MiniDuke: Multi Component info-stealer spreads via Social Engineering

The Dell Sonicwall Threats Research team observed reports of a new multi component bot family named Mini Duke actively spreading in the wild.

These variations have been seen as far back as July 2012 and continue to operate as of September 2014.

Mini Duke steals various data from the infected computer and sends out to a Command & Control server. The stolen data include passwords stored by various Web browsers, Email clients, Instant Messengers, and other applications. The malware also performs key logging, takes screen shots, and steals clipboard data. It may create a scheduled task and a service in order to get started after system reboots.

Infection Cycle:

The Trojan uses the following icons:

Md5: dc6cc442c0900104a5601a6049354fad

The Trojan adds the following file to the file system:

C:Program FilesCommon FilesMicrosoft Sharedynqyyv.exe [Detected as W32/Miniduke .A]

C:WINDOWSsystem32usbnet.exe and %Userprofile%Application DataAdobesyscmvk.exe

%Userprofile% Local SettingsTempynqyyv.dll and C:Program FilesCommon FilesMicrosoft Sharedynqyyv.dll [DLL Module ]

The Trojan adds the following key to the Windows registry to ensure persistence upon reboot:

%Userprofile% Local SettingsTemp ynqyyvreg.reg [Create a Startup Service)

The malware infections starts by Social Engineering victims into opening either a Windows executable file with a fake name making it look like a document/image file, or a PDF file that contains an exploit. Here is an Example of Fake Doc File.

Once the victim opens the file, the malware starts information gathering. The data collection components found in the malware include a keylogger, clipboard stealer, screen Shot, and password stealers for a variety of popular chat, email and web browsing programs. Once the information has been collected, it is sent out to remote servers using FTP.

Rundll32.exe injected by miniduke to copy all its own components on the target system.

The Malware Create two processes usbsrv.exe and syscmvk.exe in C:WINDOWSsystem32usbsrv.exe and %Userprofile%Application DataAdobesyscmvk.exe

All these processes has Copyright(C) NVIDIA Corporation. All rights reserved fake file properties.

The usbsrv.exe registered as Watchmon Service job in Task Scheduler Service and in following key to the Windows registry HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun

The syscmvk.exe tries to run these commands on command shell

KeyLogger and Info Stealer

Mini Duke has the Key logger function, it uses GetKeyState and GetKeyboardState to capture the pressed keys on target system Key logging is skipped if one of the following Anti-Virus process is running on infected system:

Here is an Example for Key logger and clipboard data

Mini duke searches the hard drives and network drives for files that match any of the below patterns:

And also it will ignore if patterns files be such as following list:

• *.exe;
• *.ndb;
• *.mp3;

Info Stealer Component:
The malware has the capability to targets the following software:

For example Mini Duke steals Skype login MD5 and then attacker can obtain victims Skype username and password by using a brute-force the MD5 or for other instant messengers could decrypts the hash Algorithms.

It has been observed that the malware had other stealing functionalities that targeted applications such as Chrome, Firefox and Internet Explorer, amongst other things also retrieve / Grabbing List of web logins such as following list:

The malware is to attempt create a file in C:Documents and SettingsAll UsersDocuments folder that follows this format:

ntuser{4CB43D7F-7EEE-4906-8698-<8 Hexadecimal numbers>.pol

Here is an Example of Encrypted data

HTTP POST to Command and Control (C&C)

Mini Duke has the C&C communication over HTTP. Uses HTTP POST requests to one or more statically defined URLs are made on a regular basis. These POST requests such as the following fields in this order:

• m or mgn
• Auth
• Session
• DataID
• FamilyID
• BranchID
• VolumeID
• User
• Query

The first field does not have any value and Auth is the sample ID, this is same 8-character hex digit that can be found in the PDB path such as c:botgenstudiogenerations8f1777b0binBot.pdb

The value of Query depends on the request. The string which is Base64 encoded/RC4 encrypted, the string is composed of a 256-character string that is repeated seven times.

Rundll32.exe injected by Malware and its transfer Malware traffic to C&C Servers.

The C&C Servers are listed but not limited here also mini duke uses FTP server for File Transfer via following IPs & User name

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

• GAV: MiniDuke.A (Trojan)

Remote Administration Tools (RAT) are quiet common on the Windows platform in the current age but they are a rarity for the Mobile platform. AndroRat is one of the first reported RAT for Android, the next RAT that made news was Dendroid which was first reported in March 2014 and came with a price tag of $300 in underground sites. It gained popularity in a short time owing to its long list of features, but recently it has been making waves again after its source code leaked on GitHub. Dell SonicWALL Threats Research Team obtained a copy of the Dendroid Source Code and in this post we have highlighted some observations from our analysis of this threat.

The leaked code consists of:

• APK Binder
• Dendroid APK
• Dendroid Panel

APK Binder

The binder can be used to fuse a legitimate Android app with the malicious Dendroid app. This modified app can then be used to propagate Dendroid to unsuspecting victims

Dendroid APK

This apk acts as the payload for the RAT. It has capabilities to execute a wide range of commands, some of them are as follows:

Media volume up/down Ringer volume up/down Screen On Record Calls Block SMS Record Audio Take Video Take Photo Send Text Send Contacts Get user accounts		Call Number Delete Call Logs Open Webpage Update the app Delete Files ( audio, video, pictures, calls ) Get Browser History Get Browser Bookmarks Get Call History Open Dialog Box Get Inbox SMS HTTP flood

Dendroid Panel

This is the information console where the attacker can view all the details about his bots, issue commands to them and view results of these commands:

Infection Cycle

The Dendroid apk goes by the package name com.hidden.droidian and requests for the following permissions during installation:

QuickBoot PowerON Internet Access Fine Location Get Tasks Wake Lock Call Phone Write Settings Read Phone State Write External Storage Camera		Read SMS Write SMS Send SMS Receive SMS Get Accounts Read History Bookmarks Access Network State Read Contacts Record Audio Process Outgoing Calls

Once installed it appears in the appdrawer with an Adobe Flash icon. In the recent past there have been a number of Android malwares using the Adobe Flash icon, this one follows suit. Upon clicking the app nothing noticeable happens apart from the icon disappearing from the app drawer, but the app continues to run in the background through its Services:

The app has the following Services that run in the background:

• RecordService
• DroidianService

Droidian Service contains major bulk of the functions present in the malicious app. In addition, it contains details like URL which the Trojan should communicate with, the database password and other configuration options that can be set from the Panel.

Once this service starts it begins gathering information about the device and informs the attacker about successful infection. The following information is sent to the attacker via a get.php GET packet:

• UID – Used to identify the device
• Service provider
• Phone number
• GPS Co-ordinates that display the location of the device on a small worldmap
• Device Model
• SDK Version Information
• Database Password

Once this packet is received by the server, the attacker is able to see an entry in his Dendroid Panel for this infected device. He can then choose from a large arsenal of commands instructing what he wants to do on the victim device. The commands selected by him get queued in the panel, the malicious apk polls the server for a list of commands whenever the receiver ServiceReceiver gets triggered.

ServiceReceiver gets triggered for the following system events:

• Boot Completed
• SMS Received
• Phone State
• Action External Applications Available
• Quickboot PowerON

ServiceReceiver in turn checks and starts DroidianService if it is not already running, DroidianService then sends the get.php mentioned earlier and checks if there are any commands issued by sending get-functions.php

Once the command is executed on the device the malicious app informs the server about the successful execution via message.php. In the below example we initated the “Screen On” command on the Panel and when the device screen was turned on we observed a TCP packet being sent from the device stating “Screen On Complete”

After the source code leak there are a couple of things happening with regards to Dendroid:

• Security Researchers are analyzing and understanding this tool to strengthen protection against this threat. Some researchers have identified critical vulnerabilities in the Dendroid Panel highlighting loopholes towards Input Validation
• Malware writers are using and modifying the dendroid code to further improve/create new threats. There is already a modified APK Binder in the works and the author claims that he is working on a “new dendroid remake”
  

We can expect to see more Android RATs that get spawned off Dendroid code/architecture in the near future. As always be careful about where you download apps for your Android device and check the permissions that the app requests during installation and make an informed decision.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

• GAV: AndroidOS.Dendroid.EXP (Trojan)
• GAV: Dendroid.Binder (Trojan)