lundi 30 janvier 2017


Spambot safari #1 - Bombila


Let's go for a Spambot safari.
There is a lot of malware analysis on the Internet but a very small number about malware used for Spamming (Necurs is a rare exception). But behind every big spam campaign, there is a spambot. And this part of the campaign is often technically weak.

It's easy to find a spambot. Most of the time, botmatsers's do the error of spreading the spambot's binary via the spam botnet itself. Due to the malware's communication, this mistake expose the spambot architecture and allow us to analyze the CNC part.
Looking for malware with SMTP communication on public sandboxes is a another good way to find spambot samples.

Here, I'll try to describe "Bombila" Spambot (БОМБИЛА).
This malware was used for spreading Teslacrypt in 2016 (if you want to understand how weak are spamming campaigns, take a look at:

I'll try to give an overview of this malware.
Sample: 6aa5fd384fbfe271a5000397e2e0c9d9e06dd5d041488e4f2de7ae3a4eb1589d


The malware itself (Silent_SMTP_Bruter) is not really interresting and seems in developpment;
A lot of bugs, poor strings obfuscation, OutputDebugStrings, a log file created in C:\log.txt...
Persistance is done via CurrentVersionRun, there is no self replication or hidden feature (the malware stay where you launch it), after some connection checks, the malware contact the CNC (HTTP). If you kill the process with the task manager, the malware stop working.

Wow! So much obfuscation...

"Silent_SMTP_Bruter" string is present in the PACKAGEINFO

As usual the malware is composed of a SMTP bruteforce module and a SMTP spam module.
The main module try to contacts a gate "cmd.php" in 2 different ways:
  • A POST request $_POST['status'] every 5 minutes for sending bot status
  • a GET request whitout parameter for retrieving new order.

Not so boring malware

But, the best part is not in the malware itself; it's the icon of the malware \o/. You can observe a funny behaviour; when you rename the binary, the binary's icon changes. It take icons already present in system icon cache. The hash is still the same (works on Windows 10 up to date :]).
It can be used to fool victims because the malware takes icon like directory or Word, txt etc

If we extract the icon from resources binary, I reproduce the bug with the .ico icon:

It's a very small icon file (78bytes)

In red, it's the Ico header composed of 2 structures: ICONDIR and ICONDIRENTRY
In green, it's the bitmap header, in the structure BITMAPINFOHEADER
In blue it's the color data RGB

It seems that, after a MapViewOfFile, user32 misparse bitmap data and choose a "random" icon in the icon Cache (C:\Users\login\AppData\Local\Microsoft\Windows\Explorer).
I'm still working on that; I'll try to write a post about how reverse these kinds of UI tricks without getting suicidal tendencies \o/.
Thanks a lot to @Antelox for his precious help :]

Crack the bot

During Teslacrypt analysis I was abble to dump the web panel. So, why not try to patch the bot with my CNC for playing with all the features ?
For that, we have to understand were is stored the CNC in the binary and patch it.
There is a good resource about that on Xylibox But in this case I'll use a easier way :]. In the binary we can see that the CNC is "obfuscated" (loc_4480D3)

It's now easy to make a dirty python script for encoding our CNC and patch the binary (Offset 0x58488)
Due to a stupid parsing error, the CNC must look like "" without the last slash.

You can now control the bot and explore all the features \o/.

Panel Overview

The source code is a real mess. It looks like the panel is a compilation of 2 panels
For example there is 3 footers in index.php:

Some comments refer to other projects:

It's time for a quick overview (I've try to do a quick and dirty english version (thanks @KodaES :D), put your cursor on the image for the translated version):
The home page:

From this page, you can:
  • Upload emails lists
  • Upload subject, messages, "from", header etc
  • retrives statistics about the spam campaign
  • retrives some statistics about infected bots
  • configure the campaing

I cannot found any bot lists or campaigns details directly form the webpanel.
Some page are only accessible by reading the source code.
In fact, index.php is a big switch case:

For example: the bots list (index.php?act=work):

Search engine:

there is no dropping or backdoor feature. This malware is only about spam purpose.

After Teslacrypt ?

I've try to found other sample of this malware after the end of Teslacrypt.
I've found a another panel but nothing else.

I think it can be easy to retrives new sample via VTi.

Some numbers to conclude (based on webstat files found on the CNC):
From December 2015 to February 2016, Bombila :
  • was composed of ~10 000 bots
  • has sent at least 10 millions emails

Thanks for reading :]

vendredi 20 janvier 2017

A journey inside Ursnif campaign

A journey inside Ursnif campaign

Ursnif is a well known bankin trojan. In this blogpost, I'll try to take a look deeper at a recent campaign for understanding how that works.
Let's try to understand all the chain of infection from spambot to Ursnif dropper.

The spambot - Onliner

This Ursnif campaign is based on a SpamBot called "Onliner". As we can see in the C&C Panel, this spambot has 2 main features:
  • Checker: You provide a list of compromised smtp accounts to the spambot and some bots test if credentials are valids.
I've found around 80 millions compromised SMTP accounts on the checker module. Some of them come from public leaks (like badoo, linkedin...) and some other come from unknown sources.
  • Mailer: The spam mailer:

    Mailer requests details:
If we look at the changelog, this spambot seems to be quite young:

As we can see in the PHP source code, it seems that a SMTPBruteForcer exists:

Ursnif spam

Fingerprinting campaign

Let's focus on Ursnif campaign. This campaign is quite interesting. First of all, botmaster(s) starts by a fingerprinting round.
They send some random emails with a hidden image inside:

When a victim open this email, some information are leaked to "{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}.gif?{email}". These information (User Agent, IP etc) are usefull for the botmaster because he can indentify specifics groups of users (Windows users for example).
The script used for victims classification:

Output for Windows users:

This spam campaign is maybe used for tests purpose or for target identification.

Ursnif campaign

After the fingerprinting campaign, the spambot is used for spreading a dropper which leads to Ursnif.
This JScript dropper is spread via fake invoices;
Some example of spams templates used during the campaign:
DHL invoce:

Insurance invoce:

Spam targeting Hotel:

Fake invoice
The first stage is a dropper in JScript - fattura_93785849.js:

The JScript tries to contact r4.php return another JScript code. This is the main component:

eval(r4.php?cmd=d) returns another JScript used for "Drop and Launch" Ursnif. This script can be in 7 differents form:

This dropper is fully in JScript \o/
The C&C part is open, it's possible to retrieves some statistics:

Big picture of this JSDropper:

I've seen some switch between JSDropper and doc+macro during some times (
It's look like Ursnif campaigns are not a so big deal...



Ursnif samples