Unseen Dangers Lurking Behind Evasive Secureserver.net URLs

Banking trojans continue to evolve quickly, affecting major banking organizations across the globe. We’ve seen an increase in malware using secureserver[.]net to target Spanish and Portuguese-speaking regions covering Latin America financial institutions.Additionally, hackers are also targeting Spanish and Portuguese-speaking European countries and other parts of the world.

This campaign is spread via URL secureserver[.]net, which is a hosting site that also offers domain name registration and web hosting services worldwide. During our research within X-Labs, we have observed that this domain is frequently abused to host malicious content.

Initial Access 

_{Fig. 1 - Initial access}
 

_{Fig. 2 - Initial access #2}
 

The email contains embedded secureserver[.]net hosted url following pattern: https:\/\/\d{2,3}\.\d{2,3}\.\d{2,3}\.\d{2,3}\.host\.secureserver\.net

The URL when browsed from locations other than North and South American region either shows a blank page or redirects to some other clean pages. We tried to browse similar URL in Portugal and it downloaded an archive file. The archive file contains an .hta file, which itself contains bit of obfuscation.
 

HTA file:

The file contains URL which contains code:

198.148.167.72.secureserver[.]net/OQQst11/gV7Pus771.js

_{Fig. 3 - HTA file}

JavaScript Code:

_{Fig. 4 - JavaScript code}
 

JavaScript code again resolves to an URL, “198.148.167.72.host.secureserver[.]net/VFb51.vbs” which contains VBS code.

First Stage VBS Code

_{Fig. 5 - First stage VBS code}
 

The script on execution drops itself in C:\Public as {{randomfilename}}.vbs and executes that VBS using shell. The VBS script contains the URL which is browsed, and another level of execution is performed:
 

2nd Stage VBS code snip

_{Fig 6 - Second stage VBS code}

Obfuscated JavaScript

_{Fig. 7 Obfuscated JavaScript}
 

The script is obfuscated using JS, which is specifically tailored to run in web browsers. 

On Deobfuscating the code, we can depict behavior of the campaign statically.

Deobfuscated code and static analysis:

On Deobfuscation the code, we found it checks for various criteria before dropping actual payload: 1) Antivirus check 2) VM check 3) OS and BIOS check

Antivirus check:

_{Fig. 8 - Antivirus check} 

VM and BIOS check

_{Fig. 9 - VM and BIOS check}

Operating system and OS language check

 _{Fig. 10 - Operating system and OS language check}
 

 _{Fig. 11 - Operating system and OS language check (continued)}

If all the above criteria is satisfied, it creates folder in the HOMEDRIVE network and downloads AutoIt executable and encoded script in the folder and creates a shortcut for that folder in Startup: 

_{Fig 12 - AutoIT executable}

The above image shows three URLs, which when browsed, drop file in a system network location:

• Hxxps://45[.]40.96.231\/AutoIt3 – AutoIt script
• Hxxps://45[.]40.96.231\/AutoIt3.exe – AutoIt executable
• Hxxps://45[.]40.96.231\/jama1crt – Some dependency file which is responsible for malicious activity 

From here, it creates a shortcut that runs on startup:

 _{Fig. 13 - Shortcut runs on startup}
 

AutoIt encoded and de-coded script and analysis:

_{Fig. 14 - AutoIt encoded header (see top left)} 

 Decoded Script

The decoded script is huge with lots of checks, primarily doing process injection in memory. A part of decoded script shows injection in a PE file which starts with 0x4D5A header for Executable file followed by a BinaryToString conversion of the hexadecimal code responsible for loading DLL into memory and invoking its export function:

_{Fig. 15 - Decoded script} 

On execution of AutoIt encoded file and autoit.exe along with dependency file jama1crt mentioned above, it drops a memory dump file. On statically analyzing the memory dump file, we found it again contained embedded AutoIt file: 

 _{Fig. 16 - Memory dump file contains AutoIt}

This encoded script does rest of the injection in memory by using process like ALLOCATEEXESPACE, UNMAPVIEWSECTION, ALLOCATEEXESPACEATADDRESS and injects malicious code in one of the Microsoft’s legit Process, mobsync.exe:

_{Fig. 17 - Injecting malicious code in mobsynch}

 _{Fig. 18 - Injecting malicious code in mobsync (continued)}

Some important behavior performed by the malware that’s worth noting: 1) It checks system language and location 2) It adds processor information to the registry to detect sandboxing and 3) It checks system info

 After execution and performing malicious injection in mobsync.exe, it connects to malicious C2s giving out important information such as Computer Name, System Information, User, and admin details and other important information’s.

Conclusion:

The malware is distributed via geo-fenced URLs embedded in the email with the main motive being to steal the credentials from victim’s system by infecting victim’s system with process injection using the AutoIt script and tools. URLs mostly work in the North and South American regions with the intention to steal banking information and act as banking trojans or infostealers. 

Once browsed from the email, the URL drops an archive file that contains an .HTA file. The HTA file then connects to a malicious URL and performs a series of activities, including browsing encoded JS via the browser. It later results in dropping the AutoIt script, executable and dependency payload. 

When all are executed together, it performs process injection in memory of the system. Being evasive in nature, the file executes checking the system language, location, and other environment variables. After successful execution, it connects to malicious C2s providing sensitive information to attackers. 

Additional Information:

While working on the campaign, it was observed apart from following the pattern which is mentioned before, it also actively stole information by phishing techniques and directly dropping executables in archive file. 

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

• Stage 2 (Lure) – Delivered via weaponized URL embedded in an email. Emails and embedded URLs are blocked by email analytics, web analytics respectively and Real Time Security Analytics.
• Stage 3 (Redirect) – Identified redirections to download multiple payloads are categorized and blocked under security classification.
• Stage 5 (Dropper File) - The dropper files are added to Forcepoint malicious database and are blocked.
• Stage 6 (Call Home) - The malware contacts command and control servers (C&C) for giving out sensitive user data are categorized and blocked under security classification. 

Indicator of Compromise: