viernes, 25 de julio de 2014

New Feodo variant follows Geodo steps

Cridex (aka Feodo/Bugat) activity reached its zenith towards the end of 2013 and early 2014 in which it almost disappeared until it returned again in June reincarnated as what the guys at abuse.ch baptized as Geodo.



Earlier this week, S21sec's Ecrime team detected what seems to be an evolution of one of the old variants -unrelated to Geodo- which has new and noteworthy features.

First of all, it uses a loader with limited functionality as the first infection step used to download the main trojan module in the form of a DLL using the following paths and injecting itself into explorer.exe as in earlier versions:


Trojan network communication is done through the typical 8080 although the path is a bit different from what we are used to:


Once the installation step is completed, the trojan downloads the configuration file which is just a gzip file with a fake header:


The config file uses the XML like format seen on previous versions which has the following structure:
  • modules: Embedded new modules encoded in Base64:
    • vnc_x32
    • vnc_x64
    • socks_x32
    • socks_x64
    • bot_x32
    • bot_x64
  • httpshots y clickshots: URL patterns for which the trojan must perform screenshots
  • formgrabber: URL patterns used for form grabbing
  • bconnect: Back Connect Server
  • vncconnect: VNC Server
  • redirects: External resources references used on injections
  • httpinjects: Entity URL patterns with their corresponding injections

Affected entities seems to be mainly from UK, Ireland, United Arabian Emirates and Qatar, with some injections designed to bypass second authentication factor which, in combination with the VNC module, will allow the attacker to supplant the victim's online banking session.

So it seems that after some months of silence on Cridex world, a new old friend (dressed up for the ocassion) joins Geodo on its journey.


Note: Originally published on S21sec's blog
Follow me on Twitter: @smvicente

--
The MD5 signatures of the files analyzed by S21sec were:
  • loader: 9d81ac7604ef2a0096537396a4a91193   
  • bot_x32: 04b55edf43a006f9c531287161fa2fa8               
  • vnc_x32: c73c3c18b74c67e88d5b3f4658016dcd
Other hashes for the rest of the modules are:
  • vnc_x64: 5ecfc1d3274845bf5ff3f66ca255945e
  • socks_x32: 53eb0e59b5bb574df5755527dc3d4f47
  • socks_x64: 0dfc66eadbd9e88b2262ac848eadee8f
  • bot_x64: 4df1cef98bbc174ba02f17d2ca6c0a58

jueves, 24 de julio de 2014

New GOZ first steps

From the very begining of the operation against the infamous Murofet/Gameover/ZeusP2P banking trojan (known as Operation Tovar) the botnet growth has stalled and it seems it has been abandoned since then. Instead of recovering control over the botnet, it seems that botmasters decided to create a new botnet from scratch using  a new GOZ version. We will analyze the main new features throughout the post.

Communication:
  • The new trojan has replaced the Peer-to-Peer (P2P) mechanism in favor of a Fast-Flux network using a new domain generation algorithm (DGA).
  • The public key included within the trojan (which is XORed in the same way) is no longer used to verify the signature of the resources exchanged via P2P and is now used as part of the classic symmetric + asymmetric communication schema in which the payload is ciphered with the symmetric key whilst the random generated key is ciphered with the public key before it is sent to the command and control server. The scheme is similar to the one used, for instance, by Cridex/Bugat/Feodo/Geodo.
Taking into account DGA is based on a hardcoded seed, creating a new botnet is just a matter of changing both, the seed, and the public key in the binary.



Encryption:

Whereas the cypher has been kept unchanged in some way, there has been some modifications due to the new communication scheme seen above. In short:
  • RC4 is maintained for the configuration stored in the system registry
  • The communication with the command and control panel is now based on AES256 + RSA.



Configuration:

The configuration has remained largely unchanged. In fact, most injections and target entities are old and they even contain variables which belongs to features no longer present on the current version like those related with the P2P proxy:



Therefore, it seems that we are facing what seems to be a lite version of GOZ which, somehow, reminds us Licat, its predecessor. Far from reducing the prominence of the trojan, even if the configuration files may lead us to think that it has been released in haste, features such as the DGA seed may lead to a boom of new GOZ botnets which will start a new cat and mouse chase.


Note: Originally published on S21sec's blog

--
Follow me on Twitter: @smvicente