Last Updated: 2016-01-13 15:00:03 UTC
by Alex Stanford (Version: 1)
[Guest Diary by Pasquale Stirparo]
Few weeks ago we witnessed a quite significant wave of email carrying with them a zip file containing an executable.
The only common thing among all the emails was that the sender name (not the sender email address) appeared to be "Whatsapp" or "Facebook" all the times, while the subject was always referring, in different languages (and sometimes terms), that "You got a new audio (or video) message". Some of the subjects I saw are:
- Subject: Sie haben einen Videohinweis erhalten!
- Subject: Ein Hörbeleg ist versäumt worden!
- Subject: Di recente, hai raccolto un avviso video
- Subject: Du hast eine Hörakte.
- Subject: You recently got an audible message!
- Subject: Ein akustisches Dokument wurde bloß übergetragen
On the sample side, the extracted exe has usually the name of a person like jack.exe or brent.exe and the malware seems to be a variant of Nivdort (also named Bayrob in some reports), which once installed it allows backdoor access. This malware family is not new (it has been around since April 2013 ), but anti-virus tools were apparently lagging behind this last Nidvort email wave, and most did not provide realtime protection. However, once installed it should be still relatively easy to detect, here some indicators:
- Once executed, it creates a random folder under C:\, where it drops several executables, also them with random alphanumeric names, e.g.:
- It then tries to resolve about 40/50 domain names (on average), >90% of which appeared to be not registered. If not yet done, you may want to have in place some alerts when one of your clients fails so many DNS requests in a row
- When connecting to the C2, it performs HTTP requests to /index.php
- Do not get fooled by the eventual "404" reply you may see in your logs. The 404 reply comes with a body, which turns out to be in json format and containing Base64 encoded instructions on where to connect for the next stage
the Base64 encoded value contains the information for the next address to contact via POST request, in the previous case we can easily decode it
Incidentally this very same response, as well as the server IP to contact, appears also in the report of "f0xy" malware, a CPU miner uncovered last year by WebSense . However, the two samples are completely different.
- The malware will later upload some information about the files dropped and the email address of the victim, again base64 encoded.
In case any of you may want to try to analyze the sample, be aware that the binary will also implement some anti-debugging techniques as detected also by running Yara against the Yara Rules from the official repository 
I'm not sharing MD5 of the samples collected since all of them are different and would not be a much actionable information. However, you can find below a list of C2 domains which the samples tried to contact. Looking at them one may think that Nivdort does not use any DGA, instead it does use a particular DGA based on a dictionary, which makes the domains not looking random and able to bypass many DGA checks used by some filters. If you are interested to know more about it, there is a nice write up by NeutralizeThreat  who reverse engineered the sample and described its functionalities in details.
againstangry.net againstarticle.net againstdried.net againstfifteen.net betterbehind.net betterbroad.net betterbutter.net betterunderstand.net breadbehind.net breadbroad.net breadbutter.net breadunderstand.net captainangry.net captainarticle.net captainbehind.net captaindried.net captainfifteen.net decideangry.net decidearticle.net decidedried.net decidefifteen.net doubtangry.net doubtarticle.net doubtdried.net doubtfifteen.net electricbehind.net electricbroad.net electricbutter.net electricdried.net electricunderstand.net flierbehind.net flierbroad.net flierbutter.net flierunderstand.net gatherbehind.net gatherbroad.net gatherbutter.net gatherunderstand.net largeangry.net largearticle.net largebutter.net largedried.net largefifteen.net nightangry.net nightarticle.net nightdried.net nightfifteen.net quietbehind.net quietbroad.net quietbutter.net quietunderstand.net recordbehind.net recordbroad.net recordbutter.net recorddried.net recordunderstand.net seasonbehind.net seasonbroad.net seasonbutter.net seasondried.net seasonunderstand.net streetbehind.net streetbroad.net streetbutter.net streetunderstand.net tradebehind.net tradebroad.net tradebutter.net Reference:  https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanSpy:Win32/Nivdort.AL#tab-link-3  https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy:Win32/Nivdort.A  http://community.websense.com/blogs/securitylabs/archive/2015/01/30/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx  https://github.com/Yara-Rules/rules/  http://www.neutralizethreat.com/2015/12/nivdort-code-obfuscation-and-dga.html
Alex Stanford - GIAC GWEB & GSEC,
Research Operations Manager,
SANS Internet Storm Center