[ Technical Teardown: Exploit & Malware in .HWP files ]

This article will focus on teaching analysts on analysing malicious JavaScript code within the HWP files and a walkthrough of how we can analyse .HWP files that was used to deliver malware.

[ 1st Sample used in the analysis ]
MD5: 8EB5A3F38EB3DE734037AA463ADE7665
SHA256: D0361ADB36E81B038C752EA1A7BDC5517B1E44F82909BC2BD27B77B2652667EE
As of writing, the detection rate for this sample according to VT is 12/54

[ Part 1 : Understanding OLE compound file ]
We need to first understand how OLE compound files work.
Inside these OLE compound files, there are folder (storage) and file (stream). We will use SSViewer(http://www.mitec.cz/ssv.html) to take a look into the interior of the malicious .hwp file.

Most of the Streams in .hwp files are “zlib compressed“. We can see from the image below that the structure in .HWP files differs from .doc files.

However, today we are going to focus on “DefaultJScript“. You may ask why that? Well, think of “DefaultJScript” as VBA in Office documents.

1

 

[ Part 2 : Getting Started ]
For those who want to follow along. Do note, this is a MALICIOUS file, so please do the analysis in a “safe” environment.

Now, let’s start getting our hands dirty…and open the suspicious .hwp file with Cerbero Profiler.

As we can see from the image below, the data within “DefaultJScript” looks gibberish. So how do we make sense out of it?

2

As i’ve mentioned earlier, most of the streams within .hwp are “zlib compressed
So let’s “Select All” within the “DefaultJScript” stream and press “Ctrl+T

Now let’s add “Unpack Zlib” and remember to check the “Raw” checkbox and add it as shown in the image below.

3

Then let’s press “Preview” and have a look.

4

After decompressing the raw bytes, we can start to see some readable words. But it seems to be in Unicode.

Now let’s add in another filter to remove the “00” bytes.
Select “Replace“, change the mode to “Bytes” and add in “00” for the “In” value as shown below.

5

We should get back something like the one shown below.

6

If we were to analysed the decoded JavaScript, we can see more interesting stuff as shown in the image below.

7

So it seems that the JavaScript is doing Base64 decoding of the very long string and dropping it as “msvcr.exe”
I wrote the following Ruby script to decode the Base64 String.

After Base64 decoding the string, the output file looks like this,
8

The hash of this malware is 765834b1b780dacda8baa671c76328445cb8278099bad375ee22130f48920a7a
We won’t be going through this malware this time round.

[ 2nd Sample used in the analysis ]
MD5: a986a3fdf2afba98de21f0596a022b9b
SHA256: bd8fa7793f2192d4ff3979526955d5d6c965218eb0c0fe579f8ef0602357d5a9
As of writing, the detection rate according to VT is still pretty low. 3/53

[ Part 3 : Getting Started on analysing Exploits in .HWP files ]
This is a .hwp file containing an exploit (Most probably CVE-2013-4979 or CVE-2013-0808).
I drew a diagram like the one shown below to illustrate the general idea of how this exploit works.

9

For this particular exploit, the first thing we should be looking at is BinData/BIN0001.EPS as shown below.
10

There is an unknown error upon opening the document using hwp2010.
11

Nevertheless analysis can still be done by extracting the EPS files from the doc
Let’s do a quick network check by opening the eps file using hwp2010 and we can see that the exploit was indeed executed and connect to www.ethanpublishing[.]com/ethanpublishing/phpcms/templates/default/member/account_manage/teacup.jpg if we use FakeNet or similar tools.

We suppose that teacup.jpg” is most likely the payload. However, the jpg file is no longer found using the url so we cannot conduct further analysis on it.

12

Let’s go on to focus our analysis on the vulnerablity that was exploited by the eps file.

Opening the file eps file in the text editor we can identify a few components of the exploit.
The green block represents a NOP sled using 0xB5.
The blue block represents a NOP sled using 0x90.
The red block represents the shellcode.

13

Following the shellcode is this line of post script command

This command would execute a “Heap spray”. 500 blocks of the NOP sleds and shellcodes would be ‘sprayed’ in the memory. The NOP sleds and shellcodes is allocated as a string with a length of 65535 characters.

Next we want to determine which vulnerable process is the exploit targetting.
We do so by trying to search for traces of the NOP sleds and shellcodes in the memory of the vulnerable process.
At first it looks like the vulnerable process is likely hwp.exe or HimTrayIcon.exe

14

However, we could not locate any trace of NOP sleds and shellcodes in both processes.

At this point, I wonder if other child processes could be created by Hwp.exe. These child processes could have termininated after the execution of the shellcode.

One ‘trick’ we used was to modify the start of the shellcode with the opcode “0xEBFE” which is actually an infinite loop. This would allow the process that executed the shellcode to run continously without terminating.

15

Now we can attach our debugger into the gbb.exe process and we located the NOP sleds and shellcodes

16

Now after locating the vulnerable process, we have to debug into it to locate where the vulnerable code is exploited.
We now located the code in where hwp.exe created the gbb.exe process.

17

We shall modify the “CreationFlags” to CREATE_SUSPENDED. This would allow us to attach debugger at the start of the execution of the gbb.exe process.

18

After tracing the code we located the instructions in gsdll32.dll that executed the NOP sled “0xB5B5” which is MOV CH,B5

19

From the vulnerable instructions, we can more or less conclude that the vulnerablity is indeed based on CVE-2013-0808
For more information on CVE-2013-0808, you can read it up this article by CoreSecurity.
https://www.coresecurity.com/advisories/eps-viewer-buffer-overflow-vulnerability

In the meantime, we hope you enjoyed reading this and we would be happy to receive your feedback!

Best Regards
Jacob Soo & peta909

[ Sharing ] Where’s Wally! – Tracking where did victims come from.

I’ve written about shortened urls for 4 times. Twice in this blog and twice in an older website that i didn’t maintained anymore.

I have seen recently that a lot of people still blindly click on shortened URL that they see in FaceBook, forums or “familiar names” on their smartphones.
Today, i will do a quick short post about 2 recent shortened URLs, what’s the purposes and where did the victims come from.

[ Case Study #1 ]
The 1st link here is where : https://bitly[.]com/1TVH4va will lead to : http://onedayonemillion[.]com/postdk[.]apk
This .apk file is actually MazarBot.

You can read more about MazarBot here:

As alot had been written about MazarBot, we also want to know more about the Bit.ly url and the following Bit.ly url will show the statistics of where did victims come from.
https://bitly.com/1TVH4va+

As you can see from the image below, there are 5, 037 clicks on this shortened url since 25th May 2016.
4,569 clicks on 25th May 2016 alone.
tracker69.0x0001

8 of the clicks were coming from FaceBook and 15 clicks were from forums, mobile, etc. The rest are direct, meaning click on this shortened url. Possibly via sms, WhatsApp, etc.
tracker69.0x0002
tracker69.0x0003

We can also see the Geographical distribution of the victims who clicked on this shortened url.
tracker69.0x0004

Basd on the image above, it seems like most of the people were from Denmark and some parts of Europe.
One thing that puzzled me and got me curious…. why is the author of MazarBot targeting Danish people?

 

[ Case Study #2 ]
The next shortened url which we will be looking at is https://bitly[.]com/22kQ0Am

Again, let’s check the statistics and where is the final url by appending “+” without the double quotes as shown here: https://bitly.com/22kQ0Am+
h–ps://bitly[.]com/22kQ0Am will redirect to h–p://dl[.]dropboxusercontent[.]com/s/rlqrbc1211quanl/accountinvoice.htm

Nice, the link is on DropBox. Let’s download the page using wget or anything that you prefer.
I decided to use wget as i already have it on this particular machine.

I just did a quick wget to check what is inside this accountinvoice.htm and i got back the following:

You can change document.write to console.log or alert to get back the unescape string. But for the benefit of non-technical users, you can just go to http://meyerweb.com/eric/tools/dencoder/
and paste the escaped string and decode it.
You should get back the following:

Great, it’s doing a redirect. Let’s do a base64 decode and we should get back this.

Hmmmm…seems like it’s a Phishing link more than an ExploitKit link since the title is “Sign In“.

As i don’t want to alert the phisherman too much, i tweak my wget as followed:

After i grab the page, we can see that it’s indeed a “Google Drive” phishing page.
tracker69.0x0005

I hope this short post will serve as a good reminder to all not to blindly click on shortened urls unless you totally trust the source or verify it yourself.

Happy Reversing
Jacob Soo

[ Walkthrough : X-CTF 2016 – Worm ]

Quest: A malware was caught infecting “NUS GOVT” thumb drive. Encryption was used to encrypt outgoing data. Please submit the answer in the following format: XCTF{SHA1 of (key1 + key2 + key3)}

File: add4f352cbcb62fffe01eccf78a912b8

SHA1 Hash: 16e9245a14e223b83fde700aa6904e2f487ef07b

Let’s begin by firing up IDA Pro to see what we can find.

Going through the IAT, we can see that SetupDI… are called. A quick reference to MSDN reveals that these functions are used to enum plug and play devices.

SetupDiGetDeviceRegistryProperty function retrieves a specified Plug and Play device property.

imports
Figure 1. Imports

Cross-referencing (Press x in IDA Pro) the function reveals much more stuff… It seems like the malware is trying to find a USBSTOR device. This definitely makes sense since the quest already stated that the malware infected a “NUS GOVTthumb drive. Let’s do a breakpoint later in ollydbg to see what is really going on.  Further down the disassembly, we can see that it is trying to match with a String “NUS GOVT“. Just take note of this for now.

IDA
Figure 2. Checking for SPDRP_ENUMERATOR_NAME & SPDRP_FRIENDLYNAME

In the strings, we could see interesting artifacts as well… looks like the malware is trying to infect via autorun.inf… OK let’s take note of that for now. We could also see stuff like wsock32.dll, Ws2_32.dll… but in imports, we did not see any functions with relation to these libraries. Probably GetProcAddress is being used…

strings
Figure 3. autorun.inf in strings

Ok let’s fire up ollydbg. Crap we encountered access violation! Scrolling upwards we will realize what the malware is doing… Anti Debugging mechanism!

accessViolationDebugger
Figure 4. Access Violation

A jmp is made to 0x4141FD+1 if a debugger is found else the next eip should be 0x4041F4. We can simply just set new origin to 0x4041F4 to bypass the anti-debug stuff.

antiDebugger
Figure 5. fs[18h]
Let’s set a breakpoint @0x4026D1, refer to Figure 2 with a thumb drive plug in =).

NUSGOVT
Figure 6. Matching Thumb drive name with NUS GOVT

Ok… let’s just change the extracted device name to NUS GOVT manually as shown below.

mod
Figure 7. Changing name to NUS GOVT

Run the binary and see what happens…

The binary crashes again… but this time round some files are dropped into my thumb drive.

droppedFile
Figure 8. autorun.inf

Seems like there is a binary dropped into the RECYCLER folder. It seems to be hidden. Let’s use “attrib -h -s” to unhide the folders.

secure
Figure 9. Dropped Binary

Firing up the binary in IDA pro, it seems like the binaries are the same… But the hash is different. Loading the binary in OllyDbg, we encountered the same anti-debugger code. So let’s set up the same breakpoint again @0x4026D1 and change the thumb drive name to “NUS GOVT“… Being lazy i just hit on the run button and monitor any dynamic traces. Wireshark sniffed some http traffic!

traffic
Figure 10. HTTP traffic detected!

Remember earlier we suspect that GetProcAddress is used since we can’t see any network related API in imports and we noticed such libraries in the strings segment. Set a breakpoint @GetProcAddress and see if we can find anything useful.

WSA
Figure 11. WSAStartup via GetProcAddress

Returning back to user code… we see this in ollydbg… =(

1
Figure 12. Rubbish Codes?

Re-analyse the code to see a more english representation of the above =)

2
Figure 13. Assembly codes =)

Analyzing the functions above, we can see outgoing connections to nus.edu.sg/ctf.php with some stuff(passed in via arguments) appended to user agent string…. Lets return to see who call this function.

encryptedData
Figure 14. Encrypted Data?

It seems like the function @0x403210 is protected. Therefore if you were to put a software breakpoint inside 0x403210, it would become useless when the codes get rebuild in runtime. For this case, we should use hardware breakpoint instead. Seems like before calling 0x403210, a function @0x401FD0 is called twice to deobfuscate the code @0x403210. Then after invoking the function @ 0x403210, @0x401FD0 gets called twice again to re-obfuscate the code.

caller
Figure 15. Send Data out

Scrolling up from figure 15, we can see a pattern… It seems that a function @0x401090 is deobfuscated&reobfuscated 3 times before a call was made to the above send function (0x403210).

401090
Figure 16. 0x401090 the encryption method

Putting a breakpoint @0x401090. We can observe something pretty interesting… It seems like the function is passing in my Computer Name and a string which might be the encryption key.

key1
Figure 17. Key 1 found

Running through 2 more breakpoints, we would have collected the 3 keys!

key2
Figure 18. 2nd Key found
key3
Figure 19. 3rd key found

OK so the flag should be

sha1(“MED DNI PTS oRTO RUO VAN MOC iASP VED MDA IONDEADBEEFNU5_MA5T3R”)

XCTF{1f5020e4c091d1464c16c157bc0e56f3d81a3b3a}

WRONG!

It turns out that the above flag is wrong. Remember the autorun.inf… there are some parameters passed in… refer to Figure 8.

Lets try to re-run the steps with the parameters passed in…

newkey
Figure 20. A different 2nd Key

and… we got a different 2nd key!

sha1(“MED DNI PTS oRTO RUO VAN MOC iASP VED MDA IONMEDiCINENU5_MA5T3R”)

AND THE ACTUAL FLAG IS: XCTF{db8496580ff636bc51ade827d1999d32d5dabb1c}

40 points =D

[ Technical Teardown: Maybank Phishing Malware – Part 1 ]

Recently, Jacob discovered 2 interesting phishing websites, http://maybankk2u[dot]com  and http://maybank2u-my[dot]com This 2 websites had the same identical codes and come with a malware in it.

The malware that we discovered is a file infector virus. It scans the system for .html files, .exe and autorun.inf and insert malicious codes into the files.

[ Sample used in the analysis ]
MD5: 44A604F9D96368A83DF55E19644321D3
SHA1: CDBF41310DAE6EFF1127BB92A217369FD2F90B37896568D4F34528AC20468B5C
Malware Sample: index page
Password is “infected29A”

[Backdoor Analysis]
A brief high level overview of the malware infection process flow.

Figure 1 – Infection process

[ Initial Exploitation ]
The backdoor was dropped onto victims’ machine via a malicious VBScript in phishing home page.

Maybank Phishing homepage

Figure 2 – Maybank Phishing homepage

[ VBScript analysis ]
Scrolling down the html source of the webpage, you will come across a large chunk of alphanumeric text. If you look closer at the start of this large chunk of text, you will see the hexadecimal “0x5A4D” which stands for MZ in ascii. Files that start with a MZ header suggests that it is a PE file. You may refer to the following website http://wiki.osdev.org/PE for more information about PE files.

To download the payload you may either run the VBScript (which I don’t really recommend) or simply copy the entire hexadecimal wall of text into a hex editor and save it as a .exe file.

MZ

Figure 3 – MZ header spotted

MZ-end

Figure 4 – Dropping malware into temporary folder

When the VBScript is executed, it drops an executable into the targets’ temp folder. The file names are hard-coded as the malware author is probably trying to hide the malware in plain sight by using a common windows executable name, svchost.exe

The details of the extracted malware from the HTML is as follows:
SHA256: FD6C69C345F1E32924F0A5BB7393E191B393A78D58E2C6413B03CED7482F2320
VirusTotal Report: 50/54 (link); 2016-02-03 11:56:14 UTC
Compiled Date/Time: 2008-02-12 11:02:20
Packed: UPX

Let’s unpack the malware using UPX tool itself.

upx decompile

Figure 5 –Unpacking using upx -d

The details of the unpacked malware is as follows:
SHA256: 876C5CEA11BBBCBE4089A3D0E8F95244CF855D3668E9BF06A97D8E20C1FF237C
VirusTotal Report: 44/54 (link); 2016-02-02 23:21:33 UTC
Compiled Date/Time: 2008:02:12 12:02:20+01:00

The malware camouflage itself as a bitdefender management console. Another interesting thing to note is that both the product version and the file version seems to be an ip address (106.42.73.61).

stealth

Figure 6 – Possibly IP address

[ Dynamic Analysis ]
Let’s begin our journey in analyzing this piece of malware. The malware author had used anti reversing techniques to deter malware analyst from reversing it. Using IDA Pro to see the binary isn’t of much use. Using Procmon surface some interesting stuff.

writefile

Figure 7 –New file dropped

As we can see from Figure 7, the malware is writing a new executable into “C:\Program Files\Microsoft\DesktopLayer.exe“. After examining the hashes of the newly dropped executable, I can conclude that the malware simply copy and pasted itself into the new location.

processcreate

Figure 8 – Executing DesktopLayer.exe

After the file has been copied to the new location, A ProcessCreate function is called to execute the newly dropped executable. The current executable will then terminates.

DefaultBrowseri

Figure 9 – Executing Default Browser

Analyzing DesktopLayer.exe via olly debugger shows that the malware is attempting to run the default browser in the operating system. For this case here, it is attempting to execute IEXPLORE.EXE. On further examination, we will notice that the malware is actually trying to write process memory into the suspended IEXPLORE.exe process. This technique is known as process hollowing. Once the malware has finished writing its code into IEXPLORE.EXE process, it will then resume the suspended thread.

mutant

Figure 10 – Mutex

Based on Figure 10 taken from process explorer tool. We can observe that the malware uses a unique string (KyUffThOkYwRRtgPP) as it’s mutex.

It is also noted that the malware adds the following key into the registry “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit“. By doing so, it is able to maintain it persistency in the victims’ machine.

registry

Figure 11 – Persistent Registry Key

To get the actual malware codes that is running off IEXPLORE.exe, we would need to attach ollydbg into the running process and by using the OllyDumpEx plugin we can dump out the running process.

The dumped process contains some interesting strings.

processDump_strings

Figure 12 – Script Tags and Autorun?

There are some more interesting strings in the dump that suggests that there is an Antidote for this virus. It also contained the mutex key and a domain name.

otherstrings

Figure 13 – Antidote is available

I am interested in using the antidote. Analyzing the injected process memory dump we come to this assembly codes. To activate the “Antidot”, we would just need to add a registry key; “HKLM\Software\WASAntidot\disable“.

antidote

Figure 14 – Disable Malware

As shown in Figure 15, we can prevent mass infection of the virus by adding the registry key as earlier . We even get to see a nice message box telling us that Antidot is activated.

enabling antidote

Figure 15 – Antidot Activated

The malware loop through the folders in the victims’ machine and edit all html file it come across with the same malicious code we found in the phishing website. It also attempts to infect suitable .exe files with malicious codes. Once these infected executable gets executed, a copy of the same malware will be dropped and executed on the machine.

The malware also infects removable drives by editing the autorun.inf and planting itself in the RECYCLER sub folder. Better unplug your removable drives from the VM before you try analysing this!

The malware attempts to resolve a domain, fget-career.com. It also attempts to resolve google.com.

wireshark

Figure 16 – DNS queries in Wireshark

Spawning Shell

Figure 17 – Spawning Shell

Once the malware calls fget-career url. It can executes shell on the target machine if commands are given.

port 4678

Figure 18 – Open port 4678

The malware also attempts to listen on port 4678.

tcpmon

Figure 19 – Port 4678 Opened

One of the common ways to find infected or breached systems that most AV companies use is using IOC.  We should be looking for known (or suspicious) command and control (C&C) traffic on the network and looking for known bad or suspicious indicators on the hosts.

Based on our dynamic analysis, below are the known IOC that we can scan our PCs.

[ Host based Indicator ]

  1. Mutex – KyUffThOkYwRRtgPP
  2. File – C:\Program Files\Microsoft\DesktopLayer.exe
  3. File – temp folder\svchost.exe
  4. Registry Key – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  5. Process – Default Browser with no parent
  6. C:\Program Files\Internet Explorer\complete.dat (Default browser path)
  7. C:\Program Files\Internet Explorer\dmlconf.dat (Default browser path)

[ Network based Indicator ]

  1. fget-career.com (DNS)
  2. User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
  3. Listener on port 4678

[ Whois information ]

Domain Name: MAYBANKK2U.COM
Registrar: CHENGDU WEST DIMENSION DIGITAL TECHNOLOGY CO., LTD.
Sponsoring Registrar IANA ID: 1556
Whois Server: whois.west263.com
Referral URL: http://www.west.cn
Name Server: NS3.MYHOSTADMIN.NET
Name Server: NS4.MYHOSTADMIN.NET
Status: ok https://www.icann.org/epp#OK
Updated Date: 02-feb-2016
Creation Date: 02-feb-2016
Expiration Date: 02-feb-2017

IP Address:  207.226.137.64

Domain Name: MAYBANK2U-MY.COM
Registrar: CHENGDU WEST DIMENSION DIGITAL TECHNOLOGY CO., LTD.
Sponsoring Registrar IANA ID: 1556
Whois Server: whois.west263.com
Referral URL: http://www.west.cn
Name Server: NS3.MYHOSTADMIN.NET
Name Server: NS4.MYHOSTADMIN.NET
Status: ok http://www.icann.org/epp#OK
Updated Date: 02-feb-2016
Creation Date: 02-feb-2016
Expiration Date: 02-feb-2017

IP Address:  207.226.137.64

networkwhois

Once again network whois on the suspicious ip we got from the product version earlier on points back to China.

However, based on the analysis done on the malware and based on passive DNS and past whois records from Virustotal and who.is, the ip address we got from product version earlier could likely to be a fake to throw us off.

Another thing to note is that fget-career.com seems to be offline at the moment and it will be expiring in March 2016. Therefore if we are interested to know/plot the infection widespread of this malware or to takeover this malware we can attempt to buy this domain and host our own C&C server.

D O

[ Sharing ] Analysing and retrieving the Statistics from shortened URLs

I’m going to talk about how you can view or check whether someone else clicked on the same shortened url as you.
This is also pretty useful if you want to know whether you are a target of a scam or being targetted to a drive-by.

The url which i’m going to test today is this:
http://www.dailychanges.com/

Let’s go through some of the URL shorteners and how we can get more info from these shortened URLs.
Bit.do
======
The original shortened link is http://bit.do/bKoMw
But if you append a “-” without the double quotes like this http://bit.do/bKoMw-
You will get to the statistics page for this shortened url.
It gave some important information about Referer sites, Referer pages and even visitors IP.
Probably dangerous if users are being targetted.

Next we will talk about Is.gd
Is.gd
======
The original shortened link is http://is.gd/MyG7K6
However, if users want to look at the statistics, they can simply change the url to something like the one below.
http://is.gd/stats.php?url=MyG7K6

Next we will talk about
Goo.gl
======
The original shortened link is http://goo.gl/z8w84
But if you append a “.” without the double quotes or “info” like this http://goo.gl/z8w84+ or http://goo.gl/z8w84.info
Once you go to the statistics pages, you will be redirected to something like this below.
https://goo.gl/#analytics/goo.gl/z8w84/all_time

Next we will talk about
Bit.ly
======
The original shortened link is https://bit.ly/1LsiFyY
But if you append a “.” without the double quotes like this https://bit.ly/1LsiFyY+
Using the statistics page, you can also check which other user are also sharing the exact same url as you did.
Please note that if the other user(s) used Google analytics in the url, you might not be able to see them in your statistics page.

Next we will talk about
crop.is
=======
The original shortened link is http://crop.is/NV8
However, if users want to look at the statistics, they can simply change the url to something like the one below.
http://crop.is/NV8+

tiny.ph
=======
The original shortened link is http://tiny.ph/2mCe
In order to access the statistics, they can simply change the url to something like the one below.
http://tiny.ph/2mCe+

tny.im
=======
The original shortened link is http://tny.im/3Bm
In order to access the statistics, they can simply change the url to something like the one below.
http://tny.im/3Bm+

tiny.cc
=======
The original shortened link is http://tiny.cc/xtad8x
In order to access the statistics, they can simply change the url to something like the one below.
http://tiny.cc/xtad8x~

Then again, if there isn’t any means to check the stats of the shortened URL.
Always make sure to use online services like http://longurl.org/ to make sure the shortened url is not redirecting to some malicious url.

I hope that readers will find all the information written here useful.

Have Phun
Jacob Soo

[ Technical Teardown: Malware Targetting Singapore Banks ]

[ Background ]
Originally i wanted to let one of the local student to write about it but he was busy with school, internship and solving challenges.
It’s also been a very long time since we written any “Technical Teardown” on malware/exploits here.

I got hold of this particular malware sample just days after these 2 reports.
http://www.abs.org.sg/pdfs/Newsroom/PressReleases/2015/MediaRelease_20151201.pdf
http://www.channelnewsasia.com/news/singapore/50-smartphone-users-in/2308976.html

The Association of Banks in Singapore (ABS) released an advisory to alert consumers on malware targeting mobile banking customers in Singapore.
We hope this technical teardown might be interesting to some of you.

[ Sample used in the analysis ]
MD5: 76745CE873B151CFD7260E182CBFD404
SHA1: 0F7C012466157891C1D12ADDDD4DFA0B8291DD75
Malware Sample: 76745ce873b151cfd7260e182cbfd404
Password is “infected29A”

Since it’s an Android malware, let’s check the permissions of this malware and further dissect it. Now, use apktool and run the following command:

Now let’s take a look at the AndroidManifest.xml file, you should see the following and the permissions requested by the APK file.

As we can see from the AndroidManifest.xml, it ask for quite a lot of permissions and it’s probably obfuscated.

Looking at the strings.xml and styles.xml, we can see that customised themes had been created for various banking applications.
This malware targets a number of banks by trying to mimic the authentic one and phishes for important banking information from the infected user as shown below.
0x0003
Figure 1 – Customised Themes

[ Junk Codes as Anti-Analysis? ]
It took me 20-30mins to realise that this author uses lots of junk code. Possibly with the purpose of deterring people like me from reversing the malware.
Import metadata such as strings and function names are also obfuscated as shown in the image below.
0x0001

Figure 2 – Junk Code with no useful functionality

Since the malware sample is heavily obfuscated, some of the things that i usually look out for is commands like Base64.decode or loadDataWithBaseURL or sendTextMessage

[ Revealing of Hidden Configuration Strings ]
So i did a quick grep and found out that it did use “Base64.decode” as shown below.
0x0002
Figure 3 – Base64 encoded string

The following is the base64 string which i extracted from the malware.

After doing a base64 decoding on it, i got back the following strings.

As we can see, the decoded strings contained IP addresses and other interesting strings. We also can safely assume that the malware author uses “@” as a delimiter.
For better illustration, i replaced all the “@” with newline.

[ Assessment of Malware ]
We can see that the IP addresses are the C&C servers communicating on port 34580.
http://37.235.48.177:34580/
http://46.108.39.12:34580/

Within the malware sample, we also found out that it is targeting victims with the following bank accounts.
Austria
=======

Dexia Kommunalkredit Bank
Bank Austria
Erste Bank und Sparkassen (Thanks to Alex Inführ for pointing my mistake.)
RGB (Raiffeisen Banking Group)
George (https://mygeorge.at/)
DK (Deutsche Kreditbank AG)
Bawag (BAWAG P.S.K)

Australia
=========

Westpac
St George
Gomoney
National Australia Bank
Commbank

New Zealand
===========

Westpac
Bank of New Zealand
ANZ Bank New Zealand

Singapore
=========

DBS
OCBC
POSB

Hong Kong
=========

Citibank
Bank Of China
Hang Seng Bank
Breeze

I’ll update this post later on how we can reverse such malware much more easily.
In the meantime, i do hope you enjoy reading it.

Happy Reversing,
Jacob Soo

[ Walkthrough : SANS 2015 CDI DFIR Challenge ]

Sorry that we haven’t been able to write anything interesting for the last few months.

I thought of publishing this first thing right after the competition had ended but Real Life gets the better of most of us. I totally forgotten about this as i was busy helping NUSGreyhats with their CTF and with my own personal stuff. It was lying on the draft folder collecting virtual dust just like my entry for SANS HolidayHackChallenge. 🙁
I don’t remember whether did i submit my answers for this challenge. 🙁

Below is my walkthrough for SANSCDI Forensic Challenge and i hope the process of solving the questions might be useful to someone out there. The entire challenge consists of 3 parts.

[ NTUSER.DAT CHALLENGE ]
In Part 1, we were given a link, http://dfir.to/EVIDENCE1 to download the data.
I have attached the file here incase the link is gone. Vibranium-NTUSER
On the page, we were asked the following questions.

1. What was the most recent keyword that the user vibranium searched using Windows Search for on the nromanoff system?
2. How many times did the vibranium account run excel.exe on the nromanoff system?
3. What is the most recent Typed Url in the Vibranium NTUSER.dat? (Enter in the following format: http:///)

On Windows XP, there is actually the ACMru key located in the following registry key:
ntuser.dat\Software\Microsoft\Search Assistant\ACMru
This key stores the search terms that have been typed into a Windows search dialog box.
The following subkeys define where the search term was used:
5001 – List of terms used for the Internet Search Assistant
5603 – List of terms used for the Windows XP files and folders search
5604 – List of terms used in the “word or phrase in a file” search
5647 – List of terms used in the “for computers or people” search

Unfortunately on Windows Vista, it did not include a registry key for user searches.
However on Windows 7, the history of search terms using Windows Search can be found in the following registry key:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
The WordWheelQuery subkey records information about user searches.

There are many great registry tools out there. But for this particular challenge, i will be using Windows Registry Recovery.

Challenge.0x0001

As we can see from the above image, the very first entry in the MRUListEx is “01 00 00 00.”
This simply means that the entry “1” is the most recently searched item.

In this particular case, we can see that the value for the first entry is “alloy” and that’s our answer.
Challenge.0x0002

Moving on to the 2nd question, 2. How many times did the vibranium account run excel.exe on the nromanoff system?
For this particular question, we are required to check the following registry key:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Challenge.0x0003

As we can see, the entries are all encoded using Rot13, the value we should be looking at is:
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\RKPRY.RKR
After decoding, the value will be:
{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office14\EXCEL.EXE

The number of times EXCEL.EXE was executed can be found at offset 0x04 in the UserAssist entry.
In this instance, the value is 4, which means that EXCEL.EXE was executed four times and that is our answer. 😀

Next we are asked, 3. What is the most recent Typed Url in the Vibranium NTUSER.dat? (Enter in the following format: http:///)
For this particular question, we need to check the following registry key.
NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs

Challenge.0x0004

As we can see from the image above, the most recent typed url is “http://199.73.28.114:53/” and that is the answer.

[ SYSTEM and SOFTWARE CHALLENGE ]
In Part 2, we were given a link, http://dfir.to/EVIDENCE2 to download the data.
I have attached the file here incase the link is gone. SOFTWARE-SYSTEM-HIVES.zip
On the page, we were asked the following questions.

1. The Windows Registry shows evidence of one USB device connecting to the nromanoff system. What is the serial number for this device?
2. What was the volume letter assigned to this USB device? (Enter just the letter for the volume.)
3. What is the volume name for the USB device that was inserted into the nromanoff system? (Enter the volume name in ALL CAPS.)

For the 1st question, there are many different methods to find out the answer. So i will go through 2 of the common methods.
The first method that i will be using is to check the following registry:
SYSTEM\ControlSet001\Enum\USBSTOR

As we can see from the image below, the serial number of the usb device is “AA951D0000007252”
Challenge.0x0001

For the 2nd method, we can check the following registry:
SYSTEM\MountedDevices

As you can see from the below image, we found out usb device and also the volume letter, “E” assigned to it. We have found the answer to question #2 too.
Challenge.0x0002

Moving to question #3, 3. What is the volume name for the USB device that was inserted into the nromanoff system? (Enter the volume name in ALL CAPS.)
We need to check the following registry key:
SOFTWARE\Microsoft\Windows Portable Devices\Devices

Challenge.0x0003

Once again, we found out the volume name for the usb device, “SECRETPLANS”

[ MEMORY ANALYSIS CHALLENGE ]
In Part 3, we were given a link, http://dfir.to/EVIDENCE3 to download the data.
I have attached the file here incase the link is gone. memory-raw.zip
On the page, we were asked the following questions.

1. To what remote IP address did the spinlock.exe process (PID 1328) have a connection?
2. What is the name of the user who is logged into Romanoff at the time the system memory was acquired?
3. Enter the time/date the system last booted according to the creation time of the initializing Windows process in the memory image. (Enter UTC time/date in the following format: YYYY-MM-DD HH:MM:SS)

For this particular challenge, we were given a memory dump file. The best way to solve this is to use Volatility
As i am unsure of the profile to use, i used the imageinfo option to see what profiles should i use.
volatility-2.5.standalone.exe -f memory-raw.img imageinfo

As we can see from the image below, we can use the following profile. Win7SP0x86, Win7SP1x86
Challenge.0x0001

The first question, 1. To what remote IP address did the spinlock.exe process (PID 1328) have a connection?
The option that we should be using is “netscan” and the command is
volatility-2.5.standalone.exe –profile=Win7SP0x86 -f memory-raw.img netscan

The returned results should look like the following image.
Challenge.0x0002

However, we are suppose to look for the remote IP address that spinlock.exe connected to.
We can see that spinlock.exe (PID 1328) is connected to “199.73.28.114” and that is our answer.
Challenge.0x0003

For the 2nd question, 2. What is the name of the user who is logged into Romanoff at the time the system memory was acquired?
We should check the following registry key in order to know the name of the user who is logged into Romanoff.
HKEY_CURRENT_USER\Volatile Environment

The option that we will be using for volatility is “printkey -K ‘Volatile Environment'”
volatility-2.5.standalone.exe –profile=Win7SP0x86 -f memory-raw.img printkey -K “Volatile Environment”

As we can in the image below, the username is “vibranium”
Challenge.0x0004

Hooray, we are moving to the last question of this challenge.
3. Enter the time/date the system last booted according to the creation time of the initializing Windows process in the memory image. (Enter UTC time/date in the following format: YYYY-MM-DD HH:MM:SS)

This is fairly straight forward, according to https://technet.microsoft.com/en-us/library/bb457123.aspx.
“ntoskrnl.exe” is the first to load, we know that the process”System” will be process we should be checking

Using “pslist” option,
volatility-2.5.standalone.exe –profile=Win7SP0x86 -f memory-raw.img pslist

As we can see in the image below, the time for “System” is 2012-04-04 11:47:29 UTC+0000 and that is our answer to the last question.
Challenge.0x0005

I hope that the entire walkthrough is simple enough to follow and do on your own.

Happy Reversing
Jacob Soo

[ Walkthrough 2015移动安全挑战赛(第二届): iOS Challenge 1 ]

It’s been a long time since we wrote something here.
Today i will be writing on a simple iOS crackme which i found some time to play with 10days ago.

To make it easier for everyone to follow this lame guide of mine.
I’ve attached the file here: iOS Crackme

iOS.0x0001

The original question given to participants is like above.

But i’ve loosely translated the above text for simplicity sake. 😀

Opening the binary file in IDA Pro, the first thing that i usually look for in iOS Crackmes are “Strings” or “onClick” first.

In this case, i went for “strings”. The first thing that caught my eye is “decryptPassword
iOS.0x0001_1

Double click that string and then press “X” to list the cross references. I selected the method using that.

iOS.0x0001_2

After selecting that, you will get the following.

iOS.0x0001_3

As i’m on of those lucky ones to have the “Decompiler”, pressing “tab” and we will see this beautiful pseudo code.

iOS.0x0001_4

I’ve extracted out the codes for better reading purposes.

 

Based on the above pseudo codes, we can identify several things.

1.) There are 5 loops. Each loop started off by doing Caesar Cipher on the following base64 encoded string.

2.) After the Caesar Cipher, it base64 decoded the returned result .

3.)  Then it did a AES decrypt with the base64 decoded string and the key is the following:

4.) Then it repeats this process until the loop ended.

5.) Finally it compared the final result with the entered input by the user.

I made a simple python script to illustrate the steps.

 

The key for this challenge is “Sp4rkDr0idKit

Happy Reversing
Jacob Soo

[ Technical MeetUp ] Hack The World : Scada Hacking

The next technical meetup is another of our collaboration with the students from NUS GreyHats.
We try to be an open, inclusive and responsible volunteer driven community.

We are also committed to the spread of hacker culture & free/open-source software by continuously writing technical articles.
We hope that all these technical meetups not only helps to spread information security awareness but also allow us to learn from other members of the community as well.

We are also glad that NSHC had not only one of their employee, HyungWoo Kim, presenting for this event but also their CEO, Louis Hur. Grateful to the students from NUSGreyHats are helping me setting this up.

All the technical meetups are free for anyone to attend.
Thanks a lot to everyone involved. 😀

When Wednesday 12th August 2015
Where NUS, 13 Computing Drive
Singapore, School of Computing, COM1 Level 2 Seminar Room 3
Time 5:00 PM – 6:30 PM
After Talks Nothing planned at this point of time
Organisers NSHC, NUS GreyHats
Contact Comments below.

 

You can indicate your interest in attending here:
https://www.facebook.com/events/844396792303482/

In case you are lost in NUS, here is floorplan provided by NUS GreyHats.
COM1_L2_V21

PRESENTATIONS: 
The state of Scada System Security – Louis Hur
Hack The World : Scada Hacking – HyunWoo Kim

Level:
Beginner-Intermediate

Nowadays, many attack methodologies against SCADA systems are published on conferences or papers. However, it is a little hard to apply them on real world. So, we will discuss attack scenario and methodology to SCADA systems, focusing on Korea’s SCADA systems. but i think other country also very similar. Of course, there will be an attack demo in a simulated network.

Bio:
Mr Louis Hur is CEO & Founder of NSHC Inc. Mr. Louis brings more than 15 years of field-proven experience security businesses that help clients reduce their enterprise-wide IT security risk. Prior to starting NSHC, Mr. Louis served as the Pen-Tester and General Manager of TSONNET Global Professional Services organization. He specialised in pen-testing, Bug Hunting, Malware Analysis & Cyber-espionage investigation.
He is also the Team leader for Korea Cyber Terror Response Team. He has presented at Black Hat, HITCON, ISEC, CSS, etc.

Bio: 
HyunWoo Kim is a Security Researcher at NSHC.
In this role, HyunWoo analyzes and performs root-cause analysis of vulnerabilities.
His primary focus includes performing root-cause analysis and exploit development.
In 2015, he is one of the top 10 finalist from KITRI ‘Best of the Best’ 3rd edition.
He has spoken at numerous security related events, including CODEGATE 2015, SECUINSIDE 2015, CIISCON 2014, and POC 2014
BigBossMan

Thanks & Regards
Jacob Soo

[ VXSecurity.sg Vulnerability Research Advisory : IZArc file extension spoofing ]

This is another bug which i’ve found long ago while i was bored.
This could be a problem for IZArc users if they were targeted. If not, it’s not really serious.
I had written it previously in my old blog but i’m slowing moving some of the stuff over as i’m discontinuing the other blog.

[ Summary: ]
This article is on the following bug found in IZArc v4.1.8 – v4.1.9,
The bug had been assigned the CVE identifier CVE-2014-2720.

[ Tested Versions: ]
IZArc version 4.1.8 – 4.1.9

[ Tools Used: ]
HexEdit

[ Details: ]
I’ve created a zip file using WinRar containing putty.exe.
I’ve changed the filename at offset 0x460AE to putty.jpg as shown in the image below.
izarc.0x01

When i am modifying the offset at 0x460AE, I am basically modifying the Central Directory entry.
This is done so that it will appear on IZArc as “putty.jpg” instead of “putty.exe”.

Opening the newly modified zip file in IZArc version 4.1.9, we will see something like this.
izarc.0x02

This seems like a “File extension spoofing”.
While after decompression the user will get the real file name, putty.exe.
However, if the user double click “putty.jpg” instead. “putty.exe will execute as an application instead of executing using user’s imager viewer.

However if attackers were to use RTLO (Right to Left Order) in unicode: U+202E.
So, U+202E converts to 0xE280AE.
With a simple RTLO, we can reverse the right side of the filename, so “puttygnp.exe” looks like “puttyexe.png”.

This will pose a problem to all users of IZArc.
To date, according to download.com by CNET. IZArc had 2,153,572 downloads.
izarc.0x03

To make this a more comprehensive blog entry, the following are the tests which i did during this bug finding process.
It may be useful to list all of the different cases and their security properties.

Test Case 1:
============

Central Directory entry filename = putty.jpg
Local file header filename = putty.exe
File content = Microsoft EXE format
The user sees: putty.jpg
If the user clicks: putty.exe is executed

Test Case 2:
============

Central Directory entry filename = putty.jpg
Local file header filename = putty.jpg
File content = Microsoft EXE format
The user sees: putty.jpg
If the user clicks, user’s default JPEG viewer is launched instead.
This is safe behavior.

Test Case 3:
============

Central Directory entry filename = putty\xE2\x80\xAEexe.png
Local file header filename = putty\xE2\x80\xAEexe.png
File content = Microsoft EXE format
The user sees: puttygnp.exe
If the user clicks, puttygnp.exe is executed
This is normal behavior as user will see that this is an executable.

Test Case 4:
============

Central Directory entry filename = puttyexe.png
Local file header filename = putty\xE2\x80\xAEexe.png
File content = Microsoft EXE format
The user sees: puttyexe.png
If the user clicks, puttygnp.exe is executed

This is a valid spoofing attack. However, it is exactly the same
problem as test case 1. The attack methodology (using a “graphics image” file extension in the Central Directory entry) is the same.
The only part that is different is the real filename in the original unmodified ZIP file.

Test Case 5:
============

Central Directory entry filename = putty\xE2\x80\xAEgnp.exe
Local file header filename = puttygnp.exe
File content = Microsoft EXE format
The user sees: puttyexe.png
If the user clicks, puttygnp.exe is executed

This is also same as test case 1.

The people at mitre.org had been patient with me and very helpful while i am reporting this bug.
Probably other file archive tools have similar problems as well.
I’ve attached the files for Test Cases 1,3 & 5 for reference.
IZArc_POC

Below is the timeline of my disclosure.

Timeline:
=========

Date Discovered: 24 March 2014 – Vulnerability Discovered.
Vendor notified: 24 March 2014 – Initial Vendor Notification, no reply.
Vendor notified: 01 April 2014 – Second Vendor Notification, no reply.
Advisory posted: 05 May 2014 – No response from Vendor, published.
Version checked: 30 July 2015 – Bug still exists in new version

Thanks & Regards
Jacob Soo