Threat Research
Recently we received a SPAM with an attachment, which is a password-protected Word document. Its MD5 is 6619356e9e0c9d2445bf777a8bea5d6a, which is detected as “WM/Agent.60F9!tr” by the Fortinet AntiVirus service. When the document is opened, the attached malicious VB script code is executed and additional malware is created and executed.
Based on our analysis, this is information-stealing malware. In this blog, we’ll show you how the malware works, what information is stolen from a victim’s system, and how the stolen data is sent to attacker.
Figure 1, below, is a screenshot of the SPAM email we received. The message looks like a transaction notification from “Hendrerit Donec Porttitor Associates”. The password of the attached Word document is provided in the message body.
Figure 1 - SPAM Sample
When the Word document is opened, a dialog pops up requesting the password. See Figure 2, below.
Figure 2 – Password is required to open the Word document
After the password provided in the message body is input, the Word document is opened, as shown in Figure 3.
Figure 3 – The Word document is opened
As you can see, a warning is shown. After enabling “Macros” in Word options, the VB script code inside it is executed automatically.
Here is a snippet of the malicious VB script code.
As you can see, in the function doCUmENT_Open, variable names are random strings. The characters in variable and function names are in upper-case or lower-case randomly. Other evasion techniques are also used, like JCrfd = 87 * 4. It’s difficult to understand the meaning of the code due to the obfuscation, but its purpose is to create a VBS file (like “22474.vbs”) and execute it.
In the newly-created VBS file, all strings are encrypted and obfuscated. After decrypting the strings at runtime, we can understand what it is going to do. See the following code snippet with decrypted strings. Comments we added are highlighted in green.
The VB script code snippet above shows that it tries to download a file from hxxp://www.polonews.info/er.txt or hxxp://doktrine.fr/mg.txt. The function JGfe3yG handles the downloaded data, which is actually an encrypted exe file. The decrypted data is saved into “%AppData%\434349.fyn”. The file name is random, and its MD5 is 4df3ce5c9a83829c0f81ee1e3121c6ea, which is detected as “W32/Malicious_Behavior.VEX” by the Fortinet AntiVirus service. Finally, the newly-created file is executed by calling the command “cmd.exe /C START "" "%AppData%\434349.fyn”“.
Once 434349.fyn starts running, it soon creates itself as a child process by calling the function CreateProcessW with the flag CREATE_SUSPENDED. This allows the code to be modified later. This is a common strategy that malware uses to protect itself against analysis. Next, the code of the child process is overwritten by another exe file that is dumped from 434349.fyn. After that, it calls the function ResumeThread to resume the child process, and then terminates itself.
The new code of the child process uses anti-sandboxing and anti-VM techniques. See the code snippet below.
The code continually captures the current mouse cursor position, which is used in the function sub_403894 to decrypt the data in .bss section that contains some important strings. For the malicious code to execute, we have to keep the mouse moving. This is one of its anti-sandboxing techniques.
From the following code snippet we can also see some VM detections. From MSDN, we know that the function SetupDiGetDeviceRegistryProperty retrieves a specific Plug and Play device property. The malware uses this function to get a string related to Removable and DockDevice device information. Then it checks if the string contains “vbox”, “gemu”, “vmware”, or “virtual hd”. If the result is yes, this child process terminates directly. This is one of its anti-VM techniques.
The malware then copies itself to “%AppData%\” and changes its name. This time it was called “%AppData%\bootames\audiider.exe”. However, note that the folder and file name are not fixed. They come from a name generation function that depends on the creation time and name of the DLL files in the system folder.
The malware also adds itself into the system registry “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\” so that this malware can be executed automatically when the system starts. See Figure 4, below.
Figure 4 - Add the malware to startup group
It then creates a .bat file and executes it, which actually executes the relocated and renamed exe file with an argument, by using the command "%AppData%\bootames\audiider.exe" "%AppData%\434349.fyn".
On our test system, audiider.exe injected malicious code into explorer.exe, which is designed to later steal information from a victim’s system and submit it to the attacker. The process (explorer.exe) to be injected with malicious code might be different on different systems.
It also calls the function CreateRemoteThread with the flag CREATE_SUSPENDED to create a remote thread to explorer.exe. Later, it calls the functions ZwCreateSection and ZwMapViewOfSection to allocate a buffer in explorer.exe where the malicious code will be copied to by calling the function ZwWriteVirtualMemory. It then modifies the eip register of the remote thread to point to the malicious code by calling the function ZwSetContextThread. Finally, it calls the function ResumeThread to run the malicious code and then audiider.exe terminates itself. Following is a code snippet that shows the details:
[...]
0404D6F lea ecx, [ebp+var_4]
0404D72 push ecx ;
0404D73 push 4 ;; with creation flag "CREATE_SUSPENDED"
0404D75 push ebx
0404D76 push edi
0404D77 push ebx
0404D78 push ebx
0404D79 push [ebp+var_10] ; handle of explorer.exe, hProcess
0404D7C call eax ;;;; CreateRemoteThread
0404D7E mov [ebp+var_C], eax ;
0404D81 cmp eax, ebx
0404D83 jz short loc_404D9E
0404D85 push edi ;
0404D86 push [ebp+arg_0]
0404D89 lea eax, [ebp+var_10]
0404D8C call sub_404BCA ;
0404D91 push [ebp+var_C] ;
0404D94 mov esi, eax
0404D96 call ds:CloseHandle
0404D9C jmp short loc_404DAD
[...]
0404697 lea eax, [eax+ecx+0C50h]
040469E lea ecx, [ebp+var_10]
04046A1 push ecx
04046A2 lea ecx, [ebp+var_C]
04046A5 push ecx
04046A6 push eax
04046A7 call sub_405047 ; ;;will call ZwCreateSection and ZwMapViewOfSection inside.
04046AC mov [ebp+var_4], eax
04046AF cmp eax, ebx
04046B1 jnz loc_4047EC
04046B7 mov ebx, ds:dword_409878
04046BD lea eax, [ebp+var_8]
04046C0 push eax
04046C1 mov eax, [ebp+arg_0]
04046C4 push dword ptr [eax]
04046C6 xor ebx, 0EE55371Eh
04046CC push [ebp+var_10]
04046CF add ebx, edi
04046D1 add ebx, [ebp+var_C]
04046D4 mov [ebp+var_1C], ebx
04046D7 call sub_405008 ;;;ZwMapViewOfSection
04046DC mov [ebp+var_4], eax
04046DF test eax, eax
04046E1 jnz loc_4047EC
04046E7 push [ebp+var_8]
04046EA push [ebp+var_14]
[...]
04047D1 mov eax, [ebp+var_8]
04047D4 add esp, 0Ch
04047D7 push [ebp+arg_4]
04047DA add edi, eax
04047DC push edi
04047DD add edi, 40h
04047E0 push edi
04047E1 push [ebp+arg_0]
04047E4 call sub_4030EF ;; will call ZwWriteVirtualMemory and ZwSetContextThread inside.
04047E9 mov [ebp+var_4], eax
[...]
0404CCC loc_404CCC:
0404CCC push dword ptr [edi+4]
0404CCF call ds:ResumeThread ;;To execute malicious code inside explorer.exe
0404CD5 pop edi
0404CD6 mov eax, esi
0404CD8 pop esi
0404CD9 pop ebx
0404CDA leave
0404CDB retn 8
Based on a quick analysis of the malicious code, this malware is able to steal email related information from a victim’s system. It can get all the contact addresses from following files on the victim’s device:
The targets are several email applications: Windows Mail, Windows Live Mail, Outlook Express, and Office Outlook. It also collects additional email data from the system registry, such as Email, Account Name, IMAP Server, IMAP Port, IMAP User, IMAP Password, IMAP Use SSL, POP3 User, POP3 Server, POP3 Port, POP3 Password, POP3 Use SSL, SMTP User, SMTP Server, SMTP Port, SMTP Password and SMTP Use SSL.
The relevant registry keys are:
The data stolen from system registry is formatted as follows:
The stolen data is then saved in a local file, which is compressed in a zip file with the name “*.bin” in the “%temp%” folder.
During runtime, it continues to steal information from the system Clipboard as well as the applications from where you copy data to Clipboard. Also it sets up a keyboard hook function that can steal your input in applications such as Notepad.
The following code snippet shows how the malware steals information from the system Clipboard.
This function is called when the Clipboard copy operation happens (press ctrl+c). That means that the malware registers a Window message handling function to receive messages from the system.
Here is an example to clearly show you how the malware steals data from a victim’s system. In Figure 5, I typed some characters in Notepad, then copied (ctrl+c) the login password “123456”.
Figure 5 - Type in Notepad
Figure 6 – The stolen information by malware
In Figure 6, we can see the file “5463.bin” is created and it’s actually a compressed file. After decompressing it, we can access the file “01D21D1e661D80000B” where you can see all the data stolen by the malware from Notepad and the system Clipboard.
All the stolen data is compressed and stored in “%temp%\{random}.bin” files. Finally, the malware encrypts them and sends them to attacker. Here is an example that shows the bin file that is encrypted and sent to the attacker.
Figure 7 - Encrypt bin file
Figure 8 – The encrypted bin file
Figure 9 - Sending an encrypted file to attacker’s server
The HTTP POST request has been detected by Fortinet IPS signature JeanAloup.Trojan.Credentials.Disclosure.
According to our analysis, this malware uses 5 domains that are encrypted by default inside the malware to submit the stolen data. They are shown below:
All the domains and malware download links mentioned above have been rated as “Malicious” by the Fortinet Web Filtering service.
Based on the above analysis, we can see how this malware works and what information is stolen from a victim’s system. The most dangerous aspect is that it’s able to monitor the system Clipboard and keyboard input, collect data from them, and send the stolen data to the attacker. Imagine you are editing a very confidential document and the remote attacker can get all of your input. The potential for compromise is very serious.