
Dofoil Hunt with Windows Defender ATP

In March 2018, hundreds of thousands of computers were hit by the Dofoil cryptocurrency-mining campaign. In previous blog posts we looked at how we shielded users from this massive attack and traced its origin to a compromised software update service that the attackers used to spread the malware.

In this post we examine in detail the anti-debugging and anti-analysis techniques the Dofoil authors used, and describe how the malware detection capabilities of Windows 10 help in investigating such attacks.


During the investigation we found that Dofoil has anti-analysis techniques built in. It checks which environment it is running in and stops if it detects a virtual machine. It also scans the running processes for analysis tools and terminates them immediately. All of this makes analyzing the malicious code considerably harder.

The following figure shows the stages through which the malware deploys itself. Several of them include checks for an analysis environment.

Figure 1. Step-by-step execution scheme for the Dofoil shellcode and attack code

The table below describes the purpose of each stage. Each of the first five stages includes measures against dynamic or static analysis of the malicious code.

Stage | Description
1. Obfuscated shellcode | Protects against heuristic analysis and against emulation.
2. Bootstrap module | Hollows its own process to load the next module.
3. Anti-debug module | Prevents execution under a debugger.
4. Trojan downloader module | Checks the system environment; refuses to run inside a virtual machine; injects itself into explorer.exe by process hollowing.
5. Trojan downloader module in explorer.exe | Contacts the command and control (C&C) server, downloads the trojan and runs it by process hollowing.
6. Attack-code loader module in explorer.exe | Contacts the C&C server to load the main attack code.
7. Trojan module | Steals credentials from the configuration files of various applications and sends the collected data to the C&C server over HTTP.
8. CoinMiner.D | Mines cryptocurrency.

Table 1. Modules implemented by Dofoil at different stages

Initial stages


The first three stages (the obfuscated shellcode, the bootstrap module and the anti-debug module) try to defeat analysis and detection with the following techniques.

Anti-analysis technique | Description
Embedded benign code | Embeds a large block of benign code to confuse heuristic and manual analysis.
Emulation check | Reads a chosen registry key (HKEY_CLASSES_ROOT\Interface\{3050F557-98B5-11CF-BB82-00AA00BDCE0B}) and compares its data with the expected value (DispHTMLCurrentStyle) to find out whether the malware is running inside an emulator.
Self-hollowing | Replaces the code of its own process, which makes analysis considerably harder because the code addresses change.
Debug check | Checks for a debugger. If one is found, the malware mutates its own code so that execution crashes, leaving the researcher to work out why the process died. The check examines the PEB.BeingDebugged and PEB.NtGlobalFlag fields of the Process Environment Block: when a process is started under a debugger, PEB.BeingDebugged is set to 1 and PEB.NtGlobalFlag contains FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS (0x70). Note that these heap flags are set only when the process is created by the debugger, not when a debugger attaches later, and they can be suppressed with gflags or IFEO settings.

Table 2. Methods of counteracting the analysis

The first stage starts with a block of benign code, followed by the actual malicious code. This can make the executable look harmless, and it also hampers emulation, because emulators struggle to faithfully imitate API calls that are rarely seen in malware.

The first-stage code also checks the registry key against the expected value. After all checks pass, it decrypts the second-stage shellcode and runs it from allocated memory. That shellcode wipes the memory image of the original module, decrypts the third-stage shellcode and places it at the same location; this is the self-hollowing technique from the table above.

Figure 2. Code mutation depending on the value of PEB.BeingDebugged

The Windows Defender ATP process tree helps expose anti-debugging tricks of this kind.

Figure 3. Anti-debugging mechanisms visible in the Windows Defender ATP process tree

Trojan downloader module


Before downloading the attack code, the trojan downloader module checks the execution environment in several ways, including whether it is running in a virtual machine and whether analysis tools are present.

Anti-analysis technique | Description
Module name check | Checks whether the name of the main executable contains the string "sample".
Volume serial number check | Checks whether the current volume has the serial number 0xCD1A40 or 0x70144646.
Module check | Checks whether debugging-related DLLs are loaded.
Disk registry key check | Compares the values under HKLM\System\CurrentControlSet\Services\Disk\Enum with disk name patterns typical of virtual machines (qemu, virtual, vmware, xen, ffffcce24).
Process check | Enumerates running processes and terminates those belonging to analysis tools (procexp.exe, procexp64.exe, procmon.exe, procmon64.exe, tcpview.exe, wireshark.exe, processhacker.exe, ollydbg.exe, idaq.exe, x32dbg.exe).
Window class name check | Enumerates window class names and exits when it finds class names associated with analysis and debugging tools (Autoruns, PROCEXPL, PROCMON_WINDOW_CLASS, TCPViewClass, ProcessHacker, OllyDbg, WinDbgFrameClass).

Table 3. Methods of countering analysis in the Dofoil trojan downloader module

The target process and window class names are not stored as strings but as a list of custom checksums. The check algorithm looks like this:

Figure 4. Custom checksum algorithm based on shift and exclusive-OR operations

The checksums are meant to slow down investigation: a researcher cannot simply read off which analysis tools the malware is looking for.

String | Checksum
Autoruns | 0x0E5C1C5D
PROCEXPL | 0x1D421B41
PROCMON_WINDOW_CLASS | 0x4B0C105A
TCPViewClass | 0x1D4F5C43
Processhacker | 0x571A415E
Ollydbg | 0x4108161D
WinDbgFrameClass | 0x054E1905
procexp.exe | 0x19195C02
procexp64.exe | 0x1C0E041D
procmon.exe | 0x06185D0B
procmon64.exe | 0x1D07120A
tcpview.exe | 0x060B5118
wireshark.exe | 0x550E1E0D
processhacker.exe | 0x51565C47
ollydbg.exe | 0x04114C14
x32dbg.exe | 0x5F4E5C04
idaq.exe | 0x14585A12

Table 4. Checksum table for Windows process names and classes
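A practical use of Tables 3 and 4 is to make sure your own analysis VM does not trip any of these checks before detonating a sample. The PowerShell script below is an added example written for this write-up; it is not Dofoil's code and not from the original post. It reproduces the Table 3 checks as plain string comparisons (the checksum algorithm of Figure 4 is deliberately not reimplemented), and the GetClassName P/Invoke, the function and parameter names, the constructed sample path and the shortcut of inspecting only each process's main window are my choices.

```powershell
# Added example: audit an analysis VM against the Dofoil environment checks in Table 3.
# Not Dofoil's code; names are compared as strings, not via the Figure 4 checksums.
Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern int GetClassName(IntPtr hWnd, System.Text.StringBuilder lpClassName, int nMaxCount);
'@

# Indicators taken from Table 3 (process names without the .exe suffix).
$vmDiskPatterns    = 'qemu', 'virtual', 'vmware', 'xen', 'ffffcce24'
$vmVolumeSerials   = 0xCD1A40, 0x70144646
$toolProcesses     = 'procexp', 'procexp64', 'procmon', 'procmon64', 'tcpview',
                     'wireshark', 'processhacker', 'ollydbg', 'idaq', 'x32dbg'
$toolWindowClasses = 'Autoruns', 'PROCEXPL', 'PROCMON_WINDOW_CLASS', 'TCPViewClass',
                     'ProcessHacker', 'OllyDbg', 'WinDbgFrameClass'

function Get-WindowClassName([IntPtr]$hWnd) {
    $sb = New-Object System.Text.StringBuilder 256
    [void][Win32.User32]::GetClassName($hWnd, $sb, $sb.Capacity)
    $sb.ToString()
}

function Test-DofoilSandboxChecks {
    param([string]$SamplePath)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Module name check: the malware looks for "sample" in its own file name.
    if ($SamplePath -and ([IO.Path]::GetFileName($SamplePath) -match 'sample')) {
        $findings.Add("sample file name contains 'sample': $SamplePath")
    }

    # 2. Volume serial number check (WMI reports the serial as a hex string).
    Get-CimInstance Win32_LogicalDisk | Where-Object VolumeSerialNumber | ForEach-Object {
        $serial = [Convert]::ToUInt32($_.VolumeSerialNumber, 16)
        if ($vmVolumeSerials -contains $serial) {
            $findings.Add(('volume {0} has blacklisted serial 0x{1:X}' -f $_.DeviceID, $serial))
        }
    }

    # 3. Disk\Enum registry key: hypervisor vendors show up in the disk device IDs.
    $enum = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Disk\Enum' -ErrorAction SilentlyContinue
    if ($enum) {
        $enum.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object {
            foreach ($p in $vmDiskPatterns) {
                if ($_.Value -match $p) { $findings.Add("Disk\Enum\$($_.Name) matches '$p': $($_.Value)") }
            }
        }
    }

    # 4. Running analysis tools (Dofoil would terminate these).
    Get-Process | Where-Object { $toolProcesses -contains $_.Name } | ForEach-Object {
        $findings.Add("analysis tool running: $($_.Name).exe (PID $($_.Id))")
    }

    # 5. Window class names of analysis tools. Only main windows are inspected here;
    #    the malware may enumerate all top-level windows, so this is an approximation.
    Get-Process | Where-Object { $_.MainWindowHandle -ne [IntPtr]::Zero } | ForEach-Object {
        $cls = Get-WindowClassName $_.MainWindowHandle
        if ($toolWindowClasses -contains $cls) {
            $findings.Add("window class '$cls' belongs to $($_.Name) (PID $($_.Id))")
        }
    }
    return $findings
}

# Constructed example path; point this at the sample you are about to run.
$result = Test-DofoilSandboxChecks -SamplePath 'C:\work\sample.exe'
if ($result.Count -eq 0) { 'No Dofoil environment check would trigger on this host.' } else { $result }
```

String comparisons in PowerShell are case-insensitive by default, which is the conservative choice here: if the real checksum is computed over a case-folded name, a differently cased tool window would still match. Rename the tools, change the volume serial and hide the hypervisor strings in Disk\Enum before expecting the downloader module to proceed past stage 4.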

Replacing process code


Dofoil relies heavily on process hollowing, the process-code replacement technique mentioned above. The main target is explorer.exe. The Dofoil shellcode starts a new instance of explorer.exe, places its shellcode in dynamically allocated memory and patches the entry-point code so that execution jumps to the shellcode. This way the malware injects code without calling the CreateRemoteThread API.

Figure 5. Modified entry-point code in explorer.exe
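Because this variant patches the entry point of a legitimately mapped explorer.exe image, the in-memory bytes at the entry point no longer match the bytes at the corresponding offset in the file on disk. The PowerShell script below is an added example (not Microsoft's or Dofoil's code) that makes that comparison for every running explorer.exe. The minimal PE header parsing, the ReadProcessMemory P/Invoke, the function names and the 16-byte comparison length are my choices; it assumes a 64-bit, elevated PowerShell session so that MainModule and process memory of other users' explorer.exe instances are accessible.

```powershell
# Added example: compare the entry-point bytes of each explorer.exe process with the
# same bytes in the on-disk image. A process whose entry point was patched to jump
# into shellcode (Figure 5) will show a mismatch. Run from 64-bit, elevated PowerShell.
Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
    byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);
'@

# Minimal PE parsing: the entry-point RVA and the file offset that backs it.
function Get-PeEntryPoint([byte[]]$Pe) {
    $ntHdr   = [BitConverter]::ToInt32($Pe, 0x3C)           # e_lfanew
    $nSec    = [BitConverter]::ToUInt16($Pe, $ntHdr + 6)    # FileHeader.NumberOfSections
    $optSize = [BitConverter]::ToUInt16($Pe, $ntHdr + 20)   # FileHeader.SizeOfOptionalHeader
    $optHdr  = $ntHdr + 24                                  # start of IMAGE_OPTIONAL_HEADER
    $epRva   = [BitConverter]::ToUInt32($Pe, $optHdr + 16)  # AddressOfEntryPoint
    $secTbl  = $optHdr + $optSize                           # first IMAGE_SECTION_HEADER
    for ($i = 0; $i -lt $nSec; $i++) {
        $s       = $secTbl + 40 * $i
        $vaddr   = [BitConverter]::ToUInt32($Pe, $s + 12)   # VirtualAddress
        $rawSize = [BitConverter]::ToUInt32($Pe, $s + 16)   # SizeOfRawData
        $rawPtr  = [BitConverter]::ToUInt32($Pe, $s + 20)   # PointerToRawData
        if ($epRva -ge $vaddr -and $epRva -lt ($vaddr + $rawSize)) {
            return [pscustomobject]@{ Rva = $epRva; FileOffset = $rawPtr + ($epRva - $vaddr) }
        }
    }
    throw 'entry point is not backed by any section'
}

function Test-EntryPointPatched {
    param([System.Diagnostics.Process]$Process, [int]$Length = 16)
    $module   = $Process.MainModule          # throws for protected or inaccessible processes
    $onDisk   = [IO.File]::ReadAllBytes($module.FileName)
    $ep       = Get-PeEntryPoint $onDisk
    $expected = $onDisk[$ep.FileOffset..($ep.FileOffset + $Length - 1)]

    # ASLR moves the image base, but the RVA stays the same, so read base + RVA.
    $actual = New-Object byte[] $Length
    $read   = [IntPtr]::Zero
    $addr   = [IntPtr]::Add($module.BaseAddress, [int]$ep.Rva)
    if (-not [Win32.Kernel32]::ReadProcessMemory($Process.Handle, $addr, $actual, $Length, [ref]$read)) {
        throw "ReadProcessMemory failed for PID $($Process.Id)"
    }
    $onDiskHex   = ($expected | ForEach-Object { $_.ToString('X2') }) -join ' '
    $inMemoryHex = ($actual   | ForEach-Object { $_.ToString('X2') }) -join ' '
    [pscustomobject]@{
        Pid      = $Process.Id
        Image    = $module.FileName
        Patched  = ($onDiskHex -ne $inMemoryHex)
        OnDisk   = $onDiskHex
        InMemory = $inMemoryHex
    }
}

Get-Process explorer | ForEach-Object {
    $p = $_
    try   { Test-EntryPointPatched -Process $p }
    catch { Write-Warning "PID $($p.Id): $_" }
} | Format-Table -AutoSize
```

Two caveats. First, this catches only hollowing that rewrites the entry point; a variant that leaves the entry point intact and redirects execution elsewhere needs a broader comparison of the whole code section. Second, on 32-bit images the first instructions can contain absolute addresses fixed up by relocations, which would look like a patch; on 64-bit explorer.exe the entry-point prologue is position-independent, so a mismatch there is a strong signal.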

Windows Defender ATP can detect the signs of process hollowing by inspecting memory operations. In the following process tree you can see the malware injecting itself into explorer.exe by hollowing the process.

Figure 6. Windows Defender ATP alert process tree: first process hollowing

When the shellcode loads the next layer of attack code, it spawns another explorer.exe process and injects the attack code into it by the same hollowing technique. In such cases Windows Defender ATP speeds up analysis considerably by pinpointing the malicious operations and flagging the suspicious behaviour of the newly created Windows system processes.

Figure 7. Windows Defender ATP alert process tree: second process hollowing

Process hollowing can also be detected by the exploit protection component of Windows Defender Exploit Guard. To do this, enable Export Address Filtering (EAF) for the explorer.exe process; the mitigation then fires when the shellcode scans the export tables of loaded modules for the addresses of LoadLibraryA and GetProcAddress.

Figure 8. EAF event in the event log

Windows Defender Exploit Guard events are also available on the Windows Defender ATP portal:

Figure 9. Windows Defender Exploit Guard event in Windows Defender ATP

Applying an EAF audit or block policy to commonly abused system processes such as explorer.exe, cmd.exe or verclsid.exe makes it easier to detect and block the process hollowing and code injection techniques that malware relies on. Because the policy can also interfere with legitimate third-party software that behaves like shellcode (walking export tables by hand), we recommend testing it in Windows Defender Exploit Guard audit mode before enforcing it permanently.
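The procedure above (audit first, then enforce, and watch the event log) in PowerShell, as an added example that is not part of the original post. It uses the ProcessMitigations module that ships with Windows 10 1709 and later; the enforce mitigation name EnableExportAddressFilter and the Microsoft-Windows-Security-Mitigations log names are documented, while the audit mitigation name AuditEnableExportAddressFilter and the EAF event IDs (13 for audit, 14 for block) are taken from the Exploit Guard documentation as I remember it and should be confirmed with Get-Help Set-ProcessMitigation on your build. The function names and the three-process list are mine.

```powershell
# Added example: roll out EAF to the system processes named above in audit mode,
# review what fires, then enforce. Assumes the ProcessMitigations module (Win10 1709+).
$targets = 'explorer.exe', 'cmd.exe', 'verclsid.exe'

function Set-EafPolicy {
    param([string[]]$Processes, [switch]$Enforce)
    # Audit first; switch to -Enforce only after the audit log is clean for your software.
    # Assumption: the audit flag is named AuditEnableExportAddressFilter on your build.
    $mitigation = if ($Enforce) { 'EnableExportAddressFilter' } else { 'AuditEnableExportAddressFilter' }
    foreach ($p in $Processes) {
        Set-ProcessMitigation -Name $p -Enable $mitigation
    }
    # Show the resulting per-process payload mitigations so the change can be verified.
    foreach ($p in $Processes) {
        Get-ProcessMitigation -Name $p | Select-Object -ExpandProperty Payload
    }
}

function Get-EafEvents {
    param([int]$Hours = 24)
    # Assumption: 13 = EAF audit, 14 = EAF block, per the Exploit Guard event table.
    $filter = @{
        LogName   = 'Microsoft-Windows-Security-Mitigations/UserMode',
                    'Microsoft-Windows-Security-Mitigations/KernelMode'
        Id        = 13, 14
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

Set-EafPolicy -Processes $targets            # step 1: audit mode
Get-EafEvents -Hours 24                      # step 2: who walked the export tables?
# Set-EafPolicy -Processes $targets -Enforce # step 3: once audit shows no false positives
```

Every audit event names the process and the module whose export table was walked; legitimate hits (some shell extensions, instrumentation agents, anti-cheat or DRM components) are the reason the audit phase exists, and an EAF block on a process that is not on your list of intentional exceptions is worth triaging as possible injection.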

Command and Control (C&C) and NameCoin Server Domains


Dofoil is careful about connecting to its C&C servers. The trojan code first tries to connect to well-known websites to make sure that an Internet connection exists and is real rather than simulated by a test environment. Once the connection is confirmed, the malware talks to the actual C&C servers over HTTP.

Figure 10. Connecting to known servers to test Internet connectivity

The malware reaches its C&C servers through NameCoin domain names. NameCoin is a decentralized, blockchain-based naming system that provides a high degree of anonymity. Resolving a NameCoin (.bit) name is not much different from an ordinary DNS query, but the client has to send it to specific NameCoin-aware DNS servers. Since NameCoin records live on a blockchain, the block history can be used to trace changes to a domain's records.

Figure 11. DNS change record for malicious hosts ( https://namecha.in/name/d/vrubl )

Windows Defender ATP lets you track the malware's network activity. The following alert process tree shows the malicious process resolving the .bit domain names of the C&C servers and connecting to them. Other actions of the executable are visible as well, such as connections to other servers on SMTP ports.

Figure 12. Windows Defender ATP alert process tree: connecting to C&C servers after name resolution through NameCoin servers

The Windows Defender ATP advanced hunting feature, available as a preview at the time of writing, can find other malware samples that use NameCoin servers. For example, the following query lists recent connections to them, which can surface other threats communicating with the same NameCoin infrastructure.

Figure 13. Advanced hunting for threats using the same NameCoin servers
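The same hunt can be run on a single host without the portal, using Sysmon telemetry instead of Windows Defender ATP's network events. The PowerShell below is an added example, not Microsoft's advanced hunting query and not from the original post; it assumes Sysmon is installed with DNS query logging (event ID 22) and network connection logging (event ID 3) enabled, both of which are Sysmon's documented event types. The function names, the 24-hour window and the join on ProcessId are my choices.

```powershell
# Added example: local hunt for the behaviour in Figure 12 using Sysmon events.
# Assumes Sysmon with DnsQuery (ID 22) and NetworkConnect (ID 3) logging enabled.
function Get-SysmonData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $x = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

function Find-NamecoinResolvers {
    param([int]$Hours = 24)
    $log   = 'Microsoft-Windows-Sysmon/Operational'
    $since = (Get-Date).AddHours(-$Hours)

    # Step 1: processes that looked up .bit names (the NameCoin TLD).
    $dns = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 22; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-SysmonData $_ } |
        Where-Object { $_.QueryName -match '\.bit$' }

    # Step 2: every connection made by those processes, so the NameCoin resolver,
    # the C&C host and any side activity (such as SMTP) appear next to the lookup.
    $pids = $dns | ForEach-Object { $_.ProcessId } | Sort-Object -Unique
    $net  = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-SysmonData $_ } |
        Where-Object { $pids -contains $_.ProcessId }

    foreach ($q in $dns) {
        [pscustomobject]@{
            Time        = $q.UtcTime
            Image       = $q.Image
            Pid         = $q.ProcessId
            QueryName   = $q.QueryName
            QueryResult = $q.QueryResults
            Connections = ($net | Where-Object ProcessId -eq $q.ProcessId |
                           ForEach-Object { "$($_.DestinationIp):$($_.DestinationPort)" } |
                           Sort-Object -Unique) -join ', '
        }
    }
}

Find-NamecoinResolvers -Hours 24 | Format-Table -AutoSize -Wrap
```

A .bit lookup from any process other than a NameCoin client is itself a strong indicator, because Windows' own resolver cannot answer it; the destination of the accompanying UDP/53 connection tells you which NameCoin DNS server the sample is hard-coded to use, which is a pivot for finding related samples.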

The NameCoin system is designed to make domain takeover (sinkholing) difficult. NameCoin records are not controlled by any central registrar, so they cannot be changed at the request of law enforcement. Moreover, the malware relies on a number of NameCoin DNS servers, and it is very hard to take them all down.

Conclusion


Dofoil is a sophisticated piece of malware. It uses a variety of checks on the system environment and on the authenticity of the Internet connection so that it runs only on real machines and not in analysis environments or virtual machines. All of this slows down analysis and confuses automated research systems.

In Dofoil campaigns, Windows Defender Advanced Threat Protection helps security professionals reconstruct the sequence of events on the victim's machine and get detailed information on process activity, C&C connections and process hollowing operations. Windows Defender ATP can also serve as an analysis platform for detailed tracking of system operations in a test environment, saving considerable time and resources when investigating an infection.

In addition, Windows Defender Exploit Guard can help detect malicious shellcode that scans export address tables. It is a useful tool for detecting and blocking both exploit and malware activity.

Windows Defender Exploit Guard events are also visible in the Windows Defender ATP portal, where other Microsoft security solutions are integrated as well, including Windows Defender Antivirus and Windows Defender Application Guard.

To see in practice how Windows Defender ATP helps detect, analyze and respond to sophisticated attacks, sign up for a free trial.

Matt Oh, Stefan Sellmer, Jonathan Bar Or, Mark Wodrich
Windows Defender ATP Research Team

Source: https://habr.com/ru/post/353250/
