Keypoints
- Attackers host malicious YouTube download pages that sometimes redirect users to ad pages or to download malware uploaded on GitHub.
- The initial downloader is delivered as Setup.exe, which installs WinMemoryCleaner.exe and runs WinMemoryCleanerUpdate.bat to launch the downloader with the /update argument.
- WinMemoryCleaner performs sandbox/VM checks, runs a PowerShell script that installs Node.js, downloads a JavaScript payload, and registers scheduled tasks to run it periodically.
- Two Task Scheduler entries were observed, “Schedule Update” and “WindowsDeviceUpdates”; the JavaScript they launch runs under Node.js and communicates with a C&C server.
- The JavaScript sends basic system information to the C&C and can execute PowerShell commands received from the server to install additional JS payloads or final Proxyware components.
- Observed Proxyware families installed include DigitalPulse, HoneyGain, and recently Infatica; the Infatica chain installs CleanZiloApp and loads infatica_agent.dll via CleanZilo.exe.
- Multiple V3 detection names and file hashes, URLs, and malicious domains were identified; users are advised to avoid executables from suspicious sources and remediate with V3.
MITRE Techniques
- [T1204] User Execution – Malware is distributed via a fake YouTube downloader page where users click “Download” and run Setup.exe disguised as WinMemoryCleaner (“the downloaded executable file is disguised as WinMemoryCleaner and contains a feature to install Proxyware”).
- [T1543] Create or Modify System Process – The installer registers scheduled tasks (“tasks are registered as ‘Schedule Update’ and ‘WindowsDeviceUpdates’ respectively”) to ensure periodic execution of the JavaScript payload.
- [T1059.001] PowerShell – WinMemoryCleaner runs a PowerShell script to install Node.js, download JavaScript malware, and execute further installation (“The PowerShell script installs NodeJS, downloads the JavaScript malware, and registers it to the Task Scheduler”).
- [T1059.007] JavaScript – Malicious JavaScript executed via Node.js performs C&C communication and can execute commands to install additional payloads or final Proxyware (“A malicious JavaScript that is executed via Node.js periodically … sends the following basic information to the C&C server, and can execute when receiving PowerShell commands in response”).
- [T1499] Endpoint Denial of Service (Resource Consumption) – Proxyware consumes network bandwidth of infected hosts, effectively using system resources for attacker profit (“the infected system loses network bandwidth involuntarily, and the profit goes to the attacker”).
- [T1071.001] Application Layer Protocol: Web Protocols – The JavaScript communicates with a C&C server to send information and receive commands (“The JavaScript sends the following basic information to the C&C server, and can execute when receiving PowerShell commands in response”).
- [T1016] System Network Configuration Discovery – The malware collects basic system/network information and sends it to C&C (“The JavaScript sends the following basic information to the C&C server”).
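As an added example (not code from the ASEC report), a PowerShell hunt for the persistence described under T1543 and T1059.007: it enumerates scheduled tasks and flags the two task names observed in the report, and also any task whose action launches node.exe with a .js argument, which generalises the observed behaviour. The function name and the node.exe heuristic are assumptions; the task names come from the report.

```powershell
# Added example: hunt for Node.js-backed scheduled-task persistence on a Windows host.
# Assumes it is run in an elevated PowerShell session on the host being examined.

# Task names observed in the report; any other names are not covered by this list.
$KnownTaskNames = @('Schedule Update', 'WindowsDeviceUpdates')

function Find-SuspiciousNodeTask {
    [CmdletBinding()]
    param(
        [string[]]$TaskNames = $KnownTaskNames
    )
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only ExecAction entries carry Execute/Arguments; COM-handler actions are skipped.
            if (-not $action.Execute) { continue }

            $exeName   = [IO.Path]::GetFileName($action.Execute).ToLowerInvariant()
            $arguments = [string]$action.Arguments

            # Heuristic 1: task name matches one observed in the campaign.
            $byName = $TaskNames -contains $task.TaskName
            # Heuristic 2 (assumption, generalised from the report): node.exe running a .js file.
            $byNode = ($exeName -eq 'node.exe') -and ($arguments -match '\.js(\s|"|$)')

            if ($byName -or $byNode) {
                [PSCustomObject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    State     = $task.State
                    Execute   = $action.Execute
                    Arguments = $arguments
                    Reason    = if ($byName) { 'known task name' } else { 'node.exe launching a .js file' }
                }
            }
        }
    }
}

# Print every hit; an empty table means neither heuristic matched on this host.
Find-SuspiciousNodeTask | Format-Table -AutoSize
```

A hit on the node.exe heuristic alone is not proof of infection (legitimate software can schedule Node.js scripts); review the script path and the task's author and triggers before remediating.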
Indicators of Compromise
- [File Hash] dropper/downloader samples – 037e94519ce35ef944f1dc3f1434d09d, 0af46f150e0ffa678d20fcbe5e145576 (and 3 more hashes).
- [URL] payload and loader hosting – https[:]//d8mrs2p5baql5[.]cloudfront[.]net/CleanZilo[.]exe, https[:]//d8mrs2p5baql5[.]cloudfront[.]net/infatica_agent[.]dll.
- [URL] malicious JavaScript/redirects – https[:]//a[.]pairnewtags[.]com/p[.]js, https[:]//d14vmbql41e8a5[.]cloudfront[.]net/pas[.]js.
- [FQDN] attacker-controlled domains used for distribution/redirects – 4tressx[.]com, cloudnetpr[.]com (and fastconnectnetwork[.]com, connectiondistribute[.]com, kuchiku[.]digital).
- [File Name] installed artifacts and tasks – Setup.exe (initial downloader), WinMemoryCleaner.exe (downloader), CleanZilo.exe and infatica_agent.dll (Infatica Proxyware payload).
Read more: https://asec.ahnlab.com/en/89787/