Posted

It gets weirder. Eset Internet Security is blocking the site as having potentially dangerous content:


  • Most Valued Members
Posted

Maybe VirusTotal isn't up to date with ESET's recent changes, or they work in other ways? Once I scan the IP of the website I get clean results; once I scan the domain name I get just 2 malicious results. I don't know; indeed it's weird.

 

Posted (edited)

Below is the Quttera report. I would say at this point the web site is clean. I also scanned the external link on the site and it is clean.


 

Edited by itman
Posted

Getting back on topic, we still need to know what is causing this detection since it appears the URL is being blocked by Eset from a non-browser process.

For anyone using Eset Internet/Smart/Endpoint Security, you can create a user firewall rule to block any outbound TCP/UDP connection to 185.197.74.74, which is the IP address associated with list-cloud.com. Move that rule to the top of the existing rule set.

Again, we have to verify if RB_1.4.42.60.exe is performing this activity.

Posted

To be honest, I haven't been able to locate this executable in any of the folders mentioned and have even come up empty with a general search of my volumes. I have also tried to pounce on it in Task Manager to locate it, but when I select Open File Location, it kills Task Manager. This definitely seems like a malicious app to me.

Posted

At this point I would say to anyone having this problem, it is best you open a support request with your local in-country Eset representative. In the request, refer to this forum thread. 

  • Administrators
Posted
2 hours ago, itman said:

At this point I would say to anyone having this problem, it is best you open a support request with your local in-country Eset representative. In the request, refer to this forum thread.  

That is not necessary since it's only the security research lab reachable at samples[at]eset.com that can comment on it. However, since we do not know yet what is behind this address, we won't be able to tell you more. I'd prefer not to unblock it unless the purpose of it and the company or person behind it is determined and a malicious or adware relation is ruled out.

Posted

Again, I believe this directory is bogus on Win x(64) installations; C:\Windows\SysWOW64\Microsoft\Protect\. So I guess the first thing that needs to be verified is that assumption.

Also, Emotet malware which is quite active currently is known to use C:\Windows\SysWOW64\ subdirectories. I do hope this is not Emotet based.

  • Administrators
Posted
Quote

12. 10. 2018 13:46:07   https://list-cloud.com  Blocked by internal blacklist    C:\Windows\SysWOW64\Microsoft\Protect\S-1-96-82\RB_1.4.42.60.exe    NT AUTHORITY\SYSTEM    185.197.74.74    4888F9A1EC926E4D2AE847586C0EB43271EED566    
12. 10. 2018 5:27:04   http://list-cloud.com Blocked by internal blacklist    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe    ITEDG25\nwy1    185.197.74.74    D42EA42B362442299195A82CFB998F10B11AF868    
12. 10. 2018 1:03:31   http://intrience.info Blocked by internal blacklist    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe    ITEDG25\nwy1    34.196.124.27    D42EA42B362442299195A82CFB998F10B11AF868    
12. 10. 2018 1:02:34   https://inewcontentdelivery.info Blocked by internal blacklist    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe    ITEDG25\nwy1    52.204.131.244    D42EA42B362442299195A82CFB998F10B11AF868    
12. 10. 2018 1:02:34  https://intrience.info Blocked by internal blacklist    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe    ITEDG25\nwy1    52.206.230.220    D42EA42B362442299195A82CFB998F10B11AF868

An odd thing is that Chrome accesses other suspicious domains under a different account than the one the OP uses. @Ian Ng, do you recognize that account? No wonder that the registrant is anonymized:

Registrant Organization: PROTECTSERVICE, LTD.

I'd try uninstalling Chrome and installing it from scratch using a new user profile.

Posted (edited)

Using Robtex:

  • intrience.info - not a valid domain name
  • inewcontentdelivery.info - resolves to Amazon servers in the U.S. Looks legit.

As far as the creation of RB_1.4.42.60.exe, its execution, and then its subsequent deletion: one possibility is that it's either consumer or command WMI event based. One poster appears to have verified this activity is not originating from a scheduled task. In any case, I can't fathom such a named executable existing in this C:\Windows\SysWOW64\Microsoft\Protect\S-1-96-82 directory, if the directory is legit in the first place.

Edited by itman
Posted (edited)

This article also confirms to me that Windows credentials are only stored in two directories:

Quote

dpapi locations

User

<user profile dir>\AppData\Roaming\Microsoft\Protect

Local System

<windir>\System32\Microsoft\Protect\S-1-5-18\User

https://files.sans.org/summit/dfir-prague-summit-2015/PDFs/ReVaulting-Francesco-Picasso.pdf

So it appears something "very bad" is going on here.

Edited by itman
Posted

Some progress on my end... or so it would seem. Now, please understand that I am not shilling for the competition, but I downloaded and ran the trial version of Malwarebytes this morning (full log file available if you want it). It identified two registry-related issues, which were quarantined:

Quote

 

Registry Key: 1
Trojan.BitCoinMiner.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{51A69099-BB83-4EDA-B253-9EFE17334209}, Quarantined, [6035], [580173],1.0.7389

Registry Value: 1
Trojan.BitCoinMiner.BatBitRst, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{51A69099-BB83-4EDA-B253-9EFE17334209}|PATH, Quarantined, [6035], [580173],1.0.7389

 

Since restarting, I have had zero recurrences of the notification from ESET -- going on a total of four hours of continuously monitored operation. Aware that I am less qualified to comment on whether this is the solution or just a coincidence, I leave it to the pros. I have also run the ESET Log Collector since I used Malwarebytes, if anyone would like to view the post-cleaning ESET log for the purposes of comparison.

Posted
19 hours ago, Marcos said:

 ITEDG25\nwy1  

This account is used to login to my school server. 

For more information, I only have this problem on my laptop. I use my laptop at work, so I have to use "ITEDG25\nwy1" as the login ID to access the server. Sometimes I log in as "LAPTOP-RRGLMU8H\IAN" when I am not in the office; this account is my primary account from when I set up my Windows 10.

Another odd thing is, I synchronize all Chromes on all computers with my Google account. Therefore, the apps I installed in Chrome on my laptop will automatically be installed on my home computer. But only my laptop showed the warning message.

Attached is the log file of my home computer. When I tried to get the browser extension log, it couldn't show the Chrome extensions information. I am using Windows 8.1 on my home computer.


Posted (edited)

If this bugger is indeed Trojan.BitCoinMiner.BatBitRst, I came across this very recent posting from a Czech malware removal site that indicates the Chrome malware component is ScriptMonkey: https://translate.google.com/translate?hl=en&sl=cs&u=https://pc-help.cnews.cz/viewtopic.php%3Ff%3D70%26p%3D1574109&prev=search . It also appears the malware cleaning in this case is still ongoing, since RogueKiller appears to have found infected registry TCP keys.

-EDIT- As far as the Chrome script extension, ScriptMonkey, goes, here are a few not so nice comments about it in the review section: https://chrome.google.com/webstore/detail/scriptmonkey/lblbnlfhhblmfconjalikamamlgoobbe

Edited by itman
Posted (edited)

Having delved into this in depth, the RB executable appears to be a clean but obsolete version of Apple Push Service (part of Apple Application Support and mainly used for Apple device management --- Ereporter.exe or YSLoaderW.exe), which will connect to a server on port 5223.

 

This can be located in the "C:\Windows\SysWOW64\Microsoft\Protect\[FAKESYSTEMSID]" folder, where FAKESYSTEMSID is seemingly a virus-generated SID of NT AUTHORITY or ENTERPRISE DOMAIN CONTROLLER.

To get access to this folder you will need to browse to it and use icacls and takeown on the files manually to even browse or access them, unless you are running as SYSTEM.

There also appears to be botupdate.exe (name gives it away) --- but it's actually a copy of ieinspector (possibly unwanted software)

ieinspector (botupdate.exe) also comes with an inbuilt UPX packed executable named AUUPG_AUUPG.exe , which is also potentially unwanted software... here is an analysis of this file: https://www.hybrid-analysis.com/sample/4de7e69425542f5ccb5df205a278e247ec95ab4e0851a9632a50890e8ef5161d

There also appears to be appleversions.dll (Chinese and possibly genuine but probably obsolete Apple versioning information, now labelled Trojan:Win32/Occamy.C by Windows Defender) and data.dll (Russian --- but one resource is ASCII encoded; I presume this other resource, encoded in "Unknown Apple II" format, holds the list-cloud.com and list-cloud.icu information that is loaded into the aforementioned obsolete Apple Push Service (YSLoaderW). The code shows it's been compiled in Visual Studio 2015 or later, by the presence of GCTL in the DLL header of data.dll).

And... copies of now quite obsolete Visual C++ 10 runtimes. I presume these are required for the malware to hook into YSLoaderW.exe (the RB executable)...

Having a look in overview, the RB executable loads appleversions.dll for versions of operating systems, so I presume the "app" the loader tries to load is data.dll --- injected by command line, I presume.

Having a delve into data.dll, it shows a single readable string in the resource table RES105, "Since when is pink a shade of gray?", and a GIF89a header! (obtained by PE Explorer and ASCII to string)

 

It's mainly being picked up because of a probably compromised version of vestacp running on the connected hosts, which may or may not be related to spectre and meltdown vulnerabilities and an associated APT, there are a fair few variants associated with this malware family.

 

Now let's dirty hack the files so they're at least accessible or viewable: [You'll also need to show hidden AND operating system protected files in the view options of Explorer - I presume you already know how to do this]

You can use the icacls and takeown command lines with moderation and caution [DO REPLACE FAKESYSTEMSID with the correct folder name]:

takeown /F C:\Windows\SysWOW64\Microsoft\Protect\[FAKESYSTEMSID] /R

icacls C:\Windows\SysWOW64\Microsoft\Protect\[FAKESYSTEMSID] /t /q /c /reset

 

NOTE TO ADMIN: Old versions of IDA Pro (even 7.0) cannot decompile the DLL's resources, seemingly because of their encryption/encoding! It's picking up in data.dll (Russian language; I'm still yet to discover the Russian content it claims to hold... https://www.virustotal.com/#/file/fc6915cd9721e40ec80a657d7f93f233decd5ff3cf49af802aaf194f2e196b6f/details file dates are 11/04/2018 )

Thank me later, and again, if you don't feel comfortable using both these command lines then do not attempt it...

Edited by koolholio
removed whitespace in directory paths, edited coherence in SID consistency, added note to admins, further edits to SID info
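A read-only triage script added here as an example; it is not from the thread or from any poster. It only checks, never changes anything: whether the legitimate DPAPI locations from the SANS slides exist, what is sitting under the SysWOW64\Microsoft\Protect folder discussed above (with SHA1 hashes so they can be compared against the hash column of the ESET log quoted earlier), whether the TaskCache entry Malwarebytes quarantined is still present, and whether anything is currently connected to the blacklisted IP. It assumes Windows 8.1/10 PowerShell (Get-FileHash and Get-NetTCPConnection) run from an elevated prompt; the file names, GUID and IP are the ones quoted in the posts.

```powershell
# Added read-only triage script; not part of the thread. Paths, the task GUID,
# the file names and the IP are the ones quoted in the posts above.
$ErrorActionPreference = 'SilentlyContinue'

# Legitimate DPAPI master-key locations (per the SANS slides quoted earlier).
$legitProtect = @(
    (Join-Path $env:windir 'System32\Microsoft\Protect\S-1-5-18\User'),
    (Join-Path $env:APPDATA 'Microsoft\Protect')
)
# Folder reported in this thread; it is not a normal DPAPI location.
$suspectRoot  = Join-Path $env:windir 'SysWOW64\Microsoft\Protect'
# File names the analysis above associates with the infection.
$suspectNames = 'RB_*.exe', 'botupdate.exe', 'AUUPG_AUUPG.exe', 'appleversions.dll', 'data.dll'
# Task-cache GUID from the Malwarebytes log, and the IP ESET blacklisted.
$taskKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{51A69099-BB83-4EDA-B253-9EFE17334209}'
$blockedIp = '185.197.74.74'

"== Legitimate DPAPI locations =="
foreach ($p in $legitProtect) { '{0}  exists={1}' -f $p, (Test-Path $p) }

"`n== $suspectRoot =="
if (Test-Path $suspectRoot) {
    # Owner shows whether takeown was already run; -Force lists hidden/system files.
    'Owner: ' + (Get-Acl -Path $suspectRoot).Owner
    Get-ChildItem -Path $suspectRoot -Recurse -Force -File | ForEach-Object {
        $name = $_.Name
        [pscustomobject]@{
            Path    = $_.FullName
            # SHA1 so it can be compared with the hash column of the ESET log above.
            SHA1    = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
            Created = $_.CreationTime
            Flagged = [bool]($suspectNames | Where-Object { $name -like $_ })
        }
    } | Format-Table -AutoSize
} else {
    'Not present (expected on a clean machine)'
}

"`n== Task-cache entry Malwarebytes quarantined =="
if (Test-Path $taskKey) { Get-ItemProperty -Path $taskKey | Select-Object Path, Author, URI }
else { 'Not found (already removed or never present)' }

"`n== Live TCP connections to $blockedIp =="
Get-NetTCPConnection -RemoteAddress $blockedIp |
    Select-Object RemotePort, State, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).Path } }
```

Files the script cannot hash because access is denied show an empty SHA1 column; that in itself is a sign the folder's permissions were altered as described above.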
Posted (edited)
17 hours ago, koolholio said:

Thank me later

Great analysis!

I suspected that using MBAM which killed the scheduled task really didn't remove the malware. This only prevented its outbound connection processing to a site that Eset had blacklisted. 

I also suspect whatever installed this malware/coin miner also used icacls  to change the C:\Windows\SysWOW64\Microsoft\Protect\[SYSTEMSID] registry key permissions. This would have required at least admin privileges to do so. I will say this in this regard. I know of at least one popular free third party security software that uses icacls via its installer to change registry permissions. And it gets worse in that when the software is uninstalled, those registry permissions are not returned to their default values.  

There is still however one major issue. This directory, C:\Windows\SysWOW64\Microsoft, does not exist on my Win 10 x(64) 1803 build. Others will have to verify the same is true on Win 7/8 x(64). So the simple and desired solution may be to delete the C:\Windows\SysWOW64\Microsoft directory after using icacls or manually to change its permissions to allow this to be done. Also and very important to create the C:\Windows\SysWOW64\Microsoft directory, it appears that C:\Windows\SysWOW64 directory permissions may have been modified.

Have you in anyway modified the contents of the C:\Windows\SysWOW64\Microsoft directory other than changing permissions? If not, I would create a zipped version of the directory and post it for @Marcos to forward to Eset malware researchers.

Edited by itman
Posted

Might I suggest only deleting the protect folder as SysWOW is a 32 bit to 64 bit emulator as there may be other folders if you use compatibility modes... I've deleted C:\Windows\SysWOW64\Microsoft\Protect\ and that can regenerate if it needs to

have a check to see if you're viewing hidden files and protected operating system files in explorer's view options before taking a hammer to it...

Posted

I've already submitted the samples to VirusTotal, ESET and the Microsoft Defender security teams. Defender is saying ieinspector is unwanted software; the DLL files are pending. It's unlikely that most of it will be picked up because it is heavily anti-stealth, with a PE under an MZ file header, and it's encrypted and seemingly holding a GIF89a header. In fact I'm surprised the code would even work like it's supposed to! Some of it is also quite authentic software (obsolete versions of Apple Application Support and VC++ 2010 runtimes).

Posted

I didn't find a scheduled task on mine unfortunately, but I am monitoring outbound connections and noticed that the authentic apple push service is now running without being redirected....

Posted (edited)

I only used the takeown and icacls command lines to reset the permissions on the protect folder recursively

I should also add that using icacls and takeown doesn't give ESET access to the files, only the currently logged-in user, so manual submission is needed.

Edited by koolholio
Posted (edited)

It does make one wonder if this was a result of either a rogue install or update of iTunes, QuickTime, etc.?

Do any of the affected parties have Apple app software installed on their PCs?

Edited by itman
Posted (edited)

Could be related to the Apple Bonjour Service, it's throwing this error occasionally: "ERROR: handle_resolve_request bad interfaceIndex [interfacenumber]"

Edited by koolholio