<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=179060&amp;fmt=gif">

Minerva Labs Blog

News & Reports

Preventing Fake Software Installers with Minerva Labs

Fake installers are on the rise, and it is not a coincidence. This opportunistic method of infection is getting increasingly popular because of the ease of creating new and obfuscated payloads automatically, which are detected by AV vendors with a delay a few hours up to a few days.

A fake software named “LideEx Converter” embeds itself in many of these fake installers. The sample we analyzed tried to masquerade as a fake “Among Us” installer (a popular online game).

The setup binary creates the directory “LideEx Converter” inside the “Programs Files” directory and stores its initial payload there under the name LideEx.exe.

When executed, the malicious software sends information about the infected machine to its C&C server at http://opengolad[.]com/v2/events which in turn sends additional malicious payloads.

The fake installer is signed with an invalid signature issued to “Lespeed Technology”:

In our case the installer dropped a version of RedLineStealer, a notorious info-stealer that targets browser saved credentials and cryptocurrency wallets stored on disk.

A detailed technical analysis of the payload was done by Proofpoint and can be found here.

RedLineStealer searches for the file addinprocess32.exe in the .NET installation directory and injects its payload into a newly spawned instance of the process. The injected payload then collects sensitive data and sends it back to an attacker-controlled server, whose address is hardcoded in the malware’s binary.

Minerva labs blocks RedLineStealer with our Memory Injection Prevention module:

In addition, Minerva also protects from the initial downloader with our Vaccine module, by simulating the malware’s internal kill-switch mechanism:

 

IOCs:

C2:

http://opengolad[.]com/v2/events

http://185[.]153[.]198[.]117/IRemotePanel

Files:

%ProgramFiles%\LideEx Converter\LideEx.exe

Mutexs:

FVSDFSDFAFSDFDSF

Hashes:

e0facc32daf7f30516535ea4c2726e6aa1aa9823eb08cf5e0dc6071f6ce13c86

b1ea0583b34d56d002285036b462962d0d9858c58d812816482ca03b196f3925

b6c176dfadd4417706daeb770bd96dd710f245313ea2db07b4f3bbf1f4fdd0b2

d129ecc89d72cf1481b0f02e0b05e70121e780016a17665783507cb60e204d17

78a1e59d4eb9c30bc511bf5ccaab268c3d7de3d330af59d2f741546514dbc194

613ffac0bf60dbae47adb42a93310d9457a54cc98c084b2ea567d8c1a4f27afa

643ff5bcaae90e67b88582884db6d08e681bf13d68a0eeebb8f65cbef6998aac

b249b9e8991eb647ec697f1dcc93b8ef453bafdc7e53e5d0a10ae739cd9aecda

7f044fd9de62563bcc2e18dc2cf0587df9660d35d239cd75fb6fd136e57c4311

f6a42d441b3f22efb7cdc7cb10e407284a29d331acb62cc8ec78ad17fddf1163

468098c30772a9caa5390797f6f77228275870cab4def7e758ea8f1aa0b95109

e3bf21c529c8a9c1d4476c79c88a25fe7cf6e79803720e1f2cc4d47358caae8e

eb42084cc15beda80f94bd5e048c4e49091020c214236c26c1aede71cf8b32c1

c4c730717bafa7505b5e2fe47895f4287045665cabb423804d110ae1288461a4

8f5f7b383dc75b64b92bb56ce65bd39d54bc0236ba5e5f5afdafb930f3909894

f60c5c8f1384572eab6856374d7d9fb2137e618c414b5ce6df32f2e38088b884

9997364ea75a2ca4d712dcd57b155536e08dd9c81ab81e9339d52303f99ba793

08aaa66f7246411556c2792fc312d28d08c0e462694417647865286788bdd16e

9baf44355bdbd0b6a74e0148aae40bc516e7265908cd34e351c1de579d8e28af

c120d1b207f46951444a9f0e2efd362c4f4ec8b1be4d1d435f47c2b015ce0b34

222eb41ecce5abb4aa105a86b44ba934a95fc322cc5a6ef6df577fde477241a6

12a9283f64b7cd6e19a27b0a2be5cce28d8b6bb9bcce8af37c4b3d8b3085761c

83591531a98c3d32c7ac24763cb640898bb2e95cf40742ddd00233fa0314676c

d09f773d807c70109f3a2a096f1132ab6f31a7c7f4cb34d187a92e89bf2e7c56

385aabfb3add16bd2301ca3f5bcecf354ffecf18b93d160c17ca812776c0732e

a319d5c0bbd01683ec5c4ecfe473d28e9601d5b13cdc9df8a2116284c932908c

615198cf9916591531ba2ad39c570222600f62a33f18cdfe9fdf99275e80213f

66416f10bb58e82be99c324d35ad523a1832cb59e15fd3451b26b8872469fe00

5a929292cdaa74324cbabe6663b52adfca7084e68de2ebec0e785092d9d040e8

e20b1773a15024d9c7224f51ded46b8f5d86635950f679ca3d4deb43c57db897

5a811fe42aac7dc422783f2fe1e8843a7f99d32bf4269ed196817b4592fba3d2

5f057c771acdf7b7ff0daccb09016a1bfea520407b4e6add8efbc144f1b6db50

01c582866437f54aea01956d3618df51726ed1052892a1bdefbd17632f8648b6

c2f9ef15906e57d8d0f848a4e3434cb04e5040bd4f8b7c521924a08acd39c398

73a04c2b61b0ed9a8c485398ac007603fac262358019d7d8bbc3cd724aaeeacc

386ffaeecc46f5e6e93478775e39f2b1909f57dd471e1ccd5f7e772a136ed0cf

f3e2d9d6da96371dce18aa74e90566397e266ff28d4a4f0ecb9abaf62b6264c5

60aba06dbd72b85a13d3f1ebef3ec3b30cde9e00bc33372d187aa5b7e345a273

847749589e6c400a811091a5340baedfdd02a2407618135bffe872b3fb445393

3376937fbcb173ba896d1e56980df5bb0ccba44a0476386bc9548bba0f345e3a

d087ed6f46922eebe56b0cb62e04a66bee779a00747d7c0ad5b7ee53310e062d

e8da1de4975e342502ba4c75ec116779e2ed2b67d223eacac95610ef948af9c9

6651d631634f613d410e1a96add46e72cbea11571e9835397559a36ea6aee2b8

f10b4d13b98a9720c90f83b9389e7b1fbf8cf7d7b7933a97f3e70ce157bcdb99

bdf68ec8f76c8337fb7d2d0780ccb512604fcd0b59adcc50015d4bf791d5ef23

f63482d6c7345f24d479b9441545d1b90cd33a1d67426b77223dc209227c59a7

5966717ab01a556464157fd33d963db53a51fd7ee5c559c64bdd79c1febd2727

63263e5eec6ac09aaf32e386e0913630f29f0c8e4745eb34fac81afd862f007a

00bc5178f7c5feb636fbbb655a92fa44e0449622cb6f4bebf9f8d429d696c841

24a8a78aba174ffbef4fa04b56ccbc5245995c1b202d8b1af85d86eccb0abc2b

353e9f2d0692b479e4c4077a5d531aa4aa15081ba08ba24f696963b65b6fd198

7cc08c93b401c585478321325e5745e45ebe01dad64128bdd96b8652cec40731

9f7b56be18f48ed445a7f23744f8dd7d765ec5f29e4bda66e915561fed16f912

c2cdc5e4e0656f3fb0e0058b0c39fd13848d703601def84860f85f5ba94457e0

d0568d7ff072270474ba4140a46d673861a62d996f3e4d2e2d749c0690b2fba7

e20b648c64b4c79f4c0939c7611f103f79363e9c6e26886050dae268f451ad38

3e099f9fcb13bd87ad38551a5ee12b8807bb831e9952b5f55a1a22f8615c4cf2

f28257c52c68f51218efdcb5fb5df1ef422a7c0a54c645e28fded537d1c43db2

424dfcf34a9379ecf400097192bff5095169e2f7308e982d46e156829fb844a3

9aef143b2598f14f2f48049301da99275e4a0f86b54d4e816f3a58314d1cefa7

23e33c00d128ee097f551adf4653fd2b84311d60978fcc45960d11f18ef4ad3e

bb52d57fd2d6176b5b5ed2ee0cfef69bb32825dffa441f977765bb4e274cec5f

b1ea0583b34d56d002285036b462962d0d9858c58d812816482ca03b196f3925

d129ecc89d72cf1481b0f02e0b05e70121e780016a17665783507cb60e204d17

b023448afbb8a58c2787e5a3ce5d8de5405f75cce232f16bc5b47b8d75a2bdcb

 

 

Subscribe to Our Blog

Topics

see all