There's been a recent campaign of "Payment Advice" themed emails which fit under these 419 variations. I had a chance to dive a bit deeper and realized that the attachment they sent seemed to be a commodity-based DarkComet RAT (Remote Access Tool) which currently is not in VirusTotal. (PM me off list for samples and MD5s.) An older variation and sample can be found here:
https://www.virustotal.com/en/file/c8c69009509dd5665e3913e164f95ccccf0c818c4c832c06755f4849e54a5fa1/analysis/
Getting right into it, let's just pretend you received an email with a body message something like this:
"... Good day, If you are the owner of this email address and contact above, I wish to inform you that the sum of $45,000,000.00 USD was deposited in our bank...
If you are a true relation to the depositor please download payment advice report on attachment..."
Oh happy day, $45 million in my bank account?! I can't wait!... I'm sure all of you look at file metadata up close before you execute things, so here you go.
File: MalwareFile.exe
Size: 942592
MD5: [redacted]
Verified: Unsigned
Link date: 5:22 PM 6/19/1992
Compiled: Fri, Jun 19 1992, 22:22:17 - 32 Bit EXE
File Modification Date/Time: 2014:01:13 11:44:18-05:00
File Access Date/Time: 2014:01:13 15:09:05-05:00
File Creation Date/Time: 2014:01:13 15:09:05-05:00
File Permissions: rw-rw-rw-
File Type: Win32 EXE
MIME Type: application/octet-stream
Machine Type: Intel 386 or later, and compatibles
Time Stamp: 1992:06:19 18:22:17-04:00
PE Type: PE32
Linker Version: 2.25
Code Size: 819200
Initialized Data Size: 126976
Uninitialized Data Size: 2965504
Entry Point: 0x39c060
OS Version: 4.0
Image Version: 0.0
Subsystem Version: 4.0
Pay close attention to that compile time. A timestamp of Fri, Jun 19 1992, 22:22:17 (0x2A425E19 in the PE header) does not mean the binary was built in 1992: it is the fixed value the Borland Delphi linker writes into every executable it produces, and the Linker Version of 2.25 points the same way. Both are consistent with DarkComet, which is written in Delphi. More generally the compile timestamp is just a header field that an author can set to anything, so treat it as a fingerprint of the toolchain rather than as a date.
Now for the juicy part. Watching both host-based and network-based behavior, I ran this on a fully patched Windows 7 virtual machine with admin privileges. I won't go into debugging in this post, but it was pretty straightforward.
After detonation this malware drops its payload directly into:
C:\Users\~\Documents\MSDCSC\msdcsc.exe
MD5: [redacted]
Size: 942592
Compiled: Fri, Jun 19 1992, 22:22:17 - 32 Bit EXE
The identical size and compile time show the dropped file is a straight copy of the attachment. msdcsc.exe then launches notepad.exe as a child process and runs its own code inside it in memory, so the RAT's activity shows up under a legitimately named process with msdcsc.exe as the parent; that notepad.exe is a hollowed host, not the real editor.
Keep in mind MSDCSC is a common path used by DarkComet and most likely the default path in the builder.
This malware then establishes its persistence mechanism here (the \REGISTRY\USER\<SID> prefix is how a kernel-level monitor shows HKEY_CURRENT_USER; the Run value is named MicroUpdate):
\REGISTRY\USER\S-1-5-21-2410237121-4616876-267966928-1001\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate
Why is this all important? Well, I'm glad you asked. This is where the malicious remote access tool installs and persists itself on your machine, and the dropped file path and the Run value above are exactly the artifacts that, depending on the detection capabilities you have in your enterprise environment, modern access protection will track and detect on. For bonus points you can try to pull the configuration from memory, since most of it is present once the binary is unpacked, but I'll try to keep this as simple as possible given the audience most likely reading this.
After installation the malware will "phone home". In DarkComet's terminology the implant is the "server", and in this particular case it initiates an outbound TCP connection to the IP/domain and port chosen in the builder. The traffic is encrypted with RC4-256, which is fairly common for commodity-based malware, but when no active command and control traffic occurs the connection is kept open with a series of TCP segments [PSH, ACK] whose payload is the word "KeepAlive" (no space) followed by a string of 7 digits. That string is visible in the clear, which makes it a convenient network signature.
All command and control traffic is encrypted with a form of this RC4-256 algorithm, and the key depends on which version of the malware you received. The default encryption keys are as follows:
Version 4 Key: #KCMDDC4#-890
Version 3 Key: #KCMDDC2#-890
If a security password is provided during the server build stage, the password is appended to the default key. For example, for version 4 with the default password (0123456789) enabled, the encryption key becomes #KCMDDC4#-8900123456789.
A decoded packet capture looks like the following (for those who care, the location of the encryption key is held in the EAX register at offset [Imagebase + 00003104]):
Client Says: IDTYPE
Server Says: SERVER
Client Says: GetSIN192.168.93.130|120826718
Server Says: infoesGuest16|192.168.93.130 / [192.168.93.130] : 1604|XP-CLIENT / Administrator|120826718|0s|Windows XP Service Pack 2 [2600] 32 bit ( C:\ )|x||US|Program Manager|b4c7d186b435fc77626a5ae904879815|275.65 MB/511.48 MB [235.84 MB Free]|English (United States) US / -- |9/22/2011 at 2:58:57 PM
As you can see, once the traffic is decrypted your computer's information is being passed back to the configured command and control server, where the adversary is most likely logging it. From here on out your machine is compromised and at the mercy of the operator who sent it. For a full list of commands and functionality the DarkComet RAT offers, see here:
http://contextis.com/research/blog/malware-analysis-dark-comet-rat/
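To make the key scheme and the decoded exchange above concrete, here is an added Python example; it is not code from the original post and not DarkComet's own code. It implements plain RC4 (the cipher the post calls RC4-256), derives the key from the version default plus the optional build-time password exactly as described above, sorts captured payloads into cleartext KeepAlive probes and encrypted C2 messages, and splits the "infoes" reply into its pipe-separated fields. Two things are assumptions beyond the post: that the encrypted data travels on the wire as uppercase hex, and the names I give the 14 infoes fields. The sample payloads are constructed from the exchange shown above, and the RC4 routine is checked against the public "Key"/"Plaintext" test vector.

```python
import binascii
import re

# Default RC4 keys quoted in the post; the builder's password, if set, is appended.
DEFAULT_KEYS = {3: "#KCMDDC2#-890", 4: "#KCMDDC4#-890"}

# KeepAlive probes: the literal word followed by seven digits, sent in the clear.
KEEPALIVE_RE = re.compile(rb"^KeepAlive(\d{7})$")

# Labels for the 14 pipe-separated fields of an "infoes" reply. These names are
# my own (an assumption), inferred from the sample reply quoted in the post.
INFOES_FIELDS = ["id", "peer", "host_user", "sin", "idle", "os", "flag1", "flag2",
                 "country", "active_window", "hash", "ram", "language", "timestamp"]

# Constructed sample: the infoes reply from the decoded exchange in the post.
SAMPLE_INFOES = ("infoesGuest16|192.168.93.130 / [192.168.93.130] : 1604|XP-CLIENT / "
                 "Administrator|120826718|0s|Windows XP Service Pack 2 [2600] 32 bit "
                 "( C:\\ )|x||US|Program Manager|b4c7d186b435fc77626a5ae904879815|"
                 "275.65 MB/511.48 MB [235.84 MB Free]|English (United States) US / -- |"
                 "9/22/2011 at 2:58:57 PM")


def darkcomet_key(version: int, password: str = "") -> bytes:
    """Default key for the version with the build-time password appended verbatim."""
    if version not in DEFAULT_KEYS:
        raise ValueError(f"no default key known for version {version}")
    return (DEFAULT_KEYS[version] + password).encode("latin-1")


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 with a 256-byte state; encryption and decryption are the same op."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt_message(plain: str, version: int = 4, password: str = "") -> str:
    """RC4 a C2 message and hex-encode it (uppercase hex on the wire is an assumption)."""
    raw = rc4(darkcomet_key(version, password), plain.encode("latin-1"))
    return binascii.hexlify(raw).decode("ascii").upper()


def decrypt_message(hex_payload: str, version: int = 4, password: str = "") -> str:
    """Inverse of encrypt_message; a wrong key yields garbage rather than an error."""
    raw = rc4(darkcomet_key(version, password), binascii.unhexlify(hex_payload))
    return raw.decode("latin-1")


def classify_payload(raw: bytes, version: int = 4, password: str = "") -> tuple:
    """Sort one TCP payload: ('keepalive', digits), ('c2', plaintext) or ('unknown', raw)."""
    match = KEEPALIVE_RE.match(raw)
    if match:
        return ("keepalive", match.group(1).decode("ascii"))
    try:
        return ("c2", decrypt_message(raw.decode("ascii"), version, password))
    except (UnicodeDecodeError, binascii.Error, ValueError):
        return ("unknown", raw)


def parse_infoes(plain: str) -> dict:
    """Split an infoes reply into named fields (labels are mine, see INFOES_FIELDS)."""
    if not plain.startswith("infoes"):
        raise ValueError("not an infoes reply")
    fields = plain[len("infoes"):].split("|")
    if len(fields) != len(INFOES_FIELDS):
        raise ValueError(f"expected {len(INFOES_FIELDS)} fields, got {len(fields)}")
    return dict(zip(INFOES_FIELDS, fields))


def decode_session(payloads, version: int = 4, password: str = "") -> list:
    """Decode a list of captured payloads in order, as a minimal stream decoder."""
    return [classify_payload(p, version, password) for p in payloads]


if __name__ == "__main__":
    # Constructed session: the post's exchange encrypted with the v4 default key,
    # followed by one cleartext KeepAlive probe.
    session = [encrypt_message(m).encode("ascii") for m in
               ("IDTYPE", "SERVER", "GetSIN192.168.93.130|120826718", SAMPLE_INFOES)]
    session.append(b"KeepAlive0123456")
    for kind, value in decode_session(session):
        print(kind, value if kind != "c2" else value[:40])
    print(parse_infoes(SAMPLE_INFOES)["host_user"])
```

When you point this at a real capture, try the version defaults first and then the defaults plus any password recovered from the unpacked configuration; a wrong key does not fail loudly, it just produces bytes that never start with IDTYPE, SERVER, GetSIN or infoes, so checking for those prefixes is the practical way to confirm the key.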
Conclusion:
I can't really say what will happen once the operator is on your machine, as motivations will differ between hackers and countries of origin (the last time I let malware talk out live on a honeypot, my VM was reformatted lol), but from my experience commodity-based malware operators are most interested in monetary gain rather than proprietary intelligence, so remember: don't click on links or open attachments you don't know about, and keep your data safe! Thanks for reading.