We noted that layers 3 and 5 are capable of anti-analysis techniques. In the meantime, we discovered that not all layers have distinctive packers. The fourth and seventh layers are equivalent, as are the tenth and thirteenth. The packing of the eighth and fourteenth layers is also related. This repeated use of packers implies that the group is using a separate packing program. We are continuing our analysis to see if this program is their own or whether it is outsourced to other groups, as this program could be indicative of the group's future use of these same packers. It is also possible for these same packers to be replaced with variations in other samples.
On layer 8, the payload loader, the execution splits into two paths. If the malware detects that it is being analyzed, it loads the fake payload. Otherwise, it loads the real payload.
Fake payload
The fake payload has two layers, the first of which is shellcode with an embedded PE file, while the second layer is a PE file with the MZ header and PE signature removed. The second layer is loaded by the first layer, which then jumps into it.
Upon execution, the second layer immediately creates a thread where its main routine is located. It first attempts to read the registry value named "Active" at <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Media>. This serves as an infection marker. If the read fails, it proceeds to write the string value "1" into this registry value, then gathers system information: the computer name, current username, processor version, and display device names. In some versions of the fake payload, the data is encrypted using RC4 with a hard-coded key. The system information is then appended to the URL http[:]//{IP address}:8080/. The full URL is then accessed, and a file is downloaded. In some versions of the malware, this downloaded file is also executed.
Analyzing other sample versions of the fake payload, we found that if the main routine is successful, it checks whether the system is connected to a domain by checking for the existence of the environment variable USERDNSDOMAIN. If this variable does not exist, it drops and executes an adware named BrowserAssistant to %User Temp%\{random number}.exe, likely to make an analyst feel complacent about allegedly already having found the payload and therefore no longer needing to conduct further research on the samples.
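To make the fake payload's beacon concrete for analysts, here is an added example (not code from the original post, and not the malware's own code) that implements RC4 and recovers the four system-information fields from a captured beacon URL of the shape the post describes. It assumes a hex encoding of the ciphertext in the URL path, a `|` field separator, the placeholder key `PLACEHOLDER_KEY`, and the documentation address 198.51.100.10; the real sample's key, encoding, and separator have to be taken from the binary. The beacon it decodes is constructed inside the script.

```python
from urllib.parse import urlparse

# Field order follows the post's list; the separator itself is an assumption.
FIELD_NAMES = ("computer_name", "username", "processor", "display_devices")
FIELD_SEP = "|"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_beacon(url: str, key: bytes) -> dict:
    """Recover the system-information fields from a captured beacon URL.

    Assumes the ciphertext travels hex-encoded in the URL path (assumption);
    swap bytes.fromhex for another decoder if the sample encodes differently.
    """
    parsed = urlparse(url)
    if parsed.port != 8080:
        raise ValueError(f"unexpected port {parsed.port}; the post describes port 8080")
    blob = bytes.fromhex(parsed.path.lstrip("/"))
    plaintext = rc4(key, blob).decode("utf-8", errors="replace")
    fields = plaintext.split(FIELD_SEP)
    if len(fields) != len(FIELD_NAMES):
        # A wrong key yields garbage that almost never splits into exactly four fields.
        raise ValueError(f"wrong key or separator: got {len(fields)} field(s): {plaintext!r}")
    return dict(zip(FIELD_NAMES, fields))


def build_sample_beacon(key: bytes, c2: str = "198.51.100.10") -> str:
    """Construct a beacon URL in the described shape (constructed test data only)."""
    info = FIELD_SEP.join(
        ["DESKTOP-TEST", "analyst", "Intel64 Family 6 Model 142", "Generic PnP Monitor"]
    )
    return f"http://{c2}:8080/{rc4(key, info.encode()).hex()}"


if __name__ == "__main__":
    key = b"PLACEHOLDER_KEY"  # placeholder; the real key is hard-coded in the sample
    url = build_sample_beacon(key)
    print(url)
    for name, value in decode_beacon(url, key).items():
        print(f"{name:16} {value}")
```

The RC4 routine is checked against the well-known test vector (key `Key`, plaintext `Plaintext`), so a mismatch when decoding a real capture points at the key or the encoding, not at the cipher.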
Real payload
The real payload is made up of three layers, with the third layer containing the actual payload binary packed twice. Inside the real payload is an embedded custom Tor client designed to communicate with the real payload using shared memory.
Installation
Its method for checking whether the malware has been installed on the system involves checking whether it is running in Session 0. Prior to Windows Vista, services were run in the session of the first user to log in to the system, which is known as Session 0. However, from Windows Vista onward, Microsoft introduced a security enhancement called "Session 0 Isolation," where Session 0 is reserved for services and other non-interactive user applications.
With this security enhancement, the threat actor confirms whether the user profile is running with administrative privileges or not. If it is not in Session 0, it drops a copy of itself in <%ProgramData%\{random folder name}\{random file name}.{extension}> to elevate privileges, or <%ProgramData%\Microsoft\{random folder name}\{random file name}.{extension}> if the user is running as an admin. In this manner, a security analyst would view the malicious routine as having been started and run by a legitimate Windows process, allowing the routine to evade detection. The extension name is randomly chosen from the following:
- .bak
- .dat
- .db
- .dmp
- .etl
- .idx
- .json
- .lkg
- .lock
- .log
- .man
- .tmp
- .txt
- .vdm
- .xml
- .xsd
It also sets the following registry entry to enable its automatic execution at system startup. If the user is not at an admin level, the malware modifies the registry with
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
{random value name} = "rundll32 shell32 ShellExec_RunDLLA REGSVR /u /s "{dropped copy path and file name}.""
Conversely, if the user's profile has admin privileges, the registry is modified with
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\{random key name}
{random value name} = "shell32|ShellExec_RunDLLA|REGSVR /u /s "{dropped copy path and file name}.""
Privilege escalation
After dropping a copy of itself, it executes the dropped copy as Administrator using a UAC (User Account Control) bypass technique. It implements a variation of the method ucmDccwCOMMethod in UACMe, thereby abusing the built-in Windows AutoElevate backdoor.
It first checks whether atcuf32.dll, aswhook.dll, and avp.exe are loaded in the system. These files belong to the security vendors BitDefender, Avast, and Kaspersky, respectively. If one of these is loaded, it does not proceed to the UAC bypass routine. It then drops a shortcut file to <%User Temp%\{random file name}.lnk> that contains the command line
rundll32.exe SHELL32,ShellExec_RunDLL "C:\Windows\system32\ODBCCONF.EXE" /a {configsysdsn OCNKBENXGMI etba odjcnr} /A {installtranslator fxodi} -a {installdriver qmprmxf} /a {configsdn HHAP} regsvr "{dropped copy path and file name}." /S /e -s
It then creates an elevated COM object for CMLuaUtil and uses it to set a custom display calibrator in the registry that points to the dropped LNK file. It sets the custom display calibrator by setting the registry value
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration
DisplayCalibrator = "%User Temp%\{random file name}.lnk"
It then creates an elevated COM object for ColorDataProxy and calls its method "LaunchDccw" to load the calibrator, thus executing the malicious LNK. Afterward, it sets the registry value DisplayCalibrator back to "%SystemRoot%\System32\DCCW.exe" to hide its activity.
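As an added example that is not part of the original analysis, the following Python script turns the installation and privilege-escalation artifacts described above (the RunOnce/RunOnceEx entries built on ShellExec_RunDLLA and REGSVR, the dropped copy under %ProgramData% with one of the listed extensions, the DisplayCalibrator value redirected to an LNK file, and the rundll32 SHELL32,ShellExec_RunDLL launch of ODBCCONF.EXE) into detection rules and runs them over a handful of constructed registry-set and process-creation events with simplified Sysmon-style fields. The folder and file names (`qz41`, `lpoa.dat`, `h3jd.lnk`), the value names, the user name `analyst`, and the ODBCCONF argument placeholder are assumptions; nothing here is real telemetry.

```python
import re

# Extensions the post lists for the dropped copy.
DROPPED_EXTS = ("bak", "dat", "db", "dmp", "etl", "idx", "json", "lkg",
                "lock", "log", "man", "tmp", "txt", "vdm", "xml", "xsd")

# %ProgramData%\{folder}\{file}.{ext} or %ProgramData%\Microsoft\{folder}\{file}.{ext}
DROPPED_COPY = re.compile(
    r'[A-Za-z]:\\ProgramData\\(?:Microsoft\\)?[^\\"\s]+\\[^\\"\s]+\.(?:'
    + "|".join(DROPPED_EXTS) + r")\b", re.I)
RUNONCE_KEY = re.compile(r"\\RunOnce(?:Ex)?(?:\\|$)", re.I)
# Matches both the RunOnce form ("... ShellExec_RunDLLA REGSVR /u /s ...")
# and the RunOnceEx form ("shell32|ShellExec_RunDLLA|REGSVR /u /s ...").
SHELLEXEC_REGSVR = re.compile(r"ShellExec_RunDLLA?[\s|]+REGSVR\s+/u\s+/s", re.I)
CALIBRATION_KEY = re.compile(r"\\ICM\\Calibration$", re.I)
RUNDLL32_SHELLEXEC = re.compile(
    r"\brundll32(?:\.exe)?\s+shell32(?:\.dll)?,ShellExec_RunDLLA?\b", re.I)


def is_runonce_shellexec_regsvr(ev: dict) -> bool:
    """RunOnce/RunOnceEx autostart that relaunches the dropped copy via ShellExec_RunDLLA + REGSVR."""
    return (ev.get("type") == "registry_set"
            and RUNONCE_KEY.search(ev.get("key", "")) is not None
            and SHELLEXEC_REGSVR.search(ev.get("data", "")) is not None)


def is_display_calibrator_hijack(ev: dict) -> bool:
    """DisplayCalibrator pointed anywhere other than the default DCCW.exe (the UACMe DCCW method)."""
    return (ev.get("type") == "registry_set"
            and CALIBRATION_KEY.search(ev.get("key", "")) is not None
            and ev.get("value", "").lower() == "displaycalibrator"
            and not ev.get("data", "").lower().endswith("\\dccw.exe"))


def is_rundll32_odbcconf_chain(ev: dict) -> bool:
    """rundll32 SHELL32,ShellExec_RunDLL launching ODBCCONF.EXE with a regsvr action."""
    cmd = ev.get("cmdline", "")
    return (ev.get("type") == "process_create"
            and RUNDLL32_SHELLEXEC.search(cmd) is not None
            and "odbcconf" in cmd.lower() and "regsvr" in cmd.lower())


def find_dropped_copy_paths(text: str) -> list:
    """Return every %ProgramData% path with one of the listed extensions found in text."""
    return DROPPED_COPY.findall(text)


def triage(events: list) -> list:
    """Return (event index, rule name) pairs for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        if is_runonce_shellexec_regsvr(ev):
            hits.append((idx, "runonce_shellexec_regsvr"))
        if is_display_calibrator_hijack(ev):
            hits.append((idx, "display_calibrator_hijack"))
        if is_rundll32_odbcconf_chain(ev):
            hits.append((idx, "rundll32_odbcconf_chain"))
        if find_dropped_copy_paths(ev.get("data", "") + " " + ev.get("cmdline", "")):
            hits.append((idx, "programdata_dropped_copy"))
    return hits


SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"type": "registry_set", "value": "wq8z",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "data": r'rundll32 shell32 ShellExec_RunDLLA REGSVR /u /s "C:\ProgramData\qz41\lpoa.dat."'},
    {"type": "registry_set", "value": "wq8z",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\k7p2",
     "data": r'shell32|ShellExec_RunDLLA|REGSVR /u /s "C:\ProgramData\Microsoft\qz41\lpoa.dat."'},
    {"type": "registry_set", "value": "DisplayCalibrator",
     "key": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration",
     "data": r"C:\Users\analyst\AppData\Local\Temp\h3jd.lnk"},
    {"type": "registry_set", "value": "DisplayCalibrator",  # the clean-up step: not flagged
     "key": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration",
     "data": r"C:\Windows\System32\DCCW.exe"},
    {"type": "process_create",
     "cmdline": r'rundll32.exe SHELL32,ShellExec_RunDLL "C:\Windows\system32\ODBCCONF.EXE" '
                r'/a {configsysdsn PLACEHOLDER} regsvr "C:\ProgramData\qz41\lpoa.dat." /S /e -s'},
    {"type": "registry_set", "value": "OneDrive",  # benign autostart: not flagged
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r'"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process_create",  # benign rundll32 use: not flagged
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl"},
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The dropped-copy path rule is deliberately broad (plenty of legitimate software writes .dat or .log files under %ProgramData%), so it is meant as a corroborating signal next to the RunOnce, calibrator, and ODBCCONF rules rather than as an alert on its own; the same event firing two rules, as the constructed RunOnce entries do here, is the pattern worth escalating.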
Main routine
Running in Session 0, the real payload attempts to connect to the hard-coded Tor addresses, where the connections are made in another process. For the real payload to exchange data with the Tor-connecting process, a shared named memory map is created with the following format: