My first post on the Roboto Condensed social engineering scheme can be seen HERE. BleepingComputer.com also wrote an article on this, which can be seen HERE.
The page presented to both Chrome and Firefox users:
Looking at the page source shows a different .ZIP file for Chrome and Firefox users:
Chrome users download “Chrome_Font.zip”, which is being hosted on a hacked website called ithacafirst.org (resolves to 205.251.94.116).
Chrome_Font.zip contains “Chrome_Font.js”. Pastebin of Chrome_Font.js.
Firefox users download “Mozilla_Font.zip”, which is being hosted on a hacked website called karisandsazii.com (resolves to 198.54.116.36).
Mozilla_Font.zip contains “Mozilla_Font.js”. Pastebin of Mozilla_Font.js.
Executing both JScript downloaders resulted in GET requests for the same file, “Font-update09042017-criticalfix.exe”, which is being hosted on a hacked website called intralynx.net (resolves to 198.54.126.10).
The malware payload being downloaded by the malicious JScript files is DELoader (aka Terdot). Thanks to @Antelox for identifying the sample! According to Forcepoint, “DELoader seems to be solely used to distribute a specific variant of the Zeus banking trojan.”
https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks
Something to note: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729) was the User-Agent string used during the GET request.
TCP event captured during the GET request:
Remote Address : 198.54.126.10 Remote Host Name : host56.registrar-servers.com Remote Port : 80 Process Name : WScript.exe Process Path : C:\Windows\System32\WScript.exe
WScript.exe is used to create the file in C:\Users\[username]\AppData\Roaming\[malware payload].exe.
I found DNS queries for chinaandkoreacriminalaffairs.kz, which resolved to 185.82.200.159. This is followed by connections to that host via TCP port 443:
TCP event captured during the connections to 185.82.200.159:
Remote Address : 185.82.200.159 Remote Port : 443 Process Name : explorer.exe Process Path : C:\Windows\explorer.exe
This is followed by a GET request for checkip.dyndns.com, which returns the external IP address of the infected host:

The GET request for the IP check is also using the same User-Agent string as the GET request for the payload.
TCP event captured during the GET request for the IP/connectivity check:
Remote Address : 216.146.43.70 Remote Host Name : checkip.dyndns.com Remote Port : 80 Process Name : msiexec.exe Process Path : C:\Windows\system32\msiexec.exe
The DNS query and GET request for checkip.dyndns.com triggered the following ET rules:
- ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
- ET POLICY External IP Lookup
- ET TROJAN Zeus Bot Connectivity Check
A copy of the malware is created in a new folder located in %AppData%. Later we see the initial malware payload being deleted from %AppData%.
start.lnk is created, for persistence, in “C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup”:
Tor.exe is downloaded and dropped in “C:\Users\[username]\AppData\Roaming”.
Below are some TCP connections found after Tor.exe was executed:
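Added example (my own code, not from the original post or from any tool named in it): a small Python triage script that parses event records written in the same "Remote Address : ... Process Path : ..." form as the captures above and flags the three behaviours this chain shows, namely a script host (WScript.exe) fetching over HTTP, a non-browser process performing the checkip.dyndns.com lookup, and tor.exe running from %AppData%\Roaming. The sample records, the process sets and the "victim" username are constructed placeholders, not values from the post.

```python
import re
from typing import Dict, List, Tuple

# Field names used by the flattened "TCP event" records quoted in the post.
FIELDS = ["Remote Address", "Remote Host Name", "Remote Port", "Process Name", "Process Path"]
FIELD_RE = re.compile(r"(%s) : (.*?)(?= (?:%s) :|$)" % ("|".join(FIELDS), "|".join(FIELDS)))

# Hypothetical process sets; tune these to the environment being monitored.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
IP_CHECK_HOSTS = {"checkip.dyndns.com"}

# Constructed sample events: three modelled on the post's captures, one benign browser lookup.
SAMPLE_EVENTS = [
    "Remote Address : 198.54.126.10 Remote Host Name : host56.registrar-servers.com Remote Port : 80 "
    "Process Name : WScript.exe Process Path : C:\\Windows\\System32\\WScript.exe",
    "Remote Address : 216.146.43.70 Remote Host Name : checkip.dyndns.com Remote Port : 80 "
    "Process Name : msiexec.exe Process Path : C:\\Windows\\system32\\msiexec.exe",
    "Remote Address : 188.165.194.195 Remote Host Name : ns3096483.ip-188-165-194.eu Remote Port : 9001 "
    "Process Name : tor.exe Process Path : C:\\Users\\victim\\AppData\\Roaming\\tor.exe",
    "Remote Address : 216.146.43.70 Remote Host Name : checkip.dyndns.com Remote Port : 80 "
    "Process Name : chrome.exe Process Path : C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened record into its named fields (a missing field is simply absent)."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the detection labels that fire for one event (empty list means no finding)."""
    proc = ev.get("Process Name", "").lower()
    path = ev.get("Process Path", "").lower()
    host = ev.get("Remote Host Name", "").lower()
    port = ev.get("Remote Port", "")
    hits = []
    if proc in SCRIPT_HOSTS and port in {"80", "443"}:
        hits.append("script host making outbound web request")   # the JScript downloader stage
    if host in IP_CHECK_HOSTS and proc not in BROWSERS:
        hits.append("external IP lookup by non-browser process")  # mirrors ET POLICY External IP Lookup
    if "\\appdata\\roaming\\" in path and path.endswith("\\tor.exe"):
        hits.append("tor.exe running from %AppData%\\Roaming")    # the dropped Tor client
    return hits

def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """(process name, labels) for every event that triggers at least one label, in input order."""
    events = [parse_event(line) for line in lines]
    return [(e.get("Process Name", "?"), classify(e)) for e in events if classify(e)]
```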
Below are images of some files created in %Temp% and %AppData%:
Certutil.exe is downloaded and dropped in %Temp%, along with its dependencies (legitimate DLLs) and .crt files:
The certificate is installed with the help of certutil and is used for the Man-in-the-Browser attacks shown below.
BoA MiTB attack on Internet Explorer:
Chase bank MiTB attack on Firefox:
Read more about the MiTB attack at https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/
Hashes:
SHA256: c9c738f58a8f0fde37edea09342e1378e110cfca73ee9244bb065539632ce484
File name: Mozilla_Font.js
SHA256: 1dd41148e5b86cac94363e97b08186ace1a796658101b59a090a763d442ad2a2
File name: Chrome_Font.js
SHA256: ec2f39ba3e4ebcf5af07aa49127a814a06b58d509a0324df6215e7aa3e99af87
File name: Sample.exe
Hybrid-Analysis Report
Malwr Report
Downloads:
Malicious Artifacts.zip
Password is “infected”
Until next time!