
Win32/Sasquor


First posted on 11 October 2016.
Source: Microsoft

Aliases :

There are no other names known for Win32/Sasquor.

Explanation :

Installation

This threat is usually installed through bundlers such as SoftwareBundler:Win32/Mizenota, SoftwareBundler:Win32/Prepscram, SoftwareBundler:Win32/InstallMonster, SoftwareBundler:Win32/ICLoader and SoftwareBundler:Win32/Dartsmound.

There are many variants of Sasquor and the family is regularly updated with new methods of installation and operation.

In general, it installs at least one service and one scheduled task, and changes search and homepage settings in Google Chrome and Mozilla Firefox.

On install, Sasquor usually writes several files to a new folder under %ProgramFiles%, for example:

  • %ProgramFiles%\Tilward\Atemuckdrobuge.dll
  • %ProgramFiles%\Tilward\gurechmng.dll
  • %ProgramFiles%\Tilward\libvlc.dll
  • %ProgramFiles%\Tilward\Mutsarurerck.dll
  • %ProgramFiles%\Tilward\pherner.exe
  • %ProgramFiles%\Tilward\Proxy64.dll


The folder and file names vary from one variant to the next. Often, at least one of the files written is a clean executable that Sasquor "hijacks" by writing its own code into a DLL that is constructed and named so that the clean executable will load it.

In the example above, pherner.exe is a copy of the VideoLAN file vlc.exe. When run, it looks for a DLL called libvlc.dll to load, and in doing so unwittingly loads the Sasquor DLL. As a result, many of Sasquor's functions appear to be performed by a clean vlc.exe process, when they are in fact carried out by code in the malware DLL that this process has loaded.

Different Sasquor variants use this technique with different clean executable files, not just vlc.exe. Other executables we have seen Sasquor abuse in this way include Stardock Corporation's DeElevate.exe, VersionCheckMe.exe from Apple, and Tencent's QQBrowser.exe.

The "hijacked" executable file is usually registered as a scheduled task, for example:

Name: Coiqerwardclotugh Cache
Description: Optimizes performance of Coiqerwardclotugh by caching commonly used font data.
Action: Run a program - "C:\Program Files (x86)\Tilward\pherner.exe" ddf33c6e-b496-4434-b287-560225683f9f
Triggers: Run every 2 hours


This scheduled task is configured to run from the SYSTEM account.

In addition, Sasquor usually creates one or more services, for example:

Name: Anovdomgaersy
Description: Optimizes performance of Coiqerwardclotugh by caching commonly used font data.
Path to executable: %SystemRoot%\system32\svchost.exe -k Anovdomgaersy
Startup type: Automatic

In this example, the service is configured to use svchost.exe to load the file C:\Program Files (x86)\Tilward\gurechmng.dll.
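The two persistence shapes just described (a scheduled task that runs a Program Files executable as SYSTEM, and a svchost.exe service group whose ServiceDll lives outside %SystemRoot%) can be hunted for with the following script. It is an added example, not code from the Microsoft write-up; it assumes an elevated PowerShell 5.1 or later session and that legitimate svchost groups load their DLLs from under %SystemRoot%.

```powershell
# Added example, not part of the Microsoft write-up: list scheduled tasks that run as
# SYSTEM from outside %SystemRoot% and svchost-hosted services whose ServiceDll lives
# outside %SystemRoot%. Run elevated, PowerShell 5.1+.
function Test-OutsideSystemRoot {
    param([string]$Path)
    if (-not $Path) { return $false }
    # Strip surrounding quotes and expand %SystemRoot%-style variables before comparing.
    $clean = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    return -not $clean.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
}

function Get-SuspiciousSystemTasks {
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -match '^(SYSTEM|S-1-5-18)$' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -and (Test-OutsideSystemRoot $action.Execute)) {
                [pscustomobject]@{
                    Task        = $task.TaskName
                    Execute     = $action.Execute
                    Arguments   = $action.Arguments      # Sasquor passes a GUID here
                    Description = $task.Description
                }
            }
        }
    }
}

function Get-SuspiciousSvchostServices {
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName -match 'svchost\.exe' } | ForEach-Object {
        $svc   = $_
        $group = if ($svc.PathName -match '-k\s+(\S+)') { $Matches[1] } else { '' }
        # The DLL a svchost group loads is recorded under the service's Parameters key.
        $params = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters" -ErrorAction SilentlyContinue
        if ($params -and (Test-OutsideSystemRoot $params.ServiceDll)) {
            [pscustomobject]@{
                Service     = $svc.Name
                Group       = $group
                StartMode   = $svc.StartMode
                ServiceDll  = $params.ServiceDll
                Description = $svc.Description
            }
        }
    }
}

Get-SuspiciousSystemTasks     | Format-Table -AutoSize
Get-SuspiciousSvchostServices | Format-Table -AutoSize
```

Any hit whose Description reads like the "Optimizes performance of ... by caching commonly used font data" text above, or whose Arguments is a bare GUID, deserves a closer look at the referenced binary.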

Some variants of Sasquor write an additional DLL that they install as a "ShellExecuteHook", for example:

%LOCALAPPDATA%\Microsoft\Windows\INetCookies\fhudom.dll

With the following registry entry modifications:
  • In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    Sets value: "{6710C780-E20E-4C49-A87D-321850ED3D7C}"
    With data: ""

  • In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Sets value: "EnableShellExecuteHooks"
    With data: "dword:00000001"

  • In subkey: HKEY_CLASSES_ROOT\CLSID\{6710C780-E20E-4C49-A87D-321850ED3D7C}\InProcServer32
    Sets value: "@"
    With data: "C:\\Users\\AdminUser\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\fhudom.dll"

  • In subkey: HKEY_CLASSES_ROOT\CLSID\{6710C780-E20E-4C49-A87D-321850ED3D7C}\InProcServer32
    Sets value: "ThreadingModel"
    With data: "Apartment"


This causes fhudom.dll to be automatically loaded by explorer.exe.
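The registry chain above (a CLSID listed under ShellExecuteHooks, the EnableShellExecuteHooks policy switched on, and the CLSID's InProcServer32 pointing at a DLL under %LOCALAPPDATA%) can be audited with the script below. It is an added example, not code from the Microsoft write-up; it assumes an elevated PowerShell 5.1 or later session.

```powershell
# Added example, not part of the Microsoft write-up: enumerate every ShellExecuteHook CLSID
# registered on this host, resolve it to its InProcServer32 DLL and report where that DLL
# lives and whether it carries a valid Authenticode signature. Run elevated, PowerShell 5.1+.
$hookKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-ShellExecuteHookReport {
    # Sasquor sets this policy value to 1; Explorer ignores registered hooks unless it is set.
    $policy = (Get-ItemProperty -Path $policyKey -Name EnableShellExecuteHooks -ErrorAction SilentlyContinue).EnableShellExecuteHooks
    Write-Host "EnableShellExecuteHooks policy: $(if ($null -eq $policy) { '<not set>' } else { $policy })"

    if (-not (Test-Path $hookKey)) { Write-Host 'No ShellExecuteHooks key present.'; return }

    foreach ($clsid in (Get-Item $hookKey).GetValueNames()) {
        # Each value name under ShellExecuteHooks is a CLSID; the value data itself is unused.
        $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue
        $dll    = if ($server) { [Environment]::ExpandEnvironmentVariables($server.'(default)') } else { $null }
        $status = 'NoInProcServer32'
        $signer = ''
        if ($dll -and (Test-Path $dll)) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status
            $signer = $sig.SignerCertificate.Subject
        }
        $inSystem32 = $dll -and $dll.StartsWith("$env:SystemRoot\System32", [StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{
            CLSID      = $clsid
            Dll        = $dll
            InSystem32 = [bool]$inSystem32
            Signature  = $status
            Signer     = $signer
            Threading  = $server.ThreadingModel
        }
    }
}

Get-ShellExecuteHookReport | Format-Table -AutoSize
```

A hook whose DLL sits under a user profile, as fhudom.dll does in the example above, and is unsigned is the pattern to triage first.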

Some variants of Sasquor can also write another DLL, called wtsapi32.dll, to the Google Chrome application folder, for example:

%ProgramFiles%\Google\Chrome\Application\wtsapi32.dll

When Chrome starts, it loads this wtsapi32.dll from its own folder instead of the copy it would normally load from the system folder.
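Both side-loading layouts on this page (a renamed, signed executable such as pherner.exe with a malicious DLL beside it, and a wtsapi32.dll planted next to chrome.exe) share one observable: a validly signed host executable sitting next to a DLL that is unsigned or signed by someone else. The following added example (not code from the Microsoft write-up) looks for that layout; $Roots is an assumption and can be widened to other install locations.

```powershell
# Added example, not part of the Microsoft write-up: find signed executables with an
# unsigned (or differently signed) DLL beside them, note when the executable has been
# renamed (VersionInfo.OriginalFilename differs from the file name, as pherner.exe is
# really vlc.exe), and check for a wtsapi32.dll copy in Chrome's application folder.
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) | Where-Object { $_ }

function Find-SideLoadCandidates {
    param([string[]]$Folders)
    foreach ($root in $Folders) {
        Get-ChildItem -Path $root -Filter *.exe -Recurse -Depth 3 -File -ErrorAction SilentlyContinue | ForEach-Object {
            $exe    = $_
            $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
            if ($exeSig.Status -ne 'Valid') { return }   # only clean, signed host executables are of interest here
            $exeSigner = $exeSig.SignerCertificate.Subject
            $original  = $exe.VersionInfo.OriginalFilename
            $renamed   = $original -and ($original -ne $exe.Name)
            foreach ($dll in Get-ChildItem -Path $exe.DirectoryName -Filter *.dll -File) {
                $dllSig = Get-AuthenticodeSignature -FilePath $dll.FullName
                # A DLL validly signed by the same publisher as the executable is expected; skip it.
                if ($dllSig.Status -eq 'Valid' -and $dllSig.SignerCertificate.Subject -eq $exeSigner) { continue }
                [pscustomobject]@{
                    Exe         = $exe.FullName
                    ExeSigner   = $exeSigner
                    RenamedFrom = if ($renamed) { $original } else { '' }
                    Dll         = $dll.Name
                    DllStatus   = $dllSig.Status
                }
            }
        }
    }
}

function Test-ChromeWtsapi32 {
    # wtsapi32.dll belongs in System32; a copy next to chrome.exe is the hijack described above.
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA)) {
        if (-not $root) { continue }
        $candidate = Join-Path $root 'Google\Chrome\Application\wtsapi32.dll'
        if (Test-Path $candidate) { $candidate }
    }
}

Find-SideLoadCandidates -Folders $Roots | Format-Table -AutoSize
Test-ChromeWtsapi32
```

Many legitimate installers ship unsigned helper DLLs, so treat the output as a triage list; a renamed executable plus an unsigned DLL in a folder with an invented name is the combination that matches this family.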

Payload
Modifies browser settings


Sasquor modifies browser settings with the aim of changing search engine and home page.

Chrome

The malware directly modifies Chrome's "Secure Preferences" file, usually found at this location:

%LOCALAPPDATA%\Google\Chrome\User Data\ChromeDefaultData\Secure Preferences

The settings it changes include the default search provider, home page and startup URLs, and it enables the home button. These changes take effect when Chrome is next launched.

Example modifications:

In addition to making these changes, some variants of Sasquor install a ShellExecuteHook DLL that is loaded by Explorer and modifies the command-line parameters passed to Chrome when it is run, adding a URL parameter.

This effectively overrides Chrome's own home page setting, as Chrome will load the URL passed to it through the parameter instead of whatever home page is specified in its settings.

Some variants also write a DLL called wtsapi32.dll to the Chrome application folder so that Chrome will load this when it runs. This DLL modifies the command-line string that Chrome sees when checking for parameters that were passed to it, again adding a URL that Chrome will load instead of the home page specified in Chrome's settings.

Some variants of Sasquor modify browser shortcuts (such as those on the desktop and in the start menu) for Chrome and Firefox.

These modifications can also cause an extra URL parameter to get passed to Chrome or Firefox, again overriding the browser's own home page settings.
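To see what the browser-settings changes described above actually look like on a host, the following added example (not code from the Microsoft write-up) reads the fields Sasquor edits in Chrome's Secure Preferences and lists Chrome or Firefox shortcuts whose arguments carry a URL. $ProfileDir is an assumption taken from the ChromeDefaultData path shown above; the preference key names follow Chrome's layout and should be verified against your own profile.

```powershell
# Added example, not part of the Microsoft write-up: report the Secure Preferences fields
# this family changes, and find browser shortcuts that pass a URL on the command line.
$ProfileDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\ChromeDefaultData'   # assumption

function Get-ChromeStartupSettings {
    param([string]$Profile)
    $file = Join-Path $Profile 'Secure Preferences'
    if (-not (Test-Path $file)) { return }
    $p = Get-Content -Path $file -Raw | ConvertFrom-Json
    # Key names follow Chrome's preference layout; any URL you do not recognise here is worth a look.
    [pscustomobject]@{
        HomePage        = $p.homepage
        HomeButtonShown = $p.browser.show_home_button
        RestoreOnStart  = $p.session.restore_on_startup      # 4 = open the startup_urls list
        StartupUrls     = ($p.session.startup_urls -join ' ')
        SearchProvider  = $p.default_search_provider_data.template_url_data.url
    }
}

function Find-ShortcutsWithUrlArgument {
    param([string[]]$Folders)
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $Folders) {
        Get-ChildItem -Path $folder -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            # A URL in the arguments overrides the browser's own home page, as described above.
            if ($lnk.TargetPath -match 'chrome\.exe$|firefox\.exe$' -and $lnk.Arguments -match 'https?://') {
                [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
            }
        }
    }
}

Get-ChromeStartupSettings -Profile $ProfileDir | Format-List
$shortcutRoots = @([Environment]::GetFolderPath('Desktop'), [Environment]::GetFolderPath('CommonDesktopDirectory'),
                   [Environment]::GetFolderPath('StartMenu'), [Environment]::GetFolderPath('CommonStartMenu'))
Find-ShortcutsWithUrlArgument -Folders $shortcutRoots | Format-Table -AutoSize
```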

Drops additional malware

Some variants of Sasquor carry Trojan:Win32/Suweezy, which they install along with the Sasquor components.

Downloads and executes additional malware

At least one of Sasquor's scheduled tasks and/or services regularly checks for instructions from a remote server through HTTP.

When instructed, Sasquor can download and execute additional files. We have seen Sasquor downloading Trojan:Win32/Xadupi, BrowserModifier:Win32/SupTab and Trojan:Win32/Suweezy.



Analysis by: Hamish O'Dea

Last update 11 October 2016
