- Jan 24, 2011
- 9,379
Two weeks ago, multiple Cisco Managed Threat Defense (MTD) customers received an email that appeared to come from the Microsoft Volume Licensing Service Center (VLSC). The email shown below is very similar to the real email Microsoft sends. It had a personalized welcome line and appears to contain a link to login to the Volume Licensing Service Center:
The phish email supposedly from Microsoft Volume Licensing
The recipient's email address was embedded in the fake Microsoft.com link to make it look more credible. The real link, visible if you hovered the mouse over it, went to one of the following domains:
- livihome[.]pl
- tirillycompagnie[.]com
- redwoodrecycling[.]com
- gdc[.]travel
Analysis of what these domains have in common found that they are all compromised WordPress servers. Hackers added extra pages to the legitimate ones at a location like:
http:// tirillycompagnie [.]com/wp-content/tinymce-advanced/mc/searchreplace/1.php
Microsoft licenses products like Windows and Office in volume to corporate customers. The VLSC is where customers log in to get their licenses, usually in the form of an activation code. If a user clicks on the link in the email, they would see the screenshot below:
Clicking on the link ending in 1.php runs a function that uses JavaScript to display the real Microsoft Volume License Center login page and starts a download of the fake volume license trojan as a .zip file. If you look closely in the download window for the .zip file, the source of the download is http:// tirillycompagnie [.]com, but most users would not notice this and instead believe they were downloading something from Microsoft.com.

The Microsoft VLSC site overlaid by the malware download
Analyst Alerted by a Wonky File
MTD security analysts were first alerted to this attack by Sourcefire file events for a file named 1.php:

Sourcefire alerts were for a wonky 1.php file, which contained the JavaScript to overlay the download against the Microsoft.com site
To discover the nature of the threat, the analyst grabbed the .ZIP file. Our malware analysis determined that, if opened, the .ZIP contained a Windows executable with a .SCR extension named Volume_Licensing_Service_Center_details_7834892334.scr.
The file had the following hashes and size:
MD5: 1b147fc9d5342ca0fa59207d366ec4fb
SHA256: 53365e66e87a46fe8c2838aed30f099b275a816129af0c3e9bce4dcc0d58fdd0
File Size: 51.9541 KB
Sandbox Evaluation Failed
Initially, the detection by antivirus software was a low 9 out of 57 antivirus programs.
MTD investigators turned to sandbox analysis for the file. Detonating the malware on three commercial and one open source sandbox solution yielded no success. The malware seemed to know it was being analyzed and exited after 20 seconds without doing anything. The name given by antivirus programs was “Chanitor”, a family used to download other malware. This downloader has been used in many attacks such as fake fax, fake voicemail, fake invoice and fake purchase order email attacks.
Investigator Used Debugger for Analysis
To analyze the malware completely and determine what command and control servers it connected to, investigators ran the malware on real hardware with network capture, memory capture and file system monitoring software installed. The analysis clearly revealed programmatic delays to prevent the sandbox from detonating the malware.

Running the malware in a debugger revealed the programmatic delays to evade detonation
This produced better results and revealed one of the anti-forensics measures in this variant of Chanitor. This variant goes to sleep for a total of over 30 minutes when first run. Upon execution, Volume_Licensing_Service_Center_details_7834892334.scr unpacks and decodes itself and then starts a process called winlogin.exe. winlogin.exe goes to sleep many times, for the durations in milliseconds shown below:
winlogin.exe delays execution by calling the sleep function over and over
"winlogin.exe" sleep "00313623" milliseconds
"winlogin.exe" sleep "00301713" milliseconds
"winlogin.exe" sleep "00289634" milliseconds
"winlogin.exe" sleep "00326947" milliseconds
"winlogin.exe" sleep "00319869" milliseconds
"winlogin.exe" sleep "00290436" milliseconds
"winlogin.exe" sleep "00304573" milliseconds
"winlogin.exe" sleep "00300983" milliseconds
"winlogin.exe" sleep "00300131" milliseconds
"winlogin.exe" sleep "00305685" milliseconds
winlogin.exe sleeps to wait out automatic sandbox analysis before starting to communicate on the internet. The program displays no output, but the metadata indicated that it was compiled on a computer using English for output. When launched, the malware creates several files as shown below:
Created Files and Types
- agmas.dll – PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- agmas.msy – binary data
- winlogin.exe – PE32 executable (GUI) Intel 80386, for MS Windows, self-extracting archive
cmd /D /R type "C:\Users\PSPUBWS\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\PSPUBWS\AppData\Roaming\Windows\winlogin.exe"
This is done to cause some sandbox analysis systems to fail.
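As an added example (not code from the Cisco post), here is a small Python triage helper that runs over monitor output in the format shown above: it sums Sleep calls per process to flag stalling beyond a sandbox's analysis window, and it recognises the type-to-temp-then-move-back command line that rewrites winlogin.exe onto itself. The ten sleep lines and the cmd line are taken from the post; the notepad.exe line, the 20-second window and the function names are assumptions.

```python
import re
from typing import Dict, List

# Monitor output in the post's format. The ten winlogin.exe lines are from the
# post; the notepad.exe line is constructed to show a benign short sleep.
SLEEP_LOG = """\
"winlogin.exe" sleep "00313623" milliseconds
"winlogin.exe" sleep "00301713" milliseconds
"winlogin.exe" sleep "00289634" milliseconds
"winlogin.exe" sleep "00326947" milliseconds
"winlogin.exe" sleep "00319869" milliseconds
"winlogin.exe" sleep "00290436" milliseconds
"winlogin.exe" sleep "00304573" milliseconds
"winlogin.exe" sleep "00300983" milliseconds
"winlogin.exe" sleep "00300131" milliseconds
"winlogin.exe" sleep "00305685" milliseconds
"notepad.exe" sleep "00000500" milliseconds
"""

# The self-rewrite command line from the post (quotes normalised to ASCII).
SELF_REWRITE_CMD = (r'cmd /D /R type "C:\Users\PSPUBWS\AppData\Roaming\Windows\winlogin.exe" '
                    r'> ___ && move /Y ___ "C:\Users\PSPUBWS\AppData\Roaming\Windows\winlogin.exe"')

SLEEP_RE = re.compile(r'^"(?P<proc>[^"]+)" sleep "(?P<ms>\d+)" milliseconds$')
# type "<src>" > <tmp> && move /Y <tmp> "<dst>"; suspicious when src == dst.
REWRITE_RE = re.compile(
    r'type\s+"(?P<src>[^"]+)"\s*>\s*(?P<tmp1>\S+)\s*&&\s*move\s+/Y\s+(?P<tmp2>\S+)\s+"(?P<dst>[^"]+)"',
    re.IGNORECASE)


def total_sleep_ms(log: str) -> Dict[str, int]:
    """Sum Sleep() durations per process from monitor output."""
    totals: Dict[str, int] = {}
    for line in log.splitlines():
        m = SLEEP_RE.match(line.strip())
        if m:
            totals[m["proc"]] = totals.get(m["proc"], 0) + int(m["ms"])
    return totals


def stalling_processes(log: str, window_s: int = 20) -> List[str]:
    """Processes whose cumulative sleep outlasts the sandbox analysis window
    (20 s assumed: the point at which the sample quit inside the sandboxes)."""
    return sorted(p for p, ms in total_sleep_ms(log).items() if ms > window_s * 1000)


def is_self_rewrite(cmdline: str) -> bool:
    """True for the type/move pattern that copies a file back onto itself."""
    norm = cmdline.replace("\u201c", '"').replace("\u201d", '"')
    m = REWRITE_RE.search(norm)
    return bool(m) and m["src"].lower() == m["dst"].lower() and m["tmp1"] == m["tmp2"]
```

Summing the post's ten sleeps gives 3,053,594 ms (about 51 minutes), which is why a sandbox with a fixed window of a few minutes never sees the download stage.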
Read more: http://blogs.cisco.com/security/fak...-targets-corporate-users-and-evades-sandboxes