The Art of Deception: A Deep Dive into Advanced Trojan-Dropper Obfuscation and Their True Intentions
Summary
First, thanks to Szabolcs Schmidt, who called on malware analysts worldwide on X to analyse the samples. I really appreciate his work; he is helping to make cybersecurity safer and stronger.
In this report, I plan to dive deep into the details of this advanced Trojan dropper. Its strings look like the output of an obfuscation mechanism, but until now their true purpose has been unknown. The Trojan dropper is very intriguing and differs from those of other APT groups. If you are keen to read the latest related report, please click here.
Technical analysis
Basic info
The sample hashes:
MD5: A699AFD908E0DEC5C96FF7188450B89F
SHA256: f18631344d6f7fc57fd248edce37baeb11976e315b72b68d48311c406ace3f8c
Operating system: Windows(95)[I386, 32-bit, GUI]
(Heur)Packer: Packer detected[High entropy + Section 1 (".data") compressed]
Advanced string obfuscation mechanisms?
The strings in the Trojan dropper appear obfuscated, which makes static analysis alone a big challenge. They are not encoded with simple Base64 or XOR either; it looks like a custom, advanced string obfuscation technique. Until now it has been unclear what it really is, so let's dig in.
Fig. 1 User-defined advanced string obfuscation techniques
Three categories of obfuscation mechanisms
The strings above, which look like the output of an obfuscation mechanism, can be classified into three categories: a hardcoded prefix with %s, a hardcoded suffix with %s, and a hardcoded string without %s.
The hardcoded prefix with %s
Let's take the string "%s lbMG4xVIjgrp99jCpcEHRP2Dk4tuy" as an example: the function allocates a memory block of size a4 + 1 and, if the allocation succeeds (v5 is not NULL), sets the first byte of the allocated memory to the value of aSLbmg4xvijgrp9[0].
Fig. 2 the hardcoded prefix
The hardcoded suffix with %s
Let's take the string "iKutjR2ydZ1tUZPHflBndXLYdaNF%s" as an example: the function allocates a memory block of size a1 + 48239 and checks whether the length of the string "iKutjR2ydZ1tUZPHflBndXLYdaNF%s" is odd; regardless of the result of that check, the function always returns the pointer v2.
Fig. 3 the hardcoded suffix
The hardcoded without %s
Let's take the string "WaioFh2jmJmyIwAM" and sub_407FE3 as an example:
1. The strings are related to sub_407F3E, which includes the hardcoded suffix with the argument 323, allocates memory, and immediately frees it;
2. It attempts to allocate memory of size a5 + 1;
3. If the allocation fails, it retries up to 2060 (0x80C) times, sleeping for 72 (0x48) milliseconds between retries;
4. If all retries fail, it terminates the program using exit(0);
5. Otherwise it returns the pointer to the allocated memory.
Fig. 4 without %s
Below is another example. It seems more complicated, but the design is similar: it allocates memory and immediately frees it, sleeps for varying durations, and exits.
Fig. 5 without %s
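To triage strings like these at scale, here is an added example (not the dropper's code and not from the original report) that sorts strings into the three categories above and keeps only those whose non-%s part is a long, mixed-case, high-entropy alphanumeric token. The sample strings are the ones quoted in this report plus two constructed ordinary format strings; the length and entropy thresholds are assumptions.

```python
import math
import re
from collections import Counter

# Strings quoted in the report, plus two constructed ordinary format strings
# (the last two) to show that real format strings are left alone.
SAMPLE_STRINGS = [
    "%s lbMG4xVIjgrp99jCpcEHRP2Dk4tuy",
    "iKutjR2ydZ1tUZPHflBndXLYdaNF%s",
    "WaioFh2jmJmyIwAM",
    "Verify-%s.exe",
    "C:\\Users\\%s\\AppData\\Local\\Temp\\",
]

# Assumed heuristic: a decoy token is a run of at least 12 alphanumerics.
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{12,}$")

def shannon_entropy(s: str) -> float:
    """Bits per character of s; random mixed-case alphanumerics score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_random(token: str, min_entropy: float = 3.5) -> bool:
    """True if token mixes lower, upper and digits and has high entropy (thresholds assumed)."""
    if not TOKEN_RE.match(token):
        return False
    mixed = (any(c.islower() for c in token) and any(c.isupper() for c in token)
             and any(c.isdigit() for c in token))
    return mixed and shannon_entropy(token) >= min_entropy

def classify(s: str):
    """Map a string to 'prefix-%s', 'suffix-%s' or 'bare'; None if it is not a decoy candidate."""
    if s.startswith("%s"):
        return "prefix-%s" if looks_random(s[2:].strip()) else None
    if s.endswith("%s"):
        return "suffix-%s" if looks_random(s[:-2].strip()) else None
    if "%s" not in s:
        return "bare" if looks_random(s) else None
    return None  # %s in the middle: treated as an ordinary format string

def triage(strings):
    """Group decoy candidates by category; strings that classify as None are dropped."""
    groups = {"prefix-%s": [], "suffix-%s": [], "bare": []}
    for s in strings:
        cat = classify(s)
        if cat:
            groups[cat].append(s)
    return groups
```

Running triage over the output of a strings tool gives an analyst a list of candidates to check for the allocate-and-free pattern before spending time on decoding attempts.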
What’s the purpose?
What purpose do these three categories serve as obfuscation techniques? Let's start with the hardcoded-without-%s type, which is a little different: the function allocates memory, v23 points to the 31st byte (offset 31) of the allocated block, i.e. a new offset inside the block, and then the block is freed. The variable v23 is never used for anything. This really draws a malware analyst's attention, and similar constructs are spread throughout the code.
Fig. 6 unclear purpose 1
Let's continue with more examples. The function sub_424BCE allocates memory, performs a specific initialization on it, and checks whether the first byte equals ASCII 49 (the character '1'). If so, v29 is incremented by 1, and the memory is finally freed. The variable v29 is never used for anything.
Fig. 7 unclear purpose
Seems to be finding new things
Until now the purpose of these constructs has been unclear, and curiosity drives me to learn more. Observing the code carefully, I find that the function sub_407FE3 is used five times (only a snippet is shown here), so I am very keen to know the motivation behind this.
Fig. 8 sub_407FE3 is used five times
Let's move to the first call of sub_407FE3 and step into sub_407F3E. The function allocates 48,562 bytes of memory using malloc; the expression strlen("iKutjR2ydZ1tUZPHflBndXLYdaNF%s") & 1 checks whether the length is odd, and the function always returns v2, the memory pointer. The string "iKutjR2ydZ1tUZPHflBndXLYdaNF%s" is only used as input to that condition.
Fig. 9 sub_407F3E
Then the parameter v56 is passed to the next function, sub_4149AA(2054, 247, 3125, 722, v56, 1464), which finally writes the temp directory "C:\\Users\\xxx\\AppData\\Local\\Temp\\" into the allocated memory. So here we learn that the string "iKutjR2ydZ1tUZPHflBndXLYdaNF%s" looks like an obfuscation technique but in fact cannot be deobfuscated; the design intentionally misleads analysts into treating it as some kind of obfuscation.
Fig. 10 Trojan dropper gets the temp directory
Continuing and diving deeper into the function sub_410E9D(4552, 0, v55, 9993, 0, 1766, v51, v56, v54) and its parameters: the variable v55 comes from v55 = (void *)sub_407FE3(6897, 41, 862, 0, 2046), and its value 003B2AE0 is a pointer address that, at this point, seems to hold no valuable data.
Fig. 11 without any valuable data
Moving on to the function sub_421C4C and diving into its details, we find that it generates a random string used as part of the Trojan dropper's file name (e.g., TujxgfVN) from the character set "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; the whole process does not use any of the obfuscated-looking strings. It is really remarkable: the code seems to be doing mathematical calculations but is actually loading DLLs, which implies that the threat actor is highly skilled at hiding their purpose.
Fig. 12 the code for generating a random string
Fig. 13 return a random string TujxgfVN
The variable v55 is passed as a parameter to many functions, but let's focus on the next one, sub_410E9D, to see what happens.
Fig. 14 v55 is used many times
When sub_410E9D finishes, the contents of memory at address 003B2AE0 have changed to the string "C:\\Users\\xxx\\AppData\\Local\\Temp\\Verify-TujxgfVN.exe": the Trojan dropper is about to be executed under a new name in a new directory. Yeah, that's it! The value at this address is passed to the next function as a parameter.
Fig. 15 create a new Trojan dropper in the temp directory
Once the Trojan dropper Verify-TujxgfVN.exe has been created, it is triggered and executed via runas, a command-line tool that runs a program or command as a different user, typically with elevated privileges (e.g., as an administrator).
Fig. 16 running the Trojan dropper Verify-TujxgfVN.exe
Conclusion
From the analysis above, the strings embedded in the Trojan dropper are not an obfuscation technique but a well-designed scheme tied to memory allocation and to the information the Trojan dropper will handle. There is no need to try to deobfuscate or decode them: the strings themselves carry no practical meaning, such as prompt text, API names or system commands. The design is very different from that of other APT groups; it seems the threat actors are good at math and at processing data in memory, have high programming skill, and understand how to resist analysis and protect the malware itself. During debugging I also found the command-line instruction "cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q \"%s\"", which combines several actions to delete itself and hinder debugging. All in all, this is a novel design and a new attempt at hiding their true intentions. Very special!
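As an added example (not from the report or the sample itself), the following detection logic checks constructed process-creation events for the three behaviours described above: a Verify-<8 random alphanumerics>.exe placed in the user's Temp directory, its launch via runas, and the ping-then-Del self-delete command line. The "image | command line" event format and the exact runas command line are assumptions.

```python
import re

# Constructed process-creation events ("image | command line"); the runas
# command line is an assumption, the paths and the cmd.exe line come from the report.
EVENTS = [
    r'C:\Windows\System32\runas.exe | runas /user:Administrator C:\Users\xxx\AppData\Local\Temp\Verify-TujxgfVN.exe',
    r'C:\Users\xxx\AppData\Local\Temp\Verify-TujxgfVN.exe | C:\Users\xxx\AppData\Local\Temp\Verify-TujxgfVN.exe',
    r'C:\Windows\System32\cmd.exe | cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\xxx\AppData\Local\Temp\Verify-TujxgfVN.exe"',
    r'C:\Windows\System32\cmd.exe | cmd.exe /C ping 8.8.8.8 -n 4',
    r'C:\Program Files\Vendor\Verify-Update.exe | Verify-Update.exe /silent',
]

# Verify-<8 chars from [a-zA-Z0-9]>.exe under the user's Temp directory.
TEMP_DROPPER = re.compile(
    r'\\AppData\\Local\\Temp\\Verify-[A-Za-z0-9]{8}\.exe\b', re.I)

# ping used as a delay, then Del of a quoted path, as in the command line from the report.
SELF_DELETE = re.compile(
    r'cmd\.exe\s+/C\s+ping\s+\S+\s+-n\s+1\s+-w\s+\d+\s*>\s*Nul\s*&\s*Del\s+/f\s+/q\s+"([^"]+)"',
    re.I)

def parse_event(line: str):
    """Split a constructed 'image | command line' event into its two fields."""
    image, _, cmdline = line.partition(" | ")
    return image.strip(), cmdline.strip()

def detect(events):
    """Return (rule, detail) hits in event order; each event yields at most one hit."""
    hits = []
    for line in events:
        image, cmdline = parse_event(line)
        m = SELF_DELETE.search(cmdline)
        if m:
            hits.append(("self-delete", m.group(1)))  # detail: the file being deleted
        elif image.lower().endswith("runas.exe") and TEMP_DROPPER.search(cmdline):
            hits.append(("runas-temp-dropper", cmdline))
        elif TEMP_DROPPER.search(image):
            hits.append(("temp-dropper-exec", image))
    return hits
```

The self-delete rule matches on the structure of the command (ping delay, Nul redirect, forced quiet Del of a quoted path) rather than the exact IP, so it also fires if the 1.1.1.1 target is swapped out.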
End.
Labels: #Cybersecurity, #InfoSec, #Malware, #ThreatIntel, #TrojanDropper #APT