StegBaus: Because Sometimes XOR Just Isn’t Enough

Posted on by Brandon Young

This past week, our team has identified a group of malware samples that matched behavioral heuristics for multiple known malware families.  These samples all displayed their typical respective malware characteristics and contacted known command and control (C2) servers from those families. However, initial static analysis revealed that all of these samples appear to be identical on the surface, leading us to believe that we had discovered a new loader.  The malware families identified at this time are DarkComet, LuminosityLink RAT, Pony, ImmenentMonitor, and some multiple variations of shellcode.  We are calling the malicious loader StegBaus based on its use of custom steganography and a PDB string, which was found in an embedded DLL.

Because of the large number of infections that the aforementioned malware families have previously been involved in, any new loading techniques that could make it easier for an attacker to execute these malware families on a victim computer should be taken seriously and an attempt at identifying it pre-infection should be treated as a high-priority.

This loader is unique in numerous ways, most notably the steganography that is being used to hide the loader configuration, as well as the final payload.  These features will be discussed in the analysis section below.  The loader also uses common techniques, such as the RunPE method, to load final payload into memory as a new process.  This method has been seen in the wild for a number of years and typically involves utilizing a host process, threading contexts, and memory allocation.  Although these steps appear to be relatively static within the loader, there are slight differences we were able to identify based on the time of deployment.  One such case is a sample that appears to have been used for testing at least 6 months before the majority of samples were seen in the wild.

UPDATE: The domains tags[.]bkrtx[.]com and sg[.]symcb[.]com were erroneously included in the list of domains below. On February 20, 2017, this blog post was updated to remove those domains from that list.

Distribution

The .NET executables with a code-base similar to the StegBaus loader were originally seen being tested in mid-2016 with much less obfuscation and the addition of testing phrases and strings.  While hunting for related samples with the same characteristics, we were able to identify similar features in the KazyLoader .NET packer.  KazyLoader provides a means for data hiding in BMP files and similar encryption schemes as well, and although these similarities exist, the increased sophistication in StegBaus and the limited visibility into the KazyLoader code-base makes linking these two families together very difficult.

The first known instance of StegBaus that Palo Alto Networks was able to identify was seen on December 30, 2016, with numerous samples being encountered since then.  It should be noted that the malware families being distributed by StegBaus are all commodity malware and many of them have had their source-code leaked online in the past.  This fact makes it difficult to determine if the author of StegBaus is generating his/her own custom samples, reusing samples found in the wild, or has a connection to the groups that use these malware families for criminal activities.

The most common filenames used to deliver StegBuas in the wild are:

  • image44.scr
  • barbiure.exe
  • image56.scr
  • image.scr
  • corben.exe
  • picture.scr
  • Netsparker.exe

The most common HTTP connection information is as follows:

  • Kimki[.]ru , POST , /chamber/panelnew/gate.php
  • kimki[.]ru, POST, /nelson/panelnew/gate.php
  • kimki[.]ru , POST , /emeka/panelnew/gate.php
  • oxylala[.]gdn , POST , /emeka/panelnew/gate.php
  • oxylala[.]gdn , POST , /charly/panelnew/gate.php
  • oxylala[.]gdn , POST , /asaba/panelnew/gate.php
  • oxylala[.]gdn , POST , /victor/panelnew/gate.php
  • oxylala[.]gdn , POST , /mandela/panelnew/gate.php
  • oxylala[.]gdn , POST , /asaba/panelnew/gate.php
  • minecon[.]co, POST, /Panel/gate.php
  • informer.pe[.]hu , POST , /Server/

The most common DNS queries are the following:

  • custom[.]generatione[.]tech
  • goodluckjayjay[.]duckdns[.]org
  • slyopeznetwr[.]ddns[.]net
  • 11live[.]zapto[.]org
  • goodluckyugo[.]duckdns[.]org
  • akudon[.]chickenkiller[.]com
  • informer[.]pe[.]hu
  • files[.]catbox[.]moe
  • minecon[.]co
  • kimki[.]ru
  • oxylala[.]gdn

Analysis

StegBaus is originally distributed in a .NET-compiled executable that uses Confuser v1.9.0.0 obfuscation.  Initial static analysis of the sample reveals multiple portable network graphics (PNG) image files that are embedded as .NET resources.  These can be seen in the figure below.

fig1

Figure 1 PNG resource files

Upon execution, StegBaus loads a new DLL into its memory space and execution is transferred to the DLL’s main function, which in later samples has been renamed to a singular letter (A, K, or Q).  This DLL is completely deobfuscated and its internal name was found to be A.dll in each variation that we analyzed.  The functions contain no obfuscation and can be clearly read, as shown in Figure 2.

fig2

Figure 2 Function list

As can be seen from the function list above, StegBaus contains a number of functions that appear to do relatively simple things.  After analysis of these functions, it is clear that the functions actually do exactly what their names suggest.  Full anlaysis of each of these functions will not be provided, but some of the most interesting ones will be discussed throughout the explanation of the data hiding techniques.

After analyzing the original, heavily obfuscated, executable and finding the embedded resources, we chose to investigate this DLL for any resources as well.  It turns out that the author used this resource section to embed numerous blobs of base64-encoded data as seen below in Figure 3.

fig3

Figure 3 Embedded base64-encoding

The resources seen in Figure 3 both contain base64-encoded data, which each decode into a separate DLL. These DLLs are named img2data.dll and CreateShortct.dll respectively.  The CreateShortct.dll file is used to locate the current users Startup folder and creates a shortcut to the original executable using a random 8 character name.  The img2data.dll, however, is a little more interesting and will be discussed in the Data Hiding section.

The CreateShortct.dll contains the following PDB string that was used in naming the malware:

Data Hiding

The img2data.dll file contains custom functionality to convert images into a data stream by using numerous libraries included in the .NET Framework.  The actual code for the function can be seen below:

fig4

Figure 4 ImagesToData function

The reimplementation of this code is provided here and can be compiled as C# in Visual Studio by adding a library reference to System.Drawing.  The provided decoder will take a directory name that contains all of the PNG resource files with their original names and provide a binary output file that can be used to continue analysis.

The img2data.dll is utilized by the ConvertImagesToData function in A.dll.  This function simply loads the DLL into memory via .NET module loading techniques and creates a buffer for data storage.  Essentially, the img2data.dll will locate the resources in the original executable and read all of the raw bytes into a memory stream before being manipulated.  After this data has been converted into a usable data stream and stored in the global buffer, it is then decrypted multiple times, as discussed below.

Encryption

Although data hiding with steganography is unusual, it is an extremely effective means of concealing information, the malware authors found it necessary to also use AES encryption.  Specifically, the RinjndaelManaged function that belongs to System.Security.Cryptography is used to decrypt data using AES-128.

While debugging the malware and stepping through the crypto routines, we can easily identify the initial password that is used to generate the key and initialization vector (IV) for the AES routine.  The password is gathered by identifying the timestamp from the STARTUP_INFORMATION structure of the original executable and this value is then run through a sequence of arithmetic operations. This information is then used to create a new GUID, which in turn is truncated to 8 characters, and then used as the password.  The password for the sample analyzed is “d1ee1095”, which is easily identifiable during debugging and execution.  This value is then run through the Password-Based Key Derivation Function 2 (PBKDF2) and we can hex-encode this result for both a 32-byte and 16-byte value.  The return value for the 32-byte value is the key and the 16-byte value is the IV.

Once the key and iv are produced, the decryption proceeds by using AES with CBC.  The following script can be used to decrypt the data once the password has been identified:

After decrypting the data, the results are not as we expected…there is no human readable data.  This leads us to further debugging to identify any other techniques being used.  In this case, the authors decided that using steganography and AES encryption wasn’t enough they had to encrypt the data twice using the same AES implementation.  Using the same script as above and the decimal representation of the previously returned timestamp, “1484648550”, we are able to determine the key and IV for the second iteration of decryption.  This time we are provided with what appears to be a human readable configuration file, which contains the following data:

  • Emulation
  • Install
  • Notify
  • Options.Compress
  • Options.CheckVM
  • Options.CheckSandbox
  • Options.DelayTime
  • Options.MonitorPackage
  • Options.MonitorRegistry
  • Options.MonitorSelf
  • Options.HostIndex
  • Options.UACBypass
  • Files.Main
  • Files.Count

Finally, after the aforementioned decryption is finished, the StegBaus configuration options become visible as we see in the figure below.  These options dictate which additional functions are going to be called in A.dll.  As shown before, there are a number of additional functions, but they are not used unless the configuration has the options enabled.  Along with the configuration options, the decrypted data also contains the final payload and is represented in two different forms in the samples we analyzed.

fig5

Figure 5 Decrypted data forms (plaintext vs. zlib)

As seen in the figure above, the two different data representations in the decrypted data buffer are plaintext and a zlib-compressed data blob.  In some of the first samples identified, the decryption stage mentioned above is actually the final stage of data hiding and this executable is then loaded into memory via the RunPE method.  The newest samples analyzed utilize zlib compression to further hide the final payload within the decrypted data buffer.  The decompression is completed in the Decompress function, which can be seen in Figure 2 as part of A.dll.  When the final payload is decompressed, it is loaded into memory as a new process via the RunPE method as well.

Conclusion

The StegBaus loader that was identified contains many advanced data hiding techniques and has been seen delivering numerous different commodity malware families.

Currently, the loader itself is being identified as malware by WildFire and can be seen in Autofocus as well.  Palo Alto Networks is detecting this malicious loader via behavioral identifiers and is also identifying the malware families being delivered by these measures.

I would like to thank threat analyst Brandon Levene for bringing this unique malware family to my attention.  The characteristics identified within the analyzed samples led to the discovery of more than 250 samples utilizing the StegBaus loader, all of which were identified as malware in WildFire.

Appendix

SHA256 Hashes

1678e719a18eabf552cd54f763f401959fccb47fa3ef035c1f5b49c440dc0ddd
4233a707e1772c6399776dd563dfb315b59cd2bd685bc78802958065a871817a
440e31eac26692e8cdfc357f2b66fb371a4d3601961cae3082a2d3f3855d4a0c
2f43238efb23e00c8413cc4c203bfd29b17e846dedd613c86d9edc8b20dc2600
a5a8addaec02c0a7849adbf6125e6d41315b3c6e40deb31ec605aa083f5dcd56
f70bf0d2f14da3f677986c90b68c576aa5f9bd543a585b8b3072524ae0560272
5a56042607f463ff286a16537c6ae8ffe78d3c2258674dc095d4818ce9552198
c33b2d07872354cc87206b886143bb3e250fc49a260a67276564b258cb67c290
b97c36f7d7118ab964ac7e7337dd3de0ab86cb286e724f3787b358aef5f2a5f1
4dc9edcce2e78405c9301057a39b6a5e7fdca60b6f11b35e4467312d459dce14
658d455f574cbf59c4398fdaf68a9d93a250e85812ed7557b9a5d589440d11b5
8ef803d8e1f2d6221bc1d562b6ee6b1f6886baa0a46a0758677f423eaf4b4e72
f482c2201e13573e6dc93cab302683f7e8fa677673a14ba9f0cc7199feb94b85
773a8cd7becf55e4a8fb56896253d1408def916a405252439fb5e4d541b5bffb
a2e36d4102b6be41cbeb16a8627b913f19c0cabb9c828359ecb41d50122a6df2
64aafb17ca136e56678c7321313894fa0b2331d42b16054be5a3d57c8fd3a312
6b0edf8e9dce9f137aa92fc7cd25f8148c1efcd0a418dc35035d025510b18cba
9cd0af91e0cbe55db3b2a444941378802879a78db6484d4449ceca1f3b6862c5
10888258eb6136ae1cc7ad6e3dd9ec8ada384365c71932c15273e0027577bdc4
a9dc85927b32af2a40cbce1866a76cd67d7b329fc775ad09bfbe5cb6ea463c65
2b631fa0cfabfb9d96460ac800219b324c69a7f7e54f84ec37a378e0bad54992
e43b1e25e4a4d19babed4b25a9a2547efb6843eb128d5e50ef80a871a8a7ed0d
d43814e12d945f21076748ff1695dbb977854db2ff0b44b32c59dd1ecbb120e0
4be05fd94f7c7f42a2f711184d1b67eaebbdbb3c77b9ff626c1f41c39cf0974f
7f1ba131992a21c1c9e7c300fe4a0e58b1554f27ab8b9a804f802c9f92ab411d
950078b915e0ab5c9238d0ecaf6b0b6392ae8c74f8a731a3bfc02015ecbf06df
dff0de34c5579339210709bd0f1ed9050a67d14233f7098ad76e302fabb047f2
a0ed357c96b0f17a3f45bd9926c381dab2d86bbb0dc7915f4294d24fbbd90694
0f5c982ba2789fc5dc45f1bcc8b97a8338026e8e6a4a897c7a9598f7c822198f
cd193bf66b4a0859524e3c87cbd677986270916fd520de6a90776e375f22def8
3fa229f1a014f04975f6f25aa81a657daeb583e22bd7a5ace47d63ec392cc7f4
269e74ef268dd0c5537b7154538bfba3cc23b3e0a8338a920f44f3f16d5e141d
04ca2140616cb9ff7d417ddc1924f2812d03b0b67dc197cd26d0b69981c9f55e
e8aedfd0addbb2ba395c23f39a17b962e5861dd1df020e8f134a19042ef38552
3ef998f62f696bc1677f78f3a356d95f9c56ca71e58759c5830c3c6f64e0f1ef
67ad00d6ca060b6c6ad7263b32aa105bceac3c3bd78db45021b8df6d10e0c996
0a9ecc4953983197d0369ae6ee383c4da3ed26a1b557ae0214b3d834a219083f
669e80679707bd00bf48994cf9d4fee5b58f6b87534cf7da5aefe71c0bee3d34
72c8b6c8219d7ae1b99165428c77855e8e4001d2217e369f156192e8c0afc276
ee4704cbe11ff52e6a4e33100dce375e0098d09919402246390706d0b4e4a19a
17530ed17699da87a3f4e64af69a78bfa525d80b1c1e5b0c61b48282c231b32e
7a457ced31004aeccbbdc169b66a02a55a38bd1934c0ed54d97a69980945f487
2c821b1aadd0b0606a480d66790700bf77229aeb9a540fdc989667a61c38be05
97ac4c6f670374b849fdbdf43a2f1cbd1807fc0b419073e757c0ec429da51182
b6ddcd352d4345186b9537f12cc82c9aa85697e681858c8b686b18c3b9f66b56
c4c5fdc968d350ad7646a988e768bf275a2484296042590378288e5b955942be
380a1a709b01c3f3b7f0198e9a06faa6918c6d14dc52f7f75a5384f71ade30a6
920287016bf31fab721b67c4be8c181655701f56a6f54c0e52dcba58b5922f50
17fb1bdebf607fd0db97785f4c5fecf6625d528cbae5f0535dd575294ec63a15
67597bc132585a083f946a8853004a5cca9a215f15122b2969f0e3f27af06974
b782000fbb86bd69a8f67d4fe58526e1e2cb0ac6f92ecb52ca3ff8ad754eadc3
784e60507721c12f9d7cb20edd8d874a5ac29cbb6eec33629b16e49e0a564f51
2d11f5fafb07a3e1b311572c4ccce87a4a6615d8912929857d8ac07a632e1719
6d2c31e412f07246975eab4a15a8ad7829966efc8f638b25c64e504accaa7b93
db81b258a9eff00a892a8cec7409983d84ea04baa0fdc1fe9589ebf3f8636704
f9c54e8dffff277aea04447cfaf18e0255c27b4e5fc9606389c133795379f52c
20f83cdd0f35ff5d0d39241893370801a8206eb22cb85f34e3749ae8edaf778a
6f51b8555fb5f959dcbac46aca02106f1affdacba29988682b69eb5a6c9ce973
b6d06b8d03dbafbabf59b2b96b6d66fd0f754034770e80c9aee312a7270b30c3
241180a7c31bfeaec07210e348cbf860c87adc2340c6bd25cf41f82fbd6cd994
0da8134694f67efcf5ca82d638f48734b09a53d52b791abfcae29521989ecc28
d8890b413e9708ac7fce71f076cac0c96302d3af27edea66c36ea072bf14e1a2
23c0d83e04199229a0b0f98d1767cce992a9aa847f957d8d0a5bb045f92315d2
b789a5df1f5ebe997870323ad3802f691c83e19bc8a22bca82edccce17f5b57c
62f23d89d1876eef9d109392b4637450a2f87b7ccb02d7433a1dbcd4c1edf946
dc5d64bf089add373a24abc24a9185d93cf29edee7907ba3460712945b4d28dd
55ca978a8831c4a483c4dc88637edac5dfe050ebbd6f2e0d5e8c16669dc60a2b
c805f6fcc78ebcbb3170580626ea8616f4e06b9d4936e2fb6aae79a4410f1e0d
18bf92b767562e63326cf142481bc0c33a8650c80f20d611feb7a3de82de51a4
8c91edcc3541869bab5a2466fa0a8c075f9acac3badc8534c221a019ffe3ad7a
aae8a273f9bae5bf187ce9b3ba3ad945386bb38286ebcba38b7ccc1e8ad00c18
4f8d5b7c4e5cd429b1a27bf8b8c67ca6b7dcecf728b9362836633b5f46ecbf22
675e79744c4fffded353b45271638cc5cedeeb745597547f5ea029d14909772c
eae0fc7c52b8b5d9919129fdeeb5f59908d41873583a8f4169dfdb156afac5e6
59a46a335f8750210eada0aca256fab1d5cbec5c5f8563acdae58ba04ed4e0ce
639b095a360b75903d6fe72a0bb20efc0f15ed8ddafa92bcf16c3520f53990b9
b9c54dc17605268687f4ed80d2e52d888754d6d28dcaf62e6702b1711e5323ba
65e3121018d6bd04e28dd56e4dae9b11537a47368288ba8dd049be7642dd5460
009d1be4c0a33202ba87e12ac83f584560f19c7bbc1eccfe5a16636055f896b9
7a87a72e31e05662bbe20f3c38e4dec0ec798cd474564f1889240be80c970038
4cd730d8ed2a4d5b0f09707da83ee832187e6c13e243fdda777962cbb5830df8
bebdc8401979bd414a19a94dd599f2c5971f184f825350ca3647eb22c8e5c341
4f5c2e75bd0d4751a80770877f4f669e214b3b3047f9f9b623bacd2301e924a4
8e38d194a3aee0534afaf0297751d7e22e50477a1b0b265fb80763db58423a7d
e67806d0be3d3b44d3128691c08acbc5e19f8b4d07fc107327c4df013a2af57c
31aedd2a097552a9cbe8cd982e5bb5835d62c331f50663d1376c09566cc9f600
5a75141e0f3c941f36195ed0c59962c1bfc1d169167df6a398f3db097e497873
cafa05a6910d5d2e810837fae1af4d2f6b8fb665b2f4d60ae6a2c83c38560798
ad5795f71bb5935f5b13cebf2a09a066c14e919e9c2d92b52b4e91b4ea1e528d
27f7724ccffdb639199f48b1074d2961abb54cbd40afb1c14cdd9e9b85cc9bdf
e9408418e2f6f80b02372301b0f576a953d6b207a95727f4d6201ae3385a29bd
2d9be2fd8a918e7b651271f74f33d739f659cc5bf20bb96f55aabd71297427ba
14f284d7354499fd9a73d5725e74da849422d9f1cc823cbdb128146853bb385a
a6493a668482aaea9201522a8571ef4edd4c635c45be38d49c2d53043d16d3d4
62b7e5c327522e113d61665c513a5af78fb63269bb58df942f2a43f97168b7cf
29860b49473c93b9c1e57cfb96f1374605a49f9434f2479aaafb61e82afbcf57
de4f8b7a945a46d4fe73003a1e610414dbf5c3f167ad38077b7c531fd9d10fb2
203c70380046fbde35be55b58f06d3ef87fbc81f50f6401baf608aa2ee0db07d
f5e814538cc1dedb24af16e8a151c753fa68b09e3e9285692cd436fe8dbc6c0f
8c24a7af9c071c9a39d9dfe3f7b7bf31d715a52d3336129f15fa2b8e14c06137
b0f6656abadeb6505c6ff3eb92ad23f61806c31502676774c36813774b673f49
c70f80d7d7f2e992b427c198b578b3fd907848ee07611f2f1bc3b90986dd2b7d
e2a572fdf9b8b7a76509037c100d53c5895797f87d1be609377f4d2986649df1
fcd166f89653f3084685c9e85e4950aa22b24287b4fe9a12c5c35ea80dabfcab
d2ee9df1a46e752c77a828151105f8326617bbce7f100eec5caa1a98f0dd604d
a52149e5fa5ea0acf12b426c0efe4feec1c54d85071fd3dc8eea2e0eb18086ab
a7cf7a4381740369e87692315dbe1f3f74ee96a5bced002c03f0d14335e87268
9a385073ccd80f962a710fcc686b6e8fd2af39ee6b3d2404711e159ed6709ad3
b3063cadbc6dcbfa7e7b84e1785ce083566db1db453ce6d9dd5b03251c946b75
351e6001e8df4e0f0ffbb8875064da7cb4c00a46c7e78e5e5a329c301326cb19
0ee2ce7ccb2456ae34dec2422ce417b1ac212b00b02411cf14621fa1402356dd
522f6e19972574a0c33d1c2950c27b4d0a8950333643d0d026971b9b303faa3b
d4b39c83c3e343b8d4a889e346492e40dae52417088f191c06a8755d985a4c57
fcaf94a7b8350a467e486a992e69060e088c00614a0f5a4f5641fcd39bb79e9a
b5fc369daf027150ed929b4f3937e955160b7e329b6fcb8ddb4e3a8133024128
4f728cb4446b9afda12090edf32963b750d621050038000548171cc004c5a749
b4497e296fd82f24ecdbfda1c562e5f35ec8fbd9d505a764c44e0a9025b321f5
0f84fd9cbc611c42bd22ddaabb3787eda0699e9de42835fed483c92b47f84d2c
edd01dd32b53fa6c218a93dc192ace1e6a68b0b6ddc51371b0c70cb2ad41c897
41773222c470e282a914a2ced7b396a278d74f04721d45281b570ce4d218c87e
9e42f49eb246b6441d68299cd93e7ca3670084a21c277c09f46b8585dedda4a5
018dd2616adb9d2019c3bfe9d57f2c6665dc29dc891df55e0f55a28004419440
2e1713ea9af114c9b96df64719094fa9f039334ee7adc84998510a5b41637574
6b6caf9025252a01c0e7b39fce91e7080b6702c4c37e90238569dedd3a1c9812
b982c7ccbd44b5966435677cf192b32288856809f64756dd0310e407b30b233f
5c3f5b20b9cc11e2a2e4490f1bad87038604160b6af963dd7d8a15bcbba8bde2
e8d8883c83b157f9d63725fe47eb37adfc1bf2d930c051d79f46882a1e48ddde
51d1a97beaa356625f1f08968d53c5bdb038d2f5ba2c2f3e4708b31a0324cc79
90d6b756d1e96f2ee6f155cdc1fb9c446bae49bccb647465ed939cdb0c2a529e
8066e1c172af6e66dfa291bd8b3adb82dbadf973f2979e5ec9c49af3e1fc19ad
87f9117daa3177726633374a72701243d30b472016031fb32422012ae665fc42
c4470c8510e3e26b34650be4b4e8e8b22f3d41a6a2eabf2b2100a8f8be3cd06e
18dd3231fbbfb2e97195cf04b29a05a3d6c540a78ee9830388b50e31e877c682
d48682110e84327dbe367e533f33f339577c8a8988290e4fb3a5fc5a4ffe18e7
62bdf2b515f9ee512b85eccbbd0676e4e772994870c513e4afb6a550dbe85b96
115f70d230b097b1a3136394b4075594aacd5a1f225ba237cd5707adbe28a862
8d7a4fd6f9bedcedd9b7722703132295e56fa9b36e76e5f41b633708e011f3d7
f219a70c67907160a375718aca0ddd141a5a0d36b2c5a77e2a5b88ee4940a9c7
d12457bc48670045141423bd344745f93119948a1bbaf212dbdafb3c2f1b4250
04c25d5af8ebe51308d78d8787240c7d4057b7d26b755196892bd0b19a6a0387
b259ea6a57a02f15e05b07d18ff278a3db52e2fcc78bd0b0ed3f790d051b4740
05bf4501e024484235d8fe783e02069586547f05aaf22500a4ce887f0b97e77c
037bd77ad772e41d74c7bc15e89af0095a9792680950edfccb6e06c97a521e2e
c24a470f25ce17f9e2657b2fecfd650afb03e17e18acabd7f60f9456bfcf7781
bee5d3c44a17abd07157e195d0ee0480cc7e47232f3edbc6f333b0b03418de0a
8e2fa7dde4fe36b949508d51ffcc7b4e99495ffc93ab4728a18ced93ce04450b
f0d3981462a3f293fb0029d8db1da2a8151bec7fabf7d515d303d77d4ee60c99
3174d2ede7e0385f25b5b10b395c12c3c640dfd84e18efed2a76c9325e053c20
afb4dd18d0b858e073741b2c329994960aabcf0058bda3255c6aec626c81bff2
bf8b00eda1f6b5152ae09acfb98026ce2acbd0b28c42aa0968ee2b98348ca9ba
8f79bff125b98c5865c23e8ec907672e14f93744189f1b4ffe816805072a4281
649b46f0c7c55e3c04feee6c155cad11856cb51676a14d6466810b3c3b3c5929
223b4732a0d8d51c7286b06fbddba76b3dbe85731870c7480b054267a427882c
bf3d9397916eaa3330d71a201bc7babc63a9bc959c55445425e0074129e086ec
075c7fdce6c1c75c8862819c4ce67f28fa5e136b7fce8ca581aaa0fa722cd6ad
7a54fe769e7e761bc48a6cc6aa0454a46934514d3f14b899f2a369037d9e8868
88389b0f935a993515a45555ec4d93672402dff10abedf44b8fc51b173e65869
50349613c6fbac2b344f5b7753a165620be112a674763153a6de497df43589af
e6c1861f51231eaa33e6c6e3dd0fc0168ced641af811b29b30ce6ebeeb681c40
115dd4bc7ad38c95b0fc2e62cee716f13169762a27d74fe2b8cf8514e3d0847e
6a6b275ebd34ddd8e7273b0d8ba81f5a47154e559816625595ec1c16f16ad1cf
47f72151463862d863bb2bca5aad869cf07056a190e3b419f319d0d1ed48f42f
36c850d42c69534d156c9cbfb6d742c3174d61adf870edbdba4e510e34039c49
6f7970f6831a647da4ab9727535a599e602d94623a295209c3248aafe84c5ee0
f705eb07b29abd9de90843dabf7f44593d34f1065cd622885fa885e1877bb90e
2217da4c3df09c9b675e8904ee51d7cd791469d4ebaf985bf6a2800e6145a948
1a796b42fc43e5a646f619319f9fe5d53aaa4c8c59b147d523eadd03846baca5
78b3a73fb8b29a0f06117f386546fd97e6dfea06ad7ede29ae1ba212b0befc46
987667455144351324f3081a80751cf43fd562437c88026bb6dbb11f3c8737a7
093555823e8e1fd7463637a151ab4a3df461b6c8a25223ba209c0b42310c7398
7d5496e7d40ab1c2893b54a3bfcd3acac447a0e031e762b2149c53560e1675df
5f72291e2b93e2ba00da91c39704db98414c8e102d95d6ee5eb5cd3fa0951160
28e8bf1314d1c481cbb47b44364d3b9f6219e73943879b26251f15113c47bce4
ba31d49658e1dae50d656cf066503187f4b7ef30a2a0891f44a92c548bdd17f1
76978f754001b1888d9f3ad235639dafa5cdf63f08a47a260831b68adb951769
cdf0f9967a7d7fd574d291b3377632350d3c049b6a0fa10d4af6d4abe67b5266
153d6d64d4f03687be35f694ad5a71b110d26c8d54ac1b213ad00a9c2689c2bc
dce2b7c9b0d0ea08eab5911ba20c299e91063ee3e10112b78cf414165d875f1b
de2b2e025c205479f412453290c35b63c6e94655de559e243c65dcd6b6aad1d7
7ca569d5d4f9936e31faabfe00dd02064ecc00121957959117f875f60b11922f
6397208c697a0541d7fa79a9a3e7f8d32223c20c85858fbefa96ecd675945ff6
3c6337b597a847c68269a447d8fb716c9ef79bd35cdca2342efa74f4915192ad
14387e3ff0ca651eb05025ca05c1ddd17bac0639be39c505b9dbed71fe9b3137
76b313b8906a9a19af67cbedac5c109bd0d036560a97aa7f345eaf9c90db5c53
b65bde1984d76466d6da12059aad5213c6b1de61f7f6e694b35ba15bbcc0dc98
6109f63d8cc209bee8b57ee7a35cc5fde8823fd37177ef775757f726798520db
219edd89942ce23bcb3a139759ba19c099084c93d301700f40b7fef414d8ca3a
5b1de6e0679534abb19fb3f7b5c4df4ae900e903cec6b4e2ec651ce3ca6d247a
57a841c491c7c4f702a4a3fb0814754018aa7d22c3f192acf19475156e8285b6
c3701090514fb846a83587301a2e63ff63632029b9a1779a25783cc73976c92a
b14d8eeb74ef1998ab0810dba152b3b055a6164d0c7d53461d6b8d6d55648699
a262614704b19ea9bf58266cc3bd17408e4979d4fd7483b6d96244966078a010
619c3847cdf9b2a7a3f13bd2be8af1b56e6df39c2424cdbe7d9b8962ddbb4e16
c964cf49374d5001a0d8e94b4981e3997a898c4e4a9adf9293fd872359ebe34d
18c2d3ddb4f937f580ac4b04edc969ffba27647c5feed84a20cd69a99753d088
3241f26a263314754cfc83bae912699f0c25f1f66110f715f2b3056f43705143
1f79ac7f0201584d6ea7d6b0c96d2285572ed4a191e765a20f5ccae6ebb2f34d
39b7ce2df93eb2e0b9f2ce26a3fb75841585005a9ee2da3b1285c3c942347015
43fbede2d81121935a2b186885a017c300d547b51e62c4d8f4e8abb736b1a248
49fdb3e17fe1abe377efccf40dfd33b81ba4e1f7eb71cff20ce384baa80536a2
e295759d8b341f2439c0c8fe649cab6b789b59cf02a370eab901bd97e9edf39c
bebc952556088b9e9181ac27b268f0bd68f973d1d9ee193a928d6fda8e4bd09d
13d69010410bc20918f5d126efecc497d98d675ca714815652a28b7dc8a6f4ea
65758d6ed0aa38a46c67dd1f5e6b5b4e683a24866f9b74964c64ac40b6438596
b790ea9f8a4c66fa606fe9588e6a6b530222928f95d0f24013b01d2ccb4f529b
5d24d262b62c3024f511f03334d0ecb38fe2b9430650c295ee34aecfe5e21b4e
50e57d18cdc240d5c6c86dd34d7a7377d1dd27a261d0d9e6e2fc9a1e2c40d1d7
209426520c8057c26a6ece290272b0c8ae43143ac50ae8d0b5d7c8f5bd6b84fe
517e653ef19bdb890d0e5ef463883a4a07b1fc80cc744be118ac1aa9ee7ec387
a10687e18624b2892356e76c50e35c3694a02232d6cf38d4ddd7b7179334b60b
a72e9f99c9a974b331daefc28ccc0d7abdc677b4a36ac5e7656715868019c5f4
767a721e1bab73766a3f8effd34335d88a5c056ab3bf2d4149ee357d1242ad4b
54d3ca5af4380eeefef22bbe1d616ddd2e271ee530b06f290c5b0cda5f6b406a
cc45029445077d8d97b56e082656ab5419d822923977e483deca7754fb02e964
37b8555c0f25645850081a7d9333fac1ee551ae46b9352dc5b51b3af699dc226
528e5b4ab20745d773da1e14be0da5e466ab48e9f6028650a25701315e074a70
0b7857fde5312af28a68621fed4ac095aa4b5b21fe90426fad692b1bc97de517
f5ab96680a2f21c1f5a8d68ea563e0dae9576363fc55ee4ef636efb0f96305f4
3793ff12755d90dfd26a955fc0400f59d83bfe0b60f69ccbaba068deb0fcf80b
96e55f5d545c074c4033fbc1cbd2f158e23fe4d9f17bc44a8bc62b9452e7301e
c3e1bf7be1780bf38e61d552379f832c8d1e1ebdb3420237d9374d2c9d9b40c3
c58ab8c4fc460263768452711e9f3e18aa95f41373f965f23c86a7175189d040
02779a9dbb4d79e5f82c6055e509596f9476615a085ef39170c77b64f446b5ad
7dafa710e0cdbfb09ec7e2a12930a14e229478d3fa07337ec568dfc154f1bee2
5a9d754c87c03f39f829cf77323dc8c3e18a581d4b6efff798653f5e0bcf400b
2bf1481d37b2c91ab46676e63ef261fa968ac67a27e9eaff4773202a415d1024
70051995172e84b35b8251786c0c7dd9cd93ee44860e8384376e5491a55ece57
86f630a78192c157ff9fdfc8a3e99de4d61d227154efd19b90f91ad4bf8d5d8c
da2625c72a7d295dfdc731573681f7572443c546dff650ef21df09f16fd78aea
ded4bbe722f2f0a3c123f4221e88a36d6cbbb8c7d5bd84e2a019b82999b90021
7d7cb8b750fd51e73749fc50b93f73bf6242076c0df5702e96f1d29fad3208d2
4c225e8059a6abd6724120733da19b07ba7672e32e3dc58d1cf2d8f3df757feb
5dd97af794eadaa6955ecbec604a43977ae4f5484590d7da6ddcf13c77baaff1
1103fc1fc384ce3caaf4efe98e99cfa9d6ee6c3317572165756bbab6535d9b0f
8a65215c55495de5701a3f644141449d7519c41d61a5921aad4c33074c8b99c2
d7d2fe407f19187fdb699fb2cb118891e82d9cf61e69ea9779028b8ce33ddfee
5a93affe27209627f978c4df1f7285734e8f17597aa404ddc993c340671a4be5
e1fdd18455a4b256616f450af719721596804987a5fed0f8ef8fb0a96ab3b45e
edaccdde124eadfed40f072d4c19b62a787c2efea9a67248efef60df8759602d
13cc6b6c6d77cfd95f6b7e08e279cc6cb7cd149cf99260a4ab1889df30867d97
18cfec8bcfecdfcd1f705ebe0eac73bf9fc37ae23023c40b5145a55960951213
986d86973ce80e22ccf3225b74c9e029abcce5a70c2977e841abdf1a92cf590c
6dc9e636ae0df8adf9ca10aed0b2d730970f5cd08d9689711ce8a0a2b037f1a3
86b53caf1eb03bbbb79d242ad84b47f66a9653781a20734e6616edb7aea6145a
944f0e4c1596ebdd0a2be10909cfa694d0b0ef8c7780ac2cfcbd47783b3412dd
f105d49f51b58d5933fa473fb0ad0ff4defaf99a49f9acc6f4d62ff5140c5f3b
024e1ebab660c8ab023fe17ecd181ad59032094da4f38f5056af0255291c24e0
6af78d42f3bcf34872f6f6de66364d7e8d352cfabe2622c412ddbb1e87886a7c
532a729c6f7587c68e8e69b2e5e93ef980ee310e19f8fd10a611e0e03608bb80
177d447145d70a354521949cd50509efa12f7a2f9fa7735fd98beac8c610de7a
1562995de8d09b7413299362a8f2dbed7c87148177628a247c20fa935fab82a6
1bcb5b03ca5fed28cfdedd995c2721f1d7e384b72e970c861f46acbaf6fdf0a8
effc998acf696bd9a660bfcfebd5c9204b1941ea60ad2897fa11e229b083d6da

Exploring the Cybercrime Underground: Part 4 - Darknet Markets

Posted on by vickykhan

Introduction

Parts 1, 2 and 3 of our Cybercrime Underground the cybercrime series discussed some of the concepts and definitions around cybercrime, and how cybercriminals collaborate in cybercrime forums in buying and selling malicious tools and services. This latest report in our cybercrime series will provide a glimpse of the darknet markets where cybercriminals buy and sell data which have likely been stolen directly by compromising victim computer systems or by the result of a large database compromise. This blog focuses on explaining what darknet markets are, common payment model used, the type of digital data being bought and sold in the darknet markets and their typical costs. The objective of this blog is not to provide an exhaustive list of all the products and services being sold in the darknet markets but to shed light on how cybercriminals are utilizing the darknet markets to trade with impunity. It is important to understand the impact to the growing number of cybercrime campaigns and how the stolen data is monetized by the cybercriminals due to the demand in specific PII data in the darknet markets.

Many articles and research published by the information security industry discuss how cyber attacks can be broken down in phases which is widely known as the cyber kill-chain model. Darknet markets also play two important roles in the overall attack kill-chain. First these markets allow cybercriminals to purchase tools which are then utilized in specific stages of the kill-chain. For example: Malware creation and exploit tools which are sold in the darknet markets aid cybercriminals during the 'weaponization' and 'exploitation' phase of the kill-chain model respectively. The last phase of the kill-chain model 'Actions on Objectives', specify the objective or goal of an adversary. Second, darknet markets allow cybercriminals to achieve their goal of making monetary profit by selling the data which may have likely been stolen from victim computer systems. It is also worth noting that not all digital data being sold in the darknet markets are gained from the result of successful cyber attacks. Insider data theft can end up in a darknet market as well. Insiders with the knowledge and know-how on sensitive information can aid in creating fake identification products which look authentic. For example a former Australian police officer was arrested in November 2016, for creating and selling fake police IDs, security and maritime passes in a darknet market.

The darknet markets today have increased in numbers as well as the number of users- one of the primary reasons has been the anonymity the darknets provide to the users to perform their illicit and illegal trades as well as the decentralized architecture provided by the Tor network which makes it increasingly difficult for law-enforcements to take actions against darknet markets.

What are Darknet Markets?

Darknet markets are websites which are hosted on the deep-web and can be accessed typically using the Tor network. The products and services which are bought and sold in the darknet markets can range from stolen credit-cards, personal information & ID scans, personal credit reports, operating accounts of online payment systems, email accounts with stolen credentials, counterfeit items, malware & exploit kits, drugs and also weapons, among other illegal products.

Access to Darknet Markets:

Darknet markets are hidden websites which cannot be accessible using regular browsers or search engines as they do not have an actual DNS name. Most darknet markets have a .onion TLD suffix which states that it is a hidden service and can only be reachable by the TOR network. A .onion site consists of 16 alphanumeric characters followed by a .onion TLD. The 16 characters may include letter from 'a to z' and numeric numbers from '1 to 7'. Below is a syntax of a .onion hidden service.

SYNTAX:         [digest].onion

The digest is the base32 encoded value of the first eighty bits of a SHA1 hash of the identity key for a hidden service. Once Tor sees an address in this format it tries to connect to the specified hidden service. Many darknet market users also use a VPN network to add an additional layer of privacy to hide their source.

underground_4_1

 Figure 1   High-level depiction on how darknet markets are accessed using Tor

Payment Model:

The payment process in the darknet markets has followed the process which was used by the “Silk Road”, one of the first and best known darknet markets. Purchases in the darknet markets are typically made using virtual currencies like Bitcoin. An individual who wants to buy a product in the darknet market needs to credit his/her darknet market account with Bitcoins to make purchases in the darknet market. The buyer purchases and moves Bitcoins to the darknet user account used by the buyer and makes the desired purchase. Once the buyer has initiated the purchase, the respective cost of the purchase in Bitcoins from the buyer's account are held in the darknet market's escrow until the order has been completed. Once the purchase order has been completed, the Bitcoins are released to the Seller (Vendor). The figure below shows a flowchart of the payment model being used in darknet markets.

underground_4_2

Figure 2    Payment model of Darknet Markets

Common Types of Data Bought & Sold:

Darknet markets provide many types of illegal products to be sold. This blog will not cover all the product types being available in the darknets but cover some of the most common types of information/ services which are transacted by cybercriminals in the darknet markets. Some of the types which we will discuss in this blog are:

  1. Credit Cards/ CVV numbers
  2. Credit Score Reports
  3. Passport Scans
  4. Driving license Scans
  5. Document scan templates
  6. Compromised account credentials
  7. Malware/ Exploit kit services

Credit Cards:

It is not a surprise to see ‘credit cards’ being sold in the darknet markets as they are further used to commit fraud and are also used by cybercriminals to finance their requirements and make profit. There are multiple ways in which credit cards are stolen – some of which are phishing scams, ATM skimmers and also by people in the industry who have access to customer credit card information. Credit card fraud has been costing the financial industry billions of dollars and due to the high number of credit card frauds, the financial industry may find it overwhelming to investigate every fraud incident and may only tend to focus on cases where the cost of the fraud is very high. The cybercriminals / fraudsters are well aware of this challenge and try to perform their fraud activities by transacting small number of transactions on each card to avoid being detected by anti-fraud systems. The below snap shot was taken from a credit card sales ad at a darknet market where a seller also provides advice on making less amount transactions per card to avoid getting detected.

underground_4_3

Figure 3 Seller advises buyers to make low transactions to avoid detection

The typical cost of credit cards being sold in the darknet markets can range from USD $1 to $25 for each card. The cost is higher if there is a confirmed high balance or if it is a premium card (platinum, business, corporate, gold). Some of the costs can be much higher if they come in a bundle and may also include how-to tutorials on making the most out of the credit cards to conduct fraud.

Figure 4 below shows some of the most recent credit card sales listings on a darknet market.

underground_4_4Figure 4 Credit Card listings on a darknet market

Credit Score:

Stolen identities are in big demand in darknet markets as they allow cybercriminals to conduct fraud using real identities of individuals who could have been victims to phishing/malware attacks or organizations holding PII data of their customers getting breached. Credit Score reports are one of the most highly traded PII (personally identifiable information) in the darknet markets.  A credit score report is an analysis report of the credit worthiness of an individual and the credit score depends on the credit files of a person. Financial organizations use credit score reports to assess a client’s credit history which is used to approve loans. Credit reports are not only used by financial organizations but many others like governments, insurance, and many other organizations which require a credit history to process a request. The price of the credit score lists depends on the score of the report, with the higher score reports going for a higher price. Figure 5 and 6 below shows two examples of credit report listings which are being sold on a darknet market. A credit score of 750+ costs USD $50 in one of the listing and another listing shows a score between 720 and 820 would range between USD $ 49.50 to $100.

underground_4_5

Figure 5 Example credit report listing on a darknet market

underground_4_6

Figure 6 Example credit report listing at a darknet market

Passport / Driving License Scans:

Identity documents like passport and driving license scans are also in high demand as they can be used to commit fraud which can range from opening bank accounts, PayPal accounts, purchasing real estate, and perform any other transactions which may require a scanned copy of a passport or a driver’s license for verification. Many developed nations have a robust digital architecture with public services being available online where such scanned copies can be used to process and transact services by using real identities which are being sold in the darknet markets, further fuelling the opportunities to commit fraud. Even developing nations are not immune to these threats- Nations like India are investing heavily in transforming its digital architecture to provide public services electronically and encourage citizens to use the internet and the online services being provided. Given Personal Identifiable Information (PII) data are used in many such services, these type of information are in demand in the darknet markets as they can be used to conduct multiple types of fraud.

underground_4_7

underground_4_8

Figure 7 Listings showing passport and ID scans of India and UK being sold on a darknet market

Document Scan Templates:

Another type of listing which is quite regular in the darknet markets include but are not limited to templates of passports, driving licenses, SSNs, bank statements, utility bills, credit cards, tax statements and invoice receipts of different vendors. Figure 8 is an example of a sample of an Australian passport template which has the same passport ID details but has different photos of individuals. The seller of the below template also shares that any details in the passport including the photograph can be changed and it would still look legitimate. The seller provides full editable versions of the template in .psd format which is an Adobe Photoshop document format. The seller also provides download links to cracked versions of Adobe Photoshop so the buyers can use the .psd files without needing to buy a licensed copy of the software. Each .psd template sold can cost between USD $20 to $100.  However, many listings have these templates being sold in bundles as well- For example a list of 9 templates for Canadian documents consisting of passport scans, bank statements, invoice documents and utility bills is selling on a discounted price of USD $387 where the original price would have exceeded $500 if bought separately.

underground_4_9

Figure 8 Scanned templates of Australian passports being listed at a darknet market

Compromised Account Credentials:

Credentials of many online services which include banking, telco, social media networks and many more are being listen in the darknet markets. Figure 9 shows some of the listings of compromised accounts being sold at a darknet market.

underground_4_10

Figure 9 Compromised credentials being sold at a darknet market.

Malware / Exploit Kit Services:

There are many types of malicious tools and services being sold in the darknet markets, some of which we have already shared in part 2 of our cybercrime underground series. Figure 10 below shows a listing on a darknet market for a Ransomware and BTC stealer setup service where a seller provides the tools and also configures it for the buyer.

underground_4_11

Figure 10 Ransomware service being listed on a darknet market

Impact:

The global cost of cybercrime has been on an alarming rise with the estimated loss to be in billions of dollars, with some reports indicating that the overall loss could be in trillions. A large portion of this cost can be attributed to the fraud conducted due to stolen PII data, some of which we have covered in this blog. For example- In Asia, Australia has been impacted the most due to identity crimes with an estimated loss of AUD $2.2 billion annually. The Australian Federal Police also mention that identity crime has been a key enabler to 'organised crime' which in turn has been costing Australia AUD $15 billion dollars annually. This really shows the vast impact nations and organizations are facing due to the identity and PII information being stolen, bought, and sold in the darknet markets.

Conclusion:

Darknet markets have allowed cybercriminals, fraudsters and criminals who trade in weapons, drugs and illegal products to trade without much concern of getting caught due to the anonymity provided by the deep-web. Though it may be difficult to identify the perpetrators who are managing or using the darknet markets for their profit, global law-enforcement agencies are continuously working to bring the criminals behind the darknet markets to justice and the number of successful cases has been growing where many criminals behind the darknet markets have been arrested. Large percentage of internet and online service users are often unaware of the threats in the digital world and tend to not follow common online safety measures to secure their personal information or their systems, which eventually result in their personal data being stolen and traded in darknet markets, where the information are further used to commit fraud. It is imperative to have an understanding on how these criminals operate and the type of information being traded to better secure ourselves.

Organisations should follow industry standards on securing data and implement security technologies to prevent cyber attacks and reduce the risk of data being stolen and traded in the darknet markets. Palo Alto Networks Next-Generation security platform provides a holistic solution to protect the digital way of life by safely enabling applications and preventing known and unknown threats across the network, cloud and endpoints. For more information on the next-generation security platform visit here.

References:

  1. http://blog.paloaltonetworks.com/2016/08/unit42-exploring-the-cybercrime-underground-part-1-an-introduction/
  2. https://en.wikipedia.org/wiki/Silk_Road_(marketplace)
  3. https://en.wikipedia.org/wiki/Darknet_market#/media/File:Marketlifetimes.png
  4. https://gitweb.torproject.org/torspec.git/tree/address-spec.txt
  5. https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf
  6. https://en.wikipedia.org/wiki/Credit_score
  7. http://digitalindia.gov.in/content/about-programme
  8. https://www.deepdotweb.com/tag/arrested/
  9. https://www.ag.gov.au/RightsAndProtections/IdentitySecurity/Pages/Trends-in-Identity-Crime.aspx
  10. http://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
  11. https://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion
  12. https://www.afp.gov.au/what-we-do/crime-types/fraud/identity-crime
  13. http://www.abs.gov.au/ausstats/abs@.nsf/mf/4528.0/
  14. https://www.ag.gov.au/RightsAndProtections/IdentitySecurity/Documents/Identity-crime-and-misuse-in-Australia-2016.pdf
  15. http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
  16. https://www.paloaltonetworks.com/products/designing-for-prevention/security-platform

Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments

Posted on by Mashav Sapir

Palo Alto Networks Traps Advanced Endpoint Protection recently prevented recent attacks that we believe are part of a campaign linked to DustySky. DustySky is a campaign which others have attributed to the Gaza Cybergang group, a group that targets government interests in the region.

This report shares our researchers’ analysis of the attack and Remote Access Tool (RAT). We also discovered during our research that the RAT Server used by this attacker is itself vulnerable to remote attack, a double-edged sword for these attackers.

Attack

The initial infection vector in this attack is not clear, but it results in installing the “Downeks” downloader, which in turn infects the victim computer with the “Quasar” RAT.

Downeks uses third party websites to determine the external IP of the victim machine, possibly to determine victim location with GeoIP. It also drops decoy documents in an attempt to camouflage the attack.

Quasar is a .NET Framework-based open-source RAT. The attackers invested significant effort in attempting to hide the tool by changing the source code of the RAT and the RAT server, and by using an obfuscator and packer.

Detection

Unit 42 researchers observed the Quasar RAT being prevented from executing on a Traps-protected client in September 2016. We observed these Quasar samples:

File Name:  f-secure.exe
SHA256: 99a7cb43fb2898810956b6137d803c8f97651e23f9f13e91887f188749bd5e8f
Note: connects to hnoor.newphoneapp[.]com

File Name:  HD_Audio.exe
SHA256: 0c4aa50c95c990d5c5c55345626155b87625986881a2c066ce032af6871c426a
Note: connects to manual.newphoneapp[.]com

File Name: HD_Audio.exe
SHA256: 86bd78b4c8c94c046d927fb29ae0b944bf2a8513a378b51b3977b77e59a52806
Note:  crashes upon execution

File Name: sim.exe
SHA256: 723108103ccb4c166ad9cdff350de6a898489f1dac7eeab23c52cd48b9256a42
Note: connects to hnoor.newphoneapp[.]com

Further research found other Quasar examples, an attack earlier in the month 2016 on the same target:

SHA256: 1ac624aaf6bbc2e3b966182888411f92797bd30b6fcce9f8a97648e64f13506f

We found the same Quasar code in an additional attack on the same day, but upon a different target. A second Quasar sample was also observed attacking this new victim:

SHA256: 99a7cb43fb2898810956b6137d803c8f97651e23f9f13e91887f188749bd5e8f

We do not have detailed visibility into the specific host attacked, and have not been able to reproduce the second stage of the attack in our lab. However, based upon the timeframe of subsequent telemetry we observe, we understand the attack chain as follows:

  1. The initial dropper (which varies across attacks) is delivered to the victim via email or web:

File Name: Joint Ministerial Council between the GCC and the EU Council.exe"
SHA256: 0d235478ae9cc87b7b907181ccd151b618d74955716ba2dbc40a74dc1cdfc4aa

  1. The initial dropper, upon execution, extracts an embedded Downeks instance:

File Name: ati.exe
SHA256: f19bc664558177b7269f52edcec74ecdb38ed2ab9e706b68d9cbb3a53c243dec

  1. Downeks makes a POST request to dw.downloadtesting[.]com, resulting in the installation of the Quasar RAT on the victim machine.
  2. Additional Downeks downloaders connecting to the previously-observed server dw.downloadtesting[.]com were also found in this attack:

SHA256: 15abd32342e87455b73f1e2ecf9ab10331600eb4eae54e1dfc25ba2f9d8c2e8a

SHA256: 9a8d73cb7069832b9523c55224ae4153ea529ecc50392fef59da5b5d1db1c740

Further research identified dozens of Dowenks and Quasar samples related to these attackers. All included decoy documents written in Arabic (all related to Middle Eastern politics) or Hebrew. Most of them use the same mutex structure, share the same fake icon and unique metadata details, file writes, registry operations, and fake common program metadata, as seen in DustySky samples.

The Downeks downloader and Quasar C2 infrastructures are each self-contained and independent of each other. However, we did find a single shared IP address demonstrably connecting the Downeks downloader and Quasar C2 infrastructure s. The below chart (Figure 1) shows Quasar infrastructure (top), Downeks (bottom), and the shared IP link.

quasar_1

Figure 1- Quasar and Downeks

Charting the samples and infrastructure clearly shows the separate Downeks campaigns, and infrastructure links (Figure 2):

quasar_2

Figure 2- Infrastructure Patterns and Connections

In Figure 2, top-right (green) has the Quasar infrastructure (Figure 3), with a link to the Downeks infrastructure. Left (yellow) is DustySky infrastructure (Figure 4) and the links to this Downeks campaign. As well as similarities in the code, decoys and targets, we also identified C2 infrastructure links between DustySky and this campaign. The remainder is sub-campaigns of Downeks samples, their infrastructure, their links – and a favored ISP (center) (Figure 5).

fig3-5

The timing of the attacks is commensurate with the Middle-Eastern working week (Figure 6):

fig6

Figure 6- Attacks by day-of-the-week

The sample build days-of-the-week follow an almost identical pattern (Figure 7):

fig7

Figure 7- Builds by day-of-the-week

We saw five samples built on the same date in December 2015, and six on the same date in January, further solidifying the link between each sample.

Quasar

We analyzed a Quasar sample we found that was communicating with an active C2 server at the time of analysis:

SHA256: 4393ff391396cdfd229517dd98aa7faecad04da479fe8ca322f035ceee363273

Quasar is a publicly-available commodity RAT, an evolution of his earlier xRAT, by German developer “MaxXor”. This sample is a modified version of Quasar, most likely forked from open source version 1.2.0.0 on GitHub. The client was likely built using the Quasar server client builder. We observed the following customizations:

C2 server:

app.progsupdate[.]com, which resolved to 185.141.25[.]68), over port 4664.

Quasar mutex name:

VMFvdCsC7RFqerZinfV0sxJFo

Keylogger log location:

Users\hJTQwqwwSCkZU\AppData\Roaming\GoogleDesktop\<date>

The malware uses fake version information to appear as a Microsoft update program, as well as Google Desktop once unpacked.

quasar_8

Packer

This sample is packed by “Netz”, a simple .NET Framework packer which stores the original executable compressed (zlib) as a resource. At runtime, the packer decompresses the resource and uses Reflection to load the assembly, find its Entry point, and Invoke it. Extracting the payload is straight forward – we simply dump the resource and decompress it. After decompilation, the packer looks like this:

Find the resource and call InvokeApp:

Get the assembly object by decompressing the resource and loading it with Reflection:

And finally, find the entry point and invoke it:

Extracting produces:

SHA256: c931de65d9655a772d23e4227a627a1140d8d3c4912ca71c324421b13efa1a02

quasar_9

This layer uses obfuscation in an attempt to avoid detection/analysis.

Obfuscation

We discovered that the sample was obfuscated using .NET reactor. It is possible to decompile the deobfuscated sample and retrieve most of the original source code but not enough to compile it easily.

After deobfuscation we extracted:

SHA256: d773b12894d4a0ffb0df328e7e1aa4a7112455e88945a10471650e503eecdb3d

quasar_10

Quasar Code

After decompiling the sample, we were able to document the modifications from the open-source Quasar.

Settings

The configuration of Quasar is stored in the Settings object, which is encrypted with a password which is itself stored unencrypted.

Modifications:

  • The ISCHECKIP and INSTARTUPFOLDER are not found in open source Quasar samples.

Cryptography

The sample we analyzed is using RijndaelManaged with ECB mode and PKCS7 padding. The key is the SHA256 hash of the hard-coded password. The password of the sample we analyzed is:

“6y7u^Y&U6y7u^Y&U6y7u^Y&U”

Although at first glance this appears somewhat complex, it is in fact a rather simple, repeated keyboard sequence. We observe similar keyboard patterns in other samples: “567%^&”, “zxc!@#ASD”.

Modifications:

  • Uses SHA256 instead of MD5 to create the key.
  • Uses RijndaelManaged instead of AES for encryption. (with ECB mode, which is considered weak).

Serialization

Quasar contains the NetSerializer library that handles serialization of high level IPacket objects that the client and server use to communicate. The serialization assigns unique IDs for serializable objects types. The open source and several other samples we found give a dynamically-assigned 1 byte ID at compile time. The sample we analyzed changed that behavior and hard-coded DWORD for each object type. This is a better implementation, as it allows servers and clients from different versions to communicate with each other to some extent.

Version

The sample we analyzed is most likely forked from open source quasar 1.2.0.0. We find multiple file/object names hinting at the version, but must compelling:

  • Quasar version 1.1.0.0 names the encryption module name space "Encryption", while subsequent Quasar versions use "Cryptography" – which we observe in this sample.
  • Quasar version 1.3.0.0 changed the encryption key generation, and stopped saving the password in the sample. There are more indications as well, such as names of objects, files etc.

Other samples we analyzed had different combinations of modification to cryptography and serialization.

The C2 server

Our decompilation of the serialization library was not complete enough to allow simple recompilation. Instead, we downloaded and compiled the 1.2.0.0 server of the open-source Quasar RAT, having determined that this seemed likely the most similar version. The out-of-the-box server could not communicate with the client sample owing to the previously documented modifications that we had observed. We incorporated those changes into our build, discovering that this worked for most sample versions with almost no further modification.

Both the client and the server use the same code to serialize and encrypt the communications. Instead of compiling a different server for each client, our server uses the code from within the client to communicate with it. Using Reflection, the server can load the assembly of the client to find the relevant functions and passwords.

Load the client assembly:

Encryption:

Rather straight forward, as the server version uses the same API as the sample client.

Get the AES class:

Getting the setDefKey, encrypt and decrypt methods:

Replace the server functions:

with

with

with

Serialization:

This was more complex. Both the client and server uses the same API, but the client serializer cannot serialize server objects, because they are not the same as their "mirrored" objects inside the client. In some cases these objects are completely different, for example the server commands to get the file system.

Our solution is to:

  1. Translate on the fly the objects the server send to mirrored matching client objects (will not work if client doesn’t have this object, or renamed it).
  2. Copy the content from the server object into the new client object (will not work if client implementation is different).
  3. Serialize the client object (which will be later encrypted and sent).
  4. Deserialize the decrypted response into another client response object.
  5. Translate the client response object into the server version of the client response object.
  6. Copy the contents from the client response object into the translated server object.
  7. Return the translated object.

Communication

Our sample communicates with app.progsupdate[.]com, which resolved to 185.141.25[.]68, over TCP port 4664.

Architecture

This is the communication architecture between quasar client and server (Figure 8):

quasar_11

Figure 8- Communication Architecture

  1. The server sends a command. for example, “Get System Information”.
  2. The command is translated to an IPacket of type GetSystemInfo.
  3. The packet is serialized into a stream of bytes.
  4. The stream of bytes is encrypted (in some versions there is also optional compression step).
  5. The stream of bytes is sent over TCP to the client.
  6. The client receives and decrypts the packet.
  7. The client deserializes the packet into IPacket GetSystemInfo.
  8. The relevant handler of the client is called, collects the system information and sends it back inside IPacket of GetSystemInfoResponse.

Each of these layers seems to be different to some extent in the various samples we found. The IPacket, Serialization and Encryption framework code is shared between the client and the server, therefore we can use it with Reflection. However the Server handlers and command function are not, so we cannot create a completely perfect simulation.

Initial handshake

After the TCP handshake completes, the server starts another handshake with the client by sending packets in the following order (Figure 9):

quasar_12

Figure 9- Initial Handshake

The client returns data to the server about the victim computer, which is displayed in the server GUI (Figure 10):

quasar_13

Figure 10- Quasar RAT Server GUI

The server and client then enter into a keep-alive mode, where the attacker can send commands to the client and receive further responses.

RAT commands

The attacker can issue commands (not all commands appear in different samples) through the Quasar server GUI for each client:

  • Get system information
  • Get file system
  • Upload / download / execute files
  • Startup manager
  • Open task manager
  • Kill / start processes
  • Edit registry
  • Reverse Proxy
  • Shutdown / restart the computer
  • Open remote desktop connection
  • Observe the desktop and actions of active user
  • Issue remote mouse clicks and keyboard strokes
  • Password stealing
  • Retrieve Keylogger logs
  • Visit website
  • Display a message box

Our server build was able to successfully execute most of the commands.

The file system commands underling handlers and IPacket were modified to support more features, so these commands don’t work out of the box and required manual implementation from us.

A Double-Edged Sword…

With further analysis of the Quasar RAT C2 Server, we uncovered vulnerabilities in the server code, which would allow remote code execution. This might allow a second attacker to install code of their choice – for example, their own Quasar RAT – on the original attacker’s server. We refer to this (somewhat ironic) technique as a “Double Edged Sword Attack”. We did not apply this to any live C2 servers – we only tested this with our own servers in our lab.

In the lab, we changed our Quasar RAT source code to use the known encryption key, and to send fake victim IP address, City, Country code, Flag, and Username. The Quasar server does not verify the RAT data, and displays this data in the RAT Server GUI when the RAT is executed and connects to the server. We found this could be used to supply compelling “victim data” to convince the attacker to connect to this “victim” via the GUI.

Quasar server includes a File Manager window, allowing the attacker to select victim files, and trigger file operations – for example, uploading a file from victim machine to server. Uploaded files are written to the server sub directory “clients\user_name@machine_name_ipaddress”.

Quasar server does not verify that the size, filename, extension, or header of the uploaded file is the same as requested. Therefore, if we convince the attacker to request the file “secret_info.doc (20KB)”, we can instead return to the server any file of our choice, of any size or type.

When the Quasar server retrieves the name of the uploaded file from the victim, it does not verify that it is a valid file path. Therefore sending the file path "..\..\ secret_info.doc " will result in writing our file instead to the same directory as the Quasar server code.

Quasar server does not even verify that a file was requested from the victim. Immediately when the File Manager window is opened by the attacker, the Quasar server sends two commands to the RAT: GetDrives and listDirectory (to populate the list of the victim’s files in the RAT Server GUI). We can respond to those commands by instead sending two files of our choice to the Quasar server. Again, we control the content of the file, the size and the path and filename.

Quasar is a .NET Framework assembly, loading multiple DLLs upon launch, for example “dnsapi.dll”. Quasar server is vulnerable to a simple DLL hijacking attack, by using this technique to replace server DLLs.

When the attacker restarts the Quasar application, our uploaded “dnsapi.dll” will instead be loaded. Through this vector, we could drop our own Quasar client on the attacker’s server and execute it. Our Quasar RAT will connect to our own (secured, of course) Quasar server, allowing us to control that attacker’s server with his own RAT. We can also replace “shfolder.dll” (and add a DLL export proxy to avoid a crash), which is loaded whenever the attacker clicks the builder tab – allowing us to infect the server while it runs, without the need to wait for application restart.

Downeks

Although Downeks has been publicly examined to some extent, our analysis found several features not previously described.

Earlier Downeks samples were all written in native code. However, among our Downeks samples, we found new versions apparently written in .NET. We observe many behavioral similarities and unique strings across both the native-Downeks versions, and the new .NET Downeks versions. Almost all of the strings and behaviors we describe in this analysis of a .NET version are also present in the native version.

We observed these samples deployed only against Hebrew-speaking targets.

Downeks.NET – “SharpDownloader”

Downeks .NET internal name is “SharpDownloader”, “Sharp” may be a reference to the language it was written in – C#.

As seen in previous Downeks versions, it uses masquerades with icons, filenames and metadata imitating popular legitimate applications such as VMware workstation (Figure 1) and CCleaner, or common file formats such as DOC and PDF.

quasar_14

Figure 11 - Application metadata masquerading as VMWare Workstation

All 3 samples were compiled with the same timestamp. Downeks.NET is obfuscated using “Yano” and can be easily de-obfuscated using the de4dot utility.

SHA256: 4dcf5bd2c7a5822831d9f22f46bd2369c4c9df17cc99eb29975b5e8ae7e88606
SHA256: 905f6a62749ca6f0fd33345d6a8b1831d87e9fd1f81a59cd3add82643b367693
SHA256: c885f09b10feb88d7d176fe1a01ed8b480deb42324d2bb825e96fe1408e2a35f

Communication

Downeks is a backdoor with only very basic capabilities. It communicates with the C2 server using HTTP POST requests.

It runs in an infinite loop, in each iteration it requests a command from the C2, and then it sleeps for a time period it receives in the C2 response (defaulting to 1 second if no sleep-time sent).

The data that is sent in the POST is serialized with json, which is then is encrypted, and finally encoded in base64. The json format is typically {“mth”:”some_method”, “data”:”some_encrypted_data”}. The C2 server responds using the same format and serialization/encryption/encoding.

Download and Execute

As described in earlier analyses, Downeks’ main purpose is as a downloader. Unfortunately, we were unable to get any C2 servers to issue download commands to any samples that we tested in our lab.

The download is initiated upon receiving json with a “download” command, which includes the URL of the file to be downloaded. Downeks can also be instructed to execute binaries that already exist on the victim machine. After successful execution, Downeks returns the results to the C2 server.

Downeks also has a self-update capability, if instructed by the C2.

Screen Capture

Downeks can be instructed with the “img” command to capture the victim screen and transmit it back to the C2. The parameters “wth” and “qlt” specify “width” and “quality”.

Appdata

Downeks .NET creates a file in the “Appdata” directory, based on certain properties of the machine. During our analysis, Downeks created a file in “Appdata\Roaming” containing only “SD{new line} 0” (“SD” possibly for “SharpDownloader”).

Although this file itself is not particularly interesting, the older (native) Downeks versions also creates a file in Appdata\Roaming, with identical data.

The filenames across the two variants bear striking similarities. The .NET variant creates “1FABFBFF0000065132F71D94”, while the native version creates “000206511FABFBFF”. We observed the string “1FABFBFF0000065132F71D94” in memory during debugging of the native variant (Figure 12). This is a pseudo-unique ID for each machine, based on install date taken from the registry, volume serial number, OS version and service pack, Processor architecture, and computer name.

quasar_15

Figure 12 - Machine ID in memory

Installed Antivirus check

Downeks enumerates any antivirus products installed on the victim machine and transmits the list to the C2. It constructs this list using the WMI query:

“SELECT displayName FROM AntivirusProduct”

Persistence

Downeks achieves host persistence through either the registry “run” key or with a shortcut in the start-up folder.

External IP

In another similarity between both variants, Dowenks assesses the victim’s external IP using an HTTP request to http://www.myexternalip.com/raw.

Other commands

Downeks can be instructed by the C2 to perform a few other commands:

  • Check if the computer name and user name, or external IP address, is in a provided list and if so, display a message box with a message as defined by the C2.
  • Kill any running process and attempt to delete the associated executable.
  • “Setup” command – sends various info about the machine with each iteration of the C2 communications loop.

Encryption keys

Downeks has static encryption keys hardcoded in the code. These keys are initialized in the “Defaults” class constructor, suggesting that the author of this malware has great affection for stackoverflow:

Typos

We observed some typos in the code, such as “responce” ( “response”) and “GroubID” (“GroupID”) in this version.

Coverage & IoCs

Palo Alto Networks customers are protected from Downeks and Quasar used in this attack:

  • WildFire properly classifies these Downeks and Quasar samples as malicious.
  • Traps detects and blocks malicious behavior exhibited by new, unknown Quasar samples.
  • C2 servers associated with this activity are blocked through Threat Prevention DNS signatures.
  • AutoFocus customers can monitor this activity using the Downeks and QuasarRAT tags.

A list of Indicators of Compromise can be found in Appendix C - IoCs.

Appendix A - IoCs

C2 Domains

downloadtesting.com
gameoolines.com
onlinesoft.space
newphoneapp.com
gamestoplay.bid
smartsftp.pw
galaxysupdates.com
galaxy-s.com
datasamsung.com
progsupdate.com
topgamse.com
bandtester.com
speedbind.com
ukgames.tech
wallanews.publicvm.com
wallanews.sytes.net
noredirecto.redirectme.net
dynamicipaddress.linkpc.net
downloadlog.linkpc.net
havan.qhigh.com
kolabdown.sytes.net
rotter2.publicvm.com
ftpserverit.otzo.com
webfile.myq-see.com
downloadmyhost.zapto.org
help2014.linkpc.net
safara.sytes.net
exportball.servegame.org
viewnet.better-than.tv
down.downloadoneyoutube.co.vu
netstreamag.publicvm.com
hostgatero.ddns.net
subsidiaryohio.linkpc.net
helpyoume.linkpc.net

Quasar & Downeks SHA256s

3053e1e8df7e525ef98a77190cefce258aea365e2998425ecc8e139230680156
f19bc664558177b7269f52edcec74ecdb38ed2ab9e706b68d9cbb3a53c243dec
0d235478ae9cc87b7b907181ccd151b618d74955716ba2dbc40a74dc1cdfc4aa
96c1346351a53c865afef5e087a8cbcf8e28d652fbc083a93399a8b94328d456
15abd32342e87455b73f1e2ecf9ab10331600eb4eae54e1dfc25ba2f9d8c2e8a
b66e5af52fd4d802f64788692b3eafe6b5ff61cea09c06a237a96b6cdb90b41a
55a7ca1e5ed2d74c7eb6ab6a985c1d369157a91275f575967aefb7ddb3388e0c
9a8d73cb7069832b9523c55224ae4153ea529ecc50392fef59da5b5d1db1c740
39bdeaded0f919caa6697ae1ae4953de1c7afa79905939dbbd8c647a84f6cd07
0e41c3611da6e3a2b0dd0d43b9ce0b3f3405472efa5760767719cc82692afb7b
bc7c3f687d0589a4db53475bc65056a628b52aa27f84c1d76b9fe686d495df27
0d1aa670df8ae1379d6997c9dc8b40c893ee395c3d45b84c2ad1732e86973143
8ac7138215b2500d0737b483b9194419c0e0248014147e84f43b1e2b409184cf
8ca99455d244fab2701beb5127f94745154e03ac1231a58f8bd2cd01732a341b
a149340f920888256902e28e4c5d8587fed3037682e875ed1fdf6a3213c50e92
78aaed20914d3895708985aee089a464b31e11eb3b3e90b530dcebbe10e915ec
704b19e0460a0fa7d952ba6feb5eadb9054895d1d753df72faf6f470446a0519
118d0bd8ec35b925167c67217d2fe06ac021ce253f72d17f1093423b8f9b4a2b
68ec3588735341566e9736b897aac06affb4a4808b05ceffb72384e77ea04b2c
d3c710eaaf849598fa486823da42bdce03ea3c9421c3936e3330e98b34e4ef47
e6e9f7b0449976537d9276192e5767c9909cd34df028a8bf1cac3dbe490f0e73
75336b05443b94474434982fc53778d5e6e9e7fabaddae596af42a15fceb04e9
4dcf5bd2c7a5822831d9f22f46bd2369c4c9df17cc99eb29975b5e8ae7e88606
b8a3096a396c28462c0d168d97e28573e0e6d272bbc1dd2432e7effe098bd979
905f6a62749ca6f0fd33345d6a8b1831d87e9fd1f81a59cd3add82643b367693
c885f09b10feb88d7d176fe1a01ed8b480deb42324d2bb825e96fe1408e2a35f
0c4aa50c95c990d5c5c55345626155b87625986881a2c066ce032af6871c426a
1ac624aaf6bbc2e3b966182888411f92797bd30b6fcce9f8a97648e64f13506f
1acffe68fcdc301b8ab7640eda75ff82788b2f93d869e421e28bacbba93b76d1
723108103ccb4c166ad9cdff350de6a898489f1dac7eeab23c52cd48b9256a42
99a7cb43fb2898810956b6137d803c8f97651e23f9f13e91887f188749bd5e8f
86bd78b4c8c94c046d927fb29ae0b944bf2a8513a378b51b3977b77e59a52806
3243292E46A198BD83E0DCE58258312852C99217187E6D5399066189FEB2677B
9b8d8780454708b950459d43161097ac72f62ff349bc8f379b5b2216bc9ae935
3619b12b11cda6e87644d3316355d99ee5fa5407aa8a8f107aa1058e33b19bf6
0f8378603e269db16eb7eaca933b587c7de3e914c1d9afaaae688c410befb895
d3066fa4a7a1ef38c753796479768b765c6903ef50c35352e29e79dcd49e4348
39b991838653739eef482af6336fcf03922d7e9d88d17946b688a513dd2bfc34
4393ff391396cdfd229517dd98aa7faecad04da479fe8ca322f035ceee363273
759ae70b035c3bbb6699520db3a55f3947e6ba1b5ce639ec036e3096ee10b26d
17942d9d76dafb64aa0d3ab53c9ee56e5d8bd4477440f06780b70dd4c02af8b8
fea74bf9eed7363f97a09756b4652409cfcd7bbe023383805aec5da7de6310bd
f5413c785770400215c3191ea887517b4380ec81be4e5bdc5aea12bf82f9105d
8cdbea2aea51f73c68adc517eed533802e1f3b2a9ec0b0560b6bb8fc03ac3e4f
dbdc72a7cfbf03599b95d8f1c47e157da34ea5d2f951cf5f49715e8caab58cd4
65986f6f919e9152176a10ae3964fac130ae6195e189453d17306a225022774d
91a4e395d57a52a85a2bda653a0ed796865e8af01c1345dff63469759448daf0
53e82d01dd2502416ad49329e1224a7c4519182186e60f690ecd0cf266f5af5e
575708d3eb23f8111b7174408f05caf6574c5d6782c750562bfb9abe48cb219e
fefa0781e88fa215419b2a1294c8b952b192f8360aeab2f97bbd9cea15fc7338
ea16f0d55918752ad432d0da03a7e39ab9a8442b74ae0bbe724900605a9ba71f
6f6414c8f8a800c769da1f6994cad25757a2928375803a498171db3395183b98
dbeb3c262cc6eefea93846f817e8333ee541ec23d19ffef56a94585e519e6ff1
2ddce8b010f011a04cf24dc8e5932ae13b463dd6a3cb9bf02ae835b04a70d042
182c82100069834ad4a8dadee6874cfb612f0b9babc7cd3ee5d69f16440ad6d7
f772463bafef5f45f675658eee43b6f56911a4f449afb0cc68ac068002a2f875
b30e3dc47848666e71c1f13050a6502b2c2a7a542ee867d152ffb2dd186d7114
e5e4895d2195e14a3a105f3ed73fd49493e9dbdd7dfc6f6616023473fa8f86c6
f4eda40b3f1c77f8f9e02674d93214dd31c13080b034e37b26cc66d744500b1e
95d9a2b664e3e5c1206d94241ded115643aa0452dd3fe3338363ff826260f40c
575b84c2d3bceebfabb2deb289a230f52aca2c504aa854251c1e9057f3f0cf5a
21f09c93325c03940c24d8bd6f33a1a4876bfd5feb8c8bac05b0a359255c0b42
695821451be582d85cd8e42ce4446f131bd474e6c715bdf13fe8bac6de34b2e3
e874deabb7953c2b9b5e67fc08297019bb0171c2fbdbe136b822cee4d43b72e5
6a700aea23f7cb6907e464981a136b0fbfb5a48b910af2f9a44baf98d25f1722
b6adae77a975058720e525a7f6d2451a01fedd3c6cab1515570d8490a8eb4f67
d735c19fc9223e1bc4e625c1f47801d758426fbae89e5086bc56a8d6b1df2011
a66a27d801891e39d3819355366399fabbf2f05327ddb7c7b5d304fabeac7118
cdf4ec8beb3f15d04b54165b53475aa03949a67f9cb1847a749b2fb44a3fe0a4
0045c28ed2a9d98efb798ec59f34b6a3058838f933af7c0dae6482a0e86e37bf
8814fec28ccac77456be73305b32ad5a266a4929203b2acf431759c90fe579bd
f1b682808f1819f0e3d030fce1fd6b1ca95ad052b069e028cd9ed4afd81cd4d6
f361974e6fd6a6d7cfbfafb28159c4f8e514fe6f399788be4daa2449767d5904
11b1088ad962984f6df89ccc6bbc98bf220af952dec0b4622f8453a0a164cb65
Aacf24e288388431b30f8da765b4696975adc9cc0303d285abb05077eda21da2
02bd710d3055076f86116d28427322c9cb623291c6c5a66c1932181fc6558586
5e7d68c53212f6d467533f105d4a067682e28da47304a53c17b056d2b4404f0a
3ff059a53e38f9fcd24e8d6bf008b4e14733db317857764cfcef736119ff26c9
dcc04adf96045e7227a0e1f1d092919276b21035bcb3c5ed462650ef8d2e7aa3
20e3d4c9223955495d00e72e2fedfe825e9fcda57696a255215895cfba490876
6050d4c1efcf8242382293842313f3a93309f1e449197d98c60cec29090c6bff
1d533ddaefc7859a3f6c6751114e895b7aa5935eb0ed68b01ec61aa8560ae3d9
488ba22d6cb8c9b0310c58fa4c4739692cdf45676c3164b357314322542f9dff
7eeeae1f2fc62653593c7ce254e9cf855905035c2e8f8c0588887cb8e99dd770
d2d08bb2707b635617e5bab0fcd033b6f68a753dd2b3897adca1c627758e686b
d30dbf17078a11c32dd23acea42335860e739c9f18bf0ed611132eef4d5cfcb6
7c578dcdcefe78fb1dd51ac611f6450d9eb5be6c5f1e3363f460321a46be4a39
a40627acae6917787e92f9efa85739136c1670dcc5fe66695e105ddd72d7b80a
5668470c92408f4b9f3a659005c2acca9da8df750cc491bffc88ef640474fa4a
d735c19fc9223e1bc4e625c1f47801d758426fbae89e5086bc56a8d6b1df2011
25e6bf67410dffb95c527c19dcff5223dbc3bf4c987650e45fbea1267072e8ff
f53fd5389b09c6ad289736720e72392dd5f30a1f7822dbc8c7c2e2b655b4dad9
2c2ae3f482d9db2541de0d855b5b12cd18028a94887f0c28acf1e2d6a4f3d4ac
a35e2b21f7f770debcffc79eb4834ec8881465df06cee41af705b6ea5d899978
a7aeeead233fcdfe1c7475db982497a82d8ae745ec1c58bd87215e8869c3f9e4
f0e3562d0438695c7f3af0c280968cfc7134b484010d9ba2aceab944b441b127
f5413c785770400215c3191ea887517b4380ec81be4e5bdc5aea12bf82f9105d
29049e2c7671a7c4fc953cb76e539150cc7c80e1b83c19d0894dfa446ce5276e
2eb7aa306551d693691d14558c5dc4f6d80ef8f69cf466149fbba23953c08f7f
dbdc72a7cfbf03599b95d8f1c47e157da34ea5d2f951cf5f49715e8caab58cd4
de3e25a69ba43b9f236e544ece7f2da82a4fafb4489ad2e263754d9b9d88bc5c
bc846caa05939b085837057bc4b9303357602ece83dc1380191bddd1402d4a2b
44b99603dde822b6b86577e64622e9a2f5b76b6d8bd23a3fe1b4d91b73d0230a
bb24105295588d14c4509ec7374fbe6f7a4821cf4e9d9282754dd666ad7a7ea1

Threat Brief: Shamoon 2 Wave 3 Attacks

Posted on by Unit 42

As part of Palo Alto Networks Unit 42’s ongoing monitoring of the Shamoon 2 situation, we have updated information since our last posting Threat Brief: Second Wave of Shamoon 2 Attacks Reveal Possible New Tactic.

Since that Threat Brief, our Unit 42 researchers have become aware of another wave of Shamoon 2 attacks. This third wave was set to wipe systems using the Disttrack malware on January 23, 2017.

Aside from that difference, this latest wave of Shamoon 2 attacks appears to be the same as wave 1, which wiped systems on November 17, 2016, and wave 2, which wiped systems on November 29, 2016. The wave 3 samples our Unit 42 researchers have analyzed are similar to the other two waves in terms of the attack vectors, payloads and actions taken: there is no new intelligence to share on those.

This latest threat intelligence suggests that Shamoon 2 attacks are an ongoing situation and that additional waves of attack are possible in the future.

Organizations that are concerned about this situation and believe it poses risks to them should perform a risk assessment that considers the following possible actions in response:

  1. Examine all remote access traffic like RDP and SSH and block all unnecessary remote connections.
  2. Alternately, consider blocking all remote access connections to your organization altogether.
  3. Consider forcing a full password-reset organization-wide of all accounts, and especially those with administrative privileges.

In addition, organizations should review their backup strategies and disaster recovery/business continuity plans.

Our Unit 42 research team continues to follow the situation closely and we will provide updates as appropriate.

Farming Malicious Documents to Unravel Ransomware

Posted on by Jeff White

While analyzing a recent malicious Microsoft Word document, it downloaded a ransomware variant, “SAGE 2.0” (Sage Locker), which is a spin-off from CryLock. This ransomware has been slowly making the rounds lately; most notably because a number of these campaigns have been seen delivering both Sage and Cerber ransomware families from the same download locations, sometimes changing between the two periodically throughout the day.

In this blog post, I plan to analyze the distribution infrastructure for the ransomware and enumerate indicators that can be deployed for detection and prevention; however, before I get into the infrastructure, I need to briefly mention how the distribution occurs.

I stumbled across this, not because of the ransomware itself, but due to how the Microsoft Word documents download the ransomware executable. Specifically, these Microsoft Word documents are delivered via e-mail, as usually happens with these types of ransomware campaigns, and launch a PowerShell process to download the actual ransomware using an evasion technique I’ve been monitoring. The idea behind the evasion technique is to bypass pattern or string matches that prevent process launching by using the Windows command-line escape caret character injected between your regular characters to break up commands such as “powershell” and “executionpolicy” – below is an example of this.

If, for example, you tried to block “powershell”, it would fail because the carets have broken up the word, but it will have no impact on Microsoft Window’s actual processing of it. The Microsoft Word document contains an obfuscated macro that puts together this command and executes it, which subsequently downloads the ransomware file and runs it. Nothing mind bending but, despite its attempt to evade detection and prevention, it actually stands out more and has the reverse effect.

Pivoting off of this path in the URL “read.php?f=0.dat”, I was able to use Palo Alto Networks AutoFocus to quickly identify 9,107 unique Microsoft Word document since December 15th, 2016 that matched this pattern in their dynamic process activity. From there, I was able to extract all of the download locations being used by this campaign from the identified samples.

To determine if there were any underlying correlations at the registrant level, I pulled WHOIS data for all of the identified domains and, sure enough, another pattern begins to emerge.

unraveling_1

Figure 1 Connections between delivery domains.

What you see in Figure 1 are five clusters of domains: the light green represent the Name of the person who registered the domain and the dark gray represents the persons e-mail. For each “person” there are multiple domains that are tied to that identity.

With this information in hand, I used the e-mails to continue pivoting and pulled every domain these identities have registered. To my surprise, there were 574 total domains, with each one having between 125-160 except for the “dns at unit.org[.]hk” address, which has just nine.

Now, with just a quick review of some of these domains you can get a feel for the general malicious nature of them through the abundant amount of domains masquerading as other companies, whether for phishing or evasion purposes.

Using this new list of domains, I was able to go back through AutoFocus and further enumerate another 12,422 samples, all showing similar activity to the previous documents.

Below are examples of each variation of their download command and unique URL path.

“search.php”

“read.php?f=1.dat”

“read.php?f=404”

“admin.php?f=0.dat”

“admin.php?f=1.jpg”

This next one is particularly interesting as it was serving Locky instead of Sage or Cerber. The first instance of this was on December 9, six days before the Sage and Cerber campaigns described in this post began.

Another thing to note is that it uses a different PowerShell command but the actor(s) behind it still used the “read.php?f=X.dat” format during the download.

“read.php?f=3.dat”

Last, but not least, there was samples starting on August 6, 2016 which used yet another iteration to download the ransomware. This one uses BITS to transfer the file as opposed to PowerShell and drops the file with a screensaver “scr” extension instead of the previously seen executable “exe” in newer iterations.

“admin.php?f=1.exe”

After going over the files and scraped data from dynamic analysis reports, it’s clear the actor(s) behind this campaign have a pattern they like to follow. Regardless of ransomware variant, these small trails can allow us to unravel a larger infrastructure and generate more actionable data for current and, possibly, future threats.

Palo Alto Networks customers are defended by this threat in the following ways:

  • The domains used to delivery this malware and used in related attacks are blocked through Threat Prevention
  • WildFire identifies files using these techniques as malicious
  • AutoFocus users can identify related activity using the PowerShellCaretObfuscation and CerberSage_Distribution

Below is a summary of indicators that can be used for detection and prevention.

Enumerated Paths:

Direct ransomware download URLs:

Enumerated Domains:

Updated March 15, 2023, at 9:30 a.m. PT. to update CryLocker to CryLock.

Exploring the Cybercrime Underground: Part 3 – Into the RAT Nest

Posted on by simon-conant

In this third part of Unit 42’s Cybercrime Underground blog series, we’re taking a slightly different approach. In this blog we begin with data from a real attack in the wild, and use the evidence from that attack to make a connection back to underground forums and the actors who are using them.

Rather than starting from an attack we had already explored, we looked into a third-party research report linking an Adwind malware sample to a specific command and control (C2) domain and loosely associating a number of other domains.

Using Autofocus, we found an additional dozen samples on the same C2 – almost all of which were instead the LuminosityLink Remote Access Tool (RAT) – itself the subject of a recent Unit 42 report. RATs, Remote Access Tools, are sometimes defended as legitimate utilities but in fact are most typically used for illegitimate, unauthorized access, to control malware-infected systems. From there we dived into associated infrastructure, and underground forums, to see what connections we might find.

Linking Command and Control Infrastructure

We identified five further C2 domains contextually linked with the same naming scheme as the noted Adwind sample, but using different Dynamic DNS root domains. These led us further to additional IP addresses, themselves associated with other known malware C2s. Of immediate interest, not only were these C2s linked, but almost every C2 observed currently resolving to those IP addresses all appeared to be using similar dynamic DNS services.

Figure 1 shows the cluster of Dynamic DNS C2s (right) resolving to the IP addresses associated with the initial C2 investigation (left). We found several thousand files in Autofocus that connected to this infrastructure – every one of them malware.

ratnest_1

Figure 1 Dynamic DNS domains and IP clusters

The linked C2 domains include a handful of first-party and apparently-compromised domains, but are predominantly dynamic DNS. These dynamic DNS providers include abused, legitimate commercial services (e.g. NoIP, DynDNS), and what appears to be purposely-misleading and/or underground services (such as alcatelupd[.]xyz, appleupdate[.]xyz, fagdns[.]net) (Figure 2).

The malware we observed on this infrastructure was almost uniquely commodity RATs including DarkComet, DarkTrack, LuminosityLink, NJRAT, ImminentMonitor, NanoCore, Orcus, NetWireRAT, BabylonRAT, Remcos, ZyklonHTTP, SandroRAT, RevengeRAT, SpyNote, QuasarRAT, and HWorm.

ratnest_2

Figure 2 Dynamic DNS including legitimate providers and deliberately misleading base domains

Abusing legitimate dynamic DNS providers gives the actors a quick, easy, and reliable service – but with the risk of rapid takedown of their infrastructure if abuse is detected by or reported to the dynamic DNS provider. This has created a marketplace for shady home-grown dynamic DNS services which advertise on underground forums that they ignore such abuse. Figure 3 is an example of an underground forum member recommending such a service, over that of a legitimate commercial one.

picture3

Figure 3 Recommending an Underground service over a legitimate commercial one.

We observed clusters of such hosts contextually-linked across multiple domains, for example:

This not only groups activity, but suggests multiple actors are using this infrastructure. Several of those hosts were observed sharing multiple IP addresses already identified in this cluster, further linking the activity. Additionally, this expands on prior Unit 42 research into the LuminosityLink RAT, corroborating those C2s and contributing to further context on them.

Marketplace

The next question is, who is operating these dynamic DNS services, and where are they selling them. Using open source data and information from underground forums, we are able to connect some of these dots.

A Swede in his 30s, Gustaf, runs “ra4wvpn”, which offers domains, hosting, and a VPN service.

John, “Armada”, a Canadian also in his 30s and one of the persons behind the Orcus RAT (subject of another recent Unit 42 report) owns several of the C2 root domains and offers a paid DNS service advertised on underground forums.

“LaPanthere” runs fagdns. He insists that his service does not tolerate abuse (despite the context of where the service is advertised). His ISP suspended fagdns[.]com for abuse, he returned with fagdns[.]su registered elsewhere – but his reputation took a hit as he now appears somewhat gun shy:

collage_1And other underground providers face a similar fate – Punkbastard’s free service was discontinued when his domain was suspended by his provider, for abuse:

ratnest_9

Although LaPanthere advertises his service on an underground cybercrime forum, he protests that his service is legitimate – and suggests that those interested in illegal activities might want to consider the paid service of the Canadian, Armada, with a helpful flow chart:

ratnest_10

The domains of just two of these dynamic DNS providers alone are contacted by almost 3000 unique malware samples identified in our Autofocus service. As well as providers advertising their services on the underground forums, other forum members author advice and step-by-step tutorials, assisting technically unsophisticated miscreants in setting up their RAT systems. More details on this topic were covered in part two of this series. The below figures corroborate how threat actors collaborate in such forums by sharing attack methodologies and also buying and selling such services.

ratnest_11

ratnest_12

ratnest_13

ratnest_14

ratnest_15

 

screen-shot-2017-01-26-at-11-12-07-am-2-copy

Several forum actors offer complete setup services, at fairly low prices:

ratnest_18

Attribution

We observed malware using the same C2 that originated this investigation being spread in email attacks. These appeared to be high-volume and indiscriminate, including both corporate targets and free-email-service addresses. Each email was sent to 16 recipients; the recipient list throughout the campaigns incrementing alphabetically, suggesting strongly they are simply parsing a huge email address database.

We observed these emails sent from an email address at a legitimate Nigerian commercial organization – confirmed by its Nigerian IP address to be the actual originating domain, and not spoofed. The attacks leveraged content and filenames referencing that organization. This is most likely explained by either a compromised account or system, or possibly an insider. In other words, this is likely an example of true Business Email Compromise (BEC) as opposed to the less sophisticated, trickery-only Business Email Spoofing (BES).

We noted a domain using the same naming pattern as the C2 in the original report registered for a few days in 2015, before being suspended for abuse. The WHOIS was apparently false, but with some interesting links:

Registrant Name: Roger Lougheed
Registrant Street: 200 Florida Ave Tavernier, FL 33070
Registrant City: Tavernier
Registrant State/Province: Florida
Registrant Postal Code: 33070
Registrant Country: Nigeria
Registrant Phone: +1.3128699324
Registrant Email: jmcoru@yahoo.com

As well as another Nigerian reference, the registrant email address resolves to the Skype account “mikescotoru1”. This handle is found at a handful of coding/malware forums. Dropping the “1”, “mikescotoru” is found at other underground forums, including some very contextual links:

ratnest_19

Further posts suggest a rather unsophisticated user, asking very basic questions, and purchasing the pieces for his campaigns. The handle “jmcoru” is less unique, but also found on various underground hacking and website hosting forums.

Conclusion

Starting from a third party’s research report, we were able to use Autofocus and open-source intelligence to connect a real world attack to a series of actors operating malicious Dynamic DNS services and offering training and tools to help unskilled actors launch these attacks.

The original report suggested that this was “a wave of persistent attacks against a number of commercial and non-commercial organizations”, characterized the observed activity as “refined APT campaigns”, and went on to conclude that that this was part of “small-scale, targeted attacks with small infrastructure”.

Through our research, we instead understand that this specific malware was spread by an unskilled, opportunistic, financially-motivated Nigerian criminal. When we inspected email-borne attacks for samples on the original C2, the recipients more closely resembled indiscriminate, wide-scale targets.

The infrastructure further led us away from attribution of this as APT activity, instead revealing low-sophistication “service providers” on underground forums, sharing of best practices and tutorials among script kiddies, and end-to-end full-service operations providing entire RAT system setups for even the least capable aspiring cyber criminal.

Thanks to Brandon Levene and Jeff White for assistance in reviewing unknown malware seen on this infrastructure.

IOCs

As well as specific C2 host names / IPs, we also identified multiple malicious DNS providers / domains with multiple C2s.

Palo Alto Networks customers are protected from this threat in the following ways:

  1. WildFire accurately identifies all malware samples using this infrastructure as malicious.
  2. C2s and malicious Dynamic DNS provider domains identified in this investigation are flagged as malicious by Threat Prevention.
  3. AutoFocus users can view malware using known malicious Dynamic DNS providers using the “AbusedDynamicDNSProvider” tag.

You can download a copy of associated IoCs here.

Threat Brief: Second Wave of Shamoon 2 Attacks Reveal Possible New Tactic

Posted on by Unit 42

Palo Alto Networks Unit 42 threat intelligence team has just released new research that has uncovered a previously unknown second wave of Shamoon 2 attacks: Second Wave of Shamoon 2 Attacks Identified

Based on our analysis, these attacks were timed to occur on November 29, 2016, twelve days after the initial Shamoon 2 attacks that we wrote about previously.

Like the initial Shamoon 2 attacks, this second wave of Shamoon 2 attacks utilize the Disttrack wiper malware. Disttrack is optimized to destroy systems by targeting their hard drives and to spread as widely as possible throughout a network it’s infiltrated. And once again, the Disttrack malware was configured to operate without any command and control (C2) servers, essentially optimized for a one-way mission of data destruction.

But this second wave of Shamoon 2 attacks show evidence of potential new tactic. Unit 42 analysis shows that the latest sample contains credentials for virtual desktop infrastructure (VDI) solutions, such as Huawei’s FusionCloud. VDI solutions can provide protection against a destructive malware like Disttrack through the ability to load snapshots of wiped systems to recover from a wiper attack. The presence of these credentials in the sample may suggest that attackers intended to increase the impact of their attack by not only wiping systems but also carrying out destructive activities against the VDI deployment, as well as any snapshots.

In essence, a manual destructive attack against the VDI deployment and snapshots coupled with the destructive attack by the malware could destroy an organizations’ systems and primary line of backup against such an attack.

The possible targeting of VDI solutions with legitimate credentials (either stolen or default) represents an escalation in tactics not only in this specific attack but other future attacks. Security teams and administrators should be aware of and take immediate steps to evaluate this development and consider adding additional safeguards to protect credentials related to their VDI deployment.

Full technical details including associated indicators of compromise (IOCs) that can be used for more detailed analysis and protection, can be found the full report.

Palo Alto Networks customers are protected from the Disttrack payload used in this attack:

  • WildFire properly classifies Disttrack samples as malicious
  • Threat protection AV signature of Virus/Win32.WGeneric.ktoto detects the new payload.

AutoFocus customers can monitor Disttrack activity using the Disttrack tag

Campaign Evolution: EITest from October through December 2016

Posted on by Brad Duncan

EITest is a name originally coined by Malwarebytes Labs in 2014 to describe a campaign that uses exploit kits (EKs) to deliver malware. Until early January 2016, "EITest" was used as a variable name in the attacker’s malicious injected script in pages on legitimate websites compromised by this campaign. While the variable name is gone, the name for the campaign remains: we still call this campaign "EITest" and it continues to use EKs to distribute a variety of malware.

We reviewed EITest in March 2016 and October 2016. However, the EITest campaign looks noticeably different than when we last reviewed it three months ago.

The EITest campaign is focused on the Delivery, Exploitation, and Installation phases of the cyber attack lifecycle. The way the attacker executes each of these phases changes over time, and this blog examines the changes during the last quarter of 2016. Two significant changes have occurred during this time.

  • Since our last report, EITest no longer uses a gate between the compromised website and the EK landing page (possibly in response to that report).
  • Script injected by the campaign into pages on legitimate websites no longer contains any obfuscation.

Perhaps the most interesting thing about EITest is its longevity.  People have been tracking this campaign since 2014, and its longevity suggests that despite the shifting EK landscape, EKs remain a profitable venture for the criminals involved.

Chain of Events

Successful infections by the EITest campaign generally follow a set sequence of events. It currently uses at least two variations of Rig EK to deliver a variety of ransomware. The infection sequence is similar to other campaigns utilizing EKs to distribute malware. To understand how campaigns use EKs, see our previous blog on EK fundamentals. For EITest, we see the following steps:

  • Step 1: Victim host views a compromised website with malicious injected script.
  • Step 2: The injected script generates an HTTP request for an EK landing page.
  • Step 3: The EK landing page determines if the computer has any vulnerable browser-based applications.
  • Step 4: The EK sends an exploit for any vulnerable applications (for example, out-of-date versions of Internet Explorer or Flash player).
  • Step 5: If the exploit is successful, the EK sends a payload and executes it as a background process.
  • Step 6: The victim's host is infected by the malware payload.

For most of its history, EITest has used a gate between the compromised website and the EK landing page. However, the EITest campaign has stopped using a gate after we published our previous blog about it on October 3, 2016.  Since then, injected script from this campaign links directly to an EK landing page. Gates are no longer used by EITest.

eitest_1

Figure 1: Chain of events for the EITest campaign as of October 3, 2016.

EITest and Rig EK

The EITest campaign still uses Rig EK to deliver its malware. Our research shows EITest most often uses a variant of Rig EK called Empire Pack. Many in the community refer to Empire Pack as "Rig-E" to distinguish it from other variants and still emphasize its relationship to the original Rig EK.  Empire Pack uses the same URL patterns we've seen from Rig EK since late March 2015, while other variants of Rig EK like Rig-V (an improved "VIP" version or Rig) and Rig standard moved on to different URL patterns.

Of note, the variant of Rig EK that EITest uses depends on the payload it delivers. Most EITest payloads are sent using Rig-E.  However, EITest has used Rig-V to distribute ransomware like Cerber or CryptoMix (also known as CryptFile2).

Payloads sent by EITest

Since October 2016, the EITest campaign continues using Rig EK to distribute a variety of malware.

We occasionally see ransomware like Cerber or CryptoMix from the EITest campaign. More often, the campaign will distribute information stealers like Gootkit or the Chthonic banking Trojan. EITest has also delivered other types of malware like Ursnif variants and Latentbot.

Patterns of injected script

When we last examined injected script by the EITest campaign, it still used obfuscation to disguise the EK landing page URL.  By October 15th 2016, EITest stopped obfuscating URL within the injected script.  Figure 3 shows the injected script shortly before the change.  Figure 4 shows the injected script shortly after wit an unobfuscated landing page URL.

eitest_2

Figure 3: Injected EITest script in page from a compromised website on October 13th, 2016.

eitest_3

Figure 4: Injected EITest script in page from a compromised website on October 17th, 2016.

Throughout the rest of 2016, injected script from EITest hasn't changed that much, as seen in Figure 5.

eitest_4

Figure 5: Injected EITest script in page from a compromised website on December 30th, 2016.

Conclusion

EKs are still a popular method to distribute malware. Campaigns like EITest continue to use EKs to deliver a variety of malware, including information stealers and ransomware. These campaigns do not have a specific target and anyone with a Windows system that’s out of date or has out of date applications is vulnerable to infection.

As the EK model of distribution remains profitable, we expect to see malware delivered by EKs through campaigns such as EITest. Domains, IP addresses, and other indicators associated with this campaign are constantly changing. Fortunately, EKs are relatively ineffective against people using a fully-patched Windows operating system who ensure their applications are all up-to-date. Furthermore, customers of Palo Alto Networks are protected from the EITest campaign through our next-generation security platform.

 

Second Wave of Shamoon 2 Attacks Identified

Posted on by Robert Falcone

In November 2016, we observed the reemergence of destructive attacks associated with the 2012 Shamoon attack campaign. We covered this attack in detail in our blog titled Shamoon 2: Return of the Disttrack Wiper, which targeted a single organization in Saudi Arabia and was set to wipe systems on November 17, 2016. Since our previous publication, we have found  another, similar but different payload used to target a second organization in Saudi Arabia that was configured to wipe systems twelve days later on November 29, 2016. This latest attack potentially materially impacts one of the primary countermeasures employed against wiper attacks: Virtual Desktop Interface snapshots.

The payload used in this attack was very similar to the November 17, 2016 payload, but exhibited slightly different behaviors and contained hardcoded account credentials specific to the newly targeted organization. The hardcoded account credentials met Windows password complexity requirements, which suggests that the threat actors obtained the credentials through a previous, separate attack, similar to the November 17, 2016 attack.

The most notable thing about this latest sample is that it contains several usernames and passwords from official Huawei documentation related to their virtual desktop infrastructure (VDI) solutions, such as FusionCloud. VDI solutions can provide some protection against a destructive malware like Disttrack through the ability to load snapshots of wiped systems. The fact that the Shamoon attackers had these usernames and passwords may suggest that they intended on gaining access to these technologies at the targeted organization to increase the impact of their destructive attack. If true, this is a major development and organizations should consider adding additional safeguards in protecting the credentials related to their VDI deployment.

At this time, we have no details of the attack we believe preceded this Shamoon attack to obtain credentials. We also have no details on the delivery method used to deliver the new, similar, but different Disttrack payload in this attack.

The Second Shamoon 2 Attack

This second known attack associated with Shamoon 2 also used the Disttrack payload, albeit a new, similar but different one from the original Shamoon 2 attack. Specifically, it used a 64-bit variant that was configured to begin its destructive activities on November 29, 2016. Like the Disttrack sample used in the first reported Shamoon 2 attack, it including a wiper and communications module stored in resources within the executable.

Table 1 below shows that the method the Disttrack payload uses to extract and decrypt the modules from resources is the same; however, the resource names changed from “X509”, “PKCS7” and “PKCS12” to “LANG”, “MENU” and “ICO”.

Component Resource Name Offset Size Base64 key
Wiper LANG 94399-14 = 94385 563712 OWRKbTxrleYfLm…
Communications MENU 218709-14 = 218695 187904 QsCfQA6ze9CoOz…
Unknown ICO Unknown Unknown ijX7buB1FIjSn/0D…

 

Our efforts to decrypt the “ICO” resource have thus far been unsuccessful as the Disttrack payload has an associated key but does not contain code that decrypts and extracts this resource.

Propagation Inside Compromised Networks

Similar to the previous attack, the Disttrack payload in this attack spreads to other systems on the local network (/24 network specifically) by logging in using legitimate domain account credentials, copying itself to the system and creating a scheduled task that executes the copied payload. While this method is the same as discussed in our previous blog, the account credentials used in this attack were specific to the targeted organization and the file names used when copying the payload to remote systems were different.

Legitimate User Accounts

There were 16 account credentials found hardcoded within the Disttrack payload, appearing to be a mixture of individual user accounts and broader administrator accounts. All but one of the passwords met Windows complexity requirements, specifically, containing uppercase and lowercase characters, and either a number, symbol, or both. One of the general administrator accounts seen in this payload was also in the Disttrack payload in the first Shamoon 2 attack from November 17, 2016, which may not be specific to the targeted organization and instead used as an attempt to guess the login credentials. Based upon the existence of these credentials, it is highly likely the threat actors had carried out a previous attack to obtain these account credentials, as it is unlikely that these passwords were guessed or brute forced.

As noted earlier, a new development with this latest Disttrack payload is that several of the usernames and passwords are found within official documentation as administrator accounts for Huawei’s virtualized desktop infrastructure (VDI) products, such as FusionCloud. This may suggest that the targeted organization used these credentials when deploying Huawei VDI systems. Shamoon actors may have obtained these credentials from a prior attack; however, it is also possible that the actors included these default usernames and passwords as an attempt to guess the login credentials to the VDI infrastructure.

VDI solutions can provide some protection against a destructive malware like Disttrack through the ability to load snapshots of wiped systems. Also, since FusionCloud systems run a Linux operating system, which would not be susceptible to wiping by the Windows-only Disttrack malware, this could be seen as a reasonable countermeasure against attacks like Shamoon. However, if the attacker was able to log into the VDI management interfaces using the account credentials they could manually carry out destructive activities against the VDI deployment, as well as any snapshots. The targeting of VDI solutions with legitimate, stolen or default credential represents an escalation in tactics that administrators should be aware of and take immediate steps to evaluate and address.

New Disttrack Names

The filenames that the payload copies itself to within the System32 folder of the remote system differs from the previously reported attack, specifically using “ntertmgr32.exe” for 32-bit or “ntertmgr64.exe” for 64-bit systems. The scheduled task executes these files on the remote system, which results in the creation of a Disttrack service named “NtertSrv” compared to the service name “ntssrv” created by the Disttrack payload used in the November 17, 2016 attacks. This can be seen in Figure 1.

shamoon_1

Figure 1 Disttrack service created on systems during propagation

Command and Control

The communications module used in this attack is rather hobbled, as it was configured without an operational command and control (C2) server to communicate with. The lack of an operational C2 is much like the November 17, 2016 attack that had the IP address “1.1.1.1” within its configuration to use as a C2 server. Unlike the non-operational C2 of “1.1.1.1” used in the first Shamoon 2 attack, this communications module completely lacked any IP address or domain name for a C2 server within its configuration.

Also, in this sample, Disttrack did not save its communications module to the system using the filename “netinit.exe” like in the original attack, rather it chose a random name from the following list:

• caiaw00e.exe
• sbuvideo.exe
• caiaw00i.exe
• olvume.exe
• usinwb2.exe
• briaw005.exe
• fpwwlwf.exe
• epiaw003.exe
• briaw002.exe
• olvsnap.exe
• dmwaudio.exe
• briaw006.exe
• miWApRpl.exe
• caiaw00b.exe
• lxiaw003.exe

Lastly, the communications module also uses different file names than the original Shamoon 2 attack. Instead of setting a custom “kill time” in a file named “usbvideo324.pnf” within the “%WINDOWS%\inf” folder, it uses a file name of “dcT21x400i.pnf”. It also would send the C2 server the contents of a file named “vsfnp7_6.pnf” from the folder “%WINDOWS%\inf” instead of “netimm173.pnf”.

Destruction

Much like the initial attacks, the lack of an operational C2 server suggests that the threat actor’s sole intention for carrying out this Shamoon 2 attack was to destroy data and systems. Without an operational C2, the actor would be unable to issue a command to set a custom “kill time” when the Disttrack payload would begin wiping systems, which would force the payload to rely on its hardcoded “kill time”. The hardcoded date suggests that this attack was set to begin wiping systems on November 29, 2016 at 1:30 AM local Saudi Arabia time.

Unlike the previous Shamoon attacks that occurred on a holiday and over a weekend, this kill time occurred during the work week, as November 29, 2016 was a Tuesday. However, it appears this attack attempted to maximize its impact by occurring very early in the morning before the majority of the organization’s staff were on site. This aligns with the Shamoon actors conducting their attacks off-hours to increase the efficacy of the attack by increasing the timeframe of detection and response.

When Disttrack observes the system clock exceeding the “kill time”, it will save its wiper component to the system using one of the following randomly chosen filenames:

• pdwmtphw.exe
• caiaw00a.exe
• sdwprint.exe
• caiaw00d.exe
• kyiaw002.exe
• sdwscdrv.exe
• briaw00a.exe
• saiaw002.exe
• _mvscdsc.exe
• hdvmp32.exe
• _s3wcap32.exe
• hpiaw001.exe
• lxiaw004.exe
• cniaw001.exe
• lxiaw006.exe
• caiaw00f.exe
• newtvsc.exe

When executed, the wiper component will extract a kernel driver from its resource section and decrypt it with a 172-byte XOR key. The wiper saves the kernel driver (SHA256: 5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a) to the “Windows\System32\Drivers” folder in a file named “vdsk911.sys”. The wiper then uses this file to create a kernel driver service named “vdsk911”, as seen in Figure 2.

shamoon_2

Figure 2 RawDisk kernel driver service created by Disttrack wiper

The kernel driver is the 64-bit version of the commercial RawDisk driver by EldoS Corporation, which is the exact same file as the “drdisk.sys” driver extracted from the Disttrack 64-bit payload in the ‘X509’ resource in the first reported Shamoon 2 attack. The Disttrack payload will use this kernel driver to access the master boot record (MBR), partition tables and files and folders on the system to overwrite them with the same image of the deceased Syrian boy as in the previous Shamoon 2 attack.

During our analysis, we again observed the wiper setting the system time to a random date between August 1 and August 20, 2012, as seen in Figure 3. As mentioned in our previous blog, the reason the wiper sets the system time to this random date in August 2012 is due to a temporary license key needed to use the RawDisk kernel driver. The temporary license key used in this attack is the exact same as the first attack.

shamoon_3

Figure 3 Wiper changing the system date to a random date in August 2012

Since our original blog, we’ve successfully decrypted the license key, which can be seen in Figure 4. The expiration date in the temporary license key is an 8-byte field (highlighted by the orange box) that corresponds to Microsoft’s FILETIME structure, which represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). In the temporary license key used in all of the Shamoon related attacks, the expiration date was set to August 30, 2012 at 8:34:29 UTC, which is the reason the wiper sets the system time to a random day between August 1 and August 20, 2012. Also, we found that the temporary license key was registered to “binnatova@bsunanotechnology.com”. We are unsure how this email address is involved with Shamoon, as it was likely compromised back in 2012 and used by the actor to obtain the temporary license for RawDisk.

shamoon_4

Figure 4 RawDisk temporary license decrypted showing August 2012 expiration date

After the MBR, partition tables and files are overwritten, the wiper issues the command of “shutdown -r -f -t 2” to reboot the system, which is the same command as used in the first Shamoon 2 attack. Figure 5 shows the dialog box that pops up as a result of this command, which will be followed by a system reboot.

shamoon_5

Figure 5 The shutdown dialog box opened just before reboot of a Windows 7 system wiped by Disttrack

The purpose of rebooting the system remains the same, as the portions of the hard disk and filesystem needed to successfully boot the system were overwritten with a JPEG image, the system is no longer able to start up. Figure 6 shows the result of this reboot in an analysis virtual machine, as the operating system could no longer be found.

shamoon_6

Figure 6 System unable to find its operating system

The operating system fails to load as the MBR is overwritten with a JPEG image. As seen in Figure 7, sector 0 of the physical hard disk, which normally stores the master boot record now contains the beginning of a JPEG file marked by the “JFIF” magic bytes in the two orange boxes.

shamoon_7

Figure 7 Hexdump of sector 0 of the physical showing the MBR overwritten with a JPEG file

Conclusion

We analyzed a second Disttrack payload associated with Shamoon 2, which suggests that the threat actors targeted a second Saudi Arabian organization in this attack campaign. The actors used the Disttrack payload to spread to other systems on the local network using legitimate credentials. The legitimate credentials were specific to the targeted organization and were complex enough to suggest that the threat actors carried out a previous attack to obtain the credentials. Also, the actors hardcoded credentials found in Huawei’s official documentation for its VDI solutions, suggesting that the threat actors may have had access to appliances hosting the infrastructure. The Disttrack wiper was set to begin overwriting systems on November 29, 2016 at 1:30 AM, which aligns with the Shamoon actor’s tactic to maximize its impact by attacking at a time when the targeted organization would have less staff and resources available onsite.

Palo Alto Networks customers are protected from the Disttrack payload used in this attack:

  • WildFire properly classifies Disttrack samples as malicious
  • Threat protection AV signature of Virus/Win32.WGeneric.ktoto detects the new payload.
  • AutoFocus customers can monitor Disttrack activity using the Disttrack tag

Indicators of Compromise

Hashes

010d4517c81bcdc438cb36fdf612274498d08db19bba174462ecbede7d9ce6bb (64-bit Disttrack)
efd2f4c3fe4e9f2c9ac680a9c670cca378cef6b8776f2362ed278317bfb1fca8 (Communication)
113525c6bea55fa2a2c6cf406184092d743f9d099535923a12cdd9b9192009c4 (Wiper)
5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a (vdsk911.sys)

Filenames

ntertmgr32.exe
ntertmgr64.exe
vdsk911.sys
dcT21x400i.pnf
vsfnp7_6.pnf
caiaw00e.exe
sbuvideo.exe
caiaw00i.exe
olvume.exe
usinwb2.exe
briaw005.exe
fpwwlwf.exe
epiaw003.exe
briaw002.exe
olvsnap.exe
dmwaudio.exe
briaw006.exe
miWApRpl.exe
caiaw00b.exe
lxiaw003.exe
pdwmtphw.exe
caiaw00a.exe
sdwprint.exe
caiaw00d.exe
kyiaw002.exe
sdwscdrv.exe
briaw00a.exe
saiaw002.exe
_mvscdsc.exe
hdvmp32.exe
_s3wcap32.exe
hpiaw001.exe
lxiaw004.exe
cniaw001.exe
lxiaw006.exe
caiaw00f.exe
newtvsc.exe

Service Names

NtertSrv
vdsk911

2016 Updates to Shifu Banking Trojan

Posted on by Dominik Reichel

Overview

Shifu is a Banking Trojan first discovered in 2015. Shifu is based on the Shiz source code which incorporated techniques used by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but later including the UK, Italy, and others.

Palo Alto Networks Unit 42 research has found that the Shifu authors have evolved Shifu in 2016. Our research has found that Shifu has incorporated multiple new techniques to infect and evade detection on Microsoft Windows systems. Some of these include:

  • Exploitation of CVE-2016-0167 a Microsoft Windows Privilege Escalation vulnerability to gain SYSTEM level privileges. Earlier versions of Shifu exploited CVE-2015-0003 to achieve the same goal
  • Use of a Windows atom to identify if the host is already infected with Shifu in addition to the mutex used by previous versions
  • Use of “push-calc-ret” API obfuscation to hide function calls from malware analysts
  • Use of alternative Namecoin .bit domains

We have also identified new links between Shifu and other tools which suggest Shifu isn’t simply based on the Shiz Trojan, but is probably the latest evolution of Shiz.

The primary goal of this report is to introduce Shifu’s new features to other malware analysts who may encounter this Trojan in the future. The following sections give an overview of the new features, and the appendix at the end includes the technical details on the overall functionality of Shifu.

New Developments and Features in Shifu

The Shifu version discussed in this analysis is comprised of several stages of payloads and was compiled in June 2016. The following image illustrates the different files included in the initial loader which get decrypted after execution:

shifu_1

Figure 1. File structure of Shifu

The initial obfuscated loader (x86 exe) contains the encrypted second stage injector (x86 exe). It uses three layers for decryption by subsequently allocating memory via VirtualAlloc() for the next layer. The second stage injector gets decrypted into memory and the original loader process is then overwritten with it. Next, the section flags are adjusted and the IAT addresses are resolved. The final decryption layer then jumps to the entry point of the second stage injector.

The second stage injector contains two exploits for CVE-2016-0167 (x86/x64) that have a compilation time stamp dated February, 2016. At the time of compilation, patches were not yet available for this vulnerability. However, the malware’s compilation time stamp dates June 2016. This may indicate the people behind this Shifu version had access to the zero-day exploit at that time or gained access to it afterwards. The exploit uses an interesting technique which makes it possible to just copy the raw disk file into memory. To make the file executable in memory, it uses a custom PE loader shellcode appended to both versions of the exploit as an PE overlay. The shellcode takes care of all the adjustments needed to get a proper executable memory image and executes the exploit. By doing so, the file just needs to be copied into a memory buffer and execution needs to be passed to the shellcode.

We have also found multiple other variants of the exploit, standalone versions (x86/64), but also versions which are embedded in an injector like in Shifu. Additionally, we identified a version of Vawtrak which contains an earlier version of the exploit dating back to November 2015, according to the compilation time stamp. The compilation time stamp of this Vawtrak sample itself dates January 2016 and thus is effectively the first malware known to us to use this exploit.

The second stage injector contains several anti-analysis tricks similar to the previous version. It also contains two command line parameters with functionality that indicate the malware is still in development. Further, the second stage injector uses an atom to check if the system is already infected, instead of using a mutex like most of the malware today. The use of atoms is not a new technique, but still not very widespread.

The main payload is encrypted and packed inside the .tls section of the second stage injector. It first gets decrypted and then unpacked with the aPLib compression library. As persistence method, the main payload copies the initial loader to the AppData folder and creates a Jscript file inside the Startup folder which points to it. The second stage injector injects the main payload inside a x86 instance of svchost and patches its API function calls with an obfuscation technique to make static and dynamic analysis of the malware more difficult.

Compared to the previous version, the main payload contains some updates. This includes the strings to search on the victim’s system, the browser target list, and the bot commands. The main payload uses .bit top-level domains to contact its C&C server. The domain names, the user-agent string and the URL parameters are encrypted with a modified RC4 encryption algorithm. The domain names indicate that the attackers may be either located in Ukraine or have a Ukrainian background.

Unfortunately, at the time of the analysis the C&C server didn’t respond with any commands and thus further analysis of the targeted financial institutions wasn’t possible. This information would be normally downloaded into a configuration file on the victim’s disk. For some of its functionality, the main payload hooks some API functions inside the svchost.exe process into which it is injected. Further, it uses the Apache web server for the web injections. If it was successfully downloaded from the C&C server, the malware makes use of a layered service provider to hook into the Winsock API for intercepting and modifying inbound and outbound Internet traffic. It also contains the normally used methods to hook into the browsers networking functions found in many other banking Trojans.

Both the second stage injector and the main payload contain a lot of strings which are never used. This indicates the author(s) were either in a rush to build the malware or the development was done in a sloppy way.

Instead of the string “IntelPowerAgent6” seen in the last version, this sample contains the string “IntelPowerAgent32” which is never used. In addition to the atom created by the second stage injector to check if the system is already infected, the main payload also creates a mutex with a name based on the same procedure to create the name for the atom (see Appendix). However, the mutex uses a hardcoded prefix named “DAN6J0-” before the byte sequence that is also used for the atom string: “{DAN6J0-ae000000d2000000e100}”

shifu_2

Figure 2. Shifu mutex and the associated svchost process

Shifu, Shiz and Other Related Tools

The Shifu banking Trojan is mainly based on the Shiz/iBank source code, which is one of the oldest banking Trojans still in the wild today. Shiz was first discovered in 2006 and has been through several stages of development since that time. It began as a banking Trojan which only focused on Russian financial institutions. Later, it also began targeting an Italian bank which may have set the stage for a more international focus. The internal versions we have tracked over the last five years ranged from generation 2 to 4 (2011) and 5 (2013/2014). The fifth generation of Shiz was the last one we saw in the wild in 2014 (last internal version was 5.6.25) and it differs from the 4th generation in the coding style. It looks like it was developed by another coder, which could indicate the source code was sold or shared. The query string used to contact the C&C server of one of the very first versions of the fifth generation supports our theory:

botid=%s&ver=5.0.1&up=%u&os=%03u&ltime=%s%d&token=%d&cn=reborn&av=%s

We can see that the campaign name (cn) contains the string “reborn”.

Shifu was first discovered in the wild in the middle of 2015 and we believe it's the evolution of the 5th generation of Shiz with a more international focus.

We have not only tracked the Shiz banking Trojan over the last couple of years, but also found several additional malware tools allegedly from the same author(s). Collected samples indicate the author(s) have developed a whole set of financially related malware. It’s not clear if the author works as part of a group or uses the malware themselves. These tools are mainly based on the source code of the fifth generation of Shiz.

We have connected these tools together because they all contain a PDB path that has the same root folder:

Z:\coding\...

Furthermore, most of the tools are based on the Shiz source code, because the coding style and used API functions are very similar. Also, comparing the code between the tools with BinDiff shows a high degree of similarity. Moreover, those tools with network functionality contain query strings similar to the one in Shiz to contact their C&C server.

As our colleagues from FireEye described last year, the PDB path found in Shifu is as follows:

Z:\coding\project\main\payload\payload.x86.pdb

Other tools we have identified have the following PDB paths and are likely from the same author(s):

Z:\coding\cryptor\Release\crypted.pdb

Z:\coding\malware\tests\Release\cryptoshit.pdb

Z:\coding\malware\RDP\output\Release\rdp_bot.pdb

Z:\coding\malware\ScanBot\Release\bot.pdb

The malware internally named "cryptor" contains an encrypted sample of BifitAgent, the first malware known to attack the financial software from BIFIT. While it's possible that BifitAgent is developed from the same person, we haven't found any indications for that. According to the compilation time stamps, most of the samples were created in October/November 2013.

The malware with the name "rdp_bot" is a small bot which uses the RDP protocol to gain full access to a computer. It uses the same modified RC4 encryption algorithm as the Shifu version discussed in this article. This tool was probably used along the Shiz banking Trojan, because the attacker is able to do his fraudulent activities directly from the victim’s computer. By doing so, one could fool bank antifraud systems which check for the IP address, browser footprints or keyboard layouts. The tool is based on the research about RDP performed by Alisa Esage. The samples date from June to November 2013.

The tool which is named "cryptoshit" contains an encrypted sample of rdp_bot and also uses the same modified RC4 algorithm as the Shifu version described here. The samples date September/October 2013 and January 2014 according to the compilation time stamp.

The malware with the internal name "ScanBot" is a small backdoor which uses the Super Light Regular Expression library (SRLE) for scanning a victim’s computer for files via commands from its operator. The samples date June 2013 according to the time stamp.

Protection Against Shifu

Palo Alto Networks customers are protected from Shifu in the following ways:

  • Wildfire classifies Shifu files as malicious and signatures are loaded into Threat Prevention
  • AutoFocus customers can track malware using the Shifu tag
  • Command and Control domains used by Shifu are blocked through Threat Prevention

SHA256 Hashes of Samples Discussed

Initial obfuscated loader

d3f9c4037f8b4d24f2baff1e0940d2bf238032f9343d06478b5034d0981b2cd9
368b23e6d9ec7843e537e9d6547777088cf36581076599d04846287a9162652b
e7e154c65417f5594a8b4602db601ac39156b5758889f708dac7258e415d4a18
f63ec1e5752eb8b9a07104f42392eebf143617708bfdd0fe31cbf00ef12383f9

Second stage injector

003965bd25acb7e8c6e16de4f387ff9518db7bcca845502d23b6505d8d3cec01
1188c5c9f04658bef20162f3001d9b89f69c93bf5343a1f849974daf6284a650

Exploit injector

e7c1523d93154462ed9e15e84d3af01abe827aa6dd0082bc90fc8b58989e9a9a

CVE-2016-0167 exploit (x86)

5124f4fec24acb2c83f26d1e70d7c525daac6c9fb6e2262ed1c1c52c88636bad

CVE-2016-0167 exploit (x64)

f3c2d4090f6f563928e9a9ec86bf0f1c6ee49cdc110b7368db8905781a9a966e

Main payload

e9bd4375f9b0b95f385191895edf81c8eadfb3964204bbbe48f7700fc746e4dc
5ca2a9de65c998b0d0a0a01b4aa103a9410d76ab86c75d7b968984be53e279b6

Appendix - Technical details

Second Stage Injector Analysis

The second stage injector contains an exploit injector (x86 DLL) which in turn has two embedded exploits (x86/64 DLL) for CVE-2016-0167. The second stage injector also contains the encrypted and aPLib packed main payload module (x86 DLL) in its .tls section. For decryption, it uses a modified version of the RC4 encryption algorithm with a salt that is stored in the .rsrc section. Significant strings in the second stage injector's .data section were XORed with the key 0x8D and get decrypted on-the-fly. Decrypted strings:

Exploit Injector with Embedded CVE-2016-0167 Exploits

The exploit injector is used to gain SYSTEM privileges on the infected host. The injector contains the actual exploits for both x86 and x64 systems. The magic PE bytes ("MZ") at the beginning of the files are patched will null bytes to prevent them from automatic extraction.

The second stage injector checks for the current process' integrity level and the OS version. If the integrity level of the process is low and the OS version is 6.1 (Windows 7 / Windows Server 2008 R2), the second stage injector writes the exploit injector file into memory. Then, it searches for the magic value 0x99999999 in the exploit injector which marks the beginning of the PE overlay. When the address was found, 12 bytes are added and the second stage injector jumps to this address which is in fact a custom PE loader shellcode. The call to the shellcode looks as follows:

Custom PE loader shellcode

It first gets the end of the shellcode which is then used to scan the exploit injector file for the magic PE number ("MZ"). The code to get end of the shellcode looks as follows:

Next, a custom GetProcAddress() function is used together with a hashing function to find the address of VirtualAllocEx(). Then, VirtualAllocEx() is called to allocate a memory buffer of with full access rights into which the exploit injectors sections are written with the appropriate memory alignments. The necessary memory addresses are then adjusted with help of the relocation information, the API function addresses are resolved and the IAT is filled. Finally, the shellcode jumps to the DLL entry point of the freshly created exploit injector module.

Exploit injector

At first, the strings "kernel32.dll", "LoadLibrary" and "GetProcAddress" are created. Next, the image base address for kernel32.dll is searched and the addresses of LoadLibrary() and GetProcAddress() are obtained. With help of these API functions, the IAT addresses of the exploit injector get resolved and the IAT is filled. The purpose of this function is unclear, as it was already done by the second stage injector. Thereafter, a new thread gets created with API function CreateThread().

The thread first calls IsWow64Process() and according to the result either the embedded x86 or x64 version of the exploit file is written into a memory buffer. Next, the PE magic value ("MZ") is written to the beginning of the exploit file. Then, an event named "WaitEventX" is created which is later used by the exploit. Then, the main exploit loading function is called.

The exploit loading function searches for the following process names and if found also the module names for the following strings which are part of Trend Micro security software:

  • "uiSeAgnt.exe"
  • "PtSessionAgent.exe"
  • "PwmSvc.exe"
  • "coreServiceShell.exe"

If one of the processes is found, a suspended process of wuauclt.exe is created. Otherwise, a suspended process of svchost.exe is created. In both cases, the command line argument "-k netsvcs" is passed, but can be only used by svchost.exe. It should be noted that this functionality always fails if the x64 version of Trend Micro Internet Security is installed. The code (x86) calls CreateToolhelp32Snapshot() on a x64 process which results in an error (ERROR_PARTIAL_COPY). Moreover, it also fails because the code tries to access a protected Trend Micro process (ERROR_ACCESS_DENIED).

Next, it maps the x86 or x64 file of the exploit into memory with CreateFileMapping() and MapViewOfFile() and fills in the memory with the exploit bytes. Finally, the section gets mapped into the suspended process of svchost.exe or wuauclt.exe by using ZwMapViewOfSection(). It then checks the OS version if it is 5.2 (Windows Server 2003 / Windows XP 64-Bit Edition) and exits the function if so. Afterwards, two memory buffers are created and a shellcode is written to each of them. The first obfuscated shellcode calls the second shellcode, which is a stager for the mapped exploit file. Next, it calls ResumeThread() to execute the suspended process so the exploit is executed.

The second stage injector verifies that the exploit was successful by checking if the integrity level of itself is still SECURITY_MANDATORY_LOW_RID. If not, the exploit successfully elevated privileges to SECURITY_MANDATORY_SYSTEM_RID and continues with the injection of the main payload. If the exploit failed, it tries to execute itself under the SYSTEM user account with help of the Windows command line (cmd.exe) and runas.exe tool.

Atom String Building

Instead of using a mutex like most of today’s malware, the second stage injector creates an atom and checks the global atom table to see if an instance of Shifu is already running.

At first, it uses the template string "%OS%_%NUMBER_OF_PROCESSORS%" for the API ExpandEnvironmentStrings() to get the Windows version and number of processors. For example, in Windows 7 with one processor the result would be "Windows_NT_1". This string is then used to calculate four CRC32 hashes with RtlComputeCrc32() and the following initial values:

  • 0xFFFFFFFF
  • 0xEEEEEEEE
  • 0xAAAAAAAA
  • 0x77777777

The resulting CRC hashes of the string "Windows_NT_1" are as follows:

  • 0x395693AE
  • 0xB24495D2
  • 0xF39F86E1
  • 0xBAE0B5C8

Next, the last byte of each CRC hash is stored as a DWORD value on the stack:

  • 0xAE000000 (from 0x395693AE)
  • 0xD2000000 (from 0xB24495D2)
  • 0xE1000000 (from 0xF39F86E1)
  • 0xC8000000 (from 0xBAE0B5C8)

The stack with the hash byte sequence looks as follows:

AE 00 00 00 D2 00 00 00 E1 00 00 00 C8 00 00 00

The atom string is then created by converting first 8 bytes of the hash byte sequence to ASCII characters with snprintf() function. The result in this case would be:

"ae000000d2000000"

At last, it calls GlobalFindAtom() API to check if the atom is present and calls GlobalAddAtom() if not.

shifu_3

Figure 3. Shifu atom in the global atom table

Command Line Arguments

The second stage injector has two command line parameters of which only one has a functionality. They may be used for an upcoming feature or were just forgotten to be removed.

  • --crypt-test

Shows just a message box with the text "It work's!"

  • --vm-test

No functionality

Anti-Analysis Tricks

Anti Sandboxie / Avast

Shifu checks if the module snxhk.dll (Avast) or sbiedll.dll (Sandboxie) is present in its own process space by calling GetModuleHandleA() and runs an infinite Sleep() loop if a handle is returned.

All the following anti analysis tricks are only used if Shifu is executed on a 32-bit Windows machine (no Wow64 process).

Process name detection

It enumerates running process names, converts them to lowercase, calculates the CRC32 hashes of those names and compares to the following list:

  • 0x99DD4432 - ?
  • 0x1F413C1F - vmwaretray.exe
  • 0x6D3323D9 - vmusrvc.exe
  • 0x3BFFF885 - vmsrvc.exe
  • 0x64340DCE - ?
  • 0x63C54474 - vboxtray.exe
  • 0x2B05B17D - ?
  • 0xF725433E - ?
  • 0x77AE10F7 - ?
  • 0xCE7D304E - dumpcap.exe
  • 0xAF2015F2 - ollydbg.exe
  • 0x31FD677C - importrec.exe
  • 0x6E9AD238 - petools.exe
  • 0xE90ACC42 - idag.exe
  • 0x4231F0AD - sysanalyzer.exe
  • 0xD20981E0 - sniff_hit.exe
  • 0xCCEA165E - scktool.exe
  • 0xFCA978AC - proc_analyzer.exe
  • 0x46FA37FB - hookexplorer.exe
  • 0xEEBF618A - multi_pot.exe
  • 0x06AAAE60 - idaq.exe
  • 0x5BA9B1FE - procmon.exe
  • 0x3CE2BEF3 - regmon.exe
  • 0xA945E459 - procexp.exe
  • 0x877A154B - peid.exe
  • 0x33495995 - autoruns.exe
  • 0x68684B33 - autorunsc.exe
  • 0xB4364A7A - ?
  • 0x9305F80D - imul.exe
  • 0xC4AAED42 - emul.exe
  • 0x14078D5B - apispy.exe
  • 0x7E3DF4F6 - ?
  • 0xD3B48D5B - hookanaapp.exe
  • 0x332FD095 - fortitracer.exe
  • 0x2D6A6921 - ?
  • 0x2AAA273B - joeboxserver.exe
  • 0x777BE06C - joeboxcontrol.exe
  • 0x954B35E8 - ?
  • 0x870E13A2 - ?

File detection

Shifu checks if the following files or folders exist on the system and runs an infinite Sleep() loop if so:

  • c:\sample\pos.exe
  • c:\analysis\sandboxstarter.exe
  • c:\analysis
  • c:\insidetm
  • c:\windows\system32\drivers\vmmouse.sys
  • c:\windows\system32\drivers\vmhgfs.sys
  • c:\windows\system32\drivers\vboxmouse.sys
  • c:\iDEFENSE
  • c:\popupkiller.exe
  • c:\tools\execute.exe
  • c:\Perl
  • c:\Python27

Debugger detection

It checks if it’s being debugged by calling IsDebuggerPresent(). Also, it calls ZwQueryInformationSystem() with ProcessDebugPort and ProcessDebugObjectHandle to check for a debugger presence. If a debugger is detected it runs an infinite Sleep() loop.

Wireshark detection

Shifu attempts to open \\.\NPF_NdisWanIp with CreateFile() and will enter an infinite Sleep() loop if it is successful.

Self-sanity checks

It checks its own file name length if it is longer than 30 characters and runs an infinite Sleep() loop if so. Also, it checks if its own process name CRC32 hash matches one of the following:

  • 0xE84126B8 - sample.exe
  • 0x0A84E285 - ?
  • 0x3C164BED - ?
  • 0xC19DADCE - ?
  • 0xA07ACEDD - ?
  • 0xD254F323 - ?
  • 0xF3C4E556 - ?
  • 0xF8782263 - ?
  • 0xCA96016D - ?

Furthermore, it checks if one of the following modules from GFI Sandbox is present in its own process address space:

  • api_log.dll
  • dir_watch.dll
  • pstorec.dll

Unknown anti-analysis trick

Shifu uses an anti-analysis trick whose purpose is unknown to us. It retrieves the address of Process32NextW() and compares the first 5 bytes with the sequence 0x33C0C20800 which disassembles to:

This code is only present in 32-bit Windows XP and not in later Windows versions, because the Unicode version of that function probably wasn't implemented yet. If the code sequence is found meaning that Shifu was executed on 32-bit Windows XP, it runs an infinite Sleep() loop.

Windows domain name check

It checks if the computer workgroup name is either "WORKGROUP" or "HOME" with API functions NetServerGetInfo() and NetWkstaGetInfo() and runs an infinite Sleep() loop otherwise. Next, it checks for the name "ANALYSERS" and runs the infinite loop if found.

Computer and user name check

Shifu gets the computer and user name with GetComputerName() and GetUserName() to check for the following strings:

  • SANDBOX
  • FORTINET
  • VIRUS
  • MALWARE
  • MALNETVM

If one is found it runs an infinite loop.

Process termination feature

Second stage injector of Shifu enumerates all running processes, converts every name to lower case, calculates the CRC32 hash of it and compares it to the following ones:

  • 0xD2EFC6C4 - python.exe
  • 0xE185BD8C - pythonw.exe
  • 0xDE1BACD2 - perl.exe
  • 0xF2EAA55E - autoit3.exe
  • 0xB8BED542 - ?

If one matches, it first tries to terminate the process with OpenProcess() and TerminateProcess(). If that fails, it tries to close the main window handle of the process if it is flagged as HANDLE_FLAG_PROTECT_FROM_CLOSE with ZwClose(). Then, it opens the process with full access rights and unmaps it from memory with ZwUnmapViewOfSection(). At last, the main window handle of the unmapped process is closed.

Main Payload Decryption, Unpacking and Injection

To decrypt the main payload, the second stage injector retrieves a salt needed for the decryption algorithm from its .rsrc section. It uses a modified RC4 algorithm where the salt is used to XOR the array of 256 bytes byte after byte at the beginning. The encrypted array is then used to decrypt the main payload located in the .tls section. The decrypted main payload is additionally packed with the aPLib compression library.

If the initial loader runs as a medium or high integrity level process, the routine which calculates the atom string name is called again. This time, only the first 4 bytes are used to build a string, for example "ae000000". Next, the CRC32 hash of this string is calculated and used to XOR another array of 256 bytes starting from 0x0 to 0xFF. This encrypted array is then used to again encrypt the decrypted main payload. The resulting encrypted data are written to registry for persistence purposes under the key "HKCU\software\microsoft\windows" with a random CRC32 hash name, for example "f4e64d63". Also, a second value with the string "ae000000" as name is created and filled up with null bytes and the path of the initial loader, for example "C:\ProgramData\7d5d6044.exe". At last, the temporarily encrypted main payload gets decrypted again.

shifu_4

Figure 4. Encrypted main payload and initial loader path stored in the Windows registry

Next, the main payload gets unpacked into memory. Thereafter, a suspended svchost.exe process (x86) is created with the same integrity level as the parent process. The main payload gets mapped into the process and the magic PE value (MZ) patched. The svchost process gets then resumed so the main payload is executed. At last, a batch file is created and executed in the %TEMP% folder. It overwrites the original executed initial loader with a random number of bytes to cover the tracks. The random bytes are always followed by a space character and the CR LF control characters.

Main Payload Analysis

The main payload module's IAT function names were XORed with the key 0xFF to make static analysis more difficult. Significant strings in the .data section are also XORed with the key 0x8D and get decrypted on-the-fly. Decrypted strings:

API Obfuscation

The main payload uses an API obfuscation technique known as Push-Calc-Ret obfuscation. The calls to the real API functions are patched by the second stage injector after the main payload gets injected into the svchost process. Whenever a Windows API function should have been called, instead the address of a trampoline function is called which calculates the actual function address. All the trampoline function addresses are stored in an array in memory.

For example, the main payload wants to call CreateFile(), but this call is patched. Now, it calls the trampoline function which could look as follows:

First, a value is pushed to the stack. Next, the EFLAGS register is saved to the stack, because it will be altered by the following XOR instruction (OF, CF flags are cleared and the SF, ZF, and PF flags are set according to the result). Then, the previously pushed value is XORed with another value to calculate the actual API function address. At last, the EFLAGS register gets restored and the real API function address is called via the RETN instruction.

Persistence Method

The main payload copies the initial obfuscated loader file to the %ProgramData% folder with a random file retrieved with GetTickCount(). Then, it creates a JScript file named "Common.js" in the Startup folder of the current user. The file contains the following code which runs the initial loader after the system was rebooted:

Updates of the Main Payload compared to Previous Version

Reports on previous versions of Shifu have been published by FireEye and Fortinet.

In comparison to the previous version, the list of substrings to scan for in the string that gets created with the computer name, user name, install date and system drive volume serial number was expanded:

  • TREASURE
  • BUH
  • BANK
  • ACCOUNT
  • CASH
  • FINAN
  • MONEY
  • MANAGE
  • OPER
  • DIRECT
  • ROSPIL
  • CAPO
  • BOSS
  • TRADE

Updated command list:

  • active_sk
  • deactive_sk
  • deactivebc
  • get_keylog
  • get_sols
  • inject
  • kill_os
  • load
  • mitm_geterr
  • mitm_mod
  • mitm_script
  • wipe_cookies

Updated list of targeted browsers:

  • iexplore.exe
  • firefox.exe
  • chrome.exe
  • opera.exe
  • browser.exe
  • dragon.exe
  • epic.exe
  • sbrender.exe
  • vivaldi.exe
  • maxthon.exe
  • ybrowser.exe
  • microsoftedgecp.exe

The main payload will download the Apache httpd.exe server file from one of the C&C servers to store it on disk for web injection purposes. Compared to the previous version, the main payload also contains two strings which indicate some functionality for the Zend PHP Framework:

  • zend_stream_fixup
  • zend_compile_file

Function Hooking in Svchost

Like in the previous version, the malware hooks some API functions to redirect URLs, capture network traffic, the clipboard and to log keystrokes. It uses a technique known as inline function hooking where the first 5 bytes of a function get patched with a jump to the malware's hook handlers. The following functions get hooked:

  • NtDeviceIoControlFile (ntdll.dll)
  • ZwDeviceIoControlFile (ntdll.dll)
  • GetClipboardData (user32.dll)
  • GetMessageA (user32.dll)
  • GetMessageW (user32.dll)
  • TranslateMessage (user32.dll)
  • GetAddrInfoExW (ws2_32.dll)
  • gethostbyname (ws2_32.dll)
  • getaddrinfo (ws2_32.dll)

Network Functionality

The main payload of Shifu uses .bit top-level domains which is a decentralized DNS system based on the Namecoin infrastructure. The malware requests the IP addresses of the domains by subsequently contacting the following hardcoded Namecoin DNS servers:

  • 92.222.80.28
  • 78.138.97.93
  • 77.66.108.93

The C&C domain names, the user-agent string and the URL parameters are encrypted with a modified RC4 encryption algorithm. Decrypted strings:

  • klyatiemoskali.bit
  • slavaukraine.bit
  • Mozilla/5.0 (Windows; U; Windows NT 5.2 x64; en-US; rv:1.9a1) Gecko/20061007 Minefield/3.0a1
  • L9mS3THljZylEx46ymJ2eqIdsEguKC15KnyQdfx4RTcVu8gCT
  • https://www.bing.com
  • /english/imageupload.php
  • /english/userlogin.php
  • /english/userpanel.php
  • 1brz

The encrypted strings are stored in the following format inside the .data section:

<LengthOfString><EncryptedString>

The domain string “klyatiemoskali“ means roughly translated to wish something bad to Muscovites. The second domain string “slavaukraine” means translated “glory to the Ukraine”. The included RC4 key "L9mS3THljZylEx46ymJ2eqIdsEguKC15KnyQdfx4RTcVu8gCT" is used to encrypt the network traffic.

At the time of analysis, only the following Namecoin DNS server was answering with the IP address of the actual C&C server:

77.66.108.93 (ns1.dk.dns.d0wn.biz)

shifu_5

Figure 5. Namecoin DNS server information of 77.66.108.93

The following screenshot shows the captured network traffic during the dynamic analysis of Shifu:

shifu_6

Figure 6. Shifu network traffic captured with Wireshark

We can see that Shifu subsequently queries the Namecoin DNS servers with the domain name klyatiemoskali.bit to get the IP address. After one name server responds with the IP address of the C&C server, it does a TLS handshake to open an encrypted network channel. Finally, it sends some encrypted data and gets an encrypted answer. However, no further network traffic could have been observed during the time of the analysis. Both domain names, klyatiemoskali.bit and slavaukraine.bit, resolved to the IP address 103.199.16.106 at the time of analysis.

As the .bit top-level domain relies on the Namecoin cryptocurrency which is based on the Bitcoin system, every transaction can be traced back. Thus, we can use a Namecoin block explorer to look when the .bit domains were registered and which IP addresses are connected to it. For example, if we use the web service namecha.in, we can get the following information for klyatiemaskali.bit:

shifu_7

We can see the same information for slavaukraine.bit:

shifu_8

Both domains were registered on 2016-06-03 and only one IP address is assigned to them. This IP address coincides with the response of the Namecoin DNS server we have seen in the captured network traffic. Moreover, we can see the domain seems to be still active.

URL Query String for C&C Server

The main payload contains a query string template used to send information of the victim to the C&C server:

botid=%s&ver=%s.%u&up=%u&os=%u&ltime=%s%d&token=%d&cn=%s&av=%s&dmn=%s&mitm=%u

We can see that some information is dynamically retrieved (bot identifier, uptime, operating system version, local timestamp, token, anti-virus software, domain name of workstation, man in the middle interception detected), while also static values like the bot version and the campaign name are send. An example of the created query string could look as follows:

botid=26C47136!A5A4B18A!F2F924F2&ver=1.759&up=18294&os=6110&ltime=-8&token=0&cn=1brz&av=&dmn=&mitm=0

We can see that the internal Shifu version is “1.759” and the campaign name is stated “1brz”.

If we compare Shifu's query string with the one of the latest Shiz version we have tracked which dates February 2014 (internal version 5.6.25), we can see the similarity between those two malwares:

botid=%s&ver=5.6.25&up=%u&os=%03u&ltime=%s%d&token=%d&cn=sochi&av=%s

Modified RC4 Encryption Algorithm

Shifu uses a modified version of the RC4 encryption algorithm. We have reconstructed the algorithm in Python and show how the domain name "klyatiemoskali.bit" present in the main payload will be encrypted as an example:

 

DragonOK Updates Toolset and Targets Multiple Geographic Regions

Posted on by Josh Grunzweig

The DragonOK group has been actively launching attacks for years. We first discussed them in April 2015 when we witnessed them targeting a number of organizations in Japan. In recent months, Unit 42 has observed a number of attacks that we attribute to this group. Multiple new variants of the previously discussed sysget malware family have been observed in use by DragonOK. Sysget malware was delivered both directly via phishing emails, as well as in Rich Text Format (RTF) documents exploiting the CVE-2015-1641 vulnerability (patched in MS15-033) that in turn leveraged a very unique shellcode. Additionally, we have observed instances of the IsSpace and TidePool malware families being delivered via the same techniques. While Japan is still the most heavily targeted geographic region by this particular actor, we also observed instances where individuals or organizations in Taiwan, Tibet, and Russia also may have been targeted.

Infiltration

We observed two unique techniques of infiltration for this particular campaign:

  1. Phishing emails being sent with malicious executables directly attached
  2. Malicious RTF files which exploit CVE-2015-1641.

The phishing emails had the following characteristics:

Email Subjects

  • Pickup at the Juanda Airport (1-Sep)
  • ポイントプレゼントのお知らせ [Roughly Translated: Point gift announcement]
  • 20周年記念パーティー [Roughly Translated: 20th Anniversary Party]
  • 参加者の10周年記念同窓会一覧 [Roughly Translated: List of participants' 10th anniversary alumni association]
  • 子供の調査連れ [Roughly Translated: Children's investigation]
  • G20 report
  • 記念日の再会 [Roughly Translated: Anniversary reunion]
  • 最新の人事異動通知 [Roughly Translated: Recent personnel change notice]

Attachment Filenames

  • G20 report.exe
  • exe
  • List of Participants.exe
  • Registration form.exe

These emails targeted the following industries in Japan:

  • Manufacturing
  • Higher Education
  • Energy
  • Technology
  • Semiconductor

The malicious RTF files in question leverage a very specific shellcode to drop and execute the malicious payload, as well as a decoy document. Decoy documents are legitimate benign documents that are opened after the malicious payload is delivered, thus ensuring that the victim does not become suspicious because their expected document opened as expected.

Two samples were found to include the decoy document show in Figure 1.

The title of the document roughly translates to “Ministry of Communications & Departments Authorities Empty Sites and Hosted Public Works Source Clearance Photos”. The use of traditional Chinese indicators the target likely residing in either Taiwan, Hong Kong, or Macau. However, based on the Taiwanese subject matter in this document, we can safely come to the conclusion that the intended victim was of Taiwanese origin. These samples delivered an updated version of the IsSpace malware family, which was discussed previously in a watering hole attack targeting an aerospace firm. IsSpace is an evolved variant of the NFlog backdoor, which has been used by DragonOK in the past.

dragon_1

Figure 1 Taiwanese decoy document

Two other samples were identified that used a Tibet-themed decoy document. The document in question (Figure 2) appears to be an internal newsletter from the Central Tibetan Ministry, as suggested by the logo used as well as the content of the document itself.  This document indicates that the malware may have been targeted towards an individual that is interested in Tibetan affairs. These particular samples were unique in that they delivered the TidePool malware family that we reported on in May of 2016. We have not previously observed DragonOK using TidePool in attacks.

dragon_2

Figure 2 Tibetan decoy document containing internal newsletter

We also identified an additional sample using decoy targeting Taiwanese victims (Figure 3), which deployed a newer sysget sample.

dragon_3

Figure 3 Taiwanese-targeted decoy document

Other new samples associated with this group used a Russian language decoy document (Figure 4.) The decoy document in question discusses the GOST block cipher, which was created by the Russian government in the 1970’s. The combination of Russian language and Russian-specific subject matter indicates that the intended victim speaks Russian and may be interested in encryption. Like the previously discussed Tibetan decoy documents, these samples also delivered the TidePool malware family.

dragon_4

Figure 4 Russian decoy document discussing the GOST block cipher

Finally, multiple samples used a traditional Chinese language decoy document that discussed a subsidy welfare adjustment program. The use of traditional Chinese indicators the target likely residing in either Taiwan, Hong Kong, or Macau. Similar to other attacks witnessed, a variant of the sysget malware family is installed by these files.

dragon_5

Figure 5 Decoy document discussing subsidy welfare adjustment program

Malware Deployed

In looking at the various malware samples used in attempted attacks, the following four families were identified:

  • Sysget version 2
  • Sysget version 3
  • TidePool
  • IsSpace

We broke the sysget classification into multiple variants when we found that a number of changes have been made since our April 2015 report. Major distinctions between the versions of sysget include the following:

Sysget version 2

  • Removed support for persistence on Windows XP
  • Reworked the URIs used for network communication
  • Added additional layers of encryption for network communication and stored configuration files
  • Switched from RC4 to AES-128

Sysget version 3

  • Numerous anti-debug and anti-vm procedures added
  • Encrypted URIs in network communication with an initial static key

In addition, we observed a sysget version 4 that was discovered in another sample during our research. This version is not attributed to a specific attack against an organization.

Indicators of compromise related to sysget version 4 and other samples not directly attributed to specific attacks may be found in the Appendix of this blog post.  Additionally, more information about the various sysget variants may also be found in the Appendix.

The TidePool samples encountered are consistent with the samples previously discussed. I encourage readers to view our previous blog post to learn more about the intricacies of this particular malware family.

The IsSpace malware sample, however, looks to have been updated since last we wrote on it. While the available commands from the command and control (C2) server remains the same, the URI structure of the network communication has been modified. Additionally, the installation routine for this malware family has been updated to be far less complex than previous discussed versions, favoring PowerShell to set persistence and forgoing the previously used side-loading technique. A more detailed analysis of the new instances of IsSpace may be found at the end of this blog post in the Appendix.

Infrastructure

A number of unique domains were employed by the various Trojans used in these attacks. For the numerous instances of sysget we observed, the following domains were observed for their C2:

  • kr44.78host[.]com
  • gtoimage[.]com
  • gogolekr[.]com

All of the above domains have Chinese WHOIS registrant details. Additionally, the gotoimage[.]com and trend.gogolekr[.]com are both registered to the same registrant and resolve to the same netblock of 104.202.173.0/24.

The instances of TidePool identified communicated with the following C2 servers:

  • europe.wikaba[.]com
  • russiaboy.ssl443[.]org
  • cool.skywave[.]top

These domains did not have many definitive relations with the sysget C2 servers except for cool.skywave[.]top, which shared a unique registrant email with the sysget C2 server of trend.gogolekr[.]com. Additionally, the geographic region of the resolved IPs was consistent with the previous set, as they all resolved to various regions in southeast Asia. Specifically, the domains resolved to China, Korea, and Taiwan in the past six months.

The IsSpace samples resolved to the following domains:

  • www.dppline[.]org
  • www.matrens[.]top

These domains had no apparent connections to the previously discussed C2 servers, other than the fact that they resolved to Korea and Hong Kong respectively. Additionally, the registrar of ‘Jiangsu Bangning Science and technology Co. Ltd.’ was used for a large number of domains. A full graph of the relations between the various attacks is shown in Figure 6.

dragon_6

Figure 6 Relationships between attacks

Conclusion

The DragonOK group are quite active and continue updating their tools and tactics. Their toolset is being actively developed to make detection and analysis more difficult. Additionally, they appear to be using additional malware toolsets such as TidePool. While Japan is still the most-targeted region by this group, they look to be seeking out victims in other regions as well, such as Taiwan, Tibet, and Russia.

Palo Alto Network customers are protected against this threat in the following ways:

  • Malware families are tagged in AutoFocus via a variety of tags (TidePool, NFlog, Sysget)
  • The following IPS signatures detect malicious network traffic:
    • IPS signature 14365 (IsSpace.Gen Command And Control Traffic)
    • IPS signature 14588 (Suspicious.Gen Command And Control Traffic)
    • IPS signature 13574 (NfLog.Gen Command And Control Traffic)
    • IPS signature 13359 (Nflog.Gen Command And Control Traffic)
  • All samples are appropriately marked malicious in WildFire

Appendix

CVE-2015-1641 Exploit and Shellcode

This particular group uses a very specific shellcode payload when exploiting CVE-2015-1641. This CVE is memory corruption vulnerability which allows for arbitrary code execution in various versions of Microsoft Office, including 2007, 2010, and 2013.

The shellcode begins by dynamically loading a small number of API functions from kernel32. A number of hashes are included that represent function names, which have a rotate right 7 (ROR7) operation applied against them before being XORed against a key of “\x10\xAD\xBE\xEF”. The ROR7 operation is a very common technique in shellcode to obfuscate what functions are being called. The author added the XOR operation to add another layer of obfuscation.

dragon_7

Figure 7 API function hashes contained in shellcode

After the shellcode loads the necessary API functions, it proceeds to seek out a number of markers that will mark the beginning and ending of both an embedded malicious payload, as well as a decoy document.

The malicious executable is marked with a starting point of 0xBABABABABABA and an end marker of 0xBBBBBBBB. The decoy document is found immediately after the end of the malicious payload, and has an end marker of 0xBCBCBCBC. Both executables are encrypted with a 4-byte XOR key. Should the original data contain 0x00000000, it will not have the XOR applied against it.

The malicious payload is XORed against a key of 0xCAFEBEEF and the decoy document is XORed against 0xBAADF00D. The following script may be applied against the RTF document to extract both the malicious payload and the decoy:

When both files are decrypted, they are written to the following location in the %TEMP% directory:

  • ../..exe
  • ../..doc

Note the initial ‘..’, which represents the parent directory of %TEMP%. This coupled with the unusual names of ..exe and ..doc make this particular shellcode very unique, which is one way we have attributed these samples to the same group. After the samples have been written, they are executed via calls to WinExec.

Sysget v2 Analysis

One of the fundamental changes witnessed in the second iteration of sysget is removing support for Windows XP and lower. Other changes include modifications to the URIs used for network communication.

Like the original version of sysget, sysget v2 still uses a named event of ‘mcsong[]’ to ensure a single instance is running at a time. It proceeds to make attempts at copying itself to the %STARTUP%/notilv.exe path. However, it uses COM objects to perform this action that is not available in Windows XP, which prevents the malware from installing itself to this location. While the remainder of the malware operates as expected, it will not survive a restart of the system.

Sysget proceeds to make an attempt at reading the following configuration file. This filename and path has changed since the original version, and is consistent in the subsequent versions.

  • %APPDATA%/vklCen5.tmp

This configuration file holds both a unique victim identifier, as well as a key that is used to encrypt HTTP traffic. It is encrypted using the AES-128 encryption algorithm, using a static key of ‘734thfg9ih’. Using AES-128 is a change from the previous version, where RC4 was used for all encryption operations. The following Python code may be used to decrypt this file:

When executed against an example configuration file, we see the following output, which includes the two pieces of data noted previously:

The encryption of this configuration file is a new feature that was not present in the original version of sysget.

If this file is not present on the system, the malware will attempt to retrieve the necessary information via a HTTP request. The following request is made to the remote command and control server. Note that the full URI is statically set by the malware sample.

The server responds with the following data, encrypted using the same technique previously described with a static key of ‘aliado75496’. Once decrypted, we see the following example data being sent back to sysget:

gh1443717133\n1059086204\n

The first string is used as a key for all subsequent network communication. The second string is treated as a unique victim identifier. This data is encrypted using the key of ‘734thfg9ih’ and written to the %APPDATA%/vklCen5.tmp file.

After this information has been obtained, the malware proceeds to enter its command and control loop. An HTTP request such as the following is made to the remote server. Note that the ‘mid’ GET variable holds the MD5 hash of the previously obtained victim identifier. The remaining data in the URI is hardcoded.

The response is encrypted using the unique key that was obtained previously. Should the response contain ‘Fatal error’ unencrypted, no further actions are taken by the malware sample. Once decrypted, the response may have one of the following two choices, and their accompanying purpose. Alternatively, if a raw command is provided, the malware will execute it and return the results.

Command Description
goto wrong "[file_path]";\n Read a specific file and return its contents.
goto right "[filename]" "[identifier]" Write a given file. The identifier is used to retrieve the file’s contents in a subsequent HTTP request.

When the ‘goto wrong’ request is made, a HTTP POST request is made to the following URI. In the following URI, the ‘list’ parameter contains the MD5 hash of the victim’s identifier.

/index.php?type=register&pageinfo=myid32987&list=5717cb8fed2750a2ee9e830a3
0716ed4

The contents of this POST request contains the victim’s identifier, as well as the file’s contents encrypted with the unique key. The first 50 bytes are reserved for the victim identifier, as shown below:

Once decrypted, the data contains both the filename, as well as the contents of that file.

If the ‘goto right’ command is used, the malware will make a subsequent request to the following URI. The ‘cache’ variable holds the unique identifier that was provided in the ‘goto right’ command.

/index.php?type=goto&pageinfo=myid47386&cache=identifier

Once the file contents are obtained, they are written to the specified filename in the %STARTUP% folder.

When a raw command is received, the malware will upload the results to the following URI via a POST request:

/index.php?type=register

An overview of the network communications exhibited by sysget version 2 can be seen in the figure below.

dragon_8

Figure 8 Sysget version 2 command and control flow

Sysget v3 Analysis

Some of the biggest changes witnessed in version 3 of sysget includes numerous anti-debug and anti-vm detections added, as well as the encryption of the URIs used for network communication.

When the malware initially executes, it performs the following checks to ensure it is not being debugged and not running in a sandbox or virtualized environment.

Should these checks return false, the malware proceeds to enter its installation routine. The malware originally copies itself to a temp file in the %TEMP% directory with a filename prefix of ‘00’. It proceeds to append 4194304 bytes of randomly chosen data to the end of this file. The increased filesize may have been added by the author in an attempt to thwart sandboxes that impose filesize limits on what is saved and/or processed. Finally, the malware copies the original file from the tmp path to the %STARTUP%/winlogon.exe path using the same technique witnessed in version 2. Sysget then writes a batch script in the %TEMP% folder with the following contents, cleaning up the original files and spawning the newly written winlogon.exe executable:

After installation, sysget will attempt to read the same %APPDATA%/vklCen5.tmp file as witnessed in the previous variant. A number of strings within the malware, including the ‘734thfg9ih’ key used to encrypt this file, have been obfuscated via a single-byte XOR of 0x5F.

Similar to previous versions, should this vklCen5.tmp file not be present on the victim machine, it will make an external HTTP request to retrieve the necessary information. The following request is made by the malware. Readers will notice that the URI has changed from previous versions in a number of ways. This version of sysget looks to always make requests to 1.php, which is hardcoded within the malware itself. Additionally, all HTTP URIs in this version of sysget are encrypted. The initial GET request made to retrieve the victim identifier and unique key is encrypted with a key of ‘Cra%hello-12sW’. The subsequent response containing this information is then decrypted using a key of ‘aliado75496’, which is consistent with previous versions.

When the URI above is base64-decoded and subsequently decrypted, we see the following:

index.php?type=read&id=692fdc3c7b2c310fc017e4af335b8dc8&pageinfo=jp&lang=utf-8

This URI is consistent with the previous sysget variant. It would seem the authors simply have added this layer of encryption to hinder efforts to block the malware via network-based detections.

After this initial request to retrieve the victim identifier and unique key, sysget enters its command and control loop. This process is consistent with the previous version, but simply has the extra layer of encryption used for the URIs.

Sysget v4 Analysis

The fourth variant of sysget is nearly identical to the third variant. However, the main difference lies in the URIs used for network communication. In addition to the expected encryption of the URIs, this variant also mangles the base64 encoding that is performed afterwards. The following Python script may be used to de-obfuscate the base64 URI found in this variant:

Additionally, the C2 URI changes in this variant, from 1.php to 5.php

IsSpace Analysis

When initially run, IsSpace will create a unique event to ensure a single instance of the malware is running at a given time. This event name appears to be unique per the sample, as multiple samples contained unique event names. The following event names have been observed in the samples that were analyzed:

  • e6al69MS5iP
  • v485ILa3q5z

IsSpace proceeds to iterate over the running processes on the system, seeking out the following two process substrings:

  • uiSeAgnt
  • avp.exe

The uiSeAgnt string may be related to Trend Micro’s solutions, while avp.exe most likely is related to Kaspersky’s anti-malware product.

In the event uiSeAgnt is identified, the malware will enter its installation routine if not already running as ‘bfsuc.exe’ and proceeds to exit afterwards. Should avp.exe be identified, the malware enters an infinite sleep loop until a mouse click occurs. After this takes place, the malware proceeds as normal.

The malware then determines if it is running under Windows XP. In the event that it is, it will make a HTTP GET request to www.bing.com, presumably to ensure network connectivity.

dragon_9

Figure 9 IsSpace connecting to www.bing.com

If the malware is not running on Windows XP, it will attempt to obtain and decrypt any basic authentication credentials from Internet Explorer. This information is used in subsequent HTTP requests in the event a 407 (Proxy Authentication Required) or 401 (Unauthorized) response code is received during network communication.

IsSpace will then enter its installation routine, where it will first copy itself to the %LOCALAPPDATA% folder with a name of ‘bfsuc.exe’.  It then sets the proper registry key for persistence by executing the following PowerShell command:

The malware then makes an initial HTTP POST request to the configured C2 server. It will make this request to the ‘/news/Senmsip.asp’ URI. The POST data is XORed against a key of “\x35\x8E\x9D\x7A”, which is consistent with previous versions of IsSpace and NFlog. Decrypted, the POST data reads “01234567890”. The C2 server in turn will respond with the victim’s external IP address.

dragon_10

Figure 10 Initial IsSpace beacon

IsSpace then spawns two threads that will make HTTP requests to the following URIs:

  • /news/Sennw.asp?rsv_info=[MAC_ADDRESS]
  • /news/Sentire.asp?rsv_info=[MAC_ADDRESS]

The ‘Sennw.asp’ POST requests that are made contain collected victim information. They, like other information sent across the network, are encrypted using the previously mentioned 4-byte XOR key. When decrypted, we are provided with information such as the following:

The information, delimited via ‘#%#’, is as follows:

Value Description
60-F8-1D-CC-2F-CF MAC address
172.16.95.1 External IP collected previously
172.16.95.186 Internal IP address
WIN-LJLV2NKIOKP Hostname
Win7 Windows version
English(US) Language
2016-12-20 16:27:12 Timestamp
Active Malware status. May also be ‘Sleep’
xp20160628 Potential campaign identifier
IsAdmins / False User admin status

The malware is expected to return one of the following two responses to this HTTP request:

  • Active
  • Slient (Note the typo)

In the event the response of Slient is received, the malware will stop sending out HTTP requests to the ‘Sentire.asp’ URI. Conversely, if the malware is set to the ‘Sleep’ status and the ‘Active’ response is received, it will begin the ‘Sentire.asp’ requests once more.

The requests to ‘Sentire.asp’ act as the main C2 loop, requesting commands from the remote server. The commands are consistent with previously observed instances of IsSpace, however, the URIs have been modified.

Command Description Response URI
CMD Executes command Sentrl.asp
Browse List specified directory Senjb.asp
UploadFile Upload file Sensp.asp
DownLoad Download file Senwhr.asp
DelFile Delete file N/A

DragonOK Indicators

Malicious RTF Documents

020f5692b9989080b328833260e31df7aa4d58c138384262b9d7fb6d221e3673
0d389a7b7dbdfdffcc9b503d0eaf3699f94d7a3135e46c65a4fa0f79ea263b40
52985c6369571793bc547fc9443a96166e372d0960267df298221cd841b69545
785398fedd12935e0ae5ac9c1d188f4868b2dc19fb4c2a13dab0887b8b3e220d
941bcf18f7e841ea35778c971fc968317bee09f93ed314ce40815356a303a3ec
ba6f3581c5bcdbe7f23de2d8034aaf2f6dc0e67ff2cfe6e53cfb4d2007547b30
df9f33892e476458c74a571a9541aebe8f8d18b16278f594a6723f813a147552
925880cc833228999ea06bd37dd2073784ab234ea00c5c4d55f130fe43a0940b
3e4937d06ac86078f96f07117861c734a5fdb5ea307fe7e19ef6458f91c14264
16204cec5731f64be03ea766b75b8997aad14d4eb61b7248aa35fa6b1873398b
64f22de7a1e2726a2c649de133fad2c6ad089236db1006ce3d247c39ee40f578
c3b5503a0a89fd2eae9a77ff92eef69f08d68b963140b0a31721bb4960545e07
d227cf53b29bf0a286e9c4a1e84a7d70b63a3c0ea81a6483fdfabd8fbccd5206
9190b1d3383c68bd0153c926e0ff3716b714eac81f6d125254054b277e3451fe
d321c8005be96a13affeb997b881eaba3e70167a7f0aa5d68eeb4d84520cca02
d38de4250761cb877dfec40344c1642542ca41331af50fa914a9597f8cc0ee9b
5a94e5736ead7ea46dbc95f11a3ca10ae86c8ae381d813975d71feddf14fc07a
bbdc9f02e7844817def006b9bdef1698412efb6e66346454307681134046e595

IsSpace

12d88fbd4960b7caf8d1a4b96868138e67db40d8642a4c21c0279066aae2f429
1a6e3cd2394814a72cdf8db55bc3f781f7e1335b31f77bffc1336f0d11cf23d1

C2 Domains

www.dppline[.]org
www.matrens[.]top

C2 Domains

europe.wikaba[.]com
russiaboy.ssl443[.]org
cool.skywave[.]top

Sysget Version 2

82f028e147471e6f8c8d283dbfaba3f5629eda458d818e1a4ddb8c9337fc0118

C2 Domains

newtw2016.kr44.78host[.]com

Sysget Version 3

02fc713c1b2c607dff4fc6c4797b39e42ee576578f6af97295495b9b172158b9
a0b0a49da119d971fa3cf2f5647ccc9fe7e1ff989ac31dfb4543f0cb269ed105
b49cb2c51bc2cc5e48585b9b0f7dd7ff2599a086a4219708b102890ab3f4daf3
b8f9c1766ccd4557383b6643b060c15545e5f657d87d82310ed1989679dcfac4
d75433833a3a4453fe35aaf57d8699d90d9c4a933a8457f8cc37c86859f62d1e
685076708ace9fda65845e4cbb673fdd6f11488bf0f6fd5216a18d9eaaea1bbc
7fcc86ebca81deab264418f7ae5017a6f79967ccebe8bc866efa14920e4fd909
c5c3e8caffd1d416c1fd8947e60662d82638a3508dbcf95a6c9a2571263bdcef

C2 Domains

gtoimage[.]com
trend.gogolekr[.]com

Additional Indicators

Sysget Version 2

a768d63f8127a8f87ff7fa8a7e4ca1f7e7a88649fe268cf1bd306be9d8069564
2bf737f147e761586df1c421584dba350fd865cb14113eee084f9d673a61ee67
2c7c9fd09a0a783badfb42a491ccec159207ee7f65444088ba8e7c8e617ab5a5
d91439c8faa0c42162ea9a6d3c282d0e76641a31f5f2fbc58315df9c0b90059c
89d8d52c09dc09aeb41b1e9fafeacf1c038912d8c6b75ad4ef556707b15641ff
6c1d56cb16f6342e01f4ebfc063db2244aef16d0a248332348dcdb31244d32f2
9c66232061fbb08088a3b680b4d0bffbbce1ce01d0ce5f0c4d8bf17f42d45682
b138ea2e9b78568ebd9d71c1eb0e31f9cf8bc41cd5919f6522ef498ffcc8762a
8830400c6a6d956309ac9bcbcceee2d27ba8c89f9d89f4484aba7d5680791459
bda66f13202cef8cfb23f36ac0aee5c23f82930e1f38e81ba807f5c4e46128e3
e8197e711018afd25a32dc364a9155c7e2a0c98b3924dc5f67b8cd2df16406ff
e9c0838e2433a86bc2dec56378bd59627d6332ffb1aec252f5117938d00d9f74
c63685b2497e384885e4b4649428d665692e8e6981dad688e8543110174f853b
2c9c2bfea64dd95495703fcec59ad4cf74c43056b40ed96d40db9b919cfd050b
94850525ea9467ae772c657c3b8c72663eaa28b2c995b22a12b09e4cacecad6d
e8bd20e3d8491497ca2d6878b41fb7be67abb97ee272ef8b6735faa6acd67777

C2 Domains

hello.newtaiwan[.]top
bullskingdom[.]com
mail.googleusa[.]top
www.modelinfos[.]com
modelinfos[.]com
www.sanspozone[.]com

Sysget Version 3

f9a1607cdcfd83555d2b3f4f539d3dc301d307e462a999484d7adb1f1eb9edf6
7f286fbc39746aa8feeefc88006bedd83a3176d2235e381354c3ea24fe33d21c
3b554ef43d9f3e70ead605ed38b5e66c0b8c0b9fc8df16997defa8e52824a2a6
8d7406f4d5759574416b8e443dd9d9cd6e24b5e39b1f5bc679e4a1ad54d409c6
edf32cb7aad7ae6f545f7d9f11e14a8899ab0ac51b224ed36cfc0d367daf5785
db19b9062063302d938bae51fe332f49134dc2e1947d980c82e778e9d7ca0616
cde217acb6cfe20948b37b16769164c5f384452e802759eaabcfa1946ea9e18b
9bee4f8674ee067159675f66ca8d940282b55fd1f71b8bc2aa32795fd55cd17e
39539eb972de4e5fe525b3226f679c94476dfc88b2032c70e5d7b66058619075
c45145ca9af7f21fff95c52726ff82595c9845b8e9d0dbf93ffe98b7a6fa8ee9
55325e9fccbdada83279e915e5aeb60d7b117f154fa2c3a38ec686d2552b1ebc
2c7d29da1b5468b49a4aef31eee6757dc5c3627bf2fbfb8e01dec12aed34736a
16dc75cf16d582eac6cbbe67b048a31fffa2fb525a76c5794dad7d751793c410
91eee738f99174461b9a4085ea70ddafc0997790e7e5d6d07704dcbbc72dc8bf
4a702ffbf01913cc3981d9802c075160dfd1beed3ba0681153d17623f781f53f
e8bed52c58759e715d2a00bdb8a69e7e93def8d4f83d95986da21a549f4d51c5
ed5598716de2129915f427065f0a22f425f4087584e1fa176c6de6ad141889d1
adc86af1c03081482fe9ba9d8a8ae875d7217433164d54e40603e422451a2b90
f0540148768247ed001f3894cdfa52d8e40b17d38df0f97e040a49baa3f5c92e
ce38a6e4f15b9986474c5d7c8a6e8b0826330f0135e1da087aae9eab60ea667a
5c4e98922e6981cf2a801674d7e79a573ebcdc9ebc875ef929511f585b9c4781
4880b43ddc8466d910b7b49b6779970c38ce095983cad110fa924b41f249f898
76b6f0359a3380943fece13033b79dc586706b8348a270ac71b589a5fd5790a4
feab16570c11ec713cfa952457502c7edd21643129c846609cb13cdc0ae4671c
ed9ca7c06aac7525da5af3d1806b32eeb1c1d8f14cc31382ca52a14ed62f00a9
a3aa4b3b3471b0bb5b2f61cbc8a94edef4988436e0bc55e9503173c836fb57a3
29ee56ca66187ece41c1525ad27969a4b850a45815057a31acee7cc76e970909
65201380443210518621da9feb45756eac31213a21a81583cc158f8f65d50626
cccb906d06aef1e33d12b8b09c233e575482228d40ac17232acad2557da4e53b

C2 Domains

gtoimage[.]com
trend.gogolekr[.com
www.bestfiles[.]top

Sysget Version 4

2ac8bc678e5fa3e87d34aee06d2cd56ab8e0ed04cd236cc9d4c5e0fa6d303fa3
8dc539e3d37ccd522c594dc7378c32e5b9deeffb37e7a7a5e9a96b9a23df398e

C2 Domains

www.sanseitime[.]com

 

Campaign Evolution: pseudo-Darkleech in 2016

Posted on by Brad Duncan

Darkleech is long-running campaign that uses exploit kits (EKs) to deliver malware. First identified in 2012, this campaign has used different EKs to distribute various types of malware during the past few years. We reviewed the most recent iteration of this campaign in March 2016 after it had settled into a pattern of distributing ransomware. Now dubbed "pseudo-Darkleech," this campaign has undergone significant changes since the last time we examined it. Our blog post today focuses on the evolution of pseudo-Darkleech traffic since March 2016.

Chain of events

Successful infections by the pseudo-Darkleech campaign have generally followed a set sequence of events. This happens regardless of the EK used or the payload delivered. The sequence is:

  • Step 1: Victim host views a compromised website with malicious injected script.
  • Step 2: The injected script generates an HTTP request for an EK landing page.
  • Step 3: The EK landing page determines if the computer has any vulnerable browser-based applications.
  • Step 4: The EK sends an exploit for any vulnerable applications (for example, out-of-date versions of Internet Explorer or Flash player).
  • Step 5: If the exploit is successful, the EK sends a payload and executes it as a background process.
  • Step 6: The victim's host is infected by the malware payload.

In some cases, the pseudo-Darkleech campaign has used a gate between the compromised website and the EK landing page. However, we far more frequently see injected script from the compromised website lead directly to the EK landing page. To get a better idea of the relationship between EKs and campaigns, see our previous blog on EK fundamentals.

fig1

Figure 1: Chain of events for the pseudo-Darkleech campaign.

EKs used by pseudo-Darkleech

The pseudo-Darkleech campaign used Angler EK until that EK disappeared in mid-June 2016. Like many other campaigns, pseudo-Darkleech switched to Neutrino EK after Angler EK disappeared.

Pseudo-Darkleech stayed with Neutrino EK until mid-September 2016. At that point, Neutrino EK ceased operations. The pseudo-Darkleech campaign then switched to Rig EK, and it has stay with Rig since then. We still see indications of a Neutrino EK variant, but at much reduced levels compared to before.

Searching for EK activity in AutoFocus, we saw a significant drop in Neutrino and a corresponding rise in Rig activity starting in mid-September 2016.

fig2

Figure 2: Hits on Neutrino and Rig EK activity in September 2016.

Payloads sent by pseudo-Darkleech

When we last reviewed the pseudo-Darkleech campaign in March 2016, it was delivering TeslaCrypt ransomware. Since that time, pseudo-Darkleech has changed the ransomware payloads it delivers. In April 2016, this campaign switched to CryptXXX ransomware after TeslaCrypt shut down and released its master decryption key. By August 2016, pseudo-Darkleech had switched to a new variant of CryptXXX ransomware dubbed CrypMIC.

By October 2016, pseudo-Darkleech switched to distributing Cerber ransomware, and it has continued sending Cerber as of early December 2016. Below is a summary of EKs and payloads used by the pseudo-Darkleech campaign so far in 2016.

  • Jan 2016: Angler EK to deliver CryptoWall ransomware
  • Feb 2016: Angler EK to deliver TeslaCrypt ransomware
  • Apr 2016: Angler EK to deliver CryptXXX ransomware
  • Jun 2016: Neutrino EK to deliver CryptXXX ransomware
  • Aug 2016: Neutrino EK to deliver CrypMIC ransomware
  • Sep 2016: Rig EK to deliver CrypMIC ransomware
  • Oct 2016: Rig EK to deliver Cerber ransomware

Patterns of injected script

Any EK infection chain almost always starts with injected script from a particular campaign in a page from a compromised website. These pages are from legitimate websites that have been compromised and are being used by the campaign.

When we last examined injected script by the pseudo-Darkleech campaign, it was a large block of heavily-obfuscated text that averaged from 12,000 to 18,000 characters in size. It remained large and obfuscated through June 2016.

fig3

Figure 3: Start of injected pseudo-Darkleech script in page from compromised website in June 2016.

fig4

Figure 4: Middle of injected pseudo-Darkleech script in page from compromised website in June 2016.

fig5

Figure 5: End of injected pseudo-Darkleech script in page from compromised website in June 2016.

But by July 1st 2016, injected pseudo-Darkleech script stopped using obfuscation and became a straight-forward iframe. This iframe has a span value that puts it outside the viewable area of your web browser's window.

fig6

Figure 6: Example of injected pseudo-Darkleech script from July 2016.

The injected script has changed slightly since then, but it remains short and unobfuscated as of early December 2016.

fig7

Figure 7: Example of injected pseudo-Darkleech script from December 2016.

Conclusion

With the recent rise of ransomware, we continue to see different vectors used in both targeted attacks and wide-scale distribution. EKs are one of many attack vectors for ransomware. The pseudo-Darkleech campaign has been a prominent distributer of ransomware through EKs, and we predict this trend will continue into 2017.

Domains, IP addresses, and other indicators associated with this campaign are constantly changing. Customers of Palo Alto Networks are protected from the pseudo-Darkleech campaign through our next-generation security platform, including Traps, our advanced endpoint solution that prevent EKs from compromising a system. We will continue to investigate this campaign, inform the community of our results, and further enhance our threat prevention.

Review of Regional Malware Trends in EMEA: Part 1

Posted on by Alex Hinchliffe

Introduction

As we head towards the end of the year it’s common to reflect on the year almost behind us and to predict what the new year approaching will bring in terms of security challenges. This blog is part of a series that describe malware trends seen in the EMEA (Europe Middle East and Africa) region over the last six months of 2016.

Not long after joining Palo Alto Networks and the Unit 42 Threat Research team I was tasked with authoring and publishing monthly regional threat reports for internal use that focused on the EMEA region using data from our AutoFocus Threat Intelligence Service. The report contents and structure are fluid but some constants exist too, such as tips, take-aways and tools described for readers to learn and act upon to improve their security posture. We are working towards making the reports themselves public, meanwhile, this blog, and future blogs in the series, serve to publish summary information from each of the reports. This blog refers to data extracted from the June and July reports.

EMEA is the largest region on earth in terms of land mass spanning 4 continents from Greenland in the North and West, to the Cape of Good Hope in the South of Africa and as far as Iran in the East but location is pretty much where the commonality ends. The EMEA region is incredibly diverse with more countries than other regions, more languages, arguably more ethnicities and vastly contrasting GDP (Gross Domestic Product) figures as well as population sizes. Despite EMEA accounting for approximately one third of the world’s GDP, per capita, it also includes both the richest and poorest countries. All this amounts to the region being a great place to conduct business however, unfortunately, cyber criminals also believe the same and find it a lucrative market. The malware seen here is not necessarily unique to the region but like the region it is diverse!

Breaking-down the EMEA region into sub-regions is necessary to create digestible threat reports with meaningful data, however even that is not simple due to disparate cybersecurity postures and policies, maturity levels and, indeed, social and economic aspects of each country. That being said, the reports thus far cover segments of the region that are somewhat similar in terms of most of those aspects. For example, the first report covers countries in western Europe with similar GDP (Gross Domestic Product) amount. The second report covers some countries that are located in the Middle East region and are considered as emerging markets.

United Kingdom, Germany and France

These three countries top the GDP list for the EMEA region and thus the European sub-region as well with most of their wealth coming from the services sector.

Highlights:

  • Information stealing Trojans are rife in all three countries most likely due to their large service sectors with companies that store and process customer data.
  • Low-points in malware sessions were around Brexit referendum voting time.
  • Higher than usual H1N1 downloader Trojan activity

trend_1 The United Kingdom had the highest amount of malicious sessions of all three countries, as seen in our next-generation security platform and, as the three-month** trend shows, much of this traffic trend_2

was during April and May, peaking on May 27th. Most of this peak consisted of Locky ransomware campaigns but also included more than one hundred samples in over 7,000 sessions affecting Government and Higher Education.

** The regional threat reports are monthly but often it’s useful to review information and trends especially over a wider period for more context.

trend_3 Germany showed a similar peak to the trend_4

United Kingdom and also consisted mostly of Locky ransomware campaigns. However Germany saw fewer samples but over double the number of sessions. In contrast to the United Kingdom, the majority were seen in the Healthcare and High Tech industries. Locky, like many other variants of ransomware, is victim-agnostic because of the nature of the adversary’s attack and delivery method that uses weaponized documents, containing macros to drop and execute the payload, attached to emails sent out in very large, wide-spread malspam campaigns a la Dridex. The evolution of Locky ransomware since early 2016 has seen various changes not only in the payload behavior but also the distribution methods switching between various Exploit Kits (EKs) and campaigns to infect users browsing compromised websites. Locky is ubiquitous: so much so other cybercriminals have copied its traits, while using their often-recoverable malware to infect and encrypt as if it were Locky, probably to social engineer the victim into a quicker response and payment.

During the spike of Locky-related activity on May 27th just under a quarter of samples seen in the United Kingdom contained a unique feature not present in any samples seen in Germany during the same activity. AutoFocus additionally tagged those samples as having a behavior indicating the malware queried the system BIOS (Basic Input Output System) information during execution in our WildFire™ cloud sandbox. The “BiosDiscovery” tag represents a method commonly used by malware to determine whether running in a virtual machine or not, which could indicate execution in a sandbox environment.

Bolster your defenses:

Locky certainly is a formidable force with its aggressive distribution methods and sheer prevalence, which raises the probability of would be victims getting infected, however there are numerous points during the kill chain or attack lifecycle at which both an exploit delivering Locky or the Locky malware itself can be disrupted preventing its end game of encrypting your data. Interrupting network communications based on source and destination domain names, command & control traffic and unknown TCP; on the end point exploit-related behavior in various applications can be blocked and further methods include detecting DLL and thread injection routines as well as suspicious static file attributes, such as lack of digital signatures.

Malware, including Ransomware, is often distributed by attackers using email but sometimes the method of delivery can differ. Many include the malware as a raw executable file (.EXE, .SCR, .CPL or other file types) as an attachment, which is quite a primitive technique but sadly one that still results in successful infections. Less amateurish are those attackers who obscure their payloads inside other file formats, such as documents containing macros capable of unpacking and executing the executable file embedded inside or downloaded from a remote host; using JavaScript attachments (either directly attached or masquerading inside an archive ZIP attachment) leads to similar results. Some file attachments include exploits capable of exploiting vulnerable applications or systems, or contain URLs pointing to sites hosting Exploit Kits that use more advanced and automated means to deploy the same exploits, however end-point protection with exploit prevention can stop these methods.

trend_5 Based on this information it’s possible to stop many of the low-hanging fruit malware attacks on your network and end-points. Start doing something different tomorrow - Block email file attachments such as document files containing macros, ZIP files containing JavaScript code (or JavaScript full stop,) and other suspicious file types. If you can’t block exclusively, at least reduce who in the company can receive such email attachments to reduce the attack surface.

trend_6 The landscape trend_7in France was a little different over the same time period with the peak volume occurring very early on comparatively. April 7th saw over two hundred samples in more than 27,000 sessions using various applications including email-based and web-browsing, predominately affecting Government, High Tech and Service Provider sectors. Rockloader – an intermediary downloader Trojan – made up most of the malware samples, together with subsequent payloads including Kegotip and Pony Trojans capable of harvesting credentials or other data from victim systems as well as installing further payloads, such as Locky ransomware.

Brexit Disrupts Malware Volume

After 3 months of pretty consistent malware volume, different peak dates and malware campaigns it’s very interesting to note that all three countries had their troughs in the same week, if not the same day, at the at the end of June. No, not early summer holidays for these countries or their attackers, but instead, a very significant political event so-called Brexit (“British Exit”) whereby British citizens voted to leave the European Union during a referendum held on Thursday 23rd June. The decision, which came as a shock to many around the world, became known the day after. This whole event was significant and I strongly believe it was no coincidence that typical traffic patterns were affected. Perhaps attackers were waiting for the media to report the result with predictions for the future, largely revolving around economic uncertainty and Britain slipping back into recession, before launching their “post-Brexit” phishing attacks using topical news, as reported the week after.

In the month of June, PredatorPain, an information stealing Trojan capable of capturing passwords, keystrokes, screenshots and other sensitive information, was extremely prevalent in the United Kingdom. Germany had a mixture of malware each constituting significant volume including Vawtrak, another type of information stealing malware forming a botnet primarily focused on gaining unauthorized access to bank accounts through online banking websites, H1N1, and a single variant of the Andromeda downloader Trojan that alone was the most prevalent sample of the month. France also saw significant volume of the H1N1 Trojan downloader, which is capable of receiving remote commands from a command and control (C2) server in order to download and execute further malicious payloads.

Turkey, Saudi Arabia and United Arab Emirates

These three countries form part of the Middle East region and the emerging markets of the world. Turkey’s economic growth relies primarily on services, much like the European countries in the first regional threat report, however Saudi Arabia and United Arab Emirates (UAE) are extremely reliant on their oil and industrial sectors, although the UAE is diversifying into services and other sectors. The diversity of these countries, not to mention the greater Middle East region, their natural resources and foreign policies makes for a very interesting cyber attack landscape, an example of which, dubbed the OilRig campaign,  describes some targeted attacks, against various industries and countries.

It’s no surprise to learn that all three countries saw Locky campaigns throughout the month of July but also multiple attacks using the LuminosityLinkRAT (Remote Access Trojan) that has many features including an aggressive key logger that injects its code in almost every running process on the system. Once installed the attacker effectively has full control over the victim’s machine with the ability to retrieve user credentials, record web cameras and more.

trend_8trend_9 Saudi Arabia and UAE saw other common malware families not present in Turkey, such as NetWireRAT, which has shown an uptick trend_10the rise trend_11globally   often using Microsoft Excel documents attached to phishing emails that use macros to launch the malicious payload, whereas in Saudi Arabia and UAE, the emails included the executable files directly implying either different actors behind the attacks or an assumption about targets not filtering such file type attachments. Atmos malware – a polymorphic variant of Citadel (which is based on ZeuS) targeting financial and confidential user data is also trending upwards trend_12in these two countries.

Neutrino point-of-sale (PoS) malware was seen in Turkey and UAE during July. Neutrino attempts to scrape credit card information from memory on the infected system. UAE saw one variant of this malware over twenty one SMTP sessions using blank email subject lines and attachment “Payment TT copy with Invoice.exe” primarily affecting the Energy sector.

trend_13

Like the United Kingdom, the PredatorPain information stealing Trojan was present in Turkey in July, however on this occasion the malware was delivered through an exploit in a Rich Text Document (RTF) file taking advantage of a 2012 vulnerability causing a buffer overflow in the ListView / TreeView ActiveX controls present in the MSCOMCTL.OCX library. The fact this exploit was so old proves that attackers will often use such techniques as they are still successful, unfortunately.

Patching systems as a security practice is as critical now as it ever has been, if not more so, given the advancements in Exploit Kits largely automating the exploitation and delivery malware but you can prioritize by focusing on vulnerabilities being used by attackers in the wild, followed by vulnerabilities with known exploits and Proofs of Concept.

After Locky, related downloader malware and PredatorPain, the Pony Trojan was the next most prevalent malware in all three countries. Pony is a popular piece of commodity malware capable of downloading further payloads but also comes equipped with a number of plugins to stealing stored credentials for various file transfer clients, web browsers and email applications. Whilst global trends for this malware were trending down slightly during this time the volume seen in the three countries was consistent and at quite high volume, relatively speaking, with Higher Education and Finance sectors being most affected.

Conclusion

EMEA is a socially and economically diverse region with many interesting assets whether they be citizen data, financial information or natural resources and, as such, is a target for cyber criminals the world over.

It’s interesting to consider that information-stealing malware, such as PredatorPain, is prevalent in countries that have a more service-based economy that manage and process plenty of user data and personally identifiable information (PII).

Some of the other countries analyzed that are more reliant on industrial sectors and natural resources seem to have more cyber attacks using RATs providing full control to remote attackers and use of key-logging technologies to harvest data.

Currently on its fourth iteration the regional threat reports have proved useful and, based on feedback, discussions are now ongoing about releasing publicly and expanding beyond the EMEA region as well, so watch this space so you too can get a better understanding of what's going on in different countries, sub-regions and industry verticals around the world.

Cyber Hygiene

The threat landscape is vast and can be complex but you can minimize your risk of infection and enhance the overall health of your network by following some basic cyber hygiene habits:

Patch systems and applications wherever (and as soon as) possible. Alternatively, focus on other security solutions, such as exploit prevention technology to protect those systems and applications from attack or to help manage patching cycles to suit your requirements. Prioritize patching based on known exploits or in-the-wild-attacks. Segment those unpatched/unpatchable devices in the network with additional access controls based on users or application communication to minimize the risk of exploitation. Perform regular vulnerability scans of systems and review changes to spot new devices or changes in active vulnerabilities.

Change the file association for JavaScript to be opened using notepad (or something else benign) rather than the Windows Scripting Host or other shell capable of executing malcode. This can be done per PC or enterprise-wide using Group Policy.

Educate users and employees of the security risks faced by your organization and perform regular training and reminders about these and how they can help the effort. Provide a platform for users to learn about the risks and to report incidents to security-related staff. Create a culture whereby such reporting is important and valued. Monitor effectiveness of training for the purposes of gap analysis and creating dialogue between security teams and users.

Palo Alto Networks Unit 42 Vulnerability Research December 2016 Disclosures

Posted on by Unit 42

As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have reported six vulnerabilities that have been fixed by Apple, Adobe and Microsoft.

This includes two vulnerabilities in Apple WebKit and impacts iCloud for Windows, Safari, iTunes for Windows, tvOS and iOS.

  1. CVE-2016-7639: Tongbo Luo
  2. CVE-2016-7642: Tongbo Luo

This includes three code execution vulnerabilities affecting Adobe Flash (APSB16-39).

  1. CVE-2016-7873: Tao Yan
  2. CVE-2016-7874: Tao Yan
  3. CVE-2016-7871: Tao Yan

And this includes one memory corruption vulnerability affecting Microsoft Office for the Mac (MS16-148):

  1. CVE-2016-7263: Jin Chen

For current customers with a Threat Prevention subscription, Palo Alto Networks has also released IPS signatures providing proactive protection from these vulnerabilities.

Palo Alto Networks is a regular contributor to vulnerability research in Microsoft, Adobe, Apple, Google Android and other ecosystems. By proactively identifying these vulnerabilities, developing protections for our customers, and sharing the information with the security community, we are removing weapons used by attackers to threaten users, and compromise enterprise, government, and service provider networks.

Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue

Posted on by Robert Falcone

Recently, Palo Alto Networks Unit 42 reported on a new exploitation platform that we called “DealersChoice” in use by the Sofacy group (AKA APT28, Fancy Bear, STRONTIUM, Pawn Storm, Sednit).  As outlined in our original posting, the DealersChoice exploitation platform generates malicious RTF documents which in turn use embedded OLE Word documents. These embedded OLE Word documents then contain embedded Adobe Flash (.SWF) files that are designed to exploit Abode Flash vulnerabilities.

At the time of initial reporting, we found two variants:

  1. Variant A: A standalone variant that included Flash exploit code packaged with a payload.
  2. Variant B: A modular variant that loaded exploit code on-demand and appeared non-operational at the time.

Since that time, we have been able to collect additional samples of the weaponized documents that the DealersChoice exploitation platform generates. These latest, additional samples are all Variant B samples. Two of these samples were found to have operational command and control servers which allowed us to collect and analyze additional artifacts associated with the attack.

In late October 2016 Adobe issued Adobe Security Bulletin APSB16-36 to address CVE-2016-7855. In early November 2016 Microsoft issued Microsoft Security Bulletin MS16-135 to address CVE-2016-7255.

Both of these were in response to active exploitation of zero-day vulnerabilities thought by other researchers to be associated with the Sofacy group. Additional reporting as well as our own analysis indicates the exploit code for the Adobe Flash vulnerability CVE-2016-7855 was indeed delivered using DealersChoice. In-house testing also reveals customers of Palo Alto Networks Traps end-point agent are protected by the new exploit code.

Deal Me In: Finding Live C2 Servers

In our previous blog discussing DealersChoice, we identified the steps that Variant B would take once executed on a victim host, but were unable to successfully interact with the command and control (C2) server identified at the time.

We have since discovered two fully operational and active C2 servers (versiontask[.]com and postlkwarn[.]com) that followed the exact steps we outlined in the blog; loading the additional Flash exploit code into memory, following by loading the associated payload also into memory. Figure 1 details the workflow of victim to C2 communications.

dealerschoice2_1

Figure 1 Workflow of DealersChoice

The ActionScript within Variant B will interact with the C2 server, specifically to obtain a malicious SWF file and a payload. This process starts with an initial beacon to the C2 server that contains system information and the victim’s Adobe Flash Player version. Figure 2 shows the beacon sent by the ActionScript to the C2 server.

dealerschoice2_2

Figure 2 Initial beacon from DealersChoice to its C2 server

The C2 responds to the initial beacon with strings that DealersChoice’s ActionScript uses as variables in upcoming actions, such as additional HTTP requests and the decryption of the responses to those requests. Figure 3 shows the C2 server’s response to the beacon, specifically including  k1, k2, k3 and k4 values.

dealerschoice2_3

Figure 3 C2 response to beacon provides DealersChoice tokens and keys needed to decrypt data

The ActionScript then uses the k1 variable from the C2 response data as a token within the HTTP request sent back to the C2 server to obtain the malicious SWF file, as seen in Figure 4.

The C2 server will respond to this request with data that the ActionScript will decrypt using the value of the k3 variable.

The active C2 servers provided Variant B with a malicious SWF file that was the same SWF file found within Variant A samples that exploited CVE-2015-7645 (addressed in October 2016 in Adobe Security Bulletin APSA15-05).

c42a0d50eac9399914090f1edc2bda9ac1079edff4528078549c824c4d023ff9
45a4a376cb7a36f8c7851713c7541cb7e347dafb08980509069a078d3bcb1405

dealerschoice2_4

Figure 4 DealersChoice HTTP request to obtain a malicious SWF file to exploit Adobe Flash Player

After receiving the malicious SWF file, Variant B will then issue an HTTP request using the k2 variable as a token to obtain its payload, as seen in Figure 5. The C2 will respond to this request with data that Variant B will decrypt using the value in the k4 variable as a key. The resulting decrypted data contains shellcode and a payload that the shellcode decrypts and executes.

dealerschoice2_5

Figure 5 DealersChoice HTTP request to obtain shellcode and payload to execute upon successful exploitation

The active C2 servers versiontask[.]com and postlkwarn[.]com provided shellcode that decrypts and executes a payload which in both cases was a loader Trojan that extracts and decrypts an embedded DLL that it saves to the system.

5dd3066a8ee3ab5b380eb7781c85e4253683cd7e3eee1c29013a7a62cd9bef8c fa8b4f64bff799524f6059c3a4ed5d169e9e7ef730f946ac7ad8f173e8294ed8

In both cases, the DLL saved to the system is a variant of Sofacy’s tool that uses the Carberp source code.

82213713cf442716eac3f8c95da8d631aab2072ba44b17dda86873e462e10421 3ff1332a84d615a242a454e5b29f08143b1a89ac9bd7bfaa55ba0c546db10e4b

The two variants of the Seduploader tool share a common C2 domain of apptaskserver[.]com, with differing backup C2 domains of appservicegroup[.]com and joshel[.]com.

Ace in the Hole: Analyzing Victim Fingerprinting

In the process of analyzing Variant B’s active C2 server, we wanted to test our hypothesis that the C2 server would load different exploit code dependent on victim fingerprinting.  We tested this by providing different responses to the C2 server.

First, we issued requests to the C2 server from a VPN located in California, USA and the server did not respond to the requests. We then connected to another VPN located in the Middle East and issued the same requests, at which point the C2 server responded with a malicious SWF and payload. This fact suggests that the Sofacy group uses geolocation to filter out requests that originate from locations that do not coincide with the location of their target.

We then issued several requests to test the C2 and each time the server responded with different k1, k2, k3 and k4 variables, suggesting that the server randomly chooses these values for each inbound request.

To further test the C2 server logic we created requests that contained different values for the operating system and Flash player version. When we sent the HTTP requests to the C2 server with the Adobe Flash Player version set to 23.0.0.185, the most recent Flash version vulnerable to CVE-2016-7855, the server responded with a compressed SWF file (SHA256: c993c1e10299162357196de33e4953ab9ab9e9359fa1aea00d92e97e7d8c5f2c) that exploited that very vulnerability.

Finally, when we issued requests to the C2 server indicating the victim was a macOS system, the C2 server served the same malicious SWF file and Windows payload as before, suggesting that the Sofacy group is not using DealersChoice to check operating system type for its victims at this time.

In all cases the payload delivered by the C2 server is a loader Trojan (SHA256: 3bb47f37e16d09a7b9ba718d93cfe4d5ebbaecd254486d5192057c77c4a25363) that installs a variant of Seduploader (SHA256: 4cbb0e3601242732d3ea7c89b4c0fd1074fae4a6d20e5f3afc3bc153b6968d6e), which uses a C2 server of akamaisoftupdate[.]com.

Show Your Hand: Decoy Documents

Six documents were collected for this wave of DealersChoice attacks, all appearing to be Variant B, using similar lures to what we had observed in the previous wave. The six filenames we discovered were:

  • Operation_in_Mosul.rtf – an article about Turkish troops in Mosul
  • NASAMS.doc – a document that is a copy of an article regarding the purchase of a Norwegian missile defense system by the Lithuanian Ministry of National Defence
  • Programm_Details.doc – a document that is a copy of the schedule of a cyber threat intelligence conference in London, targeting a Ministry of Defense of a country in Europe
  • DGI2017.doc – a document targeted at a Ministry of Foreign Affairs of a Central Asian country regarding the agenda for the Defence Geospatial Intelligence gathering in London
  • Olympic-Agenda-2020-20-20-Recommendations.doc – a document containing details of agreements for the 2020 Olympics
  • ARM-NATO_ENGLISH_30_NOV_2016.doc – a document outlining an agreement between the Republic of Armenia and NATO

dealerschoice_figure_6

Figure 6. Collected decoy documents for current wave of attacks

Unlike the first DealersChoice attacks, these documents used stripped out or forged metadata in order to add in an additional layer of obfuscation. Two of the documents, NASAMS.doc and Programm_Details.doc shared a common, unique username pain in the Last Saved By field. Additionally, each of the weaponized documents continued to use the OfficeTestSideloading technique we had previously reported on. This was the technique we had discovered the Sofacy group began using over this past summer as a way to sideload DLL files using a performance test module built into the Microsoft Office suite as well as maintain persistence on the victim host.

Filename Author Last Saved By Subject SHA256
Operation_in_Mosul.rtf Robert Tasevski ---- Turkish troops in Mosul f5d3e827…
NASAMS.doc Антон Гладнишки pain Norwegian missile defense system 1f81609d…
Programm_Details.doc Laci Bonivart pain Conference schedule 1579c7a1…
DGI2017.doc Невена Гамизов Невена Гамизов Conference schedule c5a389fa…
Olympic-Agenda-2020-20-20-Recommendations.doc admin User Recommendations for 2020 Olympics 13718586…
ARM-NATO_ENGLISH_30_NOV_2016.doc User User NATO agreement 73ea2cce…

 

The six first-stage C2 domains for the weaponized documents were all registered by unique registrant emails. Versiontask[.]com and Uniquecorpind[.]com appear to be completely new infrastructure, not sharing any artifacts with previously observed Sofacy group campaigns.

Type Domain Date Registered Registrant Email
First stage C2 Versiontask[.]com 2016-10-24 dalchi0@europe.com
First stage C2 Uniquecorpind[.]com 2016-10-25 yasiner@myself.com
First stage C2 Securityprotectingcorp[.]com 2016-08-19 ottis.davis@openmailbox.org
First stage C2 Postlkwarn[.]com 2016-11-11 fradblec@centrum.cz
First stage C2 adobeupgradeflash[.]com 2016-11-22 nuevomensaje@centrum.cz
First stage C2 globalresearching[.]org 2016-11-18 carroz.g@mail.com

Six second stage C2 domains for the Seduploader payloads delivered by DealersChoice were identified.

Type Domain Date Registered Registrant Email
Seduploader C2 Joshel[.]com 2016-11-11 germsuz86@centrum.cz
Seduploader C2 Appservicegroup[.]com 2016-10-19 olivier_servgr@mail.com
Seduploader C2 Apptaskserver[.]com 2016-10-22 partanencomp@mail.com
Seduploader C2 Akamaisoftupdate[.]com 2016-10-26 mahuudd@centrum.cz
Seduploader C2 globaltechresearch[.]org 2016-11-21 morata_al@mail.com
Seduploader C2 researchcontinental[.]org 2016-12-02 Sinkholed

Much like the first stage C2 domains, the five non-sinkholed second stage C2 domains were registered recently and used unique registrant email addresses previously unused by the Sofacy group. However, each of these domains used nameservers commonly associated with the Sofacy group, ns*.carbon2u[.]com and ns*.ititch[.]com. The domain akamaisoftupdate[.]com revealed additional artifacts linking it back to previous Sofacy group campaigns. Based off passive DNS data, we discovered akamaisoftupdate[.]com resolving to 89.45.67.20. On the same class C subnet, we discovered 89.45.67.189, which previously had resolved to updmanager[.]net, a well reported domain in use by the Sofacy group.

The domain securityprotectingcorp[.]com was also found to have links to previous Sofacy group infrastructure. It was registered a couple of months prior, but analysis of the registrant email address revealed that it had also been used to register microsoftsecurepolicy[.]org, which using passive DNS data we found had resolved to 40.112.210.240, a sinkhole with several other Sofacy group associated domains. Several of the corresponding sinkholed domains have been used over the years for multiple purposes by the Sofacy group, as C2s for multiple tools such as Azzy or XAgent, or to host phishing sites to gather credentials from targets.

dealerschoice2_7

Figure 7 Chart of DealersChoice infrastructure

Conclusion

It appears evident at this time that the Sofacy group is actively using the DealersChoice tool, specifically the Variant B, to attack targets of interest. As evidenced by the delivery of exploit code for a recently patched  vulnerability in Flash (which was used in zero-day attacks), we can see how the malware provides flexibility in exploitation methodology and is truly a platform in itself. New infrastructure does appear to have been created for DealersChoice, but as we have seen in the past, the Sofacy group has a tendency to reuse artifacts from previous campaigns and this is no exception. Palo Alto Networks customers may learn more and are protected via:

Note that even though CVE-2016-7855 was a zero-day vulnerability, Palo Alto Networks customers would have been protected by our Traps endpoint agent as seen in Figure 8.

dealerschoice2_8

Figure 8 Palo Alto Networks Traps blocking exploitation of the CVE-2016-7855 vulnerability

Indicators of Compromise

Document Hashes:

f5d3e827c3a312d018ef4fcbfc7cb5205c9e827391bfe6eab697cc96412d938e
1f81609d9bbdc7f1d2c8846dcfc4292b3e2642301d9c59130f58e21abb0001be
1579c7a1e42f9e1857a4d1ac966a195a010e1f3d714d68c598a64d1c83aa36e4
c5a389fa702a4223aa2c2318f38d5fe6eba68c645bc0c41c3d8b6f935eab3f64
137185866649888b7b5b6554d6d5789f7b510acd7aff3070ac55e2250eb88dab
73ea2ccec2cbf22d524f55b101d324d89077e5718922c6734fef95787121ff22

DealersChoice C2s:

Versiontask[.]com
Uniquecorpind[.]com
Securityprotectingcorp[.]com
postlkwarn[.]com
adobeupgradeflash[.]com
researchcontinental[.]org

Seduploader C2s:

Appservicegroup[.]com
Apptaskserver[.]com
Akamaisoftupdate[.]com
Joshel[.]com
globaltechresearch[.]org
researchcontinental[.]org

Get the latest news, invites to events, and threat alerts

Default Heading

Read the article Right Arrow