Fnut 2016/04/26 12:45
Link: researchcenter.paloaltonetworks.com/2016/04/uni…
0x00 Preface
We found a family of malware called "PWOBot", which is unusual in that it is written entirely in Python and compiled with PyInstaller to produce a Windows executable. The malware has affected a number of European organizations, particularly in Poland, and was distributed through a popular Polish file-sharing Web service.
The malware itself provides a wealth of functionality, including the ability to download and execute files, execute Python code, record keyboard input, generate an HTTP server, and mine bitcoin through the victim’s CPU and GPU.
There are at least 12 variants of PWOBot, and the malware has been active since late 2013. More recent attacks affecting European organizations took place between mid-2015 and the end of 2015.
0x01 Targets
Over the past six months, we have found that PWOBot has affected the following organizations:
- Polish national research institute
- Polish shipping line
- A large Polish retailer
- Polish information technology company
- Danish construction company
- French optical equipment provider
Most of the PWOBot samples were downloaded from Chomikuj.pl, a popular Polish file-sharing Web service, from a number of chomikuj[.]pl download URLs that were found to serve copies of PWOBot.
In addition, one instance of the malware was downloaded from http://108.61.167.105/favicon.png. This IP address is associated with tracking.huijang.com, a domain used by a significant number of PWOBot samples.
The following file names were found to propagate PWOBot:
- favicon.png
- Quick PDF to Word 3.0.exe
- XoristDecryptor 2.3.19.0 full ver.exe
- Easy Barcode Creator 2.2.6.exe
- Kingston Format Utility 1.0.3.0.exe
- Oracle Database 8.05.05 Premium.exe
- The Six Sigma Toolbox 1.0.122.exe
- Fizjologia sportu. Krótkie wykłady.exe [Physiology of sport. Short lectures.exe]
As the file names show, many PWOBot samples were disguised as legitimate software. In some cases the file names are Polish, suggesting that Polish users were the intended targets.
It is unclear how the malware was initially delivered to end users. The file names suggest that it most likely spread when users downloaded what they believed to be other software; phishing may also have been used to lure victims into downloading these files.
0x02 Malware Analysis
As mentioned at the outset, PWOBot is written entirely in Python, and the attacker uses PyInstaller to convert the Python code into a Windows executable. Because it is written in Python, it could easily be ported to other operating systems such as Linux or OS X.
On initial execution, PWOBot first uninstalls any previous version of itself that it finds. It queries the Run registry key to check whether a previous version exists: each version uses a Run value named pwo[VERSION], where [VERSION] is the PWOBot version number.
Figure 1 PWOBot uninstalling previous versions
After all previous versions have been uninstalled, PWOBot installs itself and creates a copy of its own executable file in the following location:
%HOMEPATH%/pwo[VERSION]
It then sets the following registry keys to point it to the newly copied executable:
HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/pwo[VERSION]
If this is the malware’s first run, PWOBot will execute the newly copied file in a new process.
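As an added example (not code from the original post or from PWOBot itself), the persistence artifacts just described, a Run value and a dropped copy both named pwo[VERSION], can be checked offline against a list of Run key values; the `pwo_persistence_hits` helper and the sample Run entries are constructed here.

```python
import re
from pathlib import PureWindowsPath

# PWOBot names both its Run value and its dropped copy pwo[VERSION], as described above.
PWO_NAME = re.compile(r"^pwo(\d+)$", re.IGNORECASE)


def _parts(p):
    """Lower-cased path components with the drive/root anchor dropped, so a raw
    %HOMEPATH% such as '\\Users\\alice' compares equal to 'C:\\Users\\alice'."""
    parts = p.parts[1:] if p.anchor else p.parts
    return [s.lower() for s in parts]


def _points_at(exe, expected):
    """True if exe is expected itself, a file under it, or expected plus an extension."""
    want = _parts(expected)
    n = len(want)
    if _parts(exe)[:n] == want:
        return True
    return bool(exe.name) and _parts(exe.with_suffix(""))[:n] == want


def pwo_persistence_hits(run_values, homepath):
    """Scan (value_name, value_data) pairs read from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run and return
    (value_name, version, confidence) for every pwo[VERSION]-style value.
    Confidence is 'high' when the data also points at %HOMEPATH%\\pwo[VERSION]."""
    home = PureWindowsPath(homepath)
    hits = []
    for name, data in run_values:
        m = PWO_NAME.match(name.strip())
        if not m:
            continue
        version = int(m.group(1))
        exe = PureWindowsPath(data.strip().strip('"'))  # Run data is often quoted
        strong = _points_at(exe, home / f"pwo{version}")
        hits.append((name, version, "high" if strong else "low"))
    return hits


# Constructed sample Run values (hypothetical, not captured from a real host).
SAMPLE_RUN = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("pwo6", r"C:\Users\alice\pwo6\pwo6.exe"),
    ("pwo12", r"C:\ProgramData\updater.exe"),
]

if __name__ == "__main__":
    for hit in pwo_persistence_hits(SAMPLE_RUN, r"\Users\alice"):
        print(hit)
```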
Once installed, PWOBot hooks various keyboard and mouse events, which are used for its keylogging functionality. PWOBot is written in a modular style, allowing the attacker to include different modules at run time. Based on analysis of the existing samples, the following modules were found in PWOBot:
- PWOLauncher: Download/execute files, or execute local files
- PWOHTTPD: Spawns an HTTP server on the victim machine
- PWOKeyLogger: Keylogging on the victim’s machine
- PWOMiner: Mines bitcoin using the CPU/GPU of the victim’s machine
- PWOPyExec: Runs Python code
- PWOQuery: Queries the remote URL and returns the result
PWOBot has two configuration files: one specifies the malware's settings, the other determines which remote server PWOBot connects to when it runs.
Figure 2 PWOBot Settings Configuration
Figure 3 PWOBot Remote Server Configuration
As the configuration shows, PWOBot bundles a number of Windows executables, which are included when the attacker compiles the code with PyInstaller. These executables are used for bitcoin mining and for proxying requests through Tor. The mining binaries are compiled versions of Minerd and CGMiner, which mine bitcoin on the CPU and GPU respectively.
PWOBot also uses the Tor anonymity network to encrypt communications with the attacker's remote servers. Its network protocol consists of Python dictionaries. At a configured interval, PWOBot sends a notification to the remote server; an example notification looks like this:
{
    1: '16ea15e51a413f38c7e3bdb456585e3c',
    3: 6,
    4: '[REDACTED-USERNAME]',
    5: True,
    6: {
        1: 'Darwin',
        2: 'PANHOSTNAME',
        3: '14.5.0',
        4: 'Darwin Kernel Version 14.5.0: Tue Sep 1 21:23:09 PDT 2015; root:xnu-2782.50.1~1/RELEASE_X86_64',
        5: 'x86_64',
        6: 'i386',
        7: 8
    },
    7: {
        1: 'en_US',
        2: 'UTF-8',
        3: 25200
    }
}
Each integer key in the message above is an enumeration value. Substituting the enumeration names shows the data that was sent more clearly:
{
    BOT_ID: '16ea15e51a413f38c7e3bdb456585e3c',
    VERSION: 6,
    USER: '[REDACTED-USERNAME]',
    IS_ADMIN: True,
    PLATFORM: {
        SYSTEM: 'Darwin',
        NODE: 'PANHOSTNAME',
        RELEASE: '14.5.0',
        VERSION: 'Darwin Kernel Version 14.5.0: Tue Sep 1 21:23:09 PDT 2015; root:xnu-2782.50.1~1/RELEASE_X86_64',
        MACHINE: 'x86_64',
        PROCESSOR: 'i386',
        CORES: 8
    },
    LOCALE: {
        LANGUAGE: 'en_US',
        ENCODING: 'UTF-8',
        TIMEZONE: 25200
    }
}
After the notification is sent, the attacker may choose to provide an instruction to the PWOBot to perform one of the previously defined services. The results of the above actions are subsequently uploaded to the attacker using the same format.
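The following is an added example, not part of the original analysis, that decodes a captured notification from the integer-keyed form into the named form using the field names given above; `parse_beacon` and `decode_beacon` are names chosen here, and the message is assumed to have been captured as the Python-literal text shown.

```python
import ast

# Field names for the integer keys, taken from the two renderings of the same
# notification above. Nested dictionaries carry their own enumerations, so the
# mapping is selected by the parent field rather than shared globally.
TOP = {1: "BOT_ID", 3: "VERSION", 4: "USER", 5: "IS_ADMIN", 6: "PLATFORM", 7: "LOCALE"}
PLATFORM = {1: "SYSTEM", 2: "NODE", 3: "RELEASE", 4: "VERSION", 5: "MACHINE",
            6: "PROCESSOR", 7: "CORES"}
LOCALE = {1: "LANGUAGE", 2: "ENCODING", 3: "TIMEZONE"}
NESTED = {"PLATFORM": PLATFORM, "LOCALE": LOCALE}


def parse_beacon(text):
    """Parse a notification captured as Python-literal text (an assumption made
    here). ast.literal_eval accepts only literals, so unlike eval() or pickle
    it cannot run code embedded in a hostile capture."""
    msg = ast.literal_eval(text)
    if not isinstance(msg, dict):
        raise ValueError("notification is not a dictionary")
    return msg


def decode_beacon(raw):
    """Replace integer keys with field names. Keys that are not in the tables
    (for example key 2, which the message above does not use) are kept as
    UNKNOWN_<n> instead of being dropped, so fields added by a newer variant
    remain visible to the analyst."""
    out = {}
    for key, value in raw.items():
        name = TOP.get(key, f"UNKNOWN_{key}")
        sub = NESTED.get(name)
        if sub is not None and isinstance(value, dict):
            value = {sub.get(k, f"UNKNOWN_{k}"): v for k, v in value.items()}
        out[name] = value
    return out


# The notification shown above, as captured text.
SAMPLE = """{1: '16ea15e51a413f38c7e3bdb456585e3c', 3: 6, 4: '[REDACTED-USERNAME]', 5: True,
 6: {1: 'Darwin', 2: 'PANHOSTNAME', 3: '14.5.0',
     4: 'Darwin Kernel Version 14.5.0: Tue Sep 1 21:23:09 PDT 2015; root:xnu-2782.50.1~1/RELEASE_X86_64',
     5: 'x86_64', 6: 'i386', 7: 8},
 7: {1: 'en_US', 2: 'UTF-8', 3: 25200}}"""

if __name__ == "__main__":
    decoded = decode_beacon(parse_beacon(SAMPLE))
    print(decoded["BOT_ID"], decoded["VERSION"], decoded["PLATFORM"]["NODE"])
```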
Based on the most recent version found by Palo Alto Networks' Unit 42, at least 12 variants of PWOBot exist. Of these 12 versions, we have found versions 5, 6, 7, 9, 10 and 12 in the wild. The differences between versions are minimal and consist mainly of performance changes.
0x03 Conclusion
PWOBot is an interesting malware family because it is written entirely in Python. Although it has historically only affected Windows, it could easily be ported to Linux and OS X because its underlying code is cross-platform. This fact and its modular design make PWOBot a potentially significant threat.
The malware family has not been publicly disclosed before. It is currently confirmed to have affected several organizations in Europe.
Palo Alto Networks customers are protected in the following ways:
- All PWOBot samples are correctly classified as malicious by the WildFire service.
- Domains associated with PWOBot have been classified as malicious.
- AutoFocus users can use the PWOBot tag to monitor this threat.
References:
- http://www.pyinstaller.org/
- https://www.torproject.org/
- https://github.com/pan-unit42/iocs/tree/master/pwobot/hashes.txt