| 1 | +--- |
| 2 | +title: "GachiLoader pt. 3 - Smart Contract C2" |
| 3 | +date: 2026-03-01T10:25:16+11:00 |
| 4 | +tags: ['reverse_engineering', 'DFIR', 'threat_hunting'] |
| 5 | +draft: false |
| 6 | +--- |
| 7 | + |
| 8 | +## Intro |
| 9 | + |
| 10 | +Today we're looking at an entirely different Rhadamanthys sample to pt1 and pt2 but with similarities. The payload is still an infostealer, however some different techniques have been applied. This isn't going to be a complete teardown, just some notable differences primarily in the way the malware retrieves the C2. The methods for acquiring the final injected payload executable were mostly identical to the previous sample, leaning on CheckPoint's tracer.js[^1] and some custom scripts. |
| 11 | + |
| 12 | +## Malware Chain |
| 13 | + |
| 14 | +Our new sample loosely has the following chain: |
| 15 | + |
| 16 | +```text |
| 17 | +=============================================================================== |
| 18 | +
|
| 19 | + GitHub repo (FPS Booster for all games) |
| 20 | + | |
| 21 | + +-> "Download official release" button |
| 22 | + | |
| 23 | + +-> .zip download (HTML smuggled via linked site) |
| 24 | + | |
| 25 | + +-> Unzip -> Latest_Software.v4.0.0.exe (69MB) |
| 26 | + | |
| 27 | + +-> Node SEA JavaScript payload |
| 28 | + | |
| 29 | + +-> Final executable injected via "Vectored Overloading" |
| 30 | + | |
| 31 | + +-> C2 retrieved from Polygon blockchain smart contract |
| 32 | +
|
| 33 | +=============================================================================== |
| 34 | +``` |
| 35 | + |
| 36 | +The sample was downloaded from the following Github repo: |
| 37 | + |
| 38 | + |
| 39 | + |
| 40 | +Looking at the contents of the repo (emojis, layout) and inspecting some of the URL location placeholders (yourusername) show that this was most likely LLM generated content: |
| 41 | + |
| 42 | + |
| 43 | + |
| 44 | +The actual release had no malware within it, however clicking the 'Download Official Release' button led us to the malware download URL of fullsofts[.]org: |
| 45 | + |
| 46 | + |
| 47 | + |
| 48 | + |
| 49 | + |
| 50 | + |
| 51 | +## What's Different? |
| 52 | + |
| 53 | +A few things that changed from the previous sample: |
| 54 | +- Github lure and HTML smuggling rather than MediaFire download |
| 55 | +- Control flow flattening |
| 56 | +- Node SEA embedded rather than BYO node and JS file |
| 57 | +- C2 retrieval via Blockchain (Polygon, compatible with Ethereum) |
| 58 | + |
| 59 | +Control flow flattening in Ida: |
| 60 | + |
| 61 | + |
| 62 | + |
| 63 | +Extracting the Node SEA content (JavaScript payload): |
| 64 | + |
| 65 | + |
| 66 | + |
| 67 | +## C2 Retrieval |
| 68 | + |
| 69 | +The previous sample retrieved a hex value from two telegra[.]ph pages and decrypted them to resolve the C2, whereas this sample retrieves the C2 address from a smart contract. You could forgive me for thinking this C2 retrieval technique could be labelled "EtherHiding"; I think this is very similar, but instead of retrieving a stored malicious payload, it's retrieving the C2 address. |
| 70 | + |
| 71 | +The malware will send a read-only `eth_call` to one of six Polygon RPC endpoints via JSON-RPC: |
| 72 | + |
| 73 | +```text |
| 74 | + poly.api.pocket.network |
| 75 | + polygon.drpc.org |
| 76 | + polygon-public.nodies.app |
| 77 | + 1rpc.io/matic |
| 78 | + polygon-bor-rpc.publicnode.com |
| 79 | + polygon-rpc.com |
| 80 | +``` |
| 81 | + |
| 82 | +That specific request looks like this: |
| 83 | + |
| 84 | +```json |
| 85 | + POST / HTTP/1.1 |
| 86 | + Content-Type: application/json |
| 87 | + |
| 88 | + { |
| 89 | + "jsonrpc": "2.0", |
| 90 | + "method": "eth_call", |
| 91 | + "params": [{"to": "0xb97b1A017feAf337bB70241F1571720f1eaEa5d1"}, "latest"], |
| 92 | + "id": 1 |
| 93 | + } |
| 94 | +``` |
| 95 | + |
| 96 | +The response is then extracted, hex decoded, and decrypted. We can achieve this using the following values: |
| 97 | + |
| 98 | +```text |
| 99 | + Algorithm : AES-256-CBC |
| 100 | + Key : 86dc073a1cbda36f85f45b1bd4ff247e2159790bc7a3568cc5dec23cdfbba1cd |
| 101 | + IV : 0x00 * 16 |
| 102 | + Ciphertext: 2fa31ce0f685cdddc2c80a238f75a0bac54867fa27cab73da3d4ed1c06da0993 |
| 103 | + 077840b3e8f075f1d5569480351535b3 |
| 104 | +``` |
| 105 | + |
| 106 | + |
| 107 | + |
| 108 | +Once decrypted, we get the following C2: |
| 109 | + |
| 110 | +```text |
| 111 | + deceptqower.onfinality[.]pro:443 |
| 112 | +``` |
| 113 | + |
| 114 | +Manually decrypting the encrypted strings within the binary gives us the C2 URI and also shows a bunch of well-known Rhadamanthys strings that show this to be an infostealer: |
| 115 | + |
| 116 | +```text |
| 117 | +POST /adb8a56294dadf33644cb54a090cb9f6/folgk.bvqd |
| 118 | +``` |
| 119 | + |
| 120 | + |
| 121 | + |
| 122 | +The blockchain is purely a resilient dead drop for the C2 address. All actual data movement goes through traditional HTTPS to the resolved C2. Note that this domain currently has no active DNS at time of writing, however the TA can rotate the C2 infrastructure for this sample effectively instantly by updating the smart contract. |
| 123 | + |
| 124 | +## Why this technique? |
| 125 | + |
| 126 | +This C2 retrieval technique is functionally very similar to Group-IB research on Deadlock ransomware[^2], however the stolen data is sent to the C2. |
| 127 | + |
| 128 | +Why is this method effective? I think it is put best here by Global Security Mag[^3]: |
| 129 | + |
| 130 | +> By using the blockchain in this way, the attackers gain two key advantages: their infrastructure becomes virtually impossible to take down due to the blockchain’s immutable nature, and the decentralized architecture makes it extremely difficult to block these communications. |
| 131 | +
|
| 132 | +## Indicators |
| 133 | + |
| 134 | +```text |
| 135 | +Git_Latest_Software.v4.0.0.zip: e46f9f123d9dbecd82ac310d818fccdb0318e24810e9c76b4b4de8339880e0e3 |
| 136 | +Latest_Software.v4.0.0.exe: 7f1917b261182a2eefe53083a4cd39b696cdc319928e00afbe36b4320fb20189 |
| 137 | +Download URL: fullsofts[.]org |
| 138 | +C2 Domain: deceptqower.onfinality[.]pro |
| 139 | +C2 URL: hxxps[:]//deceptqower.onfinality[.]pro/adb8a56294dadf33644cb54a090cb9f6/folgk.bvqd |
| 140 | +Final payload (extracted): 2ac0499e2691f9ddba7cee22cf6e528bcfad622489a137b4b29acb5fd9fdcf1f |
| 141 | +``` |
| 142 | + |
| 143 | +## References |
| 144 | + |
| 145 | +[^1]: https://research.checkpoint.com/2025/gachiloader-node-js-malware-with-api-tracing/ |
| 146 | + |
| 147 | +[^2]: https://www.group-ib.com/blog/deadlock-ransomware-polygon-smart-contracts/ |
| 148 | + |
| 149 | +[^3]: https://www.globalsecuritymag.fr/supply-chain-attack-using-ethereum-smart-contracts-to-distribute-multi-platform.html |
| 150 | + |
| 151 | + |
| 152 | +RG |
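Review bot: The `eth_call` request at file lines 89-93 passes only `{"to": "0xb97b..."}` and `"latest"` with no `data` member, so as written it carries no function selector and would hit the contract's fallback rather than a named getter; either include the `data` the sample actually sends (a placeholder is fine) or state in the sentence at line 82 that the contract returns the ciphertext with an empty calldata, otherwise the lookup is not reproducible from the post. Relatedly, line 96 says the response is "extracted, hex decoded, and decrypted", but the `result` of an `eth_call` is raw return data (ABI-encoded offset and length words when the contract returns a Solidity `bytes`/`string`), so one sentence on how the ciphertext at lines 102-103 is carved out of that would help. The ciphertext is 96 hex characters, i.e. 48 bytes or three AES blocks, while the de-fanged C2 at line 111 (`deceptqower.onfinality.pro:443`) is 30 characters and fits in two blocks; say what the remaining bytes are (padding scheme, trailing fields) so readers can confirm their decrypt matches. Minor: the Deadlock comparison at line 126 ("however the stolen data is sent to the C2") reads as an incomplete contrast; spell out what differs from the Deadlock case. The blank slots after lines 36, 40, 44, 59, 63, 105 and 119 look like image embeds that were lost in the diff view; worth checking they render on the site.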