On 4/6, the Phishing Intelligence team came across a wave of phishing emails that delivered malware through a .js file packaged inside a zip archive. This is nothing new; the same delivery method has been pushed out by infrastructure associated with the Dridex botnet and the Locky ransomware. The interesting piece is that the attackers are using a new piece of malware called RockLoader to download and install the payload on victim systems. Downloaders themselves are nothing new either, as Upatre was used with Dyre and Gameover ZeuS in the past, but RockLoader has several tricks up its sleeve.
For this set of phishing emails, the attackers used a Voicemail message theme for their lure.
Once the user opens the zip and executes the .js file, the script makes a GET request to fetch RockLoader, the new dropper.
During initial testing, the malware didn’t function as intended, and kept crashing when trying to access different things.
Next, a prompt for the SQL Server Client Network Utility popped up, and explorer.exe crashed, making this particular sample even more curious.
Further analysis shows that RockLoader is experimenting with a method for bypassing Windows User Account Control (UAC). The compile path for the shellcode can be seen in figure 5. It is also worth mentioning that the shellcode was compiled as a 64-bit binary, while the original RockLoader is compiled for 32-bit operating systems. If UAC is enabled on a victim's computer, RockLoader will attempt to bypass it.
At runtime, once this UAC bypass has been achieved, RockLoader will make HTTP POST requests to the /api/ directory on its command and control host to elicit encoded commands for its next step. By looking at a network packet capture from this C2 callback process, we can see encoded commands sent back and forth between the host and server. Here’s an example of the traffic response:
Reversing the binary and stepping through it in IDA reveals how the malware decodes the traffic.
Because the algorithm works in 4-bit shifts (nibbles), the malware writers have made it easy to follow. Translating the assembly into something more human readable, here are the steps you can take to decode the traffic on your network:
- Read the first and second characters into memory.
- XOR the low-order bits of the first character with the high-order bits of the second character.
- This value becomes the high-order bits of our decoded value.
- Combine the low-order bits of the second character with the high-order bits of the decoded value.
- This is our decoded value.
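The following is an added example, not the post's own decoder script, that implements the five steps above as I read them. It assumes that "low-order bits" and "high-order bits" mean the two 4-bit halves of a byte (consistent with the note that the algorithm uses shifts of 4), and that the encoded stream is consumed two bytes at a time. The `encode` helper is only the inverse of that reading, used to construct test data; the sample command string is constructed, not captured traffic. The prefix check for "true"/"false" and the "NOTASKS" handling mirror what the post describes below, so the block also serves as a small parser for decoded commands.

```python
# Added example: decoder for the nibble-based C2 encoding described in the post.
# ASSUMPTION: "low-order bits" / "high-order bits" are the 4-bit halves of a byte.
from typing import Dict, List, Optional


def decode_pair(c1: int, c2: int) -> int:
    """Decode one plaintext byte from a pair of encoded bytes (c1, c2)."""
    # Step 2/3: low nibble of the first byte XOR high nibble of the second byte
    # becomes the high nibble of the decoded byte.
    high = (c1 & 0x0F) ^ (c2 >> 4)
    # Step 4: the low nibble of the second byte is kept as the low nibble.
    low = c2 & 0x0F
    return (high << 4) | low


def decode(encoded: bytes) -> bytes:
    """Decode a whole C2 response; every two encoded bytes yield one plaintext byte."""
    if len(encoded) % 2:
        raise ValueError("encoded data must contain an even number of bytes")
    return bytes(decode_pair(encoded[i], encoded[i + 1])
                 for i in range(0, len(encoded), 2))


def encode(plain: bytes, key_nibbles: Optional[List[int]] = None) -> bytes:
    """Inverse of decode(), used here only to construct sample data.

    The first byte of each pair is a free 'key' byte; only its low nibble matters
    (it masks the high nibble of the plaintext byte). Any pattern of key bytes
    round-trips, which is why the decoder does not need a key at all.
    """
    out = bytearray()
    for i, p in enumerate(plain):
        k = (key_nibbles[i % len(key_nibbles)] if key_nibbles else (i * 7)) & 0xFF
        c2 = (((p >> 4) ^ (k & 0x0F)) << 4) | (p & 0x0F)
        out += bytes([k, c2])
    return bytes(out)


def classify(decoded: bytes) -> Dict[str, object]:
    """Split a decoded command into its leading true/false flag and instructions.

    The post says the loader checks the start of the decoded data for "true",
    "false" or one of several symbols; only the two words are handled here.
    "NOTASKS" is flagged because it makes the loader write 1.bat and delete itself.
    """
    text = decoded.decode("latin-1")
    flag = None
    for prefix in ("true", "false"):
        if text.startswith(prefix):
            flag = prefix
            text = text[len(prefix):]
            break
    tokens = text.split()
    return {"flag": flag, "instructions": tokens, "self_delete": "NOTASKS" in tokens}


if __name__ == "__main__":
    # Constructed sample: what a decoded self-delete instruction might look like.
    sample = encode(b"false NOTASKS", key_nibbles=[0x31, 0x42, 0x53])
    print("encoded :", sample.hex())
    plain = decode(sample)
    print("decoded :", plain)
    print("parsed  :", classify(plain))
```

When applying this to real captures, feed `decode()` only the body of the HTTP response (not the headers), and treat any response whose decoded output contains "NOTASKS" as a sign the loader was told to clean itself up, which is worth noting in an incident timeline.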
Here’s what a decoded command looks like:
Once decoded, the malware checks the beginning of the decoded data for “true”, “false”, or one of the following several symbols. (figure 9) The ability to look for multiple arguments means the loader can accept several possible commands.
For example, the malware has the ability to receive instructions such as “command” and “UPDATE”.
The “NOTASKS” instruction is a special and interesting case. If “NOTASKS” is set, the malware process will create and run the file “1.bat” in the temp directory in order to try and delete itself.
By decoding more commands, we can see that the attackers have the ability to pass multiple arguments and commands to the malware in one request. This vastly increases the economy and extensibility of this malware's operation. Stacking commands in this way is where this new malware downloader really shines. With this capability, the attackers are able to drop several malware payloads to the system at once, or pass multiple commands to a single victim. By browsing to the /files/ directory, we can see that the attackers left the directory listing open, giving us a list of other files they are installing on victims.
One of the files looks to be a calculator using the WinAPI, created by [email protected] (Figure 14). The source code can be downloaded from here (Figure 15).
On 4/7, we saw another wave of emails using .docm attachments to target victims. The malware in this case was a Word document carrying a malicious macro, which was used to infect users. This phishing email was themed as Angel Springs, a UK supplier of water dispensers.
The initial spam campaign contains an Office Document with malicious macros that downloaded RockLoader. The RockLoader executable then downloaded several executables from hxxp://185.103.252[.]148/files/. One of these executables is the Locky Loader.
Another executable downloaded was Pony (hxxp://185.103.252[.]148/files/Qlk7Yx[.]exe). It is believed that cybercriminals utilize Pony infostealer in an effort to expand their C2 infrastructure since Pony can also harvest FTP credentials from infected machines. Here is some information about the Pony file:
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File name: Qlk7Yx.exe
File size: 213504
MD5: 9649061beee87fb3692e02177ad23308
Compile time: 2016-04-07 04:30:45
Sections: 6 (1 suspicious)
Directories: import, resource, relocation
Detected: packer, antidbg
Import hash: 3fa8e98760e737c8a16039cbce251101
Packer info
————————————————————
Microsoft Visual C++ 8
VC8 -> Microsoft Corporation
Resources info
————————————————————
RT_ICON 1128 ( @t?t?t?t?t?t?t?rrrt?rrrt?RMWOh+R
RT_DIALOG 172 [email protected]>MS Shell DlgP 0(PStaticPF
RT_GROUP_ICON 132 ( h h
RT_VERSION 760 4VS_VERSION_INFO?XStringFileInfo404
Sections suspicious
————————————————————
hash_md5 e93c3c7762b55184b8d224989c05b8c3
virtual_address 0x1f000
name .reloc8
size_raw_data 105984
suspicious True
hash_sha1 0086bd086da957aa2cb315c7afb9f3cb51101861
virtual_size 0x1a000
Import function
————————————————————
ADVAPI32.dll 1
KERNEL32.dll 68
USER32.dll 1
Antidbg info
————————————————————
GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter
Apialert info
————————————————————
CloseHandle
CreateFileW
DeleteCriticalSection
ExitProcess
GetCommandLineA
GetCurrentProcess
GetCurrentProcessId
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleW
GetProcAddress
GetStartupInfoW
GetTickCount
HeapAlloc
InitializeCriticalSectionAndSpinCount
IsDebuggerPresent
LoadLibraryW
SetFilePointer
Sleep
TerminateProcess
UnhandledExceptionFilter
WriteFile
Filename found
————————————————————
Library WUSER32.DLL
Library nKERNEL32.DLL
Library mscoree.dll
Library ADVAPI32.dll
Library USER32.dll
Library KERNEL32.dll
IP found
————————————————————
1.0.0.1
Meta info
————————————————————
LegalCopyright Copyright (C) 2016
InternalName Pchild3.exe
FileVersion 1.0.0.1
CompanyName TODO: <Company name>
ProductName TODO: <Product name>
ProductVersion 1.0.0.1
FileDescription TODO: <File description>
Translation 0x040c 0x04b0
OriginalFilename Pchild3.exe
Here’s a screenshot of the Pony icon:
For further clarification, we can look at network data based on Suricata signatures which point to the POST request being Pony check-ins:
We can also see the POST requests to r56.php by looking at our pcap. (Figures 20 and 21)
For this sample, the following C2 is active.
C2:
Fifterax[.]com/2Ty8AT8522zaRo9R/r56.php
Historical IP: 185.130.7.22
By looking at passive DNS for the IP address, we can see other possible domains used by the attackers.
Passive DNS 185.130.7.22
clastermastercash.com
compowalkers.com
dennyarca.com
drebedenia.com
fifterax.com
gangfinancestory.com
housetradingmoldova.com
masterboosteroof.com
mineraring.com
moldovaband.com
ninerabula.com
puperclan.com
raprockacademy.com
securedproworkers.com
testpupertest.com
tradingband.com
www.puperclan.com
www.moldovaband.com
www.tradingband.com
www.testpupertest.com
www.raprockacademy.com
www.gangfinancestory.com
www.masterboosteroof.com
www.clastermastercash.com
www.securedproworkers.com
www.housetradingmoldova.com
In yet another wave of attacks, we can see RockLoader used to pull down Locky based on the strings in memory:
The introduction of a new malware downloader demonstrates that these attackers are continuing to innovate and experiment with ways to increase their infection rates. Furthermore, we believe RockLoader is intended to fill the gap left by Upatre's absence by echoing many of the strengths that made Upatre so successful. RockLoader, however, adds extensibility and functionality on top of that, giving threat actors more ways to leverage infected machines by delivering not just Locky but also the Pony and Kegotip information stealers.
For awareness, a scenario has been added to PhishMe Simulator to train users to spot these types of attacks!
Triage customers are protected against these threats. Here’s an example of one of the macro-based phishing emails.
Indicators can be downloaded from here, yara rules can be downloaded from here, and the decoder script can be downloaded from here.