Operation Cleaver: Net Crawler

In our recently released report on Operation Cleaver, we detailed a number of malware families developed and used by the Cleaver team. In order to avoid writing a report that even the most dedicated readers would be unable to finish, we decided to instead host a number of these analyses as blog posts. Previously, Derek Soeder covered the Notepad files. In this post, I will cover the Active Directory worm Net Crawler, also known as NetC.

NetC

NetC is a tool developed in C# and has been observed being obfuscated with SmartAssembly, which is a tool used by legitimate businesses as well as .NET malware authors. Both known samples of NetC were compiled in April and May of 2013. It has the capability to run commands on all computers in the domain with credentials extracted from the initially compromised host. This capability allows it to operate as a utility for pivoting once a computer on the network has already been compromised. It also has the functionality to spread to other computers in the network, and then call itself again, worming throughout the network, returning harvested credentials and command results.

Public Tools

In order to spread, NetC utilizes a number of publicly available tools. PsExec is used to execute commands on other computers in the domain utilizing credentials extracted from the infected computer.
These credentials are extracted using Mimikatz, a penetration tester tool which extracts cached credentials as well as many other features (including cheating at Minesweeper). Multiple versions of Mimikatz are stored inside managed resources in the NetC executable, so the correct version can be executed depending on the CPU architecture. CPU architecture is determined purely on the existence of the "SysWOW64" directory.

Out of all the features of Mimikatz, only the "sekurlsa::kerberos" mode is utilized, which attempts to gather credentials used for Active Directory. It then attempts to parse the results of this command with the following code.


public List<Credential> ParseCredentials(string resultString)
{
    List<Credential> users = new List<Credential>();
    string user = "";
    string domain = "";
    string password = "";
    string[] lines = str.Split(new string[] { "\r\n", "\n" }, StringSplitOptions.None);
    foreach (string line in lines)
    {
        if (line.IndexOf(" * U") >= 0)
        {
            user = line.Substring(line.IndexOf(":") + 2);
        }
        if (line.IndexOf(" * Domain : ") >= 0)
        {
            domain = line.Substring(line.IndexOf(":") + 2);
        }
        if (line.IndexOf("* Password : ") >= 0)
        {
            password = line.Substring(line.IndexOf(":") + 2);
            if (user.Equals("(null)"))
            {
                user = "administrator";
            }
            Credential class2 = new Credential(user, domain, password);
            if (!this.IsAlreadyInList(users, class2))
            {
                users.Add(class2);
            }
        }
     }
     return users;
}





Given that the known samples were developed in 2013, the versions of Mimikatz included with these samples are no longer able to extract cached credentials from a fully patched Windows system. The Cleaver team could potentially have updated the versions of Mimikatz included in more recent samples if they continued to develop NetC although there currently is no evidence that they have.

ASCII Art

Somewhat deviating from the Cleaver team's style, both known versions of NetC displayed ASCII art banners when executed. This visual flair is not something we saw often in other tools, but only in NetC, which was developed by "kaJ". In the sample compiled on April 23rd, 2013, we see the following ASCII art.

NetC 1.0 ASCII Art "Zh0up!n"

This ASCII art says "Zh0up!n", a 1337 speak representation of Zhoupin. We believe this to be an alternative name for the group. In the version compiled on May 28th, 2013 we saw the ASCII art abbreviated.

NetC 2.8 ASCII Art (Zh0)

Observed Uses

In following the Cleaver campaign, we were able to see various tools of theirs being used in a variety of ways, NetC was not their most preferred of ways. As mentioned before, we were only able to recover two different samples for NetC, both compiled in April and May of 2013. These versions were recovered from anonymous FTP servers as well as observed during IR engagements. In the IR engagements, it was determined that NetC was downloaded from external FTP servers to already compromised hosts, and then used to gather information from other computers on the network.

We were able to recover a testing configuration from an anonymous FTP server utilized by the Cleaver team which gave us more detail on its developer. This configuration contained details of the local network that NetC was being developed and tested on. The NetC configuration also includes commands to be executed on newly infected machines, and the results are logged.


[UserPass]
test\administrator=Admin123
DEV-CASTLE\kaJ:oaolrJ@vad

[ForceIPList]
192.168.222.*,!192.168.100.*
!192.168.22.22

[Shares]
Root=\\192.168.111.2\myshare$,\\192.168.222.5\myshare$
Parent=\\192.168.111.1\myshare$

[command]
!EXTR=mycmd.bat
!cmd.exe=/c [TEMPFOLDER]\mycmd.bat>outrep
Wmic.exe::8000=logicaldisk get size,freespace,caption,volumename>outrep
cmd.exe=/c dir c:\




From this, we can see that the user "kaJ" is on the computer named "DEV-CASTLE". When analyzing the deobfuscated and decompiled versions of NetC, we can see that "DEV-CASTLE" is also hard coded into NetC.


private static bool isAlreadyInfected()
{
    if (Environment.MachineName.ToLower() != "dev-castle")
    {
        object obj2 = Registry.GetValue(CredentialLoggingClass.infectedRegistryKey, CredentialLoggingClass.RegistryKeyName, "");
        if (obj2 == null)
        {
            Registry.SetValue(CredentialLoggingClass.infectedRegistryKey, CredentialLoggingClass.RegistryKeyName, @"%SYSTEM%\calc.exe");
            return false;
        }
        if (obj2.ToString() == @"%SYSTEM%\calc.exe")
        {
            return true;
        }
        Registry.SetValue(CredentialLoggingClass.infectedRegistryKey, CredentialLoggingClass.RegistryKeyName, @"%SYSTEM%\calc.exe");
    }
    return false;
}






This code is used to determine if the computer being executed on is already infected. If the name of the computer is "DEV-CASTLE", then it is to be treated as if it is not already infected. A computer is marked as infected by a registry key. This key can be changed partially by a command line parameter. In order to determine if a computer has been infected, search all the keys in "HKEY_LOCAL_MACHINE\Software\Microsoft\Direct3D\" for the value "%SYSTEM%\calc.exe". Disabling this detection would be useful to the developer working on this malware so they would not need to disinfect their test victim computer. Granted, most competent developers would be using virtual machines instead.

We were also able to recover a number of results from the anonymous FTP servers which stored compromise data. These results include credentials extracted from a thoroughly compromised Pakistani airline NetC result files from the Pakistani airline on two different internal networks, both of which used the four-letter abbreviation of its name as the domain administrator password.

Functionality

While not as feature rich as a tool such as TinyZBot, NetC is still quite useful allowing for a wide range of controls. Like many other tools, it requires the first argument to be "opensesemi", which was likely a failed attempt at the phrase "open sesame".

Command Line Flags

This is not the only command line flag in use, and since the Operation Cleaver team appeared to have a separation of duty, it makes sense they would have a README document. As luck would have it, we recovered a README document for NetC.


/f
for first Run and read Configs from "LanConfig.ccfg"

/noc
"No Check" for last Run (from Reg Key).

/nec
it means: Not Encoded Config File

/nomove
don't move exe file to %appdata%. 

/mp:
max ping IP counts.
Example : /mp:10 ----> then check only 10 IP in range.

/sout
print save out folders. (only and exit)

/dbg
Run in Debug mode and save Log to Windows Temp Folder.

/reg:
registry key for unique run and remote validation.
Example : /reg:LastItem_4

/fast
run crawler in fast mode

/dinfo
get drives info and add to last report.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
In Configuration File :
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

[command]
cmd.exe="/c dir c:\"
cmd.exe=/c Wmic logicaldisk get size,freespace,caption,volumename
Wmic.exe=logicaldisk get size,freespace,caption,volumename

[command]
EXTR=mycmd.bat
cmd.exe=/c [TEMPFOLDER]\mycmd.bat >outrep





The documentation has somewhat poor English, it’s not particularly verbose, and in some cases just flat out wrong, but still somewhat informative. Here's a more accurate run down of the command line flags.

    - /f - Enables reading of a configuration from LanConfig.ccfg. This configuration is needed for the first instance of NetC to run.

    - /noc - If this flag is supplied, NetC will not check if the host machine is already infected. This would be useful for running NetC multiple times as well as useful for development/debugging.

    - /dinfo - Gathers information about local hard drives. This request is passed on to the following infection instances.

    - /sout - Prints out the directories NetC will use when it executes, then exits. This would be useful if the user was unaware of where output would go.

    - /fast - Limits port scanning during host discovery to only TCP port 445, and increases the maximum number of threads from 30 to 121.

    - /reg - Modifies the registry key name used to identify if a machine is already infected.

    - /write - Writes "Hello new system !! ;) \r\n" to "Crw.txt".

    - /dbg - Saves log file for debugging purposes.

The following command line flags have no effect on functionality but are referenced in either the code or in the README:

    - /nec
    - /nomove
    - /kp
    - /mp

Host Discovery

In order to spread to other hosts, NetC needs to find other hosts which it may be able to authenticate with. To do this, NetC port scans the local IP range for the following TCP ports:

    - 139
    - 389
    - 445
    - 3389

Created Shares

During the spreading process, NetC will create a network share in order to receive the reports from all infected computers. This share has the following naming scheme:

    {MachineName}_AutoShare$





This share is mapped to the following directory:

    {System32}\temp\Links

This share is deleted once the NetC instance is done executing.

Resource Modification

When spreading to another machine, instead of sending a new configuration file, NetC copies itself and adds a resource named "CONFIG" that contains the configuration details. When NetC is unable to locate a configuration file, it will check its resources. This resource based configuration code is also shared with TinyZBot.

Spreading

With the credentials it has gathered from the first infected host, it will attempt to brute force authentication with other computers on the domain by using PsExec. Once it obtains access to another machine, PsExec copies over the modified NetC executable, and runs it. The new NetC instance runs off its resource configuration. This action continues recursively. Once it is complete, it will return its results to its parent infection via the network share mentioned above. A weapon like this could very quickly bring a poorly administered network to its knees. 

Conclusion

NetC is one of the many applications developed and used by the Cleaver team. It utilizes public tools like Mimikatz and PsExec in order to worm through networks, gathering credentials and information from compromised machines. Known samples would be ineffective on Windows installations that are up to date on patches. CylancePROTECT detects and blocks the execution of NetC, not to mention CylancePROTECT's memory protection detects and blocks the method used by Mimikatz in order to gain access to cached credentials. 

Samples

650f143ac0a668536b6750a628ec51e7ca28f5520105eeb87308f557cd74e63c
ac272bd9701c5d9cb7e8d1a4e2a191a894e98aa463fb17628c52da16612627d8