by RSS Xiaopeng Zhang  |  Oct 24, 2016  |  Filed in: Security Research

Recently we received a SPAM with an attachment, which is a password-protected Word document. Its MD5 is 6619356e9e0c9d2445bf777a8bea5d6a, which is detected as “WM/Agent.60F9!tr” by the Fortinet AntiVirus service. When the document is opened, the attached malicious VB script code is executed and additional malware is created and executed.

Based on our analysis, this is information-stealing malware. In this blog, we’ll show you how the malware works, what information is stolen from a victim’s system, and how the stolen data is sent to attacker.

The SPAM

Figure 1, below, is a screenshot of the SPAM email we received. The message looks like a transaction notification from “Hendrerit Donec Porttitor Associates”. The password of the attached Word document is provided in the message body.

Figure 1 - SPAM Sample

When the Word document is opened, a dialog pops up requesting the password. See Figure 2, below.

Figure 2 – Password is required to open the Word document

After the password provided in the message body is input, the Word document is opened, as shown in Figure 3.

Figure 3 – The Word document is opened

As you can see, a warning is shown. After enabling “Macros” in Word options, the VB script code inside it is executed automatically.

Malicious VB Script Code

Here is a snippet of the malicious VB script code.

As you can see, in the function doCUmENT_Open, variable names are random strings. The characters in variable and function names are in upper-case or lower-case randomly. Other evasion techniques are also used, like JCrfd = 87 * 4. It’s difficult to understand the meaning of the code due to the obfuscation, but its purpose is to create a VBS file (like “22474.vbs”) and execute it.

In the newly-created VBS file, all strings are encrypted and obfuscated. After decrypting the strings at runtime, we can understand what it is going to do. See the following code snippet with decrypted strings. Comments we added are highlighted in green.

The VB script code snippet above shows that it tries to download a file from hxxp://www.polonews.info/er.txt or hxxp://doktrine.fr/mg.txt. The function JGfe3yG handles the downloaded data, which is actually an encrypted exe file. The decrypted data is saved into “%AppData%\434349.fyn”. The file name is random, and its MD5 is 4df3ce5c9a83829c0f81ee1e3121c6ea, which is detected as “W32/Malicious_Behavior.VEX” by the Fortinet AntiVirus service. Finally, the newly-created file is executed by calling the command “cmd.exe /C START "" "%AppData%\434349.fyn”“.

The Downloaded exe File

Once 434349.fyn starts running, it soon creates itself as a child process by calling the function CreateProcessW with the flag CREATE_SUSPENDED. This allows the code to be modified later. This is a common strategy that malware uses to protect itself against analysis. Next, the code of the child process is overwritten by another exe file that is dumped from 434349.fyn. After that, it calls the function ResumeThread to resume the child process, and then terminates itself.

The new code of the child process uses anti-sandboxing and anti-VM techniques. See the code snippet below.

The code continually captures the current mouse cursor position, which is used in the function sub_403894 to decrypt the data in .bss section that contains some important strings. For the malicious code to execute, we have to keep the mouse moving. This is one of its anti-sandboxing techniques.

From the following code snippet we can also see some VM detections. From MSDN, we know that the function SetupDiGetDeviceRegistryProperty retrieves a specific Plug and Play device property. The malware uses this function to get a string related to Removable and DockDevice device information. Then it checks if the string contains “vbox”, “gemu”, “vmware”, or “virtual hd”. If the result is yes, this child process terminates directly. This is one of its anti-VM techniques.

The malware then copies itself to “%AppData%\” and changes its name. This time it was called “%AppData%\bootames\audiider.exe”. However, note that the folder and file name are not fixed. They come from a name generation function that depends on the creation time and name of the DLL files in the system folder.

The malware also adds itself into the system registry “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\” so that this malware can be executed automatically when the system starts. See Figure 4, below.

Figure 4 - Add the malware to startup group

 

It then creates a .bat file and executes it, which actually executes the relocated and renamed exe file with an argument, by using the command "%AppData%\bootames\audiider.exe" "%AppData%\434349.fyn".

Inject Malicious Code Into Explorer.exe

On our test system, audiider.exe injected malicious code into explorer.exe, which is designed to later steal information from a victim’s system and submit it to the attacker. The process (explorer.exe) to be injected with malicious code might be different on different systems.

It also calls the function CreateRemoteThread with the flag CREATE_SUSPENDED to create a remote thread to explorer.exe. Later, it calls the functions ZwCreateSection and ZwMapViewOfSection to allocate a buffer in explorer.exe where the malicious code will be copied to by calling the function ZwWriteVirtualMemory. It then modifies the eip register of the remote thread to point to the malicious code by calling the function ZwSetContextThread. Finally, it calls the function ResumeThread to run the malicious code and then audiider.exe terminates itself. Following is a code snippet that shows the details:

[...]

0404D6F  lea     ecx, [ebp+var_4]

0404D72  push    ecx             ;

0404D73  push    4               ;; with creation flag "CREATE_SUSPENDED"

0404D75  push    ebx            

0404D76  push    edi            

0404D77  push    ebx

0404D78  push    ebx

0404D79  push    [ebp+var_10]    ; handle of explorer.exe, hProcess

0404D7C  call    eax             ;;;; CreateRemoteThread

0404D7E  mov     [ebp+var_C], eax ;

0404D81  cmp     eax, ebx

0404D83  jz      short loc_404D9E

0404D85  push    edi             ;

0404D86  push    [ebp+arg_0]

0404D89  lea     eax, [ebp+var_10]

0404D8C  call    sub_404BCA      ;

0404D91  push    [ebp+var_C]     ;

0404D94  mov     esi, eax

0404D96  call    ds:CloseHandle

0404D9C  jmp     short loc_404DAD

[...]

0404697  lea     eax, [eax+ecx+0C50h]

040469E  lea     ecx, [ebp+var_10]

04046A1  push    ecx

04046A2  lea     ecx, [ebp+var_C]

04046A5  push    ecx

04046A6  push    eax

04046A7  call    sub_405047      ; ;;will call ZwCreateSection and ZwMapViewOfSection inside.

04046AC  mov     [ebp+var_4], eax

04046AF  cmp     eax, ebx

04046B1  jnz     loc_4047EC

04046B7  mov     ebx, ds:dword_409878

04046BD  lea     eax, [ebp+var_8]

04046C0  push    eax

04046C1  mov     eax, [ebp+arg_0]

04046C4  push    dword ptr [eax]

04046C6  xor     ebx, 0EE55371Eh

04046CC  push    [ebp+var_10]

04046CF  add     ebx, edi

04046D1  add     ebx, [ebp+var_C]

04046D4  mov     [ebp+var_1C], ebx

04046D7  call    sub_405008      ;;;ZwMapViewOfSection

04046DC  mov     [ebp+var_4], eax

04046DF  test    eax, eax

04046E1  jnz     loc_4047EC

04046E7  push    [ebp+var_8]

04046EA  push    [ebp+var_14]

[...]

04047D1  mov     eax, [ebp+var_8]

04047D4  add     esp, 0Ch

04047D7  push    [ebp+arg_4]

04047DA  add     edi, eax

04047DC  push    edi

04047DD  add     edi, 40h

04047E0  push    edi

04047E1  push    [ebp+arg_0]

04047E4  call    sub_4030EF    ;; will call ZwWriteVirtualMemory and ZwSetContextThread inside.

04047E9  mov     [ebp+var_4], eax

[...]

0404CCC loc_404CCC:    

0404CCC  push    dword ptr [edi+4]

0404CCF  call    ds:ResumeThread ;;To execute malicious code inside explorer.exe

0404CD5  pop     edi

0404CD6  mov     eax, esi

0404CD8  pop     esi

0404CD9  pop     ebx

0404CDA  leave

0404CDB  retn    8

What Data is Stolen From Victim’s System, and How?

Based on a quick analysis of the malicious code, this malware is able to steal email related information from a victim’s system. It can get all the contact addresses from following files on the victim’s device:

  • “%userprofile%\contacts\username.contact” “%userprofile %\AppData\Local\Microsoft\Windows Mail\ account{*}.oeaccount”.

The targets are several email applications: Windows Mail, Windows Live Mail, Outlook Express, and Office Outlook. It also collects additional email data from the system registry, such as Email, Account Name, IMAP Server, IMAP Port, IMAP User, IMAP Password, IMAP Use SSL, POP3 User, POP3 Server, POP3 Port, POP3 Password, POP3 Use SSL, SMTP User, SMTP Server, SMTP Port, SMTP Password and SMTP Use SSL.

The relevant registry keys are:

  • HKCU\SOFTWARE\Microsoft\Windows Mail\
  • HKCU\Software\\Microsoft\Windows Live Mail\
  • HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

The data stolen from system registry is formatted as follows:

The stolen data is then saved in a local file, which is compressed in a zip file with the name “*.bin” in the “%temp%” folder.

During runtime, it continues to steal information from the system Clipboard as well as the applications from where you copy data to Clipboard. Also it sets up a keyboard hook function that can steal your input in applications such as Notepad.

The following code snippet shows how the malware steals information from the system Clipboard.

This function is called when the Clipboard copy operation happens (press ctrl+c). That means that the malware registers a Window message handling function to receive messages from the system.

Here is an example to clearly show you how the malware steals data from a victim’s system. In Figure 5, I typed some characters in Notepad, then copied (ctrl+c) the login password “123456”.

Figure 5 - Type in Notepad

Figure 6 – The stolen information by malware

In Figure 6, we can see the file “5463.bin” is created and it’s actually a compressed file. After decompressing it, we can access the file “01D21D1e661D80000B” where you can see all the data stolen by the malware from Notepad and the system Clipboard.

Stolen Data is Sent to The Attacker

All the stolen data is compressed and stored in “%temp%\{random}.bin” files. Finally, the malware encrypts them and sends them to attacker. Here is an example that shows the bin file that is encrypted and sent to the attacker.

Figure 7 - Encrypt bin file

Figure 8 – The encrypted bin file

Figure 9 - Sending an encrypted file to attacker’s server

The HTTP POST request has been detected by Fortinet IPS signature JeanAloup.Trojan.Credentials.Disclosure.

According to our analysis, this malware uses 5 domains that are encrypted by default inside the malware to submit the stolen data. They are shown below:

  • ASCII "arewithoutwarranty.xyz"
  • ASCII "lawassumewitthe.xyz"
  • ASCII "licensecanadian.ru"
  • ASCII "ufeescircumwodiscl.xyz"
  • ASCII "userderivativesoftware.xyz"

All the domains and malware download links mentioned above have been rated as “Malicious” by the Fortinet Web Filtering service.

Conclusion

Based on the above analysis, we can see how this malware works and what information is stolen from a victim’s system. The most dangerous aspect is that it’s able to monitor the system Clipboard and keyboard input, collect data from them, and send the stolen data to the attacker. Imagine you are editing a very confidential document and the remote attacker can get all of your input. The potential for compromise is very serious.

by RSS Xiaopeng Zhang  |  Oct 24, 2016  |  Filed in: Security Research