
July 31st, 2018

The traditional method of using macros to deliver malware is common, and quite easy to detect.

Over the past several weeks, however, the bad guys seem to have come up with a new method for delivering a FlawedAmmyy Remote Access Trojan (RAT) payload: Internet Query files (.IQY extension).

Simply put, an .IQY file is actually a text file that is used by Microsoft Excel. It carries a URL, and in some cases it might contain optional parameters which are used to make queries over the internet to download content directly.
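As an added illustration of the text format described above (not code from the original post), this Python snippet parses an .IQY file into its URL, dynamic parameters and settings, and applies a few constructed triage heuristics to the query URL; the sample contents, the example.invalid hosts and the scoring weights are all assumptions:

```python
import re
from urllib.parse import urlparse

# Constructed sample .IQY content (not the real attachment from this campaign).
# Layout follows the Excel web-query text format: a "WEB" marker, a version
# line, the URL line, then optional key=value settings.
SAMPLE_IQY = (
    "WEB\r\n"
    "1\r\n"
    "http://example.invalid/duo.dat\r\n"
    "\r\n"
    "Selection=EntirePage\r\n"
    "Formatting=None\r\n"
)

# A benign-looking query pulling a CSV over HTTPS, for comparison (constructed).
BENIGN_IQY = "WEB\r\n1\r\nhttps://data.example.invalid/report.csv\r\nSelection=EntirePage\r\n"

# A query using a dynamic parameter, ["name","prompt"], inside the URL (constructed).
DYNAMIC_IQY = 'WEB\r\n1\r\nhttps://data.example.invalid/q?region=["region","Enter region"]\r\n'

# Resource types a sheet would normally import; anything else is unusual (assumption).
EXPECTED_SUFFIXES = {"", ".csv", ".txt", ".htm", ".html", ".xml", ".iqy", ".aspx", ".php"}

PARAM_RE = re.compile(r'\["([^"]*)"(?:,"([^"]*)")?\]')
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_iqy(text):
    """Split an .IQY text file into its URL, dynamic parameters and settings."""
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0].upper() != "WEB":
        raise ValueError("not a WEB query file")
    idx = 1
    if idx < len(lines) and lines[idx].isdigit():   # optional version line
        idx += 1
    url = lines[idx] if idx < len(lines) else ""
    settings = {}
    for ln in lines[idx + 1:]:
        if "=" in ln:
            key, value = ln.split("=", 1)
            settings[key.strip()] = value.strip()
    return {"url": url, "params": PARAM_RE.findall(url), "settings": settings}


def triage_iqy(text, threshold=2):
    """Score the query URL with simple heuristics (constructed, not a vendor rule set)."""
    info = parse_iqy(text)
    parsed = urlparse(info["url"])
    last_segment = parsed.path.rsplit("/", 1)[-1].lower()
    suffix = last_segment[last_segment.rfind("."):] if "." in last_segment else ""
    findings = []
    if parsed.scheme == "http":
        findings.append(("cleartext http URL", 1))
    if IPV4_RE.fullmatch(parsed.hostname or ""):
        findings.append(("IP-literal host", 2))
    if suffix not in EXPECTED_SUFFIXES:
        findings.append(("unusual resource type %r" % suffix, 2))
    if info["params"]:
        names = ", ".join(name for name, _prompt in info["params"])
        findings.append(("dynamic parameters: " + names, 1))
    info["findings"] = [f for f, _w in findings]
    info["score"] = sum(w for _f, w in findings)
    info["suspicious"] = info["score"] >= threshold
    return info
```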

Here’s our 2-paisa worth on why .IQYs were chosen:

  • Element of surprise: a not-yet-widely-used infection vector
  • .IQY queries can be dynamic (a way to change and handle parameters for web queries), and hence more configurable and sophisticated
  • Parsing and matching on simple text files which can change easily leads to the usual challenges with generically detecting script-based malware
  • Maybe AVs just ain’t ready… yet?!

Here’s a pictorial representation of how the attack unfolds (Figure 1):

(Figure 1: Infection chain)

Please read further for a more detailed code analysis of the attack chain and the resultant payload(s).

The attack starts with a typical social engineering technique, i.e. a spam email that contains an .IQY file as an attachment.

As the .IQY file requires MS Excel, it won’t run as expected on systems without an MS Office installation. When run on systems with MS Excel, it triggers a chain of events that would result in downloading and executing the binary responsible for delivering the RAT.

The .IQY downloads a file called duo.dat using functionality in MS Excel – the 1st file to be downloaded as seen in Figure 2.

(Figure 2: Content of .IQY attachment)

duo.dat in turn downloads uno.dat using PowerShell – the 2nd file to be downloaded (Figure 3).

(Figure 3: “duo.dat” triggers download of “uno.dat”)

uno.dat then downloads dr.png using PowerShell. dr.png is actually a PE executable compiled with an unknown compiler, which gets saved as cmd_.exe in the %temp% location, and is executed with the Start-Process command (Figure 4).

(Figure 4: Code-snippet of “uno.dat” that downloads “dr.png”)

This file, in an attempt to evade detection by appearing legitimate, is signed with a valid digital certificate (Figure 5), and also has an encrypted PE file in its resource section which is responsible for delivering the FlawedAmmyy RAT.

(Figure 5: Valid digital certificate)

It allocates heap space at runtime which is used to dynamically decrypt meaningful code from its 2nd section (.jdata), and then transfers control to this decrypted content (Figure 6).

(Figure 6: Calls to create heap space and decrypt content)

This code then decrypts the encrypted PE file from the resource section (Figure 7) and overwrites the original file (cmd_.exe) with the decrypted PE file (Figure 8).

(Figure 7: Decrypting PE file from resource)

(Figure 8: Overwriting base file with decrypted file)

This is the penultimate binary in the chain, and could be considered the weakest link. A quick static analysis of the decrypted PE revealed that it is a Microsoft VC++ 8 compiled binary rife with Unicode strings and suspicious version information (the file description, which contains typos, says “Micropoft Common Protect”, and the original file name is “svchos”), almost begging to be detected (Figure 9).

(Figure 9: Static information from the dumped PE file)

This binary is tasked with downloading and executing the final FlawedAmmyy RAT. To ensure there are no conflicts of interests, so to speak, the following precautions are taken before the final download:

  • Any previous versions of the Ammyy RAT found on the system (with names like wmihost.exe, settings3.bin, wmites.exe, wsus.exe) are deleted (Figure 10)
  • Folders with the following names, if any, are deleted (Figure 11):

(Note: %s is the output of the SHGetSpecialFolderPath API, referring to the AppData directory)

  • It checks whether the user has administrator rights (Figure 12)
  • All Ammyy-related services found to be running are stopped and removed using cmd.exe (Figure 13)

(Figure 10: Delete older version files)

(Figure 11: Remove directories)

(Figure 12: Checks administrator rights)

(Figure 13: Stop and delete services)

Once the older versions are “dealt with”, a new folder is created to download the RAT afresh (Figure 14).

(Figure 14: Creates directory)

Before proceeding with the actual download, it checks for certain active AV processes in the environment (Figure 15).

(Figure 15: Checks for AV processes)

If any is found, it injects itself into a legitimate svchost.exe, which it creates in a suspended state, and resumes the thread once the injection is complete (Figure 16).

(Figure 16: Injects into svchost.exe)

The final step is to download the RAT itself from the following URL (Figure 17):
hxxp://thespecsupportservice[.]com/load[.]png

(Figure 17: Download RAT)

The file load.png is initially saved as a .tmp file. This encrypted file, which does not look like a PE, is then decrypted (by the main process cmd_.exe if no AV processes are found) to obtain the actual PE (Figure 18), after which the .tmp file itself is deleted (Figure 19).

(Figure 18: Decryption of .tmp file to get the executable)

(Figure 19: Delete .tmp file)

Once the decrypted RAT is saved as a separate executable (wsus.exe in this run), it is executed and all “required” services are enabled (Figure 20).

(Figure 20: Enabling services)

The RAT is now up and running to allow remote access, and it immediately commences sending the victim’s system information to the remote attacker over port 80 as a plain TCP packet (Figure 21), e.g.:

id = 56*****
os = 10 x64 (indicates Windows 10, 64-bit)
pcname = XYZ
avname = ABC
build_time = mm-dd-yyyy,  hh:mm:ss

(Note: we turned off K7 TS RT scanner for the purpose of analysis)

(Figure 21: Packet capture of victim’s system information being sent to the attacker)
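The plaintext key=value beacon shown above is easy to match on the wire. The following Python is an added example (not the post's own code, and not a K7 signature) that parses such a payload and flags a non-HTTP port-80 message carrying the system-information field set; the sample payloads and values are constructed:

```python
import re

# Constructed sample of a raw port-80 TCP payload modelled on the fields listed
# above (all values are made up, not captured data).
SAMPLE_BEACON = (
    b"id=56123456\r\n"
    b"os=10 x64\r\n"
    b"pcname=WORKSTATION-01\r\n"
    b"avname=ExampleAV\r\n"
    b"build_time=07-31-2018, 10:15:30\r\n"
)

# An ordinary HTTP request on the same port, which must not be flagged (constructed).
SAMPLE_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"

REQUIRED_KEYS = {"id", "os", "pcname", "avname", "build_time"}
HTTP_START_RE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|HTTP/)")
FIELD_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_beacon_fields(payload):
    """Return key/value pairs from a key=value payload; tolerates 'key = value' spacing."""
    fields = {}
    for raw in payload.decode("latin-1").splitlines():
        m = FIELD_RE.match(raw)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def is_ammyy_style_beacon(payload, min_keys=4):
    """Flag a non-HTTP payload that carries (most of) the system-info field set."""
    if HTTP_START_RE.match(payload):
        return False              # normal web traffic on port 80, leave alone
    fields = parse_beacon_fields(payload)
    matched = REQUIRED_KEYS.intersection(fields)
    return len(matched) >= min_keys


def summarize_beacon(payload):
    """Pull the fields an analyst would record (victim id, OS, host, AV, build time)."""
    fields = parse_beacon_fields(payload)
    return {key: fields.get(key) for key in sorted(REQUIRED_KEYS)}
```

The match threshold is deliberately below the full field count so a sample that omits, say, avname is still caught.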

Details about the IP address to which this information is sent are shown below (Figure 22):

(Figure 22: Recipient IP address courtesy of proxydocker)

Indicators of Compromise (IoCs)
File details
28EAE907EA38B050CBDCC82BB623C00A (cmd_.exe or dr.png) Riskware ( 0040eff71 )
D920413442ADDE78394077C2BDE093D8 (PE file dumped from memory) Trojan-Downloader ( 00532ae51 )
7920DAED2C352229C479171EE0B29457 (FlawedAmmyy RAT - wsus.exe) Trojan ( 00538c541 )
Non-PE files:
D2CBFE913C6C526FF0BE6030C673DCF0 (.IQY attachment from mail) Trojan ( 0001140e1 )
4AFC6EE5265A10AF09D8479108B3A460 (uno.dat) Trojan ( 0001140e1 )
hxxp://thespecsupportservice[.]com (malicious domain, blocked by K7SafeSurf)

Lokesh J
Threat Researcher, K7TCL
If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

June 8th, 2018

Trickbot, a banking Trojan family that has been around for some time now, aims at stealing banking credentials from infected victims. This blog post talks about a new variant of this Trojan that (ab)uses PowerShell, MS-Word macros and Office Equation Editor vulnerabilities as its infection vectors.

The document comes via email disguised as a BACS (Bacs Payment Schemes Limited, formerly known as Bankers’ Automated Clearing Services) request form as depicted in Figure 1.

Figure 1: Fake BACS request form that looks identical to the original form

The sender’s email id, “”, is crafted, a common enough social engineering technique to deceive an unsuspecting user into opening the attachment, which then asks the user to enable macros, claiming that this is necessary to auto-fill the form. Figure 2 depicts the flow of execution on opening the malicious DOC attachment and enabling the macros.

Figure 2: Execution flow

Macros contained in the Word document are depicted in Figure 3.

Figure 3: Macros

Once enabled, the macros create the cmd and PowerShell processes depicted in Figure 2 to execute the script that downloads the Trickbot binary. Here’s the actual PowerShell script that gets executed:

Figure 4: Actual script (courtesy of

Figure 5: Reformatted form of script for better readability

PowerShell is now one of the Windows components most widely abused by malware authors, since it is available by default on modern Windows and interacts easily with the .NET Framework. The Trickbot script uses the .NET API “DownloadFile” from a common .NET class (System.Net.WebClient) to download the malware’s preliminary binary component. Some thoughts on why this specific API was chosen:

  • The download happens in the background. There is no download progress indicator, i.e. the user is completely unaware of what’s happening
  • The thread cannot be interrupted until the current download is complete or fails.

The script also has a failsafe mechanism by way of a try/catch block which provides alternative download links to the binary component which were specifically created for the purpose of serving this malware:

  • hxxp[:]//interbanx[.]co[.]id/lopagores[.]png
  • hxxp[:]//chimachinenow[.]com/lopagores[.]png

These two domains were also found to host other malicious files as depicted in Figure 6.

Figure 6: Other malicious files hosted (courtesy of VirusTotal)

Once lopagores.png (which is actually a Portable Executable, i.e. PE) is downloaded successfully, the script executes it using the Start-Process command from a hard-coded path that keeps changing from sample to sample (temporary location as shown in Figure 5).

Behavioral analysis of the downloaded binary file

The binary component then copies itself to a sub-folder under the user’s %APPDATA% area along with another file named “client_id”, which contains the system details like the machine name and OS version, as well as an arbitrarily generated string to identify the bot and the campaign to which it belongs as depicted in Figure 7.

Figure 7: Sub-folder under %APPDATA% (NB: sample has been renamed to its SHA256 hash value)

An aptly-named folder “Modules” is also created along with the above files that acts as a placeholder for:

  • Any modules that get downloaded or pushed from the C&C (Command and Control) server
  • Files that are injected into various browsers to scrape user credentials

Persistence is taken care of by a scheduled task with multiple triggers created with the name “MsNetValidator” to masquerade as a legitimate task, a simple but effective way to hide from the average user.

Figure 8: Scheduled task for persistence

Registry modifications are also made (as shown in Figure 9) to exclude its folder from Windows Defender scans.

Figure 9: Registry entry for exclusion from Windows Defender scan

Before contacting any C&C server to download additional modules, the malware first retrieves the host’s public IP address by querying one or more of the following domains until a response is received:

  • www[.]ipify[.]org
  • icanhazip[.]com
  • myextrnalip[.]com
  • wtfismyip[.]com
  • ip[.]anysrc[.]net
  • api[.]ipify[.]org
  • ipecho[.]net
  • ipinfo[.]io
  • checkip[.]amazonaws[.]com

It injects into the legitimate svchost process to modify the scheduled task for the next trigger as depicted in Figure 2.

Inside the code of the downloaded binary file

The main binary component, a Visual C executable, is designed to decrypt the malicious code only at runtime.

This piece of malware performs multiple layers of decryption before the final bad act. For those who are interested, here’s a slightly more detailed explanation. The 1st level (bog standard) decryption of some bytes, followed by a call to the decrypted bytes, is seen in Figure 10.

Figure 10: 1st level of decryption

The 2nd level (evasive action) involves the decrypted code allocating more memory into which further encrypted content is copied and decrypted, and another call is made to that decrypted content as seen in Figure 11.

Figure 11: The 2nd level of decryption

In the 3rd level (definitely bad) this decrypted code allocates even more memory, and more encrypted code is loaded into it and decrypted, which happens to be the “meaningful” malware code.

Figure 12: 3rd level of decryption to “meaningful” malware code

Our analysis also shows that it scans the memory for traces of monitoring tools and/or malware analysis-related processes. The list of processes that it scans for is as follows:


These names are stored in encrypted form without any special characters or high entropy, so as to avoid easy detection based on strings or entropy. If none of the aforementioned processes are found active, the malware goes on to copy itself to the user’s %APPDATA% folder (as depicted earlier in Figure 7) and launches itself as a new process. This process, after verifying that it is in fact running from under the user’s %APPDATA% folder, goes on to decrypt another Visual C binary (as depicted in Figure 13), which does not touch the disk at all, i.e. it is decrypted, read and memory mapped whilst in memory itself.

Figure 13: Final decryption (Trickbot payload)

Before passing execution to the decrypted file in memory, the malware checks if it is being debugged by calling the function ZwQueryInformationProcess with the parameter ProcessInformationClass set to 0, which retrieves the pointer to the PEB (Process Environment Block) structure; the PEB is in turn read to conclude whether the process is being debugged or not, as depicted in Figure 14.

Figure 14: Check if being debugged

This decrypted binary in memory is the actual payload of Trickbot which is responsible for tasks like:

  • Querying the local IP
  • Ensuring persistence (via registry and scheduled tasks)
  • Creating the “Modules” folder
  • Decrypting a configuration file from its resource (as depicted in Figures 15 & 16) using functions from NCrypt.dll or BCrypt.dll
  • Contacting C&C server

Figure 15: Encrypted config file content stored in resources

Figure 16: Retrieving functions from NCrypt.dll or BCrypt.dll

The decrypted resource blob (as depicted in Figure 17) is saved as Config.conf under the user’s %APPDATA% folder.

Figure 17: Content of Config.conf file

The <ver> tag indicates the Trickbot version, which is 1000166, <gtag> indicates the campaign ID and <srv> holds the list of C&C IPs and ports for downloading additional modules. The C&C pushes custom or specific modules for specific targets (responsible for code injection, mailcollector, sqlfinder, screenlock, etc.) on successful validation of the request received from the Trickbot payload.
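For an analyst turning a decrypted Config.conf into indicators, the tags above are enough to script the extraction. This Python is an added example (not the post's or any K7 tool's code): it pulls the version, campaign tag and validated ip:port endpoints from the config text; the sample config, its <mcconf>/<servs> wrapper tags, the gtag value and the RFC 5737 test addresses are assumptions:

```python
import re

# Constructed sample modelled on the tags named above (<ver>, <gtag>, <srv>).
# The <mcconf>/<servs> wrappers, the gtag value and the RFC 5737 test addresses
# are assumptions, not values from a real configuration.
SAMPLE_CONFIG = """<mcconf>
<ver>1000166</ver>
<gtag>gtag_example</gtag>
<servs>
<srv>192.0.2.10:443</srv>
<srv>198.51.100.25:449</srv>
<srv>not-an-address</srv>
<srv>203.0.113.7:443</srv>
</servs>
</mcconf>
"""

IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def _tag_values(tag, text):
    """Return the text inside every <tag>...</tag> pair (regex, so it copes with near-XML)."""
    return re.findall(r"<%s>\s*(.*?)\s*</%s>" % (tag, tag), text, re.S)


def parse_srv(entry):
    """Validate one <srv> entry and return (ip, port), or None if malformed."""
    m = IP_PORT_RE.match(entry)
    if not m:
        return None
    ip, port = m.group(1), int(m.group(2))
    if any(int(octet) > 255 for octet in ip.split(".")) or not 0 < port < 65536:
        return None
    return ip, port


def parse_trickbot_config(text):
    """Extract version, campaign tag and the C&C endpoint list from Config.conf text."""
    ver = _tag_values("ver", text)
    gtag = _tag_values("gtag", text)
    servers = [s for s in (parse_srv(e) for e in _tag_values("srv", text)) if s]
    return {
        "ver": ver[0] if ver else None,
        "gtag": gtag[0] if gtag else None,
        "servers": servers,
    }


def to_block_list(config):
    """Render the endpoints as 'ip port' lines for a firewall or proxy block list."""
    return ["%s %d" % (ip, port) for ip, port in config["servers"]]
```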

Same malware, different vulnerability

We also saw instances of this malware being served via a crafted MS-Word document which tries to exploit the Office Equation Editor vulnerabilities, i.e. CVE-2017-11882 and CVE-2017-8570. This crafted document, in the guise of a “Payment advice” form from HSBC bank, is delivered from a typo-squatted domain, “” or “”, in an attempt to make the email look legitimate. The crafted document probably uses ThreadKit, because it drops task.bat under the %Temp% folder and executes it using cmd.exe (typical ThreadKit behaviour), which is followed by a PowerShell process (as depicted earlier in Figure 2). Figure 18 shows the actual PowerShell script, and its reformatted form, used to download the executable.

Figure 18: PowerShell Script (courtesy of

From Figure 18, it is evident that both infection vectors use the same domains to download the malware. The file downloaded by the second method is a Microsoft Visual Basic 5.0 compiled binary (the reader may recall that the first method downloaded a Visual C binary), but it drops a similar Trickbot payload at runtime. Our analysis indicates that this banking Trojan constantly seeks new infection vectors and is still very active. The malware authors are still implementing new functionalities and modules.

Indicators of Compromise (IoCs)

File details

DOC file:

FA9762828CF25F0182CC5A6781E708DA  (fake Lloyds Bank DOC)         Trojan ( 0001140e1 )
5FE7EF0E15A4E9468018E0A76457D159  (fake HSBC bank DOC)           Trojan ( 0001140e1 )

PowerShell script:

7B177E32052DCF80830A087C9157A598  (Script from Lloyds Bank DOC)  Trojan ( 0001140e1 )
A5E7AF38D0CC548071B1B93731CE2B62  (Script from HSBC bank DOC)    Trojan ( 0001140e1 )

EXE file:

C4634916686AD740E1D17F23721152E2  (EXE from fake Lloyds DOC)     Trojan ( 0052cf591 )
1E9BC9805114D86B411F5DDEF01C67D0  (EXE from fake HSBC DOC)       EmailWorm ( 003c363a1 )

K7 products also have dynamic detection for the Trickbot variants.

URLs List

hxxp[:]//interbanx[.]co[.]id   (malicious domain blocked by K7SafeSurf)
hxxp[:]//chimachinenow[.]com   (malicious domain blocked by K7SafeSurf)

Lokesh J
Threat Researcher, K7TCL

May 7th, 2018
This blog discusses the exploitation of user data as a risk to national security.

User data has turned into a point of contention between countries, as apps developed in one country are popularly used by the citizens of other countries and covert agencies become increasingly cognizant of the potential of using ‘foreign user’ data for strategic advantage. This has actually been an issue for many years, but it is being discussed in the mainstream only now, triggered by the recent Cambridge Analytica controversy and its ramifications.

Smartphone users’ data is juicier than desktop users’ data as it contains more detail on the users’ day-to-day activity, ranging from status updates to taking a selfie to geo tagging. Everything is a point of interest for market analysis, even for entities beyond a country’s borders.

With some countries openly accusing foreign apps of espionage, and many others discreetly suspicious of them, the Indian government has asked its military personnel to uninstall a list of Chinese apps. This is not the first time the Indian government has asked its defence community to be wary of Chinese hardware and software. Some of the apps named in the recent list of blacklisted apps are:

  • Weibo
  • WeChat
  • SHAREit
  • UC Browser
  • Mi Community
  • Mi Store
  • 360 Security

A look at the geolocation of servers that many of these apps connect to showed the following:

SHAREit (com.lenovo.anyshare.gps) ( MD5: CB2C0A445B571035CE38CEAB91E01EBC )

WeChat ( ( MD5: CF237D05AB4782081AC70CBD2210EE3E )

UC Browser (com.UCMobile.intl) ( MD5: CA56AB59D7E6CE87A0B690DBF083487B )

The advantage of having an app’s server in one’s own country is that the data storage and protection is subject to the regulations and policies of the land. Looking at the permissions requested by these apps during installation, some are questionable:

  • android.permission.USE_CREDENTIALS
  • android.permission.MANAGE_ACCOUNTS
  • android.permission.AUTHENTICATE_ACCOUNTS
  • android.permission.READ_CONTACTS
  • android.permission.GET_ACCOUNTS
  • android.permission.ACCESS_FINE_LOCATION
  • android.permission.ACCESS_COARSE_LOCATION

When installing an app, users should always carefully go through the list of access permissions requested by the app and should not just mechanically tap the “Accept” button.

We examined a few of the apps blacklisted by the Indian government to check the kind of information being sent to the parent server. We did not find anything malicious, but as seen in the two screenshots below, potentially sensitive information like device-id, build model, Android version, etc. is being sent to parent servers located in China. Device-Id, also popularly known as the IMEI number, is a common artefact collected by many apps for legitimate purposes. But from a privacy point of view, device-id is a unique and better artefact than IP address for identifying an individual device, and thereby allows the tracking of an individual user’s habits on the device. This helps marketing agencies target the individual with tailored ads, and certainly helps nations in (psychological) cyberwarfare against each other.

The screenshots presented below show an instance of various data collected by one of the apps we analysed.
Figure 1: Snapshot of data enumerated by an app

Figure 2: Snapshot of data enumerated by another app

The image below shows one of the apps sending the data to its server.

Figure 3: Data being sent to the parent server in China

Today, as users are already getting used to the intrusion on their privacy and beginning to consider it part of normal modern life, it’s getting difficult to come up with a clear demarcation of what’s good app behaviour and what’s not vis-à-vis PII (i.e. “Personally Identifiable Information”).

However, the onus of gauging and enforcing data privacy standards and security should not be placed on the user, buried deep inside some EULA (i.e. “End User License Agreement”) full of legalese in small print which most people wouldn’t understand even if they read it. Instead it must be a moral and legal requisite of the app owners to maintain certain minimum standards enforced by regulatory government bodies. This is one of the prominent issues addressed by the European Union’s GDPR, whose imminent implementation should be beneficial to users both in the European Union and, by proxy, elsewhere.

Users are advised to always install apps only from the official Google Play Store. But given that today, for any popular app on the Google Play Store, there are many fake apps and malicious clones on the Play Store itself, an average user has to be all the more careful in selecting the correct app.

Baran Kumar.S & Sunil
Threat Research Team

April 6th, 2018

This blog post presents a dissection of a Windows malware that operates via an IoT channel for its Command & Control communication. We are also going to explore this malware’s infection vectors to understand how it gets itself onto a victim’s computer.

Infecting a machine without raising suspicion is only half the challenge, the comparatively easy part. Actively maintaining the state of control is the other, more difficult part of the challenge. Of late, threat actors are inclined towards third-party APIs for Command and Control (C&C) services as they are easier to establish, more stable and have the advantage of not being flagged by network monitoring tools. Third-party services are also more difficult to take down. In this blog we are going to look at one such malware which uses the PubNub infrastructure for its C&C needs.

With the increased use of Internet-enabled “smart” devices, also known as “Internet of Things” or IoT for short, and the multitude of services offered for them, cyber criminals have started exploring new waters. The specific malware in question uses PubNub, an infrastructure-as-a-service company, as a channel of communication between the infected devices and its C&C.

PubNub is a global data stream network that provides APIs for real-time applications and IoT devices. It can be used to quickly push small messages to one or more devices like smartphones, tablets, desktops, microcontrollers, etc.

At the time of writing not many of the available network security products block malicious network traffic over this channel. Let’s start with how this malware infects a device, and then move on to other details.

We believe this malware targets devices in the Chinese geographical region, and here’s why: it masquerades as the security product “360 Total Security” – an offering from the Chinese company Qihoo 360. In fact it gets downloaded from a fake webpage that poses as Qihoo 360’s official download page: hxxp://ebsmpi[.]com/ipin/360/

We looked at the website itself. As one would expect, this website had no connection whatsoever with Qihoo 360, and what’s worse, the website is actually of Korean origin, not Chinese. A quick visit to this website’s homepage told us that it provides standards for psychological examination of school children and that it belongs to the Korean Educational Broadcasting System (EBS). Furthermore, the website was registered more than 3 years ago, meaning it is possibly a legitimate domain (i.e. not a domain registered just to distribute malware) that has probably been compromised and is being used to serve up malicious content without the site admin’s knowledge, let alone consent.

We then compared the file downloaded from the fake page with Qihoo’s legitimate installer. Other than identical icons and file names, the two files were completely different. The file size of the malware sample was less than that of the actual file as it is only a downloader component.

On execution the sample downloaded and installed the actual 360 Total Security to avoid suspicion. A code snippet from the sample (see image below) revealed that the installer is not downloaded from the official page but from another Korean domain which seems to be legitimate, and has been around since 2013, meaning this site is also probably compromised.

In addition the sample does the following in the background:

  • Downloads the final payload (Ant_3.5.exe) and its encrypted configuration file (desktops.ini) at the root of the user’s %AppData% directory (see images below)
  • The downloaded payload is renamed to svchost.exe and executed
  • Registry entry pointing to the payload is created for persistence

While these activities happen in the background, the unsuspecting user is presented with the GUI from the actual 360 Total Security.

The below image, courtesy of, shows the execution flow:

The final payload (svchost.exe) is a .NET compiled binary with no obfuscation whatsoever. A simple .NET de-compiler helped explore the malicious code present within it. It was found that it utilizes PubNub APIs to await remote commands from the bot master(s).

It decrypts its configuration file (desktops.ini) by performing a byte-wise XOR with 2310.

Desktops.ini referred in final payload

Decryption function inside final payload

As per PubNub: “[PubNub] utilizes a Publish/Subscribe model for real-time data streaming and device signaling which lets you establish and maintain persistent socket connections to any device and push data to global audiences in less than ¼ of a second. You can publish messages to any given channel, and subscribing clients receive only messages associated with that channel. The message payload can be any JSON data including numbers, strings, arrays, and objects.”

The contents of the decrypted configuration file hold the information to perform the above-mentioned communication. We can see the Subscribe key, publish key, origin ( and channel name as PROCESS. The UUID is the machine name + MAC address.

PubNub provides a Subscribe Key and Publish Key on sign-up for using the service. A publishing client pushes messages to his/her respective channel(s), and a subscribing client receives only messages associated with the subscribed channel(s). A PubNub message consists of the channel information and associated data that needs to be carried across.

In this case, the publishing client is the bot master and the subscribing clients are the infected devices. Upon receiving any message through the PROCESS channel, the function related to the message gets executed on the subscribing client. All messages are sent over SSL, and hence a network traffic capture doesn’t give out any tangible information.

The below image shows the functionality associated with receipt of the “COMMAND_RUN” message present inside the final payload:

Many bot malware related commands were present within the final payload as shown below:


Same malware, different attack vector

The same malware has also been observed being delivered as an email attachment. In this case, it is a Korean document about a Chinese commerce meeting. The document exploits the CVE-2018-0802 vulnerability in Microsoft Word to deliver the payload.

The document contains an OLE object embedded inside of it.

Payload: hxxp://cgalim[.]com/admin/hr/hr.doc

The downloaded payload (hr.doc) is actually a malicious executable which downloads the final payload and its configuration file as seen in the previous case.

As always, it is advised to stay up-to-date with a reputed security product like K7 Total Security to ward off such malware infections. K7 Total Security detects and blocks all executables and URLs associated with this malware.

Indicators of Compromise (IoCs)
File details

Downloader (Fake Installer – 360TS_Setup_Mini.exe)

CA282452467647F34D62B46F6F5E3B1E    Trojan-Downloader ( 00524c8e1 )

Other downloaders

24FE3FB56A61AAD6D28CCC58F283017C    Trojan-Downloader ( 005246211 )
97FECA6E73BB787533C6BD17EDA80582    Trojan-Downloader ( 00524c8e1 )
97BA95D3684F460BCFD2EF60494C5F98    Trojan ( 0001140e1 )

Final Payload (Ant_4.5.exe / Ant_3.5.exe)

84CBBB8CDAD90FBA8B964297DD5C648A    Trojan ( 00524e851 )
FF32383F207B6CDD8AB6CBCBA26B1430    Trojan ( 00524e851 )

Email attachment (Invition.doc / bitcoin.doc / hr.doc / 2018버블 전망.doc)

37D82F3D219E96EE9381D6DF93510D1D    Trojan ( 0001140e1 )
7817D9240AB39FE28EDD3A44E468439D    Trojan ( 0001140e1 )
62350386B7F56679A3D7F2C9027A665A    Trojan ( 0051f3601 )

URLs list

hxxp://ebsmpi[.]com/ipin/360/down.php
hxxp://ebsmpi[.]com/ipin/360/desktops.ini
hxxp://ebsmpi[.]com/ipin/360/ant_4.5.exe
hxxp://ebsmpi[.]com/ipin/360/ant_3.5.exe
hxxp://cgalim[.]com/admin/1211me/Ant_3.5.exe
hxxp://cgalim[.]com/admin/1211me/desktops.ini
hxxp://cgalim[.]com/admin/1211me/Servlet.exe
hxxp://cgalim[.]com/admin/hr
hxxp://cgalim[.]com/admin/hr/hr.doc
hxxp://cgalim[.]com/admin/hr/temp.set

Dinesh D
Threat Researcher, K7TCL

February 23rd, 2018

This blog intends to describe a few new techniques used by the latest versions of Exobot, an Android banking Trojan. These new techniques have been introduced to complicate the process of reverse engineering and to evade detection by security products.

It is only natural that, with the huge increase in the number of Android smartphone users and the availability of mobile banking services, cybercriminals have focused on malware targeting banking apps and other apps that enable financial transactions, in order to embezzle funds from victims’ accounts. Devices infected with such malware expose their users to the following (non-exhaustive):

  • Financial loss
  • Loss of Personally Identifiable Information (PII)
  • Loss of privacy

Typically, banking Trojans await instructions from remote Command-and-Control (C&C) servers, thus allowing the attacker(s) to potentially turn compromised devices into involuntary but blissful bots. Also, the bad guys tend to keep changing their distribution mechanisms and infection routines (without compromising the severity of intended damage) to evade detection by security products. Unsurprisingly, Android banking Trojans are no exceptions in these aspects.

Exobot is an Android banking Trojan like any other. As described in our previous blog it steals users’ banking credentials from infected devices to enable the attacker(s) to siphon off their funds.

But here’s how this piece of malware is different. Our analysis revealed some interesting implementation techniques employed in recent versions for detection evasion which we have depicted in the following picture:

In case you find the above picture to be not-so-self-explanatory, please read on for a more detailed explanation on the differences between the older (Exobot V1) and newer (Exobot V2) versions.

Technique 1:

Exobot V1’s AndroidManifest.xml file contains all broadcast receivers, permissions and other privileges registered to perform malicious activities. All its eggs in one basket.

Exobot V1 Permissions

Exobot V2, on the other hand, has its requirements spread out. Basic installation and device admin registration are requested by the primary component (earlier available on the Google Play Store, but thankfully not anymore), which then downloads a secondary bot component whose requirements are declared in its own AndroidManifest.xml.

Exobot V2 Permissions split between parent and dropped components

The secondary component, downloaded from the URL shown in the following picture, then tries to connect to different C&C servers to receive commands from remote attacker(s).

It is noteworthy that the primary component retries downloading the secondary component multiple times (up to 5 times in the variant we analyzed) at regular intervals in case of failures when connecting to the URL specified. If all attempts to connect to this URL fail, it then tries to connect to other C&C servers from a predefined list.

Technique 2:

Exobot V1 is very trusting. It starts its malicious activities without checking the configuration of the device on which it is running. Exobot V2 is more cautious. It deploys multiple verification mechanisms before behaving badly. Here are the most interesting of such checks it carries out before proceeding with its infection routine.

Checks whether a debugger is attached

The obfuscated string fragments resolve to the class and method used for this check: n.df + n.fv + n.eF builds “android.os.Debug” and n.eG + n.fu builds “isDebuggerConnected”, i.e. the call is android.os.Debug.isDebuggerConnected().

Verifies that the device configuration does not match any of the criteria below

  • Is the malware running in a test environment, say an emulator? Does any of the following default emulator values match the values read from the device?
    • Build.MODEL is “google_sdk”, “Emulator” or “Android SDK built for x86”
    • Build.MANUFACTURER is “Genymotion” (Genymotion is an emulator frequently used for QA and testing)
    • Build.PRODUCT is “google_sdk”, “sdk”, “sdk_x86” or “vbox86p”
    • DeviceId (IMEI) is “000000000000000”, “012345678912345” or “004999010640000”
    • VERSION.RELEASE is “0”
  • Is the device connected to a test network?
    • SIM operator name is “android”, “emergency calls only” or “fake carrier”

If any of the above match, execution stops.
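The checks above are easy to replay against your own analysis device before detonating a sample. The script below is an added example (not K7’s code and not the malware’s code): it reads the Build.* values from `adb shell getprop` output using Android’s standard property names (Build.MODEL is ro.product.model, Build.MANUFACTURER is ro.product.manufacturer, Build.PRODUCT is ro.product.name, VERSION.RELEASE is ro.build.version.release), takes the IMEI and SIM operator name as separate inputs, and reports which of Exobot V2’s checks would fire. The post does not say whether the malware compares exactly or by substring, so exact comparison is the default and `substring=True` gives the stricter test; all device data in the script is constructed.

```python
"""Added example (not K7's code, not the malware's): replay Exobot V2's
emulator/test-device checks against a device profile so an analyst can tell
whether a sandbox would pass them before detonating the sample.

Assumptions: Build.* fields are read from `adb shell getprop` using Android's
standard property names; DeviceId (IMEI) and SIM operator come from
TelephonyManager and are passed in separately. Exact comparison is the
default; substring=True is the stricter variant. All device data below is
constructed.
"""
import re

INDICATORS = {
    "Build.MODEL": ("google_sdk", "Emulator", "Android SDK built for x86"),
    "Build.MANUFACTURER": ("Genymotion",),
    "Build.PRODUCT": ("google_sdk", "sdk", "sdk_x86", "vbox86p"),
    "DeviceId": ("000000000000000", "012345678912345", "004999010640000"),
    "VERSION.RELEASE": ("0",),
    "SIM operator": ("android", "emergency calls only", "fake carrier"),
}

PROP_FOR_FIELD = {  # Build.* field -> system property name
    "Build.MODEL": "ro.product.model",
    "Build.MANUFACTURER": "ro.product.manufacturer",
    "Build.PRODUCT": "ro.product.name",
    "VERSION.RELEASE": "ro.build.version.release",
}

GETPROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$", re.M)


def parse_getprop(text):
    """Turn `[key]: [value]` lines from `adb shell getprop` into a dict."""
    return {m.group(1): m.group(2) for m in GETPROP_LINE.finditer(text)}


def device_profile(getprop_text, device_id, sim_operator):
    """Collect the six values Exobot V2 inspects, keyed like INDICATORS."""
    props = parse_getprop(getprop_text)
    profile = {field: props.get(prop, "") for field, prop in PROP_FOR_FIELD.items()}
    profile["DeviceId"] = device_id or ""
    profile["SIM operator"] = sim_operator or ""
    return profile


def emulator_hits(profile, substring=False):
    """Return [(field, value)] for every check that would make the bot stop.
    Comparison is case-insensitive; VERSION.RELEASE and DeviceId are always
    compared exactly, because a substring test on "0" would match "8.0"."""
    hits = []
    for field, indicators in INDICATORS.items():
        value = profile.get(field, "")
        exact = not substring or field in ("VERSION.RELEASE", "DeviceId")
        for ind in indicators:
            matched = (value.lower() == ind.lower()) if exact else (ind.lower() in value.lower())
            if matched:
                hits.append((field, value))
                break
    return hits


def bot_would_run(profile):
    """True when none of the anti-analysis checks fires."""
    return not emulator_hits(profile)


# Constructed samples: a stock emulator image and a retail handset.
EMULATOR_GETPROP = """\
[ro.product.manufacturer]: [Google]
[ro.product.model]: [Android SDK built for x86]
[ro.product.name]: [sdk_x86]
[ro.build.version.release]: [8.1.0]
"""
HANDSET_GETPROP = """\
[ro.product.manufacturer]: [Samsung]
[ro.product.model]: [SM-G950F]
[ro.product.name]: [dreamltexx]
[ro.build.version.release]: [8.0.0]
"""

if __name__ == "__main__":
    emu = device_profile(EMULATOR_GETPROP, "000000000000000", "Android")
    phone = device_profile(HANDSET_GETPROP, "356938035643809", "Vodafone IN")  # constructed IMEI
    print("emulator hits:", emulator_hits(emu))
    print("handset runs the bot:", bot_would_run(phone))
```

A sandbox that fails any of these checks never shows the payload behaviour; changing the emulator’s model, product, IMEI and SIM operator name (or running on a real handset) is what gets the bot past this stage.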

Checks for, and sets, the malicious app as the default SMS package

Since Android 4.4 the OS lets the user pick a default SMS app; only that app receives the SMS_DELIVER broadcast and can write to the SMS provider, while the SMS_RECEIVED broadcast is still delivered to every app registered for it but can no longer be aborted. Exobot V2 therefore asks to become the default SMS app (the OS shows a confirmation dialog for this) so that it is the first to access incoming SMS, and it additionally suppresses the messages from other installed apps by aborting the “SMS_RECEIVED” broadcast, which only works on devices older than 4.4.

Verifies that “MAIN_VERSION_REQUIRED” is less than a specific threshold value, to ensure that the bot can run on that particular version of the Android OS

In the code shown above, n.aT maps to “Bot is not able to run that command” and n.aU maps to “Command execution system error”.

Technique 3:

Exobot V2 also mimics an anti-reversing technique from its Windows-based counterparts. All the strings in the malware’s code are obfuscated, though with very simple logic: junk characters are inserted between the real ones. For example:

a(“start”) may be converted to something like a(“s**EJz**t**EJz**a**EJz**r**EJz**t**EJz**”)

In the above example, “**EJz**” are the junk characters.
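Because the junk is the same token repeated after every real character, it can be stripped from a whole decompiled file mechanically. The script below is an added example (not K7’s code and not the malware’s code): it infers the junk token from the arguments of the decoder call, using the decoder name a() and the token “**EJz**” from the post’s example, and rewrites each call into the plain string literal. The decompiled snippet is constructed, and other samples may use a different token or decoder name.

```python
"""Added example (not K7's code, not the malware's): strip Exobot V2's junk
characters from obfuscated strings in decompiled code. The pattern is
c1 JUNK c2 JUNK ... cn JUNK; the token "**EJz**" and the decoder name a() are
taken from the post's example, the snippet below is constructed.
"""
import re

# a("...") as it appears in decompiled Java; decoder name from the post.
DECODER_CALL = re.compile(r'\ba\("((?:[^"\\]|\\.)*)"\)')


def _explains(junk, obf):
    """True if obf is exactly the plain characters each followed by junk."""
    plain = obf.replace(junk, "")
    return bool(plain) and "".join(c + junk for c in plain) == obf


def infer_junk(strings):
    """Infer the junk token shared by all decoder-call arguments in a file.

    Candidates are the prefixes of the longest argument (shortest first); the
    winner must explain every argument and leave at least two real characters
    in the longest one, so a lone plain literal such as "start" (where "tart"
    would explain "s") is not mistaken for an obfuscated string.
    """
    if not strings:
        return None
    longest = max(strings, key=len)
    for k in range(2, len(longest) + 1):
        junk = longest[1:k]
        if len(longest.replace(junk, "")) >= 2 and all(_explains(junk, s) for s in strings):
            return junk
    return None


def deobfuscate(obf, junk):
    """Return the plain string, or the input unchanged if the token does not
    fit it, so legitimate literals are never damaged."""
    return obf.replace(junk, "") if junk and _explains(junk, obf) else obf


def rewrite_source(src, junk=None):
    """Replace every decoder call with the plain literal it decodes to, which
    makes the decompiled code greppable for commands and URLs."""
    args = DECODER_CALL.findall(src)
    junk = junk or infer_junk(args)
    if junk is None:
        return src
    return DECODER_CALL.sub(lambda m: '"%s"' % deobfuscate(m.group(1), junk), src)


# Constructed decompiled snippet using the post's junk token.
SAMPLE_SOURCE = (
    'Intent i = new Intent(a("s**EJz**t**EJz**a**EJz**r**EJz**t**EJz**"));\n'
    'i.putExtra(a("c**EJz**m**EJz**d**EJz**"), a("1**EJz**"));\n'
)

if __name__ == "__main__":
    print(rewrite_source(SAMPLE_SOURCE))
```

Inferring the token across all calls in a file, rather than per string, is what keeps single-character arguments such as a(“1**EJz**”) decodable without misreading ordinary literals.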

Our lab researchers regularly track Android banking Trojans, especially for their behavioral and technical differences, in order to ensure we are able to block the malware at the earliest with new and updated detection methodologies. K7 Mobile Security users are protected against both the older and newer versions of this malware.

Exobot V1 (example sample hash: b4064f4bca2ac0780a5e557b551a3755) is detected as “Spyware ( 004fdfc01 )”.

Exobot V2: The primary component (example sample hash: 6924d51242386e3c20c84f017f1838b9) is detected as “Trojan-Downloader ( 004f07451 )”, and the secondary component (example sample hash: f66e30974435e5ef092aeb7c9e5cad7a) is detected as “Trojan ( 005243d11 )”.

As always K7 Threat Control Lab makes the following recommendations:
  • Use a highly-reputable mobile security product such as K7 Mobile Security to block any infection
  • Regularly update the mobile OS and security applications installed to be free of mobile malware
  • Refrain from installing apps recommended by strangers
  • Review the reputation of any app before downloading and installing it
  • Choose to download and install apps only from the official Google Play store, where security action against malicious apps is taken promptly and regularly
  • Do not enable “Download from Unknown Sources”

Senior Threat Researcher

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

January 8th, 2018
There has been some recent media interest in one variant of Android Banking Trojans, also known as ‘Bankbots’. Bankbots have been around for a pretty long time now, i.e. nothing new, and the variant of unusual interest was already blocked by K7 Mobile Security as Trojan ( 0051c57a1 ).

As the name suggests, banking Trojans help hackers steal money from a user’s account without his/her knowledge. This particular Android banking Trojan scans the list of running apps for package names of popular banking apps from all over the world, and intercepts incoming bank-related SMS messages, suppressing them from the user and redirecting them to a remote hacker. It also accepts commands from a C&C server.

This Banking Trojan disguises itself as a Flash Player app hosted on third party markets. In order to carry out its malicious behavior silently the Trojan requests the user to provide device administrator privileges.

For this Trojan to start its malicious behavior it registers many receivers for various actions on the device as listed below:

  • android.provider.Telephony.SMS_DELIVER
  • android.provider.Telephony.WAP_PUSH_DELIVER
  • android.intent.action.BOOT_COMPLETED
  • android.intent.action.QUICKBOOT_POWERON
  • android.intent.action.USER_PRESENT
  • android.intent.action.PACKAGE_ADDED
  • android.intent.action.PACKAGE_REMOVED
  • android.provider.Telephony.SMS_RECEIVED
  • android.intent.action.SCREEN_ON
  • android.intent.category.HOME
  • android.intent.action.DREAMING_STOPPED

One of the receivers “yqyJqWdtdf.UOaOrquyRDgLFgGueha.resiverboot” that is registered for the SMS_Received broadcast is shown below:

The Trojan also requests for the following permissions:

  • android.permission.READ_CONTACTS
  • android.permission.INTERNET
  • android.permission.WAKE_LOCK
  • android.permission.GET_TASKS
  • android.permission.READ_PHONE_STATE
  • android.permission.RECEIVE_SMS
  • android.permission.READ_SMS
  • android.permission.WRITE_SMS
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.CALL_PHONE
  • android.permission.SEND_SMS
  • android.permission.ACCESS_FINE_LOCATION
  • android.permission.PACKAGE_USAGE_STATS
  • android.permission.SYSTEM_ALERT_WINDOW

Interestingly, upon launching this malware, i.e. upon tapping the Flash Player icon in the app list, the icon hides itself so that the user is not reminded of the app while the malicious activity continues in the background.

The main activity class decodes a base64-encoded dex file, budda2.dex which is contained within the class as follows:

The decoded dex file contains the code responsible for incoming SMS interception, sending SMS and other malicious behavior.
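Pulling such an embedded dex out of decompiled source is a routine first step, and it pays to check that the blob is intact before feeding it to a decompiler. The script below is an added example (not K7’s code and not the malware’s code): it finds long base64 literals, decodes the ones with the DEX magic and verifies the header’s declared size, Adler-32 checksum and SHA-1 signature. The field names and the class snippet are constructed, and the embedded blob is a synthetic 112-byte header-only DEX built so that its checksum and signature are consistent, not a loadable Android binary.

```python
"""Added example (not K7's code, not the malware's): pull a base64-embedded DEX
out of decompiled source, the way budda2.dex is embedded in the class described
above, and sanity-check it. The source snippet is constructed; the embedded
blob is a synthetic header-only DEX, not a loadable binary.
"""
import base64
import binascii
import hashlib
import re
import struct
import zlib

HEADER_SIZE = 0x70
DEX_VERSIONS = (b"035", b"037", b"038", b"039")
# Long base64 runs inside string literals; short literals are ignored.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{64,}={0,2})"')


def validate_dex(blob):
    """Check the DEX header fields that a tampered or truncated dump breaks:
    magic, declared file size, Adler-32 checksum (over bytes 12..end) and the
    SHA-1 signature (over bytes 32..end). All True means the file is intact."""
    if len(blob) < HEADER_SIZE:
        return {"magic": False, "file_size": False, "header_size": False,
                "checksum": False, "signature": False}
    (checksum,) = struct.unpack_from("<I", blob, 8)
    file_size, header_size = struct.unpack_from("<II", blob, 32)
    return {
        "magic": blob[:4] == b"dex\n" and blob[4:7] in DEX_VERSIONS and blob[7] == 0,
        "file_size": file_size == len(blob),
        "header_size": header_size == HEADER_SIZE,
        "checksum": checksum == zlib.adler32(blob[12:]) & 0xFFFFFFFF,
        "signature": blob[12:32] == hashlib.sha1(blob[32:]).digest(),
    }


def extract_embedded_dex(source):
    """Decode every long base64 literal in `source` and keep those that start
    with the DEX magic. Returns [(sha256, findings, blob)]."""
    found = []
    for literal in B64_LITERAL.findall(source):
        try:
            blob = base64.b64decode(literal, validate=True)
        except (binascii.Error, ValueError):
            continue
        if blob[:4] != b"dex\n":
            continue
        found.append((hashlib.sha256(blob).hexdigest(), validate_dex(blob), blob))
    return found


def build_synthetic_dex():
    """Constructed 112-byte header-only DEX with a consistent checksum and
    signature; stands in for budda2.dex and is not loadable."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<II", hdr, 32, HEADER_SIZE, HEADER_SIZE)  # file_size, header_size
    struct.pack_into("<I", hdr, 40, 0x12345678)                 # endian_tag
    hdr[12:32] = hashlib.sha1(bytes(hdr[32:])).digest()
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)
    return bytes(hdr)


def tamper(blob, offset=0x40):
    """Flip one byte past the checked fields, as a patched payload would look."""
    b = bytearray(blob)
    b[offset] ^= 0xFF
    return bytes(b)


# Constructed decompiled class: one DEX literal and one harmless long literal.
SAMPLE_SOURCE = (
    'public final class MainActivity {\n'
    '    private static final String budda2 = "%s";\n'
    '    private static final String banner = "%s";\n'
    '}\n'
) % (base64.b64encode(build_synthetic_dex()).decode(),
     base64.b64encode(b"not a dex file, just padding text..." * 3).decode())

if __name__ == "__main__":
    for digest, findings, blob in extract_embedded_dex(SAMPLE_SOURCE):
        print(digest, len(blob), findings)
```

A checksum or signature mismatch on a dump that otherwise looks like a DEX usually means the sample patches the bytes after decoding (or that the string was copied incompletely), which is worth knowing before attributing behaviour to the decompiled output.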

Upon following one of the receivers, resiverboot for android.provider.Telephony.SMS_RECEIVED, budda2.dex is called internally as shown in the image below:

RiciverSMS from Budda2.dex file has the code to intercept incoming SMS messages as shown below:

As highlighted above, the StopSound function sets the ringer mode to ‘0’ (RINGER_MODE_SILENT) so that the user is not alerted to incoming messages.

DelIndox and DelSent delete the messages from a particular originating address from the Inbox and Sent folders respectively, as shown below:

And it sends these to the hacker as per the command shown below:

This malware turns the compromised device into a bot, and the installed malware keeps listening for a command from the C&C server to carry out orders. The C&C can issue commands to the malware to even kill itself as well as shown below:

All the collected information is sent to the hacker including whether the bot is active or not. The hacker’s infection status dashboard is maintained as shown below:

This malware checks whether any of the banking apps, or other apps dealing with financial transactions, listed below is installed on the device. A few of the popular banking apps targeted across the world are listed below:

Please note that apps such as document readers and Flash Players:

  1. Do NOT require device administrator privileges.
  2. Should not typically request permissions to SEND, WRITE or RECEIVE SMS.

Moreover, Adobe discontinued Flash Player for Android back in 2012, so any “Flash Player” app offered by a third-party market today is a lure. Please avoid installing such applications.
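The two rules of thumb above can be applied mechanically to a decoded AndroidManifest.xml. The script below is an added example (not K7’s code): it triages a manifest, as decoded by apktool with the app label resolved, for the combination described in this post, i.e. a lure label together with device-administrator registration, SMS permissions, a high-priority SMS_RECEIVED receiver, and the SMS_DELIVER / WAP_PUSH_DELIVER receivers that make an app eligible to be offered as the default SMS handler. The manifests are constructed from the permission and receiver lists given above; the receiver name is the one the post mentions. Note that with Exobot V2’s split into two components (Technique 1 in the earlier post), each component’s manifest has to be checked on its own.

```python
"""Added example (not K7's code): triage an AndroidManifest.xml for the lure
pattern described above. Assumes an apktool-decoded manifest with the label
resolved to text; both manifests below are constructed.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: namespace prefix

SMS_PERMISSIONS = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.WRITE_SMS",
}
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
DEFAULT_SMS_APP_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
}
# Lure names that have no business asking for the above.
LURE_LABELS = {"flash player", "adobe flash player", "pdf reader", "document reader"}


def _actions(component):
    return {a.get(A + "name") for f in component.iter("intent-filter") for a in f.iter("action")}


def triage_manifest(xml_text):
    """Return a list of human-readable findings; empty means no match."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    label = app.get(A + "label", "") if app is not None else ""
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    findings = []

    sms = sorted(p.rsplit(".", 1)[-1] for p in perms & SMS_PERMISSIONS)
    if sms:
        findings.append("requests SMS permissions: " + ", ".join(sms))
    if OVERLAY_PERMISSION in perms:
        findings.append("requests SYSTEM_ALERT_WINDOW (screen overlays)")

    receivers = list(root.iter("receiver"))
    admins = [r.get(A + "name") for r in receivers
              if r.get(A + "permission") == DEVICE_ADMIN_PERMISSION]
    if admins:
        findings.append("registers device-administrator receiver(s): " + ", ".join(admins))
    if all(any(act in _actions(r) for r in receivers) for act in DEFAULT_SMS_APP_ACTIONS):
        findings.append("handles SMS_DELIVER and WAP_PUSH_DELIVER (can be offered as default SMS app)")
    for r in receivers:
        if SMS_RECEIVED in _actions(r):
            prio = max((int(f.get(A + "priority", "0")) for f in r.iter("intent-filter")), default=0)
            findings.append("listens for SMS_RECEIVED in %s (priority %d)" % (r.get(A + "name"), prio))

    if label.lower() in LURE_LABELS and (sms or admins):
        findings.append('label "%s" does not justify SMS or device-admin access' % label)
    return findings


# Constructed manifest of a "Flash Player" lure, built from the post's lists.
LURE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="yqyJqWdtdf.UOaOrquyRDgLFgGueha">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Flash Player">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name="yqyJqWdtdf.UOaOrquyRDgLFgGueha.resiverboot">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsDeliver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".WapDeliver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of a reader that only needs network access.
READER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="PDF Reader"/>
</manifest>
"""

if __name__ == "__main__":
    for line in triage_manifest(LURE_MANIFEST):
        print("-", line)
    print("reader findings:", triage_manifest(READER_MANIFEST))
```

Any one of these findings can be legitimate (a real messaging app needs the SMS permissions and the deliver receivers); it is the combination with a label that has no use for them, plus device-admin registration, that marks the lure.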

As always we at K7 Threat Control lab make the following recommendations:
  • Use a top-rated mobile security product such as K7 Mobile Security to block any infection
  • Regularly update the mobile OS and security applications installed to be free of mobile malware
  • Carefully analyze the messages or alerts which apps display before taking any action
  • Refrain from installing apps recommended by strangers
  • Review the reputation of any app before downloading and installing it
  • Choose to download and install apps only from the official Google Play store
  • Do not enable “Download from Unknown Sources”

C&C server Image courtesy:

Dhanalakshmi.V & Baran Kumar.S

K7 Threat Control Lab


October 27th, 2017

It is the era of Ransomware and Halloween is just around the corner. We have witnessed yet another ransomware outbreak for the calendar year, lashing eastern European countries and Russia.

This ransomware dubbed “BadRabbit” hit systems in Ukraine, Russia, Bulgaria, Turkey, Germany and even Japan and South Korea, as per news agency reports. Russia and Ukraine have been the worst hit countries, with Kiev Metro and the Odessa airport in the Ukraine being early casualties. An official statement to this effect was released by CERT Ukraine.

It appears the initial outbreak for this ransomware was via drive-by downloads from hacked news agency sites in Russia. The dropper ransomware was served up as an “update for Flash Player installer”, duly named install_flash_player.exe (FBBDC39AF1139AEBBA4DA004475E8839). Ah, social engineering does still work a treat, doesn’t it?

The infected sites contained a script which resolved to the following URL:

The domain 1dnscontrol[.]com was taken down pretty quickly.

BadRabbit is similar to WannaCry and NotPetya in the sense that it is multi-component, using several complementary executable files to infect the user’s machine. There are even code similarities (none of them employ any form of code obfuscation) and filename similarities between these families. In both BadRabbit and NotPetya the main infection modules are actually DLL files with a ‘.dat’ extension.

The main dropper masquerading as a Flash Player installer must be run with admin privileges since its components are to be written to the C:\Windows directory as follows:

  • c:\windows\infpub.dat -> Main encryption and infection module : DLL (2FE32D2A6BFC72D215496B055E5A53AD)
  • c:\windows\cscc.dat -> Disk encryption driver (a legitimate driver, see below) : SYS (B4E6D97DAFD9224ED9A547D52C26CE02)
  • c:\windows\dispci.exe -> Part of the disk encryption module and responsible for the MBR infection : EXE (B14D8FAF7F0CBCFAD051CEFE5F39645F)
  • c:\Readme.txt -> Text file with information about the encrypted files and how to get them back

Scheduled tasks are created to initiate other modules of the infection and to reboot the system. Unusually, the system reboots twice during the entire infection cycle.

Once the main dropper is executed it drops a DLL file which is the file encryption module. It gets initiated using rundll32.exe as shown below:

The arguments passed to infpub.dat mean that its first export function is referenced by ordinal (#1), followed by the number 15, which is the delay until reboot.

As shown in the code snippet below, the main dropper creates infpub.dat in the Windows directory and then calls CreateProcessW to invoke it. Once the DLL is initiated the process of encryption begins.

infpub.dat is in charge of the following:

  • User file encryption
  • Adding scheduled tasks to reboot the machine and initiate the next module
  • Looking for infection targets on the local network

For encryption the ransomware looks for specific extensions:

3ds 7z accdb ai asm asp aspx avhd back bak bmp brw c cab
cc cer cfg conf cpp crt cs ctl cxx dbf der dib disk djvu
doc docx dwg eml fdb gz h hdd hpp hxx iso java jfif jpe
jpeg jpg js kdbx key mail mdb msg nrg odc odf odg odi odm
odp ods odt ora ost ova ovf p12 p7b p7c pdf pem pfx php
pmf png ppt pptx ps1 pst pvi py pyc pyw qcow qcow2 rar rb
rtf scm sln sql tar tib tif tiff vb vbox vbs vcb vdi vfd
vhd vhdx vmc vmdk vmsd vmtm vmx vsdx vsv work xls xlsx
xml xvd zip

One of the scheduled tasks reboots the computer after an elapsed time (NB: this can vary depending on the number and size of the files to be encrypted) specified by the main module. The other initiates the disk-encryption executable, named dispci.exe:

There are several references to the “Game of Thrones” TV series, e.g. the scheduled tasks are called “drogon”, “Rhaegal” and “viserion”, and the diskcryptor exe is called “GrayWorm” in the version strings in the resources.

The ransom note is dropped in c:\Readme.txt informing the user of the infection and how the files cannot be retrieved without the ransomware author’s help.

Once the encryption is done, the ransomware goes on to scan the LAN for possible infection targets by sending out requests looking for SMB shares. It uses the Mimikatz tool to scrape any user credentials held in memory. The ransomware then also uses a list of hardcoded usernames and passwords to brute-force its way into any available machine on the LAN.

This list is made up of weak and frequently-used passwords. For better insight on choosing strong passwords one can refer to one of our earlier blog posts.

Shown above is a network capture of the attempted spread to SMB shares. Once the ransomware has brute-forced its way into a network machine it tries to place the DLL component infpub.dat on that system and initiates the ransomware module via the Service Control Manager.

Once this is done the system reboots and the disk-encryption module dispci.exe takes over. The other dropped file, cscc.dat, is actually a driver that can perform disk encryption; note, however, that it is a legitimate file. At this point another scheduled task gets added, also for a reboot.

The time for triggering this task is updated several times before the scheduled task is finally executed.

Before going for the reboot the ransomware performs one final task which is to overwrite the MBR of the system. It uses CreateFileW on GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1) to get a handle to the MBR.

Once this is done the system reboots and displays the following message informing the user that they have wasted a lot of time trying to decrypt the files by other means.

The user is forced to retrieve their files only by paying the ransom within the timeframe given by the ransomware author. However, we at K7 Threat Control Lab urge users to refrain from paying the ransom for several reasons, including:

  1. Payment of the ransom increases the profitability of ransomware, thus fueling further attacks
  2. There is no guarantee that paying the ransom would result in getting your files back

Shown below is the onion site that displays the custom message for each user depending on their personal installation key#1. The ransom starts with 0.05 bitcoins and keeps increasing with time.

The various malicious components of the ransomware are detected by K7 as follows:

  • install_flash_player.exe - Trojan ( 0051a3031 )
  • dispci.exe - Trojan ( 0051a3031 )
  • infpub.dat - Trojan ( 0051a2c11 )
  • 16605a4a29a101208457c47ebfde788487be788d (Mimikatz 32-bit module) - Riskware ( 0051a31b1 )
  • 413eba3973a15c1a6429d9f170f3e8287f98c21c (Mimikatz 64-bit module) - Trojan ( 0051a5241 )

Apart from this the ransomware’s attempt to encrypt files is completely blocked by K7’s Ransomware Protection feature:

Kaarthik RM, Senior Threat Researcher, K7TCL
Lokesh J, Threat Researcher, K7TCL
Gladis Brinda R, Threat Researcher, K7TCL
Rajesh Kumar R, Threat Researcher, K7TCL
Mary Muthu Fransisca, Threat Researcher, K7TCL


July 6th, 2017

In our last blog we assured users of K7 Security products that they are protected against the destructive Petya ransomware. The good news is that we’ve just tightened the noose even further! Now, not only Petya but also other malware which may exhibit similar modus operandi are going to be robustly and proactively blocked. This is an effort to safeguard our users from any such ransomware attacks in future.

Let’s have a gander through what we have done:

  • Blocking the Petya ransomware at the very early stages, even before it enters a computer by including an IDS signature to block all currently known versions of EternalBlue type packets attempting to exploit MS17-010.

  • In order to tackle a situation where a malware like Petya attempts to affect the boot area, we have reinforced a protection rule in our security products to block unauthorized writes to the Master Boot Record (MBR).

  • Last but not least, we tweaked our “Ransomware Protection” logic to block the encryption procedure peculiar to Petya.

As always, we at K7 Engineering focus on complete protection at multiple layers for our users so as to safeguard them from any (new) malware occurrences.

K7 Engineering


July 3rd, 2017

Post WannaCry the world witnessed yet another brutal ransomware-style attack last week by Petya. Yet not a single user of a K7 Security Product reported any issue to K7 Technical Support, although Petya is known to have hit several Indian computers.

We at K7TCL constantly monitor for any new instances of malware, especially destructive ones like Petya. K7 Security Products protect their users by detecting Petya component files from the ransomware’s release time till date, as

  • Trojan (0001140e1)
  • Trojan (00510cfe1)

Unlike WannaCry, in addition to encrypting the user’s data files, Petya may also modify the Master Boot Record (MBR) of the user’s machine, complicating the scenario still further.

The image shown above is the screen displayed on an infected computer demanding a ransom of “$300 worth of bitcoin”. However there is reason to believe that the real objective of this variant of Petya was not to make money but just to destroy data in an irreversible way.

Anyway the “ransom screen” appears after a sequence of malicious activities are performed. Let us take a quick look at the technical details of Petya and how it infects a user’s machine.

Petya ransomware comes in as a DLL file (Dynamic Link Library) and is executed as follows:

Rundll32.exe “<path to Petya.dll>” #1

Note: Petya.dll is the pseudo name of the sample executed.
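Both this Rundll32 invocation and the one described for BadRabbit above (rundll32 running infpub.dat by export ordinal #1 with a reboot delay, followed by reboot tasks named after Game of Thrones dragons) show up plainly in process-creation logging such as Sysmon event 1 or Windows event 4688. The script below is an added example (not K7’s code) of the detection logic: it flags rundll32 loading a module without a DLL extension, exports referenced by ordinal, and scheduled tasks that reboot the host or carry the BadRabbit task names. The command lines are constructed to match the post’s descriptions; the Petya file name in them is made up, since the post uses a placeholder.

```python
"""Added example (not K7's code): triage process-creation command lines for the
rundll32 and schtasks launch patterns described for BadRabbit and Petya.
The sample command lines are constructed; the Petya file name is made up.
"""
import re

RUNDLL = re.compile(
    r'rundll32(?:\.exe)?\s+(?:"(?P<q>[^"]+)"|(?P<u>[^\s,"]+))\s*[,\s]\s*(?P<entry>#?\w+)',
    re.I)
# Extensions rundll32 is legitimately pointed at; anything else is worth a look.
LOADABLE = {"dll", "cpl", "ocx", "drv"}
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
TASK_NAME = re.compile(r'/TN\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_RUN = re.compile(r'/TR\s+(?:"([^"]*)"|(\S+))', re.I)
BADRABBIT_TASKS = {"drogon", "rhaegal", "viserion"}  # names from the post


def rundll32_indicators(cmd):
    """Indicators for a rundll32 launch: odd module extension, ordinal export."""
    m = RUNDLL.search(cmd)
    if not m:
        return []
    module = m.group("q") or m.group("u")
    entry = m.group("entry")
    name = module.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    out = []
    if ext not in LOADABLE:
        out.append("rundll32 loads %s, not a DLL extension" % name)
    if entry.startswith("#"):
        out.append("export referenced by ordinal %s" % entry)
    return out


def schtasks_indicators(cmd):
    """Indicators for a schtasks /Create: known task names, reboot actions."""
    if not SCHTASKS_CREATE.search(cmd):
        return []
    out = []
    tn = TASK_NAME.search(cmd)
    name = (tn.group(1) or tn.group(2)) if tn else ""
    if name.lower() in BADRABBIT_TASKS:
        out.append("scheduled task named %s (BadRabbit task name)" % name)
    tr = TASK_RUN.search(cmd)
    action = (tr.group(1) or tr.group(2) or "") if tr else ""
    if re.search(r"\bshutdown(?:\.exe)?\b.*\s/r\b", action, re.I):
        out.append("scheduled task reboots the host (shutdown /r)")
    return out


def triage(cmdlines):
    """Return [(cmdline, [indicators])] for lines that hit at least one rule."""
    hits = []
    for cmd in cmdlines:
        ind = rundll32_indicators(cmd) + schtasks_indicators(cmd)
        if ind:
            hits.append((cmd, ind))
    return hits


# Constructed command lines modelled on the post's descriptions.
SAMPLE_CMDLINES = [
    # BadRabbit: infpub.dat started via export #1 with the reboot delay 15
    r'C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15',
    # Petya as shown above (quoted path with a space; file name made up)
    r'Rundll32.exe "C:\Users\Public\petya sample.dll" #1',
    # BadRabbit-style reboot task
    r'schtasks /Create /SC once /TN rhaegal /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:30',
    # benign: Control Panel applet and a nightly backup task
    r'rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl',
    r'schtasks /Create /SC daily /TN "Nightly backup" /TR "C:\tools\backup.exe /full" /ST 02:00',
]

if __name__ == "__main__":
    for cmd, indicators in triage(SAMPLE_CMDLINES):
        print(cmd)
        for i in indicators:
            print("   ", i)
```

The ordinal rule on its own is noisy in some environments (installers use it too), so treat it as a scoring signal; a non-DLL extension or a shutdown task created by a non-admin tool is the stronger indicator.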

Petya has several spreading techniques. One of these employs the same method as that used by WannaCry ransomware to enter a victim’s machine by exploiting a critical SMB RCE vulnerability, i.e. using EternalBlue to exploit vulnerabilities covered in the MS17-010 update. Petya is also capable of worm-like activity to spread across the systems in a network, remotely executed using PsExec.

As this malware is executed, it first checks if the following privileges are available

  1. SeShutdownPrivilege – Required to shut down a local system
  2. SeDebugPrivilege – Required to debug and adjust the memory of a process owned by another account
  3. SeTcbPrivilege – This privilege identifies its holder as part of the trusted computer base. Some trusted protected subsystems are granted this privilege

Once the Petya DLL confirms that the required privileges are available, it enumerates all the running processes in the system and hashes each process name with its own XOR-based routine, comparing the result against hardcoded values to determine whether any of the following anti-virus products is installed:

  Hash value   Process name   AV product
  0x2E214B44   avp.exe        Kaspersky
  0x6403527E   ccSvcHst.exe   Symantec
  0x651B3005   NS.exe         Norton

The results of both the privilege checks and the anti-virus process check are stored as bit-masked global variables that affect the flow in which Petya executes on a system.

Assuming that the required checks are satisfied to run, this malware copies the entire file into virtual memory using “VirtualAlloc” and “MemCpy” APIs, so that it can delete the main file using the “DeleteFileA” API, and then jump to a new entry point in the newly created virtual space.

Then by using “LoadLibraryA” and “GetProcAddress” it dynamically rebuilds the import table of the file in virtual space. It also checks for the presence of “perfc.dat” in the Windows folder, and if found exits execution completely.

Otherwise it infects the MBR by opening a handle to the logical volume \\.\C:, retrieving the drive geometry and overwriting sectors starting at offset 0x200. In the same way, it also retrieves the geometry of \\.\PhysicalDrive0 and overwrites sectors on that drive with malicious code.
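The sector writes described here, and the MBR overwrite BadRabbit performs before its reboot (earlier post above), leave the same forensic traces: a boot sector whose code no longer matches the baseline, and non-zero sectors in the normally empty gap between the MBR and the first partition where the implanted loader lives. The script below is an added example (not K7’s code) of checking for both: it parses the first sector, compares the boot code hash with a known-good value, and counts used sectors in the gap. The disk images are constructed; `read_disk_head()` shows how to obtain the same bytes from a live disk, which needs administrator or root rights, and its device paths are assumptions.

```python
"""Added example (not K7's code): a forensic check for Petya/BadRabbit-style
bootloader implants. Parses the MBR, compares boot code with a baseline hash
and looks for non-zero sectors in the gap before the first partition.
The disk images below are constructed.
"""
import hashlib
import struct

SECTOR = 512
PARTITION_ENTRY = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector):
    """Split a 512-byte MBR into boot code hash, disk signature, partitions
    and the 0x55AA boot signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PARTITION_ENTRY, sector, 446 + 16 * i)
        if ptype:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == b"\x55\xAA",
        "bootcode_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def mbr_findings(image, baseline_bootcode_sha256):
    """Compare the head of a disk image with a baseline and report what a
    bootloader implant changes."""
    mbr = parse_mbr(image[:SECTOR])
    findings = []
    if not mbr["signature_ok"]:
        findings.append("0x55AA boot signature missing")
    if mbr["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("MBR boot code differs from baseline")
    if not mbr["partitions"]:
        findings.append("partition table is empty")
    first_lba = min((p["lba"] for p in mbr["partitions"]), default=0)
    used = [n for n in range(1, first_lba) if any(image[n * SECTOR:(n + 1) * SECTOR])]
    if used:
        findings.append("%d non-zero sector(s) in the gap before LBA %d, first at sector %d"
                        % (len(used), first_lba, used[0]))
    return findings


def read_disk_head(path=r"\\.\PhysicalDrive0", sectors=2048):
    """Read the MBR plus the gap before a 1 MiB-aligned first partition from a
    raw device (use /dev/sda on Linux). Not called in this example."""
    with open(path, "rb") as disk:
        return disk.read(sectors * SECTOR)


def build_mbr(bootcode, partitions):
    """Constructed MBR: boot code bytes, a fixed disk signature, given entries."""
    s = bytearray(SECTOR)
    s[:len(bootcode)] = bootcode
    struct.pack_into("<I", s, 440, 0x1BADB002)
    for i, entry in enumerate(partitions):
        struct.pack_into(PARTITION_ENTRY, s, 446 + 16 * i, *entry)
    s[510:512] = b"\x55\xAA"
    return bytes(s)


# Constructed baseline: a stand-in boot stub (not a real loader) and one NTFS
# partition starting at LBA 2048, followed by an all-zero gap.
NTFS = [(0x80, 0x07, 2048, 204800)]
CLEAN_BOOTCODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 32
CLEAN_IMAGE = build_mbr(CLEAN_BOOTCODE, NTFS) + b"\x00" * (SECTOR * 2047)
BASELINE_SHA256 = parse_mbr(CLEAN_IMAGE[:SECTOR])["bootcode_sha256"]


def build_infected_image():
    """Constructed: boot code replaced, partition table kept (so the machine
    still boots into the implant), 32 sectors of loader written from sector 1."""
    implant_mbr = build_mbr(b"\xEB\x00" + b"\xCC" * 64, NTFS)
    loader = b"\x41" * (SECTOR * 32)
    return implant_mbr + loader + b"\x00" * (SECTOR * (2047 - 32))


if __name__ == "__main__":
    print("clean   :", mbr_findings(CLEAN_IMAGE, BASELINE_SHA256))
    print("infected:", mbr_findings(build_infected_image(), BASELINE_SHA256))
```

The baseline hash should be taken from a known-good image of the same OS version, since boot code differs between Windows releases; the gap check needs no baseline at all on a standard 1 MiB-aligned layout, where those sectors are expected to be zero.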

After infecting the MBR this malware creates a scheduled task to perform a system restart after 15 minutes.

This time is utilized by malware to drop and execute a file from its resource section into the Temp folder which acts as an infostealer, and also tries to spread itself by creating threads which attempt to enumerate all subnets of the local network, then trying to connect to each IP to test its SMB ports.

As the restart task triggers, a fake Chkdsk.exe repair screen is displayed while the malware encrypts the hard drive, as shown below:

Once the encryption is done, as the final step it shows a ransom note demanding $300 as shown earlier.

Apart from the continuous protection from K7 Security products against malware, we recommend users to regularly and urgently deploy security updates for the operating system as soon as available.

Shiv Chand
Senior Threat Researcher, K7TCL


June 1st, 2017


One year ago we at K7 affirmed our deep commitment to education. Since then, in addition to the official, successful delivery of our multi-module K7 Security Academy training programme to several universities, it is with utmost pleasure that we also formally announce that we have signed an MoU with Teach for India.

Over the past decade Teach for India has done a sterling job across several parts of the country in delivering top-quality education to thousands of children from the lower income strata of our society. This work is a national priority, of course, and we at K7 are extremely proud to contribute to this great cause.

It is with much hope and excitement that we stand at the threshold of a new era of didactic activity on many fronts for K7 Computing. Join us, learn, teach!

Image courtesy of

Samir Mody
