The title isn’t very good, I apologise, but I don’t have any catchy names that come to mind, and hey, it’s Sunday! I was looking through VirusTotal, sifting through the god-awful comments (yes, VirusTotal community, pull yourselves together with the comments; “#malware” doesn’t help anyone, at all), when I found this fairly interesting address. Seems like someone didn’t put an index page here, so the whole directory listing is exposed.
So I downloaded all of the files just to be sure. Half were AutoIt, the other half were C# (I’m not counting the .bat files, I mean come on). As we can see, some of these are only two days old, so it’s a fairly fresh setup. The main components of the malware are fairly well detected (34/56; could be better, I know), and the only really interesting pieces are the C# applications. The .bat files just change the file attributes (attrib) so that nobody notices what’s going on, and the AutoIt files are simply downloaders that pull instructions from the server. I’ve redacted information about where all of this traffic ends up, because I’m not sure the destination is the party responsible; judging by its debug information (thanks, PEStudio), I do think it’s a YouTube traffic service.
It imports a DLL to control the volume so that the user doesn’t notice the window. As the malware is going to be opening the page itself, it can just mute its own output and make sure the user doesn’t hear anything strange: Form1.WaveOutSetVolume(IntPtr.Zero, 0). WaveOutSetVolume is a P/Invoke declaration that imports winmm.dll with the entry point set to waveOutSetVolume; passing a zero device handle and a volume of 0 silences the wave output. It then wipes the Internet Explorer history, cookies and everything else a normal browsing session would hold by calling InetCpl.cpl’s ClearMyTracksProcess with argument 4351 (the value that clears everything, including data stored by add-ons). I’m guessing they want a clean slate each time so cached cookies don’t interfere with the views being counted. We then proceed to creating a WebClient.
The three links here make it really easy to work out what’s going on, and we’re about to look at a lot of links: one evidently returns a referrer, another a user agent, and the third the link the bot is to visit. Once all three have been fetched, the bot requests the page with that referrer and user agent set, so each hit looks like a fresh visitor arriving from somewhere else.
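To make that behaviour concrete from the target site’s side, here is an added example in Python (my own code, not the post’s and not the malware’s) that parses web-server log lines and flags clients that present a different User-Agent and referrer on nearly every hit while never fetching any page assets, which is exactly the traffic the three links above produce. The log lines, IP addresses, referrers and thresholds are all constructed for the example and would need tuning against real traffic.

```python
import re
from collections import defaultdict

# Constructed sample log lines in Apache/nginx "combined" format (made up for this
# example). The first client behaves like the bot described above: one page, a
# different referrer and User-Agent on every hit, no static assets fetched. The
# second looks like a real browser: a stable User-Agent, on-site referrers and
# asset loads.
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Dec/2015:14:01:02 +0000] "GET /watch?v=abc123 HTTP/1.1" 200 5120 "http://ref-one.example/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/46.0"
203.0.113.7 - - [10/Dec/2015:14:01:09 +0000] "GET /watch?v=abc123 HTTP/1.1" 200 5120 "http://ref-two.example/page" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) Safari/601.2"
203.0.113.7 - - [10/Dec/2015:14:01:15 +0000] "GET /watch?v=abc123 HTTP/1.1" 200 5120 "http://ref-three.example/" "Mozilla/5.0 (Windows NT 10.0) Firefox/42.0"
203.0.113.7 - - [10/Dec/2015:14:01:22 +0000] "GET /watch?v=abc123 HTTP/1.1" 200 5120 "http://ref-four.example/" "Mozilla/5.0 (X11; Linux x86_64) Chrome/45.0"
198.51.100.20 - - [10/Dec/2015:14:02:00 +0000] "GET /watch?v=abc123 HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (Windows NT 6.3) Chrome/46.0"
198.51.100.20 - - [10/Dec/2015:14:02:31 +0000] "GET /watch?v=xyz789 HTTP/1.1" 200 6010 "http://example.org/watch?v=abc123" "Mozilla/5.0 (Windows NT 6.3) Chrome/46.0"
198.51.100.20 - - [10/Dec/2015:14:03:04 +0000] "GET /static/app.js HTTP/1.1" 200 800 "http://example.org/watch?v=xyz789" "Mozilla/5.0 (Windows NT 6.3) Chrome/46.0"
'''

# Combined log format: ip ident user [time] "method path proto" status bytes "referrer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A real browser rendering a page fetches some of these; a WebClient.DownloadString loop does not.
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".gif", ".ico", ".woff")


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def profile_clients(lines):
    """Aggregate per-IP behaviour relevant to spotting UA/referrer rotation."""
    stats = defaultdict(lambda: {"hits": 0, "uas": set(), "referrers": set(), "assets": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than failing the whole run
        s = stats[rec["ip"]]
        s["hits"] += 1
        s["uas"].add(rec["ua"])
        s["referrers"].add(rec["referrer"])
        if rec["path"].split("?", 1)[0].lower().endswith(STATIC_EXT):
            s["assets"] += 1
    return dict(stats)


def flag_rotating_clients(lines, min_hits=3, ua_ratio=0.75):
    """Return IPs whose traffic looks like the fake-view bot: enough hits to judge,
    a (nearly) unique User-Agent per hit, and no supporting asset requests.
    A real browser keeps one User-Agent for its whole session, so a distinct-UA
    ratio near 1.0 is a strong signal. The thresholds are assumptions for the example."""
    flagged = []
    for ip, s in profile_clients(lines).items():
        if s["hits"] < min_hits:
            continue
        ratio = len(s["uas"]) / s["hits"]
        if ratio >= ua_ratio and s["assets"] == 0:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip in flag_rotating_clients(SAMPLE_LOG.splitlines()):
        print("suspected view bot:", ip)
```

The distinct-referrer set is kept in the profile as well: on the bot every referrer is an off-site URL handed out by the C2, while a real visitor’s referrers after the first hit are your own pages, so it is a natural second signal to add once you have seen what your legitimate traffic looks like.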
I didn’t really need to include this, but I thought I would, as I haven’t shown the server side of any of it. So that’s the basics of it; there’s another loop with a delay, but it’s nothing too amazing. The domain is registered at Namecheap, and whois shows it was registered in November, but nothing else. I did get lucky though: at one point it used a link shortener, bit.do, to forward some of the traffic, and if anyone doesn’t know, you can view the click statistics very easily with these sorts of services. I managed to grab an xls of the IPs that are infected (over 600 views on one link, not bad) and have put them on Pastebin, so you can go get them below. Most infections seem to be based in Turkey/Vietnam, which is usually poor-quality “World Mix” traffic.
View Infected list: here
View Referrers: here
SHA256: b5c17b763cc6b94d4fd52932a90bbac3ab4b87c976723f17cddb3f87efd46268
this guy is a legend