Day 60: Windows API Use in SpyEye Banking Trojan

Why am I breaking down malware API use? Not to get into blue team work, but to understand how we can make our red team endeavours even better. And btw, I got this info from a great write-up!

First, the bot checks whether it is running from the directory it wants by calling GetModuleFileNameA. GetModuleFileNameA retrieves the fully qualified path of the file that contains the specified module; passing NULL for hModule returns the path of the calling process's own executable, which is how the bot locates itself.

DWORD GetModuleFileNameA(HMODULE hModule, LPSTR lpFilename, DWORD nSize);

Next, if it is not running where it wants to, it creates a home directory with CreateDirectoryA.

BOOL CreateDirectoryA(LPCSTR lpPathName, LPSECURITY_ATTRIBUTES lpSecurityAttributes);

CreateDirectoryA creates a new directory. If the underlying file system supports security on files and directories, the function applies a specified security descriptor to the new directory.

After this, it downloads the latest executable with:

InternetOpenA("Microsoft Internet Explorer"), InternetOpenUrlA(INTERNET_FLAG_NO_CACHE_WRITE), InternetQueryDataAvailable, and InternetReadFile.

InternetOpenA initializes an application's use of the WinINet functions; the string it is given here ("Microsoft Internet Explorer") becomes the User-Agent of the download. InternetOpenUrlA opens a resource specified by a complete FTP or HTTP URL. InternetQueryDataAvailable queries the server to determine the amount of data available. InternetReadFile reads data from a handle opened by the InternetOpenUrl, FtpOpenFile, or HttpOpenRequest function.

After the update, the bot calls CreateMutexA in order to force any running instances of the bot to unload.

CreateMutexA("__CLEANSWEEP_UNINSTALL__")

Next, it uses CreateProcessA to launch a new process from the updated binary.

BOOL CreateProcessA(
LPCSTR lpApplicationName,
LPSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCSTR lpCurrentDirectory,
LPSTARTUPINFOA lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
);

CreateProcessA creates a new process and its primary thread. The new process runs in the security context of the calling process.

Next (or directly, if the bot was already running where it wanted to be), it discovers processes of interest using CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS), Process32First, and Process32Next.

allProcesses = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

CreateToolhelp32Snapshot takes a snapshot of the specified processes, as well as the heaps, modules, and threads used by these processes.

Process32First retrieves information about the first process encountered in a system snapshot.

Process32Next retrieves information about the next process recorded in a system snapshot.

CreateRemoteThread creates a thread that runs in the virtual address space of another process.
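As an added example (not code from the original post or the write-up it cites), here is a small Python matcher that walks a constructed, sandbox-style API call trace and reports which stages of the sequence above appear, in the order the post describes; the trace format (one dict per call with api and args), the stage names and the sample traces are my assumptions for illustration.

```python
import re
# (stage, APIs that satisfy it, optional regex one argument must match), in the post's order.
STAGES = [
    ("locate self",     {"GetModuleFileNameA", "GetModuleFileNameW"}, None),
    ("create home dir", {"CreateDirectoryA", "CreateDirectoryW"}, None),
    ("download update", {"InternetOpenUrlA", "InternetOpenUrlW"}, None),
    ("signal unload",   {"CreateMutexA", "CreateMutexW"}, r"__CLEANSWEEP_UNINSTALL__"),
    ("run update",      {"CreateProcessA", "CreateProcessW"}, None),
    ("enumerate procs", {"CreateToolhelp32Snapshot"}, r"^(TH32CS_SNAPPROCESS|0x0*2)$"),
    ("inject",          {"CreateRemoteThread", "CreateRemoteThreadEx"}, None),
]

def match_stages(trace):
    """Stage names seen in order; stages may be skipped (the bot skips the update branch when already home) but never revisited."""
    matched, start = [], 0
    for call in trace:
        for i in range(start, len(STAGES)):
            name, apis, arg_re = STAGES[i]
            if call["api"] in apis and (arg_re is None or any(
                    re.search(arg_re, str(a)) for a in call.get("args", []))):
                matched.append(name)
                start = i + 1
                break
    return matched

def classify(trace):
    """Hard indicator first, then the behavioural shape of the sequence."""
    stages = match_stages(trace)
    if "signal unload" in stages:
        return "spyeye-like"   # the mutex name itself is a unique marker
    if "inject" in stages and len(stages) >= 3:
        return "suspicious"    # locate/enumerate/inject shape, mutex absent
    return "benign"

# Constructed sandbox-style traces (not real samples); paths and URLs are placeholders.
INFECTED = [
    {"api": "GetModuleFileNameA", "args": ["0", "C:\\Users\\u\\Downloads\\setup.exe"]},
    {"api": "CreateDirectoryA", "args": ["C:\\Users\\u\\AppData\\Roaming\\home", "NULL"]},
    {"api": "InternetOpenUrlA", "args": ["http://example.invalid/update.bin", "INTERNET_FLAG_NO_CACHE_WRITE"]},
    {"api": "CreateMutexA", "args": ["NULL", "FALSE", "__CLEANSWEEP_UNINSTALL__"]},
    {"api": "CreateProcessA", "args": ["C:\\Users\\u\\AppData\\Roaming\\home\\update.exe"]},
    {"api": "CreateToolhelp32Snapshot", "args": ["TH32CS_SNAPPROCESS", "0"]},
    {"api": "CreateRemoteThread", "args": []},
]
UPDATER = [  # an ordinary self-updater: download and relaunch, nothing more
    {"api": "GetModuleFileNameA", "args": ["0", "C:\\Program Files\\App\\app.exe"]},
    {"api": "InternetOpenUrlA", "args": ["http://example.invalid/app.msi", "0"]},
    {"api": "CreateProcessA", "args": ["msiexec.exe"]},
]
```

A plain updater shares three of the stages but never the mutex name or the snapshot-then-remote-thread tail, which is why the verdict keys on those rather than on the download alone.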

TBC…