Wednesday, December 6, 2017

StorageCrypt ransomware, a coinminer and more

Lawrence over at Bleeping Computer posted an interesting blog yesterday:
StorageCrypt Ransomware Infecting NAS Devices Using SambaCry

In that blog, Lawrence pointed out quite some users had issues with a new ransomware, dubbed StorageCrypt, and possibly spread via a worm.

There is a Windows component and a Linux component. We'll briefly take a look at both, hopefully providing some additional insight and indicators.

Windows artifacts

美女与野兽.exe is the Windows component, and as pointed out by Lawrence, translates loosely to 'Beauty and the Beast'.

This executable is packed with ASPack, and appears to to display worm-like and backdoor behaviour, with the additional 'feature' of spreading itself via removable drives. After unpacking the sample, it reveals some interesting strings:

1.vbpSMSS.EXE Success.logyyyymmddmmssTxt Open ,Repair the application! is running, Repair the application from backup. is running, Repair the application from MySelf. running is running, update the application !Get V Data!Read Tname to memory.icoKill icoExtractIcons...Write to Tname...ip addr addedGetFolderFileDate...Replace all attrib.I m here!-->Insert Error : for .dll.dll  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonShellexplorer.exe UserinitHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunWindows9xPacksHKEY_CLASSES_ROOT\txtfile\shell\open\command NOTEPAD.EXE %1HKEY_HKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_CURRENT_CONFIGHKEY_DYN_DATAErrorC:\boot_net.datC:\dosnal.exeFind all exe file from Local host*.exeDownload files is accomplish!Run files of download is success![autorun]Download files1 is accomplish!Run files1 of download is success!This program cannot be run in DOS mode.This program must be run under Win32Autorun.infsuccess.txtcmd.exe /C net view command.exe /C net view  to find to Create file.exeopen=.exeGet Local host IP: Rnd IP:DiskC:\dntboot.binip packet too_bigip unload
Whatever was hosted at www.freewebs[.]com, cannot be retrieved as it no longer exists.

In any case, binaries similar as to this one, appear to have been floating the web for quite a while, as can be observed in this analysis result from 2013 by Team Cymru's TotalHash.

I've uploaded the unpacked sample on Hybrid Analysis.

Linux artifacts

The Linux component appears to exist out of a Samba vulnerability, dubbed SambaCry, and assigned CVE-2017-7494 from earlier this year.

There are several components, which are listed in the table below.

Filename Hash Purpose 6b5b4fce04f36101c04c0c5b3f7935ea Downloads ‘sambacry’ 053bb22c2cedf5aa5a089bfd2acd31f6 Downloads ‘sambacry’
sambacry ffe17e314f7b1306b8badec03c36ccb4 Fetch other payloads
httpd1 a5e8cb2e7b84081f5b1f2867f2d26e81 Miner config
minerd32 a016b34ade18626f91d14e46588d6483 Coinminer
watchcat32 ac9ad6bc8cd8118eaeb204c2ebf95441 Watchdog

The 'sambacry' binary will, after one of the .so files has downloaded it, download a set of other files from the C2 server, which is 45.76.102[.]45.

These files are to support the coin mining and, alongside installed, is also what appears to be a watchdog, which monitors the miner process. Additionally, it runs the following in a loop:

while true do  
 ps -ef|grep -E "wget|curl"|grep -v $$|grep -v|awk '{print $2}'|xargs kill -9 

Whoever's behind this campaign is using the email address madhatterss@protonmail[.]com, as defined in the miner configuration:

        "url" : "stratum+tcp://",
        "user" : "",
        "pass" : "x",
        "algo" : "cryptonight"

While analysing both Windows and Linux artifacts, I have not observed any ransomware behaviour, so likely the latter is installed manually later on by the attacker.

If you run a Samba server, patch immediately, as this vulnerability has already been reported in April.


Sunday, December 3, 2017

Notes on Linux/BillGates

In a previous blog post, I wrote some (extensive) notes on Linux/Xor.DDoS, also known as just Xor.DDoS, an interesting type of Linux malware.

You can find that particular blog below, in which I give some history, details, remediation and prevention in regards to the specific threat Xor.DDoS poses:
Notes on Linux/Xor.DDoS

This post will include some notes on Linux/BillGates, hereafter referred to as just 'BillGates', and rather than being very in-depth as the previous blog, I will mostly list high-level notes and remediation or disinfection steps. Additionally, after the conclusion, you will find other resources if necessary. In case of questions, comments or feedback, leave a comment or contact me on Twitter.

What is BillGates?

BillGates is malware designed primarily for Linux, and since it is a botnet, it is mostly used for DDoS purposes.

However, just as Xor.DDoS, it has limited rootkit and backdoor functionality and thus it's possible remote commands are executed as well as additional malware downloaded.

How can I identify BillGates artefacts?

Please find below a table with indicators.

Indicator Notes
/etc/rcX.d/97DbSecuritySpt Where X is a number, usually symlinks to /etc/init.d/DbSecuritySpt
/home/ll2 Identify all files with random names in /home/
/tmp/bill.lock Identify all .lock files in /tmp/
/tmp/bill.lod Contains Process ID (PID) of malware main module
(or gates.lock)
Contains PID of malware main module
(or moni.lock)
Contains PID of malware 'watchdog'
/usr/bin/*.lock Identify all .lock files in /tmp/
/usr/bin/bsd-port/getty/*.lock Identify all .lock files in /usr/bin/bsd-port/getty/
/usr/bin/pojie Identify all files with random names in /usr/bin/
/usr/lib/ Configuration file

How can I identify BillGates DDoS modules?

These modules are usually stored in /etc/, and will have the following names:

  • atddd 
  • cupsdd 
  • cupsddh 
  • ksapdd 
  • kysapdd 
  • sksapdd
  • skysapdd

It may however be useful to use the find command in conjunction with these names, in case they are residing in a different location than /etc/.

How can I identify other modifications BillGates made?

BillGates does create aliases and/or modifies/replaces files which are typically used to monitor processes or the network. The following may be replaced:

  • /bin/lsof
  • /bin/netstat
  • /bin/ps
  • /bin/ss
  • /usr/bin/lsof
  • /usr/bin/netstat
  • /usr/bin/ps
  • /usr/bin/ss
  • /usr/sbin/lsof
  • /usr/sbin/netstat
  • /usr/sbin/ps
  • /usr/sbin/ss

A copy of the legitimate files is normally stored in:

Additionally, check for any potentially created jobs by looking in:
/etc/cron.X where X is a name or folder, for example /etc/cron.daily.

You may also wish to look in:

Removal instructions

While the ps command may be replaced, top is not. Run the top command and verify any illegitimate processes, usually they will be randomly named. Alternatively, identify the *.lod and *.lock files, and use cat for example to read them, and identify the PID of the malware.

Then, use kill to end the malicious process(es), and remove the files or artefacts as indicated in the table above.

Afterwards, use mv to move the legitimate files back to their original location. You can also use a file manager to easily move them, if you have one.

You may also use an anti-virus to identify and remove any malicious files, for example ClamAV does a great job - BillGates is a rather older botnet by now and thus most antiviruses should have coverage for it. Don't forget to update the anti-virus' signatures first, if needed.

This same explanation but step-by-step to make it easy:

  • Identify malicious processes: use top or check the PID in BillGates' config files;
  • Kill malicious processes: use kill -9   to kill any of its processes;
  • Remove malicious files and folders, see the sections above;
  • Replace potentially hijacked files and restore them to their original location, see also above:
  • Identify any malicious tasks and delete them as indicated above;
  • Run top again to verify there are no malicious processes left;
  • Run an anti-virus or anti-malware as a secondary opinion;
  • Change your passwords, better be safe than sorry!


While Linux/BillGates may not be the biggest player on the market anymore, or even not as popular or common nowadays, the threat still exists, just like Xor.DDoS.

Practice proper security hygiene and take appropriate preventative measures.

In the resources section below, you may find additional useful links.


Saturday, November 4, 2017

CrunchyRoll hack delivers malware


There's a Reddit post today with a PSA (Public Service Announcement) about Crunchyroll, a website that offers anime streaming, being hacked:

PSA : Don't enter at the moment, it seems they've been hacked.

As mentioned before, Crunchyroll offers anime streaming, and in their own words:
Enjoy your favorite anime & manga at the speed of Japan

The German Crunchyroll team has additionally issued the following warning:

The official CrunchyRoll Twitter account has tweeted the following:

If you are only interested in how to remove this malware, scroll down to the disinfection/removal section, or click here.

Update:  CrunchyRoll has announced, after a few hours, that the issue is resolved:

However, I still advise you to scroll over to the disinfection or removal section. Any questions, feel free to leave a comment, or contact me on Twitter.


So, what happens when you visit the CrunchyRoll website? Curently, you get a message the website has encountered an error:

Figure 1 - CrunchyRoll error page

Earlier today, the CrunchyRoll website was showing the following:

Figure 2 - Likely hacked CrunchyRoll website (Image source)

While the CrunchyRoll team claims it was a DNS hijack, I have (so far) found no evidence as to the validity of this claim, and it rather appears someone was able to hack the website.

Either way, while this is bad, CrunchyRoll took swift action by taking down the website, and an investigation is under way.

What happens if you click the 'Download now' button? A new file, called CrunchyViewer.exe, will be downloaded from the following IP address:


This IP appears to have hosted fake antivirus software or similar in the past:

Figure 3 - Older resolutions (2010)

The newly download file is seemingly the legitimate CrunchyViewer or Crunchyroll, but, near the end of the file, there is a chunk of Base64 encoded data appended, as seen in Figure 4:

Figure 4 - base64 encoded data (click to enlarge)

Using a Base64 decoder, we get a new file, called svchost.exe. This binary will place a copy of itself in the current user's %appdata%\roaming folder, for example:


This file will periodically call to its C2, or command-and-control server, and wait for any commands:


Currently, it does not appear the C2 responds on that specific port (6969), however, it is online.

There are claims the malware will additionally install ransomware - I have not observed this behaviour, but it is definitely possible once the C2 sends back (any) commands. More likely, it is a form of keylogger - malware that can record anything you type, and send it back to the attacker.

Update: It appears however, thanks to ANY.RUN for the heads-up, (analysis here) that the malware actually downloads Meterpreter, which is a default Metasploit payload.

More information about Meterpreter can be found here, but basically, it can be viewed as a backdoor, as it allows the attacker to completely control your machine. However, it does appear the C2 server only downloaded Meterpreter for a limited amount of time - as port 6969 only responded within a specific time-frame.

Note that the disinfection or removal tips are still applicable in this case.

Svchost.exe will also create an autorun entry:

Figure 5 - newly created run key (click to enlarge)

This basically means the malware will start every time you (re)boot or restart the machine.

Just for fun, it appear that the miscreant's name, or the person responsible for creating the malware is named Ben, as appears from the debug paths:


Taiga is 'A lightweight anime tracker for Windows'. This does not mean they are involved, but rather that 'Ben' has decided to include Taiga in the package.

Update: the developer of Taiga has included a fix for 'CrunchyViewer':

Thus, if you now update or install the official Taiga application, it will prompt you if the malware is found, and is able to remove it.


Disinfection is rather straightforward:

  • Remove the malicious "Java" Run key, by opening Regedit, and browsing to:
  • Delete the 'Java' key;
  • Reboot your machine;
  • Remove the malicious binary, by navigating to:
    %appdata%\Roaming (for exampleC:\Users\Yourusername\AppData\Roaming\)
  • Delete the 'svchost.exe' file.
  • Perform a scan with your installed antivirus product;
  • Perform a scan with an online antivirus, which is different from the one you have. Alternatively, perform a scan with Malwarebytes.
  • Change all your passwords if possible. Better be safe than sorry.


Prevention  advise in general, which also pertains to CrunchyRoll's compromise:

  • Install an antivirus;
  • Keep your browser up-to-date;
  • Install NoScript if you have Firefox;
  • Install a 'well-rounded' ad-blocker, for example uBlock Origin (works with most browsers);
  • If a website you visit frequently suddenly looks completely different, or urges you to download whatever, be safe rather than sorry, and leave the website.
  • Additionally, try to Google or use social media to verify if anyone else is experiencing the same issue.
In this particular case or incident, you may also want to block the two IP addresses as described in this blog post, by adding them in your firewall.


This hack shows that any website or organisation is, in theory, vulnerable to someone hijacking the website, and consequently download and install malware on a user's machine.

While it is uncertain what exactly happened, CrunchyRoll took correct action by taking the website down not too long after. At this point, it is best to monitor their Twitter account, and/or wait for an official statement.

If you have not executed the file, you should be safe. Simply delete the downloaded file.

Note that I can't speak for any second-stage payload that may have been downloaded in the early stage of the attack - however; when I investigated shortly after, I didn't observe any secondary malware.

Update: the second-stage payload was the default Meterpreter by Metasploit. Updated analysis above. This does not affect or change the disinfection or removal steps.

Follow the prevention tips above to stay secure. Any questions or feedback? Feel free to leave a comment, or reach out to me on Twitter.


Wednesday, October 25, 2017

Comparing EternalPetya and BadRabbit

I've created a table comparing the EternalPetya (ExPetr, NotPetya, etc.) outbreak from June, and the BadRabbit ransomware outbreak from yesterday (2017-10-24).

I have decided to not include WannaCry (WanaCrypt0r), as they are not related, while EternalPetya and BadRabbit do seem very closely related, or even developed by (a part of) the same people.

Use freely, as long as you include a link to the original source, which is this blog post.

Comparison table (click to enlarge)

Download the table / comparison sheet

Additionally, you may find this image as a handy spreadsheet (which you can also download in several formats) on Google Docs here:

Note: this table or sheet will be updated continuously.

Purpose of BadRabbit?

Again, this makes you wonder about the actual purpose of ransomware, which you can read more about here: The purpose of ransomware

For BadRabbit in particular, it may be deployed as a cover-up or smokescreen, or for both disruption and extortion.


As for any prevention advise, have a look at the following page I've set up:
Ransomware prevention

Disinfection and decryption

Unfortunately, decryption is likely not possible without the cybercriminal's private key.

You may be able to restore the MBR, or your files, if you catch the ransomware in the act, and shutdown the machine at that point. Reboot in safe mode and copy over or back-up your files.

Then, Restore the MBR, and reinstall Windows.

You may also try to restore the MBR first, and consequently attempt to restore files using Shadow Volume Copies. For example, a tool such as Shadow Explorer can be of assistance, or read the tutorial here.

If that doesn't work either, you may try using a data recovery program such as PhotoRec or Recuva

Any questions, comments or feedback, please do let me know in the comments section below, or send me a message on Twitter. See also my About me page for other contact details.

Saturday, October 14, 2017

Notes on Sage 2.2 ransomware version

Sage, also known as SageCrypt, is an interesting ransomware variant - emerged somewhere in December last year, and is believed to be a variant of the CryLocker ransomware.

There's a good blog post on BleepingComputer on the first version of Sage, id est "Sage 2".

Yesterday, a personal friend of mine reached out, as his "computer started talking" and his files appeared to be encrypted. And indeed, it appears he suffered the latest variant of Sage: Sage 2.2

Sage 2.2 appears to have been out for a while, at least since February of this year:

Some figures of Sage 2.2 follow below:

Figure 1 - Sage 2.2 desktop background

Figure 2 - Sage 2.2 file recovery instructions

The message reads:

You probably noticed that you can not open your files and that some software stopped working correctly.
This is expected. Your files content is still there, but it was encrypted by "SAGE 2.2 Ransomware".
Your files are not lost, it is possible to revert them back to normal state by decrypting.
The only way you can do that is by getting "SAGE Decrypter" software and your personal decryption key.

Typical features of Sage 2.2, include, but are not limited to:

  • Refresh or update of payment pages is possible;
  • Ransom note (!HELP_SOS) and portal, including CAPTCHA;

It speaks! Just like Cerber did at some point, Sage 2.2 has a message for the victim using Microsoft SAPI:

Figure 3 - VBscript which will speak to the victim (click to enlarge)

Interestingly enough, even though the version number still indicates 2.2, there's at least one slight change:
  • Deletion or purge of backup catalog/history by using:
    wbadmin delete catalog -quiet

The portal or decryption pages look as follows, stepping through:

Figure 4 - Sage 2.2 user login portal

Figure 5 - Captcha

Figure 6 - Language selection

Figure 7 - Final portal

The victim can choose from a multitude of languages, and, at the final portal, there is a special price for the decryption, for a selected time (7 days): currently 0.17720 BTC, which is about $1000.

As usual, there's a Payment, Test decryption, Instructions, and even a Support tab:

Figure 8 - Payment tab
Figure 9 - Test Decryption tab

Figure 10 - Instructions tab

Figure 11 - Support requests tab

Sage 2.2 will append the .sage extension to encrypted files and currently, it does not appear files can be decrypted without the cybercriminal's help.

As always, try to restore from a backup if possible, and avoid paying the ransom.

Additionally, have a look at my ransomware prevention page, on how to protect yourself.


Thursday, October 12, 2017

Rick and Morty episode? Nope, another CoinMiner

Last week I got an email from someone requesting help in regards to a possible malware infection: that person downloaded a torrent, and believed it was a legitimate episode of Rick and Morty, an animated series.

A file called Rick.and.Morty.S03E10.HDTV.x264-BATV.MKV.exe (116 MB in filesize) is of our interest and, what you'll notice first is of course the file extension - it's an executable Riiiiiiiiiiiick!

In fact, this file is a self-extracting and password-protected archive which contains two other files:

Figure 1 - two new files in the archive

One file is indeed a legitimate video file, which features the following:

Figure 2 - clip

This short clip has nothing to do with Rick and Morty, but seems to be a promo clip for a new series, called '1922'.

Inside the other file however, another executable, is another self-extracting and password-protected archive, sometimes referred to as 'SFX' with inside ... More archives.

In short, what you actually end up with is a cryptominer or coinminer. In Figure 3 below, you can spot both the passwords used for the archives, as well as the mining pool of interest:

Figure 3 - Passwords, and cryptominer pool (click to enlarge)

The line of interest is as follows, in where the IP points to a US server:

START "{1}" /B /WAIT /LOW "%ALLUSERSPROFILE%\{1}\{1}.exe" -o -u off.x -p off.x -k --nicehash -o -u off.y -p off.y -k -v 0 --donate-level 1 -B

Basically, this is yet another cryptominer or coinminer. This one is rather interesting, for several reasons. If you'd like to know more, feel free to have a play around with the files, they are included as IOCs at the end of this post.


If you've been hit by this, then...:

  • Navigate to C:\ProgramData or %ALLUSERSPROFILE%
  • Search for a folder with random names. If you don't see any, you may want to follow the instructions here. Delete said folder, if possible. If not possible:
  • Open Task Manager, and search for any process with a random name. End the process and repeat step 1 to 2.
  • Perform a scan with your installed antivirus product.
  • Perform a scan with an online antivirus, which is different from the one you have. Alternatively, perform a scan with Malwarebytes.
You may also leave a comment should any difficulties arise.


  • Install an antivirus (free or not).
  • Enable showing file extensions. This is hidden by default by Windows, and will enable you to see if that 'video' is indeed a video, or not. Guide here.
  • Do not download any torrents or at least try to avoid those that are either suspicious-looking, or too good to be true.


Coinminers have been on the rise for a while now, and illegitimately use a person's machine for mining, which may additionally lead to an increased (and undesired) CPU usage.

While coinminers for now are relatively less dangerous than what's usually out there, for example banking trojans, it should not be underestimated - and the sample analysed in this post proves the point, as it employed some rather unique, or at least varied, techniques.

It is likely safe to assume that not only the malicious use of coinminers will increase, but also that other malware may jump aboard - attempting to maximize profits (or vice versa, a coinminer with added persistence or other malware on board). The latter has already been observed, for example, in AdylKuzz.


Thursday, September 21, 2017

Malicious ad/click networks: common or forgotten threat?


Malicious ad/click networks and ad fraud are not entirely a new phenomenon, but it is important to realize the kind of threat it may pose. Is it a common, or forgotten threat? Maybe both.

In this blog post, we'll take a look at how a seemingly innocuous click network and advertiser, is actually showing some rather malicious behavior.

The beginning

It all starts with the following redirect:

Figure 1 - .js download

A 'critical Firefox update' needs to be downloaded and run, with the resulting file having multiple layers of obfuscation. After deobfuscating 2 layers, we get the following:

Figure 2 - malicious script

The script will attempt to download an .flv file from ohchivsevmeste5[.]com, with additional parameters. While I was unable to reproduce what happened afterwards at time of writing, it would likely fetch another heavily obfuscated JavaScript, for clickjacking purposes (and this behaviour can also be deduced from Figure 1, as it persists in the browser).

Clickjacking is not an uncommon phenomenon unfortunately, and is described by Wikipedia as:

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
Basically, what you see is not what you get. In this case, a Firefox update is anything but said update.

The persona

The domain mentioned in figure 2 is hosted on 192.129.215[.]157, which has a ton of other domains, with most of them appearing random. One of these domains is aiwohblackhatx[.]org, which is registered to a person with email address of abdelrahman.a.y.127@gmail[.]com.

This email address is linked to a Facebook page, mltaqaalwza2f2, which claims to be a jobseeker website:

Advertisements for newspapers, newspapers and websites The largest site jobs on Facebook for Jordanians only

Until recently, that page listed a contact email address as ADMIN@ULTIMATECLIXX[.]COM. This has now been changed, and unfortunately I was unable to take a screen capture at that time.

Ultimateclixx sports a flashing website, promising instant payment:

Figure 3 - Ultimateclixx website (at time of writing)

Passive DNS data reveals that the email address mentioned above, has links to other domains, and in particular to a person or persona called 'Mohammed Farajalla'. This persona has multiple email addresses set up, all pointing to click networks:

Figure 4 - Persona (click to enhance)

This initially lead me to believe that Abdelrahman and Mohammed are the same person, and is simply an alias. However, WhoIs data from another domain, aifomtomyam69[.]org, reveals a person named 'Abdelrahman Farajallah' as domain owner.


Figure 5 - Ultimateclix admin forum post (click to enhance)

Brothers or not, it seems that Mohammed is the 'public face' of the company, and Abdelrahman works in the background, registering domains. A well-oiled business scheme, apparently.

In Figure 5 above, you can see a specific post from 'mhmadfarajalla', hereafter referred to as Mohammed, explaining how he joined Goldenclixx from 2013 onwards, and made quite some investments. This reply was motivated by a user questioning their legitimacy:

Figure 6 - concerns in regards to the Ultimateclixx admin (click to enhance)

This was posted in 2015 on the eMoneySpace forum, which is a website created to 'promote or talk about internet money related subjects'. Basically, how to earn money online using ads, which is completely legal.

Link to topic can be found here:

I've also set up a mirror here:

It appears Abdelrahman and Mohammed have been involved in this scheme for a prolonged period of time. While they may have initially started their project or business as a legitimate way to make money, this has definitely shifted. They are likely located in Palestine. (see also his/their Twitter account, and make your own deductions.)

The infrastructure

Earlier, I mentioned that domains involved seemed random. Have a look at these domains:


Notice anything particular? If not, what about the following domains? (includes our initial example)


To clarify, the 2 first characters are the same for a whole set of domains, while the rest does appear to be (at least semi-)random. Just as a visual aid, here are a few other domains:



You may have noticed vahfebankofamerica[.]net in there, it is relatively newly registered (2017-09-12), by a 'Megan Quinn', with email address of qum65@binkmail[.]com. I doubt an actual Ms. Quinn would use this email address. It may try to convince users of its legitimacy, alluding it is part of Bank of America's website. However, nothing could be further from the truth.

Interestingly enough, the domain has hosted a JavaScript at least once, with a familiar pattern:

No doubt this website would also prompt you to download a 'critical security update'. Do I hear redirects mixed with ad or click-fraud and clickjacking? Who doesn't love the smell of that in the morning?

You would not have guessed, but a lot of email addresses seem randomly generated, as well as their personas. Another example includes:

Figure 7 - ohchivsevmeste5[.]com WhoIs info

Everything in the WhoIs info is fake. Not to say an Allan Yates doesn't exist, but he has nothing to do with any of this - rather he was just unlucky. This may have been the result of a 'fake name generator'.

We now have several IP's hosting a bunch of semi-random domains, set up for redirects, ads and likely clickjacking. The initial research started with 192.129.215[.]157, and expanded to/had links to 192.129.215[.]155.

Of course, I decided to take a look at 192.129.215[.]156. Surprise! It turns out it's just as bad. Maybe we should just block the whole subnet?

Some more takeaways from the infrastructure - most of the domains are or have:

  • WhoIs Guard Privacy Protection/Privacy Protect:DomainsByProxy;
  • Behind CloudFlare;
  • A valid SSL cert, issued by Comodo.

What else is there?

Earlier, Mohammed boasted in his forum post about, one of his new websites, and absolutely 'no ponzi scheme strategy'.

Some of the related websites provided by Mohammed are:

Figure 8 - adzbazar[.]com

Figure 9 - clikerz[.]net

I think you can start seeing a pattern here.

Circling back, with our email address abdelrahman.a.y.127@gmail[.]com, I noticed another registered domain, adz2you[.]com. You could zay zomeone likez the letter Z. Either way, using PassiveTotal's host pair functionality, we can find a hostpair with gptplanet. Gptplanet claims to:

Earn money by completing simple tasks online. Everyone can join, it’s absolutely FREE!
As far as I could see, this claim is indeed legit. As far as Mohammed and all his domains go: it didn't take me too long to dig up a forum post with an on-the-point title:

Link to topic can be found here:

I've also set up a mirror here:

The topic on gptplanet also references to eMoneySpace, a forum mentioned earlier, and specifically, several topics are set up about 'referral' websites our dear friend Mohammed has set up.

One user made an excellent remark:

It comes to my realize for a whole year now, is that some people are implementing some malicious scripts onto their advertised ad for a user to click on it.

Nail, head, hitting it. It seems that Mohammed isn't done yet however with both scamming people, and infecting users:

Figure 10 - Offers4all invitation

There is also mention of another person, 'Agony'. This nickname may refer to Abdelrahman.


Prevention in this case is rather short, so here goes:

  • Install an antivirus;
  • Keep your browser up-to-date;
  • Install NoScript if you have Firefox;
  • Install a 'well-rounded' ad-blocker, for example uBlock Origin (works with most browsers).

And, where possible, browse the internet with caution.

Note that the campaign on 192.129.215[.]157 remains highly active, and as such, it is recommended to block or blacklist it, as well as the other domains and IPs, provided at the end of this blog post.


When you get a prompt for download or running a 'Firefox patch' similar to above, or any other pop-ups for that matter - where you not instantiated a download yourself - cancel the download or, if not possible, kill your browser's process. This can be done via Task Manager for example.

While I haven't seen any evidence of other malicious behaviour besides ad, click-fraud and clickjacking, it is recommended to:

  • Uninstall and reinstall your current browser, along with its extensions;
  • Perform a full scan with your installed antivirus product;
  • Perform a full scan with another, online, antivirus product, or with Malwarebytes;
  • Change your passwords.

Additionally, you may check in your firewall or proxy logs, if there was any connection at some point with any of the domains or IPs provided in the Indicators OCompromise section below.


Ad fraud, clickjacking, ad networks, .... There are tons of similar networks out there. While ad networks are usually not malicious, other possibilities exist , such as:

  • An ad network is compromised;
  • An ad is compromised;
  • The ad network is malicious in itself.

Probably, at some point, there should be better security controls for ad networks, in order to prevent an attack or campaign such as the one described in this blog post. Proper security hygiene is necessary for the ad networks, but just as well for any website that serves up ads.

Clickjacking and click-fraud is a common and a very real threat. Are you watching your logs, and acting on them?


Thursday, August 24, 2017

Crystal Finance Millennium used to spread malware

Earlier today, Costin from Kaspersky tweeded the following intriguing tweet:

After some hunting, it was revealed the Crystal Finance Millennium website was indeed hacked, and serving three different flavors of malware. In this short blog post, we'll take a look at the malware variants that were distributed, and provide minimal background.


Crystal Finance Millennium' website is currently taken offline by the hosting provider, but archives of the website exist online.

Figure 1 - "At this moment the site is blocked by the hosting administrator"

From the archived webpage, it becomes apparent they provide accounting software, peronalisation of medical records, blood service and "full automation of the doctor's office" - contrary to what their company name suggests, it appears they are (mostly) focused on medical software.

Figure 2 - archived webpage of CFM's services

Moving on to the malware present on their website:

Smoke Loader

Smoke Loader, also known as Dofoil, Sharik or just 'Smoke', is a botnet with the main purpose of downloading other malware - a downloader. 

Smoke Loader was originally downloaded from:

Additionally, it was also mirrored at:

Smoke Loader drops itself in a random directory inside the user's %appdata% folder, for example:

Additionally, it performs an HTTP POST request to the following domains:

SmokeLoader has a debug path which is likely fake, or automatically generated:

We won't go any further into Smoke Loader here, but there's an excellent blog post by @hasherazade over at Malwarebytes here:
Smoke Loader – downloader with a smokescreen still alive


Chthonic is a banking trojan and derivative of Zeus, well-known banking malware. Zeus, also known as Zbot, was leaked several years ago and has since then spawned multiple new, and often improved, banking trojans.

Chthonic uses a custom encryptor and, as a result, its payload hash will differ every time.

It was observed as a dropper from the following websites:


Additionally, it drops its payload into the user's %appdata% folder; for example:

While Smoke Loader employs totally random filenames, Chthonic tries to hide by looking like a legitimate program.

It performs an HTTP POST request to the following domain:

Interestingly enough, Chthonic was spotted in June targeting a government institution in Ukraine:
Chthonic Trojan is back in nation-state cyberattack against Ukraine

Whoever's behind this Chthonic campaign however, has a sense of humour by sporting the following debug path: C:\postmaster\merge\Peasants\Billy.pdb

Chthonic will also create a simple batch file which goes through a loop and will delete the dropper and the batch file once it has installed the payload.


PSCrypt, which is based on GlobeImposter, another ransomware variant, has been hitting Ukraine in the past:

Interestingly enough, the same PSCrypt campaign was spotted earlier this month by @malwarehunterteam:

This tweet suggests the attacks started as early as the 14th of August.

PSCrypt was originally downloaded from:

PSCrypt will encrypt files and append an extension of .pscrypt - in order to restore your files, which asks for 3500 Hryvnia (~ EUR 115):

Figure 3 - PSCrypt ransom message
PSCrypt provides a fully detailed ransom message on how to send bitcoins to the cybercriminal, as well as a personal ID ("Ваш личный идентификатор"). The ransom note appears to have several spelling mistakes, and may not be original Ukrainian language.

Additionally, PSCrypt will remove RDP related files and registry keys, likely to prevent an administrator to clean an infected machine remotely. It will also clear all event logs using wevtutil:

Figure 4 - Batch file which goes through commands in sequential order

Whoever's behind this PSCrypt campaign also shows sign of humour, indicating an address in the US, pointing to a company called "Unlock files LLC". Such company does not exist:

Figure 5 - Unlock files LLC address

Figure 6 - Companies at the same address

Unfortunately, the Bitcoin address shows a history of already paid ransoms, dating back to the 15th of August: 1Gb4Pk85VKYngfDPy3X2tjYfzvU62oL

At time of writing, a total of 0.0924071 has been received, which is around EUR 328.

Since the first payment was on the 15th of August, this supports the theory of CFM's website being compromised at least before or on the 15th, quite possibly the 14th.

The general recommendation is to NOT pay, but rather restore files from a backup.


While Crystal Finance Millenium's website was hacked, it's possible its software was not affected. In the mean time, I'd advise to not upgrade or update any software belonging to the company, but rather wait for an official statement from their side.

The hacking of a company or personal website can always happen, and as such, it is important to act fast once it's happened - the (hosting) company did the right thing to take the website offline while things are being fixed in the background.

The bigger question here is if it may be a targeted attack - recently, Ukraine has been targeted heavily by not only EternalPetya (also known as NotPetya), but also by Xdata and PSCrypt. Additionally, seemingly targeted attacks had Chthonic as payload, and, as reported in this blog post, another software company in Ukraine has been compromised.

As usual, best is to wait until further data is available before making any judgments.

Prevention advise for ransomware can be found on my dedicated page about ranomware prevention:

And, as always, indicators of compromise (IOCs) can be found below, as well as additional resources.



New Cyberattack wave is launched using officialweb site of the accounting software developer«Crystal Finance Millennium» (PDF)
“Crystal Attack” analysis – behavior analysis of the “load.exe” sample (PDF)