BumbleBee a New Modular Backdoor Advanced From BookWorm

In March 2021, we investigated a backdoor with a unique modular architecture and named it BumbleBee because of a string embedded in the malware. In our latest investigations, however, we have found a controller application that expands its capabilities.
By: Vickie Su, Ted Lee, Nick Dai

September 02, 2022


In March 2021, we investigated a backdoor with a unique modular architecture and named it BumbleBee because of a string embedded in the malware. Its modular framework made static analysis harder, because we first had to rebuild its structure or fall back on dynamic analysis to understand its functionality and behavior.
Our analysis found that BumbleBee carries only a small amount of malicious code in its payload; on the surface, all it does is monitor keystrokes and clipboard content. Further investigation, however, revealed a controller application that expands the malware's capabilities.
This backdoor is similar to another one called BookWorm, from which it can be inferred that BumbleBee is a refactored version of BookWorm. At the time of writing, BumbleBee had only been deployed in Taiwan; together with its use of Simplified Chinese for its user interface, this malware is suspected to be deployed by malicious Chinese actors. This blog post covers BumbleBee's capabilities and our analysis of the backdoor.

BumbleBee is a modular backdoor that consists of two applications, a server and a client application (a master and a slaver application, respectively, in the malware's own jargon). Once the client application is deployed on the target computer (these are commonly local government devices), threat actors can control the machine through the server module. Let us take a deeper look into this backdoor.
Layered deployment – client application
We encountered the client application during a security breach incident. Its distinctive "layer-in-layer" architecture caught our attention. The module is a self-extracting file that contains three main components: a legitimate executable (XcrSvr.exe), the DLL it side-loads (XecureIO_v20.dll), and the shellcode binary file (ore) dropped in the file system; the chain starts by executing the legitimate executable.

Figure 1. Architecture of BumbleBee

Figure 2. Metadata of XcrSvr.exe

XcrSvr.exe is an executable from the XecureVistaCryptoSvr module developed by SoftForum. This file is abused to load the side-loaded DLL, XecureIO_v20.dll, which acts as the next-stage loader and executes the shellcode "ore," the main component of this backdoor. The shellcode contains several modules of its own (shown in Table 1). Every module except launcher.dll is present in both a 32-bit and a 64-bit binary inside the shellcode.

| Name | Description |
| --- | --- |
| launcher.dll | The first-stage launcher that loads all the following modules. It decrypts a list of modules in memory and executes each in order. |
| kernel.dll | The utility component that controls all the other modules. |
| installer.dll | The module used to install components on the compromised machine. |
| keylog.dll | The keylog component monitors the victim's keystrokes and clipboard content and records victim actions such as running a process, entering a password, and getting the text of a window. The stolen data is XORed with the two-byte key 0xF29D and saved under %temp%\kb[UserName], with the timestamp used as the file name. |
| loader.dll | The module that reads the shellcode. |
| slaver.dll | The main module that interacts with the other methods once the backdoor is launched. |

Table 1. BumbleBee's modules
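As an added forensic example (not Trend Micro's or the malware's code), the following decodes a recovered keylog file using the XOR scheme described for keylog.dll above: a repeating two-byte key 0xF29D. The byte order of the key on disk is an assumption, so both orders are tried and the more readable result is kept; the sample record is constructed.

```python
r"""Decode a BumbleBee keylog file (added example, not Trend Micro's or the
malware's code). keylog.dll XORs the captured keystrokes and clipboard text
with the two-byte key 0xF29D before saving the file under %temp%\kb[UserName].
The byte order of the key on disk is an assumption, so both orders are tried.
"""
import itertools

KEY_WORD = 0xF29D


def xor_two_byte(data: bytes, key_word: int = KEY_WORD, big_endian: bool = True) -> bytes:
    """XOR data with a repeating two-byte key; the same call encodes and decodes."""
    key = key_word.to_bytes(2, "big" if big_endian else "little")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or whitespace (decode heuristic)."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def decode_keylog(blob: bytes) -> tuple:
    """Return (plaintext, byte_order) for the key order that yields readable text."""
    candidates = {
        "big": xor_two_byte(blob, big_endian=True),
        "little": xor_two_byte(blob, big_endian=False),
    }
    order = max(candidates, key=lambda k: printable_ratio(candidates[k]))
    return candidates[order], order


# Constructed sample record, encoded here so the example runs without a real
# kb file; it stands in for the content of one timestamp-named file.
SAMPLE_PLAINTEXT = (b"[2022-09-02 10:15:03] notepad.exe | quarterly-report.txt\r\n"
                    b"clipboard: meeting moved to 15:00\r\n")
SAMPLE_ENCODED = xor_two_byte(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    text, order = decode_keylog(SAMPLE_ENCODED)
    print(order, text.decode("ascii", "replace"))
```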
When a victim is compromised for the first time, launcher.dll loads and launches all the other modules. The installer module is responsible for installation and for establishing persistence on the compromised machine through the following steps:

Drop a copy of XecureIO_v20.dll in the %APPDATA%\LOCAL\TEMP folder.
Encrypt the original shellcode file (saved as a "bin" file) and the path information (saved as a "path" file) with the RC4 algorithm, using as key the value of "ProductID" from "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Registration".
Drop bpu.dll (used to bypass UAC) and launch it with rundll32.exe.
Establish persistence on the compromised machine.
Delete the original SFX file.

Notably, when XecureIO_v20.dll is loaded by XcrSvr.exe, it checks whether its parent process is "XcrSvr.exe." If so, it patches the entry point of XcrSvr.exe with a long jump instruction to redirect the execution flow to the malicious code.

Figure 3. XecureIO_v20.dll hooks its parent process' entry point

Figure 4. The original entry point

Figure 5. The patched entry point

Based on our analysis, we think the reason is that the malicious code embedded in XecureIO_v20 would not run if the normal execution flow of XcrSvr.exe were followed. Hence, once XecureIO_v20.dll is loaded by XcrSvr.exe, it patches the entry point of XcrSvr.exe and jumps to the address of the malicious code to make sure that code is executed.

After the client is installed and persistence is established, the loader, XecureIO_v20.dll, retrieves the value of "ProductID" from the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Registration" and uses it as the key to decrypt the encrypted payload (the file "bin") dropped during the first installation. Using information from the compromised machine as the key that encrypts the payload makes it much harder for analysts to decrypt and debug the malware in an analysis environment.

| File name | Description |
| --- | --- |
| path | An RC4-encrypted path string used to find the location of the next-stage shellcode. It can be a file path or a registry path starting with HKLM or HKCU. |
| bin | The next-stage RC4-encrypted shellcode payload. |

Table 2. Payload file names
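The environmental keying described above can be reproduced for analysis. The following is an added example (not Trend Micro's or the malware's code) that reads ProductID from the registry on a Windows host and RC4-decrypts the dropped "path" and "bin" files; the same RC4 routine applies to the C&C traffic described later. Treating the key as the raw ASCII ProductID string is an assumption, and the ProductID, path and shellcode used as sample input are constructed.

```python
r"""RC4 decryption of BumbleBee's dropped "path" and "bin" files (added
example, not Trend Micro's or the malware's code). The key is the ProductID
string from HKLM\SOFTWARE\Microsoft\Internet Explorer\Registration, so the
payload only decrypts with a value read from the compromised host. Treating
the key as the raw ASCII ProductID string is an assumption.
"""
import sys

REG_PATH = r"SOFTWARE\Microsoft\Internet Explorer\Registration"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); encryption and decryption are the same."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def read_product_id():
    """ProductID from the live registry on Windows; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard library module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_PATH) as key:
        return winreg.QueryValueEx(key, "ProductID")[0]


def decrypt_dropped_files(product_id: str, path_blob: bytes, bin_blob: bytes):
    """Recover the next-stage location string and the shellcode bytes."""
    key = product_id.encode("ascii")
    return rc4(key, path_blob).decode("utf-8", "replace"), rc4(key, bin_blob)


# Constructed sample: a fake ProductID and fake plaintexts, encrypted here so
# the example runs offline. On a real host, pass read_product_id() instead.
SAMPLE_PRODUCT_ID = "00000-000-0000000-00000"          # constructed value
SAMPLE_PATH = r"HKCU\Software\Example\Stage2"          # hypothetical registry path
SAMPLE_SHELLCODE = bytes.fromhex("4883ec28e800000000")  # placeholder bytes
ENC_PATH = rc4(SAMPLE_PRODUCT_ID.encode(), SAMPLE_PATH.encode())
ENC_BIN = rc4(SAMPLE_PRODUCT_ID.encode(), SAMPLE_SHELLCODE)

if __name__ == "__main__":
    print(decrypt_dropped_files(SAMPLE_PRODUCT_ID, ENC_PATH, ENC_BIN))
```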
Expanded control – server application
Because of the complexity of BumbleBee's client application, it took us some time to fully analyze its functionality. While doing so, we came across the server application of the malware, which acts as a controller. This gave us a further understanding of how BumbleBee works.

Once the client application is running on the infected machine, it communicates with the server application and reports information about the machine it is on. Details such as computer name, external IP address, geographic location, OS, CPU, and memory are collected by the client application.

Figure 6. Connection established

Figure 7. Built-in options in the server application

Based on the options in the server application shown in Figure 7, we can determine that it supports the following functions for controlling the compromised machine:

| Function | Description |
| --- | --- |
| 文件管理 (File management) | Upload/download/delete/list files in the victim's environment |
| 屏幕控制 (Remote desktop control) | Control the victim's desktop remotely |
| 进程管理 (Process management) | List and manage running processes with their image names, current folder, process ID and parent process ID |
| 服务管理 (Service management) | List and manage the status of existing services |
| 注冊表编辑 (Registry editor) | List and manage the victim's registry keys |
| 控制台命令 (Command shell) | Execute the command shell |
| 交互式控制台 (Interactive console) | Execute the command shell |
| 反向代理 (Reverse proxy) | Reverse proxy to help expose a local server behind a NAT or firewall to the internet |
| 键盘记录 (Keylogger) | Log keystrokes and clipboard contents |

Table 3. Supported functions
BumbleBee's modular framework lets it embed only a small amount of malicious code, the keystroke and clipboard stealing, in the client's shellcode. It can, however, expand its capabilities through the server application by loading additional modules. This design shows that BumbleBee is flexible, allowing its developers to focus on developing additional modules instead of having to rebuild the malware itself. The structure also reduces the risk of exposing the malware and its modules to analysts for comparison.

BumbleBee communicates over HTTP. It first sends an HTTP request that acts as a network beacon to notify the command-and-control (C&C) server. A POST request to the URL http://<C&C server>/update/ is the initial network beacon. Once the first connection is established successfully, the client application sends information about the compromised machine, encrypted with RC4 (see Figure 8 and Figure 9). All other traffic between the server and client applications, apart from the victim information, is encrypted with RC4 and compressed with the LZO (Lempel–Ziv–Oberhumer) algorithm.
To make sure a received payload is intact, BumbleBee verifies it with a CRC32 checksum in reversed-representation mode. The CRC32 calculation uses a self-defined value, "20200105", as the initial value (normally the initial value is 0xFFFFFFFF).
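The non-standard checksum is easy to reproduce once the parameters are known. The following added example (not Trend Micro's or the malware's code) implements the reflected CRC-32 with BumbleBee's initial value alongside the standard one, so an analyst can confirm which variant a captured message used. "20200105" is read here as a decimal number (the blog quotes it without a radix), and keeping the final XOR with 0xFFFFFFFF is an assumption exposed as a parameter.

```python
"""CRC32 as BumbleBee applies it to received payloads (added example, not
Trend Micro's or the malware's code). The reversed-representation CRC-32
(polynomial 0xEDB88320) is the usual table-driven form; BumbleBee only
changes the initial register value from 0xFFFFFFFF to its own constant
"20200105", read here as a decimal number (assumption). Whether the final
XOR with 0xFFFFFFFF is kept is also an assumption, hence the parameter.
"""

BUMBLEBEE_INIT = 20200105
STANDARD_INIT = 0xFFFFFFFF
POLY_REFLECTED = 0xEDB88320  # reversed representation of 0x04C11DB7


def _build_table():
    """Byte-at-a-time lookup table for the reflected polynomial."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY_REFLECTED if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _build_table()


def crc32_custom(data: bytes, init: int = BUMBLEBEE_INIT, final_xor: int = 0xFFFFFFFF) -> int:
    """Table-driven reflected CRC-32 with a caller-chosen initial value."""
    crc = init & 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return (crc ^ final_xor) & 0xFFFFFFFF


def crc32_standard(data: bytes) -> int:
    """Ordinary CRC-32 (same result as zlib.crc32), for comparison."""
    return crc32_custom(data, init=STANDARD_INIT)


def verify_payload(payload: bytes, expected_crc: int, **crc_kwargs) -> bool:
    """True if the payload's BumbleBee-style checksum matches the value sent with it."""
    return crc32_custom(payload, **crc_kwargs) == expected_crc


if __name__ == "__main__":
    sample = b"constructed payload"  # stands in for a decrypted, decompressed message
    print(hex(crc32_standard(sample)), hex(crc32_custom(sample)))
```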

Figure 8. Encrypted information about the compromised machine

Figure 9. Decrypted information (by RC4)

During the investigation, we found that BumbleBee uses several techniques for persistence, chosen according to its configuration. These are the techniques used by the BumbleBee sample we found:

Abuse a registry Run key to execute the malware again at every system boot
Create Windows services to repeatedly execute the malicious payloads
Use Windows logon scripts, which run automatically at logon initialization, by adding the registry value "UserInitMprLogonScript" under HKEY_CURRENT_USER\Environment

Because of its distinctive modular structure and installation procedure, we carried out a literature review to clarify whether this is an exclusive tool used by a particular threat actor. We found a similar backdoor, "BookWorm," published by Palo Alto in 2015. The two share the following features:

Both are self-extracting files and abuse legitimate executables to load custom malware.
Both use the same registry value as the RC4 encryption key to encrypt their payload.
Both are designed around a modular architecture.
Both appeared in Southeast Asia, targeting local government-related organizations (similar victimology).
Both use RC4 and LZO algorithms in C&C communications (similar network protocol).

We think BumbleBee is likely a refactored BookWorm backdoor. They share similar tactics, techniques, and procedures (TTPs), a distinctive encryption technique, and similar target sectors. Based on the language (Simplified Chinese) shown in the server application, we suspect that BumbleBee's origins and developers may be in China and of Chinese descent.

Since BumbleBee and BookWorm share the same features, BumbleBee is likely a refactored form of the latter. Focusing on Asian local government targets, all indications point to a suspect linked to a Chinese hacker group.
BumbleBee, being a modular framework, is not only flexible but sophisticated, as it requires analysts to investigate its structure and behavior. Another aspect of a modular framework is that its developers can easily keep building additional modules, since these can simply be integrated with the existing version of the malware.
With its modular capabilities, the threat may deploy additional modules that could prove dangerous. Thus, an advanced layer of protection and fast detection are required to prevent the backdoor from taking root in the system. Trend Micro Vision One™ offers both across the different entry points of a backdoor.


C&C:
http[:]//www[.]synolo[.]ns01[.]biz:80/update
http[:]//118[.]163[.]105[.]130:80/update

| Tactic | Technique |
| --- | --- |
| Defense Evasion | T1574.002 – Hijack Execution Flow: DLL Side-Loading |
| | T1070.004 – Indicator Removal on Host: File Deletion |
| | T1055 – Process Injection |
| | T1480.001 – Execution Guardrails: Environmental Keying |
| Persistence | T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| | T1037.001 – Boot or Logon Initialization Scripts: Logon Script (Windows) |
| | T1548.003 – Create or Modify System Process: Windows Service |
| Privilege Escalation | T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control |
| Collection | T1056.001 – Input Capture: Keylogging |
| Reconnaissance | T1592 – Gather Victim Host Information |
| Command and Control | T1071.001 – Application Layer Protocol: Web Protocols |
| | T1090 – Proxy |
| | T1573.001 – Encrypted Channel: Symmetric Cryptography |
| | T1132.001 – Data Encoding: Standard Encoding |
| Resource Development | T1587.001 – Develop Capabilities: Malware |
