eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
In April 2024, eSentire’s Threat Response Unit (TRU) briefly covered the D3F@ck Loader in the previous article. In this article, we will discuss Сергей Пантелеевич (Sergei Panteleevich), the individual behind the orchestration of D3F@ck Loader. We will also provide analysis of D3F@ck Loader samples and an extensive list of indicators of compromise discovered during the hunting process.
It’s important to note that Sergei Panteleevich is not the real name of the person behind the loader; the developer used the name of a Russian financial fraudster and founder of MMM, a company that executed one of the largest Ponzi schemes in history during the 1990s.
So, let’s start with the D3F@ck Loader developer (referred to as "Sergei" in this article), who currently uses the Telegram handle @Mavr_MMM and AO_MMM, Null14 on hacking forums. The Telegram account was first created in October 2022. The following is the history of account name changes:
Telegram Handle
Display Name
@GhostBustersKING
GhostBusters
@GHOSTBUSTERSKING
GhostBusters
@GhostBustersKING
Сергей Пантелеевич
@Mavr_MMM
Сергей Пантелеевич
@MAVR_MMM
Сергей Пантелеевич
While researching Sergei’s historical Telegram activity, we identified references to a “GhostBustersTeam” Telegram bot in LummaC2 Public Telegram channel in January 2024. Sergei has a poor reputation among Telegram community members (Figure 1) and was restricted from posting messages due to inappropriate behavior in Lumma Stealer's public Telegram chat.
Figure 1: Snippet of the conversation from Lumma Public chat from other users talking about Sergei
Pivoting on the GhostBustersTeam bot, we found a reference on a Russian hacking forum where Sergei was promoting his MMM Team, also known as GhostBusters Team, and seeking to hire more people to spread Meta Stealer to exfiltrate data in June 2022 (Figures 2-3).
GhostBusters is a traffer (a term primarily used in Russian-speaking communities, referring to a person who deals with internet traffic. In the context of cybersecurity and the internet, a traffer typically works in the field of driving or redirecting internet traffic to specific websites, often for advertising or commercial purposes.
The term can also carry a negative meaning when traffers engage in less ethical practices such as distributing malware) team that specializes in distributing stealers, specifically Meta Stealer. @g0njxa provided a great report on GhostBusters team here.
Figure 2: Topic from Sergei on hiring people to the MMM Team on a Russian hacking forumFigure 3: GhostBusters Team poster
Apart from managing and operating the MMM Team / GhostBusters, Sergei also sells EV (Extended Validation) certificates for up to $3000 per year. According to the advertisements, the user can also request a unique company name to be created (Figures 4-6).
Figure 4: Certificate sale announcement (1)Figure 5: Certificate sale announcement (2)Figure 6: Certificate sale announcement (3)
It’s worth noting that it’s common for the developers behind loaders to sell EV certificates or promote the services that sell them, such as FakeBat and eDragon_x. EV certificates can help bypass SmartScreen, avoid application blocking upon running, and enhance a file's credibility; however, they often have a short lifespan due to the risk of revocation.
eSentire’s TRU team has actively been revoking certificates used by D3F@ck Loader. This forces malware developers and threat actors to invest more money and effort into obtaining new EV certificates.
Running the file with the valid EV certificate gives the end user a friendly UAC prompt (Figure 7). Running the file with a revoked invalid certificate would prevent the application from running (Figure 8).
Figure 7: An UAC prompt upon running the file with a valid EV certificateFigure 8: Running the file with a revoked invalid signature
The certificates we identified used by D3F@ck Loader are:
LLC Kama Lubricant Company
Ayog Tech Ltd
Primalspeed Ltd
Eleventh Edition Ltd
Tenet Tech Ltd
Clicksat Ltd
MAD PANDA Ltd
Joystery Ltd
Based on additional research, we assess with medium confidence that Sergei is in his late 30s and at one point lived in Chelyabinsk, Russia, and studied at Chelyabinsk Construction College (ЧелябинскийМонтажныйКолледж).
D3F@ck Loader Analysis
In the previous blog, we covered the initial advertisement on the Exploit forum on D3F@ck Loader developed by Sergei. The loader has been observed to be delivering additional malware, including Raccoon Stealer, MetaStealer, SectopRAT, and DanaBot.
The first batch of D3F@ck Loader payloads distributed were signed as “LLC Kama Lubricant Company”. Let’s look at the initial payload (MD5: 47bc9ef09f431cd1dc92840a19fe2158) distributed around February 2024 and advertised in one of the demo videos provided by Sergei (Figure 10).
Figure 9: Screenshot from the demo video
D3F@ck Loader uses the Inno Setup installer for the initial payload. Inno Setup is a free and user-friendly tool that makes it easy to create professional-looking installations. It includes a powerful scripting language (Pascal Scripting) that allows for the customization of installations.
Malware developers can use this feature to execute custom scripts that install additional payloads, set up persistence mechanisms, disable Defender, or perform other malicious activities during the installation process.
When analyzing Inno Setup malware, we highly recommend using the InnoExtractor tool by Havy Alegria. From the extracted files, we can look at the install_script.iss file, which contains all the installer instructions and settings (Figure 10).
Figure 10: Snippet of the install_script.iss
We will focus on the Files section of the script (Figure 11):
[Files] section specifies which files are to be included in the installer package.
Specifies the path to the source file that will be included in the installer. The {app} variable refers to the application's installation directory (Figure 12) specified by the script. In our case, it’s “{pf}\Telegram Selected”, where {pf} refers to “Program Files”
The embedded files are the following:
down – 7zip tool (MD5: 8f57948e69c82bf98704f129c5460576)
elevate.exe –tool that allows starting programs; in our case, it’s Setup.exe with elevated privileges from the command line (MD5: 7f3b7c1c476a6ddf0bc2acabc7ffe3be).
Setup.exe – facilitates the execution of Java payloads (MD5: 429d476259582313336a7eb6895362df).
jre.7z – password-protected archive with Java dependencies (799850b32ec090d3079a39d9703f4867).
lib.7z – password-protected archive with Java dependencies, including the instructions to execute the next-stage payloads (MD5: a4e56a67786fb2408bd3639a63a00cc8).
Figure 11: Installation directory
Thanks to the InnoExtractor Tool, we can also get CompiledCode.
CompiledCode is a file generated by Inno Setup that contains the compiled bytecode of PascalScript code. The compiled bytecode allows the installer to execute custom scripts to handle various installation tasks, conditions, and user interactions programmatically during the setup process.
Let’s fetch the CompiledCode into Pascal Script Decompiler. We notice the base64-encoded strings that are decoded to the instructions to extract the password-protected 7z archive named “lib”. The archive contains the main D3F@ck Loader payload.
Figure 12: Code responsible for extracting lib.7z archive
After extracting the payload from the archive, the code would execute Setup.exe and elevate.exe, which were mentioned previously.
As mentioned previously, Java binaries also play a crucial role in the operation of D3F@ck Loader. The payloads are written in JPHP with DevelNext. DevelNext is an integrated development environment (IDE) specifically designed for JPHP, which is a version of PHP that operates on the Java Virtual Machine (JVM).
The main payload’s functionality would contain “dn-compiled-module.jar” (MD5: 9231458f16389c65c76ad4b90cfe7504), specifically within “dn-compiled-module.jar\app\forms\” path. We can decompile the JPHP code to make it somewhat readable by capturing the section of codes where the Java magic bytes are present.
The “executePowerShellCommand” method from the decompiled code below is responsible for adding an exclusion path to Windows Defender and disabling behavior monitoring in Windows Defender (Figure 13).
Figure 13: Snippet of "executePowerShellCommand" method
The method “downloadAndRunFile$41” retrieves the final payload from the C2 server (jilinebyli[.]top), which is base64-encoded within Pastebin. The retrieved payload is then saved under the %TEMP% folder. As for the naming convention, the code fetches the current microtime using DateFunctions.microtime().
Microtime generally gives the current Unix timestamp in microseconds. The retrieved microtime is then passed to StringFunctions.md5(), which computes an MD5 hash of this microtime. MD5 hashing generates a 32-character hexadecimal number. The MD5 hash is then encoded into a base64 string.
After base64 encoding, any equals signs (=) used as padding in the base64 output are removed, so the name would be something like “MWE3OWE0ZDYwZGU2NzE4ZThlNWIzMjZlMzM4YWU1MzM.exe”.
Custom Base64-encoding
At the end of April 2024, Sergei began obfuscating strings in the code with the custom base64 alphabet.
The script from the sample (MD5: 5cf2e80ac2a7f7fa24f74966d3ec904f) creates the mutex to avoid two instances running simultaneously (Figure 14).
Figure 14: Code snippet that checks for the mutexes
From the “CURSTEPCHANGED” method, we can see base64-encoded strings (Figure 15).
Figure 15: Base64-encoded strings
We notice that immediately after the base64-encoded strings, it calls the “PAPERHELD” function. Looking into the “PAPERHELD” function, we notice a custom alphabet and instructions resembling base64-decoding with bit shifting operation (Figure 16).
Figure 16: Custom alphabet
We can make use of “maketrans” which creates a mapping where each character in the custom alphabet is replaced by the corresponding character at the same position in the standard alphabet. The decoded output of the strings is found on our IOC page on GitHub.
The decoded strings contain the instructions to extract the contents from the ZIP archive (additional downloaded payload), get a secondary C2 URL from Pastebin, start the malicious executable (125.exe) if it exists, and exclude the C:\ folder from being scanned by Defender.
Ceasar Cipher obfuscation
Around the end of May 2024, Sergei started using Ceasar Cipher for string obfuscation, so each character is rotated 12 positions backward in the ASCII table (MD5: 17af51265211f359f047f26598862c54) (Figure 17). He also introduced anti-sandbox and DDR (Dead Drop Resolver) features.
Figure 17: Snippet of the obfuscated strings
For the anti-sandbox feature, the loader checks if processes such as VboxService.exe, Vmwareuser.exe, or Vmtoolsd.exe are present via the “SELECT Name FROM Win32_Process Where Name="%s" query. If one of the processes is present, the loader exits (Figure 18).
Figure 18: VM processes check
In other samples, another sandbox/VM check was present and was located within the DISKV method (Figure 19). The loader queries the disk drive information and looks for strings related to virtual machines with findstr command, then redirects the output to a text file named ds.txt. If one of the strings is present in the text file, the loader will exit.
Figure 19: DISKV method
The developer also integrated the PICADOR method, which specifies the path for dropping the next stage payloads at %TEMP%/av (Figure 20).
Figure 20: PICADOR method
Upon analyzing the core JPHP payload of D3F@ck Loader, we can see that the loader sends the “ready”, “starting”, “downloaded” and “finished” commands to the C2 representing different stages of the infection process. You can check how the communication looks like in any.run sandbox.
“ready” – indicates that the payload retrieval process is ready to proceed after setting up the path where the payload will be dropped, which is "C:\\Program Files\\Windows NT."
“downloaded” – indicates that the final payload has been downloaded.
“starting” – indicates the beginning of the payload execution and the exclusion of the "C:\\" folder from Windows Defender scanning.
“finished” – indicates the completion of the process.
From the code, we can also see the working path of the D3F@ck Loader’s developer:
“C:\\Users\\nesto\\OneDrive\\\Рабочий стол\\\ИСХОДЫ\\WORK\\WORK\\DEVEL\\Launcher\\Auto\\\Без прогресса — С ПИНГОМ\\src\\app\\forms\\MainForm.php”,which translates to “C:\\Users\\nesto\\OneDrive\\\Desktop\\\Sources\\WORK\\WORK\\DEVEL\\Launcher\\Auto\\\Without progress— with the ping\\src\\app\\forms\\MainForm.php”.
The code also contains the link to the Telegram channel hxxps://t[.]me/+JBdY0q1mUogwZWMy.
At the time of writing this article, the link is no longer available. However, we were able to extract an active Telegram link (hxxps://t[.]me/+UfHrjVyCLZ03ODYy) from another sample (MD5: 9c125392b8d62590c4284bc46f894168). The Telegram channel serves as another DDR (Figure 19) and a fallback mechanism in case the main C2 domain is offline.
Figure 21: Telegram channel served as a DDR
Update
In August 2024, the developer updated the loader by changing the path to “%TEMP%\hsperfdata_admin” for the next-stage payloads within the PICADOR method and adding a new Sandbox/AntiVM check method located within the ISENOUGHSPACE method. The method checks for the infected machine's disk space, which is the system drive, and makes sure that it is at least 120GB; otherwise, the loader will not execute (Figure 22). We included the hashes for recent samples, please see the Indicators of Compromise section.
Figure 22: ISENOUGHSPACE method
We assess with high confidence that D3F@ck Loader will continue to actively operate and distribute its payloads through methods such as software impersonation and adult content, delivering various malware families.
The developer's use of Extended Validation (EV) certificates for the loader to bypass security screenings increases the chances of a successful infection on the host, although these certificates often have short lifespans due to diligent revocation efforts.
Additionally, the loader uses the Inno Setup installer, equipped with Pascal scripting, to perform malicious activities such as setting up persistence, retrieving additional payloads, and disabling security features during installation. Separately, the loader developer also runs multiple businesses, including a traffic team that specializes in distributing stealers and markets both EV certificates and the loader itself.
How eSentire is Responding
The eSentire Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Implementing threat detections and BlueSteel, our machine-learning powered PowerShell classifier, to identify malicious command execution and exploitation attempts and ensure that eSentire has visibility and detections are in place across eSentire MDR for Endpoint.
Performing global threat hunts for indicators associated with D3F@ck Loader.
Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.
Recommendations from eSentire's Threat Response Unit (TRU)
Report certificate misuse to certificate authorities.
MITRE ATT&CK
MITRE ATT&CK Tactic
ID
MITRE ATT&CK Technique
Description
Initial Access
T1189
Drive-by Compromise
D3F@ck Loader mainly delivers their payloads via Malvertising
Execution
T1204
User Execution
The loader tricks the user into executing a malicious file, often disguised as a trusted software or adult content with valid EV certificates.
Discovery
T1057
Process Discovery
The loader checks the running processes related to virtual machines
Defense Evasion
T1562.001 T1553
Disable or Modify Tools Subvert Trust Controls
Modifies security settings during installation to disable Windows Defender and avoid detection. Fraudulently obtained EV certificates are used to bypass SmartScreen.
Command and Control
T1102.001
Web Service: Dead Drop Resolver
Uses legitimate platforms like Telegram and Steam to host C2 IPs to facilitate command and control.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
