Tuesday, March 25, 2014

Walkthrough of a Recent Zbot Infection and associated CnC Server

During routine ThreatLabZ log analysis, we encountered the following malicious Zbot executable connecting back to its CnC server and exfiltrating data via HTTP POST requests.
  • MD5: 0b43d6a65f67ef48f4da3a1cc09335a1
  • Size: 442368 bytes
  • Detected as PWS:Win32/Zbot by Microsoft (VT 43/49)
[POST DATA]

iTpRAQWetIVVzRx502Gqds3DKmG80ru/P1ggedWTJAgrue/EVaoL95bMH6K0It8I9/wGHEIKbkXhcoxGOKgJOxGFYkvfoWsUM/NWAUQ+wdjlZOpD0Ke77Sob6rQT0WToRF9lWkhx514Es9wGHNKTn5xrTY7pJeqxGiTNMsB3fsCFfjZZKabmhwDzKTP/0W6FFEJb


What separated this discovery from your average CnC server? The attackers were kind enough to leave the CnC server largely exposed (directory browsing enabled, many files not password protected) to provide a rare behind the scenes look at a live botnet operation. Let's walk through what we observed.  

The above-mentioned Zbot variant was responsible for dropping the following malicious files:
  • 6ca1690720b3726bc76ef0e7310c9ee7 - Win32/Stoberox.B (VT 26 / 50)
  • d2c6a0e888d66882d7dc29667c4c9ec0 - TrojanDownloader:Win32/Cutwail (VT 38/50)
We also noted that it started a server listening on ports 1548 and 3492 and sent data via POST requests to hxxp://vodrasit.su/admin/gate.php (see the malwr sandbox report).

Domains contacted:
  • shivammehta.com [ IP: 181.224.129.14]
  • merdekapalace.com [IP: 202.71.103.21]
  • vodrasit.su [IP: 37.115.13.224]
IPs contacted:

Malicious IP          VirusTotal link
99.42.33.76 https://www.virustotal.com/en/ip-address/99.42.33.76/information/
115.126.143.176 https://www.virustotal.com/en/ip-address/115.126.143.176/information/
50.179.168.36 https://www.virustotal.com/en/ip-address/50.179.168.36/information/
158.58.230.200 https://www.virustotal.com/en/ip-address/158.58.230.200/information/
212.186.32.8 https://www.virustotal.com/en/ip-address/212.186.32.8/information/
61.27.49.175 https://www.virustotal.com/en/ip-address/61.27.49.175/information/
86.133.91.153 https://www.virustotal.com/en/ip-address/86.133.91.153/information/
206.205.226.130 https://www.virustotal.com/en/ip-address/206.205.226.130/information/
172.245.217.122 https://www.virustotal.com/en/ip-address/172.245.217.122/information/
80.213.146.163 https://www.virustotal.com/en/ip-address/80.213.146.163/information/
81.206.227.11 https://www.virustotal.com/en/ip-address/81.206.227.11/information/
91.21.200.217 https://www.virustotal.com/en/ip-address/91.21.200.217/information/
1.240.64.211 https://www.virustotal.com/en/ip-address/1.240.64.211/information/
24.184.76.143 https://www.virustotal.com/en/ip-address/24.184.76.143/information/
97.104.63.159 https://www.virustotal.com/en/ip-address/97.104.63.159/information/
172.11.217.35 https://www.virustotal.com/en/ip-address/172.11.217.35/information/
87.1.90.206 https://www.virustotal.com/en/ip-address/87.1.90.206/information/
81.149.88.233 https://www.virustotal.com/en/ip-address/81.149.88.233/information/
203.110.94.69 https://www.virustotal.com/en/ip-address/203.110.94.69/information/
50.11.239.126 https://www.virustotal.com/en/ip-address/50.11.239.126/information/
181.224.129.14 https://www.virustotal.com/en/ip-address/181.224.129.14/information/
108.162.199.119 https://www.virustotal.com/en/ip-address/108.162.199.119/information/
202.71.103.21 https://www.virustotal.com/en/ip-address/202.71.103.21/information/
65.55.172.254 https://www.virustotal.com/en/ip-address/65.55.172.254/information/
120.150.210.249 https://www.virustotal.com/en/ip-address/120.150.210.249/information/

While looking at the POST data submitted to hxxp://vodrasit.su/admin/gate.php, we explored the site and found that it is currently hosting two malicious files and a password-protected admin console.

Because the attackers left directory browsing enabled, the files hosted on hxxp://vodrasit.su/ can be listed directly:

[   ]  admin.zip 03-Mar-2014 09:49 12M  
[DIR] admin/ 21-Aug-2013 23:44  
[   ]  all.exe 21-Mar-2014 17:36 457K
[   ]  rok.exe 21-Mar-2014 06:23 75K

all.exe attempted to contact the following DGA-generated domains:
  • aulbbiwslxpvvphxnjij.biz
  • kvdmkndexomrceqydtgepr.net
  • gadmxsmfeqrscmfytvksirnyxm.com
  • xgkzhahdqsxgusireqxdqkzsk.ru
  • aemfyldumrlithbaayzhib.com
  • jbqswspnseqsqwmrnzxodivuciv.net
  • ijfifyhydeydxwdnrkuwsovofm.org
  • lrtofahqzlvrsxsscdaykzuqs.info
  • dgmeulrobvsfaskdrknkfswyt.biz
  • cqdwgydskztyluwhjzcmmjlfqs.ru
  • hiciqglzaqwopnzdmtkdro.com
  • xgadhizdspnditwhdaxcjae.info
  • bypjgqusdmeanbylqghtvcqkead.org
  • civmvcibuhjzuoijxrozaegmfi.biz
  • ijrtkzdjbztgattccytojrswsd.com
  • igaytdmoqkmfauzdbmrwrceapf.ru
  • jbtkscmfuuygmdmdrorodfmp.com
  • sougwcinroivgtpvjzijuocagqau.net
  • hiufeamaqsyxmntswooronrnvz.biz
  • bymncecukrcusxvctsduxceu.info
  • prdmzrmreylvkqqodj.com
  • sbusxwswayizfepfydtoovvbqhm.ru
  • yhayxjzmbpscaypizlnftofl.com
  • tkytijfhiaqbymnxkxcwxg.biz
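The domains above have the shape typical of algorithmically generated names: long second-level labels, few vowels, long consonant runs. As an added example (editor's code, not from the original post and not the generation algorithm used by all.exe, which the post does not show), the following Python scores a domain on those three features and flags the ones that look generated. The thresholds are assumptions tuned to this sample; the domain list is copied from the post, and the benign names are added for comparison.

```python
import math
from collections import Counter

VOWELS = set("aeiou")  # 'y' is deliberately treated as a consonant

# Domains contacted by all.exe, copied from the post above.
DGA_DOMAINS = [
    "aulbbiwslxpvvphxnjij.biz", "kvdmkndexomrceqydtgepr.net",
    "gadmxsmfeqrscmfytvksirnyxm.com", "xgkzhahdqsxgusireqxdqkzsk.ru",
    "aemfyldumrlithbaayzhib.com", "jbqswspnseqsqwmrnzxodivuciv.net",
    "ijfifyhydeydxwdnrkuwsovofm.org", "lrtofahqzlvrsxsscdaykzuqs.info",
    "dgmeulrobvsfaskdrknkfswyt.biz", "cqdwgydskztyluwhjzcmmjlfqs.ru",
    "hiciqglzaqwopnzdmtkdro.com", "xgadhizdspnditwhdaxcjae.info",
    "bypjgqusdmeanbylqghtvcqkead.org", "civmvcibuhjzuoijxrozaegmfi.biz",
    "ijrtkzdjbztgattccytojrswsd.com", "igaytdmoqkmfauzdbmrwrceapf.ru",
    "jbtkscmfuuygmdmdrorodfmp.com", "sougwcinroivgtpvjzijuocagqau.net",
    "hiufeamaqsyxmntswooronrnvz.biz", "bymncecukrcusxvctsduxceu.info",
    "prdmzrmreylvkqqodj.com", "sbusxwswayizfepfydtoovvbqhm.ru",
    "yhayxjzmbpscaypizlnftofl.com", "tkytijfhiaqbymnxkxcwxg.biz",
]

# Constructed comparison set: the first three are the non-DGA hosts from the
# post, the rest are ordinary names (one of them long, to show that length
# alone is not the signal).
BENIGN_DOMAINS = ["shivammehta.com", "merdekapalace.com", "vodrasit.su",
                  "microsoft.com", "internationalbusinessmachines.com"]


def registrable_label(domain: str) -> str:
    """Second-level label ('example' in 'www.example.com').
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def vowel_ratio(label: str) -> float:
    letters = [c for c in label if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def longest_consonant_run(label: str) -> int:
    best = run = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def entropy(label: str) -> float:
    """Shannon entropy in bits per character; reported for the analyst, not used in the rule."""
    n = len(label)
    return -sum(k / n * math.log2(k / n) for k in Counter(label).values()) if n else 0.0


def dga_features(domain: str) -> dict:
    label = registrable_label(domain)
    return {"label": label, "length": len(label),
            "vowel_ratio": round(vowel_ratio(label), 3),
            "consonant_run": longest_consonant_run(label),
            "entropy": round(entropy(label), 3)}


def is_dga_like(domain: str, min_len: int = 16, max_vowel: float = 0.30,
                min_run: int = 4) -> bool:
    """Assumed rule: a long label that is either vowel-starved or has a long
    consonant run. Tuned to this sample; real DGA families differ."""
    f = dga_features(domain)
    return f["length"] >= min_len and (f["vowel_ratio"] < max_vowel
                                       or f["consonant_run"] >= min_run)


def flag_dga_domains(domains) -> list:
    return [d for d in domains if is_dga_like(d)]


if __name__ == "__main__":
    for d in DGA_DOMAINS + BENIGN_DOMAINS:
        print("DGA " if is_dga_like(d) else "ok  ", dga_features(d))
```

Run over a passive-DNS or proxy export, a rule like this is a cheap first-pass filter; anything it flags still needs confirmation (NXDOMAIN volume, registration age, sandbox correlation) before it goes on a blocklist.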

Admin Console

Although we weren't able to access the live admin console, as it was password protected, we were able to replicate the setup from the exposed source files (hxxp://vodrasit.su/admin.zip), and it would appear as shown below:

Another directory with browsing enabled exists at hxxp://vodrasit.su/admin/db/. Here the data from infected machines connecting back to the CnC server can be observed:


Before being transmitted from a victim machine, the data is RC4-encrypted, base64-encoded and then sent to the CnC in the body of a POST request.

Here is the code that first base64-decodes the data and then RC4-decrypts it:
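As an added example (editor's reconstruction of the scheme the post describes, not the code from the leaked admin.zip), the following Python implements both ends: the bot side (RC4 then base64) and the gate side (base64 then RC4), plus a plausibility check that tells a correct key from a wrong one. The key and the record format are assumptions; the real key is in the leaked sources and is not reproduced in the post. The POST body copied from the post is included so it can be fed to decode_report once the key is known.

```python
import base64

# Assumed key and record format; the real values live in the leaked admin.zip.
EXAMPLE_KEY = b"example-key"
EXAMPLE_RECORD = b"os=WINDOWS 7&bits=0&country=SOUTH KOREA"

# POST body captured in the post above, copied verbatim (key unknown here).
POST_BLOB = ("iTpRAQWetIVVzRx502Gqds3DKmG80ru/P1ggedWTJAgrue/EVa"
             "oL95bMH6K0It8I9/wGHEIKbkXhcoxGOKgJOxGFYkvfoWsUM/NW"
             "AUQ+wdjlZOpD0Ke77Sob6rQT0WToRF9lWkhx514Es9wGHNKTn5"
             "xrTY7pJeqxGiTNMsB3fsCFfjZZKabmhwDzKTP/0W6FFEJb")


def rc4_keystream(key: bytes):
    """Standard RC4: key scheduling (KSA) then the PRGA, one byte per next()."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def b64decode_lenient(text: str) -> bytes:
    """Strip whitespace and restore padding that proxies or log tools often drop."""
    text = "".join(text.split())
    return base64.b64decode(text + "=" * (-len(text) % 4))


def encode_report(key: bytes, record: bytes) -> str:
    """Bot side: RC4-encrypt, then base64 for the POST body."""
    return base64.b64encode(rc4(key, record)).decode("ascii")


def decode_report(key: bytes, post_body: str) -> bytes:
    """Gate side: base64-decode the POST body, then RC4-decrypt."""
    return rc4(key, b64decode_lenient(post_body))


def looks_decrypted(data: bytes) -> bool:
    """Cheap plausibility check: a wrong RC4 key yields pseudo-random bytes,
    the right one yields mostly printable ASCII for a text record."""
    return sum(32 <= b < 127 for b in data) / max(len(data), 1) > 0.9


def parse_record(data: bytes) -> dict:
    """Split an assumed 'k=v&k=v' record into a dict (format is an assumption)."""
    fields = {}
    for part in data.decode("utf-8", "replace").split("&"):
        k, _, v = part.partition("=")
        fields[k] = v
    return fields


if __name__ == "__main__":
    body = encode_report(EXAMPLE_KEY, EXAMPLE_RECORD)
    print("POST body:", body)
    print("decoded:  ", parse_record(decode_report(EXAMPLE_KEY, body)))
    print("wrong key looks decrypted?", looks_decrypted(decode_report(b"nope", body)))
```

With the real key recovered from the leaked sources, decode_report(key, POST_BLOB) gives the record behind the capture at the top of the post; looks_decrypted is the quick way to confirm a candidate key without eyeballing hex.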




After decoding and decrypting, a record is created in the aforementioned directory hxxp://vodrasit.su/admin/db/.

The following is a sample of the information stored for an infected victim:



What does this data represent?


This particular record includes the following:
  • OS: WINDOWS 7
  • Bits: 0 means OS is 32 BIT 
  • Country: SOUTH KOREA
We are continuing to track these malicious domains and IP addresses and advise blocking them.

- rubin

Friday, March 21, 2014

Scams Taking Advantage of Malaysia Airlines 370 Disappearance

I spent some time today looking for sites that are taking advantage of the disappearance of Malaysia Airlines flight 370 (MH370) to profit from the tragedy. Unsurprisingly, it was all too easy to find examples of this as it is almost a given that scammers will attempt to profit from any breaking news story, especially those where the public is desperate for the latest tidbit of news - regardless of where it may be coming from.

Advertising Scam

The first example is an advertising scam. The scam begins with the infection of a legitimate site, in this case debiworley[dot]com, a personal website for a photographer. A subdomain has been added to the site, which hosts different scams, all leveraging the same approach. In the case of the MH370 scam, an alleged video has been posted to alert[dot]debiworley[dot]com/news/?mh370. At that page you'll see the image shown below, which purports to show a Malaysian Airlines plane crashed in the jungle:


The page includes the fake video and comments formatted to look as though they come from Facebook. Despite appearances, everything on the page is a single image. Clicking anywhere on the video does not play it; instead, the following popup demands that the user share the video on Facebook before it will play.


If the user chooses to share the video, it does not ever play, but instead simply shares the scam with their Facebook friends. What the victim is promoting is a quickly hacked together site hosted at vinreox[dot]com, a simple website that acts as a front end for various YouTube videos and the owner profits from advertisements on the site.

Note: The owner of the infected website has been informed of the infection.

Pay-Per-Click Scam

This time around, the scam appears to be hosted at a site controlled by the attacker. There are various URLs on the domain that ultimately link to the same content, but one in particular (rentadp[dot]com/malaysia/) appears to be piggybacking on the MH370 disappearance. When visiting that URL, the victim is redirected to a completely fake Facebook page.



Once again, most of the page is nothing more than an image and the only links either refresh the page or prompt the user to share the scam on their real Facebook profile before they can view the video. It would appear that the scammers were a bit lazy this time as despite the URL referencing 'Malaysia', they've clearly used a picture of US Airways Flight 1549, which crash landed on the Hudson river in 2009.


Should users choose to share the scam, they will never see the video; instead they are redirected to a pay-per-click scam that requires yet another task. This time the victim must fill out one of three surveys before they can proceed. This is where the scammers make money: they are paid a few cents for every completed survey.


It is unfortunate that anyone would seek to profit from a tragedy, but this has now become the norm.

- Michael

Wednesday, March 12, 2014

LightsOut EK Targets Energy Sector

Late last year, the story broke that threat actors were targeting the energy sector with Remote Access Tools and intelligence-gathering malware. It would seem that the attackers responsible are back for more. This particular APT struck in late February, between 2/24 and 2/26. The attack began with the compromise of a third-party law firm with an energy law practice, Thirty Nine Essex Street LLP (www[.]39essex[.]com). The site is no longer compromised, but readers should still exercise caution when visiting it.

39essex.com shown as a referral URL to suspicious site.


The compromise redirects the victim to a second site, with the victim's browser user-agent passed along in the URL. This hands the attacker the fingerprinting data needed to serve the malicious package matching that browser. A user-agent string appearing inside a requested URL is therefore a useful indicator to hunt for in proxy and web-server logs, as it may signal an attack on your network.

At the time of research, the Java Class file was returning 404.

Several other locations show similar activity related to this threat. Malicious redirects from IP address 174[.]129[.]210[.]212 should also be treated as suspicious, as should some sites hosted under the domain aptguide[.]3dtour[.]com.

The URLquery and VirusTotal entries for this IP corroborate that it played a part in serving the LightsOut Exploit Kit.
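The indicators in this post (the compromised referrer, the redirect IP, the secondary domain, and a browser user-agent embedded in a URL) are straightforward to hunt for in proxy logs. As an added example (editor's code, not from the original post), the following Python parses a simplified, constructed proxy log format of the form `timestamp client "url" "referer" status` and reports every request that matches one of those indicators. The log lines, their paths and query strings are constructed for the example and do not reproduce real LightsOut URLs; the user-agent-in-URL pattern is an assumed heuristic, since the post does not give the exact format.

```python
import re
from urllib.parse import unquote, urlsplit

# Indicators named in the post (written undefanged so they match log data).
SUSPECT_REFERRERS = {"39essex.com", "www.39essex.com"}
SUSPECT_HOSTS = {"174.129.210.212", "aptguide.3dtour.com"}

# Assumed heuristic: fragments of a browser or Java user-agent inside a URL.
UA_IN_URL = re.compile(r"(Mozilla/\d|MSIE\s*\d|Trident/\d|Java/1\.\d)", re.I)

# Assumed log format: timestamp client "url" "referer" status
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<url>[^"]*)" "(?P<referer>[^"]*)" (?P<status>\d{3})$')

# Constructed sample log; paths and query strings are placeholders, not observed URLs.
SAMPLE_LOG = """\
2014-02-25T10:02:11Z 10.0.0.21 "http://www.39essex.com/" "-" 200
2014-02-25T10:02:13Z 10.0.0.21 "http://174.129.210.212/?Mozilla/4.0%20(compatible;%20MSIE%207.0;%20Windows%20NT%206.1)" "http://www.39essex.com/" 200
2014-02-25T10:02:15Z 10.0.0.21 "http://aptguide.3dtour.com/" "http://174.129.210.212/" 404
2014-02-25T10:05:00Z 10.0.0.44 "http://www.example.com/news" "http://www.google.com/" 200
"""


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def host_of(url: str) -> str:
    if url == "-":
        return ""
    return (urlsplit(url).hostname or "").lower()


def ua_embedded_in(url: str) -> bool:
    """True if a decoded user-agent fragment appears in the URL path or query."""
    parts = urlsplit(url)
    return bool(UA_IN_URL.search(unquote(parts.path + "?" + parts.query)))


def triage_log(lines) -> list:
    """Return (client, url, reasons) for every line that hits an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if host_of(rec["referer"]) in SUSPECT_REFERRERS:
            reasons.append("referred by compromised site 39essex.com")
        if host_of(rec["url"]) in SUSPECT_HOSTS:
            reasons.append("request to known LightsOut redirect host")
        if ua_embedded_in(rec["url"]):
            reasons.append("browser user-agent embedded in URL")
        if reasons:
            hits.append((rec["client"], rec["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in triage_log(SAMPLE_LOG.splitlines()):
        print(client, url, "->", "; ".join(reasons))
```

A visit to the compromised law-firm site on its own is not flagged (it is a legitimate site that was abused), but the redirect it referred, and the follow-on request to the secondary host, are. Tune the user-agent regex to the exploit-kit traffic you actually observe; the fragments above are a starting point, not a signature.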


LightsOut performs several diagnostic checks on the victim's machine to make sure that it can be exploited.  This includes checking the browser and plugin versions.

The deobfuscated JavaScript sheds some light on the iframe injection.

More JS Deobfuscation


Checking to see what version of Adobe is installed.

Checking to see if you are IE7.

Checking to see if Java is enabled in the browser.

Ultimately, a payload is delivered from the LightsOut Exploit Kit, which attempts to drop a malicious JAR file exploiting CVE-2013-2465. At the time of research, the binary was no longer available, which suggests that the attack window has closed for this particular watering hole. However, other security sources tell us that the site used in the attack is also a known HAVEX RAT CnC.

The recent activity of this threat originating from a site in the energy sector should serve as a warning to those in the targeted industry.  Prior research from other sources tells us that the threat actors involved are highly motivated and agile.  Their motive is to gather intelligence for further attacks, so be on your guard and monitor transaction logs for suspicious activity!