Share:

A few weeks ago, we received a round of phishing emails with malware that seemed a little more special than your run-of-the-mill ZeuS, so we decided to give it some analysis. The email was reported by a user at PhishMe. We really do drink our own kool-aid. Figure 1 shows a screenshot of the email that is being analyzed.

Figure 1

Figure 1 — Original Message

If the user was expecting something from their attorney, this may be misconstrued to be a legitimate message from one of the neighbors. There are a few things, however, that look phishy, as shown in Figure 2.

Figure 2

Figure 2 — Indications of Phishing

1. Lowercase subject line – While not 100% bad, this can be a sign of bad things to come
2. Russian sender – Is your neighbor Russian? If so, this may be legit. In this case, the neighbor of the person who reported this is not.
3. Zip file – It is uncommon to receive a legitimate zip file in an email. More times than not, it’s bad.
4. “Hi, there!” – Incorrect grammar can be another tell. Here, no comma is needed.
5. “your attorney popped you” – Typically, attorneys won’t pop you, but they will “pop in on you”
6. No trailing period at the end – Again, punctuation
7. “Have a good night!” – While this could be an honest mistake, from 6 AM – 12 AM is “good morning”, 12 PM – 6 PM is “good evening”, and 6 PM and on is “good night”. The user received the email at 6:15 AM, making it morning. By the person on the other end saying “have a good night”, this would infer that the attacker is from a time zone where it’s night at 6:15 AM EST.

Let’s assume for a minute that the user still opened the .zip file, after all of the signs of this email being suspicious. What would happen?

Figure 3

Figure 3 — Zip File

Upon opening the file attached to the email as shown in Figure 3, the user is presented with a .zip file containing a folder that was modified 40 minutes prior to the email being sent. However, inside the folder, we have something more interesting, as indicated in Figure 4.

Figure 4

Figure 4 — Executable File

Ah, the wonderful zip with an executable. A tactic used by attackers of all ages. Let’s poke the malware and see what it does.

In this example, we’re using REMNux and Windows 7 virtual machine environments. To run the malware in a closed sandbox, we pointed Windows to REMNux, so that we could analyze and modify the traffic accordingly.

I’m a fan of httpd and fakedns in REMNux, but feel free to pick your poison. Figure 5 shows initiation of httpd and fakedns services.

Figure 5

Figure 5 — Running httpd and fakedns

After everything is set up with Internet connectivity, Figure 6 indicates opening and executing the file obtained from the suspicious email. Once executed, we see a child process spawning from this exe (Figure 7), as well as a prompt for firewall access, as indicated in Figure 8.

Figure 6

Figure 6 — Running the executable

 

Figure 7

Figure 7 — Child process spawned by exe

 

Figure 8

Figure 8 — Prompt for firewall access

After a few strange DNS queries to IP addresses and allowing the firewall request as indicated in Figure 9, the malware attempts to connect to several domains, most of which appear randomly named.

Figure 9

Figure 9 — DNS Queries

The content of the packets show data being posted out. The “host:” field should contain the domain name of the site that’s being requested. “default” is not a domain name (Figure 10), and this would make a good IDS signature.

Figure 10

Figure 10 — Packet Data

Comparing user-agent strings of the POST requests made by the executable versus a typical HTTP request made from Internet Explorer, indicates one slight variation. The user agent listed in the top two-rows in Figure 11 is from a legitimate request made through Internet Explorer, whereas the bottom one is our executable’s custom user-agent. When looking in network logs, seeing varying user-agents coming from the same IP address can be an indication of suspicious activity in this host.

Figure 11

Figure 11 — Comparison of user agent strings

We can track changes using Regshot to see what happened on the system. Here, we can see that the following file was created on the volume (this is our malware), as observed in Figure 12:

C:Usersb4dn3ssAppDataLocalTempMucihuipky.exe

The malware will also run at startup for persistence.

Figure 12

Figure 12 — Registry Entry

Remember that prompt for firewall access in Figure 8? Here are the entries in the registry that are being written. This gives some insight that the malware is able to communicate over UDP and TCP.

HKLMSYSTEMControlSet001servicesSharedAccessParametersFirewallPolicyFirewallRulesTCP Query User{7E1DD870-D017-4A4E-BBA3-27F92F36225B}C:usersb4dn3ssappdatalocaltempmucihuipky.exe: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:usersb4dn3ssappdatalocaltempmucihuipky.exe|Name=huipky.exe|Desc=huipky.exe|Defer=User|”
HKLMSYSTEMControlSet001servicesSharedAccessParametersFirewallPolicyFirewallRulesUDP Query User{A3DEEB87-3ECA-4B43-BA13-7792B22DDF65}C:usersb4dn3ssappdatalocaltempmucihuipky.exe: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:usersb4dn3ssappdatalocaltempmucihuipky.exe|Name=huipky.exe|Desc=huipky.exe|Defer=User|”
HKLMSYSTEMCurrentControlSetservicesSharedAccessParametersFirewallPolicyFirewallRulesTCP Query User{7E1DD870-D017-4A4E-BBA3-27F92F36225B}C:usersb4dn3ssappdatalocaltempmucihuipky.exe: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:usersb4dn3ssappdatalocaltempmucihuipky.exe|Name=huipky.exe|Desc=huipky.exe|Defer=User|”
HKLMSYSTEMCurrentControlSetservicesSharedAccessParametersFirewallPolicyFirewallRulesUDP Query User{A3DEEB87-3ECA-4B43-BA13-7792B22DDF65}C:usersb4dn3ssappdatalocaltempmucihuipky.exe: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:usersb4dn3ssappdatalocaltempmucihuipky.exe|Name=huipky.exe|Desc=huipky.exe|Defer=User|”

Here’s how you can spot this in your enterprise based on the above analysis:

  • IDS signature for “host: default” via HTTP
  • Slight variations of UA’s from a single host?
  • Exe’s running from temp directories
  • Firewall rules for files running from “temp”
  • Strange entries in startup
  • File hashes (may not be the best in this case, but still possible)
  • Should your users be going to these domains? Probably not.
Figure 13

Figure 13 — Phishy Domains

To further confirm the malicious nature of the analyzed sample, several AV vendors are picking this up as ZeuS / ZBot, see Figure 14.

Figure 14

Figure 14 — Anti-virus report

Zip hash: 3e33b04161a5bc3d08c337ea4160d633
Exe hash: 1040d52fe3677192eabba383f6d81b34

This malware could have been used to harvest credit cards, SSN’s, passwords, and anything else on the system, if a user clicks on this attachment and executed the file as shown in our analysis. This is a common technique used by the attackers because it is a simple and very effective lure to make users believe that it was a legitimate email.

–Ronnie Tokazowski