Researchers in Zscaler -cyber security firm from US, analyzed a new type of malware named Kasidet. The analysis has been published in ThreadlabZ website by Abhay Yadav, Avinash Kumar and Nirmal Singh.
The malware Kasidet is a variant of Dridex Banking Trojan being delivered via various campaigns involving Office documents with malicious VBA macros in the past. It’s been realized over the past two weeks, these malicious VBA macros leveraged to drop Kasidet backdoor in addition to Dridex on the infected systems. These malicious Office documents are being spread as an attachment using spear phishing emails. Detailed email analysis can be read here.
The malicious macro inside the Office document is obfuscated as shown in the code snapshot below –
It has been stated that the macro downloads malware payload from the hardcoded URL. There are several URLs which is used in different document payloads during this campaign:
Kasidet in Details
Kasidet installs itself into %APPDATA% folder. It creates a new folder there with the name “Y1FeZFVYXllb”, this string is hardcoded in the malware. The same string is used as mutex name and in creating a Registry key for ensuring persistence upon system reboot.
Interestingly, Kasidet has an ability to check whether it runs in a isolated environment like a virtual machine. Kasidet tries to detect analysis systems during execution through following checks.
Checking Dubugger through “IsDebuggerPresent” and “CheckRemoteDebuggerPresent” Windows APIs. It also checks for the following popular sandbox related strings:
User Name: “MALTEST”, “TEQUILABOOMBOOM”, “SANDBOX”, “VIRUS”, “MALWARE”
File Name: “SAMPLE”, “VIRUS”, “SANDBOX”
It tries to detect wine software by checking if kernel32.dll is exporting “wine_get_unix_file_name” function or not. It detects Vmware, VirtualBox, QEMU and Bochs by checking for following registry entries:
|Vmware||“SOFTWARE\\VMware, Inc.\\VMware Tools”|
|“HARDWARE\DEVICEMAP\Scsi\Scsi Port\Scsi Bus\Target Id\Logical Unit Id”, “Identifier” , Vmware”|
|“HARDWARE\DEVICEMAP\Scsi\Scsi Port\Scsi Bus\Target Id\Logical Unit Id”, “Identifier” , “VBOX”|
|VirtualBox||“HARDWARE\\Description\\System”, “SystemBiosVersion” , “VBOX”
SOFTWARE\\Oracle\\VirtualBox Guest Additions”
“HARDWARE\\Description\\System”, “VideoBiosVersion” , “VIRTUALBOX”
|QEMU||“HARDWARE\DEVICEMAP\Scsi\Scsi Port \Scsi Bus \Target Id \Logical Unit Id “, “Identifier” , “QEMU”
“HARDWARE\\Description\\System” , “SystemBiosVersion” , “QEMU”
|Bochs||“HARDWARE\\Description\\System” , “SystemBiosVersion” , “BOCHS”|
More details about Kasider malicious software can be found on ThreadlabZ web site. In the blog post conclusion part, the writers say;
“Malicious Office document file is a popular vector for malware authors to deliver their payloads. Dridex authors have leveraged this technique for over a year and it was interesting to see the same campaign and URLs being leveraged to deliver Kasidet payloads. While this does not establish any links between the two malware family authors, it reaffirms the fact that a lot of the underlying infrastructure and delivery mechanisms are often shared by these cyber criminals.”