Hidden in Plain Sight - Uncovering the 'New' Malware.
Over the years I have seen and worked on my share of malware, and watched as the vulz and exploits come and go. After a few years in the fray, one becomes very attuned to the world that surrounds them. This sixth sense is an asset, and more valuable now than at any other time: welcome to the new era of malz. This is a hidden world, where silence, stealth and pure imagination contribute to what is normally a quiet infection, distinguished by highly complex coding, persistence and its signature polymorphic design. Those involved in cybersec know of this new breed, its stealth and delivery, as well as those who design and code them.
This is a journey leading to, and the analysis of, a recent live malware discovery of my own. This write-up will highlight the importance of a full skill set and how that sixth sense comes into play. I am, however, leaving out some crucial information on certain parts, because the malware and delivery structure is still in the wild. We have taken precautions for the safety of all, so that it does not end up in the wrong hands or get misused. Just the same, this is not a tutorial (known as a 'tuto'); the anomalies I cover are of an informative nature and not specific to any type of page, style or provider.
I was reviewing some older posts (from late last year) and came across a write-up from an event at a popular CTF conference. To those unfamiliar, these normally take place at hacker conferences or single-purpose events. Any 'class' of hacker is welcome to attend and either learn or 'show off'/test their skills, otherwise known as their kung fu, or 'fu' for short. I came across a write-up I remembered well due to the wide range of skills used, and read it again to process his technique once more. This is where things started to take shape for me and I was able to see beyond just the words, using intuition and other skills along the way, but we'll get to those as they come.
To begin, his publishing of the 'successful' CTF (or capture the flag event) began with a couple of anomalies. First, these challenges are normally performed by a team, not an individual. This was suspect: either he knew a lot, or he plagiarized another team's write-up. I sided on the intelligence factor, which turned out correct. His knowledge and use of various exploits was commendable, and he had an in-depth knowledge of several types of hexadecimal notation and translation: able to move between hex, octal, ASCII, 32- and 64-bit float (aka little and big endian) and to write them as memory addresses in literal and instruction form, all in order to control the stack. Impressive, yes, but what didn't fit next was a couple of things: the blog on his domain was a basic blog-page structure and HTML (not even v5), along with no DNS resolution... so just the single page, no actual domain records. This was a big red flag, so the next step was to look at the HTTP request headers. Just as I thought, all the code was being hosted, and served, by a popular open source 'hub' site. We will come back to that in a minute though.
My next stop after uncovering a ninja coder behind lame HTML code?... check the assets. There were three .js files whose names didn't fit their implied use. The 'file names' behind my suspicion came from much study of JavaScript and its different flavors. The logical next step was to get copies of all the assets and start tearing them apart, the logical analysis portion. I'm not an expert at reading compiled JS, but I do know what to look for when searching for mal-code; it jumps out at you in a few ways. These were written to look like JS library files, which they obviously were not, and they also contained a large amount of errors and obfuscation. One appeared to have multiple blocks encoded with jjencode, using numerous key characters to only further its obfuscation. The popular online JS code inspector, Jlint.com, threw dozens of errors before it finally killed its process. A deeper analysis of the code revealed it as malicious for using getenv() or similar to map a client's local filesystem.
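The triage described above, looking for library-shaped files that are really obfuscated droppers, can be turned into a repeatable static check. The following is an added example written for this page, not code from the post or from any tool it names; the two inputs are constructed here (one library-style snippet, one shaped like jjencode output, which opens with `$=~[];$={...}` and spells everything out of `$` and `_`), and the thresholds are assumptions chosen for illustration.

```python
import math
import re

# Constructed sample: a plausible library-style snippet with short lines and no decoding calls.
BENIGN_JS = """
(function (root) {
  function debounce(fn, wait) {
    var timer;
    return function () {
      var args = arguments;
      clearTimeout(timer);
      timer = setTimeout(function () { fn.apply(root, args); }, wait);
    };
  }
  root.debounce = debounce;
})(this);
"""

# Constructed sample shaped like jjencode output: one long line, a `$=~[];$={` prologue,
# and a source made almost entirely of `$`, `_`, brackets and quotes.
JJENCODE_LIKE_JS = (
    '$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,'
    '$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,'
    '$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};'
    '$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+'
    '((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+'
    '($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;'
    '$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];'
    '$.$($.$($.$$+$.$_$_+$._$+$.$$_)())();'
)

# Calls that turn data back into code or decode payloads; their presence alone is not
# proof of malice, but combined with other indicators they raise the score.
SUSPICIOUS_CALLS = re.compile(r"\b(eval|Function|unescape|fromCharCode|atob|document\.write)\s*\(")
JJENCODE_PROLOGUE = re.compile(r"\$=~\[\];\s*\$=\{")


def shannon_entropy(text: str) -> float:
    """Bits per character; packed or encoded blobs score higher than hand-written code."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def symbol_ratio(text: str) -> float:
    """Fraction of non-whitespace characters that are `$` or `_` (jjencode's whole alphabet)."""
    stripped = re.sub(r"\s", "", text)
    if not stripped:
        return 0.0
    return sum(ch in "$_" for ch in stripped) / len(stripped)


def triage_js(src: str) -> dict:
    """Return measurable indicators and a coarse verdict for one JavaScript source text."""
    indicators = []
    if JJENCODE_PROLOGUE.search(src):
        indicators.append("jjencode prologue ($=~[];$={...})")
    ratio = symbol_ratio(src)
    if ratio > 0.25:  # assumed threshold; real library code sits far below this
        indicators.append(f"symbol-heavy source ({ratio:.0%} of non-space chars are $ or _)")
    calls = sorted({m.group(1) for m in SUSPICIOUS_CALLS.finditer(src)})
    if calls:
        indicators.append("dynamic code/decoding calls: " + ", ".join(calls))
    longest = max((len(line) for line in src.splitlines()), default=0)
    if longest > 300:  # assumed threshold; minified libraries are long too, so this is a weak signal
        indicators.append(f"very long line ({longest} chars)")
    return {
        "entropy": round(shannon_entropy(src), 2),
        "symbol_ratio": round(ratio, 3),
        "indicators": indicators,
        "verdict": "suspicious" if len(indicators) >= 2 else "benign-looking",
    }


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_JS), ("jjencode-like", JJENCODE_LIKE_JS)):
        print(label, triage_js(sample))
```

Any single indicator is weak on its own (minified libraries also have long lines), which is why the verdict requires two or more; the point is to prioritise which of several "library" files deserves the manual hexdump-and-decode treatment the post goes on to describe.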
Now I knew I had a true ninja in hiding, so, to an extent, I took his bait: a little SE trick he used to guide visitors along without 'pointing' to the real malz. I visited his 'hub', where I only found more obvious dichotomous signs. I will leave out some of the details here so as not to hint at something that can be found with a crafted search. The largest thing that jumped out at me was a 4-page PDF file that didn't belong there. It tried to blend in with the environment, but it's just one of those things you pick up with time in the fray. I was positive that it had some serious JS embedded in the hex, so I took it to examine and analyze. This is where it starts getting good, so if you've read this far, thank you. You will soon see the destructive nature that is, and most times will forever remain, hidden.
Here's what I found; keep in mind that nearly all scans, both for integrity/structure and for anti-virus/malware, came up clean with this file. So I kept on it, positive that it was malicious, and it paid off.
I already knew it was filled with encryption and JS from examining the hexdump. The malice started with the fact that it wasn't a PDF, like EVERYONE thought it was; it was actually a binary file. One that has a script set to run and in turn execute all other scripts inside on opening the file, a trojan horse of maliciousness if you will. After this was triggered, it dropped various innocent-looking tmp and other files you would expect from a software install. Only remember, this wasn't 'software', nor did it have any of the usual dialogue boxes to go with it. Following the trail of dung it left behind, an analysis of one of the tmp files showed that it actually wasn't one. It was a Windows exe (PE32 file), and it too had a script to auto-extract and stealth install, using all the new ways that malware now uses to evade AV detection. So much more was buried within than just a background install. Some ran all at the same time, while other processes were programmed to sleep for over 800,000 seconds!! What?! In short, it made over 30,000 registry lookups and modifications, collected ALL of \\User\AppData (over 24,000 hits), where much is stored, and did the same with your browser history and all your recents. It then configured itself to silently auto-start with Windows and added hidden add-on code to your browser. Essentially at this point you are completely owned, with a constant stream of personal and sensitive data going out and new coming in, and they will technically use your system and life like a puppet. It would be inappropriate for me to mention all the things pwned devices are used for. One constant is the victim never being the wiser about its infection, or even able to extract the malz if you did know about it. AV won't pick up on anything because the code is polymorphic, sending data and receiving new instructions and code up to dozens of times per day. It will always persist too; could you repair 30k+ worth of regkeys and multiple processes embedded to run in Windows startup files?
That's some malicious stealth!
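The two tricks in the paragraphs above, a 'PDF' that is really a binary and a 'tmp' file that is really a PE32 executable, both fall to the same check: classify a file by its magic bytes and compare that with what its extension claims. The following is an added example written for this page, not code from the post; the samples are constructed here (a minimal MZ/PE header, a PDF carrying an `/OpenAction` that points at `/JavaScript`, and a clean PDF), and the PDF name list is a common triage heuristic, not a complete detector.

```python
import re
import struct

# Constructed sample 1: the smallest thing that classifies as a PE32 (i386) image.
# DOS header "MZ", e_lfanew at offset 0x3C pointing to "PE\0\0", then Machine = 0x14C.
FAKE_PDF = (
    b"MZ" + b"\x00" * 0x3A
    + struct.pack("<I", 0x40)          # e_lfanew -> PE signature at 0x40
    + b"PE\x00\x00"
    + struct.pack("<H", 0x14C)         # IMAGE_FILE_MACHINE_I386
    + b"\x00" * 16
)

# Constructed sample 2: a real PDF whose catalog auto-runs JavaScript on open; the
# /JavaScript name is hex-escaped as /J#61vaScript, a classic way to dodge naive scanners.
JS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"%%EOF"
)

# Constructed sample 3: a PDF with nothing active in it.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"

# PDF names that make a document do something on open or carry a payload.
PDF_ACTIVE_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]


def identify(data: bytes) -> str:
    """Classify by content, ignoring the extension the file was given."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-dos"
    return "unknown"


def pe_machine(data: bytes) -> str:
    """Read the COFF Machine field to tell PE32 (i386) from PE32+ (x86-64)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return {0x14C: "PE32 (i386)", 0x8664: "PE32+ (x86-64)"}.get(machine, hex(machine))


def unescape_pdf_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes inside PDF names so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_indicators(data: bytes) -> list:
    """Names that indicate code execution or embedded payloads, checked after unescaping."""
    normalized = unescape_pdf_names(data)
    found = [name.decode() for name in PDF_ACTIVE_NAMES if name in normalized]
    if re.search(rb"/[A-Za-z]*#[0-9A-Fa-f]{2}", data):
        found.append("hex-escaped name (#xx)")
    return found


def triage(name: str, data: bytes) -> dict:
    """Compare the claimed type (extension) with the actual type (magic bytes)."""
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = identify(data)
    expected = {"pdf": "pdf", "exe": "pe", "dll": "pe"}.get(claimed)
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "mismatch": expected is not None and expected != actual,
        "disguised_executable": actual == "pe" and claimed not in {"exe", "dll", "sys", "scr"},
        "pdf_indicators": pdf_indicators(data) if actual == "pdf" else [],
    }


if __name__ == "__main__":
    for fname, blob in (("paper.pdf", FAKE_PDF), ("setup.tmp", FAKE_PDF),
                        ("invoice.pdf", JS_PDF), ("notes.pdf", CLEAN_PDF)):
        print(triage(fname, blob))
```

The magic-byte check is what the AV and structure scanners the post mentions did not act on: `paper.pdf` reports as a PE32 image and `setup.tmp` as a disguised executable, while the PDF that really is a PDF still surfaces its auto-run JavaScript even though the name was hex-escaped.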
The way to notice that anything may be amiss is by running a pcap 24x7 and hoping you see some anomaly. Even that proved difficult, though; the new malware follows 3 simple rules: exist, run and persist. It makes it very hard to recognize anything, and their coders earn respect in that manner. With the file in question here, I was able to use an online service for an intelligent dynamic analysis. It gave up all the processes it ran and included the hard-coded destination IP from inside the catalyst (exe file). The software had 5 connections at once, taking data and receiving new code. A hard pill to swallow, I know, but bear in mind I'm not sharing all the stats and processes. To keep you from a tl;dr, I'll stop there. Safe to say, if you come across one of these in a file, web page or the like, you probably will never know it. And if you do, unless you KNOW what you're doing and how to handle them, don't bother. They are like time bombs, and if you don't understand every minute process on your PC and networks, it will likely blow up in your hands.
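The two network behaviours described above, 5 simultaneous connections to one hard-coded destination and repeated call-backs for new instructions, are exactly the shapes a 24x7 capture can be searched for. The following is an added example written for this page, not code from the post or from the online sandbox it used; the flow records are constructed here (documentation-range addresses, epoch timestamps) and the thresholds (5 concurrent connections, a 20% interval jitter, a 30-second minimum beacon interval) are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records, one connection per line with epoch start/end seconds.
# 10.0.0.23 opens five overlapping connections to one host (the burst in the post);
# 10.0.0.42 calls the same host back roughly every 600 s (a beacon);
# 10.0.0.7 talks to a different host at irregular times (normal browsing).
FLOWS = """
start=1700000000 end=1700000030 src=10.0.0.23 dst=203.0.113.45 dport=443
start=1700000001 end=1700000040 src=10.0.0.23 dst=203.0.113.45 dport=443
start=1700000002 end=1700000035 src=10.0.0.23 dst=203.0.113.45 dport=443
start=1700000003 end=1700000050 src=10.0.0.23 dst=203.0.113.45 dport=443
start=1700000004 end=1700000045 src=10.0.0.23 dst=203.0.113.45 dport=443
start=1700000000 end=1700000002 src=10.0.0.42 dst=203.0.113.45 dport=443
start=1700000598 end=1700000601 src=10.0.0.42 dst=203.0.113.45 dport=443
start=1700001203 end=1700001205 src=10.0.0.42 dst=203.0.113.45 dport=443
start=1700001799 end=1700001802 src=10.0.0.42 dst=203.0.113.45 dport=443
start=1700002402 end=1700002404 src=10.0.0.42 dst=203.0.113.45 dport=443
start=1700003001 end=1700003003 src=10.0.0.42 dst=203.0.113.45 dport=443
start=1700000010 end=1700000012 src=10.0.0.7 dst=198.51.100.10 dport=443
start=1700000900 end=1700000905 src=10.0.0.7 dst=198.51.100.10 dport=443
start=1700003100 end=1700003102 src=10.0.0.7 dst=198.51.100.10 dport=443
"""

FLOW_RE = re.compile(r"start=(\d+) end=(\d+) src=(\S+) dst=(\S+) dport=(\d+)")


def parse_flows(text: str) -> list:
    """Parse the constructed record format above into dicts; unparseable lines are skipped."""
    flows = []
    for line in text.strip().splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        start, end, src, dst, dport = m.groups()
        flows.append({"start": int(start), "end": int(end), "src": src, "dst": dst, "dport": int(dport)})
    return flows


def max_concurrency(flows: list) -> dict:
    """Peak number of simultaneously open connections for each (src, dst) pair, by sweep line."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append((f["start"], 1))
        by_pair[(f["src"], f["dst"])].append((f["end"], -1))
    peaks = {}
    for pair, events in by_pair.items():
        events.sort()  # at equal timestamps the -1 sorts first, so close-then-open does not overlap
        open_now = peak = 0
        for _, delta in events:
            open_now += delta
            peak = max(peak, open_now)
        peaks[pair] = peak
    return peaks


def beacon_candidates(flows: list, min_connections=5, max_cv=0.2, min_interval=30) -> dict:
    """Pairs whose connection start times repeat at a near-constant interval (mean interval in s)."""
    starts = defaultdict(list)
    for f in flows:
        starts[(f["src"], f["dst"])].append(f["start"])
    out = {}
    for pair, ts in starts.items():
        ts = sorted(set(ts))
        if len(ts) < min_connections:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m < min_interval:  # a burst of connections is not a beacon; concurrency handles it
            continue
        if pstdev(gaps) / m <= max_cv:  # low coefficient of variation = timer-driven traffic
            out[pair] = round(m, 1)
    return out


def detect(text: str, concurrency_threshold=5) -> list:
    """Run both detections over raw records and return human-readable alerts."""
    flows = parse_flows(text)
    alerts = []
    for (src, dst), peak in max_concurrency(flows).items():
        if peak >= concurrency_threshold:
            alerts.append(f"{src} held {peak} simultaneous connections to {dst}")
    for (src, dst), interval in beacon_candidates(flows).items():
        alerts.append(f"{src} beacons to {dst} roughly every {interval}s")
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

Neither rule proves infection by itself: a download manager also holds parallel connections, and an NTP or update client beacons on a timer. What they do is reduce a day of pcap to a handful of (source, destination) pairs worth pulling the payloads for, and a destination that shows up under both rules, as 203.0.113.45 does here, is where to start.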
If you have any further questions, I'll be happy to answer them if they are appropriate. Otherwise, the best advice I can give anyone for now... get rid of Windows!! Sorry M$, but it's a reality that's unfolding. Linux is much safer by design, and most of the new malware and exploits target win-based environments and systems anyway. I have purposely left out any pictures, again because this is live and I have it all neatly tied to accounts and a single IP, along with several critical timestamps. Sorry. Be safe all...
'r3v