Original release date: August 26, 2020

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Remote Access Tool (RAT) malware variants used by the North Korean government. This malware variant has been identified as ECCENTRICBANDWAGON. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report looks at malware samples known as ECCENTRICBANDWAGON. This family of malware is used as a reconnaissance tool. The samples in this report are used for keylogging and screen capture functionality. The samples are very similar, but differ slightly in the location that they store the key logs and screenshots. Some variants have RC4 encrypted strings within the executable and conduct a simple, ineffective cleanup, whereas others do not.

For a downloadable copy of IOCs, see [STIX file].

Submitted Files (4)

32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8 (PSLogger .dll)

9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e (PSLogger .dll)

c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec (PSLogger .dll)

efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e (PSLogger .dll)

Findings

efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e

Tags

HIDDEN-COBRAbackdoorkeyloggerreconnaissancescreen-capturespywaretrojan

Details

Name
PSLogger .dll

Size
138240 bytes

Type
PE32+ executable (DLL) (GUI) x86-64, for MS Windows

MD5
d45931632ed9e11476325189ccb6b530

SHA1
081d5bd155916f8a7236c1ea2148513c0c2c9a33

SHA256
efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e

SHA512
fd1b7ea95f66a660e9183c22755ac7d741823ba45a009bf9929546213308f89fd9ce8fcc2e70b56e427f0daa1b0965817d45dd9c2f5598404bc79c50afc2f818

ssdeep
3072:t+N02CVLOJdCPQhVNRTzcb/YrgHdnG6ioaa5IR:sO2qO3CPkRTz8YrgHdGBoa1

Entropy
6.096739

Antivirus

Ahnlab
Trojan/Win64.Agent

Antiy
Trojan[Spy]/Win64.Agent

Avira
TR/Spy.Agent.ftmjo

BitDefender
Trojan.GenericKD.40337042

Cyren
W64/Trojan.WFEO-4014

ESET
a variant of Win64/Spy.Agent.AP trojan

Emsisoft
Trojan.GenericKD.40337042 (B)

Filseclab
W64.Spy.Agent.AP.feaw

Ikarus
Trojan-Spy.Win64.Agent

K7
Spyware ( 00538f7c1 )

Lavasoft
Trojan.GenericKD.40337042

McAfee
RDN/Generic PWS.nq

Microsoft Security Essentials
Trojan:Win32/Tiggre!plock

NANOAV
Trojan.Win64.Mlw.fgbvfi

NetGate
Trojan.Win32.Malware

Sophos
Troj/Spy-AUK

Symantec
Trojan.Crobaruko

Systweak
malware.agent

TrendMicro
TSPY64_.F7315F7E

TrendMicro House Call
TSPY64_.F7315F7E

Vir.IT eXplorer
Backdoor.Win32.Lazarus.BGM

VirusBlokAda
TrojanSpy.Win64.Agent

Zillya!
Trojan.Agent.Win64.2215

YARA Rules

rule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance screencapture spyware trojan
{
   meta:
       Author = “CISA Trusted Third Party”
       Incident = “10301706.r1.v1”
       Date = “2020-08-11”
       Actor = “Hidden Cobra”
       Category = “Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan”
       Family = “ECCENTRICBANDWAGON”
       Description = “Detects strings in ECCENTRICBANDWAGON proxy tool”
       MD5_1 = “d45931632ed9e11476325189ccb6b530”
       SHA256_1 = “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e”
       MD5_2 = “acd15f4393e96fe5eb920727dc083aed”
       SHA256_2 = “32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8”
       MD5_3 = “34404a3fb9804977c6ab86cb991fb130”
       SHA256_3 = “c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec”
       MD5_4 = “3122b0130f5135b6f76fca99609d5cbe”
       SHA256_4 = “9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e”
   strings:
       $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }
       $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }
       $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }
       $sn4 = “%s\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d” wide ascii nocase
       $sn5 = “c:\windows\temp\TMP0389A.tmp” wide ascii nocase
   condition:
       any of them
}

ssdeep Matches

100
32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8

PE Metadata

Compile Date
2018-04-27 22:53:06-04:00

Import Hash
f0faa229b086ea5053b4268855f0c8ba

PE Sections

MD5
Name
Raw Size
Entropy

09745305cbad67b17346f0f6dba1e700
header
1024
2.729080

5c2242b56a31d64b6ce82671d97a82a4
.text
92160
6.415763

0d022eff24bc601d97d2088b4179bd18
.rdata
31232
4.934652

578e5078ccb878f1aa9e309b4cfc2be5
.data
6144
2.115729

09924946b47ef078f7e9af4f4fcb59dc
.pdata
5632
4.803615

7ead0113095bc6cb3b2d82f05fda25f3
.rsrc
512
5.115767

7937397e0a31cdc87f5b79074825e18e
.reloc
1536
2.931043

Description

This file is a 64-bit dynamic link library (DLL). This malware uses 3 files that will be used to store the key logs, screen shots, and log intervals. The location of these logs can be found in C:windowstempTMP0389A.tmp.

–Begin Log Files–
1. Keylog: %temp%GoogleChromechromeupdate_pk
2. Screenshots: %temp%GoogleChromechromeupdate_ps_<YYYMMDD>_<HHMMSS>_<sss>_<ThreadID>
3. Log intervals: C:ProgramData2.dat
–End Log Files–

The malware creates 3 threads to populate the log files listed above. Each one will continue to execute until a global kill variable is set to 1. This variable can only be set to 1 by calling an export called “Process” from within this DLL. When the export is called, the threads will return and the program will exit.

32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8

Tags

HIDDEN-COBRAbackdoorkeyloggerreconnaissancescreen-capturespywaretrojan

Details

Name
PSLogger .dll

Size
138243 bytes

Type
PE32+ executable (DLL) (GUI) x86-64, for MS Windows

MD5
acd15f4393e96fe5eb920727dc083aed

SHA1
c92529097cad8996f3a3c8eb34b56273c29bdce5

SHA256
32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8

SHA512
82a946c2d0c9fffdd23d8e6b34028ac1b0368d4fd78302268aa4d954bead8a82ea15873a28d69946dceaf80fcafd0c52aeb59f47df5a029f77072fa1bc8e0fae

ssdeep
3072:t+N02CVLOJdCPQhVNRTzcb/YrgHdnG6ioaa5IR:sO2qO3CPkRTz8YrgHdGBoa1

Entropy
6.096652

Antivirus

Ahnlab
Trojan/Win64.Agent

Antiy
Trojan[Spy]/Win64.Agent

Avira
TR/Spy.Agent.ftmjo

BitDefender
Trojan.GenericKD.40337042

Comodo
Malware

Cyren
W64/Trojan.WFEO-4014

ESET
a variant of Win64/Spy.Agent.AP trojan

Emsisoft
Trojan.GenericKD.40337042 (B)

Ikarus
Trojan-Spy.Win64.Agent

K7
Spyware ( 00538f7c1 )

Lavasoft
Trojan.GenericKD.40337042

Microsoft Security Essentials
Trojan:Win32/Tiggre!plock

NANOAV
Trojan.Win64.Mlw.fgbtfv

Symantec
Trojan.Crobaruko

Systweak
malware.agent

Vir.IT eXplorer
Backdoor.Win32.Lazarus.BGM

VirusBlokAda
TrojanSpy.Win64.Agent

Zillya!
Trojan.Agent.Win64.2215

YARA Rules

rule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance screencapture spyware trojan
{
   meta:
       Author = “CISA Trusted Third Party”
       Incident = “10301706.r1.v1”
       Date = “2020-08-11”
       Actor = “Hidden Cobra”
       Category = “Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan”
       Family = “ECCENTRICBANDWAGON”
       Description = “Detects strings in ECCENTRICBANDWAGON proxy tool”
       MD5_1 = “d45931632ed9e11476325189ccb6b530”
       SHA256_1 = “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e”
       MD5_2 = “acd15f4393e96fe5eb920727dc083aed”
       SHA256_2 = “32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8”
       MD5_3 = “34404a3fb9804977c6ab86cb991fb130”
       SHA256_3 = “c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec”
       MD5_4 = “3122b0130f5135b6f76fca99609d5cbe”
       SHA256_4 = “9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e”
   strings:
       $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }
       $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }
       $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }
       $sn4 = “%s\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d” wide ascii nocase
       $sn5 = “c:\windows\temp\TMP0389A.tmp” wide ascii nocase
   condition:
       any of them
}

ssdeep Matches

100
efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e

PE Metadata

Compile Date
2018-04-27 22:53:06-04:00

Import Hash
f0faa229b086ea5053b4268855f0c8ba

PE Sections

MD5
Name
Raw Size
Entropy

09745305cbad67b17346f0f6dba1e700
header
1024
2.729080

5c2242b56a31d64b6ce82671d97a82a4
.text
92160
6.415763

0d022eff24bc601d97d2088b4179bd18
.rdata
31232
4.934652

578e5078ccb878f1aa9e309b4cfc2be5
.data
6144
2.115729

09924946b47ef078f7e9af4f4fcb59dc
.pdata
5632
4.803615

7ead0113095bc6cb3b2d82f05fda25f3
.rsrc
512
5.115767

7937397e0a31cdc87f5b79074825e18e
.reloc
1536
2.931043

Description

This file is a 64-bit DLL. This sample and “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e” are nearly identical with the only difference being that this sample has 3 extra NULL bytes at the end of the file.

This malware uses 3 files that will be used to store the key logs, screen shots, and log intervals. The location of these logs can be found in C:windowstempTMP0389A.tmp.

–Begin Log Files–
1. Keylog: %temp%GoogleChromechromeupdate_pk
2. Screenshots: %temp%GoogleChromechromeupdate_ps_<YYYMMDD>_<HHMMSS>_<sss>_<ThreadID>
3. Log intervals: C:ProgramData2.dat
–End Log Files–

The malware creates 3 threads to populate the log files listed above. Each one will continue to execute until a global kill variable is set to 1. This variable can only be set to 1 by calling an export called “Process” from within this DLL. When the export is called, the threads will return and the program will exit.

c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec

Tags

HIDDEN-COBRAbackdoorkeyloggerreconnaissancescreen-capturetrojan

Details

Name
PSLogger .dll

Size
175104 bytes

Type
PE32 executable (GUI) Intel 80386, for MS Windows

MD5
34404a3fb9804977c6ab86cb991fb130

SHA1
b345e6fae155bfaf79c67b38cf488bb17d5be56d

SHA256
c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec

SHA512
01a8c8b66f6895387c6a347d02d00ea09619888f2727096a19d4c4ff50e6bf72367cbd41f09e89a57f7f3862efbb2db8177dbec086c4ce2aca3518d124575033

ssdeep
3072:AeO51bvWZElWhKQGhvNdx2GYZj+utNfBtZl7mGwwZWyNGVxBqu:A77beClWhKQG36UutNfB077Bqu

Entropy
6.491987

Antivirus

Ahnlab
Malware/Gen.Generic

Antiy
GrayWare/Win32.Presenoker

BitDefender
Trojan.GenericKD.43188225

Cyren
W32/Trojan.MZDN-2436

ESET
a variant of Generik.HKZTFCG trojan

Emsisoft
Trojan.GenericKD.43188225 (B)

Ikarus
Trojan.SuspectCRC

K7
Trojan ( 005506c81 )

Lavasoft
Trojan.GenericKD.43188225

NANOAV
Trojan.Win32.KeyLogger.fnwztc

NetGate
Malware.Generic

Symantec
Hacktool.Keylogger

Vir.IT eXplorer
Backdoor.Win32.Lazarus.BGM

VirusBlokAda
TrojanSpy.Keylogger

Zillya!
Trojan.Keylogger.Win32.9

YARA Rules

rule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance screencapture spyware trojan
{
   meta:
       Author = “CISA Trusted Third Party”
       Incident = “10301706.r1.v1”
       Date = “2020-08-11”
       Actor = “Hidden Cobra”
       Category = “Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan”
       Family = “ECCENTRICBANDWAGON”
       Description = “Detects strings in ECCENTRICBANDWAGON proxy tool”
       MD5_1 = “d45931632ed9e11476325189ccb6b530”
       SHA256_1 = “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e”
       MD5_2 = “acd15f4393e96fe5eb920727dc083aed”
       SHA256_2 = “32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8”
       MD5_3 = “34404a3fb9804977c6ab86cb991fb130”
       SHA256_3 = “c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec”
       MD5_4 = “3122b0130f5135b6f76fca99609d5cbe”
       SHA256_4 = “9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e”
   strings:
       $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }
       $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }
       $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }
       $sn4 = “%s\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d” wide ascii nocase
       $sn5 = “c:\windows\temp\TMP0389A.tmp” wide ascii nocase
   condition:
       any of them
}

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2018-11-14 09:44:18-05:00

Import Hash
a8623b2da60776df129ebe0430d48d85

PE Sections

MD5
Name
Raw Size
Entropy

37ecb293f01edad89fcee1ce48e4cde3
header
1024
2.949326

36fd9d805b7c591ab71eda922662e30a
.text
124928
6.650973

1d3132305f18961b86c1fda0a2f4eea9
.rdata
38912
5.166660

9e17ac76df46fd523a11378398cf026f
.data
3072
2.367308

bbee55723eaad8c7f73a5fa9bf2159d4
.gfids
512
2.275750

264e317304c9b21a342169b33c0a791a
.rsrc
512
4.717679

a1ab3dce319437b49198eeff43f4d847
.reloc
6144
6.422499

Packers/Compilers/Cryptors

Microsoft Visual C++ ?.?

Description

This sample is nearly identical to “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e” with the exception that this sample will RC4 encrypt some of its strings and use different log files.

The following strings are RC4 encrypted with the key “key”:

–Begin RC4 encrypted strings–
Downloads
c:windowstempTMP0389A.tmp
c:windowstemptmp1105.tmp
[CLIPBOARD]
[/CLIPBOARD]
–End RC4 encrypted strings–

This malware uses 3 files that will be used to store the key logs, screen shots, and log intervals. The location of these logs can be found in C:windowstempTMP0389A.tmp.

–Begin log files–
1. Keylog: %temp%Downloadstmp_<USERNAME>
2. Screenshots: %temp%Downloadstmp_<USERNAME>_<MMDD>_<HHMMSS>
3. Log intervals: c:windowstemptmp1105.tmp
–End log files–

The malware creates 3 threads to populate the log files listed above. Each one will continue to execute until a global kill variable is set to 1. This variable can only be set to 1 by calling an export called “Process” from within this DLL. When the export is called, the threads will return and the program will exit.

9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e

Tags

HIDDEN-COBRAkeyloggerreconnaissancescreen-capturespywaretrojan

Details

Name
PSLogger .dll

Size
210944 bytes

Type
PE32+ executable (DLL) (GUI) x86-64, for MS Windows

MD5
3122b0130f5135b6f76fca99609d5cbe

SHA1
ce6bc34b887d60f6d416a05d5346504c54cff030

SHA256
9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e

SHA512
788c666efeb664c7691a958d15eac2b80d3d17241f5e7c131e5dec2f761bcb70950018c1f8a85fd6600eff0d0fab0ce31fbcd364d16b6ef8b54deb5e9c215f08

ssdeep
3072:6usGRlrmZ8LP/LqdmpWOY9Y9EbyBFWnqD5W3P4Tp31oItN7W0rVu6eRDP/fJkkj7:67GTjOdCWOKXbyCnCEQTp2CE0/gh2W

Entropy
6.246368

Antivirus

Ahnlab
Trojan/Win64.Redbanc

Antiy
Trojan[Banker]/Win32.Alreay

Avira
TR/Spy.Agent.kdvkr

BitDefender
Trojan.GenericKD.41368668

ESET
a variant of Win64/Spy.Agent.BG trojan

Emsisoft
Trojan.GenericKD.41368668 (B)

Ikarus
Trojan-Spy.Keylogger.Lazarus

K7
Spyware ( 005501401 )

Lavasoft
Trojan.GenericKD.41368668

McAfee
RDN/Generic PWS.tf

NANOAV
Trojan.Win64.Alreay.hoqvyj

Quick Heal
Trojan.Alreay

Sophos
Troj/Alreay-A

TACHYON
Unknown-Type/Alreay.210944

Zillya!
Trojan.Alreay.Win32.91

YARA Rules

rule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance screencapture spyware trojan
{
   meta:
       Author = “CISA Trusted Third Party”
       Incident = “10301706.r1.v1”
       Date = “2020-08-11”
       Actor = “Hidden Cobra”
       Category = “Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan”
       Family = “ECCENTRICBANDWAGON”
       Description = “Detects strings in ECCENTRICBANDWAGON proxy tool”
       MD5_1 = “d45931632ed9e11476325189ccb6b530”
       SHA256_1 = “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e”
       MD5_2 = “acd15f4393e96fe5eb920727dc083aed”
       SHA256_2 = “32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8”
       MD5_3 = “34404a3fb9804977c6ab86cb991fb130”
       SHA256_3 = “c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec”
       MD5_4 = “3122b0130f5135b6f76fca99609d5cbe”
       SHA256_4 = “9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e”
   strings:
       $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }
       $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }
       $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }
       $sn4 = “%s\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d” wide ascii nocase
       $sn5 = “c:\windows\temp\TMP0389A.tmp” wide ascii nocase
   condition:
       any of them
}

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2019-04-08 07:26:25-04:00

Import Hash
b113cba285f3c4ed179422f54692f4e3

PE Sections

MD5
Name
Raw Size
Entropy

fd81e5f6ab156dcdba2e2b92826ca192
header
1024
3.015020

88ecd4fac45e45b294de415ca514a93c
.text
137728
6.457660

af0dab081123c1ad835c86f134138e7f
.rdata
57344
5.118317

e7c661026f7ecf701bbcbdd15ff2b825
.data
3584
2.244033

4b406030a4a3dcaea845c14124010691
.pdata
8192
5.172064

f623a10ca467aac404ec6fda8e4810d4
.gfids
512
2.000422

3695113543a23c53791caa70b4bd8874
.rsrc
512
4.724729

f9f31f1689409c8834b7f0c28d948a65
.reloc
2048
4.924204

Description

This sample is nearly identical to “c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec” with the exception that it RC4 encrypts some of its strings, uses different log files, and has a simple cleanup routine.

The following strings are RC4 encrypted with the key “key”:

–Begin RC4 encrypted strings–
TrendMicroUpdate
c:windowstempTMP0389A.tmp
c:windowstemptmp1105.tmp
[CLIPBOARD]
[/CLIPBOARD]
–End RC4 encrypted strings–

This malware uses 3 files that will be used to store the key logs, screen shots, and log intervals. The location of these logs can be found in C:windowstempTMP0389A.tmp.

–Begin log files–
1. Keylog: %temp%TrendMicroUpdateupdate_<USERNAME>
2. Screenshots: %temp%TrendMicroUpdateupdate_<MMDD>_<HHMMSSl>
3. Log Intervals: c:windowstemptmp1105.tmp
–End log files–

This malware creates 3 threads to populate the log files listed above. Each one will continue to execute until the file C:windowstemptmp0207 contains a zero in a particular location. At this point, the program will signal an exit to the other threads and begin a cleanup thread. The cleanup thread will delete C:windowstemptmp0207 and then call WinExec(cmd.exe /c taskkill /f /im explorer.exe). This will crash explorer.exe, which could potentially alert a user who was using the device at the time.

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

Maintain up-to-date antivirus signatures and engines.
Keep operating system patches up-to-date.
Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
Enforce a strong password policy and implement regular password changes.
Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
Scan all software downloaded from the Internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

1-888-282-0870

CISA Service Desk (UNCLASS)

CISA SIPR (SIPRNET)

CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

Web: https://malware.us-cert.gov

E-Mail: [email protected]

FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

This product is provided subject to this Notification and this Privacy & Use policy.

Leave a Reply

Verified by MonsterInsights