Monday, September 16, 2013

Fake Microsoft Support phishing email - NJw0rm

Overview

Within the past few weeks there has been an uptick in malicious spam email that attempts to look like a vulnerability alert and patch from Microsoft Support. The email claims that to patch the vulnerability you simply run the Visual Basic script attached to the email. In actuality the .vbs attachment is a backdoor with some simple capabilities.

The Email


The subject line and attachment.

What the email body looks like

The Attachment

File: microsoft.vbs
Size: 48547
MD5:  C6B53FC46427527A0739E6B6443EF72D
https://www.virustotal.com/en/file/5ea2b4b1b66dbc6eb6132e79e74144afd8bbf5f151cb15acbab85071feccdee5/analysis/

Symantec             Trojan.Webkit!html
TrendMicro-HouseCall TROJ_GEN.F47V0913
Avast                VBS:Agent-AUI [Trj]
Kaspersky            Worm.VBS.Dinihou.a
Sophos               VBS/Dunihou-A
Microsoft            Worm:VBS/Dunihi.W
AVG                  ASP/BackDoor



The script contains one large variable holding 'obfuscated' data, which is deobfuscated and executed by the script below.

Obfuscated body of code

Script that deobfuscates and executes
As shown above, the large body of text, variable 'ABC', is split into an array delimited by the '-' character. The elements of the array are base64 encoded text.

Base64 characters
Essentially the remainder of the plain-text script in the initial .vbs attachment just decodes and executes the array of base64 elements. Since the data is only base64 encoded, it's a quick task to decode it and obtain the crux of the VBScript payload.
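Here is an added example of that quick task, written for this post rather than taken from the sample: a small Python decoder that pulls the 'ABC' string literal out of a dropper, splits it on '-' and base64-decodes each element. The variable name comes from the post; the exact quoting and layout of the real attachment, and the benign second stage used as input, are constructed assumptions. '-' works as a delimiter because it is not part of the base64 alphabet.

```python
import base64
import re

# The dropper keeps its second stage in one huge string literal of
# '-'-separated, base64 encoded chunks. The variable name 'ABC' is from the
# post; the quoting/layout of the real sample is assumed here. '-' is never
# part of base64 output (A-Z a-z 0-9 + / =), so splitting on it is safe.
ARRAY_RE = re.compile(r'\bABC\s*=\s*"([^"]*)"', re.IGNORECASE)


def obfuscate(script: str, chunk: int = 7) -> str:
    """Mimic the stage-1 layout: split the payload into chunks, base64 each
    one and join with '-'. Used only to construct the sample input below."""
    parts = [script[i:i + chunk] for i in range(0, len(script), chunk)]
    return "-".join(base64.b64encode(p.encode("latin-1")).decode("ascii")
                    for p in parts)


def decode_blob(blob: str) -> str:
    """Reverse the scheme: split on '-', base64-decode each element, concatenate."""
    out = bytearray()
    for element in blob.split("-"):
        element = element.strip()
        if not element:
            continue
        element += "=" * (-len(element) % 4)      # restore stripped padding
        out += base64.b64decode(element)
    return out.decode("latin-1")


def extract_payload(vbs_source: str) -> str:
    """Locate the ABC assignment in a dropper and return the decoded stage two."""
    match = ARRAY_RE.search(vbs_source)
    if match is None:
        raise ValueError('no ABC = "..." assignment found')
    return decode_blob(match.group(1))


# Constructed, benign stand-in for the second stage (not the real malware).
SECOND_STAGE = 'host = "example.invalid"\r\nport = 1177\r\nMsgBox "stage two"\r\n'

# Constructed dropper with the layout the post describes.
SAMPLE_VBS = (
    "Dim ABC\r\n"
    'ABC = "' + obfuscate(SECOND_STAGE) + '"\r\n'
    "' the decode loop and the Execute call would follow here\r\n"
)

if __name__ == "__main__":
    print(extract_payload(SAMPLE_VBS))
```

Run it against a real dropper by reading the .vbs into a string and calling extract_payload; if the regex misses, the author of the dropper renamed the variable or changed the quoting, and only ARRAY_RE needs adjusting.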




The script is run with WScript.exe (Windows Script Host)

It copies the script to %temp% which in my case falls under this directory

It also maintains persistence via registry keys
Code that modifies registry setting

 ...and once the keys have been modified
After registry is modified



C2 Stuff

The next thing to look at is communication with the C2, which is set in the config section of the script

gerssy.zapto.org resolves to 109.169.70.108


The script has a few different C2 command-driven capabilities: execute, update, uninstall, send



command capabilities
After infecting my analysis machine, I observed a series of beacons outbound to the C2 domain. The beacons apparently notify the C2 that the system is infected and ready for commands/actions.


A few minutes into the infection a payload comes across

File: sw.bin
Size: 33280
MD5:  531A35DC20B006886CBBA8423628CE4C
Compiled Date: Sep 12 21:23:48 2013 (Thu)

https://www.virustotal.com/en/file/91ff8ad36d52c0b761687235d5a12dea8cb0cf394d92d3d0e603c9853016fb3c/analysis/


Another payload also comes across shortly after that

File: 22.exe
Size: 54899
MD5:  50763E8C1FC3929F98CD1316E904C4FA
Compiled Date: Sep 7 14:16:48 2013 (Sat)
https://www.virustotal.com/en/file/9d8d6a577a035e8ff854d54451fd17d997c33c6b1c71bec27d4ed87dff7c1846/analysis/




Next, the additional payloads that were downloaded presumably begin exfiltrating what appear to be thumbnail screenshots of my analysis machine

Network capture showing outbound packet with embedded jpg file

And here is the actual image that was sent out to the C2
Actual jpg sent outbound
Then the malware began to exfiltrate screenshots of my system from top to bottom, three sections at a time (I guess due to the resolution I was running). The images are base64 encoded across the wire. I think the first circled field is their remote desktop window identifier, the blocked-out field is my IP, the next field is the resolution of my analysis system, and the final field might be how many vertical pixels the screenshot contains, i.e. 0-390. Not entirely sure about that though.
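Since the images travel base64 encoded, they can be carved straight out of the TCP payload without knowing the beacon's field layout. The following is an added example (not the author's tooling): it finds long base64 runs in a payload, decodes the ones that turn out to be JPEGs, and walks the JPEG marker segments to read the real height and width, which is how the "0-390" guess above could be checked against the image itself. The header fields and the minimal JPEG in the sample payload are constructed; the real beacon format is not reproduced.

```python
import base64
import binascii
import re

# A long run of base64 text is the likeliest place for an embedded file.
# The field separator the real beacon uses is not reproduced here, so we
# do not depend on it: every sufficiently long base64 run is tried.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image: the first bytes of any JPEG
JPEG_EOI = b"\xff\xd9"       # End Of Image


def carve_base64_jpegs(payload: bytes) -> list:
    """Return every JPEG found base64 encoded inside a raw TCP payload."""
    images = []
    for match in B64_RUN.finditer(payload):
        run = match.group(0)
        run += b"=" * (-len(run) % 4)          # tolerate stripped padding
        try:
            blob = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue
        if blob.startswith(JPEG_SOI) and blob.endswith(JPEG_EOI):
            images.append(blob)
    return images


def jpeg_dimensions(blob: bytes):
    """Walk the marker segments to the SOF (start of frame) and read the
    image height and width, so the capture can be compared with the
    resolution / row-range fields seen in the beacon."""
    i = 2                                        # skip SOI
    while i + 4 <= len(blob):
        if blob[i] != 0xFF:
            raise ValueError("marker expected at offset %d" % i)
        marker = blob[i + 1]
        if marker == 0xD9:                       # EOI without a frame header
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            i += 2                               # standalone markers carry no length
            continue
        seg_len = int.from_bytes(blob[i + 2:i + 4], "big")
        # SOF0..SOF15 are 0xC0..0xCF, except DHT (C4), JPG (C8) and DAC (CC).
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            height = int.from_bytes(blob[i + 5:i + 7], "big")
            width = int.from_bytes(blob[i + 7:i + 9], "big")
            return width, height
        i += 2 + seg_len
    raise ValueError("no SOF marker found")


def _fake_jpeg(width: int, height: int) -> bytes:
    """Constructed minimal JPEG (SOI, a COM filler segment, SOF0, EOI): enough
    structure for the parser above, not a viewable image."""
    comment = b"constructed sample" * 4
    com = b"\xff\xfe" + (len(comment) + 2).to_bytes(2, "big") + comment
    sof0 = (b"\xff\xc0" + (17).to_bytes(2, "big") + b"\x08"
            + height.to_bytes(2, "big") + width.to_bytes(2, "big")
            + b"\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01")
    return b"\xff\xd8" + com + sof0 + JPEG_EOI


# Constructed payload: made-up header fields, then the base64 image. Only
# the fact that the image is base64 encoded is taken from the capture.
SAMPLE_PAYLOAD = (b"win=7|10.0.0.5|1280x1024|0-390|"
                  + base64.b64encode(_fake_jpeg(1280, 390)) + b"\r\n")

if __name__ == "__main__":
    for img in carve_base64_jpegs(SAMPLE_PAYLOAD):
        print(len(img), "bytes", jpeg_dimensions(img))
```

Feed it the reassembled TCP stream from the pcap (for example the raw bytes of a Wireshark "Follow TCP Stream" export) and write each returned blob to a .jpg file; a base64 run that immediately abuts other alphanumeric text will fail the JPEG check and be skipped rather than produce garbage.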


Here is that screenshot decoded. Obviously the bad guys saw me watching them and capturing the network traffic. No biggie.


The streaming of screenshots continued outbound to the C2 for 10 or so minutes before it stopped. The beacons to the C2 continued, however, until I finally shut off my analysis machine.

The malware is pretty cool, and I know other groups have taken really deep looks into it. Regardless, I'll still keep checking it out. Here are some references:

http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf

http://contagioexchange.blogspot.com/2013/08/njrat-backdoorlv-strings-apt.html

http://www.fireeye.com/blog/technical/botnet-activities-research/2012/09/the-story-behind-backdoorlv.html

Let me know if there are any errors in my analysis or if I misidentified this as njRAT.

Tuesday, December 4, 2012

FedEx Phishing - FakeAV

The Email

Lots of people have been getting emails claiming you have a package from FedEx, and that in order to retrieve the package you must check the invoice. Below is an example of the email:

If you fell for the email and clicked the link to retrieve the postal receipt, the page directs you to a zip archive called 'Postal-Receipt.zip' which contains the malicious executable.


Some of the domains linked to in the Emails are

quitcigarettes4good[.]com
174.132.99.162

karthikimpex[.]com
174.121.37.123

mailguardian.com[.]au
175.45.134.28

lifestyle.bplaced[.]net
176.9.52.229

exodionline[.]com
64.37.52.84

edostatenationalassociationofireland[.]com
46.252.207.1




The Attachment

File: Postal-Receipt.zip
Size: 31398
MD5:  DCEFC82EF60639AA821378D4BDC58EFC
FileType: Zip file
https://www.virustotal.com/file/2e3cc6664ef47521e4fb944013af388a91685a395021933eb381f8c3714a339b/analysis/


Here's what the exe in the zip archive looks like once extracted. Clearly not a Word document.

File: Postal-Receipt.exe
Size: 53248
MD5:  6B02ED78EF103CAE39D6FBBD13EF1AFD
Compiled Date: Sat, Dec 1 2012, 21:42:32  - 32 Bit
https://www.virustotal.com/file/a351d4e5cbbd1829aa46d4666309bfd0b11068e5c8815892723a11edac74afd7/analysis/
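The point of the icon trick is that the file name and icon say "document" while the bytes say "PE". Here is an added example, not the author's code, of the check a mail gateway or analyst should run on such a zip: every member is classified by content (MZ header, e_lfanew, "PE\0\0" signature) rather than by extension, so a PE named Postal-Receipt.pdf is caught as well as Postal-Receipt.exe. The zip and the PE stubs inside it are constructed in memory; only the file name Postal-Receipt.exe comes from the post.

```python
import io
import struct
import zipfile

EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".dll"}
MAX_HEADER_SCAN = 0x1000          # e_lfanew beyond this is treated as not a PE


def looks_like_pe(stream) -> bool:
    """True if the stream starts with an MZ header whose e_lfanew points at a
    'PE\\0\\0' signature, regardless of what the file is called."""
    head = stream.read(0x40)                      # DOS header is 64 bytes
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    if e_lfanew > MAX_HEADER_SCAN:
        return False
    rest = stream.read(max(0, e_lfanew + 4 - len(head)))
    data = head + rest
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_zip(zip_bytes: bytes) -> list:
    """Classify every member of an attachment zip by content, not extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            suffix = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            with zf.open(info) as member:
                is_pe = looks_like_pe(member)
            findings.append({
                "name": name,
                "is_pe": is_pe,
                # any executable in a "receipt" zip is suspicious whatever it
                # is called; a PE behind a document suffix is doubly so
                "suspicious": is_pe or suffix in EXEC_SUFFIXES,
                "disguised": is_pe and suffix not in EXEC_SUFFIXES,
            })
    return findings


def _fake_pe() -> bytes:
    """Constructed PE stub: MZ, e_lfanew = 0x80, 'PE\\0\\0' at 0x80. Not runnable."""
    stub = bytearray(0x84)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)
    stub[0x80:0x84] = b"PE\x00\x00"
    return bytes(stub)


def build_sample_zip() -> bytes:
    """Constructed stand-in for Postal-Receipt.zip with three members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Postal-Receipt.exe", _fake_pe())   # name from the post
        zf.writestr("Postal-Receipt.pdf", _fake_pe())   # constructed: PE hiding behind .pdf
        zf.writestr("readme.txt", b"constructed plain text member\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

Only the first 64 bytes plus the bytes up to the PE signature are read from each member, so the check is cheap and does not inflate a large or hostile member into memory.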

Post Infection

A quick screenshot depicting what the callbacks look like across the wire. The parameter is just a long series of hex, which likely initiates the download of the next payload, since the attachment is probably just the dropper.

Observed beacons to the following:

140.135.66.217:8080
211.172.112.7:8080
82.113.204.228:8080
59.126.131.132:8080
59.25.189.234:8080
61.222.241.208:8080

81.93.248.152
103.4.225.41
5.104.106.56 - forserer1.tk


UPDATE

So it's definitely VM-aware, but I sandboxed it and got the stage 2 payload. It's a FakeAV campaign.

File: update.exe
Size: 573440
MD5:  24AF8A9423DC3A89E6D816C4DA3DAE95
Compiled Date: Dec 4 19:34:01 2012 (Tue)
https://www.virustotal.com/file/069d3e48010d6ef93f14c3d5e52ca2649c48fcc983f92be8236459324a69ef59/analysis/1354672077/

Stage 2 Domains/IPs
 
gilbillingpay.com - serves the FakeAv license page
178.162.170.132 

Some screenshots

That's the initial stuff anyways... I'll get more info later. Plus, since it appears to be a huge campaign, there will probably be dozens of other people providing some of the same info and more...




Thursday, August 30, 2012

Grooveshark Malvertisements





Grooveshark

Edit: I was able to get the full exploit code, but as with any exploit kit it's obfuscated to hell and back. So I have to deobfuscate it first.
A bunch of people use Grooveshark to listen to music. While this isn't the first time Grooveshark has served malvertisements, it's worth posting anyway. I wasn't able to get the malicious ad syndication to bounce me to the exploit page first-hand, and the pcap data I have doesn't contain the exploits or malware, unfortunately.



The Malvertisement

If you're unfortunate enough to be served a malicious advertisement, scripts execute in the background, unbeknownst to you, that can redirect, enumerate, exploit and infect. This malvertisement starts with a 302 redirect.


Next you'll get bounced to a body of obfuscated code that inserts a script on the page


When formatted, it's easier to see what the script is doing. It's essentially using your user-agent string to decode the obfuscated script.


I had to hard-code the user-agent into the script and remove some of the unnecessary HTML DOM stuff to get the iframe it creates.


Continuation...

I was able to get the malvertisement on my VM, so I have the exploit code. The next request takes you to a page with an embedded 'loading' gif and another iframe redirecting to the actual exploit code. Interestingly, it also 'onbeforeunload's you to a Russian dating site. Maybe they own it and want some additional hits for monetary gain?



 
Here is a quick snippet of the exploit page code. It's obfuscated obviously. It's ugly. Even when formatted it's ugly.


Actually, when formatted it isn't so bad. It's just a bunch of <pre> tags that hold the obfuscated code. Then, as exploit kits normally do, there is a small block of JavaScript that deobfuscates and eval()s the whole thing. Below you can see the body of the script. You can also see an applet at the very bottom - Set.jar. I was able to retrieve that Java archive. A lot of AV vendors detect it.
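Because the layout is so regular (data in <pre> tags, a loader that eval()s, an applet at the bottom), the first pass over a saved landing page can be automated. Below is an added example of that triage, not the author's code and not the kit's: it collects the <pre> blobs in document order (the same order the loader's getElementsByTagName walk sees them), counts scripts that call eval(, lists every <applet> with its archive and params, and rewrites eval( to a capture hook so the decoded stage can be dumped instead of run when the loader is replayed in a sandboxed JS engine. The sample page is constructed; only the archive name Set.jar comes from the post, and the decode routine itself is deliberately not reproduced.

```python
import re
from html.parser import HTMLParser

EVAL_RE = re.compile(r"\beval\s*\(")


class ExploitPageTriage(HTMLParser):
    """Collects what matters on a landing page of this shape: the <pre> blobs
    in document order (the kit's decoder reads them the same way), every
    inline <script>, and any <applet> with its archive and params."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.pre_blobs = []
        self.scripts = []
        self.applets = []
        self._capture = None      # "pre", "script" or None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("pre", "script"):
            self._capture, self._buf = tag, []
        elif tag == "applet":
            self.applets.append({"archive": a.get("archive"),
                                 "code": a.get("code"), "params": {}})
        elif tag == "param" and self.applets:
            self.applets[-1]["params"][a.get("name")] = a.get("value")

    def handle_data(self, data):
        if self._capture:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == self._capture:
            text = "".join(self._buf)
            (self.pre_blobs if tag == "pre" else self.scripts).append(text)
            self._capture = None


def triage(html: str) -> dict:
    """Summarise a saved landing page: how much <pre> data it carries, how
    many scripts eval() something, and which applets it loads."""
    p = ExploitPageTriage()
    p.feed(html)
    p.close()
    return {
        "pre_count": len(p.pre_blobs),
        "pre_total_chars": sum(len(b) for b in p.pre_blobs),
        "eval_scripts": sum(1 for s in p.scripts if EVAL_RE.search(s)),
        "applets": p.applets,
        "pre_blobs": p.pre_blobs,
    }


def defang_eval(script: str, sink: str = "__dumped") -> str:
    """Rewrite eval( to a hook so a replay of the loader hands the decoded
    stage to the hook (which the analyst defines to print/save it) instead
    of executing it."""
    return EVAL_RE.sub(sink + "(", script)


# Constructed landing page with the shape described above. The pre contents
# are filler, and decode() stands in for the kit's real routine.
SAMPLE_HTML = """<html><body>
<pre>4f2b7c constructed garbage one 9a01ee</pre>
<pre>d3e0aa constructed garbage two 77c1b0</pre>
<script>
var q=document.getElementsByTagName("pre"),s="";
for(var i=0;q.length>i;i++){s+=q[i].innerHTML;}
eval(decode(s));
</script>
<applet archive="Set.jar" code="Set.class" width="1" height="1">
<param name="val" value="constructed">
</applet>
</body></html>"""

if __name__ == "__main__":
    report = triage(SAMPLE_HTML)
    print(report["pre_count"], "pre blobs,", report["pre_total_chars"], "chars")
    print("scripts calling eval():", report["eval_scripts"])
    print("applets:", report["applets"])
```

Point triage() at the saved HTML, then take the loader script, run it through defang_eval(), define __dumped to write its argument to disk, and replay it in a JS engine with a stubbed document object; the archive and param values from the applet tell you what to pull next from the server.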



File: Set.jar
Size: 19713
MD5:  5F21D6629648633B42119AB73680C1D6

https://www.virustotal.com/file/8699be5447dd8ba5e530dac02310ac34fd6134d955dbf666804ec804bae3a170/analysis/


Still not done yet though... It's just Blackhole, but it might be one of the new versions equipped with that Java 0-day. It doesn't seem that way so far...


 
Summary
That's all I was able to entice their server to give me. All my other attempts got HTTP 500s. I may still be able to get the exploits/malware if I get lucky and get served a malvertisement in my VMs.