Potao Operation: Analysis of cyber espionage malware, part 2

    In terms of its capabilities, the Win32 / Potao malware has many common characteristics with the BlackEnergy Trojan. Before we begin to consider the technical capabilities of Potao, consider the origin of the name of this family of malware.



    The first Potao samples contained the encrypted GlobalPotao string in their body . Other Potao samples that are also detected by ESET antivirus products contain the names Sapotao and node69 . These words were used in the names of DLL files of Potao libraries, as well as in the lines of PDB paths inside executable files. The following are examples of strings with paths to a PDB file with Potao debugging symbols.


    Fig. 21. The path to the PDB file in the body of the malware file.


    Fig. 22. The path to the PDB file in the body of the malware file.


    Fig. 23. The path to the PDB file in the body of the malware file.


    Fig. 24. The path to the PDB file in the body of the malware file.

    The Potao malware family is a typical example of a tool that is used by cybercriminals to cyber espionage and exfiltration various confidential information from an infected computer and then send it to a remote cybercriminal server.

    Like many other malicious programs, Potao is installed on the system through a special malicious file called a dropper. The possible distribution vectors of Potao droppers are re-indicated below.

    • Phishing emails and SMS messages that contain links to dropper files. The dropper executable file is masked using the icon of documents such as Word, Excel, PDF.
    • Infection using a previously compromised removable USB drive.
    • Distribution using malicious modifications of TrueCrypt encryption software (Win32 / FakeTC).

    The dropper Potao is executed in two stages. At the first stage, it extracts the executable PE-file from itself and dumps it into the directory with temporary files% temp%. It also dumps the decoy document file into the current directory and opens it to mask the actions in the OS to install the malicious program in the system. The executable extracted by the dropper extracts the DLL library from itself using the RtlDecompressBuffer API function . The library is flushed to the following location:

    % APPDATA% \ Microsoft \% LUID% .dll

    Then the library will be embedded in the process explorer.exe. Before directly flashing the DLL to disk, the executable file of the malicious program performs special actions. It corrects one of the names of the exported function in the associated element of the export table to the special value of the LUID. The screenshot below shows the function code of the malicious program that performs this operation and renames the specified function name to "_85fc". As a result, each DLL flushed to disk will have a different hash.


    Figure 25. Potao dropper function, which specializes in modifying the name of a DLL export in memory.


    Figure 26. Result of modification of the name of the exported library function.

    To execute its DLL, Potao uses a standard Windows application called rundll32.exe, and to ensure its survival in the system, the following registry key with the% LUID% parameter.

    HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run

    As we have already pointed out, Potao uses a modular architecture and its capabilities can be expanded using additional plug-ins.


    Fig. 27. General architecture of Win32 / Potao.

    During the installation of the malicious program into the system, the dropper will inject the above DLL into the explorer.exe process. After checking the presence of a special mutex in the system, the malicious code will also be embedded in the address space of such working processes as web browsers, Skype, uTorrent. Part of the malicious code embedded in the explorer.exe context will be responsible for downloading and executing Potao plugins, and the code embedded in programs with a network connection will be responsible for interacting with the C & C server. The interaction between these parts is through a named pipe.

    Plugin Overview

    The main DLL mentioned above performs only the most basic functions of a malicious program. Responsibility for implementing the functions of espionage rests with downloadable plugins (modules). Malicious code loads plugins every time it is launched in the system, this indicates that they are not stored on the hard drive. There are two types of plugins, the first Full, and the second Light. Executable files of plug-ins of the first type export a function named Plug , and files of plug-ins of the second type export a function of Scan. The difference between the two types is how each of them collects the necessary information and returns it to the client. Full plugins work continuously until the system reboots, Light plugins finish their work immediately after returning the buffer with the required information.

    In the process of tracking the activities of the Potao botnet, we discovered plugins signed with a digital signature (Fig. 28).


    Fig. 28. Information about the digital certificate with which some Potao plugins have been signed.

    The name of the organization “Grand Torg”, to which the certificate was issued, can be interpreted as “Big Market”. However, we could not find an organization with that name. The Serial Number of the certificate is 0453B96EB039AFD6C9988C8CB698E7C9, and its revocation was carried out at the following time: Aug 19 00:00:00 2014 GMT. Since the revocation date actually coincides with the date of issue, all digital signatures that were made by this certificate were invalid. This fact leads us to the conclusion that the certificate was used by malicious users from the very beginning for malicious purposes and was not stolen from any vendor.

    The table below lists the Potao plugins known to us.





    Interaction with the managing C & C server

    The Win32 / Potao samples we analyzed contained several different IP addresses for the C&C server control. The addresses were encrypted in the body of the malicious program. Below is a list of these addresses.

    87.106.44.200:8080
    62.76.42.14-00-0043
    62.76.42.14:8080
    94.242.199.78:443
    178.239.60.96:8080
    84.234.71.215:8080
    67.103.159.141:8080
    62.76.184.245:80
    62.76.184.245:443
    62.76.184.245:8080

    The malware picks one of these addresses and tries to establish a connection. As you can see from the list of ports used, interaction can be performed both over HTTP and HTTPS. Interaction with the server is accompanied by the use of strong cryptographic algorithms in two stages. At the first stage, the keys are exchanged, and at the second there is a direct data exchange. In fig. 29 this process is presented more clearly.


    Fig. 29. The key exchange processes between the bot and the C & C server, as well as the network interaction between them.

    When the bot first interacts with the C & C server (1), it sends a request in the POST format of the HTTP protocol. Data sent by the bot is encapsulated using the XML-RPC protocol. It is interesting to note that the methodName parameter, equal to the value 10a7d030-1a61-11e3-beea-001c42e2a08b, was always present in the traffic we analyzed.


    Fig. 30. The initial POST request for the HTTP protocol that the bot sends to the server.

    After receiving the above request, the C & C server generates the RSA-2048 (2) public key and signs it with another, RSA-2048 (3) private static key.


    Figure 31. The response of the C&C server to the first bot request, which is the RSA-2048 public key signed with a private key, encoded using base64.

    When the bot receives the RSA-2048 public key signed by the server, it checks its signature (signature) using the corresponding static public key, which is located in the malicious program file (5). If the verification was successful (key signature is valid), the received key (6) will be used to encrypt data in the next step. The public RSA-2048 key, hard-wired into the body of the malware, has the form.



    At the second stage, the bot generates an AES-256 symmetric key (7). This so-called The session key is encrypted using the received RSA-2048 public key (8) and sent to the C&C server (9).

    Data transmitted from the server to the bot is encrypted using the AES-256 key (12) (13) and decrypted by it on the server side (14).

    Leaving aside the technical details of the implementation of the above cryptographic algorithms in the malicious code, let us consider the format of the protocol of interaction between the bot and server. The bot sends the request to the server in encrypted form, the request format is indicated below.

    id = 4699807581825067201mapt & code = 0 & sdata = ver: 5.1.2600 lv: 2.8.0002 comp: COMPUTER adm: 1 x: 0 p: firefox.exe & md5 = & dlen = 0

    It can be seen that the request contains the identifier (ID) of the computer, campaign ID, OS version , malware version, computer name, current privileges of the user account, bit depth of the OS (32 or 64 bits), as well as the name of the current process.
    The server responds with data in the following format.

    code =% CMD% & data =% PAYLOAD_BASE64_ENCODED% & dlen =% PAYLOAD_LENGTH% &

    code represents the type of command the bot should execute. The list of commands that the bot can execute is shown in the table below.



    Distribution via removable USB media

    In several malicious campaigns, the attackers used another Potao distribution vector, using the infection of removable USB drives. Potao uses a different way from other worms (autorun worm) to infect removable media. Instead of creating an autorun.inf file in the root of the drive’s file system, it uses a simple and efficient method of storing its executable file on the media with its subsequent launch. The malicious code that is responsible for infecting removable media copies the dropper to the root directory of all drives connected to the system. In this case, the label of the removable medium is selected as the name of the dropper file, and the system icon of this medium as the icon. The remaining directories and files in the root directory on this media are assigned the Hidden (System) and System (System) attributes. The user is under the impression that he needs to click the icon again to open the disc. As a result of this action, he launches the dropper for execution.


    Fig. 32. The dropper icon and its file name in the root directory of removable media match the same data as removable media.

    Obviously, with the default settings in Windows, which allows you to hide the extension for registered file types, the user will not see the extension of the dropper executable file. He also will not see other files in the root of the disk, as their attributes have been modified. This malware trick can be attributed to the “social engineering” method.

    The malicious program contains in its arsenal special methods of complicating its analysis of the executable file. One of these methods is to use hashes of API function names to call them.


    Fig. 33. Obtaining addresses of WinAPI functions using hash values ​​of their names.

    This practice of obtaining addresses of Windows API functions is used in many malicious programs; it allows the authors of the malicious program not to leave the names of the functions in the body of the malicious program, which significantly complicates the analysis process for antivirus analysts. To calculate the hash values ​​of the names of API functions, the malicious program uses the MurmurHash2 algorithm .

    The authors also used a mechanism to encrypt strings that should have been present in the body of Potao. In fig. 34 shows the function of decrypting strings.


    Fig. 34. The function of decoding strings.

    The strings are encrypted using the XOR operation and a 4-byte key. The key can vary from one malicious file to another.

    Win32 / FakeTC - TrueCrypt malware analysis

    We have already mentioned that attackers used malicious modifications of legitimate TrueCrypt software for their cyber campaigns. This modification is detected by our antivirus products as Win32 / FakeTC and is used by cybercriminals to extract files from the victim’s encrypted drives. FakeTC is associated with Potao only in that the former can, in some cases, download the dropper of the latter to the infected computer.


    Fig. 35. Win32 / FakeTC detection statistics in various countries.

    In fig. Figure 36 shows the interface of the malicious version of TrueCrypt.


    Fig. 36. The interface of the malicious version of TrueCrypt.

    Malicious code is executed in a separate thread from other legitimate TrueCrypt functions. A stream is created at the end of the Mount function.and specializes in obtaining a list of files on an encrypted drive that has been mounted on the system. If certain conditions are met, it connects to the managing C&C server and expects commands from it for execution. Malicious code was only added by malicious users to user-mode TrueCrypt executable files containing digitally signed kernel-mode drivers that were left untouched.

    The following conditions must be met in order to connect the bot to the C&C server.

    • The number of files on an encrypted disk should be more than 10.
    • An encrypted drive must be mounted more than 4 times.

    The list of supported FakeTC commands is shown in the table below.



    As you can see from the list of commands supported by FakeTC, it is used by cybercriminals as spyware and can be expanded by using additional plug-ins. The attackers used special mechanisms to hide FakeTC from prying eyes, distributing it on the website only to selected users. This allowed attackers to go unnoticed for a long time.

    Conclusion

    Above, we presented an analysis of the malware detected by ESET antivirus products like Win32 / Potao and Win32 / FakeTC, as well as examined in detail various cybercampaigns of cybercriminals. We have shown that Win32 / Potao malware is an example of a cyber espionage tool, and cyber attacks using it can be classified as APT, although, at the same time, Potao itself cannot be attributed to sophisticated advanced malware.

    The cybercriminals behind the use of Potao in cyber attacks have demonstrated the effectiveness of using sophisticated social engineering techniques instead of exploits. Such thoughtful tricks include the use of special SMS messages that contain a link to a malicious program file, as well as a special trick to infect removable media. One of the most interesting features of this cybercampaign was the use by attackers of a malicious version of legitimate TrueCrypt encryption software. The malicious program itself was posted on the truecryptrussia.ru website and not all users could receive it. In addition, this site itself acted as the managing C&C server for the malware.

    The above facts characterize the Potao cybercampaign as "purely directional." The question of interest remains open, that is, to whom it was beneficial to conduct such a cyber espionage operation for employees of Ukrainian military and government departments, a news agency, as well as participants in the MMM financial pyramid. The latter is popular both in Ukraine and in Russia. Since we would not want to speculate on the search for an answer to this question, without any solid evidence, this question remains open.

    Below are the comparative specifications of Potao and BlackEnergy.


    Also popular now: