By: Nirmal Singh

Malicious Office Files Dropping Kasidet And Dridex

Malware

Introduction 

We have covered Dridex Banking Trojan being delivered via various campaigns involving Office documents with malicious VBA macros in the past. However, over the past two weeks we are seeing these malicious VBA macros leveraged to drop Kasidet backdoor in addition to Dridex on the infected systems. These malicious Office documents are being spread as an attachment using spear phishing emails as described here. The malicious macro inside the Office document is obfuscated as shown in the code snapshot below -

Macro code

The macro downloads malware payload from the hardcoded URL. We have seen following URLs used in different document payloads that we captured for this campaign:

  •       armandosofsalem[.]com/l9k7hg4/b4387kfd[.]exe
  •       trinity.ad-ventures[.]es/l9k7hg4/b4387kfd[.]exe
  •       188.226.152[.]172/l9k7hg4/b4387kfd[.]exe

In this blog, we will provide a detailed analysis for the Kasidet variant that we spotted in this campaign.

Kasidet Analysis

Installation: 
Kasidet installs itself into %APPDATA% folder. It creates a new folder there with the name "Y1FeZFVYXllb", this string is hardcoded in the malware. The same string is used as mutex name and in creating a Registry key for ensuring persistence upon system reboot.

AntiVM Check:
Kasidet tries to detect analysis systems during execution through following checks.
Checking Dubugger through "IsDebuggerPresent" and "CheckRemoteDebuggerPresent" Windows APIs. It also checks for the following popular sandbox related strings:

User Name: "MALTEST",  "TEQUILABOOMBOOM", "SANDBOX", "VIRUS", "MALWARE"

File Name: "SAMPLE", "VIRUS", "SANDBOX"

It tries to detect wine software by checking if kernel32.dll is exporting "wine_get_unix_file_name" function or not. It detects Vmware, VirtualBox, QEMU and Bochs by checking for following registry entries:

 
Vmware
"SOFTWARE\\VMware, Inc.\\VMware Tools"
"HARDWARE\DEVICEMAP\Scsi\Scsi Port\Scsi Bus\Target Id\Logical Unit Id", "Identifier" , Vmware"
"HARDWARE\DEVICEMAP\Scsi\Scsi Port\Scsi Bus\Target Id\Logical Unit Id", "Identifier" , "VBOX"
 
VirtualBox
"HARDWARE\\Description\\System", "SystemBiosVersion" , "VBOX"
SOFTWARE\\Oracle\\VirtualBox Guest Additions"
"HARDWARE\\Description\\System", "VideoBiosVersion" , "VIRTUALBOX"
QEMU
"HARDWARE\DEVICEMAP\Scsi\Scsi Port \Scsi Bus \Target Id \Logical Unit Id ", "Identifier" , "QEMU"
"HARDWARE\\Description\\System" , "SystemBiosVersion" , "QEMU"
Bochs
"HARDWARE\\Description\\System" , "SystemBiosVersion" , "BOCHS”


Information Stealing capabilities:

Kasidet uses following two methods for stealing information from the victim's machine:

1. Memory Scraping – This allows Kasidet to steal credit card data from the memory of Point-Of-Sale (POS) systems. It scans the memory of all the running processes except the operating system processes listed below:
System
smss.exe
csrss.exe
winlogon.exe
lsass.exe
spoolsv.exe
devenv.exe

The stolen information is relayed back to the attacker using following URI format – 

d=1&id=<MachineID>&name=<SystemName>&type=<Track1 or Track2 data>&data=<stolen data>&p=< Process elevation status >

2. Browser Hooking –  This allows Kasidet to steal data from Web browsers. It can inject code into FireFox, Chrome, and Internet Explorer (IE). Browser names are not saved in plain text and instead this variant uses the same hash function as used by Carberp malware to encrypt the browser names. The following APIs are hooked in the web browser for stealing sensitive data: 

Browser
API
FireFox
PR_Write
Chrome
WSASend
IE
HttpSendRequestW , InternetWriteFile

The stolen information is relayed back to the attacker using following URI format – 

ff=1&id=<MachineID>&name=<SystemName>&host=<Base64 encoded host name>&form=< Base64 encoded HTTP header data>&browser=<Browser name>
The information stealing feature of this Kasidet variant were deactivated if the system locale or GeoUserID corresponds to Russia.

Network communication:

Kasidet contains a hardcoded list of Command & Control (C&C) server locations. It uses CryptStringToBinary API call to decrypt the embedded C&C URLs as seen below:

Kasidet C&C list
Upon successful infection, Kasidet sends a HTTP POST request with data “enter=1” (without quotes). All HTTP header fields (User-Agent, Content-type and Cookie) are hard coded in the payload itself.
Kasidet Hardcoded HTTP fields

C&C Server will not return required data if HTTP header fields are different.  The server sends a fake 404 response code and html data stating that page is not found but the C&C commands will be hidden in the response HTML comment tag as seen below:

Kasidet - First communication with C&C

Kasidet will request for additional commands from the C&C server with the following POST request:

Kasidet request for additional commands
 
Variable
Descriptions
cmd
Command. It is hardcoded in the malware payload as '1'.
id
MachineGuid value fetched  from Software\Microsoft\Cryptography registry key
name
System Name
os
Operating system version
p
Process elevation status
av
Antivirus installed on the infected system
v
Version of the bot. It is hardcoded in the malware. Current version that we analysed is 4.4
w
Flag that indicates whether the system locale and UserGeoID is Russia

Like browser names, all the command strings are also encrypted using a hash function. Below are some of the important commands:

Command Hash
Description
0x0E587A65 (rate <number>)
It is used in sleep function
0x89127D3
DDOS using HTTP protocol
0x0B37A84B6
Start keylogging and screen capture threads
0x89068E8h
Download and execute additional component. This file can be DLL, EXE or VBS.
0x4A9981B7
Search for given process name in current running processes in the system
0x8D26744
Find given file in system and upload to the server
0CAB1E64A
Drop setting.bin file,  change firewall settings to download and execute plugin component
0x10E6C4
Execute given command using windows cmd.exe
 

Conclusion 

Malicious Office document file is a popular vector for malware authors to deliver their payloads. Dridex authors have leveraged this technique for over a year and it was interesting to see the same campaign and URLs being leveraged to deliver Kasidet payloads. While this does not establish any links between the two malware family authors, it reaffirms the fact that a lot of the underlying infrastructure and delivery mechanisms are often shared by these cyber criminals.

ThreatLabZ is actively monitoring this threat and ensuring signature coverage for Zscaler customers.

Analysis by - Abhay Yadav, Avinash Kumar and Nirmal Singh

Learn more about Zscaler.