Investigating A Tech Support Scam – Part 3: What Did These Scammers Try And Do?

In part one of this investigation I dealt with the initial threat. In part two I looked at who the scammers doing business as People Connect Inc. are and showed that they are scammers. Now I will show you what these scammers were up to, though that took some effort.

First of all, I had grabbed a ZIP file that was encrypted, and I needed to break into it. So I reached out to a friend of mine who is a white hat hacker (in other words, a hacker who hacks to help people rather than hurt them) to help with this. We used a program called John The Ripper on a custom computer with a series of Nvidia graphics cards to add computing power to the CPU to help crack this ZIP file. It took several hours, but I had it cracked. When I got to look at the files, this is what I saw:

[Screenshot: the contents of the cracked ZIP file]

Here’s what these files do. First, there were four batch files:

  • The first one is called execlock.bat. It takes away Internet access to dozens of websites using a supplied application called hosts.exe, a Russian-designed application that modifies a file on your computer called “hosts”, which controls how your computer looks up the addresses of websites. By doing this, it can make you think that you have a serious problem, but not one bad enough to outright kill your Internet access (which would disconnect the scammers, of course, and keep them from “fixing” things).
  • The second one is called execunlock.bat, and it restores the Internet access that was removed by the previous batch file.
  • The third one is called lock.bat. It runs a file from the collection called elevate.exe and then runs the execlock.bat batch file that I mentioned earlier. This elevate.exe application allows one to bypass any security that might be present on the PC.
  • The fourth one is called unlock.bat. It runs the same elevate.exe file and then runs the execunlock.bat batch file that I mentioned earlier. Again, elevate.exe allows one to bypass any security that might be present on the PC.
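As an added example (not code from the post or from the tools it describes), here is a small Python script that checks a Windows-style hosts file for the kind of tampering execlock.bat performs: hostnames redirected to loopback or 0.0.0.0 so that those sites stop loading. It lists the suspicious overrides and produces a cleaned copy; the sample hosts content is constructed for the demonstration.

```python
import ipaddress

# Names a stock hosts file may legitimately map to a loopback address.
BUILTIN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop inline comments, then tokenize
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries

def is_blackhole(ip):
    """True if a hostname mapped to this address can no longer reach the real site."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True                               # a malformed address also breaks resolution
    return addr.is_loopback or addr.is_unspecified

def find_suspicious_overrides(text):
    """Hostnames (other than the built-ins) that have been redirected to a blackhole address."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if name not in BUILTIN_NAMES and is_blackhole(ip)]

def clean_hosts(text):
    """Rewrite the hosts text with the suspicious overrides removed; everything else is kept verbatim."""
    bad = set(find_suspicious_overrides(text))
    kept = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and any((parts[0], n.lower()) in bad for n in parts[1:]):
            names = [n for n in parts[1:] if (parts[0], n.lower()) not in bad]
            if names:                             # keep legitimate names, drop only the overrides
                kept.append(" ".join([parts[0]] + names))
        else:
            kept.append(raw)
    return "\n".join(kept) + "\n"

# Constructed sample: a stock-looking hosts file plus blocking entries like the ones described above.
SAMPLE_HOSTS = (
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "# constructed tampering: popular sites pointed at addresses that go nowhere\n"
    "0.0.0.0         www.google.com\n"
    "127.0.0.1       www.microsoft.com support.microsoft.com  # both blackholed\n"
    "192.168.1.10    intranet.example\n"
)
```

Running `find_suspicious_overrides(SAMPLE_HOSTS)` flags the three redirected Microsoft and Google names while leaving the private intranet mapping alone, and `clean_hosts` returns the file with only those lines removed.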

Now, I believe that the purpose of these batch files is to create a “problem” for the scammers to fix so that they can take your money. But they didn’t stop there. The real threat is three other files that were present.

  • The first threat is a file that I found called air.exe. It appears to be a remote control application which would allow someone in another location to control a PC. It appears to be based on this application: http://www.aeroadmin.com/en/
  • Next on the list are two pieces of software called Nautilus Blue.exe and Nautilus Green.exe, which appear to be another remote control application called Show My PC, based on this: https://showmypc.com

Here’s the catch: these apps run an installer that appears to install other software. That of course isn’t good, as it implies that they would create a problem that would be persistent.

One note: I figured out what this stuff was doing using a piece of software called Process Monitor, so that I could log everything that these pieces of software do at a very low level, be it network access, reading or writing to the hard drive, or whatever else these pieces of software decided to do. On top of that, I used a Windows 10 virtual machine via Parallels Desktop to do my testing so that I could take a snapshot of the environment before running this stuff and go back to that snapshot over and over again during my testing. Plus, I would not have to risk a real PC being infected with something at the end of my testing.

I have reason to believe that if they had gotten a chance to run these files (which they didn’t, because I pulled the plug on these guys), the scammers could have remote controlled a PC at will. Plus, nothing from a malware or antivirus perspective will detect this stuff, as it is based on commercially available applications, which makes this stuff very dangerous. That makes the scammers very dangerous. Thus I will be submitting all of this to antivirus vendors in the hopes that they will come up with countermeasures against this stuff so that these scammers cannot use these tools to do their evil deeds.

In the final part of this investigation, I will give you my tips in terms of avoiding a scam like this.

UPDATE: On top of submitting the files that I found to a variety of antivirus vendors, I have reached out to AeroAdmin and ShowMyPC as well to inform them that their software is being used in this scam and might have been modified. I will update you if I hear from them.

UPDATE #2: ShowMyPC has been very helpful in terms of unwrapping the files named Nautilus Blue.exe and Nautilus Green.exe. Here’s what they said:

Of the 2 files you sent, one of them, the green one, seems like a renamed/perhaps re-bundled or modified file of our free version.

Our free version has an interface that has to be launched, explicitly press a button to start, next a warning dialog to accept settings, before a user could use it. It is very restrictive in time and usage and unlike many other programs has no inbuilt functionality to start remotely.

Our exe does not install anything but does extract files while in use.
Just delete the main exe and any temporary files if they exist. You can read about uninstalling and any temp files at this link.
http://showmypc.com/faq/uninstall-showmypc.html

Although it’s hard to say how the program was modified, if it was used on your customer’s PC, we may be able to help you track the remote IP of the users if they made any connection, and we can block those users from using this.

Any session using our program can be easily reported here.
https://showmypc.com/faq/warning.html

Thanks for bringing this to our notice, and we continue to keep a watch on any abuse report.

I’d like to thank ShowMyPC for their help with this. Now over to AeroAdmin. I am working with them as well, and I will update you when I have more info.


3 Responses to “Investigating A Tech Support Scam – Part 3: What Did These Scammers Try And Do?”

  1. Wow, great job stopping those scammers! That could have been a dangerous situation.

    • Thanks. The investigation is still ongoing as I am still trying to figure out if the remote control apps were modified (it appears that they were) and what they were trying to install under the covers (At this point I think it might be a VPN but I am not sure at this point).

  2. […] threat. In part two I tracked down the scammers and I unwrapped what these scammers were up to in part three. Now I will tell you how to avoid a scam like […]
