FIGUREhkcmd.exe

TrendMicroIncorporatedResearchPaper2013FAKEMRATMalwareDisguisedasWindowsMessengerandYahoo!
MessengerBy:NartVilleneuveJessadelaTorreContentsIntroduction.
1Distribution.
2Installation.
3Backdoor.
3NetworkTrafficEncryption.
5Infrastructure.
7Conclusion.
81|FAKEMRATIntroductionTheperpetratorsoftargetedattacksaimtomaintainpersistentpresenceinatargetnetworkinordertoextractsensitivedatawhenneeded.
Tomaintainpersistentpresence,attackersseektoblendinwithnormalnetworktrafficanduseportsthataretypicallyallowedbyfirewalls.
Asaresult,manyofthemalwareusedintargetedattacksutilizetheHTTPandHTTPSprotocolstoappearlikewebtraffic.
However,whilethesemalwaredogiveattackersfullcontroloveracompromisedsystem,theyareoftensimpleandconfiguredtocarryoutafewcommands.
AttackersoftenuseremoteaccessTrojans(RATs),whichtypicallyhavegraphicaluserinterfaces(GUIs)andremotedesktopfeaturesthatincludedirectorybrowsing,filetransfer,andtheabilitytotakescreenshotsandactivatethemicrophoneandwebcameraofacompromisedcomputer.
AttackersoftenusepubliclyavailableRATslikeGh0st,PoisonIvy,Hupigon,andDRAT,and"closed-released"RATslikeMFCHunterandPlugX.
1However,thenetworktraffictheseRATsproduceiswell-knownandeasilydetectablealthoughattackersstillsuccessfullyusethem.
2Attackersalwayslookforwaystoblendtheirmalicioustrafficwithlegitimatetraffictoavoiddetection.
WefoundafamilyofRATsthatwecall"FAKEM"thatmaketheirnetworktrafficlooklikevariousprotocols.
SomevariantsattempttodisguisenetworktraffictolooklikeWindowsMessengerandYahoo!
Messengertraffic.
AnothervarianttriestomakethecontentofitstrafficlooklikeHTML.
WhilethedisguisestheRATsusearesimpleanddistinguishablefromlegitimatetraffic,theymaybejustgoodenoughtoavoidfurtherscrutiny.
1Gh0st:http://download01.
norman.
no/documents/ThemanyfacesofGh0stRat.
pdfandhttp://www.
mcafee.
com/ca/resources/white-papers/foundstone/wp-know-your-digital-enemy.
pdf;PoisonIvy:https://media.
blackhat.
com/bh-eu-10/presentations/Dereszowski/BlackHat-EU-2010-Dereszowski-Targeted-Attacks-slides.
pdf;Hupigon:http://www.
f-secure.
com/v-descs/backdoor_w32_hupigon.
shtml;DRAT:http://blog.
trendmicro.
com/trendlabs-security-intelligence/watering-holes-and-zero-day-attacks/;MFCHunter:http://blog.
trendmicro.
com/trendlabs-security-intelligence/japan-us-defense-industries-among-targeted-entities-in-latest-attack/;andPlugX:http://about-threats.
trendmicro.
com/us/webattack/112/Pulling+the+Plug+on+PlugX2http://www.
trendmicro.
com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.
pdf2|FAKEMRATDistributionAllthreeversionsoftheFAKEMRATthatweinvestigatedweredistributedviaspear-phishingemailsusingsocialengineeringtoluretargetsintoexecutingamaliciousattachment.
Whileweobservedtheuseofdifferentthemes,thecontentoftheemailswerealwaysinterestingtopotentialtargets.
FIGURE1:Samplespear-phishingemailswithattachmentsthatdropFAKEMRATThemaliciousattachmentsweremostoftenMicrosoftWorddocumentswithcodethatexploitsthefollowingvulnerabilities:CVE-2010-3333:RTFStackBufferOverflowVulnerabilityaddressedinMicrosoftSecurityBulletinMS10-087.
3CVE-2012-0158:MSCOMCTL.
OCXRCEVulnerabilityaddressedinMicrosoftSecurityBulletinMS12-027.
4WealsofoundaMicrosoftExcelfilethatexploitsCVE-2009-3129,theExcelFeatheaderRecordMemoryCorruptionVulnerabilityaddressedinMicrosoftSecurityBulletinMS09-067.
5Wealsosawsamplesthatweresimplyexecutable(.
EXE)files.
3http://technet.
microsoft.
com/en-us/security/bulletin/MS10-0874http://technet.
microsoft.
com/en-us/security/bulletin/ms12-0275http://technet.
microsoft.
com/en-us/security/bulletin/MS09-0673|FAKEMRATInstallationAfterexploitation,an.
EXEfilepackedwithUPXisdropped.
6Afterinitiallydroppingthemaliciousfilenamedhkcmd.
exetothe%Temp%folder,themalwaretypicallycopiesitselfusingthename,tpframe.
exe,tothe%System%folder.
Itthenaddsthefollowingregistryentrytoenableitsautomaticexecutionateverysystemstartup:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\runtpbar="%System%\tpframe.
exe"BackdoorThenetworktrafficthemalwareproducesisdesignedtolooklikeWindowsMessengertraffic.
MalwareofthistypewerediscussedonTwitter,notedbySonicWALL,andfoundtohavebeenactiveasfarbackasSeptember2009.
7However,itremainsunclearifalltheattacksthatusedthismalwarewereconnected.
ThemalicioustrafficbeginswithheaderssimilartoactualWindowsMessengertraffic:MSG5N130MIME-Version:1.
0However,beyondthis,youwillseethatthetrafficisnotvalidWindowsMessengertrafficbutmaybesufficientlydisguisedassuchtoescapefurtherscrutiny.
6UPXisafreetoolthatcompressesexecutablefiles.
However,itiscommonlyusedtopackmalwarefiles,seehttp://upx.
sourceforge.
net/formoredetails.
7https://twitter.
com/mikko/status/232851667446538241,https://www.
mysonicwall.
com/sonicalert/searchresults.
aspxev=article&id=464,andhttps://twitter.
com/diocyde/statuses/2328730236513361924|FAKEMRATFIGURE4:MalicioustrafficdisguisedasYahoo!
MessengertrafficFIGURE3:LegitimateWindowsMessengertrafficFIGURE2:MalicioustrafficdisguisedaslegitimateWindowsMessengertrafficComparedwithactualWindowsMessengertrafficshowninFigure3,itiseasytodistinguishthemalicioustrafficshowninFigure2.
Duringourinvestigationofthefake"WindowsMessenger"RAT,wefoundanotherversionthatattemptstodisguiseitsnetworktrafficasYahoo!
Messengertraffic.
ThenetworkcommunicationthisversionusesbeginswithYMSG,theYahoo!
Messengertrafficheader.
FIGURE5:LegitimateYahoo!
MessengertrafficHowever,thenetworktrafficshowninFigure4doesnotresemblelegitimateYahoo!
Messengertrafficbeyondtheuseoftheheader,YMSG.
ComparedwiththelegitimateYahoo!
MessengertrafficshowninFigure5,itiseasytodistinguishbetweenthetwo.
AthirdversionoftheFAKEMRATattemptstodisguisethenetworktrafficitproducesasHTML.
Themalicioustrafficbeginswithstringslike1.
.
56or12356.
88ThisvariantwasreferencedduringanincidentdocumentedbyAlienVaultinMarch2012inhttp://labs.
alienvault.
com/labs/index.
php/2012/alienvault-research-used-as-lure-in-targeted-attacks/.
5|FAKEMRATFIGURE6:MalicioustrafficdisguisedasHTMLtrafficThisisafairlyrudimentarydisguiseandoddbecauseyouwouldexpectHTMLtobetheresultofarequesttoawebserverandnotassomethingaclientwouldsendtoawebserver.
NetworkTrafficEncryptionThenetworkcommunicationbetweenthecompromisedcomputerandtheRATcontrollerisencrypted.
Theencryptionisthesameacrossvariantsanddoneatthebitlevel.
EachbyteisXOR-edbyeveryletterinthestring,YHCRA,androtated3bitstotherightaftereveryXORoperation.
Encryptingthecommunicationensuresthatthesuspiciousdatapassedbetweenthecompromisedhostandtheattackerscannotbeeasilyviewedinplaintext.
Thecommunicationcomesin1024-byteblobsofdatathatstartwiththe32-byteheader.
Itappearsthatattackersmayspecifyanykindoffakeheaderswithinthefirst32bytesinordertodisguisethesubsequentnetworktraffic.
Thefollowingbitsofinformationareinitiallysentbythecompromisedhostwhenthecommunicationstarts:UsernameComputernameOEMcodepageidentifierWhatlookslikeacampaigncodebutonlyforsomesamplesThecommandsarenotpreconfiguredasthemalwarereliesonthedatasentbytheserver.
Forinstance,whenaclientreceivesthecommand,0211,thissignifiesthatitshouldexecutetheaccompanyingdatainmemory.
6|FAKEMRATThefollowingarethecommandstheserverissuesandtheirmeanings:0211:Executecode.
0212:Reconnecttoreceivedata.
0213:Sleep,closesocket,andreconnect.
0214:Exit.
TodeterminetheRAT'scapabilities,weallowedtheattackerstoinfiltrateahoneypotcomputerandcapturedallofthenetworktrafficitgenerated.
Wedecryptedthenetworktrafficanddeterminedthecommandstheattackersused,whichinclude:CmdMana:CommandManagerallowsattackerstoexecuteshellcommands.
FileMan:FileManagerallowstheattackerstobrowsedirectories.
HostIn:HostInformationprovidesinformationaboutthecompromisedcomputer.
ProcMan:ProcessManagergivesattackersaccesstorunningprocesses.
RegMana:RegistryManagergivesattackersaccesstotheWindowsregistry.
Scree:Screentakesasnapshotofthedesktop.
ServiceMa:ServiceManagerallowsaccesstoservices.
Passwo:PasswordaccessesstoredpasswordslikethosesavedinInternetExplorer(IE).
UStea:Uploadsfilesfromacompromisedcomputer.
7|FAKEMRATInfrastructureTheWindowsMessengersamplesweanalyzedwereclusteredintofivegroupsthatdidnothaveoverlappinglinkages.
Fouroftheclusterswererelativelysmallandfocusedonfourdifferentdomains:vcvcvcvc.
dyndns.
orgzjhao.
dtdns.
netavira.
suroot.
com*.
googmail.
comThevcvcvcvc.
dyndns.
orgdomainisparticularlyinterestingbecausewealsofounditbeingusedasacommand-and-control(C&C)serverforProtux—awell-knownmalwarefamilythathasbeenusedinmanytargetedattacksovertheyears.
Wealsofoundthattheavira.
suroot.
comdomainusedasaC&Cserverforyetanothermalwarefamilywecall"cxgid.
"The*.
googmail.
comdomainwasslightlylargerandincludednameslikeapple12.
crabdance.
comandapple12.
co.
cc.
However,thelargestclusterrevolvedaroundthe*.
yourturbe.
orgdomainandoverlappedwiththeHTMLvariant.
WealsofoundsmallclustersoftheHTMLvariantthatrevolvedaroundthedomain,endless.
zapto.
org,whichwasdownloadedasasecond-stagemalwarebyProtux.
FIGURE7:FAKEMdomainsassociatedwiththeWindowsMessengerandHTMLvariants8|FAKEMRATMeanwhile,theYahoo!
Messengersamplesweanalyzedallaccessedfreeavg.
sytes.
net—adomainnamethatfrequentlyresolvedtodifferentIPaddresses.
FIGURE8:FAKEMdomainsassociatedwiththeYahoo!
MessengervariantThevarioussampleswecollectedappeartobelongtogroupsthatoverlappedalittle.
Thissuggeststhatratherthanbeingassociatedwithaparticularcampaign,theuseofvariousFAKEMRATscouldbedistributedamongmultiplethreatactors.
ConclusionKnowledgeoftheattacktools,techniques,andinfrastructureofadversariesiscriticalfordevelopingdefensivestrategies.
ThisresearchpaperexaminedthreevariantsofaRAT—FAKEM—thatattempttodisguisethenetworktraffictheyproducetostayundertheradar.
NowthatpopularRATslikeGh0standPoisonIvyhavebecomewell-knownandcaneasilybedetected,attackersarelookingformethodstoblendinwithlegitimatetraffic.
WhileitispossibletodistinguishthenetworktrafficFAKEMRATvariantsproduceforthelegitimateprotocolstheyaimtospoof,doingsointhecontextofalargenetworkmaynotbenoteasy.
TheRAT'sabilitytomaskthetrafficitproducesmaybeenoughtoprovideattackersenoughcovertosurvivelongerinacompromisedenvironment.
Fortunately,solutionslikeTrendMicroDeepDiscoverycanhelpnetworkadministratorsprotecttheirorganizationsfromattacksthatusetheFAKEMRATbydetectingthetrafficitsvariantsproduce.
TRENDMICROINCORPORATEDTrendMicroIncorporated(TYO:4704;TSE:4704),aglobalcloudsecurityleader,createsaworldsafeforexchangingdigitalinformationwithitsInternetcontentsecurityandthreatmanagementsolutionsforbusinessesandconsumers.
Apioneerinserversecuritywithover20years'experience,wedelivertop-rankedclient,serverandcloud-basedsecuritythatfitsourcustomers'andpartners'needs,stopsnewthreatsfaster,andprotectsdatainphysical,virtualizedandcloudenvironments.
Poweredbytheindustry-leadingTrendMicroSmartProtectionNetworkcloudcomputingsecurityinfrastructure,ourproductsandservicesstopthreatswheretheyemerge—fromtheInternet.
Theyaresupportedby1,000+threatintelligenceexpertsaroundtheglobe.
TRENDMICROINCORPORATED10101N.
DeAnzaBlvd.
Cupertino,CA95014U.
S.
tollfree:1+800.
228.
5651Phone:1+408.
257.
1500Fax:1+408.
257.
2003www.
trendmicro.
com2013byTrendMicroIncorporated.
Allrightsreserved.
TrendMicroandtheTrendMicrot-balllogoaretrademarksorregisteredtrademarksofTrendMicroIncorporated.
Allotherproductorcompanynamesmaybetrademarksorregisteredtrademarksoftheirowners.