Overview
Trojan Swizzor variants have been detected since early 2004. The trojan works by downloading and executing malicious files from the Internet on the infected machine; the Internet is the primary infection channel for the Swizzor family, and it is known for stealing personal data. In this case, our researcher monitored malicious traffic and spotted the Swizzor binary as the downloaded file.
Analysis
While monitoring the traffic, we received an alert triggered by communication with a suspicious website. The suspicious websites are stored in our threat intelligence list of malicious websites, against which our rule matches traffic. Our rule flagged communication with the following URL:
hxxp://Judoalmoradi(.)com/LOGOS/puttyupdate45
We then performed incident response on the host machine that connected to the malicious URL and gathered timeline information from it. During the timeline analysis, we spotted the process puttyupdate459.exe in memory. The sample was taken for malware analysis:
File Hash: d85fa670e482083d83c7cfdea08b65729378b02b2dc31f009350f6385a459809
File Size: 227.5 KB
[Figure 1: Compiled using VC++]
We executed the specimen in a controlled environment and observed its behavior. The malicious process started by querying general information from the file system and the registry.
[Figure 2: Execution of malware - loaded in memory and starts querying]
[Figure 3: Thread creation]
[Figure 4: Thread creation event]
[Figure 5: puttyupdate459.exe queries the computer name details and creates a file in the Temp location]
puttyupdate459.exe 992 RegOpenKey HKCU\Software\Classes\AppID\puttyupdate459.exe
NAME NOT FOUND Desired Access: Read
puttyupdate459.exe 992 RegOpenKey HKCR\AppID\puttyupdate459.exe
NAME NOT FOUND Desired Access: Read
[Figure 6: A45F.bin file in the Temp location]
The number of ‘LdrLoadFile’ lines in the .bin file keeps increasing. We also noticed that iexplorer.exe was repeatedly loaded into memory and then terminated; each termination added further lines to the .bin file in the Temp location.
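As an added example (not part of the original post), the following Python heuristic flags the loop described above from a simplified Process Monitor style event feed: one process repeatedly launching Internet Explorer while appending to a .bin file under Temp. Event rows, PIDs and paths are constructed; the post's ‘iexplorer.exe’ is assumed to be the Internet Explorer binary iexplore.exe, so both names are accepted.

```python
from collections import defaultdict

# Image names treated as the Internet Explorer process; the post writes
# "iexplorer.exe", the usual binary is iexplore.exe, so both are accepted.
IE_NAMES = {"iexplore.exe", "iexplorer.exe"}

# (process, pid, operation, path) rows in simplified Process Monitor
# style, constructed for this example rather than captured from the host.
SAMPLE_EVENTS = [
    ("puttyupdate459.exe", 992, "RegOpenKey",
     r"HKCU\Software\Classes\AppID\puttyupdate459.exe"),
    ("explorer.exe", 1500, "Process Create", r"C:\Windows\notepad.exe"),
]
for _cycle in range(4):  # four launch / terminate / append rounds
    SAMPLE_EVENTS += [
        ("puttyupdate459.exe", 992, "Process Create",
         r"C:\Program Files\Internet Explorer\iexplore.exe"),
        ("iexplore.exe", 2000 + _cycle, "Process Exit", ""),
        ("puttyupdate459.exe", 992, "WriteFile",
         r"C:\Users\lab\AppData\Local\Temp\A45F.bin"),
    ]

def is_temp_bin(path):
    """True for a .bin file written somewhere under a Temp directory."""
    low = path.lower()
    return "\\temp\\" in low and low.endswith(".bin")

def find_respawn_loops(events, min_cycles=3):
    """Return {(process, pid): (ie_launches, temp_bin_paths)} for every
    process that launched Internet Explorer at least min_cycles times and
    also wrote a .bin file under Temp. Process Exit rows carry no parent,
    so the heuristic counts launches rather than full create/exit pairs."""
    launches = defaultdict(int)
    temp_files = defaultdict(set)
    for process, pid, operation, path in events:
        key = (process, pid)
        image = path.lower().rsplit("\\", 1)[-1]
        if operation == "Process Create" and image in IE_NAMES:
            launches[key] += 1
        elif operation == "WriteFile" and is_temp_bin(path):
            temp_files[key].add(path)
    return {key: (count, sorted(temp_files[key]))
            for key, count in launches.items()
            if count >= min_cycles and temp_files[key]}

if __name__ == "__main__":
    for (proc, pid), (count, paths) in find_respawn_loops(SAMPLE_EVENTS).items():
        print(f"{proc} (PID {pid}): {count} IE launches, appends to {paths}")
```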
Timeline analysis
With this analysis we were unable to observe the complete behavior, so our incident response team ran the Redline collector script and collected an analysis session from the infected machine. During the Redline analysis, we found the parent file, which contains the above malicious URL:
hxxp://Judoalmoradi(.)com/LOGOS/puttyupdate459
This malicious URL was used to download the puttyupdate459.exe file. The parent file details are:
SHA256: 21fc447f95143fd8595d364e526bb726d2e3e52983aebe2c1ae5d49d4e6e96f5
[Figure 7: Parent file - Ursnif/Swizzor/Password Stealer]
The parent file is detected as a password stealer (PWS), Swizzor and Ursnif. Thorough incident response is clearly what allowed our team to find this file.
Why was the file not detected by AV?
Most AV vendors detect both the parent file (SHA256: 21fc447f95143fd8595d364e526bb726d2e3e52983aebe2c1ae5d49d4e6e96f5) and the downloaded file (puttyupdate459.exe). However, we found that the infected network infrastructure did not follow many best practices, and the AV definition updates had been failing for several weeks. We also collected the AV logs for analysis: the AV had actually raised alerts about the termination of its on-access scan and shield processes.
Had best practices and proper monitoring been in place, this infection could have been avoided.
Research and post were done by
IOC details:
URL
- Judoalmoradi(.)com/LOGOS/puttyupdate45
File Hashes
- 21fc447f95143fd8595d364e526bb726d2e3e52983aebe2c1ae5d49d4e6e96f5
- d85fa670e482083d83c7cfdea08b65729378b02b2dc31f009350f6385a459809