Monday, September 16, 2013

Fake Microsoft Support phishing email - NJw0rm

Overview

Within the past few weeks there has been an uptick in malicious email spam that attempts to look like a vulnerability alert/patch from Microsoft support. The email claims that to patch the vulnerability you simply run the Visual Basic script attached to the email. In actuality the .vbs attachment is a backdoor with some simple capabilities.

The Email


The subject line and attachment.

What the email body looks like

The Attachment

File: microsoft.vbs
Size: 48547
MD5:  C6B53FC46427527A0739E6B6443EF72D
https://www.virustotal.com/en/file/5ea2b4b1b66dbc6eb6132e79e74144afd8bbf5f151cb15acbab85071feccdee5/analysis/

Symantec               Trojan.Webkit!html
TrendMicro-HouseCall   TROJ_GEN.F47V0913
Avast                  VBS:Agent-AUI [Trj]
Kaspersky              Worm.VBS.Dinihou.a
Sophos                 VBS/Dunihou-A
Microsoft              Worm:VBS/Dunihi.W
AVG                    ASP/BackDoor



The script contains one large variable holding 'obfuscated' data, which is deobfuscated and executed by the script shown below.

Obfuscated body of code

Script that deobfuscates and executes
As shown above, the large body of text, variable 'ABC', is split into an array delimited by the '-' character. The array elements are base64-encoded chunks.

Base64 characters
Essentially, the remainder of the plain-text script in the initial .vbs attachment just decodes and executes (reads) the array of base64 chunks. Since the data is only base64 encoded, it's a quick task to decode it and obtain the crux of the VBScript payload.
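To show that decoding step in practice, here is an added Python helper (not from the original post, and not code from the malware) that statically recovers the payload from a script of this shape without executing it. It assumes the variable is literally named ABC and that each '-'-delimited element is a standard base64 chunk; the embedded sample script is constructed for the demonstration and is not the real attachment.

```python
import base64
import re
import sys

# Constructed stand-in mimicking the layout described above: one large
# variable 'ABC' holding '-'-delimited base64 chunks. The payload text is
# made up; it is not the content of the real microsoft.vbs.
SAMPLE_VBS = (
    'ABC = "' + "-".join(
        base64.b64encode(p).decode()
        for p in [b'Set ws = CreateObject("WScript.Shell")\r\n',
                  b"' stage two would go here\r\n"]
    ) + '"\r\n'
    'Execute Join(decode(Split(ABC, "-")), "")\r\n'
)

# Assumption: the obfuscated blob is assigned to a variable named ABC.
ABC_RE = re.compile(r'ABC\s*=\s*"([^"]*)"', re.IGNORECASE)

def extract_chunks(vbs_text):
    """Return the '-'-delimited chunks of the ABC string, or [] if absent."""
    m = ABC_RE.search(vbs_text)
    if not m:
        return []
    return [c for c in m.group(1).split("-") if c]

def decode_chunks(chunks):
    """Base64-decode each chunk; pads missing '=' and records bad chunks."""
    out, bad = [], []
    for i, c in enumerate(chunks):
        padded = c + "=" * (-len(c) % 4)
        try:
            out.append(base64.b64decode(padded, validate=True))
        except ValueError:          # binascii.Error is a ValueError
            bad.append(i)
    return b"".join(out), bad

def deobfuscate(vbs_text):
    """Static deobfuscation: recover the payload text, never run it."""
    payload, bad = decode_chunks(extract_chunks(vbs_text))
    return payload.decode("latin-1"), bad

if __name__ == "__main__":
    src = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_VBS
    payload, bad = deobfuscate(src)
    print(payload)
    if bad:
        print("undecodable chunk indexes:", bad, file=sys.stderr)
```

Run it with the path to a suspect .vbs as the first argument; chunks that are not valid base64 are reported by index rather than silently dropped, so a variant that mixes in junk separators is visible.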




The script is run with WScript.exe (Windows based script host)

It copies the script to %temp%, which in my case falls under this directory:

It also maintains persistence via registry keys
Code that modifies registry setting

...and once the keys have been modified:
After registry is modified



C2 Stuff

The next thing to look at is communication with the C2, which is set in the config section of the script.

gerssy.zapto.org resolves to 109.169.70.108


The script has a few different C2 command-driven capabilities: execute, update, uninstall, send.



command capabilities
After my analysis machine was infected, a series of beacons was observed outbound to the C2 domain. It's apparent the beacons are meant to notify the C2 that my system is infected and ready for commands/actions.


A few minutes into the infection, a payload comes across:

File: sw.bin
Size: 33280
MD5:  531A35DC20B006886CBBA8423628CE4C
Compiled Date: Sep 12 21:23:48 2013 (Thu)

https://www.virustotal.com/en/file/91ff8ad36d52c0b761687235d5a12dea8cb0cf394d92d3d0e603c9853016fb3c/analysis/


Another payload also comes across shortly after that:

File: 22.exe
Size: 54899
MD5:  50763E8C1FC3929F98CD1316E904C4FA
Compiled Date: Sep 7 14:16:48 2013 (Sat)
https://www.virustotal.com/en/file/9d8d6a577a035e8ff854d54451fd17d997c33c6b1c71bec27d4ed87dff7c1846/analysis/




Next, the additional payloads that were downloaded presumably begin exfiltrating what appear to be thumbnail screenshots of my analysis machine.

Network capture showing outbound packet with embedded jpg file

And here is the actual image that was sent out to the C2:
Actual jpg sent outbound
Then the malware began to exfil screenshots of my system from top to bottom, three sections at a time (I guess due to the resolution I was running). The images are base64 encoded across the wire. I think the first circled field is their remote desktop window identifier, the blocked-out field is my IP, the other field is the resolution of my analysis system, and the final field might be how many vertical pixels the screenshot contains, i.e. 0-390. Not entirely sure about that, though.


Here is that screenshot decoded. Obviously the bad guys saw me watching them and capturing the network traffic. No biggie.


The streaming of screenshots continued outbound to the C2 for 10 or so minutes before it stopped. The beacons to the C2 continued, however, until I finally shut off my analysis machine.

The malware is pretty cool, and I know other groups have taken really deep looks into it. Regardless, I'll still keep checking it out. Here are some references:

http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf

http://contagioexchange.blogspot.com/2013/08/njrat-backdoorlv-strings-apt.html

http://www.fireeye.com/blog/technical/botnet-activities-research/2012/09/the-story-behind-backdoorlv.html

Let me know if there are any errors in my analysis or if I misidentified this as Njrat.