CPL malware analysis, part 2

    The fact that in most cases the URLs are stored in plain text, or the decryption key is located in the decryption function itself, allows us to extract these URLs automatically from many CPL malware samples using a special script. In the case of a sample that stores strings in clear text, the string with the address can be extracted directly from the CPL file. Otherwise, that is, in the case when the string with the address is encrypted, the script analyzes the decryption function in which the key is stored. The exception was some malware samples for which the script could not decrypt the encrypted lines. In such samples, the decryption key was not available in the function, but was located in the resources of the CPL file. To extract the key from there, the malicious code uses standard APIs for working with resources:FindResource , LoadResource , SizeofResource and LockResource . The resource itself, in which the decryption key is located, is encrypted.

    Fig. Sample CPL malware with a key to decrypt strings in resources.

    As we mentioned above, the entry point to the DllMain library is executed before the exported CPlApplet function and does not contain any malicious code in most samples. However, in some samples, we found a special Anti-VM code that allowed the malware to detect the virtual machine environment. The screenshot below shows a fragment of such code from DllMain .

    Fig. A code snippet of the CPL malware function that checks the OS environment for a virtual machine.

    The above code is responsible for checking the environment of three different environments: Wine, VMware, Virtual PC. If any of them is present, the save_str function is called . This function stores in memory a string describing the type of medium. Further, the CPlApplet function code will check the contents of this line the first time it is called. The presence of an identifier of one or another medium signals the CPlApplet function code to complete its execution without executing a code block that processes the main message CPL_DBLCLK.

    The figure below shows the code for checking the Wine environment. To do this, the GetProcAddress function is called.to get the addresses of the ntdll! wine_get_version and ntdll! wine_nt_to_unix_file_name functions . Obviously, such exports are absent in the usual system.

    Fig. Wine Environment Verification Code.

    A similar screenshot below shows the CPL malware code from DllMain , which is responsible for checking VMware's environment. The well-known mechanism for obtaining a version of VMware using I / O ports is used for this. This check is possible because the virtual machine code takes control of the in statementthe processor. The instruction is used for interaction between a virtual machine and VMware software running on a user's system (host). The screenshot shows the arguments of this instruction, which lead to the value “VMXh” being returned as the value to the calling code in the ebx register .

    Fig. VMware environment verification code.

    For Virtual PC, the verification is presented below, while it can be seen that it is performed by executing special instructions from the vpcext processor . In a normal OS environment that is not running in a virtual machine, executing this instruction will throw an exception.

    Fig. Virtual PC environment verification code.

    We mentioned that CPL malware is used as downloaders or downloaders to download other malware into the system. In our case, the downloaded malware is a banking trojan, although any other type of malware can be used instead.

    We observed several samples of banking trojans that are loaded with CPL malware. All of them had similar characteristics. One of the banker samples we examined has the following SHA-1: 3C73CA6A3914A6DF29F01A895C4495B19E71A234. This executable file is not packaged and the lines found there directly indicate its functions, they are listed below in the list.

    • Tracking events and mouse cursor movements, keystrokes, and keyboard layouts. For example, “[enter]”, “[esp]”, (spacebar), “[cima]” (up arrow), “[baixo]”, (down).
    • Functions for processing and working with sockets.
    • Functions for interacting with a remote server using an encrypted SSL connection.
    • Processing Portuguese messages related to online banking operations. "Utilize o teclado virtual."
    • Support for various network protocols, for example, “ftpTransfer”, “mailto:”, “: //”, “HTTP / 1.0 200 OK”.
    • Collection of account data for Internet services.
    • Some lines are encrypted using the algorithm used in CPL malware samples. The screenshot below shows such lines.

    Fig. Encrypted strings of banking malware.

    We were able to decipher these lines, and we received additional information about what functions the banking trojan performs and what services it focuses on. Lines contain the following information.

    • Names of Brazilian financial institutions and banks: Sicredi, Banco Itaú, Santander, Bradesco, bb.com.br (Banco do Brasil), Caixa.
    • Support for compromising the following browsers: Chrome, Opera, Firefox, IE, Safari.
    • URLs: "hxxp: //www.sonucilaclama.com.tr/plugins/editors-xtd/pagebreak/oi/html/h/lg.php", "hxxp: //www.cvicak-polanka.cz/b /notify.php "," hxxp: // "
    • Tracking keystrokes such as “[Backspace],” “[Page Up],” “[Page Down].”
    • Data files and temporary files.
    • Rows of various user agents.
    • Commands like "cmd / c taskkill / f / im dwm.exe / t".

    Thus, the analyzed bankers included the following features: introducing malicious code into certain processes, injecting fake forms and text input fields into legitimate web pages, capturing user-typed characters on the keyboard and tracking the mouse cursor, encrypted interaction with a remote C & C server .

    The diagram below shows the dynamics of the prevalence of malicious CPL files, according to the virus laboratory of our Latin American office.

    Fig. Statistics of malicious CPL files in comparison with other DLL and EXE files.

    The graph above shows the dynamics and the relationship between the types of executable files in the interval between 2009 and the first months of 2015. Since mid-2011, the growth of CPL malware files arriving at our virus lab has begun. Then this growth stabilized, but from mid-2013 resumed its trend.

    The chart below shows statistics on the distribution of malicious samples of CPL malware by year. It can be seen that only for 2013 and 2014 the number of such samples was 90% of the total flow of such malicious programs.

    Fig. Distribution of CPL file discoveries by year.

    Of the more than 1,500 CPL malware samples that we observed, 82% of the detections were from the Win32 / TrojanDownloader.Banload bootloader. This malware family has prevailed in Brazil for many years. Our ESET LiveGrid telemetry system also points to Brazil as the country that has suffered the most from the actions of this malware (the largest number of infections).

    Fig. Distribution geography Win32 / TrojanDownloader.Banload .

    In the diagram below you can see the percentage of Win32 / TrojanDownloader.Banload infections in different countries of the total. It can be seen that Brazil accounted for 76% of all detections in 2014. This fact once again confirms the focus of attackers on this region. The second place is taken by Spain, which accounts for 11 times less infections than Brazil.

    Fig. Win32 / TrojanDownloader.Banload detection statistics in the world.

    This malware also ranks first in Brazil among other types of malware. The threat rating for this country for March 2015 is shown

    below. The most common threats in Brazil.

    Over the course of several malicious campaigns that were used by cybercriminals to spread banking Trojans, we discovered 419 URLs that used about 300 different domains. All these addresses pointed to malware files.

    Of the 298 such domains that we observed between 2013 and 2015, 76 belonged to compromised Brazil domains. Some of the malicious links were shortened using a service like bit.ly. Based on the information collected by these services, we were able to obtain statistics on user clicks on these links and, thus, get the potential number of victims of a malicious campaign.

    The attackers themselves used short link services to hide real URLs from the user's eyes that could reveal the intentions of the attackers. The diagram below shows click-through statistics for shortened links from the beginning of March 2014 to February 2015.

    Fig. The number of clicks on shortened malicious links.

    The table below shows the conversion statistics for several shortened links, as well as the malware that spread through them.

    Another feature that we want to highlight for this malicious campaign and for this type of malware like CPL malware is the statistics of packers and protectors used by cybercriminals to complicate the detection of malware samples by antivirus solutions. As you can see, the most common packer is UPX - 27%.

    Fig. The types of packers and protectors that are used in CPL malware.


    We examined the working mechanisms of this type of malware as CPL malware, as well as some banking malware that are downloaded to the user's computer by this type of malware. To spread CPL malware, attackers use the usual methods of delivering malware that are no different from other cases of malicious campaigns.

    Attackers provide this type of malware with special checks to detect the environment of virtual machines. In addition, they use packers and protectors to complicate the detection of CPL malware from AV products.

    Also popular now: