Wednesday, 22 November 2017

Malware reverse – RAT backdoor

Hello again.
After testing a few files, I found something good to analyze.
On hacking and warez forums you find a lot of infected files.
Today I analyzed a program used by attackers to hide their malware: a binder, which joins two files into a single executable so that, when it is run, one file is shown to the user and the other runs hidden.

Although the person who posted the software announced it as a cracked version, it still seems strange that the name is Celeste instead of Celesty, and the details are missing entirely.
After a brief analysis I realized that the download already contains two files, both of them executables, which is exactly what the Celesty binder itself produces.


The executables seem to be the Celesty software and something called Encrypt, and if we remember what a binder does, we understand that Celesty is the file that will appear on screen while Encrypt runs hidden.
Looking in more detail, we can see that the resources of the downloaded Celest executable are exactly those two hidden files.
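A binder that stores its payloads as resources leaves whole PE images inside the container, and they can be carved out by scanning for an MZ header whose e_lfanew points at a valid PE signature and then reading the section table to find where the image ends. The Python below is an added example, not code from this post or from the Celesty tool: the container it scans is a synthetic, non-loadable PE-shaped blob built inside the script to stand in for the downloaded binder and its two embedded executables, and the payload bytes are constructed.

```python
import struct
from dataclasses import dataclass

PE_SIG = b"PE\0\0"
# COFF Machine values we accept; any other value means the "MZ" was a false hit.
KNOWN_MACHINES = {0x14C: "i386", 0x8664: "amd64", 0x1C0: "arm", 0xAA64: "arm64"}


@dataclass
class EmbeddedPE:
    offset: int      # where the MZ header sits inside the container
    size: int        # bytes from that MZ header to the end of the last section's raw data
    machine: str
    sections: int
    data: bytes      # the carved image, ready to be hashed or written to disk


def _pe_extent(data: bytes, base: int, pe_off: int):
    """Validate the COFF header at pe_off and return (machine, nsec, size) for the image at base."""
    try:
        machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    except struct.error:
        return None
    if machine not in KNOWN_MACHINES or not 1 <= nsec <= 96 or opt_size > 0x200:
        return None
    sec_off = pe_off + 4 + 20 + opt_size            # section table follows the optional header
    end = sec_off - base + 40 * nsec                 # at least up to the end of the section table
    for i in range(nsec):
        try:
            _, _, _, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        except struct.error:
            return None
        if raw_size:
            end = max(end, raw_ptr + raw_size)       # raw pointers are relative to the image start
    return KNOWN_MACHINES[machine], nsec, min(end, len(data) - base)


def carve_embedded_pe(data: bytes) -> list:
    """Return every plausible PE image in `data`, including the container itself at offset 0."""
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x400 and data[pe_off:pe_off + 4] == PE_SIG:
                ext = _pe_extent(data, pos, pe_off)
                if ext:
                    machine, nsec, size = ext
                    found.append(EmbeddedPE(pos, size, machine, nsec, data[pos:pos + size]))
        pos = data.find(b"MZ", pos + 1)
    return found


def build_stub_pe(payload: bytes, machine: int = 0x14C) -> bytes:
    """Constructed test data: a minimal PE-shaped blob with one section. It is NOT loadable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE signature right after the DOS header
    opt = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)    # PE32 magic, rest of the optional header zeroed
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), 0x0102)
    hdr_len = len(dos) + 4 + len(coff) + len(opt) + 40
    sect = struct.pack("<8sIIIIIIHHI", b".data", len(payload), 0x1000,
                       len(payload), hdr_len, 0, 0, 0, 0, 0x40000040)
    return bytes(dos) + PE_SIG + coff + opt + sect + payload


# Stand-ins for the two files the binder carries (the names are the page's; the bytes are constructed).
INNER_A = build_stub_pe(b"stand-in for the visible CELESTY.EXE")
INNER_B = build_stub_pe(b"stand-in for the hidden ENCRYPT.EXE", machine=0x8664)
SAMPLE_BINDER = build_stub_pe(b"binder stub code " + INNER_A + INNER_B)

if __name__ == "__main__":
    for hit in carve_embedded_pe(SAMPLE_BINDER):
        print(f"offset=0x{hit.offset:x} size={hit.size} machine={hit.machine} sections={hit.sections}")
```

Against a real file, call carve_embedded_pe(open(path, "rb").read()): the hit at offset 0 is the container itself and every later hit is a candidate payload to hash and scan on its own. The size comes from the section raw-data extents, so an overlay appended after the last section is not carved with the image.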
OK. If you think things have become complicated... wait a little longer.
Moving on to more advanced techniques, I was able to discover what goes on beyond that first downloaded file.
Do you remember how it all started?
A .rar file... an .exe extracted from it... two hidden files.
Now look at my malware reverse folder!

Quite interesting!
I double-click it as a victim would and let the executables do what they want.
Now that everything seems quiet, I can see that OrcusWatchdog does not want to stop: even when you kill it, the "keep alive" function brings it back to life.

Okay, let's see what's going on.
Celest_Binder looked fine at first, but what it brings with it is not good for the computer.

Drops executable files:
OrcusWatchdog.exe
CELESTY.EXE
ENCRYPT.EXE
svchost_.exe
sbziixqt.dll
RESD05E.tmp
ENCRYPT file
Creates a process masquerading as svchost.exe: Users\vchost\svchost.exe
Creates a new process: AppData\OrcusWatchdog.exe
Writes data to remote processes (process injection):
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

OrcusWatchdog
Accesses the .NET runtime and its security configuration:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config

svchost_
Contains the ability to manipulate the desktop.
Password-stealing functions.
Records keystrokes.
So, to cut a long story short: it is a *remote administration tool that can do the following:
Control
  Basic information about the client (operating system, language, privileges, path, IP address, ...)
  Uninstall, Kill, Make Admin
Computer
  Get a lot of information about the client's PC
  Categories: Operating System, System, BIOS, Hardware (Processor, Video card), Software, Network (local addresses, geolocation data), Drives
Passwords
  Recover passwords from well-known applications (Google Chrome, Mozilla Firefox, FileZilla, Internet Explorer, JDownloader, Opera, Thunderbird, WinSCP, Pidgin, ...)
  Recover cookies from web browsers (Google Chrome, Mozilla Firefox, Yandex)
File Explorer
  Interface like the Windows file explorer
  Download, rename, create or remove files and directories
  Download directly to the server
  Execute files with arguments, verbs and other settings
  Show properties of files (size, dates, details like the dimensions of a picture or the bitrate of a video) and calculate hash values (MD5, SHA1, SHA256, SHA512)
  Upload files
  Open Console here
  Go back/forward
  Pinned folders of the client's system are added directly to the tree view (Dropbox, OneDrive, Creative Cloud Files, etc.)
  Support for special folders like the recycle bin
  Search for files in the current folder
  Enter a path directly or select it with autocomplete and drop-down
Programs
  Receive all installed programs
  Start the uninstaller of a program
  Open path in File Explorer
... and a lot *more!
That's the situation!
Things are not as they seem, and do not forget:
when something is free, you are not the customer but the product!


Have fun & Stay Safe!!!

*Orcus Remote Admin

Tuesday, 21 November 2017

Are you a lucky cybercrime victim?

Many Internet users download certain programs even when they know they are illegal or even dangerous. Without clear statistics, I would guess that only 5% of them know how to protect themselves so that they do not become victims of hackers.
Sometimes victims quickly realize that they have something dangerous on the computer; sometimes they never know what is happening behind the screen. The installed antivirus helps a great deal if it is up to date, but it also often fails to see the infected file.
I'm one of those who deliberately download infected files, thousands of them, to analyze, learn and discover hacking news. Since 2008 I have seen many viruses, more or less dangerous: some steal and leave, some stay and log, some remain and use the victim's computer.
In general, the stolen information is processed and transmitted through a host, an email address or an IP, so the hacker has no direct connection with the victim.
E.g.:
Remote Administration Tool – remote control of the computer, done through a host whose IP the victim's machine connects to.
Keylogger – keystrokes are stored on the victim's computer and then sent to a host or email address.
Password Stealer – data stored on your computer is collected and sent to a host or email address.
Silent miner – the computer becomes a hidden worker, permanently connected to a host to do its job.
Botnet – the victim's computer is a slave waiting for the hacker's commands, connected to a host through which it is controlled.
What many do not know is that none of these connections are permanent. They can be blocked, reported, expired, deleted, etc. More specifically, the virus still exists on the Internet and is still active, but everything it does is useless because it no longer has its connection to the hacker.
To make it clear for everyone: the virus gets onto the computer and steals everything it can, but sends all the data to an address that no longer exists, and that is a good thing for... YOU!
So, are you a lucky victim?

Saturday, 4 November 2017

Websites mining with users' CPU power – Cyber security research

Many of us try to make money online from home. One option is the websites that offer some software and, if you keep it running, pay you for it.

I do not care whether it works, but I want to show you something, so I will try it!
In my way!
I always use "Extract here" for a rar archive... never double-click on it!


As you can see, I now have a rar archive and an application in my folder. I'm still suspicious, so with a right click on the application I look at its properties... or more than that.



So my application is more than a simple .exe file: as you can see, there is another "Extract here" option. That means the "application" is a 7-Zip SFX archive with 117 files in total.



Look at that... a lot of files, and somewhere in there is the real installer, EarnMoney.exe.
It's not OK, but let's install it!

It starts with some issues. I see it among the running applications... in Process Hacker... it seems OK.
But I have some problems during the installation process.

After some errors... I have it installed!



Let's start collecting some information!



The application is closed, but it still runs in the background, connected to:




TCP connections on port 443:
94.130.129.235
144.76.114.98

Is this strange? Wait....
Remember... the software is closed!!!
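To find out which process still owns those two port-443 connections after the window has been closed, the usual move on Windows is netstat -ano followed by tasklist for the PID. The Python below is an added example and not part of this post: it joins constructed netstat -ano and tasklist /FO CSV output (the two peer addresses are the ones observed above; the PIDs, the other rows and the EarnMoney.exe process name are assumptions) and reports, per process image, the established connections to public addresses, which is exactly the "closed but still connected" check.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed `netstat -ano` output. The two 443 peers are the addresses observed above; the PIDs,
# local addresses and the other rows are assumptions made up for the example.
NETSTAT_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     4120
  TCP    192.168.1.20:49712     94.130.129.235:443     ESTABLISHED     4120
  TCP    192.168.1.20:49715     144.76.114.98:443      ESTABLISHED     4120
  TCP    192.168.1.20:49720     172.217.16.46:443      ESTABLISHED     2288
  UDP    0.0.0.0:5353           *:*                                    1456
"""

# Constructed `tasklist /FO CSV` output; the EarnMoney.exe process name is an assumption.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","912","Services","0","9,124 K"
"EarnMoney.exe","4120","Console","1","234,560 K"
"chrome.exe","2288","Console","1","180,004 K"
"svchost.exe","1456","Services","0","5,020 K"
"""


def parse_netstat(text: str) -> list:
    """Parse `netstat -ano` rows into dicts. UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:
            proto, local, remote, pid = parts
            state = ""
        rhost, _, rport = remote.rpartition(":")      # rpartition keeps IPv6 "[::1]:443" intact
        conns.append({"proto": proto, "local": local, "remote_host": rhost.strip("[]"),
                      "remote_port": rport, "state": state, "pid": int(pid)})
    return conns


def parse_tasklist_csv(text: str) -> dict:
    """Map PID -> image name from `tasklist /FO CSV` output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def is_external(host: str) -> bool:
    """True for routable public addresses; loopback, RFC1918 and '*' are not interesting here."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def external_connections(netstat_text: str, tasklist_text: str) -> dict:
    """Group ESTABLISHED connections to public peers by the owning process image."""
    images = parse_tasklist_csv(tasklist_text)
    by_image = defaultdict(list)
    for c in parse_netstat(netstat_text):
        if c["state"] == "ESTABLISHED" and is_external(c["remote_host"]):
            owner = images.get(c["pid"], f"pid:{c['pid']}")
            by_image[owner].append(f"{c['remote_host']}:{c['remote_port']}")
    return dict(by_image)


def connections_of_closed_app(netstat_text: str, tasklist_text: str, image: str) -> list:
    """Peers still held by a process whose window the user closed: non-empty means it did not exit."""
    return external_connections(netstat_text, tasklist_text).get(image, [])


if __name__ == "__main__":
    for image, peers in external_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(image, "->", ", ".join(peers))
```

On a live machine, feed it the real output of netstat -ano and tasklist /FO CSV; a process that the user "closed" but that still appears with established external peers is the one to look at next, and its PID is what you hand to Process Hacker or to tasklist /FI "PID eq ...".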
In the first minutes:
Total CPU usage: 4.30%
Application CPU: 0.00%
Private bytes: 28.32 MB



I reduce the CPU usage by closing some applications, and then...
Total CPU usage: 44.26%
Application CPU: 40.93%
Private bytes: 158.06 MB



Like every silent miner, it works best when you are not doing anything on your computer...
I wait to see what changes, and here they are:
Total CPU usage: 44.93%
Application CPU: 41.43%
Private bytes: 234.56 MB



So here we are, at the end of this crazy money-making process.
Now you know... learn the basics of staying safe online!
Have fun & Stay safe!!!

Wednesday, 1 November 2017

Silent miner backdoored – Malware reverse

Today I found a new backdoored hacking tool to play with.
A new silent miner, made to infect some "hackers" with remote access.
The exe is bound together with some files that work in the background.




taskhost.exe
original filename: canhost.exe
Registry: HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY, value: DISABLESECURITYSETTINGSCHECK
netsh firewall add allowedprogram "%APPDATA%\taskhost.exe
http://120988.myq-see.com
178.137.146.32 – Ukraine
41.226.243.30:1337

Temp1.exe
C:\Users\mourad\Documents\Visual Studio 2012\Projects\canhost\canhost\obj\Debug\canhost.pdb
Registry: HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY, value: DISABLESECURITYSETTINGSCHECK
netsh firewall add allowedprogram "%APPDATA%\taskhost.exe
http://120988.myq-see.com
178.137.146.32 – Ukraine
41.226.243.30:1337

Temp2.exe
original filename: BcnSilentminerBytcoin.exe
stratum+tcp://mine.p2pool.com:9327
http://www.bitcoin-adder.com
\visual studio 2012\Projects\Bcn Silent miner Bytcoin\Bcn Silent miner Bytcoin\obj\Debug\Bcn Silent miner Bytcoin.pdb
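The indicators above are the kind of thing a strings dump of an unpacked sample hands you directly: a registry value that disables the Internet Explorer security-settings check, a netsh command that whitelists the dropped file in the firewall, a dynamic-DNS C2 host, raw IP:port pairs, a stratum pool and the developer's PDB path. As an added example (my code, not the author's and not the miner's), the Python below buckets a constructed strings dump into those categories and pulls the developer's user name and project name out of the PDB paths. The dynamic-DNS suffix list is an assumption, and the netsh line in the sample has its trailing arguments filled in for illustration, since the page shows that line truncated.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: dynamic-DNS suffixes commonly used as RAT C2 hosts (myq-see.com is the one on the page).
DDNS_SUFFIXES = ("myq-see.com", "no-ip.org", "no-ip.biz", "ddns.net", "duckdns.org", "hopto.org")

PATTERNS = {
    "stratum_pool": re.compile(r"stratum\+(?:tcp|ssl)://[\w.-]+:\d+"),
    "url": re.compile(r"https?://[\w.-]+(?::\d+)?(?:/\S*)?"),
    "ip_endpoint": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"),
    "pdb_path": re.compile(r"(?:[A-Za-z]:)?\\[^\r\n]*?\.pdb\b", re.IGNORECASE),
    "registry_key": re.compile(r"HK(?:CU|LM|CR|U|CC)\\[^\r\n\"]+"),
    "firewall_tamper": re.compile(r"netsh\s+(?:advfirewall\s+)?firewall\s+(?:add|set)[^\r\n]*", re.IGNORECASE),
    "ie_security_check_disable": re.compile(r"DISABLESECURITYSETTINGSCHECK", re.IGNORECASE),
}

# Constructed strings dump modelled on the indicators listed above. The netsh arguments after the
# program path are filled in for illustration only; the page shows that line truncated.
SAMPLE_STRINGS = r"""
HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY
DISABLESECURITYSETTINGSCHECK
netsh firewall add allowedprogram "%APPDATA%\taskhost.exe" taskhost ENABLE
http://120988.myq-see.com
178.137.146.32
41.226.243.30:1337
stratum+tcp://mine.p2pool.com:9327
http://www.bitcoin-adder.com
C:\Users\mourad\Documents\Visual Studio 2012\Projects\canhost\canhost\obj\Debug\canhost.pdb
\visual studio 2012\Projects\Bcn Silent miner Bytcoin\Bcn Silent miner Bytcoin\obj\Debug\Bcn Silent miner Bytcoin.pdb
GetProcAddress
kernel32.dll
"""


def classify_strings(text: str) -> dict:
    """Bucket printable strings (e.g. `strings -a sample.exe` output) into IOC categories."""
    hits = defaultdict(list)
    for line in text.splitlines():
        for cat, pat in PATTERNS.items():
            hits[cat].extend(pat.findall(line))
    # Hosts on dynamic-DNS providers are the C2 rendezvous points worth blocking or sinkholing first.
    for url in hits["url"]:
        host = urlparse(url).hostname or ""
        if host.endswith(DDNS_SUFFIXES):
            hits["ddns_host"].append(host)
    # Deduplicate while keeping first-seen order; drop empty categories.
    return {cat: list(dict.fromkeys(vals)) for cat, vals in hits.items() if vals}


def pdb_origin(pdb_path: str) -> dict:
    """Pull the developer's Windows user name and project name out of a leaked PDB path."""
    user = re.search(r"\\Users\\([^\\]+)\\", pdb_path, re.IGNORECASE)
    project = re.search(r"\\Projects\\([^\\]+)\\", pdb_path, re.IGNORECASE)
    return {"user": user.group(1) if user else None,
            "project": project.group(1) if project else None}


if __name__ == "__main__":
    iocs = classify_strings(SAMPLE_STRINGS)
    for cat, vals in iocs.items():
        print(f"{cat}:")
        for v in vals:
            print(f"  {v}")
    for p in iocs.get("pdb_path", []):
        print("pdb origin:", pdb_origin(p))
```

The registry and netsh hits are the ones to turn into host-based detections (a value named DisableSecuritySettingsCheck being written, and netsh adding an allowedprogram out of %APPDATA%), while the DDNS host, the IP:port pairs and the stratum pool go to the network side; the PDB path is attribution data, not something to block.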
And the antivirus engines... hmmm... a detection ratio of only 31/68?!

The Payload Security team was there too.

And reported it in the forum where I found it!

Have fun & Stay safe!!!
Prodefence Team