Analysis of an APT attack sample using the NB Exploit Kit - the flow chart shows the drive-by ("hanging horse") page, which exploits Java and Flash vulnerabilities on the visitor's host to install and run malware

APT sample analysis using NB Exploit Kit attacks


1. Background

Recently, an APT threat-analysis appliance deployed by Anheng (DBAPPSecurity) engineers in a customer network raised a high-risk alert. The alert covered several suspicious behaviours: after starting in the sandbox the sample altered its runtime environment, created network socket connections, read files over the network, collected disk information, obtained the current user name and other sensitive content. Analysis also showed that the link in the original message from which the sample was downloaded was highly suspicious. After a preliminary review of the alert contents, this could be presumed to be a kind of web exploit attack (also called a "hanging horse", i.e. drive-by download, attack):

2. Analysis

Infection process

Next, the alerted page "index.htm" was downloaded with a tool for further analysis. It was found to use the RES protocol ("res://") to probe for local files.

The probing targets include: Kingsoft (Jinshan), 360, Kaspersky

If the user's computer has none of this software installed, the browser goes on to load a page named "win.html".

Analysis of "win.html"

After downloading it, the code turned out to be heavily obfuscated and encrypted, painful to read.

After formatting and analysing the code, two things were found: to keep crawlers from fetching the page, it checks the userAgent; and to prevent repeated infections, it sets a cookie to a specific value.

This is a fairly classic practice inside Exploit Kits, and a suspicious "NB VIP" string was found in the code, so presumably this is the NB or CK Exploit Kit.
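The three landing-page traits described above (res:// probing for installed security software, a userAgent gate against crawlers, and a one-shot cookie) are exactly what a defender can look for in captured HTML. The scanner below is an added example, not code from the post or from the kit; the two embedded HTML samples are constructed stand-ins for index.htm and win.html, the res:// paths are placeholders, and the vendor hints and the scoring weights are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed samples imitating the landing-page traits described in the post.
# They are NOT the incident's real index.htm / win.html; the res:// paths are placeholders.
SAMPLE_INDEX_HTML = r"""
<html><body>
<img src="res://C:\av_placeholder\kingsoft\kav.exe/#2/#1" onload="found++" onerror="missing++">
<img src="res://C:\av_placeholder\360\360tray.exe/#2/#1" onload="found++" onerror="missing++">
<img src="res://C:\av_placeholder\kaspersky\avp.exe/#2/#1" onload="found++" onerror="missing++">
<script>if (found == 0) location.href = "win.html";</script>
</body></html>
"""

SAMPLE_WIN_HTML = r"""
<script>
var ua = navigator.userAgent.toLowerCase();
if (ua.indexOf("msie") == -1) {
  /* crawler or unsupported browser: serve nothing */
} else if (document.cookie.indexOf("infected=1") == -1) {
  document.cookie = "infected=1; path=/";   /* mark the visitor so the kit fires only once */
  var tag = "NB VIP";                         /* kit marker seen in the obfuscated code */
}
</script>
"""

RES_PATTERN = re.compile(r"""res://[^\s"'<>]+""", re.IGNORECASE)
UA_GATE_PATTERN = re.compile(r"navigator\.userAgent", re.IGNORECASE)
COOKIE_SET_PATTERN = re.compile(r"document\.cookie\s*=", re.IGNORECASE)
AV_VENDOR_HINTS = ("kingsoft", "360", "kaspersky")   # vendors the post says the page probes for
KIT_MARKERS = ("NB VIP",)                             # string the post found in the code


def scan_landing_page(html: str) -> Dict[str, object]:
    """Return the exploit-kit landing-page traits found in one HTML/JS document."""
    res_targets: List[str] = sorted({m.group(0) for m in RES_PATTERN.finditer(html)})
    av_hits = sorted({v for t in res_targets for v in AV_VENDOR_HINTS if v in t.lower()})
    ua_gate = bool(UA_GATE_PATTERN.search(html))
    cookie_gate = bool(COOKIE_SET_PATTERN.search(html))
    markers = [m for m in KIT_MARKERS if m in html]
    # Assumed weights: res:// probing 1, probing a known AV vendor 1, UA gate 1,
    # one-shot cookie 1, a known kit marker 2. Two or more points flags the page.
    score = ((1 if res_targets else 0) + (1 if av_hits else 0)
             + int(ua_gate) + int(cookie_gate) + (2 if markers else 0))
    return {
        "res_probe_targets": res_targets,
        "av_vendors_probed": av_hits,
        "user_agent_gate": ua_gate,
        "cookie_gate": cookie_gate,
        "kit_markers": markers,
        "score": score,
        "suspicious": score >= 2,
    }


if __name__ == "__main__":
    for name, doc in (("index.htm", SAMPLE_INDEX_HTML), ("win.html", SAMPLE_WIN_HTML)):
        print(name, scan_landing_page(doc))
```

Run on a proxy's saved responses, the res:// list alone is a useful artefact: a legitimate page has no reason to reference local executables through `res://`, and the set of vendors probed tells you which security products the kit was built to avoid.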

Continuing the analysis, the page contains attacks against different versions of Java. The jar it calls contains the well-known pinyin strings "woyouyizhixiaomaol" and "conglaiyebuqi", that is, "I have a little donkey, I never ride it."

Decompiling the jar package also reveals similar information:

There are also different payload attacks against various versions of Flash, Silverlight and IE, but the links were invalid when the author tried to download them, so they could not be retrieved.

Analysing the whole code flow, the author drew a flow chart:

Finally, after a successful exploit, a malicious file named "calc.exe" is downloaded and run.

Opening the malicious page in a browser inside a virtual machine and capturing the traffic with a packet-capture tool reproduced the whole process:

The capture results show, however, that it also downloaded other exe programs, so the author analysed those downloaded programs as well.

Analysis of the malicious program calc.exe

Analysis shows that the main function of calc.exe is to collect information about the user's computer using WMI and send it to a remote server for statistics,

then read a remote configuration file, and download and run the malicious programs listed in that configuration.

This matches what we saw in the packet capture.

Analysis of iexplore.exe

After this trojan runs, it decrypts an encrypted URL in memory; the IP in it is simply the address the malicious domain resolves to.

Note: everything after "<|>" in the URL string is an exe program, and each of them is stored on the server.

It then scans the process list every second, checking whether a process with the same name as one in the decrypted data exists; if so, it concatenates the URL, downloads that program and runs it. That is:

The programs in the URL are all account-stealing trojans for various games. There are many kinds, roughly 40 or more, almost all of them packed, and each malicious program drops further files when it runs.
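For triage, the useful output of the iexplore.exe analysis is the decrypted "<|>"-delimited string itself: from it one can derive the full download URLs to block and the host to sinkhole, and check which running programs the trojan's one-second poll would react to. The helper below is an added example, not the post's or the trojan's code. The post only says that everything after "<|>" is an exe name, so the assumed layout "base URL, then exe names" and the constructed sample string, IP (documentation range) and process snapshot are my own.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlparse

DELIM = "<|>"

# Constructed stand-in for the decrypted data; the real string and IP are not on the page.
# Assumed layout (the post only confirms that everything after <|> is an exe name):
#   <base download URL><|><exe name><|><exe name>...
CONSTRUCTED_DECRYPTED = "http://192.0.2.10/down/<|>QQ.exe<|>dnf.exe<|>wow.exe<|>"
CONSTRUCTED_PROCESS_SNAPSHOT = ["explorer.exe", "QQ.exe", "notepad.exe", "svchost.exe"]


def parse_decrypted_config(text: str) -> Tuple[str, List[str]]:
    """Split the decrypted string into the base URL and the list of exe names."""
    parts = [p.strip() for p in text.split(DELIM)]
    base_url = parts[0]
    exe_names = [p for p in parts[1:] if p.lower().endswith(".exe")]  # drops empty trailing parts
    return base_url, exe_names


def download_urls(base_url: str, exe_names: List[str]) -> List[str]:
    """Rebuild the URLs the trojan would fetch (base + program name), for a blocklist."""
    if not base_url.endswith("/"):
        base_url += "/"
    return [base_url + name for name in exe_names]


def matching_processes(exe_names: List[str], running: List[str]) -> List[str]:
    """Running processes whose name appears in the decrypted list (case-insensitive,
    like Windows file names): the entries the one-second poll would act on."""
    wanted = {n.lower() for n in exe_names}
    return sorted(p for p in running if p.lower() in wanted)


def triage(text: str, running: List[str]) -> Dict[str, object]:
    """Summarise the indicators a responder needs from one decrypted string."""
    base_url, exe_names = parse_decrypted_config(text)
    return {
        "c2_host": urlparse(base_url).hostname,
        "payload_names": exe_names,
        "block_urls": download_urls(base_url, exe_names),
        "triggered_by": matching_processes(exe_names, running),
    }


if __name__ == "__main__":
    for key, value in triage(CONSTRUCTED_DECRYPTED, CONSTRUCTED_PROCESS_SNAPSHOT).items():
        print(key, value)
```

Feeding the real decrypted string from a memory dump into triage() gives the host for DNS sinkholing and the full URL list for the proxy, and the "triggered_by" list explains which users' machines would have fetched which stealer.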

The account-stealing methods vary; here the malicious QQ.exe is used as a simple example.

After the fake QQ.exe runs, it closes the running QQ and downloads a disguised QQ login screenshot from Baidu Images,

then creates a fake QQ login window to carry out the deception.

Finally it sends the QQ number and password entered by the user to the following malicious address: http://14.***.***.227:8***/xx/fen/ly01/lin.asp

Analysis of smss.exe

It is a VB program. When run, it collects information about the user's computer, connects to an MSSQL database, uses SQL statements to read data (URLs) from the remote server, and downloads and runs them.

Because the program hard-codes the username and password, the author used a tool to successfully log in to this database server:

The data stored in the database are malicious URLs and statistics URLs, which matches the results of our analysis.
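The hard-coded MSSQL credentials in smss.exe are the kind of artefact worth pulling out automatically when triaging a dropped binary: the server address is an indicator to block, and the credential itself should be reported without being written into a ticket in clear. The extractor below is an added example, not code from the post. It scans a byte blob for printable ASCII and UTF-16LE runs (VB6 stores string literals as wide characters, so both encodings matter) and looks for the "key=value;" shape of an ADO/ODBC connection string; the sample blob, hosts and passwords are constructed placeholders, and the key aliases and redaction format are my own choices.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed stand-in for a dumped binary: header bytes, one ASCII ADO connection string
# and one UTF-16LE ODBC-style string. Hosts and passwords are placeholders, not the real server.
CONSTRUCTED_BLOB = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 8
    + b"Provider=SQLOLEDB;Data Source=192.0.2.55,1433;Initial Catalog=cfg;"
      b"User ID=sa;Password=P@ss-placeholder;"
    + b"\x00" * 4
    + "Driver={SQL Server};Server=db.example.invalid;Uid=reader;Pwd=hunter2-placeholder;".encode("utf-16-le")
    + b"\x00" * 4
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")              # 8+ printable ASCII bytes
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")       # 8+ printable UTF-16LE code units
CONN_STR = re.compile(r"(?:[A-Za-z ]+=[^;]*;){3,}")      # three or more "key=value;" pairs in a row
KEY_ALIASES = {                                          # canonical name -> spellings seen in practice
    "server": ("data source", "server", "address", "addr", "network address"),
    "database": ("initial catalog", "database"),
    "user": ("user id", "uid"),
    "password": ("password", "pwd"),
}


def extract_strings(blob: bytes) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every printable ASCII and UTF-16LE run."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group(0).decode("ascii")
    for m in WIDE_RUN.finditer(blob):
        yield m.start(), "utf-16-le", m.group(0).decode("utf-16-le")


def find_connection_strings(blob: bytes) -> List[Dict[str, object]]:
    """Locate hard-coded DB connection strings; keep server/user/database, redact the password."""
    found: List[Dict[str, object]] = []
    for offset, encoding, text in extract_strings(blob):
        for m in CONN_STR.finditer(text):
            fields: Dict[str, object] = {"offset": offset, "encoding": encoding}
            for pair in m.group(0).split(";"):
                if "=" not in pair:
                    continue
                key, value = pair.split("=", 1)
                key = key.strip().lower()
                for canonical, aliases in KEY_ALIASES.items():
                    if key in aliases:
                        fields[canonical] = value.strip()
            # Only a string with both a target server and a password is a credential worth reporting
            if "server" in fields and "password" in fields:
                fields["password"] = "<redacted, %d chars>" % len(str(fields["password"]))
                found.append(fields)
    return found


if __name__ == "__main__":
    for hit in find_connection_strings(CONSTRUCTED_BLOB):
        print(hit)
```

On a packed sample this has to run on the unpacked or memory-dumped image, since the strings are not visible in the file on disk; the post notes that almost all of the dropped programs are packed.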

Summary

The Anheng (DBAPPSecurity) research team found that all of the samples contain a large amount of Chinese-encoded content, so it can be stated with confidence that this is the work of a domestic group. Today, as APT attacks become ever more widespread, networks face a large number of complex security threats, such as new kinds of malicious-code exploits. These threats are hard for traditional firewalls and antivirus software to identify effectively, so dedicated APT threat-analysis products must be used to make up for the shortcomings of traditional security products and to detect and analyse, in time, the various new threats present in the network.


Source: www.cnblogs.com/bonelee/p/11779556.html