🚨Malware distributed via Steam

Fancy a bit of after work gaming? Beware of infostealer malware distributed via the Steam store!

Using @SteamDB we managed to visually identify a very suspicious file in the game files. Luckily, we managed to retrieve a sample for analysis, which will follow in this thread.

The game, which was aptly named "PirateFi", was supposedly Free-to-Play and included web3 / blockchain references, likely as a lure for this specific player base. Steam removed the game from its store yesterday. Approximately 800 to 1500 users have reportedly downloaded PirateFi.

🆘 If you are one of the players who downloaded this "game": Consider the credentials, session cookies and secrets saved in your browser, email client, cryptocurrency wallets etc. compromised. Change passwords for all affected accounts and use Multi-Factor-Authentication where possible. The "game" files will have to be removed from your computer (Steam Libary, %Temp%).

Now onto the malware analysis. The sample of "Pirate.exe" that we managed to dig up is 693MB in size. This property is commonly found with infostealer malware as a low-effort aporach to detection evasion by Anti-Virus and sandboxes. We found that the file contains an InnoSetup installer, which we will have to unpack.

#cybersecurity #infosec #steam #malware

#100DaysOfYARA

Today: Detecting the "qBit Stealer" exfiltration tool

qBit Stealer was developed by the "qBit #Ransomware-as-a-Service" group to exfiltrate victim data to the MEGA file sharing service. It is implemented in #Golang.

About two months ago the source code of qBit Stealer was published on BreachForums for anyone to use and repurpose (Image 1).

Based on the source code and the sample shared by @1ZRR4H (https://twitter.com/1ZRR4H/status/1751656174515098023), we created a YARA rule to look for qBit Stealer samples (Image 2).

Interestingly, most of the in-the-wild samples contain build artifacts of the "XFiltr8" variant, compiled by a user named "187ir".
We only found two other public samples that contain different path artifacts (Image 3).

Paths and hashes:
C:/Users/187ir/Golang-Projects/XFiltr8/Builder/XFiltr8.go
089ba2fb4eaa13b572ba558288592ed9
de2e25d217d28d1f360068048b5e4d54
bef9a0031387e0841166d41b047f8a13
fec2f286abc06554f68e5586a44662d5
03a18e5842e08a32d08703fe0c563687
e3211f650d932848a544d4da6f9fd599
1e6dca21cb0249525375e87358ff4fbc
4738ddef9cc4cd33dbbd616c722d5f46
97d87da8e4b22863681ef8eeef685826

C:/Users/benign_os/Desktop/malware_samples/3086/SMW3086/payloads/windows/qBitStealer/qBitStealer.go
f06c4a0af2181eb43a7b3763e8f5d5ea

C:/Users/lilia/Downloads/Telegram Desktop/qBitStealer/qBitStealer.go
b4247d41d89972d3a3cf34bca30c16f1

Samples will be shared via @abuse_ch Malware Bazar
The rules will be pushed to the 100DaysOfYARA and our detection repo :)
🍪

#infosec #cybersecurity

#100DaysOfYARA
Today: Detecting a .NET reverse shell used in targeted attacks

Two of the samples were first covered by @h2jazi (https://twitter.com/h2jazi/status/1747334436805341283). We found a third sample, here are the #IoC:

c914343ac4fa6395f13a885f4cbf207c4f20ce39415b81fd7cfacd0bea0fe093
C2: 192.121.162[.]228:8888
🇯🇵 M247 Tokyo

7581b86dd1d85593986f1dd34942d007699d065f2407c27683729fa9a32ae1d6
C2: 2.58.15[.]85:443
🇳🇱 Gwy It / Crowncloud

8920021af359df74892a2b86da62679c444362320f7603f43c2bd9217d3cb333
C2: 85.239.61[.]53:443
🇬🇧 Clouvider / BlueVPS

Samples will be made available through @abuse_ch Malware Bazaar as usual.

The implementation of the attack chain and malware itself are rather unsophisticated, you can find an overview of the latter in the second screenshot. It differs slightly from sample to sample.

We are not making an attempt at attributing this reverse shell to a specific threat group due to a lack of context/further information.

#infosec #cybersecurity

#100DaysofYARA

Today: Hunting for a code signing certificate issued to "D2innovation Co.,LTD"

Malicious use of this certificate have been attributed to #Kimsuky #APT by @asdasd13asbz (https://twitter.com/asdasd13asbz/status/1744279858778456325)

We currently can't confirm whether this is a stolen certificate, an impersonation or a shell/front corporation. The website for "d2innovation[.]jp" has been inactive/HTTP403 since early 2023 according to the Internet Archive.

So far we have found five samples signed with this certificate. The earliest compilation timestamps go back to the 13th of December 2023. One sample has a header timestamp set to 0 (1970-01-01). Using a cutoff date in the rule might limit hunting results.

Some samples are already available on @abuse_ch Malware Bazaar. We'll share the missing ones in a minute.

#IOC
27ef6917fe32685fdf9b755eb8e97565
88f183304b99c897aacfa321d58e1840
87429e9223d45e0359cd1c41c0301836
7b6d02a459fdaa4caa1a5bf741c4bd42
7457dc037c4a5f3713d9243a0dfb1a2c

Samples can be found here: https://bazaar.abuse.ch/browse.php?search=serial_number:8890cab1cd510cd20dab4ce5948cbc3a

#infosec #cybersecurity

#100DaysOfYARA
Today: Detecting use of "hXOR-Packer"

hXOR is an executable Packer/Crypter that, as the name hints at, uses Huffman encoding and simple XOR.

Another rule contribution for http://unprotect.it cc @fr0gger_

https://unprotect.it/technique/hxor-packer/

We generated test binaries for all settings supported by the Crypter and referred to the source code for more detection opportunities. Since open-source Crypters can be easily customized we opted to make most of the string matches "optional".

Two interesting points about the rule condition:

- The "AFIF" magic used to indicate the start of the payload is searched for in a range after the stub

- The Crypter uses a DOS Header reserved field at 0x28 to store a payload offset, we check that it is populated

The use of " in range" and the "none" keyword require yara version 4.2.0+.

During rule QA we found well over 1k true positive matches, we'll be investigating a few of those further.

A ping for @cyb3rops seems like there is no rule for hXOR present in Valhalla yet.

#infosec #cybersecurity

#100DaysofYARA
Today: Detecting use of "ScrubCrypt"

Our first contribution to the http://unprotect.it project by @fr0gger_
and @darkcodersc
(PR will be in shortly).

Check out the thread below for more details on the Crypter/Technique and the #YARA rule

First of all, here are three previous publications about ScrubCrypt that aided the creation of this rule:

@PerceptionPo1nt
➡️ https://perception-point.io/blog/the-rebranded-crypter-scrubcrypt/

@0xToxin
➡️ https://0xtoxin.github.io/threat%20breakdown/ScrubCrypt-Rebirth-Of-Jlaive/

@FortiGuardLabs
➡️ https://fortinet.com/blog/threat-research/old-cyber-gang-uses-new-crypter-scrubcrypt

ScrubCrypt targets Windows exclusively and generates obfuscated Batch files, which include the following payload stage as a Base64 encoded, AES-128-CBC encrypted and gzip compressed blob. Usually this next stage is an obfuscated .NET payload, which is reflectively loaded.

Our YARA rule picks up on the stray character obfuscation and unusual Shannon entropy of the batch scripts. We tested this rule against a large file corpus and found no false-positive detections.

Samples:
afc404744033ca5e03ffe249d6977fcb
7d8a84813d06c036c7df72e36d152fac
6df9c41c8d2abb352d32cd0cbc76e305

Below you can see a preview of our http://unprotect.it contribution ⬇️

Thanks for reading the thread 🍪
#infosec #cybersecurity