Mlw #41: a new sophisticated loader by APT group TA505
Alexey Vishnyakov
ptsecurity.com
• Senior Specialist at Expert Security Center
• Threat Intelligence
• APT analysis
• Incident response support
• Speaker at infosec conferences (PHDays, AVAR)
Twitter: @Vishnyak0v
Agenda
• Intro
• PE packer
• Prep stage
• Persistence stage
• Payload stage
• C&C plugin stage
• Conclusion
Intro
A few words about the group and the sample
Intro
TA505 cybercriminal group
• Since 2014
• More than half of the world targeted
• Huge toolkit: Dridex, Locky, ServHelper and dozens of other families
• Relations with other threat actors: Buhtrap, Silence
Intro
APT?
Sometimes … yes
Intro
• File size: 287440 bytes
• PE32 executable for MS Windows (console) Intel 80386 32-bit
• Microsoft Visual C++
• MD5: 58a875aeaa00ddb684349446ec9d36af
• SHA1: f6d3545a962e88e31365d9218460381d5265025d
• SHA256: d19a8ebbcd0dd9f1f438ac04d510270a135ba4c0c59f3f5eb92ae7e4ea5d8f71
• Imphash: e58e198778a2bd20fd323a8924987ccf
• SSDEEP: 6144:7xohcLcBrQsCSQ+Rd1f4kdn6PAScLl14aG3wUhJzM6rG8mb7+:7s5+sCcLdKM/6r3mbq
Intro
PE packer
First part: TA505-related packer
PE packer
Useless instructions before the main logic
PE packer
“SUB-XOR-ROL7-XOR” decoding routine
PE packer
Shellcode execution
struct ShellcodeArgs {
    HMODULE hkernel32;             // kernel32 base handed to the shellcode
    void *aEncodedBlob;            // encoded payload blob
    unsigned int nEncodedBlobSize; // size of the encoded blob
    unsigned int nBlobMagic;       // magic value of the blob
    unsigned int nBlobSize;        // size of the decoded blob
};
PE packer
Second stage shellcode at the beginning
PE packer
Payload reduction “from 5 to 3 bytes”
“SUB-XOR-ROL7-XOR” decoding again
PE packer
aPLib decompression
(see FSG packer)
PE packer
Self-entry point replacement in PEB
PE packer
Second part: custom packer
PE packer
C:\_SHARED\mlw41_DNSG\c_drop\Release\c_drop.pdb
PE packer
Custom XOR-based algorithm
PE packer
LZNT1 decompression
Compressed PE
Prep stage
Reconnaissance, DLL imports, configuration
Prep stage
Self name: pld32.dll
One exported function for relocation purposes
Prep stage
Determining the OS version using the KUSER_SHARED_DATA structure
Prep stage
https://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kuser_shared_data/index.htm
Prep stage
Bytes array: function offsets in SDT
Prep stage
eax == KeServiceDescriptorTable index
Prep stage
#    2-byte value   API
0    15 00          NtAllocateVirtualMemory
1    1B 00          NtFreeVirtualMemory
2    52 00          NtCreateFile
3    0C 00          NtClose
4    03 00          NtReadFile
5    0E 00          NtQueryInformationFile
6    4F 00          NtResumeThread
7    50 01          NtSetContextThread
8    25 00          NtMapViewOfSection
9    47 00          NtCreateSection
10   34 00          NtOpenSection
11   30 00          NtOpenFile
12   4D 00          NtProtectVirtualMemory
13   33 00          NtQuerySystemInformation
14   3A 00          NtQueryAttributesFile
15   27 00          NtUnmapViewOfSection
How it looked in my VM
Prep stage
FastSysCall in Wow64
Is it x86?
Direct function invocation via syscall
Prep stage
IMHO: quality in the details
Prep stage
Auxiliary DLLs reading via fast syscalls
Prep stage
DLL export table parsing
Prep stage
Function hash calculation algorithm
Prep stage
Resolving function addresses for predefined libraries via hashes
Prep stage
Function hashes
Prep stage
IDA Python script for function resolving, part 1
[Hashes count, Hashes array, Addresses array]
Prep stage
IDA Python script for function resolving, part 2
Prep stage
Bingo!
Prep stage
Check self name hash against blacklist
Prep stage
Get volume info
Prep stage
Check AV and VM process names
Prep stage
Self compression & encryption
Prep stage
Final recon & configuration structure
Persistence stage
Shellcode, injects, scripts, tasks, anti-DFIR
Persistence stage
Generate an intermediate shellcode
• 420 bytes
• Hardcoded shellcode
• 532 bytes
• Registry path
• Payload size
• ntdll major APIs relative addresses
Persistence stage
Shellcode
Config
Persistence stage
ZwOpenProcess ->
InitializeProcThreadAttributeList ->
UpdateProcThreadAttribute ->
CreateProcessW
Persistence stage
Prepare thread context with a ROP gadget in ntdll
Persistence stage
Inject via NtSetContextThread with ROP
Persistence stage
Dropping the script to a system
Persistence stage
Generating ps1 launcher
Persistence stage
Execute it finally
Persistence stage
JScript path construction
Persistence stage
JScript file creation: what about MAC times?
Persistence stage
Extracting and assigning MAC timestamps from ntdll (Timestomping)
Persistence stage
AddressBook.js
Persistence stage
Task scheduling via COM interface
Persistence stage
Event log cleaning
Payload stage
Remember?
It’s just a loader…
Payload stage
GUID generation, opening file mapping
Payload stage
Store the payload on disk and execute or …
Payload stage
… inject in msiexec via NtSetContextThread
Payload stage
… inject with LoadLibraryW, wups.dll and splicing
Payload stage
Hooked functions
Payload stage
Encrypt and store a payload in registry
C&C plugin stage
C2 interaction, X25 requests, tunneling
C&C plugin stage
Decrypt and launch the plugin
C&C plugin stage
It seems that’s a real timestamp
C&C plugin stage
Encrypted config structure: “check” bytes, RC4 key, config size, encrypted config
C&C plugin stage
Decrypted config
<a>37.59.52.229</a><b>a12</b><c>zjs4zmhmr2ws</c><d>1</d>
C&C; a new RC4 key (figure labels)
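As an added illustration (not code from the talk or from the sample), here is how an analyst could carve and decrypt a config laid out as the slide describes (“check” bytes, RC4 key, config size, encrypted config) and then pull the tag fields out of the decrypted text. The field widths (4 check bytes, a 16-byte RC4 key, a 4-byte little-endian size) are assumptions chosen for this example; the slides name the fields but not their sizes. The sample plaintext is the decrypted config shown above; the key, check bytes and `build_sample_blob` helper are constructed for the example.

```python
import re
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). Symmetric, so one function both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Layout from the slides: "check" bytes | RC4 key | config size | encrypted config.
# The widths below are ASSUMPTIONS made for this example; the talk does not state them.
CHECK_LEN = 4
KEY_LEN = 16
SIZE_FMT = "<I"  # assumed 4-byte little-endian size field


def parse_encrypted_config(blob: bytes, expected_check: bytes) -> str:
    """Validate the check bytes, carve key and ciphertext, return the decrypted config text."""
    if blob[:CHECK_LEN] != expected_check:
        raise ValueError("check bytes mismatch: not a config blob in the expected layout")
    key = blob[CHECK_LEN:CHECK_LEN + KEY_LEN]
    (size,) = struct.unpack_from(SIZE_FMT, blob, CHECK_LEN + KEY_LEN)
    start = CHECK_LEN + KEY_LEN + struct.calcsize(SIZE_FMT)
    ciphertext = blob[start:start + size]
    if len(ciphertext) != size:
        raise ValueError("truncated blob: size field larger than the remaining data")
    return rc4(key, ciphertext).decode("ascii")


# The decrypted config looks like <a>IP</a><b>..</b><c>..</c><d>..</d>. Per the talk,
# <a> is the C&C address and <c> is a new RC4 key; <b> and <d> are kept as raw values.
TAG_RE = re.compile(r"<([a-z])>(.*?)</\1>")


def parse_config_tags(text: str) -> dict:
    fields = dict(TAG_RE.findall(text))
    return {"c2": fields.get("a"), "rc4_key": fields.get("c"), "raw": fields}


def build_sample_blob(check: bytes, key: bytes, plaintext: str) -> bytes:
    """Constructed helper: assemble a blob in the assumed layout so the parser can be exercised."""
    enc = rc4(key, plaintext.encode("ascii"))
    return check + key + struct.pack(SIZE_FMT, len(enc)) + enc


if __name__ == "__main__":
    # check bytes and key are constructed; the plaintext is the decrypted config from the slide
    sample = build_sample_blob(b"\xde\xad\xbe\xef", b"0123456789abcdef",
                               "<a>37.59.52.229</a><b>a12</b><c>zjs4zmhmr2ws</c><d>1</d>")
    print(parse_config_tags(parse_encrypted_config(sample, b"\xde\xad\xbe\xef")))
```

Once the real widths are recovered from the plugin, only the three constants at the top need to change; the check-bytes comparison is what lets a carving script skip blobs from other versions instead of producing garbage after RC4.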
C&C plugin stage
Base64 encoding
C&C plugin stage
Symbols replaced in the request
‘+’ -> -11P || -22L
‘/’ -> -33S || -44L
‘=’ -> -55E || -66Q || -77A || -88L || -99S
C&C plugin stage
Divide the data into chunks, split via dots
C&C plugin stage
MD5 checksum generating and custom base64 encoding
C&C plugin stage
Domain name generation:
/[a-z]{2}[0-9]{2}.com/
C&C plugin stage
Packet header structure, 0x18 bytes
struct PacketHeader {
    DWORD rand;              // rand(0xAAAABBBB) + 0x11111111
    BYTE num;                // sequence number
    BYTE zero;               // usually zero, unknown
    DWORD xored_volume_info; // volume_info ^ rand
    DWORD xored_chunks;      // chunks ^ rand
    DWORD rand2;             // usually the same rand (second copy)
};
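An added example, not code from the talk or from the malware, showing the request-side decoding the slides describe: strip the C2 domain, join the labels as-is, map the marker tokens back to ‘+’, ‘/’ and ‘=’, base64-decode, and unpack the header with the XOR against `rand` undone. Two assumptions are labelled in the code: the base64 alphabet (the talk calls it “custom” but the slides do not give it, so the standard alphabet is used and can be swapped in `ALPHABET`), and the packed header layout (the fields as listed pack to 18 bytes; the slide quotes 0x18). `build_header` and `bytes_to_query` are constructed helpers that exist only to produce input for the decoder; `ol68.com` is the domain shown on the slides.

```python
import base64
import re
import struct

# Marker tokens that stand in for the base64 specials inside a query (from the slides).
# The sender picks one variant at random; every variant maps back to the same character.
MARKERS = {
    "-11P": "+", "-22L": "+",
    "-33S": "/", "-44L": "/",
    "-55E": "=", "-66Q": "=", "-77A": "=", "-88L": "=", "-99S": "=",
}
MARKER_RE = re.compile("|".join(re.escape(m) for m in MARKERS))

# ASSUMPTION: the talk calls the encoding "custom base64" but the slides do not give the
# alphabet, so the standard one is used here. Put the recovered alphabet into ALPHABET and
# real samples go through the same path.
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
ALPHABET = STD_ALPHABET


def custom_b64decode(text: str, alphabet: str = ALPHABET) -> bytes:
    """Decode base64 written in `alphabet` by translating it to the standard alphabet first."""
    return base64.b64decode(text.translate(str.maketrans(alphabet, STD_ALPHABET)))


def query_to_bytes(qname: str, c2_domain: str) -> bytes:
    """Strip the C2 domain, join the labels as-is, undo the marker substitution, decode."""
    suffix = "." + c2_domain
    if not qname.endswith(suffix):
        raise ValueError("query name is not under the expected C2 domain")
    joined = "".join(qname[:-len(suffix)].split("."))
    restored = MARKER_RE.sub(lambda m: MARKERS[m.group(0)], joined)
    return custom_b64decode(restored)


# Header fields in the order the slide lists them, little-endian, packed.
# ASSUMPTION: this packs to 18 bytes while the slide quotes 0x18; adjust the format
# string if the real layout turns out to have padding or extra fields.
HEADER_FMT = "<IBBIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)


def parse_header(blob: bytes) -> dict:
    rand, num, zero, x_vol, x_chunks, rand2 = struct.unpack_from(HEADER_FMT, blob)
    return {
        "rand": rand,
        "seq": num,
        "zero": zero,
        "volume_info": x_vol ^ rand,      # volume_info ^ rand, undone with the same rand
        "chunks": x_chunks ^ rand,        # chunks ^ rand
        "rand_repeated": rand2 == rand,   # slide: "usually the same rand"
        "body": blob[HEADER_LEN:],
    }


# Domain pattern the talk gives for the generated C2 names.
DGA_RE = re.compile(r"^[a-z]{2}[0-9]{2}\.com$")


def looks_like_dga(domain: str) -> bool:
    return DGA_RE.fullmatch(domain) is not None


def build_header(rand: int, seq: int, volume_info: int, chunks: int) -> bytes:
    """Constructed helper: pack a header the way the slide's fields describe (XOR with rand)."""
    return struct.pack(HEADER_FMT, rand, seq, 0, volume_info ^ rand, chunks ^ rand, rand)


def bytes_to_query(data: bytes, c2_domain: str, label_len: int = 63) -> str:
    """Constructed encoder, only here to produce input for query_to_bytes (uses one marker variant each)."""
    text = base64.b64encode(data).decode("ascii")
    text = text.replace("+", "-11P").replace("/", "-33S").replace("=", "-55E")
    labels = [text[i:i + label_len] for i in range(0, len(text), label_len)]
    return ".".join(labels) + "." + c2_domain


if __name__ == "__main__":
    q = bytes_to_query(build_header(0x2468ACE0, 1, 0xCAFEBABE, 6) + b"payload chunk", "ol68.com")
    print(q)
    print(parse_header(query_to_bytes(q, "ol68.com")))
```

Because the tokens are reversed after the labels are joined, a marker that the sender split across a dot is still restored. Note that the `Fu-33S…-88L-55E` label from the later slide restores to 24 base64 characters ending in `==`, i.e. 16 bytes, which matches the talk's statement that it is the MD5 of the payload; this length check holds whatever the alphabet.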
C&C plugin stage
Hardcoded UDP request structure
C&C plugin stage
X25 DNS request type
C&C plugin stage
70FLQwcAqHfxh-11PlBS0PvQUtD.ol68.com
ivMAAAEAzcW6xIrzAACK8wAA.ol68.com
C&C plugin stage
7ZWPrs2G1tlcONzJnd68Kfb73DYaa0dOB68Dq5djUoy9UABYdFhtAeAaTW-22Lr.1AjwSkBXvVhSlW31sveIvBTvk1TUHtcS6MRj87VIKkXTlQyFLTcP5Ck0FX-11P.irbmr-11PhFWVXcPj2BjkAzRWryseAaDlLajqH7kjXjE4Y7fn4RIt-44LswTTX.BZwPrcF-44LbLn5ZcgT.ySADOwjSjha5-44L8kgAzvaIeJi.ol68.com
Header; Payload chunk (figure labels)
C&C plugin stage
…
C&C plugin stage
• Get all 6 chunks
• Join them “as is”
• Custom base64 decode
• RC4 decrypt
• Done!
C&C plugin stage
Fu-33S2umvUVm44Ezor-44Lrcw6w-88L-55E.FoVHKQklUbP97RaFRykL4c1H.ol68.com
Fu-33S2umvUVm44Ezor-44Lrcw6w-88L-55E.uI6dHQkl-44L7gn2biOnR2l6hdz.ol68.com
C&C plugin stage
… custom base64 decode -> MD5 hash of the payload
Why twice? …
C&C plugin stage
Payload in the response
Header; Payload (figure labels)
C&C plugin stage
Malware config; MD5 checksum again
Conclusion
In the end…
Conclusion
A similar one on Twitter
https://twitter.com/vk_intel/status/1177269767297806337
Conclusion
Proofpoint about Snatch
https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader
Conclusion
@tildedennis about Snatch
https://github.com/tildedennis/malware/blob/master/snatch_loader/decrypt_cfg.py
Conclusion
The same key generation
Conclusion
Takeaways or blue team tips
• Everybody loves scheduled tasks
• PowerShell/WScript processes and .ps1/.js files on disk
• msiexec and suspended processes
• Integrity control of system libraries (splicing is still alive)
Conclusion
Takeaways or blue team tips
• Control an execution flow? (ROP gadgets -> kBouncer -> JOP)
• Unusual request types and DNS tunneling
• A lightweight, high-quality trojan downloader is a stable trend
APT != targeted attack
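To make the “unusual request types and DNS tunneling” tip concrete, an added example (not from the talk) that scores DNS query log lines with the indicators named in this deck: the X25 query type, the /[a-z]{2}[0-9]{2}.com/ domain pattern, the marker tokens that replace base64 ‘+’, ‘/’ and ‘=’, and the long or numerous labels that chunked payloads produce. The log line format, the timestamps, the client addresses and the benign queries are constructed for the example; the three suspicious query names are the ones shown on the slides (the query type of the long one is not on the slide, so it is logged as a plain A query here to show that the shape alone is enough to flag it).

```python
import re
from typing import List, NamedTuple


# Constructed log format for this example (ASSUMPTION): "<timestamp> <client> <qtype> <qname>"
class DnsQuery(NamedTuple):
    ts: str
    client: str
    qtype: str
    qname: str


def parse_line(line: str) -> DnsQuery:
    ts, client, qtype, qname = line.split()
    # keep the qname's case: the tunneled data is base64 and therefore case-sensitive
    return DnsQuery(ts, client, qtype.upper(), qname.rstrip("."))


# Indicators from the talk plus the generic shape of a tunneled query.
UNUSUAL_QTYPES = {"X25"}          # extend with any type that never appears in your baseline
DGA_RE = re.compile(r"^[a-z]{2}[0-9]{2}\.com$")
MARKER_RE = re.compile(r"-(?:11P|22L|33S|44L|55E|66Q|77A|88L|99S)")
LONG_LABEL = 40                   # thresholds chosen for the example
MANY_LABELS = 4


def score_query(q: DnsQuery) -> List[str]:
    """Return the list of indicators a single query matches (empty for ordinary traffic)."""
    labels = q.qname.split(".")
    base = ".".join(labels[-2:]).lower()
    sub = labels[:-2]
    reasons = []
    if q.qtype in UNUSUAL_QTYPES:
        reasons.append(f"unusual qtype {q.qtype}")
    if DGA_RE.match(base):
        reasons.append(f"base domain {base} matches /[a-z]{{2}}[0-9]{{2}}.com/")
    if sub and max(len(label) for label in sub) >= LONG_LABEL:
        reasons.append(f"label length >= {LONG_LABEL}")
    if len(sub) >= MANY_LABELS:
        reasons.append(f"{len(sub)} subdomain labels")
    markers = MARKER_RE.findall(q.qname)
    if markers:
        reasons.append(f"{len(markers)} base64 marker tokens")
    return reasons


def flag_tunneling(lines, min_reasons: int = 2):
    """Return (qname, reasons) for every line that matches at least min_reasons indicators."""
    hits = []
    for line in lines:
        q = parse_line(line)
        reasons = score_query(q)
        if len(reasons) >= min_reasons:
            hits.append((q.qname, reasons))
    return hits


# Constructed sample log: two benign lines, then the query names shown on the slides.
LONG_QUERY = ".".join([
    "7ZWPrs2G1tlcONzJnd68Kfb73DYaa0dOB68Dq5djUoy9UABYdFhtAeAaTW-22Lr",
    "1AjwSkBXvVhSlW31sveIvBTvk1TUHtcS6MRj87VIKkXTlQyFLTcP5Ck0FX-11P",
    "irbmr-11PhFWVXcPj2BjkAzRWryseAaDlLajqH7kjXjE4Y7fn4RIt-44LswTTX",
    "BZwPrcF-44LbLn5ZcgT",
    "ySADOwjSjha5-44L8kgAzvaIeJi",
    "ol68.com",
])
SAMPLE_LOG = [
    "2019-10-01T10:00:01Z 10.0.0.5 A www.example.com",
    "2019-10-01T10:00:02Z 10.0.0.5 TXT _dmarc.example.com",
    "2019-10-01T10:00:03Z 10.0.0.7 X25 70FLQwcAqHfxh-11PlBS0PvQUtD.ol68.com",
    "2019-10-01T10:00:04Z 10.0.0.7 X25 Fu-33S2umvUVm44Ezor-44Lrcw6w-88L-55E.FoVHKQklUbP97RaFRykL4c1H.ol68.com",
    "2019-10-01T10:00:05Z 10.0.0.7 A " + LONG_QUERY,
]

if __name__ == "__main__":
    for qname, reasons in flag_tunneling(SAMPLE_LOG):
        print(qname, "->", "; ".join(reasons))
```

Requiring two independent indicators keeps a single odd-looking CDN hostname from paging anyone, while the family's own traffic trips three or four at once; the thresholds are starting points to tune against your resolver's baseline.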