The e-mail lures we are seeing for this campaign have a consistent fax-related theme:
fig 1. E-mail lure
UPDATE: (January 25, 2016) We are now able to disclose that the open redirect is located on a Google sub-domain. We are working with Google who are currently addressing the issue.
fig 2. ZIP file containing malicious JS file.
Forcepoint has notified the 'Alexa top 10 site' regarding the open redirect abuse.
The malicious JS file inside the ZIP files for this campaign are obfuscated malware downloaders. When the script is deobfuscated it is clear that the intention is to download and run 3 executables:
fig 3. Deobfuscated malicious JS downloader
Typically, we see the Kovter and Miuref malware families downloaded by these scripts, but in this instance one of the executables that we saw was a new, albeit primitive, malware that we are naming "PGDownloader".
PGDownloader & ProxyGate Installation
When PGDownloader is executed it will begin logging events to its command-and-control (C&C) server, while downloading and silently installing the ProxyGate software in order to turn our machine into a zombie. This is not a new concept from malware actors, and we have blogged on the topic in the past in relation to the Bunitu malware.
Here is the full log that it sent to its C&C when we analyzed the malware:
StartDownloadThread i am in DownloadThread Thread Download Complete! DownloadThread done!check file... CreateNewDesktop CreateProcessInNewDesktop Start Install Thread SetThreadDesktop [PageIndex:0] Click NextButton [PageIndex:1] Click 'accept the agreement' [PageIndex:1] Click NextButton [PageIndex:2] Click NextButton [PageIndex:3] Click 'Don't create a Start Menu folder' [PageIndex:3] Click NextButton [PageIndex:4] Click NextButton [PageIndex:5] Click InstallButton [PageIndex:7] Click FinishButton [PageIndex:7] Done! Initialize Run cloud... SendReport everything is done!delete me now..
Each log event is a unique HTTP request to the C&C server with a user-agent of "reportlog" or "f[redacted]ing", making this quite a noisy piece of malware:
fig 4. PGDownloader network traffic
As shown in fig 4, PGDownloader downloads an executable named pgppi.exe which is the ProxyGate software that will be installed. This is actually a graphical installer wizard:
fig 5. ProxyGate setup wizard
However, PGDownloader silently installs the software by creating a new and invisible desktop with the CreateDesktop Windows API, and then finds and clicks the buttons on the wizard automatically.
After installation PGDownloader launches the Cloud.exe component of ProxyGate which will automatically register the machine as part of the ProxyGate network. This means that any users of ProxyGate can now use our machine in order to browse the Internet, which of course includes the ability to conduct illegal activity.
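One way a defender could hunt for this activity in web proxy logs, using the two network indicators the post gives (the "reportlog" user-agent on each log event sent to the C&C, and the download of the pgppi.exe installer). This is an added example, not code from the original post or from Forcepoint; the proxy-log format, the sample lines, the client IPs and the host name c2.invalid are constructed for the example, and the second, redacted user-agent is deliberately not matched.

```python
import re
from collections import defaultdict

# Constructed proxy-log lines in a simplified, hypothetical format:
# <timestamp> <client_ip> <method> <url> "<user-agent>"
SAMPLE_LOG = """\
2016-01-20T10:01:02Z 10.0.0.5 GET http://example.com/ "Mozilla/5.0"
2016-01-20T10:01:05Z 10.0.0.7 GET http://c2.invalid/r?msg=StartDownloadThread "reportlog"
2016-01-20T10:01:06Z 10.0.0.7 GET http://c2.invalid/r?msg=i+am+in+DownloadThread "reportlog"
2016-01-20T10:01:09Z 10.0.0.7 GET http://c2.invalid/dl/pgppi.exe "Mozilla/4.0"
2016-01-20T10:01:15Z 10.0.0.7 GET http://c2.invalid/r?msg=Click+NextButton "reportlog"
2016-01-20T10:01:20Z 10.0.0.9 GET http://example.org/index.html "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# User-agent the post attributes to PGDownloader's per-event C&C reports.
# The post's second user-agent is redacted, so it is not matched here.
SUSPICIOUS_UAS = {"reportlog"}

# The post names the ProxyGate installer fetched by PGDownloader as pgppi.exe.
INSTALLER_NAME = "pgppi.exe"


def parse_line(line):
    """Parse one constructed proxy-log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def find_pgdownloader_hosts(log_text):
    """Return {client_ip: {"reports": n, "installer": bool}} for hosts with indicators.

    'reports' counts requests carrying the suspicious user-agent (the noisy
    event log described in the post); 'installer' flags a pgppi.exe download.
    """
    hits = defaultdict(lambda: {"reports": 0, "installer": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ua"] in SUSPICIOUS_UAS:
            hits[rec["client"]]["reports"] += 1
        if rec["url"].lower().endswith("/" + INSTALLER_NAME):
            hits[rec["client"]]["installer"] = True
    return dict(hits)


if __name__ == "__main__":
    for host, info in find_pgdownloader_hosts(SAMPLE_LOG).items():
        print(f"{host}: {info['reports']} reportlog requests, installer={info['installer']}")
```

A host that both reports events with the "reportlog" user-agent and fetches pgppi.exe is a stronger candidate than either indicator alone, since a single odd user-agent can come from benign tooling.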
At the time of this blog there are over 7,000 IP addresses available to use on the ProxyGate network, although it is unknown how many of these were registered on the network as a result of PGDownloader.
Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:
- Stage 2 (Lure) - Malicious e-mails associated with this attack are identified and blocked.
- Stage 5 (Dropper) - The malware is prevented from being downloaded from the malicious URLs.
- Stage 6 (Backchannel Traffic) - Attempts by the malware to contact its command-and-control server are detected and blocked.
Malware actors are always seeking new opportunities and new malware that can improve their success rates. PGDownloader provides an easy way for these actors to expand their infrastructure in order to use more machines for malicious purposes, and in turn hide the attackers' identities behind other machines. It is important to remain vigilant when receiving suspicious e-mails, making sure not to run any files unless you are absolutely sure that the e-mail comes from a trusted source and that you have the appropriate security products installed that can identify threats such as these.