Cyble – Utilization Of Leaked Ransomware Builders In Tech-Related Scams

Key Takeaways

  • This blog sheds light on a new Tech Scam wherein scammers employ deceptive tactics to lure users into paying for non-existent antivirus solutions.
  • Uncovering the Tech Scammers' possible involvement in different ransomware attacks.
  • The IP address of a domain used in this scam is associated with both the TORZON MARKETPLACE, a DarkWeb marketplace, and the “Chai Urgent Care” phishing campaign.
  • A fake LinkedIn talent acquisition profile was also discovered, utilizing a fabricated persona found on the phishing site.

Overview

Tech scams involve fraudulent online activities where scammers deceive users by convincing them that their computer or device has issues, subsequently charging them for unnecessary technical support or services. These scammers often employ executable files as a means of perpetrating their schemes. For instance, they might send emails or messages containing phishing links or attachments disguised to appear legitimate but actually contain malicious software. This malicious application primarily generates fake pop-ups or messages, pressuring users into paying for supposed technical support or services.

Cyble Research and Intelligence Labs (CRIL) have reported on multiple tech scams in the past; here are some of the notable ones:

CRIL has recently observed a new Tech Scam campaign. In one instance, scammers set up a website for a non-existent antivirus solution to deceive users into paying for services that do not exist. During our analysis, we encountered various ransomware variants leveraged by the tech scammers to propagate their fraudulent schemes.

A thorough investigation into the phishing site associated with this campaign revealed that its IP address has a history of involvement in various scam campaigns and is even associated with a DarkWeb marketplace.

Campaign Analysis

CRIL uncovered a dropper responsible for distributing several malware payloads, namely CraxsRAT, a Downloader, and a variant of Chaos ransomware. This downloader and ransomware are utilized to propagate Tech Scams.

The downloader proceeds to download four additional payloads. Upon execution, each of these payloads is utilized to propagate the deceptive AntiVirus website. The figure below shows the infection chain.

Figure 1 – Infection Chain

Initial Dropper

The dropper is a 32-bit .Net executable (SHA256: fbb8f0231c666f7b1bfb9256b60b73bc3f44779eb2865b040ca01a3d0a4e1140).

The dropper contains three embedded payloads within its Resources, as depicted in the figure below. When executed, the dropper employs Gzip decompression to extract these payloads, which are then placed in the %temp% directory and subsequently executed.

Figure 2 – Embedded Payloads
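The resource-extraction step described above gives defenders a cheap triage check: gzip streams have a fixed three-byte header, so embedded payloads can be carved out of a suspicious dropper and inspected without running it. The script below is an added example written for this post, not Cyble's tooling or code from the dropper; the SAMPLE bytes are constructed inline to stand in for a dropper with two compressed resources, and the decoy header shows why each candidate has to be validated by actually inflating it.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM = 8 (deflate): start of every gzip member

# Constructed stand-in for a dropper: two gzip-compressed "resources" buried in
# filler bytes. A real .NET dropper keeps them in its resource section instead.
PAYLOAD_A = b"MZ" + b"\x00" * 30 + b"(constructed PE-like payload)"
PAYLOAD_B = b"@echo off\r\nrem constructed batch payload\r\n"
SAMPLE = (
    b"\x00" * 64
    + gzip.compress(PAYLOAD_A, mtime=0)
    + b"\x1f\x8b\x08 not really a gzip header"  # decoy magic: must be skipped
    + gzip.compress(PAYLOAD_B, mtime=0)
    + b"\xff" * 16
)


def carve_gzip_members(data: bytes, max_members: int = 64):
    """Return [(offset, decompressed_bytes)] for every valid gzip stream in data.

    Candidate offsets are found by magic; each one is validated by inflating it,
    so stray 1f 8b 08 sequences in unrelated bytes are ignored.
    """
    found = []
    pos = 0
    while len(found) < max_members:
        idx = data.find(GZIP_MAGIC, pos)
        if idx < 0:
            break
        # 16 + MAX_WBITS: expect a gzip wrapper rather than a raw zlib stream.
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
        try:
            out = inflater.decompress(data[idx:])
        except zlib.error:
            out = None
        if out is not None and inflater.eof:
            found.append((idx, out))
            # Resume after this member; unused_data is everything past its trailer.
            pos = len(data) - len(inflater.unused_data)
        else:
            pos = idx + 1
    return found


def classify(blob: bytes) -> str:
    """Rough payload type, enough to decide what to hand to the next analysis step."""
    if blob[:2] == b"MZ":
        return "pe"
    try:
        blob.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def summarize(data: bytes):
    """[(offset, kind, size)] for each carved member, for a quick triage listing."""
    return [(off, classify(blob), len(blob)) for off, blob in carve_gzip_members(data)]


if __name__ == "__main__":
    for off, kind, size in summarize(SAMPLE):
        print(f"gzip member at 0x{off:x}: {kind}, {size} bytes")
```

Carved members that classify as "pe" can be hashed and compared against the IOC table at the end of this post; "text" members are typically the batch scripts that fetch the next stage.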

Following are the details of the payloads.

Payload Name | Malware
Yotgnbkedhvtxc.exe | CraxsRAT
Vippqmccfq.exe | Downloader
Pwdsueslxagy.exe | Variant of Chaos ransomware

Vippqmccfq.exe – Downloader

This file is a .Net downloader (SHA256: 0860a8f9d5debc37dc997a501c593b0eb5f17d5e4ec27e41bec09c606309c0a5). It retrieves a batch script from Resources. It then places this file in the %temp% folder, naming it “Gwpuae.bat.” The following illustration presents the code responsible for dropping and subsequently running the batch file.

Figure 3 – Drops Batch Script

This batch script downloads additional payloads from a typosquatted domain hosted on GitHub pages and saves them to the %AppData% directory. The figure below shows the commands used by the batch script to download additional payloads.

Figure 4 – Downloads Additional Payloads

This batch script attempts to download four payloads, namely Microsoft Services.exe, System.exe, Runtime Broker.exe, and windows.exe, from the same hosting site and executes them. All of these executables point to the same non-existent antivirus site (www[.]bit[.]ly/secure-net) and Telegram handle (@securenet_global).

Microsoft Services.exe: Tech Scam Executable

This file is a 32-bit binary (SHA256: d79f5fe23a82b67205037c268f2fed92d727bf4215b20fa21c8a765e20661362) and uses timestomping, an anti-forensic technique that alters file timestamps to hide when the file was actually written to disk.
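Timestomping can be caught by cross-checking the on-disk timestamps against the compile time stored inside the PE header. The following Python script is an added example for this post, not Cyble's code; it parses the COFF TimeDateStamp itself, applies two common forensic heuristics (file written before it was compiled, and whole-second timestamps with a zero sub-second part), and builds a minimal constructed PE image for testing. The clock-skew tolerance and the lookup of creation time via st_birthtime_ns are assumptions.

```python
import os
import struct

CLOCK_SKEW_S = 24 * 60 * 60  # tolerance for build-machine clock drift (assumed value)


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestomp_indicators(compile_ts: int, created_ns: int, modified_ns: int):
    """Heuristic reasons to suspect the file's filesystem timestamps were altered.

    compile_ts is the PE compile time in seconds; created_ns/modified_ns are the
    filesystem created and modified times in nanoseconds.
    """
    reasons = []
    # A file cannot have been written to disk before its linker stamped it.
    if created_ns // 10**9 + CLOCK_SKEW_S < compile_ts:
        reasons.append("created before PE compile time")
    if modified_ns // 10**9 + CLOCK_SKEW_S < compile_ts:
        reasons.append("modified before PE compile time")
    # NTFS records 100 ns resolution; timestamps set through APIs that take whole
    # seconds (as timestomping tools commonly do) come out with a zero sub-second part.
    if created_ns % 10**9 == 0 and modified_ns % 10**9 == 0:
        reasons.append("zero sub-second component on both created and modified times")
    return reasons


def check_file(path: str):
    """Apply the heuristics to a real file on disk."""
    with open(path, "rb") as f:
        compile_ts = pe_compile_timestamp(f.read())
    st = os.stat(path)
    # st_birthtime_ns (creation time; Windows/macOS on Python 3.12+) with ctime fallback.
    created_ns = getattr(st, "st_birthtime_ns", st.st_ctime_ns)
    return timestomp_indicators(compile_ts, created_ns, st.st_mtime_ns)


def build_minimal_pe(compile_ts: int) -> bytes:
    """Constructed test image: MZ stub, e_lfanew -> PE signature, then a COFF header."""
    img = bytearray(0x40 + 24)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", img, 0x44, 0x14C, 1, compile_ts)  # i386, 1 section, stamp
    return bytes(img)


if __name__ == "__main__":
    stomped = build_minimal_pe(1690000000)           # compiled July 2023
    print(timestomp_indicators(1690000000, 1600000000 * 10**9, 1600000000 * 10**9))
    print(pe_compile_timestamp(stomped))
```

Treat hits as leads rather than verdicts: Windows 10+ system binaries and deterministic .NET builds carry a TimeDateStamp that is a build hash rather than a real time, so the "before compile time" checks need a known-good baseline for those files.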

Upon execution, this file will overlay a warning message on the victim’s desktop, as depicted in the figure below. The design of this alert is intentionally crafted to prevent the user from closing it or accessing other applications on their system. However, it’s crucial to note that this message is a deceptive alert. The warning prompts users to visit a specific website or contact someone via Telegram, likely with malicious intentions.

Figure 5 – Alert Message

This executable also establishes persistence by adding an entry to the “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” key, so the file is executed automatically whenever a user logs in or restarts the system.

The figure below shows the code for persistence.

Figure 6 – Establishing Persistence
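The Run-key persistence described above is easy to audit from a live host or an exported registry listing. The script below is an added example for this post, not Cyble's code: it parses the text that `reg query` prints for a Run key and flags entries whose image sits in a user-writable directory or borrows a system-looking file name outside %SystemRoot%. The sample listing is constructed; the HKCU hive, the lookalike-name list (built from the file names seen in this campaign) and the directory list are assumptions to tune for your environment.

```python
import re

# Output shape of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`:
# key path on its own line, then one indented "<name>    <type>    <data>" line per value.
# This listing is constructed; the suspicious entries mirror names used in this campaign.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Microsoft Services    REG_SZ    "C:\Users\alice\AppData\Roaming\Microsoft Services.exe"
    svchost    REG_SZ    C:\Users\alice\AppData\Roaming\svchost.exe
"""

VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

# Directories any user can write to; autoruns pointing here deserve a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# File names this campaign borrowed from, or made to look like, Windows components.
SYSTEM_LOOKALIKES = {
    "svchost.exe", "runtime broker.exe", "microsoft services.exe", "system.exe", "windows.exe",
}


def extract_image_path(data: str) -> str:
    """Pull the executable path out of a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.search(r"\.exe\b", data, re.IGNORECASE)
    return data[:m.end()] if m else data


def in_system_location(path: str) -> bool:
    p = path.lower()
    return p.startswith(("%windir%", "%systemroot%", "c:\\windows\\"))


def audit_run_key(reg_query_output: str):
    """Return [{'name', 'path', 'reasons'}] for each Run entry that trips a heuristic."""
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        path = extract_image_path(m["data"])
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        reasons = []
        if any(seg in low for seg in USER_WRITABLE):
            reasons.append("image lives in a user-writable directory")
        if base in SYSTEM_LOOKALIKES and not in_system_location(low):
            reasons.append("system-like file name outside %SystemRoot%")
        if reasons:
            findings.append({"name": m["name"], "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_key(SAMPLE_REG_QUERY):
        print(f"{f['name']!r} -> {f['path']}: {', '.join(f['reasons'])}")
```

Note that legitimate per-user software such as OneDrive also installs under AppData and will appear with the single "user-writable" reason; entries that trip both heuristics, as the campaign's svchost.exe and Microsoft Services.exe copies do, are the ones to triage first.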

System.exe: Chaos ransomware variant

This file (SHA256: c14ba9911b3d9f3f85a600f84538c9ee90dbd627ec3831bb89745a71bc0db16b) is a variant of Chaos ransomware. CRIL has reported on multiple variants of Chaos ransomware in the past; a few of them can be found below:

Upon execution, the ransomware encrypts files and alters their names by adding the “.encp” extension. Additionally, it drops a ransom note named “READ_ME.txt.” The scammer customizes the ransomware binary and steers victims toward the fraudulent antivirus website, as shown below.

Figure 7 – Chaos Ransomware variant

Runtime Broker.exe: LockBit Black Ransomware Variant

The specified file (SHA256: b38943f777ec2cb42abe5ef35b5d2933ce65e3aa3915d7d62bc1cd75c7586886) is identified as a variant of the LockBit Black ransomware. This variant seems to have been generated using the leaked LockBit Black builder from 2022. The illustration below displays both the ransom note and the wallpaper that this strain of ransomware has employed.

Figure 8 – Variant of LockBit Black Ransomware

windows.exe: Downloader of NoCry ransomware variant

This file (SHA256: f6eaa0d761f364d68443445b43ee4ebf722af3e65319c26bf136cda50a532685) is a .Net downloader. Upon execution, it drops a batch script named “Jdomsoqo.bat” in the %temp% directory and executes it. The figure below shows the code for dropping and executing the batch script.

Figure 9 – Drops a Batch Script

This batch script further downloads a ransomware payload named “Start.exe” using a PowerShell command and saves it in the “AppData” directory. The figure below shows the content of the batch script.

Figure 10 – Content of Batch Script

This ransomware binary, “Start.exe” (SHA256: 521357a0f9669de4a9233feeef7a3c5299c51de4a2531c56aacc807c0fd25a6a), is a variant of NoCry ransomware.

The figure below shows the ransom note content in the binary’s resource section.

Figure 11 – Ransom Note Content

Upon execution, this ransomware encrypts files and renames them using the “.recry” extension. It further changes the desktop background, as shown in the Figure below, and displays the ransom note using .Net forms.

Figure 12 – Ransom Note of NoCry variant

Pwdsueslxagy.exe – Chaos Ransomware Variant

This file is a ransomware binary (SHA256: 1ab84bd653ca8568f107b6f4bdf38c1839bfefda66d3af8013c781f6ac04c6e8) and a variant of Chaos ransomware. On execution, it first copies itself to the %AppData% directory under the name “svchost.exe” and then executes that copy.

After encrypting files, this ransomware variant renames them by appending the “.encp” extension.

The figure below shows the ransom note and desktop background set by this ransomware variant.

Figure 13 – Ransom Note of Chaos Variant

During our testing, our system experienced a crash caused by the execution of various ransomware variants. This crash effectively halted the operation of all ransomware binaries. However, the initial version of the Chaos ransomware has a persistence mechanism, enabling it to launch itself after the crash during subsequent logins.

Non-existent Antivirus Site

The URL present in the alert message and ransom notes of all of the above binaries, “www[.]bit[.]ly/secure-net”, redirects to “https[:]//alpaca_jade_265.pineapplebuilder[.]com/index”, which is a non-existent Antivirus Solution site, as shown below.

Figure 14 – Non-existent Antivirus Site

The perpetrators of this website are trying to deceive people by selling counterfeit antivirus solutions.

The figure below displays their pricing for this non-existent product.

Figure 15 – Pricing Details

After conducting a thorough investigation, we discovered that all the profile images used for reviews or employees on the website were identified as those of professional models.

In one specific instance, the same image was even used for a Talent Acquisition profile on LinkedIn, indicating how some threat actors (TAs) leverage readily available images of models to deceive users.

The figure below shows the fake LinkedIn profile.

Figure 16 – Fake LinkedIn Profile

Other Findings

Recent Campaign

The typosquatted domain used in this campaign resolves to the IP address “185.199.110[.]153”. This particular IP address has been previously reported by the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) to be associated with a phishing campaign named “Chai Urgent Care”.

DarkWeb Marketplace

In addition to the previous findings, we made another discovery. The IP address “185.199.110[.]153” was also found to be associated with the TORZON MARKETPLACE, a DarkWeb marketplace. In May 2023, a researcher posted information regarding the usage of Link rotators by this marketplace and shared the IP addresses they identified. These findings raise suspicions about potential links between the individuals behind the Tech Scam and the TORZON MARKETPLACE.

Figure 17 – IP Address Attributed to TORZON (Source: https://pastebin.com/zXzG7Ay3)

Conclusion

This Tech Scam attempts to deceive users by selling a non-existent antivirus solution. Using profile images of models for reviews and employees raises suspicions about the authenticity of the website’s claims and credibility.

Furthermore, the possibility that Tech Scammers are executing ransomware attacks, together with the IP address's involvement in the “Chai Urgent Care” phishing campaign, suggests potential links between the Tech Scam and illicit activities in the cyber underground.

Additionally, possible involvement with the TORZON MARKETPLACE indicates a wider network of criminal activity. Falling victim to the Tech Scam may result in financial losses, identity theft, or exposure to further cybercrimes.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Conduct regular cybersecurity awareness training for users to recognize phishing attempts, suspicious websites, and potential scams.
  • Encourage users to verify the identity of the person or organization contacting them before sharing any personal or financial information.
  • Block access to known phishing sites and malicious domains.
  • Avoid clicking on links or downloading attachments from suspicious or unknown email senders.
  • Caution users about clicking on links in emails, messages, or ads that seem suspicious. Hovering over links to see the actual URL before clicking can help determine if they lead to legitimate sites.
  • Install reputable antivirus and anti-malware software on your devices to protect against viruses, ransomware, and other malicious software.
  • Perform regular and automated backups of critical files and store them offline or in a secure, separate location.

MITRE ATT&CK® Techniques

Tactic | Technique ID | Technique Name
Execution | T1204 | User Execution
Execution | T1059 | Command and Scripting Interpreter
Defense Evasion | T1070.006 | Timestomp
Defense Evasion | T1027 | Obfuscated Files or Information
Persistence | T1547 | Boot or Logon Autostart Execution
Impact | T1491.001 | Defacement
Impact | T1486 | Data Encrypted for Impact

Indicators of Compromise (IOCs)

Indicators | Indicator Type | Description
7f350db2b16343645a220922c7a96dc5 | MD5 | Malicious Executable
acb395ca02d645bf20388915a233247fedb31dbf | SHA1 | Malicious Executable
d79f5fe23a82b67205037c268f2fed92d727bf4215b20fa21c8a765e20661362 | SHA256 | Malicious Executable
www[.]bit[.]ly/secure-net | URL | Phishing Site
https[:]//alpaca_jade_265.pineapplebuilder[.]com/index | URL | Phishing Site
185.199.110[.]153 | IP | Malicious IP
436b11d1ed92bf9d6abf46d8bdf9951e | MD5 | NoCry Ransomware
54d8fcda2b9fe4d89668759011f83cbcfcdb18eb | SHA1 | NoCry Ransomware
521357a0f9669de4a9233feeef7a3c5299c51de4a2531c56aacc807c0fd25a6a | SHA256 | NoCry Ransomware
f82762214b095a7508be150c6de5579c | MD5 | Pwdsueslxagy.exe
3f55428bcd35e4d58dd2458b8cae6029b158b460 | SHA1 | Pwdsueslxagy.exe
1ab84bd653ca8568f107b6f4bdf38c1839bfefda66d3af8013c781f6ac04c6e8 | SHA256 | Pwdsueslxagy.exe
885cf6387de64ff8ad43af4604a19efd | MD5 | Dropper
106e514b730bb30dca917d850ebc070afa4139de | SHA1 | Dropper
fbb8f0231c666f7b1bfb9256b60b73bc3f44779eb2865b040ca01a3d0a4e1140 | SHA256 | Dropper
a9302732da6791253667a7a1c44e64dc | MD5 | Vippqmccfq.exe
9141cfdb7edb3330e405694a581caaedbc7d99d6 | SHA1 | Vippqmccfq.exe
0860a8f9d5debc37dc997a501c593b0eb5f17d5e4ec27e41bec09c606309c0a5 | SHA256 | Vippqmccfq.exe
efc213fccc8fe9204ce1af92febfdbbb | MD5 | Gwpuae.bat
28e07921707babcaee2a40f7bbbcd3d31aee9284 | SHA1 | Gwpuae.bat
78a7d65505ff659679651b87634b93c91ef007059eecd1cbb4cc11c5a7ae0d1e | SHA256 | Gwpuae.bat
f68f6ae996370de813845da89f0111ab | MD5 | LockBit Black
a415fd0c932145988017569fc4d99e2e207c5892 | SHA1 | LockBit Black
b38943f777ec2cb42abe5ef35b5d2933ce65e3aa3915d7d62bc1cd75c7586886 | SHA256 | LockBit Black
288235e3df5fa3d6ebd2d9192c43747e | MD5 | Chaos Ransomware Variant
e1b47c8ad75cbab11b9940dec3adfa5de8bce328 | SHA1 | Chaos Ransomware Variant
c14ba9911b3d9f3f85a600f84538c9ee90dbd627ec3831bb89745a71bc0db16b | SHA256 | Chaos Ransomware Variant

Yara Rule:

rule AV_TechScam
{
    meta:
        author = "Cyble"
        description = "Detect Executables Spreading AV_Secure Net TechScam"
        date = "2023-08-08"
        os = "Windows"
        threat_name = "Tech Scam"

    strings:
        // both strings are checked in their 8-bit and UTF-16LE forms
        $a1 = "www.bit.ly/secure-net" ascii wide
        $a2 = "@securenet_global" ascii wide

    condition:
        // 0x5a4d read little-endian at offset 0 is "MZ": only PE files qualify
        uint16(0) == 0x5a4d and all of them
}
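For hosts or pipelines where the yara-python library is not available, the rule's matching logic is small enough to reproduce directly. The Python below is an added example for this post and not Cyble's rule or tooling; it applies the same verdict (MZ at offset 0 plus both strings) and spells out what the `ascii wide` modifier means: each string is searched both as raw bytes and in its UTF-16LE form, which matters because .NET binaries such as the downloaders in this campaign store their string literals as UTF-16. The sample inputs are constructed.

```python
# Indicator strings from the AV_TechScam rule above (the rule itself is Cyble's).
INDICATORS = [b"www.bit.ly/secure-net", b"@securenet_global"]


def encodings(s: bytes):
    """The byte forms YARA's 'ascii wide' modifier searches: raw bytes and UTF-16LE."""
    return {"ascii": s, "wide": s.decode("ascii").encode("utf-16-le")}


def find_indicators(data: bytes):
    """Map each indicator to a list of (encoding, offset) hits; unmatched ones map to []."""
    hits = {}
    for ind in INDICATORS:
        hits[ind] = []
        for enc_name, needle in encodings(ind).items():
            off = data.find(needle)
            while off >= 0:
                hits[ind].append((enc_name, off))
                off = data.find(needle, off + 1)
    return hits


def matches_av_techscam(data: bytes) -> bool:
    """Same verdict as the rule: 'MZ' at offset 0 (uint16(0) == 0x5a4d, little-endian)
    and every indicator present in at least one encoding ('all of them')."""
    if data[:2] != b"MZ":
        return False
    return all(found for found in find_indicators(data).values())


# Constructed test inputs covering the cases a triage script must get right.
SAMPLE_ASCII_PE = b"MZ" + b"\x90" * 40 + b"www.bit.ly/secure-net\x00@securenet_global\x00"
SAMPLE_WIDE_PE = (
    b"MZ" + b"\x90" * 40
    + "www.bit.ly/secure-net".encode("utf-16-le") + b"\x00\x00"
    + "@securenet_global".encode("utf-16-le")
)
SAMPLE_PARTIAL_PE = b"MZ" + b"\x90" * 40 + b"@securenet_global"        # only one indicator
SAMPLE_NOT_PE = b"#!/bin/sh\n# www.bit.ly/secure-net @securenet_global\n"  # both strings, no MZ


if __name__ == "__main__":
    for label, blob in [("ascii PE", SAMPLE_ASCII_PE), ("wide PE", SAMPLE_WIDE_PE),
                        ("partial PE", SAMPLE_PARTIAL_PE), ("script", SAMPLE_NOT_PE)]:
        print(f"{label:10s} match={matches_av_techscam(blob)} hits={find_indicators(blob)}")
```

The script file case shows the trade-off built into the rule: the MZ check keeps it from firing on the batch scripts that carry the same URL, so those need a separate, non-PE signature if you want to catch them at that stage.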

Source: https://cyble.com/blog/utilization-of-leaked-ransomware-builders-in-tech-related-scams/