Elusive HanJuan EK Drops New Tinba Version (updated)

Thursday, June 25, 2015



Update: Dutch security firm Fox-IT has identified the payload as a new version of Tinba, a well-known piece of banking malware.

In this post, we describe a malvertising attack spread via a URL shortener leading to HanJuan EK, a rather elusive exploit kit which in the past was used to deliver a Flash Player zero-day.

Oftentimes cyber-criminals will use URL shorteners to disguise malicious links. In this particular case, however, it is an advertisement embedded within the URL shortener service itself that leads to the malicious site.

It all begins with Adf.ly which uses interstitial advertising, a technique where adverts are displayed on the page for a few seconds before the user is taken to the actual content.


Following a complex malvertising redirection chain, the HanJuan EK is loaded and fires Flash Player and Internet Explorer exploits before dropping a payload onto disk.

The payload we collected uses several layers of encryption within the binary itself but also in its communications with its Command and Control server.

The purpose of this Trojan is information stealing performed by hooking the browser to act as a man-in-the-middle and grab passwords and other sensitive data.

Technical details

Malvertising chain


The first four sessions load the interstitial ad via an encoded JavaScript blurb:


Google Chrome’s JavaScript console can help us quickly identify the redirection call without going through a painful decoding process:


Subsequent redirections:




The next three sessions were somewhat different from the rest and an actual connection between them could not be established right away. A deeper look revealed that the intended URL was loaded via Cross Origin Resource Sharing (CORS).

"Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts, JavaScript, etc.) on a web page to be requested from another domain outside the domain from which the resource originated." (Wikipedia)


Content is retrieved from the adk2.com ad network via a cross-origin request, the ad server replying with an Access-Control-Allow-Origin header that permits the requesting origin.
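The analytic point above is that a CORS hop leaves no Referer or Location link between sessions, only an Origin request header answered by Access-Control-Allow-Origin. The following added example (not code from the original post) reconstructs a redirection chain from captured sessions by trying redirect, Referer and CORS links in turn; the sessions are constructed and the paths are placeholders.

```python
# Added example: link captured HTTP sessions into a redirection chain,
# treating Origin <-> Access-Control-Allow-Origin as a valid link.
# The capture below is constructed; URL paths are placeholders.
from urllib.parse import urlsplit

# (request URL, request headers, response headers)
SESSIONS = [
    ("http://adf.ly/example", {}, {"Location": "http://ads.example/interstitial"}),
    ("http://ads.example/interstitial", {"Referer": "http://adf.ly/example"}, {}),
    # CORS hop: no Referer and no redirect, only Origin / ACAO headers
    ("http://adk2.com/serve", {"Origin": "http://ads.example"},
     {"Access-Control-Allow-Origin": "http://ads.example"}),
    ("http://youradexchange.com/tag", {"Referer": "http://adk2.com/serve"}, {}),
]

def origin_of(url):
    """scheme://host[:port] of a URL, as a browser puts it in Origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def link_reason(prev, cur):
    """How session `cur` follows from `prev`, or None if it does not."""
    p_url, _, p_resp = prev
    c_url, c_req, c_resp = cur
    if p_resp.get("Location") == c_url:
        return "redirect"
    if c_req.get("Referer") == p_url:
        return "referer"
    # CORS: the page at prev fetches cur; the browser sends prev's origin,
    # and the server must echo it (or "*") in Access-Control-Allow-Origin.
    origin = c_req.get("Origin")
    acao = c_resp.get("Access-Control-Allow-Origin")
    if origin and origin == origin_of(p_url) and acao in (origin, "*"):
        return "cors"
    return None

def link_sessions(sessions):
    """Map each URL to (URL of the earlier session it follows, reason)."""
    links = {}
    for i, cur in enumerate(sessions):
        for j in range(i - 1, -1, -1):          # nearest earlier match wins
            reason = link_reason(sessions[j], cur)
            if reason:
                links[cur[0]] = (sessions[j][0], reason)
                break
    return links
```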

This takes us to the actual malvertising brought by youradexchange.com:


The inserted URL may look benign and it is indeed a genuine Joomla website but it has one caveat: It has been compromised and is used as the gate to the exploit kit.


Exploit kit

The exploit kit pushed here looked different than what we are used to seeing (Angler EK, Fiesta EK, Magnitude EK, etc.). After some analysis and comparisons, we believe it is the HanJuan EK.

We have talked about HanJuan EK only very few times before because little is known about it. What we once described as the Unknown exploit kit, was in fact HanJuan and it has been extremely stealthy and evasive ever since.

And yet, here we found HanJuan EK hosted on a compromised website and with an easy way to trigger it on demand.


The landing page is divided into two main parts:

  • Code to launch a Flash exploit
  • Code to launch an Internet Explorer exploit

The filename for the Flash exploit is randomly generated each time, following patterns close to those of the original HanJuan we have observed before.

However, a new GET request session containing the Flash Player version in use is inserted right after the exploit is delivered.

Finally, the payload is delivered via another randomly generated URL and filename with a .dat extension. Contrary to previous versions of HanJuan where the payload was fileless, this one drops an actual binary to disk.

Fiddler traffic:


Landing page (raw):


Flash exploit (CVE-2015-0359):


The exploit performs a memory stack pivoting attack using the VirtualAllocEx API.

Internet Explorer exploit (CVE-2014-1776):


In this case we also have a memory stack pivoting exploit, but one that goes through the undocumented NtProtectVirtualMemory API.

Malwarebytes Anti-Exploit users were already protected against both these exploits:


Malware payload

The malware payload delivered has been identified by our research team as Trojan.Agent.Fobber. This name was derived from a folder called “Fobber” that’s used to store the malware along with its associated files.


Unlike a normal Windows program, Fobber makes it a habit to “hop” between different programs. The flow of execution for Fobber looks something like that seen below:


From what we have observed in our research, the purpose of the Fobber malware appears to be stealing user credentials for various accounts. While we have not confirmed any ties between Fobber and other known malware as of yet, we suspect it may be related to other information-stealing Trojans, like Carberp or Tinba.


This is the original file dropped by the exploit kit in the user’s temporary directory. The file itself has a random name, but will be referred to as fobber.exe in this article.

Fobber.exe is a mildly obfuscated program. The samples we have observed always attempt to open random registry keys, and then the malware performs a long sequence of jumps in an effort to create something like a “rabbit hole” for analysts to follow, slowing down analysis.


At the end of the jumps, the program decodes additional shellcode and creates a suspended instance of verclsid.exe. Verclsid.exe is a legitimate Microsoft program that is part of Windows, used to verify a Class ID. The shellcode is injected into verclsid.exe and fobber.exe then resumes execution of verclsid.exe. Below is an API trace of this behavior.


At this point fobber.exe terminates and the malware execution continues in verclsid.exe.

Verclsid.exe (Fobber shellcode)

The main purpose of the Fobber shellcode inside of this process is to retrieve the process ID (PID) of Windows Explorer (explorer.exe) and inject a thread into the process. Injecting code into Windows Explorer is a very common stealth technique that’s been used in malware for many years.

It is also worth noting that, starting with the Fobber shellcode inside of the verclsid process, the malware begins using an interesting unpacking technique designed to slow analysis, which is exhibited throughout the remainder of the Fobber malware’s operation.

Before a function can be executed, its code is first decrypted, as seen in the image below (notice the junk instructions following “decode_more”).


And then after the call, the instructions become clear.


Eventually, when the function wants to return, it calls a special procedure that uses a ROP gadget.


Inside the call seen above (“return_caller”), the return pointer is overwritten to point to the return pointer of the parent function (in this case, sub_41B21A). In addition, all the bytes of the function that was just executed have been re-encrypted, as seen below.


Such techniques can make the Fobber malware more difficult to analyze than traditional malware that unpacks the entire binary image at once. Similar functionality is also seen in many commercial protectors, like Themida.

In order to locate the PID of Explorer, the malware searches for a known window name of “Shell_TrayWnd” that’s used by the Explorer process.


The shellcode uses the undocumented function RtlAdjustPrivilege to grant verclsid.exe the SE_DEBUG_PRIVILEGE. This will allow verclsid.exe to inject code into Windows Explorer without any issues. Following this function, more shellcode is decrypted in memory and a remote thread is created inside Explorer.


Following successful injection, verclsid.exe terminates and the malware continues inside of Windows Explorer.

Explorer.exe (Fobber shellcode)

At this point the Fobber malware begins its main operations, to include establishing persistence on the victim computer, contacting the C&C server, and many more actions.

Fobber keeps a foothold on the victim computer by copying itself (fobber.exe) into an AppData folder called “Fobber” using the name nemre.exe. On a typical computer, this path might look like:


The binary is launched when a user logs in, using a traditional “Run” key entry in the registry.
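The three stages described above (a temp-directory dropper spawning verclsid.exe, verclsid.exe creating a remote thread in explorer.exe, and a Run key pointing into an AppData “Fobber” folder) each leave a distinct trace in process and registry telemetry. The following added detection example (not code from the original post) checks Sysmon-style events for them; the event records are constructed, and the field names mirror Sysmon's Process Create (ID 1), CreateRemoteThread (ID 8) and RegistryEvent Value Set (ID 13).

```python
# Added example: flag the Fobber execution and persistence chain in
# constructed Sysmon-style events (IDs 1, 8 and 13). The records are
# made up; user name, SID and dropper file name are placeholders.
import re

EVENTS = [  # constructed sample telemetry
    {"id": 1, "Image": r"C:\Windows\System32\verclsid.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\x7f3a.exe"},
    {"id": 8, "SourceImage": r"C:\Windows\System32\verclsid.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"id": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\nemre",
     "Details": r"C:\Users\bob\AppData\Roaming\Fobber\nemre.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\verclsid.exe",   # benign: Explorer
     "ParentImage": r"C:\Windows\explorer.exe"},               # verifying a CLSID
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
APPDATA_FOBBER = re.compile(r"\\AppData\\(Roaming|Local)\\Fobber\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return a finding for one event, or None if nothing matches."""
    if ev["id"] == 1 and basename(ev["Image"]) == "verclsid.exe" \
            and TEMP_DIR.search(ev["ParentImage"]):
        return "verclsid.exe started by an executable in %TEMP% (dropper stage)"
    if ev["id"] == 8 and basename(ev["SourceImage"]) == "verclsid.exe" \
            and basename(ev["TargetImage"]) == "explorer.exe":
        return "remote thread from verclsid.exe into explorer.exe (injection stage)"
    if ev["id"] == 13 and RUN_KEY.search(ev["TargetObject"]) \
            and APPDATA_FOBBER.search(ev["Details"]):
        return "Run key pointing into an AppData 'Fobber' folder (persistence stage)"
    return None

def findings(events):
    """(event index, finding) for every event that matches a stage."""
    out = []
    for i, ev in enumerate(events):
        f = check_event(ev)
        if f:
            out.append((i, f))
    return out
```

Any one stage alone (verclsid.exe spawned by Explorer, for instance) is normal; the value is in seeing the stages chained on one host in a short window.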

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
