From Fake to Subtle

 After seeing so many fake antivirus programs lately, it is interesting to take a look at other types of threats.  Yesterday, we received an example of malware that tries to be very subtle about its installation process.  The malware spreads through email.  After infecting a computer, it will monitor the mailbox of its victim and send an automatic response to incoming mails, sending a copy of itself.  This propagation scheme is slower than the common practice of sending a copy of the malware to every entry in an address book.  On the other hand, it is more effective in terms of social engineering since new victims are expecting an answer from their counter parts. W32 Navidad did something rather similar at the beginning of this decade: it mailed itself out in response to messages that included a single attachment, presumably on the grounds that victims would not be surprised to receive an attachment back.

The second characteristic of this malware that makes it hard to identify for a user is that it comes with a RTF document that will be written to disk and viewed in the default reader when the victim double clicks on the malware.  The effect of this strategy is that a user thinks he just opened a document and doesn’t notice that a malware has installed itself on the system at the same time. 

Lets take a close look at the infection process.  The following code was found in the first stage dropper that extract the RTF document from its own image by using calls to FindResourceA and LoadResourceA.

 

PUSH 0F3

PUSH Hinweis.004002A8                    ; ASCII "112"

PUSH 0

CALL DWORD PTR DS:[400298]               ; kernel32.FindResourceA

MOV DWORD PTR SS:[EBP-4],EAX

MOV EAX,DWORD PTR SS:[EBP-4]

PUSH EAX                                 ; Loads the RTF file from the executable

PUSH 0                                   ; That is loaded in memory

CALL DWORD PTR DS:[400294]               ; kernel32.LoadResource

 

Once the content of the RTF file is loaded, it is written to disk and opened with the default reader by using the command "open" from a standard shell command:

 

CALL Hinweis.WriteRTFToDisk

ADD ESP,0C

PUSH 1

PUSH 0

PUSH 0

LEA EDX,DWORD PTR SS:[EBP-104]           ; Path to dropped RTF File

PUSH EDX                                 ; Parameter to the open command

PUSH Hinweis.004002AC                    ; ASCII "open"

PUSH 0

CALL DWORD PTR DS:[4002A0]               ; SHELL32.ShellExecuteA

 

The content of the RTF file is a text in German explaining that "Due to several complaints, your email has been blocked for the next 24 hours."  This is very convincing to an unsuspecting user!

The second file that is dropped to disk while the RTF is displayed to the user is named win.exe and is written to the %system32% folder.  This file is the real payload and is detected as Win32/AutoRun.FakeAlert.AI by ESET NOD32 Antivirus.  It communicates with a host located in Russia using the HTTP protocol for command and control.

One last interesting note about this malware is its packer.  It is a good example of a decoding routine that also has anti emulation:

 

PUSH EAX

PUSH ECX                                 ; Useless call to

CALL DWORD PTR DS:[<&user32.GetFocus>]   ; [GetFocus

MOV EDX,EAX

POP ECX                                  ; Restore register value

POP EAX                                  ; Restore register value

XOR BYTE PTR DS:[EDI],AL                 ; First decoding of one byte

SUB AL,4

PUSH EDX

PUSH EAX

PUSH ECX                                 ; Useless call to

CALL DWORD PTR DS:[<&user32.GetFocus>]   ; [GetFocus

POP ECX                                  ; Restore register value

POP EAX                                  ; Restore register value

POP EDX

ADD BYTE PTR DS:[EDI],DL                 ; Second decoding operation

DEC EDI                                  ; on the same byte

LOOPD SHORT win.00402080                 ; Jump to the beginning of the loop

 

The purpose of the anti emulation trick is to take as much time as possible to force an emulator to exit before the malware completely reveals itself in memory.  In this case, the decoding routine calls the user32.GetFocus function twice for every byte that is decoded.  These operations are performed more than 23000 times, something that is acceptable for a program on a normal system but way too long for an emulator that needs to keep the analysis time to a minimum.

More information on this wave of malware can be found at the following page (in German): http://www.heise.de/newsticker/Trojaner-Mails-drohen-mit-E-Mail-Sperrung-Update–/meldung/119713

 

Pierre-Marc Bureau

Researcher

Author Pierre-Marc Bureau, ESET

Follow us

Copyright © 2016 ESET, All Rights Reserved.