Friday, March 14, 2025

The Art of Deception: A Deep Dive into Advanced Trojan-Dropper Obfuscation and Their True Intentions



Summary

 

First, thanks to Szabolcs Schmidt, who called on malware analysts worldwide to analyze the samples on X. I really appreciate his work; he is helping to make cybersecurity safer and stronger.

In this report, I plan to dive deeper into the details of this advanced Trojan dropper. Its strings look like the product of obfuscation mechanisms, but until now their true intention has been unknown.

The Trojan dropper is very intriguing and differs from what other APT groups produce. If you are keen to read the latest related report, please click here.

 

Technical analysis

 

Basic info

The sample hashes:

MD5: A699AFD908E0DEC5C96FF7188450B89F

SHA256: f18631344d6f7fc57fd248edce37baeb11976e315b72b68d48311c406ace3f8c

 

Operation system: Windows(95)[I386, 32-bit, GUI]

(Heur)Packer: Packer detected[High entropy + Section 1 (".data") compressed]

 

 

Advanced string obfuscation mechanisms?

The strings in the Trojan dropper are obfuscated, which makes static analysis alone a big challenge. They are also not encoded with simple base64 or XOR; it appears to be a good, user-defined advanced string obfuscation technique. Until now it has not been clear what it is, so let's find out.

Fig. 1 User-defined advanced string obfuscation techniques

 

Three categories for obfuscation mechanisms

The obfuscation-like string mechanisms shown above can be classified into three categories: a hardcoded prefix with %s, a hardcoded suffix with %s, and a hardcoded string without %s.

The hardcoded prefix with %s

Let's take the string "%s lbMG4xVIjgrp99jCpcEHRP2Dk4tuy" as an example: the function allocates a memory block of size a4 + 1 and, if the allocation succeeds (v5 is not NULL), sets the first byte of the allocated memory to the value of aSLbmg4xvijgrp9[0].

Fig. 2 The hardcoded prefix

 

 

The hardcoded suffix with %s

Let's take the string "iKutjR2ydZ1tUZPHflBndXLYdaNF%s" as an example: the function allocates a memory block of size a1 + 48239 and checks whether the length of the string "iKutjR2ydZ1tUZPHflBndXLYdaNF%s" is odd; regardless of the outcome of that check, it always returns the pointer v2.

Fig. 3 The hardcoded suffix

 

 

The hardcoded string without %s

Let's take the string "WaioFh2jmJmyIwAM" and the function sub_407FE3 as an example:

1. The string is related to sub_407F3E, which contains the hardcoded suffix; it is called with the argument 323, allocates memory, and immediately frees it;

2. Attempts to allocate memory of size a5 + 1;

3. If the allocation fails, retries up to 2060 (0x80C) times, sleeping 72 (0x48u) milliseconds between retries;

4. If all retries fail, terminates the program using exit(0);

5. Returns the pointer to the allocated memory.

Fig. 4 Without %s

 

Below is another example. It seems more complicated, but the design is similar: it allocates memory and immediately frees it, sleeps for different durations, and exits.

Fig. 5 Without %s
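As an added example (not code from the original post), the three categories above turned into a triage heuristic for a strings dump: it sorts each string by where its %s sits and marks as a likely decoy anything that, once the %s is stripped, is just one long, high-entropy alphanumeric token with no spaces, path separators, dots or switches. The sample list, the length and entropy thresholds and the "sequential fraction" check (so the random-name character table is not misfiled) are my own choices.

```python
import math
import re
from collections import Counter

# Constructed sample in the shape of a `strings` dump; the three decoys are the ones
# quoted in the analysis above, the rest are genuine strings also mentioned in the post.
SAMPLE_STRINGS = [
    "%s lbMG4xVIjgrp99jCpcEHRP2Dk4tuy",
    "iKutjR2ydZ1tUZPHflBndXLYdaNF%s",
    "WaioFh2jmJmyIwAM",
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
    'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"',
    "C:\\Users\\xxx\\AppData\\Local\\Temp\\",
]

def shannon_entropy(s: str) -> float:
    """Bits per character; a long random-looking token scores well above 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def sequential_fraction(s: str) -> float:
    """Share of adjacent pairs that ascend by exactly one code point
    (close to 1.0 for an alphabet table, near 0 for a random token)."""
    pairs = [ord(b) - ord(a) == 1 for a, b in zip(s, s[1:])]
    return sum(pairs) / len(pairs) if pairs else 0.0

def categorize(s: str) -> str:
    """The three categories used in the post, plus a bucket for %s mid-string."""
    if s.startswith("%s"):
        return "prefix %s"
    if s.endswith("%s"):
        return "suffix %s"
    return "embedded %s" if "%s" in s else "no %s"

def looks_like_decoy(s: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """Heuristic (thresholds are assumptions): strip the %s; a decoy is one long,
    high-entropy alphanumeric token that is not a character table."""
    body = s.replace("%s", "").strip()
    if len(body) < min_len or not re.fullmatch(r"[A-Za-z0-9]+", body):
        return False
    if sequential_fraction(body) > 0.5:
        return False  # alphabet/digit table such as the random-name charset
    return shannon_entropy(body) >= min_entropy

def triage(strings):
    """Return (string, category, decoy?) for each input; real format strings are kept."""
    return [(s, categorize(s), looks_like_decoy(s)) for s in strings]

if __name__ == "__main__":
    for s, cat, decoy in triage(SAMPLE_STRINGS):
        print(f"{'DECOY' if decoy else 'keep '} [{cat:<11}] {s}")
```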

 

 

 

What’s the purpose?

What purpose do those three categories serve as obfuscation techniques? Let's move on to the type without %s, which is a little harder to spot: it allocates memory, v23 points to the 31st byte (offset 31) of the allocated block, i.e. to a new offset within that block, and the block is then freed. The variable v23 is not used for any purpose. This naturally draws a malware analyst's close attention, and similar constructs are spread throughout the code.

Fig. 6 Unclear purpose 1

 

Let's look at more examples. The function sub_424BCE allocates memory, performs a specific initialization on it, and checks whether the first byte equals the ASCII value 49 (the character '1'). If so, v29 is incremented by 1; the memory is then freed. Again, the variable v29 is not used for any purpose.

Fig. 7 Unclear purpose

 

 

 

Finding new things

Until now, the purpose of these constructs has been unclear, and curiosity drives me to learn more. Observing the code carefully, I find that the function sub_407FE3 is used five times (only a snippet is shown here), so I am very keen to know the motivation behind it.

Fig. 8 sub_407FE3 is used five times

 

Let's move to the first sub_407FE3 call and step into sub_407F3E. The function allocates 48,562 bytes of memory with malloc (the argument 323 plus 48239); the expression strlen("iKutjR2ydZ1tUZPHflBndXLYdaNF%s") & 1 checks whether the length is odd, and the function always returns v2, the memory pointer. The string "iKutjR2ydZ1tUZPHflBndXLYdaNF%s" is used only as an input to a conditional calculation.

Fig. 9 sub_407F3E

 

The pointer v56 is then passed to the next function, sub_4149AA(2054, 247, 3125, 722, v56, 1464), which finally writes the temp directory path "C:\\Users\\xxx\\AppData\\Local\\Temp\\" into the allocated memory. So now we know that the string "iKutjR2ydZ1tUZPHflBndXLYdaNF%s" looks like an obfuscation technique, but in fact there is nothing to deobfuscate: the design intentionally misleads analysts into treating it as some kind of obfuscation.

Fig. 10 The Trojan dropper gets the temp directory

 

Moving forward and diving deeper into the function sub_410E9D(4552, 0, v55, 9993, 0, 1766, v51, v56, v54) and its parameters: the variable v55 comes from v55 = (void *)sub_407FE3(6897, 41, 862, 0, 2046); its value, 003B2AE0, is a pointer to memory that at this point does not seem to hold any valuable data.

Fig. 11 Without any valuable data

 

Moving on to the function sub_421C4C and diving into its details, we can see that it generates random strings (e.g. TujxgfVN) that become part of the Trojan dropper's file name, drawn from the character set "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; the whole process does not use any of the obfuscated-looking strings. It is really unbelievable that code which seems to be doing mathematical calculations is actually loading DLLs; it implies that the threat actor is highly skilled at hiding their purpose.

Fig. 12 The code for generating a random string

Fig. 13 Returning the random string TujxgfVN

 

The variable v55 is passed as a parameter to many functions, but let's focus on the next one, sub_410E9D, to see what happens.

Fig. 14 v55 is used many times

 

When sub_410E9D finishes, the contents at memory address 003B2AE0 have changed to the string "C:\\Users\\xxx\\AppData\\Local\\Temp\\Verify-TujxgfVN.exe": the Trojan dropper is about to be executed under a new name in the new directory. Yeah, that's it! The address is passed to the next function as a parameter.

Fig. 15 Creating a new Trojan dropper in the temp directory

 

Once the Trojan dropper Verify-TujxgfVN.exe has been created, it is launched via runas, a built-in command-line tool that allows a program or command to be run as a different user, typically with elevated privileges (e.g., as an administrator).

Fig. 16 Running the Trojan dropper Verify-TujxgfVN.exe

 

Conclusion

From the above analysis, the strings embedded in the Trojan dropper are not the product of obfuscation techniques; they are well-designed decoys tied to memory allocation and to the information the Trojan dropper will handle. Analysts don't need to attempt deobfuscation or decoding: the strings themselves carry no practical meaning such as prompt text, API names or system commands. The design is very different from other APT groups'. It seems the threat actors are good at math and at processing data in memory, have high programming skill, and understand how to hinder analysis and protect the malware itself. During debugging, I also found the command line “cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q \"%s\"”, which combines several actions to delete the dropper itself and counter debugging. All in all, this is a novel design and a new attempt at hiding their true intentions. Very special!
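As an added example (not from the original post), the two host-side observables this analysis surfaces, the renamed Verify-<random>.exe copy launched from %TEMP% via runas and the ping-then-Del self-deletion command line, written as detection logic run over a few constructed process-creation events. The events, the parent image names and the runas arguments are constructed; the eight-character name length is inferred from TujxgfVN.

```python
import re

# Constructed process-creation events as (parent_image, image, command_line).
# Paths and names follow the pattern described in the analysis, not real telemetry.
SAMPLE_EVENTS = [
    ("C:\\Users\\xxx\\Downloads\\invoice.exe", "C:\\Windows\\System32\\runas.exe",
     'runas /user:Administrator "C:\\Users\\xxx\\AppData\\Local\\Temp\\Verify-TujxgfVN.exe"'),
    ("C:\\Users\\xxx\\Downloads\\invoice.exe", "C:\\Windows\\System32\\cmd.exe",
     'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\\Users\\xxx\\Downloads\\invoice.exe"'),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe",
     "cmd.exe /C ping 8.8.8.8 -n 4"),
    ("C:\\Windows\\explorer.exe", "C:\\Program Files\\Git\\git-bash.exe",
     '"C:\\Program Files\\Git\\git-bash.exe" --cd-to-home'),
]

# ping used as a delay timer, chained with del of a (possibly quoted) path in one cmd line.
PING_DELETE_RE = re.compile(
    r'ping\s+\S+.*?&\s*del\s+(?:/\w\s+)*"?(?P<target>[^"]+?)"?\s*$', re.IGNORECASE)
# Dropper copy in %TEMP% named Verify-<8 alphanumerics>.exe (length taken from TujxgfVN).
TEMP_VERIFY_RE = re.compile(
    r"\\AppData\\Local\\Temp\\Verify-[A-Za-z0-9]{8}\.exe", re.IGNORECASE)

def classify_event(parent: str, image: str, cmdline: str) -> list[str]:
    """Return the detection tags that apply to one process-creation event."""
    findings = []
    m = PING_DELETE_RE.search(cmdline)
    if m and image.lower().endswith("\\cmd.exe"):
        target = m.group("target").strip()
        # Deleting the parent's own image is the self-removal described in the post.
        findings.append("self_delete_via_ping" if target.lower() == parent.lower()
                        else "delete_via_ping")
    if TEMP_VERIFY_RE.search(cmdline):
        findings.append("temp_verify_dropper")
        if image.lower().endswith("\\runas.exe"):
            findings.append("runas_from_temp")
    return findings

def scan(events):
    """Return (image, tags) for every event that triggered at least one detection."""
    hits = []
    for parent, image, cmdline in events:
        tags = classify_event(parent, image, cmdline)
        if tags:
            hits.append((image, tags))
    return hits

if __name__ == "__main__":
    for image, tags in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(tags)}")
```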

 

End.
