Peeling The Layers Of Vawtrak

Transcription

1 Peeling The Layers Of Vawtrak October 20-21, 2015 Raul Alvarez Copyright Fortinet Inc. All rights reserved.

2 About Me

3 About Me Senior Security Fortinet 21 published articles in Virus Bulletin Regular contributor in our company blog 3

4 Agenda

5 Agenda Ø Ø Ø Vawtrak and Tor DGA Tor Tor2Web Vawtrak and its Layers Different features Different layers Multiple armoring strategies within the layers Vawtrak and Volatility Using Volatility Malware as a platform 5

6 Banking Malware

7 Banking Malware and C&C Binary updates/enhancements Operational commands Storage of stolen banking credentials Latest configuration 7

8 Banking Malware Protection Strategy Binary armoring to avoid detection Continuous monitoring of AV detection Using DGA to minimize takedowns Hiding its C&C via Tor 8

9 Vawtrak

10 What is Vawtrak? Also known as Neverquest A banking trojan Uses layering techniques similar to a Matryoshka doll Uses multiple armoring strategies Uses DGA Uses Tor2web 10

11 Vawtrak and Tor

12 DGA Hiding is not enough

13 DGA Ø Ø Ø Ø Ø DGA Domain name Generation Algorithm Also called PrDGA (Pseudo-random DGA) Generates a binary seed Can be a constant value Can be generated from the current time and date Generates a string of random alpha-numeric characters Adds a variation of TLDs, such as com, org, info 13

14 How DGA works Ø Ø Ø Ø Ø Client-side and Server-side uses the same algorithm The server-side registers one or more generated domain names The client-side tries all possible combination of generated domain names The client-side establishes connection to the server-side The server-side un-registers the registered domain to avoid detection 14

15 C&C

16 C&C Not a fixed string Derived from a DWORD value Controlled by 40-byte XOR key Different variants, different domains 16

17 Vawtrak s DGA seed byte generator alphanumeric generator 17

18 Different variants, different domains sample #1 18

19 Different variants, different domains sample #2 19

20 Different variants, different domains sample #3 20

21 Different variants, different domains sample #4 21

22 Tor2Web C&C

23 Vawtrak s DGA 23

24 Tor2Web C&C sample #2 24

25 Tor2Web C&C sample #4 25

26 How Tor Works

27 How Tor Works Image taken from torproject.org 27

28 How Tor Works Image taken from torproject.org 28

29 How Tor Works Image taken from torproject.org 29

30 Tor and Hidden Services

31 Hidden Service: Deep Web Radio 31

32 Hidden Service: Electronic Store 32

33 Hidden Service: Online News 33

34 Hidden Service: Free 34

35 Hidden Service: File Storage 35

36 Hidden Service: Tor Supermarket 36

37 Hidden Service: Chat Rooms 37

38 Hidden Service: The Hidden Wiki 38

39 And so much more q q q q q q q q q q /Messaging Books Financial Audio/Music Domain/Hosting Security Blogs Social networks Forums And so much more 39

40 Tor2Web

41 Tor2Web Ø Browsing hidden services via a normal web browser 41

42 Tor2Web Ø Header page 42

43 Can Vawtrak really use DGA to create a randomized Tor C&Cs?

44 Tor2Web C&C Pre-set.onion domains Pseudorandom DGA will not work Tor2Web C&C is not so random 44

45 Tor2Web C&C sample #2 45

46 Tor2Web C&C otsxxxxgxbcwvrqs 4bpxxxxz4e7n6gnb bc3xxxxf4m3lnw4o sample #4 46

47 Vawtrak and its Layers

48 Armoring Strategies Within The Layers Anti-Emulator Anti-Debugger Anti-Analysis Encryption/ Decryption Garbage Collection Hashing Compression/ Decompression Code injection 48

49 Layers of Vawtrak Layer 1 Anti-Emulator Anti-Debugger Anti-Analysis decryption decoy Layer 2 (encrypted) overlay decryption garbage collection Layer 3 decrypted + compressed Layer 2 Decompression RtlDecompressBuffer Layer 3 decompressed Self-code Injection Anti-Antimalware Layer 3 resource section hashing for validity decryption Layer 4 Layer 2 49

50 Layer 1: Anti-Emulator Layer 1 Anti-Emulator Anti-Debugger Anti-Analysis decryption decoy Layer 2 (encrypted) overlay decryption garbage collection Layer 3 decrypted + compressed Layer 2 Decompression RtlDecompressBuffer Layer 3 decompressed Self-code Injection Anti-Antimalware Layer 3 resource section hashing for validity decryption Layer 4 Layer 2 50

51 Layer 1: Anti-Emulator Hundreds of assembly language instruction 0x00 ADD BYTE PTR DS:[eax],al 51

52 Layer 1: Anti-Debugger Layer 1 Anti-Emulator Anti-Debugger Anti-Analysis decryption decoy Layer 2 (encrypted) overlay decryption garbage collection Layer 3 decrypted + compressed Layer 2 Decompression RtlDecompressBuffer Layer 3 decompressed Self-code Injection Anti-Antimalware Layer 3 resource section hashing for validity decryption Layer 4 Layer 2 52

53 Layer 1: Anti-Debugger PEB(Process Environment Block) BeingDebugged ImageBase FFFFFFFF SpareBool Mutant Stage 1 Stage 2 53

54 Layer 1: Anti-Analysis Layer 1 Anti-Emulator Anti-Debugger Anti-Analysis decryption decoy Layer 2 (encrypted) overlay decryption garbage collection Layer 3 decrypted + compressed Layer 2 Decompression RtlDecompressBuffer Layer 3 decompressed Self-code Injection Anti-Antimalware Layer 3 resource section hashing for validity decryption Layer 4 Layer 2 54

55 Layer 1: Anti-Analysis CreateFileA API using RETN 55

56 Layer 1: Decryption Layer 1 Anti-Emulator Anti-Debugger Anti-Analysis decryption decoy Layer 2 (encrypted) overlay decryption garbage collection Layer 3 decrypted + compressed Layer 2 Decompression RtlDecompressBuffer Layer 3 decompressed Self-code Injection Anti-Antimalware Layer 3 resource section hashing for validity decryption Layer 4 Layer 2 56

57 Layer 1: Decryption filename Layer 2 executable file decoy file 57

58 Layer 2: Decryption + Garbage Collection Layer 1 Anti-Emulator Anti-Debugger Anti-Analysis decryption decoy Layer 2 (encrypted) overlay decryption garbage collection Layer 3 decrypted + compressed Layer 2 Decompression RtlDecompressBuffer Layer 3 decompressed Self-code Injection Anti-Antimalware Layer 3 resource section hashing for validity decryption Layer 4 Layer 2 58

59 Layer 2: Decryption + Garbage Collection garbage code relevant code decryption algorithm decrypted/compressed executable 59

60 Layer 2: Decompression Layer 1 Anti-Emulator Anti-Debugger Anti-Analysis decryption decoy Layer 2 (encrypted) overlay decryption garbage collection Layer 3 decrypted + compressed Layer 2 Decompression RtlDecompressBuffer Layer 3 decompressed Self-code Injection Anti-Antimalware Layer 3 resource section hashing for validity decryption Layer 4 Layer 2 60

61 Layer 2: Decompression RtlDecompressBuffer RtlDecompressBuffer( 0x102,0x1744e8, 0x30e00, 0x1436d0, 0x2F9AE, 0x12fcc4) Syntax: NTSTATUS RtlDecompressBuffer( _In_ USHORT CompressionFormat, _Out_ PUCHAR UncompressedBuffer, _In_ ULONG UncompressedBufferSize, _In_ PUCHAR CompressedBuffer, _In_ ULONG CompressedBufferSize, _Out_ PULONG FinalUncompressedSize ); compressed decompressed 61

62 Layer 2: Self-code Injection Layer 1 Anti-Emulator Anti-Debugger Anti-Analysis decryption decoy Layer 2 (encrypted) overlay decryption garbage collection Layer 3 decrypted + compressed Layer 2 Decompression RtlDecompressBuffer Layer 3 decompressed Self-code Injection Anti-Antimalware Layer 3 resource section hashing for validity decryption Layer 4 Layer 2 62

63 Layer 2: Self-code Injection Steps: 1. Allocates new memory(0x8a0000) 2. Copies the decompressed Layer 3 to 0x8a Zeroes out the original location(0x400000) of Layer 2 4. Copies Layer 3 from 0x8a0000 to 0x Fixes IAT of Layer 3 in 0x Executes Layer 3 63

64 Layer 3: Anti-antimalware Layer 1 Anti-Emulator Anti-Debugger Anti-Analysis decryption decoy Layer 2 (encrypted) overlay decryption garbage collection Layer 3 decrypted + compressed Layer 2 Decompression RtlDecompressBuffer Layer 3 decompressed Self-code Injection Anti-Antimalware Layer 3 resource section hashing for validity decryption Layer 4 Layer 2 64

65 Layer 3: Anti-antimalware 1. Traverses the following folders: Program Files Program Files (x86) %AppData% 2. Creates hash value for the antimalware pathname 3. Creates registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows \Safer\CodeIdentifi ers\0\paths\[hash value] SaferFlags = 0 ItemData = pathname 65

66 Layer 3: Anti-antimalware 66

67 Layer 3: Generating Layer 4 Layer 1 Anti-Emulator Anti-Debugger Anti-Analysis decryption decoy Layer 2 (encrypted) overlay decryption garbage collection Layer 3 decrypted + compressed Layer 2 Decompression RtlDecompressBuffer Layer 3 decompressed Self-code Injection Anti-Antimalware Layer 3 resource section hashing for validity decryption Layer 4 Layer 2 67

68 Layer 3: Generating Layer 4 1. Copies RT_RCDATA from.rscr section to the heap memory 2. Calculates the hash (0x24D2EDEA) of the raw data 3. Decrypts the raw data 4. Calculates the hash(0x ) of the decrypted data(dll) 5. Creates random filename +.dat 6. Copies the decrypted data from heap memory to newly created file (Layer 4) 7. Creates new startup registry key for Layer 4(DLL) 68

69 Demo

70

71 Decoy File 71

72 Vawtrak and Volatility

73 Volatility 73

74 psxview c:\v24 --profile=winxpsp2x86 -f vawtrak.vmem psxview Volatility Foundation Volatility Framework 2.4 Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskth x01b8db28 mainout-crypted 224 True True True True True True True 0x019d4c90 cmd.exe 1420 True True True True True True True 0x01aa01d8 lsass.exe 680 True True True True True True True 0x wscntfy.exe 1672 True True True True True True True 0x0193c8d8 jusched.exe 1832 True True True True True True True 0x018ebda0 winlogon.exe 624 True True True True True True True 0x01aa4a28 svchost.exe 1208 True True True True True True True 0x01aaada0 svchost.exe 1044 True True True True True True True 0x018deac0 explorer.exe 1692 True True True True True True True <<cut>> 74

75 malfind c:\v24 --profile=winxpsp2x86 -f vawtrak.vmem malfind -p 224 Volatility Foundation Volatility Framework 2.4 Process: mainout-crypted Pid: 224 Address: 0x Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6 0x ec b ac USWV...$... 0x c d c fc...$...$. 0x c e f...f..$... 0x e c b 8c n..$8...$8 0x x x x x ec x89000a 8b8424ac x c78424d x89001c c78424fc x c784249e f6e 0x c x89003c 8b 0x89003d 8c2438 PUSH EBP PUSH EBX PUSH EDI PUSH ESI SUB ESP, 0x198 MOV EAX, [ESP+0x1ac] MOV DWORD [ESP+0xd4], 0x0 MOV DWORD [ESP+0xfc], 0x0 MOV WORD [ESP+0x9e], 0x6e0f MOV DWORD [ESP+0x138], 0x1 DB 0x8b MOV [EAX+EDI], FS 75

76 yarascan c:\v24 --profile=winxpsp2x86 -f vawtrak.vmem yarascan -p yara-rules="mz Rule: r1 Owner: Process mainout-crypted Pid 224 0x77dd0000 4d 5a ff ff MZ... 0x77dd0010 b x77dd x77dd f x77dd0040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd !..L.!Th 0x77dd f d e 6e 6f is.program.canno 0x77dd e e f t.be.run.in.dos. 0x77dd0070 6d 6f e 0d 0d 0a mode...$... 0x77dd0080 a8 6a e2 68 ec 0b 8c 3b ec 0b 8c 3b ec 0b 8c 3b.j.h...;...;...; 0x77dd0090 2f 04 d1 3b eb 0b 8c 3b 2f b e1 0b 8c 3b /..;...;/..;...; 0x77dd00a0 3d 07 d3 3b ee 0b 8c 3b ec 0b 8d 3b 54 0a 8c 3b =..;...;...;T..; 0x77dd00b0 2f 04 d0 3b ed 0b 8c 3b 2f 04 d2 3b ed 0b 8c 3b /..;...;/..;...; 0x77dd00c0 2f 04 ec 3b f1 0b 8c 3b 2f 04 d3 3b 7e 0b 8c 3b /..;...;/..;~..; 0x77dd00d0 2f 04 d6 3b ed 0b 8c 3b ec 0b 8c 3b /..;...;Rich...; 0x77dd00e x77dd00f c PE..L...q..I... Rule: r1 Owner: Process mainout-crypted Pid 224 0x77de8218 4d 5a 75 1d 8b 48 3c 8d b da d2 0x77de c f 94 c2 8b c2 5b 5d c2 04.<.PE...[].. 0x77de c0 eb f d 5a MZ... <<next slide>> 76

77 yarascan <<continuation>> 0x77de8248 8b ff 55 8b ec 51 8b f b 0x77de8258 7d fc f d 45 0x77de ff 75 0c ff 15 a8 11 dd f8 0x77de8278 ff f f x77de a ff 75 0c ff 15 0c 12 dd 77 8b d8 0x77de8298 3b de a ff dd 77 0x77de82a ff dd b 0x77de82b b 45 fc 5f 5e 5b c9 c2 0c x77de82c a a ff 75 0x77de82d8 0c ff dd 77 8b d8 83 fb ff ff 75 0x77de82e a 02 e8 57 ff ff ff fc ff x77de82f8 10 dd 77 eb bf ff dd 77 e9 e x77de b ff 55 8b ec 81 ec Rule: r1 Owner: Process mainout-crypted Pid 224 0x77de8240 4d 5a b ff 55 8b ec 51 8b 45 0x77de f b 7d fc x77de8260 0f d ff 75 0c x77de8270 ff 15 a8 11 dd f8 ff f x77de f a ff 75 0c 0x77de8290 ff 15 0c 12 dd 77 8b d8 3b de a 0x77de82a ff dd ff x77de82b0 dd b b 45 fc 5f 0x77de82c0 5e 5b c9 c2 0c a a..U..Q.E.SV3.HW. }..u.tgh..y...e.p.u..u...w....e.t.9u...y...v VVj.V.u...w.. ;.tavvvj.s...w S.G...4..w9w.tF. E...E._^[...Vh...j.Vj.h...u...w...t..u.Sj..W...S.E...4..w...T..w......U...P... MZ...U..Q.E.SV3.HW.}..u.tgH..Y...E.P.u..u....w...E.t.9u...Y...VVVj.V.u....w..;.taVVVj.S...wS.G...4..w9w.tF.E...E._ ^[...Vh...j.Vj 77

78 yarascan Rule: r1 Owner: Process mainout-crypted Pid 224 0x d 5a ff ff MZ... 0x b x x e x e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd !..L.!Th 0x f d e 6e 6f is.program.canno 0x e e f t.be.run.in.dos. 0x d 6f e 0d 0d 0a mode...$... 0x f d7 9a 16 0e b9 c9 16 0e b9 c9 16 0e b9 c9 Ro... 0x f 76 2c c9 17 0e b9 c9 16 0e b9 c9 15 0e b9 c9.v,... 0x004000a0 1f 76 2a c9 1b 0e b9 c9 16 0e b8 c9 4a 0e b9 c9.v*...j... 0x004000b c9 1b 0e b9 c c9 17 0e b9 c9 yx...yx#... 0x004000c c9 17 0e b9 c e b9 c9 yx$...rich... 0x004000d x004000e c PE..L... 0x004000f0 6e 22 2c e n",r... 78

79 yarascan Rule: r1 Owner: Process mainout-crypted Pid 224 0x001436d3 4d 5a ff ff MZ x001436e3 b d e8 00 0c 0e 0x001436f3 00 ba 0e 00 b4 09 cd 21 b c cd !...L.!Th 0x f d e is..program..can 0x e 6f e e 20 not..be.run.i.n. 0x f d 6f e 0d 0d 0a DOS.mo.de...$.. 0x f d7 9a 16 0e b9 c f 76 2c c9.ro...a...v,. 0x b f 2a c9 1b 02 0f b8 c9 4a 11...*...J. 0x f yx...yx#..'yx$ 0x ab c..Ric.h.3..PE..L 0x e 22 2c e b...n",R... 0x a e e 10...B..F...~. 0x b 05 cc x001437a a 00 9a f4 5f c7 02 0f 81...`..._... 0x001437b c c...A..h\... 0x001437c c d E.P... 79

80 yarascan Rule: r1 Owner: Process mainout-crypted Pid 224 0x001744e8 4d 5a ff ff MZ... 0x001744f8 b x x e x e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd !..L.!Th 0x f d e 6e 6f is.program.canno 0x e e f t.be.run.in.dos. 0x d 6f e 0d 0d 0a mode...$... 0x f d7 9a 16 0e b9 c9 16 0e b9 c9 16 0e b9 c9 Ro... 0x f 76 2c c9 17 0e b9 c9 16 0e b9 c9 15 0e b9 c9.v,... 0x f 76 2a c9 1b 0e b9 c9 16 0e b8 c9 4a 0e b9 c9.v*...j... 0x c9 1b 0e b9 c c9 17 0e b9 c9 yx...yx#... 0x001745a c9 17 0e b9 c e b9 c9 yx$...rich... 0x001745b x001745c c PE..L... 0x001745d8 6e 22 2c e n",r... 80

81 yarascan Rule: r1 Owner: Process mainout-crypted Pid 224 0x008a0000 4d 5a ff ff MZ... 0x008a0010 b x008a x008a e x008a0040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd !..L.!Th 0x008a f d e 6e 6f is.program.canno 0x008a e e f t.be.run.in.dos. 0x008a0070 6d 6f e 0d 0d 0a mode...$... 0x008a f d7 9a 16 0e b9 c9 16 0e b9 c9 16 0e b9 c9 Ro... 0x008a0090 1f 76 2c c9 17 0e b9 c9 16 0e b9 c9 15 0e b9 c9.v,... 0x008a00a0 1f 76 2a c9 1b 0e b9 c9 16 0e b8 c9 4a 0e b9 c9.v*...j... 0x008a00b c9 1b 0e b9 c c9 17 0e b9 c9 yx...yx#... 0x008a00c c9 17 0e b9 c e b9 c9 yx$...rich... 0x008a00d x008a00e c PE..L... 0x008a00f0 6e 22 2c e n",r... 81

82 yarascan Rule: r1 Owner: Process mainout-crypted Pid 224 0x00aaa668 4d 5a ff ff MZ... 0x00aaa678 b x00aaa x00aaa d x00aaa6a8 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd !..L.!Th 0x00aaa6b f d e 6e 6f is.program.canno 0x00aaa6c e e f t.be.run.in.dos. 0x00aaa6d8 6d 6f e 0d 0d 0a mode...$... 0x00aaa6e8 8b e6 cf f4 67 b5 cf f4 67 b5 cf f4 67 b5...g...g...g. 0x00aaa6f8 3e 32 a8 b5 d6 f4 67 b5 3e 32 aa b5 c4 f4 67 b5 >2...g.>2...g. 0x00aaa708 3e 32 a9 b5 95 f4 67 b5 c6 8c f4 b5 ca f4 67 b5 >2...g...g. 0x00aaa718 cf f4 66 b5 9c f4 67 b5 54 1f a8 b5 cd f4 67 b5..f...g.t...g. 0x00aaa f ae b5 ce f4 67 b5 54 1f ab b5 ce f4 67 b5 T...g.T...g. 0x00aaa cf f4 67 b c Rich..g.PE..L... 0x00aaa e1 2d e B.-R...! 0x00aaa758 0b

83 yarascan Libraries (DLL) loaded in the memory also have the MZ header. 83

84 Malware As A Platform

85 Malware As A Platform vawtrak vawtrak mainoutcrypted-5.exe decompressed executable encrypted overlay decrypted overlay compressed exe decompressed executable decompressed executable Diana-23.jpg mainoutcrypted-5.exe resource section payload executable 85

86