Posts

Showing posts from January, 2023

Credential Stealer RedLine Reemerges

We at K7 Labs noticed that several RedLine Stealers were resurfacing, so we decided to analyze one such sample from our incident queue. The sample we studied for this blog was an NSIS compiled binary with the NSIS script and the malicious binary in its overlay. Upon execution it drops 2 executables in the ‘AppData\Roaming’ folder:

@deadma3ay_crypted.exe
1079929187.exe

It then runs “@deadma3ay_crypted.exe” in the background, injects the malicious code into a suspended instance of the ClickOnce .NET utility named AppLaunch.exe, and then proceeds to connect to the C2 server. The process tree shows that AppLaunch.exe was started in a suspended state, as seen below.

Figure 1: Process tree
Figure 2: @deadma3ay_crypted.exe creates a process which is in a suspended state
Figure 3: AppLaunch.exe is created and is in a suspended state

Highlighted above is the call to the API CreateProcessW with “dwCreationFlags” set to 0x00000004, meaning it would start the pro...

Say NO to Nopyfy!

In the last week of July, we detected a ransomware named Nopyfy at our customer’s end. In August 2021, Nopyfy ransomware was uploaded to GitHub as an open-source ransomware project. Hackertback, a website selling hacking tools, sells custom versions of Nopyfy Ransomware with a setup guide and support.

Figure 1: Open-source files in GitHub

C2 Analysis

The C2 was active at the time of analysis. We got the hardcoded FTP user credentials from the binary. Using the FTP credentials, we got access to the PHP files which were hosted on it.

Figure 2: Penetrating C2

This got us curious and we started finding ways to get the victims’ details. But we didn’t have the credentials for the login form on the C2 home page and didn’t have access to the MySQL database.

Figure 3: C2 Homepage

So, we used the FTP access as a backdoor and modified the PHP file to accept our custom set password. After logging into the ...

SpyNote – An Android Snooper

Threat actors are constantly using new tricks and tactics to target users across the globe. This blog is about SpyNote, an Android RAT targeting Indian Defense personnel. The initial attack vector information was found on the newindianexpress website. Let’s now get into the details of how this SpyNote works. This RAT is propagated via WhatsApp with the name “CSO_SO on Deputation DRDO.apk”. Once the user falls prey to this RAT and installs this malicious “CSO_SO on Deputation DRDO.apk”, the app pretends to be the genuine Adobe Reader icon in the device app drawer, as shown in Figure 1.

Figure 1: Fake Adobe Reader icon of the malware

Upon launching, this application opens a Google Drive URL that is hardcoded in the app’s “strings.xml” file and displays the images shown in Figure 2. The Google Drive URL hardcoded in the app’s “strings.xml” file is shown in Figure 3.

Figure 2: Images from Google Drive
Figure 3: H...