following table shows the important hooked functions and their effects on the RAT:\r\nFunction          Details\r\nRegCreateKeyEx    Changes the registry path used for the RAT configuration from \\ast\\SS to \\ast\\SS1\r\nRegSetValueKeyEx  Extracts the RAT’s ID when it is saved to the registry. It then starts two threads, a C\u0026C\r\n                  communication thread and an idleness monitoring thread.\r\nFindWindow        Ensures that the RAT’s window is not shown\r\nRegisterClass     Ensures that the RAT’s window is not shown\r\nShowWindow        Disables showing the RAT’s windows\r\nCreateFile        Disables the log file that the RAT creates by default\r\nGetCommandLine    Sets command-line parameters to start the RAT as a hidden process in the background,\r\n                  sets the connection password stored in the registry to a known fixed password, and starts a\r\n                  thread responsible for killing Task Manager and Process Explorer\r\nTable 1. The important hook functions of the decrypted function\r\nWhen the RAT is run normally and is not hijacked by malware, a window like the screenshot shown in Figure 17\r\nwill appear. It is important to note the nine-digit number (captured by the hook of RegSetValueKeyEx) and the\r\nfour-digit number (overridden by the registry setting set by the hook of GetCommandLine). This window is not\r\nshown at all as an effect of hooking FindWindow, RegisterClass, and ShowWindow.\r\nFigure 16. The RAT’s window when it is run normally. The nine-digit number is the ID and the\r\nfour-digit number is the password.\r\nFinally, we will analyze the two threads. 
The C\u0026C communication thread regularly makes a GET request to\r\n\u003cC\u0026C domain\u003e/\u003cC\u0026C path\u003e?id=\u003c9digit number\u003e\u0026stat=\u003cenvironment hash\u003e. The environment hash is\r\ncomputed as an MD5 hash of a string created by concatenating the following five values:\r\nValue 1 = to_uppercase(crc32(HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid))\r\nValue 2 = to_uppercase(crc32(HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\r\nNT\\CurrentVersion\\ProductName))\r\nValue 3 = to_uppercase(crc32(user name))\r\nValue 4 = to_uppercase(crc32(computer name))\r\nValue 5 = concatenate Value1 Value2 Value3 Value4\r\nIt might receive a response in one of the following formats:\r\n!lexec;\u003curl to download\u003e\r\nrestart\r\ndelproc\r\nThe idleness monitoring thread monitors pressed keys and selecting or dragging movements. If the user is idle for\r\nmore than one minute, it sends a sidl (start idle) request with the time when the user became idle:\r\n\u003cC\u0026C domain\u003e/\u003cC\u0026C path\u003e?id=\u003c9digit number\u003e\u0026stat=\u003cenvironment hash\u003e\u0026sidl=\u003ctime\u003e\r\nThe length of idleness is then regularly submitted in a cidl (count of idle) parameter:\r\n\u003cC\u0026C domain\u003e/\u003cC\u0026C path\u003e?id=\u003c9digit number\u003e\u0026stat=\u003cenvironment hash\u003e\u0026cidl=\u003cnumber of seconds\u003e\r\nWhen the user becomes active again, the malware sends an eidl (end of idle) request:\r\n\u003cC\u0026C domain\u003e/\u003cC\u0026C path\u003e?id=\u003c9digit number\u003e\u0026stat=\u003cenvironment hash\u003e\u0026eidl=\u003ctime\u003e\u0026cidl=\u003cnumber of\r\nseconds\u003e\r\nThe idleness monitoring thread allows the malware operator to choose the proper time, when the victim is not\r\npresent, in order to stay unnoticed.\r\nAssociated malware\r\nSpyAgent 
usually downloads other malware to perform additional tasks such as stealing important data.\r\nWe noticed SpyAgent downloading the following commodity stealers:\r\nRedLine Stealer\r\nDucky stealer\r\nAZOrult\r\nCypress Stealer\r\nClipper (a clipboard replacer that replaces various cryptocurrency addresses with those controlled by the\r\nmalicious actor)\r\nWe also noticed other RATs being used in the campaign, such as:\r\nRemcos RAT\r\nNanoCore\r\nnjRAT\r\nAsyncRAT\r\nConclusion\r\nThe threat actor behind this malware seems to have a straightforward financial motivation and typically aims to\r\nsteal credentials and cryptocurrency wallets while also replacing cryptocurrency addresses shared via the clipboard.\r\nFortunately, defending oneself against these attacks is also straightforward. Given the malicious actor’s use of\r\ntraditional social engineering techniques such as fake websites, malicious advertisements, and spurious social\r\nmedia posts, users should practice due diligence and avoid clicking any suspicious links or visiting dubious\r\nwebsites. We also encourage users to follow security best practices such as bookmarking trusted sites and\r\npracticing caution when visiting new websites, especially those that are prone to being abused for social\r\nengineering attacks.\r\nIndicators of Compromise (IOCs)\r\nThe IOCs used in this analysis can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html"
	],
	"report_names": [
		"campaign-abusing-rats-uses-fake-websites.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775791303,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/87512a2ed85e1a65818eb7bc815e80b87e7daab1.pdf",
		"text": "https://archive.orkl.eu/87512a2ed85e1a65818eb7bc815e80b87e7daab1.txt",
		"img": "https://archive.orkl.eu/87512a2ed85e1a65818eb7bc815e80b87e7daab1.jpg"
	}
}