RecordBreaker Infostealer Disguised as a .NET Installer – ASEC BLOG

Malware that are being distributed disguised as cracks are evolving.

In the past, malware was simply distributed as the executable itself. However, there was a gradual shift towards also including normal files within a compressed file. More recently, there was a sample where a normal installer was downloaded and executed.

If the malware is executed in an ordinary user environment, the encrypted malware file is downloaded from the threat actor’s server and executed. The malware in this instance is the RecordBreaker (Raccoon Stealer V2) Infostealer.

However, in a virtual environment, a .NET update installer is downloaded from the official Microsoft website instead of the malware. After the installer is downloaded, it is then executed and terminated. The following windows may be displayed depending on the installation status of .NET Framework.

Figure 1. Upon executing .NET installer

Thus, it is highly likely that this file will be categorized as being normal when in analysis environments like sandboxes. It can be seen that the .NET installer has been executed after bypassing the sandboxes of VirusTotal.

Figure 2. Analysis information from VirusTotal

The compressed file that is being distributed is managing to deceive users since it also has several normal files and folders compressed inside of it. The figure below shows the files that are created after decompressing the RAR file that was downloaded from the distribution page. Only the “setup.exe” file is the malware while the rest are commonly used files unrelated to the malware.

Figure 3. Malware folder

This particular sample differs from previously distributed malware as it was written in Rust. Furthermore, the file size was not bloated in this distribution, with its size of about 20 to 50 MB. Compared to the previous samples where the file was bloated up to 3 GB, this is much smaller in size.

Additionally, several analysis disruption techniques were applied. The following is a list of the features that have been identified, most of which involve virtual environment detection.

  • Scan debugging status
  • Scan for strings related to virtual environment in the memory
  • Scan PC and user name
  • Scan for driver (.sys) related to virtual environment
  • Scan file/folder name
  • Scan running processes
  • System information (Disk size, process information, memory size, etc.)
Figure 4. Anti-VM string
Figure 5. Anti-Sandbox string

If not in a virtual environment, a PowerShell command is used to delay the execution before an encrypted malware file is ultimately downloaded from the C2.

“C:WindowsSystem32WindowsPowerShellv1.0powershell.exe” -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANQA=
-enc Start-Sleep -s 5
Table 1. PowerShell command

C2 : http://89.185.85[.]117/bmlupdate.exe

The file downloaded from the C2 is encrypted with XOR and the key is “Fm6L4G49fGoTN5Qg9vkEqN4THHncGzXRwaaSuzg2PZ8BXqnBHyx9Ppk2oDB3UEcY”.

The downloaded file is decrypted and an injection is carried out after the normal process (addinprocess32.exe) is executed. The decrypted file is the RecordStealer malware and it does not employ any separate packing techniques. However, the code section of the malware contains a significant number of unnecessary API call codes to obstruct analysis.

MD5: 9fed0b55798d1ffd9b44820b3fec080c (Infostealer/Win.RecordStealer, 2023.06.02.03)

Figure 6. (Left) Encrypted binary (Right) Decrypted binary
Figure 7. Unnecessary API call codes

If a virtual environment is detected during the above scan process, a normal .NET installer is downloaded from the following address and executed.

hxxps://download,visualstudio,microsoft[,]com/download/pr/1f5af042-d0e4-4002-9c59-9ba66bcf15f6/124d2afe5c8f67dfa910da5f9e3db9c1/ndp472-kb4054531-web,exe

Therefore, the following difference between process trees occurs in virtual environments and normal environments.

Figure 8. Process tree structure comparison (Left) Virtual environment (Right) Normal environment

The ultimately executed RecordBreaker steals various sensitive information from users according to the configuration value received from the server. It then sends this information to the C2 before terminating itself.

Figure 9. RecordBreaker C2 communication

C2: 94.142.138[.]74

User-Agent: Zadanie

More details about RecordBreaker can be found in the post below.

The threat actor is actively creating new variants to bypass detection. Users should avoid using illegal tools such as cracks or keygens and use installers that are officially provided by their developers. In particular, if a file that was downloaded from an unknown website is either a password-protected compressed file or contains an executable with the name setup, activate, or install, it should be treated as suspicious.

AhnLab Security Emergency response Center (ASEC) is thoroughly monitoring malware that is being distributed in this way through an automated system. Relevant information can be confirmed in real-time through the AhnLab TIP service.

Figure 10. AhnLab TIP – Live C&C service

[File Detection]

Infostealer/Win.RecordStealer.R579433 (2023.05.19.02)
Infostealer/Win.RecordStealer.R581333 (2023.05.25.03)
Infostealer/Win.Vidar.R582891 (2023.05.30.03)
Infostealer/Win.RecordStealer.R583862 (2023.06.02.03)
Infostealer/Win.RecordStealer.R583865 (2023.06.02.03)

[IOC]

MD5 Distribution Date Download C2 RecordBreaker C2
8248d62ec402f42251e5736b33da1d4d 2023-05-18 hxxp://89.208.103[.]225/client14/enc2no.exe hxxp://94.142.138[.]246/
19e491dfe1ab656f715245ec9401bdd1 2023-05-19 hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe hxxp://94.142.138[.]247/
21a8a6cfa229862eedc12186f0139da0 2023-05-19 hxxp://85.192.40[.]245/fol1paf2nyg0/bn2.exe hxxp://94.142.138[.]246/
a494e9ff391db7deac7ad21cadf45cca 2023-05-19 hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe hxxp://94.142.138[.]247/
bc127d20aa80e7834c97060c1ce5d7f3 2023-05-19 hxxp://85.192.40[.]245/fol1paf2nyg0/bn2.exe hxxp://94.142.138[.]246/
ac449f0e00b004b3bba14c37f61d1e85 2023-05-19 hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe hxxp://94.142.138[.]247/
14eb67caa2c8c5e312e1bc8804f7135f 2023-05-20 hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe hxxp://94.142.138[.]247/
2802aaea098b45cf8556f7883bf5e297 2023-05-21 hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe hxxp://94.142.138[.]247/
0c34e053a1641c0f48f7cac16b743a82 2023-05-21 hxxp://85.192.40[.]245/fol1paf2nyg0/bn2.exe hxxp://94.142.138[.]246/
a383055244f546ca4f7bd0290b16d9c9 2023-05-22 hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe hxxp://94.142.138[.]247/
986bc66f125aae71d228eeecf3efe321 2023-05-23 hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe hxxp://94.142.138[.]247/
97fbfaf2b454b3a9b3b4d4fd2f9a7cb9 2023-05-23 hxxp://85.192.40[.]245/fol1paf2nyg0/bn2.exe hxxp://94.142.138[.]246/
660f72ddf06bcfa4693e29f45d3e90b0 2023-05-23 hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe hxxp://94.142.138[.]247/
894ce52199f7e633306149708c1b288b 2023-05-24 hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe hxxp://94.142.138[.]247/
bdda7ef4439954a392c9b5150a6c6213 2023-05-24 hxxp://85.192.40[.]245/fol1paf2nyg0/bn2.exe hxxp://94.142.138[.]246/
8b6ff39df70b45bb34c816211cbc2af8 2023-05-24 hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe hxxp://94.142.138[.]247/
b5e9f861213e7148491ba6c13972a8ba 2023-05-25 hxxp://85.192.40[.]245/fol1paf2nyg0/bn2.exe hxxp://94.142.138[.]246/
5254fc5d6990d2d58a9ef862503cc43d 2023-05-25 hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe hxxp://94.142.138[.]247/
45613d3339b9f45366218362f2e6b156 2023-05-26 hxxp://85.192.40[.]245/fol1paf2nyg0/bn1n.exe hxxp://94.142.138[.]247/
f2c6fec557daa2596b5467026f068431 2023-05-26 hxxp://85.192.40[.]245/fol1paf2nyg0/bn1n.exe hxxp://94.142.138[.]247/
7523a30c60fb7d2c02df18fa967f577d 2023-05-28 hxxp://79.137.202[.]161/7yd0ymt74ny7qbuk/Pangl.exe hxxp://77.91.73[.]11:2705/
3215b2bd3aeaea84f4f696c7ba339541 2023-05-29 hxxp://79.137.202[.]161/7yd0ymt74ny7qbuk/Pangl.exe hxxp://78.46.248[.]198/
8e40018360068a2c0cb94a514b63a959 2023-05-30 hxxp://89.185.85[.]33/pctupdate.exe hxxp://79.137.203[.]217/
24960b3a4fb29a71445b7239cd30bbce 2023-05-30 hxxp://79.137.202[.]161/7yd0ymt74ny7qbuk/Pangl.exe hxxp://78.46.248[.]198/
83432cfda6a30f376d00eba4e1e6c93f 2023-05-30 hxxp://79.137.202[.]161/7yd0ymt74ny7qbuk/Pangl.exe hxxp://78.46.248[.]198/
73239203bc4cdf249575de358281fe82 2023-06-01 hxxp://89.185.85[.]33/pctupdate.exe hxxp://94.142.138[.]60/
d367b73118fa966b5f5432bbbf35bae5 2023-06-02 hxxp://89.185.85[.]117/bmlupdate.exe hxxp://94.142.138[.]74/
6a834288fd96008cbe3fc39c61d21734 2023-06-02 hxxp://89.185.85[.]33/pctupdate.exe hxxp://94.142.138[.]60/
972748e60f696333dd8b4b12f9f3a7af 2023-06-02 hxxp://89.185.85[.]117/bmlupdate.exe hxxp://94.142.138[.]74/
0c819835aa1289985c5292f48e7c1f24 2023-06-04 hxxp://89.185.85[.]117/bmlupdate.exe hxxp://94.142.138[.]74/
ebd8eeac32292f508b1c960553202750 2023-06-05 hxxp://89.185.85[.]117/bmlupdate.exe hxxp://94.142.138[.]74/

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Source: https://asec.ahnlab.com/en/54658/