SystemShock Loader: A look at Malware Dropped by Fake Electron Apps

TL;DR
SystemShock is a malicious DLL loaded by Electron apps masquerading as production tools. The DLL performs anti-analysis and anti-VM checks and then attempts to download or run additional code. It also sends out data, most likely stolen information and screenshots. More about the specific Electron apps found can be read in Malware Analysis: Fake Google Meet Application.

Background: 

Earlier in the week I ran across some fake video conferencing applications. These gave the user the impression that they were installers for tools such as MS Teams, Google Meet, and Zoom; however, none of them were signed by their respective organizations.

A review of the applications showed a complex and layered approach to hide a DLL that performs anti-analysis and anti-VM checks. The DLL also acts as a downloader for additional malware, AMSI bypass tools, and even appears to send out some recon data in the form of system information and screenshots.

A full deep-dive into this can be found in my writeup Fake Google Meet Application.

This post serves a couple of purposes to complement my previous post. First, I am officially giving this loader the name SystemShock. Second, I want to share detection opportunities. Lastly, I want to walk through the steps to analyze a version of this DLL that encrypts its resource file.

Analyzing encrypted SystemShock Loader

The sample with an encrypted resource file can be found on Malware Bazaar and the extracted resource file can be found on VirusTotal. As with the other sample I covered in the previous blog post, this DLL is obfuscated using Smart Assembly. You don't need to deobfuscate this sample (for example with de4dot) to find the AES key/IV used for decryption or to spot the likely compression layer.

Here is an observed string of interest: [Obsolete("Use `RawZipAndAes`.")].

While looking through the DLL in DnSpy I came across a couple of notable locations that help with understanding and decoding the resource file. The resource file itself can easily be extracted by selecting it in the Resources folder in DnSpy and clicking Save.

Notice that the screenshot above shows array3 and array4 being passed into cryptoTransform. I believed these to be the AES key and IV used to decrypt the resource file.

Resource File Decrypted

I used "DefenderAI". Yes, this is a name I made up on the spot as a fun counterpart to "EvilAI", describing a cyber defender using AI to write tools for good. In practice, I just used ChatGPT to help me write a quick Python decoder to run against the resource file with the candidate AES key/IV. The Python script I used can be found on the SecurityMagic GitHub page.

Upon running the tool, it produced a final payload file similar to the resource file observed in my previous blog post. Once the Base64 strings were decoded, it contained several references to security tools, an AMSI bypass, taking and sending screenshots and system information, and a potential download.
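As an added example (not the decoder from the SecurityMagic GitHub page), here is a standard-library-only Python triage helper for the stages after AES decryption: it strips the compression layer, pulls out the Base64 strings and flags the ones this post lists. It assumes the AES-CBC step with the array3/array4 key and IV has already been done (for example with pycryptodome), and the sample resource it works on is constructed inline with a placeholder URL.

```python
import base64, io, re, zipfile, zlib

# Strings the post lists as decoded from the resource file. Several hits
# confirm that the guessed key/IV and compression layer were right.
INDICATORS = ["Detected Virtual Machine", "NtQueryInformationProcess",
              "x64dbg", "processhacker", "Add-MpPreference -ExclusionPath",
              "SecurityCenter2", "Screenshot", "/api/gates/", "/send_photo"]
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def unpack_payload(data: bytes) -> bytes:
    """Strip the compression layer found under the AES layer. The obsolete
    attribute 'Use RawZipAndAes' points at zip, so PKZIP is tried first;
    raw deflate is a fallback (an assumption), else bytes pass through."""
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return b"".join(zf.read(name) for name in zf.namelist())
    try:
        return zlib.decompress(data, wbits=-15)  # raw deflate, no header
    except zlib.error:
        return data

def decode_b64_strings(payload: bytes) -> list:
    """Decode every Base64-looking run that turns into printable text."""
    found = []
    for token in B64_TOKEN.findall(payload):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except ValueError:  # bad padding/alphabet, or binary once decoded
            continue
        if text.isprintable() and len(text) >= 4:
            found.append(text)
    return found

def flag_indicators(strings) -> list:
    """Return the known SystemShock strings present in the decoded set."""
    hits = {i for s in strings for i in INDICATORS if i.lower() in s.lower()}
    return sorted(hits)

def build_sample_resource() -> bytes:
    """Constructed stand-in for a decrypted resource: a zip whose payload
    carries three Base64 strings (placeholder URL, not a real sample)."""
    parts = [b"Detected Debugger via NtQueryInformationProcess",
             b"Add-MpPreference -ExclusionPath",
             b"hxxp://example.invalid/send_photo"]
    plain = b";".join(base64.b64encode(p) for p in parts)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.bin", plain)
    return buf.getvalue()
```

Checking for the PK header right after decryption is a quick way to tell whether a candidate key/IV pair was correct before spending time on the strings.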

Some of the decoded strings of interest from the resource file:

Detected Virtual Machine/
Detected Debugger via NtQueryInformationProcess
wireshark
mtmproxy
sniffer
x64dbg
x32dbg
ollydbg
idaq
processhacker
processexplorer
devenv
dbgclr
windbg
dbgview
fiddler
Add-MpPreference -ExclusionPath
powershell.exe
runas
SecurityCenter2 SELECT FROM AntiVirusProduct
microsoft remote display adapter
run_count.txt
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
caption Screenshot + message sent
http://ip-api[.]com/json/
http://api.ipify[.]org
hxxps://gmail.koomartin[.]com/api/gates/8SM8_NLmsAVyRnTiluV2RNlwCmsmIbHTLXtopL1L_fo/direct
hxxps://google.flicxd2[.]com/api/gates/8SM8_NLmsAVyRnTiluV2RNlwCmsmIbHTLXtopL1L_fo/direct
hxxp://193.233.113[.]14:5000/send_photo

Potential YARA rule to detect SystemShock Loader
