Last week, in the previous part of this post, we went over the behavior of Control Panel (CPL) malware before the actual infection. In this second part, we go over what happens after the malware has reached a system. (Note: much of this analysis was carried out with Deep Discovery Advisor, so some of the screenshots will have been taken from this product.)
This particular CPL malware (detected as TROJ_BANLOAD.ZAA) appears to be targeted at Windows 7 users – specifically, those using the 32-bit version. How do we know this? Based on previous research, we know that CPL malware is frequently used as a downloader for other malware. We see this behavior in 32-bit Windows 7:
Figure 1. Behavior under 32-bit Windows 7
(Click above image to enlarge)
However, on other platforms (like 64-bit Windows 7), we do not see that behavior.
Figure 2. Behavior under 64-bit Windows 7
So, let’s look into what this malware does when it is run in its “right” target environment.
It accesses four URLs, two of which are non-malicious and Microsoft-related. One is the Compatibility View list for Internet Explorer 9; the other is the browser icon (favicon.ico) for Bing. Two are potentially malicious, with Deep Discovery Advisor flagging one as malicious.
Figure 3. URLs accessed by CPL malware
Let’s look at the first potentially malicious domain. It is a .com domain; the WHOIS records also identify a Spanish man as both the registrant and the technical contact for the domain. It was first registered in 2010.
All this site does is return a simple text string: “NTFD!”. It’s possible that this may be used for command-and-control, although no definitive evidence either way is present. However, by itself, there’s nothing here that indicates malicious behavior, so it is not flagged as such.
The other domain is more interesting. It appears that it is a compromised site belonging to an Israeli company – the domain is under the .co.il top-level domain, it is hosted in Israel, and the content clearly belongs to the company as well.
However, the malware downloaded an executable file directly from this server. While it has a different name – 07-03.exe.exe instead of morph.exe – it has the same hash as the dropped file identified earlier. The file name itself is also intriguing, as if read in a day-month format , it reads “March 7”, which was just days before I actually analyzed this particular attack.
Once on the system, this particular malware drops multiple copies of itself and proceeds to carry out its information theft routines.
Figure 4. Analysis of payload
(Click above image to enlarge)
From there, the usual information theft routines as discussed in our earlier research proceed, targeting the user’s personal information, as outlined in the threat diagram below. We detect this malware as TSPY_BANKER.ZAA.
Figure 5. CPL malware threat diagram
Detection and Prevention
By providing details on how this attack was able to reach user systems, we hope that this can help others from becoming victims of this threat. Our previous research has indicated that Internet users in Brazil are the most common victims of CPL malware, and that has not changed here.
Beyond common best practices, this incident allows us to see some possible defenses against attacks like these. For emails, checking the sender IP address is already standard behavior. However, defenses and policies against attachments should be considered – these should be scanned for malicious content, and some potentially risky tile types can be blocked.
As for the potentially malicious URLs, it may be worth considering to block the download of executable files. In this particular case, doing so would have prevented the download of the main payload by the initial CPL downloader. Failing that, endpoint software should be in place to check the reputation of any downloaded files.
Trend Micro solutions protect against all aspect of this attack, as well as other similar incidents using CPL malware.