Key Takeaways

• Cyble Research and Intelligence Labs (CRIL) has uncovered a novel phishing campaign tailored to cryptocurrency users.
• This campaign was deploying a well-known FatalRAT along with additional malware such as Clipper and Keylogger.
• The Threat Actors (TAs) orchestrating this campaign employ the DLL side-loading technique to load and execute FatalRAT, Clipper, and Keylogger modules.
• FatalRAT is a Remote Access Trojan that provides attackers with control over the victim’s computer and is equipped with extensive capabilities for stealing sensitive information.
• The inclusion of a clipper module alongside FatalRAT suggests a targeted strategy aimed at cryptocurrency users, and the addition of a keylogger module enhances data interception capabilities.
• The TAs behind this campaign are targeting Chinese-speaking individuals or organizations, as evidenced by using Chinese-language installers.

Overview

CRIL has recently uncovered a sophisticated phishing campaign that specifically targets cryptocurrency users, with a notable emphasis on users of the Exodus platform. In this intricate scheme, threat actors (TAs) have employed a deceptive website meticulously designed to mimic legitimate cryptocurrency applications.

The deceptive site, resembling the interface of the Exodus crypto wallet, aims to lure unsuspecting users into divulging their sensitive information. Exodus offers users the ability to manage their cryptocurrency holdings and conduct transactions. Available as both a desktop application and a mobile app.

The image below shows the deceptive phishing site, mimicking the authentic application interface.

Figure 1 – Phishing site

Once unsuspecting users are lured into downloading the software disguised as genuine Exodus installers from the phishing site, they inadvertently install a Remote Access Trojan known as FatalRAT. Additionally, this installer also deploys other malicious components, such as Clipper and Keylogger, marking a new development compared to previous campaigns.

The TAs have executed a multi-staged attack incorporating multiple components packaged within a single installer file, culminating in the installation of the FatalRAT malware, a clipper, and a keylogger. Notably, the TAs have employed DLL side-loading techniques as part of their strategy to evade detection, a method that has been observed in previous campaigns as well. The image below shows the infection chain observed in the current campaign.

Figure 2 – Infection chain

Upon installation on a victim’s system, the Trojanized Exodus crypto-wallet installer application grants the attackers unauthorized access and control, enabling them to steal sensitive information from web browsers, capturing keystrokes, data manipulation—particularly concerning wallet addresses in the clipboard—and other malicious activities, all concealed from users in the background.

This operation is further enhanced by launching the Exodus installation in the foreground, tactically employing it as a diversion to mislead and distract users, as illustrated in the accompanying figure.

Figure 3 – Displaying the Exodus application in the victim’s machine

Technical Analysis

Upon execution of the downloaded malicious installer (.msi), it drops numerous files into two distinct directories within the C:\ProgramData folder, named MoCo and Mo. The image below displays all the files along with their respective folder names.

Figure 4 – Extracted files from the installer

All files listed are components of a multi-staged attack primarily utilizing the DLL side-loading method to execute the final payloads aimed at evading detection by security software. The attack chain unfolds as follows:

• A legitimate executable, thelp.exe (Browser Support Module), is launched by the installer. Following this, thelp.exe utilizes DLL sideloading to load a malicious DLL file named “XLFSIO.dll,” which subsequently loads the loader module named “mt.dll” during runtime, as depicted in the figure below.

Figure 5 – Malicious files used for DLL Sideloading

• The file mt.dll is responsible for launching and executing two additional files named “Mi.JPG” and “BMi.jpg.” However, instead of images, these files contain a shellcode along with an embedded DLL, as shown below.

Figure 6 – Loader file containing the Shellcode filenames

• This shellcode’s objective is to load and execute the embedded DLL in memory by invoking an export function named SignalChromeElf.
• SignalChromeElf function performs decryption, loading, and execution of an encrypted payload present within the embedded DLL. This encrypted payload corresponds to the FatalRAT malware.

Similarly, other components such as Clipper and Keylogger are also observed being loaded into memory using similar methods.

Fatal RAT

FatalRAT is a Remote Access Trojan endowed with a broad spectrum of capabilities, allowing remote execution by an attacker. Initially detected in August 2021, the FatalRAT malware possesses capabilities including keystroke logging, screen resolution manipulation, downloading and executing files, as well as stealing data stored within web browsers.

Before commencing its infiltration procedures, the malware meticulously conducts a series of evaluations. These checks encompass assessments for virtual machine environments, processor types, and active processes, among other factors. Once successfully passing these checks, FatalRAT proceeds to decrypt configuration strings containing the Command and Control (C&C) server address as shown in the image below. Subsequently, any pilfered information is swiftly transmitted to the designated C&C server.

Figure 7 – FatalRAT Configuration strings

Based on our analysis, we’ve concluded that the version of FatalRAT employed in this campaign closely resembles the variant previously identified by AT&T and ESET. In this analysis, we will dive deeper into the Clipper and the keylogger modules.

Clipper

When thelp.exe is executed, it concurrently initiates the execution of the “BMi.jpg” file directly into memory through the utilization of the DLL “mt.dll.”

The file “BMi.jpg” contains a shellcode along with an embedded DLL (like FatalRAT), which is identified as Clipper. This shellcode is designed to load and execute the embedded DLL in memory by invoking DllEntryPoint(), as shown in the figure below.

Figure 8 – Shellcode content with Clipper DLL

After the Clipper content is executed in memory, it utilizes API functions associated with the Windows Clipboard, as depicted in the figure below, to carry out its Clipper activities.

Figure 9 – Clipper functions

The table below shows the details of targeted cryptocurrencies and their regular expressions.

The aforementioned Clipper malware performs the following activities:

• The malware continuously monitors clipboard activity by calling OpenClipboard() to gain access to the clipboard.
• Once the clipboard is open, it uses GetClipBoardData() to retrieve the content stored in the clipboard.
• It then checks if the clipboard content matches any cryptocurrency address patterns defined by the regular expressions mentioned in the above table.
• If a cryptocurrency address is matched, the malware replaces it with a pre-defined malicious wallet address controlled by the Threat Actor.
• After modifying the clipboard content, the malware uses SetClipBoardData() to update the clipboard with the manipulated data, which now contains the TA’s wallet address instead of the original one.
• When the user attempts to paste the cryptocurrency address into a transaction field, they unknowingly paste the TA’s address instead, resulting in the redirection of funds to the attacker’s wallet.

The figure below shows the code snippet used to perform the malicious Clipper activity.

Figure 10 – Code snippet of Clipper’s functionalities

The figure below illustrates the presence of Clipper malware strings within the memory of the “thelp.exe” file.

Figure 11 – Presence of Clipper strings in the memory of thelp.exe

Keylogger Module

In this campaign, we have observed that TAs have placed the keylogger module in an additional directory (C:\ProgramData\Mo) intended to log all keystrokes and system events. Although the FatalRAT malware already encompasses the keylogging function, this module operates independently without requiring direct intervention from the attacker.

Upon execution of the Trys.exe file, it employs DLL sideloading to dynamically load the “ty.dll” file. Subsequently, this action starts the execution of the “M.jpg” shellcode, which in turn executes the embedded Keylogger module within the memory, as shown below.

Figure 12 – Presence of M.JPG shellcode filename in ty.dll

The following figure illustrates the presence of keylogger module strings within the memory of the “Trys.exe” process.

Figure 13 – Presence of Keylogger strings in the memory of Trys.exe

Prior to initiating the keylogger functions, the malware attempts to identify virtual environments by checking VMware-related processes, paths, and other indicators. If such a virtual environment is detected, the code exits without executing further actions, as shown in the figure below.

Figure 14 – Anti-Vm methods

After that, the malware proceeds to capture keystrokes and system events on the victim’s system. It then saves this information with the filename “sys.key” in the %programdata% folder. The following image depicts the data recorded by the keylogger malware.

Figure 15 – Saved Keylogger file

Within the keylogger, the remote server’s name is encoded in reverse, as shown in the figure below. During runtime, it retrieves the exact domain name from the reversed string and establishes a connection to it for data exfiltration.

• 1-27.qq-weixin[.]org

Figure 16 – Hardcoded server name in reverse order

Attribution

It’s plausible that the group responsible for the previous campaign may be behind this recent attack. This speculation is based on similarities such as the infection chain, file names, and an error observed in the scheduled tasks created. Additionally, the targeting of Chinese individuals, evident Chinese language versions of software used, and the C&C server pattern look similar.

Conclusion

The increasing popularity of cryptocurrency has attracted the interest of this group, leading them to transition from creating fake websites mimicking popular applications to targeting crypto users directly. Given the behavior of this campaign, we can safely conclude that the primary targets of this campaign are cryptocurrency users.

With the incorporation of a potent blend of the RAT (Remote Access Trojan) and a dedicated clipper module, the attackers can seamlessly extract sensitive information from their victims. Clipper malware poses a notable danger to individuals engaged in cryptocurrency activities, as it specifically focuses on intercepting their transactions and redirecting funds to the wallets of TAs. In light of these threats, crypto users must remain vigilant and proactive against such attacks.

Recommendations

• Before accessing or downloading from any site, it is essential to diligently verify the URLs.
• Crypto users should carefully check their wallet addresses before making any cryptocurrency transaction to ensure there is no change when copying and pasting the actual wallet addresses.
• The seeds for wallets should be stored safely and encrypted on any device.
• Before submitting the cryptocurrency wallet information, verify the authenticity source.
• Use strong passwords and enforce multi-factor authentication wherever possible.
• Keep a close eye on your cryptocurrency accounts for any unauthorized activity or suspicious transactions.
• Review and update advertising policies on major platforms like Google and social media networks to prevent the dissemination of malicious ads promoting cryptocurrency scams.

MITRE ATT&CK® Techniques

Indicators of Compromise (IOCs)

Yara Rule

rule FatalRAT

{
meta:

            author = “Cyble Research and Intelligence Labs”

            description = “Detects FatalRAT dll files”

            date = “2024-04-10”

            os = “Windows”

            hash = “69cbdb401d6c03f3d64b3bf48d527cb4bf507952f34b170a3d020707fc4ff7be”

strings:

            $a1  = “SVP7” ascii nocase

            $a2  = “SVP7-Thread running” ascii nocase

            $a3  = “DisableLockWorkstation” ascii nocase

condition:

            uint16(0) == 0x5a4d and all of them

}

Related