In this blog post we take a deep look at a spam campaign in which, unlike other possible scenarios, the victim is infected by opening and running an email attachment. At the beginning of this year, we blogged about a spam campaign with a different lure - a fake email from the popular WhatsApp messenger. This time we look at a spam email which tries to convince the victim that it originates from their bank. The malicious email contains content similar to the following:
Subject: FW: Bank docs
We have received this documents from your bank, please review attached documents.
As mentioned in other sources (1, 2, 3), the scenario is always similar. The victim is sent an email with an attachment. The email subject refers to something like bank documents, a statement, important docs, UPS delivery info, an invoice, a receipt, an online submission, etc.
The body of the email advises the victim to download and open the attachment. The attachment is usually a zip archive with a malicious file inside. The file is usually very small (around 20KB), has a PDF icon and the extension .exe or .scr, both of which are Windows executable files. On Windows machines with default settings, extensions of known file types are not displayed, so the executable extension is often hidden and the file looks like a PDF document.
The enclosed file is a downloader which tries to download additional payloads. First, it moves itself to the %TEMP% directory and runs from there. After deobfuscation in memory, we see some interesting strings. They reveal which domains it is supposed to connect to, and which files it is supposed to download and execute. Our sample attempts to download the files 1203a.ton and 13003UKp.ton.
After downloading, both files are blocks of binary data starting with a ZZP signature.
This blob is then decrypted, DWORD by DWORD, by a simple XOR operation. The decryption key is hardcoded in the downloader; in our case it is 0xAC0CC81C. After decryption, we get an executable file compressed with an LZ method. Decompression of the buffer in the figure below is performed by the RtlDecompressBuffer function.
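The first decoding stage described above, written up as an added analysis helper (not code from the original post or from the malware): it checks the ZZP marker, XORs the remainder DWORD by DWORD with the key 0xAC0CC81C, and triages the result by the signatures named in this analysis. It assumes the 3-byte marker is not itself encrypted and that a trailing partial DWORD is XORed with the leading key bytes; the LZ decompression step (RtlDecompressBuffer) is not reimplemented, and the sample payload is constructed.

```python
import struct

XOR_KEY = 0xAC0CC81C   # decryption key hardcoded in the analysed downloader
ZZP_SIG = b"ZZP"       # marker at the start of the downloaded .ton blobs


def xor_dwords(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR data DWORD by DWORD with a little-endian 32-bit key.

    Assumption: a trailing partial DWORD is XORed with the leading key bytes.
    """
    key_bytes = struct.pack("<I", key)
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def decrypt_ton(blob: bytes) -> bytes:
    """Check the ZZP marker and XOR-decrypt everything after it.

    Assumption: the 3-byte marker is not part of the encrypted data.
    In the real sample the result is still LZ-compressed and the
    downloader expands it with RtlDecompressBuffer (not reimplemented here).
    """
    if not blob.startswith(ZZP_SIG):
        raise ValueError("missing ZZP signature")
    return xor_dwords(blob[len(ZZP_SIG):])


def classify_stage(buf: bytes) -> str:
    """Triage a buffer by the markers named in the analysis."""
    if buf.startswith(ZZP_SIG):
        return "encrypted ZZP blob"
    if buf.startswith(b"M8Z"):       # aplib-packed MZ header (dropper resources)
        return "aplib-packed PE"
    if buf.startswith(b"MZ"):
        return "PE"
    return "unknown"


def build_sample_blob(payload: bytes, key: int = XOR_KEY) -> bytes:
    """Construct a ZZP blob from plaintext for testing (XOR is symmetric)."""
    return ZZP_SIG + xor_dwords(payload, key)


# Constructed stand-in for a decrypted payload (9 bytes, so the tail path runs).
SAMPLE_PLAINTEXT = b"MZ\x90\x00\x03\x00\x00\x00\x04"

if __name__ == "__main__":
    blob = build_sample_blob(SAMPLE_PLAINTEXT)
    print(classify_stage(blob), "->", classify_stage(decrypt_ton(blob)))
```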
As mentioned above, the downloader downloads several different payloads at the same time. The first payload is Zbot/Gameover, which was recently covered by Sophos. The other one is Tuscas spyware.
Win32/64: Tuscas spyware
Let's look more deeply into the second payload. After removing the cryptor, we see 6 different resources, packed with aplib. Notice the signature M8Z, which is the beginning of an MZ header packed with aplib.
When the dropper is executed, it unpacks several of these files and drops them into the %WINDOWS% directory. These files are client.dll, client64.dll, a 64-bit injector, zlib1.dll, aplib.dll and aplib64.dll. Client.dll and client64.dll are the most interesting ones, because they are injected into the targeted processes - explorer.exe, iexplore.exe, chrome.exe and firefox.exe. Client.dll is injected into 32-bit processes, client64.dll into 64-bit processes.
The figure below shows an infected machine with client.dll injected into Internet Explorer.
Besides dropping the dll files, the dropper also executes several system commands, saves their output to a file, packs it into a cabinet archive and sends this archive to the C&C.
These commands are:
1) cmd /C "systeminfo.exe > %s"
returns various system information, including the host name, OS name and version, locale settings, installed hotfixes, and network card and network info
2) cmd /C "tasklist.exe /SVC >> %s"
returns the list of running processes and the services hosted in them
3) cmd /C "driverquery.exe >> %s"
returns the list of kernel drivers
4) cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
enumerates all keys and values under the Uninstall registry key, i.e. the installed software
5) cmd /C "echo -------- >> %s"
appends a separator line to the output file
6) cmd /C "makecab %s %s"
compresses all the acquired information into a CAB archive
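The command chain above is a usable detection signal on its own: systeminfo, tasklist /SVC, driverquery, reg query of the Uninstall key and makecab, all launched through cmd /C on one host within a short time. The following is an added example (not code from the original post) that runs that logic over a few constructed process-creation log lines; the log format "timestamp host=... cmd=..." and the 5-minute window are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Recon stages the dropper runs, as patterns over the process command line.
RECON_PATTERNS = {
    "systeminfo": re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
    "tasklist": re.compile(r"\btasklist(\.exe)?\b.*\s/SVC\b", re.I),
    "driverquery": re.compile(r"\bdriverquery(\.exe)?\b", re.I),
    "reg_uninstall": re.compile(r"\breg(\.exe)?\s+query\b.*CurrentVersion\\Uninstall", re.I),
    "makecab": re.compile(r"\bmakecab(\.exe)?\b", re.I),
}
WINDOW = timedelta(minutes=5)   # assumed: the dropper runs the chain back to back
# Assumed log format: "<iso timestamp> host=<name> cmd=<command line>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) cmd=(?P<cmd>.*)$")

def parse(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["cmd"]

def find_recon_chains(lines, min_stages=4):
    """Return {host: sorted stage names} for hosts on which at least
    min_stages distinct recon stages started within WINDOW of each other."""
    hits = defaultdict(list)            # host -> [(timestamp, stage)]
    for ts, host, cmd in parse(lines):
        for stage, pat in RECON_PATTERNS.items():
            if pat.search(cmd):
                hits[host].append((ts, stage))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            stages = {s for t, s in events[i:] if t - t0 <= WINDOW}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts

# Constructed sample: ws01 shows the full chain, ws02 only an admin running systeminfo.
SAMPLE_LOG = [
    r'2014-05-10T10:00:01 host=ws01 cmd=cmd /C "systeminfo.exe > C:\Temp\i.txt"',
    r'2014-05-10T10:00:02 host=ws01 cmd=cmd /C "tasklist.exe /SVC >> C:\Temp\i.txt"',
    r'2014-05-10T10:00:03 host=ws01 cmd=cmd /C "driverquery.exe >> C:\Temp\i.txt"',
    r'2014-05-10T10:00:04 host=ws01 cmd=cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s"',
    r'2014-05-10T10:00:05 host=ws01 cmd=cmd /C "echo -------- >> C:\Temp\i.txt"',
    r'2014-05-10T10:00:06 host=ws01 cmd=cmd /C "makecab C:\Temp\i.txt C:\Temp\i.cab"',
    r'2014-05-10T11:30:00 host=ws02 cmd=systeminfo',
]
```

Requiring four of the five stages keeps a lone systeminfo or tasklist run by an administrator from alerting while still catching the chain if one command is missing from the log.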
The dropper also sets persistence of the dropped client.dll module. Persistence is achieved via adding an entry to the Run registry key.
Main module and form grabbing
Client.dll is the main module. It hooks several API functions - CreateProcessA, CreateProcessW, CreateProcessAsUserA and CreateProcessAsUserW. These hooks monitor newly launched processes, and if any of them is explorer.exe, iexplore.exe, chrome.exe or firefox.exe, the hook signals this by setting an event. In the case of Internet Explorer, it hooks InternetConnectA, InternetConnectW, HttpSendRequestA, HttpSendRequestW, HttpSendRequestExA, HttpSendRequestExW, InternetReadFile, InternetReadFileExA, InternetReadFileExW and InternetQueryDataAvailable. The most interesting hooks are those of HttpSendRequestA/W, which filter the internet traffic to keep just POST requests. These requests carry data submitted from website forms, typically the login and password fields. Because the hook sits above the browser's TLS layer, hooking HttpSendRequestA/W lets client.dll obtain the form data before encryption occurs, as you can see from the screenshot below.
For example, if the user attempts to log into their PayPal account, the spyware's browser hooks receive login_email and login_password in unencrypted form. Client.dll thus performs a man-in-the-browser attack. The screenshots below show the user's credentials in the clear.
In the analyzed sample, several functions are also hooked in the Firefox browser - PR_Read, PR_Write, PR_Close and PR_Connect. At the time of writing this blog post, these hooks do not do anything yet; they just call the original functions. It seems that this form grabber is still in development and not all functions are implemented yet.
In the case of the Chrome browser, WSASend from WS2_32 is hooked to obtain the same functionality that the HttpSendRequest hook provides for Internet Explorer. The client regularly calls home via the following request.
The IP address of the C&C server is hardcoded in the client.dll binary.
In the case of the 64-bit version (client64.dll), it is necessary to drop a 64-bit injector, which scans through all 64-bit processes and injects the payload into them. This step is necessary because the original dropper is 32-bit and it would be very complicated to inject data from a 32-bit into a 64-bit process. Having a 32-bit dropper has the advantage of being able to run on either a 32-bit operating system or a 64-bit operating system (under WoW64 emulation). This dropper does not use the 32-bit to 64-bit code transition we have seen in the case of Win32/64:Blackbeard.
The following graph shows unique hits of the Upatre downloader, which is the initial stage of the infection.
The author would like to thank Peter Kalnai for his help and consultations related to this analysis.