C2 Malware Targets Battle.Net Accounts

Police? Yes, I lost my lvl 100 mage...

Executive Summary

I recently came across an interesting sample being spread through Java exploits in the wild which appeared to do nothing more than download some additional credential stealing/account harvesting malware and delete a victim's Battle.net account information. Based upon the targeting, it seems the author has a bone to pick with Korean gamers for whatever reason, but my current conjecture is it's probably because of their epic dominance of StarCraft. Battle.net accounts are also used in other large popular online games including Diablo III and World of Warcraft, both of which have substantial online economies built around them where players can buy and sell equipment and resources using actual currency. The interesting aspect of these particular samples is the use of Sourceforge account pages as a means of command and control in addition to public blog sites. The nationality of the author is speculative, based on Chinese language resources in 2nd stage payloads as well as the fact that the username gao200511 was used in one of the very first Sourceforge C2s and the email address gao200511@gmail.com was used to make several posts in association with a well-known Chinese hacking group, Ph4nt0m.



The exploit used a malicious Java applet embedded in the HTML, which upon successful exploitation executes a binary stored as a byte array within the same page. The binary is written to the user's %temp% folder with the name rund11.exe and executed.

<applet archive="game.jar" code="MainCls.class" width="0" height="0">
<param name="datas" value="4D5A900003…" />

Binary Details:
MD5: 147A7E889B2CCE1E46DF8B041B6A3D74
File Size: 53,760 Bytes

File System Changes:

  • %temp%\v3liverun.exe

Volatile Evidence:

  • %systemroot%\system32\test.dat (deleted)
    Note: test.dat is used to test write permission to the system directory
  • %temp%\rund11.exe (deleted)

Registry Changes:

  • HKLM\Software\Microsoft\Windows\Help\Help Version (Encoded C2)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AhnLab V3Lite Update Process
  • HKLM\Software\Blizzard Entertainment\Battle.net\Identity (Deletes this Key if Present)
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin -> 0 (Vista and Above)

Persistence Mechanism:

  • Registry Run Key in the Current User's Profile:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AhnLab V3Lite Update Process, which points to %temp%\v3liverun.exe

The binary employs a simple ordinal encoding to obfuscate C2 information and the names of API functions that would otherwise potentially trigger AV heuristics. The Python function below can be used to decode these strings.

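def decode_easy(st):
    # Each character is stored as its three-digit decimal ordinal.
    out = ''
    for i in range(0, len(st) // 3):  # integer division (works on Python 2 and 3)
        num = st[(i*3):(i*3)+3]
        out += chr(int(num))
    return out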

Figure 1: Python Script to Decode Strings in Binary

For example, using the script above on the following string 104116116112115058047047115111117114099101102111114103101046110101116047117115101114115047110101119045119111114108100 decodes to https://sourceforge.net/users/new-world. Once rund11.exe is executed it checks for Internet connectivity by making a TCP connection to www.naver.com. If successful, the binary will then connect to the C2, https://sourceforge.net/users/new-world, using standard HTTPS on TCP port 443. It also makes the same request over HTTP using a static User-Agent, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322).

    GET /users/new-world HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: sourceforge.net

Figure 2: HTTP Request to "sourceforge.net"

The page retrieved will look something like the screenshot below:

Figure 1

The malware reads the <title> tag within the returned HTML and decodes its contents to obtain an additional website to contact. The following Python snippet can be used to decode the command above:

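def decode_url(st):
    out = ''
    for ch in st:
        i = ord(ch)
        if i == 0x59:            # 'Y' encodes '.'
            out += chr(0x2E)
        elif i == 0x58:          # 'X' encodes '/'
            out += chr(0x2F)
        else:
            # Letters are shifted by 5, wrapping around at the top of the range.
            if i < 0x76:
                new = i + 0x5
            else:
                new = i - 0x15
            out += chr(new)
    return out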

Figure 3: Python Snippet to Decode Embedded Instructions

Using the decode script above on the string rrrYvkmdghpndxYxjhXuYbda yields the website, www.aprilmusic.com/z.gif. The malware also stores the encoded value retrieved from the page in the registry key HKLM\SOFTWARE\Microsoft\Windows\Help\Help Version. It will then connect to this website and download, decode, and execute the file. The z.gif file was actually an executable encoded by a single byte XOR against the key 0x95 and renamed with a GIF extension. This particular sample also connected to kooor1.blogspot.kr on TCP port 80 after the initial check-in, using a hardcoded User-Agent. This site appears to be some kind of simple counter used by the attackers, as no content resided on the webpage.

GET /2013/03/kor.html?m=1 HTTP/1.0
User-Agent: Mozilla/5.0 (iPhone:U;CPU iPhone OS 4_1 like Mac OS X;zh-cn) AppleWebKit/532.9(KHTML,like Gecko)Version/4.0.5 Mobile/8B117 Safari/6531.22.7
Host: kooor1.blogspot.kr
Pragma: no-cache

Figure 4: Additional HTTP Request Sent by the Malware
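The two hardcoded User-Agent strings above lend themselves to proxy-log hunting. The following is an added example, not code from the original write-up: it flags clients that request a SourceForge user profile page with the MSIE 6.0 string, or that send the counter User-Agent anywhere. The tab-separated log layout, the client addresses and the function names are assumptions made for the example.

```python
import re

# Hardcoded User-Agent strings, copied from the two requests shown on this page.
UA_CHECKIN = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
              ".NET CLR 1.1.4322)")
UA_COUNTER = ("Mozilla/5.0 (iPhone:U;CPU iPhone OS 4_1 like Mac OS X;zh-cn) "
              "AppleWebKit/532.9(KHTML,like Gecko)Version/4.0.5 "
              "Mobile/8B117 Safari/6531.22.7")
# A bare SourceForge user profile page, the kind of URL used for the check-in.
SF_PROFILE = re.compile(r"^/users/[^/?#]+/?$")

def classify(host, path, ua):
    """Return a rule name for one request, or None if it does not match."""
    # As printed above, the counter UA has a colon after "iPhone" and no
    # spaces between tokens, so an exact match is a strong signal on its own.
    if ua == UA_COUNTER:
        return "counter-ua"
    # The MSIE 6.0 string also appears on legacy hosts, so require the
    # profile-page destination as well.
    if ua == UA_CHECKIN and host == "sourceforge.net" and SF_PROFILE.match(path):
        return "sf-profile-checkin"
    return None

def scan(lines):
    """Map client address -> set of rule names that fired for that client."""
    hits = {}
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 6:
            continue  # skip malformed records
        _ts, client, _method, host, path, ua = fields
        rule = classify(host.lower(), path, ua)
        if rule:
            hits.setdefault(client, set()).add(rule)
    return hits

def rec(client, host, path, ua):
    """Build one constructed record: time, client, method, host, path, UA."""
    return "\t".join(["2013-03-20T10:00:00Z", client, "GET", host, path, ua])

# Constructed sample log; only the hosts, paths and UAs quoted on this page are real.
SAMPLE_LOG = [
    rec("10.0.0.5", "sourceforge.net", "/users/new-world", UA_CHECKIN),
    rec("10.0.0.5", "kooor1.blogspot.kr", "/2013/03/kor.html?m=1", UA_COUNTER),
    rec("10.0.0.9", "sourceforge.net", "/projects/example/", UA_CHECKIN),
    rec("10.0.0.7", "sourceforge.net", "/users/someone", "ExampleBrowser/1.0"),
]

if __name__ == "__main__":
    for client, rules in scan(SAMPLE_LOG).items():
        print(client, sorted(rules))
```

A client that trips both rules, like 10.0.0.5 in the constructed log, matches the full check-in sequence described above and is the one to triage first.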

The rund11.exe binary will copy itself to the location %temp%\v3liverun.exe and delete itself after successful communication with the C2. It also creates a simple Run Key under the name AhnLab V3Lite Update Process in the current user's profile to establish persistence.

Z.gif Details:
MD5: E971CB0728BE598EC4E5BB4CF4C866D2
File Size: 189,952 Bytes
MD5 After XOR: F77B6F92909FB7B9F223279D76DE49BE

Y.gif Details:
MD5: 4C4766CF77FCD49EAC1A589A75507BC2
File Size: 145,408 Bytes
MD5 After XOR: 85A4A9CF756B751A1C986CEE76485929
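The "MD5" and "MD5 After XOR" pairs above can be reproduced for any captured download with a short triage script. This added example (not from the original analysis) goes slightly beyond the fixed key 0x95: it recovers a single-byte XOR key from the known "MZ" header, confirms the decoded data has a PE signature, and hashes both forms. The function names and the tiny header stub used as input are constructed for the example.

```python
import hashlib
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")

def recover_xor_key(blob):
    """Known-plaintext key recovery: a PE file starts with 'MZ' (0x4D 0x5A)."""
    if len(blob) < 2:
        return None
    key = blob[0] ^ 0x4D
    return key if blob[1] ^ key == 0x5A else None

def looks_like_pe(data):
    """Check the DOS header and the PE signature that e_lfanew points to."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage_fake_gif(blob):
    """Report whether a '.gif' download is really a single-byte-XOR-encoded PE."""
    report = {"is_gif": blob[:6] in GIF_MAGICS,
              "md5_raw": hashlib.md5(blob).hexdigest().upper(),
              "key": None, "is_pe": False, "md5_decoded": None}
    key = recover_xor_key(blob)
    if key is None:
        return report
    decoded = bytes(b ^ key for b in blob)
    if looks_like_pe(decoded):  # two matching bytes alone could be chance
        report.update(key=key, is_pe=True,
                      md5_decoded=hashlib.md5(decoded).hexdigest().upper())
    return report

def constructed_sample(key=0x95):
    """Constructed input: a minimal DOS/PE header stub, XOR-encoded with `key`."""
    stub = bytearray(0x48)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    return bytes(b ^ key for b in stub)

if __name__ == "__main__":
    print(triage_fake_gif(constructed_sample()))
```

Because zero bytes in the original executable become the key byte after encoding, long runs of 0x95 in a supposed GIF are a quick visual tell before any decoding is attempted.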

Numerous other binaries were also stored on the compromised aprilmusic.com website as one-letter GIF files. The site appears to be a legitimate Korean audio equipment dealer. It should also be noted that between the time of initial analysis and this write-up the command was also changed to rrrYvkmdghpndxYxjhXtYbda, which decodes to www.aprilmusic.com/y.gif. The two binaries were substantially different: z.gif dropped a keylogger implemented as a kernel driver that was only activated once a user visited specific websites, while y.gif dropped a browser helper object that harvested credentials from Paypal, MtGox (bitcoin), and two popular online game trading platforms. Cylance Labs is continuing to investigate and will post any interesting details as they arise.

Prior C2 Information

Sourceforge.net C2 Pages:

  • http://sourceforge.net/users/findjob
  • http://sourceforge.net/users/jjyy123
  • http://sourceforge.net/users/live123
  • http://sourceforge.net/users/donews
  • http://sourceforge.net/users/gao200511

All of these user accounts have been shut down by Sourceforge at the time of this write-up, but were actively used in similar samples in the past as well as the following blog sites:

Blog Page Counters:


Additional Encoded GIF Malware Sites:
