Brief Analysis of Common Adware Downloaders
1 Background
On April 2, 2018, Huawei engineers observed on a FireHunter6000 sandbox that a user at a specific IP address downloaded the same adware from a server more than 1700 times within a few hours. Analysis shows that the adware is a downloader that installs many promotional programs alongside the software the user actually requested. Further tracing shows that most download websites on the live network use similar downloaders. This article therefore briefly analyzes the functions and network flow of the downloader. If there is any error in this article, please point it out.

2 Sample Analysis
MD5: e86362323e0678727024c9733c6d277f
File name: Pythagorea Download@532_2.exe
Strangely, all downloader sample files have the same MD5 value, yet the download hyperlinks they fetch differ. Reverse analysis and testing show that the download hyperlink is selected by the file name. Each downloader file name contains an at sign (@), and the number following @ selects the download hyperlink. If the file name contains no @, WinRAR is downloaded by default.
The program communicates with three IP addresses (120.26.109.229, 123.57.151.113, and 120.76.122.200), all of which belong to Alibaba Cloud. All requests are sent to these addresses, but each plays a different role. The downloader first sends information about the local host to one of them. The payload is as follows:
The server returns a software list in JSON format, which contains the registry path used to uninstall each corresponding program. The downloader then sends a second request to the same IP address, in a format similar to the first, as shown in the following figure:
The server returns JSON data containing a list of promotional URLs and software programs; the lower part holds detailed information about the software the user wants to download. The downloader then requests resources from 103.15.99.41, which also belongs to Alibaba Cloud. These resources make up the download page, which is assembled entirely from network-fetched resources and includes CNZZ access statistics. The download page is as follows: The left part displays information about the requested software; the right part lists promotional software programs. In addition, the program requests the promotional hyperlinks in the background, a behavior that is completely invisible to the user. After the user clicks the quick installation button, the downloader requests the installation package from the corresponding software's official website and saves it to the desktop. At the same time, it downloads and installs the bundled adware in the background; the adware installs without any manual operation. After the download task is complete, adware promotional information is still displayed on the page.
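Two observations from the sample analysis above lend themselves to a triage check: the "@<number>" selector in the file name (with identical MD5s across differently named samples) and the repeated-download pattern on one client that surfaced the sample in the sandbox. The following Python is an added example, not code from the original analysis; the events are constructed for illustration and only the MD5 comes from the article.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed download events: (client IP, ISO timestamp, file name, MD5).
# The IPs, times and names are made up; the MD5 is the one given in the article.
SAMPLE_MD5 = "e86362323e0678727024c9733c6d277f"
EVENTS = [
    ("10.0.0.5", "2018-04-02T09:00:00", "Pythagorea Download@532_2.exe", SAMPLE_MD5),
    ("10.0.0.5", "2018-04-02T09:00:04", "Notepad Download@517_2.exe", SAMPLE_MD5),
    ("10.0.0.5", "2018-04-02T09:00:09", "Pythagorea Download@532_2.exe", SAMPLE_MD5),
    ("10.0.0.5", "2018-04-02T09:00:15", "Setup.exe", SAMPLE_MD5),
    ("10.0.0.7", "2018-04-02T09:30:00", "Reader Download@601_1.exe", "0" * 32),
]

AT_SELECTOR = re.compile(r"@(\d+)")

def campaign_id(file_name):
    """Number after '@' that selects the download hyperlink, or None when the
    name has no '@' (the article says WinRAR is then fetched by default)."""
    m = AT_SELECTOR.search(file_name)
    return int(m.group(1)) if m else None

def polymorphic_names(events):
    """Hashes served under more than one file name. A fixed payload whose only
    variation is the '@<id>' in the name is the downloader's tell."""
    names = defaultdict(set)
    for _ip, _ts, name, md5 in events:
        names[md5].add(name)
    return {md5: sorted(n) for md5, n in names.items() if len(n) > 1}

def repeated_downloads(events, threshold, window_seconds):
    """(ip, md5) pairs downloaded more than `threshold` times inside any
    window of `window_seconds`, the pattern seen on the sandbox."""
    buckets = defaultdict(list)
    for ip, ts, _name, md5 in events:
        buckets[(ip, md5)].append(datetime.fromisoformat(ts))
    hits = []
    for key, times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                hits.append(key)
                break
    return sorted(hits)
```

In practice the threshold would be set from the observed baseline; the article's 1700 downloads in a few hours is far above any normal client.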
Finally, the downloader submits a POST request to one of the three servers mentioned above, reporting the successfully installed software for statistics.

3 Network Topology
4 Source Tracing
Most services are deployed on Alibaba Cloud, with servers distributed across Shenzhen, Hangzhou, and Beijing. No valuable information was traced. It is unclear whether these websites are built by individuals or whether the download websites themselves are hosted on Alibaba Cloud. The domain names of the involved C&C servers have been changed multiple times recently.
The domain names change frequently and vary widely. Starting from these domain names, multiple IP addresses and URLs were found, most of them on Alibaba Cloud; for details, see the IOC appendix. A DLL file was found on one C&C server. Reverse analysis shows that it is capable of starting the iQIYI player on the system; it serves as an auxiliary tool for the adware. Tracing the signature: the downloader carries a valid signature from Suzhou Xingchen Network Technology Co. Ltd.
The company's recruitment information appears on a recruiting website, but the information is not trustworthy: https://www.liepin.com/company/gs4423322/
The company is not found on TianYanCha.com, a commonly used commercial background-check tool in China. A company with a similar name (Suzhou Xingchen Dahai Network Technology Co. Ltd.) is found, which is probably a shell company: https://www.tianyancha.com/company/3168996732

5 Protective Measures
1. Block connections to the C&C servers according to the IOC information provided in the appendix, and block the malicious samples from entering your enterprise network.
2. Do not download software from non-official channels.
3. If suspected malicious files are found, submit them to the Huawei cloud sandbox for detection and make decisions based on the detection results.

Appendix: IOC