Vitallia Trojan Returns to the Castle

TRIOX’s security researchers detected an anomalous torrent uploaded by malware distributors to The Pirate Bay torrent site.

Uploading the extracted Setup.exe to VirusTotal shows the following detection rate:

Link: https://www.virustotal.com/gui/file/58b15aa8d3b96e1a3fa318f7a862a61c4b5ad5c7887e46d65d60279ed9ecdce4/detection

Threat Intelligence

TRIOX’s security research group found a direct connection to a dropped file named irsetup.exe, a dropper used in targeted adware campaigns:

Searching for well-known file names in this variant reveals suf_rt.exe, a name also used by other trojan variants:

The use of urlmon.dll to download next-stage files is also behaviour we frequently see in trojanized applications:

The sample contacts the URL hxxps://pastebin.com/raw/rT66cTc6 and other suspicious locations:

One of the IP addresses the sample contacts is 104.18.21.226:

The following shows the relations between malicious files and the IP address 104.18.21.226:

The following extracted IoCs (command-line strings of the dropper) connect this sample to the Vitallia Trojan:

"__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2052111302-484763869-725345543-1003"

IRAOFF:1790722

An example of the connection between the above-mentioned extracted IoC and the Vitallia trojan:

Executive Summary

The following is the general execution flow of the malware, which in our case ends with the installation of an application named “takemyfiles.exe”:

The following is the message presented at the end of the installation:

Alongside this, Google Chrome is installed with Bing configured as the default search engine, serving the adware operation’s goal of making money on ads.

A context-menu option is also added that lets the user right-click files and upload them to a remote server over HTTP.

In addition, a VPN client named MaskVPN is deployed on victim machines to tunnel all traffic through the attacker-controlled infrastructure. Below is a screenshot of the MaskVPN client deployment:
And below is the VPN tunnel in action:

And a service-based persistence mechanism:

Malware Analysis

Stage 1 – Setup.exe

SHA-256 Hash: 58B15AA8D3B96E1A3FA318F7A862A61C4B5AD5C7887E46D65D60279ED9ECDCE4

The manifest of the first stage, Setup.exe, declares a “requestedExecutionLevel” of “requireAdministrator”:

Setup.exe, which is not packed, is built with the Setup Factory installer, as can be seen below:

Link to the official website of Setup Factory: https://setupfactory.com/

Setup.exe drops irsetup.exe into a folder under %temp% that follows the predefined naming convention _ir_sf_temp_[0-9]:

It drops the files irsetup.exe and lua5.1.dll and then executes irsetup.exe using the ShellExecuteA function with the “open” verb:

Stage 2 – irsetup.exe

SHA-256 Hash: B15D67B4A57184E5202DF3C25E20DC0B7F853F4D527D148B337138900989824A

The irsetup.exe file is packed with UPX:

As the following screenshot shows, irsetup.exe contains obfuscated code: a few loops and no normal functions that IDA can identify:

There is also a very small number of imported Windows API functions, yet another indicator of packing:

Unpacking in this case is easy using the -d (decompress) option of upx.exe, which ships with the UPX packer:

After unpacking irsetup.exe, we can see normal sections, strings, imports and overall normal functionality:
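The packing indicators discussed for irsetup.exe (UPX section names, compressed-looking section bodies) can be checked before reaching for upx -d. The script below is an added triage example written for this article; it is not TRIOX’s tooling and it does not parse the report’s sample. It implements a minimal PE section-table reader plus a Shannon-entropy check, and builds two constructed fixtures (a UPX-style layout and a plain one) so it runs offline. The low import count mentioned above is a third signal that would need an import-table parser and is left out here.

```python
import math
import os
import struct

SECTION_HEADER_SIZE = 40


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: close to 8.0 for compressed or encrypted data,
    much lower for ordinary code, tables or zero padding."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return [(name, raw_offset, raw_size)] from the PE section table.
    Minimal parser: it reads only the header fields this triage needs."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional                 # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def packing_indicators(pe: bytes, entropy_threshold: float = 7.0):
    """Flag two cheap packing signals: UPX-style section names and
    high-entropy section bodies. Legitimate software is UPX-packed too,
    so treat the result as a triage hint, not a verdict."""
    sections = parse_sections(pe)
    names = [name for name, _, _ in sections]
    upx_named = [n for n in names if n.upper().startswith("UPX")]
    high_entropy, zero_raw = [], []
    for name, ptr, size in sections:
        if size == 0:              # e.g. UPX0: space for the unpacked image, no bytes on disk
            zero_raw.append(name)
            continue
        if shannon_entropy(pe[ptr:ptr + size]) >= entropy_threshold:
            high_entropy.append(name)
    return {"sections": names, "upx_named": upx_named, "high_entropy": high_entropy,
            "zero_raw_size": zero_raw,
            "likely_packed": bool(upx_named) or bool(high_entropy)}


def build_sample_pe(sections):
    """Construct a minimal PE image from [(name, data)] pairs. Test fixture only:
    the headers are the bare minimum parse_sections() reads, nothing loadable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    e_lfanew = 64
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = e_lfanew + 4 + 20                 # SizeOfOptionalHeader is 0 here
    data_off = table + SECTION_HEADER_SIZE * len(sections)
    headers, body = b"", b""
    for name, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000,
                               len(data), data_off + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    return bytes(dos) + b"PE\0\0" + coff + headers + body


# Constructed fixtures: a UPX-style layout (UPX0/UPX1/.rsrc, random bytes standing
# in for compressed code) and a plain layout with low-entropy content.
PACKED_SAMPLE = build_sample_pe([("UPX0", b""), ("UPX1", os.urandom(4096)),
                                 (".rsrc", b"\0" * 512)])
UNPACKED_SAMPLE = build_sample_pe([(".text", b"\x55\x8b\xec\x90" * 1024),
                                   (".data", b"\0" * 1024), (".rsrc", b"A" * 256)])

if __name__ == "__main__":
    print(packing_indicators(PACKED_SAMPLE))
    print(packing_indicators(UNPACKED_SAMPLE))
```

Section names are trivially renamed by packers, which is why the entropy check is kept alongside the name check; a file whose largest section has entropy near 8.0 and almost no imports is worth unpacking and re-scanning even when UPX0/UPX1 are absent.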

Note: several strings and a specific link found in this sample point to a company named IndigoRose, which appears to be connected with this file, most likely because the Setup Factory installer is developed by IndigoRose:

hxxp://www.indigorose.com/route.php?pid=suf9buy

Other indications of IndigoRose (which seems to serve as the front end of the adware spreading operation):

And more indicators:

This is what the malicious installer looks like:

When irsetup.exe is executed and the “Next >” button is clicked, information is enumerated from the victim endpoint, such as the system certificates shown below:

Reading of cookies:

Checking the “hosts” file under C:\Windows\System32\drivers\etc:

Furthermore, the malware checks in which country the victim’s endpoint resides using ip-api.com:

Note: during our research, we needed to change our country using a VPN solution in order to receive the final payload.

The running irsetup.exe process drops and executes a file with a random upper-case name, in our case OPHXPIJH.exe:

The following are the detection results after uploading the randomly named file to VirusTotal:

Relations of the file as provided in the VirusTotal report:

Related files:

Link to the VT results:

https://www.virustotal.com/gui/file/28a145f1231638df9c814fe5f16982336ddb3d55843bef9284a7fb24d2d4278b/detection

The following is a drill-down into OPHXPIJH.exe (the randomly named file).

The subroutine sub_401F88 contains the installer’s main functionality:

The operations of the above-mentioned function are shown in the screenshot below:

In the subroutine sub_D618AE, the folder for the next irsetup.exe is created, as in the previous stages:

After this function returns, the next stage is executed in the subroutine sub_401BAF:

After sub_401F88 returns and before OPHXPIJH.exe (the randomly named file) terminates, Sleep() is called for 10 seconds, previously dropped files are deleted if they exist, and finally OPHXPIJH.exe terminates:

The following are registry queries for proxy settings performed by OPHXPIJH.exe before it terminates:

And finally, immediately after reading cookies, it drops another stage, again a file named irsetup.exe:

The second irsetup.exe stage, followed by the lua5.1.dll file:

The second irsetup.exe enumerates system languages:

Fingerprinting MachineGUID:

Stage 3 – installerapp.exe

SHA-256 Hash: B945185DC04126878956EBC6246CB62391EDBA6E64D954F3F33CE767E74238E7

After executing the installer, the following processes are created:

Execution parameters of msiexec.exe:

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Terminator\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager – Postback Johan.msi" /qn CAMPAIGN=1981 AI_SETUPEXEPATH=C:\Users\TERMIN~1\AppData\Local\Temp\installerapp.exe SETUPEXEDIR=C:\Users\TERMIN~1\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates  /forcecleanup  /wintime 1619345143 /qn CAMPAIGN=""1981"" " CAMPAIGN="1981

Note: campaign number 1981 appears frequently. It seems the attackers divide their infections by targeted adware / trojan campaign.
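The chain described so far (Setup.exe dropping irsetup.exe under %temp%\_ir_sf_temp_N with the __IRCT/__IRTSS/__IRSID arguments, irsetup.exe spawning a random upper-case .exe such as OPHXPIJH.exe, and installerapp.exe running msiexec silently with a CAMPAIGN= property) can be turned into a scored hunting rule over process-creation telemetry. The script below is an added example written for this article, not TRIOX’s detection logic; the events are constructed in a Sysmon-like shape with a made-up user name, and the rule weights and threshold are assumptions to tune per environment. The Setup Factory layout alone gets a low weight on purpose, since legitimate installers built with it produce the same files and arguments.

```python
import re

# Constructed process-creation events in a Sysmon-like shape. They are sample
# input for this example only, not telemetry taken from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\victim\Downloads\Setup.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\victim\Downloads\Setup.exe"'},
    {"image": r"C:\Users\victim\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe",
     "parent_image": r"C:\Users\victim\Downloads\Setup.exe",
     "cmdline": (r'"C:\Users\victim\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" '
                 r'"__IRCT:3" "__IRTSS:0" '
                 r'"__IRSID:S-1-5-21-2052111302-484763869-725345543-1003"')},
    {"image": r"C:\Users\victim\AppData\Local\Temp\OPHXPIJH.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe",
     "cmdline": r'"C:\Users\victim\AppData\Local\Temp\OPHXPIJH.exe"'},
    {"image": r"C:\Windows\system32\msiexec.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\installerapp.exe",
     "cmdline": (r'"C:\Windows\system32\msiexec.exe" /i '
                 r'"C:\Users\victim\AppData\Roaming\AW Manager\Windows Manager 1.0.0'
                 r'\install\97FDF62\Windows Manager - Postback Johan.msi" '
                 r'/qn CAMPAIGN=1981 '
                 r'AI_SETUPEXEPATH=C:\Users\VICTIM~1\AppData\Local\Temp\installerapp.exe')},
    # A benign Setup Factory installer for comparison: only the low-weight rule fires.
    {"image": r"C:\Users\victim\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe",
     "parent_image": r"C:\Users\victim\Downloads\LegitTool-Setup.exe",
     "cmdline": (r'"C:\Users\victim\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" '
                 r'"__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-1-2-3-1001"')},
]

SF_TEMP_IRSETUP = re.compile(r"\\Temp\\_ir_sf_temp_\d+\\irsetup\.exe$", re.IGNORECASE)
RANDOM_UPPER_EXE = re.compile(r"\\Temp\\[A-Z]{8}\.exe$")
MSI_CAMPAIGN = re.compile(r"\bCAMPAIGN=\"?\d+")


def ends_with_name(path, name):
    return path.lower().endswith("\\" + name)


def rule_setupfactory_stage(e):
    # Setup Factory's normal runtime layout: irsetup.exe under %temp%\_ir_sf_temp_N,
    # launched with __IRCT/__IRTSS/__IRSID arguments. Legitimate installers do this
    # too, so it is context rather than evidence (weight 1, an assumed value).
    return bool(SF_TEMP_IRSETUP.search(e["image"])) or "__IRCT:" in e["cmdline"]


def rule_random_named_child(e):
    # irsetup.exe spawning an 8-letter upper-case .exe from %temp%
    # (OPHXPIJH.exe in the report). Weight 3 (assumed).
    return (ends_with_name(e["parent_image"], "irsetup.exe")
            and bool(RANDOM_UPPER_EXE.search(e["image"])))


def rule_msiexec_quiet_campaign(e):
    # msiexec running silently (/qn) with a CAMPAIGN= property and a setup exe
    # under %temp% (installerapp.exe in the report). Weight 3 (assumed).
    cmd = e["cmdline"]
    return (ends_with_name(e["image"], "msiexec.exe") and "/qn" in cmd.lower()
            and bool(MSI_CAMPAIGN.search(cmd))
            and "\\temp\\installerapp.exe" in cmd.lower())


RULES = [
    ("setupfactory_stage", 1, rule_setupfactory_stage),
    ("random_named_child", 3, rule_random_named_child),
    ("msiexec_quiet_campaign", 3, rule_msiexec_quiet_campaign),
]


def triage(events, threshold=4):
    """Score one process chain; returns the rule hits and whether the
    accumulated weight crosses the (assumed) alert threshold."""
    hits, score = [], 0
    for e in events:
        for rule_id, weight, pred in RULES:
            if pred(e):
                hits.append((rule_id, e["image"]))
                score += weight
    return {"score": score, "hits": hits, "suspicious": score >= threshold}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS[:4]))   # the report's chain: score 7, suspicious
    print(triage(SAMPLE_EVENTS[4:]))   # benign installer: score 1, not suspicious
```

Grouping events by process chain (rather than per host) is what keeps the benign Setup Factory run below the threshold while the torrent sample’s four-process chain crosses it; in production the chain would be built from the parent process GUIDs the telemetry provides.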

Uploading the MSI file to VT gives the following results:

Notice that this MSI file is a very odd one: it matches a Sigma rule even though no security vendor detects it.

There is also a connection to the downloaded driver file named INA9F89.tmp under %temp%:

This file has many relations to known malicious files:

Eventually, sensitive data is exfiltrated from the host over a TLS-encrypted HTTP channel.

The Windows version is sent via an encrypted HTTP POST request:

The victim’s Windows service pack level:

The physical memory of our machine:

And other interesting information such as the screen resolution, language pack, Office and PowerShell versions, and more.

Based on the enumerated and exfiltrated information, the attacker’s C2 decides which payload to deliver to the victim, as shown in the Executive Summary section.

To Summarize

This malware was seen frequently around 2017-2018, and it now seems that the threat actor behind it is trying to spread through infection vectors such as downloaded torrents. The malware employs several evasion techniques: packing, network encryption such as the use of a VPN, and TLS encryption of the data exfiltrated from victim machines, all to evade security systems such as IDS / IPS, firewalls, antivirus and EDR.