Malware descriptions

Making money from a website promotion system

A user discovered potential malware on his computer the other day – the files “autorun.exe” and “autorun.inf” on the C: drive which, the user claims, reappear after being deleted.

After an initial analysis it was found that a number of files are downloaded, including .NET FrameWork, which is quietly installed in the background. That was quite a surprise – it’s been a while since I’ve seen malware cheeky enough to install .NET. So I decided to investigate this sample in full. It turned out to be very interesting both in terms of the malicious functionality and the method used to install its components.

The autorun.exe source file is an SFX archive created using WinRK, an archive utility that is not currently very widespread. After it is run a whole chain of various files are executed:

Autorun.exe -> .exe -> !.bat -> start.vbs -> .bat -> Hidden Start inst.bat -> evntstart.exe;

The interesting thing about this sequence is that it uses only standard, legitimate software:

  • “Autorun.exe” – WinRK SFX;
  • “.exe” – BatToExe;
  • “inst.bat” – launched using Hidden Start;
  • “evntstart.exe” – WinRK SFX;

The malicious functionality at this stage is limited to the installation of the service in the registry that launches evnstart.exe when the system starts up, the copying of unpacked files to the system folder and the termination of SafeSurf processes. SafeSurf and its role in all this will be described below. The inst.bat file calls system utilities such as taskkill, net, regedit, etc.

Then the following takes place:

Evntstart.exe -> msexec.bat -> jnwmon.bat -> zrgutsp.bat -> ai.bat -> build.bat -> spidermod.bat -> .NET Setup -> SafeSurf start;

Let me say a little about each .bat file:

  • “zrgutsp.bat” – adds users with administrator’s rights, opens the TCP port 3389 for RDP using netsh and other similar activity;
  • “ai.bat” – installs RAdmin in hidden mode, uses two libraries and an executable file which were stored in the SFX archive;
  • “build.bat” – assembles autorun.exe “on the fly” using the main file of the WinRK archiver;
  • “spidermod.bat” – continuously removes autorun.inf from all disk roots and copies it there again;
  • “.NET Setup” – secretly installs .NET on the user’s machine from the jnwmon.bat file and is implemented as follows:

    if exist %SystemRoot%Microsoft.NETFrameworkv2.0.50727Accessibility.dll goto end
    dotnetfxupdt.exe -download http://download.microsoft.com/download/5/6/7/567758a3-759e-473e-bf8f-52154438565a/dotnetfx.exe dotnetfx.exe
    dotnetfx.exe /q:a /c:”install /q”

No malicious programs were used at the second stage either: RAdmin, netsh, net, dotnetfx, WinRK are all legal programs, including system programs. Now let us look at the JetSwap system in more detail.

The following information is given at http://www.jetswap.com/full.htm:

The JetSwap system was created to ease the process of promoting new Internet projects. After the project has been created all that is need is the allocation of one or more system codes (maximum effect is achieved if all codes are installed) and a small initial group of visitors. Several people browsing the pages of the site every day are enough to attract other visitors. System codes designed to be installed on the website enable the automated receipt of credits to promote the site. You will receive credits from your visitors. You don’t need to take any action other than simply monitoring the process.

During the final stage the malware installs SafeSurf on the user’s computer, which works with the JetSwap system and launches its “automatic surfing” in hidden mode. As the unwitting user clicks on sites, the owner of the account is earning credits. It seems that the cybercriminal didn’t even bother to cover his tracks – his data is openly available in the *.reg file.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESOFTWAREJetSwap]

“autocr”=”1”
“v2″=”1”
“splash”=”1”
“v3″=”1”
“v4″=”0”
“v5″=”1”
“vhd”=”1”
“msurf”=”0”
“surfhide”=”0”
“asurf”=”1”
“minw”=”0”
“login”=”jackmen”
“passh”=”7458bab36c82e74839639c48b9e64a05”

I launched the program with the data in the registry but without the other malicious components and saw the main SafeSurf window. And even pressed the button to check the balance, which the screenshot clearly shows.

SafeSurf screenshot with parameters indicated by the viruswriter in the .reg file

At the beginning of my post I said that this malware was interesting because of its functionality and its installation method, so now let me explain. All the components are legal and the installation process is carried out using only legitimate programs, .bat files, scripts and registry files. Only some of the batch files can actually be considered malicious. Even the autorun.exe source file detected on the user’s computer is a WinRK SFX archive. The method for making money is also interesting – installing software to promote sites.

Currently the malware is detected by Kaspersky Lab as Trojan-Clicker.Win32.FrusEfas. Special thanks to Oleg Zaytsev for providing material.

Making money from a website promotion system

Your email address will not be published. Required fields are marked *

 

Reports

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Andariel evolves to target South Korea with ransomware

In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. After a deep analysis, we came to a conclusion: the Andariel group was behind these attacks.

Subscribe to our weekly e-mails

The hottest research right in your inbox