Iron cybercrime group uses a new Backdoor based on HackingTeam’s RCS surveillance sw

Security experts at security firm Intezer have recently discovered backdoor, associated with the operation of the Iron cybercrime group, that is based on the leaked source code of Remote Control System (RCS).

The Remote Control System (RCS) is the surveillance software developed by the HackingTeam, it was considered a powerful malware that is able to infect also mobile devices for covert surveillance. RCS is able to intercept encrypted communication, including emails and VOIP voice calls (e.g. Skype), the mobile version, available for all the OSs (Apple, Android, Symbian, and Blackberry), is also able to completely control the handset and its components, including the camera, the microphone and GPS module.

The Iron cybercrime group has been active since at least 2016, is known for the Iron ransomware but across the years it is built various strain of malware, including backdoors, cryptocurrency miners, and ransomware to target both mobile and desktop systems.

“In April 2018, while monitoring public data feeds, we noticed an interesting and previously unknown backdoor using HackingTeam’s leaked RCS source code.” states the report published by Intezer. 

“We discovered that this backdoor was developed by the Iron cybercrime group, the same group behind the Iron ransomware (rip-off Maktub ransomware recently discovered by Bart Parys), which we believe has been active for the past 18 months.”

Thousands of victims have been infected by malware used by the crime gang.

The new backdoor analyzed by the experts uses an installer protected with VMProtect and compressed using UPX, the malicious code is able to determine if it is running in a virtual machine.

The malware first drops and installs a malicious Chrome extension, creates a scheduled task, creates a mutex to ensure only one instance of itself is running, drops the backdoor dll to %localappdata%\Temp\\<random>.dat, then checks OS version to determine the backdoor to launch.

The malware halts its execution if detect the presence of Qhioo360 products. It also installs a malicious certificate to sign the backdoor binary as root CA, then creates a service pointing back to the backdoor.

The analysis of the backdoor revealed it uses two main functions in their IronStealer and Iron ransomware families, the VM detection code that was borrowed from the HackingTeam’s “Soldier” implant and the DynamicCall module from HackingTeam’s “core” library.

The malware used a patched version of the popular Adblock Plus chrome extension to inject both the in-browser crypto-mining module (based on CryptoNoter) and the in-browser payment hijacking module.

The extension constantly runs in the background, as a stealth host based crypto-miner. Every minute, the malware checks if Chrome is running, and can silently launch it if it doesn’t.

“The malicious extension is not only loaded once the user opens the browser, but also constantly runs in the background, acting as a stealth host based crypto-miner. The malware sets up a scheduled task that checks if chrome is already running, every minute, if it isn’t, it will “silent-launch” it” continues the analysis.

The backdoor also includes Adblock Plus for IE that is capable of injecting remote JavaScript, a functionality, however, is no longer automatically used.

The malware automatically decrypts a hard coded shellcode that loads Cobalt Strike beacon in-memory, and fetches a payload URL from a hardcoded Pastebin address.

The malicious code is able to drop two malware. a variant of “JbossMiner Mining Worm” tracked as Xagent and the Iron ransomware.

The group used the malware to stealing cryptocurrency from the victim’s workstation, the Iron backdoor drops the latest voidtool Everything search utility and silently installs it to use it for finding files likely containing cryptocurrency wallets.

“IronStealer constantly monitors the user’s clipboard for Bitcoin, Monero & Ethereum wallet address regex patterns. Once matched, it will automatically replace it with the attacker’s wallet address so the victim would unknowingly transfer money to the attacker’s account,” explained the experts.

Further details, including the IoCs are reported in the blog post published by the researchers.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Hacking Team, Surveillance)

[adrotate banner=”5″]

[adrotate banner=”13″]