Malware Analysis Report

Transcription

1 NSHC Malware Analysis Report [ Xtreme RAT ] A server program of Xtreme RAT, a type of RAT (Remote Administration Tool), is distributed recently. The system which is infected with the server program becomes a client of attacker who control the system by remote control. The attacker can steal the information of the infected system such as inputting data from keyboard, MSN , and clipboard data. In the system that is suspected to be infected, countermeasures according to the action and treatment through A/V are required. Information Service about a new vulnerability Version 1.0 External 2014 Red Alert. All Rights Reserved.

2 Index 1. Malware Stub Technical Details Red Alert of Opinion Removal Recommendations Reference facebook.com/nshc.redalert 2014 Red Alert. All Rights Reserved. 1

3 Confidentiality Agreements This report was written from the Red Alert team. There is no problem user for research purpose, but we don t care about Legal responsibility. This code is a living document and will be updated from time to time. Please refer to the Red Alert SNS Page to download updates. ( Analysis reports that are updated on Facebook, including other materials and article, sample can offer premium services the ISAC on the page. ( facebook.com/nshc.redalert 2014 Red Alert. All Rights Reserved. 2

4 1. Malware Stub Malware Name pdfviewer.exe File Size 133,624 bytes MD5 50f7368f4b81d4c2891d7a890e8d5b44 Compiled Date :35:52 Etc N/A Table 1. File Info-1 Malware Name dmw.exe File Size 59,823 bytes MD5 c674a56b67332c033d1a041f32f0daac Compiled Date :22:17 Etc N/A Table 2. File Info-2 - dl.**********rcontent.com/s/pn*********5zhh/pdfviewer.exe Index Description OS Windows XP SP3 KR Browser Windows Internet Explorer 8 Table 3. Analysis Environment The malware runs by injecting its module to svchost.exe and explorer.exe. A dwm.exe is registered on Windows Auto-startup that it can the malware resides on the system. Figure 1. Drop Flow facebook.com/nshc.redalert 2014 Red Alert. All Rights Reserved. 3

5 This is a server which is connected with the malware information. Figure 2. IP Info-1 Figure 3. IP Info-2 The data of malware and Keylogging are stored in the specific folder. Figure 4. Malware Output Data facebook.com/nshc.redalert 2014 Red Alert. All Rights Reserved. 4

6 Also, users can see that explorer.exe is running more than one because the malware injects the module of explorer.exe. Figure 5. Injected Process When the infected explorer.exe is running, Windows that have the objects symbolizing the Xtreme RAT are created. Figure 6. Malware's Object facebook.com/nshc.redalert 2014 Red Alert. All Rights Reserved. 5

7 2. Technical Details The XtremeKeylogger created by the infected explorer.exe is registered as a clipboard viewer. Figure 7. Set Clipboard Viewer In XtremeKeylogger procedure, the routine exists that handling the message of WM_DRAWCLIPBOARD. The WM_DRAWCLIPBOARD occurs if the new data is generated to the clipboard. The data of clipboard can be checked in the Windows that is registered as the clipboard viewer. Figure 8. Branches 'WM_DRAWCLIPBOARD' In the routine of WM_DRAWCLIPBOARD message handling, it stores the Unicode text in the buffer. Figure 9. Get Clipboard Data The stored data is recorded separately in the file, and the file is as follows: - %APPDATA%\Microsoft\Windows\((Mutex)).dat - %APPDATA%\Microsoft\Windows\gzAdbdgue.dat Figure 10. Logging Data facebook.com/nshc.redalert 2014 Red Alert. All Rights Reserved. 6

8 The signatures that 0xAA, 0xFE is existed on the starting point in the data of file. And it is stored in single-byte encryption(xor 0x55) an Unicode characters excluding CRLF(Carriage Return Lin Feed : 0x0D, 0x0A) and 0x00. Figure 11. XOR Encode Routine The decoded data excluding the Unicode Text is as follows: Figure 12. Decoding Data facebook.com/nshc.redalert 2014 Red Alert. All Rights Reserved. 7

9 It attempts to hook the system using SetWindowsHookExW function on the XremeKeylogger windows made by the infected explorer.exe. Figure 13. Set Keyboard Hook A routine that processing of keyboard input message is existed on LowLevelKeyboardProc which is executing through global hooking. - WM_SYSKEYDOWN : Input System key - WM_KEYDOWN : Input Keyboard key Figure 14. Branches Key Down Messages It is divided the windows using Foreground Window. Figure 15. Get Foreground Wnd Caption facebook.com/nshc.redalert 2014 Red Alert. All Rights Reserved. 8

10 The time information is also recorded in the form of DATE_SHORTDATE along with the name of windows caption. Figure 16. Local Time Format It is saved the contents with single byte encryption (XOR 0x55) in the keylogging data file the same way as Clipboard Hooker. The decoded data excluding the Unicode type is same the below. Figure 17. Key Logging Data The keylogging data file is sent with the clipboard data to FTP Server. Figure 18. Logging File Transfer facebook.com/nshc.redalert 2014 Red Alert. All Rights Reserved. 9

11 It attempts to hook the system using SetWindowsHookExW function on the XremeKeylogger windows made by the infected explorer.exe. Figure 19. Set Mouse Hook A routine that processing of mouse input message is existed in LowLevelMouseProc. - WM_LBUTTONDOWN : Click the left button of mouse - WM_RBUTTONDOWN : Click the right button of mouse - WM_MBUTTONDOWN : Click the wheel of mouse - WM_LBUTTONDBLCLK : Double click the left button of mouse - WM_RBUTTONDBLCLK : Double click the right button of mouse Figure 20. Branches Mouse Click Messages It is also divided the windows using Foreground Window. Figure 21. Get Foreground Wnd Caption facebook.com/nshc.redalert 2014 Red Alert. All Rights Reserved. 10

12 By using BtiBlt function, it captures the screen contents in the memory. Figure 22. Screen Capture The captured screen is stored as a.jpg. Figure 23. Saved Capture facebook.com/nshc.redalert 2014 Red Alert. All Rights Reserved. 11

13 3. Red Alert of Opinion The RAT (Remote Administration Tool) can do Capture screen, Keylogging, Steal clipboard data, proxy server, handle process, handle windows, and handle registry. The case to exploit for stealing the personal information is increasing. Please note the damage of RAT.. 4. Removal Recommendations By releasing the check box of Hide protected operation system files (Recommended) and applying Show hidden files and folders in the folder option of Windows Explorer. After this, please delete the files are as follows: - %APPDATA%\Microsoft\Windows\((Mutex)).cfg - %APPDATA%\Microsoft\Windows\((Mutex)).dat - %APPDATA%\Microsoft\Windows\gzAdbdgue.cfg - %APPDATA%\Microsoft\Windows\gzAdbdgue.dat - %APPDATA%\Microsoft\Windows\gzAdbdgue.xtr - %APPDATA%\System\dmw.exe Figure 24. Folder Option facebook.com/nshc.redalert 2014 Red Alert. All Rights Reserved. 12

14 Delete the registry related on the malware. - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Value Name : HKLM Value Data : %APPDATA%\System\dmw.exe - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Value Name : HKCU Value Data : %APPDATA%\System\dmw.exe - HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ {54F31X8D-X7YK-MYWP-XFCM-1M6UNSJ65AWU} Name : StubPath Value Data : %APPDATA%\System\dmw.exe restart - HKCU\Software\gzAdbdgue - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows Value Name : Load - HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Value Name : Load Please get a thorough system examination by referring Reference. [1] Virus Total and treat the malware through A/V. facebook.com/nshc.redalert 2014 Red Alert. All Rights Reserved. 13

15 5. Reference [1] Virus Total d4cc62604a6a20/analysis/ [2] Xtreme RAT facebook.com/nshc.redalert 2014 Red Alert. All Rights Reserved. 14