Wednesday, November 27, 2013

Sharik Back for More After Php.Net Compromise

Sharik is a Trojan which injects itself into legitimate processes and adds registry entries for an added level of persistence.  The infection also sends information about the victim's PC to a remote server.  The threat can also receive commands from a known CnC server to download further malicious files.  The point of origin in this case is almost always a compromised website as discussed previously in a colleague's blog.  At the time of research, I had not pinpointed the initial infection for this threat.  The end result of the Trojan infection appears to be identical to past iterations of this threat.

The following are known drop points for this threat:
  • hxxp://69.64.70.25/301940a6b4673c67bd421220bb092fdc/justice-corresponding.php?zf=322d305457%26Be=2g55562e312f2j2j3155%26N=2d%26WT=L%26pP=i
  • hxxp://corp-firewall.com/6.exe
  • hxxp://66.11.227.108/0c3dcf60e6a7a6d2821831740af2cd59/optimum-bi.php?Jf=7172407038%26Ve=3b707139413a3e3e4170%26u=38%26sE=R%26q%29=w
  • hxxp://main-firewalls.com/6.exe
  • hxxp://main-firewalls.com/6.exe?
  • hxxp://lessnvanor.info/calculator.exe
  • hxxp://173.201.34.30/fabba93c6d389652ec249d95d79b9a43/connecticut-session.php?m7d%29-7-7g=8ew68aw68d%26-%21009GrVe=w88c8dw6wdw7wbwbwd8c%26h__%28D5V%2A_VI=ww%266U1P%2AJ0C9O%2A_V%21B=aGP%2Al%21FY%2A1_81%21C%26C8%21-N6%2AN=8y%2A%2AJk_%288XR_
  • hxxp://216.224.186.70/setup.exe
  • hxxp://61.152.158.37/da4fc29e32968439fd700e495d4e8903/instructors-spectrum.php?110b00aab11a001bba=-h-z76-b-e%260ba1a111a0b=-b7677-9-g-z-e-e-g76%26a0bab000ab01=-y%260bba0b01b1a00b1a=100a1a0100b110%26ba00aab0101ab1=11aab0b1bb10
  • hxxp://193.106.172.140/index.php
Many of these files have already been talked about in other blogs, especially for the the corp-firewall.com and main-firewalls.com drop sites.  What helped me tie all of these infectious files together was their distinct phone home traffic.  Every instance mentioned above displays the same phone home behavior albeit to different locations.  Below is the phone home activity displayed by all of the above trojans:

  • hxxp://174.70.149.96:35618/5239438/u491236/index.php
  • hxxp://50.88.254.49:35618/ci5Xud?feVStUWVtcBMjoAOg=qLPueIKdPtnm&KNXWYseFaHCidA
  • hxxp://80.15.218.122:35618/8DVQ6mm?xKKolchGvVMvI=SfipwkaWliPWrc
  • hxxp://50.88.254.49:35618/OGbJfx1ro?yXvViVNepTrkRlNJ=AwqRMHHpLqJXAD&qagYnRxnYQYSpIEcB=lFAIbxdmjHO&eFTsEVSmSYpCtMbdm
  • hxxp://68.102.186.119:35618/618342/d4921412/index.php
  • hxxp://50.88.254.49:35618/UkMlaX?FpvxpKdwTaBxKVBD=kkEAvywTFQIBomL&BDKBeMIRwgNa
  • hxxp://50.88.254.49:35618/KrU1qi1nu?SmjxtvpdphspkM=mxBoWXdFowVQLbm&PwkjWlqBMyBEf=qqePnpwIekn&YddGxrkSWPJgfe
  • hxxp://68.102.186.119:35618/618342/d4921412/index.php
  • hxxp://68.102.186.119:35618/jTORvR4mk?UkJmcNFNATO=NNpFbHCwxSRrRAHc&kIhIDgpeUOl=ILTtrQjWgYYOfAgJk
  • hxxp://78.167.119.210:35618/3W7a8ph?AMhxEPvNUERWTHOK=oykAeQgptMTkJ&YxYLAodNKB
  • hxxp://87.160.74.191:35618/suFTmE?FjRJTTyREjklwuELn=fSqlGVwMPjOin&bfGborcmWbla
  • hxxp://96.58.105.16:35618/3Pkppd?osWurwLDMTivWmgac=xvxKVqTCeXfNBDuqe&YVkeMBlqIHTwg=rnTHuVwBKUMfjDVi&KOdCbidxJEVB
  • hxxp://68.102.186.119:35618/cuw8y2?kwLQWFDmiQVKYmo=roVUdIwlxngKeJ&ilPweGjCVPFi
  • hxxp://70.90.19.69:35618/618342/g1048234/index.php
  • hxxp://109.29.222.118:35618/7x9pkn?KOwQrSdXnqXdAgJAA=FnHRwvBPgcIXuDA&rkWmaTRhJcWGAXtF=rnwXgTDkUrVXmfJdi
  • hxxp://107.213.251.143:35618/618342/h491274/index.php
  • hxxp://96.244.246.64:35618/493247/i423479/index.php
  • hxxp://74.71.202.23:35618/493247/i423479/index.php
  • hxxp://67.87.103.199:35618/493247/i423479/index.php
  • hxxp://69.92.46.228:35618/tY0pcd?soRLbxjFdVCeo=YjcGWaFpmwdyG
  • hxxp://68.118.249.206:35618/4Jdbqg5xi?UPrmDhcakwJtH=uHicfgSQWPsLJVa&uqHNsOpuWIEUKSQf=wqQOkoPieCTVsj&EuYAbtgNJHxoj=fYFukcVftXpEWOL
  • hxxp://69.92.46.228:35618/O2Wgky1ex?sKhnFBxHVOsAg=ArsWCCCVkgevlo
  • hxxp://64.251.129.122:35618/IFmZnn?LhnRHjJjcBP=YhfseyodnwkJi&NkAEOSEPXxUvwFan=orpPSnPiuFDuk&NeIxkIOJpWkH
  • hxxp://24.237.39.65:35618/5923/u82364286/index.php
  • hxxp://69.92.46.228:35618/SHPdiz?EApYkqAbAlYxWkG=jvBlaYDMbla
  • hxxp://24.151.47.183:35618/i2dBru5br?WOvpdgXBvbjRAI=lghnceNceN&vIBagHuAExoRd=eCYwmudMPJoyXsaj&RouLOdQJEXYJEJ
  • hxxp://69.92.46.228:35618/OKlHrt?wpOcUyyXtpGXCdFj=RJOWxyDOepMWDG&cDAbmAKpjg
  • hxxp://78.112.119.85:35618/5923/j41824612/index.php
  • hxxp://76.100.9.18:35618/PUU06dl?mUlCxcKquOICm=rMOvgjltEicp
  • hxxp://72.218.201.207:35618/nfCdkN?tOKAOFdkuIre=slKVYfIUkDpnM&OqnMeKxfwdyCQJ=wUGxeQRcvtDMwIoj&NpyeBDYjrurEkfc=sWJWvGdFTOkRAD
  • hxxp://173.30.185.44:35618/s6fjdU?UgFIrOJJWsjmQo=HmgyBypGXbTwHKL&UHqwbRQgtNcnCfsO=amBRUJFjWSdqagRyj
  • hxxp://68.82.210.42:35618/Igchv87fj?uNytyqkbJTVXEaBLH=aGnHwxpDNVcUReQf&uxLwEfRGPLBm=CmNinWfybrpgRj&EoOhaxhdbID=dSdbmpJOAj
  • hxxp://68.82.210.42:35618/FJEE7rn?qiXtdIHxpFmGE=KsmiFMHufteqwVd&dVOoTpCMVBDQm
  • hxxp://72.82.61.239:35618/36414/g977123/index.php
  • hxxp://173.30.185.44:35618/AHA24?VwweLQojXjqRbIi=KQIGDkFqLvGD&MVhIYJPKADM=fCeuCMPJGsmH&KBFYwYDElgmTTtHxe
  • hxxp://81.139.129.74:35618/36414/j481261/index.php
  • hxxp://98.254.127.113:35618/30468/83427g/index.php
  • hxxp://222.254.155.130:35618/30468/83427g/index.php
The transaction I'll be focusing on here is the very last bullet point.  After the infection occurs on the victim's PC, it creates an autostarter that hooks into explorer.exe to add a level of resilience to hinder standard AV removal methods.  At the time of research, the MD5 (fa33c07e27e4a1e9f1ecdf1172f12562) was being detected by 8/46 AV engines on Virustotal.





The main function of Sharik is to leave the victim open to further infection.  To do this, the infection will set up a backdoor and communicate with it's CnC.  The attacker can choose to attack the victim further later on.  The standard communication between the victim and attacker appears to take place on a non-standard port 35618.  Given the high volume of variants of this threat, it is advised to close this port or at least monitor it for suspicious activity.







It should also be noted that many of the above mentioned download locations are involved in other threats.  For example, main-firewalls[.]com is very closely related to Nymaim ransomware.  Another example is the md5, 771cc060cf15fc29290a0109c1cf7669, which is a Fareit variant.  So what is a ransomware application and a FTP stealing trojan doing displaying the same phone home activity as a resilient backdoor Trojan?  This activity hasn't been tied to on specific group at the time of research, but administrators and users should be on notice.  Where there is smoke there will inevitably be fire.  So if you suspect you or the users you are responsible for are seeing HTTP traffic like the above mentioned, then it definitely merits further investigation. Mind your clicks.

Thursday, November 7, 2013

CVE-2012-1889 is still alive!

In  Zscaler’s daily scanning, we identified an instance where CVE-2012-1889 (MSXML Uninitialized Memory Corruption Vulnerability) is still alive. Lets take a look.

The site hxxp://wm.17wan.info:9999/zx/zip.html?mag.fznews.com.cn is a Chinese site, which targets online gamers by serving malicious code which exploits Microsoft XML Core Services. This attack allows  a remote attacker to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site. The site serves highly obfuscated code to evade antivirus solutions. 
VirusTotal lookup
You can see the highly obfuscated code served by the malicious site in the screen shot below.

The highlighted code shows that the a CLSID object is being used, which is exploited by parsing long strings of the letter “A”. This CLSID object is related to the vulnerability detailed in CVE-2012-1889.
Lets take a look at a beautified version of this code.

This highlighted section shows the suspicious function, which leverages the shell code for exploiting the vulnerability.

Here function heapLib() performs a heap spray. You can see the complete series of functions utilized in the full attack.
Let's decode the script which is shown in first screen shot

The decrypted source code shows that random named parameters are used for obfuscation of the original code. The chunks of code are combined into a final code snippet, which is then decoded again for making the actual shell code. Here you can see that the variable “t” is using the “MYKEY” parameter and “MYKEY” is using the “MY” parameter to construct the final chunk. This final chunk is again decoded by the function utf8to6() and nbcode(), which are defined in the source code for the final payload and that is used by the window object. At the end of the code the “t” variable generates the final javascript snippet which executes the shellcode.

This is the javascript which is generated at variable “t”.  Again, this script is obfuscated. Obfuscation is primarily used by malware authors to avoid antivirus detection. It should be noted that malware authors do not always leverage 0-days, in fact most technical attacks utilize known vulnerabilities as attackers know that a large percentage of PC users have not applied the latest patches.

An interesting observation is that the javascript is written in such a way that it only works on IE. It avoids delivering an unnecessary heap spray when loaded in another browser. That’s why when you open this site with IE it crashes IE and while opening with any other browser it works fine. It does however attempt to serve alternate malicious files to other browser users such as the samples described below.

Here you can see the sourcode contains a link which drops a malicious Rar file.

VirusTotal lookup



HTTP Transactions 

This site makes a connection with following sites
  •   Js.users.51.la 
  •  Web1.51.la:82
Zscaler provides complete protection for these threats.