Anti-Malware Laboratory

Yet Another Malware Blog

Tuesday, July 8, 2014

SPAM: Taxes, allowances and tax credits

Posted on Tuesday, July 08, 2014 by Unknown | No comments
I received a new spam mail quite recently stating that I can claim a tax refund. What caught my attention is that it says I have a tax refund from the US, even though in actuality I have never worked in nor paid taxes to the US.
Here is a screenshot of the spam mail.

This mail has an archive attached, “Refund-Form-ID_0842893.zip”, claiming to be a form that I need to complete and submit for the issuance of the said tax refund.

Inside the zip file is a malicious executable named “Tax_76483691535948579.elc.exe”, detected by ThreatTrack’s Vipre as Trojan.Win32.Zbot.qu (v) (though more commonly known by some as Andromeda).

This malware is closely related to, or should I say an updated version of, the malware from the spam previously analyzed by my colleague at http://www.antimalwarelab.com/2014/05/spam-mail-from-fake-fedex.html.

ANTI-DEBUGGING

It enumerates the running processes (CreateToolhelp32Snapshot/Process32First), converts each process name to lowercase, hashes it with ntdll.RtlComputeCrc32 and compares the result against a table of CRC32 hashes carried in its body. The previous version of this malware compared the hash directly against hard-coded values; this version loops through a table and stops at either a match or the table's zero terminator.

seg000:000011E8                 call    CreateToolhelp32Snapshot
…
…
seg000:0000120B                 call    Process32First
…
…
seg000:0000121A _checkNextProc:                         ; CODE XREF: DebugCheck+B9j
seg000:0000121A                 xor     edi, edi
seg000:0000121C                 cmp     [ebp+var_210], bl
seg000:00001222                 jz      short loc_124D
seg000:00001224
seg000:00001224 _convertToSmallCaps:                    ; CODE XREF: DebugCheck+75j
seg000:00001224                 lea     esi, [ebp+edi+var_210]
seg000:0000122B                 mov     al, [esi]
seg000:0000122D                 xor     ecx, ecx
seg000:0000122F                 cmp     al, 5Ah ; 'Z'
seg000:00001231                 setle   cl
seg000:00001234                 xor     edx, edx
seg000:00001236                 cmp     al, 41h ; 'A'
seg000:00001238                 setnl   dl
seg000:0000123B                 test    edx, ecx
seg000:0000123D                 jz      short loc_1243
seg000:0000123F                 add     al, 20h ; ' '
seg000:00001241                 mov     [esi], al
seg000:00001243
seg000:00001243 loc_1243:                               ; CODE XREF: DebugCheck+67j
seg000:00001243                 inc     edi
seg000:00001244                 cmp     [ebp+edi+var_210], bl
seg000:0000124B                 jnz     short _convertToSmallCaps
seg000:0000124D
seg000:0000124D loc_124D:                               ; CODE XREF: DebugCheck+4Cj
seg000:0000124D                 push    edi
seg000:0000124E                 lea     eax, [ebp+var_210]
seg000:00001254                 push    eax             ; # process name
seg000:00001255                 push    ebx
seg000:00001256                 call    RtlComputeCrc32
seg000:0000125B                 mov     ecx, ds:7FF90218h ; # hash table of process to check
seg000:00001261                 xor     edx, edx
seg000:00001263                 jmp     short loc_1271
seg000:00001265 ; ---------------------------------------------------------------------------
seg000:00001265
seg000:00001265 _contHashCheck:                         ; CODE XREF: DebugCheck+9Dj
seg000:00001265                 cmp     eax, ecx
seg000:00001267                 jz      short _hashProcFound ; # hash matched
seg000:00001269                 mov     ecx, ds:7FF9021Ch[edx*4]
seg000:00001270                 inc     edx
seg000:00001271
seg000:00001271 loc_1271:                               ; CODE XREF: DebugCheck+8Dj
seg000:00001271                 cmp     ecx, ebx
seg000:00001273                 jnz     short _contHashCheck
seg000:00001275                 jmp     short loc_127E


CRC32-hash table of processes to avoid

These are some of the hashes that were recovered by trial and error (hashing likely tool names and looking for a match in the table). As we know, recovering a string from its computed hash alone is near impossible. The strings found are file/process names of common monitoring and analysis tools:
wireshark.exe – 0x77AE10F7
vboxservice.exe – 0x64340DCE
vboxtray.exe – 0x63C54474
vmtoolsd.exe – 0x278CDF58
vmwareuser.exe – 0x99DD4432
procmon.exe – 0x5BA9B1FE
filemon.exe – 0x3D46F02B
regmon.exe – 0x3CE2BEF3
netmon.exe – 0xF344E95D
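
As an added example (not code from the original post), here is how an analyst can reproduce the check in Python and test candidate names against the recovered table, which is the trial-and-error approach described above. It assumes that RtlComputeCrc32 with an initial value of 0 computes the same standard CRC-32 as zlib.crc32, and that the table is zero-terminated as the loop in the disassembly suggests.

```python
import zlib

# CRC32 table as recovered in the post; the trailing 0 mirrors the terminator
# at which the malware's loop stops (cmp ecx, ebx with ebx == 0).
PROCESS_HASH_TABLE = [
    0x77AE10F7,  # wireshark.exe
    0x64340DCE,  # vboxservice.exe
    0x63C54474,  # vboxtray.exe
    0x278CDF58,  # vmtoolsd.exe
    0x99DD4432,  # vmwareuser.exe
    0x5BA9B1FE,  # procmon.exe
    0x3D46F02B,  # filemon.exe
    0x3CE2BEF3,  # regmon.exe
    0xF344E95D,  # netmon.exe
    0x00000000,  # terminator
]

def to_lower_ascii(name: str) -> str:
    """Mirror the _convertToSmallCaps loop: only 'A'..'Z' get 0x20 added."""
    return "".join(chr(ord(c) + 0x20) if "A" <= c <= "Z" else c for c in name)

def hash_process_name(name: str) -> int:
    """CRC32 of the lowercased name (assumed equal to RtlComputeCrc32(0, name, len))."""
    return zlib.crc32(to_lower_ascii(name).encode("latin-1")) & 0xFFFFFFFF

def is_in_table(name: str, table=PROCESS_HASH_TABLE) -> bool:
    """Walk the table the way the malware does: stop at the first zero entry."""
    wanted = hash_process_name(name)
    for entry in table:
        if entry == 0:
            return False
        if entry == wanted:
            return True
    return False

def recover_names(table, candidates):
    """Trial-and-error recovery: map each table hash to a candidate name that produces it."""
    found = {}
    for cand in candidates:
        if is_in_table(cand, table):
            found[hash_process_name(cand)] = to_lower_ascii(cand)
    return found

if __name__ == "__main__":
    # Constructed candidate list an analyst might try against the table.
    candidates = ["Wireshark.exe", "VBoxService.exe", "procmon.exe", "notepad.exe"]
    for h, name in recover_names(PROCESS_HASH_TABLE, candidates).items():
        print(f"0x{h:08X} -> {name}")
```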

It may also compute the CRC32 hash of the name of the drive that holds the Windows directory and compare it to 0x20C7DD84 before continuing.

It also checks for sbiedll.dll, which is used by Sandboxie (sandbox security software for Windows).

SYSTEM CHANGES

It adds the following registry entries in an attempt to avoid raising suspicion:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer TaskbarNoNotification dword:00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer HideSCAHealth dword:00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA dword:00000000
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer TaskbarNoNotification dword:00000000
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer HideSCAHealth dword:00000000

It also deletes the autorun registry key of taskmgr.exe located under “Image File Execution Options”, if present:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\image file execution options\taskmgr.exe

It will also disable some Windows security services, such as:
wscsvc – windows security center service
WinDefend – windows defender service
MpsSvc – part of windows firewall service
SharedAccess – internet connection sharing service
Wuauserv – windows update service

It then proceeds to delete its main executable in an attempt to clean up its traces.


PAYLOAD

It first checks whether the operating system is 32-bit or 64-bit Windows and injects its code into the corresponding msiexec.exe:
%windir%\SysWOW64\msiexec.exe (for 64-bit)
%windir%\system32\msiexec.exe (for 32-bit)

It uses two code injection techniques, so that if the first one fails it still has a backup routine.

The first is the conventional way of injecting code into a target process (msiexec.exe): create the process with CreateProcess, map a section into it with MapViewOfSection, overwrite the target's entry point so that it points to the malware's code, then ResumeThread.
seg000:00002561                 call    dword ptr ds:7FF900F8h ; # CreateProcessW
…
…
seg000:0000259E                 call    NtMapViewOfSection
seg000:000025A3                 test    eax, eax
seg000:000025A5                 jnz     loc_262D
seg000:000025AB                 mov     esi, [ebp+var_34]
seg000:000025AE                 mov     eax, [ebp+arg_4]
seg000:000025B1                 mov     ecx, [ebp+var_4]
seg000:000025B4                 add     edi, esi
seg000:000025B6                 push    edi
seg000:000025B7                 add     ecx, eax
seg000:000025B9                 push    6
seg000:000025BB                 lea     eax, [ebp-3Ch]  ; # overwrite entry point of msiexec.exe with
seg000:000025BB                                                        ; # 68 BF160A00     PUSH 0A16BF
seg000:000025BB                                                        ; # C3              RETN
seg000:000025BE                 push    eax
seg000:000025BF                 mov     [ebp+var_3B], ecx
seg000:000025C2                 call    MemCopy
…
…
seg000:000025F1                 call    NtUnmapViewOfSection
…
…
seg000:00002639                 push    [ebp+var_20]
seg000:0000263C                 call    dword ptr ds:7FF90120h ; # ResumeThread

The other is the same procedure as above, but it calls QueueUserAPC before ResumeThread. The logic here is that the malware queues an APC (using the QueueUserAPC API) to the thread of msiexec.exe before that thread begins to run. The queued APC function points to the malware code already copied into the address space of msiexec.exe, so after the suspended thread is resumed, the APC function is called first, hence executing the code of the malware.
…
…
seg000:00002745                 mov     eax, [ebp+arg_4]
seg000:00002748                 mov     ecx, [ebp+var_4]
seg000:0000274B                 push    [ebp+var_1C]
seg000:0000274E                 add     ecx, eax
seg000:00002750                 push    ecx
seg000:00002751                 call    dword ptr ds:7FF90128h ; # QueueUserAPC
seg000:00002757                 push    [ebp+var_1C]
seg000:0000275A                 mov     [ebp+var_8], eax
seg000:0000275D                 call    dword ptr ds:7FF90120h ; # ResumeThread

It also hooks ntdll.NtOpenSection and GetAddrInfoW to point to its own code.

It checks for an Internet connection by resolving common DNS names such as:
update.microsoft.com
microsoft.com
bing.com
google.com
yahoo.com

It will then craft a message in the following format before sending it to its C&C server:
“id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu”
where:
id = volume information of the infected drive
bid = bot ID version
os = operating system version (whether 32- or 64-bit)
la = IP address of the infected host
rg = whether it runs at the administrative level (1 or 0)

Here is an example of the data string that it sends to the C&C:
id:2894982272|bid:34|os:593|la:3232258948|rg:1

The string is encrypted using RC4 with the key b8d4b5527da0f28c47cd82d86557d4dc and then Base64-encoded.
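
To show the beacon format and its encoding end to end, here is an added Python example (not code from the original post) that builds the sample string above, applies RC4 and then Base64 as described, and decodes a captured beacon back into its fields the way an analyst would. It assumes the RC4 key is used as the 32-character ASCII string quoted above and that la is a big-endian packed IPv4 address (the sample value then decodes to a private lab address, which supports that reading).

```python
import base64

# Assumed: the key is used as the 32-character ASCII string quoted in the post.
RC4_KEY = b"b8d4b5527da0f28c47cd82d86557d4dc"
# Constructed sample, identical to the one shown in the post.
SAMPLE_BEACON = "id:2894982272|bid:34|os:593|la:3232258948|rg:1"

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def encode_beacon(plain: str, key: bytes = RC4_KEY) -> str:
    """RC4 first, then Base64: the transformation the post describes."""
    return base64.b64encode(rc4(key, plain.encode("ascii"))).decode("ascii")

def decode_beacon(b64: str, key: bytes = RC4_KEY) -> str:
    """Reverse the transformation for a beacon captured on the wire."""
    return rc4(key, base64.b64decode(b64)).decode("ascii", errors="replace")

def parse_beacon(plain: str) -> dict:
    """Split 'id:..|bid:..|os:..|la:..|rg:..' into fields; la is rendered as dotted IPv4.
    Assumed: la is a big-endian 32-bit IPv4 address."""
    fields = dict(part.split(":", 1) for part in plain.split("|"))
    la = int(fields["la"])
    fields["la_ip"] = ".".join(str((la >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    fields["rg_admin"] = fields["rg"] == "1"
    return fields

if __name__ == "__main__":
    wire = encode_beacon(SAMPLE_BEACON)
    print(wire)
    print(parse_beacon(decode_beacon(wire)))
```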

Here is the final encrypted equivalent of the same string


It uses Google Public DNS servers (8.8.8.8 & 8.8.8.4) when querying its C&C servers, listed below:
http://62.76.40.177/srt/ge.php
http://37.139.47.108/srt/ge.php

As of this writing, the servers listed above are already inactive. However, variants of this malware family suggest that it downloads the well-known Zeus bot (Zbot) malware.

It may also download additional malware functionality or plugins as DLLs exporting the functions “aReport” and “aUpdate”. Since the links are dead and I haven’t obtained any additional downloaded files, I can only assume that the “aReport” function sends some information to the C&C server while the “aUpdate” function checks for an updated version of the malware.

Below is a code snippet showing how it attempts to call the aReport function: it walks the DLL modules loaded in memory looking for its own DLL component (which is supposedly loaded already), uses GetProcAddress to get the address of aReport, then calls it. The same procedure is used for aUpdate.
seg000:00000CFC                 call    CreateToolhelp32Snapshot
seg000:00000D01                 mov     [ebp+var_4], eax
seg000:00000D04                 cmp     eax, 0FFFFFFFFh
seg000:00000D07                 jz      loc_D93
seg000:00000D0D                 lea     eax, [ebp+var_228]
seg000:00000D13                 push    eax
seg000:00000D14                 push    [ebp+var_4]
seg000:00000D17                 mov     [ebp+var_228], 224h
seg000:00000D21                 call    Module32First
seg000:00000D26                 test    eax, eax
seg000:00000D28                 jz      short loc_D8A
seg000:00000D2A                 push    ebx
seg000:00000D2B                 push    esi
seg000:00000D2C
seg000:00000D2C _loopProc:                              ; CODE XREF: sub_CDD+A9j
seg000:00000D2C                 push    7FF904BCh       ; # "aReport"
seg000:00000D31                 push    [ebp+var_20C]
seg000:00000D37                 call    dword ptr ds:7FF90068h ; # GetProcAddress
seg000:00000D3D                 test    eax, eax
seg000:00000D3F                 jz      short _nextModule
seg000:00000D41                 call    eax             ; # call function "aReport"


FAKE PAYLOAD

When it suspects that it is being analyzed or reversed, it executes its fake payload routine, which adds the following registry entries:

HKEY_CLASSES_ROOT\.max @ "Matrix.Document"
HKEY_CLASSES_ROOT\.max\ShellNew NullFile ""
HKEY_CLASSES_ROOT\Matrix.Document @ "Matrix Document"
HKEY_CLASSES_ROOT\Matrix.Document\DefaultIcon @ "{malware path}\{malware.exe},0"
HKEY_CLASSES_ROOT\Matrix.Document\shell
HKEY_CLASSES_ROOT\Matrix.Document\shell\open
HKEY_CLASSES_ROOT\Matrix.Document\shell\open\command @ "{malware path}\{malware.exe} "%1""
HKEY_CLASSES_ROOT\Matrix.Document\shell\print
HKEY_CLASSES_ROOT\Matrix.Document\shell\print\command @ "{malware path}\{malware.exe} /p "%1""
HKEY_CLASSES_ROOT\Matrix.Document\shell\printto
HKEY_CLASSES_ROOT\Matrix.Document\shell\printto\command @ "{malware path}\{malware.exe} /pt "%1" "%2" "%3" "%4""
HKEY_CURRENT_USER\Software\Matrix
HKEY_CURRENT_USER\Software\Matrix\Recent File List
HKEY_CURRENT_USER\Software\Matrix\Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.max @ "Matrix.Document"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.max\ShellNew NullFile ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document @ "Matrix Document"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\DefaultIcon @ "{malware path}\{malware.exe},0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\open\command @ "{malware path}\{malware.exe} "%1""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\print
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\print\command @ "{malware path}\{malware.exe} /p "%1""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\printto
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\printto\command @ "{malware path}\{malware.exe} /pt "%1" "%2" "%3" "%4""