Category Archives: Malware

[ Technical Teardown: Exploit & Malware in .HWP files ]

This article focuses on analysing malicious JavaScript code inside HWP files, and walks through how to analyse .HWP files that were used to deliver malware.

[ 1st Sample used in the analysis ]
MD5: 8EB5A3F38EB3DE734037AA463ADE7665
SHA256: D0361ADB36E81B038C752EA1A7BDC5517B1E44F82909BC2BD27B77B2652667EE
As of writing, the detection rate for this sample according to VT is 12/54.

[ Part 1 : Understanding OLE compound file ]
We first need to understand how OLE compound files work.
An OLE compound file contains folders (called storages) and files (called streams). We will use SSViewer (http://www.mitec.cz/ssv.html) to look inside the malicious .hwp file.

Most of the streams in .hwp files are zlib-compressed. We can see from the image below that the structure of .HWP files differs from that of .doc files.

However, today we are going to focus on “DefaultJScript”. Why that one? Think of “DefaultJScript” as the equivalent of VBA in Office documents.


[ Part 2 : Getting Started ]
For those who want to follow along: do note that this is a MALICIOUS file, so please do the analysis in a “safe” environment.

Now, let’s start getting our hands dirty…and open the suspicious .hwp file with Cerbero Profiler.

As we can see from the image below, the data within “DefaultJScript” looks gibberish. So how do we make sense out of it?


As I mentioned earlier, most of the streams within .hwp files are zlib-compressed.
So let’s “Select All” within the “DefaultJScript” stream and press “Ctrl+T”.

Now let’s add “Unpack Zlib”, remember to check the “Raw” checkbox (HWP streams are raw deflate data without a zlib header), and add it as shown in the image below.


Then let’s press “Preview” and have a look.


After decompressing the raw bytes, we can start to see some readable words, but the text is still in Unicode (UTF-16, so every ASCII character is followed by a 00 byte).

Now let’s add another filter to remove the “00” bytes.
Select “Replace”, change the mode to “Bytes” and enter “00” as the “In” value as shown below.


We should get back something like the one shown below.


If we analyse the decoded JavaScript, we can see more interesting stuff, as shown in the image below.


So it seems that the JavaScript Base64-decodes the very long string and drops the result as “msvcr.exe”.
I wrote the following Ruby script to decode the Base64 string.

After Base64-decoding the string, the output file looks like this:

The hash of this malware is 765834b1b780dacda8baa671c76328445cb8278099bad375ee22130f48920a7a.
We won’t be going through this malware this time round.
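The manual Cerbero steps above (raw-deflate unpack, 00-byte removal, Base64 decode) as one script. This is an added example, not the author’s Ruby script; the stream bytes it runs on are constructed here, and the 200-character Base64 threshold and the .exe file-name pattern are assumptions.

```python
import base64
import binascii
import re
import zlib


def unpack_hwp_stream(blob: bytes) -> bytes:
    """Inflate a compressed HWP stream.

    HWP 5.x streams are raw deflate data without the two-byte zlib header,
    which is why the walkthrough ticks "Raw" in Cerbero's Unpack Zlib filter.
    Fall back to a headered zlib stream in case a tool already added one.
    """
    try:
        return zlib.decompress(blob, -15)
    except zlib.error:
        return zlib.decompress(blob)


def stream_to_text(data: bytes) -> str:
    """DefaultJScript is stored as UTF-16LE text.

    Decoding it properly is the clean equivalent of the "Replace 00 bytes"
    filter, which only works while every character in the script is ASCII.
    """
    return data.decode("utf-16-le", errors="replace")


# A quoted Base64 literal long enough to hold an executable (threshold assumed).
B64_LITERAL_RE = re.compile(r'["\']([A-Za-z0-9+/]{200,}={0,2})["\']')
# Quoted file names ending in .exe, e.g. the "msvcr.exe" drop name.
EXE_NAME_RE = re.compile(r'["\']([^"\'\\/]+\.exe)["\']', re.IGNORECASE)


def extract_embedded_payloads(script: str) -> list:
    """Base64-decode every long literal and note whether it is a PE file."""
    found = []
    for match in B64_LITERAL_RE.finditer(script):
        try:
            payload = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue
        found.append({
            "offset": match.start(1),
            "size": len(payload),
            "is_pe": payload[:2] == b"MZ",
            "data": payload,
        })
    return found


def analyse_default_jscript(blob: bytes) -> dict:
    """Run the whole pipeline on the raw DefaultJScript stream bytes."""
    script = stream_to_text(unpack_hwp_stream(blob))
    return {
        "script": script,
        "dropped_names": EXE_NAME_RE.findall(script),
        "payloads": extract_embedded_payloads(script),
    }


# --- Constructed sample (not bytes from the malicious document) -------------
FAKE_PE = b"MZ" + b"\x90" * 300          # stand-in for the dropped executable
SAMPLE_SCRIPT = (
    'var payload = "' + base64.b64encode(FAKE_PE).decode() + '";\n'
    'var target = "msvcr.exe";\n'
)


def build_sample_stream(script: str) -> bytes:
    """Encode as UTF-16LE and raw-deflate, mimicking how HWP stores the stream."""
    comp = zlib.compressobj(level=9, wbits=-15)
    return comp.compress(script.encode("utf-16-le")) + comp.flush()


SAMPLE_STREAM = build_sample_stream(SAMPLE_SCRIPT)

if __name__ == "__main__":
    result = analyse_default_jscript(SAMPLE_STREAM)
    print("drop names:", result["dropped_names"])
    for p in result["payloads"]:
        print(f"payload at {p['offset']}: {p['size']} bytes, PE={p['is_pe']}")
```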

[ 2nd Sample used in the analysis ]
MD5: a986a3fdf2afba98de21f0596a022b9b
SHA256: bd8fa7793f2192d4ff3979526955d5d6c965218eb0c0fe579f8ef0602357d5a9
As of writing, the detection rate according to VT is still pretty low: 3/53.

[ Part 3 : Getting Started on analysing Exploits in .HWP files ]
This is a .hwp file containing an exploit (most probably CVE-2013-4979 or CVE-2013-0808).
I drew the diagram shown below to illustrate the general idea of how this exploit works.


For this particular exploit, the first thing we should look at is BinData/BIN0001.EPS, as shown below.

There is an unknown error when opening the document with hwp2010.

Nevertheless, analysis can still be done by extracting the EPS file from the document.
Let’s do a quick network check by opening the EPS file with hwp2010: with FakeNet or a similar tool running, we can see that the exploit was indeed executed and connects to www.ethanpublishing[.]com/ethanpublishing/phpcms/templates/default/member/account_manage/teacup.jpg.

We suppose that “teacup.jpg” is most likely the payload. However, the jpg file is no longer available at that URL, so we cannot conduct further analysis on it.


Let’s go on to focus our analysis on the vulnerability that was exploited by the EPS file.

Opening the EPS file in a text editor, we can identify a few components of the exploit.
The green block represents a NOP sled using 0xB5.
The blue block represents a NOP sled using 0x90.
The red block represents the shellcode.


Following the shellcode is the following PostScript command:

This command performs a “heap spray”: 500 blocks of NOP sled plus shellcode are ‘sprayed’ into memory, each allocated as a string with a length of 65535 characters.
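A static check for the spray pattern described above, as an added example rather than code from the write-up: it decodes the PostScript hex strings in an EPS file and flags long one-byte runs such as the 0xB5 and 0x90 sleds. The EPS fragment is constructed, and treating a large `n string` allocation as a second signal is an assumption.

```python
import re

# PostScript hex strings look like <48656c6c6f>; whitespace inside is allowed.
HEX_STRING_RE = re.compile(rb"<([0-9A-Fa-f\s]{32,})>")
# "<n> string" allocates an n-byte string object. Flagging very large n is a
# heuristic assumed here, not a line taken from the malicious EPS.
STRING_ALLOC_RE = re.compile(rb"(\d{4,})\s+string\b")


def hex_string_bytes(body: bytes) -> bytes:
    """Turn the inside of a <...> hex string into raw bytes."""
    digits = re.sub(rb"\s", b"", body)
    if len(digits) % 2:            # PostScript pads a trailing odd digit with 0
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii"))


def longest_run(data: bytes) -> tuple:
    """Return (byte_value, run_length) for the longest run of one byte value."""
    best_val, best_len = -1, 0
    cur_val, cur_len = -1, 0
    for b in data:
        cur_val, cur_len = (b, cur_len + 1) if b == cur_val else (b, 1)
        if cur_len > best_len:
            best_val, best_len = cur_val, cur_len
    return best_val, best_len


def scan_eps(data: bytes, min_run: int = 64, min_alloc: int = 60000) -> dict:
    """Flag hex strings containing a long one-byte run (a NOP sled such as
    0xB5... or 0x90...) and report large string allocations used to spray them."""
    sleds = []
    for m in HEX_STRING_RE.finditer(data):
        raw = hex_string_bytes(m.group(1))
        val, run = longest_run(raw)
        if run >= min_run:
            sleds.append({"offset": m.start(), "size": len(raw),
                          "byte": val, "run": run})
    allocs = [int(n) for n in STRING_ALLOC_RE.findall(data) if int(n) >= min_alloc]
    return {"sleds": sleds, "large_allocs": allocs, "suspicious": bool(sleds)}


# Constructed EPS fragment: a harmless JPEG-header string plus one string laid
# out like the exploit's (0xB5 sled, 0x90 sled, then stand-in filler bytes).
SAMPLE_EPS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n"
    b"%%BoundingBox: 0 0 100 100\n"
    b"/img <ffd8ffe000104a46494600010100000100010000> def\n"
    b"/s <" + b"b5" * 200 + b"90" * 80 + b"deadbeefcafebabe" * 2 + b"> def\n"
    b"65535 string\n"
)

if __name__ == "__main__":
    print(scan_eps(SAMPLE_EPS))
```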

Next we want to determine which vulnerable process the exploit is targeting.
We do so by searching for traces of the NOP sleds and shellcode in the memory of the vulnerable process.
At first it looks like the vulnerable process is likely hwp.exe or HimTrayIcon.exe.


However, we could not locate any trace of the NOP sleds and shellcode in either process.

At this point, I wondered whether other child processes could be created by Hwp.exe. These child processes could have terminated after the execution of the shellcode.

One ‘trick’ we used was to modify the start of the shellcode with the opcode “0xEBFE”, which is actually an infinite loop. This allows the process that executed the shellcode to keep running without terminating.


Now we can attach our debugger to the gbb.exe process, and there we located the NOP sleds and shellcode.


Now that we have located the vulnerable process, we have to debug it to find where the vulnerable code is exploited.
We located the code where hwp.exe creates the gbb.exe process.


We shall modify the “CreationFlags” to CREATE_SUSPENDED. This allows us to attach the debugger at the start of the execution of the gbb.exe process.


After tracing the code, we located the instructions in gsdll32.dll that executed the NOP sled “0xB5B5”, which decodes as MOV CH,B5.


From the vulnerable instructions, we can more or less conclude that the vulnerability is indeed CVE-2013-0808.
For more information on CVE-2013-0808, you can read this article by CoreSecurity:
https://www.coresecurity.com/advisories/eps-viewer-buffer-overflow-vulnerability

In the meantime, we hope you enjoyed reading this, and we would be happy to receive your feedback!

Best Regards
Jacob Soo & peta909

[ Sharing ] Where’s Wally! – Tracking where did victims come from.

I’ve written about shortened URLs four times: twice on this blog and twice on an older website that I no longer maintain.

I have seen recently that a lot of people still blindly click on shortened URLs that they see on Facebook, in forums, or from “familiar names” on their smartphones.
Today I will do a quick, short post about two recent shortened URLs: what their purpose was and where the victims came from.

[ Case Study #1 ]
The first link, https://bitly[.]com/1TVH4va, leads to http://onedayonemillion[.]com/postdk[.]apk.
This .apk file is actually MazarBot.

You can read more about MazarBot here:

As a lot has been written about MazarBot, we also want to know more about the Bit.ly URL; the following Bit.ly URL shows the statistics of where the victims came from.
https://bitly.com/1TVH4va+

As you can see from the image below, there have been 5,037 clicks on this shortened URL since 25th May 2016; 4,569 of them on 25th May 2016 alone.

8 of the clicks came from Facebook and 15 clicks came from forums, mobile, etc. The rest are direct, meaning the shortened URL was clicked directly, possibly via SMS, WhatsApp, etc.

We can also see the geographical distribution of the victims who clicked on this shortened URL.

Based on the image above, it seems that most of the people were from Denmark and some other parts of Europe.
One thing that puzzled me and got me curious: why is the author of MazarBot targeting Danish people?

[ Case Study #2 ]
The next shortened URL we will be looking at is https://bitly[.]com/22kQ0Am

Again, let’s check the statistics and the final URL by appending “+” (without the double quotes) as shown here: https://bitly.com/22kQ0Am+
h–ps://bitly[.]com/22kQ0Am will redirect to h–p://dl[.]dropboxusercontent[.]com/s/rlqrbc1211quanl/accountinvoice.htm

Nice, the link is on Dropbox. Let’s download the page using wget or anything you prefer.
I decided to use wget as I already have it on this particular machine.

I just did a quick wget to check what is inside this accountinvoice.htm and got back the following:

You can change document.write to console.log or alert to get back the unescaped string. For the benefit of non-technical users, you can also just go to http://meyerweb.com/eric/tools/dencoder/, paste the escaped string and decode it.
You should get back the following:

Great, it’s doing a redirect. Let’s do a Base64 decode and we should get back this:

Hmmmm… it seems like a phishing link rather than an exploit-kit link, since the title is “Sign In”.
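The peel-apart steps above (unescape, then Base64) as a static script that never executes the page’s JavaScript. This is an added example, not part of the original post; the accountinvoice.htm stand-in below is constructed, and a meta-refresh to a base64 data: URL is an assumed shape for the redirect.

```python
import base64
import binascii
import html
import re
import urllib.parse

UNESCAPE_CALL_RE = re.compile(r"unescape\(\s*([\"'])(.*?)\1\s*\)", re.DOTALL)
DATA_B64_RE = re.compile(r"base64,([A-Za-z0-9+/=]+)")
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def js_unescape(text: str) -> str:
    """Mirror JavaScript's unescape(): %uXXXX first, then %XX as one code unit each."""
    text = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return urllib.parse.unquote(text, encoding="latin-1")


def decode_b64_lenient(blob: str) -> str:
    """Base64-decode, repairing the padding phishing kits often strip."""
    blob = blob.rstrip("=")
    return base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8", "replace")


def peel(page: str, max_depth: int = 5) -> list:
    """Collect every layer: the page, each unescape() argument decoded, and each
    base64 body found in a data: URL, repeating until nothing new turns up."""
    stages, frontier = [page], [page]
    for _ in range(max_depth):
        found = []
        for stage in frontier:
            found += [js_unescape(m.group(2)) for m in UNESCAPE_CALL_RE.finditer(stage)]
            for m in DATA_B64_RE.finditer(stage):
                try:
                    found.append(decode_b64_lenient(m.group(1)))
                except (binascii.Error, ValueError):
                    pass
        if not found:
            break
        stages += found
        frontier = found
    return stages


def deobfuscate(page: str) -> dict:
    """Peel the page and pull the <title> of every layer; the last one is what
    the victim would actually see (here: "Sign In")."""
    stages = peel(page)
    titles = [html.unescape(t.strip()) for s in stages for t in TITLE_RE.findall(s)]
    return {"stages": stages, "titles": titles,
            "final_title": titles[-1] if titles else None}


# Constructed stand-in for accountinvoice.htm, built back to front; the real
# page's final layer and redirect shape are not reproduced here.
FINAL_PAGE = ("<html><head><title>Sign In</title></head>"
              "<body>Google Drive - please sign in to view the document</body></html>")
STAGE1 = ('<meta http-equiv="refresh" content="0;url=data:text/html;base64,'
          + base64.b64encode(FINAL_PAGE.encode()).decode() + '">')
SAMPLE_HTML = ('<html><body><script>document.write(unescape("'
               + urllib.parse.quote(STAGE1, safe="") + '"))</script></body></html>')

if __name__ == "__main__":
    for i, stage in enumerate(deobfuscate(SAMPLE_HTML)["stages"]):
        print(f"--- stage {i} ---\n{stage[:120]}")
```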

As I didn’t want to alert the phisherman too much, I tweaked my wget as follows:

After grabbing the page, we can see that it’s indeed a “Google Drive” phishing page.

I hope this short post serves as a good reminder not to blindly click on shortened URLs unless you totally trust the source or have verified them yourself.

Happy Reversing
Jacob Soo

[ Walkthrough : X-CTF 2016 – Worm ]

Quest: A malware was caught infecting “NUS GOVT” thumb drive. Encryption was used to encrypt outgoing data. Please submit the answer in the following format: XCTF{SHA1 of (key1 + key2 + key3)}

File: add4f352cbcb62fffe01eccf78a912b8

SHA1 Hash: 16e9245a14e223b83fde700aa6904e2f487ef07b

Let’s begin by firing up IDA Pro to see what we can find.

Going through the IAT, we can see that the SetupDi… functions are called. A quick reference to MSDN reveals that these functions are used to enumerate Plug and Play devices.

SetupDiGetDeviceRegistryProperty retrieves a specified Plug and Play device property.

Figure 1. Imports

Cross-referencing the function (press x in IDA Pro) reveals much more… It seems the malware is trying to find a USBSTOR device. This makes sense, since the quest already stated that the malware infected a “NUS GOVT” thumb drive. Let’s set a breakpoint later in OllyDbg to see what is really going on. Further down the disassembly, we can see that it is trying to match the string “NUS GOVT”. Just take note of this for now.

Figure 2. Checking for SPDRP_ENUMERATOR_NAME & SPDRP_FRIENDLYNAME

In the strings, we can see interesting artifacts as well… it looks like the malware is trying to spread via autorun.inf. Let’s take note of that for now. We can also see strings like wsock32.dll and Ws2_32.dll, but in the imports we did not see any functions related to these libraries. Probably GetProcAddress is being used…

Figure 3. autorun.inf in strings

OK, let’s fire up OllyDbg. Crap, we encountered an access violation! Scrolling upwards, we realise what the malware is doing… an anti-debugging mechanism!

Figure 4. Access Violation

A jmp is made to 0x4141FD+1 if a debugger is found; otherwise the next EIP should be 0x4041F4. We can simply set a new origin at 0x4041F4 to bypass the anti-debug check.

Figure 5. fs[18h]

Let’s set a breakpoint @0x4026D1 (refer to Figure 2) with a thumb drive plugged in =).

Figure 6. Matching Thumb drive name with NUS GOVT

OK… let’s just change the extracted device name to NUS GOVT manually as shown below.

Figure 7. Changing name to NUS GOVT

Run the binary and see what happens…

The binary crashes again… but this time round some files are dropped onto my thumb drive.

Figure 8. autorun.inf

It seems a binary was dropped into the RECYCLER folder, and it is hidden. Let’s use “attrib -h -s” to unhide the folders.

Figure 9. Dropped Binary

Firing up the binary in IDA Pro, it seems the binaries are the same… but the hash is different. Loading the binary in OllyDbg, we encounter the same anti-debugger code. So let’s set the same breakpoint again @0x4026D1 and change the thumb drive name to “NUS GOVT”… Being lazy, I just hit the run button and monitored for any dynamic traces. Wireshark sniffed some HTTP traffic!

Figure 10. HTTP traffic detected!

Remember that earlier we suspected GetProcAddress is used, since we couldn’t see any network-related API in the imports but noticed such libraries in the strings segment. Set a breakpoint @GetProcAddress and see if we can find anything useful.

Figure 11. WSAStartup via GetProcAddress

Returning to user code… we see this in OllyDbg… =(

Figure 12. Rubbish Codes?

Re-analyse the code to get a more readable representation of the above =)

Figure 13. Assembly codes =)

Analysing the functions above, we can see outgoing connections to nus.edu.sg/ctf.php with some data (passed in via arguments) appended to the User-Agent string… Let’s return to see who calls this function.

Figure 14. Encrypted Data?

It seems that the function @0x403210 is protected: if you put a software breakpoint inside 0x403210, it becomes useless once the code is rebuilt at runtime. In this case we should use a hardware breakpoint instead. Before calling 0x403210, a function @0x401FD0 is called twice to deobfuscate the code @0x403210; after 0x403210 returns, @0x401FD0 is called twice again to re-obfuscate the code.

Figure 15. Send Data out

Scrolling up from Figure 15, we can see a pattern… a function @0x401090 is deobfuscated and re-obfuscated 3 times before a call is made to the send function above (0x403210).

Figure 16. 0x401090 the encryption method

Putting a breakpoint @0x401090, we can observe something pretty interesting… the function is being passed my computer name and a string which might be the encryption key.

Figure 17. Key 1 found

Running through 2 more breakpoints, we would have collected the 3 keys!

Figure 18. 2nd Key found

Figure 19. 3rd key found

OK so the flag should be

sha1(“MED DNI PTS oRTO RUO VAN MOC iASP VED MDA IONDEADBEEFNU5_MA5T3R”)

XCTF{1f5020e4c091d1464c16c157bc0e56f3d81a3b3a}

WRONG!

It turns out that the above flag is wrong. Remember the autorun.inf… there are some parameters passed in; refer to Figure 8.

Let’s try to re-run the steps with the parameters passed in…

Figure 20. A different 2nd Key

and… we got a different 2nd key!

sha1(“MED DNI PTS oRTO RUO VAN MOC iASP VED MDA IONMEDiCINENU5_MA5T3R”)

AND THE ACTUAL FLAG IS: XCTF{db8496580ff636bc51ade827d1999d32d5dabb1c}

40 points =D

[ Technical Teardown: Maybank Phishing Malware – Part 1 ]

Recently, Jacob discovered two interesting phishing websites, http://maybankk2u[dot]com and http://maybank2u-my[dot]com. These two websites have identical code and come with a malware in them.

The malware we discovered is a file infector virus. It scans the system for .html files, .exe files and autorun.inf and inserts malicious code into them.

[ Sample used in the analysis ]
MD5: 44A604F9D96368A83DF55E19644321D3
SHA1: CDBF41310DAE6EFF1127BB92A217369FD2F90B37896568D4F34528AC20468B5C
Malware Sample: index page
Password is “infected29A”

[Backdoor Analysis]
A brief high-level overview of the malware infection process flow.

Figure 1 – Infection process

[ Initial Exploitation ]
The backdoor is dropped onto the victim’s machine via a malicious VBScript in the phishing home page.

Figure 2 – Maybank Phishing homepage

[ VBScript analysis ]
Scrolling down the HTML source of the webpage, you will come across a large chunk of alphanumeric text. If you look closer at the start of this chunk, you will see the hexadecimal “0x5A4D”, which is MZ in ASCII. A file that starts with an MZ header suggests that it is a PE file. You may refer to http://wiki.osdev.org/PE for more information about PE files.

To obtain the payload you can either run the VBScript (which I don’t really recommend) or simply copy the entire hexadecimal wall of text into a hex editor and save it as a .exe file.

Figure 3 – MZ header spotted

Figure 4 – Dropping malware into temporary folder

When the VBScript is executed, it drops an executable into the target’s temp folder. The file name is hard-coded: the malware author is probably trying to hide the malware in plain sight by using a common Windows executable name, svchost.exe.

The details of the malware extracted from the HTML are as follows:
SHA256: FD6C69C345F1E32924F0A5BB7393E191B393A78D58E2C6413B03CED7482F2320
VirusTotal Report: 50/54 (link); 2016-02-03 11:56:14 UTC
Compiled Date/Time: 2008-02-12 11:02:20
Packed: UPX

Let’s unpack the malware using the UPX tool itself.

Figure 5 – Unpacking using upx -d

The details of the unpacked malware are as follows:
SHA256: 876C5CEA11BBBCBE4089A3D0E8F95244CF855D3668E9BF06A97D8E20C1FF237C
VirusTotal Report: 44/54 (link); 2016-02-02 23:21:33 UTC
Compiled Date/Time: 2008:02:12 12:02:20+01:00

The malware camouflages itself as a Bitdefender management console. Another interesting thing to note is that both the product version and the file version look like an IP address (106.42.73.61).

Figure 6 – Possibly an IP address

[ Dynamic Analysis ]
Let’s begin our journey in analysing this piece of malware. The malware author used anti-reversing techniques to deter malware analysts from reversing it, so looking at the binary in IDA Pro isn’t of much use. Procmon, however, surfaces some interesting things.

Figure 7 – New file dropped

As we can see from Figure 7, the malware writes a new executable to “C:\Program Files\Microsoft\DesktopLayer.exe”. After comparing the hashes of the newly dropped executable, I can conclude that the malware simply copied itself to the new location.

Figure 8 – Executing DesktopLayer.exe

After the file has been copied to the new location, a ProcessCreate call executes the newly dropped executable. The current executable then terminates.

Figure 9 – Executing Default Browser

Analysing DesktopLayer.exe in OllyDbg shows that the malware attempts to run the default browser of the operating system; in this case it is attempting to execute IEXPLORE.EXE. On further examination, we notice that the malware is actually writing into the memory of the suspended IEXPLORE.EXE process. This technique is known as process hollowing. Once the malware has finished writing its code into the IEXPLORE.EXE process, it resumes the suspended thread.

Figure 10 – Mutex

Based on Figure 10, taken from Process Explorer, we can observe that the malware uses a unique string (KyUffThOkYwRRtgPP) as its mutex.

It is also noted that the malware adds the following key to the registry: “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit”. By doing so, it is able to maintain persistence on the victim’s machine.

Figure 11 – Persistent Registry Key

To get the actual malware code that is running inside IEXPLORE.EXE, we need to attach OllyDbg to the running process; using the OllyDumpEx plugin we can then dump the running process.

The dumped process contains some interesting strings.

Figure 12 – Script Tags and Autorun?

There are some more interesting strings in the dump that suggest there is an antidote for this virus. It also contains the mutex key and a domain name.

Figure 13 – Antidote is available

I am interested in using the antidote. Analysing the injected process memory dump, we come to the following assembly code. To activate the “Antidot”, we just need to add a registry key: “HKLM\Software\WASAntidot\disable”.

Figure 14 – Disable Malware

As shown in Figure 15, we can prevent mass infection by the virus by adding the registry key mentioned earlier. We even get a nice message box telling us that Antidot is activated.

Figure 15 – Antidot Activated

The malware loops through the folders on the victim’s machine and edits every HTML file it comes across with the same malicious code we found on the phishing website. It also attempts to infect suitable .exe files with malicious code. Once an infected executable is run, a copy of the same malware is dropped and executed on the machine.

The malware also infects removable drives by editing autorun.inf and planting itself in the RECYCLER sub-folder. Better unplug your removable drives from the VM before you try analysing this!

The malware attempts to resolve a domain, fget-career.com. It also attempts to resolve google.com.

Figure 16 – DNS queries in Wireshark

Figure 17 – Spawning Shell

Once the malware reaches the fget-career URL, it can execute a shell on the target machine if commands are given.

Figure 18 – Open port 4678

The malware also attempts to listen on port 4678.

Figure 19 – Port 4678 Opened

One of the common ways that most AV companies find infected or breached systems is by using IOCs. We should be looking for known (or suspicious) command and control (C&C) traffic on the network and for known-bad or suspicious indicators on the hosts.

Based on our dynamic analysis, below are the known IOCs that we can scan our PCs for.

[ Host based Indicator ]

  1. Mutex – KyUffThOkYwRRtgPP
  2. File – C:\Program Files\Microsoft\DesktopLayer.exe
  3. File – temp folder\svchost.exe
  4. Registry Key – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  5. Process – Default Browser with no parent
  6. C:\Program Files\Internet Explorer\complete.dat (Default browser path)
  7. C:\Program Files\Internet Explorer\dmlconf.dat (Default browser path)

[ Network based Indicator ]

  1. fget-career.com (DNS)
  2. User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
  3. Listener on port 4678
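The indicators above turned into a host check, as an added example that is not the write-up’s own code. It works on a snapshot dictionary (mutex list, file list, Userinit value, process table, netstat and log lines) so the collection step is left to whatever tooling you run on the host; the snapshot below is constructed, the browser image names are assumed, and the Userinit value is a guessed shape since the post does not show it.

```python
import re

# Indicators taken from the write-up above
IOC_MUTEX = "KyUffThOkYwRRtgPP"
IOC_FILES = [
    r"C:\Program Files\Microsoft\DesktopLayer.exe",
    r"C:\Program Files\Internet Explorer\complete.dat",
    r"C:\Program Files\Internet Explorer\dmlconf.dat",
]
IOC_DROP_NAME = "svchost.exe"     # dropped into the user's temp folder
IOC_DOMAIN = "fget-career.com"
IOC_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
IOC_PORT = 4678
# Image names that may be the default browser (assumed list)
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def userinit_extras(value: str) -> list:
    """Winlogon\\Userinit is a comma-separated list that normally holds only
    userinit.exe; any other entry is a persistence hit worth inspecting."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and not entry.lower().endswith("userinit.exe"):
            extras.append(entry)
    return extras


def orphaned_browsers(processes: list) -> list:
    """processes: (pid, ppid, image). A browser whose parent no longer exists is
    the 'default browser with no parent' left behind by the hollowing step."""
    live = {pid for pid, _, _ in processes}
    return [p for p in processes if p[2].lower() in BROWSERS and p[1] not in live]


def listening_ports(netstat_lines: list) -> set:
    """Parse 'netstat -ano'-style lines into the set of listening TCP ports."""
    return {int(m.group(1)) for m in map(LISTEN_RE.match, netstat_lines) if m}


def scan(snapshot: dict) -> list:
    """Evaluate every indicator against a host snapshot and return the hits."""
    hits = []
    if IOC_MUTEX in snapshot.get("mutexes", []):
        hits.append(f"mutex {IOC_MUTEX}")
    present = {p.lower() for p in snapshot.get("files", [])}
    hits += [f"file {f}" for f in IOC_FILES if f.lower() in present]
    temp_dir = snapshot.get("temp_dir", "").rstrip("\\").lower()
    if temp_dir and f"{temp_dir}\\{IOC_DROP_NAME}" in present:
        hits.append(f"file {IOC_DROP_NAME} in temp folder")
    hits += [f"userinit extra entry {e}" for e in userinit_extras(snapshot.get("userinit", ""))]
    hits += [f"orphaned browser {name} pid {pid} (parent {ppid} gone)"
             for pid, ppid, name in orphaned_browsers(snapshot.get("processes", []))]
    if IOC_PORT in listening_ports(snapshot.get("netstat", [])):
        hits.append(f"listener on tcp/{IOC_PORT}")
    if any(IOC_DOMAIN in line.lower() for line in snapshot.get("dns_log", [])):
        hits.append(f"dns lookup {IOC_DOMAIN}")
    if any(IOC_USER_AGENT in line for line in snapshot.get("http_log", [])):
        hits.append("C&C user agent seen")
    return hits


# Constructed snapshot of an infected host (every value below is made up for
# the demo; the Userinit shape is a guess, the post does not show the value).
SAMPLE_SNAPSHOT = {
    "mutexes": ["Global\\MSCTF.Asm.MutexDefault1", IOC_MUTEX],
    "files": [
        r"C:\Program Files\Microsoft\DesktopLayer.exe",
        r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
    ],
    "temp_dir": r"C:\Users\alice\AppData\Local\Temp",
    "userinit": r"C:\Windows\system32\userinit.exe,,C:\Program Files\Microsoft\DesktopLayer.exe",
    "processes": [(4, 0, "System"), (512, 4, "winlogon.exe"), (1480, 512, "explorer.exe"),
                  (2004, 1480, "iexplore.exe"),    # launched normally by the user
                  (2244, 3188, "iexplore.exe")],   # parent 3188 has already exited
    "netstat": ["  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    704",
                "  TCP    0.0.0.0:4678   0.0.0.0:0    LISTENING    2244"],
    "dns_log": ["2016-02-03 11:57:02 A fget-career.com -> NXDOMAIN"],
    "http_log": ['GET / HTTP/1.1 "' + IOC_USER_AGENT + '"'],
}

if __name__ == "__main__":
    for hit in scan(SAMPLE_SNAPSHOT):
        print("HIT:", hit)
```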

[ Whois information ]

Domain Name: MAYBANKK2U.COM
Registrar: CHENGDU WEST DIMENSION DIGITAL TECHNOLOGY CO., LTD.
Sponsoring Registrar IANA ID: 1556
Whois Server: whois.west263.com
Referral URL: http://www.west.cn
Name Server: NS3.MYHOSTADMIN.NET
Name Server: NS4.MYHOSTADMIN.NET
Status: ok https://www.icann.org/epp#OK
Updated Date: 02-feb-2016
Creation Date: 02-feb-2016
Expiration Date: 02-feb-2017

IP Address:  207.226.137.64

Domain Name: MAYBANK2U-MY.COM
Registrar: CHENGDU WEST DIMENSION DIGITAL TECHNOLOGY CO., LTD.
Sponsoring Registrar IANA ID: 1556
Whois Server: whois.west263.com
Referral URL: http://www.west.cn
Name Server: NS3.MYHOSTADMIN.NET
Name Server: NS4.MYHOSTADMIN.NET
Status: ok http://www.icann.org/epp#OK
Updated Date: 02-feb-2016
Creation Date: 02-feb-2016
Expiration Date: 02-feb-2017

IP Address:  207.226.137.64


Once again, a network whois on the suspicious IP we got from the product version earlier points back to China.

However, based on the analysis done on the malware, and on passive DNS and past whois records from VirusTotal and who.is, the IP address we got from the product version earlier is likely a fake to throw us off.

Another thing to note is that fget-career.com seems to be offline at the moment, and it will expire in March 2016. Therefore, if we are interested in knowing/plotting how widespread the infection of this malware is, or in taking over this malware, we could attempt to buy this domain and host our own C&C server.


[ Sharing ] Analysing and retrieving the Statistics from shortened URLs

I’m going to talk about how you can view or check whether someone else clicked on the same shortened URL as you.
This is also pretty useful if you want to know whether you are the target of a scam or are being targeted by a drive-by.

The url which i’m going to test today is this:
http://www.dailychanges.com/

Let’s go through some of the URL shorteners and how we can get more info from these shortened URLs.
Bit.do
======
The original shortened link is http://bit.do/bKoMw
But if you append a “-” (without the double quotes), like this: http://bit.do/bKoMw-
you will get to the statistics page for this shortened URL.
It gives some important information about referrer sites, referrer pages and even visitor IPs.
Probably dangerous if users are being targeted.

Next we will talk about Is.gd
Is.gd
======
The original shortened link is http://is.gd/MyG7K6
However, if users want to look at the statistics, they can simply change the url to something like the one below.
http://is.gd/stats.php?url=MyG7K6

Next we will talk about
Goo.gl
======
The original shortened link is http://goo.gl/z8w84
But if you append a “+” (without the double quotes) or “.info”, like this: http://goo.gl/z8w84+ or http://goo.gl/z8w84.info
Once you go to the statistics page, you will be redirected to something like this:
https://goo.gl/#analytics/goo.gl/z8w84/all_time

Next we will talk about
Bit.ly
======
The original shortened link is https://bit.ly/1LsiFyY
But if you append a “+” (without the double quotes), like this: https://bit.ly/1LsiFyY+
Using the statistics page, you can also check which other users are sharing the exact same URL as you did.
Please note that if the other user(s) used Google Analytics parameters in the URL, you might not be able to see them on your statistics page.

Next we will talk about
crop.is
=======
The original shortened link is http://crop.is/NV8
However, if users want to look at the statistics, they can simply change the url to something like the one below.
http://crop.is/NV8+

tiny.ph
=======
The original shortened link is http://tiny.ph/2mCe
In order to access the statistics, they can simply change the url to something like the one below.
http://tiny.ph/2mCe+

tny.im
=======
The original shortened link is http://tny.im/3Bm
In order to access the statistics, they can simply change the url to something like the one below.
http://tny.im/3Bm+

tiny.cc
=======
The original shortened link is http://tiny.cc/xtad8x
In order to access the statistics, they can simply change the url to something like the one below.
http://tiny.cc/xtad8x~

If there isn’t any means to check the stats of a shortened URL, always make sure to use an online service like http://longurl.org/ to check that the shortened URL is not redirecting to some malicious URL.

I hope that readers will find all the information written here useful.

Have Phun
Jacob Soo

[ Technical Teardown: Malware Targetting Singapore Banks ]

[ Background ]
Originally I wanted to let one of the local students write about it, but he was busy with school, internship and solving challenges.
It’s also been a very long time since we wrote any “Technical Teardown” on malware/exploits here.

I got hold of this particular malware sample just days after these two reports:
http://www.abs.org.sg/pdfs/Newsroom/PressReleases/2015/MediaRelease_20151201.pdf
http://www.channelnewsasia.com/news/singapore/50-smartphone-users-in/2308976.html

The Association of Banks in Singapore (ABS) released an advisory to alert consumers on malware targeting mobile banking customers in Singapore.
We hope this technical teardown might be interesting to some of you.

[ Sample used in the analysis ]
MD5: 76745CE873B151CFD7260E182CBFD404
SHA1: 0F7C012466157891C1D12ADDDD4DFA0B8291DD75
Malware Sample: 76745ce873b151cfd7260e182cbfd404
Password is “infected29A”

Since it’s an Android malware, let’s check the permissions of this malware and further dissect it. Use apktool and run the following command:

Now let’s take a look at the AndroidManifest.xml file; you should see the following, including the permissions requested by the APK.

As we can see from AndroidManifest.xml, it asks for quite a lot of permissions and it’s probably obfuscated.

Looking at strings.xml and styles.xml, we can see that customised themes have been created for various banking applications.
This malware targets a number of banks by mimicking the authentic app and phishing for important banking information from the infected user, as shown below.
Figure 1 – Customised Themes

[ Junk Codes as Anti-Analysis? ]
It took me 20-30 minutes to realise that this author uses lots of junk code, possibly with the purpose of deterring people like me from reversing the malware.
Important metadata such as strings and function names are also obfuscated, as shown in the image below.

Figure 2 – Junk Code with no useful functionality

Since the malware sample is heavily obfuscated, some of the things I usually look out for are calls like Base64.decode, loadDataWithBaseURL or sendTextMessage.

[ Revealing of Hidden Configuration Strings ]
So I did a quick grep and found out that it does use “Base64.decode”, as shown below.
Figure 3 – Base64 encoded string

The following is the Base64 string which I extracted from the malware.

After Base64-decoding it, I got back the following strings.

As we can see, the decoded strings contain IP addresses and other interesting strings. We can also safely assume that the malware author uses “@” as a delimiter.
For better illustration, I replaced all the “@” with newlines.

[ Assessment of Malware ]
We can see that the IP addresses are the C&C servers, communicating on port 34580.
http://37.235.48.177:34580/
http://46.108.39.12:34580/
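Decoding the configuration the way described above (Base64, then split on “@”) as an added script, not the author’s; the two IP:port endpoints are the ones named in the write-up, the other fields are constructed, and guessing the delimiter is an assumption added for configs that do not use “@”.

```python
import base64
import re
from collections import Counter

URL_RE = re.compile(r"^https?://[^\s@]+$", re.IGNORECASE)
IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")


def b64_decode_lenient(blob: str) -> bytes:
    """Strip whitespace and restore padding; both are often missing in configs."""
    blob = re.sub(r"\s+", "", blob).rstrip("=")
    return base64.b64decode(blob + "=" * (-len(blob) % 4))


def guess_delimiter(text: str, candidates: str = "@|;#~") -> str:
    """Return the candidate separator that occurs most often ("@" for this sample).
    Guessing is an assumption added here for configs that use another character."""
    counts = Counter(c for c in text if c in candidates)
    return counts.most_common(1)[0][0] if counts else "@"


def parse_config(blob: str, delimiter: str = None) -> dict:
    """Decode the Base64 config, split it, and normalise C&C entries to URLs."""
    text = b64_decode_lenient(blob).decode("utf-8", "replace")
    delimiter = delimiter or guess_delimiter(text)
    fields = [f.strip() for f in text.split(delimiter) if f.strip()]
    c2, other = [], []
    for field in fields:
        ip_match = IP_PORT_RE.match(field)
        if URL_RE.match(field):
            c2.append(field)
        elif ip_match:
            ip, port = ip_match.groups()
            c2.append(f"http://{ip}:{port or 80}/")   # same form the write-up lists
        else:
            other.append(field)
    return {"delimiter": delimiter, "fields": fields, "c2": c2, "other": other}


# Constructed sample: the two endpoints are the ones named in the write-up, the
# remaining fields are invented filler, and the padding is dropped on purpose.
SAMPLE_CONFIG = "@".join([
    "37.235.48.177:34580",
    "46.108.39.12:34580",
    "https://example.invalid/gate.php",
    "sms_forward=1",
    "MyCompany Security",
])
SAMPLE_B64 = base64.b64encode(SAMPLE_CONFIG.encode()).decode().rstrip("=")

if __name__ == "__main__":
    result = parse_config(SAMPLE_B64)
    print("delimiter:", result["delimiter"])
    for url in result["c2"]:
        print("C&C:", url)
```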

Within the malware sample, we also found that it targets victims with accounts at the following banks.
Austria
=======

Dexia Kommunalkredit Bank
Bank Austria
Erste Bank und Sparkassen (Thanks to Alex Inführ for pointing my mistake.)
RGB (Raiffeisen Banking Group)
George (https://mygeorge.at/)
DK (Deutsche Kreditbank AG)
Bawag (BAWAG P.S.K)

Australia
=========

Westpac
St George
Gomoney
National Australia Bank
Commbank

New Zealand
===========

Westpac
Bank of New Zealand
ANZ Bank New Zealand

Singapore
=========

DBS
OCBC
POSB

Hong Kong
=========

Citibank
Bank Of China
Hang Seng Bank
Breeze

I’ll update this post later on how we can reverse such malware much more easily.
In the meantime, I hope you enjoy reading it.

Happy Reversing,
Jacob Soo

[ Walkthrough : SyScan 2015 Badge Challenge ]

Two days ago, a few of us went to SyScan and completed the Badge Challenge that was put together by the SyScan crew.
Here is a short write-up of our experience with all of the puzzles, their solutions, and the steps to solve them.
Of course, @miaubiz gave us a huge clue for solving the last stage, and he also found the “Easter Egg” or “Debug Mode” in it.

Spoiler Alert: The following article is a detailed and methodical walkthrough of how to solve the challenge.
So please do take note and understand that this document contains MASSIVE spoilers!
If you’d rather try it for yourself, stop reading now and go and play NOW!

Still here?
Alright, let’s go!

[ Stage 1 ]

One of the options we had when we powered up the badge was “Unlock 1”.
So we tried a bunch of options like “Open”, “Open Sesame”, “Open now God Damn It”, but we always got back the following QR code.
The above QR code translates to “Try \"Unlock\"”.
So we thought, why not just try “Unlock”?

Surprisingly, we got back another QR code.
This QR code translates to “insufficient privilege”.
Initially, we thought that maybe we needed a special “username” before we could unlock this.
So we started brute-forcing all the possible “usernames” used by “admin”.
But all these still failed, until after the first tea break we tried “sudo unlock”, as shown in the image below.
w00t h00t, we have successfully unlocked “Stage 1”.

[ Stage 2 ]
When we tried to unlock “Stage 2” using the same password as “Stage 1”, we got back something that looked like “morse code”.
After decoding the “morse code”, we got back “ttall”.
We tried that but, alas, it didn’t work at all. Then Thomas gave everyone this clue: it’s not a full morse code.

We wondered whether it could be “--all”, since it sounds and looks like it.
So we entered “--all”, but it wasn’t the key to “Stage 2”.
After another round of tea break, we thought: could it be that “--all” is appended to the answer for “Stage 1”?
So we tried “sudo unlock --all”. “Stage 2” unlocked.

[ Stage 3 ]
For “Stage 3”, we saw a new option for us to choose, “Crypt-analysis”.
Selecting this option, we can see the following instruction.
IMG_0084

Our initial thought was, “Let’s use Base32 to decrypt it”.
However, we tried and it failed. We overcame this when @miaubiz gave me a clue: “Try bit flipping technique like +1 and -1 to the character.”
So we listened to his sagely advice and started brute-forcing by using “Ask Oracle”.
For simplicity’s sake, we tried the first 2 characters and we saw this English-looking word.
IMG_0085

“srueamishossifrage” seems like an English word, so we started “Googling” for this word but got no results…then we pondered for a while and realised it could be “squeamishossifrage”, and we found this page.
Hmmmm…“The Magic Words” and “Cipher” were found in this Wikipedia page.

So we tried “squeamishossifrage” and Bingo, we solved this.
IMG_0086

[ Easter Egg or Debug Mode ]
@miaubiz found this interesting “Easter Egg”, or is it a “Debug Mode”? It bypasses “Stage 1” and “Stage 2” and goes straight to “Stage 3”. O_O

So what @miaubiz did was take out the battery, push the joystick to the “Up” position and then re-insert the battery.
Next thing you know, the username is adm1n and you have reached “Stage 3”.

This “Easter Egg” is useful if you don’t want to keep repeating the process of solving the first 2 stages when your badge resets itself back to default.

Let me repeat this again. @miaubiz is a GENIUS.

Another thing we found, though we are still unclear what use it has, is the secret number in “Waste of Time”.

When you start the Game, it shows “Game of Life”. One of us is very familiar with “Game of Life” and he immediately found this secret number.
IMG_0064
Could “Godfather” Thomas Lim be giving us 8696 as the winning number for this week’s 4D? xDDD

We hope that this walkthrough is simple to understand. Please let us know if we did anything wrong in our process in solving this.

Well, all the guys here wish that the “Godfather” Thomas will organise another wonderful .SG conference in 2016 if there is no SyScan 2016…or will SyScan 2016 happen? xDDD

Happy Reversing,
Jacob, Damian & Glenn

[ Technical Analysis: Deceiving ‘Parked Domain’ & several .SG sites serves exploits ]

I reported the following Singapore website(s), which might be serving malicious content, to SingCERT back on 29th November 2014.
But I have just checked today and all of these site(s) are still serving the same malicious content.
Even though they told me back on 1st December that they had notified all relevant partie(s). O_o

For the 1st website, I happened to chance upon this while checking out Lego related stuff.
Severity: Malware Hidden Inside JPG EXIF Headers
Confidence: Certain
Host: h–p://www[.]thebroerscafe[.]sg
Path: /wp-content/uploads/2013/05/Lego-workshop[.]jpg

Issue Description:
The malicious content hides its data in the EXIF headers of a JPEG image.
So how does malicious content in the EXIF headers of a JPEG image get executed?
Basically, it uses the exif_read_data and preg_replace PHP functions to read the headers and execute itself.
If you were to view the EXIF info of the following image:
h–p://www[.]thebroerscafe[.]sg/wp-content/uploads/2013/05/Lego-workshop[.]jpg

You will see something like this.

Image 1 : Exif info of Malicious JPG file

So if you look at it in Notepad++ or in a Hex Editor,
it’s hidden here as shown in the image below.

Image 2 : Malicious JPG opened in Notepad++

Please note the PHP code in the Model EXIF field, but also the string /.*/e in Maker.
Once the base64 string is decoded, the code translates into:

Basically, it evaluates whatever it gets through the POST parameter zz1.
But this is an image, so how does this code get executed?
Thanks to the PHP exif_read_data function –

The PHP function preg_replace will interpret the content as PHP code thanks to the string /e (the Maker field in the EXIF data). This will execute the eval code in the second EXIF field (Model). So basically this is a backdoor that will execute any command inside the zz1 POST parameter. The /e pattern modifier has been deprecated since PHP 5.5.0, which is good news.

So basically this is a two-component backdoor that comprises a JPEG file with malicious EXIF data, and PHP code that executes it.
This PHP code can be easily inserted into any other PHP file found on the server, and will probably not be noticed easily.
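To show what a defender can check for, here is an added Python example (not code from this post or from the Sucuri write-up it links) that parses a JPEG’s APP1/Exif IFD0 directly, pulls out the Make and Model tags, and flags the layout described above: a regex with the /e modifier in Make and PHP, possibly base64-wrapped, in Model. The JPEG samples are built inside the script and the finding strings are my own.

```python
import base64
import re
import struct

MAKE, MODEL = 0x010F, 0x0110   # EXIF tag ids (TIFF ASCII type 2) that the Maker/Model backdoor abuses
PHP_EXEC = re.compile(r"\b(eval|assert|preg_replace|base64_decode)\s*\(", re.I)

def build_jpeg(make: bytes, model: bytes) -> bytes:
    """Constructed test input: a minimal JPEG whose APP1/Exif IFD0 holds only Make and Model."""
    make, model = make + b"\x00", model + b"\x00"
    data_off = 8 + 2 + 2 * 12 + 4                    # TIFF header + count + 2 entries + next-IFD ptr
    ifd = struct.pack("<H", 2)
    ifd += struct.pack("<HHII", MAKE, 2, len(make), data_off)
    ifd += struct.pack("<HHII", MODEL, 2, len(model), data_off + len(make))
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd + struct.pack("<I", 0) + make + model
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def exif_ascii_tags(jpeg: bytes) -> dict:
    """Return IFD0's ASCII tags as {tag_id: text}; Exif places APP1 right after the SOI marker."""
    if jpeg[:4] != b"\xff\xd8\xff\xe1" or jpeg[6:12] != b"Exif\x00\x00":
        return {}
    tiff, tags = jpeg[12:], {}
    e = "<" if tiff[:2] == b"II" else ">"             # byte order: "II" little-endian, "MM" big-endian
    _, ifd = struct.unpack(e + "HI", tiff[2:8])       # magic 42, then the offset of IFD0
    (count,) = struct.unpack(e + "H", tiff[ifd:ifd + 2])
    for i in range(count):
        ent = ifd + 2 + 12 * i
        tag, typ, n, off = struct.unpack(e + "HHII", tiff[ent:ent + 12])
        if typ == 2:                                   # ASCII; values of <= 4 bytes sit inline
            raw = tiff[ent + 8:ent + 8 + n] if n <= 4 else tiff[off:off + n]
            tags[tag] = raw.rstrip(b"\x00").decode("latin-1")
    return tags

def find_exif_backdoor(jpeg: bytes) -> list:
    """Flag the Make=/e-regex, Model=PHP pattern, following base64 wrapping one level down."""
    tags = exif_ascii_tags(jpeg)
    make, model = tags.get(MAKE, ""), tags.get(MODEL, "")
    findings = []
    if re.fullmatch(r"/.*/[a-zA-Z]*e[a-zA-Z]*", make.strip()):
        findings.append("Make is a regex carrying the /e (eval) modifier")
    if PHP_EXEC.search(model):
        findings.append("Model contains a PHP execution call")
    for blob in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", model):
        try:
            decoded = base64.b64decode(blob).decode("latin-1")
        except Exception:                              # not valid base64; move on
            continue
        if PHP_EXEC.search(decoded) or "$_POST" in decoded:
            findings.append("Model embeds base64 that decodes to PHP evaluating request data")
    return findings

# Constructed samples, not the image from the post: one mimicking the backdoor layout, one benign.
INFECTED_JPEG = build_jpeg(b"/.*/e", b'eval(base64_decode("' + base64.b64encode(b'eval($_POST["zz1"]);') + b'"));')
CLEAN_JPEG = build_jpeg(b"Canon", b"EOS 5D")
```

A file that passes this check can still carry other payloads, so treat it as one signal alongside the access-log review the post recommends.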

As the website is using TimThumb, and TimThumb has been known to have several security vulnerabilities for years, I would recommend the website owner discontinue the usage of TimThumb.

If anyone is interested in learning more about this, you can read about it here.
Related Links:
http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html
http://securelist.com/blog/research/58196/malware-in-metadata/

For the 2nd website,
Severity: Redirection to possibly ExploitKit
Confidence: Certain
Host: h–p://www[.]hinhuatdj[.]com
Path: /index[.]html

Issue Description:
If you take a look at the page source of index.html, you will find this malicious JavaScript at the bottom of the page.

Image 3 : Source of Index.html in www[.]hinhuatdj[.]com

Please don’t run the script unless you know what you are doing. Once you have safely decoded it, you will see this.

Image 4 : Decoded Javascript pointing to Malicious website

A quick check against VirusTotal shows that it has previously been flagged as malicious by Kaspersky and Sucuri.

This is the Virustotal report on the website.
https://www.virustotal.com/en/url/57186289dcea318fc52dbfe1ccd850cb5c2e1ffdf3b6be136330cfad1a169f40/analysis/1417239062/

For the 3rd website,
Severity: Compromised website
Confidence: Certain
Host: h–p://www[.]mdas[.]org[.]sg
Path: /

Issue Description:
If you view the page source of the website in a safe manner,
you will be able to see that the page has been injected with malicious HTML code as shown below.
The links seem to be porn URLs.

Image 5 : Injected html codes

Visitors to this website might accidentally click on the porn URLs and potentially be exposed to other malicious stuff.
The IP address of this website is currently 111.235.138.70.
111.235.138.70 currently belongs to Vodien Internet Solutions Pte Ltd, which is a local web hosting company.

For the 4th website,
Severity: ExploitKit
Confidence: Certain
Host: h–p://333bakkutteh[.]com
Path: /index[.]html

Issue Description:
If you view the website in a safe manner, you may find that this website is currently “Parked” or not in use.

However, if you take a look at the page source of index.html, you will find this malicious JavaScript at the bottom of the page.

Image 6 : Injected html codes

Based on personal experience, I can straight away recognise this as an ExploitKit.
Visitors to this website will be exposed to the exploits served by this ExploitKit immediately.
The IP address of this website is currently 112.140.185.140.
112.140.185.140 currently belongs to sparkstation.net, which is a .SG web hosting company.

For the 5th website,
Severity: Serving ExploitKit
Confidence: Certain
Host: h–p://fonghsiang[.]com[.]sg/
Path: /

Issue Description:
If you view the page source of the website in a safe manner,
you will be able to see that the page has been injected with malicious HTML code as shown below.

Image 7 : Injected html codes

For the 6th website,
Severity: ExploitKit
Confidence: Certain
Host: h–p://hychem-ap[.]com[.]sg
Path: /

Issue Description:
If you view the page source of the website in a safe manner,
you will be able to see that the page has been injected with malicious HTML code as shown below. It’s the same as the 5th website.

Image 8 : Injected html codes

For the 7th website,
Severity: ExploitKit
Confidence: Certain
Host: h–p://actinium[.]sg/
Path: /

Issue Description:
If you view the page source of the website in a safe manner,
you will be able to see that the page has been injected with malicious HTML code as shown below. It’s the same as the 5th website.

Image 9 : Injected html codes

Based on personal experience, I can straight away recognise that all of these are ExploitKits.
Visitors to these website(s) will be exposed to the exploits served by this ExploitKit immediately.
The IP address of both h–p://fonghsiang[.]com[.]sg/ & h–p://hychem-ap[.]com[.]sg is currently 203.142.25.182, and h–p://actinium[.]sg/ is currently at 202.157.153.5.

Both 203.142.25.182 & 202.157.153.5 currently belong to Webvisions Pte Ltd, which is a .SG web hosting company.
The impact of these domains is that innocent visitors with no protection could become the next victims if both the malicious scripts and the C2 are still working.
This is a “REMINDER” to everyone not to trust a “site” by its cover and to always exercise caution. Attacker(s) are always thinking of new ways to trojanise victim(s).
The attacker(s) here were clever to hide the malicious code the way they did, because they can easily trick victim(s) who might think that the site(s) are “already expired” or “suspended” by the hosting provider.
But in reality, that’s not the case.

Happy Reversing
Jacob Soo

[ Technical Teardown: PHP WebShell ]

[ How it starts ]
Today, my personal scanner found yet another PHP WebShell.
Since we at VXSecurity.sg haven’t written anything on PHP WebShells, I will write one on it today.
So what is a “PHP WebShell”?
A PHP WebShell can give malicious hackers access to perform the following actions:

  • Archive or extract files
  • Brute-force logins for FTP, MySQL, pgsql
  • Create or delete folders
  • Download files
  • Encode or decode files
  • Open a bash shell command, which allows the remote attacker to execute remote commands
  • Open files
  • Rename files
  • Run SQL commands
  • Search folders
  • Show active connections
  • Show computers the infected computer has access to
  • Show running services
  • Show user accounts
  • Show IP configuration
  • Connect to certain servers

A PHP WebShell also allows attacker(s) to connect to the server(s) and receive arbitrary information about your PC and/or server, sent back on a malicious hacker’s request.
Today, I found this PHP WebShell at http://www[.]motorossarkany[.]hu/images/hir_41_1[.]jpg

[ Sample used in the analysis ]
MD5: 379f63c3df8570a479017757c0826d2e
SHA1: 3f86bd230c01c54d356d910c5ba161b2857ee5fb
PHP WebShell Sample
The pw to the zip is “infected29A”.

[ Tool Used ]
Notepad++

[ Analysis of the .JPG file ]
If we use any hex editor or Notepad++ to open up this .jpg file, the following image is what you will see.

Image 1 : hir_41_1.jpg

We can see right here that it’s basically a .php file instead of a .jpg file.
In this case, we can safely say that the .htaccess file is set to run JPG files as PHP. This is why, although the file extension is GIF or JPG, the PHP code will be executed.

Let’s try decoding the top portion of the script and we should get back this..

Hmmm…seems like $_F and $_X are not used. Or are they?
As we reach the bottom of the file, we see another interesting part of the script as shown in the image below.

Image 2 : Decoding 2nd part of the PHP WebShell

As we can see here, we already have the value of “$OOO0000O0”. The value is “base64_decode”.
So basically, it’s just base64 decoding of

Image 3 : String to be base64 decoded

After we base64 decode it, we will get back the following piece of code.

To avoid anyone accidentally running the script,
just replace the above code snippet with the following code snippet.

Now if you run the script again, you should get back 2 .txt files (“file_x.txt” & “file_R.txt”).
I did this just to show the differences between the 2 for those who are not familiar with PHP.

OK, we should be able to see the actual PHP WebShell as shown below.
Image 3 : Final Deobfuscated PHP WebShell

So the thing that I hope SysAdmins learn here is to always do your due diligence checks on your webserver and check your .htaccess files if there are any.
If you see new image files and lots of entries for them in the access logs, do check the files.
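One way to turn that advice into a routine check, as an added Python example (not the post’s code): it flags files with an image extension whose first bytes are PHP rather than an image, and parses an .htaccess for AddType/AddHandler/SetHandler/ForceType directives that hand image extensions to the PHP handler. The magic-byte table, sample file heads and sample .htaccess are all constructed here; the function names are my own.

```python
import re

# Magic bytes each image extension should start with (lookup constructed for this check).
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",),
}
PHP_OPEN = re.compile(rb"<\?php|<\?=|<script\s+language\s*=\s*['\"]?php", re.I)
# Apache directives that can route a file to the PHP handler; re.M makes ^ match every line.
HANDLER_RE = re.compile(r"^\s*(AddHandler|AddType|SetHandler|ForceType)\s+(\S+)(.*)$", re.I | re.M)

def image_masquerades_as_php(name: str, head: bytes):
    """Return a reason string when an image-named file is not an image (None when it looks fine).
    A real JPEG with PHP hidden in its EXIF still passes here; that case needs an EXIF parser."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in IMAGE_MAGIC or head.startswith(IMAGE_MAGIC[ext]):
        return None
    if PHP_OPEN.search(head):
        return f"{name}: {ext} file opens with PHP code instead of image data"
    return f"{name}: {ext} file lacks the expected image magic bytes"

def scan_upload_dir(files: dict) -> list:
    """files maps filename -> first bytes of that file; returns every suspicious entry."""
    return [r for name, head in files.items() if (r := image_masquerades_as_php(name, head)) is not None]

def htaccess_php_for_images(text: str) -> list:
    """Flag .htaccess directives that make Apache execute image extensions as PHP."""
    hits = []
    for m in HANDLER_RE.finditer(text):
        directive, target, rest = m.groups()
        if "php" not in target.lower():
            continue                                      # e.g. AddType image/webp .webp
        if directive.lower() in ("sethandler", "forcetype"):
            hits.append(f"{directive} {target}: applies to every file in its scope")
        else:
            exts = [e for e in rest.split() if e.lower() in IMAGE_MAGIC]
            if exts:
                hits.append(f"{directive} {target} mapped onto {' '.join(exts)}")
    return hits

# Constructed inputs, not the files from the post.
SAMPLE_FILES = {
    "upload_01.jpg": b"<?php $_F=__FILE__;$_X='';",      # PHP wearing a .jpg name
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",  # genuine PNG header
    "banner.gif": b"NOTANIMAGE",                         # wrong magic, no PHP either
    "readme.txt": b"<?php echo 1; ?>",                   # not an image name, out of scope
}
SAMPLE_HTACCESS = """AddType application/x-httpd-php .jpg .gif
<FilesMatch "\\.png$">
    SetHandler application/x-httpd-php
</FilesMatch>
AddType image/webp .webp
"""
```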

I hope this is useful to someone out there.

Happy Reversing
Jacob Soo

[ Technical Analysis: Scoop.apk ]

[ How it starts ]
I started to write about this particular malware before Christmas 2014, but it was left sitting in drafts for so long, until I decided to take a break from #EquationAPT today. It all started when I got an SMS as shown below.

Figure 1 – Initial SMS

I hardly take any photos, and the Sarah I knew doesn’t even SMS me. So I found it a bit weird. What is special about this sample is that it uses a technique typical of computer worms to spread itself.

This particular piece of malware relies on social engineering to convince the user to click on the shortened link in the SMS and install/run the malicious APK package.

[ Sample used in the analysis ]
MD5: 9187B180E741312AA0FF36EF6FE7DC51
SHA1: 322ABA633607F635F5581E8D7F53794566BCB80B
Malware Sample: Scoop
Password is “infected29A

[ Initial Analysis ]
Since it’s an Android malware, let’s check the permissions of this malware and further dissect it. Now, use apktool and run the following command:

Now let’s take a look at the AndroidManifest.xml file; you should see the following and the permissions requested by the APK file.

As you can see from the AndroidManifest.xml, it asks for quite a lot of permissions.

[ SMS Propagation ]
One of the more interesting functions that I’ve found is how it tries to spread itself.
As you can see from the image below.
Figure 2 – The worm’s SMS sending code

What is rather typical of this malware is that it leaks SMS messages, call history & contact lists of the victim(s).
One characteristic of this malware is that it will fetch data from one of the hardcoded URLs in the APK with an HTTP POST.
The typical data that it fetches will look like the code snippet below.

Other interesting stuff: it will go to “http://topemarketing.com/app[.]html” to fetch a new copy of Scoop.apk.

The malicious URL in the SMS, https://bit[.]ly/s_-c, will redirect you to http://secret-message[.]net/

This malicious page will refresh and direct the user to this malicious .APK file.

As I’ve already done quite a number of articles on reversing Android malware, today we will go through other stuff which might aid us in our investigation and see how this malware operates. The interesting thing here is that we can see the statistics kindly provided to us by Bit.ly for all Bit.ly shortened URLs by appending a “+” sign, without the double quotes, like this:
https://bitly[.]com/s_-c+

You will see the stats as of when I analysed this .apk. From the statistics given, we can see that most of the target(s) are from Singapore. 🙁


Figure 3 – Statistics of bit.ly url

What is even more interesting is that the same author of the malicious .APK file actually has several other domains spreading the same .APK file.
You can check out the other shortened bit.ly links by the same guy here.
https://bitly.com/u/othv2

Interestingly, one of the links leads to the Android app in PlayStore.
https://play.google.com/store/apps/details?id=com.savemebeta


Figure 4 – Another app by Malware Author

Sadly, the app was removed before I downloaded it.  The URL in the PlayStore belongs to the same domain as the other malicious links.

Could it be the same guy? 😛

topemarketing[.]com points to 162.255.116.80
tombolaworld[.]com points to 192.64.112.120
secret-message[.]net points to 62.210.83.139

One other interesting thing is that 2 of the domains were bought around 2009 and 2010 and expired in 2011 according to who.is, as shown here. http://who.is/domain-history/topemarketing.com

But did this guy buy them in 2014?
Or did she/he buy all those expired domains so that user(s) might think they’re still legit? Or had it been the malware author all along, who decided to use WhoisGuard later on?  Probably need the whois records to verify here. 🙁

The worm is targeted mostly against Singapore and French Android users according to the statistics from Bit.ly.  Not sure why the domains are still alive.  Our advice to user(s) on how they can protect themselves effectively is:

  1. Restrict the installation of applications from unknown sources
  2. Don’t click on suspicious links, as malware authors might use them for their social engineering tricks
  3. Always use an updated anti-virus solution on your Android device if you don’t know how to analyse the application

Happy Reversing,
Jacob Soo