A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #31421  by Aura
 Sat Apr 07, 2018 4:15 pm
That rootkit has been running rampant for a bit over a year now I would say. There's still no real technical write up of it, and the only articles about it can be found on BleepingComputer.

https://www.bleepingcomputer.com/virus- ... -use-error
https://www.bleepingcomputer.com/news/s ... -software/
https://www.bleepingcomputer.com/virus- ... ce-rootkit

SmartService prevents any security software from running: Antivirus, Antimalware, Firewall, you name it. You can get some programs to run, but they won't detect anything (it's a rootkit after all).

IOCs:
Code: Select all
Multiple randomly named folders in %LocalAppData%, following this pattern:
%LocalAppData%\$7_RAND_CHAR
Examples:
%LocalAppData%\cgkepoh
%LocalAppData%\pwnzghb
%LocalAppData%\upsciml

%LocalAppData%\wmcagent
%LocalAppData%\wmcagent\wmcagent.exe
%LocalAppData%\wmcagent\wow_helper.exe
%AppData%\et
C:\Windows\System32\drivers\$8_RAND_CHAR.sys (ie: wimbehlo.sys)
C:\Windows\System32\drivers\msidntfs.sys
C:\Windows\System32\*******svc.exe (ie: msapibhsvc.exe)
C:\Windows\System32\$RAND_FOLDER
C:\Windows\SysWoW64\$RAND_FOLDER

HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\$6_RAND_CHAR (calls the $8_RAND_CHAR.sys driver)
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\msidntfs
IOCs from a FRST log:
https://www.bleepingcomputer.com/forums ... oval-help/
Code: Select all
(TOSHIBA CORPORATION) C:\Windows\System32\msapibhsvc.exe
() C:\Users\netdisk\AppData\Local\wmcagent\wmcagent.exe
() C:\Users\netdisk\AppData\Local\upsciml\iacdkvb.exe
HKLM\SYSTEM\CurrentControlSet\Services\klgpmctx <==== ATTENTION (Rootkit!)
2018-03-23 14:38 - 2018-03-23 14:38 - 000145232 ____N C:\WINDOWS\system32\Drivers\wimbehlo.sys
2018-03-23 10:08 - 2018-03-23 10:09 - 000000000 ____D C:\Users\netdisk\AppData\Local\wmcagent
2018-03-09 11:55 - 2018-03-10 19:49 - 000000000 ____D C:\Users\netdisk\AppData\Local\pwnzghb
2018-02-26 18:00 - 2018-03-23 15:10 - 000000000 ____D C:\Users\netdisk\AppData\Local\upsciml
2018-02-26 18:00 - 2018-02-26 18:00 - 000000000 ____D C:\Users\netdisk\AppData\Local\cgkepoh
2018-02-26 17:58 - 2018-03-23 14:39 - 002888704 _____ (TOSHIBA CORPORATION) C:\WINDOWS\system32\msapibhsvc.exe
2018-02-26 17:58 - 2018-02-26 17:58 - 000000000 ____D C:\WINDOWS\SysWOW64\dwhkoea
2018-02-26 17:58 - 2018-02-26 17:58 - 000000000 ____D C:\WINDOWS\system32\dwhkoea
2018-02-26 17:58 - 2018-02-26 17:58 - 000000000 ____D C:\Users\netdisk\AppData\Roaming\et
C:\WINDOWS\system32\drivers\wimbehlo.sys -> Access Denied <======= ATTENTION
The driver gets renamed on every restart, but the first three letters of the driver filename always stays the same (so in the example I provided above, it'll be renamed to wim****.sys).

Note that SmartService is almost always delivered with Trojan.Yelloader (Malwarebytes definition), so some folders belongs to it (the ones in %LocalAppData%, which contains a Chromium-based program used as a clicker).

Of all the threads I've worked on with this infection, I can almost never find a dropper for it. Though I'll keep an eye open and provide one if I can.

This being said, I'm just creating this thread to start a discussion about this rootkit, since there's not a lot of information about it and I think there should be, as the malware removal forums are flooded with SmartService infection.

I'm currently working on a few threads with SmartService and I'll grab fresh samples of all the files I listed above and attach them here. If there's anything specific you need, just let me know.

Edit: Just saw that Windows Defender is flagging SmartService as Trojan:Win64/Detrahere. The Technical information tab provides more information.

https://www.microsoft.com/en-us/wdsi/th ... /Detrahere
Last edited by Aura on Sat Apr 07, 2018 8:32 pm, edited 1 time in total.
 #31422  by Aura
 Sat Apr 07, 2018 8:23 pm
Alright, here are some samples for you guys.

%LocalAppData%\$7_RAND_CHAR
redcxgb.exe: https://www.virustotal.com/#/file/07dea ... /detection (Trojan.Yelloader)

%LocalAppData%\wmcagent
wmcagent.exe: https://www.virustotal.com/#/file/b7821 ... /detection
wow_helper.exe: https://www.virustotal.com/#/file/1f910 ... /detection

C:\Windows\System32\*******svc.exe
uprhcldsvc.exe: https://www.virustotal.com/#/file/bbd8f ... /detection

All these were located inside the C:\Windows\system32\$RAND_FOLDER
coihbpz.exe: https://www.virustotal.com/#/file/2b713 ... /detection
coihbpz.sys: https://www.virustotal.com/#/file/175a2 ... /detection
coihbpzdrv.sys: https://www.virustotal.com/#/file/54470 ... /detection

Apparently the user isn't able to get the main .sys driver (SmartService). Working with him to get it.

Also, here's a list of the whole FRST Quarantine I got from that system, if it gives you more insight. Be aware that there were other payloads on the system other than SmartService and Yelloader.

Usual password for the archive.

Edit: And we finally have the driver!

iahzcfim.sys: https://www.virustotal.com/#/file/75e76 ... /detection
Attachments
(54.4 KiB) Downloaded 43 times
(1.19 MiB) Downloaded 28 times
(2.7 MiB) Downloaded 51 times