Reverse Engineering Malware
Uploaded by securityxploded
Contents
APT Malware - Etumbot
Etumbot Cyber Espionage Campaign
Demo 1 – Sandbox Analysis of Etumbot dropper
Demo 2 – Reverse Engineering the Communications of Etumbot Backdoor
Demo 3 – Decrypting the Communications of Etumbot Backdoor
References
APT Malware - Etumbot
Used in APT/Cyber espionage/targeted attacks
Associated with Chinese cyber espionage group (Numbered Panda, APT12, Calc team)
Sent to targets via spear phishing email
Targeted government organizations in Taiwan and Japan
Drops decoy documents of interest to the Taiwanese and Japanese population
Also referred to as Exploz, Specfix and RIPTIDE
Etumbot Cyber Espionage Campaign
Demo 1
Sandbox Analysis of Etumbot dropper (5340.exe)
File system and Registry activity
The Etumbot dropper (5340.exe) drops another file, winlogdate.exe, which is the Etumbot backdoor. The malware also adds a registry entry so that the Etumbot backdoor persists on the system.
Network Activity
The Etumbot backdoor (winlogdate.exe) connects to the C2 server using two communication patterns.
First Communication Pattern
In the first communication pattern the malware receives a response from the C2 server. The response looks like an encoded string.
Second Communication Pattern
In the second communication pattern the malware sends a request that looks like a request to download an image file (.jpg), but the string before .jpg looks like an encrypted string. To understand these communication patterns, let's reverse engineer the Etumbot backdoor.
Demo 2
Reverse Engineering the Communications of Etumbot Backdoor (winlogdate.exe)
Reversing First Communication pattern
The Etumbot backdoor calls the function below. This function implements the first communication pattern and in turn calls multiple functions, as shown in the call graph below.
Reversing First Communication pattern (contd)
The malware uses the API call below to open an HTTP session with the C2 server (wwap.publiclol.com).
Reversing First Communication pattern (contd)
The Etumbot backdoor uses the API call below to create an HTTP request handle; the screenshot below shows the object the malware is going to request in the HTTP request.
Reversing First Communication pattern (contd)
The Etumbot backdoor uses the API call below to send the request, and the C2 server sends an encoded response back to the backdoor.
Reversing First Communication pattern (contd)
The Etumbot backdoor receives the encoded response from the C2 using the API below.
Reversing First Communication pattern (contd)
The Etumbot backdoor passes the received content to the custom base64 algorithm, which decodes it and extracts the RC4 key starting at offset 8. This RC4 key is used to encrypt subsequent communications. It can be deduced that the first communication pattern is used by the malware to receive the RC4 key from the attackers.
Reversing Second Communication pattern
The Etumbot backdoor calls the function below. This function implements the second communication pattern and in turn calls multiple functions, as shown in the call graph below.
Reversing Second Communication pattern (contd)
The Etumbot backdoor collects system information (hostname, username, IP and proxy details) and passes it to the RC4 function, along with the RC4 key retrieved from the first communication.
Reversing Second Communication pattern (contd)
The collected system information is encrypted with the RC4 key retrieved from the first communication. The screenshot below shows the RC4-encrypted system information.
Reversing Second Communication pattern (contd)
The RC4-encrypted system information is then passed to the custom base64 encoding function, as shown below.
Reversing Second Communication pattern (contd)
The RC4-encrypted system information is then encoded with the custom base64 encoding algorithm, as shown below.
Reversing Second Communication pattern (contd)
The base64-encoded string is then concatenated with /image/ and .jpg to form the final string, as shown below.
Reversing Second Communication pattern (contd)
The malware connects to the C2 server (wwap.publiclol.com) using the concatenated string as the HTTP request pattern.
Reversing Second Communication pattern (contd)
The malware sends the HTTP request as shown below. As you can see from the packet capture, the encrypted system information is sent to the attackers this way. Now we know how the malware decodes the RC4 key from the first communication and how that RC4 key is used to encrypt subsequent communications. We can write decryptors to extract the RC4 key and to decrypt the communications.
Demo 3
Decrypting the communications of Etumbot Backdoor (winlogdate.exe)
Python script – To extract RC4 key
The screenshot below shows the Python script (get_key.py), which takes the encoded response from the C2 server as input, decodes it and extracts the RC4 key.
Extracting RC4 key from C2 Response
The screenshot below shows the encoded response from the C2 server. This encoded response is given to the script, which decodes it and extracts the RC4 key.
Python script – to decrypt communications
The screenshot below shows the script that decrypts subsequent communications using the RC4 key obtained from the first communication.
Python script – to decrypt communications
The screenshot below shows the encrypted string. The script takes the encrypted string and decrypts it. The decrypted output is the information (hostname, username, IP, proxy details) collected from the system where the malware was run (in this case, the sandbox machine).
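The two decoders the slides show only as screenshots (get_key.py and the communication decryptor), reconstructed here as an added example that is not the presentation's own code. It assumes a URL-safe base64 alphabet as a placeholder for Etumbot's real custom table, which the slides do not give, and takes everything after offset 8 of the decoded C2 response as the RC4 key; the sample traffic is constructed, not captured.

```python
import base64

# Placeholder alphabet: the slides do not give Etumbot's custom base64 table, so this
# URL-safe variant stands in and must be swapped for the table recovered from the sample.
STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CUSTOM_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
KEY_OFFSET = 8  # the RC4 key starts at offset 8 of the decoded C2 response (per the slides)


def custom_b64decode(encoded: bytes) -> bytes:
    """Map the custom alphabet back to the standard one, restore padding, then decode."""
    std = encoded.translate(bytes.maketrans(CUSTOM_ALPHABET, STD_ALPHABET))
    return base64.b64decode(std + b"=" * (-len(std) % 4))


def custom_b64encode(raw: bytes) -> bytes:
    """Inverse of custom_b64decode; used here only to build constructed sample traffic."""
    std = base64.b64encode(raw).rstrip(b"=")
    return std.translate(bytes.maketrans(STD_ALPHABET, CUSTOM_ALPHABET))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # pseudo-random generation algorithm, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_rc4_key(c2_response: bytes) -> bytes:
    """First pattern (get_key.py): decode the C2 response, take the key from offset 8 on."""
    return custom_b64decode(c2_response)[KEY_OFFSET:]


def decrypt_beacon(url_path: str, key: bytes) -> bytes:
    """Second pattern: strip /image/ and .jpg, custom-base64-decode, then RC4-decrypt."""
    if not (url_path.startswith("/image/") and url_path.endswith(".jpg")):
        raise ValueError("not an Etumbot-style /image/<blob>.jpg request")
    blob = url_path[len("/image/"):-len(".jpg")].encode()
    return rc4(key, custom_b64decode(blob))


if __name__ == "__main__":
    key = b"constructed-key!"  # constructed: 8-byte header followed by the key
    response = custom_b64encode(b"\x00" * 8 + key)
    sysinfo = b"SANDBOX-PC|analyst|192.0.2.10|proxy=none"  # constructed sample
    beacon = "/image/" + custom_b64encode(rc4(key, sysinfo)).decode() + ".jpg"
    print(extract_rc4_key(response), decrypt_beacon(beacon, extract_rc4_key(response)))
```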
References
a) ARBOR Networks Report on Etumbot
http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/
b) FireEye's Blog post
http://www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html
Question & Answer
Thank you