ClearFake - Malware Analysis Lab

26 minute read

Technical Analysis of ClearFake

Overview (AI generated from video):

Summary

A new malware called ClearFake is using the Binance smart chain to deliver fake browser updates and deploy the Luma C2 stealer, compromising websites and stealing sensitive information. Highlights

Key Highlights

🕵️ ClearFake malware hides in the blockchain.
🎯 ClearFake prompts users with a fake browser update.
🔍 ClearFake uses the Binance smart chain for delivery.
🛠️ ClearFake employs an “ether hiding” technique for obfuscation.
📊 Monitor SG’s analysis reveals the attack chain and indicators.
🛡️ ClearFake uses anti-sandboxing techniques to evade detection.
⚠️ The malware deploys the Luma C2 stealer to steal credentials.

Key Insights

🧩 ClearFake leverages the Binance smart chain in a unique manner, showcasing the evolving sophistication of malware tactics.
💻 By analyzing the malware’s script, researchers can uncover anti-sandboxing techniques and evasion mechanisms employed by ClearFake.
🛡️ The use of the “ether hiding” technique demonstrates the malware’s adaptability and innovation in avoiding detection and analysis.
📑 Monitor SG’s detailed analysis provides valuable insights into the attack chain and indicators of compromise associated with ClearFake.
🕵️ The presence of Luma C2 stealer in the final payload highlights the malicious intent of ClearFake in stealing sensitive information from compromised endpoints.
📈 The deployment of the Luma C2 stealer underscores the threat posed by ClearFake in terms of data exfiltration and potential further compromise.
🌐 The connection between ClearFake and the Binance smart chain reveals the increasing reliance on blockchain technology by threat actors to deliver malware and evade detection.

Transcript (AI generated from video):

00:00:00	let's take a look at some new malware uploaded to malware Bazaar so this has been uploaded by monitor SG and it has the tag clear fake now clear fake is a family of malware that's been around for about a year and it was first discovered by Randy mcen now Randy details how this malware actually functions in his blog post basically the end result is that it's going to try to prompt a user with a fake browser update now if they download that fake browser update and run the script this is going to infect
00:00:29	their computer with a different family of malware clear fake is a little bit interesting in the way that it does this so I definitely recommend that you dive into his blog post to understand more about how this malware functioned when it was discovered but it has since evolved so I also recommend that you take a look at sequ blog post the reason being is because this malware has evolved to use the binance smart chain so what it does is it actually uses a smart contract to deliver part of the JavaScript that's going to be run that
00:01:00	prompts that fake browser update now this is a technique that's been dubbed ether hiding and is a little bit novel this is actually probably the only family of malware I know that uses this technique so let's dive in and actually see how it works so based on the seoa blog post here we know that clear fake actually uses JavaScript all throughout its chain if we look at the malware bizar submission you can see that monitor SG has mentioned that there is the binance.us JavaScript on a website it has a particular binance key or a
00:01:34	particular binance identifier I should say and this is actually for the smart contract that's going to be run and then it results in a Powershell script being downloaded that then once run is going to pull down a zip and executed by the looks of things so the first thing I want to do in my analysis is take a look at this binance identifier because this is going to be identifying the smart contract that is being used in this malicious campaign now if we take this identify and go to BSC scan which is the
00:02:04	binance Smart chain scanner created by Ether scan we can actually punch this in and see the contract we can also see who created the contract and a bit more details associated with this so the creator of the contract doesn't actually have any kind of indication that this is controlled by a malicious threat actor but it is right now a contract in itself can be viewed online so we can actually go to this and compile the bik code however there's a bit of a problem and the problem is that there's a number of
00:02:36	methods that are defined that can be run and we can see that that's going to be run here but it doesn't actually give us the details about this contract when it's actually run let's actually take a look at how this smart contract works by interacting with it so we actually get something a bit more useful than just this defined method that's going to be run so I've just gone ahead and opened up my console in Google Chrome and I've created a script that's largely based off of the malicious script that's going
00:03:06	to be present on websites and I got this from the Sequoia website the script is based off of this one here the difference being I don't want to evaluate what comes from the smart contract with this eval aob and Link so aob is going to convert b64 encoded string just to give you an idea that that is going to be what comes back from the smart contract so I don't want it to do that so I've actually tailored it just a little bit what is actually going to happen is we're going to implement the ethers script because we need that
00:03:33	on our page to be able to run properly then we're going to define a provider in this case the provider is the binance.us script is doing in itself so I didn't want to change that and then we Define the new contract that we get at this case I'm just going to log it to my console once this script runs it's going to run the load function that we've defined and that is an asynchronous function right here so let's actually just run this script and we can see okay ethers is not defined so that means there's a issue with the way that I have
00:04:15	imported this particular script okay now it does function I guess in the first instance we are appending it to the page and it didn't work quick enough so it didn't actually function but we do have it here now and you can see that the response seems to be this B 64 encoded string now this is completely different to what we saw in the smart contract decompiled so let's take this over to cyers Chef and let's actually deod it so we're going to do from Bay 64 so now that we've got it from Bay 64 what I'm
00:04:42	going to do is I'm going to take it and I'm going to take it to obfuscator doio because a lot of JavaScript that's being used by malicious thread actors are just obus gated using obus gate.io this T obus gate function is going to work quite nicely to get us what we need you can see it doesn't make a lot of sense looking at it maybe we can see the starts maybe some domains that are being mentioned here but let's actually just hit D obvious Kate and better beinging better boom we have what we need so this
00:05:06	actually has now the next endpoint that this is going to be run against to pull that next stage of our payload now we can actually match this up so there is this r y rxy z and if we look here we can see R yr doxyz so monitor SG has actually laid out this attack chain pretty nicely for us so now we can actually pivot based on some of the other indicators that we have so this XYZ domain let's actually take this end point and let's take a look in something like URL scan we're just going to run a search for it and you can see there's
00:05:34	lots of different endpoints that are mentioned there are actually a few websites that come up so this a light from heaven.org if we actually take a look at this okay it says there's no screenshot available but it does look like it's based on WordPress so immediately I'm beginning to think okay maybe this website's been compromised if we look at the requests we can see the same activity that we saw before where it does use this eventually reach out to this domain but one of the other things that we haven't
00:06:03	pivoted based off of is that actual binance smart chain domain that's being reached out to because we know it's being used in this malicious campaign and how often would this actually be sitting as a smart contract to run on a website I'm going to go ahead and say barely ever if never at all so let's actually take this data seat this BSC data seat search results 100 out of 8,253 that's not great it does look like there's quite a lot of websites that have been compromised that is hosting this particular fake browser update now
00:06:42	we could actually go on to some of these and see if the behavior looks the same I'm just going to spot pick some randomly and if we take a look we've got a website looks like a legitimate website it is based on WordPress uh oh let's take a look at the requests and we can see this ether script something that would also be good to Pivot off of because without that you're not able to get the smart contract and then we see the end points and the responses associated with those end points as well and if we actually look this looks like
00:07:10	it's a b 64 encoded string so this looks like the response from that smart contract in question there so let's actually just take that one browser work correctly this looks like it might be a test it doesn't look like it's actually responding at this point in time with a B 64 encoded string that then when it decodes is going to give the Mal question but if if they were able to infect a website and then have it run this smart contract they can change what the smart contract does so taking a look
00:07:36	at these end points when they come back is going to be a good idea we've got another binance one here we have the binance.con coded string I'm going to copy all of that we're going to put this in here we begin to see a few other things of interest so this looks like it's actually a b64 HTML content that's specified and it's creating something in the page in question so let's actually take that and decode That Base 64 and see what might be displayed so it does look like there is a HTML page that's
00:08:18	specified here it does look like there's popups mentioned let's go down oh dear something went wrong while displaying this web page there was an error during the latest update of your browser version here's what you need to do to up your browser which includes running a Windows Powershell script as admin so immediately we can begin to see how this attack chain pans out it makes that connection to the smart contract and the smart contract then presents a popup that goes above the web page they're
00:08:46	trying to access to say their browser is out of date and they need to update and then as a result of that they download this Powershell script they're going to run it as administrator and then it's going to deploy malware on their system and just to show you a little bit more there are actually translation here so this is only the English popup so if you were to be in Russia it would then present it with Russian text yes it's going to get I believe Spanish and so on and so forth that the support for all
00:09:12	different languages to say that your browser is out of date and you should be running this maare script as administrator so I've gone ahead and downloaded the HTML and this would pop up over their website and the user would be sitting there going oh okay there's there's an error and it's got clear instructions what's interesting is if you click on that it's going to copy text to your clipboard so you can see it's copied the entire Powershell payload that's going to be run to your clipboard if you click copy fix so then
00:09:42	you're going to do that then you have to rightclick the windows terminal and hit the windows Powershell as admin and then you're going to run that script by pasting it in there and this is something that a user might easily be able to do and not understand what they're doing it's a little bit interesting the way that this script works if we take a look at it you can see that down the bottom there is this text to copy and it has a listener for when you click that button so it can copy text to your clipboard and the
00:10:12	entire payload that's going to be run is actually embedded within this JavaScript that gets deployed here as well unless there's an issue in which case it just says unable to copy text to clipboard but this is in the console on your browser and if we take a look at the payload that was copied to the clipboard in this instance we do see that it is using from base 64 encoded string again so looking in cyers Chef we can see that this one is actually reaching out to this other website maybe it is another
00:10:41	compromised website and it's getting the content from this cow. HTML so you are then going to be downloading that data from that cow. HTML and specifying that in the argument list and executing it so let's actually take a look at this cow. HTML just to see what this would be deploying on an endpoint so taking a look at this it does look like it is a compromised website it is based on WordPress not surprising we can actually see the payload that's going to be returned here it does look like there's
00:11:12	another zip file on the compromised website itself so if we take a look at the response there is going to be this get random sleeping then it's going to go out and download this ZIP it's going to be downloaded to a file called helper. zip it's going to be extracted and then it's going to have the executable within it run and so we can confirm that that website was actually compromised and hosting the malicious payload so let's actually dive into the Powershell script to see how this functions on an endpoint and what
00:11:44	malware it might be delivering so I've gone ahead and downloaded the Powershell script and the first thing I can see is that it's going to be using wmi so the Windows management instrumentation framework to actually get information about the thermal details on on your system so the temperature it's probably got a good idea that if it's running in a sandbox it's not going to have thermal information that shows a temperature over a certain amount but if it is a legitimate system that's running maybe
00:12:14	it does we can see environment. exit so this is anti- sandboxing technique being used here we can see that it sets the clipboard to nothing so if you got anything copied to your clipboard I guess it just gets rid of that value it then adds a Windows Defender exclusion in your app data directory and the program data directory so we can see that it does create an exclusion and it does also check to see the exclusion has been added properly then we see that it sleeps for a second and then what it's
00:12:45	going to do is it's going to be getting date I don't know why it's doing that I guess date and time is going to be used somewhere in this script we can actually take this variable and see whether it's been used and it is it's used this in this one section it's being defined in this variable here and if we take that that variable is going to be copied into this one and then this one's going to be used here in script block as so we can see that the get date function is used as well but the main thing we're
00:13:14	interested in seems to be this giant based 64 encoded data so let's actually take this and do some analysis on it because this is what's going to be deployed on an endpoint or running on an endpoint when this Powershell script is run we can tell that by this invoke method down here so let's head over to cyberchef all right I've just put in the base 64 encoded data however what we don't want is these null bites so let's remove these null bites and now we actually get the next stage of our payload it does look like it's using
00:13:42	some sort of encryption because there is mention of AES this padding mode which is pkcs7 the cipher mode which is CBC the good thing is it is kind of giving us everything we need to decrypt this unless there's something to do with the key it does look like it's using bu for the key that's being defined in K so we have to figure out what K is and K looks like it might actually be something past to this let's take this step by step and actually do some analysis so the first thing I'm going to do is try to neaten
00:14:13	up this script I might even just be able to do a generic beautify and we can see straight away this is actually given us something a little bit neater so now we can begin to do some analysis let's take this put it back into a new section in notepad++ and do some analysis so let's take this script one step at a time one of the first things I want to do is take these base 64 encoded strings and make them something a little more legible I've taken the first one and we have an output value here so this output value
00:14:39	is going to be that and we're going to take the next one and we have this value here so now we seem to have K and V defined and so that might be a key and maybe an initialization Vector e is likely to be the encrypted byes so if we take this and base 6040 code it we're probably not not going to get anything legible and we don't it's gush that's okay let's do some analysis here now we can actually see most of it is done within function B so there seems to be a bunch of defining for the encryptor we can actually see
00:15:12	that there is a Define initialization Vector which does seem to be using the value V we can also see that there is a key which does seem to be using the bytes defined in K so this is something that now gets us on our way we do have the key size and the block size and the other details associated with how encryption is playing out in this case so without going too much into the detail this kind of just looks like it's being used to convert heximal values because it does have this bite and this 16 so this is likely just being used to
00:15:45	get kind of bite representation we do have a formula that's being used down here and invoke expression being used on the output of that we kind of can see what this is doing they they haven't made this very difficult at all if we take this base 64 encoded string which is also encrypted and we punch this in here what we're going to do is we're going to do from base 64 and now that gives us the jumbled output in its raw format now what we're going to do is actually just look at K and V and how this is performing encryption within
00:16:16	this function B we have the values that we decoded so let's do an AES decrypt now the key we do have a value here this isn't in hexad decimal this is actually utf8 because we've converted it from That Base 64 encoded string and it's actually encoded in utf8 so let's take utf8 there now the IV we worked out here now this has only got numbers and letters and it only goes up to the letter F so we can immediately see that this is actually using some sort of hexadecimal so we're going to keep the encoding here as hex now we have the
00:16:50	mode as CBC and we do have the mode as CBC the actual iterations of 128 should automatically be determined based on the key and the initialization Vector that we've given it so we don't actually need to do that but the input is raw because remember this was encrypted and we went from base 64 so we had it in its raw format so let's actually change the input to raw and now it looks like we have the next stage of the Powershell script that's going to be run without too much trouble at all let's actually
00:17:20	just take this and do some analysis on this so this looks like it's getting random value it's going to sleep for however long of that defined random value then it's going to to Define your TLS or your ssl3 everything to do with a secure network connection to actually be grabbing the next stage payload and it does seem that it's going out and reaching this from this exec resource. LTD so this is that next stage which is what we saw in the malare Bazar submission so it goes out and it gets a ank dotzip and it deploys it to a
00:17:53	temporary path then from there it looks like it writes all of the bytes associated with that so the file is downloaded properly it creates a directory for it it then extracts that zip file to that directory and then it looks for any executable files in that directory gets the first executable that it finds and then it's going to use the system Diagnostics to actually execute it and it's going to execute it with a window style of hidden and start it so now we actually know where we're focusing the next part of our effort so
00:18:23	let's jump in so I've gone ahead and extracted that archive and this is what it looks like we know that it is launching the executable in this directory so this ia. exe so let's actually take a look at whether that has any antivirus results on virus total so I've uploaded it and it says oh it's a potentially unwanted program and it is signed it seems to be an MFC application this might lead people to think maybe this is just adwar but they'd be wrong and it's not a pop either I mean technically this
00:18:54	executable is but it's not the executable we're actually interested in what I'm going to do is take every single one of these dll files that are in that directory and upload them to virus total so we've got the first one we're going to do some analysis oh and we can see yep okay potentially unwanted program it is signed all right let's take the next one compare that hash potentially unwanted program it is signed this one's more interesting because it didn't verify so it actually says that it did not verify there is
00:19:23	also a mention here of one of the names was payload one when it was submitted so we you might actually have a case where this dll has been modified and is actually being used to run some malware let's keep going through so we have the next one this one's signed and it's valid we have this one it's signed and it's valid this one is signed and valid this one is signed and valid this one is a known distributor it's not signed but it is cled as a known distributor so we can look away from that one as well
00:19:54	signed I mean valid known distributor known distributor known distributor and this one is also once again signed and valid and this one's signed and valid so why is it that they're all signed and valid besides this one this incred look at ex. DL and what's up with the other files that are in this directory there seems to be an SQL file but if we use detected easy we can see it's just flagged as binary which is not something we would expect to see with an SQL file we also have a zip file surely if we look at this with detected easy
00:20:26	also says it's binary so these look like have some sort of mismatched extensions they're not actually the fil types that they are perpetrating to be so looking at the fact that we have one of the DLS that seems to have been modified to break the signed certificate associated with it and the mismatched extensions here where there's a zip file that isn't actually an archive and there's an SQL file that isn't actually a SQL database what we actually likely are looking at is Ida or hijack loader now I know this
00:20:56	from previous analysis that I've done in another video which I will link in the description below but let's actually take a look and see if we can confirm this in any way shape or form now I have actually created a rule to detect idat or hijack loader now this is based off of the research from Rapid 7 Labs it's not a complicated rule at all it's actually just looking at the constants within the payloads that are being used and deployed within Ida or hijack loader instances what it's doing is actually
00:21:25	looking for that known offset which is going to be defining the destion key and that's going to allow me to understand that this is likely IAT or hijack loader there's also a configuration extractor that rapid 7 Labs created which we will be using if we get a hit on this to understand the final payload that's going to be deployed into memory from this clear pay campaign so let's actually go ahead and do some analysis so I'm going to go ahead and open up a command prompt here and what I'm going to do is run a Yara rule against the
00:21:53	clear fake directory where we've got all of those payloads to see if there's any hits so I'm going to run Yara 6 for I'm going to give it the rule that I've created here the Shell Code loader rule then I'm going to specify that it needs to be recursive and specified against the clear fake directory and you can see straight away we have a hit on this tor. ZIP for the idat load or encrypted payload that's actually what we're going to use the rapid 7 decrypter against to try to see if we can find out what the
00:22:22	final payload being delivered into memory is so I've got the rapid 7 extractor here and it is a python script so I'm going to run this I'm going to run python we're going to run it against the idat extractor and I believe we can just specify that and a input file which is going to be used against so let's go back to our defined file here that we found and we can see it's found the exor key the config size and it's wrote the final payload to a location on our endpoint so that's great let's take a
00:22:55	look at this bin file to determine what is actually being deployed into to memory at the end of this clear fake campaign so we do have the final payload here and I'm just going to open this up in PE studio so while it performs this analysis I might hit it with a floss as well just to see if there's any kind of output from that that allows us to get more idea on what this malware is looking in PE studio now we can see a number of strings that have been found including this FTP and CMD seemingly looking strings in the binary in these
00:23:24	sections we can actually see that there is a section with this JL which is unusual and a little bit interesting so something that we could probably pivot off of to see if there's anything else that uses that section name as well and so straight away from our strings output we do see once again this Luma no work which we've seen in a previous video which is associated with the Luma C2 Steeler we actually have a good indication that this is actually Luma C2 and we can see other evidence of that as well within the binary for
00:23:54	example there is a license key number that is defined in the Luma stealer which if we look at the strings we can see the naming convention associated with that we do see that it's stealing the cookies from the SQ light database and all of that good stuff from browsers but then there is also this kind of naming convention that goes with a name a hyphen and then a identifier like this and that's a good indication that this is lumacy 2 as well when combined with that there is also mention of name equals atto which is one of the known
00:24:30	indicators of lumacy 2 as well so now based on our analysis we know that clear fake is compromising websites then is using the binance smart chain technology to deploy fake browser update to endpoints that then if someone uses the fake browser update instructions by downloading the script and running it as administrator it's going to deploy Luma C2 stealer on the endpoint that's going to steal the credentials their session tokens and all that other information that's going to then be used however it
00:25:02	wants to be used maybe it's being sold to thread actors or maybe it's being used to compromise your environment but that's it that's all I wanted to show you today thanks so much for sticking in let me know your thoughts feelings comments anything else in the comment section below don't forget to give a like And subscribe if you enjoyed this video because it didn't cost you anything and it cost me time thanks so much and I will catch you next time