<<<
Tuesday, April 1, 2014
>>>
 
Coremex Innovates Search Engine Hijacking Posted by FSLabs @ 13:58 GMT

Malware that targets search engine results is nothing new. Malicious browser extensions are also familiar (which typically contribute to stuff such as Facebook scam campaigns). But very recently, we've identified a noteworthy malware family that attempts to do both. We've named it: Coremex. It takes advantage of plugin functionality provided by browsers to hijack different search engine results taking on online advertising giants such as Google and Yahoo.

Coremex comes as a single NullsoftInstaller executable file which acts as both dropper and downloader. Upon execution of the executable, the downloader will start collecting basic information from the infected machine. For example: the username, the infected workstation name, processor, memory, et cetera. The information will be sent to a command-and-control (C&C) server address, 178.86.17.32, which is hard-coded in the binary. The information is encrypted with RC4 with a key of "2AJQ8NA4" and the final result will be encoded with Base64.

There are some anti-sandbox features implemented by Coremex that prevents it from downloading the main payloads, such as the browser extension scripts, from the C&C server. These features consist of checking blacklisted process names and looking for well-known sandbox fingerprints such as a "VMware" string on the infected machine by using Windows Management Instrumentation (WMI).

Figure 1. Blacklisted process name in hash:

Coremex_Blacklisted_ProcessName_By_Hash

Figure 2. Anti-Sandbox name in hash:

Coremex_AntiSandbox_By_Hash

If the anti-sandbox component does not raise a red alert, Coremex will then proceed to download additional payloads from the C&C server. However, the author uses a different C&C server to download payloads (at least during the time of our analysis).

The C&C server addresses consist of:

  •  178.250.245.198
  •  174.127.82.213
  •  192.154.94.253

After the payload is downloaded successfully, they will be silently installed by Coremex. Afterwards, the browser extension will reside in the browser process whenever the victim opens Chrome or Firefox.

Coremex's JavaScript is highly obfuscated with 3 layers of obfuscation to make the analysis harder. Behind the scenes, Coremex's JavaScript will register a couple of events using the API provided by the browser and wait for these events to be triggered.

Figure 3. Malicious browser extension register multiple event listeners:

Coremex_Scripts_Event_Listener

One of the event listeners will be run once in an hour. Upon execution of the event callback function, it will start connecting to the following bogus search engine websites:

  •  onlinetrack.org
  •  zvtracker.com

While the other event listeners are responsible to parse the URL that the affected browser is going to visit. The callback function of these event listeners will look for the search query entered to the following search engine platforms:

  •  Google
  •  Bing
  •  Yahoo
  •  ASK
  •  AOL
  •  AVG
  •  MyWebSearch
  •  Search-Results
  •  Comcast
  •  Delta-Search

Figure 4. A list of search engine platforms targeted by Coremex:

Coremex_Search_Engine_Hijack

When a targeted search engine platform is found and after successfully parsing the search query from the URL, Coremex first transforms the victim's entered search query into a JSON format:

Coremex_yoursearchquery

The JSON object will then be encrypted with RC4 algorithm with key "http" and the result will be encoded with Base64. The Base64 encoded string will be sent to presumably the author's controlled search engine platform:

Coremex_RC4

In the server's response, it contains an encrypted JSON object with a list of destination website that will determine where a webpage that has ads-like URL will be redirected to. An example of Google AdWords URL might look like this:

Google Adwords URL

Figure 5. Code responsible to parse Google AdWords URL pattern:

Coremex_Google_Ads_URL_Hijacked

The decrypted JSON object might look like:

decrypted JSON objet

The following screenshot shows Coremex script in action when an ad's URL is clicked by the victim which leads to the ad's page being hijacked and redirected to author's intended destination website.

Figure 6. Google AdWord URL is being hijacked:

Coremex_Google_Ads_Url_Car_For_Sale_768x335
Click image to embiggen.

Figure 7. Google AdWord page is hijacked with IFRAME:

Coremex_Google_Ads_Page_Hijacking_With_IFrame_768x333
Click image to embiggen.

Regarding the injected IFRAME to the hijacked ad's page: during analysis, the server never replied with the destination website. So we have not yet seen examples of where the hijacked Ad will be redirected. But it is clear that the author's intention is to take advantage of popular online advertising services.

SHA1: 62b5427b10f70aeac835a20e71ab0d22dd313e71

—————

Post by — Wayne












<<< Targeted Attacks and Ukraine
|
April 8th: Not Just About XP >>>