NanoCore RAT Malware Analysis

February 10, 2025February 12, 2025 Anurag Gawande1 Comment

NanoCore is a well-known Remote Access Trojan (RAT) used by threat actors for espionage, data theft, and system control. In this post, I will analyze a NanoCore RAT sample with the hash 18B476D37244CB0B435D7B06912E9193 and explore its behavior, obfuscation techniques, and deobfuscation process.

File Hash MD5: 18B476D37244CB0B435D7B06912E9193
Filename: Sigmanly_0bbff62a45fc9776575ed143af2d7db332e2781d7e3de56eb3ff48c25d0c7b46
File size: 203.00 KB
NanoCore Client Version: 1.2.2.0
VirusTotal Detection Score: 64/72
File download: any.run

Static Analysis

Initial Inspection

Using Detect It Easy (DIE), I identified that the sample is a .NET executable and employs Eazfuscator obfuscation to hinder analysis.

Deobfuscation

To analyze the code effectively, I used de4dot to deobfuscate the executable. de4dot successfully restored readable class and method names, making it easier to understand the malware’s logic.

Below is how the deobfuscated code appears now.

Strings Analysis

Using SysInternals Strings, I extracted various strings from the binary and found the following indicators:

“Connecting to {0}:{1}..”
“/create /f /tn “{0}” /xml “{1}””
“schtasks.exe”
“CreateScheduledTask”
“/run /tn “{0}””
“RunScheduledTask”
“Host: {0}”

These strings indicate that the malware uses Windows Task Scheduler for persistence and C2 communication.

Dynamic Analysis

To gain deeper insights, I used dnSpy to debug the code and analyze its behavior in a controlled environment.

Execution Flow Analysis

Startup Routine: NanoCore attempts to achieve persistence by copying itself to a hidden directory and creating a registry entry.

During dynamic analysis, I found that it adds saasmon.exe under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.
It also creates a folder at C:\Program Files (x86)\SAAS Monitor to store its components.
Another folder is created at C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED, where the SAAS Monitor folder is placed, and saasmon.exe is dropped.

C2 Communication: The RAT connects to a remote Command-and-Control (C2) server, enabling an attacker to issue commands.

Wireshark Analysis: The malware attempts to establish connections to:
- simpletest.ddns.net (Potential C2 domain)
- 8.8.8.8 (Google DNS, likely used for connectivity checks)
- Uses port 9632 to communicate with the given IP.

Plugin System: NanoCore features a modular plugin system, allowing attackers to load additional capabilities dynamically.
Installed Plugins: During dynamic analysis, I found that NanoCore installed the SurveillanceEx plugin, which enhances its spying capabilities.

Data Exfiltration: Captures keystrokes, screenshots, and clipboard data, sending them to the attacker.

It stores keylogs and clipboard data in C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED\logs\users\kbxxxxx.dat.

In the image above, you can see that it is storing clipboard data along with the commands and text I was entering in applications.

Task Scheduler Analysis: The code contains functions to create a scheduled task using schtasks.exe, but during dynamic analysis, no scheduled task was actually created. Below is an image of the relevant code snippet that shows its intent to use Task Scheduler for persistence.

Indicators of Compromise (IOCs)

File Hash: 18B476D37244CB0B435D7B06912E9193
Network Indicators: (Extracted from dynamic analysis)
- C2 Domain: simpletest.ddns.net
- IP Contacted: 8.8.8.8 (Google DNS, may be used for connectivity checks)
- Port: 9632
Registry Changes:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\saasmon.exe
File System Changes:
- C:\Program Files (x86)\SAAS Monitor\saasmon.exe
- C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED\SAAS Monitor\saasmon.exe
- C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED\logs\users\kbxxxxx.dat (Stores keylogs and clipboard data)

Conclusion

NanoCore RAT remains a persistent threat due to its modularity and extensive feature set. Through deobfuscation with de4dot and debugging with dnSpy, I was able to uncover its core functionalities. Defenders should stay vigilant by leveraging threat intelligence, monitoring network traffic, and applying proactive security controls.

If you found this analysis helpful, feel free to share and stay tuned for more in-depth malware research!

Fake SBI Reward APK Targets Victims with Trojan via WhatsApp

January 20, 2025January 24, 2025 Anurag Gawande5 Comments

Cybercriminals continue to exploit unsuspecting users through cleverly crafted phishing campaigns. Recently, I encountered a forwarded message in a WhatsApp group that immediately raised suspicion. The message read as follows:

Dear Valued Customer,

Your SBI BANK 🏦 Reward Points (Rs 9980.00) will expire today. Now Redeem through SBI BANK🏦 REWARD App install & Claim Your Reward by Cash Deposit Your Account.

Thank-You 👇 team-SBI BANK

Attached to the message was an Android APK file, supposedly the “SBI BANK REWARD App,” which promised users a reward of Rs. 9980. Given the prevalence of similar scams, I decided to investigate the file’s legitimacy through static and dynamic analysis.

Initial Observations

Suspicious Language and Presentation:
- The message contained grammatical errors, with misspellings like “Value Customer” instead of “Valued Customer.”
- Overuse of emojis (🏦 and 👇) and inconsistent formatting further indicated it was likely a scam.
Hash Check:
- I extracted the file hash and searched for it on VirusTotal (VT) and Any.Run. Surprisingly, no results were available for this hash.
- This indicated that the file was either new or not widely distributed yet.

File Details

File Hash: 7f6e053f3551db9cb209fa5c05952a3e
File Type: Android .apk
File Size: 4.20MB
File Name: SBl REWARDZ POINT 1.apk

Static Analysis

Using JADX tool, I decompiled the APK to analyse its internal structure and code. Below are some findings:

Manifest Analysis

The APK requested excessive permissions, including access to SMS, Contacts, Call Logs, and Storage. These are common indicators of malicious intent.

The AndroidManifest.xml file revealed several critical points:

The manifest file defines activities and services such as BackgroundService, SmsReceiver, and BootBroadcastReceiver, which are typically used in malicious apps to intercept SMS and run processes at system boot.

Publicsuffixes.gz File

During the analysis, I found a file named publicsuffixes.gz. Upon extraction, it contained unrelated Chinese text, which did not directly link to the malicious APK but raised questions about the APK’s origin or development process.

Below is the translation of Chinese text from the publicsuffixes file.

The 1989 Tiananmen event was held in Beijing, capital of China, on July 28, 2013. The event was held on July 28, 2013. The 1989 event was held on July 28, 2013. The event was held on July 28, 2013. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and young people in the middle of the Yangtze River, and the rise of middle-aged and young people in the middle of the Yangtze River. The 10,000-square-foot (1,000-square-foot) 2,000-square-foot (1,000-square-foot) 2,000-square-foot (1,000-square-foot) 2,000-square-foot (1,000-square-foot) 4,000-square-foot (1,000-square-foot) 2,000-square-foot (1,000-square-foot) 4,000-square-foot (1,000-square-foot) The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and young people in Hong Kong, and also the rise of middle-aged and young people in Hong Kong. The 20th anniversary celebration of the founding of the Peoples' Republic of China, the 20th anniversary celebration of the founding of the Peoples' Republic of China, and the 20th anniversary celebration of the founding of the Peoples' Republic of China, will be held on the 14th of the 14th anniversary celebration of the founding of the Peoples' Republic of China. The 20th anniversary celebration of the founding of the Peoples' Republic of China, the 20th anniversary celebration of the founding of the Peoples' Republic of China, and the 20th anniversary celebration of the founding of the Peoples' Republic of China, will be held on the 21st anniversary of the founding of the Peoples' Republic of China. I sincerely hope that you will not be disappointed with the results of this project. I hope you will be happy with the results of this project. In this regard, the development of the industry has entered a new stage, and the development of the industry has entered a stage of rapid development. The 1984 World Cup has been held in Hong Kong since 1989. The 1984 World Cup has been held in Hong Kong since 1989. The 1984 World Cup has been held in Hong Kong since 1989. The 1984 World Cup has been held in Hong Kong since 1989. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and young people, and the rise of the middle-aged and young people. The wisdom of the people is the same as the practice of the traditional Chinese medicine. Customs of the West⹭Customs of the West⹭Customs of the West⹭Customs of the West⹭Customs of the West⹮Customs of the West⹮Customs of the West⹰Customs of the West⹲Customs of the West⹲Customs of the West⹳Customs of the West⹴Customs of the West⹴Customs of the West⹵Customs of the West⹵Customs of the West⹶Customs of the West⹺Customs of the West⹺Customs of the West⹺Customs of the West⹺Customs of the West⹮Customs of the West⹲Customs of the West⹤Customs of the West ⹢The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and young, and the rise of middle-aged and young people. It was a period of rapid development, and it was a period of rapid development. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and young people in Hong Kong, and also the rise of middle-aged and young people in Hong Kong. ⹯ The animal husbandry system is a system that allows animals to be picked up and eaten by locals. ⹯ The animal husbandry system is a system that allows animals to be picked up and eaten by locals. ⹯ The animal husbandry system is a system that allows animals to be picked up and eaten by locals. ⹯ In this regard, the development of the Internet has become a new trend, and the development of the Internet has become a new trend. In the future, the development of the Internet will continue to accelerate. The development of the Internet will continue to accelerate. ⹴The wisdom of the people is the wisdom of the people. The wisdom of the people is the wisdom of the people. The wisdom of the people is the wisdom of the people. The wisdom of the people is the wisdom of the people. Hunting 牶敩汬 considered捥⹡knock溇橩 contention玱慦晩挭捯湴牯 nitrogen 慥牯੡楲⹭畳 enemy洊慩狠敳੡楲 volume慦琮慥牯੡楲The scenery is the best. The lintel pile is the only one that has been built. The lintel pile is the only one that has been built. The lintel pile is the only one that has been built. The lintel pile is the only one that has been built. The lintel pile is the only one that has been built. I am alone, I am worried about my career, I am happy to be alone, I am alone.瀊怂楳 Zhuang浡⹴潫祯⹪怊怂楴愮怂楴愮橰੡歩瑡⹪瀊怂Step alone椤桯歫慩真⹪怊怂浵潫瑡⹮溇The 2014 World Economic Forum has selected 100 million nitrogen-containing foods and 10 million nitrogen-containing foods for sale in Hong Kong, the 2014 World Economic Forum, and the 2014 World Economic Forum. The enemy has a very strong sense of responsibility, and it is not easy to be irritated by the enemy. It is not easy to be irritated by the enemy. The 1988 Beijing International Expo was held in Beijing, and the 1988 Beijing International Expo was held in Beijing. The 1988 Beijing International Expo was held in Beijing, and the 1988 Beijing International Expo was held in Beijing. The 1988 Beijing International Expo was held in Beijing, and the 1988 Beijing International Expo was held in Beijing. The cup is the only cup that can be picked up by the owner. The cup is the only cup that can be picked up by the owner. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle class in Hong Kong, and also the rise of middle class values, including the middle class values of Hong Kong and Macau. The 1980s and 1990s, which was a very important era for the American people, saw the rise of the middle-aged man who was about to enter the country and become a model for the American people. The 1980s and 1990s, which was a very important era for the American people, saw the rise of the American people, and also saw the rise of the American people. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle class in the 1980s and 1990s, and also the rise of middle class values in the 1990s and 1990s. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged man, who was about to enter the city of Beijing and was known as the "Eighteenth Century". This was the first time the 1980s and 1990s had reached a peak of 1980s and 1990s. The material is made of natural materials, and the material is made of natural materials. The material is made of natural materials, and the material is made of natural materials. The bridge is the bridge between the two cities, and the bridge between the two cities is the bridge between the two cities. The 2020 Beijing International Airport has been a major port for the Chinese government to provide a variety of transportation services to the public, and the ... The gray house is the only one that can be restored ੡ash狞洴⹣tan੡灲敮浡present捬੡welding⹩把慱牥汬抔敡物畭⹭畳enemy把慱畩contamination⹩琊慲੡爮捯The 1980s and 1990s, which was a very important time for the American people, was a very important time for the American people. The 1980s and 1990s, which was a very important time for the American people, was a very important time for the American people. The 10,000 most common nitrogen-containing foods are found in the lungs, lungs, and lungs of animals. The 20th anniversary celebration of the founding of the Peoples' Republic of China, the 20th anniversary celebration of the founding of the Peoples' Republic of China, and the 20th anniversary celebration of the founding of the Peoples' Republic of China, have been held in the capital. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and elderly people, and also the rise of middle-aged and elderly people. The 100 most common words in English are used to describe the meaning of the word " ' ... The company has a unique business model, a unique business model, a unique business model, and a unique business model. The only thing you can do is to take a walk through the garden and learn about the garden.獡獳楮楯渮浵獥畭੡獳楳椮浵獥畭੡獳渮汫੡獳漮扪੡獳殍੡獳漮fold੡獳殮enemy⹯木੡獳殙੡獳漮杰੡獳漡੡獳殭੡獳殮੡獳漮湣੡獳漮੡獳棣楡瑥猊歭獯捩楯渮慥The tidal flat is the tidal flat of the gorge. The tidal flat is the tidal flat of the gorge. The tidal flat is the tidal flat of the gorge. The tidal flat is the tidal flat of the gorge. ⹢爊牮hunt杩⹫氪氪扮敹੡甊浵⹥甮潲朊恵洴楯元慵浵੡畤楢汥੡畤楯੡畤湥桡汮⹮溇慵杵獴潷⹰氊浵捴潷⹰氊浵据堂੡畲殮堂੡畲繤⹮溇慵牳歯札桯 dirt The 100 most common types of AIDS are found in the healthcare industry, and the 100 most common types of AIDS are found in the healthcare industry. I have been waiting for an hour for a while, and I have been waiting for an hour for a while. I have been waiting for an hour for a while, and I have been waiting for an hour for a while. We must ensure that every effort is made to ensure that the environment is healthy and that the people are happy. We must ensure that every effort is made to ensure that the environment is healthy and that the people are happy. The 1989 Tiananmen event was held at the 41st Beijing International Airport in Beijing, China, and it was held on the 4th Beijing International Airport in Beijing. The 1989 Tiananmen event was held at the 4th Beijing International Airport in Beijing, China, and it was held on the 4th Beijing International Airport in Beijing. The urn was full of ashes, and the urn was full of ashes. It was a very beautiful place, full of ashes, and it was very beautiful. It was a very beautiful place, full of ashes, and it was very beautiful. The 2014 National Development and Reform Commission has launched a series of targeted measures to improve the quality of life of enterprises and enterprises, and has also launched a series of targeted measures to improve the quality of life of enterprises. Independent business people should pay attention to the following aspects: The 1989 Tiananmen event was held in Beijing, capital of China, on July 28, 2012. The 1989 Tiananmen event was held in Beijing, capital of China, on July 28, 2012. The 1989 event was held in Beijing, capital of China, on July 28, 2012. The scenery is so beautiful that it can be seen that the scenery is so beautiful that it can be seen that the scenery is so beautiful that it can be seen that the scenery is so beautiful that it can be seen that the scenery is so beautiful that it can be seen that the scenery is so beautiful that it can be seen that The 20th anniversary celebration of the founding of the Peoples' Republic of China, was held on the 21st anniversary of the founding of the Peoples' Republic of China. It was held on the 21st anniversary of the founding of the Peoples' Republic of China, and it was held on the 21st anniversary of the founding of the Peoples' Republic of China. In this regard, the author has selected the following suggestions: In the future, the development of the industry will continue to accelerate, and the development of the industry will continue to accelerate. In the future, the development of the industry will continue to accelerate, and the development of the industry will continue to accelerate. ⹭畳敳扥敮楴� ... The 1984 World Cup has been held in Beijing for 10 years, and the 1984 World Cup has been held in Beijing for 10 years. The 20th anniversary celebration of the founding of the Peoples' Republic of China was held on the 21st of July in Beijing. The 20th anniversary celebration of the founding of the Peoples' Republic of China was held on the 21st of July in Beijing. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle class in the 1980s and 1990s, and also the rise of middle class values in the 1990s and 1990s. Tan ੢楺੢楺⹡琊Expansion of species慺੢楺⹢Wu Expansion of species捹੢楺⹤Quan of expansion of species ੢楺⹦樊Expansion of species杬੢楺⹩搊Expansion of species歩੢楺⹬猊 expand kind 浶੢楺⹭眊 expand kind 湩੢楺⹮爊expand fire ੢楺⹰氊expand kind 灲੢楺⹳猊expand Ma੢楺⹴爊The development of the industry has been continuously improved, and the development of the industry has been continuously improved. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle class in Hong Kong, and also the rise of middle class values, and also the rise of middle class values in the 1990s and 1990s. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and middle-aged man, and the rise of middle-aged and middle-aged women. It was a period of rapid development, and the rise of middle-aged and middle-aged women was a period of rapid development. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle class in Hong Kong, and also the rise of middle class values, such as the middle class values of Hong Kong and Macau. The bathtub is bathed in the hot spring water, and the hot spring water is bathed in the hot spring water. The hot spring water is bathed in the hot spring water, and the hot spring water is bathed in the hot spring water.

Strings Analysis

Hardcoded URLs were found pointing to command-and-control (C2) servers.
References to financial APIs and terms like “OTP” and “Banking” suggested a focus on stealing sensitive data.

libiotusintouch.cpp.so File

The file was decompiled using GHIDRA, revealing the following Remote URLs:

https://superherocloud.com
wss://socket.missyou9.in

The app sends detailed device information, including:

Device manufacturer and model
Android version
Mobile ID
SIM details
Mobile number

Additionally, I observed the name “Kritika” hardcoded in the log statements, potentially indicating the developer or a test/debugging artifact.

The following code snippet exemplifies the exfiltration of this data:

Dynamic Analysis

I executed the APK in a controlled environment using an Android emulator and monitored its behavior with HTTP Toolkit and Wireshark. Here’s what I uncovered:

Network Traffic

Analyzing network traffic with Wireshark revealed that, upon installation, the APK immediately established connections to previously identified URLs.

Communication via wss://socket.missyou9.in included the following parameters:

The persistent communication over WebSocket (wss://socket.missyou9.in) could be classified as beaconing behavior, as it periodically updates the server with device status and other details.

Keylogging Behavior

The application displayed phishing screens mimicking legitimate SBI login pages to harvest user credentials.

Upon providing information, it connects to superherocloud.com and upload the data.

Username, password and mobile number.
Profile password and DOB.
Full name, Account number and CIF.
Debit/Credit card number, Expiry date, CVV number and ATM pin.
OTP

Below screenshot refers to API calls captured during analyzing app.

The following code snippet submits device information to the endpoint: https://superherocloud.com/api/mobile/add.

After submitting the file to VirusTotal, it was flagged by 25 out of 67 antivirus engines as malicious. The detection names varied, but many indicated trojan-like behavior. The file’s VT analysis can be accessed here

Domains

The domain https://socket.missyou9.in was flagged by 2/94 vendors on VirusTotal, indicating potential malicious activity. Moreover, this domain is reportedly associated with other APKs impersonating different banking apps to conduct similar malicious campaigns. Also this domain is registered 5 month ago.

The domain https://superherocloud.com, used as the endpoint for exfiltrating device information, was registered only two months ago.
Despite its short lifespan, the domain has not yet been flagged as malicious on public threat intelligence platforms.

Implications of the Attack

This campaign is a clear attempt to steal sensitive user data, including banking credentials, debit/credit card information and OTPs, to perform fraudulent financial transactions. What makes it particularly dangerous is the exploitation of trust through the SBI branding and the urgency implied in the message.

Conclusion

This incident underscores the importance of vigilance in the face of cyber threats. While this particular APK was quickly identified as malicious, many others might slip through the cracks, targeting unsuspecting users. By raising awareness and adopting basic cybersecurity hygiene, we can mitigate the risks posed by such scams.

Stay safe and always think before you click!

[UPDATE]

I have uploaded the APK file to Malshare. You can download it using the link below.

SBl REWARDZ POINT 1.apk

Beware of Phishing Emails: “Hey, You Have a Problem” Scam

August 24, 2024August 24, 2024 Anurag Gawande2 Comments

Phishing scams are becoming increasingly sophisticated, and one of the more recent and alarming tactics involves an email with the subject line “Hey, You Have a Problem.” The body of the email is brief but ominous:

Subject: Hey, you have Problem
Body: Hi! You have a problem.
Details here
You have very little time.
Don’t you dare share this info with any of your friends.

The email contains a link to a website that supposedly contains more information about the so-called “problem.” However, this link is a trap designed to exploit your fear and curiosity.

How the Scam Works

The Hook: The email’s vague and alarming message is designed to create a sense of urgency. The phrase “You have very little time” triggers panic, pushing you to click on the link without thinking.
The Deception: Once you click the link, you’re taken to a website that claims you’ve been hacked. The site may impersonate a hacker, threatening that they have gained control of your device, taken screenshots of you through your camera, or recorded your browsing activity.
The Demand: To avoid these fabricated consequences, the “hacker” demands a ransom payment in Bitcoin, a popular cryptocurrency known for its anonymity. The site might also include a countdown timer, adding further pressure to comply quickly.

Email header

The email sent by id rafaelgarciays@buhuchetnko.ru client IP: 92.53.96.143

Redirection link

The link given in email redirects to domain https :// 59exp . ru and the VirusTotal score for this URL is 1/96

What Happens When You Click the Link?

If you click on the link provided in the email, here’s what typically happens next:

Personalized Attack: The link contains a parameter specific to the victim’s email address, allowing the scammer to track which email recipient clicked on the link. This personalization adds a layer of authenticity to the scam, making it more convincing.
Fake Ransom Demands: Once on the phishing site, you’ll be presented with a message from an alleged hacker claiming that they have compromised your device. The message might say that they have deployed a script on a website you visited, which allegedly allowed them to take screenshots of you using your camera.
Bitcoin Ransom: The scammer then demands a ransom, usually in Bitcoin, to prevent the release of these “screenshots” or other fabricated evidence of wrongdoing. The demand is typically accompanied by threats and a tight deadline to create a sense of urgency.

Opening Phishing Site

The phishing site links a security incident to the victim’s email ID and the Bitcoin address 1CWTFeMfPCG1Q6uVLSpHUmQ1J1i6hxj1LK, where the scammer demands a transfer of USD $699.

After reviewing the blockchain transactions associated with the Bitcoin address 1CWTFeMfPCG1Q6uVLSpHUmQ1J1i6hxj1LK, no transaction for the amount of USD $699 has been found to date.

How to Protect Yourself

Don’t Click on Suspicious Links: If you receive an unexpected email with a link, especially one that makes alarming claims, don’t click on it. Instead, verify the sender’s identity through other means.
Check the URL: Before clicking any link, hover over it to see the actual URL. If it looks suspicious or unfamiliar, don’t click it.
Be Skeptical of Urgent Requests: Scammers often create a false sense of urgency to pressure you into acting quickly. Take a moment to think before responding to any urgent requests, especially those involving money.
Use Strong, Updated Security Measures: Ensure your devices are protected with up-to-date antivirus software, and consider using a password manager to help secure your accounts.
Report Phishing Attempts: If you receive a phishing email, report it to your email provider and any relevant authorities. This helps protect others from falling victim to the same scam.
Educate Yourself and Others: Stay informed about the latest phishing tactics and share this information with friends, family, and colleagues to help them avoid similar scams.

Conclusion

Phishing scams like the “Hey, You Have a Problem” email are designed to exploit your fears and pressure you into making hasty decisions. By staying informed and following best practices for online security, you can protect yourself from these malicious schemes. Remember, when in doubt, it’s always better to be cautious and verify before taking action.

Understanding RedLine Stealer: The Trojan Targeting Your Data

August 22, 2024August 22, 2024 Anurag Gawande2 Comments

In the ever-evolving landscape of cybersecurity threats, one name has increasingly become synonymous with stealth and precision: RedLine Stealer. This malicious software, often referred to as a Trojan, is designed to infiltrate systems, silently siphoning off valuable data while remaining largely undetected by its victims. In this blog, we’ll delve into what RedLine Stealer is, how it operates, and what you can do to protect yourself from this insidious threat.

How Does RedLine Stealer Work?

RedLine Stealer typically enters a system through phishing emails, malicious websites, or bundled software downloads. Once installed, it quickly gets to work, scouring the system for valuable information. Here’s a closer look at what it targets:

Login Credentials: RedLine can harvest usernames and passwords stored in web browsers, FTP clients, and other software.
Autofill Data: Information like addresses, phone numbers, and credit card details saved in browser autofill forms are also at risk.
Cryptocurrency Wallets: The Stealer targets cryptocurrency wallets, potentially stealing private keys or wallet credentials.
System Information: It gathers detailed information about the infected system, including the operating system, hardware specifications, installed software, and even security measures.
Files and Documents: RedLine can search for specific file types, such as documents or spreadsheets, and exfiltrate them to the attacker.

Static And Dynamics Analysis

File Properties:

Hash:
MD5 12d8e993204cd8a39b7b5938ea6369eb
SHA256: 11c350a41232b6adfe9634d8d9e2afacac1e5e06bd20ee1fbc480a3987b83ab03

File Type: Win32 exe
PEiD packer: .NET executable
File size: 2.75 MB

I have downloaded this sample from Any.run. The link is given to download the sample at the end of article.

Get the hash of the file using PowerShell command to confirm its same sample.

Infection Process

The downloaded executable once executed, it will exit immediately and the new process starts as MSBuild.exe’. Malicious code is injected into it.

MSBuild.exe PID is 8160

The sample I have downloaded is obfuscated using Intellilock software.

To deobfuscate the code I have used pe-sieve tool. Its really easy and helpful. To perform this, we need to run executable file and run >pe-sieve /pid <pid> command like below.

deobfuscate file using pe-sieve command.

This will create the folder name PID and will copy the exe file.

400000.MSBuild.exe is deobfuscated file.

I am using dnSpyEx for debugging the executable file 400000.MSBuild.exe. The assembly name of this file is “Forgiving.exe”

Built in configuration

After deobfuscation of code, below are all the modules used in code.

IP address in config file is C2 server IP. Key is used for decoding the data. This is has been initialised in class Arguments. Its in Base64 format.

While debugging executable, can see the IP address of C2 server is 185.215.113.25 and port 13686

The IP address lookup shows it is from Baie Lazare, Seychelles.

RedLine stealer check regions it is executing in, if the victim is located in one of Commonwealth of Independent States, it exits execution.

Once confirmed the victim is located our of CIS country, its starts collecting all different kind data from victims machine and send to C2 server.

Browser data

It looks for different browsers whether installed on machine and starts collecting browser login data, cookies and browser history.

Browser List:

Google Chrome
Microsoft Edge
Opera
Maple Studio, Chrome Plus
Iridium
7Star
CentBrowser
Chedot
Vivaldi
Kometa
Elements Browser
Epic Privacy Browser
Uran
Sleipnir
Citrio
Coowon
liebao
QIP Surf
Orbitum
Comodo
Amigo
Torch
Yandex
360 Browser
Maxthon
k-melon
Sputnik
Nichrome
CocCoc
Chromodo
Atom
Brave browser
Ghost Browser
Baidu Browser
CryptoTab Browser
Lulumi Browser
Mozilla
QQBrowser
WaterFox
Ghostery Browser
Netscape
Flashpeak

Crypto Wallets

Stealer looks for different wallets installed on victims machine.

Armory
Atomic
Binance
Coinomi
Electrum
Etherium
Exodus
Garuda
com.liberty.jaxx
Monero

File Collector

It search for different files with extensions on Desktop, Documents folders and upload to C2.

File Types:

.txt
.doc
.key
seed
wallet

Screen Capture

RedLine stealer captures user screen resolution and takes screenshots and send to C2 server.

System Information

It also collects information from the compromised system.

Username
hostname
Input language and date time
Installed antivirus program
Running process
OS version
Monitor size

Download and Execute payload

Redline stealer has classes DownloadUpdate and DownloadAndExecuteUpdate. DownloadUpdate download data using webclient and DownloadAndExecuteUpdate download data using webclient and execute it.

Discord & Telegram

It looks for Discord data and telegram data on victims machine.

NordVPN OpenVPN and ProtonVPN

It looks for configuration files of all three VPN applications.

Filezilla FTP Application

Stealer look for sitemanager.xml file which stores username and password and recentservers.xml which stores information about which FTM servers you have connected to. If its available on victims machines, it will extract and send to C2.

Antivirus

Stealer collect the information about installed anti malware program installed on machine and send it to C2.

Redline stealer use http[:]//tempuri[.]org/Entity/Id[1-24] to communicate to C2 server. When access this URL in browser it redirects to bing.com

VirusTotal score for this RedLine stealer is 60/75

Indicators of Compromise

Hashes:

12d8e993204cd8a39b7b5938ea6369eb
11c350a41232b6adfe9634d8d9e2afacac1e5e06bd20ee1fbc480a3987b83ab03

IP Address:

185.215.113.25
23.45.12.19
217.65.2.14

Protecting Against RedLine Stealer

Given the sophisticated nature of the RedLine Stealer, it’s essential to adopt robust security measures to protect yourself and your organization. Here are some key steps to consider:

Use Up-to-Date Security Software: Ensure that your antivirus and anti-malware software are regularly updated to detect and block the latest threats.

Be Cautious with Emails: Avoid opening attachments or clicking on links in emails from unknown or suspicious sources. Always verify the sender’s identity before taking any action.

Avoid Downloading Software from Untrusted Sources: Only download software from reputable websites or official app stores. Be cautious of freeware or shareware sites, which may bundle malicious software with legitimate applications.

Regularly Update Your Systems: Keep your operating system, software, and applications up to date with the latest security patches to close vulnerabilities that could be exploited by Trojans like RedLine.

Use Strong, Unique Passwords: Utilize strong, unique passwords for different accounts, and consider using a password manager to store them securely.

Enable Two-Factor Authentication (2FA): Wherever possible, enable 2FA for your online accounts to add an extra layer of security, even if your credentials are compromised.

References:

Any.run

Phishing/Sextortion Email – For your own safety, I highly recommend reading this email

March 29, 2024April 23, 2024 Anurag GawandeLeave a comment

Phishing/Sextortion Email:

Subject: For your own safety, I highly recommend reading this email

Hello <name>,
You are in big trouble.
However, don't panic right away. Listen to me first, because there is always a way out.

You are now on the radar of an international group of hackers, and such things never end well for anyone.
I'm sure you've heard of Anonymous. Well, compared to us, they are a bunch of schoolboys.
We are a worldwide network of several thousand professionals, each with their own role.

Someone hacks corporate and government networks, someone cooperates with intelligence agencies on the most delicate tasks,
and someone (including me) deals with people like you to maintain the infrastructure of our group.
"What kind of people like me?" - that is the question you are probably asking yourself now.

The answer is simple: people who like to watch highly controversial and, shall we say,
unconventional pornography on the internet that most normal people would consider perverted.
But not you!

In order to leave you without any doubts, I'll explain how I found it out.
Two months ago, my colleagues and I installed spyware software on your computer and then gained access to all of your devices, including your phone.
It was easy - one of those many pop-ups on porn sites was our work.

I think you already understand that we would not write to an ordinary man who watches "vanilla" and even hardcore porn - there is nothing special about that.
But the things you're watching are beyond good and evil.
So after accessing your phone and computer cameras, we recorded you masturbating to extremely controversial videos.
There is a close-up footage of you and a little square on the right with the videos you're pleasing yourself.
However, as I said earlier, there is always a way out, because even the most degraded sinner deserves leniency.
You are lucky today because I am not a sadist who enjoys other people's suffering.
Only money matters to me.

Here is your salvation: you must transfer $1490 in Bitcoin to this BTC cryptocurrency wallet: 19VQ4UwfrMskCbRLPrzsaL6TUCYomNdvKt

You have exactly 48 hours to make the payment, so think less, and do more.
As soon as I receive confirmation of the transaction, I will delete all compromising content and permanently disable our computer worm.
Believe me, I always abide by gentleman's agreements. Even with people who are hardly gentlemen. Because it's nothing personal, just business.

If I do not receive a payment, I will send all videos of you to every person in your contact list, messengers and email.
Relatives, loved ones, colleagues, friends-everyone you've ever been in contact with will receive them.
You understand perfectly well that you will never be able to wash this stain on your reputation.
Everyone will remember you as sick as fuck.
Your life will be completely ruined, and, most likely, only a tightened noose around your neck will be able to save the day.

If you haven't dealt with crypto before, I suppose it won't be difficult for you to figure it all out.
Simply type in the "crypto exchange" into the search bar and pay with a credit card. Besides, based on your browser history, you are a savvy user.
When you want to, you can dig into the darkest depths of the Internet, so I'm sure you will be able to find out what is what.

Here is what my colleagues and I should warn you against:
...Do not reply to this email. Do you really think we are so stupid to be tracked by an email address? This is a temporary disposable email.
 As soon as I clicked "Send", it was gone for good.
...Forget about law-enforcement authorities. As soon as I see that you are trying to contact them, the compromising material will be published.
 Remember, I have access to all your devices, and I can even track your movements.
...Do not reset your devices to factory settings and do not try to get rid of your devices.
 It won't help in any way. Look above - my All-seeing eye is watching all your actions. It is easy to hunt you down.

I am sorry that we met in such circumstances. Probably, everything could be different if you had been more careful about what you are doing on the Internet.
Watch yourself from now on, because even such things that you previously considered insignificant can destroy your life in the future like a butterfly effect.
I hope this is goodbye forever. However, it depends on you.

P.S. The countdown is on. The choice is yours.

This is a phishing sextortion email scam spreading in last few days. I came across few blog posts and tweets mentioning same email content.

A phishing sextortion email is a specific type of malicious email that combines elements of both phishing and sextortion. In such emails, the sender typically claims to have compromising or explicit material of the recipient, often obtained through a supposed hack or malware installed on the recipient’s device. The email usually includes threats to release this material unless a ransom is paid, typically in cryptocurrency.

These emails often employ psychological manipulation and intimidation tactics to coerce the recipient into complying with the demands. They may include personal information about the recipient, such as their name, username, or password (which may have been obtained from previous data breaches), to make the threats seem more credible.

Email header:

Received: from CH3PR14MB6324.namprd14.prod.outlook.com (2603:10b6:610:14d::22)
 by MW4PR14MB5997.namprd14.prod.outlook.com with HTTPS; Tue, 26 Mar 2024
 20:58:35 +0000
Received: from MW4PR04CA0203.namprd04.prod.outlook.com (2603:10b6:303:86::28)
 by CH3PR14MB6324.namprd14.prod.outlook.com (2603:10b6:610:14d::22) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.32; Tue, 26 Mar
 2024 20:58:34 +0000
Received: from CO1NAM11FT116.eop-nam11.prod.protection.outlook.com
 (2603:10b6:303:86:cafe::ee) by MW4PR04CA0203.outlook.office365.com
 (2603:10b6:303:86::28) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.13 via Frontend
 Transport; Tue, 26 Mar 2024 20:58:33 +0000
Authentication-Results: spf=fail (sender IP is 45.233.98.42)
 smtp.mailfrom=hotmail.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=hotmail.com;compauth=fail
 reason=001
Received-SPF: Fail (protection.outlook.com: domain of hotmail.com does not
 designate 45.233.98.42 as permitted sender) receiver=protection.outlook.com;
 client-ip=45.233.98.42; helo=[45.233.98.42];
Received: from [45.233.98.42] (45.233.98.42) by
 CO1NAM11FT116.mail.protection.outlook.com (10.13.174.243) with Microsoft SMTP
 Server id 15.20.7430.22 via Frontend Transport; Tue, 26 Mar 2024 20:58:32
 +0000

Email header shows this email has been sent from IP 45.233.98.22 from Brazil.

When searched on Mxtoolbox, found this IP address is already in blacklist on “s5h.net” and “SORBS SPAM“.

Scammers have demanded $1490 bitcoin to transfer to Crypto wallet 19VQ4UwfrMskCbRLPrzsaL6TUCYomNdvKt and when I have received this email I checked for this wallet, there were no transactions but unfortunately now I see 2 transactions that means 2 victims fell for it.

link to check transaction for this wallet: Blockchair

If you receive a phishing sextortion email, it’s essential to:

Stay calm: Remember that the sender’s threats may not be legitimate.
Avoid responding or engaging: Do not reply to the email or attempt to contact the sender.
Do not pay the ransom: Paying the ransom encourages further criminal activity and does not guarantee that the threats will stop.
Report the email: Report the email to your email provider as spam or phishing. You can also report it to law enforcement agencies or relevant authorities.

Malware Analysis, Phishing, and Email Scams

Cybersecurity Blog

Tag: Malware

NanoCore RAT Malware Analysis

Fake SBI Reward APK Targets Victims with Trojan via WhatsApp

Beware of Phishing Emails: “Hey, You Have a Problem” Scam

Understanding RedLine Stealer: The Trojan Targeting Your Data