Threat Analysis Report from FortiGuard Labs
In November, FortiGuard Labs uncovered a spam campaign that included a tsunami alert for Japanese citizens. The spam e-mails contained a fake link to the Japan Meteorological Agency (JMA) which, when clicked, downloaded the Smoke Loader trojan. After monitoring the fake site, we found that the link for downloading Smoke Loader was replaced at the end of November by a new link that deployed another trojan, AZORult, which harvests and exfiltrates data from compromised systems.
Both of these malware families are sold only on Russian underground forums. Currently, the fake JMA site is still acting as an AZORult C&C server and redirects users to the legitimate JMA site. After further research into the domain information behind the fake JMA site, we found another campaign related to the same actor.
In this article, we analyze the malware downloaded from the fake JMA website and research another campaign by the same actor.
Fake Tsunami Alert
During November 2018, JMA twice announced that a fake tsunami alert mail campaign was underway targeting people living in the northeast region of Japan. The official announcements can be found in the following links:
The content of these spam e-mails is not native Japanese; because of their grammatical errors, they were likely either written by a non-native speaker or translated by machine. Both of these spam e-mails lead victims to inadvertently download a malicious file. The download link is below:
The domain name attempts to look like the legitimate JMA domain, https://www.jma.go.jp, but uses a "-" (hyphen) instead of a "." (dot) in the name. The Japan Meteorological Agency alerted users to this difference through Twitter.
Website Payload Changes Over Time
We have monitored the malware download link for a month, and have recorded the following changes made to the downloaded malware.
The file 1.exe was removed from the website in late November.
After the 25th of November, the downloaded malware was changed from Smoke Loader to AZORult. Both of them use the jma-go[.]jp domain as C&C server.
Smoke Loader C&C server:
AZORult C&C server:
All four samples belonging to the Smoke Loader family use the same shellcode loader and final payload. Once downloaded, they try to download extra plugin DLLs or next stage malware. Unfortunately, we could not observe the next stage attack in this campaign. Here is a detailed report on Smoke Loader written by CERT.PL. We will mention some of its functionalities in the next section.
Smoke Loader uses multiple anti-analyzing techniques before it runs its final payload.
We found that a variety of techniques are used in this campaign, including basic techniques such as anti-debugging checks on the PEB flag and jump chains.
It checks whether sbiedll is in use to detect whether it is being run in a sandbox.
It also checks for well-known virtual machine names when comparing the values of the following registry entries:
Keyboard Layout Check
It also checks the keyboard language of the victim to ensure that it does not infect Russian and Ukrainian users.
PROPagate Code Injection
This injection technique was originally found in 2017, and we noticed that Smoke Loader has used it since July 2018. Here is a technical report which discusses this trick.
We found the following code at the end. It configures a UxSubclassInfo structure with a callback function that runs in explorer.exe, and triggers the injected code by sending a message to the window. After the callback function is triggered, it then runs the injected, decrypted payload of AZORult.
Before it connects to the C&C server, it creates two threads that monitor processes and windows as another anti-analysis measure. In these threads it calculates hashes of process names and window names and compares them with the name hashes hard-coded in its payload. If it finds a matching process or window, it terminates it immediately.
All of the Smoke Loader samples in this campaign use the following URL as their C&C server.
This URL is decrypted from the structure shown in Figure 8. The string decryption algorithm is simple; the version used in these samples is shown below.
decrypted_byte = not (encrypted_byte xor 0x36 xor 0x04 xor 0xAE xor 0xB8)
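The decryption rule above, reimplemented as an added example (this is not code from the FortiGuard report or from the malware itself). It also shows that the four chained XOR keys and the final NOT collapse to a single XOR with one constant, which is handy when writing a string-decoding script or a detection rule. The layout of the encrypted structure from Figure 8 is not reproduced; the sample URL is constructed.

```python
# Added example: Smoke Loader string decryption as described in the report.
# decrypted_byte = not (encrypted_byte xor 0x36 xor 0x04 xor 0xAE xor 0xB8)

SMOKE_LOADER_XOR_KEYS = (0x36, 0x04, 0xAE, 0xB8)  # keys quoted in the report


def decrypt_byte(encrypted_byte: int) -> int:
    """Apply the four XORs, then a bitwise NOT truncated to one byte."""
    value = encrypted_byte & 0xFF
    for key in SMOKE_LOADER_XOR_KEYS:
        value ^= key
    return (~value) & 0xFF


def folded_key() -> int:
    """XOR is associative, so the four keys plus NOT (XOR 0xFF) fold into one byte."""
    key = 0xFF
    for k in SMOKE_LOADER_XOR_KEYS:
        key ^= k
    return key  # 0xDB: decrypt_byte(x) == x ^ 0xDB for every x


def decrypt_string(encrypted: bytes) -> str:
    """Decrypt a whole buffer (no length or terminator handling; that part of
    the Figure 8 structure is not reproduced here)."""
    return bytes(decrypt_byte(b) for b in encrypted).decode("ascii", errors="replace")


def encrypt_string(plain: str) -> bytes:
    """XOR-then-NOT is an involution, so encrypting is the same operation.
    Used only to build a constructed sample for this example."""
    return bytes(decrypt_byte(b) for b in plain.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample: a placeholder URL, not the campaign's real C&C string.
    sample = encrypt_string("http://c2.example.invalid/index.php")
    print(sample.hex())
    print(decrypt_string(sample))
    print(hex(folded_key()))
```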
Second Stage Malware Execution
There are three ways for Smoke Loader to install the downloaded second stage malware or its plugin.
1. Fileless method: maps the downloaded payload into memory and runs it immediately.
2. Downloads a DLL and loads it immediately.
3. Downloads a DLL or EXE file and registers it as a service with regsvr32.
The AZORult used in this campaign is version 3.3, which was first found in October 2018. The AZORult in this campaign has the same characteristics as the previously discovered version 3.3 samples, with nothing changed. We summarize some of those characteristics in this section.
Information Stealing Functionalities
AZORult includes functionality to collect the following application information from the victim's system:
1. Browser history
2. Cryptocurrency wallet
In this campaign, the domain “jma-go[.]jp” is used as the C&C server for the malware.
AZORult version 3.3 decrypts the encrypted URL using a key buffer and a specified weight for each key buffer element.
Figure 9 shows an example of decrypting the first character of the domain.
Second Stage Malware Execution
It then connects to the C&C server and tries to download the second stage malware. There are two execution methods, CreateProcessW and ShellExecuteExW; which one is used depends on whether the URI extension is .exe or not.
Spread through Different Routes
This campaign uses different routes to spread AZORult.
This site is used as an affiliate program for advertising products in Japan, and we found that it hosts a download address for Coupon.scr, which is an AZORult sample. It is the same file we mentioned earlier, with the hash value: 748c94bfdb94b322c876114fcf55a6043f1cd612766e8af1635218a747f45fb9.
This is the same file we mentioned earlier, with the hash value of: 70900b5777ea48f4c635f78b597605e9bdbbee469b3052f1bd0088a1d18f85d3.
Discovering other Activities
We decided to investigate this case further to try to find the possible actors behind this malicious campaign.
First, we started by analyzing the malicious domain “jma-go[.]jp”. When someone directly accesses the malicious website, it redirects the user to the legitimate JMA website.
When checking the website redirection script, we observed several comments written in Cyrillic.
It is quite interesting that someone left those in the live campaign, so we decided to search the Internet for the comments, and we soon had a hit on one of them: a user with the nickname "vladvo" made a post on a Russian forum asking about redirection and iframes. The code he provided as his own solution exactly matches the redirection code used on the malicious website; even the comments and spacing are the same.
The only thing the actor changed here was the link in the "window.location" argument. Unfortunately, we cannot be sure that the "vladvo" user is connected to this case. He posted this message on 20.10.2012, so the post is currently 6 years old. It is just as likely that someone simply re-used his code for the campaign.
After analyzing the script, we then decided to check for the WHOIS information of the malicious domain. Here, we found interesting information that later provided us with details for finding other campaigns possibly run by the same actors.
First of all, we found other websites registered using the e-mail address referenced in the WHOIS information, lixiaomraz[@]gmail.com:
We then found that the first website is already being used in an MPS bank phishing campaign:
We can assume that the hxxp://www.posteweb-sicurezza[.]com website could also be used in a current or new campaign.
Next, searching in WHOIS history we found five other domains that were registered by the same actor on 09.02.2018:
All the data listed in the older WHOIS entries matches the registrar information listed for jma-go[.]jp:
All the websites pretend to look like music, video streaming, or torrent websites. But their real behavior is much different.
Once a user tries to download any file from those sites, they are redirected to other websites, and finally a legitimate 7zip 16.02 (1f662cf64a83651238b92d62e23144fd) software installer is downloaded. It looks like the websites have no payload yet, or it has already been changed. It is likely that the actor is using the 7zip package as a stub for testing their functionality.
We were able to retrieve several redirection hosts used in the campaign:
All of the domains are much younger than the main .biz domains. This could mean that the actor is still developing his new campaign and we could soon observe another malicious activity connected to the 5 websites we found. Unfortunately, the WHOIS information for the redirection domains did not give us any clues as to whether the same actor owns them or if it’s a fresh “partnership” for testing malware spreading techniques.
Besides the possible malware spreading feature, we found other interesting activity happening in the background of the websites. When checking the page source code, we found a stealthy iframe object. The object is 1x1 in size and hidden in the lower left corner.
As we can see, the iframe object contains a link to a YouTube video player. Besides that, the autoplay feature is turned on. That means the video is stealthily played in the background. This technique is often used for “black” methods of promoting videos and increasing view counts. Besides the link to YouTube, several iframes to Twitter and Facebook were also observed.
As the five websites we discovered are obviously not crowded with users, it is quite strange to see those promotion techniques being used. Possible alternative explanations for such activity are that the campaign has just started, or that the actors are using the domains as a testing environment.
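A defender-side check for the hidden autoplaying iframes described above, as an added example that is not part of the original report: it parses a page and flags iframes that are 1x1 (or smaller) or that request autoplay, reporting the embedded host. The HTML page is constructed for this example, and the video ID and second iframe URL are placeholders.

```python
# Added example: find hidden or autoplaying iframes in a page's HTML.
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample page modelled on the behaviour described in the report:
# a 1x1 iframe pinned to the lower-left corner that autoplays a YouTube video.
CONSTRUCTED_HTML = """<html><body>
<h1>Free music downloads</h1>
<iframe src="https://www.youtube.com/embed/VIDEOID?autoplay=1"
        width="1" height="1" style="position:absolute;left:0;bottom:0"></iframe>
<iframe src="https://www.example.invalid/player" width="640" height="360"></iframe>
</body></html>"""


def _is_tiny(value) -> bool:
    """True for dimensions of 1 pixel or less (e.g. "1" or "1px")."""
    try:
        return int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are effectively invisible and/or autoplay media."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parsed = urlparse(src)
        tiny = _is_tiny(a.get("width")) and _is_tiny(a.get("height"))
        # autoplay can be requested via the embed URL or the iframe's allow list
        autoplay = (parse_qs(parsed.query).get("autoplay", ["0"])[0] == "1"
                    or "autoplay" in (a.get("allow") or ""))
        if tiny or autoplay:
            self.findings.append({"src": src, "host": parsed.hostname,
                                  "tiny": tiny, "autoplay": autoplay})


def find_hidden_iframes(html: str) -> list:
    """Return one finding dict per suspicious iframe in the page."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.findings
```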
Apart from the domains we stated, two other websites registered by “Kupriushin Anton” were found:
The websites are currently unavailable, but it is obvious that the actor tried to imitate the name of the popular Craigslist website.
To summarize, we can say that the actor is quickly developing and changing his tools and trying to profit from different methods of malicious activity.
FortiGuard Labs has monitored this fake tsunami alert campaign since November and researched the possible actor or actors behind the campaign.
We found that the downloaded malware used in the campaign for infecting victims and stealing information was changed to make it more efficient, switching from Smoke Loader to AZORult.
At the same time, we have detected that the fake JMA site registrant also creates other sites for different phishing or malicious campaigns.
FortiGuard Labs will continue to monitor all of these domains and research the actors behind them.
Fortinet users are protected from malicious threats mentioned above with the following solutions:
· Files are detected by FortiGuard Antivirus
-= FortiGuard Lion Team =-