Thursday, October 4, 2012

Blackhole & Cridex: Season 2 Episode 1: Intuit Spam & SSL traffic analysis

The other day, I received another spam email, this time supposedly from Intuit. Since I know that Blackhole2 is now directing to Bugat/Feodo/Cridex banking malware, I wanted to look more closely and see what might be new.  The "Intuit" email looked like this, and similar text context is shown below:

Dear xxxxxxx,
 Great News! Your order, QG673260, was shipped today (see details below) and will complete shortly. We hope that you will see that it suit your needs. If you requested multiple products, we may ship them in separate boxes (at no additional cost to you) to ensure the fastest possible delivery. 
We will also inform you with the ability to track your parcels via the instructions below.
Thank you for your order.
ORDER DETAILSOrder #: QG673260Order Date: Sep 25, 2012
Item(s) Requested In Your Shipment
Shipping Date: October, 1 2012Ship Method: TNT
Estimated Delivery Date: October, 3 2012 - October 05, 2012
Tracking No.: 8178101777788272988726

The prolific Cutwail spambot sent the spam email with a lure URL of:

This URL path construction has been used as a redirector to Blackhole exploit sites carried by the popular LinkedIn spam runs, as well as others. For example the following URLs have been used by Blackhole:


My downloaded "croconfrm.html" contained the following:
</script><noscript><meta http-equiv="refresh" content="0; url=hxxp://"></noscript>

Note: If you attempt to simply wget the php file from a Blackhole2 kit, you will most likely just receive back a harmless dummy file.  BH2 needs a "referer", and only one request per IP address. In this case, a simple fetch of the php yielded this:

Note the difference when the link is followed via a fresh IP address, and tracked via an intercepting proxy:

I'll make this file available for download at the bottom of the post and leave the decoding as an exercise for the reader. In the meantime, the BH2 kit served up two exploits for me. The first was a PDF file with an MD5 hash of  2d0932026e5a4791ed6fac44df22f91c and report seen here  The second file was a PE32 executable with MD5 hash value of 06c6544f554ea892e86b6c2cb6a1700c and the VirusTotal report here.

PDF file dropped from ''
executable file dropped from ''

Once my test system became infected, it did a DNS query for, which was offline. It then queried for which succesfully resolved to

At that point, my infected host established an HTTPS connection with: hxxps://

DNS queries and beginning of SSL session.
Examining the traffic via Wireshark or similar will yield no joy as the traffic is SSL encrypted. However by using an intercepting proxy as I described in my post "Decoding malware SSL using Burp proxy", I was able to examine the traffic between my infected host and  The first response off the server was very interesting as it contained a large number of references to financial institutions and login URLs, as well as injection code.  This is a much larger list than I saw in my last Cridex analysis, plus the injection code was very comprehensive and again covered a large number of institutions. A snippet of the decoded SSL session is seen below:

SSL Server response
There were several additional POST requests to where it appears that my host's process lists, cookies, bookmarks, form history, and shared objects were sent to the remote server.

A snippet of this decoded traffic is seen below:

SSL Traffic indicating POST of shared objects
 At this point, a message window popped up on the host asking if "I was sure I wanted to navigate away from this page". Selecting "Yes" took me to legitimate


 I suspended my infected virtual machine soon after the SSL traffic to appeared to pause and decided to see what some quick Volatility analysis would yield.

Running 'psscan' against the suspended memory image yielded the output below:

'psscan' output
 Note that there are several unusual processes, notably:

PID 1100 - KB00647877.exe - Terminated
PID 1800 - KB00647877.exe - Terminated
PID 1472 - POS4C.tmp - Terminated
PID 1220 - cmd.exe - Terminated

While 'cmd.exe' is not typically considered an unusual process, note the creation and exit times of this instance are identical, also the parent ID of this process is 1472, "POS4C.tmp".
Examining the network connections via 'connscan', we see the following:

Connections to remote hosts
 Note that PID 1492, 'explorer.exe' showed an established connection to, which is what we noted earlier as being the IP address of  PID 1492 also showed a connection to, which courtesy of Internet Systems Consortium (ISC) Passive DNS, is seen to be associated with the following domain names:

  I next dumped the VAD segments of PID 1492, 'explorer.exe' in order to examine anything associated with these domains and banking URLs.  Running 'strings' on the dumped VAD segments and searching for '' allowed me to locate this string in "explorer.exe.2228418.0x00090000-0x0018ffff.dmp".  I then ran 'strings' on that entire segment and was able to see the same banking URLS and injection scripts that I noted in the SSL stream.

Strings extracted from VAD segment of 'explorer.exe'

Strings extracted from VAD segment of 'explorer.exe'

It's also interesting to learn if these domains appear in any other processes.  The 'yarascan' plugin is excellent for string searching when you know what you are looking for. From the Volatility command reference:  "This plugin can help you locate any sequence of bytes (like assembly instructions with wild cards), regular expressions, ANSI strings, or Unicode strings in user mode or kernel memory."

Running the 'yarascan' plugin against this memory image indicates that the "" domain string is also seen in PID 1056, 'svchost.exe'.  I then dumped the VAD segments of this process for further analysis.

'yarascan' indicating string hit in 'svchost.exe'

 Domains and IP addresses

 There were a number of domains and IP addresses seen in this analysis. Again, courtesy of Internet Systems Consortium (ISC), trusty 'whois', and some other tools:
Domain ID:D45959608-LRMS
Created On:28-Mar-2012 20:08:39 UTC
Last Updated On:27-May-2012 20:39:14 UTC
Expiration Date:28-Mar-2013 20:08:39 UTC
Sponsoring LLC (R171-LRMS
Name Server:NS1.EQVIA.COM
Name Server:NS2.EQVIA.COM

first seen 2012-10-01 14:58:21 -0000
last seen 2012-10-03 00:13:02 -0000 A

Whois Server:
Referral URL:
Status: ok
Updated Date: 27-sep-2012
Creation Date: 17-sep-2012
Expiration Date: 17-sep-2013

first seen 2012-10-01 13:54:08 -0000
last seen 2012-10-01 17:34:18 -0000 A

first seen 2012-10-01 17:35:22 -0000
last seen 2012-10-01 21:48:53 -0000 A was registered with an email address of ''. Other domains registered with that address, and their detected activity include: - Zeus name server - Zeus name server - blackhole exploit kit - Zeus name server - Zeus name server

registrar:     REGRU-REG-RIPN
created:       2012.09.07

first seen 2012-09-16 16:35:07 -0000
last seen 2012-09-29 11:20:07 -0000 A
registrar:     REGRU-REG-RIPN
created:       2012.09.29

first seen 2012-09-29 15:33:13 -0000
last seen 2012-10-02 05:56:28 -0000 A

Also of note were domains seen in the webinject code or in the sections of the VAD segments. These domains were:
Whois Server:
Referral URL:
Status: clientTransferProhibited
Updated Date: 07-sep-2012
Creation Date: 04-sep-2012
Expiration Date: 04-sep-2013

first seen 2012-09-10 16:41:38 -0000
last seen 2012-10-02 01:31:42 -0000 A NS NS NS NS
Whois Server:
Referral URL:
Status: clientTransferProhibited
Updated Date: 14-sep-2012
Creation Date: 14-sep-2012

first seen 2012-10-01 16:32:22 -0000
last seen 2012-10-01 21:10:23 -0000 A NS NS
---------------------------------------- - HOSTVDS-NET - TOV HOST VDS - UA - G-Mobile - G-Mobile, Baga-Toiruu 3/9, Chingeltei district-1 - MN - SE-SMMIAB - Skand Meteorologi och Miljoinstr - SE - mdsru-net - MDS LTD - RU - mdsru-net -MDS LTD - RU - ZAMANHOST-NET - Rusnak Vasil Viktorvich - RO

 There is much more that can be analyzed in the both the memory image and in the dropped files. Correlation of these findings with other similar spam campaigns would also be interesting. The primary goal of this post was to examine the evolution of this banking malware, especially in light of the prolific Blackhole v2 exploit kit.  For obvious reasons, I won't be posting all the webinject URLs, nor will I make the RAM dump publicly available. Notification processes are underway to the affected parties.  I will provide any of the above discussed items in their entirety to qualified institutions.   Feel free to email me if you want further information on anything discussed here.
The following link goes to a ZIP file containing several files associated with this post.
  • stones-instruction_think.php
  • Packet capture of infected host execution run.
  • Initial lure - croconfrm.html
A partial pack of Blackhole 2 is available for researchers for download via Contagio. The pack came from a server with open directories.