TL;DR
“Fake Google Meet installer unpacks an Electron app that performs anti-analysis checks and downloads follow-on stealer/downloader payloads (not signed by Google). Check out more information on SystemShock Loader.”
The installer is signed by "Gucheng County Sili Technology Co., Ltd.", a signer whose certificate has since been revoked.
Even so, VirusTotal has, at the time of this writing, 0 detections for this file. So how bad can it be?
This is an NSIS installer executable, so the files can be extracted with 7-Zip. Inside $PLUGINSDIR is an app-64.7z file; in recent EvilAI and TamperedChef campaigns this usually means the installer unpacks an Electron-based application.
Quick Note on EvilAI
I want to pause right here and suggest that "EvilAI" is more of a campaign than a piece of malware. The idea is that malicious applications masquerading as legitimate ones are being designed with the assistance of AI to deliver malware or steal data. I doubt every sample being called "EvilAI" was even written with AI assistance.
App-64.7z
This archive contains an unsigned Electron application called "Google_Meet.exe", along with several other files, including a resources directory. That directory holds an app.asar file (which can be extracted with 7-Zip) and elevate.exe, which I wrote about earlier.
Once app.asar is extracted there is an icon file, a package.json manifest, a main.js file, and an assets directory. The assets directory contains config.dat (a compressed archive) and a.bin (a copy of 7zxa.exe), which is used to extract config.dat.
How do I know this? main.js told me so.
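To see what the 7-Zip step above is actually unpacking, here is an added example (my code, not the post's or any project's) that reads the Electron app.asar container directly, lists its entries, and pulls out a single file such as main.js. The archive it parses is a constructed stand-in built inside the block; the file names follow the layout described above, the contents are placeholders.

```python
# Added example (not code from the original post): a minimal reader for the
# Electron app.asar container, so main.js and the assets directory can be
# listed and pulled out for static review without 7-Zip or the asar CLI.
# The archive it reads is a constructed stand-in built by build_asar(); the
# file names mirror the layout described above, the contents are placeholders.
import json
import struct


def _pad4(n: int) -> int:
    # Chromium Pickle payloads are padded to 4-byte boundaries.
    return (n + 3) & ~3


def build_asar(files: dict) -> bytes:
    """Build an asar blob from {path: bytes}. Used only to construct test data.

    Layout: uint32 4 | uint32 header_len | uint32 payload_len | uint32 json_len
            | JSON header (padded) | concatenated file contents
    """
    header = {"files": {}}
    body = bytearray()
    for path, data in files.items():
        node = header
        parts = path.split("/")
        for part in parts[:-1]:
            node = node["files"].setdefault(part, {"files": {}})
        # asar stores offsets as strings, relative to the end of the header
        node["files"][parts[-1]] = {"size": len(data), "offset": str(len(body))}
        body += data
    js = json.dumps(header).encode()
    header_pickle = struct.pack("<II", 4 + _pad4(len(js)), len(js)) + js.ljust(_pad4(len(js)), b"\0")
    return struct.pack("<II", 4, len(header_pickle)) + header_pickle + bytes(body)


def parse_asar(blob: bytes):
    """Return (header tree, offset where file contents begin)."""
    pickle_size, header_len = struct.unpack_from("<II", blob, 0)
    payload_len, json_len = struct.unpack_from("<II", blob, 8)
    if pickle_size != 4 or header_len != 4 + payload_len or json_len > payload_len:
        raise ValueError("not an asar archive (bad Pickle framing)")
    header = json.loads(blob[16:16 + json_len])
    return header, 8 + header_len


def walk(node: dict, prefix: str = ""):
    """Yield (path, entry) for every file entry in the header tree."""
    for name, child in node.get("files", {}).items():
        path = f"{prefix}/{name}" if prefix else name
        if "files" in child:
            yield from walk(child, path)
        else:
            yield path, child


def list_files(blob: bytes) -> list:
    header, _ = parse_asar(blob)
    return [path for path, _ in walk(header)]


def extract(blob: bytes, wanted: str) -> bytes:
    header, base = parse_asar(blob)
    for path, entry in walk(header):
        if path == wanted:
            if entry.get("unpacked"):
                # unpacked entries live beside the archive in app.asar.unpacked/
                raise KeyError(f"{wanted} is stored in app.asar.unpacked, not in the archive")
            start = base + int(entry["offset"])
            return bytes(blob[start:start + entry["size"]])
    raise KeyError(wanted)


# Constructed sample archive; contents are placeholders, not the real files.
SAMPLE_ASAR = build_asar({
    "package.json": b'{"name":"Google_Meet","main":"main.js"}',
    "main.js": b"const { execFile } = require('child_process');\n",
    "assets/config.dat": b"\x37\x7a\xbc\xaf\x27\x1c",   # 7z magic, stands in for the compressed payload
    "assets/a.bin": b"MZ",                                # stands in for the 7zxa.exe copy
})

if __name__ == "__main__":
    for path in list_files(SAMPLE_ASAR):
        print(path)
    print(extract(SAMPLE_ASAR, "main.js").decode())
```

On a real sample, read resources/app.asar from disk and pass the bytes to list_files() and extract(); entries flagged "unpacked" in the header are not inside the archive at all but sit on disk under app.asar.unpacked/, which is where a dropped helper binary may also be hiding.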
When I launch Google_Meet.exe, it closes my Wireshark, Fiddler, and Process Hacker windows. Very interesting. When I relaunch Process Hacker, several "Google Meet" processes are still running, even though a typical end user would not notice them. (Electron itself runs as several processes, a main process plus renderer, GPU and utility helpers, so the extra instances are not suspicious on their own; killing the analysis tools is.)
So I suspect there is some level of anti-VM/anti-sandbox checking, or at least process awareness, happening. I ran the sample through a sandbox, and interestingly enough, it ran. Here are the key points from the sandbox run.
Sandbox Results:
- Checks the public IP against ipify.org
- Attempts to download crssld.exe from adfjkadf[.]xyz
- DNS query for runicorchid[.]pro
- "filemanagers" mutex created by a child process
- AV enumeration
- Firefox password manager access attempted
- VM aware
It's difficult to say whether the crssld download happens on a normal run or only when the sample recognizes it is in a sandbox. My suspicion is that crssld is the child process decoded/extracted by the main process: it is the one that holds the filemanagers mutex and also makes network calls to a Cloudflare IP address.
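The combination seen above, an unsigned "Google Meet" opening Wireshark, Fiddler and Process Hacker to kill them and then checking its public IP at ipify.org, is worth alerting on. The following is an added example, not code from the original post: a small triage rule over constructed Sysmon-style events that flags any process which opens an analysis tool with PROCESS_TERMINATE rights and records whether the same process also looked up its public IP. Field names follow Sysmon's ProcessAccess (Event ID 10) and DnsQuery (Event ID 22) events; the sample events, the path under AppData\Local\Document and the extra tool names are assumptions.

```python
# Added example (not code from the original post): triage rule over
# constructed Sysmon-style events. Flags processes that open analysis tools
# with PROCESS_TERMINATE rights and notes a public-IP lookup by the same image.
from collections import defaultdict

# Tools the sample was seen closing, plus a few common neighbours (assumption).
ANALYSIS_TOOLS = {"wireshark.exe", "fiddler.exe", "processhacker.exe", "procmon.exe", "x64dbg.exe"}
PROCESS_TERMINATE = 0x0001            # access-right bit inside Sysmon's GrantedAccess
IP_CHECK_DOMAINS = ("ipify.org",)     # public-IP services worth correlating


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events) -> dict:
    """Return {source image: sorted findings} for every process that tried to
    terminate an analysis tool. An ip_check finding is only reported alongside
    a terminate finding, so a plain IP lookup by itself never fires."""
    findings = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 10:                       # ProcessAccess
            target = _basename(ev["TargetImage"])
            if target in ANALYSIS_TOOLS and int(ev["GrantedAccess"], 16) & PROCESS_TERMINATE:
                findings[ev["SourceImage"]].add("terminate:" + target)
        elif ev["EventID"] == 22:                     # DnsQuery
            if ev["QueryName"].lower().endswith(IP_CHECK_DOMAINS):
                findings[ev["Image"]].add("ip_check:" + ev["QueryName"])
    return {src: sorted(f) for src, f in findings.items()
            if any(x.startswith("terminate:") for x in f)}


# Constructed events; the path is an assumption based on the extraction directory named in the post.
MEET = r"C:\Users\lab\AppData\Local\Document\Google_Meet.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": MEET, "TargetImage": r"C:\Program Files\Wireshark\Wireshark.exe", "GrantedAccess": "0x1"},
    {"EventID": 10, "SourceImage": MEET, "TargetImage": r"C:\Program Files\Fiddler\Fiddler.exe", "GrantedAccess": "0x1"},
    {"EventID": 10, "SourceImage": MEET, "TargetImage": r"C:\Program Files\Process Hacker 2\ProcessHacker.exe", "GrantedAccess": "0x1FFFFF"},
    # query-only handle (PROCESS_QUERY_LIMITED_INFORMATION); must not fire
    {"EventID": 10, "SourceImage": r"C:\Windows\explorer.exe", "TargetImage": r"C:\Program Files\Wireshark\Wireshark.exe", "GrantedAccess": "0x1000"},
    {"EventID": 22, "Image": MEET, "QueryName": "api.ipify.org"},
    {"EventID": 22, "Image": r"C:\Windows\explorer.exe", "QueryName": "www.bing.com"},
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS).items():
        print(image, hits)
```

Sysmon only records ProcessAccess for targets its configuration includes, so the analysis tools have to be listed in the ProcessAccess rules before this can fire. The rule tests the terminate bit rather than comparing for equality because a handle opened with PROCESS_ALL_ACCESS (0x1FFFFF) carries it too.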
Further Static Analysis
After sorting the files by date in the AppData\Local\Document directory the files are extracted to, I noticed a file named System.Cover.Lib.dll with the same timestamp as Google_Meet.exe and Google_Meet.dll. Loading it in dnSpy revealed a somewhat obfuscated codebase, but the anti-VM intent is clear.
Using de4dot I was able to produce a cleaner version:
The deobfuscated file still gets no further detections on VirusTotal at the time of this writing, but it is bad. How do I know? The resource section holds a set of encoded data that supports the DLL's sandbox, VM, and analysis evasion. It also downloads additional files.
There is also text near the end that says "Screenshot + message sent", which suggests information stealing on top of the downloader role. The pastebin link appears to fetch a PowerShell script that looks like TrollAMSI, an open-source AMSI bypass proof of concept. There are multiple downloads from adfjkadf[.]xyz; the link provided is the VirusTotal relations tab. This looks like a nasty downloader with some stealer capabilities.
I have included hashes of other applications with the same certificate signer, as well as the hashes for the files referenced by the download links in the resource file. It is possible that crssgeo.exe is Rhadamanthys.
Update November 3, 2025
I found more samples while hunting. One of them, MetaNet 1.0.0.exe, also drops SystemShock Loader, this time as System.Spy.Lib.dll. This opens up a new avenue of searching, since this sample has a different certificate signer: "Nanjing Bangqiao Network Technology Co., Ltd.". Here is the final payload, which contains Base64 strings that decode to the downloader links and anti-analysis strings.
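Both the resource data in System.Cover.Lib.dll and the final payload above hide their download links and anti-analysis strings as Base64. The following is an added example (my code, not the post's) that carves Base64 runs out of a binary and decodes them, bucketing the results into URLs, anti-analysis markers and everything else. It scans plain ASCII runs as well as the UTF-16LE form in which .NET stores string literals, so it can be pointed at the raw DLL, not only at text copied out of dnSpy. The input is a constructed blob, not the real payload; the one real indicator embedded in it is the adfjkadf[.]xyz domain named in this post, and the keyword list is a starting assumption.

```python
# Added example (not code from the original post): carve Base64 runs from a
# payload and decode them to recover download links and anti-analysis strings.
# Handles ASCII runs and the UTF-16LE encoding .NET uses for string literals.
# SAMPLE_PAYLOAD is constructed; adfjkadf.xyz is the domain named in the post.
import base64
import re

ASCII_B64 = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
UTF16_B64 = re.compile(rb"(?:[A-Za-z0-9+/]\x00){16,}(?:=\x00){0,2}")
URL_RE = re.compile(r"^[a-z]+://", re.I)
# Markers of VM/sandbox/tool checks (assumption: a starter list, extend as needed).
ANTI_ANALYSIS = ("vmware", "vbox", "virtualbox", "sandbox", "qemu", "wireshark", "fiddler", "procmon")


def _decode(token: bytes):
    token += b"=" * (-len(token) % 4)            # tolerate stripped padding
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:                            # binascii.Error is a ValueError
        return None
    return text if len(text) >= 4 and text.isprintable() else None


def carve_base64(data: bytes) -> list:
    """Return [(offset, decoded text)] for every Base64 run that decodes to printable text."""
    found = []
    for m in ASCII_B64.finditer(data):
        text = _decode(m.group(0))
        if text:
            found.append((m.start(), text))
    for m in UTF16_B64.finditer(data):
        text = _decode(m.group(0)[::2])           # drop the interleaved NULs
        if text:
            found.append((m.start(), text))
    return sorted(found)


def defang(url: str) -> str:
    return url.replace("http", "hxxp").replace(".", "[.]")


def extract_iocs(data: bytes) -> dict:
    """Bucket decoded strings into download URLs, anti-analysis markers, and the rest."""
    out = {"urls": [], "anti_analysis": [], "other": []}
    for _, text in carve_base64(data):
        if URL_RE.match(text):
            out["urls"].append(defang(text))
        elif any(k in text.lower() for k in ANTI_ANALYSIS):
            out["anti_analysis"].append(text)
        else:
            out["other"].append(text)
    return out


def _b64(s: str) -> bytes:
    return base64.b64encode(s.encode())


# Constructed sample: PE-like junk with three encoded strings buried in it,
# two as ASCII Base64 and one as UTF-16LE Base64 (the .NET string-heap form).
SAMPLE_PAYLOAD = (
    b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode.\x00"
    + _b64("https://adfjkadf.xyz/crssld.exe") + b"\x00\x00"
    + _b64("Screenshot + message sent") + b"\x00"
    + _b64("VMware|VirtualBox|Sandboxie").decode().encode("utf-16le") + b"\x00\x00"
)

if __name__ == "__main__":
    for bucket, items in extract_iocs(SAMPLE_PAYLOAD).items():
        print(bucket, items)
```

Expect some noise on a real binary: any 16-plus run of alphabet characters whose length is a multiple of four will be tried, and the printable-text filter drops most but not all of the accidental hits, so treat the "other" bucket as a lead list rather than a verdict.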
| File | SHA-256 | 
|---|---|
| MS Teams | 74f927e8c6c219fecd5eb79f4b1d5caae2bf388d77ef16fd03cc10ec3dfbc3e1 | 
| We Chat | 3b04644dda56b1769808361bdad1e15698f943eb295de973078cdf5f30f0b06d | 
| Surf AI | 1f4a1bb9140d5dcf02685ad6fc8fc962179bd2299ad2359b6acac1e64e1015b3 | 
| Zoom | b19e74ec80936640323f905c67bc8cd567a09cdbedc4881b77a8d29cd69b4096 | 
| crssld2 | b8ed64dd4fe592654827248f9773be37a7606c8d384cb35ab4f244735d24f346 | 
| crssgeo | 445ab893d942b290276457f866335399ce4819f918ed52209eab019ee5dd1d7c | 
| crssgeo1 | bcdf2844b61ba1b9d422fa6185338adb4802759850bde6ba631dd6c4f865eed3 | 
| crssgeo2 | b6dad8ed041b99f7753f4b856a648906665c410d0a84f586183a351dd96f4862 | 