September 4, 2013 / Baibhav Singh

The curious case of a password stealer

We recently encountered a piece of malware in the wild that had “Bromium” strings embedded in it, which intrigued us. So, we went ahead and did some analysis of this Trojan to understand its inner workings. Below is the summary of the malware with snippets of our analysis.

Properties of the malware:

– Multi-stage infection vectors

– Cleans up after itself by self-deleting

– Installs a password/credential-stealing Trojan

– Password brute-forcing capabilities

– Anti-debugging, anti-dumping and packed executables

– Targets the stored passwords of various browsers and other popular software

– Some of the remote connection URLs are hardcoded in the sample

Sample analyzed:

MD5: 57FF79F6BC746056C16F3693E0C8C4E7

SHA-1: 9B5B365D9B28DB16B7011735B18F352E0EE5E53C

Technical Details

The malware is an executable disguised with a PDF icon. To an unsuspecting user who saved the file to the desktop, it looks like a PDF document, which can mislead them into opening it.

The first-stage executable cannot be run inside a debugger, so a few tricks are needed to bypass these restrictions and reverse engineer the malware.

The section information of the executable is shown below.

The sections look like standard compiler-generated sections, but the resource section is unusually large, which hints that the real malware might be stored inside the resource section of the executable.

After reverse engineering this section, we found that the sample allocates a large chunk of memory on the heap, copies a block of bytes (the encoded malware) from the resource section into the heap and then decodes it to obtain the real malware executable.
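The oversized resource section was the first hint that an encoded payload was embedded in the file. The following is an added triage check, not code from the original post: it parses the PE section table with the standard library only and flags a file whose .rsrc section dominates the raw data. The sample PE header at the bottom is constructed here for demonstration and the 60% threshold is an assumed heuristic.

```python
import struct

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def parse_sections(data):
    """Return [(name, virtual_size, raw_size, raw_offset)] from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows optional header
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, rsize, roff = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vsize, rsize, roff))
    return sections


def resource_ratio(data):
    """Fraction of all raw section bytes that belong to .rsrc."""
    sections = parse_sections(data)
    total = sum(s[2] for s in sections)
    rsrc = sum(s[2] for s in sections if s[0] == ".rsrc")
    return rsrc / total if total else 0.0


def suspicious_resource(data, threshold=0.6):
    """True when .rsrc dominates the file, as it did in the sample above (assumed cutoff)."""
    return resource_ratio(data) >= threshold


def build_sample_pe(sections):
    """Construct a minimal PE header for testing (constructed input, not a real binary).

    SizeOfOptionalHeader is set to 0, which the parser honours, so no optional header is emitted.
    """
    e_lfanew = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    for name, size in sections:
        hdr += name.ljust(8, "\0").encode() + struct.pack(
            "<IIIIIIHHI", size, 0x1000, size, 0, 0, 0, 0, 0, 0x40000040)
    return bytes(hdr)
```

Run it against a directory of samples and sort by resource_ratio; packed droppers of this kind tend to cluster near 1.0.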

The decoded executable is then copied over the location where the current executable is mapped.

Once done, a routine is called that resolves the import address table of the copied malware.

After that, the malware enables the privileges it needs using the AdjustTokenPrivileges API, in case they are not already set.

The malware has an anti-debugging check based on GetTickCount. This is a well-known trick in which the malware tries to detect an attached debugger by measuring the time taken by certain operations.

After this stage, the malware calls a routine that collects the passwords stored by various applications, but before calling this routine there is one more debugger check, which directly reads the BeingDebugged flag stored inside the PEB.


The main password collector module calls a list of password collection modules to collect passwords stored by different applications within a loop.

The “Bromium” string is used to collect credentials stored by something related to “Bromium”. However, within a few minutes it was evident that this part of the module is non-functional against the Bromium vSentry product, because a Bromium system does not work the way the malware expects. In fact, Bromium vSentry is designed to protect against such password stealers by not exposing sensitive information such as passwords inside the micro-VMs. More details are provided below.


The same logic is used for harvesting passwords from Google Chrome.


After collecting this information, it connects to a set of servers and sends the data out using an HTTP POST request. The sites listed below were active at the time of writing.


A Wireshark capture of the encrypted POST request is shown below.

After this, the malware downloads another malicious executable from one of the following servers.


It then attempts a brute-force attack against the credentials of other users on the system using the following password lists.

The list has been truncated for brevity

Then it creates a batch file under %User Temp%\{random characters}.bat and runs it to delete itself:

rem loop until the dropped executable passed in as %1 has been removed
:ktk
del %1
if exist %1 goto ktk
del

It is obvious that the malware is primarily designed to steal passwords. When it runs, it checks for the following popular Internet-facing clients installed on the victim’s machine. The complete list of targeted products is provided below:

FarManager

Ghisler

WS_FTP

GlobalSCAPE CuteFTP 6 Home

GlobalSCAPE CuteFTP 6 Professional

GlobalSCAPE CuteFTP 7 Home

GlobalSCAPE CuteFTP 7 Professional

GlobalSCAPE CuteFTP 8 Home

GlobalSCAPE CuteFTP 8 Professional

GlobalSCAPE CuteFTP

GlobalSCAPE CuteFTP Pro

GlobalSCAPE CuteFTP Lite

FlashFXP

FileZilla

FTP Navigator

FTP Commander

BulletProof FTP

SmartFTP

TurboFTP

FFFTP

FTPWare

FTP Explorer

UltraFXP

SecureFX

UltraFXP

FTPRush

WebSitePublisher

BitKinex

ExpanDrive

ClassicFTP

Fling FTP

Directory Opus

CoffeeCup Software

LeapWare

WinSCP

32BitFtp

NetDrive

WebDrive

AceBIT

FTPVoyager

RhinoSoft

LeechFTP

Odin Secure FTP Expert

WinFTP

FTPGetter

ALFTP

DeluxeFTP

Staff-FTP

AceFTP

FreshFTP

BlazeFtp

EasyFTP

NetSarang

FTPNow

LinasFTP

PuTTY

NppFTP

FTPShell

MAS-Soft FTPInfo

NexusFile

My FTP

NovaFTP

Robo-FTP 3.7

Cyberduck

Bromium

Opera

Mozilla Firefox

SeaMonkey

Flock

Google Chrome

Chromium

ChromePlus

Nichrome

Comodo

RockMelt

K-Meleon

Epic Browser

FastStone Browser

IE

Outlook

Windows Live Mail

Windows Mail

ThunderBird

BatMail

Pocomail

IncrediMail

In the case of a browser like Google Chrome, it tries to locate the Chrome profile directory and its Web Data and Login Data files, and then reads the SQLite database in which Chrome stores saved passwords. Similarly, it tries to steal the IE credential cache from

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2.

Virus Total

VirusTotal shows quite good detection coverage, suggesting that this malware is well known and has been around for some time.

The “Yandex” – Bromium Connection

After analyzing the malware, it was evident that it was not designed for Bromium vSentry, as it could not do much with Bromium vSentry enabled. We looked at applications with a similar profile and believe that this malware is targeting Yandex Browser. This is a popular browser in Russia which contains the following strings once installed:

YandexBrowser/Application/25.0.1364.13754/browser.dll:451580:Bromium\Application\chrome.exe

YandexBrowser/Application/25.0.1364.13754/browser.dll:452047:bromium

YandexBrowser/Application/25.0.1364.13754/browser.dll:452717:Bromium

YandexBrowser/Application/25.0.1364.13754/crash_service.exe:8904:bromium

YandexBrowser/Application/25.0.1364.13754/Installer/browser.7z:454053:Bromium\Application\chrome.exe

YandexBrowser/Application/25.0.1364.13754/Installer/browser.7z:454520:bromium

YandexBrowser/Application/25.0.1364.13754/Installer/browser.7z:455190:Bromium

YandexBrowser/Application/25.0.1364.13754/Installer/browser.7z:1692494:bromium

YandexBrowser/Application/25.0.1364.13754/Installer/browser.7z:1713143:bromium

YandexBrowser/Application/25.0.1364.13754/Installer/browser.7z:1745625:bromium

YandexBrowser/Application/25.0.1364.13754/Installer/setup.exe:11493:Bromium

YandexBrowser/Application/25.0.1364.13754/Installer/setup.exe:12183:bromium

YandexBrowser/Application/25.0.1364.13754/nacl64.exe:26908:bromium

YandexBrowser/Application/browser.exe:9730:bromium

It appears that the Bromium references within the Yandex browser have nothing to do with Bromium vSentry and are holdovers from an internal Yandex naming convention.

Summary

It turns out that the malware is a widely distributed, generic password-stealer Trojan aimed at popular Internet clients, including browsers and FTP software. The malware has no visibility into sensitive information such as user passwords inside the micro-VM.

Bromium vSentry users are protected from such password stealers.
