

I recently came across an interesting sample being spread through Java exploits in the wild which appeared to do nothing more than download some additional credential stealing/account harvesting malware and delete a victim's account information.

Battle.net accounts are also used in other large, popular online games, including Diablo III and World of Warcraft, both of which have substantial online economies built around them where players buy and sell equipment and resources for real currency. It seems the author has a bone to pick with Korean gamers for whatever reason based upon targeting, but my current conjecture is it's probably because of their epic dominance of StarCraft.

The interesting aspect of these particular samples is the use of SourceForge account pages as a means of command and control, in addition to public blog sites. The nationality of the author is speculative, based on Chinese-language resources in the second-stage payloads as well as the username gao200511. gao200511 was used in one of the very first SourceForge C2s, and its associated email address was used to make several posts in association with a well-known Chinese hacking group, Ph4nt0m.

The exploit used an embedded malicious Java applet in the HTML which, upon successful exploitation, executes a binary stored as a byte array within the same page. The binary is written to the user's %temp% folder under the name rund11.exe (the two digits presumably chosen to resemble rundll) and executed. It also tests write permission to the system directory by creating %systemroot%\system32\test.dat, which it deletes afterwards.

Registry keys touched by the binary:

- HKLM\Software\Microsoft\Windows\Help\Help Version (encoded C2)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AhnLab V3Lite Update Process (persistence)
- HKLM\Software\Blizzard Entertainment\\Identity (deleted if present)
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin -> 0 (Vista and above; a value of 0 makes administrators elevate silently, so no UAC prompt is shown)

The Run key in the current user's profile, HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AhnLab V3Lite Update Process, points to %temp%\v3liverun.exe.

The binary employs a simple ordinal encoding to obfuscate C2 information and the names of API functions that would otherwise potentially trigger AV heuristics. A short Python function (given further below) can be used to decode these strings.

Once rund11.exe is executed it checks for Internet connectivity by making a TCP connection to an external host. If successful, the binary then connects to the C2 using standard HTTPS on TCP port 443. It also makes the same request over HTTP using a static Internet Explorer 6 User-Agent:

```http
GET /users/new-world HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR )
Connection: Keep-Alive
Cache-Control: no-cache
Host:
```

Figure 2: HTTP Request to the C2

The page retrieved will look something like the screenshot below. The malware checks the tag within the returned HTML and decodes its string to obtain an additional website to contact. The following Python snippet can be used to decode the command above:

```python
def decode_url(st):
    # 'Y' and 'X' are placeholders for '.' and '/'; every other byte is
    # shifted up by 5, with 'v'..'z' wrapping around to 'a'..'e'.
    out = ''
    for i in st:
        i = ord(i)
        if i == 0x59:
            out += chr(0x2E)
        elif i == 0x58:
            out += chr(0x2F)
        else:
            if i < 0x76:
                new = i + 0x5
            else:
                new = i - 0x15
            out += chr(new)
    return out
```

Figure 3: Python Snippet to Decode Embedded Instructions

Using the decode script above on the string rrrYvkmdghpndxYxjhXuYbda yields the website to contact. The encoded value retrieved from the page is also stored in the registry key HKLM\SOFTWARE\Microsoft\Windows\Help\Help Version. The malware then connects to this website and downloads, decodes, and executes the file z.gif. The z.gif file is actually an executable encoded with a single-byte XOR against the key 0x95 and renamed with a GIF extension.

This particular sample also connected to a second host on TCP port 80 after the initial check-in, using a hardcoded mobile User-Agent:

```http
GET /2013/03/kor.html?m=1 HTTP/1.0
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_1 like Mac OS X; zh-cn) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8B117 Safari/6531.22.7
Host:
Pragma: no-cache
```

Figure 4: Additional HTTP Request Sent by the Malware

This site appears to be some kind of simple counter used by the attackers, as no content resided on the webpage (the ?m=1 query string and mobile User-Agent are consistent with a page on a public blogging platform, in line with the blog-site C2 noted above).

The rund11.exe copies itself to %temp%\v3liverun.exe and deletes itself after successful communication with the C2. It also creates a simple Run key under the name AhnLab V3Lite Update Process in the current user's profile to establish persistence, masquerading as an updater for the Korean antivirus product AhnLab V3 Lite.
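As an added example (not code from the original write-up), the following Python ties the two decoding steps above together: it reproduces the Figure 3 decoder with its comparison operators restored, adds the inverse so the scheme can be checked in both directions, and recovers the single-byte XOR key of a file downloaded under a .gif name by brute force instead of assuming 0x95. The PE header bytes are constructed for the demo and are not a real executable; the function and constant names are my own.

```python
# Added example: the Figure 3 string obfuscation in both directions, plus
# recovery of the single-byte XOR key that disguised the downloaded "z.gif".
from typing import Optional, Tuple

DOS_STUB = b"This program cannot be run in DOS mode"


def decode_url(st: str) -> str:
    """Decoder as published in Figure 3 (with '==' where the page showed '=')."""
    out = ""
    for ch in st:
        i = ord(ch)
        if i == 0x59:          # 'Y' stands for '.'
            out += "."
        elif i == 0x58:        # 'X' stands for '/'
            out += "/"
        elif i < 0x76:         # everything below 'v' shifts up by 5
            out += chr(i + 0x5)
        else:                  # 'v'..'z' wrap around to 'a'..'e'
            out += chr(i - 0x15)
    return out


def encode_url(url: str) -> str:
    """Inverse of decode_url for the alphabet the scheme actually covers:
    lowercase letters rotate down by 5 (wrapping within a-z), '.' becomes
    'Y' and '/' becomes 'X'. Other characters are rejected because the
    published decoder shifts them blindly and they would not round-trip
    (assumption: the malware only encodes lowercase hostnames and paths)."""
    out = ""
    for ch in url:
        if ch == ".":
            out += "Y"
        elif ch == "/":
            out += "X"
        elif "a" <= ch <= "z":
            i = ord(ch) - 0x5
            if i < ord("a"):
                i += 0x1A      # wrap: 'a'..'e' -> 'v'..'z'
            out += chr(i)
        else:
            raise ValueError(f"character {ch!r} is outside the encodable alphabet")
    return out


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 keys and return the one under which the blob looks like a
    PE image: 'MZ' magic at offset 0 and the standard DOS stub text present."""
    for key in range(256):
        plain = xor_bytes(blob, key)
        if plain.startswith(b"MZ") and DOS_STUB in plain:
            return key
    return None


def classify_download(blob: bytes) -> Tuple[str, Optional[int]]:
    """Triage a file fetched under a .gif name: a real GIF carries a GIF87a or
    GIF89a signature; otherwise try to unmask an XOR-encoded executable."""
    if blob[:6] in (b"GIF87a", b"GIF89a"):
        return ("gif", None)
    key = recover_xor_key(blob)
    if key is not None:
        return ("xor-encoded PE", key)
    return ("unknown", None)


# Constructed stand-in for a PE header: 'MZ' magic, padding, DOS stub text.
FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 0x38 + DOS_STUB + b".\r\r\n$" + b"\x00" * 16
# What the malware would fetch as z.gif: the same bytes XORed with 0x95.
FAKE_ZGIF = xor_bytes(FAKE_PE, 0x95)


if __name__ == "__main__":
    sample = "rrrYvkmdghpndxYxjhXuYbda"      # the string quoted in the write-up
    print(decode_url(sample))
    print(encode_url(decode_url(sample)) == sample)
    print(classify_download(FAKE_ZGIF))
```

On a real sample, feed the bytes of the downloaded "GIF" to classify_download; a key of 0x95 with a decoded file that starts with MZ confirms the behaviour described above, and the same loop finds the key when an updated sample changes it.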
