Friday, June 26, 2015

Potentially Painful Programs Promising Pirated Products

A major source of PC compromise is not targeted APT campaigns or exploit kits, but users clicking on things they simply shouldn't. A common practice for adware and spyware writers is to host large numbers of seemingly legitimate files under the names users are searching for. Users know the trusted download locations for common packages like Flash Player or Skype, but when searching for pirated software or media, any link that promises results becomes a trusted source. ThreatLabZ has been monitoring a large campaign involving two well-known adware/spyware packages, OutBrowse and MultiPlug.

ThreatLabZ has observed filenames purporting to be popular software applications, PC games, movies, TV series, car repair guides, etc. being used to trick users into downloading and running spyware packages. Below is a sample list of filenames from this month:
  • Colin McRae Rally 2.0 Full Version - FullRip   Download Low Spec PC Games   RataMap   Download Low End PC Games.exe
  • adobe acrobat 8 standard serial number generator.exe
  • dell bluetooth headset bh200 driver.exe
  • Wii dance revolution.exe
  • Besiege Free Download Game.exe
  • Tropico Reloaded   Free Download PC Game Full Version.exe
  • Minecraft 1.8 Crack Full Free Download.exe
  • Dragon Ball Complete Series Episode1.exe
  • Home.2015.720p._-DL.MaZiKa2daY.CoM.mkv.exe
  • visual studio 2012 crack torrent.exe
  • LEXUS LS 460 user guide provided through pdfretriever.com.exe
Once the package is installed, the user is shown unsolicited advertisements and sees a substantial increase in browser tracking activity. We noticed that the cyber-criminals involved in these campaigns heavily leverage .info TLD domains, as seen in the table below:



Domain                          Adware Family
a.webboxwebs[.]info             MultiPlug Adware
get1.0111design[.]info          Outbrowse Adware
a.positionpublic[.]info         MultiPlug Adware
a.parser-case-croc[.]info       MultiPlug Adware
get.0136g[.]info                Outbrowse Adware
a.linuxcallring-north[.]info    MultiPlug Adware
a.northsinglemultiple[.]info    MultiPlug Adware
get.0136h[.]info                Outbrowse Adware
a.valuevilleville[.]info        MultiPlug Adware
a.cooledon[.]info               MultiPlug Adware
a.beeforcelevel[.]info          MultiPlug Adware
a.stickercenter[.]info          MultiPlug Adware
get.0136i[.]info                Outbrowse Adware
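To turn the lure filenames and the .info hosts above into something a proxy or web gateway can act on, here is an added example (not code from the original post) that triages constructed proxy log lines: it flags executables with pirated-content keywords in the name, media or document extensions doubled with .exe, downloads from the domains in the table, and, as a weaker signal, executables served from any other .info host. The log format and the sample lines are constructed for the example; the domain-to-family mapping is taken from the table.

```python
"""Triage proxy log lines for pirated-content lures and known adware hosts.

Added example, not code from the original post.  Sample log lines are
constructed in the form "<timestamp> <client> <method> <url> <status>".
"""
import re
from urllib.parse import unquote, urlsplit

# Domains from the table above (defanging brackets removed), mapped to family.
ADWARE_HOSTS = {
    "a.webboxwebs.info": "MultiPlug",
    "get1.0111design.info": "OutBrowse",
    "a.positionpublic.info": "MultiPlug",
    "a.parser-case-croc.info": "MultiPlug",
    "get.0136g.info": "OutBrowse",
    "a.linuxcallring-north.info": "MultiPlug",
    "a.northsinglemultiple.info": "MultiPlug",
    "get.0136h.info": "OutBrowse",
    "a.valuevilleville.info": "MultiPlug",
    "a.cooledon.info": "MultiPlug",
    "a.beeforcelevel.info": "MultiPlug",
    "a.stickercenter.info": "MultiPlug",
    "get.0136i.info": "OutBrowse",
}

# Words that recur in the lure filenames listed above.
LURE_WORDS = re.compile(
    r"\b(crack|keygen|serial number generator|free download|full version|"
    r"torrent|fullrip|user guide|driver)\b",
    re.IGNORECASE,
)
# A media or document extension sitting directly in front of the real .exe.
DOUBLE_EXT = re.compile(r"\.(mkv|avi|mp4|pdf|zip|rar|iso|mp3)\.exe$", re.IGNORECASE)


def classify_download(host: str, filename: str) -> list:
    """Return the reasons this download looks like an adware lure (empty if none)."""
    reasons = []
    family = ADWARE_HOSTS.get(host.lower())
    if family:
        reasons.append(f"known {family} host")
    if filename.lower().endswith(".exe"):
        if DOUBLE_EXT.search(filename):
            reasons.append("double extension masquerading as media/document")
        if LURE_WORDS.search(filename):
            reasons.append("pirated-content lure keywords in executable name")
        # Weak signal on its own, but the campaign leans heavily on .info.
        if host.lower().endswith(".info") and not family:
            reasons.append("executable served from .info domain")
    return reasons


def parse_line(line: str):
    """Split one constructed log line into (client, host, decoded filename)."""
    fields = line.split()
    client, url = fields[1], fields[3]
    parts = urlsplit(url)
    filename = unquote(parts.path.rsplit("/", 1)[-1])
    return client, (parts.hostname or ""), filename


def triage(lines):
    """Return (client, host, filename, reasons) for every line that trips a rule."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        client, host, filename = parse_line(line)
        reasons = classify_download(host, filename)
        if reasons:
            hits.append((client, host, filename, reasons))
    return hits


# Constructed sample lines; hosts and filenames echo the post, the traffic is not real.
SAMPLE_LOG = """\
2015-06-26T10:01:02Z 10.1.2.3 GET http://a.webboxwebs.info/dl/Minecraft%201.8%20Crack%20Full%20Free%20Download.exe 200
2015-06-26T10:01:40Z 10.1.2.7 GET http://cdn.example.com/updates/setup.exe 200
2015-06-26T10:02:15Z 10.1.2.9 GET http://get.0136h.info/Home.2015.720p._-DL.MaZiKa2daY.CoM.mkv.exe 200
2015-06-26T10:03:01Z 10.1.2.3 GET http://files.example.org/docs/LEXUS%20LS%20460%20user%20guide.pdf 200
2015-06-26T10:03:44Z 10.1.2.5 GET http://mirror.someblog.info/visual%20studio%202012%20crack%20torrent.exe 200
"""

if __name__ == "__main__":
    for client, host, filename, reasons in triage(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {host} {filename!r}: {'; '.join(reasons)}")
```

The keyword list is a starting point and should be tuned against local download history before it is used to block rather than alert; "driver" and "user guide" in particular will match legitimate downloads, which is why the rules only fire on files that actually end in .exe.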

OutBrowse

The OutBrowse family authors leverage popular TV shows, software applications and trending news to deliver custom payloads that monitor the user's browsing activity. Their business model is to direct users to a pay site that provides various services.


Didn't I just download Tony Hawk Pro Skater2.Crack.CDKEY.exe?
The phone-home communication for OutBrowse also provides excessive information to the advertisers. This data often includes the system's MAC address, IP address, the versions of the different browsers installed, and the machine GUID.


Data Collection from the victim's system.

OutBrowse beacons to several domains to share machine details and send aggressive advertisements. We have been monitoring this activity to the following domains for several months:
  • srv.dmdataserver[.]com
  • static.revenyou[.]com
  • srv.desk-top-app[.]info
Consistent traffic to known Outbrowse beacons

OutBrowse is normally found on the victim's machine by inspecting the user's C:\Documents And Settings\user\Local Settings\Temp\ directory for suspicious files. It is common for OutBrowse to install other bundled software packages as well. Users should check their autostart programs and Browser Helper Object (BHO) entries for suspicious software.

OutBrowse installed MiniGet as a BHO and Context Menu entry in Internet Explorer


MultiPlug

MultiPlug is another adware package installed as part of this campaign. Its purpose is to deliver a custom executable to the victim that leads to additional bundleware. After a successful MultiPlug infection, we noticed applications like LightningDownloader, SeekerFoobar, WeatherBug, and EasyAutoRefresh being dropped on the victim machine.


Silent Installers seen to download additional adware packages.
Once MultiPlug is installed, it starts downloading and installing additional packages in the background while displaying unsolicited advertisements.


A common location-targeted advertisement seen from a package installed by MultiPlug
Highly aggressive advertisements attempting to lead the victim to buying software.

The best way to remediate this infection is to review all installed programs through the Windows Control Panel; odds are good that MultiPlug installed several unwanted software packages. Once this is done, users should review the scheduled task files in the C:\WINDOWS\Tasks\ directory for anomalous entries. Installed Browser Helper Objects should also be checked using applications like HiJackThis or X-rayPC.
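Both BHO registration and Run-key autostarts live in the registry, so they can be reviewed offline from a reg export without installing a third-party tool. The following added example (not from the original post, and not the output of HiJackThis or X-rayPC) parses a .reg export, resolves each Browser Helper Object CLSID to its InprocServer32 DLL, lists Run/RunOnce entries, and flags anything that does not live under Program Files or the Windows directory, which is where a drop in the user's Temp directory would stand out. The sample export, the CLSID and the file paths are constructed placeholders; reg.exe writes UTF-16, so a real export should be opened with encoding="utf-16".

```python
r"""Offline review of Browser Helper Objects and Run keys from a .reg export.

Added example, not from the original post.  It reads the text of exports such as
  reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg
  reg export HKCR\CLSID clsid.reg
  reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
concatenated into one string.  reg.exe writes UTF-16: open(path, encoding="utf-16").
"""
import re

BHO_KEY = "\\Explorer\\Browser Helper Objects\\"
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
GUID = re.compile(r"\{[0-9A-F-]{36}\}", re.IGNORECASE)
TRUSTED_DIRS = ("c:\\program files", "c:\\windows")


def unescape(value: str) -> str:
    """.reg string data escapes backslashes and double quotes with a backslash."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: string_data}} for the string values in an export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (line.startswith('"') or line.startswith("@")):
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else unescape(name.strip('"'))
            # Only REG_SZ values are kept; dword:/hex: data is skipped.
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                keys[current][name] = unescape(data[1:-1])
    return keys


def is_untrusted_path(path: str) -> bool:
    """True unless the file sits under Program Files or the Windows directory."""
    return not path.strip('"').lower().startswith(TRUSTED_DIRS)


def review(text: str) -> list:
    """List (kind, name, path, suspicious) for every BHO and Run/RunOnce entry."""
    keys = parse_reg(text)
    # CLSID\{guid}\InprocServer32's default value is the DLL that implements the BHO.
    clsid_dll = {}
    for key, values in keys.items():
        m = GUID.search(key)
        if m and key.lower().endswith("\\inprocserver32") and "(Default)" in values:
            clsid_dll[m.group(0).upper()] = values["(Default)"]
    findings = []
    for key, values in keys.items():
        if BHO_KEY.lower() in key.lower():
            m = GUID.search(key)
            if m:
                dll = clsid_dll.get(m.group(0).upper(), "<InprocServer32 not in export>")
                findings.append(("BHO", values.get("(Default)", m.group(0)), dll, is_untrusted_path(dll)))
        elif RUN_KEY.search(key):
            for name, command in values.items():
                findings.append(("Run", name, command, is_untrusted_path(command)))
    return findings


# Constructed export: the CLSID, paths and names are placeholders, not real indicators.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="MiniGet"
"NoExplorer"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\miniget.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"LightningDownloader"="\"C:\\Documents and Settings\\user\\Application Data\\LightningDownloader\\ld.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""
'''

if __name__ == "__main__":
    for kind, name, path, suspicious in review(SAMPLE_REG):
        print(f"{'!!' if suspicious else '  '} {kind:3} {name}: {path}")
```

Scheduled tasks in C:\WINDOWS\Tasks\ are files, not registry values, so they are outside what this script sees; a directory listing with timestamps covers that part of the checklist.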

ThreatLabZ has been closely monitoring these campaigns for the past few months and the trend shows no sign of slowing down as seen in the time chart below:


Several sites are phishing users with the promise of illegally obtained content

The bulk of these attacks are hosted in the United States.




Conclusion
The moral of this story is not to trust seemingly legitimate content if you are attempting to obtain it illegally. Users show a distinct lapse in judgment when they believe the desired content is available for free. We recommend not attempting to pirate content and simply paying for the media desired.

Thursday, June 11, 2015

Gamarue dropping Lethic bot

The Gamarue (aka Andromeda) botnet is a highly modular botnet family that allows attackers to take complete control of an infected system and perform a range of malicious activity by downloading additional payloads. In this blog, we will cover a recent Gamarue infection that we looked at, which downloads and installs the Lethic bot on an infected system.

The Lethic botnet has been known to be involved in pharmaceutical and replica spam since its inception, as was detailed by Arbor Networks here. Neither botnet is new, and both have survived takedown attempts by authorities. The Gamarue infection in our case led to the download of the Lethic bot from the following URLs:

Lethic Bot URLs
155[.]133.18.45/nut40a361.exe
155[.]133.18.45/dq40a361.exe
155[.]133.18.45/dqfjr73.exe
155[.]133.18.45/85fjr73.exe
155[.]133.18.45/112fjr73.exe
(MD5: F909BE6B96C10E36F3C5B9E676F49C7E)

During our analysis, we noticed that the Gamarue and Lethic payloads involved in this infection were both packaged using the same custom packer. Below is a comparison of the code snippets from the packer routine:


Quick Analysis of Lethic bot 

Installation
The payload first checks its current running path. If the path does not contain “RECYCLER\S-1-5-21-0243556031-888888379-781862338-1861771”, it creates a new folder named “S-1-5-21-0243556031-888888379-781862338-1861771” under “C:\RECYCLER” and drops a copy of itself there as “gBvhieXlS1.exe”. It also sets the system and hidden attributes on the dropped file.

Creating Path For Dropping File

It then creates a value named “fBvhieXlS1” under the following “Run” and “RunOnce” registry keys:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
RunOnce Key Created

Remote Process Injection

Depending on the system CPU architecture, it utilizes one of these two methods to inject itself into explorer.exe:
  • For a 32-bit CPU architecture, it attempts to get the handle to the existing explorer.exe process and injects a malware module into it. It executes the injected code by calling “CreateRemoteThread” and terminates itself.
  • For a 64-bit CPU architecture, it creates a new explorer.exe process in suspended mode and then injects the malicious code into it. It follows this method if the processor architecture is x64 (AMD or Intel) or Intel Itanium-based. 

The following screenshot shows the instructions that the payload uses to identify the correct path to the explorer.exe file, taking into account both 32-bit and 64-bit versions of the Windows Operating System:

Function to get the path of explorer.exe
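The installation and injection behaviour described above is specific enough to correlate from endpoint telemetry. The following added example (not from the original post) matches Sysmon-style events, constructed here for the example, against three rules taken from the write-up: an executable written into a C:\RECYCLER\S-1-5-21-* folder by a process other than explorer.exe, a Run/RunOnce value whose data points into RECYCLER or a Temp directory, and a remote thread created in explorer.exe from a binary outside the Windows directory. The Sysmon event IDs and field names (11 FileCreate, 13 RegistryEvent value set, 8 CreateRemoteThread) are the real ones; apart from the Lethic folder and file names quoted above, the paths and SIDs in the sample events are placeholders.

```python
"""Correlate Sysmon-style events for the Lethic installation and injection pattern.

Added example, not from the original post.  Events are constructed dicts using the
real Sysmon field names for event 11 (FileCreate: Image, TargetFilename), event 13
(RegistryEvent value set: Image, TargetObject, Details) and event 8
(CreateRemoteThread: SourceImage, TargetImage).
"""
import re
from collections import defaultdict

# An .exe directly under a recycle-bin SID folder, e.g. C:\RECYCLER\S-1-5-21-...\x.exe
RECYCLER_EXE = re.compile(r"^[a-z]:\\recycler\\s-1-5-21-[\d-]+\\[^\\]+\.exe$", re.IGNORECASE)
RUN_VALUE = re.compile(r"\\currentversion\\run(once)?\\[^\\]+$", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)
STAGING_DIRS = ("\\recycler\\", "\\temp\\", "\\local settings\\")


def check_event(event: dict):
    """Return (source_image, rule) when the event matches one of the three rules, else None."""
    eid = event.get("EventID")
    if eid == 11:
        image, target = event["Image"], event["TargetFilename"]
        # explorer.exe legitimately writes into the recycle bin; anything else dropping an .exe there is odd.
        if RECYCLER_EXE.match(target) and not image.lower().endswith("\\explorer.exe"):
            return image, "exe dropped into RECYCLER SID folder"
    elif eid == 13:
        image, key, data = event["Image"], event["TargetObject"], event.get("Details", "")
        if RUN_VALUE.search(key) and any(d in data.lower() for d in STAGING_DIRS):
            return image, "Run/RunOnce value points into a staging directory"
    elif eid == 8:
        src, dst = event["SourceImage"], event["TargetImage"]
        if dst.lower().endswith("\\explorer.exe") and not WINDOWS_DIR.match(src):
            return src, "remote thread into explorer.exe from non-Windows binary"
    return None


def correlate(events) -> dict:
    """Group distinct rule hits by the process image that caused them."""
    hits = defaultdict(set)
    for event in events:
        match = check_event(event)
        if match:
            hits[match[0]].add(match[1])
    return {image: sorted(rules) for image, rules in hits.items()}


def alerts(events, min_rules: int = 2) -> dict:
    """Only processes that tripped at least min_rules distinct rules; one rule alone is noisy."""
    return {image: rules for image, rules in correlate(events).items() if len(rules) >= min_rules}


DROPPER = r"C:\Documents and Settings\user\Local Settings\Temp\dq40a361.exe"
COPY = r"C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1861771\gBvhieXlS1.exe"

# Constructed events: the folder and file names come from the write-up, the rest are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DROPPER, "TargetFilename": COPY},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\fBvhieXlS1",
     "Details": COPY},
    {"EventID": 8, "SourceImage": DROPPER, "TargetImage": r"C:\WINDOWS\explorer.exe"},
    # Benign noise: a vendor installer registering its tray app, and explorer moving a file to the bin.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 11, "Image": r"C:\WINDOWS\explorer.exe",
     "TargetFilename": r"C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1861771\Dc3.exe"},
]

if __name__ == "__main__":
    for image, rules in alerts(SAMPLE_EVENTS).items():
        print(image)
        for rule in rules:
            print("  -", rule)
```

On 64-bit hosts the write-up says the bot starts a fresh explorer.exe in a suspended state and injects into that, so the third rule would not fire there; the equivalent signal is a Sysmon event 1 (process creation) of explorer.exe whose parent is the dropper, which is the obvious next rule to add.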

Network communication

The Lethic bot connects to a predetermined Command and Control (C&C) server at 93.190.137.107 on port 9900. We noticed several connection failures before a successful connection attempt to the C&C server. We believe that this is the malware author's attempt to evade automated analysis systems. Shown below is a snapshot of the network communication:

Command from C&C server

Lethic bot uses the infected machine as an SMTP proxy, as evident in the network communication below:
 
SMTP proxy traffic
Conclusion
The Gamarue and Lethic malware families have both survived takedown attempts and continue to be active in the wild. ThreatLabZ is actively monitoring these two malware families and ensuring coverage for our customers.

Analysis by:  Amandeep Kumar and Nirmal Singh

Thursday, June 4, 2015

Signed CryptoWall 3.0 variant delivered via MediaFire

Introduction

Ransomware has evolved immensely over the past few years, with CryptoLocker being the groundbreaking strain that reaped huge profits for cybercriminals. According to a report in December 2013, the CryptoLocker malware authors collected 27 million USD worth of bitcoins from their victims over a period of 3 months. Looking at the success enjoyed by the CryptoLocker strain, it's not surprising that many copycat variants, including CryptoWall, emerged in the wild starting in late 2013.

CryptoLocker suffered a major setback and the number of infections were reduced to nearly zero post Operation Tovar. This gave way to a worthy successor in CryptoWall, which has since evolved into one of the nastiest and most successful strains of Ransomware in the wild today.

The following are some of the notable features responsible for the success enjoyed by CryptoLocker and CryptoWall variants:
  • Asymmetric (public-key) encryption to encrypt user documents, making recovery without the attacker's private key infeasible
  • Holding user files hostage with a timer that increases the ransom amount over time
  • Ransom collected in bitcoins or as pre-paid cash vouchers
  • Usage of anonymizing networks like Tor & i2p

Recent 'crypt4' campaign - CryptoWall 3.0

CryptoWall has been known to arrive via spammed e-mail attachments, exploit kits and drive-by downloads. Recently, we started seeing a new campaign involving multiple signed CryptoWall 3.0 samples in our Cloud Sandboxes being downloaded from a popular file hosting service, MediaFire.

A quick Open Source Intelligence (OSINT) search led us to this e-mail campaign, where the attachment contains a Microsoft Compiled HTML Help (CHM) file that leads to the download and execution of the latest CryptoWall 3.0 variant hosted on MediaFire. The CHM file downloads and executes the CryptoWall executable from a hardcoded MediaFire location, as seen in the screenshot below:

Malicious CHM file - Extracted HTML code

Some of the file names we have seen in this campaign:
  • IPv6_updater.exe
  • IPv4_updater.exe
  • flashplayer17_ga_install.exe
Analysis of the new variant

The CryptoWall 3.0 payloads that we saw getting downloaded as part of this campaign were all signed by a valid certificate belonging to MDG Advertising as seen in the screenshot below:

Valid MDG Advertising certificate used to sign CryptoWall 3.0

The malware performs following file system changes to ensure persistence:
  • Dropped files
%USER%\APPDATA\7cc6cc79.exe [random alphanumeric name]
%USER%\Start Menu\Programs\Startup\7ddfa86e.exe [random alphanumeric name]
  • Registry entry
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run dd574bd = "%USER%\APPDATA\7cc6cc79.exe"
It also deletes the original copy of itself.

The malware then attempts to connect to the Command & Control (C&C) server to report the infection via a POST request as seen below:

C&C communication - Register infection

It uses RC4 encryption for the data being sent in the POST request. The original data is of the format
{1|crypt4|UniqueMD5Hash|2|1|2|PublicIP}
- "crypt4" string represents the Campaign ID
- "UniqueMD5Hash" is calculated from Computer Name, Volume Serial Number, Processor & OS information
The RC4 key is generated by doing a simple alpha-numeric sort on a string stored inside the binary as seen in the screenshot below. The unsorted RC4 key is also sent as part of the POST request.

RC4 Key encrypted POST request to C&C server

The malware then performs another POST request and in response receives the RC4-encrypted Tor domain and the public key to use for encrypting the victim's files. The Tor domain is used for the decryption instructions. The screenshots below show the original communication and the decrypted response:

C&C communication - Requesting Public Key

C&C communication - Decrypted response with public key
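Because the sample sends its unsorted key string in the same POST, anyone holding a packet capture can recover the beacon. The following added example (not from the original post, and not CryptoWall's own code) implements RC4, derives the key by sorting the string, builds and parses the {1|crypt4|...} beacon described above, and decrypts a captured body given the unsorted key; the same routine decrypts the second response that carries the Tor domain and public key. Assumptions not stated in the post: the sort is by byte value, the body is hex-encoded on the wire, the victim-ID fields are concatenated in the order listed above, and the key string, IP address and hash in the sample are placeholders.

```python
"""RC4 helper for the CryptoWall 3.0 beacon format described above.

Added example, not from the original post and not CryptoWall's own code.
Assumptions: key string sorted by byte value, hex-encoded body, victim-ID
fields concatenated in the order the post lists them.
"""
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(unsorted_key: str) -> bytes:
    """The RC4 key is the key string from the binary sorted alphanumerically (assumed: by byte value)."""
    return "".join(sorted(unsorted_key)).encode()


def victim_id(computer_name: str, volume_serial: str, cpu_info: str, os_info: str) -> str:
    """MD5 over the fields the post lists; their concatenation format is an assumption."""
    raw = f"{computer_name}{volume_serial}{cpu_info}{os_info}".encode()
    return hashlib.md5(raw).hexdigest().upper()


def build_beacon(campaign: str, uid: str, public_ip: str) -> str:
    """Plaintext of the first POST: {1|<campaign>|<md5>|2|1|2|<public ip>}."""
    return f"{{1|{campaign}|{uid}|2|1|2|{public_ip}}}"


def parse_beacon(plaintext: str) -> dict:
    fields = plaintext.strip("{}").split("|")
    return {"campaign": fields[1], "uid": fields[2], "public_ip": fields[-1]}


def encrypt_body(unsorted_key: str, plaintext: str) -> str:
    return rc4(derive_key(unsorted_key), plaintext.encode()).hex()


def decrypt_body(unsorted_key: str, hex_body: str) -> str:
    """Given the unsorted key the sample sent alongside the body, recover the plaintext."""
    return rc4(derive_key(unsorted_key), bytes.fromhex(hex_body)).decode("latin-1")


if __name__ == "__main__":
    # Constructed values: not a real key, host or victim.
    key = "z8a3Kq1m"
    uid = victim_id("WORKSTATION-01", "A1B2C3D4", "Intel64 Family 6", "Windows 7 SP1")
    beacon = build_beacon("crypt4", uid, "203.0.113.7")
    wire = encrypt_body(key, beacon)
    print("sorted key:", derive_key(key).decode())
    print("on the wire:", wire)
    print("recovered:", parse_beacon(decrypt_body(key, wire)))
```

The RC4 implementation is checked against the published test vector (key "Key", plaintext "Plaintext" gives BBF316E8D940AF0AD3), so any mismatch when decrypting a real capture points at the key derivation or the body encoding rather than the cipher.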

Upon successful encryption of the files on the victim machine using the public key, it reports the number of files that were encrypted back to the C&C server. The information collected by the C&C server is leveraged to present a more personalized decryption instruction page that includes the user's operating system, public IP address, and the number of files encrypted, as seen below.

Personalized ransom payment page
The ransom amount requested in our case was $500 USD and to prove authenticity, the malware authors also offer the victim a "Decrypt 1 file for FREE" option, which is limited to a 512 kilobyte file.

Below is the geo distribution of the CryptoWall C&C servers we observed in the past week:

CryptoWall C&C servers

CryptoWall C&C country distribution

Compromised WordPress sites used for C&C communication

We are also seeing an increase in the number of compromised WordPress sites being used for CryptoWall C&C communication. Below are some of the locations where the malicious scripts are being hosted on these servers:
  • /wp-content/plugins/revslider/temp/update_extract/
  • /wp-content/uploads/wpallimport/uploads/
  • /wp-content/themes/pptitan/
You can get the full list of the compromised WordPress sites that we have observed in the past week here.

Conclusion

CryptoWall remains a potent threat to enterprises and individual users alike. Traditional AntiVirus applications continue to struggle against this nasty strain of ransomware, as once the infection is successful, there is very little AV vendors can do, even by adding signatures reactively. A hybrid and multi-layered security approach is required to counter this threat.

Taking regular backups remains the most effective countermeasure against ransomware, provided the backups are kept where the infected machine cannot write to them; any writable location the malware can reach will be encrypted along with everything else.

Deepen Desai & Avinash Kumar

Monday, June 1, 2015

More Porn clicker malware masquerading as Dubsmash on Google Play store

Introduction

Dubsmash is a mobile app to create short "selfie" videos dubbed with famous sounds. It is extremely popular and is currently ranked #10 under Top free Android apps. The users of this app include many well known celebrities who eventually post the dubbed videos on popular social networking platforms like Facebook and Twitter.

The popularity of this app has caught the attention of the malware authors too, which is evident with a string of Trojan Porn Clicker apps disguised as Dubsmash posted on the Google Play Store in the past month (covered in ESET and AVAST blogs). The malicious apps mentioned in those blogs were quickly taken down by Google. However, we continue to see newer variants of the same malware family being uploaded to the Google Play store with the latest one posing as Dubsmash V3.

Google Play - Trojan Porn Clicker app
Although the malicious app poses as Dubsmash, the icon that the user sees upon installation imitates Settings, Memory Game, or a Flappy Bird app. The newest iteration of this malicious app has already been downloaded nearly 5,000 times.

Fake App Icon
The malware automatically removes the icon once the user quits the application for the first time; however, it continues to run in the background, as seen below.
Porn Clicker Process

Porn Clicker analysis

The purpose of this malware is to generate revenue for the malware author by generating clicks on adult porn websites. While it may be good news that the user's credentials and sensitive information are not being stolen, it can still lead to financial loss for the end user through increased mobile data usage.

The Porn Clicker variants described in the previous blogs involved hardcoded, encrypted porn URLs in the malicious APK, whereas we are now seeing the newer variant dynamically retrieving the porn URLs from a remote server.

Clicking activity
The malicious app in our case contained two hardcoded URLs shown in the screenshot below:
Porn Clicker remote servers
Preconfigured URLs:
  • memr[.]oxti.org/g/getasite/  - The malicious app will get a new porn URL to visit from this location.
  • memr[.]oxti.org/z/z2/ - This location currently serves JavaScript code that will result in a random click on the porn site that gets visited by the app.
The screenshots below show the porn URLs that are dynamically retrieved by the malicious app from the first location.
Porn URL1

Porn URL2

Porn URL3
JavaScript leveraged by the malicious app from a remote location to perform click fraud is shown in the screenshot below.

JavaScript - Random Click
It appears that the malware author keeps uploading and removing the same app on the Google Play store under different accounts. During the course of this write up, we saw the following two variations:

  • Dubsmash V3 [Package name: com.memr.gamess] - has been removed
  • Dubsmash 2    [Package name: com.jet.dubsh] - still active


Conclusion

The first variant of the Porn Clicker app masquerading as Dubsmash was reported in April 2015, and it is concerning to see newer variants of the same malware slipping through Google's app vetting process even today. The malware authors are still using Dubsmash as a disguise to trick end users into downloading the malicious app.

It is highly recommended that users check the reviews and ratings of apps, even when downloading them from the official Google Play store. If you are infected with such an app, you can delete it by going to Settings > Apps > (AppName).

Write-up by: Viral Gandhi & Deepen Desai