Now that more and more people are aware of malware infections, users are less likely to run an untrusted executable file, unless the executable appears trustworthy: signed by a known company, for example, or shipped by a well-known software vendor. But even a signed executable file might not be safe to run.

Recently a lot of malware samples in China have been distributed together with a third-party executable, both to persuade the user to run them and to avoid detection by HIPS.

This malware consists of three files:

RealImage.exe is originally a part of the HaoZip archive utility distribution pack, and it carries a valid digital signature.

Zlib.dll is a dynamic link library (.dll) file whose exported functions are the same as those in the original zlib.dll.

And haotu.dat is a file filled with random binary data.

As expected, Zlib.dll is malicious, and because it is listed in RealImage.exe's import table it is loaded every time RealImage.exe is executed. The malicious code then copies the files mentioned above into the C:\Program Files\tupian folder, decrypts the .dat file into an executable file, creates a suspended notepad.exe process, calls NtUnmapViewOfSection to unmap the notepad.exe image from the process memory, maps its own decrypted exe image in its place, and resumes the process. The result is an online trading trojan running in the system.

The malicious Zlib.dll then needs RealImage.exe to be autostarted at system start so that it can persist in the system. Because of RealImage.exe's trusted digital signature, most HIPS allow the registry and file operations without prompting the user until Zlib.dll is detected.

We can see that this method is a normal .dll hijacking implementation, but instead of waiting for another program to load the DLL, it uses a trusted executable as a dummy to start the malicious code. The dummy executable has to be chosen carefully: it must have no other dependencies and show no UI before the malicious code is loaded. So far several signed executables have been used as the tragic dummy. Ironically, a file from one antivirus vendor is on the list.
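
An added example, not from the original post: a triage rule over image-load telemetry that flags the pattern described above, a signed host executable loading an unsigned DLL from its own directory. The record fields (`process`, `process_signed`, `module`, `module_signed`) are a hypothetical schema, and all sample events other than the RealImage.exe/Zlib.dll pair are constructed for illustration.

```python
import ntpath  # Windows path semantics regardless of the analysis host's OS

# Constructed sample records; field names are hypothetical, not a real log schema.
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files\tupian\RealImage.exe", "process_signed": True,
     "module": r"C:\PROGRAM FILES\tupian\Zlib.dll", "module_signed": False},
    {"process": r"C:\Program Files\tupian\RealImage.exe", "process_signed": True,
     "module": r"C:\Windows\System32\kernel32.dll", "module_signed": True},
    {"process": r"C:\Apps\Viewer\viewer.exe", "process_signed": True,
     "module": r"C:\Apps\Viewer\codec.dll", "module_signed": True},
    {"process": r"C:\Temp\tool.exe", "process_signed": False,
     "module": r"C:\Temp\helper.dll", "module_signed": False},
]


def _dir_key(path):
    """Directory of a Windows path, normalised for case-insensitive comparison."""
    return ntpath.normcase(ntpath.dirname(ntpath.normpath(path)))


def is_sideload_candidate(event):
    """True when a signed host loads an unsigned DLL from its own directory."""
    if not event["process_signed"] or event["module_signed"]:
        return False
    if not event["module"].lower().endswith(".dll"):
        return False
    return _dir_key(event["process"]) == _dir_key(event["module"])


def find_sideload_candidates(events):
    """Group flagged modules by host executable for analyst review."""
    hits = {}
    for ev in events:
        if is_sideload_candidate(ev):
            host = ntpath.normcase(ev["process"])
            hits.setdefault(host, set()).add(ntpath.basename(ev["module"]).lower())
    return {host: sorted(mods) for host, mods in hits.items()}


if __name__ == "__main__":
    for host, mods in find_sideload_candidates(SAMPLE_EVENTS).items():
        print(f"{host}: unsigned co-located modules {mods}")
```

Legitimate software also ships unsigned DLLs beside signed executables, so hits from this rule are leads for review; combining them with the autostart registration described above narrows the set.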

The malicious Zlib.dll and payload files are detected as Trojan horse PSW.Agent variants.

Note: HIPS stands for Host Intrusion Prevention System. This technology is implemented in the AVG Identity Protection component.

Franklin Zhao and Hynek Blinka