YouTube Pirated Software Videos Deliver Triple Threat: Vidar Stealer, Laplas Clipper, XMRig Miner
2023-05-23 23:37 | Author: feeds.fortinet.com

Affected Platforms: Windows
Impacted Users: Any organization
Impact: Remote attackers steal credentials, sensitive information, and cryptocurrency and perform cryptojacking on systems
Severity Level: Critical

FortiGuard Labs came across an ongoing threat campaign targeting YouTube viewers searching for pirated software earlier this month. Videos advertising downloads of “cracked” (aka pirated) software are uploaded by verified YouTube channels with a large number of subscribers. Victims are led to execute malicious binaries that install multiple malware into their systems focused on harvesting credentials, cryptojacking, and stealing cryptocurrency funds from wallets.

While investigating this campaign, other researchers published a report about it. And although there are overlaps with our findings, this report provides additional observations, such as the deployment of a third malware family being distributed to the victims.

This article describes the entire attack chain and technical details on the malware components that make up this campaign.

YouTube Videos Offering Cracked Software

The uploaded videos lure users searching for pirated software by using titles such as “Adobe Acrobat Pro dc Crack 2023 free full version / Adobe Acrobat Free Download”. Some videos display tutorials for using the pirated software, although in most cases, they simply display static images often unrelated to the software product (Figure 1).

Figure 1. Screenshot of uploaded videos

For more credibility, the malware campaign utilizes verified YouTube channels with large numbers of followers. In fact, one of the YouTube channels observed has nearly 3 million subscribers (Figure 2). As these YouTube channels have uploaded legitimate videos in the past, we suspect these accounts may have been compromised.

Figure 2: YouTube account with uploaded cracked software videos

Similar comments (likely auto-generated) were posted for some of the videos, which suggests the possibility of an automated video uploading and commenting process (Figure 3).

Figure 3: Auto-generated comments

Potential victims are led to download a password-protected archive from a file-sharing service. The malicious URLs and passwords (usually four numeric digits) are located in the video’s description and the comments section (Figure 4).

Figure 4: Pinned comment from uploader with the malicious link

The videos seem to be uploaded in batches. For instance, one of the accounts uploaded over 50 videos within eight hours, offering different pirated software that all led to the same URL. The videos are deleted after some time, after which the threat actors upload the videos to other accounts.

Attack Chain

Figure 5: Attack chain

As shown in Figure 5, after downloading the RAR archive 2O23-F1LES-S0ft.rar via the URL provided in the YouTube video description, the victim must uncompress the archive with the password “1212,” listed together with the URL, and run the Launcher_S0FT-2O23.exe contained within. The archive also contains multiple unused files and directories, possibly to masquerade as a legitimate installer. A detailed analysis of each component is provided in the following sections.

Launcher_S0FT-2O23.exe - Vidar Stealer

Launcher_S0FT-2O23.exe is the Vidar infostealer. It is appended with over 1GB of unused bytes, a technique commonly used to bypass antivirus and sandboxes that do not scan files beyond a specific size due to limited CPU and RAM resources. The SHA256 hash of this file is 820bbfc1f5023af60a7048a0c25e3db51b481afd6986bf1b5ff806cf604c1f4c (original) and e256b5ef66c4e56dac32934594b41e7e8cf432f834046e1c24c0827b120e6ddb (after removing excess bytes).

Once executed, it sends an HTTP GET request to its Command and Control (C2) server at 79.137.206[.]228 to check in and retrieve the stealer configuration (Figure 6). Note the absence of User-Agent and other typical HTTP headers in this GET request.

Figure 6: Vidar registration request

The semicolon-delimited configuration can be interpreted as follows:

  • The first comma-delimited block contains single-digit flags, 1 (enable) or 0 (disable), that toggle specific stealer features. Based on this configuration, the stealer collects passwords stored locally (e.g., FTP, SSH), browser cookies and history, Telegram data, and screenshots. Cryptocurrency wallet collection is not enabled.
  • A 32-character hexadecimal string (redacted in Figure 6) is a token generated by the C2 server for use in the subsequent data exfiltration request.
  • The remaining configuration values control file harvesting from the infected machine. In this case, the stealer recursively collects files with the .txt extension smaller than 50 KB from the Windows desktop directory.

Once the sensitive information has been collected and compressed into a ZIP file, the malware will exfiltrate this data to the C2 via an HTTP POST request (Figure 7).

Figure 7: Vidar data exfiltration request

The POST request contains “id”, which represents the stealer and is the same for every infected user, and a “token” previously provided by the C2 server in the check-in request. The “file” contains a Base64-encoded ZIP file with the data collected by the malware. Figure 8 shows the contents of the ZIP file.

Figure 8: Content of ZIP file containing exfiltrated data

Information.txt includes information on the OS, hardware, running processes, and installed software on the infected system (Figure 9).

Figure 9: information.txt

The C2 server then responds with a list of secondary payloads for the malware to download and execute (Figure 10). This sample downloads files stored as releases in GitHub repositories owned by the user jesus061031r. Similar malicious files with different filenames are scattered among other repositories owned by the same user.

Figure 10: List of secondary payloads

These files are written to %ProgramData% with randomized filenames containing 20 numeric characters and are executed sequentially. Once the payloads are executed, the malware exits and deletes itself. Analyses of the payloads are discussed in the following sections.

This sample was identified as Vidar Stealer based on the C2 protocol, the system data format in information.txt, and the organization of the files in the exfiltrated ZIP.

While Vidar is a distinct malware family from the RecordBreaker stealer observed by other researchers tracking the same campaign, both are infostealers, which indicates the threat actor’s primary interest in stealing credentials to further their malicious objectives.

GUI_MODERNISTA.exe - Crack downloader

GUI_MODERNISTA.exe (SHA256: 62d4caf908b3645281d5f3c0f5b5dc3a4beb410015196f7eaf66ca743f415668) is a relatively small (48KB) .NET application that redirects users to hardcoded URLs of files on file-sharing sites containing the purportedly cracked (and illegal) versions of the software advertised by the YouTube video. This is the only component displayed to the victim; the other components of the attack chain run covertly in the background.

During our research, we also collected a Python version (SHA256: ba9503b78bc62d4e5e22e4f8e04b28bb6179e146e1c0a6ba14dd06608facb481) of this application. The UI of both versions is shown in Figure 11.

Figure 11: Crack downloader

Vadwax.exe - Laplas Clipper

Vadwax.exe (SHA256: f91d9de259052595946250a1440a2457dbda9ee8aec8add24419ff939f13e003) is 1.17 GB in size but consists mainly of an overlay of the repeated byte 0x30, which is the ASCII character “0” (Figure 12).

Figure 12: Vadwax.exe overlay

After removing the unused overlay, we ended up with a much smaller 5.87 MB file (SHA256: 2fcb61da34b259b9b130c0c75525697931b9dff8e7f9b2198f9db21b5193eeba). Like the earlier sample, this artificial inflation is used to circumvent AV solutions.
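The inflation trick used by both Launcher_S0FT-2O23.exe and Vadwax.exe can be triaged mechanically rather than by eye. The following Python script is an added example written for this article, not Fortinet's code or tooling: it parses the PE section table to find where the mapped image ends on disk, measures the overlay beyond that point, reports whether the overlay is a single repeated byte, and hashes the file both with and without it, which is how the "after removing excess bytes" hashes quoted above relate to the originals. The `build_sample_pe` helper is a constructed stand-in with fake headers, not one of the samples.

```python
import hashlib
import struct
from collections import Counter

SECTION_HEADER_SIZE = 40


def pe_image_end(data: bytes) -> int:
    """Offset just past the last byte any section occupies on disk.

    The loader never maps bytes beyond this point, so everything after it is
    'overlay'. Legitimate files carry overlays too (Authenticode signatures,
    installer payloads), so overlay presence alone is not a verdict.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size
    end = table + num_sections * SECTION_HEADER_SIZE  # at least the section table itself
    for i in range(num_sections):
        # SizeOfRawData is at +16 and PointerToRawData at +20 within each section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * SECTION_HEADER_SIZE + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end


def analyze_overlay(data: bytes, sample: int = 1 << 20) -> dict:
    """Measure the overlay, detect single-byte padding, and hash with/without it."""
    end = pe_image_end(data)
    overlay = data[end:]
    window = overlay[:sample]  # look at the first MiB only; enough to spot padding
    padding_byte = None
    if window:
        byte, count = Counter(window).most_common(1)[0]
        if count / len(window) >= 0.99:
            padding_byte = byte
    return {
        "image_end": end,
        "overlay_bytes": len(overlay),
        "overlay_ratio": len(overlay) / len(data),
        "padding_byte": padding_byte,
        "sha256_original": hashlib.sha256(data).hexdigest(),
        "sha256_stripped": hashlib.sha256(data[:end]).hexdigest(),
    }


def build_sample_pe(overlay_len: int = 0x10000, pad: bytes = b"0") -> bytes:
    """Constructed stand-in: minimal MZ/PE headers with two sections ending at 0x600."""
    buf = bytearray(0x600)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)             # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x84, 0x14C, 2)        # Machine (i386), NumberOfSections
    struct.pack_into("<H", buf, 0x84 + 16, 0xE0)        # SizeOfOptionalHeader (PE32)
    table = 0x84 + 20 + 0xE0
    for i, (name, ptr) in enumerate(((b".text", 0x200), (b".data", 0x400))):
        off = table + i * SECTION_HEADER_SIZE
        buf[off:off + len(name)] = name
        struct.pack_into("<II", buf, off + 16, 0x200, ptr)  # SizeOfRawData, PointerToRawData
    buf[0x200:0x600] = b"\x90" * 0x400
    return bytes(buf) + pad * overlay_len


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in analyze_overlay(data).items():
        print(f"{key}: {value}")
```

Run it against a suspect file with the path as the only argument; with no argument it analyses the constructed sample. A large overlay made of one repeated byte is the pattern described above, and the stripped hash is what to search for in intelligence feeds when the original oversized file has no hits.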

This sample is Laplas Clipper, which attempts to substitute wallet addresses in the user’s clipboard to steal cryptocurrency. It constantly checks the content of the Windows clipboard against regular expressions retrieved from the C2 server. Upon a match, the content of the clipboard is sent to the C2 server, which responds with the threat actor’s wallet address for the appropriate cryptocurrency for replacement. This enables Laplas Clipper to switch the original payee’s wallet address with the threat actor’s and divert the funds to the threat actor instead. This particular sample is protected by the commercial VMProtect packer with heavy use of anti-sandbox and anti-analysis checks. As Laplas Clipper has been described by other researchers, we will just focus on the persistence and C2 communication of this sample.

Persistence:

This sample checks whether it is running from the %Appdata% directory. If not, it copies itself to %Appdata%\telemetry\svcservice.exe and appends an overlay of randomized bytes to the copy. It then maintains persistence by adding a registry value named telemetry under the following key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Communication:

Laplas Clipper first registers with the C2 server using the current machine name and Windows username (guid parameter) and a 64-character hexadecimal string (key parameter) via an HTTP GET request to hxxp://85[.]192[.]40[.]252/bot/online?guid=<machine name>/<username>&key=<hexadecimal string>

After successfully registering with the C2 server, it requests regular expressions from hxxp://85[.]192[.]40[.]252/bot/regex (Figure 13).

Figure 13: Regexes from Laplas Clipper C2

The regular expressions hunt for the addresses of the following cryptocurrencies in the clipboard (ordered alphabetically):

  • Binance Coin (BNB)
  • Bitcoin (BTC)
  • Bitcoin Cash (BCH)
  • Cardano (ADA)
  • Cosmos (ATOM)
  • Dash (DASH)
  • Dogecoin (DOGE)
  • Ethereum (ETH)
  • Litecoin (LTC)
  • Monero (XMR)
  • Ripple (XRP)
  • Ronin (RON)
  • Tezos (XTZ)
  • Tron (TRX)
  • Zcash (ZEC)

Incidentally, the Laplas Clipper C2 panel at laplas[.]app resolves to 85[.]192[.]40[.]252 (Figure 14).
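The two check-in patterns described in this article, the Vidar GET with no User-Agent header and the Laplas Clipper registration and regex requests, are both visible in web-proxy telemetry. The following Python detector is an added example, not part of the Fortinet report or either malware: it runs three rules over JSON-lines proxy events (a constructed format: `src`, `method`, `url`, `user_agent`) and also flags the two C2 IPs listed in the IOCs below. The sample events are constructed; the User-Agent on the Laplas events and the 64-hex `key` value are assumptions chosen to exercise the rules.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# C2 addresses published in the report above
KNOWN_C2 = {"79.137.206.228", "85.192.40.252"}
IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def classify(event: dict) -> list:
    """Return (rule, severity) pairs that match one proxy event."""
    parts = urlsplit(event["url"])
    host = parts.hostname or ""
    key = parse_qs(parts.query).get("key", [""])[0]
    tags = []
    if host in KNOWN_C2:
        tags.append(("known-c2-host", "high"))
    # Vidar check-in: plain GET to an IP literal with no User-Agent header at all
    if event["method"] == "GET" and IPV4_LITERAL.match(host) and not event.get("user_agent"):
        tags.append(("vidar-like-checkin", "medium"))
    # Laplas registration: GET /bot/online?guid=<machine>/<user>&key=<64 hex chars>
    if parts.path == "/bot/online" and HEX64.match(key):
        tags.append(("laplas-register", "high"))
    # Laplas regex download that follows a successful registration
    if parts.path == "/bot/regex":
        tags.append(("laplas-regex-fetch", "high"))
    return tags


def scan(lines) -> list:
    """Run classify() over JSON-lines proxy events and flatten the alerts."""
    alerts = []
    for raw in lines:
        if not raw.strip():
            continue
        event = json.loads(raw)
        for rule, severity in classify(event):
            alerts.append({"src": event["src"], "rule": rule,
                           "severity": severity, "url": event["url"]})
    return alerts


# Constructed sample log; an empty user_agent means the request carried no header at all
SAMPLE_EVENTS = [
    {"src": "10.0.0.11", "method": "GET", "url": "http://79.137.206.228/", "user_agent": ""},
    {"src": "10.0.0.12", "method": "GET",
     "url": "http://85.192.40.252/bot/online?guid=DESKTOP-1/alice&key=" + "ab" * 32,
     "user_agent": "Mozilla/5.0"},
    {"src": "10.0.0.12", "method": "GET", "url": "http://85.192.40.252/bot/regex",
     "user_agent": "Mozilla/5.0"},
    {"src": "10.0.0.13", "method": "GET", "url": "https://www.example.com/update",
     "user_agent": "Mozilla/5.0"},
    {"src": "10.0.0.14", "method": "GET", "url": "http://198.51.100.7/", "user_agent": ""},
    {"src": "10.0.0.15", "method": "GET", "url": "http://203.0.113.4/bot/online?guid=X/y&key=abc",
     "user_agent": "curl/8.0"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

The header-less GET rule is deliberately rated medium: some update agents and embedded devices also omit User-Agent, so it is a pivot for hunting rather than a block-on-sight signal, while the `/bot/online` and `/bot/regex` path shapes with a 64-hex key are specific enough to alert on directly. The sixth event shows why the key length check matters: a short `key` value on the same path does not fire.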

Figure 14: Laplas Clipper C2 panel

Vaxa.exe - Miner Installer

Vaxa.exe (SHA256: 44810cead810cd546a8983e464157a4eb98ebbd518c4f4249e6b99e7f911090f) is an in-memory loader for an embedded miner downloader payload.

It is a 32-bit Windows console application masquerading as a program for performing and displaying the results of some simple math operations (Figure 15).

Figure 15: In-memory loader masquerading as math program

It then proceeds to decrypt the shellcode and payload from its body. The shellcode is provided with the path of the application to inject the payload into before execution is redirected to it (Figure 16).

Figure 16: Injector shellcode setup and execution

The shellcode uses process hollowing to inject and execute a .NET assembly named Task32Main (SHA256: 5630c8f0dcd2393daf8477e6e4e419b0d0faf6780b6f1e00ad7a09fd37ddcdd3) within Regsvcs.exe.

Task32Main – Miner Downloader

Task32Main is a .NET downloader and installer for Monero cryptomining components. It provides supporting functionality, such as maintaining persistence and AV evasion. More importantly, it is responsible for installing the watchdog component, which ensures that the miner is kept running in the victim system.

To avoid being detected, it executes encoded PowerShell commands that add the following directories to Windows Defender's scan exclusion list:

  • %SystemDrive%
  • %UserProfile%
  • %ProgramData%

It then downloads a configuration file from hxxps://pastebin[.]com/raw/5p5KkdBw to download other malware payloads and their execution parameters (Figure 17).

Figure 17: Pastebin configuration for miner component

A modified copy of this configuration is written as log.uce to the following directories:

  • "C:\ProgramData\HostData"
  • "C:\Users\TRT-DESKTOP\AppData\Local\Temp"
  • "C:\"

This will be used as the configuration file for the watchdog component discussed in the next section.

The above configuration instructs the malware to download additional cryptomining-related payloads from the following URLs:

  • hxxps://github[.]com/dwadaxwad/dvsv/releases/download/sdv/WatchNew.exe 
  • hxxps://github[.]com/dwadaxwad/dvsv/releases/download/sdv/xmrig.exe 

The malware creates the directory %ProgramData%\Dllhost and saves the downloaded files as dllhost.exe (miner watchdog) and winlogson.exe (Monero XMRig miner), respectively. The malware then modifies the directory’s permissions to deny access to the current user.

Figure 18: Directory permissions for %ProgramData%\Dllhost

To persist in the victim system, it then adds several scheduled tasks to execute the watchdog dllhost.exe every hour. It does this by executing the following command:

The scheduled task names impersonate legitimate Windows-related software to deter casual detection and are as follows:

  • SecurityHealthSystray
  • WindowsDefender
  • WmiPrvSE
  • AntiMalwareServiceExecutable
  • Dllhost
  • MicrosoftEdgeUpd
  • OneDriveService
  • NvStray
  • ActivationRule

It also changes the power settings of the system to prevent it from hibernating and sleeping by executing the following command to ensure that its Monero cryptominer component (executed later) is always running while the machine is powered up:

The hosts file is also modified to resolve security product-related domains to the IP 0.0.0.0, which blocks communication by security products (e.g., for downloading updates).

Figure 19: Modified hosts file

Lastly, it executes the watchdog component %ProgramData%\dllhost.exe, which executes the actual cryptominer.
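The persistence and defence-evasion artifacts described for Laplas Clipper (the telemetry Run value) and for Task32Main (lookalike scheduled-task names, broad Defender exclusions, hosts-file sinkholing) can be checked for in one pass. The Python script below is an added example for this article, not Fortinet tooling: the audit functions are pure so they can be exercised offline on the constructed `SAMPLE` inputs, and `collect_windows` gathers the same inputs on a live host using the real `winreg` module, `schtasks /query`, and `Get-MpPreference` (that function is an assumption about how one would wire the audit up and is only called on Windows). The task names, Run value name and svcservice.exe path come from the report; the sinkholed domain names in the sample hosts file are constructed.

```python
import csv
import os
import subprocess
import sys
from pathlib import Path

# Artifacts taken from the report above
RUN_VALUE_NAME = "telemetry"
RUN_VALUE_TARGET = r"\telemetry\svcservice.exe"
TASK_NAMES = {"SecurityHealthSystray", "WindowsDefender", "WmiPrvSE",
              "AntiMalwareServiceExecutable", "Dllhost", "MicrosoftEdgeUpd",
              "OneDriveService", "NvStray", "ActivationRule"}
BROAD_EXCLUSIONS = {"%systemdrive%", "%userprofile%", "%programdata%"}


def audit_run_values(values: dict) -> list:
    """values maps HKCU Run value names to their commands."""
    return [f"Run value '{n}' -> {c}" for n, c in values.items()
            if n.lower() == RUN_VALUE_NAME or RUN_VALUE_TARGET.lower() in c.lower()]


def audit_task_names(names) -> list:
    """Flag leaf task names that collide with the installer's lookalike names."""
    return [f"scheduled task '{n}'" for n in sorted(set(names)) if n in TASK_NAMES]


def audit_hosts(text: str) -> list:
    """Return (line number, [names]) for each entry that sinkholes a name to 0.0.0.0."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) > 1 and fields[0] == "0.0.0.0":
            hits.append((lineno, fields[1:]))
    return hits


def audit_exclusions(paths, env: dict) -> list:
    """Flag Defender path exclusions covering a whole drive, user profile or ProgramData.
    env maps SystemDrive/UserProfile/ProgramData to their expanded values on the host."""
    broad = BROAD_EXCLUSIONS | {v.rstrip("\\").lower() for v in env.values()}
    return [p for p in paths if p.rstrip("\\").lower() in broad]


def collect_windows() -> dict:
    """Gather live inputs on a Windows host (assumed wiring; only runs on win32)."""
    import winreg
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name], i = str(data), i + 1
    out = subprocess.run(["schtasks", "/query", "/fo", "CSV", "/nh"],
                         capture_output=True, text=True, check=False).stdout
    tasks = [row[0].rsplit("\\", 1)[-1] for row in csv.reader(out.splitlines()) if row]
    hosts = Path(os.environ["SystemRoot"], "System32", "drivers", "etc",
                 "hosts").read_text(errors="replace")
    ps = subprocess.run(["powershell", "-NoProfile", "-Command",
                         "(Get-MpPreference).ExclusionPath"],
                        capture_output=True, text=True, check=False).stdout
    env = {k: os.environ.get(k, "") for k in ("SystemDrive", "UserProfile", "ProgramData")}
    return {"run": values, "tasks": tasks, "hosts": hosts,
            "exclusions": [l.strip() for l in ps.splitlines() if l.strip()], "env": env}


# Constructed sample inputs standing in for a compromised host
SAMPLE = {
    "run": {"OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
            "telemetry": r"C:\Users\alice\AppData\Roaming\telemetry\svcservice.exe"},
    "tasks": ["ScheduledDefrag", "NvStray", "Dllhost"],
    "hosts": "# constructed hosts file\n127.0.0.1 localhost\n"
             "0.0.0.0 updates.example-av.invalid\n"
             "0.0.0.0 definitions.example-av.invalid telemetry.example-av.invalid\n",
    "exclusions": ["C:\\", r"C:\Users\alice", r"D:\Builds\cache"],
    "env": {"SystemDrive": "C:", "UserProfile": r"C:\Users\alice", "ProgramData": r"C:\ProgramData"},
}


def run_audit(inputs: dict) -> dict:
    return {
        "run_key": audit_run_values(inputs["run"]),
        "tasks": audit_task_names(inputs["tasks"]),
        "hosts": audit_hosts(inputs["hosts"]),
        "exclusions": audit_exclusions(inputs["exclusions"], inputs["env"]),
    }


if __name__ == "__main__":
    findings = run_audit(collect_windows() if sys.platform == "win32" else SAMPLE)
    for area, items in findings.items():
        print(area, "->", items or "clean")
```

Each finding is a lead for review rather than a verdict: a drive-root Defender exclusion or a task named Dllhost at the root of the task library has no legitimate reason to exist on a workstation, whereas a single 0.0.0.0 hosts entry may be an administrator's ad-block. Pair positives with a check for %ProgramData%\Dllhost and the log.uce drop locations listed above.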

Dllhost.exe - Miner watchdog

Dllhost.exe (SHA256: d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443) is a .NET assembly named Task32Watch. It is a watchdog application that executes the miner component, monitors its process, and ensures it is kept running and uses the latest mining parameters.

It reads its own configuration file, log.uce, previously dropped by the installer component Task32Main. It has the same content as the configuration file downloaded by the Task32Main component, excluding the first three lines. Moreover, it includes the Pastebin URL where the configuration file was downloaded as the last line.

Figure 20: Watchdog configuration

This Pastebin URL allows the watchdog to retrieve the latest XMRig mining parameters (e.g., mining pool server, wallet address, worker name “snnssnewte”, etc.).

It then executes the miner winlogson.exe located in the same directory with these mining parameters.

As a watchdog, it ensures that the miner process is always running by constantly enumerating the processes currently running in the system and then re-running the miner if it is terminated.

In addition, to lessen the chance of being discovered and terminated by the user, it kills processes related to system diagnostics and analysis tools, such as Task Manager and Process Hacker. Lastly, it also ends game-related processes, which are usually resource-intensive and reduce the CPU resources available for mining.

Figure 21: List of processes to terminate

Conclusion

This campaign highlights the dangers of downloading illegally pirated copies of software because of the tendency of threat actors to prey on such users to steal credentials, sensitive data, or even cryptocurrency. On top of this, the infected machine is also used for cryptojacking to mine Monero for the threat actor.

The agility of these threat actors is also a cause for concern, as we observed the threat actor behind this campaign rapidly uploading new copies of similar malware whenever GitHub takes down the malicious repositories.

FortiGuard Labs will continue to monitor and report on updates to this threat campaign.

Fortinet Protections

Fortinet customers are already protected from this malware through FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:

The following AntiVirus (AV) signatures detect the malware samples mentioned in this blog:

  • W32/Vidar.FGLT!tr.spy
  • W32/LaplasClipper.FGLT!tr
  • MSIL/CoinMiner.FGLT!tr
  • W64/CoinMiner.PO!tr
  • W32/Injector.ESSM!tr
  • MSIL/Agent.VFA!tr
  • MSIL/Krak.FGLTA!tr
  • MSIL/Krak.FGLTB!tr

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.

FortiGuard Labs provides IPS signatures to detect malware traffic.

The FortiGuard Web Filtering Service blocks the C2 servers and download URLs.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

Files

820bbfc1f5023af60a7048a0c25e3db51b481afd6986bf1b5ff806cf604c1f4c

e256b5ef66c4e56dac32934594b41e7e8cf432f834046e1c24c0827b120e6ddb

62d4caf908b3645281d5f3c0f5b5dc3a4beb410015196f7eaf66ca743f415668

44810cead810cd546a8983e464157a4eb98ebbd518c4f4249e6b99e7f911090f

f91d9de259052595946250a1440a2457dbda9ee8aec8add24419ff939f13e003

2fcb61da34b259b9b130c0c75525697931b9dff8e7f9b2198f9db21b5193eeba

d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

a0ac98bbd611fc697133ab872f9d978dc1931ea70f8a2374d18aff5754f7c110

ba9503b78bc62d4e5e22e4f8e04b28bb6179e146e1c0a6ba14dd06608facb481

9c5aff1352619f14feb736916374bbed06ef41a7d0cb72d789cb86e8f3906212

5630c8f0dcd2393daf8477e6e4e419b0d0faf6780b6f1e00ad7a09fd37ddcdd3

Download URLs

hxxps://github[.]com/jesus061031r/mooliik/releases/download/mooliik/2O23-F1LES-S0ft.rar

hxxps://github[.]com/jesus061031r/mooliik/releases/download/mooliik/vadwax.exe

hxxps://github[.]com/jesus061031r/mooliik/releases/download/mooliik/GUI_MODERNISTA.exe

hxxps://github[.]com/jesus061031r/mooliik/releases/download/mooliik/exep.exe

hxxps://github[.]com/jesus061031r/mooliik/releases/download/mooliik/vaxa.exe

hxxps://github[.]com/jesus061031r/mooliik/releases/download/mooliik/vdsc.exe

hxxps://github[.]com/jesus061031r/mooliik/releases/download/mooliik/vdscs.exe

hxxps://github[.]com/dwadaxwad/dvsv/releases/download/sdv/xmrig.exe

hxxps://github[.]com/dwadaxwad/dvsv/releases/download/sdv/WatchNew.exe

hxxps://github[.]com/dwadaxwad/dvsv/releases/download/sdv/lolMiner.exe

hxxps://github[.]com/bonniebosidaw/bolikgs/releases/download/voollik/2O23-F1LES-S0ft.rar

hxxps://pastebin[.]com/raw/5p5KkdBw

C2s

79.137.206[.]228 (Vidar C2)

85.192.40[.]252 (Laplas Clipper C2)

Monero Wallet Address

48GSRPwCNzLCkNGCMgUsqfg8BxJq8azyUbMLQM4Dvqh64M8goBjQ2SkVFUokVDzQpqfotv1oDcB8X8qMxuLK6GDBSWU3tp4


Article source: https://feeds.fortinet.com/~/742297838/0/fortinet/blog/threat-research~YouTube-Pirated-Software-Videos-Deliver-Triple-Threat-Vidar-Stealer-Laplas-Clipper-XMRig-Miner