A recently discovered malware dropper employs heavy obfuscation and poses as a virtual coin wallet, in an attempt to deliver a Netwire payload, Avast’s security researchers reveal.
Dubbed WiryJMPer, the dropper appears as a regular WinBin2Iso binary (an app to convert CD/DVD/Blu-ray images to ISO), but has a file size three times as big as it should, due to a suspiciously large .rsrc section.
Its JMP instruction, normally meant to handle window messages, jumps into the .rsrc section, which results in an unresponsive WinBin2Iso window to appear briefly before the ABBC Coin wallet window takes over. Because the window is always shown at startup, it is a clear sign of infection.
“While this functionality isn’t novel in any sense and no sandbox evasion was utilized, the obfuscation was uncommon enough to gain our attention. The combination of control flow obfuscation and low level code abstraction made the analysis of the malware’s workflow rather tedious,” Avast’s security researchers explain.
The binary had a low detection rate on VirusTotal when first analyzed and the researchers also discovered that the obfuscated loader also utilizes a (possibly) custom stack-based virtual machine during the RC4 key schedule.
The WinBin2Iso binary has a patched jump that leads to the .rsrc section, where a loader is decrypted, loaded into memory and relocations are made.
The loader handles the rest of the infection process: it loads ntdll.dll into the memory, decrypts auxiliary data such as LNK filename or RC4 decryption password, and then decrypts the Netwire malware and the “decoy” binary (ABBC Coin wallet).
The Netwire malware is loaded into memory and the decoy saved onto the disk. The loader also attempts to achieve persistence by copying the original binary to %APPDATA%abbcdriver.exe and creating a LNK file leading to it in the startup folder.
Next, the control flow is redirected into Netwire (also known as Wirenet), a remote access tool. The malware first emerged in 2012, packing password-stealing capabilities. A recently discovered version, however, allows attackers to completely take over the infected systems.
WiryJMPer’s functionality isn’t very innovative, but the malware did manage to pass under the radar for some time, likely due to obfuscation and rather low prevalence.
“Rather slow setup of the decoy showing multiple windows with unrelated titles may be suspicious enough for power-users, on the other hand, providing the ‘decoy’ binary might be comforting enough for ordinary users,” Avast concludes.
Related: Mac Malware Delivered via Firefox Exploits Analyzed
Related: Attackers Use Steganography to Obfuscate PDF Exploits