Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites
Finally, we will analyze the two threads. The C&C communication thread regularly makes a GET request to <C&C domain>/<C&C path>?id=<9digit number>&stat=<environment hash>. The environment hash is computed as an MD5 hash of string created by concatenating the following five values:
Value 1 = to_uppercase(crc32(HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyMachineGuid))
Value 2 = to_uppercase(crc32(HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionProductName))
Value 3 = to_uppercase(crc32(user name))
Value 4 = to_uppercase(crc32(computer name))
Value 5 = concatenate Value1 Value2 Value3 Value4
It might receive a response in the following format:
!lexec;<url to download>
restart
delproc
The idleness monitoring thread monitors pressed keys and selecting or dragging movements. If the user is idle for more than one minute, it sends a sidl(start idle) request with the time when the user became idle:
<C&C domain>/<C&C path>?id=<9digit number>&stat=<environment hash>&sidl=<time>
The length of idleness is then regularly submitted in a cidl (count of idle) parameter:
<C&C domain>/<C&C path>?id=<9digit number>&stat=<environment hash>&cidl=<number of seconds>
When the user becomes active again, the malware sends an eidl (end of idle) request:
<C&C domain>/<C&C path>?id=<9digit number>&stat=<environment hash>&eidl=<time>&cidl=<number of seconds>
The idleness monitoring thread allows the malware operator to choose the proper time when the victim is not present in order to stay unnoticed.
SpyAgent usually downloads other malware to perform additional tasks such as stealing important data.
We noticed using SpyAgent downloading the following commodity stealers:
- RedLine Stealer
- Ducky stealer
- AZOrult
- Cypress Stealer
- Clipper (a clipboard replacer that replaces various cryptocurrency addresses with those controlled by the malicious actor)
We also noticed other RATS being used in the campaign, such as:
- Remcos RAT
- NanoCore
- njRAT
- AsyncRAT
The threat actor behind this malware seems to have a straightforward financial motivation and typically aims to steal credentials and cryptocurrency wallets while also replacing cryptocurrency addresses shared via clipboard.
Fortunately, defending oneself against these attacks is also straightforward. Given the malicious actor’s use of traditional social engineering techniques such as fake websites, malicious advertisements, and spurious social media posts, users should practice due diligence and avoid selecting any suspicious links or visiting dubious websites. We also encourage users to perform security best practices such as bookmarking trusted sites and practicing caution when visiting new websites, especially those that are prone to being abused for social engineering attacks.
The IOCs used in this analysis can be found here.