Tuesday, 6 August 2013

Point-of-Sale Malware: Infostealer.Dexter

Haven't posted since a while so let's do something...
Back on some old material, due to a 'recent' compromission of off-sho.re servers, and the circulation between AVs of Cyberbunker sinkholes logs. (Especially the Alina connections was interesting, but that not the topic)
Did you remember Dexter ? nah not the TV Series, but the PoS Malware.
Systems infected by Dexter are various in our case (gas stations, pawn shops, logistics, luxury shops, doctors, clinics, pharma, labs,  etc...)
This malware was coded by a guys know as 'dice' (there was an advert on Darkode made by him around November 2012 if i remember, but he requested an admin to remove the thread so it's not anymore available)
Visa USA have released an alert one month after.

 Sample who come from the compromised server:
Let's see so, i will avoid you the Visual Basic 6 unpacking step, if you want the hashs.
Original: bb0b17c2f66a868cf1e8a46626366a32
Depack: e74593552b66a4638b80a4fbf2fb7438

Create a mutex:

Determine if we are under x64:

Creat a suspended process of IE:

Copy the EXE in memory:

WriteProcess Memory on Internet Explorer with the content of the exe:

Then he a do a CreateRemoteThread on IE and ExitThread on this process.
 Ok, what's happend with the injected IE ?

I've patched the executable by taking some jumps he have not took at the begining to make it think we are in IE and see what's happend.

Create a subkey 'HelperSolutions Software':

Create a folder %APPDATA%/Java Security Plugin then CopyFile and do a DeleteFile on the original exe.

Do a RegCreateKey/RegSetValue/RegCloseKey with 'digit' as registry entry and 'cc98afca-1a04-4c5d-80cf-1cc78244b63e' as value for me.

Create a registry persistance 'Sun Java Security Plugin':

Do the same but this time in HKCU:

Create another registry entry but this time:
HKCU Software\Microsoft\Windows\CurrentVersion\Policies\Associations
With 'LowRiskFileTypes' and '.exe;.bat;.reg;.vbs;' as value
The 'Policies\Associations' subkey lets you manage the default risk level for file attachments (Low-risk/Medium-risk/High-risk file types)
The attachment manager in windows can help protect your computer from unsafe attachments that you might receive with an e-mail message and from unsafe files that you might save from the Internet.

Edit a value at HKCU: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Registry entry '1806' and '0' as value
'1806' is the registry entry about launching applications and unsafe files in internet explorer.
The value can be zero, one, or three, typically, a setting of zero sets a specific action as permitted, a setting of one causes a prompt to appear and a setting of three prohibits the specific action.

Do the same operation but in HKLM this time:

The file initialyse a thread:

Extract a ressource:

Create a DLL 'SecureDll.dll' with the extracted ressource and attribute Hidden:

Load the dll:

Create a path:

Create a reg key at Software\HelperSolutions Software
'val1' and with value 'C:\Documents and Settings\Administrateur\Bureau\strokes.log'

Create a second reg key at Software\HelperSolutions Software
 'val2' and with value 'C:\Documents and Settings\Administrateur\Bureau\tmp.log'

Hook the keyboard:
 Refer to the MSDN for explanation:

Okay... let's have a look on what's this SecureDll.dll do, seem it's not that secure.
Look for previous reg key:

 val1 and val2.

Look for some specific process who run on the system:
 Here is a list:
wmiprvse.exe (Microsoft Windows Management Instrumentation)
LogonUI.exe (Windows LogOn User Interface)
svchost.exe (Service Host Process)
iexplore.exe (Internet Explorer)
explorer.exe (generic Windows process)
System (Internal Windows system process)
smss.exe (Session Management Subsystem)
csrss.exe (Client/Server Runtime Subsystem)
winlogon.exe (Windows LogOn Process)
lsass.exe Local (Security Authority Subsystem Service)
spoolsv.exe (Printer Spooler Service)
alg.exe (Application Layer Gateway)
wuauclt.exe (Windows Update client for WindowsME)
firefox.exe
chrome.exe
devenv.exe (Microsoft Visual Studio)

Then he start to open process and look for track1/2/3

And when finaly something is detected:

 Make it as string:

After looking at all process he will create some threads:

The first will just do a new scan of process.
Second thread make sure everything is ok with the registry key 'run'
Tree do a loop
4 detect if the pc will got shutdown (i've not looked but DetectShutdownClass seem enought explicit)

Then he start to enter in a procedure to call home:

Get user name:

Get the computer name:

Get the OS version:

Architecture:

Retrieve the string used to identify the machine who was stored on the registry database
(cc98afca-1a04-4c5d-80cf-1cc78244b63e)
Open strokes.log and read it

Then Delete it:

Read the content of tmp.log:

Enter in a decode routine:

Create a file Debug.log:

Write it:

And delete tmp.log:

Take our hwid and enter on the routine to code it:

Then he will do that again but with the process name he grabbed tracks info, take also pc infos etc...

From the original source code:
At the end we have a huge strings like:
page=RUUZTk9FSURRTk1OHVFIGBhJUUQYRUpRSkQaTUwYSUhNTx0f&ump=ACgZHREqFRkLGQ4jLxkOChUfGVIZBBlGR0hNTU1NTU1NTU1NTU1NTU1BTU9MS01MTUxMTExMTExMTExKSkpDWT5ITU1NTU1NTU1NTU1NTU1NIiQlMDU+MyRTMD0+L1wxLiJNT0xLTUxNTExMTExMTExMTExMTExMTExMTExKSkpMTE
C&C domain and gate path are given via pointers due to the internet explorer injection.

After having called the gateway, then Dexter do a 600000 ms sleep (10 mins):

And do the shit again, then re-call home each 10 mins.

Now about the C&C responses, i noticed these actions
update-
chekin:
scanin:
unistall
download-

I've not searched how works the following commands, Josh Grunzweig of SpiderLabs already explained it.
So... enough boring reversing infos, let's have a look on the panel now.

Login:

Dashboard:
More than 3000 bots, most of them are commercial machines.

Like Alina, Dexter use colors code, dead bots appear in red and recent dead bots in blue:

Dumps (stolen credit cards):

Keylogger logs (here, that seem to be a UPS dispatch center, or something like this):

Process viewer (not working):

Another but small Dexter panel:

I've found also an older version of Dexter, i thought it was Alina at first but nope, Dexter v1:

Dashboard:

Dumps:

Bots:

Process list (this time it work):

Uploader was not found due to a programming error:

Dexter 'v2' C&C structure:
Just ignore the 'installer' folder that something homemade for a video PoC.

Get track type function:
That even grab track3.



600 posts reached ;)

13 comments:

  1. Replies
    1. loop on the code or mistake can't remember i will check it later

      Delete
  2. C'est vraiment du beau boulot :)
    Et GG pour le 600ème!

    ReplyDelete
  3. Congratulation for 600.
    enough boring reversing infos // That never boring to read you :)

    ReplyDelete
  4. REDcrew is official dead?

    ReplyDelete
  5. Where can I find some Ollydbg or just general Debugger tutorials. I want to be like you. :(

    ReplyDelete
  6. Very nice, I like you exposing the undernet.

    ReplyDelete
  7. @Dave: Here's a link, you can google, "ollydbg tuts tutorials" 1st hit

    http://tuts4you.com/download.php?list.29

    ReplyDelete
  8. Is an antivirus protection enough for this kind of threat ? Couldn't AV-s make a system witch has the same functionality only when it detects a valid number to 0 it up ?
    Just saying ... the malware isn't complex and a solution for defeating it it's pretty simple.

    Thank you for your blog keep it up!

    ReplyDelete
    Replies
    1. Sorry, man, but it's not that simple. It's impossible for antiviruses to detect ramscrapers, because listing all processes that read the memory of another processes as viruses would hit lots of legitimate software like debuggers.

      Delete
  9. Please, give me the link of Builder!!!!
    I have the panel!!

    ReplyDelete