Tuesday, November 5, 2019

Brief analysis of Redaman Banking Malware (v0.6.0.2) Sample

Redaman is a well-known banking malware family, first seen around 2015. I have recently been analyzing a recent version of it (0.6.0.2; I'm not sure whether it is the latest, but it is probably one of the newest). This version uses some interesting tricks that were probably introduced in these recent releases. In this post I share some notes from the analysis.



Analysis

  • 1. Anti-analysis tricks
    • 1.1. C2 encoded into bitcoin transactions
    • 1.2. Checks machine name vs user name
    • 1.3. Encrypted strings
    • 1.4. Unpacked module needs correct argument to work properly
    • 1.5. Checks for typical sandboxes files, directories, processes...
    • 1.6. Checks for security products
    • 1.7. Disable Safeboot
  • 2. Bot commands and malware capabilities
  • 3. Yara rules
  • 4. List of encrypted strings


1. Anti-analysis tricks



1.1. C2 encoded into bitcoin transactions


This trick, discovered by Check Point and explained in their post, is really interesting. The malware obtains its C2 addresses from the bitcoin blockchain instead of carrying them in the binary. What it does carry (in the list of encrypted strings) are the URLs of several services that offer APIs to the bitcoin blockchain:

  • "viabtc.com"
    • "/res/btc/transactions/addressv2?address="
  • "api.blockcypher.com"
    • "/v1/btc/main/addrs/"
    • "?limit=10"
  • "blockchain.info"
    • "/rawaddr/"
  • "blockchain.coinmarketcap.com"
    • "/api/address?address="
    • "&symbol=BTC&start=1&limit=10"

Additionally, it carries another encrypted string made of the C2 scheme, a bitcoin address in place of the host, and the C2 URI:

  • "http://1N9ALZUgqYzFQGDXvMY5j1c7PGMMGYqUde/index.php" 

Then the malware composes the blockchain API URL and queries the transactions of that bitcoin address, for example:




(Find a copy of the json response here: https://pastebin.com/rC9pF2F2)


The malware uses some fields of this JSON response (specifically the transaction values) to compose the C2 addresses, as explained in the following image:





The threat actor only needs to make new transactions involving that bitcoin address to update the C2 list.

This is quite interesting. Malware could keep all kinds of information and configuration in the blockchain. It could read it through public APIs such as api.blockcypher.com, or it could download the blockchain and extract the transactions directly, recovering all the information it needs without relying on any third party.

A domain can be sinkholed, but with this method it is hard to prevent the malware from receiving updates: the transactions are public, cannot be altered once confirmed, and are reachable through several independent APIs. The flip side for defenders is that requests from a non-browser process to these blockchain API hosts are a useful network indicator.
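As an added example (my code, not the sample's or the original post's), the following Python composes the four API URLs listed above from the strings carried by the sample and then decodes C2 hosts from a blockchain-style JSON reply. The JSON is constructed to mimic the shape of a blockchain.info /rawaddr/ response, the https scheme for the API requests is an assumption, and the value-to-IPv4 rule (two 16-bit satoshi amounts per address, ordinary large funding transactions skipped) is an assumed encoding used to illustrate the mechanism, not Redaman's actual one, which the image above describes.

```python
import json
import ipaddress

# The bitcoin address and URI come from the sample's encrypted string
# "http://1N9ALZUgqYzFQGDXvMY5j1c7PGMMGYqUde/index.php".
WATCHED_ADDR = "1N9ALZUgqYzFQGDXvMY5j1c7PGMMGYqUde"
C2_URI = "/index.php"

# Endpoint fragments carried by the sample: host -> (part before the address, part after it).
# The scheme used for these requests is not stated in the post; https is an assumption.
BLOCKCHAIN_APIS = {
    "viabtc.com": ("/res/btc/transactions/addressv2?address=", ""),
    "api.blockcypher.com": ("/v1/btc/main/addrs/", "?limit=10"),
    "blockchain.info": ("/rawaddr/", ""),
    "blockchain.coinmarketcap.com": ("/api/address?address=", "&symbol=BTC&start=1&limit=10"),
}


def build_api_url(host, addr=WATCHED_ADDR, scheme="https"):
    """Compose the query URL for one of the blockchain API services."""
    before, after = BLOCKCHAIN_APIS[host]
    return f"{scheme}://{host}{before}{addr}{after}"


# CONSTRUCTED reply mimicking the shape of blockchain.info's /rawaddr/<addr> output
# (newest transaction first). Hashes, times and amounts are invented.
SAMPLE_RAWADDR_JSON = json.dumps({
    "address": WATCHED_ADDR,
    "n_tx": 5,
    "txs": [
        {"hash": "e" * 64, "time": 1572900140,
         "out": [{"addr": WATCHED_ADDR, "value": 0x3201}]},
        {"hash": "d" * 64, "time": 1572900130,
         "out": [{"addr": WATCHED_ADDR, "value": 0xC0A8},
                 {"addr": "1ChangeOutputNotWatched", "value": 990000}]},
        {"hash": "c" * 64, "time": 1572900120,  # funding top-up, not a C2 fragment
         "out": [{"addr": WATCHED_ADDR, "value": 500000}]},
        {"hash": "b" * 64, "time": 1572900110,
         "out": [{"addr": WATCHED_ADDR, "value": 0x0001}]},
        {"hash": "a" * 64, "time": 1572900100,
         "out": [{"addr": WATCHED_ADDR, "value": 0x0A00}]},
    ],
})


def watched_output_values(raw_json, addr=WATCHED_ADDR):
    """Satoshi amounts of every output paid to `addr`, oldest transaction first."""
    data = json.loads(raw_json)
    txs = sorted(data.get("txs", []), key=lambda tx: tx.get("time", 0))
    return [int(out["value"])
            for tx in txs
            for out in tx.get("out", [])
            if out.get("addr") == addr]


def values_to_ipv4(values):
    """ASSUMED encoding (not Redaman's actual one): two consecutive amounts that fit in
    16 bits form one IPv4 address, high half first. Larger amounts (ordinary funding
    transactions) are skipped and a trailing unpaired amount is ignored."""
    halves = [v for v in values if 0 <= v <= 0xFFFF]
    return [str(ipaddress.IPv4Address((hi << 16) | lo))
            for hi, lo in zip(halves[0::2], halves[1::2])]


def c2_urls(raw_json, addr=WATCHED_ADDR, uri=C2_URI):
    """Replace the bitcoin address in the carried URL with each decoded C2 host."""
    return [f"http://{ip}{uri}" for ip in values_to_ipv4(watched_output_values(raw_json, addr))]


if __name__ == "__main__":
    for host in BLOCKCHAIN_APIS:
        print(build_api_url(host))
    print(c2_urls(SAMPLE_RAWADDR_JSON))  # ['http://10.0.0.1/index.php', 'http://192.168.50.1/index.php']
```

Whatever the real encoding is, the structure is the same: filter the outputs paid to the watched address, order them by time, and turn the amounts into hosts. Swapping in the decoding from the image only changes `values_to_ipv4`.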


1.2. Checks machine name vs user name


This is another trick, quite aggressive, that I hadn't seen before. Basically, the malware gets the computer name and the user name. It removes the "-PC" suffix from the computer name, then compares the computer name (without "-PC") with the user name, both in uppercase. If they are the same, it exits.




Real users' machines usually have computer names like DESKTOP-JMP24OS, so I suppose this aggressive heuristic is meant to avoid running in sandboxes and AV emulators, where the computer name may simply be the user name with a "-PC" suffix.


1.3. Encrypted strings


As explained in the welivesecurity article, the malware decrypts the strings it is going to use with a custom RC4 algorithm.

Here I'm just going to explain how I got the decrypted strings directly from memory, and I'm going to share the script I used to add IDA comments automatically. I used the following WinDbg commands to dump all the decrypted strings together with their positions in the string table:

bp <base_unpacked_mod>+291F5   (breakpoint placed just after the strings have been decrypted)

Print decrypted ascii strings:

.for ($t0=0;@$t0<0x18b;r $t0=@$t0+1){ .printf "%d ",4*@$t0; da poi (<base_unpacked_mod>+2C93C+4*@$t0); .printf "\r\n"; }

Print decrypted unicode strings:

.for ($t0=0;@$t0<0xb6;r $t0=@$t0+1){ .printf "%d ",4*@$t0; du poi (<base_unpacked_mod>+2CF68+4*@$t0); .printf "\r\n"; }

With these commands I got the list of strings (ASCII and Unicode), and I used the following IDA Python script to set a comment at each point in the code where one of these strings is used:
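As an added example of the same idea (my code, not the author's script), the following IDA Python parses the WinDbg output from the commands above and comments every instruction that references a string-table slot with the decrypted string. The dump line format (the `%d` offset, then the address and quoted string printed by `da`/`du`) and the assumption that slots are referenced directly as absolute addresses are mine; the table RVAs 0x2C93C (ASCII) and 0x2CF68 (Unicode) are the ones from the commands above. The parser runs anywhere; the annotation only runs inside IDA.

```python
import re

try:  # the annotation half only works inside IDA's Python
    import idaapi
    import idautils
    import idc
    IN_IDA = True
except ImportError:
    IN_IDA = False

# ASSUMED line shape: the "%d " offset printed by .printf, then the address and quoted
# string printed by da/du, e.g.   4 0041d00c  "/rawaddr/"
DUMP_LINE = re.compile(r'^\s*(\d+)\s+[0-9a-fA-F`]+\s+"(.*)"\s*$')


def parse_windbg_dump(text):
    """Map table offset (bytes, i.e. 4*index) -> decrypted string; other lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            table[int(m.group(1))] = m.group(2)
    return table


def slot_addresses(table_base, table):
    """Absolute address of each pointer slot in IDA: image base + table RVA + offset."""
    return {table_base + off: s for off, s in table.items()}


def annotate(table_base, table):
    """Inside IDA: comment every instruction that references a slot with its decrypted string.
    Assumes the slots are referenced directly (ds:table+offset); indexed accesses that only
    reference the table base would need the index resolved by hand. Returns comments set."""
    if not IN_IDA:
        raise RuntimeError("annotate() must run inside IDA")
    count = 0
    for slot, s in slot_addresses(table_base, table).items():
        for xref in idautils.XrefsTo(slot):
            idc.set_cmt(xref.frm, s, 0)
            count += 1
    return count


# CONSTRUCTED dump excerpt in the assumed format (addresses invented, strings from the post).
SAMPLE_DUMP = """\
0 0041d000  "viabtc.com"
4 0041d00c  "/res/btc/transactions/addressv2?address="
8 0041d038  "api.blockcypher.com"
Unable to read memory at 00000000
"""

if __name__ == "__main__":
    strings = parse_windbg_dump(SAMPLE_DUMP)
    print(strings)
    if IN_IDA:
        # ASCII table at RVA 0x2C93C; use 0x2CF68 for the Unicode table dumped with du.
        print(annotate(idaapi.get_imagebase() + 0x2C93C, strings))
```

The base has to be IDA's image base of the unpacked module, not the WinDbg one: the offsets in the dump are relative to the table, so they survive the relocation, but the absolute addresses printed by `da`/`du` do not.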






1.4. Unpacked module needs correct argument to work properly


Once the malware is unpacked, the real Redaman DLL is launched with rundll32; its DllGetClassObject export is called and an argument is passed to it:

rundll32 <redaman dll path>, DllGetClassObject <password>

The password has to be correct: if it isn't, the encrypted strings cannot be decrypted and the malware exits. In practice this means the unpacked DLL is useless on its own; capture the full rundll32 command line (including the argument) when you dump the module, or you won't be able to run it again.


1.5. Checks for typical sandboxes files, directories, processes...


It checks for the following files or directories in the root of c:\ or d:\: cuckoo, fake_drive, strawberry, tsl, targets.xls, perl, wget.exe




It checks whether its own module name is one of: myapp.exe, self.exe, t.exe





And it checks for the following running processes: vboxservice.exe, python.exe





1.6. Checks for security products


Redaman uses the WbemScripting.SWbemLocator COM object (i.e. WMI) to search for installed security products:







1.7. Disable Safeboot



The malware deletes the current safeboot value:




2. Bot commands and malware capabilities



I recommend reading the welivesecurity article to learn about the protocol and encryption used by Redaman.

It looks like the newer versions of the malware have introduced a much longer list of commands that the bot can receive from the C2 and execute. This is the complete list, as found in the sample (the names are fairly self-explanatory):


  • keylogger.last-data
  • keylogger.last-wnd-caption
  • keylogger.last-exe-path
  • botnet-prefix
  • botnet-id
  • cc.connect-interval
  • scan-files
  • post-install-report
  • cc.url
  • modules.
  • modules-data.
  • del-module
  • unload
  • uninstall
  • uninstall-lock
  • find-files
  • download
  • shutdown
  • reboot
  • cc
  • get-cc
  • botnet-id
  • prefix
  • connect-interval
  • hosts-add
  • hosts-clear
  • dbo-scan
  • cfg-set-str-a
  • cfg-set-str-w
  • cfg-set-dw
  • cfg-get-str-a
  • cfg-get-str-w
  • cfg-get-dw
  • cfg-del-param
  • screenshot
  • dns
  • set-dns
  • get-dns
  • kill-process
  • lpe-runas-flags
  • scards.monitoring-interval
  • auto-elevate
  • reload
  • scard-off
  • modules-off
  • dbo-detector-off
  • multiinstance-off
  • keylogger-off
  • dns-servers-changed
  • hosts-file-changed
  • video.refresh-interval
  • video-start
  • video-stop
  • del-files

Additionally, the list of encrypted strings carries a set of patterns to match against the browser window title. A match means the user is on a target site (mostly bank websites) from which the malware steals credentials. This is the list from the analyzed sample; it ends with short names that appear to be the labels the bot uses for each target:


  • online.payment.ru
  • bankline.ru
  • /ic/login.zhtml
  • /servlets/ibc
  • faktura.ru
  • /iclient/
  • ibank2
  • bco.vtb24.
  • bo.vtb24.
  • dbo.vtb.
  • elbrus.raiffeisen
  • elba.raiffeisen
  • handybank.
  • wupos.westernunion
  • online.sberbank.
  • minbank.ru
  • e-plat.mdmbank.
  • link.alfabank
  • click.alfabank
  • ib.avangard
  • ibc.vuzbank.
  • ibc.ubrr.
  • my.modulbank.
  • online.centrinvest.
  • cb.mtsbank.
  • vbo.mkb.
  • i.bspb.ru
  • i.vtb.ru
  • bc.rshb.
  • /vpnkeylocal
  • sci.interkassa
  • ibank.mmbank.
  • blockchain.info
  • /wallet/
  • cb.asb.by
  • bps-sberbank.by
  • dbo2.bveb.by
  • ibank.bsb.by
  • corporate.bgpb.by
  • ibank.alfa-bank.by
  • ibank.belinvestbank.by
  • ib2.ideabank.by
  • client.paritetbank.by
  • ibank.priorbank.by
  • client.mybank.by
  • online.stbank.by
  • client.belapb.by
  • Unk
  • SberBank_PC
  • BSS
  • BSS_PC
  • iBank2_PC
  • Faktura
  • PCB
  • InterPro
  • RosBank
  • SBBO
  • INIST
  • Inversion
  • Interbank
  • iBank2
  • BiCrypt
  • VTB24
  • 1C
  • SGB
  • Raiffeisen
  • HandyBank
  • WU
  • SB_Fiz
  • CFT
  • WinPost
  • SBIS
  • ClBank
  • QiwiCashier
  • ISCC
  • WebMoney
  • xTC
  • iFOBS
  • TRANSAQ
  • OSMP
  • MinBank
  • SFT
  • MDM
  • ALBO
  • Alfa_Fiz
  • Avangard
  • Intercassa
  • Amikon
  • Vuzbank
  • UBRR
  • ModulBank
  • CentrInvest
  • MTSBank
  • MKB
  • EL_CLI
  • BSPB
  • IVTB
  • RSHB
  • Infocrypt
  • MMBank
  • BlockchainInfo
  • HBClient
  • ASB
  • BPS_SB
  • BVEB
  • BSB
  • BGPB
  • ALBO_BY
  • BelInvest
  • IdeaBank
  • Paritet
  • PriorBank
  • MyBank
  • StBank
  • BelAPB
  • scDBO
  • AvestCSP


3. Yara rules
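The author's rules are not reproduced on this page. As an added example (my rule, not the author's), here is a rule built only from strings quoted elsewhere in this post. Because the strings are RC4-encrypted in the binary, it is meant for scanning process memory or the dumped, decrypted module rather than files on disk, and the bitcoin address is likely to change between builds, so it is kept as a strong-but-optional match.

```yara
rule Redaman_0602_decrypted_strings
{
    meta:
        description = "Redaman banking malware v0.6.0.2: decrypted-string artifacts (memory / unpacked module only)"
        note = "example rule written from the strings quoted in the post, not the author's rules"
    strings:
        // blockchain API fragments used to locate the C2
        $api1 = "/res/btc/transactions/addressv2?address=" ascii wide
        $api2 = "/v1/btc/main/addrs/" ascii wide
        $api3 = "/rawaddr/" ascii wide
        $api4 = "&symbol=BTC&start=1&limit=10" ascii wide
        // bitcoin address carried by this sample; expect it to rotate
        $btc  = "1N9ALZUgqYzFQGDXvMY5j1c7PGMMGYqUde" ascii wide
        // bot command names that are unlikely to appear in benign software
        $cmd1 = "keylogger.last-wnd-caption" ascii wide
        $cmd2 = "dbo-detector-off" ascii wide
        $cmd3 = "scards.monitoring-interval" ascii wide
        $cmd4 = "lpe-runas-flags" ascii wide
        $cmd5 = "cfg-set-str-w" ascii wide
    condition:
        $btc or (2 of ($api*) and 2 of ($cmd*))
}
```

Run it with `yara -r` against a memory dump of the rundll32 process after the strings have been decrypted (the breakpoint in section 1.3 is a good moment to dump), not against the packed dropper.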





4. List of encrypted strings






