Malware Analysis Report
10322463.r3.v1
2021-02-12
Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.
Summary
Description
This Malware Analysis Report (MAR) is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber threat to cryptocurrency posed by North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), and provide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus Group—which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors—is targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency.
This MAR highlights this cyber threat posed by North Korea and provides detailed indicators of compromise (IOCs) used by the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on other versions of AppleJeus and recommended steps to mitigate this threat, see Joint Cybersecurity Advisory AA21-048A: AppleJeus: Analysis of North Korea's Cryptocurrency Malware at https://www.us-cert.cisa.gov/ncas/alerts/AA21-048A.
There have been multiple versions of AppleJeus malware discovered since its initial discovery in August 2018. In most versions, the malware appears to be from a legitimate-looking cryptocurrency trading company and website, whereby an unsuspecting individual downloads a third-party application from a website that appears legitimate.
The U.S. Government has identified the AppleJeus malware version Union Crypto and the associated IOCs used by the North Korean government in AppleJeus operations.
Union Crypto, discovered by a cybersecurity company in December 2019, is a legitimate-looking cryptocurrency trading software that is marketed and distributed by a company and website—Union Crypto and unioncrypto[.]vip, respectively—that appear legitimate.
For a downloadable copy of IOCs, see: MAR-10322463-3.v1.stix.
Submitted Files (8)
01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f (UnionCryptoUpdater.exe)
0967d2f122a797661c90bc4fc00d23b4a29f66129611b4aa76f62d8a15854d36 (UnionCryptoTrader.exe)
2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390 (UnionCryptoTrader.dmg)
631ac269925bb72b5ad8f469062309541e1edfec5610a21eecded75a35e65680 (unioncryptoupdater)
6f45a004ad6bb087f733feb618e115fe88164f6db9562cb9b428372c9add75f0 (UnionCryptoTrader)
755bd7a3765efceb8183ffade090ef2637a85c4505f8078dda116013dd5758f3 (NodeDLL.dll)
af4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49 (UnionCryptoTrader.msi)
e3623c2440b692f6b557a862719dc95f41d2e9ad7b560e837d3b59bfe4b8b774 (UnionCryptoSetup.exe)
Domains (1)
unioncrypto.vip
IPs (1)
216.189.150.185
Findings
e3623c2440b692f6b557a862719dc95f41d2e9ad7b560e837d3b59bfe4b8b774
Tags
trojan
Details
Field | Value
---|---
Name | UnionCryptoSetup.exe
Size | 30330443 bytes
Type | PE32 executable (GUI) Intel 80386, for MS Windows
MD5 | 24b3614d5c5e53e40b42b4e057001770
SHA1 | b040433fb50d679b2e287d7fcc1667a415fb60b0
SHA256 | e3623c2440b692f6b557a862719dc95f41d2e9ad7b560e837d3b59bfe4b8b774
SHA512 | 55e9c7f59189e395b6b348d9fa8b4b907d0cedd790a33603a49ac857f5a07b205f8787fab0c7a9954e992852e6e5090f3cbf2243e86bb2546bd5628619648d87
ssdeep | 786432:Dj2fi5nBGPBMNekleUtOaZ13vcdkIXX0kfp:+65AP+QAeUtOKvc+c0kR
Entropy | 7.984564
Antivirus
Engine | Detection
---|---
Filseclab | W32.ELEX.L.erpg.mg
Microsoft Security Essentials | Trojan:Win32/UnionCryptoTrader!ibt
YARA Rules
No matches found.
ssdeep Matches
No matches found.
PE Metadata
Field | Value
---|---
Compile Date | 2018-09-20 09:08:01-04:00
Import Hash | cbc19a820310308f17b0a7c562d044e0
Company Name | UnionCrypto Co.Ltd
File Description | Union Crypto Trader
Internal Name | UnionCryptoTraderSetup.exe
Legal Copyright | © UnionCrypto Corporation. All Rights Reserved.
Original Filename | UnionCryptoTraderSetup.exe
Product Name | Union Crypto Trader
Product Version | 1.0.23.474
PE Sections
MD5 | Name | Raw Size | Entropy
---|---|---|---
566abfd43bde6dda239bf28ac9b087ae | header | 1024 | 2.960546
764b34cabee1111c9e11c8f836aebafb | .text | 608256 | 6.539792
7989312225f01ce65374248a3e73a557 | .rdata | 189440 | 4.588598
1ac52732b5e747734a833e523cd8f27f | .data | 10240 | 4.418143
3afae9bb129e782e05f70b3416946646 | .rsrc | 434688 | 6.340500
d11bf51446bb40b38f82ba6ce1f57dc4 | .reloc | 162816 | 2.478756
Packers/Compilers/Cryptors
Relationships
Source | Relationship | Target
---|---|---
e3623c2440... | Contains | af4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49
Description
This file, downloaded from the Union Crypto Trader site, is a Windows executable that acts as an installer. It first extracts a temporary MSI named UnionCryptoTrader.msi (af4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49) to the “C:\Users\<username>\AppData\Local\Temp\{82E4B719-90F7-4BD1-9CF1-56CD777E0C42}” folder. "UnionCryptoTraderSetup.exe" then executes that MSI and deletes it once the installation completes successfully.
unioncrypto.vip
Tags
command-and-control
URLs
- hxxps[:]//unioncrypto.vip/update
- hxxps[:]//www[.]unioncrypto.vip/download/W6c2dq8By7luMhCmya2v97YeN
Whois
Whois for unioncrypto.vip had the following information on December 8, 2019:
Registrar: NameCheap
Created: June 5, 2019
Expires: June 5, 2020
Updated: June 5, 2019
Relationships
Source | Relationship | Target
---|---|---
unioncrypto.vip | Downloaded_To | 2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390
unioncrypto.vip | Downloaded_To | 755bd7a3765efceb8183ffade090ef2637a85c4505f8078dda116013dd5758f3
Description
Although the site is no longer available, a download link, hxxps[:]//www[.]unioncrypto.vip/download/W6c2dq8By7luMhCmya2v97YeN, was discovered by a cyber-security researcher and is recorded on VirusTotal for the OSX version of UnionCryptoTrader. The Windows version, by contrast, may have been delivered via Telegram: open source reporting notes it was found in a “Telegram Downloads” folder on an unnamed victim. The unioncrypto.vip site presented a legitimately issued Sectigo SSL certificate that was only “Domain Control Validated,” as were the certificates seen with the previous AppleJeus versions.
The domain was registered through NameCheap and pointed to IP address 104.168.167.16 (ASN 54290).
Screenshots
Figure 1 - Screenshot of the Union Crypto Trader website.
af4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49
Tags
dropper
Details
Field | Value
---|---
Name | UnionCryptoTrader.msi
Size | 14634496 bytes
Type | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Union Crypto Trader, Comments: Contact: Your local administrator, Keywords: Installer, Subject: Smart Cryptocurrency Arbitrage Trading Platform, Author: UnionCryptoTrader, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2018 - Premier Edition with Virtualization Pack 24, Last Saved Time/Date: Tue Aug 6 23:59:58 2019, Create Time/Date: Tue Aug 6 23:59:58 2019, Last Printed: Tue Aug 6 23:59:58 2019, Revision Number: {44311F94-C85D-4688-996A-4888F2D32062}, Code page: 1252, Template: x64;1033
MD5 | 0f03ec3487578cef2398b5b732631fec
SHA1 | 349fb7c922fba6da4bf5c2a3a9e0735f11068dac
SHA256 | af4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49
SHA512 | f2aa24d96daf090f3a29b5536f3ce0a9a59171b7fdb85887bc32ea6c5305e5ee03153b2c402399dd05a28d6fa90a3e979cc8153fd69686b5bbbb4ec199b8f2b3
ssdeep | 393216:zDea98QM1lKTmbHJdgXuUSCve2TN4ksIVVYlm6j8ziFS:XeanAKTuHbd9Ye2qpj8Og
Entropy | 7.948615
Antivirus
Engine | Detection
---|---
TrendMicro | TROJ_FR.DEFD7DB1
TrendMicro House Call | TROJ_FR.DEFD7DB1
YARA Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
Source | Relationship | Target
---|---|---
af4144c1f0... | Contained_Within | e3623c2440b692f6b557a862719dc95f41d2e9ad7b560e837d3b59bfe4b8b774
af4144c1f0... | Contains | 01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f
af4144c1f0... | Contains | 0967d2f122a797661c90bc4fc00d23b4a29f66129611b4aa76f62d8a15854d36
Description
This file is a Windows MSI installer. It installs "UnionCryptoTrader.exe" (0967d2f122a797661c90bc4fc00d23b4a29f66129611b4aa76f62d8a15854d36) in the “C:\Program Files\UnionCryptoTrader” folder and "UnionCryptoUpdater.exe" (01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f) in the “C:\Users\<username>\AppData\Local\UnionCryptoTrader” folder. Immediately after installation, the installer launches "UnionCryptoUpdater.exe."
Screenshots
Figure 2 - Screenshot of the UnionCryptoTrader Installation.
0967d2f122a797661c90bc4fc00d23b4a29f66129611b4aa76f62d8a15854d36
Tags
trojan
Details
Field | Value
---|---
Name | UnionCryptoTrader.exe
Size | 1286144 bytes
Type | PE32+ executable (GUI) x86-64, for MS Windows
MD5 | 46b3061fe981d0a5edfd8d55f75adf9f
SHA1 | 514263acf79aeb49d87192ae08f6c76854cdda12
SHA256 | 0967d2f122a797661c90bc4fc00d23b4a29f66129611b4aa76f62d8a15854d36
SHA512 | 38418a2f3a8870352d8a88d6fb48e2c93a35b48a559590beb12c7c507eadfd07bf087ea11e822fc3e7bc9d6710b17cb68c416ffcf87a787ed9428f2c6b56413e
ssdeep | 24576:fnrKym9OWCy0frP+1obeVbK8KW/TJ9+FCPjjcym8MUml:fnrKb9OWCy0q1obeVbPKW/TKcjlmhUml
Entropy | 6.414530
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
No matches found.
PE Metadata
Field | Value
---|---
Compile Date | 2019-08-06 21:22:00-04:00
Import Hash | e0f869ddf0b356ab31c5676591e890ed
Company Name | UnionCrypto Co.Ltd
File Description | Union Crypto Trader
Internal Name | UnionCryptoTrader.exe
Legal Copyright | © UnionCrypto Corporation. All rights reserved.
Original Filename | UnionCryptoTrader.exe
Product Name | Union Crypto Trader
Product Version | 1.00.0000
PE Sections
MD5 | Name | Raw Size | Entropy
---|---|---|---
8a496cd41319fdb127a000e7a43bdfd4 | header | 1024 | 3.518197
686f2fe8e51a4327d3e25e937c5eb1cc | .text | 878080 | 6.431878
8f5b24579aaf7ecbc95b26614cf51e8c | .rdata | 230912 | 5.566823
91b3d6678654de37caa94b211aae696e | .data | 15360 | 4.052861
af667013369aea1785ada0e5442bcf07 | .pdata | 41472 | 6.082142
aced93d352d733478dc51a779aef0c62 | .gfids | 512 | 0.317810
1f354d76203061bfdd5a53dae48d5435 | .tls | 512 | 0.020393
285d8a234d06cfb54adffe2eb077a2fe | .rsrc | 113664 | 3.831914
241aeb18e88145608a8b273404896f72 | .reloc | 4608 | 5.365584
Packers/Compilers/Cryptors
Microsoft Visual C++ 8.0 (DLL)
Relationships
Source | Relationship | Target
---|---|---
0967d2f122... | Contained_Within | af4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49
Description
This file is a 64-bit Windows executable contained within the Windows MSI Installer "UnionCryptoTrader.msi." When executed, "UnionCryptoTrader.exe" loads a legitimate cryptocurrency arbitrage application with no signs of malicious activity. (Note: arbitrage is defined as “the simultaneous buying and selling of securities, currency, or commodities in different markets or in derivative forms in order to take advantage of differing prices for the same asset”).
This application does not appear to be a modification of the Windows QT Bitcoin Trader, but may be a modification of Blackbird Bitcoin Arbitrage.
In addition to the "unioncrypto.vip" site describing "UnionCryptoTrader.exe" as a “Smart Cryptocurrency Arbitrage Trading Platform," many of the strings found in "UnionCryptoTrader.exe" have references to Blackbird Bitcoin Arbitrage including but not limited to:
--Begin similarities--
Blackbird Bitcoin Arbitrage
| Blackbird Bitcoin Arbitrage Log File |
output/blackbird_result_
output\blackbird_log_
ERROR: Blackbird needs at least two Bitcoin exchanges. Please edit the config.json file to add new exchanges
--End similarities--
The strings also contain the links and references to all fourteen exchanges listed as implemented or potential on the Blackbird GitHub page. In addition, the "config.txt" file found in the “C:\Program Files\UnionCryptoTrader” folder with "UnionCryptoTrader.exe" also contains references to all fourteen exchanges, as well as sets the database file to "blackbird.db." The file "blackbird.db" is also found in the same folder.
Screenshots
Figure 3 - Screenshot of the "UnionCryptoTrader.exe" application.
01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f
Tags
trojan
Details
Field | Value
---|---
Name | UnionCryptoUpdater.exe
Size | 161280 bytes
Type | PE32+ executable (console) x86-64, for MS Windows
MD5 | 629b9de3e4b84b4a0aa605a3e9471b31
SHA1 | 1ef0e1cabd344726b663cec8d9e68f147259da55
SHA256 | 01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f
SHA512 | c70abbe52cbbed220fee218664d1c5f4313bd5387de11c275aa31115e90328dac032c6138954f3931c7d134e8613ad6c278ed29d78c0dc8199a1433b1a106132
ssdeep | 3072:Q/MdytyORF471FiHNkwBFTdpSI94e1ZVypzCG9n7r:Q/ftvF471AHNFjdYIZOt
Entropy | 6.192246
Antivirus
Engine | Detection
---|---
Avira | TR/Agent.pfpad
BitDefender | Trojan.GenericKD.33626108
Comodo | Malware
ESET | a variant of Win64/Agent.UV trojan
Emsisoft | Trojan.GenericKD.33626108 (B)
Ikarus | Trojan.Win64.Agent
K7 | Trojan ( 0056425b1 )
Lavasoft | Trojan.GenericKD.33626108
McAfee | Trojan-Agent.c
NANOAV | Trojan.Win64.Mlw.icfhya
Symantec | Trojan.Gen.2
TACHYON | Trojan/W64.Agent.161280.C
TrendMicro | TROJ_FR.DEFD7DB1
TrendMicro House Call | TROJ_FR.DEFD7DB1
VirusBlokAda | Trojan.Win64.Agentb
Zillya! | Trojan.Agent.Win64.5106
YARA Rules
No matches found.
ssdeep Matches
No matches found.
PE Metadata
Field | Value
---|---
Compile Date | 2019-08-06 22:00:26-04:00
Import Hash | e217501515a13bba8aefe7dcf3b74f33
Company Name | UnionCrypto Co.Ltd
File Description | Union Crypto Trading Updater
Internal Name | unioncryptoupdater.exe
Legal Copyright | © UnionCrypto Corporation. All rights reserved.
Original Filename | unioncryptoupdater.exe
Product Name | Union Crypto Trading Updater
Product Version | 1.0.23.474
PE Sections
MD5 | Name | Raw Size | Entropy
---|---|---|---
9b73650178bdd95af246609c1b650253 | header | 1024 | 3.045187
ac3f61418ff1daa9142e2304a647c2aa | .text | 98816 | 6.452850
cc2de13f05d38702ac9a560e450ab54a | .rdata | 48128 | 5.088494
20ef8fb99461ca48fe9ed26ffb4cc26c | .data | 3072 | 2.234569
abf07cda1f35bf5fe4a9ac21de63f903 | .pdata | 6144 | 5.155358
3eab486bdf211a98334f08a5145dbf94 | .gfids | 512 | 1.857174
c9ab77353b20e3b22c344b60c8859d56 | .rsrc | 1536 | 3.943344
a9cd219d9ad71f6c2c60efc1308885c8 | .reloc | 2048 | 4.924725
Packers/Compilers/Cryptors
Microsoft Visual C++ 8.0 (DLL)
Relationships
Source | Relationship | Target
---|---|---
01c13f825e... | Downloaded | 755bd7a3765efceb8183ffade090ef2637a85c4505f8078dda116013dd5758f3
01c13f825e... | Contained_Within | af4144c1f0236e6b59f40d88635ec54c2ef8034f6a96a83f5dbfd6b8ea2c0d49
Description
This file is a 64-bit Windows executable contained within the Windows MSI installer "UnionCryptoTrader.msi." When executed, "UnionCryptoUpdater.exe" first installs itself as a service that starts automatically whenever any user logs on. The service is installed with a description stating that it “Automatically installs updates for Union Crypto Trader" (Figure 4).
After installing the service, "UnionCryptoUpdater.exe" collects information about the host it is running on, using Windows Management Instrumentation (WMI) Query Language (WQL). It first obtains the BIOS serial number with the WQL query string “SELECT * FROM Win32_Bios” (Figure 5).
This query returns SMBIOSBIOSVersion, Manufacturer, Name, SerialNumber, and Version; the function then pulls “SerialNumber” from the returned data (Figure 6).
The same process retrieves the operating system version and build number. The WQL query string is “SELECT * FROM Win32_OperatingSystem," and the fields pulled are “Caption” and “BuildNumber." The “Caption” field holds the OS version of the computer running the malware.
After collecting the system data, "UnionCryptoUpdater.exe" builds a string consisting of the current time followed by the hard-coded value “12GWAPCT1F0I1S14" (Figure 7). The current time is stored in the "auth_timestamp" variable.
The combined string is MD5 hashed and stored in the "auth_signature" variable. Both variables are sent in the first communication to the command and control (C2) server and are likely used to verify that connections to the server actually originate from the "UnionCryptoUpdater.exe" malware.
These variables are sent via an HTTP POST to the C2 at hxxps[:]//unioncrypto.vip/update along with the collected system data, which is formatted as follows:
--Begin format--
rlz=[BIOS serial number]&ei=[OS Version] (BuildNumber)&act=check
--End format--
These values, along with the hard-coded User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36”, can be found in the malware's data section (Figure 8).
If the POST succeeds (i.e., returns an HTTP response status code of 200) but the server returns the string “0”, "UnionCryptoUpdater.exe" sleeps for ten minutes, regenerates "auth_timestamp" and "auth_signature", and contacts the C2 again.
If the POST succeeds and the server returns anything other than “0”, the malware base64-decodes the response and decrypts it. It then uses built-in C++ functions to allocate memory, writes the payload there, and executes it. If this succeeds, the malware sends another POST to the C2 in the format above, with “act=done” in place of “act=check” (Figure 9).
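The beacon described above can be recognized in captured HTTP traffic without the sample in hand, because every element of it is fixed: the URL, the body grammar, the User-Agent, and a signature that anyone who knows the constant can recompute. The following Python script is an added example, not code from this report and not the malware's own code. It scores raw HTTP requests against the pattern and recomputes auth_signature as MD5(auth_timestamp + "12GWAPCT1F0I1S14"). Two details are assumptions the report does not settle: that auth_timestamp and auth_signature travel as HTTP request headers, and that auth_timestamp is a decimal Unix time. The sample requests are constructed, not captured traffic, and the serial number, OS caption and times in them are made up.

```python
import hashlib
import re
from typing import Optional

# Values the report attributes to UnionCryptoUpdater.exe.
C2_HOST = "unioncrypto.vip"
C2_PATH = "/update"
UPDATER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36")
AUTH_SALT = "12GWAPCT1F0I1S14"
# rlz=<BIOS serial>&ei=<OS caption> (<build>)&act=check|done
BODY_RE = re.compile(r"^rlz=(?P<rlz>[^&]*)&ei=(?P<ei>[^&]*)&act=(?P<act>check|done)$")


def expected_signature(auth_timestamp: str) -> str:
    """auth_signature as the report describes it: MD5(auth_timestamp || salt), hex-encoded."""
    return hashlib.md5((auth_timestamp + AUTH_SALT).encode()).hexdigest()


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def classify(raw: str) -> dict:
    """Score one request against the Union Crypto beacon pattern."""
    req = parse_request(raw)
    h = req["headers"]
    hits = []
    if req["method"] == "POST" and h.get("host") == C2_HOST and req["path"] == C2_PATH:
        hits.append("c2_url")
    if h.get("user-agent") == UPDATER_UA:
        hits.append("user_agent")
    body = BODY_RE.match(req["body"])
    if body:
        hits.append("beacon_body")
    # Assumption: auth_timestamp / auth_signature are carried as request headers.
    signature_ok: Optional[bool] = None
    if "auth_timestamp" in h and "auth_signature" in h:
        signature_ok = expected_signature(h["auth_timestamp"]) == h["auth_signature"].lower()
        if signature_ok:
            hits.append("auth_signature")
    # The body grammar and a recomputable signature are the strong signals; host and
    # User-Agent alone are too generic (any Chrome 75 on Windows 10) to alert on.
    match = bool(body) or signature_ok is True
    return {"match": match, "hits": hits, "signature_ok": signature_ok,
            "rlz": body.group("rlz") if body else None,
            "ei": body.group("ei") if body else None,
            "act": body.group("act") if body else None}


def build_sample(act: str = "check", auth_timestamp: Optional[str] = None,
                 signature: Optional[str] = None, host: str = C2_HOST,
                 path: str = C2_PATH, ua: str = UPDATER_UA,
                 body: Optional[str] = None) -> str:
    """Constructed request for offline testing; serial, OS caption and time are made up."""
    if body is None:
        body = f"rlz=VMW-12345678&ei=Microsoft Windows 10 Pro (18362)&act={act}"
    auth = ""
    if auth_timestamp is not None:
        signature = signature if signature is not None else expected_signature(auth_timestamp)
        auth = f"auth_timestamp: {auth_timestamp}\r\nauth_signature: {signature}\r\n"
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {ua}\r\n{auth}"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


# Constructed samples, not captured traffic.
SAMPLE_CHECK = build_sample("check", "1575849600")
SAMPLE_DONE = build_sample("done", "1575850200")
SAMPLE_BAD_SIG = build_sample("check", "1575849600", signature="0" * 32)
SAMPLE_BENIGN = build_sample(host="example.com", path="/api", body="q=hello&lang=en")

if __name__ == "__main__":
    for name, raw in (("check", SAMPLE_CHECK), ("done", SAMPLE_DONE),
                      ("bad_sig", SAMPLE_BAD_SIG), ("benign", SAMPLE_BENIGN)):
        print(name, classify(raw))
```

Because the "signature" is an unkeyed MD5 over a value the client sends in the clear, a defender who knows the constant can re-derive it from any capture; that makes the header pair a durable indicator even if the actors move the C2 to a new domain, which is why the script keys its verdict on the body grammar and the recomputed signature and treats the host and User-Agent only as supporting hits.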
Screenshots
Figure 4 - Screenshot of the "UnionCryptoUpdater" Service.
Figure 5 - Screenshot of the "SELECT * FROM Win32_Bios" query string.
Figure 6 - Screenshot of the "SerialNumber" selection.
Figure 7 - Screenshot of the "UnionCryptoUpdater.exe" getting current time and combining with hard-coded value.
Figure 8 - Screenshot of the hard-coded values and User Agent in "UnionCryptoUpdater.exe."
Figure 9 - Screenshot of the hard-coded "&act=done" value.
755bd7a3765efceb8183ffade090ef2637a85c4505f8078dda116013dd5758f3
Tags
trojan
Details
Field | Value
---|---
Name | NodeDLL.dll
Size | 537616 bytes
Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 | 549db64ceaebbbdd9068d761cb5c616c
SHA1 | 6d91ce7b9f38e2316aa9fb50ececc02eadc4cd70
SHA256 | 755bd7a3765efceb8183ffade090ef2637a85c4505f8078dda116013dd5758f3
SHA512 | 0281257ad97e0765b57d29bb22fe9973f4ad5c42a93762eda1b12e71f78d02155fe32eda4ccd4acadbfccf61563175c28c520df5b631698573422048dce6a8c0
ssdeep | 12288:FOvSQSQs75paRGK9EovEfM9NosCz4jcauwVyZE19QLC:Mv0VpkGYvI6NAz4j5LV6+
Entropy | 6.433002
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
No matches found.
PE Metadata
Field | Value
---|---
Compile Date | 2019-10-21 12:33:45-04:00
Import Hash | c24e1d44f912d970e41414c324d04158
PE Sections
MD5 | Name | Raw Size | Entropy
---|---|---|---
41f1664ee936eb5e9c5a402b9f791086 | header | 1024 | 3.215046
d7c3e5262e243bfd078cc689c0dcc509 | .text | 393728 | 6.418398
0155d4e1f35b8f139d07993866f1e2f6 | .rdata | 115200 | 5.560875
67b68408aebc7de9f6019e94ab5cf2ce | .data | 3584 | 2.251912
809c1804672ec420bb9f366f30b025fb | .pdata | 20480 | 5.768325
7eb4b39b296be7f4de3339727d0f1eb0 | .gfids | 512 | 1.995088
28984c1ba2156023b894e0041ecd2479 | .rsrc | 512 | 4.724729
1c7de4ac5824c7b888e15c611cb69191 | .reloc | 2560 | 5.180527
Relationships
Source | Relationship | Target
---|---|---
755bd7a376... | Downloaded_By | 01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f
755bd7a376... | Downloaded_From | unioncrypto.vip
755bd7a376... | Connected_To | 216.189.150.185
Description
This file is a 64-bit dynamic-link library (DLL). This file was identified as a payload for the Windows malware. This stage 2 is not immediately downloaded by "UnionCryptoUpdater.exe," but instead is downloaded after a period of time likely specified by the C2 server at "hxxps[:]//unioncrypto.vip/update." This delay could be implemented to prevent researchers from immediately obtaining the stage 2 malware.
The C2 and build path are visible from the "NodeDLL.dll" strings. The C2 for the malware is hxxp[:]//216.189.150.185:8080/push.jsp.
The build path found in the strings is “Z:\Opal\bin\x64_Release\NodeDll.pdb." This stage 2 is likely part of a project named “Opal” by the actors, due to the folder in the build path.
NodeDLL.dll has multiple functionalities which can be verified by examining the program imports and strings. Functionalities with corresponding strings/imports include but are not limited to:
1. Get/Update implant configuration
a. Imports: GetComputerNameA, GetCurrentDirectoryW, GetStartupInfoW, GetTimeZoneInformation
b. Strings: CurrentUser
2. Get/Put a file or directory
a. Imports: WriteFile
3. Execute a program
a. Imports: CreateProcessW
4. Directory listing
a. Imports: GetCurrentDirectoryW
5. Active Drive Listing (C:\, D:\, etc.)
a. Imports: GetLogicalDrives, GetDriveTypeW
6. Move a file/directory
a. Imports: CreateDirectoryW, MoveFileExW
7. Delete a file/directory
a. Imports: DeleteFileW
8. Screenshot active desktop
a. Imports: GetDIBits, CreateCompatibleBitmap, BitBlt, etc from gdi32
9. Execute a shell command through cmd.exe
a. Imports: GetCommandLineW, GetCommandLineA, CreateProcessAsUserW
10. Check IPv4 TCP connectivity against specified target
a. Imports: connect, bind, send, socket, getaddrinfo, etc. from ws2_32
b. Strings: Network unreachable, HTTP/1.%d %d, httponly, Remote file not found
11. Update configuration (beacon interval, AP address, etc.)
a. Strings: Host: %s%s%s:%d, Set-Cookie:
The "NodeDLL.dll" strings also show a hard-coded user agent string: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134”. Finally, a format string which matches the HostUS C2 is found in the strings: "%s://%s%s%s:%d%s%s%s," along with many references to proxies or proxy configurations.
216.189.150.185
Tags
command-and-control
URLs
- 216.189.150.185:8080/push.jsp
Ports
- 8080 TCP
Whois
Queried whois.arin.net with "n 216.189.150.185"...
NetRange: 216.189.144.0 - 216.189.159.255
CIDR: 216.189.144.0/20
NetName: HOSTUS-IPV4-3
NetHandle: NET-216-189-144-0-1
Parent: NET216 (NET-216-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS7489, AS25926
Organization: HostUS (HOSTU-4)
RegDate: 2014-08-29
Updated: 2015-12-29
Comment: Please send all abuse reports to abuse@hostus.us
Ref: https://rdap.arin.net/registry/ip/216.189.144.0
OrgName: HostUS
OrgId: HOSTU-4
Address: 125 N Myers St
City: Charlotte
StateProv: NC
PostalCode: 28202
Country: US
RegDate: 2013-07-26
Updated: 2019-10-23
Comment: IP addresses from this network are further reallocated or assigned to customers.
Comment: Please send all abuse reports to abuse@hostus.us.
Comment: Abuse reports must be submitted through email with the IP address in title.
Ref: https://rdap.arin.net/registry/entity/HOSTU-4
OrgNOCHandle: HOSTU2-ARIN
OrgNOCName: HostUS Tech
OrgNOCPhone: +1-302-300-1737
OrgNOCEmail: noc@hostus.us
OrgNOCRef: https://rdap.arin.net/registry/entity/HOSTU2-ARIN
OrgAbuseHandle: HAD18-ARIN
OrgAbuseName: HostUS Abuse Desk
OrgAbusePhone: +1-302-300-1737
OrgAbuseEmail: abuse@hostus.us
OrgAbuseRef: https://rdap.arin.net/registry/entity/HAD18-ARIN
OrgTechHandle: HOSTU2-ARIN
OrgTechName: HostUS Tech
OrgTechPhone: +1-302-300-1737
OrgTechEmail: noc@hostus.us
OrgTechRef: https://rdap.arin.net/registry/entity/HOSTU2-ARIN
Relationships
Source | Relationship | Target
---|---|---
216.189.150.185 | Connected_From | 755bd7a3765efceb8183ffade090ef2637a85c4505f8078dda116013dd5758f3
Description
The C2 identified for NodeDLL.dll. The IP address 216.189.150.185 has ASN 7489 and is owned by HostUS.
2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390
Tags
backdoor, downloader, loader, trojan
Details
Field | Value
---|---
Name | UnionCryptoTrader.dmg
Size | 20911661 bytes
Type | zlib compressed data
MD5 | 6588d262529dc372c400bef8478c2eec
SHA1 | 06d9f835efd1c05323f6a3abdf66e6be334e47c4
SHA256 | 2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390
SHA512 | 4a90cd71e210662c3e21994a6af6d80f45c394b972d85ba725dc0e33721036c38b68829ca831113276cbea891fc075e1fa9911aad1fc647b0c2a2bb7a9d965cd
ssdeep | 393216:psbbiMqkRiP3p+/34QRDCLqKbNH40iBNTnz0xcECffBJrd8ur8dx3PAxC9lG:WbipIM3p+/TBvBN0xcRmur8dxIxC9l
Entropy | 7.997189
Antivirus
Engine | Detection
---|---
Ahnlab | Backdoor/OSX.Nukesped.20911661
Antiy | Trojan/Mac.NukeSped
Avira | OSX/Dldr.NukeSped.rtyrb
BitDefender | Trojan.MAC.Lazarus.F
Cyren | Trojan.PXZN-6
ESET | OSX/TrojanDownloader.NukeSped.B trojan
Emsisoft | Trojan.MAC.Lazarus.F (B)
Ikarus | Trojan-Downloader.OSX.Nukesped
K7 | Trojan ( 0001140e1 )
Lavasoft | Trojan.MAC.Lazarus.F
McAfee | OSX/Nukesped.b
Microsoft Security Essentials | Trojan:MacOS/NukeSped.C!MTB
Sophos | OSX/NukeSped-AB
Symantec | OSX.Trojan.Gen
TrendMicro | Trojan.3657DE58
TrendMicro House Call | Trojan.3657DE58
Zillya! | Downloader.Agent.OSX.68
YARA Rules
No matches found.
ssdeep Matches
No matches found.
Relationships
Source | Relationship | Target
---|---|---
2ab58b7ce5... | Downloaded_From | unioncrypto.vip
2ab58b7ce5... | Contains | 6f45a004ad6bb087f733feb618e115fe88164f6db9562cb9b428372c9add75f0
2ab58b7ce5... | Contains | 631ac269925bb72b5ad8f469062309541e1edfec5610a21eecded75a35e65680
Description
This OSX program from the "UnionCrypto" download link is an Apple DMG installer.
The OSX program does not have a digital signature and warns the user of that before installation. As with previous versions, the UnionCrypto installer appears legitimate and installs both “UnionCryptoTrader” (6f45a004ad6bb087f733feb618e115fe88164f6db9562cb9b428372c9add75f0) in the “/Applications/UnionCryptoTrader.app/Contents/MacOS/” folder and a hidden program named “.unioncryptoupdater” (631ac269925bb72b5ad8f469062309541e1edfec5610a21eecded75a35e65680) in the “/Applications/UnionCryptoTrader.app/Contents/Resources/” folder. The installer contains a postinstall script (Figure 10).
This postinstall script is functionally identical to the postinstall script of the second AppleJeus version. It moves the hidden plist file (.vip.unioncrypto.plist) to the LaunchDaemons folder and changes the plist's ownership to root. Once in the LaunchDaemons folder, the job runs at system load as root, regardless of which user logs in, and launches the unioncryptoupdater program.
The postinstall script also moves the hidden “.unioncryptoupdater” binary to a new location, “/Library/UnionCrypto/unioncryptoupdater”, and makes the file executable. Because the LaunchDaemon is not run immediately after the plist file is moved, the postinstall script then launches the unioncryptoupdater program in the background (&). In contrast to the CelasTradePro “Updater” binary and the JMTTrader “CrashReporter” binary, the unioncryptoupdater binary is not launched with any parameters.
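The persistence the postinstall script leaves behind is a fixed on-disk layout, which makes it a good target for a host audit. The following Python script is an added example, not code from this report and not part of the malware. It walks /Library/LaunchDaemons under a caller-supplied root, flags jobs whose label starts with vip.unioncrypto, whose program is /Library/UnionCrypto/unioncryptoupdater, whose plist is hidden (dot-prefixed), or whose program binary has been made executable, and separately checks both places the updater binary can sit: inside the app bundle's Resources folder (where the DMG places it) and /Library/UnionCrypto (where postinstall moves it). The plist body is only shown as a screenshot (Figure 11), so the fixture's plist keys (ProgramArguments, RunAtLoad) are assumptions; the fixture is constructed in a temporary directory so the script runs offline on any platform. Against a live Mac, call audit_launch_daemons(Path("/")) and dropped_files_present(Path("/")).

```python
from __future__ import annotations

import plistlib
import tempfile
from pathlib import Path

# On-disk indicators taken from the report's description of the postinstall script.
LAUNCH_DAEMON_PLIST = "vip.unioncrypto.plist"
LABEL_PREFIX = "vip.unioncrypto"
UPDATER_PATH = "/Library/UnionCrypto/unioncryptoupdater"
BUNDLE_UPDATER_PATH = "/Applications/UnionCryptoTrader.app/Contents/Resources/.unioncryptoupdater"


def program_of(job: dict) -> str:
    """Binary a launchd job runs: Program takes precedence over ProgramArguments[0]."""
    args = job.get("ProgramArguments") or []
    return str(job.get("Program") or (args[0] if args else ""))


def audit_launch_daemons(root: Path = Path("/")) -> list[dict]:
    """Inspect every plist under <root>/Library/LaunchDaemons for Union Crypto indicators."""
    daemon_dir = root / "Library" / "LaunchDaemons"
    records = []
    if not daemon_dir.is_dir():
        return records
    for plist_path in sorted(daemon_dir.iterdir()):
        if plist_path.suffix != ".plist":
            continue
        try:
            with plist_path.open("rb") as fh:
                job = plistlib.load(fh)
        except (plistlib.InvalidFileException, OSError):
            records.append({"plist": plist_path.name, "label": None,
                            "program": None, "findings": ["unparseable"]})
            continue
        program = program_of(job)
        binary = root / program.lstrip("/")
        findings = []
        if plist_path.name.startswith("."):
            findings.append("hidden_plist")           # shipped as .vip.unioncrypto.plist
        if str(job.get("Label", "")).startswith(LABEL_PREFIX):
            findings.append("unioncrypto_label")
        if program == UPDATER_PATH:
            findings.append("unioncrypto_updater_path")
        if binary.is_file() and binary.stat().st_mode & 0o111:
            findings.append("program_executable")     # postinstall chmods the moved binary
        records.append({"plist": plist_path.name, "label": job.get("Label"),
                        "program": program, "findings": findings})
    return records


def dropped_files_present(root: Path = Path("/")) -> dict[str, bool]:
    """Check both locations of the updater: the bundle copy and the postinstall destination."""
    return {p: (root / p.lstrip("/")).is_file() for p in (UPDATER_PATH, BUNDLE_UPDATER_PATH)}


def build_fixture(base: Path) -> Path:
    """Constructed fixture (not a real infection) mirroring the post-install layout under base."""
    daemons = base / "Library" / "LaunchDaemons"
    daemons.mkdir(parents=True)
    updater = base / UPDATER_PATH.lstrip("/")
    updater.parent.mkdir(parents=True)
    updater.write_bytes(b"\xcf\xfa\xed\xfe")  # 64-bit Mach-O magic as a stand-in body
    updater.chmod(0o755)                       # postinstall makes the binary executable
    # ProgramArguments / RunAtLoad are assumed: the report says the job runs at system
    # load as root, but the plist body itself is only shown as a screenshot.
    jobs = {
        LAUNCH_DAEMON_PLIST: {"Label": "vip.unioncrypto",
                              "ProgramArguments": [UPDATER_PATH], "RunAtLoad": True},
        "com.example.benign.plist": {"Label": "com.example.benign",
                                     "ProgramArguments": ["/usr/bin/true"]},
    }
    for name, job in jobs.items():
        with (daemons / name).open("wb") as fh:
            plistlib.dump(job, fh)
    return base


def run_fixture_audit() -> tuple[list[dict], dict[str, bool]]:
    """Build the fixture in a temporary directory and audit it (self-test entry point)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_fixture(Path(tmp))
        return audit_launch_daemons(root), dropped_files_present(root)


if __name__ == "__main__":
    records, present = run_fixture_audit()
    for rec in records:
        print(rec)
    print(present)
```

The fixture deliberately omits the bundle copy of the updater, because the script moves rather than copies it; on a real host, finding the binary in both places or only under Resources tells you how far the installer got. The root-ownership change the script makes to the plist is not modelled, since a temporary directory cannot reproduce it.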
Screenshots
Figure 10 - Screenshot of the postinstall script included in UnionCryptoTrader installer.
Figure 11 - Screenshot of the "vip.unioncrypto.plist" file.