reverse engineering malware

Download Reverse Engineering Malware

Post on 12-Apr-2017

909 views

Category:

Technology

4 download

Embed Size (px)

TRANSCRIPT

Application Virtualization

Reverse Engineering Malware

1

APT Malware - EtumbotEtumbot Cyber Espionage CampaignDemo 1 Sandbox Analysis of Etumbot dropperDemo 2 Reverse Engineering the Communications of Etumbot Backdoor Demo 3 Decrypting the Communications of Etumbot BackdoorReferences

Contents

APT Malware - Etumbot

Used in APT/Cyber espionage/targeted attacks

Associated with Chinese cyber espionage group (Numbered Panda, APT12, Calc team)

Sent to targets via spear phishing email

Targeted government organizations in Taiwan and Japan

Drops decoy documents of interest to Taiwanese and Japanese population

Also referred to as Exploz, Specfix and RIPTIDE

3

Etumbot Cyber Espionage Campaign

Demo 1

Sandbox Analysis of Etumbot dropper(5340.exe)

File system and Registry activityEtumbot dropper (5340.exe) drops another file winlogdate.exe (which is Etumbot backdoor). The malware also adds a registry entry so that Etumbot backdoor can persist on the system

Network ActivityEtumbot Backdoor (winlogdate.exe) connects to the C2 server with two communication patterns

First Communication PatternIn the first communication pattern the malware receives response from the C2 server. The response looks like an encoded string

Second Communication PatternIn the second communication pattern the malware sends a request, which looks like a request to download an image file (.jpg), but the string before .jpg looks like an encrypted string. In order understand these communication patterns, lets reverse engineer the Etumbot backdoor

Demo 2

Reverse Engineering the Communications ofEtumbot Backdoor (winlogdate.exe)

Reversing First Communication patternEtumbot Backdoor calls the below function. This function implements the First Communication pattern, this function calls multiple functions as shown in the call graph below

Reversing First Communication pattern (contd)The malware uses below API call to open an http session with the C2 Server (wwap.publiclol.com)

Reversing First Communication pattern (contd)Etumbot Backdoor uses below API call to create an http handle and the below screenshot shows the object the malware is going to request in the http request.

Reversing First Communication pattern (contd)Etumbot Backdoor uses below API call to send the request and the C2 server sends an encoded response to the backdoor.

Reversing First Communication pattern (contd)Etumbot backdoor receives the encoded response from the C2 using the below API

Reversing First Communication pattern (contd)Etumbot backdoor passes the received content to the custom base64 algorithm which decodes the received content and extracts the RC4 key starting at offset 8. This RC4 key is used to encrypt subsequent communications. It can be deduced that the first communication pattern is used by the malware to receive the RC4 key from the attackers.

Reversing Second Communication patternEtumbot Backdoor calls the below function. This function implements the Second Communication pattern, this function calls multiple functions as shown in the call graph below

Reversing Second Communication pattern (contd)Etumbot Backdoor collects the system information (hostname, username, ip and proxy details) and passes it to the RC4 function (with the RC4 key retrieved from the first communication).

Reversing Second Communication pattern (contd)The collected system information is encrypted with RC4 key which was retrieved from the first communication. Below screenshot shows the RC4 encrypted system information

Reversing Second Communication pattern (contd)The RC4 encrypted system information is then passed to the custom base64 encoding function as shown below

Reversing Second Communication pattern (contd)The RC4 encrypted system information is then encoded with custom base64 encoding algorithm as shown below.

Reversing Second Communication pattern (contd)The base64 encoded string is then concatenated with /image/ and .jpg to form a final string as shown below

Reversing Second Communication pattern (contd)The malware connects to the C2 server (wwap.publiclol.com) using the concatenated string as the http request pattern.

Reversing Second Communication pattern (contd)Malware sends the http request as shown below. As you can see from packet capture the encrypted system information is sent to the attackers this way. Now we know how malware decodes the RC4 key from first communication and how that RC4 key is used to encrypt subsequent communications. We can write decryptors to extract the RC4 key and to decrypt the communications.

Demo 3

Decrypting the communications ofEtumbot Backdoor (winlogdate.exe)

Python script To extract RC4 keyBelow screenshot shows the python script (get_key.py) which takes encoded response from C2 server as input, then decodes it and extracts the RC4 key

Extracting RC4 key from C2 ResponseBelow screenshot shows the encoded response from C2 server. This encoded response is given to the script which decoded and extracted the RC4 key

Python script to decrypt communicationsBelow screenshot shows the script to decrypt subsequent communications using the RC4 key obtained from first communication

Python script to decrypt communicationsBelow screenshot shows the encrypted string. The script takes the encrypted string and decrypts it. The decrypted output is the information (hostname, username, ip, proxy details) collected from the system, where the malware was run (in this case sandbox machine)

a) ARBOR Networks Report on Etumbothttp://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/

b) FireEyes Blog posthttp://www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.htmlReferences

Question & Answer

Thank you

Recommended

View more >