An in-depth analysis of a new, emerging “.url” malware campaign – by Quick Heal Security Labs

Credit to Author: Pradeep Kulkarni| Date: Mon, 19 Mar 2018 14:19:13 +0000

Last week, we had blogged about the emergence of a new attack vector ‘.url’ which is used to spread malware. In this blog post, we will deep-dive into the attack chain of this ‘.url’ vector and elaborate on the Quant Loader malware which is actively making use of it. Let’s take a look at the below attack chain which depicts the execution sequence observed in this attack where a “.url” file is being used to spread malware. Fig 1. Attack Chain Following is the figure of process summary of the attack chain. Fig 2. Process Summary As explained above, generally “.url” contains URL (“http://” or “https://”), but in this case, we have observed SMB shares being accessed to execute a malicious JavaScript. Fig 3. .URL File accessing SMB share The above file is related to CVE-2016-3353 where an Internet Explorer mishandles ‘.url’ files from the Internet zone and allows remote attackers to bypass intended access restrictions via a crafted file. These SMB shares are publicly accessible and can be accessed without authentication. Fig 3 and 4 show public SMB share location “buyviagraoverthecounterusabb[.]net/documents/” where the malicious JavaScript files are stored. The malicious SMB share location IP address is “91.102.153.90”. Fig 4. Communication captures while SMB shares access Fig 5. JavaScript Files stored publicly The following figure shows a malicious JavaScript being delivered to the victim via SMB protocol. Fig 6. SMB request Upon opening the malicious JavaScript, it’s opening by ‘wscript.exe’ application. Fig 7. User Prompt The second stage malware is downloaded by a malicious JavaScript once the victim clicks on ‘Open’, as shown in Fig 5. This malicious JavaScript is highly obfuscated and is only used as a first stage downloader. Fig 8. Malicious JavaScript downloader The second stage malware is downloaded in ‘%TEMP%’ location by JavaScript and spawned through ‘cmd.exe’. This is a heavily obfuscated executable which gets directly executed in the memory. This malware appears to be a variant of ‘Quant Loader’ and can be used to download other malware. At the time of analysis by Quick Heal Security Labs, we did not observe malware downloaded by Quant Loader. Let’s take a look at the working of the Quant Loader malware. The Quant Loader malware checks for all of the keyboard locale of the system through “Keyboard LayoutPreload”. It exits if the locale is any amongst the Russian, Ukraine, and Kazakhstan. Fig 9. Check for the locale of the system Quant Loader makes use of the following registry key to identify the 32/64 bit configuration of the victim’s system. It then uses the same information as part of CNC request while communicating with the CnC server. HKLM SOFTWARE Microsoft Windows CurrentVersion  ProgramFilesDir (x86) It also checks for the presence of following registry entries. Fig 10. Check presence of different security products It drops a self-copy by the name ‘dwm.exe’ in ‘<Appdata ShellFolder><8DigitNumeric>’ folder and sets the same for auto execution through “Run” entry in registry. This is done to achieve persistence in the system. Fig 11. Self-copy of the malware file This 8 Digit Number is used as a Bot ID (BotId) while communicating with the CNC Server. It generates the BotId through the following steps: Read ‘HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyMachineGuid’ Extracts only digits from the value of Machine ID in occurring sequence Omit first 5 numbers and considers 8 digits from 5 onwards Fig 12. Use of MachineGuid as BotId It then changes the user access permission of 8 digit folder and ‘dwm.exe’ file to read mode for the logged-in user. This restricts the user to delete or modify the folder and ‘dwm.exe’. This is achieved by making use of a genuine CACLS windows file through the following command. cmd /c echo Y|CACLS “c:users<username>appdataroaming48378942dwm.exe” /P “<username>:R”  The Quant Loader then adds the below rule in the Firewall with the name “Quant” which allows the malware to communicate on the Internet bypassing Firewall rules. netsh advfirewall firewall add rule name=”Quant” program=”c:users<username>appdataroaming48378942dwm.exe” dir=Out action=allow It also tries to connect to the CNC domain ‘wassronledorhad[.]in’ and download other malicious files. The CNC was not responding when the analysis was carried out. However, the static analysis gives some insights into the probable CNC communication and other functionalities of Quant Loader. The…
http://blogs.quickheal.com/feed/