# Wtf are these Threat Actors doing? XUbuntu malware is dumb and stinky

Yesterday night before I went to bed I saw [@sysadafterdark](https://x.com/sysadafterdark) write they suspected Xubuntu-dot-org was compromised and potentially delivering malware. I said, "whoa, that's badass", and was excited to look into it this morning.

Link to the Reddit thread: <https://www.reddit.com/r/xubuntu/comments/1oa43gt/xubuntuorg_might_be_compromised/>

What the fuck am I looking at?

The website download no longer works. However, I saw people share the initial file hash:

```
ec3a45882d8734fcff4a0b8654d702c6de8834b6532b821c083c1591a0217826
```

I pulled the file, opened it with CFF Explorer, and saw it was .NET based. Cool beans. ILSpy it is.

I open this slop of fuckin' shit in ILSpy and see these goobers doing literally zero obfuscation on the binary. However, this is clearly masquerading malware, based on the silly GUI they wrote for it.

I look at the GUI, and look at the code, and it's pretty obvious what they're doing. These goobers have a generic GUI that triggers a malicious action when the unsuspecting victim clicks the "Generate Click" button.

<figure><img src="/files/8xOYqHBuVSskbow2Lh7B" alt=""><figcaption></figcaption></figure>

Okay, let's look at this fuckin' thing now... and yeah, it's definitely trying to be malware. There is no denying it. But, is it good malware? (SPOILER: No, it's not. This is dumb and stinky).

<figure><img src="/files/T5CZMKU6exmRXculjqvg" alt=""><figcaption></figcaption></figure>

This is very clearly Base64 encoding (the "==" padding at the end). The function "Xs" clearly decodes the Base64. However, Base64 encoding doesn't take a key (and yet, as you can see, "key" is what they named the variable).

When you look at their "Xs" function it's literally just Base64 decoding + XOR with a key of 247.

<figure><img src="/files/KeFT79Ao1zrQPtBn5NAD" alt=""><figcaption></figcaption></figure>

If you write some ghetto-ass Python script you can deobfuscate all these strings in .02 seconds with this shit I wrote (replace the "b" variable with the lame encoded string):

```python
import base64

b = "lpqEntmTm5s="   # one of the obfuscated strings pulled from the binary
k = 247              # the single-byte XOR key used by the "Xs" function

# Step 1: undo the Base64 layer
decoded = base64.b64decode(b)
# Step 2: XOR every byte with the key
deobfuscated = bytes(x ^ k for x in decoded)

print(deobfuscated.decode("utf-8", errors="ignore"))  # prints: amsi.dll
```

and you end up getting this shit:

```
amsi.dll
AmsiScanBuffer
kernel32
VirtualProtect
1
ntdll
EtwEventWrite
osn10963
elzvcf.exe
Software\Microsoft\Windows\CurrentVersion\Run
```

They also decided to Base64 + XOR an entire binary in their GUI (as you can see in the image).

<figure><img src="/files/7MxwCreq4iLb2mYzQpoG" alt=""><figcaption></figcaption></figure>

You can also tell because, when you deobfuscate it with the shit Python script I shared, you can see the MZ header in all of its glory.

<figure><img src="/files/6FqtJws4g5v9XCi56xr2" alt=""><figcaption></figcaption></figure>
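To turn the one-off script above into something you can reuse during triage, here is an added example (my code, not the author's script and not anything from the dropper) that batch-decodes the string blobs, names what the decoded strings mean for a defender, and handles the embedded binary: because every PE image starts with "MZ", the XOR key can be recovered from the first byte alone and confirmed with the second, and the e_lfanew field can then be followed to the "PE\0\0" signature. The only real blob is the `lpqEntmTm5s=` sample from the write-up; the other sample blobs are the page's decoded strings re-encoded with the same scheme, the 68-byte PE stub is constructed, and the behaviour labels in `INDICATORS` are my reading of the strings.

```python
import base64
import struct

# Single-byte XOR key recovered from the dropper's "Xs" routine (from the write-up).
KEY = 247

def obfuscate(data: bytes, key: int = KEY) -> str:
    """Re-create the dropper's scheme (XOR each byte, then Base64) so we can build test samples."""
    return base64.b64encode(bytes(b ^ key for b in data)).decode("ascii")

def deobfuscate(blob: str, key: int = KEY) -> bytes:
    """Undo it: Base64-decode, then XOR every byte with the single-byte key."""
    return bytes(b ^ key for b in base64.b64decode(blob))

def deobfuscate_strings(blobs, key: int = KEY) -> list:
    """Decode a batch of string blobs; undecodable bytes are replaced rather than silently dropped."""
    return [deobfuscate(blob, key).decode("utf-8", errors="replace") for blob in blobs]

# Decoded strings from the write-up mapped to what they mean for a defender
# (the categories are my reading of the strings, not text from the page).
INDICATORS = {
    "AmsiScanBuffer": "AMSI bypass (targets the AmsiScanBuffer export)",
    "EtwEventWrite": "ETW telemetry tampering (targets the EtwEventWrite export)",
    "VirtualProtect": "in-memory patching (changes page protections)",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run": "persistence via the Run registry key",
}

def classify(strings) -> dict:
    """Return only the decoded strings that match a known indicator, with its meaning."""
    return {s: INDICATORS[s] for s in strings if s in INDICATORS}

def recover_key_from_pe(blob: str):
    """Known-plaintext key recovery: every PE image starts with 'MZ', so the key is raw[0] ^ 'M';
    the second byte must then decode to 'Z', otherwise the blob is not an XOR'd PE."""
    raw = base64.b64decode(blob)
    if len(raw) < 2:
        return None
    key = raw[0] ^ ord("M")
    return key if raw[1] ^ key == ord("Z") else None

def is_pe_image(data: bytes) -> bool:
    """Check the DOS 'MZ' magic and that e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

# Constructed samples: the one blob shown in the write-up, plus the other decoded strings
# re-encoded with the same scheme, and a 68-byte stub with a valid DOS header -> PE signature.
SAMPLE_BLOBS = ["lpqEntmTm5s="] + [
    obfuscate(s.encode()) for s in (
        "AmsiScanBuffer", "kernel32", "VirtualProtect", "ntdll", "EtwEventWrite",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    )
]
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
FAKE_PE_BLOB = obfuscate(FAKE_PE)

def triage(blobs, pe_blob) -> dict:
    """Put it together: decode the strings, name the behaviours, and confirm the big blob is a PE."""
    strings = deobfuscate_strings(blobs)
    key = recover_key_from_pe(pe_blob)
    payload = deobfuscate(pe_blob, key) if key is not None else b""
    return {
        "strings": strings,
        "behaviours": classify(strings),
        "pe_key": key,
        "embedded_pe": is_pe_image(payload),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_BLOBS, FAKE_PE_BLOB), indent=2))
```

The key-recovery trick is worth more than brute force here: ranking all 256 keys by "how printable is the output" is ambiguous for short strings (several keys produce all-printable bytes), whereas the two fixed header bytes of a PE give you the key and a confirmation in one step.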

**TL;DR: the first binary from Xubuntu is a GUI disguised as an application that will ... help you download Xubuntu ... ? It's written in C#/.NET and has a cute GUI. The malicious code only triggers when the generate button is clicked. When the generate button is clicked it writes the actual malware payload (stage 2) to disk. It also sets the malware payload to run at startup.**

Stage 2 file hash:

```
afaebc6cf20f32ea0644f69c511a5da12f3b860f7d13b18500051830337965d7
```

Stage 2 made me depressed. I looked out the window and cried. I played "Paint It Black" by the Rolling Stones and contemplated the duality of life. I don't even feel like writing this anymore. I'll just include a screenshot of the binary's IAT and yell.

In summary, stage 2 is a really simple and small binary. It listens to the clipboard and replaces ... strings. THAT'S IT

<figure><img src="/files/ex8fz7Vdsl9xS6ynvg6Q" alt=""><figcaption></figcaption></figure>

I double-checked the first malware payload and the second malware payload. This thing sets up callback routines ([AddClipboardFormatListener](https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-addclipboardformatlistener)) but ... THAT'S IT

Trying to swap destination crypto addresses and wallets ... AND THAT'S IT?!

You compromised a large website, you could have tailored this for Linux malware, some specially crafted Windows malware, a data stealer, ransomware, ... fucking SOMETHING. All you did was try to replace crypto stuff from the fuckin' clipboard? Dawg, you had ONE SHOT, ONE OPPORTUNITY and you let it slip
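Since the whole of stage 2 is "watch the clipboard, rewrite wallet addresses", the defensive flip side is just as small, and that is the point of this added example (my code, not the author's and not derived from the sample). A clipper can only rewrite clipboard updates, so the tell is that what comes out at paste time is an address that differs from the address the user actually copied. The guard below records the user's own copy, compares it with the clipboard content at paste time, and blocks the paste when both look like wallet addresses but don't match. The address regexes are standard Bitcoin and Ethereum shapes I supplied, the event log is constructed, and the addresses in it are placeholders that exist only to match those regexes.

```python
import re

# Shapes of common wallet addresses (standard formats; not taken from the write-up).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{39,59}$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}

def address_type(text: str):
    """Return which address format the text matches, or None if it is not an address."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

class ClipboardGuard:
    """Remembers what the user actually copied and compares it with what the clipboard
    holds at paste time. A clipper only rewrites clipboard updates, so a swap shows up
    as 'I copied address X but address Y came out'."""

    def __init__(self):
        self.last_copied = None
        self.alerts = []

    def on_user_copy(self, text: str) -> None:
        self.last_copied = text

    def on_paste(self, clipboard_text: str) -> bool:
        """Return True if the paste is allowed, False if it looks like a swapped address."""
        copied_kind = address_type(self.last_copied or "")
        pasted_kind = address_type(clipboard_text)
        if copied_kind and pasted_kind and clipboard_text != self.last_copied:
            self.alerts.append({
                "expected": self.last_copied,
                "got": clipboard_text,
                "kind": pasted_kind,
            })
            return False
        return True

def replay(events):
    """Drive the guard with (source, text) events: 'copy' = user copy, 'paste' = clipboard read."""
    guard = ClipboardGuard()
    outcomes = []
    for source, text in events:
        if source == "copy":
            guard.on_user_copy(text)
        elif source == "paste":
            outcomes.append(guard.on_paste(text))
    return outcomes, guard.alerts

# Constructed event log. The addresses are placeholders that only match the regexes above;
# the third pair models the clipper rewriting the user's address before it is pasted.
ETH_ADDR = "0x" + "ab" * 20
BTC_USER = "1" + "A" * 33
BTC_SWAPPED = "1" + "B" * 33
SAMPLE_EVENTS = [
    ("copy", "meeting notes"), ("paste", "meeting notes"),
    ("copy", ETH_ADDR), ("paste", ETH_ADDR),
    ("copy", BTC_USER), ("paste", BTC_SWAPPED),
]

if __name__ == "__main__":
    outcomes, alerts = replay(SAMPLE_EVENTS)
    print(outcomes)  # [True, True, False]
    for a in alerts:
        print(f"blocked paste: copied {a['expected']} but clipboard held {a['got']} ({a['kind']})")
```

On a real desktop the "copy" events would come from the user's own copy action and the "paste" reads from the clipboard API at paste time; the comparison logic is the same, and it is also exactly the manual check users are told to do (compare the pasted address with the one you meant to send to) before confirming a transfer.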

God, I hope I'm wrong and I missed something.

<figure><img src="/files/Zp9jWs9eGfwoZrTicldu" alt=""><figcaption></figcaption></figure>
