
Windows Trojan specializes in stealing data from isolated air-gapped computers

Our analysts have discovered an unusual Windows Trojan that specializes in infecting removable USB drives and differs from similar malware in several interesting ways. One of them is that each copy of the Trojan is unique and bound to the particular drive it has infected, and it leaves no traces of its activity on the victim's compromised system. This serves as a self-defence mechanism: the Trojan's body cannot simply be copied off the drive for subsequent analysis of its functions.

In this study we present the technical features of this malicious program, which uses a special technique for compromising removable media. The technique differs from the well-known method based on autorun.inf files or specially crafted shortcut files: the malware trojanizes portable versions of well-known applications such as Firefox, Notepad++ and TrueCrypt. When the user starts such an application, the Trojan is silently launched on the user's system.

The malware consists of six files: four executables and two configuration files. To hinder analysis of these files, the Trojan uses two methods. The first is file encryption with the AES-128 algorithm; the second is the generation of file names from cryptographic hashes.

The key for the symmetric AES algorithm is computed from the removable device's Device ID together with several other disk-dependent values. The malware can therefore run successfully only on the specific device that was compromised.
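
To make the device binding concrete, here is an added example, written for this page and not code from the article or from the malware, that derives an AES-128 key from drive properties and encrypts a stage file with it. The real derivation and cipher mode were not published: SHA-256 as the key-derivation function, the volume serial as the "other disk-dependent value", the nonce and the use of GCM are all assumptions made here, and the drive identifiers are constructed. What it demonstrates is that the same ciphertext cannot be opened on a drive with a different Device ID.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
)

// DriveProps holds the drive-dependent values the key is derived from.
// The article names the USB Device ID and "several other disk-dependent
// values"; using the volume serial as the second input is an assumption.
type DriveProps struct {
	DeviceID     string
	VolumeSerial string
}

// SampleNonce is a constructed 12-byte GCM nonce, reused here only because
// each (key, nonce) pair encrypts a single constructed message.
var SampleNonce = []byte("unique-nonce")

// DeriveKey binds a 128-bit AES key to one drive: SHA-256 over the
// properties, truncated to 16 bytes. The real derivation is not published;
// this is an illustrative stand-in.
func DeriveKey(p DriveProps) []byte {
	h := sha256.New()
	h.Write([]byte(p.DeviceID))
	h.Write([]byte{0}) // separator so the two fields cannot run together
	h.Write([]byte(p.VolumeSerial))
	return h.Sum(nil)[:16]
}

// newGCM builds an AES-128-GCM instance for the given drive. GCM is an
// assumption (the article states only AES-128); it is chosen because a
// wrong key then fails authentication instead of yielding silent garbage.
func newGCM(p DriveProps) (cipher.AEAD, error) {
	block, err := aes.NewCipher(DeriveKey(p))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one stage file for drive p.
func Seal(p DriveProps, nonce, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(p)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, nil), nil
}

// Open decrypts a stage file on drive p. On any drive with a different
// Device ID the derived key differs, authentication fails, and no
// plaintext is produced: the file is useless away from its original drive.
func Open(p DriveProps, nonce, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(p)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed sample drive and a constructed second drive of the same model.
	original := DriveProps{DeviceID: `USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH\12345678&0`, VolumeSerial: "1A2B-3C4D"}
	other := DriveProps{DeviceID: `USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH\87654321&0`, VolumeSerial: "1A2B-3C4D"}

	ct, _ := Seal(original, SampleNonce, []byte("stage-2 configuration (constructed)"))
	pt, err := Open(original, SampleNonce, ct)
	fmt.Printf("original drive: %q, err=%v\n", pt, err)
	pt, err = Open(other, SampleNonce, ct)
	fmt.Printf("other drive:    %q, err=%v\n", pt, err)
}
```

Because GCM authenticates, the second Open returns an error rather than random bytes; with an unauthenticated mode the analyst would instead have to recognise garbage output, which is the harder situation the article's authors faced when they had to recover the device identifier before decryption.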

Execution of the malware proceeds as a sequence of code run from several executable files. Because these files can be hidden inside the portable version of one of the applications mentioned above, they do not attract the user's attention. To transfer control to the next file in the chain, the malware computes that file's name from a hash formed over the file's contents and the eight-byte value of its creation time. File names therefore differ for every instance of the malware. Furthermore, copying the malware to another location changes the file's creation time, so its actions cannot be replicated elsewhere. For a better understanding of the file naming mechanism, see the image below.

Analyzing this type of malware is quite challenging because we had no access to any of the infected devices, nor did we have the dropper that infects a removable drive under the appropriate conditions. All we had were files uploaded by users. To decrypt the Trojan's files we had to brute-force the unique device identifier and combine it with the values of the removable drive's common properties. After decrypting the files, we also had to work out the correct order of the executables and configuration files, because the creation timestamps had been changed when the files were copied to us for analysis.

The flow of the malicious code is quite simple. Each loader launches the next-level loader, whose executable name it computes from a hash value according to the naming algorithm described above. The chain must, however, begin with the first-level loader; otherwise the Trojan terminates.
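
The naming scheme and the ordering problem described above, as an added example that is not code from the article: each file is named by a hash over its predecessor's content and eight-byte creation time, so the chain can be followed only while the timestamps are intact, and a copy with fresh timestamps breaks it after the first stage. The hash function, its truncation to 16 hex characters, the little-endian FILETIME-style timestamp and the sample file names are assumptions; the article does not specify them.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// StagedFile is what the analyst has for one file of the chain: its bytes
// and its 8-byte creation timestamp (a 64-bit FILETIME-style value; the
// exact encoding used by the malware is an assumption).
type StagedFile struct {
	Content []byte
	Created uint64
}

// NextName derives the name the running stage looks up: a hash over its own
// content followed by the 8-byte creation time. SHA-256 truncated to 16 hex
// characters stands in for the unpublished hash function.
func NextName(f StagedFile) string {
	h := sha256.New()
	h.Write(f.Content)
	var ts [8]byte
	binary.LittleEndian.PutUint64(ts[:], f.Created)
	h.Write(ts[:])
	return hex.EncodeToString(h.Sum(nil))[:16]
}

// BuildChain constructs a sample chain as it would sit on the drive: the
// first stage keeps a plausible name, every later file is named by the
// hash of its predecessor.
func BuildChain(firstName string, contents [][]byte, baseTime uint64) map[string]StagedFile {
	files := make(map[string]StagedFile)
	name := firstName
	for i, c := range contents {
		f := StagedFile{Content: c, Created: baseTime + uint64(i)*10_000_000} // one second apart
		files[name] = f
		name = NextName(f)
	}
	return files
}

// ReconstructOrder follows the chain from the first stage the way the
// malware itself does: each hop succeeds only if a file with the derived
// name exists. The visited set guards against a constructed cycle.
func ReconstructOrder(files map[string]StagedFile, firstName string) []string {
	var order []string
	visited := make(map[string]bool)
	name := firstName
	for {
		f, ok := files[name]
		if !ok || visited[name] {
			return order
		}
		visited[name] = true
		order = append(order, name)
		name = NextName(f)
	}
}

// Retime simulates copying every file elsewhere: names and contents are
// preserved but each file receives a new creation time.
func Retime(files map[string]StagedFile, newTime uint64) map[string]StagedFile {
	copied := make(map[string]StagedFile, len(files))
	for name, f := range files {
		copied[name] = StagedFile{Content: f.Content, Created: newTime}
	}
	return copied
}

func main() {
	// Constructed three-stage chain; contents are placeholders, not malware.
	contents := [][]byte{[]byte("stage-1 loader"), []byte("stage-2 loader"), []byte("stage-3 loader")}
	chain := BuildChain("plugin.dll", contents, 0x01D1800000000000)
	fmt.Println("on the original drive:", ReconstructOrder(chain, "plugin.dll"))
	fmt.Println("after copying:        ", ReconstructOrder(Retime(chain, 0x01D1900000000000), "plugin.dll"))
}
```

On the original drive all three stages are found in order; after Retime only the first stage resolves, because its derived successor name no longer matches any file. That is the situation the analysts describe: without the original timestamps, the order has to be recovered by other means.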

First level loader

The first-level loader is the starting point of the malicious program's execution. It is also responsible for tricking the user into launching the malicious file without noticing it. This can be achieved in several ways, the most interesting of which relies on portable versions of popular applications. We observed the use of Notepad++ equipped with a special malicious plug-in, as well as a portable version of the TrueCrypt encryption application that included a library named “RichEd20.dll”. The loader also checks where it was launched from and executes the payload only when it is running from removable USB media. This check is necessary because the payload component stores the stolen data on that media.

Second level loader

The second-level loader file is located by the first-level loader using the hash of the file contents (see above) and is then launched. Its configuration file is located in the same way, using the hash of the configuration file's contents. This configuration file contains the encrypted name of the expected parent process, which the loader verifies. This anti-debugging trick terminates the malicious program if it is started by any other process, such as a debugger. In the last step, the hash of the configuration file's contents is used to compute the name of the third-level loader's executable.

Third level loader

The third-level loader checks for anti-virus products on the system. If processes named “avpui.exe” (Kaspersky anti-virus) or “AVKTray.exe” (G Data anti-virus) are running, execution of the malware stops. Its configuration file is decrypted in the same way as described above. The loader also creates a named pipe through which it passes the configuration file to the payload. The first 30 bytes of the SHA-512 hash of the computer name are used as the pipe's name.
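
The pipe name is the one host-dependent artifact the article describes precisely enough to derive, so here is an added example, written for this page and not the article's code, that computes the expected name for a host and checks a list of observed pipes against it. Hex encoding of the digest and use of the computer name exactly as stored are assumptions (the article says only "the first 30 bytes of the SHA-512 hash"); the host name and the pipe list are constructed.

```go
package main

import (
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"strings"
)

// ExpectedPipeName returns the pipe name this loader would create on a host:
// the first 30 characters of the hex-encoded SHA-512 of the computer name.
// Hex encoding and using the name exactly as configured are assumptions.
func ExpectedPipeName(computerName string) string {
	sum := sha512.Sum512([]byte(computerName))
	return hex.EncodeToString(sum[:])[:30]
}

// FindSuspiciousPipe scans pipe names observed on the host (for example
// from enumerating \\.\pipe\) and reports the one matching the derived
// name, if any. Comparison is case-insensitive because pipe names are.
func FindSuspiciousPipe(computerName string, observed []string) (string, bool) {
	want := ExpectedPipeName(computerName)
	for _, name := range observed {
		base := name[strings.LastIndex(name, `\`)+1:] // strip any \\.\pipe\ prefix
		if strings.EqualFold(base, want) {
			return name, true
		}
	}
	return "", false
}

func main() {
	host := "WORKSTATION-01" // constructed host name
	// Constructed snapshot of pipes on that host: common Windows pipes plus
	// one carrying the derived name.
	observed := []string{
		`\\.\pipe\lsass`,
		`\\.\pipe\srvsvc`,
		`\\.\pipe\wkssvc`,
		`\\.\pipe\` + ExpectedPipeName(host),
	}
	fmt.Println("expected name for", host+":", ExpectedPipeName(host))
	if name, hit := FindSuspiciousPipe(host, observed); hit {
		fmt.Println("pipe matching the loader's naming scheme:", name)
	}
}
```

On a live host the observed list would come from enumerating the \\.\pipe\ namespace; since the derived name is deterministic per computer name, a fleet-wide check can precompute one expected value per host and alert on a match.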

Payload

In the last stage, control passes to the payload code, which implements the data-stealing functions. The executable is injected into a process created with the command line %windir%\system32\svchost.exe -k netsvcs. The configuration data mentioned above specifies which data should be collected, how it should be encrypted, and where it should be stored. In any case, the directory for saving the files must be located on the removable media. In the sample we analyzed, the malware was configured to steal files of the following types: images, documents, registry hive files (HKCU), and directory listings of the available disks. The attackers are also interested in information gathered by the open-source program “WinAudit”. The collected data is encrypted using elliptic-curve cryptography.

Conclusion

Beyond the interesting self-defence mechanism of this multi-stage malware, the relatively simple data-stealing functions of its payload are compensated for by the fact that it leaves no trace of its activity on the compromised computer. Once the removable drive is disconnected, nobody will know that data was stolen from the computer.

It should be noted that repurposing the malware with a new payload is not difficult, and attackers could do so in future malicious campaigns.

According to our statistics on the distribution of this malware, it is not widespread. On the other hand, it is likely intended for targeted attacks, especially against air-gapped computers isolated from the global network. Such isolation is a common measure for improving the security of an internal network and the computers connected to it.

Indicators of compromise

Detection names for anti-virus products:

Payload files: Win32/PSW.Stealer.NAI

Loader files: Win32/TrojanDropper.Agent.RFT

SHA-1 hashes of decrypted files:

2C188C395AB32EAA00E6B7AA031632248FF38B2E

B03ABE820C0517CCEF98BC1785B7FD4CDF958278

66D169E1E503725A720D903E1DFAF456DB172767

4B2C60D77915C5695EC9D3C4364E6CD6946BD33C

Source: https://habr.com/ru/post/280085/
