Once upon a time in a corner of the internet I was looking for an AI browser to gift to the elderly so that they could stop asking me for the simplest tech support. So I went to the ChatGPT website to take a look at their latest browser - ChatGPT Atlas. When I went to try and download it, I noticed that there was only a macOS download. Just my luck - the elderly people I am trying to assist are running Windows and Linux Mint. However, when I hit the back button to DuckDuckGo, I noticed that one of the results was... off...
What's this? A ChatGPT Windows Edition. Surely this is a totally legitimate piece of software. And so I clicked the link, and down the rabbit hole I went.
The GitHub page is already sketchy AF. Why would an official ChatGPT browser have no stars? Why does the source code look like a Node.js project? Kind of suspicious. The readme.md directs me to download the .exe. Aight. Let's have a go at it.
The executable looks... legit? Except for the fact that the description doesn't match at all. Surprisingly, a quick VT scan reveals nothing suspicious (except my comments that I added after my analysis). DIE, on the other hand, lights up like a Christmas tree.
Language: RUST!? OH NO! I do NOT want to do Ghidra static analysis on this... Whatever. Let's do some quick static analysis on strings.
Nice, there's a reference to some anti_bot.rs code. So we can expect the binary to perform fingerprinting on our machine to detect if it is running in a VM (amongst other things). It's a good thing that my VM passes these checks lolll. Later on we also see an obfuscated PowerShell command.
Let's decode it!
*Note: we won't actually see this PowerShell being executed later on because we don't give the program admin rights. It does a check for admin before launching the PowerShell stuff.
OK so that's definitely not sus: adding exclusion paths to Defender and modifying reg keys. What other strings are there which are notable?
There are strings referring to extracting password-protected archives. This is stager behavior.
Strings which refer to sending data to Telegram APIs.
Debug strings which seem to detail if the program was successful in elevating privilege and installing other "drivers".
Strings which include an HTTP .rs file for downloading things from the internet. Includes references to a function which obtains a password from the server. (likely has something to do with extracting the archive files).
Another interesting thing is how packed this exe is. There's a bunch of AI-generated images inside of the executable, and also a bunch of "copyright text". Another classic technique to make detection and analysis harder: make your binary needlessly big.
Let's parse them Rust strings too.
Elysian Fields... Isn't that some unmoderated internet forum? Regardless, it seems that the person who compiled this binary has their computer name set to "Root" and also compiled the binary on a Windows computer.
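The strings triage described above (Rust source paths, Telegram API URLs, archive handling, and an obfuscated PowerShell command that turns out to be a base64-encoded UTF-16LE `-EncodedCommand`) can be scripted. The following is an added example, not code from the original post; it runs over a small constructed byte blob rather than the real sample, and the encoded command it decodes is a harmless constructed one. The keyword list under `defender_tamper` is there so the script flags the kind of Defender exclusion change the post mentions if it shows up in a decoded command.

```python
import base64
import re

# Constructed stand-in for a binary: filler bytes around strings of the kinds the
# write-up found. Nothing here is taken from the real sample; the build path below
# only mimics the shape of a Rust panic path ("C:\Users\<name>\...").
ENCODED_PS = base64.b64encode(
    "Write-Host 'constructed sample'".encode("utf-16-le")
).decode()
SAMPLE_BLOB = (
    b"\x00\x01\x02MZ\x90\x00"
    b"src\\anti_bot.rs\x00"
    b"\xff\xfeC:\\Users\\Root\\proj\\src\\http.rs\x00"
    b"https://api.telegram.org/bot<TOKEN>/sendDocument\x00"
    b"powershell.exe -NoProfile -EncodedCommand " + ENCODED_PS.encode() + b"\x00"
    b"extracting password protected archive\x00"
    b"7z.exe x -p\x00"
    b"\x03\x04ab\x05"  # "ab" is too short to count as a string
)

# Buckets a triage run cares about, keyed by what each string hints at.
CATEGORIES = {
    "rust_source": re.compile(r"\.rs$|\\src\\"),
    "telegram": re.compile(r"api\.telegram\.org", re.I),
    "archive": re.compile(r"7z|password protected archive", re.I),
    "powershell": re.compile(r"powershell", re.I),
    "defender_tamper": re.compile(r"Add-MpPreference|ExclusionPath", re.I),
}
ENCODED_CMD = re.compile(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)", re.I)


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Same idea as the `strings` tool: runs of printable ASCII of at least min_len."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def decode_encoded_commands(strings: list[str]) -> list[str]:
    """Decode every `-EncodedCommand <base64>` found: PowerShell expects UTF-16LE."""
    decoded = []
    for s in strings:
        for m in ENCODED_CMD.finditer(s):
            try:
                decoded.append(base64.b64decode(m.group(1)).decode("utf-16-le"))
            except (ValueError, UnicodeDecodeError):
                continue  # not a real encoded command, skip it
    return decoded


def categorize(strings: list[str]) -> dict[str, list[str]]:
    return {name: [s for s in strings if pat.search(s)]
            for name, pat in CATEGORIES.items()}


def triage(blob: bytes) -> dict:
    strings = extract_strings(blob)
    decoded = decode_encoded_commands(strings)
    # Decoded commands are categorized too, so a Defender exclusion hidden
    # behind base64 is still caught.
    return {"categories": categorize(strings + decoded),
            "decoded_powershell": decoded}


if __name__ == "__main__":
    result = triage(SAMPLE_BLOB)
    for name, hits in result["categories"].items():
        print(f"{name}: {hits}")
    print("decoded:", result["decoded_powershell"])
```

Pointing `triage()` at `open(path, "rb").read()` of a real executable gives the same buckets; the regexes are deliberately loose, because the point of a first pass is to find the handful of strings worth reading, not to classify the binary.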
I think we have enough information here. We can probably guess that the application does the following in some order.
Attempts to elevate privileges (probably just gonna prompt with UAC)
Attempts to stage other pieces of malware.
Use PowerShell to add exclusions to various folders.
Fingerprint the computer to detect if it is running in a VM or not.
Off to Dynamic Analysis!
Alright, let's see what this thing can do. After setting up my VM and gateway VM we are ready to see what this thing can do. The first hurdle: Bypassing the VM and Analysis detection. After opening the malware... it immediately QUITS!!! WHATT????
Ok so clearly it is doing some profiling of our environment. But what could it be profiling? Our CPU? Our RAM? Our Disk storage?
Yup, it is doing all of that, but the one that fails first is our running programs! Before I hit run, I had loaded up Procmon and Wireshark, which the program really doesn't like. If we look up the API calls the program makes, we can see that it is doing a classic CreateToolhelp32Snapshot call and then enumerating its results via Process32Next to iterate through the resulting list of programs. If you want to know more about this, I would recommend looking up the relevant section at https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf .
Uhg, OK. So it's looking through the programs and finding our analysis programs. If we close out Procmon and Wireshark then the program runs fine (and we get mega infected). Hmmm, so what do we do to bypass this?
EZ, we just break on CreateToolhelp32Snapshot and return null 😆😆😆.
Aight so that hurdle was fixed up. NEXT!
Uhggg. Screen XY coordinates, BIOS, RAM.... Whatever man. I do not want to manually bypass all this garbage. There is surely an easier way to trick the stager into staging? What if we just like - don't give the program permission to enumerate these things? What if we just don't allow it to run as admin so that the fingerprinting will fail? What will happen? The answer might surprise you.....
LMAOOO THE PROGRAM WILL JUST KEEP RUNNING!
Success! We have found a way to nuke the fingerprinting. On to the next steps!
Now that the stager has begun staging, one key API call of interest is getaddrinfo. So we look it up and find information about pastebin.com. In our proxied traffic logs, we can see that the malware is reaching out to multiple pastebin sites. Let's see what they look like.
WAUWWW Are these the encrypted 7-Zip files which were given to us in static analysis a long time ago? It sure seems that way because they are all encrypted. As well as this, it appears we ALSO have the password to them 7z files provided from pastebin!
And finally after failing to download and extract the files, the stager makes one last request before exiting.
Take note of the domain and pastebin endpoint, we will do a bit of trolling with this information later.
Now that we have the malware that would have been staged, it is time to see what happens when we actually connect to the internet and allow the stager to do its thing. Time to load up Procmon and apimon.
OK Wow. I take back what I said about this malware maybe bypassing EDR. This thing would light up any endpoint EDR solution like a Christmas tree! It's noisy AF!!!
So, this stager kind of appears to be really amateurish. It just tests which folders in the Public directory are accessible, downloads a bunch of other programs & stores them in the Public folder, then runs the programs. If granted admin access it will run PowerShell to add scan exclusions to the Public folder and then run all the stuff.
OK, so after all the payloads are downloaded, each one of them executes and begins to perform nefarious activities in a modular fashion. What do I mean by this? I mean that each of the payload exes has a sort of "task". One of the payload exes is responsible for getting Task Scheduler to establish persistence, one is responsible for adding new and fun Chrome extensions, one is responsible for uploading your files to their evil server (oh wait, that's just Microsoft Defender) etc... Most of them have a very similar DIE signature, so it is very likely that our amateur malware dev also made these modular executables.
audiocfg.exe: First on the list of our malware bundle is audiocfg.exe. This weird program is 32-bit so it sometimes will evade detection from 64-bit analysis programs! I honestly don't really know what this thing does. It kind of just opens, enumerates access to C:\Windows and C:\Program Files and exits. But one thing caught my eye: a check for the env var "DEBUG". Opening strings in Ghidra reveals a "Debug mode activated" string. Hmmm. Can we get this thing to activate? No, because I don't have time. Looking at the strings of this binary reveals that it does another round of fingerprinting and waits for a couple of user clicks before executing some payload.
vicontroldb.exe: A 64-bit executable. This is where the fun begins. Interestingly this program initially has a similar strings lookup as audiocfg.exe. After waiting a minute or so, the program begins making outbound requests to Telegram and Steam. Wait what? Steam?!
Yup! That's right people. The ops are using STEAM as C2 infra now. Everybody is gangsta till the malware starts using steam for C2 😂.
After this, we see an outbound request bound for telegram.
(I totally didn't proxy telegram). Last but not least we see an outbound request for the domain specified by the steam profile.
OK so here's the thing. If we follow the Telegram link, we find a similar string which was employed on the Steam page, that being r#in trs.whitehallalliance.co[.]uk. Sadly both the links which were referenced in the C2 are down, so we can't get any more information out of it. :( On to the next malware module.
Persistence Family: If you look at the pastebin link containing the different malware modules, three of them in particular are very similar in name, only differing by the version number.
cursorcontr.exe is a 64-bit program but DIE heuristics say that there's some C/C++ code within it. Let's have a go at it. An initial strings check reveals that it likely is gonna make some call to Telegram, and establish persistence on the system by utilizing schtasks.
Huh. I wonder what those pastebin links are. Both of them lead to a pastebin that just has the number '0' on it. Maybe it is a placeholder for something?
Anyways, after actually running the file, it writes some logging info inside of the temp directory. One file is called "system_log.txt" and the other is called "upd152b_log.txt".
Wait seriously? Russians?! This doesn't feel like Russian malware, it is too sloppy. YandexGPT must have vibe-coded this software. Anyways, the first thing the program does after writing to these log locations is call ping.exe on itself (for some reason) and then attempt to copy itself to C:\ProgramData\NetworkController\DeviceAdapter.exe. It promptly fails to do so because we didn't give it admin privs. So it instead copies itself to %APPDATA%Roaming\AudioDriver\IntelController.exe (after checking other places like in \Public). It then opens up schtasks.exe a bunch of times to attempt to run itself. Task names include:
CacheUpdateTask5135
TelemetryService7704
BackgroundTaskHost6760
DataSyncService4191
DriverUpdateCheck5360
Yeah, all of the tasks are named [Insert Technical Sounding Thing][4 numbers].
When the copied program is run from Task Scheduler, it performs another "ping" and then proceeds to attempt to connect to "snippet.host", which appears to be a pastebin alternative. Now for some reason, the program seems to fail after attempting to reach pastebin and snippet.host. Because I do not have time to set up mitmproxy properly, I am gonna move on to the next payload.
updcontrol.exe: is a 64-bit program which basically has the same signature and icon as cursorcontr.exe. Upon first glance it appears to have the same strings as cursorcontr.exe, but the links to pastebin are different, albeit both links lead to a text file that just has the number '0' in it.
claudeupd.exe: is a 64-bit program that is very different in comparison to the other programs. DIE reports that it is a Python executable. After loading the strings up in Ghidra it becomes clear that we are dealing with a PyInstaller build. YAY! It is time to load up pyinstxtractor.
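Everything the stager and the persistence module do here is visible in process-creation telemetry: binaries running out of C:\Users\Public, copies dropped under %APPDATA%\Roaming, schtasks /create with [Word][4 digits] task names, and (when elevated) a PowerShell Add-MpPreference exclusion. The following is an added example, not code from the original post, showing detection logic for those behaviours run over a handful of constructed process events; the event shape, the parent/child pairs, the placeholder stager name and the exact command lines are all assumptions made for the example, not telemetry from the author's run.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed shape, not a real EDR schema)."""
    parent: str
    image: str
    cmdline: str
    elevated: bool


# Constructed events modelled on the behaviour described in the write-up.
# "stager_placeholder.exe" stands in for the unnamed stager binary.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", r"C:\Users\Public\vicontroldb.exe", "vicontroldb.exe", False),
    ProcEvent(r"C:\Users\Public\cursorcontr.exe", r"C:\Windows\System32\PING.EXE",
              "ping.exe -n 1 127.0.0.1", False),
    ProcEvent(r"C:\Users\Public\cursorcontr.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "CacheUpdateTask5135" '
              r'/tr "C:\Users\user\AppData\Roaming\AudioDriver\IntelController.exe" /sc minute /mo 5 /f',
              False),
    ProcEvent(r"C:\Users\Public\stager_placeholder.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -Command Add-MpPreference -ExclusionPath C:\Users\Public", True),
    # Benign control: a system-owned task created by a service, not matching the pattern.
    ProcEvent("svchost.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "\Microsoft\Windows\Defrag\ScheduledDefrag" /tr defrag.exe /sc daily',
              True),
]

# User-writable locations the write-up saw used for staging and self-copies.
STAGING_PATH = re.compile(r"\\Users\\Public\\|\\AppData\\Roaming\\|\\ProgramData\\", re.I)
# [Insert Technical Sounding Thing][4 numbers], e.g. TelemetryService7704.
TASK_NAME_PATTERN = re.compile(r"^[A-Za-z]+\d{4}$")
DEFENDER_TAMPER = re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)


def scheduled_task_findings(cmdline: str) -> list[str]:
    """Reasons a schtasks command line looks like the persistence module's."""
    reasons = []
    m_tn = re.search(r'/tn\s+"?([^"\s]+)"?', cmdline, re.I)
    if m_tn and TASK_NAME_PATTERN.match(m_tn.group(1)):
        reasons.append(f"task name follows <Word><4 digits> pattern: {m_tn.group(1)}")
    m_tr = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if m_tr:
        action = m_tr.group(1) or m_tr.group(2)
        if STAGING_PATH.search(action):
            reasons.append(f"task action runs from user-writable path: {action}")
    return reasons


def analyze(events: list[ProcEvent]) -> list[dict]:
    """Return one finding per event that trips at least one rule."""
    findings = []
    for i, ev in enumerate(events):
        reasons = []
        if STAGING_PATH.search(ev.image):
            reasons.append("image runs from user-writable staging path")
        if STAGING_PATH.search(ev.parent):
            reasons.append("spawned by a binary in a user-writable staging path")
        if ev.image.lower().endswith("schtasks.exe"):
            reasons += scheduled_task_findings(ev.cmdline)
        if DEFENDER_TAMPER.search(ev.cmdline):
            reasons.append("Defender exclusion added via Add-MpPreference"
                           + (" (elevated, so it succeeds)" if ev.elevated else " (not elevated, would fail)"))
        if reasons:
            findings.append({"index": i, "image": ev.image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["image"])
        for r in f["reasons"]:
            print("   -", r)
```

The rules are intentionally cheap: the path check alone fires on every module the stager drops, and the task-name regex is the one signal that survives the module being recompiled with new file names. The ScheduledDefrag control event shows the name pattern does not fire on the backslash-qualified names real system tasks use.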
AUGH! PYARMOR!!! Clearly someone doesn't want us looking at their binary.
I do NOT want to manually deobfuscate this stuff. Let's just dump the process after pyarmor decrypts it and then strings it.
Theeere we go. OK so a lot of the pastebins all just contain a text file with "0" in it, but one of the snippet.host links actually has a link in it!
Naturally it is password protected, however none of the previous password attempts appear to work.
I unfortunately do not have the luxury of time. I am a university student and every minute I spend writing this blog and dissecting this malware is a minute which could have been spent sending my resume out so I do not maintain my semi-unemployed status. So it is time to SPEEDRUN the dismantling of this malware op.
After looking at evil endpoints:
clocktok.cfd
calibrated.cfd
telegram.me/bul33bt
dahis.store
*.jyhsolucion.ar
client.wns.windows.com.... oh wait.
It was time to put an end to the evil operation. The GitHub repo was reported and taken offline, and the dev.azure.com distribution endpoints were reported to Microsoft. As for the Telegram account? It received some messages regarding the One Piece!