Over the past few years, ransomware has been hitting all the headlines. Group-IB’s recently-published Hi-Tech Crime Trends 2022/2023 report named ransomware the top cyber threat for businesses and organizations; the third year in a row that this particular threat has held this dubious honor. One of the key trends in the ransomware industry over the past five years has been big game hunting, which sees sophisticated threat actors attack medium- and large-sized companies and demand ever-growing ransom amounts.
However, the growing proliferation of various ransomware-as-a-service programs and initial access brokers (IABs) has lowered the barrier of entry for threat actors. Now, would-be cybercriminals can leverage a whole suite of cheap (or free) publicly available tools to try their hands at breaching a company’s security perimeter, giving less-skilled threat actors the chance to join the action.
In recent months, Group-IB has also seen an increasing turn by small-scale cybercriminals to target individuals, which could be done in the hope of infecting a personal device that an employee uses for work as a backdoor into stealing corporate files and credentials to then gain access to the network of the victim’s employer. With the help of off-the-shelf tools, launching a cyberattack has never been easier.
So, what tools are these cybercriminals using? Dubai-based researchers from Group-IB’s Digital Forensics and Incident Response (DFIR) team found that malicious actors, instead of simply infecting a computer with ransomware, have taken to packaging a whole host of malicious files into what we call malware bundles. A bundle is a term from the marketing sphere, whereby product bundling is a technique in which several products are grouped together and sold as a single unit for one price. This strategy has been credited for encouraging customers to buy more products. Resourceful cybercriminals appear to have monitored these trends, and thought, “how can we do something similar?” As a result, malware bundles are yet another example of how the cybercriminal industry bears ever-increasing resemblance to the IT sector, as malicious actors turn to adopting techniques from legitimate businesses for malicious purposes.
Malware bundles are often contained in phishing emails or disguised as legitimate files on download sites. Group-IB’s DFIR team has detected numerous malware bundle infections over the past year as a result of our presence in Europe, the Middle East, and Africa (EMEA). With this experience, Group-IB analysts leveraged the company’s proprietary Managed XDR to detonate the malicious files in a controlled environment after discovering similar cases in our clients’ infrastructure, along with Threat Intelligence to conduct further data-driven research.
During their analysis, Group-IB researchers found that a single downloadable file could contain a whole host of malware, including:
- Downloaders: Downloaders prepare the scene, then drop and run more malicious files on the victim’s host.
- Remote Access Trojans (RATs): RATs perform initial reconnaissance, evaluate assets, gain persistence, and can be used to sell access to backdoored endpoints. As remote or hybrid working continues to be the norm, companies are at huge risk if one of their employees’ personal devices is compromised.
- Information stealers: Stealers steal credentials and exfiltrate them to command-and-control servers (C2) managed by cybercriminals, who often sell them on dark web forums and marketplaces.
- Other payloads, such as miners, spam botnets, keyloggers, and ransomware.
Malware bundles have been around for a while, but their recent usage by cybercriminals reveals some interesting trends. First, it highlights how threat actors, with their ever-growing appetite for cash, create new approaches for monetization. Secondly, their usage can reveal insights into the interactions between low-skilled threat actors and their more sophisticated counterparts. An entry-level cybercriminal can leverage a malware bundle to gain access to a single computer, but they are also able to sell this access to a more-skilled threat actor who is able to move laterally from a single device to an entire corporate network.
Malware bundles are especially threatening to companies given the continued shift towards hybrid or remote working following the emergence of COVID-19 in early 2020. According to a 2022 survey by jobseeker service FlexJobs, 87% of workers would prefer to carry out their duties remotely or in a hybrid format. This trend has raised multiple questions over employees’ use of their personal computers or smartphones for work.
Multi-factor authentication solution provider Beyond Identity found recently that roughly half of employees use one or more personal devices for work. These devices may have unpatched or out-of-date off-the-shelf antivirus solutions as their only protection; an acute risk if the user is accessing corporate documents through unsecured networks. This creates a wealth of opportunities for cybercriminals to potentially gain access to entire corporate networks by tricking individuals into interacting with spear-phishing emails or mistakenly downloading files, which they believe to be resources such as Windows updates or media files, but in fact contain malware bundles.
This blog post summarizes our experience in recent months and sheds light on initial infection vectors. It contains insights from our investigations into affected companies in Egypt, South Africa, Saudi Arabia, Turkey, Morocco, UAE, Kenya, Israel, Pakistan, India, and Germany. We discuss channels of delivery, malware attribution, tactics, techniques and procedures (TTPs), and bundled parts and roles, all in reference to the MITRE ATT&CK® (Adversarial Tactics, Techniques & Common Knowledge) framework, in order to detail how the cybercriminals gained initial access and secured persistence.
We recommend this blog to IT directors, heads of cybersecurity teams, SOC analysts, and incident response specialists. Our goal is to underscore the importance of raising cybersecurity benchmarks among all members of a company and organization, and emphasize how one infected personal device can cause great financial and reputational damage.
In the concluding section of this blog, our DFIR team gives its recommendations on how to secure your networks and protect against the growing threat of malware bundles. We are committed to sharing our knowledge and expertise to greater protect the digital space.
Unpacking the malware bundle
Firstly, it’s crucial to note that every malware bundle Group-IB analyzed comprised a unique mixture of different malware types. Some of the bundles included ransomware, others did not. Some contained a Remote Access Trojan (RAT), and others did not. Additionally, one bundle would contain one particular information stealer, and another bundle had a completely different stealer. As a rule, most malware bundles contain an information stealer, RAT, and downloader, although they can also contain some other interesting pieces of malware such as miners.

Figure 1: What goes into a malware bundle?
Let us start by introducing the main protagonists of our research. It is no secret that info stealers are particularly popular on dark web forums and marketplaces. More and more threat actors are interested in stealing user data that they can sell on. This is one of the reasons why stealers have become an integral part of malware bundles. Group-IB researchers found that malware bundles often contained one of two highly popular stealers, RedLine Stealer and Vidar. As published in Group-IB’s recent Hi-Tech Crime Trends 2022/2023 report, Group-IB Threat Intelligence detected more than 35 million RedLine Stealer logs online in H2 2021 – H1 2022, with the malware responsible for compromising more than 75 million passwords. Vidar was the second most prominent stealer on the market in this period, as Group-IB detected 8.6 million Vidar logs online. In addition to these two widely-used stealers, the malware bundles also contained the lesser-known Amadey stealer.
Another component of malware bundles is DJVU/STOP ransomware. By mid-summer 2022, in 70% of the cases analyzed by Group-IB, this payload was loaded along with RedLine Stealer and PrivateLoader. Although the combination was highly effective, since mid-July, RedLine has increasingly been combined with miners, keyloggers, and a Trojan that recruits compromised systems to the Tofsee spam botnet. DJVU/STOP ransomware itself is seen to be used increasingly often together with Arkei Stealer and various RATs.

Figure 2: Group-IB Threat Intelligence dark web search engine detailing online enquiries for information stealers.
In order to gain initial access on an individual’s device, cybercriminals often deliver malware bundles to their desired endpoint via phishing and hidden downloads. Malicious links are distributed via email, Twitter and Facebook posts, replies on Q&A forums, and the descriptions of YouTube videos.

Figure 3: Tweet with malicious link to download malware bundle
Often the malware masquerades as patches, cracks, themes, and updates for Windows 11, and popular computer games, but the malware bundles can also be disguised as media files such as books. These delivery methods infect the personal device of an individual user, but this can have a devastating impact for their employer, should they use their personal device for work. Over the past few months, Group-IB Managed XDR has detected and prevented downloads of malware bundles on the devices of employees at various companies in Europe and the Middle East.
We couldn’t let this go unexamined.
Initial access vector
In all the malware bundles that were detected, the download of a file containing the package of malicious files was preceded by the user actively browsing and searching for specific files, including articles, books, and reports.

Figure 4: Browsing history of individual prior to downloading malware bundle.
While searching for information, users encountered a large number of insecure websites, often redirecting to third-party resources that required registration using an email address and phone number, as well as file-sharing resources that claimed to be offering the opportunity to download the sought-after files.

Figure 5: File-sharing page with link to download malicious file.
The files often appeared as an archive with a simple password, and an additional link leading to the content delivery network (CDN) of the messaging app Discord was provided to download them. In general, Discord’s CDN has long been closely associated with the distribution of various malware, from adware and stealers to Trojans and ransomware. In our case, the CDN was used to deliver an entire bundle, but we will say more on that later.
Our research revealed that malicious archives were downloaded from the following websites:
- https://digitalfitsoft[.]com
- https://installmentloan7vrt[.]org
- https://directdexchange[.]com
- https://soft-you[.]com
- https://speednetpc[.]com
- https://clubfiletyc[.]com
- https://aditmedia.g2afse[.]com
After unpacking an archive, users received an executable file, which was then used as the initial dropper.
Initial activity
A user-initiated dropper performs network activity while interacting with various URLs and IP addresses. The IP addresses used include those belonging to the infrastructure of various information stealers and ransomware.

Figure 6: Markers related to malicious dropper activity as shown by Group-IB’s Malware Detonation Tool embedded into Threat Intelligence and Managed XDR.
The dropper checks the victim’s supported languages and external IP address, reads the computer name and Windows organization settings, modifies Windows certificates, and disables Windows Defender by setting the following registry keys:
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
While it is in operation, the dropper retrieves executables and configuration files from both C2 servers and Discord’s CDN. New files can be found in the user’s temporary internet files and the following locations:
- C:\Users\<user>\AppData\Local\Temp\
- C:\Users\<user>\Documents\
- C:\Users\<user>\AppData\Roaming\
- C:\Users\<user>\Pictures\Adobe Films\
- C:\Program Files\PowerControl\
To prevent detection, the creation date and time of some files are timestomped. The code in the files is often obfuscated, as in the example below.
Some executable files masquerade as images and have a .bmp extension.

Figure 7: An executable found in one malware bundle analyzed by Group-IB researchers that contained a .bmp extension.
After downloading the files, the dropper immediately launches most of the executable files. The main location used to store these files is C:\Users\<user>\Pictures\Adobe Films\.
The most commonly found files in the malware bundles include: RedLine Stealer, Vidar Stealer (v52.7, v52.9), Amadey Stealer (v3.21), PrivateLoader, and DJVU/STOP ransomware.
RedLine Stealer activity
RedLine was the most popular information stealer on the underground market in H2 2021 – H1 2022. Logs from RedLine Stealer made up more than 37% of the total number of stealer logs available online in this period. The stealer is constantly updated and can easily be found on underground forums at an affordable price of $100-150 for the standalone version and $150 per month on a subscription basis. The official seller of RedLine Stealer actively uses Telegram for sending important announcements and communicating with clients, and there is a separate Telegram bot for buying the stealer. Any information about updates is first published on dark web forums.

Figure 8: RedLine update notification parsed from dark web.
RedLine targets not only data from various browsers, but also information about the user, the system, any installed software, and, of course, credentials from files, FTP, VPN applications, Telegram, Discord, and cryptocurrency wallets.
The information is gathered according to the configuration file received from C2.
The main fields that can be highlighted in the configuration file are:
- C2: IP addresses and URLs of C2 servers
- Botnet: Name of the botnet
- Auth_value: Authentication value
- US: Immediate configuration, including data to be collected, as well as whitelisted countries
The list of countries where the stealer does not work often includes the following:
- Armenia
- Azerbaijan
- Belarus
- Kazakhstan
- Kyrgyzstan
- Moldova
- Tajikistan
- Uzbekistan
- Ukraine
- Russia
Some parameters in the configuration are encoded in Base64 — for example, the list of cryptocurrency wallets.
Part of RedLine Stealer’s configuration:
After decoding, we get the names of more than 30 cryptocurrency wallets. All collected data is converted to XML and transmitted via SOAP Message either fully or partially to the C2. Starting with RedLine Stealer v22, NetTcpBinding provided by Windows Communication Foundation is used for communication. This makes it possible to generate a communication stack at runtime as well as use transport security, TCP for message delivery and binary message encoding.
During our research, we found the following C2 servers:
- net.tcp://193.106.191[.]81:23196/
- net.tcp://193.124.22[.]7:35632/
- net.tcp://185.215.113[.]70:21508/
- net.tcp://ushatamaiet[.]xyz:80/
- net.tcp://adinoreiver[.]xyz:80/
- net.tcp://qulyneanica.com:80/
Vidar activity
According to Group-IB’s annual report into the top cyber threats, Vidar was the second most popular information stealer on the market, responsible for 9% of logs detected online in H2 2021 – H1 2022. Depending on its configuration, Vidar can target the browser’s autofill data, history, downloads, cookies, credit card and wallet data, Telegram data, credentials in files, and screen captures. In addition, Vidar users can specify files to be collected in the following format:
<Output path>;<Target path>;<File name list>;<Maximum file size>
For example, the string describing the files to be collected can look like this:
By default, the collected data is saved to the folder C:\ProgramData\ and packed into a .zip archive before being exfiltrated to the C2.
C:\ProgramData\ also contains the DLLs downloaded from C2 that are required by Vidar for it to carry out its malicious activity. The creation date and time of these DLLs are overwritten with earlier ones.
In one case seen by Group-IB, Vidar used Telegram channels to obtain the addresses of C2 servers. In the static Vidar configuration, the following parameters were specified:
Profile: 517
Version: 52.7
URL1: https://t[.]me/tg_superch
URL2: https://climatejustice[.]social/@olegf9844
URL marker: hello
The stealer queries the specified pages and parses the description looking for a marker.
C2 description format: <marker> <IP address> |
The threat actors are able to create as many Telegram channels as they need in order to share C2 data. Old channels close down, and new ones open with staggering regularity. In Hi-Tech Crime Trends 2022/2023, Group-IB researchers noted that cybercriminals are already replacing traditional C2 servers with Telegram bots and other exfiltration channels, and this trend is only going to intensify. This is already apparent from our research into malware bundles. If for any reason it is not possible to obtain the C2 address from Telegram, an additional URL linking to profiles in various social networks and communities is used.

Figure 9: Social media profile with C2 IP address in description.
Interestingly, cybercriminals are now leveraging the highly popular social network Mastodon for their malicious activity, underscoring their ability to harness new techniques and pathways. For example, two of the resources that the threat actors used for C2 purposes were mas[.]to and mastodon[.]social. They also used the domains climatejustice[.]social, ieji[.]de, and koyu[.]space.
The following profiles were obtained from the samples discovered: https://mastodon[.]social/@olegf9844e, https://climatejustice[.]social/@olegf9844.
After collecting user data and sending it to the C2 server, Vidar deletes all traces of its presence.

Figure 10: Deletion of persistence traces, as shown by Group-IB’s Malware Detonation Tool embedded into Threat Intelligence and Managed XDR.
DJVU/STOP EMEA Ransomware
Our special guest was DJVU/STOP ransomware. The initial dropper prepared everything necessary for its appearance by disabling Windows Defender and running the loader.
The cryptor itself is loaded in several stages using Process Hollowing. The loader launches its own executable file with the parameters --Admin IsNotAutoStart IsNotTask:
"C:\Users\<user>\Pictures\Adobe Films\<sample name>" --Admin IsNotAutoStart IsNotTask
The final payload is then injected into the created process and launched.
The first thing the payload does after being launched is collect data about the victim. It does so by querying https://api.2ip[.]ua/geo.json. The format of the data is as follows:
{
"ip":"X.X.X.X",
"country_code":"AE",
"country":"United arab emirates",
"country_rus":"Объединенные Арабские Эмираты",
"country_ua":"Об'єднані Арабські Емірати",
"region":"Dubayy",
"region_rus":"Дубай",
"region_ua":"Дубай",
"city":"Dubai",
"city_rus":"Дубай",
"city_ua":"Дубай",
"latitude":"XX.XXXXX",
"longitude":"XX.XXXXX",
"zip_code":"-",
"time_zone":"+04:00"
}
The information obtained is used to check if the country is on the whitelist. The countries that have been whitelisted are Russia (RU), Belarus (BY), Ukraine (UA), Azerbaijan (AZ), Armenia (AM), Tajikistan (TJ), Kazakhstan (KZ), Kyrgyzstan (KG), Uzbekistan (UZ), and Syria (SY), and users based in these countries will not be attacked.
If the victim is not in any of the countries in the whitelist, DJVU/STOP creates a folder with the name generated from the victim’s UUID in C:\Users\<user>\AppData\Local\ and puts a copy of its executable file there. This file is later used for persistence via Run key, in which the SysHelper value is created:
Value name: SysHelper
Value type: RegExpandSz
Value: "C:\Users\<user>\AppData\Local\<sample path>\<sample name>" --AutoStart
Windows API functions are used to modify the registry key.
The same executable file is also used to create a “Time Trigger Task” in the Task Scheduler via a COM object. Some parameters of this task are:
<Interval>PT5M</Interval>
<Duration>PT10M</Duration>
<WaitTimeout>PT5M</WaitTimeout>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Actions Context="Author">
<Command>C:\Users\<user>\AppData\Local\<sample path>\<sample name></Command>
<Arguments>--Task</Arguments>
Next, the icacls utility is used to deny Everyone (SID S-1-1-0) the delete and delete-child rights on the folder with malicious content, so that the user cannot simply remove it:
icacls "C:\Users\<user>\AppData\Local\<sample path>" /deny *S-1-1-0:(OI)(CI)(DE,DC)
In all cases, one or more of the parameters below are used to explicitly specify the launch method:
| Parameter | Description |
|---|---|
| --Admin IsAutoStart\|IsNotAutoStart IsTask\|IsNotTask | Run as administrator. IsAutoStart: creation of the “SysHelper” value in the Run registry key to start the ransomware. IsTask: creation of the “Time Trigger Task” scheduled task to launch the ransomware |
| --AutoStart | Execution via the Run key |
| --Task | Execution via the scheduled task |
| --ForNetRes {PUB_KEY} {RANSOM_ID} IsAutoStart\|IsNotAutoStart IsTask\|IsNotTask | Intended to run the ransomware on another host on the local network. PUB_KEY: RSA public key. RANSOM_ID: Ransom ID. IsAutoStart: creation of the “SysHelper” value in the Run registry key. IsTask: creation of a scheduled task |
| --Service {PID} {PUB_KEY} {RANSOM_ID} | Waits for the specified process to complete and creates the “SysHelper” value in the Run registry key. PID: process identifier. PUB_KEY: RSA public key. RANSOM_ID: Ransom ID |
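As an added example (not part of the original post, and not the ransomware's own code), the Python below classifies process command lines according to the launch parameters in the table above, which is what a detection rule over process-creation telemetry would do. The sample command lines are constructed, modelled on the ones quoted in this post.

```python
import re
from typing import Dict, List, Optional

# Launch switches documented in the table above, mapped to the stage they indicate.
LAUNCH_MODES = {
    "--Admin": "initial_elevated_run",
    "--AutoStart": "run_key_persistence",
    "--Task": "scheduled_task_persistence",
    "--ForNetRes": "lateral_network_run",
    "--Service": "wait_for_process_then_persist",
}


def parse_djvu_cmdline(cmdline: str) -> Optional[Dict[str, object]]:
    """Classify one process command line. Returns None when the second token
    is not one of the DJVU/STOP launch switches."""
    # Tokenise while keeping quoted paths such as "...\Adobe Films\x.exe" intact.
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    if len(tokens) < 2 or tokens[1] not in LAUNCH_MODES:
        return None
    switch, args = tokens[1], tokens[2:]
    info: Dict[str, object] = {
        "image": tokens[0].strip('"'),
        "switch": switch,
        "mode": LAUNCH_MODES[switch],
    }
    # Positional arguments that precede the IsAutoStart/IsTask flags.
    if switch == "--ForNetRes" and len(args) >= 2:
        info["pub_key"], info["ransom_id"] = args[0], args[1]
        args = args[2:]
    elif switch == "--Service" and len(args) >= 3:
        info["pid"], info["pub_key"], info["ransom_id"] = args[0], args[1], args[2]
        args = args[3:]
    # IsAutoStart / IsTask tell the sample which persistence to set up.
    info["creates_run_key"] = "IsAutoStart" in args
    info["creates_task"] = "IsTask" in args
    # The post notes the payload is staged under Pictures\Adobe Films before it
    # copies itself to %LOCALAPPDATA%\<UUID>; record which location we see.
    image_lower = str(info["image"]).lower()
    info["staged_in_adobe_films"] = "\\pictures\\adobe films\\" in image_lower
    return info


# Constructed process-creation events modelled on the command lines quoted in the post.
SAMPLE_CMDLINES: List[str] = [
    r'"C:\Users\alice\Pictures\Adobe Films\a1b2c3.exe" --Admin IsNotAutoStart IsNotTask',
    r'"C:\Users\alice\AppData\Local\0f1e2d3c-aaaa-bbbb-cccc-ddddeeeeffff\a1b2c3.exe" --AutoStart',
    r'"C:\Users\alice\AppData\Local\0f1e2d3c-aaaa-bbbb-cccc-ddddeeeeffff\a1b2c3.exe" --Task',
    r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',
]


def find_djvu_launches(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Run the classifier over a batch of command lines and keep the hits."""
    return [hit for hit in map(parse_djvu_cmdline, cmdlines) if hit is not None]


if __name__ == "__main__":
    for hit in find_djvu_launches(SAMPLE_CMDLINES):
        print(hit["mode"], "<-", hit["image"])
```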
Depending on the launch method, the execution flow can vary.
The ransomware targets files located on local drives and network shares. After verifying the victim’s geolocation, the ransomware attempts to download files using the URLs specified in the configuration file and run them. The sample also attempts to download JSON data with the RSA public key and Ransom ID, which it saves in the text file “bowsakkdestx.txt”. If the download fails, hardcoded values of the RSA public key and Ransom ID are taken from the configuration.
Each configuration data parameter is contained in 10 or 16 blocks (block size is 151 bytes). The blocks are encrypted using a byte-by-byte XOR operation with a value of 80h.
| Parameter | Value |
|---|---|
| URL used to download JSON data with public RSA key and Ransom ID (10 blocks) | http://acacacap[.]org/test3/get.php |
| Time-out for “Time Trigger Task” to be launched (10 blocks) | “700” |
| Text of the ransom note (10 blocks) | “ATTENTION! Don’t worry, you can return all your files! … To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0505Jhyjd” |
| Extension of encrypted files (10 blocks) | “.lloo” |
| List of substrings skipped during encryption (10 blocks) | “ntuser.dat|ntuser.dat.LOG1|ntuser.dat.LOG2|ntuser.pol|.sys|.ini|.DLL|.dll|.blf|.bat|.lnk|.regtrans-ms|C:\SystemID\|C:\Users\Default User\|C:\Users\Public\|C:\Users\All Users\|C:\Users\Default\|C:\Documents and Settings\|C:\ProgramData\|C:\Recovery\|C:\System Volume Information\|C:\Users\%username%\AppData\Roaming\|C:\Users\%username%\AppData\Local\|C:\Windows\|C:\PerfLogs\|C:\ProgramData\Microsoft\|C:\ProgramData\Package Cache\|C:\Users\Public\|C:\$Recycle.Bin\|C:\$WINDOWS.~BT\|C:\dell\|C:\Intel\|C:\MSOCache\|C:\Program Files\|C:\Program Files (x86)\|C:\Games\|C:\Windows.old\|D:\Users\%username%\AppData\Roaming\|D:\Users\%username%\AppData\Local\|D:\Windows\|D:\PerfLogs\|D:\ProgramData\Desktop\|D:\ProgramData\Microsoft\|D:\ProgramData\Package Cache\|D:\Users\Public\|D:\$Recycle.Bin\|D:\$WINDOWS.~BT\|D:\dell\|D:\Intel\|D:\MSOCache\|D:\Program Files\|D:\Program Files (x86)\|D:\Games\|E:\Users\%username%\AppData\Roaming\|E:\Users\%username%\AppData\Local\|E:\Windows\|E:\PerfLogs\|E:\ProgramData\Desktop\|E:\ProgramData\Microsoft\|E:\ProgramData\Package Cache\|E:\Users\Public\|E:\$Recycle.Bin\|E:\$WINDOWS.~BT\|E:\dell\|E:\Intel\|E:\MSOCache\|E:\Program Files\|E:\Program Files (x86)\|E:\Games\|F:\Users\%username%\AppData\Roaming\|F:\Users\%username%\AppData\Local\|F:\Windows\|F:\PerfLogs\|F:\ProgramData\Desktop\|F:\ProgramData\Microsoft\|F:\Users\Public\|F:\$Recycle.Bin\|F:\$WINDOWS.~BT\|F:\dell\|F:\Intel\ “ |
| Parameter is not used (10 blocks) | “Select Dec…” |
| Name of the text file with ransom note (10 blocks) | “_readme.txt” |
| List of URLs used to download files (16 blocks). If the substring “$run” is present after the URL, the downloaded file will also be executed. Files are loaded to the %LOCALAPPDATA%\{UUID} directory, where UUID is the generated UUID | “http://rgyui[.]top/dl/build2.exe$run http://acacaca[.]org/files/1/build3.exe$run” |
| Public RSA key in PEM format with character escaping (16 blocks) | Public Key RSA-2048 “-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvl+JOPkrW9VTv\/JiZrdb\\nLEm7qMCOlxSKL7GNqByzs8MBqaFYv3Hrfp8a8aiFttOTCmebqruweFD8\/5FJr9TV\\nXlc5WRN2qZ9plAjalgMpiRghV76fBZpvxMOf\/d5IgW88c0OgidqlDGzd8W9BMNUL\\np2C\/R\/jKB62S9UEvbyYbim2JC4Am7luAjgqn\/LVsFJw\/kz+RO7pHNMYml7BI\/ITc\\n+dRJk6ciR7oRNq\/amRb\/fRCf2MI0JBPyjx7XR0tvJCm0xxSGqYjPStTR7WZYhqtc\\nx4OG6RQP4SzI0WB\/4fA4CsiKMsyj4ndmMkXsRbs8RQieHgLuQi5mmaojsXu0tYn7\\nyQIDAQAB\\n-----END PUBLIC KEY-----” |
| Ransom ID identifier (16 blocks) | “YfcXKGLzjXMjQRwrhUHzsXjmASQ6mo4zjmEj9st1” |
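Added example, not the post's or the malware's own code: decoding the configuration layout described above (parameters stored in 10 or 16 blocks of 151 bytes, each byte XORed with 80h) and splitting the URL-list parameter on its “$run” flag. The parameter order follows the table above and the NUL padding of each parameter's unused tail is an assumption; the sample configuration is constructed from the defanged values quoted in the table, with the ransom note and skip list shortened.

```python
from typing import Dict, List

BLOCK_SIZE = 151   # block size stated in the post
XOR_KEY = 0x80     # every byte of a block is XORed with 80h

# Parameter order and block counts taken from the table above. The on-disk order is
# an assumption, as is the NUL padding of the unused tail of each parameter.
CONFIG_LAYOUT = [
    ("json_url", 10), ("task_timeout", 10), ("ransom_note", 10), ("extension", 10),
    ("skip_list", 10), ("unused", 10), ("note_filename", 10),
    ("download_urls", 16), ("rsa_public_key", 16), ("ransom_id", 16),
]


def decode_parameter(blob: bytes, block_count: int) -> str:
    """XOR-decode one parameter spanning block_count blocks and strip the padding."""
    expected = block_count * BLOCK_SIZE
    if len(blob) != expected:
        raise ValueError(f"parameter must be {expected} bytes, got {len(blob)}")
    decoded = bytes(b ^ XOR_KEY for b in blob)
    return decoded.split(b"\x00", 1)[0].decode("latin-1")


def encode_parameter(value: str, block_count: int) -> bytes:
    """Inverse of decode_parameter; used here only to build the constructed sample."""
    raw = value.encode("latin-1")
    expected = block_count * BLOCK_SIZE
    if len(raw) >= expected:
        raise ValueError("value does not fit in the allotted blocks")
    return bytes(b ^ XOR_KEY for b in raw.ljust(expected, b"\x00"))


def parse_config(blob: bytes) -> Dict[str, str]:
    """Walk CONFIG_LAYOUT over a contiguous configuration blob."""
    cfg: Dict[str, str] = {}
    offset = 0
    for name, blocks in CONFIG_LAYOUT:
        size = blocks * BLOCK_SIZE
        cfg[name] = decode_parameter(blob[offset:offset + size], blocks)
        offset += size
    if offset != len(blob):
        raise ValueError("trailing bytes after the last parameter")
    return cfg


def split_download_urls(param: str) -> List[Dict[str, object]]:
    """Parse the URL-list parameter: whitespace-separated URLs, '$run' marks execute."""
    out: List[Dict[str, object]] = []
    for item in param.split():
        execute = item.endswith("$run")
        out.append({"url": item[:-4] if execute else item, "execute": execute})
    return out


def build_sample_config() -> bytes:
    """Constructed configuration using the (defanged) values quoted in the table."""
    values = {
        "json_url": "http://acacacap[.]org/test3/get.php",
        "task_timeout": "700",
        "ransom_note": "ATTENTION! Don't worry, you can return all your files!",
        "extension": ".lloo",
        "skip_list": "ntuser.dat|ntuser.dat.LOG1|.sys|.ini|.dll|C:\\Windows\\",
        "unused": "Select Dec",
        "note_filename": "_readme.txt",
        "download_urls": "http://rgyui[.]top/dl/build2.exe$run "
                         "http://acacaca[.]org/files/1/build3.exe$run",
        "rsa_public_key": "-----BEGIN PUBLIC KEY-----\\nPLACEHOLDER\\n-----END PUBLIC KEY-----",
        "ransom_id": "YfcXKGLzjXMjQRwrhUHzsXjmASQ6mo4zjmEj9st1",
    }
    return b"".join(encode_parameter(values[name], blocks) for name, blocks in CONFIG_LAYOUT)


if __name__ == "__main__":
    cfg = parse_config(build_sample_config())
    for entry in split_download_urls(cfg["download_urls"]):
        print(entry)
```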
It is worth noting that DJVU/STOP tries to encrypt “I:\5d2860c89d774.jpg” before actually encrypting user files.
Files are encrypted in multiple threads. File contents are encrypted with the Salsa20 algorithm. The Salsa20 key and nonce for each file are derived from a UUID string generated with the Windows API functions UuidCreate and UuidToStringA. No more than 153,600 bytes are encrypted, starting from the 5th byte of the file data (counting from 0). The UUID string is then encrypted with the RSA public key and appended to the end of the encrypted file along with the Ransom ID and the encrypted-file token “{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}”. As mentioned above, the RSA public key and Ransom ID can be downloaded from a URL specified in the ransomware configuration; when the offline (hardcoded) RSA key and Ransom ID values are used instead, the likelihood of decrypting files increases.
The ransomware creates a text file “_readme.txt” with the ransom demand in each processed directory, and additionally saves the Ransom ID in the text file “C:\SystemID\PersonalID.txt”.
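Added example (not from the post or the ransomware): a triage routine for the encrypted-file layout described above, which reads the trailer to recover the Ransom ID and the five clear-text bytes that survive at the start of each file. The footer order (RSA-encrypted UUID, then Ransom ID, then the file token) and the 256-byte length of the RSA-2048 block are assumptions; the “t1” suffix used to flag an offline ID is a widely documented DJVU/STOP trait that the post itself does not mention; the sample file is constructed.

```python
from typing import Dict, Optional

FILE_TOKEN = b"{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}"  # encrypted-file token from the post
RANSOM_ID_LEN = 40        # length of the Ransom ID quoted in the post
RSA_BLOCK_LEN = 256       # assumption: raw RSA-2048 ciphertext of the per-file UUID string
PLAINTEXT_PREFIX = 5      # encryption starts at byte 5, so bytes 0..4 stay in the clear
MAX_ENCRYPTED = 153_600   # at most this many bytes of content are encrypted


def triage_encrypted_file(data: bytes) -> Optional[Dict[str, object]]:
    """Return trailer fields if data ends with the DJVU/STOP footer, else None.
    Assumed footer: [RSA-encrypted UUID][Ransom ID][FILE_TOKEN]."""
    if not data.endswith(FILE_TOKEN):
        return None
    footer_len = RSA_BLOCK_LEN + RANSOM_ID_LEN + len(FILE_TOKEN)
    body_len = len(data) - footer_len
    if body_len < PLAINTEXT_PREFIX:
        return None  # too short to carry the assumed footer
    key_block = data[body_len:body_len + RSA_BLOCK_LEN]
    ransom_id = data[body_len + RSA_BLOCK_LEN:body_len + RSA_BLOCK_LEN + RANSOM_ID_LEN]
    ransom_id_str = ransom_id.decode("ascii", "replace")
    return {
        # Salsa20 is a stream cipher, so the body keeps the original file length.
        "original_size": body_len,
        # The surviving magic bytes still identify the original file type.
        "plaintext_prefix": data[:PLAINTEXT_PREFIX],
        "encrypted_bytes": min(MAX_ENCRYPTED, body_len - PLAINTEXT_PREFIX),
        "ransom_id": ransom_id_str,
        "encrypted_uuid": key_block,
        # Offline (hardcoded-key) IDs end in "t1"; this is external knowledge, not from the post.
        "offline_id": ransom_id_str.endswith("t1"),
    }


def build_sample_encrypted_file() -> bytes:
    """Constructed file: 5 clear bytes of a PDF header, 1 KiB of stand-in ciphertext,
    then the assumed footer using the Ransom ID quoted in the post."""
    body = b"%PDF-" + bytes(range(256)) * 4
    footer = (bytes([0xAB]) * RSA_BLOCK_LEN
              + b"YfcXKGLzjXMjQRwrhUHzsXjmASQ6mo4zjmEj9st1"
              + FILE_TOKEN)
    return body + footer


if __name__ == "__main__":
    print(triage_encrypted_file(build_sample_encrypted_file()))
```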

Figure 11: DJVU/STOP ransom note.
The cost of decrypting files is currently $980, a ransom sum that suggests that the cybercriminals are targeting individuals. However, there is a likelihood that the cybercriminals can also play the role of initial access brokers for more sophisticated threat actors.
The victim is also offered a 50% discount if they pay within 72 hours. Victims could try to find a decryptor on the Internet and decrypt the files by themselves, but they should be careful if they do. A large number of fake decryptors have appeared recently, and they are more likely to bring extra malware rather than decrypt files.
Other activity
We tried to focus on the most interesting pieces of the bundle, but there were many others. Thanks to the number of loaders, we landed the jackpot: a huge collection of malicious files. The most interesting of these are highlighted below.
Amadey Stealer (v3.21)
Amadey is a simple stealer that collects information from different mail agents using cred.dll launched via rundll32.exe. To obtain persistence, Amadey adds itself to Startup and creates a scheduled task.
cmd.exe /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\<user>\AppData\Local\Temp\62eca45584\
schtasks.exe /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "C:\Users\<user>\AppData\Local\Temp\62eca45584\bguuwe.exe" /F
The following C2 was used during the stealer’s operation: 185.215.113[.]15/Lkb2dxj3/index.php.
Glupteba/RanumBot
This sample is a Remote Access Trojan, observed by Group-IB in summer 2022, that exfiltrates system information and spreads using EternalBlue exploits. It hides behind the name “csrss.exe” and consists of several components:
- Winmon.sys: Rootkit to hide processes
- WinmonFS.sys: Rootkit to hide files and folders
- WinmonProcessMonitor.sys: Rootkit to monitor and stop processes
- injector.exe: Utility to inject DLLs into specified processes, used to inject NtQuerySystemInformationHook.dll into the taskmgr.exe process and hide malicious processes from Task Manager
The main module adds a firewall rule using a network shell (netsh) to allow incoming connections and uses a scheduled task to obtain persistence:
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Rootkits are installed as kernel drivers. Glupteba logs are sent to the following URL: https://sofolisk[.]com/api/log.
PrivateLoader.Downloader (v0.8)
This downloader proved helpful in our investigation. It used a proxy retrieved from the URL http://212.193.30[.]45/proxies.txt and IP addresses of C2 retrieved from:
- http://212.193.30[.]29/server.txt
- https://pastebin[.]com/raw/A7dSG1te
- http://wfsdragon[.]ru/api/setStats.php
- softs-portal[.]com/api/registerUser.php
The default C2 IP address 212.193.30[.]21 was also used.
One more URL was used to retrieve updates: https://vipsofts[.]xyz/files/mega.bmp.
This tiny sample helped us obtain not only additional samples of RedLine Stealer, Vidar Stealer, and DJVU/STOP, but also the following:
1. ModiLoader/DBatLoader. Downloader
Extracted URLs:
- https://onedrive.live[.]com/download?cid=E8A357DC635F5F11&resid=E8A357DC635F5F11%21496&authkey=APDdIv0SZVO3OZw
- https://ej2a0q.db.files.1drv[.]com
2. Downloader GCleaner
Extracted URLs:
- http://212.192.246[.]99
- http://31.210.20[.]149
- http://212.192.241[.]16
- http://203.159.80[.]49
3. PrivateDownloader. Downloader, Stealer
Extracted URLs:
- http://193.233.185[.]125/download/NiceProcessX64.bmp
- http://193.233.185[.]125/download/NiceProcessX32.bmp
- https://cdn.discordapp[.]com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
- https://c.xyzgamec[.]com/userdown/2202/random.exe
- http://193.56.146[.]76/Proxytest.exe
- http://www.yzsyjyjh[.]com/askhelp23/askinstall23.exe
- http://91.241.19[.]125/pub.php?pub=one
- http://privacy-tools-for-you-780[.]com/downloads/toolspab3.exe
- http://luminati-china[.]xyz/aman/casper2.exe
- https://innovicservice[.]net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
- http://tg8.cllgxx[.]com/hp8/g1/yrpp1047.exe
- https://cdn.discordapp[.]com/attachments/910842184708792331/930849718240698368/Roll.bmp
- https://cdn.discordapp[.]com/attachments/910842184708792331/930850766787330068/real1201.bmp
- https://cdn.discordapp[.]com/attachments/910842184708792331/930882959131693096/Installer.bmp
- http://185.215.113[.]208/ferrari.exe
- https://cdn.discordapp[.]com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
- https://cdn.discordapp[.]com/attachments/910842184708792331/931285223709225071/russ.bmp
- https://cdn.discordapp[.]com/attachments/910842184708792331/932720393201016842/filinnn.bmp
- https://cdn.discordapp[.]com/attachments/910842184708792331/933436611427979305/build20k.bmp
- http://mnbuiy[.]pw/adsli/note8876.exe
- http://sarfoods[.]com/index.php
- https://suprimax.vet[.]br/css/fonts/OneCleanerInst942914.exe
- http://tg8.cllgxx[.]com/hp8/g1/ssaa1047.exe
- https://www.deezloader[.]app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
- https://www.deezloader[.]app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
- https://cdn.discordapp[.]com/attachments/910281601559167006/911516400005296219/anyname.exe
- https://cdn.discordapp[.]com/attachments/910281601559167006/911516894660530226/PBsecond.exe
- https://cdn.discordapp[.]com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
- https://iplogger[.]org/2BTmf7
- https://iplogger[.]org/2BAmf7
- https://iplogger[.]org/2BDmf7
- https://iplogger[.]org/2BFmf7
- https://iplogger[.]org/2s2pg6
- https://iplogger[.]org/2s3pg6
- https://iplogger[.]org/2s4pg6
- https://iplogger[.]org/2s5pg6
- https://iplogger[.]org/2s6pg6
- https://iplogger[.]org/2s7pg6
- https://cdn.discordapp[.]com/attachments/978284851323088960/991390417943797810/asp_correct.bmp
- http://64.227.67[.]0/searchApp.exe
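The indicator lists above are published defanged (`[.]` in place of `.`), so they cannot be matched against logs as they stand. The following is an added example, not code from the Group-IB post, that refangs a handful of the indicators listed above and runs them over a few constructed proxy log lines; the log format, the client IP addresses, and the log lines themselves are constructed for illustration, and only the defanged URLs and the C2 IP are taken from the list.

```python
import re
from urllib.parse import urlparse

# A subset of the indicators listed above, copied in their defanged form.
# Everything else in this example (log format, log lines, addresses of the
# internal clients) is constructed for illustration.
DEFANGED_IOCS = [
    "http://wfsdragon[.]ru/api/setStats.php",
    "softs-portal[.]com/api/registerUser.php",
    "https://vipsofts[.]xyz/files/mega.bmp",
    "http://193.233.185[.]125/download/NiceProcessX64.bmp",
    "https://iplogger[.]org/2BTmf7",
    "212.193.30[.]21",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging ('[.]', '(.)', 'hxxp') so the indicator can be matched."""
    s = ioc.strip()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s


def host_of(value: str) -> str:
    """Host part of a URL, bare domain or IP address (defanged or not)."""
    s = refang(value)
    if "://" not in s:
        s = "http://" + s  # urlparse needs a scheme before it splits off the host
    return (urlparse(s).hostname or "").lower()


def build_matcher(iocs):
    """Two lookup sets: exact URLs (only indicators that carry a scheme) and
    hosts, so a request for any other path on an indicator host is still caught."""
    urls, hosts = set(), set()
    for ioc in iocs:
        clean = refang(ioc)
        if "://" in clean:
            urls.add(clean)
        hosts.add(host_of(clean))
    hosts.discard("")
    return urls, hosts


# Constructed proxy log format: <timestamp> <client ip> <method> <url> <status>
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def scan_proxy_log(lines, iocs):
    """Return (timestamp, client, url, kind) for every line that hits an indicator;
    kind is 'url' for an exact URL match and 'host' for a host-level match."""
    urls, hosts = build_matcher(iocs)
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        url = m.group("url")
        if url in urls:
            hits.append((m.group("ts"), m.group("src"), url, "url"))
        elif host_of(url) in hosts:
            hits.append((m.group("ts"), m.group("src"), url, "host"))
    return hits


# Constructed sample log: one benign request plus four that touch the list.
SAMPLE_LOG = [
    "2022-11-03T10:14:22Z 10.0.0.15 GET https://www.example.com/index.html 200",
    "2022-11-03T10:15:01Z 10.0.0.15 GET https://vipsofts.xyz/files/mega.bmp 200",
    "2022-11-03T10:15:09Z 10.0.0.15 POST http://wfsdragon.ru/api/setStats.php 200",
    "2022-11-03T10:16:40Z 10.0.0.22 GET https://iplogger.org/2s7pg6 302",
    "2022-11-03T10:17:02Z 10.0.0.22 GET http://212.193.30.21/ 200",
]

if __name__ == "__main__":
    for ts, src, url, kind in scan_proxy_log(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"{ts} {src} {kind:4} {url}")
```

Host-level matching is deliberately broader than exact URL matching: the Discord CDN and iplogger entries in the list are single paths on shared services, so a host hit on those needs a look at the full URL before it is treated as a confirmed sighting, whereas a host hit on a dedicated C2 domain is usually conclusive on its own.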
Finally, to obtain persistence, PrivateLoader.Downloader created a scheduled task using schtasks.exe.

Figure 12: How Group-IB’s Malware Detonation Platform Tool, embedded in Threat Intelligence and Managed XDR, tracks creation of scheduled tasks by PrivateLoader.Downloader
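A task created with schtasks.exe is stored as an XML definition under C:\Windows\System32\Tasks (and can be exported with `schtasks /query /xml`), which makes scheduled-task persistence easy to triage after the fact. The following is an added example, not code from the Group-IB post and not derived from PrivateLoader itself, that parses task definitions and flags the traits a downloader-created task tends to have: the HighestAvailable run level that `schtasks /rl HIGHEST` produces (the ATT&CK table further down records that option), an action pointing into a user-writable directory, a script host or LOLBin as the action, and a logon or boot trigger. The two task definitions are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by every Windows task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a normal installer rarely schedules binaries from.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\[^\\]+\\Downloads|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)

# Script hosts and living-off-the-land binaries as the scheduled action.
SCRIPT_HOST = re.compile(
    r"(?:^|\\)(?:powershell|pwsh|cmd|rundll32|mshta|wscript|cscript|regsvr32)(?:\.exe)?$",
    re.IGNORECASE,
)


def triage_task(xml_text: str) -> dict:
    """Parse one task definition and return its command, run level, trigger
    types and a list of human-readable findings (empty for an unremarkable task)."""
    root = ET.fromstring(xml_text)
    run_level = (root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS) or "").strip()
    command = (root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS) or "").strip()
    arguments = (root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS) or "").strip()
    triggers = root.find("t:Triggers", NS)
    trigger_names = [] if triggers is None else [child.tag.split("}")[-1] for child in triggers]

    findings = []
    if run_level == "HighestAvailable":
        findings.append("runs with highest available privileges (schtasks /rl HIGHEST)")
    if USER_WRITABLE.search(command) or USER_WRITABLE.search(arguments):
        findings.append("action points into a user-writable directory")
    if SCRIPT_HOST.search(command):
        findings.append("action is a script host or LOLBin rather than an application")
    if "LogonTrigger" in trigger_names or "BootTrigger" in trigger_names:
        findings.append("re-runs at logon or boot (persistence)")
    return {"command": command, "run_level": run_level, "triggers": trigger_names, "findings": findings}


# Constructed sample: the shape a downloader-created task typically has.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Local\Temp\update.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: a vendor updater running nightly from Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Triggers>
    <CalendarTrigger><StartBoundary>2022-11-01T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        result = triage_task(xml_text)
        print(f"{name}: {result['command']} -> {result['findings'] or 'no findings'}")
```

On a live host the same function can be run over every file in the Tasks directory; the findings are weighted hints rather than verdicts, so a task that trips several of them at once (elevated, user-writable path, logon trigger) is the one to pull first, and the Security log event for task creation (event ID 4698) gives the creating process and account to go with it.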
Final thoughts
Thanks to the different downloaders, we had a lot to analyze. The cherry on top of this beautiful malicious cake was the injection of a meterpreter into svchost. Seeing meterpreter, a classic in its own right, was a surprise for us. Meterpreter is the post-exploitation payload of the Metasploit framework: it is injected into a legitimate process and gives the threat actors an interactive channel to the victim’s machine. Once widely used, Metasploit has, to a large extent, been replaced by Cobalt Strike, which is why its reemergence in these malware bundles was of great interest.
It is worth mentioning that stealers, which make up a major part of the bundle, can collect credentials for IABs. As noted in Hi-Tech Crime Trends 2022/2023, the number of advertisements describing compromised networks on underground forums more than doubled year-on-year in H2 2021 – H1 2022 to 2,348, and this trend is likely to continue as IABs play a greater role in the underground market. As seen with malware bundles, this could lead to more sophisticated threat actors gaining access to infected machines; not to mention the fact that such access can be granted directly by the meterpreter, which can also be injected by some of the malware found in the bundle. In such cases, the potential damage could be far greater than the initial ransom demand of $980 requested by the low-level threat actors leveraging DJVU/STOP ransomware, as access to an employee’s personal device gets passed up the cybercriminal food chain to more seasoned actors who could go on to penetrate an entire corporate network.
Our study of malware bundles sheds light on their variety. All of the malware packages examined by Group-IB were unique, and future bundles are sure to contain ever-more dangerous concoctions of malicious files. All this goes to show the danger that malware bundles pose to individuals across the globe, along with the companies and organizations they work for. One individual deciding to download a file on their personal computer, which they also use for work, could result in significant disruption and financial loss for the company. Malware bundles are not new, but the threat they pose is often underestimated by companies. Their circulation also underscores the potential damage that even rudimentary cybercriminals can bring to an organization.
Protecting against malware bundles – Recommendations
The recent spread of malware bundles in EMEA demonstrates how crucial it is for workplaces to foster a culture of cybersecurity and provide sufficient training to employees on how to spot phishing emails or malicious files hosted on file sharing sites. It’s also essential that companies provide employees with guidance and policies on how to work from home safely, such as maintaining up-to-date antivirus solutions and mandating the use of a secure corporate VPN that expands the organization’s security umbrella to personal devices.
- Be cautious about downloaded apps and files from untrusted sources. Pay particular attention to executable files and archives.
- Do not store credentials in web browsers or files — use password managers instead.
- Enable Credential Guard in Windows Defender.
- Make sure that your Windows OS is the latest available version and is supported by the vendor.
- Make sure you have an activated reliable antivirus solution, and that the antivirus platform is updated to the most recent version and that the signature base is the latest one available.
- Back up your most valuable data using cloud resources or keep offline copies of your data.
- If your files become encrypted, reinstall the OS and change all your passwords that were stored in browsers, mail agents, and other places.
- Use Managed XDR or EDR solutions to detect and prevent malware attacks. Make sure you cover 100% of hosts using this security control.
- Use Threat Intelligence solutions to stay up-to-date and be aware of all current threats.
- Regularly update your OS.
- Back up your most valuable data using best practices (cloud backup, offline backup, or the 3-2-1 model).
- Train your employees to identify malicious resources with cybersecurity awareness training. Enhance your cybersecurity team’s skills through our training programs for technical specialists.
- If your files become encrypted, scope all passwords that were stored in the OS, browsers, mail agents, etc. and change them immediately. Reinstall the OS afterwards.
In line with Group-IB’s mission of fighting cybercrime, we will continue to explore the methods, tools, and tactics used by cybercriminals of varying motivations. We will also continue to inform and warn targeted organizations worldwide. We always strive to ensure that organizations under attack are notified as quickly as possible to help reduce potential damage. We also consider it our responsibility to share our findings with the cybersecurity community and encourage researchers to study different threats, share data, and use our technologies to combat cybercrime — together.
If you are interested in what we do and would like to become an expert in the same field, you can take our Technical training programs. We also welcome applications to join the Group-IB team. Please check our vacancies on the website.
MITRE ATT&CK®
| Tactic | Technique | Description |
|---|---|---|
| TA0001 Initial Access | T1566 Phishing | Adversaries share malicious links and files via social media, forums, and specific websites |
| TA0002 Execution | T1204 User Execution | Adversaries rely on users to download and run malicious files |
| | T1059 Command and Scripting Interpreter | PowerShell and CMD are used to execute commands and launch modules |
| | T1053.005 Scheduled Task | System utility schtasks is used to execute malicious modules and files via scheduled tasks |
| | T1106 Native API | DJVU/STOP uses Windows API to run a new process before hollowing it |
| TA0003 Persistence | T1547.001 Registry Run Keys / Startup Folder | New values are created in the Run registry key and malicious files are added to startup |
| | T1176 Browser Extensions | Some stealers might add malicious extensions to obtain persistence and steal user information |
| | T1053.005 Scheduled Task | Scheduled tasks are created in order to obtain persistence |
| | T1547.009 Shortcut Modification | Some stealers might change browser-related shortcuts |
| TA0004 Privilege Escalation | T1053.005 Scheduled Task | Some scheduled tasks are created with /rl HIGHEST option |
| | T1055 Process Injection | Meterpreter is injected into the svchost.exe process |
| TA0005 Defense Evasion | T1070.004 File Deletion | Some files are deleted after execution |
| | T1070.006 Timestomp | Timestamps of specific files are changed to earlier ones |
| | T1036 Masquerading | Initial files masquerade as legitimate ones. Moreover, file extensions are changed to avoid detection |
| | T1014 Rootkit | Some samples in the bundle might deploy rootkits to hide malicious activity |
| | T1027 Obfuscated Files or Information | PowerShell commands are encoded in Base64. Some malicious files contain obfuscated code |
| | T1222.001 Windows File and Directory Permissions Modification | DJVU/STOP modifies permissions to prevent users from accessing malicious files |
| | T1564.003 Hidden Window | Some PowerShell commands are executed with the “-WindowStyle Hidden” option |
| | T1562.001 Disable or Modify Tools | Windows Defender real-time protection is disabled |
| | T1562.004 Disable or Modify System Firewall | Firewall rules are changed to allow programs with specific extensions |
| | T1055.012 Process Hollowing | Process Hollowing is used by DJVU/STOP to deploy its final payload |
| | T1218.011 Rundll32 | Rundll32 is used to launch malicious DLLs |
| TA0007 Discovery | T1057 Process Discovery | Some samples obtain information about running processes |
| | T1012 Query Registry | Information about the system, installed certificates, and configuration is obtained by querying specific registry keys |
| | T1614 System Location Discovery | Information about the system language and time zone is requested |
| | T1033 System Owner/User Discovery | Information about the system owner is discovered |
| | T1007 System Service Discovery | Tasklist utility is used to obtain information about installed services |
| | T1135 Network Share Discovery | DJVU/STOP checks network shares for further encryption |
| | T1083 File and Directory Discovery | Some samples try to discover specific files and locations |
| TA0009 Collection | T1560 Archive Collected Data | Vidar puts collected data into a zip archive |
| | T1119 Automated Collection | Browser cookies and profile data, wallets, credentials, and user files are collected automatically |
| | T1005 Data from Local System | Data are collected from the local system |
| | T1074.001 Local Data Staging | Vidar stages collected data in specific folders |
| | T1114.001 Local Email Collection | Some samples collect information from Outlook |
| | T1113 Screen Capture | Some samples create screenshots |
| TA0011 Command and Control | T1071.001 Web Protocols | HTTP and HTTPS are used to communicate with C2 |
| | T1105 Ingress Tool Transfer | Additional files are transferred from C2 and file-sharing resources |
| | T1095 Non-Application Layer Protocol | RedLine uses net.tcp protocol provided by WCF |
| | T1102.001 Dead Drop Resolver | Vidar uses Telegram channels and social media profiles to extract IP address of C2 |
| TA0010 Exfiltration | T1020 Automated Exfiltration | Collected data are exfiltrated automatically |
| | T1041 Exfiltration Over C2 Channel | Stealers send collected data to their C2 |
| TA0040 Impact | T1486 Data Encrypted for Impact | Files on the local host, connected drives, and network shares are encrypted |
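Several of the Defense Evasion rows above describe behaviour that is visible in process command lines alone: Base64-encoded PowerShell (T1027), the “-WindowStyle Hidden” option (T1564.003), Windows Defender real-time protection being switched off (T1562.001), firewall rules being added (T1562.004), and rundll32 launching DLLs (T1218.011). The following is an added example, not code from the Group-IB post, that scores process-creation events against those rows; it decodes an `-EncodedCommand` payload (UTF-16LE under Base64, which is how PowerShell expects it) so that the evasion hidden inside it is scored as well. The events are constructed samples shaped like a process-creation log (timestamp, parent image, command line), not real telemetry, and the rule set is an illustration rather than a complete detection.

```python
import base64
import re

# PowerShell accepts several spellings of the encoded-command switch.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# (technique id from the table above, description, pattern)
RULES = [
    ("T1564.003", "hidden PowerShell window",
     re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)),
    ("T1562.001", "Defender real-time protection disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(?:\$true|1)", re.IGNORECASE)),
    ("T1562.004", "firewall rule added",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", re.IGNORECASE)),
    ("T1218.011", "rundll32 loading a DLL from a user-writable path",
     re.compile(r'rundll32(?:\.exe)?\s+"?[A-Z]:\\(?:Users|ProgramData|Windows\\Temp)\\[^\s"]+\.dll', re.IGNORECASE)),
]


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none
    or it is not valid Base64 of UTF-16LE text."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline: str):
    """Return [(technique_id, description)] for every rule the command line
    (or its decoded PowerShell payload) matches."""
    hits = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append(("T1027", "Base64-encoded PowerShell command"))
    targets = [cmdline] + ([decoded] if decoded else [])
    for tid, desc, rx in RULES:
        if any(rx.search(t) for t in targets):
            hits.append((tid, desc))
    return hits


def scan_events(events):
    """Return [(timestamp, parent_image, hits)] for events with at least one hit."""
    out = []
    for ts, parent, cmd in events:
        hits = analyze_command_line(cmd)
        if hits:
            out.append((ts, parent, hits))
    return out


# Constructed encoded payload, built the way PowerShell expects it (UTF-16LE, then Base64).
ENCODED = base64.b64encode("Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")).decode()

# Constructed sample events: (timestamp, parent image, command line).
SAMPLE_EVENTS = [
    ("2022-11-03T10:20:01Z", "explorer.exe", r'"C:\Program Files\ExampleVendor\app.exe" --check-updates'),
    ("2022-11-03T10:21:14Z", "setup_x64.exe", f"powershell.exe -WindowStyle Hidden -EncodedCommand {ENCODED}"),
    ("2022-11-03T10:21:20Z", "setup_x64.exe",
     'cmd.exe /c netsh advfirewall firewall add rule name="svc" dir=in action=allow '
     'program="C:\\Users\\alice\\AppData\\Roaming\\svc.exe" enable=yes'),
    ("2022-11-03T10:21:33Z", "setup_x64.exe", r"rundll32.exe C:\Users\alice\AppData\Local\Temp\helper.dll,Start"),
]

if __name__ == "__main__":
    for ts, parent, hits in scan_events(SAMPLE_EVENTS):
        print(ts, parent, ", ".join(f"{tid} ({desc})" for tid, desc in hits))
```

The parent image is carried through because, on this page, the chain matters more than any single command: an installer spawning hidden PowerShell, a firewall change and rundll32 within a few seconds is the bundle signature, while any one of those events on its own may have a benign explanation.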