Droppers Gapz and Redyms are based on the Power Loader code
Power Loader is a build bots that are actually downloaders of other malware families. This builder is also another example of a modularity based scheme used in the production of malware. We discovered bots based on the Power Loader in September 2012. ESET defines as Win32 / Agent.UAW unmodified droppers collected using this builder. Our colleague Alexander Matrosov conducted his own investigation and found out that this builder was used to develop Win32 / Gapz droppers , starting in October 2012 . At the same time, since November 2012, the malicious code known as Win32 / Redyms used the Power Loader components in its own dropper . The cost of the Power Loader in the cybercriminal Russian market was around $ 500 for one builder with a C & C control panel.
(The picture above is the logo of the Power Loader product that one of the resellers used to sell it )
Fig. The interface of the builder.
The first version of the Power Loader builder was compiled at the beginning of September 2012. The date of compiling the file from the PE header is presented below.
')
Power Loader uses one main URL for C & C and two more reserved URLs. All configuration service data is stored in the .cfg section of the executable file. These data are presented in text format and are not encrypted.
Bot ID - Bot ID is a unique MachineGuid value that is stored in the registry. This bot ID is used to create a mutex that signals the presence of malicious code in the system.
The various dropper families collected using the Power Loader have different export tables after unpacking the original executable droppers. The export table in the bot created by the first version of the builder looks like this:
In this form, we cannot recognize the code for embedding malicious content in other processes using the HIPS bypass technique, which is used in Gapz. But another modification of malicious code, which was created using a different version of the builder, has special markers for the code being injected. The export table in this case is presented below.
In the case of Win32 / Redyms, the export table looks like this:
This method of embedding code in explorer.exe is used to bypass HIPS and is based on the technique of using a trusted process. More information about this was published by us in this post .
Another interesting fact is that Power Loader uses the open source disassembler Hacker Disassembler Engine (aka HDE) when implementing code. And this engine is used by the Win32 / Gapz bootkit in one of the modules (shellcode). This does not prove that there is one person behind the Power Loader and Gapz, but, nevertheless, this is an interesting find. We are continuing our research and will soon publish even more interesting information.
(The picture above is the logo of the Power Loader product that one of the resellers used to sell it )
Fig. The interface of the builder.
The first version of the Power Loader builder was compiled at the beginning of September 2012. The date of compiling the file from the PE header is presented below.
')
Power Loader uses one main URL for C & C and two more reserved URLs. All configuration service data is stored in the .cfg section of the executable file. These data are presented in text format and are not encrypted.
Bot ID - Bot ID is a unique MachineGuid value that is stored in the registry. This bot ID is used to create a mutex that signals the presence of malicious code in the system.
The various dropper families collected using the Power Loader have different export tables after unpacking the original executable droppers. The export table in the bot created by the first version of the builder looks like this:
In this form, we cannot recognize the code for embedding malicious content in other processes using the HIPS bypass technique, which is used in Gapz. But another modification of malicious code, which was created using a different version of the builder, has special markers for the code being injected. The export table in this case is presented below.
In the case of Win32 / Redyms, the export table looks like this:
This method of embedding code in explorer.exe is used to bypass HIPS and is based on the technique of using a trusted process. More information about this was published by us in this post .
Another interesting fact is that Power Loader uses the open source disassembler Hacker Disassembler Engine (aka HDE) when implementing code. And this engine is used by the Win32 / Gapz bootkit in one of the modules (shellcode). This does not prove that there is one person behind the Power Loader and Gapz, but, nevertheless, this is an interesting find. We are continuing our research and will soon publish even more interesting information.
Source: https://habr.com/ru/post/174169/
All Articles