On 4/6, the Phishing Intelligence team came across a wave of phishing emails that delivered malware via a .js file packaged inside a zip file. This is nothing new, and has been seen being pushed out by resources associated with the Dridex botnet and the Locky encryption ransomware. The interesting piece is that the attackers are using a new piece of malware called RockLoader to download and install the malware on remote systems. Downloaders are nothing new either, as Upatre was used with Dyre and Gameover ZeuS in the past. RockLoader, however, has several tricks up its sleeve.
For this set of phishing emails, the attackers used a Voicemail message theme for their lure.
Once the user opens the zip and executes the .js file, the malware will make a GET request for the RockLoader, the new dropper.
During initial testing, the malware didn’t function as intended, and kept crashing when trying to access different things.
Next, a prompt for the SQL Server Client Network Utility popped up, and explorer.exe crashed, making this particular sample even more curious.
Further analysis showed that RockLoader is experimenting with a method for bypassing Windows User Account Control (UAC). The compile path for the shellcode can be seen in figure 5. It is also worth mentioning that the shellcode was compiled as a 64-bit binary, while the original RockLoader is compiled for 32-bit operating systems. If UAC is enabled on a victim’s computer, RockLoader will attempt to bypass it.
At runtime, once this UAC bypass has been achieved, RockLoader makes HTTP POST requests to the /api/ directory on its command and control host to retrieve encoded commands for its next step. By looking at a network packet capture from this C2 callback process, we can see encoded commands sent back and forth between the host and server. Here’s an example of the traffic response:
Reversing the binary and stepping through it with IDA reveals how the malware decodes the traffic.
Since the algorithm only uses shifts of 4 bits, the malware writers have made it easy to understand how it works. Translating the assembly into something more human readable, these are the steps you can take to decode the traffic on your network (each pair of encoded characters yields one decoded byte):
- Read the first and second characters into memory
- XOR the low-order bits of the first character with the high-order bits of the second character
- The result becomes the high-order bits of the decoded value
- Combine the low-order bits of the second character with the high-order bits of the decoded value
- This is the decoded value
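The steps above as working code, written here as an added example rather than code from the original post or from the malware itself. It assumes that "high-order" and "low-order bits" mean the 4-bit nibbles of a byte (the post notes the routine shifts by 4), and it adds an inverse `encode()` derived from those steps purely to construct sample traffic for testing.

```python
# Decoder for the RockLoader C2 encoding described in the post, reconstructed
# from the prose steps. Assumption: "high-order"/"low-order bits" are the 4-bit
# nibbles of a byte, since the routine uses shifts of 4. Two encoded bytes
# produce one decoded byte.
from typing import Optional


def decode(encoded: bytes) -> bytes:
    """Decode RockLoader C2 traffic: each pair of bytes -> one plaintext byte."""
    if len(encoded) % 2:
        # Assumption: the post does not document how a trailing odd byte is
        # handled, so we treat such input as malformed rather than guess.
        raise ValueError("encoded data must have an even number of bytes")
    out = bytearray()
    for i in range(0, len(encoded), 2):
        c1, c2 = encoded[i], encoded[i + 1]
        # Low nibble of the first char XOR high nibble of the second char
        # becomes the high nibble of the decoded byte.
        high = ((c1 & 0x0F) ^ (c2 >> 4)) << 4
        # Low nibble of the second char fills the low nibble of the result.
        out.append(high | (c2 & 0x0F))
    return bytes(out)


def encode(plain: bytes, mask: bytes = b"A") -> bytes:
    """Inverse of decode(), derived here only to build constructed test traffic.

    The first byte of each pair is free; its low nibble masks the high nibble
    of the plaintext byte. `mask` is cycled to fill that free slot.
    """
    out = bytearray()
    for i, p in enumerate(plain):
        c1 = mask[i % len(mask)]
        c2 = (((p >> 4) ^ (c1 & 0x0F)) << 4) | (p & 0x0F)
        out += bytes([c1, c2])
    return bytes(out)


def leading_keyword(decoded: bytes) -> Optional[str]:
    """Return which of the keywords named in the post ("true", "false",
    "NOTASKS", "UPDATE", "command") a decoded response starts with, or None."""
    for kw in (b"true", b"false", b"NOTASKS", b"UPDATE", b"command"):
        if decoded.startswith(kw):
            return kw.decode()
    return None


if __name__ == "__main__":
    # Constructed sample: "NOTASKS" encoded with a rotating mask byte.
    sample = encode(b"NOTASKS", mask=b"rock")
    print(sample, "->", decode(sample), leading_keyword(decode(sample)))
```

Running the decoder over the body of a captured /api/ POST response is enough to recover the plaintext command list without re-executing the sample.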
Here’s what a decoded command looks like:
Once decoded, the malware checks the beginning of the decoded data for “true”, “false”, or one of several symbols (figure 9). The ability to look for multiple arguments means the loader can accept several possible commands.
For example, the malware has the ability to receive instructions such as “command” and “UPDATE”.
The “NOTASKS” instruction is a special and interesting case. If “NOTASKS” is set, the malware process will create and run the file “1.bat” in the temp directory in order to try and delete itself.
By decoding more commands, we can see that the attackers have the ability to pass multiple arguments and commands to the malware in one request. This greatly increases the efficiency and extensibility of this malware’s operation. Stacking commands in this way is where this new malware downloader really shines. With this capability, the attackers are able to drop several malware payloads to the system at once, or pass multiple commands to a single victim. By browsing to the /files/ directory, we can see that the attackers left the directory listing open, giving us a list of other files they are installing on victims.
One of the files looks to be a calculator using the WinAPI, created by [email protected] (Figure 14). The source code can be downloaded from here (Figure 15). RockLoader has also been observed downloading other malware samples. In collaboration with Palo Alto Networks, a3d090f64b9dbca420f232966d65ecdca333cb497308cea94477e5219af685ae was observed to download both the Kegotip and Pony information stealer malware. Examining leaked Pony source code demonstrates that this malware has the ability to steal credentials as well as Bitcoin wallets, a notable functionality when juxtaposed with the delivery of the Locky encryption ransomware, which demands a Bitcoin ransom to release victims’ files.
On 4/7, we saw another wave of phishing emails using .docm attachments to target victims. The malware in this case was a Word document with a malicious macro, which was used to infect users. This phishing email was themed around Angel Springs, a UK supplier of water dispensers.
The initial spam campaign contains an Office Document with malicious macros that downloaded RockLoader. The RockLoader executable then downloaded several executables from hxxp://185.103.252[.]148/files/. One of these executables is the Locky Loader.
Another executable downloaded was Pony (hxxp://185.103.252[.]148/files/Qlk7Yx[.]exe). It is believed that cybercriminals utilize Pony infostealer in an effort to expand their C2 infrastructure since Pony can also harvest FTP credentials from infected machines. Here is some information about the Pony file:
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File name: Qlk7Yx.exe
File size: 213504 bytes
MD5: 9649061beee87fb3692e02177ad23308
Compile time: 2016-04-07 04:30:45
Sections: 6 (1 suspicious)
Directories: import, resource, relocation
Detected: packer, antidbg
Import hash: 3fa8e98760e737c8a16039cbce251101
Compiler: Microsoft Visual C++ 8 (VC8, Microsoft Corporation)
Resources (name, size): RT_ICON 1128; RT_DIALOG 172 (MS Shell Dlg); RT_GROUP_ICON 132; RT_VERSION 760 (VS_VERSION_INFO)
Version info: LegalCopyright "Copyright (C) 2016"; CompanyName, ProductName and FileDescription left as the Visual Studio "TODO:" placeholders; Translation 0x040c 0x04b0
Here’s a screenshot of the Pony icon:
For further confirmation, we can look at network data matched by Suricata signatures that identify the POST requests as Pony check-ins:
We can also see the POST requests to r56.php by looking at our pcap. (Figures 20 and 21)
For this sample, the following C2 is active.
Historical IP: 22.214.171.124
By looking at passive DNS for the IP address, we can see other possible domains used by the attackers.
Passive DNS: 126.96.36.199
In yet another wave of attacks, we can see RockLoader used to pull down Locky based on the strings in memory:
The introduction of a new malware downloader demonstrates that these attackers are continuing to innovate and experiment with ways to increase their infection rates. Furthermore, we believe RockLoader is intended to fill the gap left in Upatre’s absence by echoing many of the strengths that made Upatre so successful. However, RockLoader seeks to incorporate additional extensibility and functionality, pursuing the goal of widening the ability for threat actors to leverage infected machines by delivering not just Locky but also the Pony and Kegotip information stealers.
For awareness, a scenario has been added to PhishMe Simulator to train users to spot these types of attacks!
Triage customers are protected against these threats. Here’s an example of one of the macro-based phishing emails.