Over the past three days, ThreatFire users were being targeted by a higher number of Bredolab downloaders. Bredolab is a nasty, morphing little downloader being spammed out in droves mostly to users in the U.S. and Europe. While it seemed to have been a short term experiment at first, the blasts are continuing throughout the year. At first, the group sent out UPS related attachments (UPSDocs_IN987712001.zip, UPSFile_Nr67721912.exe, UPSNr_76129811.exe, etc) to the community, which were duly prevented when run by the duped user.
The scheme has changed slightly away from the Ups theme to a more generic one. The executable, most likely with its origins in the Russian Federation, currently arrives in a .zip email attachment. Most of the related messages seem to suggest that the soon-to-be-victim has ordered an item:
“Thank you for settling the order No. *insert random number here*.”
The .zip attachment, once extracted, is usually an ~36-40kb executable that maintains an Excel icon, as seen here with a few examples:
A few example names recently prevented in the ThreatFire community:
D6e4c332d.exe
D391d6951.exe
D0193c67c.exe
D0f2984b8.exe
D4fdce55f.exe
The attachments are interesting in that they are packed in layers, with a outer code layer (that changes across binaries) consisting of function-less jumps and garbage code, followed by another layer that decrypts the inner, static, UPX packed payload. This UPX payload contains another layer of encryption that appears to remain static across binaries. This payload contains the unexpected injection and downloader functionality, injecting itself into system components to retrieve more malware from the web. It also overwrites user mode hooks in attempt to evade hook based security solutions with a technique frequently used by game cheats in the past.
At the beginning of the year, the Bredolab downloaders were retrieving Rogueware/Scareware/FakeAv. AV file scanner performance against them was a mixed bag, more often only able to generically detect the changing encryption schemes, and often mixing up identification of what was Bredolab samples with Waledac and their packers and vice versa or missing it altogether (file detection can be a very tricky thing for scanners). On a behavioral level, the current downloaders are attempting to download Rogueware/FakeAv components and are adding a banking password stealing Zbot variant to the mix. However, as of this week, the server that provided the additional payloads continues to be down.
Be cautious of what you open when it arrives in the mail.
