360 Security Guard · 2016/06/24 13:25

Author: 360 Skyeye Security Lab

0x00 Background

Man is doing, Heaven is watching.

PowerShell-based attacks, because of their effectiveness at bypassing existing antivirus detection, have become an increasingly widespread technique, adopted both by mass-distributed ransomware and by targeted attacks. 360 Skyeye has been monitoring such samples continuously. Since May, we have noticed a particular type of sample with two distinct characteristics:

  1. An Excel workbook stores the decoy data and a forged warning tricks the user into enabling macros; the macro code reads data from the worksheet cells, drops it to disk and executes it.

  2. A PowerShell script transfers data through DNS requests, writes the received data into a batch file (.bat) and executes it. After execution, the result is sent back the same way and the traces are deleted. This implements a remote-control function whose control channel is very well hidden.

On May 22, FireEye published an analysis of these samples and the related attacks, detailing the technical details of their implementation and describing the activity as a targeted attack on banks in the Middle East. After June, we found that new samples of the same type were being submitted.

Note that these samples have a very low detection rate on VT: only 2/56 at the time we finished this article:

Interestingly, we found that the new sample's code was almost identical to the previous one, except that some comments were removed and the C&C domain name was changed, while a special comment was added to the code, as shown in the image below.

0x01 Sample analysis


Overview

The basic information of the Trojan we obtained is as follows. It was submitted to VirusTotal on June 15, 2016.

MD5: 3e63d55f1e44a71041311c44e34baaa9

File name: final345.xls

The sample is an Excel file with an embedded macro. When the file is opened and macros are enabled, the malicious macro code drops a VBS and a PS1 script file. The VBS downloads and executes files from the server and uploads the files in a specified directory to the server. The PS1 is a malicious script that uses DNS requests to fetch data and execute remote commands.

Execution details

After opening the XLS file, you can see that the attacker has forged a warning:

The contents of the cells in row 1, columns 25 and 26 are set to be invisible, but the data can still be seen in the formula bar. If the user clicks "Enable Content", the malicious code in the macro is executed.

Macro code

The main functions of the macro code in the figure above are as follows:

  1. Reads data from the cell in row 1, column 25 (that is, [1,Y]) and writes it to %public%\Libraries\Fireeye.vbs by calling PowerShell.

  2. Reads data from the cell in row 1, column 26 (that is, [1,Z]) and writes it to %public%\Libraries\Fireeye.ps1 by calling PowerShell.

  3. Creates the directories %public%\Libraries\up, dn and tp.

  4. Adds the dropped Fireeye.vbs file to a scheduled task.

It is worth noting that the sample that appeared in May contained a second worksheet with some data intended to confuse the user, while this sample has no data in the second worksheet.

fireeye.vbs

Fireeye.vbs uses PowerShell to download files from the server to the directory %Public%\Libraries\dn, then downloads a batch file to \dn and executes it, then uploads the files in %Public%\Libraries\up to the server. Finally it deletes these files and starts Fireeye.ps1. The specific process is as follows:

  1. Downloads a file from http://update-kernal.net/update-index.aspx?req=2062203590\dwn&m=d and saves it in the %PUBLIC%\Libraries\dn\ directory; the file name is taken from the filename parameter of the Content-Disposition header in the server response.

  2. Fetches the contents of the batch file from http://update-kernal.net/update-index.aspx?req=2062203590\bat&m=d, Base64-decodes and executes them, saves the result as %PUBLIC%\Libraries\up\[RandomNumber].txt, and then renames the TXT file using the filename parameter of the Content-Disposition header in the server response.

  3. Base64-encodes the TXT file, uploads it to http://update-kernal.net/update-index.aspx?req=2062203590\UPL&m=u, and deletes the file after uploading.

  4. Runs Fireeye.ps1.

The relevant code is as follows:

fireeye.ps1

Fireeye.ps1 is a script that cleverly uses DNS requests to receive commands and transfer data. Its overall behavior is as follows:

  • Obtains an ID used to identify the victim

  • Receives 4 bytes at a time via the IP address returned by DNS resolution and writes them to a batch file

  • Executes the batch file and writes the output to a TXT file

  • Sends the TXT file to the server

  • Cleans up

The key code is as follows. Because the server resolves the A records of different subdomains to different IP addresses, one IPv4 address carries exactly 4 bytes of data, and the sample obtains the corresponding IP addresses, that is, the data, by continually querying different subdomain combinations.

The command-parsing code is as follows:

Compared with the previous sample, the subdomain-generation code has also been modified:

  • Ww00000[Base36(RandomNumber)]30.update-kernel.net: obtains the identity ID

  • Ww[id]00000[Base36(RandomNumber)]30.update-kernel.net: initiates a session

  • Ww[id]00000[Base36(RandomNumber)]232A[filename][I].update-kernel.net: receives a command

  • Ww[id][upfilename][Base36(Filelen)][filecontext].update-kernel.net: uploads a file
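A defender-side detector for the DNS channel described above (the 4-bytes-per-A-record data path and the four subdomain forms), written as an added example; it is not code from the 360 write-up or from the sample. The log format and sample lines are constructed, the label regexes are an interpretation of the patterns listed above, and the reconstruction step only rebuilds, from captured answers, what an implant would have received, for analysis.

```python
import ipaddress
import re
from collections import defaultdict
C2_ZONE = "update-kernel.net"  # zone used in the subdomain patterns above
# Label grammar from the four patterns above (base36 = [0-9a-z]); upload is a catch-all, tried last.
STAGES = [
    ("id-request", re.compile(r"^ww00000[0-9a-z]+30$")),
    ("command", re.compile(r"^ww[0-9a-z]+?00000[0-9a-z]+?232a.+$")),
    ("session", re.compile(r"^ww[0-9a-z]+?00000[0-9a-z]+30$")),
    ("upload", re.compile(r"^ww[0-9a-z.]{4,}$")),  # [id][file][len][data]
]
# Assumed log format (an assumption, not a real product format): "<ts> client=<ip> q=<name> a=<answer ip or ->".
LOG_RE = re.compile(r"client=(\S+) q=(\S+) a=(\S+)")
# Constructed sample lines, not real traffic; the answers spell out a tiny payload.
SAMPLE_LOG = [
    "2016-06-15T10:00:01 client=10.0.0.5 q=ww00000m3x30.update-kernel.net a=10.0.0.7",
    "2016-06-15T10:00:03 client=10.0.0.5 q=ww7k00000m3z232acmd0.update-kernel.net a=101.99.104.111",
    "2016-06-15T10:00:04 client=10.0.0.5 q=ww7k00000m40232acmd1.update-kernel.net a=32.104.105.10",
    "2016-06-15T10:00:05 client=10.0.0.5 q=www.example.com a=93.184.216.34",
    "2016-06-15T10:00:06 client=10.0.0.9 q=ww7k1r1x8echoq.update-kernel.net a=-",
]

def classify(qname):
    """Return the tunnel stage a query name belongs to, or None if unrelated."""
    qname = qname.lower().rstrip(".")
    if not qname.endswith("." + C2_ZONE):
        return None
    label = qname[: -len(C2_ZONE) - 1]
    for stage, rx in STAGES:
        if rx.match(label):
            return stage
    return None

def scan_log(lines):
    """Map client -> [(stage, qname, answer)] for tunnel queries only."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if m and (stage := classify(m.group(2))):
            hits[m.group(1)].append((stage, m.group(2).lower(), m.group(3)))
    return dict(hits)

def reconstruct_payload(client_hits):
    """Rebuild what the implant wrote to its .bat: 4 bytes per A record answer."""
    out = bytearray()
    for stage, _, answer in client_hits:
        if stage == "command" and answer != "-":
            out += ipaddress.IPv4Address(answer).packed
    return bytes(out)
```

Any client with an id-request followed by command-stage queries under the zone is a strong signal; the reconstructed bytes show the analyst what was delivered.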

0x03 The group behind the scenes

The C&C server no longer returns data properly, but we can still get some information from the address resolved in step 2:

The primary C&C domain name in the sample, update-kernal.net, resolved to the IP address 5.39.112.87. A query to the 360 Threat Intelligence Center found that the associated tags included "OilRig", from a report published in May by Palo Alto Networks, whose alleged target is consistent with the FireEye article. Accordingly, the entries related to the update-kernal.net domain name at the Threat Intelligence Center were tagged as OilRig.

The domain name go0gie.com, connected to the sample mentioned in PAN's report, also resolved to 5.39.112.87. Both the code and the network infrastructure involved in the sample we obtained are therefore consistent with the previously disclosed attack activity and form part of the known campaign.

0x04 IOC


Type             Value
C&C domain name  update-kernal.net

0x05 Summary

The contest between detection tools and malicious code continues. Today, with PE files under strict scrutiny, non-PE script payloads such as Office macros, VBS, PowerShell and JavaScript achieve very good detection evasion thanks to convenient encryption and obfuscation, and vendors fighting malicious code need to take further measures to counter such threats.

0x06 Reference links

  • http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/