Unseen Dangers Lurking Behind Evasive Secureserver.net URLs
Prashant Kumar
Banking trojans continue to evolve quickly and affect major banking organizations across the globe. We have seen an increase in malware abusing secureserver[.]net infrastructure to target Spanish- and Portuguese-speaking regions, primarily financial institutions in Latin America. The same actors also target Spanish- and Portuguese-speaking European countries and other parts of the world.
This campaign is spread via URLs hosted on secureserver[.]net, a hosting service that also offers domain name registration and web hosting worldwide. During our research in X-Labs, we have observed that this domain is frequently abused to host malicious content.
Initial Access
Fig. 1 - Initial access
Fig. 2 - Initial access #2
The email contains an embedded URL hosted on secureserver[.]net that matches the following pattern (as a regular expression): https:\/\/\d{2,3}\.\d{2,3}\.\d{2,3}\.\d{2,3}\.host\.secureserver\.net
The URL is geo-fenced: when browsed from outside the North and South American regions it either shows a blank page or redirects to an unrelated clean page. When we browsed a similar URL from Portugal, it downloaded an archive file. The archive contains an .hta file, which is itself lightly obfuscated.
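As an added example (mine, not part of the original report), the following Python turns the URL pattern above into a mail-body triage check. The lure regex is the one published above; the sample email bodies are constructed for this example, and the helper also refangs indicators written in the `hxxp://` / `[.]` style this report uses so the second-stage URLs from its IoC list can be matched against live URLs.

```python
import re

# The lure pattern as published in the report: four 2-3 digit octets followed by
# .host.secureserver.net over HTTPS. Any path after the host is accepted.
LURE_URL_RE = re.compile(
    r"https://\d{2,3}\.\d{2,3}\.\d{2,3}\.\d{2,3}\.host\.secureserver\.net(?:/\S*)?",
    re.IGNORECASE,
)

# Generic extractor for http(s) URLs in a plain-text email body.
ANY_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp://, [.], escaped slashes) back into a real URL."""
    return (ioc.strip()
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("\\/", "/"))


def extract_urls(body: str) -> list[str]:
    """Return every http(s) URL in an email body, with trailing punctuation stripped."""
    return [u.rstrip(".,;)") for u in ANY_URL_RE.findall(body)]


def is_lure(url: str) -> bool:
    """True when a URL matches the IP-prefixed host.secureserver.net lure pattern."""
    return LURE_URL_RE.fullmatch(url) is not None


def triage(bodies: list[str], known_bad: set[str]) -> list[tuple[int, str, str]]:
    """Scan email bodies and return (body index, url, reason) for every hit.

    reason is "lure-pattern" for a regex match and "known-ioc" for an exact match
    against refanged indicators taken from the report.
    """
    hits = []
    for i, body in enumerate(bodies):
        for url in extract_urls(body):
            if is_lure(url):
                hits.append((i, url, "lure-pattern"))
            elif url in known_bad:
                hits.append((i, url, "known-ioc"))
    return hits


# Constructed sample data: these bodies are not real lures from the campaign.
SAMPLE_BODIES = [
    "Seu comprovante de pagamento: https://198.148.167.72.host.secureserver.net/OQQst11/ obrigado.",
    "Your invoice is at https://www.example.com/invoice/123 (due Friday).",
    "Factura pendiente: https://10.20.30.40.host.secureserver.net/doc",
    "Hosted assets: https://img.host.secureserver.net/logo.png",   # no IP prefix: not the lure pattern
    "Update: http://45.40.96.231/AutoIt3.exe",                      # second-stage URL from the IoC list
]

# Second-stage URLs copied from the report's IoC list and refanged.
KNOWN_BAD = {refang(u) for u in (
    "hxxp://45.40.96[.]231/AutoIt3",
    "hxxp://45.40.96[.]231/AutoIt3.exe",
    "hxxp://45.40.96[.]231/jama1crt",
)}

if __name__ == "__main__":
    for hit in triage(SAMPLE_BODIES, KNOWN_BAD):
        print(hit)
```

Two caveats when hunting with this: the published pattern requires two or three digits per octet, so a single-digit octet would not match and you may want to relax it to `\d{1,3}` for retrospective searches, and because the lures are geo-fenced, a detonation from outside the targeted regions will see only the blank or redirect page the report describes, not the archive.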
HTA file:
The HTA file contains a URL from which the next stage is fetched:
198.148.167[.]72.host.secureserver.net/OQQst11/gV7Pus771.js
Fig. 3 - HTA file
JavaScript Code:
Fig. 4 - JavaScript code
The JavaScript code in turn resolves a further URL, “198.148.167[.]72.host.secureserver.net/VFb51.vbs”, which returns VBS code.
First Stage VBS Code
Fig. 5 - First stage VBS code
On execution the script drops a copy of itself in C:\Public as {{randomfilename}}.vbs and runs that copy via the shell. The dropped VBS script contains the URL that is browsed next, and another level of execution is performed:
Second stage VBS code snippet
Fig. 6 - Second stage VBS code
From here the actual malware behavior starts: it connects to “198.148.167[.]72.host.secureserver.net/g1” and downloads encoded JavaScript.
The URL returns an obfuscated JavaScript payload:
Obfuscated JavaScript
Fig. 7 - Obfuscated JavaScript
The script is obfuscated JavaScript, specifically tailored to run inside a web browser.
After deobfuscating the code, we can describe the behavior of the campaign statically.
Deobfuscated code and static analysis:
On deobfuscating the code, we found that it checks several criteria before dropping the actual payload: 1) antivirus check, 2) VM check, 3) OS and BIOS check.
Antivirus check:
Fig. 8 - Antivirus check
VM and BIOS check
Fig. 9 - VM and BIOS check
Operating system and OS language check
Fig. 10 - Operating system and OS language check
Fig. 11 - Operating system and OS language check (continued)
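The figures show these checks but not the code behind them. As an added example (mine, not the report's), here is a small static triage scanner in Python that flags the WMI and WSH idioms commonly used to implement antivirus, virtualization, BIOS, OS and language checks in deobfuscated JScript or VBScript. The indicator list and the sample script are assumptions constructed for this example, not strings taken from the campaign.

```python
import re
from collections import defaultdict

# Evasion idioms commonly seen in Windows Script Host malware. These are assumed,
# typical patterns for illustration, not strings taken from the campaign's code.
EVASION_PATTERNS = {
    "antivirus": [
        r"root\\+SecurityCenter2?",          # WMI namespace that lists installed AV products
        r"AntiVirusProduct",
    ],
    "vm": [
        r"Win32_ComputerSystem",             # Manufacturer/Model reveal VMware, VirtualBox, QEMU
        r"\b(VMware|VirtualBox|VBOX|QEMU|Xen|Hyper-V)\b",
    ],
    "bios": [
        r"Win32_BIOS",
        r"SerialNumber",
    ],
    "os": [
        r"Win32_OperatingSystem",
        r"\bOSLanguage\b|\bMUILanguages\b|\bLocale\b",
    ],
}

COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in EVASION_PATTERNS.items()}


def scan_script(text: str) -> dict[str, list[str]]:
    """Return {category: [matched strings]} for every evasion idiom found in the script."""
    found = defaultdict(list)
    for cat, regs in COMPILED.items():
        for rx in regs:
            for m in rx.finditer(text):
                found[cat].append(m.group(0))
    return dict(found)


def verdict(report: dict[str, list[str]]) -> str:
    """Crude scoring: three or more distinct check categories is a strong evasion signal."""
    n = len(report)
    if n >= 3:
        return "evasive"
    if n >= 1:
        return "suspicious"
    return "clean"


# Constructed deobfuscated JScript fragment resembling the kind of checks the report
# describes. This is sample data, not the campaign's actual code.
SAMPLE_JS = r'''
var wmi = GetObject("winmgmts:\\\\.\\root\\SecurityCenter2");
var av = new Enumerator(wmi.ExecQuery("SELECT * FROM AntiVirusProduct"));
var cs = new Enumerator(GetObject("winmgmts:").ExecQuery("SELECT * FROM Win32_ComputerSystem"));
if (/VMware|VirtualBox/i.test(cs.item().Model)) WScript.Quit();
var bios = new Enumerator(GetObject("winmgmts:").ExecQuery("SELECT * FROM Win32_BIOS"));
var os = new Enumerator(GetObject("winmgmts:").ExecQuery("SELECT OSLanguage FROM Win32_OperatingSystem"));
'''

if __name__ == "__main__":
    rep = scan_script(SAMPLE_JS)
    for cat, hits in rep.items():
        print(cat, sorted(set(hits)))
    print(verdict(rep))
```

The scanner only works on deobfuscated text; run it on the output of your deobfuscation pass, and treat the category count rather than any single string as the signal, since legitimate admin scripts also query Win32_OperatingSystem.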
If all of the above criteria are satisfied, it creates a folder on the drive given by %HOMEDRIVE%, downloads the AutoIt executable and an encoded AutoIt script into that folder, and creates a shortcut to it in the Startup folder:
Fig. 12 - AutoIt executable
The above image shows three URLs which, when browsed, drop files into that folder:
- hxxps://45.40.96[.]231/AutoIt3 – encoded AutoIt script
- hxxps://45.40.96[.]231/AutoIt3.exe – AutoIt interpreter executable
- hxxps://45.40.96[.]231/jama1crt – dependency file used by the malicious script
From here, it creates a shortcut that runs on startup:
Fig. 13 - Shortcut runs on startup
AutoIt encoded and decoded script and analysis:
Fig. 14 - AutoIt encoded header (see top left)
Decoded Script
The decoded script is large and contains many checks; its primary purpose is in-memory process injection. Part of the decoded script shows the injection of a PE file, recognizable by its 0x4D5A (“MZ”) executable header, followed by a BinaryToString conversion of the hexadecimal code responsible for loading the DLL into memory and invoking its export function:
Fig. 15 - Decoded script
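As an added example (mine, not code from the report), the following Python does statically what BinaryToString() does at run time: it carves the 0x4D5A... hex literal out of a decoded AutoIt script and validates the DOS and PE headers, so the analyst gets the architecture and DLL/EXE type of the embedded payload without executing it. The decoded-script fragment and the stub PE header are constructed sample data, not the campaign's script.

```python
import re
import struct

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002

# A hex literal beginning with the MZ magic (4D5A), as handed to BinaryToString().
MZ_HEX_RE = re.compile(r"0x(4D5A[0-9A-Fa-f]{2,})", re.IGNORECASE)


def carve_pe_blobs(script_text: str) -> list[bytes]:
    """Find every 0x4D5A... hex literal in a decoded AutoIt script and decode it to bytes."""
    blobs = []
    for m in MZ_HEX_RE.finditer(script_text):
        hexstr = m.group(1)
        if len(hexstr) % 2:            # odd-length literal: drop the dangling nibble
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr))
    return blobs


def parse_pe_header(data: bytes) -> dict:
    """Validate the DOS/NT headers and return architecture, image type and section count."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    (machine, n_sections, _stamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    # Optional header follows the 20-byte COFF header; its first WORD is the PE32/PE32+ magic.
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0] if opt_size >= 2 else None
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": n_sections,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_executable": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
    }


def build_stub_pe(machine: int = 0x8664, characteristics: int = 0x2022) -> bytes:
    """Construct a minimal, non-runnable PE header for testing (sample data, not malware)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 24, characteristics)
    opt = struct.pack("<H", 0x20B if machine == 0x8664 else 0x10B) + b"\0" * 22
    return dos + b"PE\0\0" + coff + opt


# Constructed decoded-script fragment in the shape the report describes: an MZ-prefixed
# hex literal passed to BinaryToString(). Not the campaign's script.
SAMPLE_DECODED_SCRIPT = (
    'Local $sPayload = BinaryToString("0x' + build_stub_pe().hex().upper() + '")\n'
    'Local $sLoader = BinaryToString("0x4883EC28")\n'    # not MZ: ignored by the carver
)

if __name__ == "__main__":
    for blob in carve_pe_blobs(SAMPLE_DECODED_SCRIPT):
        print(parse_pe_header(blob))
```

On a real decoded script the carved bytes can be written to disk and fed to a PE parser for the export table; the second, non-MZ literal in the sample stands in for the loader shellcode the report mentions, which this carver deliberately leaves alone.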
On executing the encoded AutoIt script with AutoIt3.exe and the dependency file jama1crt mentioned above, it produces a memory dump file. Statically analyzing the memory dump, we found that it again contained an embedded AutoIt script:
Fig. 16 - Memory dump file contains AutoIt
This encoded script performs the rest of the injection in memory using routines named ALLOCATEEXESPACE, UNMAPVIEWSECTION and ALLOCATEEXESPACEATADDRESS, and injects malicious code into a legitimate Microsoft process, mobsync.exe:
Fig. 17 - Injecting malicious code in mobsync
Fig. 18 - Injecting malicious code in mobsync (continued)
Some important behaviors performed by the malware that are worth noting: 1) it checks the system language and location, 2) it writes processor information to the registry to detect sandboxing, and 3) it collects system information.
After execution and injection into mobsync.exe, it connects to the malicious C2s and sends information such as the computer name, system information, user and admin details, and other sensitive data.
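As an added example (mine, not part of the report), the following Python correlates the endpoint telemetry a defender would see from this chain: a Startup .lnk written by a script host, AutoIt3.exe launched from an unusual folder, a remote thread created in mobsync.exe by that untrusted process, and a network connection from the injected mobsync.exe. The event records mimic the field names of Sysmon events 1, 3, 8 and 11 and are constructed sample data; the folder name C:\KjhsdfP and the process GUIDs are assumptions, while the C2 hostname is the one from the report's IoC list, refanged.

```python
import ntpath

# Constructed sample events in the shape of Sysmon ProcessCreate (1), NetworkConnect (3),
# CreateRemoteThread (8) and FileCreate (11). Paths and GUIDs are made up for the example.
SAMPLE_EVENTS = [
    {"id": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk"},
    {"id": 1, "ProcessGuid": "A1", "Image": r"C:\KjhsdfP\AutoIt3.exe",
     "CommandLine": r"C:\KjhsdfP\AutoIt3.exe C:\KjhsdfP\AutoIt3"},
    {"id": 1, "ProcessGuid": "M1", "Image": r"C:\Windows\System32\mobsync.exe",
     "CommandLine": r"C:\Windows\System32\mobsync.exe"},
    {"id": 8, "SourceProcessGuid": "A1", "SourceImage": r"C:\KjhsdfP\AutoIt3.exe",
     "TargetProcessGuid": "M1", "TargetImage": r"C:\Windows\System32\mobsync.exe"},
    {"id": 3, "ProcessGuid": "M1", "Image": r"C:\Windows\System32\mobsync.exe",
     "DestinationHostname": "jpmorgan-fisrt.homelinux.com", "DestinationPort": 443},
    # Benign noise: a second mobsync.exe that nobody injected into, making its own connection.
    {"id": 1, "ProcessGuid": "M2", "Image": r"C:\Windows\System32\mobsync.exe",
     "CommandLine": r"C:\Windows\System32\mobsync.exe"},
    {"id": 3, "ProcessGuid": "M2", "Image": r"C:\Windows\System32\mobsync.exe",
     "DestinationHostname": "onedrive.live.com", "DestinationPort": 443},
]

TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def detect(events: list[dict]) -> list[dict]:
    """Correlate the chain: Startup .lnk by a script host -> AutoIt from an odd path
    -> remote thread into mobsync.exe -> network connect from the injected process."""
    alerts = []
    injected = set()   # ProcessGuids of mobsync.exe instances that received a remote thread
    for ev in events:
        if (ev["id"] == 11 and basename(ev["Image"]) in SCRIPT_HOSTS
                and ev["TargetFilename"].lower().endswith(".lnk")
                and STARTUP_FRAGMENT in ev["TargetFilename"].lower()):
            alerts.append({"rule": "startup-lnk-by-script-host", "file": ev["TargetFilename"]})
        elif (ev["id"] == 1 and basename(ev["Image"]) == "autoit3.exe"
                and not in_trusted_dir(ev["Image"])):
            alerts.append({"rule": "autoit-from-untrusted-path", "image": ev["Image"]})
        elif (ev["id"] == 8 and basename(ev["TargetImage"]) == "mobsync.exe"
                and not in_trusted_dir(ev["SourceImage"])):
            injected.add(ev["TargetProcessGuid"])
            alerts.append({"rule": "remote-thread-into-mobsync", "source": ev["SourceImage"]})
        elif ev["id"] == 3 and ev["ProcessGuid"] in injected:
            alerts.append({"rule": "c2-from-injected-mobsync", "dest": ev["DestinationHostname"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The last rule keys on the injected process GUID rather than on the hostname, so it still fires when the actor rotates C2 domains. Sysmon event 8 only records CreateRemoteThread; the UNMAPVIEWSECTION routine named above suggests section unmapping of the kind used in process hollowing, so in production also watch event 10 (ProcessAccess) for an untrusted source opening mobsync.exe with write and create-thread rights.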
Conclusion:
The malware is distributed via geo-fenced URLs embedded in email. Its main motive is to steal credentials from the victim's system after infecting it through in-memory process injection driven by the AutoIt script and tooling. The URLs mostly work from the North and South American regions, and the payloads act as banking trojans or infostealers.
Once the URL from the email is browsed, it drops an archive file containing an .HTA file. The HTA file connects to a malicious URL and performs a series of stages, including fetching encoded JavaScript via the browser, which finally drops the AutoIt script, the AutoIt executable and the dependency payload.
When all three are executed together, the script performs process injection in memory. Being evasive in nature, it first checks the system language, location and other environment properties. After successful execution, it connects to malicious C2s and hands sensitive information to the attackers.
Additional Information:
While working on this campaign, we observed that, apart from the chain described above, the actors also steal information through phishing pages and by directly dropping executables inside archive files.
Protection Statement
Forcepoint customers are protected against this threat at the following stages of attack:
- Stage 2 (Lure) – Delivered via a weaponized URL embedded in an email. The emails and embedded URLs are blocked by email analytics, web analytics and Real Time Security Analytics respectively.
- Stage 3 (Redirect) – Identified redirections used to download the multiple payloads are categorized and blocked under security classification.
- Stage 5 (Dropper File) – The dropper files are added to the Forcepoint malicious database and are blocked.
- Stage 6 (Call Home) – The command and control (C&C) servers that the malware contacts to exfiltrate sensitive user data are categorized and blocked under security classification.
Indicators of Compromise:
Type | Indicator
Initial URL pattern (regular expression) | https:\/\/\d{2,3}\.\d{2,3}\.\d{2,3}\.\d{2,3}\.host\.secureserver\.net
HTA file (SHA-1) | 37768083ff57e77850667394e0d27e8717e3eb35
HTA file (SHA-1) | c76eff517bd7c5e6d1f8ede73e9d260195e42c42
HTA file (SHA-1) | 354b48288f2cc0eeefef2011e5ab38a7cb20fbf7
HTA file (SHA-1) | 70ebed2ed13a350e59faa5c254ee099e2653c61e
HTA file (SHA-1) | d3402ca43a7ebf6f2b944bf83e62261312761c53
VBS file (SHA-1) | 8ae1dfa8e9544c0b9a6079aa18708f5fe5a82ee5
VBS file (SHA-1) | 4114fb23a7211f0721f87947e8b5b5258f5ed47a
VBS file (SHA-1) | 8655717e2a3ced90d352a7faf2586a73cefea7d8
Obfuscated JScript (SHA-1) | e156707c3ee3c40ca64f66447c5e36de3ae90eba
AutoIt script (SHA-1) | c1e2c1fddec0ed9676ed8ce38dbaf2006b50a31e
URL | hxxp://45.40.96[.]231/AutoIt3
URL | hxxp://45.40.96[.]231/AutoIt3.exe
URL | hxxp://45.40.96[.]231/jama1crt
URL | hxxps://www.rekemchiwdnas[.]com/jm1
URL | hxxps://198.148.167[.]72.host.secureserver.net/OQQst11/gV7Pus771.js
URL | hxxps://198.148.167[.]72.host.secureserver.net/VFb51.vbs
C2 | jpmorgan-fisrt.homelinux[.]com
Prashant Kumar
Prashant serves as a Security Researcher for the X-Labs Threat Research Content. He spends his time researching web and email-based cyberattacks with a particular focus on URL research, email security and analyzing malware campaigns.