BokBot Malware

There are public reports about spreading of malware named as BokBot malware. This banking Trojan is modular in nature for performing different malicious activity on the victim machine. The Mode of spreading of this malware is through spear phishing attachment or link or via Emotet malware distribution.

• Once this malware reach on victim machine, it will decode the shell code from it, create its directory (at C:\ProgramData location) and executes from there.
• After malware got installed on victim machine, it will generate the system ID and Collect System information like Windows version information, User name, user SID, Member of a domain, LAN group.
• After that malware tries to build a connection with C2 controlled by the attacker. Once it successfully builds the connection with C2, it registers the victim on C2 with information it gathers from the previous step and starts performing malicious activity based upon the command it received from C2 controlled by attacker like Credential theft, Intercepting proxy, Remote control via VNC, updating of the malicious module of malware etc.
• The attacker used Process injection (i.e. svchost.exe) technique through which they used a legitimate process of system for performing their malicious activity and windows API so that they remain undetected for a long time. The IOC of attack strategy is listed for your action.
• Attacker created the task at system logon on the victim machine so that malware execute automatically whenever the victim logon the system.

Indicators of Compromise:

File Location

• C:\ProgramData\{P6A23L1G-A21G-2389-90A1 95812L5X9AB8}\ruizlfjkex.exe
• C:\ProgramData\yyyyyyyyiu\kthbnvxmadh.dat -- CredTheft Module
• C:\ProgramData\yyyyyyyyiu\qitradnbmxh.dat -- C2 Config
• C:\ProgramData\yyyyyyyyiu\thrfacxvby.dat -- Webinject Config
• C:\ProgramData\yyyyyyyyiu\etfakdexali.dat -- Reporting Config
• C:\ProgramData\yyyyyyyyiu\poqwhgchat.dat -- VNC Module
• C:\ProgramData\yyyyyyyyiu\ltoefacaky.dat -- Proxy Module
• Task Name: {Q6B23L1U-A32L-2389-90A1-95812L5X9AB8} is created at system logon

Hashes

• 87d37bc073d4d045d29e9c95806c7dcf83677697148e6b901c7a46ea7df55
• 2c331edaadd4105ce5302621b9ebe6808aecb787dd73da0b63882c709b63ce48
• 7e05d6bf0a28233aa0d0abfa220ef8834a147f341820d6159518c9f46f5671b7
• 961f7bada0c37c16e5ae7547d9b14b08988942af8d4a155ad28e224ece4fa98e

Best Practise and Recommendations:

• Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization's website directly through the browser.
• Restrict execution of Power shell /WSCRIPT in enterprise environment Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled. Script block logging, and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
  Reference: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
• Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
• Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.

References:

• https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/