News

Certego has always been strongly involved in researching new ways to analyze malware.

We have been working for some time on new projects aimed to evolve how the threat intelligence analysts work and what kind of tools they need.

You may have heard of the open source project IntelOwl and the recognition it received by the community: we have just reached 2k stars on Github in less than 2 years!

But it is not the only one! We started experimenting and working closely with the community that develops binary emulation frameworks.

And we came up with a new idea! A next generation malware sandbox built on binary emulation tools. We called it Dragonfly.

Today we are proud to announce that we are finally ready to publish the Alpha release of this project to the community!

“So yeah, this is all very exciting! but how does it work?”

Analysis

The process Dragonfly uses when analyzing a binary can be split in three phases:

1. Environment configuration

The emulation engines that Dragonfly supports at the moment are Qiling and Speakeasy. Both of them allow the configuration of the emulated operating system through a configuration file, a Profile.

Dragonfly differentiates from other sandboxes thanks to the granularity of the customization that its users can do: the emulators, and therefore Dragonfly, allow you to specify which processes are present in the emulated system; which files are where; what system registries have been configured and with what value.

Users can create their own configuration, or use the ones that Certego offers publicly.

Figure A: Profile Creation Modal

2. Sample emulation

The sample is emulated through the engines that the user has selected with the corresponding profile: parallel emulation of more than one configuration is supported by Dragonfly. For each profile, a Report is made, containing every artifact that Dragonfly has been able to retrieve through the emulation process.

All this information is then grouped together and displayed by Dragonfly, allowing users to evaluate every aspect of the emulation.

Figure B: Details of every API called

Each piece of information is accessible either through its detail view, or through the Timeline, where artefacts are grouped together by their timestamp, the moment when they have been retrieved.

Figure C: Details of every artifact for a particular point in time

3. Behaviour evaluation

Dragonfly evaluates the sample behaviour through Rules: a rule is made by Modules; each module matches a particular artifact that has been found during the emulation phase.

Figure D: Rules List

Rules are characterized by a positive or negative weight based on the confidence that the behaviour is malicious or not.

Figure E: Details of the composition of a Rule

A Match is created when the behaviour defined by a rule matches the one expressed by the sample during emulation: according to rules matching a sample, its evaluation will change from clean, to suspicious or even malicious.

Figure F: Example of matched Rules

It is possible to learn more about Dragonfly rules and its modules in the official documentation at readthedocs.

Figure G: Rule Creation Modal

Writing your own rules is encouraged but it is not necessary for using Dragonfly: Certego will continue to improve the builtin set of rules available to every Dragonfly user.

Conclusion

The release of Dragonfly is an important milestone for Certego and its Threat Intelligence Team. Our research and knowledge in the malware analysis field, developed in years of fighting threats, has been leading us to incredible new achievements.

The Alpha version is operated as an invite-only trust group. We encourage all security researchers and threat intelligence analysts to request access here. The next Beta release will provide open registration to everyone.

For more information about Dragonfly, what it offers and how to use it, please refer to the FAQs or send us an email to cti[at]certego.net: we will be more than happy to answer every question that you may have!

Thank you for reading and happy hunting!

PcapMonkey is a project that will provide an easy way to analyze pcap using the latest version of Suricata and Zeek. 

It can also save Suricata and Zeek logs in Elasticsearch using the new Elasticsearch Common Schema or the original field names. PcapMonkey uses official docker containers (when available) for most images and aims to be easy and straightforward to use.

Features

  • PcapMonkey let's you run one or multiple pcaps and imports all logs to elasticsearch.
  • PcapMonkey keeps the "official" Zeek and Suricata fields names so you can look them up on the official documentation
  • It let you edit directly Suricata and Zeek configuration and scripts so you can test quickly new features
  • PcapMonkey comes with some very useful Zeek scripts like Ja3 and File extractor
  • It's possible to enable logging in ECS to leverage all ElasticSerch SIEM features
  • Let's you import also windows event files (BETA)

Installation and Basic Usage

Install Docker-CE and docker-compose:

To start Elasticsearch,Logstash and Kibana run the following command:

sudo docker-compose up -d elasticsearch logstash kibana

Use the following command to check if everything is working properly:

sudo docker-compose ps

The output should be the following:

Name                       Command                       State                    Ports         
---------------------------------------------------------------------------------------------------------
pcapmonkey_elasticsearch   /usr/local/bin/docker-entr ...   Up (health: starting)   9200/tcp, 9300/tcp     
pcapmonkey_logstash        /usr/local/bin/docker-entr ...   Up                                             
pcapmonkey_kibana          /usr/local/bin/dumb-init - ...   Up (health: starting)   127.0.0.1:5601->5601/tcp

Kibana and elasticsearch could take a couple of minutes to start. You can monitor the progress by doing "docker-compose ps" and waiting for starting to go away.

Put one pcap file inside the pcap folder.

Start zeek and suricata containers:

sudo docker-compose up zeek suricata

The containers will print the output on the console and exit when they finish processing the pcap. You can see the results on Kibana: http://localhost:5601

Full documentation

You can read the full documentation on the official github page: https://github.com/certego/PcapMonkey

Video Tutorial

Remember to turn on English Subtitles

About the author

Federico Foschini( Twitter)

  • Introduction
  • Malware
    • Execution
    • Defense Evasion
    • Persistence
    • Payload delivery
    • Dropping malware components
      • Credential Access
      • Lateral Movements
    • Download and Update / C&C
  • Detection
    • Detecting Lateral Movements and persistences
    • Detecting Infected Hosts
  • Response
    • Containment
    • Malware Removal
  • Conclusions
  • IOCs
  • About the author
  • Credits

Introduction

This and last week, the Certego Incident Response team handled a powershell based  Active Directory compromise on multiple of our customer networks. Although the actors seemed to be intent on spreading a Cryptominer malware, due to some technical aspects the campaign could hide a second goal.

Considering that more and more attacks are aimed to making lateral movements to compromise enterprise domains, today we decided to share with you some details of detection and response actions performed by Certego IRT to handle these threats.

Note: to prevent antivirus from blocking this site we are forced to share the code via screenshots, the main samples have been uploaded to virustotal.

Malware

In most of the scenarios observed the threat came from unmonitored Domain Trusts, in the remaining cases we were engaged after the first access was already performed.

We can assume that the attacker established a foothold through  valid domain credentials usage against exposed authenticated services, like RDP terminal server. The attacker may have obtained valid credentials exploiting data breach of third-party sites, phishing or dictionary attack/password spraying. In some cases we have found poor password policies which could motivate the last hypothesis.

Malware was differentiated between domain controllers, 32 and 64 bit hosts. The one installed on domain controllers has the most features.

The behavior identified by the malware is described below with its respective code block.

Execution

The runnig malware is usually found on an infected systems in the form of a powershell.exe or a schtasks.exe process usually spawned by WMI Provider Host ( wmiprvse.exe). The most of executables are loaded into the powershell memory space through a fixed version of ReflectivePEInjection script extracted from Invoke-Mimikatz or they are written into schtasks process via a Process Hollowing injector.

The powershell process is easily recognizable by its base64 encoded commandline. The schtasks process, on the other hand, occurs without any parameters and it's harder to notice.

If the XMRig has been written to the schtasks process you will notice a consumption of the CPU and network connections to suspicious ports. In general, since schtasks.exe without parameters displays basic information of tasks and exits, any schtasks process without parameters is potentially malicious.

Defense Evasion

The noteworthy defense evasion techniques are the following:

1) As shown in some screenshots below,  iex/Invoke-Expression and other dangerous cmdlets used for detection are obfuscated through environment variables.

2) Before making a lateral movement the malware adds an exception for powershell.exe inside Windows Defender through Add-MpPreference cmdlet

3) In-memory execution through powershell ReflectivePEInjection and a libpeconv based Process Hollowing injector.

4) In the most recent malware updates we noticed this powershell amsi bypass.

recent_client_agent_sample

Persistence

In some cases we observed successfully running malware launched from a remote host without a local persistence.

The persistences used by the malware are two WMI event subscription. The filters trigger the payload after 1 minute and about 6.5 or 3.8 hours from the system startup:

Some information used by the malware is inserted into the following custom WMI class:

The payload is a classic base64 powershell encoded command as shown in the screenshot.

Payload delivery

The payload served by the domain controller and the C&C is a powershell module encrypted with TripleDES and ciphermode CBC: 

agen.ps1 sample

The module and the function de is called, the password and the salt are passed as parameters to the function:

The result is a powershell dropper.

Dropping malware components

The powershell dropper is a base64 blob of data containing multiple components:

rein.ps1 sample

Once the content has been decoded, the malware could drop one or more of the following components:

a) An XMRig cryptominer:

A simple XMRIG cryptominer which does not appear to be installed on domain controllers nor on low-performing hosts ( 32bit ).

To make the cryptominer work at its best the attacker disables sleep mode, standby and hibernation via powercfg. It also checks via netstat if there are connections from other previous versions of the cryptominer and stops the processes that make them.

sample

b) A libpeconv based Process Hollowing injector

This component is never dropped on domain controllers,

It was used to write the XMRig into the  schtasks.exe process usually spawned by wmiprvse.exe

sample

c) Re-compiled mimikatz DLL to perform Credential Access:

This component is installed on all hosts. We saw it running on the domain controller for the following steps:

  1. Inject LSA to dump NTDS.dit credentials
  2. DCSync

sample

d) The powershell script funs.ps1: funs_decoded.ps1.

This component is downloaded to any host, but with different functions.

By default it contains ReflectivePEInjection and Lateral Movements capabilities from Empire and PoshC2 projects for:

  1. Remote Service Creation (aka SMBExec)

  2. WMI Win32_Process Remote Process Creation

  3. Remote Task Scheduler Creation:

    This last method leaks the credentials in the commandline twice.
  4. Simple TCP scanner:

  5. EternalBlue Scanner:

  6. test-net function, a multithreaded function to verify that the host is not already infected before a lateral movement:

Through lateral movements the attacker executes a command to download or update the malware. Domain controllers malware are installed or updated via the web resource "/update" of the internal or external C&C.

If the host is not a domain controller the web resource " /sync" is used instead.

The version of the malware is monitored via the web resource " /banner" by comparing the WMI filter name.

In addition, these two functions are also dropped on the domain controller:

  1. testhser:

    This function drops the internal C&C server who will listen on port 49636 , the malware launches it and verifies that it works correctly.

    The rein script adds a rule on Windows firewall to allow server binding:

  2. plant-ags:
    The function used by the domain controller to deploy the malware on targets through internal C&C. To performe the deploy it exploits lateral movements techniques and a powershell module masked as gpt.ini downloaded through SMB.

e) The powershell script agen.ps1:  agen_decoded.ps1:

f) Internal C&C Malware on DC:

A small and simple http server masked as a fake and unsigned  dfsvc.exe process ( a licit Windows Server process )

The server is developed through Mongoose OS "an Internet of Things (IoT) Firmware Development Framework" designed to be small and light.

This server and the plants-ags function are command and control system, by matching the agent on virustotal the server is identified as a cryptominer but this is a false positive.

During the installation phase the malware extract the agent.ps1 script from the server binary, easily viewable between the strings. By matching this code the antivirus incorrectly report the server as a cryptominer malware.

sample

g) A simple shellcode

sample.

h) A vulnerable driver

WinRing0x64.sys

This driver is dropped on all hosts except the domain controller. Even though it is used directly by XMRig, the driver is present in the most common vulnerable drivers blacklists.

This driver allows any user to perform a local privilege escalation and in generally some ring 0 activities:

"WinRing0 allows users to read and write to arbitrary physical memory, read and modify the model specific registers (MSRs), and read/write to IO ports on the host" 2020-14979

Not needing other privileges at these points of the killchain it is likely that the attacker will use it only for XMRig, however leaving the driver there can expose the host to very serious security problems related to LPE and to the execution of ring 0 code.

For example:

  • Privilege escalation in user space
  • Hinder the operation of security products
  • Remove process protection from critical processes and add process protection to malware components
  • Hide traces of malware via a ring 0 rootkit

This technique is called Bring You Own Vulnerable Driver (BYOvD) and allows you to bypass the following Microsoft security measures:

  1. “The 64-bit versions of Vista require that all device drivers be digitally signed, so that the creator of the driver can be identified” wikipedia 2006.
  2. “Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules will be enforced by the Operating System, and Windows 10, version 1607 will not load any new kernel mode drivers which are not signed by the Dev Portal. OS signing enforcement is only for new OS installations; systems upgraded from an earlier OS to Windows 10, version 1607 will not be affected by this change.” techcommunity.microsoft.com Jul 26, 2016

More technical details

Detection

Detecting Lateral Movements and persistences

Due to the complexity of corporate networks it is common to spot an attacker from an unmonitored internal network. The detection carried out in this phase of the killchain is much more complex due to false positives and unknown/poorly documented protocols.

A common approach used is to identify the effects of a lateral movement, therefore the activities of the malware installed on board through blacklisted IOCs, anomalous network and host activities.

So what are the benefits of identifying lateral movements?

  1. The attacker does not necessarily perform the same actions on all machines. In this scenario, for example, some distinctions were made for both domain controllers, 64 and 32-bit hosts.
  2. In the absence of vulnerabilities, lateral movements are carried out through Microsoft internal network protocols, these protocols have in many cases some juicy plain text information.
  3. In some cases it is possible to delete a persistence created remotely on the target before the malware is executed for the first time.
  4. Studying the lateral movement can allow us to contain host infection in the response phase.

Where the detection IOCs produces a high number of false positives it is possible to use these indicators to carry out threat hunting activities.

To detect lateral movements through network traffic it is necessary to receive infralan traffic on a network sensor, this is difficult due to the volume of traffic but theoretically possible through internal network segmentation. However, even if it is only a small part, it is possible to identify the internal traffic passing through the firewall. 

Since the first analyzes we have identified that the attacker used the following MS-RPCE network sub-protocols to perform lateral movements:

  • MS-SCMR, through CreateServiceW,StartServiceW and DeleteService operations. This traffic is completely in plain text if used via named pipe over MS-SMB2. Among the main information in clear text we find the name of the service and the command executed. MS-RPC over TCP traffic is normally preferred over MS-RPC over named pipes but in this case the attacker forces the traffic on the 445.
  • MS-WMI through ExecMethod operation, encrypted by default but traceable through timestamp, authentication and MS-RPC operation names.
  • MS-TSCH through SchRpcRegisterTask, SchRpcRun, SchRpcEnableTask, SchRpcDelete operations, encrypted by default but traceable in the same way of WMI protocol.

Together with  WinRM they are the main protocols used to perform lateral movements, this is because in case the target uses the windows firewall they are often enabled for systemic reasons. For this reasoning, the most widely used protocol, enabled by default in each domain is SCMR, used for example by the PsExec utility and supported by any malware or redteam tool to perform lateral movements

Note: In scenarios where the windows firewall is disabled the possible lateral movement techniques are a lot.

To track this type of activity it is possible to do it over the network or aboard the host.

To correlate information on the host it is possible to proceed with an EDR, with Sysmon or through Windows Eventlogs. Since we do not believe that collecting logs alone without Sysmon is enough, we will assume that either an advanced EDR or Sysmon is present on the machines.

Note: ETW and Audit Policy Windows event logs Categories are considered out of scope since they are not supported by main security tools functions to perform detection and threat hunting.

Through the host it is necessary to correlate the connections of the following processes:

svchost -k RPCSS : MS-RPC over TCP ( 135 TCP , 593 HTTPS )

ntoskrnl.exeMS-RPC over named pipes (139 TCP, 445 TCP)

NB The first phase of an MS-RPC connection, the endpoint mapper (EPM), although reachable through a named pipe is usually available through TCP.

Correlate authenticated sessions and the actions performed by the following processes:

Remote Task Creation

Modifications of this filesystem path by " C:\windows\system32\svchost.exe -k netsvcs ( -p -s Schedule on recent OS)": C:\windows\system32\tasks\*

Modifications of this registry paths by the same process:

software\microsoft\windows\ nt\currentversion\schedule\taskcache\*\path
software\microsoft\windows\ nt\currentversion\schedule\taskcache\tree\*

The task is spawned as a child of one of the following processes depending on the operating system:

  • C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
  • C:\windows\system32\svchost.exe -k netsvcs
  • C:\windows\system32\taskeng.exe

EventLogs: 4624 and 4672 and from 4698 to 4702

Remote Service Creation

Modifications of this registry paths by services.exe:

System\ControlSet001\Services\*\imagepath

In the registry path before the imagepath there will be the name of the service.

This indicator also allows us to identify a variant of this technique that plans to modify a pre-existing service through ChangeServiceConfig* operations in order to stay under the radar: Remote Service Modification

The malware process, that is the malicious service, will be spawned as a child of services.exe

EventLogs: 4624 and 4672 and 4697 or 7045

Remote Process Creation through Win32_Process and WMI Event Subscription

Since there is no persistence, the creation of the remote process can be identified by directly correlating the child processes of wmiprvse.exe.

In case of persistence it is possible to detect the modification by  C:\Windows\system32\svchost.exe -k netsvcs of the following registry key:

software\microsoft\wbem\ess\*cimv2

The data is saved in these files from C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt:

  1. C:\Windows\System32\wbem\Repository\OBJECTS.DATA
  2. C:\Windows\System32\wbem\Repository\INDEX.BTR
  3. C:\Windows\System32\wbem\Repository\MAPPING*

Unfortunately these files are modified too frequently for other reasons and they make too many false positives also for threat hunting operations, we therefore recommend using the registry key.

Detect malware interactively:

  1. powershell /c "Get-WMIObject -Namespace root\Subscription -Class __EventConsumer | ? { $_.CommandLineTemplate -Match \".*powershell.*-W\ Hidden\ .*\ -E\ \"}"
  2. powershell "Get-CimClass -NameSpace 'root\default' | ? {$_.CimClassName -Match 'systemcore_updater'}"
  3. findstr /i "powershell.exe Event8" C:\Windows\System32\wbem\Repository\OBJECTS.DATA

Sysmon events: from 19 to 21 .

Detecting Infected Hosts

Despite the complexity of the attack in this case it was rather easy to detect infected hosts.

Excluding the most recent versions of the malware, most of the C&C are present in the main blacklists. Through good threat intelligence it is possible to find the indicators automatically and detect these network activities.

Detect at network level hosts where the miners was running via plaintext  json-rpc usage is trivial and it is a very strong indicator for most of the widespread miners.

Response

Containment

Once learned that the malware was a distributed cryptominer worm, for the most critical situations we have decided to apply Certego's lockdown procedures.

These procedures rely on enabling, managing and exploiting windows firewall and some of its dependencies to selectively block the protocols used by the malware to perform lateral movements maintaining proper functioning of Active Directory.

These procedures along with network-wide restrictions on the firewall and our telemetry systems allowed to block lateral movements and C&C activities keeping the network under close monitoring, giving us time to carry out the necessary analysis.

Malware Removal

Once the malware was isolated, it was trivial to remove it. For older versions it was enough to simply manually remove the persistence using the following commands:

  1. powershell /c "Get-WMIObject -Namespace root\Subscription -Class __EventConsumer | ? { $_.CommandLineTemplate -Match \".*powershell.*-W\ Hidden\ .*\ -E\ \"} | Remove-WmiObject -Verbose"
  2. powershell "([WmiClass] 'root\default:systemcore_Updater8') | Remove-WmiObject -Verbose"

Considering that the action is irreversible, we recommend that you first check with the commands present in the detection that it is not a false positive.

Once persistence is removed a good updated antivirus is usually enough to kill most of other malware components. If the components have just been updated it is common that the antivirus is not able to kill them. In that case we recommend that you look for the indicators described in the malware execution part.

Conclusions

Given the rapidity of intervention, we cannot exclude that the malware is able to drop other threats in addition to those observed. However, we have not found any other types of malware other than those listed in this article.

We have handled a large number of Active Directory compromises based on this type of cryptominer worm. The attacker's goal seems to be to periodically update cryptominers on all machines in the domain through domain controllers causing a periodic denial of service on the whole domain.

More and more actors begin to perform lateral movements and to exploit AD mechanisms to achieve their goal. Knowing these mechanisms is now an essential prerequisite for managing this type of threats.

IOCs

Hashes

0367064d9585cc5c8b8eff127d9565d0
52f510d047e6270c9b916d76725529c8
7e0bc1c01f44c7a663d82e4aff71ee6c
91ff884cff84cb44fb259f5caa30e066
98deacafd4a35fc257d2f381f78b9b3b
d129842ccf642d1e71c5e851c0ced337
d1aed5a1726d278d521d320d082c3e1e
fd044540a38b3422abf275af9e6ab3c2

Domains/IPs

profetestruec[.]net
sjjjv[.]xyz
winupdate.firewall-gateway[.]de
dfdfjkbcv[.]net
51.15.65[.]182
51.255.34[.]118
213.32.29[.]143
217.182.169[.]148
45.10.69[.]141
45.140.88[.]145
5.196.23[.]240
51.15.54[.]102
205.209.152[.]78

Ports

3333
5555
7777
8000
14444
14443
49636

Web resources

/update
/sync
/banner

WMI class: root\default:systemcore_Updater8

WMI filter names: "SCM Event8 Log Filter" or "SCM Event8 Log Filter2"

WMI consumer names: "SCM Event8 Log Consumer" or "SCM Event8 Log Consumer2"

Task Name: sysupdater0

About the author

Gabriele Pippi (Twitter)

Credits

Thanks to Davide Setti (Twitter) and Marco Giovanetti (Twitter) for the collaboration.

Summary

  • Introduction
  • Tests scope
  • APT macro analyses
  • Observations
  • Tests carried out:
    • Bypassing CreateObject detection
    • Crafting our easy custom undetected obfuscation
    • Killing ViperMonkey
    • Undetected code execution methods/functions
    • Undetected methods/functions to get our malicious file
    • Undetected autoexec sub events
    • Results
  • Suggestions for improvement
  • Conclusions
  • About the author

Introduction

One of the most common techniques for getting a foothold on a network client is based on  Office files containing a malicious VBA macro.
VBA macros are still widely used in a business context and, despite the mitigations offered by security vendors and Microsoft, it is still essential to detect evasion techniques in order to catch smart attackers.

On the attacker's side, there is plenty of public projects to setup, weaponize and obfuscate a macro while on the defenser's side there is a reasonable number of public projects, among the most famous projects to de-obfuscate and detect malicious VBA macro there are certainly  olevbaMacroRaptor and ViperMonkey. At Certego, we also use these tools to perform automatic static analysis of VBA macro.

Today we would like to share a test carried out last week on the resilience of public logic offered by olevba, mraptor and vipermonkey. These tests were even more motivated by some autoexec sub functions identified in the wild that were not detected by our implementation of olevba.

All the tests carried out are aimed at encouraging the red teams to test new bypass techniques and improving the detection of olevba, mraptor and vipermonkey public projects.

Tests scope

  • All tests were carried out on a fully patched Windows 10 client with last build and version.
  • Macro based PoCs must work with medium integrity level.
  • The tests carried out focus on the static analysis that can be performed by mraptor and olevba; in these tests we will consider out of scope the dynamic analysis from the point of view of a sandbox, an EDR and any ASR bypass.
  • During the tests, we decided to include vipermonkey vba emulator in the scope.
  • All the tests carried out start from the assumption that the latest versions of olevba, mraptor and vmonkey have been implemented out of the box.
  • Common users are not always able to complete certain tasks keeping all ASR rules enabled, for this reason we consider disabled at least the following rules:

APT macro analyses

There are many ways to obfuscate a VBA macro, but how much do I have to obfuscate my macro to completely evade the analyses of a prepared blue team? It is important to know the weak points of a VBA obfuscation/evasion technique in order to detect it.

We started by learning from public examples of high-level attacks, then by analyzing through the tools mentioned above some noteworthy APT macro samples.

We decided to report the following three examples:

1) 2019-06-06 gorodpavlodar.doc from APT28

APT28 is one of the groups with advanced  TTPs.

VBA code:

olevba result:

2019-06-06 graphic.doc, document dropped from the previous sample and called through Word.Application COM.

VBA code:

olevba result:

2) 2016-11-09  election-headlines-FTE2016.docm from APT29

The sample is a CDFV2 Encrypted with password 3209. password source

APT29 is one of the groups with advanced TTPs

VBA code:

olevba result:

3) 2020-03-03  비건미국무부부장관서신20200302.doc from Kimsuky APT


One of the more recent APT macro.

VBA code:

olevba result:

Observations

We have observed that:

  • Some useful functions to obfuscate our macro are used to detect it. Ex: Evilclippy tricks like VBA stomping/pcode obfuscation are currently detected by olevba.
  • There is no known way to obfuscate Sub Events, like AutoExec.
  • There is no known way to obfuscate functions and methods.
  • There are many examples of APT macros that prefer to leave the macro in plain text rather than obfuscate it through a well known technique or suspicious functions.
  • Spotting Win32 Windows API through the Lib Declare Statement is trivial and in some contexts blue teams are beginning to block them through ASR.
  • We also identified the following technical details related to the detection of the examined tools :
    • Obfuscation performed through the Mid and the Array functions is not detected by the examined tools. There are plenty of ways to obfuscate the code and it does not seem worth detecting them all through a static approach.
    • ExecQuery and other dangerous WMI methods to perform code execution like Create are not detected by the examined tools.
    • ExpandEnvironmentStrings method of WScript.Shell Object is an Environ alternative to retrieve environment variables which not trigger by the examined tools:

      Example:

      Other undetected alternatives could be:
  • In the common implementations of these tools some hits are systematically discarded to avoid false positives. Hex string detection in olevba is an example.

    However, in well-managed infrastructures, it is possible to research some mandatory subroutines, methods and functions to systematically detect macros through a static approach, and to engaging an analyst.

Tests carried out

Starting from these osservations we have tried to build at least one PoC that performs 0 hits on olevba and a "macro ok" result in mraptor.

These are three minimum requirements for getting a foothold through a VBA macro:

  1. An Autoexec Sub Event to trigger our macro.
  2. A code execution method/function
  3. Except for some trivial cases, you will normally need at least a COM/OLE/ActiveX Object, so you need to call at least one function like CreateObject.

Bypassing CreateObject detection

Even if performing alerting only on CreateObject is pretty impossible due to FP, it is possible to avoid this hit in some scenarios through  GetObject.

At the time of writing, GetObject is not reported as a suspicious function by olevba.

Some automation servers have a running instance by default. Using one of these objects, it is possible to use GetObject, avoiding the call to CreateObject at all. See: differences between GetObject and CreateObject.

For these tests we decided to start with one of the most common objects with a default instance: Shell.Application.

Crafting our easy custom undetected obfuscation

After a first look we decided to use the  CLSID avoid Shell.Application pattern match detection. 

Here is how to easily get Shell.Application CLSID through powershell:

So instead of:

We used:

However the string was detected in a heuristic way by exchanging the CLSID with a hex string.

As mentioned above, it is a olevba hit that makes tons of FPs like this. 

Despite this fact, we still tried to obfuscate this string creating our own obfuscation technique. It would also come in handy later to obfuscate our exploit.

After some research we discovered that adding chunks of strings to a variable containing an empty string prevents olevba from detecting and deobfuscating the string:

Note: without using a variable olevba detects the technique.

Killing ViperMonkey

After a quick test, we realized that  ViperMonkey is able to decode our obfuscation method.

Despite being a big project, ViperMonkey is a experimental emulator, developers who integrate it into their platform are used to handling considerable number of crashes with legitimate macros, ergo seeing a ViperMonkey crash is not suspicious at all.

To crash vmonkey you need to find some VBA code accepted by our office program that crashes the vmonkey parser.

After some fuzzing we have identified the following simple code:

A declaration of a function with at least one argument inside an if statement will do the job. Microsoft Word will successfully run the macro:

The vmonkey parser will fail:

Undetected code execution methods/functions

We started  digging into the documentation looking for unknown execution methods of Shell.Application Object

This is the section in the olevba code where the suspicious methods/functions list is defined by regex or keyword.

We have identified three interesting examples:

  1. InvokeVerb and InvokeVerbEx: dropping an executable and calling the verb "Open" it is possible to run it. As soon as I spotted these methods I tweeted them.
  2. DoIt: slightly more tricky but same concept of invokeverb.
  3. ControlPanelItem: by dropping a malicious .cpl into the current directory, it is possible to execute malicious code

While we were looking for undetected methods to perform code excecution, we have observed that, surprisingly, the   Create method of Win32_Process, retrievable only through GetObject, is not yet detected by olevba.

However, we decided to avoid it because it has been used in  many opportunistic campaigns and some custom implementations, such as ours, easily detect it.

All other interesting methods of WMI code execution, which are not detected by the analyzed tools, require a  high integrity level, which is out of scope.

Undetected methods/functions to get our malicious file

Since we have identified three methods to launch an executable without arguments, we need a function to get our malicious executables.

In order not to leave our executable embedded in the document we decided to download our sample remotely through an  UNC path

To achieve this task we decided to exploit  SMB redirector or WebDAV redirector, this is because it is not possible to map a UNC resource on a unit or link it with a medium integrity level.

Allowing outbound SMB traffic is a bad practice, so we decided to take advantage of  Webdav over SSL (HTTPS).

So we decided to exploit the  CopyHere Shell.Application method to download our executables via WebDav SSL.

During the tests we also found that:

We decided to avoid FileSystemObject because it didn't work through GetObject, even if it is not enough to detect our samples it was interestingly keeping us on the 0 hits..

Undetected autoexec sub events

This is the section in the olevba code where the autoexec list is defined by regex or keyword

Hunting for undetected autoexec sub event:

https://docs.microsoft.com/en-us/office/vba/api/ov...

Docs/Office/VBA/Reference/<program>/Object model/<object>/Events/<eventname>

We have identified three interesting examples:

  1. Document_ContentControlOnEnter:  it triggers when a user "enters" a content control, there are several content controls that can easily attract a user click.
  2. Worksheet_FollowHyperlink: it triggers when a user clicks on a link inside a worksheet, the link can also point to a worksheet component.
  3. Worksheet_Calculate: "Occurs after the worksheet is recalculated for the Worksheet object", this autoexec sub event is the most interesting we have envied: by using a cell with a formula that points to itself, it is possible to perform an autoexec without user interaction. As shown in the gif of the next section a prompt is shown to the user but, whatever the answer is, the macro is still executed.

Results

The outputs shown below are those of the following command:

 olevba --decode --reveal <doc> # 0.56dev6 on Python 2.7.17

 Document_ContentControlOnEnter.docm:

Worksheet_FollowHyperlink.xlsm:

In this case the VB_Base attribute triggers olevba, olevba exchanges the GUID for a Hex String. This is a known and usually filtered false positive. For this reason we can safely consider this sample as one with 0 hits.

Worksheet_Calculate.xlsm:

Also here as in the previous sample the hit is due to the VB_Base attribute.

Virustotal

For these tests only static analysis is significant, however these are the samples:

 Document_ContentControlOnEnter.docm:

Worksheet_FollowHyperlink.xlsm:

Worksheet_Calculate.xlsm:

As you can see there are few known antivirus and only heuristic signatures.

Suggestions for improvement

In order to detect the techniques proposed through olevba / mraptor, it would be important to note the following:

The previous list was proposed on the public project through the following pull request:  https://github.com/decalage2/oletools/pull/591

Conclusions

  • We have shown that digging in the documentation and with a little fuzzing it is possible to craft a 0 hit macro.
  • Chaining these samples with an unknown sandbox detection check and esoteric COM objects could have really unpleasant effects.
  • Implementing an open-source out-of-the-box solution may not be enough to defend your infrastructure.
  • It is very important to carry out periodic internal tests on all the detection components of your platform.
  • Performing periodic internal tests on all the detection components of the platform could significantly increase the detection capacity of your platform.

About the author

Gabriele Pippi, Threat Research Lead Engineer ( Twitter)



                                                                                                                  Photo by Jr Korpa on Unsplash

Intel Owl is an Open Source Intelligence, or OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale. It integrates a number of analyzers available online and is for everyone who needs a single point to query for info about a specific file or observable.

Born at the start of 2020 (announcement), this fresh and new tool was accepted as part of the Google Summer of Code under the hat of The Honeynet Project. Great improvements have been developed since the start of this project.

Now, thanks to the ongoing collaboration with Google Summer of Code and The Honeynet Project, we are excited to announce release 1.0.0, with a completely new and revamped web interface and some new features in our API to help you better manage your threat intelligence data.

You can read some more details about Intel Owl 1.0.0 in the official release announcement, co-authored by Eshaan Bansal (GSoC Student) and his mentor, our own Matteo Lodi, and published on The Honeynet Project's blog.


Certego has always promoted and supported Open Source Development culture. Some of us are active members of the Honeynet Project and have contributed to some famous open source tools like Cuckoo Sandbox or Thug.

With the goal to help the security community to fight cyber threats, we have released two new projects this year: Intel Owl to aid cyber threat intelligence operations and Pcapoptikon2 to help analysts with writing IDS signatures.

Meanwhile we have been focusing our research on finding new ways to analyze complex malware. Our own Simone Berni has been working on the development of a new open source tool and just recently, also thanks to his work, its first 1.0 version was released: Qiling, an advanced binary emulation framework.

On the 25th April 2020, Simone had the opportunity to show the results of his work at the famous Hack In The Box Security Conference together with the Qiling creator, Lau Kai Jern

For those interested in technical details, you can find them in the next section; you may also find the full video of the conference here: Youtube

HITB Conference: Technical details

Qiling is an advanced binary emulation framework that supports Windows, MacOS, Linux and BSD.

Written in Python and based on Unicorn EngineQiling is designed to provide high level APIs and fine-grain instrumentation, allowing you to place hooks at every level.

Certego chose to help the development of Qiling with Simone Berni's work.

During his presentation, Simone showed how it is possible to use Qiling as a sandbox to analyze arbitrary malware.

In particular, he prepared two different demo scenarios: Al-khaser and Gandcrab.

Al-Khaser Demo

The first scenario is a POC malware application that aims to stress an anti-malware system by checking if the sandbox is fortified and stealthy enough.

During the emulation of Al-khaser, it is possible to understand two things mainly: how stealthy Qiling is and how much it is easy to use. Not everything of Al-khaser has been emulated, Simone implemented only the debugger detection task.

Moreover, Qiling does not pass every single test made by Al-khaser (it passes 85% of checks) but the developers are working on them even right now.

The second point of this demonstration is to understand how we can use Qiling to perform a deep analysis: for example, the emulation of the function that prints the output had an issue: thanks to the API offered by Qiling, Simone was able to replace this function entirely with just 3 lines of code, thus obtaining the expected outputs.

GandCrab Demo

Here, we are talking about a famous ransomware, which is very interesting because it uses different sandbox evasion techniques before executing itself.

The demo of Gandcrab shows how powerful Qiling can be when used as a sandbox. Simone, during his work, implemented the concept of "Profiles", later extended by the Qiling team, and the core feature to analyze malware.

The profile is just a configuration file that describes everything about the emulation: it started as a simple file containing only the Windows version that Qiling has to emulate; later, it was extended to contain information about the Volumes, Drives, Permissions and Network configuration. Now it is possible to have a profile for every OS (Linux, BSD e MacOS are supported), and it is even possible to change the emulation parameters from this config file.

Simone demonstrated how much information it is possible to retrieve thanks to Qiling during the analysis of a ransomware like Grandcrab: every registry accessed is stored, every "printf" is saved (so it is possible to retrieve memory that has been copied from one place to another), every syscall and kernel call is stashed for future analysis. With a little bit more details, he explained how Gandcrab tries to retrieve every piece of information about the victim machine and how the malware stores the stolen information.

At the end of the demo, Simone shows how it is possible to change the Profile to change the behaviour of Gandcrab.

For example, you can change its permissions: when Gandcrab is executed as a user, it will spawn a shell to re-execute itself as administrator.

Another strange behaviour Simone discovered can be observed when you apply a russian keyboard layout in Qiling. Again, this is possible to do so by simply adding a registry key and the desired value to the profile. When executed in an environment that has a russian keyboard, Gandcrab would kill itself.

Conclusion

Qiling is a powerful tool, continuously developed and improved every single day: in the future it will be a common framework that malware analysts have to be familiar with.

Certego will continue to contribute to this project to improve the chances of everyone in fighting malware.

Photo by Maximalfocus on Unsplash

We are proud to announce that Certego has joined the community of Contributors to VirusTotal, the biggest aggregator of antivirus engines and website scanners.

VirusTotal is a free service that everyone can use to check for virus or threats in a file, URL, domain or IP address by leveraging more than 70 antivirus scanners, blacklisting services and analysis tools provided by the global security vendors. Founded in 2004 by a Spanish company, VirusTotal was acquired by Google in 2012 and, in 2018, the ownership switched to Chronicle, a subsidiary of Alphabet.

Starting from this week, most of the intelligence data generated by Quokka, the Threat Intelligence Platform developed by Certego, is available to the VirusTotal community.

The Quokka platform was designed by a team of experienced malware analysts with passion and a strong commitment. The Threat Intelligence Team has mixed different tools, including Honeypots, real “traps” for the cyber criminals, and Sandboxes, virtual environments where it is possible to execute and study malware automatically and at scale. The result is a platform that enables Certego to gather relevant information in real time to track cyber criminal activities.

Additional technical details

We would like to show some examples of what kind of information users can find by leveraging together the power of VirusTotal multi scan engine and the Certego Intelligence information.

You could be a tech guy or not. In both cases, it surely happened that you found a strange link inside a suspicious email you received and you wanted to verify it before clicking it. One way could be to go to the VirusTotal website, select the URL scan, insert the suspicious link in the input bar and ask for an analysis.

After some seconds, you would find the results of the analysis.

For this specific example, the Certego engine detected the URL as containing “Phishing”.

This evaluation helps the end user because, if he had visited the site, he would have found an Outlook account phishing page identical to the real one.

Other than “Phishing”, there are other possible evaluations that can be found after an URL analysis.

The “Malicious” and “Malware” detection are used to notify if a specific URL or domain was observed to serve malware or simply it was involved in cyber crime activities. Example:

The “Suspicious” detection is used to notify when a specific URL or domain is or was probably involved in malicious activities. For these cases, the engine does not have a clear evidence so it just suggests that the site should be avoided as a precaution. Example:

The last case is the “Spam” detection that is used to notify when a specific URL or domain was embedded inside a lot of emails that were sent massively to many inboxes so it is a link that you probably do not want to click. Otherwise, IP addresses are tagged as “Spam” when they have been observed to send a lot of spam, so they are probably related to the presence of a spambot. Example:


Certego is proud to contribute to the security of all the users in the world through the VirusTotal community

About the author:

Matteo Lodi, Threat Intelligence Lead Engineer (Twitter).

Hello everyone, this is Gabriele Pippi, from the Certego Purple Team.

Today we are ready to publish the tool we are using to perform digital forensic and incident response on Citrix Netscaler ADC based on FreeBSD.

Our point of view on CVE-2019-19781 exploitation

After the first mad release of the POC for CVE-2019-19781 by the github account @projectzeroindia and first exploitations, trustedsec and other members of the community provided the first details to carry out digital forensic and incident response operations.

Our Incident Response Team from the first engagements has verified the following conditions:

  1. All the Netscaler ADC analyzed run on FreeBSD kernel version. Unlike in FreeBSD core, there were several utilities installed on the machine, such bash2, used for this script.
  2. The code executed remotely with the CVE ran with nobody user, there were no easy privilege escalations and the persistence on the machine was easily circumscribed; we found cronjobs, php webshells and perl scripts.
  3. Some attackers tried to exfiltrate a file called ns.conf, which contains a large number of sensitive information, especially encrypted passwords and hashes. This is an advanced way to exfiltrate ns.conf.

After the first engagements there were some important implications:

  1. The hashes contained in the ns.conf file were already supported and crackable by hashcat since 2014Reference
  2. Some passwords in the ns.conf are encrypted with AES256-CBC or AES256-ECB algorithms using a well-known key, compiled in a library. These passwords can be decrypted immediately. Among these we also found AD domain admin. https://dozer.nz/citrix-decrypt
  3. The default root password of Citrix Netscaler AMIs is set to the instance ID: this makes trivial a privilege escalation on all installations of this type. Reference
  4. Recently, some actors are starting to exploit this CVE for ransomware campaigns. Reference

Certego Netscaler Threathunter

I developed this bash2 compatible script in order to automate all checks and facilitate threat hunting operations.
The script is designed to provide output to an analyst who will then carry out the analysis.

Note #1: we take no responsibility for any improper use of this script. We recommend using it with caution on critical systems in production.

Note #2: except for its optional log file, the script does not perform any writing operations, does not need any installation and can also be launched in fileless mode.

Requirements:

  • Netscaler running on FreeBSD Kernel Version.
  • nsroot or root privileges.

Purposes:

This script aims to:

  • validate patch of CVE-2019-19781.
  • enumerate persistences and artifacts related to CVE-2019-19781.
  • guide users to change ns.conf credentials to avoid future campaigns and to patch quickly.
  • spot possible advanced privilege escalation.

For further technical details and to download the script, please refer to the official github project Netscaler_Theathunter.

All Citrix Official Advisories

About the author

Gabriele Pippi, Threat Research Lead Engineer (Twitter)

Happy new Year to everyone!

We would like to open this new decade by releasing a new tool that is called Intel Owl. We hope that it could help the community, in particular those researchers that can not afford commercial solutions, in the generation of threat intelligence data, in a simple, scalable and reliable way.

Main features:

  • modern Django-Python application: easy to understand and write code upon it
  • it can get data from multiple sources with a single API request
  • 40 available analyzers that you can use to generate or retrieve data about a suspicious file or observable (IP, domain, …)
  • official client available on Github: PyIntelOwl
  • easily integrable with other tools thanks to the REST API framework and to the PyIntelOwl library.
  • easily and completely customizable, both the APIs and the analyzers
  • early compatibility with some of the AWS services. More in the future.
  • fast and reliable deploy: clone the project, set up the configuration and then you are ready to run it via docker-compose

For more information, we invite you to check the documentation and the code available on Github.

Feel free to ask everything it comes to your mind about the project to the author:

Matteo Lodi, Threat Intelligence Lead Engineer (Twitter).

Every suggestion or contribution is really appreciated.

Keep hunting malware! We cheer on you :)

Hi there, this is Gabriele Pippi, from the Certego Purple Team.

I want to share this simple password-based FTCODE decryptor.

Note #1: this must be considered a beta version of the script; the author assumes no responsibility for any damage caused by running it.

Note #2: currently the malware sends the password both as plain and cypher text; we believe the behavior may change soon as the malware is updated, and the plain text form may not be available anymore.

Note #3: decrypting files with an incorrect password may make them unrecoverable; so, we recommend taking a backup of the files before running the script.

Why should a password-based decryptor be useful?

Since the first observed campaigns, documented in this article, we have noticed that FTCODE was sending the password in plaintext within the body of an HTTP post request to the C&C.
Once implemented the relevant Suricata signatures, I decided to develop this tool internally, in order to make the decryption operation feasible.
In all of the cases we had the opportunity to put hands on, we were able to recover the encrypted files up to version 1018.1.

Network Traffic

In order to be able to decrypt the files successfully, it is necessary to intercept the contents of the POST request that the malware sends to the C&C at infection time; an example of such request follows:

ext = extension of encrypted files
ek = password in plain text
r1 = Base64 chunk containing the encrypted password

In order to intercept the POST request, we developed the following Suricata signature, and deployed it to our network monitoring system:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CERTEGO TROJAN FTCODE Registration Request (m.bompani)"; flow:to_server; content:"POST"; http_method; content:"ext="; http_client_body; content:"guid="; http_client_body; content:"ek="; http_client_body; classtype:trojan-activity; sid:9000931; rev:1;)

What does the tool do?

Given the extension and the password, the tool is able to recursively decrypt the encrypted files in all the mounted disks or in a given path.

It offers the following features.

  • In-memory fileless utilization: it is possible by wrapping the script in a function, leveraging the built-in PowerShell cmdlet Invoke-Expression
  • Logger: it traces the activities carried out, leveraging two cmdlets described at Start/Stop Transcript
  • Backup: it backs up all the files that the tool will try to decrypt.
  • Some options were added to the script for possible future uses.

Additional Details

For further technical details and demonstrations, please refer to the official github project FTdecryptor

For further FTCODE details, please refer to this article FTCODE article

About the author

Gabriele Pippi, Purple Team (LinkedIn)

Hi everyone! Today we are talking about a new ransomware we spotted being distributed in the wild dubbed as FTCODE.

Summary

  1. The Threat
  2. Payload Delivery
  3. Environment Preparation
  4. Ransomware Attack
  5. Version Changes
  6. Conclusion
  7. Suricata Signatures
  8. IoC

1. The Threat

Malicious actors are evolving and trying new ways to infect computers.

At the start of this year, a specific actor started to leverage a legitimate certified mail service, mainly used in Italy, called PEC (Wikipedia). This service is particularly trusted by its users and is commonly used to deliver electronic invoices. Therefore, it’s of special interest because it’s easier to lure potential victims with malicious emails that refer to fake invoices.

Until the last week, the Gootkit banker was delivered as the final payload of the infection chain. (Certego Gootkit analysis)

During this year, the way to deliver this threat changed: they started to leverage a new simple but effective downloader dubbed as JasperLoader to deliver upgrades and additional modules when needed. (Talos research).

However, even if sophisticated, Gootkit is old malware. Also, it does not monetize fast and does require special interaction by the user. So, they have started experimenting with ransomware, maybe to understand if they can get more from this kind of infection.

We are talking about a raw ransomware fully written in Powershell code, called FTCODE.

Even if the name could seem new, the first appearance of this threat was in 2013, as stated by Sophos. Then, almost nothing was seen for about 6 years. Strange, but we have to remember that technology changes. Windows XP was widespread at that time and, by default, Powershell is installed only from Windows 7 on. That can be a problem because actors need to install powershell itself before running ransomware. Also, cyber security was not mature as it is nowadays so, for instance, classic Zeus-like bankers were more effective.

Indeed, last year we saw the arrival of a new downloader and backdoor written in Powershell that was called sLoad and it’s still being actively distributed (Certego sLoad analysis).

KISS (“keep it simple and stupid”) they teach you during software engineering courses. So, why strive with sophisticated malware when with a bunch of code written in Powershell you can perform every kind of wickedness?

So let’s dive in more technical details to understand how FTCODE works.

Mainly we analyzed two samples from two different campaigns:

  • version 930.5, md5: a5af9f4b875be92a79085bb03c46fe5c, day: 01/10/2019
  • version 1001.7, md5: 8d4c81e06b54436160886d78a1fb5c38, day 02/10/2019

2.Payload Delivery

As stated before, the user receives an email that refers to a fake invoice with an attached document called "Fattura-2019-951692.doc". The threat actor leverages a commonly used template to trick the user to disable the “Protected View” mode and to trigger the execution of the malicious macro.

Once enabled, the macro runs and spawns the following Powershell process:

The result is the download of a piece of Powershell code that is run using the "Invoke-Expression" command (“iex”). Note that the function “DownloadString” saves the result of the request only in memory, in an attempt to avoid antivirus detection.

The new Powershell code is FTCODE itself. On execution, it performs the following GET request:

to download a Visual Basic Script file and save it in "C:\Users\Public\Libraries\WindowsIndexingService.vbs".

This is a variant of JasperLoader, a simple backdoor that is able to download further payloads.

Then, it tries to create a shortcut file called "WindowsIndexingService.lnk" in the user's startup folder that runs the JasperLoader. Finally, to achieve persistence after reboot, it creates a scheduled task called "WindowsApplicationService" pointing to the shortcut file.

3. Environment Preparation

After having installed the JasperLoader backdoor, FTCODE starts to prepare the environment for the ransomware attack.

It verifies if the file "C:\Users\Public\OracleKit\w00log03.tmp" exists. If yes, it would check the presence of some files with the extension ".FTCODE" in all the drives with at least a free space of 50 KB. If there are some, it means that the machine was already attacked by the ransomware, maybe by a previous version: therefore, it would exit.

De facto, this indicator can be used to “vaccinate” the endpoints from this threat. It’s enough to create the mentioned file with any kind of content to let FTCODE believe that the computer was already infected.

Afterwards it generates a random globally unique identifier (GUID) and a password consisting of 50 characters with at least 4 non-alphanumeric characters.

Then we found a hardcoded RSA public key that is used to encrypt the password. In this way the password cannot be deciphered without the proper private key controlled by the malicious actor and can be sent, in a secure way, to the attacker’s server.

Surprisingly, the encrypted password, after being generated, is never used elsewhere in the code and, instead, is just sent the basic base64-encoded password to the attacker’s server.

The consequence is that, if the traffic against the attacker’s server is being monitored, it’s possible to retrieve the key that will be used to decipher the files, without paying any ransom.

We believe that this mistake will be corrected in future versions.

After that error, FTCODE performs a POST request to the following URL:

with the following parameters:

  • ver=930.5, version number
  • vid=dpec2, probably to identify the campaign
  • psver=Powershell Major Version, probably to understand if FTCODE needs an update from JasperLoader
  • guid=the GUID generated previously, to identify the victim
  • ek=the previously generated password encoded in base64

if the server response is "ok", it creates the file "C:\Users\Public\OracleKit\w00log03.tmp" containing the GUID. If the server response is different, it would exit. This is another protection mechanism to evade execution in simulated environments.

Afterwards, it tries to run the following commands that are commonly used by almost every ransomware to avoid the chance that the victim can recover the encrypted files without paying:

Similar behaviour is performed by Sodinokibi: Certego blog

4. Ransomware Attack

At this moment, everything is ready to perform the real attack phase.

FTCODE checks for all the drives with at least 50 KB of free space and it looks for all the files with the following extensions:

.sql,.mp4,.7z,.rar,.m4a,.wma,.avi,.wmv,.csv,.d3dbsp,.zip,.sie,.sum,.ibank,.t13,.t12,.qdf,.gdb,.tax,.pkpass,.bc6,.bc7,.bkp,.qic,.bkf,.sidn,.sidd,.mddata,.itl,.itdb,.icxs,.hvpl,.hplg,.hkdb,.mdbackup,.syncdb,.gho,.cas,.svg,.map,.wmo,.itm,.sb,.fos,.mov,.vdf,.ztmp,.sis,.sid,.ncf,.menu,.layout,.dmp,.blob,.esm,.vcf,.vtf,.dazip,.fpk,.mlx,.kf,.iwd,.vpk,.tor,.psk,.rim,.w3x,.fsh,.ntl,.arch00,.lvl,.snx,.cfr,.ff,.vpp_pc,.lrf,.m2,.mcmeta,.vfs0,.mpqge,.kdb,.db0,.dba,.rofl,.hkx,.bar,.upk,.das,.iwi,.lite,.mod,.asset,.forge,.ltx,.bsa,.apk,.re4,.sav,.lbf,.slm,.bik,.epk,.rgss3a,.pak,.big,.wallet,.wotreplay,.xxx,.desc,.py,.m3u,.flv,.js,.css,.rb,.png,.jpeg,.txt,.p7c,.p7b,.p12,.pfx,.pem,.crt,.cer,.der,.x3f,.srw,.pef,.ptx,.r3d,.rw2,.rwl,.raw,.raf,.orf,.nrw,.mrwref,.mef,.erf,.kdc,.dcr,.cr2,.crw,.bay,.sr2,.srf,.arw,.3fr,.dng,.jpe,.jpg,.cdr,.indd,.ai,.eps,.pdf,.pdd,.psd,.dbf,.mdf,.wb2,.rtf,.wpd,.dxg,.xf,.dwg,.pst,.accdb,.mdb,.pptm,.pptx,.ppt,.xlk,.xlsb,.xlsm,.xlsx,.xls,.wps,.docm,.docx,.doc,.odb,.odc,.odm,.odp,.ods,.odt

Then, it encrypts the first 40960 bytes of each of them using the “Rijndael symmetric key encryption”. The key is created based on the previous generated key and the hardcoded string “BXCODE hack your system”. The initialization vector is also based on another hardcoded string ("BXCODE INIT").

Finally it appends the extension ".FTCODE" and creates the file "READ_ME_NOW.htm" in the folders that contain the encrypted files. We are talking about the classic ransom note with instructions on how to recover the encrypted file.

5.Version changes

We believe that this ransomware is in active development. Just one day after the delivery of the version 930.5, we saw another version distributed (1001.7). Malware authors noticed that, in the first version, there was no mechanism to tell the threat actors if the file encryption was successful or not. So, they added other 2 lines of code that trigger other 2 C&C POST requests with the following new parameters:

  • status=”start” or “done”
  • res=number of successfully encrypted files

Conclusion

Actors change their tactics faster and faster. But we understood that they could be lazy and they can make mistakes too. They are humans after all.

Some of them are starting to prefer ransomware like FTCODE over classic infostealers and bankers.

Also, we found that, monitoring the network traffic, it’s possible to retrieve they key used to encrypt the files.

So, it’s important to continuously monitor your own assets, both on a network and an endpoint level, to fight against these kind of threats.

Certego Threat Intelligence Team has been studying upcoming cyber threats for years in order to provide the best protection to their customers.

Suricata IDS signatures

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"CERTEGO TROJAN FTCODE Payload Request"; flow:to_client; content:"FTCODE"; http_server_body; nocase; content:"vssadmin"; http_server_body; nocase; reference:url,www.certego.net/it/news/malware-tales-ftcode/; classtype:trojan-activity; sid:9000999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CERTEGO TROJAN FTCODE Registration Request"; flow:to_server; content:"POST"; http_method; content:"vid="; http_client_body; content:"psver="; http_client_body; content:"guid="; http_client_body; content:"ek="; http_client_body; reference:url,www.certego.net/it/news/malware-tales-ftcode/; classtype:trojan-activity; sid:9000998; rev:1;)

IoC

C:\Users\Public\OracleKit\w00log03.tmp
C:\Users\Public\OracleKit\AFX50058.tmp
home.southerntransitions[.]net
connect.southerntransitions[.]com
home.selltokengarff[.]com
home.ktxhome[.]com
connect.simplebutmatters[.]com
qvo5sd7p5yazwbrgioky7rdu4vslxrcaeruhjr7ztn3t2pihp56ewlqd[.]onion

About the authors

Matteo Lodi, Threat Intelligence Lead Engineer (Twitter)

Marco Bompani, Security Analyst (Twitter)

License:

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

Hi everyone! Today we are looking at a threat that appeared recently: a new ransomware called Sodinokibi.

Summary

  1. The Threat
  2. The Loader
  3. Mutex and Configuration
  4. Machine information recovery
  5. Encryption preparation inspired by GandCrab
  6. Ransomware attack
  7. C2 Registration
  8. Conclusion

1. The Threat

The first noteworthy appearance was at the end of April (Talos Research).

Then, at the start of this month, we gathered different reports of this threat being spread in Italy (eg: JAMESWT_MHT's tweet), both via malspam and known server vulnerabilities.

Also, there was the announcement of the shutdown of the GandCrab Operation (Bleeping Computer), just some days earlier.

Coincidence? We’ll see.

Our guess is that this new payload could be used as a replacement of GandCrab in the RAAS (Ransomware-as-a-service) panorama.

Therefore, in order to protect our customers effectively, we went deep into the analysis of this ransomware.

Mainly we analyzed two different samples:

  • version 1.01: md5: e713658b666ff04c9863ebecb458f174
  • version 1.00: md5: bf9359046c4f5c24de0a9de28bbabd14

2. The Loader

Like every malware who deserves respect, Sodinokibi is protected by a custom packer that is different for each sample.

The method used by the version 1.01 sample to reconstruct the original payload is called “PE overwrite”.

To perform this technique, the malicious software must allocate a new area inside its process memory and fill it with the code that has the duty to overwrite the mapped image of the original file with the real malware payload. In this case, first the process allocates space in the Heap via LocalAlloc, then it writes the “unpacking stub” code, it signs that space as executable with VirtualProtect and finally it redirects the execution flow to the new memory space

In order to slow the analysis, the loader contains a lot of junk code that will be never executed.

Also, in the following image, we can see that it tries to hide some important strings from the static analysis like “ kernel32.dll”. It leverages “stack strings” plus the randomization of the order of the characters.

At this point, the unpacking stub resolves dynamically the functions that he needs like VirtualAlloc. Then it performs the overwrite of the original image base with the new decrypted payload.

Finally, it transfers the execution to the OEP (Original Entry Point) of the unpacked Sodinokibi payload.

3. Mutex and Configuration

Once unpacked, the sample tries to create a mutex object. It calls CreateMutexW, then, if there was an error, with RtlGetLastWin32Error it would extract the generated error. Indeed, if the mutex already existed, the error would have been “0xB7” ("ERROR_ALREADY_EXISTS" ref docs). In that case a function is called that terminates the process.

We found that the mutex name is different for each sample but following this pattern: “Global\{UUID}”. Therefore it’s a method to detect the malware or to vaccinate the endpoint (Zeltser blog) that is reliable only for a specific sample.

Going forward, we found the configuration in an encrypted form in the section “ .zeacl” for v.1.01 or “.grrr” for v.1.00. Once extracted, we noticed that it’s a JSON file.

These are the keys found in the configuration.

  • pk” -> base64 encoded key used to encrypt files
  • pid” -> personal id of the actor
  • sub” -> another id, maybe related to the specific campaign
  • dbg” -> debug mode
  • fast” -> fast mode
  • wipe” -> enable wipe of specific directories
  • wht” -> whitelist dictionary
    • fld” -> keyword in whitelisted directories
    • fls” -> whitelisted filenames
    • ext” -> whitelisted file extensions
  • wfld” -> directories to wipe
  • prc” -> processes to kill before the encryption
  • dmn” -> domains to contact after encryption
  • net” -> check network resources
  • nbody” -> base64 encoded ransom note body
  • nname” -> ransom note file name
  • exp” -> unknown, expert mode?
  • img” -> base64 encoded message on desktop background

If you are interested in manually checking the configuration files we have extracted in the samples we have analyzed, follow this link and download the archive (password:sodinokibi): sodinokibi_config_files.zip

4. Machine information recovery

Afterwards, Sodinokibi starts to gather information about the infected machine and builds another JSON structure that stores in an encrypted form in the “HKEY_LOCAL_MACHINE\SOFTWARE\recfg\stat” registry key.

Keys:

  • ver”: version (100 or 101)
  • pid”: previous config “pid”
  • sub”: previous config “sub”
  • pk”: previous config “pk”
  • uid”: user ID. It’s a 8 byte hexadecimal value generated with XOR encryption. First 4 bytes are created from the processor name, while the others are created from the volume serial number extracted with a “GetVolumeInformationW” API call.

  • sk”: secondary key, base64 encoded key generated at runtime
  • unm”: username
  • net” : hostname
  • grp”: windows domain

  • lng”: language

  • bro”: brother? Sodinokibi retrieves the keyboard language with GetKeyboardLayoutList. Then it implements an algorithm that gives “True” as value for this key only if the nation code ends with a byte between 0x18 and 0x2c. It’s not odd that inside this range there are the majority of the East-Europe language codes, like Russian, Cyrillic and Romanian. It’s a clear indication of the origin of the malware authors.

  • os”: full OS name

  • bit”: Sodinokibi extracts this value from “GetNativeSystemInfo” then it compares with 9 that corresponds to the x64 architecture. Further processing will generate “40” if the architecture is 64bit, “56” otherwise.

  • dsk”: base64 encoded value generated based on the drives found on the machine.
  • ext”: new in 1.01. The random extension used for encrypted files.

5. Encryption preparation inspired by GandCrab

At this time, before performing the encryption, Sodinokibi replicates a behavior that is very similar to what GandCrab performs, suggesting that Sodinokibi authors learned from GandCrab ones or that they are strictly related.

Sodinokibi extracts the running processes with the combination of CreateToolhelp32Snapshot, Process32First and Process32First and checks if they match the names in the configuration. In that case, those processes are killed. The reason is that these programs could hold write access on files and therefore they could not allow the ransomware to encrypt them.

The list of the version 1.00 contains only the “mysql.exe” process, while the list of the version 1.01 is a lot longer and almost matches the ones used by GandCrab (source: Symantec).

Afterwards, like his predecessor, Sodinokibi deletes the shadow copies with the leverage of the “vssadmin” native utility. In addition, it uses “bcdedit” to disable windows error recovery on reboot.

Another check done by the ransomware is for available network resources with WNetOpenEnumW e WNetEnumResourceW with the aim to find other files to encrypt.

Last operation before the encryption is to find all the directories with a name that matches the configuration key “wfld” and to wipe them. In this case, the list contains only “backup”. So, for example, Sodinokibi deletes Windows Defenders updates backups.

6. Ransomware attack

Finally (or not?) Sodinokibi starts to iterate over the available directories with FindFirstFile and FindNextFile.

It skips files and directories that match conditions on the whitelist configuration. The others are encrypted by the ransomware that adds the random generated key as extension to the name.

In each directory the malware also write the ransom note “{ext}.readme.txt” extracted from the configuration and a lock file.

Then it creates a file with a random name “{random}.bmp” in the %TEMP% which contains the image that will be put as a background with the help of DrawTextW and FillRect functions.

7. C2 Registration

Once the encryption is finished, Sodinokibi starts to iterate through a giant list of domains hardcoded in the configuration (about 1k). These domains are the same across the samples we analyzed but they are ordered differently in order to mislead the analysis.

At a first glance, these domains seem legit and most of them are correctly registered.

This is not a classic DGA but the result is almost the same because the purpose is to hide the real C&C Server used by cyber criminals.

For each domain listed, Sodinokibi generates a random URI. Then it uses the winhttp.dll library functions to perform HTTPS POST requests with the created URLs.

The data sent with the POST request is an encrypted form of the JSON configuration saved on the “HKEY_LOCAL_MACHINE\SOFTWARE\recfg\stat” registry key and described on the “Machine information recovery” section. In this way, malicious actors can collect important information of the infected machine.

The following are examples of some of these URLs:

Looking at an analysis of this sample in a sandbox (AnyRun), we noticed that HTTPS requests where not correctly listed. The malware can avoid traffic interception by proxies like Fiddler or Mitmproxy that are used for manual or automatic analysis.

How? The second parameter of the WinHttpOpen function is 0 which corresponds to “WINHTTP_ACCESS_TYPE_DEFAULT_PROXY”: this means that the configured proxy is skipped and the HTTP connection won’t be logged. This trick could mislead the analysis if not properly handled.

I suggest to read the following blog post where it’s further explained how these URLs are generated and why also this routine is inspired by GandCrab code: Tesorion analysis

8. Conclusion

Sodinokibi could be the heir of GandCrab. It’s still at version 1.01 so maybe it’s not mature yet but is actively developed and updated

Malicious actors have started to use Sodinokibi to generate profit, even in Italy.

It’s important to continuously monitor your own assets, both on a network and an endpoint level, to fight against these kind of threats.

Certego Threat Intelligence Team has been studying upcoming cyber threats for years in order to provide the best protection to their customers.

IOC

HKEY_LOCAL_MACHINE\SOFTWARE\recfg\stat
HKEY_LOCAL_MACHINE\SOFTWARE\recfg\pk_key
decryptor[.]top
aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd[.]onion

About the author

Matteo Lodi, Cyber Threat Intelligence Team Leader

Twitter: https://twitter.com/matte_lodi

License:

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

Today we are going to talk about one of the biggest threats that is spreading in these days, in particular in Italy: Dreambot, the most recent version of a malware also known as Ursnif, or Gozi.

Summary

  1. The Threat
  2. The Check-In phase
  3. Encryption routine
  4. Injected Internet Explorer? Or not?
  5. Conclusion

1. The Threat

Ursnif belongs to the category of Infostealers. It was already analyzed by a lot of skilled researchers. I list just some of the best analysis you could find:

In this article, we'll focus on the initial communication with the Command & Control infrastructure.

2. The Check-In phase

At the time of the compilation of the malware, spreaders can choose a list of domains that will be hardcoded in the sample in an encrypted form.

For example, the following image shows 3 different domains uploaded into the memory of one of the variant that we analyzed.

The malicious agent tries to perform its initial communication with the first of the list, then, if it fails, it would try with the next and so on.

We underline that this "beacon" is always performed via plain HTTP while the following steps of communication are done via SSL encryption and custom certificates.

This is important because, with the right eye, even without SSL interception, we can pretty easily spot if something is going wrong.

The following image shows 3 different attempts to communicate with the C2 server in a sandbox environment. 

If the pattern is not known, an untrained analyst could be misleaded by this behaviour while performing threat hunting on network logs or artifacts.

The file extension ".avi" refers to video files. Also, the path "/images/" is deceptive. In addition, it's performed as a "GET" request. All of this evidence could be seen as a normal download of a video file from a site hosting media.
In fact it's the check-in of the malware that is sending basic information about the compromised machine, hiding them in plain sight in the URI path.

Example:

Decoded data:

  • fjidtflrb -> junk param, always present at the start of the URI to generate randomness (and always different)
  • soft -> major version
  • version -> minor version
  • user -> unique user id
  • server -> unique c2 server id
  • id -> bot group id
  • crc -> payload to retrieve (1-DLL 32bit, 2-DLL64 bit, 3-ps1)
  • uptime -> time elapsed from initial infection (seconds)

The following image represents the phase when the malware creates the first parameter:

After having seen a lot of this kind of patterns on Ursnif samples in last years, I decided to create a simple and raw tool that is able to decrypt the URL created by the malware on the fly.

In this way it's possible to spy the configuration sent to the Command & Control server and, at the same time, to check if the URL is related to this threat. 

All of this without any need of manual reverse engineering.

You can check the simple tool that I created on the following link on: Github

This is an example of how to run the script:

and the related output:

3. Encryption routine

The custom algorithm starts with a symmetric encryption that leverages the Serpent cipher in CBC mode and a null IV (initialization vector). 

Afterwards the result is encoded with a classic base64. Considering that base64 encoding is pretty easy to spot, malware authors decided to change things a little more. They removed padding characters("=") and substituted the other special characters ("+", "/") with the relative ASCII code, after having prepended them by an underscore ("_2f", "_2b"). The last tweak is to add slashes at specified offsets to let the URI to appear like a real one.

Obviously, the Serpent encryption needs a key. We can find it hardcoded on the malware sample. Some code level analysis could be required to get that info.

However, observations led to the fact that the key is usually shared among a lot of samples and rarely changed.

If you don't have one, just run the script: it would try a predefined list of known keys for you.

It's really appreciated if you want to share new keys that you find with us. Feel free to contact us on Twitter or LinkedIn

4. Injected Internet Explorer? Or not?

While investigating the check-in phase, we noticed an unusual fact that we think it's worth to mention.

As you can see from the analysis of AnyRun, the malicious beacon seems to be sent by an Internet Explorer instance after the malware has run.

Considering that Ursnif is known to perform injection on browsers to steal information, an unaware analyst could think that the malware already decided to perform some form of memory injection into a new spawned instance of Internet Explorer to masquerade the communication as a legit one.

However this is unecessary. It's enough to use the COM (Wikipedia) library that is provided by Microsoft.
Looking at the code, we can detect this behaviour with the finding of the function CoCreateInstance that were made just before the network communication.

This one is a stealthy way that could mislead both analysts and security products if it has not been taken in consideration.

If you like to have a more detailed explanation on COM and, in general, on how to detect malware C2 communications while reverse engineering, I suggest the following reading: FireEye Blog

Conclusions

Ursnif has been trying for years to make analysis difficult for people and detection for security products.

We went deep into the communication performed during the check-in phase and created a new tool to help to analyze and detect the malware.

Certego is actively monitoring every day threats to improve its detection and response methods, continuously increasing the effectiveness of the incident response workflow.

Hash
9406ff0da0f238466f7638490ad4335d
8793af5f5ad8a2ca9b2ae6af5e70e63f
8f0195472ede691b129913465eec0c9e

About the author:

Matteo Lodi, Cyber Threat Intelligence Team Leader 

If you know something more about protocols used by Ursnif for C2 communications or if you'd like to improve the tool(Github), feel free to contact me at any time.

Twitter: https://twitter.com/matte_lodi

License:

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

Today we are going to start a new series of blog posts called “Malware tales”: the intent is to go deep on code-level analysis of most widespread malware to allow everyone to get a better picture of everyday cyber threats. Also, we’d like to demystify malware and show that we are just talking about a bunch of code

Summary:

  1. The Threat
  2. Payload delivery
  3. Gootkit executable
  4. Stage 1: Packed Gootkit
  5. Stage 2: Gaining a foothold
  6. Stage 3: Check-in phase
  7. Last stage
  8. Additional findings
  9. Conclusions

The Threat:

Gootkit belongs to the category of Infostealers and Bankers therefore it aims to steal information available on infected machines and to hijack bank accounts to perform unwanted transactions.

It has been around at least since 2014 and it seems being actively distributed in many countries, including Italy.

Previous reports about this threat can be found following this link:Malpedia

Today we are going to dive into the analysis of a particular variant that came up the last week.

Payload Delivery:

The infection vector is an email written in Italian. In this case adversaries used one of the most common social engineering techniques to trigger the user to open the attachment.

The downloaded file is a heavily obfuscated Javascript file called "GLS_Notifica.js". If the user opens it, the native Javascript interpreter wscript.exe would be executed by default and it would perform the following HTTP request:

The result is the download of a cabinet file that is an archive file which can be extracted natively by Windows. Inside there is a Portable Executable file that is saved into the %TEMP% folder (“C:\Users\<username>\AppData\Local\Temp”) and launched.

Javascripts downloaders are a common payload delivery because a little obfuscation can be enough to make them very difficult to be detected by antivirus engines.

Gootkit executable:

First run of the sample in an automated environment revealed that something new was added in this version. As we can see in the following images, malware authors added a new layer of protection to the malicious agent. The comparison has been made with a variant spread during December of 2018 in Italy. (images are from AnyRun)

This means that the original program was “packed” with the aim to slow down reverse engineers and to make ineffective static analysis tools like Yara rules.

Stage 1: Packed Gootkit

In such cases, a malware analyst knows that he has to extract the original payload as fast as possible without losing time to try to understand the inner workings of this stage.

A great open-source tool exists which can resolve the problem in a matter of seconds. It’s called PE-Sieve (Github). Even though it does not always work, in this case it can dump the unmapped version of the original executable because the malicious software uses a technique called Process Hollowing a.k.a. RunPE. This method consists in starting a new process in a suspended state, “hollowing” out the content of the process, replacing it with malicious code and, finally, resuming the thread.

In the image we can see that the 6th parameter of "CreateProcessW" was set to "4", indicating that the process will start in a suspended state.

We are talking about a well known technique that is easily detectable with the monitoring of the Windows API calls that are needed to perform the injection. But here comes the trick.

Following the flow of execution we couldn’t find all the needed API calls: we got NtCreateProcess, NtGetContextThread, NtReadVirtualMemory and NtSetContextThread.

The most important ones that are used by monitoring applications to detect the technique were missing:

  • NtUnmapViewOfSection to “hollow” the target process
  • NtWriteVirtualMemory to write into the target process
  • NtResumeThread to resume the suspended thread

Let’s find out what’s happening!

After some shellcode injections inside its memory space, the process executes a call to IsWow64Process API that is used by the application to understand if the process is running under the WOW64 environment (Wiki): this is a subsystem of the Windows OS that is able to run 32-bit applications, like this one, on 64-bit operating systems.

The result of this check is used to run two different paths of code but with the same scope: run one of the aforementioned missing API calls in the Kernel mode. This means that, in this way, classic user-level monitoring tools would not catch these calls and the RunPE technique would remain unnoticed.

Specifically, in case the process is running in a 32-bit environment, it would use the SYSENTER command to switch into the Kernel mode, while, on the contrary, it would use the SYSCALL command to perform the same operation.

To complicate even further, the SYSCALL command can’t be called in the context of a 32-bit application. This means that the executable needs to perform a “trick-into-the-trick” to execute this operation. We are talking about a technique known as The Heaven’s Gate.

Practically, thanks to the RETF instruction, it’s possible to change the code segment (CS) from 0x23 to 0x33, de facto enabling 64-bit mode on the running process.

In the following image we highlight the entrance and the exit of the “Gate” which contains the 64-bit code that performs the SYSCALL operation.

Instead, in this other image, we can see the process status before opening the gate (grey=suspended process) and after having closed it (orange=running process).

Also, Gootkit takes advantage of The Heaven’s Gate as an anti-debugging technique because the majority of commonly used debuggers can’t properly handle this situation, not allowing the analyst to follow the code of the Gate step-by-step.

For further details, this method was deeply explained in this blog (MalwareBytes)

Going back to the point, the first stage resulted more complicated than expected because it pushed over the limits of obfuscation and stealthiness with the combination of various techniques.

Stage 2: Gaining a foothold

At this point we can proceed with the analysis of the unpacked Gootkit.

The very first considerable finding was the check for the existence of a mutex object named “ServiceEntryPointThread”. If it exists, the process would terminate itself.

But how mutexes works? Mutexes are used as a locking mechanism to serialize access to a resource on the system. Malware sometimes uses it as an “infection marker” to avoid to infect the same machine twice. The fascinating thing about mutexes is that they are a double-edged weapon: security analysts could install the mutex in advance to vaccinate endpoints. (ref: Zeltser blog)

This means that this is a great indicator of compromise that we can use not only to detect the infection but also to prevent it.

Moving on, we found that malware authors implemented a lot of checks to understand if the malware is running inside a virtual environment. Some of them are:

  • It checks if the registry key “HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString” contains the word “Xeon”

  • it checks if the computer name is “7SILVIA” or “SANDBOX”, if the username is “CurrentUser” or “Sandbox” or if “sbiedll.dll” has been loaded.

  • it checks if “HKLM\HARDWARE\Description\System\VideoBiosVersion” contains the word “VirtualBox”

  • it checks “HKLM\Software\Microsoft\Windows\CurrentVersion\SystemBiosVersion” for the string “VBOX”

In the case one of this check fails, the program would execute a Sleep operation in a infinite cycle in the attempt to thwart automated sandbox execution.

After that, we encountered the implementation of a particular persistence mechanism that it seems Gootkit has been using for many months: it’s already documented in various blog posts, for ex. ReaQta blog.

Briefly, the infostealer generates a INF file with the same filename of itself.

Content of the INF file:

Then it creates 3 different registry keys (“Count”, “Path1” and “Section1”) inside “HKCU\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs” with the purpose to allow the threat to execute on reboot.

It seems that this technique was reported to be used only by Gootkit.

Famous security tools still can’t detect this mechanism even if it has been used for months.

For example, the famous SysInternal Autoruns tool, that should be able to show all the programs that are configured to run on system bootup or login, fails the detection of this persistence method.

Stepping through the code, we noticed that, at runtime, Gootkit decrypts the strings it uses with a custom algorithm to evade static analysis detection of anomalous behaviour.

It’s a combination of “stack strings”, XOR commands and the modulo operation.

An exhaustive explanation of the decryption routine can be found here:link

Skipping further, eventually there’s a call to “CreateProcessW” to start a new instance of Gootkit with the following parameter: --vwxyz

Stage 3: Check-in phase

Quickly we found out that executing the malware with the cited parameter allows us to skip all the previous anti-analysis controls to get into the part of the code that starts to contact the Command & Control Server.

The first check-in to home is done to the following URL via HTTPS:

As we can see from the image, many headers were added to the request to send different informations of the infected machine to the C&C Server.

In particular one of the headers caught my attention: “ X-IsTrustedComp”. Digging into the code we found that the value would be set to “1” if an environment variable called “crackmeololo” was found in the host, “0” otherwise.

That seems another “escaping” mechanism implementing by the author, probably to stop the infection chain for his own debugging purposes.

Last stage:

The response that arrives from the previous connection contains the final stage of Gootkit, configured to work properly on the infected machine.

The malware dynamically loaded “RtlDecompressBuffer” call to use it to decompress the payload; then, it injected into an area of the current process memory.

Afterwards the flow of execution is transferred to the start of the injected code.

The final payload is a DLL file that is bigger than 5MB because it contains the Node.js engine which is probably needed to run some embedded javascript files. At this time we decided to stop our analysis and leave the rest to future work.

Additional findings:

While debugging, we noticed that Gootkit does not check only if a parameter called “ --vwxyz” was passed to the command line. Also it checks if other 3 parameters:

  • --reinstall

  • --service

  • -test

Pretty strange thing. We haven’t found the malware to actively use these arguments yet. However, stepping through code we discovered that:

1 - the “--reinstall” command leaded the execution to some curious code. First, the malware used “CreateToolHelp32Snapshot” to retrieve a list of the current running processes.

Then, it iterated through the retrieved list via “ Process32FirstW” and “Process32NextW” with the aim to get a handle to the active “explorer.exe” instance.

At this point it killed “explorer.exe”. The following image shows the process list before the “TerminateProcess” command.

After having executed that command, we found that a new instance of the malware spawned as a child of “explorer.exe”.

What happened? We performed some tests and it seems that “ explorer.exe” was killed and then automatically restarted by “winlogon.exe”. Therefore “explorer.exe” accessed the keys involved in the persistence mechanism previously explained:

Using this trick, the malware is able to “reinstall” itself, without the need to use suspicious API calls like “ CreateProcessW”.

2 - the “ --service” command did not change the flow of execution with the exception of creating a new environment variable called “USERNAME_REQUIRED” and set it to “TRUE”.

Eventually we found that the final stage checks if the aforementioned variable exists.

3 - the “ -test” command just terminate the process. Indeed it’s a test.

Conclusions

We explored some of the functionalities of one of the most widespread Infostealers of these days, revealing new and old tricks that is using to remain undetected as much time as possible.

Certego is actively monitoring every day threats to improve our detection and response methods, continuously increasing the effectiveness of the incident response workflow.

PS: Let us know if you liked this story and feel free to tell us how we can improve it!

Hash:

597f734c780f283d6cd7c7443700a65249b8350ec1ad58b8aa790a32f57eec4d 
GLS_Notifica.js
5ed739855d05d9601ee65e51bf4fec20d9f600e49ed29b7a13d018de7c5d23bc
gootkit 1st stage
e32d72c4ad2b023bf27ee8a79bf82c891c188c9bd7a200bfc987f41397bd61df 
gootkit 2nd stage
0ad2e03b734b6675759526b357788f56594ac900eeb5bd37c67b52241305a10a 
gootkit DLL module

About the author:

Matteo Lodi, Cyber Threat Intelligence Team Leader

Twitter: https://twitter.com/matte_lodi

License:
Licenza Creative Commons
Quest'opera è distribuita con Licenza Creative Commons Attribuzione - Non commerciale - Non opere derivate 4.0 Internazionale.

Hi everyone, here is Matteo Lodi, Threat Intelligence Analyst in Certego.

Recently, we saw a particular new spam campaign targeting italian users with the focus of delivering a downloader known as Sload.

Nowadays, attackers are trying harder and harder to make difficult the analysis and the detection. The most common tool misused in this way is Powershell: it's installed by default in every recent version of Windows and is commonly used to perform administrator tasks.

The infection chain

Let's dig in the infection chain:

1. A user receives an email with subject "<TARGET_COMPANY_NAME> Emissione fattura <random_number>" containing a reference to a fake invoice.

The user is tricked to click on the malicious link that points to a randomly generated domain hosted with HTTPS in 91.218[.]127.189. The following is an example:

2. Once downloaded, if the user opens the archive, it would find two files. The first one is a legit image, while the second one is a .lnk file. We have already seen the misuse of shortcut files with powershell to perform the download of malicious samples. But this time it seemed different: in fact, the .lnk points to the following command:

3. Where is the download? At first glance, that seemed very strange: what is the aim of this execution? After having analyzed the command, the trick was clear. The attackers wants to call "Invoke-Expression" command to run a string hidden inside the zip itself!! But where?

As we can see in the following image, at the end of the original downloaded zip file we can see readable strings that are the real first stage downloader!!

The zip file is still a legit and correctly working archive! Powershell commands are written after the EOCD (End of central directory) which determines the end of a zip file.

This clever trick can deceive many signatures-based detection tools.

4. The extracted command is the following:

5. The result is the download and the execution of another powershell script from a server hosted in 185.17[.]27.108. We saw different domains used but, in the last week, the Dropzone IP never changed. Also, we noted that the CnC server was blocking requests without the "Microsoft BITS/7.5" User-Agent to prevent unwanted download by non-infected machines.

This script was very well detected by antivirus engines as you can see in the following image!

How funny was I? Static analysis is completely useless in such cases.

Going forward, the malware drops the following items before deleting itself:

Therefore it registers a task called "AppRunLog" to maintain persistence

6. At the end, it calls the registered task. This will execute the dropped Visual Basic Script file that, in turn, will execute the dropped Powershell script:

This script parses arguments and it won't execute properly in case they are not what it expects. It needs the numbers from 1 to 16 as arguments because, in fact, they are the key to decrypt the last stage.

7. The final payload is decrypted from the "config.ini" file and is called with "Invoke-Expression". It's loaded directly in memory: this makes very difficult for antivirus products to detect the threat. At the moment, this execution method is widely known as "fileless" because, indeed, the malware is never written on disk.

The payload is the last (finally) powershell script: it is the real Sload downloader which performs various malicious steps that were already explained in details in the article written by Proofpoint.

In few words, Sload can:

  1. Load external binaries
  2. Take screenshots
  3. Update configuration and CnC servers
  4. List running processes
  5. Detect Outlook usage

The variant we spotted in the last week uses the following CnC domains, which resolve in the same IP used by the second downloader stage (185.17[.]27.108)

However, we expect that this configuration won't last long, because, as we said before, Sload is able to update his CnC servers at any time.

Conclusion

We had a fantastic journey that made us understand, hopefully, how powerful can be Powershell and how attackers are misusing this tool to evade analysis detection.

We analyzed 5 different powershell scripts and that was only the "downloader" phase of the infection.

In case of a successfull one, Sload was seen to download known malware like Ramnit, Gootkit, DarkVNC or Ursnif (reference: Proofpoint). At that stage the threat would be really important.

Certego is monitoring the campaign and it's updating its signatures to correctly detect possible infections.

IOC

First stage download: (many and changing fast)
usined[.]com
darrenportermusic[.]com
supporto.eldersonfire[.]com
91.218[.]127.189

Second stage download: (many and changing fast)
firetechnicaladvisor[.]com
cltspine[.]info
185.17[.]27.108

CnC servers: (stable through the last week)
ljfumm[.]me 
hamofgri[.]me
185.17[.]27.108

Hash (sha256):

first stage
7838904c04c8bdf2444a64bd32fa308b6bd248789305e2fe4e91699b5a0a9f99 
8e1271fbb3f21d4c441748488d68636c68e6dbf4a755468da27b210c04ceb9c1

second stage
ee1dbf76665f5c07ba1c453d1890aa93307f759c5cce6f59f225111509482a64

sload
ad50e8ee958cb3f391ecc8e94b1506eba3174d9f08b95b37f616eeba382838b5