04.20.12

Digital Resurrections – malicious links piggybacking on trending videos

News trending on most major news sites, and a few tech sites, is the re-animated appearance of a digital avatar resembling a long-deceased musician.
2Pac videos have gone viral, and as expected it’s almost too good an opportunity for the malware writers to pass up.

It must be mentioned that video files themselves are not immune to carrying embedded malicious links, but this time the links are far more obvious.

In fact, the links are in plain sight, posted right alongside the video. Almost “helpful” and benign looking… if only they were!

Just as a force of habit, I followed the links utilizing simple command line utilities, and had a quick peek into their innards.
See, it’s not paranoia if the software really does turn out to be malware!

Before I start to wax lyrical about the dangers of downloading unknown software, I’d rather state that it’s a common practice.
There’s nothing unusual about downloading and sometimes running applications, or opening images and videos from various sources.
Millions of people do this every day. Millions get infected. We’re just ensuring you have the information you need.


A “video” should ordinarily arrive in a commonly used video format.
There could be instances where a player is bundled with the content itself, and that player has to be an application.
But these downloads (Biggieholo.exe and tupacpart2.exe) are Windows executables presented as videos, and just looking at them made me suspicious, so out came the tools.

Now, we’ve observed malware in all shapes and forms, but this family of malware has its peculiarities:

1.    The binaries are consistently written in .NET, which is not the hardest platform to analyse given the right tools (a decompiler gets you most of the way back to readable source).
2.    Yet there is an attempt at obfuscating strings and function names across the binaries.
3.    Both binaries contain similar, simplistic decryption routines for those obfuscated strings.

In fact, the inner code structure suggests a single development source.

But what makes it odd is the question: are the malware writers actually attempting to look innocuous by using this development platform? Or are they just lazy?

It’s not the first time .NET has been used to develop malware, and these authors have even tried to obfuscate some of their code.
Yet the malware author seems to have put in a minimum amount of effort, with near-identical implementations of simple encryption in both binaries.

For the technically intrigued, this part might interest you.
It jumps out almost immediately when a “video” file does the following (decompiler output of Biggieholo.exe, shown as a screenshot in the original post):

Biggieholo.exe

The string manipulation function in there does little more than a simple decode of the obfuscated strings (again shown as a screenshot in the original post):

The second file (tupacpart2.exe) downloads as a .rar archive that contains this single executable.
Disassembly reveals yet another executable embedded within it, which also follows a similar code structure.
A more complete investigation into the intricacies of the files continues.
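The checks described above (is the “video” really a video, is the executable a .NET assembly, and does it carry another executable inside it) can be done with a few lines of Python rather than by eye. The script below is an added example for this post, not a tool from the original analysis; the PE images it inspects are synthetic byte layouts built by build_fake_pe, not the Biggieholo.exe or tupacpart2.exe samples, and the file signatures are the standard ones for those formats.

```python
"""
Triage of a downloaded "video" that may really be a Windows executable.
Added example; the PE layouts built here are constructed, not real samples.
"""
import struct

# Well-known leading bytes of real video/archive files. A genuine video
# starts with one of these, not with the "MZ" DOS stub of an executable.
VIDEO_MAGICS = {
    b"\x1a\x45\xdf\xa3": "Matroska/WebM",
    b"RIFF": "AVI (RIFF)",
    b"FLV\x01": "Flash video",
    b"\x00\x00\x01\xba": "MPEG-PS",
}
RAR_MAGIC = b"Rar!\x1a\x07"
CLR_DIR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (.NET runtime header)


def classify(data: bytes) -> str:
    """Coarse file type from the leading bytes, ignoring the file extension."""
    if data[:2] == b"MZ":
        return "PE executable"
    if data.startswith(RAR_MAGIC):
        return "RAR archive"
    if data[4:8] == b"ftyp":          # ISO base media: MP4, MOV, 3GP
        return "MP4/MOV"
    for magic, name in VIDEO_MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def pe_is_dotnet(data: bytes, base: int = 0) -> bool:
    """True if the PE image at data[base:] has a non-empty CLR runtime header
    (data directory entry 14), which is what marks a .NET assembly."""
    if data[base:base + 2] != b"MZ" or len(data) < base + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return False
    opt = pe + 4 + 20                      # optional header follows COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                     # PE32: data directories at +96
        dirs = opt + 96
    elif magic == 0x20B:                   # PE32+: data directories at +112
        dirs = opt + 112
    else:
        return False
    rva, size = struct.unpack_from("<II", data, dirs + 8 * CLR_DIR_INDEX)
    return rva != 0 and size != 0


def find_embedded_pes(data: bytes) -> list:
    """Offsets of every MZ header (after the outer one) whose e_lfanew points
    at a PE signature: executables carried inside the executable."""
    found = []
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if len(data) >= pos + 0x40:
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def build_fake_pe(dotnet: bool, payload: bytes = b"") -> bytes:
    """Synthetic minimal PE32 header (constructed test input, not a runnable
    program): DOS stub, PE signature, COFF header, optional header, 16 data
    directories, then an optional trailing payload."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    coff = b"PE\0\0" + b"\0" * 20
    opt = struct.pack("<H", 0x10B) + b"\0" * (96 - 2)
    dirs = bytearray(16 * 8)
    if dotnet:
        struct.pack_into("<II", dirs, 8 * CLR_DIR_INDEX, 0x2008, 0x48)
    return dos + coff + opt + bytes(dirs) + payload


if __name__ == "__main__":
    # A .NET "video" carrying a native executable two bytes after its header.
    sample = build_fake_pe(True, payload=b"xx" + build_fake_pe(False))
    print(classify(sample),
          ".NET" if pe_is_dotnet(sample) else "native",
          "embedded PE at", find_embedded_pes(sample))
```

Run it against a real download with open(path, "rb").read(); anything that claims to be a video but classifies as a PE executable or RAR archive deserves the rest of the analysis. The embedded-PE scan is a heuristic (it looks for a DOS stub whose e_lfanew lands on a PE signature) and will miss a payload that is stored encrypted, which is exactly what the simple decryption routines above hint at.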

At this stage, a look at some of the other videos posted by the same source suggests a certain intent and deviousness.
The videos posted follow the genre of trending music, game cheats, etc.:
a very similar audience to the recently discussed keygen audience that was being targeted by a certain family of malware.

Maybe the malware writers know that the same people are likely to look up these search terms!
In all cases, it pays to be vigilant.

The question that needs to be asked is – do you have complete and Total Defense?