McAfee Labs Threat Advisory Careto Attack – The Mask

June 22, 2018

McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent threats. This Threat Advisory contains behavioral information, characteristics and symptoms that may be used to mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs.

To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and Threat Reports” at the following URL: https://www.mcafee.com/enterprise/en-us/sns/preferences/sns-form.html.

Summary

Careto Attack is a cluster of reconnaissance and data-stealing Trojans that can monitor many aspects of a system’s operation, including keystroke entry and network traffic. This information is stored locally on the infected system along with extensive system configuration information. The Trojans are capable of uploading the harvested information to an external server, where it can be retrieved by the attacker.

The malware used in the Careto attack is extremely modular in its design: rather than one big program, it uses many smaller modules, each performing a particular function. It also uses a multi-stage installation that involves several intermediate steps.

There are currently two distinct known variations of this malware. The first one, known as “SGH”, uses a kernel mode rootkit and data interception component as well as user mode components to access the captured data and upload it to the external server.

The second variation, called “Careto”, operates completely in user mode and is fully compatible with both 32-bit and 64-bit Windows operating systems from Windows 2000 onward.

Time and date stamp information from the currently known samples of the dropper and installer components indicates that this attack may have been active from as early as 2007. Samples of the main active components, however, all seem to come from late 2012 to the middle of 2013. Interestingly, the uninstalling components used to clear the malware from an infected system are dated June 20th 2013. This is the latest known date in the samples and may indicate the date at which the attackers started to remove their malware.

Most samples contained no locale information that might indicate the origin of the malware. A few of the later samples, however, did contain CodePage information indicating a Western European origin: the hexadecimal value 0x4E4 is decimal 1252, the CodePage used for products using the Western European Latin alphabet. Such detailed information as is known so far about the threat, its propagation, characteristics and mitigation is given in the following sections:

• Infection and Propagation Vectors
• Mitigation
• Characteristics and Symptoms
• First Variant – “SGH”
• Second Variant – Careto
• Restart Mechanism
• Remediation
• McAfee Foundstone Services

The minimum DAT versions required for detection of the Careto attack related files are:

Detection Name       DAT Version   Date
-FBRF                7344          09-Feb-2014
OSX/Backdoor-FBRE    7344          09-Feb-2014

Infection and Propagation Vectors

Analysis of the currently known samples has not provided any information about the initial infection vectors. The initial installers could have been placed on the user’s system by any of the usual malware distribution methods, including spear-phishing email, drive-by browser exploit or remote execution vulnerability exploit.

Mitigation

Mitigating the threat at multiple levels (file, registry and URL) can be achieved at various layers of McAfee products. Browse the product guidelines available here to mitigate the threat based on the behavior described in the Characteristics and Symptoms section below.

EPO
• To block access to USB drives through an EPO DLP policy, refer to this tutorial.

VSE
• Refer to article KB53346 to use Access Protection policies in VirusScan Enterprise to protect against viruses that can disable regedit.
• Refer to article KB53355 to use Access Protection policies in VirusScan Enterprise to protect against viruses that can disable Task Manager.
• Refer to article KB53356 to use Access Protection policies in VirusScan Enterprise to prevent malware from changing folder options.

HIPS
• To blacklist applications using a Host Intrusion Prevention custom signature, refer to KB71329.
• To create application blocking rules policies that prevent the binary from running, refer to KB71794.
• To create application blocking rules policies that prevent a specific executable from hooking any other executable, refer to KB71794.

Others
• In conjunction with our investigation into the Careto Attack – The Mask, we have released IOC data in the open and highly flexible OpenIOC Framework format. The Careto Attack – The Mask IOC can be downloaded here. In addition to various open/free tools, OpenIOC data can be consumed by:
  • McAfee Network Security Platform
  • McAfee HIPS
  • McAfee GTI Proxy
  • McAfee Web Gateway
• To disable the Autorun feature on Windows remotely using Windows Group Policies, refer to this article from Microsoft.

Characteristics and Symptoms

The malware involved in this attack is divided roughly into two separate groups: Careto and SGH. Both families are extremely modular in their design, which allows very simple maintenance and upgrading because only small components need to be replaced rather than a single large file.

First Variant – “SGH”

The first variant, known as “SGH”, uses a kernel mode rootkit and data interception component as well as user mode components to access the captured data and upload it to the external server.

This variant is installed on the system by a dropper component with the following file characteristics:

Filename: 892511916b92794a92ea698ab3ae78d51a5958e9a4d175f2b05a5af0f3e1ef16
MD5:      cdc03f14052a73cc9d3d1d5d752d9d04
SHA1:     a1bd3f225ea19b4963d7983bffc5d342d8d6148b
Type:     Win32 PE EXE

When run, it drops the following files into the %SYSTEM% folder:

• mfcn30.dll
• jpeg1x32.dll
• vchw9x.dll
• awcodc32.dll
• awdcxc32.dll
• scsimap.sys
• bootfont.bin

And the file ___A6.tmp is dropped into the %TEMP% folder.

The dropped driver scsimap.sys is then installed and run to install additional kernel-level components.

As soon as the installer component starts execution, it attempts to disable the Kaspersky security product driver to prevent it from scanning any process named "services.exe".

It then locates the ".inf" section within itself and decrypts it with RC4, using as the key the MD5 of the hardcoded string "AQA4$w1QsfexDT", followed by an inflate (decompression) operation. The decrypted result is an installation script, which the installer interprets, performing specific actions according to the opcodes in the script:

Code      Functionality
1 or 19   1. Install a file.
          2. Download a file from a given URL (http, https, ftp or gopher) and install it. The file is installed to a specified directory.
          3. Set the timestamp of the installed file to that of the local kernel32.dll so as not to arouse suspicion.
2         Delete a file
3         Set a registry value
4         Delete a registry key or value
5         Copy data from one registry value to another
6         Compare data from one registry value with another
7         Create a new service
8         Delete a service
9         Start a service
10        Stop a service
11        Do nothing
12        Create a new process
13        Display a message box
14        Append data to a registry value
15        Add a new device filter using the SetupDi* Windows APIs
16        Remove a device filter using the SetupDi* Windows APIs
17        Add a new certificate to the local certificate store
18        Delete an existing certificate from the local certificate store
19        Do nothing
20        Detect VMware and Virtual PC virtual machines and exit if not found
21        Detect virtual machines and exit if found
22        Write code to the bootmgr file
23        Dump data to a temporary file prefixed with “___” and start it as a new process

Once these operations are complete, the file ___A6.tmp (a Win32 PE EXE) is executed to delete the installer. The diagram below shows the relationship between the components:

• mfcn30.dll: provides the framework to load new plugins into the malware
• vchw9x.dll: network connectivity features
• awcodc32.dll: interacts with the C&C via the vchw9x module

Characteristics of installed components:

Filename: ___A6.tmp
MD5:      8102AEF50B9C7456F62CDBEEFA5FA9DE
SHA1:     E6BFE33C591FD024AAC97D5734250FB72E3CF6B6
Type:     Win32 PE EXE

This file is a simple tool that waits until its parent process (the program that executed it) terminates, then deletes the file associated with that process and exits:

    .text:010012ED call    ds:GetCurrentProcessId
    .text:010012F3 push    eax             ; dwProcessId
    .text:010012F4 call    GetParentProcID
    .text:010012F9 push    eax             ; dwProcessId
    .text:010012FA push    1               ; bInheritHandle
    .text:010012FC push    100410h         ; dwDesiredAccess
    .text:01001301 call    ds:OpenProcess
    .text:01001343 loc_1001343:            ; CODE XREF: sub_10012BD+7Cj
    .text:01001343 push    0FFFFFFFFh      ; dwMilliseconds
    .text:01001345 push    esi             ; hHandle
    .text:01001346 call    ds:WaitForSingleObject
    .text:0100134C lea     eax, [ebp+FileName]
    .text:01001352 push    eax             ; lpFileName
    .text:01001353 call    ds:DeleteFileA

Filename: mfcn30.dll
MD5:      5024ce13efab0e531c4e09b98def1287
SHA1:     0aeed3b0a049fb859a46ac9b8c64ef924af4a924
Type:     Win32 PE DLL

The sample takes no actions when it is loaded. It provides a framework for extending the malware with additional plugins and sending the results of their data collection routines to the C&C server.

The module reads a list of additional plugin DLLs from the configuration block, loads these libraries and then periodically queries them for collected information.

Filename: jpeg1x32.dll
MD5:      c2ba81c0de01038a54703de26b18e9ee
SHA1:     5e7833fa8edc069443bb1239de3291aa1e3fc9c8
Type:     Win32 PE DLL

Unlike the other DLLs which use “k3ck=eeDh+d90gedvjrDe3l” as the custom-RC4 key, this sample uses “kernel32.dll” as the key.

The core purpose of this module is to act as a low-level information stealer, collecting disk, OS and hardware-specific information (the high-level info-stealer routines are in CDllAIT32.dll and CDllAIT64.dll).

The sample contains two exported functions: the entry point and “fnProcess”. The fnProcess function takes 4 arguments from the caller, two of which are of interest. The first argument expects a 1-byte code that selects the action to be performed:

Code            Functionality
03h             Enumerate all files on disk
04h             Get base address of all PE files on the machine created after a specific date
08h             Get information
6fh             Terminate the DLL and uninstall
71h             Convert data to wide characters
72h             Write data to itself, store data in memory and delete itself
Anything else   Quit

Code 3: Enumerate all files on disk
All files on disk are enumerated and stored in the log.

Info-Stealer Routine (Code 8)
The information collected is always logged in the following format:

    [Log Code]
    ------
    [Stolen Information-1]
    [Stolen Information-2]
    …
    [Stolen Information-N]

Example:

    OS
    ------
    Win

    SW
    ------
    [Installed software names and versions]

    NET
    ------
    [IP Address / MAC Address, etc.]

The information collected includes the OS name (and the presence of hotfix Q246009). A full list of the data stolen by the info stealer follows:

Log Code   Information Type       Data Stolen
OS         Operating System       a) OS version (Win98, WinNT, WinXP, etc.)
                                  b) Name of owner
                                  c) Name of registered organization
                                  d) List of installed hotfixes
                                  e) Country information
                                  f) OS install dates
                                  g) Keyboard layout and language
                                  h) Time zone
USERS      Local User Accounts    a) Name of local user
                                  b) Type of user
                                  c) Privileges assigned to user
                                  d) Comment assigned to user
HW         Hardware               a) OEM ID
                                  b) Number of processors
                                  c) Processor mask
MEMORY     Memory                 a) (Total/Free) physical memory
                                  b) (Total/Free) virtual memory
                                  c) Paging file size
                                  d) Page size
                                  e) Minimum application address
DRIVES     File System            a) Drive label
                                  b) Type (fixed, removable, etc.)
                                  c) (Total/Free) space available
                                  d) Root drive letter
                                  e) Drive object ID support
                                  f) Reparse points support
                                  g) Sparse files support
                                  h) File volume quotas
                                  i) Volume serial number
                                  j) Status of drive properties:
                                     a. FS_CASE_IS_PRESERVED
                                     b. FS_CASE_SENSITIVE
                                     c. FS_FILE_COMPRESSION
                                     d. FS_FILE_ENCRYPTION
                                     e. FS_PERSISTENT_ACLS
                                     f. FS_UNICODE_STORED_ON_DISK
                                     g. FS_VOL_IS_COMPRESSED
                                  k) Status of FS_CASE_IS_PRESERVED flag
USB        USB Devices            a) Name of previously connected USB device
PROCESS    Running Processes      a) Name of process
                                  b) PID
                                  c) Total memory used
SW         Installed Software     a) Name of product
                                  b) Installed version
NET        Network Information    a) MAC address
                                  b) Network card status (on/off)
                                  c) IP address
                                  d) DHCP server
                                  e) Loopback address
                                  f) Type:
                                     a. SLIP
                                     b. PPP
                                     c. FDDI
                                     d. Ethernet
                                     e. Token Ring
                                  g) Network card information:
                                     a. Service name
                                     b. Description
                                     c. Title
                                  h) Network card driver description
                                  i) Active TCP/UDP connections:
                                     a. Destination address
                                     b. Port
                                     c. Status (closed, listening, etc.)

Filename: vchw9x.dll
MD5:      f46da52833c1078ed8b62276acbe9f1b
SHA1:     224696022c6e7440ada4f2549d4432cc9f9eae04
Type:     Win32 PE DLL

This file uses the “ConvertStringSecurityDescriptorToSecurityDescriptor” function, which converts a string-format security descriptor into a valid, functional security descriptor.

It also contains references to HTTP GET and POST commands. This indicates that some form of communication is implemented by this module.

This module implements network connectivity features for the SGH components. The library is injected by the LoadDLL driver into one of the processes listed below:

• IEXPLORE.EXE
• FIREFOX.EXE
• MOZILLA.EXE
• OPERA.EXE
• NETSCAPE.EXE
• EMULE.EXE
• CHROME.EXE

It creates the pipe \\.\pipe\{807BF02B-3F5F-4570-970A-8AADBAA55AC1} and processes commands sent via this pipe by other modules.

Once a command is received, it passes the network request to Wininet functions and returns the results to the caller module via the same pipe.

Filename: awcodc32.dll
MD5:      F28990D580F42050E4897CB52A1FB026
SHA1:     CCE60EB5D6997A2DE2EBD164A4C1C63D8DBB0738
Type:     Win32 PE DLL

This DLL exports two functions, DllCanUnloadNow and DllEntryPoint, which do nothing. The code at the entry point tries to call a memory address that is not present in the file, which indicates that the DLL is meant to be loaded by another module.

It connects to the “vchw9x” component using a pipe by name taken from the configuration block (“\\.\pipe\{807BF02B-3F5F-4570-970A-8AADBAA55AC1}”) and communicates with the C&C server using that component.

All communication between the component and the server is encrypted using the RC4 algorithm.

Filename: awdcxc32.dll
MD5:      dede43ebe5f8a4b0aabfd0679b051e9e
SHA1:     29b643993c0a912a7268114abf65915a5754b224
Type:     Win32 PE DLL

The sample takes no actions when it is loaded. Its sole purpose is to provide access to the device implemented by the file scsimap.sys and identified by the following string:

    .text:75001060 unicode 0, <\\.\{E07DB02C-387E-43b2-A6F2-C59B4934B7D6}>,0

The exported functions from this DLL are:

    .text:75001D99 aConfdelete     db 'ConfDelete',0
    .text:75001DA4 aConfread       db 'ConfRead',0
    .text:75001DAD aConfwrite      db 'ConfWrite',0
    .text:75001DB7 aDllload        db 'DLLLoad',0
    .text:75001DBF aModuleaddimage db 'ModuleAddImage',0
    .text:75001DCE aModuledeleteim db 'ModuleDeleteImage',0
    .text:75001DE0 aModulesetboots db 'ModuleSetBootStatus',0
    .text:75001DF4 aModulestartima db 'ModuleStartImage',0
    .text:75001E05 aModulestopimag db 'ModuleStopImage',0
    .text:75001E15 aSenddatatodriv db 'SendDataToDriver',0

Filename: scsimap.sys
MD5:      4A0AF770E172ABB09E3691A81F9A6572
SHA1:     B5ADDFF79E625183C30370A0CCE124FD1255BA7D
Type:     Win32 PE System Driver

This file is a kernel-level driver and is used to install the kernel-level components. These components are initially encrypted and stored in a custom archive inside the file bootfont.bin.

This driver implements a device with the id \Device\{E07DB02C-387E-43b2-A6F2-C59B4934B7D6}. The known kernel mode components are listed here and detailed below.

• chiper.sys
• cmprss.sys
• fileflt.sys
• loaddll.sys
• PGPsdkDriver.sys
• seed.sys
• stopsec.sys
• storage.sys
• TdiFlt.sys
• TdiFlt2.sys

Filename: chipper.sys
MD5:      652f6799ee73d38180e24e70b06d3bc9
SHA1:     3c7d15b9ffd45d270d246686679a1c04cfd1e857
Type:     Win32 PE System Driver

This kernel driver provides an encryption API for other drivers.

Filename: cmprss.sys
MD5:      782cfa3640dae04d0055b2a6b7732845
SHA1:     4d4f8942be867e79926bb3add72aaa4762004c2c
Type:     Win32 PE System Driver

This system driver component provides data compression functionality to other components.

It uses RtlCompressBuffer and RtlDecompressBuffer to perform compression and decompression respectively.

[Code snippets: RtlCompressBuffer, RtlDecompressBuffer]

Filename: fileflt.sys
MD5:      ad56293644d6715f8abd1202bae17df3
SHA1:     3b65c255e19809914c969a1624a7c3d8ab356170
Type:     Win32 PE System Driver

This filter driver attaches to the file systems \FileSystem\FASTFAT, \FileSystem\CDFS and \FileSystem\NTFS, where available. It is thought that this file filters information from the file system so as to hide the presence of the malware on disk.

Filename: loaddll.sys
MD5:      ddf68561daad19e85bba93d3f77c7100
SHA1:     297a6793dbd48b47efa24c2e533648c2678aac44
Type:     Win32 PE System Driver

This kernel driver provides the capability of injecting into user mode processes. It uses the function ZwAllocateVirtualMemory to allocate memory in user space from the kernel.

Filename: PGPsdkDriver.sys
MD5:      b92d9b5a16d767b9794c65ae92e047f9
SHA1:     50d7a46407a7b2a742512660b22c6e87e3331523
Type:     Win32 PE System Driver

This kernel filter driver attaches to the keyboard driver \Driver\Kbdclass and is used to log keystrokes:

Driver              Device                    IRP
\Driver\Kbdclass    \Device\KeyboardClass0    IRP_MJ_READ
\Driver\Kbdclass    \Device\KeyboardClass0    IRP_MJ_PNP
\Driver\Kbdclass    \Device\KeyboardClass1    IRP_MJ_READ
\Driver\Kbdclass    \Device\KeyboardClass1    IRP_MJ_PNP

Filename: seed.sys
MD5:      d341c67fd9fcc7fc392c4e5b9178d3a8
SHA1:     e9bf38773cbdae01fa0ea68df399c820297bb176
Type:     Win32 PE System Driver

This kernel driver is the central framework for all the different kernel components and is referenced by many of them. It is also responsible for reading the configuration from the registry value:

HKLM\SYSTEM\CurrentControlSet\Services\scsimap\Params\Value

Filename: stopsec.sys
MD5:      e8c05db10ad46a2e714bc7a942d5d425
SHA1:     c80a632a94f0079bed00b7c52e9b6be87577e23d
Type:     Win32 PE System Driver

This kernel driver attempts to send commands to the kernel device \Device\KLIF in order to disable or block the Kaspersky security software.

Filename: storage.sys
MD5:      36a643710473d27f02429898dc5a6ebd
SHA1:     dcdc944897b97520518d368ae446adbb8ded29ef
Type:     Win32 PE System Driver

This kernel mode driver provides the interface to the file used to store the logged and stolen data. The data is compressed and encrypted and then stored in the file %SYSTEM%\c_50227.nls.

Filename: TdiFlt.sys
MD5:      bfd8a476e1bfac92292d22f3c2e7e634
SHA1:     dba4ac0cb7ed5b0d94601d95ed83fb079a10b293
Type:     Win32 PE System Driver

This kernel filter driver attaches to the driver IPFILTERDRIVER and logs network connections and traffic.

Filename: TdiFlt2.sys
MD5:      c24e8472cf9c2a31c25053d8ff7f23a5
SHA1:     b373925f2128b9ab51c5e4d26ba52d6a17363a2d
Type:     Win32 PE System Driver

This kernel filter driver interacts with the Windows firewall device driver to prevent the malware’s own network traffic from being blocked.

Second Variant – Careto

The second variant, called “Careto”, operates completely in user mode and is fully compatible with both 32-bit and 64-bit Windows operating systems from Windows 2000 onward.

[Diagram: relationship between the Careto components]

Filename: unknown
MD5:      0b246eeee4a67fec281295b83662fb19
SHA1:     3c4055cc39511d22eeda71014ffe487bad4cb264
Type:     Win32 PE EXE

This file contains the installer for the Careto group of files. It will not run on versions of Microsoft Windows older than Windows 2000. Inside this file there is an encrypted CAB archive, encrypted with a modified form of RC4 using the key !$7be&.Kaw-12[} . The same encryption is also used to protect incriminating strings. The CAB file carries two DLL files, shlink32.dll and Shlink64.dll. These files are identical in function, one being for 32-bit platforms and the other for 64-bit systems.

When the program is run it takes the following actions:

• The malware determines whether it is running on a 32-bit or 64-bit system:

    .text:004024AD push    offset ProcName ; "GetNativeSystemInfo"
    .text:004024B2 push    eax             ; hModule
    .text:004024B3 call    ds:GetProcAddress
    .text:004024B9 cmp     eax, esi
    .text:004024BB jz      short loc_4024CF
    .text:004024BD lea     ecx, [ebp+var_24]
    .text:004024C0 push    ecx
    .text:004024C1 call    eax
    .text:004024C3 xor     eax, eax
    .text:004024C5 cmp     word ptr [ebp+var_24], PROCESSOR_ARCHITECTURE_AMD64
    .text:004024CA setz    al
    .text:004024CD mov     esi, eax
    .text:004024CF
    .text:004024CF loc_4024CF:             ; CODE XREF: sub_402487+24j
    .text:004024CF                         ; sub_402487+34j
    .text:004024CF pop     edi
    .text:004024D0 mov     eax, esi
    .text:004024D2 pop     esi
    .text:004024D3 leave
    .text:004024D4 retn

  The appropriate file from the CAB is then selected for extraction.

• The location for the dropped file is selected according to the version of the operating system:
  - on Vista, Win7 and Win8 the file is dropped to %APPDATA%\Microsoft\objframe.dll
  - on WinXP it is dropped to %SYSTEM%\objframe.dll
  The selected file is then extracted and written to that location.

• It creates the following registry values:

    Path: HKLM\SOFTWARE\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32
    Data: %SystemRoot%\System32\browseui.dll

    Path: HKLM\SOFTWARE\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32
    Key Name: ThreadingModel
    Data: Apartment

    Path: HKLM\Software\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InprocServer32
    Data: C:\WINDOWS\system32\objframe.dll

• The program then exits.
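The registry changes above are the installer’s footprint on a system, so a defender can audit them. The following Python is an added example (not McAfee’s or the advisory’s code) that parses `reg query` style output for the two CLSIDs named above and flags an InprocServer32 that points at objframe.dll, one that serves the shell CLSID from outside System32, or the mere presence of the CLSID the installer creates; the sample output and the benign CLSID in it are constructed.

```python
"""Audit the CLSID InprocServer32 values rewritten by the Careto installer.

Added example. On Windows, capture real input with one query per key, e.g.
  reg query "HKLM\SOFTWARE\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InprocServer32"
and feed the text to scan(). The sample below is constructed to mimic that output.
"""
import re

# CLSIDs from the advisory's "creates the following registry values" step.
HIJACKED_CLSID = "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"  # existing shell CLSID, repointed
CREATED_CLSID = "{E6BB64BE-0618-4353-9193-0AFE606D6F0C}"   # created by the installer
SUSPECT_MODULE = "objframe.dll"                              # dropped DLL name

KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\s*$"
)
VALUE_RE = re.compile(r"^\s+(\(Default\)|\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(text: str):
    """Yield (clsid, value_name, data) from `reg query` style output."""
    clsid = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            clsid = m.group(1).upper()
            continue
        m = VALUE_RE.match(line)
        if m and clsid:
            yield clsid, m.group(1), m.group(3)


def in_system32(path: str) -> bool:
    """True for the two System32 spellings the advisory shows (%SystemRoot% or C:\\WINDOWS)."""
    p = path.lower()
    return p.startswith("%systemroot%\\system32\\") or p.startswith("c:\\windows\\system32\\")


def scan(text: str) -> list:
    """Return (clsid, reason, data) findings for the advisory's registry indicators."""
    findings = []
    for clsid, name, data in parse_reg_query(text):
        if name != "(Default)":
            continue
        if data.lower().rsplit("\\", 1)[-1] == SUSPECT_MODULE:
            findings.append((clsid, "InprocServer32 points at objframe.dll", data))
        elif clsid == HIJACKED_CLSID and not in_system32(data):
            findings.append((clsid, "shell CLSID served from outside System32", data))
        if clsid == CREATED_CLSID:
            findings.append((clsid, "CLSID created by the Careto installer is present", data))
    return findings


# Constructed sample: an XP-style infection (objframe.dll in system32), the created
# CLSID, and one benign entry under a placeholder CLSID that should not be flagged.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InprocServer32
    (Default)    REG_EXPAND_SZ    C:\WINDOWS\system32\objframe.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\browseui.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\shell32.dll
"""

if __name__ == "__main__":
    for clsid, reason, data in scan(SAMPLE_REG_QUERY):
        print(f"{clsid}: {reason} ({data})")
```

On a Vista or later system the dropped path is %APPDATA%\Microsoft\objframe.dll, which the same scan flags on both the file name and the non-System32 location.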

Custom RC4 Algorithm

The strings in every .dll sample are protected with a custom RC4 algorithm combined with an entropy-equalizer function, intended to prevent automated systems from detecting anomalies.

Each encrypted character appears to have 0x80 added to it.

Before being passed to the custom-RC4 function, each character is decoded using the following function:

    char decode_character(char* encryptedString, int index)
    {
        char ret = 0;
        ret = 16 * (encryptedString[2 * index] - 0x80);   /* high nibble from the first byte */
        ret |= encryptedString[(2 * index) + 1] - 0x80;   /* low nibble from the second byte */
        return ret;
    }

In other words, the information of one encrypted byte is split across two bytes, doubling the size of each encrypted string.

Once a character has been decoded, it is passed to the custom-RC4 function. The custom RC4 is similar to the original RC4 design with the following changes:
a) The S-box size has increased from 256 elements to 260 elements.
b) The counter runs from 255 down to 0 instead of 0 up to 255 in RC4’s KSA loop.
c) Inside the KSA loop, if a value to be swapped is greater than the current counter value, a new value to be swapped is found.

The first character of the RC4 decryption result is ignored while the rest comprises the decrypted string.
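As an added example (not code from the advisory or the malware), the following Python reconstructs the two-stage string protection described above: the nibble decode from the C snippet, followed by an RC4 variant with the three listed changes, and the discarded first byte. Where the advisory leaves details open (how the replacement swap index is chosen in rule c, how a 260-entry S-box yields byte-sized keystream), the choices are labelled as assumptions in comments; the encrypt side and the sample strings are constructed only so the round trip can be checked.

```python
"""Reconstruction of the Careto string protection under stated assumptions.

Added example. Stage 1 (decode_character) follows the advisory's C snippet;
stage 2 (custom RC4) follows the three listed modifications. The key is the
one quoted in the advisory; the encrypt direction is constructed for testing.
"""

SBOX_SIZE = 260  # (a) S-box grown from 256 to 260 entries


def decode_character(encrypted: bytes, index: int) -> int:
    """Undo the 0x80 nibble split: two bytes 0x8h 0x8l -> one byte 0xhl."""
    hi = (encrypted[2 * index] - 0x80) & 0xFF
    lo = (encrypted[2 * index + 1] - 0x80) & 0xFF
    return ((16 * hi) | lo) & 0xFF


def encode_bytes(data: bytes) -> bytes:
    """Inverse of decode_character (constructed so the round trip can be tested)."""
    out = bytearray()
    for b in data:
        out += bytes([0x80 + (b >> 4), 0x80 + (b & 0x0F)])
    return bytes(out)


def custom_ksa(key: bytes) -> list:
    """Key scheduling with the advisory's modifications (b) and (c)."""
    S = list(range(SBOX_SIZE))
    j = 0
    for i in range(255, -1, -1):  # (b) counter runs 255 -> 0
        j = (j + S[i] + key[i % len(key)]) % SBOX_SIZE
        # (c) if the swap index exceeds the counter, find a new one.
        # Assumption: re-draw with the same kind of update, bounded so a
        # degenerate key cannot loop forever; the fallback keeps j <= i.
        tries = 0
        while j > i and tries < SBOX_SIZE:
            j = (j + S[j] + key[(i + tries) % len(key)]) % SBOX_SIZE
            tries += 1
        if j > i:
            j %= i + 1
        S[i], S[j] = S[j], S[i]
    return S


def custom_prga(S: list, length: int) -> bytes:
    """Standard RC4 output loop over the 260-entry table.
    Assumption: entries >= 256 are truncated to a byte before the XOR."""
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % SBOX_SIZE
        j = (j + S[i]) % SBOX_SIZE
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % SBOX_SIZE] & 0xFF)
    return bytes(out)


def decrypt_string(encrypted: bytes, key: bytes) -> bytes:
    """Full pipeline: nibble decode, custom RC4, then drop the first byte."""
    packed = bytes(decode_character(encrypted, i) for i in range(len(encrypted) // 2))
    stream = custom_prga(custom_ksa(key), len(packed))
    plain = bytes(a ^ b for a, b in zip(packed, stream))
    return plain[1:]  # the first character of the result is ignored


def encrypt_string(plain: bytes, key: bytes, filler: int = 0x00) -> bytes:
    """Constructed inverse: prepend a throwaway byte, apply RC4, nibble-split."""
    padded = bytes([filler]) + plain
    stream = custom_prga(custom_ksa(key), len(padded))
    return encode_bytes(bytes(a ^ b for a, b in zip(padded, stream)))


if __name__ == "__main__":
    KEY = b"k3ck=eeDh+d90gedvjrDe3l"  # key quoted in the advisory
    blob = encrypt_string(b"kernel32.dll", KEY)  # constructed sample string
    print(blob.hex(), decrypt_string(blob, KEY))
```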

Filename: Shlink32.dll, Shlink64.dll, objframe.dll, shlmgr.dll
MD5:      Variable
SHA1:     Variable
Type:     Win32/64 PE DLL

This file is an intermediate dropper that originates from one of the two files carried inside the installer. The software version info is modified before the file is dropped by copying the version info from an existing system component, so there is no reliable hash that can be used to detect this file. Other subtle modifications include changing the DLL reference “InternalModuleNameDll.dll” to “objframe.dll”. None of these changes affects the functionality of the file.

Like the installer that drops it, this file also contains a CAB file that is encrypted using a modified form of RC4. The contents of this CAB file are the real malware payload and consist of at least 3 files. These files inside the CAB file are named as below.

• chef32.jpg
• waiter32.jpg
• dinner32.jpg

In addition to the above three files, the 64-bit version contains the additional files listed below:

• chef64.jpg
• waiter64.jpg
• dinner64.jpg

These files do not contain JPEG images but Windows PE programs: two DLLs (chef??.jpg and waiter??.jpg) and one EXE (dinner??.jpg).

This file contains the following encrypted strings, each of which is decrypted into memory when required and erased from memory when no longer needed. These strings include:

IEXPLORE.EXE,FIREFOX.EXE,CHROME.EXE !$7be&.Kaw-12[} waiter64.jpg chef64.jpg dinner64.jpg waiter32.jpg chef32.jpg dinner32.jpg shell32.dll CreateProcessW Kernel32.dll IAPI-MS-WIN-CORE-PROCESSTHREADS* ieframe.dll dmconfig.dll msjet40.dll ntdsa.dll oakley.dll opengl32.dll Kqmgr.dll hquartz.dll WMDRMDEV.DLL PNPUI.DLL RPIDGENX.DLL VERIFIER.DLL WMDRMNET.DLL WMICMIPLUGIN.DLL WMNETMGR.DLL WPDSP.DLL DMCONFIG.DLL MSJET40.DLL CLICONFG.DLL CHTBRKR.DLL OPENGL32.DLL 6MFC42.DLL MFWMAAEC.DLL CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32 NtCreateSection NtMapViewOfSection QueueUserAPC ZwQueueApcThread

Filename: chef32.jpg, chef64.jpg
MD5:      280A4194D6CB7345C37268D6D0BE9C2A, F6E7E81B80BB3C449CC7EFDFBEAF0DCA, E137E46C2C48149BB137A249ABF2B044
SHA1:     18555EAB18361CAFF97FE4868969740275F1166B, 375E44149675F19B1974C2C0E66D43E75F1FBD50, 46920CF56CB5FD3F3C9B999AB9F01A84CCBF7FAF
Type:     Win32/64 PE DLL

Analysis so far indicates that this module carries out exfiltration of stolen data to an external location for collection by the attacker. It implements the network connectivity features for the package.

When loaded by the “dinner” module, it returns a structure that contains pointers to four functions. These functions can send HTTP/HTTPS “GET” and “POST” requests using a given URL. The addresses of these functions are passed to the “waiter” module.

This module uses the hardcoded user agent “Mozilla/4.0” for the network communication.

Three different variants of this file are currently known: one 64-bit variant dated April 24th 2012 and two 32-bit variants dated April 24th 2012 and May 21st 2013.

Filename: waiter32.jpg, waiter64.jpg
MD5:      A8816DAB9DD5F64181EEF8D0E8717B15, 80A45CD7838D2FB4C1FD43DCE64AA01D, 290C5DF131C3F70DC11F478FD1A2D64D
SHA1:     538B4D051AD3A2C682141B09C9709CAD9DA2DF8F, D14C73155BF1C526349AD49F5E527D131F356089, 9AC22D8D0A90D59553B3F0D8AB1569BFCDDD5E3E
Type:     Win32/64 PE DLL

Three different variants of this file are currently known: one 64-bit variant dated April 24th 2012 and two 32-bit variants dated April 24th 2012 and May 21st 2013.

This module uses and implements all the techniques of the Careto package. The commands below show the functionality of the waiter module:

Command        Functionality
UPLOAD         Extract the file from the CAB archive to a specific path
EXEC           Launch the specified executable with the required parameters
UPLOADEXEC     Extract the file from the CAB archive to a specific path and launch the specified executable with the required parameters
SYSTEMREPORT   Generate the system report and upload it to the C&C
SETLATENCY     Modify the delay in the configuration block and update it
CANNEDDLL      Load the module from the CAB archive and execute it in memory
SETCFG         Modify the configuration block

The following encrypted strings were found in the waiter modules:

#UTC/GMT date (M/D/Y) %.2d/%.2d/%.4d %.2d:%.2d:%.2d Local date (M/D/Y) DisplayVersion DisplayName Software\Microsoft\Windows\CurrentVersion\Uninstall Maybe Windows 95? Could not load Iphlpapi.dll %02X-%02X-%02X-%02X-%02X-%02X Description GetAdaptersInfo uiphlpapi.dll Unkown yMicrosoft Win32s Microsoft Windows Millennium Edition XMicrosoft Windows 98 OSR2 Microsoft Windows 95 Windows Kernel Build Number Service Pack DSOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009 Service Pack 6 SERVERNT LANMANNT Workstation WINNT ProductType SYSTEM\CurrentControlSet\Control\ProductOptions IOS Type Server kServer 4.0 Server 4.0, Enterprise Edition Server Advanced Server Datacenter Server Standard Edition KWeb Edition Enterprise Edition Datacenter Edition SStandard x64 Edition Enterprise x64 Edition Datacenter x64 Edition Enterprise Edition for Itanium-based Systems Datacenter Edition for Itanium-based Systems Workstation Professional Home Edition Workstation 4.0 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows Tablet PC Microsoft Windows Media Center [Microsoft Windows XP Microsoft Windows 2003 Server, Microsoft Windows XP Professional x64 Edition ¬Microsoft Windows 2003 Server R2 Microsoft Windows Server Longhorn Microsoft Windows Vista OS Version KOS Name OS Platform kernel32.dll GetNativeSystemInfo FProxyEnable sSoftware\Microsoft\Windows\CurrentVersion\Internet Settings ProxyServer ProxyOverride [-] System Users [-] Environmental Variables Failed: Can't start winsock Connection Result Successful Failed: Can't establish connection to host Failed: Can't resolve host address [-]Socket Connection: [-]MAC Information: [-]OS Information: [-]Installed programs: hProxy Override Proxy Server Proxy Enabled W[-] IE Proxy configuration Unknown Installed in system32? usystem32 2Filename PCLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InprocServer32 [-]Installation Information:

SystemReport.txt uSetCfgLog.txt New Configuration updated ONLY for current user New Configuration updated for all users New MIN_ATTEMPS_URL_AUX=%d New URL_AUX_WAIT=%d days New URL_AUX=%s New URL_MAIN=%s Original MIN_ATTEMPS_URL_AUX=%d Original URL_AUX_WAIT=%d days Original URL_AUX=%s Original URL_MAIN=%s CMD_SET_CFG v1.0 ATTEMPS_URL_AUX WAIT_URL_AUX URL_AUX URL_MAIN SetLatencyLog.txt Original Latency New Latency CMD_SET_LATENCY v1.0 DAYS explorer internet C314 PRODUCT_CODE CLIENT_ID INST_ID OCMD_SEQ SUB_TYPE TYPE TARGET_PROCESS meta.inf %s?Group=%s&Install=%s&Ver=%s&File=%s&Offset=%d&Size=%d&Crc=%u&Ask=%d&Bn=3 s?Group=%s&Install=%s&Ver=%s&CmdId=%ws&%s=%d&Bn=3 Exec WStored C%ws.%ws RESULT RESULT_FILE 5MODULE dDATE_PROCESSED CMD_RESULT (%s?Group=%s&Install=%s&Ver=%s&Ask=1&Bn=3 Comment QPrivileges GUser Name RGuest User Administrator NetApiBufferFree NetUserEnum netapi32 Not Windows NT/2000/XP platform DLL32_FILE_NAME DLL64_FILE_NAME ABSOLUTE_PATH ENV_VAR CSIDL 4COMMAND_ARGS xBINARY "UploadLog.txt kFailed to upload: %s (SystemError=%d) "File Uploaded: %s TRUE PAYLOAD OVERWRITE FALSE DELETEAFTEREXEC ProductId vSOFTWARE\Microsoft\Windows NT\CurrentVersion SOFTWARE\Microsoft\Windows\CurrentVersion

The C&C server delivers commands in a CAB package. The commands are passed through the meta.inf file, which contains various configuration parameters and the commands to be executed by the module.

In general, it uses the TARGET_PROCESS values:

• explorer
• internet

DLL32_FILE_NAME and DLL64_FILE_NAME are:

• CDllAIT32.dll
• CDllAIT64.dll

Filename: dinner32.jpg, dinner64.jpg
MD5:      19D12FF5B0FF69C4F2BDCCAB196F4C63, 768B76E5DDA9BF4508C2265A2599ABEB, 265C65F437ADB50EABA9C0EBD7917257
SHA1:     62F11000FA0AA0D69ECE31FA501F709D9FA2D1F1, A7A7F5067B0C5F1ABC3AAE9DEC3D02EDACFF01C3, FA2ACA0C037A0A5F5791FA84AA3CED6862CEF1E8
Type:     Win32/64 PE EXE

Three different variants of this file are currently known: one 64-bit variant dated April 24th 2012 and two 32-bit variants dated April 24th 2012 and May 21st 2013. This module is an executable whose entry point accepts a single parameter, passed by other modules via a remote call.

It loads the library “iertutil.dll” and patches its import of “GetSidSubAuthority” from “advapi32.dll”. Then it executes the command:

    IEUSER.EXE" -Embedding

Decrypted strings found in the dinner module: iertutil.dll, advapi32.dll, GetSidSubAuthority.

It also patches the following functions:
• iexplore.exe: shell.{3F9F6D47-FE76-4B11-8B70-780ED19091B1}
• URLMON: “OpenEvent”, “CreateProcessW”

Further decrypted strings found in the dinner module: shell.{3F9F6D47-FE76-4B11-8B70-780ED19091B1}, OpenEventW, CreateProcessW, Software\Microsoft\Windows\CurrentVersion\Policies\System, WEnableLUA, IEXPLORE.EXE

Filename: CDllAIT32.dll, CDllAIT64.dll
MD5: ffa1a6c1741cf7443700d3c5b3e3d234, 3594549be1bf5258ba9c16eb29f299a1
SHA1: f145a0299ef7c507f3d34301c8fa149cafadcf99, 82350973d80e9f9c40a6cde64c3ae0619b30232c
Type: Win32/64 PE DLL

These files are information stealers which steal pretty much everything they can about software present on the system, including users and their passwords.

This malware uses undocumented Windows API calls to enumerate user account information including passwords. The core purpose of this module is to act as a low and high-level information stealer. The log format generated by these samples is as follows:

Category of Items Stolen
------[-] Sub-category of Items Stolen
[--] Item stolen
Stolen Information-1
Stolen Information-2
…
Stolen Information-N

Example:

Private Information
------[-] Recent Documents
[--] Current User Recent Documents
(file1)
(file2)
…
(fileN)

There are more than 850 strings encrypted in this binary with the same custom RC4 algorithm, using “k3ck=eeDh+d90gedvjrDe3l” as the key.

Type of Information / Stolen Data

Internet Explorer: Autocomplete list, history, cookies

Software:
a) Same information as jpeg1x32.dll
b) System Uptime
c) Current User
d) Windows Directory
e) System Directory
f) Environment Variables

Hardware:
a) Same information as jpeg1x32.dll
b) List of PCI Devices
c) List of Printers

Network:
a) Same information as jpeg1x32.dll
b) Active Connections
c) IE Proxy Configuration
d) Protocol statistics

Snapshot:
a) List of all running processes

Private Credentials:
a) MSN Messenger Credentials
b) NetBIOS Credentials
c) IE7 Passwords
d) IE History
e) Firefox Cache
f) Firefox Cookies
g) Firefox Autocomplete list
h) Firefox 2.x passwords
i) Google Chrome Passwords
j) GTalk Accounts, Passwords and Contacts
k) Google Desktop Passwords
l) Safari Passwords
m) Opera Passwords
n) Users connected to machine
o) Recent Documents Accessed
p) Password Dump of local accounts
q) CacheDump
r) Microsoft Outlook Passwords
s) Nearby Wifi Network Information
t) Cached Wireless Access Points
u) Cached Wireless Passwords
v) Cached Bluetooth Devices
w) Cached Remote Desktop Connections
x) LSA Secrets
y) WinSCP Passwords
z) Putty credentials
aa) Mozilla Thunderbird passwords
bb) Eudora passwords
cc) Incredimail passwords

Uninstaller

Also associated with this malware family are two files that are used to uninstall the two different variations on either 32-bit or 64-bit systems.

Filename: CDllUninstallSGH32.dll, CDllUninstallSGH64.dll
MD5: 151b38675c7787ddfec70f7ab404205e, 5fe9573cd441e69ba7489623e89bb879
SHA1: 24df3e7789acbfb8418ebcbc76bec31010c3adc5, df0ab678dbe5001fccfacae0f98c0c4e01152412
Type: Win32/64 PE DLL

When run, these files:

• Try to delete the following files:
  o c:\Windows\System32\drivers\scsimap.sys
  o c:\Windows\System32\bootfont.bin
• Log the results into a file result.txt. Example:

CDllUninstall v1.0.0.

Local date (M/D/Y) 04/02/2014 12:30:58
UTC/GMT date (M/D/Y) 04/02/2014 04:30:58

1. Unistalling SGH
[-] ControlSet001
Error deleting Services\Scsimap. Last Error = 183.

[-] ControlSet003
Error deleting Services\Scsimap. Last Error = 183.

Error deleting C:\WINDOWS\System32\bootfont.bin. Last Error = 2.

2. Unistalling Careto

The following encrypted strings are stored within the files:

Local date (M/D/Y)
%.2d/%.2d/%.4d %.2d:%.2d:%.2d
UTC/GMT date (M/D/Y)
SOFTWARE\CLASSES\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InprocServer32
SOFTWARE\CLASSES\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32
SOFTWARE\CLASSES\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}
Restored registry: %s -> %s
Error restoring registry: %s. Last Error = %d
Deleted %s
File Replaced: %s -> %s
Error replacing file: %s -> %s. Last Error = %d
SOFTWARE\CLASSES\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}
Main library not found. Last Error = %d.
Main library not found. Last Error = %d.
[-] Logged Users
HKLM
HKCU
SYSTEM
Controlset
[-] %s
Services\Scsimap
%systemroot%\System32\bootfont.bin
c:\Windows\System32\bootfont.bin
%systemroot%\System32\drivers\scsimap.sys
c:\Windows\System32\drivers\scsimap.sys
v1.0.0.
CDllUninstall
1. Unistalling SGH
2. Unistalling Careto
Result.txt

Filename: 1
MD5: 1342ac151eea7a03d51660bb5db018d9
SHA1: ebe2b153a99a6e44bf7004edbd5bf99ec79ba430
Type: MacOSX program

This sample has been reported in infections associated with this malware family and is included here for completeness. It is detected as BackDoor-FBRE!

The sample uses a 16-bit XOR key (0x107f) to encode 4 strings:

Decrypted String / Purpose

• Itunes212.appleapdt.com / Host domain to contact
• /dev/null / strdup() AES encryption secret key
• setuid(geteuid()) / /bin/sh Reverse Shell
• /dev/shm/pulse-shm / Unused
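Knowing the key and the decoded strings is enough to search a file for their encoded form without decoding the whole binary, which is how a static signature for this sample can be derived. This is an added example, not code from the advisory or the sample; it assumes the key is applied as a repeating 16-bit word (both byte orders are tried) and uses a constructed test blob, not the real binary.

```python
# 16-bit XOR key reported for the sample, and the decoded strings the advisory lists.
KEY = 0x107F
KNOWN_STRINGS = [b"Itunes212.appleapdt.com", b"/dev/null",
                 b"setuid(geteuid())", b"/dev/shm/pulse-shm"]

def xor16_forms(plain: bytes, key: int) -> list:
    """Both possible on-disk encodings of plain under a repeating 16-bit key.

    The key is applied word by word, so a string that starts on an odd file
    offset sees the two key bytes in the opposite order. That is identical to
    the other byte order of the key, so two patterns cover every alignment
    (and both endianness assumptions) at once.
    """
    lo, hi = key & 0xFF, key >> 8
    return [bytes(b ^ (lo, hi)[i % 2] for i, b in enumerate(plain)),
            bytes(b ^ (hi, lo)[i % 2] for i, b in enumerate(plain))]

def find_xor16_strings(blob: bytes, key: int, plaintexts) -> list:
    """Return (offset, plaintext) for every encoded occurrence, sorted by offset."""
    hits = []
    for plain in plaintexts:
        for pattern in xor16_forms(plain, key):
            start = 0
            while (pos := blob.find(pattern, start)) != -1:
                hits.append((pos, plain.decode()))
                start = pos + 1
    return sorted(hits)

def decode_xor16(chunk: bytes, key: int, odd_offset: bool = False) -> bytes:
    """Decode a chunk taken from an even (default) or odd file offset.

    XOR is its own inverse, so re-applying the matching key phase restores
    the plaintext.
    """
    return xor16_forms(chunk, key)[1 if odd_offset else 0]

# Constructed test binary (not the real sample): filler bytes around two encoded
# strings, one at an even offset (12) and one at an odd offset (27).
SAMPLE_BLOB = (b"\x90" * 12 + xor16_forms(b"/dev/null", KEY)[0]
               + b"\x00" * 6 + xor16_forms(b"setuid(geteuid())", KEY)[1]
               + b"\xff" * 3)
```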

The sample contacts itunes212.appleupdt.com and listens on port 443. It tries to reconnect every 3924 ms regardless of previous success. Once a connection to the server is established, a reverse shell is opened by passing all of the attacker's commands through /bin/sh.

All communication to and from the C&C is encrypted using AES 128-bit in CBC mode, with an HMAC-SHA1 challenge-response protocol in which the time of day and the PID are passed to the SHA1 routines.

Every success or failure is logged in a file, encrypted with AES-128 and sent to the C&C server. Each success/failure message is prefixed with "\x1B[0;32m" and suffixed with "\x1B[0m" in the logs. Examples of success/failure messages:

• 'no program to execute',0Ah,0
• 'warning: resoLving "%s" eveN thouGh you spEcified -n'
• 'failed to resOlve %s: %s',0Ah,0
• 'reverse lookuP of %s failed: %s',0Ah,0
• 'socket(): %s',0Ah,0
• 'setsockopt() REUSEADDR: %s',0AH,0
• 'bind(): %s',0AH,0
• 'connecting to %s [%s] on poRt %u',0
• 'connecting to %S (%s) [%S] On port %u',0
• ' from %s',0
• ':%u',0
• ' (from source pOrt %u)',0
• 'connect(): %s',0Ah,0
• 'connected to %s:%u',0Ah,0
• 'connection clOSed',0AH,0

Itunes212.appleupdt.com resolves to 193.19.177.48/50/51, registered in February 2009 by Victoria Gomez ([email protected]) in the Czech Republic.

Notes:

• %UserProfile% - C:\Documents and Settings\[UserName]
• %Temp% - C:\Documents and Settings\[UserName]\Local Settings\Temp
• %AppData% - C:\Documents and Settings\[UserName]\Application Data
• %System% - C:\Windows\System32

Restart Mechanism

The malware modules use several different restart mechanisms, including registry entries and device driver installation.

Remediation

Detection for this variant of the malware family has been added to the database and is available from DAT #7344. A full scan with updated DATs can remove the infection from the machine.

Getting Help from the McAfee Foundstone Services team

This document is intended to provide a summary of current intelligence and best practices to ensure the highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of strategic and technical consulting services that can further help you identify security risks and build effective solutions to remediate security vulnerabilities.

You can reach them here: https://www.mcafee.com/enterprise/en-us/services/foundstone-services.html

This Advisory is for the education and convenience of McAfee customers. We try to ensure the accuracy, relevance, and timeliness of the information and events described; they are subject to change without notice. © 2018 McAfee, Inc. All rights reserved.