Suspicious Code Alert: Recipe App Hijacks Credentials and Appears to Establish C&C Connection

Over the last 2 weeks, we have observed a spike in what appears to be malvertising. Customers have noted downloading a file after clicking on a sidebar ad in a news article, which then led to command and control and browser credential stealing behaviors. The advertisement and website (VirusTotal) claims to help find recipes to count calories for various food items. That said, over 80% of customers we’ve observed responding to this same event are related to the healthcare industry. 

Additional Details

Observations note that upon downloading the file “Recipe Lister,” the file unzips and drops another larger executable file “Recipe Finder - Recipe Lister,” followed by additional DLLs. We’ve observed consistent file paths for this output as:

C:\Users\<user>\AppData\Local\Temp\<7-char>.tmp\7z-out
C:\Users\<user>\AppData\Local\Temp\2w1rXpxZnwDUwuTeNvdD6FUkeI0

This then leads to repeated network connections to suspicious or negatively reputed IP addresses (VirusTotal and VirusTotal). We’ve also noticed file creation time changes occurring, which seems consistent with timestomping behavior (T1070). Customer feedback has noted command and control traffic, followed by the stealing of browser credentials has occurred when engaging in their responses to this event. The software also appears to be utilizing NSIS plugins and appear to be related to DLL side-loading techniques (T1574 | VirusTotal Hash)

And, finally we observe it reaching out to varying domains across the events (which are listed below). These appear odd/suspicious, and have some malicious IP reputations that are associated. These domains are also more newly registered

• https://www.virustotal.com/gui/domain/sappointedmanah.org
• https://www.virustotal.com/gui/domain/manahegazeda.org/detection
• https://www.virustotal.com/gui/domain/ahegazedatthewond.org/detection

Recommendations

Overall, this software seems highly suspicious at the least. The events observed and customer feedback appear consistent with a malicious advertising campaign (T1583). Additional sandbox reports like Any.Run’s report or Joe’s Sandbox report indicate suspicious and malicious conclusions, which appear consistent with our current observations and analysis.

We recommend blocking the following Hashes/IPs/Domains as able to do so:

www[.]recipelister[.]com
https[:]//ahegazedatthewond[.]org
https[:]//manahegazeda[.]org
https[:]//sappointedmanah[.]org
"Recipe Lister": 1619BCAD3785BE31AC2FDEE0AB91392D08D9392032246E42673C3CB8964D4CB7
"Recipe Finder - Recipe Lister": 9C58AACA8DDE7198240F7684B545575E4833D725D67F37E674E333EEB3EC642C
224[.]0[.]0[.]251
172[.]67[.]150[.]5
104[.]21[.]57[.]122