00:00:00 Let's take a look at some new malware uploaded to MalwareBazaar. This was uploaded by Rex CZ, and Rex actually hit me up on LinkedIn and said, hey, I've got this bit of malware that I was sent on Discord, do you want to take a look at it and reverse it with me? He's put a comment in here with the password, which is "molu beta", and because this was distributed via Discord my thoughts immediately went to: this is likely one of those Electron or Node type samples that are posing as a game. And as you can
00:00:27 see here, he's also given the link that it came from. Let's take a look at the link. Oh, Molu game, nice. It's a beautiful game about a person getting food or fruit or... look, I don't even know exactly what this is, but it's not a game, it's malware. So let's dive into it. I've downloaded the sample here and we've got Molu game, and it is an archive, so let's extract this and we're going to give it the password "molu beta". Quite often a lot of these scams are going to use the game name plus "beta" or "alpha" as the
00:00:58 password, because it's pretty easy to remember and it's a way that they can continuously have a universal type of password that they send to people. So we've got the game, and we've got the game setup here now as well. Now let's zoom into this: you might notice we have NSIS, so that is an installer that we can extract using 7-Zip. So let's go ahead and use 7-Zip and extract this installer onto the endpoint. Now we extract the installer, we get the plugins directory and we also get the uninstaller here. Let's go
00:01:29 into the plugins directory. We have done this before; if you haven't seen my initial video on Discord malware being transmitted, take a look, I'll leave a link in the description so you can check that one out. We've got the app here and that is the 7-Zip archive. We can just once again extract that 7-Zip archive, and now we've got our files and Molu game here. You can see once again it's an Electron application, and this is going to have zero VirusTotal detections. It says it's come from, you know, Unreal Engine. This is
00:01:57 going to use the resources that we have here though, so we can actually look at the resources, and you can see there is an unpacked version here that's come with it, and the node modules. Interestingly enough this has only got two modules: sqlite3 and ilovingcats. Now I've never heard of ilovingcats before, so let's give this a squiz. We're going to open it up, and it does look like it's using a number of other files, it does look like it's using a number of other dependencies as well, and it's available on the npm website.
00:02:30 So if we take a look at the distribution that comes with this, this index.js, you'll notice that this is using DPAPI, so immediately I begin to think, hey, maybe this is going to be getting the master key that's used to secure credentials on an endpoint, something that we want to be aware of. We can see node-gyp build, and in the source we can see a number of C++ classes, particularly the DPAPI classes and the main one here, and we can see that this is using the protect and unprotect data functions. Yes, this is going to be used
00:03:03 to get the key used to encrypt and decrypt credentials on a system. Definitely something that's interesting, and not something you would want to see in the context of an Electron game, so let's dive into this a bit further. Taking a look at the npm package ilovingcats, there was actually an advisory that got put out two days ago that anything that's using this node package should be considered compromised. It looks like maybe the malware author has created this package and put it on the node package manager, not necessarily to
00:03:33 just make a malicious package there, but to try to obfuscate the use of the DPAPI package. I'm not 100% sure, but either way it's been taken down, basically. Now what we're going to do is use npx to run an Electron package, asar, and then use that to extract the code that we have here. So in our resources we have the app.asar, and if you've seen my previous video you'll know how this works, but let's run through it again. We're going to use npx, we're going to do electron... whoopsy daisy, we're going to
00:04:03 use npx, we're going to do electron, we're going to do asar, we're going to do extract, we're going to specify app.asar, and we're just going to put it into a folder called extracted. You can see that successfully completed, so now we've got the folder of code extracted, and we really have the crux of what we want to see here. There's the node packages that this relies on, and you can see there is quite a lot of different node packages in here. You will notice that there's not actually DPAPI, by the looks of things.
00:04:34 Yes, so you can see it doesn't actually directly import the DPAPI package. We also have this JavaScript, now this has a unique name to say the least, and the package.json file. We'll first look at the package.json file, and we can see that it's using these dependencies, including ilovingcats version 1.3.1 or higher, and we can see that when it runs it's going to run this as the main application. So we want to understand what's in that JavaScript. If we look at this JavaScript and we edit this... oh dear, it's obfuscated
00:05:10 JavaScript. It's dirty, it's ugly, it's hideous, and it does look like there's some breaking up of perhaps a base64 encoded string here at the end. Let's see what we can do with this. There's a good chance that they're not actually doing anything kind of unique in the way that they're obfuscating this and they've used a publicly available obfuscator, so let's see if we can deobfuscate it using that. I've gone to the obfuscator.io deobfuscator and I'm just going to plonk this in and hit
00:05:39 deobfuscate, and it's running through, performing a lot of the deobfuscation functions, and after a short period of time we do have the output here. Hmm, interesting, let's see what we've got to work from. I've saved the file, called deob1. Now it does look like most of the script is actually in this base64 encoded block, but it doesn't seem to be just base64, because this is passed with a few other parameters here, so we're going to have to dive into this to try to get the last part of the script and understand what
00:06:12 it's doing. One of the things I immediately notice here is what seems to be some level of encryption, the reason being that we have this pbkdf2Sync and createCipheriv. We also have a reference to aes-256-cbc here, which definitely makes me think that this is using AES. Now if I look up those functions, we can actually see that pbkdf2Sync has a number of parameters that are passed to it, and createCipheriv also has a number of parameters that are passed to it, so let's actually see if we can perform the decryption of
00:06:45 this and get some more script that we can actually understand. I've opened up three instances of CyberChef, the reason being that I really want one that is deriving the PBKDF key, one that is using the PBKDF key for the decryption, and one that's just a bit of a scratch pad in case I need to convert any kind of numbers from base 16 to base 10 or so forth. So let's see what we can do here. It does look like there are a number of functions. Number one, we have this constant variable defined, so we can
00:07:15 see that that function has a number of parameters, 1, 2, 3, 4, being passed to it. This first parameter, if we look at what this is, seems to be referencing a variable here that is looking at base64 and UTF-8, so probably something to do with the decryption there. This one is going to be the actual PBKDF key, so definitely something of interest. This one is going to be also used in that same function, and I'm assuming the other one is as well. Yep, so the other one is down here with AES as well. Let's first look at deriving the PBKDF key. Now to do
00:07:53 that we need to know a password, a salt, the iterations, key length and digest. So let's actually start with this pbkdf2Sync and see what's being passed to it. We have pbkdf2Sync; now this would be the first value being passed to it, these would be the next values, and so on and so forth. This value here is defined as the second one that's passed to this function, and if we look at this function, it's this, so it's going to be the second value that's passed to it here. So if I scroll all the way down, the first value
00:08:24 seems to be this blob, this base64 encoded blob. The second value seems to be this, so this is going to be, let's just see, it's going to be the password that we use to derive the PBKDF key. So we're going to do "Derive PBKDF2 key" and we're going to use that as the passphrase, and this does look like it was UTF-8. Now we have the second value being passed to it; the second value is going to be "From Base64" of this, and this is going to be the third value passed. So the third value passed here is going
00:09:00 to be this one right here, so this is going to be our salt, and this is going to be in base64, and we can tell that. Now we go back and we're just going to work through this logically, one step at a time. So now we have the first value, the second value from base64, we have the third value here. Now the third value in the pbkdf2Sync is going to be the number of iterations, so this is in base 16. The number of iterations here though is not in base 16, we actually have to convert that, so let's go over here and we're going to
00:09:36 make this base... we'll change it to base 10, and we get the value 10,000. So 10,000 is going to be the number of iterations that we're using here. Now let's take a look at the key size and the hashing function. We do have 0x20 and sha512, so sha512 is going to be the hashing function, 0x20 is going to be 32, so that's the size of the key that we should be getting by the end of our output here. Now this is actually in hexadecimal, so even though this has an output length here of 32, this output
00:10:13 length actually has to be double that, which means this key size should actually be 256. So now we get this output, which is 64 in length, it is in hexadecimal, that is the output, which means that this is a 32 size key. And if we actually go back, if we're not too sure about this, we need to remember that this is using AES-256, so it needs to be 256. So now let's go over to our AES decryption. We're going to take our key which we just got, and we know that is in hexadecimal. We're going to have it in CBC, we're going to have the
00:10:46 input as raw, we'll do raw, which means we will need to do a "From Base64", because we can see base64 is what's being fed into it with that large blob. The initialization vector we have to look at here now. So for createCipheriv the third value is the initialization vector, so the third value in createCipheriv, 1, 2, 3, we have this as the buffer. This is the final value that's being passed to that function, so the final value here is this one. So let's take that, we're going to put this in, we're going to make it base64
00:11:23 because that's what it is, and now you'll see that it's not coming up with an error, but we're not actually getting any output because we haven't given it that blob yet. We know that blob has to be the last thing that's being passed to this, so let's take this data and see if we can do a successful decryption here. Nothing else seems to be done with this, so it's not like it's going through any more changes before it's put in, and bada bing bada boom, we actually get some script output. So let's take the script
00:11:47 output and see what we're left with. I'm going to create a new file, I'm going to put this in, and it does look like there's more things starting to look like they're in English, but there's still a level of obfuscation. Now let's see if we can just run that same deobfuscation tool, because we know that they were using a publicly available obfuscator here for the first iteration, so maybe they're doing it for the second iteration. Let's take it in here, let's replace this, deobfuscate, and just like that it looks like we
00:12:15 have the malware, we have the malicious script. So let's dive into this, let's actually see, now that we can read it, and understand what it's doing. Now this is actually like 3,000 lines, so let's see how fast we can go through it. We can see that there's some constants defined: exec, execFile, execSync, spawn, so it does look like this has the ability to run child processes that are passed down to it, so that's the RAT capability. It does look like it's probably got some hardcoded IP addresses; this could be C2,
00:12:43 or it could actually be that these are known IP addresses for sandboxes. You can see there's a constant here mentioned as well where it's specifying that DPAPI is coming from the ilovingcats module, which is what we saw before. So based on some of these names it could be that these are known to be in particular sandbox environments. You can see that there's a number of tools for analysis, dynamic analysis, so if you've got Postman, toic, Fiddler, you've got x64dbg, Binary Ninja, these are kind of like
00:13:15 hardcoded, or you know ones that they've included in this script, that if any of these processes are found, to say no, it doesn't want to run. There is also this message saying "this program does not run on virtual machines", kind of funny, because we don't need it to run, we can just look at the script, thank you very much. There is also a fake error capability which says "error executing VB script" and then a message, so I'm guessing this is a way to just throw people off the scent, that maybe it's not been able to run the game properly. These
00:13:44 system names are fairly interesting. It could be, yeah, that these are just known sandboxes, and these IP addresses, we can actually see where this constant's being used, so we can do a Ctrl+F, and you can see, yep, this is a blacklisted IP address. So if this does an IP lookup and it's from known sandboxes or known devices that they've said no, this is blacklisted or blocklisted, we do not want this to run, that's it, it's going to then run this function, which I'm assuming is it just terminating itself. Here's the definition,
00:14:15 so you can see if it's detected any of those things it's going to give that fake message when it exits itself, to say hey, there was an error executing the Visual Basic script. So there are particular usernames that it doesn't want, so if this includes that... we have to look at this, so that's the WDAGUtilityAccount and runneradmin, so if anyone with those usernames is running it, it's going to say no, and we can assume that all these are going to be anti-VM or anti-analysis type checks. You can also see it's looking at whether it's
00:14:51 running on Hyper-V, whether it's got any kind of GPUs, it's also looking at particular operating systems this is running on, things that maybe just aren't quite right, the total memory assigned to it. So there's so many anti-virtual-machine or anti-analysis techniques that are built into this script to try to stop sandboxes and antivirus products and reverse engineers from actually picking up on what this is doing. We can see it does have a number of locations where cookies and browser credentials
00:15:25 would be stored for a number of different pieces of software, so Brave browser, Yandex browser, we also have Google Chrome, etc. etc., and you can see that it is getting cookies from those browsers, so it definitely wants to be stealing that. It also looks like it's stealing Roblox session cookies, so maybe it's stealing access to people's Roblox accounts. You know, a lot of script kiddies or less skilled individuals are using this type of malware, so it's not surprising that maybe they want to be stealing access to people's video game
00:16:00 accounts as well, and obviously this being transmitted over Discord means that it is hitting their target victim demographic there as well. Stealing Mozilla Firefox cookies and login data credentials, getting all the stuff that automatically is saved to your browser, so if you are logging on with your browser and you say "save my credentials" or auto-fill whenever I go to this website, it's stealing that as well. We also see evidence of it doing the DPAPI decryption required to get those passwords. What else do we have here? Yep,
00:16:35 your autofill data, that's where that one is, stealing cookies, killing browsers. Not entirely sure why it's killing browsers here, maybe it is unable to gain access to certain things while the browsers are running. It's also storing something in your temp directory in a folder, TMP, that is likely going to have all the data that it's extracting and getting ready to exfil, so your autofill, your cookies, your passwords, etc., because you can see it is storing this in a zip archive and then it's uploading them to different locations, and here we
00:17:11 actually see the first evidence of what malware family this is purporting to be, so this is Leet Stealer. Now there is a lot of overlap with other things that I've seen here and reported on, you know, for example lots of these Electron application pieces of malware: there's Leet Stealer, there's Duvet Stealer, you know, Celestial Stealer, there's Hexon I believe it is as well, and so many more that are all just being transmitted and communicated on through Telegram channels, and you can really just find out what these are and what they are
00:17:43 doing in those Telegram channels. And so, not surprisingly, if I go to a Telegram viewer I can see reference to Leet Stealer as one of the channels, and there is Leet here with the clown emoji, you see 359 subscribers, it just says Leet, and it's not surprising, and this is almost certainly Leet Stealer, because we can see the clown emoji here as well. This is nice, because there are particular, you know, C2 information and APIs that are mentioned here, including keys used to access them, so I definitely wouldn't recommend
00:18:12 anyone use that key to access this Discord bot. And if I take a look at the particular subdomain on the iwanttoeatcats.com... I want to eat cats, man, come on, you said you love cats, "I loving cats", now you say you want to eat cats, I am shook. And we can actually see a community comment saying "this guy's going around sending RATs on Discord, part of his C2 exfiltration infrastructure". I guess you are not wrong there, hello123451, you are not wrong at all. And it's pretty interesting, we
00:18:48 can actually see that on digipres.club, which I believe, yeah, it looks like it's a hosted instance of Mastodon. It looks like someone was talking about this on this Mastodon instance, ah, a fairly well-known individual, so they have been talking about this malware as well and talking a little bit about what it's doing, I guess. Yep, "there's iwanttoeatcats site, sets up autorun on next boot, also grabs an npm package for unknown reasons, obfuscated and encrypted, decrypts itself on run, the encrypted code is also obfuscated", yep, "does
00:19:25 most of the stealing", yep. Looks like they were actually the individual, or this individual here maybe as well, that were the ones that got the ilovingcats repository taken down, so fair play, well done, I appreciate your work. Let's continue checking out exactly what this does. So it's sending data to this sendDiscord URI. There is also mention here, yep, uploading the files, stealing data, once again stealing data, same API keys being included. "Cookies other than those in Chromium bypass, so try the cookies in
00:19:57 the folder I mentioned, if they do not work there's a problem with the victim." There's not a problem with the victim, there's a problem with you people for targeting the victims, there's not a problem with the victim. Anyway, we can see it's killing, so it's using taskkill to kill particular processes, so any of these particular processes, it's going to kill them. It does look like it's exfiltrating to particular services here, so gofile.io, uploading files to there, file.io, uploading files to there, catbox.moe,
00:20:25 no idea what catbox.moe is, maybe this is another publicly available service or maybe something run by the same person that keeps talking about loving cats or wanting to eat cats, you know, whoever is using this particular piece of malware. And we have it here looking once again at different directories. We do have Discord, so this is likely to be impacting your Discord instance to steal your Discord credentials as well, and maybe even embedding a level of MFA bypass or script within that to be able
00:20:58 to steal your MFA prompts if they're there as well. We can see discord.txt, we can see it getting information about the user they have infected, so this is going to be used to actually send back to the C2 to say hey, here's their Discord details: username, discriminator, email, phone number, whether they've got MFA enabled, etc. etc., all pulled from the Discord API. Now we also have reference, yep, similar references to what we saw before, Discord, Discord billing information, you know, any tokens that can be used, whether
00:21:32 they've got Nitro, whether, you know, what the IP address, phone number tied to it is as well, any HQ detail. So really, you know, interested in gamers here with this stealer, right, but I mean it's not the only thing they're stealing, you can see it is stealing stuff from their browsers as well, so it's not just stealing from their Discord instance. So yeah, this looks to be this Leet Stealer. Once again we have it posting, making the request here, seems to be a few cyclic things here doing similar
00:22:02 things. This is interpreting if they've got PayPal set up for their Discord Nitro. This is getting their externally facing IP address, so myexternalip.com, I mean, is this being used to infer whether they've got that IP address, for whether it's on the blocklist? Hang on, I just want to see something. So we've got this, this is being used here. Why are they using multiple API services, unless they've ripped off some code from some other, you know, repository, or they have some level of redundancy involved here,
00:22:37 because here they're getting the publicly facing IP address from api.ipify.com. What we saw before, they're actually not getting it from ipify.com at all, they're getting it from myexternalip.com, so it's pretty interesting that they're using two different, you know, web services to enumerate their publicly facing IP address. Yeah, I can't see the real reason for doing that, unless they, you know, wanted to have that level of redundancy if it couldn't get out to one of those, but it doesn't even look like it's been set up like that either. Kind
00:23:08 of just looks like they've ripped off the code from someone else, which is not surprising to be honest, a lot of these just copy code from everyone else and they're all doing similar things, they're all stealing similar types of information. What else have we got? Yep, all stuff to do with Discord Nitro, etc. etc., Firefox. This looks like it's actually getting crypto wallets that they've got as well, you know, these information stealers go after whatever they can, so it's looking at extensions on your browsers, and if those extensions
00:23:36 for particular crypto wallets are there, it's probably going to be trying to grab that data so then it can get access to your seeds and get access to your crypto wallets as well. This is funny, what is this being used for? These look like really common passwords, like "iloveyou" and "batman" and "hello123", so I'm just wondering what this is actually used for, returning that password. What's this, readFileSync, what is it? So it reads something and then it returns it, and, hold up, if it can't split it, it
00:24:05 returns that array. So it's joining, so it's joining all your stuff into a file called this, this is a hardcoded file name, XX7 etc. etc., and if that fails it's just like writing this array of just passwords. Why? I don't know. Got stuff in other languages here as well, like I can't tell who this is supposed to be here, like has this been code once again that's been ripped off from someone else? Like what does this even translate to? "First 16 bytes of the file", in Turkish. So why have they got debug messages in Turkish when their
00:24:41 other debug messages are in English? Like, pick a language here that you're working with, unless you're just, yeah, like I said, ripping off code from other malware authors that are doing the same kind of thing. Turkish again, "password tried", "password tried". Hmm, interesting, maybe it's actually trying to use these. Ah, that'd be interesting, maybe it's writing them to this file because this file may then be used in a brute force attempt. So if that exists, it reads that file, splits them, and that is going to be
00:25:16 stored there, that is going to be returned for this, so this is used... where? Constants, this, and this is for that, yeah, so for this, in this. So this is for every entry that's in that file, it's going to be, based on this debug message, "password attempted", attempting to use that password in some way, shape or form. I'm guessing that this is the function that's actually doing it. Yeah, so it looks like it's returning something, trying to decrypt the data with the two variables that are given, so this is the seed file, so it's using that and
00:25:58 it's using crypt data, so the first value that's given and the second value that's given. The first value that's given is this, this is reading from this and that's your seed path. So it actually takes the passwords that it gathered from your browser, splits them up, and it's trying to use them to brute force your seed for your crypto wallets, and if you don't have any passwords it's actually just going to try really, really basic ones that are configured here. So if your crypto wallets use any
00:26:31 of these passwords, it's still going to be successful even if it wasn't able to extract that in the previous attempt. Interesting, so they've got some brute forcing of your crypto wallets. We have the exfiltration of data, they have "click to view profile", yeah, so this is all being pumped up to their C2 as well to say here's the games that they own, here's the account, when it was created, etc. etc. Kind of funny that there's some hardcoded names here: Growtopia, Minecraft, Epic Games Launcher, WhatsApp, Telegram, so probably once again trying to
00:27:04 get data associated with those applications if they're on the computer. It goes, yep, no worries, found them, upload them. Leet Stealer: the reason why you'll see this repeated is because they don't know how to use one constant value and function and actually just reuse it. It just looks like they're throwing out, yeah, at least in the decrypted JavaScript here, they're just throwing out and redefining the same things that they want to say. So they want to say, you know, found files, and here's your
00:27:32 username, when in fact they could just make this method, pass it the value that's stolen and be like, found X or Y, and not redefine this over and over and over again. But I digress. Like I said, they're just likely ripping off code from other malware authors and publicly available projects like Epsilon Stealer. So they're going through "zeroed out token database file", cool cool cool cool, "I want to eat cats", that's nice. Interestingly enough, this is a little bit different, so this has got download and panel, and it's getting a stream from
00:28:10 that, so that would actually be interesting to know what that brings down, because it does look like this is maybe bringing down another executable, because it is defining random bytes and then giving it an .exe extension. Very interesting, data pipe, finish, error, and then this is where it's actually running it. So this would be it deploying some sort of executable from that C2 server on the endpoint as well, so this is the ability to run those extra executables and extended functionality by pushing down whatever
00:28:47 they want from the command and control server. So I just want to see if this is the same Turkish language... Portuguese now? Why, like what are the debugging messages here, is it in Portuguese, is it in Turkish, is it in English, they can't decide. This is interesting: they are spawning an instance with this remote-debugging-port specified, with remote-allow-origins specified as well. This is a way to spawn a Chromium session. Now that Chromium has the app-bound level of encryption to prevent people from stealing the cookies,
00:29:22 what threat actors have started to do is spawn headless sessions of the Chrome instance with a debugger, that they can then connect to that debugger web socket and dump out all those cookies and sessions directly from the browser itself, and you can see it actually happening here. It's really kind of interesting that we've got this in a script format, because it just makes it so much easier to actually see what they're doing. They're spawning an instance of it on localhost, they're connecting to it, they're connecting to
00:29:49 the web socket and then they're stealing it, and it could be that these debug messages are literally because they copied this code from someone else, right, it's not hard to plagiarize JavaScript code from another individual. Network, getting all the cookies, and there you go, "cookies got", and then Roblox sessions once again, "premium bypass", "Opera bypass", "starting a browser session and cookie"... look, I love that that's in English, why have you swapped back to English? "Processing browser", "stealing the cookies", "session ID is undefined", yep,
00:30:21 Roblox once again, trying to get the Roblox session, and then we can see it's actually doing stuff to do with Roblox as well, probably checking how much in-game money they have for that as well. Yeah, you can see all the purchases that it's enumerating here, uploading the file, and once again let's just redefine this constant variable because why not, posting, yep, once again, don't put this in any kind of, you know, variable that you can reference, just keep specifying it over and over in your script. Minecraft, us a c, must be to do
00:30:56 with Minecraft, NameMC, so that's name Minecraft maybe, mc-heads.net, so maybe this is actually used to enumerate their Minecraft user information. By the way, it's stealing Minecraft stuff: taskkill, killing Minecraft processes, Lunar Client, Minecraft, Minecraft, Minecraft, Minecraft sessions, sending to the Discord, Minecraft session, blah blah blah. Once again app.asar, so this is actually bringing in another asar module by the looks of things, atomic.asar, and then it looks like it's mentioning Exodus wallet, so maybe it's got
00:31:32 something to do with that as well, exodus.asar, maybe these are used for stealing stuff from those crypto wallets, like there's just so much that it's pulling down, right. DC inject message, hmm, not sure what the DC is meant to be referencing here, but you can see "injection", "injection successful", "injection", so it's using this key to pull down what's required to do some level of injection possibly. I'm not actually seeing where the injection occurs at the moment. "URL is not responding", so this pulls it down, that is data pipe,
00:32:10 await new promise, pipe on that, error, finish. I'm not sure what this new promise is, maybe this is how the injection is occurring. By the way, the debug messages kind of give you a good idea of what it's doing: browser processes, fetching web sockets once again, killing processes once again, stealing cookies once again, SQLite, opening up SQLite databases, probably for Opera, get DC tokens, what is DC, kill DC... DC is Discord, oh of course, it's Discord. Yeah, so I don't necessarily think it's injecting into the Discord
00:32:47 process, it could be, but it's more likely to be injecting into the Discord client some level of JavaScript, like I said, that then is going to be able to be used to get the MFA tokens and intercept particular messages that are sent through it, or particular, you know, authentication tokens that are prompted for in that as well. Yeah, I reckon that's what we're looking at here, so stealing Discord tokens and killing Discord, Discord info, etc. So "downloading exe", "added to startup successfully", so this is where it's establishing
00:33:16 persistence on the endpoint, and this is the execution of all the tasks when it seems to start, so it goes ahead, runs all these different functions, does all these different things, and here we are, that is the end of the stealer here. So we know that that was Leet Stealer. It was pretty easy to analyze once we knew what we were doing, once we had the decryption capability in play, and it just gave us everything that we needed. So whilst the installer for the game is beginning to get AV detections, it does look like it's
00:33:45 also been classed as Leet Stealer by none other than Kaspersky, but if we're just looking at the game executable, completely undetected, very large, 164, because the malicious code once again is in that script, it's in the Electron application code that gets interpreted by this executable. This isn't just one of these, there's so many of these that carbon copy, rip each other off, steal code, compete with one another on these Telegram channels, and whenever they come out with a new variant of their game here that they send to people on Discord,
00:34:22 it's largely undetected by AV vendors, except for AV vendors that probably have a level of heuristics, or have a level of analysis that's being done on the Electron scripts themselves when they occur in memory and are done in an environment that is not already being blocklisted by the scripts being executed. Thanks so much as always, let me know your thoughts, feelings, comments, anything else in the comment section below, and I will catch you next time.