A new virus is in circulation and this time it is again targeting the Middle-East countries. Interesting enough last month the Middle east was (still might be) plagued with Shamoon 2.0, the deadly virus that made its comeback from the dead.
This new campaign is dubbed as the "Magic.Hound" by the Palo-Alto Networks research. It is interesting to note that within such a short time span of time this is the second time the middle east is targeted. And this attack like the previous Shamoon 2.0 attack is not only limited to the Government sector but Private Corporations are in the cross-hairs as well. According to a report, Middle-east has spent 5.2 Billion AED (United Arab Emirates Dirham) alone last year to prevent and counter cyber crime but the statics tells us a different story:
- 49% online users feel it is more difficult to stay safe online than physical world.
- 59% users are hesitant to use their credit cards when connected to public wifi-hotspots
- 55% users feel that unauthorized access from home network is more likely than a physical breach in their homes.
Now one such reason why users feel the above is because of the unsecure habits that the people follow, Corporate and Non-corporate users alike follow some the mentioned habits that make them a very desirable target for an attacker to attack:
- Three in ten (30 percent) UAE consumers cannot detect a phishing attack, and another nine percent have to guess between a real message and a phishing email, meaning nearly four in 10 UAE users are vulnerable.
- Nearly one-third UAE users (31 percent) share their passwords with others, (31 percent) fail to see the danger of using the same passwords across multiple accounts.
- Almost 23 percent of UAE consumers are willing to access public Wi-Fi rather than go without.
- One in five (21 percent) of people have at least one unprotected device, leaving their other devices vulnerable to ransomware, malicious websites, zero days and phishing attacks.
The new virus which is spreading in the Middle-East takes advantages of the above mentioned facts.
- We analyzed nearly a dozen of samples which were such "traps" to UAE consumers.
- Upon analysis we found that for the malicious sample spread through office documents, using the macros feature.
- The following analysis is obtained from the Office files such as Word Documents and Excel Sheets.
- Now the images below are some samples of classic phishing attacks which are used to target users.
Image above shows how in disguise of a shopping offer in an XML file, the user is tempted to click on the "Click to see more" button which will enable the macros of the file.
While this image above us shows how in pretext of "job opportunity" the users are tempted to click. According to reports for the year 2015, the unemployment was about 11.5 % which is a pretty large of population which can be affected by such fake ads.
Figure shows how fake documents in name of Ministry of Health Portals are being circulated.
As we mentioned earlier, government sectors have always been a favourite target for attackers. The samples that we have target the Ministry of Health. Following image show how the macros are tailored so that the common UAE users are mislead:
The metadata information on investigation of the file showed that the author of the file was listed as :
gerry.knight
Now, upon analysing the macros which were embedded inside the documents, we found the following :
For the above code snippet, we can clearly see that upon execution of the macros,
There is a function called "DownloadFile" which will be executed. A directory is made in "c:\temp" and a powershell is executed. The function DownloadFile also makes the the connections to the following addresses:
"http://analytics-google.org :69/checkFile.aspx" now clearly this is a unsecure website since it uses http instead of https.
One more connection that is established is with the website "http://104.218.120.128/pro.bat"
Upon reverse-lookup for the above mentioned address we got the following:
| Country: Netherlands (NL) | Continent: Europe (EU) | ISP: 247RACK.com |
| Time Zone:Europe/Amsterdam | City: Rotterdam |
Some of the code snippet was also found in other various documents which we analysed,
As shown in the above snippet, powershell.exe is being executed with "Y"
This very much confirms that the powershell is spawned to gain access on the victim's machine.
One insight on the macros code is that, we can see in the code snippet is of the structure:
Private Sub Document_Open()
Malicious Code
End Sub
Above structure can be translated as:
"If the event procedure is stored in a template, the procedure will run when a new document based on that template is opened and when the template itself is opened as a document." This shows that the macros code will run whenever the document is opened.
Another insight on the code snippet is that we see the class module ThisDocument in the document.
This class module is necessary since it consists all the objects for the Visual Basic Application (VBA). The structure of the code as shown below:
Upon decoding the code snippet which was encoded in Base64. We obtained the following code given below :
These code snippets have been taken from an existing open source project called the "unicorn.py" this project is written by: Dave Kennedy (@HackingDave) Website: https://www.trustedsec.com.
The description of the project is as follows:
"Magic Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
Usage is simple, just run Magic Unicorn (ensure Metasploit is installed and in the right path) and magic unicorn will automatically generate a powershell command that you need to simply cut and paste the powershell code into a command line window or through a payload delivery system."
Following below is the code snippet of the unicorn.py code:
As we can see clearly that this is the exact same code that the malware writers have used with very few modification. It is clear now that the attackers are not focused on tailoring the code, they are more focused on using the open source tools so that they can utilize and focus more on the phishing aspect of the the campaign.
We also acquired the the following DownloadString having the addresses:
'http://89.107.62.39:13569/eiloShaegae1')
'http://69.87.223.26:8080/eiloShaegae1')
We say that the code tries to communicate with the above listed addresses. The above images shows two different snippets which were acquired from a xml file and docx file respectively which were subjected to phishing campaign.
During the analysis one interesting code snippet that caught our attention was that the Macros which was found in the XLS Excel file had an embedded value of the following:
- 0{00020820-0000-0000-C000-000000000046}
- 0{00020819-0000-0000-C000-000000000046}
What makes these numbers interesting to observe are because the *Microsoft Windows Registry* contains a set of Globally Unique Identifier keys.The following Unique Identifier keys are used as Class Identifiers within the Microsoft Windows registry, and are stored as a subclass of the HKEY_CLASSES_ROOT\CLSID registry subset entry:
- 00020820-0000-0000-C000-000000000046 - Microsoft Excel Object (Unknown)
This supports the fact that the attack wants to create persistent remote connection.
One more technique that the campaign is using to spread the malware other than office documents and excel sheets is using executable to deliver the payload.
We analysed the executable with the SHA256 value
2f7f3582504fbce349a6991fbb3b5f9577c5c014b6ce889b80d51977fa6fb31a. A VirusTotal lookup of the SHA256 confirmed it as a malicious Trojan
We also found that the executable was compiled using Microsoft Visual C++ and we also get to understand from the screenshot below where the entry point of the executable starts from.
Further analysis tells us (as shown in the picture below) the the program is obfuscated using 2 hash functions:
Base64 and Rijndael S-Box are the two crypto signatures functions. Rijndael S-Box uses matrix technique to encrypt and S-Box stands for the Substitution method. This is a AES type cryptographic algorithm.
The Import Functions that the executable used are listed as :
KERNEL32.dll
|
DeleteCriticalSection |
IsBadWritePtr |
GetCurrentThreadId |
| urlmon.dll | NETAPI32.dll | COMCTL32.dll | SHELL32.dll: |
| ShellExecuteA | None | Netbios | URLDownloadToFileA |
USER32.dll
|
RemovePropA |
CopyRect |
WINSPOOL.DRV
| ClosePrinter | OpenPrinterA | DocumentPropertiesA |
GDI32.dll
|
PtVisible |
GetClipBox |
| GetFileTitleA | comdlg32.dll |
The following files were :
Read:
- \\?\PIPE\ROUTER
Written:
- c:\temp\re
- c:\temp\dc
- c:\temp\t
- c:\temp\rr.exe
- \\?\PIPE\ROUTER
Opened:
- c:\temp\t
- c:\temp\rr.exe
- c:\temp\re
- \Device\Netbios
- \\?\PIPE\ROUTER
- c:\temp\dc
- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202
- C:\WINDOWS\system32\credssp.dll
Directory-Created
- c:\temp\
Directory-Enumerated
- C:\WINDOWS\system32\ras\*.pbk
- C:\Documents and Settings\M0rt\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
- C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
- C:\Documents and Settings
- C:\Documents and Settings\M0rt\Local Settings\Temp
- C:\Documents and Settings\M0rt\Local Settings
- C:\Documents and Settings\M0rt
- C:\Documents and Settings
- C:\Documents and Settings\M0rt\Local Settings
- C:\WINDOWS\system32\attrib.exe
- C:\Documents and Settings\M0rt\Local Settings\Temp\attrib
- C:\Documents and Settings\M0rt\Local Settings\Temp
- C:\Documents and Settings\M0rt\Local Settings\Temp\attrib.*
- C:\WINDOWS\system32\attrib.*
- C:\WINDOWS\system32\attrib.COM
- C:\Documents and Settings\M0rt
- C:\temp
Registry Keys Open:
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsCache\Parameters
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll
- HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles
- HKEY_LOCAL_MACHINE\System\Setup
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\2f7f3582504fbce349a6991fbb3b5f9577c5c014b6ce889b80d51977fa6fb31a.bin
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32\Performance
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
- HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor
- HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor
- HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
Registry Key-Read
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\UseDomainNameDevolution
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll\Capabilities
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DefaultRegistrationRefreshInterval
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32\EnableConsoleTracing
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\WinSock_Registry_Version
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationRefreshInterval
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32\FileTracingMask
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SecurityProviders
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll\TokenSize
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MulticastListenLevel
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll\Comment
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\10
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\QueryAdapterName
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCacheTtl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationEnabled
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll\RpcId
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\UpdateSecurityLevel
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AllowUnqualifiedQuery
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UpdateZoneExcludeFile
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationTtl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseHostsFile
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll\Name
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseDomainNameDevolution
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32\ConsoleTracingMask
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ScreenBadTlds
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll\RpcId
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ldap\LdapClientIntegrity
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll\Version
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterReverseLookup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\FilterClusterIp
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DnsTest
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxNegativeCacheTtl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableReverseAddressRegistrations
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll\Capabilities
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UpdateSecurityLevel
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll\Version
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll\Comment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll\RpcId
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\PrioritizeRecordData
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll\Type
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll\Capabilities
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsNbtLookupOrder
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll\TokenSize
- HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ServerPriorityTimeLimit
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll\TokenSize
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\WaitForNameErrorOnAll
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsQuickQueryTimeouts
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterWanAdapters
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DomainNameDevolutionLevel
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UpdateTopLevelDomainZones
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\PrioritizeRecordData
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsMulticastQueryTimeouts
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AdapterTimeoutLimit
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationMaxAddressCount
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DefaultRegistrationTTL
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableDynamicUpdate
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\AllowUnqualifiedQuery
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsQueryTimeouts
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll\Comment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCacheSize
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll\Name
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseEdns
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MulticastSendLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32\EnableFileTracing
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AppendToMultiLabelName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableAdapterDomainName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterPrimaryName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\EnableAdapterDomainNameRegistration
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\MaxNumberOfAddressesToRegister
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ScreenUnreachableServers
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll\Version
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCachedSockets
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterAdapterName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32\MaxFileSize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32\FileDirectory
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AutodialDLL
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll\Name
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\QueryIpMatching
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DomainNameDevolutionLevel
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableWanDynamicUpdate
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry Key-Written
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
Furthermore upon Memory forensics on the Portable executable we found that it had hooked a lot of different API some of them as mentioned below:
|
!RegQueryInfoKeyW |
!GetInterfaceInfo |
!CoCreeInstance |
This shows that the portable executable will do all that is possible to connect with the network and establish so that the attacker can have a remote access.
One more element that the Campaign has is the dropper element:
During our analysis it showed that the dropper component made connection with the following address:
http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=gz
During our analysis the there were many file operations performed however one file operation, File read for one query stands out among the rest of the other which is listed below:
- C:\Documents and Settings\M0rt\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms
- C:\Documents and Settings\M0rt\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
And the reason they stand out is because they are hosted by the http://server.pakdevs.com
This is a web-hosting site which upon further analysis prompts the user to download a file which looks exactly with the one which had performed a File Read operation, the following image shows the real-time site prompt which was acquired when visited:
As shown in the above figure, Web Slice Gallery~.feed-ms from the browser prompt is exactly same to which was discovered on the analysis machine.
There is another component in the campaign called the Dropper Component. This component spread if the campaign does not uses the word/xml type document to infect, then in such cases the malware spreads through this way.
During our analysis of the Dropper component we came across some of the more concerning facts which are mentioned:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\sloo.exe
- C:\Documents and Settings\M0rt\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms
- C:\Documents and Settings\M0rt\Favorites\Links\Web Slice Gallery.url
Now it should be noted that the Web Slice Gallery is actually a feature in Internet Explorer 8.0 which checks, which all websites you have visited and updates if there is any update in that website. This is a very convenient way to gain access of the history of websites that you have visited. Sometimes the user might have auto-logged-in feature enables, in such cases it is very harmful for that user since this feature will gain direct access to the user's profile.
Another interesting fact is the ShellCompatibility\Applications\sloo.exe and the reason that this is very important is because researchers from Arbor Networks' Security Engineering and Response Team have found this same exact file in the Shamoon 2.0 attack, that took place last month in the Middle-east.
This shows that the previous attack on the Middle-east and the Recent attack that we are discussing are connected with one another.
However this attack is more focused on gaining the shell access of the victim's computer, and this is because once a shell access is gained an attacker can practically own that victim's computer.
We also found the the sample which had the SHA256 as ea139a73f8ec75ea60dfa87027c7c3ef4ed61b45e1acb5d1650cc54e658984ba
Was a backdoor malware which is still in the wild. Some of the intresting commands that the file made changes are as follows:
● HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
Now what does it means that When disabled, the FEATURE_HTTP_USERNAME_PASSWORD_DISABLE feature allows usernames and passwords to be included in HTTP or HTTPS URLs.
If we take a look at the following statics by statsmonkey.com we see that
As we see that 78.67 % of the Saudi users use Windows and hence the scale of people affected by the malware is more and it should be also reminded that last month Shamoon 2.0 attack also took place which can help us draw a conclusion that Saudi users have still not taken preventive measures.
The following keys were Deleted from the Registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
These are essential because they decide the access of the Internet Settings. By deleting these values we are opening the access for the outside attacker by exploiting these because by default these zones are locked so that they can improve the security of the machine.
Another element in the campaign known as the Retrieve:
The analysis showed that the strings inside our sample {1c550dc73b7a39b0cd21d3de7e6c26ece156253ac96f032efc0e7fcc6bc872ce}
{7cdbf5c035a64cb6c7ee8c204ad42b4a507b1fde5e6708ea2486942d0d358823} are the two files that were analysied.
A quick VirusTotal lookup confirmed and cleared any remaining doubts of the file being malicious or not. A screenshot of the VirusTotal result is shown below:
And
These files are just responsible to establish connection to the web-servers which are hosting the malicious files and then downloading the malicious files on the victim's machine.
The traces of strings such as $7c5fd882-1160-4075-ad8a-3b4e86772aeb, and http://tempuri.org/GetNameAbById , now these strings are found in other malicious file, one such file listed as follows: 04c587965d070f936d82a0629a494b1213bba345c87e5f081fe4d028cb2b9bb7
Conclusion:
From the information that was collected during our analysis we conclude the following that :
- The attack was intended towards the Middle-East. This is the second attack as the previous attack was from the Shamoon 2.0 campaign.
- The attack was more sophisticated than the Shamoon 2.0. Which makes us believe that the attackers are learning from the previous campaigns and modifying their attacks with every new campaign.
- This attack's main motive appears to gain a backdoor access and hence from the analysis we could also observe that it tried to make use of windows powershell over and over.
- The various components that we analysed from the campaign show us that the attackers did not take much efforts as to writing and customising the malware all by themselves but focused more on how to spread and propagate to maximum users.
- We strongly advise the users of Middle east to be very careful with mails from unknown senders since both the Shamoon 2.0 and this recent attack rely heavily on phishing attacks.
