Golroted Trojan sample
IRS_REPORT PDF.scr624023448a39e6eadb9f7722fae2dcd3Subject: Urgent attention is needed!— \_(ʘ_ʘ)_/ (@pollo290987) October 30, 2017
- Process hollowing
- UAC bypass
- Anti-virus checks
- Persistence mechanism
- and others
- Yara signature
I. Process hollowing
The malware starts a process suspended with CreateProcessA(0x4 CREATE_SUSPENDED process creation flag). Ultimately, the malware replaces its content with the content of another. The malware allocates memory for the process replacement via NtAllocateVirtualMemory. Golroted obtains the thread context of the child process’ primary thread via NtGetContextThread, then retrieves the PEB address from the ebx register and reads the base address of the executable image from the PEB via NtUnmapViewOfSection. Then, the malware writes the base address of the injected image into the PEB via NtWriteVirtualMemory and sets the thread context of the child process’ primary thread via NtSetContextThread, which is finally resumed the primary thread via NtResumeThread.
The following native API calls the Golroted malware leverages for process hollowing:
The shortened and simplified process hollowing technique is as follows:
A. “Self injection”
The malware retrieves the path to itself via GetModuleFilenameA call and passes itself as an argument to the process hollowing function.
B. “Default Browser”
Golroted obtains the following browser locations in C:\\Program Files (x86)\\ or %PROGRAMFILES% and passes the output as an argument to the process hollowing function:
- Mozilla Firefox\\firefox.exe
- Internet Explorer\\iexplore.exe
The code blob is as follows:
The malware retrieves the path to notepad.exe in C:\Windows\SysWOW64\ and C:\Windows\system32\ passes itself as an argument to the process hollowing function.
II. UAC bypass
Golroted checks if the victim host has administrator privileges via IsUserAnAdmin API call. Then, if not admin, the malware executes the so-called “fileless” UAC bypass method that exploits Environment variables in Scheduled Tasks. This method is almost identical to the UAC bypass tweeted out in May 2017 by James Forshaw (@tiraniddo).
set a=hkcu\Environment /v windir /
reg add %a%d “cmd /K reg delete %a%f||”
schtasks/Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
— James Forshaw (@tiraniddo) May 15, 2017
The UAC code function is as follows:
III. Anti-virus checks
Golroted checks for the following Bitdefender location:
- C:\Program Files\Bitdefender
B. Kaspersky Anti-Virus
The malware checks for the following Kaspersky AV locations and processes:
- Kaspersky Lab\Kaspersky Anti-Virus
- C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus
- Kaspersky Lab\Kaspersky Internet Security
- C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security
- If the malware finds Kaspersky AV, it shuts down the machine
The C++ code is as follows:
IV. Persistence mechanism
Golroted creates persistence as .lnk in “[USERNAME]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\\Startup\.”
The code blob is C++ is as follows:
V. Delete Zone.Identifier flag using DeleteFile function
The malware deletes the zone identifier flag via DeleteFileA API to avoid being flagged by Explorer and prevent possible alert boxes when launching the executable.
Golroted also has various debug information that was presumably used for internal testing including “Notepad” process hollowing and the following presumably placeholders:
The observed mutex was as follows “UfeRKBdMoE”
5 thoughts on “Let’s Learn: Dissecting Golroted Trojan’s Process Hollowing Technique & UAC Bypass in HKCU\Environment”
Nice work ! Thank you for sharing 🙂
Glad you've enjoyed it.
This comment has been removed by the author.
very detailed. Thanks 🙂
Vitali. wanted to get in touch for some help with an investigation I'm working. firstname.lastname@example.org or on Twitter @mike_eckel. Thanks. Mike RFE/RL. Washington, DC.