Sunday, 26 November 2017

Rules #22 - Copypasta is made to ruin every last bit of originality

Hi,
Three months since the last blog post, it's time for an update \o.

While looking at some public sandbox feeds (ping @fumik0_) I found an unusual pattern that reminded me of old stuff:
[+] e2dbbc71f807717a49b74d19c155a0ae9cce7d6e74f24c63ea5d0ed81ddb24d6 GET -> rpc2.gdn/start/includes/tasks.php?hwid=71D7D653-460A-8BE7-264F6AF5
[+] e2dbbc71f807717a49b74d19c155a0ae9cce7d6e74f24c63ea5d0ed81ddb24d6 POST -> rpc2.gdn/start/inc.php/start/inc.php
[+] 0c4d34cd4a11960ff3f7d205a0196084700f8d6f171ea052f8c9563f9ddc2e2e GET -> rpc2.gdn/start/includes/tasks.php?hwid=49C78CBD-165E-D0CF-474D92B
[+] 0c4d34cd4a11960ff3f7d205a0196084700f8d6f171ea052f8c9563f9ddc2e2e POST -> rpc2.gdn/start/inc.php/start/inc.php

This is a RAT (I don't know its name) that uses TeamViewer to spy on victims.


Panel overview

Let's start with a usual panel overview.
The interface is very simple, main page (click to enlarge):

With that, the botmaster can see whether somebody is currently connected to the infected machine, whether it has a webcam or a mic, and basic system information.
There were 125 bots in this CNC.
The only other page is a quick settings page:

This is very basic but enough for spying on people.

Now let's look at the interesting part: the binary.

TeamViewer_Test_Pub

The sample came from an email with an attachment probably named "invoice.js" (e2dbbc71f807717a49b74d19c155a0ae9cce7d6e74f24c63ea5d0ed81ddb24d6) that drops the RAT via store4caroption-support.info/KKK.exe (0c4d34cd4a11960ff3f7d205a0196084700f8d6f171ea052f8c9563f9ddc2e2e).

The sample is a big package used to deploy TeamViewer and the RAT in %APPDATA%\WebNet\ as hidden files:

SensApi.dll (833ff902452e5fb10b39ef90c2f1ec96beb0d8d0486dc378eb07c10b3672276c) is the RAT controller.
A quick static analysis with PE-bear shows us that this DLL has 4 exports:
  • Entrypoint
  • IsDestinationReachableA
  • IsDestinationReachableW
  • isNetworkAlive
IsDestinationReachableA, IsDestinationReachableW and isNetworkAlive are just wrappers around sensapi.dll (the real one, not the RAT :). The DLL sits beside TeamViewer under the name of a legitimate system library, so the RAT is loaded when TeamViewer resolves that import.

Before jumping into the EntryPoint let's have a quick look at the strings:
rpc2.gdn
num1.gdn
process call create "%s"
runas
wmic
TV started from Admin!!!
uac
This OS is not supported!!!
\Policies\System
\CurrentVersion
\Windows
\Microsoft
Software
%s%s%s%s%s
EnableLUA
Off
High (Always Notify)
Medium (Default Notification)
Low (Default Notification)
N/A
error args
Request successfully!!!
cmdshow
cmd
COMSPEC
/C
run error
wait...
error
closed. exitcode: %d (%s)
tasklist
(x64)
(Win32)
%s PID:%d%s
plugin_start
tiff
plugin_del
%s\%s.%s
admin
Yes
UAC LVL: %s
Elevated: %s
RunAsAdmin: %s
AdminGroup: %s
webcam
mic
device is missing
device is available
off
*.tiff
Command not found!!!
Error
%s%s%s
%06lX-%04lX-%04lX-%06lX
%s%s
HTTP/1.0
Windows Server 2016
Windows 10
Windows Server 2012 R2
Windows 8.1
Windows Server 2012
Windows 8
Windows Server 2008 R2
Windows 7
Windows Server 2008
Windows Vista
Windows XP x64
Windows Server 2003
Windows XP
Windows 2000
unknown
TeamViewer
/start/includes/tasks.php?hwid=
hwid=%s
Content-Type: application/x-www-form-urlencoded
start/includes/act_user.php
hwid=%s&tv_id=%s&tv_pass=%s
start/includes/pass_tv.php
uuid=%s&tv_id=%s&tv_pass=%s&winver=%s&username=%s&webcam=%s&mic=%s
start/inc.php
\start
.exe
open
IsDestinationReachableA
SensApi.dll
IsDestinationReachableW
IsNetworkAlive
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TeamViewer_Desktop.exe
Windows Core Services
%s\%s
.log
.txt
.tmp
resource DLL
TeamViewer
TV_Marker
TVWidget
ATL:00BDE7D8
ATL:00BE38B8

This binary is very verbose, with some recurring patterns like "!!!".
I don't think it's common for a skid to deal with TeamViewer, so before reversing let's check on Google whether the dev copy-pasted some functions from Stack Overflow.
By searching for strings like "High (Always Notify)" I found matching source code in a curious GitHub account:


Commands

After looking deeper into this GitHub account and into the RAT, it looks like the RAT is a fork, or an update, of the source code in that account.
We can find a lot of similar functions (click to enlarge):



The RAT executes commands from the CNC via the function RunCmd() in main.cpp. Here are the available commands in both versions (the Github column is the public source, the IDA column is what the in-the-wild sample accepts):
Github        IDA           Details
setinterval                 Set new interval for CNC ping
setserver                   Set new CNC
setpass                     Set new crypt config password
kill                        Kill TeamViewer
runexe                      Download and run exes
deldll                      Delete dll
update                      Update
rundll                      Download and run dlls
reboot                      Restart PC
poweroff                    Shut down PC
restart                     Restart process
terminate                   Kill process
mydir                       Return current dir
admin         admin         Is process admin?
tasklist      tasklist      Send task list
cmdwnd        cmdwnd        Run hidden cmd
cmd           cmd           Run cmd
              uac           Re-run itself elevated via wmic process call create
              plugin_start  Download, copy as .tiff and run an exe
              plugin_del    Delete a file
              webcam        Webcam on/off
              mic           Mic on/off
As you can see, only a few commands are copied from the GitHub code. The major modifications are around dealing with elevated processes / UAC (because the original code seems really old).

CNC communication

The in-the-wild RAT has a different way of communicating with the CNC. It communicates over HTTP in plain text (the GitHub version used obfuscated HTTP requests).
  • /includes/tasks.php - GET hwid=%s
  • /includes/act_user.php - POST hwid=%s&tv_id=%s&tv_pass=%s
  • /includes/inc.php - POST uuid=%s&tv_id=%s&tv_pass=%s&winver=%s&username=%s&webcam=%s&mic=%s

There are 2 CNC domains: rpc2.gdn and num1.gdn
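As an added example (not code from the blog or from the RAT), here is a small proxy-log matcher built only from what the page shows: the two CNC domains, the endpoint names and POST parameters from the strings dump (including pass_tv.php, which is in the strings but not in the list above), and the "%06lX-%04lX-%04lX-%06lX" hwid format. The log line format ("src method url body") and the sample lines are constructed for the example; the hwid values are the two from the sandbox feed at the top.

```python
import re
from urllib.parse import urlsplit, parse_qs

C2_DOMAINS = {"rpc2.gdn", "num1.gdn"}
# Endpoint tail -> (method, parameters the bot sends), taken from the strings dump.
# Matching on the tail covers both "/includes/tasks.php" and "/start/includes/tasks.php",
# and the doubled "/start/inc.php/start/inc.php" path seen in the sandbox feed.
C2_ENDPOINTS = {
    "/includes/tasks.php": ("GET", {"hwid"}),
    "/includes/act_user.php": ("POST", {"hwid", "tv_id", "tv_pass"}),
    "/includes/pass_tv.php": ("POST", {"hwid", "tv_id", "tv_pass"}),
    "/inc.php": ("POST", {"uuid", "tv_id", "tv_pass", "winver",
                          "username", "webcam", "mic"}),
}
# "%06lX-%04lX-%04lX-%06lX": four upper-case hex groups, minimum width 6/4/4/6,
# at most 8 digits each for a 32-bit long (both feed hwids fit this).
HWID_RE = re.compile(r"^[0-9A-F]{6,8}-[0-9A-F]{4,8}-[0-9A-F]{4,8}-[0-9A-F]{6,8}$")


def classify(line):
    """Return (severity, reason) for one constructed 'src method url body' log line,
    or None when the request does not look like this RAT's beacon."""
    src, method, url, body = line.split(" ", 3)
    u = urlsplit(url)
    endpoint = next((p for p in C2_ENDPOINTS if p in u.path), None)
    if endpoint is None:
        return None
    exp_method, exp_params = C2_ENDPOINTS[endpoint]
    if method != exp_method:
        return None
    params = parse_qs(u.query if method == "GET" else body)
    if not exp_params.issubset(params):          # all expected fields present?
        return None
    ident = (params.get("hwid") or params.get("uuid") or [""])[0]
    if u.hostname in C2_DOMAINS:
        return ("high", f"{src} -> known CNC {u.hostname}{endpoint}")
    if HWID_RE.match(ident):                      # same protocol, unknown/rotated domain
        return ("medium", f"{src} -> {endpoint} with RAT-style hwid {ident}")
    return None


def scan(lines):
    return [hit for hit in map(classify, lines) if hit]


SAMPLE_LOG = [  # constructed lines: "src method url body" ("-" = no body)
    "10.0.0.5 GET http://rpc2.gdn/start/includes/tasks.php?hwid=71D7D653-460A-8BE7-264F6AF5 -",
    "10.0.0.5 POST http://rpc2.gdn/start/inc.php/start/inc.php uuid=71D7D653-460A-8BE7-264F6AF5&tv_id=000000000&tv_pass=xxxx&winver=Windows+7&username=user&webcam=Yes&mic=off",
    "10.0.0.9 GET http://203.0.113.10/start/includes/tasks.php?hwid=49C78CBD-165E-D0CF-474D92B -",
    "10.0.0.9 GET http://example.com/start/includes/tasks.php?hwid=42 -",
    "10.0.0.3 GET http://example.com/index.php -",
]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_LOG):
        print(severity, reason)
```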

Notes

The TeamViewer part and the overall architecture of the code are the same, but the "in the wild" version looks like an updated, lighter version.
This is a very basic malware, but it works and it's very easy to use.

The Readme.md of the GitHub version mentions a forum post, http://ander-pub.cc/forum/threads/isxodniki-skrytogo-teamviewer.73/, that is currently down. If someone here has more information about this forum, I'm very curious :)

Victims overview

In this campaign, the crooks are targeting small companies in different countries (CN, AU, US, RU...).
I found call centers, accounting firms, etc.
Example of a call center:


I don't think victims are targeted by country but rather by business type or "money capacity".

Conclusion

I don't know if it's a fork or a copypasta, but I'm curious to know the story behind this malware and this campaign.


Unpacked code, few victims, screencasting: all of this reminds me of a targeted attack more than typical mass cybercrime.

Yara rules


Happy Hunting !