Dridex Code Breaking – Modify the Malware to Bypass the VM Bypass

Post Updated on March 25

The arrival of spring brings many good things, but it’s also prime season for tax-themed phishing emails. A partner of ours recently reported an email with the subject “Your Tax rebate” that contained an attachment with Dridex and password-protected macros to hinder analysis. If you read this blog, this story should sound familiar, but this particular strain took new precautions, such as adding a longer password and using VM detection inside of the code.

Decoding ZeuS Disguised as an .RTF File

While going through emails that were reported by our internal users using Reporter, I came across a particularly nasty looking phishing email that had a .doc attachment. At first when I detonated the sample in my VM, it seemed that the attackers weaponized the attachment incorrectly. After extracting and decoding the shellcode, I discovered a familiar piece of malware that has been used for some time.

Dridex – Password Bypass, Extracting Macros, and Rot13

When attackers decide to password protect something, it can be very frustrating as an analyst, because we are often left with few options to find out what they are protecting. If this happens, we can always try to straight up brute force the password, but unless the attackers use something like 1q2w3e4r, we’re up a creek without an oar. If it’s an MD5 hash of a password, we have many more options to crack it. In the case of xls files, we have the option to essentially “wipe out” the password and give it our own password. In a recent wave of Dridex phishing emails, this is what we saw. Here’s the phishing email sent to one PhishMe employee:

Dyre Trojan Expands to Career Website Targets

The MAAWG conference in San Francisco provides an opportunity for the leading hosting companies, Internet Service Providers, and Internet and email security companies to collaborate, develop best practices, and share information. We took the opportunity to speak to attendees about Dyre malware, and how the Trojan is now a serious concern. In recent days, we have seen an aggressive expansion in the targets that Dyre is configured to steal credentials from. Dyre malware is currently being spread via spam email and the Upatre downloader.

We have already reached out to many of the newly impacted brands, several of which had a presence at MAAWG.  The relationships at MAAWG are so critical for maintaining effective response capabilities in the security industry.  Shaking hands and breaking bread with those in charge of security in very large organizations is critical to how the community actually gets things done!

PhishMe Intelligence subscribers will already have received our report on the Dyre Trojan, although, even before the report was issued, their SIEMs and scripts will have been able to retrieve the campaign information and Indicators of Compromise (IOCs) to help protect their network and identify potentially compromised hosts.

PhishMe Analysis of the Upatre / Dyre Campaign

Today’s Dyre campaign was quite different than many of the previous Dyre campaigns that used a spam “lure” of a range of British brand names, with financial services companies extensively spoofed.  This campaign was quite high volume, with well over a thousand emails identified early in the morning.

The actual messages attempt to convince the user that their credit card has been charged several thousand dollars by the New York City Department of Finance.  The spam messages all have the “Subject: Thank you for your payment” and the sender appears to be nycserv@finance.nyc.gov.

The attachment, which claims to have more details about the parking fines that have been paid, is in .zip form.

The PDF file is the Upatre executable, the TXT file is the Upatre-encoded version of the binary, while the “cube icon” file is the Dyre Trojan.

Career Sites Now Targeted

The Dyre Trojan uses a special configuration file to prioritize the credentials that it desires to steal.  PhishMe Intelligence subscribers will be familiar with several previous Dyre reports on how these configuration files work.  The current version is the first time that we have seen “Career Sites” targeted by Dyre.  The criminals have posed as employers on the following sites:

SimplyHired, Indeed.com, Monster.com, GlassDoor, CareerBuilder.

The URL substrings that will trigger Dyre’s special actions are listed below:
ads.simplyhired.com/simplypost/sign-in/*
ads.simplyhired.com/v/favicon.ico[?]*

secure.indeed.com/account/login*
employers.indeed.com/jobs?ts=*
employers.indeed.com/candidates?ts=*
*.indeed.com/v/favicon.ico[?]*

hiring.monster.com/Login.aspx*
hiring.monster.com/Challenge.aspx*
hiring.monster.com/jpw/Services/Secure/JCMIIWebServices/Jobs.asmx/GetJobs*
hiring.monster.com/v/favicon.ico[?]*

www.glassdoor.com/partners/login_input.htm*
www.glassdoor.com/v/favicon.ico[?]*

www.careerbuilder.com/share/verifyidentity.aspx*
www.careerbuilder.com/share/setchallengequestions.aspx*
www.careerbuilder.com/share/login.aspx*
www.careerbuilder.com/share/favicon.ico[?]*
www.careerbuilder.com/AJAX/GetProductsByUserGroup.aspx*
www.careerbuilder.com/jobposter/mycb/loadaccountwidgetdata.aspx*
www.careerbuilder.com/jobposter/ajax/myjobs/loadmyjobs.aspx*

Non-Career Sites Also Added Today

We’re not sure why the following were also added.  Perhaps the NewEgg entries indicate a desire to do a little shopping, or perhaps something more sinister may be occurring.

secure.newegg.com/NewMyAccount/AccountLogin.aspx*
secure.newegg.com/Shopping/ShoppingLogin.aspx*
secure.newegg.com/*/CheckoutStep1.aspx*
secure.newegg.com/*/CheckoutStep2.aspx*
sellerportal.newegg.com/Pages/Account/LandingPage.aspx*
*.newegg.com/v/favicon.ico[?]*

The criminals also are targeting the administrators of mailing lists hosted by MailChimp, which could allow them to deliver malicious emails on behalf of a “trusted” source, helping the criminals to bypass spam filtering controls.

  • mailchimp.com
  • *.admin.mailchimp.com/campaigns*
  • *.admin.mailchimp.com/lists*
  • *.admin.mailchimp.com/account/domains*
  • *.admin.mailchimp.com/reports*
  • mailchimp.com/v/favicon.ico[?]*

GoDaddy accounts would allow creation of domains and also modification of existing domains for malicious purposes.

*.godaddy.com*
*.godaddy.com/v/favicon.ico[?]*

Lastly, Accurint refers to the LexisNexis Accurint database.  This is a very rich collection of Public Records with more than 37 billion entries that can be used for verifying identities.

  • accurint.com/app/bps/main
  • accurint.com/1/favicon.ico[?]*
  • accurint.com
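As an added example (not code from the post or from PhishMe), the following Python script turns a subset of the Dyre trigger substrings listed above into regular expressions and runs them over a few constructed proxy log lines, so a defender can find which users visited a URL that the configuration singles out. It assumes that `*` in these patterns matches any run of characters and that `[?]` stands for a literal question mark; the brand labels, the proxy log format (timestamp, user, URL, status) and the log lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Subset of the Dyre trigger substrings quoted in the post, keyed by the brand
# they belong to (the keys are our own labels).
DYRE_TRIGGERS: Dict[str, List[str]] = {
    "simplyhired": [
        "ads.simplyhired.com/simplypost/sign-in/*",
        "ads.simplyhired.com/v/favicon.ico[?]*",
    ],
    "indeed": [
        "secure.indeed.com/account/login*",
        "employers.indeed.com/jobs?ts=*",
        "*.indeed.com/v/favicon.ico[?]*",
    ],
    "monster": [
        "hiring.monster.com/Login.aspx*",
        "hiring.monster.com/v/favicon.ico[?]*",
    ],
    "newegg": [
        "secure.newegg.com/*/CheckoutStep1.aspx*",
        "sellerportal.newegg.com/Pages/Account/LandingPage.aspx*",
        "*.newegg.com/v/favicon.ico[?]*",
    ],
    "mailchimp": ["*.admin.mailchimp.com/campaigns*"],
    "godaddy": ["*.godaddy.com*"],
}


def trigger_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one trigger substring into an anchored, case-insensitive regex.

    Assumed semantics: '*' matches any run of characters, '[?]' is a literal
    question mark, and every other character is taken literally.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("[?]", i):
            parts.append(r"\?")
            i += 3
        elif pattern[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


COMPILED = [
    (brand, pat, trigger_to_regex(pat))
    for brand, pats in DYRE_TRIGGERS.items()
    for pat in pats
]


def strip_scheme(url: str) -> str:
    """Drop 'http://', 'https://' etc. because the triggers start at the host."""
    return re.sub(r"^[a-z][a-z0-9+.\-]*://", "", url, flags=re.IGNORECASE)


def match_trigger(url: str) -> Optional[Tuple[str, str]]:
    """Return (brand, pattern) of the first trigger the URL hits, else None."""
    target = strip_scheme(url)
    for brand, pat, rx in COMPILED:
        if rx.match(target):
            return brand, pat
    return None


# Constructed proxy log: "<timestamp> <user> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2015-03-25T09:01:12Z alice https://www.glassdoor.com/index.htm 200",
    "2015-03-25T09:02:40Z bob https://secure.indeed.com/account/login?hl=en 200",
    "2015-03-25T09:03:05Z carol https://www.newegg.com/v/favicon.ico 200",
    "2015-03-25T09:04:18Z dave https://sellerportal.newegg.com/Pages/Account/LandingPage.aspx 200",
    "2015-03-25T09:05:00Z erin https://mc.admin.mailchimp.com/campaigns/edit?id=7 200",
]


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (user, url, brand, pattern) for every log line that hits a trigger."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; a real tool would log it and move on
        _, user, url, _ = fields[:4]
        found = match_trigger(url)
        if found is not None:
            hits.append((user, url, found[0], found[1]))
    return hits


if __name__ == "__main__":
    for user, url, brand, pat in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{user}: {url} matched {brand} trigger {pat}")
```

Carol's favicon request without a query string is deliberately left unmatched: the `[?]` in the trigger requires a literal question mark, so a defender's matcher has to honour that rather than treat the bracket as a wildcard.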

CTB-Locker: The Latest Crypto Malware Coming to you Via Email Spam

The latest crypto malware threat – CTB-Locker – promises to be one of the most serious security threats seen in recent years. The latest crypto malware is one of many of its ilk that have emerged in the past two years. This form of malware encrypts files on victims’ computers and will not unlock them until a ransom is paid. Only then will the key to decrypt data be provided.

Crypto malware has been around for some time, although its popularity has been increasing over the past couple of years. One of the first major crypto malware variants was CryptoLocker. CryptoLocker first emerged in late 2013 and has been particularly active throughout the first half of 2014.

CryptoLocker malware was a major concern for many businesses and individuals.  In June of 2014, the FBI was able to successfully disrupt CryptoLocker, along with Game Over Zeus, but according to the figures in their legal complaint against Evgeniy Bogachev, not before his malware had encrypted more than 230,000 computers, 120,000 of which were in the United States.

The second major crypto malware variant was CryptoWall. PhishMe documented 24 separate spam campaigns in Q3 that pushed CryptoWall.  But that number declined sharply in Q4, with only 10 CryptoWall spam campaigns seen in October, only 4 in November, and none at all in December.

The latest crypto malware threat emerged today. This new wave of crypto malware is being distributed via spam email.

PhishMe detected this new threat today when spam messages were intercepted containing an attachment that appeared to be some form of faxed document.  There were many variants of the spam messages including the one below:

  • Fax from RAMP Industries Ltd
  • [Fax server]= +07955-168045
  • [Fax server] : LPY.5705BBC7.1118
  • Incoming fax, NB-112420319-8448
  • New incoming fax message from +07829 062999
  • [Operational Support Ltd] Fax transmission=U2W9MABD921532EC5

The messages themselves contained very simple text explaining that your inbound fax was attached:

No.: +07434 20 65 74
Date: 2015/01/18 14:56:54 CST
Pages: 5
ID: TVZ.79483B95A.8086
Filename: headband.zip
Peter Brett Associates
Eun Gransberry

The attached file used a seemingly random dictionary word.  Some of the .zip files observed by PhishMe were:

  • zip
  • zip
  • zip
  • zip
  • zip
  • zip
  • zip

Many anti-spam tools now unzip .zip attachments to check for the presence of an .exe within the compressed file.  This spam attempts to avoid tripping spam filtering solutions by containing a .zip file, which also contains a .zip file, which includes an .scr file.

No two files that we reviewed had the same malware hash.  One of the many ways the anti-virus industry inflates their numbers is to count each unique hash as a separate file.  PhishMe prefers to refer to the malware by the campaign name.  Since every .scr file was unique, we could claim that each was a new malware variant; however, that would have no meaningful value since each of these samples performs the same action and is structurally identical, if not actually identical. The only thing different in each is the hash.

The “.scr” file, which will be named with the same dictionary word as the .zip file from which it was extracted, is a downloader known as Dalexis.

Dalexis performs a similar role to the more common UPATRE malware.  Its job is to covertly download additional malware, unpack it, and execute it.  In this case, it does so by retrieving a file named “pack.tar.gz” from a variety of websites, such as:

  • breteau-photographe.com   /  tmp   / pack.tar.gz
  • com  / assets  / pack.tar.gz
  • asso.fr   / piwigotest   / pack.tar.gz
  • org   / histoiredesarts    / pack.tar.gz
  • voigt-its.de   /   fit  / pack.tar.gz

These files are not actually .tar.gz archive files, they are copies of the latest crypto malware – CTB-Locker – which have been XOR’ed in a special way that Dalexis knows how to reverse.  By passing through the network perimeter in an encoded format, the download is not scanned, since the file is not an executable or commonly known file type.
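Both of the evasion tricks described above, the .zip inside a .zip holding an .scr and a download named pack.tar.gz that carries no gzip header, can be caught with a short content check. The Python below is an added example, not code from the post or from PhishMe; the executable-extension list, the nesting limit `max_depth` and the nested sample archive (built in memory around a fake `MZ` stub) are constructed assumptions for it.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions Windows will run directly when double-clicked; .scr is the one this
# campaign used.  The list is our own, not taken from the post.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

GZIP_MAGIC = b"\x1f\x8b"


def inspect_zip(data: bytes, path: str = "", max_depth: int = 5) -> List[Tuple[str, str]]:
    """Walk a zip and every zip nested inside it; report executable members.

    Returns (reason, member_path) pairs.  member_path joins nesting levels with '>'.
    max_depth is an assumed limit so a deliberately deep archive cannot recurse forever.
    """
    findings: List[Tuple[str, str]] = []
    if max_depth < 0:
        findings.append(("nesting-limit-reached", path))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{path}>{info.filename}" if path else info.filename
            lower = info.filename.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            blob = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(blob)):
                # Archive-in-archive: the trick used to get past unzip-and-check filters.
                findings.append(("nested-zip", member))
                findings.extend(inspect_zip(blob, member, max_depth - 1))
            elif ext in EXECUTABLE_EXTENSIONS:
                findings.append(("executable", member))
            elif blob[:2] == b"MZ":
                # PE header hiding under a harmless-looking name.
                findings.append(("pe-magic-unexpected-extension", member))
    return findings


def looks_like_gzip(data: bytes) -> bool:
    """Every real gzip stream (so every .tar.gz) begins with 0x1f 0x8b."""
    return data[:2] == GZIP_MAGIC


def declared_type_mismatch(filename: str, data: bytes) -> bool:
    """True when a name ending in .gz/.tgz is not actually gzip data.

    An XOR-encoded executable served as 'pack.tar.gz' fails this check.
    """
    if filename.lower().endswith((".gz", ".tgz")):
        return not looks_like_gzip(data)
    return False


def build_sample_attachment() -> bytes:
    """Constructed sample: outer zip > inner zip > headband.scr (fake MZ stub)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("headband.scr", b"MZ" + b"\x00" * 62 + b"constructed stub, not a program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("headband.zip", inner.getvalue())
        zf.writestr("readme.txt", b"constructed cover text")
    return outer.getvalue()


if __name__ == "__main__":
    for reason, member in inspect_zip(build_sample_attachment()):
        print(f"{reason}: {member}")
    # Constructed stand-in for an encoded download that is not really gzip.
    print("mismatch:", declared_type_mismatch("pack.tar.gz", b"\x8a\x17 constructed xor bytes"))
```

The magic-byte check is the part that matters at the perimeter: a proxy that decides "not an executable, not a known type, let it through" on the file name alone is exactly what the encoded pack.tar.gz relies on, whereas comparing the declared type with the first two bytes costs almost nothing.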

At that point, CTB-Locker takes over.  CTB is an acronym for Curve Tor Bitcoin.  Curve refers to the fact that the malware uses Elliptic Curve Encryption, which the author claims is the equivalent of RSA encryption with a 3072 bit key.  The first time we saw CTB being described was by the malware blogger Kafeine back in July 2014.  At that time, CTB was primarily associated with the Angler Exploit Kit.

The author of the malware announced CTB to the criminal underworld in June, with a couple interesting points.

The criminal, who uses the handle Tapkin, was offering his malware for $3,000, with a discount of 50% to the first purchaser.  He also advertised that he was planning to offer his/her latest crypto malware under an affiliate model. Under such a scheme, Tapkin or another criminal would host CTB, while affiliates could earn commission by infecting people. When a ransom demand is paid, the affiliate gets a cut of the profits, as does Tapkin. It is a common online marketing tactic used by retailers. They get others to do the hard work of getting sales. The retailer gets a smaller cut of the profits, although since they get sales that they would unlikely have otherwise made, everyone is a winner.

We are not sure yet whether today’s spam will be revealed to be part of such an affiliate program, or if this is just one of Tapkin’s customers.  We believe that the Angler Exploit Kit will continue to be used to deliver some forms of CTB-Locker, but expect that this will be the beginning of a long series of similar spam messages.  The challenge is that criminals may find the TOR network requirement to be a barrier to their efforts.

Regardless of how it is distributed, the sequence of infection with this latest crypto malware is as follows:

  1. After CTB has been downloaded, it encrypts files on the local machine.  Many filetypes that have not been encrypted by previous Crypto Malware have been added into this latest crypto malware. Most interestingly, several extensions related to computer source code have been added, extensions that would likely be found on a programmer’s computer.

  2. Once the encryption process is completed, the Count Down Begins! There is a payment window for sending the ransom payment. Failure to pay on time will see files encrypted forever.

  2A. Choosing the “View” screen displays a list of the victim’s encrypted files.

  3. When the victim is ready to decrypt their files, clicking NEXT results in a request for the Private Decryption Key:

  4. But of course they aren’t going to give that to you for FREE!

  5. The only payment type accepted is BitCoin, but several helpful links are included to educate the victim on how they can buy Bitcoin.  The latest crypto malware requires a substantial payment – The highest price we’ve seen in crypto malware to date.  This version asks for EIGHT BitCoin, which have a current value of around $1520 USD:

  6. The addresses offered for contacting the criminal’s website require the use of the TOR network.  If you have TOR installed, you can use the “.onion.cab” address. If you don’t have TOR, you can use a “tor2web.org” gateway.

A more detailed analysis of this report has been provided to PhishMe Intelligence subscribers. The campaign ID is #2644.

The Evolution of Upatre and Dyre

Over the last few months, we’ve been tracking Dyre and reporting changes to the malware on this blog.  Dyre’s latest iteration shows yet another shift in tactics – one that combines characteristics of Dyre with Upatre code to create a new downloader… Figures 1, 2, 3 and 4 show three different emails, all with the same content but with different malicious links, which we’ll use interchangeably in our examples.

Cridex Malware Authors Warn Lloyds users of Dyre

PhishMe malware researchers have been helping you protect your network by sharing information about the Dyre Trojan and Cridex malware on a daily basis for several months; however, in that time we have not seen any actions as bold as those used by the Cridex malware authors today.

Dyre is the current top banking Trojan being distributed by email, and it poses a significant threat to businesses and consumers. The Trojan steals credentials and the attackers use that information for financial fraud.

Threat Analyst Neera Desai let us know about this new threat from today’s Cridex attack, which uses a malicious Microsoft Word document to infect victims by pretending to be a Failed Fax Transmission.  On November 17, 2014, we received approximately 1,000 copies of this spam message before noon. The sending domain in the ‘From’ field was “interfax.net” in all of those samples.

Here’s the thing we’ve never seen before – A warning about Dyre malware FROM THE AUTHORS OF THE CRIDEX MALWARE!  If – and only if – you are infected with this version of Cridex malware, and you visit a website at www.lloydsbankcommercia.com, you will receive the following pop-up message when you visit LloydsLink.  PhishMe analysts spoke with Lloyds and learned that the message being propagated by Cridex malware was previously used on the Lloyds website in a now discontinued security advisory, but confirmed that if someone is seeing that message now it is a sign of a Cridex malware infection.

The security warning displayed to users that have been infected with Cridex malware is as follows:

IMPORTANT SECURITY INFORMATION
21 October
Lloyds Banking Group is aware that the Dyre malware (also known as Dyreza) is currently actively targeting financial institutions across the UK including customers of LloydsLink online.

This is not a vulnerability within LloydsLink online but malware that resides on infected computer systems designed to steal user log-in credentials.

We recommend you:

1. Work with your IT security providers to confirm that your anti-malware solution is capable of detecting and removing the very latest variants of Dyre.
2. Carry out comprehensive scans of any systems used to access LloydsLink, as well as any other financial service institution or financial orientated software that you use and transact on.
3. Change Passwords and memorable information, following the comprehensive scans of your systems.

Please remember it is important to check all beneficiary details, especially bank sort codes and account numbers, before creating and approving all payments.
For more information on protecting your payments please visit our Security Centre.

3) KEEPING YOUR PC SECURE

Protect against viruses
Use anti-virus software and ensure that it is kept up to date – this should protect your computer against the latest viruses
Use up-to-date anti-spyware software to protect against programs that fraudsters can use to collect information about your Internet usage

Keep your software up-to-date

Occasionally publishers discover vulnerabilities in their products and issue 'patches' to protect against any security threats. It is important that you regularly visit the website of the company which produces your operating system (e.g. Windows XP) and browser (e.g. Internet Explorer) to check for any patches or updates they may have issued.

While it would appear that the content above is being provided by Lloyds, that is not the case. The content is being pushed into your browser by the Cridex malware in what is known as a “web inject”. The web inject occurs if the malware senses that a user is visiting Lloyds commercial banking services.

Astute network monitoring professionals will want to watch for network traffic to the IP addresses 37.59.136.102 and 91.121.134.223. Both addresses are hosted on OVH France, a network that has great loyalty from the criminals behind this malware.

While nearly 300 other banks are also specifically targeted by this version of Cridex, the only other one with a special “web inject” pop-up message from the criminals is Barclays Bank. Its customers receive this special message:

Your security obligations
Due to our recent security changes you should keep your smart card inserted in your card reader.
This security message will appear periodically.
Please tick the box to acknowledge these security obligations.

In addition to many UK-based banks, banks in Austria, Belgium, Bulgaria, Germany, Hungary, Ireland, Indonesia, Israel, Italy,  India, Malaysia, Netherlands, Norway, Qatar, Romania, Singapore, Switzerland, United Arab Emirates, United States of America, and Vietnam have also been targeted.

Several companies offering services to small and regional banks and credit unions are also being targeted, including CardinalCommerce, Electracard.com, ElectraPay.com, and Enstage.com.

PhishMe Intelligence subscribers can review further details of this attack online under Threat ID 2361.

The New GameOver Zeus Variant (newGOZ) Spams Again

Almost two weeks ago, PhishMe identified a new Trojan based almost entirely on the notorious GameOver Zeus variant. The new GameOver Zeus variant demonstrated many of the same behaviors and characteristics of the original. The most notable change between these two Trojans was the abandonment of the peer-to-peer botnet used by the older GameOver Zeus. Instead, the new variant used a new fast-flux infrastructure. However, much of the behavior – and malicious capabilities – of the original was retained in this newer form of the malware.

Today, a large number of spam emails were received and analyzed by PhishMe in one of the most intense attacks of recent days. Furthermore, analysis of this emerging threat demonstrated that criminals are not only attempting to capitalize on the heritage of functionalities associated with GameOver Zeus but they are also making incremental advancements.

The new GameOver Zeus malware variant utilized new spam email templates, with the emails distributed by the Cutwail spam botnet. These entirely new sets of message content present the greatest likelihood of evading spam detection and mitigation—thereby increasing the likelihood that the hostile emails will be delivered to end users and the malware payload will be delivered.

The spam email messages distributing this malware make use of common malicious spam themes. The new spam email templates were recently confirmed by Brett Stone-Gross of Dell SecureWorks as having been distributed by the Cutwail botnet.

The file attached to these spam messages is a downloader that was once specific to the peer-to-peer GameOver Zeus Trojan. This downloader has previously been known to make use of as many as 50 locations to obtain payload files. This helps to ensure the malicious payload is delivered. If one location is blocked, there are 49 other possible download locations that can be used.  Today’s sample was delivered with a single hard-coded payload URL rather than the large list seen in previous deployments of this downloader.

The risk of infection – and the chance of infections spreading like wild fire – is considerable. Only 5 of 53 antivirus software vendors – as reported by VirusTotal – correctly identified the downloader as malware. Furthermore, the GameOver payload obtained by this downloader was marked as malicious software by only 4 of 53 antivirus software products. Like its predecessor, the new malware variant drops a modified copy of itself that generates a unique checksum for every new infection.

Once the newGoZ binary has been executed, it begins to cycle through domain names produced by a domain generation algorithm seeking out an active command and control host. At the time of analysis, four such hosts were active and distributing configuration data to infected bots.

  • dwgu4j8n210w18spq9rsz0uzj[.]biz – 178.211.41[.]246, 211.108.69[.]117, 4.30.111[.]88
  • hmeyx8mxqrxe1uwcn5w1win68w[.]net – 178.211.41[.]246, 211.108.69[.]117, 4.30.111[.]88
  • szaj031k3ha447pniqr1003qx6[.]org – 178.211.41[.]246, 211.108.69[.]117, 4.30.111[.]88
  • 1stze0f1u7of3z18wu4in5prafy[.]net – 178.211.41[.]246, 211.108.69[.]117, 4.30.111[.]88
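The post does not describe newGOZ's domain generation algorithm, so the following added example (not the malware's algorithm, and not code from PhishMe) applies a generic lexical heuristic to the four C2 domains quoted above and to a few benign hostnames from elsewhere on this page: a registrable label that is long, digit-heavy, vowel-poor or high-entropy scores one point per trait, and three of four points flags it for review. The thresholds, the scoring rule and the DNS query log lines it scans are constructed assumptions for the example.

```python
import math
from typing import Dict, List, Tuple

# The four C2 domains quoted in the post (de-fanged form kept as written).
NEWGOZ_C2_DOMAINS = [
    "dwgu4j8n210w18spq9rsz0uzj[.]biz",
    "hmeyx8mxqrxe1uwcn5w1win68w[.]net",
    "szaj031k3ha447pniqr1003qx6[.]org",
    "1stze0f1u7of3z18wu4in5prafy[.]net",
]

# Ordinary hostnames that also appear on this page, used as a sanity check.
BENIGN_DOMAINS = [
    "secure.indeed.com",
    "hiring.monster.com",
    "www.glassdoor.com",
    "ads.simplyhired.com",
]


def refang(domain: str) -> str:
    return domain.replace("[.]", ".")


def registrable_label(domain: str) -> str:
    """The label just left of the TLD: the part a DGA actually generates.

    Assumption: single-label TLDs only (no public-suffix list lookup here).
    """
    parts = refang(domain).lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the given string."""
    if not text:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_features(domain: str) -> Dict[str, float]:
    label = registrable_label(domain)
    n = len(label)
    return {
        "length": n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "vowel_ratio": sum(ch in "aeiou" for ch in label) / n,
        "entropy": shannon_entropy(label),
    }


def dga_score(domain: str) -> int:
    """Constructed heuristic: one point per suspicious trait, four at most.

    Thresholds are assumptions chosen for this example, not measured values.
    """
    f = dga_features(domain)
    score = 0
    score += f["length"] >= 16          # far longer than a typical brand label
    score += f["digit_ratio"] >= 0.15   # brands rarely mix many digits in
    score += f["vowel_ratio"] < 0.25    # unpronounceable letter soup
    score += f["entropy"] >= 3.5        # near-uniform character use
    return int(score)


def looks_generated(domain: str, threshold: int = 3) -> bool:
    return dga_score(domain) >= threshold


# Constructed DNS query log: "<timestamp> <client> <qtype> <qname>".
SAMPLE_DNS_LOG = [
    "2014-08-01T10:00:00Z 10.0.0.5 A dwgu4j8n210w18spq9rsz0uzj.biz",
    "2014-08-01T10:00:02Z 10.0.0.6 A www.glassdoor.com",
    "2014-08-01T10:00:05Z 10.0.0.5 A szaj031k3ha447pniqr1003qx6.org",
    "2014-08-01T10:00:09Z 10.0.0.7 A secure.indeed.com",
]


def flag_dns_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, qname) for queries whose name looks machine-generated."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, qname = fields[1], fields[3]
        if looks_generated(qname):
            flagged.append((client, qname))
    return flagged


if __name__ == "__main__":
    for d in NEWGOZ_C2_DOMAINS + BENIGN_DOMAINS:
        print(f"{d:40} score={dga_score(d)} generated={looks_generated(d)}")
    print(flag_dns_log(SAMPLE_DNS_LOG))
```

Requiring three traits rather than one keeps long but pronounceable brand labels from tripping the rule on entropy alone, which is the usual false-positive source for this kind of check; the output is a list of hosts worth a closer look, not a verdict, and a host that keeps querying such names after the bot's C2 rotates is the stronger signal.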

One of the most notable aspects of this malware’s behavior is its list of targeted URLs, obtained from the command and control infrastructure following infection. These URLs primarily represent those locations on the Web at which the threat actor hopes to steal private information from victims. Many of these URLs are locations involved with online banking and are specific to certain banking institutions. Others are related to online shopping, the intention being to obtain card details that are used to pay for goods purchased online. The following represent examples of some of those targeted URLs.

Some of those URLs are included with nomenclature used by the older GameOver Zeus Trojan, which denotes that a specific activity is to be carried out at those URLs such as the taking of screenshots or the addition of malicious content to a webpage via web inject.

When we first announced the new GameOver Zeus variant – we have named it newGOZ internally – the malicious actors behind the malware were using a fairly limited spam distribution method.  The light spam volume may have been in part due to a desire to take a test run with the new malware. With today’s higher volume spam campaign, we believe we will be seeing much more of the newGOZ malware in the coming days and weeks.  While it is too early to tell if this will become a dominant malware system like the old GameOver Zeus, PhishMe is sharing information widely about the new threat in the hope that we can stop this botnet before it grows out of control.