[FireEye report] LATENTBOT: Catch me if you have the skills.

[FireEye report] LATENTBOT: Catch me if you have the skills.

FireEye recently captured a highly obfuscated code Bot named LatentBot, which has been active since 2013. It has the ability to monitor users without being noticed, and can damage hard disks or even computers.

Based on our dynamic threat intelligence (ASD), we can clearly see that it targets the United States, Britain, South Korea, Brazil, the United Arab Emirates, Singapore, and Canada, activities in various industries in Peru and Poland (mainly in financial services and insurance ). It achieves multi-layer fuzzy, unique distribution mechanism, and successful infection of multiple organizations indeed attracts our attention.

The following lists some major features of LATENTBOT:

A) multi-layer obfuscation B) the strings used for decryption in the memory are deleted immediately after they are used. c) Different desktop shadow applications d) Primary Boot Record (MBR) clearing function e) similar to Ransomlock (locked desktop function f) hiding VNC connection g) modular design, which can be easily updated on victim machines h) very concealed bounce traffic, APIs, registry Key value and other dynamic decryption indicators I) Use Pony malware as one module to steal information

Overview

Concealment is one of its features. LATENTBOT's malicious code takes a short time in the memory. Most of the encoding data is stored in program resources and registries. A custom encryption algorithm is shared among different components. Of course, it also includes the encryption of command and control (CnC) communication. Based on this, its family binary file is usually named Trojan. Generic:

www.virustotal.com/en/file/39af310076282129e6a38ec5bf784ff9305b5a1787446f01c06992b359a19c05/analysis/

In fact, LATENTBOT itself is not targeted. Although it is found to be a terrible existence in many industries, it will selectively infect Windows systems, for example, Windows Vista or Server 2008 won't run. LATENBOT also uses the zombie server as the source of infection to simplify the infection and increase the difficulty of detection.

Based on passive DNS information and similar samples captured, LATENBOT may be active from 2013. We observed multiple successful infections in 2015.

 

Infection Vector

The first use of LATENTBOT to infect the victim has already included multiple layers of fuzzy. As shown in: Infection Stage

 

 

Step 1:

A malicious email contains a Word exploit created a long time ago using Microsoft Word Intruder [1] (MWI) builder and then sent to the victim.

Step 2:

When an additional Word file is opened, the embedded malicious execution file starts to run. At the same time, the system sends a prompt to the MWISTAT server to select:

1. Task tracking 2. Entering the second stage: downloading binary files

 

 

In our analysis, this word document downloads a binary file named LuminosityLink. LuminosityLink is a fully functional remote control software that can steal passwords, key records, transfer files, and activate microphones or webcams.

Step 3:

Because LuminosityLink is a fully functional remote control software that can completely control the target of infection, we are surprised that in the second stage, this remote control software will also go from emenike [.] download another payload from no-ip.info (180.74.89.183. This new module is our main character today, LATENTBOT.

Analyze LATENTBOT

Middleware (1dd0854a73288e833966fde139ffe385) is also part of our analysis work. Next we will discuss this very interesting malware in depth.

LATENTBOT is a obfuscated. NET binary file that contains an encoding resource object. This object is used to decode the payload in the fourth stage.

 

 

The payload in Phase 4 is also a. NET Binary Protection, and ConfuserEx v0.5.0-10-g6ebeec5 is used for obfuscation.

The binary file in Stage 4 will open the. Net Program regasm.exeand cvtres.exe from % windir % \ Microsoft. NET \ Framework \ v2.050727 \, and replace malicious code with process hollows in the memory.

The CvTres.exe process is replaced with a binary file packaged with Visual Basic UPX extracted from binary resources.

 

 

This binary file is used to create a registry key named dlrznz68mkaa.exe(aya.exe)

 

 

Afwliivfolder and dlrznz68mkaa.exe file names appear in the Confuser. NET binary format in the resource section in hard encoding. The content of aya_decrypted.exe resource is displayed.

 

RegAsm.exe will be replaced by a shellcode loader in the memory. This shellcode loader will open % windir % \ system32 \ svchost.exe and load the second shellcode loader using the same process hollowing technology. Then decode and execute the fifth-stage Delphi file in the memory.

Speaking of this, let's take a look at the new stage process:

 

Shows the Delphi file in which the decoding function in the second shellcode loader finally decodes the fifth stage:

 

Stage 5 Delphi file:

This is another boot device that uses the routing technology and executes the Phase 6 binary file in an instance named svchost.exe. In the resource part, the binary is encrypted. Only the function shown in figure is used for decryption at runtime:

 

You can see the aya.exe, regasm.exe, and two svchost.exe process trees using the process resource management tool. At this time, the sixth stage is suspended:

 

Stage 6 Delphi file:

The sixth stage is highly obfuscated. It can be seen from multiple encoding strings that represent the API function name, CnC IP address, POST/GET parameter, HTTP headers, process name, and so on. These are all decrypted at runtime.

First, the malware will perform multiple verifications. If the Windows OS version is 6.0 (Windows Vista, Windows Server 20082.16.pdf the parent path of the malware is not svchost.exeor assumer.exe, it will automatically exit.

Power Consumption to death:

If LATENTBOT is running on the notebook, it will query the battery status through GetSystemPowerStatus. If the battery status is low or the alarm value is displayed, it will call SetThreadExecutionState to prevent the system from sleep or disabling display.

 

Whether to install BOT_Engine

Next, LATENTBOT checks whether the downloaded plug-in is installed by querying the registry key. The encryption module should contain the following registry subkeys:

HKCU\Software\Google\Update\network\secure

After finding the plug-in, LATENTBOT will continue to load the BOT_Engine, but it will first verify that the linked CnC server is still alive through the TTP request.

 

LATENTBOT then verifies whether the HTTP response is one of the following:

200: requested resource success 302: Redirection 307: similar to 302

If the received response is not one of the three above, it will connect again in about 20 seconds.

If one of the received responses is received, LATENTBOT will continue to generate a beacon. Generate a URI Based on the infected host information. The following are two examples:

forum?datael=US-20-503634784811&ver=4006&os=2&acs=0&x64=0&gr=load-1.7.1.20&random=wopvrudsks

forum?datael=US-70-347126827175&ver=4006&os=5&acs=0&x64=0&gr=load-1.7.1.20&random=dbvcwhctdn

All GET parameters are decrypted at runtime, such as tgsz0D decodes to & gr.

Datael: - - In Is one of the following:

10 = Windows 2000 (5.0)20 = Windows XP (5.1)30 = Windows XP 64-Bit, Windows Server 2003/R (5.2)40 = Windows Vista, Windows 2008 (6.0)70 = Windows 7, Windows Server 2008 R2 (6.1)80 = Windows 8, Windows Server 201290 = Windows 8.1, Windows Server 2012 R2

The random and All are dynamic settings. Random randomly selects 10 characters from the buffer abcdefghijklmnopqrstuvxyz, and datael selects 12 integers from the buffer 0123456789012345678912345678. Initialize Delphi's Randomize () and call the Random () function in each loop iteration.

Note: Stored in the following registry key (created at runtime)

\ HKCU \ Software \ Adobe Acrobat \ data

OS: Major version of Windows OS. Use the same code as OS _Version. acs: the possible value is 1 or 0. if the malware runs under the SYSTEM permission, it is 1x64: the operating SYSTEM architecture flag recognizes that the ver and gr parameter values are hard-coded.

Then URI performs three-step algorithm encryption. The following describes the process.

Step 1: Customize replacement routine

Use a custom hard-coded search table to replace valid URI characters. Use different search tables according to their usage (encoding/decoding ).

 

At the same time, this routine encodes/decodes a WORD file, and each byte moves to the left or right according to different needs.

 

The result after adding the Moving position

 

Note: For encoding, a replacement routine is selected from three different search tables based on one parameter. In this example, we only use one query table.

Step 2: XOR modifier

Pass the replaced data to XOR modifier

 

The following table shows the use of different XOR modifier:

 

The same XOR modifier algorithm is also used in iBanking/TauSpy Android malware [2].

Step 3: Base64 encoding

The generated encoded URI is base64-encoded.

The entire algorithm can be expressed as follows:

Encryption:

encoded_uri  = base64_encode(substitute (xor_modifier(modifier, plain_text_uri)))

Decryption:

plain_text_uri = xor_modifier(modifier, substitute(base64_decode(encoded_uri)))

Apply the above replacement and XOR algorithm to the original URI:

forum?datael=US-20-503634784811&ver=4006&os=2&acs=&x64=0&gr=load-1.7.1.20&random=wopvrudsks

The following URI encoding:

Adl7k+v9qQGCaZti0LS9v++uFb6axeFE2twthNT9s3K6/oG0xjQS2Gqk+Udja91kch3nwphGANCtdr83tXSAaLJEi/qmG3xmKKPwR8lFncN9i93yfHRxFQ2EBC

The URI is converted to the standard Base64 encoding:

QWRsN2srdjlxUUdDYVp0aTBMUzl2Kyt1RmI2YXhlRkUydHd0aE5UOXMzSzYvb0cweGpRUzJHcWsrVWRqYTkxa2NoM253cGhHQU5DdGRyODN0WFNBYUxKRWkvcW1HM3htS0tQd1I4bEZuY045aTkzeWZIUnhGUTJFQkM=

Beacon ):

 

CnC response:

MDVvWVc2K3J5ZGV4ZlNyM0lycjQ5TFhkSnBmZWJTbms1Zkx0aEQzNWxqaFlqVS9XczN4MTNqV1RQOWtHWUF1ZERidzdkR0ZOdjI1UHAzT1pYcktBM2l5OGlWU04zMjByZDExOFNVREdObDk3QjdPNWtQUjhBU05jcjVybXR1Mkg=

Decoding URI yields:

mod:http://46.165.246.234/m/:Bot_Engine-A35CB08FB078051B27894BCD380EAC43-229376-018701-881384-8;

In fact, this is a module name (Bot_Engine, and a special ID) that will be downloaded during execution)

Download plug-ins

LATENTBOT downloads different plug-ins by sending different beacon:

 

The module name is disguised as a ZIP file, which is actually encoded data and saved to the secure registry key:

 

Use XOR modifier to decrypt the plug-in name. [See the XOR modifier table] to obtain the following module name:

hdtWD3zyxMpSQB = Bot_EngineQdW/DoI2F9J = SecurityRRrIibQs+WzRVv5B+9iIys+17huxID = Remote_desktop_serviceVRWVBM6UtH6F+7UcwkBKPB = Vnc_hide_desktopzRlBb9ofmNVErtdu = Pony_Stealer

The registry value displayed at the bottom has a specific purpose based on the plug-in used. It can be used as a status value, integrity check flag, or used to store binary file encoding.

Shows how the plug-in is loaded:

 

InjectionHelper

A new DLL (InjectionHelper, see) is decoded from the sixth stage Delphi file resource and then loaded to the current process through BTMemoryLoader.

The main purpose of injectionhelperis to merge svchost.exe and replace it in the memory (process hollowing technology ). A new line of injectionhelper1_bot_engineplug-in will be added to a new svchost.exe instance multiple times before it starts.

 

Plug-in description

BOT_ENGINE & SECURITY

BOT_ENGINE is mainly responsible for loading the remaining plug-ins. The loading technology is the same as the method used to use the BTMemoryLoader library. BOT_ENGINE communicates closely with the SECURITY module. The SECURITY Module checks whether anti-virus software is installed in the system (for the default installation path list of anti-virus software, see Appendix 1). This list uses the modifier 0xBB8 Algorithm for encryption.

If anti-virus software is detected in the system, an av = (E.g., Avast will be av = 1 ).

He also checks the video card through EnumDisplayDevice and returns the result through the vidtype parameter:

vidtype=1  for NVidiavidtype=2   for ATI or Radeonvidtype=0 for none of the above

BOT_ENGINE is a Delphi program similar to the sixth-stage Delphi loader. It completes specific tasks based on stub and the new thread. It extracts data from resources and uses the public key embedded in malware to verify the signature.

??

Extract public key:

??

Call the CryptImportKey API to call a key Binary Large Object (BLOB). The Binary large object contains a 2048-bit RSA public key used to verify the signature.

The following is BLOB Header. We can see that 2048 bits RSA public key

 

Other possible GET parameters;

 

After the BOT_ENGINE is successfully installed, all checks are performed. The agent installation status and error information are sent back to the CnC server. The plug-in name is displayed in the GET parameter of the plug-in.

The following is the plaintext beacon after the BOT_ENGINE is successfully installed:

forum?data=US-20-164346373561&ver=4006&os=2&av=19&acs=&x64=0&gr=engine-1.7.1.20-s&li=load-1.7.1.20&plugins=Bot_Engine-881384-8&errcode=0&bk=0¬e=0&dom=1&sockslog=0&vidtype=0&random=deabaotabf

The following table lists the commands supported by BOT_ENGINE:

 

PONY Plugin:

This plugin is the latest version of Pony Stealer 2.0 and supports bitcoin wallet theft.

 

It looks for different cryptocurrency wallets (similar to the VNC plug-in ).

VNC Plugin:

The VNC plug-in has more powerful functions than its name:

Keyboard recorder ICMP request Master Boot Record clear hidden VNC Remote Desktop control desktop intercept mouse events

Commands supported by the VNC module:

 

Note: after each command is executed, the encrypted status result is returned to CnC.

VNC plug-in command: killosanduninstils

After the command is executed, the following steps are sent:

Memory instance. The MBR cleaner will \\. \ Physicaldrive0 overwrites the first 512 bytes on the hard disk, and then exits the injection process. 2. the parent process will continue to delete traces of malware from the registry and file system. 3. the malicious process is terminated. 4. status information "kill OS function started + uninstall + shutdown mashine from 10 sec ..." Send to CnC5. and force restart through ExitWindowsEx API. This process is as follows:

 

MBR Wiper MD5 (4d0b14024d4a7ffcff25f2a3ce337af8) has been submitted seven times on VirusTotal since July 2013.

Run VNC

By running the VNC plug-in module in the system, you can easily see end users. This is different from a normal RDP session. It logs out of the end user and makes the activity easy to recognize.

The encrypted VNC plug-in is stored in the following key of the registry:

HKCU\Software\Google\Update\network\secure\

This key stores multiple encryption registry subkeys. The binary file will be decoded and injected to svchost.exe through injectionhelper.

Before the VNC plug-in is injected, LATENTBOT searches for the following VNC processes running on the system and ends these processes to prevent conflicts:

tvnserver.exe – TightVNC Softwarewinvnc.exe – UltraVNC Softwarevncserver.exe – RealVNC Softwarevncservice.exe – RealVNC Software

Summary

In this paper, we propose multiple plug-ins for applications in LATENTBOT. This design makes updates more convenient, and we will closely track the deployment of other plug-ins.

Despite the high-intensity obfuscation of LATENTBOT, it is not difficult to detect LATENTBOT in memory because multiple processes are injected.

Reference

[1] https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html

[2] Original version can be found here: https: // github [.] com/strazzere/android-scripts/blob/master/Decoders/TauSpy-iBanking/rollingobfuscation. java

Appendix

IOCs:
HBI:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load  = %AppData%\Roaming\aFwLiiV\dlrznz68mkaa.exeThe binary is a copy of aya.exeHKCU\Software\Adobe\Adobe Acrobat\data = 
 
  HKCU\Software\Google\Update\network\secureWith 0 to 5 subkeys representing modules names:HKCU\Software\Google\Update\network\secure\hdtWD3zyxMpSQBHKCU\Software\Google\Update\network\secure\QdW/DoI2F9JHKCU\Software\Google\Update\network\secure\RRrIibQs+WzRVv5B+9iIys+17huxIDHKCU\Software\Google\Update\network\secure\VRWVBM6UtH6F+7UcwkBKPBHKCU\Software\Google\Update\network\secure\zRlBb9ofmNVErtduHKCU\Software\Google\Update\network\updateHKCU\Software\Google\Common\Rlz\Events\UpdateHKCU\Software\Google\Common\Rlz\Events\EventsID
 

NBI:
CnC IPs (Some of them are compromised legitimate websites ):

46.165.246.234209.208.79.114REMOTESUPPORT.AARIVERSIDE.COM83.175.125.15083.175.125.152OFFICE.ONTIMEDATASOLUTIONS.COMESTREAM.HOMELINUX.COM95.211.230.21246.165.246.23437.220.9.229SBA-VIG.VIG.PLSBA2-VIG.VIG.PLITMANAGER.MASPEX.COMGATE.SPACESOFT.KRSUPREMOGW2.NANOSYSTEMS.ITCMC.COUNTERP.COM121.78.119.97136.243.16.249180.71.39.228220.76.17.25195.254.174.7483.13.163.21883.238.72.234155.133.120.21DATAROAD.IPTIME.ORG121.67.110.204

LATENTBOT Samples

1dd0854a73288e833966fde139ffe385 aya.exeaf15076a22576f270af0111b93fe6e03 lssm.exe47f220f6110ecba74a69928c20ce9d3e5446022c6d14a45fd6ef412a2d6601c5a11362a8e32b5641e90920729d61b3d4d349806ea1f2af0f447b2c9e20cb88f06ea9d27d23646fc94e05b8c5e921db9956ba76cf35a1121bf83920003c2af8252d2484d578bfcd983acb151c89e5a12008bb5f82dec4957ad9da12239f606a004135552b0045e7d67b26167f43b88a30af15076a22576f270af0111b93fe6e034d0b14024d4a7ffcff25f2a3ce337af8

BOT_ENGINE Plugin 1: The list of default installation paths of popular AV

Documents and Settings\All Users\Application Data\AgnitumDocuments and Settings\All Users\Application Data\avg10Documents and Settings\All Users\Application Data\avg8Documents and Settings\All Users\Application Data\avg9Documents and Settings\All Users\Application Data\AviraDocuments and Settings\All Users\Application Data\Doctor WebDocuments and Settings\All Users\Application Data\ESETDocuments and Settings\All Users\Application Data\f-secureDocuments and Settings\All Users\Application Data\G DATADocuments and Settings\All Users\Application Data\Kaspersky Lab\Documents and Settings\All Users\Application Data\McAfeeDocuments and Settings\All Users\Application Data\Microsoft\Microsoft AntimalwareDocuments and Settings\All Users\Application Data\PC ToolsDocuments and Settings\All Users\Application Data\SymantecDocuments and Settings\All Users\Application Data\Trend MicroDocuments and Settings\All Users\AVAST SoftwareDocuments and Settings\NetworkService\Local Settings\Application Data\F-SecureProgram Files\AgnitumProgram Files\Alwil SoftwareProgram Files\AVAST SoftwareProgram Files\AVGProgram Files\AviraProgram Files\BitDefender9Program Files\Common Files\Doctor WebProgram Files\Common Files\G DATAProgram Files\Common Files\PC ToolsProgram Files\DrWebProgram Files\ESETProgram Files\F-Secure Internet SecurityProgram Files\FRISK SoftwareProgram Files\Kaspersky LabProgram Files\McAfeeProgram Files\Microsoft Security EssentialsProgram Files\Norton AntiVirusProgram Files\Panda SecurityProgram Files\PC Tools Internet SecurityProgram Files\SymantecProgram Files\Trend MicroProgram Files\Vba32

VNC Plugin:

Searching for malware analyst tools

OLLYDBG

 DBG

W32DSM

 drivers\sice.sys drivers\ntice.sys drivers\syser.sys drivers\winice.sys drivers\sice.vxd drivers\winice.vxd winice.vxd vmm32\winice.vxd sice.vxd hgfs.sys vmhgfs.sys prleth.sys prlfs.sys prlmouse.sys prlvideo.sys prl_pv32.sys vpc-s3.sys vmsrvc.sys vmx86.sys vmnet.sys \\.\SICE \\.\SIWVID \\.\NTICE \\.\TRW \\.\TWX \\.\ICEEXT \\.\Syser \\.\SyserDbgMsg \\.\SyserBoot SbieDll.dll api_log.dll dir_watch.dll dbghelp.dll pstorec.dll Sandbox honeyq vmware nepenthes snort andyd c:\analysis joeboxcontrol.exe wireshark.exe regmon.exe filemon.exe procmon.exe SandboxieRpc SandboxieDcomLaunch.exe VBoxService.exe VMwareTray.exe VMwareService.exe VMwareUser.exe xenservice.exe sniff_hit.exe sysAnalyzer.exe procexp.exe autoruns.exe prl_cc.exe LoadOrd.exe Diskmon.exe RootkitRevealer.exe portmon.exe Tcpview.exe Dbgview.exe procdump.exe cfp.exe

Pony stealer Plugin:

List of Bitcoin Wallets and Currencies 1

Bitcoin Currencies:

BitcoinLitecoinNamecoinTerracoinPPcoinPrimecoinFeathercoinNovacoinFreicoinDevoinFrankoMegacoinQuarkcoinWorldcoinInfinitecoinIxcoinAnoncoinBBQcoinDigitalcoinMincoinGoldcoinYacoinZetacoinFastcoinI0coinTagcoinBytecoinFlorincoinPhoenixcoinLuckycoinCraftcoinJunkcoin

Wallets:

Armory walletElectrum walletMultibit wallet