Malware analysis

Threat Hunting – Malspam –Japan Office Infected

Kapil Kulkarni
February 20, 2018 by
Kapil Kulkarni

This is a lab that is conducted in a test bed. The resources were downloaded from malware.trafficanalysis.net. The samples provided came from a case study of a Japanese field office that was a victim of a major Cyber-attack.

Scenario

You work as a security analyst for a company with locations worldwide, and recently, corporate headquarters opened a field office in Japan.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

On Tuesday 2017-06-27, you notice several high-priority alerts from two different Intrusion Detection Systems (IDS). One IDS is running Snort using the Snort subscription ruleset, and the other is running Suricata, using the EmergingThreats Pro ruleset.

The results indicate a Windows computer was infected at the Japan field office, and you been asked to investigate this security breach. You have the "pcap," a text file containing the Snort alerts, and a text file containing the Suricata alerts.

We have been assigned the specific task to determine the cause of this Cyber-attack. We have been provided certain files upon which we will begin documenting and hunting systematically. The main purpose here is to investigate the malware's existence and the associated programs installed which include the command and control center tracking.

The files which have been provided are as follows:

  • 2017-06-28-traffic-analysis-exercise. pcap
    • File containing the traffic capturing post and pre-infection phase.
  • 2017-06-28-traffic-analysis-exercise-Snort-alerts.
    • Alert Files for the SNORT, which is an open source network intrusion prevention system.
  • 2017-06-28-traffic-analysis-exercise-Suricata-alerts.
    • Alert Files for the Suricata threat detection engine.

To begin this analysis, we use the available signatures to analyze the file and determine whether there is any known infection that is residing on the system. There are two different approaches that we can utilize:

  1. We can analyze the file through the available signature detections only.
  2. We can create a supposition and then use the required tools to reach a conclusion.

Considering both approaches, the second one will require more time depending on the data packet or sample size. Industry grade practices include a hybrid approach where we can analyze the files through various threat detection tools and then formulate a hypothesis.

We will be following the hybrid process. Below are websites that can be used to upload and verify the threat existence:

For this lab, we will use the VirusTotal website. It shares the samples with all the renowned AVs, and thus, it has the better reliability of detection. This is illustrated in the screenshot below:

We will be using a malware named "Trojan.Win32.Ursnif.eqlfmr". This is illustrated up above.

A quick search of resources that are related to the identified threat revealed more information regarding the whereabouts of this specific malware.

A few indicators of compromise are identified, which are described as:

The pcap file now has been utilized for further analysis since we have hit it now. Filtering for the pcap file with "HTTP.request" filter in Wireshark and a review of the host column shows a familiar host for the malware "vantagepointtechnologies.com." This host will lead to the downloading of a file named "wp.exe." This is illustrated in the screenshot below:

Here are the observed details:

IP address: 192.168.1.96

Hostname: FlashGordon-PC

The system is infected by the "Trojan.Win32.Ursnif.eqlfmr". Also, the wp.exe file has downloaded from the affected host.

This specific malware downloads more files and can steal the end user's private and confidential information. Also, it collects the passwords that are stored in the Internet Explorer web browser. It installs itself as an Adobe Flash Update and is spread through email. It targets the system registry and modifies it in such a way that it runs every time the Windows OS boots itself up.

TrojanSpy: Win32/Ursnif drops the following file, which is a device driver:

%windir%new_drv.sys - also detected as TrojanSpy:Win32/Ursnif

We resume our investigation through the pcap file provided where we can start examining for other pieces of evidence that are suspicious in nature other than the "TrojanSpy: Win32/Ursnif".

The first two requests that we observe are the DNS queries which attempts to connect to the matied.com IP of the matied.com website. It is loaded, and the user is taken to it, and this is proven to be a malicious website as well. This is illustrated in the screenshot below:

This threat has been flagged, and as a result, this will make other security resources involved as well. Because of this, we can now proceed with the "http.request." This is illustrated in the screenshot up above.

Also, the next request to be invoked is the standard "TCP handshake." This directs the HTTP traffic to matied.commtaking, as illustrated below:

The "gerv.gun" is a file request from the host machine. Various traces from the AV tools and reports revealed that the payload was embedded into the file and later installed onto the system. The malware was identified as a Trojan-Banker.Win32.Shiotob.wiu and is a possible replication of the Ursnif /Gozi ransomware.

The victims were made the primary targets of the phishing campaign. For example, the email appeared to be from a legitimate source, as illustrated in the screenshot below:


To analyze the file on a deeper level, we extracted the export HTTP objects. There are various methods to accomplish this task. One of the simplest is as follows:

"File → Export → Objects → Http."

You will then be provided a list of objects which can then be successfully extracted.

Next, select the one that is required and extract that object.


We have now retrieved the trow.exe and the wp.exe files. Since the latter is an infected file, we are only left with the trow.exe. file.

There is also a grev.gun file for which the request determined that it was some kind of executable wrapped inside a gun file. We were not able to successfully retrieve it, but there are plenty of resources to flag it down as a malicious file.

A hybrid analysis (www.hybrid-analysis.com) was used for further analysis. The impacted URL's are the ones that were visited by our host machine. The malware then read the terminal service related keys (often RDP related), followed by reading the active computer name and the windows installation date. Subsequently, the malware triggered payloads and imported suspicious APIs. This is illustrated in the screenshot below:

The Trow.exe file was obtained again with HTTP object. This proved to be vulnerable to various domains. The malware is from a family of the Win32/Cutwail, and thus leads to the downloading and executing of various arbitrary files hosted on compromised domains.

This malware family is used to compromise computers in various ways, at the attacker's will. For example, it can distribute additional malware, send spam, generate false 'pay per click' advertising revenue, harvest email addresses, and even break the security features of the "captchas" that are often used as a means of verification. The malware can also embed itself as a rootkit to bypass any detection and removal of it. This is illustrated in the above two screenshots.

The distribution URL includes the lounge-haarstudio.nl and the vatagepointtechnologies.com websites. By using the Linux based "file" and "strings" commands, it was revealed that these are 32-bit Windows executable files. Also, we also observed the file sections and the file imports which include the following Windows-based DLLs:

  • kernel32.dll
  • KERNEL32.dll
  • USER32.dll
  • GDI32.dll
  • ADVAPI32.dll
  • SHELL32.dll
  • ole32.dll
  • WinSCard.dll
  • COMCTL32.dll
  • pdh.dll
  • RPCRT4.dll
  • gdiplus.dll
  • WINHTTP.dll
  • WTSAPI32.dll

The corresponding executable files can even be accessing the privilege DLLs, as it is illustrated in the screenshot below:

Not forgetting that there are plenty of object files dumped from the export, we see some form of obfuscated data that may not be necessarily maybe malicious. While tracking down the command and control center, we come across numerous POST requests that contain obfuscated data.

This is an expected behavior from the client side which tries POSTing data to the server. There are also instances in which the data may be transferred to the server on port 443 but will be cleartext in nature. This is all illustrated in the above screenshots.

To track this down, we can make use of the network logs or signatures from the SIEM tools. If these tools are not available, we can then go ahead with either the VirusTotal or the hybrid analysis.com. These resources both consist of a database that has command and control centers, depending on the type of malware that is identified. This is illustrated in the screenshot below:

Finally, we have now reached a level where it has been confirmed that various attack agents and can now "beef up" the process with all sorts of details. As a result, this can be used by the defensive mechanisms that are implemented by the affected organization.

Conclusion:

Infected Machine Details:

Hostname: FlashGordon-PC

IP Address: 192.168.1.96

Infection Time and Date: Jun 27.2017 09:38:32 EDT

Operating System: Windows 7(user agent string mapped with operating systems)

Malicious Files Downloaded:

  • gerv.gun
  • wp.exe
  • trow.exe

Malicious Domain Observed:

Domain Registered Countries:

  • United States of America (Phoenix, AZ)
  • United States of America (Fort Lauderdale, FL)

Malware Variants Downloaded:

  • Win32/Cutwail
  • Trojan-Banker.Win32.Shiotob.wiu

Malware Impact:

It does the following:

  • Steals passwords
  • Provides advanced stealth functionality by dropping a second device driver to the disk;
  • Downloads and runs files;
  • Hides and protect its registry entries;
  • Hooks the various functions via the System Service Descriptor Table (SSDT);
  • Changes Internet settings;
  • Disables programs;
  • Monitors and steals user credentials;
  • Communicate directly with a remote server.

Md5 Signatures:

wp.exe - 4da48f6423d5f7d75de281a674c2e620

trow.exe - fb75d4f81be51074bb4147e781e5b402

(Obtained using md5sum command)

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

Possible Exploited Software's:

  • Adobe flash
  • Microsoft Internet Explorer 7

Signatures Triggered:

  • ILE-EXECUTABLE download of executable content [11192]
  • FILE-EXECUTABLE Portable Executable binary file magic detected [15306]
  • INDICATOR-OBFUSCATION potential JavaScript unescape obfuscation attempt detected [19887]
  • POLICY-OTHER Remote non-JavaScript file found in script tag src attribute [32481]
  • POLICY-OTHER Remote non-JavaScript file found in script tag src attribute [35180]
  • ILE-EXECUTABLE download of executable content [11192]
  • FILE-EXECUTABLE Portable Executable binary file magic detected [15306]
  • INDICATOR-OBFUSCATION potential JavaScript unescape obfuscation attempt detected [19887]
  • POLICY-OTHER Remote non-JavaScript file found in script tag src attribute [32481]
  • POLICY-OTHER Remote non-JavaScript file found in script tag src attribute [35180]
  • ET SHELLCODE Possible UTF-16 encoded Shellcode Detected [2003174]
  • ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) [2009205]
  • ET TROJAN Backdoor.Win32.Pushdo.s Checkin [2016867]
  • ET TROJAN Connection to Fitsec Sinkhole IP (Possible Infected Host) [2016998]
  • ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz [2018141]
  • ET TROJAN Pushdo.S CnC response [2018897]
  • ET CURRENT_EVENTS WinHttpRequest Downloading EXE [2019822]
  • ET POLICY OpenDNS IP Lookup [2023472]
  • ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan [2009749]
  • ET SCAN Unusually Fast 404 Error Messages (Page Not Found), Possible Web Application Scan/Directory Guessing Attack [2009885]
  • GPL WEB_SERVER 403 Forbidden [2101201]
  • ET POLICY Proxy Connection detected [2001449]
  • ETPRO TROJAN Sinkhole.tech Sinkhole Reply [2826425]
  • ET POLICY PE EXE or DLL Windows file download [2000419]
  • ET POLICY exe download via HTTP - Informational [2003595]
  • ET POLICY Binary Download Smaller than 1 MB Likely Hostile [2007671]
  • ET POLICY Internet Explorer 6 in use - Significant Security Risk [2010706]

Recommendations:

There are various techniques by which an organization can defend itself. This Includes all the following:

  • Making use of both IDS and IPS technologies for data packet level analysis;
  • Deploying firewalls and routers;
  • Running up-to-date security features of any software package that is used;
  • Getting the latest software updates and installing on them;
  • Understanding how malware works via security awareness training programs;
  • Limiting user privileges;
  • Using caution with attachments and file transfers;
  • Being vigilant when clicking on links to web pages;
  • Avoiding downloading pirated software;
  • Creating and implementing strong passwords.

References:

Kapil Kulkarni
Kapil Kulkarni

Kapil Kulkarni is Security Consultant at Aujas Networks and Freelance Writer. Kapil is a security pentester with over 3 years experience in the field, he is Offensive Security Certified Professional and Certified Ethical Hacker at EC Council.He is also a bug-bounty hunter and has interest in threat hunting.In the past he has worked on IoT, SCADA , PLC along with application and network security projects as well.His blog of teampwners can be found here:https://teampwners.blogspot.in/ and can be reached at kapil_kulkarni@yahoo.co.in and LinkedIn here at https://www.linkedin.com/in/kapil-kulkarni-oscp-ceh-5a333763/