Targeted Attack Research

    We recently analyzed four malicious tools that were used in targeted attacks against users in Taiwan and Vietnam. Our telemetry shows that this malware was delivered to users through phishing email campaigns. One of the malware files was delivered to the user's system via the web-based email interface of a Vietnamese government agency. The attackers used crafted phishing e-mails with convincing text, together with decoy documents, to lure the user and enhance the effect of the attack.



    Based on the results of this study, we were able to establish the following facts:

    • The same malicious component has been used several times across these campaigns.
    • The attacks required manual intervention by the attacker (operator).
    • The attacks show traces of the well-known APT1 group (aka Comment Crew).
    • The initial attack vector for installing the malicious code was phishing messages that purported to contain important documents.
    • Poor preparation by the attackers: typos in the configuration, naive implementations of cryptographic algorithms, and unpolished code.
    • Malicious programs with clearly defined behavior: one of the threats does not persist across a reboot, while the other performs no malicious functions until after a reboot.



    Fig. The analyzed threats.

    The figure above shows that the initial dropper installs two other threats, called Agent.NJK and Terminator RAT, on the system.

    Knowing the characteristics of this dropper, it was not difficult for us to find other fragments of malicious code associated with it in our collection. The table below gives their characteristics. It can be seen that the attackers deliberately disguised them as Office files.




    Fig. Executable threat files disguised as MS Word documents.

    On launch, these droppers decrypt their configuration parameters using a simple XOR with a single-byte key. Pseudocode of this algorithm in Python is shown below. The configuration data is stored at the end of the last section of the executable file and occupies 32 bytes. It holds a checksum, offsets to important parts of the file and their lengths, organized in the structure whose format is shown below. The checksum field of the structure is compared with a value hard-coded in the dropper; in this way the malicious code checks the integrity of the decrypted data.


    Fig. Pseudocode of the encryption algorithm and service structure format.

    The first thing the dropper does is extract two files from itself: an executable and a decoy Word document that will be shown to the user. Both files are placed in the user's temporary folder, and each is decrypted with the simple XOR described above. After extracting the files, the dropper launches the extracted executable, then copies its own body to another directory and runs that copy from there with additional command-line parameters: the full path to the original dropper file and the path to the Word document.



    The dropper copy running from the new directory waits for its parent process to exit, after which it deletes the parent's file and moves the phishing document into the temporary files directory. Finally, it calls ShellExecuteW to open this Office document; the document opens in whatever program the registry associates with .doc files. This step mimics the action expected by a user who launched a dropper disguised as a document.


    Fig. The operations performed by the dropper.

    Such a seemingly simple approach to deceiving users is quite effective. Everything the dropper does happens unnoticed by the user, after which the requested document is opened for them. If the malicious program performs its initial actions with minimal delay, the user may notice nothing at all. A similar compromise tactic was used by the APT1 group, as reported by Mandiant. Note that in this case the attackers do not need to resort to exploits to install malicious code.


    Fig. Vietnamese phishing document.


    Fig. A similar document for users residing in Taiwan.

    The dropper uses two different methods to hide API function calls: it contains its own GetProcAddress implementation, with the function names stored as plain strings in the code, and it also calls the standard implementation with encrypted names. From the code it is clear that it was not written in a high-level language: some objects are opened with maximum access rights, and various parts of the code are copy-pasted throughout its body.


    Fig. Metadata of Vietnamese and Taiwanese documents.

    Win32/TrojanProxy.Agent.NJK

    The first executable file that we analyzed is detected by our products as Win32/TrojanProxy.Agent.NJK. This malware is written in Visual C++ and communicates with remote C&C servers over HTTP. In the analyzed modification, three C&C server addresses are used, all with the same domain vietnam.vnptnet.info but with different ports (80, 443 and 5050).

    Communication with the C&C runs in a loop with a 15-minute delay, during which the malicious code tries to contact the server on the three ports listed above. Interestingly, the threat takes no action to persist across a reboot, i.e., on a compromised computer it remains active only until its work is completed or the system is rebooted. The malicious file itself does not obfuscate the strings it uses.


    Fig. The main cycle of malicious code.

    When interacting with the C&C server, the malicious code sends information about the system in an HTTP GET request, with a distinctive string in the User-Agent field. The data is 105 bytes long and is sent as a hex sequence in the query string of the GET request. It contains: the campaign identifier; the host's internal IP address; the computer name; the Windows version ID; and the name of the account under which the malicious process runs. Strangely, no encryption is applied to the transmitted data; it is sent in the clear.


    Fig. The format of data sent by malicious code to a remote server.

    The transmitted data, together with the request, looks like this.


    Fig. An example of a GET request with transmitted data.

    The server responds to this request with an ordinary header, except that an Accept field with the value "x-wav/y-img" is added to it. The malicious program will not accept a response from the server if this field is missing from the response header. Note that the Accept field is normally sent by the client in request headers, but here it is the reverse: the server must respond with a header containing this field. We noticed that the commands sent by the C&C are always 796 bytes in size, and the first integer value in the command data is its identifier (command ID). The following commands are supported by the malicious code.



    The Agent.NJK code contains a curious string, "I want to go to THE GREAT WALL, inner Mongolia very much", and credentials (somnuek.bu/044253516) for accessing a proxy service. At the same time, analysis of the malicious code shows that these credentials are not used anywhere. A Google search led us to a person with that name on a social network. We have no data on how this person relates to the campaign.

    It should be noted that the CPT-NMC string, which identifies the campaign itself (campaign identifier), is sent again to the remote server later. CPT stands for Central Post and Telecommunications Department, a branch of the Vietnamese government. Note also that the domain used for the C&C server (vnptnet.info) closely resembles the Vietnamese address vnpt.vn, which belongs to the same CPT institution. Most likely this name was chosen to disguise the domain in the logs of systems such as an Intrusion Detection System (IDS), which record traffic passing through a computer or the network. The phishing documents we described at the beginning, used to lure users, contain text about telecommunication systems. The documents themselves contain various graphs and charts that try their best to lull the potential victim and convince them that the document is genuine. It appears that this attack was aimed at the Vietnamese CPT institution; Vietnamese officials reported an attack on their infrastructure this year.

    We observed how the operator interacts with an infected system. Below is a log of such an interaction.


    Fig. Commands sent by the operator to the Agent.NJK bot.

    These operations are reconnaissance, i.e., they collect data about the compromised system: netsta(t) is used to view current network connections, then information about the logical disks in the system is obtained, environment variables are listed, and the location of certain files is queried. The typo netsta instead of netstat in the second command indicates that these commands are not sent to the bot by an automated system; a human operator is behind them. We have observed this before in the Syndicasec targeted attack.


    Fig. The bot transmits data on current network connections in the clear.


    Fig. Closing session of C&C with the bot.

    In the last screenshot, at point 2, it can be seen that the server disconnects by sending a TCP RST (reset). After sending the reset the server's behavior changes: once the client has received it, the client can no longer connect to any of the three ports.


    Fig. The server refuses the client's connection after it has previously sent a TCP reset.

    The absence of persistence mechanisms in the malicious code reinforces our hypothesis that this is a targeted attack, since the attackers want to leave as few traces as possible on a compromised system. A common practice with such malicious code would be to identify potential victims in the organization, send a phishing email, wait for the bot to call back, and finally examine the compromised computers through it. In our case, the bot supports commands for downloading other executables to the system (3004) and subsequently installing them (3011), so it can be used to perform several other actions.
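    To illustrate the Agent.NJK exchange described above, here is an added Python example (not code from the original analysis) that applies its three observable traits to an HTTP exchange: a 105-byte hex-encoded beacon in the GET query string, an Accept: x-wav/y-img header in the server response, and a 796-byte command whose first integer is the command ID. The request path, the parameter name and the sample bytes are constructed placeholders, and little-endian byte order for the command ID is an assumption.

```python
"""Checks for the Agent.NJK HTTP exchange (added example, constructed samples)."""
import struct
from urllib.parse import parse_qsl, urlsplit

BEACON_LEN = 105            # bytes of system info, hex-encoded in the query string
COMMAND_LEN = 796           # every C&C command observed had this size
ACCEPT_MARKER = "x-wav/y-img"


def beacon_payload(request_line: str):
    """Return the decoded 105-byte beacon if a GET query value carries one, else None."""
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        return None
    for _name, value in parse_qsl(urlsplit(target).query):
        if len(value) == BEACON_LEN * 2:
            try:
                return bytes.fromhex(value)
            except ValueError:
                continue
    return None


def response_has_accept_marker(raw_response: bytes) -> bool:
    """True if a *response* header carries Accept: x-wav/y-img.

    Clients, not servers, normally send Accept, so this is a strong signal."""
    head, _sep, _body = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    if not lines[0].startswith("HTTP/"):
        return False
    for line in lines[1:]:
        name, _sep, value = line.partition(":")
        if name.strip().lower() == "accept" and value.strip() == ACCEPT_MARKER:
            return True
    return False


def command_id(body: bytes):
    """Return the command ID (first integer of a 796-byte command) or None."""
    if len(body) != COMMAND_LEN:
        return None
    return struct.unpack("<I", body[:4])[0]     # little-endian assumed


def analyse(request_line: str, raw_response: bytes) -> dict:
    """Combine the three checks into one verdict for an HTTP exchange."""
    body = raw_response.partition(b"\r\n\r\n")[2]
    return {
        "beacon": beacon_payload(request_line),
        "accept_marker": response_has_accept_marker(raw_response),
        "command_id": command_id(body),
    }


# Constructed sample exchange (not a real capture): the path and parameter name
# are placeholders; the command body carries ID 3004 (download executable).
SAMPLE_BEACON = bytes(range(BEACON_LEN))
SAMPLE_REQUEST = f"GET /index.asp?id={SAMPLE_BEACON.hex()} HTTP/1.1"
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nAccept: x-wav/y-img\r\n"
                   b"Content-Length: 796\r\n\r\n"
                   + struct.pack("<I", 3004) + b"\x00" * (COMMAND_LEN - 4))
BENIGN_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"

if __name__ == "__main__":
    print(analyse(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```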

    Terminator RAT (aka FAKEM RAT)

    This threat is detected by our antivirus products as Win32/Protux.NAR. While analyzing the part of this malware that implements encryption and handles C&C communication, we found that it had previously been analyzed by malware.lu and Trend Micro under the names Terminator RAT and FAKEM RAT. However, the samples we analyzed differ from those these companies dealt with. It should also be noted that FireEye has released its own analysis of one modification of this malware.

    Compared to Agent.NJK, this threat is more complex. First, configuration data and strings are encrypted using a slightly modified version of the XTEA algorithm. XTEA uses a 128-bit key and operates on 64-bit blocks.


    Fig. XTEA as it is implemented in the studied modification of Terminator RAT.

    The XTEA implementation is rather naive: it uses the weakest block cipher mode, ECB, in which each block is encrypted independently, as shown in the screenshot below. 64-bit blocks of zeros are therefore always encrypted to the same ciphertext.
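    The following added example (not the malware's own code) implements standard XTEA in ECB mode to show why the encrypted configuration contains a visible pattern: identical 64-bit plaintext blocks always produce identical ciphertext blocks, and an analyst can count repeated blocks to spot this. The key, the plaintext and the little-endian word order are constructed assumptions; the sample's modifications to XTEA are not reproduced.

```python
"""Standard XTEA in ECB mode, showing the repeated-block weakness (added example)."""
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
ROUNDS = 32


def _words(key: bytes):
    """128-bit key as four 32-bit words; little-endian layout is an assumption."""
    return struct.unpack("<4I", key)


def xtea_encrypt_block(v0: int, v1: int, k) -> tuple:
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return v0, v1


def xtea_decrypt_block(v0: int, v1: int, k) -> tuple:
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return v0, v1


def ecb_encrypt(data: bytes, key: bytes) -> bytes:
    """Each 8-byte block is encrypted on its own: equal blocks give equal ciphertext."""
    if len(data) % 8:
        raise ValueError("data must be a multiple of 8 bytes")
    k = _words(key)
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, off)
        out += struct.pack("<2I", *xtea_encrypt_block(v0, v1, k))
    return bytes(out)


def ecb_decrypt(data: bytes, key: bytes) -> bytes:
    k = _words(key)
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, off)
        out += struct.pack("<2I", *xtea_decrypt_block(v0, v1, k))
    return bytes(out)


def repeated_blocks(ciphertext: bytes, size: int = 8) -> int:
    """Count ciphertext blocks that occur more than once: a quick ECB tell-tale."""
    blocks = [ciphertext[i:i + size] for i in range(0, len(ciphertext), size)]
    return sum(1 for b in blocks if blocks.count(b) > 1)


# Constructed key and plaintext (not the sample's real key or configuration):
# a short field padded with zero bytes, the way zero-padded configuration looks.
SAMPLE_KEY = bytes(range(16))
SAMPLE_PLAIN = b"9000\x00\x00\x00\x00" + b"\x00" * 24

if __name__ == "__main__":
    ct = ecb_encrypt(SAMPLE_PLAIN, SAMPLE_KEY)
    print(ct.hex(), "repeated blocks:", repeated_blocks(ct))
```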


    Fig. An example of encrypted text that starts at 0x404198 and contains an obvious pattern.


    Fig. Decrypted text at the same address.


    Fig. Part of the configuration of the malicious code is encrypted.

    (1) XTEA key, (2) two port numbers (9000, 9090) and some other data, (3) various strings obfuscated by interleaved zero bytes.


    Fig. Decrypted configuration data.

    (1) the directory in which the malware is installed (located in %APPDATA%), (2) the names given to the installed component files, (3) the C&C domain, (4) the name of the directory in the resource section where the payload is stored, (5) a registry key used to start after a reboot (ensures persistence).

    After starting, Protux.NAR dynamically fills in the function address variables in its file body (addresses of functions not declared in the import table). For this it uses a custom GetProcAddress implementation, as TrojanProxy.Agent.NJK does. The strings used to obtain the function addresses are not encrypted and are stored in the body of the malicious code in the clear.

    Next, Win32/Protux.NAR changes the registry value that sets the path to the Startup folder (the "Startup" directory used for autorun) to the new value "%APP_DATA%\2019", copies the files already present in the old path to the new location, and arranges for its own body to be moved to that location ("%APP_DATA%\2019") under the name "svchost .exe" via MoveFileEx with the MOVEFILE_DELAY_UNTIL_REBOOT flag. In addition, it extracts another PE file from its body and copies it to a directory under the name "winslogon.ini", scheduling a delayed rename (again via MOVEFILE_DELAY_UNTIL_REBOOT) to "winslogon.exe"; this file is used as the proxy tunnel component.


    Fig. A code execution thread that demonstrates the above operations.

    As can be seen, the malicious code relies heavily on the MOVEFILE_DELAY_UNTIL_REBOOT flag of MoveFileEx. This is the OS mechanism for moving executable files that are running at the time of the call, and it also helps avoid triggering the heuristics of anti-virus products or other malware detection technologies.

    To avoid detection by security products on subsequent launches, it tries to copy its file to the temporary files directory (GetTempPath() + "~7ti2") and appends a few random bytes to the end of the file, which changes the file's hash. It then overwrites the original file using MoveFileEx with the flags MOVEFILE_DELAY_UNTIL_REBOOT and MOVEFILE_REPLACE_EXISTING.


    Fig. A more visual representation of the malicious code operations described above.

    After the reboot, when Windows launches every executable in the Startup directory, the two malware files svchost .exe (the main component) and winslogon.exe (the proxy tunnel component) are executed. The main component decrypts the configuration and strings, and also starts an auxiliary thread whose behavior depends on which directory the original file was launched from.

    Next, the malicious code allocates a memory block, copies the resource with identifier 0x8A from the resource directory named ACCELORATOR into it, and decrypts it by byte-wise XOR with the key 0x32. Note that the resource directory name is ACCELORATOR, not ACCELERATOR. The decrypted data is executable code that runs regardless of its initial location (position-independent code). Before transferring control to this memory block, the malicious code obtains the computer's current IP address, XOR-encrypts it, and copies it together with port number 8000 to a fixed offset in the code. These XOR operations use the same static key 0x32.


    Fig. The process of loading and executing code from a resource section.

    The code copied into the memory block makes non-standard use of registers, which probably indicates that it was written in assembler. For example, to fill in the addresses of dynamically imported functions, it uses its own GetProcAddress implementation with a predefined table of ROR hashes of the function names. This method is rarely seen in programs compiled from a higher-level language. This link provides more information on the use of assembler.
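    An added example (not the RAT's code) of how an analyst resolves such a hash table back to names: compute the ROR hash of every export name from a DLL and look the hashes recovered from the code up in that table. The rotation count is not stated in the text; 13 is assumed here and kept as a parameter so other counts can be tried, and the export list is constructed.

```python
"""Reverse lookup of ROR-hashed API names (added example; rotation count assumed)."""
ROR_BITS = 13   # ASSUMPTION: the analysis does not state the count; 13 is the usual choice


def ror32(value: int, bits: int) -> int:
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def ror_hash(name: str, bits: int = ROR_BITS) -> int:
    """Hash used by hash-based GetProcAddress replacements: rotate, then add each character."""
    h = 0
    for ch in name.encode("ascii"):
        h = (ror32(h, bits) + ch) & 0xFFFFFFFF
    return h


def build_lookup(export_names, bits: int = ROR_BITS) -> dict:
    """Precompute hash -> name over an export list (e.g. dumped from a DLL's export table)."""
    table = {}
    for name in export_names:
        h = ror_hash(name, bits)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} / {name}")
        table[h] = name
    return table


def resolve_table(hashes, export_names, bits: int = ROR_BITS) -> list:
    """Map a table of hashes recovered from the code to names; None for unknown hashes."""
    lookup = build_lookup(export_names, bits)
    return [lookup.get(h) for h in hashes]


# Constructed export list standing in for a real export table dump.
SAMPLE_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateThread",
                  "WSAStartup", "connect", "send", "recv"]

if __name__ == "__main__":
    recovered = [ror_hash(n) for n in ("VirtualAlloc", "connect")] + [0xDEADBEEF]
    print(resolve_table(recovered, SAMPLE_EXPORTS))
```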

    The next thing Protux.NAR does is create an event named "sxX5{c4", which marks the malicious code as running and prevents several copies from being active at once. Communication with the C&C servers goes through three addresses, which are polled in a loop with a 30-second timeout. Two of the addresses are domains stored in the XTEA-encrypted configuration data shown in the screenshot above. The third is the pair of the compromised system's own IP address and port 8000 (used for proxy tunneling). As soon as a connection to the C&C is established, the malicious code sends information about the compromised system in a 1024-byte packet, whose format is shown below.


    Fig. Data sent by the bot to the remote server about the compromised computer.

    The main fields in the packet are Username and Computer name, each 128 bytes in size. Another interesting field is the current code page (Codepage) used on the system, 4 bytes in size. The packet also contains three more integer fields: two of them take the values 0x130 and 0 (1), and the other takes the value 0x30005 (2). These values coincide with those of the corresponding fields in the malware samples analyzed by FireEye. Field 3 contains a string and is possibly a campaign ID.

    The interaction with the C&C is encrypted using a simple scheme: each byte of the stream is XORed with a byte of the key, and the result is then rotated right (ROR) by three positions. The key is static: "YHCRA". The algorithm is shown below.


    Fig. Encryption when working with the management server used in Terminator RAT.
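    An added example (not the original code) of the traffic scheme just described, written so that captured packets can be decoded: XOR with the cycling key "YHCRA", then ROR by 3, and the inverse; it also reads the 4-byte command ID that opens a server packet. It assumes the key index restarts at the beginning of each packet and that the command ID is little-endian; the sample packets are constructed.

```python
"""Terminator RAT C&C traffic codec: XOR with "YHCRA", then ROR 3 (added example)."""
import struct

TRAFFIC_KEY = b"YHCRA"      # "ARCHY"[::-1]


def ror8(x: int, n: int) -> int:
    return ((x >> n) | (x << (8 - n))) & 0xFF


def rol8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def encrypt_stream(data: bytes, key: bytes = TRAFFIC_KEY) -> bytes:
    """Bot side: XOR each byte with the cycling key byte, then rotate right by 3.

    ASSUMPTION: the key index restarts at zero for every packet."""
    return bytes(ror8(b ^ key[i % len(key)], 3) for i, b in enumerate(data))


def decrypt_stream(data: bytes, key: bytes = TRAFFIC_KEY) -> bytes:
    """Analyst side: undo the rotation first, then the XOR."""
    return bytes(rol8(b, 3) ^ key[i % len(key)] for i, b in enumerate(data))


def command_id(raw_packet: bytes, key: bytes = TRAFFIC_KEY) -> int:
    """Decrypt a captured server packet and read the 4-byte command ID at its start.

    Little-endian byte order is an assumption."""
    return struct.unpack("<I", decrypt_stream(raw_packet[:4], key))[0]


# Constructed packets (not captured traffic): a server packet carrying command
# 0x211 and a bot beacon with a user name padded to a 128-byte field.
SAMPLE_COMMAND = encrypt_stream(struct.pack("<I", 0x211) + b"\x00" * 12)
SAMPLE_BEACON = encrypt_stream(b"analyst".ljust(128, b"\x00"))

if __name__ == "__main__":
    print(hex(command_id(SAMPLE_COMMAND)))
    print(decrypt_stream(SAMPLE_BEACON).rstrip(b"\x00"))
```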

    The packet representing the server response contains the command identifier in its first four-byte field. The malicious code supports the following commands.



    Our colleagues at Trend Micro managed to capture an actual attack and what auxiliary operations the C&C server hands to the bot in response to command 0x211. These involve operations performed with: a command line, a file manager, a process manager, a registry editor, a screenshot capture module, a password theft module and a file upload module. As can be seen, the range of actions is very extensive.

    We have detected the following C&C domains in this malicious code.



    As can be seen in the table above, domain (1) contains a trailing space, which means DNS resolution of this domain to an IP address will fail. Domain (2), as we noted above, is obtained using the gethostname and gethostbyname functions. The domains 25u.com and 4dq.com are managed through the changeip.com dynamic DNS service, located in the USA. The address 123.51.208.142 belongs to Taiwan.

    The table below shows the differences between the modifications of the malware studied by the anti-virus laboratories mentioned above.



    At the same time, there are similarities between the modifications analyzed by the above anti-virus companies:

    • The same traffic encryption algorithm ("ARCHY"[::-1] XOR / ROR3).
    • The same set of data transmitted as a payload over the network (1024-byte block).
    • The same C&C commands (0x211, etc.).
    • Most of the C&C infrastructure relies on a dynamic DNS service.

    It can be stated that Terminator RAT lacks a consistent design in its implementation. Evidently the attackers modified it repeatedly to achieve their goals in the corresponding attacks. The presence of several encryption mechanisms and two methods for resolving function addresses supports this assumption. In addition, the malicious code encrypts the information transmitted to the C&C, yet stores its strings in clear text in the position-independent code, which hardly speaks for the chosen approach. Finally, some functions have been awkwardly patched by adding auxiliary features, such as encryption/decryption, as shown in the screenshot below.


    Fig. Encryption function in Terminator RAT.

    The variable xtea_flag (1) determines the purpose of the call: XTEA encryption (2) or XOR with a fixed one-byte key (3). Evidently one of the code fragments implementing these algorithms was added later.

    In fact, it is useful to have several analyses of the same malware family, since we can see the changes between modifications and the campaigns in which they were used. In the case of Terminator RAT, both malware components and infrastructure components have changed between attacks: the XTEA keys, the network packet headers, and the name of the executable responsible for the proxy tunnel. On the infrastructure side, the DDNS provider and the C&C IP addresses have changed.

    Now we turn to the proxy tunnel component, which FireEye has already described in detail under the name sss.exe. It is used when the malicious code lands on a network that does not allow direct outgoing connections to the server (i.e., a proxy is in use). In that case the module opens port 8000 and forwards connections made through it via the legitimate proxy configured on the computer. To connect to the C&C through this proxy, the HTTP CONNECT method is used.

    In the modification we investigated, the file of this proxy tunnel module is called winslogon.exe. We also found the encrypted log file left by this component at the hard-coded path %TEMP%\~DF3bbs.tmp. The file can be decrypted using XOR with the key 0xAB, as shown below.


    Fig. The log decryption function of the proxy tunnel component.

    To prevent multiple copies of this module from running in memory, it uses an event object whose name contains a non-printable character with code 0x13. Adding such a component to Terminator RAT expands the threat's data theft (exfiltration) capabilities, and since it is a component independent of the RAT, it can easily be reused in another modification of the malicious code. This component is not easy to identify as malicious at first sight, because it performs no obviously malicious functions. Moreover, hiding the payload in position-independent code makes static analysis of the RAT quite problematic.

    Conclusion

    While analyzing the malware files, it became apparent that none of them were packed to hinder analysis. We also did not see a single exploit that could have helped the attackers achieve their goals more effectively. In addition, the malicious code itself is not well written, which indicates a not very professional level of training of the attackers. The list of shortcomings goes on: poorly implemented cryptographic algorithms, typos in the commands entered by the operator, errors in the configuration of C&C domains. It seems that whoever commissioned this attack allocated a very small budget to it.

    Win32/TrojanDropper.Small.NNK
    58e1dfa7ace03a408d2b20c1fab6e127acbdc71f492366622cd5206484443ed7
    3f58a0ea8958c5bf88aa9cfcefe457393f0a96bba9f05f301ba6a15b65d5b64a

    Win32/TrojanProxy.Agent.NJK
    54c5517541187165fd9720dfe8cff67498d912d189d649cc652d8b113bae8802

    Win32/Protux.NAR (Terminator RAT)
    425a919cb5803ce8fabb316f5e1be611f88f5c3813fffd2b40f2369eb7074da9

    Win32/Protux.NAR (Terminator RAT) with tunnel proxy
    a6cc9fbcb3d806fefb4d0f2f6d1c04b81316593dfe926b4477ca841ac17354e2
