Caution is advised as an Infostealer that prompts the execution of legitimate EXE files is actively being distributed.
The threat actor is distributing a legitimate EXE file with a valid signature and a malicious DLL compressed in the same directory. The EXE file itself is legitimate, but when executed in the same directory as the malicious DLL, it automatically runs that malicious DLL. This technique is called DLL hijacking and is often used in the distribution of malware.
The distribution of malware disguised as cracks and keygens for commercial software is also increasing the sample size of the DLL hijacking method. The distribution began in earnest around last May and has continued to spread actively since August to the present.
When searching for various cracked commercial software on search engines, malicious sites appear at the top, and clicking the Download button on these sites leads to various redirections before arriving at the ultimate distribution site. The downloaded file is an encrypted compressed RAR file, and the password is provided in the file name or on the distribution page. When this file is decompressed and the legitimate EXE file contained within is executed, the system becomes infected by the malware. The EXE files are mostly named setup.exe or Installer.exe and have valid signatures since most of them are the executable files of well-known software.
The malicious DDL files are created by modifying a segment of legitimate DLL files. The modified code reads a specific data file in the same directory, decrypts it, then executes it. If the entire malware data were to be contained within the DLL files, the appearance of the files would be significantly altered, making them easier to detect. Therefore, it is suspected that this method is utilized so that malicious behavior can be performed while only altering the bare minimum of the original DLL files.
Ultimately, the data file, legitimate EXE file, and modified malicious DLL must all be located in the same directory for the malware to function. The data file is disguised as a PNG image file. The modified area of the malicious DLLs includes the end part of a certain function that must be executed in the EntryPoint execution flow, along with some code and data areas. All the code is encrypted and executed after being decrypted in the memory in order to evade code pattern detection. After execution, the malware has been observed to delete the malicious DLLs in order to erase traces.
The execution process of the malware is explained using the recently distributed sample below.
| Legitimate EXE | e634616d3b445fc1cd55ee79cf5326ea (vlc.exe) |
| Malicious DLL | 58ea42289ae52e82ffcfa20071c32d7a (libvlccore.dll) |
| Final malware | LummaC2 Stealer |
| C2 | hxxp://hokagef[.]fun/api |
Decompressing the password-protected compressed file downloaded from the distribution site using the password specified in the file name (“2023”) creates the following files.
The “Setup.exe” and “libvlc.dll” are legitimate components of the well-known software “VLC Media Player” and are valid files with legitimate signatures. The “libvlccore.dll” file is the modified malicious DLL file. The signatures do not match since a portion of the file was modified. The directories such as demux and lua are included as data to disguise the file as being legitimate but are unrelated to the actual execution of the malware.
When the “Setup.exe” file is executed, the malicious DLL “libvlccore.dll” is automatically run. The end part of a certain function within the DLL EntryPoint execution flow has been modified in the malicious DLL. Consequently, the DLL EntryPoint is triggered upon loading the DLL, ultimately causing the execution of the code modified by the threat actor.
The functionality of this code is to locate and read the “ironwork.tiff” file in the same directory. It then reads and decrypts this file before executing it. This file is a data file that contains information on the code to be executed later. The file header is a PNG file, but it is filled with encrypted malicious data starting from the middle of the file.
It loads the “pla.dll” from the system directory (SysWow64) and injects the decrypted code into the code region of the DLL’s memory, followed by branching to that location. This method differs from the typical approach used by most malware, which involves allocating virtual memory to write code.
The API used in the subsequent step utilizes the NTDLL relocation technique. Even when executing “cmd.exe” and injecting code, it deviates from the typical code injection method. Instead of directly injecting code into the target process, it loads (DLL injection) “pla.dll” into the target process and then injects the malware into the code region of that DLL.
At this point, the necessary data file for malicious behaviors is written to the %TEMP% path. This file path is registered as a certain environment variable and inherited by the child process, which is “cmd.exe”.
cmd.exe has its EntryPoint modified to the code region of “pla.dll.” This code decrypts the file located at the path registered in the environment variable. It then generates the LummaC2 malware binary and proceeds to execute “explorer.exe”. Afterward, it injects the binary and executes it.
- LummaC2 malware binary: 1d1ef4a4155edb56e8f3c8587fde8df0
The overall process tree structure is as follows.
LummaC2 is an Infostealer that can designate targets and install additional malware based on the responses it receives from its C2 server. It is capable of exfiltrating various sensitive data, including cryptocurrency wallets, information saved on browsers, information from applications like Steam, email client data, specific files in certain folders with particular extensions, and more.
The C2’s responses are composed of data and an XOR key, and when decrypted, they take the form of JSON-formatted data, as shown below. Responses from the C2 change periodically, leading to variations in its behavior in turn.
This distribution method infects systems via the execution of legitimate EXE files that belong to well-known software. The malicious DLLs closely resemble the original DLLs in appearance, making them different from simple EXE-based malware. Consequently, the initial detection rates by anti-malware vendors are considerably low, underscoring the need for caution from users.
Meanwhile, ASEC is actively monitoring and responding to this type of distributed malware using its automatic collection system and is responding quickly to variations that occur.
Aside from the example given in this post, various legitimate files and DLLs have also been abused. Information regarding the legitimate EXE and malicious DLL files used for distribution is as follows.
[IOC Information]
| PSPad.exe | Jan Fiala | 4ec1a433d0c1e6b58da254b506e3444f | libeay32.dll | a3a0395dc0f15e2e92a55dcb7c3a7735 |
| WizTree.exe | Antibody Software Limited | cce7eaa082751bdd6780707a9444964d | winmm.dll | c474b9effe72f11e73bfd8e2d5235108 |
| WizTree64.exe | Antibody Software Limited | 50a40274ffe963e1f214f9f19746e29e | winmm.dll | 4474e26725db0e84d8418b25137d275b |
| InstallShield SetupSuite.exe | Flexera Software LLC | 696e066c4f3d52d5766e724afbdb3594 | xmllite.dll | 483ad6a57ea6cae5696841f07f1177f0 |
| TSConfig.exe | Flexera Software LLC | 48c9a0c76b44a5f2729c876085adba4e | FNP_Act_Installer.dll | 89618931cf9487370542ca40509795a4 |
| VBoxSVC.exe | Oracle Corporation | c8a2de7077f97d4bce1a44317b49ef41 | VBoxRT.dll | a860b368e9e2aa5cb4e7cb73607d18b1 |
| SenseCE.exe | – | 8f0717916432e1e4f3313c8ebde55210 | MpGear.dll | f362e88dd656c5512dbee66efffae107 |
| palemoon.exe | Mark Straver | 64e3c6d6a396836e3c57b81e4c7c8f3b | mozglue.dll | 200499eacae55905e27d0b96314cb0c7 |
| topoedit.exe | Microsoft Corporation | 88691dbfa349db78f96e3278d1afc943 | tedutil.dll | 8096e5aacfe4dc4ea1afe03ca254982a |
| vlc.exe | VideoLAN | e634616d3b445fc1cd55ee79cf5326ea | libvlccore.dll | 61762b4a21b0b7b479d2eac80b630c2e |
| Mergecap.exe | Wireshark Foundation | 23ba27d352305f29d201ac5e43fc4583 | libglib-2.0-0.dll | 4b8ac7aab387e01cfa2c53cad3ef69b1 |
| AcroBroker.exe | Adobe Systems, Incorporated | a13bfe522abc659704965388ad4581ee | sqlite.dll | e74fb90de19d7cc0b01155f29e6c306f |
| VBoxTestOGL.exe | Oracle Corporation | ba99b11a84a19051eca441320af22f4e | QtCoreVBox4.dll | 4f688e1c75cbee5949af010cbc5d4057 |
| vlc.exe | VideoLAN | e634616d3b445fc1cd55ee79cf5326ea | libvlccore.dll | 58ea42289ae52e82ffcfa20071c32d7a |
| TPAutoConnect.exe | Cortado AG | 1377ef7319507a10d135d5128ac9fbc8 | TPSvc.dll | 12e5c5c08049ecaa5e15d51bbe58fd41 |
C2
- hxxp://go-vvv[.]com/hittest.php
- hxxp://cloudsaled[.]xyz/
- hxxp://cloudsaled[.]xyz/c2conf
- hxxp://warnger[.]xyz/
- hxxp://warnger[.]xyz/c2conf
- hxxp://warnger[.]xyz/
- hxxp://warnger[.]xyz/c2conf
- hxxp://5.42.66[.]17/
- hxxp://nursepridespan[.]fun/
- hxxp://nursepridespan[.]fun/api
- hxxp://paintpeasmou[.]fun/
- hxxp://paintpeasmou[.]fun/api
- hxxp://spreadbytile[.]fun/
- hxxp://spreadbytile[.]fun/api
- hxxp://willywilk[.]fun/api
- hxxp://tfestv[.]fun/api
- hxxp://hokagef[.]fun/api
- hxxp://gonberusha[.]fun/api
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Source: https://asec.ahnlab.com/en/58319/