Malware microevolution

19 September 2014


By Tom Lancaster

Earlier this September, our friends at FireEye blogged[1] about how malware authors often change their tactics in response to the work of those investigating them. However, most of the time, this evolution isn’t a wholesale change as was the case with APT12. Just as in nature, it’s instead often a gradual process where small things change with each new iteration of a specific family.

PwC’s threat intelligence analysts have been following the evolution of a specific family of malware known as ‘Stealer’, which was first discussed by FireEye[2], and later covered by NCC Group[3] as ‘Sayad’. In this post we’ll briefly go through the latest iteration of what we refer to as ‘MSSUp’.

Malware analysis

The sample we’re reviewing was initially compiled on 2014-09-03 and the threat actor had staged it for download from britishislesshoppe[.]com/mail/Anti-vir.rar.

Once the RAR file is unpacked, the contents turn out to be a single file, setup.exe, c14690b90459744a300a02f45b32168a.

This is a self-extracting CAB archive, which extracts the files MSSUP.exe 8083ee212588a05d72561eebe83c57bb and MSSUP.exe.config, db316f7d3bb961cdd4d89af85f6190ce, to %AppData%\MSI93153, and executes the former of the two.

As with previous versions of this malware, MSSUP.exe is the main dropper and information stealing module, whose first objective is to establish which version of the .NET framework is installed and to extract and drop an additional module compiled for the appropriate version.

As MSSUP.exe is a .NET executable, converting it back to C# for review is pretty straightforward.
One of the first things the dropper does is establish persistence. The SetStartup() function decodes the following Base64 value, which equates to the commonly used persistence key “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” :


The dropper creates a “BlackBerry” key and sets the value to its own path.

As the screenshot of Main() then suggests, different files are dropped depending on the outcome of the .NET version comparison, which are extracted from embedded resources UD2 and UD4 respectively.


In our case, it dropped 6518f0d6aaf8e31379331093dd87c081 for MS-SecurityUpdate-93153U.dll.

The DownloadSqlLite() function in Main() launches the newly dropped DLL with the following command line: “rundll32.exe "%APPDATA%\MSI93153\MS-SecurityUpdate-93153U.dll",DownloadSqlite”
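The two host artefacts described above (the "BlackBerry" Run-key value pointing at the dropper, and the rundll32 launch of the dropped DLL's DownloadSqlite export) are the kind of thing endpoint telemetry can flag. The following is an added detection example, not code from the original post or from PwC; the event format, user name and the generalised MSI<digits> staging-directory pattern are assumptions for illustration.

```python
import re

# Constructed sample telemetry (not real log lines from the incident), modelled on
# the two behaviours the post describes: the Run-key value named "BlackBerry" that
# points at the dropper, and rundll32 launching the dropped DLL's DownloadSqlite export.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "BlackBerry",
     "data": r"C:\Users\alice\AppData\Roaming\MSI93153\MSSUP.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Roaming\MSI93153\MS-SecurityUpdate-93153U.dll",DownloadSqlite'},
    {"type": "registry_set",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
# The sample stages into %AppData%\MSI93153; the MSI<digits> form is an assumption
# so that a renumbered build of the same dropper is still caught.
STAGING_DIR = re.compile(r"\\AppData\\Roaming\\MSI\d+\\", re.IGNORECASE)
# rundll32 loading a DLL from a user-writable AppData\Roaming path; group 1 is the export.
RUNDLL_APPDATA = re.compile(
    r'rundll32(?:\.exe)?\s+"?[^"]*\\AppData\\Roaming\\[^"]*\.dll"?\s*,\s*(\w+)',
    re.IGNORECASE)

def classify(event):
    """Return the alert names one telemetry event triggers (empty list if none)."""
    hits = []
    if event["type"] == "registry_set" and RUN_KEY.search(event["key"]):
        if event["name"].lower() == "blackberry" or STAGING_DIR.search(event["data"]):
            hits.append("mssup_run_key_persistence")
    elif event["type"] == "process_create" and event["image"].lower().endswith("rundll32.exe"):
        m = RUNDLL_APPDATA.search(event["cmdline"])
        if m:
            hits.append("rundll32_loads_appdata_dll")
            if m.group(1).lower() == "downloadsqlite":
                hits.append("mssup_downloadsqlite_export")
    return hits

def scan(events):
    """Map event index -> alerts, for every event that triggered at least one."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```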

As you would expect from the command line argument, MS-SecurityUpdate-93153U.dll then reaches out to grab sqlite3.dll, which, at the time of writing, is 529ecf76409537ab5ac140a5e6fec79d.

MS-SecurityUpdate-93153U.dll is another .NET file, referred to as ‘UploadDownload’ by the developers, which explains its sole purpose, and which uses the config file dropped earlier for its settings.


The config file contains:

  • .NET compatibility settings (as with previous samples of the malware)
  • MSSUP.Properties.Settings – this key contains details of the HTTP headers that the malware will use for communication
  • AppSettings – this key contains details of how the malware will communicate; these are now named “SQlite URL” and “PostData URL”
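Because UploadDownload reads its targets from this config file, pulling the three sections out of a recovered MSSUP.exe.config is a quick way to obtain the network indicators. The parser below is an added example, not the project's or PwC's code; the sample config is constructed (the header names, runtime versions and URLs are placeholders, not values from the real sample), and only the section and key names come from the post.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for MSSUP.exe.config with the three sections the post lists.
# Header names, runtime versions and URLs are placeholders, not values from the sample.
SAMPLE_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
    <supportedRuntime version="v2.0.50727"/>
  </startup>
  <applicationSettings>
    <MSSUP.Properties.Settings>
      <setting name="UserAgent" serializeAs="String">
        <value>Mozilla/5.0 (placeholder)</value>
      </setting>
      <setting name="ContentType" serializeAs="String">
        <value>application/x-www-form-urlencoded</value>
      </setting>
    </MSSUP.Properties.Settings>
  </applicationSettings>
  <appSettings>
    <add key="SQlite URL" value="http://c2.example.invalid/sqlite3.dll"/>
    <add key="PostData URL" value="http://c2.example.invalid/post.php"/>
  </appSettings>
</configuration>"""

def parse_mssup_config(xml_text):
    """Pull the .NET runtime list, the HTTP header settings and the two C2 URLs
    out of an MSSUP-style app.config. Missing sections yield empty/None values."""
    root = ET.fromstring(xml_text)
    runtimes = [e.get("version") for e in root.iterfind("./startup/supportedRuntime")]
    headers = {}
    # iter(tag) matches the dotted section name exactly, avoiding ElementPath parsing
    for grp in root.iter("MSSUP.Properties.Settings"):
        for s in grp.findall("setting"):
            v = s.find("value")
            headers[s.get("name")] = v.text if v is not None else None
    app = {a.get("key"): a.get("value") for a in root.iterfind("./appSettings/add")}
    return {
        "runtimes": runtimes,
        "headers": headers,
        "sqlite_url": app.get("SQlite URL"),
        "postdata_url": app.get("PostData URL"),
    }

def extract_iocs(xml_text):
    """Return just the network indicators a defender would block or hunt for."""
    cfg = parse_mssup_config(xml_text)
    return sorted(u for u in (cfg["sqlite_url"], cfg["postdata_url"]) if u)
```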

Once MSSUP has established persistence, dropped UploadDownload and grabbed sqlite3.dll, it sets about its core task of gathering information, much of which is covered in other articles. Keylogging is one of the key components of MSSUp, and it has an interesting trick of deleting Outlook credentials before killing any process containing ‘Outlook’ in its name, thus forcing users to re-enter their details.

Information collected is encrypted with AES, using the key “BluePillIsRedOrBlack”, before being posted by UploadDownload to the address in the config file.


MSSUp also contains two new debug paths (note: although the path contains the string ‘Blackberry’ we do not yet have any samples compatible with BlackBerry devices!).



Given the various permutations of debug paths, the debug messages left in the code, and the minor code tweaks, we believe this is a malware family which may now have several strands of development and one which is likely to remain active and evolving for at least the short term.

Coverage in Iranian media

It’s also worth noting that this sample has already been covered in an Iranian technology blog[4]. The blog gives a number of interesting details[5] relating to the delivery of the malware, suggesting that it was delivered in an e-mail designed to appear to come from “BBC Persia” and was sent to social activists in Iran. Other details suggest that, as you might guess from the download URL, the spearphishing e-mail informs users that “political websites are infected with viruses and anti-virus programmers have written a program to solve this problem”.

Insight into other stealer campaigns

In the sample (hash) we analysed, the IP address the malware used for communications with its owner was – pivoting on this yields additional data which hints at the likely targets of ongoing campaigns by the attackers. PassiveTotal shows earlier this month the IP address began to host the domain ‘’:


The domain looks like the kind typically used in financially motivated attacks – checking the registration details for the domain shows it was registered recently, using obviously false credentials: 
Whois record

The e-mail address ‘[email protected]’ is also associated with several other domains – the domains, and the entities they are similar to are given in the table below:

Attacker's domain | Similar to | Description
 | Unknown | Unknown
 | Paypal | Western payments processor
 | PARTO | Iranian nuclear powerplant supplier
 |  | Iranian school for women
 |  | Iranian Lesbian & Transgender Network (note the i->l)
 |  | Iran Human Rights Documentation Center (based in the US)
 |  | Tech company in Iran
 | Unknown | Unknown

Several of the domains touch on sensitive issues in Iran at the moment; it’s common for attackers to register domains which appear similar to domains that the target would normally visit. With this information, and using the details present in the Iranian technology blog cited earlier, we can comfortably suggest that the attackers are still focusing their effort on targeting Iranian dissidents/socialists.


Sometimes, when an attacker has their malware analysed in the public domain, they do burn their operations and start again. However, as part of their day-to-day operations, we often observe attackers making continuous small changes to their malware. These small changes, whether it’s how a configuration file is loaded or how a DLL import is called, can have a significant impact on whether a signature hits, and often allow malware to go undetected.

The evolution of the Stealer malware in this case has been fairly slow; the final binary still bears a significant resemblance to those used several months ago.

Although the evolutions of the malware in this case are small, the final binary rendered (8083ee212588a05d72561eebe83c57bb) managed to evade file-based detection by every anti-virus provider at the time we first identified it.


IOC Type | Description | Value
MD5 | Initial RAR file | 895d4fafce0a905c4d6cf53e76e40026
MD5 | Dropper | c14690b90459744a300a02f45b32168a
MD5 | Dropped File (malware) | 8083ee212588a05d72561eebe83c57bb
MD5 | Dropped File (config) | db316f7d3bb961cdd4d89af85f6190ce
IPv4 Address | C2 Address |
IPv4 Address | Suspected C2 Address |
Domain | Suspected C2 Address |
Domain | Suspected C2 Address |
Domain | Suspected C2 Address |
Domain | Suspected C2 Address |
Domain | Suspected C2 Address |
Domain | Suspected C2 Address |
Domain | Suspected C2 Address |
Domain | Suspected C2 Address |

YARA rule

 rule MSSUP : AST
 {
     meta:
         author = "PwC Cyber Threat Operations"

     strings:
         // PDB paths left in the dropper and in UploadDownload
         $debug1 = "d:\\Programming\\CSharp\\BlackBerry\\BlackBerry\\obj\\Debug\\MSSUP.pdb" nocase
         $debug2 = "D:\\Programming\\CSharp\\BlackBerry\\UploadDownload\\bin\\x86\\Debug\\UploadDownload.pdb" nocase
         // Error message string left in the code
         $debug3 = "Unexpected error has been occurred in {0}, the process must restart for some reason, if it's first time you see this message restart the {0}, if problem was standing contacts the support team ."

         $fileheader1 = "MSSUP" ascii wide
         $fileheader2 = "" ascii wide
         $fileheader3 = "2014" ascii wide

         // $configload* strings (config-loading code) are referenced in the condition
         // but their definitions are not reproduced here

     condition:
         (all of ($fileheader*) or 3 of ($configload*)) and filesize < 200KB or any of ($debug*)
 }



[5] In this instance we have used Google Translate rather than a native speaker, and so we apologise if any translation nuances affect the meaning of what we’ve quoted.