MSRT April release features Bedep detection

January 23, 2017 admin Angler Exploit Kit, Axpergle, backdoor, Bedep, Bedep geodistribution, Dofoil, Macro-based malware, maps, Microsoft Active Protection Service, Microsoft Edge, Microsoft Edge SmartScreen protection, MSRT, smartscreen, Trojan, Ursnif, Win32/Dofoil, Win32/Fareit, Windows Defender, Windows Defender blogs for home users and small businesses, Zemot

As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this April will include detections for:

Win32/Bedep – Trojan family
Win32/Upatre – Trojan family
Ransom:MSIL/Samas – Ransomware family

In this blog, we’ll focus on the Bedep family of trojans.

The bothersome Bedep

Win32/Bedep was first detected in November 25, 2014 as a malware family made up of DLLs which has been distributed by Angler Exploit Kit. Microsoft detects Angler as:

JS/Axpergle and HTML/Axpergle have been known to carry and drop Bedep around by redirecting unsuspecting users to compromised websites.

Bedep is bothersome not only because it is carried around by an exploit kit, but because it also connects to a remote server to do the nasty:

Download other malware, such as:

All of the above malware families have these in common: they steal your personal information and send them to the hacker, watch what you do online, drops other malware onto your PC, and update them too.

Collect information about your PC to send it off to the malware perpetrator
Update the downloaded malware

The good thing is, Windows Defender detects and removes Bedep and its variants.

This threat has been prevalent in North America, and various parts of Latin America, Europe, and Southeast Asia.

Figure 1: The map shows Win32/Bedep’s prevalence in North America, Latin America, Europe, and South East Asia in the last six months.

Figure 2: The pie chart shows the Bedep distribution among the top 10 countries for the past six months

The exploit shellcode sometimes loads Bedep directly in the memory from the Angler Exploit Kit, without being written to disk. However, it gets written to disk at other times.

It can either be installed as 32bit DLL (Backdoor:Win32/Bedep.A) or 64bit DLL (Backdoor:Win64/Bedep.A), depending on the affected Windows OS version.

This threat is initially loaded by shellcode running in an exploited browser process (for example, iexplore.exe). Then, the threat downloads a copy of itself and injects that into explorer.exe.

We have observed that the first exploit is not enough. The attacker needs more exploits to bypass the OS or browser’s layered defenses. As a precaution, you should always be careful on clicking the User Account Control (UAC) prompts.

We’ve also seen that Bedep can drop itself as %ProgramData%<{CLSID}><filename>.dll

Example path and file names: C:ProgramData{9A88E103-A20A-4EA5-8636-C73B709A5BF8}acledit.dll.

It then creates the following registry entries:

In subkey: HKEY_CURRENT_USERCLSID%Random CLSID%InprocServer32

Example: HKEY_CURRENT_USERCLSID{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}InprocServer32

Sets value: “ThreadingModel“

With data: “Apartment“

Sets value: “”

With data: %Bedep Filename%

Example: “C:ProgramData{9A88E103-A20A-4EA5-8636-C73B709A5BF8}acledit.dll“

In subkey: HKEY_CURRENT_USERDriveShellExFolderExtensions%Random CLSID%

Example: HKEY_CURRENT_USERDriveShellExFolderExtensions{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}

Sets value: “DriveMask“

With data: dword:ffffffff

For details about various Bedep variants, see the following malware encyclopedia entries:

Mitigation and prevention

To help stay protected from Bedep and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:

Block the IP addresses of the corresponding compromised websites soon as the administrator identifies the list of sites that Bedep maliciously redirects into.
Always be careful on clicking the User Account Control (UAC) prompts.
Use Microsoft Edge to get SmartScreen protection. It will prevent you from browsing sites that are known to be hosting exploits, and protect you from socially-engineered attacks such as phishing and malware downloads.
Disable the loading of macros in Office programs
Disable macro loading through the Group Policy settings.
Keep your software up-to-date to mitigate possible software exploits.
Protect derived domain credentials with Credential Guard for Windows 10 Enterprise.
Secure your code integrity with Device Guard for Windows 10 Enterprise.
Secure the lateral account movement in your enterprise.
Use two-factor authentication with Microsoft Passport and Windows Hello.
Ensure that a strong password policy is implemented throughout the enterprise.

Jonathan San Jose

MMPC

https://blogs.technet.microsoft.com/mmpc/feed/