WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

Forum for analysis and discussion about malware.
frz
Posts: 8
Joined: Fri Jun 19, 2015 10:05 am

Re: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

Post by frz » Wed Mar 30, 2016 4:08 pm

@rinn - can you please provide the md5 of the sample you extracted the config information from? I know your writeup mentions " Turla 2013 sample provided by R136a1" but I don't know which sample your post reflects. BTW - great work!

frz

User avatar
EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Re: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

Post by EP_X0FF » Fri Apr 01, 2016 1:46 am

Ring0 - the source of inspiration

frz
Posts: 8
Joined: Fri Jun 19, 2015 10:05 am

Re: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

Post by frz » Fri Apr 01, 2016 12:12 pm

:)

User avatar
R136a1
Forum Admin
Posts: 218
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

Post by R136a1 » Sun Apr 03, 2016 2:14 pm

Two days ago, I have started to analyse an unusual Turla dropper which adds an extra layer to the already known dropper and which pretends to be compiled in 2013 according to its time stamp. However, some of its final payloads have a newer compilation time stamp from 2014, leading to the assumption that this new dropper's time stamp is faked. Another indication that this new dropper is not from 2013 is the fact that it was first submitted to Virustotal in March 2016.

This new dropper is disguised as a legit JPEGView version, since it mixes some of the code with its own. Also, the file description corresponds to an old version of this image viewer. Its payload - an old Turla dropper from 2014 - is split up in 3 PNG files inside the resource section. So, it uses the same method for hiding its payload inside PNG files as the recently discovered ZeroAccess 3 dropper, although the implementation is a bit different. One can think that this new dropper seems to be inspired by ZeroAccess 3, but I don't think this is from the people behind Turla. Why should somebody disguise on old dropper inside an image viewer?

Recently, someone added an old Turla dropper which was crypted with VMProtect and an old Wipbot sample which was crypted with Enigma Protector. The latter when decrypted contains a resource named "TURLA" which would be quite unusual if it should be from the people behind Turla. It looks more like someone is experimenting with some old Turla samples to make them undetected to some security software.

At the end of 2014, CrySys Lab released two blog posts in which they write about testing the detection of APT tools by available security solutions. They also released a test tool named BAB0 which hides a payload inside a PNG file similar to ZeroAccess 3 dropper (ZA inspired by this?) and decrypts it with help of Javascript code. This new Turla dropper could be the advancement of this BAB0 tool created for detection purposes, but who knows... On the other side, there were some Turla samples uploaded to Virustotal recently with a compilation time stamp from 2016 (if not faked):
https://virustotal.com/en/file/2dc0f9e0 ... /analysis/
https://virustotal.com/en/file/9184be43 ... /analysis/
https://virustotal.com/en/file/af0e455f ... /analysis/
https://virustotal.com/en/file/d581b95b ... /analysis/

The decrypted old Turla dropper has a compilation time stamp from August 2014, so shortly before the latest known dropper (I have mistyped the year, it should be 2014). What is unusual about this version is that it has both versions (x86/x64) of the vulnerable VirtualBox driver on board and loads the appropriate file according to the used Windows platform. A possible explanation why they have done this could be that since Windows 8 also the 32-bit version requires kernelmode drivers to be signed if Secure Boot is enabled.

New Turla dropper: https://virustotal.com/en/file/b5228539 ... /analysis/
New Turla dropper decrypted (old dropper): https://virustotal.com/en/file/f697aa0b ... 459692191/

Payloads of old dropper attached.

That's all so far
You do not have the required permissions to view the files attached to this post.

a.falcon09
Posts: 1
Joined: Tue Apr 05, 2016 4:32 pm

Re: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

Post by a.falcon09 » Wed Apr 13, 2016 4:58 pm

R136a1 wrote:Two days ago, ...
Hey,
Thanks for sharing this, I was wondering if anyone digged in further to see how the PNG bytes are being mapped into the extracted dropper code.
I see its happening with:

Code: Select all

                        .text:0041BB28                 mov     [ebp+var_pBitMapData_pBitMapBuf], eax
			.text:0041BB2B                 lea     eax, [ebp+var_pBitMapData]
			.text:0041BB2E                 push    eax
			.text:0041BB2F                 push    61007h
			.text:0041BB34                 push    7               ; read write lock, buffer allocated by user
			.text:0041BB36                 lea     ecx, [ebp+var_3C]
			.text:0041BB39                 mov     [ebp+var_40], edi
			.text:0041BB3C                 mov     edx, [esi+4]
			.text:0041BB3F                 push    ecx
			.text:0041BB40                 push    edx
			.text:0041BB41                 call    GdipBitmapLockBits 


Munsta
Posts: 21
Joined: Tue Sep 30, 2014 6:52 pm

Re: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

Post by Munsta » Mon May 23, 2016 8:28 pm

From Swiss, https://www.melani.admin.ch/melani/en/h ... _ruag.html

TL;DR They made small mistake in paper, they wrote that it abuses VMWare instead of VBox.

User avatar
EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Re: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

Post by EP_X0FF » Tue May 24, 2016 2:58 am

Not a single interesting word. What is the point of reinventing this "super-duper" wheel every year? PR itself?
Ring0 - the source of inspiration

Post Reply