Geeks for your information Security Security Vendors G Data G DATA Security Blog v
Babax stealer rebrands to Osno, installs rootkit
Babax stealer rebrands to Osno, installs rootkit
harlan4096 Online
MalWare Zoo Team
*******
Posts: 15,316
Threads: 9,909
Thanks Received: 9,186 in 7,338 posts
Thanks Given: 10,037
Joined: 12 September 18
#1
Bug  12 November 20, 10:18
Quote:
[Image: G_DATA_Blog_RebrandBabax_Header.jpg]

Babax not only changes its name but also adds a Ring 3 rootkit and lateral spreading capabilities. Furthermore it has a ransomware component called OsnoLocker. Is this combination as dangerous as it sounds?

Emergence of Babax and Osno

Babax stealer is at least around since June 2019. At that time a user named ForlayPy gave away the source code for free after being dissatisfied with a customer they sold the source to.

A colleague of mine discovered the first Osno stealer sample[1] on 5th October 2020. The sample[1][sup] [/sup]is a packed .NET assembly with the module name

FallGuysStats. The module name indicates that it is using a statistics generator for the Steam game Fall Guys as a lure. The config shows version Osno 2.1.5 and has placeholders for some of the functions, including FTP and Telegram settings.

By the end of October researcher @backsla3h noted that the stealer is sold on forums. The advertisment comparison of Babax and Osno shows not only an increased price but also four more features or "Benefits" for Osno: r77 and network spreading, Anti-AV and evasion of WindowsDefender via allowlist, AnarchyGrabber and microphone records. Additionally there is a ransomware module which is not advertised (yet). Most of these features are described in the following sections.

Rootkit r77

Although the advertisment calls this an exploit, it is actually an open source rootkit by bytecode77. The Github repo provides DLL's for this rootkit as well as an installer. Osno does the installation itself. Just like the rootkit installer, Osno registers the rootkit DLL to AppInit_DLLs and enables LoadAppInit_DLLs so it is loaded with every process. Because the rookit DLLs are not signed, it sets RequireSignedAppInit_DLLs to 0.

The rootkit uses MinHook to redirect WinAPI calls, so that it hides processes and file names, e.g., from explorer and taskmanager. The proof-of-concept binaries for the rootkit hide files and processes that start with "$77". Since Osno uses the proof-of-concept binaries, it needs to add the prefix "$77" to its own files to make it work.

The Github README.md for r77 states that the rootkit is still work in progress. Because of that hiding files for x86 is currently unstable and disabled in the proof-of-concept files.
...
Continue Reading
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
Microsoft releases KB5070773 out of ban...
Thanks for the updat...jasonX — 12:07
Google Chrome 141.0.7390.122/.123
Google Chrome 141....harlan4096 — 11:05
AnyViewer Remote Desktop 3.3.1 for macOS
Version 3.3.1 S...harlan4096 — 10:57
AnyViewer Remote Desktop 5.40 for Window...
Version 5.4.0 O...harlan4096 — 08:40
Bitdefender 27.0.55.279
Bitdefender 27.0.5...harlan4096 — 07:40

[-]
Birthdays
Today's Birthdays
avatar (40)Michaelcrini
Upcoming Birthdays
avatar (47)Michaelaceve
avatar (37)QuadirLigh
avatar (38)Mblippek
avatar (44)viecontAceve

[-]
Online Staff
There are no staff members currently online.

>