Friday, October 19, 2012

FedEx Malware Overnight

** Updated with new IP/URL at bottom **


This post started off as a look back on one of my first deep dives into understanding some malware that came across my desk at work. I had planned to do a brief overview of what I found and what I learned. Needless to say, it has been 2 months since this happened; I haven't been able to delve in as quickly as I wanted to, but I keep going back and learning more things about this.

So this post will become multiple posts as I walk through the steps taken, the tools used and what I learned. Hopefully it will allow me to make sure I understand what I have done, and I can help someone else learn the steps needed to resolve this. This first post will provide the background of the infection and what was discovered. While I do not have the memory from the original machine and I have not yet been able to reproduce everything, I still find this an interesting case.

So here we go.

Background:

One Monday in August I came into the office and noticed a few alerts that had fired for a virus called FakeAVLock. Looking at the first alert, I noticed that it had fired on two different files on the same machine. The file names were:
1. sxhhmslg.exe
2. Label_Copy_FedEx.exe (was contained in Label_Copy_Fedex.zip)
The interesting thing about these alerts was that the first one was a Real Time scan and the other was a Scheduled Scan. After contacting the user I was able to get access to the machine, and the questions started coming as I looked at it.

My first step was to run a modified version of TriageIR. As that was running I navigated to the user's Temporary Internet Files folder, where both binaries were found, and noticed that Label_Copy_FedEx.Zip had a create-date timestamp 4.5 hours BEFORE the initial alert on fqucxldq.exe. I also noticed a few files with 8-random-character names that had been created about every 4 hours. This was a remote machine, I was unable to pull a memory image from it, and analysis was painful.

At this point this infection started to get interesting:
1. AV vendor claimed it cleaned up the infection in the Real Time Scan
2. Real Time Scan was 4.5 hours AFTER the initial infection
3. Real Time Scan alert time was 4 hours AFTER the user had left the office
4. No symptoms related to FakeAVLock were found on the machine
   1. No registry settings
   2. No scheduled tasks
5. Machine was still calling home every 4 hours after being "Cleaned"
Who said Monday isn't a fun day?

Once I determined that the machine was infected, I submitted a query to our network logs to find out whether any other machines had downloaded the file, and another to see this machine's traffic over the weekend. The initial logs I got back from the user query showed a very noisy calling-home pattern. I decided to open it up in Mandiant's Highlighter to do some analysis. In the initial analysis I noticed that we had over 2500 connections to 91.217.162.127, almost 800 of which were from the machine I had initially started to analyze.
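The two questions the log query answered above, how many connections each destination drew and which hosts were calling 91.217.162.127 on a fixed schedule, can be scripted. The following is an added example written for this post, not the author's tooling or Highlighter; the proxy log lines are constructed (timestamp, source host, destination IP, request path), the host names WKS-0412, WKS-0101 and WKS-0077 are made up, and 203.0.113.10 is a documentation address standing in for ordinary browsing. The same `regular_interval` check works on the create times of the 8-random-character files in the Temporary Internet Files folder, which is why a constructed list of those is included too.

```python
"""Hunt for calling-home (beacon) traffic in proxy logs.

Added example, not the post's own tooling. The log lines below are
constructed: timestamp, source host, destination IP, request path. Real
proxy logs carry more fields, so adapt LINE_RE to your own format.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample. WKS-0412 contacts 91.217.162.127 (the IP from the post)
# about every 4 hours; WKS-0101 fetched the dropper but did not keep beaconing;
# WKS-0077 is ordinary browsing to a documentation address. The last line is
# deliberately malformed to show that the parser skips rather than crashes.
SAMPLE_LOG = """\
2012-08-11 18:02:11 WKS-0412 91.217.162.127 /get/3b0c6a8305cc89cf77f3c9616a569e78.exe
2012-08-11 22:03:40 WKS-0412 91.217.162.127 /sb.dll.crp
2012-08-12 02:01:05 WKS-0412 91.217.162.127 /p3.dll.crp
2012-08-12 06:02:57 WKS-0412 91.217.162.127 /sb.dll.crp
2012-08-12 10:02:12 WKS-0412 91.217.162.127 /sb.dll.crp
2012-08-11 09:15:00 WKS-0077 203.0.113.10 /index.html
2012-08-11 09:16:30 WKS-0077 203.0.113.10 /news
2012-08-11 19:44:10 WKS-0101 91.217.162.127 /get/3b0c6a8305cc89cf77f3c9616a569e78.exe
2012-08-11 20:10:00 WKS-0101 91.217.162.127 /sb.dll.crp
this line is malformed and must be skipped
"""

# Constructed create times of the random-named files found in the temp folder.
TEMP_FILE_CTIMES = [datetime.strptime(s, "%Y-%m-%d %H:%M:%S") for s in (
    "2012-08-11 14:00:08", "2012-08-11 18:01:30",
    "2012-08-11 22:00:44", "2012-08-12 02:01:15")]

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def parse_log(text):
    """Return a list of (timestamp, src_host, dst_ip, path); bad lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def count_by_destination(events):
    """Connections per destination IP: the 'over 2500 to one IP' view."""
    return Counter(dst for _, _, dst, _ in events)


def sources_for(events, dst_ip):
    """Connections per source host for one destination: who is talking to it."""
    return Counter(src for _, src, dst, _ in events if dst == dst_ip)


def regular_interval(stamps, min_hits=4, jitter=timedelta(minutes=10)):
    """Return the median gap between timestamps if every gap lies within
    `jitter` of that median (a periodic pattern), otherwise None. Works on
    any timestamps: proxy hits, or create times of files in a temp folder."""
    if len(stamps) < min_hits:
        return None
    stamps = sorted(stamps)
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    median = sorted(gaps)[len(gaps) // 2]
    if all(abs(g - median) <= jitter for g in gaps):
        return median
    return None


def find_beacons(events, dst_ip, min_hits=4, jitter=timedelta(minutes=10)):
    """Map source host -> beacon period for hosts contacting dst_ip on a schedule."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in events:
        if dst == dst_ip:
            by_src[src].append(ts)
    beacons = {}
    for src, stamps in by_src.items():
        period = regular_interval(stamps, min_hits, jitter)
        if period is not None:
            beacons[src] = period
    return beacons


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for dst, n in count_by_destination(ev).most_common():
        print(f"{dst:16} {n} connections")
    for src, period in find_beacons(ev, "91.217.162.127").items():
        print(f"{src} beacons to 91.217.162.127 every ~{period}")
    print("temp-folder files created every ~", regular_interval(TEMP_FILE_CTIMES))
```

The median-plus-jitter test is used instead of a mean because a single late or missed check-in would otherwise pull the average and hide a clean 4-hour pattern; widen `jitter` or lower `min_hits` when the log covers only a short window, and tighten them when hunting across a large fleet to keep false positives down.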

With this information I sent another query to find out what the other machines that were connecting had visited, whether we had any virus alerts for them, and what other information had been shared with these users. Looking at the pattern and the name of the file, I found the following email that had been received by all of these users. We also received a UPS phish a week later with the same behavior.


Depending on the user who received this email, clicking on "Print a Shipping Label" would redirect you to one of these domains:

  • hxxp://www.masrecargaenlineacolombia.com/Label_Copy_Fedex.zip 
  • hxxp://www.sentrysystems.co.uk/Label_Copy_Fedex.zip 
  • hxxp://treebuu.com/Label_Copy_Fedex.zip 
  • hxxp://petitemer.com/Label_Copy_Fedex.zip 
  • hxxp://www.babyboomerconnections.com.au/Label_Copy_Fedex.zip 
  • hxxp://2013kentuckyderbytickets.com/Label_Copy_Fedex.zip
  • hxxp://fitinyourjeanscuisine.com/Label_Copy_Fedex.zip 
  • hxxp://synergicconsulting.com/Label_Copy_Fedex.zip
  • hxxp://www.apolarisa.gr/Label_Copy_Fedex.zip
  • hxxp://cambal.net/Label_Copy_Fedex.zip
  • hxxp://www.hotelbergama.com/Label_Copy_Fedex.zip
  • hxxp://resetonline.com/Label_Copy_Fedex.zip 
  • hxxp://qt-research.com/Label_Copy_Fedex.zip
  • hxxp://www.nilosasia.com/Label_Copy_Fedex.zip
  • hxxp://www.trevorfire.org/Label_Copy_Fedex.zip 
  • hxxp://serainsaat.com.tr/Label_Copy_Fedex.zip 
  • hxxp://boxerdelnettuno.it/Label_Copy_Fedex.zip
From what we had seen, once you extracted Label_Copy_Fedex.Exe and ran the binary it would appear not to do anything, as it reached out to one of the following sites and downloaded the FakeAV software.


hXXp://91.217.162.127//get/3b0c6a8305cc89cf77f3c9616a569e78.exe
hXXp://77.81.225.253:84//get/3b0c6a8305cc89cf77f3c9616a569e78.exe
hXXp://183.83.228.156:84//get/3b0c6a8305cc89cf77f3c9616a569e78.exe
hXXp://173.23.131.12//get/3b0c6a8305cc89cf77f3c9616a569e78.exe
hXXp://209.87.230.83:84//get/3b0c6a8305cc89cf77f3c9616a569e78.exe
hXXp://95.131.66.34:84//get/3b0c6a8305cc89cf77f3c9616a569e78.exe
hXXp://24.79.200.234//get/3b0c6a8305cc89cf77f3c9616a569e78.exe

After the machine became infected with the Fake AV software it started calling back to these IPs. It also attempted to download two files from 91.217.162.127 called sb.dll.crp and p3.dll.crp.

hxxp://125.214.75.185/b6377f4aF71C537719566C61CBA309A4F507D38BEF4C51EDC92B54125F54F3C712F1B49AE87E2243ED0FB907   
hxxp://190.12.134.226/b6377f4aF71C537719566C61CBA309A4F507D38BEF4C51EDC92B54125F54F3C712F1B49AE87E2243ED0FB907   
hxxp://200.46.60.61/b6377f4aF71C537719566C61CBA309A4F507D38BEF4C51EDC92B54125F54F3C712F1B49AE87E2243ED0FB907   
hxxp://209.87.230.83/b6377f4aF71C537719566C61CBA309A4F507D38BEF4C51EDC92B54125F54F3C712F1B49AE87E2243ED0FB907   
hxxp://62.75.163.172/b6377f4aF71C537719566C61CBA309A4F507D38BEF4C51EDC92B54125F54F3C712F1B49AE87E2243ED0FB907   
hxxp://68.0.148.151/b6377f4aF71C537719566C61CBA309A4F507D38BEF4C51EDC92B54125F54F3C712F1B49AE87E2243ED0FB907   
hxxp://72.55.174.23/b6377f4aF71C537719566C61CBA309A4F507D38BEF4C51EDC92B54125F54F3C712F1B49AE87E2243ED0FB907   
hxxp://74.2.199.169/b6377f4aF71C537719566C61CBA309A4F507D38BEF4C51EDC92B54125F54F3C712F1B49AE87E2243ED0FB907   
hxxp://74.208.73.243/b6377f4aF71C537719566C61CBA309A4F507D38BEF4C51EDC92B54125F54F3C712F1B49AE87E2243ED0FB907   
hxxp://85.197.78.132/b6377f4aF71C537719566C61CBA309A4F507D38BEF4C51EDC92B54125F54F3C712F1B49AE87E2243ED0FB907   
hxxp://91.217.162.127/b6377f4aF71C537719566C61CBA309A4F507D38BEF4C51EDC92B54125F54F3C712F1B49AE87E2243ED0FB907   
hxxp://96.22.19.143/b6377f4aF71C537719566C61CBA309A4F507D38BEF4C51EDC92B54125F54F3C712F1B49AE87E2243ED0FB907



Infection Fun Times

Based on what we knew at the time, we initiated our mitigation response. I continued to be puzzled with the fact that the initial machine kept calling home after it was supposed to be clean. So I went back to analyzing and trying to understand what I was seeing. 

By this time I had spent a couple of hours analyzing the registry with RegRipper, the scheduled tasks and the created files, trying to build out a timeline. I looked for the "known" indicators for this virus on the machine and came up empty. I still could not find what was calling home. Reaching out to the Twitter community for assistance, I was pointed to TCPView and Process Explorer.

With the help from Twitter and those tools I was able to determine that my evil process was a hijacked SVCHOST.EXE (PID 3708); it was maintaining a connection to the proxies and to 91.217.162.127. All other infections of this malware were "cleaned" except for the calling-home method. If the machine had been rebooted I would never have seen this…
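What TCPView showed here, an established connection tied back to its owning process, can also be pulled from the built-in `netstat -ano` and `tasklist` commands and checked against a list of known-bad addresses, which is useful on a remote box where a GUI tool is awkward. The script below is an added example, not the author's procedure; the two command-output samples are constructed to mimic the real `netstat -ano` and `tasklist` formats (PID 3708 and 91.217.162.127 are taken from the post, the other rows, 93.184.216.34 as a benign browsing destination, and `run_live()` are assumptions), and it flags connections to listed IoC IPs plus any svchost.exe holding an external connection, since that is exactly what the "cleaned" machine was still doing.

```python
"""Map live network connections to owning processes from netstat/tasklist
output and flag the ones worth a look.

Added example, not the post's tooling. NETSTAT_SAMPLE and TASKLIST_SAMPLE are
constructed to mimic `netstat -ano` and `tasklist` output on Windows; on a live
host, run_live() collects the real output instead.
"""
import ipaddress
import re
import subprocess

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.15:49211        91.217.162.127:80      ESTABLISHED     3708
  TCP    10.0.0.15:49300        10.0.0.5:445           ESTABLISHED     4
  TCP    10.0.0.15:49402        93.184.216.34:443      ESTABLISHED     2216
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  UDP    0.0.0.0:500            *:*                                    1204
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
System                           4 Services                   0        300 K
svchost.exe                    812 Services                   0      8,012 K
svchost.exe                   3708 Services                   0     12,340 K
iexplore.exe                  2216 Console                    1     61,004 K
"""

# Image name (may contain spaces), PID, session name, session number, memory.
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+[\d,]+ K$")


def parse_tasklist(text):
    """Return {pid: image name}; header and separator lines do not match."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line.strip())
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids


def parse_netstat(text):
    """Return a list of (proto, local, foreign, state, pid) tuples."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) == 5 else ""   # UDP rows carry no state
        conns.append((proto, local, foreign, state, int(parts[-1])))
    return conns


def foreign_ip(addr):
    """Strip the port (and IPv6 brackets) from a netstat address; None for '*:*'."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def suspicious_connections(netstat_text, tasklist_text, ioc_ips=frozenset()):
    """Flag established connections to known-bad IPs (any process) and any
    svchost.exe talking to a non-private address (worth a look even without
    an IoC match, because that is how the post's hijacked svchost surfaced)."""
    names = parse_tasklist(tasklist_text)
    iocs = {ipaddress.ip_address(ip) for ip in ioc_ips}
    flagged = []
    for proto, local, foreign, state, pid in parse_netstat(netstat_text):
        ip = foreign_ip(foreign)
        # Skip listeners, UDP rows without state, and RFC1918/loopback peers.
        if ip is None or state != "ESTABLISHED" or not ip.is_global:
            continue
        name = names.get(pid, "<unknown>")
        if ip in iocs:
            reason = "known C2 address"
        elif name.lower() == "svchost.exe":
            reason = "svchost.exe with external connection"
        else:
            continue
        flagged.append({"pid": pid, "process": name, "remote": foreign, "reason": reason})
    return flagged


def run_live(ioc_ips=frozenset()):
    """Windows only: collect real netstat/tasklist output and run the check."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tl = subprocess.run(["tasklist"], capture_output=True, text=True).stdout
    return suspicious_connections(ns, tl, ioc_ips)


if __name__ == "__main__":
    for hit in suspicious_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE, {"91.217.162.127"}):
        print(hit)
```

On the sample, PID 3708 is reported because its peer is on the IoC list; with an empty list it is still reported, only with the weaker "svchost.exe with external connection" reason, while the browser's connection and the SMB session to 10.0.0.5 are left alone. A healthy svchost.exe does talk to Windows Update and similar services, so that second class of hit is a lead to confirm (for example by checking which service group the PID hosts with `tasklist /svc`), not a verdict.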


What's next?

In order to understand this a little better I have kept a copy of this malware, and I have been analyzing it as I can. This is a nice piece of ransomware. In the next few posts I will show what I have done with the malware and the tools I have used.

And a few other tools that I might come across that look promising. By doing this I hope it will allow me to increase my skill set by working on a binary whose behavior I am "knowledgeable" in.




*** Updated Domain Lists ***
Came across the following IPs and Domains from a similar UPS Phish:



190.12.32.12
184.154.20.226
50.22.136.150  <- appears to be primary site
46.105.112.99
173.224.211.194
78.46.31.53
217.160.236.108
188.212.156.180
188.165.212.160
202.169.224.202
178.77.103.54
213.175.218.180
64.151.87.152
79.170.89.209
188.40.141.4
91.205.63.194
219.99.160.150
88.84.137.174
210.48.154.254
222.255.237.132
213.175.218.181
209.160.32.158

These are dropping a Zip with the following executable in them.
VirusTotal Results | Anubis
hXXp://www.eternalflower.com.ec/KKYJCYJMWS.jpg
hXXp://www.eternalflower.com.ec/IPFPYZPUPI.html
hXXp://www.eternalflower.com.ec/Copy_of_UPS_Label.zip

hXXp://www.lacasettadipaolo.eu/Copy_of_UPS_Label.zip 
hXXp://organizacoeslimger.com.br/Copy_of_UPS_Label.zip