New Malware Targets Financial Data

File Name: cclub14.exe
File Size: 1081833 byte
Compile Time: 2015-06-17 08:36:37
Sections: 4
Hash MD5: 29cf881ca840424f2dba7c0952a94cfe
Hash SHA-1: 85461a14c12a2e3f3f0f1f10a8d68d73e4e891b4
Imphash : 7ee226ca53c7ca1c7999e440384c5b89

Summary:

New malware that is not yet detected by most antivirus products was identified and studied by Nettitude yesterday. It targets financial information (in this case Bitcoin’s wallets). The malware has been designed to perform three key functions:

  1. Steal Bitcoin wallets
  2. It will attempt to steal login credentials from a large selection of file transfer software applications;
  3. The malware will also attempt to send large numbers of SPAM messages from the infected machine.

As a consequence of the large number of SPAM messages it generates, the IP of the victim is at high risk of being backlisted.

The download and execution of unknown files should be controlled in corporate environments, while home users should restrain themselves from downloading files that look suspicious.  It is believed that the file was received as an email attachment.

Investigation Log:

Nettitude’s CERT team investigated a customer who suspected they were under attack. At the time all actions on the host were being monitored and a copy of the recent network traffic was captured prior to the host being disconnected from the network.

The first immediately obviously thing the malware tried to do was access common locations for Bitcoin wallets  for every user profile present in the victims computer:

  • “C:UsersDefaultAppDataRoamingBitcoinwallet.dat”
  • “C:UsersPublicAppDataRoamingBitcoinwallet.dat”
  • “C:UsersXXXXXXAppDataRoamingBitcoinwallet.dat”
  • “C:UsersAll UsersAppDataRoamingBitcoinwallet.dat”
  • “C:UsersDefaultAppDataRoamingBitcoinwallet.dat”
  • “C:UsersPublicAppDataRoamingBitcoinwallet.dat”
  • “C:UsersXXXXXXAppDataRoamingBitcoinwallet.dat”
  • “C:UsersAll UsersAppDataRoamingBitcoinwallet.dat”

The malware then attempted to steal user credentials from a range of specific file transfer programs, including:

  • TurboFTP
  • FTPGetter
  • Estsoft
  • Ghisler Total Commander
  • COREFTP
  • LinasFTP
  • Robo-FTP 3.8
  • Robo-FTP 3.7
  • Far2 (Far manager)
  • BlazeFtp
  • 3D-FTP
  • Cyberduck
  • FlashFXP
  • BulletProof Software
  • GPSoftware
  • Background Intelligent Transfer Service
  • SiteDesigner
  • NetSarang

Following the failed attempt to steal credentials, another file was downloaded from the web. A large number of repetitive DNS queries were made to well-known websites including popular email servers.

If this was not enough abuse, a large number of emails were sent from the victim IP in a very short period of time.

If this was not enough abuse, a large number of emails were sent from the victim IP in a very short period of time. We observed up to 5 emails sent per second. The title of email was “Big News Released Yesterday”

The message in the SPAM message was:

I discovered the stock that big investors strive to add. Verde Science, Inc. (VR CI) is gaining active interest recently! The exposure just began the price could be exploding! Start VR CI on Tuesday October 13 under $0.13

The message of the SPAM makes indirect reference to the stock market. Strangely, the message did not have a link to follow.  We could assume that another message would be sent with the link?

It was only a matter of time for the victim IP to be blacklisted

It was only a matter of time for the victim IP to be blacklisted

The IP was then verified in Spamhaus and it was clearly blacklisted.

The IP was then verified in Spamhaus and it was clearly blacklisted.

Fortunately, a process to remove an IP that is blacklisted is not so difficult.

Fortunately, a process to remove an IP that is blacklisted is not so difficult.

The IP of the victim machine was successfully remove from the blacklist

The IP of the victim machine was successfully remove from the blacklist

CBL Removel

Recommendations:

Although the malware is not that sophisticated, it does remind us that basic hygiene around malware is vital. The 3 key takeaways from this are:

  1. Question all email links and attachments – period: Just because it arrived in your inbox, home or corporate account, does not mean that it’s legitimate. Although many detection systems are in place they are not infallible. Most malware when first created and used will evade detection at first. For example, at the time of analysis of this event, there was no entry in virus total.
  2. Do not click on suspicious attachments: Again, systems can be implement at a corporate level that will ‘sandbox’ or isolate attachments so they cannot steal or gain access to your core systems, but these may not be in place and must be configured correctly. Remain vigilant and question everything.
  3.  Remember – If you click, you can be owned.

If you do click or open something you think you may not have, make sure you know your companies Incident Response process and reporting structure. If there isn’t one, ask why not and what you should do if this occurs?