
Drive by Download and Hermes 2.1

2018.04.30

Malware Analysis Monthly Report (2018-04)

This report describes Hermes 2.1, a ransomware that infects a computer when the user merely visits a compromised website.

It was written by SOOSAN INT's Security Laboratory, and we permit its use for research purposes. SOOSAN INT accepts no responsibility for use for any other purpose; in that case the responsibility is yours.

You can reach us through the CERT members' e-mail addresses

([email protected] / [email protected] / [email protected])

ⓒ 2018 SOOSAN INT. All Rights Reserved.

SOOSAN INT Security Laboratory (CERT)


Contents

1. Abstract
2. Hermes 2.1 including Sundown Exploit Kit
   2.1 Hermes and Sundown Exploit
   2.2 Threat Course and Infection Symptom
3. Analysis Contents (Hermes 2.1)
   3.1 Analyzed Malicious File Info
   3.2 Dynamic Analysis
4. Recommendations


1. Abstract

Last month we were asked to analyze a ransomware infection. After tracing the threat course and the infection symptoms, we identified the sample as Hermes 2.1. This version is more dangerous than earlier Hermes releases because it is delivered through the Sundown Exploit Kit; in other words, we found Sundown being used to deliver Hermes 2.1.

The Sundown kit used in this case targets the Adobe Flash Player vulnerability CVE-2018-4878 (see note 1). Our CERT team rated this as very risky because the exploit infects a user who merely visits a web page.

Many sites still rely on Adobe Flash to render content. An attacker who can place malicious Flash content on such a site can use the vulnerability to run a payload such as Hermes on every visitor's machine. This delivery technique is known as "Drive-by-Download", and we confirmed its use in the Hermes 2.1 case.

We also found that Hermes 2.1 targets about 5,100 file types, a far wider range than WannaCry (see note 2). In addition, Hermes 2.1 deletes the volume shadow copies that would otherwise allow encrypted files to be restored.

In short, we judged the threat serious enough to warrant this analysis. The report is organised as follows. Section 2 covers the history of Hermes and the features of the Sundown Exploit Kit, then the infection path and its symptoms. Section 3 describes the observed behaviour of Hermes 2.1. Section 4 gives recommendations for protecting against it.

1) CVE (Common Vulnerabilities and Exposures): a list of publicly known security vulnerabilities; each identifier carries the year of publication and a sequence number.

2) WannaCry: in May 2017 it infected about 300,000 devices in 150 countries.


2. Hermes 2.1 including Sundown Exploit Kit

Hermes 2.1 is an advanced form of the Hermes ransomware attack: the earlier Hermes payload combined with delivery through the Sundown Exploit Kit. This section briefly describes the original Hermes and the Sundown Exploit Kit, and then looks at the attack characteristics and risk level of Hermes 2.1.

2.1 Hermes and Sundown Exploit

Hermes became known through the October 2017 cyber-attack on FEIB (Far Eastern International Bank) in Taiwan, which was attributed to Lazarus, the North Korean hacking group. The attackers attempted fraudulent transfers of roughly 60 million US dollars (see note 3), sent to accounts at banks in several countries including Cambodia, the United States and Sri Lanka. Hermes does not appear to have been deployed for extortion in that incident; security researchers concluded that it was used to hinder analysts from reconstructing the details of the intrusion.

An exploit kit (also called an exploit pack) is a toolkit that automates the exploitation of client-side vulnerabilities. It usually targets software the browser loads from websites, such as Adobe Flash, Java and the browser itself, in order to carry out Drive-by-Download attacks. Sundown is one such kit; it exploits an Adobe Flash vulnerability so that an attacker can deliver malware to a site's visitors.

In summary, the attacker used the Sundown Exploit Kit to plant Hermes 2.1 on a website, and visitors to that site were infected. This infection path had been seen before: in December 2017 the 'Matrix' ransomware drew attention because, like Hermes 2.1, it infected users through websites. Some security researchers have suggested that the same actor is behind Matrix and Hermes 2.1.

3) Bank Info Security (Oct. 9, 2017), "Report: Malware-Wielding Hackers Hit Taiwanese Bank", https://www.bankinfosecurity.com/report-malware-wielding-hackers-hit-taiwanese-bank-a-10368.


2.2 Threat Course and Infection Symptom

Figure 2-1 outlines the threat course and infection symptoms of Hermes 2.1:

[Figure 2-1] Hermes 2.1 Attack Process

According to our analysis, the attacker used the Drive-by-Download technique to deliver Hermes 2.1 via the Sundown Exploit Kit. Sundown exploited the Adobe Flash Player vulnerability published as CVE-2018-4878 (see note 4), which affects Flash Player 28.0.0.137 and earlier. A visitor whose browser runs one of these vulnerable Flash Player versions can be exploited simply by loading the compromised site, and is then infected with Hermes 2.1. Keeping Flash Player patched, or removing it, closes this path.

Once running, Hermes 2.1 deletes the volume shadow copies (see note 5) using vssadmin (see note 6); this prevents recovery of files from earlier snapshots. Next, it encrypts the targeted files using AES/RSA (in the usual arrangement, AES for the file contents with the AES key protected by RSA). Finally, it drops a text note informing the user of the infection and demanding payment in the DASH cryptocurrency.

4) CVE-2018-4878: a vulnerability in Adobe Flash Player that allows remote code execution.

5) Shadow Copy: a point-in-time snapshot of a volume kept by the Volume Shadow Copy Service (VSS) for backup and recovery.

6) Vssadmin: the Windows command-line tool for managing shadow copies and shadow storage; ransomware abuses it to delete existing snapshots.


From the description of Hermes and the Sundown Exploit Kit above, we conclude:

1. The Sundown Exploit Kit spreads widely because the "Drive-by-Download" technique requires nothing more of the victim than visiting a site.

2. Hermes 2.1 is file-encrypting ransomware, so it is particularly risky for institutions that hold important files.

3. In terms of attack range and ease of spread, we rate the threat of Hermes 2.1 at the same level as WannaCry.


3. Analysis Contents (Hermes 2.1)

Our CERT has analyzed Hermes 2.1. The findings are described in the following subsections.

3.1 Analyzed Malicious File Info

The analyzed file is "[Temporarily Saved File].exe". Its hashes are as follows:

- MD5: a45c1a696cc5e634c12c2a296966ecb7

- SHA-1: 92d2c2c5ae6d5af7e7723ff1c21c136d4f664daf

- SHA-256: 3f8eef075d1d96c4730bedf5039de9508b3805fbe7cffdcd08b61ea9ec101ed (as printed in the report; this value is one hex digit short of a full 64-digit SHA-256, so use the MD5 or SHA-1 for lookups)

Table 3-1 lists the APIs imported by Hermes 2.1. Table 3-2 lists the file extensions targeted for encryption. Table 3-3 shows the command lines used to prevent file recovery.

[Table 3-1] Hermes 2.1's API lists

kernel32.dll
LoadLibraryA, GetModuleFileNameW, VirtualFree, Wow64DisableWow64FsRedirection,
FindFirstFileW, SetFileAttributesA, FindNextFileW, CopyFileW, GetModuleFileNameA,
DeleteFileW, Wow64RevertWow64FsRedirection, ReadFile, SetFilePointer, GetFileSize,
CreateFileA, GetVersionExW, VirtualAlloc, GetFileAttributesW, CloseHandle,
GetFileAttributesA, GetWindowsDirectoryW, FindClose, CreateDirectoryW, WinExec,
CreateFileW, Sleep, WriteFile, ExitProcess, CreateProcessW, GetCurrentProcess,
GetModuleHandleA, GetLogicalDrives, CreateProcessA, SetFileAttributesW, CopyFileA,
GetStartupInfoW, GetCommandLineW, GetTickCount, FreeLibrary, GetDriveTypeW,
GlobalAlloc, GetSystemDefaultLangID

mpr.dll
WNetOpenEnumW, WNetEnumResourceW, WNetCloseEnum

advapi32.dll
CryptEncrypt, GetUserNameA, CryptDecrypt, GetUserNameW, CryptGenKey, RegOpenKeyExA,
CryptDestroyKey, RegOpenKeyExW, CryptExportKey, RegQueryValueExA, CryptImportKey,
RegCloseKey, CryptDeriveKey, RegDeleteValueW, CryptAcquireContextW, RegSetValueExW

ole32.dll
CoInitialize, CoCreateInstance

Shell32.dll
ShellExecuteW, ShellExecuteA

Read together, the imports match the behaviour described in section 3.2: GetLogicalDrives/GetDriveTypeW and FindFirstFileW/FindNextFileW enumerate local drives and files, WNetOpenEnumW/WNetEnumResourceW enumerate network shares, the CryptoAPI functions (CryptGenKey, CryptEncrypt, CryptExportKey, CryptImportKey) implement the AES/RSA encryption, and CreateProcessA/W, WinExec and ShellExecuteA/W are used to run the vssadmin and del commands listed in Table 3-3.


[Table 3-2] Lists of Targeted file types by Hermes 2.1

The extension list is stored in the sample as one dot-separated string (see Figure 3-2); the report prints only the beginning of it and truncates after .blb.

.tif.php.1cd.7z.cd.1cd.dbf.ai.arw.txt.doc.docm.docx.zip.rar.xlsx.xls.xlsb.xlsm.jpg.jpe.jpeg.bmp.db.eql.sql
.adp.mdf.frm.mdb.odb.odm.odp.ods.dbc.frx.db2.dbs.pds.pdt.pdf.dt.cf.cfu.mxl.epf.kdbx.erf.vrp.grs
.geo.st.pff.mft.efd.3dm.3ds.rib.ma.max.lwo.lws.m3d.mb.obj.x.x3d.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs
.adn.a3d.aft.ahd.alf.ask.awdb.azz.bdb.bib.bnd.bok.btr.bak.cdb.ckp.clkw.cma.crd.dad.daf.db3.dbk.dbt
.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.fcd.fic.fid.fil.fm5
.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdn.mdt.mrg.mud
.mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.oqy.ora.orx.$$$.$01.$db.$efs.$er.__a.__b.{pb.~cw.~hm
.0.00.000.001.002.1.101.103.108.110.113.123.123c.123d.123dx.128.1cd.1pe.1ph.1sp.1st.256.264.2d.2mg
.3.32x.3d.3d2.3d4.3da.3dc.3dd.3df.3df8.3dl.3dm.3dmf.3dmk.3don.3dp.3dr.3ds.3dt.3dv.3dw.3dx.3dxml
.3fr.3g2.3ga.3gp.3gp2.3gpp.3gpp2.3me.3mm.3p2.3pe.3pr.3w.4db.4dd.4dl.4dv.4mp.4th.4w7.555.602.60d
.73b.73c.73l.787.7z.7zip.8.890.89t.89y.8ba.8bc.8be.8bf.8bi.8bi8.8bl.8bs.8bx.8by.8ld.8li.8pbs.8st.8svx
.8xg.8xk.8xs.8xt.8xv.9xt.9xy.a.av.a00.a01.a02.a1wish.a26.a2c.a2l.a2m.a2theme.a2w.a3l.a3m.a3w.a4l
.a4m.a4p.a4w.a52.a5l.a5rpt.a5w.a5wcmp.a65.a8s.aa.aa3.aac.aaf.aah.aam.aao.aaui.ab.ab1.ab2.ab3.ab4
.ab65.aba.abc.abcd.abdata.abf.abi.abk.abkprj.abp.abs.abt.abw.abx.aby.ac2.ac3.ac5.ac6.aca.acbl.acc
.accda.accdb.accdc.accde.accdr.accdt.accdu.accdw.accft.acd.ace.acf.acg.ach.aco.acp.acr
.acrobatsecuritysettings.acrodata.acroplugin.acrypt.act.actm.actx.acv.acw.acx.ad.ada.adb.adblock
.adc.adcp.add.addin.addon.ade.adf.adi.adn.ado.adobebridge.adoc.ados.adox.adp.adpb.adpp.adr.ads
.adt.adu.adv.advs.adx.adz.aea.aec.aep.aepx.aes.aet.aetx.aex.afd.afdesign.afe.aff.afm.afp.afs.aft.agb
.agd.agd1.agdl.age3rec.age3sav.age3scn.age3xrec.age3xsav.age3xscn.age3yrec.age3ysav.age3yscn
.agg.aggr.agi.agx.ahd.ahf.ahl.ahs.ahu.ai.aia.aif.aifb.aiff.aim.ain.aip.ais.ait.aiu.aiv.ajp.ak.al.al8.ala.alb
.alb3.alb4.alb5.alb6.alc.ald.ale.alf.ali.allet.alm.alp.alr.alt3.alt5.alv.alx.alz.am.am1.am4.am5.am6.am7
.amb.amc.amf.aml.amm.amp.amr.ams.amsorm.amt.amu.amv.amx.amxx.an.an1.an2.an8.ane.anim.animset
.animset_ingame.anl.anm.anme.ann.ans.ansr.ansym.anx.any.aof.aoi.aois.aom.ap.ap_.apa.apd.ape.apf
.aph.api.apj.apk.apl.aplg.aplp.apnx.apo.app.applet.application.appref-ms.approj.appx.appxsym
.appxupload.apr.aps.apt.apw.apxl.apz.aqt.ar.arc.arch00.arcut.ard.arena.arf.arff.arg.arh.ari.arj.ark
.arl.aro.arp.arpack.arr.ars.arsc.artproj.arw.arx.as.as$.as2proj.as3.as3proj.as4.asa.asat.asax.asc.ascii
.ascm.ascs.ascx.asd.asdb.ase.asef.asf.ash.ashbak.ashdisc.ashprj.ashx.asi.ask.asl.asm.asmx.asn.asnd
.asp.aspx.asr.asset.asstrm.ast.asv.asvf.asvx.aswcs.asws.asx.asy.atc.ate.atf.ath.ati.atl.atm.atn.atom
.atomsvc.atr.ats.att.atw.atx.aty.atz.au3.aut.automaticdestinations.autoplay.aux.av.ava.avb.avc.avchd
.avd.ave.avhd.avi.avj.avn.avp.avs.avv.avx.aw.awcav.awd.awdb.awe.awg.awlive.awm.awp.aws.awt.aww
.awwp.ax.axd.axe.axm.axp.axt.axx.azf.azs.azw.azw1.azw3.azw4.azz.azzx.b.b1.b27.b2a.b3d.b5i.b5t.b64
.b6i.b6t.ba.bac.back.backup.backupdb.bad.bafl.bak.bak~.bak2.bak3.bakx.bamboopaper.bank.bar.bas
.base.baserproj.basex.bat.bau.bav.bax.bay.bb.bb3.bbb.bbc.bbcd.bbl.bbprojectd.bbs.bbxt.bbz.bc5.bc6
.bc7.bcc.bcd.bci.bck.bckp.bcl.bcm.bcmx.bcp.bcs.bct.bdb.bdb2.bdc.bdf.bdic.bdl.bdm.bdmv.bdp.bdr
.bdsproj.bdt2.bdt3.bean.bed.bet.bf.bfa.bfg.bfm.bfs.bfx.bgi.bgl.bgt.bgv.bgz.bh.bho.bhx.bi8.bib.bibtex
.bic.bif.big.bik.bil.bim.bin.bina.bionix.bip.biq.bit.bitpim.bix.bizdocument.bjl.bjo.bk.bk!.bk1.bk2.bk3
.bk4.bk5.bk6.bk7.bk8.bk9.bkc.bkf.bkg.bkk.bkp.bks.bkup.bkz.blb ...


[Table 3-3] Command lines to delete shadow copies (vssadmin)

The strings are stored in the sample at the following addresses: 004054D0, 00405526, 004055D5, 004055DC, 00405608, 0040561A, 0040574C, 004057EB, 004057F2, 0040580E, 00405835, 00405841, 004058A9, 004058B3, 0040591A, 00405928, 00405984, 004059CD, 004059DE, 00405A4F, 00405A82. The extracted fragments are interleaved, but they combine into the following CMD commands, issued once per drive letter c: through h: (the argument order inside each command is reconstructed from the fragments and may differ slightly in the binary):

vssadmin Delete Shadows /all /quiet
vssadmin resize shadowstorage /for=<drive>: /on=<drive>: /maxsize=401MB
vssadmin resize shadowstorage /for=<drive>: /on=<drive>: /maxsize=unbounded
del /s /f /q <drive>:\*.VHD <drive>:\*.bac <drive>:\*.bak <drive>:\*.wbcat <drive>:\*.bkf <drive>:\Backup*.* <drive>:\backup*.* <drive>:\*.set <drive>:\*.win <drive>:\*.dsk

Deleting all shadows removes existing restore points; shrinking shadow storage to 401 MB forces VSS to discard any snapshots that survive, and setting it back to unbounded hides the change. The del command then removes common backup files (Windows Backup, virtual disk and third-party image formats) with /s (recurse), /f (force read-only files) and /q (quiet).
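The commands in Table 3-3 (and the shadow-copy deletion described in section 2.2) are what a SOC can detect before the first .HRM file appears. The following Python script is an added example for readers of this report; it is not code from the SOOSAN INT report or from the malware. It parses process-creation records (a constructed, tab-separated sample with timestamp, user, parent image and command line; the layout is an assumption, not a real Sysmon or EDR export) and matches the three behaviours from Table 3-3: deleting all shadow copies, resizing shadow storage, and bulk deletion of backup files by extension. Any one of these can be routine administration, so the script also groups hits by parent process and returns the ransomware-precursor verdict only when one parent performs all three.

```python
"""Detect the shadow-copy tampering sequence from Table 3-3 in process-creation logs.

Added example for this report, not code from SOOSAN INT or from Hermes 2.1.
The log lines below are constructed; the tab-separated layout
(timestamp, user, parent image, command line) is an assumption.
"""
import re
from typing import Dict, List

# Constructed sample: one user launches a dropped binary, which then issues the
# Table 3-3 commands; the last two lines are benign vssadmin use by admins/backup agents.
SAMPLE_LOG = """\
2018-04-12T09:31:02Z\tCORP\\jlee\tC:\\Windows\\explorer.exe\t"C:\\Users\\jlee\\AppData\\Local\\Temp\\svc.exe"
2018-04-12T09:31:03Z\tCORP\\jlee\tC:\\Users\\jlee\\AppData\\Local\\Temp\\svc.exe\tcmd.exe /c vssadmin Delete Shadows /all /quiet
2018-04-12T09:31:03Z\tCORP\\jlee\tC:\\Users\\jlee\\AppData\\Local\\Temp\\svc.exe\tcmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
2018-04-12T09:31:04Z\tCORP\\jlee\tC:\\Users\\jlee\\AppData\\Local\\Temp\\svc.exe\tcmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2018-04-12T09:31:05Z\tCORP\\jlee\tC:\\Users\\jlee\\AppData\\Local\\Temp\\svc.exe\tcmd.exe /c del /s /f /q c:\\*.VHD c:\\*.bac c:\\*.bak c:\\*.wbcat c:\\*.bkf c:\\Backup*.* c:\\backup*.* c:\\*.set c:\\*.win c:\\*.dsk
2018-04-12T10:02:17Z\tNT AUTHORITY\\SYSTEM\tC:\\Windows\\System32\\services.exe\tvssadmin list shadows
2018-04-12T10:05:40Z\tCORP\\backupsvc\tC:\\Program Files\\BackupAgent\\agent.exe\tvssadmin create shadow /for=C:
"""

# Each rule is (name, regex over the command line). Patterns follow Table 3-3.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_storage_resize",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize=", re.I)),
    # del with a /s, /f or /q switch and one of the backup extensions from the sample
    ("backup_file_deletion",
     re.compile(r"\bdel\b.*\s/[sfq]\b.*\\\*\.(vhd|bac|bak|wbcat|bkf|set|win|dsk)\b", re.I)),
]

def parse_line(line: str) -> Dict[str, str]:
    """Split one record into fields; malformed records raise ValueError."""
    parts = line.split("\t", 3)
    if len(parts) != 4:
        raise ValueError(f"expected 4 tab-separated fields: {line!r}")
    ts, user, parent, cmd = parts
    return {"time": ts, "user": user, "parent": parent, "cmd": cmd}

def classify(cmd: str) -> List[str]:
    """Names of the rules that match this command line (empty if benign)."""
    return [name for name, rx in RULES if rx.search(cmd)]

def hunt(log_text: str) -> List[Dict[str, str]]:
    """Return every record matching at least one rule, with the rule names attached."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        matched = classify(ev["cmd"])
        if matched:
            ev["rules"] = ",".join(matched)
            hits.append(ev)
    return hits

def chain_by_parent(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Collapse hits to {parent image: sorted distinct rule names}."""
    by_parent: Dict[str, set] = {}
    for ev in hits:
        by_parent.setdefault(ev["parent"], set()).update(ev["rules"].split(","))
    return {p: sorted(r) for p, r in by_parent.items()}

PRECURSOR_SET = {"shadow_copy_deletion", "shadow_storage_resize", "backup_file_deletion"}

def is_ransomware_precursor(rules: List[str]) -> bool:
    """One parent doing all three is the Hermes 2.1 sequence; a lone resize or
    delete is routine administration and should be logged, not alerted on."""
    return PRECURSOR_SET <= set(rules)

if __name__ == "__main__":
    for parent, rules in chain_by_parent(hunt(SAMPLE_LOG)).items():
        verdict = "RANSOMWARE PRECURSOR" if is_ransomware_precursor(rules) else "review"
        print(f"{verdict}: {parent} -> {', '.join(rules)}")
```

Run as a script it reports the dropped svc.exe as a precursor and ignores the two benign vssadmin invocations. In production the same rules fit a Sysmon Event ID 1 or EDR process feed; keep the per-parent correlation, because alerting on a single "vssadmin resize shadowstorage" generates noise from backup administrators.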


3.2 Dynamic Analysis

1. As Figure 3-1 shows, the instruction "MOV ESI, HerMes.00406218" loads the address 00406218 into ESI. ESI is the source-index register, conventionally used as the source pointer for string and memory-copy loops, so this instruction sets up the address that the following code reads from. The data at 00406218 is the list of file extensions that Hermes 2.1 encrypts (Figure 3-2).

[Figure 3-1] Targeted file types

[Figure 3-2] Contents at address 00406218


2. Figure 3-3 shows the evidence that files are encrypted with the RSA and AES algorithms.

[Figure 3-3] RSA/AES

3. Hermes 2.1 opens each targeted file through the CreateFileA function, which creates or opens a file or I/O device and returns a handle to it.

[Figure 3-4] Process of file encryption


4. After opening a file with CreateFileA, Hermes 2.1 writes the encrypted contents back using the WriteFile function.

[Figure 3-5] Encryption Command line


5. Figure 3-6 shows the final step, in which the file extension is changed to .HRM.

[Figure 3-6] Process of file extension change (encryption in progress)
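Section 3.2 describes the encryption loop: open a target (CreateFileA), overwrite it (WriteFile), rename it with the .HRM suffix. During incident response the first question is how many files this actually happened to. The script below is an added example, not part of the SOOSAN INT report and not the malware's own code; it walks a directory, treats a .HRM suffix as the rename marker, recovers the original extension and checks it against a small subset of Table 3-2, and measures the Shannon entropy of the first 64 KiB to confirm that the bytes are really ciphertext rather than a renamed plaintext file. The 7.5 bits-per-byte threshold and the sample directory it builds in a temporary folder are assumptions for this example.

```python
"""Triage a directory for Hermes 2.1 encryption artefacts.

Added example, not code from the SOOSAN INT report or from the malware.
Assumptions: the .HRM suffix marks a rewritten file (section 3.2), the
extension subset below is taken from Table 3-2, and the entropy threshold
is a heuristic chosen for this example.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Tuple

HERMES_SUFFIX = ".HRM"
ENTROPY_THRESHOLD = 7.5     # assumption: AES output sampled over a few KiB sits near 8.0
SAMPLE_BYTES = 64 * 1024    # read at most this much per file

# Small subset of Table 3-2 (the report lists far more); lower-case, with dot.
TARGETED_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".zip", ".rar",
    ".sql", ".mdf", ".dbf", ".kdbx", ".bak", ".vhd", ".txt", ".dwg",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def split_hermes_name(name: str) -> Tuple[str, bool]:
    """('q1.xlsx', True) for 'q1.xlsx.HRM'; (name, False) when the suffix is absent."""
    if name.upper().endswith(HERMES_SUFFIX):
        return name[:-len(HERMES_SUFFIX)], True
    return name, False

def classify_file(path: Path) -> Dict[str, object]:
    """Describe one file: renamed by Hermes?, original extension, targeted?, entropy, encrypted?"""
    original, renamed = split_hermes_name(path.name)
    ext = Path(original).suffix.lower()
    with path.open("rb") as fh:
        ent = shannon_entropy(fh.read(SAMPLE_BYTES))
    return {
        "path": str(path),
        "renamed": renamed,
        "original_ext": ext,
        "targeted": ext in TARGETED_EXTENSIONS,
        "entropy": round(ent, 2),
        # a rename alone is not proof: require ciphertext-like content as well
        "encrypted": renamed and ent >= ENTROPY_THRESHOLD,
    }

def triage(root: Path) -> List[Dict[str, object]]:
    """Classify every regular file under root."""
    return [classify_file(p) for p in sorted(root.rglob("*")) if p.is_file()]

def summarize(results: List[Dict[str, object]]) -> Dict[str, int]:
    enc = [r for r in results if r["encrypted"]]
    return {
        "files": len(results),
        "renamed": sum(r["renamed"] for r in results),
        "encrypted": len(enc),
        "encrypted_targeted": sum(r["targeted"] for r in enc),
    }

def build_sample_tree(root: Path) -> None:
    """Constructed victim directory: two ciphertext-like files, one rename-only
    decoy (plaintext under a .HRM name) and one untouched file."""
    (root / "finance").mkdir()
    (root / "finance" / "q1.xlsx.HRM").write_bytes(os.urandom(8192))        # stands in for AES output
    (root / "finance" / "notes.txt.HRM").write_bytes(b"plain text " * 400)  # renamed, not encrypted
    (root / "db.sql.HRM").write_bytes(os.urandom(16384))
    (root / "readme.md").write_bytes(b"unaffected file\n" * 50)

def run_demo() -> Dict[str, int]:
    """Build the sample tree in a temporary directory and return the triage summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return summarize(triage(root))

if __name__ == "__main__":
    print(run_demo())
```

Run as a script it prints the summary for the constructed tree. Against a real share, point triage() at the root and review entries that are renamed but below the entropy threshold separately; they are not ciphertext and deserve a closer look rather than being written off as encrypted.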


4. Recommendations

[Figure 4-1] Three Steps for Ransomware Attack Mitigation

1. (First Step) Prevention: regular updates of AV (anti-virus) software and systems

At a minimum, keep anti-virus signatures, operating systems and applications up to date. Attacks that rely on exploits, as Hermes 2.1 does, are increasing, and a patched Flash Player is not affected by CVE-2018-4878.

2. (Second Step) Detection: detection of malicious sites with eWalker/ePrism

The best defence is not to visit a site that serves ransomware, but a user has no way to tell that a site has been compromised. We therefore recommend eWalker/ePrism. eWalker maintains a database of more than 400,000 malicious sites and receives updates of around 30,000 entries, so it can block Drive-by-Download infections before the exploit is served. ePrism additionally detects malware, including ransomware, that is hidden inside encrypted network traffic.

3. (Third Step) Reaction: securing important assets with eRed

eRed is a security solution that blocks unauthorized processes from executing, based on a whitelist. Because malicious behaviour is never allowed to run, it protects against ransomware including Hermes 2.1. We verified this by introducing Hermes 2.1 onto a server protected by eRed and confirming that eRed blocked it. Its protection is robust because it runs at the hypervisor level beneath the guest OS.


2018 SOOSAN INT Security Analysis Reports

Malware Analysis Monthly Report

2018-01: Cryptocurrency Mining Malware Analysis (January 2018)

2018-02: UBoat RAT Analysis Report (February 2018)

2018-03: Olympic Destroyer Analysis Report (March 2018)

2018-04: Drive by Download and Hermes 2.1 (April 2018)


End of Document

#3F, Suseo Hyundai Venture-ville, 10, Bamgogae-ro 1-gil, Gangnam-gu, Seoul, Korea 06349

Tel +82-2-541-0073 | Fax +82-2-541-0204

E-mail [email protected]

HP http://www.soosanint.com