RockLoader – New Upatre-like Downloader Pushed by Dridex, Downloads all the Malwares

On 4/6, the Phishing Intelligence team came across a wave of phishing emails that contained a .js file packaged inside of a zip file used to deliver malware. This is nothing new, and has been seen being pushed out by resources associated with the Dridex botnet and the Locky encryption ransomware. The interesting piece is that the attackers are using a new piece of malware called RockLoader to download and install the malware on remote systems. Downloaders are nothing new, as Upatre was used with Dyre and Gameover ZeuS in the past. RockLoader has several tricks up its sleeve.

For this set of phishing emails, the attackers used a Voicemail message theme for their lure.

Figure 1. Voicemail theme for the lure

Once the user opens the zip and executes the .js file, the script makes a GET request to fetch RockLoader, the new dropper.

Figure 2. GET request for new dropper

During initial testing, the malware did not function as intended and kept crashing when trying to access different resources.

Figure 3. Strange request for DLL

Next, a prompt for the SQL Server Client Network Utility popped up, and explorer.exe crashed, making this particular sample even more curious.

Figure 4. Crashing explorer.exe

Further analysis showed that RockLoader is experimenting with a method for bypassing Windows User Account Control (UAC). The compile path for the shellcode can be seen in Figure 5. It is also worth mentioning that the shellcode was compiled as a 64-bit binary, while the original RockLoader is compiled for 32-bit operating systems. If UAC is enabled on a victim's computer, RockLoader will attempt to bypass it.

Figure 5. UAC bypass attempt

At runtime, once the UAC bypass has succeeded, RockLoader makes HTTP POST requests to the /api/ directory on its command and control host to retrieve encoded commands for its next step. A network packet capture of this C2 callback shows encoded data passing back and forth between the host and the server. Here is an example of the traffic response:

Figure 6. Encoded traffic

Reversing the binary and stepping through it in IDA reveals how the malware decodes the traffic.

Figure 7. Algorithm for decoding commands from the C2

Since the algorithm works on 4-bit halves (its shifts are by 4), the malware writers have made it easy to follow. Translating the assembly into something more human readable, these are the steps you can take to decode the traffic on your network:

  1. Read the first and second characters into memory.
  2. XOR the low-order bits of the first character with the high-order bits of the second character.
  3. This value becomes the high-order bits of the decoded value.
  4. Combine the low-order bits of the second character with the high-order bits from step 3.
  5. The result is the decoded value.
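The same decoding logic as a small Python script, added here as a worked example (it is not the decoder script the post links to). It assumes, because the routine shifts by 4, that the "low-order" and "high-order" bits are the 4-bit nibbles of each byte and that every pair of encoded bytes yields one decoded byte; the encode() helper is my own inverse of that transform, used only to build constructed sample input.

```python
# Decoder for RockLoader's C2 responses, written from the five steps above.
# Assumption (not stated on the page): "low-order"/"high-order bits" are the
# 4-bit nibbles of each byte, since the routine shifts by 4.
from typing import Optional

# Leading keywords the post says the loader checks for in decoded data.
KEYWORDS = ("true", "false", "NOTASKS", "UPDATE", "command")


def decode_byte(c1: int, c2: int) -> int:
    """Turn one pair of encoded bytes into one decoded byte."""
    # Step 2: XOR the low nibble of the first char with the high nibble of the second.
    high = (c1 & 0x0F) ^ (c2 >> 4)
    # Steps 3-5: that result is the high nibble; the low nibble of the second
    # char becomes the low nibble of the decoded value.
    return ((high & 0x0F) << 4) | (c2 & 0x0F)


def decode(data: bytes) -> bytes:
    """Decode a whole response; every two encoded bytes yield one decoded byte."""
    if len(data) % 2:
        raise ValueError("encoded data must contain an even number of bytes")
    return bytes(decode_byte(data[i], data[i + 1]) for i in range(0, len(data), 2))


def leading_keyword(decoded: bytes) -> Optional[str]:
    """Return which of the known leading keywords the decoded data starts with."""
    for word in KEYWORDS:
        if decoded.startswith(word.encode()):
            return word
    return None


def encode(plain: bytes) -> bytes:
    """Inverse of decode(), constructed here only to build sample input.
    Only the low nibble of the first byte of each pair matters, so a cycling
    printable byte is used for it."""
    out = bytearray()
    for i, p in enumerate(plain):
        c1 = 0x30 + (i % 16)                       # '0'..'?' as the free byte
        c2 = (((p >> 4) ^ (c1 & 0x0F)) << 4) | (p & 0x0F)
        out += bytes((c1, c2))
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: a "NOTASKS" response in encoded form.
    sample = encode(b"NOTASKS")
    plain = decode(sample)
    print(sample.hex(), "->", plain, leading_keyword(plain))
```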

Here’s what a decoded command looks like:

Figure 8. Decoded command

Once decoded, the malware checks the beginning of the decoded data for "true", "false", or one of several other symbols (Figure 9). Checking for multiple leading values means the loader can accept several possible commands.

Figure 9. Possible starting decoded messages

For example, the malware has the ability to receive instructions such as “command” and “UPDATE”.

Figure 10. More commands

The "NOTASKS" instruction is a special and interesting case. If "NOTASKS" is set, the malware process creates and runs the file "1.bat" in the temp directory in order to delete itself.

Figure 11. Batch script for self-deletion

By decoding more commands, we can see that the attackers have the ability to pass multiple arguments and commands to the malware in one request. This vastly increases the economy and extensibility of this malware's operation. Stacking commands in this way is where this new downloader really shines: the attackers are able to drop several malware payloads onto the system at once, or pass multiple commands to a single victim. By browsing to the /files/ directory, we can see that the attackers left the directory listing open, giving us a list of other files they are installing on victims.

Figure 12. Decoded responses. Many commands can be passed in a single line

Figure 13. Open browsing

One of the files looks to be a calculator using the WinAPI, created by Dem@nXP (Figure 14). The source code can be downloaded from here (Figure 15).

Figure 14. Calculator using WinAPI

Figure 15. Source code for calculator found on Russian forum http://www.cyberforum[d]ru/win-api/thread61646.html

RockLoader has also been observed downloading other malware samples. In collaboration with Palo Alto Networks, the sample a3d090f64b9dbca420f232966d65ecdca333cb497308cea94477e5219af685ae was observed downloading both the Kegotip and Pony information stealers. Examining leaked Pony source code shows that this malware can steal credentials as well as Bitcoin wallets, a notable capability when set beside the delivery of the Locky ransomware, which demands a Bitcoin ransom to release victims' files.

Figure 16. Pony source code to download bitcoin wallets

On 4/7, we saw another wave of phishing emails carrying .docm attachments. In this case the malware was a Word document with a macro, which was used to infect users. This phishing email was themed as Angel Springs, a UK supplier of water dispensers.

Figure 17. Screenshot of phishing email

The initial spam campaign contained an Office document with malicious macros that downloaded RockLoader. The RockLoader executable then downloaded several executables from hxxp://185.103.252[.]148/files/. One of these executables is the Locky loader.

Another executable downloaded was Pony (hxxp://185.103.252[.]148/files/Qlk7Yx[.]exe). It is believed that the cybercriminals use the Pony infostealer to expand their C2 infrastructure, since Pony can also harvest FTP credentials from infected machines. Here is some information about the Pony file:

File type        PE32 executable (GUI) Intel 80386, for MS Windows
File name        Qlk7Yx.exe
File size        213504
Hash MD5         9649061beee87fb3692e02177ad23308
Compile time     2016-04-07 04:30:45
Sections         6 (1 suspicious)
Directories      import, resource, relocation
Detected         packer, antidbg
Import Hash      3fa8e98760e737c8a16039cbce251101

Packer info
Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Resources info
RT_ICON          1128
RT_DIALOG        172
RT_GROUP_ICON    132
RT_VERSION       760

Sections suspicious
hash_md5         e93c3c7762b55184b8d224989c05b8c3
virtual_address  0x1f000
name             .reloc8
size_raw_data    105984
suspicious       True
hash_sha1        0086bd086da957aa2cb315c7afb9f3cb51101861
virtual_size     0x1a000

Import function
ADVAPI32.dll     1
KERNEL32.dll     68
USER32.dll       1

Antidbg info

Apialert info

Filename found
Library          WUSER32.DLL
Library          nKERNEL32.DLL
Library          mscoree.dll
Library          ADVAPI32.dll
Library          USER32.dll
Library          KERNEL32.dll

IP found

Meta info
LegalCopyright   Copyright (C) 2016
InternalName     Pchild3.exe
CompanyName      TODO: <Company name>
ProductName      TODO: <Product name>
FileDescription  TODO: <File description>
Translation      0x040c 0x04b0
OriginalFilename Pchild3.exe

Here’s a screenshot of the Pony icon:

Figure 18. Icon screenshot

For further confirmation, we can look at network data matched by Suricata signatures that identify the POST requests as Pony check-ins:

Figure 19. Pony Suricata signature

We can also see the POST requests to r56.php by looking at our pcap (Figures 20 and 21).

Figure 20. Pony POST beacons

Figure 21. Pony POSTing data

For this sample, the following C2 is active.

Historical IP:

By looking at passive DNS for the IP address, we can see other possible domains used by the attackers.

Passive DNS

In yet another wave of attacks, we can see RockLoader used to pull down Locky based on the strings in memory:

The introduction of a new malware downloader demonstrates that these attackers continue to innovate and experiment with ways to increase their infection rates. Furthermore, we believe RockLoader is intended to fill the gap left by Upatre's absence by echoing many of the strengths that made Upatre so successful. RockLoader, however, adds extensibility and functionality, widening the ways threat actors can leverage infected machines by delivering not just Locky but also the Pony and Kegotip information stealers.

For awareness, a scenario has been added to PhishMe Simulator to train users to spot these types of attacks!

Triage customers are protected against these threats. Here’s an example of one of the macro-based phishing emails.

Figure 22. Triage dashboard

Indicators can be downloaded from here, YARA rules can be downloaded from here, and the decoder script can be downloaded from here.
