2023-01-03 (TUESDAY) - GOOGLE AD --> FAKE NOTPAD++ PAGE --> RHADAMANTHYS STEALER

NOTES:

ASSOCIATED FILES:

 

2023-01-03 (TUESDAY) GOOGLE AD --> FAKE NOTEPAD++ PAGE --> RHADAMANTHYS STEALER

NOTES:

- The Google ad for this infection chain did not hide the fake Notepad++ site (malicious site was visible in the ad).
- Hasankahrimanoglu[.]com[.]tr was used before in December 2022 for the same type of fake Notepad++ site.
- The downloaded zip contains a Rhadamanthys Stealer EXE inflated to approx 802 MB and a folder with unrelated files.
- This infection process used an image with data hidden through steganography, but I don't know what this data is.
- After the steganography image, the infection switched to websocket traffic to encrypt the post-infection traffic.
- Special thanks to @500mk500, @da_667, and @ex_raritas for identifying this malware!

GOOGLE AD URL:

- hxxps://www.googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwiDiu-13Kv8AhWkE9QBHa7UADwYABACGgJvYQ&ae=2&ohost=www.google.
  com&cid=CAASJORopA-3gIku5H1e8Y7FuoHCKJjSFjgbPRpqoj2ZKXrbPcnfRQ&sig=AOD64_2JnosseZ0C9qLEszOg47HtRfUYig&q&adurl&ved=2ahUKEw
  jup-i13Kv8AhVckmoFHeyWDP8Q0Qx6BAgKEAE

FAKE NOTEPAD++ SITE:

- hxxps://noteepad.hasankahrimanoglu[.]com[.]tr/

ZIP DOWNLOAD URL:

- hxxps://noteepad.hasankahrimanoglu[.]com[.]tr/ing.php

DOWNLOADED ZIP ARCHIVE:

- SHA256 hash: 56840aba173e384469ea4505158eead4e7612c41caa59738fcf5efe9b2e10864
- File size: 69,728,905 bytes
- File name: Nottepaad_lastNeWx32x64.zip

EXE FOR RHADAMANTHYS STEALER EXTRACTED FROM ABOVE ZIP ARCHIVE:

- SHA256 hash: 8d0e8bafffed28f5c709a99392f7ab42430635839f7aba92a01c956c10702c8f
- File size: 802,160,640 bytes
- File name: Noteppad_SettupX32iX64.exe
- Note: This file has more than 801 MB of extra bytes to make the EXE too big for services like VirusTotal to analyze.

RHADAMANTHYS STEALER EXE CARVED TO REMOVE PADDING:

- SHA256 hash: af67a6bd0baf78191617c97aad2d21b7d6133e879c92c97b1b1345d629f79661
- File size: 333,344 bytes
- File name: Noteppad_SettupX32iX64-carved.exe
- Analysis: https://app.any.run/tasks/96a0206a-5683-47c1-9804-04aff3c55228
- Analysis: https://tria.ge/230103-tr9agsfb8w

POST INFECTION TRAFFIC:

- 162.33.178[.]106 port 80 - 162.33.178[.]106 - GET /gjntrrm/zznb2o.hgfq
- 162.33.178[.]106 port 80 - 162.33.178[.]106 - GET /gjntrrm/zznb2o.hgfq

NOTES ON THE POST-INFECTION TRAFFIC:

- The first HTTP GET request returns a 929,566 byte .jpg image that's 95x120 pixels and has obfuscated or encrypted data,
  so it seems there's steganography involved here.

- The second HTTP GET request upgrades the traffic, switching to encrypted websocket activity.

STEGANOGRAPHY IMAGE:

- SHA256 hash: c4b7e2de87630bde08e367c75d9a2b9ae79b1d4f03ee8014531239c9597efc2e
- File size: 929,566 bytes
- Location: hxxp://162.33.178[.]106/gjntrrm/zznb2o.hgfq
- File description: JPEG image 95x120 bytes
- Note: Same size, but different file hash seen from infections on at least 2 different Win10 hosts. 

 

IMAGES


Shown above:  Google ad leading to fake Notepad++ site.

 


Shown above:  Downloading zip archive from fake Notepad++ page.

 


Shown above:  Downloaded zip contains padded EXE for Rhadamanthys Stealer and folder full of unrelated files.

 


Shown above:  Microsoft Defender did not like the Rhadamanthys Stealer EXE.

 


Shown above:  Rhadamanthys Stealer post-infection traffic filtered in Wireshark.

 


Shown above:  First HTTP GET request returned steganography image.

 


Shown above:  Steganography image exported from the pcap.

 


Shown above:  Rhadamanthys Stealer data exfiltration through websocket traffic.

 

Click here to return to the main page.