Thursday, March 15, 2018

Inside Qarallax / Adwind / Qrypter leading to Tesla / HawkEye (part 1)

A few months ago I wrote about some Java RAT named QRypter (aka QRat or Qarallax) which is basically Adwind with some layers of obfuscation. The post is here.

Usually, this RAT is used as first stage of the infection. In a second stage additional payload is deployed in the victim. But before I explain this, let's take a look to the capabilities of this QRypter / Adwind.


This RAT written in Java is multiplatform. As it can be seen in the screenshot below is full of functionalities.  


The basic options permits to have full visibility and take control on the victims's file system, processes, connections, etc






But besides that, there are more advance functionalities like capture the webcam, access via Remote Desktop, remote console, retrieve stored password, capture the microphone, key logger, SOCKS proxy, retrieve the data from wallets, etc.


For each of the functionalities, there is an existing module. The modules are original from JBifrost malware, so clearly this is based on JBifrost malware.






Also, the remote console is based on JBifrost


The remote desktop functionality permits also to add new users






But, if all this features are not enough, there is also the possibility to automatically download any additional payload once the victims connects to the C2. This allows to deploy any additional payload to the victims without any interaction in the C2

 

Actually, lot of AgentTesla and HawkEye are being deployed this way.

So, let's talk about a bit AgentTesla and HawkEye

This two families of malware are very close in terms of capabilities and are used by threat actors which operate with similar TTPs. 

HawkEye and AgentTesla main target is to take screenshots of the victims, dump all the passwords stored in different programs (Outlook, browser, etc) and dump all the historical of cute&paste / keylog done in the system. The data is exfiltrated either via HTTP or via mail.

The first thing that happens, after a victim is infected via HawkEye, is that the threat actor receives an email informing that there is a new infection. This is a "Execution Confirmed" message. The content of such data is quite interesting as it contains information about the system, including the name of the file which was the infection vector, the private IP of the system the time frame to log and the functionality enabled.






On the other hand, AgentTesla already provides some data exfiltrated with information about the victim and screenshots in the first email. This is  "screen capture"





HawEye  provides 2 other messages: "stealer records" and "keylog records". The first one is password dumps,  while the second one is all the information recorded in the clipboard and a screenshot



AgentTesla sends two additional set of data: "Keystrokes" and "password recovered".


(To be continued)





Saturday, March 3, 2018

The strange case of Adwind embedded in a MS-DOS file

A few days ago there was a malspam campaign mimicking one bank and delivering a PDF file and some DOC files exploiting CVE-2017-11882










The PDF file contains several images and and two interesting URLs





The first URL, http://dropboox[.]ga clearly is a phishing link for Dropbox, however in this case it is not being used.

The other link, is still active by the time of writing this post, https://urlz[.]fr/6DWd,  redirects to http://mineralsconventionregistration[.]ca/Scann%20copy.z which it is a compressed file. In VT this file is being flagged: https://www.virustotal.com/#/file/670bca12bb20921b4689bb2651a8cc7b87840f31dbf729694027db4fb64e3296/detection





The first time I tried to detonate the file in several sandboxes it did not work, so I was interesting to understand a bit more. The file inside has .JAR extension, however the magic number for this file doesn't really correspond with the extension of the file, as it is MS-DOS




A first analysis of the file shows interesting things.  The beginning of the file is a MS-DOS file:


However, it contains several more files inside:




The analysis from previous tools seems is not accurate as one of the MS-DOS file has 7.2MB, however the total file is only around 800k. Checking with other tools, the analysis is different, for example, with foremost the MS-DOS files doesn't show





When unzipping the the .jar file, there is some warning :




I did a manual analysis on the file and as first look I even see some HTML, PHP and JavaScript code, right after the first MS-DOS code





When dumping the first PHP file, the content clearly is a phishing website to get passwords from email.




Then I forced my sandbox to detonate the file as JAR file, and ignoring the magic number, this worked and I could see they typical Adwind behaviour.








The connection to the Jrat C&C is 185.29.10.138:6060  (jrat138.duckdns.org). That IP is not new to me, as I have seen this IP linked to Qrat / Qrypter / Adwind in some analysis I i did in the past . 


As I said in the beginning, the file doesn't detonate in some sandboxes, due to how it is built. For example, this is the analysis from HA with no detonation

https://www.hybrid-analysis.com/sample/94f087e4f03d4c109db44e9c111e8a4c500ef619ccb5a4833b283495b9ecb23e?environmentId=100
Other sandboxes, detects that the extension doesn't match the magic number





Regarding the AV, it seems some of them detectes the HTML, in the beginning of the file, as phishing. While other detect it as Adwind




The behavior of the DOC files is very similar. However, instead of including the URLs in the PDF file,  CVE-2017-11882 is exploited to download the maliciuos file:




http://mineralsconventionregistration[.]ca/scan.hta

In the end, the final payload is exactly the same in bot cases, however the URL is not exactly the same:

http://mineralsconventionregistration[.]ca/scan.jar





Regardless of what the AV / Sandboxes detect, and what the magic number is,  when the user opens the file via the explorer, the file is executed like a normal Java file, hence it gets infected with Adwind. It seems that bad guys are trying with this techniques to by-pass some detection controls.


IOCs:

 http://dropboox[.]ga
185.29.10.138:6060  
jrat138.duckdns[.]org
http://mineralsconventionregistration[.]ca/scan.jar
http://mineralsconventionregistration[.]ca/scan.hta
1540f31ed4c2a721771dbc452b8feeaa
a9122eb1e0345568540ae6a9e35432cc
1540f31ed4c2a721771dbc452b8feeaa