Report an incident
Back
  • About us
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy Bezpieczny telefon
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Tools
n6 Artemis MWDB
CVD program
CVD policy Advisories

AutoIt scripts are the new black for malware startups
04 July 2014 | CERT Polska | #malware

PL_malwareAutoIt scripts use becomes more and more fashionable for malware obfuscators, cryptors and alike. Especially among the not-so-sophisticated malicious software. Recently we described the phishing attack targeted at Polish users using Booking.com and Allegro.pl. This attacked used AutoIt script (called RazorCrypt) in one of its stages in order to pack the final malware. We observed a somewhat similar campaign (although there are no conclusions about the authors this time) that also used a very interesting AutoIt script and also was targeting Polish users of an auction website Allegro.pl.

You bought a laptop, here’s your Bitcoin miner invoice

We have received an information from users about the new malware campaign, which again uses Allegro.pl (Polish online auction website) to encourage users to click in a link. This e-mail informed that user won an auction for

ASUS G750 ROG I7-4700HQ 4x3.4G 16G F.HD 1TB 256SSD

and referred to an auction number

45845221547

. Screenshot of an e-mail message is provided below.

allegro-kup-teraz

Message contained two links – one to a supposed “invoice” and a second one to the auction. Both were leading to a

.pdf.exe

file and had an icon representing a PDF file. Additionally, it also opened a real PDF file containing a real-looking invoice (presented below). Unfortunately, a malware, used to mine Bitcoins, was also being run in the background.

faktura-allegro

PDF metadata contained an IP address

62.210.74.137

in the

Author

field and hostname

exit4.telostor.ca

in the

Creator

field. Creation date is set to 30th June and the PDF title is

Faktura 01/06/2014

.

Your invoice is conveniently provided in PDF, AutoIt, PE, VBS, COM and BAT simultaneously

The “invoice” exe file is actually an SFX file, which unpacks several files. The main file is

f.pdf

, which contains a invoice presented above. This PDF file does not contain any exploit. Instead of exploiting software, it unpacked few other files in the

C:\Users\<username>\<random_name>

directory.

    • VBS (Visual Basic Script) file, which runs a batch file.
    • BAT file, which runs AutoIt script from an interpreter.
    • AutoIt interpreter with COM file extension.
    • AutoIt script.
    • INI file used by the AutoIt script.
    • Encrypted (using RC2) PE file, which contains cpuminer – CPU-based Bitcoin miner.

    Despite realizing relatively trivial task, it uses a lot of different file formats. This may be in order to make the analysis harder for the researchers. Cpuminer logged to

    api.bitcoin.cz

    using a

    workus.worker1

    login.

    AutoIt script – so many possibilities, none of them used

    AutoIt script was the most interesting from all of the dropped files. It was obfuscated by adding a lines starting with white characters and

    ;

    character, which is how comments are written in AutoIt scripts. When these lines were stripped, a readable script was obtained, with descriptive variable names and comments.

    This campaign used only one of this script possibilities – running a RC2 encrypted PE file as another process, using a technique called “process hollowing”. This means that a benign process is created (in this case 32bit

    svchost.exe

    ) in a suspended state. Then, decrypted PE is written to a process memory. Then process is resumed and continues running a malware. In this case identification of the malicious process was straightforward, because it was run with a very unusual parameters, at least for Service Host:

    svchost -a sha256d -o  http://api.bitcoin.cz:8332 -u workus.worker1 -p BoZQ[xxx]

    However, script has a vast number of features, including:

    • Turning off “System Recovery” service.
    • Creating BSOD (Blue Screen of Death) using an undocumented, but known call to the WinAPI
      NtSetInformationProcess

      function.

    • Prevention from malware removal. Some deleted files were recreated (e.g. VBS, BAT) and the registry key
      HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

      was also recreated.

    • Appending additional text to the messages sent using IM and social networks like: Facebook, Skype, Omegle, Steam, Tinychat or Runescape.
    • Downloading and running additional software.
    • Detecting virtualization by checking if
      VboxService.exe

      or

      VMwaretray.exe

      is running.

    • Controlling the different malware instances using mutex.
    • Turning off User Access Control (UAC) by using a registry modifications.
    • Turning off the display of hidden and system files.
    • Displaying a message box to the user.

    All of these options were configurable using a INI configuration file.

Summary

Campaign was made in a really convincing way – the notifications looked like real e-mails from Allegro.pl (sans the invoice). The message also used links instead of attachments – probably to bypass some spam/AV filters.

AutoIt scripts are used to conceal malware for some time. Popularity makes them a good product and they become even more sophisticated. They are used not only to decrypt and run the PE file, but also have additional functionalities, like the ones desribed above

Hashes of samples

Below are included MD5 haseshes of some of the analyzed samples.

7410ae3a677bea363fab6902fb0dd473 Faktura_Vat.2014-06-30[xxx].pdf.exe
1f5a9caa675eb71e3767f765fe0a21a8 run.bat
8e14f298b25e60ebf4d7d9c7787b3aff run.vbs
48b8ade376a44ef498bcd3fec0f96d76 script.autoit
f0b0c815ab1c01c336ccc6147253ed0c settings.ini
Share: