Tuesday, 6 June 2017

Chthonic Trojan is back in nation-state cyberattack against Ukraine

Recently, we discovered a nation-state cyber attack against one government institution in Ukraine. 
The attackers sent a spear phishing email that contained the archived JavaScript used to download and execute the Chthonic backdoor that belongs to the Zeus family.

Delivery

The 'Scan_CK17.js' is obfuscated.


Once a victim starts JS, it downloads the Chthonic backdoor as text.


Then, the script saves the backdoor as:
%TEMP%\<4 random characters>.exe
and executes the backdoor through cmd:


The backdoor is packed using polymorphic encryptor UPolyX and, therefore, has a low detection rate on Virustotal (8/62):


Installation

The trojan drops and executes the following file:
%Application Data%\Identities\AgentIdentities.exe (MD5: b9e73cfcef3b10eff211d97c790512bf)
Then, the backdoors's code is injected into the 'Explorer.exe' process.


С&C connection

The spyware sends an encrypted check-in request to the C&C server. According to WhoIs, the C&С domain was registered on June 1, 2017.
http://nicoraguanetingfromsallercigar.com/ (13.58.7.176) 
The resolved IP belongs to Amazon EC2 (WhoIs), which means the attacker runs C&C server in the Amazon Cloud.



Attribution

Because of using Amazon EC2 to run the virtual C&C instance, it is hard to attribute the attack to some party. However, the domain registered in RU TLD, which the script resolves to download the backdoor, points to the Russia as well as the email written in Russian.

Backdoor capabilities

The Chthonic backdoor may have the following capabilities implemented as the separate modules:
  • Collecting of system information
  • Passwords stealing 
  • Web injecting and grabbing of web forms
  • Remote access (VNC)
  • Proxy server
  • Video recording from a web camera
The current version of the Chthonic backdoor installs user-mode hooks to WININET.dll, CRYPT32.dll, USER32.dll, WS2_32.dll, ntdll.dll that enables the following spying capabilities:
  • Sniffing network traffic
  • Intercepting Windows messages (keylogger)
  • Grabbing screenshots
  • Getting clipboard data
  • Stealing imported certificates (private keys)

Nioguard Analysis Report

You can find the detailed analysis report of the used Chthonic backdoor in Nioguard Analysis System by MD5: 25301c72a08aad8cfcc3490e227842c8.

Existing Zeus/Chthonic Yara and ET rules can be used to detect the running attack.
  • ET TROJAN Chthonic CnC Beacon 6
  • ET TROJAN Chthonic Check-in
  • Yara: TrojanPSWZbot
Network IoCs

http://avakovinfoword5manager.ru/
http://omcrl.zp.ua/
http://nicoraguanetingfromsallercigar.com/ - C&C
13.58.7.176

UPDATE:
Analyzing the targeted attack with Maltego, Virustotal, and Nioguard Analysis System

No comments:

Post a comment