Installation
Cutwail tries to install a device driver on your PC by overwriting an existing, legitimate driver file. The file name depends on your operating system; Cutwail has been known to use one of the following:
Cutwail then tries to start the corresponding kernel driver by name:
This driver tries to remove hooks that other software has placed in the system, restoring the hooked functions to their original, unhooked state. For example, any System Service Descriptor Table (SSDT) hook is reverted to the original service routine. This lets Cutwail bypass security applications, or even other malware, that rely on such hooks to monitor the PC.
Payload
Steals passwords
Cutwail contains a plugin that can steal FTP passwords. The plugin is detected as PWS:Win32/Fareit.gen!C. A full list of FTP clients that it can steal passwords from is in the Fareit description.
Cutwail can also steal passwords you have stored in your browser. It steals stored passwords from these browsers:
- Internet Explorer
- Mozilla Firefox
- Google Chrome
It can also steal user names and passwords from these email clients:
- Windows Live Mail
- Microsoft Outlook
- Becky! Internet Mail
- Barca
- IncrediMail
- The Bat!
- Mozilla Thunderbird
Provides advanced stealth functionality
Cutwail drops a second device driver to disk:
It installs the driver via the following registry changes:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\runtime\
Sets value: "ImagePath"
With data: "\\??\\C:\\WINDOWS\\System32\\drivers\\runtime.sys"
Sets value: "Type"
With data: "0x1"
Sets value: "Start"
With data: "0x3"
It then loads the driver (Type 0x1 is SERVICE_KERNEL_DRIVER; Start 0x3 is SERVICE_DEMAND_START, so the driver is started on request rather than at boot). This driver can hide the process with a supplied process ID (PID) by directly manipulating that process's EPROCESS structure in kernel memory, so that the process no longer appears in process listings.
Cutwail usually downloads an updated version of itself. This updated version drops another driver, which implements additional rootkit functionality. The updater tries to write the device driver to:
It installs this driver via the following registry changes:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\runtime2\
Sets value: "ImagePath"
With data: "\\??\\C:\\WINDOWS\\System32\\drivers\\runtime2.sys"
Sets value: "Type"
With data: "0x1"
Sets value: "ErrorControl"
With data: "0x1"
Sets value: "Start"
With data: "0x3"
It then loads the driver.
If runtime2.sys already exists, the new device driver is written to the alternate location:
The existing device driver is then instructed to update itself with the new copy.
The driver also creates the following registry keys to ensure that it is loaded in safe mode:
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\runtime2.sys
This driver then drops a file to:
It creates the following registry entry to ensure that the dropped file is run:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sets value: "startdrv"
With data: "%TEMP%\startdrv.exe"
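The following PowerShell script is an added triage example, not part of this description or of any vendor tool. It checks a host for the persistence artifacts listed in this section: the "runtime" and "runtime2" kernel driver services, the SafeBoot entries for runtime2.sys, the "startdrv" Run value, and the files those entries point at. It assumes the driver paths given in the ImagePath data above (with $env:SystemRoot standing in for the literal C:\WINDOWS) and that $env:TEMP is the TEMP folder of the affected user. Because the rootkit hooks ZwOpenKey and ZwEnumerateKey while it is loaded, a live query from the infected system may return nothing; run the checks from a clean boot (for example WinPE) or against an offline copy of the SYSTEM and SOFTWARE hives.

```powershell
# Added triage example (not part of the Cutwail description or any vendor tool).
# Checks for the Cutwail persistence artifacts described above.
# Assumptions: driver paths as in the ImagePath data, with $env:SystemRoot in
# place of C:\WINDOWS; $env:TEMP is the affected user's TEMP folder.
# Caveat: while the rootkit driver is loaded its SSDT hooks can hide these
# keys; run from a clean boot or against offline hives.

$findings = @()

# 1. Kernel driver services created by the dropper ("runtime") and the updater ("runtime2").
foreach ($svc in 'runtime', 'runtime2') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        # Type 0x1 = SERVICE_KERNEL_DRIVER, Start 0x3 = SERVICE_DEMAND_START.
        $findings += [pscustomobject]@{
            Indicator = "Service key $svc"
            Detail    = "ImagePath=$($props.ImagePath) Type=$($props.Type) Start=$($props.Start)"
        }
    }
    $driver = Join-Path $env:SystemRoot "System32\drivers\$svc.sys"
    if (Test-Path -LiteralPath $driver) {
        $findings += [pscustomobject]@{ Indicator = 'Driver file'; Detail = $driver }
    }
}

# 2. SafeBoot entries that keep runtime2.sys loading in Safe Mode.
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\runtime2.sys"
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Indicator = "SafeBoot $mode entry"; Detail = $key }
    }
}

# 3. The user-mode component started through the Run key.
$run = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['startdrv']) {
    $findings += [pscustomobject]@{ Indicator = 'Run value startdrv'; Detail = $run.startdrv }
}
$startdrv = Join-Path $env:TEMP 'startdrv.exe'
if (Test-Path -LiteralPath $startdrv) {
    $findings += [pscustomobject]@{ Indicator = 'Dropped file'; Detail = $startdrv }
}

if ($findings.Count -eq 0) {
    'No Cutwail persistence artifacts found (or the rootkit is hiding them from this session).'
} else {
    $findings | Format-Table -AutoSize
}
```

A clean result from a live session is not proof of a clean system: if the rootkit is active, the registry queries above go through its hooks. Treat the offline-hive or clean-boot result as authoritative.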
Inhibits removal
Cutwail is not only able to hide itself; it can also prevent the removal of its files and registry entries. To hide and protect its registry entries it hooks the following functions via the SSDT. Because these hooks intercept the system calls of every user-mode program on the infected PC, live inspection or cleaning tools run on that PC cannot be trusted to see or delete the entries; inspect the registry from a clean boot or an offline copy of the hive instead.
- ZwDeleteValueKey()
- ZwEnumerateKey()
- ZwEnumerateValueKey()
- ZwOpenKey()
- ZwSetValueKey()
To protect its files on disk it implements file system filtering in the driver: the IRP_MJ_CREATE and IRP_MJ_DIRECTORY_CONTROL dispatch routines of the FastFAT or NTFS driver object (depending on the file system in use) are hooked, so that requests to open or list the protected files can be intercepted.
Downloads and runs files
Cutwail tries to run Internet Explorer if it exists as this file:
It then injects the downloading component into this process, where it runs. Cutwail instructs runtime.sys to hide the iexplore.exe process. After this, runtime.sys is deleted.
The downloading component creates the mutex: k4j.32H_f7z_Z6e.g8G0.
It tries to connect to one of the following remote hosts to download a software bundle.
- 66.246.72.173
- 67.18.114.98
- 208.66.194.241
- 66.246.252.213
- 66.246.252.215
- 208.66.194.234
Cutwail creates a file during the download process, selecting the name randomly from the following list:
Cutwail may also create the following subkey:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\LastTheme\Last
Executables from within the downloaded software bundle are usually written to disk or injected directly into Internet Explorer. Those which are written to disk are given a random numerical file name and are written to the %TEMP% folder, for example, %TEMP%\1193135.exe.
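The following PowerShell script is an added triage example for the download stage described in this section; it is not part of this description or of any vendor tool. It checks current TCP connections against the six download hosts listed above, looks for the HKCU Themes\LastTheme\Last subkey, and lists executables in %TEMP% whose names are purely numeric (for example 1193135.exe), which is the naming scheme used for files written from the downloaded bundle. It assumes Get-NetTCPConnection is available (Windows 8 / Server 2012 or later) and that $env:TEMP is the TEMP folder of the affected user. The IP list is specific to the samples analysed, so a match should be confirmed against proxy or firewall logs rather than treated as proof on its own.

```powershell
# Added triage example for the Cutwail download stage (not part of the
# description or any vendor tool).
# Assumptions: Get-NetTCPConnection is available; $env:TEMP is the affected
# user's TEMP folder. The host list is taken from the description above.

$downloadHosts = @(
    '66.246.72.173', '67.18.114.98', '208.66.194.241',
    '66.246.252.213', '66.246.252.215', '208.66.194.234'
)

# 1. Live connections to the download hosts, with the owning PID.
# The TCP table is kept separately from the kernel's process list, so a
# connection owned by a process that runtime.sys has hidden can still appear
# here with a PID that Get-Process cannot resolve.
$connections = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $downloadHosts -contains $_.RemoteAddress }
foreach ($c in $connections) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { '<not visible: possibly hidden>' }
    "Connection to $($c.RemoteAddress):$($c.RemotePort) from PID $($c.OwningProcess) ($name)"
}

# 2. Registry subkey the downloader may create.
$themeKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Themes\LastTheme\Last'
if (Test-Path -LiteralPath $themeKey) {
    "Subkey present: $themeKey"
}

# 3. Executables in %TEMP% with purely numeric names, as written from the bundle.
Get-ChildItem -LiteralPath $env:TEMP -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match '^\d+$' } |
    ForEach-Object {
        "Numeric-named executable: $($_.FullName) ($($_.Length) bytes, written $($_.LastWriteTime))"
    }
```

A connection whose owning PID cannot be resolved to a visible process is itself worth noting: it is consistent with the hidden iexplore.exe described above, and the PID can be used when examining the system from a clean boot or a memory image.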
Analysis by Scott Molenkamp and Shawn Wang