Analyzing Location-Based Malware with Geo Anonymization

Malware authors regularly create campaigns that target victims in specific countries. Recent examples of location-based malware include two campaigns that delivered banking trojans to customers of financial institutions in Brazil and the Danabot campaign that targeted users in Australia and Europe. Such attacks are often meticulously crafted: the phishing emails and attachments are written in regional languages and reference local brands and organizations. The victim's location is most often gleaned from the computer's IP address. There are several reasons for targeting users or organizations in a specific geography:

  • To maximize the returns per victim in a financially motivated attack
  • To disrupt important services in a specific country
  • To increase the lifespan of the malware before it is detected

By revealing its malicious behavior only when executed on systems located in a specific geography, location-based malware can evade cloud-based sandboxes that perform their analyses on systems outside that country. In response to these geo-location evasion techniques, we have added geo-anonymization to VMRay Analyzer in order to reveal the full behavior of location-based malware.

In this blog post, we will analyze a malware sample from our archives that exhibits location-based behavior and will show how the sample behaves differently in different geographies.


Analyzing Location-Based Malware

The sample is a Word document with a highly obfuscated macro. By deobfuscating the macro, we were able to understand the various sandbox evasion mechanisms and location checks in place.

The sample first tries to determine whether it is running inside a sandbox by checking the recent files count. The assumption here is that a normal system will have several recently used files, whereas a sandbox will not.

Figure 1: Sample checking the recent files count to determine if it is inside a sandbox

The sample then makes a series of API calls to the legitimate IP-intelligence service Maxmind to gather location information.

Figure 2: Sample requesting Maxmind for location information based on its IP address

Maxmind returns a JSON document with location information associated with the IP address. The typical JSON response is shown in Figure 3.

Figure 3: Typical response by the Maxmind service to a location query based on IP address

The sample compares the response against a set of strings that includes names of security companies, countries and some other keywords. Depending on whether or not a string is present in the response, the sample behaves differently.

Figure 4: Strings used by the sample to determine behavior

One of the strings listed in Figure 4 is “”. With this information, we can assume that the sample will exhibit different behavior when executed in Russia.

Now we will use VMRay Analyzer’s Geo Anonymization feature to test this theory and see whether the sample does indeed behave differently when using a Russia-based IP address.
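To make the comparison in Figure 4 concrete, here is an added analyst-side example, not code from this post or from VMRay, that takes a deobfuscated keyword list and predicts which candidate egress countries will trip the sample's location check (dormant path) and which will let it run to completion. The keyword list, the GeoIP-style responses and the case-insensitive substring match are all assumptions constructed for the example.

```python
import json

# Constructed stand-in for the sample's deobfuscated string table (Figure 4).
# These values are placeholders chosen for the example, not the sample's real list.
SAMPLE_KEYWORDS = ["Russia", "ExampleSecurityVendor", "sandbox"]

# Constructed GeoIP-style responses, one per candidate egress country. The layout
# loosely follows a MaxMind city lookup (country names plus ISP/organization
# traits); every value here is made up for the example.
CANDIDATE_RESPONSES = {
    "DE": json.dumps({
        "country": {"iso_code": "DE", "names": {"en": "Germany", "ru": "Германия"}},
        "traits": {"isp": "Example Telekom", "organization": "Example Telekom"},
    }),
    "RU": json.dumps({
        "country": {"iso_code": "RU", "names": {"en": "Russia", "ru": "Россия"}},
        "traits": {"isp": "Example ISP", "organization": "Example ISP"},
    }),
    "US": json.dumps({
        "country": {"iso_code": "US", "names": {"en": "United States"}},
        "traits": {"isp": "Example Cloud", "organization": "ExampleSecurityVendor Inc"},
    }),
}


def matched_keywords(response_text, keywords):
    """Return the keywords found anywhere in the raw response text.

    A case-insensitive substring match over the whole body is assumed here: it is
    the crudest check a macro can make and therefore a safe lower bound when
    predicting which responses will trip the sample's branch.
    """
    haystack = response_text.lower()
    return [kw for kw in keywords if kw.lower() in haystack]


def plan_egress(responses, keywords):
    """Map each candidate egress country to the keywords its response would match."""
    return {cc: matched_keywords(text, keywords) for cc, text in responses.items()}


def countries_revealing_full_behavior(responses, keywords):
    """Egress countries whose response matches nothing, i.e. where the sample is
    expected to proceed past the location check and show its full behavior."""
    return sorted(cc for cc, hits in plan_egress(responses, keywords).items() if not hits)


if __name__ == "__main__":
    for cc, hits in plan_egress(CANDIDATE_RESPONSES, SAMPLE_KEYWORDS).items():
        print(cc, "dormant path" if hits else "full behavior", hits)
```

Run against the constructed responses, Germany is the only egress country that matches none of the keywords, which is the country an analyst would pick first to observe the sample's full behavior; the US response is tripped by the vendor name in its organization trait, not by the country.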


Introducing VMRay Analyzer’s Geo Anonymization

VMRay Analyzer’s Geo Anonymization feature redirects internet traffic through a country specified by the user at the time of submission. Users can choose an exit node from a list of over 40 countries when they submit a sample.

In this analysis, we will analyze the sample with two different countries (Germany and Russia) as egress points.

Figure 5: Submission with different egress points

The analysis results reveal that the sample does indeed behave differently in Russia. When executed in Russia, the sample simply shuts down after obtaining the location information. When executed in a different country (Germany in this case), it goes on to contact a blacklisted remote server and attempts to download a malicious payload.

Figure 6: Network activity based on country of execution: Russia (left), Germany (right)

We confirm this by re-examining the deobfuscated macro. Figure 7 shows the two checks related to the recently used files count and location. Only when both these conditions are met does the sample go on to download and execute the malicious payload.
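The side-by-side comparison in Figure 6 can be done mechanically. The following is an added example, not taken from this post or from VMRay Analyzer, that parses network logs from two egress countries and flags the geo-fencing pattern: both runs perform a GeoIP lookup, but only one of them goes on to contact any further host. The log lines and their format are constructed; geoip.maxmind.com is the hostname of MaxMind's web service, and the other hostnames are placeholders standing in for the blacklisted server.

```python
from urllib.parse import urlparse

# Hosts whose presence indicates a GeoIP lookup. geoip.maxmind.com is MaxMind's
# web-service host; any other lookup service you add is your own assumption.
GEO_LOOKUP_HOSTS = {"geoip.maxmind.com"}

# Constructed sandbox network logs, one list per egress country. Each line is
# "<time> <protocol> <verb> <target>"; the .invalid hosts are placeholders for
# the blacklisted server seen in the German run.
SANDBOX_LOGS = {
    "RU": [
        "12:00:01 dns query geoip.maxmind.com",
        "12:00:02 http GET https://geoip.maxmind.com/geoip/v2.1/city/me",
    ],
    "DE": [
        "12:00:01 dns query geoip.maxmind.com",
        "12:00:02 http GET https://geoip.maxmind.com/geoip/v2.1/city/me",
        "12:00:05 dns query payload-host.invalid",
        "12:00:06 http GET http://payload-host.invalid/update.bin",
    ],
}


def host_of(target):
    """Extract the hostname from a URL, or return a bare hostname unchanged."""
    return urlparse(target).hostname if "://" in target else target


def parse_line(line):
    """Split a constructed log line into (protocol, host)."""
    _time, proto, _verb, target = line.split(None, 3)
    return proto, host_of(target)


def hosts_after_geo_lookup(lines):
    """Return (lookup_seen, set of hosts contacted after the first GeoIP lookup)."""
    lookup_seen = False
    hosts = set()
    for line in lines:
        _proto, host = parse_line(line)
        if host in GEO_LOOKUP_HOSTS:
            lookup_seen = True
            continue
        if lookup_seen:
            hosts.add(host)
    return lookup_seen, hosts


def compare_egress(logs):
    """Compare per-country runs and report the geo-fencing pattern: every run
    performs a GeoIP lookup, but the hosts contacted afterwards differ by country."""
    per_cc = {cc: hosts_after_geo_lookup(lines) for cc, lines in logs.items()}
    lookup_seen = {cc: seen for cc, (seen, _hosts) in per_cc.items()}
    divergent = {}
    for cc, (_seen, hosts) in per_cc.items():
        others = set()
        for other_cc, (_s, other_hosts) in per_cc.items():
            if other_cc != cc:
                others |= other_hosts
        # Hosts only this country's run contacted after its location check.
        divergent[cc] = sorted(hosts - others)
    geo_fenced = all(lookup_seen.values()) and any(divergent.values())
    return {
        "geo_lookup_seen": lookup_seen,
        "divergent_hosts": divergent,
        "geo_fenced": geo_fenced,
    }


if __name__ == "__main__":
    print(compare_egress(SANDBOX_LOGS))
```

On the constructed logs the Russian run contacts nothing after the lookup while the German run goes on to the placeholder payload host, so the report marks the sample as geo-fenced and names the host that only appears from Germany; that divergent host is the indicator worth blocking and hunting for.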

Figure 7: Sample functions to check the recent files count and location

Figure 8 shows the code that downloads the payload from the blacklisted URL.

Figure 8: Sample function to download the malicious payload from a blacklisted URL

This is a good example of a location-based malware sample that exhibits different behavior in a specific country. Analyzing such malware on systems outside the relevant country will not reveal its full behavior, especially when the malware has built-in location checks. VMRay Analyzer’s Geo Anonymization feature enables users to route traffic through the country of their choice, revealing the full behavior of geo-targeted malware.