
Tuesday, March 31, 2015

Wikileaks Malware Analysis Continued

Yesterday I released a blog post in which I explained that at least one Wikileaks property,, is distributing a series of malicious programs as part of a torrent file dump related to the Global Intelligence Files retrieved from Stratfor by Jeremy Hammond and several others.

I am slowly going through the malicious files in order to better understand what they are attempting to do. The work primarily involves extracting Visual Basic macros and OLE structures from documents, then disassembling the executables scraped from the payload documents. Even for files using well documented exploits, as many of these files do, this is slow-going and tedious work, and I invite readers experienced in security research to contact me to offer assistance.
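As an added example (not code from the original post), here is a pure-Python triage routine for the first step described above: it walks the sector chain of an OLE compound document, lists its storages and streams, and flags the names that mark an embedded VBA project. It parses only the header DIFAT (enough for documents under roughly 6 MB); the sample document is constructed inline, and real attachments would be read from disk.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
TYPE_NAMES = {1: "storage", 2: "stream", 5: "root"}
# Storage/stream names that mark an embedded VBA project (Word uses "Macros", Excel "_VBA_PROJECT_CUR").
MACRO_MARKERS = {"Macros", "VBA", "_VBA_PROJECT_CUR", "_VBA_PROJECT"}

def ole_directory(data):
    """Walk the compound-file FAT and list (name, type) for each allocated directory entry."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    sector = lambda n: data[(n + 1) * sector_size:(n + 2) * sector_size]
    fat = []  # the header DIFAT lists up to 109 FAT sectors; larger files chain extra DIFAT sectors (not handled)
    for i in range(min(n_fat, 109)):
        fat.extend(struct.unpack(f"<{sector_size // 4}I", sector(struct.unpack_from("<I", data, 76 + 4 * i)[0])))
    entries, sect, seen = [], first_dir, set()
    while sect < len(fat) and sect not in seen:  # 'seen' stops a crafted cyclic chain; ENDOFCHAIN fails the bound
        seen.add(sect)
        chunk = sector(sect)
        for off in range(0, len(chunk) - 127, 128):  # 128-byte directory entries
            name_len, obj_type = struct.unpack_from("<HB", chunk, off + 64)
            if obj_type in TYPE_NAMES and 2 <= name_len <= 64:  # UTF-16LE name incl. 2-byte terminator
                entries.append((chunk[off:off + name_len - 2].decode("utf-16-le", "replace"), TYPE_NAMES[obj_type]))
        sect = fat[sect]
    return entries

def has_vba_project(data):
    return any(name in MACRO_MARKERS for name, _ in ole_directory(data))

def build_sample_doc():
    """Constructed minimal OLE image: header, one FAT sector, one directory sector holding a VBA tree."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)      # minor, major, byte order, sector shift 9, mini shift
    struct.pack_into("<II", header, 44, 1, 1)                          # one FAT sector; directory chain starts at sector 1
    struct.pack_into("<IIII", header, 56, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)  # mini-stream cutoff, no mini FAT, no DIFAT sectors
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))      # DIFAT[0]: the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    def entry(name, obj_type, child):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e = bytearray(128); e[:len(raw)] = raw
        struct.pack_into("<HBBIII", e, 64, len(raw), obj_type, 1, NOSTREAM, NOSTREAM, child)  # len, type, colour, siblings, child
        return bytes(e)
    return bytes(header) + fat + entry("Root Entry", 5, 1) + entry("Macros", 1, 2) + entry("VBA", 1, 3) + entry("_VBA_PROJECT", 2, NOSTREAM)

if __name__ == "__main__":
    print(ole_directory(build_sample_doc()), has_vba_project(build_sample_doc()))
```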

One such executable retrieved from the Stratfor files is gifiles-2014\gifiles\attach\151\ As with the files reviewed yesterday, this was retrieved from the gifiles-2014.tar.gz.torrent file downloaded from, which resides on the same servers as I have disassembled this executable using Heaven Tools' PE Explorer and Hex-Rays IDA. From that I have determined that the file contains a variant of the Magistr worm. However, this version seems to have a number of unique features that I have not seen in the literature concerning Magistr (NOTE: there are numerous versions of this worm, and this one has likely been seen before by someone).

The program makes use of the following DLLs to call its various functions:


The program adds an entry for itself in the Microsoft Connection Manager Phone Books and uses that entry to establish both FTP and HTTP connections. I am still working on where the connections head to.
The program loads the MSCM Phone Book
Connection Manager is used to establish an FTP connection and transfer files
HTTP connections are established as well
The malicious program appears to pass itself off as a program called iPassConnect by creating references to the following:


Here is one such reference:

PBUPDATE.EXE is associated with iPassConnect
I will continue testing this application and update this post when I nail down where these connections go.

I am more than happy to share more comprehensive information concerning my research, so feel free to email me if you would like to help out.

I have also contacted Wikileaks (to the best of my ability) to warn them of the dangerous files being distributed on For a number of reasons they are not the easiest people to get ahold of, particularly in relation to technical issues, and I do not know anyone directly affiliated with the group. If someone reading this post does have a more direct means of communication with Wikileaks, please provide them with this information ASAP!
