
Minerva Labs Blog


Become A VIP Victim With New Discord Distributed Malware

Threat actors are always looking for ways to avoid detection, and one of the most popular techniques is to hide malicious network activity behind legitimate services. A recent trend is to abuse Discord (the game-centric text and voice chat platform) and its content delivery network, cdn.discordapp.com, as a payload distribution platform: traffic to it looks like ordinary chat attachment downloads, and URL-based blocking is impractical because the host is shared with legitimate users.

A new malware (named "VIPSpace.exe" in the wild) recklessly installs up to 25 different malware samples on a victim PC, frequently leaving the infected machine unusable.

The first stage is a self-extracting archive that drops and executes the next module, VIPSpace.exe. VIPSpace.exe then connects to Discord's CDN, downloads a file with a .bmp (bitmap) extension, and writes it to disk with a .dll extension. The "bitmap" is in fact an encrypted executable: it is neither a valid BMP (no "BM" header) nor a valid PE (no "MZ" header) on disk. VIPSpace.exe decrypts it in memory and loads it reflectively, so the decrypted module never touches the file system.
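The two on-disk artifacts in this stage (a Discord "bitmap" that is not a bitmap, then the same bytes renamed to .dll without an MZ header) are cheap to catch with a content-versus-extension check plus a byte-entropy estimate, since encrypted payloads have a near-uniform byte distribution. The following is an added example (not Minerva's or the malware author's code) that implements that check; the magic-number table, the entropy threshold and the three sample files are constructed for the example.

```python
"""Flag files whose extension does not match their content, and unknown
high-entropy blobs (encrypted or packed payloads).

Added example, not code from the original article. The magic-number table,
the entropy threshold and the sample files below are assumptions made for
the example.
"""
import math
import os
from collections import Counter
from typing import Optional

# Leading bytes for the formats seen in this campaign (assumed, not exhaustive).
MAGIC = {
    b"BM": "bmp",
    b"MZ": "pe",
    b"\x89PNG\r\n\x1a\n": "png",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}

# Extension -> content type we expect to find behind it.
EXPECTED = {".bmp": "bmp", ".png": "png", ".dll": "pe", ".exe": "pe"}

ENTROPY_THRESHOLD = 7.2  # bits/byte; ciphertext and compressed data sit close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_type(data: bytes) -> Optional[str]:
    """Identify the content by its leading bytes, or None if no magic matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def check_file(name: str, data: bytes) -> list:
    """Return the findings for one file; an empty list means nothing odd."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    actual = detect_type(data)
    expected = EXPECTED.get(ext)
    if expected and actual != expected:
        findings.append(f"{name}: extension implies {expected}, content is {actual or 'unknown'}")
    ent = shannon_entropy(data)
    if actual is None and ent >= ENTROPY_THRESHOLD:
        findings.append(f"{name}: unknown format with entropy {ent:.2f} bits/byte (encrypted or packed?)")
    return findings


# Constructed samples (not the real campaign files): a minimal BMP header,
# an MZ stub, and a renamed "DLL" with a perfectly uniform byte distribution.
SAMPLE_BMP = b"BM" + (58).to_bytes(4, "little") + b"\x00" * 4 + (54).to_bytes(4, "little") + b"\x00" * 44
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_ENCRYPTED = bytes(range(256)) * 16  # entropy exactly 8.0, no recognisable header

SAMPLES = {
    "E_PL_Client.bmp": SAMPLE_BMP,       # a genuine bitmap passes
    "VIPSpace.exe": SAMPLE_PE,           # a genuine PE passes
    "E_PL_Client.dll": SAMPLE_ENCRYPTED, # the Discord payload after being renamed
}


def scan(samples=SAMPLES) -> list:
    """Run check_file over a name -> bytes mapping and collect all findings."""
    out = []
    for name, data in samples.items():
        out.extend(check_file(name, data))
    return out


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

On real systems the same logic runs over new files in user-writable paths (Temp, Downloads, AppData); a .bmp or .dll that starts with neither "BM" nor "MZ" and scores near 8 bits/byte is worth quarantining before anything reflectively loads it.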

The DLL accesses http://37.0.11[.]8/server.txt to get the IP address of a C&C server. 


[Figure: the C&C IP address returned by server.txt]

After a successful connection to the C&C server, the in-memory module disables Windows Defender by setting the following policy values (each as a DWORD of 1) under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender. Note that on Windows 10 systems with Tamper Protection enabled Defender ignores these policy writes, so the registry events remain a strong indicator of tampering even where they do not succeed in disabling the product:

  • Windows Defender AV - HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
  • Automatic Remediation - HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
  • Behavior Monitoring - HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
  • Active Monitoring - HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
  • Process Scanning - HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
  • Real Time Protection - HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
  • Downloaded Files and Attachments Scan - HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
  • Raw Volume Write Notifications - HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
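Because these writes land under the Defender policy key, they show up as Sysmon Event ID 13 (RegistryEvent: Value Set) records with the writing process in Image. The following added example (not Minerva's code) triages such records against the eight values listed above; the records themselves are constructed and use the field names Sysmon emits (Image, TargetObject, Details). Only non-zero DWORD writes are reported, since writing 0 re-enables the feature and is what a policy refresh does.

```python
"""Flag Sysmon Event ID 13 (RegistryEvent: Value Set) records that switch
off Windows Defender through the policy values listed above.

Added example, not code from the original article. The event records are
constructed; the field names follow Sysmon's schema.
"""
import re
from dataclasses import dataclass

POLICY_ROOT = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
RTP = POLICY_ROOT + r"\Real-Time Protection"

# The eight values the in-memory module writes, mapped to the feature each disables.
DEFENDER_KILL_SWITCHES = {
    POLICY_ROOT + r"\DisableAntiSpyware": "Windows Defender AV",
    POLICY_ROOT + r"\DisableRoutinelyTakingAction": "Automatic Remediation",
    RTP + r"\DisableBehaviorMonitoring": "Behavior Monitoring",
    RTP + r"\DisableOnAccessProtection": "Active Monitoring",
    RTP + r"\DisableScanOnRealtimeEnable": "Process Scanning",
    RTP + r"\DisableRealtimeMonitoring": "Real Time Protection",
    RTP + r"\DisableIOAVProtection": "Downloaded Files and Attachments Scan",
    RTP + r"\DisableRawWriteNotification": "Raw Volume Write Notifications",
}

DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")  # Sysmon's Details format for DWORDs
HIVE_ALIASES = {"hkey_local_machine": "hklm"}             # Sysmon writes HKLM; .reg exports use the long form


def normalize_path(path: str) -> str:
    """Lower-case the path and fold the hive name so both spellings compare equal."""
    hive, _, rest = path.partition("\\")
    hive = HIVE_ALIASES.get(hive.lower(), hive.lower())
    return hive + "\\" + rest.lower()


LOOKUP = {normalize_path(k): v for k, v in DEFENDER_KILL_SWITCHES.items()}


def dword_value(details: str):
    """Parse 'DWORD (0x00000001)' into an int; None for any other value type."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


@dataclass(frozen=True)
class Finding:
    image: str       # process that performed the write
    component: str   # Defender feature being disabled
    target: str      # registry value path as logged
    value: int


def triage(events) -> list:
    """Return one Finding per event that sets a Defender kill switch to non-zero."""
    findings = []
    for ev in events:
        component = LOOKUP.get(normalize_path(ev["TargetObject"]))
        if component is None:
            continue                      # not one of the Defender policy values
        value = dword_value(ev["Details"])
        if not value:
            continue                      # non-DWORD, or 0 (feature re-enabled): not tampering
        findings.append(Finding(ev["Image"], component, ev["TargetObject"], value))
    return findings


# Constructed Sysmon Event ID 13 records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\AppData\Local\Temp\VIPSpace.exe",
     "TargetObject": RTP + r"\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\VIPSpace.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\System32\svchost.exe",   # policy refresh restoring the default
     "TargetObject": POLICY_ROOT + r"\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\VIPSpace.exe",   # persistence; a different rule's job
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Local\Temp\VIPSpace.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.image} disabled '{f.component}' via {f.target} = {f.value}")
```

In production the Image field is the useful pivot: these values are legitimately written by Group Policy processing, not by an executable in a user's Temp directory.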

The malicious DLL then contacts the C&C server again to fetch an encrypted list of URLs. After decryption it becomes clear that each URL hosts a different malware sample that will be downloaded and executed. The malware's authors implemented a multithreaded download routine so that all payloads are fetched in parallel, speeding up the infection.


[Figure: the multithreaded download routine]

After investigating the files dropped by this malware, most turned out to be either benign or well-known commodity and open-source families, such as RedLine Stealer. Each download nevertheless yields a uniquely generated sample, so the hashes differ from victim to victim. When analyzing this sample, we could not help but notice that it was written by an amateur, as evidenced by the following:

  • Downloading such a large number of payloads onto one PC will most likely crash the system, which defeats whatever purpose the threat actor had in mind.
  • Downloading several variants of the same family (four variants of RedLine, two variants of BlackNet RAT) is redundant.
  • Writing the encrypted payload to disk with a .dll extension, even though it is not a valid PE file, creates a detection opportunity.
  • No significant evasion techniques were implemented in the malware.

Even though this malware lacks sophistication, we cannot know what threat actors will plan in future attacks. Services such as Discord let attackers stage an array of malware types for the second stage of an attack (here, the "BMP" file downloaded from Discord's CDN), and such campaigns rely on the generally reactive, signature-driven posture of most defenses.


As seen in the image below, Minerva’s pre-emptive approach stops the attack before the malicious payload is downloaded from Discord. Our unique patented technology stops the attack at the initial stage, which is critical for preventing any further damage down the line. 

[Figure: Minerva's prevention event for the initial stage, before the Discord payload is downloaded]

IOCs:

URLs:

  • https://cdn.discordapp[.]com/attachments/873056123240972371/875681686568992788/E_PL_Client.bmp
  • http://93.95.98[.]5/base/api/getData.php 
  • http://37.0.10[.]214/EXT/minepass_settings.png 
  • http://37.0.10[.]214/WW/file1.exe
  • http://37.0.10[.]214/WW/file5.exe
  • http://37.0.10[.]214/WW/file4.exe
  • http://37.0.10[.]214/WW/file8.exe
  • http://37.0.10[.]214/WW/file7.exe
  • http://37.0.10[.]214/WW/file2.exe
  • http://37.0.10[.]214/WW/file3.exe
  • https://fsstoragecloudservice[.]com/campaign1/autosubplayer.exe
  • https://cdn.discordapp[.]com/attachments/879422002287493133/879653243217670164/app24.bmp
  • https://cdn.discordapp[.]com/attachments/879422002287493133/879423887002206228/Passat.bmp
  • https://cdn.discordapp[.]com/attachments/879422002287493133/879423620030550088/Real231.bmp
  • https://a.goatagame[.]com/userf/2201/snakehi.exe
  • http://37.0.10[.]214/WW/fileT.exe
  • http://37.0.10[.]214/WW/PB14s.exe
  • http://hockeybruinsteamshop[.]com/pub1.exe
  • https://cdn.discordapp[.]com/attachments/879433223103459409/879433370159968306/Setup2.exe
  • https://cdn.discordapp[.]com/attachments/879422002287493133/879653242093600808/sfx_123_201.bmp
  • https://cdn.discordapp[.]com/attachments/879422002287493133/879685414934417479/R24.bmp
  • https://cdn.discordapp[.]com/attachments/879422002287493133/879653239560228884/help24.bmp
  • https://cdn.discordapp[.]com/attachments/879422002287493133/879653236993318933/Falioca24.bmp
  • https://cdn.discordapp[.]com/attachments/870454586861846551/870548989903274054/jooyu.exe
  • https://2no[.]co/2GSVH6
  • http://privacytoolz123foryou[.]xyz/downloads/toolspab2.exe
  • https://cdn.discordapp[.]com/attachments/879422002287493133/879423245999276102/VerminateMechanize_2021-08-18_15-57.bmp
  • https://7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws[.]com/offer/GameBox.exe

 

Hashes:

  • d05cb3a734aaa9d090be20fbaeddf8069a829fa78c44dd8378a2350c1510e1fc (VipSpace.exe)
  • DDE32911345A4C9D54355C6D57A72C5177D2A46CB0C507121E3709CADFCC9B44 (minepass_settings.png)
  • B483FE7D29CE8EEDCB3E1EC061E0F45BC44D0B48E4F21EAAF67A063388314FF7 (file1.exe)
  • 8B57CD06470E93ABF9EA61E86839A3F7EB3B13FBB37C5FEC34888652A65185C3 (file5.exe)
  • F4EC629473FBE96FA82FE1C1E30E6784144163D662E1C977ACF5BC1D62B20C0B (file4.exe)
  • E1CBEBC0C9A675CA172E7DE1908991F7B0BD0866C1BEA9404AE10BC201DE0FE6 (file7.exe)
  • CB54B6471597A9417BCC042D0F0D6404518B647BD3757035A01E9DE6AA109490 (file2.exe)
  • 9460FFE580332FE64BB4F35BB63DC6A4302F3613718A04DC0986CEA989160039 (file3.exe)
  • EEC05DC9ADE2A7EE74EA5FB115BDD687B457D1F81841238A61E9775D6CC4BFA6 (fileT.exe)
  • B9025AEF29F9F9D3126D390E66DF8C55A9C9F7C15520F9A59A963932EE86B815 (PB14s.exe)
  • 57381B4DE751F07C4537E2BECBB0F5C93A23897AA1BF1F0274E05F3FF4FD62F5 (toolspab2.exe)
  • DBD9CFA3D9B4E482EE79E7726E95168A5E27BB0482A0E4744A1E1C56D75F1C32 (ebook.exe)
  • 6D4B28002FC36B27DFDCA0FBD886C73704950EE88B14B805512A938F423D7E1C (autosubplayer.exe)
  • 98C781B3FD15D6C7C7624AA1A0C93910DD5D19722A1D9B8CB1C7B9673D311090 (app24.bmp)
  • DAB2A18DF66F2E74D0831A8B118DE6B9DF2642AC939CBAD0552E30696D644193 (Passat.bmp)
  • 3593247C384586966E5A0E28EB4C4174B31E93C78C7A9E8FEF96EC42A152E509 (Real231.bmp)
  • CA46080E121408D9624322E505DC2178BA99E15871C90E101B54E42EA7B54A96 (snakehi.exe)
  • 57FB96B12DB08B18906CE22C7E55B81A214EDE326166E772AE87412281044497 (pub1.exe)
  • 01550EE84AC5A220197177182FD2F3F9C9E845B416D06A384384E3CD62ECB569 (Setup2.exe)
  • 4B95FF6312411ED2EEC0DC2FDB251D985B6E9892E1B2F61AADB94DEA1B3EEB13 (sfx_123_201.bmp)
  • 1583FCEEAE47160FD37427A55F1D2122F3654E528E29C55D64DF145122515A55 (R24.bmp)
  • 15AD913C094CD58FFFA2067D86B75CF08FBCAC95C16C2D68BAB5B3498F059E31 (help24.bmp)
  • 963989F4B4D6E2D7C2281992AE5D62966726E81B5070B792399C7FD2017CA5CA (Falioca24.bmp)
  • 8CFA7E9BC6CBD458CEC18A25E6F763A3776802490E6B3D451D864C4DBA50C437 (VerminateMechanize_2021-08-18_15-57.bmp)
  • 857DD46102AEA53F0CB7934B96410EBBC3E7988D38DCAFDC8C0988F436533B98 (GameBox.exe)
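The indicators above are defanged ("[.]"), and several of them sit on a legitimate shared host (cdn.discordapp.com) that cannot simply be blocked. The following added example (not Minerva's code) refangs a subset of the URLs and hashes listed on this page and matches them against proxy log lines and a file-hash inventory; the log lines, their field layout ("<timestamp> <client-ip> <method> <url> <status>") and the inventory are constructed for the example. An exact URL hit or a hit on a single-purpose host is a block decision; a host-only hit on a shared service is only flagged for review.

```python
"""Refang the IOC list above and match it against proxy logs and a file inventory.

Added example, not code from the original article. The IOCs are a subset of
the ones on this page; the proxy log lines, their format and the hash
inventory are constructed.
"""
from urllib.parse import urlsplit

DEFANGED_URLS = [
    "https://cdn.discordapp[.]com/attachments/873056123240972371/875681686568992788/E_PL_Client.bmp",
    "http://37.0.11[.]8/server.txt",
    "http://93.95.98[.]5/base/api/getData.php",
    "http://37.0.10[.]214/WW/file1.exe",
    "http://hockeybruinsteamshop[.]com/pub1.exe",
]

HASHES = {  # sha256 -> file name, taken from the list above
    "d05cb3a734aaa9d090be20fbaeddf8069a829fa78c44dd8378a2350c1510e1fc": "VipSpace.exe",
    "B483FE7D29CE8EEDCB3E1EC061E0F45BC44D0B48E4F21EAAF67A063388314FF7": "file1.exe",
    "57FB96B12DB08B18906CE22C7E55B81A214EDE326166E772AE87412281044497": "pub1.exe",
}

# Legitimate shared services: a host-level hit alone is not a block decision (assumed set).
SHARED_HOSTS = {"cdn.discordapp.com"}


def refang(indicator: str) -> str:
    """Undo the common defanging conventions so the indicator can be compared."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_index(defanged):
    """Return (exact_urls, hosts), both lower-cased, from a defanged URL list."""
    urls, hosts = set(), set()
    for ind in defanged:
        url = refang(ind)
        urls.add(url.lower())
        hosts.add(urlsplit(url).hostname.lower())
    return urls, hosts


def match_log(lines, urls, hosts):
    """Return (line, verdict) pairs; verdict is 'block' or 'review'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue                      # malformed line: skip rather than guess
        url = fields[3]
        host = (urlsplit(url).hostname or "").lower()
        if url.lower() in urls:
            hits.append((line, "block"))  # exact campaign URL
        elif host in hosts:
            hits.append((line, "review" if host in SHARED_HOSTS else "block"))
    return hits


def match_hashes(inventory, known=HASHES):
    """inventory: path -> sha256 in any case. Returns path -> IOC file name."""
    lookup = {h.lower(): name for h, name in known.items()}
    return {path: lookup[h.lower()] for path, h in inventory.items() if h.lower() in lookup}


# Constructed proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2021-08-18T15:58:01Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/873056123240972371/875681686568992788/E_PL_Client.bmp 200",
    "2021-08-18T15:58:03Z 10.0.0.5 GET http://37.0.11.8/server.txt 200",
    "2021-08-18T15:58:09Z 10.0.0.5 GET http://37.0.10.214/WW/file9.exe 200",
    "2021-08-18T16:02:11Z 10.0.0.9 GET https://cdn.discordapp.com/attachments/1/2/wallpaper.png 200",
    "2021-08-18T16:05:00Z 10.0.0.7 GET https://example.com/ 200",
]

# Constructed file inventory (not real hosts); hashes arrive upper-cased from the tool that produced them.
SAMPLE_INVENTORY = {
    r"C:\Users\victim\Downloads\setup.exe": "D05CB3A734AAA9D090BE20FBAEDDF8069A829FA78C44DD8378A2350C1510E1FC",
    r"C:\Windows\System32\notepad.exe": "0" * 64,
}

if __name__ == "__main__":
    urls, hosts = build_index(DEFANGED_URLS)
    for line, verdict in match_log(SAMPLE_LOG, urls, hosts):
        print(verdict.upper(), line)
    for path, name in match_hashes(SAMPLE_INVENTORY).items():
        print("HASH", path, "->", name)
```

The file9.exe line is caught on the host alone because 37.0.10.214 serves nothing legitimate, whereas the wallpaper.png line on cdn.discordapp.com is only queued for review; that distinction is the whole reason abuse of a legitimate service is attractive to the attacker.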

 

Resources:

https://news.sophos.com/en-us/2021/07/22/malware-increasingly-targets-discord-for-abuse/
