{"id":5866,"date":"2017-01-18T22:53:19","date_gmt":"2017-01-18T22:53:19","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/18\/news-71\/"},"modified":"2017-01-18T22:53:19","modified_gmt":"2017-01-18T22:53:19","slug":"news-71","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/18\/news-71\/","title":{"rendered":"Post-holiday spam campaign delivers Neutrino Bot"},"content":{"rendered":"<p><em>This post was co-authored by\u00a0<span class=\"s2\">@<a href=\"https:\/\/twitter.com\/hasherezade\" target=\"_blank\">hasherezade<\/a>\u00a0and\u00a0<a href=\"https:\/\/blog.malwarebytes.com\/author\/jeromesegura\/\" target=\"_blank\">J\u00e9r\u00f4me Segura<\/a><\/span><\/em><\/p>\n<p>During the Christmas season and early into the new year, we noticed a sharp decrease in spam volume, perhaps as online\u00a0criminals took a break from their malicious activities and popped the champagne to celebrate. It could also have been a time to regroup and plan new strategies for the upcoming year.<\/p>\n<p>In any case, over the weekend we observed a large new campaign purporting to be an email from &#8216;Microsoft Security Office&#8217; with a link to a full security report (<em>Microsoft.report.doc<\/em>). This was somewhat unexpected, as typically the malicious Office files are directly attached to the email. 
Instead, the files are hosted on various servers with a short time to live window.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/email.png\" data-rel=\"lightbox-0\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15959\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/email.png\" alt=\"email\" width=\"949\" height=\"800\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/email.png 949w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/email-300x253.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/email-600x506.png 600w\" sizes=\"auto, (max-width: 949px) 100vw, 949px\" \/><\/a><\/p>\n<p>The booby-trapped document asks users to enable macros in order to launch the malicious code.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/macro_blocked.png\" data-rel=\"lightbox-1\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15963\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/macro_blocked.png\" alt=\"macro_blocked\" width=\"1148\" height=\"822\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/macro_blocked.png 1148w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/macro_blocked-300x215.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/macro_blocked-600x430.png 600w\" sizes=\"auto, (max-width: 1148px) 100vw, 1148px\" \/><\/a><\/p>\n<h3>Neutrino Bot<\/h3>\n<p>If the macro executes, the final payload will be\u00a0downloaded and executed<span class=\"s1\">.\u00a0<\/span>This is Neutrino bot &#8211; which we had\u00a0<a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2015\/08\/inside-neutrino-botnet-builder\/\" target=\"_blank\">analyzed over a year ago<\/a>\u00a0and that can:<\/p>\n<ul>\n<li>perform DDoS attacks<\/li>\n<li>capture keystrokes, do 
form grabbing, take screenshots<\/li>\n<li>spoof DNS requests<\/li>\n<li>download additional malware<\/li>\n<\/ul>\n<h4>Analyzed sample<\/h4>\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/87b7e57140e790b6602c461472ddc07abf66d07a3f534cdf293d4b73922406fe\/analysis\/\" target=\"_blank\">2b796c0e248b02aa0c6fda288cb62531<\/a> &#8211; original sample\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/b1ae6fc1b97db5a43327a3d7241d1e55b20108f00eb27c1b8aa855f92f71cb4b\/analysis\/\" target=\"_blank\">621ea6c1f02470a137569be2f8412326<\/a> &#8211; unpacked stage 1 (loader)\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/ca64848f4c090846a94e0d128489b80b452e8c89c48e16a149d73ffe58b6b111\/analysis\/1484000279\/\" target=\"_blank\">084f562da639bd4bfc6b92b7d5cdc014<\/a> &#8211; core bot<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4>Details<\/h4>\n<p>Once deployed, the sample installs itself in %APPDATA% in a folder called &#8220;<em>UmJn<\/em>&#8221;. This folder name is typical for this particular edition of Neutrino Bot:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15970\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/dropped.png\" alt=\"dropped\" width=\"598\" height=\"138\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/dropped.png 598w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/dropped-300x69.png 300w\" sizes=\"auto, (max-width: 598px) 100vw, 598px\" \/><\/p>\n<p>It then starts connecting to the C&amp;C in order to fetch commands and perform the malicious actions, by querying a script called &#8220;<em>tasks.php<\/em>&#8221;.<\/p>\n<p>The list of C&amp;C URLs is hardcoded in the bot in the form of a Base64 string:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15979\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/decoding_urls-1.png\" alt=\"decoding_urls\" width=\"887\" 
height=\"216\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/decoding_urls-1.png 887w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/decoding_urls-1-300x73.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/decoding_urls-1-600x146.png 600w\" sizes=\"auto, (max-width: 887px) 100vw, 887px\" \/><\/p>\n<p>URLs extracted from this sample:<\/p>\n<pre>http:\/\/saferunater.top\/n\/tasks.php\nhttp:\/\/saferunater.xyz\/n\/tasks.php\nhttp:\/\/saferunater.space\/n\/tasks.php\nhttp:\/\/godomenbit.bit\/n\/tasks.php<\/pre>\n<p>Neutrino uses a very simple method of authentication &#8211; it sends a cookie with a hardcoded value:<\/p>\n<pre>POST %s HTTP\/1.0\nHost: %s\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko\/20100101 Firefox\/38.0\nContent-type: application\/x-www-form-urlencoded\nCookie: auth=bc00595440e801f8a5d2a2ad13b9791b\nContent-length: %i<\/pre>\n<p>In the <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2015\/08\/inside-neutrino-botnet-builder\/\" target=\"_blank\">previously described version<\/a> it was md5(&#8220;admin&#8221;). 
This time it is:<\/p>\n<pre>\"bc00595440e801f8a5d2a2ad13b9791b\" -&gt; md5(\"just for fun\")<\/pre>\n<p>While the goals of the bot and its major features didn&#8217;t change much, the code seems to have been partially rewritten in comparison to <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2015\/08\/inside-neutrino-botnet-builder\/\" target=\"_blank\">the leaked version 3.9.4<\/a>.<\/p>\n<p>Here is the old version, reporting to the CnC:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15984\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/old_report.png\" alt=\"old_report\" width=\"834\" height=\"302\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/old_report.png 834w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/old_report-300x109.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/old_report-600x217.png 600w\" sizes=\"auto, (max-width: 834px) 100vw, 834px\" \/><\/p>\n<p>The new version &#8211; which seems to be <strong><em>5.2<\/em><\/strong> &#8211; is much less verbose. It doesn&#8217;t use any strings that would indicate the purpose of any particular value. Additionally, some of the functions it uses are loaded dynamically and identified by checksums rather than by name, in order to decrease code readability:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15982\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/bot_version.png\" alt=\"bot_version\" width=\"1026\" height=\"290\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/bot_version.png 1026w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/bot_version-300x85.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/bot_version-600x170.png 600w\" sizes=\"auto, (max-width: 1026px) 100vw, 1026px\" \/><\/p>\n<p>The features are also reorganized. 
For example, there is still a feature for taking screenshots of the victim&#8217;s desktop &#8211; but its implementation details have changed:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15972\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/screenshot-1.png\" alt=\"screenshot\" width=\"502\" height=\"596\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/screenshot-1.png 502w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/screenshot-1-253x300.png 253w\" sizes=\"auto, (max-width: 502px) 100vw, 502px\" \/><\/p>\n<p>Screen grabbing is triggered by a command from the C&amp;C:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15976\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/commands_switch-1.png\" alt=\"commands_switch\" width=\"713\" height=\"321\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/commands_switch-1.png 713w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/commands_switch-1-300x135.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/commands_switch-1-600x270.png 600w\" sizes=\"auto, (max-width: 713px) 100vw, 713px\" \/><\/p>\n<p>The created screenshot is immediately sent to the C&amp;C.<\/p>\n<p>In the past, the same feature was implemented together with the keylogger.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15980\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/old_screenshot.png\" alt=\"old_screenshot\" width=\"418\" height=\"405\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/old_screenshot.png 418w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/old_screenshot-300x291.png 300w\" sizes=\"auto, (max-width: 418px) 100vw, 418px\" \/><\/p>\n<p>The responsible thread is deployed and the screenshot is taken 
periodically and saved to the logs along with other grabbed content. When the logs&#8217; size exceeds a defined threshold, they are uploaded to the C&amp;C:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15973\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/oldn_send_logs.png\" alt=\"oldn_send_logs\" width=\"956\" height=\"695\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/oldn_send_logs.png 956w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/oldn_send_logs-300x218.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/oldn_send_logs-600x436.png 600w\" sizes=\"auto, (max-width: 956px) 100vw, 956px\" \/><\/p>\n<p>The implemented changes improved code quality by separating the particular features, and they give the operator more control over their execution. The code is still not obfuscated, but the authors tried to hide some strings that would explicitly show the purpose of particular commands.<\/p>\n<p>Just like in the previous case, we are dealing with a fully-fledged multipurpose bot &#8211; with various features allowing it to steal data and invade privacy, but also to use infected computers for DDoS attacks or to download other malware.<\/p>\n<h3>Protection<\/h3>\n<p>It is important to remember to be particularly careful with Office documents masquerading as invoices, or other such reports, that leverage the macro feature to execute code that downloads and runs the actual payload. As an end user, do not enable macros unless you completely trust the file or are running it in a virtualized environment. 
As an IT admin, you can set policies to <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/03\/22\/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection\/\" target=\"_blank\">permanently disable macros<\/a>.<\/p>\n<p>Malwarebytes users are protected from this threat via the web or\u00a0exploit protection modules.<\/p>\n<h3>IOCs:<\/h3>\n<p><span style=\"text-decoration: underline\">Malicious doc<\/span>:<\/p>\n<p><em>agranfoundation[.]org\/Microsoft[.]report[.]doc<\/em><br \/> <em>xn--hastabakc-2pbb[.]net\/Microsoft[.]report[.]doc<\/em><br \/> <em>ecpi[.]ro\/Microsoft[.]report[.]doc<\/em><br \/> <em>ilkhaberadana[.]com\/Microsoft[.]report[.]doc<\/em><br \/> <em>cincote[.]com\/Microsoft[.]report[.]doc<\/em><br \/> <em>mallsofjeddah[.]com\/Microsoft[.]report[.]doc<\/em><br \/> <em>dianasoligorsk[.]by\/Microsoft[.]report[.]doc<\/em><\/p>\n<p><em>8dd66dd191c9f0d2f4b5407e5d94e815e8007a3de21ab16de49be87ea8a92e8d<\/em><\/p>\n<p><span style=\"text-decoration: underline\">Neutrino bot<\/span>:<\/p>\n<p><em>www.endclothing[.]cu[.]cc\/nn.exe<\/em><\/p>\n<p><em>87b7e57140e790b6602c461472ddc07abf66d07a3f534cdf293d4b73922406fe<\/em><br \/> <em> b1ae6fc1b97db5a43327a3d7241d1e55b20108f00eb27c1b8aa855f92f71cb4b<\/em><br \/> <em> ca64848f4c090846a94e0d128489b80b452e8c89c48e16a149d73ffe58b6b111<\/em><\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/01\/post-holiday-spam-campaign-delivers-neutrino-bot\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/01\/post-holiday-spam-campaign-delivers-neutrino-bot\/' title='Post-holiday spam campaign delivers Neutrino Bot'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2015\/11\/photodune-6673197-spam-email-m-965x395.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' 
align='left'>Spammers took a break over the holidays but are back in form with a campaign pushing the Neutrino Bot.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/ddos\/\" rel=\"tag\">ddos<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/macro\/\" rel=\"tag\">macro<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/microsoft\/\" rel=\"tag\">microsoft<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/microsoft-security-office\/\" rel=\"tag\">Microsoft Security Office<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/neutrino-bot\/\" rel=\"tag\">neutrino bot<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/spam\/\" rel=\"tag\">spam<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/01\/post-holiday-spam-campaign-delivers-neutrino-bot\/' title='Post-holiday spam campaign delivers Neutrino Bot'>Read 
more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[4503,10514,10515,10516,10517,10501,10518],"class_list":["post-5866","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cybercrime","tag-ddos","tag-macro","tag-microsoft","tag-microsoft-security-office","tag-neutrino-bot","tag-spam"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/5866","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=5866"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/5866\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=5866"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=5866"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=5866"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}