söndag 25 maj 2014

Dropnote #2 - Pony changing it's pattern

After the tweet from @malware_traffic I found myself recognizing the callback pattern and thought I would take a look.

The initial callback after the successful exploitation was a POST-request to 'gate.php' togheter with a few GET-requests for executables, both using HTTP/1.0 as shown below:

The first pattern looks alot like Pony (Pony is well documented on other blogs), however, I was expecting the usual "Microsoft 98" user-agent when inspecting the whole request, but instead I found:
Looking at Virustotal results, which at the time of writing is 3/52, it's flagged as "Fareit" by ESET and Kaspersky. So now to the interesting part, what is this Pony up to?

Pony itself is normally around 86kb depending on configuration and the payload itself in this case is 164kb which does suggest that it's either bundled with other malware, heavily modified version of Pony or that it includes alot of junkcode.

After running the sample under a debugger, setting breakpoints on CreateFileA and CreateFileW, I start finding interesting strings for example the "obfuscated" password used for encryption.

Just to mention, Pony stores the password it uses for encryption in an "obfuscated" pattern where each character is rotated two steps to the right. And looking at an unpacked version of Pony you'll find that the password is listed just before the callback server.

The strings above confirm that this is indeed Pony, yet modified. Let's continue with the configuration and encryption.

By letting Pony run, using the same breakpoints we find several interesting URL's:
So now we got the encryption-key, two gates and several executables that will be downloaded. Let's try decrypting the posted data.

Pony 1.9 used two layers of RC4 to protect the data. The key for the first layer is the first four bytes in the POST-data, the second layer is encrypted with the key found in the binary.

Decrypting the first layer gives us the familiar string CRYPTED0:
And the second layer using the key 'guardian1' gives us a compressed report:

So the encryption-scheme is the same, the change up to this point is simply to be harder to detect together with the ability to steal Bitcoin wallets.

EDIT: More coverage on the Pony Loader "2.0" on https://blog.damballa.com/archives/2558.

$ date
Mon May 26 01:33:37 CEST 2014

h00p://ourlittleponic.pw/gate.php - Active
h00p://ourponicjunior.pw/gate.php - Domain doesn't resolve
h00p://softwaregamecenter.eu/store/2.exe - Domain doesn't resolve
h00p://softwaregamecenter.eu/store/3.exe - Domain doesn't resolve
h00p://freepicscenter.pw/store/2.exe - 27ce89cc842baf51de2e08e2baa50b24
h00p://freepicscenter.pw/store/3.exe - c1d40e3677ea39be891550f6b03d112d
h00p://freecenterpics.pw/store/2.exe - Domain doesn't resolve
h00p://freecenterpics.pw/store/3.exe - Domain doesn't resolve
h00p://picsfreecenter.pw/store/2.exe - Domain doesn't resolve
h00p://picsfreecenter.pw/store/3.exe - Domain doesn't resolve

Also found h00p://freepicscenter.pw/store/1.exe (1f195fdf14b2691fcc487f9a474ab443) to be active.

Inga kommentarer:

Skicka en kommentar