Looking for Trouble: Windows Troubleshooting Platform Leveraged to Deliver Malware

October 06, 2016
Matthew Mesa, Axel F, Proofpoint Staff

Overview

Proofpoint researchers have uncovered a new technique of attachment-based delivery. In the observed campaign, the attackers abuse a feature in Windows called the Windows Troubleshooting Platform (WTP), intended for troubleshooting problems, to socially engineer the recipients into executing malware.

This attack is particularly effective since execution of WTP is not accompanied by a security warning and users have been conditioned to run the troubleshooter when it appears in Windows. In this case, though, running the troubleshooter leads to the installation of LatentBot [4], a well-documented modular bot used for surveillance, information stealing, and remote access.

Figure 1: Diagram of the Windows Troubleshooting Platform [5]

Analysis

The lure document in this case was delivered as an email attachment, although this technique could be used with any delivery technique for malicious documents. When the user opens the file, they are presented with a document that has a lure asking the user to “double-click to auto detect charset”. If the recipient complies, they are really opening an embedded OLE object. This object is a digitally signed DIAGCAB file, which is the Windows extension for a Troubleshooting pack [1][2][3]. When the crafted pack is opened, the user is presented with another convincingly realistic window (Figure 2). If the user clicks "Next" in this dialog, the application launches the scripts associated with the troubleshooting package. In this case a PowerShell command will be executed to download and launch the payload.

Figure 2: The document lure; note the social engineering convincing the user to double-click and inadvertently launch the OLE object

Figure 3: The code-signed troubleshooting pack; note that the publisher specified by the certificate was uninvolved but rather a valid certificate was compromised and used for delivering this attack

Figure 4: The Troubleshooting Pack downloads the malware payload in the background using a PowerShell script without user awareness

As can be seen in Figures 3 and 4, the troubleshooting package allows customization of the dialog's appearance, actions it performs, and scripts it runs, via XML formatting. For example, XML formatting sets the dialog title “Encoding detection” and specifies the “Troubleshooter” to be a PowerShell script “TS_1.ps1” with following directives:

Figure 5: Diagnostic pack referencing a malicious PowerShell file as a script

The PowerShell script responsible for downloading payload in this campaign is shown in Figure 6:

Figure 6: PowerShell command used to download payload

This method of malware execution bypasses observation by many existing sandbox products because the malicious activity is carried out outside of the msdt.exe binary loading the .diagcab file.  This continues the trend of malware authors seeking new sandbox evasion methods via COM-based non-standard execution flow; previous examples of these methods are WMI, Office Interoperability, Background Intelligent Transfer Service, and the Task Scheduler.  In this instance, via the creation of an IScriptedDiagnosticHost COM object in msdt.exe, the DcomLaunch service starts the Scripted Diagnostics Host (sdiagnhost.exe) which will launch the command shell and PowerShell commands shown above.

The payload in this case is a modular backdoor known as LatentBot [4], analyzed in detail by FireEye in late 2015. During our analysis of this case, we observed the following bot plugins being loaded for exfiltration and remote access:

  • Bot_Engine
  • remote_desktop_service
  • send_report
  • security
  • vnc_hide_desktop

Conclusion

Attackers continue to find new ways to take advantage of built-in Microsoft Windows features in order to provide a seamless and low-resistance process for their victims to execute the intended payloads. In this case the attackers provide a very natural “Windows” experience that could fool even experienced users. In addition, this technique provides an unusual execution chain which bypasses observation by many sandbox products, making detection considerably more difficult.

References:

  1. https://msdn.microsoft.com/en-us/library/windows/desktop/dd323778(v=vs.85).aspx
  2. https://msdn.microsoft.com/en-us/library/windows/desktop/dd323712(v=vs.85).aspx
  3. https://msdn.microsoft.com/en-us/library/windows/desktop/dd323781(v=vs.85).aspx
  4. https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
  5. https://msdn.microsoft.com/en-us/library/windows/desktop/dd323706(v=vs.85).aspx

Indicators of Compromise (IOCs)

IOC

IOC Type

Description

5cb5cfaec916d00dee34eb1b940f99a1a132307efea3a6315c81c82cf7844c91

SHA256

Document

0c3378468fecaf7885f15be0aed9b3a369d4aa66a0b0600c4362defa6997061d

SHA256

Document

ad15caf6071c5da93233a13806077ac82a5f9217d58cc2f3e08338574f5e79af

SHA256

Document

ec079e8946d1109395f230220d5cf9fcb93f98052edfe4eb11fe0da952843653

SHA256

Document

aadaf09aabd2825feb493320b2a1989e776f7dd5aa9f0e3680911bdf0a2cf4c1

SHA256

Document

hxxp://mnmassagetherapy[.]com/wp-content/uploads/2016/04/88th0310_nw.exe

URL

Payload URL

hxxp://vipfarma[.]ru/images/tab/vip_upd/like/zlib.exe

URL

Payload URL

hxxp://mnmassagetherapy[.]com/wp-content/uploads/2016/04/lib.exe'

URL

Payload URL

b8561613832dce2f24b39dedeae3d66d4269f8ca0e8f490a64a1901303b77fcd

SHA256

LatentBot

89.35.178[.]112

IP

LatentBot C2

2021697: ET TROJAN EXE Download Request To Wordpress Folder Likely MaliciousSelect ET Signatures that would fire on such traffic:

2022239: ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
2019714: ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
2020821: ET TROJAN Win32/Hyteod CnC Beacon
2814214: ETPRO TROJAN GrayBird Module Download
2814213: ETPRO TROJAN GrayBird CnC Checkin
2821712: ETPRO TROJAN LatentBot HTTP POST Checkin
2013926: ET POLICY HTTP traffic on port 443 (POST)

ClamAV 0.99 rules

#OleNative DiagCab Specific
MiscreantPunch.OleNativePackageDiagCab;Target:2;(0);006c006500310030004e00610074006900760065*6469616763616200*4d534346*446961675061636b6167652e63617400::iwa

#OleNative Various EXE Extensions
MiscreantPunch.OleNativePackageEXEExt.InsideOLE;Target:2;(0&1&2);006c006500310030004e00610074006900760065;000200;1/\x00\x02\x00[^\x00]+\x00(?:[a-z]\x3a\x5c|\x5c\x5c)[^\x00]*\.(?:c(?:[ho]m|md|pl|rt)|m(?:s[cipt]|d[be])|p(?:yw?|cd|if|s1)|s(?:c[rt]|h[bs])|v(?:b(?:e|s(?:cript)?)?|xd)|a(?:d[de]|sp)|i(?:n[fs]|s[pu]|nx)|r(?:eg|gs|b)|j(?:se?|ar|ob)|3(?:86|gr)|d(?:iagcab|bx|ll)|h(?:lp|ta)|ws[cfh]?|ba[st]|gadget|exe|fon|lnk|ocx|u(?:3p|rl))\x00\x00\x00\x03\x00.{4}(?:[a-z]\x3a\x5c|\x5c\x5c)[^\x00]*\.(?:c(?:[ho]m|md|pl|rt)|m(?:s[cipt]|d[be])|p(?:yw?|cd|if|s1)|s(?:c[rt]|h[bs])|v(?:b(?:e|s(?:cript)?)?|xd)|a(?:d[de]|sp)|i(?:n[fs]|s[pu]|nx)|r(?:eg|gs|b)|j(?:se?|ar|ob)|3(?:86|gr)|d(?:iagcab|bx|ll)|h(?:lp|ta)|ws[cfh]?|ba[st]|gadget|exe|fon|lnk|ocx|u(?:3p|rl))\x00/si