reverse engineering malware
TRANSCRIPT
Reverse Engineering Malware
Who AM I
Monnappa K A Member of Cysinfo Info Security Investigator @ Cisco Focus on Threat Intelligence Reverse Engineering, Malware Analysis, Memory Forensics Email: [email protected] Twitter: @monnappa22 Blog: http://malware-unplugged.blogspot.in Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
APT Malware - Etumbot
Etumbot Cyber Espionage Campaign
Demo 1 – Sandbox Analysis of Etumbot dropper
Demo 2 – Reverse Engineering the Communications of Etumbot Backdoor
Demo 3 – Decrypting the Communications of Etumbot Backdoor
References
Contents
APT Malware - Etumbot
Used in APT/Cyber espionage/targeted attacks
Associated with Chinese cyber espionage group (Numbered Panda, APT12, Calc team)
Sent to targets via spear phishing email
Targeted government organizations in Taiwan and Japan
Drops decoy documents of interest to Taiwanese and Japanese population
Also referred to as Exploz, Specfix and RIPTIDE
Etumbot Cyber Espionage Campaign
Demo 1
Sandbox Analysis of Etumbot dropper(5340.exe)
File system and Registry activityEtumbot dropper (5340.exe) drops another file winlogdate.exe (which is Etumbot backdoor). The malware also adds a registry entry so that Etumbot backdoor can persist on the system
Network ActivityEtumbot Backdoor (winlogdate.exe) connects to the C2 server with two communication patterns
First Communication Pattern
In the first communication pattern the malware receives response from the C2 server. The response looks like an encoded string
Second Communication PatternIn the second communication pattern the malware sends a request, which looks like a request to download an image file (.jpg), but the string before .jpg looks like an encrypted string. In order understand these communication patterns, lets reverse engineer the Etumbot backdoor
Demo 2
Reverse Engineering the Communications ofEtumbot Backdoor (winlogdate.exe)
Reversing First Communication patternEtumbot Backdoor calls the below function. This function implements the First Communication pattern, this function calls multiple functions as shown in the call graph below
Reversing First Communication pattern (contd)The malware uses below API call to open an http session with the C2 Server (wwap.publiclol.com)
Reversing First Communication pattern (contd)Etumbot Backdoor uses below API call to create an http handle and the below screenshot shows the object the malware is going to request in the http request.
Reversing First Communication pattern (contd)Etumbot Backdoor uses below API call to send the request and the C2 server sends an encoded response to the backdoor.
Reversing First Communication pattern (contd)Etumbot backdoor receives the encoded response from the C2 using the below API
Reversing First Communication pattern (contd)Etumbot backdoor passes the received content to the custom base64 algorithm which decodes the received content and extracts the RC4 key starting at offset 8. This RC4 key is used to encrypt subsequent communications. It can be deduced that the first communication pattern is used by the malware to receive the RC4 key from the attackers.
Reversing Second Communication patternEtumbot Backdoor calls the below function. This function implements the Second Communication pattern, this function calls multiple functions as shown in the call graph below
Reversing Second Communication pattern (contd)Etumbot Backdoor collects the system information (hostname, username, ip and proxy details) and passes it to the RC4 function (with the RC4 key retrieved from the first communication).
Reversing Second Communication pattern (contd)The collected system information is encrypted with RC4 key which was retrieved from the first communication. Below screenshot shows the RC4 encrypted system information
Reversing Second Communication pattern (contd)The RC4 encrypted system information is then passed to the custom base64 encoding function as shown below
Reversing Second Communication pattern (contd)The RC4 encrypted system information is then encoded with custom base64 encoding algorithm as shown below.
Reversing Second Communication pattern (contd)The base64 encoded string is then concatenated with /image/ and .jpg to form a final string as shown below
Reversing Second Communication pattern (contd)The malware connects to the C2 server (wwap.publiclol.com) using the concatenated string as the http request pattern.
Reversing Second Communication pattern (contd)Malware sends the http request as shown below. As you can see from packet capture the encrypted system information is sent to the attackers this way. Now we know how malware decodes the RC4 key from first communication and how that RC4 key is used to encrypt subsequent communications. We can write decryptors to extract the RC4 key and to decrypt the communications.
Demo 3
Decrypting the communications ofEtumbot Backdoor (winlogdate.exe)
Python script – To extract RC4 keyBelow screenshot shows the python script (get_key.py) which takes encoded response from C2 server as input, then decodes it and extracts the RC4 key
Extracting RC4 key from C2 ResponseBelow screenshot shows the encoded response from C2 server. This encoded response is given to the script which decoded and extracted the RC4 key
Python script – to decrypt communications
Below screenshot shows the script to decrypt subsequent communications using the RC4 key obtained from first communication
Python script – to decrypt communicationsBelow screenshot shows the encrypted string. The script takes the encrypted string and decrypts it. The decrypted output is the information (hostname, username, ip, proxy details) collected from the system, where the malware was run (in this case sandbox machine)
a) ARBOR Networks Report on Etumbot
http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/
b) FireEye’s Blog posthttp://www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html
References
Question & Answer
Thank you