Wednesday, July 29, 2015

Anatomy of a Scamware Network - MultiPlug

While examining our cloud sandbox data recently, we uncovered a large MultiPlug network that caught our attention due to its pattern of code signing certificate use and the breadth of its hosting infrastructure.

Overview of the Scamware Hosting Network (Node Legend -- Red: Host, Pink: Domain, Green: File-MD5)

As we discussed in June, MultiPlug is a common scamware family that tricks users into downloading/installing an initial binary, which then delivers a variety of additional spyware packages. Search poisoning is used to bait users into installing the scamware, with the lures including cracked and legitimate software, pirated music and movies, as well as other documents and files that a user might be seeking.

This installer pretends to help speed up your downloads

After taking the bait and executing the file, the user is presented with one of several typical-looking installer dialogs that promise to deliver what the user was originally searching for. Whether the user realizes the mistake or not, the “installer” will proceed to fetch multiple encrypted payloads from a remote webserver. The installation of the payloads continues even if the user clicks the various “Decline”, “Cancel”, or “Exit” buttons. Throughout the process, the scamware also gathers system information and sends it to remote webservers.

Data sent to remote servers via HTTP POST

Several typical components of the scamware include a payload called ‘compfix’ that is installed as a system service to be run at boot time, as well as a payload called ‘SystemStrengthener’.

'compfix' installed as a service

Besides the benevolent-sounding payloads mentioned above, the scamware makes a few changes to the user’s browser configuration. If Chrome is installed, two DLLs are dropped into the Chrome installation directory that appear to be modified and slightly outdated versions of ‘chrome.dll’. Chrome and Internet Explorer also receive browser extensions that spy on user behavior and serve ads. As a bonus, the IE add-ons are marked so that they cannot be uninstalled without Administrator approval.

Modified Chrome DLLs with invalid certs

User is prevented from disabling scamware addons

New Chrome addons installed without notice

Apart from some additional obfuscation layers compared to previous versions, the technical aspects of this malware are fairly standard. However, the breadth of the hosting network and the pattern of code signing certificates used made this an interesting campaign. We uncovered 33 unique certificates, all issued from the same Certificate Authority: Certum / Unizeto Technologies. (Note: we also identified other adware campaigns utilizing Certum certificates, though they appeared to be unrelated.)

Unizeto Technologies / CERTUM issued certificates (Node Legend -- Yellow: Issuer, Blue: Signer)

These 33 certificates were used to sign 2,783 pieces of scamware that were hosted on 447 unique hosts (323 unique domains). While it's normal for adware campaigns that utilize code signing to rotate through their certificates as they are blocked by AV and security companies, the volume of unique signing certificates in use signals that something is different here. Additionally, the data in the signatures indicates that all of the certificates are owned by individual persons with free email accounts. This hinders naive blacklisting as well as attribution, since there is no clear way to link the campaign to a specific organization.

Overview of the Scamware Network (Node Legend -- Yellow: Issuer, Blue: Signer, Red: Host, Pink: Domain, Green: File-MD5)
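The pivoting described above (Signer to File-MD5 to Host/Domain) can be reproduced on sandbox records with a small graph routine. This is an added example, not code from the original post; every record, signer name, digest, host and domain in it is a constructed placeholder, and the rule that two signers belong to one campaign when a host serves files signed by both is an analyst heuristic, not a claim about the real data.

```python
"""Pivot code-signing certificates across hosting infrastructure.

Added example (not code from the original post): it builds the same
Signer -> File-MD5 -> Host/Domain relationships as the node graph above
and merges signers into one campaign whenever their signed files share a
host. All records, names and addresses below are constructed placeholders.
"""
from collections import defaultdict

# Constructed sample records: (file_md5, signer, issuer, host, domain).
# "md5-..." strings stand in for real digests; hosts use documentation ranges.
SAMPLE_RECORDS = [
    ("md5-0001", "Signer One",   "Constructed CA A", "198.51.100.10", "dl-a.example"),
    ("md5-0002", "Signer One",   "Constructed CA A", "198.51.100.11", "dl-b.example"),
    ("md5-0003", "Signer Two",   "Constructed CA A", "198.51.100.11", "dl-b.example"),
    ("md5-0004", "Signer Two",   "Constructed CA A", "198.51.100.12", "dl-c.example"),
    ("md5-0005", "Signer Three", "Constructed CA A", "203.0.113.5",   "dl-d.example"),
    ("md5-0006", "Signer Four",  "Constructed CA B", "203.0.113.9",   "other.example"),
]


def build_graph(records):
    """Return per-signer sets of files/hosts/domains/issuers and a host->signers map."""
    signer = defaultdict(lambda: {"files": set(), "hosts": set(),
                                  "domains": set(), "issuers": set()})
    host_signers = defaultdict(set)
    for md5, name, issuer, host, domain in records:
        signer[name]["files"].add(md5)
        signer[name]["hosts"].add(host)
        signer[name]["domains"].add(domain)
        signer[name]["issuers"].add(issuer)
        host_signers[host].add(name)
    return signer, host_signers


def cluster_signers(records):
    """Union-find over signers: two signers join one cluster when any host
    serves files signed by both (the Signer -> File -> Host pivot)."""
    signer, host_signers = build_graph(records)
    parent = {name: name for name in signer}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for names in host_signers.values():
        names = sorted(names)
        for other in names[1:]:
            parent[find(other)] = find(names[0])
    clusters = defaultdict(set)
    for name in signer:
        clusters[find(name)].add(name)
    return sorted(sorted(c) for c in clusters.values())


def campaign_summary(records, cluster):
    """Aggregate the figures the post reports for one cluster:
    unique certificates, signed files, hosts, domains and issuing CAs."""
    signer, _ = build_graph(records)
    files, hosts, domains, issuers = set(), set(), set(), set()
    for name in cluster:
        files |= signer[name]["files"]
        hosts |= signer[name]["hosts"]
        domains |= signer[name]["domains"]
        issuers |= signer[name]["issuers"]
    return {"signers": len(cluster), "files": len(files), "hosts": len(hosts),
            "domains": len(domains), "issuers": sorted(issuers)}


if __name__ == "__main__":
    for cluster in cluster_signers(SAMPLE_RECORDS):
        print(cluster, campaign_summary(SAMPLE_RECORDS, cluster))
```

Because the signers are individuals with free email accounts, the host overlap is what ties the certificates together; blocking one certificate at a time leaves the cluster intact.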

Given the nature of this MultiPlug campaign, it is easy to hypothesize that the organization behind it has more malicious intent than the usual adware/scamware operators. That said, it could just be a matter of the organization trying to maximize their ROI on the large infrastructure they operate. Regardless of their intentions, enterprises should be wary of even the most innocuous-looking adware, given its ability to perform system and network reconnaissance, achieve persistence on infected hosts, deliver arbitrary payloads, and take control of the system, its applications, and its data.

Monday, July 13, 2015

Adobe Flash Vulnerability CVE-2015-5119 analysis

With the leak of Hacking Team's data, the security industry came to learn about multiple new 0day vulnerabilities targeting Flash, Internet Explorer, Android, etc. As always, exploit kit authors were quick to incorporate these 0day exploits into their arsenal.

In this blog, we will be looking at the CVE-2015-5119 exploit payload that we have now seen in the wild. The sample has multiple layers of obfuscation and packer routines. The malicious Flash payload is packed, XOR'ed and stored as binary data inside a parent Flash file, which dynamically unpacks the malicious Flash file and writes it to memory at run time.

Here is the structure of the CVE-2015-5119 exploit payload:

Packages, properties and method names are stored in variables for obfuscation:

Here we observe the calling of the unpack routine to decrypt the embedded SWF exploit payload:

An XOR key is used for unpacking and is hardcoded and assigned to the variable vari_10. This is what the unpacked content looks like:

Upon decompilation, it is apparent that the majority of the codebase, including variable and function names, is the same as what we saw in the source leaked from Hacking Team. The public exploit also has checks for:
  • Presence of a debugger
  • Operating System bitness (32-bit or 64-bit)

When program execution starts, the ActionScript looks for the input parameters and, based on them, sets a variable which is then passed to the main exploitation routine, as seen below:

The TryExpl() routine allocates sequential pages of memory and begins the exploit cycle:

The vulnerability lies in the use of the valueOf property to corrupt the vector space: the valueOf property overwrites the length field of the vector object, which is then used to gain access to vtables.

Here is the explicit definition of the valueOf function:

prototype.valueOf() is setting up the length of the ByteArray to 4352

Once the memory allocation is done, a MyClass object is created and assigned to _ba[3]. The valueOf() function sets the length of the ByteArray to 4352, which is greater than the length of the object created, causing reallocation of bytes inside the memory.

If the value of _ba[3] is zero after the assignment, the Use After Free vulnerability has been triggered successfully. The exploit code then looks for the kernel32.VirtualProtect() (VP) function through the corrupted vector space, as seen below:

A call to the VP function is made, which replaces the vtable pointer and sets the PAGE_EXECUTE_READWRITE permission before executing the final payload.

Hashes of CVE-2015-5119 exploit payloads seen in the wild:

Conclusion

It will be a challenge for security vendors to get container file detection in place as, the majority of the time, the embedded content is highly obfuscated with multiple levels of packing. Adobe has already released a patch to fix this issue. We highly recommend enabling Adobe's auto-update feature to keep the relevant plugins updated.
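One container-level check that survives the single-byte XOR layer described in this post is to brute-force the 256 possible keys against the SWF magic values and validate the header that follows. This is an added example, not code from the original post; the container it scans is constructed sample data, and the version bound is an assumed heuristic.

```python
"""Scan a container for SWF headers hidden under a single-byte XOR key.

Added example, not code from the original post. The CVE-2015-5119 sample
stores its exploit SWF XOR'ed inside a parent SWF; this brute-forces the
256 possible single-byte keys against the three SWF magic values and
validates the header that follows. The container built below is constructed
sample data, not the real payload.
"""
import struct

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib, LZMA SWF
MAX_SWF_VERSION = 50                    # assumed heuristic bound for the version byte


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (symmetric)."""
    return bytes(b ^ key for b in data)


def find_xored_swf(blob: bytes):
    """Return sorted (offset, key, magic, version, declared_length) hits.

    A match on the 3-byte magic is kept only when the decoded header is
    plausible: version in 1..MAX_SWF_VERSION and the little-endian length
    field at least the 8-byte header size. Key 0 reports plain embedded SWFs.
    """
    hits = []
    for key in range(256):
        for magic in SWF_MAGICS:
            needle = xor_bytes(magic, key)
            pos = blob.find(needle)
            while pos != -1:
                header = xor_bytes(blob[pos:pos + 8], key)
                if len(header) == 8:
                    version = header[3]
                    length = struct.unpack("<I", header[4:8])[0]
                    if 1 <= version <= MAX_SWF_VERSION and length >= 8:
                        hits.append((pos, key, magic, version, length))
                pos = blob.find(needle, pos + 1)
    return sorted(hits)


def extract_swf(blob: bytes, hit) -> bytes:
    """Decode the embedded SWF for one hit (truncated if the blob is shorter)."""
    pos, key, _magic, _version, length = hit
    return xor_bytes(blob[pos:pos + length], key)


def build_sample_container(key: int = 0x5A) -> bytes:
    """Constructed sample: filler bytes, then an XOR'ed FWS payload, then a trailer."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 12
    inner = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + body
    return b"CONTAINER-PADDING-BYTES" + b"\xff" * 16 + xor_bytes(inner, key) + b"TRAILER"


if __name__ == "__main__":
    sample = build_sample_container()
    for hit in find_xored_swf(sample):
        print(hit, extract_swf(sample, hit)[:8].hex())
```

The decoded SWF still has to be decompressed and decompiled before the valueOf logic is visible, so this only finds the container layer; multi-byte keys need a longer known-plaintext window.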


Wednesday, July 8, 2015

Hacking Team leak, Flash 0day, exploit payloads and more

[Update - July 13, 2015]

In addition to the Flash 0day exploit that we reported earlier [CVE-2015-5119], two new Flash 0day exploits were found in the Hacking Team's leaked data and these flaws are not yet patched:
• CVE-2015-5122: valueOf use-after-free vulnerability during the assignment to a freed TextBox
  Two in-the-wild samples reported here
• CVE-2015-5123: valueOf use-after-free vulnerability during the assignment to a freed Bitmap
Adobe acknowledged these issues over the weekend and is working on a patch. Meanwhile, ThreatLabZ has deployed additional coverage for these new exploits to protect Zscaler customers. We are continuously monitoring for new in-the-wild exploit payloads for these flaws.

Data breaches have become a common and painful reality. Major enterprises, including retailers and financial institutions, have been affected in the past few years. Even cyber criminals are not spared from breaches, with various malware code leaks, the most recent being that of the KINS 2.0 Banking Trojan family.

Earlier this week, we saw a large stolen information archive (400 GB) being published that belonged to the notorious Italian hackers-for-hire firm Hacking Team. Hacking Team has been known to sell offensive surveillance technology to government agencies worldwide. The archive contains e-mails, invoices, and, more importantly, exploits and malware source code. An individual who goes by the handle PhineasFisher has taken credit for the attack, and if that name sounds familiar it is because he has done similar work before, having hacked and leaked data from Gamma International last year. His motivation for that breach was apparently similar, as he accused the firm of selling surveillance tools to repressive regimes. While our assessment is far from over, in this blog we will provide a quick rundown of what we have seen in the archive related to exploits and malware thus far, and we will continue to update as we discover more details.

Exploits, Remote Control System, and more

• Flash 0-day exploit with Proof-Of-Concept (POC) [CVE-2015-5119] - Confirmed 0day for the latest version of Adobe Flash Player, running on Windows XP and Windows 7. The exploit did not succeed on Windows 8.1. We also saw support for targeting OS X. This is a use-after-free vulnerability in Adobe Flash Player's built-in ByteArray class that can lead to a crash or remote code execution.
  Affected applications:
  1. The majority of the popular browsers, including Chrome, Firefox, Internet Explorer and Safari, with Flash Player installed are vulnerable to this issue.
  2. Microsoft Office 2007/2010/2013 - where the attack scenario involves an Office document with the malicious SWF file embedded in it. The document may arrive via e-mail or as a drive-by download on the target system.
  Adobe released a patch today to address this vulnerability.
• Microsoft Windows kernel code injection vulnerability exploit that can be leveraged to perform privilege escalation on the target system to bypass various security mechanisms.
• Support for iOS devices - They are leveraging the popular iOS jailbreak application Cydia to further install malicious payloads on the target device.
• Support for Android devices - There is a separate module for Android OS (Android WebKit) that is leveraging a probable 0day exploit [we are still working on confirming this] in the Android browser and running various known root-access exploits like exynos, gingerbreak, levitator, etc. to root the target devices and further install malicious payloads.
• Support for Windows Phone and BlackBerry devices - We also saw source code for supposed exploits that target Windows Phone 8 as well as BlackBerry devices.
• MacOS rooting exploit to enable online and offline installation of untrusted applications.
• A Remote Control System (RCS) Dropper module that is capable of creating both mobile and computer system payloads for Windows and Macintosh.
• A multi-stage Java exploit module that contains a weaponized version as well as a two-stage version with features to bypass Microsoft Security Essentials and an example Trojanized Putty.exe payload.
• Multiple driver files that may contain rootkit functionality to hide the malicious process and evade detection.
• Source code of the core Remote Control System module, where we can see the in-depth list of features it supports:
  1.) Monitoring modules for instant messengers, web browsers, PC cameras and microphones, etc.
  2.) Monitoring social media activities over Yahoo, Gmail, Twitter, and Facebook
  3.) Hooking Outlook and getting email and contact details
  4.) Relaying infected system information including time, battery status, processor, memory, OS, user, etc.
  5.) Advanced keylogging capabilities
  We also observed support for 64-bit operating system targets.
• There are also multiple anti-VM, anti-sandbox, and anti-AV evasion modules present in the source code archive.
We are still combing through the archive evaluating more exploits and we will continue to publish our findings as they emerge.

Loader configuration server

We saw a hardcoded IP address in the first-stage shellcode payload that is supposedly hosting the configuration file, as seen below:

Hardcoded configuration file location

The shellcode payload is presumably used by the loader for downloading and installing the main RCS component following a successful exploitation attempt. A quick VirusTotal lookup for the IP address reveals a lot of interesting activity in the past two months alone:

VirusTotal report for the Configuration Server
Enterprises would be advised to block the aforementioned IP address if they are concerned that they may have been targeted by any of the Hacking Team tools.

As has been the case in the past after any such leak, we will start seeing the leaked code being incorporated into many future spin-offs as well as into existing malware families as feature upgrades. Exploit kit authors have already incorporated the Flash 0day payload into their exploit arsenal, as noted here.

ThreatLabZ has ensured coverage for the Flash 0day (CVE-2015-5119) and other exploit payloads, ensuring protection for Zscaler customers. We will continue to monitor further developments surrounding this leak.

Research by: Abhay Yadav, Nirmal Singh, Deepen Desai

Monday, July 6, 2015

Fake BatteryBotPro ClickFraud, AdFraud, SMS & Downloader Trojan

[UPDATE #1 - July 8, 2015] We would like to clarify that at the time of our analysis, the app was not present on the Google Play Store. We found references to this fake app being hosted on the Google Play Store during our research, which showed that the app had already been removed from the Google Play Store, as seen below:

Link to Google Play Store for the fake app

[UPDATE #2 - July 9, 2015] The Google Android security team confirmed that the fake application was uploaded to the Google Play Developer Console by the miscreants.

Google Play Developer Console enables developers to easily publish and distribute their applications directly to users of Android-compatible phones

However, as per Google's Android team, the fake app did not make it to the official Google Play Store, as Google's security system flagged the fake app during scanning.

Malware authors tend to follow one of the following two methods for malware development:
1. Create a malware app from scratch.
2. Compromise a legit app by embedding malicious modules into it.
With Android being open source and an Android app being easily reversible, most malware developers tend to stick with the second option.

Spoofed Functionality and Ads:

We came across a malicious app recently that followed this path. This time the spoofed app was a copy of a legit app named BatteryBot Pro. The spoofed app had the package name 'com.polaris.BatteryIndicatorPro' and was removed from the Play Store as soon as Google became aware of its malicious intent.

We also saw a spoofed version of BatteryBot Pro available for free during our research. The actual price of BatteryBotPro on the official Play Store is Rs.179.99. The legit BatteryBotPro app requested only minimal permissions, as shown below:

Legit app permissions

In contrast, the fake app requested many more permissions, raising a red flag, as can be seen in the screenshot below:

Permission requested by Malware

The screenshot below shows a comparison between the actual app and the fake app. The legit app functionality was modified and embedded at a different location within the fake app:

legit app vs fake app

Upon installation, the malicious app demanded administrative access, which clearly shows the malware developer's intent to obtain full control of the victim's device.

Request for Administrator access

Once the permission is granted, the fake app provides the victim with the same functionality found in the original version of BatteryBot Pro, but performs malicious activity in the background.

opening BatteryPro screen

ClickFraud and AdFraud activity

Though the app seems to work normally, in the back-end it tries to load various ad libraries, ultimately delivering a click fraud campaign.

Requests sent in back-end
Some of these URLs were hard-coded in the app and some were sent by the remote server.

Hard-coded URLs in database

The malware tries to collect the following information from the victim's device:
-Memory available in device
-Phone operator
-Phone model
-SIM card availability
The following screenshot shows the data being collected.

Parameters sent to server

Parameters sent to server
On the basis of various parameters and conditions in the server request, the malware starts receiving a list of ads to be displayed, along with the URLs from which to fetch the ads.

Response from server containing ad URL

The malicious app then downloads and installs additional malicious APKs without the user's consent:

Downloaded Apps by malware
Apart from the silent downloads, the malware also displays pop-up ads to the user:

Pop up Ads

This malware was not only built to display ads; it was also designed with more malicious intentions.

Sending SMS messages:

The main Activity screen is identical to the original app, but when the user clicks on "View Battery Use", the malware sends a few requests to its Command & Control server to retrieve short codes. These short codes were premium-rate SMS numbers to which a message was sent, resulting in financial loss to the affected user.

Requests sent to the server can be seen below:

Device info sent in request

Though the content was encoded, we did not have to work hard to determine what was sent, as the malware developer forgot to remove the logs. The server responds with short codes that are used for sending messages. The following screenshot shows a premium SMS response received from the server.

Logs showing server response

Uninstall FAILED:

Apart from displaying ads and sending SMS messages, the malware is also very persistent. Because it runs with administrator privileges, the user cannot delete the app after installation.

Uninstall not possible

"Persistence" Effect:
While in some scenarios we were able to manually delete the app, the malware authors have taken care to ensure persistence. The malware silently installs an app with the package name com.nb.superuser, which runs as a different thread and resides on the device even if the app is forcefully deleted.

This acts as a service and sends requests to hard-coded URLs found in the app. The screenshot below shows the hard-coded URLs.

Hard-coded URLs

The service started by this app continually sends requests to the aforementioned URLs, some of which deliver new APKs.

The malware we saw in this blog was designed with multiple malicious intentions, including ClickFraud, AdFraud, premium-rate SMS fraud and the download and installation of additional malicious APKs.

A few traces of command execution were also seen in the app but were not fully implemented. Perhaps the developer is working on an upgraded version of the malware with proper "command-execution" functionality.

The ThreatLabZ team will continue monitoring new mobile malware threats and ensure protection for Zscaler customers.

Sunday, July 5, 2015

A look at recent Tinba Banking Trojan variant

Tinba is an information-stealing Trojan. Its main purpose is to steal information, which could be browsing data, login credentials, or even banking information. This is achieved through code injection into system processes (Winver.exe and Explorer.exe) and installing hooks into various browsers like Internet Explorer, Chrome, Firefox and Opera.

Tinba has been known to arrive via spammed e-mail attachments and drive-by downloads. Recently, Angler Exploit Kit instances were also found to be serving the Tinba banking Trojan, as seen here.

Detailed Analysis of Tinba

Tinba is packed with a custom packer and uses the well-known anti-debugging technique of calling the WinAPI function “IsDebuggerPresent” to hinder reverse engineering of the binary image. The execution flow of the infection cycle for Tinba is shown below.
Execution flow of Tinba

The image below shows the custom packer code being used by the Tinba sample we were looking at.

Tinba unpacking Routine
The unpacked binary image is shown below; upon execution it performs code injection into system processes like Winver.exe and Explorer.exe.

Unpacked Binary
It generates a mutex name using the root volume information of the victim’s machine, as shown below.

Mutex name generation
Remote Thread in System Process
A remote thread is created inside the Explorer process that is responsible for creating a copy of the Tinba binary in %APPDATA% and an auto-start entry in the registry.

Explorer remote thread
The Tinba binary is stored in a hidden folder which is created under the %APPDATA% directory:

C:\Documents and Settings\username\Application Data\mutexname\bin.exe
It also creates an auto-run registry entry to execute the Tinba binary during every Windows start-up, as shown below:

Auto start registry entry

Another thread is also created in the Explorer process, which is responsible for generating DGA (Domain Generation Algorithm) domains and injecting code into browsers like Internet Explorer, Chrome, Firefox and Opera.

Explorer local thread
Domain Generation Algorithm

The following is the Domain Generation Algorithm (DGA) used by this Tinba variant, where every sample uses a hardcoded domain and seed to generate the DGA domains.

DGA routine

Hardcoded Domain and seed
These DGA domains are fast-flux domains: a single domain is frequently switched between different IPs by rotating the addresses registered in its DNS A records.

Remote Thread in browsers

The Explorer thread searches for browser processes either by checking the path of the browser executable or by looking for a loaded application-specific DLL (e.g. NSS3.dll for firefox.exe). If a targeted browser process is found, a secondary thread is created in that process.

Browser thread
This thread is responsible for getting updated bot configuration details, like the target URL list and strings (BOTUID), from a remote C&C server. If there is no updated list of target URLs from the C&C server, it uses the default target list of URLs stored in the injected code. The list of default target URLs after decryption is shown below.

Default Targeted URL list
The information collected from webmail, social media and banking sites is stored in the "log.dat" file.

Log file path
C&C communication & Cryptography:
The POST request to the C&C server contains encrypted system information like system volume and version information. The cryptography routine is a simple byte 'XOR' with an 8 bit 'ROR' of the key after each write.

Send Data Encryption
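The XOR-with-rotated-key routine above is weak enough that a captured POST body can be decoded from a single known plaintext byte. The codec below is an added example, not the Trojan's code and not from the original post; it assumes a one-byte key rotated right by one bit after each write, which the post does not spell out, and the beacon body it encodes is constructed.

```python
"""Tinba C&C body codec: byte XOR with a rotated key.

Added example, not the Trojan's code and not code from the original post.
Assumptions (labelled, not confirmed by the post): the key is one byte and
is rotated right by one bit after each byte is written. Because the rotated
key repeats every 8 bytes, the scheme is a repeating-key XOR, so a captured
beacon can be decoded from a single known plaintext byte.
"""


def ror8(value: int, bits: int = 1) -> int:
    """Rotate an 8-bit value right by `bits` positions."""
    bits %= 8
    return ((value >> bits) | (value << (8 - bits))) & 0xFF


def tinba_xor_ror(data: bytes, key: int, rotate_by: int = 1) -> bytes:
    """XOR each byte with the current key, then rotate the key (assumed ROR 1).

    The operation is its own inverse: run it again with the same key to decode.
    """
    out = bytearray()
    k = key & 0xFF
    for b in data:
        out.append(b ^ k)
        k = ror8(k, rotate_by)  # key changes after every write
    return bytes(out)


def recover_key(ciphertext: bytes, known_prefix: bytes):
    """Return the initial key if the ciphertext starts with known_prefix
    under this scheme, else None (a defender's decode of a captured POST body)."""
    if not known_prefix or len(ciphertext) < len(known_prefix):
        return None
    candidate = ciphertext[0] ^ known_prefix[0]
    if tinba_xor_ror(ciphertext[: len(known_prefix)], candidate) == known_prefix:
        return candidate
    return None


def brute_force_keys(ciphertext: bytes, must_contain: bytes):
    """Try all 256 initial keys; return those whose decode contains must_contain."""
    return [k for k in range(256) if must_contain in tinba_xor_ror(ciphertext, k)]


# Constructed sample beacon body (not a real Tinba capture).
SAMPLE_PLAINTEXT = b"vol=1234ABCD&ver=6.1.7601&bot=placeholder"
SAMPLE_KEY = 0x93


if __name__ == "__main__":
    ct = tinba_xor_ror(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print(ct.hex())
    print(recover_key(ct, b"vol="), brute_force_keys(ct, b"&ver="))
```

With a 157-byte body like the one in the capture below, the 8-byte key period means every field is covered by the same handful of key bytes, so a detection rule can key on the decoded field names rather than on a fixed ciphertext.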

A sample Tinba POST request to DGA domains with 157 bytes of encrypted data is shown below.

C&C POST Request
Geo distribution of C&C call-back attempts that we blocked in the past month:

Geo Location
We have seen the following C&C server IP addresses:
Tinba, also known as the small banking Trojan, continues to be prevalent in the wild. The arrival method varies from e-mail spam and drive-by downloads to, most recently, the Exploit Kit infection cycle. Zscaler ThreatlabZ is actively monitoring this malware family and ensuring coverage for our customers.