Thursday, May 29, 2014

USPS Spam Delivering Asprox Variant

UPDATE: The botnet which is described here is called 'Asprox'. I've compared research with that seen from StopMalvertising.

Recent email spam has begun taking advantage of user's need to snail mail something.  The attacker will forward a message supposedly from USPS in order to get victim's to click on a link purported to be a shipping receipt, which actually leads to a malicious file.  If the user is unfortunate enough to click the link in the spam mail, a zip file containing a variant of Asprox is downloaded.

At the time of research, the VT score was 4/53
Once the file makes it way onto the desktop, it feigns a document icon in order to trick the user into thinking it is safe to view.  This is actually the malicious executable which scored 4/53 on initial VirusTotal scans.

Never trust an icon!  Check the 'Right Click > Properties' to see the true extension
The file itself creates local copies of itself in the logged-in User's Local Application Data and creates an autostarter to ensure that the victim stays infected after restarting their compromised PC.

The threat installs a randomly generated Autostarter value
ThreatLabZ has monitored this infection for a few days and observed several other download locations that kick off this threat.

All links download a similar package.  A third party sandbox analysis is available here
The common factor across all of these dropped files is that they all POST bzip2 compressed data which is then encrypted with a 16-byte random RC4 key via HTTP as reported by StopMalvertising.  We're seeing a growing number of attacks which utilize this method of phone home activity. The case of this Asprox threat phones home over ports 443 and 8080.

Communication is sent over port 8080 or 443
ThreatLabZ collected numerous IPs which were seen to communicate with malicious variants mentioned above.

IPs which communicated with Malicious samples.
Users and Administrators should be cautious of all traffic regardless of the ports it communicates on.  Attackers are leveraging nonstandard HTTP ports in order to bypass some security solutions.

Friday, May 16, 2014

Spearphishing Connects PCs to Russian Botnet

The talent over at MalwareBytes wrote this week about a Zbot dropper which comes from a PDF exploit through a spear-phishing e-mail.  In their blog, they discuss how a spear-phishing attempts to exploit either CVE-2013-0640 or CVE-2013-2729. User's must be extra cautious dealing with any attachment in an e-mail, but this threat merits extreme concern.  It installs a very persistent rootkit and logs the victim into a botnet which receives new commands/tasks every 10 minutes.  Removal is near impossible and also will use your Windows Mail to spear-phish your contact list.

As noted by MalwareBytes, attackers often use false extensions in order to infect victims (such as totally_legit.doc.exe). In the case of this attack, victim's download and click a malicious PDF.  This PDF, as Malwarebytes mentions, exploits Adobe Reader 11 and downloads an executable file.  At the time of research, 18/51 AV companies saw through this ruse and blocked the content before it had a chance to further exploit the victim.

We obtained a copy of the same malware in the Zscaler cloud and noted the following observations. A dropped file immediately connects to a Russian IP address to set up its beaconing activity as well as download more malicious PE files to the victim's machine.

axisbuild[.]com is showing some suspicious activity besides beaconing.
The translation of the C&C configuration file seen above in English is:

Интервал обращения к серверу в минутах
('Interval back to the server in minutes')
Таймаут цикличного обращения по ссылкам в минутах
('Timeout cyclical treatment referred to in minutes')
Список ссылок c&c
('The list of references c & c')
Страна бота
('Country bot')
Список задач
('task List')

In addition to awaiting for further commands from a remote server, the threat will also make many edits to the vicitm's system in order to remain despite removal processes.

There are several locations where this threat might download additional malicious PE files.  I've added a brief list below to illustrate.  I will provide more upon request to interested security professionals.


There are other locations used to download malicious files.
We took all different versions of these files and combined the phone home traffic to give a full list of IPs contacted.  The dropped files immediately begin to contact various IP addresses using nonstandard ports.  The following is a list of IPs and their hosted country.  

List of nonstandard ports used by all variants.

List of IP addresses which were contacted across all variants.

Administrators should monitor their networks for any activity which might match the outgoing transactions above.  Administrators will have a really tough time removing the threat due to the creation of a rootkit and altering the system's boot sequence.  The Zbot variant maintains a high level of persistence by doing the following:

This allows for untested drivers to be executed as part of the boot process

Dropped files create a system driver which executes during boot sequence.
  • Spawns drivers in the Windows Directory

The Autostarter value is randomly generated
  • Creates an autostart registry key

Used to inject malicious process into kernel.
  • Registers kernel notifiers (kernel callbacks)

The victim is used as a node in further spear-phishing campaigns.
  • Manipulates Windows Mail files



Users and Administrators must take extra caution against suspicious attachments.  Common methods for APT infection include tricking users to go to a compromised website or downloading something malicious through an attachment.  The fact that this threat compromises Windows Mail files means that the victim can be used to attack your contact list.  This allows for the attack to circumvent spam lists and base protections employed by regular users.  The best solution is to employ a sandboxing solution against all files which come through e-mail.

Sunday, May 11, 2014

Backdoor Xtrat Continues to Evade Detection

While reviewing recent reports scanned by ZULU, we came across a malicious report that drew our attention. It was notable as the final redirection downloaded ZIP content by accessing a PHP file on the domain 'www.stisanic.com'. 

URL: hxxp://www[.]stisanic[.]com/wp-content/coblackberrycomnotasdevozdate07052014[.]php


ZULU's virustotal check scored the file as higher risk. At the time 10 vendors on VT detected the ZIP file as malicious.
  • File : coblackberrycomnotasdevozdate07052014.zip 
  • md5 : d7d6574a443909b04b1ac76fb07b8dc2 
  • VT Report : 10/52


The ZIP file contained an EXE. Once again, only 10 vendors flagged the executable as malicious on VT. 
  • File: coblackberrycomnotasdevozdate07052014.exe 
  • md5: bd06e73db5b169120723206998a6074a 
  • VT Report: 10/52
The ZULU report turned out be live example of Backdoor Xtrat, which is a relatively old threat but one that many AV vendors are still not consistently detecting. AV vendors had first released a signature for this malware in May 2011 (MS advisory). The poor AV detection is the result of a common challenge - the attackers consistently alter the binary and there are numerous variants. This is of course a known limitation of signature based approaches and something that attackers regularly take advantage of. It's also a reason why security vendors, like Zscaler, are increasingly relying on behavioral analysis when analyzing binary files. Behavioral analysis doesn't rely on signatures or require any prior knowledge of the threat and is a key component in the Cloud-based APT solution that Zscaler released in 2013

Zscaler behavioral analysis report:

Screen capture of the Zscaler Behavioral Analysis report for Backdoor.Xtrat

Typical behavior of this backdoor:
  • Injects itself into svchost.exe, exploere.exe and iexplore.exe
  • Drops PE files
  • Performs network activity to accept commands from a remote server and sends data to the remote server
Dropped file details:

The backdoor drops the following two EXE files on victim's machine. Both of the EXE files are same, but are dropped with different names.
  • vbc.exe/wintegfire.exe
    • md5 : 6fb9ce258a2420d898b6d0fa4d73bb8f
    • VT Report : 6/52 (Also very less detection)
Network Activity:
The backdoor downloads content from 'analaloca.chickenkiller.com' over port 3460. 
  • URL: hxxp://analaloca[.]chickenkiller[.]com:3460/123456.functions 
  • IP: 181[.]135[.]149[.]40
  • Zulu report: 100/100

CnC Server Location:


CnC URLs with the above pattern of '/123456.functions':

cascarita1.no-ip.biz:33100/123456.functions
cascarita2.no-ip.biz:33200/123456.functions

cascarita3.no-ip.biz:33500/123456.functions
windows.misconfused.org:999/123456.functions
uranio2.no-ip.biz:10180/123456.functions
fungii.no-ip.org:999/123456.functions
mohammad2010.no-ip.biz:81/123456.functions
supermanaa.no-ip.biz/123456.functions
updating.serveexchange.com:999/123456.functions
spycronicjn.no-ip.org:81/123456.functions
allmyworkers.no-ip.biz:400/123456.functions
livejasminci.no-ip.biz:4444/123456.functions
31.193.9.126:3377/123456.functions


We also observed CnC URLs related to this backdoor with a small variation in the pattern. The pattern varinat observed was '/1234567890.functions'.  

CnC URLs with pattern '/1234567890.functions': 
suportassisten.no-ip.info:2180/1234567890.functions
laithmhrez.no-ip.info/1234567890.functions
papapa-1212.zapto.org/1234567890.functions
sarkawt122.no-ip.biz/1234567890.functions
outlook11551.no-ip.biz/1234567890.functions


Snort signatures:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Backdoor Xtrat URL Request"; flow:established,to_server; content:"/123456.functions"; http_uri; nocase; classtype:trojan-activity; reference:''; sid:XXXXX; rev:XX;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Backdoor Xtrat URL Request"; flow:established,to_server; content:"/1234567890.functions"; http_uri; nocase; classtype:trojan-activity; reference:''; sid:YYYYY; rev:YY;) 

We are seeing new CnC domains related to this attack every day. This shows that the attack remains active.

Avoid this backdoor and stay safe !

Pradeep

Friday, May 9, 2014

Bitcoin Miner Utilizing IRC Worm

Bitcoin miners have given a new reason for attackers to communicate en mass with infected users.  IRC worms are not exactly the most hip way to communicate, but they remain effective at sending and receiving commands.  I recently came across several samples which bit coin mining examples leveraging IRC.  The malicious binary, once installed, queries for the network shares connected to the victim's PC, drops a file, and creates an autorun.inf file to infect anyone unfortunate enough to use that same network share.

First, we see that the threat has many different variants at a single location
A portion of the malicious content on this IP.


This IP's urlquery report is also picking up some shady content on this IP.  Unfortunately, the Virustotal score at the time of analysis was 1/52.

The first thing the threat does is install itself to any network shares on the victim's system.

The file 'snkb0pt.exe' is installed in 'netshare:/snkb0pt/'
It also installs an autorun.inf file among files used to store content retrieved from victims.

Next, it installs itself as a service on the victim's PC to ensure that it can't easily be removed. Image File Execution Options are also created.  This will ensure that the malware can install as the "debugger" for a frequently-run program (such as Explorer) and thereby inject itself into the execution sequence.  Further explanation about this methodology seen here.

A service is created along with edits to Image File Execution Options.
Autorun additions are also created to establish itself at boot.
The malicious network share file is clearly calling shell32.dll in order to exploit other systems connected to this network share through a created autorun.inf file. 

That clsid is allows the executable to launch differently than in Explorer.
The export file stored in the network share stores information about what systems are infected.

There was not much IRC activity, but the framework exists to login to the attackers channel and receive commands for further action.

Connection is established

First attempt

A connection remains open, beaconing for further contact.

I analyzed all available samples and compiled a list of phone home DNS requests made by all the variants.
Of all samples collected, these dns requests were made.

Due to the high volume of variation in the samples, standard AV solutions only catch certain instances of the threat.

Sample 1

Sample 2

In the second instance, we see that some vendors have flagged the malware as a bitcoin miner.  A sandbox analysis of the second sample has strings related to a Bitcoin Mining application known as xptminer

The implications are that this threat infects one user and anyone connecting to a malicious network share. Infected machines then begin communicating to a server which manages bitcoin mining operations.