3 months since the last blogpost, it's time for an update \o.
By looking at some public sandbox feeds (ping @fumik0_) I've found an unusual patterns, reminding me old stuff:
[+] e2dbbc71f807717a49b74d19c155a0ae9cce7d6e74f24c63ea5d0ed81ddb24d6 GET -> rpc2.gdn/start/includes/tasks.php?hwid=71D7D653-460A-8BE7-264F6AF5
[+] e2dbbc71f807717a49b74d19c155a0ae9cce7d6e74f24c63ea5d0ed81ddb24d6 POST -> rpc2.gdn/start/inc.php/start/inc.php
[+] 0c4d34cd4a11960ff3f7d205a0196084700f8d6f171ea052f8c9563f9ddc2e2e GET -> rpc2.gdn/start/includes/tasks.php?hwid=49C78CBD-165E-D0CF-474D92B
[+] 0c4d34cd4a11960ff3f7d205a0196084700f8d6f171ea052f8c9563f9ddc2e2e POST -> rpc2.gdn/start/inc.php/start/inc.php
This is a "rat" (I don't know the name) that uses TeamViewer for spying on victims.
Panel overview
Let's start with a usual panel overview.The interface is very simple, main page (click to enlarge):
With that, the botmaster can see when somebody is connected to the infected machine or not, if he has webcam or mic and basics system information.
There was 125 bots in this CNC.
The only other page is a quick settings:
This is very basic but enough for spying on people.
Now look at the interesting part: the binary.
TeamViewer_Test_Pub
The sample came from email with an attachment named probably "invoice.js" (e2dbbc71f807717a49b74d19c155a0ae9cce7d6e74f24c63ea5d0ed81ddb24d6) that drops the RAT viastore4caroption-support.info/KKK.exe (0c4d34cd4a11960ff3f7d205a0196084700f8d6f171ea052f8c9563f9ddc2e2e) The sample is a big package used to deploy TeamViewer and the RAT in
%APPDATA\WebNet\ as hidden files:
SensApi.dll (833ff902452e5fb10b39ef90c2f1ec96beb0d8d0486dc378eb07c10b3672276c) is the RAT controller.
A quick static analyze with PEBear show us that this dll as 4 exports:
- Entrypoint
- IsDestinationReachableA
- IsDestinationReachableW
- isNetworkAlive.
Before jumping into the EntryPoint let's have a quick look at the strings:
rpc2.gdn
num1.gdn
process call create "%s"
runas
wmic
TV started from Admin!!!
uac
This OS is not supported!!!
\Policies\System
\CurrentVersion
\Windows
\Microsoft
Software
%s%s%s%s%s
EnableLUA
Off
High (Always Notify)
Medium (Default Notification)
Low (Default Notification)
N/A
error args
Request successfully!!!
cmdshow
cmd
COMSPEC
/C
run error
wait...
error
closed. exitcode: %d (%s)
tasklist
(x64)
(Win32)
%s PID:%d%s
plugin_start
tiff
plugin_del
%s\%s.%s
admin
Yes
UAC LVL: %s
Elevated: %s
RunAsAdmin: %s
AdminGroup: %s
webcam
mic
device is missing
device is available
off
*.tiff
Command not found!!!
Error
%s%s%s
%06lX-%04lX-%04lX-%06lX
%s%s
HTTP/1.0
Windows Server 2016
Windows 10
Windows Server 2012 R2
Windows 8.1
Windows Server 2012
Windows 8
Windows Server 2008 R2
Windows 7
Windows Server 2008
Windows Vista
Windows XP x64
Windows Server 2003
Windows XP
Windows 2000
unknown
TeamViewer
/start/includes/tasks.php?hwid=
hwid=%s
Content-Type: application/x-www-form-urlencoded
start/includes/act_user.php
hwid=%s&tv_id=%s&tv_pass=%s
start/includes/pass_tv.php
uuid=%s&tv_id=%s&tv_pass=%s&winver=%s&username=%s&webcam=%sµ=%s
start/inc.php
\start
.exe
open
IsDestinationReachableA
SensApi.dll
IsDestinationReachableW
IsNetworkAlive
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TeamViewer_Desktop.exe
Windows Core Services
%s\%s
.log
.txt
.tmp
resource DLL
TeamViewer
TV_Marker
TVWidget
ATL:00BDE7D8
ATL:00BE38B8
This binary seems very verbose with some recurrent patterns like "!!!".
I don't think it's common for skid to deal with TeamViewer so before reversing let's have a look on Google if the dev hasn't copy paste some functions from stackoverflow.
By searching strings like "High (Always Notify)" I've found some matching source code from a curious Github account:
Commands
After looking deeper in this github account and in the RAT, it look like the RAT is a fork, or an update of the source code in the github account.We can found a lot for similar functions: (click to enlarge)
The RAT execute commands from CNC via the function RunCmd() in main.cpp. There is the available cmd in both version:
| Github | IDA | Details |
| setinterval | Set new interval for CNC ping | |
| setserver | Set new CNC | |
| setpass | Set new crypt config password | |
| kill | Kill TeamViewer | |
| runexe | Download and run exes | |
| deldll | Delete dll | |
| update | Update | |
| rundll | Download and run dlls | |
| reboot | Restart PC | |
| poweroff | Shut down PC | |
| restart | Restart Process | |
| terminate | Kill process | |
| mydir | Return current dir | |
| admin | admin | Is process admin ? |
| tasklist | tasklist | Send tasks list |
| cmdwnd | cmdwnd | Run hidden cmd |
| cmd | cmd | Run cmd |
| uac | Re-run itself elevated via wmic process call create | |
| plugin_start | Download, copy as .tiff and run an exe | |
| plugin_del | Delete a file | |
| webcam | Webcam on/off | |
| mic | Mic on/off |
CNC communication
The in the wild rat seems to have a different way to communicate with CNC. It communicate over HTTP in plain text (The github version used obfuscated HTTP requests)./includes/tasks.php - GET hwid=%s/includes/act_user.php - POST hwid=%s&tv_id=%s&tv_pass=%s/includes/inc.php - POST uuid=%s&tv_id=%s&tv_pass=%s&winver=%s&username=%s&webcam=%s&mic=%s
There is 2 domains as CNC: rpc2.gdn and num1.gdn
Notes
The Teamviewer part and the global architecture of the code are the same but that "in the wild" version looks like an updated light version.This is a very basic malware but it work and it's very easy to use.
The Readme.md of the github version mention a forum post:
http://ander-pub.cc/forum/threads/isxodniki-skrytogo-teamviewer.73/ that is actually down. If someone here has more information about this forum I'm very curious :)Victims overview
In this campaign, crooks are targeting small company in different country (CN, AU, US, RU...).I've found call centers, accounting etc.
Example of call center:
I don't think that victims are targeted by country but more by business or "money capacity"
Conclusion
I don't know if it's a fork or a copy pasta but i'm curious to know the story behind this malware and this campaign.Code not packed, few victims, screencasting, all these stuff reminds me a targetted attack more than typical mass cybercrime.
Yara rules
Happy Hunting !
