Threat Advisory: Careto Attack – The Mask

McAfee Labs Threat Advisory
Careto Attack – The Mask
February 12, 2014
McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of
prevalent malware. This Threat Advisory contains behavioral information, characteristics and symptoms that
may be used to mitigate or discover this threat, and suggestions for mitigation in addition to the coverage
provided by the DATs.
To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and
Threat Reports” at the following URL:
https://sns.snssecure.mcafee.com/content/signup_login
Summary
Careto Attack is a cluster of reconnaissance and data-stealing Trojans that can monitor many aspects of a
system’s operation, including keystroke entry and network traffic. This information is stored locally on the
infected system along with extensive system configuration information. The Trojans are capable of uploading
this harvested information to an external server where it can be retrieved by the attacker.
The malware used in the Careto attack is extremely modular in its design: rather than using one big program, it
uses many smaller modules, each performing a particular function. It also uses a multi-stage installation that
involves different intermediate steps.
There are currently two distinct known variations of this malware. The first one, known as “SGH”, uses a
kernel-mode rootkit and data interception component as well as user-mode components to access the
captured data and upload it to the external server.
The second variation, called “Careto”, operates completely in user mode and is fully compatible with
both 32-bit and 64-bit Windows 2000 operating systems and later.
Time and date stamp information from the currently known samples of the dropper and installer components
indicates that this attack may have been active from as early as 2007. Samples of the main active components,
however, all seem to come from late 2012 to the middle of 2013. Interestingly, the uninstalling components used
to clear the malware from an infected system are dated June 20th 2013. This is the latest known date in the
samples and may indicate the date at which the attackers started to remove their malware.
Most samples contained no locale information that might indicate the origin of the malware. A very few of the
later samples, however, did contain CodePage information indicating a Western European origin. The
hexadecimal value 0x4E4 translates to the decimal value 1252, and this is the CodePage used by Microsoft
Windows for products using the Western European Latin alphabet.
Such detailed information as is known so far about the threat, its propagation, characteristics and mitigation
is in the following sections:
• Infection and Propagation Vectors
• Mitigation
• Characteristics and Symptoms
• First Variant – “SGH”
• Second Variant – Careto
• Restart Mechanism
• Remediation
• McAfee Foundstone Services
The minimum DAT versions required for detection of the Careto attack related files are:
Detection Name       DAT Version   Date
BackDoor-FBRF        7344          09-Feb-2014
OSX/Backdoor-FBRE    7344          09-Feb-2014
Infection and Propagation Vectors
Analysis of the currently known samples has not provided any information about initial infection vectors. The
initial installers could have been placed on the user’s system by any of the usual malware distribution
methods, including spear-phishing email, drive-by browser exploit or remote execution vulnerability exploit.
Mitigation
Mitigating the threat at multiple levels (file, registry and URL) can be achieved at various layers of McAfee
products. Browse the product guidelines available here to mitigate the threats based on the behavior
described below in the Characteristics and Symptoms section.
EPO
• To block access to USB drives through an EPO DLP policy, refer to this tutorial.
VSE
• Refer to the article KB53346 to use Access Protection policies in VirusScan Enterprise to protect against
  viruses that can disable regedit.
• Refer to the article KB53355 to use Access Protection policies in VirusScan Enterprise to protect against
  viruses that can disable Task Manager.
• Refer to the article KB53356 to use Access Protection policies in VirusScan Enterprise to prevent
  malware from changing folder options.
HIPS
• To blacklist applications using a Host Intrusion Prevention custom signature, refer to KB71329.
• To create application blocking rules policies to prevent the binary from running, refer to KB71794.
• To create application blocking rules policies that prevent a specific executable from hooking any
  other executable, refer to KB71794.
• To block attacks from a specific IP address through McAfee NitroSecurity IPS, refer to KB74650.
Others
• In conjunction with our investigation into the Careto Attack – The Mask, we have released IOC data
  in the open, highly flexible OpenIOC Framework format. The Careto Attack – The Mask IOC can be
  downloaded here.
• In addition to various open/free tools, OpenIOC data can be consumed by:
  • McAfee Network Security Platform
  • McAfee HIPS
  • McAfee GTI Proxy
  • McAfee Web Gateway
• To disable the Autorun feature on Windows remotely using Windows Group Policies, refer to this article
  from Microsoft.
Characteristics and Symptoms
The malware involved in this attack seems to be divided roughly into two separate groups: Careto and SGH.
Both of these families are extremely modular in their design, allowing for very simple maintenance and
upgrading because only small components are required rather than a single large file.
First Variant – “SGH”
The first variant, known as “SGH”, uses a kernel mode rootkit and data interception component as well as
user mode components to access the captured data and upload it to the external server.
This variant gets installed on the system by a dropper component with the following file characteristics:
Filename: 892511916b92794a92ea698ab3ae78d51a5958e9a4d175f2b05a5af0f3e1ef16
MD5: cdc03f14052a73cc9d3d1d5d752d9d04
SHA1: a1bd3f225ea19b4963d7983bffc5d342d8d6148b
Type: Win32 PE EXE
When run, it drops the following files into the %SYSTEM% folder:
• mfcn30.dll
• jpeg1x32.dll
• vchw9x.dll
• awcodc32.dll
• awdcxc32.dll
• scsimap.sys
• bootfont.bin
The file ___A6.tmp <random file name> is dropped into the %TEMP% folder.
The dropped driver scsimap.sys is then installed and run to install additional kernel-level components.
As soon as the installer component starts execution, it attempts to disable the Kaspersky security product
driver to prevent it from scanning any process named "services.exe".
It then locates the ".inf" section within itself and decrypts it with RC4 using the hard-coded key
MD5("AQA4$w1QsfexDT"), followed by an inflate operation.
The result of the decryption is an installation script, which the installer interprets, performing specific
instructions based on the entries provided in the script.
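The decryption pipeline described above, reproduced on a constructed sample so an analyst can check a suspected ".inf" section offline. This is an added example, not code from the advisory or from the malware: the RC4 key is MD5("AQA4$w1QsfexDT") and the decrypted data is inflated, exactly as the advisory states. Two points the advisory leaves open are treated as assumptions and marked in the code: that the RC4 key is the raw 16-byte MD5 digest rather than its hex string, and that "inflate" means zlib-wrapped DEFLATE (a real section that fails to inflate can be retried with the hex-string key and with raw DEFLATE via zlib.decompress(data, -15)). The sample script is constructed; the advisory does not show the real script syntax, only the operations it can request.

```python
"""Unpacking an SGH-style ".inf" section: RC4 keyed with MD5 of the hard-coded
key string, then inflate. Added example, not code from the advisory."""
import hashlib
import zlib

# Key string quoted in the advisory; the RC4 key is MD5 of it.
HARDCODED_KEY = b"AQA4$w1QsfexDT"


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_key_from(key_string: bytes) -> bytes:
    # Assumption: the raw 16-byte digest is the RC4 key, not its hex form.
    return hashlib.md5(key_string).digest()


def decrypt_inf_section(blob: bytes, key_string: bytes = HARDCODED_KEY) -> bytes:
    """RC4-decrypt, then inflate (assumed zlib-wrapped DEFLATE).

    A wrong key or a mis-cut section raises zlib.error, because the zlib header
    and Adler-32 trailer will not check, so garbage is never returned silently.
    """
    return zlib.decompress(rc4(rc4_key_from(key_string), blob))


def build_sample_blob(script: bytes, key_string: bytes = HARDCODED_KEY) -> bytes:
    """Constructed test input: the exact inverse (deflate, then RC4-encrypt)."""
    return rc4(rc4_key_from(key_string), zlib.compress(script))


# Constructed stand-in for an installation script (the real format is not shown
# in the advisory); it names operations the advisory lists.
SAMPLE_SCRIPT = b"install mfcn30.dll\ncreate_service scsimap\nstart_service scsimap\n"

if __name__ == "__main__":
    print(decrypt_inf_section(build_sample_blob(SAMPLE_SCRIPT)).decode())
```

Because zlib validates a header and a trailing checksum, a wrong key or wrong section boundary fails loudly rather than producing plausible-looking noise, which is what makes this a usable quick check when carving the section out of a dropper.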
Code      Functionality
1 or 19   Install a file:
          1. Install a file.
          2. Download a file from a given URL (http, https, ftp or gopher) and install it. The file is installed
             to a specified directory.
          3. Set the timestamp value of the installed file to that found on the local kernel32.dll so as not to
             arouse suspicion.
2         Delete a file
3         Set a registry value
4         Delete a registry key or value
5         Copy data from one registry value to another
6         Compare data from one registry value with another
7         Create a new service
8         Delete a service
9         Start a service
10        Stop a service
11        Do nothing
12        Create a new process
13        Display a message box
14        Append data to a registry value
15        Add a new device filter using SetupDi* Windows APIs
16        Remove a device filter using SetupDi* Windows APIs
17        Add a new certificate to the local certificate store
18        Delete an existing certificate from the local certificate store
19        Do nothing
20        Detect VMware and Virtual PC virtual machines and exit if not found
21        Detect virtual machines and exit if found
22        Write code to the bootmgr file
23        Dump data to a temporary file prefixed with “___” and start it as a new process
After one or more of these operations is complete, the file ___A6.tmp (which is a Win32 PE EXE) is
executed to delete the installer.
The diagram below shows the relationship of each component:
[Diagram: SGH user-mode module relationships]
• mfcn30.dll – provides the framework to load the new plugins in the malware
• vchw9x.dll – network connectivity features
• awcodc32.dll – interacts with the C&C via vchw9x
Characteristics of installed components:
Filename: ___A6.tmp <random file name>
MD5: 8102AEF50B9C7456F62CDBEEFA5FA9DE
SHA1: E6BFE33C591FD024AAC97D5734250FB72E3CF6B6
Type: Win32 PE EXE
This file is a simple tool that waits until its parent process (the program that executed it) terminates and
then deletes the file associated with that process. It then exits.
.text:010012ED    call    ds:GetCurrentProcessId
.text:010012F3    push    eax               ; dwProcessId
.text:010012F4    call    GetParentProcID
.text:010012F9    push    eax               ; dwProcessId
.text:010012FA    push    1                 ; bInheritHandle
.text:010012FC    push    100410h           ; dwDesiredAccess
.text:01001301    call    ds:OpenProcess

.text:01001343 loc_1001343:                 ; CODE XREF: sub_10012BD+7Cj
.text:01001343    push    0FFFFFFFFh        ; dwMilliseconds
.text:01001345    push    esi               ; hHandle
.text:01001346    call    ds:WaitForSingleObject
.text:0100134C    lea     eax, [ebp+FileName]
.text:01001352    push    eax               ; lpFileName
.text:01001353    call    ds:DeleteFileA
Filename: mfcn30.dll
MD5: 5024ce13efab0e531c4e09b98def1287
SHA1: 0aeed3b0a049fb859a46ac9b8c64ef924af4a924
Type: Win32 PE DLL
The sample takes no actions when it is loaded. It provides a framework for extending the malware with
additional plugins and sending the results of their data collection routines to the C&C server.
The module reads a list of additional plugin DLLs from the configuration block, loads these libraries and then
periodically queries them for collected information.
Filename: jpeg1x32.dll
MD5: c2ba81c0de01038a54703de26b18e9ee
SHA1: 5e7833fa8edc069443bb1239de3291aa1e3fc9c8
Type: Win32 PE DLL
Unlike the other DLLs, which use “k3ck=eeDh+d90gedvjrDe3l” as the custom-RC4 key, this sample uses
“kernel32.dll” as the key.
The core purpose of this module is to act as a low-level information stealer (high-level info-stealer routines are
present in CDllAIT32.dll and CDllAIT64.dll), collecting disk, OS and hardware-specific information.
The sample contains two exported functions: the entry point and “fnProcess”.
The fnProcess function takes 4 arguments from the caller, but only two of them are of interest. The first
argument expects a 1-byte code which selects the action to be performed:
Code            Functionality
03h             Enumerate all files on disk
04h             Get base address of all PE files on the machine created after a specific date
08h             Get information
6fh             Terminate the DLL and uninstall
71h             Convert data to wide chars
72h             Write data to itself, store data in memory and delete itself
Anything else   Quit
Code 3: Enumerate all files on disk
All files on disk are enumerated and stored in the log.
Info-Stealer Routine (Code 8)
The information collected is always logged in the following format:
[Log Code]
-----[Stolen Information-1]
[Stolen Information-2]
…
[Stolen Information-N]
Example:
OS
-----Win
SW
-----[Installed software names and versions]
NET
-----[IP Address / MAC Address, etc.]
The information collected includes the OS name (and the presence of hotfix Q246009). A full list of the data
stolen by the info stealer is given below:
Log Code   Information Type        Data Stolen
OS         Operating System        a) OS Version (Win98, WinNT, WinXP, etc.)
                                   b) Name of owner
                                   c) Name of registered organization
                                   d) List of installed hotfixes
                                   e) Country information
                                   f) OS Install Dates
                                   g) Keyboard Layout and Language
                                   h) Time-zone
USERS      Local User Accounts     a) Name of local user
                                   b) Type of user
                                   c) Privileges assigned to user
                                   d) Comment assigned to user
HW         Hardware                a) OEM ID
                                   b) Number of processors
                                   c) Processor Mask
MEMORY     Memory                  a) (Total/Free) Physical Memory
                                   b) (Total/Free) Virtual Memory
                                   c) Paging File Size
                                   d) Page Size
                                   e) Minimum application address
DRIVES     FileSystem              a) Drive Label
                                   b) Type (Fixed, Removable, etc.)
                                   c) (Total/Free) Memory Available
                                   d) Root Drive Letter
                                   e) Drive Object ID Support
                                   f) Reparse Points Support
                                   g) Sparse Files Support
                                   h) File Volume Quotas
                                   i) Volume Serial Number
                                   j) Status of Drive Properties:
                                      a. FS_CASE_IS_PRESERVED
                                      b. FS_CASE_SENSITIVE
                                      c. FS_FILE_COMPRESSION
                                      d. FS_FILE_ENCRYPTION
                                      e. FS_PERSISTENT_ACLS
                                      f. FS_UNICODE_STORED_ON_DISK
                                      g. FS_VOL_IS_COMPRESSED
                                   k) Status of FS_CASE_IS_PRESERVED flag
USB        USB devices             a) Name of previously connected USB device
PROCESS    Running Processes       a) Name of process
                                   b) PID
                                   c) Total Memory Used
SW         Installed Software      a) Name of Product
                                   b) Installed version
NET        Network Information     a) MAC Address
                                   b) Network Card Status on/off
                                   c) IP Address
                                   d) DHCP Server
                                   e) Loopback Address
                                   f) Type:
                                      a. SLIP
                                      b. PPP
                                      c. FDDI
                                      d. Ethernet
                                      e. Token Ring
                                   g) Network Card Information:
                                      a. Service Name
                                      b. Description
                                      c. Title
                                   h) Network Card Driver Description
                                   i) Active TCP/UDP connections
                                      a. Destination Address
                                      b. Port
                                      c. Status (Closed, Listening, etc.)
Filename: vchw9x.dll
MD5: f46da52833c1078ed8b62276acbe9f1b
SHA1: 224696022c6e7440ada4f2549d4432cc9f9eae04
Type: Win32 PE DLL
This file uses the “ConvertStringSecurityDescriptorToSecurityDescriptor” function, which
converts a string-format security descriptor into a valid, functional security descriptor.
It also contains references to HTTP GET and POST commands. This indicates that some form of network
communication is implemented by this module.
This module implements network connectivity features for the SGH components.
This library is injected by the LoadDLL driver into one of the processes listed below:
• IEXPLORE.EXE
• FIREFOX.EXE
• MOZILLA.EXE
• OPERA.EXE
• NETSCAPE.EXE
• EMULE.EXE
• CHROME.EXE
It creates the pipe \\.\pipe\{807BF02B-3F5F-4570-970A-8AADBAA55AC1} and processes commands sent via this
pipe by other modules.
Once a command is received, it passes the network request to WinINet functions and returns the results to the
caller module via the same pipe.
Filename: awcodc32.dll
MD5: F28990D580F42050E4897CB52A1FB026
SHA1: CCE60EB5D6997A2DE2EBD164A4C1C63D8DBB0738
Type: Win32 PE DLL
This DLL exports 2 functions, DllCanUnloadNow and DllEntryPoint, which implement no functionality.
The code at the entry point tries to call a memory address that is not present in the file. This probably
indicates that the DLL will be loaded by another module.
It connects to the “vchw9x” component using a pipe whose name is taken from the configuration block
(“\\.\pipe\{807BF02B-3F5F-4570-970A-8AADBAA55AC1}”) and communicates with the C&C server
through that component.
All communication between the component and the server is encrypted using the RC4 encryption algorithm.
Filename: awdcxc32.dll
MD5: dede43ebe5f8a4b0aabfd0679b051e9e
SHA1: 29b643993c0a912a7268114abf65915a5754b224
Type: Win32 PE DLL
The sample takes no actions when it is loaded. Its sole purpose is to provide access to the device
implemented by the file scsimap.sys and identified by the string:
.text:75001060    unicode 0, <\\.\{E07DB02C-387E-43b2-A6F2-C59B4934B7D6}>,0
The exported functions from this DLL are:
.text:75001D99 aConfdelete       db 'ConfDelete',0
.text:75001DA4 aConfread         db 'ConfRead',0
.text:75001DAD aConfwrite        db 'ConfWrite',0
.text:75001DB7 aDllload          db 'DLLLoad',0
.text:75001DBF aModuleaddimage   db 'ModuleAddImage',0
.text:75001DCE aModuledeleteim   db 'ModuleDeleteImage',0
.text:75001DE0 aModulesetboots   db 'ModuleSetBootStatus',0
.text:75001DF4 aModulestartima   db 'ModuleStartImage',0
.text:75001E05 aModulestopimag   db 'ModuleStopImage',0
.text:75001E15 aSenddatatodriv   db 'SendDataToDriver',0
Filename: scsimap.sys
MD5: 4A0AF770E172ABB09E3691A81F9A6572
SHA1: B5ADDFF79E625183C30370A0CCE124FD1255BA7D
Type: Win32 PE System Driver
This file is a kernel-level driver and is used to install the kernel-level components. These components are
initially encrypted and stored in a custom archive inside the file bootfont.bin.
This driver implements a device with the id \Device\{E07DB02C-387E-43b2-A6F2-C59B4934B7D6}.
The known kernel mode components are listed here and detailed below.
• chiper.sys
• cmprss.sys
• fileflt.sys
• loaddll.sys
• PGPsdkDriver.sys
• seed.sys
• stopsec.sys
• storage.sys
• TdiFlt.sys
• TdiFlt2.sys
Filename: chipper.sys
MD5: 652f6799ee73d38180e24e70b06d3bc9
SHA1: 3c7d15b9ffd45d270d246686679a1c04cfd1e857
Type: Win32 PE System Driver
This kernel driver provides an encryption API for other drivers.
Filename: cmprss.sys
MD5: 782cfa3640dae04d0055b2a6b7732845
SHA1: 4d4f8942be867e79926bb3add72aaa4762004c2c
Type: Win32 PE System Driver
This system driver component provides data compression functionality to other components.
It uses RtlCompressBuffer and RtlDecompressBuffer to perform compression and decompression
respectively, as shown in the code snippets below.
[Code snippets: RtlCompressBuffer and RtlDecompressBuffer call sites]
Filename: fileflt.sys
MD5: ad56293644d6715f8abd1202bae17df3
SHA1: 3b65c255e19809914c969a1624a7c3d8ab356170
Type: Win32 PE System Driver
This file system filter driver attaches to \FileSystem\FASTFAT, \FileSystem\CDFS and \FileSystem\NTFS if
available. It is thought that this file filters information from the file system so as to hide the presence of
the malware on disk.
Filename: loaddll.sys
MD5: ddf68561daad19e85bba93d3f77c7100
SHA1: 297a6793dbd48b47efa24c2e533648c2678aac44
Type: Win32 PE System Driver
This kernel driver provides the capability of injection into user mode processes. It uses the function
ZwAllocateVirtualMemory to allocate memory in user space from the kernel.
Filename: PGPsdkDriver.sys
MD5: b92d9b5a16d767b9794c65ae92e047f9
SHA1: 50d7a46407a7b2a742512660b22c6e87e3331523
Type: Win32 PE System Driver
This kernel filter driver attaches to the keyboard driver \Driver\Kbdclass and is used to log keystrokes.
Device   \Driver\Kbdclass   \Device\KeyboardClass0   IRP_MJ_READ
Device   \Driver\Kbdclass   \Device\KeyboardClass0   IRP_MJ_PNP
Device   \Driver\Kbdclass   \Device\KeyboardClass1   IRP_MJ_READ
Device   \Driver\Kbdclass   \Device\KeyboardClass1   IRP_MJ_PNP
Filename: seed.sys
MD5: d341c67fd9fcc7fc392c4e5b9178d3a8
SHA1: e9bf38773cbdae01fa0ea68df399c820297bb176
Type: Win32 PE System Driver
This kernel driver is used as the central framework for all the different kernel components and is referenced
by many of them. It is also responsible for reading configuration from the registry key
HKLM\SYSTEM\CurrentControlSet\Services\scsimap\Params\Value
Filename: stopsec.sys
MD5: e8c05db10ad46a2e714bc7a942d5d425
SHA1: c80a632a94f0079bed00b7c52e9b6be87577e23d
Type: Win32 PE System Driver
This kernel driver attempts to send commands to the kernel device \Device\KLIF in order to disable or
block the Kaspersky security software.
Filename: storage.sys
MD5: 36a643710473d27f02429898dc5a6ebd
SHA1: dcdc944897b97520518d368ae446adbb8ded29ef
Type: Win32 PE System Driver
This kernel-mode driver provides the interface to the file used to store the logged and stolen data. This data is
compressed and encrypted and then stored in the file %SYSTEM%\c_50227.nls.
Filename: TdiFlt.sys
MD5: bfd8a476e1bfac92292d22f3c2e7e634
SHA1: dba4ac0cb7ed5b0d94601d95ed83fb079a10b293
Type: Win32 PE System Driver
This kernel filter driver attaches to the driver IPFILTERDRIVER and logs network connections and traffic.
Filename: TdiFlt2.sys
MD5: c24e8472cf9c2a31c25053d8ff7f23a5
SHA1: b373925f2128b9ab51c5e4d26ba52d6a17363a2d
Type: Win32 PE System Driver
This kernel filter driver interacts with the Windows firewall device driver to prevent its own network traffic
from being blocked.
Second Variant – Careto
The second variant, called “Careto”, operates completely in user mode and is fully compatible with both
32-bit and 64-bit Windows operating systems from Windows 2000 onwards.
The diagram below shows the relationship of each component:
[Diagram: Careto component relationships]
Filename: unknown
MD5: 0b246eeee4a67fec281295b83662fb19
SHA1: 3c4055cc39511d22eeda71014ffe487bad4cb264
Type: Win32 PE EXE
This file contains the installer for the Careto group of files. It will not run on versions of Microsoft Windows
earlier than Windows 2000.
Inside this file there is an encrypted CAB archive. It is encrypted with a modified form of RC4 encryption using
the key !$7be&.Kaw-12[} . This encryption is also used to encrypt incriminating strings.
The CAB file carries two DLL files called shlink32.dll and Shlink64.dll. These files are identical in
function, one being for 32-bit platforms and the other for 64-bit systems.
When the program is run it takes the following actions:
• The malware determines whether it is running on 32-bit or 64-bit Windows:
.text:004024AD    push    offset ProcName ; "GetNativeSystemInfo"
.text:004024B2    push    eax             ; hModule
.text:004024B3    call    ds:GetProcAddress
.text:004024B9    cmp     eax, esi
.text:004024BB    jz      short loc_4024CF
.text:004024BD    lea     ecx, [ebp+var_24]
.text:004024C0    push    ecx
.text:004024C1    call    eax
.text:004024C3    xor     eax, eax
.text:004024C5    cmp     word ptr [ebp+var_24], PROCESSOR_ARCHITECTURE_AMD64
.text:004024CA    setz    al
.text:004024CD    mov     esi, eax
.text:004024CF
.text:004024CF loc_4024CF:                 ; CODE XREF: sub_402487+24j
.text:004024CF                             ; sub_402487+34j
.text:004024CF    pop     edi
.text:004024D0    mov     eax, esi
.text:004024D2    pop     esi
.text:004024D3    leave
.text:004024D4    retn
  The appropriate file from the CAB is then selected for extraction.
• The appropriate location for the dropped file is selected according to the version of the operating
  system:
  - on Vista, Win7 and Win8 the file is dropped to %APPDATA%\Microsoft\objframe.dll
  - on WinXP it is dropped to %SYSTEM%\objframe.dll
• The selected file is then extracted and written to the appropriate location.
• It creates the following registry values:
  Path: HKLM\SOFTWARE\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32
  Data: %SystemRoot%\System32\browseui.dll
  Path: HKLM\SOFTWARE\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32
  Key Name: ThreadingModel
  Data: Apartment
  Path: HKLM\Software\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InprocServer32
  Data: C:\WINDOWS\system32\objframe.dll
• The program then exits.
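The persistence set up above is a COM in-process server redirection: a CLSID under HKLM\SOFTWARE\Classes is pointed at objframe.dll, which is dropped under %SYSTEM% on XP or %APPDATA%\Microsoft on Vista/7/8. The following added example (not code from the advisory or from McAfee) checks a `.reg` export of the CLSID hive for that pattern: it parses the subset of the export format needed here (key headers, `@` default values and quoted string values), then flags any InprocServer32 default that names objframe.dll or resolves into a user-writable profile directory. The export text is constructed; the first two keys mirror the values the advisory quotes, and the all-zero CLSID is a placeholder standing in for any CLSID redirected into a profile directory.

```python
"""Scan a .reg export for the CLSID\\{...}\\InprocServer32 redirection that the
Careto installer sets up. Added example, not code from the advisory."""
import re
from typing import Dict, List, Tuple

# File name the advisory reports as the dropped Careto DLL.
IOC_FILENAMES = {"objframe.dll"}
# Path fragments that place a COM server under a user-writable directory.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\", "\\documents and settings\\", "\\temp\\")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$", re.IGNORECASE)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] to {value name: string data}; non-string data (hex:, dword:) is skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            name, data = value_match.group(1), value_match.group(2)
            name = "@" if name == "@" else name[1:-1]
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes and double quotes with a backslash.
                keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def find_suspicious_inprocservers(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (CLSID, server path, reasons) for each InprocServer32 default value
    that names a known Careto file or loads from a user-writable directory."""
    findings = []
    for key, values in keys.items():
        match = INPROC_RE.search(key)
        if not match or "@" not in values:
            continue
        clsid, path = match.group(1).upper(), values["@"]
        lowered = path.lower()
        reasons = []
        if lowered.rsplit("\\", 1)[-1] in IOC_FILENAMES:
            reasons.append("known Careto file name")
        if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
            reasons.append("in-process server under a user-writable directory")
        if reasons:
            findings.append((clsid, path, "; ".join(reasons)))
    return findings


# Constructed export: the first two keys mirror the advisory's values, the
# all-zero CLSID is a placeholder for a redirection into a profile directory.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InprocServer32]
@="C:\\WINDOWS\\system32\\objframe.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32]
@="%SystemRoot%\\System32\\browseui.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\objframe.dll"
'''

if __name__ == "__main__":
    for clsid, path, why in find_suspicious_inprocservers(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{clsid}: {path} [{why}]")
```

Note what the heuristic does not catch: the {E6BB64BE-...} entry pointing at %SystemRoot%\System32\browseui.dll is a legitimate-looking value and is left alone, so a hunt for this variant still needs the file name indicator or a baseline of expected InprocServer32 targets per CLSID.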
Custom RC4 Algorithm
The strings in every .dll sample use a custom RC4 algorithm along with an entropy-equalizer function to
prevent automated systems from detecting anomalies.
Each encrypted character appears to have 0x80 added to it. Before being passed to the custom-RC4 function,
each character is decoded using the following function:
/* Rebuilds one byte from two stored bytes, each holding a nibble plus 0x80. */
unsigned char decode_character(const unsigned char* encryptedString, int index)
{
    unsigned char ret = 0;
    ret = 16 * (encryptedString[2 * index] - 0x80);      /* high nibble */
    ret |= encryptedString[(2 * index) + 1] - 0x80;       /* low nibble  */
    return ret;
}
Basically, the information stored in one encrypted byte is split across two bytes, thereby doubling the size of
each encrypted string.
Once a character has been decoded, it is passed to the custom-RC4 function. The custom-RC4 function is
similar to the original RC4 design with the following changes:
a) The S-Box size has increased from 256 elements to 260 elements.
b) The counter runs from 255 to 0 instead of 0 to 255 in RC4’s KSA loop.
c) Inside the KSA loop, if a value to be swapped is greater than the current counter value, a new value to
be swapped is found.
The first character of the RC4 decryption result is ignored, while the rest comprises the decrypted string.
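The nibble-splitting layer described above has a side effect worth using: because every stored byte is a nibble plus 0x80, an encoded string is a run of bytes in the range 0x80..0x8F, which is rare in ordinary PE data. The following added example (not code from the advisory or from McAfee) implements the decoder from the advisory's decode_character(), a constructed encoder used only to round-trip test it, and a scanner that reports such runs in a buffer so an analyst can find candidate strings before dealing with the RC4 stage. The custom RC4 variant itself is only described in outline on the page and is not reproduced here; the sample buffer is constructed.

```python
"""The 0x80 nibble-splitting layer around Careto's custom-RC4 strings:
decoder, test-only encoder and a run scanner. Added example, not code
from the advisory."""
from typing import List, Tuple

ENCODED_MIN, ENCODED_MAX = 0x80, 0x8F   # a nibble (0..15) plus 0x80


def decode_nibble_pairs(encoded: bytes) -> bytes:
    """Inverse of the split: each pair (hi + 0x80, lo + 0x80) becomes hi << 4 | lo.

    Matches the advisory's decode_character() for every index at once and
    rejects input that cannot be in this encoding instead of returning noise.
    """
    if len(encoded) % 2:
        raise ValueError("encoded string must have an even length")
    out = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        if not (ENCODED_MIN <= hi <= ENCODED_MAX and ENCODED_MIN <= lo <= ENCODED_MAX):
            raise ValueError("byte outside the 0x80..0x8F encoding range")
        out.append(((hi - 0x80) << 4) | (lo - 0x80))
    return bytes(out)


def encode_nibble_pairs(raw: bytes) -> bytes:
    """Constructed inverse for testing; the advisory does not show the encoder."""
    out = bytearray()
    for b in raw:
        out.append(0x80 + (b >> 4))
        out.append(0x80 + (b & 0x0F))
    return bytes(out)


def find_encoded_runs(data: bytes, min_pairs: int = 4) -> List[Tuple[int, int]]:
    """Return (offset, length) of maximal runs of bytes in 0x80..0x8F, trimmed
    to whole pairs, that are at least min_pairs pairs long. A hit is a
    candidate for decode_nibble_pairs() followed by the RC4 stage, not proof."""
    runs = []
    start = None
    for i, b in enumerate(data + b"\x00"):       # sentinel closes a trailing run
        if ENCODED_MIN <= b <= ENCODED_MAX:
            if start is None:
                start = i
        elif start is not None:
            length = (i - start) & ~1             # keep whole pairs only
            if length >= 2 * min_pairs:
                runs.append((start, length))
            start = None
    return runs


# Constructed buffer: unencoded header bytes, one encoded string, a gap, and
# a second encoded string too short to be reported at the default threshold.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00"                                  # offsets 0..5, none in range
    + encode_nibble_pairs(b"\xde\xad\xbe\xef\x00\x01")    # offsets 6..17
    + b"\x00\xff"                                         # offsets 18..19
    + encode_nibble_pairs(b"\x42")                        # offsets 20..21
)

if __name__ == "__main__":
    for offset, length in find_encoded_runs(SAMPLE_BLOB):
        print(offset, length, decode_nibble_pairs(SAMPLE_BLOB[offset:offset + length]).hex())
```

The scanner is a triage aid only: decoded output still has to go through the custom RC4 with the key the advisory names before it reads as a string, and short runs of 0x80..0x8F bytes do occur naturally, which is why the threshold defaults to four pairs.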
Filename: Shlink32.dll, Shlink64.dll, objframe.dll, shlmgr.dll
MD5: Variable
SHA1: Variable
Type: Win32/64 PE DLL
This file is an intermediate dropper that originates from one of the two files carried inside the installer. The
software version info is modified before the file is dropped by copying the version info from an existing system
component. This means that there is no reliable hash that can be used to detect this file.
Other subtle modifications include changing the DLL reference “InternalModuleNameDll.dll” to “objframe.dll”.
They do not, however, change the functionality of the file.
Like the installer that drops it, this file also contains a CAB file that is encrypted using a modified form of RC4.
The contents of this CAB file are the real malware payload and consist of at least 3 files. The files inside the
CAB file are named as below:
• chef32.jpg
• waiter32.jpg
• dinner32.jpg
In addition to the above three files, the 64-bit version contains the additional files below:
• chef64.jpg
• waiter64.jpg
• dinner64.jpg
These files do not contain JPEG images but Windows PE programs: 2 DLLs (chef??.jpg and
waiter??.jpg) and one EXE (dinner??.jpg).
This file contains the following encrypted strings, each of which is decrypted into memory when it is
required and then erased from memory when it is no longer needed. These strings include:
IEXPLORE.EXE,FIREFOX.EXE,CHROME.EXE
!$7be&.Kaw-12[}
waiter64.jpg
chef64.jpg
dinner64.jpg
waiter32.jpg
chef32.jpg
dinner32.jpg
shell32.dll
CreateProcessW
Kernel32.dll
IAPI-MS-WIN-CORE-PROCESSTHREADS*
ieframe.dll
dmconfig.dll
msjet40.dll
ntdsa.dll
oakley.dll
opengl32.dll
Kqmgr.dll
hquartz.dll
WMDRMDEV.DLL
PNPUI.DLL
RPIDGENX.DLL
VERIFIER.DLL
WMDRMNET.DLL
WMICMIPLUGIN.DLL
WMNETMGR.DLL
WPDSP.DLL
DMCONFIG.DLL
MSJET40.DLL
CLICONFG.DLL
CHTBRKR.DLL
OPENGL32.DLL
6MFC42.DLL
MFWMAAEC.DLL
CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32
NtCreateSection
NtMapViewOfSection
QueueUserAPC
ZwQueueApcThread
Filename: chef32.jpg, chef64.jpg
MD5: 280A4194D6CB7345C37268D6D0BE9C2A, F6E7E81B80BB3C449CC7EFDFBEAF0DCA, E137E46C2C48149BB137A249ABF2B044
SHA1: 18555EAB18361CAFF97FE4868969740275F1166B, 375E44149675F19B1974C2C0E66D43E75F1FBD50,
46920CF56CB5FD3F3C9B999AB9F01A84CCBF7FAF
Type: Win32/64 PE DLL
Analysis so far indicates that this module is used to exfiltrate stolen data to an external location for
collection by the attacker. This module implements network connectivity features for the package.
When loaded by the “dinner” module, it returns a structure that contains pointers to four functions. These
functions can send HTTP/HTTPS “GET” and “POST” requests using a given URL. The addresses of these
functions are passed to the “waiter” module.
This module uses the hard-coded user agent “Mozilla/4.0” for the network communication.
Three different variants of this file are currently known: one 64-bit variant dated April 24th 2012 and two 32-bit
variants dated April 24th 2012 and May 21st 2013.
Filename: waiter32.jpg, waiter64.jpg
MD5: A8816DAB9DD5F64181EEF8D0E8717B15, 80A45CD7838D2FB4C1FD43DCE64AA01D, 290C5DF131C3F70DC11F478FD1A2D64D
SHA1: 538B4D051AD3A2C682141B09C9709CAD9DA2DF8F, D14C73155BF1C526349AD49F5E527D131F356089,
9AC22D8D0A90D59553B3F0D8AB1569BFCDDD5E3E
Type: Win32/64 PE DLL
Three different variants of this file are currently known: one 64-bit variant dated April 24th 2012 and two 32-bit
variants dated April 24th 2012 and May 21st 2013.
This module uses and implements all the techniques of the Careto package.
The commands below show the functionality of the waiter module:
UPLOAD         Extract the file from the CAB archive to a specific path
EXEC           Launch the specified executable with the required parameters
UPLOADEXEC     Extract the file from the CAB archive to a specific path and launch the specified executable
               with the required parameters
SYSTEMREPORT   Generate the system report and upload it to the C&C
SETLATENCY     Modify the delay in the configuration block and update it
CANNEDDLL      Load the module from the CAB archive and execute it in memory
SETCFG         Modify the configuration block
The following encrypted strings were found in the waiter modules:
#UTC/GMT date (M/D/Y)
%.2d/%.2d/%.4d %.2d:%.2d:%.2d
Local date (M/D/Y)
DisplayVersion
DisplayName
Software\Microsoft\Windows\CurrentVersion\Uninstall
Maybe Windows 95?
Could not load Iphlpapi.dll
%02X-%02X-%02X-%02X-%02X-%02X
Description
GetAdaptersInfo
uiphlpapi.dll
Unkown
yMicrosoft Win32s
Microsoft Windows Millennium Edition
XMicrosoft Windows 98
OSR2
Microsoft Windows 95
Windows
Kernel Build Number
Service Pack
DSOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
Service Pack 6
SERVERNT
LANMANNT
Workstation
WINNT
ProductType
SYSTEM\CurrentControlSet\Control\ProductOptions
IOS Type
Server
kServer 4.0
Server 4.0, Enterprise Edition
Server
Advanced Server
Datacenter Server
Standard Edition
KWeb Edition
Enterprise Edition
Datacenter Edition
SStandard x64 Edition
Enterprise x64 Edition
Datacenter x64 Edition
Enterprise Edition for Itanium-based Systems
Datacenter Edition for Itanium-based Systems
Workstation
Professional
Home Edition
Workstation 4.0
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows Tablet PC
Microsoft Windows Media Center
[Microsoft Windows XP
Microsoft Windows 2003 Server,
Microsoft Windows XP Professional x64 Edition
¬Microsoft Windows 2003 Server R2
Microsoft Windows Server Longhorn
Microsoft Windows Vista
OS Version
KOS Name
OS Platform
kernel32.dll
GetNativeSystemInfo
FProxyEnable
sSoftware\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
ProxyOverride
[-] System Users
[-] Environmental Variables
Failed: Can't start winsock
Connection Result
Successful
Failed: Can't establish connection to host
Failed: Can't resolve host address
[-]Socket Connection:
[-]MAC Information:
[-]OS Information:
[-]Installed programs:
hProxy Override
Proxy Server
Proxy Enabled
W[-] IE Proxy configuration
Unknown
Installed in system32?
usystem32
2Filename
PCLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InprocServer32
[-]Installation Information:
SystemReport.txt
uSetCfgLog.txt
New Configuration updated ONLY for current user
New Configuration updated for all users
New MIN_ATTEMPS_URL_AUX=%d
New URL_AUX_WAIT=%d days
New URL_AUX=%s
New URL_MAIN=%s
Original MIN_ATTEMPS_URL_AUX=%d
Original URL_AUX_WAIT=%d days
Original URL_AUX=%s
Original URL_MAIN=%s
CMD_SET_CFG v1.0
ATTEMPS_URL_AUX
WAIT_URL_AUX
URL_AUX
URL_MAIN
SetLatencyLog.txt
Original Latency
New Latency
CMD_SET_LATENCY v1.0
DAYS
explorer
internet
C314
PRODUCT_CODE
CLIENT_ID
INST_ID
OCMD_SEQ
SUB_TYPE
TYPE
TARGET_PROCESS
meta.inf
%s?Group=%s&Install=%s&Ver=%s&File=%s&Offset=%d&Size=%d&Crc=%u&Ask=%d&Bn=3
s?Group=%s&Install=%s&Ver=%s&CmdId=%ws&%s=%d&Bn=3
Exec
WStored
C%ws.%ws
RESULT
RESULT_FILE
5MODULE
dDATE_PROCESSED
CMD_RESULT
(%s?Group=%s&Install=%s&Ver=%s&Ask=1&Bn=3
Comment
QPrivileges
GUser Name
RGuest
User
Administrator
NetApiBufferFree
NetUserEnum
netapi32
Not Windows NT/2000/XP platform
DLL32_FILE_NAME
DLL64_FILE_NAME
ABSOLUTE_PATH
ENV_VAR
CSIDL
4COMMAND_ARGS
xBINARY
"UploadLog.txt
kFailed to upload: %s (SystemError=%d)
"File Uploaded: %s
TRUE
PAYLOAD
OVERWRITE
FALSE
DELETEAFTEREXEC
ProductId
vSOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion
The C&C delivers its commands inside the CAB package. Each command is passed through the Meta.inf file, which
contains various configuration parameters and the commands to be executed by the module.
URL_AUX
URL_MAIN
SetLatencyLog.txt
Original Latency
New Latency
CMD_SET_LATENCY v1.0
DAYS
explorer
internet
C314
PRODUCT_CODE
CLIENT_ID
INST_ID
OCMD_SEQ
SUB_TYPE
TYPE
TARGET_PROCESS
meta.inf
%s?Group=%s&Install=%s&Ver=%s&File=%s&Offset=%d&Size=%d&Crc=%u&Ask=%d&Bn=3
s?Group=%s&Install=%s&Ver=%s&CmdId=%ws&%s=%d&Bn=3
DLL32_FILE_NAME
DLL64_FILE_NAME
ABSOLUTE_PATH
In general, it uses the TARGET_PROCESS values:
• explorer
• internet
DLL32_FILE_NAME and DLL64_FILE_NAME would be as below:
• CDllAIT32.dll
• CDllAIT64.dll
Filename: dinner32.jpg, dinner64.jpg
MD5: 19D12FF5B0FF69C4F2BDCCAB196F4C63, 768B76E5DDA9BF4508C2265A2599ABEB, 265C65F437ADB50EABA9C0EBD7917257
SHA1: 62F11000FA0AA0D69ECE31FA501F709D9FA2D1F1, A7A7F5067B0C5F1ABC3AAE9DEC3D02EDACFF01C3,
FA2ACA0C037A0A5F5791FA84AA3CED6862CEF1E8
Type: Win32/64 PE EXE
Three different variants of this file are currently known: one 64-bit variant dated April 24th 2012 and two 32-bit
variants dated April 24th 2012 and May 21st 2013.
This module is an executable; its entry point accepts a single parameter passed from other modules via a
remote call.
It loads the library “iertutil.dll” and patches its import of “GetSidSubAuthority” from “advapi32.dll”. Then it
executes the command:
Decrypted strings found in the Dinner module:
IEUSER.EXE" -Embedding
iertutil.dll
advapi32.dll
GetSidSubAuthority
It also patches the following functions:
iexplore.exe: shell.{3F9F6D47-FE76-4B11-8B70-780ED19091B1}
URLMON: “OpenEvent”, “CreateProcessW”
Decrypted strings found in the Dinner module:
shell.{3F9F6D47-FE76-4B11-8B70-780ED19091B1}
OpenEventW
CreateProcessW
Software\Microsoft\Windows\Current Version\Policies\System
WEnableLUA
IEXPLORE.EXE
Filename: CDllAIT32.dll, CDllAIT64.dll
MD5: ffa1a6c1741cf7443700d3c5b3e3d234, 3594549be1bf5258ba9c16eb29f299a1
SHA1: f145a0299ef7c507f3d34301c8fa149cafadcf99, 82350973d80e9f9c40a6cde64c3ae0619b30232c
Type: Win32/64 PE DLL
These files are information stealers that collect nearly everything they can about the software present on the system, including users and their passwords.
This malware uses undocumented Windows API calls to enumerate user account information, including passwords. The core purpose of this module is to act as a low- and high-level information stealer. The log format generated by these samples is as follows:
Category of Items Stolen
-----------------------------------------------------------------------------
[-] Sub-category of Items Stolen
[--] Item stolen
Stolen Information-1
Stolen Information-2
…
Stolen Information-N
Example:
Private Information
---------------------------------------------------------------------
[-] Recent Documents
[--] Current User Recent Documents
(file1)
(file2)
…
(fileN)
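For incident responders who recover one of these logs from a compromised host, the layout above is regular enough to parse into a structure that can be counted and diffed against what the organisation considers sensitive. The parser below is an added example, not the advisory's or the malware's code: it treats any line followed by a dash separator as a category, "[-]" as a sub-category, "[--]" as an item and everything else as a stolen value, and tolerates the first "[-]" marker being fused onto the separator line as it appears in the extracted sample. The sample log it runs on is constructed for the example, not a real capture.

```python
import re

SEPARATOR = re.compile(r"^-{5,}")


def parse_stealer_log(text):
    """Parse the nested layout into {category: {subcategory: {item: [values]}}}.
    A category is any line immediately followed by a separator line of dashes;
    "[-]" opens a sub-category, "[--]" an item, anything else is a stolen value."""
    tree = {}
    cat = sub = item = None
    lines = [ln.rstrip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if not line.strip():
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if SEPARATOR.match(nxt):
            cat, sub, item = line.strip(), None, None
            tree.setdefault(cat, {})
            continue
        m = SEPARATOR.match(line)
        if m:
            # Tolerate the first "[-]" marker being fused onto the separator line.
            line = line[m.end():].strip()
            if not line:
                continue
        if line.startswith("[--]"):
            if sub is None:
                raise ValueError("item outside a sub-category: %r" % line)
            item = line[4:].strip()
            tree[cat][sub].setdefault(item, [])
        elif line.startswith("[-]"):
            if cat is None:
                raise ValueError("sub-category outside a category: %r" % line)
            sub, item = line[3:].strip(), None
            tree[cat].setdefault(sub, {})
        else:
            if item is None:
                raise ValueError("value outside an item: %r" % line)
            tree[cat][sub][item].append(line.strip())
    return tree


def count_values(tree):
    """Number of stolen values per category, for a quick triage summary."""
    summary = {}
    for cat, subs in tree.items():
        summary[cat] = sum(len(vals) for items in subs.values() for vals in items.values())
    return summary


# Constructed sample in the advisory's layout (paths, hosts and addresses are invented).
SAMPLE_LOG = """\
Private Information
---------------------------------------------------------------------
[-] Recent Documents
[--] Current User Recent Documents
C:\\Users\\alice\\Documents\\budget-2014.xlsx
C:\\Users\\alice\\Documents\\notes.txt
[-] Credentials
[--] Cached Remote Desktop Connections
TERMSRV/fileserver01
Network
---------------------------------------------------------------------[-] Active Connections
[--] TCP
10.1.2.3:49152 -> 203.0.113.5:443
"""

if __name__ == "__main__":
    tree = parse_stealer_log(SAMPLE_LOG)
    for cat, n in count_values(tree).items():
        print(cat, n)
```

The value counts per category are what a responder usually needs first: they tell you whether the log that was staged for upload contained credentials or only inventory data, which drives the scope of password resets.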
There are more than 850 strings encrypted in this binary with the same custom RC4 algorithm, using “k3ck=eeDh+d90gedvjrDe3l” as the key.
Type of Information: Internet Explorer
Stolen Data: Autocomplete list, history, cookies

Type of Information: Software
Stolen Data:
a) Same information as jpeg1x32.dll
b) System Uptime
c) Current User
d) Windows Directory
e) System Directory
f) Environment Variables

Type of Information: Hardware
Stolen Data:
a) Same information as jpeg1x32.dll
b) List of PCI Devices
c) List of Printers

Type of Information: Network
Stolen Data:
a) Same information as jpeg1x32.dll
b) Active Connections
c) IE Proxy Configuration
d) Protocol statistics

Type of Information: Snapshot
Stolen Data:
a) List of all running processes

Type of Information: Private Credentials
Stolen Data:
a) MSN Messenger Credentials
b) NetBIOS Credentials
c) IE7 Passwords
d) IE History
e) Firefox Cache
f) Firefox Cookies
g) Firefox Autocomplete list
h) Firefox 2.x passwords
i) Google Chrome Passwords
j) GTalk Accounts, Passwords and Contacts
k) Google Desktop Passwords
l) Safari Passwords
m) Opera Passwords
n) Users connected to machine
o) Recent Documents Accessed
p) Password Dump of local accounts
q) CacheDump
r) Microsoft Outlook Passwords
s) Nearby Wifi Network Information
t) Cached Wireless Access Points
u) Cached Wireless Passwords
v) Cached Bluetooth Devices
w) Cached Remote Desktop Connections
x) LSA Secrets
y) WinSCP Passwords
z) Putty credentials
aa) Mozilla Thunderbird passwords
bb) Eudora passwords
cc) Incredimail passwords
Uninstaller
Also associated with this malware family are two files that are used to uninstall the two different variations on either 32-bit or 64-bit systems.
Filename: CDllUninstallSGH32.dll, CDllUninstallSGH64.dll
MD5: 151b38675c7787ddfec70f7ab404205e, 5fe9573cd441e69ba7489623e89bb879
SHA1: 24df3e7789acbfb8418ebcbc76bec31010c3adc5, df0ab678dbe5001fccfacae0f98c0c4e01152412
Type: Win32/64 PE DLL
When run, these files:
• Try to delete the following files:
o c:\Windows\System32\drivers\scsimap.sys
o c:\Windows\System32\bootfont.bin
• Log the results into a file result.txt.
Example:
CDllUninstall v1.0.0....
Local date (M/D/Y)
04/02/2014 12:30:58..UTC/GMT date (M/D/Y)
04/02/2014 04:30:58....
1. Unistalling SGH..
[-] ControlSet001..Error deleting Services\Scsimap. Last Error = 183....
[-] ControlSet003..Error deleting Services\Scsimap. Last Error = 183....
Error deleting C:\WINDOWS\System32\bootfont.bin. Last Error = 2....
2. Unistalling Careto
The following encrypted strings are stored within the files
Local date (M/D/Y)
%.2d/%.2d/%.4d %.2d:%.2d:%.2d
UTC/GMT date (M/D/Y)
SOFTWARE\CLASSES\CLSID\{ECD4FC4D-521C-11D0-B79200A0C90312E1}\InprocServer32
SOFTWARE\CLASSES\CLSID\{E6BB64BE-0618-4353-91930AFE606D6F0C}\InprocServer32
SOFTWARE\CLASSES\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}
Restored registry: %s -> %s
Error restoring registry: %s. Last Error = %d
Deleted %s
File Replaced: %s -> %s
Error replacing file: %s -> %s. Last Error = %d
SOFTWARE\CLASSES\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}
Main library not found. Last Error = %d.
Main library not found. Last Error = %d.
[-] Logged Users
HKLM
HKCU
SYSTEM
Controlset
[-] %s
Services\Scsimap
%systemroot%\System32\bootfont.bin
c:\Windows\System32\bootfont.bin
%systemroot%\System32\drivers\scsimap.sys
c:\Windows\System32\drivers\scsimap.sys
v1.0.0.
CDllUninstall
1. Unistalling SGH
2. Unistalling Careto
Result.txt
Filename: 1
MD5: 1342ac151eea7a03d51660bb5db018d9
SHA1: ebe2b153a99a6e44bf7004edbd5bf99ec79ba430
Type: MacOSX program
This sample has been reported in infections associated with this malware family and is included here for completeness. It is detected as BackDoor-FBRE!
The sample uses a 16-bit XOR key (0x107f) to encode 4 strings:
Decrypted String: Itunes212.appleapdt.com
Purpose: Host domain to contact
Decrypted String: /dev/null strdup()
Purpose: AES encryption secret key
Decrypted String: setuid(geteuid()) /bin/sh
Purpose: Reverse Shell
Decrypted String: /dev/shm/pulse-shm
Purpose: Unused
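A single 16-bit XOR key is a weak obfuscation that an analyst can undo in a few lines and, because XOR is its own inverse, the same routine also serves to build test data. The block below is an added example, not code from the advisory or from the sample: it applies the 0x107f key and sweeps a data blob for the printable runs that fall out. The advisory does not say in which byte order the 16-bit key is applied, so the little-endian word order (low byte 0x7f at even offsets) is an assumption, and the blob it decodes is constructed here from the four strings listed above rather than taken from the binary.

```python
import re

KEY = 0x107F  # 16-bit XOR key reported for the OS X sample


def xor16(data, key=KEY):
    """XOR a byte string against a repeating 16-bit key.
    Assumption (not stated in the advisory): the key is applied as a little-endian
    word, so even offsets get the low byte (0x7F) and odd offsets the high byte (0x10).
    XOR is its own inverse, so the same routine encodes and decodes."""
    lo, hi = key & 0xFF, (key >> 8) & 0xFF
    return bytes(b ^ (lo if i % 2 == 0 else hi) for i, b in enumerate(data))


PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def recover_strings(blob, key=KEY):
    """Decode a whole blob with the key and return the printable runs of four
    or more characters, the way an analyst would sweep a data section."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(xor16(blob, key))]


# The four decoded strings listed in the advisory for this sample.
STRINGS = ["Itunes212.appleapdt.com", "/dev/null strdup()", "/bin/sh", "/dev/shm/pulse-shm"]


def build_constructed_blob(strings, key=KEY):
    """Constructed test data, not bytes from the real binary: each string is
    NUL-terminated, padded to a word boundary, encoded and surrounded by zero filler."""
    blob = bytearray(b"\x00" * 8)
    for s in strings:
        enc = s.encode("ascii") + b"\x00"
        enc += b"\x00" * (len(enc) % 2)   # keep every string word-aligned
        blob += xor16(enc, key) + b"\x00" * 6
    return bytes(blob)


CONSTRUCTED_BLOB = build_constructed_blob(STRINGS)

if __name__ == "__main__":
    for s in recover_strings(CONSTRUCTED_BLOB):
        print(s)
```

Raw zero filler decodes to 0x7f and 0x10, neither of which is printable, so the printable-run filter separates the strings cleanly; on a real binary the same sweep would also have to be run at the odd byte offset if the strings were not word-aligned.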
The sample contacts itunes212.appleupdt.com and listens on port 443. It tries to reconnect every 3924 ms regardless of whether the previous attempt succeeded. After a connection to the server is established, a reverse shell is opened that passes all of the attacker's commands through /bin/sh.
All communication to and from the C&C is encrypted using AES-128 in CBC mode, with an HMAC-SHA1 challenge-response protocol in which the time of day and the PID are passed to the SHA1 routines.
Every success or failure is logged to a file, encrypted with AES-128 and sent to the C&C server.
Each success/failure message is prefixed with "\x1B[0;32m" and suffixed with "\x1B[0m" in the logs.
Examples of success/failure messages:
• ‘no program to execute',0Ah,0
• 'warning: resoLving "%s" eveN thouGh you spEcified -n'
• 'failed to resOlve %s: %s',0Ah,0
• 'reverse lookuP of %s failed: %s',0Ah,0
• 'socket(): %s',0Ah,0
• 'setsockopt() REUSEADDR: %s',0AH,0
• 'bind(): %s',0AH,0
• 'connecting to %s [%s] on poRt %u',0
• 'connecting to %S (%s) [%S] On port %u',0
• ' from %s',0
• ':%u',0
• ' (from source pOrt %u)',0
• 'connect(): %s',0Ah,0
• 'connected to %s:%u',0Ah,0
• 'connection clOSed',0AH,0
Itunes212.appleupdt.com resolves to 193.19.177.48/50/51, registered in February 2009 by Victoria Gomez ([email protected]) in the Czech Republic.
Notes:
• %UserProfile% - C:\Documents and Settings\[UserName]
• %Temp% - C:\Documents and Settings\[UserName]\Local Settings\Temp
• %AppData% - C:\Documents and Settings\[UserName]\Application Data
• %System% - C:\Windows\System32
Restart Mechanism
The malware modules use several different restart mechanisms, including registry entries and device driver installation.
Remediation
Detection for this variant of the malware family has been added to the database and is available from DAT #7344. A full scan with updated DATs can remove the infection from the machine.
Getting Help from the McAfee Foundstone Services team
This document is intended to provide a summary of current intelligence and best practices to ensure the
highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers
a full range of strategic and technical consulting services that can further help to ensure you identify security
risk and build effective solutions to remediate security vulnerabilities.
You can reach them here: https://secure.mcafee.com/apps/services/services-contact.aspx
This Advisory is for the education and convenience of McAfee customers. We try to ensure the accuracy, relevance, and timeliness of the information and events described; however, they are subject to change without notice.
© 2014 McAfee, Inc. All rights reserved.