Thursday, April 23, 2015

IRC Botnets alive, effective & evolving

An IRC Botnet is a collection of machines infected with malware that can be controlled remotely via an IRC channel. It usually involves a Botnet operator controlling the IRC bots through a previously configured IRC server & channel. The Botnet operator, after appropriate checks, periodically moves the IRC bot to a new IRC channel to thwart researchers & automated sandboxes from monitoring the commands.

In this blog, we will look at one of the most prevalent IRC based malware families - DorkBot, followed by three additional IRC Botnet families - RageBot, Phorpiex, and IRCBot.HI.

DorkBot Installer
In our telemetry data from last 3 months we have seen following URL serving the DorkBot installer:
api1[.]wipmania[.]com[.]wipmsc[.]ru/api1[.]gif  (Check APPENDIX section for additional info.)
The malware executable checks for two command line arguments
  • "-aav_start"  - It terminates
  • "–shell"  - It starts the infection cycle, creates a registry key "Windows Update" to ensure persistence, and creates a mutex named Windows_Shared_Mutex_231_c000900 to ensure only one copy of Dorkbot is running
If no command line argument is provided, it starts injecting threads into other processes without performing the above mentioned actions. 

It first injects a thread into svchost.exe and performs the following actions:
  1. Copy itself as "%APPDATA% \Update\Explorer.exe" on the infected system.
  2. Creates a Run registry key with the name of "Windows Explorer Manager" for the dropped executable copy.
  3. It creates a thread that monitors the Run key created in step 2 & recreates it if missing, every 10,000 seconds.
  4. It also creates a thread that copies the file created in step 1 to file name “\c731200” in the "%APPDATA%” folder.
  5. It then creates a remote thread in mspaint.exe that tries to resolve a predetermined list of domains as shown in image below:
DorkBot - Hardcoded Domains
The main Dorkbot binary (MD5-E7E48AD1A2A57CC94B56965AA8B476DA) was found embedded in the resource section which is extracted and executed at runtime.

DorkBot - memory strings
It also creates a remote thread in the “calc.exe” process that performs the following actions:
  1. Creates a mutex with the name “c731200
  2. Checks for Internet connectivity using API InternetCheckConnection with as the URL.
  3. It then tries to download files from 20 different URLs and saves the downloaded file with random file names in the %Temp% folder. File names are shown in the screenshot below:
DorkBot- Random file names
All the URLs are hardcoded in the DorkBot and are encrypted via a custom encryption method.
DorkBot - Encrypted URLs
DorkBot - Pseudocode of decryption function

Below is the full list of URLs from from where it tries to download additional malware:


Dorkbot represents a family of information stealing worms that uses IRC based Command & Control (C&C) server communication. Dorkbot is also known as ngrBot due to it's similar feature set. It is one of the most powerful IRC based botnets that generates revenue for the botnet operator via the following features:
  • Capable of spreading via chat messengers, USB drives, & social networking sites
  • Supports multiple Distributed Denial of Service (DDoS) attack types
  • Capable of stealing login credentials for multiple HTTP and FTP sites
  • Blocks security update related websites to evade detection
  • Capable of downloading, installing and uninstalling other malware payloads
RageBot, Phorpiex, and IRCBot.HI Analysis –
From our 3 months telemetry data, we have seen the following URLs serving these IRC bots–

Malware Name

In addition to IRC based C&C communication, all these bots have following similarity in their operation:

1. Checks execution environment - Virtual Environment, Honeypot or Sandbox

RageBot - Check via Username
As seen in the screenshot above, Ragebot is checking for common usernames found in certain public sandboxing environments before executing further.

Phorpiex - Check via DLL name
Phorpiex bot looks for strings like 'qemu', 'virtual', and 'vmware' in system registry to check for execution in Virtual Environment. In addition, it also checks for the presence of Sandboxie sandbox environment by looking for specific DLLs as seen in the screenshot above.

IRCBot.HI - Check via DLL & Product IDs
It is important to note that IRCBot.HI checks the ProductID value from the registry against multiple hardcoded ProductID values. It terminates execution if any of them matches. We believe that these hardcoded ProductIDs were harvested from various online public sandboxes.

2. Creates Mutex
RageBot – It creates a mutex with name “ie”

RageBot - Mutex
           Phorpiex – It creates a mutex with name “t2”, We have also seen some Phorpiex samples which were creating mutexes with name “t3” and “t4”. 
Phorpiex - Mutex
          IRCBot.HI – During installation it creates a mutex with the name MAIN_<RandomNumber>. When it runs from the installation path, it creates a mutex with the name BACKUP_<RandomNumber> 

IRCBot.HI - Mutex
3. Installation

RageBot- It installs itself in “%ProgramFiles%\Common Files\System” or “C:\DOCUME~1\” directory. The malware uses ragebot.exe as file name for the dropped file.
RageBot – Building installation path
If it is not able to create the file at the above mentioned locations then it tries to install itself in “C:\RECYCLER” directory.

Phorpiex – It installs itself into %WINDIR% , %USERPROFILE% , %APPDATA% and %TEMP% locations by creating a folder “M-50504578520758924620” containing a file named winmgr.exe.
Phorpiex – Pseudocode of Installations function 
It then deletes itself after installation by running a batch file dropped in the %TEMP% folder.

IRCBot.HI – During our analysis it installed itself into %WINDIR% and %USERPROFILE%. In %WINDIR%, it creates a folder named 1756410959 and drops copy of itself as lsass.exe. In %USERPROFILE%, it drops copy of itself as ctfmon.exe. 

IRCBot.HI – Installing in different locations

4. Adding autostart feature using Run registry key.

RageBot – Creates Run Key -         HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and key name as – “Windows Update”

Phorpiex – Creates Run Key - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and key name as – “Microsoft Windows Manager”

IRCBot.HI – Creates Run Once Key - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce and key name as – “*<RandomNumber>”
IRCBot.Hi – RunOnce Entry
5. Adding itself to Windows Firewall trusted application list 
All these bots add themselves to the Windows Firewall’s exception list by modifying the key
6. Propagation method 

RageBot – 
  1. It copies itself to the following P2P & Instant messenger application folders for spreading  
    • \Program Files\LimeWire\Shared
    • \Program Files\eDonkey2000\incoming
    • \Program Files\KAZAA
    • \Program Files\Morpheus\My Shared Folder\
    • \Program Files\BearShare\Shared\
    • \Program Files\ICQ\Shared Files\
    • \Program Files\Grokster\My Grokster\
    • \My Downloads\
  2. It also searches for RAR files and copies itself inside them.
Phorpiex –

    A. Creates a shortcut in a removable device
  • It checks for all removable devices
  • Copies itself with a different name
  • Creates a shortcut to an already present folder and sets the path of a shortcut to run the malicious file
  • Hides the malicious file and folder by setting a hidden attribute for both
Phorpiex - Creating Shortcuts

    B. Creates an autorun.inf file in removable devices to autorun the malicious file
  • Checks for all removable devices.
  • Copies itself with a name of windrv.exe
  • Creates an autorun.inf file to autorun the malicious file
Phorpiex - Creating autorun.inf file
IRCBot.HI - 
We identified strings related to Skype in memory during our analysis that would suggest this bot is capable of spreading via Skype. 
IRCBot.HI - Skype inject related string
7. IRC based Command & Control communication
All these bots use the IRC protocol for C&C communication. Bots perform different actions based on the commands received from the remote C&C server.

RageBot – During our analysis, this RageBot sample was trying to connect to vnc.e-qacs[.]com on port 6668. Upon successful connection, the following initial communication was observed:
RageBot - C&C Communication
You can find full list of C&C commands in the appendix section.
Phorpiex – It tries to connect to trksrv[.]su on port 5050. Some other IRC servers it tries to connect to are - trik[.]su , srv50[.]ru and trkbox[.]ru. Upon successful connection, it sends the following IRC commands:
                                      NICK `|USA|hihdlxu
                                      USER x "" "x" :x

Some other commands:

                              001 -> Sends JOIN #b message to server
                              PING -> Checks status
                              .j <channel name> - > Join given channel
                              bye -> Uninstall bot

Phorpiex - C&C Communication
IRCBot.HI - It tries to connect to irc[.]ernsthaft[.]su or irc[.]ded-rrwqwzjzjris[.]com on port 6667. 
Upon successful connection, it sends the following IRC commands:

                                     PASS ddos
                                     USER <8 char string> <1 digit number> * :<8 char string>
                                     NICK n[USA|A|D|<OS_NAME><OS_TYPE>|1c]<8 char string>
                                     JOIN #PlanB

Below is a sample of the C&C communication for this bot:

IRCBot.HI - C&C Communication
In this era of sophisticated Botnets with multiple C&C communication channels, custom protocols, and encrypted communication; we continue to see a steady number of new IRC based Botnet payloads being pushed out in the wild on a regular basis. As we saw in our analysis, IRC based Botnet families continue to evolve in terms of sophisticated features incorporated in the bots.

ThreatLabZ is actively monitoring this threat and ensuring signature coverage for Zscaler customers.


DorkBot installer URLs and MD5

Jan-15 E49B3EF80FF4DB4DB1D5220930EC7DAD api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 CC9D72663D2495779B0C81AEE34592E7 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 A98472BCAA010433A80410C3483C90E1 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 EEFC72EFFD96FFD11EC2D69CD6248AC5 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 4E7149C1401F5A0BC34E3AAD6070F4BE api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 5B14C029570F40BDDC73669FE4EFEFB0 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 4C54D366B04F9980F038CB6FC62603D0 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 6E4282023D6A19B27C30DB5D54CEE32C api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 E7B61B2BE23167965079468DF36497EF api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 DC8CBA3F91A34F0D1EFA79BE4495B305 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 8AAD291926335F28B4402830252556F7 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 8036A36C372602CFA049996B9F5BD6AE api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 8036A36C372602CFA049996B9F5BD6AE api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 7257FD6F90B5AA9BB249EA74B764A401 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 B186525826856E881E879C6C44BB2452 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 220188F1BD2E10BA0751383EA0946DBA api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 2DB9BD0ABD99F3285721D358A6816737 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 EBEB072B8336F5FD35328227A60B271C api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 01303BEFE5938C3C748C4E058A8A6AE9 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 82E2CA09BDEB3ABF8B70D848F66793E7 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 0B2E7AE8DF2ADA1E86A3A25FC248C6FE api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 430560EBD3BE6A680BFA6409F332585B api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 F79AF05D9B43F99EB6FC64DA2C129F67 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 384252746FAFF8D264E6A8CA450B6301 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 C9636239ED698834CABA78E1F9F8DB0F api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 9C42746376CC7D265D6BF554B960EDE2 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 67B08BF0F2C89DE4E0D1C36BAF7193B9 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 735B6602B4BD1D71246F43642D6873AA api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 7D9AF61AE962443D586BFC8A86100B5F api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 05ABC48A4BEE624D7952954CF14F699D api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 FF638ACA7D8D10ED8AD2DE1BC333123D api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 AA4085182E8F10FEC8EBC3F6D3612321 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 1A54593E7C82DD1B16B7626FCB211DA1 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 235E67A88907DA68BFBB9264A00A31E3 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 2CBD9428DEE885C30258BF0C38299138 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 CCDC5EC2085536160813658BE549F0B6 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 CBD732F87901EE03820DBA41D0D2895A api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 BE5E43F2786D628B7AA8689C2108247D api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 5AEC4A3B3E0AEB3B13B98086FC81D797 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 6034814DB1C25A092C39F251F29B2216 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 6CAE0B51E5EAD86EEA47C4068287650A api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 451E324D3CB601E00FA041D6FDE1C4EC api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 9AEB3A097F11887D89EC08D337814B6B api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 8F9F97232DBE283BC5E7B6AB4DD580B8 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 F57A08679380F3FDFD369528FE5CE854 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 F24BC22CFD12E3FDE40D06BF54F35CF1 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 4BB4C19B5FC2401D45845789CC761577 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 583432D95424EC051AFE9E621DC41ACA api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 C5756AC3FE61266D326B43E904BC1A6C api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 44012367D7FFA7845B59462952AB9014 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 FC506F023FF71E3ACDEE4449C43E5F1B api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 322E11B552B897ADBC9ABCE51774988E api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 EC0832E5818E4CD753C4B2675C6179A1 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 63C37B2FEB0C0F71568B9771AC4DACE4 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 7BE4749D1D1F8950F7288C67A393B7F0 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 ADDF9E2B207AD9E89DB46E81A8121882 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 3E70DB4E5F5F60F2FDE7AEC38F4B30CD api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 268301147BC53722A898E1F38E6F026D api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 309FB15C08861BC063C19C326A29AC98 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 422C1A2BC53F72CAE5435F7F5598BDFD api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 30A6C9DC574075C5EA47F17EA9392C47 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 37A9570400CB0C0CD4E5273AE3232EB5 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 E59BCA5EE865FE5789C96B20A43F9207 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 919C861E6A6ABF88045476D5D92A5DE1 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 5FD98DE177F158C31960BF80272F2535 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 9439AA18598643131B3F8DD9E69AB294 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 F66A06166B73391C4C7A7A58CC6CE66C api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 79589FC33375A63BB44A8DE0B2B5DAF8 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 2C328EF3F2074D68729F329D4B2F8013 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 90E8FF73C7E78B99ABCD1FC22394F22E api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 A3AEC401831AF6EF1C75AFB1C50D96DA api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 42C7C8719D33AFCF36DC7D5D2594EB5B api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 375E51758336183B07CA7DBF771D2EF8 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 FA20E413002E17B938B2451552721027 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 09840FA1887528B20C98C408C8EB6E07 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 6AB2975E77EA4724FADF4CCB7250F0E9 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 51E7E34FFB5EF17FDE5FAFC5DF8F7212 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 F61E3F5ACFE1F861CECEA0A793D4F333 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 229236B39E92E629178419CB8A529E1A api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 D299AD2A61F325F5DA56AE7674D2F77D api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 53CA20232F358A9C256748403451EF14 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 41BE96D1B3BDF9E48D97AE153D6EFD45 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 213E0B42AF7CF1D0DCB75E378CA93512 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif

RageBot Commands

Command Description
PING Check status
422 Check status
433 Redefine nick name
-s Silent mode
h 0f6969d7052da9261e31ddb6e88c136e Uninstall bot.
h fd456406745d816a45cae554c788e754 Download and run file
Botinfo Sends botinfo
p2p Starts p2p spread, Copy itself into following location-
\Program Files\LimeWire\Shared
\Program Files\eDonkey2000\incoming
\Program Files\KAZAA
\Program Files\Morpheus\My Shared Folder\
\Program Files\BearShare\Shared\
\Program Files\ICQ\Shared Files\
\Program Files\Grokster\My Grokster\
\My Downloads\
commands Sends following list of commands
commands: botinfo/rarworm/xpl/p2p/vncstop/disconnect/reconnect/nick/restart/part/join/
rarworm Scan for .rar files and copy itself into .rar archives with name as ?self-installer.exe?
disconnect Disconnect itself
b0tk1ller (off) Starts a thread that scans for the running processes and terminate the process if process name matched with hardcoded process names.
If parameter off is provided it stops the bot killer thread.
reconnect Reconnects to the same server Same as reconnect since there is only one ip hardcoded in the bot.
nick (nickname) Sets nick name if nickname not provided that generates random nickname
restart Restarts itself
vncstop Stop VNC scanning threads.
join (channel_name) Join mentioned channel
xpl Starts vnc and ftp scanning threads.

Analysis by: Amandeep Kumar, Avinash Kumar, Nirmal Singh & Deepen Desai

Wednesday, April 22, 2015

Fake porn site serving Chinese SMS Trojan

The majority of Android malware continues to target Android devices that permit the installation of apps beyond the official Google Play store. Often, the malicious Android apps are delivered via third party app stores, but we do also see rogue apps delivered directly from malicious sites. Recently, we came across a fake porn site which is serving a Chinese SMS Trojan.


Malware payload.

The above screenshot shows the malicious APK file being downloaded following user acceptance. When a user visits the page and attempts to view a video they will then be prompted to install an app. The user is social engineered into believing that installing the app is necessary to view the video, but in doing so, they are actually installing the malicious app that will carry out SMS fraud.

File Info:
Name: GA2161.apk
Size: 0.9 MB.
Package name: iickcf.ndakik.feockk.gcahbp.oefdnc.omeonn

Interestingly, the payload filename is dynamically generated and will change with each new download. This is likely an attempt to bypass basic blacklisting of a known malicious app name.

Changing APK names

Upon successful infection, the following icon is visible to the end user on their mobile phone:

Icon of installed malware
The malware then declares a Broadcast Receiver, which is registered to intercept all future SMS messages received by the user. The received message is analyzed by the malware to determine where it was received from. Once the sender's identity is confirmed, it parses the content of the received messages and matches it against certain hard coded message strings as seen below:

Receives SMS.
The following is the list of hard coded Chinese message strings and their English translations:

Hard coded message strings.
Translated Chinese message strings [Credit: Google]

The intention of the malware author is clear from these message strings. The app generates fraudulent transactions from an infected device by purchasing on-demand videos and premium SMS services controlled by the attacker. SMS messages are generated by the app to initiate a purchase. The app then monitors incoming SMS messages to identify the purchase validation message, which must be accurately responded to in order to complete the transaction. When the validation message has been intercepted, it is parsed and matched against the hardcoded strings in the image above, to determine and submit the appropriate response. Once this occurs, the transaction is complete and the victim will be charged by their mobile provider.

SMS Trojan Fraud cycle

SMS send function.
The malware also leverages the International Mobile Subscriber Identity (IMSI) property for determining the location of the device, as well as service provider information as seen below:

Checks for IMSI.

After a successful SMS send operation, the app submits a POST request to its Command & Control (C2) server '' on port 8456.

Post request.

The app sends the following information to the C2 server:

Post request capture.

We were able to observe portions of the C2 server panel used by the malware author due to a lack of authentication applied to specific web pages. The administration panel used to manage the Trojan can be seen in the screenshots below:

C&C Panel Login

C&C Panel Actions
It also sends the same information to IP Address, which appears to be an alternate C2 server for the same Trojan:

Portal 3
Post request.

The malicious app then sends a POST request checking for updates and in response, receives a URL pointing to a JAR file named "firstpay_v7.0.jar" as seen below:

Jar file location
This jar file consists of a Dex file which is capable of running on the infected mobile device as seen below:
Dex execution.

Below you can see the warning message dislayed by the phone when sending an SMS message which may incur additional charges.

Money warning

This malware is yet another addition to the Android SMS Trojan Family. It scams the user by purchasing subscriptions for porn services, on-demand videos and sending premium rate SMS messages. SMS fraud remains the most common form of monetization that we see with malicious mobile apps and it is almost exclusively a problem on the Android platform. One simple yet effective defense, involves restricting app installation to reputable App stores such as those operated by Google & Amazon.

Research & Analysis by Viral and Shivang.

Tuesday, April 21, 2015

Malvertising, Exploit Kits, ClickFraud & Ransomware: A thriving underground economy

Malvertising involves using malicious online advertisements as a means to serve malware payloads to unsuspecting users. Cybercriminals leverage compromised advertising networks to serve malicious advertisements on legitimate websites which subsequently infect the visitors. This has become one of the most successful vectors of malware delivery for cybercriminals. Malvertising campaigns in most cases will involve a malicious advertisement redirecting the user to an Exploit Kit (EK) landing page.

Exploit Kits
Exploit Kits are web-based frameworks that attempt to exploit browser application plugins for known vulnerabilities. Upon successful exploitation, the EK will silently download and install a malware payload on the victim machine. The entire exploit cycle is completely hidden from the end user.

The Exploit Kit infection cycle typically moves through three distinct stages:

Stage 1 - Loading stage: This stage involves the initial delivery mechanism which causes the user to visit a compromised website or advertisement. This compromised website then leads the user to the actual Exploit Kit landing page which may involve a series of web redirects.

The initial delivery vector can be any of the following:
  • Spam & phishing e-mail
  • Social Networking sites
  • SEO poisoning
  • Compromised website
  • Malvertising on legitimate sites
It is important to note that malvertising is one of the most dangerous and extremely successful initial delivery mechanism here as even the most cautious user is susceptible to this attack while visiting a perfectly legitimate website. In most other cases, a well informed user can avoid the attack by carefully inspecting the link in an e-mail or search results.

Stage 2 - Landing Stage: During this stage, the victim machine visits the actual EK hosting site and the exploit cycle is started. The EK code will attempt to exploit the identified vulnerable plugins by downloading the relevant exploit payloads.

Upon successful exploitation, the EK will lead to the download of the malware payload as configured by the EK operator. The entire exploit cycle may not require any user intervention in most cases, which greatly increases the success rates.

Stage 3 - Malware Payload Delivery: This is the final stage of the Exlpoit Kit infection cycle where the malware executable is downloaded and installed on the victim machine. This is usually achieved, after successful exploitation, by one of the EK payloads that was served during the landing stage.

The EK operators strive to ensure that the EK code, exploit payloads and the end malware payloads have very low to zero antivirus detection. Over the past few years, EK authors have implemented multiple new features to improve the effectiveness & infection success rates:
  • Anti-VM and Anti-Analysis features
  • Detection of known antivirus drivers
  • Multiple levels of highly obfuscated JavaScript code
  • Dynamic construction of exploit payload URLs only when a vulnerable plugin is found
  • Short lived exploit payload URLs often restricted to one visit per IP address
  • Obfuscated and repackaged exploit payloads
  • Repackaged malware payloads
Recent Malvertising & EK campaigns
After last year’s infamous “Kyle & Stan” malvertising campaign that affected Google, Yahoo, YouTube and multiple other popular websites, this year has been no different. We have seen a malvertising campaign leading to a zero day Flash Exploit payload via the Angler EK to start of the year, followed by a Malvertising campaign targeting European Transit users. There have been numerous other instances of Malvertising which involved popular sites like,, and we only expect this trend to continue throughout the year.

Malvertising attempts blocked [Last 7 days]
Users targeted globally by Malvertising [Last 7 days]

Advanced techniques to evade detection
We have also noticed some new techniques being introduced in the Malvertising & EK exploit chain this year to further evade detection by URL reputation & network scanners:
  • 302 cushioning, or a 'cushion attack', is used to redirect victims to malicious sites via simple HTTP 302 redirects rather than traditional techniques like iframes or JavaScript redirects which are easy to detect by network IDS/IPS devices.
  • Domain Shadowing, involves compromising the parent domain and creating multiple sub-domains that point to malicious code.

Please refer to our most recent write-up describing it in more detail.

A typical Malvertising infection cycle would involve following stages:

Malvertising infection cycle

Cybercrime Infrastructure & Business Model

Threat actors involved at different stages of the infection cycles are part of a thriving Cybercrime infrastructure & business model that is all interconnected as seen below:

Cybercrime Infrastructure & Business Model

The top Exploit Kits that we have seen involved in various Malvertising campaigns in 2015 are:
  • Angler
  • Nuclear
  • Magnitude
  • RIG
Angler Exploit Kit
Angler Exploit Kit is one of the most prevalent exploit kits in existence today and has many similarities with other exploit kits. Victims are usually served Angler landing pages via compromised websites where an iframe or script has been injected into the compromised site's page and loads Angler's exploit page. The landing page for Angler is very similar to Nuclear, but instead of displaying totally randomized text for obfuscation, random passages from the novel "Sense and Sensibility" are used. Angler domains at first glance may look like legitimate domains, for example:

Angler EK operators are leveraging domain shadowing technique to shield their landing sites from URL categorization-based detection. Over the past few months, we've seen Angler changing tactics somewhat. In late 2014, the landing page took the form of a 10 character alphanumeric php page, for example: 
This format quickly changed to exclude the php extension, then changed to an entirely new format:
This is another attempt to blend in with normal looking web traffic. Exploit pages and payloads have a similarly consistent format that has not noticeably changed since late 2014:
The majority of the recent Angler EK infections were serving the Bedep AdFraud bot.

Angler EK instances blocked
Angler EK server locations

Nuclear Exploit Kit
Nuclear EK is arguably the most advanced exploit kit currently in use and includes a variety of different exploits. First appearing in 2009, the kit is very actively developed, with new exploits and defenses added incrementally over the years, and it is used to serve any number of payloads, including ransomware, click fraud, and multiple backdoors. Nuclear contains exploits for multiple common software components, including Flash, Internet Explorer, Java and Silverlight. Notably, in March 2015, the kit began including a Flash exploit for CVE-2015-0336 only a week after a patch was released by Adobe. Similar to Angler EK, Nuclear uses compromised webservers to serve exploits via 302-cushioning and domain shadowing, but free subdomain and dynamic DNS providers are also heavily used.
Using new subdomains of compromised sites enables Nuclear to evade older, domain-based blocking and allows for rapid rotation or one-time use of subdomains to hinder analysis by security researchers. In addition, before actually serving the exploit kit's landing page, potential victims are sent through an intermediary hop via 302-redirection; the victim is either 302-redirected to the landing page if this is a new victim, or sent to the desired non-malicious page.

Another interesting feature of Nuclear is that various fields are Base64-encoded and passed to the malicious domain:
--base64 decoded--
Similar to Angler, the landing page contains sections of highly obfuscated JavaScript in between chunks of text; however, unlike Angler, Nuclear uses totally randomized text, which makes landing pages more difficult to detect using traditional signatures.
<textarea id='DjwvKE' title='riaXWWvroLTqxkFhlrC' name='MTdak' cols='84' rows='7'>cbkKKLhgidYWpsNmcSUOJXFDrjdbvBIScsdmDKTlorIdjVQMnlaxJgAAPecLfkdIdGvgRPSFGbjqwACkmcivIjwYOYjuJNCmUySlNlrUMbKJbMuNpcJyMFWadGUnTXZnVsYjdQDqrOATbuhQXqPjvlJZseMLBmyXeXGInJyfYyzztgPQWeASQJsInFUprSMVqSddccJAbIzUoPlLuleLvWUjboYSHloxDRbgukhVthqixbtrNYDIuXsWMQpTBdQFvsmpcTLVBCDyexqrVtAQRsndJcxLGORBGDriXDEYFIXkGNbcG</textarea>
<h2>QMx sKWhYGWu eZJGyZ aFnKgWwC xfgcc KmTs rOETlec oBWPHKZ yVrHkWnM AXkEQvfe oPeaHHcdWk kYVRPcClQO GmV gQl</h2>
<h4>fQgQqXM gvllOkaC HknmN qvPFFFKKja TRNMxyHikW JYAb QOWuNSKTX mhzDYzV</h4>
The majority of the recent Nuclear EK infections were serving Teslacrypt Ransomware.

Nuclear EK instances blocked
Nuclear EK server locations

Magnitude Exploit Kit
Magnitude EK, like Angler and Nuclear, is heavily reliant on landing page javascript obfuscation as a means of both exploiting the victim’s system and hindering detection. First documented in October 2013, the kit targets users with outdated Browser application plugins and CVE-2015-0336 was recently included in the kit’s arsenal of exploits. This exploit kit has historically leveraged malvertising for distribution rather than compromising individual websites. ThreatLabZ has observed numerous ad networks being used as intermediaries, including one campaign which saw Yahoo! ads redirecting victims to Magnitude landing pages.

A Magnitude landing page is easy to spot at a glance since they typically have an unusually large number of subdomains, as seen in the examples below.
The payload page for these threats is the same hostname and domain followed by a 32-40 character hexadecimal string. The final payload is ransomware called CryptoWall 3.0, which encrypts the victim’s files. CryptoWall displays a message demanding payment for decrypting the files; this ransom increases depending on how long the victim waits. This is done to give the victim less time to find an alternative solution and to get the maximum amount of money from the victim. 

Magnitude EK instances blocked
Magnitude EK server locations

RIG Exploit Kit
The RIG EK has been a relative newcomer to the exploit kit ecosystem. Since its debut in early 2014, it has been a prevalent threat to web-surfers. The developers have been very active in updating it with the latest features common to other exploit kits, and is currently making heavy use of domain shadowing. One major difference between RIG and others seems to be the modularity of the kit itself. RIG doesn't contain any exploits directly, but relies on a backend service for providing exploits. This is evidenced by the source code that was supposedly leaked by a RIG developer in February 2015. The leak seems to have been the result of internal squabbles between the developers, with the leak intended as a final blow to the development team. Customer posts on underground forums complained that their RIG deployments would occasionally be hijacked to deliver malware payloads that they did not designate for use. These issues point to a rogue developer in the RIG team, and the availability of the source will surely result in the emergence of derivative exploit kits.

Though RIG has made news by being injected into some major sites such as and, it appears that RIG is most frequently encountered via a combination of Malvertising and search poisoning. We commonly see redirectors that match the following two patterns:
There’s a two stage landing page that follows the redirectors, with the landing pages hosted on a variety of domain-shadowed hostnames:
An example of the redirector and two-stage landing page:

Two-stage landing page

Analysis of the URI paths on the landing pages shows that there are a few distinct parts. In the example above, the path “?xXmNd7GfKB7KA4M=l3SKfPrfJxzFGMSUb-nJDa9GPkXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFT_zR3AaQ4ilotXQB5MrPzwnEqWwxWeioWA_0TfZl4W-5rBHbU6iw6gyLRGJMlzk0TQu2gCz-kaUEgbrA” features two distinct components separated by an equal sign (“=”). The first part (“xXmNd7GfKB7KA4M”) appears to be a unique client identifier while the much longer second part appears to be related to the overall campaign, with the same characters starting the string. A selection of campaign strings follow:

RIG EK instances blocked

RIG EK server locations

Malware Payload: ClickFraud & Ransomware

Exploit kits can serve a variety of different payloads, from Backdoors and Ransomware, to generic Downloaders. We’ve noted that the ultimate goal of many exploit kits is to monetize the infected system as much as possible, most commonly via Adfraud/ClickFraud. To support this goal, a very common payload for exploit kits is the Trojan Bedep, which can download additional malware and is used to perpetrate advertising fraud. In order to evade detection, Bedep is usually downloaded in an encrypted form and decrypted in memory as part of the infection process. Once decrypted, Bedep uses a domain generation algorithm (DGA) to communicate with its command and control servers. This communication is over normal HTTP, but messages are encrypted and then Base64 encoded, making analysis and detection more difficult.

When used for advertising fraud, Bedep creates a hidden desktop (a desktop instance not visible to the end user), shown below, that is not normally accessible in Windows, then begins displaying loading web pages and advertisements to commit advertising fraud.

Bedep Adfraud traffic & hidden desktop used to display Ads

Multiple windows are created to display ads (shown below) and in practice, this heavily impacts the performance of the infected system.

Bedep displaying multiple Ads on hidden desktop

Pages are quickly cycled to make as much money from the Ads as possible. In general, Bedep’s Adfraud traffic takes the form of ‘/r.php?key=’ or ‘/ads.php?sid=’ followed by a 32-character alphanumeric string, for example:
Another popular payload for exploit kits is ransomware, such as CryptoLocker and CryptoWall. This type of ransomware encrypts files on an infected system, and then demands payment to decrypt the files. CryptoLocker was first discovered in 2013 and quickly became popular due to the use of asymmetric encryption to hold user’s files for ransom, which is expected to be paid in Bitcoins. Additionally, recent samples contact a command and control infrastructure hosted on TOR hidden servers via TOR proxy gateways, such as ThreatLabZ recently analyzed a sample of CryptoWall 3.0, a derivative clone of CryptoLocker, and found the binaries were hosted with a “.jpg” extension to avoid raising suspicion. Some of the other features of this CryptoWall sample include:
  • Decryption service hosted on TOR
  • CAPTCHA on decryption service
  • High ransom amount (700 USD, increasing to over 1400 USD)
  • Multiple payment options accepted besides Bitcoin
Ransomware is an attractive payload for criminals since many individuals and companies with no or incomplete data backups are likely to pay the ransom to recover sensitive files. Since the victim’s files are already encrypted, there is little to fear from traditional anti-virus signatures or blocking command and control traffic. Finally, even if someone pays the ransom, there is no guarantee that any files will be decrypted.

Multi-tasking example from a recent infection
A recent development we’ve observed is using Bedep to install ransomware as well as committing advertising fraud. In the observed sample, Angler EK first installed Bedep on the compromised system, which immediately downloaded a piece of ransomware called “Threat Finder v2.4.” Like other popular ransomware, Threat Finder displays a “HELP_DECRYPT” message which instructs users to send 300 USD of Bitcoins to a Bitcoin wallet in order to decrypt files. The screenshot below shows both the Threat Finder ransom window and advertising fraud sessions captured by Fiddler. Installing both ransomware and committing advertising fraud potentially generates even more money for the perpetrators.

Threat Finder v2.4, Bedep, dual infection

Trust us, we'll decrypt your files.... but only if you pay!

Malvertising campaigns have seen a significant uptick in 2015 and continue to be the most lucrative initial delivery mechanism for Exploit Kits. The fact that the legitimate websites becoming target of these campaigns have very little to no control for preventing such attacks makes this a very dangerous vector and a popular choice for cybercriminals.

The users should ensure that all the Browser application plugins are always patched with latest updates and disable the plugins that are not used. We also highly recommend using click-to-play feature available in many browser for Java & Flash plugins.

Analysis by: Deepen Desai, John Mancuso, Ed Miles, Chris Mannon