A phishing email received by LogRhythm Labs, originating from a fake Facebook email address (email@example.com), encourages the recipient to click on the link to download a “private photo archive.”
Figure 1 : Phishing email
Following the link navigates the default browser to hxxp://sv-poesel.de/get_photo.php, initiating a download of “private_photo_archive.zip” (md5 => 3a1c8aa265732bb21e3a105c4f50ee33). Decompressing the file presents an executable “private_photo_archive.exe” (md5 => c35f18a4e4bd4c15f15e8c66f8293cce).
Figure 2 : private_photo_archive.zp properties
The file is packed, and attempting to run the sample through a debugger or inside a sandbox will cause the program to halt execution and exit. PE Explorer was used to further examine and unpack the file and view its contents, which uncovered the following malicious actions:
- Evaluates the OS license to determine if the host is an unlicensed VM and thus a potential sandbox environment
- Also checks file access across the OS for sandbox evidence
- Hijacks the currently installed anti-virus software and runs as a mirror process in memory
- Attempts to gather stored account credentials from popular FTP clients
- Attempts to steal the Microsoft License, if valid
- Communicates using popular User Agent Strings to avoid network-layer detection
- Erases itself and resides in memory either injected into or masquerading as a legitimate process following execution
When launched, the executable disappears without any visible effect. In actuality, the malware hijacks another legitimate process if available or spawns the WerFault.exe process. Interestingly, if the host is running AntiVirus software that does not detect the threat, the malware hijacks and hides behind the AV process. This was observed when running the malware using Avast AntiVirus (which has since been updated and now accurately detects the malware).
Figure 3 : Hijacking and hiding behind Avast
The malware makes several registry changes before disabling and then corrupting the Windows Firewall configuration—any attempts to re-enable the firewall result in error messages.
Figure 4 : Trying to enable the firewall resulting in an error
Next, a scheduled task is set…
Figure 5 : Scheduled tasks
…that proactively disables Windows Defender—evident when comparing the scheduled tasks before and after the malware was launched.
Figure 6 : Removing Windows Defender from scheduled tasks
The user’s home directory contents are also corrupted, but it’s not clear why this occurs.
Figure 7 : Corrupted home folder error
The process in its entirety running on a host with no anti-virus installed can be viewed easily using ProcDOT:
Figure 8 : Malware propagation
ProcDOT also shows outbound communication initiated when the malware is run on a host running AntiVirus:
Figure 9 : Outbound HTTP communication
When launched, beaconing is initiated from the infected client over HTTP POSTs to “nigazz.com.”” It should be noted that the IP is not preloaded and a DNS request is required. In this case, the IP resolves to Russian IP 22.214.171.124. The POSTs use port 80, URI path ““/neg/order.php,”” and payloads that contain standard URL encoding with about 700B of hex data that appears to have obfuscated or encrypted values. The server then responds with about 150B of binary data—probably instructions.
Figure 10 : HTTP POST request
The beacons occur over a periodic interval of 10 minutes, which is clearly visible in LogRhythm Network Monitor.
Figure 11 : Periodic communication
Twelve hours after the initial infection, the beacon changed to “niggazz.com,”” also hosted on the same Russian IP.
Based on the network traffic and open source research, it’s clear that the infected machine is part of a botnet—silobreaker.com identified the botnet as Betabot on Nov 25, 2013 with the domain being hosted from Ukraine (126.96.36.199). It should be noted that well known Zeus variants were hosted on that same IP within a few days.
Since late November, the server has changed its physical location to Russia, the malware itself continues to evade detection AV detection, and there is little other information available—as of 2014-01-16, only Websense ThreatSeeker identifies the domain as malicious out of all URL Scanners used on VirusTotal. This malware still poses a very good chance of going undetected and poses a credible threat.
Both LogRhythm System Agent and LogRhythm Network Monitor collect evidence of the beaconing and can be used for gathering and connecting evidence of infection. After collecting indicators, the activity can be blocked via IPS or Firewall. Infected machines need to be completely wiped—there is little chance of completely removing the virus otherwise.
Figure 12 : Beaconing evidence in the logs