Distribution of Malware Exploiting Vulnerable Innorix: Andariel

The ASEC (AhnLab Security Emergency response Center) analysis team has discovered the distribution of malware targeting users with vulnerable versions of Innorix Agent. The collected malware is a backdoor that attempts to connect to a C&C server.

Figure 1. Vulnerability security update notice from Korea Internet & Security Agency[1]

The exploited Innorix Agent is the client component of a file transfer solution. Details about the vulnerability were posted by the Korea Internet & Security Agency (KISA)[1], which identified the INNORIX Agent versions requiring the security update as version 9.2.18.450 and an earlier version, 9.2.18.418.

Figure 2. Detection log from ASD infrastructure

The detected backdoor attempts to connect to a C&C server. Major features include collecting and forwarding user PC information, as well as capturing screenshots, file creation, and file execution.

Figure 3. Detection report from ASD infrastructure

The discovered backdoor has appeared in two forms. The sample found initially was confirmed to have been developed in C/C++, while the recently detected sample was built with .NET. There are no functional differences between the two forms. Some detection reports show that the malware attempted to conceal itself by using the name AhnLab when registering itself in the task scheduler.

Figure 4. Encoding and decoding routines

This malware, classified as a backdoor, applies the routine shown in Figure 4 to data it receives before using it, and applies the same routine to data it sends. Based on AhnLab’s analysis, encrypting traffic through this encoding and decoding routine to evade packet-level monitoring is a characteristic of Andardoor. The key value is 74615104773254458995125212023273, the same XOR key value given in the CISA report [2] published in 2016.
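The following is an added example, not code from ASEC or from the malware, showing why a single XOR routine can serve both the receive and send paths and how the quoted key value can be used as a static indicator by analysts. The Figure 4 routine itself is not reproduced here; treating it as a plain repeating-key XOR is an assumption made for illustration, and the beacon text is constructed for the example.

```python
# Added example (not ASEC's code). Assumption: the encode/decode routine is a
# repeating-key XOR over the 32-character key quoted in the post. The exact
# routine in Figure 4 may differ; this is an illustration only.

# 32-byte key value as quoted in the post (same as the 2016 CISA report key).
ANDARDOOR_KEY = b"74615104773254458995125212023273"


def xor_transform(data: bytes, key: bytes = ANDARDOOR_KEY) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one function both
    encodes outbound data and decodes inbound data, which is why the post
    notes that the same routine is used in both directions."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def round_trips(data: bytes) -> bool:
    """Applying the routine twice must give back the original bytes."""
    return xor_transform(xor_transform(data)) == data


def key_present(blob: bytes) -> bool:
    """Static check for analysts: does a binary or memory dump contain the
    key as a plain ASCII string? A hit is a hunting lead, not proof."""
    return ANDARDOOR_KEY in blob


# Constructed sample: a fake beacon built here, "captured" encoded, then decoded.
SAMPLE_PLAINTEXT = b"HOSTNAME=WS-01;USER=analyst;OS=10.0"
CAPTURED = xor_transform(SAMPLE_PLAINTEXT)


def decode_captured(buf: bytes = CAPTURED) -> str:
    """Decode a captured buffer back to text for inspection."""
    return xor_transform(buf).decode("ascii", errors="replace")


if __name__ == "__main__":
    print("encoded:", CAPTURED.hex())
    print("decoded:", decode_captured())
    print("key in constructed dump:", key_present(b"\x00" + ANDARDOOR_KEY + b"\xff"))
```

Because the key is a printable ASCII string, it is a cheap candidate for a static signature on samples and memory dumps, which is one reason a fixed key reused since 2016 is a useful attribution and detection clue.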

Companies and individual users are advised to be particularly cautious, as this malware has recently been distributed by exploiting a software vulnerability. Software still running vulnerable versions must be managed so that it is used only after being updated.

[File Detection]

  • Backdoor/Win.Andardoor.R558252
  • Backdoor/Win.Andardoor.C5381120
  • Backdoor/Win.Andardoor.C5382662
  • Backdoor/Win.Andardoor.C5382103
  • Backdoor/Win.Andardoor.C5382101

[IOC]

  • bcac28919fa33704a01d7a9e5e3ddf3f
  • 1ffccc23fef2964e9b1747098c19d956
  • 9112efb49cae021abebd3e9a564e6ca4
  • 0a09b7f2317b3d5f057180be6b6d0755
  • 0211a3160cc5871cbcd4e5514449162b
  • ac0ada011f1544aa3a1cf27a26f2e288
  • c892c60817e6399f939987bd2bf5dee0
  • 6dd579cfa0cb4a0eb79414de6fc1d147
  • 88a7c84ac7f7ed310b5ee791ec8bd6c5
  • e5410abaaac69c88db84ab3d0e9485ac
  • 4.246.144.112:443
  • 139.177.190.243:443
  • 27.102.107.224:5443
  • 27.102.107.234:8443
  • 27.102.113.88:5443
  • 27.102.113.88:21
  • 109.248.150.179:443

[References]

[1] Security Vulnerability Information Portal (krcert.or.kr)

[2] CISA Analysis Report 

The post Distribution of Malware Exploiting Vulnerable Innorix: Andariel appeared first on ASEC BLOG.