Today I’d like to share another interesting analysis made by my colleagues and I. It would be a nice and interesting analysis since it targeted many Italian and European companies. Fortunately the attacker forgot the LOG.TXT freely available on the dropping URL letting us know the IP addresses who clicked on the first stage analysed stage (yes, we know the companies who might be infected) . Despite what we did with TaxOlolo we will not disclose the victims IP addresses and so the companies which might be infected. National CERTs have been involved and they’ve got alerted. Since we believe the threat could radically increase its magnitude in the following hours, we decided to write up this quick’n dirty analysis focusing on speed rather than on details. So please forgive some quick and undocumented steps.
Everything started from an eMail (how about that ?!). The eMail we’ve got had the following body.
Second Stage: Obfuscated JSE
Unfortunately the second stage is not the final one. Indeed once de-obfuscated it we figured out that it was dropping and executing another file having the .SCR mimetype. From this stage it’s interesting to observe that only one dropping URL was called. It’s a strange behaviour, usually the attackers use multiple dropping URLs in order to get more chances to infect the victims. The found URL was the following one:
The JSE file dropped the Third Stage into \User\User\AppData\Local\Temp\38781520.scr having the following hash: 77ad9ce32628d213eacf56faebd9b7f53e6e33a1a313b11814265216ca2c4745 which has been previously analysed by 68 AV but only 9 of them recognised as malicious generic file. The following image shows the VirusTotal analysis.
Third Stage: Executable SCR file
Unfortunately we are still not at the end of the infection Stage. The Third stage drops and executes another payload. It does not download and execute from a different dropping website but it drops from a special and crafted memory address (fixed from .txt:0x400000). The following image shows the execution of the Fourth Stage payload directly from the victim’s memory
Fourth Stage: Dropped PE File
Following the analysis it has been possible to figure out that the final payload is something very close to ursnif which grabs victims email information and credentials. The following image shows the temporary file built before sending out information to Command and Controls servers.
Temporary File Before Sending data to Command and Control
Like any other ursnif the malware tries to reach a command and control network located both on the clearnet and on the TOR network. A following section will expose the recorded IoCs.
An interesting approach that was adopted by attackers is the black listing. We observed at least 3 black lists. The first one was based on victims IP. We guess (but we have not evidences on that) that the attacker would filtering responses based on Country in order to make possible a country targeted attack by blacklisting not-targeted countries. The following image shows the used temporary file to store Victim IP. The attacker could use this information in order to respond or not to a specific malware request.
Temporary File Storing IP Victim IP Address
A second black list that we found was on the dropping URL web site which was trained to do not drop files to specific IP addresses. The main reasons found to deny the dropping payload were three:
geo (Out of geographical scope). The threat is mainly focused to hit italy.
asn (internet service providers and/or cloud providers). The threat is mainly focused on clients and not on servers, so it would have no sense to give payload to cloud providers.
MIT. THe attacker does not want the dropping payload ends up to MIT folks, this is quite funny, isn’t it ?
A small section of black listing drop payload
The black lists are an interesting approach to reduce the chance to be analysed, in fact the black listed IPs belong to pretty known CyberSecurity Companies (Yoroi is included) which often use specific cloud providers to run emulations and/or sandboxes.
Personal note: This is a reverse targeting attack, where the attacker wants to attack an entire set of victims but not some specific ones, so it introduces a blocking delivery of payload technique. End personal note.
Now we know how the attack works, so lets try to investigate a little bit what the attacker messed out. For example lets try to analyse the content of the Dropping URL. Quite fun to figure out the attacker let freely available his private key ! I will not disclose it …. let’s say… for respect to the attacker (? really ?)
Attacker Private Key !
While the used public certificate is the following one:
By decoding the fake certificate the analyst would take the following information, of course none of these informations would be valuable, but make a nice shake of analysis .
Common Name: test.dmosk.local
Organization: Global Security
Organization Unit: IT Department
Valid From: June 5, 2018
Valid To: June 5, 2022
Issuer: Global Security
Serial Number: 12542837396936657430 (0xae111c285fe50a16
Maybe the most “original string”, by meaning of being written without thinking too much from the attacker, on the entire malware analysis would be the string “dmosk” (in the decoded certificate), from here the Malware name.
As today we observed: 6617 eMail addresses that potentially could be compromised since they clicked on First stage (evidences on dropping url). We have evidences that many organisations have been hit from this malware able to bypass most of the known security protections since it was behind CloudFlare and with not a specific bad reputation. We decided to not disclose the “probably infected” companies. Nation Wide CERTs have been alerted (June 7 2018) and together we will contact the “probably infected” companies to help them to mitigate the threat.
Please update your rules, signature and whatever you have to block the infection.
PS: the threat is quite a bit bigger than what I described, there are several additional components including APK (Android Malware), base ciphers, multi stage obfuscators and a complete list of “probably infected” users, but again, we decided to encourage the notification speed rather than analysis details.