Wednesday, February 01, 2017

Kelihos infection spreading by Thumb Drive and continues geo-targeting

I've mentioned before how proud I am that my students are extremely passionate about CyberCrime. My guest blogger 'Arsh Arora' is on a visit to his hometown New Delhi, India to attend a wedding. Instead of having fun, he is monitoring the Kelihos botnet from a geographical location different from the US to determine if the behavior is any different. It seems fairly consistent, but Arsh explains more in this next edition of his Kelihos guest-blogging:

Kelihos botnet geo-targeting Canada and Kazakhstan

After laying low for a while, the Kelihos botnet is back to its business of providing 'spam as a service'. The Kelihos botnet continues "geo-targeting" based on the ccTLD portion of email addresses. Today, recipients whose email address ends in ".ca" are receiving links to Tangerine Bank phishing websites, while recipients whose email address ends in ".kz" are receiving a link to the Ecstasy website.

Tangerine Bank Phish geo-targeted to Canadians

The spam body consists of an HTML page that is rendered as a webpage, urging the user to click a button, under the subject line "TANGERINE online account has been suspended". Tangerine is an internet/telephone-based bank formerly known as ING Direct.

Fig. 1 Raw text of spam message

The HTML version is what the victim receiving the email sees, instigating the victim to click on the "Learn More" button (link: "hxxp://tangeerine[dot]com/InitialTangerine/index.php"). Once clicked, the victim is redirected to a phishing site asking them to "Enter your Client Number, Card Number or Username".

Fig. 2 Html version of the Phish
Fig. 3 Redirected link seeking user to enter details

A second version of the similarly themed message used the subject line "Your account is disabled. Please verify your information is correct"; the corresponding redirect link, reached by clicking the Start button, was "hxxp://sec-tangrene[dot]online/".

Fig. 4 Raw Text of second spam message

Fig. 5 HTML version of Tangerine phish

Unfortunately, this link was down and not accessible.

Canadian banks take great pride in their infrastructure and preventive measures, which gives attackers an extra challenge when trying to penetrate these banks directly. Therefore, the attackers target them through phishing instead, as in previous instances such as the Desjardins phish.

Fcuk spam geo-targeted to Kazakhstan

This behavior had not been observed before: the Kelihos botnet was geo-targeting email addresses ending in ".kz". The spam message contained a link (www[dot]almatinki[dot]com) to a Fcuk website, with the subject line in Russian "Глубокий м", which translates to "Deep m". Attached are screenshots of the email message and the website.

Fig. 6 Email message of the spam
Fig. 7 Website

Kelihos spreading via executables copied to flash drives

There is a saying that when an academic has an accident we call it "research!" After completing a successful infection of Kelihos, a thumb drive was accidentally connected to the virtual machine instead of the host machine. Upon inspection, the thumb drive appeared to have acquired a new hidden executable named "porn.exe", as well as a few shortcuts that were not there before. Further analysis of "porn.exe" revealed that it was a copy of the original Kelihos binary.

Fig. 8 VT analysis of porn.exe

By repeating the process with ProcMon running, we found the CreateFile call that wrote E:\porn.exe. In the moments leading up to this, several other file names are tried with CreateFile in an attempt to open them. It appears that if none of these files can be opened, the malware defaults to creating a porn.exe file and then writing the binary to it. After the binary is created, the shortcuts for the hidden directories and the executable are created.

Fig. 9 Create File of porn.exe
Fig. 10 Various instances of trying to Create File

No Autorun.inf is created to run this file; however, a shortcut to the file with the command C:\WINDOWS\system32\cmd.exe F/c "start %cd%\porn.exe" can be found on the drive, as well as shortcuts to several other hidden directories on the drive (not malicious).

Fig. 11 Executable and shortcut placed on thumb drive

Running porn.exe works like a normal Kelihos run; however, we were unable to infect a thumb drive with this binary. Further analysis is required to determine the mechanism by which thumb drive infection occurs, as this executable appears to be identical to the original binary.
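As an added example (not from the original post or the researchers' own tooling), the following Python triage script checks a removable drive's root for the pattern described above: .lnk shortcuts whose embedded arguments launch an executable via "start %cd%\...", and whether that executable is present and hidden. The SAMPLE_LNK bytes are constructed, the min_len threshold is an arbitrary choice, and treating a dot-prefixed name as "hidden" on non-Windows hosts is an assumption made for portability.

```python
"""Triage scanner for the Kelihos thumb-drive pattern: .lnk shortcuts that run
cmd.exe with "start %cd%\\<name>.exe" plus a hidden .exe in the drive root."""
import os, re, stat

# Captures the executable name from the shortcut arguments quoted in the post.
START_RE = re.compile(r'start\s+%cd%\\([^"\s]+\.exe)', re.IGNORECASE)

# Constructed sample (not a real capture): a .lnk stores its strings as UTF-16LE,
# so the launcher arguments are embedded here the same way, with filler bytes.
SAMPLE_LNK = (b'L\x00\x00\x00' + b'\x00' * 20
              + 'C:\\WINDOWS\\system32\\cmd.exe'.encode('utf-16-le') + b'\x00\x00'
              + '/c "start %cd%\\porn.exe"'.encode('utf-16-le') + b'\x00' * 8)

def extract_strings(data, min_len=8):
    """Yield printable ASCII and UTF-16LE strings of at least min_len characters."""
    for m in re.finditer(rb'[\x20-\x7e]{%d,}' % min_len, data):
        yield m.group().decode('ascii')
    for m in re.finditer(rb'(?:[\x20-\x7e]\x00){%d,}' % min_len, data):
        yield m.group().decode('utf-16-le')

def launched_exes(lnk_bytes):
    """Return the set of .exe names a shortcut launches via 'start %cd%\\'."""
    found = set()
    for s in extract_strings(lnk_bytes):
        if 'cmd.exe' in s.lower() or '%cd%' in s:
            found.update(name.lower() for name in START_RE.findall(s))
    return found

def is_hidden(path):
    """Windows hidden attribute; dot-prefix fallback elsewhere (assumption)."""
    attrs = getattr(os.stat(path), 'st_file_attributes', 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or os.path.basename(path).startswith('.')

def scan_drive(root):
    """Return (lnk_path, exe_name, exe_present, exe_hidden) per suspicious shortcut."""
    findings = []
    for name in os.listdir(root):
        if not name.lower().endswith('.lnk'):
            continue
        lnk_path = os.path.join(root, name)
        with open(lnk_path, 'rb') as fh:
            data = fh.read()
        for exe in launched_exes(data):
            exe_path = os.path.join(root, exe)
            present = os.path.isfile(exe_path)
            findings.append((lnk_path, exe, present, present and is_hidden(exe_path)))
    return findings
```

Run scan_drive(r'E:\') against the mounted drive root; a shortcut that launches a present, hidden .exe is the pattern worth pulling for analysis.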

Thanks a lot to Eli Brown for sharing great insights on the infection behavior of Kelihos.

We continue our research on the Kelihos botnet and will try to provide as many insights about the botnet as we can.