On January 27, 2016 Cyphort Labs discovered a site infected with Angler EK leading to a fileless Gootkit (a.k.a. XswKit) malware. The site was redirecting visitors to the malware through a compromised OpenX Ad server injecting a malicious iframe into the page. The iframe leads to Angler EK which downloads Bedep ad-fraud which then downloads a Gootkit loader.
The loader injects a DLL component found in its body into explorer.exe. The injected DLL then downloads the fileless Gootkit, saves it in the registry as binary data, and loads it in memory only.
Infection Chain
The compromised site is a Romanian broadcasting company, www.tvr.ro. The chain starts from bannere.tvr.ro making an HTTP request to an OpenX Ad server, which injects an iframe into the webpage. It appears that the OpenX Ad server was infected, specifically the file /openx/www/delivery/ajs.php. In previous years, there have been reports of a vulnerability in OpenX software which allows an attacker remote code execution and code injection. We believe that this is likely the case here, but we are not sure whether this is a new vulnerability or an old one.

The iframe leads to Angler EK which makes use of a flash exploit, CVE-2015-5560. The flash exploit downloads Bedep ad-fraud malware which will download the Gootkit loader.

Gootkit Loader
This executable is saved in the %windir% folder with random numbers as the filename, e.g. 2144874235-50823412.exe. It is a packed executable where most of the packed data is in its .rsrc section. After unpacking, it unwraps a DLL component found in its .data section and injects it into the explorer.exe process.
The unpacking of the DLL uses a custom decryption algorithm. After unpacking, it searches for the explorer.exe process and injects the DLL. There are two ways it can inject into explorer.exe: either using CreateRemoteThread or modifying the process’s main thread using the ThreadContext APIs. Then it terminates itself.

Injected DLL
The injected DLL is the main malware routine. Its main purpose is to download additional malware from a set of domains and save the downloaded malware as binary data in the registry. It first checks its execution environment, which it also uses to initialize its variables. It also sets an environment variable "vendor_id" with the value "unstable_2380". The "unstable" value might mean this is an unstable version, which could mean it is still under development. It then creates five threads, each with a different task.

The first two threads are responsible for downloading the fileless malware, while the third and fourth threads are responsible for malware updates. The fifth thread is a "kill-self" mechanism which is triggered by the presence of uqjckeguhl.tmp in the %TEMP% folder.
First & Second Threads
The first thread is responsible for injecting code into the current process. It starts by waiting for an event triggered by the second thread. Once that event is triggered, it will inject the code downloaded by the second thread to the current process, which in this case is explorer.exe.

The second thread connects to the following domains via SSL:
- karlsadovnik75[dot]com
- karlsasyxushee75[dot]com
- karlsasyn725[dot]com
- karlsadroch27[dot]com
- karlsamochux2[dot]com
- karlsabrero22[dot]com
- karlsalomun9[dot]com
- karlsaranu82[dot]com
- karlsardabale9[dot]com
It uses HttpOpenRequest to make the request over SSL by setting dwFlags to 0x84800300, which includes INTERNET_FLAG_SECURE.

By using SSL, it adds a layer of protection for its network traffic. However, it appears that the certificates from these domains are not trusted. To bypass the failed validation, it uses InternetQueryOption and InternetSetOption to set INTERNET_OPTION_SECURITY_FLAGS so that invalid certificates are ignored.
The return value of InternetQueryOptionA is ORed with 0x7380, which sets the following flags. In effect, it ignores the untrusted certificates and ignores the redirect to https:
- SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTPS
- SECURITY_FLAG_IGNORE_CERT_CN_INVALID
- SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
- SECURITY_FLAG_IGNORE_WRONG_USAGE
- SECURITY_FLAG_IGNORE_UNKNOWN_CA
- SECURITY_FLAG_IGNORE_REVOCATION
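The two raw values quoted above (0x84800300 for dwFlags and 0x7380 for the security flags) can be checked against the wininet.h constants rather than taken on faith. The following Python is an added example, not Cyphort's code or anything from the sample: it decodes both words bit by bit and then runs the same decoder over a few constructed API-trace lines in a hypothetical sandbox log format (the trace lines, the process names and the PIDs are all made up here) to show how a detection rule would pick out a process that switches off certificate validation.

```python
import re

# INTERNET_FLAG_* bits as defined in wininet.h (the dwFlags argument of HttpOpenRequest).
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00008000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP",
    0x00004000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}

# SECURITY_FLAG_IGNORE_* bits (the value of INTERNET_OPTION_SECURITY_FLAGS), also from wininet.h.
SECURITY_FLAGS = {
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00004000: "SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00008000: "SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTP",
}

INTERNET_OPTION_SECURITY_FLAGS = 31  # dwOption value passed to InternetSetOption (wininet.h)

# Bits that make WinINet accept a certificate it would otherwise reject.
TRUST_BYPASS_BITS = 0x00000080 | 0x00000100 | 0x00001000 | 0x00002000


def decode_flags(value, table):
    """Split a flag word into the names of its set bits, highest bit first.
    Bits missing from the table are reported as UNKNOWN_0x... so nothing is silently dropped."""
    names = []
    remaining = value
    for bit in sorted(table, reverse=True):
        if remaining & bit:
            names.append(table[bit])
            remaining &= ~bit
    if remaining:
        names.append("UNKNOWN_0x%08X" % remaining)
    return names


def disables_cert_validation(security_flags):
    """True when the security-flags word turns off CA, name, date or revocation checking."""
    return bool(security_flags & TRUST_BYPASS_BITS)


# Constructed sandbox-style API trace lines (hypothetical format; not output of any real tool).
SAMPLE_TRACE = """\
explorer.exe 1234 HttpOpenRequestA(hConnect, "GET", "/rpersists2/7", NULL, NULL, NULL, 0x84800300, 0)
explorer.exe 1234 InternetQueryOptionA(hRequest, 31, &flags, &len)
explorer.exe 1234 InternetSetOptionA(hRequest, 31, 0x7380, 4)
notepad.exe 4321 InternetSetOptionA(hRequest, 31, 0x8000, 4)
"""

_SETOPT = re.compile(r"^(\S+) (\d+) InternetSetOption[AW]\(\w+, (\d+), 0x([0-9A-Fa-f]+), \d+\)")


def find_trust_bypass(trace):
    """Return (process, pid, decoded flags) for each InternetSetOption call that sets
    INTERNET_OPTION_SECURITY_FLAGS with certificate-bypass bits; other calls are ignored."""
    hits = []
    for line in trace.splitlines():
        m = _SETOPT.match(line)
        if not m:
            continue
        proc, pid, option, hexval = m.groups()
        value = int(hexval, 16)
        if int(option) == INTERNET_OPTION_SECURITY_FLAGS and disables_cert_validation(value):
            hits.append((proc, int(pid), decode_flags(value, SECURITY_FLAGS)))
    return hits


if __name__ == "__main__":
    print("dwFlags 0x84800300 =", decode_flags(0x84800300, INTERNET_FLAGS))
    print("security flags 0x7380 =", decode_flags(0x7380, SECURITY_FLAGS))
    for hit in find_trust_bypass(SAMPLE_TRACE):
        print("certificate validation disabled by", hit)
```

Running it confirms the list above exactly: 0x7380 decomposes into the six SECURITY_FLAG_IGNORE_* bits with no leftover, and 0x84800300 is INTERNET_FLAG_RELOAD, NO_CACHE_WRITE, SECURE, NO_UI and PRAGMA_NOCACHE. The notepad.exe line only sets IGNORE_REDIRECT_TO_HTTP, which does not weaken trust, so the rule leaves it alone; a sandbox or EDR hook on InternetSetOption can apply the same test to real call arguments.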
The downloaded data is saved into the registry as follows:
- HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_0
- HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_1
- HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_2
- HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_3
- HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_4
- HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_5
- HKEY_CURRENT_USER\Software\AppDataLow\binaryImage32_6

As shown, the saved data is encrypted and, as stored, does not form an executable file.
The second thread is also responsible for querying the data in the registry. It decrypts the data using a custom XOR routine and decompresses it using RtlDecompressBuffer.

It then sets an event which triggers the first thread to proceed with process injection.
Third and Fourth Thread
The fourth thread is responsible for downloading a file from the same domains listed above. The exact URL path is {Domain}/rpersists2/%d, where %d is a random number. It also expects the downloaded file to have an "MZ" header.

The third thread saves the downloaded file in the %Windir% folder using a random-number filename such as 2144874235-50823412.exe. It also creates a registry entry to ensure its execution after every reboot, such as:
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
- Data: C:\Windows\2144874235-50823412.exe
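The two registry artifacts described in this section, the encrypted binaryImage32_N blobs under HKCU\Software\AppDataLow and the modified Winlogon Shell value, are both things a responder can check for directly. The Python below is an added triage example written for this post, not code from Cyphort or from the sample. It assumes the binaryImage32_N entries are values under the AppDataLow key (if they are subkeys on a given host, the collector needs to enumerate one level deeper), treats any large, high-entropy value with that name prefix as a stored payload (encrypted and compressed data both read as near 8 bits of entropy per byte), and flags any Winlogon Shell other than the default explorer.exe. The thresholds and the sample snapshot are constructed for the example; the live collector only runs on Windows.

```python
import math
import sys

# Registry locations named in the analysis (HKCU hive).
APPDATALOW = r"HKEY_CURRENT_USER\Software\AppDataLow"
WINLOGON = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
PAYLOAD_PREFIX = "binaryImage32_"


def shannon_entropy(data):
    """Bits of entropy per byte: close to 8.0 for encrypted or compressed data, near 0 for padding."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_registry_payloads(snapshot, min_size=4096, min_entropy=7.0):
    """Flag binaryImage32_* values under AppDataLow that are large, high-entropy binary blobs.
    snapshot maps a key path to {value_name: data}; thresholds are chosen for this example."""
    findings = []
    for name, data in snapshot.get(APPDATALOW, {}).items():
        if not name.startswith(PAYLOAD_PREFIX) or not isinstance(data, bytes):
            continue
        entropy = shannon_entropy(data)
        if len(data) >= min_size and entropy >= min_entropy:
            findings.append((name, len(data), round(entropy, 2)))
    return findings


def find_shell_persistence(snapshot):
    """Return the Winlogon Shell value when it is anything other than the default explorer.exe."""
    shell = snapshot.get(WINLOGON, {}).get("Shell")
    if shell is None or shell.strip().lower() == "explorer.exe":
        return None
    return shell


def collect_snapshot():
    """Read the two keys above from the live registry (Windows only; returns {} elsewhere)."""
    if sys.platform != "win32":
        return {}
    import winreg
    snapshot = {}
    for path in (APPDATALOW, WINLOGON):
        subkey = path.split("\\", 1)[1]
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey)
        except OSError:
            continue
        values, index = {}, 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            values[name] = data
            index += 1
        snapshot[path] = values
    return snapshot


def build_sample_snapshot():
    """Constructed snapshot mirroring the artifacts in the analysis; not data from a real host."""
    import random
    rng = random.Random(2016)
    blob = bytes(rng.getrandbits(8) for _ in range(8192))  # stands in for an encrypted payload
    return {
        APPDATALOW: {
            PAYLOAD_PREFIX + "0": blob,
            PAYLOAD_PREFIX + "1": b"\x00" * 8192,  # zero-filled: low entropy, not flagged
            "SomeOtherValue": "text",
        },
        WINLOGON: {"Shell": r"C:\Windows\2144874235-50823412.exe"},
    }


if __name__ == "__main__":
    snap = collect_snapshot() if sys.platform == "win32" else build_sample_snapshot()
    for finding in find_registry_payloads(snap):
        print("high-entropy registry payload:", finding)
    shell = find_shell_persistence(snap)
    if shell:
        print("non-default Winlogon Shell:", shell)
```

Entropy alone is a coarse signal, so the name prefix and the AppDataLow location carry most of the weight here; the Winlogon Shell check is independent of Gootkit and worth keeping in any baseline, since that value is rarely legitimately changed on a workstation.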
File-less Gootkit
Gootkit malware was first discovered in 2014. It is a banking trojan which initially focused on French banks and later on expanded to European banks as reported last December by Proofpoint.
The version we were able to capture appears to be version 4 as seen in its code:

The file size is pretty large at 4.86MB. References to source code can also be seen in the sample such as:
- src_iedriver\CabFile.cc
- src_iedriver\CertGen.cc
- src_iedriver\node_xz.cpp
- src_iedriver\socket_watcher.cpp
- src_iedriver\SpywareJSWrappers.cc
- src_iedriver\sqlite\node_sqlite3.cc
- src_iedriver\Threading.cc
- src_iedriver\VideoRecorder.cc
- src_iedriver\VmDetection.cc
- src_iedriver\wincrypt.cc
- src_iedriver\WindowsRegistry.cc
- src_iedriver\ProtectedStorage.cc
This gives us an idea of the capabilities of this malware. For instance, SpywareJSWrappers is likely the spyware module. This module has APIs used for stealing information, such as SpAddPortRedirection, DownloadFileRight, SpHookHttp, SpTakeScreenshot, SpHookRecv, SpHookSend, SpInsertInjection, SpHookKeyboard, etc.
Summary
We have seen in this infection how attackers try to hide their infection through fileless malware and SSL traffic. They also utilized Angler EK as a means to deliver their payload, with its ability to detect AV engines and its encrypted binary download. In our recent blogs, we have shown how Angler uses Bedep to download additional malware such as POS malware. Bedep is known to be an ad-fraud malware with download capabilities. We did not see Bedep installed in the file system as is usually the case; in this instance it acted only as a downloader. In this infection, the goal is to install Gootkit, a very dangerous malware with backdoor and spyware capabilities, while achieving stealth through fileless infection and encrypted network traffic. The Gootkit loader is detected by Cyphort as TROJAN_WALDEC.DC.
Cyphort Labs will continue to monitor this threat and will provide additional details as needed.
As of this writing, the site is now clean from infection.
Hashes
136fe64689f3919e1ba46e384ca8bef7 – Gootkit Loader
Special thanks to Alex Burt, Abhijit Mohanta, Sandeep Mandhotra and rest of Cyphort Labs for the discovery and analysis of this infection.