Malware Stories: UniverseCity Investigation

Saad
9 min read, Jan 12, 2023

I downloaded a “virus” on my PC to see what it does. Here is what I found.

It all started when I was contacted by someone offering me a job as a beta tester for a game. The pay mentioned was really good for the work required. A bit too good, in fact. Good enough to make me suspicious. The sensible thing to do would have been not to respond. But if I were in the mood to do sensible things, I wouldn’t have spent the past several months downloading random viruses onto my computer only to post about it on Twitter. So I dived headfirst into their scam to see how it all works.

Interestingly, the person who offered me this “job” told me to download the game from UniverseCity(dot)art. If you try to visit that site, it will not open, because there is no such site. The real site was UniverseCity(dot)at. “at”, not “art”.

I told them that the site was not opening. At that point the person added me to a Discord group which purportedly belonged to the UniverseCity community. The person also gave me a beta tester badge and sent me the game download as a rar archive.

Like a lot of other malware delivered through phishing and social engineering scams, this rar file was password protected. That was the first red flag. Attackers love password protected archives because a scanner cannot look inside one: the contents are encrypted with the password, so even scanners that understand the rar format see only an opaque blob (and, if the archive was created with rar’s option to encrypt file names as well, not even the names). This is why services like VirusTotal, as well as most local antivirus products, mark such files as clean: there is nothing to analyze until the recipient types in the password.

Then there is red flag #2. The 6 MB archive contained a 700 MB+ executable. A compression ratio that extreme means most of the executable is filler: long runs of zero bytes or repeating patterns that compress to almost nothing. This, too, is usually done to defeat malware scanners.

Many online scanning services submit files to VirusTotal, which has an upload limit of 650 MB, and sandboxes commonly enforce size limits of their own. So it is no coincidence that these files are padded to just over 650 MB: the size is chosen to dodge VirusTotal and similar upload limits, while the compressed archive stays small enough to hand over easily.

Once I observed these two red flags, it was time to look inside the file. I fired up Veles (a binary visualization and analysis tool). The first obvious thing I saw was padding. No surprises there. Almost 99% of the file was simply filled with “00” bytes, with very little actual code or data (as shown in the following video).

I recompressed the 700 MB file into a standard zip without a password, which came out at 7.4 MB. Now VirusTotal could scan it, and it got 15/59 hits. For our purposes this is good enough. But from the perspective of an ordinary user, it means only about a quarter of the engines (15 of 59) flagged this file as malicious.
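The two padding red flags above (an absurd compression ratio, and a file that is almost entirely 0x00 bytes) are easy to check mechanically rather than by eye. The following is an added example, not code from Saad’s write-up; the 4 KB + 1 MB sample it builds is a constructed stand-in for the 700 MB executable, and the thresholds (90% zeros, 10x compression) are illustrative assumptions, not published rules.

```python
"""Added example (not from the original article): measure the two padding
red flags described above - the share of 0x00 bytes and how far the file
compresses - so they can be checked mechanically instead of by eye."""
import random
import re
import zlib


def make_padded_sample(real_size=4096, pad_size=1_000_000, seed=7):
    """Constructed stand-in for the article's 700 MB executable: a few KB of
    incompressible 'real' bytes followed by a long run of zero padding."""
    rng = random.Random(seed)
    real = bytes(rng.randrange(256) for _ in range(real_size))
    return real + b"\x00" * pad_size


def make_benign_sample(size=65536, seed=11):
    """Constructed control: incompressible bytes only, no padding."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(size))


def zero_fraction(data):
    """Share of the file that is literally 0x00."""
    return data.count(0) / len(data)


def longest_zero_run(data):
    """Length of the longest contiguous run of 0x00 bytes."""
    return max((m.end() - m.start() for m in re.finditer(rb"\x00+", data)), default=0)


def compression_ratio(data, level=6):
    """uncompressed / compressed size. Genuine code and data rarely go much
    past ~4x; the article's 700 MB -> 6 MB archive is a ratio above 100."""
    return len(data) / len(zlib.compress(data, level))


def strip_trailing_padding(data):
    """Drop trailing 0x00 bytes so a size-limited scanner will accept the file.
    Caveat: this changes the hash, so hash lookups (e.g. searching VirusTotal
    by SHA-256) will no longer match the padded original."""
    return data.rstrip(b"\x00")


def padding_report(data, zero_threshold=0.90, ratio_threshold=10.0):
    """Assumed thresholds: >=90% zero bytes or >=10x compression is worth a
    closer look. Either signal alone is enough to flag the file."""
    zf = zero_fraction(data)
    cr = compression_ratio(data)
    return {
        "size": len(data),
        "zero_fraction": round(zf, 4),
        "longest_zero_run": longest_zero_run(data),
        "compression_ratio": round(cr, 1),
        "stripped_size": len(strip_trailing_padding(data)),
        "suspicious": zf >= zero_threshold or cr >= ratio_threshold,
    }


if __name__ == "__main__":
    for name, sample in (("padded", make_padded_sample()), ("benign", make_benign_sample())):
        print(name, padding_report(sample))
```

Run against a real sample, `padding_report(open(path, "rb").read())` gives the numbers; the stripped copy is what you would upload, but keep the original’s hash for correlation with other reports.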

What’s more, many big-brand antivirus products such as Avast, AVG and Bitdefender did not flag the file as suspicious.

So, what happens to users of the other three quarters of antivirus products that couldn’t detect this file as malicious? That’s what I wanted to find out by analyzing this malware.

The first approach I used was analyzing the file in Ghidra. For those who don’t know, Ghidra is a software reverse engineering tool. It disassembles a binary into assembly instructions and, for any selected function or group of instructions, its decompiler produces C-like pseudocode.

The code was obfuscated, and the instruction bytes weren’t recognized as instructions by Ghidra’s auto-analysis. This is a common trick to make malware harder to analyze and detect: if the real code is not reachable from the entry point, or is only decoded at run time, static analysis has nothing to disassemble. Due to this, Ghidra was unable to give us the assembly level instructions.

I could have manually sifted through the file and marked functions for decompilation, one function at a time. But that would have been another desperate move, and it would not yield much useful information anyway. It was better to look for embedded strings and other data and hope to get some clues from there as to what this file does.

And clues we did get. The embedded strings included multiple network calls and a string called “IpAddress”. Network calls are perfectly normal. “IpAddress”, though, is a little odd.

Most modern software doesn’t deal with IP addresses directly unless absolutely necessary. It normally talks to domain names such as “https://example.com” and leaves resolution to DNS. A hard-coded IP address in a binary is a common sign of a command-and-control endpoint (no domain to register, no DNS lookup to log), though on its own it is only a hint.
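Pulling strings out of a binary is the step that turned up “IpAddress” above, and it is worth doing for both plain ASCII and the UTF-16LE strings that Windows programs use, since `strings` with default settings misses the latter. The following is an added example, not part of Saad’s analysis; the “binary” it scans is a constructed byte string that reuses the “IpAddress” marker and the 80.89.228.168 address from this article alongside decoys (a loopback address and a version number) to show what gets filtered out.

```python
"""Added example (not from the original article): pull printable strings out
of a binary, including UTF-16LE ones, and flag hard-coded network endpoints."""
import ipaddress
import re

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
# UTF-16LE: every printable ASCII char is followed by a 0x00 byte
UTF16LE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# dotted quad not glued to other digits/dots (so "1.2.3.4.5" is not split up)
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample "binary": DOS stub marker, a few ASCII strings, one
# UTF-16LE string, plus decoys. Strings in real binaries are usually
# separated by one or more 0x00 bytes, which is what the padding imitates.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"IpAddress\x00\x00"
    + "80.89.228.168".encode("utf-16-le") + b"\x00\x00"
    + b"https://example.com/update\x00"
    + b"127.0.0.1\x00"          # loopback: not a remote endpoint
    + b"10.0.19041.1\x00"       # looks dotted but is a version number
    + b"\x00" * 32
)


def extract_strings(data):
    """Return [(offset, 'ascii'|'utf16', text)] sorted by file offset."""
    found = []
    for m in ASCII_RE.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16LE_RE.finditer(data):
        found.append((m.start(), "utf16", m.group().decode("utf-16-le")))
    found.sort()
    return found


def network_indicators(strings):
    """Return (ips, urls). An IP is kept only if it parses and is globally
    routable, which drops 0.0.0.0, loopback, RFC1918 and octets above 255."""
    ips, urls = set(), set()
    for _offset, _kind, text in strings:
        for cand in IPV4_RE.findall(text):
            try:
                addr = ipaddress.ip_address(cand)
            except ValueError:      # e.g. a version string with an octet > 255
                continue
            if addr.is_global:
                ips.add(cand)
        urls.update(URL_RE.findall(text))
    return sorted(ips), sorted(urls)


if __name__ == "__main__":
    strs = extract_strings(SAMPLE_BINARY)
    for off, kind, text in strs:
        print(f"{off:08x} {kind:5} {text}")
    print("indicators:", network_indicators(strs))
```

On a real file, `extract_strings(open(path, "rb").read())` is the starting point; a global IP that survives the filter is what you then look for in the packet capture.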

Now that we know it is talking to some IP address, time to find out who it is talking to. For this, I fired up Wireshark and ran the file inside a VM. Instantly it starts talking to this IP address: 80.89.228.168.

Quite a bit of back and forth going on between my device (192.168.126.133) and the hacker’s (80.89.228.168). I started opening each packet to see what data was being sent and received. And JACKPOT. Found a suspicious packet. Let’s zoom in here.

I copy-pasted the contents of this packet into a text editor to make it more readable. This appears to be a grocery list of what the hacker wants from our PC. Presumably, it has asked the malware to send all txt, docx and xlsx files, and files containing the word “wallet” or “key”.

It has also given the malware a whole other list of folders. We will cover what it is stealing from there later on. For now, the real question is: was this information really sent?

The first run didn’t return anything because I was running it on an empty VM. There was nothing to send. But what if I had run this software on my main PC? To test this, I made a bait file called “walletkey.txt” on my VM desktop containing the word “charizard”.

Let’s run Wireshark again and see if it can catch this file being transmitted.

Sure enough, there is our Charizard, along with the filename “walletkey.txt”, being transmitted to the hacker’s IP. Malware caught stealing our information RED HANDED.

In fact, Charizard gets transmitted multiple times. My guess is that it first looks for all files with the “.txt” extension, then all files containing the word “wallet”, then all files containing “key”. Our walletkey.txt fits all these criteria, so it shows up in all these loops.
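The bait-file check above can be done offline as well: plant a marker word, save the capture to a pcap, and search every TCP payload for the marker instead of clicking through packets in Wireshark. The following is an added example, not Saad’s code; it contains its own minimal pcap parser, and the capture it builds is constructed in code, only loosely modelled on what the article describes (the task list format, the port numbers and the second LAN connection are placeholders; the two IP addresses are the ones given in the article).

```python
"""Added example (not from the original article): find a planted marker in
outbound TCP payloads of a pcap, using only the standard library."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
VICTIM, C2 = "192.168.126.133", "80.89.228.168"   # addresses as given in the article
C2_PORT = 443                                      # placeholder, not from the article


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src, dst, sport, dport, payload):
    """Ethernet + IPv4 + TCP with zeroed checksums (enough for parsing)."""
    eth = bytes(range(6)) + bytes(range(6, 12)) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000,
                     64, PROTO_TCP, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic libpcap file: little-endian, microsecond timestamps, Ethernet."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1673500000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_tcp_payloads(pcap):
    """Yield (src, dst, sport, dport, payload) for every TCP segment with data."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("this example handles little-endian microsecond pcap only")
    off = 24
    while off + 16 <= len(pcap):
        _ts, _us, incl, _orig = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4                    # IPv4 header length
        total_len = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != PROTO_TCP:                      # protocol field
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        data_off = (frame[tcp + 12] >> 4) * 4           # TCP header length
        payload = frame[tcp + data_off:14 + total_len]
        if payload:
            yield src, dst, sport, dport, payload


def find_canary(pcap, canary, home_net="192.168."):
    """Outbound segments carrying the marker, as (dst, dport, occurrences)."""
    hits = []
    for src, dst, _sport, dport, payload in iter_tcp_payloads(pcap):
        if src.startswith(home_net) and canary in payload:
            hits.append((dst, dport, payload.count(canary)))
    return hits


def demo_capture():
    """Constructed traffic: the C2 sends its wish list, the infected host
    answers twice with the bait file (the article saw repeats too), plus
    one unrelated LAN request that carries no marker."""
    task = b'{"ext":[".txt",".docx",".xlsx"],"name":["wallet","key"]}'
    bait = b"walletkey.txt\x00charizard\n"
    return build_pcap([
        build_frame(C2, VICTIM, C2_PORT, 49722, task),
        build_frame(VICTIM, C2, 49722, C2_PORT, bait),
        build_frame(VICTIM, "192.168.126.2", 49723, 80, b"GET / HTTP/1.1\r\n\r\n"),
        build_frame(VICTIM, C2, 49722, C2_PORT, bait),
    ])


if __name__ == "__main__":
    for dst, dport, n in find_canary(demo_capture(), b"charizard"):
        print(f"marker sent to {dst}:{dport} ({n} time(s))")
```

For a real capture, `find_canary(open("capture.pcap", "rb").read(), b"charizard")` does the job as long as the file is classic pcap (not pcapng) and the traffic is unencrypted; if the stealer used TLS, the marker is only visible in a capture taken before encryption, or you fall back to correlating connection timing with the file access.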

Think about what documents are present on your PC. All your Excel files, all your Notepad files, all your Word documents. If by any chance you have anything like a bank statement, personal info or passwords stored in any of the formats listed, the hacker now has it.

“But that’s it, right?” you might ask. “If I don’t keep my passwords or other personal info in a plain text file, I am safe?” Not quite.

It appears to have stolen a LOT more than just text files. Before I elaborate further, let me ask this: when did you last update your operating system? How many apps on your device are at their latest version?

Older, unpatched or cracked apps can make your whole computer vulnerable to further attacks, especially if a potential attacker knows exactly which apps and versions you are using. They can then try every known vulnerability in those apps and use them to get into your system again and again.

And this malware transmits a LOT of information about the apps currently installed on your PC. It also transmitted the Windows version, other software tools installed, apps currently open, etc.

Tools such as Metasploit come with hundreds of built-in exploits targeting unpatched software. If attackers know which apps you are using, and one of them has a known vulnerability, they can get back into your computer at will.

“So that’s it then? Don’t store passwords in text or Excel files, and keep all apps up to date. If I do this, then the malware can’t do anything to me? I am finally safe?” Yeah, still no.

It also appears to be stealing cookies and session keys (the tokens that keep you logged in).

For those who don’t know what session keys are, think of a hotel. You have to verify yourself at reception using your ID when you check in. Then they give you a key card to access your room, the gym and the swimming pool, so you don’t have to show your ID again and again.

Similarly, on sites like Twitter, Gmail, etc., you get a temporary session key when you log in with your password. When you like or share something, or simply refresh the page, your browser sends that session key so you don’t have to enter your password each time.

But what if that key gets stolen? In the hotel, someone else can enter your room, gym or pool instead of you. Same is the case here. With a stolen session key, an attacker can use your account without needing your password, for as long as that key remains valid. Two-factor authentication does not help at this point either: the second factor was checked when the session was created, and the key is what proves that check already happened.

So if your session keys are stolen (as is the case here), the hacker who sent this to your computer can use ALL the accounts you are currently logged into, until those sessions expire or are revoked. That last part matters after an infection like this: changing a password does not always invalidate existing sessions, so use each service’s “log out of all devices” option as well.
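The hotel key behaviour described above, and why revocation rather than a password change is what ends it, comes down to how a server-side session store works. The following is an added example, not from Saad’s article and not the code of any real service; it is a deliberately minimal store whose names (`SessionStore`, `login`, `authenticate`, `revoke_all`) and 1-hour lifetime are assumptions for illustration.

```python
"""Added example (not from the original article): a minimal server-side
session store showing why a stolen session token works without the
password, why it stops working only on expiry or revocation, and why the
server should keep only a hash of each token."""
import hashlib
import secrets


class SessionStore:
    def __init__(self, ttl_seconds=30 * 24 * 3600):
        self.ttl = ttl_seconds
        self._by_hash = {}  # sha256(token) -> (user, expires_at)

    @staticmethod
    def _h(token):
        # store a hash, so a leaked server database does not leak live tokens
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, password_ok, now):
        """The password is checked once; afterwards a random bearer token is
        all the client presents (this is the 'key card')."""
        if not password_ok:
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)
        self._by_hash[self._h(token)] = (user, now + self.ttl)
        return token

    def authenticate(self, token, now):
        """Whoever presents a valid token is treated as its user - the server
        cannot tell the real browser from an attacker replaying the token."""
        rec = self._by_hash.get(self._h(token))
        if rec is None:
            return None
        user, expires_at = rec
        if now >= expires_at:
            del self._by_hash[self._h(token)]
            return None
        return user

    def revoke_all(self, user):
        """What 'log out of all devices' should do after an infostealer run.
        Returns the number of sessions killed."""
        doomed = [h for h, (u, _) in self._by_hash.items() if u == user]
        for h in doomed:
            del self._by_hash[h]
        return len(doomed)


def stolen_token_scenario():
    """Walk through theft, replay, revocation and expiry; returns the
    authenticate() results at each step for checking."""
    store = SessionStore(ttl_seconds=3600)
    t0 = 1_673_500_000
    token = store.login("victim", password_ok=True, now=t0)
    stolen = token                                   # exfiltrated by the stealer
    works_before = store.authenticate(stolen, now=t0 + 60)      # replay succeeds
    # a password change touches nothing in this store; revocation does
    revoked = store.revoke_all("victim")
    works_after = store.authenticate(stolen, now=t0 + 120)      # replay now fails
    # a token that is never revoked still dies at its expiry
    fresh = store.login("victim", password_ok=True, now=t0 + 200)
    works_expired = store.authenticate(fresh, now=t0 + 200 + 3600)
    return works_before, revoked, works_after, works_expired


if __name__ == "__main__":
    print(stolen_token_scenario())
```

The lesson for the defender side is the same one the article draws: the token is the credential, so after a stealer infection, revoke sessions everywhere, not just rotate the password.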

And if that wasn’t enough, it is also stealing insecurely stored passwords. Not just those in text files, but also those stored or transmitted improperly by your apps. For example, my Discord email, username and password also showed up in the transmitted data.

This took me by surprise. But thankfully, this was an alternate Discord account made with an email I don’t use for anything important, running in a VM, created specifically to talk to the hackers. So no damage there. But if I had run it on my main PC, they could’ve hijacked my actual Discord account.

Basically, this malware has the potential to steal your ENTIRE digital life. The important data on your PC. Session keys to all your apps. Crypto wallet information. Passwords insecurely stored in your apps. Pretty much anything.

Just remember. Don’t trust strangers on the internet. Don’t download anything from any place you don’t trust. Don’t run any apps without knowing exactly where they are coming from, and most importantly, DO NOT KEEP IMPORTANT DATA ON YOUR DEVICES IN A TEXT FILE.

If you enjoyed this thread, give me a follow and share it with friends. Would love additional feedback from you all. Hope to bring you more such malware stories from my online adventures. Till then, stay safe. Online and offline.

Saad

Cybersecurity Consultant by day | Games and XR hobbyist by night.