Wtf are these Threat Actors doing? XUbuntu malware is dumb and stinky

Yesterday night before I went to bed I saw @sysadafterdark write they suspected Xubuntu-dot-org was compromised and potentially delivering malware. I said, "whoa, that's badass", and was excited to look into it this morning.

Link to Reddit thread :https://www.reddit.com/r/xubuntu/comments/1oa43gt/xubuntuorg_might_be_compromised/

What the fuck am I looking at?

The website download no longer words. However, I saw people share the initial file hash:

ec3a45882d8734fcff4a0b8654d702c6de8834b6532b821c083c1591a0217826

I pulled the file, opened it with CFF explorer, and saw it was .NET based. Cool beans. ILSpy it is.

I open this slop of fuckin' shit in ILspy and see these goobers doing literally zero obfuscation on the binary. However, this is clearly masquerading malware based off of the silly GUI they wrote for it.

I look at the GUI, and look at the code, and it's pretty obvious what they're doing. These goobers have a generic GUI that triggers a malicious action when the unsuspecting victims clicks the "Generate Click" button.

Okay, let's look at this fuckin' thing now... and yeah, it's definitely trying to be malware. There is no denying it. But, is it good malware? (SPOILER: No, it's not. This is dumb and stinky).

This is very clearly Base64 encoding ("==" at the end). The function "Xs" clearly decodes the Base64 encoding. However, Base64 encoding doesn't have a key (as you can see they named the variable).

When you look at there "Xs" function it's literally just Base64 encoding + Xor with a key of 247.

If you make some ghetto ass Python script you can deobfuscate all these strings in .02 seconds with this shit I wrote (replace "b" variable with the lame encoding)

import base64

b = "lpqEntmTm5s="
k = 247
decoded = base64.b64decode(b)
deobfuscated = bytes(x ^ k for x in decoded)
print(deobfuscated.decode("utf-8", errors="ignore"))

and you end up getting this shit:

amsi.dll
AmsiScanBuffer
kernel32
VirtualProtect
1
ntdll
EtwEventWrite
osn10963
elzvcf.exe
Software\Microsoft\Windows\CurrentVersion\Run

They also decided to Base64 + Xor an entire binary in their GUI (as you can see in the image)

You can tell also because when you deobfuscate it using the shit Python script I shared, you can see the MZ header it all of it's glory.

TLDR first binary from Xubuntu is a GUI disguised as an application that will ... help you download Xubuntu ... ? It's written in C#.NET and has a cute GUI. The malware payload only triggers when the generate button is clicked. When the generate button is clicked it writes the actual malware payload (stage 2) to disk. It also sets the malware payload to run at start.

Stage 2 file hash:

afaebc6cf20f32ea0644f69c511a5da12f3b860f7d13b18500051830337965d7

Stage 2 made me depressed. I looked out the window and cried. I played "Paint It Black" by Rolling Stones and contemplated the duality of life. I don't even feel like writing this anymore. I'll just include a screenshot of the binaries IAT and yell.

In summary, stage 2 is a really simple and small binary. It listens to the clipboard and replaces ... strings. THAT'S IT

I double checked the first malware payload and the second malware payload. This thing setups callback routines (AddClipboardFormatListener) but ... THAT'S IT

Trying to swap destination crypto addresses and wallets .. AND THAT'S IT?!

You compromised a large website, you could have tailored this for Linux malware, some specially crafted Windows malware, a data stealer, ransomware, ... fucking SOMETHING. All you did was try to replace crypto stuff from the fuckin' clipboard? Dawg, you had ONE SHOT, ONE OPPORTUNITY and you let it slip

God, I hope I'm wrong and I missed something.

PreviousFake Lockbit 5.0 silliness and 3 layers of ransomware lasagna NextThe rise of malware mainstream "acceptance" and "popularity" is thanks to the government

Last updated 10 days ago