#CryptoWall infection - 2014-05-25 - Angler EK from 184.108.40.206 - denoting.centrixsf[.]com - PCAP/malware/more at: http://t.co/LdEKOD3q0n
— Brad (@malware_traffic) May 25, 2014
The initial callback after the successful exploitation was a POST-request to 'gate.php' togheter with a few GET-requests for executables, both using HTTP/1.0 as shown below:
The first pattern looks alot like Pony (Pony is well documented on other blogs), however, I was expecting the usual "Microsoft 98" user-agent when inspecting the whole request, but instead I found:
Virustotal results, which at the time of writing is 3/52, it's flagged as "Fareit" by ESET and Kaspersky. So now to the interesting part, what is this Pony up to?
Pony itself is normally around 86kb depending on configuration and the payload itself in this case is 164kb which does suggest that it's either bundled with other malware, heavily modified version of Pony or that it includes alot of junkcode.
After running the sample under a debugger, setting breakpoints on CreateFileA and CreateFileW, I start finding interesting strings for example the "obfuscated" password used for encryption.
Just to mention, Pony stores the password it uses for encryption in an "obfuscated" pattern where each character is rotated two steps to the right. And looking at an unpacked version of Pony you'll find that the password is listed just before the callback server.
The strings above confirm that this is indeed Pony, yet modified. Let's continue with the configuration and encryption.
By letting Pony run, using the same breakpoints we find several interesting URL's:
Pony 1.9 used two layers of RC4 to protect the data. The key for the first layer is the first four bytes in the POST-data, the second layer is encrypted with the key found in the binary.
Decrypting the first layer gives us the familiar string CRYPTED0:
So the encryption-scheme is the same, the change up to this point is simply to be harder to detect together with the ability to steal Bitcoin wallets.
EDIT: More coverage on the Pony Loader "2.0" on https://blog.damballa.com/archives/2558.
$ date Mon May 26 01:33:37 CEST 2014 h00p://ourlittleponic.pw/gate.php - Active h00p://ourponicjunior.pw/gate.php - Domain doesn't resolve h00p://softwaregamecenter.eu/store/2.exe - Domain doesn't resolve h00p://softwaregamecenter.eu/store/3.exe - Domain doesn't resolve h00p://freepicscenter.pw/store/2.exe - 27ce89cc842baf51de2e08e2baa50b24 h00p://freepicscenter.pw/store/3.exe - c1d40e3677ea39be891550f6b03d112d h00p://freecenterpics.pw/store/2.exe - Domain doesn't resolve h00p://freecenterpics.pw/store/3.exe - Domain doesn't resolve h00p://picsfreecenter.pw/store/2.exe - Domain doesn't resolve h00p://picsfreecenter.pw/store/3.exe - Domain doesn't resolveAlso found h00p://freepicscenter.pw/store/1.exe (1f195fdf14b2691fcc487f9a474ab443) to be active.