by Rubio Wu, Anita Hsieh, and Marshall Chen
The Cobalt hacking group was one of the first to promptly and actively exploit CVE-2017-11882 (patched last November) in their cybercriminal campaigns. We uncovered several others following suit in early December, delivering a plethora of threats that included Pony/FAREIT, FormBook, ZBOT, and Ursnif. Another stood out to us: a recent campaign that used the same vulnerability to install a “cracked” version of the information-stealing Loki.
Sold in hacking forums as a password and cryptocurrency wallet stealer, Loki can harvest data from File Transfer Protocol (FTP) clients (e.g., FileZilla), web browsers such as Firefox, Chrome and Safari, and email clients such as Outlook and Thunderbird. It can also pilfer from IT administration tools like PuTTY, a terminal emulator, system console, and network file transfer application. Loki also serves as a malware loader that can record keystrokes.
The use of a pirated malware builder shows how there’s no honor among thieves. Perhaps it was the operators’ cost-saving tactic—a lifetime license for the cracked version, for instance, costs between $60 and $100 in hacking forums. The original service costs between $250 and $450. Buyers need to pay more if they need additional functionalities (like Bitcoin wallet theft) or other services like domain/IP address change.
We also saw advertisements in hacking groups touting an original Loki builder that were actually just cracked versions of it. Despite the use of pirated malware, this specific campaign appears to follow an operation model. This is illustrated by its use of compromised email accounts to send spammed messages to each account’s contact list. It’s possible that the operators use Loki as a conduit for further attacks, given Loki’s capability to steal email client credentials. For now, the campaign is specific in its targets. Affected regions include France, Hong Kong, the U.S., Croatia, India, Australia, South Korea, and Mauritius.
The spam email poses as an Australian shipping company luring would-be victims to download an attached receipt in the form of an Office document. It is actually a dropper; an Object Linking and Embedding (OLE) object embedded in the documents links to another malicious document, hxxp://gamesarena[.]gdn/MS-word2017pa[.]doc. The remote object will be automatically linked and loaded once the victim clicks “Enable Edit” in Microsoft Word.
The remote object is a malformed Rich Text Format (RTF) document (named MS-word-2017pa.doc) that exploits CVE-2017-11882 and downloads an HTML Application (HTA) dropper from hxxp://gamesarena[.]gdn/hta/WqJL[.]hta. The HTA will then retrieve Loki as the final payload from hxxp://gamesarena[.]gdn/games/Pasi[.]exe.
A Cracked Loki
While analyzing one of the final payloads, we saw extra code that tries to overwrite the original command-and-control (C&C) URL soon after the original code decrypts the C&C URL (shown in Figure 5). The added code in the “.x” section decrypts another C&C URL (which we’ve named “Patched C2 URL”) then overwrites the original C&C URL (Figure 6). It seems that the builder generated some extra binary code to overwrite the C&C URL instead of modifying the source code and recompiling the sample. The campaign’s operators likely used a cracked version of the builder.
It appears the campaign’s payload was generated by a builder called “Loki stealer v 1.6 builder”, which has ties to a Russian hacking forum. The builder takes two arguments: a four-character string that serves as the password and the C&C URL. The builder will not create a sample if the password is incorrect; there’s an executable that generates the correct password for the builder. We also found that the password of the builder is generated according to date, which indicates that the “Loki stealer v 1.6 builder” provides its service through a daily password update.
The modification process involves inserting the signature “fuckav[.]ru” into the Binary Identifier (BIN_ID) field in the original Loki. The builder then adds the payload which will decrypt the patched URL and overwrite the original C&C URL into a newly created “.x” section. Instructions are appended for hijacking control flow to the “.x” section after Loki decrypts the original URL.
Figure 8: A Loki builder; the banner shows it was reverse engineered, which indicates it’s a cracked builder—note that the sample generated by the builder is version 0x16, so it should be version 1.8, not 1.6
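A triage check for the two builder artefacts described above, as an added example (not Trend Micro's YARA rule or code): it walks the PE section table looking for a section named `.x` and searches the file for the refanged BIN_ID signature. That the marker is stored as ASCII or UTF-16LE is an assumption, and `build_sample` produces a constructed, header-only image for testing.

```python
import struct

# BIN_ID signature from the article, refanged; its on-disk encoding is an assumption.
MARKER = b"fuckav.ru"

def pe_sections(data):
    """Return [(name, raw_offset, raw_size)] from a PE image's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0" or pe + 24 > len(data):
        raise ValueError("PE signature missing")
    count, = struct.unpack_from("<H", data, pe + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    if table + 40 * count > len(data):
        raise ValueError("truncated section table")
    out = []
    for off in range(table, table + 40 * count, 40):
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        out.append((name, raw_ptr, raw_size))
    return out

def triage(data):
    """Report the two builder artefacts: a '.x' section and the BIN_ID marker."""
    names = [name for name, _, _ in pe_sections(data)]
    marker = MARKER in data or MARKER.decode().encode("utf-16-le") in data
    has_x = ".x" in names
    return {"x_section": has_x, "bin_id_marker": marker, "match": has_x and marker}

def build_sample(names, body):
    """Constructed header-only PE image for testing; not a runnable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    raw_ptr = len(dos) + len(coff) + 40 * len(names)
    table = b"".join(
        n.encode().ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", len(body), 0x1000 * (i + 1), len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(names))
    return dos + coff + table + body

if __name__ == "__main__":
    patched = build_sample([".text", ".rdata", ".data", ".x"], b"\x90" * 16 + MARKER + b"\0")
    print(triage(patched))
    print(triage(build_sample([".text", ".data"], b"\0" * 32)))
```

Either artefact alone is only a hint; requiring both keeps the check tied to the specific modification the article documents.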
Who’s using the cracked builder?
We found 124 unpacked Loki samples on VirusTotal, generated by the same builder. The first sample had a timestamp 2017/05/02. Some of the C&C URLs share similar path patterns with each other. For instance, we found 21 C&C URLs with paths ending in “/five/fre.php” and 18 C&C URLs with paths ending in “/Panel/five/fre.php”. These C&C panels may have been unzipped from kits sharing the same structure or even the same kit.
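One way to reproduce this kind of pivot on an IoC list, as an added example that is not from the original analysis: it refangs each URL and groups hosts by their trailing path segments, listing the distinct full paths per group. The `.example` hosts are constructed placeholders; only the two `fre.php` paths come from the article.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def refang(ioc):
    """Undo the hxxp / [.] defanging used in IoC lists."""
    return ioc.strip().replace("hxxp", "http", 1).replace("[.]", ".")

def cluster_panels(iocs, depth=2):
    """Group C&C URLs by their last `depth` path segments.

    Returns {suffix: {"hosts": [...], "layouts": [...]}} for suffixes seen on
    more than one host; "layouts" lists the distinct full paths, so kit
    variants such as /five/fre.php and /Panel/five/fre.php show up together.
    """
    hosts, layouts = defaultdict(set), defaultdict(set)
    for ioc in iocs:
        url = urlsplit(refang(ioc))
        segs = [s for s in url.path.split("/") if s]
        if not url.hostname or len(segs) < depth:
            continue  # not a URL, or path too short to compare
        suffix = "/" + "/".join(segs[-depth:])
        hosts[suffix].add(url.hostname)
        layouts[suffix].add("/" + "/".join(segs))
    return {s: {"hosts": sorted(hosts[s]), "layouts": sorted(layouts[s])}
            for s in hosts if len(hosts[s]) > 1}

# Constructed sample: placeholder hosts, paths taken from the two patterns in the article.
SAMPLE = [
    "hxxp://panel-a[.]example/five/fre.php",
    "hxxp://panel-b[.]example/five/fre.php",
    "hxxp://panel-c[.]example/Panel/five/fre.php",
    "hxxp://panel-d[.]example/other/gate.php",
    "not a url",
]

if __name__ == "__main__":
    for suffix, info in cluster_panels(SAMPLE).items():
        print(suffix, info["hosts"], info["layouts"])
```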
We also saw a series of C&C URLs registered by a Nigeria-based threat actor. For instance, the C&C domain “gamesarena[.]gdn”, which started to spread cracked Loki with CVE-2017-11882 in November, was registered November 21, 2017. We also discovered more than one C&C panel on this domain.
The other domains he registered (e.g., “gamezones[.]info” on September 9, 2017) shared an IP address (209[.]182[.]213[.]90) with other URLs. While a hosting service operates the IP address, one of the live domains “gamestoredownload[.]download” is highly related to gamezones[.]info, as their index contents are the same. Both serve as Loki Panels on the same URL paths that don’t appear in other C&C URLs. “gamestoredownload[.]download” began spreading cracked Loki via CVE-2017-11882 starting in November.
Figure 11: Malicious domains sharing the same IP address on different dates (top); index pages of 2 URLs having the same content (center); and Loki panels sharing the same URL paths (bottom)
C&C URLs on gamesarena[.]gdn and gamestoredownload[.]download also have similar paths. Figure 14 shows the same directory names under these two servers. The cracked Loki is actively distributed on different servers.
Another spamming group reportedly used CVE-2017-11882 to drop Loki, generated by the same cracked builder, via Server Message Block (SMB) protocol. A separate campaign was also recently spotted delivering Loki through malicious Excel scriptlets.
Since the cracked version of Loki only modifies some parts of the binary, some signatures can detect them efficiently. We included a YARA rule in our appendix to help classify and identify the malware. Best practices against this threat include:
The YARA rule for Loki and list of indicators of compromise (IoCs) are in this appendix.
Trend Micro XGen security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Additional analysis and insights from Fyodor Yarochkin and Joseph C. Chen