Category Archives: Trojan

GPlayed Trojan – .Net playing with Google Market

This blog post is authored by Vitor Ventura.

Introduction

In a world where everything is always connected, and mobile devices are involved in individuals' day-to-day lives more and more often, malicious actors are seeing increased opportunities to attack these devices. Cisco Talos has identified the latest attempt to penetrate mobile devices — a new Android trojan that we have dubbed "GPlayed." This is a trojan with many built-in capabilities. At the same time, it's extremely flexible, making it a very effective tool for malicious actors. The sample we analyzed uses an icon very similar to Google Apps, with the label "Google Play Marketplace" to disguise itself.

The malicious application is on the left-hand side.



What makes this malware extremely powerful is the capability to adapt after it's deployed. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed. Our analysis indicates that this trojan is in its testing stage but given its potential, every mobile user should be aware of GPlayed. Mobile developers have recently begun eschewing traditional app stores and instead want to deliver their software directly through their own means. But GPlayed is an example of where this can go wrong, especially if a mobile user is not aware of how to distinguish a fake app versus a real one.

Trojan architecture and capabilities

This malware is written in .NET using the Xamarin environment for mobile applications. The main DLL is called "Reznov.DLL." This DLL contains one root class called "eClient," which is the core of the trojan. The imports reveal the use of a second DLL called "eCommon.dll." We determined that the "eCommon" file contains support code and structures that are platform independent. The main DLL also contains eClient subclasses that implement some of the native capabilities.

The package certificate is issued under the package name, which also resembles the name of the main DLL name.

Certificate information

The Android package is named "verReznov.Coampany." The application uses the label "Installer" and its name is "android.app.Application."

Package permissions

The trojan declares numerous permissions in the manifest, from which we should highlight the BIND_DEVICE_ADMIN, which provides nearly full control of the device to the trojan.

This trojan is highly evolved in its design. It has modular architecture implemented in the form of plugins, or it can receive new .NET source code, which will be compiled on the device in runtime.

Initialization of the compiler object

The plugins can be added in runtime, or they can be added as a package resource at packaging time. This means that the authors or the operators can add capabilities without the need to recompile and upgrade the trojan package on the device.

Trojan native capabilities

This is a full-fledged trojan with capabilities ranging from those of a banking trojan to a full spying trojan. This means that the malware can do anything from harvest the user's banking credentials, to monitoring the device's location. There are several indicators (see section "trojan activity" below) that it is in its last stages of development, but it has the potential to be a serious threat.

Trojan details

Upon boot, the trojan will start by populating a shared preferences file with the configuration it has on its internal structures. Afterward, it will start several timers to execute different tasks. The first timer will be fired on the configured interval (20 seconds in this case), pinging the command and control (C2) server. The response can either be a simple "OK," or can be a request to perform some action on the device. The second timer will run every five seconds and it will try to enable the WiFi if it's disabled. The third timer will fire every 10 seconds and will attempt to register the device into the C2 and register wake-up locks on the system to control the device's status.

During the trojan registration stage, the trojan exfiltrates private information such as the phone's model, IMEI, phone number and country. It will also report the version of Android that the phone is running and any additional capabilities.

Device registration

This is the last of the three main timers that are created. The trojan will register the SMS handler, which will forward the contents and the sender of all of the SMS messages on the phone to the C2.

The final step in the trojan's initialization is the escalation and maintenance of privileges in the device. This is done both by requesting admin privileges on the device and asking the user to allow the application to access the device's settings.

Privilege escalation requests

The screens asking for the user's approval won't close unless the user approves the privilege escalation. If the user closes the windows, they will appear again due to the timer configuration.

After the installation of the trojan, it will wait randomly between three and five minutes to activate one of the native capabilities — these are implemented on the eClient subclass called "GoogleCC." This class will open a WebView with a Google-themed page asking for payment in order to use the Google services. This will take the user through several steps until it collects all the necessary credit card information, which will be checked online and exfiltrated to the C2. During this process, an amount of money, configured by the malicious operator, is requested to the user.

Steps to request the user's credit card information

In our sample configuration, the request for the views above cannot be canceled or removed from the screen — behaving just like a screen lock that won't be disabled without providing credit card information.

All communication with the C2 is done over HTTP. It will use either a standard web request or it will write data into a web socket if the first method fails. The C2 can also use WebSocket as a backup communication channel.

Before sending any data to the C2 using the trojan attempts to disguise its data, the data is serialized using JSON, which is then encoded in Base64. However, the trojan replaces the '=' by 'AAAZZZXXX', the '+' by '|' and the '/' by '.' to disguise the Base64.

Request encoding process

The HTTP requests follow the format below, while on the WebSocket only the query data is written.

<server path>?q=<IMEI>-<REQUEST CODE>:<Obfuscated Base64 encoded data>

As is common with trojans, the communication is always initiated by the trojan on the device to the C2. The request codes are actually replies to the C2 action requests, which are actually called "responses." There are 27 response codes that the C2 can use to make requests to the trojan, which pretty much match what's listed in the capabilities section.
  • Error
  • Registration
  • Ok
  • Empty
  • SendSMS
  • RequestGoogleCC
  • Wipe
  • OpenBrowser
  • SendUSSD
  • RequestSMSList
  • RequestAppList
  • RequestLocation
  • ShowNotification
  • SetLockPassword
  • LockNow
  • MuteSound
  • LoadScript
  • LoadPlugin
  • ServerChange
  • StartApp
  • CallPhone
  • SetPingTimer
  • SMSBroadcast
  • RequestContacts
  • AddInject
  • RemoveInject
  • Evaluate
Another feature of this trojan is the ability to register injects, which are JavaScript snippets of code. These will be executed in a WebView object created by the trojan. This gives the operators the capability to trick the user into accessing any site while stealing the user's cookies or forging form fields, like account numbers or phone numbers.

Trojan activity

At the time of the writing of this post, all URLs (see IOC section) found on the sample were inactive, and it does not seem to be widespread. There are some indicators that this sample is just a test sample on its final stages of development. There are several strings and labels still mentioning 'test' or 'testcc' — even the URL used for the credit card data exfiltration is named "testcc.php."

Debug information on logcat

Another indicator is the amount of debugging information the trojan is still generating — a production-level trojan would keep its logging to a minimum.

The only sample was found on public repositories and almost seemed to indicate a test run to determine the detection ratio of the sample. We have observed this trojan being submitted to public antivirus testing platforms, once as a package and once for each DLL to determine the detection ratio. The sample analyzed was targeted at Russian-speaking users, as most of the user interaction pages are written in Russian. However, given the way the trojan is built, it is highly customizable, meaning that adapting it to a different language would be extremely easy. The wide range of capabilities doesn't limit this trojan to a specific malicious activity like a banking trojan or a ransomware. This makes it impossible to create a target profile.

Conclusion

This trojan shows a new path for threats to evolve. Having the ability to move code from desktops to mobile platforms with no effort, like the eCommon.DLL demonstrates that malicious actors can create hybrid threats faster and with fewer resources involved than ever before. This trojan's design and implementation is of an uncommonly high level, making it a dangerous threat. These kinds of threats will become more common, as more and more companies decide to publish their software directly to consumers.

There have been several recent examples of companies choosing to release their software directly to consumers, bypassing traditional storefronts. The average user might not have the necessary skills to distinguish legitimate sites from malicious ones. We've seen that this has been the case for many years with spear-phishing campaigns on desktop and mobile platforms, so, unfortunately, it doesn't seem that this will change any time soon. And this just means attackers will continue to be successful.

Coverage

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of compromise (IOC)


URLs
hxxp://5.9.33.226:5416
hxxp://172.110.10.171:85/testcc.php
hxxp://sub1.tdsworker.ru:5555/3ds/

Hash values
Package.apk - A342a16082ea53d101f556b50532651cd3e3fdc7d9e0be3aa136680ad9c6a69f
eCommon.dl - 604deb75eedf439766896f05799752de268baf437bf89a7185540627ab4a4bd1
Reznov.dll - 17b8665cdbbb94482ca970a754d11d6e29c46af6390a2d8e8193d8d6a527dec3

Custom activity prefix
com.cact.CAct

Astaroth Trojan Malware Returns to Infect South American Users

A new wave of Astaroth Trojan malware has resurfaced in South America, with more than 8,000 machines attacked in just one week.

According to the Cofense Phishing Defense Center, the Trojan used fake invoice emails with .lnk attachments that appeared to come from legitimate services under cam.br domains. It specifically targeted South American businesses — any attacks that detected an IP address outside of this geographic area were aborted.

If South American targets clicked on the provided link, Astaroth — the “Great Duke of Hell” in ancient lore — leveraged the Windows Management Instrumentation Console (WMIC) and its connected command-line interface to download nonlocal payloads with .xsl extensions.

Because the WMIC was run in noninteractive mode, users were typically unaware of the compromise. The malware then prevented users from opening any web browser except Internet Explorer, and when users navigated to Brazilian banks or businesses, it began recording keystrokes for data collection and account compromise.

How Does Astaroth Avoid Detection?

Astaroth first emerged in 2017, but Cofense noted that the revived campaign “has been well planned and supported, exclusively targeting South Americans.”

Despite its limited radius, however, the Trojan malware presents real concerns for organizations. To evade detection, the malware uses a randomly selected domain from a list of 154 in-code options. All the domains were hosted on Cloudflare, making it difficult to immediately identify them as malicious. This also made it hard for companies to effectively block Astaroth payloads due to the sheer number of legitimate domains associated with Cloudflare.

Furthermore, given the utility of the WMIC in managing Windows hosts, it remains a popular tool for corporate administrators — making it the ideal vehicle for Astaroth. It also makes it difficult for companies to avoid infection, since the WMIC is often a key part of day-to-day operations.

How to Protect Your Organization From Trojan Malware

To avoid Astaroth, IBM X-Force Exchange recommends implementing a separate verification process for email attachments. This could take the form of texts, phone calls or other secure communications. If users can easily verify that unexpected emails were not sent by legitimate vendors or clients, they can delete them instead of potentially exposing systems to risk.

Security professionals also suggest using continuous backup solutions coupled with regular account monitoring to limit the impact of data-stealing Trojan malware and prevent keyloggers from stealing password and login data.

Source: Cofense Phishing Defense Center

The post Astaroth Trojan Malware Returns to Infect South American Users appeared first on Security Intelligence.

QRecorder app in the Play Store was hiding a Banking Trojan that targets European banks

The QRecorder app in the Play Store impersonating a phone call and voice recording utility embedded a banking malware used to target European banks.

Security experts from ESET have discovered a malicious app in the official Google Play Store that impersonates a phone call and voice recording utility, it was hiding a banking malware used to target customers of European banks.

The malware, tracked as Razdel, is a variant of BankBot mobile banking Trojan.

According to the Czech Television, the malicious code targets apps from Raiffeisen Bank, as well as ČSOB and Česká Spořitelna.

Czech Police shared the identikit and pictures from ATM security camera of a money mule withdrawing money from one of the Prague ATM from affected victims accounts.

The malware was hidden in the QRecorder app and according to the ESET security researcher Lukas Stefanko, the banking Trojan was downloaded and installed by over 10,000.

QRecorder app malware

The malicious QRecorder app is able to intercept SMS two-factor authentication (2FA) messages and ask for permission to display overlays on top of legitimate bank apps to control what the user sees on his device.

To avoid raising suspicions, the malicious application correctly implements the audio recording features.

Stefanko discovered that the threat actor behind the operator sends commands to the app within 24 hours from installation, for example, it scans the device for specific banking apps.

Attacker leverages Google Firebase messages to communicate with compromised devices. If one of the targeted apps is installed on the device, before downloading payload it would request the user to activate Accessibility service and using this permission it would automatically download and execute the malicious payload.

Once the malicious payload is downloaded it sets triggers for legitimate banking apps. If one of the targeted apps is launched by the user, the malware displays overlay to steal credentials.

“Before downloading payload it would request user to activate Accessibility service and using this permission it would automatically download, install and open malicious payload.” wrote Stefanko.

“Once payload is downloaded it sets triggers for legitimate banking apps. If one of the targeted apps is launched it would create similar like looking activity that overlays official app demanding credentials.”

According to official statement of Czech police, QRecorder infected five victims in Czech Republic stealing a total of over 78,000 Euros from their accounts.

The analysis of the code revealed that the QRecorder malware is able to monitor a large number of banks, including Air Bank, Equa, ING, Bawag, Fio, Oberbank, and Bank Austria.

One of the most interesting aspects of this malware is that the threat actor created different payloads for each targeted bank.

QRecorder app was removed from the official Android store, below a video that shows how the app operates.

Pierluigi Paganini

(Security Affairs – QRecorder app, malware)

The post QRecorder app in the Play Store was hiding a Banking Trojan that targets European banks appeared first on Security Affairs.

Banking trojan found in call recorder app on Play Store – stole over €10,000

By Waqas

Android is one of the most vulnerable mobile operating systems with hackers developing new Android malware and banking trojan every 17 seconds. Then, there is Google and questionable security measures to protect users from sophisticated and persistent malware attacks. Recently, Lukas Stefanko, an IT security researcher at ESET has discovered a nasty piece of banking trojan targeting […]

This is a post from HackRead.com Read the original post: Banking trojan found in call recorder app on Play Store – stole over €10,000

OilRig Group Aims BONDUPDATER Trojan Malware at Middle Eastern Governments

The OilRig threat group launched an attack involving the BONDUPDATER Trojan malware against a high-ranking government office in the Middle East.

According to Palo Alto Networks’ Unit 42, the threat group sent a series of spear phishing emails with a blank subject line to government workers in the region last month. Anyone who opened the attachment risked activating the latest version of BONDUPDATER, which offers backdoor functionality that lets threat actors execute commands and download files on infected machines.

OilRig, which has been active for at least two years, had previously used the Trojan malware in similar attacks against Middle Eastern governments.

What’s New in This Version of BONDUPDATER?

BONDUPDATER was first spotted in November 2017 and is based on Microsoft’s PowerShell. In the most recent attack, however, researchers found that the spear phishing emails contained a Word document with a macro that installed the Trojan malware. The process involved creating a series of files on the victim’s system and then gaining persistence by dropping a script that scheduled a task to execute every minute.

This version of BONDUPDATER used TXT records to communicate with the command-and-control (C&C) server as well as the Domain Name System (DNS) A records, which it received by using a DNS tunneling protocol. This follows a pattern in which OilRig doesn’t always develop new tools, but simply saves development time by building on Trojan malware that’s already part of its arsenal.

Avoid Trojan Malware With UBA and IAM

In a recent podcast, IBM experts recommended layering on user behavior analytics (UBA) with identity and access management (IAM), which can make it easier to detect when employees exhibit potentially risky behaviors. This should be coupled with ongoing efforts to educate users about phishing schemes.

Source: Palo Alto Networks

The post OilRig Group Aims BONDUPDATER Trojan Malware at Middle Eastern Governments appeared first on Security Intelligence.

Freelancers Being Targeted With Malware Disguised as Job Offers

Hackers are using freelancing web applications such as the Fiverr and Freelancer to distribute malware disguised as job offers which

Freelancers Being Targeted With Malware Disguised as Job Offers on Latest Hacking News.

Researchers find new financial malware targeting banking customers in Brazil

Bad actors are targeting businesses in Brazil using clever social engineering tactics and camouflaged malware to bypass strong authentication and security controls and ultimately take over bank accounts.

Using a Trojan disguised as a legitimate banking module, the scammers seek login credentials to the victim’s banking account. IBM X-Force researchers dubbed the malware used in the scam “CamuBot” because it attempts to camouflage itself as a security module required by the banks impersonated by the attackers.

The operation begins with a scammer posing as a bank employee calling the victim to say they need to install a piece of software.

“To carry out their attacks, CamuBot operators begin with some basic reconnaissance to find businesses that bank with a certain financial institution. They then initiate a phone call to the person who would likely have the business’s bank account credentials,” according to a post on IBM’s security intelligence blog.

The attackers instruct the victim to browse to a URL to check whether the security module is up to date – which, conveniently, returns a negative answer. At this point, the unwary victim is told to install a “new security module” which actually hides a nasty Trojan horse. The malware is designed to dupe victims into thinking it is a legitimate piece of software from their bank – logo and all.

“Behind the scenes, CamuBot is fetched and executed on the victim’s device. […] After installation completes, a pop-up screen redirects the victim to a phishing site purporting to be their bank’s online banking portal. The victim is asked to log into his or her account, thereby unknowingly sending the credentials to the attacker.”

If the credentials are enough to take over the victim’s account, the attacker hangs up. According to IBM’s researchers, CamuBot operators can even bypass two-factor and biometric authentication by obtaining remote access to the victim’s devices and intercepting one-time passwords.

With full access to the victim’s account, the attackers will attempt a fraudulent transaction, tunneling it through the victim’s IP address to make the session appear legitimate to the bank.

HOTforSecurity: Researchers find new financial malware targeting banking customers in Brazil

Bad actors are targeting businesses in Brazil using clever social engineering tactics and camouflaged malware to bypass strong authentication and security controls and ultimately take over bank accounts.

Using a Trojan disguised as a legitimate banking module, the scammers seek login credentials to the victim’s banking account. IBM X-Force researchers dubbed the malware used in the scam “CamuBot” because it attempts to camouflage itself as a security module required by the banks impersonated by the attackers.

The operation begins with a scammer posing as a bank employee calling the victim to say they need to install a piece of software.

“To carry out their attacks, CamuBot operators begin with some basic reconnaissance to find businesses that bank with a certain financial institution. They then initiate a phone call to the person who would likely have the business’s bank account credentials,” according to a post on IBM’s security intelligence blog.

The attackers instruct the victim to browse to a URL to check whether the security module is up to date – which, conveniently, returns a negative answer. At this point, the unwary victim is told to install a “new security module” which actually hides a nasty Trojan horse. The malware is designed to dupe victims into thinking it is a legitimate piece of software from their bank – logo and all.

“Behind the scenes, CamuBot is fetched and executed on the victim’s device. […] After installation completes, a pop-up screen redirects the victim to a phishing site purporting to be their bank’s online banking portal. The victim is asked to log into his or her account, thereby unknowingly sending the credentials to the attacker.”

If the credentials are enough to take over the victim’s account, the attacker hangs up. According to IBM’s researchers, CamuBot operators can even bypass two-factor and biometric authentication by obtaining remote access to the victim’s devices and intercepting one-time passwords.

With full access to the victim’s account, the attackers will attempt a fraudulent transaction, tunneling it through the victim’s IP address to make the session appear legitimate to the bank.



HOTforSecurity

Linux & Windows hit with disk wiper, ransomware & cryptomining Xbash malware

By Waqas

Xbash is an “all in one” malware. Palo Alto Networks’ Unit 42 researchers have come to the conclusion that the notorious Xbash malware that has been attacking Linux and Windows servers is being operated by the Iron Group which is an infamous hacker collective previously involved in a number of cyber crimes involving the use […]

This is a post from HackRead.com Read the original post: Linux & Windows hit with disk wiper, ransomware & cryptomining Xbash malware

New trends in the world of IoT threats

Cybercriminals’ interest in IoT devices continues to grow: in H1 2018 we picked up three times as many malware samples attacking smart devices as in the whole of 2017. And in 2017 there were ten times more than in 2016. That doesn’t bode well for the years ahead.

We decided to study what attack vectors are deployed by cybercriminals to infect smart devices, what malware is loaded into the system, and what it means for device owners and victims of freshly armed botnets.

Number of malware samples for IoT devices in Kaspersky Lab’s collection, 2016-2018. (download)

One of the most popular attack and infection vectors against devices remains cracking Telnet passwords. In Q2 2018, there were three times as many such attacks against our honeypots than all other types combined.

service % of attacks
Telnet 75.40%
SSH 11.59%
other 13.01%

When it came to downloading malware onto IoT devices, cybercriminals’ preferred option was one of the Mirai family (20.9%).

# downloaded malware % of attacks
1 Backdoor.Linux.Mirai.c 15.97%
2 Trojan-Downloader.Linux.Hajime.a 5.89%
3 Trojan-Downloader.Linux.NyaDrop.b 3.34%
4 Backdoor.Linux.Mirai.b 2.72%
5 Backdoor.Linux.Mirai.ba 1.94%
6 Trojan-Downloader.Shell.Agent.p 0.38%
7 Trojan-Downloader.Shell.Agent.as 0.27%
8 Backdoor.Linux.Mirai.n 0.27%
9 Backdoor.Linux.Gafgyt.ba 0.24%
10 Backdoor.Linux.Gafgyt.af 0.20%

Top 10 malware downloaded onto infected IoT device following a successful Telnet password crack

And here are the Top 10 countries from which our traps were hit by Telnet password attacks:

Geographical distribution of the number of infected devices, Q2 2018. (download)

As we see, in Q2 2018 the leader by number of unique IP addresses from which Telnet password attacks originated was Brazil (23%). Second place went to China (17%). Russia in our list took 4th place (7%). Overall for the period January 1 – July 2018, our Telnet honeypot registered more than 12 million attacks from 86,560 unique IP addresses, and malware was downloaded from 27,693 unique IP addresses.

Since some smart device owners change the default Telnet password to one that is more complex, and many gadgets don’t support this protocol at all, cybercriminals are constantly on the lookout for new ways of infection. This is stimulated by the high competition between virus writers, which has led to password bruteforce attacks becoming less effective: in the event of a successful crack, the device password is changed and access to Telnet is blocked.

An example of the use of “alternative technology” is the Reaper botnet, whose assets at end-2017 numbered about 2 million IoT devices. Instead of bruteforcing Telnet passwords, this botnet exploited known software vulnerabilities:

Advantages of this distribution method over password cracking:

  • Infection occurs much faster
  • It is much harder to patch a software vulnerability than change a password or disable/block the service

Although this method is more difficult to implement, it found favor with many virus writers, and it wasn’t long before new Trojans exploiting known vulnerabilities in smart device software started appearing.

New attacks, old malware

To see which vulnerabilities are targeted by malware, we analyzed data on attempts to connect to various ports on our traps. This is the picture that emerged for Q2 2018:

Service Port % of attacks Attack vector Malware families
Telnet 23, 2323 82.26% Bruteforce Mirai, Gafgyt
SSH 22 11.51% Bruteforce Mirai, Gafgyt
Samba 445 2.78% EternalBlue, EternalRed, CVE-2018-7445
tr-069 7547 0.77% RCE in TR-069 implementation Mirai, Hajime
HTTP 80 0.76% Attempts to exploit vulnerabilities in a web server or crack an admin console password
winbox (RouterOS) 8291 0.71% Used for RouterOS (MikroTik) authentication and WinBox-based attacks Hajime
Mikrotik http 8080 0.23% RCE in MikroTik RouterOS < 6.38.5 Chimay-Red Hajime
MSSQL 1433 0.21% Execution of arbitrary code for certain versions (2000, 2005, 2008); changing administrator password; data theft
GoAhead httpd 81 0.16% RCE in GoAhead IP cameras Persirai, Gafgyt
Mikrotik http 8081 0.15% Chimay-Red Hajime
Etherium JSON-RPC 8545 0.15% Authorization bypass (CVE-2017-12113)
RDP 3389 0.12% Bruteforce
XionMai uc-httpd 8000 0.09% Buffer overflow (CVE-2018-10088) in XionMai uc-httpd 1.0.0 (some Chinese-made devices) Satori
MySQL 3306 0.08% Execution of arbitrary code for certain versions (2000, 2005, 2008); changing administrator password; data theft

The vast majority of attacks still come from Telnet and SSH password bruteforcing. The third most common are attacks against the SMB service, which provides remote access to files. We haven’t seen IoT malware attacking this service yet. However, some versions of it contain serious known vulnerabilities such as EternalBlue (Windows) and EternalRed (Linux), which were used, for instance, to distribute the infamous Trojan ransomware WannaCry and the Monero cryptocurrency miner EternalMiner.

Here’s the breakdown of infected IoT devices that attacked our honeypots in Q2 2018:

Device % of infected devices
MikroTik 37.23%
TP-Link 9.07%
SonicWall 3.74%
AV tech 3.17%
Vigor 3.15%
Ubiquiti 2.80%
D-Link 2.49%
Cisco 1.40%
AirTies 1.25%
Cyberoam 1.13%
HikVision 1.11%
ZTE 0.88%
Miele 0.68%
Unknown DVR 31.91%

As can be seen, MikroTik devices running under RouterOS are way out in front. The reason appears to be the Chimay-Red vulnerability. What’s interesting is that our honeypot attackers included 33 Miele dishwashers (0.68% of the total number of attacks). Most likely they were infected through the known (since March 2017) CVE-2017-7240 vulnerability in PST10 WebServer, which is used in their firmware.

Port 7547

Attacks against remote device management (TR-069 specification) on port 7547 are highly common. According to Shodan, there are more than 40 million devices in the world with this port open. And that’s despite the vulnerability recently causing the infection of a million Deutsche Telekom routers, not to mention helping to spread the Mirai and Hajime malware families.

Another type of attack exploits the Chimay-Red vulnerability in MikroTik routers running under RouterOS versions below 6.38.4. In March 2018, it played an active part in distributing Hajime.

IP cameras

IP cameras are also on the cybercriminal radar. In March 2017, several major vulnerabilities were detected in the software of GoAhead devices, and a month after information about it was published, there appeared new versions of the Gafgyt and Persirai Trojans exploiting these vulnerabilities. Just one week after these malicious programs were actively distributed, the number of infected devices climbed to 57,000.

On June 8, 2018, a proof-of-concept was published for the CVE-2018-10088 vulnerability in the XionMai uc-httpd web server, used in some Chinese-made smart devices (for example, KKMoon DVRs). The next day, the number of logged attempts to locate devices using this web server more than tripled. The culprit for this spike in activity was the Satori Trojan, known for previously attacking GPON routers.

New malware and threats to end users

DDoS attacks

As before, the primary purpose of IoT malware deployment is to perpetrate DDoS attacks. Infected smart devices become part of a botnet that attacks a specific address on command, depriving the host of the ability to correctly handle requests from real users. Such attacks are still deployed by Trojans from the Mirai family and its clones, in particular, Hajime.

This is perhaps the least harmful scenario for the end user. The worst (and very unlikely) thing that can happen to the owner of the infected device is being blocked by their ISP. And the device can often by “cured” with a simple reboot.

Cryptocurrency mining

Another type of payload is linked to cryptocurrencies. For instance, IoT malware can install a miner on an infected device. But given the low processing power of smart devices, the feasibility of such attacks remains in doubt, even despite their potentially large number.

A more devious and doable method of getting a couple of cryptocoins was invented by the creators of the Satori Trojan. Here, the victim IoT device acts as a kind of key that opens access to a high-performance PC:

  • At the first stage, the attackers try to infect as many routers as possible using known vulnerabilities, in particular:
    • CVE-2014-8361 – RCE in the miniigd SOAP service in Realtek SDK
    • CVE 2017-17215 – RCE in the firmware of Huawei HG532 routers
    • CVE-2018-10561, CVE-2018-10562 – authorization bypass and execution of arbitrary commands on Dasan GPON routers
    • CVE-2018-10088 – buffer overflow in XiongMai uc-httpd 1.0.0 used in the firmware of some routers and other smart devices made by some Chinese manufacturers
  • Using compromised routers and the CVE-2018-1000049 vulnerability in the Claymore Etherium miner remote management tool, they substitute the wallet address for their own.

Data theft

The VPNFilter Trojan, detected in May 2018, pursues other goals, above all intercepting infected device traffic, extracting important data from it (user names, passwords, etc.), and sending it to the cybercriminals’ server. Here are the main features of VPNFilter:

  • Modular architecture. The malware creators can fit it out with new functions on the fly. For instance, in early June 2018 a new module was detected able to inject javascript code into intercepted web pages.
  • Reboot resistant. The Trojan writes itself to the standard Linux crontab job scheduler, and can also modify the configuration settings in the non-volatile memory (NVRAM) of the device.
  • Uses TOR for communication with C&C.
  • Able to self-destruct and disable the device. On receiving the command, the Trojan deletes itself, overwrites the critical part of the firmware with garbage data, and then reboots the device.

The Trojan’s distribution method is still unknown: its code contains no self-propagation mechanisms. However, we are inclined to believe that it exploits known vulnerabilities in device software for infection purposes.

The very first VPNFilter report spoke of around 500,000 infected devices. Since then, even more have appeared, and the list of manufacturers of vulnerable gadgets has expanded considerably. As of mid-June, it included the following brands:

  • ASUS
  • D-Link
  • Huawei
  • Linksys
  • MikroTik
  • Netgear
  • QNAP
  • TP-Link
  • Ubiquiti
  • Upvel
  • ZTE

The situation is made worse by the fact that these manufacturers’ devices are used not only in corporate networks, but often as home routers.

Conclusion

Smart devices are on the rise, with some forecasts suggesting that by 2020 their number will exceed the world’s population several times over. Yet manufacturers still don’t prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions, and the updating process itself can be complex for the average user. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage Internet traffic, others shoot video footage, still others control domestic devices (for example, air conditioning).

Malware for smart devices is increasing not only in quantity, but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to steal personal data and mine cryptocurrencies, on top of traditional DDoS attacks.

Here are some simple tips to help minimize the risk of smart device infection:

  • Don’t give access to the device from an external network unless absolutely necessary
  • Periodic rebooting will help get rid of malware already installed (although in most cases the risk of reinfection will remain)
  • Regularly check for new firmware versions and update the device
  • Use complex passwords at least 8 characters long, including upper and lower-case letters, numerals, and special characters
  • Change the factory passwords at initial setup (even if the device does not prompt you to do so)
  • Close/block unused ports, if there is such an option. For example, if you don’t connect to the router via Telnet (port TCP:23), it’s a good idea to disable it so as to close off a potential loophole to intruders.

Securelist – Kaspersky Lab’s cyberthreat research and reports: New trends in the world of IoT threats

Cybercriminals’ interest in IoT devices continues to grow: in H1 2018 we picked up three times as many malware samples attacking smart devices as in the whole of 2017. And in 2017 there were ten times more than in 2016. That doesn’t bode well for the years ahead.

We decided to study what attack vectors are deployed by cybercriminals to infect smart devices, what malware is loaded into the system, and what it means for device owners and victims of freshly armed botnets.

&&

Number of malware samples for IoT devices in Kaspersky Lab’s collection, 2016-2018. (download)

One of the most popular attack and infection vectors against devices remains cracking Telnet passwords. In Q2 2018, there were three times as many such attacks against our honeypots than all other types combined.

service % of attacks
Telnet 75.40%
SSH 11.59%
other 13.01%

When it came to downloading malware onto IoT devices, cybercriminals’ preferred option was one of the Mirai family (20.9%).

# downloaded malware % of attacks
1 Backdoor.Linux.Mirai.c 15.97%
2 Trojan-Downloader.Linux.Hajime.a 5.89%
3 Trojan-Downloader.Linux.NyaDrop.b 3.34%
4 Backdoor.Linux.Mirai.b 2.72%
5 Backdoor.Linux.Mirai.ba 1.94%
6 Trojan-Downloader.Shell.Agent.p 0.38%
7 Trojan-Downloader.Shell.Agent.as 0.27%
8 Backdoor.Linux.Mirai.n 0.27%
9 Backdoor.Linux.Gafgyt.ba 0.24%
10 Backdoor.Linux.Gafgyt.af 0.20%

Top 10 malware downloaded onto infected IoT device following a successful Telnet password crack

And here are the Top 10 countries from which our traps were hit by Telnet password attacks:

&&

Geographical distribution of the number of infected devices, Q2 2018. (download)

As we see, in Q2 2018 the leader by number of unique IP addresses from which Telnet password attacks originated was Brazil (23%). Second place went to China (17%). Russia in our list took 4th place (7%). Overall for the period January 1 – July 2018, our Telnet honeypot registered more than 12 million attacks from 86,560 unique IP addresses, and malware was downloaded from 27,693 unique IP addresses.

Since some smart device owners change the default Telnet password to one that is more complex, and many gadgets don’t support this protocol at all, cybercriminals are constantly on the lookout for new ways of infection. This is stimulated by the high competition between virus writers, which has led to password bruteforce attacks becoming less effective: in the event of a successful crack, the device password is changed and access to Telnet is blocked.

An example of the use of “alternative technology” is the Reaper botnet, whose assets at end-2017 numbered about 2 million IoT devices. Instead of bruteforcing Telnet passwords, this botnet exploited known software vulnerabilities:

Advantages of this distribution method over password cracking:

  • Infection occurs much faster
  • It is much harder to patch a software vulnerability than change a password or disable/block the service

Although this method is more difficult to implement, it found favor with many virus writers, and it wasn’t long before new Trojans exploiting known vulnerabilities in smart device software started appearing.

New attacks, old malware

To see which vulnerabilities are targeted by malware, we analyzed data on attempts to connect to various ports on our traps. This is the picture that emerged for Q2 2018:

Service Port % of attacks Attack vector Malware families
Telnet 23, 2323 82.26% Bruteforce Mirai, Gafgyt
SSH 22 11.51% Bruteforce Mirai, Gafgyt
Samba 445 2.78% EternalBlue, EternalRed, CVE-2018-7445
tr-069 7547 0.77% RCE in TR-069 implementation Mirai, Hajime
HTTP 80 0.76% Attempts to exploit vulnerabilities in a web server or crack an admin console password
winbox (RouterOS) 8291 0.71% Used for RouterOS (MikroTik) authentication and WinBox-based attacks Hajime
Mikrotik http 8080 0.23% RCE in MikroTik RouterOS < 6.38.5 Chimay-Red Hajime
MSSQL 1433 0.21% Execution of arbitrary code for certain versions (2000, 2005, 2008); changing administrator password; data theft
GoAhead httpd 81 0.16% RCE in GoAhead IP cameras Persirai, Gafgyt
Mikrotik http 8081 0.15% Chimay-Red Hajime
Etherium JSON-RPC 8545 0.15% Authorization bypass (CVE-2017-12113)
RDP 3389 0.12% Bruteforce
XionMai uc-httpd 8000 0.09% Buffer overflow (CVE-2018-10088) in XionMai uc-httpd 1.0.0 (some Chinese-made devices) Satori
MySQL 3306 0.08% Execution of arbitrary code for certain versions (2000, 2005, 2008); changing administrator password; data theft

The vast majority of attacks still come from Telnet and SSH password bruteforcing. The third most common are attacks against the SMB service, which provides remote access to files. We haven’t seen IoT malware attacking this service yet. However, some versions of it contain serious known vulnerabilities such as EternalBlue (Windows) and EternalRed (Linux), which were used, for instance, to distribute the infamous Trojan ransomware WannaCry and the Monero cryptocurrency miner EternalMiner.

Here’s the breakdown of infected IoT devices that attacked our honeypots in Q2 2018:

Device % of infected devices
MikroTik 37.23%
TP-Link 9.07%
SonicWall 3.74%
AV tech 3.17%
Vigor 3.15%
Ubiquiti 2.80%
D-Link 2.49%
Cisco 1.40%
AirTies 1.25%
Cyberoam 1.13%
HikVision 1.11%
ZTE 0.88%
Miele 0.68%
Unknown DVR 31.91%

As can be seen, MikroTik devices running under RouterOS are way out in front. The reason appears to be the Chimay-Red vulnerability. What’s interesting is that our honeypot attackers included 33 Miele dishwashers (0.68% of the total number of attacks). Most likely they were infected through the known (since March 2017) CVE-2017-7240 vulnerability in PST10 WebServer, which is used in their firmware.

Port 7547

Attacks against remote device management (TR-069 specification) on port 7547 are highly common. According to Shodan, there are more than 40 million devices in the world with this port open. And that’s despite the vulnerability recently causing the infection of a million Deutsche Telekom routers, not to mention helping to spread the Mirai and Hajime malware families.

Another type of attack exploits the Chimay-Red vulnerability in MikroTik routers running under RouterOS versions below 6.38.4. In March 2018, it played an active part in distributing Hajime.

IP cameras

IP cameras are also on the cybercriminal radar. In March 2017, several major vulnerabilities were detected in the software of GoAhead devices, and a month after information about it was published, there appeared new versions of the Gafgyt and Persirai Trojans exploiting these vulnerabilities. Just one week after these malicious programs were actively distributed, the number of infected devices climbed to 57,000.

On June 8, 2018, a proof-of-concept was published for the CVE-2018-10088 vulnerability in the XionMai uc-httpd web server, used in some Chinese-made smart devices (for example, KKMoon DVRs). The next day, the number of logged attempts to locate devices using this web server more than tripled. The culprit for this spike in activity was the Satori Trojan, known for previously attacking GPON routers.

New malware and threats to end users

DDoS attacks

As before, the primary purpose of IoT malware deployment is to perpetrate DDoS attacks. Infected smart devices become part of a botnet that attacks a specific address on command, depriving the host of the ability to correctly handle requests from real users. Such attacks are still deployed by Trojans from the Mirai family and its clones, in particular, Hajime.

This is perhaps the least harmful scenario for the end user. The worst (and very unlikely) thing that can happen to the owner of the infected device is being blocked by their ISP. And the device can often by “cured” with a simple reboot.

Cryptocurrency mining

Another type of payload is linked to cryptocurrencies. For instance, IoT malware can install a miner on an infected device. But given the low processing power of smart devices, the feasibility of such attacks remains in doubt, even despite their potentially large number.

A more devious and doable method of getting a couple of cryptocoins was invented by the creators of the Satori Trojan. Here, the victim IoT device acts as a kind of key that opens access to a high-performance PC:

  • At the first stage, the attackers try to infect as many routers as possible using known vulnerabilities, in particular:
    • CVE-2014-8361 – RCE in the miniigd SOAP service in Realtek SDK
    • CVE 2017-17215 – RCE in the firmware of Huawei HG532 routers
    • CVE-2018-10561, CVE-2018-10562 – authorization bypass and execution of arbitrary commands on Dasan GPON routers
    • CVE-2018-10088 – buffer overflow in XiongMai uc-httpd 1.0.0 used in the firmware of some routers and other smart devices made by some Chinese manufacturers
  • Using compromised routers and the CVE-2018-1000049 vulnerability in the Claymore Etherium miner remote management tool, they substitute the wallet address for their own.

Data theft

The VPNFilter Trojan, detected in May 2018, pursues other goals, above all intercepting infected device traffic, extracting important data from it (user names, passwords, etc.), and sending it to the cybercriminals’ server. Here are the main features of VPNFilter:

  • Modular architecture. The malware creators can fit it out with new functions on the fly. For instance, in early June 2018 a new module was detected able to inject javascript code into intercepted web pages.
  • Reboot resistant. The Trojan writes itself to the standard Linux crontab job scheduler, and can also modify the configuration settings in the non-volatile memory (NVRAM) of the device.
  • Uses TOR for communication with C&C.
  • Able to self-destruct and disable the device. On receiving the command, the Trojan deletes itself, overwrites the critical part of the firmware with garbage data, and then reboots the device.

The Trojan’s distribution method is still unknown: its code contains no self-propagation mechanisms. However, we are inclined to believe that it exploits known vulnerabilities in device software for infection purposes.

The very first VPNFilter report spoke of around 500,000 infected devices. Since then, even more have appeared, and the list of manufacturers of vulnerable gadgets has expanded considerably. As of mid-June, it included the following brands:

  • ASUS
  • D-Link
  • Huawei
  • Linksys
  • MikroTik
  • Netgear
  • QNAP
  • TP-Link
  • Ubiquiti
  • Upvel
  • ZTE

The situation is made worse by the fact that these manufacturers’ devices are used not only in corporate networks, but often as home routers.

Conclusion

Smart devices are on the rise, with some forecasts suggesting that by 2020 their number will exceed the world’s population several times over. Yet manufacturers still don’t prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions, and the updating process itself can be complex for the average user. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage Internet traffic, others shoot video footage, still others control domestic devices (for example, air conditioning).

Malware for smart devices is increasing not only in quantity, but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to steal personal data and mine cryptocurrencies, on top of traditional DDoS attacks.

Here are some simple tips to help minimize the risk of smart device infection:

  • Don’t give access to the device from an external network unless absolutely necessary
  • Periodic rebooting will help get rid of malware already installed (although in most cases the risk of reinfection will remain)
  • Regularly check for new firmware versions and update the device
  • Use complex passwords at least 8 characters long, including upper and lower-case letters, numerals, and special characters
  • Change the factory passwords at initial setup (even if the device does not prompt you to do so)
  • Close/block unused ports, if there is such an option. For example, if you don’t connect to the router via Telnet (port TCP:23), it’s a good idea to disable it so as to close off a potential loophole to intruders.


Securelist - Kaspersky Lab’s cyberthreat research and reports

A week in security (September 10 – 16)

Last week on Malwarebytes Labs, we assessed the security of a portable router, identified ways to waste a scammer’s time, named the many faces of omnichannel fraud, questioned the security of 2FAs, profiled a massive tech support scam operation, and exposed a new HMRC phishing campaign.

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (September 10 – 16) appeared first on Malwarebytes Labs.

OilRig Launching Attack Campaigns With Updated BONDUPDATER Trojan

The OilRig group conducted at least one attack campaign containing an updated variant of the BONDUPDATER trojan as its final payload. In August 2018, Palo Alto Networks’ Unit 42 threat research team detected an OilRig campaign targeting a high-ranking government organization in the Middle East. The email campaign leveraged spear-phishing, one of the most common […]… Read More

The post OilRig Launching Attack Campaigns With Updated BONDUPDATER Trojan appeared first on The State of Security.

Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware

Overview

Lazarus has been a major threat actor in the APT arena for several years. Alongside goals like cyberespionage and cybersabotage, the attacker has been targeting banks and other financial companies around the globe. Over the last few months, Lazarus has successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and fintech companies.

Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of Fallchill, including one from US-CERT.

To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including for macOS. A version for Linux is apparently coming soon, according to the website. It’s probably the first time we see this APT group using malware for macOS.

The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.

Trojanized cryptocurrency trading application

Thanks to Kaspersky Lab’s malicious-behavior detection technology, implemented in its endpoint security software, we were able to reassemble the stages of infection and trace them back to their origin. This helped us understand that one of Lazarus’ victims was infected with malware after installing a cryptocurrency trading program. We also confirmed that the user installed this program via a download link delivered over email.

Trojanized trading application for Windows

Including malicious code into distributed software and putting that on a website would be too obvious. Instead, the attackers went for a more elaborate scheme: the trojan code was pushed out in the form of an update for a trading application.

A legitimate-looking application called Celas Trade Pro from Celas Limited showed no signs of malicious behaviour and looked genuine. This application is an all-in-one style cryptocurrency trading program developed by Celas.

Screenshot of Celas Trade Pro

When we started this research, any user could download the trading application from the Celas website. Checking the installation package downloaded from the website confirmed the presence of a very suspicious updater.

Installation package download page

We have analyzed the following Windows version of the installation package:

MD5: 9e740241ca2acdc79f30ad2c3f50990a
File name: celastradepro_win_installer_1.00.00.msi
File type: MSI installer
Creation time: 2018-06-29 01:16:00 UTC

At the end of the installation process, the installer immediately runs the Updater.exe module with the “CheckUpdate” parameter. This file looks like a regular tool and most likely will not arouse the suspicion of system administrators. After all, it even contains a valid digital signature, which belongs to the same vendor. But the devil is in the detail, as usual.

The code writer developed this project under the codename “jeus”, which was discovered in a PDB path included in the updater and used as unique HTTP multipart message data separator string. Because of this, and the fact that the attacked platforms include Apple macOS, we decided to call this Operation AppleJeus.

Properties of the shady updater tool included in the package are:

MD5: b054a7382adf6b774b15f52d971f3799
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Known file name: %Program Files%\CelasTradePro\Updater.exe
Link Time: 2018-06-15 10:56:27 UTC
Build path: Z:\jeus\downloader\downloader_exe_vs2010\Release\dloader.pdb

The main purpose of Updater.exe is to collect the victim’s host information and send it back to the server. Upon launch, the malware creates a unique string with the format string template “%09d-%05d” based on random values, which is used as a unique identifier of the infected host. This malware collects process lists, excluding “[System Process]” and “System” processes and gets the exact OS version from the registry value at “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion”. It seems that such values only exist from Windows 10, so we assume that the author developed and tested it on Windows 10.

  • ProductName: Windows OS version
  • CurrentBuildNumber: Windows 10 build version
  • ReleaseID: Windows 10 version information
  • UBR: Sub version of Windows 10 build
  • BuildBranch: Windows 10 build branch information

The code encrypts the collected information with the hardcoded XOR key (“Moz&Wie;#t/6T!2y“) before uploading it to the server.

Data encryption routine

The code sends the victim’s information to a webserver using HTTP and the following URL:
www.celasllc[.]com/checkupdate.php

The server is a legitimate looking website owned by the developer of the program: Celas LLC. At this point we were not able to conclude with high confidence whether the server was compromised by the threat actor or had belonged to the threat actor from the beginning. To learn more about the server, please read the “Infrastructure” section below.

The malware used a hardcoded User-Agent string “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)” and fixed a multipart form data separator string “jeus“.

Using encryption, the custom separator string wouldn’t be a red flag for a legitimate application, but sending a request with the context-irrelevant string “get_config”, as well as uploading collected system information as “temp.gif”, mimicking a GIF image with a magic number in the header, definitely made us raise our eyebrows.

Communication with the C2 server

After successfully uploading data, the updater checks the server response. If the server responds with HTTP code 300, it means the updater should keep quiet and take no action. However, if the response is HTTP code 200, it extracts the payload with base64 and decrypts it using RC4 with another hardcoded key (“W29ab@ad%Df324V$Yd“). The decrypted data is an executable file that is prepended with the “MAX_PATHjeusD” string.

During our research, we found other similar files. One was created on August 3rd and another on August 11th. The PDB path shows that the author keeps improving this updater tool, apparently forked from some stable version released on July 2, 2018 according to the internal directory name.

Additional trojanized sample #1 Additional trojanized sample #1
Installation package MD5 4126e1f34cf282c354e17587bb6e8da3 0bdb652bbe15942e866083f29fb6dd62
Package creation date 2018-08-03 09:57:29 2018-08-13 0:12:10
Dropped updater MD5 ffae703a1e327380d85880b9037a0aeb bbbcf6da5a4c352e8846bf91c3358d5c
Updater creation date 2018-08-03 09:50:08 2018-08-11 7:28:08
Updater Build path H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000009\Release\dloader.pdb H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000006\Release\dloader.pdb

Note the TManager directory in the PDB path from the table. It will pop up again in another unexpected place later.

Trojanized trading program for macOS

For macOS users, Celas LLC also provided a native version of its trading app. A hidden “autoupdater” module is installed in the background to start immediately after installation, and after each system reboot. It keeps contacting the command and control (C2) server in order to download and run an additional executable from the server. The communication conforms to the Windows version of the updater and is disguised as an image file upload and download, while carrying encrypted data inside.

We have analyzed the following installation file:

MD5: 48ded52752de9f9b73c6bf9ae81cb429
File Size: 15,020,544 bytes
File Type: DMG disk image
Known file name: celastradepro_mac_installer_1.00.00.dmg
Date of creation: 13 July 2018

Once the Cellas Trade Pro app is installed on macOS, it starts the Updater application on the system load via a file named “.com.celastradepro.plist” (note that it starts with a dot symbol, which makes it unlisted in the Finder app or default Terminal directory listing). The “Updater” file is passed the “CheckUpdate” parameter on start.

Celas Trade Pro app plist file (Apple Property List)

The command-line argument “CheckUpdate” looks redundant from a code analysis perspective: there is no other argument that the application expects. In the absence of all arguments, it doesn’t do anything and quits. This may or may not be way to trick sandboxes that could automatically execute this trojan updater, with no suspicious activity produced without such a “secret” extra argument. The choice of a benign string such as “CheckUpdate” helps it to hide in plain sight of any user or administrator looking into running processes.

The trojanized updater works similar to the Windows version in many ways. Both applications are implemented using a cross-platform QT framework. Upon launch, the downloader creates a unique identifier for the infected host using a “%09d-%06d” format string template. Next, the app collects basic system information, which for macOS is done via dedicated QT classes:

  • Host name
  • OS type and version
  • System architecture
  • OS kernel type and version

The process of encrypting and transferring data is the same as in the Windows version. This information is XOR-encrypted with hardcoded 16-byte static key “Moz&Wie;#t/6T!2y”, prepended with GIF89a header and uploaded to the C2 server via HTTP POST and the following URL:

https://www.celasllc[.]com/checkupdate.php

POST request template strings

The module relies on a hardcoded User-Agent string for macOS:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Once the server replies, it checks the HTTP response code. HTTP response code 300 indicates that the server has no task for the updater and the application terminates immediately. If the HTTP response is code 200, then the updater gets the data in the response, decodes it from base64 encoding and decrypts it using RC4 with the hardcoded static key “W29ab@ad%Df324V$Yd“. It calculates the MD5 of the decoded and decrypted data, which is compared to a value stored inside, to verify the integrity of the transferred file. After that, the payload is extracted and saved to a hardcoded file location “/var/zdiffsec“, sets executable permissions for all users and starts the app with another secret hardcoded command-line argument “bf6a0c760cc642“. Apparently the command-line argument is the way to prevent the detection of its malicious functionality via sandboxes or even reverse engineering. We have previously seen this technique adopted by Lazarus group in 2016 in attacks against banks. As of 2018, it is still using this in almost every attack we investigated.

Downloaded payload

According to data from Kaspersky Security Network, the threat actor delivered the malicious payload using one of the shadowy updaters described above. We found a malicious file created at the same host:

MD5: 0a15a33844c9df11f12a4889ae7b7e4b
File Size: 104,898,560 bytes
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Known file name: C:\Recovery\msn.exe
Link time: 2018-04-19 13:30:19

Note the unusually large size for an executable file. We believe that it was inflated with junk data on purpose to prevent easy download or transfer over the internet.

Searching for the reason for the malware’s appearance on the system revealed that there was an additional process responsible for producing several files before this malware was launched, suggesting a trojan dropper in action. The main function of this malware is to implant the Fallchill backdoor loader linked to several files. Upon launch, the malware checks one of the command-line arguments passed to it. The malware chooses one of the service names located in the following registry value as a disguise:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

This value includes a list of several dozen standard system service names.

The randomly chosen service name is used to name the dropped file and newly registered Windows service. Let’s refer to this randomly chosen service name as [service]. The malware contains references to several files inside:

  • The file passed as argument: contains a 16-byte key
  • msncf.dat: Encrypted configuration data
  • msndll.tmp: Encrypted Fallchill loader
  • msndll.dat: Encrypted Fallchill backdoor (payload for the loader)
  • [service]svc.dll: Fallchill backdoor loader
  • [service].dat: Copy of msndll.dat

A mix of the above-mentioned files produces the final backdoor known as Fallchill. A more detailed procedure for technical specialists is as follows:

  1. Check whether the command-line argument points to a file of 16 byte size.
  2. Read the file passed via the command-line argument. The contents of this file contains a crypto key, which we will call the main key.
  3. Open the msncf.dat file (configuration file). If the file size equals 192 bytes, read the content of the file.
  4. Open msndll.tmp file and decrypt it using the main key.
  5. Create the [service]svc.dll file and fill it with pseudo-random data.
    1. The malware fills the file with 10,240 bytes of pseudo-random data, and iterates (rand() % 10 + 10240) times. This is why it produces files which are at least 104,851,000 bytes.
  6. Copy the 16-byte main key at the end of the [service]svc.dll file.
  7. Encrypt the [service].dat file name with the main key and append it at the end of [service]svc.dll.
  8. Overwrite the beginning of [service]svc.dll with data decrypted from msndll.tmp.
  9. Move msndll.dat file to [service].dat.
  10. Delete temporary files: msndll.tmp, msncf.dat, msndll.log.
  11. Timestamp [service]svc.dll and [service].dat files.
  12. Register [service]svc.dll as a Windows service.
  13. Save a copy of data from msncf.dat file in the following registry value
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description.

Infection process diagram

Fallchill backdoor loader

We confirmed that the following malware was created on the infected host using the method described above:

Fallchill backdoor loader:

MD5: e1ed584a672cab33af29114576ad6cce
File Size: 104,878,356 bytes
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Known file name: C:\Windows\system32\uploadmgrsvc.dll
Link time: 2018-01-18 01:56:32

Encrypted Fallchill backdoor:

MD5: d8484469587756ce0d10a09027044808
File Size: 143,872 bytes
File Type: encrypted data
Known file name: C:\Windows\system32\uploadmgr.dat

Upon starting, uploadmgrsvc.dll reads 276 bytes from the end of its own executable file. The first 16 bytes of this 276-byte data are used as a decryption key, and the remaining 260 bytes contain the encrypted file path used by the backdoor.

Data at the end of the loader module

After decryption of the last 260-bytes, the malware retrieves the name or path of the file that contains the actual backdoor body in encrypted form.

Decrypted file name in the end of loader module

The malware reads the specified file and decrypts it using the same decryption routine. This is how the executable code of the backdoor is produced in memory and executed by the loader. Below is the meta information about the decrypted final payload in memory:

MD5: d7089e6bc8bd137a7241a7ad297f975d
File Size: 143,872 bytes
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Link Time: 2018-03-16 07:15:31

We can summarize the Fallchill backdoor loading process as follows:

Loading the Fallchill backdoor

As mentioned previously, the final payload belongs to a Fallchill malware cluster formerly attributed to the Lazarus APT group. Upon launching, this malware resolves the API function addresses at runtime, and reads the C2 server address from the registry value created during the installation stage:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description

If there is no configuration value, the malware falls back to a default C2 server address.

  • 196.38.48[.]121
  • 185.142.236[.]226

This is a full-featured backdoor that contains enough functions to fully control the infected host. Some of its network protocol commands are described below.

Command ID Description
0x8000 Write current time and configuration data to registry key
0x8001 Send configuration data
0x8002 Replace configuration data in the fixed registry value
0x8003 Execute Windows command, store output in temp file and upload contents to C2
0x8006 Show current working directory
0x8007 Change current working directory
0x8008 Collect process information
0x8009 Terminate process
0x8010 Start new process
0x8011 Create process with security context of the current user
0x8012 Connect to specified host/port
0x8013 Get drive information
0x8014 Directory listing
0x8015 Search a file
0x8019 Write data to a specified file
0x8020 Read contents of specified file and upload to C2 server
0x8021 Compress multiples files to a temp file (name start with ZD) and upload to C2
0x8023 Wipe specific file
0x8025 Copy file time from another file time (timestamping)
0x8026 Shutdown malware service and self-delete
0x8043 Send “Not Service” unicode string to C2 server (communication test?).

This set of capabilities is very common for many Lazarus backdoors, which have been seen in other attacks against banks and financial industry in the past years.

Infrastructure

While working on the incident of the cryptocurrency company’s breach, we were curious about the legal status of the Celas LLC company that developed this trojanized trading application.

Celas LLC main homepage.

The website had a valid SSL certificate issued by Comodo CA. However, note that the certificate from this webserver mentions “Domain Control Validated”, which is a weak security verification level for a webserver. It does not mean validation of the identity of the website’s owner, nor of the actual existence of the business. When certification authorities issue this kind of certificate they only check that the owner has a certain control over the domain name, which can be abused in certain ways.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            22:a6:49:c1:ae:61:3f:58:5a:a5:e3:cb:8b:23:f0:61
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: May 29 00:00:00 2018 GMT
            Not After : May 29 23:59:59 2019 GMT
        Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=celasllc.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:de:0f:58:f2:68:07:d2:0f:43:5a:07:c6:53:b7:
                    4a:b4:1c:4c:71:4f:a1:4e:80:e3:5a:ec:3b:90:a7:
                    91:ca:42:49:71:ba:da:33:4c:e4:4f:1f:86:d9:30:
                    32:a0:b1:f4:b2:f2:9c:28:97:7c:81:0f:02:d0:9c:
                    36:f6:9c:d6:f9:b5:ca:23:ba:1b:84:e4:0d:8c:9f:
         -- Redacted --

Below is the WHOIS record of the “celasllc.com” domain. The domain name was registered by an individual named “John Broox” with registrant email address “johnbroox200@gmail[.]com”.

Registrant Name: John Broox
Registrant Organization: 
Registrant Street: 2141 S Archer Ave   
Registrant City: Chicago
Registrant State/Province: Illinois
Registrant Postal Code: 60601
Registrant Country: US
Registrant Phone: +1.8133205751
Registrant Email: johnbroox200@gmail[.]com
…..
Name Server: 1a7ea920.bitcoin-dns.hosting
Name Server: a8332f3a.bitcoin-dns.hosting
Name Server: ad636824.bitcoin-dns.hosting
Name Server: c358ea2d.bitcoin-dns.hosting

The same name of “John Broox” was used inside the installation package of the macOS version of the trading application. The Info.plist properties file describes the package as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    	<key>CFBundleVersion</key>
    	<string>1.00.00</string>
    	<key>CFBundleName</key>
    	<string>Celas Trade Pro</string>
    	<key>CFBundleIconFile</key>
    	<string>CelasTradePro</string>
    	<key>CFBundlePackageType</key>
    	<string>APPL</string>
    	<key>CFBundleGetInfoString</key>
    	<string>Developed by John Broox. CELAS LLC</string>
    	<key>CFBundleSignature</key>
    	<string>QTCELASTRADE</string>
    	<key>CFBundleExecutable</key>
    	<string>CelasTradePro</string>
    	<key>CFBundleIdentifier</key>
    	<string>com.celasllc.CelasTradePro</string>
    	<key>NSPrincipalClass</key>
    	<string>NSApplication</string>
    	<key>NSHighResolutionCapable</key>
    	<string>True</string>
    	<key>LSMinimumSystemVersion</key>
    	<string>10.10.0</string>
</dict>
</plist>

It looks at first sight like a legitimate WHOIS record, but something doesn’t really add up here. The domain celasllc.com was the only domain registered with this email address and was exclusively used for domain registration.

The registrant used the Domain4Bitcoins service to register this domain, apparently paying with cryptocurrency. According to open-source intelligence, the address of the WHOIS information is fake, unless it’s the owner of a ramen shop running a cryptocurrency exchange software development studio on the side.

View of the location referred in the WHOIS record. Image source: Google Maps.

The server hosting celasllc.com (185.142.236.213) belongs to the Blackhost ISP in the Netherlands.

WHOIS record of cellasllc.com server

Coincidentally, the Fallchill malware authors also preferred to use the same hosting company to host their C2 server. Moreover, the Celas LLC web server and one of the C2 servers of the Fallchill malware are located in the same network segment of this ISP:

  • Celas LLC infrastructure:
    • 185.142.236.213: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Fallchill malware C2 server:
    • 196.38.48[.]121: South Africa Internet Solutions AS3741
    • 185.142.236[.]226: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Additional attacker’s server from telemetry
    • 80.82.64[.]91: Seychelles Incrediserve Ltd AS29073
    • 185.142.239[.]173: Netherlands Blackhost Ltd. AS174 COGENT-174

However, when you look into Celas Trading Pro application’s digital signature, including its “Updater”, you will find that this certificate was also issued by Comodo CA, which refers to a company address in the United States.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            9a:73:55:0b:83:76:86:3b:d9:43:0f:aa:8b:5a:29:87
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA
        Validity
            Not Before: May 21 00:00:00 2018 GMT
            Not After : May 21 23:59:59 2019 GMT
        Subject: C=US/postalCode=49319, ST=Michigan, L=Cedar Springs/street=15519 WHITE CREEK AVE NE, O=CELAS LLC, CN=CELAS LLC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:31:7a:c6:68:2f:d2:03:f2:e9:61:c4:86:4f:
                    46:62:e7:a6:d7:7c:bd:e6:9f:a8:83:2c:a6:44:43:
                    92:da:b7:ea:cc:3d:3e:35:20:3f:9c:57:46:1c:d1:
                    65:b8:28:50:29:cd:29:11:e8:56:59:85:e5:0f:19:

According to open-source data, this address doesn’t belong to a real business, and looks on maps like a meadow with a small forest and small real estate offering nearby.

Location of Cellas LLC, according to its digital certificate

Real estate history of that address

Pivoting the infrastructure a little further brings up some more suspicious things. It appears that the domain referred to two IPs, one of which was linked to a few other suspicious domains, according to PassiveDNS.

Cellas LLC linked infrastructure

The owners of the linked infrastructural elements preferred to use several interesting services for hosting domain registration. All these service providers offer a certain level of anonymity to their customers. Most of them accept Bitcoins as a main payment method to keep their customers anonymous. This is very uncommon for companies running a legitimate business.

Hosting services linked to Celas LLC:

  • Blackhost (https://black.host/)
  • Liberty VPS (https://libertyvps.net/)

Domain registration services linked to Celas LLC:

  • Domains4Bitcoins (https://www.domains4bitcoins.com/)
  • NameCheap (https://www.namecheap.com/)
  • ChangeIP (https://www.changeip.com/)
  • Njalla (https://njal.la/)

All the facts above can make the more sceptical among us doubt the intentions of Celas LLC and the legitimacy of this business. Of course, these facts alone would not be enough to accuse Celas LLC of committing a crime.

Attribution

Kaspersky Lab has previously attributed the Fallchill malware cluster to Lazarus group when it attacked the financial sector around the world. It was also confirmed by other security vendors, and the national CERT of US.

RC4 key from the older Fallchill

Fallchill malware uses a RC4 algorithm with a 16-byte key to protect its communications. The key extracted from the Fallchill variant used in the current attack is DA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B.

Current RC4 key of Fallchill

We were able to confirm that some of older Fallchill malware variants used exactly the same RC4 key. Below are Fallchill malware samples that used the same key (the compilation timestamp may indicate the date of malware creation).

MD5 Timestamp
81c3a3c5a0129477b59397173fdc0b01 2017-05-26 23:37:04
6cb34af551b3fb63df6c9b86900cf044 2017-06-09 17:24:30
21694c8db6234df74102e8b5994b7627 2017-11-07 17:54:19
5ad7d35f0617595f26d565a3b7ebc6d0 2015-10-24 01:52:11
c501ea6c56ba9133c3c26a7d5ed4ce49 2017-06-09 03:59:43
cafda7b3e9a4f86d4bd005075040a712 2017-11-07 17:54:33
cea1a63656fb199dd5ab90528188e87c 2017-06-12 19:25:31
6b061267c7ddeb160368128a933d38be 2017-11-09 17:18:06
56f5088f488e50999ee6cced1f5dd6aa 2017-06-13 08:17:51
cd6796f324ecb7cf34bc9bc38ce4e649 2016-04-17 03:26:56

Same C2 server with older Fallchill

We have confirmed that the C2 server addresses (196.38.48[.]121, 185.142.236[.]226) used in this attack have been used by the older variant of Fallchill.

MD5 Timestamp
94dfcabd8ba5ca94828cd5a88d6ed488 2016-10-24 02:31:18
14b6d24873f19332701177208f85e776 2017-06-07 06:41:27
abec84286df80704b823e698199d89f7 2017-01-18 04:29:29

Overlap of C2 infrastructure

Apparently, the attackers using the Fallchill malware continue to reuse code and C2 server infrastructure over and over again.

According to Kaspersky Security Network, Fallchill was not the only malware used in this attack. There was another backdoor that was used by the threat actor. We omit a full description of this backdoor in the current report to keep the write-up to an acceptable length, but we would like to highlight two important things discovered in it. First, this backdoor was created on 2018-07-12 and revealed an already familiar directory, “TManager”, which we previously saw in the Updater.exe application from the Cellas Trading Pro suite:

H:\DEV\TManager\all_BOSS_troy\T_4.2\T_4.2\Server_\x64\Release\ServerDll.pdb

Second, what is probably one of the most interesting findings to come from this additional backdoor was discovered hidden in hardcoded headers used to communicate with C2 server. The Accept-Language HTTP header string revealed a language code associated with North Korea. In our experience, this is something we normally don’t see in malware.

Accept-Language: ko-kp,ko-kr;q=0.8,ko;q=0.6,en-us;q=0.4,en;q=0.2

Accept-Language HTTP header value in the body of the backdoor

Conclusions

The Lazarus APT group’s continuous attacks on the financial sector are not much of a surprise to anyone. A lot of research has been done and published about such attacks. However, we think this case makes a difference. Recent investigation shows how aggressive the group is and how its strategies may evolve in the future.

First of all, Lazarus group has entered a new platform: macOS. There is steadily growing interest in macOS from ordinary users, especially in IT companies. Many developers and engineers are switching to using macOS. Apparently, in the chase after advanced users, software developers from supply chains and some high profile targets, threat actors are forced to have macOS malware tools. We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once.

We cannot say with full certainty whether Celas LLC was compromised and the threat actor abused it to push malware through an update mechanism. However, the multiple successful Lazarus attempts to compromise supply chain companies suggest that it will keep exploring this infection method. From all angles, the Celas LLC story looks like the threat actor has found an elaborate way to create a legitimate looking business and inject a malicious payload into a “legitimate looking” software update mechanism. Sounds logical: if one cannot compromise a supply chain, why not to make fake one?

This should be a lesson to all of us and a wake-up call to businesses relying on third-party software. Do not automatically trust the code running on your systems. Neither good looking website, nor solid company profile nor the digital certificates guarantee the absence of backdoors. Trust has to be earned and proven. Stay safe!

Appendix I – Indicators of Compromise

File Hashes (malicious documents, trojans, emails, decoys)

Trojanized installer and payload

9e740241ca2acdc79f30ad2c3f50990a celastradepro_win_installer_1.00.00.msi
4126e1f34cf282c354e17587bb6e8da3 celastradepro_win_installer_1.00.00.msi
0bdb652bbe15942e866083f29fb6dd62 CelasTradePro-Installer.msi
48ded52752de9f9b73c6bf9ae81cb429 celastradepro_mac_installer_1.00.00.dmg
b054a7382adf6b774b15f52d971f3799 Updater.exe
ffae703a1e327380d85880b9037a0aeb Updater.exe
bbbcf6da5a4c352e8846bf91c3358d5c Updater.exe
0a15a33844c9df11f12a4889ae7b7e4b msn.exe
E1ed584a672cab33af29114576ad6cce uploadmgrsvc.dll
D8484469587756ce0d10a09027044808 uploadmgr.dat
D7089e6bc8bd137a7241a7ad297f975d

Same RC4 key Fallchill

81c3a3c5a0129477b59397173fdc0b01
6cb34af551b3fb63df6c9b86900cf044
21694c8db6234df74102e8b5994b7627
5ad7d35f0617595f26d565a3b7ebc6d0
c501ea6c56ba9133c3c26a7d5ed4ce49
cafda7b3e9a4f86d4bd005075040a712
cea1a63656fb199dd5ab90528188e87c
6b061267c7ddeb160368128a933d38be
56f5088f488e50999ee6cced1f5dd6aa
cd6796f324ecb7cf34bc9bc38ce4e649

Same C&C server Fallchill

94dfcabd8ba5ca94828cd5a88d6ed488
14b6d24873f19332701177208f85e776
abec84286df80704b823e698199d89f7

File path

C:\Recovery\msn.exe
C:\Recovery\msndll.log
C:\Windows\msn.exe
C:\WINDOWS\system32\uploadmgrsvc.dll
C:\WINDOWS\system32\uploadmgr.dat

Domains and IPs

www.celasllc[.]com/checkupdate.php (malware distribution URL)
196.38.48[.]121
185.142.236[.]226
80.82.64[.]91
185.142.239[.]173

A Deep Dive Into RIG Exploit Kit Delivering Grobios Trojan

As discussed in previous blogs, exploit kit activity has been on the decline since the latter half of 2016. However, we do still periodically observe significant developments in this space, and we have been observing interesting ongoing activity involving RIG Exploit Kit (EK). Although the volume of its traffic observed in-the-wild has been on the decline, RIG EK remains active, with a wide range of associated crimeware payloads.

In this recent finding, RIG EK was observed delivering a Trojan named Grobios. This blog post will discuss this Trojan in depth with a focus on its evasion and anti-sandbox techniques, but first let’s take a quick look at the attack flow. Figure 1 shows the entire infection chain for the activity we observed.


Figure 1: Infection chain

We first observed redirects to RIG EK on Mar. 10, 2018, from the compromised domain, latorre[.]com[.]au, which had a malicious iframe injected to it (Figure 2).


Figure 2: Malicious Iframe injected in latorre[.]com

The iframe loads a malvertisement domain, which communicates over SSL (certificate shown in Figure 3) and leads to the RIG EK landing page that loads the malicious Flash file (Figure 4).


Figure 3: Malicious SSL flow


Figure 4: RIG EK SWF download request

When opened, the Flash file drops the Grobios Trojan. Figure 5 shows the callback traffic from the Grobios Trojan.


Figure 5: Grobios callback

Analysis of the Dropped Malware

Grobios uses various techniques to evade detection and gain persistence on the machine, which makes it hard for it to be uninstalled or to go inactive on the victim machine. It also uses multiple anti-debugging, anti-analysis and anti-VM techniques to hide its behavior. After successful installation on the victim machine, it connects to its command and control (C2) server, which responds with commands.

In an effort to evade static detection, the authors have packed the sample with PECompact 2.xx. The unpacked sample has no function entries in the import table. It uses API hashing to obfuscate the names of API functions it calls and parses the PE header of the DLL files to match the name of a function to its hash. The malware also uses stack strings. Figure 6 shows an example of the malware calling WinApi using the hashes.


Figure 6: An example of calling WinAPI using their hashes.

Loading

The malware sample starts a copy of itself, which further injects its code into svchost.exe or IEXPLORE.EXE depending on the user privilege level. Both parent and child quit after injection is complete. Only svchost.exe/IEXPLORE.EXE keeps running. Figure 7 shows the process tree.


Figure 7: Process tree of the malware

Persistence

The malware has an aggressive approach to persistence. It employs the following techniques:

  • It drops a copy of itself into the %APPDATA% folder, masquerading as a version of legitimate software installed on the victim machine. It creates an Autorun registry key and a shortcut in the Windows Startup folder. During our analysis, it dropped itself to the following path:

%APPDATA%\Google\v2.1.13554\<RandomName>.exe. 

The path can vary depending on the folders the malware finds in %APPDATA%.

  • It drops multiple copies of itself in subfolders of a program at the path %ProgramFiles%/%PROGRAMFILES(X86)%,  again masquerading as a different version of the installed program, and sets an Autorun registry key or creates a scheduled task.
  • It drops a copy itself in the %Temp% folder, and creates a scheduled task to run it.

On an infected system, the malware creates two scheduled tasks, as shown in Figure 8.


Figure 8: Scheduled tasks created by the malware

The malware changes the file Created, Modified, and Accessed times of all of its dropped copies to the Last Modified time of ntdll.dll. To bypass the “File Downloaded from the Internet” warning, the malware removes the :Zone.Identifier flag using DeleteFile API, as shown in Figure 9.


Figure 9: Call to DeleteFileW to remove the :Zone.Identifier Flag from the dropped copy

An interesting behavior of this malware is that it protects its copy in the %TEMP% folder using EFS (Windows Encrypted File System), as seen in Figure 10.


Figure 10: Cipher Command Shows the Malware Copy Protected by EFS

Detecting VM and Malware Analysis Tools

Just before connecting to the C2, the malware does a series of checks to detect the VM and malware analysis environment. It can detect almost all well-known VM software, including Xen, QEMU, VMWare, Virtualbox, Hyper-V, and so on. The following is the list of checks it performs on the victim system:

  • Using the FindWindowEx API, it checks whether any of the analysis tools in Table 1 are running on the system.

Analysis Tools

PacketSniffer

FileMon

WinDbg

Process Explorer

OllyDbg

SmartSniff

cwmonitor

Sniffer

Wireshark

Table 1: Analysis tools detected by malware

  • The malware contains a list of hashes of blacklisted process names. It checks whether the hash of any of running process matches a hash on the blacklist, as shown in Figure 11. 


Figure 11: Check for blacklisted processes

We were able to crack the hashes of the blacklisted processes shown in Table 2.

Hash

Process

283ADE38h

vmware.exe

8A64214Bh

vmount2.exe

13A5F93h

vmusrvc.exe

0F00A9026h

vmsrvc.exe

0C96B0F73h

vboxservice.exe

0A1308D40h

vboxtray.exe

0E7A01D35h

xenservice.exe

205FAB41h

joeboxserver.exe

6F651D58h

joeboxcontrol.exe

8A703DD9h

wireshark.exe

1F758DBh

Sniffhit.exe

0CEF3A27Ch

sysAnalyzer.exe

6FDE1C18h

Filemon.exe

54A04220h

procexp.exe

0A17C90B4h

Procmon.exe

7215026Ah

Regmon.exe

788FCF87h

autoruns.exe

0A2BF507Ch

 

0A9046A7Dh

 

Table 2: Blacklisted processes

  • The malware enumerates registry keys in the following paths to see if they contain the words xen or VBOX:
    • HKLM\HARDWARE\ACPI\DSDT
    • HKLM\HARDWARE\ACPI\FADT
    • HKLM\HARDWARE\ACPI\RSDT
  • It checks whether services installed on the system contain any of the keywords in Table 3:

vmmouse

vmdebug

vmicexchange

vmicshutdown

vmicvss

vmicheartbeat

msvmmouf

VBoxMouse

vpcuhub

vpc-s3

vpcbus

vmx86

vmware

VMMEMCTL

VMTools

XenVMM

xenvdb

xensvc

xennet6

xennet

xenevtchn

VBoxSF

VBoxGuest

   

Table 3: Blacklisted service names

  • It checks whether the username contains any of these words:  MALWARE, VIRUS, SANDBOX, MALTEST
  • It has a list of hashes of blacklisted driver names. It traverses the windows driver directory %WINDIR%\system32\drivers\ using FindFirstFile/FindNextFile APIs to check if the hash of the name of any drivers matches with that of any blacklisted driver's name, as shown in Table 4.

Hash

Driver

0E687412Fh

hgfs.sys

5A6850A1h

vmhgfs.sys

0CA5B452h

prleth.sys

0F9E3EE20h

prlfs.sys

0E79628D7h

prlmouse.sys

68C96B8Ah

prlvideo.sys

0EEA0F1C2h

prl_pv32.sys

443458C9h

vpcs3.sys

2F337B97h

vmsrvc.sys

4D95FD80h

vmx86.sys

0EB7E0625h

vmnet.sys

Table 4: Hashes of blacklisted driver names

  • It calculates the hash of ProductId and matches it with three blacklisted hashes to detect public sandboxes, shown in Table 5.

Hash

Product Id

Sandbox Name

4D8711F4h

76487-337-8429955-22614

Anubis Sanbox

7EBAB69Ch

76487-644-3177037-23510

CWSandbox

D573F44D

55274-640-2673064-23950

Joe Sandbox

Table 5: Blacklisted product IDs

  • The malware calculates the hash of loaded module (DLL) names and compares them with the list of hashes of blacklisted module names shown in Table 6. These are the DLLs commonly loaded into the process being debugged, such as dbhelp.dll and api_log.dll.    

6FEC47C1h

6C8B2973h

0AF6D9F74h

49A4A30h

3FA86C7Dh

Table 6: Blacklisted module names hashes

Figure 12 shows the flow of code that checks for blacklisted module hashes.


Figure 12: Code checks for blacklisted module hashes

  • It checks whether Registry keys present at the path HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum and HKLM\SYSTEM\ControlSet001\Services\Disk\Enum contain any of these words: QEMU, VBOX, VMWARE, VIRTUAL
  • It checks whether registry keys at the path HKLM\SOFTWARE\Microsoft, HKLM\SOFTWARE  contain these words: VirtualMachine, vmware, Hyber-V
  • It checks whether the system bios version present at registry path HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion contains these words: QEMU, BOCHS, VBOX
  • It checks whether the video bios version present at registry path HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion contains  VIRTUALBOX substring.
  • It checks whether the registry key at path HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier contains any of these words: QEMU,vbox, vmware
  • It checks whether the registry key HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions  exists on the system.

Network Communication

The malware contains two hardcoded obfuscated C2s. After de-obfuscating the C2 URLs, it generates a random string of 20 characters, appends it to the end of URL, and sends the request for commands. Before it executes the commands, the malware verifies the identity of the C2. It calculates the hash of 4 bytes of data using the CALG_MD5 algorithm. It then uses the Base64 data from the CERT command as a Public Key in CryptVerifySignature to verify the hash signature (Figure 13). If the signature is verified, the malware executes the commands.


Figure 13: Malware verifies the C2 hash

During our initial analysis, we found that the malware supports the commands shown in Table 7. 

Command

Description

CERT <Base64 data>

Contains the data used to verify the identity of the C2

CONNECT <IP:Port>

Connect to given host for further commands

DISCONNECT

Close all the connections

WAIT <Number of seconds>

Wait for the number of seconds before executing the next commands

REJECT

Kind of NOP. Move on to next command after waiting for 5 second

Table 7: Commands supported by malware

Figure 14 shows commands being issued by the C2 server.


Figure 14: Commands issued by the C2 server

Conclusion

Despite the decline in activity, exploit kits still continue to put users at risk – especially those running older versions of software. Enterprises need to make sure their network nodes are fully patched.

All FireEye products detect the malware in our MVX engine. Additionally, FireEye Network Security blocks delivery at the infection point.

Indicators of Compromise (IOCs)

  • 30f03b09d2073e415a843a4a1d8341af
  • 99787d194cbd629d12ef172874e82738
  • 169.239.129[.]17
  • grobiosgueng[.]su

Acknowledgments 

We acknowledge Mariam Muntaha for her contribution to the blog regarding malicious traffic analysis.

Metamorfo Campaigns Targeting Brazilian Users

FireEye Labs recently identified several widespread malspam (malware spam) campaigns targeting Brazilian companies with the goal of delivering banking Trojans. We are referring to these campaigns as Metamorfo. Across the stages of these campaigns, we have observed the use of several tactics and techniques to evade detection and deliver the malicious payload. In this blog post we dissect two of the main campaigns and explain how they work.

Campaign #1

The kill chain starts with an email containing an HTML attachment with a refresh tag that uses a Google URL shortener as the target. Figure 1 shows a sample email, and Figure 2 show the contents of the HTML file.


Figure 1: Malicious Email with HTML Attachment


Figure 2: Contents of HTML File

When the URL is loaded, it redirects the victim to a cloud storage site such as GitHub, Dropbox, or Google Drive to download a ZIP file. An example is shown in Figure 3.


Figure 3: URL Shortener Redirects to Github Link

The ZIP archive contains a malicious portable executable (PE) file with embedded HTML application (HTA). The user has to unzip the archive and double-click the executable for the infection chain to continue. The PE file is a simple HTA script compiled into an executable. When the user double-clicks the executable, the malicious HTA file is extracted to %temp% and executed by mshta.exe.

The HTA script (Figure 4) contains VBS code that fetches a second blob of VBS code encoded in base64 form from hxxp://<redacted>/ilha/pz/logs.php. 


Figure 4: Contents of HTA File

After the second stage of VBS is decoded (Figure 5 and Figure 6), the script downloads the final stage from hxxp://<redacted>/28022018/pz.zip. 


Figure 5: Contents of Decoded VBS


Figure 6: More Contents of Decoded VBS

The downloaded ZIP file contains four files. Two are PE files. One is a legitimate Windows tool, pvk2pfx.exe, that is abused for DLL side-loading. One is the malicious banking Trojan as the DLL.

The VBS code unzips the archive, changes the extension of the legitimate Windows tool from .png to .exe, and renames the malicious DLL as cryptui.dll. The VBS code also creates a file in C:\Users\Public\Administrador\car.dat with random strings. These random strings are used to name the Windows tool, which is then executed. Since this tool depends on a legitimate DLL named cryptui.dll, the search order path will find the malicious Trojan with the same name in the same directory and load it into its process space.

In Q4 of 2017, a similar malspam campaign delivered the same banking Trojan by using an embedded JAR file attached in the email instead of an HTML attachment. On execution, the Java code downloaded a ZIP archive from a cloud file hosting site such as Google Drive, Dropbox, or Github. The ZIP archive contained a legitimate Microsoft tool and the malicious Trojan.

Banking Trojan Analysis

The Trojan expects to be located in the hardcoded directory C:\\Users\\Public\Administrador\\ along with three other files to start execution. As seen in Figure 7, these files are:

  • car.dat (randomly generated name given to Windows tool)
  • i4.dt (VBS script that downloads the same zip file)
  • id (ID given to host)
  • cryptui.dll (malicious Trojan)


Figure 7: Contents of ZIP Archive

Persistence

The string found in the file C:\\Users\\Public\\Administrador\\car.dat is extracted and used to add the registry key Software\Microsoft\Windows\CurrentVersion\Run\<string from car.dat> for persistence, as shown in Figure 8.


Figure 8: Reading from car.dat File

The sample also looks for a file named i4.dt in the same directory and extracts the contents of it, renames the file to icone.vbs, and creates a new persistent key (Figure 9) in \Software\Microsoft\Windows\CurrentVersion\Run to open this file.


Figure 9: Persistence Keys

The VBS code in this file (Figure 10) has the ability to recreate the whole chain and download the same ZIP archive.


Figure 10: Contents of VBS Script

Next, the Trojan searches for several folders in the Program Files directories, including:

  • C:\\Program Files\\AVG
  • C:\\Program Files\\AVAST Software
  • C:\\Program Files\\Diebold\\Warsaw
  • C:\\Program Files\\Trusteer\\Rapport
  • C:\\Program Files\\Java
  • C:\\Program Files (x86)\\scpbrad

If any of the folders are found, this information, along with the hostname and Operating System version, is sent to a hardcoded domain with the hardcoded User-Agent value “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0” in the format shown in Figure 11. The value of AT is “<host_name+OS&MD>=<list of folders found>”.


Figure 11: Network Traffic for Host Enumeration

The sample iterates through the running processes, kills the following, and prevents them from launching:

  • msconfig.exe
  • TASKMGR.exe
  • regedit.exe
  • ccleaner64.exe
  • taskmgr.exe
  • itauaplicativo.exe

Next, it uses GetForegroundWindow to get a handle to the window the user is viewing and GetWindowText to extract the title of the window. The title is compared against a hardcoded list of Brazilian banking and digital coin sites. The list is extensive and includes major organizations and smaller entities alike. 

If any of those names are found and the browser is one of the following, the Trojan will terminate that browser.

  • firefox.exe
  • chrome.exe
  • opera.exe
  • safari.exe

The folder C:\Users\Public\Administrador\logs\ is created to store screenshots, as well as the number of mouse clicks the user has triggered while browsing the banking sites (Figure 12). The screenshots are continuously saved as .jpg images.


Figure 12: Malware Capturing Mouse Clicks

Command and Control

The command and control (C2) server is selected based on the string in the file “id”:

  • al -> '185.43.209[.]182'
  • gr -> '212.237.46[.]6'
  • pz -> '87.98.146[.]34'
  • mn -> ’80.211.140[.]235'

The connection to one of the hosts is then started over raw TCP on port 9999. The command and control communication generally follows the pattern <|Command |>, for example:

  • '<|dispida|>logs>SAVE<' sends the screenshots collected in gh.txt.
  • '<PING>' is sent from C2 to host, and '<PONG>' is sent from host to C2, to keep the connection alive.
  • '<|INFO|>' retrieves when the infection first started based on the file timestamp from car.dat along with '<|>' and the host information.

There were only four possible IP addresses that the sample analyzed could connect to based on the strings found in the file “id”. After further researching the associated infrastructure of the C2 (Figure 13), we were able to find potential number of victims for this particular campaign.

 

Figure 13: Command and Control Server Open Directories

Inside the open directories, we were able to get the following directories corresponding to the different active campaigns. Inside each directory we could find statistics with the number of victims reporting to the C2. As of 3/27/2018, the numbers were:

  • al – 843
  • ap – 879
  • gr – 397
  • kk – 2,153
  • mn – 296
  • pz – 536
  • tm – 187

A diagram summarizing Campaign #1 is shown in Figure 14.


Figure 14: Infection Chain of Campaign #1

Campaign #2

In the second campaign, FireEye Labs observed emails with links to legitimate domains (such as hxxps://s3-ap-northeast-1.amazonaws[.]com/<redacted>/Boleto_Protesto_Mes_Marco_2018.html) or compromised domains (such as hxxps://curetusu.<redacted>-industria[.]site/) that use a refresh tag with a URL shortener as the target. The URL shortener redirects the user to an online storage site, such as Google Drive, Github, or Dropbox, that hosts a malicious ZIP file. A sample phishing email is shown in Figure 15.


Figure 15: Example Phishing Email

The ZIP file contains a malicious executable written in AutoIt (contents of this executable are shown in Figur 16). When executed by the user, it drops a VBS file to a randomly created and named directory (such as C:\mYPdr\TkCJLQPX\HwoC\mYPdr.vbs) and fetches contents from the C2 server.


Figure 16: Contents of Malicious AutoIt Executable

Two files are downloaded from the C2 server. One is a legitimate Microsoft tool and the other is a malicious DLL: 

  • https[:]//panel-dark[.]com/w3af/img2.jpg
  • https[:]//panel-dark[.]com/w3af/img1.jpg

Those files are downloaded and saved into random directories named with the following patterns:

  • <current user dir>\<5 random chars>\<8 random chars>\<4 random chars>\<5 random chars>.exe
  • <current user dir>\<5 random chars>\<8 random chars>\<4 random chars>\CRYPTUI.dll 

The execution chain ensures that persistence is set on the affected system using a .lnk file in the Startup directory. The .lnk file shown in Figure 17 opens the malicious VBS dropped on the system.


Figure 17: Persistence Key

The VBS file (Figure 18) will launch and execute the downloaded legitimate Windows tool, which in this case is Certmgr.exe. This tool will be abused using the DLL side loading technique. The malicious Cryptui.dll is loaded into the program instead of the legitimate one and executed.


Figure 18: Contents of Dropped VBS File

Banking Trojan Analysis

Like the Trojan from the first campaign, this sample is executed through search-order hijacking. In this case, the binary abused is a legitimate Windows tool, Certmgr.exe, that loads Cryptui.dll. Since this tool depends on a legitimate DLL named cryptui.dll, the search order path will find the malicious Trojan with the same name in the same directory and load it into its process space.

The malicious DLL exports 21 functions. Only DllEntryPoint contains real code that is necessary to start the execution of the malicious code. The other functions return hardcoded values that serve no real purpose.

On execution, the Trojan creates a mutex called "correria24" to allow only one instance of it to run at a time.

The malware attempts to resolve “www.goole[.]com” (most likely a misspelling). If successful, it sends a request to hxxp://api-api[.]com/json in order to detect the external IP of the victim. The result is parsed and execution continues only if the country code matches “BR”, as shown in Figure 19.


Figure 19: Country Code Check

The malware creates an empty file in %appdata%\Mariapeirura on first execution, which serves as a mutex lock, before attempting to send any collected information to the C2 server. This is done in order to get only one report per infected host.

The malware collects host information, base64 encodes it, and sends it to two C2 servers. The following items are gathered from the infected system:

  • OS name
  • OS version
  • OS architecture
  • AV installed
  • List of banking software installed
  • IP address
  • Directory where malware is being executed from

The information is sent to hxxp://108.61.188.171/put.php (Figure 20).


Figure 20: Host Recon Data Sent to First C2 Server

The same information is sent to panel-dark[.]com/Contador/put.php (Figure 21).


Figure 21: Host Recon Data Sent to Second C2 Server

The malware alters the value of registry key Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ExtendedUIHoverTime to 2710 in order to change the number of milliseconds a thumbnail is showed while hovering on the taskbar, as seen in Figure 22.


Figure 22: ExtendedUIHoverTime Registry Key Change

Like the Trojan from the first campaign, this sample checks if the foreground window's title contains names of Brazilian banks and digital coins by looking for hardcoded strings.

The malware displays fake forms on top of the banking sites and intercepts credentials from the victims. It can also display a fake Windows Update whenever there is nefarious activity in the background, as seen in Figure 23.


Figure 23: Fake Form Displaying Windows Update

The sample also contains a keylogger functionality, as shown in Figure 24.


Figure 24: Keylogger Function

Command and Control

The Trojan’s command and control command structure is identical to the first sample. The commands are denoted by the <|Command|> syntax.

  • <|OK|> gets a list of banking software installed on the host.
  • '<PING>' is sent from C2 to host, and '<PONG>' is sent from host to C2, to keep connection alive.
  • <|dellLemb|> deletes the registry key \Software\Microsoft\Internet Explorer\notes.
  • EXECPROGAM calls ShellExecute to run the application given in the command.
  • EXITEWINDOWS calls ExitWindowsEx.
  • NOVOLEMBRETE creates and stores data sent with the command in the registry key \Software\Microsoft\Internet Explorer\notes.


Figure 25: Partial List of Victims

This sample contains most of the important strings encrypted. We provide the following script (Figure 26) in order to decrypt them.


Figure 26: String Decryption Script

Conclusion

The use of multi-stage infection chains makes it challenging to research these types of campaigns all the way through.

As demonstrated by our research, the attackers are using various techniques to evade detection and infect unsuspecting Portuguese-speaking users with banking Trojans. The use of public cloud infrastructure to help deliver the different stages plays a particularly big role in delivering the malicious payload. The use of different infection methods combined with the abuse of legitimate signed binaries to load malicious code makes these campaigns worth highlighting.

Indicators of Compromise

Campaign #1
TYPE HASH DESCRIPTION
MD5 860fa744d8c82859b41e00761c6e25f3 PE with Embedded HTA
MD5 3e9622d1a6d7b924cefe7d3458070d98 PE with Embedded HTA
MD5 f402a482fd96b0a583be2a265acd5e74 PE with Embedded HTA
MD5 f329107f795654bfc62374f8930d1e12 PE with Embedded HTA
MD5 789a021c051651dbc9e01c5d8c0ce129 PE with Embedded HTA
MD5 68f818fa156d45889f36aeca5dc75a81 PE with Embedded HTA
MD5 c2cc04be25f227b13bcb0b1d9811e2fe cryptui.dll
MD5 6d2cb9e726c9fac0fb36afc377be3aec id
MD5 dd73f749d40146b6c0d2759ba78b1764 i4.dt
MD5 d9d1e72165601012b9d959bd250997b3 VBS file with commands to create staging directories for malware
MD5 03e4f8327fbb6844e78fda7cdae2e8ad pvk2pfx.exe [Legit Windows Tool]
URL   hxxp://5.83.162.24/ilha/pz/logs.php
URL   hxxp://5.83.162.24/28022018/pz.zip 
C2   ibamanetibamagovbr[.]org/virada/pz/logs.php
URL   sistemasagriculturagov[.]org
URL   hxxp://187.84.229.107/05022018/al.zip
Campaign #2
TYPE HASH DESCRIPTION
MD5 2999724b1aa19b8238d4217565e31c8e AutoIT Dropper
MD5 181c8f19f974ad8a84b8673d487bbf0d img1.jpg [lLegit Windows Tool]
MD5 d3f845c84a2bd8e3589a6fbf395fea06 img2.jpg [Banking Trojan]
MD5 2365fb50eeb6c4476218507008d9a00b Variants of Banking Trojan
MD5 d726b53461a4ec858925ed31cef15f1e Variants of Banking Trojan
MD5 a8b2b6e63daf4ca3e065d1751cac723b Variants of Banking Trojan
MD5 d9682356e78c3ebca4d001de760848b0 Variants of Banking Trojan
MD5 330721de2a76eed2b461f24bab7b7160 Variants of Banking Trojan
MD5 6734245beda04dcf5af3793c5d547923 Variants of Banking Trojan
MD5 a920b668079b2c1b502fdaee2dd2358f Variants of Banking Trojan
MD5 fe09217cc4119dedbe85d22ad23955a1 Variants of Banking Trojan
MD5 82e2c6b0b116855816497667553bdf11 Variants of Banking Trojan
MD5 4610cdd9d737ecfa1067ac30022d793b Variants of Banking Trojan
MD5 34a8dda75aea25d92cd66da53a718589 Variants of Banking Trojan
MD5 88b808d8164e709df2ca99f73ead2e16 Variants of Banking Trojan
MD5 d3f845c84a2bd8e3589a6fbf395fea06 Variants of Banking Trojan
MD5 28a0968163b6e6857471305aee5c17e9 Variants of Banking Trojan
MD5 1285205ae5dd5fa5544b3855b11b989d Variants of Banking Trojan
MD5 613563d7863b4f9f66590064b88164c8 Variants of Banking Trojan
MD5 3dd43e69f8d71fcc2704eb73c1ea7daf Variants of Banking Trojan
C2   https[:]//panel-dark[.]com/w3af/img2.jpg 
C2   https[:]//panel-dark[.]com/w3af/img1.jpg 

Don’t Let An Auto-Elevating Bot Spoil Your Christmas

Ho ho ho! Christmas is coming, and for many people it’s time to do some online shopping.
Authors of banking Trojans are well aware of this yearly phenomenon, so it shouldn’t come as a surprise that some of them have been hard at work preparing some nasty surprises for this shopping season.

And that’s exactly what TrickBot has just gone and done. As one of the most prevalent banking malware for Windows nowadays, we’ve recently seen it diversify into attacking Nordic banks. We’ve blogged about that a couple of times already.

As usual, the Trojan is being delivered via spam campaigns. According to this graph, based on our telemetry, most spam was distributed between Tuesday afternoon and Wednesday morning:

trickbot_spam_graph_20171213

The spam emails we’ve seen typically have a generic subject like “Your Payment – 1234”, a body with nothing but “Your Payment is attached”, and indeed an attachment which is a Microsoft Word document with instructions in somewhat poor English…

trickbot_spam_word_doc

Clicking the button will not reveal any document content, but launch a macro that will eventually download and run the TrickBot payload.
Same old trick, but some people who have just bought a Christmas gift might still fall for it and end up with another ‘gift’ installed on their computer.

And that ‘gift’ is the most interesting part of this story. The newest payload underwent some changes which are, well, remarkable…

Targets

Since its initial appearance during Fall 2016, the actors have been actively developing the malware, and are constantly expanding and changing the targets. Here a short summary of the recently spotted changes:

  • Removed: banks in Australia, New Zealand, Argentina, Italy
  • Changed: a few Spanish, Austrian and Finnish targets are now found in the Dynamic Injection list (adding interception code to the actual web page) instead of using Static Injection (replacing the complete web page)
  • Added: new banks, particularly in France, Belgium and Greece.

Anti-sandbox checks

Up till now, we were not aware of any features in TrickBot that were checking if the malware is run in a virtual machine or a sandboxed environment used for automatic analysis. The new version has introduced a few simple checks against some known sandboxes by calling GetModuleHandle for the following DLLs:

trickbot_antisandbox

(More info about every DLL can be found here)

If any of these modules are found, the payload just quits.

Interestingly, we have also found a few encrypted strings that seem to indicate detection of the Windows virtual machine images that Microsoft provides for web developers to test their code in Internet Explorer and Edge, however, these strings are not used anywhere (yet). Let’s see if the actors will expand their sandbox evasion attempts in a future version.

trickbot_test_vm

Auto-elevation

But we have saved the best for last. When the payload was running, we noticed that it didn’t run with user rights, as it always did before. Instead, it was running under the SYSTEM account, i.e. with full system privileges. There was no UAC prompt during the infection sequence, so TrickBot must have used an auto-elevation mechanism to gain admin rights.

A little search in the disassembly quickly revealed an obvious clue:

trickbot_elevation_1

Combined with a few hard-coded CLSIDs …

trickbot_elevation_2

… we found out that the actors have implemented a UAC bypass which was (as far as we are aware of) publicly disclosed only a few months ago. The original discovery is explained here:
https://msitpros.com/?p=3960
And later implemented as a standalone piece of code, and most likely the main inspiration for the TrickBot coders:
https://gist.github.com/hfiref0x/196af729106b780db1c73428b5a5d68d

In short: this bypass is a re-implementation of a COM interface to launch ShellExec with admin rights, and it is used in a standard Windows component “Component Manager Administrator Kit” to install network connections on machine level.

It works everywhere from Windows 7 up to the latest Windows 10 version 1709 with default UAC settings, and considering it’s basically a Windows feature, probably hard to address. In other words, perfect for usage in malware, and it wouldn’t surprise us if we’ll see the same bypass in more families soon.

Thanks to Päivi for the spam graph.

 

Breaking Down the Malware Behind the Ukraine Power Outage

Security researchers recently discovered that the power outage in the Ukraine in December was caused by a malware and identified as an evolved version of BlackEnergy. This Trojan, dating back to 2007, was a popular malware that was previously sold in Russian underground sites. However, its design and architecture changed from performing simple HTTP DDos attacks to modular functional strategy implementation. The latest version of this Trojan is now capable of dropping rootkits, performing stealthy approaches and backdoor commands via a CnC server. It is also worth noting that it is highly speculated to be utilized by a group of attackers that are against the government of Ukraine. Since Stuxnet, this BlackEnergy cyberattack is another of its kind since it also managed to sabotage an industrial sector and that the group responsible for the power outage was also linked to the Trojan found in the mining and railway sector of Ukraine.

Industrial systems typically electrical, power, oil or water uses Industrial Control Systems (ICS), which are used for control, supervision and data collection. Usually, the ICS are on an isolated network and, although still part of the network, rarely have limited access to the internet. It is interesting how BlackEnergy managed to get inside these systems. Later during our analysis, we will gain insight on what happened and how the group managed to infiltrate the network from the initial stage of the attack via a phishing email.

This blog will focus on the analysis of BlackEnergy, parts of its core components, as well as how ThreatTrack’s ThreatAnalyzer and ThreatSecure provide us the information needed for data intelligence gathering. We’ll leave the analysis of the plugins that BlackEnergy utilized for another separate blog.

This research also aims to provide information on (1) how to emulate the attack by dissecting each stage of the process and (2) show how to utilize ThreatTrack’s newest line of threat identification products to mitigate and lessen the probability that these types of outbreaks might happen to you or your company. We’ll begin the analysis using the two samples that we have.

Md5: 97b7577d13cf5e3bf39cbe6d3f0a7732

  • Type: XLS (Microsoft Excel file)
  • First seen: 8/16/2015

Md5: e15b36c2e394d599a8ab352159089dd2

  • Type: DOC (Microsoft Document file)
  • First seen: 1/22/2016

BlackEnergy’s method of arrival is via a spear-phishing email containing a malicious attachment. We can emulate this by attaching the samples that we have on an email and send it inside our network. There has been a lot of debate as to how the attachment(s) was/were executed since, for this version of BlackEnergy, no exploits of Office have been seen. The only thing we know is that somehow a person inside executed the document file(s), whether by social engineering or an insider.

Using ThreatTrack’s ThreatSecure Network and ThreatSecure Email, we can see that it was identified as something malicious when entering the network and also via email. The system changes that it will be performing can be seen under behaviors. The IP entry indicates the IP address of a remote server that it is trying to beacon to. Since this sample is already a few months old, and news of this attack has already been widespread, it only makes sense that the server is already down.

TSN_Excel

Fig 1: TSN catching the XLS attachment

docTSN_identified

Fig 2: TSN catching the DOC file

tse_unreviewed

Fig 2.1: ThreatSecure Email (TSE)

tse_details

Fig 2.2: Submit for Remediation

A cool feature of ThreatSecure Network is that, once a threat has been identified, any connection made to the target computer will be monitored and can be seen in the ThreatSecure Network UI  called ThressionsTM. Using these Thressions, users will be alerted that an attack is happening or has happened and, depending on their settings, will be able to block a said network session. Fig 2.1 and Fig 2.2 above show that the file we are analyzing was caught by ThreatSecure Email, and upon user’s request can be submitted for remediation to remove the system changes done by the malware.

It is a good practice to find out what the malware does in overview prior to getting deep in the assembly breakdown. There are a couple of ways we can do this. You can use an infected machine and the tools available on the net to see what the malware does upon execution. But this would take time and effort to set up, and there’s a much faster and easier way we can do this: Use a sandbox.

ThreatTrack’s dynamic malware analysis sandbox ThreatAnalyzer reveals the behaviors not normally seen on normal programs.

We started with the DOC file (e15b36c2e394d599a8ab352159089dd2) and the XLS (97b7577d13cf5e3bf39cbe6d3f0a7732), and both showed the same behavior:

  • Dropped the following files
    • %Temp%\vba_macro.exe
    • LNK file (windows shortcut) pointing to the DOC file
    • %Application Data%\FONTCACHE.DAT
    • %User%\NTUSER.LOG
    • %Common Startup%\<adapter name>.LNK file
  • Creates a named pipe
    • Pipe\{AA0EED25-4167-4CBB-BDA8-9A0F5FF93EA8}
  • Executed the following processes, some of the spawned multiple times
    • Vba_macro.exe
    • Cmd.exe
    • Attrib.exe
    • Ping.exe
    • Rundll32.exe %Application Data%\FONTCACHE.DAT, #1
    • %Program Files%\iexplore.exe
  • A screenshot showing what the document looks like when opened (DOC and XLS)
  • Created/Modified the following registry
    • Software\Microsoft\Internet Explorer\Main Check_Associations
    • Software\Microsoft\Internet Explorer\InformationBar FirstTime
    • Software\Microsoft\Internet Explorer\New Windows PopupMgr
    • Software\Microsoft\Internet Explorer\PhishingFilter Enabled
    • Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache Persistent
    • Software\Microsoft\Internet Explorer\TabbedBrowsing WarnOnClose
    • Software\Microsoft\Internet Explorer\TabbedBrowsing WarnOnCloseAdvanced
    • Software\Microsoft\Internet Explorer\Main DisableFirstRunCustomize
    • Software\Microsoft\Internet Explorer\Recovery NoReopenLastSession
    • Software\Microsoft\Internet Explorer\Main NoProtectedModeBanner
    • Software\Microsoft\Internet Explorer\TabbedBrowsing
    • Software\Microsoft\Internet Explorer\Recovery
  • Attempted to connect to a remote server
    • 5.149..254.114
    • Usage of RPCRT4.DLL
TA_processes

Fig 2.3: ThreatAnalyzer showing processes spawned by the DOC file

Looking a bit deeper

Now that we have an overview of what the samples are doing, we’ll do some classic reverse-engineering.

Although the two samples have different hashes and file formats (the one is a word document file and the other an excel sheet) they are, in basic sense, the same.

Both have a malicious macro script embedded in them and both are trying to deceive the user from disabling the macro security settings that is enabled by default. A fake Microsoft Office message appears in Russian, stating “This document was created by a newer version of Microsoft office. Macros must be enabled to display the content of the document.”

Depending on the security settings of Microsoft Office (high, medium or low), the image on Fig 4 will be displayed. If a user somehow chose to disable the macro security or is on a low security level, the malicious scripts previously mentioned will be executed immediately.

security_macro

Fig 3: Security on medium settings

Looking inside the VB macro, the code are fairly straightforward:

  • Declares a series of byte array
  • Save it in a file located in the %TEMP% directory
  • Execute the said file using the function SHELL
Fig 4

Fig 4: Byte array declaration (MZ)

 

Fig 5: Byte array declaration (PE)

Fig 5: Byte array declaration (PE)

Fig 4 shows the value 77, 90 in array a (1). Converted to hex, that is 0x4D, 0x5A (MZ), which is a strong indicator that these sequence of array is an executable. This is further verified in Fig 6, where we see 80, 69 that, when converted to hex, results in 0x50, 0x45 (PE).

Automatic execution is achieved by doing the following:

Fig 6: Byte array declaration (PE)

Fig 6: Byte array declaration (PE)

Fig 7. Deobfuscated macro

To put it simply, Fig 7 tells us that it will save the byte array into a file named vba_macro.exe located in %TEMP% directory and execute it using the Shell function.

Vba_macro.exe

According to the results from ThreatAnalyzer, Vba_macro.exe will spawn a file named FONTCACHE.DAT and several other processes. Looking inside the vba_macro executable, it seems it is heavily obfuscated at its entry point. It is posing as a file with an original name of packet.dll and is exposing several functions similar to that of being used by WinPCap. The weird thing is that although the function names are similar to that of a legit packet.dll located at the system directory (assuming WinPCap is installed), the assembled code is garbage, except for the first function, which is probably the deobfuscator code.

packet_dll_comparison

Fig 8: Note the similarities and the difference between the two.

The primary purpose of this file is to stage the next part of the infection process, which is to execute FONTCACHE.DAT.

Upon execution, this file reconstructs its code in an allocated part of memory and writes parts of itself in a separate file, the FONTCACHE.DAT, in the Application data folder. The GetAdaptersInfo API is used to get the name of the network card in use, use that as a file name for the .LNK, which is a windows shortcut file that will execute another program indicated on its path. On this case, it uses this method to ensure that the program it points to %windir%\System32\rundll32.exe “C:\Documents and Settings\Administrator\Local Settings\Application Data\FONTCACHE.DAT” will always get started upon boot up.

It deletes the credential named MCSF_Config before executing FONTCACHE.DAT using rundll32 with #1, indicating to execute the first ordinal function. This version of BlackEnergy uses the said credential to store its configuration, and in order to ensure that it will have the latest config, it deletes it prior to executing FONTCACHE.DAT.

creddelete_shellexecute

Fig 9: CredDeleteA and ShellExecute

It will call the following command line shell commands

cmd /s /c “for /L %i in (1,1,100) do (del /F “%TEMP%\vba_macro.exe” & ping localhost -n 2 & if not exist “%Application Data%\FONTCACHE.DAT” Exit 1)

cmd /s /c “for /L %i in (1,1,100) do (attrib +h “%TEMP%\vba_macro.exe” & del /A:h /F “%TEMP%\vba_macro.exe” & ping localhost -n 2 & if not exist “%Application Data%\FONTCACHE.DAT” Exit 1)

FONTCACHE.DAT

Fontcache.dat is executed using rundll32, a way for Windows to run compiled libraries. It has an argument of #1, which means to run the first ordinal in its exported functions.

In an attempt to make a researcher’s life more difficult and in order to slow down the time to fully analyze the malware, the authors decided to obfuscate, again, this piece of malware.

We’ll get a bit deeper by trying to unpack the malware using old methods. It is common knowledge for malware analysts to set a break point to common memory allocating APIs, such as VirtualAlloc and LocalAlloc, and see whether the malware is trying to unpack part of itself in memory; however, this particular sample uses RtlAlloc and HeapAlloc to copy parts of itself little by little.

After decryption and some initializations, it will enter its main loop.

mainloop_flow_letters

Fig 10: Chart of main function of FONTCACHE.DAT

(A) Attempts to read the current user’s credential named MCSF_Config using CredReadA API. The one that will be read is actually an encrypted buffer that will be written by the malware in function (B). This encrypted buffer will be decrypted twice and will contain information like the CnC server URL, bot version, build type and some other strings that will be appended to locally gathered data.

decrypted_configuration

(B) Reads the data in the .CDATA section of FONTCACHE.DAT and overwrites the current user’s credential with that blob. This is achieved via CredWriteA API. This part also gathers local information about the target system and saves it for later use.

(C) Responsible for modifying the settings for Internet Explorer in the registry.

    • Software\Microsoft\Internet Explorer\Main Check_Associations
    • Software\Microsoft\Internet Explorer\InformationBar FirstTime
    • Software\Microsoft\Internet Explorer\New Windows PopupMgr
    • Software\Microsoft\Internet Explorer\PhishingFilter Enabled
    • Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache Persistent
    • Software\Microsoft\Internet Explorer\TabbedBrowsing WarnOnClose
    • Software\Microsoft\Internet Explorer\TabbedBrowsing WarnOnCloseAdvanced
    • Software\Microsoft\Internet Explorer\Main DisableFirstRunCustomize
    • Software\Microsoft\Internet Explorer\Recovery NoReopenLastSession
    • Software\Microsoft\Internet Explorer\Main NoProtectedModeBanner
    • Software\Microsoft\Internet Explorer\TabbedBrowsing
    • Software\Microsoft\Internet Explorer\Recovery

The function also creates a separate thread that initiates the RPC communication over named pipes. The mentioned named pipe is the method of communication of different BE 3 plugins over the same network.

      1. Pipe\{AA0EED25-4167-4CBB-BDA8-9A0F5FF93EA8}

(D) Creates a file named NTUSER.LOG. Currently, due to the way it was programmed, it only creates a 0 byte file.

(E) Forms the message that will be sent over to its CnC server. It contains the following information:

      • B_id : BotID, comprises of <computername> _<unique bot identifier>
      • B_gen : generation of bot, on this case “release”
      • B_ver : Bot version, “2.2”
      • Os_v : target system OS version, “2600” (Build version of Windows XP)
      • Os_type: OS type, “0”

Using CryptBinaryToString, it “encrypts” the data that will be sent over the network and sent to its CnC server as POST data as the body parameter

post_data

(F) Creates an instance of Internet Explorer in the background using CoCreateInstance API. Since the settings of IE were already modified, no GUI will be seen, and it will be running under svchost.exe.

  • D30C1661-CDAF-11D0-8A3E-00C04FC9E26E using this GUID, an empty instance of IE will be called as it is the default handler of IWebBrowser2 interface.
  • Connects to http://5.149.254.114/Microsoft/Update/KC074913.php as an RPC client to send the information to a remote server.

rpc_cnc_connection

(G) Assuming a connection to the remote server has been made, it accepts 4 basic commands:

  • Delete – deletes a specified file
  • Ldplg – loads a plugin
  • Unlplg – unload a plugin
  • Dexec – download and execute a binary file

Using this, it has made itself modular as it can download and execute different plugin based on what type of attack will be performed. BlackEnergy has already been linked to several found plugins that also uses the named pipe mentioned above as inter-process communication, locally or even over the local network.

It is believed that these backdoor commands are the ones responsible for the attack that happened. The authors would upload new plugins, execute them and, after the damage has been done, delete the traces. These are (but not limited to):

      • Input/Output (IO) operations, deleting files and wiping away traces
      • Gathering system information
      • Keyloggers
      • Password stealers
      • Taking of screenshots
      • Remote access, SSH or RDP

After which, it will sleep for X number of seconds, depending on the one indicated on its configuration data and attempt to send the information and accept new commands from the CnC server.

Summary

overall_flow

Fig 11: Simplified overall flow of BlackEnergy 3

Point of entry is using a targeted spear-phishing email with a malicious attachment. Once it has been executed, the malware would be able to download and install new plugins. Communication between the core malware module and plugins are achieved through RPC communication. This is employed since most ICS are on an isolated network. Even if the target systems are on a network that does not have internet connection, the malware would still be able to ex-filtrate the data, install new plugins and control the systems using RPC named pipes over SMB. Simplified diagram on Fig 11.

The post Breaking Down the Malware Behind the Ukraine Power Outage appeared first on ThreatTrack Security Labs Blog.

Banking Protection – how does it work?

Security products are usually protecting you silently in the background. Until they encounter something malicious, that is. But there is one exception. You may have seen a banner in the upper part of the screen when visiting sites dealing with money. That’s our Banking Protection kicking in. It’s available in both Internet Security and our brand new SAFE. Let’s take a closer look at what’s going on when the banner appears.

One quite common form of malware is the banking Trojan. It sits in the computer and waits for the user to do her on-line banking. At this point it interferes with the traffic and manipulates payments. Much larger sums may go to an account other than the intended. The most sophisticated ones can even modify the account balance to hide the fact that a larger sum has been stolen. Most of these rely on some kind of communication with its own “mother ship”, and this is the point where Banking Protection strikes.

Every web site you open is checked and the products queries our Security Cloud to find out if it’s good, bad or ugly. This way the product also gets info about whether it is a banking site or not. If it is, then Banking Protection is activated. This means that all other connections to the web are monitored extra carefully and anything even remotely suspicious is blocked. In practice this means that we only allow connections that are known to be safe. This cuts off any Trojan’s communication to its server, and thus cripples most of them.

But wait a minute. How can the banking Trojan be active if our anti-malware is installed on the computer? Yes, that’s a good point. Banking Protection is actually your last line of defense. Any software that runs on your computer has passed through several levels of security. First the download source is examined, and known bad links are blocked. Then the actual executable is checked with several different techniques. Deep Guard will analyze the program when it runs. And then Banking Protection kicks in to protect you if all other layers have failed. So it’s not very likely that Banking Protection ever will stop a crime on your computer. But these banking Trojan cases can be very expensive so some extra security is never wrong.

And finally a word about the downsides. Nothing is perfect and Banking Protection has got some drawbacks too. I wrote that all network traffic, except connections known to be safe, are blocked. A side effect of this is that some of the mail traffic is stopped on my home computer. Sometimes I want to shoot away a mail to confirm that something has been paid. That mail will be stuck in my outbox until Banking Protection is disabled. So you need to be aware that there may be side effects like this. Just reach for the bar at the top of the screen and click End if you run into troubles. But finish your bank business before that.

 

Safe surfing,
Micke