June 9, 2015 - Aaron Shelmire

BePush Python Servant Malware

<h2>Summary</h2><p>Recently the ThreatStream Labs team became aware of Facebook posts linking to a decoy page that prompted the user to download an executable masquerading as a “video player” plugin. After some analysis, the ThreatStream Labs group found that it belonged to the BePush group. BePush, aka Kilim, refers to a group of cyber criminals believed to be based in Turkey, based upon the language used in decoy website comments and Python program comments. These phishing decoy pages attempt to copy the look and feel of Facebook pages, using sexual themes to lure unwitting users into clicking on links within the pages. The links often appear as videos and prompt the user to download and execute a video-themed executable (example filenames include <code>xvplayer.exe</code> or <code>MoviePlayer13.exe</code>). One sample of the BePush group’s malware is actually compiled Python code; the actors have named these files Servant. While the executable can be analyzed using a disassembler such as IDA Pro, the original Python code can be extracted using pyinstxtractor (available at: <a href="https://sourceforge.net/projects/pyinstallerextractor/" target="_blank">https://sourceforge.net/projects/pyinstallerextractor/</a>). After running pyinstxtractor via <code>python pyinstxtractor.py exefilename</code>, you will have a representation of the original Python script and the resources that had been compiled into the executable.</p><h2>Functionality</h2><p>The BePush Python Servant malware’s main purpose is to steal the compromised user’s Facebook credentials and thoroughly gather nearly all useful information about the compromised Facebook user. That information is then exfiltrated to a C2 server. The Python Servant samples include two C2 servers. 
In this sample (MD5 <a href="https://www.virustotal.com/en/file/b91ba9818269c6bf3e1743331e46969b2e9b657c284757ca4c0fcdcb9e99f502/analysis/" target="_blank">9c65353dac99e29abd26fc054a8548e1</a>) the C2 servers are <code>hXXp://www.updatemodule[.]com</code> and <code>hXXp://feedbacksystem[.]info</code>. The BePush Python Servant can also post a link to the decoy page on the compromised user’s Facebook wall, in an attempt to spread further. The BePush Python Servant malware can perform the following operations:</p><ul><li><code>update</code> - download and execute a new executable</li><li><code>token</code> - retrieve the compromised user’s Facebook token from the Internet Explorer, Chrome, or Firefox browsers</li><li><code>profilpost</code> - post to the compromised user’s Facebook wall*</li><li><code>pyrun</code> - execute commands or programs that are accessible to the compromised host</li></ul><p>The example Python script analyzed for this TIPS includes commented-out logic to direct the compromised host to connect to additional web sites in a function named “remotecon”. This function may not have been completed, and might have been intended to allow the remote operator to use the compromised host as a proxy to remote sites.</p><h2>Host and Network Indicators</h2><p>The BePush Python Servant copies itself to <code>%APPDATA%</code>. 
Persistence is set via the HKEY_CURRENT_USER Run key, with a value named “servant” whose data is the path to the executable in the compromised user’s <code>%APPDATA%</code>, as seen in the Registry Editor image below.</p><p><img alt="Registry Editor" src="https://cdn.filestackcontent.com/3IZMEAeCRbeq0cVHgwUh"/></p><p>The malware also sets additional persistence by adding a new scheduled task named <code>winoperatesysschedule</code>, as seen in the Scheduled Tasks output below.</p><p><img alt="Scheduled Tasks" src="https://cdn.filestackcontent.com/d0Jwx0ZdQ5WVpbbMasWm"/></p><p>The malware modifies the user’s <code>System32\drivers\etc\hosts</code> file to route many sites to <code>127.0.0.1</code>, including the Facebook content caching sites on Akamai, antivirus sites, technology press websites (including pcworld, krebsonsecurity.com and threatmetrix.com), and law enforcement websites (including cybercrime.gov, met.police.uk, and interpol.int). The Python Servant attempts to steal Facebook credential tokens from <code>iexplore.exe</code>, <code>firefox.exe</code>, and <code>chrome.exe</code>. When the Python Servant attempts to hijack a Facebook session, it posts to the compromised user’s Facebook wall with the following User-Agent: <code>Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36</code>. This is a known User-Agent of Chrome 38 on Windows 7; however, it may not match the web browsers actually installed on the compromised host, so a mismatch between the installed browser and the observed User-Agent is worth looking for. The HTTP traffic to the C2 server uses a User-Agent of <code>python-requests/2.7.0 CPython/2.7.9 Windows/7</code>. If an error occurs during installation, an HTTP request is sent containing the following parameter: <code>error=Melting%3A+From%3Ac%3A%5Cusers%5Cusername%5Cdesktop%5Cxvplayer.exe+To%3A%3A%5Cusers%5Cusername%5Cappdata%5Croaming%5Cxvplayer.exe</code>, where "username" is replaced with the username of the compromised user and xvplayer.exe is replaced with the name of the executable. 
If this sort of work interests you, ThreatStream is <a href="https://www.anomali.com/company/careers">hiring both researchers and engineers</a> and if you want to be protected from threats like this, <a href="https://ui.threatstream.com/registration/" target="_blank">sign up to try ThreatStream Optic</a>.</p><p>* note: profilpost functionality was not implemented in this sample.</p>
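<p>The Summary notes that the Servant executable is compiled Python that pyinstxtractor can unpack. The following example is added here and is not code from the original post or from the BePush actors; it shows the triage check an analyst can run before reaching for a disassembler. PyInstaller appends its archive to the stub executable and terminates it with a cookie whose first eight bytes are the magic <code>MEI\x0c\x0b\x0a\x0b\x0e</code>, so finding a well-formed cookie tells you the sample is a PyInstaller build worth handing to pyinstxtractor. The bytes returned by <code>build_fake_sample</code> are constructed for the demonstration and are not taken from the analyzed sample.</p>

```python
"""Triage check: does a Windows executable carry a PyInstaller archive?

Added example, not code from the original write-up or from the BePush actors.
PyInstaller appends its archive to the stub and terminates it with a fixed
cookie that starts with the magic MEI\x0c\x0b\x0a\x0b\x0e.  The sample bytes
built below are constructed; no real binary is embedded.
"""
import struct
from typing import Dict, Optional

PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie fields shared by PyInstaller 2.x archives, big-endian:
# magic(8) archive_len(4) toc_offset(4) toc_len(4) python_version(4)
COOKIE_FMT = "!8sIIII"


def find_pyinstaller_cookie(data: bytes) -> Optional[Dict[str, int]]:
    """Return the parsed cookie if `data` looks PyInstaller-packed, else None."""
    idx = data.rfind(PYINSTALLER_MAGIC)
    if idx < 0 or idx + struct.calcsize(COOKIE_FMT) > len(data):
        return None
    _magic, archive_len, toc_off, toc_len, pyvers = struct.unpack_from(COOKIE_FMT, data, idx)
    # Sanity checks: the TOC must lie inside the archive the cookie describes,
    # and the archive cannot be larger than the file itself.
    if toc_off + toc_len > archive_len or archive_len > len(data):
        return None
    return {
        "cookie_offset": idx,
        "archive_len": archive_len,
        "toc_offset": toc_off,
        "toc_len": toc_len,
        "python_version": pyvers,  # two-digit encoding, e.g. 27 for CPython 2.7
    }


def describe(data: bytes) -> str:
    """One-line verdict suitable for a triage log."""
    cookie = find_pyinstaller_cookie(data)
    if cookie is None:
        return "no PyInstaller archive found"
    major, minor = divmod(cookie["python_version"], 10)  # assumes the 2.x-era two-digit field
    return "PyInstaller archive (Python %d.%d), %d bytes, TOC at +%d" % (
        major, minor, cookie["archive_len"], cookie["toc_offset"])


def build_fake_sample() -> bytes:
    """Constructed stand-in for a packed executable: an MZ stub, a dummy
    archive body, and a valid cookie claiming Python 2.7."""
    stub = b"MZ" + b"\x00" * 62
    body = b"\x00" * 100          # where the CArchive entries would live
    toc_off, toc_len = 80, 20     # TOC occupies the last 20 bytes of the body
    archive_len = len(body) + struct.calcsize(COOKIE_FMT)
    cookie = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, archive_len, toc_off, toc_len, 27)
    return stub + body + cookie


if __name__ == "__main__":
    print(describe(build_fake_sample()))
    print(describe(b"MZ" + b"\x00" * 200))
```

<p>The check is deliberately conservative: a stray magic string inside an unrelated file is rejected unless the offsets it points at are consistent, which keeps the verdict usable as a first-pass filter over a directory of samples.</p>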
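<p>The host and network indicators above can be turned into checks over artifacts collected from a suspect host. The example below is added here and is not code from the original post. The indicator values (the <code>servant</code> Run value under <code>%APPDATA%</code>, the <code>winoperatesysschedule</code> task, hosts-file redirects to <code>127.0.0.1</code>, the <code>python-requests</code> User-Agent, the two C2 domains and the <code>error=Melting</code> parameter) come from the write-up; the hosts file, the .reg export, the <code>schtasks /query /fo csv /nh</code> output and the proxy log lines are constructed sample inputs, and the proxy-log line format is this example's own assumption rather than anything the report describes.</p>

```python
"""Checks for the BePush Python Servant host and network indicators.

Added example, not code from the original post.  Indicator values come from the
report; every input below is constructed, and the proxy-log line format is an
assumption of this example.
"""
import csv
import io
import re
from typing import Dict, List

C2_DOMAINS = {"www.updatemodule.com", "feedbacksystem.info"}   # from the report
RUN_VALUE_NAME = "servant"
TASK_NAME = "winoperatesysschedule"
C2_UA_PREFIX = "python-requests/"
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def sinkholed_hosts(hosts_text: str) -> List[str]:
    """Hostnames the hosts file pins to loopback/null, minus the normal localhost lines."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then whitespace-split
        if len(fields) >= 2 and fields[0] in SINKHOLE_ADDRS:
            hits.extend(n for n in fields[1:] if n not in LOCAL_NAMES)
    return hits


_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
_APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe", re.IGNORECASE)


def suspicious_run_values(reg_export: str) -> List[Dict[str, str]]:
    """Scan a .reg export of the HKCU Run key for the reported value name or an exe under %APPDATA%."""
    findings = []
    for line in reg_export.splitlines():
        m = _REG_VALUE.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        data = m.group("data").replace("\\\\", "\\")   # .reg exports double backslashes
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append("value name matches report")
        if _APPDATA_EXE.search(data):
            reasons.append("executable launched from %APPDATA%")
        if reasons:
            findings.append({"name": name, "data": data, "reason": "; ".join(reasons)})
    return findings


def suspicious_tasks(schtasks_csv: str) -> List[str]:
    """Task names from `schtasks /query /fo csv /nh` output that match the report."""
    rows = csv.reader(io.StringIO(schtasks_csv))
    return [r[0] for r in rows if r and r[0].strip("\\").lower() == TASK_NAME]


_PROXY_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def c2_beacons(proxy_lines: List[str]) -> List[Dict[str, str]]:
    """Flag lines (assumed format: <time> <client> <host> <path> "<ua>") that hit a C2 or carry the error report."""
    hits = []
    for line in proxy_lines:
        m = _PROXY_LINE.match(line)
        if not m:
            continue
        ts, client, host, path, ua = m.groups()
        reasons = []
        if host in C2_DOMAINS and ua.startswith(C2_UA_PREFIX):
            reasons.append("python-requests request to known C2")
        if "error=Melting%3A" in path:
            reasons.append("installer error report")
        if reasons:
            hits.append({"time": ts, "client": client, "host": host, "reason": "; ".join(reasons)})
    return hits


SAMPLE_HOSTS = """# constructed hosts file (not from the report)
127.0.0.1 localhost
127.0.0.1 krebsonsecurity.com
127.0.0.1 threatmetrix.com
127.0.0.1 cybercrime.gov
"""
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"servant"="C:\\Users\\user\\AppData\\Roaming\\xvplayer.exe"
'''
SAMPLE_TASKS = '"\\winoperatesysschedule","N/A","Ready"\n"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"\n'
SAMPLE_PROXY = [   # constructed; the last line is benign traffic with the same UA
    '2015-06-09T10:01:02Z 10.0.0.12 www.updatemodule.com /index.php "python-requests/2.7.0 CPython/2.7.9 Windows/7"',
    '2015-06-09T10:02:10Z 10.0.0.12 feedbacksystem.info /?error=Melting%3A+From%3Ac%3A%5Cusers%5Cbob%5Cdesktop%5Cxvplayer.exe "python-requests/2.7.0 CPython/2.7.9 Windows/7"',
    '2015-06-09T10:03:00Z 10.0.0.15 pypi.python.org /simple/ "python-requests/2.7.0 CPython/2.7.9 Windows/7"',
]


def run_checks() -> Dict[str, int]:
    """Run every check over the constructed artifacts and return hit counts."""
    return {
        "sinkholed_hosts": len(sinkholed_hosts(SAMPLE_HOSTS)),
        "run_values": len(suspicious_run_values(SAMPLE_REG)),
        "tasks": len(suspicious_tasks(SAMPLE_TASKS)),
        "beacons": len(c2_beacons(SAMPLE_PROXY)),
    }
```

<p>Two design points: the hosts-file check flags any non-localhost name pinned to loopback rather than matching the report's list, since the blocked sites are an observable side effect regardless of which ones a given build targets, and the proxy check requires both the <code>python-requests</code> User-Agent and a known C2 host, because the User-Agent alone is shared with plenty of legitimate automation (the benign pypi line is there to show it is not flagged).</p>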
