
Spear Phishing Deep Dive Primer: The Malware

2011-10-27


Malware can come from almost anywhere, but when it comes wrapped up in a ribbon and bow addressed to you, it just feels that much more special. When some Solera Networks employees became ensnared in a social engineering-enhanced spam campaign pushing a Trojan as its payload, as I wrote about in my previous post, we didn’t take it lying down.

Instead, we gleefully scooped up the malware samples and ran them in controlled test environments. In so doing, we learned a lot about this Trojan: The day it arrived, we submitted the sample through Virustotal, but it wasn’t detected by any antivirus vendors. After a couple of weeks, most AV companies now detect it — the initial installer, at least — and split their verdict on the file as either a worm called Ainslot, a backdoor called Shades RAT, or the ubiquitous Zeus/Zbot (which this definitely is not).

In this, the second in a series of three posts, I’m taking a close look at the malware payload itself. Practically speaking, the campaign was a failure, at least as far as we were concerned — nobody targeted here fell for the social engineering trap set by the spammers. But the malware itself was a spectacular success — both for the purposes of analysis, and for our subsequent mockery of the malware distributor, who is not, shall we say, the sharpest tack in the box.

The targeted spam email links directly to the malware sample, which is a Zip file named Invoice-Y4C20111010C34.zip. Inside that Zip file was a file named Yesasia Invoice Y4C20111010C34 2011-10-10.exe, but the 831kb dropper, written in Visual Basic, isn’t much to look at. It was stored in the /support/invoices/ subdirectory on yesasia-invoices.com.

Jane, stop this crazy thing. And I just know you don’t use an email address at Domizine, the go-to site for FemDom fetishists, to register domains through NIC.RU with WHOIS data pointing to your “home” in “Michigan.” But I have to give you credit for registering the domain the same day the attack fired off. Weirdly enough, the domain’s expiration date is listed as the same as its registration date.

On 10/10, the day we got a copy of it, Virustotal had zero results, but the file’s been in the hands of the AV community for a while now, so the cloak of secrecy is shot. AV companies split their verdict on the file as a worm called Ainslot, a backdoor called Shades RAT, and Zbot.

In fact, it shares behavioral characteristics with all three of those malware families.


The file’s Comments property in the properties sheet. What do you even say? CharlottesvilleGreekMuong CheshireLeila Shulman NixonWharton TexacoGresham — it’s a proper noun generator. I’d read a TexacoGresham any summer.

As it turns out, the strings in the file tell an interesting story. Build paths seem to point to the Blackshades RAT as the culprit,

but other strings indicate that the Trojan borrows code segments from Solitude RAT, Bandook RAT, Apocalypse RAT, Schwarze Sonne RAT…

…DarkComet, SpyNet, and Zeus.

Somebody has a fetish for mediocre malware, or an insecurity complex whose primary symptom is an uncontrollable urge to name-drop Grade N malware in your code comments. Code segments indicate an untoward interest in phishing bankofamerica.com and Facebook passwords. Why only target the load balancers used by Bank of America in the eastern half of the country?

It’s an efficient self-installer — it adds a run key (named Google Update) in the Registry, and modifies the Windows firewall to allow uninterrupted communications between the Internet and both a copy of itself, and a duplicate called newegg.exe, located in the current user’s %appdata% directory.

The newegg.exe malware also features Proper Name Salad as its Comments property: “Stafford Slovakia Eulerian Pfizer Eulerian Lumpur Diocletian GeigyPyhrric Gruyere.” I always love a well-made, grilled pyhrric gruyere on sourdough. With pickles.

Newegg (the malware, not the geek-centric online store) then disabled all Web Proxy settings in each of Windows’ Security Zones. It also performed a geolocation lookup of the infected machine’s IP address using a Malaysian geolocation service called IPINFODB.COM.

And we all know from past experience that malicious programs frequently install themselves right in the root of %appdata%. Call it part of Windows’ built-in Red Light District. You just know you shouldn’t be here, and if you stay too long, trouble is sure to show up.


Sir, we’ve picked something up on the scanners. It’s an exploit, heading straight for us.

Evasive action!

Then we extracted this DLL, vncdll.dll with the single ReflectiveLoader function call, from the network stream. Apparently someone was doing a little downloading in the background.

Then metsrv.dll popped into memory. Microsoft calls it Swrort. What a name! How do you pronounce it, Microsoft malware analyst person? Swuh-rawr’t? Swear-ort? Seew-rort? Why not just go full fnord and get it over with? Based on the utter unpronounceability of that name, I proclaim Ahn Labs’ Xema the winner of the naming contest, even though it’s just a generic definition name.

It also creates a file called windows in the %appdata% directory and writes a log that includes the contents of the title bar of any active window, and whatever characters the user types into that window. Yes, it’s a very cheesy keylogger. The output isn’t even encrypted. And look at all that valuable data it found.

The malware also creates a registry subkey, the value of which represents a unique identifier for this infection, in this key path:

HKCU\Software\VB and VBA Program Settings\SrvID\ID

You see that key value over and over again if you let the software run and watch its network traffic. It passes the value as a query to its CnC server whenever it checks in. In my case, it created the key HKCU\Software\VB and VBA Program Settings\SrvID\ID\3PLFMGD6HV and gave it a value of Newegg.
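For anyone checking a suspect host against the artifacts described above, here is an added example (not from the original post) that parses a regedit .reg export and flags the Google Update run entry and the SrvID\ID infection identifier. The export text and the layout of the ID key (infection ID as a value name under ID) are assumptions, and the host names in it are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export (not a real capture) reproducing the host indicators
# from the post: a Run value named "Google Update" launching newegg.exe from
# %appdata%, and the SrvID\ID key holding the infection ID. Assumes UTF-16 already decoded.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="\"C:\\Users\\victim\\AppData\\Roaming\\newegg.exe\""
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /background"

[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID]
"3PLFMGD6HV"="Newegg"
'''

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Collect [key] sections and their "name"="data" string values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:  # undo the \" and \\ escaping used in .reg files
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                keys[current][name] = data
    return keys

def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag the autorun and infection-ID artifacts this Trojan leaves behind."""
    hits = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\currentversion\\run"):
            for name, data in values.items():
                # the impersonated name, or anything launched from the roaming profile
                if name.lower() == "google update" or "\\appdata\\roaming\\" in data.lower():
                    hits.append(("autorun", f"{name} -> {data}"))
        elif "\\vb and vba program settings\\srvid\\id" in k:
            for name, data in values.items():
                hits.append(("infection-id", f"{name} = {data}"))
    return hits
```

Run it over `reg export HKCU out.reg` from a suspect profile; the second hit gives you the check-in identifier to search for in your proxy logs.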

It also, curiously, dropped and installed a copy of the (legitimate) decompiler, AS3 Sorcerer. The program opens Adobe Flash SWF files so you can read the ActionScript code inside, a useful tool for malware researchers working with malicious Flash files. But why would the malware author bundle it with the malware?

After installing itself and AS3 Sorcerer, the Invoice malware downloaded another file, named newpoe.exe, which had been hosted in the /support/invoices/ subdirectory — that seems oddly familiar — on a different domain (the laughably-named deleted-host.zapto.org, which resolves to 108.59.252.112) and executed it, then self-terminated.

The newpoe.exe file runs from the %temp% directory and uses a five-random-number filename that changes each time it’s run. Between the names the AV companies have given this malware, Gendal and FSteal, I think I’m going with FSteal.

Wait a minute…what was that? I think something just got fstolen.

It stole my FTP credentials and passed them to a Russian-registered domain.

Well, it didn’t exactly steal any credentials. What it stole was the contents of sitemanager.xml, a file that the FTP client FileZilla creates. If you save your passwords using the program, stealing those passwords is rudimentary. We saw it send the password to the exfiltration destination as an argument in an HTTP GET query string. Aw, gosh darn it, now the h4x0rs know that the FTP credentials for the user named testuser on the server test.test is omfgmypasswordgotstolen! Those devious, cunning morons will be able to deface my make-believe Web server with wild abandon.
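As an added audit example (not from the original post), here is a Python check of a FileZilla sitemanager.xml that lists every saved site whose password sits on disk, which is exactly what FSteal walked off with. The XML follows the FileZilla 3 layout; the sample entries are constructed (the first reuses the throwaway account from the post), and the password itself is never returned.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sitemanager.xml in the FileZilla 3 layout (not a real file),
# seeded with the throwaway account from the post. The <Pass encoding="base64">
# form is what newer FileZilla builds write; it is only encoded, not encrypted.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>test.test</Host><Port>21</Port><Protocol>0</Protocol>
      <User>testuser</User><Pass>omfgmypasswordgotstolen</Pass>
      <Logontype>1</Logontype><Name>lab box</Name>
    </Server>
    <Server>
      <Host>files.example.org</Host><Port>22</Port><Protocol>1</Protocol>
      <User>deploy</User><Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype><Name>sftp host</Name>
    </Server>
    <Server>
      <Host>ftp.example.net</Host><Port>21</Port><Protocol>0</Protocol>
      <User>ops</User><Logontype>2</Logontype><Name>ask each time</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

def exposed_sites(xml_text: str) -> List[Dict[str, str]]:
    """List every saved site whose password is stored on disk in recoverable form.

    Entries with Logontype 2 or 3 (ask / interactive) carry no <Pass> element
    and are skipped; the secret itself is deliberately not returned."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None or not (pass_el.text or "").strip():
            continue
        storage = "base64" if pass_el.get("encoding") == "base64" else "plaintext"
        findings.append({
            "name": server.findtext("Name", ""),
            "host": server.findtext("Host", ""),
            "user": server.findtext("User", ""),
            "storage": storage,
        })
    return findings
```

Point it at %appdata%\FileZilla\sitemanager.xml and every entry it returns is a credential to rotate after an infection like this one.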

All of the above happened in the first 37 seconds of the infection. In tomorrow’s post, a bit of analysis about who might have been behind the attack, through looking at the destination of the stolen data, as well as closing thoughts and, perhaps, a few notes on best practices.
