Now that we have had a good amount of time to work on this project, we have been able to analyze multiple malware samples. One of the samples we reviewed was a RAT (Remote Access Trojan) commonly referred to as DarkComet. A RAT is software that lets a person control a system remotely as if they were sitting in front of it. The operator can interfere with the system with a single click and does not need to understand how the code works to, for example, have Skype send a message to all of your contacts.
The other was a form of what is referred to as “scareware”, more specifically a sample known as Hicurdismos, whose purpose is to convince the user that help from an external source is required to fix their computer. Hicurdismos displays a fake blue screen crash notification with a tech support number to call. We took it upon ourselves to investigate the procedure behind convincing users that there are problems with their computers, and how these “Microsoft Tech Support” representatives coerce people into paying for their scam service.
Within this project we are using a number of malware analysis tools. Below is a list of the ones we have been working with.
- CFF Explorer
- DiE (Detect It Easy)
- Sysinternals Suite (Process Monitor in particular)
- Wireshark
- ThreatAnalyzer
Static Analysis – DarkComet
To begin, we performed some static analysis with CFF Explorer and DiE to learn basic information about the sample. CFF Explorer showed that it is a 32-bit executable, that it was originally named MSRSAAP.EXE and describes itself as a remote service application, and that its PE header timestamp reads March 27th 2017 at 9:37 AM. That timestamp is the linker's TimeDateStamp stored inside the file, not the time the file was created on our system, and since it is entirely under the author's control it should be treated as a hint rather than evidence. CFF Explorer also showed us hashes for the sample.
Next, we used CFF Explorer to look at the functions the malware imports. The sample has an unusually large number of sections and a long import table. Many of the imported functions are suspicious in context, so we will not list them all, but a few interesting ones were ShellExecuteExA, RaiseException, RegDeleteKey, and RegCreateKey.
ShellExecuteExA lets the sample launch other programs, including command shells, and when it is called with the “runas” verb it triggers a UAC elevation prompt, so it can be the route to administrative privileges. RaiseException does not grant privileges: it throws a Windows structured exception, which appears in ordinary error handling and in anti-debugging tricks. RegCreateKey and RegDeleteKey let the sample create and delete registry keys. Creating keys is normal for most programs, and deleting them is not abnormal on its own, but combined with the rest of the behaviour it suggests the malware is tampering with the settings that control security features, hiding its presence, or denying you access to parts of your own system. Imports only tell you what the code can call; they are a reason to look closer, not proof.
Next, we used DiE (Detect It Easy) to determine whether the sample was packed. DiE reported that it was not packed by any packer it recognises, so the code was probably not obfuscated either, although packing and obfuscation are separate things and an unpacked binary can still hide its strings or control flow. We again noticed the large number of sections, which is something to look out for when analyzing malware: odd or unfamiliar section names that do not match a known compiler or linker are a signal worth investigating.
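The checks CFF Explorer and DiE gave us can be reproduced in a few lines of code. The following is an added example, not part of the original project and not DarkComet's code: it reads the COFF header and section table of a PE file with Python's standard library and applies the two hints discussed above, unusual section names and the linker timestamp. The PE bytes are constructed in memory as stand-in headers with no code, and the section name `.kfqa`, the eight-section threshold and the sample timestamp are assumptions chosen to illustrate the checks, not values taken from the sample.

```python
"""PE header triage in the spirit of CFF Explorer / DiE (added example).

The bytes built by build_fake_pe() are a constructed stand-in with valid
headers and no code; they are NOT the DarkComet sample.
"""
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664

# Section names that common MSVC, MinGW and Delphi builds emit. Anything else
# is worth a second look; packers and injected stubs usually add their own.
COMMON_SECTIONS = {
    ".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc",
    ".bss", ".tls", ".pdata", ".CRT", "CODE", "DATA", "BSS",
}
TYPICAL_SECTION_COUNT = 8          # heuristic threshold (assumption)


def build_fake_pe(sections, timestamp, machine=IMAGE_FILE_MACHINE_I386):
    """Construct a minimal PE32 image in memory: DOS stub, COFF header,
    an all-zero optional header and one section header per name."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH",
                       machine, len(sections), timestamp,
                       0, 0,          # PointerToSymbolTable, NumberOfSymbols
                       224,           # SizeOfOptionalHeader for PE32
                       0x0102)        # EXECUTABLE_IMAGE | 32BIT_MACHINE
    optional = struct.pack("<H", 0x10B) + b"\0" * 222   # PE32 magic + zeros
    headers = b""
    for name in sections:
        headers += struct.pack("<8sIIIIIIHHI",
                               name.encode("ascii").ljust(8, b"\0"),
                               0x1000, 0x1000, 0x200, 0x400,   # sizes/offsets
                               0, 0, 0, 0,                     # relocs/lines
                               0x60000020)                     # CODE|EXEC|READ
    return dos + b"PE\0\0" + coff + optional + headers


def parse_pe(data):
    """Return machine type, bitness, link timestamp (UTC) and section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    first_section = coff + 20 + opt_size
    names = [
        struct.unpack_from("<8s", data, first_section + 40 * i)[0]
        .rstrip(b"\0").decode("ascii", "replace")
        for i in range(nsect)
    ]
    return {
        "machine": machine,
        "bits": 64 if machine == IMAGE_FILE_MACHINE_AMD64 else 32,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
        "sections": names,
    }


def triage(info):
    """Hints an analyst would note. None of them is proof of anything."""
    findings = []
    odd = [s for s in info["sections"] if s not in COMMON_SECTIONS]
    if odd:
        findings.append("unusual section names: " + ", ".join(odd))
    if len(info["sections"]) > TYPICAL_SECTION_COUNT:
        findings.append(f"{len(info['sections'])} sections, more than a typical build")
    # TimeDateStamp is written by the linker and trivially forged: it says
    # nothing about when the file reached the victim host.
    if info["timestamp"] > datetime.now(timezone.utc):
        findings.append("link timestamp lies in the future (forged or clock skew)")
    return findings


# Constructed sample: the section names a typical Delphi build emits plus one
# odd name (".kfqa" is an assumption, not a name from the real sample).
SAMPLE_SECTIONS = ["CODE", "DATA", "BSS", ".idata", ".tls",
                   ".rdata", ".reloc", ".rsrc", ".kfqa"]
SAMPLE_TIMESTAMP = int(datetime(2017, 3, 27, 9, 37, tzinfo=timezone.utc).timestamp())
SAMPLE_PE = build_fake_pe(SAMPLE_SECTIONS, SAMPLE_TIMESTAMP)

if __name__ == "__main__":
    info = parse_pe(SAMPLE_PE)
    print(f"{info['bits']}-bit, machine 0x{info['machine']:04x}, "
          f"linked {info['timestamp']:%Y-%m-%d %H:%M UTC}")
    print("sections:", ", ".join(info["sections"]))
    for line in triage(info):
        print("!", line)
```

Point `parse_pe` at the bytes of a real file (`open(path, "rb").read()`) to get the same fields CFF Explorer's File Header and Section Headers views show; the import table walk that CFF Explorer also does is deliberately left out here, since it needs the optional header's data directories and RVA-to-offset mapping.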
Dynamic Analysis – DarkComet
To perform dynamic analysis we used the Sysinternals Suite (primarily Process Monitor) to record the malware's file, registry and process activity, and Wireshark to capture its network traffic. We executed the sample on our analysis system with these tools running and watched what it did. We then used ThreatAnalyzer to generate a sandbox report of the same activity, and ThreatAnalyzer confirmed that the sample was a RAT.
Process Monitor showed the child processes spawned after execution. The malware opened multiple command prompts (cmd.exe), which is how a RAT gives its operator a remote shell to execute whatever commands they want.
We already knew broadly what the malware did thanks to the ThreatAnalyzer report and our static analysis, so we used that knowledge to look for evidence of the commands it had executed. For example, we knew that the malware turns off the Windows Firewall, and sure enough when we checked, it was no longer on.
Next, we knew that the malware disables Task Manager. When we tried to open it we got the message that Task Manager had been disabled by the administrator. The malware also appeared to suppress any security notifications we would otherwise have received.
This was confirmed by a registry change we saw under the Microsoft Security Center key.
Process Monitor and Wireshark showed the malware repeatedly trying to connect out to the IP address 192.168.1.21 without success. This is a private (RFC 1918) address, so the sample had been built to call back to a controller on someone else's local network, which does not exist in our lab; the connection failed because nothing was listening there, not because the RAT itself was not running. The data it was attempting to send appeared to be encrypted.
ThreatAnalyzer also reported that the malware dropped a number of files in the Temp, Recent Documents, and Documents folders, but the ones we could find were all empty. We noticed a second folder called My Documents that we were denied access to, along with a few other folders, which we initially thought suspicious, but when we created a fresh AWS instance access was denied there too. That is expected: on Windows Vista and later, “My Documents” inside a user profile is a compatibility junction that points to “Documents”, and it carries a deny entry that blocks directory listing, so browsing it yields Access Denied even on a clean system.
Before we worked that out we tried changing the permissions through the registry, but found that registry editing had also been disabled (Registry Editor refuses to open with a message that it has been disabled by the administrator). We know from ThreatAnalyzer that the malware drops files, but we could not locate any actual copies because of the permission issue. We believe, though we could not confirm it, that the malware copies itself into folders we could not access and registers itself to run again every time the system reboots.
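Process Monitor's findings above (the firewall policy, Task Manager, Security Center and Registry Editor changes, and the spawned command prompts) are easiest to keep track of by exporting the trace to CSV and filtering it. The following is an added example, not part of the original project: a Python script that reads a Process Monitor CSV export and flags successful RegSetValue writes to the policy and Security Center values described above, RegDeleteKey calls, and cmd.exe child processes. The CSV embedded in the script is constructed to resemble such a trace; the PIDs, timestamps, the deleted key under Run and the exact value names are assumptions for illustration, not rows from our capture.

```python
"""Triage a Process Monitor CSV export for the behaviours seen in the
DarkComet run (added example; the CSV below is constructed, not our trace)."""
import csv
import io
import re

# (path pattern, what the write means, data value that indicates tampering)
WATCHED_VALUES = [
    (r"\\Policies\\System\\DisableTaskMgr$",
     "Task Manager disabled", "1"),
    (r"\\Policies\\System\\DisableRegistryTools$",
     "Registry Editor disabled", "1"),
    (r"\\Security Center\\\w*DisableNotify$",
     "Security Center notification suppressed", "1"),
    (r"\\FirewallPolicy\\\w+Profile\\EnableFirewall$",
     "Windows Firewall disabled", "0"),
]

# Constructed sample in Procmon's CSV export layout (assumed PIDs and times).
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:37:12.1034567 AM","MSRSAAP.EXE","2140","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"9:37:12.1134567 AM","MSRSAAP.EXE","2140","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"9:37:12.1234567 AM","MSRSAAP.EXE","2140","RegSetValue","HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"9:37:12.1334567 AM","MSRSAAP.EXE","2140","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"9:37:12.1434567 AM","MSRSAAP.EXE","2140","RegDeleteKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OldEntry","SUCCESS",""
"9:37:12.1534567 AM","MSRSAAP.EXE","2140","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2388, Command line: cmd.exe"
"9:37:12.1634567 AM","MSRSAAP.EXE","2140","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"9:37:13.0001234 AM","explorer.exe","1488","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx","SUCCESS","Type: REG_BINARY, Length: 8, Data: 00 00 00 00 FF FF FF FF"
"9:37:13.0101234 AM","explorer.exe","1488","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","ACCESS DENIED","Type: REG_DWORD, Length: 4, Data: 0"
'''


def data_value(detail):
    """Pull the written value out of Procmon's Detail column."""
    m = re.search(r"Data:\s*(\S+)", detail)
    return m.group(1) if m else None


def triage_procmon(csv_text):
    """Return human-readable findings, in trace order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        who = f"{row['Process Name']}[{row['PID']}]"
        op, path, result, detail = (row["Operation"], row["Path"],
                                    row["Result"], row["Detail"])
        if result != "SUCCESS":
            continue                      # only successful operations changed state
        if op == "RegSetValue":
            value = data_value(detail)
            for pattern, meaning, bad in WATCHED_VALUES:
                if re.search(pattern, path, re.IGNORECASE) and value == bad:
                    findings.append(f"{who}: {meaning} ({path} = {value})")
        elif op == "RegDeleteKey":
            findings.append(f"{who}: deleted registry key {path}")
        elif op == "Process Create" and path.lower().endswith("\\cmd.exe"):
            findings.append(f"{who}: spawned cmd.exe ({detail})")
    return findings


if __name__ == "__main__":
    for line in triage_procmon(PROCMON_CSV):
        print(line)
```

Reads of the same values (RegQueryValue) and failed writes are deliberately ignored, and a benign explorer.exe MRU write produces nothing, so the output is only the state changes that matter; extend `WATCHED_VALUES` with whatever other keys your own trace shows the sample touching.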
Tech Support Scam – Hicurdismos
After the fake crash screen had locked us out and displayed its phone number, we set up our physical environment so we could capture data during the conversation with the “tech support” representative. We chose not to record their voice, to protect their anonymity, but we did record the screen while they navigated our system so we could later review what they tried to do and whether they dropped any additional malware. Being in a lab environment, we needed to conduct the call with limited distractions while keeping our cover intact, so we used a separate office phone and made sure students stayed quiet during the conversation.
First, the representative had us open an HTML Help page and use it to navigate to the website that hosts their remote support application, fastsupport.com.
We were then given a support key that let the representative connect to our system to “fix” our problem. The remote support application is GoToAssist, a legitimate product that tech support scammers routinely abuse: once the victim enters the key, the remote party has full interactive control of the machine.
To distract us, they opened the system information view in Windows Event Viewer and showed us several stopped services, which they claimed were due to malware taking hold of our system. In the background they prepared a command prompt with commands already entered that were also supposed to show the stranglehold this virus had on us.
Anyone even slightly familiar with the Windows command prompt would spot the glaring flaw in this plan. The commands they had typed literally read “virus found <name of virus>”, and directly below each one was the error cmd.exe prints for an unknown command ('virus' is not recognized as an internal or external command, operable program or batch file). When our investigator on the phone asked about the error message, the representative said it was yet another sign of the malware and quickly changed the subject. To convince us further, they opened the template for the HTML Security Risk page and then redirected us to several Wikipedia articles describing the viruses they had named.
We are still unsure why they spent nearly an hour reading the Wikipedia articles on these viruses aloud, verbatim; perhaps it was meant to fatigue us into letting them keep full control, or perhaps it was purely for our education. When the briefing on our computer's “viruses” was finally over, the representative opened Notepad and typed out the services they could provide, the pricing, and fields for us to fill in our credit card information. This was followed by setting a password that would block the computer from starting, likely to force us to call them again later.
An alias for this purpose had been created by a previous Malware Analysis team, so we gave the representative the details from that profile so they could process payment and begin “fixing” our computer. Once they had our payment information, the first thing they did was open Syskey and set a startup password. Syskey does not encrypt the whole system: it encrypts the SAM account database with a key derived from that password and makes Windows demand the password before anyone can log on. The password was not disclosed to us; the intent was that we would eventually reboot, hit an unexpected password prompt, and need more support from them, probably at additional cost. (Microsoft removed syskey.exe from Windows 10 in version 1709 specifically because of this abuse.)
Near the end of the encounter they began installing applications they said would strengthen our security. Before doing so they opened Programs and Features, which revealed several things indicating our system was not a normal desktop: all of the applications we needed to make AWS work in our environment were plainly listed. This did not seem to bother the representative, although it was clear they noticed the strangeness of the environment. They also reviewed our browser history, and we are sure they noticed that the only entries were from that day and all resulted from searches they themselves had made. The representative also opened RegEdit and tried to import a backup registry file that did not exist. The final changes they made were to install several free tools, including CCleaner, Malwarebytes, and Adblock Plus.
We had reached the end of our shift for the day and needed an excuse to end the call abruptly. Another student pretended to be our investigator's parent to provide a quick exit, but we did not disconnect the GoToAssist session yet; we left it open to see whether they would do anything else unsupervised. Since they had already set the startup password, they apparently saw no reason to compromise the system further, believing we would need their help again later. Their final communication was to open a new Notepad window asking us to call them back.
In conclusion, our own analysis, together with the ThreatAnalyzer report, confirmed that the DarkComet sample is malicious. We have determined that it is a remote administration tool that can be used to attack a system. According to our research, it has the ability to take pictures, listen in on conversations, and gain full access to an infected machine. It can steal information on admin rights, username, language, country, operating system, RAM in use, and webcam availability (Source). We did not see DarkComet do any of this ourselves, because each of these actions has to be initiated by the operator from the controller. What we did see was DarkComet setting up everything the operator needs to carry out those commands: disabling the firewall, Task Manager and Registry Editor, suppressing security notifications, spawning command shells, and attempting to call home.
We now fully understand the process behind a tech support scam used in tandem with scareware: how the scammers convince people there are problems with their computers, and how easily they extort money from inexperienced users. The best defence against this form of attack is to educate users about it, so that they can recognise a scam from the actions the other person takes (unsolicited remote access, fake command-prompt “evidence”, demands for payment, and a startup password they never set). By itself, we believe the Hicurdismos sample does nothing except convince the user that their system is compromised; the real threat is a person who simply wants your money.