Malware directed against Polish banks and institutions in Latin america - "TechnoTron"

MALWARE


Recently, news surfaced of attacks on Polish banks in the site security of Poland ZaufanaTrzeciaStrona.pl (translated to English here). The impact of the attacks described with drama, calling it “the most serious”, and the initial reports were confirmed by two articles from Symantec and BAE Systems. The institutions affected are of various nationalities all over the world and spread to Latin america, including Mexico and Uruguay, with the goals of high-profile in the viewer of the attackers.

There are many interesting aspects of these attacks, starting with their targets, going through your vector of and commitment to the specific functionalities of the malicious executables are used. While the first two axes were examined in detail, binary malicious involved did not attract much attention until the time. The purpose of this article is to provide technical details of this malware for now is very poorly documented.


MALWARE

Distribution channel

As mentioned in the news portal of Poland, the threat is sent with stealth via an attack watering hole, thanks to which a trusted site that was compromised redirected to a fraudulent page that hides an exploit. In the case of the attacks of poles, the starting point was the official site of Komisja Nadzoru Finansowego (the Financial Supervision Authority of Poland):

MW1


However, our data indicated that the site of the authority, equivalent in Mexico, the National Banking Commission and Values, it was also redirects to malicious identical; unfortunately, the information published by services of web crawl or for the institution itself had neither confirmed nor mentioned it. According to our records, the redirects came from this site page:

MW2


Phase 1: Dropper

If the exploit kit manages to malware infection desired, the payload malicious (a console application, 64-bit) runs on the computer of the victim. Unlike the dropper reported by BAE Systems, this program expects one of three arguments: -l, -e, or - (section 2 in the following figure). While the argument to-l has the same meaning, the remaining two are required to extract binary the next stage from the resources (section 4 in the figure) and to automatically start one of them as a service (section 5):

DW2

In section 5 the above figure, the dropper is changing the configuration of a system service to do the malicious payload as a service. The service is configured from the services control manager to start automatically during the system startup; to do so, you need administrator privileges.

Unlike the subsequent phases, in the first one, the threat is not hidden very carefully. It even contains detailed statements that provide information on the state of the execution (in this case, related to the extraction of encrypted resources; however, the debug information as the original names of functions is not present).

The dropper used in a load API dynamically instead of having Windows functions in your import table, which is very well explained in the report by Novetta “Operation Blockbuster” about the Lazarus Group, on page 34. Section 3 of the figure above shows a wrapper of this functionality, which is a system library after the other.

It seems that the attackers denote the second phase as “loader” and the third, which contains the main function of the malware, such as “module”. The loader is decryption, while the module only extracts and runs as well as it is. To reduce their visibility during the forensics analysis, the files take to borrow its time of creation of the shlwapi.dll system. An important feature of the encryption algorithm used is that is it is a chain of encryption similar to RC-4, fairly recent called Spritz. There are already available implementations in C and Python Spritz, and correspond to the following disassembled code for the dropper:

MW3



Fase 2: Loader

There are more indicators of the intention to preserve the low profile of the threat. The loader is protected by a packer commercial called the Enigma Protector, and we realized that the module is stored, encrypted, waiting for the loader decipher and release. After a closer look at this protection, we found that there was a not registered copy of Enigma v. 1.31 for 64-bit. It was just as we expected, since malware creators with this level of capacity would not make a mistake as basic as leaving your identity at potential risk of being discovered thanks to the use of a copy, duly registered. However, it is not uncommon for criminals to take advantage of an application-filtered or pirated if it is available.

The attackers that attempt to build a large botnet, in general, do not use packers trade because a good proportion of the manufacturers ' anti-malware detect them in a generic way. Therefore, restrict the potential size of the botnet. But in the case of a targeted attack, using such protection has advantages. An obvious one is that the reconstruction of the original binary, that is, to determine how it was before entering in the process of camouflage, it is almost never easy.

The impression sometimes is that the only machines with 64-bit Windows can be a target of this threat is wrong, since it also drew a variant for 32-bit computers of some of the institutions affected. Although it has the same general structure, this last is not a mere recompilation of the first, but has slight differences: the phases of dropper and loader are combined into one, it uses RC4 encryption in classic and not Spritz, and the phase module is stored in the registry instead of in the file system. In addition, the version of the protector Enigma applied was 3.7, with a single developer license, and apparently was used to protect the binary on January 11, 2017.






Fase 3: Módule

The third and final stage module is relatively large (~730 KB), which contains the main functions of the malware communicated with the C&C and receive orders from the operators. In addition, injected himself in all the sessions started in the Windows system compromised.

The following screenshot shows the situation after loading the module in the tool for disassembly, IDA Pro. The top bar shows the various parts of the binary: the sections of code in blue, and the sections of data in grey and yellow. The difference between the parties-and blue-celestial is that the latter represent the code statically linked to the existing libraries. In addition to the C run-time usual, we identify the link of a library file transfer multi-protocol open source call libcurl (version 7.47.1, published in the February 8, 2016), along with bits of code from projects like OpenSSL and XUnzip. The effect of colors on the bar is not generated in an automatic way: in this case, we had to explicitly marking parts that we consider as code of the linked library and import all of the names of the functions. The sections in blue represent the code written by the attackers..

MW4

There is only a URL encrypted housed in the module. The communication is encrypted, but we do not log any because the remote server did not respond at the time of analysis. The module supports quite a few commands; more than enough are of the that characterize him as a Remote Access Trojan (RAT). The dictionary of commands is as follows: “SLEP”, “HIBN”, “DRIV”, “DIR”, “DIRP”, “CHDR”, “RUN”, “RUNX”, “DEL”, “WIPE”, “MOVE”, “FTIM”, “NEWF”, “DOWN”, “ZDWN”, “UPLD”, “PVEW”, “PKIL”, “CMDL”, “DIE”, “GCFG”, “SCFG”, “TCON”, “PEEX”, “PEIN”. Many are self-explanatory (“SLEP” is similar to the English “sleep” for “sleep”, “PKIL” is to kill a process, “UPLD” is the exfiltration of information, “DOWN” is to download, “THE” is to erase a file, etc). It is possible that the original functions of libcurl have been customized to fit the needs of the attackers. Anyway, libcurl is a large project with hundreds of contributors, tens of thousands of lines of code and hundreds of options. The inspection and the accurate analysis of the connection are in process.



Kits of tools, similar to Lazarus

Researchers from BAE Systems have to say about the dropper 32-bit protected with Enigma: “once unpacked it runs a variant of known malware, which was sent as part of the kit of tools of the group Lazarus...”. In addition, Symantec states: “Some strings of code views in the malware used to share common aspects with the code of the malware used by the threat group known as Lazarus”. It is also possible to find a connection in the report by Novetta, such as the already mentioned dynamic loading of API. All these signs lead us to describe the properties crucial a tool kit similar to Lazarus in the following way:

  1. Malware multi-stage running in cascade
  2. The initial phase is a console application that expects at least one parameter
  3. Loaded WINAPIs in a dynamic way
  4. It uses RC4 or similar with a long key for decryption of the next phase
  5. The following phases are libraries linked in dynamically loaded as service with the start type SERVICE_AUTO_START (administrator privileges are required for this action)
Our records show activity of various malware like Lazarus in-the-wild recently. However, in order to provide a clearer picture of the case, we need time to gather more relevant information.



A discovery strange

During our research, we found another interesting sample that belongs to the same family of malware. A console application waiting for four parameters call fdsvc.exe (2), which runs in cascade (1). In addition, decrypts the next phase using RC4 with a key of 32 bytes (4). You do not have the last two properties. On the other hand, injects the payload in all of the sessions in the course of Windows; the payload has libcurl v. 7.49.1 linked in statically. What makes this sample particularly interesting is the way in which the final stage parses commands from the operators, who use the Russian language with translit, a method of coding of the cyrillic alphabet with letters of the Latin.


MW5


But we must be careful with the attribution. The language used could be a false trail, mainly because the creators of malware usually implemented commands through numbers or shortcuts in English. Having a command of twelve letters is quite impractical.



Conclusion


Taking into account the tricks in the code, we venture to say that this is not a re-use of existing code long before these attacks on Polish banks, nor a project discontinued and forgotten. In fact, we observed malware that looks like this example in the last few weeks.

The attackers behind this threat they know well what they are doing, by what the teams response to incidents of financial institutions and other high-profile organizations will not be able to rest fully in the near future. To tell you the truth, that is your work today: I suffer nights without rest!

MALWARE

Comments

Post a Comment

Popular posts from this blog

Twitter: change your profile image by default, the end of snake eggs - "TechnoTron"

Image
Twitter: change your profile image by default TWITTER, TRENDS, SOCIAL NETWORKS, INTERNET, TECHNOLOGY The image of an egg that was assigned to new comers to the social network became synonymous with accounts created for the purpose of attacking others from anonymity. After having been replaced as the solution to the problem is still far. Since 2010, the default image that appeared in the new profiles of Twitter was a white egg, accompanied by a different background for each account. An entry of the blog you write responsible for the layout of the page, explains how the people who use the network to attack other users motivated change that image and the process that led to the gray silhouette that now replaces it. The idea behind the image that represents the rookies in the social network was simple: eggs were a temporary measure until the users choose an image that would be identified. It is positioning that after leaving the eggs, the users were as birds that fed
Keep reading

WhatsApp: discover if you are spied on when using WhatsApp Web

Image
Index : Prologue 1.- WhatsApp Web, a tool that is too quiet 2.- How to protect your account from WhatsApp so no one can spy on web Prologue " WhatsApp Web goes well to use the messaging on the computer, but it is easy to spy on another person if you are logged in the browser with your mobile phone. Avoid this. "   The messaging application for excellence not only drag behind itself a huge popularity, a huge amount of controversy. Security, partnerships with Facebook... And a large number of users they see violating your privacy for couples, friends, family... that try to spy on their conversations. Spy on WhatsApp is one of the most common. And it is because it is in this application where we turned over our side more intimate. The worst thing is that it is quite easy to gain access to the conversations of another person with WhatApp Web . The company added few months ago a notification when you use the session in another part, but can be overlook
Keep reading

Windows 10: with Ubuntu Bash Console how to use it - TechnoTron

Image
Posted by: TechnoTron 2/28/2017 Source:     Xataka                                                                                                                                                     In April 2016 Microsoft had announced one of the great new features of Windows 10: the possibility of using a Linux console natively in this operating system thanks to the collaboration of Canonical, the company responsible for the development of Ubuntu. That option is available thanks to the arrival of the compilation 14316 of Windows 10, in which apart from other news we can start using the bash console of Ubuntu directly in Windows 10. If you are Windows Insiders and you are inside the ring of quick updates, You can now apply that update and enjoy that console easily. This has been our experience in taking advantage of this feature.
Read more