{"id":7022,"date":"2017-03-17T10:41:21","date_gmt":"2017-03-17T18:41:21","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/17\/news-813\/"},"modified":"2017-03-17T10:41:21","modified_gmt":"2017-03-17T18:41:21","slug":"news-813","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/17\/news-813\/","title":{"rendered":"Grabbot is Back to Nab Your Data"},"content":{"rendered":"

Credit to Author: David Wang and He Xu| Date: Fri, 17 Mar 2017 10:59:31 -0700<\/strong><\/p>\n

\n

Introduction<\/h2>\n

Fortinet<\/a> has discovered a new botnet capable of stealing large amounts of user information, as well as remotely manipulating compromised machines. The malware appears to be based on an older botnet known as Grabbot, which was first discovered back in November of 2014. This new variant improves on that existing functionality while adding several dangerous new features. This blog aims to offer a quick insight into how Grabbot functions.<\/p>\n

Replication<\/h2>\n

The bot can be found hosted on a number of compromised websites with a random filename. We currently suspect that Grabbot may arrive on these hosts through Exploit Kits or other malicious campaigns.<\/p>\n

The bot may drop several files in the following paths:<\/p>\n

\u25cf"%AppData%{GUID}{generated filename}.exe"<\/p>\n

\u25cf"%AppData%{GUID}{generated filename}.bat"<\/p>\n

\u25cf"%AppData%{GUID}{generated filename}"<\/p>\n

Note that each generated filename is different, with the host machine’s System Volume Information. Several mutexes are created in the same way. Each drop file also has its file time information set to be the same as “cmd.exe” in Windows.<\/p>\n

The malware creates the following registry entry to survive system reboots:<\/p>\n

\u25cfHKEY_CURRENT_USERSoftwareMicrosoft WindowsCurrentVersionRun<\/p>\n

\u25cb{GUID} = "%AppData%{GUID}{generated filename}.exe"<\/p>\n

During execution, the bot may inject the main payload into explorer.exe and delete the original file.<\/p>\n

Browser Targeting<\/h2>\n

The bot enters a sleep loop and will not perform the rest of its functionality unless one of the following internet browsers is found in the active process list:<\/p>\n

\u25cfInternet Explorer (iexplore.exe)<\/p>\n

\u25cfFirefox (firefox.exe)<\/p>\n

\u25cfGoogle Chrome (chrome.exe)<\/p>\n

\u25cfOpera (opera.exe)<\/p>\n

Anti-analysis measures<\/p>\n

The bot also scans active processes for the presence of certain system analysis tools, such as Wireshark or Process Explorer. If any is found, the bot may branch into a fake set of behaviours instead of the actual payload.<\/p>\n

\"\"<\/p>\n

Fig.1: Searching for hashes of specific process names<\/p>\n

\"\"<\/p>\n

Fig. 2: Part of the fake behaviour – Random domain name generation and contact<\/p>\n

C&C Connection<\/h2>\n

Before the bot attempts to contact the command and control (C&C) server, it first makes a connection to www.microsoft.com<\/em> to verify internet connectivity. If a connection can be established, the bot will iterate through a list of possible C&C servers and contact each until a response is received. The list of C&Cs observed in this sample are:<\/p>\n

\u25cfhttp:\/\/de{REMOVED}is.site<\/p>\n

\u25cfhttp:\/\/ge{REMOVED}et.site<\/p>\n

\u25cfhttp:\/\/bi{REMOVED}ys.info<\/p>\n

\u25cfhttp:\/\/on{REMOVED}nc.site<\/p>\n

\u25cfhttp:\/\/de{REMOVED}is.info<\/p>\n

\u25cfhttp:\/\/ss{REMOVED}rs.info<\/p>\n

When a connection is established, the bot may attempt to download the following data files:<\/p>\n

\u25cf\/wordpress\/ajax\/d.dat<\/p>\n

\u25cf\/wordpress\/ajax\/e.dat<\/p>\n

\u25cf\/wordpress\/ajax\/f.dat<\/p>\n

\u25cf\/wordpress\/ajax\/out.dat<\/p>\n

\u25cf\/wordpress\/ajax\/g.dat<\/p>\n

\u25cf\/wordpress\/ajax\/h.dat<\/p>\n

The files are saved on the disk with a generated filename. Notably, the file “out.dat” is renamed to the executable file in the autorun registry. All communication between the bot and the C&C are encrypted and done through HTTP. In any contact with a C&C, the bot will try twice to establish connection before trying a different C&C.<\/p>\n

\"\"Fig.3: C&C communication<\/p>\n

C&C Commands<\/h2>\n

The botnet is capable of responding to the following commands:<\/p>\n

Compared to the previous known version of Grabbot, there are several new commands labeled “conf_update2”, “install_bd1”, “grab_pop”, “run_plugin_exe” and “run_plugin_dll”.<\/p>\n

Sending Back Debug Information<\/h2>\n

The bot is able to extract current system information, including a list of active processes, detected AV products, and a list of installed applications. The bot may send this information to the C&C on command.<\/p>\n

\"\"<\/p>\n

Fig.4: System debug information<\/p>\n

Banking Backdoor<\/h2>\n

The bot is also capable of tracking if specific sites, namely financial institutions and services, are accessed, and may launch a proxy or remote access backdoor to steal information. Some targeted sites from the list are as follows (in the format of *[URL]*;[backdoor cmd][arguments]):<\/p>\n

\u25cf*paypal.com*;socks_bc 5.{REMOVED}.250:7777<\/p>\n

\u25cf*https:\/\/www1.royalbank.com\/cgi-bin\/rbaccess\/*;run_vnc<\/p>\n

\u25cf*https:\/\/easyweb.td.com\/*;run_vnc<\/p>\n

\u25cf*https:\/\/www1.bmo.com\/onlinebanking\/cgi-bin\/netbnx\/NBmain?product=5*;run_vnc<\/p>\n

Crypto-Currency Wallet Stealing<\/h2>\n

The bot recursively scans the %AppData% directory looking for files with the name “wallet.dat”, “electrum.dat” or “wallet”. If any match is found, the contents of the file are read and encrypted, then stored into a temporary file for retrieval.<\/p>\n

\"\"<\/p>\n

Fig.5: Wallet data to be retrieved<\/p>\n

Conclusion<\/h2>\n

Grabbot was a relatively unknown bot in the past, but from our brief analysis of this new variant it is apparent that Grabbot now has the potential to be very dangerous. Although we are still investigating its current distribution method, Fortinet is able to detect this new variant and we will keep you updated on any further changes.<\/p>\n

Sample MD5: d439c468d59f117c584bda463b03aea9<\/p>\n

Sample SHA256: 6d8ce2d1b33ff42ba04ded09fe79cff158e6dfffa82f6ceada12f4fda6d0c221<\/p>\n

Fortinet Detection Name: W32\/Kryptik.VVV!tr<\/p>\n

 <\/p>\n

Sign up<\/i><\/a> for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.<\/i><\/p>\n<\/div
https:\/\/blog.fortinet.com\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: David Wang and He Xu| Date: Fri, 17 Mar 2017 10:59:31 -0700<\/strong><\/p>\n

Introduction Fortinet recently discovered a new botnet capable of stealing large amounts of user information, as well as remotely manipulating compromised machines. The malware appears to be based on an older botnet known as Grabbot, which was first discovered back in November of 2014[1]. This new variant improves on that existing functionality while adding several dangerous new features. This blog aims to offer a quick insight into how Grabbot functions. Replication The bot can be found hosted on a number of compromised websites with a…<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-7022","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7022","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7022"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7022\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7022"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7022"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7022"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}