Translated from: https://asec.ahnlab.com/en/48211/
Because Microsoft now disables macro code in documents downloaded from the Internet by default, attackers have increasingly turned to disk image files such as ISO and VHD for malware distribution. Recently, researchers discovered attackers using VHD files to distribute ChromeLoader. Judging by the file names, the malware is disguised as cracked versions of Nintendo and Steam games; as shown below, some of these are paid games.
File names used for distribution
Searching Google for these file names uncovers multiple websites distributing the malware. Large numbers of cracked games and cracked paid applications are deployed on such sites, and downloading illegal programs from any source is risky.
Search engine results
For example, clicking an ad on one such malicious website downloads what looks like a normal program file:
Advertisement on a malicious website
Users can easily mistake the VHD file for a game-related program. The contents of one VHD are shown below: all files except Install.lnk are hidden, so regular users see only the Install.lnk file.
Files in the VHD
The LNK file runs the properties.bat file, and that script calls the tar command to extract the files.zip archive to a specified directory.
properties.bat
The files.zip archive contains benign files belonging to node-webkit (nw.js) together with a malicious JavaScript (.js) file. nw.exe runs the package, reading the data written in package.json to decide what to load.
files.zip
properties.bat then runs two of the extracted files, data.ini and videos.exe. The former is a VBS script that creates a shortcut to videos.exe in %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\, so videos.exe is launched at every logon.
data.ini
The videos.exe file is the nw.exe binary, which reads package.json and runs the script file named in its main entry. In this example, main points to start.html, which contains the obfuscated malicious JavaScript.
package.json
Eventually, videos.exe executes the malicious JavaScript in start.html, which downloads ChromeLoader. ChromeLoader is adware that performs its malicious actions through a Chrome extension, stealing browser credentials and tampering with browser settings.
Summary
Recently, there has been an increase in malware delivered via disk image files, and attackers often disguise this malware as cracked games and programs. Users must be extra careful when executing files downloaded from unknown sources. Security researchers recommend downloading software only from the official website.
IOC
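The chain above ends with an nw.js package whose package.json "main" entry points at an HTML file carrying obfuscated script. The following triage script is an added example written for this article, not ASEC's tooling or code recovered from the sample: it follows package.json to the main entry and scores that file for inline-script and obfuscation indicators. The indicator patterns, the entropy threshold and the "two or more reasons" rule are assumed heuristics, and the package directories it builds are constructed stand-ins, not the real files.zip contents.

```python
"""Triage an nw.js (node-webkit) package directory.

Follows package.json -> "main" and scores the referenced HTML/JS file for
signs of obfuscated inline script. Heuristics are illustrative assumptions.
"""
import json
import math
import re
import tempfile
from pathlib import Path
from typing import Optional

# Assumed indicator patterns for obfuscated loader script.
INDICATOR_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "unescape": re.compile(r"\bunescape\s*\("),
    "new_function": re.compile(r"new\s+Function\s*\("),
    "long_literal": re.compile(r"[\"'][A-Za-z0-9+/=\\x]{200,}[\"']"),
}
ENTROPY_THRESHOLD = 5.0  # assumed; packed/encoded text tends to score higher


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the file content."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def read_main_entry(pkg_dir: Path) -> Optional[str]:
    """Return package.json's "main" value, or None if unreadable."""
    pkg = pkg_dir / "package.json"
    if not pkg.is_file():
        return None
    try:
        return json.loads(pkg.read_text(encoding="utf-8")).get("main")
    except (json.JSONDecodeError, UnicodeDecodeError):
        return None


def scan_entry_file(path: Path) -> dict:
    """Count indicator hits, inline <script> bytes and byte entropy."""
    text = path.read_text(encoding="utf-8", errors="replace")
    hits = {name: len(p.findall(text)) for name, p in INDICATOR_PATTERNS.items()}
    scripts = re.findall(r"<script\b[^>]*>(.*?)</script>", text, flags=re.S | re.I)
    return {
        "indicators": hits,
        "inline_script_bytes": sum(len(s) for s in scripts),
        "entropy": round(shannon_entropy(path.read_bytes()), 2),
    }


def triage_package(pkg_dir: Path) -> dict:
    """Resolve the main entry and collect reasons for suspicion."""
    main = read_main_entry(pkg_dir)
    result = {"main": main, "suspicious": False, "reasons": []}
    if main is None:
        result["reasons"].append("no readable package.json / main entry")
        return result
    entry = pkg_dir / main
    if not entry.is_file():
        result["reasons"].append(f"main entry {main!r} missing")
        return result
    details = scan_entry_file(entry)
    result.update(details)
    if main.lower().endswith((".html", ".htm")) and details["inline_script_bytes"] > 0:
        result["reasons"].append("HTML entry point carries inline script")
    for name, count in details["indicators"].items():
        if count:
            result["reasons"].append(f"{name} x{count}")
    if details["entropy"] > ENTROPY_THRESHOLD:
        result["reasons"].append(f"high entropy {details['entropy']}")
    result["suspicious"] = len(result["reasons"]) >= 2  # assumed decision rule
    return result


def build_sample_package(malicious: bool) -> Path:
    """Constructed sample package (not the real files.zip contents)."""
    d = Path(tempfile.mkdtemp(prefix="nwjs_triage_"))
    if malicious:
        (d / "package.json").write_text(json.dumps({"name": "videos", "main": "start.html"}))
        payload = "".join(f"\\x{b:02x}" for b in b"console.log('stage2 placeholder')")
        (d / "start.html").write_text(
            "<html><body><script>\n"
            f"var s = '{payload}';\n"
            "eval(unescape(s));\n"
            "</script></body></html>\n"
        )
    else:
        (d / "package.json").write_text(json.dumps({"name": "app", "main": "index.html"}))
        (d / "index.html").write_text('<html><body><script src="app.js"></script></body></html>\n')
    return d


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_package(build_sample_package(malicious=flag)))
```

Point triage_package at a directory extracted from a suspect VHD (after showing hidden files) to get the main entry and the list of reasons; a benign nw.js app whose HTML only references external scripts yields no reasons, while the constructed malicious layout trips the inline-script, eval and unescape checks.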
bdcb5c80a664d82a28469f9fce0fbb12
ae8ae62aa04f06d32c548c2ef493a39f
82024e7af52481e71760c9d119eb903f
3515115d7efa1ac42bd56bc9348cd4f8
irymountain.com[.]ua
lesexwrecko[.]xyz
alnormatic[.]xyz