Threat Hunting – Chthonic Banking Trojan
This is a lab that is conducted in a test bed. The resources were downloaded from malware.trafficanalysis.net. The samples provided came from a case study of an Office workstation that was a victim of a Malware.
We have been called in an office environment where a possible banking malware was identified by the installed detection systems. We will uncover the alert obtained in deep for further analysis. The management would like to know what the purpose of malware was and has there been any external communication involved in the attack. Also, there is also a chance of malware propagating to another system connected to the same network.
The zip file contains only one .pcap file. Considering this as non-tampered pcap we begin the analysis with a manual approach. The task starts with determining below given basic information and then moving onto the core details of the compromise:
- IP address of the victim
- Domain and Hostname name
- Operating system version
- Suspicious External IP Address involved.
We begin our investigation where the basic communication starts with a DHCP handshake. The client server communication happens in 4 phases which are “Discover, Offer, Request, Acknowledge.” They are pretty much self-explanatory. For further details you can refer below refence link:
A couple of DNS requests are observed which are made to dns.msftncsi.com. Indicating this as a windows system and update fetching mechanisms are mainly responsible for such requests. However, it is advised to ensure you have these domains whitelisted and IP addresses id verified against them. Phishing or spamming URL are hosted against these domains, and spoofed updates can also be sent over the network from such malicious domains.
The request number 6-7 are the domain hostname and group name typically observed in the NBNS requests.
The domain flow is as per the standard procedure. The Configuration URLs are auto searched on the domain network. This includes the configuration polices predefined by the network admins. They are Located under wpad.localdomain.
Since the domain controller registers the server record (SRV) record, this allows the client to locate a domain controller (dc) on the network by domain named “DnsDomainName.”
Couple of DNS along with some of the HTTP request were intercepted. They will help us in determining the operating system by following the TCP stream. The “User-Agent” header “Windows 10 => (Windows NT 10.0)” indicated that the victim system might be windows 10. The domains belonging from request no 14-19 called in are again registered under Microsoft controlled domain network.
Making a note of the summary of every phase is important. This helps in the reporting process and set right path in the hunting process.
A quick First Phase hypothesis is detailed below:
- IP address of the victim: 10.0.1.95
- Domain and Hostname name: DELOREAN-PC, DOC-BROWN-GROUP, DOC-BROWN
- Operating system version: Windows 10
A couple of requesta to the MSN content distributor network and weather Microsoft services nothing suspicious from following tcp stream. However, one suspicious request was observed for jgbennett.com. Visiting the website in a restricted environment provided a forbidden page.
A quick google search observed a total virus link which helps us conclude that the website might be malicious and digging deep would find more details about the host. Many times, Google might help if the vector is fairly old however it is not always true for the newly launched campaigns.
Yes, finally a hit. We observe a “.exe” file downloaded from the website visited by the victim. This might the malware hosted by the attacker. Virus total also identified the website as a phishing and malware hosting. We must follow the tcp stream to analyze the response further and verify whether the downloaded file is executable.
The Downloaded file stream indicates the file is indeed an executable. Now we can narrow down the hunt with the available sample. We can now proceed with other observed “HTTP.Requests” where few requests to “amellet.bit.” A quick search on google indicated it as a chthonic malware command and control center. The same can be determined from the request typically in nature of same in length to one host and “POST” method.
What is the chthonic?
A malware mostly targeted the financial systems in 2014. The well-known banking Trojan is from the family of ZeusVm.There have been significant modifications made to this version. However, the basics remain the same. This includes the downloading of a file from a phishing campaign which downloads “word” with malicious “.exe” code embedded in it. The encryptor is same as the one used for Andromeda bots with encryption scheme of Zeus AES. The Andromeda bot help victims get infected by downloading the files to the local system. The exploited vulnerability specifically be ” CVE-2014-1761“.
A quick summary of the vulnerability as per McAfee says that the flaw exists in “overridetable” control word or some of the inside structures. The structures include “lfolevel,” “listoverridecount,” and “listoverride” fields. The predefined value allowed should be 0, 1 or 9 however in the case of the exploit is a trigger for the value of 25. The exploit controls the EIP address in DLL where there is no ASLR protection enabled. Once the download is completed for the malicious file, the code injection happens for “msiexec.exe” process.
After this, the data from the local system is gathered as with the Zeus Trojans and then sent over to the command and control center. The data is XOR with next byte and then encrypted with RC4.
Something common is every two packets having content length and same path. A clear indication of command and control center communications.
Several requests are again made to “msfconnectest,” and a text file is fetched. This communication may at the start may not look suspicious however cannot be neglected and need to be analyzed.
It is nothing but an Internet Connection test run. The weird stuff here is that this test takes place when a change to the connection is made. This would mean may be a MiTM attempt was made by forcefully making a configuring change Many malware families have this capability and again could be considered a threat vector as well. Many considerations are also to be noted. No other request was made to this domain other that the one highlighted and also TCP follow stream displayed no noticeable malicious output.
Moving ahead in the investigation we notice more request made for domain “amellet.bit” with POST method and every 2 packets with the same length. A repetitive environment with the communication. Since we have already flagged amellet.bit we can move ahead with the investigation.
The request reveal a wordpress website with a request made to googleapis and content distribution for singlemoms.org.Again nothing suspicious so far. Using virustotal to help us proove a malicious site also failed since this domain is clean so far.
After a few requests to the domain singlemoms.org. We observe a registered Tokelau domain “krep2010123.tk”.This certainly looks suspicious and needs to be searched deeper We resume our investigation by visiting the website in secured envioenment. The domain shows a deceptive site page and virus total help us hunt down. The website has several redirections one of which is to “freenom.link” and has been reported by VirusTotal as a phishing website.
The Bit defender flagged this website as a potentially unwanted software website. This is the malware hosting site. However, we are still unsure what led the user to this site (the redirection point). Even a single hint can lead us in the right direction.
One more website was included in the hunt, and this would be the redirection point. The website is flagged as a phishing page. The response header “location” helped us make this clear and we can now map a flow for the victim.
There has been something related to a www.singlemoms.com techsupport scam. Many known techsupport scams are present out there, and these are known to be affecting most of the internet users.
The flow here would be as follows.
This further redirect to “http://krep2010123.tk/?number=888-779-0939.” This page also has an mp3 which is a deceptive music’s playing at the hosted website just to create an effect.
Last but not the least we need to extract the objects we may get from the provided “.pcap” file which will include the “.exe” malware.
Not going in to the deep of the malware reverse engineering we can do strings or open it into a text editor and observe some PowerShell function “GetUserName,” “GetCurrentDirectory” etc. A detailed analysis of the malware can be found at https://www.hybrid-analysis.com/sample/00192f879f31c7425524dc4a1dee88a94d4dd24694a332873e3d1478276a69be?environmentId=100.This suffices for our investigation, and we can conclude the same stating all the known observations.
Infected Machine Details:
- Hostname: DELOREAN-PC
- IP Address: 10.0.1.95
- Infection Time and Date: October 21, 2017 (10 Hrs:21 Mins:53 Sec)
- Operating System: Windows 10.
- Malicious Files Downloaded:30_723bio_152.exe
Malicious Domain Observed:
- 22.214.171.124 – jgbennett.com
- 126.96.36.199 – amellet.bit
- 188.8.131.52 – www.singlemoms.org
- 184.108.40.206 – helpcenterforall.bid
- 220.127.116.11 – krep2010123.tk
Domain Registered Countries:
- USA – California
- Holland – Amsterdam
- Tokelau – New Zealand
- USA – Arizona
Malware Variants Downloaded: AZORult, Chthonic Banking Trojan
It does the following:
- Stealer of cookies from browsers and forms (form history, autofill)
- Modifies auto-execute functionality by setting/creating a value in the registry
- Writes data to a remote process.
- Reads terminal service related keys (often RDP related)
- Imports suspicious APIs
- Installs hooks/patches the running process
- md5: 658c30fcd1508a65df8b9b9b397a9459
- SHA256: a56876fd456d0737eecc4a8bbe3154b35314ab28accb29abf0df7c518c81a490
Possible Exploited Software’s: Windows (CVE-2014-1761)
- 2810099 || ETPRO TROJAN Chthonic CnC Beacon
- 2811901 || ETPRO TROJAN Chthonic CnC Beacon
- 2821358 || ETPRO TROJAN Win32/Zbot Variant Checkin
There are various techniques by which an organization can defend itself. This Includes all the following:
- Making use of both IDS and IPS technologies for data packet level analysis;
- Deploying firewalls and routers;
- Running up-to-date security features of any software package that is used;
- Getting the latest software updates and installing on them;
- Understanding how malware works via security awareness training programs;
- Limiting user privileges;
- Using caution with attachments and file transfers;
- Being vigilant when clicking on links to web pages;
- Avoiding downloading pirated software;
- Creating and implementing strong passwords.
We've encountered a new and totally unexpected error.
Get instant boot camp pricing