Wednesday, July 3, 2013

Exploring the Darkleech Rabbit Hole - Part 3

Last week, we left off right after my VM was hijacked by a lovely piece of FakeAV malware - this is a very generic malware that effectively stops the victim from doing anything on their system under the guise of their programs being "infected". The ultimate goal of this malware is to fool the victim into purchasing a fake antivirus program in hopes of clearing up the supposed infection. In actuality, the fake AV is the infection, as opposed to the other "infections" it reports.

So, let's get to it, shall we?

6.exe FakeAV Analysis



To summarize from the last post, here's some basic info about the sample I'm working with:

File Hash: F604DAF8E12EFAE8302F0ECC2BEDC5CA

 Prior to executing the malware, I started up Desktops from Sysinternals, since I know the malware is designed to hijack the desktop (and other functionality). This should allow me to retain some functionality after the malware starts it's hijack routine. 

Upon launching the malware, like last time, nothing visible happens (at least not immediately). Procmon confirms that there are lot of changes to the Windows Registry prior to the actual hijacking. There are simply too many of these changes to list, but they're all related to disabling any built-in firewall/AV protection on the host. Here's a snapshot of some of the changes happening in procmon: 


You'll notice that most of the changes happen under the following Registry keys:

HKLM\Software\Wow6432Node\Microsoft\Security Center\

There are a few other outliers, but for the most part that's where the changes take place. This goes on for approximately 4 minutes before we see the first sign of infection:


The Windows Security Center service being disabled matches up with the Registry changes we saw moments prior. The process continues and we see another warning within another minute or two:


At this point we still have full control over the host, but that doesn't last long... moments later we get this lovely window that pops up right in the middle of the screen:


This is the first time the user is required to interact with something generated by the malware. It doesn't take long after clicking OK or Cancel on this window before the whole system is hijacked by what we saw at the end of Part 2 of this post. As a quick reminder, here's what the next screen looks like:


This particular malware isn't very resilient, but it DOES do a great job of protecting itself from any sort of modification. One thing I found very interesting is that this malware seems to be VM-aware, as evidenced by it disabling my virtualbox service. Here's the warning that reflects this change (this happened right before the above window pops up):


At this point, the system has been fully hijacked. Remember earlier when I started Sysinternals Desktops in an attempt to retain control over my VM? Well, this malware doesn't seem to care, because it killed Desktops and left me with nothing to switch to. At this point I'm back where I left off at the end of Part 2. So let's talk a little more about what we do know about the malware. 

I had wireshark running on my other VM the whole time this was running and didn't notice a whole lot that was unusual. There was one single UDP request that didn't look right: a DNS query for 109.206.174.48. 

After looking this up, this is definitely not something normal, here's some info on it:

IP Address: 109.206.174.48
Country of origin: Amsterdam, EU
Registrant: Serverel Corp.

A quick search on urlquery reveals that this is the same IP I noted at the end of Part 2. This is the IP that the FakeAV reaches out to when the user attempts to register or "purchase" the AV software. UrlQuery results are here: http://urlquery.net/report.php?id=3339733
That URL is the same one I noted in Part 1: 

  • hxxp://109.206.174.48/payform2/?&lid=3070033&affid=03600&nid=B6E71275&group=sca

So, what else? At this point, I can't do anything useful with my VM, so I reboot in safe mode to look around, where I was able to discover its persistence method. As mentioned in my last post, the malware creates some new files under the ProgramData directory, seen here:


The .exe file is simply a renamed copy of the original exe. The hash matches as well. The .ico file is just that - an icon. The icon is used by the desktop shortcut that is created (System Care Antivirus.lnk). As for persistence, the malware creates an entry under the following registry key:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • C:\ProgramData\B6EF0443E25512750000B6EE4D5C18F9\B6EF0443E25512750000B6EE4D5C18F9.exe

Unfortunately there's not a lot else to say about this malware. It's really quite good at serving its purpose in hijacking the OS and is the first VM-aware malware I've seen. I suspect we'll only see more and more VM-aware malware in the future, which is bad news for us. But thankfully, everything that can be done, can be undone.

Getting rid of this malware is really quite easy. Note: These filenames are randomized, but they always follow a similar format and should be easy to recognize.
  1. Boot into Safe Mode.
  2. Delete the following registry key:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
      • C:\ProgramData\B6EF0443E25512750000B6EE4D5C18F9\B6EF0443E25512750000B6EE4D5C18F9.exe
  3. Delete the following files:
    • C:\ProgramData\B6EF0443E25512750000B6EE4D5C18F9\B6EF0443E25512750000B6EE4D5C18F9.exe
    • C:\ProgramData\B6EF0443E25512750000B6EE4D5C18F9\B6EF0443E25512750000B6EE4D5C18F9.ico
That's it. Pretty simple. I may try to find some more time to do some static analysis of this particular malware and see if I can gain some measure of control over it, but we'll see. 

Thanks for reading - hope you enjoyed it!

-SM

No comments:

Post a Comment