Since the end of last year we have been monitoring a new malicious campaign spreading a banking Trojan. The attackers focused on compromising Russian companies, that is, corporate users. The campaign has been active for at least a year, and besides the banking Trojan the attackers used a variety of other software tools. These include a special downloader packaged using
The attackers installed the malware only on computers whose Windows localization was Russian. The Trojan's main distribution vector was a Word document with an exploit
Fig. 1. Phishing document.
Fig. 2. Another variant of the phishing document.
The following facts indicate that the attackers were targeting Russian businesses:
- distribution of the malware using decoy documents on the corresponding subject;
- the attackers' tactics and the malicious tools they use;
- references to business applications in some of the executable modules;
- the names of the malicious domains used in this campaign.
The special software tools that the attackers install on a compromised system give them remote control over it and let them monitor user activity. To do this they install a backdoor and also try to obtain the password of the Windows account or create a new account. The attackers also use a keylogger, a Windows clipboard stealer, and special software for working with smart cards. The group also tried to compromise other computers on the same local network as the victim's machine.
Our ESET LiveGrid telemetry system, which lets us quickly track malware distribution statistics, provided interesting geographical data on the distribution of the malware used in this campaign.
Fig. 3. Geographical distribution of the malware used in this campaign.
Malware installation
After the user opens the malicious document with the exploit on a vulnerable system, a special downloader packaged with NSIS is fetched and executed. At the start of its work the program checks the Windows environment for debuggers and for execution inside a virtual machine. It also checks the Windows localization and whether the user has visited any of the URLs listed in the table below in a browser; for this it uses the FindFirstUrlCacheEntry/FindNextUrlCacheEntry APIs and the Software\Microsoft\Internet Explorer\TypedURLs registry key.
The downloader also checks for the presence of the following applications on the system.
The list of processes is impressive, and it does not contain only banking applications. For example, the executable name "scardsvr.exe" belongs to the Windows Smart Card service (Smart Card Resource Manager). The banking Trojan itself includes functionality for working with smart cards.
Fig. 4. General scheme of the malware installation process.
If all checks pass, the downloader fetches a file (an archive) from a remote server containing all the malicious executable modules used by the attackers. Notably, depending on the outcome of the checks above, the archives downloaded from the remote C&C server may differ: the archive may be malicious or not. The non-malicious one installs the Windows Live Toolbar on the user's machine. Most likely the attackers used this trick to deceive automated file-analysis systems and the virtual machines in which suspicious files are run.
The file downloaded by the NSIS downloader is a 7z archive containing the various malware modules. The figure below shows the entire installation process of the malware and its modules.
Fig. 5. General scheme of malware operation.
Although the downloaded modules serve different purposes, they are packaged the same way, and many of them are signed with valid digital certificates. We found four such certificates that the attackers had been using since the beginning of the campaign. After our complaint these certificates were revoked. Notably, all of the certificates were issued to companies registered in Moscow.
Fig. 6. The digital certificate used to sign the malware.
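As an added illustration (this is not ESET's code and not the downloader's own), the following Python models the target-selection logic described above, in the form an analyst would use to work out why a sandbox received the decoy Windows Live Toolbar archive instead of the malicious 7z bundle. Everything except scardsvr.exe, the TypedURLs key, the cache-walking API names and the ru-RU locale is a constructed placeholder: the real process list and URL table are in the article's tables, which are not reproduced here, and the order of the checks is an assumption, since the article only says the downloaded archive depends on their outcome.

```python
"""Model of the NSIS downloader's victim-profiling checks (added example,
not the malware's code).  Process names other than scardsvr.exe, the URL
markers and the check order are constructed assumptions."""
from dataclasses import dataclass

RUSSIAN_LCID = 0x0419          # ru-RU; the loader requires Russian Windows localisation

# Constructed stand-ins for the loader's lists (only scardsvr.exe is named in the article).
TARGET_PROCESSES = {"scardsvr.exe", "ibank2.exe", "cbmain.exe"}
ANALYSIS_PROCESSES = {"vboxservice.exe", "vmtoolsd.exe", "ollydbg.exe", "x32dbg.exe"}
BANKING_URL_MARKERS = ("ibank", "clientbank", "online.bank")


@dataclass
class HostProfile:
    lcid: int
    processes: set            # running process image names
    typed_urls: list          # HKCU\Software\Microsoft\Internet Explorer\TypedURLs values
    cache_urls: list          # what FindFirstUrlCacheEntry/FindNextUrlCacheEntry would enumerate
    debugger_present: bool = False


def visited_banking_site(profile: HostProfile) -> bool:
    """The loader's URL check: any typed or cached URL matching the banking list."""
    urls = [u.lower() for u in profile.typed_urls + profile.cache_urls]
    return any(marker in url for url in urls for marker in BANKING_URL_MARKERS)


def choose_payload(profile: HostProfile):
    """Return ('decoy', reason) when the loader would fetch the Windows Live
    Toolbar archive, or ('banker', reason) for the malicious 7z bundle."""
    procs = {p.lower() for p in profile.processes}
    if profile.debugger_present:
        return "decoy", "debugger detected"
    if procs & ANALYSIS_PROCESSES:
        return "decoy", "virtual machine or analysis tooling detected"
    if profile.lcid != RUSSIAN_LCID:
        return "decoy", "Windows localisation is not Russian"
    if not (visited_banking_site(profile) or procs & TARGET_PROCESSES):
        return "decoy", "no banking software or banking URLs on host"
    return "banker", "host matches target profile"


if __name__ == "__main__":
    # Constructed hosts: a stock English-locale sandbox and a seeded Russian
    # accounting workstation with the smart card service and a bank URL in history.
    sandbox = HostProfile(0x0409, {"vmtoolsd.exe", "explorer.exe"}, [], [])
    workstation = HostProfile(RUSSIAN_LCID, {"explorer.exe", "scardsvr.exe"},
                              ["https://ibank.example.ru/login"], [])
    print(choose_payload(sandbox))      # ('decoy', 'virtual machine or analysis tooling detected')
    print(choose_payload(workstation))  # ('banker', 'host matches target profile')
```

The practical point is the reason string: to make the downloader hand over the real bundle inside an analysis environment, the VM must present a Russian locale, hide its guest tooling, and carry seeded TypedURLs or IE cache entries (or a process from the target list), otherwise only the toolbar archive is ever observed.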
The following table lists the digital certificates that the attackers used in this malicious campaign.
Almost all of the malicious modules have an identical installation procedure: they are password-protected self-extracting 7-Zip archives.
Fig. 7. Fragment of the batch file install.cmd.
The batch .cmd file is responsible for installing the malware on the system and launching the various malicious tools. If the installation requires administrator rights that the current user lacks, the malicious code uses several methods to obtain them (UAC bypass). The first method involves two executables, l1.exe and cc1.exe, which bypass UAC using a mechanism from
While tracking this campaign we analysed several archives fetched by the downloader. Their contents varied, i.e. the attackers adapted the set of malicious modules to different purposes.
User compromise
As mentioned above, the attackers use special tools to compromise users' computers. These include programs with the executable names mimi.exe and xtm.exe. They help the attackers gain control over the victim's computer and perform the following tasks: obtaining/recovering Windows account passwords, enabling the RDP service, and creating a new OS account.
The executable mimi.exe contains a modified version of a well-known open-source tool
Another executable, xtm.exe, runs scripts that enable the RDP service, try to create a new OS account, and change system settings so that several users can connect to the compromised computer over RDP simultaneously. These steps are obviously needed to obtain full control of the compromised system.
Fig. 8. Commands executed by xtm.exe on the system.
The attackers use another executable, impack.exe, which installs software called LiteManager on the system; the attackers use it as a backdoor.
Fig. 9. LiteManager interface.
Once installed on the user's system, LiteManager lets the attackers connect directly to the system and control it remotely. The software has dedicated command-line options for silent installation, creation of the necessary firewall rules, and launching its module; the attackers use all of them.
The last module of the malware bundle is the banking malware (banker), with the executable name pn_pack.exe. It specializes in spying on the user and is responsible for interacting with the controlling C&C server. The banker is launched through the legitimate Yandex Punto software, which the attackers use to load a malicious DLL (DLL side-loading). The malware itself can perform the following functions:
- log keystrokes and clipboard contents for later transfer to a remote server;
- enumerate all smart cards present in the system;
- interact with the remote C&C server.
The malware module responsible for all of these tasks is an encrypted DLL. It is decrypted and loaded into memory while Punto runs. To perform the tasks above, the DLL's code starts three threads.
The attackers' choice of Punto is not surprising: some Russian forums openly publish detailed information on using weaknesses in legitimate software to compromise users.
The malicious library uses the RC4 algorithm to encrypt its strings and its network traffic with the C&C server. It contacts the server every two minutes and sends all the data collected on the compromised system during that interval.
Fig. 10. Fragment of the network exchange between the bot and the server.
Below are some of the C&C server commands the library can receive.
In response to a command from the C&C server, the malware replies with a status code. Notably, all the banker modules we analysed (the most recent with a compilation date of 18 January) contain the string "TEST_BOTNET", which is sent in every message to the C&C server.
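To make the RC4 usage and the TEST_BOTNET marker concrete, here is an added Python example; it is not the banker's code, and the key, the beacon layout and the connection timestamps are constructed assumptions, since the article publishes neither the key nor the message format. It implements RC4 as the library uses it for both its strings and its C&C traffic, decodes a constructed beacon carrying the marker, recovers the key by trying candidates against strings dumped from the DLL, and flags the two-minute beaconing cadence in a constructed list of connection times.

```python
"""RC4 decoding of the banker's strings and C&C beacons, plus a beaconing
check (added example, not the malware's code; key and layout are assumed)."""
import statistics

BOTNET_MARKER = b"TEST_BOTNET"      # from the article: present in every message to the C&C


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4. XOR keystream, so the same call encrypts and decrypts."""
    # Key-scheduling algorithm
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation, XORed over the data
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_beacon(key: bytes, bot_id: str, collected: list) -> bytes:
    """Constructed layout: marker|bot_id|item|item..., then RC4-encrypted."""
    body = b"|".join([BOTNET_MARKER, bot_id.encode()] + [c.encode() for c in collected])
    return rc4(key, body)


def decode_beacon(key: bytes, blob: bytes) -> dict:
    """Decrypt a captured beacon; the marker doubles as a wrong-key check."""
    plain = rc4(key, blob)
    if not plain.startswith(BOTNET_MARKER + b"|"):
        raise ValueError("wrong key, or not a beacon of this family")
    fields = plain.split(b"|")
    return {"bot_id": fields[1].decode(), "collected": [f.decode() for f in fields[2:]]}


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """Heuristic used when trying keys: a correct key yields printable strings."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return len(data) > 0 and printable / len(data) >= threshold


def recover_key(candidates: list, encrypted_strings: list):
    """Try candidate keys (e.g. constants pulled from the DLL) against encrypted
    strings dumped from it; return the first key that decrypts all of them to text."""
    for key in candidates:
        if all(looks_like_text(rc4(key, s)) for s in encrypted_strings):
            return key
    return None


def is_beaconing(timestamps: list, period: int = 120, tolerance: int = 10) -> bool:
    """True when successive contacts to one host are spaced ~period seconds apart,
    as this banker's two-minute check-in is."""
    if len(timestamps) < 4:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return (abs(statistics.median(gaps) - period) <= tolerance
            and max(gaps) - min(gaps) <= 2 * tolerance)


if __name__ == "__main__":
    key = b"constructed-key"                     # assumed key, not the real one
    blob = build_beacon(key, "bot-01", ["keys:Passw0rd", "clip:4111 1111"])
    print(decode_beacon(key, blob))
    dumped = [rc4(key, s) for s in (b"GET /gate.php", b"Smart card list")]
    print(recover_key([b"nope", b"other", key], dumped))
    print(is_beaconing([0, 120, 240, 361, 480, 600]))   # True
```

Two caveats follow from the design. Because the marker travels RC4-encrypted, "TEST_BOTNET" is not a usable network signature unless the key is known; on the wire the reliable indicator is the 120-second cadence to the same host. And RC4 with a fixed key is a stream cipher reused across messages, so identical beacon prefixes produce identical ciphertext prefixes, which is itself a clustering pivot across captures.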
Conclusion
To compromise corporate users, the attackers first compromise a single employee of the company with a phishing message carrying an exploit. Once the malware is installed on that system, they use software tools that let them escalate their privileges on it and perform further tasks: compromising other computers on the corporate network and spying on the user, including the banking transactions that user performs.
Source: habr.com