My first post on the Roboto Condensed social engineering scheme can be seen HERE. BleepingComputer.com also wrote an article on this, which can be seen HERE.
The page presented to both Chrome and Firefox users:
Looking at the page source shows a different .ZIP file for Chrome and Firefox users:
Chrome users download “Chrome_Font.zip”, which is being hosted on a hacked website called ithacafirst.org (resolves to 205.251.94.116).
Chrome_Font.zip contains “Chrome_Font.js”. Pastebin of Chrome_Font.js.
Firefox users download “Mozilla_Font.zip”, which is being hosted on a hacked website called karisandsazii.com (resolves to 198.54.116.36).
Mozilla_Font.zip contains “Mozilla_Font.js”. Pastebin of Mozilla_Font.js.
Executing both JScript downloaders resulted in GET requests for the same file, “Font-update09042017-criticalfix.exe”, which is being hosted on a hacked website called intralynx.net (resolves to 198.54.126.10).
The malware being downloaded by the malicious JScript files is a Trojan downloader called DELoader (aka Terdot). Thanks to @Antelox for identifying the sample!
Something to note: the User-Agent string used during the GET request was Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729).
TCP event captured during the GET request:
Remote Address : 198.54.126.10
Remote Host Name : host56.registrar-servers.com
Remote Port : 80
Process Name : WScript.exe
Process Path : C:\Windows\System32\WScript.exe
WScript.exe is used to create the file in C:\Users\[username]\AppData\Roaming\[malware].exe.
I found DNS queries for chinaandkoreacriminalaffairs.kz, which resolved to 185.82.200.159. This is followed by connections to that host via TCP port 443:
TCP event captured during the connections to 185.82.200.159:
Remote Address : 185.82.200.159
Remote Port : 443
Process Name : explorer.exe
Process Path : C:\Windows\explorer.exe
This is followed by a GET request to checkip.dyndns.com, which returns the external IP address of the infected host:
The GET request for the IP check is also using the same User-Agent string as the GET request for the payload.
TCP event captured during the GET request for the IP check:
Remote Address : 216.146.43.70
Remote Host Name : checkip.dyndns.com
Remote Port : 80
Process Name : msiexec.exe
Process Path : C:\Windows\system32\msiexec.exe
A copy of the malware is created in a new folder located in %AppData%. Later we see the initial malware payload being deleted from %AppData%.
Some registry keys are created in “HKCU\Software\Microsoft\”:
start.lnk is created, for persistence, in “C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\”:
Tor.exe is downloaded and dropped in “C:\Users\[username]\AppData\Roaming\”.
Below are some TCP connections found after Tor.exe was executed:
Remote Address : 188.165.194.195
Remote Host Name : ns3096483.ip-188-165-194.eu
Remote Port : 9001
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Remote Address : 144.76.26.175
Remote Host Name : liz.dereferenced.net
Remote Port : 9011
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Remote Address : 209.141.35.232
Remote Host Name : node2930.dynamic.netjdn.com
Remote Port : 9001
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Remote Address : 91.221.66.21
Remote Host Name : mxs1.creanova.org
Remote Port : 444
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Remote Address : 62.210.244.146
Remote Host Name : regar42.fr
Remote Port : 9001
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Remote Address : 78.47.18.110
Remote Host Name : tor.sebastianhahn.net
Remote Port : 80
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Remote Address : 82.223.21.74
Remote Host Name : rocket.plastic-spoon.de
Remote Port : 9001
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Remote Address : 141.255.161.167
Remote Host Name : gorgeoustransit.com
Remote Port : 443
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Remote Address : 79.137.33.131
Remote Host Name : n6.servbr.net
Remote Port : 443
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Remote Address : 176.10.107.180
Remote Host Name : torexit.schokomil.ch
Remote Port : 9001
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe
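The process-to-network pairings in these captures are what a defender can alert on: a script host (WScript.exe) fetching the payload, explorer.exe talking to a bare IP on 443, msiexec.exe performing the external IP check, and tor.exe running out of Roaming. The Python below is an added example, not code from the original post or from any tool used in it. It parses records in the same "Field : value" format as the captures above (including the run-together form, where one record's Process Path is fused with the next Remote Address) and applies those heuristics. The sample records are constructed from the addresses in this post; the script-host list, the default Tor ports 9001/9030, and the "explorer.exe to a bare IP" rule are my own assumptions and are heuristics, not a complete detection signature.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: TCP event records in the same "Field : value" layout as the
# captures in the post, with one record run together with the next
# ("...tor.exeRemote Address : ...") and one split across several lines.
SAMPLE_EVENTS = r"""Remote Address : 198.54.126.10 Remote Host Name : host56.registrar-servers.com Remote Port : 80 Process Name : WScript.exe Process Path : C:\Windows\System32\WScript.exe
Remote Address : 185.82.200.159 Remote Port : 443 Process Name : explorer.exe Process Path : C:\Windows\explorer.exe
Remote Address : 216.146.43.70 Remote Host Name : checkip.dyndns.com Remote Port : 80 Process Name : msiexec.exe Process Path : C:\Windows\system32\msiexec.exe
Remote Address : 188.165.194.195 Remote Host Name : ns3096483.ip-188-165-194.eu Remote Port : 9001 Process Name : tor.exe Process Path : C:\Users\[username]\AppData\Roaming\tor.exeRemote Address : 144.76.26.175
Remote Host Name : liz.dereferenced.net
Remote Port : 9011
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe
"""

FIELDS = ("Remote Address", "Remote Host Name", "Remote Port", "Process Name", "Process Path")
FIELD_RE = re.compile(r"(" + "|".join(FIELDS) + r") : ")
RECORD_RE = re.compile(r"(?=Remote Address : )")  # every record starts with this field

# Heuristic rule inputs (assumptions, not from the post).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TOR_DEFAULT_PORTS = {9001, 9030}       # default Tor ORPort / DirPort; relays use others too
IP_CHECK_HOSTS = {"checkip.dyndns.com"}


@dataclass
class TcpEvent:
    remote_address: str
    remote_host: Optional[str]          # absent in some captures
    remote_port: int
    process_name: str
    process_path: str


def parse_events(text: str) -> List[TcpEvent]:
    """Split the capture text into records and each record into fields."""
    events = []
    for record in RECORD_RE.split(text):
        record = record.strip()
        if not record:
            continue
        # split() with a capturing group yields ['', name, value, name, value, ...]
        parts = FIELD_RE.split(record)
        fields = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}
        events.append(TcpEvent(
            remote_address=fields["Remote Address"],
            remote_host=fields.get("Remote Host Name"),
            remote_port=int(fields["Remote Port"]),
            process_name=fields["Process Name"],
            process_path=fields["Process Path"],
        ))
    return events


def evaluate(ev: TcpEvent) -> List[str]:
    """Return the heuristic findings that apply to one connection."""
    findings = []
    name = ev.process_name.lower()
    path = ev.process_path.lower()
    host = (ev.remote_host or "").lower()
    if name in SCRIPT_HOSTS:
        findings.append("script host made an outbound connection (JScript/VBScript downloader)")
    if "\\appdata\\" in path:
        findings.append("process is running from a user profile directory")
    if name == "tor.exe" or ev.remote_port in TOR_DEFAULT_PORTS:
        findings.append("possible Tor traffic")
    if host in IP_CHECK_HOSTS:
        findings.append(f"external IP lookup by {ev.process_name}")
    if name == "explorer.exe" and ev.remote_host is None:
        findings.append("explorer.exe connected to a bare IP address (possible code injection)")
    return findings


def analyze(text: str) -> Dict[str, List[str]]:
    """Map each remote address that triggered a rule to its findings."""
    report: Dict[str, List[str]] = {}
    for ev in parse_events(text):
        findings = evaluate(ev)
        if findings:
            report.setdefault(ev.remote_address, []).extend(findings)
    return report


if __name__ == "__main__":
    for addr, findings in analyze(SAMPLE_EVENTS).items():
        print(addr)
        for f in findings:
            print("  -", f)
```

Splitting on the zero-width lookahead before each "Remote Address :" is what makes the run-together records parse correctly; it needs Python 3.7 or later, where re.split accepts patterns that match the empty string. The same rules translate directly into EDR or Sysmon Event ID 3 queries, where the process image path and destination port are already separate fields.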
Below are images of some files created in %Temp% and %AppData%:
Certutil.exe is downloaded and dropped in %Temp%, along with its dependencies (legitimate DLLs) and .crt files:
The certificate is installed using certutil and is then used for man-in-the-middle attacks on banking sessions.
BoA MITM attack on Internet Explorer:
Chase bank MITM attack on Firefox:
Read more about this at https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/
Hashes:
SHA256: c9c738f58a8f0fde37edea09342e1378e110cfca73ee9244bb065539632ce484
File name: Mozilla_Font.js
SHA256: 1dd41148e5b86cac94363e97b08186ace1a796658101b59a090a763d442ad2a2
File name: Chrome_Font.js
SHA256: ec2f39ba3e4ebcf5af07aa49127a814a06b58d509a0324df6215e7aa3e99af87
File name: Sample.exe
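The hashes above, together with the persistence and drop locations described earlier (start.lnk in the user's Startup folder, tor.exe in Roaming, certutil.exe in %Temp%), are enough for a simple host sweep. The Python below is an added example, not code from the original post; it hashes every file under a directory tree against the SHA256 list from this post and checks a user profile for the shortcut and dropped binaries. The profile layout it builds for demonstration is constructed in a temporary directory, and the choice of which file names to treat as dropped binaries is my assumption.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# SHA256 hashes from the post's IoC list.
KNOWN_BAD_SHA256 = {
    "c9c738f58a8f0fde37edea09342e1378e110cfca73ee9244bb065539632ce484",  # Mozilla_Font.js
    "1dd41148e5b86cac94363e97b08186ace1a796658101b59a090a763d442ad2a2",  # Chrome_Font.js
    "ec2f39ba3e4ebcf5af07aa49127a814a06b58d509a0324df6215e7aa3e99af87",  # Sample.exe
}

# Locations relative to a user profile directory (e.g. C:\Users\<name>).
STARTUP_DIR = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
DROP_DIRS = (Path("AppData/Roaming"), Path("AppData/Local/Temp"))
# Assumption: these names never legitimately live in Roaming or Temp
# (certutil.exe belongs in System32).
DROPPED_NAMES = {"tor.exe", "certutil.exe"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_hashes(root: Path, known: Set[str]) -> List[Path]:
    """Return every file under root whose SHA256 is in the known-bad set."""
    return sorted(p for p in root.rglob("*") if p.is_file() and sha256_file(p) in known)


def check_persistence(profile: Path) -> Dict[str, List[str]]:
    """Look for Startup-folder shortcuts and dropped binaries in a user profile."""
    findings: Dict[str, List[str]] = {"startup_shortcuts": [], "dropped_binaries": []}
    startup = profile / STARTUP_DIR
    if startup.is_dir():
        findings["startup_shortcuts"] = sorted(p.name for p in startup.glob("*.lnk"))
    for d in DROP_DIRS:
        base = profile / d
        if not base.is_dir():
            continue
        for p in base.iterdir():
            if p.is_file() and p.name.lower() in DROPPED_NAMES:
                findings["dropped_binaries"].append(p.relative_to(profile).as_posix())
    findings["dropped_binaries"].sort()
    return findings


def build_demo_profile() -> Path:
    """Constructed profile layout mirroring the artifacts described in the post.
    The files are placeholders, not the real samples."""
    profile = Path(tempfile.mkdtemp()) / "profile"
    (profile / STARTUP_DIR).mkdir(parents=True)
    (profile / STARTUP_DIR / "start.lnk").write_bytes(b"placeholder shortcut")
    (profile / "AppData" / "Roaming" / "tor.exe").write_bytes(b"")  # empty placeholder
    (profile / "AppData" / "Local" / "Temp").mkdir(parents=True)
    (profile / "AppData" / "Local" / "Temp" / "readme.txt").write_bytes(b"benign")
    return profile


if __name__ == "__main__":
    profile = build_demo_profile()
    print("hash hits:", sweep_hashes(profile, KNOWN_BAD_SHA256))
    print("persistence:", check_persistence(profile))
```

On a real host, point sweep_hashes at the profile root (or the whole drive) and check_persistence at each directory under C:\Users; the constructed profile returns no hash hits because its placeholder files are not the samples, but it does report the start.lnk shortcut and the tor.exe drop.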
Hybrid-Analysis Report
Malwr Report
Downloads:
Malicious Artifacts.zip
Password is “infected”
Until next time!
Article Link: https://malwarebreakdown.com/2017/09/07/roboto-condensed-social-engineering-scheme-delivers-terdot-zloaderzbot/