Last week, Minerva prevented a new malware variant that was distributed via phishing emails in south-east Asia. This threat is not an impressive APT, it doesn't utilize any 0-day exploits and is far from being perfect, yet – during the first couple of days after its release it wasn't detected by the vast majority of security solutions.

Its ability to evade detection, even only for a couple of days, combined with the info-stealing capabilities this malware possesses, can be devastating. This malware variant provides another live example of the blind spots in current security products. At the same time we are able to showcase Minerva's prevention-before-detection methodology and its effectiveness.

This blog post will detail the infection method, the malware's characteristics and capabilities, and will provide IoCs.

Infection Method

We are seeing a trend in which most cybercrime attacks are initiated either by phishing emails or by exploit kits. This case is no exception – the malware in question was sent as a ZIP archive attached to an email. The content trying to lure the victim into opening the attachment is typical of these campaigns: an invoice from the customer support manager of the south-east-Asian branch of a large shipping company:

Figure 1: the malware, attached within a ZIP file

Although the real sender is clearly not the manager, the content of the email looks credible and plausible. We suspect that the recipient was a victim of a previous phishing campaign, and that his original emails and details were used by the attackers to optimize their current wave of attacks.

The attackers' choice of the identity of the manager at the South-East Asia branch of the shipping company, along with the fact that we were able to detect victims of this attack in multiple countries in this region, leads us to believe that this wave of phishing emails was geographically focused.

Hiding as Navicat

This new threat is disguised as the common MySQL utility called Navicat.[1]

The cyber criminals behind this threat tried very hard to make it look like a benign copy of Navicat, editing the metadata so it will be the same as the genuine binary.

The version mimicked by the malware (on the left) is obsolete when compared to the latest Navicat (on the right), while the rest of the properties were carefully copied by the attackers. Another detail the attackers missed was the icon: instead of Navicat's original icon they used a generic one:

Figure 2: the malware on the left, Navicat on the right

For the attackers, editing the metadata wasn't enough, so they signed the malware – with a cryptographically corrupted certificate, suggesting either the certificate or the signed binary were altered:

Figure 3: malware on the left, Navicat on the right

Fortunately enough, not only did the tampered code signature fail verification – it can also be easily spotted by the different chain of CAs which signed it. The certificate for the real Navicat was issued by Digicert and for the rogue Navicat by Certum.

Capabilities and Features

The fact that Navicat was selected as the disguise shows us that the attackers probably targeted users who wouldn't suspect it, e.g. – DBAs and IT personnel. Combining the malware's extensive info-stealing capabilities with the high-level privileges of the targeted users can be highly dangerous for an enterprise.

As seen in the image below, the malware (under the names atiedxx.exe and tmpf_Moc7.exe) executes its own binary nine times. Each of the nine iterations gets a new argument and has a different role in its effort to evade detection, collect data and gain persistency:

Figure 4: process tree, including nine different copies of the malware

We will go through the techniques used by this malware in detail later in this section.

Persistency

The techniques used to gain persistency are all well-known:

Copying itself to %APPDATA%\com3.{025A5937-A6BE-4686-A844-36FE4BEC8B6D}\atiedxx.exe and afterwards creating references to this path under the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\atiedxx

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\atiedxx

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\atiedxx

Creating a scheduled task to run on each user logon by executing: "C:\Windows\System32\schtasks.exe" /create /sc ONLOGON /tn atiedxx.exe /tr "C:\Users\RW2\AppData\Roaming\com3.{025A5937-A6BE-4686-A844-36FE4BEC8B6D}\atiedxx.exe"

Copying itself to the startup folder: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.exe

Figure 5: five different persistency methods

The fact that this malware uses so many techniques simultaneously "just to be on the safe side" creates an interesting situation – on each reboot of an endpoint, multiple instances of the malware will start:

Figure 6: infected machine after a reboot

This issue was partially solved by using mutex objects, however – we still encountered some collisions when multiple instances were executed.

Stealing Sensitive Information

Multiple core components of the malware implement many techniques for stealing various data types. They target:

Browser Form and Passwords Cache - The malware tries to steal credentials from many browsers, ranging from IE and Firefox to the Yandex Browser, which is popular in Russian-speaking countries.

Email Clients - The malware tries to exfiltrate the credentials using known techniques. Among the covered products are Thunderbird and Outlook (2010 to 2016).

FTP Servers - The malware seeks the file recentservers.xml used by FileZilla to store the credentials to recently accessed FTP servers. The latest FileZilla doesn't save the password in plaintext, but instead of safely storing it – the sensitive information is saved in base64 encoding:

Figure 7: example for FileZilla recentservers file, the encoded password is 1234

RDP - Another module searches files in the Documents folder with the .rdp extension. Those may store the hostnames and sometimes even passwords of recently accessed remote machines.

Running Process Memory - In order to give the attacker the ability to assess how dangerous or valuable a victim is, a routine which enumerates all running processes is implemented.

All the information collected is first saved locally in the following format:

Figure 8: login storage format

Afterwards it is encrypted and exfiltrated to the attackers, and can be used to gain control over more assets the victim may have access to.

VNC

The malware searches for multiple VNC products and versions including RealVNC, WinVNC, UltraVNC and TightVNC. The versions it searches are obsolete, e.g. RealVNC 4 which was already superseded by version 5 in 2013. This may hint to us that this module was created over four years ago.

Keylogger

A "traditional" keylogger, calling SetWindowsHookA with the WH_KEYBOARD_LL parameter. The exfiltrated data is sent as plaintext over HTTP requests:

Figure 9: BadCat Keylogger exfiltration session

Looking after Point-of-Sale Systems

Just like BlackPOS[2], used in the Target breach, this malware checks whether an executable called POS.exe is present on the victim's machine. We have yet to observe any card-scraping capability in this malware, but it signals to the C2 server once this file is found – possibly as a request for an advanced module which implements POS-specific capabilities.

File Type Tricks

One of the most interesting anti-analysis tricks used by this malware is the folder it uses to store a persistent copy of its binary and various other logs and configuration files. It is named com3 and is followed by an extension which is the CLSID of the Windows power management utility:

Figure 10: the folder storing the malware's persistent copy

As you can see, the folder is identified by Explorer as a "file folder"; however, its file type causes Windows to open the power management control panel when it is simply double-clicked. Moreover, using "com" as part of the folder name confuses other utilities like cmd.exe, but we overcame this obstacle as well by referencing this folder as a network path:

Figure 11: bypassing the com folder anti-analysis technique

Above, you can see how in the first DIR command the com3 folder was found and detected as a directory; however, when we tried to enumerate it directly, it returned a "File Not Found" error.
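An added example (not code from the original post) that ties the Persistency section to the folder trick above: it triages constructed autorun entries in the style of Figure 5, flags any path component that is a reserved DOS device name or carries a .{CLSID} suffix, and produces the network-path spelling used above to list the folder. The entry sources and the benign "Updater" control entry are constructed for the example.

```python
import re

# Win32 path parsing treats "COM3" (with or without an extension) as a device name.
RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$", re.IGNORECASE)
# A trailing ".{CLSID}" makes Explorer open that shell object instead of the folder.
CLSID_SUFFIX = re.compile(r"\.\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)

def folder_tricks(name):
    """Return the set of naming tricks a single path component uses."""
    tricks = set()
    if RESERVED.match(name):
        tricks.add("reserved-device-name")
    if CLSID_SUFFIX.search(name):
        tricks.add("clsid-suffix")
    return tricks

def executable_of(command):
    """Executable path from a Run-key value or schtasks /tr argument, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]

def suspicious_components(path):
    """Map each flagged component of a Windows path to the tricks it uses."""
    return {p: sorted(folder_tricks(p)) for p in path.split("\\") if folder_tricks(p)}

def unc_path(win_path):
    """C:\\dir -> \\\\localhost\\C$\\dir, the network-path form used in the write-up."""
    return r"\\localhost\%s$%s" % (win_path[0], win_path[2:])

def triage(entries):
    """(source, command) pairs -> those whose executable lives in a tricky folder."""
    hits = []
    for source, command in entries:
        flagged = suspicious_components(executable_of(command))
        if flagged:
            hits.append((source, flagged))
    return hits

# Constructed autorun entries modelled on Figure 5; the third is a benign control.
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\atiedxx",
     r'"C:\Users\RW2\AppData\Roaming\com3.{025A5937-A6BE-4686-A844-36FE4BEC8B6D}\atiedxx.exe"'),
    ("schtasks /tn atiedxx.exe",
     r'"C:\Users\RW2\AppData\Roaming\com3.{025A5937-A6BE-4686-A844-36FE4BEC8B6D}\atiedxx.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r'"C:\Program Files\Example\updater.exe" /quiet'),
]
```

Run triage(SAMPLE_AUTORUNS) to get the two atiedxx entries back with their flagged com3.{CLSID} component; unc_path() gives the spelling to hand to DIR on an affected host.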

Payload Encryption

In order to evade detection this malware (like many others) used a commercial product called Themida.

It provides a framework which allows you to "recompile" your code, maintaining its original functionality while altering the binary. It has legitimate uses, like protecting intellectual property embedded in software, but if Themida's input is malicious, it will alter the malware in a way that makes both automatic analysis (e.g. – by an anti-virus solution) and manual analysis much more difficult.

C2 Infrastructure

Linked Samples

Our sample resolved the domain iamthecause[.]top to the IP address 91[.]134[.]207[.]32, which was located in Bulgaria. After going through multiple sources[3], [4] we found an older brother to our malware.[5] It had the exact same properties as the original sample but was not signed. This suggests that the capability to sign binaries, even with a corrupted signature, was obtained by the attackers only recently.

Signing the binary, even with an invalid signature, minimizes the chances it will be detected. Some security programs do not verify the validity of signatures but have exceptions for signed binaries. This kind of behavior can allow the newer sample to disguise itself as the original Navicat, or to fly under the radar by simply being a generic signed program.

Communication

Once the malware has landed, it starts sending repetitive signals to its C2 server at regular intervals, in this case – it does so every 64 seconds. Each signal contains basic identifying parameters and some optional flags:

Figure 12: beacon frame on a machine with POS.exe

The parameter a45 is always present in these "beacon frames"; however, z=1 and y=1 are optional and depend on the victim machine. y=1, for example, will be sent to the C2 only if the file POS.exe is present on the infected machine, supporting our theory about a POS-specific module which can be deployed.

In an attempt to lure the malware to download and deploy this "mystery module" we caused the malware to believe that POS.exe is present. Unfortunately, although our machine broadcasted the unique parameter notifying the C2 that POS.exe is present – we haven't witnessed a case where a POS specific module was downloaded.

Another type of communication between the agent and the C2 servers was the keylogger output, sent as a plaintext file with the parameter a63:

Figure 13: an example for keylogger output broadcast
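Detection logic for the beacon pattern just described, written as an added example (not Minerva's code): it runs over a constructed proxy log, flags requests to the two known gates, the y=1 POS flag and a63 keylogger uploads, and looks for the 64-second spacing between a45 requests, which would still fire against a gate not yet on the list. The URL path and the way a45, z, y and a63 appear as query parameters are assumptions; the real request layout is only shown in the screenshots.

```python
import statistics
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

KNOWN_C2 = {"iamthecause[.]top", "fraternitylaw[.]co[.]in"}   # domains from the write-up, defanged
BEACON_INTERVAL = 64   # seconds between beacons, as observed above
TOLERANCE = 5          # accepted jitter around that interval

# Constructed proxy log ("timestamp method url"). The path and the way a45, z, y
# and a63 appear as query parameters are assumptions for this example; the
# real request layout is only shown in Figures 12 and 13.
SAMPLE_LOG = """\
2017-01-10T10:00:00 GET http://iamthecause[.]top/index.php?a45=ID1&z=1&y=1
2017-01-10T10:01:04 GET http://iamthecause[.]top/index.php?a45=ID1&z=1&y=1
2017-01-10T10:02:08 GET http://iamthecause[.]top/index.php?a45=ID1&z=1&y=1
2017-01-10T10:02:30 POST http://iamthecause[.]top/index.php?a63=ID1
2017-01-10T10:03:00 GET http://www.example.com/index.html?a45=x
"""

def parse_line(line):
    """-> (timestamp, defanged host, query parameters)."""
    ts, _method, url = line.split(" ", 2)
    parts = urlsplit(url.replace("[.]", "."))          # refang so urlsplit accepts the host
    host = (parts.hostname or "").replace(".", "[.]")  # defang again for reporting
    return datetime.fromisoformat(ts), host, parse_qs(parts.query)

def analyse(log_text):
    """Return (timestamp, host, finding) tuples for traffic matching the beacon pattern."""
    findings, beacons = [], {}
    for line in log_text.splitlines():
        ts, host, params = parse_line(line)
        if host in KNOWN_C2:
            findings.append((ts, host, "known C2 host"))
        if "a45" in params:                            # a45 is present in every beacon
            beacons.setdefault((host, params["a45"][0]), []).append(ts)
            if params.get("y") == ["1"]:               # y=1: POS.exe found on the victim
                findings.append((ts, host, "beacon reports POS.exe present (y=1)"))
        if "a63" in params:                            # a63: plaintext keylogger upload
            findings.append((ts, host, "keylogger upload (a63)"))
    # Regular ~64 s spacing between a45 requests is the timing signature, whatever the host.
    for (host, _victim), stamps in beacons.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= 2 and abs(statistics.median(gaps) - BEACON_INTERVAL) <= TOLERANCE:
            findings.append((stamps[-1], host, "regular ~64s beaconing"))
    return findings
```

On the sample log, analyse(SAMPLE_LOG) reports the known host four times, the POS flag three times, one keylogger upload and one beaconing finding, while the single a45 request to the unrelated host produces nothing.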

Hiding in Plain Sight

The attackers used at least two different URLs, the older sample resolved fraternitylaw[.]co[.]in and the newer sample resolved iamthecause[.]top as already mentioned. In both cases a legitimate website was replicated to give a seemingly benign façade to the C2 gate:

Figure 14: C2 façade on top and the real website below

Going through the source of this C2 fake façade gave us an interesting glimpse into the timeline of the phishing campaign:

Figure 15: source of the C2 benign front

We found out that the attackers used the free website copier utility HTTrack[6], and more importantly, as the attackers forgot to remove HTTrack's imprinted logs from the page – we were able to verify the timeline. The content of the URL resolved by the "older brother" was created three months before the one resolved by the newer sample.

PREVENTED by Minerva!

At first glance this complex intrusive threat might sound a bit frightening – but if your enterprise is protected by Minerva you need not worry even a bit. Minerva Anti-Evasion Platform makes the malware believe that its greatest fears have been realized, causing it to immediately halt its execution.

Summary

The analyzed phishing campaign and dropped malware are just another example of a fast-growing and worrisome trend, one more fish in an overflowing ocean of dangerous threats. Although we assess this campaign was assembled from an eclectic collection of different modules, some significantly older than others, it was almost undetectable when it initially came out. Nevertheless, the potential damage it may cause to an enterprise is severe, considering the effect the leaked sensitive credentials of high-level privileged users might have.

The emergence of these generic, yet-dangerous threats emphasizes the need for a paradigm shift. Countless similar threats are created daily. At Minerva, our goal is to make sure that you have nothing to worry about. We do so by using the Malware's capabilities against itself, preventing it without the need to first detect it.


[1]https://www.virustotal.com/en/file/8159704f8517ba8d8a2f9ea6ec42f5fd4e18438c940806e48dcdd726b923ab66/analysis/

[2]https://www.nuix.com/2014/09/08/blackpos-v2-new-variant-or-different-family

[3]https://www.virustotal.com/en/ip-address/91.134.207.32/information/

[4]https://www.passivetotal.org/search/91.134.207.32

[5]https://www.virustotal.com/en/file/505b236071e09d0c8f64283123b8a64a9eee1d3f760686fd13c4c63a0b3a2df8/analysis/

[6]https://www.httrack.com/

IoC

URLs

Older version

fraternitylaw[.]co[.]in

New version

iamthecause[.]top

IP Address

91[.]134[.]207[.]32

SHA-256

Older sample

505b236071e09d0c8f64283123b8a64a9eee1d3f760686fd13c4c63a0b3a2df8

New samples

8159704f8517ba8d8a2f9ea6ec42f5fd4e18438c940806e48dcdd726b923ab66

7ebc8f45c095922de5a38ba6e92f9a9fed45c233461d5b67d58d6b2c9e28f262

Registry Keys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\atiedxx

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\atiedxx

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\atiedxx

Files

%APPDATA%\com3.{025A5937-A6BE-4686-A844-36FE4BEC8B6D}\atiedxx.exe

%APPDATA%\com3.{025A5937-A6BE-4686-A844-36FE4BEC8B6D}\dwn.exe

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.exe

Mutex