Thursday 7 June 2012

Win32/Weelsof: Smoke Loader, Zeus, Ransomware... juicy business

My interest come from a simple 56kb file posted by Blaze on a forum.

The winlock was deployed from
http://volvo.picturefont.in/sofosfuckoff.php?page=anime&u=4f57927d606042b359000001&s=4f7dc3844c8635f52e000085&t=4fbbbd7fd82d96662c053c3e&java=1.6.0.17&pdf=7.0.0.0 4 739 
http://volvo.picturefont.in/loadorrndname.php?x=x&u=4f57927d606042b359000001&s=4f7dc3844c8635f52e000085&id=4fbbbd80d82d96662c053c42&spl=emailInf_7
A little 'hello' to Sophos guys ?

Traffic screenshots courtesy of Malekal:


Also not related to this winlock but... lovecamplanet.com
Hey AV guys.. it's time to wake up, this domain delivers ransom malvertising since April.

So, to get back on our winlock, based on your configuration (GetUserGeoID) this ransomware will download a rar archive who contain the theme:

Other examples:



Unpacking


This winlock is very primitive, it download a archive package, decompress, and load the design
Then it download a Ukash pins blacklist.
http://police-center.in/bbac/arch/design_54000000 (for the french package)
http://police-center.in/bbac/black.dat (Ukash pins blacklist)
And a cool php file "BBAC" statistics of our winlock, with a fopen() error fixed at ~18:00 GMT+1 the same day

17k installs, 65k eurs.

This panel is coded in php and don't use a mysql database, ukash codes are stored on a plaintext file in the server like this:
[IP] [GEOID] [AMOUNT] [PIN]
the php just retrieve and parse.


Found also a Smoke Loader,
Stats:

Bots:

EXE:

Options:

Logs:

The exe distributed via Smoke Loader is know as "Trojan.MBRlock.16" by drWeb but so far according to VirusTotal just one AV on 42 detect it. (And the AV detect it as 'unknown virus' :))
File reported to Vxvault and MDL.

Time/DateStamp of the MBRLock: 4F3BDB61 - 16:20:49 - 15 Feb 2012
Found on May with a low detection rate, did the ransom guys even used the bin ?
Also probably not related but we got a wave of "Trojan.MBRlock.16" (bootkitlock.gen32) in France on Feb.
Smoke Ldr latest bots activity: 26 Feb.



ICQ:

But... there is not only a Smoke Loader....

Zeus:

Statistics: (3480k reports, bbq!)

OS:

Bots:


Scripts:

Search in db:

Search in files:

Informations:

Options:

User:

Users:

No Zeus sample found... just some config files and.. the cryptkey found inside doesn't match with configs :(
Zeus reports stopped the 2 April 2012, and first bins of weelsof was found the 10 April.

The 22 may, a new DNS appeared with also a new build of the winlock.

With also a new gate...

The new panel have now a pchart, admin login, and use a MySQL database.



Login:

Dashboard:

Pins:

Stats:

Blacklist:

4 days after (approx), more C&C directories was spawn, with the 'blacklist' feature replaced with a 'clear tables' function, pchart was removed, and they added a install date column.



This winlock is identified by Microsoft as "Win32/Weelsof"
I've searched on my dbs all files tagged as *Weelsof* removed/junk unpacked things for finally build a approximate timeline.



[Dumped] 9bdeb633a449443d088fc2bb325f43e1a952526291d26568949fcd657483fa1f  • 4F828F57 (07:27:19 09/04/2012) » weelsoffortune.infoPacked: 3752687d4611cc8ce35086750c4f8601eaf21afe389d41d426345e009ff92dc7 • 4F837195 (23:32:37 09/04/2012)

[Dumped] 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f • 4F83FCDA (09:26:50 - 10/04/2012) » weelsoffortune.info
Packed: 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f • 4F84A969 (21:43:05 - 10/04/2012)

[Dumped] 62ebcfeeff976f3635e36544b9f6d6282a565ea6a0b4d8319d9831ce68ef26df • 4F854EC3 (09:28:35 - 11/04/2012) » weelsoffortune.info
Packed: 62ebcfeeff976f3635e36544b9f6d6282a565ea6a0b4d8319d9831ce68ef26df • 4F8644BB (02:58:03 - 12/04/2012)

[Dumped] 73c3d88d0d9d1c73080bcdda423879ce9eff3aa1f26cc93d120f596091825960 • 4F8C315F 14:49:03 - 16/04/2012) » trybesmart.in
Packed: 73c3d88d0d9d1c73080bcdda423879ce9eff3aa1f26cc93d120f596091825960 • 4F8DFBBF (23:24:47 - 17/04/2012)
Packed: be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d • 4F90A68A (23:58:02 - 19/04/2012)
Packed: 61318fa1f1db342045573d584badc254c9e2578db916594dc749d8cc44ce8ac4 • 4F91F15B (23:29:31 - 20/04/2012)
Packed: 425c42d6108db6b6b5cbda7a5417b5f55225c47ac588f5f0a293c2b07a78d14b • 4F9906FF (08:27:43 - 26/04/2012)

[Dumped] 4f0b6605434c1355b10950024eaa9f695822278f57c29275706c0e5b29b369b0 • 4F9911B3 09:13:23 - 26/04/2012) » trybesmart.in
Packed: 19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf • 4F9B33C5 (00:03:17 - 28/04/2012)
Packed: 78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b • 4FA04B59 (20:45:13 - 01/05/2012)
Packed: d0a5cfec8e80622b3e194b5ee03e93d78c7ef3478bead6a039d213caaaa58523 • 4FA478A6 (00:47:34 - 05/05/2012)
Packed: 4f0b6605434c1355b10950024eaa9f695822278f57c29275706c0e5b29b369b0 • 4FA6FBBB (22:31:23 - 06/05/2012)
Packed: 80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2 • 4FAAF59A (22:54:18 - 09/05/2012)
Packed: ccc71c83c8d9895ef0b375273f9f185dfac63ecd01775e2dc705afe4d48c95e2 • 4FAD9768 (22:49:12 - 11/05/2012)

[Dumped] d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4 • 4FB252FB 12:58:35 - 15/05/2012) » police-center.in
Packed: d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4 • 4FB30D08 (02:12:24 - 16/05/2012)
Packed: 46ca6b1972c81eab77202146184afe95b797bd4e3788c59e8036e748b55fc28c • 4FB566FC (21:00:44 - 17/05/2012)

[Dumped] 3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458 • 4FBA3695 12:35:33 - 21/05/2012) » euro-police.in
Packed: 3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458 • 4FBADA26 (00:13:26 - 22/05/2012)

---
• dns: 1 ›› ip: 62.76.41.126 - adresse: WEELSOFFORTUNE.INFO
• dns: 1 ›› ip: 62.76.41.126 - adresse: TRYBESMART.IN
• dns: 1 ›› ip: 62.76.41.126 - adresse: POLICE-CENTER.IN
• dns: 1 ›› ip: 62.76.47.158 - adresse: EURO-POLICE.IN

The first version of the ransom used a "Windows XP JPEG" icon, latest versions have no icon.

And used the dns weelsoffortune.info, that probably for that AV detect these lockers as "Win32/Weelsof"

Old design download are also based on user configuration:

Other examples:



They also used embarked languages:
They leaved also a PaysafeCard/Ukash choice for infected user, actual samples want only Ukash pins.

Embeds absolute PDB path (found in old and new samples):
..\..\sources\projects\locker.cpp
..\..\sources\includes\gui_lib\gui_lib.cpp
D:\my projects\dilly\output\Release\locker.pdb
D:\my projects\bbac\output\Release\bbac.pdb

Weelsof sample found the 26 May use a new IP/C&C:
[Dumped] 86a4ec02684bfd8a055929b0aa6f687bd54e80da0ed689be4e315adf76edbbcb • 4FBF2E76 (07:02:14 - 25/05/012) » dolores.cursopersona.com
[Packed] c3dd2e3cf0ebeec7a6c280e187a044a32b54b369a78aaaa89c600a0767b49704 • 4FC0D14D (2:49:17 - 26/05/2012)
[Packed] 7e3061f5df2549d415e01e0e1eee27d8fb786faf54f78ece43ae8a8b69908d50 • 4FC58DCE (03:02:38 - 30/05/2012)
[Packed] c3ce4f9b159c5ccb7e4276a0e7952dd1eec1789a7b12416bc46dc942e8c4ae80 • 4FC58965 (02:43:49 - 30/05/2012)
[Packed] f25296744471f5f29718832998c20ac15bb968f426ae2259b5bdcb57a249d47f • 4FC8951F (10:10:39 - 01/06/2012)
[Packed] ccc4bd9fed66ce832118316c1726a75a46c29ba4c21c2dc9aea1bdc8c7d8d63b • 4FC9352D (21:33:33 - 01/06/2012)
[Packed] cded6e6767567464d9edd38457121b67efa607595e6b097e36f38b9822ba42b7 • 4FCAA54B (23:44:11 - 02/06/2012)

---
• dns: 1 ›› ip: 95.163.104.89 - adresse: DOLORES.CURSOPERSONA.COM

They leaved clodo.ru for cursopersona.com or it's just a test ?


---

Two sample found the 29 may still use the old IP and surprise.. a fresh DNS
Packed: 3dd58f7d4448eb74d1a3fecd9426cd7b72695043ef59d79674a57cfc3d8f97bc • 4FC49BF4 (09:50:44 - 29/05/2012) » police-central.in
Packed: d3bbe389c0e40142199b664c4b4ffd95236fa9447709b90aef2378a0e91a18f8 • 4FC4B3ED (11:33:01 - 29/05/2012) » police-central.in

---
• dns: 1 ›› ip: 62.76.47.158 - adresse: POLICE-CENTRAL.IN 

Seem they moved definitely on dolores.cursopersona.com, i will continue to watch them for see what's going on.

They have actually 2 C&C, and do the usual business with no new modification on the panel.
http://dolores.cursopersona.com/cp.php
http://dolores.cursopersona.com/bs/cp.php


Weelsof bins can be downloaded here and here
Ransomware theme here

Stay safe.

6 comments:

  1. Very informative as always.

    ReplyDelete
  2. Да бросай ты свои автомобили...Смело иди в AV компанию.
    Жаль если мы тебя потеряем

    ReplyDelete
  3. А лучше в фейк-ав-компанию. 80К евро с 17К инсталлов ололо))

    ReplyDelete
  4. cool! we need more cyber worriers like you!

    ReplyDelete
  5. Interesting bot I wonder how can you login those smoke and zeus panel???

    ReplyDelete
    Replies
    1. If you already have access to the account hosting the bot controller then you can simply change the password manually from mysql.

      Delete