Kaspersky crimeware report: FakeSG, Akira and AMOS

Kaspersky researchers detail three active crimeware campaigns: the FakeSG NetSupport RAT distribution chain that abuses compromised websites and chained scripts/archives for persistence, the cross-platform Akira ransomware with Conti-like traits and anti-analysis measures, and the AMOS macOS stealer distributed via malvertising DMG installers. Technical highlights include scheduled-task persistence, shadow-copy deletion, file encryption, fake password prompts via osascript, and exfiltration to C2 over HTTP. #NetSupportRAT #Akira #AMOS

Keypoints

  • FakeSG deploys NetSupport RAT via compromised legitimate websites that prompt users to install a “browser update” which downloads obfuscated JS that chains additional scripts, 7z archives and executables.
  • The FakeSG chain establishes persistence by creating a scheduled task named “VCC_runner2”, extracting and copying malware from a 7z archive, and using a configuration file that contains the C2 address.
  • Akira is a C++ ransomware targeting Windows and Linux, deleting shadow copies via PowerShell/WMI, encrypting logical drives while skipping specific folders, and operating a TOR-based leak/communication site with anti-debugging behavior on its web panel.
  • Akira shows code and configuration similarities with Conti (identical exclusion folder list and string obfuscation routine) and uses JQuery Terminal for a minimalistic, debugger-detecting C2 panel.
  • AMOS (Atomic macOS stealer), initially written in Go and now in C, is distributed via malvertising (cloned software sites) and delivered as DMG installers; it collects local notes, documents, browser data, wallets and IM data, zips the payload with miniz and exfiltrates it over HTTP with a UUID identifying the buyer or campaign.
  • AMOS uses osascript to display fake password prompts when required, checks for blank passwords, and targets victims worldwide (notably Russia and Brazil).
  • Published IOCs include multiple file hashes for NetSupportManagerRAT, Akira and AMOS samples; a recurring download path (/cdn/wds.min.php); and artifacts such as the scheduled task name VCC_runner2.

MITRE Techniques

  • [T1053] Scheduled Task/Job – used to maintain persistence by creating a scheduled task named “VCC_runner2”. (‘creating a scheduled task with the name “VCC_runner2”’)
  • [T1490] Inhibit System Recovery – removal of shadow copies to prevent recovery, performed using PowerShell and WMI. (‘shadow copies are deleted (using a combination of PowerShell and WMI)’)
  • [T1486] Data Encrypted for Impact – Akira encrypts logical drives while excluding certain file types and directories. (‘logical drives are encrypted, and certain file types and directories are skipped’)
  • [T1027] Obfuscated Files or Information – use of string obfuscation functions and obfuscated JavaScript loaders to hinder analysis. (‘string obfuscation function used’ / ‘The download is a JS file that contains obfuscated code’)
  • [T1189] Drive-by Compromise – initial access via malvertising and cloned popular software sites that trick users into downloading installers (DMG). (‘popular software sites get cloned, and users are lured into downloading the malware’)
  • [T1059.007] Command and Scripting Interpreter: JavaScript – execution of obfuscated JavaScript that loads further scripts, sets cookies and initiates additional downloads. (‘The download is a JS file that contains obfuscated code. When executed, it loads another script from a remote location and sets a cookie.’)
  • [T1204.002] User Execution: Malicious File – social-engineering prompt to “update the browser” which induces the user to execute the downloaded malicious files. (‘displays a prompt to update the browser and starts automatically downloading another script’)
  • [T1041] Exfiltration Over C2 Channel – stolen data is compressed and sent to C2 infrastructure over HTTP, with requests including a UUID identifying the campaign/buyer. (‘The data is zipped with the “miniz” library and sent to the C2 over HTTP. Part of the request is the UUID identifying the malware buyer or campaign.’)
  • [T1071.001] Application Layer Protocol: Web Protocols (HTTP/HTTPS) – use of web/TOR-based communication sites for leak/communication and C2 interaction. (‘there is a leak/communication site on TOR’)
  • [T1497] Virtualization/Sandbox Evasion – anti-analysis behavior on the Akira web panel that triggers an exception when opened under a browser debugger to impede analysis. (‘if you open the website while using a debugger in the browser, an exception will be raised, stopping the analysis.’)

Indicators of Compromise

  • [File hash] Sample hashes from published IOCs – C60AC6A6E6E582AB0ECB1FDBD607705B (NetSupportManagerRAT), 00141f86063092192baf046fd998a2d1 (Akira), and 4 more hashes.
  • [File hash] AMOS samples – 3d13fae5e5febfa2833ce89ea1446607e8282a2699aafd3c8416ed085266e06f, 9bf7692f8da52c3707447deb345b5645050de16acf917ae3ba325ea4e5913b37.
  • [URL path] Download path used in FakeSG landing pages – /cdn/wds.min.php (consistent path across changing download URLs).
  • [Scheduled task] Persistence artifact – scheduled task name “VCC_runner2” used to maintain execution.
  • [Installer artifact] macOS distribution container – DMG image installers used by AMOS as the infection vector (installation instructions included in the DMG).
  • [C2 / Infrastructure] C2 and leak site indicators – configuration files in 7z contain C2 address; Akira operates a TOR-based leak/communication site.

FakeSG technical procedure: Compromised legitimate sites present a fake browser-update prompt that downloads an obfuscated JavaScript. The JS loads additional remote scripts, sets cookies, and triggers an automatic download chain that includes a batch script, a 7z archive and the 7z executable. The second batch script implements persistence by creating a scheduled task named “VCC_runner2”, extracting and copying malware binaries from the 7z archive, and relying on a configuration file inside the archive that contains the C2 address.

Akira ransomware workflow: Akira samples (C++; Windows/Linux) delete shadow copies via PowerShell and WMI to inhibit recovery, enumerate and encrypt logical drives while skipping a predefined exclusion list (notably matching Conti’s exclusions), and expose a TOR-hosted leak/communication panel. The group’s C2 site is implemented with JQuery Terminal and includes anti-analysis checks that raise exceptions when a browser debugger is present; the ransomware also uses string-obfuscation routines to hinder analysis.

AMOS macOS stealer procedure: AMOS is distributed via malvertising — cloned popular-software sites serving DMG installers that ship with installation instructions. On execution the malware checks whether the local user account has a blank password and, if a password is required, displays a fake password prompt via osascript to obtain it. It collects notes, Desktop/Documents files, browser cookies and logins, cryptocurrency wallet data and IM data; it compresses the collected data with the miniz library and exfiltrates it to the C2 over HTTP, including a UUID identifying the buyer or campaign.
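As an added illustration of how the indicators on this page can be turned into detection logic, the Python script below (written for this summary; it is not code from Kaspersky or from the report) matches the atomic indicators quoted above, the VCC_runner2 task name, the /cdn/wds.min.php download path and the published hashes, together with two behavioural patterns, against constructed telemetry lines covering the FakeSG, Akira and AMOS procedures. The shadow-copy strings (the Win32_ShadowCopy WMI class and vssadmin delete shadows) and the osascript "hidden answer" dialog pattern are assumptions about how "PowerShell and WMI" and "osascript" are commonly used, not details taken from the report; the sample log lines, host names and file paths are likewise constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Atomic indicators quoted from the summary above.
SCHEDULED_TASK_NAME = "VCC_runner2"
FAKESG_DOWNLOAD_PATH = "/cdn/wds.min.php"
KNOWN_HASHES = {
    "c60ac6a6e6e582ab0ecb1fdbd607705b": "NetSupportManagerRAT",
    "00141f86063092192baf046fd998a2d1": "Akira",
    "3d13fae5e5febfa2833ce89ea1446607e8282a2699aafd3c8416ed085266e06f": "AMOS",
    "9bf7692f8da52c3707447deb345b5645050de16acf917ae3ba325ea4e5913b37": "AMOS",
}

# Behavioural patterns. ASSUMPTION: the summary only says "PowerShell and WMI"
# and "osascript"; the concrete strings below are common implementations of
# those behaviours chosen for this example, not quoted from the report.
SHADOW_COPY_PATTERNS = (
    re.compile(r"win32_shadowcopy", re.I),                        # WMI shadow copy class
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),  # VSS admin tool
)
FAKE_PASSWORD_PROMPT = re.compile(r"osascript.*display dialog.*hidden answer", re.I)
HEX_TOKEN = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{64}\b", re.I)  # MD5 / SHA-256 sized tokens


@dataclass(frozen=True)
class Finding:
    rule: str        # short rule name
    technique: str   # MITRE technique as mapped in the summary ("" where none is mapped)
    line_no: int
    evidence: str


def scan_line(line_no: int, line: str) -> list[Finding]:
    """Return every indicator match for one telemetry line."""
    found: list[Finding] = []
    if SCHEDULED_TASK_NAME in line:
        found.append(Finding("fakesg_scheduled_task", "T1053", line_no, SCHEDULED_TASK_NAME))
    if FAKESG_DOWNLOAD_PATH in line:
        found.append(Finding("fakesg_download_path", "T1204.002", line_no, FAKESG_DOWNLOAD_PATH))
    for token in HEX_TOKEN.findall(line):
        family = KNOWN_HASHES.get(token.lower())
        if family:
            found.append(Finding(f"known_hash_{family}", "", line_no, token.lower()))
    if any(p.search(line) for p in SHADOW_COPY_PATTERNS):
        found.append(Finding("akira_shadow_copy_deletion", "T1490", line_no, "shadow copy deletion"))
    if FAKE_PASSWORD_PROMPT.search(line):
        found.append(Finding("amos_fake_password_prompt", "", line_no, "osascript hidden-answer dialog"))
    return found


def scan_logs(lines) -> list[Finding]:
    """Scan an iterable of telemetry lines and collect all findings in order."""
    findings: list[Finding] = []
    for n, line in enumerate(lines, start=1):
        findings.extend(scan_line(n, line))
    return findings


# Constructed sample telemetry (not real events); format is "<source> <host> <message>".
SAMPLE_LOGS = [
    "proxy ws01 GET http://compromised-site.example/cdn/wds.min.php 200",
    'process ws01 schtasks.exe /create /tn VCC_runner2 /tr "C:\\Users\\Public\\run.bat" /sc minute',
    "filehash ws01 C:\\Users\\Public\\sample.exe md5=c60ac6a6e6e582ab0ecb1fdbd607705b",
    "process srv02 powershell.exe -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }",
    "process mac03 osascript -e 'display dialog \"System needs your password\" default answer \"\" with hidden answer'",
    "process ws01 notepad.exe C:\\Users\\alice\\notes.txt",
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.rule} {f.technique} ({f.evidence})")
```

The hash lookup is case-insensitive and only inspects tokens of MD5 or SHA-256 length, so hashes written in either case in the published IOC list match; the last sample line is benign and produces no finding, which is the negative case a rule should always be checked against before deployment.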

Read more: https://securelist.com/crimeware-report-fakesg-akira-amos/111483/