
Malefactors use complex malware to attack Russian business

Since the end of last year we have been tracking a new malicious campaign spreading a banking Trojan. The attackers focused on compromising Russian companies, i.e. corporate users. The campaign has been active for at least a year and, in addition to the banking Trojan, the attackers used various other software tools: a special loader packaged with NSIS, and spyware disguised as the well-known legitimate Yandex Punto software. Once the attackers managed to compromise a victim's computer, they installed a backdoor and then the banking Trojan.



For their malicious programs the attackers used several digital certificates that were valid at the time, as well as special techniques for evading AV products. The campaign targeted a large number of Russian banks and is of particular interest because the attackers used methods more typical of targeted attacks, i.e. attacks that are not motivated purely by financial fraud. There is some similarity between this campaign and a major incident that gained wide attention earlier: the cybercrime group that used the Anunak / Carbanak banking Trojan.
The attackers installed malware only on computers whose Windows localization was Russian by default. The main distribution vector of the Trojan was a Word document with an exploit for CVE-2012-0158, sent as an attachment to a phishing message. The screenshots below show what such forged documents look like. The first document is titled "Account No. 522375-FLORL-14-115.doc"; the second, "kontrakt87.doc", is a copy of a contract for the provision of telecommunications services by the mobile operator Megafon.


Fig. 1. Phishing document.


Fig. 2. Another modification of the phishing document.

The following facts indicate that the attackers were targeting Russian business:

The special software tools that the attackers install on a compromised system allow them to gain remote control over it and track user activity. To do this they install a backdoor and also try to obtain the password of a Windows account or create a new account. The attackers also use a keylogger, a Windows clipboard stealer, and special software for working with smart cards. The group tried to compromise other computers on the same local network as the victim's computer.

Our ESET LiveGrid telemetry system, which lets us quickly track malware distribution statistics, gave us interesting geographical statistics on the distribution of the malware used in this campaign.


Fig. 3. Geographical distribution statistics of the malware used in this malicious campaign.

Malware Installation

After the user opens the malicious document with the exploit on a vulnerable system, a special downloader packed with NSIS is dropped and executed. At the start of its work the program checks the Windows environment for the presence of debuggers and for execution inside a virtual machine. It also checks the Windows localization and whether the user has visited, in the browser, the URLs listed in the table below. For this it uses the FindFirstUrlCacheEntry / FindNextUrlCacheEntry API and the registry key Software\Microsoft\Internet Explorer\TypedURLs.



The loader checks for the presence of the following applications on the system:



The list of processes is really impressive and, as you can see, it contains not only banking applications. For example, the executable named "scardsvr.exe" belongs to software for working with smart cards (the Microsoft Smart Card reader service). The banking Trojan itself includes capabilities for working with smart cards.


Fig. 4. The general scheme of the installation of malware.

If all checks pass, the loader downloads a special file (an archive) from the remote server containing all the malicious executables used by the attackers. Interestingly, depending on the results of the checks listed above, the archive downloaded from the remote C&C server may vary: it may or may not be malicious. In the non-malicious case it installs the Windows Live Toolbar for the user. Most likely the attackers resorted to this trick to deceive automated file-analysis systems and virtual machines that run suspicious files.

The file downloaded by the NSIS loader is a 7z archive containing the various modules of the malware. The figure below shows the whole process of installing the malware and its modules.


Fig. 5. The general scheme of the malware.

Although the downloaded modules perform different tasks for the attackers, they are all packed in the same way, and many of them were signed with valid digital certificates. We found four such certificates that the attackers had used since the very beginning of the campaign. After we reported them, the certificates were revoked. Interestingly, all of the certificates were issued to companies registered in Moscow.


Fig. 6. The digital certificate that was used to sign malware.

The following table lists the digital certificates the attackers used in this campaign.



Almost all of the malicious modules used by the attackers have the same installation procedure: they are password-protected 7-Zip self-extracting archives.


Fig. 7. Fragment of the install.cmd batch file.

A batch file, install.cmd, is responsible for installing the malware on the system and launching the various malicious tools. If execution requires administrator rights that are not available, the malicious code uses several methods to obtain them (UAC bypass). The first method uses two executables named l1.exe and cc1.exe, which implement the UAC bypass from the leaked Carberp source code. The other method exploits the CVE-2013-3660 vulnerability. Each module that needs privilege escalation contains both a 32-bit and a 64-bit version of the exploit.

While tracking this campaign we analyzed several archives downloaded by the loader. Their contents differed, i.e. the attackers could adapt the set of malicious modules to different purposes.

User compromise

As mentioned above, the attackers use special tools to compromise users' computers. These include programs whose executables are named mimi.exe and xtm.exe. They help the attackers establish control over the victim's computer and specialize in the following tasks: retrieving or recovering passwords of Windows accounts, enabling the RDP service, and creating a new account in the OS.

The mimi.exe executable contains a modified version of the well-known open source tool Mimikatz, which can obtain the passwords of Windows user accounts. The attackers removed from Mimikatz the part responsible for user interaction. The executable code was also modified so that Mimikatz starts with the privilege::debug and sekurlsa::logonPasswords commands.

Another executable, xtm.exe, runs special scripts that enable the RDP service on the system, try to create a new account in the OS, and change system settings to allow several users to connect simultaneously to the compromised computer over RDP. Obviously, these steps are needed to gain full control over the compromised system.


Fig. 8. Commands executed by xtm.exe in the system.

The attackers use another executable, impack.exe, to install additional software on the system: LiteManager, which the attackers use as a backdoor.


Fig. 9. LiteManager interface.

Once installed on the user's system, LiteManager lets the attackers connect directly to that system and control it remotely. The software has special command-line parameters for silent installation, for creating firewall rules, and for running its own module; the attackers use all of them.
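The tools described in this section leave distinctive traces in process-creation telemetry. The triage routine below is an added example written for this article, not ESET's code: it runs over Sysmon-style process-creation records (constructed here, not real telemetry) and matches the executable names the article gives (l1.exe, cc1.exe, mimi.exe, xtm.exe, impack.exe) and the Mimikatz command strings privilege::debug / sekurlsa::logonPasswords. The third rule, an executable launched from a user-writable temp directory, is an assumption of this example based on the self-extracting-archive installation described above, not something the article states.

```python
"""Triage of process-creation events for the tooling the article describes.
Added example; the event records are constructed for illustration."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Optional

# Executable names taken from the article (case-insensitive exact match).
TOOL_NAMES = {"l1.exe", "cc1.exe", "mimi.exe", "xtm.exe", "impack.exe"}

# Command-line fragments the article says the modified Mimikatz is started with.
MIMIKATZ_CMDS = re.compile(r"privilege::debug|sekurlsa::logonpasswords", re.IGNORECASE)

# Assumption of this example: temp locations an extracted SFX payload may run from.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass
class Finding:
    event_id: int
    image: str
    reasons: list = field(default_factory=list)


def triage_event(event: dict) -> Optional[Finding]:
    """Return a Finding if the event matches at least one indicator, else None."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    name = ntpath.basename(image).lower()
    reasons = []
    if name in TOOL_NAMES:
        reasons.append(f"known tool name {name}")
    if MIMIKATZ_CMDS.search(cmdline):
        reasons.append("Mimikatz command in command line")
    if name.endswith(".exe") and any(d in image.lower() for d in TEMP_DIRS):
        reasons.append("executable launched from temp directory")
    if not reasons:
        return None
    return Finding(event["EventID"], image, reasons)


def triage(events) -> list:
    """Run triage_event over a sequence of events and keep the hits."""
    return [f for f in (triage_event(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry); the paths are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 2, "Image": r"C:\Users\u\AppData\Local\Temp\7zS1\mimi.exe",
     "CommandLine": "mimi.exe"},
    {"EventID": 3, "Image": r"C:\ProgramData\svc\upd.exe",
     "CommandLine": "upd.exe privilege::debug sekurlsa::logonPasswords"},
    {"EventID": 4, "Image": r"C:\Users\u\AppData\Local\Temp\7zS1\xtm.exe",
     "CommandLine": "xtm.exe"},
    {"EventID": 5, "Image": r"C:\Program Files\Tool\tool.exe",
     "CommandLine": "tool.exe /s"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit.event_id, hit.image, "; ".join(hit.reasons))
```

Event 3 shows why the command-line rule matters: a renamed binary still carries the Mimikatz command strings, so a name-only match would miss it.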

The last module in the attackers' toolkit is the banking malware, whose executable is named pn_pack.exe. It specializes in spying on the user and is responsible for communicating with the C&C server. The banker is launched by means of the legitimate Yandex Punto software, which the attackers use to load a malicious DLL (DLL side-loading). The malware itself can perform the following functions:


The malware module responsible for all of these tasks is an encrypted DLL. It is decrypted and loaded into memory while Punto is running. To carry out the tasks above, the DLL's code starts three threads.
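The side-loading pattern described here is detectable from image-load telemetry without knowing the specific DLL in advance: a signed, legitimate executable loads a DLL from its own directory, and that DLL is either unsigned or signed by someone other than the executable's signer. The function below is an added example, not ESET's code; the records mimic Sysmon image-load events (fields Image, ProcessSignature, ImageLoaded, Signed, Signature) and are constructed, and the Punto install path, the DLL name and the signer names are placeholders, not the campaign's real values.

```python
"""Flag DLL side-loading candidates from constructed image-load records.
Added example; paths and signer names are placeholders."""
import ntpath

# Assumption: DLLs loaded from these directories are the OS's own copies.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def is_system_dir(directory: str) -> bool:
    return directory.lower().startswith(SYSTEM_DIRS)


def side_load_suspects(events) -> list:
    """Return (event, reasons) pairs for DLLs loaded from the process's own
    directory that are unsigned or carry a signer different from the process."""
    suspects = []
    for ev in events:
        exe_dir = ntpath.dirname(ev["Image"]).lower()
        dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
        # Only the "DLL beside the executable" case is of interest here;
        # applications living in a system directory are left to other rules.
        if dll_dir != exe_dir or is_system_dir(dll_dir):
            continue
        reasons = []
        if not ev["Signed"]:
            reasons.append("unsigned DLL loaded from application directory")
        elif ev["Signature"] != ev["ProcessSignature"]:
            reasons.append("DLL signer differs from executable signer")
        if reasons:
            suspects.append((ev, reasons))
    return suspects


# Constructed records; "PuntoVendor" and "VendorCo" are placeholder signers.
SAMPLE_LOADS = [
    {"Image": r"C:\Program Files\Punto\punto.exe", "ProcessSignature": "PuntoVendor",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": True, "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\u\AppData\Roaming\pn\punto.exe", "ProcessSignature": "PuntoVendor",
     "ImageLoaded": r"C:\Users\u\AppData\Roaming\pn\helper.dll",
     "Signed": False, "Signature": ""},
    {"Image": r"C:\Program Files\VendorCo\app.exe", "ProcessSignature": "VendorCo",
     "ImageLoaded": r"C:\Program Files\VendorCo\plugin.dll",
     "Signed": True, "Signature": "VendorCo"},
    {"Image": r"C:\Program Files\VendorCo\app.exe", "ProcessSignature": "VendorCo",
     "ImageLoaded": r"C:\Program Files\VendorCo\x.dll",
     "Signed": True, "Signature": "Other Co"},
]

if __name__ == "__main__":
    for ev, reasons in side_load_suspects(SAMPLE_LOADS):
        print(ev["Image"], "->", ev["ImageLoaded"], ":", "; ".join(reasons))
```

The second record is the shape this campaign takes: a copy of the legitimate signed executable placed in a user-writable directory next to an unsigned DLL. The fourth record shows the signer-mismatch variant, which catches a side-loaded DLL that was itself signed with one of the certificates discussed earlier.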

That the attackers chose Punto for their purposes is no surprise: some Russian forums openly discuss in detail the use of flaws in legitimate software to compromise users.

The malicious library uses the RC4 algorithm to encrypt its strings and also its network traffic to the C&C server. It contacts the server every two minutes and sends all the data collected on the compromised system during that period.


Fig. 10. Fragment of network interaction between the bot and the server.
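A fixed two-minute check-in is itself a detectable property, independent of the traffic's encryption. The routine below is an added example, not ESET's code: it groups outbound connections by destination from a constructed connection log (the addresses are documentation-range placeholders, not the campaign's servers) and flags destinations whose inter-connection intervals are tightly clustered over enough samples. The thresholds (at least five connections, relative spread of intervals at most 10%) are assumptions chosen for the example.

```python
"""Periodic-beacon detection over a constructed connection log.
Added example; timestamps and addresses are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev


def parse_log(lines):
    """Parse 'ISO-timestamp src dst' lines into (dst, datetime) tuples."""
    records = []
    for line in lines:
        ts, _src, dst = line.split()
        records.append((dst, datetime.fromisoformat(ts)))
    return records


def beacon_candidates(records, min_conns=5, max_cv=0.10) -> dict:
    """Return {dst: {interval_s, cv, count}} for destinations contacted at a
    near-constant interval; cv is the coefficient of variation of the gaps."""
    by_dst = defaultdict(list)
    for dst, ts in records:
        by_dst[dst].append(ts)
    result = {}
    for dst, times in by_dst.items():
        if len(times) < min_conns:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            result[dst] = {"interval_s": round(median(gaps)),
                           "cv": round(cv, 3), "count": len(times)}
    return result


# Constructed log: 203.0.113.10 is contacted every ~120 s with small jitter,
# 198.51.100.7 at irregular intervals, 192.0.2.5 only twice.
SAMPLE_LOG = [
    "2015-03-18T10:00:00 10.0.0.5 203.0.113.10",
    "2015-03-18T10:00:00 10.0.0.5 198.51.100.7",
    "2015-03-18T10:00:05 10.0.0.5 198.51.100.7",
    "2015-03-18T10:02:01 10.0.0.5 203.0.113.10",
    "2015-03-18T10:03:59 10.0.0.5 203.0.113.10",
    "2015-03-18T10:05:05 10.0.0.5 198.51.100.7",
    "2015-03-18T10:05:45 10.0.0.5 198.51.100.7",
    "2015-03-18T10:05:59 10.0.0.5 203.0.113.10",
    "2015-03-18T10:08:01 10.0.0.5 203.0.113.10",
    "2015-03-18T10:10:00 10.0.0.5 203.0.113.10",
    "2015-03-18T10:20:45 10.0.0.5 198.51.100.7",
    "2015-03-18T10:20:57 10.0.0.5 198.51.100.7",
    "2015-03-18T10:30:00 10.0.0.5 192.0.2.5",
    "2015-03-18T10:32:00 10.0.0.5 192.0.2.5",
]

if __name__ == "__main__":
    for dst, info in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(dst, info)
```

Legitimate software also polls on timers, so in practice the output is a hunting lead to be joined with process and destination context, not an alert on its own.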

Below are some of the C&C server commands that the library can receive.



After receiving a command from the C&C server, the malware replies with a status code. Interestingly, all of the banker modules we analyzed (the most recent with a compilation date of January 18) contain the string "TEST_BOTNET", which is sent in every message to the C&C server.
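The RC4 use described above and the constant "TEST_BOTNET" string together give an analyst a simple way to validate a recovered key against captured traffic: if decryption with the candidate key produces the marker, the key is right. The code below is an added example, not ESET's code. RC4 is implemented in full (standard KSA and PRGA); the key, the `|`-separated message layout and the sample message are constructed assumptions of this example, not the campaign's real values.

```python
"""RC4 decryption of a beacon and a check for the TEST_BOTNET marker.
Added example; key and message layout are constructed assumptions."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key scheduling, then XOR with the keystream.
    The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


MARKER = b"TEST_BOTNET"  # string the article reports in every C&C message


def decode_beacon(key: bytes, blob: bytes) -> dict:
    """Decrypt a captured beacon and split it into fields.
    The '|' field separator is an assumption of this example."""
    plain = rc4(key, blob)
    return {"plaintext": plain,
            "fields": plain.split(b"|"),
            "has_marker": MARKER in plain}


def key_is_valid(key: bytes, blob: bytes) -> bool:
    """A candidate key is accepted only if the marker appears after decryption."""
    return decode_beacon(key, blob)["has_marker"]


# Constructed sample: a plausible beacon, encrypted here with a placeholder key.
SAMPLE_KEY = b"example-key-not-real"
SAMPLE_PLAIN = b"TEST_BOTNET|WIN7-PC|ru-RU|status=0"
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_PLAIN)

if __name__ == "__main__":
    print(decode_beacon(SAMPLE_KEY, SAMPLE_BLOB))
    print("wrong key accepted:", key_is_valid(b"wrong", SAMPLE_BLOB))
```

Because RC4 keystream reuse under one static key makes the marker appear at the same offset in every message, the same constant also makes a good network-detection anchor once the key is known.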

Conclusion

To compromise corporate users, the attackers first compromise one employee of the company by sending a phishing message with an exploit. Then, once the malware is installed on the system, they use tools that significantly extend their control over the system and let them perform additional tasks: compromising other computers on the corporate network and spying on the user and on the bank transactions the user performs.



Source: https://habr.com/ru/post/255325/