
First look into new malware attacking Vietnam’s infrastructure provider

In July, one of the large service providers in Vietnam (name withheld for privacy reasons) was attacked, with serious consequences. During the incident we found a very new malware sample, which we selected for analysis; this report is published to make the community aware of it.

We found another malware sample stored in the directory C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ under the suspicious name VNA.exe.


VNA.exe

The primary function of VNA.exe is to initialize the environment and install the malware's files onto the system.

Anti-debug, Anti-VM, Anti-AV

  • The malware uses a decryption routine to keep important strings out of sight of detection; each encrypted byte sequence is decoded only when the program needs it.
  • Checks the running processes for any of the following names:
    • DF5Serv.exe (Deep Freeze)
    • VBoxService.exe (VirtualBox Service)
    • shieldclnt.exe (Shield ClientService)
    • DefenderDaemon.exe (Shadow Defender)
    • censtat.exe (Censtat)
  • Reads the value “0” under SYSTEM\ControlSet001\Services\Disk\Enum and checks whether it contains any of the strings “VMWARE”, “VBOX”, “VIRTUAL” or “DiskQEMU”.
  • Checks whether a particular module DLL is loaded.
  • Checks whether Process Monitor is running.
    => If any of these conditions is true, the malicious code drops a 64 KB file named xxx.tmp (xxx is a random name) that has a PE file header but whose content is random data generated from the current time. After creating the file, the program exits.

Header of the dropped file

Content is a random value.

VNA.exe drops the following files:

  1. %AppData%\ZTEEVDO\addressb.conf, whose value is an integer (the default value is 5).
  2. C:\WINDOWS\system32\NVNetworkServiceAPI.acm.
  3. %AppData%\Microsoft\Windows\oobe\licensingdiag.exe.
  4. C:\Program Files\Common Files\Intel Corporation\PSI\Windows.UI.Search.pri and ras.pri, with identical content.
  5. If run without a parameter, the malware creates the file C:\WINDOWS\Sun\lost.dat, whose value is the current system time (the time the malware was installed). It then creates an encoded file C:\WINDOWS\Media Player Classic\play.mpc whose original content is “jPIPNlz5sAhQ3r + L8G211w ==”.
  6. If run with a parameter, the malware creates %AppData%\Media Player Classic\playlist.mpcpl with the same content as play.mpc, and %AppData%\Sun\Java\secure.dat with the same content as lost.dat.

VNA installation overview

LicensingDiag.exe

  • Drops two files, AuthBroker.cfg and AuthBroker.crc, with the default values 0x16A43 and 0x16A4F.
  • Decrypts AuthBroker.dll in memory by XORing it with 0x7C.
  • When run without a parameter, the malicious code uses rundll32.exe to run AuthBroker.dll with the parameters shown in the original screenshot.
  • In the other case, when launched by VNA.exe, licensingdiag.exe is called with the parameter “:: S”, so AuthBroker.dll runs with the parameter shown in the original screenshot.

AuthBroker.dll

  • Anti-Disassembly:

The malicious code allocates a new memory region, copies every DWORD of the encoded code into it, subtracts 0x10000000 from each value, and then jumps into that region to execute the decoded instructions. Because the bytes on disk are not valid code until this subtraction has been applied, a disassembler sees only garbage until the region is decoded.
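As an added illustration (not code from the original report or from the sample), the following Python helper applies the same DWORD-wise subtraction to a byte blob so that the hidden code can be recovered statically rather than by running the sample. It also shows how the constant can be recovered when the first bytes of the decoded code are known; the known plaintext used here is an assumed x86 function prologue, and the encoded stub is constructed for the example.

```python
import struct

# Constant the report says AuthBroker.dll subtracts from every DWORD before jumping to the result.
DELTA = 0x10000000
MASK32 = 0xFFFFFFFF


def decode_dwords(blob: bytes, delta: int = DELTA) -> bytes:
    """Subtract `delta` (mod 2**32) from each little-endian DWORD of `blob`.

    This reproduces the transform described above so the real code can be
    recovered in a static analysis session instead of by executing the sample.
    A trailing partial DWORD (fewer than 4 bytes) is copied through unchanged.
    """
    n = len(blob) // 4
    words = struct.unpack("<%dI" % n, blob[: n * 4])
    decoded = struct.pack("<%dI" % n, *[(w - delta) & MASK32 for w in words])
    return decoded + blob[n * 4:]


def encode_dwords(blob: bytes, delta: int = DELTA) -> bytes:
    """Inverse of decode_dwords; used here only to build a constructed test input."""
    return decode_dwords(blob, (-delta) & MASK32)


def recover_delta(encoded: bytes, known_plaintext: bytes) -> int:
    """Recover the per-DWORD constant from one known plaintext DWORD.

    Analysts often know what the first decoded bytes must be (for example the
    `push ebp; mov ebp, esp` prologue 55 8B EC). Given at least 4 bytes of
    known plaintext aligned at the start of the region, the constant is simply
    the difference of the first DWORDs.
    """
    if len(encoded) < 4 or len(known_plaintext) < 4:
        raise ValueError("need at least one full DWORD of data and plaintext")
    (enc_word,) = struct.unpack("<I", encoded[:4])
    (plain_word,) = struct.unpack("<I", known_plaintext[:4])
    return (enc_word - plain_word) & MASK32


# Constructed stand-in for a decoded code region (assumption, not bytes from the sample):
# an x86 prologue followed by `sub esp, 0x10`, `ret` and a NOP pad (55 8B EC 83 EC 10 C3 90).
PLAIN_STUB = bytes.fromhex("558bec83ec10c390")
ENCODED_STUB = encode_dwords(PLAIN_STUB)

if __name__ == "__main__":
    print("encoded:", ENCODED_STUB.hex())
    print("decoded:", decode_dwords(ENCODED_STUB).hex())
    print("recovered delta: 0x%08X" % recover_delta(ENCODED_STUB, b"\x55\x8b\xec\x83"))
```

In practice the encoded region is carved out of the DLL at the offset the disassembler shows being copied, and `recover_delta` is only needed when a variant changes the constant.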

  • Anti-Antivirus:
    Checks the running processes for any of the following names:

    • Vp.exe (Kaspersky)
    • VGIDSAgent.exe (AVG)
  • Activities:
    The function AuthBrokerCreateClientContext takes a parameter of the form “::X\Path_to_licensingdiag.exe”, where X selects one of the following cases:

    • X = I: loads the DLL Transcode_003.dat and calls its function GetResourceString.
    • X = S: loads the DLL NVNetworkServiceAPI.acm and calls its function GetResourceString.
    • X = R: loads the DLL ras.pri into the memory space of explorer.exe.

Loading the DLL into the memory space of explorer.exe:

  • The malware finds the process ID of explorer.exe and creates three memory regions in it with read, write and execute permission:

    Memory regions with read, write and execute permission

  • The first memory region holds a short sequence of instructions (shown in the original screenshot).
  • The second memory region stores the full path of ras.pri.
  • The third memory region stores a pointer to the second region (the full path of ras.pri) and the address of the LoadLibrary function in Kernel32.dll.
  • The ESP and EIP of the main thread of explorer.exe are changed so that the thread executes the instructions above, which load the DLL ras.pri.
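The sequence above (remote RWX allocations, remote writes, then a rewrite of the main thread's context) is exactly the kind of pattern a sandbox or EDR API trace can be matched against. As an added example, not code from the report, the following Python detector walks a constructed sandbox-style API trace and flags an injector that allocates executable memory in another process, writes to it and then calls SetThreadContext on it. The trace records, process IDs and the field names are assumptions made for the example.

```python
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory-protection constant for RWX pages

# Constructed sandbox-style API trace (illustrative; not captured from the report's sample).
# Each record: which process called which API against which target process.
TRACE = [
    {"api": "OpenProcess",        "pid": 4120, "target": 1684},
    {"api": "VirtualAllocEx",     "pid": 4120, "target": 1684, "protect": 0x40},
    {"api": "WriteProcessMemory", "pid": 4120, "target": 1684},  # stub instructions
    {"api": "VirtualAllocEx",     "pid": 4120, "target": 1684, "protect": 0x40},
    {"api": "WriteProcessMemory", "pid": 4120, "target": 1684},  # DLL path string
    {"api": "VirtualAllocEx",     "pid": 4120, "target": 1684, "protect": 0x40},
    {"api": "WriteProcessMemory", "pid": 4120, "target": 1684},  # pointer + LoadLibrary address
    {"api": "GetThreadContext",   "pid": 4120, "target": 1684},
    {"api": "SetThreadContext",   "pid": 4120, "target": 1684},
    # A debugger writing into its debuggee: no RWX allocation, no context rewrite
    {"api": "WriteProcessMemory", "pid": 2200, "target": 2212},
    # A benign in-process RWX allocation (JIT-style) without remote writes or thread tampering
    {"api": "VirtualAllocEx",     "pid": 3300, "target": 3300, "protect": 0x40},
]


def detect_thread_hijack_injection(trace):
    """Return findings of (injector_pid, target_pid, detail) for the pattern
    RWX remote allocation -> remote write -> SetThreadContext on the same target.

    Order matters: writes only count once an RWX region exists in the target,
    and a context rewrite only counts after something has been written.
    Self-targeted calls (pid == target) are ignored because in-process RWX
    allocations are common in legitimate JIT engines.
    """
    state = defaultdict(lambda: {"rwx_allocs": 0, "writes": 0, "context_set": False})
    for ev in trace:
        if ev["pid"] == ev["target"]:
            continue
        s = state[(ev["pid"], ev["target"])]
        if ev["api"] == "VirtualAllocEx" and ev.get("protect") == PAGE_EXECUTE_READWRITE:
            s["rwx_allocs"] += 1
        elif ev["api"] == "WriteProcessMemory" and s["rwx_allocs"]:
            s["writes"] += 1
        elif ev["api"] == "SetThreadContext" and s["writes"]:
            s["context_set"] = True

    findings = []
    for (pid, target), s in sorted(state.items()):
        if s["rwx_allocs"] and s["writes"] and s["context_set"]:
            detail = "%d RWX remote allocation(s), %d remote write(s), thread context rewritten" % (
                s["rwx_allocs"], s["writes"])
            findings.append((pid, target, detail))
    return findings


if __name__ == "__main__":
    for pid, target, detail in detect_thread_hijack_injection(TRACE):
        print("pid %d -> pid %d: %s" % (pid, target, detail))
```

The rule is deliberately strict about ordering so that a debugger's WriteProcessMemory or a JIT's own RWX allocation does not trigger it; a variant that uses CreateRemoteThread instead of SetThreadContext would need a second terminal condition.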

NVNetworkServiceAPI.acm

  • Function GetResourceString:
    • Reads the “netsvcs” value under SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, which lists the names of the services loaded by the svchost.exe netsvcs group, and appends a new service name, “Nwsapagent”.
    • Creates a new service named “Nwsapagent” with the description “NVIDIA Monitor Service” and the image path %SystemRoot%\System32\svchost.exe -k netsvcs.
    • Adds a new value “ServiceDll” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nwsapagent\Parameters whose data is the path of the DLL itself.
      => The malware is started automatically whenever Windows boots, and svchost.exe calls its ServiceMain function.
  • Function ServiceMain:
    • Finds the process explorer.exe and loads the DLL Windows.UI.Search.pri into it in the same way as described above.
    • Continuously checks that the module remains loaded.
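Because the persistence lives entirely in two registry locations (the netsvcs group list and the new service's ServiceDll), an audit can be run against a registry snapshot without touching the infected host. The following Python script is an added example, not the report's or the sample's code: it walks a constructed snapshot of the netsvcs group and the service parameters, and flags members that are missing from a baseline allow-list, whose ServiceDll does not have a .dll extension (the report's sample points it at an .acm file), or whose ServiceDll lives outside System32. The baseline set, the snapshot layout and the extra “FakeUpdater” entry are assumptions made for the example.

```python
import ntpath

# Assumed netsvcs allow-list for the audited host. In practice, build it from a
# known-clean baseline of the same Windows build rather than hard-coding it.
BASELINE_NETSVCS = {"Schedule", "lanmanserver", "Browser", "Themes", "wuauserv"}

# Constructed registry snapshot (illustrative; not an export from the infected host).
# "netsvcs" mirrors the Svchost\netsvcs value; "services" mirrors each service's
# ImagePath and Parameters\ServiceDll.
SVCHOST = r"%SystemRoot%\System32\svchost.exe -k netsvcs"
REGISTRY = {
    "netsvcs": ["Schedule", "lanmanserver", "Browser", "Themes", "wuauserv",
                "Nwsapagent", "FakeUpdater"],
    "services": {
        "Schedule":     {"ImagePath": SVCHOST, "ServiceDll": r"%SystemRoot%\System32\schedsvc.dll"},
        "lanmanserver": {"ImagePath": SVCHOST, "ServiceDll": r"%SystemRoot%\System32\srvsvc.dll"},
        "Browser":      {"ImagePath": SVCHOST, "ServiceDll": r"%SystemRoot%\System32\browser.dll"},
        "Themes":       {"ImagePath": SVCHOST, "ServiceDll": r"%SystemRoot%\System32\themeservice.dll"},
        "wuauserv":     {"ImagePath": SVCHOST, "ServiceDll": r"%SystemRoot%\System32\wuaueng.dll"},
        # The entry the report describes: svchost-hosted, DLL path with an .acm extension.
        "Nwsapagent":   {"ImagePath": SVCHOST, "DisplayName": "NVIDIA Monitor Service",
                         "ServiceDll": r"C:\WINDOWS\system32\NVNetworkServiceAPI.acm"},
        # Constructed extra case: a .dll, but outside System32.
        "FakeUpdater":  {"ImagePath": SVCHOST, "ServiceDll": r"C:\Users\Public\upd.dll"},
    },
}


def _normalise_dir(path):
    """Lower-case the directory part of a Windows path and expand %SystemRoot%."""
    folder = ntpath.dirname(path).lower()
    return folder.replace("%systemroot%", r"c:\windows")


def audit_netsvcs(registry, baseline=BASELINE_NETSVCS):
    """Return {service_name: [reasons]} for suspicious members of the netsvcs group."""
    findings = {}
    for name in registry["netsvcs"]:
        reasons = []
        if name not in baseline:
            reasons.append("not in netsvcs baseline")
        svc = registry["services"].get(name)
        if svc is None:
            reasons.append("listed in netsvcs but has no Services key")
        else:
            dll = svc.get("ServiceDll", "")
            if not dll:
                reasons.append("no ServiceDll configured")
            else:
                ext = ntpath.splitext(dll)[1].lower()
                if ext != ".dll":
                    reasons.append("ServiceDll has non-DLL extension %s" % ext)
                if not _normalise_dir(dll).startswith(r"c:\windows\system32"):
                    reasons.append("ServiceDll outside System32: %s" % dll)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_netsvcs(REGISTRY).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a live system the same checks apply to the output of `reg export` for the Svchost key and the Services tree; the extension and directory checks catch this sample, and the baseline comparison catches variants that pick a more convincing file name.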

Windows.UI.Search.pri (ras.pri)

  • Creates a thread that continuously checks whether any network-monitoring process is running:
    • wireshark.exe (Wireshark)
    • smsniff.exe (SmartSniff)
    • etherD.exe (EtherDetect)
    • Tcpview.exe (TCPView)
  • Reads the contents of addressb.conf to set the interval between requests to the server (the default is 5 minutes).
  • Decrypts the domain strings:
    • cdn.verfolder.net
    • drama.mine.nu
    • text.fsx3dmar.com
    • tt0078748.from-de.com
    • raid.preminds.info
  • Encrypts and sends to the server some information about the victim’s computer:

    Clear text information


    After encryption
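The fixed domain list and the 5-minute default interval from addressb.conf give defenders two things to look for in DNS logs: the names themselves and a regular query cadence from the same host. As an added example (not part of the original report), the Python below matches constructed DNS log lines against the report's domains and then checks whether the queries from one host to one domain arrive at roughly the configured interval. The log format (“timestamp host query name”), the host names and the timestamps are constructed for the example; a real deployment would adapt `parse_line` to the resolver's log format.

```python
from datetime import datetime

# Domains the implant decrypts, as listed in the report.
IOC_DOMAINS = {
    "cdn.verfolder.net",
    "drama.mine.nu",
    "text.fsx3dmar.com",
    "tt0078748.from-de.com",
    "raid.preminds.info",
}
DEFAULT_INTERVAL = 5 * 60  # addressb.conf default: 5 minutes between requests

# Constructed DNS log lines in a simple "timestamp host query name" layout (illustrative).
SAMPLE_LOG = """\
2016-08-08T10:00:00 ws-17 query cdn.verfolder.net
2016-08-08T10:02:13 ws-17 query www.example.com
2016-08-08T10:05:00 ws-17 query cdn.verfolder.net
2016-08-08T10:07:40 ws-22 query drama.mine.nu
2016-08-08T10:10:01 ws-17 query cdn.verfolder.net
2016-08-08T10:15:00 ws-17 query cdn.verfolder.net
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, host, queried name)."""
    ts, host, _, name = line.split()
    return datetime.fromisoformat(ts), host, name.lower().rstrip(".")


def ioc_hits(log_text, iocs=IOC_DOMAINS):
    """Return [(timestamp, host, domain)] for every query of an IOC domain."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, name = parse_line(line)
        if name in iocs:
            hits.append((ts, host, name))
    return hits


def beacon_intervals(hits):
    """Group hits by (host, domain) and return the gaps between consecutive queries in seconds."""
    by_key = {}
    for ts, host, name in sorted(hits):
        by_key.setdefault((host, name), []).append(ts)
    return {key: [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
            for key, times in by_key.items()}


def is_regular(intervals, expected=DEFAULT_INTERVAL, tolerance=10, min_count=2):
    """True when there are enough gaps and every gap is within `tolerance` seconds of `expected`."""
    return len(intervals) >= min_count and all(abs(i - expected) <= tolerance for i in intervals)


def find_beacons(log_text, expected=DEFAULT_INTERVAL):
    """Return the (host, domain) pairs whose IOC queries arrive at a regular cadence."""
    return [key for key, gaps in beacon_intervals(ioc_hits(log_text)).items()
            if is_regular(gaps, expected)]


if __name__ == "__main__":
    for ts, host, name in ioc_hits(SAMPLE_LOG):
        print("IOC hit:", ts.isoformat(), host, name)
    for host, name in find_beacons(SAMPLE_LOG):
        print("regular beacon:", host, "->", name)
```

A single lookup of one of these names is already worth an alert; the cadence check mainly helps when the operator has changed the interval in addressb.conf, in which case `expected` should be swept over a few plausible values rather than fixed at 300 seconds.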

Some of the data exchanged between client and server has not been analyzed because the C&C server is no longer online. We will continue to update this analysis in the near future.

APPENDIX A – DOMAINS

In the course of analysis and follow-up, we found that the domains originally resolved to the IP address 37.46.114.125.

Later, the domains resolved to the IP address 194.187.249.80.

APPENDIX B – FILES

MD5                               Size (bytes)   Detection ratio (date)
8014C13AD413AAFB4B5C439209D5CC03  605184         05/53 (8/8/2016)
A389F047D49D977AA5BC5F6639B1A1DD  319488         12/56 (15/8/2016)
313ECD4CCB848271151DBFA1C3B09B4B  151552         00/56 (24/8/2016)
C9DCD1CF445480310F0A342D3B4FF76B  283648         13/53 (8/8/2016)
7604EECF48037EA808E83013C3787E44  88064          00/56 (22/8/2016)
64C906E643EA116F710B9780277BBF43  148992         11/55 (8/8/2016)

 
