----- ## ASEC REPORT #### VOL.95 [Q2 2019] ###### ASEC (AhnLab Security Emergency Response Center) is a global security response group consisting of malware analysts and security experts. This report is published by ASEC and focuses on the most significant security threats and latest security technologies to guard against such threats. For further details, please visit AhnLab, Inc.’s homepage (www.ahnlab.com). ###### SECURITY TREND OF Q2 2019 ###### Table of Contents ----- ----- ###### Security Issue ### Scheming the Android Malware Related to Cryptocurrency ###### The emergence of cryptocurrency in 2008 made a huge impact on malware. It resulted in the creation of malware related to cryptocurrencies. Cryptocurrency malware exists for various operation systems, but this report looks into the malware designed specifically for Android. Android cryptocurrency malware can be divided into three main categories: Cryptojacking malware for mining cryptocurrency without the user's knowledge, FakeWallet malware that disguises itself as a cryptocurrency wallet, and Clipper malware that intercepts and swaps wallet-related information from the clipboard. Figure 1 | Total malware detected by IRIS using three aliases (until 2019.04.12) ----- ###### Figure 1 shows the changes in the number of the Android Cryptojacking malware. The graph seems to be directly proportional to the price of Bitcoins shown in Figure 2. Figure 2 | BTC chart provided by CoinMarketCap ###### Based on this, we can expect a rise in the number of cryptocurrency-related malware if the cryptocurrency market continues to expand. The next part shows charactersitics of cryptocurrency related malware. Type 1: Cryptojacking Cryptojacking is a malware for Android and is being detected by AhnLab under three aliases, including Android-PUP and CoinMiner. This type of malware secretly uses the infected device for coin mining. It uses significant CPU power and slows down the mobile usage. The malicious code, a miner, shown in Table 1, was embedded in a game called Bug Smasher. Once the game starts, there is a sudden increase in CPU usage as shown in Figure 3. ----- ###### The user is made to believe that this is a genuine game application while the mining secretly takes place in the background. Figure 4 | Screenshot of Bug Smasher ----- ###### The mining methods used by cryptojacking are mainly the native function of the SO file or calling the JavaScript API. The native function of the SO file can be used to run without a user's recognition, because the thread runs as a service type when loaded. Figure 5 | Native function in the SO file ###### The JavaScript API has a code for mining coins in the JavaScript file, as shown in Figure 6. Figure 6 | Code that calls the JavaScript file from the internal html file ###### Coinhive, which is one of the best-known mining services that uses JavaScript, stopped services from March 8, 2019.(https://coinhive.com/blog/en/discontinuation-of-coinhive) However, the end of Coinhive does not necessarily mean the JavaScript mining method is finished. Bad Packets Report 2018 indicated that 81.6% of the detected Cryptojacking malware used Coinhive, but other services also accounted for 18.4%.(https://badpackets.net/ ----- ###### how-to-find-cryptojacking-malware/) Other services included CoinIMP and Crypto-Loot. It is likely that these services will be used for cryptojacking malware. Type2: FakeWallet FakeWallet is currently being detected as V3 alias Android-Trojan/FakeWallet. This malware pretends to be a wallet application for cryptocurrency. Label BTC Blockchain Wallet Package name com.appybuilder.amal_zaki_meka212.BitcoinWallet MD5 2778b8493e0e71e5aa3cf70e3bb2a3d0 Table 2 | Information of BTC Blockchain Wallet malware ###### The application in Table 2 seems to be generating a new wallet address, but it creates a wallet address as shown in Figure 7 that is assumed to be the address of the attacker. The same wallet address is created no matter how many times the wallet is created from different devices. And the transactions that follow lead to the transfer of coins to another wallet address. Figure 7 | Address provided by the malicious application ----- ###### By tracking the above address, it showed that there were 8 transactions to transfer the total amount received on the wallet, 0.5 BTC, to other wallets. Another method of FakeWallet is to impersonate an existing cryptocurrency wallet and get the user to enter their private key. This is shown on Table 3. Label MyEtherWallet Package name com.myetherwalletproject MD5 3f85490f886755b6e1bdeaa4be1f70a4 Table 3 | Information of MyEtherWallet malware ###### MyEtherWallet (MEW) is the most widely used Ethereum (ETH) wallet. This is why there are many malware programs impersonating MEW. The fake MEW application appears to be genuine, as shown in Figure 8, and asks for the user's private key in order to log in. ----- ###### Once a user enters the wallet address and the private key and taps on the LOG IN button, an "invalid address" message appears while the values input by the user are sent to the attacker. 3. Type 3: Clipper type Clipper is currently being detected as V3 alias Android-Trojan/Clipper. It monitors the clipboard on the infected device and checks for a user’s wallet information. Once detected, it sends the information to the attacker and tampers with the address that the user has pasted. This malware was created with the notion that most users are more likely to copy and paste their wallet addresses due to the complexity. Label Intim Package name clipper.abcchannelmc.ru.clipperreborn MD5 85247d1102958d138462137d61fd901a Table 4 | Information of Intim malware ###### An example of a clipper is the Intim application shown in Table 4. This malicious app hides the app icon on the infected device. Once the user taps on the icon, it shows a message saying: "Not supported on your device and deleted." It makes the user to think that the application has been deleted, while it actually runs in the background. Then it monitors the clipboard. Once the characteristics of a wallet are detected, it sends the wallet information to the attacker's server. For example, a Pay-to-PubKey Hash (P2PKH) format of BTC wallets can be distinguished by its characteristics, such as starting with the number 1, and a Pay-to-Script Hash (P2SH) format can be distinguished by starting with a 3 and having a length between 25 and 35 characters. ----- ###### An ETH wallet address can be distinguished, as it starts with “0x” and consists of a 40-digit hex string. After the Intim malware sends the address detected from the clipboard to the server, it receives the fake wallet address. Here, the received wallet address replaces the user's address using setText() within change(). (Currently setText() is deprecated and use of setPrimaryClip() is recommended.) The malware in Table 5 also switches the wallet addresses in a similar way. Label MetaMask Package name com.lemon.metamask MD5 d26881cb84d71cc062e200f6e74e8e31 Table 5 | Information of MetaMask malware ###### The MetaMask malware also detects the BTC address format and the ETH address format in a similar manner to the malware above. When an address is detected, it uses the setPrimaryClip() method to change the clipboard information to the wallet address of the attacker. The difference with the Intim malware is that MetaMask does not send or receive data from the server but uses a fixed address to replace the user's address. 4. Conclusion Users are advised to take a cautious look into the services that allow for the easy mining of cryptocurrency, and those using JavaScript in particular. Until now, most of the cryptojacking malware has been related to Coinhive. Now, new types of malware can appear using the APIs ----- ###### of CoinIMP Crypto-Loot, following the closure of the Coinhive service. So users must take into possibility that any APIs found on the service may be a cryptojacking malware. Also, as we have already seen in FakeWallet or Clipper, and sometimes attackers use a fixed address. These can be used as indicators of compromise (IOC). And it can be determined to be malicious if evidence of such text strings is found. Other information that is used by attackers can also be used as IOC, including the domain of the attacker. 5. Reference https://coinmarketcap.com/currencies/bitcoin : BTC price graph https://coinhive.com/blog/en/discontinuation-of-coinhive : Coinhive blog page. Declaration of official shutdown https://blockchain.com : Provide cryptocurrency transaction information https://badpackets.net/how-to-find-cryptojacking-malware/ : Services frequently used in cryptojacking https://en.bitcoin.it/wiki/Address : BTC address format ----- ----- ###### ANALYSIS-IN-DEPTH ### Analysis Report on Tickusb ###### USB flash drives are widely used data storage devices which replaced the floppy disks that came before them. USB flash drives are used not only by individuals, but also in companies and institutions. They are mainly used to move data and systems that are not connected to a network due to internal security policy. Secure USB flash drives are used to encrypt and save data in places that handle sensitive information. However, Secure USB Flash Drives cannot guarantee the safety of the user's system. If the system is compromised with malware, information can still leak from the secure USB flash drive when the files are opened. As the use of USB flash drives increase, more and more malware creators are leaking data saved in their drives or using the USB flash drive as a propagation path. The group called Tick, which targets companies and institutions in South Korea and Japan, has also created a malware called Tickusb that infects the system via the USB flash drive and steals internal information and has been active since of 2014 – which might be created in 2012. This report is an analysis of Tickusb, a malware designed to steal information from USB flash ----- ###### drives and spread malware. Attacks using Tickusb Tickusb is a malware that was produced by the Tick Group for the purpose of extracting information from a USB flash drive. It was distributed from the spring of 2014 to November 2017. (The Tick Group has been active since 2008. So it is possible that there are other malware that has yet to be discovered.) Some variants of Tickusb exist as stand-alone files, but most consist of DLL and EXE files. The malware is executed as a DLL file. To induce loading of the malicious DLL file, it alters a normal EXE file or disguises itself as a CRYPTBASE.dll, which is the DLL file required to load genuine programs. So, Tickusb is executed not when the PC starts but when a certain program is opened. When the malicious DLL file is executed, it creates a log file in a specific path and checks the USB flash drive connection. If a USB flash drive is connected to the system, it executes the malicious EXE file and downloads additional files. A malicious EXE file performs slightly different functions depending on the variant, but generally collects file information within a USB flash drive. Some variations modify the EXE file in the USB flash drive if it exists. If you insert a USB flash drive with a tampered file into another system and run the modified EXE file, the computer is also infected with Tickusb. ----- ###### The major attacks using Tickusb began at least as early as the spring of 2014. |First Detection|File Content|Description| |---|---|---| |2014.3|?.exe|Assumed to be created in Sept 2012. In 2018, Unit 42 first released their analysis. It is assumed that it is an early version of Tickusb with very different codes for other Tickusb variants.| |2015.4|CRYPTBASE.dll|Assumed to be created in December 2014. Independent DLL type. Collect system information and file information within the USB flash drive.| |2015.6|BrStMonW.exe, BrWeb.dll, wsmt.exe|Alters the BrStMonW.exe file associated with the Brother printer and loads the BrWeb.dll file. Downloads the msupdata.exe file. Alters the EXE file within the USB flash drive and patches the ALYAC25.exe file.| |2015.6|CRYPTBASE.dll, svcmgr.exe|Assumed to be created in February 2015. Checks for a specific secure USB connection. Alters the EXE file within the USB flash drive and patches the ALYAC25. exe file.| |2015.7|?.dll (Unconfirmed), ctfmon.exe|Assumed to be created in Sept 2014. Alters the EXE file within the USB flash drive and patches the ALYAC25.exe file.| |2015.7|CRYPTBASE.dll, svcmgr.exe (Unsecured)|Assumed to be created in November 2014.| |2016.10|Wincrypt.dll, wsmt.exe (Unsecured).|-| |2017.01|Wincrypt.dll, wsmt.exe (Unsecured).|-| |2017.11|Wincrypt.dll|Independent DLL type.| Table 1 | Major attacks using Tickusb ----- ###### The changes to Tickusb are as follows. Figure 2 | Tickusb evolution ###### Early versions were produced before spring 2014 and a variant with the file name cryptbase. dll appeared in 2014. In September 2014, a variant was created that modifies the EXE file in a USB flash drive. In 2015, a variant of the DLL files and EXE files was created. In early June 2015, an external tool was used to patch the files on the system to load malicious DLLs. From October 2016 to November 2017, it changed the filenames to wincrypt.dll. Stage 1 – Dropper, Downloader, Patcher The downloaders and droppers associated with Tickusb have been identified, but no specific infection methods, such as emails, have been identified. However, the comparison of the altered code of the installation file altered by a dropper and the file within the USB flash drive showed by some of the droppers were EXE files altered by Tickusb. The attacker did not automatically run Tickusb malware upon booting, but only when certain files were executed. It makes difficult for the user to discover the malware. 1. Dropper The report from Unit 42 describes that there are several droppers associated with Tickusb. 1 (https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives target-air-gapped-critical-systems) ----- ###### Aya.exe (b76d2b33366c5ec96bc23a717c421f71) is a Go game file. If executed, an initial version of Tickusb (6f665826f89969f689cba819d626a85b) is created in the temporary folder. AhnLab collected Aya.exe file in March 2014. Figure 3 | Aya.exe execution screen ###### The Secure Unlock win.exe file (bb8c83cfd133ab38f767d39605208a75) started to attack the users from early June 2015. It altered normal programs and created the wsktray.exe file (3c6e 67fc006818363b7ddade90757a84) in the temporary folder. When generating the file, it adds a garbage data at the end of the filename to have a filename of more than 34 megabytes in length. The file generated is a Bisodown variant that downloads other malware. Portable SecretZone.exe (dbc10f9b99cc03e21c033ea97940a8c2), pNDPS(V2.11).exe (c865b 83a2096642b0de3e2880e63ab0e), NEW_GOMPLAYERSETUP.exe (0a4bec5fc88406d126aa1 06a7c0aab87) create the same Bisodown variant (e470b7538dc075294532d8467b1516f8). Among these droppers, SecretZone.exe and pNDPS (V2.11) .exe files appear to be infected by ----- ###### the Tickusb variant. 2. Downloader - Ghostdown A variant of the Ghostdown malware (4868fd194f0448c1f43f37c33935547d, 62ee703bbfbd5 d77ff4266f9038c3c6c) was found on a system infected with Tickusb. Ghostdown is a downloader that was discovered in February 2013 and was active up until February 2018. In Ghostdown, key strings such as APIs and connection addresses are encrypted. Its initial version had applied encryption to addresses and key strings with the XOR 0xDF key. The initial Ghostdown variant used www.poi.cydisk.net and www.kot.gogoblog.net as the C&C server, all of which were created with the www.dnserver.com service. The C&C address of the Ghostdown variant found in the Tickusb infected system in 2016 used the cloud service at www.memsbay.com:443. Figure 4 | Decrypted C2 text strings ###### 3. Patcher - iff.exe The iff.exe (e84f29c45e4fbbce5d32edbfeec11e3a) file alters the EXE file to run a specific EXE file or to load a specific DLL file. This file is found in the Tickusb infected system and is ----- ###### assumed to be a file that is additionally installed once the attacker infiltrates the system. The iff.exe file takes the file alteration, file to be altered, the DLL file to load or run as arguments. Figure 5 | Execution screen of Iff.exe ###### The -b option modifies the executable file by adding an executable file to be run. The -l option alters the target EXE file to load the specific DLL file. The EXE file altered as Iff.exe contains the infection identification string ".texe." Figure 6 | Patch content by iff.exe - 1 ###### It changes the jump command on the entry point of the program so that the command added by iff.exe is executed first. ----- ###### The code added with the -b option is used to obtain the required API address. Then it reads the executable file at the end of the altered file in the temporary folder (% temp%) and the entire executable file to create and run a temporary file. This is for the purpose of adding a downloader for downloading another malware. Figure 8 | Coded added by iff.exe -b ###### At the end of the altered file is an executable file that is run by MZ. Therefore, the total file length increases by the length of the file added to the end of the file. ----- ###### The -l option overwrites the code that finds a blank area in the target EXE file and loads the specified DLL file. Therefore, if there is not an empty area that provides as much space as is needed, file alteration does not occur and the file length of the target EXE file does not change even if file modulation occurs. 4. Tickusb Loader - BrStMonW.exe The attacker used the iff.exe file on June 1, 2015 to patch Brother's BrStMonW.exe file (d536f 5f929ddd2472a95f3356f7d835c) so that the malicious BrWeb.dll file can be loaded if the file runs. The entry is modified so that the code address (in this case 0x004972EF) added by the malicious code is executed first. ----- ###### The arbitrary code is written in the empty area of the file, the file length does not change even after file alteration. Figure 11 | Modified BrStMonW.exe ###### The code added by iff.exe loads a specific DLL (in this case, BrWeb.dll) into memory. ----- ###### Therefore, Tickusb runs only when the printer is used, making it difficult for users to suspect malware infection. Since a patcher program exists like iff.exe, the attacker can select one of the programs in the system after infiltrating the system to run additional malware. Stage 2 – Tickusb Tickusb is usually made up of a DLL file plus an EXE file, but some variants contain a single DLL file or an EXE file. The DLL file checks for a USB flash drive connection. If connected, it runs the malicious EXE. The malicious EXE file takes the role of altering the executable file within the USB flash drive. 1. Tickusb DLL The malicious DLL file used names like BrWeb.dll, CRYPTEBASE.dll, and wincrypt.dll. The CRYPTEBASE.dll file is a file embedded in Windows that provides password-related functions. Tickusb has the same file name as CRYPTBASE.dll and has the same export function as the ----- ###### genuine CRYPTBASE.dll file. A program with a password feature can load the CRYPTBASE.dll file when it is run, so a program that loads malicious CRYPTBASE.dll is expected to use the password feature. Tickusb acts as a loader and contains strings such as the name of the log file to be executed, the path of the EXE file to be executed, and the type of the drive. The CRYPTBASE.dll (bcb56ee8b4f8c3f0dfa6740f80cc8502) found in April 2015 is a DLL only type and no additional EXE file exists. When executed, it creates a Credentials. dat file. It deletes the C:\\WINDOWS\\system32\\CatRoot\\{375EA1F-1CD3-22D3-7602 00D04ED295CC}\\TAG file and collects system information with files like netstat.exe. Then it checks whether VPN_Cliend.exe, incorrectly spelt as Cliend and not Client, and IPPEManager. exe exist in the process. The BrWeb.dll (9b31a5d124621e244cede857300f8aa6) file found in June 2015 was found in the path, C:\Program Files(x86)\browny02\brother C:\Program Files (x86)\ControlCenter4, by disguising as a Brother printer related file. It patched the BrStMon.exe file and loaded it until it was executed. When the BrWeb.dll file is run, it creates a log file in %USERPROFILE%\ AppData\Roaming\Microsoft\Credentials\Credentials.csv. Then it creates a Mutex (WinsMutexIII) and multiple threads. The first thread (0x10004774) runs the file C:\WINDOWS\System32\migration\WSMT\wsmt.exe if a USB flash drive is connected. The second thread (0x100045cd) reads the file C:\Windows\schemas\ AvailableNetwork\basev1.xsd and finds uses FindWindow to search processes. The details of ----- ###### the basev1.xsd file are not yet confirmed. The third thread (0x100035f0) gets the system date, and if it is Monday and Thursday, it downloads the file from http://update.saranmall.com/ script/main.html and creates and runs the MSUPDATA.EXE file. The msupdata.exe file is a file name that is often used by the Tick group for the downloader. The filename was changed to wincrypt.dll after October 2016. This variant was not discovered until November 2017. 2. Tickusb EXE The EXE file Tickusb has filenames like cftmon.exe, svcmgr.exe, wsmt.exe, etc. It collects the file list in the USB flash drive or alters the EXE file. Within the EXE file are the text strings related to the file infection, and the text strings related to the log of the USB flash drive. The variant found in June 2015 (29875836605c26f7c78fc91bb2cff95d) has an additional feature to collect file information within the USB file drive and alter the EXE file. Some variants find and alter the EXE files on USB memory. And it adds a specific system file (e.g., C:\Windows\AppPatch\Custom\Custom64\apihex.dat) to the end of the found EXE file. However, the apihex.dat file has yet to be analyzed. ----- ###### Some Tickusb discovered between 2012 and 2014 read and execute data from a specific area of a USB flash drive if a certain secure USB flash drive from a Korean company is connected. The code used for the USB flash drive has yet to be confirmed. This type of attack is not common and is assumed to be aimed at attacking a system on a separate network. Stage 3 – Modified EXE Tickusb variant finds and alters EXE files in USB flash drives. The entry points of the files are edited to run specific code so that an executable file is created at the end of the file for execution. Unit 42 released a report in 2018 where the droppers Portable SecretZone.exe (dbc10f9b99 cc03e21c033ea97940a8c2) and pNDPS(V2.11).exe(c865b83a2096642b0de3e2880e63ab0e) created the same downloader (e470b7538dc075294532d8467b1516f8). The Tickusb variant found in June 2015 finds the EXE file from the USB flash drive and appends the contents of the C:\Windows\AppPatch\Custom\Custom64\apihex.dat file to the end of the EXE file. The code in the altered EXE file is similar to the code in the file known as the dropper in the Unit 42's report. Therefore, it is highly likely that these files have been altered by the Tickusb variant and not the dropper. ----- ###### The method for infection identification is also similar. EXE files altered by the Tickusb contain .texe within the code. The file (b76d2b33366c5ec96bc23a717c421f71) that drops the early version of Tickusb found in March 2014 contains .ext within the code. Figure 14 | Infection identification string of Initial Tickusb Dropper ###### Therefore, it is highly likely that these files have been altered by the Tickusb variant, not the dropper. ----- ###### Additional Installation Files Keyloggers, port scanners, mimikatz, and ARP spoofers were discovered on the system infected with Tickusb. 1. Keylogger Type C Keyloggers have been found in some of the Tickusb infection systems. This variant was discovered from April 2017 until February 2018. The typical file names for keyloggers include apphelp.dll, linkinfo.dll, and netutils.dll. The key content entered by the user is stored in a file such as debug.log. 2. ARPSpoofer – hwp70.exe The hwp70.exe file (026ae46934eca5862db4dfc8c88c720a) was found in the Hangul folder (C:\HNC\Hwp70) of a Tickusb infected system. The attacker masqueraded as Hancom's Hangul related file. The hijack causes APT spoofing. It is presumed to be aimed at infecting other internal systems. Figure 15 | Execution screen of the hijack ----- ###### 3. ScanLine – l.dat In 2016, the attacker used ScanLine, a port scanner, from Foundstone which has now been acquired by McAfee. The file (a353b591c7598a3ed808980e2b22b2a2) was used on many systems and the filenames used included msp.exe, ls.tmp, and sl-p.exe. Figure 16 | Execution screen ScanLine ###### 4. Mimikatz – mi.exe, mi2.exe The attacker used mimi 2.1 (3fe76cf644e045b8620d577c2366630a) and mimi 2.1.1 (b108df0 bd168684f27b6bddea737535e) variants of the mimikatz variant on the infected system. The filenames used included mi.exe and mi2.exe, which is mainly used by the Tick group. Figure 17 | Execution screen of mimi 2.1 ----- ###### AhnLab’s V3 products detect the Tickusb malware under the following aliases: HackTool/Win32.Hijack HackTool/Win32.Mimikatz HackTool/Win32.Tickpatcher Trojan/Win32.Agent Trojan/Win32.Homamdown Trojan/Win32.Loader Trojan/Win32.Tickusb 7. IoC (Indicators of Compromise) |Major files|Col2|Col3| |---|---|---| |apphelp.dll|BrWeb.dll|CRYPTBASE.dll| |igfext.exe|linkinfo.dll|msupdata.exe| |svcmgr.exe|wincrypt.dll|wsmt.exe| ----- |Hashes (md5)|Col2| |---|---| |Downloader : Bisodown|| |3c6e67fc006818363b7ddade90757a84|e470b7538dc075294532d8467b1516f8| |Downloader : Ghostdown|| |4868fd194f0448c1f43f37c33935547d|62ee703bbfbd5d77ff4266f9038c3c6c| Tickusb |Col1|Tickusb|Col3|Col4| |---|---|---|---| |15e72d83caaf1fe9e72e72b633ec5dfb|16572393021beea366679e80cc78610c||29875836605c26f7c78fc91bb2cff95d| |46c9fb12187c08f9da3429c047a41fd8|4aadf927e5c2aa43b90d4b830c331a69||599c4110aed58aa75d2322b4232a6855| |6f665826f89969f689cba819d626a85b|9b31a5d124621e244cede857300f8aa6||ad33da0d9507e242eb344b313454cea9| |bcb56ee8b4f8c3f0dfa6740f80cc8502|ca99ea5f1ece7430243d8322445d1a1c||dfba5e8019be5e400d53afeba83d6d93| |Keylogger|||| |220bf51185cd7ccc0aa64229c434ce1a||27dbf927e85e00f14ee9be56711a5246|| |7f98ff2b6648bd4fe2fc1503fc56b46d||b79ef5a004e26c3d491eca895c59fb86|| Tools |Col1|Tools|Col3| |---|---|---| |026ae46934eca5862db4dfc8c88c720a|3fe76cf644e045b8620d577c2366630a|a353b591c7598a3ed808980e2b22b2a2| |b108df0bd168684f27b6bddea737535e|e84f29c45e4fbbce5d32edbfeec11e3a|| ###### Domains, URLs and IP address 127.0.0.1/jscript/timepill.html pre.englandprevail.com/km/news/index.htm update.saranmall.com/script/main.html www.memsbay.com:443 8. References [1] Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems (https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives target-air-gapped-critical-systems) ----- -----