Living off the Land—Malware in the 21st Century
By Gabriel Cirlig | During the Middle Ages, a vital aspect of any war was the ability to feed your troops. While the soldiers were mostly encouraged to forage and rely on the rations, they would often supplement their meals by stealing from local villages. This created chaos, incited hatred towards the advancing army and the warlords. Over time, the more disciplined armies asked soldiers to pay the peasants and had better logistics for feeding the troops.
On the digital battlefield, things have also changed over the years. While early malware would sow chaos on the computer they were infecting, the more modern kits have started adopting a stealthier approach. They try to only use tools that come preinstalled on operating systems, generally whitelisted by antivirus engines. This has come to be known as “living off the land”.
Leethax for every kid
One such tool is AutoHotkey, also known in the gaming community as AHK. Initially, gamers use it to script monotonous tasks, to gain an edge over their opponents, from targeting assist in MOBAs to AIMBOTs in shooters. However, recently its interpreter has been bloated with sophisticated tools to access underlying apps.
AHK - BLESSING AND CURSE
AutoHotkey is an open-source scripting language for Windows, originally aimed at providing easy ways for users of most levels of computer skill to automate tasks in Windows applications—through keyboard shortcuts, fast macro-creation, and software automation. But its list of features doesn’t stop there. It can set up Windows Event Hooks, inject VBScript/JScript, and even inject DLLs in other process’ memory. Being a reputable tool, it has gathered over the years a sizeable community that has been able to push its interpreter (an 800KB binary blob) into the whitelists of most of the antivirus vendors.
However, it has also attracted the attention of the wrong type of crowd. Malware authors have started using this scripting engine to fly under the radar and drop a varied range of payloads without triggering any antivirus (AV) alarms.
Random miner
Looking at 59fd56e2334dcc1614225127d6c2dc4d4816556fe6c7e5d748ab8757035b6cec, notice that the file only has 5 detections. This is actually the packer, which leads us to 17f5e0ca54fc2d69b3be5f9a970b8748d9ad477b78d43f507d9dacd4b9226066. Again, we can find a binary with only 5 detections on the AV radar.
Contents of a binary packed with AHK
There we see how the logic is split over a VBS file, a batch file, and a mysterious text file. Peeking inside the text file, we see that it represents the entry point for the scripts inside:
AHK script for dropping the main payload
After a bit more poking, we find another script that solves the Rar.exe mystery packed inside the resource named “a” in the screenshot above:
Using the Rar.exe binary provided in the initial package and the password supplied above, we can finally get to the juicy payload which is…
A miner
Funny thing, all the dropping logic is written plainly in AHK (the developer got bored in the meantime) and although no evasion technique was used, it still netted a 50% detection rate on a suite of modern antivirus engines.
But what if the developer wasn’t bored, and instead bought the dropper as a kit from somewhere deep down the dark web? (shame on him, he only got a couple of bucks off this miner). The theory holds, especially when we examine the following malware creators.
HIGH-TECH CON ARTISTS
While exploring the daily plethora of AHK scripts, we found some eerily similar snippets of code. Turns out all of them are based on a popular script for clipbankers roaming in the wild. The principle of operation for this malware is simple: it stays resident in memory and listens for any activity in your clipboard. When it contains anything resembling a crypto wallet, it replaces the content with its own wallet address, thus tricking you into sending funds to him instead.
Clipboard hijacker written in AHK
As you can see, the script has a battery of wallets hardcoded that override anything the user might paste. If the transaction is not double-checked, then the funds would be sent to the attacker, rather than to the intended destination. Whenever funds would be deposited into the hackers account, he would quickly withdraw them and leave his target penniless.
IT’S GOOD TO BE BAD
Following up, we can find another script from a different attacker that has the same structure, but has an extra target in its sights: Steam. The Steam trading platform is quite robust and may conduct millions of transactions per day. While technically it is not possible to cash out on your transactions (you can do that only if you plan on purchasing games/items on the Steam store), a lot of black markets are available for the intrepid trader who wants to get rich by selling his inventory.
A small fortune for virtual bling
Thus, every time somebody copies and pastes a transaction and not validate it by hand, the items involved in the transaction end up in the attacker’s possession. However, Steam accounts can be a huge hole in your operations security (OPSEC) if care is not taken.
The same structure, a new platform to steal from
When making transactions, the Steam partnerID is presented to the other party to provide an inventory to which the transaction contents will be delivered. Fortunately, only other Steam scammers fall prey to this, as nobody in their right mind initiates a trade with somebody without asking something in exchange.
Scammers ask you to send them your items so they can dupe them
We can extract a valid steamID from the partnerID and use that to look up the user behind the malware.
Who are you, highleymatt74?
Kudos to “Matt” for his OPSEC. With an inactive account, we can’t do anything other than stare blankly at the screen and curse him.
Another day, another chance to scroll through endless lists of autohotkey scripts, only to find something similar to our beloved clipboard hijacker. Fortunately, we soon find somebody who also put his partnerID in his script code as well.
Jackpot!
After redoing the correlation procedure between the partnerID and the steamID, we finally find the person behind the malware:
An active steam profile <3
Logging into Steam and searching for the username nets us the following page:
We now have a foothold in building the profile for our guy. An avid gamer, passionate about crypto, he wants to make a bit of extra money/Steam bling on the side. Unfortunately for him, he was a bit greedy/lazy and also put his own steam ID inside the malware, leading us to him.
GIT GOOD OR DIE TRYING
But the saga of AHK does not stop here. Digging through the various scripts we encounter, we’ve found our most serious OPSEC offender. Unpacking e52c1f69f680aabf8e6d263660745743960a414fd04d61df337300414d6d4401 yields us a script that looks like this:
Entry point for the cryptominer
How do you bypass most firewalls and filters? Use only the most reputable hosting, of course. GitHub provides us with just that. Inside, we can find a lot of other projects with different mining clients that are being dropped onto the unsuspecting user. Notice that everything is being hosted under the vvolf2 username.
Miners for all flavors
Using his GitHub user and the good old trusty Google foo, we discover that behind this nickname hides a real person. After a bit more digging on the internets, we finally arrive to his VK page. Unfortunately, the post was deleted, but with some Google magic we managed to snoop this from the cached pages:
Complaining on the internets about rigs
Passionate about crypto, scripts, and everything in between
But what if he only wants to automate his work and deploy the miner to all his rigs using AHK? Surely there are still legitimate users of these kinds of tools. Fortunately for us, a quick correlation between one of the SHAs that point to his GitHub account and the filename led us to an especially shady website that confirmed the malicious intent:
THE SOLUTION
There isn’t any. The Romans once had a saying, “Est modus in rebus”, which basically means “Be moderate in everything you do.” The developers are the front line of defense when it comes to malware like this. Be mindful of what tools you write and always be aware of how they are being used. If need arises, take a step back, look at what you have created, and put checks and bounds on the features that are being mischievously used.
LEVERAGE SUBSCRIPTION SERVICE TO STAY AHEAD OF ATTACKS
The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia test platforms.