These are quick first looks and trend and threats

Written by the security and AV professionals from team K7, meant for the general audience
These are usually articles that go into internals of a virus or deal with security issues
Senior managers speak on areas of interest to them, inside and outside the industry

Archive for the ‘Tech articles’ Category

New Trick up the Sleeve: Trickbot Delivered Via Fake Banking Forms

Friday, June 8th, 2018

Trickbot, a banking Trojan family that has been around for some time now, aims at stealing banking credentials from infected victims. This blog post talks about a new variant of this Trojan that (ab)uses PowerShell, MS-Word macros and Office Equation Editor vulnerabilities as its infection vectors.

The document comes via email disguised as a BACS (Bacs Payment Schemes Limited, formerly known as Bankers’ Automated Clearing Services) request form as depicted in Figure 1.

Figure 1: Fake BACS request form that looks identical to the original form

The sender’s email id, “”, is crafted, a common enough social engineering technique to deceive an unsuspecting user into opening the attachment, which then requires the user to enable macros, claiming that this is necessary to auto-fill the form. Figure 2 depicts the flow of execution on opening the malicious DOC attachment and enabling the macros.

Figure 2: Execution flow

Macros contained in the Word document are depicted in Figure 3.

Figure 3: Macros

Once enabled, the macros triggered creates the cmd and PowerShell processes as depicted in Figure 2 to execute the script for downloading the Trickbot binary. Here’s the actual PowerShell script that gets executed:

Figure 4: Actual script (courtesy of

Figure 5: Reformatted form of script for better readability

PowerShell is now one of the most widely abused Windows components by malware authors since it is available by default on modern Windows and interacts easily with the .NET framework. The Trickbot script uses the .NET API “DownloadFile” from a common .NET class (System.Net.Webclient) for downloading the malware’s preliminary binary component. Some thoughts on why this specific API was chosen:

  • The download happens in the background. There is no download progress indicator, i.e. the user is completely unaware of what’s happening
  • The thread cannot be interrupted until the current download is complete or fails.

The script also has a failsafe mechanism by way of a try/catch block which provides alternative download links to the binary component which were specifically created for the purpose of serving this malware:

  • hxxp[:]//interbanx[.]co[.]id/lopagores[.]png
  • hxxp[:]//chimachinenow[.]com/lopagores[.]png

These two domains were also found to host other malicious files as depicted in Figure 6.

Figure 6: Other malicious files hosted (courtesy of VirusTotal)

Once lopagores.png (which is actually a Portable Executable, i.e. PE) is downloaded successfully, the script executes it using the Start-Process command from a hard-coded path that keeps changing from sample to sample (temporary location as shown in Figure 5).

Behavioral analysis of the downloaded binary file

The binary component then copies itself to a sub-folder under the user’s %APPDATA% area along with another file named “client_id”, which contains the system details like the machine name and OS version, as well as an arbitrarily generated string to identify the bot and the campaign to which it belongs as depicted in Figure 7.

Figure 7: Sub-folder under %APPDATA% (NB: sample has been renamed to its SHA256 hash value)

An aptly-named folder “Modules” is also created along with the above files that acts as a placeholder for:

  • Any modules that get downloaded or pushed from the C&C (Command and Control) server
  • Files that are injected into various browsers to scrape user credentials

Persistence is taken care of by a scheduled task with multiple triggers created with the name “MsNetValidator” to masquerade as a legitimate task, a simple but effective way to hide from the average user.

Figure 8: Scheduled task for persistence

Registry modifications are also made (as shown in Figure 9) to exclude its folder from Windows Defender scans.

Figure 9: Registry entry for exclusion from Windows Defender scan

Before contacting any C&C server for downloading additional modules, the malware first retrieves the host IP by simply querying one or more of the following domains until a response is received.

www[.]ipify[.]org      icanhazip[.]com        myextrnalip[.]com
wtfismyip[.]com        ip[.]anysrc[.]net      api[.]ipify[.]org
ipecho[.]net           ipinfo[.]io            checkip[.]amazonaws[.]com

It injects into the legitimate svchost process to modify the scheduled task for the next trigger as depicted in Figure 2.

Inside the code of the downloaded binary file

The main binary component, a Visual C executable, is designed to decrypt the malicious code only at runtime.


This piece of malware performs multiple layers of decryption before the final bad act. For those who are interested here’s a slightly more detailed explanation. The 1st level (bog standard) decryption of some bytes followed by a call to the decrypted bytes is seen in Figure 10.

Figure 10: 1st level of decryption

The 2nd level (evasive action) involves the decrypted code allocating more memory into which further encrypted content is copied and decrypted, and another call is made to that decrypted content as seen in Figure 11.

Figure 11: The 2nd level of decryption

In the 3rd level (definitely bad) this decrypted code allocates even more memory, and more encrypted code is loaded into it and decrypted, which happens to be the “meaningful” malware code.

Figure 12: 3rd level of decryption to “meaningful” malware code

Our analysis also shows that it scans the memory for traces of monitoring tools and/or malware analysis-related processes. The list of processes that it scans for is as follows:


These names are stored in encrypted form without any special character or entropy so as to avoid easy detection based on strings or entropy. If none of the aforementioned process are found active, the malware goes on to copy itself to user’s %APPDATA% folder (as depicted earlier in Figure 7) and launches itself as a new process. This process, after verifying it is in fact running from under the user’s %APPDATA% folder, goes on to decrypt another Visual C binary (as depicted in Figure 13), which does not touch the disk at all, i.e. it is decrypted, read and memory mapped whilst in memory itself.

Figure 13: Final decryption (Trickbot payload)

Before passing on the execution flow to the decrypted file in memory, the malware checks if it is being debugged by calling the function ZwQueyInformationProcess with the parameter ProcessInformationClass set to 0, which retrieves the pointer to the PEB (Process Environment Block) structure, which is in turn read to conclude if the process is being debugged or not as depicted in Figure in 14.

Figure 14: Check if being debugged

This decrypted binary in memory is the actual payload of Trickbot which is responsible for tasks like:

  • Querying the local IP
  • Ensuring persistence (via registry and scheduled tasks)
  • Creating the “Modules” folder
  • Decrypting a configuration file from its resource (as depicted in Figures 15 & 16) using functions from NCrypt.dll or BCrypt.dll
  • Contacting C&C server

Figure 15: Encrypted config file content stored in resources

Figure 16: Retrieving functions from NCrypt.dll or BCrypt.dll

The decrypted resource blob (as depicted in Figure 17) is saved as Config.conf under the user’s %APPDATA% folder.

Figure 17: Content of Config.conf file

<ver> tag indicates the Trickbot version which is 1000166, <gtag>  indicates the campaign ID and <srv> has the list of C&C IPs and ports for downloading additional modules. The C&C pushes custom or specific modules for specific targets which are responsible for code injection, mailcollector, sqlfinder, screenlock, etc. on successful validation of request received from Trickbot payload.

Same malware, different vulnerability

We also saw instances of this malware being served via a crafted MS-Word document which tries to exploit the Office Equation Editor vulnerabilities, i.e. CVE-2017-11882 and CVE-2017-8570 This crafted document, in the guise of a “Payment advice” form from HSBC bank, gets delivered from a typo-squatted domain “” or “” in an attempt to make the email look legitimate. The crafted document probably uses ThreadKit because it drops task.bat under the %Temp% folder and executes it using cmd.exe (typical ThreadKit behaviour) which will be followed by a PowerShell process (as depicted earlier in Figure 2). Figure 18 shows the actual PowerShell script and its reformatted form used to download the executable.

Figure 18: PowerShell Script (courtesy of

From Figure 18, it is evident that both infection vectors use the same domains to download the malware. The file downloaded by the second method is a Microsoft Visual Basic 5.0 compiled binary (the reader may recall that the first method downloaded a Visual C binary), but it drops a similar Trickbot payload during runtime though. Our analysis indicates that this banking Trojan constantly seeks new infection vectors and is still very active. The malware authors are still implementing new functionalities and modules.

Indicators of Compromise (IoCs)

File details

DOC file:

FA9762828CF25F0182CC5A6781E708DA   (fake Lloyds Bank DOC)  Trojan ( 0001140e1 )
5FE7EF0E15A4E9468018E0A76457D159   (fake HSBC bank DOC)	   Trojan ( 0001140e1 )

PowerShell script:

7B177E32052DCF80830A087C9157A598   (Script from Lloyds Bank DOC)  Trojan ( 0001140e1 )
A5E7AF38D0CC548071B1B93731CE2B62   (Script from HSBC bank DOC)	  Trojan ( 0001140e1 )


C4634916686AD740E1D17F23721152E2  (EXE from fake Lloyds DOC)  Trojan ( 0052cf591 )
1E9BC9805114D86B411F5DDEF01C67D0  (EXE from fake HSBC DOC)    EmailWorm ( 003c363a1 )

K7 products also have dynamic detection for the Trickbot variants.

URLs List

hxxp[:]//interbanx[.]co[.]id   (malicious domain blocked by K7SafeSurf)
hxxp[:]//chimachinenow[.]com   (malicious domain blocked by K7SafeSurf)

Lokesh J
Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Don’t Raise Even an IoTa of a Doubt!

Friday, April 6th, 2018

This blog post presents a dissection of a Windows malware that operates via an IoT channel for its Command & Control communication. We are also going to explore this malware’s infection vectors to understand how it gets itself onto a victim’s computer.

Infecting a machine without raising suspicion is only half the challenge, the comparatively easy part. Actively maintaining the state of control is the other, more difficult part of the challenge. Off late threat actors are inclined towards third-party APIs for Command and Control (C&C) services as they are easier to establish, more stable and have the advantage of not being flagged by network monitoring tools. Third-party services are also more difficult to take down. In this blog we are going to look at one such malware which uses the PubNub infrastructure for its C&C needs.

With the increased use of Internet-enabled “smart” devices, also known as “Internet of Things” or IoT for short, and the multitude of services offered for them, cyber criminals have started exploring new waters. The specific malware in question uses PubNub, an infrastructure-as-a-service company, as a channel of communication between the infected devices and its C&C.

PubNub is a global data stream network that provides APIs for real-time applications and IoT devices. It can be used to quickly push small messages to one or more devices like smartphones, tablets, desktops, microcontrollers, etc.”

At the time of writing not many of the available network security products block malicious network traffic over this channel. Let’s start with how this malware infects a device, and then move on to other details.

We believe this malware targets devices in the Chinese geographical region, and here’s why: it masquerades as the security product “360 Total Security” – an offereing from the Chinese company Qihoo 360. In fact it gets downloaded from a fake webpage that poses as Qihoo 360’s official download page: hxxp://ebsmpi[.]com/ipin/360/

We looked at the website itself. As one would expect this website had no connection whatsoever with Qihoo 360, and what’s worse, the website is actually of Korean origin, not Chinese. A quick visit to this website’s homepage told us that it provides standards for psychological examination of school children and that it belongs to the Korean Educational Broadcasting System (EBS). Furthermore, the website was registered more than 3 years ago, meaning it is possibly a legitimate domain (i.e. not a domain registered just to distribute malware) that has probably been compromised, being used to serve up malicious content without the site admin’s knowledge, leave alone consent.

We then compared the file downloaded from the fake page with Qihoo’s legitimate installer. Other than identical icons and file names, the two files were completely different. The file size of the malware sample was less than that of the actual file as it is only a downloader component.

On execution the sample downloaded and installed the actual 360 Total Security to avoid suspicion. A code snippet from the sample (see image below) revealed that the installer is not downloaded from the official page but from another Korean domain which seems to be legitimate, and has been around since 2013, meaning this site is also probably compromised.

In addition the sample does the following in the background:

  • Downloads the final payload (Ant_3.5.exe) and its encrypted configuration file (desktops.ini) at the root of the user’s %AppData% directory (see images below)
  • The downloaded payload is renamed to svchost.exe and executed
  • Registry entry pointing to the payload is created for persistence

While these activities happen in the background, the unsuspecting user is presented with the GUI from the actual 360 Total Security.

The below image, courtesy of, shows the execution flow:

The final payload (svchost.exe) is a .NET compiled binary with no obfuscation whatsoever. A simple .NET de-compiler helped explore the malicious code present within it. It was found that it utilizes PubNub APIs to await remote commands from the bot master(s).

It decrypts its configuration file (desktops.ini) by performing byte wise XOR with 2310.

Desktops.ini referred in final payload

Decryption function inside final payload

As per PubNub: “[PubNub] utilizes a Publish/Subscribe model for real-time data streaming and device signaling which lets you establish and maintain persistent socket connections to any device and push data to global audiences in less than ¼ of a second. You can publish messages to any given channel, and subscribing clients receive only messages associated with that channel. The message payload can be any JSON data including numbers, strings, arrays, and objects.”

The contents of the decrypted configuration file hold the information to perform the above-mentioned communication. We can see the Subscribe key, publish key, origin ( and channel name as PROCESS. The UUID is the machine name + MAC address.

PubNub provides a Subscribe Key and Publish Key on sign-up for using the service. A publishing client pushes messages to his/her respective channel(s), and a subscribing client receives only messages associated with the subscribed channel(s). A PubNub message consists of the channel information and associated data that needs to be carried across.

In this case, the publishing client is the bot master and the subscribing clients are the infected devices. Upon receiving any message from through the PROCESS channel, the function related to the message gets executed on the subscribing client. All messages are sent over SSL, and hence the network traffic grab doesn’t give out any tangible information.

The below image shows the functionality associated with receipt of the “COMMAND_RUN” message present inside the final payload:

Many bot malware related commands were present within the final payload as shown below:


Same malware, different attack vector

The same malware has also been observed to have be delivered as an email attachment. In this case, it is a Korean document about a Chinese commerce meeting. The document exploits the CVE-2018-0802 vulnerability in Microsoft Word to deliver the payload.

The document contains an OLE object embedded inside of it.

Payload: hxxp://cgalim[.]com/admin/hr/hr.doc

The downloaded payload (hr.doc) is actually a malicious executable which downloads the final payload and its configuration file as seen in the previous case.

As always, it is advised to stay up-to-date with a reputed security product like K7 Total Security to ward off such malware infections. K7 Total Security detects and blocks all executables and URLs associated with this malware.

Indicators of Compromise (IoCs)
File details

Downloader (Fake Installer – 360TS_Setup_Mini.exe)

CA282452467647F34D62B46F6F5E3B1E    Trojan-Downloader ( 00524c8e1 )

Other downloaders

24FE3FB56A61AAD6D28CCC58F283017C    Trojan-Downloader ( 005246211 )
97FECA6E73BB787533C6BD17EDA80582    Trojan-Downloader ( 00524c8e1 )
97BA95D3684F460BCFD2EF60494C5F98    Trojan ( 0001140e1 )

Final Payload (Ant_4.5.exe / Ant_3.5.exe)

84CBBB8CDAD90FBA8B964297DD5C648A    Trojan ( 00524e851 )
FF32383F207B6CDD8AB6CBCBA26B1430    Trojan ( 00524e851 )

Email attachment (Invition.doc / bitcoin.doc / hr.doc / 2018버블 전망.doc)

37D82F3D219E96EE9381D6DF93510D1D    Trojan ( 0001140e1 )
7817D9240AB39FE28EDD3A44E468439D    Trojan ( 0001140e1 )
62350386B7F56679A3D7F2C9027A665A    Trojan ( 0051f3601 )

URLs list

hxxp:// ebsmpi[.]com /ipin/360/down.php
hxxp:// ebsmpi[.]com /ipin/360/desktops.ini
hxxp:// ebsmpi[.]com /ipin/360/ant_4.5.exe
hxxp:// ebsmpi[.]com /ipin/360/ant_3.5.exe
hxxp:// cgalim[.]com /admin/1211me/Ant_3.5.exe
hxxp:// cgalim[.]com /admin/1211me/desktops.ini
hxxp:// cgalim[.]com /admin/1211me/Servlet.exe
hxxp:// cgalim[.]com /admin/hr
hxxp:// cgalim[.]com /admin/hr/hr.doc
hxxp:// cgalim[.]com /admin/hr/temp.set

Dinesh D
Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

EXtOrtion Banking bOT – EXOBOT!

Friday, February 23rd, 2018

This blog intends to describe a few new techniques used by the latest versions of Exobot, an Android Banking Trojan. These new techniques have been introduced to complicate the process of reversing engineering and to evade detection by security products.

It is only natural that, with huge increase in the number of Android smartphones users and availability of mobile banking services, cybercriminals have focused on malware targeting banking apps and other apps that enable financial transactions to embezzle funds from victims’ accounts. Devices infected with such malware would subject the users to be victims of the following (non-exhaustive):

• Financial loss
• Loss of Personally Identifiable Information (PII)
• Loss of privacy

Typically, banking Trojans await instructions from remote Command-and-Control (C&C) servers, thus allowing the attacker(s) to potentially turn compromised devices into involuntary but blissful bots. Also, the bad guys tend to keep changing their distribution mechanisms and infection routines (without compromising the severity of intended damage) to evade detection by security products. Unsurprisingly, Android banking Trojans are no exceptions in these aspects.

Exobot is an Android banking Trojan like any other. As described in our previous blog it steals users’ banking credentials from infected devices to enable the attacker(s) to siphon off their funds.

But here’s how this piece of malware is different. Our analysis revealed some interesting implementation techniques employed in recent versions for detection evasion which we have depicted in the following picture:

In case you find the above picture to be not-so-self-explanatory, please read on for a more detailed explanation on the differences between the older (Exobot V1) and newer (Exobot V2) versions.

Technique 1:

Exobot V1’s AndroidManifest.xml file contains all broadcast receivers, permissions and other privileges registered to perform malicious activities. All its eggs in one basket.

Exobot V1 Permissions

Exobot V2, on the other hand, has its requirements spread out. Basic installation and device admin registration are requested in the primary component (earlier available on the Google Play Store, but thankfully not anymore), which then downloads a secondary bot component, the requirements of which are handled within its own AndroidManifest.xml.

Exobot V2 Permissions split between parent and dropped components

The secondary component, downloaded from the URL shown in the following picture, then tries to connect to different C&C servers to receive commands from remote attacker(s).

It is noteworthy that the primary component retries downloading the secondary component multiple times (up to 5 times in the variant we analyzed) at regular intervals in case of failures when connecting to the URL specified. If all attempts to connect to this URL fail, it then tries to connect to other C&C servers from a predefined list.
Technique 2:

Exobot V1 is very trusting. It starts its malicious activities without checking the configuration of the device on which it is running. Exobot V2 is more cautious. It deploys multiple verification mechanisms before behaving badly. Here are the most interesting of such checks it carries out before proceeding with its infection routine.

Checks if device is connected to debugger

n.df + n.fv + n.eF – android.os.Debug + n.eG + n.fu – isDebuggerConnected

Verifies if device configuration does not match any of the below criteria

  • Is the malware running within a test environment, say an emulator? Does any one of the below default values of an emulator match with the extracted values from the device?
    • Build.MODEL is “google_sdk or Emulator or Android SDK built for x86″
    • Build.MANUFACTURER is “Genymotion” (“GenyMotion” is an emulator frequently  used for QA or tests)
    • Build.PRODUCT is “google_sdk or sdk or sdk_x86 or vbox86p”
    • DeviceId is like “000000000000000” or “012345678912345” or “004999010640000″
    • VERSION.RELEASE is “0”
  • Is the compromised device connected to a test network?
    • SIM operator is “android” or “emergency calls only” or “fake carrier”
If any of the above match, execution stops

Checks and sets the malicious app as the default SMSPackage

The Android OS has the flexibility to programmatically set a user app as the default app to handle SMS. Exobot V2 leverages this option to be the first to access incoming SMS, as well as to suppress the messages from other installed apps by aborting the “SMS_Received” broadcast.
Verifies if “MAIN_VERSION_REQUIRED” is less than a specific threshold value to ensure that the bot can run on the device, i.e. on that particular version of Android OS

Where n.aT maps to “Bot is not able to run that command” and n.aU maps to “Command execution system error”.

Technique 3:

Exobot V2 also mimics an anti-reversing technique from its Windows-based counterparts. All the strings in the malware’s code are obfuscated, though with a very simple logic of inserting junk characters in between. For example:

a(“start”) may be converted to something like a(“s**EJz**t**EJz**a**EJz**r**EJz**t**EJz**”)

In the above example, “**EJz**” are the junk characters.

Our lab researchers regularly track Android banking Trojans, especially for their behavioral and technical differences, in order to ensure we are able to block the malware at the earliest with new and updated detection methodologies. K7 Mobile Security users are protected against both the older and newer versions of this malware.

Exobot V1 (example sample hash: b4064f4bca2ac0780a5e557b551a3755) is detected as “Spyware ( 004fdfc01 )”.

Exobot V2: The primary component (example sample hash: 6924d51242386e3c20c84f017f1838b9) is detected as “Trojan-Downloader ( 004f07451 )”, and the secondary component (example sample hash: f66e30974435e5ef092aeb7c9e5cad7a) is detected as “Trojan ( 005243d11 )”.

As always K7 Threat Control Lab makes the following recommendations:
  • Use a highly-reputable mobile security product such as K7 Mobile Security to block any infection
  • Regularly update the mobile OS and security applications installed to be free of mobile malware
  • Refrain from installing apps recommended by strangers
  • Review the reputation of any app before downloading and installing it
  • Choose to download and install apps only from the official Google Play store, as immediate & regular security actions are taken in emergency situations
  • Do not enable “Download from Unknown Sources”

Senior Threat Researcher

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

How Safe is Android Mobile Banking?

Monday, January 8th, 2018
There has been some recent media interest in one variant of Android Banking Trojans, also known as ‘Bankbots’. Bankbots have been around for a pretty long time now, i.e. nothing new, and the variant of unusual interest was already blocked by K7 Mobile Security as Trojan ( 0051c57a1 ).

As the name suggests Banking Trojans help hackers to steal money from a user’s account without his/her knowledge. This particular Android Banking Trojan scans the list of running apps for package names related to popular banking apps from all over the world in order to intercept incoming bank-related SMS messages, suppressing them from the user and redirecting them to a remote hacker. It can accept commands from a C&C server.

This Banking Trojan disguises itself as a Flash Player app hosted on third party markets. In order to carry out its malicious behavior silently the Trojan requests the user to provide device administrator privileges.

For this Trojan to start its malicious behavior it registers many receivers for various actions on the device as listed below:

  • android.provider.Telephony.SMS_DELIVER
  • android.provider.Telephony.WAP_PUSH_DELIVER
  • android.intent.action.BOOT_COMPLETED
  • android.intent.action.QUICKBOOT_POWERON
  • android.intent.action.USER_PRESENT
  • android.intent.action.PACKAGE_ADDED
  • android.intent.action.PACKAGE_REMOVED
  • android.provider.Telephony.SMS_RECEIVED
  • android.intent.action.SCREEN_ON
  • android.intent.category.HOME
  • android.intent.action.DREAMING_STOPPED

One of the receivers “yqyJqWdtdf.UOaOrquyRDgLFgGueha.resiverboot” that is registered for the SMS_Received broadcast is shown below:

The Trojan also requests for the following permissions:

  • android.permission.READ_CONTACTS
  • android.permission.INTERNET
  • android.permission.WAKE_LOCK
  • android.permission.GET_TASKS
  • android.permission.READ_PHONE_STATE
  • android.permission.RECEIVE_SMS
  • android.permission.READ_SMS
  • android.permission.WRITE_SMS
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.CALL_PHONE
  • android.permission.SEND_SMS
  • android.permission.ACCESS_FINE_LOCATION
  • android.permission.PACKAGE_USAGE_STATS
  • android.permission.SYSTEM_ALERT_WINDOW

Interestingly upon launching this malware, i.e. upon clicking on the Flash Player icon in the app list, the Flash Player icon hides itself so that the user may not be aware of the malicious activity happening in the background.

The main activity class decodes a base64-encoded dex file, budda2.dex which is contained within the class as follows:

The decoded dex file contains the code responsible for incoming SMS interception, sending SMS and other malicious behavior.

Upon following one of the receivers, resiverboot for android.provider.Telephony.SMS_RECEIVED, budda2.dex is called internally as shown in the image below:

RiciverSMS from Budda2.dex file has the code to intercept incoming SMS messages as shown below:

As highlighted above the StopSound function changes the ringer mode to ‘0’ to avoid the user being notified of incoming messages.

DelIndox and DelSent deletes the messages from a particular originating address from the Inbox and sends the items respectively as shown below:

And it sends these to the hacker as per the command shown below:

This malware turns the compromised device into a bot, and the installed malware keeps listening for a command from the C&C server to carry out orders. The C&C can issue commands to the malware to even kill itself as well as shown below:

All the collected information is sent to the hacker including whether the bot is active or not. The hacker’s infection status dashboard is maintained as shown below:

This malware verifies if any one of the below mentioned banking apps or those dealing with financial transactions in the installed on the device. Few of the popular banking apps across the world are listed below:










Please note that apps such as document readers and Flash Players:

  1. Do NOT require device administrator privileges.
  2. Should not typically request for permissions to “SEND, WRITE OR RECEIVE SMS

Please avoid installing such applications.

As always we at K7 Threat Control lab make the following recommendations:
  • Use a top-rated mobile security product such as K7 Mobile Security to block any infection
  • Regularly update the mobile OS and security applications installed to be free of mobile malware
  • Carefully analyze the messages or alerts which apps display before taking any action
  • Refrain from installing apps recommended by strangers
  • Review the reputation of any app before downloading and installing it
  • Choose to download and install apps only from the official Google Play store
  • Do not enable “Download from Unknown Sources”

C&C server Image courtesy:

Dhanalakshmi.V & Baran Kumar.S

K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Stop Lamenting About “WannaCry”

Tuesday, May 16th, 2017

WannaCry ransomware, a security disaster has already infected thousands of computers all over the world, especially in Russia, India and China, and has hit emergency services in various countries, e.g. the UK. There have been images of infected ATMs, gigantic billboards, etc., making this attack a high-profile event.

This attack is a macabre reminder of the ill effects of

  • exploiting a critical vulnerability in the Windows OS
  • using a pirated version of an operating system
  • leaving computer unpatched and connected to the internet, in other words highly vulnerable

In most of the attack scenarios tracked, WannaCry ransomware infects a computer by using the “EternalBlue” exploit (developed by the NSA and released to the public by Shadowbrokers in April 2017), which exploits a critical vulnerability in Microsoft SMBv1 server (CVE-2017-0143 to CVE-2017-0148) by sending a specially-crafted packet. There was a Microsoft patch MS17-010 available to fix this vulnerability released in March 2017. It is also alleged, although without any concrete evidence, that this malware may enter a computer by the common email-borne route.

Please note that K7 security products contains heuristic anti-ransomware functionality which is capable of stopping WannaCry in its tracks without any signatures updates (please read the Virus Bulletin blog which includes a video of K7’s talk from 2015 about fighting back against ransomware). However to ensure stopping all variants of the ransomware before any encryption starts, we at K7 Threat Control Lab have taken the necessary steps to block it at all of its possible execution points. Users of K7 Security products are protected against this ransomware and the detection names at the time of writing are as follows:

Trojan (0050db011)

Trojan (0050d8371)

Trojan (0050d7201)

In addition, K7 blocks this multi-component malware with the behavioral detection as

Suspicious Program ( ID21236 )

Suspicious Program ( ID21237 )

Suspicious Program ( ID21238 )

Before we look at the technical details of this malware and explore how it works we must urge users to apply the latest Windows patches which Microsoft has made available even for the unsupported Windows XP, and may be applicable on pirated versions of Windows too (note, using pirated software is an extremely bad idea). In order to better protect the computer against being exploited from an external source, blocking in-bound connections on TCP ports 139 and 445 and UDP ports 137 and 138 might be an option to carefully consider. The client firewall in K7 Security Products can be configured to restrict traffic as described on the mentioned ports.

In addition there has been some misinformation aggressively disseminated on social media and the news that using a certain password which is embedded in the code can be used to decrypt the encrypted data. This is far from the truth. WannaCry uses the embedded password to decrypt its internal embedded ZIP containing ransomware components. Users are strongly advised to ignore any mention about this password and avoid being influenced by a whole lot of scaremongering junk information being released irresponsibly. There is currently no way to retrieve all the encrypted data barring use of the cyber criminals’ own decryption service at a cost of US$300-US$600.

WannaCry involves multiple executable files to infect an end user.  The main dropper EXE accesses the URL as shown in the images below,

This URL is now known as the “kill switch” since if it is accessible the dropper stops execution. Such a “kill switch” is unprecedented in the history of ubiquitous run-of-the-mill ransomware and raises interesting questions about the true purpose of the attack. Interestingly the above domain has now been registered by researchers, thus stopping the attack at the dropper stage in many situations. There are few recent samples which ignores whether or not the URL connection is successful.

MD5: d724d8cc6420f06e8a48752f0da11c66

MD5: E8089341EE0442A2ECF82E4B70829143

Anyway, let’s assume the executable proceeds with its malicious behavior. The dropper EXE starts itself as a service with the security parameters as “-m security”, service name “mssecsvc2.0” and display name as “Microsoft Security Center (2.0) service”

Then it tries to load the payload executable which it carries within itself under the resource named “R” in the sample which we analyzed (d5dcd28612f4d6ffca0cfeaefd606bcf).

In any PE parsing tool, it shows that the resource contains an embedded PE

It extracts the file with the name “tasksche.exe” under the directory called “windows\<randomname>” as shown below. Note, we have also seen occurrences of this file being dropped under “ProgramData\<randomname>.”

After which the dropper starts the payload “tasksche.exe” using CreateProcessA. The payload tasksche.exe (84C82835A5D21BBCF75A61706D8AB549) contains the required functionality for encrypting data on the computer, and the files to display the ransom notes, etc. It carries within itself a password-protected ZIP in .resource section, as mentioned earlier. Interestingly, the password for the ZIP is plain text and not encrypted.

Upon further research we found that even though the password is in plain text, the password keeps changing. Sample 4da1f312a214c07143abeeafb695d904 uses the password “wcry@123”.

Unzipping the password-protected ZIP drops the following files in the desktop directory,

Folder “msg” contains the rtf files with extension .wnry for different languages.

Here are the details of the other files that are unzipped:

1. b.wnry – BMP image file (desktop background mentioning the decryptor tool @WanaDecryptor@.exe to receive ransom payment)

2. c.wnry – contains Tor browser download link

3. r.wnry – Text Message

4. s.wnry – ZIP file with has tor.exe along with its dependent DLLs

5. t.wnry – Encrypted data which then decrypts itself in memory (it’s a DLL file)

6. u.wnry

7. taskdl.exe

8. taskse.exe

It also unzips a batch file that writes a VBScript file m.vbs, that points to an LNK file to run “@WanaDecryptor@.exe” a shown below,

This @WanaDecryptor@.exe, once run, calls taskdl.exe and displays the below screen to the user,

It also copies itself to other locations like


The following file extensions are susceptible to encryption:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

Encrypted files would have extension .wncry  appended to the user file name, e.g. if the file name is user_pic.jpg, after encryption it would be user_pic.jpg.wncry.  The bytes of encrypted file at offset zero would be ‘0×57 0×41 0x4E 0×41 0×43 0×52 0×59 0×21’ (ASCII “WANACRY!”)

In all the folder locations in which encryption occurs there also two additional files dropped:
@WanaDecryptor@.exe.lnk which points to @WanaDecryptor@.exe and @Please_Read_Me@.txt, which contains the ransom note.

As with all ransomware, and to guard against data loss in general, it is important to maintain regular backups of critical data to be able to retrieve it in the case of file or disk corruption.

What is in store for the world now with respect to WannaCry? Are we going to see a different infection strategy, will the binaries be custom-packed, will strings be encrypted? Or will the attack lie low for a while? We’ll be monitoring the twists and turns in the WannaCry saga over time, and will publish new information as and when required.

K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

DoS Attack: Service Unavailable

Friday, September 30th, 2016

Continuing our series on Cyber Security, this blog post aims to shed some light on a security term that is casually thrown around these days, Denial-of-Service.

As the term conveys a “Denial-of- Service” (DoS) attack aims to cut off the provision of a service. When we speak of it in terms of computing we would generally refer to an online network-based service that is renderred inaccessible to legitimate users during the course of the attack. A successful DoS attack would require a large number of requests being sent to the network service at a specific point in time.

In general for a seamless network communication to happen a “request-acknowledge” signal is essential, i.e. when a user makes a request to a network service his request would first be acknowledged and then data corresponding to his query would be sent back along with a request for acknowledgement once the data is received. The user then sends an acknowledge signal once the requested data has been received. All this happens in the order of milliseconds hence they are barely noticeable.

Every server that hosts a service would have a maximum request-handling capacity, and when that threshold is exceeded the server or the service becomes unavailable. It is this request limit which is exploited and abused by a DoS attack.

When speaking in terms of malware related DoS, malware authors employ their botnet (a collection of computers infected with silently-running backdoor Trojans) to perform this kind of attack. A botnet controller (aka “Bot Master”) can send out instructions to the entire botnet under his command to target a specific service, typically a web service, to effect a DoS on the target website.

Several DoS attacks have been orchestrated targeting organizations along with ransom demands to call off the attack. In the days of e-commerce and online services it is essentials that business organizations keep their services up and running in order to retain their customer base.

In this series we shall have a look at various flavours of DoS attacks and how they are orchestrated.

Image Courtesy of:

K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Interesting Persistence Technique

Thursday, June 16th, 2016

Here is an interesting persistence technique, which I have not seen before, used by a malware which I analyzed last week at K7 Threat Control Lab. It uses a simple RunOnce registry entry to maintain its persistence but in a unique way. I would like to post a complete analysis, albeit brief, of its functionality.

Functionality in a Nutshell

  • Push-Pop-Call
  • Misuse of Process Environment Block (PEB)
  • API Hashing Technique
  • Anti-Debug & Anti-Emulation Techniques
  • Strings Obfuscation Mechanism
  • Registry Abuse
  • Hidden DLL with multiple entrypoints (Export & DLL main) and its role
  • Multiple Injections into explorer.exe
  • Rootkit-like Behavior
  • Persistence Mechanism – RunOnce entry
  • Final Injection to IExplore.exe to act as downloader


This malware uses a Push-Pop-Call sequence at the Entrypoint to change the execution flow of the program as shown in Figure 1. This is not a clever technique since it can be used by Anti-Virus software to flag the malware immediately given that this sequence is unlikely to be found in clean programs.

Figure 1

Misuse of Process Environment Block (PEB)

Not an uncommon technique, this malware uses PEB_LDR_DATA, a member of the PEB structure, to locate InMemoryOrderModuleList LinkedList, which is then used to retrieve names of the loaded modules. It calculates the hash for each of the retrieved module names and compares with that of Kernel32.dll (hardcoded in the code), and extracts the base address of Kernel32.dll when the hashes match as shown in Figure 2.

Figure 2

API Hashing Technique

Using the retrieved Kernel32.dll base address, it enumerates export function names and calculates their hashes, which, in turn, are compared with predefined API hashes (in the data section) to identify the addresses of preferred APIs that are listed below. This common technique is to avoid heuristic detection on import APIs.

  • ConvertThreadToFiber
  • CreateDirectoryA
  • CreateFiber
  • CreateFileA
  • CreateMutexA
  • CreateProcessA
  • CreateThread
  • DeleteFileA
  • GetFileSize
  • GetFileTime
  • GetModuleFilenameA
  • LoadLibraryA
  • MoveFileExA
  • ReadFile
  • ReleaseMutex
  • RemoveDirectoryA
  • SetFileAttributesA
  • SetFilePointer
  • SetFileTime
  • SwitchtoFiber
  • WaitForMultipleObjects
  • WriteFile
  • WritePrivateProfileStringA

The hash calculation algorithm is shown in Figure 3 below.

Figure 3

Anti-Debug & Anti-Emulation Techniques

It implements Anti-Debug & Anti-Emulation techniques to prevent or misguide the reverse engineering process. This malware creates a thread which possesses an Anti-Debug technique of Memory Access Violation Exception (shown in Figure 4 below), thus complicating the analysis flow for researchers.

Figure 4

It also adds additional Exception Handlers in the existing SEH chain, which would be triggered by a memory access violation as shown in Figure 5.

Figure 5

It also uses undocumented ntdll.dll APIs which could act as an anti-emulation technique

  • ZwCreateThread
  • ZwResumeThread

Strings Obfuscation Mechanism

It employs an uncomplicated obfuscation mechanism to hide strings to dodge its presence from Anti-Virus products. Figure 6 shows how it decrypts a string to be used as its mutex.

Figure 6

Registry Abuse

It uses the registry to find the default path of “user\%AppData%” by querying the following registry key:

Subkey : “Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders”
Value    : “AppData”

It uses the registry to find the default browser path:

Subkey : “http\shell\open\command”

It also escalates its privilege under Internet Explorer by adding its path to the following registry key:

SubKey : “Software\Microsoft\Internet Explorer\LowRegistry”
Value    : “ms-ldr”
Data     : “%Malware Path%”

Hidden DLL with Multiple Entrypoints (Export & DLL Main) and its Role

It drops its main payload, ntuser.cpl (a DLL file), extracted and decrypted from its ‘data’ section, under a randomly named folder in the retrieved %APPDATA% directory as exemplified below:

USER/%APPDATA%/ {6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5}/ntuser.cpl

The decryption logic used is shown below in Figure 7:

Figure 7

It tries harder to misguide analysis by executing the DLL with multiple entrypoints. Initially with the help of rundll32 it executes the dropped ntuser.cpl using its export function “_4CDFA75B”. This export function “_4CDFA75B” then injects the entire ntuser.cpl to explorer.exe with “DLLMain” as its new entrypoint. Injection technique 1 uses the following APIs:

  • CreateProcessA
  • GetModuleFileNameA
  • CreateFileMappingA
  • MapViewOfFile
  • UnmapViewOfFile
  • ZwMapViewOfSection
  • CreateRemoteThread

Multiple Injections into Explorer.exe

As ntuser.cpl loads into the memory space of explorer.exe, it uses the ‘ZwQuerySystemInformation’ API to get the snapshot of the current running processes. Now ntuser.cpl injects itself to the running processes that have access to ‘CREATE_THREAD & VM_OPERATION & VM_WRITE & QUERY_INFORMATION’ permissions, including explorer.exe.  But, this time with a new entrypoint being one of its functions. Injection technique 2 uses the following APIs:

  • OpenProcess
  • VirtualFreeEx
  • VirtualAllocEx
  • VirtualQueryEx
  • VirtualProtectEx
  • WriteProcessMemory
  • VirtualQueryEx
  • CreateRemoteThread

The latest injected code in explorer.exe now injects code into IExplore.exe, again with a new entrypoint being one of its functions using a similar injection technique to that described above.

These multiple injections are done just to halt the flow of analysis and to use system processes to download malicious content which will not trigger any alert by Anti-Virus Software, including Firewall.

Rootkit Behavior

It injects all system processes when attempting to act as a rootkit by hooking the following APIs, to maintain its stealth status:

  • NtCreateThread
  • NtEnumerateValueKey
  • NtQueryDirectoryFile
  • NtResumeThread

Persistence Mechanism

The latest injected code in explorer.exe also has the task of maintaining its persistence. This is achieved by creating a thread which checks the availability of mutex (MSCTF.Shared.MUTEX.LDR) and if this fails, it adds the following RunOnce entry:

SubKey : “Software\Microsoft\Windows\CurrentVersion\RunOnce”
Data      : “rundll32 “%APPDATA%\{6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5}\ntuser.cpl”,_4CDFA75B”

Hence during reboot, the mutex gets killed and immediately a RunOnce entry is registered to maintain persistence.

Final Injection into IExplore.exe to Act as Downloader

Using IExplore.exe injected code, it checks for internet connectivity every 5 minutes, and if it has access to the internet, it uses ‘URLDownloadToFileA’ to download malicious content from the following URL

“hxxp: / /″

Post downloading it executes the downloaded content using CreateProcessA.

On final analysis this turns out to be just a mere Downloader, with a high level of obfuscation, injection techniques, and Anti-Debugging/Anti-Emulation tricks along with rootkit behavior.

Sample analyzed:

MD5: 6F14315A8875B1CF04E9FDB963E12966
SHA256: B129D92F6C62B7C81B5EF69FA38194AB3886BA7F18230581BC2D241C997F7FA6

Shiv Chand.K
Senior Threat Researcher

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

K7 Computing’s Security Alpha Geeks Introduce Generic Anti-Ransomware Prototype at VB Conference 2015

Friday, October 9th, 2015

So last week, Samir Mody and Gregory Panakkal, security experts from K7 Computing, showcased a generic anti-ransomware framework at this year’s Virus Bulletin International Conference. It garnered quite an excited bunch of fellow security enthusiasts at Prague, Czech Republic, where the conference was held, to listen to the duo talk about this prototype.

This presentation addressed majorly on file encrypting ransomware variants. A demo followed to display the capability of this generic anti-ransomware prototype in defending ransomware through samples obtained from valid sources.

K7 Computing is extremely proud of the team behind the idea to develop a simple solution to thwart complex ransomware menace. This generic framework is on the process of being incorporated into our products, and we are super excited. We also would take this opportunity to thank our readers, for sending ransomware samples requested by them to test our prototype.

For curious souls who want extensive information on this, please find the complete slides here.

Archana Sangili, Content Writer

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Tearing Down the Wall

Thursday, October 1st, 2015

In all likelihood, the ransom note above is possibly what an already overworked IT technician of a corporate network is staring at at this moment. In addition to their woes, IT administrators are now burdened with the task of dealing with Cryptowall; a troublesome breed of malware which until now restricted itself to infecting mostly home users.

With gigabytes of confidential data available on network storage devices & tormented users willing to do whatever it takes to retrieve the company’s data back, life has never been easier for Cryptowall authors. Needless to say, it is only a matter of time before things take a turn for the worse.

To enlighten our users, we have already dissected the infection vector of this category of malware, discussed the possibility of retrieving the original files, advocated that paying the ransom is a bad idea and advised that prevention is better than cure, through blog entries available here and here.

To assist our customers, researchers at K7 Threat Control Lab have come up with reinforcements in this fight against Cryptowall. We have developed a heuristic anti-ransomware prototype which will allow monitoring, identifying and eliminating this menacing enemy based on run-time behaviour.

Samir Mody and Gregory Panakkal from K7 TCL will be discussing this prototype & presenting their paper titled “Dead and buried in their crypts: defeating modern ransom-ware“ tomorrow, the 2nd of October 2015 at the Virus Bulletin International security conference held at Prague.

We hope to see you all there !!

Lokesh Kumar
K7 TCL Systems Manager

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Let’s Get Edgewise

Friday, August 7th, 2015

This article intends to inform the general public about ‘Edge’, the newest browser from Microsoft shipped with Windows 10. It sheds some light on what’s new, what’s changed and why Edge was considered necessary.

It has been more than a week since Windows 10 started hitting users’ PCs; it has however been around for a couple of months via the Windows Insider program as a public beta. Reviews on the operating system have been trending in the tech review sites. Opinions in general have been on the positive side for Microsoft’s la(te)st operating system. One of the features that is generating interest is the new browser “Edge” offered in Windows 10.

Microsoft finally bid goodbye to its ageing browser, Internet Explorer (‘IE’). Antiquated design, interoperability issues and security holes riddled IE, warranting a better, modernized browser. Codenamed as project Spartan it finally shaped up as Edge. Microsoft reworked its browser almost from scratch, borrowing bits of goodness from its competitors while being unique in its own way by having a personal assistant or being able to annotate on webpages and share them; most important of all, though, improvements to security were made.

Security was probably one of the main concerns that pushed Microsoft to reimagine its browser design. So from a security perspective, Microsoft has got rid of its ActiveX support, infamous for its security vulnerabilities. Added to the “gone” list were BHOs (Browser Helper Objects, which went on to be synonymic to toolbars) and VBScript support. Over the years support for these three features caused numerous security headaches for Internet Explorer.

Edge would remain sandboxed from the rest of the Operating System, hence attempting to prevent any malicious scripts or code from affecting the OS itself. SmartScreen introduced in IE8 is also a part of the Windows 10 shell and is supported by Edge. This can filter out phishing sites by performing reputation checks and blocking them out. The new rendering engine would greatly eliminate interoperability problems for web developers, thereby allowing them to devote more time to security and stability.

Most security features that had been an opt-in in IE until now have been made mandatory and will always be on and protecting users. Though Edge looks promising it is a bit rough-edged at the moment. Microsoft is in the process of embracing the extensions model like its competitors, Google’s Chrome and Mozilla’s Firefox, which is said to roll out by the end of this year. Once this is done, Edge would be in a better position to handle the internet; at least way better than IE, one would hope.

A word of caution to our readers; while you may be impatient to upgrade your operating systems to Windows 10, beware of a new wave of spam emails doing the rounds. These are bogus emails offering users a free Windows 10 upgrade; even if you are not a Windows 7 or 8 user (free upgrades are given by Microsoft to genuine Windows 7 and 8 users only). These mails mostly come with a malware of the nasty ransomware category. Microsoft states that users will be informed of the upgrade on their screens and not via emails. Kindly refrain from clicking on such fraudulent emails.

Some images (adapted to suit the article) are courtesy of several sites.

Kaarthik RM
Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: