In our recent blog post, we discussed how Buhtrap is delivered through a compromised website and a recent web exploit. In this post, we focus on the second-stage payload and the current state of the Buhtrap operation.

The Buhtrap downloader performs checks before it infects a system. First, the system must have banking processes or banking software running, mostly Russian ones. Alternatively, the system must show an indication that it visits any of the Russian banks defined in the downloader's list.

If the system meets either of the two requirements above, the downloader fetches and executes the next-stage malicious payload; otherwise, it downloads a benign sample.

Technical Analysis of Second Stage Payload

[Screenshot: cnc_landing]

The second-stage payload is an NSIS-compiled sample, as seen in previous Buhtrap samples. This is one way Buhtrap tries to evade AV detection: by disguising itself as an installer. NSIS is open source software widely used to build installers. Recently, we have seen a trend of ransomware adopting the same method, as in the case of Locky and Cerber.

The sample is also digitally signed with a valid digital certificate and carries file properties and version information.

[Screenshot: file_prop]

Installation

Inside the NSIS package is a password-protected 7zip archive where all of its components are stored. A command-line 7zip tool is also included in the package to extract the component files. The password is hardcoded in the NSIS script and differs from the passwords of other Buhtrap samples we have seen; for this sample, the password is “p2DP9ENv5bK”. The installer also modifies file timestamps using a custom utility, FileTouch.exe, which is essentially similar to the touch utility on Linux.

Below are snippets of the NSIS script that we extracted:

[Screenshot: nsis_2]

We executed the file on our box but we found that it did not do anything. Inspecting the NSIS script reveals that it is checking if the system language is Russian via GetSystemDefaultLangID.

[Screenshot: nsis_1]

We hooked this API and forced the malware to think we are in a Russian system.

[Screenshot: hook_getsystemdefault]

After which, the following commands and processes were observed:

attrib -h -s -r “C:\Users\Administrator\AppData\Roaming\Microsoft\Zerno”
7za.exe x -p2DP9ENv5bK install.dat dev2055.tmp -aoa
7za.exe x -p2DP9ENv5bK dev2055.tmp -aoa -o8992023.tmp
7za.exe x -p2DP9ENv5bK install.dat FileTouch.exe -aoa
C:\Users\Administrator\AppData\Roaming\Microsoft\Zerno\zerno.exe

As shown above, the malware components are extracted into “%AppData%\Microsoft\Zerno”, and zerno.exe is then executed. The Zerno folder contains the following files:

[Screenshot: zerno_folder]

From these files, only the files zerno.exe and msvcr71.dll are malicious. The other files are benign files which are part of Notepad++ software. This is an attempt to obscure its malicious behavior as it tries to pretend to be a legitimate Notepad++ installer.

For persistence, it creates a shortcut link in the start-up folder that will launch zerno.exe at every startup.

[Screenshot: zerno_startup]

What Does this Malware Do?

The main executable is zerno.exe and interestingly its only job is to launch the msvcr71.dll library which performs all the malicious behavior.

Msvcr71.dll

This library contains all of the malicious routines. It is a trojan-spyware with the following functions:

  • Keylogger
  • Get System Info
  • Read Smart Card Info
  • Downloader

Keylogger

The keylogger thread creates an invisible window with its own window procedure, then retrieves and handles the messages delivered to it. It logs this information into “uninstall.log” in the %temp% folder.

[Screenshot: uninstall_sample2]

The following snapshot illustrates how the keylogger routine is implemented.

[Screenshot: keylogger]

Smart Card Reader

One of its interesting payloads is to read smart card information. It lists available smart card readers and their status by using “WinSCard.dll” APIs:

[Screenshot: winscard]

It does not actually read the contents of the smart cards; it only determines the readers' status. It logs all of this information to “uninstall.log”.

Downloader

It is also capable of downloading additional malware from its CnC server. Another interesting feature of this malware is diskless loading, selected by checking the response from the server. The first two bytes are checked: if the downloaded file starts with ‘MZ’ (0x5A4D), it writes the file into the %temp% folder and executes it. If the response starts with “LD” (0x444C), it only loads the malware into memory.

[Screenshot: detectedmz]

Diskless Loading

[Screenshot: diskless_loading]
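The dispatch on the first two response bytes, as an added illustration for defenders (this is not code from the original analysis or from the malware): the magic values the text quotes are exactly what b"MZ" and b"LD" become when read as one little-endian 16-bit word, and only the "MZ" path leaves a file artifact in %temp% to find. The sample response bodies are constructed.

```python
import struct
from collections import Counter

# Magic values as the downloader compares them: the first two bytes of the
# response read as a single little-endian 16-bit word. b"MZ" is 0x4D 0x5A on
# the wire, which a little-endian read yields as 0x5A4D; b"LD" (0x4C 0x44)
# becomes 0x444C.
MZ_WORD = 0x5A4D
LD_WORD = 0x444C


def magic_word(prefix: bytes) -> int:
    """Read the first two bytes of a buffer as a little-endian WORD."""
    return struct.unpack_from("<H", prefix, 0)[0]


def classify_response(body: bytes) -> str:
    """Return the action the downloader takes for a given server response body."""
    if len(body) < 2:
        return "ignored"
    magic = magic_word(body)
    if magic == MZ_WORD:
        return "drop-to-disk"   # written to %temp% and executed: file artifact exists
    if magic == LD_WORD:
        return "memory-only"    # loaded in memory only: no dropped file, hunt in memory/network
    return "ignored"


def triage(responses):
    """Count captured response bodies by the action they would trigger."""
    return Counter(classify_response(b) for b in responses)


# Constructed sample bodies (not real captures): a PE header stub, an "LD" blob,
# an unrelated HTML reply and a truncated one.
SAMPLES = [
    b"MZ\x90\x00" + b"\x00" * 60,
    b"LD" + b"\xab" * 32,
    b"<html>not a payload</html>",
    b"M",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(body[:2], "->", classify_response(body))
    print(dict(triage(SAMPLES)))
```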

CnC server

It communicates with its CnC server, “quotedb.info”, via HTTP POST. All communication we observed was encrypted.

[Screenshot: capture]

State of Buhtrap Operation

As stated in our previous blog post, the IP of rozhlas.site is 50.7.86.243. We looked into the domain history of this IP and found some interesting information about the current state of Buhtrap.

Domain                               Last Resolved
getadobe.org                         5/10/2016
chromelabs.org                       5/13/2016
adobelabs.org                        5/14/2016
canvaslabs.org                       5/22/2016
57569b378f3fb.archive.getadobe.org   6/7/2016
chrome.services                      7/2/2016
get.adobelabs.org                    7/2/2016
safechrome.services                  7/11/2016
www.safechrome.services              7/28/2016
cdn.lidovky.site                     8/9/2016
rozhlas.site                         8/17/2016
getcanvas.org                        9/14/2016
medioca-room02.org                   9/28/2016

From the domain history, it appears they used this IP from May to September 2016, but it is very possible that they are still using the same IP for their operation. Looking into the details of each domain, we find multiple samples that differ in behavior but appear related to the Buhtrap operation. For instance, five samples downloaded from getadobe.org behave differently from the sample described in this post. Those samples are detected by Kaspersky as “Trojan.Win32.Karamanak”, which is also their detection name for the sample in this post.

As seen in the domain list, they also use domain names that reference Chrome, Adobe or popular graphics software as a way to stay under the radar.

Chromelabs.org

Using this domain, the actors started using CVE-2016-0189 as their infection method. In fact, they used the same binary exploits found in the Offensive Security GitHub repository. The following files were downloaded from this domain:

  • http://chromelabs.org/data/shell32/51d2a95ddc.dll
  • http://chromelabs.org/a3b4x62.exe
  • http://chromelabs.org/blog/dsfsdhdh.vbs
  • http://chromelabs.org/news/dsfsdhdh.exe
  • http://chromelabs.org/track/automate.js

Adobelabs.org

A similar NSIS-compiled payload was downloaded from this domain.

Also, the following files, which appear as installers, connect to this domain:

MD5                               Filename                   Signer
2530a11c4fa57fd3f9cdc30c8fd40878  Shockwave_setup.exe        LLC LVIV IT!
ead9344c8022e0479ebe272472d6197a  chrome_update_win.exe      Bit-Trejd
fda920b3d72728f6a89672e07a900c70  chrome_update.exe          LLC LVIV IT!
e5f01322da2b6cda707a8135c7320b79  shockwave_setup_winax.exe  Bit-Trejd

Getcanvas.org

The samples we have seen from getcanvas.org are the same samples we found on rozhlas.site.

Conclusion

Based on this research, it appears that the actors follow a set of patterns in their attacks:

  • Using digitally signed malware
  • Using NSIS and hiding their components in a password protected archive
  • Using domains that resemble popular software, e.g. Adobe, Chrome
  • Constantly changing their CnC domain but using the same IP

It is also evident that the actors are still very active. They are careful not to infect systems that are not their targets, which allows them to stay under the radar for as long as possible. These tactics, techniques and procedures are the hallmark of advanced persistent threat (APT) groups.

Analysis by Dhruval Gandhi & Paul Kimayong.