Infection campaign by the downloader Upatre and the Trojan Dyre through emails

Abstract

In this report we present the analysis of a variant of Upatre, a trojan downloader whose primary function is to download other files from remote servers, such as a sample from the Dyre family. These variants are distributed through spam emails with attachments.

Introduction

In recent days we have received several emails, both in English and Spanish, in which the user is asked to download an attachment with a “zip” extension. The content of the messages varies; however, the following subjects were observed:

- Received payments
- Safe or “encrypted” messages
- Information update
- Received faxes

The email in which the analyzed sample was sent can be seen in the image above.

Once the user downloads and decompresses the attachment, it can be observed that the sample has an icon similar to the one used for PDF files and an “exe” or “scr” extension.

Below is the detailed analysis of “details.exe”, which came as an attachment in the email shown in the first image.

Its properties indicate that the version of the executable is 1.0.5.2 and that its language is Polish, although this does not necessarily give clues about the sample’s origin. The MD5 hash of the malicious executable is 9d1d9c866ee1c3d4124980dc772a64eb, and the VirusTotal report can be consulted at this link.

The string analysis with BinText showed the following lines, which seem to be a message from the sample’s developer.

Some resources, such as a dialog window with a fragment of the story “Eveline” by James Joyce, were also found using Resource Hacker.

Resource Hacker also revealed details of the executable that cannot be seen in the file’s properties, such as the sample’s original name.

Network Activity

The sample constantly checks for network connectivity by making requests to websites such as google.com and checkip.dyndns.org, the latter of which returns the public IP address of the computer. If it obtains a response from “checkip.dyndns.org”, it sends a GET request containing the name of the infected computer to 94.41.208.125, the IP address of its C&C. The string “0902uk12” is the campaign ID; in this case it refers to the ninth campaign in the UK, as mentioned in these reports: [1] [2].

This IP address is of Russian origin and, as shown in this VirusTotal report, is related to malicious activity by other variants of the Upatre family.

Downloaded Files

Subsequently, it attempts to download the file “arrowb.jpg” from the domains sxxxphael.org.uk and canxxxake.com.mx. The file command reports “arrowb.jpg” as type data and, as shown in the image below, it does not contain a file signature or magic number.

The IP addresses of the mentioned domains are shown below:

65.xx.205.xx    canxxxake.com.mx
91.xx.216.xx    sxxxphael.org.uk

C&C Server

Once this file is downloaded, the sample sends another GET request to its C&C. The User-Agent “Malzilla/5.0” is another indicator of an Upatre infection, so this string can be used to create IPS rules.
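As an added example (not part of the original report), the following Python script applies the network indicators from the last three sections to constructed proxy log lines. The C&C IP, the campaign ID, the “Malzilla/5.0” User-Agent and the payload file names are taken from the report; the log format, the client addresses and the beacon URL layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy log (not captured from the report's lab), one request per line:
# "<client> <method> <host> <path> <user-agent>". The beacon path layout is an
# assumption; the C&C IP, campaign ID, User-Agent and file names come from the report.
SAMPLE_LOG = """\
10.0.0.5 GET checkip.dyndns.org / Mozilla/4.0
10.0.0.5 GET 94.41.208.125 /0902uk12/LAB-PC/0/ Mozilla/4.0
10.0.0.5 GET canxxxake.com.mx /arrowb.jpg Mozilla/4.0
10.0.0.5 GET 94.41.208.125 /0902uk12/LAB-PC/1/ Malzilla/5.0
10.0.0.7 GET www.google.com / Mozilla/5.0
10.0.0.7 GET checkip.dyndns.org / Mozilla/5.0
"""

C2_IPS = {"94.41.208.125"}
CAMPAIGN_IDS = {"0902uk12"}
IP_CHECK_HOSTS = {"checkip.dyndns.org", "icanhazip.com"}
PAYLOAD_NAME = re.compile(r"/(arrowb\.jpg|ml1from\d\.tar)$")
WEAK = {"public_ip_lookup"}   # legitimate software performs this lookup too

def classify(host, path, agent):
    """Return the set of Upatre indicators matched by a single HTTP request."""
    hits = set()
    if agent == "Malzilla/5.0":
        hits.add("malzilla_user_agent")
    if host in C2_IPS:
        hits.add("known_c2_ip")
    if any(cid in path for cid in CAMPAIGN_IDS):
        hits.add("campaign_id_in_path")
    if PAYLOAD_NAME.search(path):
        hits.add("payload_download")
    if host in IP_CHECK_HOSTS:
        hits.add("public_ip_lookup")
    return hits

def scan_log(text):
    """Aggregate indicators per client and keep only clients with at least one
    strong (non-weak) indicator, so a lone public-IP lookup does not alert."""
    per_client = defaultdict(set)
    for line in text.splitlines():
        client, _method, host, path, agent = line.split(maxsplit=4)
        per_client[client] |= classify(host, path, agent)
    return {c: sorted(h) for c, h in per_client.items() if h - WEAK}

if __name__ == "__main__":
    for client, hits in scan_log(SAMPLE_LOG).items():
        print(client, hits)
```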

STUN (Session Traversal Utilities for NAT) servers

Afterwards, it starts making STUN (Session Traversal Utilities for NAT) requests. STUN is a network protocol that helps a host on an internal network behind NAT determine its public IP address. If the STUN requests do not return the expected reply, the sample attempts to obtain the public IP address through icanhazip.com, as shown in the image below:

If it does not receive an answer from a STUN server, the sample tries others. Some of the STUN servers observed in the network traffic, which are not displayed in the image below, are the following:

- S2.taraba.net
- numb.viagenie.ca
- stun.sipgate.net
- stun.iptel.org
- stun.phonepower.com
- stun.2talk.co.nz

A STUN server was enabled in the lab to observe the behavior of the sample once it receives a reply to its requests.

The domain “vovida.org” belongs to another STUN server. As shown in the image below, the infected computer sends UDP requests of type “Binding” to the server vovida.org to determine its own public IP address. The details of the request sent from the infected computer to the STUN server can be seen in the following picture.
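The STUN exchange described in this section, as an added example that is not part of the original report: a minimal parser for the 20-byte STUN header (RFC 5389, with the older cookie-less RFC 3489 layout recognised as well) and a check that flags a host sending Binding requests to several distinct STUN servers in a row, the fallback behaviour described above. The packets and client addresses are constructed; the server names are the ones listed in the report.

```python
import struct
from collections import defaultdict

MAGIC_COOKIE = 0x2112A442   # fixed value in every RFC 5389 STUN header
BINDING_REQUEST = 0x0001

def parse_stun_header(payload):
    """Parse a STUN header; return a dict, or None if the datagram is not STUN."""
    if len(payload) < 20:
        return None
    msg_type, length, first_word = struct.unpack("!HHI", payload[:8])
    if msg_type & 0xC000:              # top two bits are always zero in STUN
        return None
    if length != len(payload) - 20:    # declared body length must match the datagram
        return None
    rfc5389 = first_word == MAGIC_COOKIE
    return {"type": msg_type, "length": length, "rfc5389": rfc5389,
            # RFC 3489 has no cookie: its transaction ID is the full 16 bytes
            "transaction_id": payload[8:20] if rfc5389 else payload[4:20]}

def binding_request(transaction_id, classic=False):
    """Build an empty Binding Request (constructed test traffic, not a real capture)."""
    if classic:                        # RFC 3489 layout, 16-byte transaction ID
        return struct.pack("!HH", BINDING_REQUEST, 0) + transaction_id
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + transaction_id

def stun_server_fanout(packets, threshold=3):
    """packets: iterable of (src_ip, dst_host, udp_payload). Return the sources that
    sent Binding Requests to at least `threshold` distinct servers, with those servers."""
    servers = defaultdict(set)
    for src, dst, payload in packets:
        hdr = parse_stun_header(payload)
        if hdr and hdr["type"] == BINDING_REQUEST:
            servers[src].add(dst)
    return {s: sorted(d) for s, d in servers.items() if len(d) >= threshold}

# Constructed packets: 10.0.0.5 cycles through servers as the sample did,
# 10.0.0.7 performs a single lookup and also sends one non-STUN datagram.
SAMPLE_PACKETS = [
    ("10.0.0.5", "S2.taraba.net",    binding_request(b"A" * 12)),
    ("10.0.0.5", "numb.viagenie.ca", binding_request(b"B" * 12)),
    ("10.0.0.5", "stun.sipgate.net", binding_request(b"C" * 12)),
    ("10.0.0.5", "vovida.org",       binding_request(b"D" * 16, classic=True)),
    ("10.0.0.7", "stun.sipgate.net", binding_request(b"E" * 12)),
    ("10.0.0.7", "stun.sipgate.net", b"not a STUN datagram at all"),
]

if __name__ == "__main__":
    print(stun_server_fanout(SAMPLE_PACKETS))
```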

Use of the I2P (Invisible Internet Project) anonymous network

There were also requests to addresses on the I2P network, which, similarly to Tor, provides anonymity to the malicious server and hinders its detection. However, accessing an I2P address requires having the I2P service installed.

Other Downloaded Files

In the captured network traffic there was a GET request to download the file ml1from1.tar from the website tdyxxx.com.

After checking the website, the files ml1from1.tar and ml1from2.tar were found.

ml1from1.tar    414f51cfa7a773fcc0e71bcf4a886c99
ml1from2.tar    1a4f795ee3fe1bf5f6fc51b7a7f3e368

File System Activity

When the sample was executed, it created a copy of “details.exe” in C:\Users\<user>\AppData\Local\Temp\ with the name “planeris.exe”. After execution, the process deleted the original file. RegShot’s report indicated that the following files were also created.

Their MD5 hashes are shown below:

arrowb[1].jpg    3385c28c67450ee85a99a853d7f3a672
sep6547.jpg      3385c28c67450ee85a99a853d7f3a672
CvCLfXqT.exe     a8e5daab6fcefcdca82e03418d438394

A file called D4B7.tmp was created in C:\Windows; this is actually an executable, and its name is randomly generated.

D5B7.tmp    b7d0e5130c130b40b5c5695d782c4b15

The files sep6547.tmp and planeris.exe were created by the process details.exe. Shortly afterwards, the process planeris.exe was created, while details.exe terminated and its executable was deleted from the system. The file stored in C:\Windows was created by the sample generated in C:\Users\<user>\AppData\Local\Temp. Once this new copy was executed, it deleted the program that created it, that is, the file in the user’s %temp% folder.

Every time the user executes the file “details.exe”, more malicious executables with random names are generated in C:\Windows.

Persistence

Once the sample has downloaded all the necessary files, a process called “Google Update Service” is created.

This process was created by the randomly named executable stored in C:\Windows.

The persistence method consists of creating the registry keys needed to make the malicious executable appear as a legitimate service, so that the system runs it at startup. The key HKLM\SYSTEM\CurrentControlSet\Services contains a subkey for each of the services installed on the computer.

In this case, the type “Own Process” indicates that the service runs in its own process, which means it does not share an executable file with other services. The field “Start Type” indicates that the system starts the service automatically, even if no user logs in, rather than on demand.

The key HKLM\SYSTEM\ControlSet001\Services contains a copy of the services database stored in HKLM\SYSTEM\CurrentControlSet\Services with the last known good configuration, so that if a change to the active services database causes the system to fail at startup, this copy is restored.
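To turn this section’s registry observations into a check, here is an added example (not code from the report) that triages service entries shaped like the values under HKLM\SYSTEM\CurrentControlSet\Services\<name>: Type 0x10 is SERVICE_WIN32_OWN_PROCESS and Start 2 is SERVICE_AUTO_START, matching the “Own Process” and automatic start seen here. The three service records, the key name placeholder_svc for the malicious entry, and the legitimate Google Update path are constructed for illustration.

```python
import re

SERVICE_WIN32_OWN_PROCESS = 0x10   # "Own Process" in the Type value
SERVICE_AUTO_START = 2             # automatic Start, no logon required
RANDOM_TMP = re.compile(r"^[0-9A-F]{4}\.tmp$", re.I)   # e.g. D4B7.tmp

# Constructed records (not exported from the report's lab machine). The key name of
# the malicious service is a placeholder; its display name and path follow the report.
SAMPLE_SERVICES = [
    {"name": "placeholder_svc", "DisplayName": "Google Update Service",
     "ImagePath": r"C:\Windows\D4B7.tmp", "Type": 0x10, "Start": 2},
    {"name": "gupdate", "DisplayName": "Google Update Service (gupdate)",
     "ImagePath": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc',
     "Type": 0x10, "Start": 2},
    {"name": "Spooler", "DisplayName": "Print Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "Type": 0x110, "Start": 2},
]

def binary_path(image_path):
    """Strip arguments from ImagePath, honouring a quoted executable path."""
    m = re.match(r'"([^"]+)"|(\S+)', image_path.strip())
    return (m.group(1) or m.group(2)) if m else image_path

def triage(svc):
    """Return the reasons a service entry resembles this persistence technique."""
    reasons = []
    exe = binary_path(svc["ImagePath"])
    folder, _, fname = exe.rpartition("\\")
    if folder.lower() == r"c:\windows":          # binary dropped directly in C:\Windows
        reasons.append("binary_in_windows_root")
    if RANDOM_TMP.match(fname):
        reasons.append("random_tmp_name")
    if not fname.lower().endswith(".exe"):
        reasons.append("non_exe_image")
    spoofed = "google update" in svc.get("DisplayName", "").lower()
    if spoofed and "\\google\\update\\" not in exe.lower():
        reasons.append("display_name_spoof")
    auto_own = (svc["Type"] & SERVICE_WIN32_OWN_PROCESS) and svc["Start"] == SERVICE_AUTO_START
    if reasons and auto_own:                     # only meaningful alongside other signs
        reasons.append("auto_start_own_process")
    return reasons

def suspicious_services(services):
    """Names of the service keys that triage() flags for at least one reason."""
    return [s["name"] for s in services if triage(s)]
```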

The second time this sample was executed, a message appeared saying that the “Google Update Service” had been deleted.

Additional Details

During the execution of the process planeris.exe, the memory used by the process was dumped to obtain additional information about the sample. Among the strings obtained from the memory dump there were several that referenced antivirus software, such as ESET, AVG, Avira and Malwarebytes.

There was also a long list of URLs, some of which are shown below.