{"id":8323,"date":"2017-07-12T08:10:10","date_gmt":"2017-07-12T16:10:10","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/07\/12\/news-2097\/"},"modified":"2017-07-12T08:10:10","modified_gmt":"2017-07-12T16:10:10","slug":"news-2097","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/07\/12\/news-2097\/","title":{"rendered":"A .NET malware abusing legitimate ffmpeg"},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Wed, 12 Jul 2017 15:00:52 +0000<\/strong><\/p>\n<p>There is a growing trend among malware authors to bundle legitimate applications into their malicious packages. This time, we encountered malware that downloads a legitimate <a href=\"https:\/\/virustotal.com\/en\/file\/ac85032ffb2f22d6d0f903217e73bbdcacd4ac5a0197bd7e69b13709a7a1b70f\/analysis\/\" target=\"_blank\" rel=\"noopener noreferrer\">ffmpeg<\/a>. Thanks to it, this simple spyware written in .NET gained a powerful feature. Most spyware settles for periodically taking screenshots of the infected machine. This malware goes a step further and records full videos of the user&#8217;s activity. 
In this post, we take a look at this and the other capabilities of this sample.<\/p>\n<h3>Analyzed samples<\/h3>\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/b920e5f907caced96cebd946cbf6aad02b10676712c2663f2187a8a9fad5b311\/analysis\/\" target=\"_blank\" rel=\"noopener noreferrer\">2a07346045558f49cad9da0d249963f1<\/a> &#8211; dropper (JS)\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/en\/file\/91df20cfd25c140da8728f67e004dc42277922aac62b8dce7589ee82f84ca52a\/analysis\/\" target=\"_blank\" rel=\"noopener noreferrer\">049af19db6ddd998ac94be3147050217<\/a> &#8211; dropped executable (C#)\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/en\/file\/5981576009cd18282cad4eed8dbc33d8f2e7c7a7222c1de31ac6c1f4b8f3aff2\/analysis\/\" target=\"_blank\" rel=\"noopener noreferrer\">9c9f9b127becf7667df4ff9726420ccb<\/a> &#8211; loader\n<ul>\n<li><a href=\"https:\/\/www.reverse.it\/sample\/52a481fda8d5d674beb46faddfdec6329c1c63f1ef00f439aaa7e8ef947d7512?environmentId=100\" target=\"_blank\" rel=\"noopener noreferrer\">85d35dd33f898a1f03ffb3b2ec111132<\/a> &#8211; final payload<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Downloaded plugins:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/en\/file\/7d822d00cd31f4e3bc7bad3535a6590e2f838cc575b8128e716db59b37eb6fb5\/analysis\/1497891080\/\" target=\"_blank\" rel=\"noopener noreferrer\">e907ebeda7d6fd7f0017a6fb048c4d23<\/a> &#8211; remotedesktop.dll<\/li>\n<li><a href=\"https:\/\/www.virustotal.com\/en\/file\/dfe4222c135c369797b101929bcb8b7cb303fd446dee7a24fd312395842cd070\/analysis\/1497890732\/\" target=\"_blank\" rel=\"noopener noreferrer\">d628d2a9726b777961f2d1346f988767<\/a> &#8211; processmanager.dll<\/li>\n<\/ul>\n<h3>Behavioral analysis<\/h3>\n<p>The JS file drops the embedded executable into the %TEMP% folder and then runs it. The executable installs itself under a random name, creating its own folder in %APPDATA%. Persistence is achieved through a Run key. 
An additional copy of the malware is also dropped in the Startup folder:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18328\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/persistence.png\" alt=\"\" width=\"728\" height=\"82\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/persistence.png 728w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/persistence-300x34.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/persistence-600x68.png 600w\" sizes=\"auto, (max-width: 728px) 100vw, 728px\" \/><\/p>\n<p>While running, the executable creates .tmp files inside its installation folder. Their content is not encrypted, and looking inside we can see that it is saving keystrokes and logging the running applications:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18401\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/keylog.png\" alt=\"\" width=\"693\" height=\"268\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/keylog.png 693w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/keylog-300x116.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/keylog-600x232.png 600w\" sizes=\"auto, (max-width: 693px) 100vw, 693px\" \/><\/p>\n<p>Another interesting thing we noted is that the malware downloads legitimate applications: <em><a href=\"https:\/\/virustotal.com\/en\/file\/65d41340cc826c70d2fad878b83b63291128496888b91844b55e360068e83bd5\/analysis\/\" target=\"_blank\" rel=\"noopener noreferrer\">Rar.exe<\/a><\/em>, <a href=\"https:\/\/virustotal.com\/en\/file\/ac85032ffb2f22d6d0f903217e73bbdcacd4ac5a0197bd7e69b13709a7a1b70f\/analysis\/\" target=\"_blank\" rel=\"noopener noreferrer\"><em>ffmpeg.exe<\/em><\/a> and related DLLs: <em><a 
href=\"https:\/\/virustotal.com\/en\/file\/dfbaba45f89b259a9038cb6de091f095c92a9979838c133f761be03a0837f4b9\/analysis\/\" target=\"_blank\" rel=\"noopener noreferrer\">DShowNet.dll<\/a><\/em>, <em><a href=\"https:\/\/virustotal.com\/en\/file\/5bf397047e7d8c5950f6ba96e851aa8a8909e681a5bc4690324bf8ce1c8b319f\/analysis\/\" target=\"_blank\" rel=\"noopener noreferrer\">DirectX.Capture.dll<\/a><\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18400\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/ffmpeg.png\" alt=\"\" width=\"592\" height=\"236\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/ffmpeg.png 592w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/ffmpeg-300x120.png 300w\" sizes=\"auto, (max-width: 592px) 100vw, 592px\" \/><\/p>\n<p>The malware has been observed closing and deleting some applications while it is running. During our tests, it removed, for example, <em>ProcessExplorer<\/em> and <em>baretail<\/em> from the infected machine.<\/p>\n<h3>Network communication<\/h3>\n<p>The malware communicates with the CnC server over TCP on port 98.<\/p>\n<p>The server sends the client the command &#8220;idjamel&#8221; and the client responds with basic information collected about the victim machine: machine name\/user name, the installed operating system, and a list of running processes. After this beacon, the server sends the client its configuration, i.e. 
a list of the targeted banks.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18408\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/beacon.png\" alt=\"\" width=\"741\" height=\"456\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/beacon.png 741w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/beacon-300x185.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/beacon-600x369.png 600w\" sizes=\"auto, (max-width: 741px) 100vw, 741px\" \/><\/p>\n<p>The bot saves the configuration in the registry:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18404\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/software-1.png\" alt=\"\" width=\"1050\" height=\"182\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/software-1.png 1050w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/software-1-300x52.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/software-1-600x104.png 600w\" sizes=\"auto, (max-width: 1050px) 100vw, 1050px\" \/><\/p>\n<p>After that, the CnC sends a set of Base64-encoded PE files. The content of each file is prefixed with its name. The non-malicious helper binaries can be identified by the keyword &#8220;djamelreference&#8221;. 
Malicious plugins are identified by &#8220;djamelplugin&#8221;.<\/p>\n<p>Downloading <em>DShowNET.dll<\/em>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18411\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/dshow.png\" alt=\"\" width=\"773\" height=\"94\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/dshow.png 773w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/dshow-300x36.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/dshow-600x73.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/dshow-767x94.png 767w\" sizes=\"auto, (max-width: 773px) 100vw, 773px\" \/><\/p>\n<p>Downloading a plugin &#8211; <em>remotedesktop.dll<\/em> (<a href=\"https:\/\/www.virustotal.com\/en\/file\/7d822d00cd31f4e3bc7bad3535a6590e2f838cc575b8128e716db59b37eb6fb5\/analysis\/1497891080\/\" target=\"_blank\" rel=\"noopener noreferrer\">e907ebeda7d6fd7f0017a6fb048c4d23<\/a>):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18413\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/remotedesk.png\" alt=\"\" width=\"776\" height=\"106\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/remotedesk.png 776w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/remotedesk-300x41.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/remotedesk-600x82.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/remotedesk-767x106.png 767w\" sizes=\"auto, (max-width: 776px) 100vw, 776px\" \/><\/p>\n<p>The <em>ffmpeg<\/em> application is downloaded from a URL supplied by the CnC:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18422\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/get_ffmpeg.png\" alt=\"\" width=\"584\" height=\"317\" 
srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/get_ffmpeg.png 584w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/get_ffmpeg-300x163.png 300w\" sizes=\"auto, (max-width: 584px) 100vw, 584px\" \/><\/p>\n<p>Following the address, we find a dummy page that may be owned by the attackers. Its Facebook Like button points to the account &#8220;AnonymousBr4zil&#8221;:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-18423\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/site.png\" alt=\"\" width=\"714\" height=\"639\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/site.png 912w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/site-300x268.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/site-600x537.png 600w\" sizes=\"auto, (max-width: 714px) 100vw, 714px\" \/><\/p>\n<p>The bot reports the running applications to the server, i.e. 
sending the text of their title bars encoded in Base64:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18419\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/base64_report.png\" alt=\"\" width=\"763\" height=\"219\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/base64_report.png 763w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/base64_report-300x86.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/base64_report-600x172.png 600w\" sizes=\"auto, (max-width: 763px) 100vw, 763px\" \/><\/p>\n<p>Example:<\/p>\n<pre>awt||UHJvY2VzcyBFeHBsb3JlciAtIFN5c2ludGVybmFsczogd3d3LnN5c2ludGVybmFscy5jb20gW3Rlc3RtYWNoaW5lXHRlc3Rlcl0=djamel<\/pre>\n<p>Decoded (the bracketed part is the machine name\\user name pair):<\/p>\n<pre>Process Explorer - Sysinternals: www.sysinternals.com [testmachine\\tester]<\/pre>\n<h3>Inside<\/h3>\n<h4>Unpacking<\/h4>\n<p>The sample is packed with the help of <a href=\"http:\/\/cloudprotector.pw\/\" target=\"_blank\" rel=\"noopener noreferrer\">CloudProtector<\/a> (thanks to @<span class=\"DMUpdateName-name DMConversation-name u-textTruncate\"><a href=\"https:\/\/twitter.com\/malwrhunterteam\" target=\"_blank\" rel=\"noopener noreferrer\">MalwareHunterTeam<\/a> for the tip). It is the same protector that was used in some other cases we analyzed earlier (read more <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/07\/unpacking-yet-another-net-crypter\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>). Just like in the previous case, it decrypts the payload using a custom algorithm and a key supplied in its configuration. 
The decrypted executable is then loaded into memory with the RunPE technique (also known as process hollowing).<br \/> <\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18329\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/decrypt.png\" alt=\"\" width=\"1137\" height=\"526\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/decrypt.png 1137w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/decrypt-300x139.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/decrypt-600x278.png 600w\" sizes=\"auto, (max-width: 1137px) 100vw, 1137px\" \/><\/p>\n<h4>The core<\/h4>\n<p>The unpacked payload is the layer containing all the malicious features. It is not further obfuscated, so we can easily decompile it (e.g. with dnSpy) and read the code.<\/p>\n<p>We can see classes with descriptive names, such as ProtectMe, ScreemCapture and SocketClient.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18330\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/sbuild.png\" alt=\"\" width=\"257\" height=\"257\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/sbuild.png 257w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/sbuild-150x150.png 150w\" sizes=\"auto, (max-width: 257px) 100vw, 257px\" \/><\/p>\n<p>At first sight, the purpose of this malware is clear: spying on the user and backdooring the infected machine.<\/p>\n<p>The class Form1 is the main module, responsible for communicating with the CnC and coordinating actions. 
It contains hardcoded data used for installation and the address of the CnC server:<\/p>\n<pre>37.187.92.171:98<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18407\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/hardcoded_data.png\" alt=\"\" width=\"554\" height=\"207\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/hardcoded_data.png 554w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/hardcoded_data-300x112.png 300w\" sizes=\"auto, (max-width: 554px) 100vw, 554px\" \/><\/p>\n<p>The victim name is copied from the binary and saved in a registry key:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18437\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/victim_name.png\" alt=\"\" width=\"286\" height=\"22\" \/><\/p>\n<p>If the bot detects software for e-Carte Bleue (a French payment card), it appends a corresponding string to the identifier and also sends additional information to the server:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18436\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/search_carte_bleue.png\" alt=\"\" width=\"1160\" height=\"592\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/search_carte_bleue.png 1160w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/search_carte_bleue-300x153.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/search_carte_bleue-600x306.png 600w\" sizes=\"auto, (max-width: 1160px) 100vw, 1160px\" \/><\/p>\n<p>Each module runs independently, started in a new thread:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18333\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/start_modules.png\" alt=\"\" width=\"551\" height=\"492\" 
srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/start_modules.png 551w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/start_modules-300x268.png 300w\" sizes=\"auto, (max-width: 551px) 100vw, 551px\" \/><\/p>\n<h4>Video recording<\/h4>\n<p>Below is the fragment of code responsible for downloading the ffmpeg application:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18337\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/download_ffmpeg.png\" alt=\"\" width=\"777\" height=\"358\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/download_ffmpeg.png 777w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/download_ffmpeg-300x138.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/download_ffmpeg-600x276.png 600w\" sizes=\"auto, (max-width: 777px) 100vw, 777px\" \/><\/p>\n<p>The main goal of the malware authors is to spy on the user&#8217;s banking activities. That is why video recording is triggered when the victim opens a particular online banking site. The list of targets is supplied by the CnC and saved in the registry under the key &#8220;ve&#8221;, for example:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18434\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/targets-1.png\" alt=\"\" width=\"585\" height=\"25\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/targets-1.png 585w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/targets-1-300x13.png 300w\" sizes=\"auto, (max-width: 585px) 100vw, 585px\" \/><\/p>\n<p>Periodically, the malware checks whether a target from the list is open in the browser. 
If one is detected, the malware starts the video recorder:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18427\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/record_video.png\" alt=\"\" width=\"1038\" height=\"712\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/record_video.png 1038w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/record_video-300x206.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/record_video-600x412.png 600w\" sizes=\"auto, (max-width: 1038px) 100vw, 1038px\" \/><\/p>\n<p>The function &#8220;VeifyingTime&#8221; compares the window title bar with the supplied string.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18432\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/check_win.png\" alt=\"\" width=\"669\" height=\"289\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/check_win.png 669w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/check_win-300x130.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/check_win-600x259.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/check_win-195x85.png 195w\" sizes=\"auto, (max-width: 669px) 100vw, 669px\" \/><\/p>\n<p>Videos are recorded with the <em>ffmpeg<\/em> application:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18429\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/start_rec.png\" alt=\"\" width=\"1171\" height=\"547\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/start_rec.png 1171w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/start_rec-300x140.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/start_rec-600x280.png 600w\" sizes=\"auto, (max-width: 1171px) 100vw, 1171px\" 
\/><\/p>\n<p>The recordings are then sent to the CnC, encoded in Base64:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18435\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/send_video_as_b64.png\" alt=\"\" width=\"616\" height=\"215\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/send_video_as_b64.png 616w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/send_video_as_b64-300x105.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/send_video_as_b64-600x209.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/send_video_as_b64-470x165.png 470w\" sizes=\"auto, (max-width: 616px) 100vw, 616px\" \/><\/p>\n<p>The malware can also take simple screenshots, saved as JPG. The pictures and the captured logs are periodically compressed with the Rar application and then also sent to the CnC:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18430\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/periodic_rar.png\" alt=\"\" width=\"834\" height=\"588\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/periodic_rar.png 834w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/periodic_rar-300x212.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/periodic_rar-600x423.png 600w\" sizes=\"auto, (max-width: 834px) 100vw, 834px\" \/><\/p>\n<h4>Keylogger<\/h4>\n<p>The class name kyl stands for keylogger:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18334\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/tap_keys.png\" alt=\"\" width=\"475\" height=\"405\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/tap_keys.png 475w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/tap_keys-300x256.png 300w\" 
sizes=\"auto, (max-width: 475px) 100vw, 475px\" \/><\/p>\n<p>It also has the ability to enumerate open windows:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/tap_windows.png\" target=\"_blank\" rel=\"noopener noreferrer\" data-rel=\"lightbox-0\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18335\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/tap_windows.png\" alt=\"\" width=\"1188\" height=\"361\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/tap_windows.png 1188w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/tap_windows-300x91.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/tap_windows-600x182.png 600w\" sizes=\"auto, (max-width: 1188px) 100vw, 1188px\" \/><\/a><\/p>\n<p>This is the class responsible for creating the .tmp file mentioned earlier:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18336\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/log_to_tmp.png\" alt=\"\" width=\"495\" height=\"125\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/log_to_tmp.png 495w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/log_to_tmp-300x76.png 300w\" sizes=\"auto, (max-width: 495px) 100vw, 495px\" \/><\/p>\n<h4>Protect Me<\/h4>\n<p>This class is responsible for disabling applications that may be used to monitor the malware&#8217;s activity:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-18424\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/find_and_close_win.png\" alt=\"\" width=\"798\" height=\"574\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/find_and_close_win.png 894w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/find_and_close_win-300x216.png 300w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/find_and_close_win-600x432.png 600w\" sizes=\"auto, (max-width: 798px) 100vw, 798px\" \/><\/p>\n<h4>Plugins<\/h4>\n<p>The basic functionality of the bot can be extended with additional plugins downloaded from the CnC:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18438\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/plugin1.png\" alt=\"\" width=\"709\" height=\"136\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/plugin1.png 709w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/plugin1-300x58.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/plugin1-600x115.png 600w\" sizes=\"auto, (max-width: 709px) 100vw, 709px\" \/><\/p>\n<p>In the observed case, the bot downloaded two plugins, giving it capabilities typical of a RAT:<\/p>\n<p><em>processmanager.dll,<\/em> written in 2015:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18415\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/processmanager_info.png\" alt=\"\" width=\"370\" height=\"61\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/processmanager_info.png 370w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/processmanager_info-300x49.png 300w\" sizes=\"auto, (max-width: 370px) 100vw, 370px\" \/><\/p>\n<p>and <em>remotedesktop.dll,<\/em> written in 2016:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18414\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/remote_desk.png\" alt=\"\" width=\"420\" height=\"60\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/remote_desk.png 420w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/remote_desk-300x43.png 300w\" sizes=\"auto, (max-width: 420px) 100vw, 420px\" 
\/><\/p>\n<p>Unlike the main module and the previous plugin, <em>remotedesktop.dll<\/em> is obfuscated: the names of its classes and variables are no longer meaningful:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18417\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/remotedesk_classes.png\" alt=\"\" width=\"288\" height=\"281\" \/><\/p>\n<h3>Conclusion<\/h3>\n<p>This malware was prepared by an unsophisticated actor. Neither the binary nor the communication protocol is well obfuscated, and the packer used is well known and easy to defeat. However, the malware is rich in features and seems to be actively maintained. Its capabilities for spying on the victim and backdooring the attacked machine should not be taken lightly: even a simple threat actor can cause a lot of damage when neglected.<\/p>\n<p>This malware is detected by <a href=\"https:\/\/www.malwarebytes.com\/premium\/\" target=\"_blank\" rel=\"noopener noreferrer\">Malwarebytes <\/a>as <em>Backdoor.DuBled<\/em>.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/07\/malware-abusing-ffmpeg\/\">A .NET malware abusing legitimate ffmpeg<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/07\/malware-abusing-ffmpeg\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Wed, 12 Jul 2017 15:00:52 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/07\/malware-abusing-ffmpeg\/' title='A .NET malware abusing legitimate ffmpeg'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2015\/03\/photodune-8894073-cyber-spy-mode-on-s.jpg' 
border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>There is a growing trend among malware authors to incorporate legitimate applications in their malicious package. This time, we encountered a malware downloading a legitimate ffmpeg. <\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/malware-threat-analysis\/\" rel=\"category tag\">Malware<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/net\/\" rel=\"tag\">.NET<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ffmpeg\/\" rel=\"tag\">ffmpeg<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malware\/\" rel=\"tag\">malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/payload\/\" rel=\"tag\">payload<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/rat\/\" rel=\"tag\">rat<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/07\/malware-abusing-ffmpeg\/' title='A .NET malware abusing legitimate ffmpeg'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/07\/malware-abusing-ffmpeg\/\">A .NET malware abusing legitimate ffmpeg<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[12999,13000,3764,13001,1810,10494],"class_list":["post-8323","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-net","tag-ffmpeg","tag-malware","tag-payload","tag-rat","tag-threat-analysis"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8323","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8323"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8323\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8323"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8323"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8323"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
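The bot report shown in the Network communication section above (a short tag, the separator ||, a Base64 body and the literal trailer djamel) is simple enough to decode mechanically, and the Video recording section says the bot starts ffmpeg when a window title matches a CnC-supplied target. The Python below is an added example written for this page, not code from the Malwarebytes analysis or from the malware: it decodes records of that shape, pulls the machine name\user name pair out of the trailing bracket, and replays the bot's own trigger check over the decoded titles so an analyst can see which reports would have started a recording. Treating djamel as a per-record terminator, the case-insensitive substring comparison, the target list, and the second, third and fourth sample records are assumptions; only the first record is the one quoted in the post.

```python
import base64
import binascii
import re

# Added example for this page, not code from the Malwarebytes analysis or the malware.
# Record shape as seen in the single report quoted in the post:
#     <tag>||<Base64 body>djamel
# Treating the trailer "djamel" as a per-record terminator is an assumption drawn
# from that one sample; the protocol itself is undocumented.
RECORD_RE = re.compile(r'^(?P<tag>\w+)\|\|(?P<body>[A-Za-z0-9+/=]*)djamel$')
# The decoded title ends in "[machinename\username]" in the quoted sample.
IDENTITY_RE = re.compile(r'\[(?P<machine>[^\\\]]+)\\(?P<user>[^\]]+)\]\s*$')

# Constructed target list standing in for the CnC-supplied "ve" list (the real
# one is only visible in the post's screenshot).
TARGETS = ['Banque', 'e-Carte Bleue']

SAMPLE_RECORDS = [
    # the record quoted in the post (Process Explorer window title)
    'awt||UHJvY2VzcyBFeHBsb3JlciAtIFN5c2ludGVybmFsczogd3d3LnN5c2ludGVybmFscy5jb20gW3Rlc3RtYWNoaW5lXHRlc3Rlcl0=djamel',
    # constructed: a banking tab title of the kind that would start a recording
    'awt||' + base64.b64encode(b'Mon compte - Banque [testmachine\\tester]').decode('ascii') + 'djamel',
    # constructed: Base64 body cut short in transit
    'awt||UHJvY2Vzcdjamel',
    # constructed: the CnC command from the post, which is not a report
    'idjamel',
]


def parse_report(record):
    """Decode one report; malformed input yields a dict with an 'error' key instead of raising."""
    record = record.strip()
    m = RECORD_RE.match(record)
    if not m:
        return {'raw': record, 'error': 'not a tag||base64djamel record'}
    tag, body = m.group('tag'), m.group('body')
    try:
        text = base64.b64decode(body, validate=True).decode('utf-8')
    except (binascii.Error, UnicodeDecodeError) as exc:
        return {'raw': record, 'tag': tag, 'error': 'bad Base64 body: %s' % exc}
    result = {'tag': tag, 'text': text}
    ident = IDENTITY_RE.search(text)
    if ident:
        result['machine'] = ident.group('machine')
        result['user'] = ident.group('user')
    return result


def recording_triggers(decoded, targets=TARGETS):
    """Replay the bot's trigger: titles containing a target string. Case-insensitive
    substring matching is an assumption; the post only says the title is compared."""
    hits = []
    for rec in decoded:
        text = rec.get('text')
        if not text:
            continue
        for target in targets:
            if target.lower() in text.lower():
                hits.append((text, target))
                break
    return hits


if __name__ == '__main__':
    decoded = [parse_report(r) for r in SAMPLE_RECORDS]
    for rec in decoded:
        print(rec)
    print('would trigger recording:', recording_triggers(decoded))
```

Running the script decodes the quoted record to the Process Explorer title with machine testmachine and user tester, reports the truncated and non-report inputs as errors rather than crashing, and lists only the constructed banking title as a recording trigger.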
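The host-side behaviours described in the Behavioral analysis and The core sections above (a random-named folder in %APPDATA%, a Run key plus a Startup-folder copy for persistence, ffmpeg.exe and Rar.exe executed from that folder, and a TCP connection to 37.187.92.171:98) translate directly into detection rules. The Python below is an added example, not code from the original post: it runs four such rules over a handful of constructed process, file, registry and network events. The event schema, the folder name qzkfa, the file name dropped.exe and the user name tester are this example's own inventions; the C2 address and the tool names come from the analysis. The rule for the legitimate tools is a heuristic (tool and parent both under %APPDATA%), since the post does not state the exact path the bot downloads them to.

```python
import re

# Added example for this page, not code from the Malwarebytes analysis.
# Telemetry below is constructed; field names are this example's own, not a
# real EDR or Sysmon schema. Folder "qzkfa", file "dropped.exe" and user
# "tester" are invented; the C2 address and tool names are from the post.
BOT_DIR = r'C:\Users\tester\AppData\Roaming\qzkfa'
BOT_EXE = BOT_DIR + r'\qzkfa.exe'
STARTUP = r'C:\Users\tester\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'

EVENTS = [
    # JS dropper (run by wscript) starts the dropped executable from %TEMP%
    {'type': 'process', 'image': r'C:\Users\tester\AppData\Local\Temp\dropped.exe',
     'parent': r'C:\Windows\System32\wscript.exe'},
    # the executable installs its copy under %APPDATA% and registers a Run key
    {'type': 'registry', 'process': BOT_EXE,
     'key': r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run', 'data': BOT_EXE},
    # ... and drops a second copy into the Startup folder
    {'type': 'file', 'process': BOT_EXE, 'path': STARTUP + r'\qzkfa.exe'},
    # legitimate tools fetched from the CnC, launched from the bot's folder
    {'type': 'process', 'image': BOT_DIR + r'\ffmpeg.exe', 'parent': BOT_EXE},
    {'type': 'process', 'image': BOT_DIR + r'\Rar.exe', 'parent': BOT_EXE},
    # beacon to the hardcoded CnC
    {'type': 'network', 'process': BOT_EXE, 'dst_ip': '37.187.92.171', 'dst_port': 98},
    # benign noise that must not alert: ffmpeg run by a video tool, HTTPS traffic
    {'type': 'process', 'image': r'C:\Program Files\VideoTool\ffmpeg.exe',
     'parent': r'C:\Program Files\VideoTool\VideoTool.exe'},
    {'type': 'network', 'process': r'C:\Program Files\Mozilla Firefox\firefox.exe',
     'dst_ip': '93.184.216.34', 'dst_port': 443},
]

C2 = ('37.187.92.171',  98)               # hardcoded in the analysed sample
ABUSED_TOOLS = {'ffmpeg.exe', 'rar.exe'}  # legitimate binaries the bot downloads
APPDATA_RE = re.compile(r'\\AppData\\(Roaming|Local)\\', re.IGNORECASE)
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run$', re.IGNORECASE)
STARTUP_RE = re.compile(r'\\Start Menu\\Programs\\Startup\\', re.IGNORECASE)


def _folder(path):
    return path.rsplit('\\', 1)[0].lower()


def _name(path):
    return path.rsplit('\\', 1)[-1].lower()


def triage(events):
    """Return (rule, detail) pairs for events matching the bot's behaviour."""
    alerts = []
    for ev in events:
        kind = ev['type']
        if kind == 'registry' and RUN_KEY_RE.search(ev['key']):
            # Run key whose target is the writing process itself, under %APPDATA%
            if APPDATA_RE.search(ev['data']) and _folder(ev['data']) == _folder(ev['process']):
                alerts.append(('run_key_self_persistence', ev['data']))
        elif kind == 'file' and STARTUP_RE.search(ev['path']) and _name(ev['path']).endswith('.exe'):
            # executable dropped into the Startup folder by a process running from %APPDATA%
            if APPDATA_RE.search(ev['process']):
                alerts.append(('startup_folder_copy', ev['path']))
        elif kind == 'process' and _name(ev['image']) in ABUSED_TOOLS:
            # heuristic: a known tool and its parent both live under %APPDATA%
            # rather than in an install location
            if APPDATA_RE.search(ev['image']) and APPDATA_RE.search(ev['parent']):
                alerts.append(('legit_tool_from_appdata', ev['image']))
        elif kind == 'network' and (ev['dst_ip'], ev['dst_port']) == C2:
            alerts.append(('known_c2_connection', ev['process']))
    return alerts


if __name__ == '__main__':
    for rule, detail in triage(EVENTS):
        print('%-26s %s' % (rule, detail))
```

On the constructed events the five malicious actions produce one alert each and the two benign events produce none; the Run-key rule deliberately requires the value to point back at the writing process's own folder, which is what separates the bot's self-registration from ordinary software installers.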