Latest Stories

Stay up-to-date with everything at Approach

Blog article

Kekw goes bananas

Publication date

08.06.2023

A new malware strain emerges, rebranded and evolving—discover how cybercriminals are leveraging GitHub and crypto to fuel their operations!
Approach Cyber Editor

A new warrior has entered the ring

Last week, I released my blog « Kekw keeps evolving » detailing how the Kekw malware was being spread via trojanized tools on GitHub where a malicious PyPi package is downloaded and executed to steal all kinds of information from the user running the tool.

While working on that blog, I noticed on 28 May that another GitHub account (Sammy3003) uploaded several new repositories that were identical to the ones analysed previously.

The account was created on 13 March 2021 with no activity until January 2023, when two non-malicious repositories were created. One contained several, but identical, template files for a resume, the other repository contains the account’s GitHub config file.

With no additional activity until end of May, this GitHub account likely got compromised and is now being used for malicious purposes.

The threat actor uploads 5 repositories:

-Tron-Sweeper

-Twitter-Follow-Bot

-Telegram-Mass-DM

-Bitcoin-Wallet-Finder

-Discord-Mass-DM

Except for « Tron-Sweeper », the other repositories were also present in the GitHub accounts analysed in my previous blog.

The command to download additional malicious code is hidden by moving it out of sight, at least when the text is not wrapped.

-The green rectangle shows only legitimate imports (keep this in mind for later)

-The red rectangle shows the entire horizontal scroll bar

-The blue rectangle shows that the scroll box is very small compared to the scroll bar

What could be the reason for the scroll box being so small?

Going through the code, there is nothing that could explain this behaviour such as a very long base64 encoded command or code encrypted with Fernet as seen in my previous blog.

Switching to « raw » code mode, no endless scrolling is needed as the malicious code that downloads a second stage becomes visible immediately.

Compare the code that’s in the green rectangle from the screenshot above, with the code that’s shown when in raw mode.

That was pretty easy! It looks like the Python script downloads and executes a script which is retrieved from hxxps://bananasquad[.]ru/paste.

Analysing the website with VirusTotal on 28 May, we get a clean sheet.

On Friday 2 June, the URL is already marked by seven vendors as malicious.

Looking up some information about the domain, we find that bananasquad[.]ru was registered only weeks ago. To be precise, two weeks before the repositories were uploaded on the GitHub account of Sammy3003.

Let’s compare the whois records of kekwltd[.]ru and bananasquad[.]ru.

The domain kekwltd[.]ru was used in the malware samples analysed in the previous blog and explains how the malware received its name.

The new domain bananasquad[.]ru is used in this malware sample, and inspired the title of this blog.

Whois record for kekwltd.ru
Whois record for bananasquad.ru

Both domains are registered by a « Private Person », both using Cloudflare as nameserver, and they’re both registered at the same registrar. R01-RU is the first accredited registrar in the national domain RU, according to their own website and they claim to be one of the leaders in .RU, .SU, and .РФ domains.

Let’s see who you really are

Using urlscan.io, it’s possible to retrieve the script from the bananasquad URL. On first glance, it looks really familiar to what we’ve seen before in the « Kekw keeps evolving » blog. If you haven’t read that blog, give it a read to make sure you know what it’s all about.

After looking at it a bit more in-depth, we can see that the code mostly matches with the latest version of the PyPi package syssqlitedbpackageV1. However, the last 16 lines of the code from syssqlitedbpackageV1 is not present anymore.

Left side: syssqlitedbpackageV1

Right side: bananasquad[.]ru/paste

The Fernet encrypted command also makes a return in this new version. Due to the length of the command, it was omitted from the code comparison above.

Let’s look at what we can find when we decrypt the Fernet command.

Again, the script we get after decrypting is mostly the same. Only containing changes to reflect the new domain as well as new crypto addresses for the crypto replace functionality.

Changes to the code for the new domain and removal of other kekw references in the code:

Changes to the crypto addresses used to replace any copied crypto addresses by the victim:

The threat actor is even too lazy to change the version number:

The account Sammy3003 gets deleted by GitHub within 72 hours after upload of the malicious repositories.

Follow the money

When analysing the crypto addresses for money flowing in or out, there’s only a couple of transactions for the Bitcoin and the Ethereum addresses. Date last checked; 2 June 2023.

No transactions on Monero, Cardano or Dash.

Bitcoin (bc1qlxay4saq3tjv79yqc6devlty6jfgjnalgmhu2a)

-0.8058667 BTC is received on 17 May

-0.02486524 is sent on 17 May

-0.02491276BTC is sent on 17 May

-0.03009624BTC is sent on 17 May

-0.00071243BTC is sent on 29 May

The transaction on 29 May sticks out, even though it’s the smallest amount. When following that transaction, after several hops, the money is send to the Bitcoin address 37jAAWEdJ9D9mXybRobcveioxSkt7Lkwog. Through OSINT, we can identify that this wallet belongs to the crypto exchange ChangeNow.io.

Ethereum (0x69b2bba5dc9d0f68ce0ae98395f72cefad7e543a)

-1.23ETH is received on 20 May

-1.23ETH is sent on 29 May

Again, we see an outgoing transaction on 29 May. Let’s track the transaction to the wallet it’s sent to (0x69b2bba5dc9d0f68ce0ae98395f72cefad7e543a). 5 minutes after the money has been transferred, it again gets sent to another wallet. This time it goes to 0x077d360f11d220e4d5d831430c81c26c9be7c4a4. This wallet contains a lot of money and has made many transactions in its lifetime. Using OSINT, we can again link this wallet to the same crypto exchange (ChangeNow.io) as with the Bitcoin money flow.

It looks like the threat actor is using this exchange to gather any stolen currency.

Conclusion

As this GitHub account and rebranded malware was very short-lived and lesser in quantity when it comes to GitHub accounts and repositories, the stolen amount of crypto currency is also way less compared to the Kekw variant.

Based on the analysis made in this blog, I suspect this to be the same threat actor and not a different threat actor using the same malware bought from a Malware-as-a-Service vendor.

Subscribe to our SOC Newsletter

OTHER STORIES

The Malware Masquerade: The Art of Initial Access & Evasion Techniques

Cybercriminals keep evolving—uncover the latest malware delivery tricks, evasion tactics, and real-world attack chains to stay ahead in cyber security.

Navigating the Challenges of DNS Over HTTPS (DoH) in Enterprise Security

DNS over HTTPS (DoH) boosts privacy but opens new security risks—learn how cybercriminals exploit it and how enterprises can stay protected.

Dive into the Terrapin Attack – Know Your SSH Vulnerabilities and Defend Like a Pro!

SSH security is at risk with the Terrapin attack—learn how it exploits vulnerabilities, weakens encryption, and what steps you need to take to stay protected.

Contact us to learn more about our services and solutions

Our team will help you start your journey towards cyber serenity

Do you prefer to send us an email?

info@approach-cyber.com

Facebook-f Linkedin-in Youtube

Our certifications & labels

Facebook-f Linkedin-in Youtube