Bitdefender analysts recently uncovered a series of attacks that leverage office tools and image-editing software cracks to compromise computers, hijack crypto-currency wallets, and exfiltrate information via the TOR network. “Once executed, the crack drops an instance of ncat.exe (a legitimate tool to send raw data over the network) as well as a TOR proxy,” said Bitdefender’s Bogdan Botezatu, Director of Threat Research and Reporting and Security Researcher Eduard Budaca in a blog post. These files are placed in the system storage identified as ‘%syswow64%-nap.exe’ or ‘%syswow64%-ndc.exe’, and ‘%syswow64-tarsrv.exe’. A batch file is also placed at ‘%syswow64%-chknap.bat’ which contains a command line for the Ncat component dedicated to traversing ports 8000 and 9000 in .onion domains as shown below.
These tools work together to create a powerful backdoor that communicates through TOR with its command and control center: the ncat binary uses the listening port of the TOR proxy (–proxy 127.0.0.1:9075) and uses the standard ‘–exec’ parameter, which allows all input from the client to be sent to the application and responses to be sent back to the client over the socket (reverse shell behavior).
The crack also creates persistence mechanisms for the TOR proxy file and the Ncat binary on the compromised machine with a service and a scheduled task that runs every 45 minutes.
According to Bitdefender’s investigation, the backdoor is most likely being used interactively by a human operator rather than sending automated requests to the victims. Some of the actions that were observed by the researchers are:
File exfiltration BitTorrent client execution to exfiltrate data Disabling the firewall in preparation for data exfiltration Stealing of Firefox browser profile data (history, credentials, and session cookies). Before exfiltration, attackers archive the profile folder with 7zip to generate one file that contains everything. Theft of the Monero wallet via the legitimate CLI client ‘monero-wallet-cli.exe’.
The above list of actions is non-exhaustive, as attackers have complete control of the system and can adapt campaigns based on their current interests. As per Bitdefender, these types of malware-loaded cracks mostly affect people who download files from websites that have little or no control. “These cracks are usually hosted on direct-download websites rather than on torrent portals, as the latter have a community that downvotes and flags malicious uploads,” Botezatu told TF. Currently, distribution of these cracks are mostly found in the United States, India, Canada, Greece, Germany, Italy, Spain, South Africa, and the United Kingdom. For more information about the files and processes involved, you can read Bitdefender’s complete write-up here.
