
The Supreme Backdoor Factory

SOURCE: https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/
Summary

The bot contained an update functionality that downloaded an AES-encrypted and RSA-signed “update instructions” file from another project repository belonging to the user allare778: hxxp://allesare.sourceforge[.]net/en-us/bver. The implementation of the update mechanism appeared to allow the project owner to execute arbitrary system commands on hosts running blazebot.

At that point I thought that the connection between the modified JXplorer installer and the “Supreme NYC Blaze Bot” could be coincidental. I downloaded the latest Windows version (3.3.1.2) of the JXplorer installer from its official website and compared its MD5 hash with the installer file hosted on the official GitHub repository pegacat/jxplorer.

What was also strange, serkovs/jxplorer was not even a clone of the official JXplorer repository; it contained only a single file, a Linux installer for JXplorer 3.3.1.2. I downloaded the Linux installer (32-bit ELF binary) from both repositories and compared the files.

The graph below shows “social interactions” between the serkovs account, two other accounts that I analyzed (mansiiqkal and ballory) and a number of related (starred/subscribed) repositories. I decided to inspect the content of the ballory/ffmpeg [Wayback Machine copy] repository because it did not contain JAR file(s) like most of the other identified repositories; instead it had a bunch of Linux binaries, claiming to be an “FFmpeg Linux Build (64 bit)”.
The code used a custom decryption routine to decrypt an array of bytes and then used the resulting blob (3011 bytes in total, MD5: cf2ca657816af534c07c8ceca167e25b, VT) as a source of file content and strings (file names, system commands). Depending on the operating system the code was executed on, it performed the different actions described below.

On Linux, the code dropped a JAR file (MD5: 9d4aeb737179995a397d675f41e5f97f) to $HOME/.local/share/bbauto and created desktop-entry persistence by setting the $HOME/.config/autostart/none.desktop file to execute the following command: The code also created an additional desktop entry, $HOME/.config/autostart/.desktop, set to execute the following command:

On macOS, the code dropped a JAR file (MD5: 9d4aeb737179995a397d675f41e5f97f) to $HOME/Library/LaunchAgents/AutoUpdater.dat and established persistence by creating a launch agent called AutoUpdater ($HOME/Library/LaunchAgents/AutoUpdater.plist). The code also created an additional launch agent called SoftwareSync, set to execute the following command:

On Windows, the code dropped a JAR file (MD5: 9d4aeb737179995a397d675f41e5f97f) to %temp%\..\Microsoft\ExplorerSync.db and established persistence by executing the following command:

The dropped JAR file (MD5: 9d4aeb737179995a397d675f41e5f97f) and the Windows file and scheduled task names (ExplorerSync.db, ExplorerSync) were exactly the same as those discovered in the modified JXplorer Tcl installer script. This created another plausible connection between the mansiiqkal/easymodbustcp-udp-java repository and the modified Windows installer of JXplorer.

I also analyzed the previous version of the EasyModbusJava.jar file (MD5: 38f51f6555eba1f559b04e1311deee35, VT) committed to the mansiiqkal/easymodbustcp-udp-java repository on 2018-02-20.
The only notable difference was the use of %APPDATA% instead of %TEMP% as the base directory for the dropped JAR file on Windows systems.

By following breadcrumbs I was able to discover and draw connections between pieces of malware and online infrastructure: the modified JXplorer Windows installer found on VirusTotal and the modified EasyModbus Java library found on GitHub (mansiiqkal/easymodbustcp-udp-java) dropped the same JAR file (FEN downloader, MD5: 9d4aeb737179995a397d675f41e5f97f). Coincidentally, the malicious code present in the modified JXplorer Windows installer referenced “blazebot” and supremenewyork[.]com. The GitHub account serkovs created the serkovs/jxplorer repository containing the modified JXplorer Linux installer file.

Following up on specific indicators found in the analyzed files and on collected metadata about GitHub repositories, I was able to discover additional related pieces of malicious code. I started with VirusTotal hunting capabilities; the search returned a set of binaries belonging to the same malware family: Eimea Lite App. The functionality and supported commands of this malware seem to be closely tied to the previously discussed FEimea Portable App. The main difference is that while the FEimea Portable App is written in Java, the Eimea Lite App comes in the form of compiled binaries for both Windows and Linux operating systems.
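As an added example (not code from the dfir.it post), the following Python triage check looks for the persistence artifacts and dropped-file indicators listed above in a copied home or profile directory. The AppData layout assumed for the %TEMP% and %APPDATA% drop paths and the SoftwareSync plist file name are assumptions, not values from the write-up.

```python
import hashlib
import tempfile
from pathlib import Path
# Indicator from the write-up: MD5 of the FEN downloader JAR dropped on all three platforms.
FEN_DOWNLOADER_MD5 = "9d4aeb737179995a397d675f41e5f97f"
# Drop locations from the write-up, relative to the user's home/profile root. Assumed:
# %temp%\..\Microsoft is AppData/Local/Microsoft, the older %APPDATA% build drops under
# AppData/Roaming, and the macOS launch-agent plists are named after their labels.
KNOWN_DROP_PATHS = [
    ".local/share/bbauto",                      # Linux: directory holding the JAR
    ".config/autostart/none.desktop",           # Linux: desktop-entry persistence
    ".config/autostart/.desktop",               # Linux: second desktop entry
    "Library/LaunchAgents/AutoUpdater.dat",     # macOS: the JAR, renamed
    "Library/LaunchAgents/AutoUpdater.plist",   # macOS: launch agent
    "Library/LaunchAgents/SoftwareSync.plist",  # macOS: second launch agent (assumed name)
    "AppData/Local/Microsoft/ExplorerSync.db",  # Windows: %TEMP%-based build (assumed layout)
    "AppData/Roaming/ExplorerSync.db",          # Windows: %APPDATA%-based build (assumed layout)
]
SUSPICIOUS_NAMES = {"ExplorerSync.db", "AutoUpdater.dat", "none.desktop"}

def md5_of(path: Path) -> str:
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_profile(root) -> list:
    """Return (relative path, reason) pairs found in a copied home/profile tree."""
    root = Path(root)
    findings = [(rel, "known drop path") for rel in KNOWN_DROP_PATHS if (root / rel).exists()]
    flagged = {rel for rel, _ in findings}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.name in SUSPICIOUS_NAMES and rel not in flagged:   # same name, unexpected place
            findings.append((rel, "suspicious file name"))
        if md5_of(p) == FEN_DOWNLOADER_MD5:                     # renamed or moved JAR
            findings.append((rel, "FEN downloader hash match"))
    return findings

def demo() -> list:
    """Scan a constructed sample tree of harmless placeholder files (not real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in (".config/autostart/none.desktop",
                    "AppData/Local/Microsoft/ExplorerSync.db", "Documents/notes.txt"):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"constructed sample content\n")
        return scan_profile(root)
```

The scheduled task name ExplorerSync cannot be checked from a file copy alone; on a live Windows host it needs a separate query of the task scheduler.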
The only difference was that the shellcode was set to execute the following command:

Overall there were 305 backdoored ELF binaries in nine GitHub repositories belonging to Andrew Dunkins. Following that trail I found one additional account (snacknroll11) that starred some of Andrew Dunkins’ repositories and contained a repository with an interesting name and description (streettalk_priv_bot - Supreme Bot [Wayback Machine copy]). Despite the name and description of the binary, the file included in that repository (supremebot.exe) turned out to be something else, something I had seen previously and something that provided a great closure for this post. The file supremebot.exe (MD5: 6ee28018e7d31aef0b4fd6940dff1d0a, VT) was actually another modified version of the JXplorer 3.3.1.2 installer for Windows.
