in2al5d p3in4er is Almost Completely Undetectable

The Aurora stealer is a notorious Golang-based information stealer that’s been gaining popularity from the end of 2022 through the first quarter of 2023. The Morphisec Threat Labs team has been tracing its activities using our prevention telemetry along with dark-web activities.  

In this blog post however, we aren’t going to cover Aurora, but a sometimes overlooked, extremely critical component of the attack delivery chain. The component that makes Aurora’s delivery stealthy and dangerous is a highly evasive loader we named “in2al5d p3in4er.”  

The in2al5d p3in4er loader is compiled with Embarcadero RAD Studio and targets endpoint workstations using advanced anti-VM (virtual machine) technique we describe in detail in this post.  

We also cover new techniques with significant negative outcomes that represent a concerning change in the landscape, especially in the new era of ChatGPT. 

Delivery 

Threat actors always find innovative ways to spread malware and access sensitive information. One growing trend is using YouTube as a malware distribution channel. Hackers take over popular YouTube accounts and post videos with links to malicious websites or downloads. To increase video visibility, they use search engine optimization (SEO) tags to make a video rank higher in search results.  

Stealing YouTube accounts is a lucrative business for cybercriminals. Many underground forums and marketplaces offer these services for a fee. The threat actor in this post appears to be using this method as a service, including the websites the videos redirect to. 

Invalid Printer Loader
Compromised YouTube channel

The service uses artificial intelligence (AI) to generate videos. This streamlines the process of creating convincing budget backed content. And it allows threat actors to automate diverse lure creation, such as fake software that tricks users into clicking on links. 

adobe audition danger
Example video with download instructions 

The above video redirects to different websites that look legitimate. 

allfreesoftware in2al5d p3in4er
Fake websites redirected by the YouTube video 

The service the threat actors are using enables the creation of decoy websites that look identical to the original websites. These fake websites use similar URLs, logos, and branding to convincingly appear legitimate. Once a user visits one of these sites, they’re enticed to download an application containing malware or lured to enter sensitive/personal information into the decoy generated website. These websites use geographical targeting to deliver content based on the visitor’s geo-location.

The website below is a clone of jobseeker.com 

Decoy website for jobseeker.com
Decoy website for jobseeker.com 

Technical Analysis 

This loader uses a surprisingly simple yet highly effective evasion technique. It leverages the usage of CreateDXGIFactory function of dxgi.dll library to query the vendor ID of the graphics card installed on a system. The ID is then compared against a whitelist of vendor IDs; specifically, the 0x10de (NVIDIA), 0x1002 (AMD), and 0x8086 (Intel) graphics cards. If the vendor ID doesn’t match the whitelisted values, the loader makes it appear as a benign application by terminating itself. 

The anti-VM function checks the graphics vendor ID 
The anti-VM function checks the graphics vendor ID 

After checking the vendor IDs, the loader decrypts the final payload in separate chunks and injects it into `sihost.exe` using a process hollowing technique. 

Payload decryption routine  
Payload decryption routine 

Some samples of the loader do not use the process hollowing technique. Instead, they allocate memory to write the decrypted payload into the allocated memory, and then make a call to the payload entry point (EP). 

Payload injection  Payload injection 

During the injection process, all loader samples resolve the necessary Win APIs dynamically and decrypt these names using a XOR key: “in2al5d p3in4er” (invalid printer), as illustrated in the figure below. 

String decryption routine using the "invalid printer" key  
String decryption routine using the “invalid printer” key 

Another element helping the low detection rate on VirusTotal is the threat actor using Embarcadero RAD Studio to generate executables. Embarcadero RAD Studio is an integrated development environment (IDE) for building software applications that runs on various platforms and operating systems. 

Examining samples from our investigation, we found the threat actor is compiling executables using several options from the Embarcadero IDE. Those with the lowest detection rate on VirusTotal are compiled using “BCC64.exe”, a new Clang based C++ compiler from Embarcadero. This compiler is based on a different code base than a “Standard Library” (Dinkumware) or “Runtime Library” (compiler-rt) and generates optimized code which changes the entry point and execution flow. This breaks security vendors’ indicators, such as signatures composed from “malicious/suspicious code block.” 

A zero detection rate on VirusTotal 
A zero detection rate on VirusTotal 

The loader is particularly successful in evading sandboxes and virtual machines. As seen in the image below, the loader has evaded execution by multiple sandboxes. This is a testament to the effectiveness of the loader’s simplicity, which leverages a specific aspect of system configuration to achieve exceptional stealth. 

Example of a sandbox that fail to execute Example of a sandbox that fail to execute Example of sandboxes that fail to execute  

Note: A similar technique for evading virtual machines was covered in 2016. It checked the graphics card vendor ID using the DXGI.dll. Although the anti-VM techniques observed in the wild are generally based on blacklisting, this approach uses an inverse check which only searches for graphic cards the target victim should own. This helps to evade sandbox analysis that searches for blacklists of graphic cards. 

Defending Against in2al5d p3in4er 

Malware loaders like in2al5d p3in4er are essentially basic delivery. They establish a foothold between an attacker and their compromised target and are typically the first stage of an attack.  

The attackers behind in2al5d p3in4er are combining it with widely accessible social engineering tools for a high impact campaign that takes over popular YouTube accounts and directs viewers to convincing looking fake websites. They’re then enticed to download malware from a fake website. 

One of the first steps to avoid compromise by in2al5d p3in4er is training organization employees how to detect social engineering campaigns: ensuring URLs are legitimate, and not downloading cracked versions of software. 

But as the detection ratio of zero on VirusTotal makes clear, reactive, detection-based cybersecurity technologies like those used in NGAV, EPP, and EDR/XDR are barely capable of detecting and stopping in2al5d p3in4er. Stopping this loader requires different technology.  

Morphisec’s Automated Moving Target Defense (AMTD) technology takes a fundamentally different approach to cybersecurity that isn’t detection-based. Instead of waiting for malware to breach a system before detecting it, Morphisec proactively secures runtime memory to prevent any unauthorized code—like in2al5d p3in4er—from executing, regardless of whether a recognizable signature or behavior pattern exists for it. To learn more about Moving Target Defense, read the free white paper: Zero Trust + Moving Target Defense—The Ultimate Ransomware Strategy. 

Zero Trust and Moving Target Defense White Paper

IOCs (Indicators of Compromise) 

Malicious/Compromised Websites

  • cv-builder[.]site
  • siamaster.com[.]mx
  • chatgptex[.]us
  • allfreesoftware[.]online
  • all-free-software[.]online 

Hash – Loader 

C2 – Aurora 

380978251b2c661ff15b2610763770dfa14fb360ad0ca64243e0d5d5893952cb 
 
66383d931f13bcdd07ca6aa50030968e44d8607cf19bdaf70ed4f9ac704ac4d1 
 
cdb09a5df36fece23bc3c9df101fe65724327b827ec43aa9ce0b3b76bdcc3101 
 
adb6808f97191d961687b5f30f35c843686699d70f482f4d7d8d4f41e84faba6 
 
2c540f5220b7ba3cd6efcd2fe8091fc24f8da11be4b1782c4e502261ef48da82 
 
0b478f9ed769603bba01ad7a2d6936a28424e4be05c8833869976aa77a98fed3 
 
bb9a16632ae94bbfae713f56c51dc5d2ff6199ccd051e2285ea90c6dfeb5d4b1 
 
b299898055262e065afd5b0479b2e3a190e314cab3ead3722b2cdbe3534a2681 
 
11cc3e4b8413a1b8c0c0d7193c2f26670d4765f96e797140c809d4a0655f9cb4 
 
c1dafead343c67d203d2fa9050967fea868fc517f8d66b23cc166642d8b7985b 
 
e18455804b8a6a008a2b357265802ad35f6441bbcc359ab5bd5df994f201ab36 
 

45.15.156.182:8081 

095b9e90e1c9d7d95f362fe381512da60bb31727c068c6dfabe055ab387aed82 
 
737f6c8e1a8ea4a9064a0cfaa4ceed495481d9bb133ed5d6bfeda3a83351af9d 
 
a4cab01d61d8c18876d4b53d52de365fb9b512430371fd4217359159f3c507f6 
 
e8cccc9f9b124826c0e43897f0e21124b4b0cd7991f434b0dd7838bed7e361b3 
 
3c3622ab5f449166ad804ee73fde6aedf6934aa960701f7edefca9b5aedfffd8 

45.15.156.70:8081 

5c9f5082e44e91e1aed15261e82216e59f2668ec5b25348526aad98472c5d722 
 
fa2cfb4b76c38ab4cef4592ed703a8866ffffec67adbe9ea057882b47a4bd7b7 
 
780285087fb35911db189ba92c6c8d251a1f640b3a473e0ce7ea27f59cde492b 

45.132.106.77:8081 

Df99a29a0fd7f62e3798260b2068c711a5356346b7b0c0477e30643138345fba 
 
ffd1f682649507fd850a8faf76b4c3c498dbcbef70bd0202126b91f24d5c1408 

199.127.62.3:8081 

7ed926820973cd3c14b783109094604369e37cc06cb08a338b856f4e5cf2684c 
 
cc79ef40d93c939c43624504461ec5ddf8279624ae88a739e7382c181e18104b 

94.142.138.73:8081 

1beb12971e69fb4040d60a6bd3667cb24c48a3db0fbf814d629874ee40312405 

94.142.138.84:8081 

4accbeea02170cb5215fbe937fabae030986f84ee7acc983cc15ce120e073861 

94.142.138.218:8081 

e827cde3646048c9e09a61eeb45cc37f1d8a20190762c513ddf1e9dc13e4b897 

199.247.24.79:8081 

5e4b6272dc2d955c5e52c755ea598f44e324b04466a4e3bacf6c9d845345322b 

5.34.180.208:8081 

 

Source: https://blog.morphisec.com/in2al5d-p3in4er