Short Summary
eSentire’s Threat Response Unit (TRU) investigates the D3F@ck Loader malware, tracing its origins to a developer known as Sergei Panteleevich. The article details the loader’s capabilities, including its use of Extended Validation (EV) certificates to bypass security measures, and its distribution methods for various malware payloads. The TRU team continues to monitor and respond to threats associated with D3F@ck Loader.
Key Points
- eSentire operates 24/7 Security Operations Centers staffed with elite threat hunters.
- The D3F@ck Loader is linked to a developer using the alias Sergei Panteleevich.
- Sergei promotes his operations on Telegram and Russian hacking forums.
- D3F@ck Loader utilizes EV certificates to bypass security measures.
- The loader has been observed delivering various malware, including Raccoon Stealer and MetaStealer.
- eSentire’s TRU team actively revokes certificates used by D3F@ck Loader to hinder its operations.
- Detection and response strategies are in place to combat threats from D3F@ck Loader.
MITRE ATT&CK TTPs – created by AI
- Initial Access – T1189 Drive-by Compromise: D3F@ck Loader mainly delivers its payloads via malvertising.
- Execution – T1204 User Execution: The loader tricks the user into executing a malicious file, often disguised as trusted software or adult content, signed with valid EV certificates.
- Discovery – T1057 Process Discovery: The loader checks the running processes for those related to virtual machines.
- Defense Evasion – T1562.001 Disable or Modify Tools, T1553: Modifies security settings during installation to disable Windows Defender and avoid detection. Fraudulently obtained EV certificates are used to bypass SmartScreen.
- Command and Control – T1102.001 Web Service: Dead Drop Resolver: Uses legitimate platforms like Telegram and Steam to host C2 IPs to facilitate command and control.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
In April 2024, eSentire’s Threat Response Unit (TRU) briefly covered the D3F@ck Loader in the previous article. In this article, we will discuss Сергей Пантелеевич (Sergei Panteleevich), the individual behind the orchestration of D3F@ck Loader. We will also provide analysis of D3F@ck Loader samples and an extensive list of indicators of compromise discovered during the hunting process.
It’s important to note that Sergei Panteleevich is not the real name of the person behind the loader; the developer used the name of a Russian financial fraudster and founder of MMM, a company that executed one of the largest Ponzi schemes in history during the 1990s.
So, let’s start with the D3F@ck Loader developer (referred to as “Sergei” in this article), who currently uses the Telegram handle @Mavr_MMM and the handles AO_MMM and Null14 on hacking forums. The Telegram account was first created in October 2022. The following is the history of account name changes:
Telegram Handle | Display Name
@GhostBustersKING | GhostBusters
@GHOSTBUSTERSKING | GhostBusters
@GhostBustersKING | Сергей Пантелеевич
@Mavr_MMM | Сергей Пантелеевич
@MAVR_MMM | Сергей Пантелеевич
While researching Sergei’s historical Telegram activity, we identified references to a “GhostBustersTeam” Telegram bot in the LummaC2 public Telegram channel in January 2024. Sergei has a poor reputation among Telegram community members (Figure 1) and was restricted from posting messages due to inappropriate behavior in Lumma Stealer’s public Telegram chat.
Pivoting on the GhostBustersTeam bot, we found a reference on a Russian hacking forum where Sergei was promoting his MMM Team, also known as GhostBusters Team, and seeking to hire more people to spread Meta Stealer to exfiltrate data in June 2022 (Figures 2-3).
GhostBusters is a traffer team that specializes in distributing stealers, specifically Meta Stealer. (Traffer is a term primarily used in Russian-speaking communities, referring to a person who deals with internet traffic. In the context of cybersecurity and the internet, a traffer typically works in the field of driving or redirecting internet traffic to specific websites, often for advertising or commercial purposes. The term can also carry a negative meaning when traffers engage in less ethical practices such as distributing malware.) @g0njxa provided a great report on the GhostBusters team here.
Apart from managing and operating the MMM Team / GhostBusters, Sergei also sells EV (Extended Validation) certificates for up to $3000 per year. According to the advertisements, the user can also request a unique company name to be created (Figures 4-6).
It’s worth noting that it’s common for the developers behind loaders to sell EV certificates or promote the services that sell them, such as FakeBat and eDragon_x. EV certificates can help bypass SmartScreen, avoid application blocking upon running, and enhance a file’s credibility; however, they often have a short lifespan due to the risk of revocation.
eSentire’s TRU team has actively been revoking certificates used by D3F@ck Loader. This forces malware developers and threat actors to invest more money and effort into obtaining new EV certificates.
Running the file with the valid EV certificate gives the end user a friendly UAC prompt (Figure 7). Running the file with a revoked invalid certificate would prevent the application from running (Figure 8).
The certificates we identified used by D3F@ck Loader are:
- LLC Kama Lubricant Company
- Ayog Tech Ltd
- Primalspeed Ltd
- Eleventh Edition Ltd
- Tenet Tech Ltd
- Clicksat Ltd
- MAD PANDA Ltd
- Joystery Ltd
Based on additional research, we assess with medium confidence that Sergei is in his late 30s and at one point lived in Chelyabinsk, Russia, and studied at Chelyabinsk Construction College (Челябинский Монтажный Колледж).
D3F@ck Loader Analysis
In the previous blog, we covered the initial advertisement of D3F@ck Loader, developed by Sergei, on the Exploit forum. The loader has been observed delivering additional malware, including Raccoon Stealer, MetaStealer, SectopRAT, and DanaBot.
The first batch of D3F@ck Loader payloads distributed were signed as “LLC Kama Lubricant Company”. Let’s look at the initial payload (MD5: 47bc9ef09f431cd1dc92840a19fe2158) distributed around February 2024 and advertised in one of the demo videos provided by Sergei (Figure 10).
D3F@ck Loader uses the Inno Setup installer for the initial payload. Inno Setup is a free and user-friendly tool that makes it easy to create professional-looking installations. It includes a powerful scripting language (Pascal Scripting) that allows for the customization of installations.
Malware developers can use this feature to execute custom scripts that install additional payloads, set up persistence mechanisms, disable Defender, or perform other malicious activities during the installation process.
When analyzing Inno Setup malware, we highly recommend using the InnoExtractor tool by Havy Alegria. From the extracted files, we can look at the install_script.iss file, which contains all the installer instructions and settings (Figure 10).
We will focus on the Files section of the script (Figure 11):
- [Files] section specifies which files are to be included in the installer package.
- Specifies the path to the source file that will be included in the installer. The {app} variable refers to the application’s installation directory (Figure 12) specified by the script. In our case, it’s “{pf}\Telegram Selected”, where {pf} refers to “Program Files”.
- The embedded files are the following:
- down – 7zip tool (MD5: 8f57948e69c82bf98704f129c5460576)
- elevate.exe – tool that allows starting programs; in our case, it’s Setup.exe with elevated privileges from the command line (MD5: 7f3b7c1c476a6ddf0bc2acabc7ffe3be).
- Setup.exe – facilitates the execution of Java payloads (MD5: 429d476259582313336a7eb6895362df).
- jre.7z – password-protected archive with Java dependencies (MD5: 799850b32ec090d3079a39d9703f4867).
- lib.7z – password-protected archive with Java dependencies, including the instructions to execute the next-stage payloads (MD5: a4e56a67786fb2408bd3639a63a00cc8).
Thanks to the InnoExtractor Tool, we can also get CompiledCode.
CompiledCode is a file generated by Inno Setup that contains the compiled bytecode of PascalScript code. The compiled bytecode allows the installer to execute custom scripts to handle various installation tasks, conditions, and user interactions programmatically during the setup process.
Let’s load the CompiledCode into the Pascal Script Decompiler. We notice base64-encoded strings that decode to the instructions to extract the password-protected 7z archive named “lib”. The archive contains the main D3F@ck Loader payload.
After extracting the payload from the archive, the code would execute Setup.exe and elevate.exe, which were mentioned previously.
As mentioned previously, Java binaries also play a crucial role in the operation of D3F@ck Loader. The payloads are written in JPHP with DevelNext. DevelNext is an integrated development environment (IDE) specifically designed for JPHP, which is a version of PHP that operates on the Java Virtual Machine (JVM).
The main payload’s functionality is contained in “dn-compiled-module.jar” (MD5: 9231458f16389c65c76ad4b90cfe7504), specifically under the “dn-compiled-module.jar\app\forms” path. We can decompile the JPHP code to make it somewhat readable by carving out the sections of code where the Java magic bytes are present.
The “executePowerShellCommand” method from the decompiled code below is responsible for adding an exclusion path to Windows Defender and disabling behavior monitoring in Windows Defender (Figure 13).
The method “downloadAndRunFile$41” retrieves the final payload from the C2 server (jilinebyli[.]top), which is base64-encoded within Pastebin. The retrieved payload is then saved under the %TEMP% folder. As for the naming convention, the code fetches the current microtime using DateFunctions.microtime().
Microtime generally gives the current Unix timestamp in microseconds. The retrieved microtime is then passed to StringFunctions.md5(), which computes an MD5 hash of this microtime. MD5 hashing generates a 32-character hexadecimal number. The MD5 hash is then encoded into a base64 string.
After base64 encoding, any equals signs (=) used as padding in the base64 output are removed, so the name would be something like “MWE3OWE0ZDYwZGU2NzE4ZThlNWIzMjZlMzM4YWU1MzM.exe”.
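The naming transform above (md5 of the microtime, base64-encoded, padding stripped) is deterministic in shape, which makes it usable as a hunting check. The following Python is an added example, not code from the article or from eSentire: it reproduces the transform and decodes a name back to the MD5 digest it carries. One assumption is mine and labelled in the code: the loader hashes the textual microtime value, since the article does not state the exact format returned by DateFunctions.microtime().

```python
import base64
import hashlib
import re

# Constructed sample name in the pattern the article describes:
# base64(md5_hex(microtime)) with '=' padding stripped, plus ".exe".
SAMPLE_NAME = "MWE3OWE0ZDYwZGU2NzE4ZThlNWIzMjZlMzM4YWU1MzM.exe"

# A 32-character hex MD5 digest is 32 bytes; base64 gives 44 chars with one '=',
# so after stripping the padding the stem is always exactly 43 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9+/]{43}\.exe$")


def encode_md5_hex(md5_hex: str) -> str:
    """Apply the loader's transform to an MD5 hex digest: base64, then strip '='."""
    return base64.b64encode(md5_hex.encode("ascii")).decode("ascii").rstrip("=")


def generate_name(microtime_value: str) -> str:
    """Reproduce the scheme end to end: md5(microtime) -> base64 -> strip '=' -> .exe.

    Assumption (not stated on the page): the textual microtime value is what
    gets hashed; the exact formatting JPHP returns is unknown here.
    """
    digest = hashlib.md5(microtime_value.encode("ascii")).hexdigest()
    return encode_md5_hex(digest) + ".exe"


def decode_name(filename: str):
    """Return the MD5 hex digest hidden in a filename, or None if it does not fit."""
    if not NAME_RE.match(filename):
        return None
    stem = filename[: -len(".exe")]
    padded = stem + "=" * (-len(stem) % 4)  # restore the stripped padding
    try:
        inner = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    # Only accept stems that decode to a lowercase 32-hex-digit digest.
    return inner if re.fullmatch(r"[0-9a-f]{32}", inner) else None


def looks_like_d3fack_dropper_name(filename: str) -> bool:
    """Hunting helper: True when a %TEMP% executable name decodes to an MD5 digest."""
    return decode_name(filename) is not None


if __name__ == "__main__":
    print(SAMPLE_NAME, "->", decode_name(SAMPLE_NAME))
    print("generated:", generate_name("0.12345600 1700000000"))
```

Matching on the 43-character base64 shape alone would produce false positives on ordinary base64-named files; decoding the stem and requiring a 32-digit hex digest is what makes the check specific to this scheme.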
Custom Base64-encoding
At the end of April 2024, Sergei began obfuscating strings in the code with the custom base64 alphabet.
The script from the sample (MD5: 5cf2e80ac2a7f7fa24f74966d3ec904f) creates the mutex to avoid two instances running simultaneously (Figure 14).
From the “CURSTEPCHANGED” method, we can see base64-encoded strings (Figure 15).
We notice that immediately after the base64-encoded strings, it calls the “PAPERHELD” function. Looking into the “PAPERHELD” function, we notice a custom alphabet and instructions resembling base64-decoding with bit shifting operation (Figure 16).
We can make use of “maketrans” which creates a mapping where each character in the custom alphabet is replaced by the corresponding character at the same position in the standard alphabet. The decoded output of the strings is found on our IOC page on GitHub.
The decoded strings contain the instructions to extract the contents from the ZIP archive (additional downloaded payload), get a secondary C2 URL from Pastebin, start the malicious executable (125.exe) if it exists, and exclude the C: folder from being scanned by Defender.
Caesar Cipher obfuscation
Around the end of May 2024, Sergei started using a Caesar cipher for string obfuscation, so each character is rotated 12 positions backward in the ASCII table (MD5: 17af51265211f359f047f26598862c54) (Figure 17). He also introduced anti-sandbox and DDR (Dead Drop Resolver) features.
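Both string-obfuscation schemes described above (the custom-alphabet base64 decoded with “maketrans”, and the 12-position Caesar rotation) are simple enough to undo in a few lines. The following Python is an added example, not code from the article or from eSentire. The custom alphabet in it is constructed for demonstration (the standard alphabet rotated by seven positions); the loader's real alphabet is not reproduced here. The direction of the Caesar decode (shift forward by 12 to undo a backward rotation) is an assumption drawn from the description.

```python
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed custom alphabet for demonstration only (standard alphabet rotated by 7).
# The actual alphabet used by the loader is not reproduced here.
CUSTOM_ALPHABET = STD_ALPHABET[7:] + STD_ALPHABET[:7]


def decode_custom_b64(encoded: str, custom_alphabet: str = CUSTOM_ALPHABET) -> str:
    """Map each custom-alphabet character to the standard one at the same index,
    then run a normal base64 decode (the maketrans trick from the article)."""
    table = str.maketrans(custom_alphabet, STD_ALPHABET)
    normalized = encoded.rstrip("=").translate(table)
    padded = normalized + "=" * (-len(normalized) % 4)  # restore padding
    return base64.b64decode(padded, validate=True).decode("utf-8")


def encode_custom_b64(plain: str, custom_alphabet: str = CUSTOM_ALPHABET) -> str:
    """Inverse of decode_custom_b64; used here only to build sample input."""
    table = str.maketrans(STD_ALPHABET, custom_alphabet)
    std = base64.b64encode(plain.encode("utf-8")).decode("ascii").rstrip("=")
    return std.translate(table)


def caesar_shift(text: str, shift: int) -> str:
    """Shift every character by `shift` code points (positive = forward)."""
    return "".join(chr(ord(c) + shift) for c in text)


def decode_caesar(obfuscated: str, rotation: int = 12) -> str:
    """Undo a rotation of `rotation` positions backward by shifting forward.
    Assumption: the stored strings were produced with a backward shift."""
    return caesar_shift(obfuscated, rotation)


if __name__ == "__main__":
    # Constructed benign sample strings; nothing here is taken from a real sample.
    sample = "constructed sample string"
    custom = encode_custom_b64(sample)
    print(custom, "->", decode_custom_b64(custom))
    rotated = caesar_shift(sample, -12)
    print(repr(rotated), "->", decode_caesar(rotated))
```

When applying this to a real sample, the only thing to swap in is the 64-character alphabet recovered from the “PAPERHELD” function; if the decoded bytes are not valid UTF-8, the alphabet order is wrong, which is a quick sanity check.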
For the anti-sandbox feature, the loader checks if processes such as VboxService.exe, Vmwareuser.exe, or Vmtoolsd.exe are present via the WQL query “SELECT Name FROM Win32_Process Where Name="%s"”. If one of the processes is present, the loader exits (Figure 18).
In other samples, another sandbox/VM check was present and was located within the DISKV method (Figure 19). The loader queries the disk drive information and looks for strings related to virtual machines with findstr command, then redirects the output to a text file named ds.txt. If one of the strings is present in the text file, the loader will exit.
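The behaviours described so far leave recognisable process-creation traces: the PowerShell that adds a Defender exclusion and disables behavior monitoring, and the findstr-based disk check that writes to ds.txt. The following Python is an added detection example, not code from the article or from eSentire. The events are constructed (not real telemetry), and the specific cmdlet and argument names in them (Add-MpPreference, Set-MpPreference, wmic diskdrive) are standard Windows tooling that I assume the described actions use; the article does not quote the exact command lines.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Finding:
    rule: str
    image: str
    command_line: str


# Constructed process-creation events in the form "image|command line".
# None of these lines are copied from a real sample.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -Command Add-MpPreference -ExclusionPath 'C:\'",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Set-MpPreference -DisableBehaviorMonitoring $true",
    r'C:\Windows\System32\cmd.exe|cmd /c wmic diskdrive get model | findstr /i "vbox vmware" > C:\Users\u\AppData\Local\Temp\ds.txt',
    r"C:\Windows\System32\cmd.exe|cmd /c dir C:\Users\u\Documents",
    r"C:\Program Files\Git\bin\git.exe|git status",
]

# Each rule is a case-insensitive pattern applied to the command line only.
RULES = {
    "defender_exclusion_added": re.compile(
        r"Add-MpPreference\b.*-ExclusionPath\b", re.I),
    "defender_behavior_monitoring_disabled": re.compile(
        r"Set-MpPreference\b.*-DisableBehaviorMonitoring\s+\$?true\b", re.I),
    "vm_check_findstr_to_ds_txt": re.compile(
        r"\bfindstr\b.*>\s*\S*ds\.txt\b", re.I),
}


def parse_event(line: str):
    """Split an "image|command line" record; the first '|' is the separator,
    so pipes inside the command line (findstr) are preserved."""
    image, _, command_line = line.partition("|")
    return image.strip(), command_line.strip()


def detect(events: Iterable[str]) -> List[Finding]:
    """Run every rule over every event and return the matches in event order."""
    findings: List[Finding] = []
    for line in events:
        image, command_line = parse_event(line)
        for rule, pattern in RULES.items():
            if pattern.search(command_line):
                findings.append(Finding(rule, image, command_line))
    return findings


def rule_counts(events: Iterable[str]) -> dict:
    """Aggregate matches per rule, handy for a quick triage summary."""
    counts: dict = {}
    for finding in detect(events):
        counts[finding.rule] = counts.get(finding.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.command_line}")
```

The Defender rules are high-signal on their own; the ds.txt rule is weaker in isolation and is best treated as a correlating indicator alongside the other two within the same process tree.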
The developer also integrated the PICADOR method, which specifies the path for dropping the next stage payloads at %TEMP%/av (Figure 20).
Upon analyzing the core JPHP payload of D3F@ck Loader, we can see that the loader sends the “ready”, “starting”, “downloaded” and “finished” commands to the C2, representing different stages of the infection process. You can see what the communication looks like in the any.run sandbox.
- “ready” – indicates that the payload retrieval process is ready to proceed after setting up the path where the payload will be dropped, which is “C:\Program Files\Windows NT”.
- “downloaded” – indicates that the final payload has been downloaded.
- “starting” – indicates the beginning of the payload execution and the exclusion of the “C:” folder from Windows Defender scanning.
- “finished” – indicates the completion of the process.
From the code, we can also see the working path of the D3F@ck Loader’s developer:
“C:\Users\nesto\OneDrive\Рабочий стол\ИСХОДЫ\WORK\WORK\DEVEL\Launcher\Auto\Без прогресса — С ПИНГОМ\src\app\forms\MainForm.php”, which translates to “C:\Users\nesto\OneDrive\Desktop\Sources\WORK\WORK\DEVEL\Launcher\Auto\Without progress — with the ping\src\app\forms\MainForm.php”.
The code also contains the link to the Telegram channel hxxps://t[.]me/+JBdY0q1mUogwZWMy.
At the time of writing this article, the link is no longer available. However, we were able to extract an active Telegram link (hxxps://t[.]me/+UfHrjVyCLZ03ODYy) from another sample (MD5: 9c125392b8d62590c4284bc46f894168). The Telegram channel serves as another DDR (Figure 19) and a fallback mechanism in case the main C2 domain is offline.
Update
In August 2024, the developer updated the loader by changing the path for the next-stage payloads within the PICADOR method to “%TEMP%\hsperfdata_admin” and adding a new sandbox/anti-VM check located within the ISENOUGHSPACE method. The method checks the infected machine’s disk space on the system drive and makes sure that it is at least 120GB; otherwise, the loader will not execute (Figure 22). We have included the hashes for recent samples; please see the Indicators of Compromise section.
We assess with high confidence that D3F@ck Loader will continue to actively operate and distribute its payloads through methods such as software impersonation and adult content, delivering various malware families.
The developer’s use of Extended Validation (EV) certificates for the loader to bypass security screenings increases the chances of a successful infection on the host, although these certificates often have short lifespans due to diligent revocation efforts.
Additionally, the loader uses the Inno Setup installer, equipped with Pascal scripting, to perform malicious activities such as setting up persistence, retrieving additional payloads, and disabling security features during installation. Separately, the loader developer also runs multiple businesses, including a traffic team that specializes in distributing stealers and markets both EV certificates and the loader itself.
How eSentire is Responding
The eSentire Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
- Implementing threat detections and BlueSteel, our machine-learning powered PowerShell classifier, to identify malicious command execution and exploitation attempts and ensure that eSentire has visibility and detections are in place across eSentire MDR for Endpoint.
- Performing global threat hunts for indicators associated with D3F@ck Loader.
- Developing detection rules for eSentire MDR for Endpoint to identify D3F@ck Loader.
Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.
Recommendations from eSentire’s Threat Response Unit (TRU)
MITRE ATT&CK
MITRE ATT&CK Tactic | ID | MITRE ATT&CK Technique | Description
Initial Access | T1189 | Drive-by Compromise | D3F@ck Loader mainly delivers its payloads via malvertising.
Execution | T1204 | User Execution | The loader tricks the user into executing a malicious file, often disguised as trusted software or adult content, signed with valid EV certificates.
Discovery | T1057 | Process Discovery | The loader checks the running processes for those related to virtual machines.
Defense Evasion | T1562.001 | Disable or Modify Tools | Modifies security settings during installation to disable Windows Defender and avoid detection.
Command and Control | T1102.001 | Web Service: Dead Drop Resolver | Uses legitimate platforms like Telegram and Steam to host C2 IPs to facilitate command and control.
Detection
You can access the detection rules here.
Indicators of Compromise
You can access the indicators of compromise here.
References
Source: Original Post