1und1 PHP Script and Compromised WordPress Sites Spreading Malware
Monday, January 20, 2014 | Author: Deep Flash
Today I came across a piece of malware hosted on several compromised WordPress sites. The PHP script that triggers the download of the archived malware, 1und1.php, was found on several of them.

The name of the archive file is:

Rechnung_Monat_Januar_2014.zip

This archive has the following malicious file:

pdf_Online_Rechnung_Id_9287474290248_fur_den_Monat_Januar_2014_1und1_Telecom_GmbH.exe

It has the icon of a PDF file even though it is an executable.

I performed a quick analysis of this malware to see what it does. Below is a summary:

1. Copies itself to the following location:

C:\Documents and Settings\Administrator\Application Data\KB00119649.exe

The file name mimics Microsoft hotfix naming (KB*) so that it blends in with legitimate patch files.

2. Creates a startup registry entry which points to the above file.

HKU\\Software\Microsoft\Windows\CurrentVersion\Run\KB00119649.exe

3. Creates a batch file in the %temp% folder that deletes the original copy of the malware once it has been copied to the %AppData% directory.

4. Starts a new process running the replicated copy from the %appdata% directory.

5. Injects code into the explorer.exe process. The injection method is the basic sequence:

OpenProcess(), VirtualAllocEx(), WriteProcessMemory() and CreateRemoteThread()

6. Hooks the following APIs (using inline hooks) after injecting its code into explorer.exe:

LdrLoadDll()
ZwResumeThread()
InitializeSecurityContextA()
SealMessage()
UnsealMessage()
DeleteSecurityContext()

7. Sends an HTTP POST request to bestofthewest.ru, as shown in the network-capture screenshot below.

POST request to: http://bestofthewest.ru/hmW/t/v9kmJCAAAAA/OpVkYDAAAA/


The traffic is encrypted.

8. Creates the registry entry:

HKU\\Software\Microsoft\Windows NT\S%08X\

9. Mutexes created:

XMM00000E38
XMI00000E38
XMR9241752F

10. Directory created:

C:\Documents and Settings\Administrator\Application Data\4CECCBC0

DNS queries were observed to:

onlyproxies.ru
bestofthewest.ru
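The host-side indicators in steps 1 to 10 above (the KB-style Run entry pointing into Application Data, the mutex names, the two domains and the MD5) can be turned into a simple triage check. The script below is an added example, not part of the original post: it encodes those indicators and runs them over constructed sample data (a fake Run-key dump, resolver log lines and mutex/hash lists, none of them captured from a real host). The Run-key rule is written generically, flagging any KB<digits>.exe autostart whose target sits in a user's Application Data folder rather than only the exact name seen here; the mutex and hash matches are exact and therefore only catch this particular sample.

```python
import re

# Indicators as listed in the write-up above.
KNOWN_MD5 = "d28899d9ec1d3141ec31604bda6b63ae"
KNOWN_MUTEXES = {"XMM00000E38", "XMI00000E38", "XMR9241752F"}
KNOWN_DOMAINS = {"bestofthewest.ru", "onlyproxies.ru"}

# Generic rule for the persistence trick: a Run value named like a Microsoft
# hotfix (KB + digits + .exe) whose target lives in a user profile's
# Application Data folder. Real hotfixes are never autostarted from there.
KB_NAME_RE = re.compile(r"^KB\d{6,10}\.exe$", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\(Application Data|AppData\\Roaming)\\", re.IGNORECASE)


def check_run_entries(entries):
    """entries: (value_name, command) pairs read from a ...\\CurrentVersion\\Run key."""
    return [("run_key", name, cmd) for name, cmd in entries
            if KB_NAME_RE.match(name) and APPDATA_RE.search(cmd)]


def check_dns_log(lines):
    """Flag resolver log lines that mention one of the known C2 domains."""
    hits = []
    for line in lines:
        low = line.lower()
        for domain in KNOWN_DOMAINS:
            if domain in low:
                hits.append(("dns", domain, line.strip()))
    return hits


def check_mutexes(names):
    """Exact match against the mutex names observed in the sample."""
    return [("mutex", m, "") for m in names if m in KNOWN_MUTEXES]


def check_hashes(md5s):
    """Exact match against the MD5 of the dropped executable."""
    return [("md5", h, "") for h in md5s if h.lower() == KNOWN_MD5]


# --- constructed sample data (not captured from a real host) ---
SAMPLE_RUN = [
    ("KB00119649.exe", r"C:\Documents and Settings\Administrator\Application Data\KB00119649.exe"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    # KB-style name but not under Application Data: must NOT be flagged.
    ("KB00000001.exe", r"C:\WINDOWS\Temp\KB00000001.exe"),
]
SAMPLE_DNS = [
    "Jan 20 10:15:02 resolver query[A] bestofthewest.ru from 192.0.2.10",
    "Jan 20 10:15:05 resolver query[A] update.microsoft.com from 192.0.2.10",
    "Jan 20 10:16:41 resolver query[A] onlyproxies.ru from 192.0.2.10",
]
SAMPLE_MUTEXES = ["XMM00000E38", "ShimCacheMutex", "XMR9241752F"]
SAMPLE_MD5S = ["d28899d9ec1d3141ec31604bda6b63ae", "0123456789abcdef0123456789abcdef"]


def scan_sample():
    """Run every check over the constructed data and return all hits."""
    hits = []
    hits += check_run_entries(SAMPLE_RUN)
    hits += check_dns_log(SAMPLE_DNS)
    hits += check_mutexes(SAMPLE_MUTEXES)
    hits += check_hashes(SAMPLE_MD5S)
    return hits


if __name__ == "__main__":
    for kind, indicator, context in scan_sample():
        print(f"{kind:8} {indicator}  {context}")
```

On a live Windows host the Run entries would be read with winreg from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and the mutex names taken from a handle-listing tool; here they are hard-coded so the example runs anywhere. Of the four checks, the Run-key rule is the one worth keeping as a general detection, since the exact mutex names and hash change with every rebuild of the malware.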

Below is the list of WordPress sites on which the 1und1.php script is hosted.

http://www.bondibeachradio.com.au/wp-admin/1und1.php/
http://k-masterskaya.ru/wp-content/plugins/1und1.php/
http://www.maxiapps.eu/1und1.php
http://www.anandexports.org/wp-content/plugins/braille/1und1.php
http://swinefluinfluenza.net/generator/1und1.php
http://o365.gr/wp-includes/1und1.php
http://onlineeduchoice.com/wp-content/themes/twentytwelve/1und1.php
http://natalya-emelkina.com/wp-content/uploads/2013/12/1und1.php
http://matteforklaring.no/statistikk/1und1.php
http://luckymobile.ru/wp-includes/1und1.php
http://med-fusion.net/wp-admin/1und1.php
http://mantado.me/1und1.php
http://kylie-walters.com/wp-content/plugins/1und1.php
http://gosmartrepair.com/wp-content/plugins/akismet/1und1.php
http://hillsbarfoundation.com/hiddenpress/wp-content/themes/1und1.php
http://impresoraytonerxerox.com/wp-content/plugins/wp-post-icon/1und1.php
http://howtobuildaresponder.com/wp-content/themes/1und1.php
http://gosensations.com/libs/spaw2/plugins/core/lib/theme/spaw2/templates/1und1.php
http://o365.gr/wp-includes/1und1.php/
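Every URL in the list above places a stray PHP file somewhere WordPress itself never writes one: inside the wp-admin or wp-includes core directories, directly in the root of wp-content/plugins or wp-content/themes (plugins and themes live in subdirectories), or under wp-content/uploads, which should hold no PHP at all. The following is an added example, not code from the post or from WordPress, that encodes those placement rules and checks a constructed file listing. The allow-lists for the plugins and themes roots (index.php, plus the bundled hello.php plugin) are the files a stock install ships there.

```python
import os
import posixpath

# Files that a stock WordPress install places directly in these directories.
PLUGIN_ROOT_ALLOW = {"index.php", "hello.php"}
THEME_ROOT_ALLOW = {"index.php"}
# Dropper filename from the write-up above.
DROPPER_NAMES = {"1und1.php"}


def classify(relpath):
    """Return a reason string if relpath (relative to the webroot) is a PHP file
    in a location where WordPress never puts one, else None."""
    p = relpath.replace("\\", "/").lstrip("/")
    name = posixpath.basename(p)
    if not name.lower().endswith(".php"):
        return None
    if name.lower() in DROPPER_NAMES:
        return "known dropper filename"
    parts = p.split("/")
    if parts[:2] == ["wp-content", "uploads"]:
        return "PHP file under wp-content/uploads"
    # len(parts) == 3 means the file sits directly in the plugins/themes root,
    # not inside a plugin or theme directory.
    if parts[:2] == ["wp-content", "plugins"] and len(parts) == 3 and name not in PLUGIN_ROOT_ALLOW:
        return "PHP file directly in plugins root"
    if parts[:2] == ["wp-content", "themes"] and len(parts) == 3 and name not in THEME_ROOT_ALLOW:
        return "PHP file directly in themes root"
    return None


def find_suspicious_php(relpaths):
    """Apply classify() to an iterable of webroot-relative paths."""
    return [(p, reason) for p in relpaths for reason in [classify(p)] if reason]


def walk_webroot(root):
    """Yield webroot-relative paths for a real install (os.walk based)."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            yield os.path.relpath(os.path.join(dirpath, f), root).replace(os.sep, "/")


# Constructed file listing modelled on the placements seen in the URL list above.
SAMPLE_TREE = [
    "wp-admin/1und1.php",
    "wp-admin/admin.php",
    "wp-includes/class-wp.php",
    "wp-content/plugins/1und1.php",
    "wp-content/plugins/hello.php",
    "wp-content/plugins/index.php",
    "wp-content/plugins/evil.php",
    "wp-content/plugins/akismet/akismet.php",
    "wp-content/themes/index.php",
    "wp-content/themes/twentytwelve/index.php",
    "wp-content/uploads/2013/12/shell.php",
    "wp-content/uploads/2013/12/photo.jpg",
]

if __name__ == "__main__":
    for path, reason in find_suspicious_php(SAMPLE_TREE):
        print(f"{reason:40} {path}")
```

For wp-admin and wp-includes a placement rule is not enough, since the dropper could carry any filename; there the right check is to compare the directory contents against the core release checksums (for example with WP-CLI's `wp core verify-checksums`), which reports both modified core files and files that should not exist at all.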

Here is the malicious 1und1.php script obtained from one of the compromised servers:


Directory listing from one of the compromised WordPress sites:


MD5 hash of the malicious executable: d28899d9ec1d3141ec31604bda6b63ae

c0d3inj3cT