Malware

Aveo Malware Family Targets Japanese Speaking Users

Clock Icon 5 min read

This post is also available in: 日本語 (Japanese)

Palo Alto Networks has identified a malware family known as ‘Aveo’ that is being used to target Japanese speaking users. The ‘Aveo’ malware name comes from an embedded debug string within the binary file. The Aveo malware family has close ties to the previously discussed FormerFirstRAT malware family, which was also witnessed being used against Japanese targets. Aveo is disguised as a Microsoft Excel document, and drops a decoy document upon execution. The decoy document in question is related to a research initiative led by the Ido Laboratory at the Saitama Institute of Technology. Upon execution, the Aveo malware accepts a number of commands, allowing attackers to take full control over the victim machine.

Deployment

The Aveo malware sample disguises itself as a Microsoft Excel document, as the icon below demonstrates. Note that the filename of ‘malware.exe’ is simply a placeholder, as the original filename is unknown.

Aveo Malware 1

Figure 1 Microsoft Excel icon used by Aveo malware

The executable is in fact a WinRAR self-extracting executable file, which will drop the decoy document and Aveo Trojan upon execution. The following decoy document is dropped and subsequently opened when run.

Aveo Malware 2

Figure 2 Decoy document used with Aveo malware

This decoy document is hosted on the Ido Laboratory and contains information about a 2016 research initiative. The document lists participants in the 16th CAVE workshop, including names, affiliations, and email addresses of those involved. The document, written in Japanese, as well as the filename of this document, “CAVE研究会参加者.xls”, indicates that this malware was used to target one or more Japanese speaking individuals. Additionally, the similarities between the Aveo and FormerFirstRAT malware families, which will be discussed later in the post, further add evidence that Japanese speakers are being targeted.

Infrastructure

The Aveo Trojan is configured to communicate with the following domain name over HTTP.

  • snoozetime[.]info

This domain was first registered in May 2015 to ‘jack.ondo@mail.com’. Since that time, it has since been associated with the following three IP addresses:

  • 104.202.173[.]82
  • 107.180.36[.]179
  • 50.63.202[.]38

All IP addresses in question are located within the United States.

Aveo Malware 3

Figure 3 PassiveTotal screenshot showing associated IP addresses with snoozetime[.]info

The WHOIS information for snoozetime[.]info lists a registrant email address of ‘jack.ondo@mail[.]com’ and a name of ‘aygt5ruhrj aygt5ruhrj gerhjrt’. Pivoting off of these two pieces of information to domains that share the same yields the following additional domains and email addresses.

  • bluepaint[.]info
  • coinpack[.]info
  • 7b7p[.]info
  • donkeyhaws[.]info
  • europcubit[.]com
  • jhmiyh.ny@gmail[.]com
  • 844148030@qq[.]com

Malware Analysis

After running the self-extracting executable, a number of files are dropped to the file system and the following execution flow is witnessed:

Aveo Malware 4

Figure 4 Malware execution flow

When the mshelp32.exe executable runs, it begins by reading in the setting32.ini file, which contains the name of the decoy document. This information is used to build a batch script, such as the following.

This batch script is executed within a new process, and acts as a simple cleanup script that runs after Aveo and the decoy document are executed.

Aveo Malware Family

The Aveo malware initially runs an install routine, which will copy itself to the following location:

  • %APPDATA%\MMC\MMC.exe

If for any reason the %APPDATA%\MMC directory is unable to be created, Aveo will use %TEMP% instead of %APPDATA%.

After the malware copies itself, it will execute MMC.exe in a new process with an argument of the original filename. When executed, if this single argument is provided, the malware will delete the file path provided.

After the installation routine completes, Aveo will exfiltrate the following victim information to a remote server via HTTP.

  • Unique victim hash
  • IP Address
  • Microsoft Windows version
  • Username
  • ANSI code page identifier

This information is exfiltrated to the ‘snoozetime[.]info’ domain, as seen in the following example HTTP request:

To encrypt the provided data, the malware makes use of the RC4 algorithm, using a key of ‘hello’. As shown in the following image, the encryption routines between Aveo and FormerFirstRAT are almost identical, with only the algorithms and keys being changed.
Aveo Malware 5

Figure 5 Comparison of encryption function between Aveo and FormerFirstRAT

In order to decrypt the data provided via HTTP, the following code may be used:

Running the code above yields the following results:

After the initial victim information is exfiltrated, the malware expects a response of ‘OK’. Afterwards, Aveo will spawn a new thread that is responsible for handling interactive command requests received by the command and control (C2) server, as well as requests to spawn an interactive shell.

Aveo proceeds to set the following registry key to point towards the malware’s path, thus ensuring persistence across reboots:

HKCU\software\microsoft\windows\currentversion\run\msnetbridge

A command handler loop is then entered, where Aveo will accept commands from the remote C2. While the Aveo malware family awaits a response, it will perform sleep delays of randomly chosen intervals between 0 and 3276 milliseconds. Should the C2 server respond with ‘toyota’, it will set that interval to 60 seconds. Aveo accepts the following commands, shown with their associated function.

  • 1 : Execute command in interactive shell
  • 2 : Get file attributes
  • 3 : Write file
  • 4 : Read file
  • 5 : List drives
  • 6 : Execute DIR command against path

The following example request demonstrates the C2 server sending the ‘ipconfig’ command to the Aveo malware.

C2 Request

Aveo Response

Conclusion

Aveo shares a number of characteristics with FormerFirstRAT, including encryption routines, code reuse, and similarities in C2 functionality. Aveo is far from the most sophisticated malware family around. As witnessed in the previously discussed FormerFirstRAT sample, this related malware family also looks to be targeting Japanese speaking users. Using a self-extracting WinRAR file, the malware drops a decoy document, a copy of the Aveo malware, and a cleanup script.

Palo Alto Networks customers are protected from this threat in the following ways:

  • An AutoFocus tag has been created to track and monitor this threat
  • WildFire classifies Aveo samples as malicious
  • C2 domains listed in this report are blocked through Threat Prevention.

Indicators of Compromise

SHA256 Hashes

9dccfdd2a503ef8614189225bbbac11ee6027590c577afcaada7e042e18625e2
8101c298a33d91a985a5150d0254cf426601e4632250f5a03ddac39375e7fb4d

C2 Domains

snoozetime[.]info

Registry Keys

HKCU\software\microsoft\windows\currentversion\run\msnetbridge

File Paths

%APPDATA%\MMC\MMC.exe
%TEMP%\MMC\MMC.exe

Enlarged Image