{"id":12055,"date":"2018-04-18T08:10:08","date_gmt":"2018-04-18T16:10:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/04\/18\/news-5824\/"},"modified":"2018-04-18T08:10:08","modified_gmt":"2018-04-18T16:10:08","slug":"news-5824","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/04\/18\/news-5824\/","title":{"rendered":"PBot: a Python-based adware"},"content":{"rendered":"<p><strong>Credit to Author: hasherezade| Date: Wed, 18 Apr 2018 15:00:00 +0000<\/strong><\/p>\n<p>Recently, we came across a Python-based sample dropped by an exploit kit. Although it arrives under the disguise of a MinerBlocker, it has nothing in common with miners. In fact, it seems to be PBot\/PythonBot: a Python-based adware.<\/p>\n<p>Apart from a <a href=\"https:\/\/forum.drweb.com\/index.php?showtopic=326467\" target=\"_blank\" rel=\"noopener\">couple of posts on forums in Russian language<\/a> and brief <a href=\"http:\/\/www.virusradar.com\/en\/Python_Adware.PBot\/detail\" target=\"_blank\" rel=\"noopener\">threat notes<\/a>, we couldn&#8217;t find any detailed publication.<\/p>\n<p>Some of its features are pretty interesting, so we decided to take a closer look. The malware performs MITB (man-in-the-browser) attacks and injects various scripts into legitimate websites. 
Its capabilities may go beyond simple injections of ads, depending on the intentions of its distributors.<\/p>\n<h3>Analyzed samples<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/#\/file\/46e84da66d1d3293b2d41859fcf0d11c588ae64016d649045c2efa03b258a581\/detection\" target=\"_blank\" rel=\"noopener\">5ffefc13a49c138ac1d454176d5a19fd<\/a> &#8211; the downloader (dropped by the EK)\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/#\/file\/366d237568f2d12e71ce6cbea1732aca267debf12b558f530fa31f6c4a546959\/detection\" target=\"_blank\" rel=\"noopener\">b508908cc44a54a841ede7214d34aff3<\/a> &#8211; malicious installer (named MinerBlocker)\n<ul>\n<li><a style=\"font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen-Sans, Ubuntu, Cantarell, 'Helvetica Neue', sans-serif\" href=\"https:\/\/www.virustotal.com\/#\/file\/22b823021d45299276285a0bbdfcc734f8ee95bb1a8c650030c9dbb4d8208fb0\/details\" target=\"_blank\" rel=\"noopener\">e5ba5f821da68331b875671b4b946b56<\/a><span style=\"font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen-Sans, Ubuntu, Cantarell, 'Helvetica Neue', sans-serif\"> &#8211; the main DLL (injected into Python.exe)<\/span>\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/#\/file\/662712a7298b32b3b64443ab85c93e5dbfb3f8c090fd85ea1f80867bcc5869ff\/detection\" target=\"_blank\" rel=\"noopener\">596dc36cd6eabd8861a6362b6b55011a<\/a> &#8211; injecteex64 (the DLL injected into browsers, 64-bit version)<\/li>\n<li><a href=\"https:\/\/www.virustotal.com\/#\/file\/8e6e908e89d7a4ce88ab065226e65c53c2f326744124d2d4e7a2b62fb6ad2483\/details\" target=\"_blank\" rel=\"noopener\">645176c6d02bdb8a18d2a6a445dd1ac3<\/a> &#8211; injecteex86 (the DLL injected into browsers, 32-bit version)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Distribution method<\/h3>\n<p>The described sample was dropped by the RIG exploit kit:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"22824\" 
data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/traffic_view-5\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/Traffic_view.png\" data-orig-size=\"804,716\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Traffic_view\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/Traffic_view-300x267.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/Traffic_view-600x534.png\" class=\"alignnone size-full wp-image-22824\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/Traffic_view.png\" alt=\"\" width=\"804\" height=\"716\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/Traffic_view.png 804w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/Traffic_view-300x267.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/Traffic_view-600x534.png 600w\" sizes=\"auto, (max-width: 804px) 100vw, 804px\" \/><\/p>\n<h3>Behavioral analysis<\/h3>\n<h4>Installation<\/h4>\n<p>The main executable, dropped by the exploit kit, is a downloader. The downloader is pretty simple and not obfuscated. 
We can see the scripts in the resources:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"22815\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/in_downloader\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/in_downloader.png\" data-orig-size=\"849,307\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"in_downloader\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/in_downloader-300x108.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/in_downloader-600x217.png\" class=\"alignnone size-full wp-image-22815\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/in_downloader.png\" alt=\"\" width=\"849\" height=\"307\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/in_downloader.png 849w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/in_downloader-300x108.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/in_downloader-600x217.png 600w\" sizes=\"auto, (max-width: 849px) 100vw, 849px\" \/><\/p>\n<p>Its role is to fetch the second installer that has all the malicious Python scripts inside. The second component is named MinerBlocker.<\/p>\n<p>The interesting thing is, if the downloaded component is run as a standalone, it behaves like a normal, legitimate installer, displaying a EULA and installation wizard. 
We can see the following information:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"22816\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/miner_blocker\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/miner_blocker.png\" data-orig-size=\"512,394\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"miner_blocker\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/miner_blocker-300x231.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/miner_blocker.png\" class=\"alignnone size-full wp-image-22816\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/miner_blocker.png\" alt=\"\" width=\"512\" height=\"394\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/miner_blocker.png 512w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/miner_blocker-300x231.png 300w\" sizes=\"auto, (max-width: 512px) 100vw, 512px\" \/><\/p>\n<p>It pretends to be a legitimate application dedicated to blocking malicious miners. 
However, we could not find any website corresponding to the mentioned product, so at the moment we suspect that it is fully made up.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"22817\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/license\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/license.png\" data-orig-size=\"511,403\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"license\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/license-300x237.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/license.png\" class=\"alignnone size-full wp-image-22817\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/license.png\" alt=\"\" width=\"511\" height=\"403\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/license.png 511w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/license-300x237.png 300w\" sizes=\"auto, (max-width: 511px) 100vw, 511px\" \/><\/p>\n<p>When the same component is run by the original downloader, the installation is fully stealthy instead. It drops the package in %APPDATA%.<\/p>\n<h4>Components<\/h4>\n<p>The dropped application consists of multiple elements. We can see a full installation of Python prepared in order to run the dropped scripts. 
The bundle also has its own uninstaller (uninstall.exe) that, once run, fully removes the package.<\/p>\n<p class=\"alignnone size-full wp-image-22818\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"22818\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/installation_dir\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/installation_dir.png\" data-orig-size=\"595,421\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"installation_dir\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/installation_dir-300x212.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/installation_dir.png\" class=\"alignnone size-full wp-image-22818\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/installation_dir.png\" alt=\"\" width=\"595\" height=\"421\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/installation_dir.png 595w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/installation_dir-300x212.png 300w\" sizes=\"auto, (max-width: 595px) 100vw, 595px\" \/><\/p>\n<p>In the directory js, as the name suggests, we can find a file with JavaScript, i.js:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"22820\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/script-10\/\" 
data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/script.png\" data-orig-size=\"615,141\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"script\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/script-300x69.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/script-600x138.png\" class=\"alignnone size-full wp-image-22820\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/script.png\" alt=\"\" width=\"615\" height=\"141\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/script.png 615w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/script-300x69.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/script-600x138.png 600w\" sizes=\"auto, (max-width: 615px) 100vw, 615px\" \/><\/p>\n<p>In configs, there are two configuration files: rules.ini and settings.ini.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"23145\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/config_files\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/config_files.png\" data-orig-size=\"260,146\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"config_files\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/config_files.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/config_files.png\" class=\"alignnone size-full wp-image-23145\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/config_files.png\" alt=\"\" width=\"260\" height=\"146\" \/><\/p>\n<p>The configuration file rules.ini specifies the path to the JavaScript and suggests that it will be injected somewhere:<\/p>\n<style>.gist table { margin-bottom: 0; }<\/style>\n<div class=\"gist-oembed\" data-gist=\"hasherezade\/df11c8590217fdcc096c57a8cc315a2d.json?file=rules.ini\"><\/div>\n<p>The file <a href=\"https:\/\/gist.github.com\/malwarezone\/b650efdd412b3b0dee8f8d68b37ff8e5#file-settings-ini\" target=\"_blank\" rel=\"noopener\">settings.ini<\/a> contains various interesting parameters. 
It contains, among others:<\/p>\n<p>1) The ports on which the service will be running, and the issuer of the used certificate:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"23151\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/ports_and_cert\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/ports_and_cert.png\" data-orig-size=\"203,243\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"ports_and_cert\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/ports_and_cert.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/ports_and_cert.png\" class=\"alignnone size-full wp-image-23151\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/ports_and_cert.png\" alt=\"\" width=\"203\" height=\"243\" \/><\/p>\n<p>2) A list of processes (browsers) that will possibly be attacked:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"23150\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/processes-6\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/processes.png\" data-orig-size=\"209,207\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"processes\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/processes.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/processes.png\" class=\"alignnone size-full wp-image-23150\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/processes.png\" alt=\"\" width=\"209\" height=\"207\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/processes.png 209w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/processes-150x150.png 150w\" sizes=\"auto, (max-width: 209px) 100vw, 209px\" \/><\/p>\n<p>3) A set of whitelisted IPs and domains. The domains are in Base64 format and, after decoding them, we can see various Russian banking sites. The full list of the decoded sites is available <a href=\"https:\/\/gist.github.com\/malwarezone\/b650efdd412b3b0dee8f8d68b37ff8e5#file-whitelisted_domains-txt\" target=\"_blank\" rel=\"noopener\">here<\/a>. 
As we later confirmed, those sites are exempted from the infection.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"23149\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/whitelisted_b64\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/whitelisted_b64.png\" data-orig-size=\"272,303\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"whitelisted_b64\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/whitelisted_b64-269x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/whitelisted_b64.png\" class=\"alignnone size-full wp-image-23149\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/whitelisted_b64.png\" alt=\"\" width=\"272\" height=\"303\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/whitelisted_b64.png 272w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/whitelisted_b64-269x300.png 269w\" sizes=\"auto, (max-width: 272px) 100vw, 272px\" \/><\/p>\n<p>Persistence is achieved by Run keys in the registry:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"22819\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/persistence-5\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/persistence.png\" data-orig-size=\"1025,227\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"persistence\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/persistence-300x66.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/persistence-600x133.png\" class=\"alignnone size-full wp-image-22819\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/persistence.png\" alt=\"\" width=\"1025\" height=\"227\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/persistence.png 1025w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/persistence-300x66.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/persistence-600x133.png 600w\" sizes=\"auto, (max-width: 1025px) 100vw, 1025px\" \/><\/p>\n<p>They lead to one of the scripts called &#8220;ml.py.&#8221; Once this script is run, it deploys another Python component: &#8220;httpfilter.py&#8221; with the dropped .ini files:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"22814\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/running_app\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/running_app.png\" data-orig-size=\"502,285\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"running_app\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/running_app-300x170.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/running_app.png\" class=\"alignnone size-full wp-image-22814\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/running_app.png\" alt=\"\" width=\"502\" height=\"285\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/running_app.png 502w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/running_app-300x170.png 300w\" sizes=\"auto, (max-width: 502px) 100vw, 502px\" \/><\/p>\n<h4>Functionality<\/h4>\n<p>If we look at the packaging, which contains an uninstaller, the application could look legitimate. However, its functionality is far from something that any user would desire to have on his\/her computer. First of all, it injects scripts into each website you visit. The injected script comes from the path specified in the configuration; however, it further loads a second stage from the remote server (captured content of the second stage available <a href=\"https:\/\/gist.github.com\/malwarezone\/b650efdd412b3b0dee8f8d68b37ff8e5#file-loaded_remote-js\" target=\"_blank\" rel=\"noopener\">here<\/a>).<\/p>\n<p>So, once it is injected, the attackers are in control of the contents displayed in our browser. 
They can inject ads, but also any other much more malicious content.<\/p>\n<p>Example of a site with the script injected by the malware that impersonates a domain belonging to Google:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"23147\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/injected_script\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/injected_script.png\" data-orig-size=\"1058,228\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"injected_script\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/injected_script-300x65.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/injected_script-600x129.png\" class=\"alignnone size-full wp-image-23147\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/injected_script.png\" alt=\"\" width=\"1058\" height=\"228\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/injected_script.png 1058w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/injected_script-300x65.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/injected_script-600x129.png 600w\" sizes=\"auto, (max-width: 1058px) 100vw, 1058px\" \/><\/p>\n<p>Compare it with the script that was in the directory js, i.js (formatted version available <a href=\"https:\/\/gist.github.com\/malwarezone\/b650efdd412b3b0dee8f8d68b37ff8e5#file-i-js\" target=\"_blank\" 
rel=\"noopener\">here<\/a>):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"23143\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/script_content\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/script_content.png\" data-orig-size=\"812,230\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"script_content\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/script_content-300x85.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/script_content-600x170.png\" class=\"alignnone size-full wp-image-23143\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/script_content.png\" alt=\"\" width=\"812\" height=\"230\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/script_content.png 812w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/script_content-300x85.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/script_content-600x170.png 600w\" sizes=\"auto, (max-width: 812px) 100vw, 812px\" \/><\/p>\n<p>Also, the malware forges certificates and performs the man-in-the-browser attack. 
The legitimate certificates on the sites with HTTPS are replaced by fake certificates issued by &#8220;The Filter&#8221; that is a malicious entity:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/certificates.png\" target=\"_blank\" rel=\"noopener\" data-rel=\"lightbox-0\" title=\"\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"22821\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/certificates-2\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/certificates.png\" data-orig-size=\"1351,657\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"certificates\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/certificates-300x146.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/certificates-600x292.png\" class=\"alignnone size-full wp-image-22821\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/certificates.png\" alt=\"\" width=\"1351\" height=\"657\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/certificates.png 1351w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/certificates-300x146.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/certificates-600x292.png 600w\" sizes=\"auto, (max-width: 1351px) 100vw, 1351px\" \/><\/a><\/p>\n<p>Looking at the sockets opened by a browser (i.e. 
by ProcessExplorer) and comparing them with the sockets opened by the Python instance, we find that they are paired together. It is an indicator that the browser communicates with the malware and works under its control.<\/p>\n<p>Example: Internet Explorer connected to a socket 24681. We can see that this socket was opened by the Python process running the malware:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/paired_with_ie.png\" target=\"_blank\" rel=\"noopener\" data-rel=\"lightbox-1\" title=\"\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"23148\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/paired_with_ie\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/paired_with_ie.png\" data-orig-size=\"996,591\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"paired_with_ie\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/paired_with_ie-300x178.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/paired_with_ie-600x356.png\" class=\"alignnone size-full wp-image-23148\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/paired_with_ie.png\" alt=\"\" width=\"996\" height=\"591\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/paired_with_ie.png 996w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/paired_with_ie-300x178.png 300w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/paired_with_ie-600x356.png 600w\" sizes=\"auto, (max-width: 996px) 100vw, 996px\" \/><\/a><\/p>\n<h3>Inside<\/h3>\n<h4>The loader (written in Python)<\/h4>\n<p>The first layer of the malware is the obfuscated Python scripts.<\/p>\n<p>As mentioned before, at the beginning, the script <a href=\"https:\/\/gist.github.com\/malwarezone\/b650efdd412b3b0dee8f8d68b37ff8e5#file-ml-py\" target=\"_blank\" rel=\"noopener\">ml.py<\/a> is run. This script is obfuscated. Its role is to run the second Python layer that is <a href=\"https:\/\/gist.github.com\/malwarezone\/b650efdd412b3b0dee8f8d68b37ff8e5#file-httpfilter-py\" target=\"_blank\" rel=\"noopener\">httpfilter.py<\/a>.<\/p>\n<p>The script <code>httpfilter.py<\/code> is supposed to decrypt a DLL stored in the file <code>httpfilter.bin<\/code>.<\/p>\n<p>Then, it injects the DLL into the Python executable. It is interesting because PE injectors written in Python are not so common.<\/p>\n<h4>The injector (DLL)<\/h4>\n<p>The DLL injected in Python (<a href=\"https:\/\/www.virustotal.com\/#\/file\/22b823021d45299276285a0bbdfcc734f8ee95bb1a8c650030c9dbb4d8208fb0\/details\" target=\"_blank\" rel=\"noopener\">e5ba5f821da68331b875671b4b946b56<\/a>) is the main component of the malware. 
This component expects to be injected into the Python executable:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"22829\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/in_python\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/in_python.png\" data-orig-size=\"370,466\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"in_python\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/in_python-238x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/in_python.png\" class=\"alignnone size-full wp-image-22829\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/in_python.png\" alt=\"\" width=\"370\" height=\"466\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/in_python.png 370w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/in_python-238x300.png 238w\" sizes=\"auto, (max-width: 370px) 100vw, 370px\" \/><\/p>\n<p>It also fetches the parameters passed to the process (settings.ini and rules.ini), so we can see that they were never meant to be parsed by the script to which they were previously passed.<\/p>\n<p>The authors left some debug strings that make the execution flow easy to follow. 
For example:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"22830\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/injector_debug\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/injector_debug.png\" data-orig-size=\"502,105\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"injector_debug\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/injector_debug-300x63.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/injector_debug.png\" class=\"alignnone size-full wp-image-22830\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/injector_debug.png\" alt=\"\" width=\"502\" height=\"105\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/injector_debug.png 502w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/injector_debug-300x63.png 300w\" sizes=\"auto, (max-width: 502px) 100vw, 502px\" \/><\/p>\n<p>This DLL is responsible for parsing the configuration and setting up the malicious proxy.<\/p>\n<p>It comes with two hardcoded DLLs: one 32-bit and one 64-bit (both stored in the overlay of the PE file and not obfuscated). 
Those DLLs are the components that are further injected into the browsers selected by the configuration. Their names are, appropriately, injectee-x86.dll and injectee-x64.dll.<\/p>\n<h4>The injectee (DLL)<\/h4>\n<p>The execution of the injectee DLL starts in its exported function, InjectorEntry:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"22823\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/implant_dll\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/implant_dll.png\" data-orig-size=\"574,366\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"implant_dll\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/implant_dll-300x191.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/implant_dll.png\" class=\"alignnone size-full wp-image-22823\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/implant_dll.png\" alt=\"\" width=\"574\" height=\"366\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/implant_dll.png 574w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/implant_dll-300x191.png 300w\" sizes=\"auto, (max-width: 574px) 100vw, 574px\" \/><\/p>\n<p>The injectee is implanted in a browser and is responsible for hooking its DLLs. 
Here&#8217;s the beginning of the hooking function:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"22825\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/hook_functions\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/hook_functions.png\" data-orig-size=\"464,534\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"hook_functions\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/hook_functions-261x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/hook_functions.png\" class=\"alignnone size-full wp-image-22825\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/hook_functions.png\" alt=\"\" width=\"464\" height=\"534\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/hook_functions.png 464w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/hook_functions-261x300.png 261w\" sizes=\"auto, (max-width: 464px) 100vw, 464px\" \/><\/p>\n<p>The hooking function is pretty standard for this type of event. 
It retrieves the addresses of the specified exported functions, then overwrites the beginning of each one, redirecting it to the corresponding function within the malicious DLL.<\/p>\n<p>The targets are functions responsible for parsing certificates (in Crypt32.dll), as well as functions responsible for sending and receiving data (in ws32_dll):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"22826\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/hook_ws32\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/hook_ws32.png\" data-orig-size=\"410,401\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"hook_ws32\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/hook_ws32-300x293.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/hook_ws32.png\" class=\"alignnone size-full wp-image-22826\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/hook_ws32.png\" alt=\"\" width=\"410\" height=\"401\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/hook_ws32.png 410w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/hook_ws32-300x293.png 300w\" sizes=\"auto, (max-width: 410px) 100vw, 410px\" \/><\/p>\n<p>When we dump the hooks via <a href=\"https:\/\/hshrzd.wordpress.com\/pe-sieve\/\" target=\"_blank\" rel=\"noopener\">PE-sieve<\/a>, we can directly see how those functions have been redirected to 
the malware. Here is the list of tags gathered from the respective DLLs:<\/p>\n<p>From Crypt32:<\/p>\n<pre>16ccf;CertGetCertificateChain-&gt;510b0;5\n1cae2;CertVerifyCertificateChainPolicy-&gt;513d0;5\n1e22b;CertFreeCertificateChain-&gt;51380;5<\/pre>\n<p>From ws32_dll:<\/p>\n<pre>3918;closesocket-&gt;50c80;5\n4406;WSASend-&gt;50d90;5\n6b0e;recv-&gt;50ea0;5\n6bdd;connect-&gt;50780;5\n6f01;send-&gt;50c90;5\n7089;WSARecv-&gt;50fa0;5\ncc3f;WSAConnect-&gt;50ab0;5\n1bfdd;WSAConnectByList-&gt;50c70;5\n1c52f;WSAConnectByNameW-&gt;50c50;5\n1c8b6;WSAConnectByNameA-&gt;50c60;5<\/pre>\n<p>In both cases, we can see that the addresses have been redirected to the injectee DLL that was loaded at the base 50000.<\/p>\n<p>So, for example, the function WSASend gets intercepted and the execution is redirected to a function at RVA 0xd90 in the injectee DLL:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"22827\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/intercepted\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/intercepted.png\" data-orig-size=\"963,244\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"intercepted\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/intercepted-300x76.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/intercepted-600x152.png\" class=\"alignnone size-full wp-image-22827\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/intercepted.png\" alt=\"\" width=\"963\" height=\"244\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/intercepted.png 963w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/intercepted-300x76.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/intercepted-600x152.png 600w\" sizes=\"auto, (max-width: 963px) 100vw, 963px\" \/><\/p>\n<p>The beginning of the intercepting function:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"22828\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/attachment\/interceptor\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/interceptor.png\" data-orig-size=\"433,335\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"interceptor\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/interceptor-300x232.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/interceptor.png\" class=\"alignnone size-full wp-image-22828\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/interceptor.png\" alt=\"\" width=\"433\" height=\"335\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/interceptor.png 433w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/03\/interceptor-300x232.png 300w\" sizes=\"auto, (max-width: 433px) 100vw, 433px\" \/><\/p>\n<p>By this way, all 
the requests are redirected to the malware. It can work as a proxy, altering data on the way.<\/p>\n<p>After the proxy function finishes, it jumps back to the original function, so the user doesn&#8217;t realize any change in the functionality.<\/p>\n<h3>Conclusion<\/h3>\n<p>This malware is pretty simple, does not contain much obfuscation and was probably not intended to be stealthy. Rather than hiding, it tries to look harmless and legitimate. However, the functionality that it delivers is powerful enough to cause serious harm. It may be configured to display harmless ads, but it could also be configured to display <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/08\/inside-kronos-malware-p2\/\" target=\"_blank\" rel=\"noopener\">phishing pop-ups, such as it was implemented in Kronos<\/a>. Also, the fact that it forges certificates of the sites should raise concerns.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/\">PBot: a Python-based adware<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: hasherezade| Date: Wed, 18 Apr 2018 15:00:00 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/' title='PBot: a Python-based adware'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/04\/animal-close-up-green-45246.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>Recently, we came across a Python-based sample dropped by an exploit kit. 
Although it arrives under the disguise of a MinerBlocker, it has nothing in common with miners. In fact, it seems to be PBot: a Python-based adware.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/malware-threat-analysis\/\" rel=\"category tag\">Malware<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/adware\/\" rel=\"tag\">adware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/pbot\/\" rel=\"tag\">PBot<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/pbot-adware\/\" rel=\"tag\">pbot adware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/python\/\" rel=\"tag\">python<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/python-based-adware\/\" rel=\"tag\">python-based adware<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/' title='PBot: a Python-based adware'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/pbot-python-based-adware\/\">PBot: a Python-based adware<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10468,3764,18141,18142,18143,18144,10494],"class_list":["post-12055","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-adware","tag-malware","tag-pbot","tag-pbot-adware","tag-python","tag-python-based-adware","tag-threat-analysis"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12055","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12055"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12055\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}