    Recently, we have observed a new backdoor family which we’ve called BLYPT. The name comes from its use of binary large objects (blobs) stored in the registry, together with encryption. Currently, this backdoor is installed using Java exploits; either drive-by downloads or compromised web sites may be used to deliver these exploits to user systems. Our research shows that the servers behind these attacks are mainly centered in Romania and Turkey.

    Currently, this threat primarily hits users in the United States, and consumers (as opposed to businesses) appear to be the most affected.

    Arrival and Installation

    In one case, we found a Java exploit that was used to spread this attack. This particular exploit, detected as JAVA_EXPLOYT.HI, can be used to run arbitrary code. It targets CVE-2013-1493, a vulnerability that has been exploited in the wild since February 2013 and was patched in March of that year.

    The exploit is used to download an installer (saved as ~tmp{random values}.tmp), which is responsible for downloading and installing the main BLYPT component onto the affected system. It is named logo32.png or logo64.png, depending on whether the user is running a 32-bit or 64-bit version of Windows, respectively. The installer attempts to connect to three servers every 3 seconds, until it successfully downloads the backdoor component. If it fails, it will retry up to 32 times before it gives up.

    We have identified two BLYPT variants, which can be told apart by the file name used to save the main BLYPT component. In both cases, they are saved in the %App Data%\Microsoft\Crypto\RSA directory. One variant is saved as NTCRYPT{random values}.TPL; the second variant is saved as CERTV{random values}.TPL. Both variants have 32- and 64-bit versions, and their behavior is mostly identical. (We detect these variants as BKDR_BLYPT.A, BKDR_BLYPT.B and BKDR64_BLYPT.B.)

    Figure 1. Infection diagram for BKDR_BLYPT

    One difference between the two is where their C&C server information is stored. The NTCRYPT{random values}.TPL variants do not actually contain any C&C information on their own; the installer instead saves C&C information in the registry that the BLYPT backdoor uses. The CERTV{random values}.TPL variants have their C&C server information embedded in the file itself. In both cases, the C&C information is stored in the registry under the HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\5A82739996ED9EBA18F1BBCDCCA62D2C1D670C\Blob key.

    While the C&C server information is stored in the same key, their formatting is different. For the first variant, once decoded, the information is in plain text and in the following format:

    <ip1>#:<port1>#:#:<server page1>#;<ip2>#:<port2>#:#:<server page2>#;<ipN>#:<portN>#:#:<server pageN>#;

    The second variant stores its information in binary format, and once decoded has the following format:

    /* one C&C record as stored by the second variant, once decoded */
    typedef struct
    {
        DWORD ip;      /* IPv4 address */
        WORD  port;    /* TCP port */
    } cncServer;

    cncServer cncList[];   /* records follow one another back to back */

    Raw Data Format Example:
    <(DWORD)ip1><(WORD)port1><(DWORD)ip2><(WORD)port2><(DWORD)ipN><(WORD)portN>

    Both variants encrypt their information using Alleged RC4 (ARC4), with the string “http://microsoft.com” as the key.
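As an added example (not code from the post or from the malware), the following decodes both configuration layouts described above: RC4 with the quoted key, then either the `#:`/`#;` text records or the packed `{DWORD ip; WORD port;}` records. The sample blobs are constructed here; the byte order of the binary records (in_addr order for the address, host-order WORD for the port) is an assumption, since the post does not state it.

```python
import struct

RC4_KEY = b"http://microsoft.com"  # key quoted in the post


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (ARC4); it is symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_text_config(blob: bytes) -> list:
    """Variant 1 (NTCRYPT*.TPL): '<ip>#:<port>#:#:<page>#;' records after RC4."""
    text = rc4(RC4_KEY, blob).decode("ascii", errors="replace")
    servers = []
    for rec in text.split("#;"):
        if rec:  # the trailing '#;' leaves an empty tail
            ip, port, _, page = rec.split("#:")
            servers.append((ip, int(port), page))
    return servers


def parse_binary_config(blob: bytes) -> list:
    """Variant 2 (CERTV*.TPL): packed {DWORD ip; WORD port;} records, 6 bytes each.
    Assumption (not in the post): ip bytes in in_addr order, port a host-order WORD."""
    raw = rc4(RC4_KEY, blob)
    servers = []
    for off in range(0, len(raw) - 5, 6):  # ignore any partial trailing record
        ip = ".".join(str(b) for b in raw[off:off + 4])
        (port,) = struct.unpack_from("<H", raw, off + 4)
        servers.append((ip, port))
    return servers


# Constructed sample blobs (not real BLYPT data), encrypted with the same key so the
# decode path runs end to end.
SAMPLE_TEXT = rc4(RC4_KEY, b"192.0.2.10#:8080#:#:/index.aspx#;198.51.100.7#:443#:#:/a.aspx#;")
SAMPLE_BIN = rc4(RC4_KEY, bytes([192, 0, 2, 10]) + struct.pack("<H", 8080)
                 + bytes([198, 51, 100, 7]) + struct.pack("<H", 443))
```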

    One more note about the installer: it provides instant feedback on the status of the install by accessing a URL on the malicious server, which actually serves as a status report. The URL would be: http://{malicious server}/index.aspx?info=<status keyword>. The status keyword can be any of the following:

    • startupkey_%d where %d = RegCreateKeyW return
    • reuse
    • configkey_%d where %d = RegCreateKeyA return
    • configkeyvalue_%d where %d = RegSetValueExA return
    • tserror_4_%d where %d = GetLastError from call to connect
    • createproc_%d where %d = GetLastError from call to CreateProcessW
    • reusereboot_%d_%d_%d
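The status-report URL and keyword list above make a usable proxy-log check. The following is an added example, not part of the post: it matches `/index.aspx?info=<keyword>[_<n>...]` against a constructed `<timestamp> <client> <url>` log format, with placeholder host names.

```python
import re

# Status-report URL from the post: /index.aspx?info=<keyword>, where the keyword is one
# of the fixed prefixes below, optionally followed by one or more "_<number>" fields.
# Longer alternatives are listed first so "configkeyvalue" is not cut to "configkey".
STATUS_RE = re.compile(
    r"/index\.aspx\?info="
    r"(?P<kw>startupkey|reusereboot|reuse|configkeyvalue|configkey|tserror_4|createproc)"
    r"(?P<args>(?:_-?\d+)*)(?=$|[&#\s])"
)


def match_blypt_status(url: str):
    """Return (keyword, [numeric fields]) if url is a BLYPT install status report, else None."""
    m = STATUS_RE.search(url)
    if m is None:
        return None
    args = [int(x) for x in m.group("args").split("_") if x]
    return m.group("kw"), args


def scan_proxy_log(lines):
    """Scan '<timestamp> <client> <url>' lines (constructed format) and return beacons found."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        found = match_blypt_status(parts[2])
        if found is not None:
            hits.append((parts[0], parts[1], found[0], found[1]))
    return hits


# Constructed log lines (not real traffic); the server names are placeholders.
SAMPLE_LOG = [
    "1380000000.101 10.0.0.5 http://malicious-server.example/index.aspx?info=startupkey_0",
    "1380000000.204 10.0.0.5 http://malicious-server.example/index.aspx?info=configkeyvalue_5",
    "1380000000.305 10.0.0.5 http://malicious-server.example/index.aspx?info=reusereboot_1_0_2",
    "1380000001.001 10.0.0.8 http://intranet.example/index.aspx?info=quarterly",
    "1380000002.007 10.0.0.9 http://cdn.example/logo32.png",
]
```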

    C&C Server Attribution

    By decoding the configuration files used by this malware, we were able to determine the distribution of the C&C servers used by this threat, as seen in the chart below:

    Figure 2. Location of BLYPT C&C Servers

    Other Behavior

    In addition to the C&C info mentioned earlier, BLYPT stores other information in the registry in the form of embedded “blobs”. These are as follows:

    Table 1. Blobs used by BLYPT

    As a backdoor, BLYPT also allows an attacker to send commands to an affected system. Among the commands that can be executed are:

    • Receive updated DLL binary
    • Receive updated configuration
    • Receive HTTP request commands, such as:
      • Send GET request to http://103.31.186.19:1000/FetchIP.aspx to retrieve public IP of affected machine

    Trend Micro Smart Protection Network protects users from this threat by blocking the related sites and detecting the malware. In addition, Deep Discovery protects users by detecting the downloaded files from the malicious C&C servers, while Deep Security covers the related vulnerability via DPI rule 1005410 – Oracle Java Runtime Environment Remote Code Execution Vulnerability (CVE-2013-1493).

    With additional information from Darin Dutcher and Jayronn Christian Bucu. 

    Update as of September 26, 2013

    The SHA1 hashes of the BLYPT samples are:



    • Paul

      Could you share a list of IoC’s (MD5, full URL), please?
      Thanks!



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice