While “APTs” are sexy, they are not the only threat organizations face. Another threat that many, if not all, organizations face is adware. In this post we’ll take an in-depth look at one sample of PUP/adware from our data set that has been around for a while. (NOTE: We found 185 other samples that exhibit similar behavior.)
This piece of adware we’ll tackle today arrives in a validly signed NullSoft installer. Valid signatures are pretty common with PUP. Needless to say, just because software has a valid signature doesn’t mean it belongs in your environment.
A few things about the signature should stand out. The “Name” looks a bit odd, as does the lack of “E-mail” and “Signing time.”
It looks equally suspicious in Carbon Black:
To get through the execution you’d have to be brave enough to click on the following “Accept” button:
When running the sample through Carbon Black we get an execution chain of:
The sample drops another file (befcfbhddd.exe), which in turn calls wmic.exe. Since the initial file (ca6884685f44aed2dd4733d8845bf233.exe) is just an installer, we’ll turn our attention to befcfbhddd.exe, which is dropped by several of the samples but not all. This binary is responsible for profiling the system and for network communication. Profiling is done by running wmic.exe with “SELECT SerialNumber FROM Win32_BIOS” as the command line. Other profiling actions include checking which web browsers (and versions) are installed, the OS version, and the MAC address. All of that information is then sent back to the app company, along with the IP address of the system it was run on and other system variables. This type of behavior is very common amongst PUP, as profiling a system provides valuable insight into the environment and user behavior.
A sample request can be seen below:
From a network analysis perspective, this sample is interesting for several reasons, two of which are the faked user-agent string and the fact that the server claims to be returning an HTML document but actually returns other data.
There are several ways to find this type of behavior in your environment. A list of hashes of both the installers and the dropped file, as well as the domains these samples contacted, is at the end of this write-up.
In addition, there are various Carbon Black queries you can run to detect this specific sample and other similarly suspicious behaviors. The queries also help highlight why focusing on dynamic behaviors vs. static attributes can help find additional instances in an enterprise, and why hunting with more general queries can provide some interesting results.
Carbon Black Queries
- Find all binaries signed by this Publisher (note: 40 of the 185 binaries don’t contain any publisher information)
  - digsig_publisher:"trusted apPs dDD"
- Find most dropped executables (note: may not be a very performant query)
- Find all processes spawning wmic.exe
- Find all processes that don’t have Company Name metadata and are signed
  - -company_name:* digsig_result:signed
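The same behavioral indicators described above (wmic.exe collecting the BIOS serial from a non-shell parent, a signed binary with no Company Name, a browser user-agent sent by a non-browser process, and a text/html response that isn’t HTML) can be checked outside Carbon Black too. The following is an added example, not code from the original post or the vendor; the event format and all sample values are constructed for illustration.

```python
import re

# Constructed sample telemetry (not from the write-up): one dict per event,
# covering process launches, binary metadata and HTTP exchanges.
SAMPLE_EVENTS = [
    {"type": "process", "parent_name": "befcfbhddd.exe", "process_name": "wmic.exe",
     "cmdline": "wmic.exe SELECT SerialNumber FROM Win32_BIOS"},
    {"type": "process", "parent_name": "cmd.exe", "process_name": "wmic.exe",
     "cmdline": "wmic.exe os get caption"},
    {"type": "binary", "process_name": "befcfbhddd.exe", "company_name": "",
     "digsig_result": "signed"},
    {"type": "binary", "process_name": "notepad.exe",
     "company_name": "Microsoft Corporation", "digsig_result": "signed"},
    {"type": "http", "process_name": "befcfbhddd.exe", "content_type": "text/html",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/45.0",
     "body": b"sn=ABC123&os=6.1&mac=00:11:22:33:44:55"},
    {"type": "http", "process_name": "chrome.exe", "content_type": "text/html",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/45.0",
     "body": b"<!DOCTYPE html><html><body>ok</body></html>"},
]

BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
ADMIN_SHELLS = {"cmd.exe", "powershell.exe"}
PROFILING_RE = re.compile(r"win32_bios|serialnumber", re.I)

def evaluate(event):
    """Return the names of the detection rules this single event trips."""
    hits, kind = [], event["type"]
    if kind == "process" and event["process_name"].lower() == "wmic.exe":
        # BIOS serial collection launched by something other than an admin shell
        if PROFILING_RE.search(event.get("cmdline", "")) and \
                event["parent_name"].lower() not in ADMIN_SHELLS:
            hits.append("wmic_bios_profiling")
    elif kind == "binary":
        if event.get("digsig_result") == "signed" and not event.get("company_name"):
            hits.append("signed_without_company_name")
    elif kind == "http":
        if event["process_name"].lower() not in BROWSERS and \
                event.get("user_agent", "").startswith("Mozilla/"):
            hits.append("browser_ua_from_non_browser")
        if event.get("content_type", "").startswith("text/html") and \
                not event["body"].lstrip().startswith(b"<"):
            hits.append("content_type_mismatch")
    return hits

def scan(events):
    """Attribute hits to the acting binary (the parent for process launches)."""
    findings = {}
    for ev in events:
        actor = ev["parent_name"] if ev["type"] == "process" else ev["process_name"]
        for rule in evaluate(ev):
            findings.setdefault(actor, set()).add(rule)
    return {name: sorted(rules) for name, rules in findings.items()}
```

Correlating several weak indicators on the same binary, as scan() does, is what separates this dropper from a legitimate wmic.exe run or a normal browser session.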
While malware should certainly be a focus, adware can leak sensitive information and be a potential attack vector. Often, adware can exploit existing vulnerabilities and be part of a larger attack campaign. Just because software begins as adware doesn’t mean it will stay as adware. Organizations need to get their hygiene in order. Adware is a major component of that.