Kronos Banking Trojan and Geo-targeted attacks to Australia, Italy, United Kingdom and United States by Kelihos
I'm happy to welcome back guest-blogger Arsh Arora for another blog about the Kelihos botnet. This research is being conducted in our malware research lab at UAB by Arsh (PhD student) and Max Gannon, a malware researcher at UAB, who is about to graduate at the end of this semester and is looking for a job (hint to employers!)Let’s start the story of the things happening with Kelihos botnet over the past couple of days. After laying low for past couple of weeks, it strikes back with authority. As observed previously http://garwarner.blogspot.com/2016/08/kelihos-botnet-sending-geo-targeted.html, Kelihos continue to geo-target different locations. First and foremost, it started by sending Money Mule spam to users in Italy, Australia, and the United Kingdom, if their email addresses ended with .it, .au, or .uk. Second, it targeted users in the United States to download a social media management tool “Kuku.io.” Because this was based on country-code targeted of ".us" it is more likely to impact people in education and local government, who are the main users of .us email addresses. As all these things were happening, it sneaked a malicious word document from a website and uploaded it on the desktop without any indication to the user of the download. The malicious document eventually delivers Kronos malware which is considered to be same as Zeus malware which was sent by Kelihos in August http://garwarner.blogspot.com/2016/08/kelihos-botnet-sending-panda-zeus-to.html. This behavior was bizarre and never observed before this event.
Money Mule Spam
A brief report of the various geo-targeted spam is provided below.
1. Australia - Spam for email addresses ending with ".au"
Email text is as follows:
Subject: Available PositionHi,
The Successful Company is hiring full/part-time employee for an Administrative Assistant position
(Customer Care Team) who can take a part oversee development projects in AU and NZ. This
opportunity is smart for everybody who ready to work as little as a several hours per weekday,
however you will apply for a full time position as well. Competent training programs are accessible
for the applicants. Work experience isn't required at all.
Please send your confirmation to this email cargoinvestmentmiltonlogistics@gmail[dot]com to get more
details concerning a vacancy.
Best Regards
cargoinvestmentmiltonlogistics@gmail[dot]com
.
An interesting thing to observe in the body of the text is the special reference to development projects in AU and NZ. To infer, the email body and addresses are not random, but specifically targeted towards the Australian users.
Some of the email subjects being used include:
Subject: Available Position
Subject: Employment
Subject: Job Offer
Subject: Open Vacancy
2. Italy - Spam for email addresses ending with ".it"
 |
| <== Italian Money Mule spam || Google Translate ==> |
Original text of the email being spammed is as follows:
Subject: Assunzione al lavoro
Cari Saluti,
Impresa europeo specializzata nella mezzi di trasporto merci per estensione proprio organico
sta ricercando le persone per i nuovi ruoli nella vostra provincia! Stipendio e' da 3002 Euro
al mese piu' bonus. Formazione e' a carico della azienda!
Se hai bisogno di fondi in piu', se sei onesto e coscienzioso dipendente che ha 22 anni
compiuti, ti invitiamo ad inviare il vostro curriculum nel nostro ufficio personale
hr@acigl[dot]net
Distinti saluti
Sandra Trevor,
Responsabile del personale
hr@acigl[dot]net
Cari Saluti,
Impresa europeo specializzata nella mezzi di trasporto merci per estensione proprio organico
sta ricercando le persone per i nuovi ruoli nella vostra provincia! Stipendio e' da 3002 Euro
al mese piu' bonus. Formazione e' a carico della azienda!
Se hai bisogno di fondi in piu', se sei onesto e coscienzioso dipendente che ha 22 anni
compiuti, ti invitiamo ad inviare il vostro curriculum nel nostro ufficio personale
hr@acigl[dot]net
Distinti saluti
Sandra Trevor,
Responsabile del personale
hr@acigl[dot]net
Some of the email subjects being used include
Subject: Assunzione - collocamento al lavoroSubject: Assunzione al lavoro
Subject: Cerchiamo collaboratori in vostra area
Subject: Cerchiamo collaboratori in vostra citta
Subject: Cerchiamo collaboratori in vostra provincia
Subject: Cerchiamo collaboratori in vostra regione
Subject: Lavoro part-time
Subject: Ricerchiamo collaboratori in gruppo operante a livello globale
3. UK - Spam for email addresses ending with".uk"
Subject: Wow amazing girl..Read that articleHey, what's up? Actually, for that long time we haven't been reaching each other, I've discovered a brilliant
reading stuff. By now, 5 days I am stuck to it have already brought about 2,350 pound for me! I am talking about
the soft trading market - it doesn't require any specific skills at it, all is automated.
Flick the article through and write me something as you are in. By the way, get a chance to know how the stuff
works with a demo!
Take the best out of it!
P.s. The article itself: hxxp://newsdep3-telegraph[dot]co/
.
Interesting observation here is the fake url for The Telegraph newspaper. The spammers are trying to trick the user to visit the following link in disguise of telegraph newspaper.
Following Domain name is hosted on 162[.]255[.]119[.]249 and has been dominantly hosting various phishing websites https://www.virustotal.com/en/ip-address/162.255.119.249/information/. Information found on Domain Tools is mentioned below.
 |
| Information from Domain Tools |
Domain Name: NEWSDEP3-TELEGRAPH.CO
Domain ID: D153329223-CO
Sponsoring Registrar: NAMECHEAP, INC.
Sponsoring Registrar IANA ID: 1068
Registrar URL (registration services): http://www.namecheap.com
Domain Status: clientTransferProhibited
Registrant ID: 70G0X0PHDOIUNYLZ
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Address1: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code: 0
Registrant Country: Panama
Registrant Country Code: PA
Registrant Phone Number: +507.8365503
Registrant Facsimile Number: +51.17057182
Registrant Email: 76fb43b32d694e49a7cf070f148b6aae.protect@whoisguard.com
Some of the email subjects being used include
Subject - Look what i found
Subject - Why work for your money when your money can work for you?
Subject - Wow amazing girl.. Read that article
When visited the URL it redirected to
hxxp://www[dot]talegraph[dot]co[dot]uk/investor/ideas/from-zero-to-hero-mom-vanessa-makes-8000-per-month
As it can be observed it redirects to talegraph[dot]co[dot]uk, not telegraph, which is hosted in Netherlands.
Whois & Quick Stats
DatesCreated on 2016-09-27 - Expires on 2017-09-27 - Updated on 2016-09-27
IP Address185.110.173.76 is hosted on a dedicated server
IP LocationNetherlands - Zuid-holland - Papendrecht - It-ernity Internet Services Bv
ASN Netherlands AS21155 ASN-PROSERVE Amsterdam,, NL (registered Sep 11, 2001)
Whois History4 records have been archived since 2016-10-01
Whois Serverwhois.nic.uk
 |
| Webpage of talegraph As it can be viewed, following is a fake website portraying telegraph newspaper. |
Social Media Management Tool
Kuku.io It is well-known that people of United States are crazy about social media and get super excited whenever a new app or a tool gets launched. Recently, everyone went crazy after the launch of Pokemon Go. This reaction forced the threat actors to change their way of attacks by focusing on the social media market. There were different malware being developed to exploit this weakness of the users. in a recent blog post, I mentioned how scammers were fooling people to buy cheat codes that never existed http://garwarner.blogspot.com/2016/07/pokemon-go-invitation-to-spammers.html. In continuation to these attacks, the Kelihos spammers are now inviting users to download Kuku.io, a social media management tool. The following spam is explicitly targeting email addresses ending with ".us," because of the popularity and use of social media in the United States.
Email being spammed is as follows:
Subject: Need your opinion
Hi,
I'm with Kuku.io, it's a social media management tool the key characteristic of which is to schedule and create
content on various networks at the same time. What's more you also encourage your clients to share, like and
follow your posts.
Since we are connected in LinkedIn I thought it would be a good idea if I asked for your views on our product.
Check us out at: hxxps://kuku[dot]io/a/ms
I appreciate your time. I'm looking forward to receiving any of your comments!
Regards,
Michael
hello@kuku.company
.
Some of the email subjects being used include:
Subject: Need your opinion
Subject: Need your feeback
Subject: Please let me know if this is of any interest
When visited the webpage mentioned.
 |
| Webpage of Kuku[.]io |
Kronos Banking Trojan
Now let's get to the sneaky part performed by Kelihos, which is dropping a malicious word document on the desktop. While doing his daily chores of running Kelihos malware and collecting the spam sent, Max found that a document named 'oldversion' was placed on the desktop. It was strange and we have never seen this behavior previously. |
| Pictorial view of the document icon on the Desktop |
On further scrutiny, we found that during the capture, Kelihos did a GET request to download the document.
hxxp://topswingusa[dot]top/qivi/oldversion[dot]doc - Get request https://www.virustotal.com/en/file/e6071f9205ed8540df9612d3f1a001f497931fc76dee43fee1e77750d00df256/analysis/
IP address of topwingsusa[dot]top - 167.88.160.146 https://www.virustotal.com/en/ip-address/167.88.160.146/information/
Virus total result of topswingusa[dot]top https://www.virustotal.com/en/url/56f79838c296ac58ab81cd6571187bc1abcb33f6cb395bcebfd9db966224d4dc/analysis/
An interesting string found in the process hacker was " UPLD save to: C:\Users\malware\Desktop\oldversion.doc"
Out of curiosity and to do more in-depth research, I decided to click the document. The document did not disappoint and asked for two of my favorite things when viewing a word document.
 |
| Enable Editing |
The document was opened in Protected view and after clicking 'Enable Editing,' it asked to "Enable Content.
 |
| Enable Content |
After clicking 'Enable Content,' It spawns a child process with the name '24580.exe' and then another child process was launched with the name of "svchost.exe". The process killed itself and did not run properly.
Hence, I have to put it into OLLYDBG to get the malware working. On further observations in the debugger, I found that it was checking for virtual machine. Hence, it was vmware aware and killed itself instantaneously. But before it killed itself, I found the following string in the "svchost.exe" in the debugger, which mentioned the malware to be Kronos.
Hence, it can inferred that the following malware is Kronos. In order to be double sure, I repeated the process by downloading the malicious document and running it again.
This time I was able to gather more information, once the document is activated by 'Enable Content,' it grabs the downloader from the following url:
hxxp://topswingusa[dot]top/qivi/mswords2k8[dot]exe,
which is hosted on the same IP 167[.]88[.]160[.]146. Once the file "mswords2k8[dot]exe was obtained, it spawned a third process named as "MSOSQM", which was Kronos malware.
On further scrutiny, I found that both the downloaders "24580.exe" and "mswords2k8[dot]exe" have the same MD5 hash, 547890EA5FD8374383E0663223B5A26F.
 |
| Downloader and Kronos malware |
Another interesting observation found in the debugger is presence of a string named "BOTID"
 |
| BOTID found in OLLYDBG |
Researchers are still working on trying to find more about the significance of BOTID. Hopefully, everyone will be updated soon with the findings.
