NanoCore Variant Delivered Through UUE Files

Over the past few weeks, our Phishing Defense Center has observed several emails with malicious PDF attachments that prompt the user to download a .UUE file from Dropbox. UUE files (Unix to Unix Encoding) are files encoded with uuencode, a program that converts binary files to text format for easy transfer while still allowing for the files to be easily opened using Winzip or similar un-archiving applications. When file extensions are not displayed in Windows, the downloaded file looks like any other compressed file (as shown in Figure 1), which makes it harder to spot that this file is indeed malicious.

Figure 1 – Ordy Compressed File Icon

All emails contain the same message body shown in Figure 2, asking users to confirm the payment and customer details as outlined in the attached copy of the Swift advice.

Figure 2 – Email body

The messages had a PDF attachment named “MensajeSWIFTMT103.pdf” (MD5: 8b9a5e36cd1e1ec7dfd7801bfa5afa86, SHA256: 743c9ffe67a80ac84385efc8dc78c84f7b38805285dda49ac6459d17008daa17). The PDF contains a single page, which is characteristic of malicious PDF documents, and no text at all other than a “View File” link (as shown in Figure 3).

Figure 3 – PDF Document – View File

The link takes the user to the Dropbox site hxxps://www[.][.]uue?dl=1 to download Ordy.uue (MD5: 673d3a374900a23ecec3acc092fe8dba, SHA256: d476a35f392a1c616f045418ce9c3c6645ac6886a6195ef1ec578e6bbe15a48b). Once downloaded, the file appears to be an ordinary compressed archive, as discussed above. Unpacking it extracts the executable Ordy.exe (MD5: 1A9E533E870C4B0B5D6126A3E7609601, SHA256: F76A8BED84ED4177626A4B7B3ECED4AEABE93BE8CB500A1B2D5F3A662539C98D), which carries an Acrobat PDF icon (as shown in Figure 4) to trick the user into thinking it is a genuine PDF file.
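Because uuencode is plain text, a mail gateway or EDR can decode a .uue attachment and look at what it really carries rather than trusting the archive-looking icon. The following is an added example (not code from the original post) that builds a constructed .uue in memory around a fake "MZ" stub, decodes it, and reports the embedded file name and whether the payload is a PE executable; the uuencode helper, the FAKE_PE bytes and the extension list are assumptions for the demo.

```python
import binascii
import re

def uuencode(name: str, data: bytes, mode: str = "644") -> str:
    """Minimal uuencoder, used here only to construct a sample .uue in memory."""
    lines = [f"begin {mode} {name}"]
    for i in range(0, len(data), 45):               # each uuencode line carries 45 raw bytes
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]                           # zero-length line, then terminator
    return "\n".join(lines) + "\n"

# Constructed sample: a tiny fake PE stub (MZ header, filler, "PE\0\0"), not Ordy.exe.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
SAMPLE_UUE = uuencode("Ordy.exe", FAKE_PE)

def uudecode(text: str) -> tuple[str, bytes]:
    """Parse a uuencoded text blob and return (embedded file name, decoded bytes)."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith("begin ")), None)
    if start is None:
        raise ValueError("no 'begin' line: not a uuencoded file")
    m = re.match(r"begin\s+[0-7]{3,4}\s+(.+?)\s*$", lines[start])
    if not m:
        raise ValueError("malformed 'begin' line")
    out = bytearray()
    for line in lines[start + 1:]:
        if line == "end":
            break
        if line in ("", "`"):                       # empty / zero-length lines carry no data
            continue
        out += binascii.a2b_uu(line)
    return m.group(1), bytes(out)

EXEC_EXTS = {"exe", "scr", "dll", "com", "pif", "bat", "cmd", "js", "vbs"}  # assumed list

def inspect_uue(text: str) -> dict:
    """Gateway/EDR style check: report what the 'archive' actually contains."""
    name, data = uudecode(text)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {
        "embedded_name": name,
        "size": len(data),
        "is_pe": data[:2] == b"MZ",                  # DOS/PE executable magic
        "executable_ext": ext in EXEC_EXTS,
    }

if __name__ == "__main__":
    print(inspect_uue(SAMPLE_UUE))
```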

After executing Ordy.exe, it creates a copy of itself as \AppData\Roaming\taskprocess.exe while Ordy.exe hides itself, and it adds taskprocess.exe to the scheduled tasks (as shown in Figure 5).

Figure 5 – Scheduled Tasks

Additionally, it creates a Registry entry to start itself automatically when Windows starts (as shown in Figure 6).

Figure 6 – Registry Key Entry

The malware reads the machine GUID and creates a directory in \AppData\Roaming named after the GUID, with two subfolders: \DPI Subsystem and \Logs. The directory \DPI Subsystem contains a copy of Ordy.exe called dpiss.exe, which gets executed after reboot.

The \Logs directory contains a .dat file with the naming convention KB_XXXXXXX.dat. Opening the .dat file reveals hexadecimal values (as shown in Figure 7).

Figure 7 – Hex contents in .dat file

After converting the hexadecimal values from the .dat file to ASCII, it becomes apparent that the malware captures keystrokes and stores them in the .dat file (as shown in Figure 8).

Figure 8 – ASCII decoded hex from .dat file
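The dropped copy, the GUID-named directory with its \DPI Subsystem\dpiss.exe, and the hex-encoded KB_*.dat keylog together make a simple host triage check. This added example (not from the original post) builds a constructed Roaming profile in a temporary directory with those artifacts and scans it, decoding the hex keylog back to text; the placeholder GUID, the fake "MZ" stubs and the sample keystrokes are all constructed.

```python
import re
import tempfile
from pathlib import Path

# Matches the {GUID}-named directory the malware creates under \AppData\Roaming.
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)

def decode_hex_keylog(hex_text: str) -> str:
    """KB_*.dat stores keystrokes as hex digits; turn them back into text."""
    digits = "".join(hex_text.split())                # tolerate spaces/newlines
    if len(digits) % 2:
        digits = digits[:-1]                          # ignore a dangling nibble
    return bytes.fromhex(digits).decode("ascii", errors="replace")

def find_artifacts(roaming: Path) -> list[dict]:
    """Triage a Roaming profile for the persistence layout described above."""
    hits = []
    copy = roaming / "taskprocess.exe"
    if copy.is_file():
        hits.append({"type": "dropped_copy", "path": str(copy)})
    for d in roaming.iterdir():
        if not (d.is_dir() and GUID_RE.match(d.name)):
            continue
        exe = d / "DPI Subsystem" / "dpiss.exe"
        if exe.is_file():
            hits.append({"type": "reboot_copy", "path": str(exe)})
        for log in sorted((d / "Logs").glob("KB_*.dat")):
            hits.append({"type": "keylog", "path": str(log),
                         "text": decode_hex_keylog(log.read_text())})
    return hits

def demo() -> list[dict]:
    """Build a constructed profile in a temp dir and triage it (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        roaming = Path(tmp) / "AppData" / "Roaming"
        guid = roaming / "{12345678-1234-1234-1234-123456789abc}"   # placeholder GUID
        (guid / "DPI Subsystem").mkdir(parents=True)
        (guid / "Logs").mkdir()
        (roaming / "taskprocess.exe").write_bytes(b"MZ")            # fake stub, not malware
        (guid / "DPI Subsystem" / "dpiss.exe").write_bytes(b"MZ")
        keystrokes = b"user@example.com\tPassw0rd!"                 # constructed keylog
        (guid / "Logs" / "KB_0000001.dat").write_text(keystrokes.hex())
        return find_artifacts(roaming)

if __name__ == "__main__":
    for h in demo():
        print(h["type"], h["path"], h.get("text", ""))
```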

Analysing the malicious network traffic reveals active communication with a remote IP address over TCP port 6777 (as shown in Figure 9). After the three-way handshake completes, the host and server exchange a PSH, ACK, ACK sequence a few times per second. Keylogger and remote access trojan malware often communicate using HTTP requests sent to a webserver; this raw TCP communication indicates a different, and perhaps more difficult to stop, means of exfiltration.

Figure 9 – Wireshark Capture

Figure 10 – TCPView Outbound Connection to malicious IP
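The traffic pattern just described (a persistent client-side PSH,ACK stream several times a second to a non-HTTP port) can be detected from packet summaries without any payload inspection. This added example (not from the original post) runs such a check over constructed packet records that mimic the handshake and the 250 ms push cadence; the 10.0.0.5 host, the 203.0.113.10 placeholder server and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed packet summaries (seconds, src, dst, dst port, TCP flags) modelled on the
# pattern above: handshake, then a PSH,ACK from the host every 250 ms answered by an ACK.
# 203.0.113.10 is a documentation-range placeholder, not the article's server address.
HOST, C2 = "10.0.0.5", "203.0.113.10"
PACKETS = [
    (0.00, HOST, C2, 6777, "SYN"),
    (0.01, C2, HOST, 51000, "SYN,ACK"),
    (0.02, HOST, C2, 6777, "ACK"),
]
PACKETS += [(0.10 + i * 0.25, HOST, C2, 6777, "PSH,ACK") for i in range(40)]
PACKETS += [(0.12 + i * 0.25, C2, HOST, 51000, "ACK") for i in range(40)]
PACKETS += [(3.00, HOST, "198.51.100.7", 443, "PSH,ACK")]   # one ordinary HTTPS push

def find_push_beacons(packets, min_rate=1.0, min_seconds=5.0, web_ports=(80, 443)):
    """Flag client->server flows whose PSH,ACK rate stays >= min_rate per second for at
    least min_seconds. Flows to web_ports are skipped because the point here is a RAT
    pushing over a raw TCP port rather than HTTP."""
    pushes = defaultdict(list)
    for ts, src, dst, dport, flags in packets:
        if "PSH" in flags.split(","):
            pushes[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), stamps in pushes.items():
        if dport in web_ports or len(stamps) < 2:
            continue
        span = max(stamps) - min(stamps)
        if span < min_seconds:
            continue
        rate = (len(stamps) - 1) / span           # pushes per second over the window
        if rate >= min_rate:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "pushes": len(stamps), "rate_per_s": round(rate, 2)})
    return hits

if __name__ == "__main__":
    for h in find_push_beacons(PACKETS):
        print(f"{h['src']} -> {h['dst']}:{h['dport']} {h['pushes']} pushes, {h['rate_per_s']}/s")
```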

After reboot, dpiss.exe is executed instead of Ordy.exe and a new .dat file is created in \AppData\Roaming\{machineID}\Logs.

The malware also exhibits analysis and sandbox evasion behaviour: it verifies that a working Internet connection is available and makes no outbound connections when executed in a sandboxed environment with restricted Internet access. It still copies itself, adds itself to the registry and scheduled tasks, and captures keystrokes, but it only attempts to contact the server once a valid Internet connection has been established.

This malware contains a keylogger that actively captures keystrokes and transfers them to the server in the hope of capturing login details and other valuable information. While delivery using .UUE files has been around for a while, it is not commonly used at this point, and, to end users, these files appear as genuine compressed files. Most firewalls and endpoint security solutions only alert on or block .zip or .rar file extensions, ignoring .UUE and making it easier for attackers to bypass security solutions.

During analysis, we have observed this malware behaving like NanoCore. NanoCore is a remote access trojan (RAT) that is used to steal sensitive information such as passwords from victim computers.

However, Ordy.exe doesn’t contain any hardcoded “NanoCore” strings, which is why current NanoCore YARA rules will not detect this variant. Figure 11 shows the strings typically found in NanoCore samples, while Figure 12 shows the ones found in Ordy.exe.

Figure 11 – Identifiable NanoCore strings

Figure 12 – Ordy.exe strings

NanoCore first appeared in 2013 and has since gained popularity due to its modularity, which allows attackers to expand its functionality and performance. Several cracked versions of NanoCore exist in the wild, allowing attackers to use and modify the core functions to create new variants, and Ordy.exe is no exception. As our research suggests, Ordy closely resembles NanoCore, but delivery through .UUE files is still very rare and can be seen as an attempt to bypass malware defences. Attackers will continue to create new malware and modify existing malware to pass through security perimeters, so always err on the side of caution and only open links and attachments you trust.
