Blog

Unicorn Just Got Real: Malware Analysis

November 20, 2014 , and

Analysis of the Dropped Malware

Name: v3k.exe

MD5: 74CE6CB9F8B983297F936936BCABC698

SHA1: B76B514707CD560F973DD66124D2C1101D75078A

SHA-2/256: 11F5F243E07BFD173F8EEC248ADF457540926CD7E0725381DA04C46E8C39A15B

The malware is a little different to that which is typically dropped from regular exploit kits and malware campaigns. The difference lies in the way in which this malware is packaged, and in its method of operation.

The packer used within this malware is NSPack, the malware carries an embedded copy of itself for the purpose of dissemination. It uses the infected host as a zombie machine for traffic generation and clickjacking purposes. It sets up a VBScript to use the FSO (FileSystemObject) ActiveX Object scripting method to load MSXML3.HTTPRequest, which generates the request to obtain a list of IPs for the command and control server(s).

The packager itself contains some tricks, but they are trivial for an experienced user. A considerable amount of fake data is embedded to thwart the reverser or to deter users from examining the contents of the package.

In our opinion, the most interesting aspect of this malware is the change of path in embedding of other scripting engines used to deliver malware – a technique that we believe will become more prevalent. Examples would be embedding Java in a C/C++ application and calling back and forth, or LUA, or even JS embedded as a host engine inside the malware itself and not dropped as a script. Traditional antivirus vendors will have a lot of catching up to do.

Overall, the malware itself is not that complex, nor does it require extensive analysis. It certainly provides good insight into the style and signature of the work, and this style hasn’t been seen much in the wild.

NSS Labs is providing an IDA DB to researchers interested in performing further analysis of the malware. Note that this is not a completely reversed version. We focused on the most important aspects of the malware and provided comments for better understanding. Decompilation should be available inside the IDB as well with the recovered data structure. Some parts of the IDB have not been commented on and were left purely for the reader’s and researcher’s interest.