Tuesday, January 2, 2018

Analyzing Ramnit used in Seamless campaign

First

The Seamless campaign, a drive-by download campaign, delivers the Ramnit banking trojan. Many articles about Seamless have been published, for example by Cisco Umbrella, Malware-Traffic-Analysis and traffic.moe. Seamless has used Ramnit since it was first observed. Once run, Ramnit injects code into web pages to steal information such as credit card numbers. Ramnit is a previously reported banking trojan, but since I didn't know much about it, I investigated it.

Seamless Campaign Traffic

First, about the Seamless campaign. It consists of the following traffic.


When a user reaches Seamless's Pre-Gate from the ad network, the Pre-Gate collects the user's time zone and sends it to the server. If the user is in a targeted time zone, the Pre-Gate redirects the user to the Gate via several redirectors. At the Gate the user loads the landing page of the RIG Exploit Kit, which exploits the browser and delivers Ramnit.


Seamless is sensitive to the user's geolocation. A Pre-Gate exists for each target country. For example, the Pre-Gate for the USA redirects to the Gate for the USA, and the Ramnit build for the USA is delivered.

Ramnit Traffic

Ramnit uses its own protocol to communicate with C2. Following this protocol, I'll try to extract the configs and modules from the traffic between Ramnit and C2.

This protocol uses port 443, but it is not HTTPS; it is a simple framing directly on TCP. A packet consists of multiple commands and their data. The structure is as follows.



The magic number is a fixed value; every packet starts with these bytes. length is the length of the command plus the data, i.e. strlen(command + data). command is one byte, and there are various kinds.



Data has three structures.



The RC4 key seems to be stable. In my environment the key is `fenquyidh`.

Let's look at the data using actual traffic. If you have Ramnit traffic, use it. If not, find a Ramnit sample and run it, or look for a pcap. For example, searching the #Ramnit tag on Twitter turns up many tweets; you will surely get Ramnit or its traffic.

Ramnit is a banking trojan, and its behaviour depends on the target country/region. For example, the Ramnit used in the campaign targeting Japan doesn't work from IP addresses outside Japan. The configs and modules that Ramnit fetches from C2 also change. This time, let's look at the traffic of Ramnit for Japan. If you can't get that traffic, please refer to this link; it seems someone kindly released a pcap ;)

https://gist.github.com/anonymous/2d7eef0c0ffba19338afd74823d7a8c9

Let's open the pcap and look at the first packet.



Parsing it according to the protocol gives the following.



This data is encrypted with RC4, so I decrypt it. RC4 is a simple algorithm, so I wrote the code myself.



The results are as follows. Ramnit sends two MD5 values to C2; this registers the bot.

string(32) "d5ad437b032fd239616c1d0d97a6b6eb"
string(32) "e4b7a6323fab5960363d771a124b6079"
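As an added example (not the nao_sec script or Ramnit's own code), here is the framing described above implemented end to end: RC4 with the key `fenquyidh` reported in this post, plus a builder and a parser for the `magic | length | command | data` layout. The page does not reproduce the actual magic bytes or the width of the length field, so `MAGIC` and the 2-byte little-endian `length` are assumptions for illustration, and the command numbers in the sample are arbitrary. The two MD5 strings from the capture above are used as sample plaintext.

```python
"""RC4 and a builder/parser for the Ramnit-style C2 framing
magic | length | command (1 byte) | data, where length = len(command + data).

Added example. ASSUMPTIONS: MAGIC and the "<H" length format are placeholders,
not the real Ramnit values; command numbers in the sample are arbitrary.
The RC4 key is the one observed in the post.
"""
import struct

RC4_KEY = b"fenquyidh"
MAGIC = b"\xff\x00"      # assumption: placeholder magic, not the real bytes
LEN_FMT = "<H"           # assumption: 2-byte little-endian length field


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_packet(command: int, plaintext: bytes) -> bytes:
    """Frame one command. length covers the command byte plus the RC4 data."""
    data = rc4(RC4_KEY, plaintext)
    return MAGIC + struct.pack(LEN_FMT, 1 + len(data)) + bytes([command]) + data


def parse_stream(buf: bytes):
    """Split a TCP stream into (command, decrypted_data) pairs.

    Several commands can be concatenated in one segment, so the parser walks
    the buffer until it is exhausted and refuses bad magic or a truncated unit.
    """
    hdr = len(MAGIC) + struct.calcsize(LEN_FMT)
    units = []
    off = 0
    while off + hdr <= len(buf):
        if buf[off:off + len(MAGIC)] != MAGIC:
            raise ValueError(f"bad magic at offset {off}")
        (length,) = struct.unpack_from(LEN_FMT, buf, off + len(MAGIC))
        if length < 1 or off + hdr + length > len(buf):
            raise ValueError(f"truncated packet at offset {off}")
        command = buf[off + hdr]
        data = buf[off + hdr + 1: off + hdr + length]
        units.append((command, rc4(RC4_KEY, data)))
        off += hdr + length
    if off != len(buf):
        raise ValueError("trailing bytes after last packet")
    return units


if __name__ == "__main__":
    # Constructed sample: two registration-style commands in one segment.
    stream = (build_packet(0x21, b"d5ad437b032fd239616c1d0d97a6b6eb")
              + build_packet(0x15, b"e4b7a6323fab5960363d771a124b6079"))
    for cmd, data in parse_stream(stream):
        print(f"command=0x{cmd:02x} data={data!r}")
```

Because RC4 is a stream cipher with a fixed key and no per-message nonce, a parser like this can decrypt any captured session once the key is known; that is exactly why a stable key makes traffic extraction practical.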

The following script automates these steps.

https://github.com/nao-sec/ramnit_traffic_parser

This script uses tshark. If it is not installed, install it and add it to your PATH. Now, let's run the script.



Files are created in the output directory. Let's look at `064_21.bin`.

This file starts with the string "Antivirus Trusted Module v2.0 (AVG, Avast, Nod32, Norton, Bitdefender)". An MZ header follows at offset 0x120, so it contains a PE file. Carving from 0x120 onward gives the following.
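Rather than hard-coding 0x120, a carver can locate the DOS header, validate it through e_lfanew and split the module into its description string and the embedded PE. The following is an added example (not the nao_sec script); the module blob it runs on is constructed, with a zeroed stub PE header that has only the fields the check needs, and the UPX test is a section-name heuristic, not a full unpacker.

```python
"""Carve the embedded PE out of a downloaded Ramnit-style module.

Added example. Locates "MZ", reads e_lfanew at offset 0x3C, confirms the
"PE\\0\\0" signature, and returns (description_text, pe_bytes). The sample
module produced by make_sample() is CONSTRUCTED for this example.
"""
import struct

PE_SIG = b"PE\0\0"


def find_pe(blob: bytes):
    """Return the offset of the first MZ header whose e_lfanew points at PE\\0\\0,
    or None. A stray "MZ" inside the prefix text is skipped by the validation."""
    start = 0
    while True:
        mz = blob.find(b"MZ", start)
        if mz < 0 or mz + 0x40 > len(blob):
            return None
        (e_lfanew,) = struct.unpack_from("<I", blob, mz + 0x3C)
        pe = mz + e_lfanew
        # A DOS header is at least 0x40 bytes, so smaller e_lfanew is bogus.
        if e_lfanew >= 0x40 and blob[pe:pe + 4] == PE_SIG:
            return mz
        start = mz + 1


def carve_module(blob: bytes):
    """Split a module into its leading description string and the PE file."""
    mz = find_pe(blob)
    if mz is None:
        raise ValueError("no embedded PE found")
    description = blob[:mz].split(b"\0", 1)[0].decode("latin-1").strip()
    return description, blob[mz:]


def looks_upx_packed(pe: bytes) -> bool:
    """Heuristic only: UPX leaves UPX0/UPX1 section names and a UPX! marker."""
    return b"UPX0" in pe or b"UPX1" in pe or b"UPX!" in pe


def make_sample() -> bytes:
    """CONSTRUCTED module: description text padded to 0x120, then a stub PE."""
    prefix = b"Antivirus Trusted Module v2.0 (AVG, Avast, Nod32, Norton, Bitdefender)\0"
    prefix = prefix.ljust(0x120, b"\0")
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)        # e_lfanew -> NT headers
    nt = PE_SIG + bytes(20) + bytes(0xE0)           # zeroed COFF + optional headers
    sections = (b"UPX0".ljust(8, b"\0") + bytes(32)
                + b"UPX1".ljust(8, b"\0") + bytes(32))
    return prefix + bytes(dos) + nt + sections


if __name__ == "__main__":
    desc, pe = carve_module(make_sample())
    print(f"description: {desc}")
    print(f"PE at 0x{find_pe(make_sample()):x}, {len(pe)} bytes, UPX: {looks_upx_packed(pe)}")
```

On a real module, write `pe` to disk and run `upx -d` on it before loading it into IDA; the prefix text is the role comment discussed in the "Ramnit Modules" section.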



It is packed with UPX, so I unpacked it.



Looking at this DLL in IDA, you can see it is a program that interferes with anti-virus software.

Several DLL modules (067_21.bin, 070_21.bin, 073_21.bin) are downloaded in the same way.

Next, let's look at 106_15.bin. This file appears to be a zip; inside were IE cookies. One of the DLL modules zips cookies, so it is probably related.



Finally, look at 139_13.bin. This is the config for the code injected into web pages.



This configuration contains the URLs of many credit card companies and related companies. It is localized for Japan.

Ramnit Modules

I analyzed the modules that Ramnit downloads. All modules had data prepended before the PE file.


The PE file is a DLL packed with UPX.


At the beginning of each module there is a comment describing its role. Most of them match information already published by other analysts.




For Japan

[module 1]

  • AvTrust
  • Antivirus Trusted Module v2.0 (AVG, Avast, Nod32, Norton, Bitdefender)


Adds Ramnit to the exception list of anti-virus software.

[module 2]

  • CookieGrabber
  • Cookie Grabber v0.2 (no mask)


Compresses the cookies of browsers (Firefox, Chrome, Opera, IE) into a zip and sends them.

[module 3]

  • Hooker
  • IE & Chrome & FF injector


Browser communication hook

[module 4]

  • VNC IFSB
  • VNC IFSB x64-x86


I think it is similar to this code:
https://github.com/gbrindisi/malware/blob/master/windows/gozi-isfb/AcDll/activdll.c

[module 5]

  • FFCH
  • FF&Chrome reinstall x64-x86 [silent]


For USA

Modules 1 to 4 are the same. Module 5 instead had the following function.


  • FtpGrabber2
  • Ftp Grabber v2.0


And from a US IP address, AZORult was downloaded.

https://www.hybrid-analysis.com/sample/37b66f9117a2140fa11badad967c09142860d04af9a3564bfe58527d7d7e9270

IOCs

https://github.com/nao-sec/ioc/blob/master/nao_sec/5a34bc94-1eb8-4213-9ab8-34dbc0a8010a.json

Finally

Ramnit has not changed much for a long time. What I saw was consistent with the Symantec whitepaper published in 2014.

https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf

The configuration changes depending on the IP address, but the same modules were downloaded.

Ramnit traffic is interesting ;)

Monday, December 11, 2017

Survey of "ngay campaign"

First

I began observing this campaign around August. It is still carrying out drive-by download attacks and remains a serious threat. The domains used in this campaign are distinctive, so I call it the "ngay campaign". I think this campaign is related to Vietnam: "ngay" (ngày in Vietnamese) means "day". I introduce what I found about this campaign.

Traffic Chain

Look at the following image. This campaign leads to the RIG Exploit Kit. It seems to have used the Disdain Exploit Kit once; now it uses RIG.


HTML like this is included at the landing page URL of the RIG Exploit Kit.


The look of the landing page changes, but previously it looked like this. The site was in Vietnamese.


IOCs

They prefer Freenom domains, that is ".tk", ".cf", ".ml", ".ga" and ".gq". The following are the Freenom domains I observed being used in this campaign.

In addition, ".club" domains are also used.

These domains are characteristic. Many consist of a word plus numbers. The words often include "camp", "ngay", "test", "tonic", "day" or "tds", and the numbers often include "08", "09", "10", "11" or "17". In keeping with the name ngay campaign, date-like numbers are used frequently.
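The naming pattern above can be turned into a simple scorer for hunting candidate domains in passive DNS or proxy logs. This is an added example, not tooling from the post: the weights and threshold are arbitrary choices for illustration, and the sample domains are constructed, not observed IOCs.

```python
"""Score domains against the ngay-campaign naming pattern described above:
Freenom TLD (.tk .cf .ml .ga .gq) or .club, a label containing one of the
recurring words, and date-like digit pairs.

Added example. Weights/threshold are arbitrary; sample domains are CONSTRUCTED.
"""
import re

FREENOM_TLDS = {"tk", "cf", "ml", "ga", "gq"}
OTHER_TLDS = {"club"}
WORDS = ("camp", "ngay", "test", "tonic", "day", "tds")
NUMBERS = ("08", "09", "10", "11", "17")
WORD_RE = re.compile("|".join(WORDS))
NUM_RE = re.compile("|".join(NUMBERS))


def score_domain(domain: str) -> int:
    """Higher means a closer match to the pattern. Scores only the registered
    label, so subdomains do not inflate the result."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return 0
    tld, name = labels[-1], labels[-2]
    score = 0
    if tld in FREENOM_TLDS:
        score += 2
    elif tld in OTHER_TLDS:
        score += 1
    score += min(2, len(WORD_RE.findall(name)))   # recurring words, capped
    score += min(2, len(NUM_RE.findall(name)))    # date-like numbers, capped
    return score


def flag_domains(domains, threshold: int = 3):
    """Return the domains whose score reaches the threshold, highest first."""
    hits = [(score_domain(d), d) for d in domains]
    return [d for s, d in sorted(hits, reverse=True) if s >= threshold]


if __name__ == "__main__":
    # CONSTRUCTED sample log of observed domains (not real IOCs).
    seen = ["camp0917.tk", "tonicday11.club", "example.com",
            "cdn.test10.ga", "news1108.org", "ngay17.ml"]
    for d in flag_domains(seen):
        print(f"{score_domain(d)}  {d}")
```

A score is a hunting lead, not a verdict: "test10.ga" style names also occur on legitimate throwaway hosting, so confirm hits against the redirect chain and the RIG landing page before blocking.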

The IPs corresponding to these domains are as follows. They are all DigitalOcean VPSs.



---

QuantLoader is downloaded and executed by the RIG Exploit Kit, and QuantLoader in turn downloads a cryptocurrency miner.

QuantLoader:
e03bbcf5df946d4c0730d7cca14e3cd38c0a6410948b96f35e99f1eca7b0d3ad
77038978efc49e1121c373339762ba9db03925880c49e080a5c76ba11c517350

Coin Miner:
2ccac3cba9d59b1d740b7984b53d6285f2ac85a3457a3d9e3bf707138bd36e31
dc8756e58cf3a2ca560d925f3af89aeb41689f7ebf6ee36cd00db801130a952a

The miner is hosted on the following domain.

This is QuantLoader's admin page. Looking at the source code, you can see that it was created by "CPPGURU Software".


Conclusion

This campaign has definitely not disappeared. I'll continue to observe it. Please don't use a vulnerable web browser.

Monday, November 20, 2017

Analyzing KaiXin Exploit Kit

First

Yesterday, activity of the KaiXin Exploit Kit was reported by Brad.

http://malware-traffic-analysis.net/2017/11/17/index.html

I began learning about EKs in February 2017, so I didn't know about KaiXin EK and tried to analyze it.

What is KaiXin Exploit Kit

According to "Recent example of KaiXin exploit kit", KaiXin EK has been observed since August 2012. It is mainly used in attack campaigns targeting China, and in recent years almost no activity has been reported. What mechanism does it use to attack?

Traffic Chain

First, I briefly introduce the traffic chain generated by KaiXin EK. Please look at the images.


When the KaiXin EK landing page is accessed, multiple pieces of attack code are loaded. The attack code branches depending on the user's environment (IE, JRE and Flash Player versions, etc.). Ultimately, if the user is a target, malware (an exe file) is downloaded and executed.

Landing Page

KaiXin EK obfuscates its JavaScript, including the attack code. The landing page is also obfuscated, but very simply. Decoding it step by step gives the following code.

https://gist.github.com/koike/5fe67c5c608ef76f735119be8f6e7f79

It uses the JRE or IE version information to choose the next step.


For example, if the JRE version is between 17006 and 17011, it loads the Java applet "EyDsJd.jar". The malware URL ("11.7.exe") is passed as an argument, and the jar downloads and executes that malware by exploiting a JRE vulnerability.


The vulnerabilities used by each jar file are:

BvJfRc.jar CVE-2012-4681
EyDsJd.jar CVE-2013-0422
XlGaYb.jar CVE-2011-3544

After that, the EK uses vulnerabilities other than JRE ones.


Let's look at each of the HTML files being loaded.

RfVvPx.html

"RfVvPx.html" is always loaded. It attacks Adobe Flash Player vulnerabilities.

https://gist.github.com/koike/d958b5ea79a558e5f440008d2abc1ae7


It uses the Flash Player and IE version information to choose which swf file to load. I am not familiar with swf, but the EK downloads and executes malware using some Adobe Flash Player vulnerability.


XsSgBz.html

"XsSgBz.html" is loaded when the user is using Edge on Windows 10. This HTML attacks CVE-2016-7200 and CVE-2016-7201. These vulnerabilities were used in multiple EKs; details are described on Kafeine's blog.

http://malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html

The first part contains code that decodes the download URL, and the shellcode that downloads and executes the malware.

https://gist.github.com/koike/01bea2bcd1ec805d4fc67a2514e95aef


The shellcode is published on GitHub:

https://github.com/stephenbradshaw/shellcode/blob/master/descript.asm

The second part is an exploit for Microsoft Edge (CVE-2016-7200 and CVE-2016-7201). After removing comments etc., it almost exactly matches the code published on the following GitHub page.

https://github.com/theori-io/chakra-2016-11/blob/master/exploit/FillFromPrototypes_TypeConfusion_NoSC.html

OvTiFx.html and HiFyUd.html

"OvTiFx.html" and "HiFyUd.html" use CVE-2016-0189. This vulnerability is also used by RIG EK and others. For details, please see here.

https://gist.github.com/koike/7aae4bdd11cd415c83f2cea4cddc9d03


Malware

This malware is delivered by KaiXin EK. I could not identify it. Please tell me if you can analyze it.

MD5 : 1a1929f525a710c81dfb7873ddad9d33
SHA256 : f710f3c77276e7082d68d365413a658d80b6cac66c8b0c9a67b20426259a2035

https://www.hybrid-analysis.com/sample/f710f3c77276e7082d68d365413a658d80b6cac66c8b0c9a67b20426259a2035?environmentId=100
https://www.virustotal.com/#/file/f710f3c77276e7082d68d365413a658d80b6cac66c8b0c9a67b20426259a2035/detection

Finally

KaiXin EK doesn't have a very complicated mechanism, but its logic was interesting. The vulnerabilities it uses are old and not very effective, but I enjoyed the analysis ;)

A zip archive of the IOC files is here:
https://gist.github.com/koike/276628c896f572a7ebc9e0b933d27c78

Tuesday, October 17, 2017

Response of Rig Exploit Kit has changed

First

On 15 October I noticed a change in the Rig Exploit Kit. It is a very small change, so some people may not have noticed, and its impact is limited. However, it is troublesome for some researchers. I'll introduce this change.

Change of RigEK

First of all, do you know this property of RigEK? RigEK has functions that interfere with analysis. Besides obfuscating its code, it controls access: simply put, RigEK will not attack if the same IP address accesses it more than once in a row. On a repeat access you are redirected to an ordinary website (strictly, there is a grace period of one and a half to two minutes). This makes analysis difficult.

This is the response of the previous RigEK landing page.



The top is the response on the first access. Below it is the response on a second access from the same IP address.

Looking at the second response, you can see it is very characteristic. It redirects to the website in the Location header with HTTP status code 302, but the body containing the attack code is still present. Therefore, by ignoring the Location header, it was possible to analyze RigEK any number of times.

However, two days ago the response for the second and later accesses changed. The new response is as follows.


Instead of HTTP status code 302, the string "not found" is now sent with status 200. This is a small change, but it certainly shows that RigEK is changing.

Finally

Such changes will keep occurring. I will keep noting even small changes and continue to observe RigEK.

Wednesday, September 27, 2017

Looking into Drive-by Mining

First

Recently, reports on mining were released by ESET, Sucuri and Malwarebytes. Drive-by download is not as strong as before, but drive-by mining is on the rise. Drive-by mining has two patterns: compromising ordinary websites, and malvertising. Similar traffic was also observed in my traffic observation environment. I noticed that there are several campaigns, and one of them is very interesting. Here is a simple report on it.

Traffic Analysis

The entry point is an ordinary website. This website loads advertisements, which is how the malvertising happens. The following code was loaded on this website.



About "code[.]moviead55[.]ru", you can refer to the ESET report "Cryptocurrency web mining: In union there is profit".

However, it generated traffic slightly different from that report.

The loaded code is simply obfuscated. When decoded, after some processing it generates an iframe.



This iframe loads an HTML page, which contained the following code.



Let's look at the JavaScript registered as a Worker.



This is the wasm being loaded.
https://www.virustotal.com/#/file/1fd2bc9a5011ad82b543b51b8f800d47bc5d8229a01263de620f878088ff585a/detection

convert.js was very similar to the code published on GitHub:
https://github.com/mtve/yazecminer

Finally, this is the traffic chain.

While accessing it, my CPU was under high load.

Conclusion

Attackers always use the latest technology. I found many sites using Coinhive etc. for drive-by mining. If your CPU load is high when accessing a website, it may be mining.




Saturday, August 5, 2017

Malware dropped by RIG(2017 July)

These are the malware samples I observed being dropped by RIG in July.

If you have additional information, please contact me on Twitter (@nao_sec).

Saturday, July 22, 2017

Seamless Campaign Dropping Ramnit Continuously 1

Please read the previous post about the malware seen in May and June.
http://www.nao-sec.org/2017/07/malware-dropped-by-rig2017-may-june.html

The addresses of the known C2 servers introduced in some blogs are as follows.

  • 142.4.204.195
  • 34.194.213.50 - aofmfaoc.com
  • 87.106.190.153
  • 62.173.141.41 – gssbjwhoose.com
  • 185.118.65.143 - hdyejdn638ir8.com

Refer to the following

Domain names change immediately, while IP addresses are reused several times. I'll report the Ramnit-related C2 servers that samples connecting to these C2s use.

Network Based IOCs

  • 162.255.119.204 - onaxjbfinflx.com
  • 162.255.119.206 - lwqmgevnftflytvbgs.com
  • 162.255.119.18 - sinjydtrv.com
  • 162.255.119.193 - mrthpcokvjc.com
  • 185.118.66.222 - xomeommdilsq.com
  • 166.78.144.80 - ydchosmhwljjrq.com
  • 185.20.225.124 - g283yr84iri4i.com
  • 62.173.141.42 - ypfptjsuthmaaebx.com

Malware Correlation