The Shang-Chi Malware Campaign: Is your pirated copy of the summer blockbuster laced with a RAT?
A recent campaign is spreading malware embedded in pirated copies of popular summer blockbusters such as Shang-Chi and the Legend of the Ten Rings. Threat actors ship the malware inside pirated movies that are easily available on torrent networks. In these campaigns a corrupted movie file tricks the user into running a batch program that claims to install a codec the video needs.
In some cases the video stops during playback and prompts the user to execute the bundled batch program to install the supposedly missing codecs. In other cases the download includes a README instructing the user to run the same batch file. The dropper masquerades as a .srt file: .srt is a legitimate subtitle format, but here the file holds a hexadecimal-encoded dropper, an executable written in C++ [-1-].
The downloaded bundle contains two files: the subtitle file ‘75095_VTS.srt’, which holds the encoded payload, and ‘Ultra XVid Codec Setup.bat’, which is the malware’s loader batch program.
The loader batch program has two parts:
1. UAC elevation: the first code segment re-launches the batch program as administrator. It is the well-known self-elevation snippet from Stack Overflow [-2-]: it re-runs the script with the ‘runas’ verb, which triggers a normal UAC consent prompt rather than bypassing UAC; the codec pretext is what persuades the user to click through.
The rest of the batch program runs with administrator privileges once elevation has succeeded. It first executes two PowerShell commands that exclude the ‘.exe’ and ‘.srt’ file extensions from antivirus scanning, so that neither the encoded payload nor the decoded executable is inspected.
A ‘ping’ command is used as a sleep mechanism, a common batch-file idiom.
2. Malware deployment: the payload is delivered through the Windows ‘certutil’ utility. Certutil is a living-off-the-land binary that adversaries routinely abuse to decode and drop malware stagers and loaders.
The batch program decodes the hexadecimal-encoded .srt payload into a second .srt file, which is in fact a PE executable and can be run once decoded. The decoding command is:
certutil -decodehex -f 75095_VTS.srt 75095_VTS_tmp.srt
Finally, the batch program launches the decoded executable (still carrying the .srt extension) with the following command:
start 75095_VTS_tmp.srt
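As an added example (not code from the original post or from CloudSEK), the following Python script reproduces the certutil -decodehex step offline and then asks the question a triage analyst actually cares about: is a supposed subtitle file really a hex-encoded PE? The sample inputs are constructed, a two-cue subtitle and a minimal fake PE header, not the real 75095_VTS.srt from the campaign.

```python
"""Offline triage of a suspicious '.srt' file (added example, not CloudSEK's code).

The loader runs `certutil -decodehex` on the subtitle file; this script does the
same decoding in Python and then checks whether the result is a PE executable.
Sample inputs below are constructed, not the real 75095_VTS.srt from the campaign.
"""
import re
import struct

# certutil -decodehex on plain hex input: every pair of hex digits is one byte.
# (certutil also accepts its own dump format with offsets; that is not handled here.)
HEX_PAIR_RE = re.compile(r"[0-9A-Fa-f]{2}")

# A genuine SubRip file starts with a cue: index line, then "hh:mm:ss,mmm --> hh:mm:ss,mmm".
SRT_CUE_RE = re.compile(
    r"^\s*\d+\s*\r?\n\d{2}:\d{2}:\d{2},\d{3}\s*-->\s*\d{2}:\d{2}:\d{2},\d{3}", re.M
)


def decode_hex_blob(text: str) -> bytes:
    """Reproduce the effect of `certutil -decodehex -f <in> <out>` for plain hex."""
    return bytes(int(pair, 16) for pair in HEX_PAIR_RE.findall(text))


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_srt(text: str) -> str:
    """'subtitle' for a real SubRip file, 'hex-encoded PE' for the lure, else 'unknown'."""
    if SRT_CUE_RE.search(text):
        return "subtitle"
    if is_pe(decode_hex_blob(text)):
        return "hex-encoded PE"
    return "unknown"


def build_fake_pe_header() -> bytes:
    """Constructed stand-in for the dropper: just enough header to satisfy is_pe()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE header follows the DOS stub
    return bytes(dos) + b"PE\x00\x00" + b"\x4c\x01"   # Machine = IMAGE_FILE_MACHINE_I386


# Constructed samples: what a real subtitle looks like vs. the hex-encoded lure.
SAMPLE_REAL_SRT = (
    "1\n00:00:01,000 --> 00:00:04,000\nTen rings.\n\n"
    "2\n00:00:05,000 --> 00:00:07,500\nRun.\n"
)
SAMPLE_HEX_SRT = " ".join(f"{b:02X}" for b in build_fake_pe_header())


if __name__ == "__main__":
    for label, sample in (("real subtitle", SAMPLE_REAL_SRT), ("lure", SAMPLE_HEX_SRT)):
        print(f"{label}: {classify_srt(sample)}")
```

The PE check reads e_lfanew from offset 0x3C and verifies the PE signature there rather than trusting the MZ bytes alone, because a hex blob that happens to start with 4D 5A is not proof of an executable. Run the script against a directory of subtitle files and anything classified as a hex-encoded PE is worth pulling for analysis.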
The final executable payload can be easily detected by over 60 security vendors.
Our analysis also shows that the payload persists across reboots through the Run key:
Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The value under this key points to route.exe in the C:\Users\SYM\AppData\Local\Route0\ directory, so the malware is started again at every logon and survives a system restart.
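Every step of the loader described above (Defender exclusions via PowerShell, ping as a sleep, certutil -decodehex, launching a .srt file) and the Run-key persistence are visible in ordinary endpoint telemetry. The following detection script is an added example, not part of the original post: the events are constructed in the shape of Sysmon event ID 1 (process create) and event ID 13 (registry value set), the rule set and the three-rule threshold are assumptions made here, and the SID in the sample is made up.

```python
"""Detect the codec-lure loader in endpoint telemetry (added example, not CloudSEK's code).

Events are constructed in the shape of Sysmon event ID 1 (process create) and
event ID 13 (registry value set).  The rule set, the three-rule threshold and
the SID in the sample are assumptions made here, not taken from the original post.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int            # 1 = process create, 13 = registry value set
    image: str
    command_line: str = ""   # event 1
    target_object: str = ""  # event 13: registry value path
    details: str = ""        # event 13: data written


# Process-creation rules, each keyed to one step of the loader.
PROCESS_RULES = [
    # Defender exclusions or tamper via PowerShell: Add-MpPreference -ExclusionExtension exe / srt
    ("defender_exclusion",
     re.compile(r"\b(Add|Set)-MpPreference\b.*-(Exclusion(Extension|Path|Process)|Disable\w+)", re.I)),
    # ping of loopback with a repeat count: the batch-file sleep idiom
    ("ping_sleep",
     re.compile(r"\bping(\.exe)?\b(?=.*\b(127\.0\.0\.1|localhost)\b)(?=.*-n\s+\d+)", re.I)),
    # certutil used to decode (or fetch) a payload rather than for certificate work
    ("certutil_decode",
     re.compile(r"\bcertutil(\.exe)?\b.*-(decodehex|decode|urlcache)\b", re.I)),
    # `start` on a subtitle file: a .srt should never be executed
    ("launch_srt",
     re.compile(r"\bstart\b.*\S\.srt\b", re.I)),
]

# Registry rule: a Run value that points into a user-writable AppData directory.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.I)


def scan_events(events):
    """Return (rule_name, evidence) for every event that matches a rule."""
    hits = []
    for ev in events:
        if ev.event_id == 1:
            for name, pattern in PROCESS_RULES:
                if pattern.search(ev.command_line):
                    hits.append((name, ev.command_line))
        elif ev.event_id == 13:
            if RUN_KEY_RE.search(ev.target_object) and USER_WRITABLE_RE.search(ev.details):
                hits.append(("run_key_appdata", ev.details))
    return hits


def verdict(hits, min_rules=3):
    """Single hits are noisy (admins do use certutil); several distinct steps together are not."""
    rules = {name for name, _ in hits}
    label = "codec-lure loader pattern" if len(rules) >= min_rules else "no verdict"
    return label, rules


# Constructed sample: the loader's steps in order, plus one benign certutil use.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell -Command "Add-MpPreference -ExclusionExtension exe"'),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell -Command "Add-MpPreference -ExclusionExtension srt"'),
    Event(1, r"C:\Windows\System32\PING.EXE", "ping 127.0.0.1 -n 6"),
    Event(1, r"C:\Windows\System32\certutil.exe",
          "certutil -decodehex -f 75095_VTS.srt 75095_VTS_tmp.srt"),
    Event(1, r"C:\Windows\System32\cmd.exe", 'cmd /c start "" 75095_VTS_tmp.srt'),
    Event(13, r"C:\Users\SYM\AppData\Local\Route0\route.exe",
          target_object=r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                        r"\Software\Microsoft\Windows\CurrentVersion\Run\Route0",
          details=r"C:\Users\SYM\AppData\Local\Route0\route.exe"),
    Event(1, r"C:\Windows\System32\certutil.exe", "certutil -hashfile setup.msi SHA256"),  # benign
]


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for name, evidence in found:
        print(f"{name:20} {evidence}")
    print(verdict(found)[0])
```

The individual rules are deliberately broad (certutil and ping are legitimate tools), which is why the verdict is only raised when several distinct steps of the chain appear together; in production the correlation would be scoped to one host and a short time window rather than to a flat list.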
A quick Google search of the filenames linked to this campaign reveals a plethora of domains hosting the same malicious files with similar names. Since these domains have high page rankings they appear at the top of Google’s search results. This is not a coincidence, but rather a devious strategy for threat actors to dupe unsuspecting users into accessing infected domains and downloading corrupted files.
Attackers target sites running on common and popular CMSs (Content Management Systems) and then take control of the application to host their infected files. In peer-to-peer networks such as Torrent, it is not uncommon to see pirated movies used as bait to lure users into downloading infected files.
Malicious torrent files are hosted on compromised domains with high SEO and page ranks. Attackers exploit popular and trending movie titles to link to files that are not even valid movies, for example a corrupted video that, when played, displays an error box and pushes the user to run the malicious script bundled with the pirated movie to ‘fix’ the missing codec.
Sources that host malicious files
Type | IP Addresses | DNS
C2 | 81.89.133.248 |
C2 | 20.50.102.62 |