Helpful Navigation Toolbar

Thursday, February 6, 2014

Chewbacca vs. Open Source Tools (maybe this should be a theme?)

You have probably heard of the "Chewbacca" POS malware that uses TOR (The Onion Router) (aka "anonymous web traffic") as a way to exfiltrate data from the system. If you have not read the Securelist blog post I definitely recommend it. It is, by far, the best post that I have seen on this malware to date. While the development of another way of exfiltration is interesting, the RAM scraping and persistence method that the malware used is very basic, and in testing, it did not even run "properly". Attackers will use tactics that are only advanced as they need to be in order to exfiltrate data. In most environments, attackers can probably gain remote access to the system(s) and exfiltration is often nothing more than uploading files to an online storage site like Mega, Dropbox, Box, WeTransfer, etc. Attackers will not use advanced exfiltration mechanisms if they can simply remotely log into a system and upload data to a site like WeTransfer.

I was able to get my hands on a sample of malware thanks to Brian Baskin (malware reverse-engineer extraordinaire, Ghetto Forensics creator, all around good guy, and a HUGE contributor to a lot of the details in this post). After snagging the sample, I performed some basic analysis (using the same methodology that I used for the Target malware). Interestingly enough, the malware would not fully run on my Malware Box of Evil (MBE), which currently runs Windows XP, as consistently got the exception error listed below. It is possible that this is because the malware was designed for a later version of Windows, as both the esteemed Brian Baskin and myself performed a variety of tests and determined that the malware would work on other versions of Windows, including Server 2003, Server 2008, Vista, and Windows 7. (AUTHOR NOTE: Please see "Additional Research" at the end of the post that covers more details of how the malware works on XP/WEPOS.)

I first loaded the malware into PeStudio and found, beyond the basic items of interest, the regular expression the malware uses for searching for Track1 and Track2 data. This regular expression varied slightly compared to previous versions of malware that I have seen (most likely to account for more non-US track data (shorter credit card numbers starting with only 13 digits)) but it still performs the same basic function. 


Chewbacca file info in PeStudio. Note the hashes, as they are the same as in spoolsv.exe

Chewbacca searching for Track1 and Track2 regular expressions. Note the hard-coded URL as well!

Only this time, when the data is found, it is supposed to exfiltrate the data to the hard coded URL automatically via TOR, using tor.exe, which is included with the malware. 


WINDOWS XP TESTING

Once again, because of the unhandled exception I could not get the malware to fully run on the MBE, all it did is made an exact copy of itself  to "%AllUsersProfile%\Start Menu\Programs\Startup\spoolsv.exe"


Windows XP spoolsv.exe startup location
PeStudio 8.05 file information. Hashes are the same on Chewbacca and spoolsv.exe

The expected keylogger file "system.log" was not created (in fact no additional files were created) and there did not appear to be any attempted outbound connections. I verified this by running Noriben (created by the aforementioned Brian Baskin).


Noriben created processes and created files of partially run Chewbacca malware

I even allowed the MBE to connect to the interwebs (through an anonymous connection, of course) in an effort to see if an actual connection was needed and I got the same unhandled exception error.

Unhandled exception error message on Malware Box of Evil when trying to run Chewbacca. RUUUUUrhrGUGUGHRhghghghrRURURUghGHrrrrrr!

WINDOWS 7 TESTING

On Windows 7, the output was more along the lines of what was originally expected after reading the Securelist post. In this instance, the executable again copied itself to spoolsv.exe under "%AllUsersProfile%\Start Menu\Programs\Startup" (which performs the same persistence functionality, but the path is different on newer Windows systems), deleted the original "chewbacca.exe" file (a very common malware characteristic), attempted to connect to "ekiga.net", and created the keylogger file, in the %TEMP% folder (on Windows 7 it is "C:\Users\<USERNAME>\AppData\Local\Temp"). All of this data was easily presented to me, with my limited malware reverse engineering background, by Noriben (thanks again Brian!)

Noriben output of Chewbacca on Windows 7

Windows7 spoolsv.exe startup location
Chewbacca is gone!
Attempted to connect to ekiga.net
system.log keylogger location and file contents

PeStudio Update: I shared some of the strings information with Marc yesterday and he updated PeStudio so now the Track1 and Track2 data regular expressions (and other strings of interest) present in this sample are blacklisted. PeStudio also now pulls out the default icon of a possible malware sample as well, which is one of my "quick triage" tricks to try to determine if any executables on a system might be malicious. Definitely go and download PeStudio 8.06 if you haven't already!!

PeStudio 8.06 blacklisted strings. Some (but not all) of the key ones from Chewbacca are highlighted


ADDITIONAL RESEARCH


Additional research shows the unhandled exception error may have a combination of the malware not running properly and as a result of DeepFreeze, which I run on the MBE in order to get the system back to an original state after looking at malware and other test environment fun! When Chewbacca was run on a Windows XP virtual machine and the WEPOS virtual machine, the malware ran, made a copy of itself named spoolsv.exe the Start Menu folder, attempted to connect to ekiga.net, however, it did not start the system.log keylogger or delete the original chewbacca.exe. After rebooting the systems the keylogging did start, which was saved in system.log, however the original executable remained. Brian also noted that "when the malware sample is run, it does a check to see if it is run with an argument (a file path). If there is no argument, it copies itself to spoolsv.exe and runs the new copy of itself with an argument of the original file's path. If there is an argument, the malware will delete the argument (file path) and continue. It could be crashing before the original running of the chewbacca.exe is complete, or it could be crashing before the deletion of the original file (or argument) is complete."

Thanks to this malware, I also acquired the WEPOS and POSReady2009 operating systems to install on the MBE in order to better replicate a POS environment and watch how malware performs in those environments. It will definitely be interesting to see if more malware is created specifically to target newer operating systems as Windows XP nears the end of life (WEPOS is supposed to be supported through 2020, although Windows XP Embedded and Server 2003 Embedded are supposed to have support only through 2016 and 2018, respectively).

Based on the testing that Brian and I performed, if the environment was running Windows XP or the original Windows Embedded Point of Service (WEPOS) version 1.0 through 1.3, the malware will not fully work (delete the original chewbacca.exe file, start scanning memory for Track1 and Track2 data, etc.) until the system is rebooted. It will only create spoolsv.exe in the "%AllUsersProfile%\Start Menu\Programs\Startup" location, but the system has to be rebooted in order for the malware to create the keylogger and begin scraping memory for Track1 and Track2 data.

Brian also made an interesting comment while reviewing this piece of malware. In his long and illustrious career of reverse engineering malware samples, this is the first piece of malware he has ever personally encountered that was created using Free Pascal Compiler (that used actual Pascal) and was, quote, "definitely weird". So Chewbacca has that going for it, which is nice :) 


Angry Birds Chewbacca, Lego Chewbacca, and dog chew toy Chewbacca.


4 comments:

  1. Hey Brian, nice blog entry and analysis. I just saw this on a PFI and can confirm what you have posted. Chewbacca (spoolsv.exe) was on the POS server (Microsoft Windows Server 2003 Standard Edition SP2) for a couple of months. I didn't see any CHD captured by it or use of tor.exe, but the system.log file had keylogger info - with user names and passwords - that it recorded daily over a one month period. Stephen E.

    ReplyDelete
  2. Thanks Stephen! If the malware was present for a few months, did the keylogger only work for a month or (my guess) the server was rebooted the same time the keylogger file was created? (If you can share that information, of course). Thanks again!!

    Brian

    ReplyDelete
  3. Yes, you got it!

    I checked the System Uptime in the WinAudit output, did a calculation, and the first entry in system.log was 7 minutes after the last reboot.

    ReplyDelete
    Replies
    1. Not a bad hunch based on the testing that Brian and I did, huh? :)

      With the in-frequency that many servers/systems are rebooted, I cannot imagine that Chewbacca is terribly effective on real-world machines running older versions of Windows.

      Delete