{"id":11792,"date":"2018-03-21T09:27:41","date_gmt":"2018-03-21T17:27:41","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/03\/21\/news-5562\/"},"modified":"2018-03-21T09:27:41","modified_gmt":"2018-03-21T17:27:41","slug":"news-5562","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/03\/21\/news-5562\/","title":{"rendered":"An in-depth analysis of a new, emerging &#8220;.url&#8221; malware campaign &#8211; by Quick Heal Security Labs"},"content":{"rendered":"<p><strong>Credit to Author: Pradeep Kulkarni | Date: Mon, 19 Mar 2018 14:19:13 +0000<\/strong><\/p>\n<p>Last week, we had blogged about the emergence of a new attack vector, \u2018.url\u2019, which is used to spread malware. In this blog post, we will deep-dive into the attack chain of this \u2018.url\u2019 vector and elaborate on the Quant Loader malware which is actively making use of it. Let\u2019s take a look at the attack chain below, which depicts the execution sequence observed in this attack, where a &#8220;.url&#8221; file is used to spread malware.<\/p>\n<p>Fig 1. Attack Chain<\/p>\n<p>The following figure shows the process summary of the attack chain.<\/p>\n<p>Fig 2. Process Summary<\/p>\n<p>As explained above, a \u201c.url\u201d file generally contains a URL (\u201chttp:\/\/\u201d or \u201chttps:\/\/\u201d), but in this case we have observed SMB shares being accessed to execute a malicious JavaScript.<\/p>\n<p>Fig 3. .URL file accessing SMB share<\/p>\n<p>The above file is related to CVE-2016-3353, where Internet Explorer mishandles \u2018.url\u2019 files from the Internet zone and allows remote attackers to bypass intended access restrictions via a crafted file. These SMB shares are publicly accessible and can be accessed without authentication. Fig 3 and 4 show the public SMB share location \u201cbuyviagraoverthecounterusabb[.]net\/documents\/\u201d where the malicious JavaScript files are stored. The IP address of the malicious SMB share is \u201c91.102.153.90\u201d.<\/p>\n<p>Fig 4. Communication captured while accessing the SMB share<\/p>\n<p>Fig 5. JavaScript files stored publicly<\/p>\n<p>The following figure shows a malicious JavaScript being delivered to the victim over the SMB protocol.<\/p>\n<p>Fig 6. SMB request<\/p>\n<p>When the malicious JavaScript is opened, it is run by the \u2018wscript.exe\u2019 application.<\/p>\n<p>Fig 7. User Prompt<\/p>\n<p>The second-stage malware is downloaded by the malicious JavaScript once the victim clicks on \u2018Open\u2019, as shown in Fig 5. This malicious JavaScript is highly obfuscated and is used only as a first-stage downloader.<\/p>\n<p>Fig 8. Malicious JavaScript downloader<\/p>\n
<p>The JavaScript downloads the second-stage malware to the \u2018%TEMP%\u2019 location and spawns it through \u2018cmd.exe\u2019. This is a heavily obfuscated executable which is executed directly in memory. This malware appears to be a variant of \u2018Quant Loader\u2019 and can be used to download other malware. At the time of analysis by Quick Heal Security Labs, we did not observe any malware downloaded by Quant Loader. Let\u2019s take a look at the working of the Quant Loader malware.<\/p>\n<p>The Quant Loader malware checks all of the keyboard locales of the system through \u201cKeyboard Layout\\Preload\u201d. It exits if any of the locales is Russian, Ukrainian or Kazakh.<\/p>\n<p>Fig 9. Check for the locale of the system<\/p>\n<p>Quant Loader makes use of the following registry value to identify the 32\/64-bit configuration of the victim\u2019s system. It then uses the same information as part of its request to the CnC server.<\/p>\n<p>HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)<\/p>\n<p>It also checks for the presence of the following registry entries.<\/p>\n<p>Fig 10. Check presence of different security products<\/p>\n<p>It drops a self-copy named \u2018dwm.exe\u2019 in the \u2018&lt;Appdata ShellFolder&gt;\\&lt;8DigitNumeric&gt;\u2019 folder and sets it to auto-execute through a \u201cRun\u201d entry in the registry. This is done to achieve persistence on the system.<\/p>\n<p>Fig 11. Self-copy of the malware file<\/p>\n<p>This 8-digit number is used as a Bot ID (BotId) while communicating with the CnC server. It generates the BotId through the following steps:<\/p>\n<ul>\n<li>Read \u2018HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid\u2019<\/li>\n<li>Extract only the digits from the value of MachineGuid, in the order they occur<\/li>\n<li>Omit the first 5 digits and take the 8 digits that follow<\/li>\n<\/ul>\n<p>Fig 12. Use of MachineGuid as BotId<\/p>\n
<p>It then changes the access permission of the 8-digit folder and the \u2018dwm.exe\u2019 file to read-only for the logged-in user. This prevents the user from deleting or modifying the folder and \u2018dwm.exe\u2019. This is achieved by using the genuine Windows CACLS utility through the following command.<\/p>\n<p>cmd \/c echo Y|CACLS \"c:\\users\\&lt;username&gt;\\appdata\\roaming\\48378942\\dwm.exe\" \/P \"&lt;username&gt;:R\"<\/p>\n<p>Quant Loader then adds the rule below, named &#8220;Quant&#8221;, to the Windows Firewall, which allows the malware to communicate on the Internet without being blocked by Firewall rules.<\/p>\n<p>netsh advfirewall firewall add rule name=\"Quant\" program=\"c:\\users\\&lt;username&gt;\\appdata\\roaming\\48378942\\dwm.exe\" dir=Out action=allow<\/p>\n<p>It also tries to connect to the CnC domain \u2018wassronledorhad[.]in\u2019 and download other malicious files. The CnC was not responding when the analysis was carried out. However, static analysis gives some insights into the probable CnC communication and other functionalities of Quant Loader. The&hellip;<br \/><a href=\"http:\/\/blogs.quickheal.com\/depth-analysis-new-emerging-url-malware-campaign-analysis-quick-heal-security-labs\/\" target=\"bwo\" >http:\/\/blogs.quickheal.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Pradeep Kulkarni | Date: Mon, 19 Mar 2018 14:19:13 +0000<\/strong><\/p>\n<p>Last week, we had blogged about the emergence of a new attack vector, \u2018.url\u2019, which is used to spread malware. 
In this blog post, we will deep-dive into the attack chain of this \u2018.url\u2019 vector and elaborate on the Quant Loader malware which is actively making use of it. Let\u2019s&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10459,10378],"tags":[10410,11810,11222,10871,3764,3924,714,12321,17820,12015],"class_list":["post-11792","post","type-post","status-publish","format-standard","hentry","category-quickheal","category-security","tag-botnet","tag-cve","tag-email","tag-javascript","tag-malware","tag-phishing","tag-security","tag-smb","tag-spam-campaign","tag-url"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11792","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11792"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11792\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11792"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11792"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11792"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}