Archive

Author Archive

Digging deep for PLATINUM

There is no shortage of headlines about cybercriminals launching large-scale attacks against organizations. For us, the activity groups that pose the most danger are the ones who selectively target organizations and desire to stay undetected, protect their investment, and maximize their ROI. That’s what motivated us – the Windows Defender Advanced Threat Hunting team, known as hunters – when we recently discovered a novel technique being used by one such activity group.

We have code named this group PLATINUM, following our internal practice of assigning rogue actors chemical element names. Based on our investigations, we know PLATINUM has been active since 2009 and primarily targets governmental organizations, defense institutes, intelligence agencies, and telecommunication providers in South and Southeast Asia. The group has gone to great lengths to develop covert techniques that allow them to conduct cyber-espionage campaigns for years without being detected.

Uncovering these kinds of techniques is true detective work, and finding them in the wild is a challenge, but with the wealth of anonymized information we can utilize from over 1 billion Windows devices, a broad spectrum of services, Microsoft’s intelligent security graph as well as advanced analytics and machine algorithms to surface suspicious behaviors, Microsoft is in the best position to do so.

Digging up the nugget

Through our advanced and persistent hunting, we discovered PLATINUM is using hotpatching as a technique to attempt to cloak a backdoor they use. Using hotpatching in the malicious context has been theorized [1], [2], but has not been observed in the wild before. Finding such techniques is a focus of the Microsoft APT hunter team, and we want to provide some brief insights on how the team dug up this PLATINUM “nugget”.

In the first part of this methodology, a hunter carves out some rough data sets from existing information and data that can be further analyzed. This could be based on rough heuristics, such as looking for files with high entropy, that were first observed recently, and that are confined to a geographic region that fits the profile of the activity group being investigated.

Carving the data still yields large data sets that can’t be manually analyzed, and advanced threat analytics can help in sorting through the data for meaningful information in the second step. Graph inferences through the Microsoft intelligent security graph can bubble pieces of information to the top of the queue for a hunter to choose from. In the PLATINUM investigation, we identified 31 files.

Lastly, the hunter works directly with the resulting set. During this stage of the PLATINUM investigation, a hunter found a file with unusual string (“.hotp1”). The hunter’s experience and intuition drove him to dig deeper. In this case, that further investigation led us to the malicious use of hotpatching by this activity group and the “nugget” was uncovered.

Deconstructing the attack

So what is hotpatching? Hotpatching is a previously supported OS feature for installing updates without having to reboot or restart a process. It requires administrator-level permissions, and at a high level, a hotpatcher can transparently apply patches to executables and DLLs in actively running processes.

Using hotpatching in a malicious context is a technique that can be used to avoid being detected, as many antimalware solutions monitor non-system processes for regular injection methods, such as CreateRemoteThread. Hotpatching originally shipped with Windows Server 2003 and was used to ship 10 patches to Windows Server 2003. Windows 10, our most secure operating system ever, is not susceptible to this and many other techniques and attack vectors.

What this means in practical terms is that PLATINUM was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hotpatching technique on a machine in Malaysia. This allowed PLATINUM to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.

Thwarting the bad guys

The Microsoft APT hunter team actively tracks activity groups like PLATINUM. We proactively identify these groups and the techniques they use and work to address vulnerabilities and implement security mitigations. The team builds detections and threat intelligence that are utilized by many of our products and services. Beta users of Windows Defender ATP can take advantage of this additional layer of protection and intelligence for a broad set of activity groups.

We’ve included a more technical exploration of  our research and detection of the hotpatching technique in the remainder of this blog.

You can also see a closer look at the PLATINUM activity group in our report PLATINUM: Targeted attacks in South and Southeast Asia. Windows Defender Advanced Threat Protection beta and preview users can also find the report, along with other APT activity group reports, in the Windows Defender ATP portal.

We continue to dig for PLATINUM.

The Windows Defender Advanced Threat Hunting Team

Hotpatching – a case study

We first observed the sample (Sample1) that is capable of utilizing hotpatching on a machine in Malaysia (which matches the general target profile of PLATINUM) on January 28, 2016 . The portable executable (PE) timestamp, which can be arbitrarily set by the adversary, dates back to August 9, 2015, while the unpacked version contains a PE timestamp for November 26, 2015.

It is a DLL that runs as a service and serves as an injector component of a backdoor. Interestingly, this sample not only supported the hotpatching technique described in this post, but was able to apply more common code-injection techniques, including the following, into common Windows processes (primarily targeting winlogon.exe, lsass.exe and svchost.exe):

  • CreateRemoteThread
  • NtQueueApcThread to run an APC in a thread in the target process
  • RtlCreatUserThread
  • NtCreateThreadEx

Hotpatching technique

For hotpatching, the sample goes through the following steps:

  1. It patches the loader with a proper hotpatch to treat injected DLLs with execute page permissions. This step is required for DLLs loaded from memory (in an attempt to further conceal the malicious code).
  2. The backdoor is injected into svchost using the hotpatch API.

Patching the loader is done by creating a section named “knowndllsmstbl.dll”. This DLL does not reside on-disk, but is rather treated as a cached DLL by the session manager.

It then proceeds to write a PE file within that section. The PE file will have one section (“.hotp1 “) with the hotpatch header structure. This structure contains all the information necessary to perform the patching of the function “ntdll!LdrpMapViewOfSection” used by the loader, such that the loader will treat created sections as PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE. The patch is successfully applied by invoking NtSetSystemInformation.

The malware builds the information describing the first patch

Figure 1: The malware builds the information describing the first patch

 

The highlighted "push 4" is patched to "push 0x40", meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

Figure 2: The highlighted “push 4″ is patched to “push 0x40″, meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

Now that the memory permission issue has been solved, the injector can proceed with injecting the malicious DLL into svchost. Again, it creates a (now executable) section named “knowndllsfgrps.dll” and invokes NtSetSystemInformation, causing the final payload to be loaded and executed within the target process (svchost).

Trying to hide the payload using hotpatching also falls in line with the last functional insights we have on the sample. It seems to have an expiry date of January 15, 2017 – at that point in time, the DLL will no longer perform the injection, but rather execute another PLATINUM implant:

C:program filesWindows JournalTemplatesCpljnwmon.exe –ua

This implant may be related to an uninstall routine. Note that we observed the sample last on the machine on September 3, 2015, which may indicate PLATINUM pulled the trigger earlier.

 


 

[1] http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Sotirov.pdf

[2] https://www.yumpu.com/en/document/view/14255220/alexsyscan13

Digging deep for PLATINUM

There is no shortage of headlines about cybercriminals launching large-scale attacks against organizations. For us, the activity groups that pose the most danger are the ones who selectively target organizations and desire to stay undetected, protect their investment, and maximize their ROI. That’s what motivated us – the Windows Defender Advanced Threat Hunting team, known as hunters – when we recently discovered a novel technique being used by one such activity group.

We have code named this group PLATINUM, following our internal practice of assigning rogue actors chemical element names. Based on our investigations, we know PLATINUM has been active since 2009 and primarily targets governmental organizations, defense institutes, intelligence agencies, and telecommunication providers in South and Southeast Asia. The group has gone to great lengths to develop covert techniques that allow them to conduct cyber-espionage campaigns for years without being detected.

Uncovering these kinds of techniques is true detective work, and finding them in the wild is a challenge, but with the wealth of anonymized information we can utilize from over 1 billion Windows devices, a broad spectrum of services, Microsoft’s intelligent security graph as well as advanced analytics and machine algorithms to surface suspicious behaviors, Microsoft is in the best position to do so.

Digging up the nugget

Through our advanced and persistent hunting, we discovered PLATINUM is using hotpatching as a technique to attempt to cloak a backdoor they use. Using hotpatching in the malicious context has been theorized [1], [2], but has not been observed in the wild before. Finding such techniques is a focus of the Microsoft APT hunter team, and we want to provide some brief insights on how the team dug up this PLATINUM “nugget”.

In the first part of this methodology, a hunter carves out some rough data sets from existing information and data that can be further analyzed. This could be based on rough heuristics, such as looking for files with high entropy, that were first observed recently, and that are confined to a geographic region that fits the profile of the activity group being investigated.

Carving the data still yields large data sets that can’t be manually analyzed, and advanced threat analytics can help in sorting through the data for meaningful information in the second step. Graph inferences through the Microsoft intelligent security graph can bubble pieces of information to the top of the queue for a hunter to choose from. In the PLATINUM investigation, we identified 31 files.

Lastly, the hunter works directly with the resulting set. During this stage of the PLATINUM investigation, a hunter found a file with unusual string (“.hotp1”). The hunter’s experience and intuition drove him to dig deeper. In this case, that further investigation led us to the malicious use of hotpatching by this activity group and the “nugget” was uncovered.

Deconstructing the attack

So what is hotpatching? Hotpatching is a previously supported OS feature for installing updates without having to reboot or restart a process. It requires administrator-level permissions, and at a high level, a hotpatcher can transparently apply patches to executables and DLLs in actively running processes.

Using hotpatching in a malicious context is a technique that can be used to avoid being detected, as many antimalware solutions monitor non-system processes for regular injection methods, such as CreateRemoteThread. Hotpatching originally shipped with Windows Server 2003 and was used to ship 10 patches to Windows Server 2003. Windows 10, our most secure operating system ever, is not susceptible to this and many other techniques and attack vectors.

What this means in practical terms is that PLATINUM was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hotpatching technique on a machine in Malaysia. This allowed PLATINUM to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.

Thwarting the bad guys

The Microsoft APT hunter team actively tracks activity groups like PLATINUM. We proactively identify these groups and the techniques they use and work to address vulnerabilities and implement security mitigations. The team builds detections and threat intelligence that are utilized by many of our products and services. Beta users of Windows Defender ATP can take advantage of this additional layer of protection and intelligence for a broad set of activity groups.

We’ve included a more technical exploration of  our research and detection of the hotpatching technique in the remainder of this blog.

You can also see a closer look at the PLATINUM activity group in our report PLATINUM: Targeted attacks in South and Southeast Asia. Windows Defender Advanced Threat Protection beta and preview users can also find the report, along with other APT activity group reports, in the Windows Defender ATP portal.

We continue to dig for PLATINUM.

The Windows Defender Advanced Threat Hunting Team

Hotpatching – a case study

We first observed the sample (Sample1) that is capable of utilizing hotpatching on a machine in Malaysia (which matches the general target profile of PLATINUM) on January 28, 2016 . The portable executable (PE) timestamp, which can be arbitrarily set by the adversary, dates back to August 9, 2015, while the unpacked version contains a PE timestamp for November 26, 2015.

It is a DLL that runs as a service and serves as an injector component of a backdoor. Interestingly, this sample not only supported the hotpatching technique described in this post, but was able to apply more common code-injection techniques, including the following, into common Windows processes (primarily targeting winlogon.exe, lsass.exe and svchost.exe):

  • CreateRemoteThread
  • NtQueueApcThread to run an APC in a thread in the target process
  • RtlCreatUserThread
  • NtCreateThreadEx

Hotpatching technique

For hotpatching, the sample goes through the following steps:

  1. It patches the loader with a proper hotpatch to treat injected DLLs with execute page permissions. This step is required for DLLs loaded from memory (in an attempt to further conceal the malicious code).
  2. The backdoor is injected into svchost using the hotpatch API.

Patching the loader is done by creating a section named “knowndllsmstbl.dll”. This DLL does not reside on-disk, but is rather treated as a cached DLL by the session manager.

It then proceeds to write a PE file within that section. The PE file will have one section (“.hotp1 “) with the hotpatch header structure. This structure contains all the information necessary to perform the patching of the function “ntdll!LdrpMapViewOfSection” used by the loader, such that the loader will treat created sections as PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE. The patch is successfully applied by invoking NtSetSystemInformation.

The malware builds the information describing the first patch

Figure 1: The malware builds the information describing the first patch

 

The highlighted "push 4" is patched to "push 0x40", meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

Figure 2: The highlighted “push 4″ is patched to “push 0x40″, meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

Now that the memory permission issue has been solved, the injector can proceed with injecting the malicious DLL into svchost. Again, it creates a (now executable) section named “knowndllsfgrps.dll” and invokes NtSetSystemInformation, causing the final payload to be loaded and executed within the target process (svchost).

Trying to hide the payload using hotpatching also falls in line with the last functional insights we have on the sample. It seems to have an expiry date of January 15, 2017 – at that point in time, the DLL will no longer perform the injection, but rather execute another PLATINUM implant:

C:program filesWindows JournalTemplatesCpljnwmon.exe –ua

This implant may be related to an uninstall routine. Note that we observed the sample last on the machine on September 3, 2015, which may indicate PLATINUM pulled the trigger earlier.

 


 

[1] http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Sotirov.pdf

[2] https://www.yumpu.com/en/document/view/14255220/alexsyscan13

A brief discourse on ‘Changing browsing experience’

In response to questions we’ve received from the software distribution and monetization industry, and following our blog announcing our browser modifier policy update, we’d like to provide some details on what we refer to in our policy as “changing browsing experience”.

For us, “changing browsing experience” means behaviors that modify the content of webpages.

We consider programs installed and running on a PC that make webpages look differently than they would on the same browser had those programs not been installed, to be programs that change browsing experience.  These programs are required to use the browsers’ extensibility models.

Browsers’ extensibility models ensure user choice and control.  Extensible browsers present consent prompts that ensure users are asked to grant permission for an extension to be enabled.  It is done using a consistent language and placement that is straightforward and clear.

By requiring programs that change browsing experience to use the extensibility models, we ensure that users are kept at the helm of their choice and control.  Programs can only make such alterations to webpages when users grant them the permission to do so, using the browsers’ consistent and reliable consent prompting.

Some programs modify browsing access in ways that don’t insert or change web content.  We don’t consider these as changing the browsing experience.

Examples of programs that modify browsing access include:

  • VPNs – software type that provides access
  • Parental control programs – software type that restricts access

If these programs don’t insert or change web content, then they are not changing browsing experiences. Therefore, they are not required to use the browsers’ extensibility models.

Our intent with this policy is clear: we are determined to protect our customers’ choice and browsing experience control.  The requirement to use the browsers’ supported extensibility models is an important pillar in achieving this goal.

 

Barak Shein and Michael Johnson

MMPC

A brief discourse on ‘Changing browsing experience’

In response to questions we’ve received from the software distribution and monetization industry, and following our blog announcing our browser modifier policy update, we’d like to provide some details on what we refer to in our policy as “changing browsing experience”.

For us, “changing browsing experience” means behaviors that modify the content of webpages.

We consider programs installed and running on a PC that make webpages look differently than they would on the same browser had those programs not been installed, to be programs that change browsing experience.  These programs are required to use the browsers’ extensibility models.

Browsers’ extensibility models ensure user choice and control.  Extensible browsers present consent prompts that ensure users are asked to grant permission for an extension to be enabled.  It is done using a consistent language and placement that is straightforward and clear.

By requiring programs that change browsing experience to use the extensibility models, we ensure that users are kept at the helm of their choice and control.  Programs can only make such alterations to webpages when users grant them the permission to do so, using the browsers’ consistent and reliable consent prompting.

Some programs modify browsing access in ways that don’t insert or change web content.  We don’t consider these as changing the browsing experience.

Examples of programs that modify browsing access include:

  • VPNs – software type that provides access
  • Parental control programs – software type that restricts access

If these programs don’t insert or change web content, then they are not changing browsing experiences. Therefore, they are not required to use the browsers’ extensibility models.

Our intent with this policy is clear: we are determined to protect our customers’ choice and browsing experience control.  The requirement to use the browsers’ supported extensibility models is an important pillar in achieving this goal.

 

Barak Shein and Michael Johnson

MMPC

JavaScript-toting spam emails: What should you know and how to avoid them?

We have recently observed that spam campaigns are now using JavaScript attachments aside from Office files. The purpose of the code is straightforward. It downloads and runs other malware.

Some of the JavaScript downloaders that we’ve seen are:

The same JavaScript downloaders are also responsible for spreading the following ransomware:

The spam email contains a .zip or .rar file attachment which carries a malicious JavaScript. The JavaScript attachment mostly has the following icon, depending on the system’s script software. The file names are either related to the spam campaign, or completely random:

JS1

Figure 1: Examples of JavaScript attachments from spam email campaigns

Not your favorite Java

Just like a typical email campaign, the JavaScript-toting spam finds its way in your PC after a successful social engineering trick. In bag of tricks are attachment file names intentionally crafted to pique any person’s curiosity (finance-related, etc.).

The JavaScript attachments are heavily-obfuscated to avoid antivirus software detections. It consists of a download and execute function paired with one or two URLs hosting the malware.

JS2

Figure 2: Sample code and URL

 

JS3

Figure 3: Another code sample

 

JS4

Figure 4: Another code sample

 

JS5

Figure 5: Another code sample

 

In some cases, the malicious JavaScript attachment is bundled with a dummy file to evade email rules.

JS6

Figure 6: An example of a JavaScript attachment and a dummy file

 

JS7

Figure 7: Another example of a JavaScript attachment and a dummy file

 

These URLs are mostly short-lived. But when successfully downloaded, the malware, in this case Ransom:Win32/Locky, enters the system and proceeds in its destructive mission.

It is interesting to note that an Office attachment with malicious macros typically requires two or more clicks on the document to run it. One click to open the document, and another click to enable the macros.

On the other hand, the JavaScript attachments only takes one or two clicks for it to start executing.

It is uncommon and quite suspicious for people to send legitimate applications in pure JavaScript file format (files with .js or .jse extension) via email. You should be wary of it and should not click or open it.

 

JS8

Figure 8: A screenshot of how the JavaScript attachment gets executed.

 

Same stuff, new package

It has been a common vector for malware to spread through email attachment. In the past months, we have seen Office file attachments that contains malicious macro. The code is simple and straightforward, it’s main objective is to download and execute other malware, such as password stealers, backdoors and ransomwares.

The JavaScript-toting email spam is no different.

These malicious email attachments are distributed through spam campaigns. Spam campaigns range from different social engineering areas that appeal to people’s curiosity – enough for them to take action and click what shouldn’t be clicked: from finance-related subjects like receipts, invoice and bank accounts, to resumes and shipment notifications.

 

JS9

Figure 9: A screenshot of a sample bank-related email spam.

 

JS10

Figure 10: A screenshot of a sample remittance-themed email spam.

 

JS11

Figure 11: A screenshot of a sample invoice-themed email spam.

 

JS12

Figure 12: A screenshot of a sample resume-themed email spam.

 

JS13

Figure 13: A screenshot of a shipment notification-themed email spam.

 

JS14

Figure 14: A screenshot of a sample debt case-themed email spam.

Mitigation and prevention

To avoid falling prey from those JavaScript-toting-emails’ social engineering tricks

See some of the related blogs and threat reports:

 

Alden Pornasdoro

MMPC

JavaScript-toting spam emails: What should you know and how to avoid them?

We have recently observed that spam campaigns are now using JavaScript attachments aside from Office files. The purpose of the code is straightforward. It downloads and runs other malware.

Some of the JavaScript downloaders that we’ve seen are:

The same JavaScript downloaders are also responsible for spreading the following ransomware:

The spam email contains a .zip or .rar file attachment which carries a malicious JavaScript. The JavaScript attachment mostly has the following icon, depending on the system’s script software. The file names are either related to the spam campaign, or completely random:

JS1

Figure 1: Examples of JavaScript attachments from spam email campaigns

Not your favorite Java

Just like a typical email campaign, the JavaScript-toting spam finds its way in your PC after a successful social engineering trick. In bag of tricks are attachment file names intentionally crafted to pique any person’s curiosity (finance-related, etc.).

The JavaScript attachments are heavily-obfuscated to avoid antivirus software detections. It consists of a download and execute function paired with one or two URLs hosting the malware.

JS2

Figure 2: Sample code and URL

 

JS3

Figure 3: Another code sample

 

JS4

Figure 4: Another code sample

 

JS5

Figure 5: Another code sample

 

In some cases, the malicious JavaScript attachment is bundled with a dummy file to evade email rules.

JS6

Figure 6: An example of a JavaScript attachment and a dummy file

 

JS7

Figure 7: Another example of a JavaScript attachment and a dummy file

 

These URLs are mostly short-lived. But when successfully downloaded, the malware, in this case Ransom:Win32/Locky, enters the system and proceeds in its destructive mission.

It is interesting to note that an Office attachment with malicious macros typically requires two or more clicks on the document to run it. One click to open the document, and another click to enable the macros.

On the other hand, the JavaScript attachments only takes one or two clicks for it to start executing.

It is uncommon and quite suspicious for people to send legitimate applications in pure JavaScript file format (files with .js or .jse extension) via email. You should be wary of it and should not click or open it.

 

JS8

Figure 8: A screenshot of how the JavaScript attachment gets executed.

 

Same stuff, new package

It has been a common vector for malware to spread through email attachment. In the past months, we have seen Office file attachments that contains malicious macro. The code is simple and straightforward, it’s main objective is to download and execute other malware, such as password stealers, backdoors and ransomwares.

The JavaScript-toting email spam is no different.

These malicious email attachments are distributed through spam campaigns. Spam campaigns range from different social engineering areas that appeal to people’s curiosity – enough for them to take action and click what shouldn’t be clicked: from finance-related subjects like receipts, invoice and bank accounts, to resumes and shipment notifications.

 

JS9

Figure 9: A screenshot of a sample bank-related email spam.

 

JS10

Figure 10: A screenshot of a sample remittance-themed email spam.

 

JS11

Figure 11: A screenshot of a sample invoice-themed email spam.

 

JS12

Figure 12: A screenshot of a sample resume-themed email spam.

 

JS13

Figure 13: A screenshot of a shipment notification-themed email spam.

 

JS14

Figure 14: A screenshot of a sample debt case-themed email spam.

Mitigation and prevention

To avoid falling prey from those JavaScript-toting-emails’ social engineering tricks

See some of the related blogs and threat reports:

 

Alden Pornasdoro

MMPC

MSRT April release features Bedep detection

As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this April will include detections for:

In this blog, we’ll focus on the Bedep family of trojans.

 

The bothersome Bedep

Win32/Bedep was first detected in November 25, 2014 as a malware family made up of DLLs which has been distributed by Angler Exploit Kit. Microsoft detects Angler as:

JS/Axpergle and HTML/Axpergle have been known to carry and drop Bedep around by redirecting unsuspecting users to compromised websites.

Bedep is bothersome not only because it is carried around by an exploit kit, but because it also connects to a remote server to do the nasty:

All of the above malware families have these in common: they steal your personal information and send them to the hacker, watch what you do online, drops other malware onto your PC, and update them too.

  • Collect information about your PC to send it off to the malware perpetrator
  • Update the downloaded malware

The good thing is, Windows Defender detects and removes Bedep and its variants.

This threat has been prevalent in North America, and various parts of Latin America, Europe, and Southeast Asia.

BedepGeoDist3

Figure 1: The map shows Win32/Bedep’s prevalence in North America, Latin America, Europe, and South East Asia in the last six months.

 

BedepPie 

Figure 2: The pie chart shows the Bedep distribution among the top 10 countries for the past six months

 

The exploit shellcode sometimes loads Bedep directly in the memory from the Angler Exploit Kit, without being written to disk. However, it gets written to disk at other times.

It can either be installed as 32bit DLL (Backdoor:Win32/Bedep.A) or 64bit DLL (Backdoor:Win64/Bedep.A), depending on the affected Windows OS version.

This threat is initially loaded by shellcode running in an exploited browser process (for example, iexplore.exe). Then, the threat downloads a copy of itself and injects that into explorer.exe.

We have observed that the first exploit is not enough. The attacker needs more exploits to bypass the OS or browser’s layered defenses. As a precaution, you should always be careful on clicking the User Account Control (UAC) prompts.

We’ve also seen that Bedep can drop itself as %ProgramData%<{CLSID}><filename>.dll

Example path and file names: C:ProgramData{9A88E103-A20A-4EA5-8636-C73B709A5BF8}acledit.dll.

It then creates the following registry entries:

In subkey: HKEY_CURRENT_USERCLSID%Random CLSID%InprocServer32

Example: HKEY_CURRENT_USERCLSID{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}InprocServer32

Sets value: “ThreadingModel

With data: “Apartment

Sets value: “”

With data: %Bedep Filename%

Example: “C:ProgramData{9A88E103-A20A-4EA5-8636-C73B709A5BF8}acledit.dll

In subkey: HKEY_CURRENT_USERDriveShellExFolderExtensions%Random CLSID%

Example: HKEY_CURRENT_USERDriveShellExFolderExtensions{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}

Sets value: “DriveMask

With data: dword:ffffffff

 

For details about various Bedep variants, see the following malware encyclopedia entries:

 

Mitigation and prevention

To help stay protected from Bedep and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:

 

Jonathan San Jose

MMPC

MSRT April release features Bedep detection

As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this April will include detections for:

In this blog, we’ll focus on the Bedep family of trojans.

 

The bothersome Bedep

Win32/Bedep was first detected in November 25, 2014 as a malware family made up of DLLs which has been distributed by Angler Exploit Kit. Microsoft detects Angler as:

JS/Axpergle and HTML/Axpergle have been known to carry and drop Bedep around by redirecting unsuspecting users to compromised websites.

Bedep is bothersome not only because it is carried around by an exploit kit, but because it also connects to a remote server to do the nasty:

All of the above malware families have these in common: they steal your personal information and send them to the hacker, watch what you do online, drops other malware onto your PC, and update them too.

  • Collect information about your PC to send it off to the malware perpetrator
  • Update the downloaded malware

The good thing is, Windows Defender detects and removes Bedep and its variants.

This threat has been prevalent in North America, and various parts of Latin America, Europe, and Southeast Asia.

BedepGeoDist3

Figure 1: The map shows Win32/Bedep’s prevalence in North America, Latin America, Europe, and South East Asia in the last six months.

 

BedepPie 

Figure 2: The pie chart shows the Bedep distribution among the top 10 countries for the past six months

 

The exploit shellcode sometimes loads Bedep directly in the memory from the Angler Exploit Kit, without being written to disk. However, it gets written to disk at other times.

It can either be installed as 32bit DLL (Backdoor:Win32/Bedep.A) or 64bit DLL (Backdoor:Win64/Bedep.A), depending on the affected Windows OS version.

This threat is initially loaded by shellcode running in an exploited browser process (for example, iexplore.exe). Then, the threat downloads a copy of itself and injects that into explorer.exe.

We have observed that the first exploit is not enough. The attacker needs more exploits to bypass the OS or browser’s layered defenses. As a precaution, you should always be careful on clicking the User Account Control (UAC) prompts.

We’ve also seen that Bedep can drop itself as %ProgramData%<{CLSID}><filename>.dll

Example path and file names: C:ProgramData{9A88E103-A20A-4EA5-8636-C73B709A5BF8}acledit.dll.

It then creates the following registry entries:

In subkey: HKEY_CURRENT_USERCLSID%Random CLSID%InprocServer32

Example: HKEY_CURRENT_USERCLSID{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}InprocServer32

Sets value: “ThreadingModel

With data: “Apartment

Sets value: “”

With data: %Bedep Filename%

Example: “C:ProgramData{9A88E103-A20A-4EA5-8636-C73B709A5BF8}acledit.dll

In subkey: HKEY_CURRENT_USERDriveShellExFolderExtensions%Random CLSID%

Example: HKEY_CURRENT_USERDriveShellExFolderExtensions{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}

Sets value: “DriveMask

With data: dword:ffffffff

 

For details about various Bedep variants, see the following malware encyclopedia entries:

 

Mitigation and prevention

To help stay protected from Bedep and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:

 

Jonathan San Jose

MMPC