“Hi, you can see who is using ProfileVisitor application to visit your personal details!” How would you react when a post like this appears on your Facebook feed? Many would be tempted to click on the hyperlink.
This article documents the technical findings of our analysis of the ProfileVisitor attack that appeared recently. Let’s see how the attack works!
Part 1: Analysis of HTTP Request and Response
Before clicking the https://is[.]gd link (the “malicious link”) on Facebook, Burp Suite, a web proxy, is configured in our lab to intercept every HTTP request sent from our browser. Each HTTP request and response is analyzed manually in Burp Suite to understand how the malware is retrieved from the adversary’s server.
By intercepting the HTTP communications, the malicious URLs associated with the malicious link are recorded in the HTTP history. As shown in the screenshot below, four (4) HTTP requests are found.
1.2 Blob URL
In the getBlob variable, an HTTP fetch is sent to https://pu*****/ajax/7z[.]php. The HTTP response is turned into a Binary Large OBject (blob) with the MIME type of an MP4 video (video/mp4), which is later used to generate a hyperlink.
<body><a href="blob:https://storage.googleapis.com/<UUID>" target="_blank" download="ProfileVisitors (v2.4.7).zip" rel="noreferrer" style="opacity:0;" ></a></body>
Part 2: Analysis of ProfileVisitor Malware
2.1 Identification of File Signature
The downloaded file appears to be an MP4 file. To confirm the actual file type, the file signature is inspected with the PowerShell command below.
Format-Hex -Path <path of file> | Select-Object -First 1
The first four bytes of the file header in the command output, 50 4B 03 04, show that the file is actually a ZIP archive. The file extension is renamed to .zip and the archive is extracted with WinRAR.
A file named visitors.heru.facebook.com is extracted. The bytes 4D 5A (“MZ”) at the start of its header show that it is a Windows executable.
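The two checks above (the blob’s declared MIME type versus the forced download filename in Part 1, and the magic bytes in 2.1) can be automated. The following is an added example written for this article, not code from the original post or from the malware: it identifies a file by its leading bytes and reports whether the declared MIME type and the download filename agree with them. The byte strings at the bottom are constructed for the demo and are not the real sample.

```javascript
// Added example, not code from the original article: identify a download by
// its leading bytes rather than by the MIME type the server declared, and
// compare both against the filename the page forced via <a download="...">.
// The sample byte strings at the bottom are constructed for this demo.

// Well-known signatures (magic bytes) at offset 0.
const SIGNATURES = [
  { type: "zip", magic: [0x50, 0x4b, 0x03, 0x04] }, // "PK\x03\x04", ZIP local file header
  { type: "pe",  magic: [0x4d, 0x5a] },             // "MZ", DOS stub of a Windows executable
];

// Which signature a declared MIME type or a file extension should carry.
const MIME_EXPECTS = { "video/mp4": "mp4", "application/zip": "zip", "application/x-msdownload": "pe" };
const EXT_EXPECTS  = { mp4: "mp4", zip: "zip", exe: "pe", dll: "pe" };

// Return "zip", "pe", "mp4" or "unknown" for the first bytes of a file.
function identifyBySignature(bytes) {
  for (const { type, magic } of SIGNATURES) {
    if (bytes.length >= magic.length && magic.every((b, i) => bytes[i] === b)) return type;
  }
  // MP4 (ISO base media) files have no fixed bytes at offset 0: the first box
  // is a 4-byte size followed by the type tag "ftyp".
  if (bytes.length >= 8 && String.fromCharCode(...bytes.slice(4, 8)) === "ftyp") return "mp4";
  return "unknown";
}

// Render the first n bytes the way Format-Hex shows them, e.g. "50 4B 03 04".
function hexHeader(bytes, n = 4) {
  return Array.from(bytes.slice(0, n), b => b.toString(16).toUpperCase().padStart(2, "0")).join(" ");
}

// Compare what the response claimed (Content-Type, i.e. Blob.type), what the
// download filename implies, and what the bytes actually are.
function assessDownload({ declaredMime, downloadName, bytes }) {
  const actual = identifyBySignature(bytes);
  const mime = (declaredMime || "").split(";")[0].trim().toLowerCase();
  const ext = (downloadName || "").split(".").pop().toLowerCase();
  return {
    header: hexHeader(bytes),
    actual,
    declaredMime: mime,
    mimeMismatch: MIME_EXPECTS[mime] !== actual, // unknown MIME types count as a mismatch
    extMismatch: EXT_EXPECTS[ext] !== actual,
  };
}

// Constructed sample headers (not the real file): a ZIP local file header,
// a DOS/PE stub, and the start of an MP4 "ftyp" box.
const SAMPLE_ZIP = Uint8Array.from([0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00]);
const SAMPLE_PE  = Uint8Array.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00]);
const SAMPLE_MP4 = Uint8Array.from([0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70]); // "....ftyp"

// Usage mirroring the article's case: MIME says video, filename says .zip, bytes say ZIP.
const verdict = assessDownload({
  declaredMime: "video/mp4",
  downloadName: "ProfileVisitors (v2.4.7).zip",
  bytes: SAMPLE_ZIP,
});
console.log(verdict); // actual: "zip", mimeMismatch: true, extMismatch: false
```

In a browser, a blob’s `type` property is copied straight from the response’s Content-Type header, so it proves nothing about the content; `blob.slice(0, 16).arrayBuffer()` gives the bytes to feed into `assessDownload`. A declared type, a download extension and a signature that disagree with each other, as they do here, is the inconsistency worth alerting on.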
2.2 Initial Scanning of Executable File
PEStudio is used for an initial assessment of the executable. As expected, the indicators reported by PEStudio and the VirusTotal results show that the file is malware. We will refer to this malware as “ProfileVisitor” in this article.
Unicode (or ASCII) strings provide a wealth of information about an executable. By reading them, we learn about the comments, text, file paths and technologies used by the executable. For example, we can assume the executable was compiled with AutoIt because AutoIt-related strings appear in PEStudio.
2.3 AutoIt v3 De-compilation
Exe2Aut is used to decompile AutoIt scripts, but it only supports 32-bit executables. Because ProfileVisitor is a 64-bit executable, we followed the tutorial written by Hexacorn and ran the Perl script it provides (autoit64to32.pl) to convert the file to 32-bit.
Remark: If you don’t want to install Perl on your computer, you may try my PowerShell script to perform the same action.
Now we decompile visitors.heru.facebook.com.a32.exe with Exe2Aut to display the plain-text script. The script is also saved automatically as an .au3 file once decompilation finishes.
2.4 Manual De-obfuscation
Local $mrxkokz = $vmunqnc("" & $nvywfreslzs & "r" & "" & "i" & "" & ydtkzy() & $nvywfreslzs & "" & "id")
Let’s try to de-obfuscate the variable $mrxkokz. The keywords associated with the variable are searched for and shown below:
Local $mrxkokz = Execute(StringMid)
After the keywords are found and replaced, the value stored in the variable is revealed: $mrxkokz holds the return value of Execute(), evaluated on a string returned by StringMid(). However, the code above still seems incomplete.
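The find-and-replace step above is mechanical once the obfuscated names have been resolved, so it can be scripted. The following is an added example written for this article, not code from the original post or from the decompiled sample: it tokenizes the right-hand side of an AutoIt `&` concatenation, substitutes known variable and function values, and rewrites the assignment. The obfuscated names `$p` and `q()` and the values assigned to them are constructed for the demo; only `$mrxkokz` and `$vmunqnc` are taken from the article, and the article’s real values for the other pieces were recovered by hand, not by this script.

```javascript
// Added example, not code from the original article: fold an obfuscated AutoIt
// string-concatenation expression once its pieces are known. The environment
// below is constructed for the demo; it is not the ProfileVisitor sample's data.

// Split the right-hand side of an AutoIt `&` concatenation into string
// literals ("" or '' doubles a quote), $variables and zero-argument calls.
function tokenizeConcat(expr) {
  const tokens = [];
  const re = /\s*(?:(&)|"((?:[^"]|"")*)"|'((?:[^']|'')*)'|(\$[A-Za-z_]\w*)|([A-Za-z_]\w*)\(\s*\))\s*/y;
  let pos = 0;
  while (pos < expr.length) {
    re.lastIndex = pos;
    const m = re.exec(expr);
    if (!m) throw new Error(`unsupported syntax at offset ${pos}: ${expr.slice(pos, pos + 12)}`);
    pos = re.lastIndex;
    if (m[1] !== undefined) continue;                                     // the & operator
    if (m[2] !== undefined) tokens.push({ kind: "lit", value: m[2].replace(/""/g, '"') });
    else if (m[3] !== undefined) tokens.push({ kind: "lit", value: m[3].replace(/''/g, "'") });
    else if (m[4] !== undefined) tokens.push({ kind: "var", name: m[4] });
    else tokens.push({ kind: "call", name: m[5] });
  }
  return tokens;
}

// Join the pieces, substituting resolved values; anything still unknown is
// left as a <placeholder> and reported so the analyst knows what to chase next.
function foldConcat(expr, env) {
  const parts = [];
  const unresolved = [];
  for (const t of tokenizeConcat(expr)) {
    if (t.kind === "lit") parts.push(t.value);
    else if (t.kind === "var" && t.name in env.vars) parts.push(env.vars[t.name]);
    else if (t.kind === "call" && t.name in env.calls) parts.push(env.calls[t.name]);
    else { parts.push(`<${t.name}>`); unresolved.push(t.name); }
  }
  return { value: parts.join(""), unresolved };
}

// Rewrite `Local $x = $callee(<concat>)`: resolve a callee held in a variable
// and fold its argument, mirroring the article's manual before/after.
function foldAssignment(line, env) {
  const m = /^\s*(?:(?:Local|Global|Dim)\s+)?(\$\w+)\s*=\s*(\$?\w+)\s*\((.*)\)\s*$/.exec(line);
  if (!m) throw new Error("not an assignment of a call: " + line);
  const [, target, calleeRaw, args] = m;
  const callee = calleeRaw.startsWith("$") ? (env.vars[calleeRaw] || calleeRaw) : calleeRaw;
  const folded = foldConcat(args, env);
  if (callee.startsWith("$")) folded.unresolved.push(callee);
  return { target, rewritten: `Local ${target} = ${callee}(${folded.value})`, unresolved: folded.unresolved };
}

// Constructed environment: names and values invented for the demo.
const SAMPLE_ENV = {
  vars:  { "$vmunqnc": "Execute", "$p": "Str" },
  calls: { q: "M" },
};
const SAMPLE_LINE = 'Local $mrxkokz = $vmunqnc("" & $p & "ing" & "" & q() & "" & "id")';

console.log(foldAssignment(SAMPLE_LINE, SAMPLE_ENV).rewritten);
// prints: Local $mrxkokz = Execute(StringMid)
```

The `unresolved` list is the useful part in practice: run the folder over the script with an empty environment first, and it produces a worklist of the variables and functions whose values you still need to pin down before the strings fall out.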
2.5 Detailed Scanning of Executable File
Apart from PEStudio, ProfileVisitor is also uploaded to Manalyzer and Hybrid Analysis for a more detailed scan of Indicators of Attack (IoA). Hybrid Analysis maps the IoA to MITRE ATT&CK to highlight the tactics and techniques implemented in ProfileVisitor.
Next, we run ProfileVisitor in our lab system and, at the same time, try to verify manually some of the findings reported by Hybrid Analysis.
2.6 Registry Keys
After ProfileVisitor is executed, the registry keys it enumerates are listed in Process Monitor. ProfileVisitor enumerates registry keys (T1012 Query Registry) to identify system information such as the computer name and system language.
Process Monitor logs file system, registry, network and process activity. Because the activity recorded in Process Monitor for the execution of ProfileVisitor is limited, we proceed to reverse engineering.
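The registry reads seen in Process Monitor can be picked out of a saved capture automatically. The following is an added example written for this article, not code from the original post: it parses a Process Monitor CSV export and flags read operations on registry locations that reveal the computer name, system language, OS version or machine GUID, the kind of T1012 Query Registry behaviour observed above. The log lines are constructed for the demo (the key paths are real Windows locations); the process name reuses the article’s sample filename.

```javascript
// Added example, not code from the original article: scan a Process Monitor
// CSV export for registry reads that fingerprint the host (T1012 Query
// Registry). The log lines below are constructed for this demo.

// Registry locations commonly read to identify a host, with a human label.
const DISCOVERY_KEYS = [
  { label: "computer name",   re: /^HKLM\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\/i },
  { label: "system language", re: /^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\b/i },
  { label: "OS version",      re: /^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName$/i },
  { label: "machine GUID",    re: /^HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid$/i },
];
// Registry operations that read rather than write.
const READ_OPS = new Set(["RegOpenKey", "RegQueryKey", "RegQueryValue", "RegEnumKey", "RegEnumValue"]);

// Minimal CSV field splitter: handles quoted fields and doubled quotes, which
// Procmon's Detail column needs because it contains commas.
function parseCsvLine(line) {
  const fields = [];
  let cur = "", inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (inQuotes) {
      if (c === '"') { if (line[i + 1] === '"') { cur += '"'; i++; } else inQuotes = false; }
      else cur += c;
    } else if (c === '"') inQuotes = true;
    else if (c === ",") { fields.push(cur); cur = ""; }
    else cur += c;
  }
  fields.push(cur);
  return fields;
}

// Turn the export (header row first) into one object per event.
function parseProcmonCsv(text) {
  const lines = text.split(/\r?\n/).filter(l => l.trim() !== "");
  const header = parseCsvLine(lines[0]);
  return lines.slice(1).map(l => {
    const f = parseCsvLine(l);
    return Object.fromEntries(header.map((h, i) => [h, f[i] === undefined ? "" : f[i]]));
  });
}

// Return every read of a discovery key, tagged with what it reveals.
function findRegistryDiscovery(text) {
  const hits = [];
  for (const ev of parseProcmonCsv(text)) {
    if (!READ_OPS.has(ev["Operation"])) continue;
    const rule = DISCOVERY_KEYS.find(k => k.re.test(ev["Path"]));
    if (!rule) continue;
    hits.push({ process: ev["Process Name"], pid: ev["PID"], operation: ev["Operation"],
                path: ev["Path"], what: rule.label, technique: "T1012" });
  }
  return hits;
}

// Collapse hits to "process (PID)" -> sorted list of things it looked up.
function summarizeByProcess(hits) {
  const out = {};
  for (const h of hits) {
    const key = `${h.process} (PID ${h.pid})`;
    if (!out[key]) out[key] = new Set();
    out[key].add(h.what);
  }
  return Object.fromEntries(Object.entries(out).map(([k, s]) => [k, [...s].sort()]));
}

// Constructed Procmon export (not a real capture). Column order is the one
// Procmon writes with "Save as CSV".
const SAMPLE_CSV = String.raw`"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:02.1234567","visitors.heru.facebook.com.a32.exe","4212","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName","SUCCESS","Desired Access: Read"
"10:15:02.1234570","visitors.heru.facebook.com.a32.exe","4212","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName","SUCCESS","Type: REG_SZ, Length: 14, Data: LAB-PC"
"10:15:02.1234580","visitors.heru.facebook.com.a32.exe","4212","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language\Default","SUCCESS","Type: REG_SZ, Length: 10, Data: 0409"
"10:15:02.1234590","visitors.heru.facebook.com.a32.exe","4212","CreateFile","C:\Users\lab\AppData\Local\Temp\out.tmp","SUCCESS","Desired Access: Generic Write"
"10:15:02.1234600","explorer.exe","1180","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:15:02.1234610","explorer.exe","1180","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ, Length: 40, Data: Windows 10 Pro"`;

console.log(summarizeByProcess(findRegistryDiscovery(SAMPLE_CSV)));
```

Note the explorer.exe line in the sample: legitimate software reads these keys all the time, so a single hit is not a detection. The signal is the summary, a freshly downloaded, unsigned executable looking up several identity values in a row, which is why the code groups hits per process rather than alerting per line.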
2.7 Reverse Engineering
Although we could not fully recover the AutoIt script above, the program flow can still be identified by reverse engineering with Immunity Debugger. ProfileVisitor is now displayed in assembly language, and the program flow, with the corresponding memory addresses, is illustrated in the flow chart as well.
We will not debug ProfileVisitor step by step here; instead we take a quick look at what the assembly and memory addresses look like. Manual verification of some of the Hybrid Analysis findings above is conducted in Immunity Debugger:
In this article, we have demonstrated some techniques for analysing a web application and an executable file. In both areas, the adversary applies obfuscation to evade detection or to hinder reverse engineering of ProfileVisitor.