Showing posts with label phishing. Show all posts

Monday, September 16, 2013

Fake Microsoft Support phishing email - NJw0rm

Overview

Within the past few weeks there has been an uptick in malicious email spam that attempts to look like a vulnerability alert/patch from Microsoft support. The email claims that to patch the vulnerability you simply run the Visual Basic script attached to the email. In actuality, the .vbs attachment is a backdoor with some simple capabilities.

The Email


[Screenshot: the subject line and attachment]

[Screenshot: the email body]

The Attachment

File: microsoft.vbs
Size: 48547
MD5:  C6B53FC46427527A0739E6B6443EF72D
https://www.virustotal.com/en/file/5ea2b4b1b66dbc6eb6132e79e74144afd8bbf5f151cb15acbab85071feccdee5/analysis/

Symantec              Trojan.Webkit!html
TrendMicro-HouseCall  TROJ_GEN.F47V0913
Avast                 VBS:Agent-AUI [Trj]
Kaspersky             Worm.VBS.Dinihou.a
Sophos                VBS/Dunihou-A
Microsoft             Worm:VBS/Dunihi.W
AVG                   ASP/BackDoor



The script contains one large variable holding 'obfuscated' data, which is deobfuscated and executed by the short script below it.

[Screenshot: obfuscated body of code]

[Screenshot: script that deobfuscates and executes]

As shown above, the large body of text in the variable 'ABC' is split into an array delimited by the '-' character. Each element of the array is a base64-encoded string.

[Screenshot: base64 elements of the array]

Essentially, the remainder of the plain-text script in the initial .vbs attachment just decodes and executes the array of base64 strings. Since the elements are only base64 encoded, it's a quick task to decode them and obtain the crux of the VBScript payload.




The script is run with WScript.exe (the Windows Script Host).

It copies the script to %temp% which in my case falls under this directory

It also maintains persistence via registry keys.

[Screenshot: code that modifies the registry setting]

...and once the keys have been modified:

[Screenshot: the registry after modification]
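A defender-side check for the persistence pattern described above, added here as a Python example that is not from the original post. The post does not name the registry keys it observed, so the standard Run/RunOnce autostart keys are an assumption, as is the shape of the sample entries; the heuristics (WScript.exe as the launcher, a script file under %temp%) follow the post's description.

```python
import re
import sys

# Assumed autostart locations; the post does not name the keys it saw.
RUN_KEY_PATHS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
]

# Heuristics drawn from the post: launched by the script host, and the
# script copies itself to %temp% before adding its autostart entry.
SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b", re.I)
SCRIPT_FILE = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.I)
TEMP_DIR = re.compile(r"(%temp%|\\temp\\|\\appdata\\local\\temp\\)", re.I)


def score_run_entry(value):
    """Return the reasons an autostart command line looks like script
    persistence (empty list means nothing suspicious)."""
    reasons = []
    if SCRIPT_HOST.search(value):
        reasons.append("launched via Windows Script Host")
    if SCRIPT_FILE.search(value):
        reasons.append("script file as autostart target")
    if TEMP_DIR.search(value):
        reasons.append("target lives under a temp directory")
    return reasons


def collect_run_entries():
    """Enumerate Run/RunOnce values on Windows; returns [(hive, name, value)].
    Returns an empty list on other platforms so the logic can be exercised
    with constructed entries."""
    if not sys.platform.startswith("win"):
        return []
    import winreg
    entries = []
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                            ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        for path in RUN_KEY_PATHS:
            try:
                key = winreg.OpenKey(hive, path)
            except OSError:
                continue
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break  # no more values under this key
                entries.append((hive_name, name, str(data)))
                i += 1
    return entries


def find_suspicious(entries):
    """Keep only entries with at least one reason, attaching the reasons."""
    return [(h, n, v, score_run_entry(v)) for h, n, v in entries
            if score_run_entry(v)]


# Constructed sample entries (not taken from the post's screenshots).
SAMPLE_ENTRIES = [
    ("HKCU", "OneDrive",
     r'"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU", "microsoft",
     r'wscript.exe //B "C:\Users\analyst\AppData\Local\Temp\microsoft.vbs"'),
    ("HKLM", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    entries = collect_run_entries() or SAMPLE_ENTRIES
    for hive, name, value, reasons in find_suspicious(entries):
        print(f"[{hive}] {name}: {value}\n    " + "; ".join(reasons))
```

On a live Windows host the script reads the real keys; elsewhere it falls back to the constructed entries so the scoring can be reviewed. Three reasons together (script host, script file, temp directory) is the combination the post describes; a single reason on its own is common for legitimate software and only merits a look.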



C2 Stuff

The next thing to look at is the communication with the C2, which is set in the config section of the script.

gerssy.zapto.org resolves to 109.169.70.108


The script has a few different C2 command-driven capabilities: execute, update, uninstall, send



[Screenshot: the command handling code]
Upon infecting my analysis machine, a series of beacons were observed outbound to the C2 domain. It's apparent the beacons are meant to notify the C2 that my system is infected and ready for commands/actions.


A few minutes into the infection a payload comes across

File: sw.bin
Size: 33280
MD5:  531A35DC20B006886CBBA8423628CE4C
Compiled Date: Sep 12 21:23:48 2013 (Thu)

https://www.virustotal.com/en/file/91ff8ad36d52c0b761687235d5a12dea8cb0cf394d92d3d0e603c9853016fb3c/analysis/


Another payload also comes across shortly after that

File: 22.exe
Size: 54899
MD5:  50763E8C1FC3929F98CD1316E904C4FA
Compiled Date: Sep 7 14:16:48 2013 (Sat)
https://www.virustotal.com/en/file/9d8d6a577a035e8ff854d54451fd17d997c33c6b1c71bec27d4ed87dff7c1846/analysis/




Next, presumably the additional payloads that were downloaded begin exfiltrating what appear to be thumbnail screenshots of my analysis machine.

[Screenshot: network capture showing an outbound packet with an embedded jpg file]

And here is the actual image that was sent out to the C2:

[Screenshot: the actual jpg sent outbound]

Then the malware began to exfil screenshots of my system from top to bottom, three sections at a time (I guess due to the resolution I was running). The images are base64 encoded across the wire. I think the first circled field is their remote desktop window identifier, the blocked-out field is my IP, the other field is the resolution of my analysis system, and the final field might be how many vertical pixels the screenshot contains, i.e. 0-390. Not entirely sure about that though.


Here is that screenshot decoded. Obviously the bad guys saw me watching them and capturing the network traffic. No biggie.


The streaming of screenshots continued outbound to the C2 for 10 or so minutes before it stopped. The beacons to the C2 continued, however, until I finally shut off my analysis machine.
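One way to pull those images back out of a capture, as an added Python example that is not from the original post: it scans each captured payload line for base64 runs, decodes them and keeps the ones that start with the JPEG magic bytes, returning the preceding fields as context. The sample lines are constructed to mimic the shape the post describes (a few metadata fields followed by a base64 image); the exact wire format of the real traffic is not known from the post and is not assumed here beyond "base64 somewhere in the line".

```python
import base64
import re

JPEG_MAGIC = b"\xff\xd8\xff"

# A minimal JPEG header plus end-of-image marker, enough to be recognised.
_tiny_jpeg = (JPEG_MAGIC
              + b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xd9")

# Constructed capture excerpts (not the post's real traffic).
SAMPLE_LINES = [
    "ready|203.0.113.7|1440x900",                      # beacon, no image
    "scr|203.0.113.7|1440x900|0-390|" + base64.b64encode(_tiny_jpeg).decode(),
    "scr|203.0.113.7|1440x900|390-780|"
    + base64.b64encode(b"not an image").decode(),      # base64, but not a JPEG
]

# A run of base64 alphabet characters long enough to be worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def carve_base64_images(lines, magic=JPEG_MAGIC):
    """Return [(line_no, offset, image_bytes, context)] for every base64 run
    that decodes to data starting with `magic`; context is the text before
    the blob with a trailing delimiter stripped."""
    found = []
    for ln, line in enumerate(lines, 1):
        for m in B64_RUN.finditer(line):
            token = m.group(0)
            token += "=" * (-len(token) % 4)   # tolerate stripped padding
            try:
                data = base64.b64decode(token, validate=True)
            except ValueError:                  # binascii.Error is a ValueError
                continue
            if data.startswith(magic):
                context = line[:m.start()].rstrip("|,; \t")
                found.append((ln, m.start(), data, context))
    return found


def save_images(found, prefix="carved"):
    """Write each carved image to disk; returns the file names written."""
    names = []
    for ln, off, data, _ in found:
        name = f"{prefix}_{ln}_{off}.jpg"
        with open(name, "wb") as fh:
            fh.write(data)
        names.append(name)
    return names


if __name__ == "__main__":
    for ln, off, data, context in carve_base64_images(SAMPLE_LINES):
        print(f"line {ln} offset {off}: {len(data)} byte JPEG, fields: {context}")
```

Matching on the decoded magic rather than on the base64 text avoids having to know how the sample frames its messages, and the same function carves PNG or BMP exfiltration by passing a different `magic` value.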

The malware is pretty cool, and I know other groups have taken really deep looks into it. Regardless, I'll still keep checking it out. Here are some references:

http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf

http://contagioexchange.blogspot.com/2013/08/njrat-backdoorlv-strings-apt.html

http://www.fireeye.com/blog/technical/botnet-activities-research/2012/09/the-story-behind-backdoorlv.html

Let me know if there are any errors in my analysis or if I misidentified this as Njrat

Tuesday, December 4, 2012

FedEx Phishing - FakeAV

The Email

Lots of people have been getting emails claiming that you have a package from FedEx and that, in order to retrieve the package, you must check the invoice. Below is an example of the email:

If you fell for the email and clicked the link to retrieve the postal receipt, the page directs you to a zip archive called 'Postal-Receipt.zip' which contains the malicious exe.


Some of the domains linked to in the emails are:

quitcigarettes4good[.]com
174.132.99.162

karthikimpex[.]com
174.121.37.123

mailguardian.com[.]au
175.45.134.28

lifestyle.bplaced[.]net
176.9.52.229

exodionline[.]com
64.37.52.84

edostatenationalassociationofireland[.]com
46.252.207.1




The Attachment


File: Postal-Receipt.zip
Size: 31398
MD5:  DCEFC82EF60639AA821378D4BDC58EFC
FileType: Zip file
https://www.virustotal.com/file/2e3cc6664ef47521e4fb944013af388a91685a395021933eb381f8c3714a339b/analysis/


Here's what the exe in the zip archive looks like once extracted. Clearly not a Word document.

File: Postal-Receipt.exe
Size: 53248
MD5:  6B02ED78EF103CAE39D6FBBD13EF1AFD
Compiled Date: Sat, Dec 1 2012, 21:42:32  - 32 Bit
https://www.virustotal.com/file/a351d4e5cbbd1829aa46d4666309bfd0b11068e5c8815892723a11edac74afd7/analysis/

Post Infection

A quick screenshot depicting what the callbacks look like across the wire. The parameter is just a long series of hex, which likely initiates the download of the next payload, since the attachment is probably only the dropper.

Observed beacons to the following:

140.135.66.217:8080
211.172.112.7:8080
82.113.204.228:8080
59.126.131.132:8080
59.25.189.234:8080
61.222.241.208:8080

81.93.248.152
103.4.225.41
5.104.106.56 - forserer1.tk


UPDATE

So it's definitely VM-aware, but I sandboxed it and got the stage 2 payload. FakeAV campaign.

File: update.exe
Size: 573440
MD5:  24AF8A9423DC3A89E6D816C4DA3DAE95
Compiled Date: Dec 4 19:34:01 2012 (Tue)
https://www.virustotal.com/file/069d3e48010d6ef93f14c3d5e52ca2649c48fcc983f92be8236459324a69ef59/analysis/1354672077/

Stage 2 Domains/IPs
 
gilbillingpay.com - serves the FakeAV license page
178.162.170.132
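The indicator lists from both posts on this page (the NJw0rm C2 above, the FedEx phishing domains, the beacon addresses and the stage 2 domain) can be turned into a detection check. The following is an added Python example, not code from the original posts: it refangs the indicators as the posts defang them, separates domains from IPs (keeping the port where a post lists one), and runs them over constructed proxy/DNS-style log lines whose format is an assumption.

```python
import ipaddress
import re

# Indicators copied from the two posts on this page, defanged where the posts
# defang them; ports are kept where a post lists them.
PAGE_IOCS = """
gerssy.zapto.org 109.169.70.108
quitcigarettes4good[.]com 174.132.99.162
karthikimpex[.]com 174.121.37.123
mailguardian.com[.]au 175.45.134.28
lifestyle.bplaced[.]net 176.9.52.229
exodionline[.]com 64.37.52.84
edostatenationalassociationofireland[.]com 46.252.207.1
140.135.66.217:8080
211.172.112.7:8080
82.113.204.228:8080
59.126.131.132:8080
59.25.189.234:8080
61.222.241.208:8080
81.93.248.152
103.4.225.41
5.104.106.56 forserer1.tk
gilbillingpay.com 178.162.170.132
"""


def refang(token):
    """Turn common defanged forms ('[.]', '(.)', '{.}', 'hxxp') back into real ones."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", token).replace("hxxp", "http")


def parse_iocs(text):
    """Return (domains, ips): ips maps address -> set of ports, where an empty
    set means the indicator applies on any port."""
    domains, ips = set(), {}
    for token in text.split():
        token = refang(token)
        host, _, port = token.partition(":")
        try:
            ip = str(ipaddress.ip_address(host))
        except ValueError:
            domains.add(host.lower())
            continue
        ports = ips.setdefault(ip, set())
        if port:
            ports.add(int(port))
    return domains, ips


# Constructed log lines (not from the posts); the key=value layout is assumed.
SAMPLE_LOGS = [
    "2013-09-16T10:02:11 dns query host=gerssy.zapto.org type=A",
    "2013-09-16T10:02:12 conn src=10.0.0.15 dst=109.169.70.108 dport=80 proto=tcp",
    "2012-12-04T09:15:00 conn src=10.0.0.22 dst=140.135.66.217 dport=8080 proto=tcp",
    "2012-12-04T09:15:03 conn src=10.0.0.22 dst=140.135.66.217 dport=443 proto=tcp",
    "2012-12-04T09:16:40 http host=www.example.com dst=93.184.216.34 dport=80",
]

HOST_RE = re.compile(r"host=(\S+)")
DST_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3})(?:\s+dport=(\d+))?")


def match_logs(lines, domains, ips):
    """Return [(line, reason)] for lines touching a listed domain or address.
    A port-qualified indicator matches only that port; a bare IP matches any."""
    hits = []
    for line in lines:
        m = HOST_RE.search(line)
        if m and m.group(1).lower() in domains:
            hits.append((line, "domain:" + m.group(1)))
            continue
        m = DST_RE.search(line)
        if m and m.group(1) in ips:
            ports = ips[m.group(1)]
            port = int(m.group(2)) if m.group(2) else None
            if not ports or port in ports:
                hits.append((line, "ip:" + m.group(1)))
    return hits


if __name__ == "__main__":
    domains, ips = parse_iocs(PAGE_IOCS)
    for line, reason in match_logs(SAMPLE_LOGS, domains, ips):
        print(f"{reason:28} {line}")
```

Whether a beacon address listed with :8080 should also fire on other ports is a tuning decision; dropping the port from the indicator makes it match any connection to that address, at the cost of more noise on shared hosting.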

Some screenshots

That's the initial stuff anyways...I'll get more info later...Plus since it appears to be a huge campaign there will probably be dozens of other people providing some of the same info and more...