Last year, ESET researchers detected and analyzed several samples of malicious software used in cyber-espionage operations against users. The malware, named SBDH, uses powerful data filters, several methods of communicating with its operators, and an interesting persistence technique. It targeted computers of government and public institutions, mainly ones focused on economic growth and cooperation in Central and Eastern Europe, in order to obtain data of interest to the attackers. ESET researchers Tomáš Gardoň and Robert Lipovský will also present their findings on SBDH at the Copenhagen Cybercrime Conference 2016 in Copenhagen.

SBDH consists of a loader and the additional modules the operators deploy through it. The compact loader was distributed by the attackers in phishing emails. Each message carried an attachment containing a file with a double extension in its name. Because Windows hides the extensions of known file types by default, the user saw only the fake, harmless-looking extension the attackers intended. To further convince the potential victim of the file's legitimacy, the executables used the icons of standard Microsoft applications or of a Word document.
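As an added illustration (not code from the ESET write-up), the following mail-gateway style check flags attachment names that use the double-extension trick and shows what a victim with hidden extensions would have seen; the extension lists and sample file names are assumptions.

```python
# Added example (not from the ESET write-up): a mail-gateway style check for
# the double-extension lure described above. The extension lists are assumptions.
import os

# Extensions Windows executes on double-click (assumed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Extensions a lure pretends to be (assumed, not exhaustive).
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".txt"}

def displayed_name(filename: str) -> str:
    """Name Explorer shows with 'Hide extensions for known file types' on:
    the final known extension is dropped, so 'report.doc.exe' reads 'report.doc'."""
    root, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return root
    return filename

def is_double_extension_lure(filename: str) -> bool:
    """True when the real extension is executable and the one before it
    (ignoring padding spaces such as 'photo.jpg      .scr') looks like a document."""
    root, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    inner_ext = os.path.splitext(root.rstrip())[1].lower()
    return inner_ext in DOCUMENT_EXTS

def triage_attachments(names: list[str]) -> list[tuple[str, str]]:
    """Return (real name, name the victim would see) for each flagged attachment."""
    return [(n, displayed_name(n)) for n in names if is_double_extension_lure(n)]

if __name__ == "__main__":
    # Constructed sample attachment names, not real SBDH file names.
    for real, shown in triage_attachments(
        ["invoice.doc.exe", "photo.jpg      .scr", "agenda.docx", "setup.exe"]
    ):
        print(f"flagged: {real!r} (victim sees {shown!r})")
```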

Fig. Attackers disguise the loader executable as a legitimate Microsoft application.

Fig. Attackers disguise the loader executable as a Word document.
Once running on the system, the malware contacts a remote server to download its two main components: a backdoor and a data stealer. Together these modules give the attacker not only full control over the compromised computer but also advanced means of stealing data from it. Thanks to a powerful filter system, the operator can specify in detail which data should be stolen. The filter criteria include the file extension, creation date, size and other attributes, and the filter settings can be changed through the malware's configuration files.

Fig. Malware configuration file.
Since every component of this espionage toolkit needs a connection to the command-and-control (C&C) server, SBDH's effectiveness depends heavily on its ability to communicate over the network. For this reason the authors built several methods of reaching the C&C server into SBDH. The first is plain HTTP. If that is unavailable, the malware falls back to SMTP through a free external gateway for sending emails. The last method uses Microsoft Outlook Express to send specially generated email messages. Such emails are sent under the account of the current user, which lets the malware bypass security restrictions (on the assumption that the current user is allowed to send and receive email). Messages sent by the malware are then removed from the Outbox so that they do not attract attention.
To detect incoming connections, that is, attempts by the operators to contact the bot, the malware searches the user's mailbox for emails with a specific subject line. When SBDH finds such messages, it parses them to extract the operators' commands. Afterwards the bot modifies the subject field so that the message is not picked up again. This last feature was used by SBDH only until 2006, when Outlook Express was replaced by the new Windows Mail application. From then on the authors concentrated on improving the HTTP channel to the C&C server and began disguising it by sending the required data inside fake .JPG and .GIF image files.

Fig. Disguising the communication with the C&C server.
If the C&C server is unreachable, the backdoor component falls back to a hard-coded URL pointing to a fake image file hosted on a free service; that image in turn contains the address of an alternative C&C server.

Fig. Image containing the URL of the alternative C&C server.
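The fake-image disguise used for the HTTP channel and for the fallback C&C address can be triaged on the defender's side by checking whether a file's header matches its claimed image type and whether it carries URL-like strings. The following is an added example, not code from the ESET write-up; every sample byte string in it is constructed and the URL is a placeholder.

```python
# Added example (not from the ESET write-up): triage of files that claim to be
# JPEG/GIF images, the disguise SBDH uses for its HTTP C&C exchange and for the
# fallback C&C address. All sample bytes below are constructed, not real artifacts.
import os
import re

# Leading bytes a genuine file of each type must start with.
MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
         ".gif": (b"GIF87a", b"GIF89a")}
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

def embedded_urls(data: bytes) -> list[str]:
    """URL-looking strings anywhere in the payload (a real image rarely has one)."""
    return [m.decode("ascii", "replace") for m in URL_RE.findall(data)]

def triage_image(name: str, data: bytes) -> dict:
    """Flag a file whose header does not match its extension or that carries a URL."""
    ext = os.path.splitext(name)[1].lower()
    magic_ok = any(data.startswith(m) for m in MAGIC.get(ext, ()))
    urls = embedded_urls(data)
    return {"name": name, "magic_ok": magic_ok, "urls": urls,
            "suspicious": (not magic_ok) or bool(urls)}

# Constructed samples (placeholders, not SBDH data):
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8 + b"\xff\xd9"
FAKE_JPG = b"plain text, not an image"        # text posted under an image name
DECOY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
             + b"http://example.com/alt-c2")   # valid header, URL appended

if __name__ == "__main__":
    samples = [("photo.jpg", REAL_JPG), ("upload.jpg", FAKE_JPG),
               ("banner.gif", DECOY_GIF)]
    for n, d in samples:
        print(triage_image(n, d))
```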
Some of the SBDH samples we analyzed contained an interesting persistence mechanism. The malware modified the Word document handler used by the system so that whenever a Word file was opened or edited from Explorer, the malware's code was executed.
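A defender can audit for this kind of hijack by checking which program the Word file associations actually launch. The following is an added example, not code from the ESET write-up; it assumes the "Word document handler" is the shell open/edit command registered for the Word ProgIDs in the Windows registry, and the ProgID list and sample command strings are assumptions.

```python
# Added example (not from the ESET write-up): audit for the persistence technique
# described above. Assumption: the Word document handler is the shell open/edit
# command registered under the Word ProgIDs in HKEY_CLASSES_ROOT.
import re
import sys

# ProgIDs Explorer uses for .doc/.docx and the verbs worth checking (assumed list).
WORD_PROGIDS = ("Word.Document.8", "Word.Document.12")
VERBS = ("open", "edit")
EXPECTED_EXE = "winword.exe"

def command_executable(command: str) -> str:
    """Lowercase file name of the program a shell command launches.
    Handles quoted ("C:\\...\\WINWORD.EXE" /n "%1") and unquoted paths."""
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    if not m:
        return ""
    path = m.group(1) or m.group(2)
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def handler_is_hijacked(command: str) -> bool:
    """True when the verb launches something other than Word itself."""
    return command_executable(command) != EXPECTED_EXE

def audit_registry() -> list[tuple[str, str, str]]:
    """Windows only: read each ProgID verb from HKCR and return hijacked entries
    as (progid, verb, command). Returns an empty list on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # imported lazily so the module loads on non-Windows hosts
    findings = []
    for progid in WORD_PROGIDS:
        for verb in VERBS:
            key_path = "\\".join([progid, "shell", verb, "command"])
            try:
                with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, key_path) as key:
                    command = winreg.QueryValue(key, None)
            except OSError:
                continue  # verb not registered on this host
            if handler_is_hijacked(command):
                findings.append((progid, verb, command))
    return findings

if __name__ == "__main__":
    for progid, verb, command in audit_registry():
        print(f"suspicious handler: {progid}\\shell\\{verb} -> {command}")
```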

Fig. The B64SBDH identifier in the malware's body.
The name SBDH itself comes from a character sequence that was part of the compilation path in the loader file. Another interesting detail is that the string “B64SBDH” serves as the trigger for downloading the other two components of the malware from the C&C server.
Conclusion
The cybercriminals behind SBDH use the same methods as those behind the Buhtrap operations. This espionage tool shows that even modern threats still spread through simple means such as email attachments. The risk of an organization being compromised by such malware can, however, be reduced significantly by training employees and using a reliable multi-layered security solution.
Indicators of compromise for the SBDH samples (file hashes):