
Targeted attack research

We recently analyzed four malicious tools used in targeted attacks on users in Taiwan and Vietnam. Our telemetry shows that the malware was delivered through phishing email campaigns; one of the files reached the victim's system through the webmail interface of a Vietnamese government agency. The attackers used carefully worded phishing messages together with decoy documents to lure the user and increase the chance that the attack would succeed.



This analysis allowed us to establish the following facts:



Fig. Analyzed threats.

The figure above shows that the initial dropper installs two further threats on the system, detected as Agent.NJK and Terminator RAT.

Knowing the characteristics of this dropper, it was not difficult to find other related malicious samples in our collection. The table below lists their characteristics. Note that the attackers deliberately disguised the droppers as Office files.




Fig. Dropper files disguised as MS Word documents.

At launch, these droppers decrypt their configuration parameters with a simple XOR using a single-byte key; Python pseudocode of the algorithm is shown below. The configuration data is stored at the end of the last section of the executable and occupies 32 bytes. It contains a checksum, offsets to important parts of the file and their lengths, organized in the structure shown below. The checksum field is compared with a value hard-coded in the dropper, so the malicious code verifies the integrity of the decrypted data before using it.


Fig. Pseudocode of the XOR decryption algorithm and format of the configuration structure.

The dropper first extracts two files from its own body: an executable and a decoy Word document to be shown to the user. Both are written to the user's temporary folder, each decrypted with the simple XOR described above. After extraction, the dropper runs the extracted executable, then copies its own body to another directory and runs that copy with two additional command-line parameters: the full path of the original dropper file and the path of the Word document.



Running from the new directory, the dropper copy waits for its parent process to exit, deletes the original dropper file and moves the decoy document into the temporary directory. Finally, it calls ShellExecuteW to open the document, which is handled by whatever program the registry associates with .doc files. This step reproduces the action the user expected when opening the dropper disguised as a document.


Fig. Dropper operations.
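As an added example (not code from the original article), the following Python recovers a single-byte XOR key of the kind the dropper uses by testing the decrypted prefix against a known file signature, and then decrypts the carved file. The same routine applies to the other single-byte XOR layers described later in this analysis (the 0x32 resource key and the 0xAB log key). The key 0x5A, the blob lengths and the sample file contents are constructed here; the article shows the real configuration structure only in a figure, so its field layout is not reproduced.

```python
from typing import Optional, Tuple

# Added example: single-byte XOR key recovery for dropper-embedded files.
# All sample data below is constructed; nothing is taken from the analyzed samples.

MZ_MAGIC = b"MZ"                                   # PE / DOS header
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")     # legacy .doc (OLE2 compound file)


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key; encryption and decryption are identical."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes, expected_magic: bytes) -> Optional[int]:
    """Return the key k for which blob[:n] ^ k == expected_magic, or None.

    Every magic byte must agree on the same key; otherwise the blob is not a
    single-byte-XOR'd file of that type (or the carving offset is wrong)."""
    if len(blob) < len(expected_magic):
        return None
    candidates = {c ^ m for c, m in zip(blob, expected_magic)}
    return candidates.pop() if len(candidates) == 1 else None


def carve(blob: bytes, expected_magic: bytes) -> Tuple[int, bytes]:
    """Recover the key and return (key, plaintext); raise if no consistent key exists."""
    key = recover_xor_key(blob, expected_magic)
    if key is None:
        raise ValueError("no consistent single-byte XOR key for this signature")
    plain = xor_single_byte(blob, key)
    if not plain.startswith(expected_magic):       # defensive; cannot fail after the check above
        raise ValueError("decryption did not yield the expected signature")
    return key, plain


def split_dropper_blob(blob: bytes, exe_len: int) -> Tuple[bytes, bytes]:
    """Split a concatenated [encrypted exe | encrypted doc] region using the length
    that the dropper's configuration structure would supply (offset/length fields,
    as described above; the real field layout is an unknown here)."""
    return blob[:exe_len], blob[exe_len:]


# --- constructed demo data --------------------------------------------------
DEMO_KEY = 0x5A
FAKE_EXE = MZ_MAGIC + b"\x90\x00\x03\x00" + b"This program cannot be run in DOS mode."
FAKE_DOC = OLE2_MAGIC + b"\x00" * 8 + b"decoy document body"
PAYLOAD_REGION = xor_single_byte(FAKE_EXE, DEMO_KEY) + xor_single_byte(FAKE_DOC, DEMO_KEY)


def demo() -> dict:
    """Carve both embedded files from the constructed payload region."""
    enc_exe, enc_doc = split_dropper_blob(PAYLOAD_REGION, len(FAKE_EXE))
    exe_key, exe = carve(enc_exe, MZ_MAGIC)
    doc_key, doc = carve(enc_doc, OLE2_MAGIC)
    return {"exe_key": exe_key, "doc_key": doc_key, "exe": exe, "doc": doc}


if __name__ == "__main__":
    r = demo()
    print(f"key 0x{r['exe_key']:02x}, exe starts {r['exe'][:2]!r}, doc magic {r['doc'][:8].hex()}")
```

A two-byte signature such as MZ gives weak confirmation on its own; when carving from a real dropper, also check that the decrypted PE header is consistent (for example, that e_lfanew points at a PE signature) before trusting the recovered key.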

This seemingly simple deception is quite effective. Everything the dropper does is invisible to the user, who in the end sees the requested document open. If the initial actions are performed with minimal delay, the user may notice nothing at all. A similar tactic was used by the APT1 group described by Mandiant. Note that in this scenario the attackers do not need any exploit to install their code.


Fig. Phishing document in Vietnamese.


Fig. A similar document aimed at users in Taiwan.

The dropper hides API calls in two different ways: it contains its own implementation of GetProcAddress that works on plaintext function-name strings in the code, and it also uses the standard GetProcAddress with encrypted names. The code does not appear to have been written in a high-level language: some objects are created with maximum access rights, and parts of the code are copy-pasted within its body.


Fig. Metadata of the Vietnamese and Taiwanese documents.

Win32/TrojanProxy.Agent.NJK

The first executable we analyzed is detected by our products as Win32/TrojanProxy.Agent.NJK. It is written in Visual C++ and communicates with remote C&C servers over HTTP. The analyzed variant uses three C&C addresses that share the same domain, vietnam.vnptnet.info, but connect to different ports (80, 443 and 5050).

Communication with the C&C runs in a loop with a 15-minute delay, during which the code tries to contact the server on each of the three ports. Interestingly, the threat makes no effort to persist across a reboot: on a compromised computer it stays active only until the user logs off or the machine is restarted. The file contains no obfuscation of the strings it uses.


Fig. The main loop of the malicious code.

When contacting the C&C, the malware sends information about the system in an HTTP GET request with a distinctive User-Agent string. The system data is 105 bytes long and is sent hex-encoded in the query string of the GET request. It contains: the campaign ID; the host's internal IP address; the computer name; the Windows version ID; and the name of the account under which the process runs. Oddly, no encryption is applied: hex encoding is not encryption, so the data travels in the clear.


Fig. The format of the data sent by the malicious code to the remote server.

Together with the request, the transmitted data looks like this.


Fig. An example of a GET request with transmitted data.

The server responds with an ordinary HTTP header to which an Accept field with the value "x-wav/y-img" has been added. The malware rejects the response if this field is missing. Note that Accept is normally a request header sent by the client; here the roles are reversed and the server must include it in its response. The commands sent by the C&C are always 796 bytes long, and the first integer in the command data is its identifier (command ID). The following commands are supported.
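The beacon format and the inverted Accept header described in the two paragraphs above are usable network indicators. The Python below, an added example that is not code from the original article, scores a request/response pair against them: a GET whose entire query string is a 105-byte hex blob with readable fields (including a campaign ID), a server reply carrying Accept: x-wav/y-img, and a 796-byte body. The HTTP transcript, the User-Agent value and the null-separated field layout of the beacon are constructed for the example; the article shows the real layout and User-Agent only in figures.

```python
import re
from typing import Dict, List, Optional

# Added example: spotting Agent.NJK-style HTTP beacons and C&C replies.
# The transcript below is constructed; the real User-Agent string and the exact
# field layout of the 105-byte beacon are shown only in the article's figures.

BEACON_LEN = 105                 # bytes of system data per beacon, per the analysis above
ACCEPT_MARKER = "x-wav/y-img"    # value the server must place in its Accept header
COMMAND_LEN = 796                # every C&C command is this long


def hex_query_payload(request_line: str) -> Optional[bytes]:
    """Decode a GET whose whole query string is a hex blob; None if it is not."""
    m = re.match(r"GET\s+\S*?\?([0-9A-Fa-f]+)\s+HTTP/1\.[01]", request_line)
    if not m or len(m.group(1)) % 2:
        return None
    return bytes.fromhex(m.group(1))


def printable_runs(blob: bytes, min_len: int = 4) -> List[str]:
    """Extract ASCII runs; the beacon is hex-encoded, not encrypted, so fields are readable."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, blob)]


def header_value(raw: str, name: str) -> Optional[str]:
    """Case-insensitive header lookup over a raw HTTP head (status line skipped)."""
    for line in raw.split("\r\n")[1:]:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def classify_exchange(request: str, response: str) -> Dict[str, object]:
    """Score one request/response pair against the traits described above."""
    request_line = request.split("\r\n", 1)[0]
    payload = hex_query_payload(request_line)
    fields = printable_runs(payload) if payload else []
    content_length = header_value(response, "Content-Length")
    return {
        "hex_beacon": payload is not None and len(payload) == BEACON_LEN,
        "campaign_id": next((f for f in fields if f.startswith("CPT-")), None),
        "fields": fields,
        "server_accept_marker": header_value(response, "Accept") == ACCEPT_MARKER,
        "command_sized_body": (content_length is not None and content_length.isdigit()
                               and int(content_length) == COMMAND_LEN),
    }


# --- constructed sample traffic ---------------------------------------------
def build_beacon(campaign: str, ip: str, host: str, winver: str, user: str) -> bytes:
    """Constructed layout: null-separated fields, zero-padded to 105 bytes."""
    blob = b"\x00".join(s.encode("ascii") for s in (campaign, ip, host, winver, user))
    return blob.ljust(BEACON_LEN, b"\x00")[:BEACON_LEN]


SAMPLE_BEACON = build_beacon("CPT-NMC", "192.168.10.25", "ACCOUNTING-PC", "5.1", "nguyen")
SAMPLE_REQUEST = ("GET /?" + SAMPLE_BEACON.hex() + " HTTP/1.1\r\n"
                  "User-Agent: Mozilla/4.0 (constructed)\r\n"
                  "Host: vietnam.vnptnet.info\r\n\r\n")
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                   "Accept: x-wav/y-img\r\nContent-Length: 796\r\n\r\n")
BENIGN_REQUEST = "GET /news/?id=42 HTTP/1.1\r\nHost: example.com\r\n\r\n"
BENIGN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 1200\r\n\r\n"

if __name__ == "__main__":
    print(classify_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    print(classify_exchange(BENIGN_REQUEST, BENIGN_RESPONSE))
```

The Accept header in a server response is the strongest single signal here, because legitimate servers do not send it; the hex-blob query alone will also match some benign tracking and session tokens, so it should be combined with the decoded fields or the destination domain.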



The Agent.NJK code contains the amusing string "I want to go to THE GREAT WALL, inner Mongolia very much" and credentials for a proxy service, somnuek.bu/044253516. Analysis of the code shows that these credentials are not used anywhere. A Google search turned up a person with that name on a social network; we have no data on how they relate to this campaign.

Note that the string CPT-NMC, which identifies the campaign (campaign ID), is sent to the remote server. CPT stands for Central Post and Telecommunications Department, a branch of the Vietnamese government. The C&C domain (vnptnet.info) also closely resembles the legitimate Vietnamese address vnpt.vn, which belongs to the same institution. The name was probably chosen so that the domain would blend in with the logs of intrusion detection systems (IDS) that record traffic on a network. The decoy documents described at the beginning contain text about telecommunication systems, with graphs and diagrams designed to hold the victim's attention and convince them that the document is genuine. It appears that the attack was aimed at the Vietnamese CPT, and Vietnamese officials reported an attack on their infrastructure this year.

We observed how the operator interacts with an infected system. Below are several logs of such a session.


Fig. Commands sent by the operator to the Agent.NJK bot.

These operations amount to reconnaissance, i.e. collecting data about the compromised system: netsta(t) to view current network connections, then information about the logical drives, the environment variables, and the location of certain files. The typo netsta instead of netstat in the second command indicates that the commands are typed by a human operator rather than sent by an automated system. We observed the same in the Syndicasec targeted attack.


Fig. The bot transmits data about current network connections in the clear.


Fig. Closing a C & C session with a bot.

In the last screenshot, item 2 shows that the server terminates the session with a TCP RST (reset). After sending the reset the server's behavior changes: once the client has received it, the client can no longer connect to any of the three ports.


Fig. The server refuses connections from a client to which it has previously sent a TCP reset.

The absence of any persistence mechanism strengthens our hypothesis that this is a targeted attack: the attackers want to leave as few traces as possible on the compromised system. A common workflow with such code is to identify potential victims in the organization, send the phishing email, wait for the bot to call back and then explore the compromised computers through it. In our case the bot also supports commands to download further executables (3004) and install them (3011), so it can be used for other actions as well.

Terminator RAT (aka FAKEM RAT)

Our anti-virus products detect it as Win32/Protux.NAR. While analyzing the part of the code that implements encryption and handles C&C communication, we found that this threat had previously been analyzed by malware.lu and Trend Micro under the names Terminator RAT and FAKEM RAT. However, the samples we analyzed differ from those these companies dealt with. FireEye has also published an analysis of one variant of this malware.

Compared to Agent.NJK, this threat is more complex. First, the configuration data and strings are encrypted with a slightly modified version of the XTEA algorithm. XTEA uses a 128-bit key and operates on 64-bit blocks.


Fig. XTEA as it is implemented in the Terminator RAT modification under study.

The XTEA implementation is rather naive: it uses the weakest block cipher mode, ECB, as the screenshot below shows, so 64-bit blocks of zeros are always encrypted to the same ciphertext and the structure of the plaintext remains visible.


Fig. An example of a cipher text that starts at 0x404198 and contains an obvious pattern.


Fig. Decrypted text at the same address.
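To make the ECB pattern concrete, here is an added Python example (not code from the original article, and not the sample's modified XTEA) implementing standard 32-round XTEA in ECB mode next to a CBC wrapper. Encrypting four all-zero blocks in ECB yields four identical ciphertext blocks, which is exactly the repeating pattern visible in the figure; CBC with an IV removes it. The key and IV are constructed.

```python
import struct
from typing import List

# Added example: standard XTEA (32 rounds) in ECB, as the RAT uses it, beside CBC.
# The sample's "slightly modified" XTEA is not reproduced; key and data are constructed.

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
BLOCK = 8


def xtea_encrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    """Standard XTEA block encryption (little-endian words, as in a Win32 build)."""
    v0, v1 = struct.unpack("<2I", block)
    k = struct.unpack("<4I", key)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack("<2I", v0, v1)


def xtea_decrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    v0, v1 = struct.unpack("<2I", block)
    k = struct.unpack("<4I", key)
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return struct.pack("<2I", v0, v1)


def blocks(data: bytes) -> List[bytes]:
    if len(data) % BLOCK:
        raise ValueError("data must be a multiple of 8 bytes")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(data: bytes, key: bytes) -> bytes:
    """ECB: each block independently; equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(xtea_encrypt_block(b, key) for b in blocks(data))


def ecb_decrypt(data: bytes, key: bytes) -> bytes:
    return b"".join(xtea_decrypt_block(b, key) for b in blocks(data))


def cbc_encrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    """CBC: chaining hides repeated plaintext blocks (the fix the RAT's authors skipped)."""
    out, prev = [], iv
    for b in blocks(data):
        prev = xtea_encrypt_block(bytes(x ^ y for x, y in zip(b, prev)), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(data):
        out.append(bytes(x ^ y for x, y in zip(xtea_decrypt_block(c, key), prev)))
        prev = c
    return b"".join(out)


def distinct_block_count(ciphertext: bytes) -> int:
    """How many different 8-byte blocks appear; 1 for all-zero plaintext under ECB."""
    return len(set(blocks(ciphertext)))


DEMO_KEY = bytes(range(16))      # constructed 128-bit key
DEMO_IV = b"\x01" * 8            # constructed IV for the CBC comparison
ZEROS = b"\x00" * 32             # four all-zero blocks, like the padding in the RAT's config

if __name__ == "__main__":
    print("ECB distinct blocks:", distinct_block_count(ecb_encrypt(ZEROS, DEMO_KEY)))
    print("CBC distinct blocks:", distinct_block_count(cbc_encrypt(ZEROS, DEMO_KEY, DEMO_IV)))
```

When scanning a suspected configuration blob, a run of identical 8-byte groups is therefore a quick sign of ECB over zero padding, and marks where the plaintext padding ends.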


Fig. Part of the configuration of malicious code in encrypted form.

(1) the XTEA key, (2) two port numbers (9000, 9090) and some other data, (3) various strings obfuscated with interleaved zero bytes.


Fig. Decrypted configuration data.

(1) the directory where the malware is installed (inside %APPDATA%), (2) the file names given to the installed components, (3) the C&C domain, (4) the name of the directory in the resource section where the payload is stored, (5) the registry key used to run after a reboot (persistence).

After starting, Protux.NAR dynamically fills in the addresses of functions that are not declared in its import table, using its own implementation of GetProcAddress, as TrojanProxy.Agent.NJK does. The strings used to look up these functions are not encrypted and are stored in the body of the code in the clear.

Next, Win32/Protux.NAR changes the registry value that holds the path to the Startup folder (the directory from which Windows launches programs at logon) to the new value "%APPDATA%\2019", copies the existing files to the new location, and schedules its own body to be moved to the same location under the name "svchost .exe" via MoveFileEx with the MOVEFILE_DELAY_UNTIL_REBOOT flag. It also extracts another PE file from its body, copies it to that directory as "winslogon.ini" and schedules a deferred rename via MOVEFILE_DELAY_UNTIL_REBOOT to "winslogon.exe" (this component implements the proxy tunnel).


Fig. The flow of code that demonstrates the above operations.

As can be seen, the code relies heavily on the MOVEFILE_DELAY_UNTIL_REBOOT flag of MoveFileEx. This is the OS mechanism for moving executables that are in use at the time of the call: the rename is queued in the registry (the PendingFileRenameOperations value under the Session Manager key) and carried out by the system at the next boot, before any user process runs. It also helps avoid antivirus heuristics and other detection technologies that watch for suspicious file operations at install time.

To avoid detection by security products on subsequent launches, the malware also copies its file to the temporary directory (GetTempPath() + "~7ti2") and appends several random bytes to the end of the file. It then schedules the file to overwrite itself via MoveFileEx with the MOVEFILE_DELAY_UNTIL_REBOOT and MOVEFILE_REPLACE_EXISTING flags, so the installed file's hash changes at every reboot.


Fig. A more visual representation of the malicious code operations described above.
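All three tricks above (moving the body into %APPDATA%\2019, renaming winslogon.ini to winslogon.exe, and replacing the installed file with a re-hashed copy) leave entries in PendingFileRenameOperations until the next boot. The Python below is an added example, not code from the article, that parses that REG_MULTI_SZ value as a list of strings and flags the patterns described above. The value's format (source/destination pairs, \??\ prefixes, an empty destination meaning delete, a leading "!" on the destination for MOVEFILE_REPLACE_EXISTING) is documented Windows behavior; the sample paths and the user name "victim" are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: auditing PendingFileRenameOperations, the registry value where
# MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) queues its work
# (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager). Paths below are constructed.

NT_PREFIX = "\\??\\"
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\start menu\\programs\\startup\\")


@dataclass
class PendingRename:
    source: str
    destination: Optional[str]   # None: the file is deleted at boot
    replace_existing: bool       # destination carried the "!" prefix (MOVEFILE_REPLACE_EXISTING)


def strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(multi_sz: List[str]) -> List[PendingRename]:
    """Parse the REG_MULTI_SZ value (as a list of strings) into source/destination pairs."""
    if len(multi_sz) % 2:
        raise ValueError("value must hold source/destination pairs")
    entries = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        entries.append(PendingRename(strip_nt_prefix(src),
                                     strip_nt_prefix(dst) if dst else None, replace))
    return entries


def suspicious_renames(entries: List[PendingRename]) -> List[Tuple[str, List[str]]]:
    """Return (destination, reasons) for entries matching the tricks described above."""
    hits = []
    for e in entries:
        if e.destination is None:
            continue                       # delete-at-boot is routine for installers and updaters
        src, dst = e.source.lower(), e.destination.lower()
        reasons = []
        if dst.endswith(".exe") and not src.endswith(".exe"):
            reasons.append("non-executable extension becomes .exe at boot")
        if dst.endswith((".exe", ".dll")) and any(d in dst for d in SUSPICIOUS_DIRS):
            reasons.append("executable lands in a user-writable profile directory at boot")
        if e.replace_existing and dst.endswith(".exe"):
            reasons.append("existing executable is overwritten at boot (file hash changes)")
        if reasons:
            hits.append((e.destination, reasons))
    return hits


# Constructed value mirroring the behavior described above (user name is made up).
SAMPLE_MULTI_SZ = [
    r"\??\C:\Users\victim\AppData\Local\Temp\3f2a.tmp", "",
    r"\??\C:\Users\victim\AppData\Local\Temp\dropper.exe",
    r"\??\C:\Users\victim\AppData\Roaming\2019\svchost .exe",
    r"\??\C:\Users\victim\AppData\Roaming\2019\winslogon.ini",
    r"\??\C:\Users\victim\AppData\Roaming\2019\winslogon.exe",
    r"\??\C:\Users\victim\AppData\Local\Temp\~7ti2\svchost .exe",
    r"!\??\C:\Users\victim\AppData\Roaming\2019\svchost .exe",
]

if __name__ == "__main__":
    for dest, reasons in suspicious_renames(parse_pending_renames(SAMPLE_MULTI_SZ)):
        print(dest)
        for r in reasons:
            print("   -", r)
```

On a live host the value can be read with PowerShell, for example `(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').PendingFileRenameOperations`; Windows removes it once the operations have run at boot, so collect it before rebooting or from a SYSTEM hive backup. The redirected Startup folder path in the Explorer shell-folder values is worth checking in the same pass.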

After the reboot, when Windows launches every executable in the Startup directory, the two malware files "svchost .exe" (main component) and "winslogon.exe" (proxy tunnel component) are executed. The main component decrypts the configuration and strings and starts an auxiliary thread whose behavior depends on the directory from which the original file was launched.

Next, the code allocates a memory block, copies into it the resource with identifier 0x8A from the resource directory named ACCELORATOR, and decrypts it by XORing each byte with the key 0x32. Note the spelling: ACCELORATOR, not ACCELERATOR. The decrypted data is position-independent code that can execute regardless of where it is loaded. Before transferring control to it, the malware obtains the computer's current IP address, XOR-encrypts it with the same static key 0x32 and writes it, together with the port number 8000, at a fixed offset in the code.


Fig. The process of loading and executing code from the resources section.

The code copied into the memory block uses registers in a non-standard way, which suggests it was written in assembler. For example, to fill in the addresses of dynamically imported functions it uses its own implementation of GetProcAddress with a predefined table of ROR hashes, one per function name. This technique is rarely seen in programs compiled from a higher-level language.
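The Python below is an added example (not code from the article or the sample) of what such a hash table means for both sides: the shellcode walks a module's export table, hashes each name and stops on a match, so no API name string appears in the code; the analyst precomputes the same hash over a list of known API names to label the constants found in the table. The rotation count (13) and the name-only hash form are assumptions, since the page only says that ROR hashes of function names are used; the export table and its addresses are constructed.

```python
from typing import Dict, Iterable, List, Optional

# Added example: API resolution by ROR hash, and the reverse lookup an analyst does.
# ROT = 13 and hashing the bare function name are assumptions; the article does not
# give the sample's parameters. The export table below is constructed.

ROT = 13
MASK = 0xFFFFFFFF


def ror32(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK


def ror_hash(name: str, rot: int = ROT) -> int:
    """h = ror32(h, rot) + byte, over the ASCII bytes of the export name."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, rot) + b) & MASK
    return h


# Constructed stand-in for a loaded module's export table (name -> address).
FAKE_EXPORTS: Dict[str, int] = {
    "LoadLibraryA": 0x77E1A000,
    "GetProcAddress": 0x77E1B000,
    "VirtualAlloc": 0x77E1C000,
    "CreateEventA": 0x77E1D000,
    "gethostbyname": 0x71AB1000,
}


def resolve_by_hash(wanted: int, exports: Dict[str, int], rot: int = ROT) -> Optional[int]:
    """What the shellcode does: hash every export name until one matches the constant."""
    for name, addr in exports.items():
        if ror_hash(name, rot) == wanted:
            return addr
    return None


def identify_hashes(hashes: Iterable[int], candidate_names: Iterable[str],
                    rot: int = ROT) -> Dict[int, Optional[str]]:
    """What the analyst does: precompute hashes of known API names and label the
    constants recovered from the position-independent code; unknown ones map to None."""
    table = {ror_hash(n, rot): n for n in candidate_names}
    return {h: table.get(h) for h in hashes}


# Hash table as it might appear in the PIC (constructed from the names above).
EMBEDDED_HASH_TABLE: List[int] = [ror_hash(n) for n in ("LoadLibraryA", "VirtualAlloc", "CreateEventA")]

if __name__ == "__main__":
    for h, name in identify_hashes(EMBEDDED_HASH_TABLE + [0xDEADBEEF], FAKE_EXPORTS).items():
        print(f"{h:08x} -> {name}")
```

If no candidate list labels the constants, the rotation count is usually the first parameter to vary; ror7, ror13 and hashes that also fold in the module name are the common variants seen in position-independent loaders.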

Protux.NAR then creates an event named "sxX5{c4" to mark that the code is running and prevent several copies from executing at once. Communication with the C&C servers goes through three addresses polled in a loop with a 30-second timeout. Two of them are domains stored in the XTEA-encrypted configuration shown above; the third is the pair of the compromised system's own IP address and port 8000 (used for the proxy tunnel). Once a connection is established, the bot sends information about the compromised system in a 1024-byte packet, whose format is shown below.


Fig. Data sent by a bot to a remote server about a compromised computer.

The main fields of the packet are Username and Computer name, each 128 bytes long. Another interesting field is the system's current codepage (Codepage), 4 bytes in size. The packet also contains three more integer fields: two take the values 0x130 and 0 (1), the third takes the value 0x30005 (2). These values match those in the samples analyzed by FireEye. Field 3 contains a string and is probably a campaign ID.

C&C traffic is encrypted with a simple scheme: each byte of the stream is XORed with a byte of the key, then rotated right (ROR) by three bit positions. The key is static: "YHCRA". The algorithm is shown below.


Fig. Encryption with a management server used in Terminator RAT.
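As an added example (not code from the article or the sample), the Python below implements the scheme just described, its inverse, and the check a practitioner would run against it: because the key repeats every five bytes and the 128-byte name fields are padded with zeros, any run of zero plaintext reveals the key directly by rotating the ciphertext back. The check-in packet built here is a constructed stand-in; the real field order is only in the figure, and the zero padding of the name fields is an assumption based on the 128-byte field sizes.

```python
# Added example: the Terminator RAT C&C stream cipher (per-byte XOR with the cyclic
# key "YHCRA", then ROR 3), its decryption, and known-plaintext key recovery.
# The packet layout below is constructed; the real one is shown only in the figure.

C2_KEY = b"YHCRA"


def ror8(b: int, n: int) -> int:
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rol8(b: int, n: int) -> int:
    return ((b << n) | (b >> (8 - n))) & 0xFF


def c2_encrypt(data: bytes, key: bytes = C2_KEY) -> bytes:
    """ciphertext[i] = ror8(plaintext[i] ^ key[i mod len(key)], 3)"""
    return bytes(ror8(b ^ key[i % len(key)], 3) for i, b in enumerate(data))


def c2_decrypt(data: bytes, key: bytes = C2_KEY) -> bytes:
    """Undo the rotation first, then the XOR."""
    return bytes(rol8(c, 3) ^ key[i % len(key)] for i, c in enumerate(data))


def recover_key_from_zero_run(ciphertext: bytes, offset: int, key_len: int = 5) -> bytes:
    """Known-plaintext attack: where the plaintext is zero bytes (e.g. the padding of a
    128-byte name field), each ciphertext byte is just ror8(key byte, 3); rotating back
    gives the key in the cyclic phase of that offset, which is then re-aligned."""
    phase = [rol8(ciphertext[offset + i], 3) for i in range(key_len)]
    shift = offset % key_len
    return bytes(phase[(j - shift) % key_len] for j in range(key_len))


def build_hello(username: str, computer: str, codepage: int = 1258) -> bytes:
    """Constructed stand-in for the 1024-byte check-in packet: two 128-byte zero-padded
    name fields, a 4-byte little-endian codepage, zero-padded to 1024 bytes."""
    pkt = username.encode("ascii").ljust(128, b"\x00")
    pkt += computer.encode("ascii").ljust(128, b"\x00")
    pkt += codepage.to_bytes(4, "little")
    return pkt.ljust(1024, b"\x00")


if __name__ == "__main__":
    packet = build_hello("nguyen", "ACCOUNTING-PC")          # constructed names
    wire = c2_encrypt(packet)
    print("round trip ok:", c2_decrypt(wire) == packet)
    print("key recovered from zero padding:", recover_key_from_zero_run(wire, 64))
```

In practice this means a single captured check-in is enough to recover the key without the sample, and that the five-byte periodicity of the encrypted zero padding (the same five ciphertext bytes repeating) is itself a usable network signature for this family.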

The packet representing the server's response carries the command identifier in its first four-byte field. The malicious code supports the following commands.



Our colleagues at Trend Micro were able to record an attack and determine which auxiliary operations the control server delivers to the bot through command 0x211: a command shell, file manager, process manager, registry editor, screenshot capture module, password-stealing module and file upload module. The range of actions available to the operator is thus very wide.

We found the following C&C domains in this malicious code.



As the table above shows, domain (1) contains a trailing space, so DNS cannot resolve it to an IP address. Domain (2), as noted above, is obtained via the gethostname and gethostbyname functions. The domains 25u.com and 4dq.com belong to the dynamic DNS service changeip.com, located in the USA. The address 123.51.208.142 is in Taiwan.

The table below shows the differences between the variants of the malware examined by the different antivirus laboratories.



At the same time, the variants analyzed by these companies also share similarities.


Terminator RAT clearly lacks a consistent design. The attackers evidently modified it repeatedly to suit particular goals or campaigns; the presence of several encryption mechanisms and two methods of resolving function addresses supports this assumption. Moreover, the code encrypts data sent to the C&C but stores the same data in the clear in the position-independent code, which hardly speaks for the chosen approach. Finally, some functions have been awkwardly patched with extra features such as encryption/decryption, as the screenshot below shows.


Fig. Encryption function in Terminator RAT.

The variable xtea_flag (1) determines why the function was called: to perform XTEA encryption (2) or XOR encryption with a fixed single-byte key (3). Evidently one of the two code fragments was added later.

Having several analyses of the same malware family is useful, because it shows how the variants changed and in which campaigns they were used. In the case of Terminator RAT, both the code and the infrastructure were changed between attacks: on the code side the XTEA keys, the network packet headers and the name of the executable that implements the proxy tunnel; on the infrastructure side the DDNS provider and the C&C IP addresses.

We now look in more detail at the proxy tunnel component, which FireEye has already described in detail under the name sss.exe. It is used when the malware runs on a network that does not allow direct outgoing connections to the server (that is, a proxy is in use). In that case the module listens on port 8000 and relays connections made to it through the legitimate proxy configured on the computer, using the HTTP CONNECT method to reach the C&C.

In the variant we studied, the proxy tunnel module is called winslogon.exe. We also found an encrypted log file left by this component at the hard-coded path %TEMP%\~DF3bbs.tmp. It can be decrypted with XOR using the key 0xAB, as shown below.


Fig. The function that decrypts the proxy tunnel component's log.

To prevent several copies of this module from running at once, it uses an event object whose name contains a non-printable character with code 0x13. Adding this component to Terminator RAT extends its data exfiltration capabilities, and since it is essentially independent of the RAT component it can easily be reused in another variant. The component is not easy to recognize as malicious on sight, because it performs no overtly malicious function. In addition, hiding the payload in position-independent code makes static analysis of the RAT quite laborious.

Conclusion

None of the analyzed files was packed to hinder analysis, and we saw no exploit that would have helped the attackers reach their goals more effectively. The code itself is not well written, which suggests that the attackers are not highly skilled. The list of shortcomings goes on: poorly implemented cryptography, typos in the commands typed by the operator, errors in the configuration of C&C domains. It appears that the customers of this attack allocated a very small budget to it.

Win32/TrojanDropper.Small.NNK
58e1dfa7ace03a408d2b20c1fab6e127acbdc71f492366622cd5206484443ed7
3f58a0ea8958c5bf88aa9cfcefe457393f0a96bba9f05f301ba6a15b65d5b64a

Win32/TrojanProxy.Agent.NJK
54c5517541187165fd9720dfe8cff67498d912d189d649cc652d8b113bae8802

Win32/Protux.NAR (Terminator RAT)
425a919cb5803ce8fabb316f5e1be611f88f5c3813fffd2b40f2369eb7074da9

Win32/Protux.NAR (Terminator RAT) with tunnel proxy
a6cc9fbcb3d806fefb4d0f2f6d1c04b81316593dfe926b4477ca841ac17354e2

Source: https://habr.com/ru/post/205044/

