Today we analyze an SMB worm that uses GMAIL for C&C checkins and drops a backdoor on infected machines.
WARNING: USE OF INFORMATION IN THIS REPORT FOR ANY ACTION AGAINST A MACHINE WITHOUT THE OWNER'S CONSENT MAY VIOLATE THE LAW.
SMB Worm w/Backdoor
The last worm I analyzed was the WannaCry ransomware. WannaCry propagated through a worm that weaponized the ETERNALBLUE SMB exploit to penetrate remote machines and further spread the infection.
Today's example is not quite that fancy. There are no exploits involved and no flashy ransomware to display to users. The various parts of this malware are very much reminiscent of the olden days of worm propagation and backdoor installation. So kick back, relax, and join me for some analysis on a blast from the past.
We begin today's analysis in IDA Pro and are immediately greeted with an enumeration function that gathers the current username. The result is then compared to the string "SYSTEM". This is a seemingly odd comparison, especially if this EXE is an initial infection vector: we would not expect normal users to be running under the "SYSTEM" account, so the comparison would always fail and execution would take the path on the left (we will come back to this comparison later).
By combining GetTickCount and rand, the malware essentially generates random IP addresses. With ~50 threads all doing this at once, we can surmise that this is indeed a worm and that it will reach out to an immense number of IPs.
So, it looks like this may be a deprecated function or the authors didn't know the servers changed. Either way, with our analysis tools we are able to fully analyze the SMTP session as if it had fully connected. Over SMTP port 25 the malware issues the commands to generate an email to "[email protected]". This email contains the computer's IP address, OS version, and the username/password used to connect to the remote machine.
Due to the very straightforward nature of this file, its lack of protections, its antiquated SMB propagation technique, and its deprecated use of GMAIL's SMTP service, it is fair to say that this malware is quite old. Cursory searches for this malware reveal that it is most likely the Brambul worm from 2015 and that it was potentially used to drop something known as the Duuzer backdoor. At the time of this analysis the file had been seen active in sandbox databases within the past week. Perhaps it was automatically submitted for archival purposes, or perhaps someone is aiming to repurpose this blast from the past. Either way, be careful out there. Happy hunting.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Update" = "[PATH TO MALWARE]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wglmgr\"ImagePath" = "cmd.exe /c "net share admin$""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wglmgr\"DisplayName" = "Windows Genuine Logon Manager"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgudtr\"ImagePath" = "%SystemRoot%\csrss.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgudtr\"DisplayName" = "Microsoft Windows Genuine Updater"
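To turn the persistence entries above into something a responder can run, here is an added example (my code, not part of the original post) that scans a Windows "reg export" (.reg) dump for the Run value name, the two service names, the admin$ re-share command, and a csrss.exe living outside System32. The registry export below is constructed for the demo; the paths in it are not real indicators.

```python
import re

# Persistence artifacts named in the post: the Run value name and the two service names.
RUN_VALUE_NAME = "windows update"
KNOWN_SERVICES = {"wglmgr", "wgudtr"}

# A "name"="value" line in a .reg export; backslashes and quotes are escaped as \\ and \"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
SERVICE_KEY_RE = re.compile(r'\\currentcontrolset\\services\\([^\\]+)$')


def _unescape(s):
    # .reg string values escape '\' and '"' with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def scan_reg_export(text):
    """Return (key, reason) findings for Brambul-style persistence in a .reg export."""
    findings = []
    key, svc = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):      # key header
            key = line[1:-1]
            m = SERVICE_KEY_RE.search(key.lower())
            svc = m.group(1) if m else None
            if svc in KNOWN_SERVICES:
                findings.append((key, f"service name '{svc}' matches a Brambul-installed service"))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, value = _unescape(m.group(1)).lower(), _unescape(m.group(2)).lower()
        if key.lower().endswith(r"\currentversion\run") and name == RUN_VALUE_NAME:
            findings.append((key, 'Run value named "Windows Update" (Brambul autostart)'))
        if svc and name == "imagepath":
            if "net share admin$" in value:
                findings.append((key, "service ImagePath re-shares admin$ (enables SMB spreading)"))
            # The genuine csrss.exe lives in %SystemRoot%\System32; anywhere else is suspect.
            if value.endswith("csrss.exe") and "\\system32\\" not in value:
                findings.append((key, "csrss.exe outside System32"))
    return findings


# Constructed sample export (not a real capture): three malicious entries plus two benign ones.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Windows Update"="C:\\Users\\Public\\example-malware.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wglmgr]
"DisplayName"="Windows Genuine Logon Manager"
"ImagePath"="cmd.exe /c \"net share admin$\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgudtr]
"DisplayName"="Microsoft Windows Genuine Updater"
"ImagePath"="%SystemRoot%\\csrss.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"
"""
```

On a live host, feed it the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services` and the Run key instead of SAMPLE_REG; the csrss.exe location check catches the persistence even if the service names are changed.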