Roboto Condensed Delivers Downloader Which Downloads a CoinMiner.

My first post on the Roboto Condensed social engineering scheme can be seen HERE. BleepingComputer.com also wrote an article on this.

The pages presented to both Chrome and Firefox users can be seen below:

Here is an image of the page source:

The binary file, fontpackupd60.exe, is being hosted on a compromised website in the /plugins/ directory. The threat actor(s) behind this social engineering scheme have used different payloads for Chrome and Firefox however this time they were identical.

Executing fontpackupd60.exe generated the following HTTP events:

The first HTTP traffic we see are POST requests to api.highwrite.ru (resolves to 144.76.173.214):

The first POST request is to /2.0/method/checkConnection. The server responds with a 200 OK and the string c3VjY2Vzcw==. This base64 encoded string decodes to “success”.

We then see a POST request to /2.0/method/error containing profile=[profile number].

You can also see that the connections to api.highwrite.ru use Opera/8.53 (Windows 98; U; en) as the User-Agent.

The next set of HTTP connections to api.highwrite.ru are shown below:

In this TCP stream you can see system information being POSTed back to /2.0/method/installSuccess. Information includes the buildID, profile, os, platform, processor, and videocard. The server responds with a 200 OK containing the ID number.

The next HTTP connections are shown below:

The server responds to the POST request with a 302 Found pointing to hxxps://github[.]com/Melicano01/wiwi/raw/master/upd.exe. You can see that for this GET request the User-Agent is Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729).

The GitHub repo containing upd.exe is shown below:

All executables located here:

The file being downloaded, upd.exe (aka “lsass.exe”), is being identified as a Coin Miner by Hybrid-Analysis and by my friend @Antelox.

The next set of HTTP connections are shown below:

After a successful connection check and our id number being POSTed back to the server, the server responds with a 200 OK containing the base64 encoded string Rk1BUC5leGU=, which decodes to “FMAP.exe”.

This is followed by a POST request to /2.0/method/get, which returns another 200 OK containing the base64 encoded string:

aHR0cHM6Ly9naXRodWIuY29tL01lYXR5QmFuYW5hL01lYXR5QmFuYW5hL3Jhdy9tYXN0ZXIvRk1BUC5leGU7Rk1BUC5leGU7

This string decodes to:

hxxps://github[.]com/MeatyBanana/MeatyBanana/raw/master/FMAP.exe;FMAP.exe;

This is yet another GitHub repo containing various payloads:

All executables located here:

Something to note, the Hybrid-Analysis report showed that the sandbox tried downloading MeatyBanana.exe:

Following the instructions to download FMAP.exe from the GitHub repo is another POST request to /2.0/method/config. The server responds with a 200 OK containing the following base64 encoded string:

LW8geG1yLnBvb2wubWluZXJnYXRlLmNvbTo0NTU2MCAtdSBpbXBlcmlvcm1heEBnbWFpbC5jb20gLXAgeCAtayAtdCA=

This decodes to:

-o xmr.pool.minergate.com:45560 -u imperiormax@gmail.com -p x -k -t

This is the Monero MinerGate pool address.

The last POST request to api.highwrite.ru is shown below:

The POST request is to /2.0/method/setOnline and the server responds with a 200 OK containing another base64 encoded string:

b3Blbl91cmw7aHR0cDovL2FkdHJhY2sxLndhdy5wbC9nby5waHA/YV9haWQ9NTliYWFmNTc1YzM0MA==

This decodes to:

open_url;hxxp://adtrack1[.]waw[.]pl/go.php?a_aid=59baaf575c340

It should be noted that the infected machine made a POST request to /2.0/method/setOnline every 10 minutes.

The URLs returned by the server kick off a chain of redirections that eventually results in the browser loading an .html page from brieb.blob.core.windows.net:

The landing pages attempt to trick users into download and running the file “Setupexe“. The file is downloaded from subdomains using the .bid TLD. For example:

Below is an example of a GET request for setupexe.exe:

Hybrid-Analysis has categorized this file as a backdoor. It generates a lot of ad traffic so I’m thinking it could be adware. The Hybrid-Analysis report also shows post-infection GET requests to .bid TLD’s like fun.losscook.bid (216.137.61.147) and build.zebraexpansion.bid (34.253.150.26) using the User-Agent “InstallCapital”.

Below are images of the setup wizard: