Suspicious Login Message Faked, Distributes Backdoor

Legitimate services are often used by cybercriminals to make their attacks more convincing. Recently, I spotted attacks that used services and platforms like Google Drive and Dropbox in order to look less suspicious to unwary users.

I received a spammed message like the one shown below that supposedly came from Gmail itself. It warned me that someone had logged into my account from an unknown device. However, all of the links in it pointed to a Google Drive URL:

Figure 1. Sample spam email

Even though the email message resembles a legitimate Gmail notification, a careful user will note that the displayed e-mail address and the supposed source address do not match. Further examination of the email’s headers indicates that the email was, in fact, sent via a website’s mail form.

As I mentioned earlier, all the links provided in the email actually go to an HTML file hosted on Google Drive. This HTML file detects the operating system and browser of the user. For example, this particular code is used to determine what operating system the user is running:

function nav() {
    // Coarse OS detection from navigator.platform; the one-letter code is
    // returned to the rest of the script, which picks what to serve.
    var OSName="UnknownOS";
    if (navigator.platform.indexOf("Win")!=-1) OSName="W";   // Windows
    if (navigator.platform.indexOf("Mac")!=-1) OSName="M";   // Mac
    if (navigator.platform.indexOf("X11")!=-1) OSName="U";   // Unix (X11)
    if (navigator.platform.indexOf("Linux")!=-1) OSName="L"; // Linux
    if (/Android/.test(navigator.userAgent)) OSName="A";     // Android (checked via the user agent)
    return OSName;
}

Note that the code above covers a range of platforms: Windows, Mac, Unix, Linux, and even mobile platforms (Android). Further code differentiates which payload is delivered based on the user’s browser. This is what the user would see (here, running Firefox):

Figure 2. Fake plugin download page

However, while the HTML code can differentiate between many configurations, a relatively limited number of payloads are actually delivered. These are detected as BKDR_PERCS.A. This backdoor steals email credentials as well as user names and passwords. It also logs keystrokes as part of its information theft routines. As a backdoor, it can also accept remote commands from the attackers.

Examining the infection chain in Deep Discovery Advisor makes it a little clearer:

Figure 3. Deep Discovery Advisor screen

On systems running Firefox, the backdoor is delivered as an XPI file (the format used by Firefox extensions). This file contains the backdoor itself, as well as associated malware components.

The actual malicious payloads are hosted on Google Drive as well. The attackers upload new files for this attack on a fairly regular basis, although the behavior remains the same. For example, on the first day I saw this attack, it distributed files with the following hashes:

  • 012BCE75BCACDAE0CCCB37B6740A925F769F5547
  • D18C7C42236171C37A6A3B7C1DEE6E0A6381AC4E

Two days later, the links were changed and now pointed to files with the following hashes:

  • 711AFD18ACCF650F6AEC42F836380EE158D4F8D5
  • A7F8F8A251534867CC9FE56636CFAB26D12C03C4

Several days after that, the same thing happened again and the new files had the following hashes:

  • 711AFD18ACCF650F6AEC42F836380EE158D4F8D5
  • A7F8F8A251534867CC9FE56636CFAB26D12C03C4

As these files are hosted on legitimate services, they are also delivered over HTTPS, which helps evade some web filtering techniques. In addition, the spam run used a compromised website’s mailer system and an IPv6 address, which can also evade email reputation services.

Figure 4. Screenshot of the email headers of the spam email

Figure 5. Screenshot of the name resolution of the sending email server
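The tells described in this post (a sender display name that claims Gmail while the address lives elsewhere, links whose visible text suggests Google while the target is a Google Drive file, and a message originating from an IPv6 host that an IPv4-only reputation list never sees) can be checked mechanically on a raw message. The following is an added example written for this post, not Trend Micro's tooling; SAMPLE_EMAIL is constructed, and the hostnames, the 2001:db8:: address and the Drive paths in it are placeholders, not indicators from the real campaign.

```python
"""Triage of a fake "suspicious sign-in" notification for the tells the post
describes: From display name vs. address domain, Google Drive links dressed up
as something else, and an IPv6 originating host.

Added example written for this post, not Trend Micro's tooling. SAMPLE_EMAIL is
constructed; hostnames, the 2001:db8:: address and Drive paths are placeholders.
"""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message; the earliest hop (last Received header) is an IPv6 host.
SAMPLE_EMAIL = b"""\
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby inbox.example.com with ESMTP; Thu, 14 Aug 2014 09:00:00 +0000
Received: from www.compromised-site.invalid (www.compromised-site.invalid [IPv6:2001:db8::1234])
\tby mx.example.com with ESMTP; Thu, 14 Aug 2014 08:59:58 +0000
From: "Gmail Team" <webform@compromised-site.invalid>
To: victim@example.com
Subject: Suspicious sign in prevented
Content-Type: text/html; charset=utf-8

<html><body>
<p>Someone just used your password to try to sign in to your Google Account.</p>
<p><a href="https://drive.google.com/PLACEHOLDER-PATH">Review your devices now</a></p>
<p><a href="https://drive.google.com/PLACEHOLDER-PATH">https://accounts.google.com/</a></p>
</body></html>
"""

CLAIMED = ("google.com", "gmail.com")  # domains the lure pretends to come from
IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_mismatch(msg):
    """True when the display name invokes Google/Gmail but the address domain is neither."""
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower()
    claims = any(c.split(".")[0] in name.lower() for c in CLAIMED)
    return claims and not domain.endswith(CLAIMED)


def masquerading_drive_links(msg):
    """Links that target drive.google.com while their visible text says something else."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = LinkExtractor()
    parser.feed(body.get_content())
    return [(href, text) for href, text in parser.links
            if (urlparse(href).hostname or "") == "drive.google.com"
            and not text.startswith("https://drive.google.com")]


def originating_ip(msg):
    """Address of the earliest hop: the last Received header when read top-down."""
    hops = msg.get_all("Received") or []
    match = IP_IN_BRACKETS.search(str(hops[-1])) if hops else None
    return ipaddress.ip_address(match.group(1)) if match else None


def analyze(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    ip = originating_ip(msg)
    return {
        "sender_mismatch": sender_mismatch(msg),
        "drive_links": masquerading_drive_links(msg),
        "origin_ip": str(ip) if ip is not None else None,
        "origin_is_ipv6": ip is not None and ip.version == 6,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL))
```

Reading the last Received header as the origin assumes the receiving MTAs are trusted, which is the usual case on a mail gateway you operate. The point of the IPv6 flag is not that IPv6 senders are bad, but that a reputation lookup that only covers IPv4 ranges returns "unknown" for them, and "unknown" should not be treated as "clean" when the other two tells fire.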

Trend Micro protects users from this spam run by detecting the malicious files and blocking all related malicious URLs. We have also contacted Google about the malicious files uploaded to Google Drive so they can be removed.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 14 August 2014; the full text is available from the source named above.