The Shang-Chi Malware Campaign: Is your pirated copy of the summer blockbuster laced with a RAT?

October 12, 2021
Green Alert
Last update posted on February 3, 2024

A recent campaign is spreading malware embedded in pirated copies of popular summer blockbusters like Shang-Chi and the Legend of the Ten Rings. Threat actors have been shipping malware inside pirated movies that are easily available on Torrent networks. In such campaigns, corrupted movie files trick users into running a batch program that claims to download a compatible codec for the video file.

In some cases, the video file stops during playback and prompts the user to run the bundled batch program to install the missing codecs. In other cases, the download includes a README file instructing the user to run the same batch file. The dropper masquerades as a .srt file, a legitimate file type that holds a video's subtitles; here, the file is instead a hexadecimal-encoded dropper written in C++ [-1-].

Screenshot of the files downloaded along with the corrupted movie

In the above screenshot, the subtitle file named ‘75095_VTS.srt’ contains the encoded payload, and the file named ‘Ultra XVid Codec Setup.bat’ contains the loader batch program of the malware.

 

Technical Analysis

The loader batch program file has two parts:

1. UAC elevation: The code segment below is responsible for running the batch program as administrator, bypassing Windows UAC. The exact code is available on Stack Overflow [-2-].

Screenshot of the code responsible for running the batch program as administrator

The code segment given below is part of the same batch program, but it runs with administrator privileges once the elevation has succeeded. It then executes two PowerShell commands to exclude the file types ‘.exe’ and ‘.srt’ from security monitoring.

Screenshot of the code running the batch program within admin privileges

The ‘ping’ command is used as a sleep mechanism.

2. Malware deployment: The final delivery of payload is via the ‘certutil’ application on Windows. Certutil has been abused by adversaries as a ‘living off the land’ tactic for deploying malware stagers and loaders.

The batch program decodes the hexadecimal-encoded payload (the .srt file) into a second file that keeps the .srt extension but, once decoded, is an executable. The command used for decoding is:

certutil -decodehex -f 75095_VTS.srt 75095_VTS_tmp.srt

Properties of the decoded executable file

Finally, the batch program launches the malware by running the decoded executable with the following command: start 75095_VTS_tmp.srt

The final executable payload can be easily detected by over 60 security vendors.

Screenshot displaying the detection of the payload by 61 security vendors
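The loader chain described above (hex text inside a .srt file, decoded with certutil, then launched) suggests a simple triage check a defender can run on suspicious subtitle files and on process-creation logs. The following Python script is an added example, not CloudSEK's tooling or anything shipped with the campaign: it undoes a plain hex dump the way certutil -decodehex would, checks whether the result is a PE image, and flags certutil decode command lines that name a non-executable extension. The "subtitle" and the PE-shaped blob it tests are constructed inside the script.

```python
import re
import struct
from typing import Optional

# A genuine SubRip file has cue timing lines such as "00:00:01,000 --> 00:00:04,000".
SRT_TIMING_RE = re.compile(rb"\d{2}:\d{2}:\d{2},\d{3}\s*-->\s*\d{2}:\d{2}:\d{2},\d{3}")
# The masqueraded payload is nothing but hex digits and whitespace.
HEX_TEXT_RE = re.compile(rb"^[0-9A-Fa-f\s]+$")


def decode_hex_text(data: bytes) -> Optional[bytes]:
    """Undo a plain hex dump, the effect `certutil -decodehex` has on such input.

    Assumption: plain hex digits with optional whitespace or line breaks. certutil
    also accepts its own dump layouts (offsets, ASCII column), not handled here.
    Returns the raw bytes, or None when the text is not pure hex.
    """
    if not data or not HEX_TEXT_RE.match(data):
        return None
    digits = re.sub(rb"\s+", b"", data)
    if not digits or len(digits) % 2:
        return None
    return bytes.fromhex(digits.decode("ascii"))


def is_pe_image(blob: bytes) -> bool:
    """True when blob starts with a DOS 'MZ' stub whose e_lfanew points at the PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_srt(data: bytes) -> str:
    """Classify what a file carrying a .srt extension really contains."""
    if SRT_TIMING_RE.search(data):
        return "subtitle"
    decoded = decode_hex_text(data)
    if decoded is None:
        return "unknown"
    return "hex-encoded-pe" if is_pe_image(decoded) else "hex-encoded-other"


# Process-creation detection: certutil decoding a file whose name claims a
# non-executable type (the loader runs "certutil -decodehex -f X.srt Y.srt").
CERTUTIL_DECODE_RE = re.compile(r"\bcertutil(?:\.exe)?\b.*-decode(?:hex)?\b", re.IGNORECASE)
NON_EXEC_EXT_RE = re.compile(r"\S+\.(?:srt|sub|txt|jpg|png|pdf)\b", re.IGNORECASE)


def is_suspicious_certutil(cmdline: str) -> bool:
    """Flag certutil -decode/-decodehex invocations touching a non-executable extension."""
    if not CERTUTIL_DECODE_RE.search(cmdline):
        return False
    return NON_EXEC_EXT_RE.search(cmdline) is not None


def build_fake_pe() -> bytes:
    """Constructed PE-shaped blob for testing: DOS header, e_lfanew, PE signature, padding.
    It is not a runnable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the stub
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def hex_dump_lines(blob: bytes, width: int = 32) -> bytes:
    """Hex-encode blob in wrapped lines, mimicking how the payload is shipped."""
    text = blob.hex().encode("ascii")
    return b"\r\n".join(text[i:i + width] for i in range(0, len(text), width)) + b"\r\n"


if __name__ == "__main__":
    # Constructed samples: one fake dropper, one real-looking subtitle file.
    samples = {
        "75095_VTS.srt (constructed)": hex_dump_lines(build_fake_pe()),
        "movie.srt (constructed)": b"1\r\n00:00:01,000 --> 00:00:04,000\r\nHello\r\n",
    }
    for name, content in samples.items():
        print(f"{name}: {triage_srt(content)}")
    print(is_suspicious_certutil("certutil -decodehex -f 75095_VTS.srt 75095_VTS_tmp.srt"))
```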

 

Detailed Analysis

Our analysis has revealed that:

  • The final payload shows the characteristics of a very generic RAT (Remote Access Trojan).
  • Droppings: Files are dropped into the C:\Users\SYM\AppData\Local\Route0\ directory. Among the dropped files are two executables, route.exe and zroute.exe.
  • Persistence: The malware modifies the registry of the victim machine to persist on the system by adding the value “11f86284” to the following key:

    Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    The value points to the route.exe file in the C:\Users\SYM\AppData\Local\Route0\ directory, so the malware survives system restarts.

    Screenshot displaying changed value of key
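The Run-key entry described above (a random-looking hex value name pointing at an executable under the user's AppData\Local folder) can be audited with the following Python script, an added example rather than CloudSEK's code. The `reg query` output it parses is constructed to mirror the entry in the screenshot, with two benign-looking filler entries that are not from the campaign; on Windows it can also read the live key through winreg.

```python
import re
from typing import Dict, List

# Value name like "11f86284": a short run of hex digits and nothing else.
RANDOM_HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,16}$", re.IGNORECASE)
# Target executable living under a per-user AppData Local or Roaming folder.
USER_APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(?:local|roaming)\\", re.IGNORECASE)

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed `reg query` output mirroring the entry in the screenshot above;
# the OneDrive and SecurityHealth lines are benign-looking filler, not from the campaign.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive          REG_SZ           "C:\Users\SYM\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    11f86284          REG_SZ           C:\Users\SYM\AppData\Local\Route0\route.exe
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""


def parse_reg_query(output: str) -> Dict[str, str]:
    """Parse `reg query` output for a Run key into {value_name: value_data}."""
    entries: Dict[str, str] = {}
    for line in output.splitlines():
        m = re.match(r"^\s{2,}(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def target_program(value_data: str) -> str:
    """Return the program path from Run value data, stripping quotes and arguments."""
    data = value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def audit_run_entries(entries: Dict[str, str]) -> List[dict]:
    """Score each Run entry. Both traits together (hex-looking name AND target in
    user AppData) match the campaign's persistence; either alone is only 'low',
    because many legitimate per-user installers also start from AppData."""
    findings: List[dict] = []
    for name, data in entries.items():
        target = target_program(data)
        reasons = []
        if USER_APPDATA_RE.match(target):
            reasons.append("target under user AppData")
        if RANDOM_HEX_NAME_RE.match(name):
            reasons.append("random-looking hex value name")
        if reasons:
            severity = "high" if len(reasons) == 2 else "low"
            findings.append({"name": name, "target": target,
                             "severity": severity, "reasons": reasons})
    return findings


def read_live_run_key() -> Dict[str, str]:
    """On Windows, read the real HKCU Run key via winreg; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    entries: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries[name] = str(data)
            index += 1
    return entries


if __name__ == "__main__":
    entries = read_live_run_key() or parse_reg_query(SAMPLE_REG_QUERY)
    for f in audit_run_entries(entries):
        print(f"[{f['severity']}] {f['name']} -> {f['target']} ({'; '.join(f['reasons'])})")
```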

Campaign History

A quick Google search of the filenames linked to this campaign reveals a plethora of domains hosting the same malicious files with similar names. Since these domains have high page rankings, they appear at the top of Google’s search results. This is not a coincidence, but rather a devious strategy by threat actors to dupe unsuspecting users into accessing infected domains and downloading corrupted files.

Attackers target sites running on common and popular CMSs (Content Management Systems) and then take control of the application to host their infected files. In peer-to-peer networks such as Torrent, it is not uncommon to see pirated movies used as bait to lure users into downloading infected files.

Malicious torrent files are hosted on compromised domains that have high SEO and page ranks. Attackers exploit popular and trending movie titles to link to files that are not even valid movie files: for example, a corrupted video file that, when played, displays an error box and pushes the user to run the malicious script included with the pirated movie to resolve the supposed missing-codec issue.

Sources that host malicious files

Sources hosting malicious files attached with movie files from google search

References

[-1-] https://www.seedr.cc/zip/131251833?st=582eb00e4f3474cc78843f78d711032d370e6045ff20ac01cf9850764c620c0e&e=1630886510

[-2-] https://stackoverflow.com/questions/7044985/how-can-i-auto-elevate-my-batch-file-so-that-it-requests-from-uac-administrator

 

Indicators of Compromise

C2
  • 81.89.133.248
  • 20.50.102.62


IP Addresses DNS

  • 14.199.64.164.in-addr.arpa
  • virginia-db5.us-east-1.lb.campuspress.com
  • 82.15.226.13.in-addr.arpa
  • 66.188.88.54.in-addr.arpa
  • host.io
  • 147.129.125.74.in-addr.arpa
  • krgroups.net
  • scholar.harvard.edu
  • venezia-giorno-per-giorno.blogspot.com
  • helloorganicbd.com
  • 85.116.34.63.in-addr.arpa
  • 57.79.85.52.in-addr.arpa
  • nodalninja.com
  • 2.170.90.153.in-addr.arpa
  • scholarworks.montana.edu
  • 200.197.79.204.in-addr.arpa
  • albanehundevad.com
  • www.reddit.com
  • 87.129.159.162.in-addr.arpa
  • nebnewspapers.unl.edu
  • 43.46.204.91.in-addr.arpa
  • 32.64.68.168.in-addr.arpa
  • 107.169.93.129.in-addr.arpa
  • 11.128.139.151.in-addr.arpa
  • epage.g.ebay.com
  • sports.yahoo.com
  • 92.29.17.104.in-addr.arpa
  • webhosting-webnode-lb-731081414.us-east-2.elb.amazonaws.com
  • plombiermirabel.ca
  • www.golfdom.com
  • 14.231.6.74.in-addr.arpa
  • www.gmpartsonline.net
  • 149.134.18.50.in-addr.arpa
  • 226.250.254.173.in-addr.arpa
  • lb-az.mrp.usda.gov
  • 74.18.252.46.in-addr.arpa
  • 103.219.217.172.in-addr.arpa
  • 190.234.85.209.in-addr.arpa
  • produ-loadb-14qlqnvqs58to-caf651f80372dfb2.elb.us-east-1.amazonaws.com
  • gbksoft.com
  • 137.84.218.66.in-addr.arpa
  • media-router1.prod.media.yahoo.com
  • 252.65.147.69.in-addr.arpa
  • www.wibs-tirol.at
  • www.amazon.it
  • x1.i.lencr.org
  • 243.10.32.128.in-addr.arpa
  • jewishelpaso.org
  • climateactiontool.org
  • dyna.wikimedia.org
  • group3.sites.hscoscdn00.net
  • www.macoy.com
  • dfi09q69oy2jm.cloudfront.net
  • 35.49.8.65.in-addr.arpa
  • mattsmaskmaking.blogspot.com
  • 27.112.13.103.in-addr.arpa
  • cloudflare-resolve-to.c1140.campuspress.com
  • www.domyown.com
  • 93.95.244.54.in-addr.arpa
  • 224.68.227.128.in-addr.arpa
  • www.aphis.usda.gov
  • 138.232.0.162.in-addr.arpa
  • 91.50.119.128.in-addr.arpa
  • 2.103.60.199.in-addr.arpa
  • 4.4.8.8.in-addr.arpa
  • 13.223.169.192.in-addr.arpa
  • 106.124.125.74.in-addr.arpa
  • 104.124.125.74.in-addr.arpa
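The list above mixes three kinds of entries: `ip:port (TCP)` sockets, forward hostnames, and `in-addr.arpa` names, which are reverse (PTR) lookups and only useful once turned back into the IP they describe. Before loading such a list into a SIEM a practitioner normally normalises it, drops duplicates and malformed names, and decides which widely used services to suppress. The script below is an added example and not code from the original write-up; the indicator excerpt, the allowlist (the page labels no entry as benign, so that choice is the analyst's) and the key=value log lines are all constructed for the demo.

```python
"""Normalise the network indicators listed above and match them against logs."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the indicator list above, in the page's own
# "ip:port (TCP)" / hostname / reverse-lookup form (one entry repeated on purpose).
RAW_IOCS = """
157.90.155.121:443 (TCP)
185.12.50.35:443 (TCP)
176.9.36.202:443 (TCP)
192.169.223.13:443 (TCP)
www.hoboleaks.space
search.yahoo.com
130.165.225.54.in-addr.arpa
243.2317.10.32.128.in-addr.arpa
meltacardz.com
tiktokreactions.com
tiktokreactions.com
"""

# Assumption: the analyst picks which widely used services to suppress; the
# page does not label any entry as benign.
ALLOWLIST = {"search.yahoo.com"}

SOCKET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*\((TCP|UDP)\)$")
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOST_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})+$", re.I)


def ptr_to_ip(name: str) -> Optional[str]:
    """'d.c.b.a.in-addr.arpa' -> 'a.b.c.d'; None when the PTR name is malformed."""
    name = name.lower().rstrip(".")
    if not name.endswith(".in-addr.arpa"):
        return None
    labels = name[: -len(".in-addr.arpa")].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def normalise(raw: str) -> Dict[str, list]:
    """Split the raw list into sockets, hostnames, PTR-derived IPs, duplicates and junk."""
    out: Dict[str, list] = {"sockets": [], "hosts": [], "ptr_ips": [],
                            "duplicates": [], "malformed": []}
    seen = set()
    for line in raw.splitlines():
        item = line.strip().lstrip("•").strip()
        if not item:
            continue
        if item in seen:
            out["duplicates"].append(item)
            continue
        seen.add(item)
        m = SOCKET_RE.match(item)
        if m:
            ip, port, proto = m.groups()
            try:
                ipaddress.IPv4Address(ip)
            except ipaddress.AddressValueError:
                out["malformed"].append(item)
                continue
            out["sockets"].append((ip, int(port), proto))
        elif item.lower().endswith(".in-addr.arpa"):
            ip = ptr_to_ip(item)
            out["ptr_ips"].append(ip) if ip else out["malformed"].append(item)
        elif HOST_RE.match(item):
            out["hosts"].append(item.lower())
        else:
            out["malformed"].append(item)
    return out


DNS_RE = re.compile(r"\bqname=(\S+)")
CONN_RE = re.compile(r"\bdst=(\S+) dport=(\d+) proto=(\w+)")


def _host_hit(qname: str, hosts: set) -> Optional[str]:
    """Exact or parent-domain match after lower-casing and dropping the trailing dot."""
    parts = qname.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):
        cand = ".".join(parts[i:])
        if cand in hosts:
            return cand
    return None


def match_logs(iocs: Dict[str, list], log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (kind, indicator, line) for every log line that touches an indicator."""
    hosts = set(iocs["hosts"]) - {h.lower() for h in ALLOWLIST}
    sockets = set(iocs["sockets"])
    c2_ips = {ip for ip, _, _ in sockets}
    hits = []
    for line in log_lines:
        m = DNS_RE.search(line)
        if m:
            hit = _host_hit(m.group(1), hosts)
            if hit:
                hits.append(("dns", hit, line))
            continue
        m = CONN_RE.search(line)
        if m:
            ip, port, proto = m.group(1), int(m.group(2)), m.group(3).upper()
            if (ip, port, proto) in sockets:
                hits.append(("conn", f"{ip}:{port}", line))
            elif ip in c2_ips:
                # Same server on another port: still worth an alert, flagged separately.
                hits.append(("conn-ip-only", ip, line))
    return hits


# Constructed log lines in a simple key=value shape for the demo.
SAMPLE_LOGS = [
    "2021-10-12T09:14:03Z DNS host=WS17 qname=www.hoboleaks.space",
    "2021-10-12T09:14:04Z CONN host=WS17 dst=157.90.155.121 dport=443 proto=tcp",
    "2021-10-12T09:14:05Z DNS host=WS17 qname=search.yahoo.com",
    "2021-10-12T09:14:06Z CONN host=WS17 dst=157.90.155.121 dport=80 proto=tcp",
    "2021-10-12T09:15:00Z DNS host=WS18 qname=WWW.HOBOLEAKS.SPACE.",
    "2021-10-12T09:15:01Z DNS host=WS18 qname=cdn.meltacardz.com",
    "2021-10-12T09:15:02Z CONN host=WS18 dst=8.8.8.8 dport=443 proto=tcp",
]

if __name__ == "__main__":
    iocs = normalise(RAW_IOCS)
    print("malformed:", iocs["malformed"], "duplicates:", iocs["duplicates"])
    for kind, indicator, line in match_logs(iocs, SAMPLE_LOGS):
        print(f"{kind:13} {indicator:24} {line}")
```

Two points the run makes visible: the five-label entry `243.2317.10.32.128.in-addr.arpa` cannot be turned back into an IPv4 address and lands in `malformed`, so it should be checked against the original sandbox output before being loaded anywhere; and a connection to a listed C2 address on a port other than 443 is still reported, only under a separate kind, rather than being silently dropped by an exact socket match.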