Back to some old material, prompted by a 'recent' compromise of off-sho.re servers and the circulation of Cyberbunker sinkhole logs between AV vendors. (The Alina connections were especially interesting, but that's not the topic here.)
Do you remember Dexter? Nah, not the TV series, but the PoS malware.
The systems infected by Dexter are varied in our case (gas stations, pawn shops, logistics, luxury shops, doctors, clinics, pharma, labs, etc.)
This malware was coded by a guy known as 'dice' (there was an advert for it on Darkode posted by him around November 2012 if I remember correctly, but he asked an admin to remove the thread, so it is no longer available).
Visa USA released an alert one month later.
Sample that came from the compromised server:
Let's get to it then. I will spare you the Visual Basic 6 unpacking step; here are the hashes if you want them.
Original: bb0b17c2f66a868cf1e8a46626366a32
Unpacked: e74593552b66a4638b80a4fbf2fb7438
Creates a mutex:
WriteProcessMemory on Internet Explorer with the content of the exe:
OK, so what happens in the injected IE?
I patched the executable by taking some jumps it did not take at the beginning, to make it think we are inside IE and see what happens.
Creates a subkey 'HelperSolutions Software':
Does a RegCreateKey/RegSetValue/RegCloseKey with 'digit' as the registry entry and 'cc98afca-1a04-4c5d-80cf-1cc78244b63e' as the value for me.
Creates a registry persistence entry 'Sun Java Security Plugin':
Does the same, but this time in HKCU:
Creates another registry entry, this time at:
HKCU Software\Microsoft\Windows\CurrentVersion\Policies\Associations
with 'LowRiskFileTypes' as the entry and '.exe;.bat;.reg;.vbs;' as the value.
The Attachment Manager in Windows can help protect your computer from unsafe attachments that you might receive with an e-mail message and from unsafe files that you might save from the Internet.
Edits a value at HKCU: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Registry entry '1806' with '0' as the value.
The value can be zero, one, or three. Typically, a setting of zero sets a specific action as permitted, a setting of one causes a prompt to appear, and a setting of three prohibits the specific action.
Does the same operation, but in HKLM this time:
The file initialises a thread:
Creates a DLL 'SecureDll.dll' from the extracted resource, with the Hidden attribute:
'val1' with the value 'C:\Documents and Settings\Administrateur\Bureau\strokes.log'
Creates a second reg key at Software\HelperSolutions Software:
'val2' with the value 'C:\Documents and Settings\Administrateur\Bureau\tmp.log'
Hooks the keyboard:
Refer to MSDN for an explanation:
Okay... let's have a look at what this SecureDll.dll does; it seems it's not that secure.
Looks for the previous reg keys:
val1 and val2.
Looks for some specific processes running on the system:
Here is the list:
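The registry writes listed above (the 'HelperSolutions Software' key with its 'digit' bot id and val1/val2 log paths, the 'Sun Java Security Plugin' Run entry, the LowRiskFileTypes policy, and URL action 1806, which is the "Launching applications and unsafe files" setting, forced to 0) are a usable host footprint. As an added example, not code from the post or from the malware, here is a small Python checker for them. The rule logic runs on an in-memory snapshot so it can be tested anywhere; collect_snapshot() fills such a snapshot from the live registry with winreg on Windows. It checks both hives for every key, which goes slightly beyond the post (the post saw the Associations policy only in HKCU); the Run value's path in the sample snapshot is a placeholder, since the post does not give it.

```python
"""Checker for the Dexter registry footprint described in the write-up.

Added example, not code from the post or from the malware. The key paths,
value names and the bot-id format come from the analysis above.
"""
import re
import sys

# Key paths from the analysis, relative to the hive.
HELPER_KEY = r"Software\HelperSolutions Software"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
ASSOC_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
ZONE0_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"
WATCHED_KEYS = (HELPER_KEY, RUN_KEY, ASSOC_KEY, ZONE0_KEY)
RUN_VALUE = "Sun Java Security Plugin"

# The 'digit' value holds a GUID-shaped bot id (cc98afca-... in the post).
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def evaluate_snapshot(snapshot):
    """snapshot: {(hive, key_path): {value_name: data}} -> list of findings."""
    findings = []
    for hive in ("HKCU", "HKLM"):
        helper = snapshot.get((hive, HELPER_KEY), {})
        digit = str(helper.get("digit", ""))
        if GUID_RE.match(digit):
            findings.append(f"{hive}\\{HELPER_KEY}\\digit = {digit} (bot id)")
        for name in ("val1", "val2"):  # keylog and temp log paths
            if name in helper:
                findings.append(f"{hive}\\{HELPER_KEY}\\{name} = {helper[name]} (log path)")
        run = snapshot.get((hive, RUN_KEY), {})
        if RUN_VALUE in run:
            findings.append(f"{hive}\\{RUN_KEY}\\{RUN_VALUE} = {run[RUN_VALUE]} (persistence)")
        zone = snapshot.get((hive, ZONE0_KEY), {})
        if str(zone.get("1806", "")).strip() == "0":
            findings.append(f"{hive}\\{ZONE0_KEY}\\1806 = 0 (launching unsafe files permitted)")
        assoc = snapshot.get((hive, ASSOC_KEY), {})
        low_risk = str(assoc.get("LowRiskFileTypes", ""))
        exts = {e.strip().lower() for e in low_risk.split(";") if e.strip()}
        if exts & {".exe", ".bat", ".reg", ".vbs"}:
            findings.append(f"{hive}\\{ASSOC_KEY}\\LowRiskFileTypes = {low_risk} (attachment warnings disabled)")
    return findings


def collect_snapshot():
    """Read the watched keys from the live registry (Windows only)."""
    import winreg  # only importable on Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snapshot = {}
    for hive_name, hive in hives.items():
        for key_path in WATCHED_KEYS:
            try:
                with winreg.OpenKey(hive, key_path) as key:
                    values, index = {}, 0
                    while True:
                        try:
                            name, data, _ = winreg.EnumValue(key, index)
                        except OSError:  # no more values
                            break
                        values[name] = data
                        index += 1
                    snapshot[(hive_name, key_path)] = values
            except OSError:  # key absent: nothing to record
                continue
    return snapshot


# Constructed snapshot mirroring the writes observed in the post.
SAMPLE_SNAPSHOT = {
    ("HKLM", HELPER_KEY): {
        "digit": "cc98afca-1a04-4c5d-80cf-1cc78244b63e",
        "val1": r"C:\Documents and Settings\Administrateur\Bureau\strokes.log",
        "val2": r"C:\Documents and Settings\Administrateur\Bureau\tmp.log",
    },
    ("HKCU", RUN_KEY): {RUN_VALUE: r"C:\PLACEHOLDER_PATH\sample.exe"},  # path not in the post
    ("HKCU", ASSOC_KEY): {"LowRiskFileTypes": ".exe;.bat;.reg;.vbs;"},
    ("HKCU", ZONE0_KEY): {"1806": 0},
    ("HKLM", ZONE0_KEY): {"1806": 0},
}

if __name__ == "__main__":
    snap = collect_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for line in evaluate_snapshot(snap):
        print(line)
```

On a non-Windows host the script evaluates the constructed snapshot; on Windows it reads the real keys. The 1806 check only fires on an explicit 0, because an absent value means the zone's default applies.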
wmiprvse.exe (Microsoft Windows Management Instrumentation)
LogonUI.exe (Windows LogOn User Interface)
svchost.exe (Service Host Process)
iexplore.exe (Internet Explorer)
explorer.exe (generic Windows process)
System (Internal Windows system process)
smss.exe (Session Management Subsystem)
csrss.exe (Client/Server Runtime Subsystem)
winlogon.exe (Windows LogOn Process)
lsass.exe (Local Security Authority Subsystem Service)
spoolsv.exe (Printer Spooler Service)
alg.exe (Application Layer Gateway)
wuauclt.exe (Windows Update client for Windows ME)
firefox.exe
chrome.exe
devenv.exe (Microsoft Visual Studio)
Then it starts opening processes and looking for track1/2/3 data.
The first thread just does a new scan of processes.
The second thread makes sure everything is OK with the 'run' registry key.
The third does a loop.
The fourth detects if the PC is going to shut down (I have not looked, but DetectShutdownClass seems explicit enough).
Then it enters a procedure to call home:
Gets the computer name:
Retrieves the string used to identify the machine, which was stored in the registry
(cc98afca-1a04-4c5d-80cf-1cc78244b63e)
Opens strokes.log and reads it
And deletes tmp.log:
Takes our hwid and enters the routine to encode it:
From the original source code:
At the end we have a huge string like:
page=RUUZTk9FSURRTk1OHVFIGBhJUUQYRUpRSkQaTUwYSUhNTx0f&ump=ACgZHREqFRkLGQ4jLxkOChUfGVIZBBlGR0hNTU1NTU1NTU1NTU1NTU1BTU9MS01MTUxMTExMTExMTExKSkpDWT5ITU1NTU1NTU1NTU1NTU1NIiQlMDU+MyRTMD0+L1wxLiJNT0xLTUxNTExMTExMTExMTExMTExMTExMTExKSkpMTE
The C&C domain and gate path are passed via pointers, because of the Internet Explorer injection.
After calling the gateway, Dexter sleeps for 600000 ms (10 mins):
Now about the C&C responses, I noticed these actions:
update-
chekin:
scanin:
unistall
download-
I have not looked into how the following commands work; Josh Grunzweig of SpiderLabs has already explained them.
So... enough boring reversing info, let's have a look at the panel now.
Login:
Dashboard:
Like Alina, Dexter uses a colour code: dead bots appear in red and recently dead bots in blue:
Dumps (stolen credit cards):
Keylogger logs (here, it seems to be a UPS dispatch center, or something like that):
Process viewer (not working):
Another, smaller Dexter panel:
I also found an older version of Dexter; I thought it was Alina at first, but nope, Dexter v1:
Dashboard:
Dumps:
Bots:
Process list (this time it works):
Dexter 'v2' C&C structure:
Just ignore the 'installer' folder; that's something homemade for a video PoC.
Get track type function:
It even grabs track3.
600 posts reached ;)
Pic 38 and 39 the same?
Loop in the code or a mistake, can't remember, I will check it later
Really nice work :)
And GG for the 600th!
Congratulations for 600.
enough boring reversing infos // It's never boring to read you :)
Is REDcrew officially dead?
Where can I find some OllyDbg or just general debugger tutorials? I want to be like you. :(
really nice
Very nice, I like you exposing the undernet.
@Dave: Here's a link, you can google "ollydbg tuts tutorials", 1st hit
ReplyDeletehttp://tuts4you.com/download.php?list.29
Is antivirus protection enough for this kind of threat? Couldn't AVs make a system which has the same functionality, only when it detects a valid number, to 0 it up?
Just saying... the malware isn't complex and a solution for defeating it is pretty simple.
Thank you for your blog keep it up!
Sorry, man, but it's not that simple. It's impossible for antiviruses to detect RAM scrapers, because listing all processes that read the memory of other processes as viruses would hit lots of legitimate software like debuggers.
Please, give me the link to the Builder!!!!
I have the panel!!
Lol!! Do you want a bimbo and a pack of beer with that? No but seriously, let me know, eh.
Lol!! Do you want a bimbo and a pack of beer with that? Seriously guys, stop with your bogus questions; thank him instead of seeing a gold mine in Xyli, it just makes him not want to keep doing the great work he does!!!
To Anonymous
What can you tell me about this POS software?
http://smile-pos.com/ca/
What do you think about this POS system?