Unmasking the Threat: Understanding Sophisticated Trojan-Dropper Mechanisms
Summary
First, thanks to Szabolcs Schmidt for calling on global malware analysts to analyze the samples on X. I really appreciate his work; he is helping to make cybersecurity safer and stronger. I have no other words: you are doing amazing work.
Abuse.ch's MalwareBazaar is an excellent platform for sharing and analyzing malware samples. By contributing to the community, I am helping to improve global cybersecurity defenses, and I have uploaded the sample to share.
In this report, I do not plan to dive deep into all the details of the technique, but it is possible to fill them in when there is enough time to analyze, and I would like to do that. In fact, there is more to learn by diving deeper into the malware itself.
Technical analysis
Basic info
The sample hashes:
MD5: A699AFD908E0DEC5C96FF7188450B89F
SHA256: f18631344d6f7fc57fd248edce37baeb11976e315b72b68d48311c406ace3f8c
Operating system: Windows(95)[I386, 32-bit, GUI]
(Heur)Packer: Packer detected [High entropy + Section 1 (".data") compressed]
Observing the timeline and activities of the malware running in the sandbox: it created many files, such as DLLs and XML files, created a scheduled task, and connected to a C2 server. From this behavior, it is highly likely that the malware is a Trojan dropper. The overall logic flow is shown in the figure below.
Fig.1 Trojan-Dropper Mechanisms
In the first stage, the Trojan dropper repeatedly tries to escalate privileges to execute malicious actions with the Windows “runas” command, triggering a UAC prompt for a program named like “%sVerify-%s.exe”, which is created in the temp path, for example “C:\Users\XXX\AppData\Local\Temp\Verify-VBmJOhWZBbsNCmG.exe”. Once it is allowed to execute, it drops a DLL file (e.g., eHMuMPu.dll). eHMuMPu.dll creates a new XML file (e.g., dAdyJ6J.xml) and writes a copy of the Trojan dropper itself under a new name (e.g., HfNUDO.exe) in a path like “C:\Program Files (x86)\Common Files\SpeechEngines\CSXW942RQP4MrCBvYGRyLsGsK\HfNUDO.exe”. In the next step, it runs the command line “schtasks /create /tn qb8iA2pa3SXfu /XML %AllUsersProfile%\Start Menu\6MGmiTas9Ndu41eCYbw\dAdyJ6J.xml /F” to create a new task named qb8iA2pa3SXfu from the XML definition, which executes the task every five minutes.
Fig.2 the first stage
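The persistence in this first stage depends on a task definition imported with schtasks /create /XML. The Python script below is an added example for this write-up (not code from the original post): it parses a Task Scheduler XML file and flags the traits seen here, a repetition interval of a few minutes, a hidden task, and an action that runs from a writable or unusual directory through random-looking path components. The XML embedded in it is constructed to mirror the described behavior; the real contents of dAdyJ6J.xml were not published, and the random-name heuristic is my own assumption.

```python
"""Triage a Windows Task Scheduler XML definition for the persistence pattern
described in the write-up (added example, not code from the original post).

The XML below is CONSTRUCTED: the task schema namespace is the real one, but
the five-minute repetition, hidden flag and command path only mirror the
behaviour described; they are not copied from the real dAdyJ6J.xml. Real task
files are UTF-16 on disk and should be passed to ET.fromstring() as bytes.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

SAMPLE_TASK_XML = f"""<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT5M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files (x86)\\Common Files\\SpeechEngines\\CSXW942RQP4MrCBvYGRyLsGsK\\HfNUDO.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Directories the dropper wrote to; legitimate scheduled tasks rarely run from them.
UNUSUAL_DIRS = re.compile(
    r"\\(AppData|Temp|ProgramData|Common Files|Start Menu|Users\\Public)\\", re.IGNORECASE)
# Heuristic (assumption): 12+ mixed-case alphanumerics with digits look machine-generated.
RANDOM_TOKEN = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{12,}$")


def iso8601_duration_seconds(value):
    """Convert a Task Scheduler duration such as 'PT5M' or 'P1DT2H' to seconds.
    Returns None when the value is missing or not a duration we understand."""
    if not value:
        return None
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def looks_random(name):
    return bool(RANDOM_TOKEN.match(name))


def triage_task_xml(xml_text):
    """Return the task's repetition interval, hidden flag, commands and findings."""
    root = ET.fromstring(xml_text)
    ns = {"t": TASK_NS}
    findings = []

    repetition = iso8601_duration_seconds(root.findtext(".//t:Repetition/t:Interval", namespaces=ns))
    if repetition is not None and repetition <= 15 * 60:
        findings.append("repetition-under-15-min")

    hidden = root.findtext("./t:Settings/t:Hidden", default="false", namespaces=ns).strip().lower() == "true"
    if hidden:
        findings.append("hidden-task")

    commands = []
    for exec_node in root.findall(".//t:Actions/t:Exec", ns):
        cmd = exec_node.findtext("t:Command", default="", namespaces=ns).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=ns).strip()
        commands.append((cmd + " " + args).strip())
        if UNUSUAL_DIRS.search(cmd) or UNUSUAL_DIRS.search(args):
            findings.append("command-in-unusual-dir")
        if re.search(r"rundll32(\.exe)?\b", cmd + " " + args, re.IGNORECASE):
            findings.append("rundll32-action")
        # Check every directory component and the file stem for random-looking names.
        if any(looks_random(part.rsplit(".", 1)[0]) for part in re.split(r"[\\/]", cmd)):
            findings.append("random-looking-path-component")

    findings = sorted(set(findings))
    return {"repetition_seconds": repetition, "hidden": hidden,
            "commands": commands, "findings": findings, "score": len(findings)}


if __name__ == "__main__":
    result = triage_task_xml(SAMPLE_TASK_XML)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a live host the same function can be fed the exported definition of a suspicious task (schtasks /query /tn <name> /XML, read as bytes), and any score of two or more on a task that no administrator recognizes is worth a closer look.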
In the second stage, the Trojan dropper HfNUDO.exe creates the DLL XSei1gC.dll at “%AppData%\Media Center Programs\5xHEBJtPlIJ2Ifh\XSei1gC.dll” and runs it with rundll32 through cmd.exe. This DLL queries the details of the task qb8iA2pa3SXfu and creates a new DLL, BJtPlI.dll, at “%ProgramFiles% (x86)\Common Files\WanNengSoftManager\hI5sEDIwfuuZzva7AiY5A75x\BJtPlI.dll”. Because the Trojan dropper executes the persistence task every five minutes, and each run creates the two DLLs with the same capabilities but different file names, the DLLs can be observed in different directories. It is so crazy!
Fig.3 create DLLs with persistence task
When BJtPlI.dll has been created by XSei1gC.dll, the malware moves to the third stage, which disables antivirus protection and removes Windows Defender as follows.
Fig.4 Anti Windows Defender
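The anti-Defender commands and registry policy changes of this stage, together with the schtasks and rundll32 command lines of the earlier stages, are highly visible in process-creation and registry telemetry. As an added example (not from the original post), the Python below applies a handful of detection rules to constructed, Sysmon-like log lines built from the command lines and registry keys reported in this write-up: the dropper's schtasks /XML registration, rundll32 loading a DLL with a random-looking export name from an unusual directory, rd /q /s on Windows Defender directories, MRT.exe deletion, and writes under the Windows Defender policy keys. The log format, the timestamps, the benign lines and the rule names are my own assumptions.

```python
"""Detection rules for the dropper's persistence and anti-Defender behaviour
(added example for this write-up, not code from the original post).

The log lines are CONSTRUCTED in a minimal 'timestamp|EventType|payload'
format, loosely Sysmon-like. Their command lines and registry paths come from
the IoCs in the write-up; the timestamps and the benign lines are made up.
"""
import re

# Directories the dropper used that legitimate software rarely executes from.
UNUSUAL_DIR = re.compile(
    r"(\\|%)(AppData|Temp|ProgramData|AllUsersProfile|Common Files|Start Menu|Users\\Public)(\\|%)",
    re.IGNORECASE)
# Heuristic (assumption): 12+ mixed-case alphanumerics with digits look machine-generated.
RANDOM_TOKEN = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{12,}$")
DEFENDER_POLICY = re.compile(
    r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\(Windows Defender|Microsoft Antimalware)\\", re.IGNORECASE)
UAC_POLICY = re.compile(r"\\Policies\\System\\EnableLUA$", re.IGNORECASE)
SMARTSCREEN_POLICY = re.compile(r"\\Policies\\Microsoft\\Windows\\System\\EnableSmartScreen$", re.IGNORECASE)

SAMPLE_LOG = [  # constructed; see module docstring
    r"2024-01-01T00:00:01|ProcessCreate|C:\Users\victim\AppData\Local\Temp\Verify-VBmJOhWZBbsNCmG.exe",
    r"2024-01-01T00:00:02|ProcessCreate|schtasks /create /tn qb8iA2pa3SXfu /XML %AllUsersProfile%\Start Menu\6MGmiTas9Ndu41eCYbw\dAdyJ6J.xml /F",
    r"2024-01-01T00:05:03|ProcessCreate|cmd.exe /c rundll32 %AppData%\Media Center Programs\5xHEBJtPlIJ2Ifh\XSei1gC.dll,A31RU8dofhmCksIVB0GquGp0C8FYekLqp2qvDoSbkisXSjuqUyxv6KG2aaSOGLRUN",
    r"2024-01-01T00:05:04|ProcessCreate|cmd.exe /c rd /q /s %ProgramFiles%\Windows Defender",
    r"2024-01-01T00:05:05|ProcessCreate|cmd.exe /c del %WinDir%\System32\MRT.exe /q /s /f",
    r"2024-01-01T00:05:06|RegistrySet|HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware|1",
    r"2024-01-01T00:05:07|RegistrySet|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA|0",
    r"2024-01-01T00:06:00|ProcessCreate|C:\Windows\System32\notepad.exe C:\Users\victim\notes.txt",
    r"2024-01-01T00:06:01|ProcessCreate|rundll32 C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"2024-01-01T00:06:02|RegistrySet|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|1",
]


def process_rules(cmdline):
    """Return the rule names that fire on one process command line."""
    hits = []
    low = cmdline.lower()
    if re.search(r"\bschtasks(?:\.exe)?\b.*\s/create\b.*\s/xml\s", low) and UNUSUAL_DIR.search(cmdline):
        hits.append("schtasks-xml-from-unusual-dir")
    m = re.search(r"\brundll32(?:\.exe)?\s+(.+?\.dll)\s*,\s*(\S+)", cmdline, re.IGNORECASE)
    if m:
        dll, export = m.group(1), m.group(2)
        if UNUSUAL_DIR.search(dll):
            hits.append("rundll32-dll-from-unusual-dir")
        if RANDOM_TOKEN.match(export):
            hits.append("rundll32-random-export")
    if re.search(r"\b(?:rd|rmdir)\b.*windows defender", low):
        hits.append("defender-dir-removal")
    if re.search(r"\bdel\b.*\\mrt\.exe\b", low):
        hits.append("mrt-deletion")
    if re.search(r"\\temp\\[^\\\s]+\.exe\b", low):
        hits.append("exec-from-temp")
    return hits


def registry_rules(key_path, value):
    """Return the rule names that fire on one registry value write."""
    hits = []
    if DEFENDER_POLICY.search(key_path):
        hits.append("defender-policy-tamper")
    if UAC_POLICY.search(key_path) and value.strip() == "0":
        hits.append("uac-disabled")
    if SMARTSCREEN_POLICY.search(key_path) and value.strip() == "0":
        hits.append("smartscreen-disabled")
    return hits


def scan(lines):
    """Yield (timestamp, rule, raw line) for every rule hit over the log."""
    alerts = []
    for line in lines:
        try:
            ts, event, payload = line.split("|", 2)
        except ValueError:
            continue  # malformed line, skip
        if event == "ProcessCreate":
            hits = process_rules(payload)
        elif event == "RegistrySet":
            key, _, value = payload.partition("|")
            hits = registry_rules(key, value)
        else:
            hits = []
        alerts.extend((ts, rule, line) for rule in hits)
    return alerts


def summarize(lines):
    """Count alerts per rule; useful to sanity-check a rule set against a sample."""
    counts = {}
    for _, rule, _ in scan(lines):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, rule, line in scan(SAMPLE_LOG):
        print(f"{ts}  {rule:32s} {line.split('|', 2)[2][:80]}")
```

The two benign lines (notepad and rundll32 loading shell32.dll with a normal export) produce no alerts, which is the point of pairing the directory and random-name checks: rundll32 alone is far too common to alert on, but rundll32 loading a DLL from %AppData% with a 60-character export name is not.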
In the fourth stage, BJtPlI.dll connects to the C2 server and carries out the attack campaign.
Fig.5 connect to C2 server
The C2 server was still reachable when this write-up was finished. Hunting on the IP 188[.]166.28.204, we can collect many attack samples deployed by the threat actor. The attack activity looks very hot; maybe that is why Szabolcs Schmidt was calling malware analysts. I really appreciate it again, and for now I will not dive deeper into the sample.
Fig.6 C2 server still working and hot attacking activities
Conclusion
From the above analysis, the malware appears to be a Trojan dropper. Using an XML definition to create a scheduled task is a somewhat new technique, and together with the multi-stage DLL technique, it is highly likely that this is a skilled and experienced APT group, a more hidden threat in the digital world; let's pay close attention.
IoCs
Files:
Trojan-Dropper
MD5 A699AFD908E0DEC5C96FF7188450B89F
SHA256 f18631344d6f7fc57fd248edce37baeb11976e315b72b68d48311c406ace3f8c
Dropped by Trojan-Dropper:
dAdyJ6J.xml
MD5 621d17a2e9562fb63248edec813fd481
SHA256 1853cc36050f36dc525ab479c77846e976525269066a6cf4bacc4e25eb55d465
eHMuMPu.dll
MD5 3c46ae847e57438d551ad2e5dceaa100
SHA256 107deecec00a31402430a813be00534e4a3cfc4ac5ded872caf4d2c50d117c25
BJtPlI.dll
MD5 056f31e74efa70a140105fdd74cff033
SHA256 6a66672beba2df1babb7801f63f3e171cf09b0807e1f7be86b42617a29eb983b
XSei1gC.dll
MD5 7c88d53706449de3a09dfd1ca60e81cb
SHA256 80c7d43c40872ff4b3a88f6d1dfe57c9facf9544eedfe08e7db7057e953eec9d
Host:
HKCU\Software\Microsoft\CTF\TOZYHhZP7JrXsnrqoh9bsgGED9aA
\SOFTWARE\Conexant\SAII\Controllayer\Si5cETIwNH7RbB7KQWrrV
cmd.exe /c rundll32 %ProgramFiles% (x86)\Common Files\SpeechEngines\GRyLsGsKSP7YyVjekJtym08\eHMuMPu.dll,A31RU8dofhmCksIVB0GquGp0C8FYekLqp2qvDoSbkisXSjuqUyxv6KG2aaSOGLRUN
schtasks /query /tn qb8iA2pa3SXfu
schtasks /create /tn qb8iA2pa3SXfu /XML %AllUsersProfile%\Start Menu\6MGmiTas9Ndu41eCYbw\dAdyJ6J.xml /F
%ProgramFiles% (x86)\Common Files\SpeechEngines\CSXW942RQP4MrCBvYGRyLsGsK\HfNUDO.exe
cmd.exe /c rundll32 %AppData%\Media Center Programs\5xHEBJtPlIJ2Ifh\XSei1gC.dll,A31RU8dofhmCksIVB0GquGp0C8FYekLqp2qvDoSbkisXSjuqUyxv6KG2aaSOGLRUN
rundll32 %AppData%\Media Center Programs\5xHEBJtPlIJ2Ifh\XSei1gC.dll,A31RU8dofhmCksIVB0GquGp0C8FYekLqp2qvDoSbkisXSjuqUyxv6KG2aaSOGLRUN
schtasks /query /tn qb8iA2pa3SXfu /FO LIST /V
HKCU\Software\Microsoft\Sensors\aFIYzgtmOjU2vEv\XJkYu2C7y3NPUVxpnW5WxGs0ISC
rundll32 %ProgramFiles% (x86)\Common Files\WanNengSoftManager\hI5sEDIwfuuZzva7AiY5A75x\BJtPlI.dll,cmlPc6dI8
cmd.exe /c rd /q /s %ProgramFiles%\Windows Defender
cmd.exe /c rd /q /s %ProgramFiles% (x86)\Windows Defender
cmd.exe /c rd /q /s %AllUsersProfile%\Microsoft\Windows Defender
cmd.exe /c rd /q /s %ProgramFiles%\Windows Defender Advanced Threat Protection
cmd.exe /c rd /q /s %ProgramFiles% (x86)\Windows Defender Advanced Threat Protection
cmd.exe /c del %WinDir%\System32\MRT.exe /q /s /f
cmd.exe /c del %WinDir%\SysWOW64\MRT.exe /q /s /f
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\DisableAntiVirus
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\ServiceKeepAlive
HKCU\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0\CheckSetting
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableSpecialRunningModes
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableRealtimeMonitoring
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates\ForceUpdateFromMU
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Features\TamperProtection
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Antivirus\Cloud Delivered Protection\DisableCloudProtection
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
HKLM\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen
%ProgramFiles% (x86)\Common Files\SpeechEngines\GRyLsGsKSP7YyVjekJtym08\eHMuMPu.dll
%ProgramFiles% (x86)\Common Files\SpeechEngines\CSXW942RQP4MrCBvYGRyLsGsK\HfNUDO.exe
%AllUsersProfile%\Microsoft\Windows\Start Menu\6MGmiTas9Ndu41eCYbw\dAdyJ6J.xml
%ProgramFiles% (x86)\Common Files\WanNengSoftManager\hI5sEDIwfuuZzva7AiY5A75x\BJtPlI.dll
Network:
TCP 188[.]166.28.204:80
UDP 188[.]166.28.204:137
End.
Labels: #APT, #Cybersecurity, #InfoSec, #Malware, #ThreatIntel, #TrojanDropper