Friday, May 27, 2016

What have H1N1 Loader, TreasureHunter and Jolly Roger Stealer in common?

Sometimes, when analysing a malware sample, you think: "Wait a minute, I have seen this before." While it is already known that the author of Jolly Roger Stealer is also behind TreasureHunter, this person also wrote H1N1 Loader. When you look at the disassembly of Jolly Roger Stealer and H1N1 Loader, it becomes clear that it is the same coding style. Both malware families also use the same techniques: string obfuscation, API function hashing, shellcode, and patching Windows files to bypass UAC.

Comparison of Jolly Roger Stealer and H1N1 Loader (v2)

Jolly Roger Stealer comes in the form of a Visual Basic executable with the encrypted payload in the resource section. Interestingly, the decryption algorithm uses the PXOR instruction (MMX) along with the registers MM0 and MM1.

Figure 1: Decryption algorithm of Jolly Roger Stealer

Once decrypted into memory, it in turn decrypts the final payload from its .data section and stores it in the Windows registry. Moreover, it creates a process of either svchost.exe or wuauclt.exe and patches its entry point with a shellcode. This shellcode then loads the final payload from the registry into memory, unpacks it (Upack) and executes it.

H1N1 Loader comes in the form of an executable with no imports. It carries the encrypted and Upack-compressed payload in the .text section. To bypass UAC it uses a modified version of the Wusa.exe method, which also includes patching a Windows file with a shellcode.

A comparison of both malware can be seen in the following flowchart:

Figure 2: Comparison of the functionalities of Jolly Roger Stealer and H1N1 Loader

As you can see, the final payload is always a DLL file compressed with Upack. Patching the entry point of Windows system files seems to be the author's preferred method to bypass UAC. The final payload of Jolly Roger Stealer uses neither string obfuscation nor API function hashing. One could think that it was merely encrypted with a crypter written by the H1N1 Loader author. However, I think it's more likely that both malware families were written by the same person, since the advertisements also share some similarities. Moreover, I have neither seen nor read about any crypter which uses the described techniques.

As mentioned above, both malware use the same method to obfuscate sensitive strings:

Figure 3: Comparison of the string obfuscation techniques

And the almost identical hashing algorithm for API functions and library names:

Figure 4: Comparison of the hashing algorithms
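The post shows the hash routine only in Figure 4, so the following is an added example (not the author's code and not the samples' real algorithm) of the analyst-side workflow that such hashing calls for: precompute a hash-to-name table from candidate export and module names, label hash constants taken from the disassembly, and scan a carved blob for known constants. The ROR-13-and-add hash is an assumed stand-in for whatever the samples actually use; the name list and the byte blob are constructed for the demonstration.

```python
import struct

def ror32(value, count):
    """Rotate a 32-bit value right by `count` bits."""
    value &= 0xFFFFFFFF
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF

def ror13_hash(name):
    """Hypothetical stand-in for the samples' API hash (assumption: the post shows
    the real routine only in a figure). ROR-13-and-add over the ASCII bytes of a name."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h

# Constructed candidate list: ordinary Win32 module and export names. In practice
# you would dump the export tables of the DLLs of interest and feed all names in.
SAMPLE_NAMES = [
    "KERNEL32.DLL", "ADVAPI32.DLL", "NTDLL.DLL",
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateProcessA",
    "WriteProcessMemory", "RegSetValueExA", "RegQueryValueExA",
]

def build_hash_table(names, hash_fn=ror13_hash):
    """Precompute hash -> name so hashed imports can be labelled without executing
    the sample. A collision between two different names is reported, not hidden."""
    table = {}
    for name in names:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]!r} vs {name!r} ({h:#010x})")
        table[h] = name
    return table

def resolve(hash_values, table):
    """Label a list of hash constants pulled from the disassembly."""
    return {h: table.get(h, "<unknown>") for h in hash_values}

def find_known_hashes(blob, table):
    """Scan raw bytes (e.g. a carved shellcode) for little-endian dwords that match a
    known hash at any byte offset; returns (offset, name) pairs."""
    hits = []
    for off in range(len(blob) - 3):
        (dword,) = struct.unpack_from("<I", blob, off)
        if dword in table:
            hits.append((off, table[dword]))
    return hits

def demo():
    table = build_hash_table(SAMPLE_NAMES)
    # Constructed blob: two NOPs, a hash constant, an INT3, a second hash constant.
    blob = (b"\x90\x90" + struct.pack("<I", ror13_hash("LoadLibraryA"))
            + b"\xcc" + struct.pack("<I", ror13_hash("GetProcAddress")))
    return find_known_hashes(blob, table)

if __name__ == "__main__":
    for off, name in demo():
        print(f"offset {off:#06x}: {name}")
```

Swap `ror13_hash` for the routine recovered from the disassembly and widen `SAMPLE_NAMES` to full export tables; the table then doubles as a fingerprint, since two samples that share the hash routine will resolve the same constants to the same names.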

Conclusion

Sometimes it happens that you can connect the dots between several malware families. My theory is that the author first released Jolly Roger Stealer at the end of 2013, but dropped the project for some reason. He went on with TreasureHunter, which first appeared around one year after the first Jolly Roger Stealer samples were seen. Later, he started to write H1N1 Loader, which is based on his former project Jolly Roger Stealer.

Hashes (SHA-256)

Jolly Roger Stealer: c0b4f9060a9d02904a279db05292cafa360f91b9350742354987b55acebfec0d
H1N1 Loader (v2): 7b49fcc3c8d77e1da69fb36c747028855ce187cf60073caeb199a5b49fadf9cb

Monday, May 23, 2016

Geographical distribution of Furtim malware infections

One month ago, someone posted a malware sample on the Kernelmode forum that uses a huge blacklist of security-related programs. If one of these programs is found on the victim's system, the malware stops execution. This is probably the reason why this malware stayed undetected for quite some time. A description and an analysis of this threat, called Furtim, can be found here:
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4341
http://breakingmalware.com/malware/furtim-malware-avoids-mass-infection/

Due to a misconfigured C&C server which allowed a public directory listing, I was able to obtain over 1 GB of data from the victims. With this information, I can draw the geographical distribution of victims and present the top countries of infection.

The data

The C&C server contained several directories with text files named after the IP address of the victim. The earliest file dates back to 24 February 2016, so according to this data the malware stayed undetected for 2 months. Each file contains the following information:

- The CPU model
- A list of system drivers with path names
- The network interfaces
- A list of processes along with the modules and their path names
- A list of installed programs
- A list of programs in the registry Run key
- A list of running Windows services with path names

It looks like the operators run different campaigns to spread their malware, because there are several directories which contain files with different creation dates. For example, there is a directory named "1" which contains only victim data files created on 24 February 2016. Another folder named "2" contains only files created on 24, 25 and 26 February 2016, and so on.

Infection statistics

I assume the malware sends the information about a victim only once to the C&C server. Otherwise, you would have a ton of duplicate files from the same victim which would only differ in the volatile information (e.g. the process list). Based on this assumption, we have a total of 15060 infected hosts during the period from 24 February to 26 April 2016.

The geographical distribution of the victims is presented in the following map:

Figure 1: Geolocation of Furtim infections

The markers on the map are based on the GeoLite databases, which give only an imprecise geolocation of IP addresses. For example, if multiple IP addresses are located in and around a city, the geolocation yields the same coordinates for all of them. A lot of duplicate geolocations were therefore removed, so not all of the 15060 victims are present on the map. However, the map should give a good overview of the distribution of victims.
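The counting described in "The data" and "Infection statistics", plus the marker deduplication just mentioned, can be reproduced over a dump with this layout. The following Python is an added example and not the author's script: it walks campaign directories, keeps only files whose names parse as IP addresses, counts unique victims overall and per campaign, derives the first/last file date from file timestamps, ranks countries, and collapses duplicate coordinates. The GeoLite lookup is replaced by a constructed dictionary (`FAKE_GEO`) so the example runs offline, and `build_sample_dump` creates a small constructed directory tree with one duplicate victim and one junk file.

```python
import ipaddress
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Constructed stand-in for a GeoIP lookup: ip -> (country, latitude, longitude).
# The post used the GeoLite databases, which need a local database file.
FAKE_GEO = {
    "203.0.113.5":  ("UA", 50.45, 30.52),
    "203.0.113.9":  ("UA", 50.45, 30.52),   # same city -> identical coordinates
    "198.51.100.2": ("DE", 52.52, 13.40),
    "192.0.2.77":   ("US", 40.71, -74.01),
}

def parse_victim_files(root):
    """Walk the dumped C&C tree and yield (campaign_dir, ip, mtime_utc) for every
    file whose name is a valid IP address; anything else (index pages etc.) is skipped."""
    for campaign in sorted(os.listdir(root)):
        cdir = os.path.join(root, campaign)
        if not os.path.isdir(cdir):
            continue
        for name in os.listdir(cdir):
            try:
                ip = str(ipaddress.ip_address(name))
            except ValueError:
                continue
            stamp = os.path.getmtime(os.path.join(cdir, name))
            yield campaign, ip, datetime.fromtimestamp(stamp, tz=timezone.utc)

def infection_stats(records):
    """Unique victims overall (one file per victim is assumed, as in the post) and
    per campaign directory, plus the earliest and latest file date."""
    per_campaign, all_ips, times = {}, set(), []
    for campaign, ip, mtime in records:
        per_campaign.setdefault(campaign, set()).add(ip)
        all_ips.add(ip)
        times.append(mtime)
    return {
        "total_victims": len(all_ips),
        "per_campaign": {c: len(s) for c, s in per_campaign.items()},
        "first_seen": min(times).date().isoformat() if times else None,
        "last_seen": max(times).date().isoformat() if times else None,
    }

def country_ranking(ips, geo=FAKE_GEO, top=30):
    """Absolute infection counts per country, most affected first."""
    return Counter(geo[ip][0] for ip in ips if ip in geo).most_common(top)

def map_markers(ips, geo=FAKE_GEO):
    """Coordinates for the map with duplicate geolocations collapsed, which is why
    fewer markers than victims end up on the map."""
    return sorted({geo[ip][1:] for ip in ips if ip in geo})

def build_sample_dump():
    """Create a constructed dump: two campaign dirs, one victim seen in both, one junk file."""
    root = tempfile.mkdtemp()
    layout = {
        "1": {"203.0.113.5": "2016-02-24", "198.51.100.2": "2016-02-24",
              "index.html": "2016-02-24"},
        "2": {"203.0.113.9": "2016-02-25", "192.0.2.77": "2016-02-26",
              "203.0.113.5": "2016-02-26"},
    }
    for campaign, files in layout.items():
        os.makedirs(os.path.join(root, campaign))
        for name, day in files.items():
            path = os.path.join(root, campaign, name)
            open(path, "w").close()
            ts = datetime.fromisoformat(day).replace(tzinfo=timezone.utc).timestamp()
            os.utime(path, (ts, ts))
    return root

def analyse(root):
    records = list(parse_victim_files(root))
    stats = infection_stats(records)
    ips = {ip for _, ip, _ in records}
    stats["top_countries"] = country_ranking(ips)
    stats["markers"] = map_markers(ips)
    return stats

if __name__ == "__main__":
    print(analyse(build_sample_dump()))
```

Deduplicating on the IP string across all directories is what turns the file count into a victim count; if the same address appears in two campaign directories, as in the constructed dump, it is counted once overall but once per campaign.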

The absolute numbers associated with countries are given in the following diagrams:

Figure 2: Top 30 countries of Furtim infections (logarithmic)
Figure 3: Top 30 countries of Furtim infections (linear)


Conclusion

Given the period of 2 months, a total of 15060 victims were infected with Furtim. The malware is spread all over the world, and the country with the most infections is Ukraine.