
Most users assume they are safe when surfing the web on a daily basis. But information-stealing malware can operate in the background of infected systems, looking to steal users' passwords, track their habits online and hijack personal information.

Cisco Talos has been monitoring the adversaries behind a wave of ongoing campaigns dropping well-known information stealers like Agent Tesla, Loki-bot and others since at least January 2019. The adversaries are using custom droppers, which inject the final malware into common processes on the victim machine. Once infected, the malware can steal information from many popular pieces of software, including the Google Chrome, Safari and Firefox web browsers. The injection techniques we're seeing in the wild are well-known and have been used for many years, but with the adversaries customizing them, traditional anti-virus systems are having a hard time detecting the embedded malware.

In this post, we'll walk through one of these campaigns in detail and show how the different stages of the dropper hide the malware. Any internet user is a potential target of this malware, and an infection can completely strip away a user's online privacy.

The campaigns we analyzed started with a malicious email similar to the one below:

An ARJ archive is attached to this email. ARJ is an early 1990s archive format, often used on the pirated software scene to convert files into archives. ARJ can split an archive into multiple smaller files, which made it easier to share these files over dial-up connections. ARJ archives can be unpacked with various tools like 7-Zip or WinRAR, and users can easily find an unpacker by double-clicking on the file and searching the Windows Store for the appropriate software. We often see adversaries use old archive formats, hoping to bypass weak email security gateways. In this case, the archive wasn't split into multiple files and it contained only a single executable with the name "IMP_Arrival Noticedoc.exe". This actor often used filenames with the schema ".exe. In other campaigns by this adversary, we also saw completely different names and different file types, like malicious Office documents, acting as first-stage droppers. In this blog post, we will focus on the first ones.

Most of the executables are compiled, sometimes UPX-packed, AutoIt scripts that can be easily decompiled. Unfortunately, as usual, the content was heavily obfuscated before compilation. Figure 2 shows the decompiled version of the script.

Figure 2 - Decompiled version of the AutoIT script

The deobfuscated version of the AutoIt script in Figures 3 and 4 shows that it comes with some anti-VM checks at the beginning.

Figure 3 - Start of the deobfuscated AutoIT script

Figure 4 - VM checks of the deobfuscated AutoIT script

These checks have been typical for Agent Tesla campaigns for years; you can often find them in one form or another in the first-stage droppers. If these checks do not find anything, the script decodes and extracts resource font type (8) names from the string in the first parameter ($data) handed over to the DecodeDataFromPEResourceOrString function (Figure 7). In the GetResourcesFromPE function (Figure 6), this parameter is converted into a string and split into the different font resource names. The result is a list of strings in the following order:

Figure 5 - Resource Section of IMP_Arrival Noticedoc.exe

These font type resources are then extracted from the PE resources and concatenated into one large binary. The result is stored again in the $data variable (Line 245 in Figure 7) and the order of the stored bytes is reversed by StringReverse(BinaryToString($data)) in Line 246. This is the final payload malware in RC4-encrypted form. The variable $sopcode contains the bytes of the RC4 code. After preparing the shellcode and the encrypted payload data, the RC4 function is executed in line 262 and decrypts the payload.

Figure 7 - DecodeDataFromPEResourceOrString RC4 Function

The following pictures show the disassembled RC4 shellcode:

Figure 8 - RC4 function ($opcode variable)

After the payload is decrypted, the script calls the final InjectPayloadIntoProcess function to inject the payload into another process. It offers nine different legitimate process options for this injection. The adversary selects which one will be used by passing the corresponding number to the function.

Figure 9 - Injection victim process selection

In this case, the adversaries picked option one - RegAsm.exe - to hide the payload. The function prepares the local injection shellcode ($a5_local_shellcode) and executes it in Line 211 in Figure 10. The rest of the function is quite similar to what was already described in other blogs. As mentioned before, this code finally hides the payload inside the selected legitimate process.
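The payload decode pipeline described above (concatenate the extracted font resources, reverse the byte order, RC4-decrypt) is easy to reproduce outside the AutoIt script, which is what an analyst needs in order to pull the final stealer out of a sample without running it. The Python below is an added example, not code from the Talos post or from the dropper itself: it replaces the $sopcode shellcode with a pure-Python RC4, and the key, the sample payload and the resource chunk size are constructed for the demonstration. A real sample would supply the resource blobs (e.g. read out of the RT_FONT entries with a PE parser) and the key the script passes to its RC4 routine.

```python
# Added example: re-implementation of the dropper's decode pipeline
# (concatenate font resources -> reverse bytes -> RC4 decrypt).
# The RC4 key, the sample payload and the resource chunks below are
# constructed for this demonstration; they are not the sample's values.
from __future__ import annotations


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same op.
    This stands in for the $sopcode shellcode the AutoIt script executes."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_payload(resources: list[bytes], key: bytes) -> bytes:
    """Mirror of the DecodeDataFromPEResourceOrString steps as described:
    1. the extracted RT_FONT (type 8) resources are concatenated, in the
       order the script lists their names,
    2. the byte order of the result is reversed
       (StringReverse(BinaryToString($data))),
    3. the reversed buffer is RC4-decrypted."""
    data = b"".join(resources)
    data = data[::-1]
    return rc4(key, data)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check to apply to the decrypted buffer: a PE file starts
    with the 'MZ' DOS header and carries the 'PE\\0\\0' signature at the
    offset stored in e_lfanew (DOS header offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample_resources(payload: bytes, key: bytes, chunk: int) -> list[bytes]:
    """Constructed test data only: produce what the dropper would embed for
    a given payload, i.e. RC4-encrypt it, reverse it, and split it into
    resource-sized chunks."""
    blob = rc4(key, payload)[::-1]
    return [blob[i:i + chunk] for i in range(0, len(blob), chunk)]


# A minimal constructed "PE" stub: MZ header, e_lfanew pointing at a PE
# signature at offset 0x40, followed by filler. Not a runnable executable.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_PAYLOAD = (
    b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
    + b"PE\x00\x00" + b"\x90" * 100
)


if __name__ == "__main__":
    resources = build_sample_resources(SAMPLE_PAYLOAD, SAMPLE_KEY, chunk=37)
    decoded = decode_payload(resources, SAMPLE_KEY)
    print(f"{len(resources)} resource chunks -> {len(decoded)} bytes, "
          f"PE header {'present' if looks_like_pe(decoded) else 'missing'}")
```

The order of the steps matters: reversing before decrypting is what the script does, so reversing after decryption (or skipping it) yields garbage, which is why the `looks_like_pe` check is worth running on the output before handing the buffer to further tooling.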
