Circle of the fraud: more information about Bitcoin Orcus RAT campaign

FortiGuard Labs continues to investigate a series of attacks on Bitcoin users. In our first blog, we provided a deep analysis of malicious samples from the Bitcoin Orcus RAT campaign. In this second part, we recreate the full path of a multistage complex attack, shed some light on some other activities of these criminal actors, and reveal their possible identities.

Failed attempt

Bitcointalk.org is a popular place to trade for bitcoins. In 2015 there was a simple and straightforward attack on its users. Somebody registered a domain with very similar name – Bltcointalk.org. After that, criminals distributed this fake link on Reddit.com as well as in personalized messages sent to the users of the original Bitcointalk.org. We found traces of this attack in the Archive.is database.

Figure 1. Bltcointalk.org snapshot in 2015

Fifty BTC is worth a small fortune in December of 2017. Back in May 2015, however, 50 BTC cost way less.  Nevertheless, it was still a significant amount, valued at around $11,500 USD. Obviously, the expectations of these attackers were quite high. However, this attempt ended in failure – we could not find any transactions for that specified bitcoin wallet.

Some users of the original Bitcointalk.org also claim that they received messages with a phishing link from a user of this forum. They did not notice the forgery right away, but were very suspicious since the author of these messages was a newbie who had zero posts on the forum. In the ensuing discussion, one of the users offered to restrict newbie users from sending PMs. We’re not sure if the perpetrarors of 2017 attack were aware of this case from 2015, but this time they decided to act differently.

In early 2017, the domain Bltcointalk.org expired. On October 18, 2017, however, this domain name received a new owner: somebody with the email cobainin[@]yandex.com. Two days before that, somebody with the nickname harrison801 started a new thread on the original Bitcointalk.org:

https://bitcointalk.org/index.php?topic=2271035.msg23022014#msg23022014

This newbie user wanted to buy an old bitcointalk.org account, and asked the to contact him using the same email address: cobainin[@]yandex.com:

Figure 2. Messages on Bitcointalk.org

Our suspicion was that these accounts would be used for further attacks on the users of bitcointalk.org. As we closely looked into other domains that are related to cobainin[@]yandex.com, we found several possible ways as to how users could be attacked.

YouTube

At the beginning of December, under a YouTube account using the name “GunBot Crypto Trader”, several videos in both English and Russian related to cryptocurrency trading were posted. The content of these videos was taken from other sources, but the descriptions of these videos was altered. They now contains links to several fake sites: qunthy.org, wcx.nz, githvb.com and bltcolntalk.org.

Figure 3. Malicious links in the YouTube video description

It turns out that all these fake sites are controlled by the same attackers. Clicking on any of these links leads users to the “circle of fraud,” where they will be attacked in several different ways. We decided to start our investigation from qunthy.org.

QUNTHY.ORG

Qunthy.org is a fake website that mimics gunthy.org – the original website of the GUNBOT crypto-trading bot.

If you press the button labeled “GET IT”, you will be redirected to another fake website – the already mentioned githvb.com. After that, several redirects occur:

hxxps://githvb.com/Gunbot.XT.Edition.-.Windows.package.zip -> hxxp://bit.ly/2i9qChv ->

hxxps://desfichiers.com/?j36l4b871n

At the end of this redirection chain an archive is downloaded which contains a custom-packed Orcus RAT, which was already described in our previous article.

Another vector for an attack is the “CONTACT” button. Normally, if a user hovers his mouse over a link, the legit URL is shown in the browser:

Figure 4. Fake links on qunthy.org

However, this site uses a trick here to capture users, because once a click is made the user is redirected to a completely different URL. This trick is done with use of the handler for onClick events. This handler simply rewrites the hyperlink after a mouse click:

Figure 5. Part of the source code for qunthy.org

As a result, unsuspecting users are redirected to another domain controlled by the criminals – the infamous bltcolntalk.org

hxxps:// bltcolntalk.org/index.phptopic=3D1715214.0/#/

This page is actually a copy of a legitimate bitcointalk.org thread. Part of the original links, however, have been changed to its “forged analogs”, which are already familiar to us. The bogus panel (shown in the orange rectangle on the picture below) leads to the phishing login page on the same domain.

Figure 6. Pop-up banner and bogus panel of the bltcolntalk.org

However, phishing is not the only attack vector here. After about 30 seconds another small banner pops up (shown in the red rectangle, above.)

This banner uses the same trick with onClick handler to hide its real destination. The choices shown on the banner are fictional. Regardless of which one they choose, users will simply be redirected to a malicious link hosted on the file sharing site desfichiers.com. As a result, another malicious file is downloaded (described below):

                   flashplayer27pp_ka_install.exe

Another interesting link is the “Learn more” button. It also leads to a fake domain registered under the same email address (we will come back to this link later):

hxxps:[//]adobe.br.com/flash/

flashplayer27pp_ka_install.exe

This executable belongs to the same malware family as MSIL/Orcus.KAD!tr, which we analyzed in our previous article. Here we will simply list its main features:

• It is an MSIL platform
• The payload is packed in resources with the name DVDImageBurn.Mastering
• The key used for encryption is exactly the same as used in the previous version
• “Process Replacement” is used to hide its malicious activity
• A customized version of the Orcus RAT is loaded.
• The name used to copy itself on a victim’s machine is different this time:

C:Users%USERNAME%AppDataRoamingMicrosoftWindowsDwiDeskAdobe Helper.exe

• While this malicious activity is happening in the background, the displays an Adobe GUI to distract the victim’s vigilance.

Figure 7. GUI of the malicious sample

• The C2 is also the same as in previous versions:

172.111.160.213

Taking down a C2 server – Orcus Technologies’ reaction

After publication of our previous article, FortiGuard Labs was contacted by a person who claims that he is the owner of Orcus Technologies. He wrote that he was rather disturbed by the fact that his software was being misused. He also claims that he managed to take down the server 172.111.160.213.

We can confirm that a new sample tried to use the IP 172.111.160.213 as a C2 server, but it failed to establish a connection during our dynamic analysis tests.

hxxps://adobe.br.com/flash

The domain adobe.br.com is also registered to the email address cobainin[@]yandex.com. The interface tries to mimic the original Adobe Flash Player download page, and it does so quite well, except for the fact that Flash Player version it advertises was already outdated at the time of writing.

Figure 8. Fake Adobe download page

Note that, once again, if a user hover his mouse over the “Install now” button he will see a legitimate link to the original download page. However, once again the same trick with onClick handler is used. This time, in addition to the original download page, a window with a malicious link is opened.

Figure 9. Part of the Adobe.br.com source code

This malicious link is the beginning of a long chain of redirects shown below. Why the criminals decided to use such a long chain comprised of controlled and third-party resources is not quite clear. It is obvious that the length of the chain makes it vulnerable.

hxxp://bit.ly/2Ayl3UR -> hxxps://bltcointalk.com/ddww -> hxxps://bltcolntalk.org/rrww ->

hxxp://bit.ly/2AhpAIH -> hxxps://desfichiers.com/?zqwapyjboc -> hxxps://a-4.1fichier.com/d12858225 (the last link is constantly changing)

Another drawback of such a scheme is the time required for this chain to complete because it forces the intended victim to wait longer before the final payload can be downloaded.

The payload here is the file sourcecode.vbs. This is exactly the same VBS downloader that was sent as an attachment in previous phishing emails. FortiGuard Labs described this downloader in our previous related article.

Other Activities of the attackers

We noted that all connected malicious domains were registered under different names, but they are all registered under the same email – cobainin[@]yandex.com. As a result, we decided to explore other domains registered using this email address. The list is shown below.

Figure 10. List of domain names registered by the criminals

Most of these domains have already been described before. The last three shown above are trying to mimic the bitcoin trading platform wex.nz.

There is another interesting related domain: nootropicplace.com. Since 2017-08-01 it has been protected by Privacy Protect, but before that date it was registered under the same email address as all the others.

Nootropicplace.com is a marketplace where a variety of brain stimulating drugs are sold.

Figure 11. Nootropicplace.com

While cannot comment on whether selling these drugs is legal or not, what is alarming is the fact that these drugs are sold for bitcoins, and that there is no ability to look into the addresses of the sellers to determine if they are legitimate.

Possible identity of the attacker

We also conducted an investigation in an attempt to find out more about these possible criminals. We checked the registrant names and addresses that were used for registration of the malicious domains, but we believe that this data is fictitious. Nevertheless, in addition to the fake email addresses used, the attackers left many other pieces of information that we could track.

For example, the source code of the fake bltcolntalk.org page contains a local path to where the original page was stored:

Figure 12. Part of the source code of Bltcointalk.org

So, it looks like criminals used a Windows OS with the username Scarfo.

More info was found in the Google cache. At some point there had been an advertisement attempting to sell this domain:

Figure 13. Deleted message on Bltcointalk.org

Note that if “Nickodemo Scarfo” was a real name, it would most probably  be written as “Nicodemo” – without additional “K”. Therefore, we can assume that somebody using the pseudonym Nickodemo Scarfo wished to sell this domain, but later this message was deleted and the domain was instead used by “Scarfo” himself.

Another clue is found in the domain RIGHTINQUIRER.COM. We could not find any malicious activity related to the use of this domain yet, and its current purpose is unclear. However, we found some interesting conversations on Reddit about it:

Figure 14. Messages on Reddit

Somebody using the nickname r3xxb0bb claims that he managed to buy domain rightinquirer.com. The post was written on the September 14, 2017 – the day after rightinquirer.com was registered under the email address cobainin[@]yandex.com.

Furthermore, Reddit user r3xxb0bb is also the creator and administrator of /r/Nootropicplace/

Figure 15. The Nootropicplace community on Reddit

As a result, we have now established a strong connection between r3xxb0bb and cobainin[@]yandex.com.

R3xxb0bb

This username is not popular. Therefore, we decided to search for other uses of the same username.

We found this post by the user R3XXB0BB posted on the website related to the Tucker High School's FIRST Robotics Competition Team:

Figure 16. R3XXB0BB’s post on sparky384.org

In addition, the same username is used by this YouTube account:

Figure 17. Youtube.com/user/r3xxb0bb

As can be seen, this user is also interested in robots and uses the name “Bobb Shires”.

So we checked the registration records for the domain sparky384.org. While most of fields were obfuscated with the service gandi.net, the Registrant Name is specified as Robert Shires.

Figure 18. Whois information for Sparky384.org

We were also able to find the Facebook group of Sparky384. One of the users who has “liked” posts in this community was “Bobb Shires.” One of his profile pictures depicts a middle-aged man who looks the same as the man shown in the Sparky384 team group photo.

Figure 19. The Bobb Shires profile and Sparky384 team photos (photos intentionally blurred)

As a result, we believe that “Bobb Shires” is a real identity and not simply pseudonym. Note that the only connection “Bobb Shires” currenly has with Reddit account “r3xxb0bb” is the same username. While the username itself is quite unique, we still wanted to find more connections.

As a result, we read all the posts of Reddit user r3xxb0bb and found this Reddit thread. In this thread r3xxb0bb and another user discuss the isolation of a robot controller. More important than thread itself, however, is found in the subreddit r/FRC – FIRST Robotic Competition. This is the same competition in which Sparky384 took part.

Figure 20. R3xxb0bb’s post on reddit.com/r/FRC/

Conclusion

FortiGuard found several malicious domains that were used for phishing and the spreading of the custom-packed Orcus RAT. We traced this malicious activity to the Reddit account r3xxb0bb. We believe that there is a strong possibility that this account was used by someone identifying as “Bobb Shires” on January 24, 2016. However, we cannot confirm whether this account is still used by him. Because the criminals related to cobainin[@]yandex.com tend to buy aged accounts on different forums, it is possible that they somehow managed to gain control over this account by, for example, stealing the user’s passwords and identity, or simply bought it. If this is the case, then it serves as a perfect example as to why you should be concerned with your cybersecurity and protecting your identity, even if you believe that you have “nothing to lose”.

-= FortiGuard Lion Team =-

IOC

6554fabddabac2b14cb3209393a13471e7fe985750f1a9a8f030d1ebbc8dff35 – MSIL/Orcus.KAD!tr

C&C

172.111.160.213

Malicious Domains:

ADOBE.BR.COM

BITCOLNTALK.COM

BITCOLNTALK.ORG

BITLFY.COM

BLTCOINTALK.COM

BLTCOINTALK.ORG

BLTCOLNTALK.COM

BLTCOLNTALK.ORG

GITHVB.COM

QITHUB.ORG

QUNTHY.ORG

WCX.NZ

WEX.AC.NZ

WEX.MS