Wekby Malware Elimination Steps



In the past few weeks, we have observed an attack by the Wekby group targeting a US organization. Wekby is a group that has been active for years and targets various industries, including healthcare, telecommunications, aerospace, defense and high tech. The group is known for leveraging newly released exploits shortly after those exploits become available, such as the HackingTeam Flash zero-day.

The malware used by the Wekby group is related to the HTTPBrowser malware family and uses DNS requests as its command and control (C2) mechanism. In addition, it employs a variety of obfuscation techniques to hinder analysis. Based on metadata found in the samples discussed, Palo Alto Networks has named this malware "pisloader".

Infrastructure

The pisloader malware family was distributed over HTTP from the following URL. At the time of writing, this URL was still active.

The file served from that URL was identified as an instance of the widely used Poison Ivy malware family, with the following configuration data:

Command and control address: intranetbabcam[.]com
Command and control port: 80
Mutex: )!VoqA.Domains i5
Password: Administrator

All domains observed in this attack were registered shortly before the operation began. The following domains were used:

Initial Dropper

The following sample was discovered first and is referenced throughout the analysis below:

The following metadata properties are present in this file. The "pisload2" string is what allowed this malware family to be identified and named.

The dropper itself contains very simple code that is responsible for setting a Run registry key, then dropping and executing an embedded Windows executable. Only minimal obfuscation was observed: the authors split strings into short substrings and used calls to "strcpy" and "strcat" to rebuild them immediately before use. They used the same approach to generate garbage strings that are never referenced, most likely to hinder detection and analysis of the sample. The decompiled code below reflects this; comments have been added to show the fully reconstructed strings.

In the decompiled code above, we see that the pisloader dropper builds the following command line, which is eventually executed to create the Run registry key.

cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v lsm /t reg_sz /d "%appdata%\lsm.exe" /f

This command sets the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\lsm to "%appdata%\lsm.exe", so the dropped file is executed at every logon. Once the key is set, the malware decrypts two embedded data blobs using a single-byte XOR with the key 0x54. The decrypted data is written to disk at %appdata%\lsm.exe.

After writing this file, the dropper executes the newly written lsm.exe, which contains the pisloader payload.
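The two artifacts described above, a Run key pointing at %appdata%\lsm.exe and an executable embedded under a single-byte XOR with 0x54, are both straightforward to hunt for. The following script is an added example written for this page, not code from Unit 42 or from the malware: it carves XOR-0x54 encoded PE images out of a dropper by looking for the encoded "MZ" stub whose e_lfanew pointer lands on an encoded "PE\0\0" signature. The sample dropper bytes are constructed inline; the embedded "PE" is a minimal fake header, not a real sample.

```python
"""Carve single-byte-XOR (key 0x54) encoded executables out of a dropper image.

Added example for this write-up; the sample input below is constructed and
the only assumption taken from the text is the key 0x54.
"""
import struct

XOR_KEY = 0x54


def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in blob)


def find_encoded_pe_offsets(image: bytes, key: int = XOR_KEY) -> list:
    """Return offsets where an XOR-encoded PE image starts.

    A hit requires the encoded 'MZ' magic and, at the e_lfanew offset read
    from DOS header field 0x3c, the encoded 'PE\\0\\0' signature. Checking
    both fields avoids false hits on two random bytes.
    """
    enc_mz = xor_decode(b"MZ", key)
    enc_pe = xor_decode(b"PE\x00\x00", key)
    offsets = []
    start = 0
    while True:
        i = image.find(enc_mz, start)
        if i < 0 or i + 0x40 > len(image):
            break
        e_lfanew = struct.unpack_from("<I", xor_decode(image[i + 0x3C:i + 0x40], key))[0]
        j = i + e_lfanew
        if 0 < e_lfanew < 0x1000 and image[j:j + 4] == enc_pe:
            offsets.append(i)
        start = i + 1
    return offsets


def carve(image: bytes, offset: int, key: int = XOR_KEY) -> bytes:
    """Decode from `offset` to the end of the image (the blob length is not
    known from the headers alone, so trailing bytes may need trimming)."""
    return xor_decode(image[offset:], key)


# Constructed sample: a minimal fake DOS header whose e_lfanew (at 0x3c)
# points to a 'PE\0\0' signature at 0x40, followed by filler. This is not
# a real executable and will not run.
FAKE_PE = (
    b"MZ" + b"\x00" * (0x3C - 2)
    + struct.pack("<I", 0x40)
    + b"PE\x00\x00"
    + b"constructed payload body"
)
# The dropper stores the blob XOR-encoded; we wrap it in junk bytes.
SAMPLE_DROPPER = b"\x00" * 16 + xor_decode(FAKE_PE) + b"\x00" * 8


if __name__ == "__main__":
    for off in find_encoded_pe_offsets(SAMPLE_DROPPER):
        decoded = carve(SAMPLE_DROPPER, off)
        print(f"encoded PE at offset {off:#x}, magic {decoded[:2]!r}")
```

On a real dropper, run `find_encoded_pe_offsets` over the whole file and write each carved blob out for further triage; the same scan with a different key catches variants that only change the XOR byte.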

Payload


The following sample was discovered and is referenced in the analysis below:

The payload is heavily obfuscated using a return-oriented programming (ROP) technique together with a number of garbage assembly instructions. In the example below, the code highlighted in red serves no purpose other than to hinder reverse engineering; it can be treated as garbage and ignored. The end of the function, highlighted in green, shows two function offsets being pushed onto the stack, followed by a single return instruction. This first directs execution to a null function, which in turn returns into "next_function". The technique is used throughout the payload's execution and makes static analysis difficult.


Once the obfuscation and garbage code are ignored, the malware itself is actually quite simple. It begins by generating a random 10-byte alphanumeric header. The remaining data is base32-encoded with the padding removed. This data is used to populate a subdomain, which is then used in a subsequent DNS query for a TXT record.

DNS as a C2 protocol has historically not been widely used by malware authors. Notable exceptions include:

  • FrameworkPOS
  • C3PRO-raccoon
  • FeederBot
  • Death
  • PlugX variants

Using DNS as C2 allows pisloader to bypass security products that do not properly inspect this traffic.

Pisloader periodically sends a beacon, whose payload consists of a random 4-byte uppercase string. See the example below:

The malware expects various aspects of the DNS response to be set in a specific way; otherwise pisloader ignores the response. The following DNS flags must be set, and if any additional flags are set, the response is ignored:

  • Response
  • Recursion Desired
  • Recursion Available

The Questions field must be set to 0x1, and the Answer Resource Records field must be 0x1 or greater. In addition, the subdomain in the response's query must match that of the original DNS request.
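To illustrate the DNS channel described above from the defender's side, the following script is an added example for this page, not code from Unit 42 or from the malware. It recognises and decodes query labels of the described shape (10 alphanumeric characters followed by unpadded base32), which is what a DNS log hunt needs, and it applies the response-acceptance rules above (Response, Recursion Desired and Recursion Available set and nothing else, Questions = 1, Answer RRs >= 1, question name matching the request) to a raw DNS packet, so an analyst can tell which responses the implant would act on. The domain "example.test", the header string and the packets are constructed; treating "no additional flags" as the flags word being exactly 0x8180 is an interpretation of the text, not a documented detail.

```python
"""Decode pisloader-style DNS labels and check a response against the
acceptance rules described in the write-up. Added example; all sample
data is constructed."""
import base64
import re
import struct

HEADER_LEN = 10                      # random alphanumeric prefix length
B32_BODY = re.compile(r"^[A-Z2-7]+$")
QR, RD, RA = 0x8000, 0x0100, 0x0080  # DNS header flag bits
EXPECTED_FLAGS = QR | RD | RA        # 0x8180: assumption, "no additional flags"


def encode_label(payload: bytes, header: str) -> str:
    """Build a label of the described shape. `header` is passed in instead
    of generated so the function is deterministic in tests."""
    if len(header) != HEADER_LEN or not header.isalnum():
        raise ValueError("header must be 10 alphanumeric characters")
    return header + base64.b32encode(payload).decode().rstrip("=")


def decode_label(label: str):
    """Return the payload if `label` matches the pattern, otherwise None.
    DNS is case-insensitive, so the base32 body is upper-cased first."""
    if len(label) <= HEADER_LEN or not label[:HEADER_LEN].isalnum():
        return None
    body = label[HEADER_LEN:].upper()
    if not B32_BODY.match(body):
        return None
    body += "=" * (-len(body) % 8)   # restore the stripped padding
    try:
        return base64.b32decode(body)
    except ValueError:
        return None


def parse_question_name(packet: bytes, pos: int = 12):
    """Read the uncompressed QNAME that follows the 12-byte header."""
    labels = []
    while pos < len(packet):
        n = packet[pos]
        pos += 1
        if n == 0:
            return ".".join(labels)
        if n & 0xC0:                 # compression pointer: not expected here
            return None
        labels.append(packet[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return None


def response_accepted(packet: bytes, requested_name: str) -> bool:
    """Apply the acceptance rules from the text to a raw DNS response."""
    if len(packet) < 12:
        return False
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", packet)
    if flags != EXPECTED_FLAGS or qdcount != 1 or ancount < 1:
        return False
    qname = parse_question_name(packet)
    return qname is not None and qname.lower() == requested_name.lower()


def build_response(qname: str, flags: int = EXPECTED_FLAGS,
                   qdcount: int = 1, ancount: int = 1) -> bytes:
    """Construct a minimal TXT response for testing (not captured traffic)."""
    header = struct.pack("!6H", 0x1234, flags, qdcount, ancount, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question += b"\x00" + struct.pack("!HH", 16, 1)   # QTYPE TXT, QCLASS IN
    txt = b"\x0bconstructed"                           # one TXT string
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(txt)) + txt
    return header + question + answer


BEACON_LABEL = encode_label(b"ABCD", "a1b2c3d4e5")   # -> "a1b2c3d4e5IFBEGRA"
QUERY_NAME = BEACON_LABEL + ".example.test"            # constructed domain

if __name__ == "__main__":
    print(QUERY_NAME, "->", decode_label(BEACON_LABEL))
    print("accepted:", response_accepted(build_response(QUERY_NAME), QUERY_NAME))
```

For hunting, run `decode_label` over the first label of every TXT query in passive DNS or resolver logs: labels that decode cleanly to short printable payloads behind a 10-character prefix are worth a closer look, and `response_accepted` shows which sinkholed or captured responses would actually have been processed by the implant.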
