Hikit backdoor used in APT attacks

Forum for analysis and discussion about malware.
frank_boldewin
Posts: 116
Joined: Thu Apr 22, 2010 8:59 am
Location: germany

Hikit backdoor used in APT attacks

Post by frank_boldewin » Wed Aug 22, 2012 8:04 pm

Details to this malware are here:

The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1)
https://blog.mandiant.com/archives/3155

The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2)
https://blog.mandiant.com/archives/3189

Further info can be added to the above blog information:

- the NDIS Intermediate Driver used as a backdoor is based on public source code from 2009, see http://code.google.com/p/passthruivi/

- Driver code is available for Windows NT through Win7 (x86 + x64)

- the driver adds its self-signed cert (GlobalSign) to the Windows cert store, because the cat/inf files are signed with the GlobalSign cert, thus avoiding the interactive user dialog asking if this should really be installed.

- they disable code signing in the registry to get properly loaded on x64 systems.

- the driver accepts the following commands:

shell <command> --> executes a command on the cmd shell and pipes its return buffer to the driver

file <code> --> depending on the code, several file operations are executed and the output is sent to the driver. Operations can be file reading (even at special offsets), attribute changing, writing to a file, directory creation and enumeration of files, as well as finding directories by name.

proxy <code> --> depending on the code, several operations are allowed, e.g. termination of the proxy, connect to host:port and recv + forward, as well as forwarding data to a special host

connect <host> <port> <cookie-value> --> sends a GET request to a given host:port

exit --> ends a backdoor operation

dumb110
Posts: 107
Joined: Tue Jun 05, 2012 1:29 pm

Re: Hikit backdoor used in APT attacks

Post by dumb110 » Thu Aug 23, 2012 7:35 am

Interesting! Does anybody have a copy of the infected W7fw.sys and infected sethc.exe, please? :|

frank_boldewin
Posts: 116
Joined: Thu Apr 22, 2010 8:59 am
Location: germany

Re: Hikit backdoor used in APT attacks

Post by frank_boldewin » Thu Aug 23, 2012 4:13 pm

dumb110 wrote: Interesting! Does anybody have a copy of the infected W7fw.sys and infected sethc.exe, please? :|

There is no infected W7fw.sys. The Hikit driver IS the W7fw.sys. The different driver files (depending on what Windows OS gets infected) are all in the zip file attached to my first post. Look in the directory: Dropped-Ressources

Further, the replaced sethc.exe is nothing more than a plain cmd.exe.

dumb110
Posts: 107
Joined: Tue Jun 05, 2012 1:29 pm

Re: Hikit backdoor used in APT attacks

Post by dumb110 » Thu Aug 23, 2012 4:45 pm

https://www.virustotal.com/file/76efffa ... 345740007/
First seen by VirusTotal
2011-12-13 22:32:38 UTC ( 8 months, 1 week ago )

https://www.virustotal.com/file/3406cfe ... 345740193/
First seen by VirusTotal
2011-11-09 19:01:53 UTC ( 9 months, 2 weeks ago )

https://www.virustotal.com/file/565da8f ... 345740219/
First seen by VirusTotal
2012-08-23 07:06:50 UTC ( 9 hours, 38 minutes ago )

https://www.virustotal.com/file/8a830c4 ... 345740120/
First seen by VirusTotal
2009-04-22 16:59:20 UTC ( 3 years, 4 months ago )

This is epic! :lol:

frank_boldewin
Posts: 116
Joined: Thu Apr 22, 2010 8:59 am
Location: germany

Re: Hikit backdoor used in APT attacks

Post by frank_boldewin » Thu Aug 23, 2012 7:38 pm

And Kaspersky only detects

https://www.virustotal.com/file/565da8f ... 345740219/

because the rescan is 1 day old and the files were shared lately. Remember the files are over 9 months old.
This is not epic, this is business as usual.
So don't rely on your AV product, rely on your brain and skills.

djnemo
Posts: 4
Joined: Sun Aug 26, 2012 8:33 pm

Re: Hikit backdoor used in APT attacks

Post by djnemo » Sun Aug 26, 2012 8:55 pm

When I was reading the analysis of Hikit I didn't understand one thing: Hikit adds a cert to the system with certmgr.exe

Code:

certmgr.exe -add GlobalSign.cer -c -s -r localMachine Root
certmgr.exe -add GlobalSign.cer -c -s -r localMachine TrustedPublisher

As far as I know, only these two commands and some registry change will not stop driver signing protection; some Authenticode needs to be used!
How does Hikit deal with Microsoft Authenticode?

Thanks
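Added example, not part of this thread or of the Mandiant write-up: a PowerShell audit a defender can run against the technique described in the first post and in the certmgr commands quoted above, i.e. a self-signed certificate named like GlobalSign being dropped into the LocalMachine Root and TrustedPublisher stores so that the driver's signed cat/inf files install silently. The subject pattern `GlobalSign`, the baseline thumbprint list and the function names are assumptions for illustration. The genuine GlobalSign root certificates match the name pattern too, so comparing thumbprints against a known-clean reference host is what separates a planted copy from the real ones; a self-signed certificate in TrustedPublisher is unusual regardless, because that store normally holds end-entity publisher certificates. The bcdedit check at the end covers the x64 signing-enforcement settings a defender should look at; the thread only says the change was made "in the registry" and does not state which mechanism Hikit used.

```powershell
# Added example (not from the thread): audit the LocalMachine Root and
# TrustedPublisher stores for a certificate a driver installer may have
# planted, and report the x64 driver-signing policy state.
# $SuspectSubjectPattern and $KnownGoodThumbprints are assumptions; the
# baseline should come from a clean reference host of the same build.
param(
    [string]$SuspectSubjectPattern = 'GlobalSign',
    [string[]]$KnownGoodThumbprints = @()
)

function Get-SuspiciousStoreCerts {
    param([Parameter(Mandatory)][string]$StoreName)

    $path = "Cert:\LocalMachine\$StoreName"
    Get-ChildItem -Path $path | ForEach-Object {
        $cert    = $_
        $reasons = @()

        # Self-signed: subject and issuer are identical. Normal for a true
        # root CA in Root, abnormal in TrustedPublisher.
        $selfSigned = ($cert.Subject -eq $cert.Issuer)
        if ($selfSigned -and $StoreName -eq 'TrustedPublisher') {
            $reasons += 'self-signed cert in TrustedPublisher'
        }

        # Name match alone is weak evidence (real GlobalSign roots match too),
        # so it is only one reason among several.
        if ($cert.Subject -match $SuspectSubjectPattern) {
            $reasons += "subject matches '$SuspectSubjectPattern'"
        }

        # Thumbprint not present on the clean reference host: strongest signal.
        if ($KnownGoodThumbprints.Count -gt 0 -and
            $KnownGoodThumbprints -notcontains $cert.Thumbprint) {
            $reasons += 'thumbprint not in baseline'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $StoreName
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                SelfSigned = $selfSigned
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

function Get-DriverSigningPolicyState {
    # BCD options that weaken kernel-mode driver signature enforcement on x64.
    # This is a related check; the thread does not say which mechanism Hikit used.
    $out = & bcdedit.exe /enum '{current}' 2>$null
    [pscustomobject]@{
        TestSigning       = [bool]($out | Select-String -Pattern '^\s*testsigning\s+Yes' -Quiet)
        NoIntegrityChecks = [bool]($out | Select-String -Pattern '^\s*nointegritychecks\s+Yes' -Quiet)
    }
}

# Run the audit over both stores the certmgr commands in the thread touch.
$findings = @('Root', 'TrustedPublisher') | ForEach-Object { Get-SuspiciousStoreCerts -StoreName $_ }
$findings | Format-Table -AutoSize
Get-DriverSigningPolicyState
```

Run it elevated so that bcdedit can read the boot configuration; the certificate store enumeration works without elevation. Export the thumbprint list from a clean host of the same Windows build with the same enumeration and pass it as `-KnownGoodThumbprints`, otherwise the baseline reason is skipped and only the weaker name and self-signed heuristics apply.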
