Thursday, January 5, 2023


Pterodo Malware Analysis

Overview


A new version of the Pterodo Windows backdoor used by the Gamaredon threat group targets Ukrainian government agency computers. Gamaredon has been tied to Russia’s Federal Security Service and to Cozy Bear[1]. Classified as a Trojan, Pterodo installs a backdoor on the infected machine which allows the attackers to install further malware, take control of the machine, and collect sensitive information.

The newest version of Pterodo spreads through infected flash drives and other removable media. Pterodo activates on a system if it is using language localization for one of the following languages: “Ukrainian, Belarusian, Russian, Armenian, Azerbaijani, Uzbek, Tatar, and others.” [2]

Running this sample through VirusTotal gives a detection ratio of 42/66 (42 of 66 engines flag it):


[1] https://www.scmagazine.com/home/security-news/gamaredon-like-fancy-bear-and-cozy-bear-steps-up-cyberattacks-against-ukraine-others/

[2] https://translate.google.ca/translate?hl=en&sl=uk&u=https://cert.gov.ua/news/46

Impact

In this analysis, we are inspecting a 32-bit file that executes Pterodo.


Here we examine the meta-data of the file:

After executing the file, we are presented with a pop-up where the user must click an option:



The malware creates new files and folders, and the original file that was executed is deleted after being moved to a new location.

--New Folders and Files Created

--Original File Being Deleted

In the new folder ‘C:\Users\Kyle\AppData\Local\Temp\7ZipSfx.001’ we see the following files:

The file named CookiesERR.cmd contains a Windows batch script that does the following:
1. Gathers system information
2. Waits
3. Searches for the Cookie.exe process
4. Creates two scheduled tasks (ie_cash_D2D87A8E_01, ie_cash_D2D87A8E_02)
   a. ie_cash_D2D87A8E_01 is created with “an individual directory with a serial number of the drive.”[3]
5. Copies Cookie.exe to C:\Users\Kyle\AppData\Roaming\Microsoft\IE\ie_cash.exe



[3] https://translate.google.ca/translate?hl=en&sl=uk&u=https://cert.gov.ua/news/46


A snippet of the batch file can be seen below:

--Cookies.cmd Script

The ‘IzeHVKe’ value shown above contains the system information gathered about the device.


A file named ‘Cookies.exe’ is created in the following location:

C:\Users\Kyle\CookiesERR


There are multiple files created in directory C:\Users\Kyle\AppData\Local\Temp\7ZipSfx.000\ which are eventually deleted. The files included are CookiesERR.cmd, CookiesERR.lnk, Cookies.sys, and tmp.exe.

There are multiple pings out to 8.8.8.8, presumably to check whether the machine has internet access:


The Cookies.cmd file is run by cmd.exe:


The Cookie.exe process is killed by the command ‘taskkill /f /im Cookie.exe’:

The Cookie.exe process is relaunched from ‘C:\Users\Kyle\AppData\Local\Temp\7ZipSfx.001\’ and it posts the system information gathered by CookiesERR.cmd:


The Cookies.exe process runs cmd.exe, which in turn starts the Cookie.exe process to post the system information data:


The infected machine connects to IP 185.231.154[.]25, the address to which the hostname dataoffice[.]zapto[.]org resolves.

Wireshark shows the detail of the system information sent to 185.231.154[.]25:



The infected machine continues to post the system information to 185.231.154[.]25 and remains connected.

The two scheduled tasks are set to first run approximately 5 minutes after the initial infection. Task ‘ie_cash_D2D87A8E_01’ then runs every 1 hour and task ‘ie_cash_D2D87A8E_02’ every 1 hour 1 minute.

ie_cash_D2D87A8E_01:


ie_cash_D2D87A8E_02:

At the time of writing this analysis, the website http://bitsadmin[.]ddns[.]net is no longer accessible.

Detection

Monitor for the following IOCs as signs of potential compromise:

Hashes:
c9ac6d5e08c80be4f7b192b5baa9e0b338e2b44789079340cd8f1152038919b2
c4ceb4486f70c6ff244501bb727ae7c9b9a8468f4cd2ced36f0b2e11f275e8f2
17f686c72e588a241f9758ceec770c62ee36b34c5f273be151b416092f4cac64
be18d809058f2733454cf3bcf225de5fd866594a7ee27031bd2ab4c1cb659e96
fd347cb68a35625d61cee7f60e325ca73588f7e23d18fb8fdfbdec8a77b435ca

Inbound/outbound traffic to the following IP address and hostnames:
185.231.154.25 (dataoffice[.]zapto[.]org)
bitsadmin[.]ddns[.]net

Dropped Files:
CookiesERR.cmd
tmp.exe
CookiesERR.lnk
tmp.vbs
Cookies.sys
7ZSfx000.cmd
Cookie.exe
Cookies.cmd
ie_cash.exe

Directories Created:
C:\Users\Username\AppData\Local\Temp\7ZipSfx.000
C:\Users\Username\AppData\Local\Temp\7ZipSfx.001
C:\Users\Username\CookiesERR
C:\Users\Username\AppData\Roaming\Microsoft\IE
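As an added example (not part of the original post), the script below folds the indicators from the Detection list together with the scheduled-task naming pattern ie_cash_<8 hex>_01/_02 and the ‘taskkill /f /im Cookie.exe’ step described in the behaviour section, and runs them over log lines. The log format is a constructed key=value layout (event, image, target, hash, dst, dsthost, cmdline) chosen only to keep the example self-contained; a real Sysmon or EDR export needs its own parser. The username in the directory indicators is generalised to any profile, the hash field is assumed to hold the 64-hex-character (SHA-256 length) values from the list, and the 8-hex-character part of the task name is assumed to vary per drive serial as the CERT-UA note suggests.

```python
import re
from pathlib import PureWindowsPath

# Indicators copied from the Detection section above.
IOC_HASHES = {
    "c9ac6d5e08c80be4f7b192b5baa9e0b338e2b44789079340cd8f1152038919b2",
    "c4ceb4486f70c6ff244501bb727ae7c9b9a8468f4cd2ced36f0b2e11f275e8f2",
    "17f686c72e588a241f9758ceec770c62ee36b34c5f273be151b416092f4cac64",
    "be18d809058f2733454cf3bcf225de5fd866594a7ee27031bd2ab4c1cb659e96",
    "fd347cb68a35625d61cee7f60e325ca73588f7e23d18fb8fdfbdec8a77b435ca",
}
# Network indicators are defanged in the post; refang them once here.
IOC_NETWORK = {x.replace("[.]", ".") for x in (
    "185.231.154[.]25", "dataoffice[.]zapto[.]org", "bitsadmin[.]ddns[.]net")}
IOC_FILENAMES = {
    "cookieserr.cmd", "tmp.exe", "cookieserr.lnk", "tmp.vbs", "cookies.sys",
    "7zsfx000.cmd", "cookie.exe", "cookies.cmd", "ie_cash.exe",
}
# Directories from the post, with the user name generalised to any profile.
IOC_DIRS = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\7zipsfx\.00[01]$", re.I),
    re.compile(r"^c:\\users\\[^\\]+\\cookieserr$", re.I),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\ie$", re.I),
]
# Scheduled task names observed: ie_cash_<8 hex>_01 and _02 (assumed to vary per drive serial).
TASK_NAME = re.compile(r"\bie_cash_[0-9a-f]{8}_0[12]\b", re.I)
# The batch script kills Cookie.exe before relaunching it.
TASKKILL = re.compile(r"\btaskkill\b.*/im\s+cookie\.exe", re.I)

# key=value or key="quoted value" tokens (constructed log format, assumed).
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict of string fields."""
    return {k: (q or u) for k, q, u in FIELD.findall(line)}


def match_indicators(fields):
    """Return a list of (kind, value) hits for one parsed log line."""
    hits = []
    h = fields.get("hash", "").lower()
    if h in IOC_HASHES:
        hits.append(("hash", h))
    for key in ("dst", "dsthost"):
        v = fields.get(key, "").lower()
        if v in IOC_NETWORK:
            hits.append(("network", v))
    for key in ("image", "target"):
        p = fields.get(key)
        if not p:
            continue
        wp = PureWindowsPath(p)
        if wp.name.lower() in IOC_FILENAMES:
            hits.append(("file", wp.name))
        # The event may carry the directory itself or a file inside it.
        for cand in (str(wp), str(wp.parent)):
            if any(r.match(cand) for r in IOC_DIRS):
                hits.append(("directory", cand))
                break
    cmd = fields.get("cmdline", "")
    m = TASK_NAME.search(cmd)
    if m:
        hits.append(("scheduled_task", m.group(0)))
    if TASKKILL.search(cmd):
        hits.append(("taskkill", "Cookie.exe"))
    return hits


def scan_log(lines):
    """Return (line_number, kind, value) for every indicator hit in the log."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, value in match_indicators(parse_line(line)):
            findings.append((n, kind, value))
    return findings


# Constructed sample log mirroring the execution chain described in the post.
SAMPLE_LOG = r"""
event=ProcessCreate image=C:\Windows\System32\cmd.exe cmdline="cmd /c CookiesERR.cmd" hash=0000000000000000000000000000000000000000000000000000000000000000
event=ProcessCreate image=C:\Users\alice\AppData\Local\Temp\7ZipSfx.001\Cookie.exe hash=c9ac6d5e08c80be4f7b192b5baa9e0b338e2b44789079340cd8f1152038919b2
event=ProcessCreate image=C:\Windows\System32\taskkill.exe cmdline="taskkill /f /im Cookie.exe"
event=ProcessCreate image=C:\Windows\System32\schtasks.exe cmdline="schtasks /create /tn ie_cash_D2D87A8E_01 /sc hourly"
event=NetworkConnect image=C:\Users\alice\AppData\Local\Temp\7ZipSfx.001\Cookie.exe dst=185.231.154.25 dsthost=dataoffice.zapto.org
event=FileCreate target=C:\Users\alice\AppData\Roaming\Microsoft\IE\ie_cash.exe
event=ProcessCreate image=C:\Windows\System32\notepad.exe hash=1111111111111111111111111111111111111111111111111111111111111111
""".strip().splitlines()

if __name__ == "__main__":
    for n, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} -> {value}")
```

Lines 1 and 7 of the sample (a benign cmd.exe launch and notepad.exe) produce no hits; the remaining five lines match on the hash, the dropped file names, the temp and Roaming\Microsoft\IE directories, the C2 address and hostname, the task name pattern and the taskkill step. Matching the directory indicators with a wildcard user name rather than the literal ‘Kyle’ from the analysis host is the one generalisation beyond the list as printed.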


References:
Cert-UA. “[Updated on 11/22/2018] Preparation for cyber attack with the use of Pterodo type dummy is revealed.” Cert-UA, 2018, https://translate.google.ca/translate?hl=en&sl=uk&u=https://cert.gov.ua/news/46
Robinson, Teri. “Gamaredon, like Fancy Bear and Cozy Bear, steps up cyberattacks against Ukraine, others.” SC Magazine: The CyberSecurity Source, 2018, https://www.scmagazine.com/home/security-news/gamaredon-like-fancy-bear-and-cozy-bear-steps-up-cyberattacks-against-ukraine-others/