Clipper malware is designed to steal cryptocurrency from victims by replacing wallet addresses in the victim’s clipboard with wallet addresses that belong to the attacker. This stealthy technique is designed to silently trick the victim when making what appears to be a legitimate cryptocurrency transaction, which results in the attacker becoming the new recipient of that transaction.

Although clipper malware isn’t necessarily a new threat, there have been limited public reports focused on clipper malware found in mobile applications. This report includes analysis of a recently discovered clipper malware targeting Windows, through which it delivers the Supreme botnet mining client and the Poullight information stealer.

NET and has 28 out of 72 detections in VirusTotal at the time of writing.

When the downloader first starts it retrieves the system time, gets the user’s temp folder location, and then makes an outbound HTTP GET request to the domain downloadbtchitme. At the time of analysis this domain was found to originate from an IP address in Moscow.

As the HTTP request made was an unauthenticated request over port 80, a quick look at the source sub-domain revealed the following open directory listing hosting several malicious files.

Figure 1: Malicious files hosted in an open directory listing

As this sub-domain was open and accessible, a further lookup of the root domain revealed the builder page shown below. This includes instructions for contacting the bot operator via Telegram, and selecting additional functions, in order to build and download the client component. Note that there are references to “NetHitBot” and “BTCHit”.

This domain was registered on 26 June 2020. This coincides with the compilation date of the dropper PE file, 27 June 2020, which suggests that the malware, as well as the infrastructure to support it, has been built very recently. During the investigation a new domain with the same builder page was brought online using the domain name dvirossmabitru, which at the time of writing points to an IP address located in Hesse, Germany.

Once the HTTP connection is established, the control.exe, replacer.exe and network.exe files (shown in Figure 1) from the open directory are downloaded to the user’s %TEMP% folder and executed as net4contor.exe, net4replacer.exe, and net4network.exe respectively. The overall process flow can be seen below.

Figure 3: Process diagram from VMware Carbon Black Cloud Enterprise EDR

Supreme Botnet Mining Client

Code hiding, anti-analysis, anti-sandbox, and import table modification are some of the features available with the commercially available Enigma Protector software protection tool. The net4contor.exe file (named control.exe in Figure 1) is a PE file written in Delphi that is protected by the Enigma Protector.

Once this process starts, it will write a copy of itself into the ProgramData folder using a randomly generated character string for the folder name, and the name of a running process as the filename. Notably, the embedded metadata, shown below, notes that the files were originally compiled with the name “netcommunity.exe”. The folder name is written in the format of a Globally Unique Identifier (GUID), but with invalid random characters. It will additionally write an identifier for an Alternate Data Stream into the same location. This could be an attempt to make the folder look official, as the ProgramData folder does contain GUID-named folders, while the invalid characters ensure it doesn’t conflict with an existing folder.
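The swap the report describes happens between the user's copy and the user's paste, so a defender-side check has to compare the two clipboard values exactly rather than rely on the user eyeballing the address. The following is an added example, not code from the report or from the malware it analyses: it recognises common wallet-address shapes with loose regular expressions and flags a paste whose clipboard content is a different address from the one the user copied. The address patterns, class and function names are the example's own assumptions, and the two sample addresses are constructed strings that merely match the legacy Bitcoin address shape.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Address formats recognised. These are deliberately loose shape checks
# (character set and length only), not checksum validation: the goal is to
# notice a *different* address, not to validate addresses.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str) -> Optional[str]:
    """Return the matching address format name, or None if the text is not an address."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class SwapAlert:
    kind: str      # address format that was copied
    copied: str    # what the user actually copied
    found: str     # what the clipboard held at paste time


def detect_swap(copied: str, clipboard_now: str) -> Optional[SwapAlert]:
    """Flag a clipboard value that is a wallet address differing from the one the user copied.

    A clipper replaces the address after the copy and before the paste, so the
    reliable signal is an exact comparison of both values; a swapped address can
    share its first and last characters with the original and still be different.
    """
    kind = address_kind(copied)
    if kind is None:
        return None  # the user did not copy an address; nothing to protect
    if copied.strip() == clipboard_now.strip():
        return None  # clipboard untouched
    if address_kind(clipboard_now) is None:
        return None  # clipboard changed to non-address text; not a wallet swap
    return SwapAlert(kind=kind, copied=copied.strip(), found=clipboard_now.strip())


class ClipboardGuard:
    """Remembers the last value the user copied and checks the clipboard at paste time.

    Hooking real copy/paste events is platform specific; callers feed the events in.
    """

    def __init__(self) -> None:
        self._last_copied: Optional[str] = None

    def on_copy(self, text: str) -> None:
        self._last_copied = text

    def on_paste(self, clipboard_now: str) -> Optional[SwapAlert]:
        if self._last_copied is None:
            return None
        return detect_swap(self._last_copied, clipboard_now)


# Constructed sample values (not real wallets): a copy followed by a paste after
# the clipboard content has been replaced in the meantime.
USER_ADDRESS = "1CopiedByUserAddrXXXXXXXXXXXXXXXXX"
SWAPPED_ADDRESS = "1SwappedByMa1wareXXXXXXXXXXXXXXXXX"


def run_demo() -> Optional[SwapAlert]:
    guard = ClipboardGuard()
    guard.on_copy(USER_ADDRESS)
    return guard.on_paste(SWAPPED_ADDRESS)


if __name__ == "__main__":
    alert = run_demo()
    if alert:
        print(f"clipboard swap detected ({alert.kind}): {alert.copied} -> {alert.found}")
    else:
        print("clipboard intact")
```

The check is intentionally one-directional: it only fires when the user copied something that looks like an address and the clipboard now holds a different address, which is the exact behaviour the report attributes to the clipper and keeps ordinary clipboard use from raising alerts.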
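The folder-naming trick the report describes for the ProgramData copy, a name with the 8-4-4-4-12 shape of a GUID that contains characters a real GUID cannot, is easy to hunt for on a host. The following is an added example, not code from the report or from the malware: it classifies directory names as a valid GUID, a GUID-looking name with invalid characters, or something else, and lists the offending characters. The regular expressions, function names and the sample directory names are the example's own constructions.

```python
import os
import re

# A real GUID as Windows uses it for ProgramData folders: five hex groups of
# 8-4-4-4-12 characters, optionally wrapped in braces.
_GUID_RE = re.compile(
    r"^\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?$"
)

# The same 8-4-4-4-12 shape, but accepting any character inside the groups.
# A name that matches this and not _GUID_RE only looks like a GUID.
_GUID_SHAPE_RE = re.compile(
    r"^\{?[^-{}]{8}-[^-{}]{4}-[^-{}]{4}-[^-{}]{4}-[^-{}]{12}\}?$"
)

_HEX = set("0123456789abcdefABCDEF")


def classify_dir_name(name: str) -> str:
    """Return 'guid', 'guid_like_invalid' or 'other' for a directory name."""
    if _GUID_RE.match(name):
        return "guid"
    if _GUID_SHAPE_RE.match(name):
        return "guid_like_invalid"
    return "other"


def invalid_guid_chars(name: str) -> set:
    """Characters in a GUID-shaped name that cannot appear in a real GUID."""
    core = name.strip("{}").replace("-", "")
    return {c for c in core if c not in _HEX}


def find_suspicious_dirs(names):
    """Return (name, sorted offending characters) for each GUID-looking-but-invalid name."""
    return [
        (n, "".join(sorted(invalid_guid_chars(n))))
        for n in names
        if classify_dir_name(n) == "guid_like_invalid"
    ]


def scan_programdata(root=None):
    """Apply the check to the immediate subfolders of ProgramData (or another root)."""
    root = root or os.environ.get("ProgramData", r"C:\ProgramData")
    try:
        entries = [e for e in os.listdir(root) if os.path.isdir(os.path.join(root, e))]
    except OSError:
        return []  # not on Windows, or the path is unreadable
    return find_suspicious_dirs(entries)


# Constructed sample listing: two genuine GUID names, a normal vendor folder,
# two GUID-shaped names with non-hex characters, and one with the wrong group length.
SAMPLE_NAMES = [
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}",
    "5E3C6A0B-1F2D-4C3E-9A8B-7C6D5E4F3A2B",
    "Microsoft",
    "8G7ZQ1K2-9Y3X-4W5V-6U7T-8S9R0Q1P2O3N",
    "a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6",
    "8G7ZQ1K2-9Y3X-4W5V-6U7T-8S9R0Q1P2O3",
]

if __name__ == "__main__":
    for name, bad in find_suspicious_dirs(SAMPLE_NAMES):
        print(f"GUID-looking folder with invalid characters: {name}  (offending: {bad})")
    for name, bad in scan_programdata():
        print(f"live ProgramData hit: {name}  (offending: {bad})")
```

The Alternate Data Stream identifier the report mentions is not visible to `os.listdir`, so on Windows any folder this flags is worth a second look with PowerShell's `Get-Item -Stream *` before deciding whether it is the malware's working directory.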