in APT

Initial Winnti analysis against Vietnam game company

Abstract:

The malware, designed by human, often inhabits the servers to steal the information and to destroy the computer systems.

This analysis aims to find out, in the case of the company (real name is not exposed by the permission), how the malware infected the server, and to assess the malware’s relationship with external objects.

We conclude that this malware was sophisticatedly designed by some experts on the malware. There are also many evidences of an international cooperation in this attack. For our analysis, one of the difficulties is the lack of exposure to the appropriate execution environment, which made us unable to complete this analysis perfectly.

Feel free to contact us for analysis collaboration: vred(at)vsec.com.vn

Content:

The mechanism of infection:

The malware infected a server through the MSSQL service when this server allowed it to execute a command line from the SQL application.

conmaz_01

Figure 1. A query in the SQL was found.

The data of the malware were written into the database table by the Insert command. The queries were used as follows:

conmaz_02

Figure 2. The data of the malware were written.

After the queries were executed and a file at “C:\users\s.exe” were extracted, the malware was activated by the following a command line and a “0505” parameter.

conmaz_03

The information of which file were extracted:

The mechanism of operation:

The malware checked whether the value of the parameter was “0505” or not. If true, the malware would run.

conmaz_04

Figure 3. The malware checked the value of the parameter.

The malware wrote two files (tmp[random].tmp and tmp[random+1].tmp) at the %APPDATA% folder and used rundll32.exe to perform the tmp[random].tmp file as a DLL.

conmaz_05

Figure 4. The tmp[random].tmp file was executed by rundll32.exe.

The information of these files were written at the %APPDATA% folder.

In the case of our analysis, the name of what two files were: tmpAA8B.tmp and tmp6AFB.tmp. In which, tmpAA8B.tmp was a DLL and tmp6AFB.tmp was a binary file of an unknown structure.

The tmpAA8B.tmp file was executed by rundll32.exe with parameter: “tmpAA8B.tmp, gzopen_r s.exe”, in which, tmpAA8B.tmp was the name of DLL and gzopen_r was a function in the DLL.

The tmp6AFB.tmp file was loaded into the memory and was decrypted by XOR with the 0x36 value.

conmaz_06

Figure 5. The tmp6AFB.tmp file was decrypted on the memory.

The decrypted code was written by Python as follows:

After being decrypted, the malware executed directly on the memory. Thanks to a command (CALL RAX), the EIP register jumped to the Entry Point of the malware. Then, it created a rasppp.dat file at C:\Windows\System32\.

conmaz_07

Figure 6. The EIP register jumped to the Entry Point of the malware.

The malware got the address of the DllUnregisterServer function on the Export table in the rasppp.dat file and executed the DllUnregisterServer function with the various parameters.

The DllUnregisterServer function had ten cases corresponding to ten functions:

Case 15 (A parameter is 0x201410):

conmaz_08

Figure 7. The function executed with the parameter of the 201410h value.

There are two processes, “avp.exe” – the Antivirus of Kaspersky and “msiexec.exe” – the Windows ® Installer process. If they were found, this function would inject a process into the Explorer.exe.

conmaz_09

Figure 8. The process found avp.exe and inject into explorer.exe.

Case 7 (A parameter is 0x201408):

In this case, this function read the data of the tmp6AFB.tmp file, and XOR this data with a 0x90 value to create a configuration to attack. This configured data included the name of the files written on disk, the parameters as “s.exe” was executed and the name of the attacked organization.

conmaz_10

Figure 9. Case 7 was executed with a 0x201408 parameter.

conmaz_11

Figure 10. The tmp6AFB.tmp file was read to create a configuration to attack.

The configured data, of two files (“loadperf.dll” and “rasppp.ini”), was decrypted, in which, tmpAA8B.tmp was copied from %APPDATA% to C:\Windows\System32\rasppp.ini. Then, the Entry Point of the loadperf.dll file was changed, added some code to the end of this executable file and was written into C:\Windows\System32\ to load “rasppp.ini” as a DLL.

The malware took advantage of the process of where the DLL of the Windows was loading. As a result, the malware ran when the system started to run the “wmiApSrv” service.

conmaz_12

Figure 11. The configured data was decrypted (victim name was removed).

conmaz_13

Figure 12. The loadperp.dll file was changed.

Case 4 (A parameter is 0x201405):

In this case, the malware got the link of the running process and found an explorer.exe” string to check whether it was running in the explorer.exe process or not.

conmaz_14

Figure 13. The malware found an “explorer.exe” string.

Case 5 (A parameter is 0x201406):

Similar to Case 4, the malware checked the “sysprep.exe” process.

If the “SYSTEM\CurrentControlSet\Services\WmiApSrv” key query were not existed, the “Start” value would set to 0x02 (Automatic) and the wmiapsrv service would restart.

conmaz_15

Figure 14. The malware found a “sysprep.exe” string and handled the wmiapsrv service.

Case 0 (A parameter is 0x201401):

The malware found the location of the “s.exe” file and then, deleted this file on disk to remove traces of attack.

conmaz_16

Figure 15. The malware deleted the “s.exe” file on disk.

Case 1 (A parameter is 0x201402):

The malware checked the version of the operating system and got the Token of the running process.

conmaz_17

Figure 16. The malware checked the version of the operating system.

conmaz_18

Figure 17. The malware got the Token of the running process.

Case 2 (A parameter is 0x201403):

In this case, the malware found the “avp.exe” process. If the “avp.exe” process were existed, the malware would bypass UAC, otherwise, the malware would inject into the Explorer.exe process.

image19

Figure 18. The malware found the “avp.exe” process.

image20

Figure 19. The malware injected into the Explorer.exe process.

The malware bypassed UAC as follows:

Firstly, the malware found the address of the “lpk.dll” file on Windows XP or Windows Server 2003 and the address of the “cryptbase.dll” file on Windows Vista or Windows Server 2008 or higher.

image21

Figure 20. The malware found the address of lpk.dll file and cryptbase.dll file.

The malware copied [tmpAA8B.tmp] and wrote into C:\Windows\System32\sysprep\ CRYPTBASE.DLL.

After copying successfully, the malware created a [random_name].tmp.dat file at %TEMP% folder and used Winexec to execute. This file was responsible for deleting the .tmp files at the %APPDATA% folder. Besides, the malware deleted the DLL file and payload which had been decrypted on disk.

Case 3 (A parameter is 0x201404):

The malware bypassed UAC the same as in Case 2.

Case 6 (A parameter is 0x201407):

After performing the functions in the previous case, the malware transferred the rasppp.ini file and the rasppp.dat file to C:\Windows\System32\ and set time to write a file at the same time as the rasppp.dll file at C:\Windows\System32\. This was the main goal of this malware after passing the previous tests.

image22

Figure 21. The malware set time for the file.

image23

Figure 22. The malware started the “wmiapsrv” service.

After successfully writing the rasppp.ini file and the rasppp.dat file, the malware deleted two .tmp file at %APPDATA% to erase traces of attack.

The difficulties in the analysis:

In Case 7, the malware fixed the loadperf.dll file at C:\Windows\System32\wbem\ and wrote into C:\Windows\System32\ to run “wmiApSrv” service, which prevent us from debugging to analyze the operation of the malware.

Therefore, the operations of the malware were not analyzed fully.

The additional information:

After decrypting the .INIT Section of the payload, there are two drivers to be used by the malware. In which, the electronic signature of a driver is belongs to “IQ Technology Inc”.

image24

Figure 23. The electronic signature of a driver was found.

Update:

Recently, we have just received a new sample. This sample was provided by a security company called Pontosec in Brazil.

The dropper extracts a loadperf.dll on /wbem/ in order to inject the WmiApSrv. It also creates two files on system32, in their case the name is odbc64.ini and .dat, and they found in some servers files called wow64.ini and .dat.

So here’s what they found it’s doing after the injection:

– WmiApSrv starts. It finds loadperf in /wbem/ and loads it

– Loadperf loads odbc64.ini

– Odbc64.ini reads odbc64.dat

– It probably injects code into svchost

– Injected code in svchost checks some regs, such as network cards entries, O.S language, etc…

– Injected code create a file in C:\Windows\Temp\ with name tmpXXXX.tmp. (It first check if it exists and delete previous in case it exists).

– It writes the rootkit driver into that tmp file.

– It creates a service called Rortal pointing to that .tmp file and loads it.

– It reads some more regs, including windows firewall rules.

– The rootkit driver loads and removes itself from the C:\Windows\temp folder and removes its service from the registry. The only thing that they left behind about the service is ‘System\CurrentControlSet\Enum\ROOT\LEGACY_RORTAL\

– It seems that the code in svchost listens port tcp/65055. The rootkit driver, however, makes it invisible to netstat/tcpview tools.

– It starts running every minute a command to create a rule in windows firewall to allow traffic to 65055 port:

  • exe /C “netsh advfirewall firewall delete rule name=”Windows Management Instrumentation (RPC-In)”” ( to remove previous rules with same name )
  • exe /C “netsh advfirewall firewall add rule name=”Windows Management Instrumentation (RPC-In)” dir=in action=allow localport=65055 protocol=TCP” (to create the new one)

The string on the injected code contains a %d on the port, so we know it can be set dynamically.

Several servers infected, and they escalated to Linux by using bruteforce with logged passwords. They are dropping webshells in some web servers too (some of them in Chinese).

They also found that it’s using DNS to communicate with the C&C server, by using base32 encoded subdomains and TXT lookups.

The domains used in this attack are:  microsoff.net and  msffncsi.com, both pointing to the nameserver ns11.xincache.com and ns12.xincache.com; These NS hosts more than 6000 domains related to malware according to malwareurl.com, and more than 1,487,900 domains according to domaintools. Two confirmed involved IP addresses are: 211.104.160.170 and 27.255.80.42;

Searching for more samples that connects to these domains, they found several on malwr.com that are being detected as Korplug / PlugX apt.

Write a Comment

Comment