AVTOKYO2022

Transcript

1. Undetectable Threats: Spreading Node.js based Malware with Phishing Mizuho Mori

   AVTOKYO2022 1

2. Who am I? Mizuho MORI a.k.a morimolymoly Threat Intelligence Analyst

   HP: https://morimolymoly.com/ Captain of Security Team DCDC and DC2INTEL MITOU Super Creator(2019) 2

3. Agenda 1. Introduction 2. Overview of Node.js based Malware 3.

   Ecosystem of Malware 4. Technical detail and how to reveal it's functionality 5. Case studies a. Bby Stealer b. 1337 stealer c. Pulse(not a Node.js malware!) 6. Dual Hook 7. Conclusion 3

4. Introduction • Discord is very important tool for young ages,

   crypto currency community, gamers ◦ AVTOKYO also use DIscord • Nowadays, New Gen Malware is spreading and steal important information from PC with Phishing and it was not detected by AVs 4

5. 5

6. Overview of Node.js based Malware • It’s an info stealer

   written in JavaScript ◦ and also called as a token grabber • It uses Node.js to run their scripts • Most of them uses Discord’s Webhook to send stolen data to threat actors • Malware injects malicous JavaScript code into Discord itself ◦ Discord has Credit Card Number, Tokens, Email, Password, etc… • Right now, infection vector is only phishing. ◦ No ExploitKit or Loaders. 6

7. Overview of Node.js based Malware • First generation of malware

   uses Electron ◦ Easy to analyze, just unpack ASAR file and you can see source code ◦ Source code is obfuscated tho • Second generation of malware uses Vercel pkg ◦ Hard to analyze ◦ Malware, binary itself contains various GZipped binary ◦ Static analysis is very hard • For anti-analysis and scams, JavaScript based Malware evolved like this! • I forget when it did, Novel JavaScript based Malware, BbyStealer and others banned debuggers and capture tool same time 7

8. Ecosystem of Malware • Everything is done in Discord server

   and Telegram • Build, Lure, Infection, Steal, Manage stolen data • Malicious Discord server is suddenly banned by Discord Abuse Response Team • Telegram is used in a way to notify new Discord server • Details are on section of “Case study2 - 1337 stealer” 😉 8

9. Technical detail and how to reveal it's functionality • First

   generation is easy as I told ◦ Electron based malware ◦ Unpack(asar command) and you can get source code ◦ Source code is obfuscated but you can defeat it! • Second generation is hard ◦ Vercel pkg based malware ◦ Static analysis is impossible! ◦ Dynamic analysis works ◦ Run malware and dump memory and analyze it and you can find IoCs! • We take a look into Second generation of malware! 9

10. Technical detail and how to reveal it's functionality • Vercel

    pkg is https://github.com/vercel/pkg • Source code is completely disappeared • When you binwalk malware, you can see lots of junk files is contained!!!! ◦ You can not ungzip it also • This is totally brainfucked 10

11. 11

12. Technical detail and how to reveal it's functionality • Flare-FLOSS

    does not work ◦ We can not get IoCs • Online Free Sandbox is not working because file size is larger than 2MB and it needs Discord app to kick in • I used dynamic analysis ◦ Run malware and terminate and dump memory ◦ This memory image contains IoCs and important string ◦ And also part of source code • After I get part of source code, I deobfuscate source code and analyzed it ◦ also dynamic deobfuscation is useful in this stage! • I used Process Hacker, x64dbg and some forensics tool 12

13. Case Studies • I did OSINT, HUMINT, Malware Analysis for

    three malware ◦ BbyStealer ◦ 1337Stealer ◦ Pulse • I penetrated into one group 13

14. Case study1 - Bby Stealer • The King of token

    grabber • Bby team has a stressor, Bby Network(DDoS service) • Do reselling • Admin is brunxkd 14

15. Case study1 - Bby Stealer (Functionality) • C2 Endpoints ◦

    hxxps://wearenotbbystealer.nl/<KEY> - discord info grabbing ◦ hxxps://wearenotbbystealer.nl/<KEY>/str - payload ◦ hxxps://wearenotbbystealer.nl/<KEY>/strex - payload ◦ hxxps://wearenotbbystealer.nl/<KEY>/tokens - token grabbing ◦ hxxps://wearenotbbystealer.nl/<KEY>/wallets - wallet grabbing • C2 needs User-Agent: potatochipscandy1337 and Key • Infected Discord has payload in app-<version>/resources/app(when unzipped Discord binary) • I launched Bby and capture network communications 15

16. 16

17. Case study1 - Bby Stealer (Functionality) • Bby network is

    developped(DDoS Service) 17

18. Case study1 - Bby Stealer(HUMINT) • I tweeted analyzed results

    of Bby • Some guy who was in same school with brunxkd is contacted to me • I teached how to analyze Bby Stealer • Then, he respect me and told everything about brunxkd • He is also hostile to brunxkd with money 18

19. Case study1 - Bby Stealer (OSINT) • He sells stolen

    credentials at Forums • He sells Bby as MaaS 19

20. Case study1 - Bby Stealer (OSINT) • I revealed infra

    of Bby. • wearenotbbystealer[.]nl(C2) and superfurrycdn[.]nl and rustlercoppy[.]nl are owned by same actor • wearenotbbystealer[.]nl has link to hxxps[:]//superfurrycdn/[.]nl/assets/favicon.png • superfurrycdn is a distributer of malware • superfurrycdn is also linked to rustlercoppy[.]com 20

21. Case study1 - Bby Stealer (OSINT) Same design is used

    on superfurrycdn and wearenotbby[.]nl 21

22. Case study2 - 1337 Stealer • 1337 stealer group has

    1337 stealer and RedFinger stealer and 1337 Network • First generation of 1337 stealer is sooooo shit • This has a vulnerability • I reported this vuln and got reputation and admin loves me ◦ It is time to HUMINT!!!!!!!!!!!!!!!!!! 22

23. Case study2 - 1337 Stealer (Vuln) • First Gen Binary

    itself contains a Discord tokens and MongoDB Username/Password as a plain text • My friend researcher from US dumped Mongo and wiped out and used Discord token and nuked their server 23

24. Case study2 - 1337 Stealer (Vuln) 24

25. Case study2 - 1337 Stealer (HUMINT and Penetrated) • I

    talked with Blue, 1337 admin and he admitted me to join Discord server and got privilege to build malware • I could see the ecosystem of malware! • 25

26. Case study2 - 1337 Stealer (HUMINT and Penetrated) 26

27. Case study2 - 1337 Stealer (HUMINT and Penetrated) 27

28. Case study2 - 1337 Stealer (HUMINT and Penetrated) 28

29. Case study2 - 1337 Stealer (HUMINT and Penetrated) 29

30. Case study2 - 1337 Stealer (HUMINT and Penetrated) 30

31. Case study2 - 1337 Stealer (HUMINT and Penetrated) 31

32. Case study2 - 1337 Stealer (HUMINT and Penetrated) 32

33. Case study3 - Pulse(not a Node.js malware!) • Pulse is

    a reselling of cracked version of Remcos RAT • Remcos RAT is sold by BreakingSecurity 33

34. Case study3 - Pulse(not a Node.js malware!) • Pulse is

    packed RemcosRAT and larger than 2.3MB(real Remcos is 465K) 34

35. Case study3 - Pulse(not a Node.js malware!) • Threat actor

    is reselling cracked version of another malware • Size is so big but Pulse is not detected by AV • There is some actor which sell malware packed with cryptor as a new malware 35

36. Dual Hook • Dual Hook is a scam method •

    By dual hook, if you logged victims, malware author also get information of victims • This is a big issue in a scene • There are servers to verify new logger 36

37. Conclusion • Token grabber(Baby Info stealer) is made by Node.js

    and not detected by most of AVs • Most of actors are kids • They does not have loaders or EK to spread ◦ No injection, no hollowing, no nothing ◦ So, AVs can not detect it as suspicious • They are immature cybercriminals • If we carefully observe them, we can get some information of future of cybercrime 37

38. THANK YOU!!!! 38