W32/Worm-AAEH Replaces Cryptor With One Used by Dofoil Downloaders

The W32/Worm-AAEH family (aliases: Beebone, VObfus, Changeup) of Trojans/downloaders/worms has been notorious for consistently morphing itself and switching control servers since June 2009. In June 2013, the AAEH worm made its biggest cosmetic change since 2009 by packaging an entire encrypted binary (containing all the malicious W32/Worm-AAEH code) inside its signature cryptor, which previously held only RC4-encrypted strings. Although minor details such as the amount of obfuscation and the number of RC4 rounds have changed over time for the outer packed layer, the essential algorithm remained constant: RC4, keyed with a random string concatenated with a 32-bit decimal number.

However, that changed on July 21, 2014, when we observed the control server shut down temporarily for four and a half hours. When the server returned, it served the malware packed with the new cryptor. Although both cryptors were created with Visual Basic, use RC4 for encryption, and are based on RunPE to inject the decrypted binary, the structure of the packer, code, and obfuscation is quite different. For example, as we see in the following image, the encrypted data in the older packer was randomly inserted within the first section of the file. The new packer stores the encrypted data in the overlay area of the sample and sandwiches all encrypted content and their decryption keys with markers.

[Image: skarve_aaehdof1]

The new cryptor (which we have seen before delivering other malware) used to deliver W32/Worm-AAEH is the same cryptor used by spammer components in the Dofoil family of downloaders. This similarity seems to be more than just chance, because both families slightly modified their cryptor samples on July 23, at roughly the same time and with identical changes: both prefixed the overlay markers with the same byte (0x05 in this case). The two samples are otherwise identical, differing only in the RC4 key and (of course) the encrypted content.

[Image: skarve_aaehdof2]

Although the cryptor was modified in the same way by both families, the embedded malware samples were unchanged. We don’t know whether the malware operators of both families are working together or use the same source to procure the cryptor. Other malware families, such as Cutwail, also use a similar cryptor.

The new cryptor is straightforward. It surrounds the encrypted content and the RC4 keys with a marker. The first block in the overlay contains the key, the second contains the encrypted, "hexlified" position-independent RunPE injection code, and the final block contains the encrypted binary. The RunPE code uses the familiar injection sequence: VirtualAllocEx, WriteProcessMemory, SetThreadContext to point the thread at the decrypted binary's original entry point (OEP), and ResumeThread to begin execution from the OEP.

[Image: skarve_aaehdof3]

[Image: skarve_aaehdof4]

[Image: skarve_aaehdof5]
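An analyst-side parser for the overlay layout described above, added here as an example rather than code from the post or from either malware family: it splits the marker-delimited blocks, detects the 0x05-prefixed marker variant, and RC4-decrypts the loader and payload blocks with the key from the first block. The marker bytes, the use of a single key for both encrypted blocks, and the hexlify-then-encrypt order are assumptions, since the post does not publish them.

```python
import binascii

# Constructed values for this demo: the post describes marker-delimited blocks
# in the overlay but does not publish the marker bytes, so this is a placeholder.
MARKER = b"<<ASSUMED-MARKER>>"
PREFIX = b"\x05"  # byte the July 23 builds prepend to every marker (from the post)


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def split_overlay(overlay, marker=MARKER):
    """Return the blocks sandwiched between markers, detecting the 0x05-prefixed
    marker variant so both July builds parse the same way."""
    if overlay.startswith(PREFIX + marker):
        marker = PREFIX + marker
    blocks, pos = [], 0
    while (start := overlay.find(marker, pos)) >= 0:
        start += len(marker)
        end = overlay.find(marker, start)
        if end < 0:
            raise ValueError("block opened at offset %d is never closed" % start)
        blocks.append(overlay[start:end])
        pos = end + len(marker)
    return blocks


def unpack_overlay(overlay):
    """Block 1 = RC4 key, block 2 = RC4(hexlified loader), block 3 = RC4(payload).
    Assumption: the single key from block 1 covers both encrypted blocks."""
    key, enc_hex_loader, enc_payload = split_overlay(overlay)[:3]
    return key, binascii.unhexlify(rc4(key, enc_hex_loader)), rc4(key, enc_payload)


def build_sample(key, loader, payload, prefixed=False):
    """Constructed test overlay in the described layout (not real malware bytes)."""
    m = (PREFIX if prefixed else b"") + MARKER
    return m + key + m + m + rc4(key, binascii.hexlify(loader)) + m + m + rc4(key, payload) + m
```

Because the markers are plain byte strings, a real extractor should also verify the decrypted third block looks like a PE (MZ header) before trusting the split, since encrypted data can in principle contain the marker bytes by chance.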

McAfee customers are protected from both families by Dropper-FIR, Dropper-FJE, and other signatures.

Samples:

W32/Worm-AAEH new cryptor: 52AF3736510FD1A383CB2D0F7607D463
W32/Worm-AAEH old cryptor: 5629A1C24EE44EE771E14E0C21FB5A52
W32/Worm-AAEH padded overlay: 04AD6C631FDA0B7E388FC87F87A6346D
Dofoil padded overlay: AF9D96D85738DBD95974BB6A658B7158

The post W32/Worm-AAEH Replaces Cryptor With One Used by Dofoil Downloaders appeared first on McAfee.