Trend Micro TrendLabs Malware Blog

Recently, Trend Micro published findings on a new campaign called EvilGrab that typically targets victims in Japan and China. This campaign is still active, and we have now acquired the builder used to generate its binaries.

    EvilGrab Builder In The Wild

What led us to the EvilGrab builder was an executable camouflaged as a Microsoft Word document, named 最新版本的请愿书-让我们一同为书记呐喊(请修改指正).doc.exe. The name is in Simplified Chinese and roughly translates to "The latest version of the petition - let us all speak up for the Secretary (please revise and correct).doc.exe". The .doc.exe double extension relies on Windows Explorer hiding known file extensions by default, so the file shows up as a .doc with a Word icon. (Its MD5 hash is b48c06ff59987c8a6c7bda3e1150bea1 and we detect it as BKDR_EVILOGE.SM.) It communicates with command-and-control servers at 203.186.75.184 and 182.54.177.4, located in Hong Kong and Japan respectively. It also installs itself to run at startup and makes several changes to the Windows registry. All of this is fairly typical for malware of this type.

    However, some of the added registry entries were of special relevance:

    HKEY_LOCAL_MACHINE\SOFTWARE\{AV vendor}\settings
    HKEY_LOCAL_MACHINE\SOFTWARE\{AV vendor}\environment

These registry entries appear to be part of an attempt to inject the malware into the processes of anti-virus products. It does not target just one engine: AVG, Trend Micro, Kaspersky, NOD32, Avast, Avira, and Symantec are all covered. Like the EvilGrab samples we previously discussed, this sample also performs the same checks for Tencent QQ, a popular Chinese instant messaging client.
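As an added example (not code from the original post or from Trend Micro), the following Python routine turns the three traits described above, the document-looking double extension, the known C&C addresses, and the writes under HKEY_LOCAL_MACHINE\SOFTWARE\{AV vendor}\settings or \environment, into a small triage check that can be run over host telemetry. The event records and the exact vendor key paths are constructed to illustrate the pattern; they are modelled on the placeholder keys quoted above, not copied from the sample.

```python
"""Added example (not from the original post): triage host events for the
EvilGrab traits described in the text.

The event records in SAMPLE_EVENTS are CONSTRUCTED to mimic Sysmon-style
output, and the registry paths are modelled on the
HKEY_LOCAL_MACHINE\\SOFTWARE\\{AV vendor}\\settings pattern quoted in the post;
they are not verbatim keys from the sample.
"""
import re
from typing import Dict, List, Optional

# Indicators taken from the post.
EVILGRAB_C2 = {"203.186.75.184", "182.54.177.4"}
AV_VENDORS = {"AVG", "Trend Micro", "Kaspersky", "NOD32", "Avast", "Avira", "Symantec"}

# A document-style extension immediately followed by an executable one
# (e.g. "report.doc.exe") is the disguise used by the sample.
DOUBLE_EXT = re.compile(
    r"\.(doc|docx|xls|xlsx|ppt|pptx|pdf|txt|jpg)\.(exe|scr|com|pif|bat|cmd)$",
    re.IGNORECASE,
)
# HKEY_LOCAL_MACHINE\SOFTWARE\<vendor>\settings or \environment, as in the post.
AV_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\(?P<vendor>[^\\]+)\\(settings|environment)$",
    re.IGNORECASE,
)


def deceptive_double_extension(path: str) -> bool:
    """True for names such as 'New.doc.exe' that rely on Explorer hiding the
    real (last) extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return DOUBLE_EXT.search(name) is not None


def av_config_key(key: str) -> Optional[str]:
    """Return the vendor name if `key` matches the <vendor>\\settings or
    <vendor>\\environment pattern for one of the AV products named in the
    post, else None."""
    m = AV_KEY.match(key)
    if not m:
        return None
    vendor = m.group("vendor")
    known = {v.lower() for v in AV_VENDORS}
    return vendor if vendor.lower() in known else None


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Walk a list of event dicts and return human-readable findings."""
    findings: List[str] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "file_create" and deceptive_double_extension(ev["path"]):
            findings.append(f"double-extension executable: {ev['path']}")
        elif kind == "net_connect" and ev["dst_ip"] in EVILGRAB_C2:
            findings.append(
                f"connection to known EvilGrab C2: {ev['dst_ip']}:{ev['dst_port']}"
            )
        elif kind == "reg_set":
            vendor = av_config_key(ev["key"])
            if vendor:
                findings.append(f"AV-targeting registry write ({vendor}): {ev['key']}")
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "file_create",
     "path": r"C:\Users\victim\Downloads\最新版本的请愿书-让我们一同为书记呐喊(请修改指正).doc.exe"},
    {"type": "file_create", "path": r"C:\Users\victim\Documents\budget.docx"},
    {"type": "net_connect", "dst_ip": "203.186.75.184", "dst_port": "443"},
    {"type": "net_connect", "dst_ip": "8.8.8.8", "dst_port": "53"},
    {"type": "reg_set", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Kaspersky\settings"},
    {"type": "reg_set",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The vendor match is deliberately restricted to the subkey names the post describes; a write to any other key under a vendor's hive (a legitimate product update, for instance) is not flagged, which keeps the check specific rather than noisy.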

While the malware itself is not particularly unusual, analyzing it led us to the builder used to generate these samples. The builder was found in the wild under the name Property4.exe.

Figure 1. EvilGrab builder (screenshot not reproduced)

The builder exposes several fields that the attacker can set, including:

    • Assign C&C server (either IP or domain name) with port and connection interval.
    • Choose a file icon (installation package icon, folder icon and document icon)
    • Delete itself
    • Keyboard logging
    • Key logging

    In addition, on the second tab of the builder, the attacker can choose which AV product they will attempt to bypass:


    Figure 2. Bypassed AV software

    Testing With The EvilGrab Builder

    At this point, we decided to test the functionality of the builder and compare the generated binary against the versions of EvilGrab we identified earlier.

    First, we fired the builder up and entered some basic settings for the test version of EvilGrab that would be generated.


    Figure 3. EvilGrab Builder

We selected the output icon to mimic a Microsoft Word document and named the file New.doc.exe, as seen in Figure 4. Note that the Microsoft Word document icon is reproduced accurately.

    Figure 4. EvilGrab test sample

In addition to the binary, the builder writes a configuration file containing the connection details.

    Figure 5. EvilGrab configuration file

We then analyzed the test binary we had just created. It showed the same functionality as the EvilGrab malware described in our original blog post, including the Tencent QQ checks. We also saw it inject its code into the legitimate svchost.exe process.

    Similarities

    Comparing the EvilGrab samples that were found in the wild with samples generated from the builder shows they are nearly identical in functionality.

The registry entries, for instance, are nearly identical. A quick sample of the registry edits shows the similarity between the two.


    Table 1. Edited Windows registry keys

Likewise, both samples have nearly identical import tables. Below is a sample of the imported functions.


    Table 2. Import functions
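The comparison in Tables 1 and 2 is a set comparison: which registry keys and which imports the in-the-wild sample and the builder-generated sample share, and which differ. As an added example (not code from the original post), the Python below does that comparison programmatically, normalizing registry paths (hive aliases, case, separators) and import names before scoring the overlap with the Jaccard index and listing the differences. The two feature sets are constructed for illustration; they are not the contents of the real tables, and the specific imports are only plausible choices for a sample that injects into svchost.exe and logs keystrokes.

```python
"""Added example (not from the original post): compare the registry keys and
import tables of two samples, as Tables 1 and 2 do, and score the overlap.

WILD_* and BUILT_* below are CONSTRUCTED feature sets used to demonstrate
the method; they are not the real tables from the post.
"""
from typing import Callable, Dict, Iterable, Set, Tuple

HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def normalize_reg_key(key: str) -> str:
    """Canonicalize hive aliases, separators and case so that cosmetic
    differences (HKLM vs HKEY_LOCAL_MACHINE, Software vs SOFTWARE) do not
    count as real ones."""
    key = key.replace("/", "\\").strip("\\")
    hive, _, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return f"{hive}\\{rest}".lower()


def normalize_import(entry: str) -> str:
    """'KERNEL32.dll!CreateRemoteThread' -> 'kernel32.dll!createremotethread'."""
    return entry.strip().lower()


def jaccard(a: Set[str], b: Set[str]) -> float:
    """|A ∩ B| / |A ∪ B|; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def compare(wild: Iterable[str], built: Iterable[str],
            norm: Callable[[str], str]) -> Tuple[float, Set[str], Set[str]]:
    """Return (similarity, only_in_wild, only_in_built) after normalization."""
    a = {norm(x) for x in wild}
    b = {norm(x) for x in built}
    return jaccard(a, b), a - b, b - a


# Constructed feature sets (not the real tables from the post).
WILD_IMPORTS = [
    "KERNEL32.dll!OpenProcess", "KERNEL32.dll!VirtualAllocEx",
    "KERNEL32.dll!WriteProcessMemory", "KERNEL32.dll!CreateRemoteThread",
    "USER32.dll!SetWindowsHookExA", "ADVAPI32.dll!RegSetValueExA",
    "WS2_32.dll!connect", "KERNEL32.dll!DeleteFileA",
]
BUILT_IMPORTS = [
    "kernel32.dll!OpenProcess", "kernel32.dll!VirtualAllocEx",
    "kernel32.dll!WriteProcessMemory", "kernel32.dll!CreateRemoteThread",
    "user32.dll!SetWindowsHookExA", "advapi32.dll!RegSetValueExA",
    "ws2_32.dll!connect", "kernel32.dll!GetTickCount",
]
WILD_REG = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Kaspersky\settings",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Kaspersky\environment",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]
BUILT_REG = [
    r"HKLM\SOFTWARE\Kaspersky\settings",
    r"HKLM\Software\Kaspersky\Environment",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]


def compare_samples() -> Dict[str, Tuple[float, Set[str], Set[str]]]:
    """Run both comparisons on the constructed data."""
    return {
        "imports": compare(WILD_IMPORTS, BUILT_IMPORTS, normalize_import),
        "registry": compare(WILD_REG, BUILT_REG, normalize_reg_key),
    }


if __name__ == "__main__":
    for name, (sim, only_wild, only_built) in compare_samples().items():
        print(f"{name}: similarity={sim:.2f}")
        print(f"  only in wild sample : {sorted(only_wild)}")
        print(f"  only in built sample: {sorted(only_built)}")
```

Normalizing before comparing matters: a builder that writes the same key through a different hive alias or with different casing still yields an identical registry footprint, and that is what an analyst wants to see when deciding whether a sample came from this builder. The leftover entries on either side are the ones worth a closer look.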

    Conclusion

We have been finding EvilGrab samples in the wild for some time now. With the builder in hand, however, we can develop stronger protections and continue to keep our customers protected against this malware family. It also lets us improve our threat intelligence on the actors who are using and developing it.

Further details on EvilGrab can be found in our previous report on targeted attacks, which also covered this family.





© Copyright 2013 Trend Micro Inc. All rights reserved.