In our recent blog, we talked about the delivery of Buhtrap by using compromised website and a recent web exploit. On this blog, we will focus on the second stage payload and the state of Buhtrap operation.
The Buhtrap downloader employs checks before it will infect a system. First, the system must have banking processes or banking software running, mostly Russian. Or the system must have an indication that it is visiting any Russian banks defined on its list.
If the system meets any of the 2 requirements above, it will download and execute the next stage malicious payload, otherwise, it will download a benign sample.
Technical Analysis of Second Stage Payload
The 2nd stage payload is an NSIS compiled sample as seen on previous Buhtrap samples. This is one way Buhtrap is trying to evade AV detection by disguising as an installer. NSIS is an open source software widely used in installers. Recently, we are seeing a trend where ransomware are adapting this method as the case with Locky and Cerber.
The sample is also digitally signed with a valid digital certificate and also contains file properties and versions.
Installation
Inside the NSIS package is a 7zip password protected archive. This is where all its components are stored. With this, a command line 7zip tool is also included in the package to unzip the component files. The password is hardcoded on the NSIS script and the password is different from other Buhtrap samples we have seen. For this sample, the password is “p2DP9ENv5bK”. It also modifies the timestamp of the file using a custom file utility FileTouch.exe which is basically similar to the touch utility in Linux
Below are snippets of the NSIS script that we extracted:
We executed the file on our box but we found that it did not do anything. Inspecting the NSIS script reveals that it is checking if the system language is Russian via GetSystemDefaultLangID.
We hooked this API and forced the malware to think we are in a Russian system.
After-which, the following commands and processes were monitored:
attrib -h -s -r “C:\Users\Administrator\AppData\Roaming\Microsoft\Zerno”
7za.exe x -p2DP9ENv5bK install.dat dev2055.tmp -aoa
7za.exe x -p2DP9ENv5bK dev2055.tmp -aoa -o8992023.tmp
7za.exe x -p2DP9ENv5bK install.dat FileTouch.exe -aoa
C:\Users\Administrator\AppData\Roaming\Microsoft\Zerno\zerno.exe
As shown above, the malware components are extracted into “%AppData%\Microsoft\Zerno”. Then zerno.exe was executed. The Zerno folder has the following files:
From these files, only the files zerno.exe and msvcr71.dll are malicious. The other files are benign files which are part of Notepad++ software. This is an attempt to obscure its malicious behavior as it tries to pretend to be a legitimate Notepad++ installer.
For persistence, it creates a shortcut link in the start-up folder that will launch zerno.exe at every startup.
What Does this Malware Do?
The main executable is zerno.exe and interestingly its only job is to launch the msvcr71.dll library which performs all the malicious behavior.
Msvcr71.dll
This is where all the malicious routines are compiled. This is a trojan-spyware which has the following functions:
- Keylogger
- Get System Info
- Read Smart Card Info
- Downloader
Keylogger
The keylogger thread creates an invisible window procedure and retrieves and handles the messages. It logs this information into “uninstall.log” located in %temp% folder.
The following snapshot illustrates how it implemented the keylogger routine.
Smart Card Reader
One of its interesting payloads is to read smart card information. It lists available smart card readers and their status by using “WinSCard.dll” APIs:
It does not actually read what is in the smart card only determine their status. It logs all these information in “uninstall.log”
Downloader
It is also capable of downloading additional malware from its CnC server. Another interesting feature of this malware is that it is capable of diskless loading by checking on the response from the server. The first 2 bytes are checked, If the downloaded file starts with ‘MZ’ (0x5A4D), it writes the file into %temp% folder and executes it. If the response starts with “LD” (0x444c), it will only load the malware into the memory.
Diskless Loading
CnC server
It communicates with its CnC server “quotedb.info” via HTTP Post. All communication we observed is encrypted.
State of Buhtrap Operation
As stated in our previous blog, the IP of rozhlas.site is 50.7.86.243. We looked into the domain history of this IP and found some interesting information about the current state of Buhtrap.
|
Domain |
Last Resolved |
|
getadobe.org |
5/10/2016 |
|
chromelabs.org |
5/13/2016 |
|
adobelabs.org |
5/14/2016 |
|
canvaslabs.org |
5/22/2016 |
|
57569b378f3fb.archive.getadobe.org |
6/7/2016 |
|
chrome.services |
7/2/2016 |
|
get.adobelabs.org |
7/2/2016 |
|
safechrome.services |
7/11/2016 |
|
www.safechrome.services |
7/28/2016 |
|
cdn.lidovky.site |
8/9/2016 |
|
rozhlas.site |
8/17/2016 |
|
getcanvas.org |
9/14/2016 |
|
medioca-room02.org |
9/28/2016 |
From the history of the domains, it appears they have used this IP from May to September, 2016. But it’s very possible that they are still using the same IP for their operation. If we look into the details of each domain, we can find presence of multiple samples, although with different behavior, but appears related to Buhtrap operation. For instance, 5 samples that were downloaded from getadobe.org differ in behavior from the sample we described in this blog. Those samples are detected by Kaspersky as “Trojan.Win32.Karamanak”, which is also their detection for the sample in this blog.
As seen on the domains, they are also using domain names related to Chrome, Adobe or popular graphics software as a way to stay low.
Chromelabs.org
Using this domain the actors started using CVE-2016-0189 as their method of infection. In fact, they used the same binary exploits found in the github repository of offensive security. The following are the files downloaded in this domain:
- http://chromelabs.org/data/shell32/51d2a95ddc.dll
- http://chromelabs.org/a3b4x62.exe
- http://chromelabs.org/blog/dsfsdhdh.vbs
- http://chromelabs.org/news/dsfsdhdh.exe
- http://chromelabs.org/track/automate.js
Adobelabs.org
A similar NSIS compiled payload was downloaded on this domain.
Also, the following files appearing as installers connects to this domain
|
Md5 |
Filename |
signer |
|
2530a11c4fa57fd3f9cdc30c8fd40878 |
Shockwave_setup.exe |
LLC LVIV IT! |
|
ead9344c8022e0479ebe272472d6197a |
chrome_update_win.exe |
Bit-Trejd |
|
fda920b3d72728f6a89672e07a900c70 |
chrome_update.exe |
LLC LVIV IT! |
|
e5f01322da2b6cda707a8135c7320b79 |
shockwave_setup_winax.exe |
Bit-Trejd |
Getcanvas.org
The samples we have seen from getcanvas.org are the same samples we found on rozhlas.site
Conclusion
It appears based on this research that the actors are using patterns in their attack and they are as follows:
- Using digitally signed malware
- Using NSIS and hiding their components in a password protected archive
- Using domains that are similar to popular softwares, eg. adobe, chrome
- Constantly changing their CnC domain but using the same IP
It is also evident that the actors are still very active. They are clever enough not to infect systems that are not their target which allows them to stay under the radar for as long as possible. These Tactics Techniques and Procedures are the hallmark of Advanced Persistent Threats groups.
Analysis by Dhruval Gandhi & Paul Kimayong.
The post Buhtrap Malware: What Every Bank’s Security Team Needs To Know appeared first on Cyphort.