Avira researchers uncovered a new spyware named ValleyFall, identified in the wild in late April this year. This malware can infect people with a remote-control component also focused on password stealing and keylogging.
In the course of our daily malware detection activities, we’ve discovered a Remote Access Trojan (RAT) in the wild. This RAT is delivered through a downloader and is capable of stealing user passwords by logging their keyboard activities. Following an in-depth investigation, Avira researchers successfully pinpointed the malicious components of this newly-identified malware family, along with their respective servers dispersed worldwide. The majority of these malicious servers have been operational since early April, with one notable exception. This exception was a server that was active from December 22, 2022, which contained several test malware samples. However, this server was swiftly taken offline after we identified it. In this blog post, we aim to discuss the impact of this malware in the wild, provide a technical analysis of the main sample, and narrate the full story behind it. Avira actively detects this new malware family and remains committed to helping our customers protect their data from a variety of threats.
Impact in the wild:
Based on our telemetry, the following image shows the geographical distribution of the ValleyFall malware. On the left we can observe that United States was found to be more affected by this malware, followed by European and Asian countries, while on the right we have the malware server’s distribution, showing the origin of the servers that were used for command and control or malware hosting.
Infection kill chain:
Features
- Keylogger
- Spyware
- Backdoor
- Remote Administration Tool
- Downloader
- Virtualization/Sandbox Evasion
- Security Software Discovery
Technical analysis:
1. The Downloader
The attack commences with a downloader that necessitates elevated privileges, deceptively posing as a significant image. The malware adopts the guise of a small image icon, typically from a graduation certificate (although other variants use resident identification cards or various images), to mislead victims into mistakenly identifying the file as a harmless image. Upon executing it, the malware will download three files in a new directory named C:\Program Files (x86)\Microsoft Silverlight Update\ as it follows: – hosteye.exe – Which is a clean application that is loading a Dynamic Link Library (DLL) named nw_elf.dll and calls its SignalChromeElf exported method. – nw_elf.dll – Which is a malformed version of the original nw_elf.dll file, containing an embedded payload that is loaded into memory when the SignalChromeElf method is called. – ooco.jpg – Which is a clean image, usually the full-size version of the original icon of the downloader, that pops into the victim’s Desktop to make it seem like only an image was opened and nothing else happened.
The downloader also creates persistence for hosteye.exe via Task Scheduler.
The previously described tactics are known to aid in evading detection. They do so by masquerading as Microsoft software and utilizing a legitimate application as the root process. This root process then loads the malicious DLL further.
2. The malicious nw_elf.dll loaded into memory
The clean application hosteye.exe normally loads nw_elf.dll into memory and calls its exported function SignalChromeElf. A legitimate nw_elf.dll would normally be associated with NWJS, which was previously known as node-webkit, used for developing modern desktop applications with Node.js features and third-party modules. Instead, the nw_elf.dll version downloaded at the previous step contains the following exported function which is used to decode an embedded payload that will further be loaded into memory.
As we can observe in the previous image, the payload is decoded via a XOR with 0x7b followed by a subtraction arithmetic that calculates two’s complement.
After decoding the payload, we were able to identify that it uses a shellcode for loading multiple functions from Kernel32.dll such as Sleep, LoadLibraryA, VirtualAlloc, VirtualProtect, FlushInstruction, GetNativeSystemInfo, RtlAddFunctionTable and use them to load and execute another DLL into memory, that is also present in the payload.
While analyzing the DLL embedded in the decoded payload, we have identified the name of the PDB leading to the ValleyFall family name:
3. The ValleyFall malware
We confirmed that this malware family is a new threat in the wild by identifying a version function that was present in the ValleyFall DLL. This function returns the value “2023. 4” which stands for April 2023 as shown in the following image.
In the course of our analysis, we noted numerous malicious functionalities including keylogging, gathering data on the victim, establishing a connection with a command-and-control center, scrutinizing for security software installed on the victim’s machine, and much more. We also observed that the malware scans for virtualization processes in an effort to elude detection and impede further analysis. It accomplishes this by cycling through the current processes and seeking “VMwareService.exe”, “VMwareTray.exe”, and “VMwareUser.exe”. These specific processes are frequently active on virtual machines managed by the VMWare hypervisor.
Further, the security software discovery is done by iterating through all active processes and determining whether the mentioned executable is found to be running. If the executable is present as a running process, the security software is added to a list. The list is then checked for whether it is empty or not, and if it is found to be not empty, the malware then exits. Moreover, the malware identifies security software by cycling through all active processes to discern whether a specific security executable is running. The software name is added to a list if the targeted executable is detected. This list is subsequently checked to see if it is empty. If the list isn’t empty—indicating the presence of security software—the malware ceases to operate.
The keylogging stage is managed with a mutual exclusion object (mutex), locking the logging session for only the currently executing thread, to avoid multiple instances of the malware creating duplicates in the logged keys.
In addition to the aforementioned functionalities, this malware also pilfers critical computer information. This includes details about the graphics devices, disk and Random Access Memory (RAM) size, the version of Windows installed, the hardware profile, the processor’s specifications, the list of active processes, essential file paths, and more.
Furthermore, this malware contains the functionality to download a PE file on command and execute it on the victim’s machine. This functionality enables the possibility to download another malware that is present on the identified servers.
The downloaded file is then run via a call to the CreateProcessW Win32 API. After it downloads and runs the desired file, it is also capable of creating persistence for said file in the victim’s registry, via the usual Run key.
In the end, for all the previously mentioned capabilities to make sense, this malware connects to one of its Command and Control (C&C) servers to get the stolen data and send commands to be executed on the infected machine. First, it gets the required IP and port, by reversing some values present in plaintext in the decoded payload (the values represent the IP, port and some verification value used by this malware).
From the image above, we can see that there are 3 connections, namely 103.39.231.7:7780, 127.0.0.1:8888 and 127.0.0.1:80. The last 2 will be used to generate traffic to hinder the analysis process. Moving on, it then obtains the appropriate virtual function table (vftable) for the connection protocol to be used (local traffic is made via UDP, whilst traffic towards the C&C is made via TCP), obtained from the vftable attribute of the CTcpSocket class, respectively from CUdpSocket.
After the aforementioned actions, it connects to the C&C.
Malware servers:
While tracking and establishing the malware network, we’ve identified numerous malicious servers associated with the ValleyFall family. Furthermore, we were able to pinpoint various threats stored on these servers. These range from clean files that are exploited to load malicious DLLs—as depicted in our research—to other variants of nw_elf.dll and numerous recognized backdoor payloads. Some files appeared as simple text files, but their contents were in fact malicious PE files intended for loading on the target machine. We observed that the oldest active server dates back to late December 2022, but the malware was first detected in the wild in early April.
Some of the identified servers had the number of hits present. This information is useful as it depicts the number of downloads that were initiated from those servers. We observed that a main backdoor payload was downloaded over 670.000 times in a timeframe of 17 days, showing the prevalence and the impact of this new malware family.
Conclusions:
Emerging threats, novel malware families, and spyware attacks are persistent risks. At Avira’s Vulnerability and PE Detection lab, we tirelessly monitor malicious activities and analyze the latest malware trends. Our goal is to equip our customers with superior protection and detection capabilities.
Throughout this article, we’ve delved into the intricate workings of a new malware family which emerged in the wild and had a significant impact in a short period. Primarily targeting the US user base, most of the malware servers are located in China/Hong Kong. This new malware family, which we’ve termed ValleyFall, has been classified as a Backdoor/Remote Access Trojan. Its capabilities encompass keyboard logging, virtualization detection, security software detection, information gathering, and communication with a Command-and-Control server, among others. Our investigation began with a single dubious sample, leading us to unearth a multitude of servers related to this malware. Each server housed different versions of ValleyFall, along with other test samples and well-known backdoor payloads.
How to prevent infection and stay safe online:
- It is always good to double check the files that you download from the internet.
- Avoid executing files on your device if you are unsure about their provenience.
- Double check a file extension before executing it, for as we have presented in this research, the ValleyFall malware was delivered by a downloader masquerading as an image.
- If you receive files in emails, check the spelling of the product name/mail subject, even if you think that the mail has been sent by official product sellers.
- Avoid clicking on links in emails you received from an unknown sender.
MWhen opening email attachments, especially executables, Office documents, HTML pages, ZIP and RAR archives, make sure you expected to receive this document and that it is trustworthy, otherwise we advise you to not open it before scanning said file with a strong cyber safety solution.
- Use a strong cyber safety solution such as Norton, Avast, or Avira to make sure you are protected against these types of malware.
MITRE ATT&CK:
Downloader
| TACTIC | ID | TECHNIQUE |
| Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location |
| Persistence | T1053 | Scheduled Task/Job |
| Execution | T1053 | Scheduled Task/Job |
| Discovery | T1518 | Software Discovery |
| T1057 | Process Discovery | |
| T1012 | Query Registry |
Loader DLL (nw_elf.dll)
| TACTIC | ID | TECHNIQUE |
| Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location |
| T1112 | Modify Registry | |
| T1027 | Obfuscated Files or Information | |
| T1027.009 | Obfuscated Files or Information: Embedded Payloads | |
| T1140 | Deobfuscate/Decode Files or Information | |
| T1055 | Process Injection | |
| T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | |
| Discovery | T1083 | File and Directory Discovery |
| T1012 | Query Registry | |
| Persistence | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking |
ValleyFall
| TACTIC | ID | TECHNIQUE |
| Defense Evasion | T1112 | Modify Registry |
| T1027 | Obfuscated Files or Information | |
| T1497 | Virtualization/Sandbox evasion | |
| T1518.001 | Software Discovery: Security Software Discovery | |
| Persistence | T1547.001 | Boot or Logon AutoStart Execution: Registry Run Keys / Startup Folder |
| Discovery | T1622 | Debugger Evasion |
| T1518 | Software Discovery | |
| T1518.001 | Software Discovery: Security Software Discovery | |
| T1010 | Application Window Discovery | |
| T1083 | File and Directory Discovery | |
| T1057 | Process Discovery | |
| T1012 | Query Registry | |
| T1082 | System Info Discovery | |
| T1614 | System Location Discovery | |
| T1016 | System Network Configuration Discovery | |
| T1033 | System Owner/User Discovery | |
| Collection | T1056.001 | Input Capture: Keylogging |
| Credential Access | T1056.001 | Input Capture: Keylogging |
| Command and Control | T1102 | Web Service |
| T1095 | Non-Application Layer Protocol | |
| T1132.001 | Data Encoding: Standard Encoding | |
| T1041 | Exfiltration Over C2 Channel |
IOCs:
Samples:
f8799e81793e0d919898dc80a44c248fa862e3b0755d95d51da43451e03f57c9
2cecf1443c1143d075c5d96d61b4934bd2d2d005e35dbef7cad7354ee09560bb
c562cc6a81af6ea0d1b74b8e8576c73f0c46b68b30125e186288e84fb560fe42
2de0b642d772bcc0d834928a4113c5b5a044fa81cfce5967a420671bd912e561
10d8fcdc432cbc2a14e3598095cdde4e86ef078292fe8bbfc44347c5e5d23ba4
043d92cc731d2823e4b0feac84e99b4c3fd3044fc763dc996d0de379d1a63572
96239abb6a77841316a37f59a5f3baeda2185261d6fdc85be4d898eedf42278e
883299572d924ae0e80b9e444188e7a29547bb95ddbce19e556237da3fbe3768
d0f338290ae4f4445c6b304106e98a5e2ecf8a26b7fdf72d55aaed73b0ab6405
09bcc6c0bdbe1c11e3f3ecfe825ce35722b4b869e84d1a2f04dfdc9f086297a7
0a62d54d9fce314751e98d0c9f5a8ab9fd8187e2e8254f2b49811751bc7b91d1
0bf44ab95c084855ec5363dedd17f3f2c14a0b7fed45352efe4d9ab5e5edfbd1
0ca299333c426db2bfcffdc028fedf5005380b7926035b760f5b3affcbba5909
0d577bb6c870455c8bb166cfa4508d18e81c5f9b1338064c8bfa868f230d7dad
0d928df99d07ed945b8327920640cf95de1b2900be474caa040ddb59d22fed7b
0da154c7e09aa27ff7c70a4151bd35402ed7ae27cc2318d10c13154b18b8adfb
10fc0899b6099a8742fae90c8b8474de8b82b7143318cc42bd7728f1a2b3dc94
121bd9579ca5cf8fa0b93441200d9b2e2ca9bea4a0edd4a51499f7cccf502c79
12a52ec149e294cc8e1a989ead8cb37497a886543b36edc1d52884bb675b916a
13a4e455ade1b0cde380a8f560e7bcbafd327b6e35ce239a7c0cb7669955b117
13ed381a1fa7f6a8aaefc505c27307b3dc3ececde48b07ad213fc58854064179
1669b0f0570fceee6fafa4b86e96d254fc483fc368016cd49105008aed82364d
1676f9a1e21819526f999809b6b300df468fbe9ca2437f7a649e200d920729df
17e783993b09a75f1c1ea19bcbb5b298e6b062bbb9f0ff9ae1acd319fcff4dab
1b5d262984549cab8d95b59e9d77a85aec5c439def572ed96d52618634e377c7
1c81c28fce551611ed8b2ab7ee554432ca893afcd4530af8bd6c717e637281de
1f077ae0f82a4212cfd8cd8e16e8fe8d0e2544e97a4c081d26d0473e094f9720
2089fcb447eaea80b003120a1c648212915e80f2757c774fb6f31d194004adb4
214e4cfe445bfd6675cd945942021eea3c7d95846bda7c3e73ff055c0b48b51c
21d150bc6d82e59ef6c34286c4ad08503f0fcb4a9573508000fa76a82cce54b1
2287f7e8ed16a506eb4a8810121b714af72a2dd334d189df98a29055b6252f55
2370947fa551aef0d201e018691d9a50287b50428248d3ef1db41256ec24f743
24e4082fb4cd192483d55d58b7514beab7241fd6f9ef332d85e176fa088a6433
257ca2e93a7d32c1504c9c0c713c591d63584497e32eee709bb36dc2874730df
26a07825fbf7b1fd7d231e48aac8b5740e7202fba72c99056bff0dc93ab942aa
26c6f6dc94f166e4d4b6fcafb63d6ce558d051e3cc59a29fadadcebd855004af
272c4436dd737d134612f171f7517bba5e795fd671095cad6df61651974a678d
27e1ab30bb0ab32ee2e2daf6ce965c2d8afaf2378d4f297e068d66a065f02133
27e2209e0cabe20812b7e2534cddee820519367b4826b04054c52c339cfad49b
28b8c95ec7aed1aee960f600251885f1da9555d077b359f2c2f73c7f615e6b50
295e1501b715fe8996844aa78c189eabdb2066e70bc7873104af6a387c334201
29662d73077f6b1354ca3fb9148d6acf20a651d9957a55abbc9a1058314b8cbb
2b254d492b1257da02499b9507c091d5bb462e667488b93a6dbf50b8eaad944b
2e0afc6c7a4b11c0928b6c1ccbc03c241a8820005ea9f00b08868ca7e7fb7bb0
2e0f4a3fca4fbd851c6eeb8589742a5617627b8cde440ae037739f5d0b5f385a
2f8dab77cb4b125c126b6164bfe06df474c832676d9817787b7b67bdefe53201
2f93657ad814e3de0adb5c1e2509a175d6187a8b7321625f2ccaf493ee251839
303514c661c0c4d00e24a6d4c08eed2b291aa0c12a539a824a08a7050a7e5573
30c69aa08b43f898f6531bbe2cb5dbcdc44ae444dfb214fe509808f1240fda3a
319b5f1d1b75dd8dd4e43240ae5b1214a9affef5b26f8adf267ee585e744d1eb
3218b4ecc2f4ad48de0c3efebe46324a1cef7fc6ea986fc7c3642164f02408e0
32a02267f8e2b2cb8efd153e60af8572703fb6a17107c34ecb7a56bdfe1b0286
32f5ba97e616e15a0a73ea90b787abc3b4d89775c3f39c154cd2929e4b9c5b7b
33be63331bd9065b44f819c1f9226b6045a9fabde809cafb444253a50d457493
33cec7575d1f72b0d5915a95d45add54788a6888fadcc43eb554f4fd6fc17e84
34c01f925ec95c4cb04c0454b96211a24eb5d82d3765245a2a53543ea8a1d1f5
34f223fc8483ac2b89c45df5d8922721b8318de6149ac6abb60c06b2345eca58
36fd8acc95b73a1de5879cccce688a869e9cdd81d63906123b32dab81b46837a
370aedccbecde5d13b3509d0a3f2d4f86a735b8b0983623fc9d5273dd21442a6
38948bb6958f868e9230f2ad5035630922e682cbdf74b079e472d7deb6acba15
3a1592fbe6d336f44f1c56ea81acc1658e1a7c36621a0d0d0778e4c2d8340aba
3ae72a75ef7108882726eaab527ce87e6d18d205192db1bf0a17a45b878a05b2
3b2d7b88f9604b4f73f207437bb32c0bd1e22ef07ca9c8fed568413b31702c51
3ce093de0f24d77d5dab086c2f5d831113f4b56df48d6ec42037a13beddcd2c8
3d0596c64cd1b735d21c9579839967fdfabee597709e95a5ab397b749bf942f1
3d78b64d9ccfe4d8518aef4f0e63f426253fb50208efcd91b29f16d948f9d93a
3e23e82f6d727a4cad22b17f10536e88e7711bb0494f295beb505673224f010f
3e35a9885d9e62b80bb25a6ad078f3176dbdf4bc62fb6b71d9896b6b56b9b740
3eb96bd0e6b40a7cf37653b9cb72c74eab703815a44e2a0e65e1c6da4f9f0b9a
3ede4afc3a8e0979cf130d6576d9025955e648d41780cb3567d9cb171bd8db72
3ff1b206571d53958ff15c108d88e54d50f5907278e3b28728867c2ab5896872
42408dce9714ac7056bb45dabe41b2797f192cc5666b67f8acb29a00cba58d28
435aaf93c553515a546abbe4a1a78ac27a27ea21d73cd54400e4e88ce10daac0
45434e98f72a789d739473ecf3d4d03507b4720aed720d0464505adc1c9340e2
45e5df9c5892ec0289cdce8f5bc851698b244e9fdbf7eb08cc29f47feb5794f3
46b2610ef21a2cd3cd93d7a0b81260d51686bf3fa3685e3e362a850acb942938
46cb66529693f50e26c4569368d85a12c3288e32bd29f602d3297b596281dcff
4baf080f9a35fb100e4c6215b0a693ae2eba571635e8655916e3aa86a523a266
4c299cc0954232ee1c11699945c87e5bb19a48993ba1087693d49e53544ae4ed
4db19139799c05554a4c584a25657a3121d1c4f991b87b55c0c02c4f275d0f14
4ea076f59793cacfe5f52f1a0275e70692e78cd8d7f457f7441a2bdd1eaab5b3
4f8837262577b5c05c226dd36ffc575b44b29d66c47b92a247dccfed2fdd68c7
50544792b3c7e0f3bbdb10e481b98583b7a29b92ff2eb05a9a68ffc6eb351f5b
50ceb10eeab27a7ed43ef4aff6109afac4f200b6dce196b24ed6192b8dd50bf0
526f476a5a2aee65b3b4065d2e363e475c6d66d86ba3f43666b0112f7795b6ac
52e113c4bc1e4d4ee83533485a6f70acf390cb172a93cb2d1802eac3eeca3cb5
549dbe17563a3a70b8d6662720cad74ac9fd6099dfb0db88ba48b22fc44d039b
55426430302560516b290d9205c71f8c609c6dad29a67e985c0a39cd3d04e0bf
55d6c2d439de990999b562a57d94a3a681042bff6b9ac039f277f56b14258e51
569ffc187ff40ecb82cf0cd75ca9b2f02c194c7cde3c4dcdd3dbe22000f29f37
576115fc080db2a0e18526041cd8eaff0c7635657b3ec04aa7e44ca3a4717285
58ac51e69afa908b28fee6fdd1fa548193d7381b59ccad79a2a4ed955a2fd32d
59119736919a631d6afa375d61232087137cdff30387ccba836ab542ff8e16b8
59efdaac1b80fbfdeaf4574f6bca4dce238aa531b928b2ef1cba75b60ec1c37d
5d7d61c1e1fbfbe4c251da020c4cecd7b188f5ec003960c8b7901bb168613fa1
5e4198c7edd797329ad1b85085a224d9dd2d2a1ce3df799d661417852182514f
5ebed534433c2de25477346b1e61bfeccdc1194b6d7f9330d042b0cf62e2510b
60f88fe176e882a68c67293bd8b2e494bb69d9e6d04ed36756e209e1f2744711
6182928aab5a412dee19afc93f0e6f860e18fba19963594deab647836e8e95a7
62212d2960bebd980e4147dad4fb4456eae7e034bb4f7506a9000c8b88e9240d
6288e86b12e6064ba9f823edc05c2122f976419a809c5c507a17618c39e40ad2
630e88f34b94e8825dc5fa4464ca51e5ecae2d93f7989d494489acd3b870714a
6348d21a31c3e683ca59c931cd62ab09d725b9f871f2ee8f218f69bacfcf5a2a
634a2471d16b152cdf4459ca1f53c3d0e0d9076f01f1d9188dfbe4f5c7e3e095
63e9cfcf6823591131a76fa4daf317f939a260052c69102b2a19e290133637e7
648c66d65981e1cc846606db35b905998dbccdf6f339a9f6a89dafb46b3d32cd
6631768c49325246bba3360bd723624555f368cb2c45613e13bf10d87ebfd0bf
66eaff20e898cab8b477eec9a723ea0a3a4cb1b8503b38700260bb3deb55efaa
680feab4f6007402223873488585356602c7b18521898cf856a3f6ea67655439
681461e77ae6630104fc25967803830f09ce065b4387f3d1ba178a38601885d5
68d319051175b7fbf05aa179eec8900abf092e0681009cfffcbb2c7bcd91f0d5
6aa343bcdce8cb2d625ae14892345b2ea2adafda51f04fd85f83d6ee020728bf
6aa860be9f6652479151e5d47fff417039192f532fe686cd940438b86e3c5ef7
6c0cfe71bd71a3e3086ce27d09b7a53d2671269232bda7e5db9fd7ff5e5f0061
6c1ce3e68691d3cc5eb43842b5b11f1f62165be801171c1c16832c2a79ac9b56
6d5e452d29019337ceb120ad838264584492036e82721dd6f0ec6552262e9566
6eb4866dafb60c1a37f0628372c302fd2fa38ef0accb8bea5b439c30c96bc01e
6fac35439dd4a335a548dbdc6d085acf4c2654b35f3b24b7510e4ee293d7f389
70b96760ef68c0f15e16164d1890418da4e91dfb0f05faf872de787b3a3e683b
75e621a62586e144d3b51c4ae28ace13ab5a3dd6f192b9b24f41a284537851ab
7662da9bd460ad4fb98586fcae3e39adaf1da19a63033cdb167dc4b224ebdfc8
76ca4196ad9defe669bde91b90bb8df572d929960677dc2121cd84d061372cb7
77b91a326dd107cc34b3b5722f36d308862cb89c16658d3e1c6c02aaf82b3b0d
797f962018f3f75aece59225e2c6723fc7cc80f65c26c935944046b0c75d5daa
7a37b3cfaee7fb18e265b607267d946f9d81bae8aec9f495404e4958a297701b
7a6cf04c8b66532c0823235da90954cbe0b719ca34095db163333e2f2778bd5a
7ab0f3f6a3e4df69dce878bf472b3cf26f6c1e1ee3845fc7d460ffd800bb6b81
7ac7fdfb412e0637799a9ecf18aeacd9a9936abd4c5a82ef119951c011c9a01c
7ce236c3ec9ba67b5e02ee9657cba76fd807f80f2bf6dc99c9d10cb53bae18c6
7cfbbe1f8b275d7f38a86ac7a8a8f6f2cebb8c792c9fef80d17f2cb518838dbc
7e6b803fd7b817b89116b7c89365cbfdb0968926408246d1c6269e02ee9aefaa
7eb8563951ba19d4eb307a35cc8680750c2b4bc9d6fd1fe03455d12a96fbdd3d
813c2abebcf6e72f22e2ee3f4b19c2026ecac6d9a7a8612461ca07443fa8dd99
820b117ebe32ae0f189898d92dfb622fc1c50dce0c8da25f74244f21f843e95c
838cfdf97751823541e7a9006a6d7677cafc8b0ef2cdcca4cd74ad6b80409ecb
838fe841727b0d74b86e12b4d066b2abae2e631b80f71db4b7e68dd19366e540
85559d2003eb2bb02ede89acf967602d87b566f4e43c54fc66c7a7d6758d8b78
85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d
862c71777632354b975894c0d21dece78ff0dba6847ed21c7faf05e270278b1b
875a795e1bc7aafa1ad29e006d9b82860d79f37b4d12e323e582fae4910b792b
876df9aaacbc164a20a2259a801cc62bde2dab868fd62c07b872a905d17e28f5
87a74e2360dd0152f76e9b0f6d89fc19bb720483ed0a56b8773d14df4c495042
880a26cbf91497e93461d2fac60bc620da269a3e20a47136982c50e13f6098fa
8a821bf10a4846f0930cab8e2e620847c92d88357c0f72d7c63dd480967fd6e7
8aaf5ca2f4eaa7146ae91067ae31e4e5c83ab41d4d4e990b6dc678492e29b378
8b1996650dfdcc91bacd61c995e472fdf05174fe1e3f27c86423b598bff8ad5e
8b3c1c2ad5254c4512ca50b60c2a052238431b4de0ac4a3f92fa10a9ac6d95c3
8b6d0742130bb5e9c89b72c0c7f4b54bcd5583b8fa16a7874345769c86ab0aa7
8c86f7661d732b22244dca49e34fe133034ae23145854625ca53cfd6877c88f9
8d7c5ed0ac8e011a865ff362128d4492544d274f7f78ed2203d4a34309dc194c
8e3578f7049a0c2e24b4929208dec3caa1e0f26b7d3516f9cf75b66e50b7f779
8e7cd6d177aee7f90ea3833544a8e35bd5e39b077ddd06e52bd26806f768c63b
94bf0868b5911fc8e820cfb203b667fe2990d3594c0c6ea393bf73c8964f72f9
9715fd829b0203e8ce87f5c83f9226270578d5431fb8bff894bff5e2aec779f1
9745a06bed39d5497179b09ac77e358eaa361a2d2ed2ab4110df203cd714ddde
9ad3907f87cfe9463cbaa10890feaeca2d20135ebcbbe9837f6f250a66d2b03c
9bbed77abd848307a1294ceb34208401dad1b1b532ff47b65d7521953a73827b
9e066a4517eab0fa66eb33eacf2f198a3f68c0df6a2263019c0e1383e3a040f0
a327a5b3e07df12d68e834ad0b70d740a8b28ce12d203af1e3863b835cb499f1
a363a97587bff557662a7a55a03ba6909e0825d6eafe857a94fb3cf9e7d46145
a4242b16fa8a4c529e1b6128931dfc214bb6484501c2a721433128cdf1bedcbf
a4a6d4257ba42d31c48c812d75de7eeab54a986c31e666c448c74f44909a23c8
a5ff88ebe597aa7cc16f28670a666f7df22d0382434b52eee7129ea144c860ed
a684cf813e14e62901de00c6b965db5945d5c88f4ee31574298bafab0c2b2f38
a6d7cedcc3bd6ed169d401de43f71bf70ddb330c3e135edf7524e85249db59d6
a76f1e0943f70f8b49c4e92e0b8ffa54d9e8b9ee4a5a4d715274f57989ce1eb1
a81d9abc1a3500b6cf51146e27c4976bc0ae538d3acd843249a31b2f7661d55a
a8896269dbc4c785be5d7fed6d1cb137106ed9ea0e7d9a748b4e5b286d8b7347
a88ddeebb2b700e1dba8c9a01bfcd04e51d7f10a7819aeb72a9303064a7f3234
a94586dd7e839c903bf4f0d94ae7bc6468a398bdd0a60357e7c42a8a14f58f61
a98bcb1cf3dda7bd88f01f2fed77f563aa809fa45d35c83395c18290a596f592
aa2f5dc1bec646283a138c937a8ae9fd315271349d3ed76033a6544ac84a124a
ac3cd2a1975b2e9372163b2fbffec59c5da16199146d42e999cd52f4b13427cd
ad42f605167a4accf1c4f7b44f061d4539a24c83a1ed741c4e3564f4db51f934
ae729381c3771fe6c025b1cd90f49d42f2035b14e1340410c2132b60f8ecf94c
af03ee9641ff60b84b708a77c5007f8686c18c99d1c39cc25c55e06705b608bc
b01aaf613a1a23658d02eab0160fc95628d6977dcb1f452c3c159b97c49eb8e6
b5a7d6b4fde24ae736d2a7eee13d0b26984e8f1f3baa3188a785df11085af787
b5afd1866c09d96af5a938a442842700d8ece9f09f9f27fe6004c9380284189f
b692de29a822feb6204cd3d2e301ea1034ca1a73a441ff6d0370f47021f41743
b7321687a3d066ae75dee349ce8eaf88c06e7dd4723a73e9f8082cef9a301cb4
b89d9d03d9746d1e3988eed2e85242044ce0d94fb680249642f3147eead3deab
b919a8623a4ddda12265d379d6b820ec6bfa60a7e9ff884fb8ecf6d05673e4b3
b93834de12180b49c9de32fbf6d1da2d1c4250431d7b7b73e956a9d255df4608
bac6eae6aa5bec55538fd4f0cd3fd2823983295f2adc788cb952942f5f88a787
bcc6a0f860043e9475b2239dd35d7cd2892e59e2b15fe1665ca6b97cdf83178d
bcdda151c8a4a956e7734330d331fcaeefa68fafbce05a9b541004721a7fb1d1
bddda8bd6654d80eb4103e4228515fff8fb07d3b3581d6b9d84274123c5cb016
be754a961a1af834f0fde1cb8c63bac5fa695ae6bcee8787a7e01665ed68cfd5
bf004d25ca0bd4822f08e39fec7cd0e5333097795448ee918990dcd0e2cfe262
c0610cb5290c6ce7dc3383f1311cb8817c46b144bd4511f6eb3b32d69fe47017
c41a47252eed431dcdce05d23c29c9e1037cda650fa85d2cc31551343ce9bd74
c6b96cffb08eb4d7e5088a3bfed22caff0d8ea0b4be2361b78254af073ce0039
c70e8867fe9a63a147588a53e26c6e68753157326c5e759742333ad6d5c5dcc2
c8c1e0c881492502754582f37c799d0613bb1636ee799fb87ec113e2fa9f69b7
cb675bd75f843b237d92a9bbf8d0b35c988e6acc6410e7f4022eeab14dbb9019
cb95fbe6485211140c5837c853b51d8456aa53975cb59bb0f1085cfaa45e10da
cbce146280884ff11bb6791d7f2af38b293befa97f09182a4a79b4345392b7c9
cc68a3c712ef27326e73e2ab6a4222a238700d8cbebc1f1dd4c2955ddc058a75
ccce10e576ecb3a77a20b95e2a740bacfa60c14be59c49e7f2dcae02b09dbef6
ce83e43fe7395512316d716042d06dc6b7ff389483734a7804859f00acd057a7
cf9b13d66428ca7f7b0e00248a17f3f6966266c4db44546f986da783d7ecfc09
cfc094f38d7931e2f1a43e13eb34afe2b1ea99c3b6bef48fc595729472ec23ca
d00ebe9ac3ca9de0e52d92bc7d5959ce2da39dc7c7bdb087625222b55d504f81
d03c89d227b13aad4a5f89da82963a28021a03942bce5aec81b1d2e58ca2df9e
d05a6c87a65e49297104d660149924a7780cecf02d976a02b8127f66ec19e47b
d0b60979068add59737a16b5923340b67d1592afae53aa5986911d2f8fb9d175
d0c69d77e9c360537d093de534824b48153279deeb01c906e3207e46946af040
d21cac7c12279b49da933845313c9e59d148af07a5454c5c7a26a8112bd41092
d34192a865550670b4617daf1d5df2309d27e1e12eb91acb11ca44339473367d
d3754313665867629aab5ebe18303e1e6da5ff0ecf9e6e1ec03ec19a91e0521f
d3b7f9c58de66710bafceee5452ab787d0421c77b9ac7cf16f73eb9face51329
d3b8c0c0c83767d07065c8bc0cbca0c46de55727fcfd238597acf007759f8d10
d4e3f9352c9c7f874f70863bd9a1502e64db813324c985e367ce0ab66a1e8e69
d59c6dad08670919623adcc7307c02f15920036c361d210cc0cdefa6764e3a97
d9d6bde1ade8ae154331b7f7e50564ad17bf9368728959a0a74764ae60bec618
da132cce171e8576315d52ffd8cfbf5e4012e8cda87991f1216fac8ad277fac8
da553c9ad94e59897fc206d3f877c968d7b71a55a508a0ca2c8f0ad821152277
dafa8a40a9454f411f46bc17b7e6a3f17a3aa34e8b6ab63d1fc94d023126749f
dc1028224a82056cc34a53bbc84a2b04e968d232a071ba5bf5e8c0d29966f9df
e01b77ea0724e3f30aaa724017b74b80d1e04ed6d6386b364750bf6c5112488f
e2859ca261cba7c1c4c66cc6e5a238c0fe2582d1956f64d65c6e9fd5ba68ce15
e4df1d05c6086b6adc369631e28f3f6809fb0045d2bd01004b7b8b9f69e77ecf
e6c753dd41db15b801cc7965f46e9e60484f880441b76eb7b5f8450dcd917729
e8e7f1a43f7889ac72988394fcd9e41cf3c6fe91d7e3141c07cb3857f0fb280b
eaa33b965e4291db8cdaafd90d96bd0a9720aecf773b3f09fa2f0caffe00f09c
eaf97bdfc99b58230e545ed752c08d8aace38048e5c4721e3e42f29af497ea41
eb1d426b3c4b7c7bd092b8102e840323c6fefedd7b76fc3e6e13157dde5dab79
ec211b53ed5c2a2cba5bd4b218f37f5c1965a2652bfa1cbbecd11406b2cb55ec
ecbcb1daaf6ebd51c3719c5655357709d87dedc60e834ea3050edea5478c29d3
ecd39b02c1a4962528d4d6241bae665bc37c16ec798ef4f1a428f32f1c226707
ecd9363f563a9ca4e48bb8c330d20147f6e841157540fbdaf20c04778f842233
edcf50273f5831b4a6e0011b6694e4bd48b06d08d5d08b54ba783409fbbc5a1e
ee4d1d45463ac36a5736d4ba8d53bc768ebb36aaabea72dda0f65529f1265f06
ee5b99cf8418204a1089cf4e8c62925606fb423dd1379cf91780124c13d45058
ef7309c479b0e16578e6e35deb84937b82584c9f5f1d20eaf80e350ce2963106
efe6874825791c22d581ce3f5e6bf2aac64bb5e92986c992dd68e1f66283a106
f030b1ffaeabcce9589dca26c12327fb9bf7d12267a44749305df0a9683205e7
f11526a1840ae996b57f59f6d09b0dbdca55733581510481bf9a6acc709dcff1
f2765e4ce3530d95d499ecce56b14e534a6530b768efc3395ad6e0d9122c57a8
f2d14475ca1404f8eccc3b19db0edd1c53957b388ba55e763ca711e907be70b6
f52e2fd604630b0d1f0ab54ff1a0e2de7baabc83df615a05989d4ec9575ea7d5
f71c7559f58f2ee7bd2e568e063ef5c9afb176425924e7a6990ca3c4d8994ea2
f7fb25c291a539b7a4b80c4f2fbe9ce11897f5c34084a2bf112cd7b3518719cd
f8cc1706d895299cda34ba28f2fe9060498eacc929db52bfb4255bd2fdd6969f
f9ee2d41fd48ae8393bb1ea1d5061dbe0eebc3e6ed10f60cd95848bef1f5e968
fd50dd7027b79229e268479844455f417c68921ced61caaed8d874de1e18b4d2
fde84b86365d93307eee3e66ac13aca163735290a6469781a2bf1c5a38d5d215
ff15ae0017b68270dc2d2aaabd953f251915848ec9451fd64fc3d41d05915413
ff5159e77be4e2df15eb35e995d97776eea749f1e08e9b543790157773ab42b3
ff5ad78801426320ce7948f00b3be4cc0896591330d37a52bfd98f2b3976e70f
Servers:
43.249.31.3:9751
43.249.30.55
43.249.172.222:9751
45.195.149.177
45.204.71.133
45.204.1.206
45.205.1.7
45.205.1.30
47.96.38.160:8160
47.98.133.57:3357
103.39.229.124:9751
103.39.231.7
103.44.244.84
103.148.186.124
104.233.220.14:9996
https://4-27.oss-cn-hangzhou.aliyuncs.com/ (106.14.229.114)
107.148.10.3:9751
112.124.64.7:4647
119.91.142.14:9751
121.199.161.215:1215
https://oss-cn-hangzhou.aliyuncs.com (121.199.204.177)
139.224.13.184
http://bluest.cc:6121/down/ (107.148.55.56:6121)
129.226.222.90
154.12.79.129
154.39.250.164
154.39.251.140
154.39.251.179
154.55.135.17
154.55.135.37
154.55.135.84
154.55.135.186
175.27.230.178:888
192.74.237.20:9751
202.79.168.210:9751
202.95.11.66
202.95.14.162
202.95.14.185
202.95.14.154
goou56.xqwjhtz.com:9751
goou56.xqwjhtz.com:6121
goou56.xqwjhtz.com:9752
About the authors:
Marian Gusatu (Specialist Threat Researcher), discovered this new threat and together with Alexandru-Cristian Bardas (Specialist Threat Researcher), and Stefan Nicula (Senior Threat Researcher), efficiently worked on this complete research, including hunting for other variants of this malware, building up the server hive, the malware analysis process and detection enhancements against this newly emerged threat. They work together for GenDigital in Romania and their expertise lies in reverse engineering, malware analysis and vulnerability research from both offensive and defensive perspectives.