Not long ago the Polish cybersecurity portal ZaufanaTrzeciaStrona.pl reported successful attacks on Polish banks (English version here). The incident was described as the "most serious". The findings were confirmed by Symantec and BAE Systems. Institutions in Mexico and Uruguay, as well as other targets around the world, have since been added to the list of victims.

There are many interesting aspects to these attacks, from the targets and infection vectors to the features of the malicious executables. While the first two aspects have already been covered, the malicious code itself has not been examined in detail. In this post we present a technical analysis of the malware.
Distribution channel
According to ZaufanaTrzeciaStrona.pl, the attackers launched a series of watering-hole attacks, compromising websites that their intended victims visit. The compromised site redirects the visitor to a page hosting an exploit. In Poland, the starting point was the official website of the Financial Supervision Commission (Komisja Nadzoru Finansowego).
According to our data, in Mexico the website of a similar agency was used for the same purpose: the National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores). Unfortunately, this has not yet been confirmed by web-tracking services or by the institution itself. We nevertheless assume that the redirection was made from this site:
Stage 1: Dropper
If the exploit kit delivers the trojan successfully, a malicious payload runs on the victim's computer: a 64-bit console application. Unlike the dropper described by BAE Systems, this program expects one of three command-line switches: -l, -e, or -a (section 2 in the figure below). While the -l switch has the same meaning, the other two are needed to unpack the resources of the next stage (section 4) and to register one of them as an auto-start service (section 5):

In section 5, the dropper attempts to change the configuration of a system service so that the loader is installed as a service. The configuration makes the service start automatically under the Service Control Manager at system boot. This requires administrator rights.
In the first stage the threat does not conceal itself as thoroughly as in the later ones. It even contains verbose messages reporting execution status (here, the extraction of encrypted resources); however, there is no debugging information such as original function names.
The dropper resolves Windows API functions by dynamic loading instead of listing them in the import table (for details, see page 34 of Novetta's Operation Blockbuster report on the Lazarus group). Section 3 in the image above shows the wrapper of this function, which loads one system library after another.
The attackers appear to refer to the second stage as the "loader" and to the third, which carries the main functionality of the malware, as the "module". The loader is dropped decrypted, while the module is extracted and written unchanged. To blend in, the files borrow their creation timestamp from the system library shlwapi.dll.
An interesting feature of the encryption is the relatively new Spritz stream cipher, which resembles RC4. Implementations of Spritz in C and Python are publicly available, and they correspond to the following decompiled code from the dropper:
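To make the cipher concrete, here is an added example (not code from the original post or from the analysed sample) that implements the Spritz keystream generator from the Rivest and Schuldt specification and uses it the way the dropper uses it, to decrypt a stored resource; the key KEY and the resource STAGE are constructed for the demonstration, not values taken from the malware.

```python
N = 256  # Spritz state size; every index below is reduced mod N

class Spritz:
    def __init__(self, key: bytes):
        self.i = self.j = self.k = self.z = self.a = 0
        self.w, self.S = 1, list(range(N))
        self.absorb(key)  # KeySetup = InitializeState + Absorb(key)
    def absorb(self, data: bytes) -> None:  # each byte is absorbed as two nibbles, low first
        for b in data:
            for x in (b & 0x0F, b >> 4):
                if self.a == N // 2:
                    self.shuffle()
                self.S[self.a], self.S[N // 2 + x] = self.S[N // 2 + x], self.S[self.a]
                self.a += 1
    def shuffle(self) -> None:  # Whip, Crush, Whip, Crush, Whip, then reset the absorb counter
        for step in (self.whip, self.crush, self.whip, self.crush, self.whip):
            step()
        self.a = 0
    def whip(self) -> None:  # 2N updates, then advance w to the next value coprime to N
        for _ in range(2 * N):
            self.update()
        self.w += 2  # for N = 256 "coprime" simply means odd, so +2 keeps w odd
    def crush(self) -> None:  # deterministic sort of each (v, N-1-v) pair
        for v in range(N // 2):
            if self.S[v] > self.S[N - 1 - v]:
                self.S[v], self.S[N - 1 - v] = self.S[N - 1 - v], self.S[v]
    def update(self) -> None:  # the RC4-like state step
        S = self.S
        self.i = (self.i + self.w) % N
        self.j = (self.k + S[(self.j + S[self.i]) % N]) % N
        self.k = (self.i + self.k + S[self.j]) % N
        S[self.i], S[self.j] = S[self.j], S[self.i]
    def squeeze(self, r: int) -> bytes:  # r keystream bytes; each byte is one Drip
        if self.a > 0:
            self.shuffle()
        S, out = self.S, bytearray()
        for _ in range(r):
            self.update()
            self.z = S[(self.j + S[(self.i + S[(self.z + self.k) % N]) % N]) % N]
            out.append(self.z)
        return bytes(out)

def spritz_crypt(key: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """Spritz encryption adds the keystream byte mod 256; decryption subtracts it."""
    ks = Spritz(key).squeeze(len(data))
    return bytes((c - z if decrypt else c + z) & 0xFF for c, z in zip(data, ks))

KEY = b"constructed-example-key"  # assumption: a demo key, not the dropper's real key
STAGE = b"MZ\x90\x00" + bytes(28) + b"constructed stand-in for a packed next stage"
```

An analyst recovering a real resource would call spritz_crypt(key, blob, decrypt=True) and check that the result starts with the MZ signature before trusting the key.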
Stage 2: Loader
The loader hides the threat's presence on the infected system. It is protected by Enigma Protector, a commercial utility, and the module is stored encrypted. As expected, the attackers used an unregistered copy of 64-bit Enigma v1.31; it would be naive to expect a skilled author to make the elementary mistake of risking exposure by using an officially registered copy. (Conversely, the use of cracked or pirated software, where available, is not unusual.) Attackers planning to build a botnet generally avoid commercial packers, because some anti-virus vendors detect them by signature, which limits the potential size of the botnet. In a targeted attack, however, such protection has advantages, one of them being that recovering the original binary (as it was before protection was applied) is far from easy.
It may seem that only 64-bit versions of Windows are at risk, but that impression is wrong: 32-bit variants of the malware were also found on computers in the affected institutions. Despite the similar structure, the 32-bit version is not simply a recompilation of the 64-bit one; it differs slightly: the dropper and loader stages are merged into one, classic RC4 is used instead of Spritz, and the module of this stage is stored in the system registry rather than in the file system. The Enigma Protector version used is 3.7 with a single-developer license, and the binary was evidently protected on January 11, 2017.
Stage 3: Module
The third and final stage is a relatively large module (about 730 KB) containing the main functionality of the malware: communication with the C&C server and receiving commands from the operators. The module injects itself into all current sessions on the compromised Windows system.
The bar at the top shows the different parts of the binary: code sections are highlighted in blue, data sections in grey-yellow. Light blue (as opposed to dark blue) marks code statistically matched to existing libraries. Besides the usual C runtime, we found a match with the open-source libcurl file-transfer library (version 7.47.1, released on February 8, 2016), as well as code fragments from the OpenSSL and XUnzip projects. The colouring of the bar is not generated automatically: we had to explicitly mark the parts we consider library code and import all the function names. The dark blue sections are code written by the attackers.

Only one URL is hard-coded in the module, and the data exchange is encrypted. We did not record any communication because the remote server did not respond during the analysis. The module supports enough commands to classify it as a remote access trojan. The instruction set is the following: "SLEP", "HIBN", "DRIV", "DIR", "DIRP", "CHDR", "RUN", "RUNX", "DEL", "WIPE", "MOVE", "FTIM", "NEWF", "DOWN", "ZDWN", "UPLD", "PVEW", "PKIL", "CMDL", "DIE", "GCFG", "SCFG", "TCON", "PEEX", "PEIN". The purpose of most commands is obvious: SLEP puts the module to sleep, PKIL kills a process, UPLD exfiltrates data, DOWN downloads, DEL deletes a file, and so on. It is possible that libcurl's original functions were adapted to the attackers' needs. However, libcurl is a large project with hundreds of contributors, tens of thousands of lines of code, and hundreds of releases, so verification and analysis are still ongoing.
Lazarus-like toolkit
BAE Systems researchers describe a 32-bit dropper protected by Enigma as follows: "After unpacking, the software drops a version of known malware resembling part of the Lazarus group's toolkit". Symantec experts confirm this: "Some code strings resemble malware used by the Lazarus cybergang." The link is further supported by the Novetta report, in particular by the dynamic API loading already mentioned. Based on this evidence, we characterise the key properties of the attackers' malicious toolset as follows:
- Multi-stage malware, with the stages executed in cascade.
- The initial stage is a console application that expects at least one parameter.
- Windows API functions are loaded dynamically.
- The RC4 stream cipher, or a similar algorithm with a long key, is used to decrypt the next stage.
- The next stage(s) are DLLs loaded as a service with startup type SERVICE_AUTO_START (administrator rights are required).
Our data shows recent in-the-wild activity of various Lazarus-like samples. However, building a clear picture of the incident will take time and additional information.
Strange discovery
During the investigation we found an interesting sample from this malware family: a console application, fdsvc.exe, that expects four parameters (compare with characteristic 2 in the list above) and executes in multiple stages (1). Moreover, it decodes the next stage using RC4 with a 32-bit key (4). Two properties from the list (3 and 5) are missing. On the other hand, the tool injects its payload into all running Windows sessions, and the payload is statistically matched to libcurl v7.49.1.
Another interesting feature is the command set of the final stage. The commands are "in Russian", written in transliterated Cyrillic, but they do not look much like the work of a native Russian speaker.

This sample is another reminder of how careful one must be when trying to determine the attackers' native language. Such "bait" in broken Russian may well be staged. Without going into philological detail, recall that malware authors most often denote commands with numbers or Latin-letter abbreviations; a 12-letter command is impractical, to say the least.
Conclusion
Having examined the samples, we venture to suggest that this is neither a reuse of code that existed long before the attacks on Polish banks nor a forgotten or abandoned project. Moreover, over many weeks we have seen new malware resembling "our" samples emerging.
The attackers behind the incident are highly skilled, so information security specialists at financial institutions should not relax. Incidentally, it is worth reminding readers of the 50% discount when switching to ESET antivirus products from other vendors' solutions; for details, click here.
Sample Table and Indicators
Samples used in the attacks:

Malware with transliterated text in its code:
