Search This Blog

Ring Ø Labs DOES NOT advocate using any of the malware, techniques, or information presented here for harm and doing so may violate the law. These topics are for mitigation and educational purposes only. Read more about us here

Thursday, August 31, 2017

Worms Caught In Brambuls

Today we analyze an SMB worm that uses GMAIL for C&C checkins and drops a backdoor on infected machines.






WARNING: USE OF INFORMATION IN THIS REPORT FOR ANY ACTION AGAINST A MACHINE WITHOUT THE OWNERS CONSENT MAY VIOLATE THE LAW.



DETAILS

Filename
smb-4ppzilmr.tmp
Protection
None
MD5
3844EC6EC70347913BD1156F8CD159B8
Sample
Type
SMB Worm w/Backdoor
Video


The last Worm I analyzed was Wannacry Ransomware. Wannacry propagated through the use of a Worm that weaponized the ETERNALBLUE SMB exploit to penetrate remote machines and further spread the infection.

Today's example is not quite that fancy. There are no exploits involved and no flashy ransomware to display to users. The various parts of this malware are very much reminiscent of the olden days of worm propagation and backdoor installation. So kick back, relax, and join me for some analysis on a blast from the past.



We begin todays analysis in IDAPRO and are immediately greeted with an enumeration function that gathers the current username. The result is then compared to the string of "SYSTEM". This is a seemingly odd comparison, especially if this EXE is an initial infection vector. We would not expect normal users to be running under the "SYSTEM" account and thus the comparison would always fail and go to the path on the left (we will come back to this comparison later.)



For now, we take the path to the left which spins off ~50 threads on the local machine in a loop. Each thread is created with the same function entry point.



We are then led to a rather long function which utilizes four distinct loops that call GetTickCount and rand. These four loops ultimately calculate the four octets we need to create an IP address.



By using the combination of GetTickCount and rand we essentially generate random IP addresses. With ~50 threads all doing this at once, we can surmise that this is indeed a worm and it will reach out to an immense amount of IPs.



When an IP is successfully contacted, the worm will issue a port check for SMB 445. If the port is deemed to be open, the worm will proceed.



Next the worm will attempt a connection to the remote IPC$ share as well as the ADMIN$ share using one of two usernames: "administrator" or "db2admin" and a password list of ~60 very common passwords. If a successful connection is made with the correct authentication, the malware will check in with the author.



The checkin portion of this malware is interesting to me because I don't believe it works anymore. Let me explain. After Google went to the secure SMTP ports they use today (465, 587, etc) they continued to offer SMTP services on port 25 for devices which were unable to utilize SSL (printers, fax, scanners, etc) with certain restrictions in-place like only being able to send to other GMAIL accounts. It appears that this malware author is attempting to use this service, however, in my testing I was not able to successfully connect to any of the servers hardcoded in the malware over port 25.



I was curious if Google still offered this service to devices without the ability to use SSL and according to their website they do; but it is on a different server than those listed in the malware.





So, it looks like this may be a deprecated function or the authors didn't know the servers changed. Either way, with our analysis tools we are able fully analyze the SMTP session as if it had fully connected. Over SMTP port 25 the malware will issue commands to generate an email to "[email protected]". This email contains the computer's IP address, OS version, and user name/password used to connect to the remote machine.



After checking in with the author, the worm will create a remote service that opens the remote ADMIN$ share on the target machine. This service is started and then immediately deleted from the remote machine.



Once the remote ADMIN$ share is open and shared, the worm will copy itself to the remote share as CSRSS.EXE in the %SYSTEMROOT% directory. It will then create another remote service with CSRSS.EXE as the target executable and start the service.



Now, if you'll recall from the beginning of this analysis the first thing this worm does is check whether it is running as the user "SYSTEM". One important thing to note is that Windows Services run under the LocalSystem account and this account is considered a higher privilege level than the Administrator account. Since this worm copied itself to the remote machine and launched that copy as a service, the new copy is now running as "SYSTEM". This means we start analysis over from the beginning and instead of taking the path to the left, we head right.



The path to the right is fairly straightforward though. The worm will drop out a PETITE packed backdoor named "lsasvc.exe", setup persistence in the registry, and email the author with the current machines details. It will then start the worm propagation process all over again searching for new victims out on the interwebz.


CONCLUSION

Due to the very straightforward nature of this file, lack of protections, antiquated SMB propagation technique, and deprecated use of GMAILs SMTP service; it is fair to say that this malware is quite old. Precursory looks for this malware reveal that it is most likely the Brambul worm from 2015 and it was potentially used to drop something known as the Duuzer backdoor. At the time of this analysis the file was seen active in sandbox databases within the past week. Perhaps this was automatically submitted for archival purposes or perhaps someone is aiming to repurpose this blast from the past. Either way, be careful out there. Happy hunting.


INDICATORS

REGISTRY
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Update" = "[PATH TO MALWARE]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wglmgr\"ImagePath" = "cmd.exe /c "net share admin$""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wglmgr\"DisplayName" = "Windows Genuine Logon Manager"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgudtr\"ImagePath" = "%SystemRoot%\csrss.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgudtr\"DisplayName" = "Microsoft Windows Genuine Updater"


DROPPED FILES
lsasvc.exe
CSRSS.exe