Tuesday, November 5, 2013

Latest UPS spam runs include exploits


Spam runs never get old. Whether you have received a package from UPS, FedEx or even PayPal notifications, they either lead you to (poorly crafted) phishing websites or malware (mostly Trojans like Zeus).

This afternoon I saw a tweet from one of my friends on Twitter:


Not many moments later I had received the mail in my inbox. Here's what it looked like:

UPS Delivery Notification Tracking Number : XLMBGBN855XLMBGBN581



















Mail seems to come from:
auto-notify@ups.com or
auto@ups.com

Obviously the mail is spoofed and is really coming from:
UPS@enviosuperfast.info or
Quantum@enviosuperfast.info or 
View@enviosuperfast.info 

Which traces back to:
192.123.32.83 - Result & 184.82.214.54 - Result

Attached is a file called:
invoiceU6GCMXGLL2O0N7QYDZ.doc
MD5: 7c2fd4abfe8640f8db0d18dbecaf8bb4
Malwr Report
Malware Tracker Report

Other file names are possible as well, but always follow the same format:
invoiceXXXXXXXXXXXXXXXXXX.doc, where XXXXXXXXXXXXXXXXXX is a random string of 18 characters. I haven't seen any other possibilities (yet).

What's this? It seems this is not the usual ZIP file with a piece of malware in, no, rather this .doc file is actually an .rtf file which contains an exploit. There's also a URL in the mail, which leads to the download of the exact same file. (so you're screwed either way - whether you download/open the attachment or the link - malware authors wanting to up their success rate may be a good reason for this "tactic".)

Submission to Malware Tracker revealed CVE-2012-0158

 Let's perform some static analysis as well. Using our favorite tool Notepad++:
Clues in yellow indicating it's indeed an .rtf file (font used: Calibri)
















What's happening exactly when we are trying to open this with Wordpad? I can tell you: you just see the same thing as is happening above with Notepad++.

When using OfficeMalScanner (downloadable here) it is being revealed there's a (vulnerable) OLE document embedded. There's an excellent post over at SANS here as well on the usage of this tool.

Unfortunately OfficeMalScanner was unable to automatically extract malicious shellcode, but after some manual work I was able to receive another file, which ultimately delivers another exploit.

We have now two working exploits (both are exploits for Office/.RTF files):
CVE-2012-0158
CVE-2010-3333


When I tried to open it this .RTF file with Microsoft Word 2010, Word crashed and the following happened...:
 

Word crashing & malicious process(es) spawning



















Those are an awful lot of REG.exe processes, right? In case you're wondering, REG.exe is a legit Microsoft file - or tool- to edit the registry.

A process called WINWORD.exe is present, but neither vendor or description name are mentioned.
MD5: e5e1ee559dcad00b6f3da78c68249120
Malwr Report

Obviously this isn't the legit Microsoft Word, as that application had crashed. The first time I was reproducing this exploit in the works, it also dropped another file. Unfortunately I was a bit too fast and forgot to take a copy of that sample as well. I was not able to reproduce the spawning or creating of the latter sample.

The malware creates persistence by:
  • injecting into explorer.exe
  • Creating a key as follows: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\baebadcaacbfcbcdsacfsfdsf

It also recreates itself in:
  • %ApplicationData%
  • %CommonApplicationData%


It calls back to the following domains:
customer.invoice-appmy.com
customers.invoice-appmy.org
customer.appmys-ups.orgfeed404.dnsquerys.org
feed.queryzdnsz.org
feeds.nsupdatedns.com
feed404.dnsquerys.com
static.invoice-appmy.com

... Which resolves to the following IP's:
158.255.2.60 - Result
118.67.250.91 - Result


The reason for these domain names are probably to fool network administrators who are possibly taking a peek at the packets passing through their appliance: "Oh, it's just for DNS queries." , one may think. Nothing's less true though.


Payload

The payload can vary in this case. According to VirusTotal results, it may be ransomware. I was unable to reproduce that kind of behaviour. I have feelings it may be a Bitcoin miner or simply Zeus/Zbot again. Kaspersky had apparently noticed the same campaign, in their sample it's a Brazilian banking Trojan. You can read that article here.



Prevention



 Disinfection

  • Look for suspicious Run keys (examples here) and delete the associated file(s).
  • Run a full scan with your installed antivirus product.
  • Run a full scan with another antivirus and/or antimalware product.
  • In a company: warn your network administrator immediately!


Conclusion

One might wonder if this is a so-called "APT" (Advanced Persistent Threat). I highly doubt that.

Though spammers and malware authors have tried the technique of attaching a malicious file or posting a link in the mail, I haven't seen them do that both very much. (exceptions being some awkward and poorly made viagra spam)

Using these exploits, it's clear they are prooftesting their possiblities. How many have fallen or will fall for this campaign? How much of these mails were sent out anyway? There's no sure way of knowing.

Follow the above prevention tips. If you're an antivirus or security company or researcher or just someone interested in this field, this may interest you:

7500198c94051785a68addc5f264a10f
7c2fd4abfe8640f8db0d18dbecaf8bb4
ad0ef249b1524f4293e6c76a9d2ac10d
e5e1ee559dcad00b6f3da78c68249120

Friday, November 1, 2013

Malware spreading via Skype


Malware spreads via Skype. Just sends the file to all your contacts, nothing more, nothing less. (no message to invite you to check out "photos", no call, ...)


### Analysis ###

Known MD5's:
293cc1f379c4fc81a7584c40f7c82410
66def80d6f87f6f79156557172f9f295


Callback to IP's:
88.150.177.162

Callback to domains:
Random & partial DGA(1) - Pattern:
http://%random%.aingo.cc

Persistence:
Creates key in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Injects into:
explorer.exe
Sets Proxy:
Yes


Type of malware: Caphaw - Banking malware


Technical details ~~

Meta-data
================================================================================
File:    /home/remnux/samples/invoice_171658.pdf.exe_
Size:    360448 bytes
Type:    PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5:     293cc1f379c4fc81a7584c40f7c82410
SHA1:    7bb5b71513e01c2095d37f42c64982a3edb523b5
ssdeep:  3072:fkrImDVQFgEHQPqviUBSnk92oKMcs3JVJXnGcYHmZ52ZgMed1pJ8t/Jpm3dDlnx/:MkpCEwCvi2b92NMxBnUmyZ9o1z8tL
Date:    0x52739069 [Fri Nov  1 11:28:41 2013 UTC]
EP:      0x401270 .text 0/4
CRC:     Claimed: 0x5eb47, Actual: 0x5eb47

Resource entries
================================================================================
Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
RT_CURSOR          0x532b0  0x134    LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_BITMAP          0x536c0  0x1eec   LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_BITMAP          0x555b0  0x4e8    LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_ICON            0x55a98  0x128    LANG_RUSSIAN SUBLANG_RUSSIAN          GLS_BINARY_LSB_FIRST
RT_ICON            0x55bc0  0xea8    LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_ICON            0x56a68  0x568    LANG_RUSSIAN SUBLANG_RUSSIAN          GLS_BINARY_LSB_FIRST
RT_ICON            0x56fd0  0x10a8   LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_ICON            0x58078  0x468    LANG_RUSSIAN SUBLANG_RUSSIAN          GLS_BINARY_LSB_FIRST
RT_GROUP_CURSOR    0x533e8  0x14     LANG_RUSSIAN SUBLANG_RUSSIAN          Lotus 1-2-3
RT_GROUP_ICON      0x584e0  0x4c     LANG_RUSSIAN SUBLANG_RUSSIAN          MS Windows icon resource - 5 icons, 16x16, 16-colors
RT_VERSION         0x53400  0x2c0    LANG_RUSSIAN SUBLANG_RUSSIAN          data

Sections
================================================================================
Name       VirtAddr     VirtSize     RawSize      Entropy    
--------------------------------------------------------------------------------
.text      0x1000       0xee6        0x1000       5.764246   
.rdata     0x2000       0x49ce2      0x4a000      5.440947   
.data      0x4c000      0x619c       0x6000       0.012147    [SUSPICIOUS]
.rsrc      0x53000      0x5530       0x6000       3.693765   

Version info
================================================================================
LegalCopyright: gex Copright   ls soft
InternalName:  jex  MUWEfess dlle
FileVersion: 13, 13, 201, 1241
ProductName:  jox  Weaex Apps
ProductVersion: 13, 13, 21, 153
FileDescription:  jex dllx
OriginalFilename: lexlse.exe
Translation: 0x0419 0x04b0

~~


### Prevention ###

* Check your Skype settings. Only allow contacts to send you messages/files & contact you
* Don't download and run unknown files, especially PE(2) files


### Disinfection ###

* Run a full scan with your installed antivirus product
* Look for suspicious Run keys and delete the associated file(s)
* Run a full scan with another antivirus and/or antimalware product
* Change your Skype password
* Change your proxy to the original one(3) (usually none)
* Change ALL your other passwords
* Call your bank to ensure there was no unauthorized withdrawal or transaction

* When in doubt, seek advise on a professional malware removal forum(4)




### Conclusion ###

* Follow above prevention tips
* Use common sense & do not click on or run anything you encounter
* When in doubt, check the file on VirusTotal for example





# Links #

(1) http://en.wikipedia.org/wiki/Domain_generation_algorithm
(2) http://en.wikipedia.org/wiki/Portable_Executable
(3) http://www.wikihow.com/Change-Proxy-Settings
(4) http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs