Large Victim Credential Server Uncovered

malware analysis PDF phishing
Today we analyze a seemingly normal PDF Phishing campaign but it soon leads to a very large victim credential server.
Filename
1.pdf
MD5
529F3E3CB0C3C00E98789540BDD9BFB2
Sample
Download Sample
Video


Details

Due to the large infection chain this malware utilizes, we begin today's analysis with a roadmap. During the course of this analysis, it may be useful to reference this image:



We begin by opening the PDF and are greeted with a familiar phishing message stating our document is secured and we must click the link to view the complete document:


Inspecting the PDF with PDFStreamDumper and clicking Search->URLs reveals that the link will attempt to download 1 of several files from an FTP server. Full credentials for the FTP server are provided in the URL:


Since the malware authors were kind enough to provide their credentials, we can fire up our VPN and log in to their server to poke around and see what else they may be hosting.



The hosted files and directories are dated fairly recently and consist mainly of ZIPs. Downloading the ZIPs reveal Executables with PDF logos and "PDF.exe" extensions.



Executing the extracted EXE unleashes the large infection chain mentioned at the head of the article dumping out 4 executables, 3-4 scripts, 2 FTP credential files, 1 template, and 1 blank picture .

This chain begins by launching one of two batch files "abb1.bat" or "havv02.bat" that will then launch "Adob9.vbs" 


They will also display a 0kb picture "245.jpg" to the user as a distraction:


The only purpose of "Adob9.vbs" is to launch the final batch file "hvv03.bat":


Once we finally reach "hvv03.bat", this is where the main functionality begins. The script will launch an FTP client that it dropped named "Adobeta.exe" and issue commands for it to contact the exfiltration server.


"hvv03.bat" also establishes persistence via the CurrentVersion/Run key.


Further down the script the author retrieves the user's IPCONFIG information and writes it to the file "adip2.klc". It also instructs the dropped file "adbr01.exe" to write the credentials to "011.011":


"adip2.klc" contents:
Next the script will disable firewall rules and set the naming scheme for user dumped credentials with the current date:


Lastly the script will issue FTP connect commands to two instances of "Adobeta.exe":


The "-s" option in these commands instructs the client to read in a preset sequence of FTP commands from the "870.afr" and "sun.afr" files. These correspond to two different logins for the exfiltration FTP server:



If we use the credentials so graciously provided to us, we can login and see what the authors are hosting on the FTP servers. We are presented with a very large repository of user credential records:




Opening one of these files reveals the format in which user credentials are stored:



These credentials are also stored on the local machine in the same directory as all the dropped files: C:\user\current\appdata\local\4Adobe\4low . This directory may change per infection.

The programs responsible for the credential stealing and exfiltration are "Breader.exe", "adbr01.exe", and "adbr02.exe" and all are UPX packed. These seem to be individually targeted for specific browsers (Internet Explorer, Chrome, Firefox) although this is just an assumption as analysis was not performed on these files. Due to the high rate of detection for the EXE's, this article focused on dissecting the large infection chain and uncovering the victim data repository rather than reversing the EXEs.

DROPPED FILES

CCGT-NUEVA RENCA-POWER PLANT-PJT-CHILE-REQUEST FOR QUOTATION.zip
CCGT-NUEVA RENCA-POWER PLANT-PJT-CHILE-REQUEST FOR QUOTATION.exe
245.jpg
abb1.bat
sun.afr
870.afr
launch.vbs
hvv02.bat
hvv03.bat
Adob9.vbs
Adobeta.exe
Breader.exe
adbr01.exe
adbr02.exe
112.112


PROTECTION

There are many VirusTotal results for all stages of this file. Your home antivirus solution should detect the majority of this credential stealer and its variants. Network traffic consists of standard FTP communications.

If your email client or server offers attachment blocking by extension, you may want to block emails sent with .EXE, *.BAT, *.CMD, *.SCR and *.JS. files attached.

Make sure your operating system displays file extensions. This helps to identify the true type of a file in case of dual extension spoofing (e.g. “INVOICE.PDF.EXE” is not displayed as “INVOICE.PDF”).

If you frequently and legitimately receive this type of files, check who the sender is and if there is anything suspicious, scan the message and its attachments with reliable security solution.


CONCLUSION

The focus of this article was on the large infection chain stemming from the initial PDF Phishing file. We have seen a very large uptick in Phishing attempts with very similar text to "your secure document can't be viewed, please click the link" that lead to generic trojans, ransomware, or credential stealing software like this one. Be careful out there.