{"id":82852,"date":"2016-05-10T11:58:19","date_gmt":"2016-05-10T06:28:19","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=82852"},"modified":"2016-05-10T14:09:00","modified_gmt":"2016-05-10T08:39:00","slug":"bladabindi-virus-abusing-pastebin-com-as-infection-vector","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/bladabindi-virus-abusing-pastebin-com-as-infection-vector\/","title":{"rendered":"Bladabindi Malware Abusing Pastebin.com as Infection Vector"},"content":{"rendered":"

Earlier, malware authors kept their payloads on Command and Control (C&C) servers or compromised websites. And to do this, they had to setup their C&C server or compromise a genuine website. But now, they don\u2019t need to bother about such things, as they have started using genuine file sharing sites like \u201cPastebin.com\u201d which allows user to store malware in plain-text. Pastebin.com is a well-known website where users can store plain text.<\/p>\n

While analyzing malware samples, we found that the malware is downloading the \u201cBase64\u201d encoded text from pastebin.com. On decoding this Base64 data, we received an executable file which is the main payload of the malware. Most of these executables are from \u201cBladabindi\u201d family.<\/p>\n

The downloader enters into the user\u2019s computer using various techniques like spam emails and social engineering. In this report, we will see how pastebin.com is misused with analysis of one malware sample.<\/p>\n

Analysis of <\/strong>Bladabindi (MD5: 0C34D70FF9DD1BA3B7BFE9F4FBA8F010)<\/strong><\/p>\n

The file is an Auto-it installer. On execution, it drops two executable files at “C:\\Documents and Settings\\[user]\\Local Settings” <\/strong>and executes the same. The dropped files are as follows:<\/p>\n

    \n
  1. TempWinToFlash.exe: <\/strong>Genuine tool used to create bootable USB with any Windows Setup from a DVD\/ISO<\/li>\n
  2. TempWindows.exe: <\/strong>Copies itself in \u201c%temp%\u201d as system.exe and executes it. Now this system.exe downloads Base64 encoded file from “pastebin.com\\download.php?i=pejXu40a” decodes it and injects the decoded executable in self-process. Thereafter, all activities are carried out by this downloaded file.<\/li>\n<\/ol>\n

    This Base64 Encoded file on Pastebin.com looks like the below figure 1.<\/p>\n

    \"Figure<\/a>
    Figure 1<\/figcaption><\/figure>\n

    After Base64 decode <\/strong>it is .Net <\/strong>file as below.<\/strong><\/p>\n

    \"Figure<\/a>
    Figure 2<\/figcaption><\/figure>\n

    Activity of Main_Component.exe (In memory component)<\/strong><\/p>\n

    This component is developed using Microsoft Visual Basic.Net.<\/p>\n

    Auto-run<\/strong><\/p>\n

    It copies system.exe in \u201cStartup\u201d folder as 12ce4e06a81e8d54fd01d9b762f1b1bb.exe<\/p>\n

    Registry changes for Auto-run<\/strong><\/p>\n

    It adds the following auto-run registry entry:<\/p>\n

      \n
    1. HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\<\/li>\n<\/ol>\n

      12ce4e06a81e8 d54fd01d9b762f1b1bb:\u00a0 “%temp%\\system.exe”<\/p>\n

        \n
      1. HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\<\/li>\n<\/ol>\n

        12ce4e06a81e8d54fd01d9b762f1b1bb : “%temp%\\system.exe”<\/p>\n

        Other Registry Changes<\/strong><\/p>\n

        It also adds the following registry entry:<\/p>\n

        HKEY_CURRENT_USER\\Environment\\SEE_MASK_NOZONECHECKS = 1<\/p>\n

        Further it saves downloaded Base64 encoded data in registry such as:<\/p>\n

        HKEY_CURRENT_USER\\Software\\12ce4e06a81e8d54fd01d9b762f1b1bb\\f8c065f4e758233f0d12dc9b8cf7a2ce = [Base64_Encoded_Main_Payload]<\/p>\n

        Bypass Firewall:<\/strong><\/p>\n

        It executes the following command to bypass Firewall:<\/p>\n

        netsh firewall add allowedprogram\u00a0 [Path_Of_system.exe] ENABLE<\/p>\n

        Main Activity<\/strong><\/p>\n

        This backdoor gathers the following data and sends it to C&C server:<\/p>\n