Let me start with the TL;DR: there's an adware network that's been running since at least 2015, and it is still active today. I start pulling on the thread by analyzing an infected file from 2018.

Every now and then I stumble upon some old piece of malware, which has tagged along for years without anyone really caring, especially if it no longer works.

This downloader has proliferated on torrent sites for years, especially in keygens which traditionally have a high false positive rate. Needless to say, AV vendors tend to not care about false positives in warez.

The sample I'm analyzing is a keygen for some software - SHA256: f9dcc16f68be2a69df7bcbab6be54a87daaafa1f2b49ca3557da732abb12b8f8. Here is the VirusTotal report.

Digging in

A quick glance at the binary shows that it's based on NSIS. Using a special build of 7zip you can decompile the NSIS script, to try to find out what it's doing.

7zip can also extract files from an NSIS installer, which means we get to see what's inside - it's incredibly bare, with three files inside $PLUGINSDIR. Two DLLs,

  • nsisdl.dll (A1E09FB1739EF7557D18104B0D6A4C7725E1EC293F5404C80402F57FF9EBB9D0)
  • System.dll (A0CAC4CF4852895619BC7743EBEB89F9E4927CCDB9E66B1BCD92A4136D0F9C77)

are genuine DLLs from NSIS 3.03. There is a file named "B" in this directory as well, helpfully carrying a modification date showing when infection occurred. 2018-10-07, in my sample.

The NSIS script is relatively simple, with some obfuscation we can basically ignore as it's only for decoding the information retrieved from the Command and Control servers, which are long down. The flow is basically as follows:

  1. The script uses nsisdl to attempt to download a payload descriptor to $PLUGINSDIR\<10 random characters>, first from http://strong.girlsmist.online/lvx7.php?p=sevenzip&tid=...&pid=...&n=...&b_typ=pe and then from http://pepper.cobwebdesign.host/lvx7.php?p=sevenzip&tid=...&pid=...&n=...&b_typ=pe. There's a timeout of 5 seconds on each, and the installer gracefully continues if both fail.
  2. The payload descriptor is decoded in that obfuscated snippet of code to a URL for the payload, and a flag for how to handle the payload.
  3. Depending on the flag, it performs the following:
    • If the flag is boot, the URL is downloaded to $TEMP/<10 random characters>.exe and a "Windows Refresh" key is placed in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, pointing to the exe. This will make the payload run on boot. After this the "B" file is renamed to "setup.exe" and executed.
    • If the flag is first, the URL is downloaded to $PLUGINSDIR\<10 random characters>, and executed. After this the "B" file is renamed to "setup.exe" and executed.
    • If the flag is only, the URL is downloaded to $PLUGINSDIR\<10 random characters>, and executed. The "B" file is never executed.
    • If the flag is last, the URL is downloaded to $PLUGINSDIR\<10 random characters>, the "B" file is renamed to "setup.exe" and executed, and then, finally, the earlier downloaded payload is executed.

Helpfully, my sample contained another sample. No clue why - could be to double dip on payments for dropping malware/adware, or a genuine mistake. This was great for figuring out what's random and what's constant, however.

Indicators

There's a very obvious indicator of compromise - binaries named <10 random characters>.exe running under %TEMP% - so I'll focus on identifying infected files instead, and specifically this strain of this family. These are all byte sequences or strings found in the infected binary on disk.

  1. 03 9A 80 5C 42 2D 3E 03 9A 80 5C 73 65 74 75 70 2E 65 78 65 ("$PLUGINSDIR\B -> $PLUGINSDIR\setup.exe" rename string in NSIS script)

  2. 53 4F 46 54 57 41 52 45 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 52 75 6E 4F 6E 63 65 00 57 69 6E 64 6F 77 73 20 52 65 66 72 65 73 68 00 (SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce and "Windows Refresh" next to each other in the NSIS script string table)

  3. 03 99 80 5C ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 2E 65 78 65 00 and 03 9A 80 5C ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 2E 65 78 65 00 ($TEMP\??????????.exe and $PLUGINSDIR\??????????.exe in NSIS script string table - the unknown bytes are the same in both entries)

  4. 03 9A 80 5C ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ($PLUGINSDIR\?????????? in NSIS script string table - unknown bytes are different from the ones that would be used above)

  5. http://strong.girlsmist.online/lvx7.php?p=sevenzip (C2 server 1)

  6. http://pepper.cobwebdesign.host/lvx7.php?p=sevenzip (C2 server 2)

  7. .php?p=sevenzip&tid= or .php?p=sevenzip&pid= (Generic detection of all strains I've found so far)

Unwrapping an infected file

It's relatively trivial to recover the original file that's been infected - just open the infected file with 7zip, and extract $PLUGINSDIR\B. Note that there could be multiple layers of infection, so you should check if the file you extracted also contains a $PLUGINSDIR\B.

So, where did this come from?

As far as I can tell, this is not the first strain of its kind, nor its last.

In early 2017, TrendMicro analyzed something similar as 'CRCK_KEYGEN.SM'; the technical details say it tries to connect to similar servers (same parameters). Once again, we see that whole "AV vendors don't care about that side of the internet" thing - I'd put "tries to download and run arbitrary code" above "is a keygen", but c'est la vie.

There's a pcap from a 2015 relative available, as well.

To my surprise, this campaign is still active - I can find samples still calling URLs with a related set of parameters, now to pe-mainin.com. Thanks to AlienVault keeping old whois data around, we can see that it's Wakenet AB who's most likely behind it. Very conveniently, pe-sixi.com, also linked to Wakenet, is hosting a fake 7zip download page at the moment, calling it "SevenZip". Through this, it's related to "C4DL Media" and P2Pcontrol.

Where next?

There's a lot of unanswered questions. Who is/was infecting a ton of keygens and uploading them, for example?

While I wish I could go into more depth on more recent samples, I don't have access to download samples from VirusTotal or Hybrid Analysis, by virtue of doing this in my spare time.