We received an interesting piece of malware from one of our friends, Darkman.
Two properties of the malware infrastructure made this sample interesting: the protection of the malware with Captcha and the tricky DNS infrastructure.
The victim receives a DHL delivery spam, pointing to the following URL:
hxxp:// dhlcarrier . com / nextt-on
As you can see on the screenshot, before the victim could download the malware, the victim has to solve a Captcha. As always, the Captcha is there to protect the resource from automated bots, but in this particular case, the resource is the evil (the malware), and the bots are the good (automatized URL crawlers working from spam trap outputs).
Looking at the Captcha I noticed two weaknesses:
1. The Captcha itself is not very sophisticated, and it can be easily broken with the most simple OCR technologies.
2. The Captcha is a static image, it is statically linked to a static jpeg file.
But contrary to these weaknesses, we believe that the Captcha itself is effective against URL crawlers which extract the link from the spam and visit the site to get infected. But the EXE itself also has a static link, so when the URL crawler works based on web proxy logs, it can easily download the malware.
By solving the Captcha one can download a ZIP file: info_c253ef02e2d46ccb780c7f0aabf0914f.zip
The zip file contains an executable file with a PDF icon
MD-5 hash: 777c0c28bc51052b811f49d3e0cc8af1
The SHA-256 hash of the sample: 1777ea43f1fb843f070a847f1da900c00e3328529f476930b03def12dc097d2f
The sample has been previously uploaded to Virustotal:
And here is a malwr report:
Now move on to the next interesting piece, the DNS infrastructure.
Most of the DNS analysis has been done by our friend, Darkman:
The malware tries to connect to the following two C&C servers:
hxxps://imgsecurehost5 . net/fro
hxxps://updatesecurehost1 . ru
Let’s focus on the second C&C hostname. If you try to resolve the IP for this address, you won’t get any answers. Either trying online services you get nothing. But setting a DNS resolver from Austria (e.g. DNS server 126.96.36.199), one can resolve the DNS name to the IP 188.8.131.52. It is a common trick to filter the C&C traffic based on the IP address, but it is not that common to see this at the DNS level.
HTTPS based C&C
Also, notice the HTTPS in the C&C protocol. The certificate for updatesecurehost1 . ru is a self signed certificate with the following details:
E = [email protected]
CN = localhost
O = Mojolicious
L = Hambergen
S = Niedersachsen
C = DE
The certificate for the imgsecurehost5 . net server is the following:
E = [email protected]
CN = VMware
OU = VMware
L = Palo Alto
C = US
Quick analysis of the malware indicates it is a variant of the Hesper bot, similar to this sample:
This is a pretty new banking trojan (compared to Zeus), doing webinjects and password stealing. A great analysis about this bot family can be found here:
Quick Googling for Captcha protected malware showed that although this is not something new, but rare. There were examples in 2011.
Also, the following analysis is connected to the same campaign, based on the certificate and Captcha:
Lessons learned: attackers are always putting resources to protect their malware against automated scanners, and when you can’t resolve an IP for a domain, it makes sense to change the DNS server.