Saturday, July 30, 2016

524.dat & chrome_patch.hta [UPDATED]

    A few minutes ago I clicked a link to an article and I noticed something fishy. The new site attempted to automatically redirect my browser to this:


    This piece of garbage phishing page didn't even wait for me to be suckered by their super-convincing download link, and used a setTimeout() call to try to force my browser to download something called `9901224839027/1469890408944162/chrome_patch.hta`. 
    Here is chrome_patch.hta as it is seen in the wild:


    And here is chrome_patch.hta after we apply deobfuscation 101:


    As you can see, chrome_patch.hta downloads a .dat fie `17/524.dat` and creates an executable `g2924808f66985de3a9ad1e3d743e0d.exe` before providing victims with a reassuring "Update completed" window.
    I've been seeing similar versions of this same method to force users to swallow the 524.dat payload, like this:
    I've found some complaints as far back as a month ago. I'm going to try to get my hands on these and look a bit closer as time permits and post the results here. I can't promise it will be all that interesting though as this script was pretty artless & obvious. If anyone's already seen the payload please share! Thanks.

UPDATE: It looks like someone uploaded the payload to malwr last week. Their PE scanner is about as good as it gets for automated scanning. Just looking through malwr's list of registry keys it looks like the payload adds ~5 domains to Windows' URL Security Zones or as I prefer to call it the Circle of Trust:


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option gets modified also, which is weird. This is the registry key that determines whether the next reboot will put Windows into Safe Mode or not. This could be an attempt to disable antivirus software and is a loud flashing sign that this payload is going to be a loud, obnoxious dick.

I also found a third version of chrome_patch.hta that is significantly different than the one I have and the other version I posted above; I think whoever is responsible for this is making some changes on the fly, or a few different people are tweaking it. The tweaks don't include changing the filenames (although some components have been removed in my version), and I've only seen it use two different domains to download from. Small potatoes.

ANOTHER UPDATE: I think I scared our hacker friend a bit. The domain name registration for the website used to host the phishing script & payload file has disappeared. Those files appear to have been removed from the server also, or at least taken offline or moved somewhere I cant find them. This is a pretty fast reaction from our hacker friend (< 24 hours from my post / reporting the issue to involved parties). It supports the idea I had earlier that hacker friend is actively developing this little project. If you're listening, hacker friend: why did you take your toys and go home?

No comments:

Post a Comment