Cidox Trojan Spoofs HTTP Host Header to Avoid Detection

Lately, we have seen a good number of samples generating some interesting network traffic through our automated framework. The HTTP pattern generated contains a few interesting parameters with names like “&av” (for antivirus?) and “&vm=” (VMware?). The response received looked to be encrypted, which drew my attention. Also, all the network traffic contained the same Host header, pointing to metrika.yandex.ru. These samples turned out to be related to the Cidox Trojan family. Here is the Wireshark packet capture of the GET request:

[Image: cidox_http_traffic]

One might immediately conclude that the host name in the GET request is the culprit, either a compromised site or an attacker’s domain, but that isn’t correct for this sample. The domain looked legitimate: yandex.ru is the largest search engine in Russia. To confirm, I checked the packet capture for the DNS request and for the IP address the GET request was actually sent to; it differs from the IP address of metrika.yandex.ru. This tells me that the Host header in the GET request is spoofed and must be hard-coded in these samples.

We have seen this trick used recently by malware authors: the HTTP Host header is spoofed to point to a legitimate domain in order to evade detection based on Host headers, or to mislead researchers and automated tools. The response from the remote server was encrypted, so I decided to look into it.
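The comparison made above (does the Host header name actually resolve to the address the request went to?) can be automated over a capture. The following is an added Python example, not code from the original post; the DNS answers and request records are constructed, and the addresses are documentation ranges rather than the real resolution of metrika.yandex.ru.

```python
import ipaddress
import re

# Constructed DNS observations from the same capture: host name -> A records seen.
DNS_ANSWERS = {
    "metrika.yandex.ru": {"192.0.2.10", "192.0.2.11"},
    "www.example.net": {"198.51.100.5"},
}

# Constructed request records as a sensor might log them: (destination IP, request head).
REQUESTS = [
    ("192.0.2.10", "GET /watch/1 HTTP/1.1\r\nHost: metrika.yandex.ru\r\n\r\n"),
    ("203.0.113.77", "GET /in.php?av=1&vm=0 HTTP/1.1\r\nHost: metrika.yandex.ru\r\n\r\n"),
    ("198.51.100.5", "GET / HTTP/1.1\r\nHost: www.example.net\r\n\r\n"),
]

# Host names and IPv4 literals only; the colon exclusion drops an optional :port.
HOST_RE = re.compile(r"^Host:\s*([^\r\n:]+)", re.IGNORECASE | re.MULTILINE)

def host_header(raw):
    """Return the Host header value (port stripped, lower-cased) or None."""
    m = HOST_RE.search(raw)
    return m.group(1).strip().lower() if m else None

def check_request(dst_ip, raw, dns=DNS_ANSWERS):
    """'ok' if the Host header is consistent with the destination IP, 'spoofed-host'
    if the name never resolved to it, 'no-host'/'unresolved' if no comparison is possible."""
    host = host_header(raw)
    if host is None:
        return "no-host"
    try:  # an IP literal in Host must simply equal the destination
        return "ok" if ipaddress.ip_address(host) == ipaddress.ip_address(dst_ip) else "spoofed-host"
    except ValueError:
        pass
    answers = dns.get(host)
    if answers is None:  # the name was never looked up in this capture: suspicious, not provable
        return "unresolved"
    return "ok" if dst_ip in answers else "spoofed-host"

def find_spoofed(requests, dns=DNS_ANSWERS):
    """Return (destination IP, Host) pairs whose Host header disagrees with observed DNS."""
    return [(ip, host_header(raw)) for ip, raw in requests
            if check_request(ip, raw, dns) == "spoofed-host"]

if __name__ == "__main__":
    for ip, host in find_spoofed(REQUESTS):
        print(f"Host header {host} sent to {ip}, an address that name never resolved to")
```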

The malicious binary used a custom packer and wasn’t difficult to unpack.

[Image: unpack_data_mz]

Once unpacked, you can see several interesting strings in the binary, below:

[Image: cidox_strings_unpacked]

This binary checks whether it is running under VMware and also looks for antimalware services. Remember, the network traffic shown earlier contains “&vm=” and “&av=” parameters; we can conclude that the binary sets those parameters based on these checks. I could go on and on in this blog, but for your sake I will focus only on a couple of important items. The binary starts its main operation with process replacement, overwriting the memory space of a running process with a malicious executable: it creates an “explorer.exe” process in suspended mode and maps its own code into that process’s memory, as shown next:

[Image: cidox_create_process]

It then executes the mapped code with the “ResumeThread” procedure. The binary next drops a few files:

[Image: dropped_explorer]

It sets a registry key whose value is the path to a DLL, so that every process that loads user32.dll will also load this DLL. It also drops some configuration files under the Cookies directory:

[Image: dropped_cf_files]

The cf file is encrypted; we will look into it shortly, but first we need to see the HTTP header generated by this binary. The binary collects information such as the browser, the operating system and its version (32- or 64-bit), and the results of the antimalware and VMware checks, and prepares the HTTP GET request. Here is a screenshot of the GET request header being built in the process:

[Image: cidox_get_request_header]

As we suspected, the binary has a hard-coded Host header pointing to metrika.yandex.ru, but the actual destination domain is different and may come from the dropped encrypted configuration file. The response from the server is encrypted, as shown here:

[Image: cidox_encryted_response]

The binary uses a custom Tiny Encryption Algorithm (TEA) to encrypt and decrypt the data. Here the call is made to decrypt the response from the server:

[Image: cidox_tea_call]

TEA uses a 128-bit key for its encryption and decryption routine. The binary uses two hard-coded keys: one to decrypt the data that comes from the server and a second to encrypt the data it stores locally, as shown in the preceding image. The encryption method is easy to identify from a few constant values found in the algorithm. Here is a snapshot of the TEA code:

[Image: tea_decryption_code]
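For reference, here is standard TEA written out in Python as an added example (it is not the sample’s own routine): the 0x9E3779B9 delta and the 32-round structure are the constant values an analyst spots in the disassembly, and the decrypt side shows how a recovered 128-bit key is applied to a server response. The sample’s custom variant may differ in round count, byte order or key schedule; the key and configuration bytes below are constructed.

```python
import struct

DELTA = 0x9E3779B9   # golden-ratio constant: the tell-tale value in TEA disassembly
ROUNDS = 32          # standard TEA; a custom variant may use a different count
MASK = 0xFFFFFFFF

def _encrypt_block(v0, v1, k):
    """Standard TEA on one 64-bit block given as two uint32, key k = four uint32."""
    total = 0
    for _ in range(ROUNDS):
        total = (total + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + total) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + total) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1

def _decrypt_block(v0, v1, k):
    """Inverse of _encrypt_block: the same schedule walked backwards."""
    total = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + total) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + total) ^ ((v1 >> 5) + k[1]))) & MASK
        total = (total - DELTA) & MASK
    return v0, v1

def _ecb(data, key, block_fn):
    """Apply block_fn to each 8-byte block; words are little-endian as x86 code stores them."""
    if len(key) != 16 or len(data) % 8:
        raise ValueError("key must be 16 bytes and data a multiple of 8 bytes")
    k = struct.unpack("<4I", key)
    out = bytearray()
    for i in range(0, len(data), 8):
        out += struct.pack("<2I", *block_fn(*struct.unpack("<2I", data[i:i + 8]), k))
    return bytes(out)

def tea_encrypt(data, key):
    return _ecb(data, key, _encrypt_block)

def tea_decrypt(data, key):
    return _ecb(data, key, _decrypt_block)

# Constructed stand-ins for a hard-coded key and a NUL-padded configuration entry.
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_CONFIG = b"c2.example.invalid".ljust(24, b"\x00")

if __name__ == "__main__":
    ciphertext = tea_encrypt(SAMPLE_CONFIG, SAMPLE_KEY)
    print(ciphertext.hex())
    print(tea_decrypt(ciphertext, SAMPLE_KEY).rstrip(b"\x00").decode())
```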

Once decrypted, the response turns out to be a configuration file containing domain names, as seen below:

[Image: cidox_decrypted_config]

The binary stores this information in encrypted form in the file cf, as we saw earlier. It then downloads and installs another malicious program from a different server named in the configuration file. Here is the request:

[Image: http_objects]

The request to dldc.php returns an encrypted response that contains another executable file.

[Image: dldc_exe]

We won’t go into the details of the downloaded binary. The attacker behind this Trojan collects a lot of information through the GET request, including the results of the antimalware and VMware checks. The binary makes detection difficult for automated analysis systems and for intrusion detection or prevention systems by using a spoofed Host header and a custom TEA to encrypt its data. As we have learned, we can’t rely solely on the HTTP Host header to judge whether traffic is going to a malicious domain.

Futuristic bracelet uses heartbeats as a password—but is it secure?

A security startup has unveiled a wearable device that's designed to replace the hassle of passwords by using a person's unique heartbeat signature to log on to computers and unlock car doors. While the device is intriguing, the dearth of key technical details makes it impossible to assess the marketers' promise that it provides "complete security without compromising convenience."

The Nymi is a small bracelet equipped with a sensor that reads the electrocardiogram (ECG) of the person wearing it. Once it has verified that the heart signature belongs to the person who registered it, it provides a means of authentication that can in theory be used to access a virtually endless supply of electronic devices, including airport kiosks, hotel room doors, and sensitive computer networks. It relies on three factors of authentication—that is, two things the user has in the form of the bracelet and a paired mobile device, and one thing the user is in the form of a verified ECG. A slick promotional video shows someone gliding from bed to airports to hotels to cafes, effortlessly logging into devices and unlocking doors without once having to enter a password or procure a key. Sure sounds tempting.

[Image: Nymi by Bionym]

Alas, there's not enough information available about the Nymi's inner workings to know if it is truly groundbreaking or another dose of the kind of snake oil that's all too common in the security circuit. Karl Martin, CEO of the Nymi creator Bionym, said the device hasn't yet undergone a formal security audit. That means even he can't say just how impervious it is to the kinds of sophisticated attacks that would inevitably target a universal sign-on gizmo, although he gave some high-level details that are encouraging. That said, there are several classes of hacks that might be used to compromise the security assurances of the device.

G20 Summit Used as Bait to Deliver Backdoor.Darkmoon

Ahead of this week's G20 summit in Saint Petersburg, Russia, attackers are leveraging the meeting's visibility in targeted attacks.

One particular campaign we have identified is targeting multiple groups. They include financial institutions, financial services companies, government organizations, and organizations involved in economic development.

[Image: image1_11.png]

Figure 1. Email purporting to be from a G20 representative

The email purports to be sent on behalf of a G20 representative. The email continues:

Many thanks for circulating these updated building blocks. Please find the UK comments on these attached. I look forward to seeing you in St Petersburg soon.

The ‘building blocks’ mentioned are the theme of multiple documents, which discuss the UK government’s feedback on a series of building blocks to address development, anti-corruption, and employment.

[Image: image2_6.png]

Figure 2. File listing for the malicious attachment

Attached to the email is a RAR archive file. The archive contains five files, two of which masquerade as different file types. One of the documents is actually an executable, while the .msg file is a .lnk file, a trick we have seen used in attacks before. If the victim tries to open the .msg file, it runs both the malicious executable and one of the non-malicious documents. The five files contained in the archive, and their MD5s, are as follows:

File name                                     MD5
UKcomments.msg.lnk                            7960F23DC79D75005C1C98D430FAC39B
UK_Building_block_TRADE.docx                  53C60480254BCEB41660BD40AA12CECB
UK_Building_block_ANTICORRUPTION.doc          099A1C43677FD1286B380BCBF9BE90F4
UK - Building block_EMPLOYMENT - Aug.docx     05BC1C528E6CD49C9B311C25039FC700
UK - Building block_DEVELOPMENT - Aug.docx    C9F0DFAD687F5700325C4F8AEAEFC5F8

[Image: image3_6.png]

Figure 3. Non-malicious document presented to the victim

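The two masquerades in the archive listing above (a .lnk shown as .msg because Explorer hides the .lnk extension, and an executable carrying a document extension) can be caught by comparing each member’s leading bytes with the type its displayed name implies. This is an added Python illustration, not Symantec’s code or data; the member contents are constructed header bytes, and the second file name is made up rather than identifying which real document was the executable.

```python
import os

# Shell Link header: HeaderSize 0x4C, then the LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")       # .doc, .xls and Outlook .msg containers
SIGNATURES = [("lnk", LNK_MAGIC), ("pe", b"MZ"), ("ole", OLE_MAGIC), ("zip", b"PK\x03\x04")]
EXPECTED = {".lnk": "lnk", ".exe": "pe", ".doc": "ole", ".msg": "ole", ".docx": "zip"}

# Constructed stand-ins for archive members (header bytes only); the real files are not reproduced.
SAMPLES = {
    "UKcomments.msg.lnk": LNK_MAGIC + b"\x00" * 16,
    "Building_block_SAMPLE.docx": b"MZ\x90\x00" + b"\x00" * 12,   # an executable in .docx clothing
    "UK_Building_block_ANTICORRUPTION.doc": OLE_MAGIC + b"\x00" * 8,
    "UK - Building block_EMPLOYMENT - Aug.docx": b"PK\x03\x04" + b"\x00" * 12,
}

def detect_type(data):
    """Identify the container by its leading bytes, ignoring the file name entirely."""
    for kind, magic in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"

def displayed_name(filename):
    """Explorer never shows .lnk, so a .msg.lnk file is presented to the user as .msg."""
    return filename[:-4] if filename.lower().endswith(".lnk") else filename

def assess(filename, data):
    """Return findings for one member: a type mismatch and/or a hidden .lnk extension."""
    findings = []
    shown = displayed_name(filename)
    ext = os.path.splitext(shown)[1].lower()
    actual = detect_type(data)
    expected = EXPECTED.get(ext)
    if expected is not None and actual != expected:
        findings.append(f"{filename}: shown as {ext} but content is {actual}")
    if shown != filename:
        findings.append(f"{filename}: .lnk hidden by Explorer, user sees {shown}")
    return findings

def scan(members):
    """Flatten findings over a {name: bytes} archive listing."""
    return [f for name, data in members.items() for f in assess(name, data)]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```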
The victim is shown a non-malicious document. What is interesting about these documents is that each has track changes enabled and contains the UK comments referred to in the original email. At this time we cannot verify the authenticity of these documents, but we observed that they were modified earlier this month and that their metadata states they were last modified by a user named “UK Government.”

[Image: image4_2.png]

Figure 4. Author information from the document

The malicious executable that runs in the background is known as Poison Ivy. Symantec detects this executable as Backdoor.Darkmoon.

Backdoor.Darkmoon is a well-known remote access Trojan (RAT) that has been used in various targeted attack campaigns over the years, including The Nitro Attacks which we reported on in 2011.

When executed, this version of Backdoor.Darkmoon will copy itself to %Windir% as winupdsvc.exe. It will then attempt to connect to the following URLs on ports 80, 8080, or 443:

  • [http://]www.verizon.itemdb.com
  • [http://]www.verizon.dynssl.com
  • [http://]www.verizon.proxydns.com

While this particular campaign leverages Darkmoon, we have found other campaigns from the same group using different threats. Last month, we found them using Java remote access tools (jRAT) that we identify as Backdoor.Jeetrat and Backdoor.Opsiness, also known as Frutas RAT.

Security Response is aware of other groups using the G20 Summit as a theme in targeted attacks, which showcases how this particular meeting is ripe for attackers to use as bait.