When it comes to new types of malware, there is always the question of what their objectives are. At the moment we are monitoring a new .NET spyware that has not yet been reported. It distinguishes itself by using persistent anti-analysis techniques implemented by utilizing the Confuser packer. Apart from that, the spyware does not put a lot of effort into disguising itself during runtime, thus revealing its intentions. This malware collects login details from many different programs and uses a keylogger to gather information.
This .NET spyware that we named Camolog is spreading due to an ongoing phishing campaign and it uses a keylogger to collect login details from mail clients, browsers, FTP and instant messenger clients. After these campaigns collect information, the access data gathered is usually sold by cybercriminals or used for later attacks.
In the individual emails of a large wave of spam emails, the subject headings (see screenshot) and attachments are slightly different. Most of the time, the attachments that deliver the malware are between 400KB and 1.3MB in size. In the following screenshot, you can see one of these phishing e-mails with the contact information crossed out, because in many cases, these are the information stolen from real people.
Example of a phishing mail that delivers malware
The phishing email fools the recipients into believing that they are going to receive a price quote or an offer of some kind and this motivates them to open the attachment. However, it contains a RAR archive named “Sample Product 9076_pdf.rar”. The archive hides the executable .NET file “SampleProduct9076_pdf.exe” which serves as a dropper for the spyware and is secured by a version of the publicly available cover-up tool Confuser.
When opening the malware in the .NET decompiler dotPeek, the usage of Confuser becomes apparent. The project name “dimineata” is noticeable and can be used to identify the malware and is displayed in the screenshot below.
The .NET Decompiler dotPeek lets you analyze the Confuser.
On the other hand, the application of both anti-decompiler and anti-debugger techniques makes it harder to analyze the malware. The analysis tool IDA Pro will crash when loading the binary file, specific .NET decompilers do not function properly and debuggers used in dynamic analyses fail, which means that manual analyses will rarely provide information. It’s likely that this is also one of the reasons why there is an absence of this spyware being publicly reported so far.
Bypassing security measures
The only way to obtain an overview of this malware’s behavior is to run it in a safe and controlled environment. In doing so, you can observe that the malware runs as a process named “chrome.exe” with the description “Accu-Chek 360˚ diabetes management software”. This process starts another sub-process with the same name. After a few moments, the original binary file generates a copy of itself as AppData\Local\Temp\iaq\iaq.exe, starts its sub-process and subsequently deletes itself.
At the time the sub-process is loaded, its binary data must be fully extracted and decrypted in the memory. The transfer takes place in the form of a byte array to the AppDomain.Load() function. This function is not affected by the anti-analysis methods of the cover-up tool because it belongs to the .NET framework. Unlike the malware functions, it can be easily analyzed. Thus, with a debugger such as dnSpy it is possible to set a breakpoint on this function and dump the binary file of the malware that is loaded by the dropper. But, let’s have a closer look into the malware itself.
Analysis of spyware.
The binary file of the dropped spyware is only masked by randomly renaming the functions and variables, not by additional anti-analysis methods. Therefore, it is possible to generate readable source code with a .NET decompiler again and thus reveal the behavior of the malware.
Stay in touch
Sign up to get the latest News about Cloud Security.
What information is collected?
The spyware collects numerous information: Next to the FTP Client SmartFTP’s connection data, which are saved in the favorites, but also passwords from the client WS_FTP, recently used connections from FileZilla, connections of saved sessions from WinSCP and the connection data from FTPWare.
Additionally, the account data saved in the Instant Messenger Pidgin and the passwords from the video chat tool Paltalk are read out. Camolog also diligently collects account data from the Outlook and Thunderbird mail clients as well as the login details from the YandexBrowser, ChromePlus and Chromium browsers. The spyware can also record all kind of data and password input with a keylogger.
The Spyware nests itself within the system by creating registry keys for Windows Autorun (see list of indicators). The malware is pretty good at identifying itself in the system through these registry keys and the running process “chrome.exe”.
Cloud protection by Hornetsecurity products
Through the use of our cleverly designed spam filter mechanisms, Hornetsecurity has been detecting the emails of this campaign since they first appeared and we have been filtering them out in the cloud. As a result, there is no way for the spyware to get close to our customers’ business infrastructure.
With Hornetsecurity Advanced Threat Protection, our customers benefit from being protected against any variation of this malware. Through the use of behavioral analysis, the level of protection Hornetsecurity ATP provides exceeds that of a conventional spam filter.
Here is an extract from the ATP behavioral analysis:
The detailed evaluation of the sandbox analysis.
List of indicators for the detection of malware
Subject lines used in the campaign:
- Quotation request
- Quote-Bid Identifier: ITB-0011-0-2018/AM
- Quote-Bid Identifier: ITB-0014/0015-0-2018/AM
- Kindly Quote-Bid Identifier: ITB-0016-0-2015/AM
- Quotation required
Attachment of the phishing email – Win32 RAR Archive
- File name: Sample Product 9076_pdf.rar
- SHA256: 5f5e7a57d9500fcece0b7c88c8925bb13243222182e5badddaa2419bda963ca6
- Attachments of other emails of this campaign:
- 30eaa3e9b9390f603d2a349c0a4cf064225eff3ede60a24aab8e69cf67cf83a5 Product sample 0015_pdf.rar
- 6acf72c636aa9ff2fae225d75eea063c2ee61026151a6c405175dd06e8a5c01f product sample 0019_pdf.rar
- a54f7ff3ecf8acccc23fe2c52fd5e58099852f3448dcec67c6deff5fa925a4d5 Sample product 0011_pdf.rar
- c165676976f9e91738c5b6a3442bf67832a7556e23e49f1a77c115af47b290ee Sample Product 0014_pdf.rar
- 97cea5ce28bbebff16251cbde247362915e8f41a89f979ae266c797aff6ef5e6 Sample Product 0016_pdf.rar
- 5f5e7a57d9500fcece0b7c88c8925bb13243222182e5badddaa2419bda963ca6 Sample Product 9076_pdf.rar
- File type: RAR archive data, v4, os: Win32
- Size: 331K
- Content of the archive, SHA256: 2feb8a19f44c29a83a0561ca7e38492e1a843add08eda2027a8a7c5041af6de6
Dropper from out of the archive
- File name: SampleProduct9076_pdf.exe
- SHA256: 2feb8a19f44c29a83a0561ca7e38492e1a843add08eda2027a8a7c5041af6de6
- Other dropper of the campaign:
- 38782911f7deca093b0e6018fd6c51122a8211c9c446f89de18e6ada85afa0d1 Product sample 0015_pdf.exe
- 542b6a778489710994aadfaca3b57e0a9c03d2e3b6d5617e3220f364cbde9a45 product sample 0019_pdf.exe
- 04381c6ecdf618ce122084a56ca5416c6774cba4b34909e95f7a532523c3e877 Sample product 0011_pdf.exe
- 42992976461c59a4a52e4bf202d4bfcd738408d729ff9cbc55786016cb4075c3 Sample Product 0014_pdf.exe
- 2a159afdc686df016ee370aeed134f9c4fe44320a32ec2eb25d76270206b5b5a Sample Product 0016_pdf.exe
- 2feb8a19f44c29a83a0561ca7e38492e1a843add08eda2027a8a7c5041af6de6 Sample Product 9076_pdf.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- Size: 429K
- Process name: chrome.exe
- Description: Accu-Chek 360˚ diabetes management software
- Drops the file SHA256: 67c7840eefb640e70473ebc4bb7dec89f8168d679226be0696708e3427956114
- Significant string: dimineata.exe
- Stores a copy of itself under C:\Benutzer\analyst\Appdata\Local\Temp\iaq.exe ab
- File name: impartial.exe
- SHA256: 67c7840eefb640e70473ebc4bb7dec89f8168d679226be0696708e3427956114
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- Size: 58K
- Process name: chrome.exe
Registry Keys, of which information have been gathered
- HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles*
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook*
- HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Files, of which information have been gathered
- C:\Users\Administrator\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
- C:\Users\Administrator\AppData\Local\Chromium\User Data\Default\Login Data
- C:\Users\Administrator\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
- C:\Users\Administrator\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
Registry Keys, that have been created to generate persistence
- Autorun entry for the dropper: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\iaq
- reg_value C:\Users\ADMINI~1\AppData\Local\Temp\iaq\iaq.exe
- Autorun entry of the spyware: Spyware: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Application
- reg_value C:\Users\Administrator\Desktop\chrome.exe -boot
Attackers do not always have to use newly developed malicious codes. If it seems appropriate to them, they often also use proven malware for their purposes. In that case, it is obviously very important to choose the distribution path in such a way that the malicious software can be placed without the victim noticing. We took a closer look at such an approach using the example of NanoCore.
NanoCore is a Remote Access Trojan, which has been available in various versions as a relatively inexpensive finished product since 2013. Remote Access Trojans are a very dangerous type of malware that allows attackers to remotely control and monitor infected systems. In 2015, the full version and all plugins of NanoCore was cracked and has been available for free in underground forums ever since.
Stay in touch
Sign up to get the latest News about Cloud Security.
The developer of NanoCore was arrested last year and sentenced to 3 years imprisonment . This case is of particular importance, since it was the first time a developer of a dual-use tool, who did not use the tool “for personal use” for hacking, was convicted. Crucial to the conviction was the fact that the developer had offered the software in hacker forums even though he knew that some of his customers would use the tool for illegal purposes.
NanoCore has still not gone out of style and continues to be up to no good. However, because the tool is very well-analyzed and therefore easily detectable by antivirus products, the attackers often have to be creative to deliver the Trojan. For this reason, they come up with elaborate concealment methods.
Last week, we witnessed a cyber-attack with NanoCore, which creatively combined various techniques to deliver and install the Remote Access Trojan. To do this, the attackers used a combination of phishing, a self-extracting Winrar archive, and the legitimate AutoIT administration tool.
Delivery via phishing mail
The initial phishing mail tricks the recipient into a special business offer, which is supposed to be included in an enclosed PDF called “inquiry.pdf”. The email tries to be more convincing by using the complete contact information. Since this information is often real, we have blackened it in the screenshot below.
Example of a phishing mail
The attached phishing PDF looks like a link to Dropbox but includes a URL that downloads an archive file from another source.
Fake Dropbox page to malware link
This “inquiry.zip” ZIP archive contains the file “inquiry.scr”. The file extension “scr” is only an alternative to “exe” and was formerly used for executable PE files that install screensavers. In this case, it is a self-extracting Winrar archive that is being misused as a malware dropper.
Use of a self-extracting archive
The strings contained in the file show that the scr file is a self-extracting Winrar archive. Significant strings include:
- Software\WinRAR SFX
- WinRAR self-extracting archive
The archive could not be extracted manually without error. Only an execution of the file shows the undamaged content of the archive, consisting of:
- 42 randomly named files with different endings, which are only about 500 bytes in size and contain ASCII data
- The legitimate administration tool AutoIT, renamed as “mta.exe”
- An ASCII file “qoa.docx” that is 951K in size and contains the configuration for AutoIT
- • An ASCII file “stt = dsr” that is 3MB in size and contains an obfuscated script in the AutoIT native VBA-like scripting language
In August 2015, TALOS reported a similar attack that used the combination of a self-extracting archive with AutoIT to distribute NanoCore. Since this attack had even more similarities to the attack we observed, we suggest a link between these incidents. For example, the attack stops for 20 seconds once a running Avast process is detected. In 2015, however, an office macro was used in the phishing mail, while in this case a PDF was used. There are also differences in the payloads delivered, such as the delivery of additional malware in the 2015 Talos attack.
Attackers abuse automation tool AutoIT
AutoIT is a legal tool , used to automate administrative tasks. It provides its own scripting language, which is based on VBA. The tool is available for free and has unfortunately been used so many times by criminals to install malware that it is sometimes mistaken for being dangerous.
The AutoIT script in the file “stt = dsr” from the ZIP archive has an AntiAV technique built in which will put the application to sleep if the process “avastui.exe” is running on the system. It reads out different values from the section “Setting” in the “qoa.docx” configuration file. Afterwards, a randomly named file is created into which one of the detected strings is written. This file is also an obfuscated AutoIT script, 272K in size, and is called “DIENU” in our case. In this file, the string “Settings File Name” is overwritten with the name of the configuration file “qoa.docx”. Then the script sets the attributes of all extracted files to “hidden” and “read only” to make them as inconspicuous as possible. AutoIT is started and the created “DIENU” script, which uses “qoa.docx” as a configuration file, is passed to AutoIT.
Intelligent system check before installing NanoCore
The “DIENU” script makes some changes to the system, such as changing the system configuration and registry entries. It tries to find out if it is running in a VMware or Virtualbox Sandbox. If so, the script aborts to avoid potential analysis. Subsequently, the Remote Access Trojan is installed by injecting malicious code into the process memory of RegSvcs.exe – a .NET tool designed to install services. This technique is often used to hide malware in legitimate programs.
Functional sequence of the NanoCore attack
Flexibility of NanoCore through modular design
NanoCore has a modular structure. The respective plugins, which can be switched on and off independently, are described in detail in an article by DigiTrust. Two plugins were used in this attack: the client plugin in version 220.127.116.11 and the surveillance plugin with product version number 18.104.22.168.
The plugins were written as library files “ClientPlugin.dll” and “SurveillanceExClientPlugin.dll” for .NET and obfuscated with the tool “Eazfuscator.NET 3.3”. The methods have the attributes “DebuggerHiddenAttribute” and “DebuggerNonUserCode”, to complicate the analysis with a debugger. This prohibits debugging these methods and setting breakpoints.
The client plugin is the basic element that handles communication with the command-and-control server and the management of collected information in a key/value collection. The information can optionally be compressed and send to the C2 server via pipe. The client also has options to change settings, uninstall plugins as well as uninstall and control the host computer, such as shutting it down, restarting it, or disabling security mechanisms.
The surveillance plugin comes with all sorts of features for spying on the victim. This allows the attacker to collect passwords, logs and DNS records. The host computer is remotely controllable, and recordings of key inputs, the microphone, or the webcam can be recorded.
The Surveillance Plugin can receive four commands:
- Password: SendTools, EmailClient, InternetBrowser
- Logging: (KeyboardLogging, ApplicationLogging, DNSLogging, GetLogs, DeleteLogs, ExportLogs, ViewLogs)
- Keyboard: Write, Download, LogToServer
- Dns: GetRecords
Generally speaking, it is a comprehensive toolkit to remotely control and monitor the infected computer.
No getting through thanks to Hornetsecurity ATP
As sophisticated as the obfuscation methods of this NanoCore attack are, the true intent of the tool is recognized by the behavioral analysis of the Hornetsecurity ATP Sandbox. It recognizes both the unpacking of the files, the creation of new files, the process injection of the NanoCore DLLs into a legitimate process, the modification of the registry entries as well as the network communication.
Analysis activities of Hornetsecurity ATP
Indicators of Compromise
Die folgenden Dateien mit ihren sha256-Hashwerten wurden in dem Angriff verwendet. Da AutoIT eine legitime Software ist, führen wir das Tool hier nicht mit auf.
- inquiry.pdf** 9c5d693e7c86f8f0c05af495d95a9d6f998ec93bec5c6f8d560d54f8a945f866
- inquiry.zip** e0d88bab6749297eb1c03ec1e86bb0d9b7e53d10de8c05dcde032e5f040d03a2
- inquiry.scr** 4a71602852c7a1a2b3c3c9690af9a96b57c622b459e4fff4f34d43c698b034b8
- DIENU** 5612ac210a8df891f9ed07c5a472beb0d78f1f714f9f37e31320ec1edbc41d9c
- SurveillanceExClientPlugin.dll** 01e3b18bd63981decb384f558f0321346c3334bb6e6f97c31c6c95c4ab2fe354
- ClientPlugin.dll** 61e9d5c0727665e9ef3f328141397be47c65ed11ab621c644b5bbf1d67138403
- qoa.docx** f36603bf7558384d57a9f53dfcd1e727bd6f56d4a664671f06fd5ca1383413d0
- stt=dsr** 6236beb6702dd8396339fdad8c4539d7e177733a0f7cff1ded06f060895feac1
Domain from which the zip archive was downloaded: htXp://ibeitou.com/inquiry.zip
A short while ago, security experts discovered the security breach CVE-2017-11882 in the Microsoft Office suite. Microsoft reacted quickly and closed the breach with a security update. Due to the publication of the exploit, however, attackers are now aware of the breach and target systems that haven’t been patched yet.
All Office versions besides Office 365 are affected by the security breach. The exploit is located in the Equation editor of Microsoft, which is a former version of the formula editor. It uses a buffer overflow which allows the attacker to execute his hazardous code on the user’s system. Through this, it is possible to download malware from the Internet and to install them.
Breach existed for 17 years
The Equation editor was compiled in 2000 and since then never reconditioned. Due to this, it is not fulfilling current security standards and allows a buffer overflow to happen which leads to the exploit. Even though the causing formula editor was replaced in Office 2007, it is still part of the package in order to ensure backward compatibility with older document versions, where the 17-year-old piece of software is needed to display and edit mathematical formula.
The only interaction necessary for the exploit to be executed is for a user to open the infected document. After that, the hazardous code will be executed automatically. Only the protected view, the so-called sandbox of the Office programs, is prohibiting its execution.
Hornetsecurity detects exploit in documents
Since the security breach was published, attackers are increasingly trying to distribute infected Office documents using the exploit. However, Hornetsecurity adapted its filters so it can detect infected documents before they appear in the mailbox. Nevertheless, we advise you to perform the security update as soon as possible.
Some time has passed since the last huge wave of ransomware attacks has been detected. Now, a new type has appeared and it is causing considerable damage. Especially in Eastern Europe and Russia the trojan was successful and infected several companies. But Germany has seen those attacks, too.
The malware Bad Rabbit, named after a specific site in the darknet, where the victims are supposed to pay the ransom. It encrypts local data and demands 0,05 Bitcoins to provide the decryption key. Considering the recent change rates this amounts to 293 USD or 255 Euro.
Down the Rabbit-Hole
The crypto-trojan spreads mainly through compromised news sites. By using so called watering hole attacks, the cyber criminals can target certain user groups and companies. If a user visits an infected website, an automated drive-by-download is initiated and a forged Adobe Flash update is downloaded. As soon as this file is executed, Bad Rabbit enters the system and all data are encrypted after a forced reboot of the computer.
Payment page in the TOR network
Click on the image to enlarge
Like WannaCry and Petya before, Bad Rabbit can spread within a network. However, instead of using the EternalBlue exploit in the Version 1.0 of the SMB protocol, the malware infects other computers through the Windows Management Instrumentation (WMI). To prevent a local distribution of Bad Rabbit, it is advisable to deactivate WMI if it is not in use.
Hornetsecurity recognizes the malware and protects with URL rewriting
The URL rewriting feature of Hornetsecurity Advanced Threat Protection recognizes Bad Rabbit on compromised websites and blocks it. Using Hornetsecurity ATP, you can continue clicking on news links in your emails without fearing to catch the malware.
Nevertheless, we recommend you to create backups on a regular basis and to not download unknown files or even execute them. Especially Adobe Flash updates should only be downloaded from the software producer itself. In case of an infection, do not pay the ransom, because it is unclear whether you will receive the keys necessary to recover your files.