PsiXBot: The Evolution Of A Modular .NET Bot
In this blog we will share our analysis of a modular piece of malware which is referred to by its author as PsiXBot. The malware first surfaced in 2017 but has recently undergone significant development of its core and modules, which now include keystroke logging and the theft of Outlook and browser credentials. With these developments completed and the first large-scale distributions observed in the wild, PsiXBot has officially made its debut in the malware ecosystem.
Fox-IT monitors cyber criminal activity on a daily basis in order to proactively identify threats that are relevant to our customers. On the 21st of February 2019 we noticed SmokeLoader, a popular bot used to install additional malware on infected machines for a fee, push a task to distribute a .NET malware sample. Further research on the sample revealed a modular bot with capabilities such as stealing data from infected hosts and receiving download & execute tasks. Our interest was further piqued when the Spelevo Exploit Kit started distributing the same malware on the 16th of March, at which point we decided to investigate this piece of malware further, resulting in the findings below.
Having watched it evolve since 2017 and now leave beta versioning, we observe it being distributed through multiple infection vectors, such as exploit kits and malware loaders.
During routine threat research activity, we stumbled upon a tweet on what seemed to be an early version of the malware known as PsiXBot. In the same Twitter thread a link was also shared to a very early version of that same malware.
An overview of the versions is given below:
- Mid 2017: First version spotted in the wild (SHA256: d2ee07bf04947cac64cc372123174900725525c20211e221110b9f91b7806332);
- August 2018: Updated version spotted (SHA256: ce0e46fa1c5b463ed4a070a05594a79203ed2dd5df96cece9f875e2957fda4fa);
- Early 2019: The latest version is now being distributed via different infection vectors (SHA256: ca30c42334fcc693320772b4ce1df26fe5f1d0110bc454ec6388d79dffea4ae8).
The illustration below displays the code structure of the versions: the first version to the left and the most recent one to the right.
Note that the name PsiX is derived from the name of the assembly. Taking a look at the PDB path, the same naming is present again:
Additionally, in the sample displayed in the center of the image above, the name “Radius” can be spotted as well. Part or all of that name can also be observed in the C&Cs, such as:
The differences we observed across the versions are mostly:
- New commands supported by adding different modules;
- Encryption of the strings with AES;
- Version number updated from
The analysis below is centered on the most recent version.
As you may already have seen, the malware is written in .NET and is not obfuscated. Typically it is distributed within a dropper which hides the main payload. Once executed, the Main() function is invoked. It first verifies that it is the only running instance by checking for a hardcoded mutex (for the sample analyzed: gfdhfyf543543cdsdfsdf), then it executes a loop that mimics a sleep function before activating.
Most of the strings are encrypted with AES by a hardcoded string key. For this sample the key is:
The malware also checks the language settings of the victim: if the language is set to ru-RU (Russian) the malware exits. For all other language settings the malware continues its malicious activity.
An additional check compares the filename of the running binary with the configured one. If they do not match, the malware proceeds with the installation, which is done by invoking the CopyEx method via WMI and then invoking the copied binary again via WMI. The installation path is:
Local\Microsoft\.exe in the
After the installation the malware contacts the configured C&Cs, that are initialized by the following code:
public static string valid = new string
In order to communicate with the .bit domains it uses hardcoded DNS servers (18.104.22.168 for the sample used in this analysis); .bit is a Namecoin top-level domain that is not served by the public DNS root, so the bot has to point at resolvers that serve it. After DNS resolution it pings the C&Cs in order to identify the first one that is up.
The bot reports to its C&C some information gathered from the infected host. An example of the string used in the request is:
action=call&user_name=john&bot_id=D63BAFF79F3A3504C70DC3298EE74C68&av=N/A&os_major=Microsoft Windows 7 Home Basic N &permissions=User&os_bit=64&cpu=Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz&gpu=Standard VGA Graphics Adapter&ram=2048&hdd=C:12345/67890&version=1.0.1&user_group=Admin&pc_net=4.0
The meaning of the parameters is:
- action: the purpose of the request;
- user_name: username of the victim’s host;
- bot_id: unique string to identify the infected host;
- av: name of the AntiVirus software installed;
- os_major: name of the OS installed;
- permissions: username’s permissions;
- os_bit: OS architecture;
- cpu: CPU model;
- gpu: GPU model;
- ram: RAM available;
- hdd: HDD Serial Number;
- version: version number of the malware (latest one is 1.0.1);
- user_group: User group name the username is part of;
- pc_net: version of .NET framework installed.
The data transfer is encrypted with RC4 using a hardcoded key, which for this sample is 63a6a2eea47f74b9d25d50879214997a. It is interesting to note that the author encrypted most of the strings, except the RC4 key, the C&Cs and the DNS servers, which are stored in plain text. Since the key is static and readable from the sample, anyone holding the binary can decrypt captured C&C traffic.
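The following is an added analyst helper, not the malware's own code, covering the check-in format and its RC4 layer described above: it implements RC4, decrypts a request body with the sample's hardcoded key and splits the result into the documented key=value fields. The ciphertext it works on is constructed here by encrypting the sample check-in quoted above, so it runs offline. Two assumptions are made: the key is used as its raw ASCII bytes, and the HTTP body carries the raw RC4 output (a capture that is hex- or base64-encoded would need decoding first).

```python
"""Decrypt and parse a PsiXBot-style RC4-encrypted check-in (added example)."""

# Hardcoded RC4 key of the analysed sample, as given in the write-up.
# Assumption: the key string is used as its raw ASCII bytes.
RC4_KEY = b"63a6a2eea47f74b9d25d50879214997a"

# Fields the check-in is documented to carry; used to sanity-check a decrypt.
EXPECTED_FIELDS = {
    "action", "user_name", "bot_id", "av", "os_major", "permissions",
    "os_bit", "cpu", "gpu", "ram", "hdd", "version", "user_group", "pc_net",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_beacon(plaintext: bytes) -> dict:
    """Split 'k=v&k=v' into a dict. Done by hand rather than with urllib.parse
    so that spaces and '+' inside values (CPU model, OS name) survive untouched."""
    fields = {}
    for part in plaintext.decode("utf-8", errors="replace").split("&"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def decrypt_checkin(body: bytes, key: bytes = RC4_KEY) -> dict:
    """Decrypt a captured request body and return its fields."""
    return parse_beacon(rc4(key, body))


def missing_fields(fields: dict) -> set:
    """Documented fields a decrypted check-in lacks. A non-empty result usually
    means the wrong key was used or the message is of a different type."""
    return EXPECTED_FIELDS - fields.keys()


# Constructed test input: the sample check-in quoted in the write-up,
# RC4-encrypted with the sample's key. Not a real capture.
SAMPLE_BEACON = (
    b"action=call&user_name=john&bot_id=D63BAFF79F3A3504C70DC3298EE74C68"
    b"&av=N/A&os_major=Microsoft Windows 7 Home Basic N &permissions=User"
    b"&os_bit=64&cpu=Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz"
    b"&gpu=Standard VGA Graphics Adapter&ram=2048&hdd=C:12345/67890"
    b"&version=1.0.1&user_group=Admin&pc_net=4.0"
)
ENCRYPTED_BEACON = rc4(RC4_KEY, SAMPLE_BEACON)

if __name__ == "__main__":
    info = decrypt_checkin(ENCRYPTED_BEACON)
    print(f"bot_id={info['bot_id']} version={info['version']} "
          f"missing={missing_fields(info) or 'none'}")
```

To use it on real traffic, feed the raw POST body from a pcap to decrypt_checkin() and check missing_fields() on the result; a wrong key or a different message type shows up as missing documented fields rather than as a clean dictionary.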
The C&C answers with a JSON string, like the following one:
If the server returns a valid response, the malware sleeps for 95 seconds before requesting a new command to execute. This is done by sending the data:
An example of a response is the following one:
In the example above the C&C asks for the execution of two commands. The command_action value is the exact name of the method to be invoked; the malware resolves the method dynamically according to this value. Because no list of supported commands is hardcoded, this also gives the author an easy way to upgrade the malware: if the method name sent by the C&C is not present in the running sample, the call is simply ignored.
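To illustrate the name-based dispatch described above, here is an added Python model (not PsiXBot's own code, which does this through .NET reflection): each command_action value is looked up as a method at run time and unknown names are dropped silently, exactly the behaviour that lets new commands be added server-side. The JSON layout, the handler names SetSleep and RequestModule, and the command_value field are assumptions made for the example; the write-up does not show the real response body.

```python
"""Name-based command dispatch of the kind PsiXBot uses (added example)."""
import json


class BotCommands:
    """Handlers reachable by name from a C&C response. Anything not defined
    here, or not a public method, is skipped instead of raising."""

    def __init__(self):
        self.executed = []        # audit trail of what actually ran
        self.sleep_seconds = 95   # default poll interval from the write-up

    def SetSleep(self, seconds):          # hypothetical handler name
        self.sleep_seconds = int(seconds)
        self.executed.append(("SetSleep", self.sleep_seconds))

    def RequestModule(self, name):        # hypothetical handler name
        # The real bot would build and send the module request here.
        self.executed.append(("RequestModule", name))


def dispatch(response_json, bot=None):
    """Resolve and run each command_action in a C&C response by name.

    Returns the (method, argument) pairs that were actually run, in order.
    Unknown names are ignored, as the write-up describes for the bot."""
    bot = bot or BotCommands()
    for cmd in json.loads(response_json):
        name = str(cmd.get("command_action", ""))
        # Guard: only public methods defined on BotCommands itself, so a
        # server-controlled name cannot reach __class__, __init__ and friends.
        if name.startswith("_") or name not in vars(BotCommands):
            continue
        handler = getattr(bot, name)
        if not callable(handler):
            continue
        handler(cmd.get("command_value"))
    return bot.executed


# Constructed response in the assumed shape; not a real capture.
SAMPLE_RESPONSE = json.dumps([
    {"command_action": "RequestModule", "command_value": "BrowserModule"},
    {"command_action": "SetSleep", "command_value": "30"},
    {"command_action": "Uninstall", "command_value": None},   # not implemented: ignored
    {"command_action": "__class__", "command_value": None},   # blocked by the guard
])

if __name__ == "__main__":
    for method, arg in dispatch(SAMPLE_RESPONSE):
        print(f"ran {method}({arg!r})")
```

The guard on leading underscores and on the class's own namespace is the part the malware does not need but any legitimate reflection-style dispatcher does: without it, a name chosen by the remote side can reach internal attributes rather than only the intended command set.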
For one particular method invocation the malware uses a type named SukaBlyat, which is an offensive Russian slang expression.
The two received commands are used to ask the C&C server for additional modules. The data transferred when requesting a module is:
Subsequently, the module is downloaded and executed, and the following command is sent:
The commands currently supported are:
The modules available for this recent version of the bot are:
- BrowserModule (assembly name stMod.exe): used to dump passwords or cookies from a variety of browsers as well as from the FileZilla FTP client. It accepts an argument specifying which data to dump: -passes for the passwords or -cookies for the cookies. The program returns a string with all the stolen information. It seems to be based on the QuasarRAT project;
- BTCModule (assembly name LESHI.exe): accepts an argument and a cryptocurrency address. The supported address types are:
-ripple. Once such an address is configured, the program monitors the clipboard every 3 seconds and verifies whether the copied text is a valid address and of which type. If the check succeeds, the malware replaces the text with one of the configured wallet addresses;
- ComplexModule (assembly name Client.exe): an old version of the open source RAT QuasarRAT. In particular the xclient string (which is part of this module's namespace) was present in a fork from 2016 (see https://github.com/GeekGalaxy/QuasarRAT). The type name QuasarClient was also found in the decompiled source code;
- KeyLoggerModule (assembly name KeyLoggerModule.exe): uses the SetWindowsHookEx API to set a global hook and intercept keystrokes. The intercepted keys are saved in a file named
- NewComplexModule (assembly name RemoteClient.exe): implements a remote-desktop-like program. It allows streaming the user's desktop, interacting with it and starting the browser. The code does not appear to be anything publicly available;
- OutlookModule (assembly name OutlookPasswordRecovery.dll): dumps the Outlook passwords and returns a string with the retrieved information;
- SchedulerModule (assembly name Scheduler.exe): used to ensure persistence. It creates a scheduled task that runs the bot every 60 seconds.
Typically, there are two ways of spreading such a strain of malware: infecting new unwitting victims and leveraging existing compromised systems. Fox-IT observes that the PsiXBot actors do both: they deliver their malware via malspam campaigns or exploit kits (such as the Spelevo Exploit Kit), and they use services offered on underground markets, such as SmokeLoader, to load malware onto already infected devices.
The SmokeLoader bot from which we received the task to distribute the PsiXBot malware was configured with the below metadata:
The distribution URL sent by SmokeLoader‘s task is:
From the referenced distribution URL we managed to download the sample with SHA256: 9b8c0c82fe79ae15e0f723d6aa267d38d359a7260613a091a2d70d770488e919
The C&Cs of this sample are:
Spelevo Exploit Kit
With regards to the Spelevo Exploit Kit, the sample distributed is identified by SHA256: ca30c42334fcc693320772b4ce1df26fe5f1d0110bc454ec6388d79dffea4ae8
The C&C servers of this sample are:
Another distribution vector observed is spam mailings. One of the spam campaigns we identified is Italian-themed, with the following metadata:
Received: from pecfe04.sogei.it (pecfe04.sogei.it [22.214.171.124]) by PECP-BE02 (lmtpd) with LMTP id 28663.002; Tue, 8 Jan 2019 16:22:51 +0100 (CET)
Received: from PECP-FE04 ([127.0.0.1]) by pecfe04.sogei.it (Dovecot) with LMTP id 474fM6e/NFysCAAAxEz/xA ; Tue, 08 Jan 2019 16:22:51 +0100
Received: from mx.pec.sogei.it (localhost [127.0.0.1]) by smtps.pec.sogei.it (Postfix) with ESMTP id 43YwxQ6pm5zgYCT for <firstname.lastname@example.org>; Tue, 8 Jan 2019 16:22:50 +0100 (CET)
Received: from smtps.pec.aruba.it (smtpecgo01.pec.aruba.it [126.96.36.199]) by mx.pec.sogei.it (Postfix) with ESMTPS for <email@example.com>; Tue, 8 Jan 2019 16:22:50 +0100 (CET)
Received: from avvocatismcv.com (ipvspec1.pec.ad.aruba.it [188.8.131.52]) by smtps.pec.aruba.it (Postfix) with ESMTPSA id 43YwxQ2V8Sz2L7hcc; Tue, 8 Jan 2019 16:22:50 +0100 (CET)
Attachments ["daticert.xml", "Nuovi_contratti_2019__145038.zip", "smime.p7s"]
Date 2019-01-08 15:22:50 (UTC)
From "Per conto di: firstname.lastname@example.org" <email@example.com>
Subject POSTA CERTIFICATA: Re: Notificazione ai sensi della legge n. 53 del 1994
The binary downloaded from this URL can be identified with SHA256: db1f57ffd6c58e1d40823e2c8834e45a67271557ceaa1b3bcccf4feab83243a1.
The C&C of this sample is:
The screenshot below shows PsiXBot’s login panel:
The following noteworthy code is inside the HTML:
<!-- saved from url=(0043)hxxps://kyrkymalol.000webhostapp.com/admin/ -->
The most relevant malware hashes can be found below:
PsiXBot first version: d2ee07bf04947cac64cc372123174900725525c20211e221110b9f91b7806332
PsiXBot updated version: ce0e46fa1c5b463ed4a070a05594a79203ed2dd5df96cece9f875e2957fda4fa
PsiXBot latest version: ca30c42334fcc693320772b4ce1df26fe5f1d0110bc454ec6388d79dffea4ae8
The full set of indicators of compromise can be found on our GitHub page.
More information on the threat actors behind PsiXBot is available for InTELL customers on Fox-IT’s cybercrime portal.