On June 30, 2016, Cyphort Labs discovered an infection via malvertising on the website trendystyleshop.com. According to Domain Tools, the site was registered in February 2016 under namecheap.com. What draw our interest to this infection is that it installs TeamViewer, a popular remote application tool which is widely used in enterprises. It makes sense for cyber criminals to use it because it is a good way to masquerade backdoor access as it blends with other users using the same app. You probably recall that a month ago a major hack of TeamViewer accounts was reported on various news outlets.
Infection Chain
The affected ad network is “nanoadexchange.com”. It advertises a game from “uphillrush.pro” but the ad is injected with an iframe that redirects to “aga111.pro” then redirects to “jnqedq.lswswc.xyz” which is hosting a Flash exploit kit.
After successful exploitation, it downloads an Andromeda bot from the same domain. The binary arrives encrypted over the network.
The bot is installed in the %APPDATA% folder and filename starting with ms*.exe. Example:
- %APPDATA%\msqgoj.exe
As a persistence method, it will spawn a new process of “msiexec.exe” and inject its code. However, it will not install itself if the following processes are found as part of its Anti-Sandbox and Anti-Analysis trick:
- avpui.exe
- filemon.exe
- netmon.exe
- perl.exe
- prl_cc.exe
- prl_tools.exe
- prl_tools_service.exe
- procmon.exe
- python.exe
- regmon.exe
- sandboxiedcomlaunch.exe
- sandboxierpcss.exe
- sharedintapp.exe
- vboxservice.exe
- vboxtray.exe
- vmsrvc.exe
- vmtoolsd.exe
- vmusrvc.exe
- vmwareservice.exe
- vmwareuser.exe
- wireshark.exe
However, it ignores the process blacklisting check when the following registry key is present:
- HKLM \ SOFTWARE\Policies\is_not_vm
Andromeda has been around since 2011. It is a modular type of malware with the following known types:
- Keylogger
- Browser Form Grabber
- Hidden TeamViewer
- Rootkit
For this infection, we have seen it installing additional modules from vbbb.ru including Browser Form Grabber and Hidden TeamViewer.
The above image shows the communication to the CnC server. Bmla.ru is encrypted via RC4 where the key is hardcoded in the malware body. Download domain is at vbbb.ru but both are with the same IP address, 93.170.187.47.
As part of its routine, Andromeda gets the current time via NTP (Network Time Protocol) domains. It connects to the following NTP domains:
- pool.ntp.org
- africa.pool.ntp.org
- oceania.pool.ntp.org
- asia.pool.ntp.org
- south-america.pool.ntp.org
- north-america.pool.ntp.org
- europe.pool.ntp.org
Is Andromeda On the Rise Again?
Using the IP of the CnC 93.170.187.47, we gathered some domains resolved from it. We found that it is actively using the .ru TLD with 4 random letters as domain and usually having the last 3 letters the same. It also shows that this pattern has been active since April 10, 2016.
| IP | Domain | Date Resolution | Country |
| 93.170.187.47 | fghd.ru | 2016-07-04 | Czech Republic |
| fghf.ru | 2016-07-04 | ||
| vbbb.ru | 2016-06-27 | ||
| bmlc.ru | 2016-06-24 | ||
| bmla.ru | 2016-06-23 | ||
| zvvv.ru | 2016-06-21 | ||
| unnn.ru | 2016-06-20 | ||
| 5.8.63.35 | zvvv.ru | 2016-06-18 | Russia |
| vbbb.ru | 2016-06-02 | ||
| acpf.ru | 2016-06-03 | ||
| unnn.ru | 2016-06-01 | ||
| aqqq.ru | 2016-06-01 | ||
| zggg.ru | 2016-05-31 | ||
| 95.213.192.70 | dqqq.ru | 2016-05-18 | Russia |
| aqqq.ru | 2016-05-18 | ||
| cqqq.ru | 2016-05-18 | ||
| zggg.ru | 2016-04-10 | ||
| zhhh.ru | 2016-04-10 | ||
| zkkk.ru | 2016-04-10 | ||
| znnn.ru | 2016-04-10 | ||
| zvvv.ru | 2016-04-10 | ||
Source: virustotal.com
We also discovered that one of the IPs used by Andromeda is actively used by Cerber ransomware, a ransomware infection used to encrypt that . For instance, znnn.ru was registered with the following IP addresses sometime in May 2016.
| IP | Cerber CnC | Date |
| 31.184.233.109 | cerberhhyed5frqa.amdeu5.win | 2016-05-31 |
| cerberhhyed5frqa.maqwe5.win | 2016-05-26 | |
| cerberhhyed5frqa.nerti5.win | 2016-05-29 | |
| cerberhhyed5frqa.tewoaq.win | 2016-05-26 | |
| 176.103.56.12 | cerberhhyed5frqa.ti4wic.win | 2016-05-23 |
| cerberhhyed5frqa.workju.win | 2016-05-26 | |
| cerberhhyed5frqa.red4is.win | 2016-05-24 |
It is unclear to us how the installation of TeamViewer is being exploited at this time by the actors behind this campaign, but it clearly is a major compromise that opens the door to a lot of possibilities. Cyphort Labs will continue to monitor and report any new developments.
IOCs
| Md5 | Path | Description |
| e9f3c513861a70b568d61f80b719e0ca | %appdata%\ms*.exe | Andromeda Bot |
| 45959b3d2bde20435a9aeed861046506 | %TEMP%\msiexec.exe | Team Viewer Module |
| 36effd0f31f11de9cc01a358d37036c4 | %TEMP%\KB*.exe |
| IP Address |
| 93.170.187.47 |
| 5.8.63.35 |
| 95.213.192.70 |
| 31.184.233.109 |
| 176.103.56.12 |
The post Infected Site Installs TeamViewer appeared first on Cyphort.