Asheer Malhotra – McAfee Blogs (https://www.mcafee.com/blogs), Securing Tomorrow. Today.

‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/
Wed, 12 Dec 2018


This post was written with contributions from the McAfee Advanced Threat Research team.  

The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.

Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags. Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community.

Read our full analysis of Operation Sharpshooter.

Have we seen this before?

This campaign, while masquerading as legitimate industry job recruitment activity, gathers information to monitor for potential exploitation. Our analysis also indicates similar techniques associated with other job recruitment campaigns.

Global impact

In October and November 2018, the Rising Sun implant appeared in 87 organizations across the globe, predominantly in the United States, based on McAfee telemetry and our analysis. Based on other campaigns with similar behavior, most of the targeted organizations are English speaking or have an English-speaking regional office. This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest. The McAfee Advanced Threat Research team has observed that the majority of targets were defense and government-related organizations.

Targeted organizations by sector in October 2018. Colors indicate the most prominently affected sector in each country. Source: McAfee® Global Threat Intelligence.

Infection flow of the Rising Sun implant, which eventually sends data to the attacker’s control servers.

Conclusion

Our discovery of this new, high-function implant is another example of how targeted attacks attempt to gain intelligence. The malware moves in several steps. The initial attack vector is a document that contains a weaponized macro to download the next stage, which runs in memory and gathers intelligence. The victim’s data is sent to a control server for monitoring by the actors, who then determine the next steps.

We have not previously observed this implant. Based on our telemetry, we discovered that multiple victims from different industry sectors around the world have reported these indicators.

Was this attack just a first-stage reconnaissance operation, or will there be more? We will continue to monitor this campaign and will report further when we or others in the security industry receive more information. The McAfee Advanced Threat Research team encourages our peers to share their insights and attribution of who is responsible for Operation Sharpshooter.

Indicators of compromise

MITRE ATT&CK™ techniques

  • Account discovery
  • File and directory discovery
  • Process discovery
  • System network configuration discovery
  • System information discovery
  • System network connections discovery
  • System time discovery
  • Automated exfiltration
  • Data encrypted
  • Exfiltration over command and control channel
  • Commonly used port
  • Process injection

Hashes


Control servers

  • 34.214.99.20/view_style.php
  • 137.74.41.56/board.php
  • kingkoil.com.sg/board.php

Document URLs

  • hxxp://208.117.44.112/document/Strategic Planning Manager.doc
  • hxxp://208.117.44.112/document/Business Intelligence Administrator.doc
  • hxxp://www.dropbox.com/s/2shp23ogs113hnd/Customer Service Representative.doc?dl=1

McAfee detection

  • RDN/Generic Downloader.x
  • Rising-Sun
  • Rising-Sun-DOC
Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/
Wed, 25 Apr 2018

McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. In this post, we dive deeply into this campaign. For a brief overview of this threat, see “Global Malware Campaign Pilfers Data from Critical Infrastructure, Entertainment, Finance, Health Care, and Other Industries.”

Our investigation into this campaign reveals that the actor used multiple malware implants, including an unknown implant with capabilities similar to Bankshot. From March 18 to 26 we observed the malware operating in multiple areas of the world. This new variant resembles parts of the Destover malware, which was used in the 2014 Sony Pictures attack.

Furthermore, the Advanced Threat Research team has discovered Proxysvc, which appears to be an undocumented implant. We have also uncovered additional control servers that are still active and associated with these new implants. Based on our analysis of public and private information from submissions, along with product telemetry, it appears Proxysvc was used alongside the 2017 Destover variant and has operated undetected since mid-2017.

The attackers behind Operation GhostSecret used a similar infrastructure to earlier threats, including SSL certificates used by FakeTLS in implants found in the Destover backdoor variant known as Escad, which was used in the Sony Pictures attack. Based on our technical analysis, telemetry, and data from submissions, we can assert with high confidence that this is the work of the Hidden Cobra group. The Advanced Threat Research team uncovered activity related to this campaign in March 2018, when the actors targeted Turkish banks. These initial findings appear to be the first stage of Operation GhostSecret. For more on the global aspect of this threat, see “Global Malware Campaign Pilfers Data from Critical Infrastructure of Entertainment, Finance, Health Care, and Other Industries.”

Analysis

The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018. This implant appears to be a derivative of implants authored before by Hidden Cobra and contains functionality similar to that of Bankshot, with code overlaps from other Hidden Cobra implants. However, the variant is not based on Bankshot. Our analysis of the portable executable’s rich-header data reveals that the two implants were compiled in different development environments. (The PE rich header is an undocumented part of a Windows executable that reveals unique information to identify the Microsoft compiler and linker used to create the program. It is helpful for identifying similarities between malware variants to establish common development environments.) Our analysis of the code and PE rich header indicates that Bankshot, Proxysvc, and the Destover-like implant are distinct families, but also contain overlapping code and functionality with current tools of Hidden Cobra.

PE rich header data from the 2018 Bankshot implant.

PE rich header data from the new February 2018 implant.

PE rich header data from Proxysvc.dll.

When we compared the PE rich header data of the new February 2018 implant with a variant of Backdoor.Escad (Destover) from 2014 shortly before the Sony Pictures attack, we found the signatures to be identical. The Destover-like variant is 83% similar in code to a 2015 variant and contains the same rich PE header signature as the Backdoor.Escad variant we analyzed. Thus the new implant is likely a derivative of components of Destover. We determined that the implant is not a direct copy of well-known previous samples of Destover; rather, Hidden Cobra created a new hybrid variant using functionality present in earlier versions.
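The PE rich header comparison above can be reproduced with a small decoder. The following is an added example, not McAfee's tooling: it decodes the XOR-masked "DanS ... Rich" block, recovers the (product id, build, count) entries that fingerprint the compiler and linker, and checks whether two files share the same toolchain set even when their per-file XOR keys differ. The sample entries and keys are constructed, not values from Bankshot or Destover.

```python
import hashlib
import struct

# Rich header layout as stored in the DOS stub, before the "PE\0\0" header:
#   ("DanS" ^ key), 3 x (0 ^ key), then (compid ^ key, count ^ key) pairs, then "Rich", key
# compid packs the product id in the high 16 bits and the build number in the low 16 bits.
RICH_MARK = b"Rich"
DANS = 0x536E6144  # "DanS" read as a little-endian DWORD

# Constructed sample entries: (product_id, build_number, use_count). Not real values.
SAMPLE_ENTRIES = [(0x00DE, 0x6274, 10), (0x00DF, 0x6274, 3), (0x0101, 0x6274, 1)]


def parse_rich_header(data: bytes):
    """Decode the Rich header found in `data` (a PE file or a DOS-stub fragment).

    Returns (entries, key, clear): entries is a list of (product_id, build, count),
    key is the per-file XOR key, clear is the decoded header used for fingerprinting.
    """
    end = data.find(RICH_MARK)
    if end == -1 or end + 8 > len(data):
        raise ValueError("no Rich marker found")
    key = struct.unpack_from("<I", data, end + 4)[0]
    # Walk backwards from "Rich" one DWORD at a time until the masked "DanS" appears.
    pos = end - 4
    words = []
    while pos >= 0:
        w = struct.unpack_from("<I", data, pos)[0] ^ key
        words.insert(0, w)
        if w == DANS:
            break
        pos -= 4
    else:
        raise ValueError("no DanS marker found")
    if len(words) < 4 or words[1:4] != [0, 0, 0]:
        raise ValueError("malformed Rich header padding")
    entries = []
    for i in range(4, len(words) - 1, 2):
        compid, count = words[i], words[i + 1]
        entries.append((compid >> 16, compid & 0xFFFF, count))
    clear = b"".join(struct.pack("<I", w) for w in words)
    return entries, key, clear


def rich_fingerprint(clear: bytes) -> str:
    """MD5 over the decoded header; files from the same build environment share it."""
    return hashlib.md5(clear).hexdigest()


def same_toolchain(a: bytes, b: bytes) -> bool:
    """True when two files carry identical Rich entries, regardless of their XOR keys."""
    return parse_rich_header(a)[0] == parse_rich_header(b)[0]


def build_rich_header(entries, key: int) -> bytes:
    """Construct a masked Rich header blob; used here only to create test input."""
    words = [DANS, 0, 0, 0]
    for prod, build, count in entries:
        words += [(prod << 16) | build, count]
    blob = b"".join(struct.pack("<I", w ^ key) for w in words)
    return blob + RICH_MARK + struct.pack("<I", key)


if __name__ == "__main__":
    fake_pe = b"MZ" + b"\x00" * 62 + build_rich_header(SAMPLE_ENTRIES, 0x12345678) + b"PE\x00\x00"
    entries, key, clear = parse_rich_header(fake_pe)
    print(f"key=0x{key:08x} entries={entries} fingerprint={rich_fingerprint(clear)}")
```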

2014 Backdoor.Escad (hash: 8a7621dba2e88e32c02fe0889d2796a0c7cb5144).

2015 Destover variant (7fe373376e0357624a1d21cd803ce62aa86738b6).

The February implant fe887fcab66d7d7f79f05e0266c0649f0114ba7c was obtained from an unknown submitter in the United States on February 14, two days after it was compiled. This Korean-language file used the control server IP address 203.131.222.83. The implant is nearly identical to an unknown 2017 sample (8f2918c721511536d8c72144eabaf685ddc21a35) except for the control server addresses: the 2017 sample used 14.140.116.172. Both implants use FakeTLS with PolarSSL, which we saw in previous Hidden Cobra implants. PolarSSL libraries have appeared in implants since the Sony Pictures incident and were used exclusively in the implant Backdoor.Destover. This implant incorporates a custom control server protocol that sends traffic over port 443. The implementation does not format packets as standard SSL records; it uses a custom format that is transmitted as though it were SSL, hence the name FakeTLS. The control server traffic is nearly identical to that of Backdoor.Escad.

TLS traffic in Backdoor.Destover, the 2018 Destover-like variant.

TLS traffic in Backdoor.Escad.

Further research into IP address 14.140.116.172 leads us to additional hidden components involved in the overall infrastructure. Proxysvc.dll contains a list of hardcoded IP addresses, including the preceding address, all located in India. Despite the name, this component is not an SSL proxy, but rather a unique data-gathering and implant-installation component that listens on port 443 for inbound control server connections.

Proxysvc was first collected by public and private sources on March 22 from an unknown entity in the United States. The executable dropper for the component was submitted from South Korea on March 19. McAfee telemetry analysis from March 16 to 21 reveals that Proxysvc components were active in the wild. Our research shows this listener component appeared mostly in higher education organizations. We suspect this component is involved in core control server infrastructure. These targets were chosen intentionally to run Proxysvc because the attacker would have needed to know which systems were infected to connect to them. This data also indicates this infrastructure had been operating for more than a year before its discovery. The Advanced Threat Research team found this component running on systems in 11 countries. Given the limited capabilities of Proxysvc, it appears to be part of a covert network of SSL listeners that allow the attackers to gather data and install more complex implants or additional infrastructure. The SSL listener supports multiple control server connections, rather than a list of hardcoded addresses. By removing the dependency on hardcoded IP addresses and accepting only inbound connections, the control service can remain unknown.

The number of infected systems by country in which Proxysvc.dll was operating in March. Source: McAfee Advanced Threat Research.

The 2018 Destover-like implant appeared in organizations in 17 countries between March 14 and March 18. The impacted organizations are in industries such as telecommunications, health, finance, critical infrastructure, and entertainment.

The number of infected systems by country in which the Destover variant was operating in March. Source: McAfee Advanced Threat Research.

Control Servers

Further investigation into the control server infrastructure reveals the SSL certificate d0cb9b2d4809575e1bc1f4657e0eb56f307c7a76, which is tied to the control server 203.131.222.83, used by the February 2018 implant. This server resides at Thammasat University in Bangkok, Thailand. The same entity hosted the control server for the Sony Pictures implants. This SSL certificate has been used in Hidden Cobra operations since the Sony Pictures attack. Analyzing this certificate reveals additional control servers using the same PolarSSL certificate. Further analysis of McAfee telemetry data reveals several IP addresses that are active, two within the same network block as the 2018 Destover-like implant.

Number of infections by Thammasat University-hosted control servers from March 15–19, 2018. Source: McAfee Advanced Threat Research.

Implant Origins

McAfee Advanced Threat Research determined that the Destover-like variant originated from code developed in 2015. The code reappeared in variants surfacing in 2017 and 2018 using nearly the same functionality and with some modifications to commands, along with an identical development environment based on the rich PE header information.

Both implants (fe887fcab66d7d7f79f05e0266c0649f0114ba7c and 8f2918c721511536d8c72144eabaf685ddc21a35) are based on the 2015 code. When comparing the implant 7fe373376e0357624a1d21cd803ce62aa86738b6, compiled on August 8, 2015, we found it 83% similar to the implant from 2018. The key similarities and differences follow.

Similarities

  • Both variants build their API imports dynamically using GetProcAddress, including wtsapi32.dll for gathering user and domain names for any active remote sessions
  • Both variants contain a variety of functionalities based on command IDs issued by the control servers
  • Common capabilities of both malware:
    • Listing files in directory
    • Creating arbitrary processes
    • Writing data received from control servers to files on disk
    • Gathering information for all drives
    • Gathering process times for all processes
    • Sending the contents of a specific file to the control server
    • Wiping and deleting files on disk
    • Setting the current working directory for the implant
    • Sending disk space information to the control server
  • Both variants use a batch file mechanism to delete their binaries from the system
  • Both variants run commands on the system, log output to a temporary file, and send the contents of the file to their control servers

Differences

The following capabilities in the 2015 implant are missing from the 2018 variant:

  • Creating a process as a specific user
  • Terminating a specific process
  • Deleting a specific file
  • Setting file times for a specific file
  • Getting current system time and sending it to the control server
  • Reading the contents of a file on disk. If the filepath specified is a directory, then listing the directory’s contents.
  • Setting attributes on files

The 2015 implant does not contain the control server IP address as a hardcoded string. Instead it contains a hardcoded sockaddr_in data structure (positioned 0x270 bytes before the end of the binary), passed to the connect() API, that specifies port 443 and the control server IP addresses:

  • 193.248.247.59
  • 196.4.67.45

Both of these control servers used the PolarSSL certificate d0cb9b2d4809575e1bc1f4657e0eb56f307c7a76.
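An analyst can pull that configuration out of a sample without running it. The following is an added example, not McAfee's code: it reads consecutive Winsock sockaddr_in records starting 0x270 bytes before the end of the file and stops at the first record that is not AF_INET. The binary it parses is a constructed stand-in that places the two addresses above at that offset; reading several consecutive records is an assumption about how the two addresses are stored.

```python
import ipaddress
import struct

AF_INET = 2
SOCKADDR_IN_SIZE = 16          # sin_family(2) + sin_port(2) + sin_addr(4) + sin_zero(8)
CONFIG_OFFSET_FROM_END = 0x270  # offset reported for the 2015 Destover variant


def parse_sockaddr_in(buf: bytes):
    """Decode one sockaddr_in; return (ip, port) or None if the record is not a usable AF_INET entry."""
    if len(buf) < SOCKADDR_IN_SIZE:
        return None
    family = struct.unpack_from("<H", buf, 0)[0]  # host byte order on x86
    port = struct.unpack_from(">H", buf, 2)[0]    # sin_port is network byte order
    addr = str(ipaddress.IPv4Address(buf[4:8]))
    if family != AF_INET or port == 0 or addr == "0.0.0.0":
        return None
    return addr, port


def extract_c2_from_binary(data: bytes, max_entries: int = 8):
    """Walk consecutive sockaddr_in records from the configured offset (assumed layout)."""
    start = len(data) - CONFIG_OFFSET_FROM_END
    if start < 0:
        raise ValueError("binary too small to hold the configuration block")
    found = []
    for i in range(max_entries):
        off = start + i * SOCKADDR_IN_SIZE
        entry = parse_sockaddr_in(data[off:off + SOCKADDR_IN_SIZE])
        if entry is None:
            break
        found.append(entry)
    return found


def build_sample_binary(servers, port: int = 443) -> bytes:
    """Constructed stand-in for the implant: filler, then the config block exactly 0x270 bytes from the end."""
    block = b"".join(
        struct.pack("<H", AF_INET) + struct.pack(">H", port)
        + ipaddress.IPv4Address(ip).packed + b"\x00" * 8
        for ip in servers
    )
    filler = b"\x90" * 0x400
    tail = block + b"\x00" * (CONFIG_OFFSET_FROM_END - len(block))
    return filler + tail


if __name__ == "__main__":
    sample = build_sample_binary(["193.248.247.59", "196.4.67.45"])
    for ip, port in extract_c2_from_binary(sample):
        print(f"control server {ip}:{port}")
```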

Proxysvc

At first glance Proxysvc, the SSL listener, looks like a proxy setup tool (to carry out man-in-the-middle traffic interception). However, a closer analysis of the sample reveals it is yet another implant using HTTP over SSL to receive commands from the control server.

Proxysvc appears to be a downloader whose primary capability is to deliver additional payloads to the endpoint without divulging the control address of the attackers. This implant contains a limited set of capabilities for reconnaissance and subsequent payload installations. This implant is a service DLL that can also run as a standalone process.

The ServiceMain() sub function of Proxysvc.

The implant does not initiate connections to a control server IP address or URL. Instead it waits for the control server to connect to it and accepts commands over that connection. The implant binds to port 443 and listens for any incoming connections.

Proxysvc binding itself to the specified port.

Proxysvc begins accepting incoming requests to process. 

Proxysvc makes an interesting check while accepting connections from a potential control server: it compares the source address against the following list of IP addresses. If the incoming request comes from one of them, the implant returns a zero response (ASCII “0”) and shuts down the connection.

  • 121.240.155.74
  • 121.240.155.76
  • 121.240.155.77
  • 121.240.155.78
  • 223.30.98.169
  • 223.30.98.170
  • 14.140.116.172 

SSL Listener Capabilities

The implant receives HTTP-based commands from a control server and parses the HTTP Content-Type and Content-Length from the HTTP header. If the HTTP Content-Type matches the following value, then the implant executes the command specified by the control server:

Content-Type: 8U7y3Ju387mVp49A

HTTP Content-Type comparison with a custom implant value.

The implant has the following capabilities:

  • Writing an executable received from the control server into a temp file and executing it

Proxysvc writing a binary to a temp directory and executing it. 

  • Gathering system information and sending it to the control server. The system information gathered from the endpoint includes:
    • MAC address of the endpoint
    • Computer Name
    • Product name from HKLM\Software\Microsoft\Windows NT\CurrentVersion ProductName
    • This information is concatenated into a single string in the format: “MAC_Address|ComputerName|ProductName” and is sent to the control server
  • Recording HTTP requests from the control server to the temporary file prx in the implant’s install directory with the current system timestamp
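The Content-Type check and the beacon format above give a defender two concrete things to look for in host- or proxy-side captures of the (FakeTLS-wrapped) traffic. The following is an added example, not McAfee's code: it parses captured HTTP requests, flags those carrying the Proxysvc Content-Type value, and recognises the "MAC_Address|ComputerName|ProductName" string. The sample requests are constructed, and the MAC address separator format is an assumption.

```python
import re

PROXYSVC_CONTENT_TYPE = "8U7y3Ju387mVp49A"  # value the implant compares against

# MAC (separator optional; assumption), then computer name and product name, pipe-delimited.
BEACON_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}\|[^|]+\|[^|]+$")


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request_line, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify_request(raw: bytes) -> dict:
    """Flag a request as a Proxysvc command when its Content-Type matches the implant's magic value."""
    request_line, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    clen = int(headers.get("content-length", "0") or 0)
    verdict = {"request_line": request_line, "proxysvc_command": False, "body_complete": None}
    if ctype == PROXYSVC_CONTENT_TYPE:
        verdict["proxysvc_command"] = True
        # The implant reads Content-Length to know how much payload to consume.
        verdict["body_complete"] = len(body) >= clen
    return verdict


def is_proxysvc_beacon(text: str) -> bool:
    """True when text matches the MAC|ComputerName|ProductName system-information string."""
    return bool(BEACON_RE.match(text.strip()))


# Constructed sample captures (not real traffic).
SAMPLE_COMMAND = (
    b"POST / HTTP/1.1\r\nHost: 10.0.0.5\r\n"
    b"Content-Type: 8U7y3Ju387mVp49A\r\nContent-Length: 5\r\n\r\nhello"
)
SAMPLE_BENIGN = (
    b"POST /api HTTP/1.1\r\nHost: 10.0.0.5\r\n"
    b"Content-Type: application/json\r\nContent-Length: 2\r\n\r\n{}"
)

if __name__ == "__main__":
    for raw in (SAMPLE_COMMAND, SAMPLE_BENIGN):
        print(classify_request(raw))
    print(is_proxysvc_beacon("00-11-22-33-44-55|WORKSTATION-1|Windows 7 Professional"))
```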

Analyzing the Main Implant

The February 2018 implant contains a wide variety of capabilities, including data exfiltration and arbitrary command execution on the victim’s system. Given the breadth of commands it can receive from the control server, the implant is a full framework for data reconnaissance and exfiltration and indicates advanced use. For example, it can wipe and delete files, execute additional implants, read data out of files, etc.

The implant begins execution by dynamically loading APIs to perform malicious activities. Libraries used to load the APIs include:

  • Kernel32.dll
  • Advapi32.dll
  • Oleaut32.dll
  • Iphlpapi.dll
  • Ws2_32.dll
  • Wtsapi32.dll
  • Userenv.dll
  • Ntdll.dll

The main implant dynamically loading APIs.

As part of its initialization, the implant gathers basic system information and sends it to its hardcoded control server 203.131.222.83 using SSL over port 443:

  • Country name from the system’s locale
  • Operating system version
  • Processor description from HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ProcessorNameString
  • Computer name and network adapters information
  • Disk space information for disks C: through Z: including total memory in bytes, total available memory in bytes, etc.
  • Current memory status including total physical memory in bytes, total available memory, etc.
  • Domain name and usernames based on current remote sessions

Domain name and username extraction using Win32 WTS APIs.

Data Reconnaissance

The implant receives commands over SSL as encoded data. This data is decoded, and the correct command ID is derived. Valid command IDs reside between 0 and 0x1D.

Switch case handling command execution based on command IDs.

Based on the command ID, the implant can perform the following functions:

  • Gather system information and exfiltrate to the control server (same as the basic data-gathering functionality previously described)
  • Get volume information for all drives on the system (A: through Z:) and exfiltrate to the control server

Gathering volume information.

  • List files in a directory. The directory path is specified by the control server.
  • Read the contents of a file and send it to the control server

Reading file contents and sending them to the control server.

  • Write data sent by the control server to a specified file path

Open handle to a file for writing with no shared permissions.

Writing data received from control server to file.

  • Create new processes based on the file path specified by the control server.

Creating a new process for a binary specified by the control server.

  • Wipe and delete files specified by the control server

Wiping and deleting files.

  • Execute a binary on the system using cmd.exe, logging its output to a temp file that is then read and sent to the control server. The command line:

cmd.exe /c "<file_path> > %temp%\PM*.tmp 2>&1"

Executing a command and logging results to a temp file.

  • Get information for all currently running processes

Getting process times for all processes on the system.

Getting username and domain from accounts associated with a running process.

  • Delete itself from disk using a batch file.

Creating a batch file for self-deletion.

  • Store encoded data received from the control server as a registry value at:

HKLM\Software\Microsoft\Windows\CurrentVersion\TowConfigs Description

  • Set and get the current working directory for the implant

Setting and getting the current working directory for the implant’s process.

The command handler index table is organized in the implant as follows:

The command handler index table.
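Two of the behaviours listed above leave host-visible traces: the cmd.exe redirection into %temp%\PM*.tmp and the write to the TowConfigs registry value. The following is an added example, not McAfee's detection logic: it runs those two patterns over constructed process-creation and registry event lines (Sysmon-style text, not real logs) and also matches the expanded form of %temp% under a user's AppData\Local\Temp, which goes slightly beyond the literal command line shown.

```python
import re

# Command execution pattern as reported: cmd.exe /c "<file_path> > %temp%\PM*.tmp 2>&1".
# Accepts either the literal %temp% variable or an expanded ...\Temp path.
CMD_TEMPLOG_RE = re.compile(
    r'cmd(?:\.exe)?\s+/c\s+"?[^"]*?\s*>\s*(?:%temp%|[A-Za-z]:\\[^"]*?\\temp)\\PM[^\\"]*\.tmp\s+2>&1',
    re.IGNORECASE,
)

# Registry value used to stash encoded data received from the control server.
TOWCONFIGS_RE = re.compile(
    r"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\TowConfigs\b.*\bDescription\b",
    re.IGNORECASE,
)


def scan_events(lines):
    """Return (line_number, reason) for every event line that matches one of the indicators."""
    hits = []
    for n, line in enumerate(lines, 1):
        if CMD_TEMPLOG_RE.search(line):
            hits.append((n, "cmd.exe output redirected to %temp%\\PM*.tmp"))
        elif TOWCONFIGS_RE.search(line):
            hits.append((n, "write to TowConfigs Description registry value"))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    'ProcessCreate Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c "C:\\Users\\Public\\svc.exe > %temp%\\PMA1B2.tmp 2>&1"',
    'ProcessCreate Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c "ipconfig /all"',
    'RegistryEvent EventType=SetValue TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\TowConfigs\\Description',
    'ProcessCreate Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c "C:\\ProgramData\\upd.exe > C:\\Users\\bob\\AppData\\Local\\Temp\\PM1234.tmp 2>&1"',
    'RegistryEvent EventType=SetValue TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater',
]

if __name__ == "__main__":
    for n, reason in scan_events(SAMPLE_EVENTS):
        print(f"line {n}: {reason}")
```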

Conclusion

This analysis by the McAfee Advanced Threat Research team has found previously undiscovered components that we attribute to Hidden Cobra, which continues to target organizations around the world. The evolution in complexity of these data-gathering implants reveals an advanced capability by an attacker that continues its development of tools. Our investigation uncovered an unknown infrastructure connected to recent operations with servers in India using an advanced implant to establish a covert network to gather data and launch further attacks.

The McAfee Advanced Threat Research team will provide further updates as our investigation develops.

Fighting cybercrime is a global effort best undertaken through effective partnerships between the public and private sectors. McAfee is working with Thai government authorities to take down the control server infrastructure of Operation GhostSecret, while preserving the systems involved for further analysis by law enforcement authorities. By creating and maintaining partnerships with worldwide law enforcement, McAfee demonstrates that we are stronger together.  

Indicators of Compromise

McAfee detection

  • Trojan-Bankshot2

MITRE ATT&CK techniques

  • Exfiltration over control server channel: data is exfiltrated over the control server channel using a custom protocol
  • Commonly used port: the attackers used common ports such as port 443 for control server communications
  • Service execution: registers the implant as a service on the victim’s machine
  • Automated collection: the implant automatically collects data about the victim and sends it to the control server
  • Data from local system: local system is discovered and data is gathered
  • Process discovery: implants can list processes running on the system
  • System time discovery: part of the data reconnaissance method, the system time is also sent to the control server
  • File deletion: malware can wipe files indicated by the attacker

IP addresses

  • 203.131.222.83
  • 14.140.116.172
  • 203.131.222.109

Hashes

  • fe887fcab66d7d7f79f05e0266c0649f0114ba7c
  • 8f2918c721511536d8c72144eabaf685ddc21a35
  • 33ffbc8d6850794fa3b7bccb7b1aa1289e6eaa45 

W97M Downloader Serves Vawtrak Malware
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/w97m-downloader-serving-vawtrak/
Wed, 23 Mar 2016

McAfee Labs recently found a variant of the W97M macro malware downloader that runs the Vawtrak malware. Although W97M usually employs Microsoft Office documents to run malicious Visual Basic scripts that download and run malware, this instance of W97M contains an embedded executable that is dropped onto the file system using a malicious macro.

W97M is a malware family comprising all malicious Office files (rich text, Word, Excel, etc.) that rely on macros containing VB scripts to download and run a specific payload from its control servers. Recently McAfee Labs has seen multiple waves of W97M documents serving other malware, especially:

  • Ransomware such as TeslaCrypt and Locky.
  • Banking Trojans such as Dridex.

Vawtrak is a multifunctional malware family with the following capabilities:

  • Stealing FTP passwords from a victim’s system.
  • Stealing certificates from a victim’s system.
  • Stealing credentials and other information via process infection.
  • Malicious code injection in web pages displayed in a browser on a victim’s system.
  • Running arbitrary commands on a victim’s system.

Infection vector and analysis

W97M malware is usually served via malicious email spam campaigns. This instance of W97M, however, is served from compromised websites. These compromised websites might be used with exploit kits or phishing campaigns that trick victims into downloading and running the W97M documents.

Some URLs serving the W97M malware:


The W97M sample appears to have an RSA-encrypted message embedded in its contents. The document asks the victim to “enable content” to view the decrypted contents of the document. This is a standard trick to get the victim to enable the malicious macro, which drops an embedded executable and executes it.


Contents of a malicious W97M document.

The document contains the malicious .exe embedded inside one of its forms. We have seen other examples of W97M embedding commands in forms but not as in the preceding example, in which the entire .exe is embedded in the document.


Embedded .exe in a Visual Basic form.

The malicious macro reads the contents of the form and writes it into an executable in the %temp% directory.


Malicious macro code in the W97M malware.

Second-stage executable

The executable dropped in the %temp% directory is a VB 6 binary. The code is decrypted at runtime and the malware creates a suspended copy of itself that is injected with the malicious code. This malware is a variant of Pony malware.

The primary functions of the second-stage binary:

  • Steal FTP and other login credentials from known FTP software.
  • Download and run the third-stage binary (Vawtrak).


Strings in the second-stage malware indicate the theft of FTP credentials.

Once the second-stage binary has all the credentials it can find, it sends the stolen data to the following control servers:

  • hxxp://tittertte.ru/sliva/gate.php
  • hxxp://tythetru.ru/sliva/gate.php
  • hxxp://rulahat.ru/sliva/gate.php

These domains appear to be under the attackers’ control:

  • They are registered with the same registrar with registrant information hidden.
  • They were registered on the same dates.
  • They expire on the same dates.

This malware targets the following software for credentials:

  • Far Manager
  • Total Commander
  • Ipswitch WS_FTP
  • CuteFTP
  • FlashFXP
  • FileZilla
  • FTP Navigator
  • Bulletproof FTP
  • Smart FTP
  • Turbo FTP
  • FFFTP
  • FTP++
  • GoFTP
  • Cofeecup FTP
  • CoreFTP
  • FTP explorer
  • LeapFTP
  • WinSCP
  • 32BitFTP
  • ClassicFTP
  • SoftX FTP client
  • UltraFXP
  • FTPRush
  • FTPControl
  • FTPVoyager
  • LeechFTP
  • Estsoft ALFTP
  • DeluxeFTP
  • Staff FTP
  • FTP Visicom Media
  • AceBit WiseFTP
  • FreshFTP
  • BlazeFTP
  • 3D-FTP
  • EasyFTP
  • Winzip FTP
  • WinFTP
  • FTPSurfer
  • FTPGetter
  • FTPNow
  • Robo-FTP 3.7
  • Linas FTP Site Manager
  • Notepad++ FTP
  • Coffeecup ftp profile
  • FTPShell
  • MyFTP
  • NovaFTP
  • Yandex
  • Adobe Common SiteServers
  • Frigate3
  • SecureFX
  • Cryer WebsitePublisher
  • BitKinex
  • ExpanDrive
  • NCH Software Fling
  • Directory Opus
  • NetDrive
  • Webdrive
  • Opera
  • Firefox
  • Firefox FireFTP
  • Mozilla Seamonkey
  • Mozilla Flock
  • Mozilla Profiles
  • SiteInfo.qfp SpeedFTP
  • Chrome login and web data
  • Chromium login and web data
  • Chrome plus login and web data
  • Bromium login and web data
  • Nichrome login and web data
  • Comodo login and web data
  • RockMelt login and web data
  • K-Meleon profile data
  • Epic profile data
  • GlobalDownloader
  • NetSarang
  • RDP
  • CyberDuck
  • Putty
  • MAS Soft FTPInfo
  • NexusFile
  • FastStone Browser FTPlist
  • MapleStudio Chromeplus
  • Windows Live Mail
  • Windows Mail
  • RimArts Mail
  • Pocomail
  • Incredimail
  • BatMail
  • MS Internet Account Manager
  • Thunderbird

Once the second-stage malware has uploaded the stolen credentials to the control server, it downloads the third-stage malware from a different set of control servers and runs it:

  • hxxp://awc.asia/wp-content/themes/[masked]/hsg.exe
  • hxxp://teatromanzonicassino.it/wp-content/themes/[masked]/hsg.exe
  • hxxp://www.bisaim.com/wp-content/themes/[masked]/hsg.exe

Third-stage executable

The third-stage executable is the Vawtrak payload (also a VB 6 binary).

The primary purpose of the binary is to infect other running processes in the system and:

  • Steal security certificates.
  • Infect Chrome and Firefox processes to inject malicious code into browsed web pages.
  • Steal financial login credentials for banks.

Process infection and API hooking

The malware spreads across the system by injecting its code into any process that doesn’t appear on the following whitelist:

  • csrss.exe
  • smss.exe
  • wininit.exe
  • services.exe
  • svchost.exe
  • lsas.exe
  • lsm.exe
  • winlogon.exe
  • dbgview.exe
  • taskhost.exe

The malware also looks for the following processes to establish API hooks:

  • Internet Explorer (WinINet)
    •     HttpEndRequest, HttpOpenRequest, HttpQueryInfo, HttpSendRequest,
    •     InternetConnect, InternetQueryDataAvailable, InternetQueryOption, InternetReadFile.
  • Firefox (NSPR I/O functions)
    •     PR_Close, PR_Read, PR_Write, etc.
  • Chrome
    •     LoadLibrary, PFXImportCertStore, etc.
  • Other processes
    •     CreateProcessInternal: to infect any new process spawned by the hooked process.
    •     PFXImportCertStore: to steal certificate information from the victim.

API hooks established by the third-stage malware.

The malware uploads the stolen data to one of the following control servers:

  • castuning.ru/rss/feed/stream
  • mgsmedia.ru/rss/feed/stream
  • puropea.com/rss/feed/stream
  • futooke.com/rss/feed/stream
  • citroxi.com/rss/feed/stream

Infection chain

The stages of infection are illustrated in the following figure:

Infection chain: W97M dropper, second-stage Pony credential stealer, third-stage Vawtrak payload.

Anti-VM measures

Both the second- and third-stage binaries check the monitor resolution with GetMonitorInfoA (user32.dll) and proceed only if the display is larger than 800×600 pixels. Many virtual machines and sandboxes run with a small default display, so the check is a crude test for an analysis environment, intended to thwart some behavior-based detection systems.

Vawtrak’s monitor-resolution check.

Conclusion

This W97M malware differs from typical W97M downloaders in that the second-stage binary is embedded in the document rather than fetched from a control server. This tactic could be a response to the increased focus in the security community on W97M malware and the subsequent blacklisting of its control servers: embedding the .exe in the document removes the need to contact a control server to download and execute the second stage.

The encryption mechanisms and the use of VB 6 in both the second and third stages indicate that both instances of the malware share a common codebase, suggesting they could have been written by the same party.

MD5s

W97M samples. These samples are detected by McAfee as "W97M/Dropper.ao."

  • e56a57acf528b8cd340ae039519d5150
  • 040c51e8c9118cc113c380d530984ba8
  • ef10ea1a8b342dd9f6d1cec46fcd3c0f

Second-stage malware. This sample is detected as "Generic.xy."

  • 4b7623945d31ecd6ff1ed13f0ba1d6e0

Third-stage malware. This sample is detected as "RDN/Generic.cf" and "Vawtrak-FBB."

  • 3e631d530267a38e65afc5b012d4ff0c

Yara rule for W97M Vawtrak dropper

rule W97M_Vawtrak_dropper
{
    meta:
        author = "McAfee"
        description = "W97M_Vawtrak_Dropper"

    strings:
        $asterismal = "asterismal"
        $bootlicking = "bootlicking"
        $shell = "WScript.Shell"
        $temp = "%temp%"
        $oxygon = "oxygon.exe"
        $saxhorn = "saxhorn"
        $fire = "Fire"
        // ASCII hex of "This program cannot be run in DOS mode.": the DOS stub
        // of the embedded executable as it is stored in the document
        $bin = "546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e"

    condition:
        all of them
}


The post W97M Downloader Serves Vawtrak Malware appeared first on McAfee Blogs.

Rovnix Downloader Updated with SinkHole and Time Checks
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rovnix-downloader-sinkhole-time-checks/
Wed, 09 Dec 2015 23:20:33 +0000

McAfee Labs has found that the latest Rovnix downloader now checks whether its control servers have been sinkholed. This relatively new technique makes the malware harder to detect, especially on behavior-based detection systems. Before each network communication session the malware checks for sinkholing of its control servers and does not initiate its malicious activities, such as downloading and running the payload(s), if it concludes that the Domain Name System (DNS) records have been sinkholed. The downloader also uses an uncommon timing check to decide whether to perform its malicious activities.


About Rovnix

Rovnix is a malware family that has been around since 2011. It is a bootkit: it persists by infecting the volume boot record (VBR) and the NT boot loader code so that its driver is loaded before the operating system. Its malicious capabilities include:

  • Stealing banking information from victims by infecting browser processes.
  • Stealing other passwords from the victim’s system.
  • Stealing Bitcoins from the target’s wallets.

The Rovnix malware family is modular in nature. It can:

  • Update its control servers after it has infected the target system.
  • Download new plug-ins, giving it the ability to carry out new malicious activities in the future.
  • Infect both 32- and 64-bit systems with corresponding DLLs and bootkit infection drivers and code.


Sinkholing

DNS translates domain names such as www.website_name.com to IP addresses that can be used by networking applications such as browsers to send and receive content from a web server. For applications that use domain names, DNS requests are the first step in establishing communication with web-based servers. Any malicious application that uses a domain name for its control servers needs to contact a DNS server to translate the domain name into a valid IP address for the servers.

Sinkholing redirects the malware's DNS requests for a control server domain to an address chosen by the sinkhole operator (by changing the domain's authoritative name servers at the registrar or registry, or by resolver policy) instead of the attacker's server IP. This disrupts the communication of the malware with its control server and has several advantages. The malware can no longer:

  • Download commands to execute on the target system.
  • Download new modules or malware to execute on the target system.
  • Exfiltrate stolen data from the target system.
  • Provide its status to the control server (in the case of botnets).
  • Send system statistics to the control server (such as system type, antimalware installed, etc.).
  • Download encryption keys from the control server, thus preventing the target’s files from being encrypted (in the case of ransomware).

Sinkholing has been used to disrupt a wide variety of malware campaigns including Trojans, botnets, ransomware, and other threats.


Sinkhole Detection Technique 

In a simple yet effective technique, the malware fetches the DNS name server (NS) records for the control server domain it is about to contact.

DNSQuery call to fetch DNS name servers.

The returned name server hostnames are then compared against a list of substrings that commonly appear in the name servers of sinkholed domains. The malware looks for the following keywords anywhere in the NS record values:

  • control
  • sink
  • hole
  • dynadot
  • block
  • trojan
  • abuse
  • virus
  • malw
  • hack
  • black
  • spam
  • anti
  • googl

String comparisons against DNS name server values.

Once the DNS name servers pass the sinkhole checks, the malware downloads various modules to steal information from the victim’s machine.
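The check described above, re-implemented as an added example (this is not the malware's code) so that the keyword list can be tried against NS record sets. The NS hostnames are constructed and not real domains; case-insensitive matching, trailing-dot handling and the keyword order are assumptions, since the post lists the keywords but not how the comparison is performed.

```python
"""Re-implementation of the Rovnix NS-record sinkhole check.

Added example, not the malware's code. The NS record sets are constructed;
case-insensitive matching and the keyword order are assumptions, since the
post lists the keywords but not how the comparison is performed.
"""
from typing import Dict, Iterable, Optional

SINKHOLE_KEYWORDS = (
    "control", "sink", "hole", "dynadot", "block", "trojan", "abuse",
    "virus", "malw", "hack", "black", "spam", "anti", "googl",
)


def sinkhole_indicator(ns_records: Iterable[str]) -> Optional[str]:
    """Return the first keyword found as a substring of any NS hostname, or
    None when the domain passes the check (the downloader then proceeds)."""
    for ns in ns_records:
        host = ns.lower().rstrip(".")  # assumption: compare case-folded, no trailing dot
        for keyword in SINKHOLE_KEYWORDS:
            if keyword in host:
                return keyword
    return None


def classify(ns_sets: Dict[str, Iterable[str]]) -> Dict[str, Optional[str]]:
    """Apply the check to several domains' NS sets at once."""
    return {name: sinkhole_indicator(records) for name, records in ns_sets.items()}


# Constructed NS record sets (not real domains).
CONSTRUCTED_NS = {
    # attacker-run name servers: nothing matches, the downloader runs
    "live-c2": ["ns1.bp-hosting.example", "ns2.bp-hosting.example"],
    # what a registrar-level takedown commonly leaves behind
    "sinkholed": ["ns1.sinkhole.example", "ns2.sinkhole.example"],
    # still parked on the registrar's default servers
    "parked": ["NS1.DYNADOT.EXAMPLE.", "NS2.DYNADOT.EXAMPLE."],
    # legitimate hosting that the "googl" keyword flags anyway
    "cloud-dns": ["ns-cloud-a1.googledomains.example"],
}

if __name__ == "__main__":
    for name, hit in classify(CONSTRUCTED_NS).items():
        print(f"{name:10s} -> {'blocked: ' + hit if hit else 'proceed'}")
```

Two things follow from running this. For a sinkhole operator, the check is defeated simply by serving the seized domain from name servers whose hostnames contain none of the fourteen substrings; and because only NS names are inspected, a sinkhole that leaves the authoritative servers alone and changes just the A records passes it. For the attacker, the keyword list is blunt: any control domain parked on the registrar's default servers or hosted on Google's DNS is treated as sinkholed and the downloader refuses to run.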

Domains Contacted

All of the domains that follow are control servers used to download malicious plug-ins/modules. The malware starts by contacting the first server listed. If it cannot contact the first server, it tries contacting the next server listed, and so on.

The domains listed are for MD5: 7ce075e3063782f710d47c77ddfa1261

  • transliteraturniefabriki.com: the first control server for communication and downloading additional plugins.
  • tornishineynarkkek2.org: a backup server. The domain has a history of switching IP addresses.
  • upmisterfliremsnk.net: a backup server. The domain also has a history of switching IP addresses.
  • itnhi4vg6cktylw2.onion: the last server. If none of the other control servers can be contacted, then the malware establishes a connection with this onion address.

Additional control domains seen in other Rovnix downloaders:

  • lastooooomene2ie2e.com
  • ecloud86.com, ecloud87.com, ecloud88.com, ecloud89.com, ecloud90.com, ecloud91.com
  • srvdexpress3.com, srvdexpress4.com, srvdexpress5.com, srvdexpress6.com, srvdexpress7.com
  • elorfans2.com, elorfans3.com, elorfans4.com, elorfans5.com, elorfans6.com
  • tornishineynarkkek.org, tornishineynarkkek3.org
  • mediacontent.us, mediacontent2.us, mediacontent3.us
  • romnsiebabanahujtr.org, romnsiebabanahujtr2.org, romnsiebabanahujtr3.org
  • pg7iuaqu5b7fq36o.onion
  • j7t4lg23tdhag3fn.onion
  • c2bbagrsvbs2v6a7.onion
  • hbs63zj7mwj5g6w7.onion


IP Addresses Hosting the Domains

Several domains in the control server list resolve to the same IP address, which suggests that the actor controls the hosts behind them rather than relying on unrelated shared hosting. For example, the following domains share an IP:

  • lastooooomene2ie2e.com and transliteraturniefabriki.com
  • tornishineynarkkek.org, tornishineynarkkek2.org and upmisterfliremsnk.net
  • ecloud88.com and ecloud89.com
  • srvdexpress3.com, srvdexpress4.com and srvdexpress5.com
  • elorfans3.com and elorfans4.com


Timing Checks

The malware also performs a timing check against public Network Time Protocol (NTP) servers before proceeding with its malicious activities. It compares the time reported by its control server with the time returned by the public time servers; if the difference exceeds a certain threshold, the malware sleeps for a period and then repeats the check. Fetching the time from public NTP servers rather than the local clock is probably a response to analysis sandboxes that fast-forward the local system time to trick the malware into running its malicious code.

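A worked version of that timing check, added here as an example and not taken from the Rovnix sample: it parses the transmit timestamp of an NTP server reply (RFC 5905 layout) and decides whether the control server's clock agrees with it. The NTP reply and the control-server time are constructed so the block runs offline, and the 600-second threshold is an assumption, since the post does not give the value the malware uses.

```python
"""Worked example of the timing check: parse an NTP reply and compare it with
the control server's clock.

Added example, not code from the Rovnix sample. The NTP reply is constructed
(RFC 5905 layout) so the example runs offline; the threshold is an assumption,
since the post does not give the value the malware uses.
"""
import struct

NTP_UNIX_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 to 1970-01-01
DRIFT_THRESHOLD_SECONDS = 600      # assumption: the post only says "a certain threshold"
NTP_PACKET_LEN = 48


def parse_ntp_transmit_time(packet: bytes) -> float:
    """Return the server's transmit timestamp (bytes 40..47) as Unix time.

    Rejects anything that is not a mode-4 (server) reply, so a stray or
    truncated answer cannot be mistaken for a trusted clock reading."""
    if len(packet) < NTP_PACKET_LEN:
        raise ValueError("short NTP packet")
    if packet[0] & 0x07 != 4:
        raise ValueError("not an NTP server reply")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_UNIX_EPOCH_DELTA + fraction / 2 ** 32


def build_ntp_reply(unix_time: float) -> bytes:
    """Constructed mode-4 reply with only the transmit timestamp filled in."""
    whole = int(unix_time)
    seconds = whole + NTP_UNIX_EPOCH_DELTA
    fraction = int((unix_time - whole) * 2 ** 32)
    header = bytes([0x24])  # LI=0, VN=4, mode=4
    return header + bytes(39) + struct.pack("!II", seconds, fraction)


def should_run(c2_time: float, ntp_time: float,
               threshold: float = DRIFT_THRESHOLD_SECONDS) -> bool:
    """The downloader's decision: proceed only if the control server's clock
    and the public NTP clock agree within the threshold; otherwise sleep and retry."""
    return abs(c2_time - ntp_time) <= threshold


if __name__ == "__main__":
    reply = build_ntp_reply(1449702033.5)          # constructed: 2015-12-09 UTC
    ntp_now = parse_ntp_transmit_time(reply)
    print("clocks agree:", should_run(1449702033.5 + 30, ntp_now))
    print("clock jumped:", should_run(1449702033.5 + 6 * 3600, ntp_now))
```

The point for a sandbox operator is that jumping the guest clock forward to shortcut a sleep loop does not move the NTP server's clock, so any sample that reads time over the network can see the jump; the usual countermeasure is to intercept outbound UDP/123 and answer it from a clock the sandbox controls, which is exactly what build_ntp_reply does here.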

Targets 

The downloaders have primarily been encountered in the United States, Canada, Japan, and parts of Europe.

The following map shows a geographic distribution of the Rovnix downloader:

Geographic distribution of the Rovnix downloader infections.


Conclusion

The newest downloader for Rovnix introduces a new method to detect DNS sinkholing. This technique allows the malware to protect itself by not executing its malicious code if the control server has been sinkholed. Multiple server domains hosted on a single IP also indicate that one attacker might have control of these servers.

The use of public NTP servers to check the time is a relatively new capability. It counters the clock manipulation (fast-forwarding the local system time to skip sleep loops) that many dynamic malware analysis systems rely on.


MD5 Sums

7ce075e3063782f710d47c77ddfa1261
11f61c60ce548e2148c2f7a2e5f7103c
e8a94f1df66587abd7c91bfcbe5af5d5
fdef7dd0b7cece42042a7baca3859e41
b7d63dcb586ec9a54a91379990dcd804
7123a117c44e8c454f482b675544d1a9
5ea867f5f7c24e0939013faf3ed78535
0131d46686c66e6a4c8d89c3aa03534c
b0bce8bd66a005eff775099563232e64
e0bc0503ccc831c07d6cc4c394b5a409
29ef765145f6dd76cec5cc89c75b44de
a6fd6661c6ac950263ba9a3d4fc55354
19f14a5d5610e51f4985444f3f0e59ed


Yara Rule

The following Yara rule can be used to find samples of the Rovnix downloader:

rule rovnix_downloader
{
    meta:
        author = "McAfee"
        description = "Rovnix downloader with sinkhole checks"

    strings:
        $sink1 = "control"
        $sink2 = "sink"
        $sink3 = "hole"
        $sink4 = "dynadot"
        $sink5 = "block"
        $sink6 = "malw"
        $sink7 = "anti"
        $sink8 = "googl"
        $sink9 = "hack"
        $sink10 = "trojan"
        $sink11 = "abuse"
        $sink12 = "virus"
        $sink13 = "black"
        $sink14 = "spam"
        $boot = "BOOTKIT_DLL.dll"
        $mz = { 4D 5A }

    condition:
        $mz in (0..2) and all of ($sink*) and $boot
}


Acknowledgements

Thanks to Christiaan Beek, Jonathan Chang, and Sanchit Karve for contributing to this post.


The post Rovnix Downloader Updated with SinkHole and Time Checks appeared first on McAfee Blogs.
