Raspberry Robin Malware Targets Telecom, Governments

We noted layers 3 and 5 as capable of anti-analysis techniques. Meanwhile, we found that not all layers have unique packers. The fourth and seventh layers are identical, as are the tenth and thirteenth. The packing of the eighth and fourteenth layers is also similar. This repeated use of packers implies that the group is using a separate packing program. We are continuing our analysis to see whether this program is their own or is outsourced to other groups, as this program will be indicative of the group's future use of these same packers. It is also possible for these same packers to be replaced with variations in patterns.
On layer 8, the payload loader, the execution splits into two paths. If the malware detects that it is being analyzed, it loads the fake payload. Otherwise, it loads the real payload.
Fake payload
The fake payload has two layers, the first of which is a shellcode with an embedded PE file, while the second layer is a PE file with the MZ header and PE signature removed. The second layer is loaded by the first layer, which then jumps into it.
Upon execution, the second layer immediately creates a thread where its main routine is located. It first attempts to read the registry value named “Active” at <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Media>. This serves as an infection marker. If the read fails, it proceeds to write the string value “1” into this registry value, then gathers system information: the computer name, current username, processor model, and display device names. In some versions of the fake payload, the data is encrypted using RC4 with a hard-coded key. The system information is then appended to the URL http[:]//{IP address}:8080/. The full URL is then accessed, and a file is downloaded. In some versions of the malware, this downloaded file is also executed.
Analyzing other sample versions of the fake payload, we found that if the main routine is successful, it checks whether the system is joined to a domain by checking for the existence of the environment variable USERDNSDOMAIN. If this variable does not exist, it drops and executes an adware named BrowserAssistant to %User Temp%\{random number}.exe, likely to make an analyst feel complacent about allegedly having already found the payload and therefore not needing to conduct further study of the samples.
Real payload
The real payload is made up of three layers, with the third layer containing the actual payload binary packed twice. Inside the real payload is an embedded custom Tor client designed to communicate with the real payload using shared memory.
Installation
Its method for checking whether the malware has been installed on the system involves checking whether it is running in Session 0. Prior to Windows Vista, services were run in the session of the first user to log in to the system, which is called Session 0. However, from Windows Vista onward, Microsoft introduced a security enhancement called “Session 0 Isolation,” where Session 0 is reserved for services and other non-interactive user applications.
With this security enhancement in mind, the threat actor confirms whether the user profile is running with administrative privileges or not. If it is not in Session 0, it drops a copy of itself in <%ProgramData%\{random folder name}\{random file name}.{extension}> to elevate privileges, or <%ProgramData%\Microsoft\{random folder name}\{random file name}.{extension}> if the user is running as an admin. In this way, a security analyst would view the malicious routine as having been started and run by a legitimate Windows process, allowing the routine to evade detection. The extension name is randomly chosen among the following:

.bak
.dat
.db
.dmp
.etl
.idx
.json
.lkg
.lock
.log
.man
.tmp
.txt
.vdm
.xml
.xsd

It also sets the following registry entry to enable its automatic execution at system startup. If the user is not at an admin level, the malware modifies the registry with
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\{random value name} = “rundll32 shell32 ShellExec_RunDLLA REGSVR /u /s “{dropped copy path and file name}.””
Conversely, if the user's profile has admin privileges, the registry is modified with
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\{random key name}\{random value name} = “shell32|ShellExec_RunDLLA|REGSVR /u /s “{dropped copy path and file name}.””
Privilege escalation
After dropping a copy of itself, it executes the dropped copy as Administrator using a UAC (User Account Control) bypass technique. It implements a variation of the technique ucmDccwCOMMethod in UACMe, thereby abusing the built-in Windows AutoElevate backdoor.
It first checks whether atcuf32.dll, aswhook.dll, and avp.exe are loaded in the system. These files belong to the security products BitDefender, Avast, and Kaspersky, respectively. If one of these is loaded, it does not proceed to the UAC bypass routine. It then drops a shortcut file to <%User Temp%\{random file name}.lnk> that contains the command line
rundll32.exe SHELL32,ShellExec_RunDLL “C:\Windows\system32\ODBCCONF.EXE” /a {configsysdsn OCNKBENXGMI etba odjcnr} /A {installtranslator fxodi} -a {installdriver qmprmxf} /a {configsdn HHAP} regsvr “{dropped copy path and file name}.” /S /e -s
It then creates an elevated COM object for CMLuaUtil and uses it to set a custom display calibrator in the registry that points to the dropped LNK file. It sets the custom display calibrator by setting the registry value
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration\DisplayCalibrator = “%User Temp%\{random file name}.lnk”
It then creates an elevated COM object for ColorDataProxy and calls its method “LaunchDccw” to load the calibrator, thus executing the malicious LNK. Afterward, it sets the registry value DisplayCalibrator back to “%SystemRoot%\System32\DCCW.exe” to hide its activity.
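Both the RunOnce/RunOnceEx persistence entries described under Installation and the DisplayCalibrator hijack described here leave a registry write that defenders can hunt for. The following is an added example, not code from the original article: it runs two detection rules over constructed Sysmon-style registry-value-set records (Event ID 13) whose paths and value names are made up for illustration.

```python
import re

# Constructed Sysmon-style "registry value set" records (Event ID 13); not real telemetry.
SAMPLE_EVENTS = [
    {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\kqzx",
     "Details": r'rundll32 shell32 ShellExec_RunDLLA REGSVR /u /s "C:\ProgramData\mnop\qrst.dat."'},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\abcd",
     "Details": r'shell32|ShellExec_RunDLLA|REGSVR /u /s "C:\ProgramData\Microsoft\wxyz\uvw.lkg."'},
    {"TargetObject": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration\DisplayCalibrator",
     "Details": r"C:\Users\a\AppData\Local\Temp\fgh.lnk"},
    {"TargetObject": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration\DisplayCalibrator",
     "Details": r"%SystemRoot%\System32\DCCW.exe"},
    {"TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater",
     "Details": r'"C:\Program Files\Vendor\update.exe" /silent'},
]

RUNONCE_KEY = re.compile(r"\\CurrentVersion\\RunOnce(Ex)?\\", re.IGNORECASE)
# Matches both forms seen in the article: "rundll32 shell32 ShellExec_RunDLLA REGSVR /u /s ..."
# under RunOnce and "shell32|ShellExec_RunDLLA|REGSVR /u /s ..." under RunOnceEx.
SHELLEXEC_REGSVR = re.compile(r"ShellExec_RunDLL.*\bREGSVR\s+/u\s+/s\b", re.IGNORECASE)
CALIBRATOR_VALUE = re.compile(r"\\ICM\\Calibration\\DisplayCalibrator$", re.IGNORECASE)


def classify(event):
    """Return a detection name for one registry-value-set event, or None if nothing matches."""
    target, data = event["TargetObject"], event["Details"]
    if RUNONCE_KEY.search(target) and SHELLEXEC_REGSVR.search(data):
        # A RunOnce(Ex) entry that runs REGSVR /u /s through the ShellExec_RunDLL export.
        return "runonce_shellexec_regsvr"
    if CALIBRATOR_VALUE.search(target) and not data.lower().endswith("dccw.exe"):
        # Any calibrator other than the stock DCCW.exe is a hijack of the LaunchDccw path;
        # the later reset to DCCW.exe (event 4 above) is deliberately not flagged.
        return "display_calibrator_hijack"
    return None


def scan(events):
    """Return (detection, TargetObject) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        name = classify(ev)
        if name:
            hits.append((name, ev["TargetObject"]))
    return hits


if __name__ == "__main__":
    for name, target in scan(SAMPLE_EVENTS):
        print(f"{name}: {target}")
```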
Main routine
Running in Session 0, the real payload attempts to connect to the hard-coded Tor addresses, where the connections are made in another process. For the real payload to exchange information with the Tor-connecting process, a shared named memory map is created with the following format:
