{"id":58035,"date":"2025-01-10T00:00:00","date_gmt":"2025-01-10T00:00:00","guid":{"rendered":"urn:uuid:e0eb8943-e39a-7102-c821-f9d557360f85"},"modified":"2025-01-10T00:00:00","modified_gmt":"2025-01-10T00:00:00","slug":"trend-micro-managed-xdr-analysis-of-infection-from-fake-installers-and-cracks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/trend-micro-managed-xdr-analysis-of-infection-from-fake-installers-and-cracks\/","title":{"rendered":"Trend Micro\u2122 Managed XDR Analysis of Infection From Fake Installers and Cracks"},"content":{"rendered":"

<\/p>\n

<\/div>\n
\n
\n

Upon accessing the link, a separate post on YouTube opens, revealing the download link for the fake installer.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

In the following example, it leads to a download of the file from the Mediafire file hosting site:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

In another case, the threat was uploaded to another file-hosting site called Mega.nz.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

It’s clear that the threat utilizes known file hosting services as another layer to obscure its download further and evade detection.<\/p>\n

In the cases we will discuss in this blog, we observed that these threats are often distributed as fake installers or cracked software, which victims inadvertently encounter while searching for them on search engines.<\/p>\n

In the sample below, specific keywords trigger search results for these entries.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

The third item in the search results (refer to screenshot above) comes from OpenSea (an NFT marketplace), which is unusual because it hosted a downloadable file. The entry contains a shortened link that redirects to the actual link. One assumption is that they use shortened links to prevent scraping sites from accessing the download link.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

The following link will prompt you for the actual download link and the zip file’s password. Password-protecting the files can help prevent sandbox analysis of the initial file upon arrival, which can be a quick win for an adversary.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

The fourth and last entry in the search results (refer to the search results screenshot above) came from SoundCloud, a music-sharing platform that hosted the download link with a corresponding description. In this case, the download link was shortened using Twitter.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

The same user also posted additional entries that include means to download a specific file.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Content from another entry made by the same user.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Similar to the first case, another site displays the download link and password.<\/p>\n

In one of our download links, we discovered evidence of other entries they are attempting to fake, as shown in VirusTotal (VT).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Infection analysis as seen by Managed XDR (post download)<\/span><\/b><\/p>\n

In the next section, we will discuss instances where the download was successful and the content was executed. This case sample highlights the activities observed on the host.<\/p>\n

Case 1 <\/b><\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

One observation about the unpacked file is that its size is 900 MB. This large file size helps defense evasion and allows it to bypass sandbox analysis to appear more legitimate as an installer. Moreover, it is restricted from submission in VT.<\/p>\n

The infection sequence is triggered upon executing the .exe file contained within the zip file.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

 A threat has been detected involving the execution of batch files. The content of the batch file was sourced and, while different from the Managed XDR case, is still functionally similar.<\/p>\n

The batch file contains obfuscated entries.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

The first cleanup involves removing garbage entries.<\/p>\n

The next step is to replace the variables, resulting in a clearer script.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

According to the batch file, it builds the AutoIt script by combining the multiple created files and executes it. Upon execution, we observed that it dropped several additional files.<\/p>\n

Processes may be injected with its code, and a new legitimate binary is sometimes introduced for process injection.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Collecting and preparing sensitive data from browser environments for credential access was completed through a copy file operation.<\/p>\n

The process introduced by threat is also seen to establish connections to multiple command and control (C&C) addresses.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Besides accessing its C&C, our investigation observed the threat committing a series of queries related to Domain Generation Algorithm (DGA) domains.<\/p>\n

Case 2<\/b><\/p>\n

In this second case, the infection started when a user downloaded a compressed file from a known file hosting site. Once downloaded, the user unpacks the file, which would require a password, and executes the installer. Upon execution, it proceeds to do a series of suspicious events, such as spawning a legitimate process and injecting its code into it. The threat also introduces a known scripting tool, AutoIt, to further obfuscate its execution, and later, it connects to its C&C to download and execute additional malware, typically different variants of infostealer.<\/p>\n

A snippet of the content of the zip file shows that, at a quick glance, it is just a standard application installer.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Setup.exe is a version of rustdesk.exe, an open-source remote desktop access software identified on VirusTotal.<\/p>\n

The zip file contains a trojanized file for rustdesk.exe, where one of the DLLs is tampered with. For this specific sample, the tampered DLL that was loaded by Setup.exe was flutter_gpu_texture_renderer_plugin.dll.<\/p>\n

When the file is executed, it displays an error but is already running in the background.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

In the background, the following events have already taken place.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Injecting malicious code into legitimate binaries, such as more.com, StrCmp.exe, SearchIndexer.exe, and explorer.exe, to evade detection by security defenses.<\/p>\n

It drops additional files that are information stealers or malware from a different family.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Creates autorun registry entry and scheduled tasks to ensure ongoing persistence.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Injected processes were later observed, which initiated C&C communication.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Bundle of Stealers\/Loaders<\/span><\/b><\/p>\n

This time, it’s not just a single info stealer but an army of recent noisy ones. This is not new, as it was also observed before with raccoon stealers<\/a>.<\/p>\n

Observed stealers in the cases:<\/p>\n