Fareit trojan sent by mail that steals passwords from FTP services and browsers

Summary

This report presents the analysis of a variant of the Fareit family. This malware has the characteristics of a dropper, because it contains a malicious batch script that is created and executed on the infected computer, and of spyware, because it collects, without the users' consent, the account information stored by their FTP applications, browsers and email clients.


Introduction

The malware discussed in this report was sent by a colleague, who told us that the sample had been collected by a FireEye appliance at his company and that, at the time it was sent to the Malware Analysis Team of UNAM-CERT, it was detected as malicious by only a few antivirus engines.

Below are some details of the sample “ORD 119076 AAB-6674 KARAK-096.exe”:


MD5 Hash: e50372a14010dbba9260914597c615d5

SHA1: 4a52dfea387bfec400927c81280f6a84174659f1

SHA256: 3fc642a5908d7f25880290b43f795ba4cda120440743b12631df94de6f661875

Packed: No


The VirusTotal report can be found on this link.


Processes

After executing the sample, the following process tree was created:

ORD 119076 AAB-6674 KARAK-096.exe

CMD.exe

svchost.exe

cmd.exe


File System Activity

The sample creates a file with the “bat” extension and a name formed by 7 or 8 random digits in the path C:\Users\<user>\AppData\Local\Temp\. Each time the sample is executed it creates the same file but with a different name, as observed in the image below:


This file contains a loop that repeats until the file whose name is stored in %1 is deleted; %1 is the first parameter passed to the bat file on the command line. The script then tries to delete the file referenced by %0, which holds the name of the bat file itself, i.e., it attempts to delete itself.


In the following image it can be observed that cmd.exe is the process that executes the bat file, and that it passes the path of the file svchost.exe as the parameter. In other words, the script tries to delete the file C:\Windows\system32\svchost.exe and then itself, as described above.
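The launch pattern described above (cmd.exe running a Temp\<7 or 8 digits>.bat and handing it the svchost.exe path as %1) can be turned into a process-creation detection. The following Python is an added example, not part of the original report: it assumes constructed "key=value|key=value" event records and constructed sample paths, and flags only launches that match both the file-name pattern and the svchost.exe argument.

```python
import re

# Dropped script described in the report: "<7 or 8 digits>.bat" in the user's
# local Temp directory (drive letter and user name are wildcards).
TEMP_BAT_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\\d{7,8}\.bat$", re.IGNORECASE)
# A .bat path passed on a command line, quoted or not (no spaces inside).
BAT_ARG_RE = re.compile(r'"?([a-z]:\\[^"\s]+?\.bat)"?', re.IGNORECASE)

def parse_event(line):
    """Parse a constructed 'key=value|key=value' process-creation record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def is_fareit_deleter(event):
    """Flag cmd.exe running a Temp\\<digits>.bat and passing an svchost.exe path."""
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]
    if image != "cmd.exe":
        return False
    cmdline = event.get("cmdline", "")
    if not any(TEMP_BAT_RE.match(p) for p in BAT_ARG_RE.findall(cmdline)):
        return False
    # The report shows the script receiving the svchost.exe path as %1.
    return "svchost.exe" in cmdline.lower()

def find_deleter_launches(lines):
    """Return the suspicious .bat paths found in the given event lines."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_fareit_deleter(ev):
            hits.extend(p for p in BAT_ARG_RE.findall(ev["cmdline"]) if TEMP_BAT_RE.match(p))
    return hits

# Constructed sample events, not telemetry from the analysed sample.
SAMPLE_EVENTS = [
    "image=C:\\Windows\\System32\\cmd.exe|cmdline=cmd.exe /c "
    '"C:\\Users\\alice\\AppData\\Local\\Temp\\1234567.bat" "C:\\Windows\\system32\\svchost.exe"',
    "image=C:\\Windows\\System32\\cmd.exe|cmdline=cmd.exe /c "
    '"C:\\Program Files\\Vendor\\install.bat" /quiet',
    "image=C:\\Windows\\System32\\cmd.exe|cmdline=cmd.exe /c "
    '"C:\\Users\\alice\\AppData\\Local\\Temp\\build.bat" svchost.exe',
]

if __name__ == "__main__":
    print(find_deleter_launches(SAMPLE_EVENTS))
```

Only the first constructed event is reported; the second is a legitimate installer script outside Temp and the third has a Temp script whose name is not all digits.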


It also creates two temporary files in C:\Users\<user>\AppData\Local\Temp and copies the content of the first file into the second.


The trojanized process svchost.exe performs a recursive search in the directories C:\Users\<user>\AppData\Roaming\ and C:\ProgramData, looking for the FTP applications installed on the computer.


It also attempts to obtain the files that contain the passwords stored by the user for the following applications:

* E-mail

  • Windows Mail
  • Becky Internet Mail
  • PocoMail
  • Bat! Mail
  • Outlook

* Browsers

  • Bromium
  • Nichrome
  • Comodo Dragon
  • RockMelt


Windows Registry Activity

The sample creates the following registry key during its installation:


It then continues the search for installed FTP software in the registry keys.


The full list of applications searched for by this malicious program is below:

  • CuteFTP 6 Home
  • CuteFTP 6 Professional
  • CuteFTP 7 Home
  • CuteFTP 7 Professional
  • CuteFTP 8 Home
  • CuteFTP 8 Professional
  • FlashFXP 3
  • FlashFXP 4
  • FileZilla Client
  • Bullet Proof FTP
  • SmartFTP
  • TurboFTP
  • Sota FFFTP
  • CoffeeCup Software
  • FTPWare
  • FTP Explorer
  • Frigate 3
  • VanDyke Software
  • FTP Rush
  • Web Site Publisher by Brian Cryer
  • BitKinex
  • ExpanDrive
  • Classic FTP
  • Fling File Transfer
  • FTP Client
  • Directory Opus
  • LeapFTP
  • WinSCP
  • 32BitFtp
  • NetDrive
  • WebDrive
  • WISE FTP by AceBIT
  • Opera
  • FTP Server by RhinoSoft
  • LeechFTP
  • FTPGetter
  • ALFTP
  • AceFTP by Visicom Media
  • BlazeFtp
  • FTP++
  • 3D-FTP
  • NetSarang
  • Robo-FTP 3.7
  • LinasFTP
  • Cyberduck
  • Putty
  • NppFTP
  • FTPInfo
  • WinZip FTP
  • FTP Clients

Once it discovers that a program on the list is installed, it searches recursively through the subkeys, trying to obtain data such as passwords, usernames, hostnames, ports, etc.


It also looks for the path of the Mozilla Firefox executable in the value PathToExe under the subkey HKLM\SOFTWARE\Mozilla\Firefox.


The sample checks the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\ and the value DaysToGo to learn the number of days the website history must be kept before it is deleted. It also reads the browsing history in the file %systemdir%\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\index.dat.


It also searches for the Internet Explorer passwords stored by the AutoComplete function in the subkey HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2.


It also looks for the user certificates stored in C:\Users\<user>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\. The name of each file corresponds to the SHA1 hash of its certificate.


Network Activity

The sample makes GET requests to the domains ocsp.verisign.com, sf.symcd.com, sf.symcb.com and crl.verisign.com to download files with the extension “crl” (Certificate Revocation List).


According to this Microsoft TechNet site, these certificates were issued by different CAs to software developers around the world and are used by some variants of the Fareit family.


In this case, the sample carried a certificate supposedly signed by “TeamViewer”, and the countersignature, which vouches for the signature, indicated that the signer was “Symantec Time Stamping Services Signer”.


As mentioned in the previous section, this sample reads the certificates stored in C:\Users\<user>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\, possibly with the intention of copying them and sending them to its C&C (Command and Control) server to validate new Fareit variants.


Command & Control

The malicious sample attempts to contact its C&C to send the collected data through a POST request to the URL onxxxxxxember.3eeweb.com.


The following image shows the connection established by the infected system to the IP address of the C&C server on port 80.


Static Analysis

The sample only imports the function _CorExeMain from the library MSCorEE.dll (Microsoft Component Execution Engine runtime object). In a .NET executable, the native entry point transfers control to _CorExeMain which, after loading the CLR (Common Language Runtime), walks the program’s metadata and executes the managed entry point.


After decompiling the sample with dotPeek, it was observed that the sample had been obfuscated with complex names for its variables and functions in order to hinder analysis.