Sophos X-Ops detects Trojan Windows installer for CloudChat

Carding 4 Carders

Sophos X-Ops researchers have uncovered a supply-chain attack in which an attacker compromised the official CloudChat server and modified the Windows installer to distribute malware.

CloudChat for Android, Mac, iOS, and Linux was not affected. The app code itself was not changed; instead, an additional import library was added, d3lib1.dll (code1.dll and code3.dll).

The malicious d3lib1.dll, downloaded during the app installation process, contains an encrypted payload that connects back to the C2 server to download and run the next stage of malware.

First, the DLL scans running processes for specific strings: 360 (possibly linked to Qihoo), xagt (the FireEye agent), and falcon (CrowdStrike). If there is a match, it tries to terminate the matching process.

Next, the DLL connects to an intermediate server and downloads a BMP file that contains data encrypted with RC4, which the DLL decrypts using the hard-coded key fdjYUGYb&%53321.

The decrypted content is a data structure and shellcode that together form an intermediate-stage payload. The data structure includes an XOR key for deobfuscating intermediate-stage payloads, along with other required parameters.

The DLL then builds a small object holding the various APIs it will need later, resolving each API directly from the PEB using ROR12 API hashing.

The DLL then decompresses the intermediate-stage payload using LZNT1. The stager shellcode creates a mutex named lks2x, then binds to the C2 defined in its configuration, which is also RC4-encrypted with the same key. In this case, the C2 IP address is 103.169.91.16, port 443.
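Turning the behaviours above into a host triage check, as an added example that is not from the Sophos report or the original post: it scans constructed endpoint telemetry (JSON lines, an assumed format) for the trojanised DLL load, the kill attempts against 360/xagt/falcon processes, the lks2x mutex and the 103.169.91.16:443 C2 connection, and reports which stages each host shows.

```python
import json

# Indicators and behaviours taken from the Sophos X-Ops description above.
TROJAN_DLLS = {"d3lib1.dll", "code1.dll", "code3.dll"}
EDR_PROCESS_STRINGS = ("360", "xagt", "falcon")  # Qihoo 360, FireEye xagt, CrowdStrike Falcon
STAGER_MUTEX = "lks2x"
C2_ENDPOINT = ("103.169.91.16", 443)

def classify_event(event):
    """Map one telemetry event (dict) to the infection stage it matches, or None."""
    kind = event.get("type")
    if kind == "image_load":
        # Compare only the file name; the installer's temp path varies per host.
        if event.get("image", "").lower().rsplit("\\", 1)[-1] in TROJAN_DLLS:
            return "trojanised_installer_dll"
    elif kind == "process_terminate":
        # Kill attempts against security tools; an admin uninstall can look the same,
        # so this stage is most convincing alongside the others.
        if any(s in event.get("target", "").lower() for s in EDR_PROCESS_STRINGS):
            return "security_tool_kill"
    elif kind == "mutex_create":
        if event.get("name") == STAGER_MUTEX:
            return "stager_mutex"
    elif kind == "network_connect":
        if (event.get("dst_ip"), event.get("dst_port")) == C2_ENDPOINT:
            return "c2_beacon"
    return None

def triage(lines):
    """Return {host: set(stages)} for every host with at least one matching event."""
    hits = {}
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the triage
        stage = classify_event(event)
        if stage:
            hits.setdefault(event.get("host", "unknown"), set()).add(stage)
    return hits

# Constructed sample telemetry (one JSON event per line); not real captured data.
SAMPLE_TELEMETRY = r"""
{"host":"ws01","type":"image_load","process":"CloudChat-Setup.exe","image":"C:\\Users\\a\\AppData\\Local\\Temp\\d3lib1.dll"}
{"host":"ws01","type":"process_terminate","process":"CloudChat-Setup.exe","target":"xagt.exe"}
{"host":"ws01","type":"mutex_create","process":"CloudChat-Setup.exe","name":"lks2x"}
{"host":"ws01","type":"network_connect","process":"CloudChat-Setup.exe","dst_ip":"103.169.91.16","dst_port":443}
{"host":"ws02","type":"network_connect","process":"chrome.exe","dst_ip":"203.0.113.10","dst_port":443}
""".strip().splitlines()
```

Calling `triage(SAMPLE_TELEMETRY)` reports all four stages for ws01 and nothing for ws02; a host showing several stages together is a far stronger signal than any single one.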

It is unclear how long the trojanised installer was distributed, but Sophos noticed the incident in August and immediately notified the vendor, which has not responded to date.

However, the official site now hosts the original installer without the malicious functionality, and the campaign can be considered over.

In turn, Sophos has published IOCs related to this campaign on its GitHub here: https://github.com/sophoslabs/IoCs/blob/master/CloudChat-IOCs.csv