360 Security Guard · 2016/06/22 14:53
You’ll never wake up a fool. But the delivery guy can!
Although it is a joke, but it does reflect the importance of express in everyone’s heart. If you get an E-mail notification from a delivery company, don’t you want to open it to see if a friend has something waiting for you? We recently received one such email attachment with the tracking number. The only thing that doesn’t suit you is that there aren’t many people using FedEx in China… Uppercase PITY…
0x00 Trojan start — fedex_ID_00645987.doc.js
This so-called doc document is actually a javascript script, and the contents of the script… What a mess…
After simple decryption and formatting, we present a beautiful script format as follows:
The main function of the script is to cycle download and execute the Trojan. 5 domain names are provided for download in the script (the domain name is used as a backup, if the previous domain name can be downloaded, do not try the following domain name) :
The script obtains different files by passing different parameters to the URL (if the status code is 200 and the content returned is larger than 1000 bytes, the download is judged as successful).
Finally, muma obtained the following files (P.S. according to follow-up measurement, these five files are still being updated irregularly on the server side, and this paper only describes the behavior of the samples downloaded at the time of writing this article) :
As shown in the above table, the five files downloaded to the local script are actually divided into three groups: A1. exe and a2.exe run independently. A.exe, php4ts.dll, and a.hp are in the same group. All three files must exist for the script to execute the Trojan, and it also cleans up the battlefield after the third set — removing the Trojan file and changing the registry value to associate with the encrypted file:
According to VT scan results, 12 products out of 54 global mainstream software can detect the Trojan:
0x01 PHP Trojan Analysis
In fact, this Trojan first aroused our interest is the following download of the group of three files. We were interested because, for our record, a.exe and PHP4ts.dll are both harmless legal programs. PHP Thread Safe CGI (PHP Thread Safe common network management interface) and php4ts.dll (PHP Thread Safe common network management interface) is a dynamic library that must be imported to run the program:
In layman’s terms, these two programs are essentially interpreters for a PHP script. They were downloaded for the sole purpose of making A.hp executable. So let’s take a look at this A.P.P.
The code logic is not complicated. The script iterates through all the files on drives C to Z and skips directories that contain the following strings:
- \winnt
- \boot
- \system
- \windows
- \tmp
- \temp
- \program
- \appdata
- \application
- \roaming
- \msoffice
- \temporary
- \cache
- recycle
Find files with these extensions:
#! shell zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps |sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak |backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|s ldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|m idi|ogg|mid|vdi|vmdk|vhd|dsk|img|isoCopy the code
Open each file that meets the extension requirement, read the first 1024 bytes and encrypt it with the key cyclic xor. Once the encryption is complete, add a. Crypted extension to the modified file.
It just leaves us wondering – how did the Trojan author use PHP, the world’s best language (ok, it’s just a meme), to implement asymmetrically encrypted blackmailer code in such a fairly short piece of code?
A closer look at the code and an Epiphany — it wasn’t implemented… The encryption method of this code adopts symmetric encryption algorithm, to be precise, it is cyclic xOR encryption. Even more humanely, the PHP encryption code is actually dual-use, changing one parameter in the script instantly makes the whole script a decryption script. You can decrypt the encrypted document directly back:
So the world has been so messy, asymmetric encryption racketeers flying today, symmetric encryption racketeers can not add to the mess?
Of course, this is not to say that the script is harmless — symmetric encryption without a key is still a hassle, although we have the key here, but it says: Trojan author and server still continue to update the contents of the Trojan, and Trojan will be deleted after running, so although it is symmetric encryption, but it is still possible to find the encryption key is still difficult to unlock the file (difficult, but not without solution)……
But that’s not the point. The point is that the Trojan sends a blackmail message after encrypting the file:
Compared to the two or three bitcoins racketeer trojans, 0.40290 bitcoins is an obscene amount of zeros and rounders, but it’s a decent price. But what the hell is this “RSA-1024”? Clearly is a simple cyclic xOR encryption good! Don’t pretend to be some fancy asymmetric encryption! WTF…
0x02 POWERSHELL Trojan Analysis
Then let’s talk about two powershell Trojans that run independently. Although a1.exe and A2. exe run independently, their behaviors are basically the same, so we merge them into one to make unified explanation.
The sample first performs injection:
Then restore the thread to execute the injected code:
When this is done, the malicious code detects the machine environment — install Microsoft’s KB968930 patch (www.microsoft.com/en-us/downl…) on powerShell systems you don’t know. Add support for Powershell:
After ensuring that the user environment can execute Powershell, register a file association and execute a script in shell Command where the file is opened:
This is a short, snappy script, but the system accesses the registry again to execute another piece of malicious code in the registry:
In this way, the malicious program stores all the malicious code in the registry, and the landing file is only used to trigger the execution of the malicious code, not the malicious code itself. Files landed locally have no malicious code at all, making it easier to bypass scanning by security software.
We export the contents of the registry containing malicious code as follows:
Although it is already in the registry, the Trojan’s author is clearly not at ease — it is still using multiple encryption to mask the code’s intent. When decrypted, the final code we get is powershell code:
Obviously, even at the end of the decryption, the variable “$sc32” in the middle still looks a bit confusing… But when you look at the end of the PS1 code, you realize that this is actually the final code. $sc32; $sc32; $sc32;
We dump the data, find out that the code downloads files from the remote side to execute locally, and determine if the files are valid executables — typical downloader trojans:
0x03 Non-PE gradually becomes a trend
With the popularity of security software, Trojan virus against security software also gradually became the “melee hand-to-hand combat”, everyone in the drilling and details, ignored by the other party, all want to do single point to a small point of breakthrough, so that various scripts are evident even the script is not data files in addition to the Trojan more advantages compared with traditional PE format.
The blackmailer Trojan is a classic example — a javascript Trojan that releases a PHP script Trojan and two Powershell scripts. Powershell trojans don’t even have ps1 scripts, but are stored directly in the registry. PHP trojans have landed PHP files, but since PHP scripts can implement symmetric encryption, can a higher level of asymmetric encryption extortion trojans really be far behind?
Of course, it is not to say that non PE can do whatever it wants, since it is a melee, the response of security software will not be at a disadvantage – we are ready to fight.