1. Preface
Recently, the Xshell vendor (NetSarang) issued a notice that a backdoor had been found in its software. Our interns analysed the backdoor in detail and confirmed that it is a sophisticated trojan capable of downloading malicious code and sending data back to its operators.
The backdoor code lives in nssock2.dll and uses multi-layer encrypted shellcode, junk ("flower") instructions, thread injection and other techniques to evade antivirus detection and hinder manual analysis. The overall flow is as follows.
2. Detailed Process Analysis
2.1 First-layer function analysis
Comparing nssock2.dll against the latest version in BinDiff quickly reveals a function that decrypts shellcode.
After stripping the junk instructions and entering the shellcode, the main function first queries whether the Data value exists under HKCU\SOFTWARE\%d or HKLM\SOFTWARE\%d, where %d is the hard disk serial number XORed with 0xD592FC92.
If the Data value exists, it is used as the key to decrypt and execute the second-layer shellcode. Otherwise a DNS request is sent to obtain configuration information, which is stored in the Data value and then used as the key to decrypt and execute the second-layer shellcode.
To obtain the configuration information, a domain name is first generated by a DGA (domain generation algorithm) based on the current year and month. The algorithm is as follows.
It then generates a prefix from information such as the GUID, host name and user name, encrypts it, prepends it to the DGA-generated domain, and sends a DNS request for the resulting name to obtain the configuration information.
The encryption consists of two main steps. The first step is as follows.
The second step is as follows.
The DNS servers used are 8.8.8.8, 8.8.4.4, 4.2.2.1, 4.2.2.2 and the current host's DNS server. After the key is received, the second-layer shellcode is decrypted; the code is as follows.
Interestingly, this decryption algorithm is the same as the one used when the DLL enters the first-layer shellcode. Following the usual CTF routine, we tried the same keys, key1 = 0xC9BED351 and key2 = 0xA85DA1C9, and successfully decrypted the second-layer shellcode.
2.2 Second-layer function analysis
According to Kaspersky's report, the second-layer shellcode is the Root plugin, and its entry function resembles DllMain.
Its main function first installs an exception handler that logs exceptions to %ALLUSERSPROFILE%\error.log, then initialises a function-pointer table (called by the other plugins) and loads five plugins.
By stepping into load_plugin under a debugger, the shellcode of all five plugins can be dumped. After the five plugins are loaded, the second function of the plugin with ID 103 (Install) is called.
2.3 Plugin function analysis
2.3.1 Install plugin (103)
Its main function is to adjust the privileges of the current process and then call the second function of the plugin with ID 102 (Config).
In addition, it creates a process with the current process's privileges and performs thread injection into winlogon.exe or svchost.exe. To debug the injected shellcode, break after VirtualAllocEx to obtain the virtual address allocated in the target process, then break at ResumeThread; once stopped there, attach to the target process, set a breakpoint at the previously obtained virtual address, and let ResumeThread run. Execution then breaks at that address and debugging can continue. Preliminary analysis shows that the injected shellcode is the Root plugin.
A mutex is created from the disk serial number: Global\%16-48 random Latin characters%
2.3.2 Plugins plugin (101)
Its main function is to monitor the registry key generated from the disk serial number, HKLM or HKCU\SOFTWARE\Microsoft\%5-12 random characters%. When it observes a value change, it decrypts the value, verifies whether it is a legitimate plugin, and loads and initialises it.
2.3.3 Config plugin (102)
This plugin mainly handles reading and writing the configuration. The configuration path is generated from the disk serial number; on our machine it was C:\ProgramData\MQGOMQQ\TOYMWGMQ\UMGSAIE\DIWEYK, and it is rewritten every time the plugin runs.
The default C&C address is dns://www.notped.com
2.3.4 Online plugin (104)
This plugin mainly communicates with the C&C server and dispatches received commands to the appropriate plugin for execution. It first selects the plugin that sends the request according to the protocol type.
If the protocol type is URL, it sends an HTTP request to the DGA-generated domain to obtain the real C&C server address.
In addition, this plugin collects more detailed host information by calling GetSystemTime, gethostbyname, GlobalMemoryStatusEx, GetNativeSystemInfo, GetDiskFreeSpaceExA, EnumDisplaySettingsW, GetSystemDefaultLCID, QueryPerformanceFrequency, QueryPerformanceCounter, GetCurrentProcessId, RtlGetVersion, GetSystemMetrics, GetNetworkParams and GetAccountSid.
2.3.5 DNS plugin (203)
This plugin is primarily used for DNS-protocol-based C&C communication.
3. Summary
This backdoor uses a variety of techniques to increase the difficulty of analysis and is a complete plugin-based attack platform; please upgrade to the latest version as soon as possible. If any of the above analysis is wrong, corrections are welcome.
4. Appendix
4.1 Shellcode string decryption script
from idaapi import *
from ctypes import *

# Address of the encrypted string in the IDB; the first two bytes are the 16-bit seed
addr = 0x274DFC8
seed = c_uint(Byte(addr) | (Byte(addr + 1) << 8))
result = [None] * 4096
for i in range(4090):
    # XOR each ciphertext byte with the low byte of the current seed
    result[i] = chr((seed.value & 0xff) ^ Byte(addr + 2 + i))
    # Advance the seed; c_uint keeps every intermediate in 32-bit unsigned arithmetic
    seed = c_uint(c_uint(c_uint(0x41120000 * seed.value).value - c_uint(0x434cbeee * (seed.value >> 16)).value).value - 0x2f878e0f)
# Strings are NUL-terminated; print up to the first NUL
end = result.index('\x00')
print ''.join(result[:end])
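The script above only runs inside IDA. The following is an added example, not part of the original report, that ports the same decryption routine to plain Python so it can be run on a byte buffer carved from a dump, and adds a small encrypt helper (my own construction, relying on XOR being symmetric) solely to build a constructed sample blob for testing; the constants are copied from the script above, and the sample string is not one extracted from nssock2.dll.

```python
def next_seed(seed: int) -> int:
    """Advance the keystream seed with the update rule from the appendix
    script, in 32-bit unsigned arithmetic (the c_uint wrapping in the original)."""
    return (0x41120000 * seed - 0x434CBEEE * (seed >> 16) - 0x2F878E0F) & 0xFFFFFFFF


def shadowpad_decrypt(blob: bytes) -> bytes:
    """Decrypt one encrypted string blob.

    Layout, as in the appendix script: bytes 0-1 are the little-endian 16-bit
    seed, the rest is ciphertext. Each byte is XORed with the low byte of the
    current seed, then the seed is advanced. The plaintext is NUL-terminated.
    """
    if len(blob) < 2:
        raise ValueError("blob too short: a 2-byte seed is required")
    seed = blob[0] | (blob[1] << 8)
    out = bytearray()
    for b in blob[2:]:
        out.append((seed & 0xFF) ^ b)
        seed = next_seed(seed)
    end = out.find(b"\x00")
    return bytes(out[:end]) if end >= 0 else bytes(out)


def shadowpad_encrypt(plaintext: bytes, seed16: int) -> bytes:
    """Construct a test blob. Assumption: the cipher is a plain XOR stream, so
    the same keystream encrypts. This helper is mine and is only used to build
    sample input; it is not taken from the report."""
    seed = seed16 & 0xFFFF
    out = bytearray([seed & 0xFF, seed >> 8])
    for b in plaintext + b"\x00":
        out.append((seed & 0xFF) ^ b)
        seed = next_seed(seed)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample, not a string extracted from nssock2.dll.
    sample = shadowpad_encrypt(b"dns://www.notped.com", 0x1234)
    print(sample.hex())
    print(shadowpad_decrypt(sample))
```

Because the seed starts as a 16-bit value, the `seed >> 16` term is zero on the first update and only contributes from the second byte onwards; the round trip in `__main__` exercises both cases.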
4.2 IOC related domain names

| Domain name | Date |
| --- | --- |
| ribotqtonut.com | July 2017 |
| nylalobghyhirgh.com | August 2017 |
| jkvmdmjyfcvkf.com | September 2017 |
| bafyvoruzgjitwr.com | October 2017 |
| xmponmzmxkxkh.com | November 2017 |
| notped.com | Default C&C domain name |
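Section 2.1 notes that the implant prepends an encrypted host-specific label to the DGA domain and sends the query to hard-coded public resolvers, so hunting for the domains above needs suffix matching on label boundaries rather than exact matches. The following is an added example, not part of the original report, that scans DNS query logs for the IOC domains in the table; the log layout ("timestamp client resolver qname") and the sample lines are constructed for the example, while the domains and resolver addresses are taken from the report.

```python
import re
from typing import Optional

# IOC domains from the report's appendix (section 4.2). The DGA rotates one
# domain per month; notped.com is the default C&C address.
IOC_DOMAINS = {
    "ribotqtonut.com",      # July 2017
    "nylalobghyhirgh.com",  # August 2017
    "jkvmdmjyfcvkf.com",    # September 2017
    "bafyvoruzgjitwr.com",  # October 2017
    "xmponmzmxkxkh.com",    # November 2017
    "notped.com",           # default C&C
}

# Public resolvers the implant queries directly (section 2.1).
IMPLANT_RESOLVERS = {"8.8.8.8", "8.8.4.4", "4.2.2.1", "4.2.2.2"}

# Constructed sample log in a hypothetical "timestamp client resolver qname"
# layout; these are not real captured records.
SAMPLE_LOG = """\
2017-08-03T10:15:01Z 10.0.0.5 8.8.8.8 x7k2pq9wd4.nylalobghyhirgh.com
2017-08-03T10:15:02Z 10.0.0.5 10.0.0.1 www.example.com
2017-08-03T10:16:40Z 10.0.0.7 8.8.4.4 www.notped.com
2017-08-03T10:17:11Z 10.0.0.9 10.0.0.1 mail.example.org
2017-08-03T10:18:05Z 10.0.0.5 4.2.2.1 notnylalobghyhirgh.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def matched_ioc(qname: str) -> Optional[str]:
    """Return the IOC domain that qname equals or is a subdomain of, else None.

    Matching is done on label boundaries: 'x7k2.nylalobghyhirgh.com' matches,
    'notnylalobghyhirgh.com' does not (a plain endswith() would wrongly flag it).
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_dns_log(log_text: str) -> list:
    """Scan log lines and return one hit dict per query that matches an IOC."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, resolver, qname = m.groups()
        ioc = matched_ioc(qname)
        if ioc is None:
            continue
        hits.append({
            "timestamp": ts,
            "client": client,
            "qname": qname,
            "ioc": ioc,
            # A query sent straight to one of the implant's hard-coded public
            # resolvers, bypassing the internal DNS, is a stronger signal.
            "direct_to_public_resolver": resolver in IMPLANT_RESOLVERS,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
```

On the sample above, the first and third lines are flagged (both to public resolvers), while `notnylalobghyhirgh.com` is correctly ignored because the IOC domain is not aligned on a label boundary.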
5. References
- https://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html
- https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf
Xshell Advanced Backdoor Complete Analysis Report (repost)