Monday, October 12, 2015

Trojan.Fareit IIV

Phishing Email lands

The malicious attachment was extracted from the .eml file 
OfficeMalScanner was used to extract the malicious VB macro code

We can see three modules

Several different functions end up calling the same function, Itkadata(). All the VB code is obfuscated: the suspicious reserved keywords are either broken into multiple strings that are concatenated at run time, or hidden behind Chr() and Int() calls that rebuild the actual words.
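To recover the words and URLs behind this style of obfuscation during analysis, the following added Python helper (my own example, not code from the post) folds Chr()/Chr(Int()) calls into string literals and joins the fragments that the macro glues together with &. The sample macro lines are constructed to mimic the technique and use a placeholder domain, not the real one from the sample.

```python
import re

# Constructed sample in the obfuscation style the post describes (assumed,
# not the real macro): keywords split into fragments joined with "&", and
# characters hidden behind Chr() / Chr(Int()) calls.
SAMPLE_VBA = '''
strUrl = "ht" & "tp://" & "exam" & "ple.inv" & "alid/" & Chr(Int(112)) & Chr(105) & "pi.txt"
Set objHttp = CreateObject("MSX" & "ML2." & "Server" & Chr(88) & "MLHTTP")
objHttp.Open "G" & Chr(69) & "T", strUrl, False
'''

CHR_RE = re.compile(r'Chr\s*\(\s*(?:Int\s*\(\s*)?(\d+)\s*\)?\s*\)', re.IGNORECASE)
LIT_RE = re.compile(r'"((?:[^"]|"")*)"')
INDICATORS = ('http://', 'https://', 'ServerXMLHTTP', 'Shell', '.vbs', '.bat', '.exe')

def fold_chr(line):
    """Turn Chr(n) / Chr(Int(n)) into a VBA string literal (a quote becomes "")."""
    def repl(m):
        ch = chr(int(m.group(1)))
        return '""""' if ch == '"' else '"' + ch + '"'
    return CHR_RE.sub(repl, line)

def fold_concat(line):
    """Join adjacent string literals that the macro glues together with &."""
    return re.sub(r'"\s*&\s*"', '', line)

def deobfuscate(vba):
    """Apply both folds line by line; returns VBA with whole literals restored."""
    return '\n'.join(fold_concat(fold_chr(l)) for l in vba.splitlines())

def string_literals(vba):
    """All string literals in the de-obfuscated code, VBA "" escapes resolved."""
    return [m.group(1).replace('""', '"') for m in LIT_RE.finditer(deobfuscate(vba))]

def suspicious_strings(vba):
    """Literals worth a look: URLs, the HTTP COM object, script/exe names."""
    return [s for s in string_literals(vba)
            if any(tok.lower() in s.lower() for tok in INDICATORS)]

if __name__ == '__main__':
    print(deobfuscate(SAMPLE_VBA))
    for s in suspicious_strings(SAMPLE_VBA):
        print('indicator:', s)
```

Only literal concatenation is folded; values built from variables or function results still need a debugger or a VBA emulator.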

The code creates a URL which seems to be pointing towards a .txt resource

This is what the text file looks like. It is also obfuscated, but from the looks of it we can see that it contains a mix of VBS and .bat script code.

We can see another URL being created in parallel. We will come to know what it is as we proceed. 

We can see an MSXML2.ServerXMLHTTP object being created, which will be used to issue a GET request.

We can see that the server's response (the .txt file containing the VBS and bat code) is stored in a variable as a string.

It looks as if the other URL that was being created in parallel also points to a text file resource, pipi.txt. That is not the case: pipi.txt is actually part of the URL path, and the resource requested is an index.html file. Going to this URL brings us to the following page:

The response to the GET request for the index.html file is also stored in a string, and VOILA! the response is actually the URL to the second stage binary (exe) hosted on the domain.

The previous response containing the VBS and bat code is then modified: the second response (the URL to the second stage binary) replaces the placeholder string "paytina", and strTecation is set to the path where the binary will be placed as "10.exe".

We can see that the macro is creating a vbs file

The 11821.vbs file is also created in the temp folder

Looking at the obfuscated VBS code shows that an MSXML2.ServerXMLHTTP object is being created, which GETs the second stage binary s1.exe and saves it as 10.exe in the temp folder.

We can see that the macro is also creating a .bat file 

The bat file is also created in the tmp folder

We can see that the bat file first executes the 11821.vbs script created previously (which downloads the second stage binary and puts it in the temp folder as 10.exe), then sends 4 pings to a seemingly random IP, most probably as a wait mechanism so that the binary has finished downloading and is ready to be executed. The bat file then executes 10.exe. After this the bat file simply loops, trying to delete the vbs file; once the vbs has finished executing it is deleted by the bat file, which then deletes itself and exits the loop.

We can see that after creating the two scripts above in the temp folder, the macro executes the bat file using Shell().

In Process Hacker's process tree we can clearly see cmd.exe, conhost.exe, cscript.exe and ping.exe as child processes.

The above code just throws an error and is irrelevant.

Unfortunately I was not able to get my hands on the second stage binary, as the resource is unavailable and cannot be found. It throws a 404.

The callback to the address was detected as C2 communication at the perimeter, and the malware being downloaded is classified as Trojan.Fareit, which is a password stealer. A good amount of technical information on the second stage binary can be found at:
