Malicious emails invite users to download malware

In recent days a fraudulent email purporting to come from SAT (Servicio de Administración Tributaria) has been circulating. Through deception it invites users to download a file that supposedly contains instructions for avoiding sanctions over alleged anomalies in the company's tax situation.

It was reported that this email was sent only to small Mexican companies.

Clicking on the link Verindicaciones opens a page outside the Secretaría de Hacienda: although the URL contains the initials of the Secretaría de Hacienda (SHCP), the site is hosted in Spain.

Visiting that link prompts the download of a file called exp_235297512.scr which, once saved on the computer, displays an icon identical to that of the Microsoft Word application.

The captured traffic was the following:
The sample is recognized by 22 antivirus engines as a Downloader.
Its hashes are the following:
The sample starts its execution by modifying the following registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CacheLimit
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CacheLimit
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CacheLimit
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet

It then downloads an HTML file from the Internet and stores it in the Temporary Internet Files directory:

C:\Documents and Settings\[Usuario]\Configuración local\Archivos temporales de Internet\Content.IE5\07W9UVAL\archivo[1].htm

It also creates a file in the temporary directory, C:\Documents and Settings\[Usuario]\Configuración local\Temp\hiphelp.exe. The exp_235297512 process opens UDP port 1067 and remains listening.

The exp_235297512.scr process executes hiphelp.exe, which stays resident in memory:
C:\Documents and Settings\[Usuario]\Configuración local\Temp\hiphelp.exe
Then the exp_235297512.scr process terminates and is replaced by hiphelp.exe and reg.exe; hiphelp.exe issues an HTTP request to an external site, generating DNS traffic for that site.
After that, it downloads a gzip file.
The hiphelp.exe file is recognized by 17 antivirus engines.
Its hashes are the following:
The downloaded gzip file contains an HTML document, which is saved in the Temporary Internet Files directory. The document carries the tags expected of an HTML document; what is unusual is that a textarea tag holds a string of numbers and letters, apparently a key.
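
As an added illustration (not code from the original analysis), the following Python snippet shows how an analyst could pull such a key out of the gzip-wrapped HTML: it decompresses the body, reads every textarea and keeps only values that look like an opaque alphanumeric token. The HTML sample is constructed, not the real downloaded document.

```python
import gzip
import re

# Constructed stand-in for the downloaded document: ordinary HTML with one
# textarea holding an alphanumeric token (not the real file from the sample).
SAMPLE_HTML = b"""<html><head><title>archivo</title></head>
<body><p>Hola</p>
<textarea name="k">a9F3kQ71zT0bL2x</textarea>
<textarea>short</textarea>
</body></html>"""
SAMPLE_GZ = gzip.compress(SAMPLE_HTML)

TEXTAREA_RE = re.compile(r"<textarea[^>]*>(.*?)</textarea>", re.IGNORECASE | re.DOTALL)


def extract_textarea_keys(body, min_len=12):
    """Return textarea contents that look like opaque keys.

    body may be the raw gzip response or already-decompressed HTML; a gzip
    body is recognised by its 1f 8b magic. A value counts as a key when it is
    purely alphanumeric, mixes letters and digits and is at least min_len long.
    """
    if body[:2] == b"\x1f\x8b":
        body = gzip.decompress(body)
    html = body.decode("utf-8", errors="replace")
    keys = []
    for content in TEXTAREA_RE.findall(html):
        value = content.strip()
        if (len(value) >= min_len and value.isalnum()
                and any(c.isdigit() for c in value)
                and any(c.isalpha() for c in value)):
            keys.append(value)
    return keys
```
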
The hiphelp.exe process remains in memory with a UDP port listening.
Another file created by exp_235297512.scr is reg.exe, which is saved in the temporary directory alongside hiphelp.exe. The reg.exe process performs the registry modification that guarantees hiphelp.exe runs at every system startup:
SetValueKey C:\Documents and Settings\[Usuario]\Configuración local\Temp\reg.exe -> 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ayuda
SetValueKey C:\Documents and Settings\Administrador\Configuración local\Temp\hiphelp.exe -> 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
SetValueKey C:\Documents and Settings\Administrador\Configuración local\Temp\hiphelp.exe -> 
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
SetValueKey C:\Documents and Settings\Administrador\Configuración local\Temp\hiphelp.exe -> 
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy
SetValueKey C:\Documents and Settings\Administrador\Configuración local\Temp\hiphelp.exe -> 
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable 
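
As an added example (not part of the original analysis), a small Python parser for the two-line SetValueKey trace format above that flags the two write patterns this sample shows: a Temp-resident binary adding a Run-key entry, and a Temp-resident binary changing proxy values. The trace below is constructed; the iexplore.exe line is an invented benign control.

```python
import re

# Constructed sandbox trace in the two-line "SetValueKey <process> ->" / "<key>"
# form shown above. The iexplore.exe event is a benign control for contrast.
SAMPLE_TRACE = r"""SetValueKey C:\Documents and Settings\Administrador\Configuración local\Temp\reg.exe ->
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ayuda
SetValueKey C:\Program Files\Internet Explorer\iexplore.exe ->
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
SetValueKey C:\Documents and Settings\Administrador\Configuración local\Temp\hiphelp.exe ->
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
"""

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
PROXY_VALUES = ("ProxyEnable", "ProxyServer", "AutoConfigURL", "MigrateProxy")
TEMP_DIR_RE = re.compile(
    r"\\(Temp|Temporary Internet Files|Archivos temporales de Internet)\\", re.IGNORECASE)


def parse_trace(text):
    """Return (process_path, registry_key) pairs from the two-line SetValueKey form."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("SetValueKey ") and line.endswith("->") and i + 1 < len(lines):
            events.append((line[len("SetValueKey "):-2].strip(), lines[i + 1]))
            i += 2
        else:
            i += 1
    return events


def suspicious_events(text):
    """Flag registry writes a defender cares about: a binary running from a Temp
    directory that adds a Run-key entry (persistence) or changes proxy settings
    (traffic interception). Returns (reason, process, key) tuples."""
    hits = []
    for proc, key in parse_trace(text):
        if not TEMP_DIR_RE.search(proc):
            continue
        if RUN_KEY_RE.search(key):
            hits.append(("run_key_persistence", proc, key))
        elif key.rsplit("\\", 1)[-1] in PROXY_VALUES:
            hits.append(("proxy_change", proc, key))
    return hits
```
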

This file is recognized by 11 antivirus engines.

Its hashes are the following:
We monitored this sample for an entire day, but it did not perform any other malicious behavior. However, users reported being asked for unusual additional information, so we conducted a deeper analysis by debugging hiphelp.exe while it remained in memory.

In a string analysis we found strings suggesting that the process monitors the web browser and captures and sends information.

Moreover, while debugging we could see several instances of a possible sshd service being executed via a timer.
We monitored the hiphelp.exe process and the traffic generated by the computer, but again it did not issue any request to external sites; the process remains at memory address 7C91E4F2.
We can say that this malware probably injects HTML code into the affected bank's page and then, at a time chosen by the attacker, sends the captured information over SSH to the attacker's site, using the key downloaded in the textarea tag of the HTML file.

That is why we saw references to sshd in the hiphelp code; it was also possible to see some timers inside the code.