Tribal Chicken

Security. Malware Research. Digital Forensics.

Monday Malware analysis #1: Zemot/Rerdom (Part 1)

Apparently the Russians need me to “Appear in court”… Of course they kindly zipped the notice for me to save my bandwidth… not.

I received this phishing email with an attachment the other day – In fact I have been receiving a few of this type lately so thought I would check it out.

**Disclaimer: This is all carried out in a controlled, isolated environment. Do not try this at home. Seriously. I will not be held responsible if you infect yourself, chances are all sorts of nasty things will happen (E.G. the theft of your online banking details). **

Screen Shot 2014-04-07 at 8.54.10 pm

What’s the logical thing to do? Open the attachment of course! (Don’t try this at home). VirusTotal gives a 9/25 detection ratio, detecting as a Trojan Dropper – no real surprises there. This dropper program will download the ‘real’ malware.

Screen Shot 2014-04-07 at 8.58.58 pm

So lets give it a crack. This is a Windows 7 Virtual Machine running in a DMZ isolated from the rest of the network, but still with a (firewalled) internet connection. Snort IDS is running on the DMZ interface as well as a packet tracer. No Antivirus is running on the system.

Extracting the zip file reveals an executable file disguised as a Microsoft Word document which is typical of these kinds of phishing attacks. Without checking the file extension it looks legitimate, but don’t let that deceive you.

Screen Shot 2014-04-07 at 9.07.43 pm

The good news is that when I try to execute the file Windows Defender picks up on it:

Screen Shot 2014-04-07 at 9.17.09 pm

I’m going to do something silly and allow the program to run and see what happens. Straight away after telling Windows to “Allow” I get a UAC authorisation prompt asking if I wanted to run “update_flash_player_[random characters].exe” (Which I didn’t get a screenshot of).

Hitting yes immediately triggered a reboot of the system.

Upon rebooting there is actually nothing immediately suspicious. Nothing showing up in task manager or process explorer, however the system is now listening on some suspicious ports, as well as has established a connection to a system traced to Russia.  (Indicates signs of a potential rootkit, since we know we executed something dodgy and there are now dodgy connections, but now processes listed in memory).

Screen Shot 2014-04-07 at 9.24.03 pm

After a minute or two I then get a prompt to allow “xenis.exe”… “Reverse Graphics Desktop Engine” (Doesn’t sound dodgy at all) outbound through the Windows Firewall.

Screen Shot 2014-04-07 at 9.23.48 pm

Once I allow that we now have the “xenis.exe” process running in memory.

On a side note process explorer contains a wicked “Submit to VirusTotal” feature. Interestingly enough though, the only suspicious executable failed to be analysed… hmmm…

Now there are a bucket load of connections going out – All to different AS numbers within Russia. Whois results show addresses within network blocks allocated to SevStar Networks, Sibirtelecom, NCNET, Yandex as well as some without full allocation details.

Screen Shot 2014-04-07 at 9.26.32 pm

Lets now shutdown the system and take a look at the packet capture.

The first suspicious activity on the packet trace is when the system begins making DNS requests for hostnames such as:

NOTE: I strongly recommend you do not visit these!

  • (Russia)
  • (Russia)

Again, generic or nonsensical names like these are typical.

The system makes a request to the second site for /libk25.98/jquery, which the server replies with a fair chunk of data. This is where it reboots.

Once it comes back up about a minute later the system makes a request to the same server, this time downloading the file /p59.12/soft64.dll. Once complete, it looks up the DNS name, which is linked to a few addresses:

Screen Shot 2014-04-07 at 10.26.35 pm

Some of these addresses may look familiar from the netstat output.

After the initial download it begins making numerous DNS lookups for seemingly arbitrary hostnames and initiating conversations with such (I see a lot of POST data going out).

There is a lot of data to sift through so I won’t be doing it tonight, however I did noticed a  communication between this system and an IP address which turns out is hosted here in Perth… At first look, I thought it was encrypted but that’s just how Wireshark interpreted it due to the communication being on port 443. Once decoded properly I can see it is a POST request, but I still cannot see the data being sent – It may be encrypted or obfuscated.

Screen Shot 2014-04-07 at 10.44.04 pm

There seems to be a perfectly legitimate website running, so I would imagine it has been compromised. I have sent an email to the listed abuse address.

In part 2 I will attempt to disassemble the Malware and further analyse the system to see if I can figure out exactly what the purpose of the malware is.