Came across this family via this tweet.
This malware arrives as a single .rar file downloaded from a remote resource, geofenced to MX IP addresses, which contains a .CMD file with the payload embedded inside it. In essence it targets Outlook passwords stored in the registry and Chrome databases.
Analysis
Once the .cmd file runs, it calls the following commands in sequence:
more +5 C:\Users\user\Desktop\FichaReembolso.cmd
certutil -decode -f ~~ "C:\Users\user\AppData\Roaming\jkjlhkj\exe\v3.3.14.5_20180315\RINDI%xxxxx%.exe
cmdline: certutil -decode -f C:\Users\user\Desktop\FichaReembolso.cmd "C:\Users\user\AppData\Roaming\jkjlhkj\a3x\X2NI\FichaReembolso.a3x"
wmic process call create '"C:\Users\user\AppData\Roaming\jkjlhkj\exe\v3.3.14.5_20180315\RINDI%xxxxx%.exe
It uses the more command to check that the file does indeed exist and then proceeds to decode the payload contained within the CMD file. This payload contains an AutoIt binary as well as a compiled AutoIt3 script that executes the payload. The following structure is created:
The folder A3X/X2NI contains the compiled AutoIt script, which once decompiled allows us to continue extracting data. The decompiled AutoIt3 script contains auxiliary functions to download files and checks whether all the required files are present. It needs the SQLite3 DLLs to query the browser's database files and checks the history via this query:
In these samples the banks targeted are all from MX, as expected given the geofencing restriction:
enlaceapp.santander.com.mx
see.sbi.com.mx/invernet2000
enlace.santander.com.mx
security.online-banking.hsbc.com.mx
bbvanetcash
scotiaweb.scotiabank.com.mx
empresas.bbvanet.com.mx
If any of the URLs is present in the database, the collected data (OS language, keyboard layout, ISADMIN, architecture) is posted to the remote server and taskkill is used to kill the chrome.exe process. It uses the user-agent Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5).
It does not only target Chrome: it also tries to steal stored Outlook POP3/SMTP/IMAP credentials found on the target machine by extracting them from the registry. Auxiliary functions allow the script to decode the stored data and unprotect it using Windows APIs (CryptUnprotectData).
The script makes use of binaries already present on the system to gather all the required information; it takes advantage of WMIC to identify the infected operating system. Additionally, it has an auxiliary function to check whether it is Windows 7:
Only after it has finished its tasks does it show a MessageBox saying there was an error during execution, and it then attempts to run a VBS file. I suspect the VBS file is some sort of cleanup file OR the next stage, but I was not able to get it during my analysis. (If you came across it, please let me know.)
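The three-step staging described at the start of the analysis (more +N on the .cmd, certutil -decode of that same .cmd into AppData\Roaming, then wmic process call create on the dropped executable) is a useful detection chain on its own. The following is an added example, not code from the post or from the malware: it runs over constructed process-creation command lines (folder names and the RINDI suffix are made up to resemble the ones above) and only raises an alert when the .cmd read by more is the same file certutil decodes and WMIC then launches something from AppData\Roaming.

```python
import re

# Constructed process-creation command lines modelled on the sequence reported above.
# Folder names and the RINDI suffix are illustrative, not captured from a real host.
SAMPLE_EVENTS = [
    r"more +5 C:\Users\user\Desktop\FichaReembolso.cmd",
    r'certutil -decode -f C:\Users\user\Desktop\FichaReembolso.cmd "C:\Users\user\AppData\Roaming\jkjlhkj\a3x\X2NI\FichaReembolso.a3x"',
    r'wmic process call create "C:\Users\user\AppData\Roaming\jkjlhkj\exe\v3.3.14.5_20180315\RINDI12345.exe"',
    r"notepad.exe C:\Users\user\Desktop\notes.txt",                 # unrelated, must not fire
    r"certutil -hashfile C:\Windows\System32\kernel32.dll SHA256",   # benign certutil use, must not fire
]

# Stage 1: `more +N <file>.cmd`, the batch file reading past its own header lines.
MORE_RX = re.compile(r'^\s*more(?:\.exe)?\s+\+\d+\s+"?(?P<src>[^"]+\.cmd)"?\s*$', re.I)
# Stage 2: certutil -decode taking a .cmd as input and writing the output under AppData\Roaming.
CERTUTIL_RX = re.compile(
    r'^\s*certutil(?:\.exe)?\s+-decode\s+(?:-f\s+)?"?(?P<src>[^"\s]+\.cmd)"?\s+"?(?P<dst>[^"]*AppData\\Roaming[^"]*)"?',
    re.I,
)
# Stage 3: WMIC spawning an executable that lives under AppData\Roaming.
WMIC_RX = re.compile(r'^\s*wmic(?:\.exe)?\s+process\s+call\s+create\s+.*AppData\\Roaming\\[^"]+\.exe', re.I)

STAGES = (("more_skip_cmd", MORE_RX), ("certutil_decode_cmd", CERTUTIL_RX), ("wmic_spawn_roaming", WMIC_RX))


def classify(cmdline):
    """Return the stage name a single command line matches, or None if it matches no stage."""
    for name, rx in STAGES:
        if rx.search(cmdline):
            return name
    return None


def find_dropper_chain(events):
    """Correlate stages across events: the .cmd read by `more` must be the one certutil decodes,
    and WMIC must then launch from AppData/Roaming, before the chain is reported as an alert."""
    more_srcs, decoded, stages = set(), [], set()
    for cmd in events:
        stage = classify(cmd)
        if stage:
            stages.add(stage)
        m = MORE_RX.search(cmd)
        if m:
            more_srcs.add(m.group("src").lower())
        m = CERTUTIL_RX.search(cmd)
        if m:
            decoded.append((m.group("src").lower(), m.group("dst")))
    linked = [dst for src, dst in decoded if src in more_srcs]   # decode outputs tied to a `more` read
    return {"stages": stages, "linked_outputs": linked,
            "alert": bool(linked) and "wmic_spawn_roaming" in stages}
```

Feeding real Sysmon event 1 or EDR command-line fields into find_dropper_chain is enough to use it as-is; a lone certutil -decode into AppData is worth a lower-severity hit on its own.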
VT Collection
https://www.virustotal.com/gui/collection/ee82e5de022753696c4508aa5ca2b37f90ed2fe77de462a351021588abaed625/graph
IOCs