HORUS Protector Part 1: The New Malware Distribution Service
Recently, the SonicWall threat research team came across a new malware distribution service called Horus Protector, which claims to be a Fully Undetectable (FUD) crypter. We have observed a variety of malware families propagated by Horus Protector, including AgentTesla, Remcos, Snake, NjRat and many others.
The authors appear to be native French speakers: the files in the distribution package carry instructions in French, and the desktops shown in the YouTube demo videos have French as the default language of the installed software.
Figure 1: Horus Telegram Group Description
The authors run their own Telegram group, which communicates the latest updates to their subscribers. Their homepage links to a demo YouTube video, a description of their services and prices, and the Telegram group. Three service packages with varying features are offered: Shared STUB at $50/month, Premium STUB at $100/month and Private STUB at $150/month.
Figure 2: Webpage with demo YouTube video
The Telegram group currently hosts four versions of the crypter: v 0.3, v 0.4, v 0.4.1 and the latest, v 0.4.2. Anyone can download these from the Telegram group, but a key is required to use the service, which the author provides after payment.
The HORUS Protector operators keep monitoring detections by AV vendors and update their code accordingly, announcing the updates on their Telegram channel. Initially, the scanning service kleenscan[.]com was used to test detection by AV vendors. The website lists 39 well-known AV scanners and claims not to share submitted samples with AV vendors. Malware authors use services of this kind to test the detection rates of their binaries. Furthermore, the scanner website carries advertisements for harmful services, showcasing its malicious use.
Figure 3: Kleenscan service
In the image below, we observe updates on malware detection, indicating that the authors were indeed tracking AV detections to keep their malware service undetectable.
Figure 4: Telegram Group Updates
The authors also checked the hashes of all encrypted malware (that is, the hashes of the generated infection chain) on VirusTotal in order to update their mechanism and payload generation tactics.
HORUS Protector Tool
We analyzed the latest version of the protector (v 0.4.2) and found that it spreads malware through a multilayered propagation chain that makes extensive use of the Windows registry. Previously, the generated infection vectors were scripts such as JavaScript; the current version instead delivers a .zip file containing a VBE script, which is encoded VBScript.
Figure 5: Horus Protector binary
The tool is a 32-bit .NET assembly whose file comments describe it as a FUD crypter. The version is also recorded in the FileVersion property.
When run, the tool displays a prompt stating that an internet connection is required to access its features.
Figure 6: Internet Connection Prompt
Once the user clicks “yes”, the tool generates a user ID from the hardware configuration of the system. It retrieves the drive serial number via ManagementObject.Properties["VolumeSerialNumber"] and the processor serial number via ManagementObject["ProcessorId"]. Both values are converted to strings and concatenated to form the user ID. Afterwards, it attempts to connect to its server at 144.91.79[.]54:670.
Figure 7: User Information
The tool has two tabs: User Informations and Crypter. Under the User Informations tab are the ID, the subscription package and the number of days since the subscription date. The last row indicates whether the tool is connected to the server: it shows “Connected Successfully” if it is, and “Connexion failed !” if it is not.
The second tab shows details related to the cryptor/tool.
Figure 8: Crypter Window
The user supplies the malware payload using the “Add..” button and must select one of the legitimate processes from the “Inject to:” list; the payload is injected into that process upon execution.
The “inject to:” list has the following options:
“MSBuild.exe”, “RegAsm.exe”, “RegSvcs.exe”, “vbc.exe”, “AddInProcess32.exe”, “ngentask.exe”, “AppLaunch.exe”, “aspnet_compiler.exe”, “csc.exe”, “cvtres.exe”, “mscorsvw.exe”, “MicrosoftEdgeUpdate.exe”.
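As an added detection example (not code from SonicWall or from the Horus tool), the following script flags two observables described on this page: a script host spawning one of the “Inject to:” targets listed above, and a connection to the server the tool contacts. The key=value event lines are constructed sample telemetry, not real logs.

```python
import re

# Process names from the crypter's "Inject to:" list (lower-cased for matching).
INJECT_TARGETS = {
    "msbuild.exe", "regasm.exe", "regsvcs.exe", "vbc.exe", "addinprocess32.exe",
    "ngentask.exe", "applaunch.exe", "aspnet_compiler.exe", "csc.exe", "cvtres.exe",
    "mscorsvw.exe", "microsoftedgeupdate.exe",
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # hosts that execute a VBE stage
C2_ENDPOINT = ("144.91.79.54", "670")           # server the tool connects to

# Constructed sample telemetry (not real logs): one key=value event per line.
SAMPLE_EVENTS = """\
type=process parent=wscript.exe image=RegAsm.exe cmdline="RegAsm.exe"
type=process parent=devenv.exe image=MSBuild.exe cmdline="MSBuild.exe app.csproj"
type=process parent=cscript.exe image=AppLaunch.exe cmdline="AppLaunch.exe"
type=network image=RegAsm.exe dst=144.91.79.54 dport=670
type=network image=chrome.exe dst=93.184.216.34 dport=443
"""

_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in _TOKEN.findall(line)}

def check_event(ev):
    """Return a reason string if the event matches a rule, else None."""
    image = ev.get("image", "").lower()
    if ev.get("type") == "process":
        parent = ev.get("parent", "").lower()
        if parent in SCRIPT_HOSTS and image in INJECT_TARGETS:
            return f"script host {parent} spawned injection target {image}"
    elif ev.get("type") == "network":
        if (ev.get("dst"), ev.get("dport")) == C2_ENDPOINT:
            return f"{image} connected to {C2_ENDPOINT[0]}:{C2_ENDPOINT[1]}"
    return None

def scan(events_text):
    """Return [(line_number, reason)] for every matching event."""
    hits = []
    for n, line in enumerate(events_text.splitlines(), 1):
        if not line.strip():
            continue
        reason = check_event(parse_event(line))
        if reason:
            hits.append((n, reason))
    return hits

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_EVENTS):
        print(f"line {n}: {reason}")
```

Legitimate builds also launch MSBuild.exe or csc.exe, so the parent-process condition is what keeps the first rule useful; tune the script-host set to your environment.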
The “Online Scan” checkbox submits the generated file to malware scanning services to check which AV vendors detect it. The function of the “Botkill (beta)” checkbox is still unclear, but we believe it is intended as an option to remove persistence (scheduled tasks, Run entries, etc.) to avoid detection.
Figure 9: Data Sent to Server
After all the necessary fields are selected, the tool transmits the data to the server, including the user ID, the malware payload, the name of the process selected for injection and the checkbox values.
The main processing of the payload is carried out server side. For the newest version, the infection vector is downloaded to the user's machine as a VBE script. This VBE script downloads and executes the multistage infection chain, and a notable persistence technique is used to keep the infection stealthy.
The infection chain will be discussed in our second blog on this tool.
IOCs:
IP:
144.91.79[.]54:670
MD5:
f9aebea5a93ab48c69bb116e70478d09
0250722d091337129c84d9e82bb626f5
4564f734da06c25128722ff9d6188eab
7b9717229f2d8a289da22ba4db19a892