
Dimnie: from geeks with github to corporate accountants

Introduction


While the Russian information security community is closely watching new attacks by the well-known criminal groups Carbanak, Buhtrap and RTM, the ranks of financial threats have gained a new member. This was caused not by the appearance of a completely new banking Trojan but by the addition of a banking module to the previously known spyware Dimnie.

Dimnie is a Trojan for gathering information (screenshots, keystrokes, etc.) and gaining remote access to infected systems. Quite recently, in January, we obtained one of its new modules, which substitutes details in 1C payment orders, and it became clear that the authors of Dimnie do not intend to limit themselves to information theft.

Dimnie gained notoriety in early 2017, when it attacked users of the GitHub service (colleagues from Palo Alto Networks wrote about this in more detail). But according to VirusTotal, this Trojan is far from new: attackers have been actively using it since mid-2014, which is when Dimnie executables were first detected.

Many developers were attacked via GitHub. By stealing their credentials, attackers could compromise projects and carry out a so-called trusted-third-party attack, which exploits the trust placed in an outside organization.

During such an attack, the offender installs a backdoor into the source code of some popular program. When it reaches the customer, the attacker gains access to the systems of all end users, which often turn out to be large companies and government organizations. Thus a cybercriminal kills a whole flock of birds with one stone, compromising many more systems than if they attacked a single company. Access to these systems can then be sold for a tidy sum to criminal colleagues who specialize in particular industry sectors (for example, banks).

The Dimnie Trojan also stood out from the crowd by an unusual way of hiding requests to the management server: it disguised them as requests to the legitimate resources toolbarqueries.google.com and gmail.com and as JPEG images. But the attackers distributed it quite conventionally, with phishing emails and a little social engineering:



Scheme of work


Dimnie is a sophisticated modular Trojan. Its modules are divided into main and auxiliary. The main ones (Downloader, Autorunner, Core and Loader) are loaded with every infection and do no harm by themselves. The auxiliary modules (Keylogger, PCInfo, WebHistory, ProcInfo and Banker) are the payload; it is with their help that information is stolen and substituted on the infected system. Each time Dimnie starts, the Loader module requests additional modules depending on what the criminal wants to do with the infected system. The general scheme of Dimnie's operation is shown in the figure:



List of modules


Our team managed to download and examine the following Dimnie modules:



Infection


On January 29 we recorded a mass mailing of emails like this one:



The email came with a RAR archive containing the file “Documents beginning of the year.exe”, a Windows executable.

A typical email designed to deceive accountants who are not very advanced in cybersecurity matters surprised us with its rather careless execution. It is not our practice to give advice to attackers, but they could at least have removed the “.exe” from the archive name...

According to VirusTotal, the file “Documents beginning of the year.exe” was also distributed under other names:


The criminals used a PDF document icon as a disguise. On Windows with default settings, the user is unlikely to distinguish this file from a real PDF document:



When our unsuspecting accountant opens the file, the payload is launched: in this case the first Dimnie module, which we called Downloader. It downloads the main module and installs it persistently in the system.

Downloader


First of all, the Downloader obtains the Core module and the Autorunner module, which provides persistence in the system. To do this, it makes a DNS query for the record “justteordingto.xyz”.



Interestingly, here too, as in the sample investigated by experts from Palo Alto Networks, the Trojan disguises its requests as proxied requests to the toolbarqueries.google.com and gmail.com resources and as JPEG images:



After that, the downloaded module is executed in a separate thread.



For the Autorunner module, the address of its EntryPoint is determined and the call parameters are generated: the memory address where the module is located, the key for encrypting data transmitted over the network, and the module identifier. The Downloader module then creates an Autorunner thread, waits for it to complete and then deletes it.

Autorunner


The Autorunner module contains the IP address 185.82.217.155, from which the Core module is downloaded.



Depending on the available privileges, Autorunner uses one of three persistence methods:



Core


When the Core module runs, it makes a DNS request for the domain name record “worldmed.bit”, which belongs to the distributed Namecoin blockchain infrastructure. The domain name is requested from the following DNS servers:






The “.bit” domain zone exists outside the common Internet domain name system and is not regulated by ICANN. This is not the first use of Namecoin DNS servers by malware developers: the RTM banking Trojan also used the “.bit” zone to resolve management server addresses. However, Dimnie stands apart here: it uses “.bit” addresses only in the operation of the Core module, while the other modules we found contain the management server address as an IP address hard-coded into the module. Every time it starts, Core loads the Loader module.

Loader


The Loader module downloads and runs all of Dimnie's functional modules. The address from which the Loader downloads this Trojan's modules is the same as the address in the Autorunner module: 185.82.217.156.



At the same time, Loader uses its own implementation of the HTTP protocol. GET and POST requests are built by hand, and low-level Winsock functions are used to send them and receive the responses.



In our estimation, such network interaction is not well suited to corporate networks: if a proxy server is in use, these functions simply will not work.

The communication protocol in this implementation does not differ from the one described in the report by colleagues from Palo Alto Networks. The same domains are used to form the GET and POST requests (toolbarqueries.google.com and gmail.com), and the modules and their reports are likewise disguised as JPEG images.



To encrypt data, the Dimnie authors use AES-256 in ECB mode. This block cipher mode is considered the least reliable: it preserves the statistical features of the plaintext, since identical plaintext blocks map to identical ciphertext blocks. Given that many formats use standard headers and runs of identical bytes, ECB is by no means secure, which makes the choice of the Dimnie authors especially strange.
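To make the ECB weakness concrete, here is an added example (written for this article, not code from the Dimnie sample): the same repeated 16-byte "header" block is encrypted with AES-256 in ECB and in CBC, and the ciphertext blocks that repeat an earlier block are counted. The key, IV and plaintext are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// Constructed demo key (32 bytes, AES-256) and IV; not taken from the Dimnie sample.
var demoKey, demoIV = []byte("0123456789abcdef0123456789abcdef"), []byte("fedcba9876543210")
// Constructed plaintext: a 16-byte "header" block repeated four times, like the
// fixed headers and runs of identical bytes that many file formats contain.
var samplePlaintext = bytes.Repeat([]byte("JFIF-HEADER-BLK!"), 4)
func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}
// encryptECB is ECB mode: the raw block function applied to each 16-byte block on its
// own, so equal plaintext blocks give equal ciphertext blocks (len(pt) % 16 must be 0).
func encryptECB(key, pt []byte) []byte {
	block, ct := mustAES(key), make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// encryptCBC chains each block with the previous ciphertext block, hiding the repetition.
func encryptCBC(key, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(mustAES(key), iv).CryptBlocks(ct, pt)
	return ct
}

// repeatedBlocks counts ciphertext blocks that repeat an earlier 16-byte block: the
// plaintext structure an analyst can read straight off an ECB stream.
func repeatedBlocks(ct []byte) (n int) {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			n++
		}
		seen[b] = true
	}
	return n
}
```

With the four identical plaintext blocks, ECB yields three ciphertext blocks that repeat the first one, while CBC yields none.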



Note that downloaded Dimnie modules are run in different ways:




WebHistory module


The WebHistory module retrieves the browsing history of the infected system's web browsers. It enumerates in the registry all the paths where the history files of Mozilla Firefox, Google Chrome and Internet Explorer may be located, and then for each of them forms a message of the following format:



Here <URLs_XXX> is the browser tag (URLs_IE, URLs_FF, URLs_Chrome), followed by the timestamp at which the data was collected; #URL_FILE is the file in which the records were searched; the records have the format "X ^ Y ^ X ^ V": timestamp, number of requests, request type (h - http, s - https, f - ftp, I - local file) and resource; the final value is the time in milliseconds spent searching for the data.

Keylogger module


The Keylogger module is a keylogger that intercepts keystrokes using the WinAPI function RegisterRawInputDevices and supports the x86 and x64 architectures. At startup, it injects itself into explorer.exe and performs all subsequent actions from the context of that process. The keystroke log is saved to a temporary file in the %TEMP% directory along with window titles and clipboard contents. All this data is then sent to the management server.



PCInfo System Information Collection Module


The PCInfo module collects information about the infected system: computer name and domain name, user list, default encoding and information about network interfaces.

ProcInfo Process Listing Module


The ProcInfo module gets a list of running processes.

Stealer account data theft module


The Stealer module is the so-called Pony Stealer, software for stealing user account passwords from various installed programs. The list of programs from which Pony steals passwords includes more than a hundred popular names, including many FTP clients, email programs (Outlook, Thunderbird) and wallet files (wallet.dat and electrum.dat) that store keys for various cryptocurrencies:



In this case, Pony Stealer is built as a DLL and is loaded in the same way as the other modules. Stolen data is sent to the address “http://185.82.217.244/g/g.php”.

Banker payment data substitution module


The largest of the modules we downloaded, the Banker module replaces the recipient's details in 1C payment-order text files (1c_to_kl.txt) when they are loaded into remote banking systems (bank-client software).

Having received the appropriate command from the management server, the module injects its code into processes, mainly those belonging to web browsers and remote banking systems:


The injected code intercepts the CreateFile function, which is called when files are opened, for example when the user loads a payment order into the bank-client software. If the opened file has the “.txt” extension, begins with the line “1CClientBankExchange” and contains a section named “Payment Order”, the fields with the recipient's details are substituted according to data from the management server.



Details are not substituted in the following cases:


It turns out that the authors of the Dimnie banking module do not intend to steal money from the clients of Sberbank, VTB, Otkritie Bank and state organizations, nor funds remitted to the Federal Tax Service.

All this indicates that the cybercriminals do not want to attract too much attention to their activities, and apparently, until recently, they have succeeded.

It should be noted that the communication protocol of the Banker module differs from that of the other modules: data is exchanged with the management server over SOAP, specifically using the open-source gSOAP library. In addition, requests are sent to the management server without any encryption or obfuscation of the traffic with fake JFIF headers:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:ns="uri">
  <SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <ns:get_Ar>
      <uniq>1234567890</uniq>
    </ns:get_Ar>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Using such methods (SOAP XML) is not typical of malware; it is more often found in enterprise code. Together with the lack of traffic encryption, this suggests that the Banker module was developed by a third-party developer.
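Because this beacon travels in the clear, it can be matched on the wire. The check below is an added example (not from the article or the Dimnie sample): it parses an HTTP body and flags an envelope with the Envelope/Body/get_Ar/uniq structure shown above. The two sample bodies are constructed for the demo, and the check assumes the get_Ar method name does not change between builds.

```go
package main

import (
	"encoding/xml"
	"strings"
)

// Constructed HTTP bodies for the demo: the Banker beacon as quoted in the article,
// and an ordinary SOAP call that must not match.
const bankerBeacon = `<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="uri"><SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><ns:get_Ar><uniq>1234567890</uniq></ns:get_Ar></SOAP-ENV:Body></SOAP-ENV:Envelope>`

const benignSOAP = `<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetQuote xmlns="http://example.invalid/stock"><symbol>ACME</symbol></GetQuote></s:Body></s:Envelope>`

// IsDimnieBankerBeacon reports whether a plaintext HTTP body is shaped like the Banker
// module's request: a SOAP Envelope whose Body holds a get_Ar call with a numeric uniq
// child. Matching uses local element names only, so a changed "ns" prefix still
// matches; the method name get_Ar is assumed to be stable across builds.
func IsDimnieBankerBeacon(body string) bool {
	dec := xml.NewDecoder(strings.NewReader(body))
	var path []string // local names of the currently open elements
	for {
		tok, err := dec.Token()
		if err != nil {
			return false // end of input or not well-formed XML: not this beacon
		}
		switch t := tok.(type) {
		case xml.StartElement:
			path = append(path, t.Name.Local)
		case xml.EndElement:
			path = path[:len(path)-1]
		case xml.CharData:
			// Expected nesting: Envelope > Body > get_Ar > uniq, with a digits-only value
			if strings.Join(path, "/") == "Envelope/Body/get_Ar/uniq" && isDigits(strings.TrimSpace(string(t))) {
				return true
			}
		}
	}
}

func isDigits(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}
```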

Conclusion


Dimnie made a rather contradictory impression on us. On the one hand, it uses interesting techniques: domain masking, disguising traffic as an image, a very complex modular architecture and a resilient Namecoin domain at the bottleneck of that architecture. All this seems to indicate that the authors of Dimnie approached their creation carefully. But at the same time the Trojan has flaws: poor social engineering, use of ECB mode for encryption, inability to work through a proxy server, and a heavyweight SOAP protocol.

Accordingly, protecting against Dimnie is fairly simple:


Such uneven quality of the Trojan led us to think that several attackers of differing skill were involved in its development. But be that as it may, the shift from stealing information to stealing money directly is disturbing.

So far it is impossible even to estimate how much money the authors of Dimnie have already managed to steal: none of those who write about financial cyber threats mention it, and we have not yet encountered successful cases of theft. The Trojan's authors avoid attacking large banks and government organizations and possibly limit the maximum amount stolen. Apparently, they are afraid of attracting the attention of major players in the information security market. And so far they have succeeded very well at this.

Dimnie network indicators:



Source: https://habr.com/ru/post/351122/

