# Blog #### Cybersecurity DNA ----- leaked RCS source code. We discovered that this backdoor was developed by the Iron cybercrime group, the same group behind the Iron ransomware (rip-off Maktub ransomware recently discovered by Bart Parys), which we believe has been active for the past 18 months. During the past year and a half, the Iron group has developed multiple types of malware (backdoors, crypto-miners, and ransomware) for Windows, Linux and Android platforms. They have used their malware to successfully infect, at least, a few thousand victims. In this technical blog post we are going to take a look at the malware samples found during the research. ##### Technical Analysis: ###### Installer: _** This installer sample (and in general most of the samples found) is_ _protected with VMProtect then compressed using UPX._ ###### Installation process: 1. Check if the binary is executed on a VM, if so – ExitProcess 2. Drop & Install malicious chrome extension _%localappdata%\Temp\chrome.crx_ 3. Extract malicious chrome extension to %localappdata%\Temp\chrome & create a scheduled task to execute %localappdata%\Temp\chrome\sec.vbs. 4. Create mutex using the CPU’s version to make sure there’s no ----- .If Version > Windows XP -Invoke ‘Launch’ export -Check if Qhioo360 – only if not proceed, Install malicious certificate used to sign Iron Backdoor binary as root CA.Then create a service called ‘helpsvc’ pointing back to Iron Backdoor dll. ----- ###### Using the leaked HackingTeam source code: [Once we Analyzed the backdoor sample, we immediately noticed it’s](https://analyze.intezer.com/#/) partially based on HackingTeam’s source code for their Remote [Control System hacking tool, which leaked about 3 years ago. Further](https://thehackernews.com/2015/07/Italian-hacking-team-software.html) ----- directly from HackingTeam’s “Soldier” implant leaked source code. This piece of code supports detecting Cuckoo Sandbox, VMWare product & Oracle’s VirtualBox. Screenshot: 2. Dynamic Function Calls: Iron Backdoor is also using the [DynamicCall module from HackingTeam’s “core” library. This module](https://github.com/hackedteam/core-win32/blob/master/DynamiCall/dynamic_import.cpp#L407) is used to dynamically call external library function by obfuscated the function name, which makes static analysis of this malware more complex. In the following screenshot you can see obfuscated “LFSOFM43/EMM” ----- _For a full list of obfuscated APIs you can visit obfuscated_calls.h._ ###### Malicious Chrome extension: [A patched version of the popular Adblock Plus chrome extension is](https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb) used to inject both the in-browser crypto-mining module (based on [CryptoNoter) and the in-browser payment hijacking module.](https://github.com/cryptonoter) _**patched include.preload.js injects two malicious scripts from the_ _attacker’s Pastebin account._ The malicious extension is not only loaded once the user opens the browser, but also constantly runs in the background, acting as a stealth host based crypto-miner. The malware sets up a scheduled task that checks if chrome is already running, every minute, if it isn’t, it will “silent-launch” it as you can see in the following screenshot: ----- injecting remote javascript. It seems that this functionality is no longer automatically used for some unknown reason. ###### Persistence: Before installing itself as a Windows service, the malware checks for the presence of either 360 Safe Guard or 360 Internet Security by reading following registry keys: _.SYSTEM\CurrentControlSet\Services\zhudongfangyu._ _.SYSTEM\CurrentControlSet\Services\360rp_ If one of these products is installed, the malware will only run once without persistence. Otherwise, the malware will proceed to installing rouge, hardcoded root CA certificate on the victim’s workstation. This fake root CA supposedly signed the malware’s binaries, which will make them look legitimate. _Comic break: The certificate is protected by the password ‘caonima123’,_ _which means “f*ck your mom” in Mandarin._ ###### IronStealer (.dat): Persistent backdoor, dropper and cryptocurrency theft module. 1. Load Cobalt Strike beacon: The malware automatically decrypts hard coded shellcode stage-1, which in turn loads Cobalt Strike beacon in-memory, using a reflective loader: ----- _Beacon: hxxp://dazqc4f140wtl.cloudfront[.]net/ZZYO_ 2. Drop & Execute payload: The payload URL is fetched from a hardcoded Pastebin paste address: We observed two different payloads dropped by the malware: [1. Xagent – A variant of “JbossMiner Mining Worm” – a worm written](https://yq.aliyun.com/articles/558034) in Python and compiled using PyInstaller for both Windows and Linux platforms. JbossMiner is using known database vulnerabilities to spread. “Xagent” is the original filename Xagent.exe whereas seems to be the version of the worm. The last version observed was version 6 (Xagent6.exe). ----- _**Xagent versions 4-6 as seen by VT_ 2. Iron ransomware – We recently saw a shift from dropping Xagent [to dropping Iron ransomware. It seems that the wallet & payment](https://bartblaze.blogspot.co.il/2018/04/maktub-ransomware-possibly-rebranded-as.html) portal addresses are identical to the ones that Bart observed. Requested ransom decreased from 0.2 BTC to 0.05 BTC, most likely [due to the lack of payment they received.](https://blockchain.info/address/1cimKyzS64PRNEiG89iFU3qzckVuEQuUj) ----- _**Nobody paid so they decreased ransom to 0.05 BTC_ 3. Stealing cryptocurrency from the victim’s workstation: Iron [backdoor would drop the latest voidtool Everything search utility and](https://www.voidtools.com/) actually silent install it on the victim’s workstation using msiexec. After installation was completed, Iron Backdoor uses Everything in order to find files that are likely to contain cryptocurrency wallets, by filename patterns in both English and Chinese. Full list of patterns extracted from sample: _– Wallet.dat_ _– UTC–_ _– Etherenum keystore filename_ _– *bitcoin*.txt_ _– *比特币*.txt_ _– “Bitcoin”_ _– *monero*.txt_ _– *门罗币*.txt_ ----- _– *Ethereum*.txt_ _– *以太币*.txt_ _– “Ethereum”_ _– *miner*.txt_ _– *挖矿*.txt_ _– “Mining”_ _– *blockchain*.txt_ _– *coinbase*_ 4. Hijack on-going payments in cryptocurrency: IronStealer constantly monitors the user’s clipboard for Bitcoin, Monero & Ethereum wallet address regex patterns. Once matched, it will automatically replace it with the attacker’s wallet address so the victim would unknowingly transfer money to the attacker’s account: ###### Pastebin Account: As part of the investigation, we also tried to figure out what additional information we may learn from the attacker’s Pastebin account: ----- The account was probably created using the mail [fineisgood123@gmail[.]com – the same email address used to](https://community.riskiq.com/search/whois/email/fineisgood123@gmail.com) register blockbitcoin[.]com (the attacker’s crypto-mining pool & malware host) and swb[.]one (Old server used to host malware & leaked files. replaced by u.cacheoffer[.]tk): 1. Index.html: HTML page referring to a fake Firefox download page. 2. crystal_ext-min + angular: JS inject using malicious Chrome extension. 3. android: This paste holds a command line for an unknown backdoored application to execute on infected Android devices. This [command line invokes remote Metasploit stager (android.apk) and](https://www.virustotal.com/#/file/fc37713a25e32cee8a2748b8d8fde641f4a67a1987c5a26f8ec7951b091f634e) [drops cpuminer 2.3.2 (minerd.txt) built for ARM processor.](https://www.virustotal.com/#/file/3b92f3b878112fc093392421281aff4449aac0ade84b840b044dee824592f2d5) Considering the last update date (18/11/17) and the low number of views, we believe this paste is obsolete. 4. androidminer: Holds the cpuminer command line to execute for unknown malicious android applications, at the time of writing this post, this paste received nearly 2000 hits. ----- Aikapool[.]com is a public mining pool and port 7915 is used for DogeCoin: The username (myapp2150) was used to register accounts in several [forums and on Reddit. These accounts were used to advertise fake](https://www.reddit.com/user/myapp2150) “blockchain exploit tool”, which infects the victim’s machine with Cobalt Strike, using a similar VBScript to the one found by [Malwrologist (ps5.sct).](https://twitter.com/sS55752750/status/989180154994884608) [XAttacker: Copy of XAttacker PHP remote file upload script.](https://github.com/Moham3dRiahi/XAttacker/blob/master/XAttacker.php) miner: Holds payload URL, as mentioned above (IronStealer). FAQ: How many victims are there? It is hard to define for sure, , but to our knowledge, the total of the attacker’s pastes received around 14K views, ~11K for dropped ----- We suspect that the person or persons behind the group are Chinese, due in part to the following findings: . There were several leftover comments in the plugin in Chinese. . Root CA Certificate password (‘f*ck your mom123’ was in Mandarin) We also suspect most of the victims are located in China, because of the following findings: . Searches for wallet file names in Chinese on victims’ workstations. . Won’t install persistence if Qhioo360(popular Chinese AV) is found IOCS: blockbitcoin[.]com pool.blockbitcoin[.]com ssl2.blockbitcoin[.]com xmr.enjoytopic[.]tk down.cacheoffer[.]tk dzebppteh32lz.cloudfront[.]net dazqc4f140wtl.cloudfront[.]net androidapt.s3-accelerate.amazonaws[.]com androidapt.s3-accelerate.amazonaws[.]com winapt.s3-accelerate.amazonaws[.]com swb[.]one bitcoinwallet8[.]com blockchaln[.]info 6350a42d423d61eb03a33011b6054fb7793108b7e71aee15c198d3480653d8b7 a4faaa0019fb63e55771161e34910971fd8fe88abda0ab7dd1c90cfe5f573a23 ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9 654ec27ea99c44edc03f1f3971d2a898b9f1441de156832d1507590a47b41190 980a39b6b72a7c8e73f4b6d282fae79ce9e7934ee24a88dde2eead0d5f238bda 39a991c014f3093cdc878b41b527e5507c58815d95bdb1f9b5f90546b6f2b1f6 a3c8091d00575946aca830f82a8406cba87aa0b425268fa2e857f98f619de298 0f7b9151f5ff4b35761d4c0c755b6918a580fae52182de9ba9780d5a1f1beee8 ea338755e8104d654e7d38170aaae305930feabf38ea946083bb68e8d76a0af3 4de16be6a9de62b1ff333dd94e63128e677eb6a52d9fbbe55d8a09a2cab161f1 ----- f1cbacea1c6d05cd5aa6fc9532f5ead67220d15008db9fa29afaaf134645e9de 1d34a52f9c11d4bf572bf678a95979046804109e288f38dfd538a57a12fc9fd1 2f5fb4e1072044149b32603860be0857227ed12cde223b5be787c10bcedbc51a 0df1105cbd7bb01dca7e544fb22f45a7b9ad04af3ffaf747b5ecc2ffcd8c6dee 388c1aecdceab476df8619e2d722be8e5987384b08c7b810662e26c42caf1310 0b8473d3f07a29820f456b09f9dc28e70af75f9dec88668fb421a315eec9cb63 251345b721e0587f1f08f54a81e26abac075acf3c4473a2c3ba8efcedc3b2459 b1fe223cbb01ff2a658c8ff51d386b5df786fd36278ee081c714adf946145047 2886e25a86a57355a8a09a84781a9b032de10c3e40339a9ad0c10b63f7f8e7c7 1d17eb102e75c08ab6f54387727b12ec9f9ee1960c8e5dc7f9925d41a943cabf 5831dabe27e0211028296546d4e637770fd1ec5f2c8c5add51d0ea09b6ea3f0d 85b0d44f3e8fd636a798960476a1f71d6fe040fbe44c92dfa403d0d014ff66cc 936f4ce3570017ef5db14fb68f5e775a417b65f3b07094475798f24878d84907 484b4cd953c9993090947fbb31626b76d7eee60c106867aa17e408556d27b609 1cbd51d387561cafddf10699177a267cd5d2d184842bb43755a0626fdc4f0f3c e41a805d780251cb591bcd02e5866280f8a99f876cfa882b557951e30dfdd142 b8107197469839a82cae25c3d3b5c25b5c0784736ca3b611eb3e8e3ced8ec950 b0442643d321003af965f0f41eb90cff2a198d11b50181ef8b6f530dd22226a7 657a3a4a78054b8d6027a39a5370f26665ee10e46673a1f4e822a2a31168e5f9 5977bee625ed3e91c7f30b09be9133c5838c59810659057dcfd1a5e2cf7c1936 9ea69b49b6707a249e001b5f2caaab9ee6f6f546906445a8c51183aafe631e9f 283536c26bb4fd4ea597d59c77a84ab812656f8fe980aa8556d44f9e954b1450 21f1a867fa6a418067be9c68d588e2eeba816bffcb10c9512f3b7927612a1221 45f794304919c8aa9282b0ee84c198703a41cc2254fe93634642ada3511239d2 70e47fdff286fdfe031d05488bc727f5df257eacaa0d29431fb69ce680f6fb0c ce7161381a0a0495ef998b5e202eb3e8fa2945dfdba0fd2a612d68b986c92678 b8d548ab2a1ce0cf51947e63b37fe57a0c9b105b2ef36b0abc1abf26d848be00 74e777af58a8ee2cff4f9f18013e5b39a82a4c4f66ea3e17d06e5356085265b7 cd4d1a6b3efb3d280b8d4e77e306e05157f6ef8a226d7db08ac2006cce95997c 78a07502443145d762536afaabd4d6139b81ca3cc9f8c28427ec724a3107e17b 729ab4ff5da471f210a8658f4a7b2a30522534a212ac44e4d76f258baab19ccb ca0df32504d3cf78d629e33b055213df5f71db3d5a0313ebc07fe2c05e506826 fc9d150d1a7cbda2600e4892baad91b9a4b8c52d31a41fd686c21c7801d1dd8c bf2984b866c449a8460789de5871864eec19a7f9cadd7d883898135a4898a38a 9d817d77b651d2627e37c01037e13808e1047f9528799a435c7bc04e877d70b3 ----- 506647c5bfad858ff6c34f93c74407782abbac4da572d9f44112fee5238d9ae1 194362ce71adcdfa0fe976322a7def8bb2d7fb3d67a44716aa29c2048f87f5bc 3652ea75ce5d8cfa0000a40234ae3d955781bcb327eecfee8f0e2ecae3a82870 97d41633e74eccf97918d248b344e62431b74c9447032e9271ed0b5340e1dba0 a8ab5be12ca80c530e3ef5627e97e7e38e12eaf968bf049eb58ccc27f134dc7f 37bea5b0a24fa6fed0b1649189a998a0e51650dd640531fe78b6db6a196917a7 7e750be346f124c28ddde43e87d0fbc68f33673435dddb98dda48aa3918ce3bd fcb700dbb47e035f5379d9ce1ada549583d4704c1f5531217308367f2d4bd302 b638dcce061ed2aa5a1f2d56fc5e909aa1c1a28636605a3e4c0ad72d49b7aec6 f2e4528049f598bdb25ce109a669a1f446c6a47739320a903a9254f7d3c69427 afd7ab6b06b87545c3a6cdedfefa63d5777df044d918a505afe0f57179f246e9 9b654fd24a175784e3103d83eba5be6321142775cf8c11c933746d501ca1a5a1 e6c717b06d7ded23408461848ad0ee734f77b17e399c6788e68bc15219f155d7 e302aa06ad76b7e26e7ba2c3276017c9e127e0f16834fb7c8deae2141db09542 d020ea8159bb3f99f394cd54677e60fadbff2b91e1a2e91d1c43ba4d7624244d 36104d9b7897c8b550a9fad9fe2f119e16d82fb028f682d39a73722822065bd3 d20cd3e579a04c5c878b87cc7bd6050540c68fdd8e28f528f68d70c77d996b16 ee859581b2fcea5d4ff633b5e40610639cd6b11c2b4fc420720198f49fbd1d31 ef2c384c795d5ca8ce17394e278b5c98f293a76047a06fc672da38bb56756aec bd56db8d304f36af7cb0380dcbbc3c51091e3542261affb6caac18fa6a6988ec 086d989f14e14628af821b72db00d0ef16f23ba4d9eaed2ec03d003e5f3a96a1 f44c3fd546b8c74cc58630ebcb5bea417696fac4bb89d00da42202f40da31354 320bb1efa1263c636702188cd97f68699aebbb88c2c2c92bf97a68e689fa6f89 42faf3af09b955de1aead2b99a474801b2c97601a52541af59d35711fafb7c6d 6e0adfd1e30c116210f469d76e60f316768922df7512d40d5faf65820904821b eea2d72f3c9bed48d4f5c5ad2bef8b0d29509fc9e650655c6c5532cb39e03268 1a31e09a2a982a0fedd8e398228918b17e1bde6b20f1faf291316e00d4a89c61 042efe5c5226dd19361fb832bdd29267276d7fa7a23eca5ced3c2bb7b4d30f7d 274717d4a4080a6f2448931832f9eeb91cc0cbe69ff65f2751a9ace86a76e670 f8751a004489926ceb03321ea3494c54d971257d48dadbae9e8a3c5285bd6992 d5a296bac02b0b536342e8fb3b9cb40414ea86aa602353bc2c7be18386b13094 49cfeb6505f0728290286915f5d593a1707e15effcfb62af1dd48e8b46a87975 5f2b13cb2e865bb09a220a7c50acc3b79f7046c6b83dbaafd9809ecd00efc49a 5a5bbc3c2bc2d3975bc003eb5bf9528c1c5bf400fac09098490ea9b5f6da981f 2c025f9ffb7d42fcc0dc8d056a444db90661fb6e38ead620d325bee9adc2750e ----- ### Register to our free community T ae366fa5f845c619cacd583915754e655ad7d819b64977f819f3260277160141 9b40a0cd49d4dd025afbc18b42b0658e9b0707b75bb818ab70464d8a73339d52 57daa27e04abfbc036856a22133cbcbd1edb0662617256bce6791e7848a12beb 6c54b73320288c11494279be63aeda278c6932b887fc88c21c4c38f0e18f1d01 ba644e050d1b10b9fd61ac22e5c1539f783fe87987543d76a4bb6f2f7e9eb737 21a83eeff87fba78248b137bfcca378efcce4a732314538d2e6cd3c9c2dd5290 2566b0f67522e64a38211e3fe66f340daaadaf3bcc0142f06f252347ebf4dc79 692ae8620e2065ad2717a9b7a1958221cf3fcb7daea181b04e258e1fc2705c1e 426bc7ffabf01ebfbcd50d34aecb76e85f69e3abcc70e0bcd8ed3d7247dba76e By Omri Ben Bassat Ex-officer in the IDF-CERT. Malware analyst and Reverse Engineer with vast experience in dealing with Nation-sponsored cyber attacks. | omri@intezer.com Tags: [backdoor](https://www.intezer.com/tag/backdoor/) [bitcoin](https://www.intezer.com/tag/bitcoin/) [china](https://www.intezer.com/tag/china/) Share: [cryptominer](https://www.intezer.com/tag/cryptominer/) [cybercrime](https://www.intezer.com/tag/cybercrime/) [iron](https://www.intezer.com/tag/iron/) [malware](https://www.intezer.com/tag/malware/) [ransomware](https://www.intezer.com/tag/ransomware/) ### Register to our free community ----- -----