2016-05-12 Locky

Attachments:
Photo 05-12-2016, 56 65 32.zip (md5: 16d828986e5bb9b454d225ce95de5e49)
Photo 05-12-2016, 06 12 35.js (md5: d97fc6f8cc7ce4943f5dd33b50e1bd6f)
Photo 05-12-2016, 35 06 37.zip (md5: 8aace677570b5140c9789a70407892ff)
Photo 05-12-2016, 35 06 37.js (md5: 46fd748dbbd80059b9e60e735cfe29f1)
Photo 05-12-2016, 10 11 47.zip (md5: 0813eef8fe2d1043585ee1da261c62c3)
Photo 05-12-2016, 10 11 47.js (md5: 432e401b205f29dcc1c787a1574c08e1)

Payload:
md5: b6ab1e3d440f8975d5eaef1505f60345
hxxp://canadamalpractice[.]com/8977g78bi (dropped-as: "%TEMP%\lTsrBCmoGiQ.exe")
hxxp://leoskov[.]dk/8977g78bi (dropped-as: "%TEMP%\nrgyOX.exe")
hxxp://mosaicmutts[.]com/8977g78bi (dropped-as: "%TEMP\yKUYtVS.exe")

Extended List of Payload URLs (ref: https://myonlinesecurity.co.uk/spam-malware-emailing-photo-05-11-2016-82-95-82-delivers-locky/)
hxxp://16industries[.]com/8977g78bi
hxxp://hila.co[.]kr/8977g78bi
hxxp://majaz.co.uk/8977g78bi
hxxp://www.johnlodgearchitects[.]com/8977g78bi
hxxp://cdgame.kgb[.]pl/8977g78bi
hxxp://www.komplettraeder-24[.]de/8977g78bi
hxxp://jkol.za[.]pl/8977g78bi
hxxp://www.cdc-ccd[.]org/8977g78bi
hxxp://ilabell.za[.]pl/8977g78bi

Other Network Activity:
http-post
hxxp://185.82.202[.]170/userinfo.php
hxxp://5.34.183[.]40/userinfo.php

References:
https://myonlinesecurity.co.uk/spam-malware-emailing-photo-05-11-2016-82-95-82-delivers-locky/
https://www.virustotal.com/en/file/49396fee2162109ef10866c8927359b5847dc47d4f70fdc5bf1f4d6caf8e58e5/analysis/
https://www.virustotal.com/en/file/5b9d5034db65fbdf3bcf3c49e4acf17df18f50a70344bae75a3d142d12c1f3f5/analysis/
https://www.virustotal.com/en/file/6af7c33385ba10e2452a51f13e9229ddfbb680a1656982705c0dc8b6c30afbcb/analysis/
https://www.virustotal.com/en/file/9d019fa03ecea2ea9b9569a35b90933b551e00087730e2100cb91ddb051a515c/analysis/

Hello Locky:

Security Bytes 0x1335433 [Open Source Digest]

Forensics
> Carving for Cookies: Supersize your Internet History Timeline using Google Analytic Artifacts

• [2013-12-30] http://az4n6.blogspot.sg/2013/12/carving-for-cookies-supersize-your.html?m=1 

Malware/APT
> Sandworm APT exploits, BlackEnergy malware

• [2014-11-04] http://www.scmagazine.com/experts-share-new-insight-on-sandworm-apt-exploits-blackenergy-malware/article/381378/
• [2014-11-03] http://securelist.com/blog/research/67353/be2-custom-plugins-router-abuse-and-target-profiles/

> Spin.com site sent visitors to Rig exploit kit to infect them with a range of malware including Infostealer.Dyranges and Trojan.Zbot.

• [2014-11-04] http://www.symantec.com/connect/blogs/spincom-visitors-served-malware-instead-music
• [2014-11-04] http://www.scmagazine.com/the-popular-music-news-site-redirected-visitors-to-the-rig-exploit-kit/article/381364/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineHome+(SC+Magazine)

> ROM – A New Version of the Backoff PoS Malware

• [2014-11-05] http://www.net-security.org/malware_news.php?id=2906&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+HelpNetSecurity+(Help+Net+Security)
• [2014-11-03] http://blog.fortinet.com/post/rom-a-new-version-of-the-backoff-pos-malware

> Apple iWorm Malware

• [2014-11-05] http://www.macworld.co.uk/news/mac-software/apple-security-checks-may-miss-iworm-malware-3584239/
• [2014-10-31] https://www.virusbtn.com/virusbulletin/archive/2014/10/vb201410-iWorm
• [2014-09-29] http://news.drweb.com/show/?i=5977&lng=en

> Dridex Banking Trojan

• [2014-11-06] http://www.spamfighter.com/News-19279-Cybercriminals-Changed-Tactics-and-Started-Using-Dridex-to-Steal-Banking-Credentials.htm
• [2014-11-05] http://blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/
• [2014-10-24] http://researchcenter.paloaltonetworks.com/2014/10/dridex-banking-trojan-distributed-word-documents/
• [2014-08-03] http://stopmalvertising.com/malware-reports/analysis-of-dridex-cridex-feodo-bugat.html
• [2014] https://feodotracker.abuse.ch/?filter=version_d

> Dyre/Dyreza packaged with PDF exploits (namely CVE-2013-2729)

• [2014-11-06] http://www.spamfighter.com/News-19280-DHS-Warns-Dyre-Being-Used-to-Rob-Banking-Credentials.htm
• [2014-11-06] http://mdaily.bhaskar.com/news/4444/top-news/GAD-dyreza-trojan-email-attachmnet-zip-pdf-ppt-warning-cert-4798124-NOR.html?referrer_url=http://feedly.com/index.html

> Rovnix Malware

• [2014-10-10] http://www.infosecurity-magazine.com/news/rovnix-malware-reloads/
• [2014-10-09] https://www.csis.dk/en/csis/news/4472/
• [2012-02-22] http://www.welivesecurity.com/2012/02/22/rovnix-reloaded-new-step-of-evolution/

> WireLurker Apple iDevice Malware

• [2014-11-06] http://www.forbes.com/sites/thomasbrewster/2014/11/06/china-wirelurker-ios-malware/
• [?] https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

Exploits/Vulnerabilities
> FreeBSD Vulnerability (CVE-2014-8517)

• [2014-11-05] http://malwarelist.net/2014/11/05/remote-command-execution-in-freebsd/
• [2014-11-05] https://lists.freebsd.org/pipermail/freebsd-announce/2014-November/001601.html

> "Rootpipe" Privilege Escalation Vulnerability in Mac OSX Yosemite

• [2014-11-04] http://iphone.appleinsider.com/articles/14/11/04/truesec-outlines-rootpipe-privilege-escalation-vulnerability-in-mac-os-x-yosemite

> CVE-2014-0569 Analysis (seen to be integrated into the Fiesta EK)

• [2014-11-05] http://blogs.technet.com/b/mmpc/archive/2014/11/05/cracking-the-cve-2014-0569-nutshell.aspx

> CVE-2014-1772 Analysis (IE Use-After-Free Vulnerability)

• [2014-11-05] http://blog.trendmicro.com/trendlabs-security-intelligence/root-cause-analysis-of-cve-2014-1772-an-internet-explorer-use-after-free-vulnerability/

> CVE-2014-4113 Analysis (Windows Kernel Mode Vulnerability, AKA Sandworm Vulnerability)

• [2014-10-19] http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/

> CVE-2014-4115 Analysis (Malicious USB Disks Allow for Possible Whole System Control)

• [2014-10-31] http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2014-4115-analysis-malicious-usb-disks-allow-for-possible-whole-system-control/

Phishing
> Operation Huyao

• [2014-11-06] http://blog.trendmicro.com/trendlabs-security-intelligence/whos-behind-operation-huyao/

• [2014-11-05] http://blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/

RIG Exploit Kit Malware Triage

Hashes:
250819688dc109a79a4de24eeabbb3de (Dropper) [24 / 55] as of 2014-09-12 07:49:15 UTC
bc183d917bc4dcffa954adb437bdcb96 (Backdoor) [2 / 53] as of 2014-09-09 23:33:47 UTC

VirusTotal:
https://www.virustotal.com/en/file/689fb4c908b29aa44859bfc8eef9f6b345ac5601d1046b4f26a5bfb5ff343ecd/analysis/ 

https://www.virustotal.com/en/file/bb58953495d1e4c0791b73abd59930c6240036d152d93c1c5dab3ebce84e50d1/analysis/

Introduction:
This post details a triage of a malware sample retrieved from 2014-09-09 - RIG EK FROM 178.132.204.97 - SDFI.APARTMENTPERCH.COM. The initial sample executed after exploitation is 250819688dc109a79a4de24eeabbb3de.

Creation & Deletion of *.tmp Files:
The startup routine of the Dropper includes the creation and deletion of *.tmp files in the "%TEMP%" folder path. The naming convention of the files are ns[random alphabet][random digit].tmp.
Examples include:

• %TEMP%\nsx6.tmp
• %TEMP%\nsr7.tmp

Creation of Staging Folder:
The Dropper

• Creates the folder "%APPDATA%\NVIDIA Corporation\Updates\". The naming convention is made to look legitimate by likely mimicking a NVIDIA software update folder.

Dropping of Persistent Backdoor:
The Dropper

• Creates the Backdoor "%APPDATA%\NVIDIA Corporation\Updates\nvid_upd.exe" (md5: bc183d917bc4dcffa954adb437bdcb96).
• Creates the registry key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NvUpdSrv" for persistence. The persistence key points to the file path of the earlier created Backdoor.
• Creates a new process from the Backdoor (using CreateProcessA) .
• Deletes itself (using DeleteFileA).

Backdoor Callback:
The Backdoor

• Initiates a TCP handshake with the IP address "80.91.80.158"
• If the TCP handshake is successful, the Backdoor sends an additional ACK, with additional data appended to the network traffic:

Notice the additional TCP ACK has an additional 178 bytes of data.

Hex view of the additional bytes appended to the additional TCP ACK.

• After the initial callback is sent, the backdoor remains dormant until commands are sent to it.

Breakdown of the additional appended Data: 

• GET /stat?uid=100&downlink=1111&uplink=1111&id=01F7906A&statpass=bpass&version=11140907&features=30&guid=0969e6cd-f722-4f9f-a6e4-35128ffe7946&comment=11140907&p=0&s= HTTP/1.0