FortiGuard Labs has been monitoring a new release of the malware known as Predator the Thief, labeled as version 3.3.4. After our last article about Predator the Thief, we have continued monitoring this malware family. There have been small development differences between each minor version, making this latest version very different from version 3.0.8 mentioned in our last article.
In early December we observed a new Predator the Thief campaign using version 3.3.3. We analyzed the new campaign, and found that it is both stealthier and more complicated than its predecessors. In addition, it was upgraded again to version 3.3.4 on Christmas Eve. In this report we will quickly analyze its latest set of capabilities.
Firstly, we discovered that the campaign now uses multiple phishing documents designed to look like invoices, all pushing the same payload of Predator the Thief. Figure 1 shows the infection chain, and Figure 2 shows an example of phishing document.
Once the document is opened the malware performs the following operations:
1. AutoOpen macro runs the malware VBA script.
2. It downloads three files through PowerShell.
3. It then uses a legitimate AutoIt3.exe to run decoded AutoIt script.
“SevSS.data” is decoded by certutil.exe, a legitimate command line program that is part of the Certificate Service in Windows. The script is then run to decrypt apTz.dat into the payload of Predator the Thief.
4. It then loads Predator the Thief into a specific hollow process (dllhost.exe, in this sample).
After running the malware, we found it connected with the C2 server corp2[.]site. In the data sent to its C2 server we found the information file “information.txt” contained its version.
As usual, the authors use Telegram to promote their malware business. They upgrade the panel and stealer almost every month. We checked the following channel, used for providing update notes for their customers:
The malware was upgraded in early December to Version 3.3.3, and it was soon upgraded again to a new version 3.3.4 on Christmas Eve. Here are notes for both versions:
The stealer’s side does not change much in either version released in December. However, there are have been some new features added since our last article. In the following section we will analyze the features found in version 3.3.3 to determine what changes have been made during this period.
More anti-debug tricks have been added to Predator the Thief.
We also found that it copies a portion of ntdll.dll into an allocated memory. It then hooks the copied portion with a simple shellcode to call the function NtQueryInformationProcess for anti-debug purposes. It also prevents analysts from hooking NtQueryInformationProcess to avoid being detected. And it also checks the crc32 checksum of the allocated memory to prevent any changes.
Before the main routine it also includes multi-level anti-debug functions. A thread is used to detect debuggers every five seconds.
In contrast with the previous version, 3.0.8, most of the junk code in the main routine has been removed. We can also observe that the assembly code is much shorter but more complicated. For example, all strings are decoded at runtime with XOR or SUB, and those string-decoding loops cause the flow to be more complicated.
We also found that the stolen information is sent as a zip file. However, those files are never generated in the file system. Instead, the malware allocates a memory space to locate the entire zip file structure, and then adds the zip file directly from memory to the request data.
This is an API used to get the configuration from C2 server. The configuration is more complex and detailed than previous versions, and is encrypted during the connection. One example returned the following base64-encoded-like data.
In fact, the string is encrypted using basic base64 and RC4 algorithms. The RC4 algorithm uses the C2 domain name as its key. After decoding the string shown in the previous figure, we found the following configuration string. Note that the IP information is masked.
The string can be divided into five parts using “#”. "" Indicates an empty configuration.
1. The first part of the string first analyzed in version 3.3.3 contains 12 arguments split with semicolons, and version 3.3.4 the configuration related to the CIS region check has been removed:
We found the following languages are checked in version 3.3.3: Russian, Armenian, Azeri, Belarusian, Georgian, Kazakh, Tajik, Turkmen, Uzbek, and Ukrainian. However, in version 3.3.4, the code related to the default language check had been removed. According to the information found in the author’s notes in Figure 8, this may imply that a CIS region check is now performed on the server side.
2. The second part contains a file grabber configuration. The following is an example of its configuration structure:
[%userprofile%\Desktop|%userprofile%\Downloads;*.txt,*doc;2048;test.txt;0]:[another grabber configuration]
It may contain multiple grabber configurations. There are five parts in each grabber configuration:
3. The third part is the victim’s IP information, which is checked and returned by the C2 server.
4. The fourth part is a sub-configuration for running the download module or other malware. Interestingly, the malware has become a possible loader for other malware due to its ability to download other malware.
There are multiple ways to run files, including hollow process injection, reflective DLL injection, and general API usage, such as CreateProcessA and ShellExecuteA.
Because this section has a complex configuration structure, we have simplified it to the following items:
5. The fifth and last part is another configuration for downloading and executing modules. Different from the fourth part of the configuration, it defines an API list. Each API downloads files from [APIName].get and [APIName].post.
The URL is in the following format:
“.get” is a PE file section named “.rdata”.
“.post” is the main part of the PE file.
Eventually, it creates an executable “Werfault.exe” in the “%ProgramData%\[5-random-lowercase-letters name]” folder and then immediately executes it with ShellExecuteA. Interestingly, it is not only an API name. It is also implemented as an API list, so multiple files can be downloaded from different APIs and executed immediately.
This is used for sending collected information to C2 server. The format is as follows:
The meaning of each argument is shown below:
This item is related to the configuration of the fourth part. If the fourth part is enabled, this argument will set to 1.
This item is encrypted by RC4 and base64. It also uses domain name as its RC4 key.
For example, we have the following encrypted string at the beginning of this section.
It can be decrypted into the following string.
|Windows 7 Enterprise x64
The format is “Registry Key Name|OS Version”. The registry key name comes from the fourth part of the configuration. If the configuration is not set, it will be empty. By setting this configuration, it will create a registry key at HKCU\Software\AdviceService Ltd.\[Name].
In this recent Predator the Thief malware and campaign, a simple but tricky way to abuse legitimate AutoIt software to execute the payload of Predator the Thief has been added. In addition, the whole program flow has been changed. More anti-analysis features are used, and the configurations are more detailed and complex. It is also able to collect information in a file-less manner and delete itself immediately after sending information to C2. This makes it more difficult for analysts to analyze its damage to the victim system. It also has added new features to execute its additional modules and second stage malware in different ways.
We will continue to monitor this malware family and its related activities and report on important new changes.
As part of our membership in the Cyber Threat Alliance, details of this threat were shared in real time with other Alliance members to help create better protections for customers.
Fortinet customers are protected from malicious threats mentioned in this analysis with the following solutions:
Malicious document: Detected as VBA/Agent.5C0F!tr
Encoded AutoIt script:
36fe75ca8ca8bcef475737dae530e50eb262484ba0cd4dac0081d8508412d0ad - Autoit/Injector.ESA!tr
RC4 Encrypted Predator the Thief 3.3.3:
dce3bb2609c710339569404f8dce4e0786521bb0de46ad9358fc27d5b687f043 - W32/Agent.PTM!tr
Predator the Thief version 3.3.3:
7195659c846b13069d19341b6da99d925acc7db827dd84e7dbe00815511d30b1 - W32/Agent.PTM!tr
Predator the Thief version 3.3.4:
b7e0218883dfb06a4bf5bab7bf5ad4038258dd0e925d4fdd772def810ee2c92d - W32/Agent.PTM!tr
C2: Detected as Malware: