On August 28, AhnLab Security Emergency response Center (ASEC) discovered circumstances of a downloader in distribution disguised with contents regarding the violation of intellectual property rights, targeting unspecified masses in Korea. The distributed malware included a code that detects virtual environments to evade sandbox-based security solutions and was a .NET-type that downloads the MainBot malware. Judging from the file information collected by AhnLab Smart Defense (ASD) and VirusTotal, it seems that Korea and Taiwan were the target destinations for distribution.
|Video Image Regarding Violation of Intellectual Property Rights.exe
|Data on Piracy-00 Entertainment.exe
|Video Image Regarding the Violation of Intellectual Property Rights.exe)
|Product Error Video and Image.exe
With filenames related to intellectual property rights and file icons made to look like a PDF, the malware disguised itself and tricked the users into thinking that it was a PDF document.
[C2 Communication Method]
The malware downloads basic config information from the threat actor’s shared Google Docs page including the Telegram token, chat ID, and the download URL for MainBot.
- URL decoded with Base64: hxxps://docs.google.com/document/export?format=txt&id=10bTqbc6WMebYNQEZy86Uy_3YnIynx3VNnFD-wF1EH6E&includes_info_params=true&usp=sharing&cros_files=false&inspectorResult=%7B%22pc%22%3A1%2C%22lplc%22%3A12%7D&showMarkups=true
* ‘id’ is the threat actor’s unique Google Docs ID where the config information is saved
As shown in Figure 2, the malware parses the threat actor’s shared document page and obtains the threat actor’s Telegram server information before using the received message as a base to send commands to the infected PC such as MainBot installation and execution, file name change, and termination. At the time of analysis, MainBot could not be collected.
The malware had six conditions that checked for virtual environments to evade detection from sandbox-based malware detection solutions.
- Checks if the number of anti-virus products in the running system is 0.
- Performs the “SELECT * FROM WmiMonitorBasicDisplayParams” WMI query and checks if all monitors linked to the computer in question have 0 default display parameters (to check for physical connection to monitors)
- Using the Win32_Keyboard WMI class, it checks if there is USB keyboard information (to check for physical connection to a keyboard)
- Checks if the RAM is less than 4 GB
- Checks if the disk capacity is less than 128 GB
- Checks if there are no subsidiary keys to HKLMSOFTWAREWOW6432NodeClientsStartMenuInternet or only has either “IEXPLORE.EXE” or “Microsoft Edge”
If three or more of the six conditions are met, it determines the environment to be a virtual environment. The malware then sends the following string to the threat actor’s server and calls the Sleep function in the host every 5 seconds, just waiting indefinitely until the [HWID]-SKIP VM command is received from the threat actor’s server.
| ⛔ DETECT VM,SANBOX: Number of detected conditions
To continue please write the content: [HWID]-SKIP VM
We are still active until victime shuts down!
Afterward, when it receives the string [HWID]-SKIP VM through the Telegram server, it downloads and installs MainBot on the PC.
[Detection by MDS]
AhnLab MDS detects this type of malware with the detection name “Execution/MDP.Event.M11291” in sandbox environments.
On top of threat actors adding anti-VM techniques in malware to evade detection by security products, a growing number of cases show that there are also malware leveraging normal servers such as Telegram and Google Docs for command control, as seen in the case covered in this post. Because commands are carried out through communications with a normal server, it is difficult for even network solutions to detect such malware. Therefore, security managers should use not only network and APT solutions but also EDR products to monitor abnormal behaviors occurring in endpoint environments and prevent security incidents from occurring in the company in advance.
– Trojan/Win.Agent.C5478091 (2023.08.29.02)
– Malware/Win.Generic.C5479395 (2023.09.01.00)
AhnLab MDS detects and responds to unknown threats by performing sandbox-based dynamic analysis. For more information about the product, please visit our official website.