{"id":6797,"date":"2017-02-27T12:11:10","date_gmt":"2017-02-27T20:11:10","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/02\/27\/news-588\/"},"modified":"2017-02-27T12:11:10","modified_gmt":"2017-02-27T20:11:10","slug":"news-588","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/02\/27\/news-588\/","title":{"rendered":"New Neutrino Bot comes in a protective loader"},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Mon, 27 Feb 2017 19:30:31 +0000<\/strong><\/p>\n<p><em>Co-authored by <a href=\"https:\/\/twitter.com\/hasherezade\" target=\"_blank\">Hasherezade<\/a> and <a href=\"https:\/\/blog.malwarebytes.com\/author\/jeromesegura\" target=\"_blank\">J\u00e9r\u00f4me Segura<\/a>.<\/em><\/p>\n<p>In this blog post we will cover a recent version of the multi-purpose\u00a0Neutrino Bot (AKA Kasidet), which ironically was distributed by an exploit kit of the same name.\u00a0Earlier in January this year, we had described <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/01\/post-holiday-spam-campaign-delivers-neutrino-bot\/\" target=\"_blank\">Neutrino Bot that came via spam<\/a>, so we won&#8217;t go over those details again, but instead will focus on an interesting loader.<\/p>\n<p>Anti-VM detection is complemented by multiple layers hiding the actual core, which made extraction of the final payload a bit of a challenge.<\/p>\n<h3>Distribution method<\/h3>\n<p>This sample was collected via a malvertising campaign in the US that leveraged\u00a0the Neutrino exploit kit. The infection flow starts with a fingerprinting check for virtualization, network traffic capture and antivirus software. If any are found (i.e. not a genuine victim), the infection will not happen. 
This check is done via heavily obfuscated JavaScript code in the pre-landing pages, rather than within the Flash exploit itself, <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/exploits\/2016\/06\/neutrino-ek-fingerprinting-in-a-flash\/\" target=\"_blank\">like it used to in the past<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/pre-landing.png\" data-rel=\"lightbox-0\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-16508\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/pre-landing.png\" alt=\"\" width=\"519\" height=\"442\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/pre-landing.png 1068w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/pre-landing-300x255.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/pre-landing-600x511.png 600w\" sizes=\"auto, (max-width: 519px) 100vw, 519px\" \/><\/a><\/p>\n<p>Once the initial check has passed, the next step is to launch a specially crafted Flash file containing a bunch of exploits for Internet Explorer and the Flash Player (similar to what was described <a href=\"http:\/\/malware.dontneedcoffee.com\/2017\/01\/CVE-2016-7200-7201.html\" target=\"_blank\">here<\/a>). 
The final step is the download and execution\u00a0of the\u00a0RC4 encoded payload via wscript.exe to bypass proxies.<\/p>\n<p>The overall infection flow is summarized in the diagram below (click to enlarge):<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/Neutrino_EK-flow.png\" data-rel=\"lightbox-1\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16524\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/Neutrino_EK-flow.png\" alt=\"\" width=\"937\" height=\"1288\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/Neutrino_EK-flow.png 937w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/Neutrino_EK-flow-218x300.png 218w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/Neutrino_EK-flow-436x600.png 436w\" sizes=\"auto, (max-width: 937px) 100vw, 937px\" \/><\/a><\/p>\n<p><em>A <a href=\"https:\/\/github.com\/mak\/ekdeco\/tree\/master\/neutrino\" target=\"_blank\">script<\/a> from Maciej Kotowicz was used to extract artifacts from the Flash file.<\/em><\/p>\n<h3>Analyzed samples<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/en\/file\/3ab39c77bde831dc734139685cada88ef7f17a6881f4ea7525a522c323562b3c\/analysis\/\" target=\"_blank\">b2be7836cd3edf838ca9c409ab92b36d<\/a> &#8211; original sample (dropped by the EK)\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/en\/file\/2919dad5f685e7c14343c2eb4ba8a28d6d145c776f58168edb42efd61334c3de\/analysis\/\" target=\"_blank\">349f5eb7c421ed49f9a260d17d4205d3<\/a> &#8211; loader\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/en\/file\/45abc50e837a3e0c4df842fe8c3aa54e103d690d67f89d78059878bd3acc67ab\/analysis\/\" target=\"_blank\">6239963eeda5df72995ad83dd4dedb18<\/a>\u00a0&#8211; payload (Neutrino bot)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Behavioral analysis<\/h3>\n<p>The sample was well protected against being deployed in a controlled environment. 
When it detects that it is being run in a VM\/sandbox it just deletes itself:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16481\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/ping_and_delete.png\" alt=\"\" width=\"568\" height=\"75\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/ping_and_delete.png 568w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/ping_and_delete-300x40.png 300w\" sizes=\"auto, (max-width: 568px) 100vw, 568px\" \/><\/p>\n<p>If the environment passed the checks, it drops its copy into: <em>%APPDATA%\/Y1ViUVZZXQxx\/&lt;random_name&gt;.exe\u00a0\u00a0<\/em>(during tests we observed the following names: <em>abgrcnq.exe<\/em>,<em> uu.exe<\/em>):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16478\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/dropped.png\" alt=\"\" width=\"633\" height=\"122\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/dropped.png 633w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/dropped-300x58.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/dropped-600x116.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/dropped-630x122.png 630w\" sizes=\"auto, (max-width: 633px) 100vw, 633px\" \/><\/p>\n<p>The folder and the sample are hidden.<\/p>\n<p>Persistence is achieved via the Task Scheduler:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16479\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/sched_task1.png\" alt=\"\" width=\"953\" height=\"217\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/sched_task1.png 953w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/sched_task1-300x68.png 300w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/sched_task1-600x137.png 600w\" sizes=\"auto, (max-width: 953px) 100vw, 953px\" \/><\/p>\n<p>The malware adds and modifies several registry keys. It adds some basic settings, including the installation date:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16480\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/properties.png\" alt=\"\" width=\"726\" height=\"161\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/properties.png 726w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/properties-300x67.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/properties-600x133.png 600w\" sizes=\"auto, (max-width: 726px) 100vw, 726px\" \/><\/p>\n<p>It modifies some keys in order to remain hidden in the system. The Hidden\/<a href=\"http:\/\/www.msfn.org\/board\/topic\/9950-whats-superhidden-for-exactly\/\" target=\"_blank\">SuperHidden<\/a> features allow its dropped copy to remain unnoticed by the user. 
It disables viewing such files by modifying the following registry keys:<\/p>\n<pre>Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden<\/pre>\n<p>It also adds itself into the firewall&#8217;s whitelist with this command:<\/p>\n<pre>cmd.exe \" \/a \/c netsh advfirewall firewall add rule name=\"Y1ViUVZZXQxx\" dir=in action=allow program=[full_executable_path]<\/pre>\n<p>Similarly, the path to the malware is added to Windows Defender&#8217;s exclusions:<br \/> <img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16482\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/exclusions.png\" alt=\"\" width=\"631\" height=\"122\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/exclusions.png 631w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/exclusions-300x58.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/exclusions-600x116.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/exclusions-630x122.png 630w\" sizes=\"auto, (max-width: 631px) 100vw, 631px\" \/><br \/> It disables reporting incidents to Microsoft&#8217;s\u00a0cloud service (SpyNet):<\/p>\n<pre>HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SpyNet\\SpyNetReporting<\/pre>\n<p>It modifies Terminal Services settings, setting MaxDisconnectionTime and MaxIdleTime to 0. Modified keys:<\/p>\n<pre>HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\MaxDisconnectionTime\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\MaxIdleTime<\/pre>\n<p>If the full installation process completes successfully, it finally loads the malicious core, and we can see traffic typical of the Neutrino Bot. You can see below the beacon &#8220;enter&#8221; and the response &#8220;success&#8221;, encoded in base64. 
The response is sent as a comment in the retrieved blank HTML page, in order to avoid being noticed:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16492\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/enter_success.png\" alt=\"\" width=\"789\" height=\"405\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/enter_success.png 789w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/enter_success-300x154.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/enter_success-600x308.png 600w\" sizes=\"auto, (max-width: 789px) 100vw, 789px\" \/><\/p>\n<p>In the next request the bot sends information about itself, and in response the CnC gives it commands to be executed. Requests and responses are also base64 encoded. Example after decoding:<\/p>\n<p>req:<\/p>\n<pre>cmd&amp;9bc67713-9390-4bcd-9811-36457b704c9c&amp;TESTMACHINE&amp;Windows%207%20(32-bit)&amp;0&amp;N%2FA&amp;5.2&amp;22.02.2017&amp;NONE<\/pre>\n<p>resp:<\/p>\n<pre>1463020066516169#screenshot#1469100096882000#botkiller#1481642022438251#rate 15#<\/pre>\n<p>The first command was to take\u00a0a screenshot, and indeed, soon after we can see the bot sending a screenshot in JPG format:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-16587\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/enc_screenshot.png\" alt=\"\" width=\"952\" height=\"400\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/enc_screenshot.png 1007w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/enc_screenshot-300x126.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/enc_screenshot-600x252.png 600w\" sizes=\"auto, (max-width: 952px) 100vw, 952px\" \/><\/p>\n<p>From the sent version number we can conclude that the version of the bot is 5.2 (similarly to <a 
href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/01\/post-holiday-spam-campaign-delivers-neutrino-bot\/\" target=\"_blank\">this<\/a> campaign).<\/p>\n<h3>Inside<\/h3>\n<p>The first layer is a crypter stub that overwrites the initial PE in memory with the image of the loader. Unpacking it is demonstrated in\u00a0this video: <a href=\"https:\/\/www.youtube.com\/watch?v=m_xh33M_CRo\" data-rel=\"lightbox-video-0\" target=\"_blank\">https:\/\/www.youtube.com\/watch?v=m_xh33M_CRo<\/a>.<\/p>\n<p>The second layer is a loader that prevents the core bot from running in a controlled environment (i.e. on a VM or under a debugger). This element is probably new (we didn&#8217;t observe it so far in previous campaigns of Neutrino Bot, e.g. the one described <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/01\/post-holiday-spam-campaign-delivers-neutrino-bot\/\" target=\"_blank\">here<\/a>). We found the loader very effective in its protective task. Most of the sandboxes and test VMs used during tests failed to provide any useful results.<\/p>\n<p>The final payload had features typical of the Neutrino Bot family.<\/p>\n<p>The loader code\u00a0shows that it is an integral part of the full Neutrino Bot package &#8211; not yet another layer added by an independent crypter. Both the payload and the loader are written in C++, use similar functions and contain overlapping strings. This will be demonstrated in detail later in this\u00a0article. They both also have very close compilation timestamps: payload: <em>2017-02-16 17:15:43<\/em>, loader: <em>2017-02-16 17:15:52<\/em>.<\/p>\n<p>A patched version of the loader, with environment checks disabled, can be viewed <a href=\"https:\/\/www.hybrid-analysis.com\/sample\/6f22f22ea510f35d3b6f9edd610e6ba3e6499ff6867f52a3361709c48d886c41?environmentId=100\" target=\"_blank\">here<\/a>.<\/p>\n<h4>Loader<\/h4>\n<h5>Obfuscation techniques<\/h5>\n<p>The code inside contains some\u00a0level of obfuscation. 
A few strings are visible:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16566\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/open_strings.png\" alt=\"\" width=\"617\" height=\"271\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/open_strings.png 617w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/open_strings-300x132.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/open_strings-600x264.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/open_strings-195x85.png 195w\" sizes=\"auto, (max-width: 617px) 100vw, 617px\" \/><\/p>\n<ul>\n<li>Directory name<\/li>\n<li>Some\u00a0functions<\/li>\n<li>Registry keys related to Windows Security features that are going to be disabled<\/li>\n<li>Strings used to add a new scheduled task.<\/li>\n<\/ul>\n<p>However, that\u00a0is not all. Most of the strings are decrypted at runtime. Here is an example of loading an\u00a0encrypted string:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16485\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/enc_str1.png\" alt=\"\" width=\"464\" height=\"300\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/enc_str1.png 464w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/enc_str1-300x194.png 300w\" sizes=\"auto, (max-width: 464px) 100vw, 464px\" \/><\/p>\n<p>First, the obfuscated string is written to dynamically allocated memory by a dedicated function. 
Then, it is decrypted using a simple, XOR-based algorithm:<\/p>\n<pre>def decode(data):\n    maxlen = len(data)\n    decoded = bytearray()\n    for i in range(0, maxlen):\n        dec = data[i] ^ 1\n        decoded.append(dec)\n    return decoded<\/pre>\n<p>The same string after decryption:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16486\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/decrypting_proc.png\" alt=\"\" width=\"487\" height=\"355\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/decrypting_proc.png 487w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/decrypting_proc-300x219.png 300w\" sizes=\"auto, (max-width: 487px) 100vw, 487px\" \/><\/p>\n<p>Most of the API calls are also dynamically resolved. Example:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16555\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/load_func.png\" alt=\"\" width=\"438\" height=\"114\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/load_func.png 438w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/load_func-300x78.png 300w\" sizes=\"auto, (max-width: 438px) 100vw, 438px\" \/><\/p>\n<p>Tracing API calls helps to understand the program&#8217;s functionality. For this reason, the authors of this malware implemented some of the functions without using API calls at all. 
In the example below you can see the function <em>GetLastError()<\/em> implemented by reading a low-level structure, the <a href=\"http:\/\/www.geoffchappell.com\/studies\/windows\/win32\/ntdll\/structs\/teb\/index.htm\" target=\"_blank\">Thread Environment Block (TEB)<\/a>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16554\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/get_last_err.png\" alt=\"\" width=\"460\" height=\"91\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/get_last_err.png 460w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/get_last_err-300x59.png 300w\" sizes=\"auto, (max-width: 460px) 100vw, 460px\" \/><\/p>\n<h5>Functionality<\/h5>\n<p>To prevent being executed more than once, the loader creates a mutex with a name that is hardcoded in the binary: <em>1ViUVZZXQxx<\/em>.<\/p>\n<p>The primary task of the loader is to check the environment, in order to make sure that the execution is not being watched. But, contrary to most malware, the check is not just done once. 
A dedicated thread is deployed for it:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16556\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/env_check.png\" alt=\"\" width=\"408\" height=\"101\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/env_check.png 408w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/env_check-300x74.png 300w\" sizes=\"auto, (max-width: 408px) 100vw, 408px\" \/><\/p>\n<p>It runs the checks in a never-ending loop:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16573\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/checking_loop.png\" alt=\"\" width=\"831\" height=\"215\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/checking_loop.png 831w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/checking_loop-300x78.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/checking_loop-600x155.png 600w\" sizes=\"auto, (max-width: 831px) 100vw, 831px\" \/><\/p>\n<p>If at any time the loader detects, for example, a blacklisted process running, execution is terminated.<\/p>\n<p>Examples of the checks performed:<\/p>\n<p>1. Enumerates the list of running processes (using the dynamically loaded functions <em>CreateToolhelp32Snapshot<\/em> &#8211; <em>Process32First<\/em> &#8211; <em>Process32Next<\/em>). 
Calculates a checksum from each retrieved process name and compares it with the built-in blacklist:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16567\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/search_process-1.png\" alt=\"\" width=\"500\" height=\"211\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/search_process-1.png 500w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/search_process-1-300x127.png 300w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/p>\n<p>The blacklisted checksums:<\/p>\n<style>.gist table { margin-bottom: 0; }<\/style>\n<div class=\"gist-oembed\" data-gist=\"hasherezade\/aefabdb9a67193ef05c93228a78c20c6.json?file=processes_blacklist.txt\"><\/div>\n<p>Implementation of the function searching for blacklisted processes &#8211; as we can see, every API function is resolved dynamically by its corresponding checksum:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-16584\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/enc_searching_blacklisted.png\" alt=\"\" width=\"779\" height=\"623\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/enc_searching_blacklisted.png 860w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/enc_searching_blacklisted-300x240.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/enc_searching_blacklisted-600x480.png 600w\" sizes=\"auto, (max-width: 779px) 100vw, 779px\" \/><\/p>\n<p>2. Searches for blacklisted modules within the current process (using the dynamically loaded functions <em>CreateToolhelp32Snapshot<\/em> &#8211; <em>Module32First<\/em> &#8211; <em>Module32Next<\/em>). 
Similarly, it calculates the checksum from each retrieved module name and compares it with the built-in blacklist.<\/p>\n<p>Checksum calculation algorithm (<a href=\"https:\/\/gist.github.com\/hasherezade\/aefabdb9a67193ef05c93228a78c20c6#file-checksum-cpp\" target=\"_blank\">implementation<\/a>):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16558\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/calc_checksum.png\" alt=\"\" width=\"286\" height=\"277\" \/><\/p>\n<p>The blacklisted checksums:<\/p>\n<style>.gist table { margin-bottom: 0; }<\/style>\n<div class=\"gist-oembed\" data-gist=\"hasherezade\/aefabdb9a67193ef05c93228a78c20c6.json?file=modules_blacklist.txt\"><\/div>\n<p>3. Checking if the process is under a debugger, using <em>IsDebuggerPresent<\/em> and <em>CheckRemoteDebuggerPresent<\/em><\/p>\n<p>4. Detecting single-stepping by time measurement, using <em>GetTickCount &#8211; Sleep &#8211; GetTickCount<\/em><\/p>\n<p>5. Anti-VM check by detecting blacklisted devices &#8211; using <em><a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa365461(v=vs.85).aspx\" target=\"_blank\">QueryDosDevices<\/a><\/em>, e.g. VBoxGuest<\/p>\n<p>6. Searching for and hiding blacklisted windows by their classes &#8211; using <em>EnumWindows<\/em> &#8211; <em>GetClassName<\/em> (e.g. 
<em>procexpl<\/em>)<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-16568\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/search_window.png\" alt=\"\" width=\"454\" height=\"547\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/search_window.png 577w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/search_window-249x300.png 249w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/search_window-498x600.png 498w\" sizes=\"auto, (max-width: 454px) 100vw, 454px\" \/><\/p>\n<p>The blacklisted checksums:<\/p>\n<style>.gist table { margin-bottom: 0; }<\/style>\n<div class=\"gist-oembed\" data-gist=\"hasherezade\/aefabdb9a67193ef05c93228a78c20c6.json?file=windows_blacklist.txt\"><\/div>\n<p>In another thread, the malware performs operations related to the bot installation &#8211; adding a task to the Windows Scheduler, adding exclusions to the\u00a0Firewall etc.<\/p>\n<p>Finally, it unpacks the final payload and runs it with the help of the Run PE method. 
First, it creates another instance of its own:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16574\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/run_pe.png\" alt=\"\" width=\"585\" height=\"42\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/run_pe.png 585w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/run_pe-300x22.png 300w\" sizes=\"auto, (max-width: 585px) 100vw, 585px\" \/><\/p>\n<p>Then, it maps a new PE file into that process in place of the original image:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16575\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/loading_new_pe.png\" alt=\"\" width=\"448\" height=\"378\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/loading_new_pe.png 448w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/loading_new_pe-300x253.png 300w\" sizes=\"auto, (max-width: 448px) 100vw, 448px\" \/><\/p>\n<h4>Payload<\/h4>\n<p>The loaded payload is a Neutrino Bot, with very similar features to the one that we described in <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/01\/post-holiday-spam-campaign-delivers-neutrino-bot\/\" target=\"_blank\">a previous post.<\/a>\u00a0We can also find elements it shares with the loader, for example matching strings:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16576\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/matching_strings.png\" alt=\"\" width=\"447\" height=\"191\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/matching_strings.png 447w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/matching_strings-300x128.png 300w\" sizes=\"auto, (max-width: 447px) 100vw, 447px\" \/><\/p>\n<h3>Conclusion<\/h3>\n<p>Neutrino Bot has been\u00a0on the market for a\u00a0few years. 
It is rich in features but its\u00a0internal structure was never impressive. This time also, the malware authors did not make any significant improvements to\u00a0the main bot&#8217;s structure. However, they added one more protection layer which\u00a0is very scrupulous in its task of fingerprinting the environment and not allowing the bot to be discovered.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/02\/new-neutrino-bot-comes-in-a-protective-loader\/\">New Neutrino Bot comes in a protective loader<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/02\/new-neutrino-bot-comes-in-a-protective-loader\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Mon, 27 Feb 2017 19:30:31 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/02\/new-neutrino-bot-comes-in-a-protective-loader\/' title='New Neutrino Bot comes in a protective loader'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2013\/07\/blue_virus.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>We take another look at the Neutrino bot, known for its diverse feature set ranging from snooping on victims to performing DDos attacks. 
This latest version includes a hardened protective layer aimed at defeating sandboxes and hiding the bot from discovery.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/malware\/\" rel=\"category tag\">Malware<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/exploit-kit\/\" rel=\"tag\">exploit kit<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malvertising\/\" rel=\"tag\">malvertising<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malware\/\" rel=\"tag\">malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/neutrino-bot\/\" rel=\"tag\">neutrino bot<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/neutrino-ek\/\" rel=\"tag\">neutrino ek<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/packer\/\" rel=\"tag\">packer<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/02\/new-neutrino-bot-comes-in-a-protective-loader\/' title='New Neutrino Bot comes in a protective loader'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/02\/new-neutrino-bot-comes-in-a-protective-loader\/\">New Neutrino Bot comes in a protective loader<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[4503,10534,10531,3764,10501,11482,11483,10494],"class_list":["post-6797","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cybercrime","tag-exploit-kit","tag-malvertising","tag-malware","tag-neutrino-bot","tag-neutrino-ek","tag-packer","tag-threat-analysis"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6797","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6797"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6797\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6797"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6797"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6797"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}