TG Soft Cyber Security Specialist - Vir.IT eXplorer: AntiVirus, AntiSpyware, AntiMalware, AntiRansomware and Crypto-Malware protection
Detects viruses and malwareIdentifies polymorphic viruses thanks to DEEP SCANMacro Virus AnalyzerINTRUSION DETECTION TechnologyVirus/malware removal toolsInstallation on Active Directory16/32/64 bit Real-Time ProtectionVir.IT Scan MailVir.IT Console Client/ServerVir.IT WebFilter ProtectionAutomatic Live-UpdateVir.IT Personal FirewallItalian Tech SupportAntiMalware Reserch Center


Submit suspicious file
fb rss linkedin twitter

ICSA Lab

Vir.IT eXplorer PRO pass the test VB100 2017-04

AMTSO

OpsWat

EICAR Membro SERIT - SEcurity Research in ITaly

27/06/2018 12:20:20 - Cyber-espionage: Italian services centers of Samsung spied by malware

      
 
 
 
 
TG Soft's Research Centre (C.R.A.M.) has analyzed the campaign of spear-phishing on 2 april 2018 targeting the service centers of Samsung Italy.
The campaign analyzed is targeting only the service centers of Samsung Italy,  it's an attack multi-stage and we have monitored it until july 2018.
We thank Samsung Italy for the effective collaboration that has allowed a detailed reconstruction of the spy case targeting own service centers.

Download the report in PDF (in italian): "Centri assistenza Samsung sotto attacco"
 
 
Analysis by: Gianfranco Tonello, Federico Girotto, Michele Zuin
Last revision: 12 luglio 2018

INDEX

 

Campaign of spear-phishing targeting the service centers of Samsung Italy

At the beginning of the month of April 2018 a spear-phishing campaign spread to the italian service centers of Samsung. The attack campaign started on 2 April 2018 at 2.15 pm with the spread of an email with the subject: "Comunicazione 18-061: gestione centri non autorizzati".

The attack seem targeting only the service centers of Samsung Italy and it isn't a massive malspam campaign.

It would seem that a similar attack was made at the end of March 2018 towards Samsung's Assistance Centers in Russia with the same modus operandi, as indicated by the Fortinet report:  "Non-Russian Matryoshka: Russian Service Centers Under Attack".

Now we will analyze the spear-phishing campaign that has spread in Italy.
The work to build the spear-phishing mail to perform the attack was perfect:
  • the email seems to arrive from the official Samsung Italy house
  • the body of the message is written in perfect Italian, contains elements and references to the Samsung company, the topics covered are known to the recipients of the message
  • the attached file is an Excel document: "QRS non autorizzati.xlsx"
  • the message is signed by the IT Service Manager of Samsung, a real person in Samsung Italy, where are indicated all his personal information as email and telephone numbers
In the figure we can see the spear-phishing mail sent to the Samsung Service Centers:


 

As you can see in the body of the message very specific terms are used, such as:
  • Dealer che spediscono prodotti non scontrinati con la propria ragione sociale
  • Centri assistenza non autorizzati che vi inoltrano i volumi in garanzia che non possono gestire
The analysis of the text, makes us suppose that the message was written by an Italian mother tongue and no automatic translators were used, also terms of the sector were used as "non scontrinati" or "volumi in garanzia" that are directly connected to the recipients of the message.
As you can see from the figure of the email, the logo and company data are shown in the bottom of the message:
  • "SAMSUNG ELECTRONICS ITALIA SPA", Via Mike Bongiorno, 9 - 20124 Milano (MI)  - Italy
  • internal telephone number of the IM & IT Service Manager
  • email address of the IM & IT Service Manager
The data indicated in the email are real and correspond effectively to the person indicated in the message.

The email sent to Samsung's service centers contains the following Excel document:
 
Name: QRS non autorizzati.xlsx
Size: 18454 byte
MD5: 47EF2AE50AAE4AADF3B6BAEB412C7C6C
VirIT: X97M.DownloaderSam.A

The file "QRS non autorizzati.xlsx" contains the vulnerability CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability) on the module "eqnedt32.exe" Equation Editor of Excel, which downloads the malware from the site: lnx.hdmiservice[.]com/im6.exe.

Interestingly, the Excel document "QRS non autorizzati.xlsx" (Quick Repair Service) actually contains the list of unauthorized service centers, as we can see in the picture (for privacy reasons names and addresses have been obfuscated):



At this point we have checked if the e-mail sent to the Service Centers, had actually started from Samsung Italy.
In the figure we can see the header of the infected email sent:
Received: from MT01EX03N01.MT01.mse.messcube.it (10.35.253.12) by
 MT01EX03N04.MT01.mse.messcube.it (10.35.253.15) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.1.1415.2 via Mailbox Transport; Mon, 2 Apr 2018 14:42:09 +0200
Received: from MT01EX06N04.MT01.mse.messcube.it (10.35.253.27) by
 MT01EX03N01.MT01.mse.messcube.it (10.35.253.12) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.1.1415.2; Mon, 2 Apr 2018 14:42:09 +0200
Received: from mx1.mse.messcube.it (10.35.254.147) by
 MT01EX06N04.MT01.mse.messcube.it (10.35.253.27) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.1.1415.2 via Frontend Transport; Mon, 2 Apr 2018 14:42:09 +0200
Received: from localhost (unknown [127.0.0.1])
    by mx1.mse.messcube.it (MSG3smtpd) with ESMTP id 70736199B
    for <galXXX@XXXXXXXX.191.it>; Mon,  2 Apr 2018 12:42:09 +0000 (UTC)
X-Virus-Scanned: amavisd-new at mse.messcube.it
X-Spam-Flag: NO
X-Spam-Score: 2.001
X-Spam-Level: **
X-Spam-Status: No, score=2.001 tagged_above=-9999 required=10
    tests=[HTML_IMAGE_ONLY_24=2, HTML_MESSAGE=0.001,
    RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01,
    RCVD_IN_MSPIKE_WL=-0.01, SPF_SOFTFAIL=0.01, URIBL_BLOCKED=0.01]
    autolearn=disabled
Received: from mx1.mse.messcube.it ([127.0.0.1])
    by localhost (mx1.mse.messcube.it [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 0BgHMPCU_p-2 for <galXXX@XXXXXXXX.191.it>;
    Mon,  2 Apr 2018 14:42:08 +0200 (CEST)
X-Greylist: delayed 00:24:41 by SQLgrey-1.8.0
Received: from qproxy4-pub.mail.unifiedlayer.com (qproxy4-pub.mail.unifiedlayer.com [66.147.248.250])
    by mx1.mse.messcube.it (MSG3smtpd) with ESMTPS id 660B91998
    for <galXXX@XXXXXXXX.191.it>; Mon,  2 Apr 2018 14:42:07 +0200 (CEST)
Received: from cmgw2 (unknown [10.0.90.83])
    by qproxy4.mail.unifiedlayer.com (Postfix) with ESMTP id B2763A0328
    for <galXXX@XXXXXXXX.191.it>; Mon,  2 Apr 2018 06:17:24 -0600 (MDT)
Received: from box1125.bluehost.com ([50.87.248.125])
    by cmgw2 with
    id VQHM1x0012j4P7W01QHQoF; Mon, 02 Apr 2018 06:17:24 -0600
X-Authority-Reason: s=1
X-Authority-Analysis: v=2.2 cv=M5g9E24s c=1 sm=1 tr=0
 a=ip9sk82UPAQ/lpE5utroiw==:117 a=ip9sk82UPAQ/lpE5utroiw==:17
 a=Kd1tUaAdevIA:10 a=VNXQTJTquIlysLCTy2YA:9 a=QEXdDO2ut3YA:10 a=hD80L64hAAAA:8
 a=xGSJWl63D5C4vKWM0foA:9 a=OMArbbpFsjqrJjHB:21 a=_W_S_7VecoQA:10
 a=4k4lOSeL9kw-s91eC94A:9 a=gNstRkxIVkbMzKS_:18 a=HXjIzolwW10A:10
 a=KwgpVZE-ergA:10 a=Fx9ydsAayyh_TJjkqnAA:9 a=IKIoO-ieCDEA:10
 a=7qx8gLC0iM8A:10 a=oQrlS-b8-hQA:10 a=ckal8g68nOMA:10
 a=08aomhM6C-o7A7omF0Fb:22 a=X1c0k9nRQnjIoBfxGzdG:22
Received: from [127.0.0.1] (port=52965 helo=box1125.bluehost.com)
    by box1125.bluehost.com with esmtpa (Exim 4.89_1)
    (envelope-from <XXXXXXXX@samsung.com>)
    id 1f2yMD-003zSm-6f; Mon, 02 Apr 2018 06:14:41 -0600
Content-Type: multipart/mixed; boundary="=_2c36885fcd61b6cbe3b9c4eecddf1ca4"
Date: Mon, 2 Apr 2018 06:14:39 -0600
From: XXXXXXXX <XXXXXXXX@samsung.com>
To: undisclosed-recipients:;
Subject: Comunicazione 18-061: gestione centri non autorizzati
Message-ID: <1c943c1a0c12fc59f4afdb39704d4d3f@samsung.com>
X-Sender: XXXXXXXX@samsung.com
User-Agent: Roundcube Webmail/1.2.7
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box1125.bluehost.com
X-AntiAbuse: Original Domain - XXXXXXXX.191.it
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - samsung.com
X-BWhitelist: no
X-Source-IP: 127.0.0.1
X-Exim-ID: 1f2yMD-003zSm-6f
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (box1125.bluehost.com) [127.0.0.1]:52965
X-Source-Auth: zaragoza1@sam.gruposim.mx

X-Email-Count: 325
X-Source-Cap: Z3J1cG9zaW07Z3J1cG9zaW07Ym94MTEyNS5ibHVlaG9zdC5jb20=
X-Local-Domain: no
Return-Path: XXXXXXXX@samsung.com
X-MS-Exchange-Organization-Network-Message-Id: 809f8a03-b5df-4845-3b98-08d598972667
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-ABP-GUID: d7d8dc25-011d-41eb-8635-bf56c3cd3286
X-MS-Exchange-Organization-AuthSource: MT01EX06N04.MT01.mse.messcube.it
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.4068414
X-MS-Exchange-Processed-By-BccFoldering: 15.01.1415.002
MIME-Version: 1.0

In the figure we can see the steps of sending the infected email:

 


The analysis of the header of the infected message showed that the email was sent by a webmail provider "bluehost.com". The webmail used would correspond to the machine box1125.bluehost.com (ip: 50.87.248.125) which is assigned to the Mexican company GrupoSim (gruposim.mx). As we can see from the MxToolbox record:

The access to the webmail seems to have happened with the email address: zaragoza1@sam.gruposim.mx.
So the infected email was not sent by Samsung Italy, but it was sent from a webmail of the Mexican company GrupoSim, whose login credentials to the email zaragoza1@sam.gruposim.mx may have been stolen by the actors of this cyber-espionage attack.



Torna ad inizio pagina


Service center: HDMI SERVICE

As we have written previously, opening the infected document "QRS non autorizzati.xlsx", it runs an OLE object embedded in the document, which exploits the CVE-2017-11882 vulnerability to download malware from the site: lnx.hdmiservice[.]com/im6.exe. Without bothering you with the shellcode technique used, we focus instead on the domain from where the malware from this espionage campaign is downloaded.

The domain under observation is  lnx.hdmiservice[.]com hosted on Aruba, you can see the homepage in the picture.
This domain is connected to an authorized Samsung service center, which for now is not considered appropriate to indicate the name.
  • [...Omissis...] (CENTRO ASSISTENZA SAMSUNG - TOSHIBA - HISENSE)
  • Via [...Omissis...]
  • Cap: [...Omissis...] Città: [...Omissis...] Prov.: [...Omissis...]

Public informations obtained from the service "Pagine Bianche":



The home page of the site lnx.hdmiservice[.]com is very "skinny", it seems that the site has been left to itself, there is no information about the company, but according to our research this domain seems to be connected to an official Samsung service center, as we can see from the website of the Korean manufacturer, see figure.


To complete the perfection of the spear-phishing campaign against Samsung service centers, the document infected with the EX-QRS list downloads the malware from a site of a service center of Samsung Italy.

It is assumed that the domain of the "HDMI Service" was compromised before March 19, 2018, and the attack took place according to this scheme:
 

  1. On March 19, 2018 Samsung Italy sends the communication "Comunicazione 18-061: gestione centri non autorizzati" to its authorized service centers.
  2. It is assumed that one of these centers is spied on and that the email credentials where they received the communication 18-061 were stolen by the actors of the attack. The original Samsung email is then exfiltrated by the cyber-criminal group.
  3. The cybercriminal group re-packs the original email of Samsung, keeping the body of the message in perfect Italian and relevant to the recipients, but modifies the document  "QRS non autorizzati.xlsx" making it malevolent inserting the infected OLE object;
  4. The fake email of Samsung infected is sent on 02/04/2018 (Easter Monday) through the webmail of GrupoSim (Bluehost provider) to service centers of Samsung Italy.


Torna ad inizio pagina


Technical analysis of payload im6.exe

The opening of the infected document "QRS non autorizzati.xlsx", which exploits the CVE-2017-11882vulnerability, involves the download and execution of the malware from the site: lnx.hdmiservice[.]com/im6.exe. The downloaded im6.exe file is saved with name notepad.exe inside the folder: %appdata%\notepad.exe

Name: notepad.exe
Size: 675840 byte
Description of file: Pidgin - Versione 2.3.7.2 - Copyright (C) 1998-2010 The Pidgin developer community (See the COPYRIGHT file in the source distribution).
MD5: C750536CD26C071C97B91CB3CEDF50B0
Compilation timestamp: 02 april 2018 12.24.36
Malware family
: Spyware - RAT
VirIT: Backdoor.Win32.SamRATim.A

Description
:
The notepad.exe file is compiled in MSIL and is obfuscated with the ConfuserEx v0.6.0. Inside notepad.exe twe find another executable file called BootstrapCS.exe in encrypted form

Name: BootstrapCS.exe
Size: 352768 byte
Description of file: BootstrapCS - Versione 1.0.0.0 - Copyright ©  2017
MD5: FBF757927F16ABE4F80B051C56445798
Compilation timestamp: 02 april 2018 12.24.36
VirIT:
Backdoor.Win32.SamRATim.B

The BootstrapCS.exe file is compiled in MSIL, but isn't obfuscated . Inside we can find a resource called  "settings" for the malware configuration.
As we can see in the figure, in the configuration resource there are several anti-analysis checks indicated. The malware in question has enabled the controls of:
  • anti_fiddler
  • anti_sandboxie
  • anti_vm
  • anti_wireshark
This allows the malware to recognize if it is running in a virtual environment or sandbox, and to check if the Wireshark program and the Fiddler web debugger are active.

Interesting is the parameter "injection" set to 2, which allows you to indicate in which application to perform the injection of malware. In this case, it executes the injection on the RegAsm.exe process, as we can see from the figure below.
 
 



The malware injects the resource "_mainFile" into the RegAsm.exe process. The "_mainFile" resource is encrypted with a simple "xor" with a 0x20 key. From the decrypted resource "_mainFile", you get another executable file im3.exe:

Name: im3.exe
Size: 330240 byte
Description of file: im3.exe - Versione 1.0.0.0
MD5: 8568B119697FC8187E31988887599DAB
Compilation timestamp: 13/03/2018 07.39.57
VirIT:
Backdoor.Win32.SamRATim.H


The im3.exe file is nothing more than the Imminent-Monitor client, a commercial remote administration program (https://imminentmethods.net), in which we can read the following watermark:
please contact abuse@imminentmethods.net with the hardware id: "916581c30ad99fa570e8172ea42e3af8" and company name: "test" if this assembly was found being used maliciously. this file was built using invisible mode


Injection scheme used by notepad.exe to inject im3.exe into the RegAsm.exe process:  


The client Imminent-Monitor inside the file im3.exe is a commercial remote administration program, which allows:


  • File Explorer
  • Gathering Computer Specifications (Client Identifier, Unique Identifier, Public IP Address, Private IP Address, MAC Address, Operating System, Computer Name, Computer Username, System Privileges, Installed Screens, Processor, Graphics Card, Ram, Ram Usage, Battery Usage, Last Reboot, Installed Anti-Virus, Firewall Status)
  • Clipboard Manager
  • RDP Manager
  • Password Recovery
  • Camera Surveillance
  • Remote Desktop
  • Task Manager
  • Window Manager
  • Registry Manager
  • Startup Manager
  • Command Prompt
  • TCP View
  • Reverse Proxy
  • Machine Management
  • Keystroke Logging
  • Elevate Client Permissions
  • Remote Execute
  • Scripting
 

The file im3.exe is written in MSIL, we find 3 resources:
  • 0x90
  • im3.Resources.resources -> _7z
  • im3.Resources.resources -> application
The resource 0x90 contains 7 strings in Base64, these strings are encrypted:
  • im3.Resources
  • application
  • 28d6cea3-468a-47a7-99e1-ad87edd5d5ab
  • System.Reflection.Assembly
  • Load
  • im3.Resources
  • _7z
The resource 0x90 is used to decrypt the resource "application" through the key "28d6cea3-468a-47a7-99e1-ad87edd5d5ab". The decrypted resource obtained is compressed with 7z (lzma), after decompressing it, the malware run it.

Inside the "application" resource we find Imminent, which creates the folder of the same name in %appdata% (%appdata%\roaming\Imminent), in which we find 2 subfolders:
  • Logs
  • Monitoring
In the "Logs" folder we find the daily log files captured by Imminent (eg 02-07-2018), instead in the "Monitoring" folder we find two files:
  • network.dat
  • system.dat
The malware connects to the command and control server (C2) cb5cb5.noip[.]me through port 3339.
The command and control server is not always active, but when the RAT can connect to cb5cb5.noip[.]me through port 3339, the first command it receives is to connect to the domain www.iptrackeronline.comto get the victim's IP address. At this point, in addition to sending the exfiltrated information to the C2 server, it can receive commands to download new versions of RAT malware.

In the analyzed campaign we saw that it has downloaded new RAT malware from:
  • lnx.hdmiservice[.]com/WM.exe
  • lnx.hdmiservice[.]com/nj.exe
The first malware "WM.EXE" belongs to the Revcode WebMonitor family, whereas the second "nj.exe" belongs to the njRAT (Bladabindi) family.


Torna ad inizio pagina


Technical analysis of RAT Revcode WM.exe

As we have seen, from the command and control server cb5cb5.noip[.]me, the actors of this attack can download other types of RAT into the victim's computer. In the attack analyzed the malware was downloaded and executed from the site: lnx.hdmiservice[.]com/WM.exe. The downloaded WM.exe file is saved with the name VBC.exe inside the startup menu folder:
%appdata%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe

Name: vbc.exe
Size: 802816 byte
Description of file: Pidgin - Versione 2.10.12 - Copyright (C) 1998-2010 The Pidgin developer community (See the COPYRIGHT file in the source distribution).
MD5: C966F4A0916A1B5403E10F15F3591F06
Compilation timestamp: 01/04/2018 22.07.17
Malware family
: Spyware - RAT Revcode
VirIT: Backdoor.Win32.SamRATwm.F

Description
:
The vbc.exe file is compiled in MSIL and is obfuscated with the SmartAssembly. When running the vbc.exe file, the following files are created in %temp%: 
  • thfdfdnewa-.txt
  • agdfdffhit.bat
  • agdfnwinvss.vbs
  • ru33dde11.bat
The file thfdfdnewa-.txt is a copy of vbc.exe
The file ru33dde11.bat contains the command: wscript.exe "%temp%\agdfnwinvss.vbs" "%temp%\agdfdffhit.bat
The file agdfnwinvss.vbs contains the comamnd: CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
The file agdfdffhit.bat runs the command dos copy:
copy "%users%\AppData\Local\Temp\thfdfdnewa-.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe"

Inside vbc.exe we can fined in encrypted form an other executable file compressed with UPX, this file isn't saved on the disk, but is used for the injection on RegAsm.exe process.

Name: <without name
Size: 147968  byte
Description file:
MD5: 31664036A9917EE12DDA6688C72E878F
Compilation timestamp: 29/12/2017 00.08.39
VirIT:
Backdoor.Win32.SamRATwm.G

The file compressed with UPX,
it is decrypted in memory through this algorithm:

and after that injected into the RegAsm.exe process.
The module compressed with UPX is a commercial RAT (written in Visual Basic) called  Revcode WebMonitor (https://revcode.eu/), cwhich allows to perform various operations of data exfiltration as:
  • WebCam
  • Screen Capture
  • Keylogger
  • Audio recorder
  • Injection
  • Clipboard
The RAT WM.exe (vbc.exe), aka RevCode, connects to the following C3 server irvingl.wm01 [.] to (ip: 5.206.224 [.] 22), to the following page: https: // irvingl. WM01 [.] to / recv3.php

The exfiltrated information is sent via "post", with the following structure:
code=bF6kAccY8yON[..]Jw== &data=BnvYaTa52ClOqYNyUuGC[..]EB47jQ== &key=YuqeS5by2ufBL[..]y &uid=57823F7953[..]20 &cmp=1 &enc=1



Torna ad inizio pagina


Technical analysis of payload njRAT nj.exe (Bladabindi)

In the attack analyzed, in addition to being downloaded the previous RAT, in some cases it was observed that in the victim's computer was downloaded and executed another malware from the site: lnx.hdmiservice[.]com/nj.exe. The downloaded file nj.exe is saved with the name server.exe inside the folder %appdata%\Roaming.

Name: server.exe
Size: 365056 byte
Description of file: Sonork Messenger - Versione 4.2.0.0 - Copyright © 2003-2006 by GTV Solutions, Incorporated
MD5: D1642488C5A0181FE57C474069DF8C04
Compilation timestamp: 02 april 2018 12.33.27
Malware family
: Spyware - njRAT (Bladabindi)
VirIT: Backdoor.Win32.SamRATnj.B

Description
:
The file server.exe is compiled in MSIL and is obfuscated with the ConfuserEx v0.6.0 program. Inside server.exe we find another executable file in encrypted form BootstrapCS.exe

Name file: BootstrapCS.exe
Size: 46592 byte
Description of file: BootstrapCS - Versione 1.0.0.0 - Copyright ©  2017
MD5: ABBE16193144DAC74DAE7B9DE653D84F
Compilation timestamp: 02 april 2018 12.33.27
VirIT:
Backdoor.Win32.SamRATnj.E


The file BootstrapCS.exe is compiled in MSIL, but isn't obfuscated. Inside we can find a resource called  "settings" for the malware configuration.
As we can see in the figure, in the configuration resource there are several anti-analysis checks indicated. The malware in question has enabled the controls of:
  • anti_fiddler
  • anti_sandboxie
  • anti_vm
  • anti_wireshark
This allows the malware to recognize if it is running in a virtual environment or sandbox, and to check if the Wireshark program and the Fiddler web debugger are active.

Interesting is the parameter "injection" set to 6, which allows you to indicate in which application to perform the injection of malware.
In this case, it executes the injection on itself, ie on the server.exe process, as we can see from the figure below.
 



The malware injects the "_mainFile" resource into the server.exe process. The "_mainFile" resource is encrypted with a simple "xor" with a 0x20 key. From the decrypted resource "_mainFile", you get another executable file in memory for injection:

Name: <without name>
Size: 24064 byte
Description:
MD5: B2A604500E1555A7A13413C0F7A69732
Compilation timestamp: 18/07/2017 08.10.01
VirIT:
Backdoor.Win32.Generic.AWM

The decrypted file in memory, which we will call again server.exe, is none other than the njRAT, known by the name of Bladabindi, a remote administration program.

The version used is 0.7d, as we can see from the configuration parameters.
 
 

The njRAT (Bladabindi) malware used in this campaign connects to the command and control server cb4cb4.ddns [.]net port 1604, where the exfiltrated data is sent. The peculiarities of this RAT are: keylogging, screen capture, update and data exfiltration.

In the table below, we can see some commands used by njRAT (Bladabindi):

Commands Options Comments
 ll    informations of system (ID campaign, name pc, user, version of o.s., version of RAT, etc)
 inf    parametersi of configuration (name  server C2, port, process, etc)
 act    name of active window
 kl    keylogger
 prof ~ ! @  write/read/delete value of registry
 rn    download and execute  file
 inv    open a local port
 ret    ???
 pl    ???
 CAP    screen capture
 un ~ ! @  uninstall
 sc ~ PK  partial screen capture  (area)
 up    update file
 Ex  fm ~ ! @  execute shell comands
 FM ! # @  file manager: enumerate file e directory
 PLG    plugin
 MSG    message



Torna ad inizio pagina


Campaign evolution from May to July 2018

In the months from May to July 2018, we have monitored the current campaign by analyzing each individual stage.

24 May 2018

On May 24th the Imminent RAT (payload im6.exe), after it was injected into the RegAsm.exe process, connected to the command and control server cb5cb5.noip[.]me, from which the command was sent to download and run malware from the site: lnx.hdmiservice[.]com/net.exe. The downloaded net.exe file is saved with the random name 61869.exe inside the folder%temp%, and then copied into %appdata%\Roaming\Oracle\svhost.exe.

Name: net.exe (61869.exe)
Size: 512352 byte
Description of file: SoftEther VPN - Versione 4.22.0.9634
MD5: F16108CF7A03F9E94F91EDEEA32EBE22
Compilation timestamp: 18/05/2018 23.06.49
Malware family
: Spyware - RAT
VirIT: Backdoor.Win32.SamRATnet.A

Description
:
The net.exe file is compiled in MSIL and is obfuscated with the SmartAssembly program.
Inside net.exe we find another executable file in encrypted form, this file is not saved on disk, but used to inject the svhost.exe process (itself). In the figure we can see a part of the decryption algorithm used.

Interesting is the string we found inside net.exe:


where it is indicated a date (in English format) that coincides with that of compilation, most likely it was inserted by the obfuscator SmartAssembly.

Net.exe
is another RAT of the Netwire family (https://www.rekings.com/shop/netwire/), with keylogger functionality, password recovery (Firefox, Thunderbird, SeaMonkey, Microsoft Outlook, Internet Explorer), etc. Inside the folder %appdata%\roaming we find the subfolder "Logs", inside which there are logs divided by day with the information exfiltered. This exfiltrated information is sent to the command and control server cb7cb7.ddns[.]net port 3333.
We do not have much information on this RAT, because during the analysis phase, the attackers have always preferred to send the command to uninstall their malware, most probably the computer was not of interest to them.

28 May 2018

On May 28th "re-download" a new version of the Imminent RAT, from lnx.hdmiservice[.]com/im6.exe (md5: 10349A36CBD8AA3A5F13B3A591432218). The im6.exe file is obfuscated with SmartAssembly. At the execution it is copied into %temp% with the name svchost.exe and does the injection in the process %temp%\svhost.exe. This version also connects to the command and control server cb5cb5.noip[.]me, from which it receives the command to download and run malware from the site: tafe[.]org/net.exe. The domain tafe[.].org is a site linked to the association of firefighters in Texas (Texas Association of Fire Educators), which has most likely been compromised.
The downloaded net.exe file is saved with the random name 10800.exe inside the folder %temp%, and then copied to %appdata%\Roaming\Oracle\svhost.exe.  

Name: net.exe (10800.exe)
Size: 432128 byte
Description: GTV Program Launcher (CAB Type) - Versione 2.9.2.4
MD5: 4AFFDFB7FB38DE5065FDA1B5CE87EC8E
Compilation timestamp: 27/05/2018 17.27.04
Malware family
: Spyware - RAT
VirIT: Backdoor.Win32.SamRATnet.B

Description
:
The file Net.exe is compiled in MSIL and is obfuscated with the program ConfuserEx v0.6.0.
Inside net.exe we find another executable file in an encrypted form, this file is not saved on the disk, but used to inject the processsvhost.exe. This is the RAT Netwire, another variant of the case seen on May 24, 2018, with keylogger functionality and password exfiltration. Inside the folder %appdata%\roaming
we find the subfolder "Logs", in which there are logs divided by day with the information exfiltrated. This exfiltrated information is sent to the command and control server cb7cb7.ddns[.]net port 3333.


28 June 2018

On June 28th we have downloaded a new version of njRAT (Bladabindi), from lnx.hdmiservice[.]com/nj.exe (md5: 7B777263642CD694415ACCDB45B19DE6). The nj.exe file, after being copied into %appadata%\roaming\server.exe, connects to the command and control server cb4cb4.ddns[.]net through port 1604. This time the file is downloaded from the C2 server tmpCEE0.tmp.exe and saved inside the folder %temp%.

Name: tmpCEE0.tmp.exe
Size: 829440 byte
Description: Microsoft Corporation - Versione 60.48.6058.5862
MD5: 124CFF35E00D6F361E1DD73161833638
Compilation timestamp: 16/01/2016 06.27.22
Malware family
: Downloader
VirIT: Trojan.Win32.DownloaderSam.A

The file tmpCEE0.tmp.exe contains within the resource ">AHK WITH ICON<", as we see in the picture:



The resource ">AHK WITH ICON<" contains a script, which is executed by the malware, to download 2 files from https://paste.ee:
  • https://paste[.]ee/r/hW6I2
  • https://paste[.]ee/r/fsU10

The site https://paste.ee  is similar to Pastebin, but in this case it downloads 2 pages in Base64.
In the page https://paste[.]ee/r/fsU10 there is a binary code (shellcode), instead in the https://paste[.]ee/r/hW6I2 page another malware is contained, which we will call im.exe.
The tmpCEE0.tmp.exe file connects to the two url of https://paste.ee to download the malware im.exe and to inject it into the process: C:\WINDOWS\Microsoft.NeT\Framework\v2.0.50727\MSBuild.exe

Name im.exe (https://paste[.]ee/r/hW6I2 decodificato)
Size: 330240 byte
Description of file: im.exe - Versione 1.0.0.0
MD5: 1D85471A6C233A1BC926494A5EB3E400
Compilation timestamp: 06/03/2018 07.12.01
Malware family
: Spyware - RAT
VirIT: Backdoor.Win32.SamRATim.I

The  im.exe  file is nothing more than the Imminent-Monitor client, a commercial remote administration program (https://imminentmethods.net),  where we can read the following watermark::
please contact abuse@imminentmethods.net with the hardware id: "b3cd0d50be0504f870d91ece52b73941" and company name: "test" if this assembly was found being used maliciously. this file was built using invisible mode

This version of Imminent connects to the following command and control server:
Server: frpfrp.ddns[.]net
Port: 3338


03 July 2018

On July 3rd we have downloaded a new version of Imminent, from  lnx.hdmiservice[.]com/im6.exe (md5: 10349A36CBD8AA3A5F13B3A591432218). The im6.exe file, after having been injected on RegAsm.exe, connects to the command and control server cb5cb5.noip[.]me. This time we get the WM.EXE file from http://tafe[.]org/WM.exe and saved in the folder %temp% with the name 17303.exe.

Name: WM.exe (17303.exe)
Size: 811008 byte
Description: Versione 1.1.23.0
MD5: 5094EBA48CCF4225D8AB547A2D88F5A0
Compilation timestamp: 16/01/2016 06.27.22
Malware family
: Downloader
VirIT: Trojan.Win32.DownloaderSam.B

The file 17703.exe (WM.exe) contains within the resource ">AHK WITH ICON<", as we saw in the case of June 28th.

The resource ">AHK WITH ICON<" contains a script, which is executed by the malware, to download 2 files from https://paste.ee:
  • https://paste[.]ee/r/KC3M6
  • https://paste[.]ee/r/fsU10
The page https://paste[.]ee/r/fsU10 contains a binary code (shellcode), whereas on the https://paste[.]ee/r/KC3M6 page another malware is contained, dubbed Revcode Rat, which will perform an injection on the RegAsm.exe process

Name: Revcode Rat (https://paste[.]ee/r/KC3M6 decodificato)
Size: 351232 byte
Description:
MD5: 733F247FED91B9ACB833C547C6988C8E
Compilation timestamp: 25/06/2018 17.21.26
Malware
family: Spyware - RAT
VirIT: Backdoor.Win32.SamRATwm.H

This module is a commercial RAT (written in Visual Basic) called  Revcode WebMonitor (https://revcode.eu/), cwhich we have already previously seen in the month of April.
This new release connects to the C2 server irvingl.wm01[.]to (ip: 5.206.224[.]22) and to the page: https://irvingl.wm01[.]to/recv4.php


09 July 2018

On July 9th from the control command server of the Rat Imminent frpfrp.ddns[.]net  we have received the command to download the WM.EXE file from http://tafe[.]org/WM.exe and save it inside the folder %temp% with the name 3064.exe.

Name: WM.exe (3064.exe)
Size: 781312 byte
Description: muUwRdRRkCsIliuyGILx - Versione 2.3.2.0
MD5: 22DF9F6F208CAE2FDAD6EB76954B56B4
Compilation timestamp: 06/07/2016 06.57.39
Malware family
: Spyware - RAT
VirIT:  Backdoor.Win32.SamRATwm.E

This downloaded module is the commercial RAT Revcode WebMonitor (https://revcode.eu/), which always connects to the C2 server irvingl.wm01[.]to (ip: 5.206.224[.]22) and to the page: https://irvingl.wm01[.]to/recv4.php



Torna ad inizio pagina


Map of the infrastructure of cyber-attack

In the figure below, we can see the infrastructure used by the attackers at Samsung Italy's service centers. The infrastructure was rebuilt starting from the spear-phishing attack on 2 April 2018. From here the multi-stage attack was analyzed from 3 April to the beginning of July 2018.




Attack actors use 5 command and control servers:
  • cb5cb5.noip[.]me
  • cb4cb4.ddns[.]net
  • cb7cb7.ddns[.]net
  • frpfrp.ddns[.]net
  • irvingl.wm01[.]to
A RAT is placed on each command and control server:
  1. Imminent -> cb5cb5.noip[.]me
  2. Imminent -> frpfrp.ddns[.]net
  3. njRAT -> cb4cb4.ddns[.]net
  4. Netwire -> cb7cb7.ddns[.]net
  5. RevCode WebMonitor -> irvingl.wm01.to


Torna ad inizio pagina


Conclusion

We analyzed the campaign of spear-phishing targeting the service centers of Samsung Italy started on 2 april 2018. The attack campaign is a multi-stage type, that means it starts to download an Excel file containing a vulnerability (payload im6.exe), if the computer hacked is of some interest for the authors of the campaign, then new payloads (RAT) are downloaded for the next stage.

The target of these attack campaign are the service centers of Samsung Italy, therefore it is a targeted and not massive campaign, it is assumed that the possible victims are between 200 and 300.  A perfectly campaign of spear-phishing was implemented with a spread of an email written in perfect italian sent from Samsung, with attached an Excel document relevant to the recipients. The fake email for spear-phishing was realized from the one original sent from Samsung Italy on 19th March 2018.
A similar attack campaign was registered at the end of March 2018 targeting the service centers of Samsung Russia. In that case was used an email written in russian, that seemed to be sent from Samsung Russia, with attached an Excel file infected, probably stolen from an egyptian company connected to Samsung and called "MTI MM Group" (https://mti-mmgroup.com/samsung/).
This attack campaign against Samsung may involve more countries not only italian service centers, but as we saw already also Russia.

The vulnerability used is CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability), linked to the Equation Editor, it can work on all versions of Microsoft Office.

The attack campaign used mainly commercial RAT, which can exfiltrate data and spy the victim. We did not found "custom" spy programs, as can applies to cases of APT attack.

The comand and control servers use services, such as noip.me or ddns.net, in the coupling mode with a VPN, that make it impossible to identify the PC and / or the true IP address, to which exfiltrated information are sent. During the analysis phase it happened that C2 servers were not online and the RAT failed the connection for many hours, and then back on line with a new IP address.

The actors of this attack remain unknown, even if the comand and control servers have already been used in previous campaign.

Torna ad inizio pagina


IOC

MD5:
47EF2AE50AAE4AADF3B6BAEB412C7C6C
C750536CD26C071C97B91CB3CEDF50B0
C966F4A0916A1B5403E10F15F3591F06
ABC976902AAFC4AE48373CE9728EA03E
D1642488C5A0181FE57C474069DF8C04
658C87F92BD85C50E8A904DE184187C4
FBF757927F16ABE4F80B051C56445798
8568B119697FC8187E31988887599DAB
ABBE16193144DAC74DAE7B9DE653D84F
31664036A9917EE12DDA6688C72E878F
F16108CF7A03F9E94F91EDEEA32EBE22
10349A36CBD8AA3A5F13B3A591432218
CC874C0874C45ECE5035E259AB1CD40A
4AFFDFB7FB38DE5065FDA1B5CE87EC8E
8BB1FF448A94DD0BCE048C1651FA0A59
7B777263642CD694415ACCDB45B19DE6
124CFF35E00D6F361E1DD73161833638
1D85471A6C233A1BC926494A5EB3E400
7F281EB52F4D14C9E858CA29CC992722
87E143682C3160801B8275CAFDC85451
45C593B648198F447483D3E4DBA68A91
488636DD380E75ED666C8A590583AF64
5094EBA48CCF4225D8AB547A2D88F5A0
742FA4D87468C0627133EC45629C692D
733F247FED91B9ACB833C547C6988C8E
807204EAFBD7B9AB96AD476B527C8518
B22E9254F06F822997996A8556CCC5E3
22DF9F6F208CAE2FDAD6EB76954B56B4
D1107D60EBAEA08FA3C3569CCACCDC6A

URL:
lnx.hdmiservice[.]com
tafe[.]org
paste[.]ee


Server C2:
cb4cb4.ddns[.]net
cb5cb5.noip[.]me
cb7cb7.ddns[.]net
frpfrp.ddns[.]net
https://irvingl.wm01[.]to


 
Torna ad inizio pagina

 

How to protect yourself

Experience and common sense are the first weapons not to be victims of this kind of fraud.
A careful reading of the e-mails is essential, in all its elements. Be wary of attachments in ZIP format and if possible, do not enable the automatic execution of macros, a setting that could make the hasty opening of Word and Excel files dangerous. Another little help can be to check where any link is pointing, even if this type of evaluation can be very difficult.

In the event that you were infected by a Banker, the advice from the C.R.A.M. (TG Soft) is to take appropriate security measures even after the remediation of the systems involved as the change of passwords most commonly used on the web navigation.
In the event that the workstation involved was used for home-banking operations, it is also advisable to check with your credit institution.


How to send suspicious e-mails for analysis as possible viruses / malware / ransomware and / or phishing attempts

Sending materials to be analyzed at the TG Soft Anti-Malware Research Center for analysis that is always free and can be done safely in two ways:
  1. Any e-mail that can be considered a suspect can be sent directly by the recipient's e-mail choosing as sending mode "Forward as Attachment" and inserting in the object section "Possible phishing page to verify" rather than "Possible Malware to verify" to the following mail:  lite@virit.com
  2. save as an external file to the e-mail program used the e-mail to be sent to the C.R.A.M. TG Soft for analysis. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Of course, to have a feed-back compared to the analysis of the infected files sent, you will need to indicate an e-mail address and a brief description of the reason for sending the file (for example: possiible / probable phishing; possible / probable malware or other) .


Integrate your PC / SERVER protection with Vir.IT eXplorer Lite

Vir.IT eXplorer PRO has been designed and implemented in such a way to increase the security of your computers, PCs and servers alike, Vir.IT eXplorer Lite -FREE Edition-.

Vir.IT eXplorer Lite has the following characteristics:
  • freely usable both in the private sector and in the business environment with Engine + Signature updates without time limitations;
  • It works with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PC and SERVER, recommended to be used as an integration of the AntiVirus already in use as it does not conflict or slow down the system but significantly increases the security in terms of identification and remediation of infected files;
  • identifies and, in many cases, also removes most of the viruses / malware actually circulating or, alternatively, allows it to be sent to the C.R.A.M. Anti-Malware Research Center for further analisys;
  • thanks to the Intrusion Detection technology, made available also in the Lite version of Vir.IT eXplorer, the software is able to report any new generation viruses / malware that are placed in automatic execution and proceed to send the files reported to the C.R.A.M. of TG Soft.
  • Proceed to download Vir.IT eXplorer Lite from the official TG Soft site distribution page.

For Vir.IT eXplorer PRO users...

For Vir.IT eXplorer PRO owners it is always possible to contact or forward suspicious e-mails for free to the TG Soft technical support, the e-mail address for sending suspicious e-mails is: assistenza@viritpro.com (the suspicious e-mail goes sent as an attachment).  C.R.A.M. Technicians will analyze the material recived to evaluate every possible danger without any risk for our customers.
 
Go check our TG Soft support.

C.R.A.M.
Anti Malware Research Center by TG Soft
Torna ad inizio pagina



Any information published on our website can be used and posted on other websites, blogs, forums, facebook and/or in any other form both on paper and electronically so long as you always cited source explicitly "Fonte: C.R.A.M. by TG Soft www.tgsoft.it"
fb rss linkedin twitter
 




Legal & Eula | Privacy | Uninstall

TG Soft S.r.l. - via Pitagora 11/B, 35030 Rubàno (PD), ITALY - C.F. e P.IVA 03296130283