Fake Volume License Trojan Targets Corporate Users and Evades Sandboxes
Two weeks ago, multiple Cisco Managed Threat Defense (MTD) customers received an email that appeared to come from the Microsoft Volume Licensing Service Center (VLSC). The email, shown below, is very similar to the real email Microsoft sends. It had a personalized welcome line and appeared to contain a link to log in to the Volume Licensing Service Center:
The recipient's email address was included in the fake Microsoft.com link to make it look more credible. The real link, visible when hovering the mouse over the link, went to one of the following domains:
Attack Targeted at Corporate Users
Analysis of what these domains have in common found that they are all compromised WordPress servers. Hackers added extra pages to the legitimate ones at a location like:
Microsoft licenses products like Windows and Office in volume to corporate customers. The VLSC is where customers log in to get their licenses, usually in the form of an activation code. A user who clicks on the link in the email sees the screenshot below:
Analyst Alerted by a Wonky File
MTD security analysts were first alerted to this attack by Sourcefire file events for a file named 1.php:
To discover the nature of the threat, the analyst grabbed the .ZIP file. Our malware analysis determined that the .ZIP contained a Windows executable with an .SCR extension, named Volume_Licensing_Service_Center_details_7834892334.scr.
The file had the following hashes and size:
File Size: 51.9541 KB
Sandbox Evaluation Failed
Initially, antivirus detection was low: 9 out of 57 antivirus programs.
MTD investigators turned to sandbox analysis for the file. Detonating the malware on three commercial and one open source sandbox solution yielded no success. The malware seemed to know it was being analyzed and exited after 20 seconds without doing anything. Antivirus programs named it “Chanitor”, a trojan used to download other malware. This downloader has been used in many attacks such as fake fax, fake voicemail, fake invoice and fake purchase order email attacks.
Investigator Used Debugger for Analysis
To analyze the malware completely and determine what command and control servers it connected to, investigators ran the malware on real hardware with network capture, memory capture and file system monitoring software installed. The analysis clearly revealed programmatic delays to prevent the sandbox from detonating the malware.
This produced better results and revealed one of the anti-forensics measures in this variant of Chanitor: it sleeps for a total of over 30 minutes when first run. Upon execution, Volume_Licensing_Service_Center_details_7834892334.scr unpacks and decodes itself and then starts a process called winlogin.exe. winlogin.exe then sleeps repeatedly, for the durations in milliseconds shown below:
winlogin.exe delays execution by calling the sleep function over and over
"winlogin.exe" sleep "00313623" milliseconds
"winlogin.exe" sleep "00301713" milliseconds
"winlogin.exe" sleep "00289634" milliseconds
"winlogin.exe" sleep "00326947" milliseconds
"winlogin.exe" sleep "00319869" milliseconds
"winlogin.exe" sleep "00290436" milliseconds
"winlogin.exe" sleep "00304573" milliseconds
"winlogin.exe" sleep "00300983" milliseconds
"winlogin.exe" sleep "00300131" milliseconds
"winlogin.exe" sleep "00305685" milliseconds
winlogin.exe sleeps to wait out automatic sandbox analysis before starting to communicate on the internet. The program displays no output, but the metadata indicated that it was compiled on a computer using English for output. When launched, the malware creates several files as shown below:
Created Files and Types
- agmas.dll – PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- agmas.msy – binary data
- winlogin.exe – PE32 executable (GUI) Intel 80386, for MS Windows, self-extracting archive
This trojan downloader also copies itself to another file on the disk and then renames that file back to winlogin.exe using the commands shown here:
cmd /D /R type "C:\Users\PSPUBWS\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\PSPUBWS\AppData\Roaming\Windows\winlogin.exe"
This is done to cause some sandbox analysis systems to fail.
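An added example, not part of the original analysis: a small parser for sleep records in the format of the trace above that totals the delay per process and flags any process whose combined sleep outlasts an analysis window. The 300-second window and the "updater.exe" line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sleep records as listed in the article, plus one constructed benign line.
TRACE = """
"winlogin.exe" sleep "00313623" milliseconds
"winlogin.exe" sleep "00301713" milliseconds
"winlogin.exe" sleep "00289634" milliseconds
"winlogin.exe" sleep "00326947" milliseconds
"winlogin.exe" sleep "00319869" milliseconds
"winlogin.exe" sleep "00290436" milliseconds
"winlogin.exe" sleep "00304573" milliseconds
"winlogin.exe" sleep "00300983" milliseconds
"winlogin.exe" sleep "00300131" milliseconds
"winlogin.exe" sleep "00305685" milliseconds
"updater.exe" sleep "00005000" milliseconds
"""

SLEEP_RE = re.compile(r'"([^"]+)"\s+sleep\s+"(\d+)"\s+milliseconds')


def cumulative_sleep(trace):
    """Return {process: (call_count, total_ms)}; accepts one record per line or run-together text."""
    totals = defaultdict(lambda: [0, 0])
    for proc, ms in SLEEP_RE.findall(trace):
        totals[proc.lower()][0] += 1
        totals[proc.lower()][1] += int(ms)  # int() accepts the zero-padded values
    return {proc: tuple(v) for proc, v in totals.items()}


def outlasts_sandbox(trace, window_s=300):
    """Processes whose summed sleep exceeds the analysis window (window_s is an assumption)."""
    return sorted(p for p, (_, ms) in cumulative_sleep(trace).items() if ms > window_s * 1000)


if __name__ == "__main__":
    for proc, (calls, ms) in cumulative_sleep(TRACE).items():
        print(f"{proc}: {calls} sleeps, {ms / 60000:.1f} min total")
    print("exceeds window:", outlasts_sandbox(TRACE))
```

The ten listed calls add up to 3,053,594 ms, roughly 51 minutes, consistent with the "over 30 minutes" figure above.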
Investigator Discovered C2 Servers And Method
Monitoring the network activity of Volume_Licensing_Service_Center_details_7834892334.scr found that the following domains are looked up after the winlogin.exe process wakes up:
DNS queries and IP used at the time of analysis:
- api[.]ipify[.]org – 220.127.116.11, 18.104.22.168, 22.214.171.124
- o3qz25zwu4or5mak[.]tor2web[.]org – 126.96.36.199, 188.8.131.52
- o3qz25zwu4or5mak[.]tor2web[.]ru – 184.108.40.206
api[.]ipify[.]org is an online service with an API for allowing applications to learn their IP address.
After the DNS queries, the Chanitor trojan connects to api[.]ipify[.]org first and learns its IP address:
–> 220.127.116.11:443 api[.]ipify[.]org learns its IP
Next, the malware determines if it can connect to the Tor anonymizing network:
–> 18.104.22.168:443 o3qz25zwu4or5mak[.]tor2web[.]org Len=0
–> 22.214.171.124:443 o3qz25zwu4or5mak[.]tor2web[.]ru Len=0
Notice the length of the payload for these connections is 0 since it is just a test.
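The lookup order described above (an external-IP check followed by tor2web gateway names) can be hunted for in resolver logs. This is an added example, not Cisco's tooling; the log format, the client addresses, the sample records and the 60-second window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed resolver log: timestamp, client IP, queried name. Sorted by time.
DNS_LOG = """\
2024-01-01T09:00:01 10.0.0.21 api.ipify.org
2024-01-01T09:00:03 10.0.0.21 o3qz25zwu4or5mak.tor2web.org
2024-01-01T09:00:04 10.0.0.21 o3qz25zwu4or5mak.tor2web.ru
2024-01-01T09:05:00 10.0.0.37 api.ipify.org
2024-01-01T09:06:10 10.0.0.44 www.example.com
2024-01-01T11:30:00 10.0.0.37 example.tor2web.org.
"""

IP_CHECK_NAMES = {"api.ipify.org"}  # the IP-discovery service named in the article


def is_tor2web(name):
    """True for any host under a tor2web gateway, e.g. <onion-id>.tor2web.org."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 3 and labels[-2] == "tor2web"


def find_sequences(log, window=timedelta(seconds=60)):
    """Return (client, gateway_name, seconds_after_ip_check) for each gateway lookup
    that follows an IP-check lookup from the same client within the window."""
    last_check = {}
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed records
        when = datetime.fromisoformat(parts[0])
        client, name = parts[1], parts[2].lower().rstrip(".")
        if name in IP_CHECK_NAMES:
            last_check[client] = when
        elif is_tor2web(name) and client in last_check:
            gap = when - last_check[client]
            if timedelta(0) <= gap <= window:
                hits.append((client, name, int(gap.total_seconds())))
    return hits


if __name__ == "__main__":
    for client, name, gap in find_sequences(DNS_LOG):
        print(f"{client} looked up {name} {gap}s after an external-IP check")
```

Either lookup alone is common in benign software; the pairing from one host within a short window is what narrows the results.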
Investigator Searched NetFlow for C2 and Exfiltration
MTD investigators checked the NetFlow data for connections to the IP addresses found in the malware analysis and were able to determine that, although several customers had downloaded the fake Volume License trojan, no customer systems had opened it and been compromised. Here’s a rundown of the investigations we opened for customers during the early attack.
1 investigation where two hosts downloaded the trojan from:
4 investigations where 1 host had downloaded the trojan from:
and 3 hosts had downloaded the trojan from:
The four websites distributing this malware were online for approximately 6 days. MTD investigators advised customers to block the domains. During that time, MTD continued to monitor for new connections to these domains and the IPs used if the Chanitor trojan was executed.
This malware exemplifies three trends:
- Attackers are targeting corporate users via improved phishing techniques.
- Attackers are building sandbox evasion into their malware; as such you need skilled investigators and a rich security toolbox to catch it.
- Tor is growing more commonplace as a means of C2 and exfiltration.
Are you seeing similar trends? How effective do you believe malware authors are in evading sandboxes today?