It is not new for malware authors to abuse redirection/shortening services to trick victims into clicking links to malicious URLs. This blog explains how users are tricked into clicking what looks like an YouTube link but are in reality redirected to malicious websites and thereby becoming a threat for them.

This post about “Casino hack” is one such example. The very word will definitely lure users into clicking the link to find out more. Little do they know that this is a trap laid out by the threat actors to download malware onto their devices.

Attackers use keywords in URLs like Casino hack, Telegram crack, Hack tools, game names to lure the victims into clicking those URLs which in turn will lead them to sites compromised by attackers to download malicious files. One such site used is Upload.ee.

Upload.ee is a genuine site and is used to upload and download files with best quality and speed, this has been used by the attacker to host malware.

The URL redirection link from YouTube is hxxps[:]//www.youtube.com/redirect?v=sqxO40hXxq0&event=video_description&q=https%3A%2F%2Fwww.upload.ee%2Ffiles%2F12574316%2FCasino_Hack_by_YAZD_v3.49.rar.html&redir_token=QUFFLUhqbWxNY05PdGpOdTJfRG9qUHFTamU5Nlh0cnYzQXxBQ3Jtc0ttMFNLS3otU3dVZ1pfNDhRYWhiZE1KeUdLdDY5c3hrN0xpX3k2S3B4ZHl3cW41WktNdnR3Q1RERktoWWNoS3VHeVdWdm13dmhYSzdKVXVGeG1qYzlub0k5Vnp4dWxFbnBVVXpaUXNTMkFqM05ycS16QQ%3D%3D.

Figure 1: YouTube Redirection

This link leads to the Upload.ee site, from where the Casino_Hack_by_YAZD_v3.49.rar is downloaded.

Figure 2: Redirection to Upload.ee and download of Casino_Hack_by_YAZD_v3.49.rar

On extracting Casino_Hack_by_YAZD_v3.49.rar, it contains Casino Hack by YAZD v3.49.exe, Casino Updater.exe and a Read Me.txt as shown in Figure 3 and Figure 4.

Figure 3: Extracted Files
Figure 4: Read Me.txt

The working flow of Casino_Hack_by_YAZD_v3.49.rar has been depicted below.

Casino Hack by YAZD v3.49.exe

Figure 5: Execution of Casino Hack by YAZD v3.49.exe

The extracted file Casino Hack by YAZD v3.49.exe is found to be UPX packed and on unpacking the file, it has a PE file in its resource section.

Figure 6: PE file at Resource section

This Casino Hack by YAZD v3.49.exe drops C:\Users\_\AppData\Local\Pic1fPBkmq\LOHejsSdpL.exe and C:\Users\_\AppData\Local\Temp\RhTLxG5moP.exe which is again a UPX packed file and the unpacked files contains PE file at its resource section.  RhTLxG5moP.exe inturn drops C:\Users\_\AppData\Local\Temp\lZJY7sOosm.exe.

Figure 7: Dropped files of Casino Hack by YAZD v3.49.exe

Casino Updater.exe

The other extracted file Casino Updater.exe is found to be a malicious Quasar RAT executable. Quasar RATs are open-source Remote Administration Tools for Windows written in C# and available publicly in the GitHub repository. Figure 8 lists the features of Quasar RAT which are pretty self explanatory. 

Figure 8: Features mentioned in GitHub

These are .NET files and most of the time these are found to be used by many APT actors and in most instances these are packed to make the analysis difficult.

The Quasar malware Casino Updater.exe starts itself from another location C:\Users\_\AppData\Roaming\COM Surrogate and creates persistence by making changes in the Autorun registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\COM Surrogate.

Figure 9: Casino Updater.exe starts itself from another location

The IP contacted by Casino Updater.exe is 208.95.112.1 and this IP has been observed to be carrying out SSH brute force attacks in the past. The domains contacted are ip-api.com and hasamu.duckdns.org where ip-api.com is usually used by RATs and spyware as reconnaissance on systems that are infected.

The attacker sends a http GET request to hxxp[:]//ip-api.com/json/ where the geolocation of the malware being downloaded is received by the attacker.

Figure 10: Geolocation of Malware Downloaded

Some of the APT groups that have used Quasar RAT in the past are Iran based APT 33, Pakistan based Gorgon group, Gaza cybergang, India based Dropping Elephant and China based APT 10. The main intention of all these groups has been information theft and espionage activities.

Remote Access Trojans can cause heavy damages. The target could be all kinds of sectors because this tool is open-source and could be used by any threat actor. Since Quasar RAT have many features and capabilities, it is better to always be precautious while clicking any link. 

Here at K7 Labs we keep actively monitoring such malware and have proactive detection for all the variants that are downloaded by clicking the malicious redirect YouTube (or any other legitimate service) URLs.

Indicators of Compromise (IOCs)

                    MD5                File Name      K7 Detection Name
1CE31BB094A824F82007F1A7BCE984B0Casino_Hack_by_YAZD_v3.49.rarTrojan ( 0001140e1 )
B80F8B4C1EA68AA76CCD02C25474313BCasino Hack by YAZD v3.49.exePassword-Stealer ( 00567ea11 )
666318735B6D339B195D344EC8899D88Casino Updater.exeTrojan ( 00521dab1 )
666318735B6D339B195D344EC8899D88COM Surrogate.exeTrojan ( 00521dab1 )
412C6C1AB8B29C333D90D894978C4814LOHejsSdpL.exePassword-Stealer ( 00567ea11 )
412C6C1AB8B29C333D90D894978C4814RhTLxG5moP.exePassword-Stealer ( 00567ea11 )
2EF97DE793ADBE9E7ED6CA8F6E818F91lZJY7sOosm.exeTrojan ( 0001140e1 )

MITRE ATT&CK

TacticsTechniques
ExecutionExecution through API
PersistenceRegistry Run Keys/Startup Folder
Winlogon Helper DLL
Defense EvasionInstall Root Certificate
DiscoveryQuery Registry

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “YouTube Redirection Links Download Quasar RAT”