Back to some old material, due to a 'recent' compromise of off-sho.re servers and the circulation among AVs of Cyberbunker sinkhole logs. (The Alina connections were especially interesting, but that is not the topic here.)
Do you remember Dexter? Nah, not the TV series, but the PoS malware.
In our case the systems infected by Dexter are varied (gas stations, pawn shops, logistics, luxury shops, doctors, clinics, pharma, labs, etc.).
This malware was coded by a guy known as 'dice' (he posted an advert on Darkode around November 2012 if I remember correctly, but he asked an admin to remove the thread, so it is no longer available).
Visa USA released an alert one month later.
Sample that came from the compromised server:
Create a mutex:
WriteProcessMemory into Internet Explorer with the content of the exe:
I patched the executable by taking some jumps it would not have taken at the beginning, to make it think we are in IE and see what happens.
Create a subkey 'HelperSolutions Software':
Do a RegCreateKey/RegSetValue/RegCloseKey with 'digit' as the registry entry and 'cc98afca-1a04-4c5d-80cf-1cc78244b63e' as the value (in my case):
Create registry persistence as 'Sun Java Security Plugin':
Do the same but this time in HKCU:
Create another registry entry but this time:
with 'LowRiskFileTypes' as the entry and '.exe;.bat;.reg;.vbs;' as the value.
The Attachment Manager in Windows can help protect your computer from unsafe attachments that you might receive with an e-mail message and from unsafe files that you might save from the Internet.
Edit a value at HKCU: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Registry entry '1806' with '0' as the value.
The value can be zero, one, or three; typically, a setting of zero marks the specific action as permitted, a setting of one causes a prompt to appear, and a setting of three prohibits the specific action.
Do the same operation but in HKLM this time:
The file initialises a thread:
Create a DLL 'SecureDll.dll' from the extracted resource, with the Hidden attribute:
'val1' with the value 'C:\Documents and Settings\Administrateur\Bureau\strokes.log'
Create a second reg key at Software\HelperSolutions Software:
'val2' with the value 'C:\Documents and Settings\Administrateur\Bureau\tmp.log'
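As an added example (not from the original post and not the malware's own code), here is a Python script that parses a `reg export` dump and flags the registry artifacts described above: the HelperSolutions Software values, the 'Sun Java Security Plugin' Run entry, the LowRiskFileTypes list and the zone 0 '1806' setting. The sample dump is constructed, the Run command path is a placeholder, and the Policies\Associations location of LowRiskFileTypes is assumed.

```python
import re

# Constructed `reg export`-style fragment reproducing the artifacts from the post;
# the Run command path is a placeholder, the Associations key is an assumption.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\HelperSolutions Software]
"digit"="cc98afca-1a04-4c5d-80cf-1cc78244b63e"
"val1"="C:\\Documents and Settings\\Administrateur\\Bureau\\strokes.log"
"val2"="C:\\Documents and Settings\\Administrateur\\Bureau\\tmp.log"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sun Java Security Plugin"="C:\\PLACEHOLDER\\dropped.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe;.bat;.reg;.vbs;"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1806"=dword:00000000
'''

VALUE_RE = re.compile(r'"(.+?)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Parse a reg export into {key_path: {value_name_lower: data}} (REG_SZ and REG_DWORD only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]          # new key header
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                name, s, dw = m.groups()   # .reg escapes backslashes as \\
                keys[current][name.lower()] = int(dw, 16) if dw else s.replace('\\\\', '\\')
    return keys

def dexter_indicators(keys):
    """Return (key, value_name, reason) triples for the registry artifacts described in the post."""
    hits = []
    for key, vals in keys.items():
        k = key.lower()                    # match under either HKLM or HKCU
        if k.endswith('\\helpersolutions software'):
            hits += [(key, v, 'Dexter config value') for v in ('digit', 'val1', 'val2') if v in vals]
        if k.endswith('\\currentversion\\run') and 'sun java security plugin' in vals:
            hits.append((key, 'Sun Java Security Plugin', 'Dexter Run persistence'))
        if '.exe' in str(vals.get('lowriskfiletypes', '')):
            hits.append((key, 'LowRiskFileTypes', 'Attachment Manager warnings suppressed for .exe'))
        if k.endswith('\\internet settings\\zones\\0') and vals.get('1806') == 0:
            hits.append((key, '1806', 'Zone 0: launching applications and unsafe files permitted'))
    return hits
```

To run it against a real host, feed it the output of `reg export HKCU hkcu.reg` (read with encoding='utf-16', which is what reg export writes) instead of SAMPLE_REG.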
Hook the keyboard:
Okay... let's have a look at what this SecureDll.dll does; it seems it's not that secure.
Look for the previous registry entries:
val1 and val2.
Look for some specific processes running on the system:
wmiprvse.exe (Microsoft Windows Management Instrumentation)
LogonUI.exe (Windows LogOn User Interface)
svchost.exe (Service Host Process)
iexplore.exe (Internet Explorer)
explorer.exe (generic Windows process)
System (Internal Windows system process)
smss.exe (Session Management Subsystem)
csrss.exe (Client/Server Runtime Subsystem)
winlogon.exe (Windows LogOn Process)
lsass.exe (Local Security Authority Subsystem Service)
spoolsv.exe (Printer Spooler Service)
alg.exe (Application Layer Gateway)
wuauclt.exe (Windows Update client for WindowsME)
devenv.exe (Microsoft Visual Studio)
Then it starts to open processes and look for track1/2/3 data.
The first thread just does a new scan of processes.
The second thread makes sure everything is OK with the registry key 'Run'.
The third does a loop.
The fourth detects if the PC is going to shut down (I haven't looked, but DetectShutdownClass seems explicit enough).
Then it enters a procedure to call home:
Get the computer name:
Retrieve the string used to identify the machine, which was stored in the registry:
Open strokes.log and read it:
And delete tmp.log:
Take our HWID and enter the routine that encodes it:
From the original source code:
The C&C domain and gate path are passed via pointers because of the Internet Explorer injection.
After calling the gateway, Dexter sleeps for 600000 ms (10 mins):
Now about the C&C responses, I noticed these actions:
I haven't looked into how the following commands work; Josh Grunzweig of SpiderLabs already explained them.
So... enough boring reversing info, let's have a look at the panel now.
Like Alina, Dexter uses colour codes: dead bots appear in red and recently dead bots in blue:
Dumps (stolen credit cards):
Keylogger logs (here, it seems to be a UPS dispatch center, or something like that):
Process viewer (not working):
Another, smaller Dexter panel:
I also found an older version of Dexter; I thought it was Alina at first, but nope, Dexter v1:
Process list (this time it works):
Dexter 'v2' C&C structure:
Get track type function: