Hikit backdoor used in APT attacks


Postby frank_boldewin » Wed Aug 22, 2012 8:04 pm

Details to this malware are here:

The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1)
https://blog.mandiant.com/archives/3155

The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2)
https://blog.mandiant.com/archives/3189

Further information can be added to the above blog posts:

- The NDIS intermediate driver used as backdoor is based on public source code from 2009, see http://code.google.com/p/passthruivi/

- Driver code is available for Windows NT to Win7 (x86 + x64).

- The driver adds its self-signed cert (GlobalSign) to the Windows cert store, because the cat/inf files are signed with the GlobalSign cert, thus avoiding the interactive user dialog asking whether this should really be installed.

- They disable code signing in the registry to get properly loaded on x64 systems.

- The driver accepts the following commands:

shell <command> -> executes a command on the cmd shell and pipes its return buffer to the driver

file <code> -> depending on the code, several file operations are executed and the output is sent to the driver. Operations can be file reading (even at special offsets), attribute changing, writing to a file, directory creation and enumeration of files as well as finding directories by name.

proxy <code> -> depending on the code, several operations are allowed, e.g. termination of the proxy, connect to host:port and recv + forward, as well as forwarding data to a special host

connect <host> <port> <cookie-value> -> sends a GET request to a given host:port

exit -> ends a backdoor operation

Re: Hikit backdoor used in APT attacks

Postby dumb110 » Thu Aug 23, 2012 7:35 am

Interesting! Does anybody have a copy of the infected W7fw.sys and infected sethc.exe please :|

Re: Hikit backdoor used in APT attacks

Postby frank_boldewin » Thu Aug 23, 2012 4:13 pm

dumb110 wrote: Interesting! Does anybody have a copy of the infected W7fw.sys and infected sethc.exe please :|

There is no infected W7fw.sys. The Hikit driver IS the W7fw.sys. The different driver files (depending on which Windows OS gets infected) are all in the zip file attached to my first post. Look in the directory: Dropped-Ressources

Further, the replaced sethc.exe is nothing more than a plain cmd.exe.
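
As an added triage example (not code from the thread or from the Mandiant posts), the following PowerShell script checks a host for the three artefacts frank_boldewin describes: a self-signed cert injected into the machine Root/TrustedPublisher stores, the W7fw.sys driver file, and sethc.exe replaced by a plain cmd.exe. Default Windows paths and store names are assumed.

```powershell
# Added triage script; checks the host artefacts described in the thread.
# Paths and certificate store names are Windows defaults (assumption).

function Test-StickyKeysReplacement {
    param([string]$System32 = "$env:SystemRoot\System32")
    # The replaced sethc.exe is a plain cmd.exe, so on an infected host both
    # files hash identically; on a clean host the two hashes always differ.
    $sethc = Get-FileHash -Algorithm SHA256 -Path (Join-Path $System32 'sethc.exe')
    $cmd   = Get-FileHash -Algorithm SHA256 -Path (Join-Path $System32 'cmd.exe')
    [pscustomobject]@{
        Check      = 'sethc.exe is byte-identical to cmd.exe'
        Suspicious = ($sethc.Hash -eq $cmd.Hash)
        SethcHash  = $sethc.Hash
    }
}

function Get-HikitDriverCandidate {
    param([string]$Drivers = "$env:SystemRoot\System32\drivers")
    # The backdoor driver is dropped as W7fw.sys; report its Authenticode
    # state so the analyst can see what the injected store cert is vouching for.
    $path = Join-Path $Drivers 'W7fw.sys'
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    [pscustomobject]@{ Path = $path; Status = $sig.Status; Signer = $signer }
}

function Get-SelfSignedStoreCerts {
    # certmgr.exe -add ... -r localMachine Root / TrustedPublisher leaves a
    # self-signed cert in these stores. TrustedPublisher is normally empty on a
    # managed host, so anything there deserves review; self-signed Root entries
    # claiming GlobalSign must be compared with the vendor's published thumbprints.
    foreach ($store in 'Root', 'TrustedPublisher') {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" | Where-Object {
            $_.Subject -eq $_.Issuer -and
            ($store -eq 'TrustedPublisher' -or $_.Subject -like '*GlobalSign*')
        } | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotBefore  = $_.NotBefore
            }
        }
    }
}

Test-StickyKeysReplacement
Get-HikitDriverCandidate
Get-SelfSignedStoreCerts | Format-Table -AutoSize
```

Run it in an elevated session; the Root-store hits are a review list, not a verdict, since legitimate GlobalSign roots are self-signed too.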

Re: Hikit backdoor used in APT attacks

Postby dumb110 » Thu Aug 23, 2012 4:45 pm

https://www.virustotal.com/file/76efffa ... 345740007/
First seen by VirusTotal
2011-12-13 22:32:38 UTC ( 8 months, 1 week ago )

https://www.virustotal.com/file/3406cfe ... 345740193/
First seen by VirusTotal
2011-11-09 19:01:53 UTC ( 9 months, 2 weeks ago )

https://www.virustotal.com/file/565da8f ... 345740219/
First seen by VirusTotal
2012-08-23 07:06:50 UTC ( 9 hours, 38 minutes ago )

https://www.virustotal.com/file/8a830c4 ... 345740120/
First seen by VirusTotal
2009-04-22 16:59:20 UTC ( 3 years, 4 months ago )

This is epic! :lol:

Re: Hikit backdoor used in APT attacks

Postby frank_boldewin » Thu Aug 23, 2012 7:38 pm

And Kaspersky only detects

https://www.virustotal.com/file/565da8f ... 345740219/

because the rescan is 1 day old and the files were shared lately. Remember, the files are over 9 months old.
This is not epic, this is business as usual.
So don't rely on your AV product, rely on your brain and skills.


Re: Hikit backdoor used in APT attacks

Postby djnemo » Sun Aug 26, 2012 8:55 pm

When I was reading the analysis of Hikit I didn't understand one thing: Hikit adds a cert to the system with certmgr.exe
Code:
certmgr.exe -add GlobalSign.cer -c -s -r localMachine Root
certmgr.exe -add GlobalSign.cer -c -s -r localMachineTrustedPublisher

As far as I know, only these two commands and some registry change will not stop driver signing protection; some Authenticode signature is needed!
How does Hikit deal with Microsoft Authenticode?

Thanks