Malware microevolution

19 September 2014

Tom Lancaster

Earlier this September, our friends at FireEye blogged[1] about how malware authors often change their tactics in response to the work of those investigating them. However, most of the time, this evolution isn’t a wholesale change as was the case with APT12. Just as in nature, it’s instead often a gradual process where small things change with each new iteration of a specific family.

PwC’s threat intelligence analysts have been following the evolution of a specific family of malware known as ‘Stealer’, which was first discussed by FireEye[2], and later covered by NCC Group[3] as ‘Sayad’. In this post we’ll briefly go through the latest iteration of what we refer to as ‘MSSUp’.

Malware analysis

The sample we’re reviewing was initially compiled on 2014-09-03 and the threat actor had staged it for download from britishislesshoppe[.]com/mail/Anti-vir.rar.

Once the RAR file is unpacked, the contents turn out to be a single file, setup.exe (MD5 c14690b90459744a300a02f45b32168a).

[Screenshot: set-up]
This is a self-extracting CAB archive, which extracts the files MSSUP.exe (MD5 8083ee212588a05d72561eebe83c57bb) and MSSUP.exe.config (MD5 db316f7d3bb961cdd4d89af85f6190ce) to %AppData%\MSI93153, and executes the former of the two.

As with previous versions of this malware, MSSUP.exe is the main dropper and information stealing module, whose first objective is to establish which version of the .NET framework is installed and to extract and drop an additional module compiled for the appropriate version.

As MSSUP.exe is a .NET executable, converting it back to C# for review is pretty straightforward.

[Screenshot: decompiled C# (private static ...)]

One of the first things the dropper does is establish persistence. The SetStartup() function decodes the following Base64 value, which equates to the commonly used persistence key “SOFTWARE\Microsoft\Windows\CurrentVersion\Run”:

[Screenshot: SetStartup() (public static void ...)]

The dropper creates a “BlackBerry” entry under this key and sets its value to its own path.

As the screenshot of Main() then suggests, different files are dropped depending on the outcome of the .NET version comparison, which are extracted from embedded resources UD2 and UD4 respectively.

[Screenshot: Blackberry]

In our case, it dropped MS-SecurityUpdate-93153U.dll (MD5 6518f0d6aaf8e31379331093dd87c081).

The DownloadSqlLite() function in Main() launches the newly dropped dll with the following command line: “rundll32.exe "%APPDATA%\MSI93153\MS-SecurityUpdate-93153U.dll",DownloadSqlite”

As you would expect from the command line argument, MS-SecurityUpdate-93153U.dll then reaches out to grab http://88.150.239.157:80/key/sqlite3.dll, which, at the time of writing, has MD5 529ecf76409537ab5ac140a5e6fec79d.
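The two host-side behaviours described above (the “BlackBerry” Run-key value and rundll32 launching the dropped DLL via DownloadSqlite) are the observables a detection engineer would key on. The following is an added example, not code from the post: it triages constructed endpoint records in an assumed, simplified schema (event, key, name, data, cmdline); the user name and the two benign records are made up.

```python
import re
# Added example, not code from the PwC post: triage constructed endpoint
# telemetry for the two behaviours described above, the "BlackBerry" Run-key
# value and rundll32 launching MS-SecurityUpdate-93153U.dll via DownloadSqlite.
# Record fields (event, key, name, data, cmdline) are an assumed schema.
RUN_KEY = r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\w+)', re.I)
RUN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

EVENTS = [  # constructed sample records, two malicious and two benign
    {"event": "RegistryValueSet", "key": RUN, "name": "BlackBerry",
     "data": r"C:\Users\alice\AppData\Roaming\MSI93153\MSSUP.exe"},
    {"event": "RegistryValueSet", "key": RUN, "name": "OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"event": "ProcessCreate", "cmdline": r'rundll32.exe "C:\Users\alice'
     r'\AppData\Roaming\MSI93153\MS-SecurityUpdate-93153U.dll",DownloadSqlite'},
    {"event": "ProcessCreate",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

def check_run_key(evt):
    """Autostart values written under the Run key."""
    if evt.get("event") != "RegistryValueSet" or not evt["key"].upper().endswith(RUN_KEY):
        return None
    data = evt.get("data", "")
    if evt.get("name") == "BlackBerry" or "MSI93153" in data.upper():
        return ("high", "MSSUp persistence: Run\\%s -> %s" % (evt["name"], data))
    if "\\APPDATA\\" in data.upper():  # user-writable autostart: worth a look
        return ("medium", "Run-key autostart from user profile: %s" % data)
    return None

def check_rundll32(evt):
    """rundll32 launches: split the command line into DLL path and export."""
    m = RUNDLL32_RE.search(evt.get("cmdline", "")) if evt.get("event") == "ProcessCreate" else None
    if not m:
        return None
    dll, export = m.group("dll"), m.group("export")
    if export.lower() == "downloadsqlite" or "MS-SECURITYUPDATE-" in dll.upper():
        return ("high", "MSSUp UploadDownload launch: %s,%s" % (dll, export))
    if "\\APPDATA\\" in dll.upper():
        return ("medium", "rundll32 loading a DLL from the user profile: %s" % dll)
    return None

def triage(events):
    """Apply every check to every record; returns (severity, message) pairs."""
    hits = (check(evt) for evt in events for check in (check_run_key, check_rundll32))
    return [hit for hit in hits if hit]
```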

MS-SecurityUpdate-93153U.dll is another .NET file, referred to as ‘UploadDownload’ by the developers, which explains its sole purpose, and which uses the config file dropped earlier for its settings.

Configuration

The config file contains:

  • .NET compatibility settings (as with previous samples of the malware)
  • MSSUP.Properties.Settings – this key contains details of the HTTP headers that the malware will use for communication
  • AppSettings – this key contains details of how the malware will communicate; these are now named “SQlite URL” and “PostData URL”
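Because UploadDownload reads its endpoints and headers from this config file, the file itself is the quickest source of network indicators. The following is an added example, not code from the post: it parses a constructed app.config laid out like the one described above (runtime compatibility block, MSSUP.Properties.Settings, appSettings). The setting names come from the post and its YARA rule; the URLs and header values are placeholders.

```python
import xml.etree.ElementTree as ET

# Added example, not code from the PwC post. SAMPLE_CONFIG is constructed to
# match the MSSUP.exe.config layout described above; setting names are from
# the post, the URLs (RFC 5737 test range) and values are placeholders.
SAMPLE_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0" />
    <supportedRuntime version="v2.0.50727" />
  </startup>
  <applicationSettings>
    <MSSUP.Properties.Settings>
      <setting name="HTTPHeaderName" serializeAs="String">
        <value>User-Agent</value>
      </setting>
      <setting name="HTTPHeaderType" serializeAs="String">
        <value>Mozilla/4.0 (placeholder UA)</value>
      </setting>
      <setting name="MsupPath" serializeAs="String">
        <value>%APPDATA%\\MSI93153</value>
      </setting>
    </MSSUP.Properties.Settings>
  </applicationSettings>
  <appSettings>
    <add key="SQlite URL" value="http://192.0.2.10:80/key/sqlite3.dll" />
    <add key="PostData URL" value="http://192.0.2.10:80/key/upload.php" />
  </appSettings>
</configuration>
"""

def extract_mssup_config(xml_text):
    """Return (app_settings, properties): appSettings key/value pairs and
    MSSUP.Properties.Settings name/value pairs, as two dicts."""
    root = ET.fromstring(xml_text)
    app_settings = {a.get("key"): a.get("value")
                    for a in root.iter("add") if a.get("key")}
    properties = {}
    for block in root.iter("MSSUP.Properties.Settings"):
        for setting in block.findall("setting"):
            value = setting.find("value")
            properties[setting.get("name")] = value.text if value is not None else ""
    return app_settings, properties

def network_indicators(xml_text):
    """URLs the implant will contact: the DLL download and the upload endpoint."""
    app_settings, _ = extract_mssup_config(xml_text)
    return sorted(v for v in app_settings.values()
                  if v and v.lower().startswith(("http://", "https://")))
```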

Once MSSUP has established persistence, dropped UploadDownload and grabbed sqlite3.dll, it sets about its core task of gathering information, much of which is covered in other articles. Keylogging is one of the key components of MSSUp, and it has an interesting trick of deleting Outlook credentials before killing any process containing ‘Outlook’ in its name, thus forcing users to re-enter their details.

Information collected is encrypted with AES, using the key “BluePillIsRedOrBlack”, before being posted by UploadDownload to the address in the config file.

[Screenshot: data name]

MSSUp also contains two new debug paths (note: although the path contains the string ‘Blackberry’ we do not yet have any samples compatible with BlackBerry devices!).

D:\Programming\CSharp\BlackBerry\UploadDownload\bin\x86\Debug\UploadDownload.pdb

D:\\Programming\\CSharp\\BlackBerry\\UploadDownload\\bin\\x86\\Debug\\UploadDownload.pdb

Given the various permutations of debug paths, the debug messages left in the code, and the minor code tweaks, we assess that this is a malware family which may now have several strands of development, and one which is likely to remain active and evolving for at least the short term.

Coverage in Iranian media

It’s also worth noting that this sample has already been covered in an Iranian technology blog[4]. The blog gives a number of interesting details[5] relating to the delivery of the malware, suggesting that the malware was delivered in an e-mail designed to appear to come from “BBC Persia” and was sent to social activists in Iran. Other details included suggest that, as you might guess from the download URL, the spearphishing e-mail informs users that “political websites are infected with viruses and anti-virus programmers have written a program to solve this problem”.

Insight into other stealer campaigns

In the sample (hash) we analysed, the IP address the malware used for communications with its owner was 88.150.239.157. Pivoting on this yields additional data which hints at the likely targets of ongoing campaigns by the attackers. PassiveTotal shows that earlier this month the IP address began to host the domain ‘support-paypal.com’:

[Screenshot: PassiveTotal activity]

The domain looks like the kind typically used in financially motivated attacks. Checking the registration details for the domain shows it was registered recently, using obviously false credentials:

[Screenshot: whois record]

The e-mail address ‘reynadia.mcphee@gmail.com’ is also associated with several other domains. The domains, and the entities they resemble, are given in the table below:

| Attacker's domain | Similar to | Description |
|---|---|---|
| ratsaa.org | Unknown | Unknown |
| support-paypal.com | support.paypal.com | PayPal, Western payments processor |
| partotarvij.org | PARTO | Iranian nuclear power plant supplier |
| khokidschool.org | khorshidschool.org | Iranian school for women |
| 6ranq.org | 6rang.org | Iranian Lesbian & Transgender Network |
| lranhrdc.org | iranhrdc.org (note the i->l) | Iran Human Rights Documentation Center (based in the US) |
| adpdiqital.com | adpdigital.com | Tech company in Iran |
| socialitecenter.com | Unknown | Unknown |

Several of the domains touch on sensitive issues in Iran at the moment; it’s common for attackers to register domains which appear similar to domains that the target would normally visit. With this information, and using the details present in the Iranian technology blog cited earlier, we can comfortably suggest that the attackers are still focusing their effort on targeting Iranian dissidents and social activists.
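The look-alike registrations in the table (a single-character edit, or an i->l / g->q swap) are the kind of thing a defender can score automatically against the hosts their users actually visit. The following is an added example, not code from the post: it combines plain edit distance with a small homoglyph map and runs it over the table's domains. The legitimate hosts are taken from the “Similar to” column; iranhrdc.org is the i->l target the table's note refers to.

```python
# Added example, not code from the PwC post: score the attacker's domains from
# the table above against the legitimate hosts they imitate. Levenshtein
# distance catches one-character edits; HOMOGLYPHS catches the i->l and g->q
# swaps seen here. The legitimate list is taken from the table's second column.
HOMOGLYPHS = {"l": "i", "1": "i", "q": "g", "0": "o", "rn": "m", "vv": "w"}

LEGIT_HOSTS = ["support.paypal.com", "khorshidschool.org", "6rang.org",
               "iranhrdc.org", "adpdigital.com"]

ATTACKER_DOMAINS = ["ratsaa.org", "support-paypal.com", "partotarvij.org",
                    "khokidschool.org", "6ranq.org", "lranhrdc.org",
                    "adpdiqital.com", "socialitecenter.com"]

def levenshtein(a, b):
    """Classic edit distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold_homoglyphs(host):
    """Map look-alike characters onto the letters they imitate."""
    for src, dst in HOMOGLYPHS.items():
        host = host.replace(src, dst)
    return host

def closest_legit(domain, legit=LEGIT_HOSTS, max_distance=2):
    """Return (legit_host, distance, homoglyph_match) for the nearest
    legitimate host within max_distance, or None if nothing is close."""
    best = None
    for host in legit:
        d = levenshtein(domain.lower(), host.lower())
        if d <= max_distance and (best is None or d < best[1]):
            best = (host, d, fold_homoglyphs(domain.lower()) == fold_homoglyphs(host.lower()))
    return best

def lookalike_report(domains, legit=LEGIT_HOSTS):
    """(domain, legit_host, distance, homoglyph_match) for each near miss, in input order."""
    report = []
    for d in domains:
        match = closest_legit(d, legit)
        if match:
            report.append((d,) + match)
    return report
```

Domains with no close legitimate counterpart (ratsaa.org, partotarvij.org, socialitecenter.com, and khokidschool.org at distance 3) are left out of the report; widen max_distance or add PARTO's real host to the legitimate list to catch them.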

Conclusion

Sometimes, when an attacker has their malware analysed in the public domain, they do burn their operations and start again. However, as part of their day-to-day operations we often observe attackers making continuous small changes to their malware. These small changes, whether it’s how a configuration file is loaded or how a DLL import is called, can have a significant impact on whether a signature hits, and often allow malware to go undetected.

The evolution of the Stealer malware in this case has been fairly slow; the final binary still bears a significant resemblance to those used several months ago.

Although the evolutions of the malware in this case are small, the final binary rendered (8083ee212588a05d72561eebe83c57bb) managed to evade file-based detection by every anti-virus provider at the time we first identified it.

IOCs

| IOC type | Description | Value |
|---|---|---|
| MD5 | Initial RAR file | 895d4fafce0a905c4d6cf53e76e40026 |
| MD5 | Dropper | c14690b90459744a300a02f45b32168a |
| MD5 | Dropped file (malware) | 8083ee212588a05d72561eebe83c57bb |
| MD5 | Dropped file (config) | db316f7d3bb961cdd4d89af85f6190ce |
| IPv4 address | C2 address | 88.150.239.157 |
| IPv4 address | Suspected C2 address | 93.120.27.30 |
| Domain | Suspected C2 address | khoshidschool.org |
| Domain | Suspected C2 address | 6ranq.org |
| Domain | Suspected C2 address | socialitecenter.com |
| Domain | Suspected C2 address | adpdiqital.com |
| Domain | Suspected C2 address | ratsaa.org |
| Domain | Suspected C2 address | lranhrdc.org |
| Domain | Suspected C2 address | support-paypal.com |
| Domain | Suspected C2 address | partotravij.org |

YARA rule

rule MSSUP : AST
{
    meta:
        author = "PwC Cyber Threat Operations"
        date = "2014-09-11"
        hash = "8083ee212588a05d72561eebe83c57bb"

    strings:
        // PDB paths left in the dropper and in the UploadDownload module
        $debug1 = "d:\\Programming\\CSharp\\BlackBerry\\BlackBerry\\obj\\Debug\\MSSUP.pdb" nocase
        $debug2 = "D:\\Programming\\CSharp\\BlackBerry\\UploadDownload\\bin\\x86\\Debug\\UploadDownload.pdb" nocase
        // error message left in the code
        $debug3 = "Unexpected error has been occurred in {0}, the process must restart for some reason, if it's first time you see this message restart the {0}, if problem was standing contacts the support team ."
        // assembly metadata
        $fileheader1 = "MSSUP" ascii wide
        $fileheader2 = "1.0.0.0" ascii wide
        $fileheader3 = "2014" ascii wide
        // strings used when loading the config file
        $configload1 = "sqlite3.dll"
        $configload2 = "URLExtractRegex"
        $configload3 = "HTTPHeaderName"
        $configload4 = "HTTPHeaderType"
        $configload5 = "MsupPath"

    condition:
        // 'and' binds tighter than 'or': a small file carrying the header or
        // config strings, or any file carrying one of the debug strings
        (all of ($fileheader*) or 3 of ($configload*)) and filesize < 200KB or any of ($debug*)
}


[3] https://www.nccgroup.com/en/blog/2014/07/a-new-flying-kitten/

[5] In this instance we have used Google Translate rather than a native speaker, and so we apologise if any translation nuances affect the meaning of what we’ve quoted.
