Win32/Potukorp (BlackMoon - Internet Bank Pharming)


Postby unixfreaxjp » Mon Mar 24, 2014 2:08 pm

I think I found a "suspected" Chinese bad actor who started an HFS web server to serve this Trojan on our network in Japan.
The user that got infected will run the localhost (127.0.0.1) proxy and hit the S. Korean bank URL.
A splendid scheme to provoke a war between JP & KR with this malware, so I feel I should make an analysis of it.
// IP extracted from binary:
27.114.98.151 standardchartered.co.kr equals www.standardchartered.com (Standard Chartered Bank)
27.114.98.151 www.standardchartered.co.kr equals www.standardchartered.com (Standard Chartered Bank)

Sadly, the crypto file used to decrypt is not downloadable, somehow, so I couldn't decrypt it,
but there is enough data in the forensics and behaviour test to make the right verdict.
The attempt to download the crypto file (which failed).. sigh..

Since there is no reference for this malware yet, I dared to open a new post here.

I fetched this hosts data with Volatility and compared it with the sandbox: perfect match..

I am sorry, I have no energy for writing (I am in hospital now), so I only made the Japanese analysis here: http://blog.0day.jp/2014/03/ocjp-126-kddidion.html
The sample is in VT here: https://www.virustotal.com/en/file/9b3e ... 395652253/

Samples and dropped data are attached. Please add your comments or thoughts; I don't have much reference on this now.
FYI: the malware server is still up and running, for the next 24 hours I suppose.
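A check for the hosts-file pharming described in this post, as an added example (not code from the thread, the analyst, or the sample): it parses a hosts file the way the Windows resolver does, flags every real hostname that is mapped anywhere other than the local machine, and lists which names a given IP fronts. The hosts content is constructed for the example from the two 27.114.98.151 lines above plus the stock Microsoft template header; `load_hosts()` and its default path are the usual Windows location and are there to run the same check on a live box.

```python
"""Hosts-file pharming check (added example, not code from the thread or the
sample). Parses a hosts file the way Windows does and flags hostnames that
are mapped to anything other than the local machine.

SAMPLE_HOSTS is constructed: the stock Microsoft template header plus the
two 27.114.98.151 lines quoted in the post.
"""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
27.114.98.151   standardchartered.co.kr
27.114.98.151   www.standardchartered.co.kr   # written by the dropper
"""

# Names that legitimately point at the local machine in a default hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping.

    A hosts line is: address, whitespace, one or more names, then an
    optional '# comment'. Lines with an unparsable address are skipped,
    which is also what the resolver does with them.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield addr, name.lower(), line_no


def find_pharming(text):
    """Return the mappings that send a real hostname off the local machine.

    Anything that is not loopback/unspecified and not a local alias is a
    redirect; on a workstation that is almost always pharming. Mappings to
    127.0.0.1 (site blocking, ad-block lists) are a different pattern and
    are left alone here.
    """
    hits = []
    for addr, name, line_no in parse_hosts(text):
        if name in LOCAL_NAMES or addr.is_loopback or addr.is_unspecified:
            continue
        hits.append({"line": line_no, "host": name, "ip": str(addr)})
    return hits


def redirected_to(text, ip):
    """All hostnames the file sends to one address: a single pharming server
    usually fronts many bank domains, as the sample's target list shows."""
    target = ipaddress.ip_address(ip)
    return sorted({name for addr, name, _ in parse_hosts(text) if addr == target})


def load_hosts(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Read a live hosts file; the default is the usual Windows location."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    for hit in find_pharming(SAMPLE_HOSTS):
        print("line %(line)d: %(host)s -> %(ip)s" % hit)
    print(redirected_to(SAMPLE_HOSTS, "27.114.98.151"))
```

On a compromised box, run `find_pharming(load_hosts())`; a memory image can be checked the same way by feeding in the hosts content recovered with Volatility, as the post does, and comparing the two result lists.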

Re: TrojanProxy:Win32/Potukorp.A

Postby Xylitol » Mon Mar 24, 2014 7:46 pm

ctldl.windowsupdate.com traffic usually comes from wuauclt.exe

Re: TrojanProxy:Win32/Potukorp.A

Postby unixfreaxjp » Tue Mar 25, 2014 2:23 am

Inspire me more, Xyli. :)) I couldn't decrypt this one.. hands up...

Re: TrojanProxy:Win32/Potukorp.A

Postby unixfreaxjp » Tue Mar 25, 2014 2:38 am

But wait, Xyli, look at this code in the binary of this trojan:
I'm 90% sure this function is responsible for executing the download..
To go further.. I hardly ever see wuauclt.exe MS downloads return a 404, no?

As I explained.. no decryption effort succeeded on my side.. sigh.. so I just can't say much,


Re: TrojanProxy:Win32/Potukorp.A

Postby EP_X0FF » Tue Mar 25, 2014 5:13 pm

Nothing interesting. Set a break on CreateProcess to catch the browser launch (hardcoded iexplore) and dump this piece of sh~~

ђ@Session Manager
SeDebugPrivilege CommonProgramFiles \
@9HLOB>>RQLRM ?JM
9   0LCQT>OB9*F@OLPLCQ94FKALTP9 ROOBKQ3BOPFLK9/RK9HLOB>>RQLRM
K   0LCQT>OB9*F@OLPLCQ94FKALTP9 ROOBKQ3BOPFLK9&KQBOKBQэ0BQQFKDP9!KP >@EB"K>?IBA
K   0LCQT>OB9*F@OLPLCQ94FKALTP9 ROOBKQ3BOPFLK9&KQBOKBQэ0BQQFKDP9!KP >@EB1FJBLRQ
M   0LCQT>OB9*F@OLPLCQ94FKALTP9 ROOBKQ3BOPFLK9&KQBOKBQэ0BQQFKDP90BOSBO&KCL1FJB,RQ
4   0LCQT>OB9*F@OLPLCQ9&KQBOKBQэ"UMILOBO9*>FK90Q>OQэ->DB
EQQM TTT K>SBO @LJ
€ГА\....\ \....\TemporaryFile \TemporaryFile ProgramFiles http://ssapong.mireene.kr/ssd.html
\Internet Explorer\iexplore.exe
#   EQQM RPBO NWLKB NN @LJ
# POST GET User-Agent:
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) http= https HTTP/1.1 Referer: Referer:
Referer:  Accept:
Accept: */* Accept-Language:
Accept-Language: zh-cn Content-Type:
Content-Type: application/x-www-form-urlencoded
Cookie:  Location: Set-Cookie ; Set-Cookie: ;
@" #ТэєЕ : / https:// http:// .
р?=deleted =
www.woridank.com
www.wooribank.com
www.standardchartered.co.kr
www.shinhan.com
www.scfiirstdank.com
www.nonghyup.com
www.naver.com
www.kfcc.co.kr
www.keb.co.kr
www.kbstar.com
www.ibk.co.kr
www.hanadank.com
www.hanacbs.com
www.hanabank.com
www.epostdank.go.kr
www.epostbank.kr
www.epostbank.go.kr
www.epostbank.co.kr
www.daum.net
u.wooribank.com
standardchartered.co.kr
shinhan.com
scfirstdank.com
scfirstbank.com
pib.wooribank.com
open.wooridank.com
open.wooribank.com
open.shinhan.com
open.scfirstdank.com
open.nonghyup.com
open.kfcc.co.kr
open.keb.co.kr
open.kbstar.com
open.ibk.co.kr
open.hanadank.com
open.hanabank.com
online.keb.co.kr
odank1.kdstar.com
odank.kdstar.com
obank1.kbstar.com
obank.kbstar.com
nonghyup.com
naver.com
mydank.ibk.go.kr
mybank.ibk.co.kr
kiup.ibk.co.kr
kfcc.co.kr
keb.co.kr
kbstar.com
ibz.nonghyup.com
ibs.kfcc.co.kr
ibk.co.kr
ib.scfirstbank.com
hanmail.net
hanabank.com
epostdank.go.kr
epostbank.go.kr
edank.keb.co.kr
ebank.keb.co.kr
daum.net
danking.sinhan.com
danking.nonghuyp.com
bizbank.shinhan.com
banking.shinhan.com
banking.nonghyup.com      
0601"*/,,1
90VPQBJ9AOFSBOP9BQ@9ELPQP
90VPQBJ9AOFSBOP9BQ@9ELPQP F@P
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
AYAgent.aye
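A decoder for the obfuscated strings in the dump above, as an added example (not code from the thread, from EP_X0FF, or from the sample). Three things can be checked directly against the dump text and the code relies on them: each readable-but-scrambled string is the plaintext with 0x23 subtracted from every byte (mod 256), which `find_shift()` derives from a crib rather than assumes; the single character before each such string ('9', 'K', 'M', '4') equals its length, which `length_prefix_matches()` uses to cross-check a decode; and plaintext bytes that fall below 0x20 after the shift (digits, '.', ':', '/', '%') were dropped by the strings tool, so the decoded hosts path reads `\System\drivers\etc\hosts` rather than `System32\...` and `0601"*/,,1` reads `SYSTEMROOT` without its `%` signs. One assumption is labelled in the code: that the dump was rendered as Windows-1251, so `э` stands for byte 0xFD, the encoded form of a space. The strings themselves are copied verbatim from the dump.

```python
"""Decoder for the shifted strings in the dump (added example, not code from
the thread or from the sample).

Checkable against the dump: every scrambled string is plaintext minus 0x23
per byte (mod 256); the character before each one is its length; bytes
that land below 0x20 after encoding were dropped by the strings tool.
ASSUMPTION: the dump was rendered as Windows-1251, so 'э' is byte 0xFD.
"""

SHIFT = 0x23  # derived by find_shift() below, not a guess


def shift_bytes(data, delta):
    """Add delta to every byte, wrapping at 256 (delta may be negative)."""
    return bytes((b + delta) & 0xFF for b in data)


def find_shift(encoded, crib):
    """Brute-force the additive constant: the first delta under which the
    crib appears in the decoded bytes, or None if no single shift works."""
    for delta in range(256):
        if crib in shift_bytes(encoded, delta):
            return delta
    return None


def dump_text_to_bytes(text):
    """Undo the forum's Windows-1251 rendering to recover the raw bytes
    (pure-ASCII strings are unaffected by this step). ASSUMPTION: cp1251."""
    return text.encode("cp1251")


def decode(dump_text, delta=SHIFT):
    return shift_bytes(dump_text_to_bytes(dump_text), delta).decode("latin-1")


def encode(plaintext, delta=SHIFT):
    """Inverse of decode(): what the sample stores for a given string."""
    return shift_bytes(plaintext.encode("latin-1"), -delta)


def length_prefix_matches(prefix_char, dump_text):
    """True if the one-character length prefix seen in the dump equals the
    number of bytes in the string that follows it."""
    return ord(prefix_char) == len(dump_text_to_bytes(dump_text))


# Copied verbatim from the dump, with the length character preceding each.
DUMP_STRINGS = [
    ("9", "0LCQT>OB9*F@OLPLCQ94FKALTP9 ROOBKQ3BOPFLK9/RK9HLOB>>RQLRM"),
    ("K", "0LCQT>OB9*F@OLPLCQ94FKALTP9 ROOBKQ3BOPFLK9&KQBOKBQэ0BQQFKDP9!KP >@EB\"K>?IBA"),
    ("M", "0LCQT>OB9*F@OLPLCQ94FKALTP9 ROOBKQ3BOPFLK9&KQBOKBQэ0BQQFKDP90BOSBO&KCL1FJB,RQ"),
    ("4", "0LCQT>OB9*F@OLPLCQ9&KQBOKBQэ\"UMILOBO9*>FK90Q>OQэ->DB"),
]
# Strings whose length byte is not visible in the dump (digits/'%' in the
# plaintext encode below 0x20 and were dropped, hence the missing "32"/"%").
EXTRA_STRINGS = ['0601"*/,,1', "90VPQBJ9AOFSBOP9BQ@9ELPQP"]


def decode_all():
    """Decode every string above; second element is the length-prefix check
    (None where the dump shows no length byte)."""
    out = [(decode(enc), length_prefix_matches(pfx, enc)) for pfx, enc in DUMP_STRINGS]
    out += [(decode(enc), None) for enc in EXTRA_STRINGS]
    return out


if __name__ == "__main__":
    delta = find_shift(dump_text_to_bytes(DUMP_STRINGS[0][1]), b"Software\\Microsoft")
    print("shift constant: 0x%02x" % delta)
    for text, ok in decode_all():
        print("%-7s %s" % ({True: "len-ok", False: "len-BAD", None: ""}[ok], text))
```

One caveat when reading the rest of the dump: in a string such as `EQQM TTT K>SBO @LJ` the single spaces are stand-ins for separator bytes the strings tool dropped, not real 0x20s, so running them through `decode()` yields a `C` (0x20 + 0x23) where `://` and `.` belong; read those by hand as `http://www.naver.com`. A genuine encoded space is the 0xFD (`э`) byte, as in `Internet Settings`.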

Re: TrojanProxy:Win32/Potukorp.A

Postby unixfreaxjp » Wed Mar 26, 2014 12:30 am

EP_X0FF wrote: Nothing interesting. Set a break on CreateProcess to catch the browser launch (hardcoded iexplore) and dump this piece of sh~~

Thank you! Great tips! Magic!!! I just NEVER understand windows operating system as well as you :)

Re: TrojanProxy:Win32/Potukorp.A

Postby unixfreaxjp » Wed Mar 26, 2014 12:34 am

If anyone can actually decrypt this binary, it will be very very VERY appreciated. It will help the additional effort of collecting cyber crime evidence.
With thanks in advance: this crook is aiming at Korean banks, and they can switch to any Asian banks in no time, so the threat is important to us; without mistake, the origin is China. I am on to their CNC tracing now.

Re: TrojanProxy:Win32/Potukorp.A

Postby EP_X0FF » Wed Mar 26, 2014 4:01 am

What exactly do you want to know about it?

All that it does:
replace the Windows hosts file with its own, thus redirecting a set of sites to the malware IP;
run an iexplore copy to access the malware site.

btw, everything is described in the PDF papers in the 360Tencent links.

Re: Win32/Potukorp (BlackMoon - Internet Bank Pharming)

Postby unixfreaxjp » Wed Mar 26, 2014 10:04 am

@EP_X0FF Thank you very much. The PDF and the link from @360Tencent is excellent!
I am asking the police to stop this actor using national network for this evil purpose.

