I received a new spam mail quite recently stating that I can claim a tax refund. What caught my attention is that it says I have a tax refund from US even if in actuality I have never worked nor paid taxes in the US.
Here is a screenshot of the spam mail.
This mail has an archived file attached “Refund-Form-ID_0842893.zip” claiming to be a form in which I need to complete and submit for issuance of the said tax refund.
Inside the zip file is a malicious executable file named “Tax_76483691535948579.elc.exe” and is detected by ThreatTrack’s Vipre as Trojan.Win32.Zbot.qu (v) (but most commonly known as Andromeda by some).
This malware is closely related or should I say an updated version of the malware spam previously analyzed by my colleague in http://www.antimalwarelab.com/2014/05/spam-mail-from-fake-fedex.html.
ANTI-DEBUGGING
It checks for process names to avoid by hashing each running process name with ntdll.RtlComputeCrc32 and comparing the result against a table of CRC32 hashes embedded in its body. The previous version of this malware compared the hashes directly; this version loops over a zero-terminated table and checks each hash value listed in it.
seg000:000011E8 call CreateToolhelp32Snapshot
…
…
seg000:0000120B call Process32First
…
…
seg000:0000121A _checkNextProc: ; CODE XREF: DebugCheck+B9j
seg000:0000121A xor edi, edi
seg000:0000121C cmp [ebp+var_210], bl
seg000:00001222 jz short loc_124D
seg000:00001224
seg000:00001224 _convertToSmallCaps: ; CODE XREF: DebugCheck+75j
seg000:00001224 lea esi, [ebp+edi+var_210]
seg000:0000122B mov al, [esi]
seg000:0000122D xor ecx, ecx
seg000:0000122F cmp al, 5Ah ; 'Z'
seg000:00001231 setle cl
seg000:00001234 xor edx, edx
seg000:00001236 cmp al, 41h ; 'A'
seg000:00001238 setnl dl
seg000:0000123B test edx, ecx
seg000:0000123D jz short loc_1243
seg000:0000123F add al, 20h ; ' '
seg000:00001241 mov [esi], al
seg000:00001243
seg000:00001243 loc_1243: ; CODE XREF: DebugCheck+67j
seg000:00001243 inc edi
seg000:00001244 cmp [ebp+edi+var_210], bl
seg000:0000124B jnz short _convertToSmallCaps
seg000:0000124D
seg000:0000124D loc_124D: ; CODE XREF: DebugCheck+4Cj
seg000:0000124D push edi
seg000:0000124E lea eax, [ebp+var_210]
seg000:00001254 push eax ; # process name
seg000:00001255 push ebx
seg000:00001256 call RtlComputeCrc32
seg000:0000125B mov ecx, ds:7FF90218h ; # hash table of process to check
seg000:00001261 xor edx, edx
seg000:00001263 jmp short loc_1271
seg000:00001265 ; ---------------------------------------------------------------------------
seg000:00001265
seg000:00001265 _contHashCheck: ; CODE XREF: DebugCheck+9Dj
seg000:00001265 cmp eax, ecx
seg000:00001267 jz short _hashProcFound ; # hash matched
seg000:00001269 mov ecx, ds:7FF9021Ch[edx*4]
seg000:00001270 inc edx
seg000:00001271
seg000:00001271 loc_1271: ; CODE XREF: DebugCheck+8Dj
seg000:00001271 cmp ecx, ebx
seg000:00001273 jnz short _contHashCheck
seg000:00001275 jmp short loc_127E
CRC32-hash table of processes to avoid
These are some of the hashes that were recovered by trial and error. Recovering a string from its computed hash alone is practically impossible, so the names were guessed and their hashes compared. These strings are file names/process names of common monitoring and analysis tools.
wireshark.exe – 0x77AE10F7
vboxservice.exe – 0x64340DCE
vboxtray.exe – 0x63C54474
vmtoolsd.exe – 0x278CDF58
vmwareuser.exe – 0x99DD4432
procmon.exe – 0x5BA9B1FE
filemon.exe – 0x3D46F02B
regmon.exe – 0x3CE2BEF3
netmon.exe – 0xF344E95D
It may also compute the CRC32 hash of the name of the drive on which the Windows directory is located and compare it to 0x20C7DD84 before it continues.
It checks for sbiedll.dll, which is used by Sandboxie (sandbox security software for Windows).
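As an added example (not code from the original post or from the sample), here is a small Python script that reproduces the hashing convention the disassembly above shows (ASCII lower-casing of A–Z only, then CRC-32 over the name without its terminating NUL) and applies it the way the hashes above were recovered: hash a wordlist of tool names and look each result up in the table. It assumes that ntdll.RtlComputeCrc32 with an initial value of 0 produces the same value as zlib.crc32; the wordlist is a constructed sample, and whether a listed name matches its page hash is reported by the script rather than presumed.

```python
import zlib

# Hashes as listed on the page (the table the sample loops over).
SAMPLE_HASH_TABLE = {
    0x77AE10F7, 0x64340DCE, 0x63C54474, 0x278CDF58, 0x99DD4432,
    0x5BA9B1FE, 0x3D46F02B, 0x3CE2BEF3, 0xF344E95D,
}

# Constructed wordlist of process names an analyst might try against the table.
WORDLIST = [
    "wireshark.exe", "vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe",
    "vmwareuser.exe", "procmon.exe", "filemon.exe", "regmon.exe", "netmon.exe",
    "procexp.exe", "ollydbg.exe", "idaq.exe", "windbg.exe", "tcpview.exe",
]


def lowercase_ascii(name: str) -> str:
    """Mirror the _convertToSmallCaps loop: only 'A'..'Z' get 0x20 added."""
    return "".join(chr(ord(c) + 0x20) if "A" <= c <= "Z" else c for c in name)


def crc32_name(name: str) -> int:
    """CRC-32 of the lower-cased name, length = strlen (no terminating NUL).

    Assumption: RtlComputeCrc32(0, buf, len) equals zlib.crc32(buf).
    """
    return zlib.crc32(lowercase_ascii(name).encode("ascii")) & 0xFFFFFFFF


def recover_names(hash_table, candidates):
    """Dictionary lookup against the table: {hash: name} for every candidate that hits."""
    found = {}
    for cand in candidates:
        h = crc32_name(cand)
        if h in hash_table and h not in found:
            found[h] = lowercase_ascii(cand)
    return found


def would_trip_check(process_names, hash_table=SAMPLE_HASH_TABLE):
    """Analyst preview: which of these running process names the sample would flag."""
    return sorted(p for p in process_names if crc32_name(p) in hash_table)


if __name__ == "__main__":
    hits = recover_names(SAMPLE_HASH_TABLE, WORDLIST)
    for h in sorted(SAMPLE_HASH_TABLE):
        print(f"0x{h:08X} -> {hits.get(h, '(unrecovered)')}")
    print("would trip:", would_trip_check(["Explorer.EXE", "Wireshark.exe", "svchost.exe"]))
```

Run it and every table entry that the wordlist explains is printed next to its hash; an entry that stays "(unrecovered)" needs more candidate names, which is exactly the trial-and-error the post describes. Because the sample lower-cases only A–Z, renaming a tool does not help unless the new name's hash is absent from the table, which is the property the lookup lets you confirm before running a tool in the analysis VM.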
SYSTEM CHANGES
It adds the following registry entries in an attempt to avoid drawing attention (the Explorer policy values suppress Security Center notifications, and EnableLUA = 0 turns off UAC):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer TaskbarNoNotification dword:00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer HideSCAHealth dword:00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA dword:00000000
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer TaskbarNoNotification dword:00000000
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer HideSCAHealth dword:00000000
It also deletes the autorun registry key of taskmgr.exe under “Image File Execution Options”, if present:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\image file execution options\taskmgr.exe
It also disables the following Windows security services:
wscsvc – Windows Security Center service
WinDefend – Windows Defender service
MpsSvc – Windows Firewall service
SharedAccess – Internet Connection Sharing service
wuauserv – Windows Update service
It then deletes its main executable in an attempt to clean up its traces.
PAYLOAD
It first checks whether the operating system is 32-bit or 64-bit Windows and injects its code into the matching msiexec.exe:
%windir%\SysWOW64\msiexec.exe (for 64-bit)
%windir%\system32\msiexec.exe (for 32-bit)
It uses two code injection techniques, so that if the first one fails it still has a backup routine.
The first is the conventional way of injecting code into a target process (msiexec.exe): CreateProcess, MapViewOfSection, overwrite the entry point of the target process so that it jumps to the malware code, then ResumeThread.
seg000:00002561 call dword ptr ds:7FF900F8h ; # CreateProcessW
…
…
seg000:0000259E call NtMapViewOfSection
seg000:000025A3 test eax, eax
seg000:000025A5 jnz loc_262D
seg000:000025AB mov esi, [ebp+var_34]
seg000:000025AE mov eax, [ebp+arg_4]
seg000:000025B1 mov ecx, [ebp+var_4]
seg000:000025B4 add edi, esi
seg000:000025B6 push edi
seg000:000025B7 add ecx, eax
seg000:000025B9 push 6
seg000:000025BB lea eax, [ebp-3Ch] ; # overwrite entry point of msiexec.exe with
seg000:000025BB ; # 68 BF160A00 PUSH 0A16BF
seg000:000025BB ; # C3 RETN
seg000:000025BE push eax
seg000:000025BF mov [ebp+var_3B], ecx
seg000:000025C2 call MemCopy
…
…
seg000:000025F1 call NtUnmapViewOfSection
…
…
seg000:00002639 push [ebp+var_20]
seg000:0000263C call dword ptr ds:7FF90120h ; # ResumeThread
The other is the same procedure as above, but it calls QueueUserAPC before ResumeThread. The malware queues an APC with the QueueUserAPC API on the thread of msiexec.exe before that thread begins to run. The queued APC routine points to the malware code already copied into the address space of msiexec.exe, so when the suspended thread is resumed the APC routine runs first and the malware code executes.
…
…
seg000:00002745 mov eax, [ebp+arg_4]
seg000:00002748 mov ecx, [ebp+var_4]
seg000:0000274B push [ebp+var_1C]
seg000:0000274E add ecx, eax
seg000:00002750 push ecx
seg000:00002751 call dword ptr ds:7FF90128h ; # QueueUserAPC
seg000:00002757 push [ebp+var_1C]
seg000:0000275A mov [ebp+var_8], eax
seg000:0000275D call dword ptr ds:7FF90120h ; # ResumeThread
It also hooks ntdll.NtOpenSection and GetAddrInfoW to point to its own code.
It checks for an Internet connection by resolving common DNS names such as:
update.microsoft.com
microsoft.com
bing.com
google.com
yahoo.com
It then crafts a message in the following format before sending it to its C&C server:
“id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu”
where,
id = volume information of the infected drive
bid = bot ID version
os = operating system version (whether 32- or 64-bit)
la = IP address of the infected host
rg = whether it runs with administrative privileges (1 or 0)
Here is an example of the data string to be sent to the C&C:
id:2894982272|bid:34|os:593|la:3232258948|rg:1
The string is encrypted with RC4 using the key b8d4b5527da0f28c47cd82d86557d4dc and then Base64-encoded.
Here is the final encrypted equivalent of the same string
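To make the beacon format and the RC4-then-Base64 step concrete, here is an added Python example; it is not code from the original post or from the sample. It implements plain RC4, encodes the page's sample string with the page's key, and decodes a captured blob back into its five fields so an analyst can read the beacon out of a proxy log or pcap. Two assumptions are labelled in the code: the key is fed to RC4 as its 32 ASCII characters (the post does not say whether the hex is decoded to 16 bytes first), and the la field is the IPv4 address packed as a big-endian integer (which yields a private 192.168.x.x address for the page's sample).

```python
import base64
import ipaddress

# Key from the page. ASSUMPTION: used as its 32 ASCII characters, not hex-decoded.
RC4_KEY = b"b8d4b5527da0f28c47cd82d86557d4dc"

# Clear-text beacon exactly as shown on the page.
SAMPLE_BEACON = "id:2894982272|bid:34|os:593|la:3232258948|rg:1"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_beacon(plain: str, key: bytes = RC4_KEY) -> str:
    """Bot side as the post describes it: RC4, then Base64."""
    return base64.b64encode(rc4(key, plain.encode("ascii"))).decode("ascii")


def decode_beacon(blob: str, key: bytes = RC4_KEY) -> str:
    """Analyst side: Base64-decode, then RC4 with the same key."""
    return rc4(key, base64.b64decode(blob)).decode("ascii")


def parse_beacon(plain: str) -> dict:
    """Split 'k:v|k:v' and decode each field as the post documents it."""
    raw = dict(part.split(":", 1) for part in plain.split("|"))
    return {
        "volume_serial": int(raw["id"]),             # volume information of infected drive
        "bot_id": int(raw["bid"]),                   # bot ID version
        "os": int(raw["os"]),                        # OS version field, left as-is
        # ASSUMPTION: la is the IPv4 address packed as a big-endian 32-bit integer.
        "host_ip": str(ipaddress.IPv4Address(int(raw["la"]))),
        "is_admin": raw["rg"] == "1",                # 1 = running with admin rights
    }


if __name__ == "__main__":
    blob = encode_beacon(SAMPLE_BEACON)
    print("on the wire:", blob)
    print("decoded    :", decode_beacon(blob))
    print("fields     :", parse_beacon(SAMPLE_BEACON))
```

In practice the decode direction is the useful one: take the Base64 body of a request to one of the ge.php URLs below, run decode_beacon on it, and a clear-text result that parses into exactly the id/bid/os/la/rg fields confirms both the key and the family. A decode that produces garbage means one of the labelled assumptions (key encoding, or a key changed in a newer build) does not hold for that sample.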
It uses the Google Public DNS servers (8.8.8.8 & 8.8.8.4) to query the C&C servers listed below:
http://62.76.40.177/srt/ge.php
http://37.139.47.108/srt/ge.php
As of this writing, the servers listed above are already inactive. However, variants of this malware family suggest that it downloads the well-known Zeus bot (Zbot) malware.
It may also download additional malware functionality or plugins as DLLs with the export functions “aReport” & “aUpdate”. Since the links are dead and I haven’t produced any additional downloaded files, I can only assume that the “aReport” function sends some info to its C&C server while the “aUpdate” function checks for an updated version of the malware.
Below is a code snippet showing how it attempts to call the aReport function: it traverses the DLL modules loaded in memory looking for its DLL component, which is supposed to be loaded already, uses GetProcAddress to obtain the address of aReport, and then calls it. The same procedure is done for aUpdate.
seg000:00000CFC call CreateToolhelp32Snapshot
seg000:00000D01 mov [ebp+var_4], eax
seg000:00000D04 cmp eax, 0FFFFFFFFh
seg000:00000D07 jz loc_D93
seg000:00000D0D lea eax, [ebp+var_228]
seg000:00000D13 push eax
seg000:00000D14 push [ebp+var_4]
seg000:00000D17 mov [ebp+var_228], 224h
seg000:00000D21 call Module32First
seg000:00000D26 test eax, eax
seg000:00000D28 jz short loc_D8A
seg000:00000D2A push ebx
seg000:00000D2B push esi
seg000:00000D2C
seg000:00000D2C _loopProc: ; CODE XREF: sub_CDD+A9j
seg000:00000D2C push 7FF904BCh ; # "aReport"
seg000:00000D31 push [ebp+var_20C]
seg000:00000D37 call dword ptr ds:7FF90068h ; # GetProcAddress
seg000:00000D3D test eax, eax
seg000:00000D3F jz short _nextModule
seg000:00000D41 call eax ; # call function "aReport"
FAKE PAYLOAD
When it suspects that it is being analyzed or reversed, it executes its fake payload routine, which adds the following registry entries:
Keys created:
HKEY_CLASSES_ROOT\.max
HKEY_CLASSES_ROOT\.max\ShellNew
HKEY_CLASSES_ROOT\Matrix.Document
HKEY_CLASSES_ROOT\Matrix.Document\DefaultIcon
HKEY_CLASSES_ROOT\Matrix.Document\shell
HKEY_CLASSES_ROOT\Matrix.Document\shell\open
HKEY_CLASSES_ROOT\Matrix.Document\shell\open\command
HKEY_CLASSES_ROOT\Matrix.Document\shell\print
HKEY_CLASSES_ROOT\Matrix.Document\shell\print\command
HKEY_CLASSES_ROOT\Matrix.Document\shell\printto
HKEY_CLASSES_ROOT\Matrix.Document\shell\printto\command
HKEY_CURRENT_USER\Software\Matrix
HKEY_CURRENT_USER\Software\Matrix\Recent File List
HKEY_CURRENT_USER\Software\Matrix\Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.max
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.max\ShellNew
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\print
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\print\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\printto
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\printto\command
Values set (@ denotes the default value):
HKEY_CLASSES_ROOT\.max @ "Matrix.Document"
HKEY_CLASSES_ROOT\.max\ShellNew NullFile ""
HKEY_CLASSES_ROOT\Matrix.Document @ "Matrix Document"
HKEY_CLASSES_ROOT\Matrix.Document\DefaultIcon @ "{malware path}\{malware.exe},0"
HKEY_CLASSES_ROOT\Matrix.Document\shell\open\command @ "{malware path}\{malware.exe} "%1""
HKEY_CLASSES_ROOT\Matrix.Document\shell\print\command @ "{malware path}\{malware.exe} /p "%1""
HKEY_CLASSES_ROOT\Matrix.Document\shell\printto\command @ "{malware path}\{malware.exe} /pt "%1" "%2" "%3" "%4""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.max @ "Matrix.Document"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.max\ShellNew NullFile ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document @ "Matrix Document"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\DefaultIcon @ "{malware path}\{malware.exe},0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\open\command @ "{malware path}\{malware.exe} "%1""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\print\command @ "{malware path}\{malware.exe} /p "%1""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\printto\command @ "{malware path}\{malware.exe} /pt "%1" "%2" "%3" "%4""