Win32/TrojanDownloader.Nymaim is a Trojan downloader that also contains ransomware features and can lock a user's computer for ransom. We have already written about it before and noted that the attackers compromised web servers running Linux and used them to deliver the malicious code to visitors in order to spread this threat. Nymaim was installed on users' computers through the Blackhole exploit kit, whose author was recently arrested by law enforcement. One of the latest studies by the independent researcher kafeine, based on an analysis of one of this exploit kit's control panels, shows that the attackers were able to infect almost 3 million users since the launch of the Home Campaign operation.

Our previous analysis of Nymaim was devoted to the various code obfuscation methods the attackers used to hinder analysis. In this article we focus on the new infection vector and give a detailed analysis of the protocol used to communicate with the C&C.
Win32/Nymaim infects the user's computer using two different executable files. The first acts as the loader: it downloads the second file from the server and then executes it. This second module can download other malware onto the user's computer or simply lock it for ransom. ESET antivirus products detect both files as Win32/Nymaim because they share a lot of common code.
When we first discovered Nymaim, it appeared to use only one infection vector: silent installation of the code through the Blackhole exploit kit (drive-by download). It has now become clear that the attackers use another way to deliver this threat to users.
Since the end of September, a large number of detections of this malware have been recorded among files downloaded via the Internet using a web browser. Looking through the download logs in these cases, we found that the addresses from which the users arrived at these files (the referrers) belonged to Google, indicating that the users had come from search queries. Our analysis of some of the web pages that initiated the download of the malicious code showed that the attackers used black hat search engine optimization (Black Hat SEO) to promote links to the malicious content.
The attackers create special web pages called doorways, intended to be indexed by search engine crawlers. The doorways we studied try to raise their search rankings by copying or imitating popular web pages. As soon as the user clicks one of the links in the search results, a download starts of an archive whose name matches the text of the search query. In fact, the doorway page simply redirects the user to another site where this archive is hosted.

Fig. Fiddler session showing the chain of web page redirections.
As can be seen in the screenshot above, when the user clicks the search result link, the browser is redirected to a special web page, which in turn redirects to the archive with the content. These redirections go unnoticed by the user, who eventually sees an empty web page and a downloaded archive. The archive contains an executable file that, when launched, installs the malicious code on the system. The archive name is closely tied to the text of the search query in order to make it appear more trustworthy to the user: the same archive is served under different names depending on the search query. The following are the possible names we managed to obtain for a single archive containing the malicious code:
ieee-papers-on-soft-computing-pdf.exe
investments-9th-edition-2011-pdf.exe
video-studio-x4.exe
advance-web-technology-pdf.exe
new-headway-beginner-3rd-edition.exe
lourdes-munch-galindo-fundamentos-de-administraci-n-pdf.exe
numerical-analysis-by-richard-burden-and-douglas-faires-pdf.exe
speakout-pre-intermediate-wb-pdf.exe
nfs-shift-wvga-apk.exe
barbie-12-dancing-princesses-soundtrack.exe
donkey-kong-country-3-rom-portugues.exe
descargar-libro-english-unlimited-pre-intermediate-pdf.exe
Note that all these names belong to the same file, and many of the names mimic pirated content.
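The delivery chain above (Google search referrer, then a download of an executable named after the search query) can be turned into a proxy-log heuristic. The following is an added example written for this article, not ESET's code; the log format and the sample lines are constructed, and the slug form of the query is assumed to match the dash-separated names listed above.

```python
# Added example (not from the ESET article): flag executable downloads whose referrer
# is a Google search results page and whose file name is built from the query text.
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample proxy log (tab-separated: time, client IP, requested URL, referrer).
SAMPLE_LOG = """\
2013-10-01T10:00:01\t10.0.0.5\thttp://files.example.net/dl/investments-9th-edition-2011-pdf.exe\thttp://www.google.com/search?q=investments+9th+edition+2011+pdf
2013-10-01T10:02:13\t10.0.0.7\thttp://cdn.example.org/setup.exe\thttp://vendor.example.org/download
2013-10-01T10:05:44\t10.0.0.9\thttp://files.example.net/dl/new-headway-beginner-3rd-edition.exe\thttp://www.google.com/search?q=new+headway+beginner+3rd+edition
2013-10-01T10:07:02\t10.0.0.5\thttp://files.example.net/report.pdf\thttp://www.google.com/search?q=quarterly+report
"""

GOOGLE_HOST = re.compile(r"(^|\.)google\.[a-z.]+$")
DOWNLOAD_EXT = (".exe", ".scr", ".zip", ".rar")


def slugify(text: str) -> str:
    """Turn a search query into the dash-separated form seen in the file names above."""
    return "-".join(w for w in re.split(r"[^a-z0-9]+", text.lower()) if w)


def search_query(referrer: str) -> Optional[str]:
    """Return the q= parameter if the referrer is a Google search results page, else None."""
    u = urlparse(referrer)
    if not u.hostname or not GOOGLE_HOST.search(u.hostname):
        return None
    q = parse_qs(u.query).get("q")  # parse_qs already decodes '+' and %xx escapes
    return q[0] if q else None


def is_seo_download(url: str, referrer: str) -> bool:
    """True when an executable/archive name equals the slug of the Google query that led to it."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    if not name.endswith(DOWNLOAD_EXT):
        return False
    query = search_query(referrer)
    if not query:
        return False
    stem = name.rsplit(".", 1)[0]
    return stem == slugify(query)


def suspicious_downloads(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, url, query) for every log line matching the heuristic."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, url, referrer = line.split("\t")
        if is_seo_download(url, referrer):
            hits.append((client, url, search_query(referrer)))
    return hits
```

An exact match is deliberately strict; in practice a token-overlap threshold between query and file name catches doorways that append words such as "download" or "free".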
We observed several malware families spreading through this infrastructure. Among them are fake antivirus (Fake AV) programs detected by ESET as Win32/AdWare.SecurityProtection.A, as well as Win32/Sirefef (ZeroAccess) and the already described Win32/Nymaim.
In the course of our study, we collected several different lock screen images for different countries. Win32/Nymaim uses different screens for Europe and North America. The following list of countries for which we obtained a lock screen is not exhaustive, since we have not investigated every case.
- Austria
- Canada
- France
- Germany
- Ireland
- Mexico
- Holland
- Norway
- Romania
- Spain
- Great Britain
- USA
Interestingly, the ransom amount differs between countries. The following chart shows the prices for the different countries in US dollars.

For most of the countries studied, the ransom is around $150. For residents of the United States, however, it is much higher, at $300.
When the first part of Win32/Nymaim infects a computer, it tries to obtain a list of proxy addresses from IP addresses hardcoded in the body of the malware itself. Through these proxy servers it downloads the second part of Win32/Nymaim (another dropper, responsible for the second stage of the threat), as well as the lock screen image and other malicious code. The addresses of these servers change quite often and are apparently used to hide the real C&C addresses. If none of the proxies is available, Nymaim falls back to a URL hardcoded in its code.
Network communication between the malware and the server is encrypted with "salted" RC4 (RC4 with extra bytes appended to the key to hinder analysis). The following screenshot shows the format of an encrypted TCP packet.

The length of the "salt" is obtained by applying a 0xF mask to the first byte of the encrypted message (i.e. its low nibble). The data is then decrypted by appending the salt bytes to the static RC4 key "*&^V8trcv67d[wf9798687RY".
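The salted-RC4 layer described above, as an added example that is not ESET's code: byte 0 & 0xF gives the salt length, and the salt appended to the static key drives plain RC4. It assumes the salt bytes sit directly after the first byte and that the upper nibble of byte 0 carries nothing needed for decryption; the sample packet is constructed.

```python
# Added example (not ESET's code): decrypting a Nymaim-style "salted" RC4 packet.
# Layout assumed from the description in the article: byte 0 & 0xF is the salt
# length, the salt bytes follow immediately, and the rest is RC4 ciphertext keyed
# with STATIC_KEY + salt. A fresh salt per packet makes identical plaintexts
# encrypt differently, which is what defeats naive keystream reuse analysis.
STATIC_KEY = b"*&^V8trcv67d[wf9798687RY"  # static key quoted in the article


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_packet(packet: bytes) -> bytes:
    """Recover the plaintext of one packet; the upper nibble of byte 0 is ignored."""
    if not packet:
        raise ValueError("empty packet")
    salt_len = packet[0] & 0xF
    salt = packet[1:1 + salt_len]
    if len(salt) != salt_len:
        raise ValueError("truncated packet: salt extends past the end of the data")
    return rc4(STATIC_KEY + salt, packet[1 + salt_len:])


def encrypt_packet(plaintext: bytes, salt: bytes) -> bytes:
    """Build a packet the way a sender would (used here only to construct sample input)."""
    if len(salt) > 0xF:
        raise ValueError("salt length must fit in the low nibble of byte 0")
    return bytes([len(salt)]) + salt + rc4(STATIC_KEY + salt, plaintext)


if __name__ == "__main__":
    # Constructed sample packet: 3 salt bytes, then the encrypted message.
    sample = encrypt_packet(b"GET /config\r\n", b"\x11\x22\x33")
    print(sample.hex())
    print(decrypt_packet(sample))
```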
After decryption, the data has the following structure.

As noted earlier, Win32/Nymaim either locks the user's OS or downloads additional malware and installs it. In the latter case a second layer of encryption is applied to the downloaded malware: the header is encrypted with RSA, while the data is encrypted with a custom algorithm. The encryption scheme is shown in the screenshot below.

- RSA is used to decrypt the first 128 bytes (the key is the same in all the samples we saw).
- The integrity of the header and of the data body is checked.
- The integrity of the remaining data chunks is checked.
- The data is decrypted using two keys derived from the header (shown in more detail in the screenshot below).
- The integrity of the decrypted data is checked.
- The decrypted data is decompressed with aPLib.

Fig. Lock screen images by country: Austria, Canada, France, Germany.