CVE 2014-0322 Malware – Sakurel (Feb 21, 2014)

By

The Dell SonicWall Threats Research Team has spotted the latest malware being served in the recent CVE 2014-0322 attack. We have already shared our analysis on the exploit behavior so we will now discuss the behavior of the malware payload, Sakurel.

This malware has many features and contains multiple levels of embedded files. The malware ultimately seeks to steal information and provide a backdoor to the infected system, and uses different modules to accomplish its tasks.

The file that gets dropped after exploitation, ‘stream.exe’, has fairly basic dropper behavior. The file contains an XOR-encoded binary which gets decoded and executed in memory.

Appended data de-XORed

The decoded malware contains additional embedded modules, including one that provides for privilege escalation if the current user is not an administrator.

IsAnAdmin() Check

After checking if the current process is running as an administrator, the escalation module is extracted and dropped with a .dat extension, then executed via ‘rundll32’.

Execution of the Escalation module

This DLL contains a well-known technique for escalating user privileges via the ‘sysprep’ tool. This uses a UAC bypass which affects 32-bit versions Windows 7 and Windows 8.

Once the malware has administrator privileges, it extracts an OCX file from its resources and moves a copy of its original dropped incarnation into “MicroMedia” underneath “%APPDATA%LocalTemp” and creates the following registry key to execute when the system boots up:

  • ComputerHKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunMicroMedia: %APPDATA%LocalTempMicroMediaMediaCenter.exe

Once the malware has acquired sufficient access and achieved peristence on the machine, the Windows ‘hosts’ file is modified to redirect a number of domains to IP addresses controlled by the attackers. These strings from the binary show the domains the attackers are redirecting:

The following strings, which include command and control domains and paths, are encoded in the binary with the XOR key 0x56:

Overall the main motive of this malware is to steal user credentials from the targeted domains. The malware also provides full backdoor access to the system via the command and control structure. We will continue to monitor this threat and provide updates on its capabilities.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Sakurel.EX (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.