Tag: Malware Analysis

RMM Abuse in a Crypto Wallet Distribution Campaign

AnuragLeave a comment

Analysis of a Suspicious “Eternl Desktop” MSI Installer Dropping LogMeIn Resolve

Overview

A professionally written announcement email titled “Eternl Desktop Is Live — Secure Execution for Atrium & Diffusion Participants” is currently circulating within the Cardano community.

At first glance, the email appears legitimate and well aligned with Cardano’s governance narrative promoting security, decentralization, and staking incentives. However, deeper inspection of the download mechanism and installer behavior raises significant red flags.

Email Social Engineering Highlights

The email leverages high trust messaging and ecosystem specific incentives.

The email strategically references Atrium and the Diffusion Staking Basket to establish legitimacy within the Cardano ecosystem, while also making enticing claims of NIGHT and ATMA token rewards to drive user interest. It reinforces trust by emphasizing “local-first, non-browser signing,” positioning the application as a more secure alternative to browser based wallets. The overall messaging maintains a polished, professional tone with no visible spelling or grammatical issues, lending credibility to the communication. This is capped with a strong, authoritative call to action “Eternl Desktop is where Cardano decisions are finalized.” designed to create urgency and frame the software as an essential tool for serious Cardano participants.

Download Infrastructure Red Flags

The provided download URL, hxxps://download[.]eternldesktop[.]network, raises immediate concerns, as the domain appears to be newly created and lacks any established historical reputation. There is no independent verification or announcement from official, well known Eternl communication channels to validate its legitimacy. Additionally, the software is distributed as a direct MSI installer without publicly available checksums, digital signature transparency, or formal release notes, preventing users from independently verifying the integrity and authenticity of the installer before execution.

New infrastructure + wallet software + MSI installer is a high-risk combination.

Domain Information

MSI Installer Analysis

File Name: Eternl.msi
File Size: 23.3MB
File Type: Windows Intaller (MSI)
Hash: 8fa4844e40669c1cb417d7cf923bf3e0
Title: LogMeIn Resolve Unattended
Comments: LogMeIn Resolve Unattended v1.30.0.636

Using CFF Explorer, I identified an embedded executable within the MSI file. I then used LessMSI to extract the executable for further analysis.

Extracted Executable File

File Name: unattended-updater.exe
File Type: PE32
File Size: 23.35MB
Original File Name: GoToResolveUnattendedUpdater.exe
File Hash: 3f317e17741122cd4ea30123ba241cd0
File Description: LogMeIn Resolve

During dynamic analysis, the sample was observed writing log files and JSON artifacts to disk.

It also tried to connect to below domains.

  • hxxt://ip.zscaler.com
  • hxxt://zerotrust.services.gotoresolve.com
  • hxxt://dumpster.console.gotoresolve.com/api/live
  • hxxt://sessions.console.gotoresolve.com
  • hxxt://devices-iot.console.gotoresolve.com/
  • hxxps://devices.console.gotoresolve.com/properties
  • hxxps://applet.console.gotoresolve.com
  • hxxps://custombranding.console.gotoresolve.com

The executable is placed within a uniquely identified folder created under “C:\Program Files (x86)\GoTo Resolve Unattended“. All executables, along with JSON configuration files related to the RMM setup, are stored in this directory.

The unattended.json configuration file enables unattended access, allowing a technician to connect to the remote system without the end user being physically present.

The application attempts to connect to hxxps://dumpster.console[.]gotoresolve[.]com/api/sendEventsV2 to transmit event information in JSON format. The connection fails, and the application retries the request multiple times.

Why This Is Concerning

This behavior is concerning because Remote Monitoring and Management (RMM) tools inherently provide powerful capabilities such as remote command execution, system monitoring, persistent access, and unattended control. While legitimate in enterprise environments, these features are frequently abused by threat actors during initial access operations, particularly in crypto themed malware campaigns and fake wallet or airdrop lures, where RMM software is leveraged to establish long-term post exploitation persistence on compromised systems.

While LogMeIn Resolve itself is a legitimate product, its silent delivery inside a wallet installer is not legitimate behavior.

Detection Summary

  • Flagged as PUA / Riskware
  • Behavioral indicators consistent with remote management agents
  • Not a known component of any official Eternl wallet release

Threat Assessment

IndicatorRisk
Newly registered download domainHigh
MSI installer for wallet softwareHigh
Drops RMM toolCritical
PUA classificationConfirmed

HIGHLY SUSPICIOUS – DO NOT INSTALL

This campaign exhibits multiple overlapping indicators consistent with supply-chain abuse and trojanized wallet distribution, combined with pre positioning techniques that leverage RMM tools to establish persistent access. Together, these behaviors suggest preparation for potential follow on activity, including future credential harvesting or cryptocurrency wallet compromise.

Indicators of Compromise (IOCs)

Domains:

  • download[.]eternldesktop[.]network

Files

  • etrnl.msi
  • unattended-updater.exe

Product Identifiers

  • LogMeIn Resolve
  • GoTo Resolve

Hash

  • 8fa4844e40669c1cb417d7cf923bf3e0
  • 3f317e17741122cd4ea30123ba241cd0

This campaign demonstrates how crypto governance narratives are increasingly weaponized to distribute covert access tooling under the guise of professional software.

NanoCore RAT Malware Analysis

Anurag1 Comment

NanoCore is a well-known Remote Access Trojan (RAT) used by threat actors for espionage, data theft, and system control. In this post, I will analyze a NanoCore RAT sample with the hash 18B476D37244CB0B435D7B06912E9193 and explore its behavior, obfuscation techniques, and deobfuscation process.

File Hash MD5: 18B476D37244CB0B435D7B06912E9193
Filename: Sigmanly_0bbff62a45fc9776575ed143af2d7db332e2781d7e3de56eb3ff48c25d0c7b46
File size: 203.00 KB
NanoCore Client Version: 1.2.2.0
VirusTotal Detection Score: 64/72
File download: any.run

Static Analysis

Initial Inspection

Using Detect It Easy (DIE), I identified that the sample is a .NET executable and employs Eazfuscator obfuscation to hinder analysis.

Deobfuscation

To analyze the code effectively, I used de4dot to deobfuscate the executable. de4dot successfully restored readable class and method names, making it easier to understand the malware’s logic.

Below is how the deobfuscated code appears now.

Strings Analysis

Using SysInternals Strings, I extracted various strings from the binary and found the following indicators:

  • “Connecting to {0}:{1}..”
  • “/create /f /tn “{0}” /xml “{1}””
  • “schtasks.exe”
  • “CreateScheduledTask”
  • “/run /tn “{0}””
  • “RunScheduledTask”
  • “Host: {0}”

These strings indicate that the malware uses Windows Task Scheduler for persistence and C2 communication.

Dynamic Analysis

To gain deeper insights, I used dnSpy to debug the code and analyze its behavior in a controlled environment.

Execution Flow Analysis

Startup Routine: NanoCore attempts to achieve persistence by copying itself to a hidden directory and creating a registry entry.

  • During dynamic analysis, I found that it adds saasmon.exe under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.
  • It also creates a folder at C:\Program Files (x86)\SAAS Monitor to store its components.
  • Another folder is created at C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED, where the SAAS Monitor folder is placed, and saasmon.exe is dropped.

C2 Communication: The RAT connects to a remote Command-and-Control (C2) server, enabling an attacker to issue commands.

  • Wireshark Analysis: The malware attempts to establish connections to:
    • simpletest.ddns.net (Potential C2 domain)
    • 8.8.8.8 (Google DNS, likely used for connectivity checks)
    • Uses port 9632 to communicate with the given IP.
  • Plugin System: NanoCore features a modular plugin system, allowing attackers to load additional capabilities dynamically.
  • Installed Plugins: During dynamic analysis, I found that NanoCore installed the SurveillanceEx plugin, which enhances its spying capabilities.

  • Data Exfiltration: Captures keystrokes, screenshots, and clipboard data, sending them to the attacker.
  • It stores keylogs and clipboard data in C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED\logs\users\kbxxxxx.dat.

In the image above, you can see that it is storing clipboard data along with the commands and text I was entering in applications.

Task Scheduler Analysis: The code contains functions to create a scheduled task using schtasks.exe, but during dynamic analysis, no scheduled task was actually created. Below is an image of the relevant code snippet that shows its intent to use Task Scheduler for persistence.

Indicators of Compromise (IOCs)

  • File Hash: 18B476D37244CB0B435D7B06912E9193
  • Network Indicators: (Extracted from dynamic analysis)
    • C2 Domain: simpletest.ddns.net
    • IP Contacted: 8.8.8.8 (Google DNS, may be used for connectivity checks)
    • Port: 9632
  • Registry Changes:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\saasmon.exe
  • File System Changes:
    • C:\Program Files (x86)\SAAS Monitor\saasmon.exe
    • C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED\SAAS Monitor\saasmon.exe
    • C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED\logs\users\kbxxxxx.dat (Stores keylogs and clipboard data)

Conclusion

NanoCore RAT remains a persistent threat due to its modularity and extensive feature set. Through deobfuscation with de4dot and debugging with dnSpy, I was able to uncover its core functionalities. Defenders should stay vigilant by leveraging threat intelligence, monitoring network traffic, and applying proactive security controls.

If you found this analysis helpful, feel free to share and stay tuned for more in-depth malware research!

Understanding RedLine Stealer: The Trojan Targeting Your Data

Anurag2 Comments

In the ever-evolving landscape of cybersecurity threats, one name has increasingly become synonymous with stealth and precision: RedLine Stealer. This malicious software, often referred to as a Trojan, is designed to infiltrate systems, silently siphoning off valuable data while remaining largely undetected by its victims. In this blog, we’ll delve into what RedLine Stealer is, how it operates, and what you can do to protect yourself from this insidious threat.

How Does RedLine Stealer Work?

RedLine Stealer typically enters a system through phishing emails, malicious websites, or bundled software downloads. Once installed, it quickly gets to work, scouring the system for valuable information. Here’s a closer look at what it targets:

  • Login Credentials: RedLine can harvest usernames and passwords stored in web browsers, FTP clients, and other software.
  • Autofill Data: Information like addresses, phone numbers, and credit card details saved in browser autofill forms are also at risk.
  • Cryptocurrency Wallets: The Stealer targets cryptocurrency wallets, potentially stealing private keys or wallet credentials.
  • System Information: It gathers detailed information about the infected system, including the operating system, hardware specifications, installed software, and even security measures.
  • Files and Documents: RedLine can search for specific file types, such as documents or spreadsheets, and exfiltrate them to the attacker.

Static And Dynamics Analysis

File Properties:

Hash:
MD5 12d8e993204cd8a39b7b5938ea6369eb
SHA256: 11c350a41232b6adfe9634d8d9e2afacac1e5e06bd20ee1fbc480a3987b83ab03

File Type: Win32 exe
PEiD packer: .NET executable
File size: 2.75 MB

I have downloaded this sample from Any.run. The link is given to download the sample at the end of article.

Get the hash of the file using PowerShell command to confirm its same sample.

Infection Process

The downloaded executable once executed, it will exit immediately and the new process starts as MSBuild.exe’. Malicious code is injected into it.

MSBuild.exe PID is 8160

The sample I have downloaded is obfuscated using Intellilock software.

To deobfuscate the code I have used pe-sieve tool. Its really easy and helpful. To perform this, we need to run executable file and run >pe-sieve /pid <pid> command like below.

deobfuscate file using pe-sieve command.

This will create the folder name PID and will copy the exe file.

400000.MSBuild.exe is deobfuscated file.

I am using dnSpyEx for debugging the executable file 400000.MSBuild.exe. The assembly name of this file is “Forgiving.exe”

Built in configuration

After deobfuscation of code, below are all the modules used in code.

IP address in config file is C2 server IP. Key is used for decoding the data. This is has been initialised in class Arguments. Its in Base64 format.

Built in configuration

While debugging executable, can see the IP address of C2 server is 185.215.113.25 and port 13686

The IP address lookup shows it is from Baie Lazare, Seychelles.

RedLine stealer check regions it is executing in, if the victim is located in one of Commonwealth of Independent States, it exits execution.

Once confirmed the victim is located our of CIS country, its starts collecting all different kind data from victims machine and send to C2 server.

Browser data

It looks for different browsers whether installed on machine and starts collecting browser login data, cookies and browser history.

Browser List:

  • Google Chrome
  • Microsoft Edge
  • Opera
  • Maple Studio, Chrome Plus
  • Iridium
  • 7Star
  • CentBrowser
  • Chedot
  • Vivaldi
  • Kometa
  • Elements Browser
  • Epic Privacy Browser
  • Uran
  • Sleipnir
  • Citrio
  • Coowon
  • liebao
  • QIP Surf
  • Orbitum
  • Comodo
  • Amigo
  • Torch
  • Yandex
  • 360 Browser
  • Maxthon
  • k-melon
  • Sputnik
  • Nichrome
  • CocCoc
  • Chromodo
  • Atom
  • Brave browser
  • Ghost Browser
  • Baidu Browser
  • CryptoTab Browser
  • Lulumi Browser
  • Mozilla
  • QQBrowser
  • WaterFox
  • Ghostery Browser
  • Netscape
  • Flashpeak

Crypto Wallets

Stealer looks for different wallets installed on victims machine.

  • Armory
  • Atomic
  • Binance
  • Coinomi
  • Electrum
  • Etherium
  • Exodus
  • Garuda
  • com.liberty.jaxx
  • Monero

File Collector

It search for different files with extensions on Desktop, Documents folders and upload to C2.

File Types:

  • .txt
  • .doc
  • .key
  • seed
  • wallet

Screen Capture

RedLine stealer captures user screen resolution and takes screenshots and send to C2 server.

System Information

It also collects information from the compromised system.

  • Username
  • hostname
  • Input language and date time
  • Installed antivirus program
  • Running process
  • OS version
  • Monitor size

Download and Execute payload

Redline stealer has classes DownloadUpdate and DownloadAndExecuteUpdate. DownloadUpdate download data using webclient and DownloadAndExecuteUpdate download data using webclient and execute it.

Discord & Telegram

It looks for Discord data and telegram data on victims machine.

NordVPN OpenVPN and ProtonVPN

It looks for configuration files of all three VPN applications.

Filezilla FTP Application

Stealer look for sitemanager.xml file which stores username and password and recentservers.xml which stores information about which FTM servers you have connected to. If its available on victims machines, it will extract and send to C2.

Antivirus

Stealer collect the information about installed anti malware program installed on machine and send it to C2.

Redline stealer use http[:]//tempuri[.]org/Entity/Id[1-24] to communicate to C2 server. When access this URL in browser it redirects to bing.com

VirusTotal score for this RedLine stealer is 60/75

Indicators of Compromise

Hashes:

  • 12d8e993204cd8a39b7b5938ea6369eb
  • 11c350a41232b6adfe9634d8d9e2afacac1e5e06bd20ee1fbc480a3987b83ab03

IP Address:

  • 185.215.113.25
  • 23.45.12.19
  • 217.65.2.14

Protecting Against RedLine Stealer

Given the sophisticated nature of the RedLine Stealer, it’s essential to adopt robust security measures to protect yourself and your organization. Here are some key steps to consider:

Use Up-to-Date Security Software: Ensure that your antivirus and anti-malware software are regularly updated to detect and block the latest threats.

Be Cautious with Emails: Avoid opening attachments or clicking on links in emails from unknown or suspicious sources. Always verify the sender’s identity before taking any action.

Avoid Downloading Software from Untrusted Sources: Only download software from reputable websites or official app stores. Be cautious of freeware or shareware sites, which may bundle malicious software with legitimate applications.

Regularly Update Your Systems: Keep your operating system, software, and applications up to date with the latest security patches to close vulnerabilities that could be exploited by Trojans like RedLine.

Use Strong, Unique Passwords: Utilize strong, unique passwords for different accounts, and consider using a password manager to store them securely.

Enable Two-Factor Authentication (2FA): Wherever possible, enable 2FA for your online accounts to add an extra layer of security, even if your credentials are compromised.

References: