ESET Insiders cutting_edgetech 25 Posted October 22, 2018 ESET Insiders Posted October 22, 2018 The directory "C:\Windows\SysWOW64\Microsoft\Protect\S-1-96-82\ " does not exist on my Windows 10 x64 Pro Version 1709 installation. I don't have a Microsoft folder at that directory.
itman 1,806 Posted October 22, 2018 Posted October 22, 2018 (edited) Also of note is this use of this SID "S-1-96-82." Here's a reference to well know system SID's: https://docs.microsoft.com/en-us/windows/desktop/secauthz/well-known-sids When I refer to legit SID based directories listed under C:\Windows\System32\Microsoft\Protect\, they all begin with S-1-5. Also, the only thing that exits in those directories are registry key references. -EDIT- Kaspersky recent published an article in regards to a RID vulnerability that exists on all Win versions here: https://threatpost.com/trivial-post-intrusion-attack-exploits-windows-rid/138448/ with specific attack details here: http://csl.com.co/rid-hijacking/ . This attack would allow for system changes to be made such as what is currently being evidenced in this thread. Edited October 22, 2018 by itman
koolholio 4 Posted October 22, 2018 Posted October 22, 2018 (edited) perhaps they were targeting enterprise domain controllers in my case, but they failed to program the SID properly in visual studio? it's likely the work of a script kiddie, that didn't quite know what they were doing with shellcode and UPX packing Can we check that DEP is turned on in the BIOS? and the OS? also another thing to remember is it's in the syswow64 directory so it's a 32 bit program and it was built for OS version 6 (VIsta) I'm sure when they decompile these files it'll all become clear by some of the ASM that it appears to do... here is a site explaining a couple of things: https://www.exploit-db.com/exploits/41827/ now, just to find out how to do that in Borland delphi 3.0 (released in 1997) and visual studio 2015 but making it compatible with 2010! The updater mechanism for botupdate.exe (ieinspector) pushes at memory address 0C77242Bh using UPX1 packing here's an analysis of botupdate.exe https://www.hybrid-analysis.com/sample/9126c3851393f86973fc4e7b9a9156e20edc489606b94b8847f90e5b0b3809b2 Seemingly it targets VBOX virtualization... and connects to these addresses: https://www.hybrid-analysis.com/sample/9126c3851393f86973fc4e7b9a9156e20edc489606b94b8847f90e5b0b3809b2/5bce13b87ca3e120f04acb8f#signature-ee8357e421efee19e1610c7bc6b56378 Edited October 22, 2018 by koolholio
koolholio 4 Posted October 22, 2018 Posted October 22, 2018 (edited) CRACKED IT! (i think) woo hoo! Further note to admin: The data.dll contains resources that are pure ascii, that, when translated to hex you can disassemble the ASM! but res105 has a gif98a header, which is got from translating ascii to string Edited October 22, 2018 by koolholio
itman 1,806 Posted October 22, 2018 Posted October 22, 2018 (edited) 3 hours ago, koolholio said: The updater mechanism for botupdate.exe (ieinspector) Appears Avast was detecting it last month. Microsoft site is in Chinese. Below is a link to the English translation: Suspicious file botupdate.exe in Windows\SysWOW64\Microsoft\Protect https://translate.google.com/translate?hl=en&sl=zh-TW&u=https://answers.microsoft.com/zh-hant/windows/forum/windows_10-security/windowssyswow64microsoftprotect%E4%B8%AD%E6%9C%89/cb9d2357-3689-447c-9877-d0d933935f59&prev=search Also appears Microsoft wasn't interested in it in the least. To bad for folks infected by this. Also as far as I am aware of IEInspector is legit software: https://www.ieinspector.com/httpanalyzer/index.html Also it does not integrate with Chrome so that aspect is still a mystery. Suspect this bugger is a hacked ver. of IEInspector since the legit version is paid software. BTW - IEInspector does have a silent install option: Quote Silent install. Use /VERYSILENT or /SILENT command-line parameters to install it. https://www.ieinspector.com/httpanalyzer/manual/index.html Edited October 22, 2018 by itman
koolholio 4 Posted October 22, 2018 Posted October 22, 2018 (edited) Avast would detect anything as a virus in my opinion, even authentic files As for Microsoft, here's an update on one of the dll files: https://www.microsoft.com/en-us/wdsi/submission/94b87cd5-95a9-415b-b923-80f55bd8150d Edited October 22, 2018 by koolholio
koolholio 4 Posted October 22, 2018 Posted October 22, 2018 (edited) 55 minutes ago, itman said: Also as far as I am aware of IEInspector is legit software. Also it does not integrate with Chrome so that aspect is still a mystery. Suspect this bugger is a hacked ver. of IEInspector since the legit version is paid software. BTW - IEInspector does have a silent install option. Indeed, but how it updates is through 2 inbuilt UPX files, the software was written in delphi 3.0 and HttpAnalyzerStdV7 appears to be licensed... " - Licence is valid - Delphi Client/Server Suite (Enterprise)" says DVCLAL... see here for the addresses it connects to: https://www.hybrid-analysis.com/sample/9126c3851393f86973fc4e7b9a9156e20edc489606b94b8847f90e5b0b3809b2/5bce13b87ca3e120f04acb8f#signature-ee8357e421efee19e1610c7bc6b56378 Heuristic match: "&2OTbY( .cH" Heuristic match: "Font.Name" Pattern match: "hxxp://www.ieinspector.com" Heuristic match: "support@ieinspector.com" Pattern match: "hxxp://synedit.sourceforge.net" Pattern match: "hxxp://www.jrsoftware.org/tb97info.php" Pattern match: "hxxp://www.jrsoftware.org/isinfo.php" Pattern match: "hxxp://www.mirkes.de/en/delphi/vcls/hexedit.php" Pattern match: "hxxp://www.bsalsa.com/product.html" Pattern match: "hxxp://www.getfirebug.com/" Pattern match: "hxxp://fastcode.sourceforge.net/" Pattern match: "hxxp://andy.jgknet.de/dspeedup/index.php" Heuristic match: "NonPrinted.Font.Name" Heuristic match: "LineNumbers.Font.Name" Heuristic match: "HintProps.Font.Name" Heuristic match: "$DefaultStyles.SelectioMark.Font.Name" Heuristic match: "DefaultStyles.SearchMark.Font.Name" Heuristic match: "#DefaultStyles.CurrentLine.Font.Name" Heuristic match: "$DefaultStyles.CollapseMark.Font.Name" Heuristic match: "$SyncEditing.SyncRangeStyle.Font.Name" Heuristic match: "&SyncEditing.ActiveWordsStyle.Font.Name" Heuristic match: "(SyncEditing.InactiveWordsStyle.Font.Name" Heuristic match: "HorzRuler.Font.Name" Pattern match: "www.ieinspector.com/httpanalyzer/download/HttpAnalyzerFullV2.exe" Heuristic match: "TabFont.Name" Heuristic match: "PrintFont.Name" Pattern match: "hxxp://www.bsalsa.com/" Heuristic match: "PrintOptions.Margins.Top" Heuristic match: "iu verziu tohto programu.IS" Heuristic match: "jP.Ga" Pattern match: "hxxp://\0" Edited October 22, 2018 by koolholio
itman 1,806 Posted October 22, 2018 Posted October 22, 2018 Well, I tried to download IEInspector. The download is zipped. You can't extract it since the only .exe in archive, HttpAnalyzerStd_V7.6.4.exe, is password protected. I assume this is the installer.
koolholio 4 Posted October 22, 2018 Posted October 22, 2018 (edited) 12 minutes ago, itman said: Well, I tried to download IEInspector. The download is zipped. You can't extract it since the only .exe in archive, HttpAnalyzerStd_V7.6.4.exe, is password protected. I assume this is the installer. This is what their download page says, because it is being picked up as a virus, because a virus appears to be using it for HTTP data exfiltration... they also mention on their site about it being picked up as riskware by some "Attention, please!!! ZIP file's password is ieinspector" Edited October 22, 2018 by koolholio
itman 1,806 Posted October 22, 2018 Posted October 22, 2018 The question remains is just how the heck did IEInspector get installed on the posters PC's affected by this? I assume no one manually installed it.
itman 1,806 Posted October 22, 2018 Posted October 22, 2018 10 minutes ago, koolholio said: because it is being picked up as a virus, because a virus appears to be using it for HTTP data exfiltration With a silent installation option, I can see why this is the case.
koolholio 4 Posted October 22, 2018 Posted October 22, 2018 (edited) 13 minutes ago, itman said: The question remains is just how the heck did IEInspector get installed on the posters PC's affected by this? I assume no one manually installed it. Ahhh yes the one billion dollar question... the dll files are seemingly injected... appleversions.dll is loaded by the RB executable (YSLoaderW.exe when it was compiled by Apple)... still awaiting on the data.dll res108, because we know the res105 is supposedly a gif89a with a string of 'since when is pink a shade of gray' Appleversions.dll uses NDIS for networking and is capable of using a proxy setting... Edited October 22, 2018 by koolholio
itman 1,806 Posted October 22, 2018 Posted October 22, 2018 (edited) What I am wondering now is if IEInspector's web/update server is hacked. What the attacker is doing is silently installing the legit version of it to "fly under the AV radar" and then downloading the malicious crap as a product update? Edited October 22, 2018 by itman
koolholio 4 Posted October 22, 2018 Posted October 22, 2018 (edited) 9 minutes ago, itman said: What I am wondering now is if IEInspector's web server is hacked. What the attacker is doing is silently installing the legit version of it to "fly under the AV radar" and then loading the malicious as a product update? I wouldn't consider their server as hacked, I'd say the HTTP analyzer is probably just a tool for HTTP sniffing, I'd be more concerned about any apple devices connected to systems, given it is YSLoaderW with a malware looking appleversions.dll that masquerades as the Apple Push Service to redirect or intercept notifications presumably! luckily Apple is mainly based on Unix Edited October 22, 2018 by koolholio
koolholio 4 Posted October 22, 2018 Posted October 22, 2018 (edited) The malware creator must have been referencing this page: https://en.wikipedia.org/wiki/Shades_of_gray#Warm_grays with their 'since when is pink a shade of gray' comment encoded in ascii in resource105 of the data.dll For ESET malware labs: Here's an online disassembly of the resource108 of data.dll, some interesting asm code! although the start of the original file header starts off like a pcapng capture... but it isn't? (0�0� in ascii and 30 c3 in hex) wireshark picks up the translated ascii to hex format as GMTI format apparently: https://www.wireshark.org/docs/dfref/4/4607.html so I presume it's a native unknown Apple II file in a DLL resource https://onlinedisassembler.com/odaweb/BaIdHvWW (original copy of resource108 binary DLL resource, so it's not translated from ascii like resource105, although if you do manually convert it to hex first, it has more locations and operations and a few bad ones) Update: having researched the file headers, 0A stands for Unknown Apple II File. Interesting, a windows visual studio compiled .dll holding an apple II file in one of it's resources? can this get any weirder? Edited October 25, 2018 by koolholio updated link
itman 1,806 Posted October 22, 2018 Posted October 22, 2018 As far as the legit download of IEInspector, Eset has been detecting it as a PUA since ver. 9: http://www.herdprotect.com/httpanalyzerstd_v7.5.4.exe-4d15d14ae9dcbdbf4b23dfc4afc4569012d43138.aspx Another thing of note is the legit ver. of IEInspector installs itself in either the Program Files or Program Files x(86) directories which is not the case for this malware version. Also saw web evidence that the bogus versions appear to be using WoSign self-signed certificates.
koolholio 4 Posted October 23, 2018 Posted October 23, 2018 3 minutes ago, itman said: IEInspector installs itself in either the Program Files or Program Files x(86) directories which is not the case for this malware version. Also saw web evidence that the bogus versions appear to be using WoSign self-signed certificates. This is because it's the standalone version...
koolholio 4 Posted October 23, 2018 Posted October 23, 2018 (edited) Update for the appleversions.dll file, Microsoft declares it's been detected as Trojan:Win32/Occamy.C The malware sample in it's entirety is defined as Win32/Unwaders.C... more info: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=SoftwareBundler:Win32/Unwaders.C!ml&ThreatID=242858 It's also got a few other labels: https://www.virustotal.com/#/file/32255be2b4c25b5644d61f7de4b1b8d90c43c922fc52fc3b9f2d1c1fb3c47d9f/detection Edited October 23, 2018 by koolholio
itman 1,806 Posted October 23, 2018 Posted October 23, 2018 (edited) 6 hours ago, koolholio said: It's also got a few other labels: Well, it was a zipped archive containing among other things the infamous botupdate.exe. I also found a different variant of appleversions.dll at Hybrid-Analysis detected back in August: https://www.hybrid-analysis.com/sample/1ac9755f2da2773d62cabc944bc592f1456e1dd2d580aa175935ae6d4ca2ba65?environmentId=100 . Again, this one was of Russian origins or targeted at Russian and English speakers. Note that this version was run via rundll32.exe. So what does the legit version of appleversions.dll do? Quote Apple Software Support Version Check is part of the Apple Updater service that checks the current version of installed Apple products against the Apple servers to see if new updates are required. http://www.shouldiblockit.com/appleversions.dll-6c63dc384a15e2afd4a860031ef40267.aspx The common theme to date is a hacked Apple software installation. It would be most beneficial if anyone who has posted to date as being affected by blocked Eset communication detections, reply as to whether they had Apple software installed on their PCs. Edited October 23, 2018 by itman
koolholio 4 Posted October 23, 2018 Posted October 23, 2018 (edited) This malware contains a chinese version of appleversions.dll and russian data.dll according to the content headers in the dll files... Here is an example of what opening a dmp file can do... Updated... https://www.hybrid-analysis.com/sample/e65526f37759c56577550dd4d4fa5568a1167bbdaab90a37cd20f8965d639061/5bcf65e27ca3e16f1d2c9665 submitted a dump sample of botupdate.exe running in a reorganised memory space... hopefully disarmed the files by rearranging their memory space and making it use the system VC runtimes, seemingly botupdate.exe is a standalone, so must be called separately for HTTP data exfiltration. according to another process dump, the masquerading apple push service loads, by handle, appleversions.dll (also submitted a dump of that process) Edited October 23, 2018 by koolholio
itman 1,806 Posted October 23, 2018 Posted October 23, 2018 I am starting to suspect that this malware might be a result of a hacked bonjour64.msi installer download. This installer does create appleversions.dll among other things. For example, there is an older ver. of it on GitHub here: https://github.com/carlipa/public/blob/master/files/Bonjour64.msi . Who knows what its status is. The correct way to download bonjour64.msi is given here: https://brightsign.zendesk.com/hc/en-us/community/posts/115001316374-Where-to-get-BonJour-for-Windows-
koolholio 4 Posted October 23, 2018 Posted October 23, 2018 (edited) Yes it appears to be two of the numerous apple application support files, YSLoaderW and appleversions... the question is how did data.dll get there and who compiled it, because it's compiled in visual studio 2015 or newer and holds two resources: - ascii and seemingly an unknown Apple II file format Presumably they were planning on loading this Apple II file format (presumably an "app") onto attached apple devices still trying to figure out where it was getting list-cloud from... If anyone has the command line arguments for the scheduled task, it might hold some insight into how they operated this hacked together piece of malware Apple.com holds bonjour print services and other products that might also install apple application support Edited October 23, 2018 by koolholio
koolholio 4 Posted October 23, 2018 Posted October 23, 2018 (edited) More info about the vestacp hosts... https://www.welivesecurity.com/2018/10/18/new-linux-chachaddos-malware-distributed-servers-vestacp-installed/ Update about the unknown apple II file format, having downloaded an Apple II emulator from here: hxxp://kegs.sourceforge.net/ It cannot open the file... back to file analysis of resource108 of data.dll then... the hex output of resource 108 is the best i can do, the assembly isn't too shabby, whether it makes any sense at all is another matter, it does reference loc points quite a bit... https://onlinedisassembler.com/odaweb/1GviKcVU Edited October 24, 2018 by koolholio
itman 1,806 Posted October 24, 2018 Posted October 24, 2018 (edited) I have been thinking about this incident a bit. It appears to me we might be dealing with some state sponsored spyware, possibly Chinese based, here. Aside from remote connection activity, I don't believe anyone has found any malicious activity occurring to their devices based on the postings to date in this thread. Case in point: Downloads of Popular Apps Were Silently Swapped For Spyware in Turkey: Citizen Lab https://it.slashdot.org/story/18/03/09/1728209/downloads-of-popular-apps-were-silently-swapped-for-spyware-in-turkey-citizen-lab? Edited October 24, 2018 by itman
Most Valued Members Nightowl 206 Posted October 24, 2018 Most Valued Members Posted October 24, 2018 For anyone interested in what is the browser(website) doing in the background you can download an add-on called uMatrix, it's similiar to NoScript also HTTPSEverywhere does help and improve web browsing.
Recommended Posts