Threat Research

OffensiveWare: A New Malware-as-a-Service Platform Takes a Fitting Label

By Joie Salvio | October 11, 2016

In recent years, with the active efforts of law enforcements to takedown infamous Trojan spywares such as Dridex and GameOver Zeus, one could claim that their status as a predominant threat has died down and given way to ransom malware. But this has not stopped small groups of individuals from trying to keep this lineage of malware alive.

The increasing popularity of Malware-as-a-Service (MaaS) platforms has provided a new way for criminals to keep themselves on the malware profit chain by enticing a wider audience with their malicious propaganda - because why not? It’s very easy and convenient – just pay, point, and shoot.

Just a month ago, Fortinet discovered Ozone, a RAT service that was used to attack German-speakers. Now, a new spam attack has been discovered that utilizes a new MaaS platform that has been receiving good feedback in the malware market called OffensiveWare.

Fake Mail and the Downloader

The spam email is disguised as an order confirmation from a Dubai-based trading company. To further assure the user of its legitimacy, it claims to have already passed an anti-virus scan.

Fig1. Fake order confirmation mail

Attached to the mail is a fake order list document with an embedded malicious macro. Not surprisingly, the document convinces the unsuspecting user to enable the execution of this macro (see Figure 2, below.) Typically, such a macro downloads a malicious payload. However, this variant used another classic setup where the generated document body contains an encrypted executable file (the downloader) in the form of a long stream of text. It is displayed in a white font to trick the user into thinking that there’s nothing but a blank page.

Fig.2 Enable Macro Instruction with encrypted binary (changed color for demo)

The binary is executed after it is decrypted from the text content, and then written to %TEMP%/ as .src.

Fig.3 Macro decrypts binary from text content

The executed file then downloads a spyware package. To protect it from anyone trying to directly access the download site, it is zip-compressed with the password, “ork”, which we believe stands for “OffensiveWare Remote Keylogger.” This claim is based on the analysis of the spyware, provided later in this article.

Fig.4 Download behavior of the executable

Spyware Payload

This spyware variant utilizes publicly available password-extraction tools developed by SecurityXploded. Because the file properties of these tools make their purposes obvious, they have been stripped off.

The downloaded package is extracted to %ALLUSERSPROFILE% and contains the following components:

  • msupd.exe – main executable with keylogger
  • em.exe – extracts email passwords (EmailPasswordDump by securityxploded)
  • fb.exe - extracts social network passwords (SocialPasswordDump by securityxploded)
  • ie.exe - extracts IE passwords (IEPasswordDump by securityxploded)
  • upd.exe – updates components (package downloader)
  • x.Cmd – terminates msupd.exe and delete executable components
  • msvcp140.dll – auxiliary library (legit)
  • msvcr71.dll – auxiliary library (legit)
  • sqlite3.7.11.dll – auxiliary library (legit)
  • ssleay32.dll – auxiliary library (legit)
  • libeay32.dll – auxiliary library (legit)

Before the stolen information is sent to the attacker’s email, they are stored locally in the following files:

  • %ALLUSERSPROFILE%\bigchunk\em.txt – extracted email passwords
  • %ALLUSERSPROFILE%\bigchunk\fb.txt – extracted social network passwords
  • %ALLUSERSPROFILE%\bigchunk\ie.txt – extracted stored passwords in IE
  • %ALLUSERSPROFILE%\logs\log.txt – keystrokes logged
  • %ALLUSERSPROFILE%\logs\*.jpg – screenshots

Fig.5 Extracted passwords stored in em.txt, fb.txt, and ie.txt

 

Fig.6 Extracted credentials, logged keystrokes, and system screenshots are sent via email

 

An inspection of the binary’s strings reveals that this malware has been provided through the OffensiveWare platform. This assertion is further supported by the fact that the IP address of the package download site is the same as the platform’s official website.

Fig.7 Strings relating the binary to OffensiveWare

Fig.8 Download site and Offensiveware site shares same IP

 

OffensiveWare

Fig.9 OffensiveWare website

OffensiveWare’s website has only been up for two months, offering builders for macros ($49), various exploits ($290), and a remote keylogger ($80). It also claims to extract credentials and conversation histories from the following applications:

Fig.10 List of target applications

The OffensiveWare is now being actively developed by the same person who released the Aaron Remote Installable Keylogger (ARIK) and Ancalog Exploit Builder. In fact, in the middle of researching and writing this article, both sites were redirected to OffensiveWare. These transitions seem to demonstrate that this author is serious about the spyware business.

Conclusion

This article shows just how easy it is for someone to extract sensitive information from a system using a commercialized malware builder – a propaganda message that MaaS business owners have been promoting to lure buyers.

The commercialization of malware builders is likely to have a growing impact on the cybercriminal industry. Opening these tools to the public can make anyone, regardless of skill, a potential attacker. People don’t need to scour the deep underground forums or the Dark Web to find these tools anymore. A simple Google search and a coin purse are all it takes to get to the other side of the fence.

 

-= FortiGuard Lion Team =-

 

IOC’s

2262a78c1fa3a1916b9c6bba366eb0fb5ed5176591c2b1d31b4d6d3d88ea0c51 (FINECO_ORDER_LIST_20092016.docx.doc) –
WM/Oware.PR!tr

c9cd8dc47b648dfaab40f0f4b19717fe001e3e97002eebb1290e703c6d0bec87 (.src) – W32/Oware.PR!tr.dldr

5eb3c1800715744438a4382e69d042346a3f4b9ffd2c0308ac4a5c864e26fb28 (msupd.exe) – W32/Oware.PR!tr.spy

17e2143a6018e7fa9d69c52f0be5ac3aed91e0496a1832b91ad28d14417d4059 (upd.exe) – W32/Oware.PR!tr.dldr

03f24b17beebbeedc63fa47c781e480c7eac93ac3068bfbbea45919fb643881f (ie.exe) – Riskware/SecurityXploded

2e149eae2956d2d749110f803044ff8b252dcbaf3ae09bdcf30a58b74bbd7329 (em.exe) - Riskware/SecurityXploded

71a2501786a808512236d2cb32ff7b583ce5e9294dc026cdfb15ca2fd14b8b98 (fb.exe) - Riskware/SecurityXploded

Presence of the following files in the system:

  • %ALLUSERSPROFILE%\bigchunk\em.txt
  • %ALLUSERSPROFILE%\bigchunk\fb.txt
  • %ALLUSERSPROFILE%\bigchunk\ie.txt
  • %ALLUSERSPROFILE%\logs\log.txt
  • %ALLUSERSPROFILE%\logs\*.jpg
  • %AULLUSERSPROFILE%\msupd.exe
  • %AULLUSERSPROFILE%\em.exe
  • %AULLUSERSPROFILE%\fb.exe
  • %AULLUSERSPROFILE%\ie.exe
  • %AULLUSERSPROFILE%\upd.exe
  • %AULLUSERSPROFILE%\x.Cmd