ptsecurity.com

Mlw #41: a new

sophisticated loader

by APT group TA505

Alexey Vishnyakov

ptsecurity.com

• Senior Specialist at Expert Security Center

• Threat Intelligence

• APT analysis

• Incident response support

• Speaker at infosec conferences (PHDays, AVAR)

Twitter: @Vishnyak0v

Agenda

• Intro

• PE packer

• Prep stage

• Persistence stage

• Payload stage

• C&C plugin stage

• Conclusion

Intro

A few words about group

and sample

Intro

TA505 cybercriminal group

• Since 2014

• More then half of the world targeted

• Huge toolkit: Dridex, Locky, ServHelper and dozens of other families

• Relations with other threat actors: Buhtrap, Silence

Intro

APT?

Sometimes … yes

Intro

• File size: 287440 bytes

• PE32 executable for MS Windows (console) Intel 80386 32-bit

• Microsoft Visual C++

• MD5: 58a875aeaa00ddb684349446ec9d36af

• SHA1: f6d3545a962e88e31365d9218460381d5265025d

• SHA256: d19a8ebbcd0dd9f1f438ac04d510270a135ba4c0c59f3f5eb92ae7e4ea5d8f71

• Imphash: e58e198778a2bd20fd323a8924987ccf

• SSDEEP: 6144:7xohcLcBrQsCSQ+Rd1f4kdn6PAScLl14aG3wUhJzM6rG8mb7+:7s5+sCcLdKM/6r3mbq

Intro

PE packer

First part:

TA505 related packer

PE packer

Useless

instructions before

the main logic

PE packer

“SUB-XOR-ROL7-XOR”

decoding routine

PE packer

Shellcode execution

struct ShellcodeArgs {

HMODULE hkernel32;

void *aEncodedBlob;

unsigned int nEncodedBlobSize;

unsigned int nBlobMagic;

unsigned int nBlobSize;

};

PE packer

Second stage shellcode at the beginning

PE packer

Payload reduction “from

5 to 3 bytes”

“SUB-XOR-ROL7-XOR”

decoding again

PE packer

aPLib decompression

(see FSG packer)

PE packer

Self-entry point

replacement in PEB

PE packer

Second part:

Custom packer

PE packer

C:\_SHARED\mlw41_DNSG\c_drop\Release\c_drop.pdb

PE packer

Custom XOR-based algorithm

PE packer

LZNT1 decompression

Compressed PE

Prep stage

Reconnaissance, DLL

imports, configuration

Prep stage

Self name: pld32.dll

One exported function for

relocation purposes

Prep stage

Determining OS version with

using

KUSER_SHARED_DATA

structure

Prep stage

https://www.geoffchap

pell.com/studies/wind

ows/km/ntoskrnl/struc

ts/kuser_shared_data

/index.htm

Prep stage

Bytes array: function offsets in SDT

Prep stage

eax ==

KeServiceDescriptorTable

index

Prep stage

# 2-bytes value API

0 15 00 NtAllocateVirtualMemory

1 1B 00 NtFreeVirtualMemory

2 52 00 NtCreateFile

3 0C 00 NtClose

4 03 00 NtReadFile

5 0E 00 NtQueryInformationFile

6 4F 00 NtResumeThread

7 50 01 NtSetContextThread

How it looked like in my VM

# 2-bytes value API

8 25 00 NtMapViewOfSection

9 47 00 NtCreateSection

10 34 00 NtOpenSection

11 30 00 NtOpenFile

12 4D 00 NtProtectVirtualMemory

13 33 00 NtQuerySystemInformation

14 3A 00 NtQueryAttributesFile

15 27 00 NtUnmapViewOfSection

Prep stage

FastSysCall in Wow64

Is it x86?

Direct function

invocation via syscall

Prep stage

IMHO: quality in the details

Prep stage

Auxiliary DLLs reading

via fast syscalls

Prep stage

DLL export table

parsing

Prep stage

Function hash calculation algorithm

Prep stage

Resolving function

addresses for

predefined

libraries via

hashes

Prep stage

Function hashes

Prep stage

IDA Python script for

functions resolving, part 1

[Hashes count, Hashes array

, Addresses array]

Prep stage

IDA Python script for

functions resolving, part 2

Prep stage

Bingo!

Prep stage

Check self name

hash against

blacklist

Prep stage

Get volume info

Prep stage

Check AV and

VM process

names

Prep stage

Self compression & encryption

Prep stage

Final recon & configuration structure

Persistence stage

Shellcode, injects, scripts,

tasks, anti DFIR

Persistence stage

Generate an intermediate shellcode

• 420 bytes

• Hardcoded shellcode

• 532 bytes

• Registry path

• Payload size

• ntdll major APIs relative addresses

Persistence stage

Shellcode

Config

Persistence stage

Persistence stage

Persistence stage

Persistence stage

ZwOpenProcess ->

InitializeProcThreadAttributeList ->

UpdateProcThreadAttribute ->

CreateProcessW

Persistence stage

Prepare thread

context with ROP

gadget in ntdll

Persistence stage

Inject via NtSetContextThread with ROP

Persistence stage

Dropping the script to a system

Persistence stage

Generating ps1 launcher

Persistence stage

Execute it finally

Persistence stage

JScript path construction

Persistence stage

JScript path construction

Persistence stage

JScript creating

MAC times?

Persistence stage

Extracting and assigning MAC timestamps from ntdll (Timestomping)

Persistence stage

AddressBook.js

Persistence stage

Task scheduling via COM interface

Persistence stage

Event log cleaning

Payload stage

Remember?

It’s just a loader…

Payload stage

GUID generating,

opening file mapping

Payload stage

Store the payload on disk and execute or …

Payload stage

… inject in msiexec via NtSetContextThread

Payload stage

… inject with LoadLibraryW, wups.dll and splicing

Payload stage

… inject with LoadLibraryW, wups.dll and splicing

Payload stage

Hooked functions

Payload stage

Encrypt and store a payload in registry

C&C plugin stage

C2 interaction, X25

requests, tunneling

C&C plugin stage

Decrypt and launch the plugin

C&C plugin stage

Seems that’s a real timestamp

C&C plugin stage

Encrypted config structure

C&C plugin stage

Encrypted config structure

“check” bytes

C&C plugin stage

Encrypted config structure

“check” bytes RC4 key

C&C plugin stage

Encrypted config structure

“check” bytes RC4 key

config size

C&C plugin stage

Encrypted config structure

“check” bytes RC4 key

config sizeencrypted config

C&C plugin stage

Decrypted config

<a>37.59.52.229</a><b>a12</b><c>zjs4zmhmr2ws</c><d>1</d>

C&C a new RC4 key

C&C plugin stage

Base64 encoding

C&C plugin stage

Symbols replaced in the request

‘+’ -> -11P || -22L

‘/’ -> -33S || -44L

‘=‘ -> -55E || -66Q || -77A || -88L || -99S

C&C plugin stage

Divide data into chunks Split via dots

C&C plugin stage

MD5 checksum generating and custom base64 encoding

C&C plugin stage

Domain name generation:

/[a-z]{2}[0-9]{2}.com/

C&C plugin stage

Header packet structure, 0x18 bytes

struct PacketHeader {

DWORD rand; // rand(0xAAAABBBB) + 0x11111111

BYTE num; // sequence number

BYTE zero; // usually zero, unknown

DWORD xored_volume_info; // volume_info ^ rand

DWORD xored_chunks; // chunks ^ rand

DWORD rand; // usually the same rand

};

C&C plugin stage

Hardcoded UDP request structure

C&C plugin stage

X25 DNS request type

C&C plugin stage

X25 RFC

https://tools.ietf.org/html/rfc1183

C&C plugin stage

70FLQwcAqHfxh-11PlBS0PvQUtD.ol68.com

ivMAAAEAzcW6xIrzAACK8wAA.ol68.com

C&C plugin stage

7ZWPrs2G1tlcONzJnd68Kfb73DYaa0dOB68Dq5djUoy9U

ABYdFhtAeAaTW-

22Lr.1AjwSkBXvVhSlW31sveIvBTvk1TUHtcS6MRj87VIK

kXTlQyFLTcP5Ck0FX-11P.irbmr-

11PhFWVXcPj2BjkAzRWryseAaDlLajqH7kjXjE4Y7fn4RIt-

44LswTTX.BZwPrcF-44LbLn5ZcgT.ySADOwjSjha5-

44L8kgAzvaIeJi.ol68.com

Header

Payload chunk

C&C plugin stage

…

C&C plugin stage

• Get all 6 chunks

• Join them “as is”

• Custom base64 decode

• RC4 decrypt

• Done!

C&C plugin stage

Fu-33S2umvUVm44Ezor-44Lrcw6w-88L-

55E.FoVHKQklUbP97RaFRykL4c1H.ol68.com

Fu-33S2umvUVm44Ezor-44Lrcw6w-88L-

55E.uI6dHQkl-44L7gn2biOnR2l6hdz.ol68.com

C&C plugin stage

… custom base64 decode -> MD5 hash of the payload

Why twice? …

C&C plugin stage

Payload in the response

Header Payload

C&C plugin stage

Malware config

MD5 checksum

again

Conclusion

In the end…

Conclusion

Similar one in Twitter

https://twitter.com/vk_intel/

status/117726976729780

6337

Conclusion

Proofpoint about Snatch

https://www.proofpoint.com/us/th

reat-insight/post/ta505-

distributes-new-sdbbot-remote-

access-trojan-get2-downloader

Conclusion

@tildedennis about

Snatch

https://github.com/tildedennis/ma

lware/blob/master/snatch_loader

/decrypt_cfg.py

Conclusion

The same key generation

Conclusion

Takeaways or blue team tips

• Everybody love tasks

• PowerShell/WScript processes and .ps1/.js files on disk

• msiexec and suspended processes

• Integrity control of system libraries (splicing is still alive)

Conclusion

Takeaways or blue team tips

• Control an execution flow? (ROP gadgets -> kBouncer -> JOP)

• Unusual request types and DNS tunneling

• A lightweight and qualitative trojan downloader is a stable trend

APT != targeted attack

Thank

you

ptsecurity.com

Thanks

for attention

Alexey Vishnyakov

avishnyakov@ptsecurity.com

@Vishnyak0v