Downloading a pirated program from torrents led to the infection of hundreds of thousands of users

Introduction

In the quest for the right software, users often visit websites and torrent trackers that seem safe, download programs, install, and use them. But are these programs really safe? With pirated software, one can “catch” threats of any level: from miners to complex rootkits. The problem of spreading malware through pirated software is not new and has a global scale today. Let’s discuss it through the example of a specific attack investigation.

In August 2023, our SOC detected anomalous network activity using MaxPatrol SIEM. The incident response team (PT CSIRT) was involved. As a result of processing the incident, it was established that a user from company X was compromised by relatively simple but previously unknown malware. During the investigation, no traces of phishing, external perimeter hacking, or other techniques were found—the user had merely installed a program downloaded via torrent.

The malware behaved quite noisily: collecting information about the victim’s computer, installing RMS (remote management software) and the XMRig miner, archiving the contents of the user’s Telegram folder (tdata)—and these are just the most destructive actions. The malware sent the collected information to a Telegram bot, which acted as a control server.

As a result of a detailed study of the malware, the infection chain, and the Telegram bot, our team managed to identify a large number of victims worldwide and determine the likely author of the malware, which we named autoit stealer.

Victims

We recorded over 250,000 infected devices in 164 countries. The majority (over 200,000) are in Russia, Ukraine, Belarus, and Uzbekistan. The top 10 countries also include India, the Philippines, Brazil, Poland, and Germany.

Most victims are non-corporate users who download pirated software from websites to their home computers. However, among the victims, we found government agencies, educational institutions, oil and gas companies, medical institutions, construction and mining companies, retail, IT, and others. All identified companies received appropriate notifications.

Infection Chain

The malware reaches the user’s machine through a torrent client; the torrent file is downloaded from the site topsoft[.]space.

The site topsoft[.]space was re-registered in October 2022 with a Ukrainian registrar.

After downloading the torrent, the infected installer of the program that the user wanted to get ends up on the victim’s computer. In addition to the legitimate program, the installer contains a malicious component consisting of many separate programs, mostly compiled AutoIt scripts, additionally protected with the Themida packer. The implementation of the malware does not look complicated; it is made somewhat “by the book” and uses simple attack tactics. The infection chain performs the following actions (the most important points are accompanied by screenshots from MaxPatrol SIEM).

  1. Environment check. The malware terminates if any of the following conditions are true:
    • The username matches one of the following: Peter Wilson, Acme, BOBSPC, Johnson, John, John Doe, Rivest, mw, me, sys, Apiary, STRAZNJICA.GRUBUTT, Phil, Customer, shimamu.
    • The computer name matches one of the following: RALPHS-PC, ABC-WIN7, man-PC, luser-PC, Klone-PC, tpt-PC, BOBSPC, WillCarter-PC, PETER-PC, David-PC, ART-PC, TOM-PC.
    • Files with the following names are present on the current user’s desktop: secret.txt, report.odt, report.rtf, Incidents.pptx.
    • The current OS is Windows XP.
  2. System preparation: The malware disables the display of files with both “hidden” and “system” attributes (the ShowSuperHidden value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced is set to 0). Subsequently, all directories created by this script are assigned SuperHidden attributes (“hidden” + “system”). Created directories: C:\ProgramData\WindowsTask, C:\ProgramData\ReaItekHD, C:\ProgramData\ReaItekHD, C:\ProgramData\Setup.
  3. Persistence through Task Scheduler:
    • Task \Microsoft\Windows\WindowsBackup\BackUpFiles: runs the process C:\ProgramData\ReaItekHD\taskhost.exe every minute.
    • Task \Microsoft\Windows\WindowsBackup\CheckUP: runs the process C:\ProgramData\ReaItekHD\taskhostw.exe every two minutes.
    • Task \Microsoft\Windows\WindowsBackup\GlobalData: runs the process C:\Windows\SysWOW64\unsecapp.exe every minute.
    • Task \Microsoft\Windows\WindowsBackup\WinlogonCheck: runs the process C:\ProgramData\ReaItekHD\taskhost.exe at each user logon.
    • Task \Microsoft\Windows\WindowsBackup\OnlogonCheck: runs the process C:\ProgramData\ReaItekHD\taskhostw.exe at each user logon.

    This activity was detected by MaxPatrol SIEM using the Schtasks_Commandline rule, which detects suspicious work with scheduled tasks.

  4. Disabling AppLocker: PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\WindowsTask\new.xml"
  5. Installing the RMS client: C:\ProgramData\windows tasks service\winserv.exe.
  6. Persistence of the RMS client:
    • Task \Microsoft\Windows\Wininet\winser: runs the process C:\ProgramData\Windows Tasks Service\winserv.exe every minute.
    • Task \Microsoft\Windows\Wininet\winser: runs the process C:\ProgramData\Windows Tasks Service\winserv.exe at each system logon.
  7. Attempt to create a local user John and add him to the groups:
    • Administrators,
    • Remote Desktop Users,
    • Administrators,
    • Remote Desktop Users.

    The Add_new_user_in_commandline rule detected events of adding a new user and working with user groups through the command line interpreter, which triggered the alert.

  8. Setting access restrictions for the current user and the SYSTEM user to the following folders and files (likely to counteract endpoint protection tools):
    • C:\Program Files (x86)\Microsoft JDX
    • C:\Program Files\Common Files\System\iediagcmd.exe
    • C:\Windows\Fonts\Mysql
    • C:\Program Files\Internet Explorer\bin
    • C:\Program Files\ByteFence
    • C:\Program Files (x86)\360
    • C:\ProgramData\360safe
    • C:\Program Files (x86)\SpyHunter
    • C:\Users\[USERNAME]\Desktop\AV_block_remover
    • C:\Users\[USERNAME]\Downloads\AV_block_remover
    • C:\Program Files\HitmanPro
    • C:\Program Files\Malwarebytes
    • C:\Program Files\COMODO
    • C:\Program Files\Enigma Software Group
    • C:\Program Files\SpyHunter
    • C:\Program Files\AVAST Software
    • C:\Program Files (x86)\AVAST Software
    • C:\ProgramData\AVAST Software
    • C:\Program Files\AVG
    • C:\Program Files (x86)\AVG
    • C:\ProgramData\Norton
    • C:\ProgramData\Kaspersky Lab Setup Files
    • C:\ProgramData\Kaspersky Lab
    • C:\ProgramData\Kaspersky Lab Setup Files
    • C:\Program Files\Kaspersky Lab
    • C:\Program Files (x86)\Kaspersky Lab
    • C:\Program Files\DrWeb
    • C:\Program Files\Bitdefender Agent
    • C:\Program Files\Common Files\Doctor Web
    • C:\Program Files\Common Files\AV
    • C:\ProgramData\Doctor Web
    • C:\ProgramData\grizzly
    • C:\Program Files (x86)\Cezurity
    • C:\Program Files\Cezurity
    • C:\ProgramData\McAfee
    • C:\Program Files\Common Files\McAfee
    • C:\Program Files\Rainmeter
    • C:\Program Files\Loaris Trojan Remover
    • C:\ProgramData\Avira
    • C:\Program Files\Process Lasso
    • C:\Program Files (x86)\GRIZZLY Antivirus
    • C:\Program Files\ESET
    • C:\Program Files\Ravantivirus
    • C:\ProgramData\Evernote
    • C:\ProgramData\WavePad
    • C:\ProgramData\RobotDemo
    • C:\ProgramData\PuzzleMedia
    • C:\ProgramData\BookManager
    • C:\ProgramData\ESET
    • C:\ProgramData\FingerPrint
    • C:\Program Files (x86)\Panda Security
    • C:\Program Files (x86)\IObit\Advanced SystemCare
    • C:\Program Files (x86)\IObit\IObit Malware Fighter
    • C:\Program Files (x86)\Transmission

    The utility icacls.exe was used to work with user rights, so this activity was detected by the Permission_Groups_Discovery rule.

  9. Hiding the local user john from the welcome screen: the registry value john under software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist is set to 0, which is detected by the Hide_Account_from_Logon_Screen rule.
  10. Creating and running the file C:\ProgramData\rdpwinst.exe with the parameter -i (RDP Wrapper installer).
  11. Adding exceptions to Windows Defender.
    • Paths:
      • C:\ProgramData
      • C:\ProgramData\windows tasks service\winserv.exe
      • C:\ProgramData\reaitekhd\taskhost.exe
      • C:\ProgramData\windowstask\microsofthost.exe
      • C:\ProgramData\windowstask\appmodule.exe
      • C:\ProgramData\windowstask\audiodg.exe
      • C:\Windows\syswow64\unsecapp.exe
      • C:\ProgramData\windowstask\amd.exe
      • C:\Program Files\rdp wrapper
      • C:\Windows\system32
    • Processes:
      • C:\ProgramData\reaitekhd\taskhost.exe
      • C:\ProgramData\windows tasks service\winserv.exe
      • C:\Windows\syswow64\unsecapp.exe
      • C:\ProgramData\windowstask\microsofthost.exe
      • C:\ProgramData\windowstask\audiodg.exe
      • C:\ProgramData\windowstask\appmodule.exe
      • C:\ProgramData\windowstask\amd.exe
      • C:\Windows\syswow64\unsecapp.exe
      • C:\ProgramData\rdpwinst.exe
  12. Disabling Windows Defender components. This activity is accompanied by changes in the corresponding registry branches, triggering the Windows_Defender_Disable rule.
  13. Deleting services related to Malwarebytes antivirus software (mbamservice, bytefenceservice).
  14. Deleting the shadow copy service (swprv).
  15. Changing Windows Firewall rules.
    • Allowing incoming connections for processes:
      • C:\ProgramData\WindowsTask\AppModule.exe,
      • C:\ProgramData\WindowsTask\AMD.exe.
    • Blocking other incoming connections on ports 139, 445.
  16. Creating and executing the script C:\ProgramData\install\delete.bat to clean up traces.
  17. Archiving Telegram client data and sending it to the attackers’ Telegram bot. Files *.exe, *.bat, *.lnk and the directories dumps, emoji, tdummy, user_data are excluded from the final archive: 7z.exe a "C:\ProgramData\Setup\[USERNAME]_[COMPUTERNAME].7z" "C:\Users\[USERNAME]\AppData\Roaming\Telegram Desktop\tdata\*" -r -x!*. -x!*.exe -x!*.bat -x!*.lnk -x!dumps\* -x!emoji\* -x!tdummy\* -x!user_data\*

    For detecting such actions, MaxPatrol SIEM has the Data_Compression rule, which triggers when utilities for creating archives are used.

  18. Clearing the DNS cache: ipconfig /flushdns
  19. If the current operating system is Windows 7, the following actions are performed: a password-protected SFX archive (password naxui) scaner.dat is extracted from one of the stages and saved to the file C:\ProgramData\RunDLL\sc.exe. This archive contains the files Eternalblue-2.2.0.exe and Doublepulsar-1.3.1.exe, which implement the corresponding exploits. The script only extracts them without launching them. Then an unknown executable file, encrypted with the RC2 algorithm (key bc216a5ae848fab1d2dbd8e7b5a91142), is downloaded from the FTP server. It is saved to the file C:\ProgramData\RunDLL\scupdate.exe, which is subsequently launched. FTP access credentials: IP 193.32.188.10, login alex, password easypassword. The script also gets FTP access credentials from the URLs:
    • http://unsecapp.xyz/blue/Login.html,
    • http://unsecapp.xyz/blue/Password.html,
    • http://unsecapp.xyz/blue/Server.html.
  20. Installing the XMRig miner.
  21. In an infinite loop, the system clipboard is scanned, and strings that may represent
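As an added example (not code from the original article and not a MaxPatrol SIEM rule), the script below turns several of the steps listed above into command-line heuristics, runs them over constructed process-creation events, and flags a host once several distinct rules fire. The rule names, the three-rule threshold and the sample events are assumptions made for this illustration.

```python
import re

# Heuristics modelled on the behaviours in the chain above: scheduled tasks whose
# action lives under ProgramData, AppLocker policy replacement, adding a local
# admin, icacls denies against SYSTEM, hiding a logon account, Defender
# exclusions, 7z of the Telegram tdata folder, and deleting the swprv service.
# Rule names and sample events are constructed for this example, not SIEM data.
RULES = [
    ("schtasks_programdata",
     re.compile(r'schtasks(\.exe)?\s.*?/create\s.*?/tr\s+"?[a-z]:\\programdata\\', re.I)),
    ("applocker_policy_set", re.compile(r'set-applockerpolicy\s+-xmlpolicy', re.I)),
    ("local_admin_added",
     re.compile(r'net1?(\.exe)?\s+localgroup\s+"?(administrators|remote desktop users)"?\s.*?/add', re.I)),
    ("acl_deny_system", re.compile(r'icacls(\.exe)?\s.*?/deny\s+"?(nt authority\\)?system:', re.I)),
    ("hide_logon_account", re.compile(r'reg(\.exe)?\s+add\s.*?specialaccounts\\userlist', re.I)),
    ("defender_exclusion", re.compile(r'add-mppreference\s.*?-exclusion(path|process)', re.I)),
    ("telegram_tdata_archived", re.compile(r'7za?(\.exe)?\s+a\s.*?telegram desktop\\tdata', re.I)),
    ("shadow_copy_service_deleted", re.compile(r'\bsc(\.exe)?\s+delete\s+swprv\b', re.I)),
]

def classify(cmdline: str) -> list[str]:
    """Names of every rule a single process command line matches."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def triage(events: list[dict]) -> dict:
    """Per-host summary; a host becomes a suspect once three or more distinct
    rules fire, because the chain above trips many of them within minutes."""
    per_host: dict[str, set[str]] = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(classify(ev["cmdline"]))
    return {h: {"rules": sorted(r), "suspect": len(r) >= 3} for h, r in per_host.items()}

# Constructed process-creation events: WS01 mirrors steps 3, 4, 7, 8, 9, 11, 14
# and 17 of the chain; WS02 shows ordinary admin activity that must not fire.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": r'schtasks /create /tn "\Microsoft\Windows\WindowsBackup\BackUpFiles" /tr "C:\ProgramData\ReaItekHD\taskhost.exe" /sc minute /mo 1 /f'},
    {"host": "WS01", "cmdline": r'PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\WindowsTask\new.xml"'},
    {"host": "WS01", "cmdline": r'net localgroup Administrators John /add'},
    {"host": "WS01", "cmdline": r'icacls "C:\Program Files\Malwarebytes" /deny SYSTEM:(OI)(CI)F'},
    {"host": "WS01", "cmdline": r'reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v john /t REG_DWORD /d 0 /f'},
    {"host": "WS01", "cmdline": r'powershell Add-MpPreference -ExclusionPath "C:\ProgramData"'},
    {"host": "WS01", "cmdline": r'sc delete swprv'},
    {"host": "WS01", "cmdline": r'7z.exe a "C:\ProgramData\Setup\u_pc.7z" "C:\Users\u\AppData\Roaming\Telegram Desktop\tdata\*" -r -x!*.exe'},
    {"host": "WS02", "cmdline": r'schtasks /create /tn "\Backup\Nightly" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
    {"host": "WS02", "cmdline": r'ipconfig /flushdns'},
]

if __name__ == "__main__":
    for host, summary in triage(SAMPLE_EVENTS).items():
        print(host, summary)
```

Feeding it real Sysmon event 1 or Windows 4688 command lines instead of SAMPLE_EVENTS is the only change needed to run it over a host's telemetry.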