A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24821  by EP_X0FF
 Sat Jan 03, 2015 3:46 pm
Tigzy wrote:Cool, thanks. :!:
I've looked more on this and these hooks actually comes not from Xwskit but from payload it downloads and executes in explorer address space + lots of certificates.

from module.dll (https://code.google.com/p/v8/source/bro ... 24&r=20624)
Code: Select all
      v5 = GetModuleHandleA("ntdll.dll");
      result = (int)GetProcAddress(v5, "RtlPcToFileHeader");
      RtlPcToFileHeader_original = result;
      if ( result )
      {
        sub_10001FD0();
        v6 = GetCurrentThread();
        global_lock(v6);
        SetHook(&RtlPcToFileHeader_original, RtlPcToFileHeaderHook);
        result = global_unlock();
      }
    }
Code: Select all
HMODULE __stdcall RtlPcToFileHeaderHook(unsigned int a1, int a2)
{
  HMODULE result; // eax@3
  int v3; // esi@3

  if ( a1 < dword_1043864C || a1 >= dword_1043864C + dword_10438648 )
  {
    v3 = a2;
    result = (HMODULE)RtlPcToFileHeader_original(a1, a2);
  }
  else
  {
    result = GetModuleHandleA("ntdll.dll");
    v3 = a2;
    *(_DWORD *)a2 = result;
  }
  *(_DWORD *)v3 = result;
  return result;
}
src_iedriver\SpywareJSWrappers.cc
lol
Code: Select all
 n g _ % s   SocketWatcher   set First arg should be a file descriptor.  Second
 arg should boolean (readable).   Third arg should boolean (writable).    src_i
edriver\socket_watcher.cpp socketwatcher   d e s k t o p . i n i   SpInitialize
    DnsCacheGetDomainByAddr SpHookHttp  SpUnhookHttp    SpInsertInjection   SpI
nsertBlockedUrl  SpResetConfigs  SpHookRecv  SpHookSend  SpHookSockets   SpAddF
ilterRule SpRunVnc    SpTakeScreenshot    SpGetProcessList    GCreateSharedStri
ng GGetSharedString    GSetSharedString    SpGetLocalNetworkNeighborhood   SpGe
tLocalUsersAndGroups    DbgGetLoadedModulesList DbgGetModuleDebugInformation
 SpHookKeyboard  SpHookLsa   SpSetFileWatermark  SpGetFileWatermark  SpGetVendo
r src_iedriver\SpywareJSWrappers.cc   [ C L I P B R D ] % s [ / C L I P B R D ]
   [ E S C A P E ]     [ E N T E R ]   [ T A B ]   [ D E L E T E ]     [ C A P
S   L O C K ]   [ B A C K C P A C E ]   GetClipboardData    user32.dll  PeekMes
sageA    PeekMessageW    ☻▄♣►╡▐♦►Q█♣►Z█♣►}▀♦►RtlRunDecodeUnicodeString   ADVAPI
32.dll    CredIsProtectedW    CredUnprotectW  msv1_0.dll  LsaApLogonUserEx2   ☺
т♣►╡▐♦►Q█♣►.с♣►}▀♦►NtProtectVirtualMemory  LdrGetProcedureAddress  LdrLoadDll
NtMapViewOfSection  RtlNtStatusToDosError   ZwClose NtCreateSection worker  rem
oteAddress   remotePort  %d.%d.%d.%d chrome.exe  firefox.exe mswsock.dll Crypt3
2.dll opera.exe   chrome.dll  xul.dll NtDeviceIoControlFile   DnsQuery_A  dnsap
i.dll  DnsQuery_W  gdiplus.dll GdiplusStartup  GdiplusShutdown GdipCreateBitmap
FromHBITMAP GdipDisposeImage    GdipGetImageEncodersSize    GdipGetImageEncoder
s    GdipSaveImageToStream   ole32.dll   CreateStreamOnHGlobal   gdi32.dll   Cr
eateDCW   CreateCompatibleDC  CreateCompatibleBitmap  GetDeviceCaps   SelectObj
ect    BitBlt  DeleteObject    DeleteDC    i m a g e / j p e g     ╡ф[↔J·-EЬ▌]│ 
Do believe original google code merged with malware.

+ more hooks
Code: Select all
  v4 = GetModuleHandleA("ntdll.dll");
  dword_10438E88 = (int)GetProcAddress(v4, "NtDeviceIoControlFile");
  v5 = LoadLibraryA("dnsapi.dll");
  dword_10438E84 = (int)GetProcAddress(v5, "DnsQuery_A");
  v6 = LoadLibraryA("dnsapi.dll");
  v7 = GetProcAddress(v6, "DnsQuery_W");
  dword_10438FD0 = (int)v7;
  if ( dword_10438E88 && dword_10438E84 && v7 )
  {
    sub_10001FD0();
    v8 = GetCurrentThread();
    global_lock(v8);
    if ( dword_10438E88 )
      SetHook(&dword_10438E88, sub_1005FAB2);
    if ( dword_10438E84 )
      SetHook(&dword_10438E84, sub_1005F86C);
    if ( dword_10438FD0 )
      SetHook(&dword_10438FD0, sub_1005F8D0);
    if ( !global_unlock() )
      v0 = 1;
  }
Attachments
pass: infected
(1.92 MiB) Downloaded 97 times
 #24826  by EP_X0FF
 Sun Jan 04, 2015 4:44 am
We have established timeline

First mention of malware, first simple user mode backdoor, next v2.1 with driver

Win32/Gootkit

Next major version with adapted BkLoader (Cidox/Rovnix)

WinNT/Gootkit

Current fileless version

Win32/Xswkit
 #24827  by EP_X0FF
 Sun Jan 04, 2015 5:04 am
Kafeine wrote:From what i understand the team behind this is the gootkit team and are focused on France since months.
The loader I saw tied to this team were pushed in Angler (directly) or in Bedep (after Angler Fileless).
You were right. This fileless malware is simplified Gootkit previously equiped with Cidox/Rovnix bootkit. They have direct similarities explaining why parts of shellcode looks strange.

For example bootkit version was cross-platform x86-32/64 and used HKLM\Software\CXSW key with values binaryImage32/binaryImage64 to store payload. Plus absolutely the same UAC bypass implementation algorithm, shellcode same style etc.

So we can asume authors of Gootkit dropped BkLoader version (probably they finally realized Windows bootkits are crap by design), copied source from previous versions, tweaked it to Poweliks scheme and pushed to dropzones. All the anomalities in code explained by fast copy-paste method of development.
 #24845  by Tigzy
 Mon Jan 05, 2015 4:51 pm
The customer I was talking about has indeed a strange version of Gootkit.
I found Lsass.exe was also injected, with the regular services.exe / explorer.exe and web browsers.
The Lsass injection performs a hook on LsaLogonUserEx2 API (seen with Gmer), and that infection is able to restart without the RUN key :!: with a method I haven't found yet.
The cxsw registry key is restored after a reboot, and all injected processes are back to business... Autoruns doesn't find anything, the MBR looks clean.

I'm trying to get a virtualized version of that machine, I should be able to get it by tomorrow.
I'm thinking of a patched services.exe / lsass.exe maybe, because it looks like the malware is able to know when a user logs in and restore the payload registry key at this moment.
Ever heard of that kind of hook? (LsaLogonUserEx2)
 #24846  by EP_X0FF
 Mon Jan 05, 2015 4:55 pm
Tigzy wrote:The customer I was talking about has indeed a strange version of Gootkit.
I found Lsass.exe was also injected, with the regular services.exe / explorer.exe and web browsers.
The Lsass injection performs a hook on LsaLogonUserEx2 API (seen with Gmer), and that infection is able to restart without the RUN key :!: with a method I haven't found yet.
The cxsw registry key is restored after a reboot, and all injected processes are back to business... Autoruns doesn't find anything, the MBR looks clean.

I'm trying to get a virtualized version of that machine, I should be able to get it by tomorrow.
I'm thinking of a patched services.exe / lsass.exe maybe, because it looks like the malware is able to know when a user logs in and restore the payload registry key at this moment.
Ever heard of that kind of hook? (LsaLogonUserEx2)
LsaLogonUserEx2 hook this is credentials thief, source code http://alive-green.blogspot.ru/2013/10/ ... win-8.html, asume this is Gootkit developer personal blog (very likely as there number of the same code as that used in Gootkit).

Your customer probably infected not with simple Gootkit but with bootkit version and Gootkit user mode bot you are hunting probably just a independent payload module.
 #24847  by Tigzy
 Mon Jan 05, 2015 4:57 pm
Yeah that's what I thought, but MBR came clean with several tools like awsMBR.
Or maybe this is a really well hidden MBR, but usually they just hook into atapi MJ IRP... :/
I'll double check the MBR from offline read
 #24848  by EP_X0FF
 Mon Jan 05, 2015 4:58 pm
Tigzy wrote:Yeah that's what I thought, but MBR came clean with several tools like awsMBR.
Or maybe this is a really well hidden MBR, but usually they just hook into atapi MJ IRP... :/
I'll double check the MBR from offline read
It is Cidox/Rovnix based, check VBR.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 7