Sunday, May 27, 2018

MalHide: an interesting Malware sample

Today I'd like to share an interesting (at least to me) analysis on a given sample. I have called this sample MalHide but you will see "why" only at the end of my post :D. I believe this is a quite interesting Malware since it firstly implements several obfuscation stages by using different obfuscation techniques and secondly it implements a quite new attack path (not new per-se but new on opportunistic malware families) where the attacker doesn't want to steal informations and/or compromise a system for possession and/or destruction but the attacker uses the compromised system as eMail relay in order to hide the attacker networks. It is amazing to figure out that attackers are primary moving on fraud direction. For example, having a successful privilege access on the victim machine, the attacker might decide to performa several malicious actions, but among all the choices, he decides to spawn a SMTP relay to send anonymously fraud emails. Based on my past experience this is quite wired, isn't it ?!

Disclaimer: I'm not going into details on every steps since I'am not writing a tutorial but mostly I'd like to prove that threats are getting more and more complex on relative short time and that attack path is quite unique at least for my personal experience.

Everything started from an eMail attachment. "Nuovo Documento.doc" is its name and it is able to bypass every single AntiSpam and AntiMalware engine the target had. The following image shows the initial stage where the ".DOC" file seems to be benign but not compatible with the running Microsoft Word instance.

Sample as it looks like on opening. Stage 1

The sample presents some macro functions on it. Many junk functions have been injected on the VBA side in order to make life harder to reverse engineers, bu fortunately the great Microsoft VBA Editor included in the Microsoft Office suite implements an useful debugger. The analyst observes that the AutoOpen() function is preserved and filled by code. It took almost 3 seconds to figure out it was a malicious code. The following image shows the Microsoft VBA Editor debugging view where  is possible to appreciate the variable qZbTUw containing a PwerShell encoded code. Here we are ! The second stage is approaching to the victim.

Stage 2. A running instance of PowerShell invoked by VBA

The PowerShell code was Base64 Encoded and additionally obfuscated through "variable mess". This technique is quite common for  javascript devs since the code they develop runs on client side and obfuscating code is used technique to protect (sort of) the written code, but on the given scenario it looks like a simple implementation of FileLess Staging, where the attacker runs a powershell script directly from memory without saving it on HD, in such a way the victim does not need to enable the "running powershell from file" Microsoft register key and it's much harder from AntiVirus detect the infection stage. Then the script  fires it on following the infection. Powershell ISE helps us to reverse the dropped payload. The following images show the decoding process: from the single line of obfuscated code to dropping URLs. I know, it's almost impossible to see the images since they looks like small, but please click on them to make a bigger view,  if you wish.

Stage 3. Decoding Powershell Drop-and-Execute


Stage 3. Decoded Powershell Drop-and-Execute
The analyst is now able to identify the dropping websites and block them (please refer to IoC section) ! The executed actions are quite standard. From an array of dropping website lets cycle over them and take the one who drops ! The cycling policy could differ from sample to sample since they could use a pseudo-random seed generator or adopting an increment rotation or a round robin rotation and son. For this analysis is not interesting cycling policy at all since we decoded all the possible dropping files. The Powershell command gets the 52887.exe from external source (dropping websites) and places it on C:\Users\Public\52887.exe. Finally it runs it. The Stage 4 is began, a new PE sample has been executed. The following image shows the Stage 4 dropping another stage into C:\Windows\SysWOW64\fonduewwa.exe. Fortunately this stage drops the code from itself without getting on network side. The fonduewwa.exe is then executed.

Stage 4. 52887.exe dropping to C:\Windows\SysWOW64\fonduewwa.exe

The new stage (Stage 4) performs the following steps:

1) It fires up services which acts as SMTP client.
2) Connects to a Command and Control which provides emails addresses, SMTP relays, and eMails body to be sent.
3) Sends eMail to exploit BeC communications.

The following images show the Command and Control address. The first image shows the used Windows API while the second one addresses the opened connections directly on the infected machine.

Command and Control IP Address (click to make it bigger)

Command and Control DNS resolution (click to make it bigger)


The Command and Control (c2) listens to: c-67-176-238-209.hsd1.il.comcast.net which today resolves in: 67.176.238.209. The C2 seems to answers to http queries having a specific set of cookies as the following image shows. The C2 crafted and rebuilt communication, made possible by reconstructing cookies from sniffed internal communications, gets back from C2 a kB of encoded data.

Command and Control Communication through HTTP

From C2 comes actions, victims addresses, SMTP servers and passwords. The sample connects to a given SMTP relays, it authenticate itself and sends email to the victims. The following images proves that the attackers have plenty credentials to SMTP relays around the globe.

Connection to real SMTP releys

As now I will not disclose Username e Password for getting access to SMTP relays, but if you can prove to be the owner (or at least to be working for the company owning) of one of them let's have a chat on that, many interesting things are happening into your network. The emails sent from the analysed sample are targeting specific victims. It was pretty easy to figure out that we were facing a new attack vector! This attack vector looks like a BeC (or CEO Scam) to specific targets. For those of you not familiar with this attack I am copying the definition provided by SANS (here).
"Cyber criminals have developed a new attack called CEO Fraud, also known as Business Email Compromise (BEC). In these attacks, a cyber criminal pretends to be a CEO or other senior executive from your organization. The criminals send an email to staff members like yourself that try to trick you into doing something you should not do. These types of attacks are extremely effective because the cyber criminals do their research. They search your organization’s website for information, such as where it is located, who your executives are, and other organizations you work with. The cyber criminals then learn everything they can about your coworkers on sites like LinkedIn, Facebook, or Twitter. Once they know your organization’s structure, they begin to research and target specific employees. They pick their targets based on their specific goals. If the cyber criminals are looking for money, they may target staff in the accounts payable department. If they are looking for tax information, they may target human resources. If they want access to database servers, they could target someone in IT.Once they determine what they want and whom they will target, they begin crafting their attack. Most often, they use spear phishing. Phishing is when an attacker sends an email to millions of people with the goal of tricking them into doing something, for example, opening an infected attachment or visiting a malicious website. Spear phishing is similar to phishing; however, instead of sending a generic email to millions of people, they send a custom email targeting a very  small, select number of people. These spear phishing emails are extremely realistic looking and hard to detect. They often appear to come from someone you know or work with, such as a fellow employee or perhaps even your boss. The emails may use the same jargon your coworkers use; they may use your organization’s logo or even the official signature of an executive. These emails often create a tremendous sense of urgency, demanding you take immediate action and not tell anyone."

Following few examples of the sent emails coming from C2 and delivering through the analysed sample.


Here we are, another email has been sent, another Malware have been thought and developed, another analysis I've been made but this time it looks like the "Malware economy" is seriously moving to fraud, there is much money respect to information stealing which is an ancient and romantic way to attack victims. Is this attack a significative example expressing the will of the new underground economy ? Is this attack a small and silent change of paradigm, where previously the attacker was interested to your data in order to sell them but now he gets more interested on fraud third parties (such as companies) through you ? I do not have such answer here.

Ok, now it's time to explain why I called this Malware MalHide. Well it's a complex Malware, it hides itself several times BUT most important it has been developed to hide the attacker from sending emails in a way that is not possible to trace back the Attacker IP from the attack path. So I believe MalHide would be a nice name :D

IoCs:

Samples:

  • 2f1f03b4afde643b2ed798e62f4718b0a285b8a8
  • e6b1a4b09613f1729782f1b2c04a30ad5ff30200
  • da39a3ee5e6b4b0d3255bfef95601890afd80709
Dropping URLs:
  • http://oddbods.co.uk/D6yd9x/
  • http://136.243.206.64
  • http://166.63.0.27
  •  http://136.243.206.64
  • http://promoclass.it/ACCOUNT/Invoice-161021407-Invoice-date-052518-Order-no=-06146166318/
Local Path:
  • C:\Windows\SysWOW64\fonduewwa.exe
  • C:\Users\Public\52887.exe
C2:
  • 67.176.238.209
  • c-67-176-238-209.hsd1.il.comcast.net
SMTP (contacted to send eMails, those are not malicious per-se !):
  • 186.1.11.125 (smtp.echamorro.com.ni)
  • 192.243.105.21 (mail.mcmillins.com)
  • 209.91.128.17 (mail.maslack.com)
  • 64.8.70.103 (mail.tds.net)
  • 208.80.38.254 (pop.spiderhost.com)
  • 193.252.22.84 (smtp.orange.fr)
  • 199.103.57.167 (mail.mytravelclinic.com)
  • 149.115.16.7 (mail.transamericanengineers.com)
  • 68.99.120.8 (mail.coxmail.com)
  • 74.125.71.108 (smtp.gmail.com)
  • 76.12.209.196 (mail.gachivvis.com)
  • 107.14.166.78 (pop.biz.rr.com)
  • 64.39.128.67 (mail.syrupcity.net)
  • 107.180.3.218 (mail.rutledge-associates.com)
  • 165.212.120.200 (exchange.postoffice.net)
  • 64.35.208.130 (smtp.atcnet.net)
  • 207.204.50.27 (mail.cabstore.biz)
  • 216.52.72.118 (smtp.zoho.com)
  • 209.237.135.167 (mail.astarabatement.com)
  • 107.14.166.72 (smtp.twcny.rr.com)
  • 74.208.5.2 (smtp.1and1.com)
  • 209.123.49.115 (ssl.datamotion.com)
  • 208.92.193.92 (mail.hdap.ca)
  • 68.178.213.37 (smtp.secureserver.net)
  • 72.167.238.29 (smtp.secureserver.net)
  • 66.226.70.67 (pop.doubleolaser.com)
  • 205.178.146.249 (mail.boersmatravel.com)
  • 173.201.192.229 (smtpout.secureserver.net)
  • 64.59.128.135 (mail.shaw.ca)
  • 69.156.240.33 (mail.bestelectric.ca)
  • 38.123.104.66 (smtp.263.net)
  • 184.106.54.11 (smtp.emailsrvr.com)
  • 184.106.54.10 (secure.emailsrvr.com)
  • 209.237.135.166 (webmail5.myregisteredsite.com)
  • 74.125.133.16 (pop.googlemail.com)
  • 68.178.252.229 (smtpout.secureserver.net)
  • 64.20.48.173 (mail.expertforccna.com)
  • 72.47.216.15 (smtp.newalbanyelitedental.com)
  • 66.102.1.109 (pop.gmail.com)
  • 205.207.122.80 (mail.connection.ca)
  • 182.50.145.3 (smtpout.asia.secureserver.net)
  • 74.125.133.109 (imap.gmail.com)
  • 74.6.141.48 (smtp.att.yahoo.com)
  • 193.252.22.86 (smtp.orange.fr)
  • 68.178.252.101 (smtpout.secureserver.net)
  • 69.4.62.69 (pop.kerrcad.org)
  • 69.168.106.36 (smtp.windstream.net)
  • 188.125.73.26 (smtp.mail.yahoo.com)
  • 65.254.254.53 (mail.fatcow.com)
  • 65.254.254.52 (mail.fatcow.com)
  • 69.49.123.241 (mail.salzburginteriors.com)
  • 207.29.219.108 (mail.bayou.com)
  • 198.57.169.26 (bst-hosting.com)
  • 207.223.121.25 (mail.cloudopscenter.com)
  • 207.204.50.18 (mail.reliusmed.com)
  • 208.180.150.85 (mail.lrgriffin.com)
  • 217.15.86.61 (mail.roche-bobois.com)
  • 204.8.72.128 (mail.gdins.org)
  • 66.96.160.206 (pop.seriousfunnyc.org)
  • 66.175.58.40 (mail.mhpwq.org)
  • 207.204.50.11 (mail.prestonequipment.com)
  • 208.89.138.22 (m.ivenue.com)
  • 205.178.146.235 (mail.holstongases.com)
  • 68.15.34.125 (mail.jancompanies.com)
  • 212.82.101.35 (smtp.verizon.net)
  • 192.185.4.163 (gator4151.hostgator.com)
  • 137.118.58.15 (pop.totelcsi.com)
  • 207.69.189.23 (smtp.ix.netcom.com)
  • 68.87.20.6 (smtp.comcast.net)
  • 65.254.250.110 (smtp.franklintonnc.us)
  • 66.118.64.100 (smtp.citynet.net)
  • 173.203.187.10 (pop.emailsrvr.com)
  • 173.15.144.57 (mail.pembertonpolice.com)
  • 173.203.187.14 (mail.sbctransportation.com)
  • 72.52.250.187 (www11.qth.com)
  • 68.178.213.203 (smtp.secureserver.net)
  • 64.78.61.107 (mail16.intermedia.net)
  • 165.212.11.125 (smtp.postoffice.net)
  • 72.35.23.61 (pop.callta.com)
  • 206.188.198.65 (mail.bayoubendtx.com)
  • 65.254.250.100 (pop.powweb.com)
  • 64.29.151.235 (mail.arizoncompanies.com)
Used eMails (sender):
  • helene.valeze@wanadoo.fr
  • mehdi.audam@wanadoo.fr
  • dominique.derbord@wanadoo.fr