
New Gootkit campaign from Italian certified mail

07-05-2019

During malware analysis activities for a customer of ours, I came across a new Gootkit version, detected in a certified email message (PEC).

In this article I describe the malware structure, produce IOCs and comment on the reversed malware code.

Analysis

Everything starts from the mail below. As you can see, the mail comes from a pec.it domain, a paid certified-mail service. Red teams and cyber criminals use many compromised pec.it domains to make the recipient believe the mail can be trusted, so that they feel free to open the attachment.

The attachment is a zip file named ScanDocumentoXXXXXXX.zip, where XXXXXXX is a random number string.

Inside the archive there is a VBS (Visual Basic Script) file named IT717183297354171106419889455702.vbs.

The following image shows a detail of the VB script:

As the image shows, the VB content is an obfuscated payload. The resulting code, extracted by debugging the script, is shown below:

From an integer array, the PowerShell code builds an array of the corresponding ASCII characters. The result is the following:

As the image shows, the above code performs the following checks:

  • The system language is not Chinese, Romanian, Russian, Ukrainian or Belarusian;
  • The execution environment is NOT virtualized.

If both conditions are satisfied, the code downloads three files from the following URLs:

SkypeApp64.exe hxxp://giko.emeraldsurfscience.com/api?jczevfc
SearchI32.js hxxp://irm.skofirm.net/l2.php?vid=pec6
gsahgvt.pdf hxxp://irm.skofirm.net/l2.php?vid=pec6

At the time of analysis the domain emeraldsurfscience.com was not available.

However, navigating to the URL

hxxp://irm.skofirm.net/l2.php?vid=pec6

and deobfuscating the content, you get the following script: 

Once again the script checks that the system language is not Chinese, Romanian, Russian, Ukrainian or Belarusian.
If the check passes, the script downloads two files from the following URLs:

SearchI32.txt hxxp://green.nogel.tech/cryptbody2.php
SearchI32.js hxxp://green.nogel.tech/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php

Browsing the second URL

hxxp://green.nogel.tech/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php

and deobfuscating the code obtained in response, the same URLs collected in the previous step are found again. The following is the evidence:

Downloading instead the SearchI32.txt file from the following URL

hxxp://green.nogel.tech/cryptbody2.php

and deobfuscating its content yields code that performs the following operations:

  • Checks again the locale of the victim's OS through (Get-UICulture).Name;
  • Checks again that the target OS is not a virtualized system.

It extracts the victim's PC product code, as shown by the following evidence (the product code is used by the C2 to identify the victim):

It also extracts information such as domain credentials, the OS version in use, the number of partitions and the HD type. Through the following instruction, the snippet prepares the GET query used to contact the C2:

It then creates and executes a local shortcut link through the following instruction, which downloads and runs again the code in the SearchI32.js file analyzed above:

From the snippets described above, a GET query was built (with fictitious data as GET parameters) to simulate the successful infection of a hypothetical PC. The URL created is the following:

hxxp://green.nogel.tech/?b=PC_To%20be%20filled%20by%20O.E.M._281b38d914d9019c&os=10.0.10586.117&v=502.1&psver=5

The response to the GET request at the above URL contains another URL:

hxxp://red.340airport.com//u2

Following is the evidence:

Browsing to the URL (highlighted in red), I got the following answer:

By rearranging and indenting the code, it is clear that the code prepares an additional URL:

hxxp://red.340airport.com/v2i.php?need=js

In addition, the code in the response schedules a task with the schtasks.exe utility, through which it contacts the URL shown above every 20 minutes.
The code also gains persistence by adding a shortcut to the system's startup folder. In this way, at every startup the contents of the file created at the following local path are executed:

C:\Users\Public\Libraries\WindowsIndexingService.js

The result of the GET query at the following URL is written to the WindowsIndexingService.js file:

hxxp://red.340airport.com/v2i.php?Need=js

The WindowsIndexingService.js file contains the following code, a portion of which is shown below:

After a bit of work, the following code is revealed:

Decoding the character array gives you the following snippet (cleaned and indented): 

The code highlighted in red in the snippet above prepares the following URL and contacts it:

hxxp://red.340airport.com/v2i.php?need=body&_=zxwxgaaa

Again, after some deobfuscation and decoding I obtain the last malware component, which carries out the following checks:

  • Again, the source country of the machine performing the operations;
  • The presence of a possible virtualization system.

The following is the evidence: 

If the above checks pass, the BG_Send() function is called:

The BG_Send() function builds a new URL from a freshly created UUID that uniquely identifies the infected system, sent in the guid and v parameters:

hxxp://red.340airport.com/v2i.php?Guid=<GUID>&v=505.3

The BG_SelectDomen() function then checks whether the contact with the URL shown above succeeded.

If the request to the URL fails, the code generates five DGA (Domain Generation Algorithm) domains from the current date, together with five strings (snippet in the green box).
For instance, the following domains are generated for the following dates:

DGA for date 06/05/2019      DGA for date 07/05/2019
hxxp://zgzimdywnt.top/       hxxp://zgzimdcwnt.top
hxxp://otnhmdywnt.top/       hxxp://otnhmdcwnt.top/
hxxp://mjvjmdywnt.top/       hxxp://mjvjmdcwnt.top/
hxxp://ogy5mdywnt.top/       hxxp://ogy5mdcwnt.top/
hxxp://z2g3mdywnt.top        hxxp://z2g3mdcwnt.top/
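The beacons collected so far (the stage-3 GET check-in with the b/os/v/psver parameters, the /u2 and v2i.php polls, the guid check-in with v=505.3, and the DGA fallback domains above) are enough for a defender to write a proxy-log detection. The following Python is an added example and not code from the original article: it classifies URLs by the stage of the chain they match, scans log lines in a simple "timestamp client method url" format, and flags clients that fetch the same URL at the 20-minute cadence the scheduled task uses. The log format, the client addresses, the GUID value and the timestamps are constructed assumptions; hosts and domains come from the article.

```python
import re
from statistics import median
from urllib.parse import parse_qs, urlsplit

# Hosts and DGA domains exactly as listed in the article (defanged there as hxxp://).
KNOWN_C2_HOSTS = {
    "giko.emeraldsurfscience.com", "irm.skofirm.net",
    "green.nogel.tech", "red.340airport.com",
}
DGA_HOSTS = {
    # 06/05/2019        07/05/2019
    "zgzimdywnt.top", "zgzimdcwnt.top",
    "otnhmdywnt.top", "otnhmdcwnt.top",
    "mjvjmdywnt.top", "mjvjmdcwnt.top",
    "ogy5mdywnt.top", "ogy5mdcwnt.top",
    "z2g3mdywnt.top", "z2g3mdcwnt.top",
}
CHECKIN_KEYS = {"b", "os", "v", "psver"}  # parameters of the stage-3 GET check-in


def classify_url(url):
    """Map a URL to the stage of the chain it matches, or None if it matches nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    # Keys are compared case-insensitively: the article shows both need=js and Need=js.
    query = {k.lower(): v for k, v in
             parse_qs(parts.query, keep_blank_values=True).items()}
    if host in DGA_HOSTS:
        return "dga-fallback"
    if host in KNOWN_C2_HOSTS:
        if CHECKIN_KEYS.issubset(query):
            return "checkin-stage3"
        if "guid" in query and "v" in query:
            return "checkin-final"
        if path.endswith("/v2i.php") and "need" in query:
            return "poll-" + query["need"][0].lower()
        if "cryptbody" in path or "loadercrypt" in path or path.endswith("/l2.php"):
            return "stage-download"
        return "known-c2-host"
    # The check-in shape is worth flagging even when the hosts rotate.
    if CHECKIN_KEYS.issubset(query):
        return "checkin-shape"
    return None


# Assumed log layout: "<epoch seconds> <client ip> <method> <url>".
LOG_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def scan_log(lines):
    """Return (timestamp, client, url, tag) for every log line matching a stage."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        tag = classify_url(m["url"])
        if tag:
            hits.append((float(m["ts"]), m["client"], m["url"], tag))
    return hits


def periodic_pollers(hits, period=1200.0, tolerance=90.0, min_hits=3):
    """Return (client, url) pairs fetched at a steady interval near `period` seconds."""
    by_key = {}
    for ts, client, url, _tag in hits:
        by_key.setdefault((client, url), []).append(ts)
    found = set()
    for key, stamps in by_key.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if abs(median(gaps) - period) <= tolerance:
            found.add(key)
    return found


# Constructed sample log replaying the chain in order; only the last line is benign.
SAMPLE_LOG = """\
1557212300.000 10.0.0.12 GET http://irm.skofirm.net/l2.php?vid=pec6
1557212310.000 10.0.0.12 GET http://green.nogel.tech/cryptbody2.php
1557212345.123 10.0.0.12 GET http://green.nogel.tech/?b=PC_To%20be%20filled%20by%20O.E.M._281b38d914d9019c&os=10.0.10586.117&v=502.1&psver=5
1557212346.800 10.0.0.12 GET http://red.340airport.com//u2
1557212400.001 10.0.0.12 GET http://red.340airport.com/v2i.php?Need=js
1557213600.002 10.0.0.12 GET http://red.340airport.com/v2i.php?Need=js
1557214800.003 10.0.0.12 GET http://red.340airport.com/v2i.php?Need=js
1557216000.004 10.0.0.12 GET http://red.340airport.com/v2i.php?Need=js
1557216001.500 10.0.0.12 GET http://red.340airport.com/v2i.php?need=body&_=zxwxgaaa
1557216002.900 10.0.0.12 GET http://red.340airport.com/v2i.php?guid=00000000-0000-0000-0000-000000000000&v=505.3
1557216010.000 10.0.0.12 GET http://zgzimdcwnt.top/
1557216011.000 10.0.0.44 GET http://www.example.com/index.html
""".splitlines()

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ts, client, url, tag in found:
        print(f"{ts:.0f} {client} {tag:16} {url}")
    print("periodic:", periodic_pollers(found))
```

The host match is the high-confidence part; the "checkin-shape" and periodicity rules are there because the hosts in a campaign like this rotate quickly, while the parameter set and the schtasks cadence tend to survive between waves.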

The actions described so far are repeated every 20 minutes by a task scheduled through the schtasks.exe utility.
Furthermore, the code of this last stage of the infection makes itself persistent again, so that the operations described so far are completed each time the operating system starts.

Conclusions

After a few hours of decoding and deobfuscating PowerShell and VB scripts, this threat was found to belong to the Gootkit malware family, based on the typical structure seen in the responses: VB code using the push() method to build arrays of strings, repeated download of the same resources from different locations, and URLs containing the words "cryptbody" or "loadercrypt". As usual, this kind of threat checks that the target OS language is not Chinese, Romanian, Russian, Ukrainian or Belarusian.

IOC

  • hxxp://giko.emeraldsurfscience.com/api?jczevfc
  • hxxp://irm.skofirm.net/l2.php?vid=pec6
  • hxxp://green.nogel.tech/cryptbody2.php
  • hxxp://green.nogel.tech/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php
  • hxxp://red.340airport.com//u2
  • hxxp://red.340airport.com/v2i.php?need=js
  • hxxp://red.340airport.com/v2i.php?need=body&_=zxwxgaaa
  • hxxp://red.340airport.com/v2i.php?guid=&v=505.3