VasyGrek and Mr. Burns: Strong financial ties

Carding Forum

F.A.C.C.T. experts analyzed tools and connections of cybercriminals attacking Russian accountants.

Despite a significant increase in cyber attacks by pro-government groups and hacktivists, the financial motivation of cybercriminals has, of course, not disappeared. In addition to the numerous ransomware operator groups that we cover in detail in our blogs, the cybercrime world has several iconic lone actors who, for various reasons, have managed to avoid publicity for a long time. It is time to fix that.

Since 2020, F.A.C.C.T. specialists have been tracking attacks by the VasyGrek attacker, who has been attacking Russian companies since at least 2016. As the initial attack vector, VasyGrek uses emails sent ostensibly on behalf of an accounting department on financial topics: "Reconciliation Report", "Payment order", "1C".

In its numerous attacks, VasyGrek uses infected modifications of the legitimate remote administration tool RMS (Remote Utilities), malware developed by PureCoder (PureCrypter, PureLogs, etc.), and other malware available for purchase on public forums, such as MetaStealer, WarzoneRAT (Ave Maria), RedLine Stealer, etc.

In March 2024, BI.ZONE experts described the activity of the VasyGrek attacker under the name Fluffy Wolf for this cluster of activity, but much remained behind the scenes.

In this article, we describe the current threats to Russian companies from the VasyGrek attacker, analyze his activity on forums and his communication with the malware developer Mr. Burns, who sells developments based on legitimate remote system management tools. We also describe the current variation of the BurnsRAT tool and what is known about its developer, Mr. Burns.

Key findings

  • Analysis of the infection chain of the VasyGrek attacker attacking Russian companies.
  • Forum activity of VasyGrek since 2016 and its connection with the infrastructure of its attacks.
  • Link between the VasyGrek attacker and the malware developer Mr. Burns.
  • History of the malware developer Mr. Burns, starting in 2010.
  • Description of the current version of the BurnsRAT malware sold on forums and used in attacks on Russian companies.

Timeline of attacks 2022-2024

The timeline shows the dates of the malicious mailings we detected that relate to the VasyGrek attacker.

The infection chain may differ between attacks. For example, in some attacks a URL that downloads the archive when clicked is used instead of an attached archive. VasyGrek may also use a different number of PureCrypter.Downloader stages, thus changing the number of malicious tools delivered to the infected system.

VasyGrek has been using emails as the initial access vector of its attacks since at least 2017 and up to the time of writing.

The subjects of emails sent by VasyGrek contain requests to sign reconciliation reports, payment orders, and so on. In most cases the emails are sent on behalf of an accounting department. They contain a password-protected attached archive, with the password placed in the archive's own name. The executable file is located inside the archive. The executables we examined were classified as PureCrypter.Downloader.

For example, in the April 2, 2024 attack, the archive docx_1C_02_04_2024 (PASSWORD 123).rar contains the executable docx_1C_02_04_2024.PDF.com (SHA1: f9737d2ada4de632e0213d09fd90d329113918f1), classified by us as PureCrypter.Downloader, whose task is to download and launch the next stage, PureCrypter.Injector. The method of delivering the payload varies: we have seen files transferred with reversed byte order as well as files encrypted with the Triple DES algorithm. After the file is restored to a valid form, it is loaded into memory and executed in the context of the current process. PureCrypter.Injector is a .NET library whose tasks are to launch the next stage and an additional malicious module. The additional module is executed in process memory without being saved to the system, while the next stage is written to the system and then launched on the infected device.
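The lure pattern described above (password spelled out in the archive name, a document-like double extension on the executable inside, accounting-themed subject) lends itself to a simple mail-gateway triage rule. The following is an added example written for this article, not F.A.C.C.T. tooling; the heuristics, the sample subjects and the member file names are constructed, with only the archive names modelled on the naming scheme the report describes.

```python
import re
from dataclasses import dataclass, field

# Constructed heuristics for the lure pattern described in the article: a password-protected
# archive whose password is spelled out in its own name, carrying an executable with a
# document-like double extension, under an accounting-themed subject.

ARCHIVE_EXTS = {".rar", ".zip", ".7z"}
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

# Password in the archive name, e.g. "(PASSWORD 123)"; the Russian spelling is covered too.
PASSWORD_IN_NAME = re.compile(r"\((?:password|пароль)\s*\S+\)", re.IGNORECASE)
# Subject keywords taken from the article: reconciliation report, payment order, 1C.
ACCOUNTING_SUBJECT = re.compile(r"reconciliation|payment order|\b1c\b", re.IGNORECASE)


def extensions(name: str) -> list:
    """Return every trailing extension of a file name, lower-cased.
    'docx_1C_02_04_2024.PDF.com' -> ['.pdf', '.com']"""
    parts = name.strip().split(".")
    return ["." + p.strip().lower() for p in parts[1:]]


@dataclass
class Verdict:
    archive: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # An executable inside a password-in-name archive is the core of the lure;
        # the subject only adds context and never flags on its own.
        return any(r.startswith(("password", "executable")) for r in self.reasons)


def triage_attachment(subject: str, archive_name: str, members: list) -> Verdict:
    """Score one mail attachment from the archive's own name and its member names."""
    v = Verdict(archive_name)
    exts = extensions(archive_name)
    if exts and exts[-1] in ARCHIVE_EXTS and PASSWORD_IN_NAME.search(archive_name):
        v.reasons.append("password spelled out in archive name")
    for member in members:
        mexts = extensions(member)
        if mexts and mexts[-1] in EXEC_EXTS:
            v.reasons.append(f"executable member: {member}")
            if len(mexts) >= 2 and mexts[-2] in DOC_EXTS:
                v.reasons.append(f"document-style double extension: {member}")
    if ACCOUNTING_SUBJECT.search(subject) and v.reasons:
        v.reasons.append("accounting-themed subject on a flagged attachment")
    return v


# Constructed sample mails; member names are invented, archive names follow the report's scheme.
SAMPLES = [
    ("Reconciliation report for signing", "docx_1C_02_04_2024 (PASSWORD 123).rar",
     ["docx_1C_02_04_2024.PDF.com"]),
    ("Payment order", "Akt_09283_1C_oplata.PDF.rar", ["Akt_09283_1C_oplata.PDF.scr"]),
    ("Q1 budget", "budget_q1.zip", ["budget_q1.xlsx", "notes.txt"]),
]

if __name__ == "__main__":
    for subject, archive, members in SAMPLES:
        v = triage_attachment(subject, archive, members)
        print(f"{archive}: {'SUSPICIOUS' if v.suspicious else 'ok'} {v.reasons}")
```

The archive member names have to come from a gateway that can list password-protected archives (the password is in the file name, so a sandbox can open them); the rule deliberately does not flag a document-only archive, which is the common legitimate case for accounting mail.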

It is important to note that the set of malicious modules may depend on the specific attack. These may be malicious tools developed by PureCoder or MetaStealer. Earlier in 2024, VasyGrek also used the malicious tools RedLine and WarzoneRAT (Ave Maria). Another distinctive feature of VasyGrek is that the C2 addresses in the additional modules all lead to a single server and differ only in a port dedicated to each malicious tool. For example, in the 2024 attacks the additional modules communicate with the command server at the IP address 91[.]246[.]41[.]200, with the following ports dedicated to the various malware families: 7702, 5554, 56001, 56002, 56003, 58001, 58002, 58003.

As indicated in the diagram above, VasyGrek may use PureCrypter.Downloader several times to run additional malicious modules on an infected system. In the vast majority of attacks, the final stage of the infection chain we discovered is an infected modification of the Remote Utilities remote administration software (aka RMS). F.A.C.C.T. specialists classify this malware as BurnsRAT. For more information about this tool, see the BurnsRAT section.

According to our data, after BurnsRAT is installed on the affected system, VasyGrek sends commands of the form cmdv start {URL}. These commands open a web page with the attacker-specified URL in the browser on the infected system. In the cases studied, the links led to a landing page with a fake authorization form for the business account of a banking service. VasyGrek has been using web pages with fake forms since at least 2022.

Strong (male) bond

This section investigates one of the attacks conducted by VasyGrek in 2020. A mistake made when setting up the command server led us to a connection between two attackers whose interaction has lasted more than five years.

During the attacks from May to December 2020, VasyGrek used the BurnsRAT.TV malware (an infected modification of TeamViewer), which contained the following C2 addresses on 360mediashare[.]com:
  • hxxp://360mediashare[.]com/1/command.php
  • hxxp://360mediashare[.]com/2/command.php
An email sent from the address vasy2020new@yandex[.]en on November 19, 2020 included an image with an archive download link: hxxps://trianglimsk[.]ru/optata.rar. The downloaded archive oplata.rar (SHA1: e961421fdc72cd6abe737ed3d9db5ed5cb311ec4) contained the executable oplata.scr (SHA1: 4812625252165982da23875c469666425ce4866e), which is WarzoneRAT malware (aka Ave Maria).

The detected WarzoneRAT sample contains the C2 address 95.217.100.156:5541, from which the link hxxps://trianglimsk[.]ru/_Release.exe was received; it was used to load the next stage, BurnsRAT.TV (SHA1: 49d95a7cc045171acbf7512585b0b985f2853e60).

The resulting BurnsRAT.TV build contains the C2 address hxxp://360mediashare[.]com/2/command.php. When accessing the domain 360mediashare[.]com, an open directory was found containing the directories "1", "2" and "cgi-bin" and the files panel_vasy.zip and tg.php. Open access to the root directory was probably due to errors in the server configuration.

The file panel_vasy.zip is an archive containing the files from directories "1" and "2" as well as the configuration file tg.php. tg.php contains the token (the individual key required for operation) of the Telegram bot @GREK2020bot (ID 990668955) and the commands the bot uses to work with the database.

Further investigation revealed the messages sent and received by this bot. Only two users interacted with it: @vasy2020grek (ID 273306959) and @goga_seksi (ID 295688215). Judging by the messages, after sending the standard /start command to the bot, the users received data from infected devices containing the victims' IP addresses and connection IDs. The logs contain a Type: field with two values, TV and RMS, depending on the BurnsRAT variant used.

Based on the bot logs, it can be argued that the administrators of the studied malware are the users with the Telegram accounts @vasy2020grek (ID 273306959) and @goga_seksi (ID 295688215), since information about infected devices is sent only to them.

Next, we present the results of our research on each of these users and describe their forum activity and areas of activity in more detail.

VasyGrek

A search for the Telegram account @vasy2020grek turned up a message looking for RAT-type malware in the Telegram chat Market.ms.

On February 4, 2021, the Telegram account @vasy2020grek appeared in a message by the user mts2015stm on the shadow forum exploit.in.

Forum activity

Based on data from our F.A.C.C.T. Threat Intelligence platform, the activity of the user with the pseudonym mts2015stm on the forum exploit.in started on October 10, 2016. The first message found was posted in the topic "requires RMS (reverse engineering)", offering to sponsor and buy a ready-made RMS builder.

The next day, October 11, 2016, this user created the topic "Buy programs for remote access!", with a message about looking for remote access tools.

Subsequently, he actively participated in exploit.in discussions about buying or selling malware based on legitimate remote management tools such as RMS or TeamViewer.

While studying the activity of mts2015stm, we also found his messages of thanks in topics dedicated to the following malware:
  • various Android Trojans (exploit.in — 2017, hackforums.net — 2019);
  • Azorult (exploit.in — 2017);
  • MinerBot (exploit.in — 2017);
  • WarzoneRAT (hackforums.net — 2019);
  • Raccoon Stealer (exploit.in — 2019).

The last message of the user mts2015stm was posted on February 4, 2021 on exploit.in, in his own topic "I'll buy a Loader, or I'm looking for someone who can do builds".

Linking forum activity to attacks

Although the user mts2015stm stopped being active on the forums three years ago, VasyGrek's attacks have only gained momentum since then and continue to this day. This is confirmed by the timeline of attacks and the example emails in the infection chain description above.

We have recorded correlations between the start dates of mts2015stm's forum activity and the dates of attacks by the VasyGrek attacker. We have indicators showing that this attacker's attacks began in December 2016, when the attacker distributed a modified RMS. The essence of the modification is that after initialization, RMS sends the information needed to connect to the infected system to an email address controlled by the attacker.

VasyGrek hosted its malware samples on a server, from which they were downloaded by XLS files (example: Reconciliation Report.xls, SHA1: 942d9edeada9547014c163120429831d126d9747) containing VBA scripts. When the scripts executed, the modified RMS was loaded. It is also worth noting that since 2016, VasyGrek has used accounting document terminology in its file names, with keywords such as "reconciliation report", "payment order", "1C", etc.

The first detected domain from which the modified RMS was distributed is mts2015stm[.]ru. Notably, the domain name matches VasyGrek's forum alias (mts2015stm). However, the first emails found that were attributed to the VasyGrek attacker were sent on June 27, 2017.

We also note that the email subjects used by the VasyGrek attacker have remained unchanged over the entire period of the attacks.

As noted earlier, we know of VasyGrek attacks using various malware sold on shadow forums. Oddly enough, mts2015stm also left comments on the forums in the topics selling this malware.

Examples of such "matched" malware used by VasyGrek are given below:
  • WarzoneRAT starting in 2019 (example C2: 146.185.195[.]28:5541).
  • AZORult in 2017 (example C2: 181.215.235.180).
  • Miner software in 2017 (example SHA1 file: 9dd39d2c4def476e987e77f6593e7b6feff86dda).
Since the beginning of 2019, VasyGrek has based its attacks on modified versions of TeamViewer and RMS, written by the same developer and classified by us as the BurnsRAT family. You can learn more about this developer and the BurnsRAT malware in the corresponding sections of this research. VasyGrek has used this malware from 2019 until today. Below is a timeline of BurnsRAT C2 addresses, in table form, by file distribution date.

BurnsRAT C2 address        Date of use
vip22gr[.]ru               April 2022 - present
natgeo[.]pro               February - October 2021
360mediashare[.]com        May 2020 - February 2021
office360share[.]com       February - May 2020
msupdate[.]icu             October - December 2019
office360[.]icu            August - September 2019
windowsactivate[.]link     August 2019
liveupdate[.]online        February - August 2019

Thus, we can claim that VasyGrek has been a client / partner of this malware developer for more than five years.

Mr. Burns

Let us return to the Telegram account @goga_seksi, which, like @vasy2020grek (owned by the attacker VasyGrek), also received messages about compromised devices.

The description of the Telegram account @goga_seksi (ID 295688215) specified the Jabber account mrburns@exploit.im.

A search for the pseudonym mrburns revealed several accounts with almost the same name (Mr. Burns) on various shadow forums. As further investigation showed, they all belong to the same malware developer. Mr. Burns is a true long-lived darkweb user: his first posts on shadow forums date back to 2010. Most of the programs created by Mr. Burns are based on legitimate remote management tools such as TeamViewer, RMS (Remote Utilities), LiteManager, and others.

From his very first posts in 2010 on the forums hpc.name, antichat.ru and prologic.su, Mr. Burns was interested in and actively participated in discussions of programming, exploits, sniffers, and ways to bypass antivirus software. The main area of his activity has always been the creation of malware, but for a long time all his developments were published openly, without commercial benefit.

Mr. Burns first published self-written malware in August 2010 on the Antichat and prologic forums. It was "Fake Mail.Ru Agent 5.7", a stealer that imitates the authorization window of the Mail.ru Agent, checks the validity of the data entered by the user, and sends it to the command center.

On September 3, 2011, another user of the forum xaker.name created the topic "RMS 5.1 with sending ID and pass to the mail" (https://xak[.]guru/threads/23230/) about building the remote management tool RMS 5.1 so that it works covertly. The topic drew a great response from forum participants and received more than 1,900 comments. It was thanks to this topic that Mr. Burns became interested in developing remote access Trojans and began publishing his own RMS builds in June 2013. Over the following year, he publicly worked on changing and improving the quality of the malware.

In 2014, Mr. Burns published his own topic dedicated to the modified version of RMS 5.6 that he created (title: "Portable version of RMS 5.6"). In this topic we found a description of the build and a download link, published by the author, Mr. Burns.

Since then, all further published developments of Mr. Burns have been modifications of various remote control tools. The posts describing the builds did not hide that they were created as malicious software. At the same time, Mr. Burns posted all the first versions of his RAT-type malware publicly and did not sell them.

Over time, recognition from the virus-writing community came as well. On March 19, 2021, the user Mr. Burns was appointed moderator of the Malware section on the shadow forum exploit.in.

The first case we found of Mr. Burns selling his own tools was the exploit.in forum topic "[RENT] RAT Hidden TeamViewer / Hidden TeamViewer". The first message with information about the build was published on August 19, 2021.

After the publication of the topic selling the malware, Mr. Burns' forum activity almost stopped. He continues to publish only rare updates to his commercial topics.

Topics on exploit.in where recent activity of Mr. Burns was observed:
  • [RAT] RMS BTS Edition - RAT+HRDP based on legitimate software (February 2023 - present).
  • [RENT] RAT Hidden TeamViewer / Hidden TeamViewer (September-August 2021).
  • Hidden TeamViewer (August 2021).
  • Hidden LiteManager of analogs for RMS RAT + src (March 2021).
This developer also maintains the topic "[RAT] RMS (BTS Edition) - RAT based on legitimate software" on xss.is under the pseudonym MrBurns.

Who is hiding under the mask?

A small disclaimer: for ethical reasons, we do not disclose personal data, but all information collected during the research has been passed on to law enforcement agencies.

Almost all profiles named Mr. Burns found on shadow forums list the ICQ number 610047 as a contact. This confirms that, despite the ambiguous attribution of a name borrowed from a character in the popular animated series "The Simpsons", all these profiles belong to the same attacker.

The same ICQ number was listed by the user sponkey on the forums xss.is and searchengines.guru and by the user Propeller on the searchengines.guru forum.

According to our data, some of these accounts are registered to the email addresses sonofabitch@ua.fm and sonofabitch@ukr.net.

A currently blocked page on the social network VKontakte is registered to the email address sonofabitch@ukr.net in the name of P'yatnochka Volodimir, Ternopil (earlier, a page was registered in the name of Andriy R******, Ternopil).

This page is now registered to the email address sluter@ukr.net. Initially, this VKontakte page was linked to the phone number 380********* (Kyivstar, Ukraine). Now another page with the same name, Andriy P*******, Ternopil, is registered to this number, as well as an account in the Skype messenger, Sluter_ua, with the specified date of birth.

In 2006, on the resource Midi.ru, the user Andrey R****** listed the same phone number 380********* as contact information. Andrey's profile mentions the date of birth **.**.1986, which matches the date from the Skype user Sluter_ua, and the city of Ternopil.

Based on the totality of the collected data, it is safe to say that the malware developer with the pseudonym Mr. Burns is a citizen of Ukraine, Andrey R******* (Andriy R*******), born **.**.1986, from the city of Ternopil.

BurnsRAT

Selling on the forum

Currently, the author maintains the topics "[RAT] RMS BTS Edition - RAT+HRDP based on legitimate software" on exploit.in and "[RAT] RMS (BTS Edition) - RAT based on legitimate software" on xss.is, where he sells malicious modifications of RMS. This tool, developed by Mr. Burns, is classified by us as BurnsRAT.

Below we present a description of BurnsRAT, based on the build that was used in one of VasyGrek's attacks.

Information about the analyzed BurnsRAT build file:
  • File Name: 22012024BUILD.exe
  • MD5: 2302efee7f01875df7afa6b03301b93e
  • SHA1: 02af288ea97c1f2c5cda007556541865614f9651
  • SHA256: b2193cb3f8bd13c8a5769d5ce499a36b9c44e2eb2800bcdf22320525beaf9586

Startup process

The software built by Mr. Burns uses the DLL hijacking technique: legitimate software is distributed together with an infected library that is loaded by the legitimate remote management tool. During startup, the search-order hijacking (execution order interception) technique is applied twice, after which the malicious library is loaded into memory.

The executable file is a self-extracting archive that contains the following files:
  • Silverlight.Configuration.7z (path and name can vary) - an archive containing Silverlight components, Remote Utilities, and a modified msimg32.dll library.
  • 7z.exe - the 7-Zip utility.

However, in some cases NSIS installers are used instead of SFX archives. In that case, instead of the standard 7-Zip utility, the nsis7z.dll library is used, which makes 7-Zip functionality available in NSIS scripts.

After launch, the executable unpacks the archive Silverlight.Configuration.7z to the directory C:\ProgramData\Silverlight.Configuration\Old and runs the executable Silverlight.Configuration.exe (the Microsoft Silverlight configuration utility). The directory to which the files are extracted depends on the specific build, but in most cases it is associated with the name of the legitimate tools involved in the BurnsRAT startup chain. Example paths:
  • {ProgramData}\Silverlight.Configuration\Old\
  • {ProgramData}\Usoris\Remote Utilities\Backup\
  • {ProgramData}\RUTs\Logs\
Silverlight.Configuration.exe is needed here to run Remote Utilities via the execution order interception technique. After launch, Silverlight.Configuration.exe tries to run the file wuapihost.exe, a system utility located in the system folder. However, because of the execution order interception technique, the directory where Silverlight.Configuration.exe resides contains another file named wuapihost.exe, which is the renamed rutserv.exe of Remote Utilities. This way, the Remote Utilities program runs instead of the system utility. The renamed rutserv.exe then tries to load the system library msimg32.dll, but, again through execution order interception, the modified version of this library located in the same directory is loaded instead. It is this library that contains the implementation of the malicious BurnsRAT functions, as well as the functionality to hide Remote Utilities from view.

Initialization

The Trojan's initialization is located in the DllMain function, which runs after the library is loaded into process memory. If the registry key HKCU\SOFTWARE\Usoris\Backup is missing, BurnsRAT initialization is performed. Initialization consists of obtaining the necessary data about the system and the process and installing hook functions that ensure the operation of the modified version of the legitimate remote management tool. Most of the function overrides serve to hide the operation of RMS and to avoid errors when the original file names, registry keys, and events are accessed. However, one of the overrides (CreateWindowExW) contains functionality for creating a thread that is responsible for interacting with the server and for receiving and processing commands. List of functions overridden during initialization:
  • OutputDebugStringW
  • FindFirstFileW
  • GetModuleFileNameW
  • CreateToolhelp32Snapshot
  • GetFileAttributesW
  • CreateFileW
  • CreateProcessW
  • CreateEventW
  • GetCommandLineW
  • CreateWindowExW
  • NtUserSetWindowPos
  • NtUserShowWindow
  • MessageBoxA
  • MessageBoxW
  • SetForegroundWindow
  • BringWindowToTop
  • NtUserSetFocus
  • Shell_NotifyIconW
  • SHGetSpecialFolderLocation
  • bind
  • connect
  • PlaySoundW
  • sndPlaySoundW
  • WTSSendMessageW
  • RegCreateKeyExW
  • RegOpenKeyExW
  • OpenServiceW
  • CreateServiceW
  • CheckTokenMembership
  • GetNamedSecurityInfoW
  • SetNamedSecurityInfoW
  • CreateProcessAsUserW
  • CreateProcessWithLogonW
  • WinVerifyTrust

Persistence in the system

To achieve persistence in the system, BurnsRAT creates a service named USBSafeManager with the display name USB Safe Manager. This service executes a command with the following template:

%SYSTEMROOT%\system32\svchost.exe -k "USBSafeManagerGrp" -svcr "{BURNS_RAT_FULL_PATH}"

In addition to the service, BurnsRAT creates a value named Silverlight.Configuration.exe in the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, with the path to the Silverlight tool as its data.
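The startup chain above (system binary names dropped outside the system directory) and the persistence artefacts in this section (the USBSafeManager service and the RunOnce value) give a defender three host-side checks. The following is an added example written for this article, not F.A.C.C.T. or vendor code: it runs the checks over constructed records (a file listing, one service-install record such as System log event 7045, one RunOnce value). The -svcr target in the sample is a placeholder for {BURNS_RAT_FULL_PATH}; the heuristic that a ProgramData path in a service or RunOnce target is suspicious is an assumption of this example, not a statement from the report.

```python
import re
from pathlib import PureWindowsPath

# Added host-side triage for the BurnsRAT startup and persistence artefacts described in
# the report. Inputs are constructed records, not live collection; feed it from your own
# EDR, Sysmon or registry export.

# System file names that BurnsRAT places outside the system directory: wuapihost.exe is a
# renamed rutserv.exe and msimg32.dll is the modified library carrying the implant.
SYSTEM_NAMES = {"wuapihost.exe", "msimg32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Service indicators taken from the report (service name and svchost group) and the
# RunOnce value name.
SERVICE_NAME = "usbsafemanager"
SERVICE_GROUP = "usbsafemanagergrp"
RUNONCE_VALUE = "silverlight.configuration.exe"

SVCHOST_CMD = re.compile(
    r'svchost\.exe\s+-k\s+"?(?P<group>[^"\s]+)"?\s+-svcr\s+"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE,
)


def hijack_candidates(paths):
    """Return files that carry a system binary name but live outside the system directory."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() in SYSTEM_NAMES and not str(wp).lower().startswith(SYSTEM_DIRS):
            hits.append(str(wp))
    return hits


def service_findings(service_name, image_path):
    """Check one service-install record (service name + image path) against the report."""
    reasons = []
    if service_name.lower() == SERVICE_NAME:
        reasons.append("service name matches USBSafeManager")
    m = SVCHOST_CMD.search(image_path)
    if m:
        if m.group("group").lower() == SERVICE_GROUP:
            reasons.append("svchost group matches USBSafeManagerGrp")
        if "\\programdata\\" in m.group("target").lower():
            reasons.append("svchost -svcr target under ProgramData (example heuristic)")
    return reasons


def runonce_findings(value_name, data):
    """Check one HKCU\\...\\RunOnce value against the report."""
    reasons = []
    if value_name.lower() == RUNONCE_VALUE:
        reasons.append("RunOnce value named Silverlight.Configuration.exe")
    if "\\programdata\\" in data.lower():
        reasons.append("RunOnce target under ProgramData (example heuristic)")
    return reasons


# Constructed sample data; the -svcr target is a placeholder for {BURNS_RAT_FULL_PATH}.
SAMPLE_FILES = [
    r"C:\Windows\System32\wuapihost.exe",
    r"C:\ProgramData\Silverlight.Configuration\Old\wuapihost.exe",
    r"C:\ProgramData\Silverlight.Configuration\Old\msimg32.dll",
    r"C:\ProgramData\Silverlight.Configuration\Old\Silverlight.Configuration.exe",
]
SAMPLE_SERVICE = (
    "USBSafeManager",
    r'%SYSTEMROOT%\system32\svchost.exe -k "USBSafeManagerGrp" -svcr '
    r'"C:\ProgramData\Silverlight.Configuration\Old\Silverlight.Configuration.exe"',
)
SAMPLE_RUNONCE = (
    "Silverlight.Configuration.exe",
    r"C:\ProgramData\Silverlight.Configuration\Old\Silverlight.Configuration.exe",
)

if __name__ == "__main__":
    print("search-order hijack candidates:", hijack_candidates(SAMPLE_FILES))
    print("service:", service_findings(*SAMPLE_SERVICE))
    print("runonce:", runonce_findings(*SAMPLE_RUNONCE))
```

The first check is the most portable one: a file named like a system binary sitting next to a legitimate signed executable under ProgramData is the shape of every search-order hijack, not only this family, so it is worth keeping even after the specific service and value names change between builds.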

Network interaction

BurnsRAT communicates with the command server over standard HTTPS. Traffic is encrypted with the RC4 algorithm, using as the key the domain name through which communication with the server takes place (example: vip22gr[.]ru). The User-Agent has the following template: Mozilla/5.0 (Windows NT {OsMajorVersion}.{OsMinorVersion}) Firefox/78.0.

Before interaction with the command server begins, the following data is collected:
  • Whether the UsbManager service is installed (0 or 1).
  • Bit depth of the running process (0 — x86, 1 — x64).
  • Whether administrator rights are obtained (0 or 1).
  • Whether the process is running as an administrator (0 or 1).
  • CRC32 of %USERNAME%%COMPUTERNAME%%SID%2.
  • System version (major, minor, build number).
  • Username.
  • Computer name.
  • Domain name.
  • System language.
  • Name of the active window.
  • Path to the active window process file.
  • InternetId and RMS password.
  • Screenshot of the screen.
After that, the data will be encrypted and sent to the command server.

The data returned by the server is also RC4-encrypted, with the domain name used to communicate with the command server as the key. In addition to commands, the server response contains a backup C2 address and path through which interaction takes place if the main server becomes unavailable. At the time of writing, the C2 server returns the address hxxp://vip23newtop[.]fun/framework/.
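Because the RC4 key is simply the C2 domain, an analyst holding a packet capture and the contacted host name can decode both directions of the exchange described above. The block below is an added example for this article, not BurnsRAT code or F.A.C.C.T. tooling: a plain RC4 implementation, a decoder keyed on the domain, and a matcher for the User-Agent template. The beacon body is a constructed string, not a real capture; the domain is the report's vip22gr[.]ru, refanged.

```python
import re

# Added example: standalone RC4 plus a decoder for BurnsRAT-style traffic, where the key
# is the C2 domain name. The beacon content is constructed, not a real capture.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). Encryption and decryption are the same."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_c2_body(c2_host: str, body: bytes) -> bytes:
    """Decrypt a request or response body using the C2 domain as the RC4 key,
    as the report describes for BurnsRAT."""
    return rc4(c2_host.encode("ascii"), body)


# The report's User-Agent template. A genuine Firefox 78 on Windows also carries the
# tokens "Win64; x64; rv:78.0" and "Gecko/20100101"; the stripped-down form is therefore
# usable as a proxy-log signature on its own.
BURNS_UA = re.compile(r"^Mozilla/5\.0 \(Windows NT (\d+)\.(\d+)\) Firefox/78\.0$")


def ua_matches_template(user_agent: str):
    """Return (major, minor) OS version if the UA matches the template, else None."""
    m = BURNS_UA.match(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


if __name__ == "__main__":
    host = "vip22gr.ru"  # defanged in the report as vip22gr[.]ru
    beacon = b"type=RMS;user=CONSTRUCTED\\analyst;admin=1"  # constructed sample fields
    wire = decode_c2_body(host, beacon)      # bytes as they would appear on the wire
    print(wire.hex())
    print(decode_c2_body(host, wire))        # round-trips to the plaintext
    print(ua_matches_template("Mozilla/5.0 (Windows NT 10.0) Firefox/78.0"))
```

The same key-is-the-domain property means a captured TLS-decrypted body can be tried against every SNI seen from the host; a body that decodes to readable field names for exactly one domain identifies the C2.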

BurnsRAT Panel

When the C2 address is opened in a browser, a panel is displayed with fields for a username and password, a CAPTCHA, and the text "Welcome from here". Previously, this panel carried the header TVRAT Panel 2.0.

BurnsRAT commands

In the investigated version of BurnsRAT, 14 processed commands were found. BurnsRAT hides the command names by using the CRC32 value of each. Below is a table with a description of each command and its name where we were able to identify it.

CRC32 value   Name       Description
0x7295669     kill       Self-deletion: deletes the directory, registry keys, and service
0xb95616b6    stop       Stops the service, closes the RMS window, and terminates the process
0xe7f92207    restart    Restarts RMS
0xe6b25bf7    poweroff   Shuts down the system
0xc153848c    reboot     Restarts the system
0x94e578ac    dwl        Downloads a file onto the infected system; two parameters: URL and relative path for the file
0xb3fdf526    dwlr       Same as dwl, but also runs the downloaded file
0x2f5c1cc0    cmd        Executes a cmd command with the SW_HIDE flag
0xf7426131    cmdr       Executes a cmd command and sends the result to the server; the output is written to a pipe and sent after the command completes
0xf02fa528    cmdv       Executes a cmd command with the SW_SHOWNORMAL flag
0x872895be    cmdw       Executes a cmd command with the SW_HIDE flag and waits up to 15 minutes for the thread to complete
0x473a8d9a    cmdwv      Executes a cmd command with the SW_SHOWNORMAL flag and waits up to 15 minutes for the thread to complete
0x29268c4d    cmdvw      Same as cmdwv
0x194fed4b    (unknown)  Closes the RMS window

Conclusions

VasyGrek has been conducting attacks targeting the financial employees of Russian companies for a long time. In this article, we wanted to show how long-lasting such threats can be and how long a single attacker can carry out attacks while keeping their distinctive features. Mr. Burns is a fairly well-known malware developer on the forums. For a long time, he has remained committed to the same type of malware, based on legitimate remote system management tools.

Recommendations

To prevent and protect against potential cyberattacks by the VasyGrek attacker, F.A.C.C.T. Threat Intelligence experts recommend:
  1. Track suspicious services created on endpoints.
  2. Check the corresponding registry branches to detect malware that persists in the system this way.
  3. Use state-of-the-art email security measures to prevent the initial compromise. We recommend that you learn how F.A.C.C.T. Business Email Protection can effectively resist these types of attacks.
  4. Train your employees regularly to make them less susceptible to phishing in all its forms.
  5. Use modern tools to detect and eliminate cyber threats. We recommend that you learn how F.A.C.C.T. Managed XDR provides exceptional capabilities for threat detection and response through the use of multiple sources of telemetry and advanced machine learning technologies.
  6. Use F.A.C.C.T. Threat Intelligence data to detect and proactively hunt for threats.

Compromise indicators for 2024

Links

  • hxxp://vip22gr[.]ru/framework/
  • hxxps://web-whatsap[.]online/kopiya_skrinchot_1C.pdf.rar
  • hxxps://downlod-bussines[.]ru/koriya_akt_upd_1C.PDF.rar
  • hxxps://doc2024[.]ru/2024bldrms.exe
  • hxxps://bussines-raff[.]fun/BLD.exe
  • hxxps://bussines-raff[.]fun/MetaKript.exe
  • hxxps://saitraif[.]ru/22012024BUILD.exe
  • hxxps://bussines-raff[.]fun/22012024BUILD.exe
  • hxxps://doc-1c[.]fun/panel/uploads/Hnxuy.vdf
  • hxxps://saitraif[.]ru/panel/uploads/Lexhwif.pdf
  • hxxps://saitraif[.]ru/panel/uploads/Qxudsj.mp4
  • hxxps://saitraif[.]ru/panel/uploads/Qzvldxefss.mp4
  • hxxps://saitraif[.]ru/panel/uploads/Hyfhtwkc.mp3
  • hxxps://saitraif[.]ru/panel/uploads/Awrxzkoc.mp3
  • hxxps://saitraif[.]ru/panel/uploads/Xkwjbhibh.dat
  • hxxps://saitraif[.]ru/panel/uploads/Kjpdz.mp4
  • hxxps://saitraif[.]ru/panel/uploads/Asvchn.wav
  • hxxps://saitraif[.]ru/panel/uploads/Ahjhcuubue.mp3
  • hxxps://sk-krona[.]fun/panel/uploads/Fhzcvdiuu.wav
  • hxxps://sk-krona[.]fun/panel/uploads/Vgnaahn.mp3
  • hxxps://sk-krona[.]fun/panel/uploads/Xzkxso.mp3
  • hxxps://sk-krona[.]fun/panel/uploads/Ljncj.dat
  • hxxps://sk-krona[.]fun/panel/uploads/Wfbitmtjlzd.dat
  • hxxps://sk-krona[.]fun/panel/uploads/Tvmjmv.mp4
  • hxxps://sk-krona[.]fun/panel/uploads/Zofrj.dat
  • hxxps://sk-krona[.]fun/panel/uploads/Nsvozql.mp4
  • hxxps://sk-krona[.]fun/panel/uploads/Wllyqo.mp4
  • hxxps://sk-krona[.]fun/panel/uploads/Cvevg.mp3
  • hxxps://sk-krona[.]fun/panel/uploads/Seancczvbv.wav
  • hxxps://sk-krona[.]fun/panel/uploads/Oguqs.mp4
  • hxxps://sk-krona[.]fun/panel/uploads/Vfqegoe.dat
  • hxxps://sk-krona[.]fun/panel/uploads/Etqslnpm.mp4
  • hxxps://sk-krona[.]fun/panel/uploads/Awdiaz.pdf
  • hxxps://sk-krona[.]fun/panel/uploads/Fxeiroo.mp3
  • hxxps://sk-krona[.]fun/panel/uploads/Dscxqvi.mp4
  • hxxps://sk-krona[.]fun/panel/uploads/Dzyhmzjdtpz.wav
  • hxxps://sk-krona[.]fun/panel/uploads/Qydultut.dat
  • hxxps://downlod-bussines[.]ru/panel/uploads/Yppohxqf.vdf
  • 91.246.41[.]200:7702
  • 91.246.41[.]200:5554
  • 91.246.41[.]200:56001
  • 91.246.41[.]200:56002
  • 91.246.41[.]200:56003
  • 91.246.41[.]200:58001
  • 91.246.41[.]200:58002
  • 91.246.41[.]200:58003

Files

Archives

Doc_27052024_1c (PASSWORD 123).rar
  • MD5: f75f4caba62e00381830e0f868737eac
  • SHA1: 1a112352b29beb301569db5aa3a68ba25444ca40
  • SHA256: 7da756b08230bd426defeaea35588b899057228ac19f3a21625582038e405c76

doc_7815651a08547.PDF(ПАРОЛЬ 123).rar
  • MD5: b4a9522a14bf3dcfbccaa46ec30bdc04
  • SHA1: 5bb8e9ed257652a014d886b22d2813b5c91e4b2d
  • SHA256: 382031a229aad519f8d243923e504e8dedf0106f4ce274ab9640ce55542b962d

kopiya_skrinchot_1C.pdf.rar
  • MD5: b91a1ac8f85543ff0aeb329e639ebfba
  • SHA1: 568a3145a417a581ba1a598bfc32532f3f7b1389
  • SHA256: 2ef38ea449b172cef5e1015bc4b5e37de8ece7d4be087b6bdded5a992493e7aa

docx_1C_02_04_2024 (PASSWORD 123).rar
  • MD5: b17b57f48e086e4b42788500378439b9
  • SHA1: 6ce51b3292808cb2eb799765ed38473ab99e6b80
  • SHA256: e360674d2abf0bea085d01bc3595e19efb3ac061ab8090a32d0c579c621c46f6

Doc20032024. PDF (PASSWORD 123). rar
  • MD5: 2369d0794f9187a3e26d96cba5efad87
  • SHA1: 170936e8bb0416bb981203120fd1cbdf52dc895e
  • SHA256: 14f5ef72472f64edee2e852d1c677ad4f61b780c3ac93649835c4cc30f5c5b2f

Doc_11032024_1C_98347r483df2grg5tg.rar
  • MD5: 7bdaafec94c18e94c67629a8617167b4
  • SHA1: 241d2b9fdb8574575a9f2f3bc2961e0ed55a0492
  • SHA256: 950bdf0842e513180c42ab3809e57c0779456c51a53e41ce8e833ed36880230e

Akt_09283_1C_oplata.PDF.rar
  • MD5: beb42f19b0176e111f76e4d7d8afa57e
  • SHA1: 973124cd723f1d7d6b94a59f97dfa7fb5020c4ea
  • SHA256: 03b11a7319a44c8848d239b8ce49ebb43ebe90dfb9927771a2258bbe3d0e655e

doc_034_25_01_2024_1C.PDF.rar
  • MD5: 39560b75207987740cff07366cc0a065
  • SHA1: 984c74fcf8bb3a60ea950000193b36d07f702c4c
  • SHA256: 1304a1ec426aa4d39c255aef059bc5b2cb9fef096cd6d136c63ddf8a3b936b96

16_04_2024_doc_1C (PASSWORD 123). rar
  • MD5: 6fdc656c8bcfe6f4658b3fa3216ab9d2
  • SHA1: 323af4cac603074f692985844d01cb26c86f3522
  • SHA256: 2e4d3cf89636072438deb7e690ea376e8433c5dc59d8befedc0f5b79ea9a6b7d

koriya_akt_upd_1C.PDF.rar
  • MD5: 674a9b5e930b050364b04b8a5a1c3698
  • SHA1: 8837178f21e0948850ce4c5ba4f5a1779ea0e858
  • SHA256: 8b7e5a040f0e468eb540211a3ac73dadd6628177dc09eaff06bfbce10c6eeab9

RMS Builds​

BUILD14052024.exe
BLD.exe
22012024BUILD.exe
2024bldrms.exe
BUILD.exe

Modified libraries msimg32.dll​

msimg32.dll (five modified variants)

Executable files​

16_04_2024_doc_1C.PDF.com
Doc_27052024_1c_047856232.com
27052024.exe
doc_7815651a08547.PDF.scr
vncrms.exe
kopiya_skrinchot_1C.pdf.scr
rmsvnc.exe
docx_1C_02_04_2024.PDF.com
STILKRIP.exe
Doc20032024.PDF.com
Bzciazly.exe
Doc_11032024_1C_98347r483df2grg5tg.com
Akt_09283_1C_oplata.PDF.com
vncrmskript.exe
doc_034_25_01_2024_1C.PDF.com
Akt_sverka_1C_29022024.PDF.exe
MetaKript.exe
doc_05_03_2024_1C_PDF.exe
metakript.exe
Oplata13032024.PDF.exe
LoaderVNC.exe
vncKript.exe
VNCBLD.exe
doc24.04.2024_1C.pdf.exe

MITRE ATT&CK

Tactic / Technique / Procedure

Initial Access (TA0001)
  • Phishing: Spearphishing Attachment (T1566.001): VasyGrek uses emails with attached archives in most of its attacks
  • Phishing: Spearphishing Link (T1566.002): VasyGrek uses emails with links in some attacks; when the link is clicked, the archive is downloaded to the system

Execution (TA0002)
  • User Execution: Malicious File (T1204.002): VasyGrek uses archives that contain an executable file which must be run by the user
  • System Services: Service Execution (T1569.002): VasyGrek uses the BurnsRAT malware, which creates a service to achieve persistence in the infected system
  • Command and Scripting Interpreter: Windows Command Shell (T1059.003): VasyGrek uses the BurnsRAT malware, which can execute commands in the Windows command interpreter

Persistence (TA0003)
  • Create or Modify System Process: Windows Service (T1543.003): VasyGrek uses the BurnsRAT malware, which creates a service to achieve persistence in the infected system
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): VasyGrek uses the BurnsRAT malware, which creates a registry key in the HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce branch to achieve persistence in the infected system
  • Hijack Execution Flow (T1574): VasyGrek uses the BurnsRAT malware, which is launched by executing a legitimate Silverlight tool file; it then launches RMS after renaming the RMS file to the name of the system utility wuapihost.exe
  • Hijack Execution Flow: DLL Search Order Hijacking (T1574.001): VasyGrek uses the BurnsRAT malware, which relies on DLL search order hijacking so that running a legitimate RMS tool file loads an infected version of the system library msimg32.dll

Privilege Escalation (TA0004)
  • Process Injection: Portable Executable Injection (T1055.002): VasyGrek uses PureCrypter, which can run malicious files in the memory of its own process
  • Create or Modify System Process: Windows Service (T1543.003): VasyGrek uses the BurnsRAT malware, which creates a service to achieve persistence in the infected system
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): VasyGrek uses the BurnsRAT malware, which creates a registry key in the HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce branch to achieve persistence in the infected system
  • Hijack Execution Flow (T1574): VasyGrek uses the BurnsRAT malware, which is launched by executing a legitimate Silverlight tool file; it then launches RMS after renaming the RMS file to the name of the system utility wuapihost.exe
  • Hijack Execution Flow: DLL Search Order Hijacking (T1574.001): VasyGrek uses the BurnsRAT malware, which relies on DLL search order hijacking so that running a legitimate RMS tool file loads an infected version of the system library msimg32.dll

Defense Evasion (TA0005)
  • Hijack Execution Flow (T1574): VasyGrek uses the BurnsRAT malware, which is launched by executing a legitimate Silverlight tool file; it then launches RMS after renaming the RMS file to the name of the system utility wuapihost.exe
  • Hide Artifacts: Hidden Window (T1564.003): VasyGrek uses the BurnsRAT malware, which hides the execution of the RMS tool, including its window
  • Indicator Removal: File Deletion (T1070.004): VasyGrek uses the BurnsRAT malware, which can delete itself from the system
  • Masquerading: Masquerade Task or Service (T1036.004): VasyGrek uses the BurnsRAT malware, which creates a service named USBSafeManager with the display name USB Safe Manager
  • Masquerading: Match Legitimate Name or Location (T1036.005): VasyGrek uses the BurnsRAT malware, which is mainly located in the directories of the legitimate tools used to launch and run BurnsRAT (Silverlight and Remote Utilities)
  • Masquerading: Double File Extension (T1036.007): VasyGrek uses double extensions in the names of the executable files placed in its archives
  • Obfuscated Files or Information: Software Packing (T1027.002): VasyGrek uses the PureCoder developer's tools, as well as the MetaStealer malware, which are distributed in packed form
  • Process Injection: Portable Executable Injection (T1055.002): VasyGrek uses PureCrypter, which can run malicious files in the memory of its own process
  • Virtualization/Sandbox Evasion: System Checks (T1497.001): VasyGrek uses the MetaStealer malware, which checks the user and computer names; if either matches a value from the list stored inside the image, MetaStealer terminates

Credential Access (TA0006)
  • Credentials from Password Stores: Credentials from Web Browsers (T1555.003): VasyGrek uses the MetaStealer malware, which can steal data from an infected system, including files from browser directories
  • Unsecured Credentials: Credentials In Files (T1552.001): VasyGrek uses the MetaStealer malware, which can steal data from Discord, Telegram, FTP and IM clients

Discovery (TA0007)
  • Browser Information Discovery (T1217): VasyGrek uses the MetaStealer malware, which can steal data from an infected system, including files from browser directories
  • File and Directory Discovery (T1083): VasyGrek uses the MetaStealer and PureLogs Stealer malware, which can steal files from an infected system
  • Software Discovery: Security Software Discovery (T1518.001): VasyGrek uses the MetaStealer malware, which uses WMI queries to check for antivirus software on the infected system
  • System Information Discovery (T1082): VasyGrek uses the BurnsRAT malware, which collects information about the infected system: user name, computer name, domain name, system language and version
  • System Location Discovery: System Language Discovery (T1614.001): VasyGrek uses the BurnsRAT malware, which collects information about the language of the infected system
  • System Owner/User Discovery (T1033): VasyGrek uses the BurnsRAT malware, which collects the user name and computer name of the infected system
  • Virtualization/Sandbox Evasion: System Checks (T1497.001): VasyGrek uses the MetaStealer malware, which checks the user and computer names; if either matches a value from the list stored inside the image, MetaStealer terminates

Collection (TA0009)
  • Data from Local System (T1005): VasyGrek uses the MetaStealer malware, which can steal data from an infected system using special templates in its configuration
  • Screen Capture (T1113): VasyGrek uses the BurnsRAT malware, which takes screenshots of the infected system

Command and Control (TA0011)
  • Application Layer Protocol: Web Protocols (T1071.001): VasyGrek uses the BurnsRAT malware, which communicates with the server over HTTP
  • Encrypted Channel: Symmetric Cryptography (T1573.001): VasyGrek uses the BurnsRAT malware, which uses the RC4 algorithm to encrypt network traffic
  • Ingress Tool Transfer (T1105): VasyGrek uses the BurnsRAT malware, which can download additional malicious files onto the infected system
  • Non-Application Layer Protocol (T1095): VasyGrek uses the MetaStealer malware, which communicates with the command server over TCP
  • Non-Standard Port (T1571): VasyGrek uses malware developed by PureCoder (for example, PureLogs Stealer), which communicates over non-standard ports
  • Remote Access Software (T1219): VasyGrek uses the BurnsRAT malware, an infected modification of the legitimate remote system management software RMS

Exfiltration (TA0010)
  • Exfiltration Over C2 Channel (T1041): VasyGrek uses malware such as MetaStealer and PureLogs Stealer, which communicates with the command server and exfiltrates data
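The host artifacts the table attributes to BurnsRAT (msimg32.dll loaded from outside the system directories, RMS renamed to wuapihost.exe, the USBSafeManager service, the RunOnce entry) and the double-extension lure names can be checked against a host inventory. The Python below is an added example, not code from F.A.C.C.T. or BI.ZONE; the HostSnapshot structure, the Remote Utilities path and the sample data are constructed for illustration.

```python
import ntpath
import re
from dataclasses import dataclass

# Where msimg32.dll and wuapihost.exe legitimately live; anything else is suspect.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Document-looking name followed by an executable extension (T1036.007).
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(exe|com|scr)$", re.IGNORECASE)

@dataclass
class HostSnapshot:
    """Constructed host inventory; the field names are this example's own."""
    loaded_modules: list  # (process image path, loaded module path)
    services: dict        # service name -> display name
    runonce: dict         # HKCU\...\RunOnce value name -> command line
    attachments: list     # attachment names taken from mail logs

def outside_system_dirs(path: str) -> bool:
    return ntpath.dirname(path).lower() not in SYSTEM_DIRS

def exe_from_command(cmd: str) -> str:
    # Quoted path if present, otherwise the first whitespace-delimited token.
    m = re.match(r'"([^"]+)"|(\S+)', cmd.strip())
    return (m.group(1) or m.group(2)) if m else ""

def find_burnsrat_artifacts(snap: HostSnapshot) -> list:
    """Return (ATT&CK id, detail) pairs for the artifacts named in the table."""
    hits = []
    for image, module in snap.loaded_modules:
        if ntpath.basename(module).lower() == "msimg32.dll" and outside_system_dirs(module):
            hits.append(("T1574.001", f"{image} loaded {module}"))
        if ntpath.basename(image).lower() == "wuapihost.exe" and outside_system_dirs(image):
            hits.append(("T1574", f"wuapihost.exe running from {image}"))
    for name, display in snap.services.items():
        if name.lower() == "usbsafemanager" or display.lower() == "usb safe manager":
            hits.append(("T1036.004", f"service {name} ({display})"))
    for value, cmd in snap.runonce.items():
        exe = exe_from_command(cmd)
        if ntpath.basename(exe).lower() == "wuapihost.exe" and outside_system_dirs(exe):
            hits.append(("T1547.001", f"RunOnce value {value} starts {exe}"))
    for name in snap.attachments:
        if DOUBLE_EXT.search(name):
            hits.append(("T1036.007", f"double-extension attachment {name}"))
    return hits

# Constructed sample: one clean process plus the lookalike tree BurnsRAT leaves behind.
RU_DIR = r"C:\Users\acct\AppData\Roaming\Remote Utilities"
SAMPLE = HostSnapshot(
    loaded_modules=[(r"C:\Windows\System32\wuapihost.exe", r"C:\Windows\System32\msimg32.dll"),
                    (RU_DIR + r"\wuapihost.exe", RU_DIR + r"\msimg32.dll")],
    services={"USBSafeManager": "USB Safe Manager", "Spooler": "Print Spooler"},
    runonce={"upd": f'"{RU_DIR}\\wuapihost.exe" -s'},
    attachments=["Akt_sverka_1C_29022024.PDF.exe", "invoice.pdf"],
)
```

Running `find_burnsrat_artifacts(SAMPLE)` flags the Remote Utilities copy of wuapihost.exe and its msimg32.dll, the service, the RunOnce value and the lure name, while the genuine System32 pair and the plain PDF produce no findings.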
