Chinese botnet leaks sensitive system info and awaits instructions

April 4, 2013

The Dell SonicWALL Threats Research team has discovered a new botnet originating from China. Apart from leaking sensitive system information and its potential click-fraud capability, the purpose of the botnet is not known at this time. It does, however, contain the ability to receive instructions from a remote C&C server and to download and run additional malicious executable files.

Infection Cycle:

Below is a sample of the DNS queries that the Trojan performed during analysis. Note that several of these hosts (statcounter.com, extreme-dm.com, opentracker.net) are public web-analytics services, which is consistent with the click-fraud capability but means they should not be treated as C&C indicators on their own:

  • kjuwqnbv.com
  • sd.newaot.com
  • kfdsalete.com
  • towtags.com
  • tl.extreme-dm.com
  • el.extreme-dm.com
  • script.opentracker.net
  • atl.opentracker.net
  • www.statcounter.com
  • www.google.com
  • www.fondauto.com
  • jsfeedget.com
  • funnygusta.com

The Trojan creates the following files on the filesystem:

  • %USERPROFILE%\kuswowugwize.exe [Detected as GAV: Pushdo.PVO (Trojan)]
  • %WINDOWS%\msisvc.exe [Detected as GAV: Wagiclas.AA (Trojan)]

The Trojan creates the following keys in the Windows registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kuswowugwize "%USERPROFILE%\kuswowugwize.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\msisvc.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\msisvc.exe GUID "530baa6df9246225b5ebcd3165946288"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion AppManagement hex:56,1f,42,65,88,38,e7,0b,a1,38,5b,0b,2e,51,74,24,
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion kuswowugwizezap hex:5c,98,2f,52,e8,7f,a2,39,5c,f2,89,ac,43,66,fc,20,
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMIADAPTER\000 Service "WMIAdapter"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMIADAPTER\000 ClassGUID "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
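The file, registry and DNS artifacts listed above are the host-side indicators a responder would hunt for. The following is an added example, not SonicWALL's code, that matches them against a Sysmon-style event list. The event field names, the sample events themselves, and the decision to treat only the non-analytics hosts from the DNS list as C&C candidates are assumptions; the indicator values are taken from the lists above.

```python
"""Host-side indicator matching for the Pushdo/Wagiclas sample described above.

Added example, not SonicWALL code. The event layout (a list of dicts with an
"event" kind and Sysmon-like fields) and the sample events are constructed.
"""
import re

# File indicators from the report, in the %VAR% placeholder form it uses.
FILE_INDICATORS = {
    r"%USERPROFILE%\kuswowugwize.exe": "Pushdo.PVO dropper in profile root",
    r"%WINDOWS%\msisvc.exe": "Wagiclas.AA payload in Windows directory",
}

# (key, value name) pairs from the report. The LEGACY_WMIADAPTER subkey is
# written exactly as the report prints it.
REG_INDICATORS = {
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "kuswowugwize"):
        "Run-key persistence for the dropper",
    (r"HKLM\SOFTWARE\msisvc.exe", "GUID"):
        "bot identifier stored under HKLM\\SOFTWARE\\msisvc.exe",
    (r"HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMIADAPTER\000", "Service"):
        "legacy service entry for 'WMIAdapter'",
}

# Assumption: only the hosts from the DNS list that are not public analytics
# services are treated as C&C candidates; statcounter, extreme-dm, opentracker
# and google would be far too noisy to alert on.
DNS_INDICATORS = {
    "kjuwqnbv.com", "sd.newaot.com", "kfdsalete.com",
    "towtags.com", "jsfeedget.com", "funnygusta.com",
}


def normalise_path(path):
    """Collapse a concrete Windows path to the %VAR% form used in the report."""
    p = path.replace("/", "\\")
    p = re.sub(r"^[a-z]:\\users\\[^\\]+", "%USERPROFILE%", p, flags=re.I)
    p = re.sub(r"^[a-z]:\\documents and settings\\[^\\]+", "%USERPROFILE%", p, flags=re.I)
    p = re.sub(r"^[a-z]:\\windows", "%WINDOWS%", p, flags=re.I)
    return p


def normalise_key(key):
    """Map long hive names and Sysmon's HKU\\<SID> form onto HKCU/HKLM."""
    k = re.sub(r"^HKEY_CURRENT_USER", "HKCU", key, flags=re.I)
    k = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", k, flags=re.I)
    k = re.sub(r"^HKU\\S-1-5-21-[\d-]+", "HKCU", k, flags=re.I)
    return k


def scan_events(events):
    """Return one human-readable hit string per event that matches an indicator."""
    hits = []
    file_map = {k.lower(): v for k, v in FILE_INDICATORS.items()}
    reg_map = {(k.lower(), n.lower()): v for (k, n), v in REG_INDICATORS.items()}
    for ev in events:
        kind = ev.get("event")
        if kind == "FileCreate":
            p = normalise_path(ev["target"]).lower()
            if p in file_map:
                hits.append(f"{file_map[p]}: {ev['target']}")
        elif kind == "RegistryValueSet":
            k = normalise_key(ev["key"]).lower()
            tag = reg_map.get((k, ev["value"].lower()))
            if tag:
                hits.append(f"{tag}: {ev['key']}\\{ev['value']}")
        elif kind == "DnsQuery":
            q = ev["query"].lower().rstrip(".")
            if q in DNS_INDICATORS:
                hits.append(f"C&C candidate DNS lookup: {q}")
    return hits


# Constructed events; the user name and SID are invented.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "target": r"C:\Users\bob\kuswowugwize.exe"},
    {"event": "FileCreate", "target": r"C:\Users\bob\Downloads\holiday.jpg"},
    {"event": "RegistryValueSet",
     "key": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "kuswowugwize"},
    {"event": "RegistryValueSet", "key": r"HKLM\SOFTWARE\msisvc.exe", "value": "GUID"},
    {"event": "FileCreate", "target": r"C:\WINDOWS\msisvc.exe"},
    {"event": "DnsQuery", "query": "www.google.com"},
    {"event": "DnsQuery", "query": "kjuwqnbv.com"},
    {"event": "FileCreate", "target": r"C:\Windows\Temp\setup.log"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

Matching on the normalised %USERPROFILE% and HKCU forms matters because the dropper lands in whichever profile ran it and Sysmon logs HKCU keys under the user's SID; matching on the literal strings from the report would miss both.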

The Trojan attempts to hide its activity from static analysis by encrypting the names of the Windows API functions it uses, so they do not appear as plain imports. We were able to locate the decryption routine, which revealed the calls at runtime.

Five of the decrypted functions are WinInet (wininet.dll) APIs, which the Trojan uses for querying HTTP URLs and downloading additional malicious files.

It uses the decrypted WinInet APIs to download a file named saq.jpg, using the User-Agent string "NC2E" in the request. Despite the extension, the downloaded file is not a JPEG image: it is an encrypted executable [Detected as GAV: Wagiclas.AA_2 (Trojan)] that the Trojan decrypts and runs. It moves this file to %WINDOWS%\msisvc.exe and executes it before terminating.

The Trojan contacts a server running a copy of Mentalis Proxy Server to validate certificates.

The Trojan communicates with a remote C&C server in order to report the infection and obtain further instructions; in this case it was instructed to wait. It sends sensitive information such as the MAC address of the network interface card, the Windows OS version and the external IP address of the compromised machine. The Trojan's build version number is sent as the User-Agent.

The Trojan was observed receiving the following response from a remote server. The response instructs the bot to download a file (qqka0328.jpg) from the specified URL, verify it against the hash supplied in the response, and also simulate webpage visits to a specified URL.
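The HTTP behaviour described above (the "NC2E" User-Agent on the saq.jpg download, the bare build version sent as the User-Agent on the C&C check-in, and payloads served under a .jpg name that are not JPEG images) can be checked at a proxy or over PCAP-derived logs. The following is an added example, not part of the report, that runs those checks over constructed HTTP transactions. The transaction record layout, the host names, the body bytes and the digits-and-dots heuristic for a version-string User-Agent are all assumptions; the report does not print the actual build number.

```python
"""Network-side checks for the downloader and C&C traffic described in the report.

Added example, not SonicWALL code. Transaction records use a constructed
{method, url, user_agent, body} layout; hosts and bodies are invented.
"""
import re

JPEG_MAGIC = b"\xff\xd8\xff"   # JPEG start-of-image marker
PE_MAGIC = b"MZ"               # DOS header of an unencrypted executable
KNOWN_BAD_UA = {"NC2E"}        # User-Agent the sample used to fetch saq.jpg

# Assumption: the report says the bot's build version is sent as the
# User-Agent but does not print it, so a digits-and-dots-only User-Agent
# is used here as a heuristic for that check-in.
VERSION_ONLY_UA = re.compile(r"^\d+(\.\d+)*$")


def classify(tx):
    """Return a list of findings for one HTTP transaction (empty if clean)."""
    findings = []
    ua = tx.get("user_agent", "")
    if ua in KNOWN_BAD_UA:
        findings.append(f"known downloader User-Agent {ua!r}")
    elif VERSION_ONLY_UA.match(ua):
        findings.append(f"bare version string as User-Agent {ua!r}")

    path = tx["url"].split("?", 1)[0].lower()
    body = tx.get("body", b"")
    # saq.jpg is an encrypted executable with an image name, so an image
    # extension whose bytes lack the JPEG marker is the signal to look for.
    if path.endswith((".jpg", ".jpeg")) and body and not body.startswith(JPEG_MAGIC):
        if body.startswith(PE_MAGIC):
            findings.append(f"JPEG name but plaintext PE body: {tx['url']}")
        else:
            findings.append(f"JPEG name but non-JPEG (possibly encrypted) body: {tx['url']}")
    return findings


def scan(transactions):
    """Return [(url, findings)] for every transaction with at least one finding."""
    out = []
    for tx in transactions:
        f = classify(tx)
        if f:
            out.append((tx["url"], f))
    return out


# Constructed transactions. Hosts, the "1.0.3" version string, the check-in
# path and all body bytes are invented; saq.jpg, NC2E and qqka0328.jpg are
# the names given in the report.
SAMPLE_TRANSACTIONS = [
    {"method": "GET", "url": "http://host-a.invalid/saq.jpg", "user_agent": "NC2E",
     "body": b"\x9d\x41\x07\xee\x2a\x5b\xc0\x13"},      # encrypted payload, not a JPEG
    {"method": "GET", "url": "http://cdn.invalid/banner.jpg", "user_agent": "Mozilla/5.0",
     "body": b"\xff\xd8\xff\xe0\x00\x10JFIF"},          # genuine JPEG
    {"method": "GET", "url": "http://host-b.invalid/report.php?id=1", "user_agent": "1.0.3",
     "body": b"wait"},                                  # check-in with version as UA
    {"method": "GET", "url": "http://host-c.invalid/qqka0328.jpg", "user_agent": "Mozilla/5.0",
     "body": b"MZ\x90\x00\x03\x00\x00\x00"},            # unencrypted PE under a .jpg name
]

if __name__ == "__main__":
    for url, findings in scan(SAMPLE_TRANSACTIONS):
        print(url)
        for f in findings:
            print("  -", f)
```

The magic-byte check is deliberately independent of the User-Agent rule: a later build could change the "NC2E" string, but a downloader that disguises executables as images still has to serve bytes that are not a JPEG.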

The msisvc.exe executable carries a valid code-signing certificate issued by WoSign, a trusted certificate authority located in China, to a company named Taihu county mianyang information and technology Inc. A valid signature only ties the file to that certificate; it says nothing about the intent of the signer, and the certificate itself is a useful indicator for hunting related samples.

A quick lookup of the e-mail address associated with the digital signature, 532476028@qq.com, turned up job postings by the same e-mail user for the same company.

The Dell SonicWALL UTM appliance provides protection against this threat with the following signatures:

  • GAV: DarkMoon.B_2 (Trojan)
  • GAV: Wagiclas.AA (Trojan)
  • GAV: Wagiclas.AA_2 (Trojan)
  • GAV: Pushdo.PVO (Trojan)
  • IPS: 9782 Darkmoon C&C activity 1
  • IPS: 9783 Darkmoon C&C activity 2