Thursday, April 17, 2014

[fireeye] Crimeware or APT? Malware’s “Fifty Shades of Grey”

Some cybercriminals build massive botnets to use unsuspecting endpoints for spam, distributed denial-of-service (DDoS) attacks, or large-scale click fraud. With the aid of banking Trojans, other cybercriminals create smaller, specialized botnets that focus on stealing bank credentials and credit card information.

Remote access tools, or RATs, are an integral part of the cybercrime toolbox. For example, a recent FireEye investigation into XtremeRAT revealed that it had been propagated by spam campaigns that typically distribute Zeus variants and other banking-focused malware. Pairing RATs with banking malware may stem in part from the realization that compromising retailers can net millions of credit card numbers in one fell swoop.
Malware designed to compromise point-of-sale (POS) systems is not a new phenomenon. But we have seen a recent surge in malware that specifically targets these systems (e.g. Chewbacca, Dexter, BlackPOS and JackPOS). Moreover, POS malware is being deployed in an increasingly targeted manner. For example, some attacks against retailers have been characterized as “APT style” attacks, a designation traditionally reserved for malware-based espionage sponsored on some level by nation-states.
The extent to which such attacks are targeted, rather than opportunistic, is unclear. The attackers could be singling out specific retailers in advance. Or they could be targeting an entire industry, simply capitalizing on opportunities that arise.
In this blog post, we examine one case that clearly illustrates the nature of this problem.

Attack Vector

The suspicious email shown in Figure 1, which was sent to several companies, prompted us to take a closer look.
Figure 1: Malicious email with JAR attachment
The content of the email is consistent with traditional spam messages that typically propagate banking Trojans. It does not appear to target the recipients specifically. The attachment is a Java archive file (JAR). When executed, the JAR file attempts to download and run an EXE from a remote location. The JAR does not contain a Java exploit per se; it simply uses ordinary Java code (the single CrossPlatformInstaller class listed below) to download the executable, which works because a JAR launched by the user runs as a normal desktop application and not inside the applet sandbox.
The file “CUP retrieval request for 18 Feb 2014.jar” (2fd3c07ac16393723b528ca29a028c00) contains the following:

Size   Compressed   Name
42      50          cfg/config
104     106         META-INF/MANIFEST.MF
3905    2212        CrossPlatformInstaller.class
The “config” file contains the location of the EXE to be downloaded:


The file “acrord.exe” connects to rglink77[.]no-ip[.]biz /
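As an added example (not code from the FireEye post or from the attackers' JAR), the following Python routine performs the triage an analyst would run on an attachment like this one before detonating it: list the entries, read the manifest's Main-Class, count the class files, and pull URL-looking strings out of small non-class resources such as cfg/config. The sample JAR is built in memory with the same entry names as the listing above; its contents, including the URL under example.invalid, are placeholders and not the real configuration.

```python
import io
import re
import zipfile

# Added example, not from the FireEye post or the malware: a triage routine for
# JAR e-mail attachments that flags the downloader layout described above (a
# single class plus a small resource holding a URL).  The sample JAR is built
# in memory with placeholder contents; the URL is a stand-in, not the real one.

URL_RE = re.compile(rb"(?:https?|hxxps?|ftp)://[^\s\"'<>]+", re.IGNORECASE)


def build_sample_jar() -> bytes:
    """Construct a JAR with the same entry names as the listing above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("cfg/config", "http://example.invalid/acrord.exe")  # placeholder URL
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nMain-Class: CrossPlatformInstaller\r\n\r\n")
        # Class-file magic plus padding stands in for real bytecode.
        jar.writestr("CrossPlatformInstaller.class", b"\xca\xfe\xba\xbe" + b"\x00" * 60)
    return buf.getvalue()


def triage_jar(data: bytes) -> dict:
    """Summarise a JAR: entry point, class count, URLs found in small resources."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        infos = jar.infolist()
        classes = [i.filename for i in infos if i.filename.endswith(".class")]
        main_class = None
        if "META-INF/MANIFEST.MF" in jar.namelist():
            manifest = jar.read("META-INF/MANIFEST.MF").decode(errors="replace")
            for line in manifest.splitlines():
                if line.lower().startswith("main-class:"):
                    main_class = line.split(":", 1)[1].strip()
        # Non-class, non-manifest entries under 4 KiB are where a downloader
        # stub typically keeps its target URL.
        urls = {}
        for info in infos:
            if info.filename.endswith(".class") or info.filename.startswith("META-INF/"):
                continue
            if info.file_size < 4096:
                found = URL_RE.findall(jar.read(info.filename))
                if found:
                    urls[info.filename] = [u.decode(errors="replace") for u in found]
    return {
        "entries": [i.filename for i in infos],
        "main_class": main_class,
        "class_count": len(classes),
        "config_urls": urls,
        # Heuristic verdict: an executable JAR with one or two classes and a
        # URL tucked in a resource matches the downloader pattern, not an exploit.
        "likely_downloader": main_class is not None and len(classes) <= 2 and bool(urls),
    }


if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
```

The routine never executes any Java, so it is safe to run on a real sample; the URL it recovers is the indicator to block and to search for in proxy logs, and the verdict is only a heuristic that should send the file to a sandbox, not replace one.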


The payload in this case is the Netwire RAT. Netwire emerged in 2012. It can be used to build malware for multiple operating systems, including Windows, MacOS, and Linux. The RAT is marketed on a variety of underground forums, selling for $40–$140.
This sample was configured with the tag “UNIPAY”, so that the attackers know which hosts were compromised during this campaign.
While looking at the server hosting the file, which appears to be a compromised — but otherwise legitimate — website, we found an additional Netwire sample:

Email Extractor

We also discovered a simple tool used to extract email addresses, along with its output: a list of 8,507 email addresses. The list includes the address used as the “sender” of the email in Figure 1 and that email’s recipient (although we have seen other recipients that are not on this list).
The list contains 1,351 domains that primarily appear to be banks, financial services companies (money transfer / exchange, investment), and businesses (such as shipping, engineering, IT) in the Middle East and Asia. In other words, these attackers are interested in a wide variety of targets.
A website statistics package on the server reveals that “acrord.exe” had been downloaded 802 times, against the 8,507 addresses on the list. This indicates that up to 9.4% of the targets may have opened the malicious attachment and thus may have been compromised. Treat that figure as an upper bound: the counter also records fetches by analysts and sandboxes and repeat downloads from the same host, and a download is not proof that the payload ran.


In addition to the Netwire RAT, the attackers are also using the DarkComet RAT. DarkComet has been available for free since 2008. It is popular on a variety of underground forums and used by a wide range of actors for many purposes. (After reports indicated that DarkComet was used in connection with the conflict in Syria, the creator of DarkComet, DarkCoderSC, created a removal tool and ultimately quit developing the RAT).
In this case, the attackers used an older version of DarkComet (4.0) and specified the ID of “Email”, which probably indicates the attack vector for this campaign.


We also found that the attackers were using JackPOS, a malware tool that has been used in successful attacks before. JackPOS scrapes the memory of running processes and searches it for Track 1 and Track 2 payment card data (the magnetic-stripe data read at a POS terminal) using regular expressions. Matches are then uploaded to a command-and-control (CnC) server.
We don’t know how the attackers were deploying JackPOS in this particular case, but we suspect that once targets of interest were identified using either Netwire or DarkComet, the attackers would then deploy JackPOS to steal credit card information.
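To make the JackPOS technique concrete, here is an added example (our own illustration, not JackPOS code and not from the FireEye post): a Track 1/Track 2 sweep over a memory buffer, paired with the Luhn check that a detection or DLP tool uses to discard false positives. The regular expressions, the well-known test card numbers and the buffer are all constructed for this example.

```python
import re

# Added example (not FireEye's code, not JackPOS): the kind of Track 1/Track 2
# regular-expression sweep a POS memory scraper runs over process memory,
# paired with a Luhn check that a detection or DLP tool would use to cut
# false positives.  Patterns and sample buffer are constructed for illustration.

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.\-]{2,26})\^(\d{4})(\d{3})[^?]{0,60}\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,40}\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn (mod 10) check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_memory(buf: bytes) -> list:
    """Sweep a memory dump for track data; return hits sorted by offset."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({
            "track": 1, "offset": m.start(), "pan": pan,
            "name": m.group(2).decode().strip(),
            "expiry": m.group(3).decode(), "service": m.group(4).decode(),
            "luhn": luhn_ok(pan),
        })
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({
            "track": 2, "offset": m.start(), "pan": pan, "name": None,
            "expiry": m.group(2).decode(), "service": m.group(3).decode(),
            "luhn": luhn_ok(pan),
        })
    return sorted(hits, key=lambda h: h["offset"])


def valid_pans(buf: bytes) -> list:
    """PANs from buf that pass Luhn, deduplicated, in order of first occurrence."""
    seen = []
    for h in scan_memory(buf):
        if h["luhn"] and h["pan"] not in seen:
            seen.append(h["pan"])
    return seen


# Constructed memory dump: two well-known test card numbers that pass Luhn,
# a decoy that fails it, and surrounding noise with digits but no sentinels.
SAMPLE_MEMORY = (
    b"\x00\x00POS v2.1 txn 20140217 1013 \xff\xfe"
    b"%B4111111111111111^DOE/JOHN ^2512101000000000000?\x00"
    b"GET /modules/config.bin HTTP/1.1\r\n"
    b";4111111111111112=2512101000000000000?\x00"   # fails Luhn
    b"amount=1999 cardholder=DOE/JOHN"
    b";5500000000000004=2601201000000000?\x00"
)

if __name__ == "__main__":
    for h in scan_memory(SAMPLE_MEMORY):
        print(h)
    print("Luhn-valid PANs:", valid_pans(SAMPLE_MEMORY))
```

Run it and the decoy PAN that fails Luhn is reported by scan_memory but excluded from valid_pans. The sentinel characters (%B, ^, ;, =, ?) are what make the patterns precise; the Luhn filter is what keeps timestamps and transaction IDs out of the results, and the same pair, run over dumps of the POS application process, is also the basis of many scraper detections.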


The attackers in this case are also using a Carberp-based Trojan with VNC capabilities, which we call “handsnake.” This Trojan is described in more detail in a Polish-language white paper.
Upon execution, the malware begins communication with the CnC server. The decrypted beacon is:

XP Professional Service Pack 3 (build 2600); English (United
At this point, the attackers can use the remote desktop function of the VNC component to take full control of the compromised system.


In addition to the RATs and POS malware described above, we have also seen the attackers deploy the Zeus banking Trojan. They are using version MMBB, which has been previously described here.
When executed, the malware connects to the CnC server to download the “config” file, which contains the “webinjects” to be used:

GET /modules/config.bin HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)
Cache-Control: no-cache
The only major difference between this version of Zeus and previous versions is the shift from RC4 encryption to AES encryption. Note also that the User-Agent string claims Internet Explorer 6.0 on Windows NT 6.2 (Windows 8), a combination that never shipped; a hard-coded mismatch like this is a useful network indicator for the beacon.


The world of cybercrime features a broad spectrum of bad actors. On one end, highly focused state-sponsored attackers use custom tools and zero-day exploits. On the other end, “commodity” cybercriminals use widely deployed exploit kits that indiscriminately compromise thousands of systems around the globe.
In the middle are (at least) “fifty shades of grey.” One class of attacker mixes publicly available malware platforms with custom tools. Such cases suggest that it is not always easy to estimate the size or sophistication of an adversary simply by finding one piece of what may be a far larger puzzle.
