Recently, Trend Micro published findings on a new campaign called EvilGrab that typically targets victims in Japan and China. This campaign is still attacking users, and we have now acquired a builder being used to create binaries of this campaign.
EvilGrab Builder In The Wild
What led us to the builder for EvilGrab was a binary file camouflaged as a Microsoft Word file named 最新版本的请愿书-让我们一同为书记呐喊（请修改指正).doc.exe. This is in Simplified Chinese, and roughly translates to The latest version of the petition-let us cry along with Secretary (Please correct the corrections). doc.exe. (Its MD5 hash is b48c06ff59987c8a6c7bda3e1150bea1 and we detect it as BKDR_EVILOGE.SM.) It communicates with command-and-control servers (188.8.131.52 and 184.108.40.206) located in Hong Kong and Japan. It also installs copies of itself to run at startup and makes several changes to the Windows registry. All of this is fairly typical for malware of this type.
However, some of the added registry entries were of special relevance:
These registry entries appear to be an attempt to inject the malware into the processes of anti-virus products. It does not target just one anti-virus engine; AVG, Trend Micro, Kaspersky, NOD32, Avast, Avira, and Symantec are all affected. Like the EvilGrab samples we previously discussed, this malware also checks for Tencent QQ, a popular Chinese instant messaging system.
While the malware in and of itself is not particularly unusual, analyzing it did lead us to find a builder being used to generate these pieces of malware. The builder was identified in the wild and named Property4.exe.
We can see several fields that the attacker can enter in the builder. Some of the fields include:
- Assign C&C server (either IP or domain name) with port and connection interval
- Choose a file icon (installation package icon, folder icon and document icon)
- Delete itself
- Keyboard logging
- Key logging
In addition, on the second tab of the builder, the attacker can choose which AV product they will attempt to bypass:
Figure 2. Bypassed AV software
Testing With The EvilGrab Builder
At this point, we decided to test the functionality of the builder and compare the generated binary against the versions of EvilGrab we identified earlier.
First, we fired the builder up and entered some basic settings for the test version of EvilGrab that would be generated.
Figure 3. EvilGrab Builder
We selected the output icon to mimic a Microsoft Word document titled New.doc.exe, as seen here. Note that the Microsoft Word document icon is accurately portrayed.
Figure 4. EvilGrab test sample
In addition to the created binary, a configuration file was dropped containing the connection details.
Figure 5. EvilGrab configuration file
We then analyzed the test binary we had just created. We saw the same functionality demonstrated by the EvilGrab malware identified in our original blog post, including the Tencent QQ checks. We also saw that it injects its code into the legitimate svchost.exe process.
Comparing the EvilGrab samples that were found in the wild with samples generated from the builder shows they are nearly identical in functionality.
The registry entries, for instance, are nearly identical. A quick sample of the registry edits shows the similarity between the samples.
Table 1. Edited Windows registry keys
Likewise, both samples have nearly identical import functions. Below is a sample of some of the imported functions.
Table 2. Import functions
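The comparison described above, registry edits and imported functions from an in-the-wild sample set against those from a builder-generated sample, lends itself to a simple set-based similarity check. The script below is an added example and is not Trend Micro's tooling or output; the API names, registry paths and sample names in it are constructed for illustration and are not taken from the real EvilGrab samples. It normalizes registry paths (hive aliases, separators, case) so that cosmetic differences between two tools' output do not mask a match, then reports a Jaccard similarity and the artifacts unique to each sample.

```python
"""Compare two malware samples' collected artifacts by set similarity.

Added example. All sample data below is CONSTRUCTED for illustration and does
not reproduce the real EvilGrab import table or registry modifications.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Long hive names and their short forms, so both spellings compare equal.
HIVE_ALIASES = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_USERS": "HKU",
    "HKEY_CLASSES_ROOT": "HKCR",
}


@dataclass
class SampleProfile:
    """Artifacts collected for one sample: imported APIs and registry keys touched."""
    name: str
    imports: set[str] = field(default_factory=set)
    registry_keys: set[str] = field(default_factory=set)


def normalize_key(key: str) -> str:
    """Canonicalise a registry path: unify separators, expand the hive alias,
    and casefold (registry key names are case-insensitive on Windows)."""
    parts = [p for p in key.replace("/", "\\").split("\\") if p]
    if not parts:
        return ""
    parts[0] = HIVE_ALIASES.get(parts[0].upper(), parts[0].upper())
    return "\\".join(parts).casefold()


def jaccard(a: set[str], b: set[str]) -> float:
    """Jaccard similarity |A∩B| / |A∪B|; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def compare_profiles(a: SampleProfile, b: SampleProfile) -> dict:
    """Return similarity scores plus the artifacts unique to each sample."""
    ra = {normalize_key(k) for k in a.registry_keys}
    rb = {normalize_key(k) for k in b.registry_keys}
    return {
        "import_similarity": jaccard(a.imports, b.imports),
        "imports_only_in_a": sorted(a.imports - b.imports),
        "imports_only_in_b": sorted(b.imports - a.imports),
        "registry_similarity": jaccard(ra, rb),
        "registry_only_in_a": sorted(ra - rb),
        "registry_only_in_b": sorted(rb - ra),
    }


def build_constructed_profiles() -> tuple[SampleProfile, SampleProfile]:
    """CONSTRUCTED sample data: a 'wild' profile and a 'builder' profile that
    differ in one import and one registry key, with cosmetic path differences."""
    common_imports = {
        "kernel32.dll!OpenProcess",
        "kernel32.dll!VirtualAllocEx",
        "kernel32.dll!WriteProcessMemory",
        "kernel32.dll!CreateRemoteThread",
        "advapi32.dll!RegSetValueExA",
        "ws2_32.dll!connect",
        "user32.dll!GetAsyncKeyState",
    }
    wild = SampleProfile(
        name="wild_sample (constructed)",
        imports=set(common_imports),
        registry_keys={
            "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SampleEntry",
            "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SampleEntry",
            "HKCU\\Software\\SampleConfig\\Server",
        },
    )
    built = SampleProfile(
        name="builder_sample (constructed)",
        imports=common_imports | {"kernel32.dll!GetTickCount"},
        registry_keys={
            # Same keys as above written with a long hive name and forward slashes.
            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SampleEntry",
            "HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/SampleEntry",
            "HKCU\\Software\\SampleConfig\\Server",
            "HKCU\\Software\\SampleConfig\\Interval",
        },
    )
    return wild, built


def main() -> None:
    wild, built = build_constructed_profiles()
    report = compare_profiles(wild, built)
    print(f"{wild.name} vs {built.name}")
    for key, value in report.items():
        print(f"  {key}: {value}")


if __name__ == "__main__":
    main()
```

Jaccard on raw strings is deliberately strict: the keys only match after `normalize_key`, which is why the registry score in the constructed data comes out at 0.75 rather than near zero. Swapping in a fuzzier measure (for example, comparing only the key path without the value name) is a one-line change in `compare_profiles`.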
We’ve found multiple samples of EvilGrab in the wild for some time now. However, with the builder available, we can develop stronger forms of protection and continue to keep our customers protected against this malware family. It also allows us to improve our threat intelligence on the actors that are using and developing it.
Some of the information we previously disclosed about EvilGrab may be found in our earlier report on targeted attacks, which also covered this malware family.