Infostealer.Nemim: How a Pervasive Infostealer Continues to Evolve

Contributor: Satnam Narang

Previously we blogged about Backdoor.Egobot and outlined how it targets specific industries while maintaining a low profile. The cybercriminals behind Egobot may also have developed Infostealer.Nemim for a more widespread and prevalent campaign. Despite a difference in scope, both threats steal information from compromised computers and there are indications these two threats originate from the same source.
 

Nemim components

Symantec detected Nemim in the wild as early as the fall of 2006. One of the earliest samples contained a timer mechanism to determine when to remove itself from the compromised computer. Removal was conditional and tied to a fixed date or based on the number of times the sample was executed. The timer mechanism feature was also found in samples of Egobot.

The Nemim samples we analyzed were digitally signed with stolen certificates and, over time, the malware was updated with three components:

  1. Infector component
  2. Downloader component
  3. Information stealer component
     

Infector component

The infector component is designed to infect executables in specific folders. In particular, the infector targets the %UserProfile% folder and all of its subfolders.

Infection is not sophisticated. Nemim copies itself into a new section named .rdat added at the bottom of the infected file. The original entry point of the infected file is altered in order to point to the Nemim code in the .rdat section. The infection code is responsible for decrypting, dropping, and running an embedded executable file in the following path:

  • %AllUsersProfile%\Application Data\Microsoft\Display\igfxext.exe

This executed file is the downloader component.
 

Downloader component

The downloader component acts as a wrapper for an encrypted executable. After decryption, the encrypted executable is loaded dynamically. This encrypted executable file contains the actual downloader functionality. However, before downloading, the malware harvests the following system information from the compromised computer:

  • Computer name
  • User name
  • CPU name
  • Operating system version
  • Number of USB devices
  • Local IP address
  • MAC address
     

image1_13.png

Figure 1. System information harvested by Infostealer.Nemim from compromised computers
 

This harvested information is encrypted, converted to Base64, and sent to the command-and-control (C&C) server, just like Egobot. The harvested information is viewable on the C&C server in an unencrypted format. For instance, the P2Pdetou variable shows computer name and user name: [COMPUTER NAME]@[USER NAME]. The server then responds with basic commands, including a payload that is dropped and executed. The downloader then expects the server to respond with a "minmei" string accompanied by the following commands:

  • up
  • re
  • no

The up command, for instance, indicates that the downloaded data contains an executable payload that the downloader will decrypt and run.
 

Information stealer component

The Information stealer component can steal stored account credentials from the following applications:

  • Internet Explorer
  • Mozilla Firefox
  • Google Chrome
  • Microsoft Outlook
  • Outlook Express
  • Windows Mail
  • Windows Live Mail
  • Gmail Notifier
  • Google Desktop
  • Google Talk
  • MSN Messenger

The information stealer sends stolen data back to the C&C server and, like the downloader, expects a "minmei" string in response.
 

Geographical distribution and protection

Japan and the United States are the main targets of Nemim, followed by India and the United Kingdom.
 

image2_3.jpeg

Figure 2. Infostealer.Nemim geographical distribution
 

Symantec detects all the components of these threats to protect customers from attacks:

Nemim and Egobot connection

Analysis of the Nemim binaries revealed a connection to Backdoor.Egobot due to several similarities found in both threats.
 

 

Nemim

Egobot

Information gathered in specific formats using specific tags

[email protected] : %[email protected]%s (%s)
C P U : %s
System OS: %s (%s)
Net card : %s(%s)

[email protected] : %[email protected]%s (%s)
C P U : %s
System OS: %s (%s)
Net card : %s(%s)

Information encryption

Encrypted and Base64 encoded

Encrypted and Base64 encoded

C&C communication format

[URL/IP]/[PATH]/[FILE].php?a1=
%s&a2=%s&a3=%s

[URL/IP]/[PATH]/[FILE].php?arg1=
%s&arg2=%s&arg3=%s

Code injection technique

Microsoft Detours functionality
(early versions)

Microsoft Detours functionality
(all versions)

Table 1. Similarities between Nemim and Egobot
 

Based on these similarities and the overlapping timelines of both the campaigns it is apparent that Nemim and Egobot come from the same source.
 

Potential for a new campaign

Nemim continues to operate today and has effectively evolved over time. For instance, the string encryption has become non-trivial, stolen digital certificates have been upgraded with newer ones, and there are now checks in place to detect common virtual machines. Indeed, for the last seven years the attackers have shown an unwavering commitment to innovation and have developed malware that is adaptable to fit the needs of two different attack campaigns. We expect this innovate trend will continue with a high potential for new campaigns.

Backdoor.Egobot: How to Effectively Execute a Targeted Campaign

Contributor: Satnam Narang

Backdoor.Egobot is a Trojan used in campaigns targeting Korean interests. The execution of the campaigns is straightforward and effective. Symantec data indicates the campaigns have been in operation since 2009. Egobot has continuously evolved by adding newer functionalities. The attackers use the four golden rules of a targeted campaign:

  1. Identify targets
  2. Exploit targets (in order to drop the payload)
  3. Perform malicious activity (in this case, stealing information)
  4. Remain undetected

We have also uncovered a parallel campaign that has been in operation as early as 2006, which we will cover in another blog.
 

Egobot targets

Egobot is targeted at executives working for Korean companies and also at executives doing business with Korea. Industries targeted with Egobot include:

  • Finance and investment
  • Infrastructure and development
  • Government agencies
  • Defense contractors

Targets are located around the globe and include Korea, Australia, Russia, Brazil, and the United States.
 

image1_12.png

Figure 1. Countries targeted with Backdoor.Egobot
 

The aim of the Egobot campaign is to steal confidential information from compromised computers.
 

Exploitation

The attackers gather information about their targets using social engineering techniques prior to luring them into the trap. The targets are sent a spear phishing email, often pretending to be sent from a person they already know. The spear phishing email contains a relevant or enticing message to the target, prompting them to open the malicious attachment. The malicious attachment may be a shortcut .lnk file that points to a file hosted on GeoCities Japan.
 

image2_7.png

Figure 2. Egobot spear phishing email with malicious shortcut attachment
 

Various malicious attachments have been used in this campaign:

When attachments are opened it triggers the following three-stage download process:

Stage 1: Download obfuscated HTML file

Each of the attachments downloads malware from sites hosted on GeoCities Japan. The files vary, but are usually named update[YYYYMM].xml which is  an obfuscated HTML file that drops an executable on the system.

Stage 2: Download RAR archive

The dropped executable from Stage 1 then retrieves another file from GeoCities Japan. This file is hotfix[YYYYMM].xml, which is an executable RAR file. Both downloaded files in the first two stages are disguised as XML documents in an attempt to pass as a clean file.

Stage 3: Download back door component

The executable RAR file is responsible for preparing the system. It drops a set of files which are responsible for moving files around, injecting a component into processes, and stealing the following system information:

  • Windows version
  • Installed service pack version
  • Install language
  • User name
     

image3_7.png

Figure 3. Stolen system information found in Egobot strings
 

Stolen information is sent to Egobot's command-and-control (C&C) server in the following format:

  • /micro/advice.php?arg1=1irst&arg2=[BASE64 ENCODED STRING]
  • /micro/advice.php?arg1=1irst&arg2=[HASH]&arg3=[BASE64 ENCODED STRING]
     

image4_3.png

Figure 4. Communication back to C&C server, arg1 value highlighted
 

Data that is sent back to the C&C is encrypted using a rotating key embedded within the malware. We observed the following two specific keys:

  • youareveryverygoodthing
  • allmyshitisveryverymuch

Finally, the executable RAR file downloads one last component from GeoCities Japan. This downloaded file is named using the value of arg1 in the GET command sent to the C&C. In this case, Egobot attempts to download a file called 1irst.tmp, which is the main payload.
 

Stealing information

The main payload has specific functions that are potentially disastrous for targeted business executives. These functions include:

  • Recording video
  • Recording audio
  • Taking screenshots
  • Uploading files to a remote server
  • Obtaining a recent document list
  • Searching for a string or pattern in a file
  • Deleting and setting restore points

The stolen information is uploaded to remote servers hosted in Malaysia, Hong Kong, and Canada. The attackers have also updated their code to include 64-bit versions to work seamlessly across 64-bit platforms.
 

Staying under the radar

Egobot is downloaded onto a system as a bundled RAR archive with various components packed using commercial packers exe32pack and UPX. These following components are used to mask the presence of the malware:

  1. Detoured component: Backdoor.Egobot is compiled using an older version of Microsoft's Detours software package functionality, which includes the detoured.dll file. This file is used to attach malicious .dll files to legitimate Win32 binaries. Egobot can use this file to run itself in the memory of a legitimate process, masquerading as a clean process.
  2. Coordinator component: Prepares files by moving them into the appropriate folders and injecting them into legitimate processes. Backdoor.Egobot is typically injected into the explorer.exe, subst.exe, and alg.exe processes.
  3. Timer functionality: Some versions of the back door component include a timer functionality so the Trojan can delete itself after a certain date. This feature removes any traces of Backdoor.Egobot.
     

image5_3.png

Figure 5. Backdoor.Egobot components
 

Symantec customers are protected by Symantec Email Security.cloud. Malicious samples from this campaign are detected as Trojan Horse, Trojan.Dropper, Trojan.Mdropper, and Backdoor.Egobot.

And, unfortunately, there is more to this story. Through our research into Egobot, Symantec has identified a parallel operation related to Egobot that has been active since 2006, about three years before Egobot. Further details on the Nemim campaign—including its relation to the Egobot campaign—are explained in a separate blog, Infostealer.Nemim: How a Pervasive Infostealer Continues to Evolve.

Stealthy technique fingerprints smartphones by measuring users’ movements

Computer scientists have devised a technique that could one day allow advertisers or law enforcement organizations to surreptitiously fingerprint smartphones.

The attack, recently unveiled by a team of researchers from Stanford University, could be attractive because it works against virtually any smartphone equipped with an "accelerometer." That's the sensor that determines the tilt a person is using to orient a smartphone and shifts the display to either landscape or vertical, accordingly. No special apps or permissions are required beyond a standard browser running with default settings. The technique leaves no browser cookies or other files on the device disk, making it hard for end users to detect using any security or privacy software available today.

The technique works when a smartphone visits a website that hosts JavaScript code that queries the accelerometer for its orientation. This proof of concept site requires the phone to be held face up on a flat surface and a few moments later for it to be tapped and then turned face down. While the z coordinates measured by the sensor should in theory measure -1 and 1 respectively, most smartphones inevitably report miniscule variations—0.71217 and 0.99324 for example on a test device, rounded down for purposes of anonymity. The precise coordinates, according to the site, were unique among 5,000 records.

Read 3 remaining paragraphs | Comments


    






How NSA breakthrough may allow tracking of “burner” cell phones

In the HBO hit series The Wire, disposable cell phones were the bane of detectives' lives. Drug dealers obtained these prepaid "burners" in mass quantities with cash at multiple stores hundreds of miles away from where they were used. After a week or two of use, a crook would destroy one cheap handset and fetch a new one. The Baltimore Police detectives' inability to tap the phones stymied their investigation into one of the city's most ruthless crime families—until they found a way to track the devices.

The National Security Agency may have made a similar breakthrough. Cato Institute researcher and Ars alum Julian Sanchez recently pulled a few sentences from a 2009 declaration by NSA Director Keith Alexander. They describe an unnamed tool that routinely accessed the vast database of call records assembled by the NSA. Sanchez argues that the purpose may be to identify burner phones used by NSA targets. The tool, according to Alexander's declaration:

was automatically invoked to support certain types of analytical research. Specifically, to help analysts identify a phone number of interest. If an analyst conducted research supported by [REDACTED] the analyst would receive a generic notification that NSA’s signals intelligence (“SIGINT”) databases contained one or more references to the telephone identifier in which the analyst was interested; a count of how many times the identifier was present in SIGINT databases; the dates of the first and last call events associated with the identifier; a count of how many other unique telephone identifiers had direct contact with the identifier that was the subject of the analyst’s research; the total number of calls made to or from the telephone identifier that was the subject of the analyst’s research; the ratio of the count of total calls to the count of unique contacts; and the amount of time it took to process the analyst’s query. [REDACTED] did not return to the analyst the actual telephone identifier(s) that were in contact with the telephone identifier that was the subject of the analyst’s research and the analyst did not receive a listing of the individual NSA databases that were queried by [REDACTED].

Sanchez writes:

Read 2 remaining paragraphs | Comments