Key Takeaways
- Cyble Research and Intelligence Labs (CRIL) encountered a RAR archive file that could propagate through adult websites or fake adult sites, etc.
- In this malware campaign, Threat Actors (TAs) exploit a vulnerability in WinRAR (CVE-2023-38831) to distribute their malicious payloads onto the systems of their victims.
- The vulnerability triggers the execution of a CMD file, which initiates the download of a BAT file.
- The initial Batch script in this stage acts as a downloader to obtain a PowerShell grabber, which is responsible for pilfering sensitive data and then proceeds to fetch Apanyan Stealer.
- Furthermore, the Batch file downloads and runs additional malware, including The Murk-Stealer and AsyncRAT, which carry out other malicious activities on the victim’s system.
Overview
CRIL came across a RAR archive file on October 3rd on VirusTotal. This file exploits a WinRAR vulnerability to deliver various malicious payloads to the victim’s system. This particular campaign appears to target individuals who engage in viewing/downloading Illicit images and videos, aiming to infect them using various malware types, such as Apanyan Stealer, The Murk-Stealer, and AsyncRAT.
The initial infection could potentially originate from people who download explicit images and videos from adult websites or fake adult sites, based on the below filenames.
- 11yo_hard_[redacted].rar
- luna_12yo.rar
- boy10[redacted]15yo.rar
This technique commences by initiating the download of an RAR archive file from certain websites. Within this RAR archive, a JPG image file and a folder bearing a similar name. After opening the RAR archive and subsequently accessing the JPG file, it leverages a WinRAR vulnerability (CVE-2023-38831) to execute a CMD file located within the same name folder. This CMD file is responsible for downloading and running a BAT file.
The BAT file contains a code that initially downloads and executes a PowerShell grabber, which subsequently gathers sensitive information and proceeds to download and run the new Apanyan Stealer.
Moreover, the BAT file also initiates the download and execution of The Murk-Stealer and AsyncRAT malware on the victim’s system. These malware strains are designed to pilfer sensitive information and transmit it from the victim’s machine while granting unauthorized access to the system for remote attackers, as illustrated in the figure below.
Technical Analysis
WinRAR Vulnerability (CVE-2023-38831)
Upon opening the archive file “11yo_hard_[redacted].rar,” it reveals a JPG file along with a folder that shares the same name as the file, as shown in the figure below.
Nonetheless, if the user double-clicks on the JPG file “11yo_hard_[redacted].jpg,” it exploits the CVE-2023-38831 vulnerability to silently execute a CMD file named “11yo_hard_[redacted].jpg .cmd” within the folder as shown in the below Figure 3. This CMD file is used to install malware on the victim’s system. Concurrently, the CMD script additionally loads an image file to entice the user while evading any potential suspicion.
File Extension Spoofing Exploit
CVE-2023-38831: WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file.
The vulnerability is exploited by crafting archives with a modified structure, slightly different from safe files. This modification causes WinRAR’s ShellExecute function to receive an incorrect parameter when it tries to open the decoy file.
Consequently, the program bypasses the harmless file and instead finds and executes a CMD script. While the user believes they are opening a safe file, the program initiates a different one, as stated by bleeping.
Upon successful execution of the CMD file named “11yo_hard_[redacted].jpg .cmd,” it initiates the download of another CMD file “payload.cmd” from the GitHub URL using the curl command. This downloaded CMD file is then saved as a batch file named “uwu.bat” in the %temp% folder. Following that, a PowerShell command, saps (Start-Process) is used to execute the “uwu.bat” file discreetly using a hidden window, as shown in the figure below.
Downloader
Upon execution of the batch file, it carries out the following actions:
- It creates a directory named “GraphicsType” in the “%programdata%” folder.
- Next, it generates a batch file named “SystemTray.bat” within the “%programdata%GraphicsType” directory, intended for configuring a registry entry that executes a command during the next user login.
- After that, it employs the curl command twice. Firstly, it downloads an image file named “seins.jpg” from a specified URL and stores it in the “%temp%” directory. Secondly, it downloads a PowerShell script called “helper.ps1” from a GitHub repository, saving it to the same location as “script.ps1.”
- Subsequently, it employs PowerShell to run the “script.ps1” script from the “%temp%” directory, using a hidden window. This PowerShell grabber is responsible for extracting sensitive data and then proceeds to download “main.exe”, identified as “Apanyan Stealer.”
- Following that, it downloads two PNG files, namely “5v4rjb.png” and “g08ugo.png,” from an online file storage site using Curl. Indeed, these files are executables masqueraded as PNG images. Once downloaded, they are stored in the “%programdata%GraphicsType” directory under the aliases “winint.exe” and “SystemTray.exe.”
- Afterwards, it starts Windows Explorer to run both the executables, “winint.exe,” identified as “The Murk-Stealer,” and the “SystemTray.exe,” identified as “AsyncRAT.”
- Finally, it leverages the system’s default image viewer to display the “seins.jpg” image, creating the illusion that the victim has opened an image.
The following illustration displays the files downloaded and stored on the victim’s system during the execution.
The diagram below illustrates the process tree of the malware infection that occurs after the successful execution of the deceptive file named “11yo_hard_[redacted].jpg .cmd.”
PowerShell Grabber & Downloader
In the beginning, the “uwu.bat” file downloads and starts the execution of a PowerShell script called “script.ps1” from the %temp% directory.
The PowerShell script intends to carry out unauthorized activities on a system. These activities include collecting system information, localization data, hardware details, screen captures, grabbing Wi-Fi passwords, and potentially pilfering data associated with Steam accounts and sensitive files with specific keywords, referred to as the “Kiwi Grabber.” Subsequently, the script exfiltrates this sensitive information to a Command and Control (C&C) server.
When the PowerShell script “script.ps1” is run, it downloads an executable file called “main.exe” from a GitHub repository. Subsequently, it initiates the execution of this downloaded executable using the saps command. This executable is a PyInstaller file and is recognized as “Apanyan Stealer.”
The PowerShell script then focuses on and collects the following sensitive information from the victim’s system.
- System Information: It collects data such as the username, computer name, operating system, Hardware ID (HWID), antivirus software details, and whether grabbers are detected on the system.
- Localization Information: It retrieves the system’s IP address, country, region, city, postal code, timezone, and ISP (Internet Service Provider).
- Hardware Information: It acquires details about the GPU, CPU, motherboard, RAM, and the overall hardware configuration.
- Screenshots: It captures screenshots of the system’s desktop, including information about the time, date, and image dimensions.
- Wi-Fi Passwords: It tries to retrieve Wi-Fi network SSIDs, passwords, and authentication methods saved on the system.
- Steam Accounts: If Steam is installed, it looks for Steam configurations and accounts associated with Steam, potentially including usernames and other information.
- Kiwi Grabber: It searches for files on the system with specific keywords (related to banking, passwords, crypto-wallets and other sensitive data) as mentioned in below figure, and archives them for potential exfiltration.
After collecting all the sensitive information from the system, the PowerShell script proceeds to send this gathered data in a JSON format, to a specified Discord C&C server using Curl command.
Apanyan Stealer
Before conducting grabber activities, the PowerShell grabber downloaded a PyInstaller executable file named “main.exe,” which is Apanyan Stealer. After extracting the PyInstaller file “main.exe,” it shows various Python-supporting files such as “.pyc,” “.pyd,” and “.dll” files, as shown below.
The “main.py.fxdtml.pyc” Python compiled file is responsible for the Apanyan stealer’s operation. It employs three layers of encoding to conceal the stealer code.
During execution, it acquires the stealer’s python code (Figure 13) through the following sequence of actions.
- The decompiled code of the .pyc file (main.py.fxdtml.pyc) contains an obfuscated data. This obfuscated data is de-obfuscated using the replace function, resulting in binary data.
- Subsequently, this binary data is converted into a text representation by first converting it into an integer and then decoding the resulting bytes into a string. This newly obtained string contains another piece of Python code.
- Within this new Python code, there is a base85 encoded string. The exec function uses the “base64.b85decode” function to decode this base85 encoded string, revealing yet another piece of Python code.
- In this new Python code, there is a base32 encoded string. Again, the exec function employs “base64.b32decode” function to decode this base32 encoded string, ultimately revealing the final Python script, which identified as “Apanyan stealer.”
The figure below illustrates the final stage of the “Apanyan Stealer” Python script.
Anti-VM/Anti-Debug
When executed, the stealer initially conducts checks to avoid virtual machine (VM) and debugging environments. The script evaluates certain conditions to decide whether it should terminate or proceed, potentially as a strategy to avoid being detected.
It contains lists of blocked usernames, computer names, hardware IDs (HWIDs), IP addresses, and MAC addresses. It acquires the current user’s username, computer name, HWID, IP address, and MAC address. The script then verifies if any of these values correspond to the blocked values in their respective lists. If a match is found, the script terminates.
The following figure illustrates the code snippet of the function utilized to conduct the Anti-VM check.
Steam()
Following the AntiVM check, the stealer proceeds to execute the steam() function. This function is specifically designed to identify Steam installations on the system, gather configuration data, and extract the URLs associated with Steam accounts. The gathered information is then stored in a text file named “accounts.txt,” as shown in the below code snippet figure.
Browser()
Once the sensitive information from Steam applications has been obtained, the malware proceeds to execute the browser() function. This function is responsible for extracting sensitive data, including passwords, cookies, browsing history, and bookmarks, from various web browsers installed on the system. Subsequently, it arranges and stores this data in corresponding text files. The figure below displays the web browsers that are targeted by the Apanyan Stealer.
IP()
Subsequently, the stealer initiates the process of gathering details about the system’s IP address and geographical location using the function ip(). The details such as IP address, country, city (along with postal code), geographical coordinates (latitude and longitude), time zone, organization (like the ISP or hosting provider), and a link to Google Maps pinpointing the exact location based on latitude and longitude. All this data is meticulously compiled and saved in a file named “ip.txt” within the “Information” directory, as shown in the below code snippet of the figure.
Token()
After that, the malware executes the token() function, which is created to steal the Discord authentication tokens from various locations, validate their authenticity, and store them in a file named “tokens.txt.” The figure below displays the Discord tokens that are targeted by the Apanyan Stealer.
Exfiltration
Finally, the stealer compresses the collected text files into a ZIP archive and transmits this archive to a Command and Control (C&C) server using a Discord webhook URL, as shown in the below code snippet figure.
The Murk-Stealer
The-Murk-Stealer is an open-source turbo stealer coded in Python, capable of extracting sensitive data from a victim’s computer. It sends the collected logs through Discord webhooks, a Telegram bot, or an XMPP bot. This tool is available on GitHub.
When executed, “winint.exe,” the Murk-Stealer carries out an extensive range of functionalities, including:
- Collects system Information such as current time, timezone, city, region, country, username, PC name, OS, OS version, architecture, HWID, MAC address, BIOS serial number, machine GUID, and baseboard manufacturer. It also gathers Network-related information, including external and internal IP addresses, coordinates, organization, and postal code.
- Gathers hardware Information, such as CPU details, GPU information, RAM details, and Drive-related information. It also collects Other information like installed antiviruses, running processes, clipboard contents, installed programs, product keys, and Wi-Fi details.
- Grabs files with extensions like .txt and .docx from Desktop, Documents, and Downloads folders.
- Collects session information from messaging apps like Telegram, Viber, Pidgin, Discord (with token and password retrieval), Skype, WhatsApp, and other similar platforms.
- Gathers credentials associated with gaming platforms such as Steam, Epic Games, Uplay, Roblox, Minecraft, BattleNET, and others.
- Collects wallet information from services like PayPal, Kivi, Binance, Metamask, Atomic, and more.
- Steals data from web browsers like Chrome, Firefox, Opera, Edge, Brave, and others. This includes passwords, cookies, browsing history, downloads, extensions, and stored card details.
- Captures VPN credentials from services like Nord VPN, Open VPN, and Proton VPN.
- Additionally, it takes screenshots, accesses camera photos, employs anti-debug and antivirus bypass mechanisms, and possesses self-destruction capability for the malware.
The icon of the downloaded executable payload “winint.exe” is depicted in the figure below, and it’s worth noting that the GitHub page of “Murk-Stealer” uses a similar icon as its avatar.
AsyncRAT
AsyncRAT is a Remote Access Trojan (RAT) that was created using C# and originally surfaced in 2016. It offers cyber attackers the capability to remotely control compromised systems. Notably, this malware boasts extensive customization options, allowing attackers to add new features and functionalities as needed. Consequently, it has gained popularity among malicious actors seeking to carry out targeted attacks.
While AsyncRAT was initially developed for educational purposes and remains available as an open-source project on GitHub, it has unfortunately been exploited for malicious purposes worldwide. Its broad range of capabilities includes keylogging, audio and video recording, information theft, remote desktop manipulation, and more.
Upon execution of the “SystemTray.exe,” the AsyncRAT performs a wide array of functions, including:
- Screen viewing and recording
- SFTP access, allowing both uploads and downloads
- A client and server chat interface
- Support for Dynamic DNS and multiple servers
- Password recovery capabilities
- A JIT (Just-In-Time) compiler
- Keylogging functionality
- Anti-analysis measures
- Controlled update mechanisms
- Antimalware startup procedures and others.
Conclusion
Threat actors may focus on individuals who visit adult websites due to the substantial user base, potential for anonymity, increased user engagement, the potential for financial gain through stolen data, blackmail opportunities, lowered user security awareness, and the presence of vulnerabilities on such sites that can be exploited. In this campaign, TAs are utilizing a WinRAR vulnerability as a means to deliver multiple forms of malware into the victim’s system, with the objective of pilfering sensitive data and gaining unauthorized access to their system.
The TAs employ multifaceted delivery methods to bolster their malicious activities. These tactics assist them in avoiding detection, ensuring long-term presence, evading alarm triggers, postponing execution, countering defensive measures, and deterring attempts at reverse engineering.
Cyble Research and Intelligence Labs maintains its surveillance on the latest phishing or malware strains in circulation, providing up-to-date blogs containing actionable intelligence to safeguard users against these attacks.
Our Recommendations
- Refrain from downloading explicit content from adult websites to reduce the risk of encountering harmful content or malware.
- The campaign takes advantage of a File Extension Spoofing Vulnerability (CVE-2023-38831) found in WinRAR version before 6.23. To mitigate the infection risk, users are advised to upgrade to the latest version of WinRAR, which addresses this vulnerability.
- Employ security software capable of categorizing and preventing access to websites that are notorious for hosting or disseminating malware. These systems enable the maintenance of an up-to-date repository of malicious URLs.
- Enhancing security by enforcing policies and restrictions to prevent unauthorized PowerShell script execution.
- Deploy strong antivirus and anti-malware solutions to detect and remove malicious executables and scripts.
MITRE ATT&CK® Techniques
| Tactic | Technique | Procedure |
| Initial Access (TA0001) | Phishing (T1566) | This malware reaches users via Adult sites. |
| Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) |
cmd.exe are used to download the first stage payload. |
| Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) |
PowerShell commands are used to download the next stage payload. |
| Execution (TA0002) | Windows Management Instrumentation (T1047) |
Queries various information from victim’s system |
| Persistence (TA0003) | Registry Run Keys / Startup Folder (T1547.001) |
PowerShell creates an AutoStart link. |
| Defense Evasion (TA0005) | Virtualization/Sandbox Evasion (T1497) | Performing Anti-VM/Anti-Debug technique for evasion. |
| Defense Evasion (TA0005) | Disable or Modify Tools (T1562.001) |
The malware scans for VM and Debugger- related processes and terminates them. |
| Defense Evasion (TA0005) | Masquerading (T1036.008) | Download files with a non-matching file extension (content does not match to file extension). |
| Defense Evasion (TA0005) | Modify Registry (T1112) | Uses reg.exe to modify the Windows registry. |
| Discovery (TA0007) | Process Discovery (T1057) | Queries a list of all running processes. |
| Discovery (TA0007) | Query Registry (T1012) | The malware is examining the registry to extract system details. |
| Discovery (TA0007) | System Information Discovery (T1082) |
The malware gathers system information through PowerShell, Command Prompt (cmd), and WMIC. |
| Discovery (TA0007) | Security Software Discovery (T1518.001) |
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory). |
| C&C (TA0011) |
Application Layer Protocol (T1071) |
The malware uses TCP to interact with the C&C server. |
| C&C (TA0011) |
Ingress Tool Transfer (T1105) |
The malware has the ability to download files from C&C |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type |
Description |
| 2a156fc93f1b133ff6f50df24a4e5faa 0863dffc2a670fde374b06df0b88e270f93bbd6e c1bc860ba34dc239e58067bc23de9987020d13c48499422352f93a7ee0feb1d8 |
MD5 SHA1 SHA256 |
11yo_hard_ [redacted].rar |
| 416f600c19d252b601218eceedb782c9 971b3e634775606f76c9ed752ab99b51b74a8b4a 0095db1c353db11718c24d1af5d61f9a90638a4165c86777508f8c73b7af9d15 | MD5 SHA1 SHA256 |
luna_12yo.rar |
| 668ee99ffb369dee2850e6c09f91a01e d63d077dbf6a186f5ac5695e61fc1448a721e916 baa17ae458d6306660ff77083432f56a3cd9607585842a49d7b283b17506ab08 |
MD5 SHA1 SHA256 |
11yo_hard_ [redacted].jpg .cmd |
| badd509d165669a38c3f8f9851acb8e8 29193941bd3a96088019d9a6fcb4bfeb63059622 818e1ae50c13fddcb83a97cd15a604b567656207e0229b36c3a1c436daa72d07 |
MD5 SHA1 SHA256 |
uwu.bat |
| 4ecab7c77f89d2b6fb6cafb85c7b7d04 f52ff94698d74497b65de6459abb8b25c476ec33 41efdecf295b7f916f137e98ef28a57695d4146c407e6961732de4943cba859d | MD5 SHA1 SHA256 |
script.ps1 |
| 00098b7ae5bde365c8e691050e6edbaa 4cb154b7127a7f55852a246ba25f72b4d96a4694 45b99afede517c53b99abf4957644d96708dfbef7418f083539844e68b0518aa | MD5 SHA1 SHA256 |
script.ps1 |
| 1892848ed0a74eab34eb3716af02a6c0 64f3365ee39365dea7298cc043551be6be87001b 027950290c6e03bd99e70b72f3b41d45de6916e92311ace830020d38d097a5f8 | MD5 SHA1 SHA256 |
main.exe |
| 729e10dffe5dcd40fed21466fa0c8053 328abe83643c37c207ebfc199297c687c15f5984 bb8dc3c52e65954732146d65d20045a59830a49be4524d828c4cd8825343dd8b | MD5 SHA1 SHA256 |
SystemTray. exe |
| 4268e01464e706c78b5c70ba703c39cb 01f2169679f545fa6b50f9e9a78515d9ba8829fe e3695ccd916374b1a1aa591332746d45b1b6b5a72de46c2f21d2557c7f74eb20 | MD5 SHA1 SHA256 |
winint.exe |
| hxxps://raw[.]githubusercontent[.]com/MisericordeXHD/winrar/main/ payload[.]cmd |
URL | Link to download Batch file |
| hxxps://raw[.]githubusercontent[.]com/MisericordeXHD/winrar/main/ helper[.]ps1 |
URL | Link to download PowerShell grabber |
| hxxps://github[.]com/MisericordeXHD/winrar/raw/main/main[.]exe | URL | Link to download Apanyan Stealer |
| hxxps://files[.]catbox[.]moe/5v4rjb[.]png | URL | Link to download Murk-Stealer |
| hxxps://files[.]catbox[.]moe/g08ugo[.]png | URL | Link to download AsyncRAT |