Overview
Within the past few weeks there has been an uptick in malicious email spam that attempts to look like a vulnerability alert/patch from Microsoft support. The email claims that to patch the vulnerability you simply run the Visual Basic script attached to the email. In actuality the .vbs attachment is a backdoor with some simple capabilities.
The Email
Figure: The subject line and attachment.
Figure: What the email body looks like.
The Attachment
File: microsoft.vbs
Size: 48547
MD5: C6B53FC46427527A0739E6B6443EF72D
https://www.virustotal.com/en/file/5ea2b4b1b66dbc6eb6132e79e74144afd8bbf5f151cb15acbab85071feccdee5/analysis/
Symantec Trojan.Webkit!html
TrendMicro-HouseCall TROJ_GEN.F47V0913
Avast VBS:Agent-AUI [Trj]
Kaspersky Worm.VBS.Dinihou.a
Sophos VBS/Dunihou-A
Microsoft Worm:VBS/Dunihi.W
AVG ASP/BackDoor
The script contains one large variable holding 'obfuscated' data, which is deobfuscated and executed by the short script shown below it.
Figure: Obfuscated body of code.
Figure: Script that deobfuscates and executes.
Figure: Base64 characters.
The script is run with WScript.exe (Windows Script Host).
It copies itself to %temp%, which in my case falls under the directory shown below.
It also maintains persistence via registry keys.
Figure: Code that modifies registry settings.
...and once the keys have been modified:
Figure: After the registry is modified.
C2 Stuff
The next thing to look at is communication with the C2, which is set in the config section of the script. gerssy.zapto.org resolves to 109.169.70.108.
The script has a few different C2 command-driven capabilities: execute, update, uninstall, send.
Figure: Command capabilities.
A few minutes into the infection a payload comes across.
File: sw.bin
Size: 33280
MD5: 531A35DC20B006886CBBA8423628CE4C
Compiled Date: Sep 12 21:23:48 2013 (Thu)
https://www.virustotal.com/en/file/91ff8ad36d52c0b761687235d5a12dea8cb0cf394d92d3d0e603c9853016fb3c/analysis/
Another payload also comes across shortly after that.
File: 22.exe
Size: 54899
MD5: 50763E8C1FC3929F98CD1316E904C4FA
Compiled Date: Sep 7 14:16:48 2013 (Sat)
https://www.virustotal.com/en/file/9d8d6a577a035e8ff854d54451fd17d997c33c6b1c71bec27d4ed87dff7c1846/analysis/
Next, presumably the additional payloads that were downloaded begin exfiltrating what appear to be thumbnail screenshots of my analysis machine.
Figure: Network capture showing outbound packet with embedded jpg file.
And here is the actual image that was sent out to the C2:
Figure: Actual jpg sent outbound.
Here is that screenshot decoded. Obviously the bad guys saw me watching them and capturing the network traffic. No biggie.
The streaming of screenshots continued outbound to the C2 for 10 or so minutes before it stopped. The beacons to the C2 continued, however, until I finally shut off my analysis machine.
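To pull those screenshots out of a capture without clicking through packets one at a time, here is an added example (not from the original post) that carves JPEGs out of the reassembled outbound stream. It assumes `stream` holds the raw bytes of the outbound TCP payload (e.g. Wireshark "Follow TCP Stream" saved as raw); the sample bytes in the block are constructed, not real capture data.

```python
"""Carve JPEG screenshots out of a captured outbound C2 stream (added example)."""
import hashlib
import os

JPEG_SOI = b"\xff\xd8\xff"   # start of image, always followed by the first marker byte
JPEG_EOI = b"\xff\xd9"       # end of image


def carve_jpegs(stream: bytes):
    """Return [(offset, jpeg_bytes)] for every complete JPEG found in `stream`.

    Caveat: the first EOI after an SOI is taken as the image end, so a JPEG that
    embeds another JPEG (an EXIF thumbnail) would be cut short. Screenshot streams
    from RATs are normally plain JFIF with no nesting, so this is fine for triage;
    open the carved files in a real decoder to confirm.
    """
    images = []
    pos = 0
    while True:
        start = stream.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = stream.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break             # SOI without EOI: image truncated by the end of the capture
        end += len(JPEG_EOI)
        images.append((start, stream[start:end]))
        pos = end
    return images


def save_carved(images, outdir="."):
    """Write each carved image as <sha256>.jpg in outdir; return the list of hashes."""
    digests = []
    for _, data in images:
        digest = hashlib.sha256(data).hexdigest()
        with open(os.path.join(outdir, digest + ".jpg"), "wb") as fh:
            fh.write(data)
        digests.append(digest)
    return digests


# Constructed sample stream: two complete images plus one truncated at the end.
FAKE_JPEG_1 = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x11" * 20 + b"\xff\xd9"
FAKE_JPEG_2 = b"\xff\xd8\xff\xdb\x00\x43\x00" + b"\x22" * 40 + b"\xff\xd9"
SAMPLE_STREAM = (b"CONSTRUCTED-C2-HEADER|" + FAKE_JPEG_1 + b"|next|" + FAKE_JPEG_2
                 + b"|tail|" + b"\xff\xd8\xff\xe0" + b"\x33" * 10)

if __name__ == "__main__":
    for offset, data in carve_jpegs(SAMPLE_STREAM):
        print(f"JPEG at offset {offset}, {len(data)} bytes")
```

The truncated trailing image is reported as missing rather than written out, which is what you want when the capture stopped mid-transfer.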
The malware is pretty cool, and I know other groups have taken really deep looks into it. Regardless, I'll still keep checking it out. Here are some references:
http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf
http://contagioexchange.blogspot.com/2013/08/njrat-backdoorlv-strings-apt.html
http://www.fireeye.com/blog/technical/botnet-activities-research/2012/09/the-story-behind-backdoorlv.html
Let me know if there are any errors in my analysis or if I misidentified this as njRAT.