When Your Vibrator Steals More Than Your Pleasure
Hey folks! Welcome to my very first cybersecurity blog post, and boy, do I have an intriguing topic for you – malware!
So, I’m casually scrolling through Reddit the other night, on the r/Malware community, and I read something rather odd, a post titled “Malware from a Vibrator!”. Yep, you read that correctly – a vibrator. (And yes, I did just drop a Harry Potter reference there!)
Reddit Post: “Malware from a Vibrator!”
Now, I’ll be honest, I couldn’t help but chuckle at the absurdity of it all. But at the same time, my curiosity was piqued. I mean, malware from a vibrator? How does that even happen? Naturally, I decided to roll up my sleeves and conduct my own analysis of the situation. After all, it’s been a while since I’ve done a simple malware analysis - static and dynamic, and this seemed like the perfect opportunity to dust off those skills.
Static analysis refers to the examination of malware code or binaries without executing them. It involves analyzing the characteristics of the malware such as its code structure, embedded strings, function calls, API usage, and other attributes to understand its behavior and potential impact. Dynamic analysis involves observing the behavior of a program while it is running or being executed. Unlike static analysis, which examines the code or binary without execution, dynamic analysis focuses on monitoring the actual runtime behavior of the program to understand its actions, interactions, and effects on the system.
Now, let’s get into the juicy stuff – first, the malware distribution. According to the Reddit post, this particular malware hitched a ride on a vibrator purchased from a mall. Imagine plugging in your new toy to charge, only to have it automatically open a web browser and start downloading a suspicious file. Talk about unexpected!
The browser opens hxxps://citaconsulr[.]com/Mia_Khalifa%2018+[.]zip, which downloads a file named Mia_Khalifa 18+.zip (sound familiar? 😉).
Now, let’s break down some details about this file and its behavior. We’ll first start with static analysis to determine basic file information.
File Information
Mia_Khalifa 18+.zip
So, the file we get, Mia_Khalifa 18+.zip (SHA1: 9b3fec60f264dcd99a31141c8a2bcb0a09f2bff6), is a compressed file (.zip) containing a folder called Xmls, and an installer file (.msi) named Mia_Khalifa 18+.msi (SHA1: 3b27a896233eb882d1475f773836bf69d1c3bddf) once it’s unpacked.
Quick note: MSI (Microsoft Installer) files are essentially database files used by Windows Installer, Microsoft’s software installation and configuration service. They carry all the necessary info for installing and configuring software applications on Windows OS.
The Xmls folder seems to be full of junk xml files, likely just decoys unrelated to the malware. So, our focus shifts to the Mia_Khalifa 18+.msi file.
Mia_Khalifa 18+.msi
For those unfamiliar, an MSI package also acts as a container: the files and resources to install are embedded inside it (usually in CAB archives) and are laid out on disk during installation. We can unpack them without installing anything, either by opening the container directly with 7-Zip or WinRAR, or by running Microsoft's msiexec as an administrative install (/a), which extracts the files to a target directory.
To extract an msi file, we can use this command:
msiexec /a "example.msi" /qb TARGETDIR="C:\path\to\extract"
Running this command on Mia_Khalifa 18+.msi yields a folder named Outweep Dynes and another Mia_Khalifa 18+.msi file.
Extracted the first level Mia_Khalifa 18+.msi
Inside, we’ll find another msi file with the same filename, but notice it’s a different size (smaller) than the previous one. Attempting to extract this second msi file throws an error, seemingly looking for a file named InstallerPlus_v3e.5m.exe. Let’s leave it at that for now.
Error extracting the second level Mia_Khalifa 18+.msi
As mentioned earlier, an MSI package can be opened as a container. Using 7-Zip on the second-level msi reveals mostly installer components and configuration files.
Extracting the second level Mia_Khalifa 18+.msi
These don't provide any helpful information, so let's move on and focus on the file inside the Outweep Dynes folder, InstallerPlus_v3e.5m.exe.
InstallerPlus_v3e.5m.exe
Our file, InstallerPlus_v3e.5m.exe (SHA1: 296cabbf411c0c7f86c8c7214a633d0244fffff5), is a PE executable, as the extension suggests. We can use PE tools such as PEiD and PEStudio (or any equivalent) to examine its nature and gather more intel.
Using PEiD to check the file signature:
According to PEiD, it's identified as Microsoft Visual C++ 8 [RAR SFX].
PE Studio provides additional insights, revealing an export of sfxrar.exe (used for extracting the archive):
Another noteworthy detail: PEStudio reports Russian as the file's language.
Furthermore, it's evident that the file carries a RAR archive as an overlay.
A PE overlay is data appended after the last section of a PE file, beyond what the section table accounts for. The Windows loader never maps it, so developers use it for extra data such as debugging information or resources, and self-extracting archives use it to carry their payload. In this instance, the overlay is a RAR archive.
With this information, we've confirmed that it's not a typical exe but a self-extracting archive (SFX).
SFX files are self-extracting archives, capable of automatically extracting their contents. They’re often used to bundle software installations or files for distribution, simplifying the extraction process for users.
So, can we extract it? Absolutely! However, upon extraction, it prompts for a password, which we don’t have… yet!
In such cases, we have a few options. RAR archives encrypt their contents with AES, so there is no shortcut through the cipher: we need the password. Since the SFX is launched by the installer rather than by a user, whatever launches it has to supply that password, so it must be sitting somewhere in the MSI or in the files we've extracted. We could sift through all the files and binaries we have to find it, or brute-force it. Either way, it's tedious. Alternatively, we can let it run, monitor the processes, and pick up the password dynamically, which we'll explore in the next part. Let's halt our static analysis here since we can't proceed further.
In the upcoming sections, we’ll execute the main file extracted from Mia_Khalifa 18+.zip – the initial Mia_Khalifa 18+.msi (SHA1: 3b27a896233eb882d1475f773836bf69d1c3bddf).
With tools like ProcMon, we can observe the execution tree of the primary malware file.
As seen above, msiexec spawns new processes: first the SFX payload we've already seen, InstallerPlus_v3e.5m.exe (SHA1: 296cabbf411c0c7f86c8c7214a633d0244fffff5), followed by an executable named Installer-Advanced-Installergenius_v4.8z.1l.exe. You might wonder where this file came from: it's the file inside the SFX, which we haven't encountered previously because the SFX was password-protected and only unpacks at runtime. We can safely assume that Installer-Advanced-Installergenius_v4.8z.1l.exe is the final executable payload.
Examining the process of InstallerPlus_v3e.5m.exe, we notice a triggered command:
"C:\Users\zorro\AppData\Local\Outweep Dynes\InstallerPlus_v3e.5m.exe" -pe548ycMIJPeyhTd
InstallerPlus_v3e.5m.exe Commandline
Here we can spot the password: e548ycMIJPeyhTd. WinRAR's -p switch takes the password immediately after it, with no space (-p<password>). Note: running or extracting the SFX manually with that password would extract the file inside and immediately execute it (the SFX's setup script runs the contained executable after extraction), rather than letting you inspect it.
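Here is an added example (my own, not part of the original post) that automates the check just done by hand in ProcMon. Given process-creation records of the kind a Sysmon Event ID 1 or ProcMon "Process Create" export provides (pid, parent pid, image path, command line), it flags msiexec.exe spawning an executable out of %LOCALAPPDATA%, pulls a -p<password> switch off the command line, and flags anything running from the RarSFX<n> directory under %TEMP% that WinRAR SFX stubs extract into. The sample records are constructed: the PIDs and the msiexec command line are made up, while the paths and password are the ones observed above.

```python
"""Added example (not from the original post): triage process-creation events for
the msiexec -> RAR SFX -> dropped payload chain seen in ProcMon above.

Records carry what a Sysmon Event ID 1 or ProcMon 'Process Create' export gives
you: pid, parent pid, image path, command line.  Three observations from the
analysis become checks, and the SFX password is pulled out of the -p switch.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# WinRAR form: "-p" immediately followed by the password, no space, no "=".
PASSWORD_SWITCH = re.compile(r'(?:^|\s)-p(?P<pw>[^\s"]+)')
# Directory a WinRAR SFX stub extracts into before running its setup command.
RARSFX_DIR = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.IGNORECASE)
LOCALAPPDATA_EXE = re.compile(r"\\AppData\\Local\\.*\.exe$", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    image: str
    reasons: List[str] = field(default_factory=list)
    password: Optional[str] = None


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[ProcEvent]) -> List[Finding]:
    """Return one Finding per event that trips at least one check."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        f = Finding(pid=e.pid, image=image_name(e.image))
        parent = by_pid.get(e.ppid)
        if parent and image_name(parent.image) == "msiexec.exe" and LOCALAPPDATA_EXE.search(e.image):
            f.reasons.append("msiexec.exe spawned an executable from %LOCALAPPDATA%")
        m = PASSWORD_SWITCH.search(e.cmdline)
        if m:
            f.reasons.append("archive password passed on the command line (-p<password>)")
            f.password = m.group("pw")
        if RARSFX_DIR.search(e.image):
            f.reasons.append("running from a WinRAR SFX extraction directory (%TEMP%\\RarSFX<n>)")
        if f.reasons:
            findings.append(f)
    return findings


def chain(events: List[ProcEvent], pid: int) -> List[str]:
    """Ancestry of `pid` as image names, root first, as far as the records reach."""
    by_pid = {e.pid: e for e in events}
    names = []
    while pid in by_pid:
        names.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names[::-1]


# Constructed records: PIDs and the msiexec command line are made up; the
# paths and the password are the ones observed in this analysis.
SAMPLE_EVENTS = [
    ProcEvent(1000, 600, r"C:\Windows\System32\msiexec.exe", r'msiexec.exe /i "Mia_Khalifa 18+.msi"'),
    ProcEvent(1100, 1000, r"C:\Users\zorro\AppData\Local\Outweep Dynes\InstallerPlus_v3e.5m.exe",
              r'"C:\Users\zorro\AppData\Local\Outweep Dynes\InstallerPlus_v3e.5m.exe" -pe548ycMIJPeyhTd'),
    ProcEvent(1200, 1100, r"C:\Users\zorro\AppData\Local\Temp\RarSFX0\Installer-Advanced-Installergenius_v4.8z.1l.exe",
              r'"C:\Users\zorro\AppData\Local\Temp\RarSFX0\Installer-Advanced-Installergenius_v4.8z.1l.exe"'),
    ProcEvent(1300, 600, r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt"),  # benign noise
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.pid, " -> ".join(chain(SAMPLE_EVENTS, f.pid)))
        for r in f.reasons:
            print("   ", r)
        if f.password:
            print("    password:", f.password)
```

A -p switch on its own is weak evidence (7-Zip and plenty of legitimate tools use it), so treat the password extraction as enrichment; what makes this chain specific is the combination of an msiexec parent, an executable under %LOCALAPPDATA%, and a child running out of the RarSFX directory.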
Digging deeper, the following files are copied to or written on disk. These are the same files mentioned in the previous parts.
C:\Users\zorro\AppData\Local\Outweep Dynes\InstallerPlus_v3e.5m.exe
C:\Users\zorro\AppData\Local\Temp\RarSFX0\Installer-Advanced-Installergenius_v4.8z.1l.exe
To proceed further, we need to obtain Installer-Advanced-Installergenius_v4.8z.1l.exe (SHA1: 4CB1FC54DC24F175C744A958E74FF84B5FB16D4E) for analysis. It’s observed that this particular malware automatically deletes these files after execution. One way to obtain a copy is to suspend the process to prevent it from following its routine, then copy the file.
Now that we have a copy of the file, we can retrieve basic file information. A notable detail from the information below is the compiler timestamp, February 2024, suggesting it was compiled recently. Additionally, the huge file size (720,244,224 bytes, roughly 687 MiB) is an evasion technique: many AV engines and online sandboxes have an upload or scan size limit and simply skip files this large.
Installer-Advanced-Installergenius_v4.8z.1l.exe File Information
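As an added example (mine, not from the original post and not output of any tool mentioned above), the script below parses just enough of a PE header to locate the overlay, the region after the last section discussed earlier, and characterises it. That one measurement separates the two stages on this page: the SFX stub's overlay is a RAR archive (RAR signature at the start, near-maximum entropy), whereas an inflated payload's overlay is padding (near-zero entropy, almost all null bytes). It also reads the COFF timestamp that gives the compile date. The two PE files it inspects are constructed in memory to exercise the parser, not the real samples; the header layout follows the PE/COFF specification, and the February 2024 timestamp is chosen to match the one on this page.

```python
"""Added example (not from the original post): characterise a PE file's overlay.

Only the DOS header, COFF header and section table are parsed; the overlay is
whatever lies past the highest PointerToRawData + SizeOfRawData.  On this page
the SFX stub's overlay is a RAR archive, while the final payload is inflated
with padding, and the two look very different by size, entropy and null count.
"""
import math
import struct
import sys
from collections import Counter
from datetime import datetime, timezone

RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")   # RAR4 / RAR5 signatures
ENTROPY_SAMPLE = 1 << 20   # entropy over the first MiB is enough to tell padding from an archive


def pe_data_end(data: bytes) -> int:
    """Offset just past the last byte the section table accounts for."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + size_opt
    end = sec_table + num_sections * 40            # the headers themselves occupy file space
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for padding, close to 8.0 for an archive)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def overlay_report(data: bytes) -> dict:
    end = pe_data_end(data)
    overlay = data[end:]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]   # COFF TimeDateStamp
    return {
        "compile_time": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d"),
        "file_size": len(data),
        "overlay_offset": end,
        "overlay_size": len(overlay),
        "overlay_ratio": round(len(overlay) / len(data), 4),
        "overlay_null_fraction": round(overlay.count(0) / len(overlay), 4) if overlay else 0.0,
        "overlay_entropy": round(entropy(overlay[:ENTROPY_SAMPLE]), 2),
        "overlay_is_rar": overlay.startswith(RAR_MAGICS),
    }


def build_test_pe(section_payload: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE32 (one section, not runnable) used only to exercise the parser."""
    e_lfanew, size_opt = 0x40, 0xE0
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x65C5A8C0, 0, 0, size_opt, 0x102)  # i386, 1 section, Feb 2024 stamp
    opt = b"\x0B\x01" + b"\x00" * (size_opt - 2)                                  # PE32 magic, rest zeroed
    raw_ptr = (e_lfanew + 4 + 20 + size_opt + 40 + 0x1FF) & ~0x1FF                 # 512-byte file alignment
    sec = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", len(section_payload), 0x1000, len(section_payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = dos + b"PE\x00\x00" + coff + opt + sec
    return img + b"\x00" * (raw_ptr - len(img)) + section_payload + overlay


def demo() -> dict:
    """Two constructed files mirroring the page's two stages: archive overlay vs. padding overlay."""
    code = b"\xCC" * 0x200
    sfx_like = build_test_pe(code, RAR_MAGICS[1] + bytes(range(256)) * 64)   # 16 KiB archive-like overlay
    inflated = build_test_pe(code, b"\x00" * (4 << 20))                      # 4 MiB of null padding
    return {"sfx": overlay_report(sfx_like), "inflated": overlay_report(inflated)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(overlay_report(fh.read()))
    else:
        for name, report in demo().items():
            print(name, report)
```

Run it with a path argument to report on a real sample; if you'd rather not hand-parse headers, pefile's get_overlay() performs the same location step. The null-byte fraction and entropy are what matter when deciding whether a 700 MB file is worth carving down for analysis: padding can be stripped from the overlay and the remaining PE hashed and scanned at a size sandboxes will actually accept.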
Throughout the malware execution, these processes and dumped files were automatically closed and deleted after runtime. I haven’t detected any malicious indicators or behaviors such as C2 or modifications made, leading me to believe that this malware incorporates anti-analysis techniques like anti-sandboxing. Samples of the same malware family have been observed to exhibit this behavior, as indicated in this report.
Network Connections
When it comes to network connections, we can use tools like FakeNet-NG, TCPView, and Wireshark to check whether this malware establishes any Command-and-Control (C2) connections or makes other network requests. However, after multiple attempts, I haven't observed any malicious connections. This is likely due to the anti-analysis behavior mentioned previously.
Since this incident was posted on Reddit, several users have uploaded the main sample Mia_Khalifa 18+.msi (SHA1: 3b27a896233eb882d1475f773836bf69d1c3bddf) into sandboxes. One particular result marked the sample as malicious, identifying it as a Lumma Stealer malware.
Mia_Khalifa 18+.msi Sandbox Result
Moreover, searching the same sandbox platform for the hash of the final payload, Installer-Advanced-Installergenius_v4.8z.1l.exe (SHA1: 4CB1FC54DC24F175C744A958E74FF84B5FB16D4E), turns up a report with the same verdict and malware classification.
Installer-Advanced-Installergenius_v4.8z.1l.exe Sandbox Result
In this report, we also find additional information, particularly a list of C2 servers or URLs the file connects to.
Additionally, while examining all the network connections, I’ve come across some additional suspicious domain/IP addresses, namely stamprollabbeymemberw[.]site and 176[.]113[.]115[.]227.
It’s worth noting that the final payload hasn’t been uploaded or detected on VirusTotal yet as of writing.
Now, let’s delve into the malware itself – Lumma Stealer.
Lumma Stealer
Lumma Stealer, also known as LummaC2 Stealer, is a C language-based information-stealing program that operates under a Malware-as-a-Service framework. It has been accessible through Russian-speaking online forums since at least August 2022. Lumma Stealer primarily targets cryptocurrency wallets (e.g., Binance and Ethereum) and browser extensions used for two-factor authentication (2FA) (e.g., Authenticator) and cryptocurrency (e.g., Metamask). Its ultimate goal is to extract sensitive data from the victim’s device and send it to a Command-and-Control (C2) server. A successful exfiltration of information can lead to various fraud scenarios, such as hijacking bank accounts using stolen credentials and monetary loss due to stolen cryptocurrency. This malware emerged as one of the prominent infostealers back in 2023, as reported by KELA Research.
Upon reading through various reports on Lumma, I’ve discovered that this malware is typically distributed through cracked or fake copies of popular software, emails containing payloads in the form of attachments or links impersonating well-known companies, or via Discord’s content delivery network (CDN). Interestingly, none of the reports I’ve come across mention distribution via a pleasure device 😆. It’s indeed my first time hearing about malware distributed in this manner, which I find both amusing and intriguing.
Now, I don’t know about you, but the idea of malware being distributed through a pleasure device is both bizarre and oddly amusing. It just goes to show that when it comes to cybersecurity, you never know what you’re going to encounter.
So, there you have it – thank you for reading up. If you’re planning on buying a vibrator, make sure it’s penetration tested. No pun intended 😜
Until next time!
IOCs
Files
- Mia_Khalifa 18+.zip (SHA1: 9b3fec60f264dcd99a31141c8a2bcb0a09f2bff6)
- Mia_Khalifa 18+.msi (SHA1: 3b27a896233eb882d1475f773836bf69d1c3bddf)
- InstallerPlus_v3e.5m.exe (SHA1: 296cabbf411c0c7f86c8c7214a633d0244fffff5)
- Installer-Advanced-Installergenius_v4.8z.1l.exe (SHA1: 4CB1FC54DC24F175C744A958E74FF84B5FB16D4E)
URL/Domain/IP
- hxxps://gemcreedarticulateod[.]shop/api
- hxxps://secretionsuitcasenioise[.]shop/api
- hxxps://claimconcessionrebe[.]shop/api
- hxxps://liabilityarrangemenyit[.]shop/api
- stamprollabbeymemberw[.]site
- 176[.]113[.]115[.]227
References
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
- https://it.darktrace.com/blog/the-rise-of-the-lumma-info-stealer
- https://www.trendmicro.com/en_us/research/23/j/beware-lumma-stealer-distributed-via-discord-cdn-.html
- https://tria.ge/240218-vthe8adb47
- https://tria.ge/240217-fsz7baca54
- https://socradar.io/malware-analysis-lummac2-stealer/
- https://www.kelacyber.com/emerging-infostealers-2023-report/