Cryptoshuffler/TURS Agent - Malware Analysis Lab

Technical Analysis of a backdoored Wasabi Wallet installer

Overview (AI generated from video):

Summary

The video walks through the analysis of a fake Wasabi Wallet installer downloaded from Malware Bazaar. It covers the sample's behavior, the domains it contacts, its installation and execution chain, and the capabilities of the Java backdoor it drops, along with its likely impact on an infected system.

Timestamps

0:09 ⏱️ Ninj Catcher uploaded a fake Wasabi wallet malware to Malware Bazaar.
0:32 ⏱️ The malware reaches out to a different domain to execute an MSI file.
1:45 ⏱️ The malicious installer’s certificate authority is invalid or incorrect.
4:51 ⏱️ The Java archive file in the malware seems to be a backdoor with network and file manipulation capabilities.
9:17 ⏱️ The malware establishes persistence and connects back to a command and control server.
13:43 ⏱️ The malware downloads additional files and executes them on the infected system.
16:10 ⏱️ The malware remains undetected by most antivirus engines.

Key Insights

💡 The fake Wasabi wallet malware masquerades as a legitimate application but carries out malicious activities, highlighting the importance of verifying software sources.
💡 The malware uses various techniques, such as MSI files and Java archives, to execute its malicious code and establish persistence on the infected system.
💡 The malware connects back to a command and control server, allowing attackers to remotely control and deploy additional malware on the compromised system.
💡 The Java archive file in the malware serves as a backdoor, providing capabilities for network communication, file manipulation, and potential data exfiltration.
💡 The malware’s low detection rate by antivirus engines emphasizes the need for advanced threat detection techniques, such as behavior analysis and threat intelligence.
💡 The malware’s use of obfuscated strings, random file names, and domain squatting techniques demonstrates the sophistication of modern malware campaigns.
💡 Analyzing and reverse-engineering malware helps researchers understand its behavior, identify potential threats, and develop countermeasures to protect against similar attacks.
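
The insights above name three host and network behaviours a defender can hunt for: a Java archive launched out of the user's Roaming profile, an HKCU Run key that re-launches that archive at logon, and HTTP beaconing with a bare "Mozilla/5.0" user agent to the C2 domain seen in the video. The rule set below is an added example, not code from the video or from the malware author, that runs those checks over a handful of constructed Sysmon-style events. The event layout, field names, the user and file paths, and the sample values are all assumptions made for the example; only the domain and the user-agent string come from the analysis.

```python
"""Triage rules for the trojanized-Wasabi behaviours described above.

Added example (not from the video).  The event dictionaries, field names and
paths are constructed for this demonstration; only the C2 domain and the bare
user agent are taken from the analysis.
"""
import re
from dataclasses import dataclass

# Domain the analysed sample beacons to (named in the analysis).
C2_DOMAINS = {"dailynewspagechannel.com"}
# The sample sends a bare "Mozilla/5.0" user agent; no real browser sends only that.
SUSPICIOUS_UA = "Mozilla/5.0"

JAVA_IMAGE = re.compile(r"\\javaw?\.exe$", re.IGNORECASE)
ROAMING_JAR = re.compile(r"\\AppData\\Roaming\\[^\"]*\.jar\b", re.IGNORECASE)
RUN_KEY = re.compile(
    r"^(HKCU|HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    rule: str
    detail: str


def check_process(evt):
    """Java started with -jar on an archive under the user's Roaming profile."""
    if not JAVA_IMAGE.search(evt["image"]):
        return None
    cmd = evt["command_line"]
    if "-jar" in cmd and ROAMING_JAR.search(cmd):
        return Finding("high", "jar-from-roaming",
                       f"{evt['image']} (parent {evt['parent_image']}) ran: {cmd}")
    return None


def check_registry(evt):
    """HKCU Run value whose data launches a .jar: the persistence the sample creates."""
    if RUN_KEY.search(evt["key"]) and ".jar" in evt["data"].lower():
        return Finding("high", "run-key-jar", f"{evt['key']} = {evt['data']}")
    return None


def check_network(evt):
    """Known C2 host first; otherwise the tell-tale bare user agent."""
    host = evt["host"].lower()
    if host in C2_DOMAINS:
        return Finding("high", "known-c2-domain", f"{evt['method']} {host}{evt['path']}")
    if evt.get("user_agent") == SUSPICIOUS_UA:
        return Finding("medium", "bare-mozilla-ua", f"bare user agent to {host}{evt['path']}")
    return None


CHECKS = {"process": check_process, "registry": check_registry, "network": check_network}


def triage(events):
    """Run every event through the check for its type; return the findings in order."""
    findings = []
    for evt in events:
        hit = CHECKS[evt["type"]](evt)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry (hypothetical user "lab", hypothetical jar path).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\WasabiWallet\wasabi.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "wasabi.exe"},
    {"type": "process", "image": r"C:\Program Files\Java\bin\java.exe",
     "parent_image": r"C:\Users\lab\Desktop\output\wasabi.exe",
     "command_line": r"java.exe -jar C:\Users\lab\AppData\Roaming\example\bin\example.jar"},
    {"type": "process", "image": r"C:\Program Files\Java\bin\java.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"java.exe -jar C:\Tools\recaf.jar"},  # analyst tool, not in Roaming
    {"type": "registry",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate",
     "data": r'"C:\Program Files\Java\bin\javaw.exe" -jar "C:\Users\lab\AppData\Roaming\example\bin\example.jar"'},
    {"type": "registry",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "network", "host": "dailynewspagechannel.com", "method": "POST",
     "path": "/api/client.php", "user_agent": "Mozilla/5.0"},
    {"type": "network", "host": "wasabiwallet.io", "method": "GET", "path": "/",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/124.0"},
    {"type": "network", "host": "example.invalid", "method": "POST", "path": "/x.php",
     "user_agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

The three rules are deliberately independent, so a single hit is enough to surface the host for a closer look; in the sample the trojanized build trips all three, while the legitimate wallet, the analyst's own Recaf jar, and a normal browser request produce nothing. The bare user-agent rule is rated medium on its own because some scripted tooling also sends it.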

Transcript (AI generated from video):

00:00:00	Let's take a look at some new malware uploaded to Malware Bazaar. This has been uploaded by ninj Catcher, and they say it is a fake Wasabi Wallet that's been downloaded from this Wasabi wallet. Let's take a look at what it does. If we take a look on VirusTotal, we can see from the behavior tab that it seems to actually reach out to a different domain to execute an MSI file. Now this is an MSI file itself, which gets proxied by the Microsoft installer executable, also known as msiexec. This was downloaded
00:00:31	from files.clubspot.com, and if we look at that URL, hey, something amazing will be constructed here. I believe that this is a website that is just hosting the malware; we can see that it is hosting the Wasabi MSI file that was mentioned here. Let's take a look at what it does, because this isn't likely to be the legitimate Wasabi Wallet. I'm going to run FakeNet as a starting point. I do have a copy of the legitimate one as well, so this is a legitimate installer, and you can see that it has the author
00:01:01	zkSNACKs, and it says it is the privacy-focused Bitcoin wallet, which is Wasabi, that has come from this particular domain, this particular URL, wasabiwallet.io. The release of it has actually come from their GitHub, because this is open source and this is where it comes out. Now you will notice that this website is masquerading as Wasabi Wallet, and this is wasabiwallet. Now wasabiwallet. is not wasabiwallet.io, so we know some masquerading has gone on here to domain squat and pretend to be this legitimate wallet. If
00:01:36	we actually go to the malware which we have here, it's only 2 MB. Now the legitimate one is actually 74 MB, so there's something strange going on there straight away. Now if we run the legitimate installer, it runs and it says, hey, do you want to run this? No worries, you go through the installer, we click install, yes, okay, we get prompted, no worries, and it copies and it installs Wasabi Wallet. That's it, that's all that happens. But if we run the malicious installer and we click install, we can see the certificate authority is invalid
00:02:11	or incorrect, and now this is specifying another MSI file that's sitting at zksnackfiles.com, WasabiB.msi. This is going to be an MSI that actually gets run as well, so I'm just going to stop the installation of this particular one and take a look at stage two. Now I don't know where these are being deployed on the system when they get installed. I know that from the installation there is a Wasabi Wallet that gets installed, this is the legitimate one, in Program Files. So what I want to do is actually just extract
00:02:46	these. Now, to extract the MSI files, what I'm going to do is use msiexec. So if I run msiexec, what I can do is get the parameters that can be passed to this tool. It does say that there is /a for administrative install, and this says that it installs a product on the network. With that comes a parameter that can be given, so there are options: we could say that we just want a basic user interface, we could say that we want it to be a full user interface. I do want to know where this is going to be installed;
00:03:21	one of the things that we can do is give it a property parameter. Now the property parameter that we can give it is a target directory. I'm going to create a new folder here to store the payloads and we're just going to call this output. So now what I'm going to do is run a command prompt: msiexec, I'm going to say that I want it to be a quiet install, I want to specify that the administrative package to install is this Wasabi, and this is the malicious one. Now I'm going to specify a target directory, and we are
00:03:51	going to specify the full path of our output directory, and now if we run that, it seems like, okay, maybe it hasn't really done much, and it could be because it errored out with the quiet. Let's remove that and see what happens if we do it just this way without the quiet. We can see, okay, we get this Setup Wizard, we go next, it's saying, hey, do you want to install this to this location, and we say yes, that's what we wanted. We want to hit install, and it says media table not found or empty, so this is apparently
00:04:24	required for installation of files. That tells me that there's some sort of issue with the MSI itself and how it's been created. Now if I was to use something like 7-Zip in order to extract the file, you will see that we get a binary error name with this AIPackageChainer.exe and a checksum error, and so really I'm going to now start focusing my efforts on the second stage. So if I was to instead open up this second-stage MSI file and use the same kind of installation method, I want to install
00:05:00	WasabiB.msi, and we're specifying the same output directory. Okay, we have the installer here, okay, it says that it's done straight away, let's click finish and look at the output. So the output seems to now have Wasabi Wallet in it, and so this actually looks like this might be the legitimate Wasabi Wallet. What I'm going to do is run the malware, the extracted one from the MSI file, and just see if there's anything strange that happens. And if we run it, we can see that there is a request to dailynewspagechannel, so this is a bit
00:05:32	interesting to me. If we actually look at our running processes that spawn from it, we also see something else of interest. This Wasabi Wallet seems to be using Tor, so maybe that's not as interesting, but this Java process that runs, that's now sitting in the Roaming directory, is definitely of interest. We can see that it runs a JAR file that's sitting now at jql doj, so this is something that I really want to analyze. I'm also going to kill the entirety of this process tree, because we know exactly where we want to
00:06:04	focus our efforts. So we have the legitimately installed Wasabi at Program Files, Wasabi Wallet, Wasabi. So we run this file, and sure, it seems to be making some connections on Tor, yeah, all stuff that seems legitimate. We do see the Wasabi Wallet that is starting, we go get started, okay, but we're not seeing the outbound connections to those suspicious domains. The Wasabi executable in this particular directory isn't reaching out, and it also hasn't spawned a child process, which is that Java archive, so it does look like
00:06:46	whatever that Java archive is, is being deployed on your system if you run this trojanized version of Wasabi. So let's go ahead and look at this Java file, because this really looks like it's going to be some sort of backdoor that gets deployed when this executable runs. What I'm going to do is open up BTL. Now it looks like there seems to be auth.key, so maybe this is some sort of authentication, and a release file. Now this release file doesn't really tell me much, so if I look further into this
00:07:15	directory, we have the binary directory, and this is where we saw the Java archive file running from. Now there seem to be a lot of executables and things in this directory, and they might be there just to put off analysis, or some of these could be malicious, but because we saw this Java archive running, let's take a look at what this Java archive is. Now there is a particular piece of software that I like to use when I'm analyzing Java archive files, and that is known as Recaf. So I'm going to go ahead and open Recaf up, and
00:07:45	now what I can do is throw in the Java class or Java archive and it will begin to decompile it. You can think about this as kind of like the dnSpy of Java classes. There is JD-GUI as well, but this is quite old and dated, and I think that Recaf does a better job at getting us what we want. Taking a look into it, it does look like there are these standard files, the standard com class that we need to look at: three named com classes after this, htb, cray and sun. Now sun doesn't mean a lot to me; this is more of something that is likely
00:08:22	classes that are used by Sun Microsystems or associated with Java classes that come under that package, so it's not something that I necessarily want to focus my efforts on. But if we look at cray and we look at htb, then we begin to see a little bit more. Under cray we have the first signs of our classes, so there is HP, HT and HU, all kind of suspiciously named classes. Now if we look at the HP class: dwa, uh, daw, and all things that probably don't make a lot of sense and kind of look like gibberish. Under the HT
00:08:56	section we begin to see the first signs of a network connection, as there is mention of a user agent. Now the user agent here is being masqueraded, so we immediately get an understanding that this is likely doing something malicious. This says that it is Mozilla/5.0, but this isn't a legitimate user agent, and it's also not something that we would expect to be seeing from a Java archive running. I've got a good idea that this is malicious and this is something that's not supposed to be on the system. We can
00:09:26	see that it makes the connections and it specifies that user agent to be used, and it does look like it makes some POST requests, but we don't know exactly where it's going to be connecting back to. So let's take a look at HU, and we can see now reference of send and file, so maybe this has capabilities to send and receive files from an external server, so fetching and sending off files to some sort of command and control server. Now if we dig into computer, there seems to be auth, execute, get window info, reg, system
00:10:00	utils and title check. If we look at the auth first, it seems like there's a random string that gets specified. Okay, maybe not a lot of information here, but maybe this is used to authenticate or provide some sort of validation that what's connecting to the command and control server is actually the RAT. Now there is get file auth, which is a bit interesting, so it seems like there's create auth and get file auth. Now if it's create auth, it seems like it is writing to a file, and this might be a unique identifier for an infected system, so it
00:10:34	knows what is tasked for any one given infected system, and it does seem like if there is the auth file on disk it's going to just use that. So there is this auth exists, and I'm guessing this .auth exists is going to be specifying the file, so we have file here, nothing actually telling us that it is that file of interest, but that might actually come up later down the line. Now if we examine the execute function, we can see this is to do with actually running this, so it seems like if what you are telling it to
00:11:09	run has a Java archive extension, it's going to make sure that it is run with Java, so this makes sense. This has some arbitrary kind of execution of whatever payloads you push down or whatever you want to run on this system, and if it has an exe extension it's going to instead tell it to start the executable. Now if we look at the get window function, it's trying to identify what window is open through the Explorer process, for example, so this is a good indication that it's tracking what someone is looking at, so
00:11:41	it might be that this is sending back to the command and control evidence to say the user is currently looking at Firefox, or the user is currently looking at Java, for example, if they had the Java executable in their vision as the active window. Now if we look at the registry aspect, there seems to be evidence of this specifying that persistence should be created, so there is create registry key in the HKEY_CURRENT_USER Run key directory to specify that this should run, probably at startup, and this is likely
00:12:14	a way of establishing persistence with the payloads that get pushed down onto the system, or potentially this Java archive itself. Now if we look at system utils, there seems to be evidence of getting the hostname of the system that is infected, in addition to the local IP address and some more information associated with it. There is also this delete itself, which is very interesting, where it pings the localhost for 6 seconds and then it redirects to null and deletes the Java archive. Now this to me seems to be some sort of
00:12:48	self-destruct function, or some sort of command that you can push down to this to say uninstall it from the system, and if you do that it will delete itself to try to remain undetected. Now I still haven't seen evidence of what particular Java malware family this is. If we look at the title check, we can see that it's looking at the window which was active. Now I'm not sure what this check download, get client downloads is, but let's take a look further. If we look in the handler package, we can see that there is this domain constants. This is
00:13:20	where we see evidence of what we have seen previously: there is this dailynewspagechannel.com. Now if you were to scan the base URL of dailynewspagechannel.com, what it does is redirect you to nydailynews.com, so it's essentially trying to remain hidden and saying maybe this domain is just set up to redirect to the New York Daily News' legitimate domain, but that's not the case at all. We can see that this is associated with command and control. Now if we look at the download section of it,
00:13:53	it does seem like this is going to run out and fetch a particular file, so we can see that it has a URL, which is the domain source that's specified, and it gets an input stream. So this to me tells me that this is malware that can be used to deploy other bits of malware on the system. Now if we were to go and look at the HTTP handler aspect, we can see more evidence. Number one, there seems to be this window open specified, a frame here, so this to me tells me it's something to do with Java where it's creating a Java
00:14:28	frame, and it's naming the window this Tiki z355 Z2 345s, and it's making it so that this is not visible, and then it's using that for some of its follow-on activity. So if we go down we can see evidence of this checking for threads and starting new threads in processes, and we can also see that it is checking the registry, so this seems to be checking to see whether the persistence has been established; otherwise it creates a Run key for this Java archive so the Java archive runs at startup for this user. Now we also see
00:15:06	the get auth function, finally, so we can see that it goes out and it connects to this API directory of dailynewspagechannel.com, and it's sending the auth code that is contained in this auth key file, and it's checking to see if this exists or not. Now if it does exist, there has been a clash in the identifier and it runs the function again until it gets a unique identifier that doesn't exist. Now if it doesn't exist, it then creates the auth code, and I believe this create auth code is going to be where it's
00:15:39	writing it to that auth file, so that is now indicating that this is the identifier for this infected system. Now we can see that under start HTTP it's checking to download, so check startup download: when the malware starts, does it need to go out and fetch any kind of files that it needs to download and run? This seems to be all it's really doing, so it is likely a deployer of malware, like we've come to the conclusion before. Now we can see that it is checking, after it makes a connection back using this auth
00:16:10	code that is passed, to see whether it has been tasked to download any files, and if there's no download available it doesn't do anything; otherwise, if there's no startup download available it doesn't do anything, but if it does, it seems to pull that file. So it downloads; it is going to then specify if it contains the value HTTP, maybe this is where it's saying download the file from, so they can task it: you should now download this malware from this other URL, and it goes off and fetches that. Now we can actually
00:16:44	see that under check client it's getting the window names as well as the auth code and your MAC address, your PC name, all of that information, and it's then sending that off to client.php, so this is likely establishing that initial connection to say this is the infected client, and that goes off to the command and control server. Now if we look under interrupt, there are a few different classes here. The first one is to do with querying process memory by the looks of things, and it doesn't seem to have a lot new; it
00:17:17	seems to be a supporting function. Now I actually haven't seen anywhere that this downloader has been mentioned before, but I am going to upload it to VirusTotal just to see if there's any kind of hits on it. So I have gone ahead and uploaded this to Malware Bazaar, and it's currently only got two AV detections. Now look, the behavior of it means that it is probably likely going to be detected by other tools such as EDR, but in this case the actual static or heuristic or behavioral detections associated with the Java
00:17:46	archive itself mean that it has a very low detection rate. Also, does it run without all the other DLLs and all the other executables that are in that directory? Now I'm just going to go ahead and run the Java archive without anything else, and it seems like it does still beacon to dailynewspagechannel.com, and everything else in that directory is completely irrelevant by the looks of things. This is going to run regardless of whether or not it has been set up with everything else in that directory, so we now have an active
00:18:17	infection once again, and if we look at our running processes, we can see Java has been run from explorer.exe and the malware is running and connecting back to the domain. We could even go to the properties of this, um, begin to look at how it looks in memory, but we already have an idea of what the malware is doing, because we've actually gone over and looked at it. And if we filter for strings, for example, we can see the Daily News Channel and the sockets associated with that and the auth code that's being delivered, so it's even gone out and got
00:18:49	that auth code again and checked to make sure it's in the location where it should be. When it's run, it obviously establishes persistence in that known directory; it has gone and found that auth file and been able to send that out as well. So we can actually see some of the network connections this has been making, such as check startup downloads and get client downloads as well. To wrap up, this malware hasn't been detected by anything at the moment under particular YARA signatures. This is a downloader and
00:19:19	invoker of particular malware, and currently this is configured to connect back to dailynewspagechannel.com. That's all I wanted to share with you today. Let me know your thoughts, feelings, comments, anything else in the comment section below, and if you do know the family of malware and this has another name, please let me know as well. Thanks so much, I will catch you next time.