Extracting Encrypted KPOT Malware Pushed via COVID-19 Malspam

Email Details:

File Name: "covid34_form.vbs"

SHA256: "d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c"

Subject Line: "Coronavirus: All 50 States Report Cases"

Originating Email: office@pahoworks[.]xyz

https://www.virustotal.com/gui/file/d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c/detection

Domain Whois Info:

Domain Name: PAHOWORKS[.]XYZ

Updated Date: 2020-03-18T23:17:30.0Z

Creation Date: 2020-03-18T23:17:26.0Z

Registry Expiry Date: 2021-03-18T23:59:59.0Z

Registrar: Namecheap

*The domain is recently registered and currently resolves to the IP address “192.162.244[.]180”.

Message shown in Browser:

"covid34_form.vbs":

Base64 Decoded:

PowerShell Downloader:

URLs from PowerShell Downloader:

hxxp://show1[.]website/OerAS.dat (Obfuscated AutoIt script, Base64 encoded as a certificate)

SHA256: "3d6fdcf27f2f439532ab83510d951cff428cc7f31637d455d937fb3cb079d6f9"

hxxp://show1[.]website/HeyaL.dat (AutoIt Interpreter) – Legitimate

SHA256: “237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d”

hxxp://show1[.]website/iPYOy.dat (Encrypted KPOT Malware)

SHA256: “f41fbd380e418e75476d8c377a4956451989e926c702eea86f821da5891f8612”

At the time of investigation, the domain "show1[.]website" no longer had an A record. Luckily, all of the files have been submitted to VirusTotal allowing for further analysis. This has also been recently documented by ISC Handler Didier Stevens (ISC Links below).

ISC Links:

- https://isc.sans.edu/forums/diary/More+COVID19+Themed+Malware/25930/

- https://isc.sans.edu/forums/diary/KPOT+Deployed+via+AutoIt+Script/25934/

The PowerShell downloader saves the contents of "hxxp://show1[.]website/HeyaL.dat" to the directory location "$env:TEMP\jkezt". Certutil is used to decode the Base64 and save the output to the file “i8ek7”.

HeyaL.dat:

Obfuscated sample from Base64 decoded AutoIt script(‘i8ek7’):

Decode function at the bottom of AutoIt script:

The string is split from ‘*’ and then each encoded character is subtracted from the number after the comma($integer) before being converted from Unicode.

Decoded sample:

Obfuscated Sample:

Decoded Sample:

All files necessary in the same folder ‘Temp’ – Windows 7 Virtual Machine:

Utilizing PowerShell to initiate infection chain:

Process chain showing ‘dllhost.exe’ process hollowing:

CreateProcess: powershell.exe:2428 > "%UserProfile%\Downloads\Temp\r17mi.com i8ek7 "

- [Child PID: 2452]

CreateProcess: r17mi.com:2452 > "%UserProfile%\Downloads\Temp\r17mi.com i8ek7 "

- [Child PID: 2064]

CreateProcess: r17mi.com:2064 > "%WinDir%\SysWOW64\dllhost.exe"

- [Child PID: 2244]

CreateProcess: dllhost.exe:2244 > "%WinDir%\system32\cmd.exe /c ping 127.0.0.1 && del %WinDir%\SysWOW64\dllhost.exe"

- [Child PID: 536]

CreateProcess: cmd.exe:536 > "ping 127.0.0.1 "

“dllhost.exe” process dump via Task Manager:

String analysis via “strings” show command and control (C2) servers:

Extract executables via “foremost”:

The decrypted KPOT malware has the SHA256 Hash “3fd4aa339bdfee23684ff495d884aa842165e61af85fd09411abfd64b9780146” and the VT score 34/71.

https://www.virustotal.com/gui/file/3fd4aa339bdfee23684ff495d884aa842165e61af85fd09411abfd64b9780146/detection

Sampled VirusTotal signatures:

String analysis of KPOT malware via “FLOSS”:

Strings indicative of information stealer:

KPOT Malware behavior: Reads the cookies of Mozilla Firefox and Google Chrome:

C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cookies

Connection to CnC Server:

hxxp://krt3[.]site/

hxxp://krt3[.]site/uhGaUGnzIIOPpoP9/conf.php

HTTP POST/GET traffic to “conf.php”: