
ESET: Analyzing New Zebrocy Components

The Sednit cybergroup has been active since at least 2004 and regularly makes the news. Sednit (better known as Fancy Bear) is believed to be behind the hack of the US Democratic National Committee before the 2016 elections, the World Anti-Doping Agency (WADA), the TV5Monde television network and other attacks. The group has a large set of malicious tools in its arsenal, some of which we documented in our last report.

We recently released a report on LoJax, a UEFI rootkit that is also linked to Sednit and was used in attacks in the Balkans and in Central and Eastern Europe.

In August 2018, Sednit operators deployed two new Zebrocy components, and since then we have seen a surge in the use of this tool. Zebrocy is a set of downloaders, droppers and backdoors. The downloaders and droppers are used for reconnaissance, while the backdoors provide persistence and spying capabilities. These new components use an unusual way to exfiltrate the collected data: the SMTP and POP3 mail protocols.


The victims of the new tools resemble those mentioned in our previous post about Zebrocy, as well as those described by Kaspersky Lab. The targets are in Central Asia and in Central and Eastern Europe, mainly embassies, foreign ministries and diplomats.

Overview



Figure 1. Diagram of old and new Zebrocy components

For two years, the Sednit group has used phishing emails as the infection vector for Zebrocy (variants 1 and 2 in Figure 1). After a compromise, the attackers used various first-stage downloaders to gather information about the victim and, if interested, deployed one of the second-stage backdoors a few hours or days later.

In the classic Zebrocy campaign scheme, the victim receives an archive attached to an email. The archive contains two files: a harmless document and an executable. The attackers try to deceive the victim by giving the second file a name typical of a document or image and using a "double extension".

The new campaign (variant 3 in Figure 1) uses a more complicated scheme, which we analyze below.

Delphi dropper


The first binary is a Delphi dropper, which is quite unusual for Zebrocy campaigns: in most cases the first-stage binary installed on the victim's system is a downloader.

The dropper uses several methods to complicate reverse engineering. In the samples examined, it uses the liver keyword to mark the beginning and end of key elements, as shown below.

    $ yara -s tag_yara.yar SCANPASS_QXWEGRFGCVT_323803488900X_jpeg.exe
    find_tag SCANPASS_QXWEGRFGCVT_323803488900X_jpeg.exe
    0x4c260:$tag: l\x00i\x00v\x00e\x00r\x00
    0x6f000:$tag: liver
    0x6f020:$tag: liver
    0x13ab0c:$tag: liver

The YARA rule above looks for the liver string. The first match (UTF-16) is used in the code and does not delimit anything, while the remaining matches delimit the key descriptor, the image (its hexdump is shown below) and the encrypted component inside the dropper.

    $ hexdump -Cn 48 -s 0x6f000 SCANPASS_QXWEGRFGCVT_323803488900X_jpeg.exe
    0006f000  6c 69 76 65 72 4f 70 65  6e 41 69 72 33 39 30 34  |liverOpenAir3904|
    0006f010  35 5f 42 61 79 72 65 6e  5f 4d 75 6e 63 68 65 6e  |5_Bayren_Munchen|
    0006f020  6c 69 76 65 72 ff d8 ff  e0 00 10 4a 46 49 46 00  |liver......JFIF.|

First, the image data is written to C:\Users\public\Pictures\scanPassport.jpg, if that file does not already exist.

Interestingly, the dropper file is named SCANPASS_QXWEGRFGCVT_323803488900X_jpeg.exe, which also suggests a phishing scheme related to passports and travel information. This may mean that the operator knew the purpose of the phishing message. The dropper opens the image and, if the file already existed, stops execution. Otherwise it opens it and reads the key descriptor OpenAir39045_Bayren_Munchen. The image is empty, although its format is valid; see the picture below.


Figure 2. ScanPassport.jpg

The key descriptor string contains Bayren_Munchen, most likely a reference to the FC Bayern Munich football team. In any case, it is not the content of the descriptor that matters but its length, which is used to obtain the XOR key for decrypting the component.

To obtain the XOR key, the dropper looks for the last liver keyword and moves forward by the length of the descriptor. The XOR key is 27 (0x1b) bytes long, identical to the length of the key descriptor.

Using the XOR key and a simple loop, the dropper decrypts the last part of the file: the encrypted component, which runs from immediately after the last tag to the end of the file. Note that the MZ header of the executable component starts right after the liver keyword, and the XOR key is read from a part of the PE header that is usually a run of 0x00 bytes; these bytes are restored once the component is decrypted, as shown in the figure below.
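The decryption described above, reconstructed in Python as an added example (not the dropper's code or ESET's tooling): it builds a constructed file with the same tag layout, then recovers the key and decrypts the component. The exact key offset is my assumption: the key is read 27 bytes past the start of the encrypted component, where a PE's DOS header is normally 0x00, which is also the only offset at which the key bytes line up with the cyclic XOR.

```python
import struct

TAG = b"liver"                             # delimiter keyword from the article
KEY_DESC = b"OpenAir39045_Bayren_Munchen"  # key descriptor; only its 27-byte length matters


def xor_cyclic(data: bytes, key: bytes) -> bytes:
    """The dropper's simple loop: XOR each byte with the key, repeating the key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def minimal_dos_header() -> bytes:
    """Constructed MZ stub: only e_lfarlc (0x18) and e_lfanew (0x3c) are set, so the
    reserved fields at 0x1a..0x3b are 0x00, as in a compiler-generated PE."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x18, 0x40)
    struct.pack_into("<I", hdr, 0x3c, 0x40)
    return bytes(hdr)


def build_sample_dropper(component: bytes, key: bytes) -> bytes:
    """Constructed stand-in for the dropper layout (not the real sample):
    code, TAG + key descriptor, TAG + empty JPEG, TAG + encrypted PE to EOF."""
    jpeg_stub = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 22 + b"\xff\xd9"
    return (b"\x00dropper code\x00" + TAG + KEY_DESC
            + TAG + jpeg_stub + TAG + xor_cyclic(component, key))


def split_layout(blob: bytes) -> tuple[bytes, bytes]:
    """Return (key descriptor, encrypted component) using the ASCII tags only;
    the first, UTF-16 tag inside the code is not matched by an ASCII search."""
    first = blob.find(TAG)
    second = blob.find(TAG, first + len(TAG))
    last = blob.rfind(TAG)
    if -1 in (first, second, last) or second == last:
        raise ValueError("unexpected tag layout")
    return blob[first + len(TAG):second], blob[last + len(TAG):]


def recover_key(blob: bytes) -> bytes:
    """Assumption (my reading of the article): the key sits len(desc) bytes into the
    encrypted component, inside the zeroed DOS header, so ciphertext == key there."""
    desc, enc = split_layout(blob)
    n = len(desc)
    if len(enc) < 2 * n:
        raise ValueError("encrypted component too short")
    return enc[n:2 * n]


def decrypt_component(blob: bytes) -> bytes:
    """Decrypt everything after the last tag and sanity-check the MZ signature."""
    _, enc = split_layout(blob)
    plain = xor_cyclic(enc, recover_key(blob))
    if plain[:2] != b"MZ":
        raise ValueError("XOR key did not produce an MZ header")
    return plain


def demo() -> tuple[bytes, bytes]:
    """Build the constructed sample with a known key and run the recovery on it."""
    key = bytes(range(1, 28))                 # constructed 27-byte key
    component = minimal_dos_header() + bytes(range(0x80, 0xc0))
    blob = build_sample_dropper(component, key)
    return recover_key(blob), decrypt_component(blob)
```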


Figure 3. Encrypted component (left) compared to decrypted component (right)

The component is dropped to C:\Users\Public\Documents\AcrobatReader.txt and the file is then renamed to C:\Users\Public\Documents\AcrobatReader.exe.

This may be an attempt to bypass endpoint protection that warns when a binary writes an .exe file to disk.

Once again the operator tries to deceive the victim: a user who looks at the directory sees the listing shown in the following image:


Figure 4. Component looks like a PDF file

By default, Windows hides file extensions, which the attacker exploits by dropping the executable into the Documents folder disguised as a PDF.

Finally, the dropper executes the dropped component and exits.

MSIL Mail Downloader


The component dropped by the previous dropper is a UPX-packed MSIL downloader. For a better understanding, the process logic is described first, then the source code is presented and the control flow is examined.

The Main method calls Run to start the application, which then creates Form1.

    {
        Application.EnableVisualStyles();
        Application.SetCompatibleTextRenderingDefault(false);
        Application.Run((Form) new Form1());
    }

Form1 initializes many variables, including seven new Timer objects.

    this.start = new Timer(this.components);
    this.inf = new Timer(this.components);
    this.txt = new Timer(this.components);
    this.subject = new Timer(this.components);
    this.run = new Timer(this.components);
    this.load = new Timer(this.components);
    this.screen = new Timer(this.components);

The Timer object has three important fields: Enabled, Interval and Tick. They are set as follows:

    this.start.Enabled = true;
    this.start.Interval = 120000;
    this.start.Tick += new EventHandler(this.start_Tick);
    this.inf.Interval = 10000;
    this.inf.Tick += new EventHandler(this.inf_Tick);
    this.txt.Interval = 120000;
    this.txt.Tick += new EventHandler(this.txt_Tick);
    this.subject.Interval = 120000;
    this.subject.Tick += new EventHandler(this.subject_Tick);
    this.run.Interval = 60000;
    this.run.Tick += new EventHandler(this.run_Tick);
    this.load.Interval = 120000;
    this.load.Tick += new EventHandler(this.load_Tick);
    this.screen.Interval = 8000;
    this.screen.Tick += new EventHandler(this.screen_Tick);

An Interval between 8 seconds and 2 minutes is set for each object, and a callback is registered for each Tick event. Note that only start has Enabled set to true, which means that after 2 minutes (120,000 milliseconds = 120 seconds) start_Tick will be called by the event handler.

    private void start_Tick(object sender, EventArgs e)
    {
        try
        {
            this.start.Enabled = false;
            Lenor lenor = new Lenor();
            // pick the drop directory: label15 if it exists, otherwise label16
            this.dir = !Directory.Exists(this.label15.Text.ToString()) ? this.label16.Text.ToString() + "\\" : this.label15.Text.ToString() + "\\";
            this.att = this.dir + "audev.txt";
            this._id = lenor.id(this.dir);
            this.inf.Enabled = true;
        }

Each Tick handler follows the same pattern: it first sets its own timer's Enabled to false, does its work, and then sets Enabled on the next timer to true, which activates the next stage. The operator uses Enabled to build something like a state machine: if a function fails, its timer keeps firing until the function succeeds. The delay between the execution of two functions may also be an attempt to evade antivirus protection by adding a delay.

Having described the structure of each method, we now turn to the control flow. Below is an overview of the steps in the form of an email exchange between mailboxes.


Figure 5. Email exchange

The malware checks for the existence of a specific path, which is used to drop each of the files during execution. If possible, C:\Users\Public\Videos\ is used; otherwise C:\Documents and Settings\All Users\Documents\ is the default directory. Note that the second path is specific to Windows XP, while the first is for Vista and later.

A 16-byte id is generated by concatenating the serial number of the C: volume and the user name; it is stored in the audev.txt file.

The loader collects the following information:
- current application path
- operating system version
- system directory
- user domain
- machine name
- user name
- current time zone
- The current date
- a list of logical drives and information about each of them (model, serial number, etc.)
- listing directory C: \ Program Files \ and C: \ Program Files (x86) \
- process list

This data is stored in the file C:\Users\Public\Videos\si.ini and sent as an email attachment via SMTPS on the default port 465. The message body contains the string SI (which may stand for System Information), and the recipient is sym777.g@post.cz. Throughout the whole exchange, the subject of the emails is the id.

The operator decided to have several backup addresses and sends the same email to two other recipients, most likely in case the main address stops working. After sending the email, the downloader deletes the si.ini file.

During the first launch of the malware, a set.txt file is created containing the text {System_Parametrs = 10}, and an entry is written to a Windows registry key.


Figure 6. Registry Persistence

A screenshot of the victim's computer is taken, saved as scx.bin, and sent as an email attachment with the text SC (which may stand for Screenshot) in the body.

After sending, the malware connects to the mailbox kae.mezhnosh@post.cz via POP3 over SSL (port 995) and searches for messages whose subject matches the id. If such a message exists and its body is not empty, the malware decrypts it and sends a message with okey in the body to sym777.g@post.cz. The content of the received message is then cleaned up and parsed as follows:

    string[] strArray = this._adr.Replace("B&", "").Replace("Db", "").Split('%');
    string str1 = strArray[0];
    string str2 = strArray[1];

Two strings result: the first is the password and the second is the user name for the mail account.

The new credentials are used to connect to the received mailbox and search it for messages whose subject matches the malware's id and whose attachment has the string audev in its file name. If both conditions are met, the malware saves the attachment and deletes the message from the server.

Emails are sent to sym777.g@post.cz, while messages retrieved via POP3 come from the address whose credentials were just received.

The attacker's scheme complicates the investigation. First, if you have the mail downloader, you cannot connect to the mailbox containing the next stage.

Second, even if you obtain the mail credentials, you still cannot retrieve the next payload, because it is deleted once received.

When the downloader successfully writes the attachment to disk, it sends an email with okey2 in the body and an attachment l.txt containing 090. The same file is then overwritten with zeros, and the malware tries to retrieve another message. If this succeeds, l.txt is sent with okey3 in the body. The content of that attachment is a directory and file name, and the malware moves the audev file to that path. Finally, the malware sends an email with okey4 in the body and l.txt attached. It then launches the executable audev.exe and checks the process list for the string audev.

    Process.Start(this.rn);
    foreach (Process process in Process.GetProcesses())
    {
        if (process.ProcessName.Contains("audev"))
    }

If such a process name is found, a last email is sent containing okey5 with l.txt attached. Finally, l.txt and set.txt are deleted, the created Windows registry key is removed, and the program terminates.

Delphi Mail Downloader


The main role of the downloader is to assess the importance of the compromised system and, if it looks interesting, to download and execute the latest Zebrocy downloader.

The binary is written in Delphi and packed with UPX. The full definition of the TForm1 object can be found in its resource section; it lists some of the configuration parameters used. The following sections describe the downloader's initialization, capabilities and network protocol.

Initialization


First, a set of strings (email addresses and passwords) is decrypted. The operator uses AES in ECB mode. Each string is stored hex-encoded; the first four bytes of the decrypted data give the final size of the decrypted string (the decrypted strings may end with some padding). The TForm1 object contains two AES keys: the first is used to encrypt data and the second to decrypt it.

The operator uses the mail addresses and passwords to send commands to the malware and to obtain the information collected from the victim's computer. The communication protocols are SMTP and POP3, both over SSL. To use OpenSSL, the malware drops and loads two OpenSSL dynamic libraries: libeay32.dll (98c348cab0f835d6cf17c3a31cd5811f86c0388b) and ssleay32.dll (6d981d71895581dfb103170486b8614f7f203bdc).


Figure 7. OpenSSL DLL properties

Note that all files are dropped into the working directory C:\Users\Public\.

Persistence is set up during the first execution of the malware through the well-known logon script technique. A file registr.bat is created and several lines from the TForm1 object are written to it. The final script looks like this:

    reg add HKCU\Environment /v "UserInitMprLogonScript" /t REG_EXPAND_SZ /d "C:\Users\Public\Videos\audev.exe" /f
    del C:\Users\Public\Videos\registr.bat
    exit
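A defender-side check for this persistence entry, added here as an example (not part of ESET's analysis or the malware's code): it parses a reg.exe export of HKCU\Environment, decodes the REG_EXPAND_SZ value and flags a UserInitMprLogonScript that points into one of the public drop directories named in this article. The export text is constructed, and the parser and function names are my own.

```python
import re

# Value name the Delphi mail downloader sets under HKCU\Environment (from the article).
LOGON_SCRIPT_VALUE = "UserInitMprLogonScript"
# Drop directories named in the article; any user can write here, so a logon script there is a red flag.
PUBLIC_DIRS = ("c:\\users\\public\\", "c:\\documents and settings\\all users\\")

# Constructed reg.exe export (not a capture): a benign TEMP value plus the
# persistence value from the article, stored as REG_EXPAND_SZ (hex(2)) in UTF-16LE.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Environment]
"TEMP"="%USERPROFILE%\\AppData\\Local\\Temp"
"UserInitMprLogonScript"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,\
  50,00,75,00,62,00,6c,00,69,00,63,00,5c,00,56,00,69,00,64,00,65,00,6f,00,73,00,5c,00,\
  61,00,75,00,64,00,65,00,76,00,2e,00,65,00,78,00,65,00,00,00
"""


def _join_continuations(text: str) -> list[str]:
    """reg.exe wraps long hex values with a trailing backslash; rejoin those lines."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""
    return lines


def decode_hex2(value: str) -> str:
    """hex(2) is REG_EXPAND_SZ: comma-separated UTF-16LE bytes with a NUL terminator."""
    raw = bytes(int(b, 16) for b in value.split(",") if b)
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Minimal .reg parser: {key_path: {value_name: decoded_string}}; other types are skipped."""
    result, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)', line) if current else None
        if not m:
            continue
        name, data = m.groups()
        if data.startswith("hex(2):"):
            result[current][name] = decode_hex2(data[len("hex(2):"):])
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            result[current][name] = data[1:-1].replace("\\\\", "\\")   # REG_SZ escapes
    return result


def find_logon_script_persistence(text: str) -> list[tuple[str, str, bool]]:
    """Return (key, script_path, in_public_dir) for every UserInitMprLogonScript found."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith("\\environment"):
            continue
        for name, path in values.items():
            if name.lower() == LOGON_SCRIPT_VALUE.lower():
                findings.append((key, path, path.lower().startswith(PUBLIC_DIRS)))
    return findings
```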

Last but not least, the malware creates an id in the same way as the previously described Zebrocy binaries: it gets the user name via the GetUserNameW Windows API and prepends the serial number of the C:\ drive.

Capabilities


Since there are several conditions and procedures for collecting information about a victim, its various capabilities are described below. The scan configuration is stored in the TForm1 object, where seven different capabilities for collecting information from the victim's computer are grouped.

Starting with a simple scan, the first information the malware can collect concerns files with the following extensions: .docx, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .bmp, .tiff. For each such file found on disk, the malware retrieves the full path and the last modification date. This information is encrypted with the AES key mentioned earlier and stored in the file 0.txt. Another scan targets the .dat, .json and .db extensions and, as before, collects the full path and the last modification date of each file; this is also encrypted and stored in the file 57.txt.

Listing the running processes is another capability of the malware; the result is stored in the 08.txt file and looks like this:

    ======Listing_of_processes=======
    [System Process]
    System
    smss.exe
    csrss.exe
    wininit.exe
    csrss.exe
    winlogon.exe
    services.exe
    lsass.exe
    […]

The i.txt file contains general information about the victim's computer, as well as some information about the malware (its version number and the path it runs from). See the example below:

    v7.00
    C:\Users\Public\Videos\audev.txt
    ============================================
    Log_Drivers:
    C: fixed; size= 102297 Mb, free=83927 Mb S/N: [redacted]
    ==================================================
    OSV: Windows 7
    WinType: 32
    WinDir: C:\Windows
    Lang: English (United States)
    TZ: UTC1:0 Romance Standard Time
    HostN: [redacted]-PC
    User: [redacted]
    ===============S_LIST=====================
    C:\Program Files\Common Files
    C:\Program Files\desktop.ini
    C:\Program Files\DVD Maker
    C:\Program Files\Internet Explorer
    C:\Program Files\Microsoft.NET
    C:\Program Files\MSBuild
    C:\Program Files\Reference Assemblies
    C:\Program Files\Uninstall Information
    C:\Program Files\Windows Defender
    […]

The malware can take screenshots, which are saved as 2\[YYYY-mm-dd HH-MM-SS]-Image_001.jpg, and it generates another file, 2\sa.bin, containing the list of paths of all screenshots taken. The last capability is the collection of network components and system data; the result is written to 4.txt.

Network protocol


The Delphi mail downloader is a relatively new addition to the Zebrocy toolkit; it provides a new way to exfiltrate data and receive commands from the operator. Exfiltration is fairly simple but generates a lot of network noise, as the previously collected encrypted files are sent via SMTPS, each version of a file three times.



The subject of the email is the victim's id, and the file is sent as an attachment with a keyword matching the content of the file. Note that an encrypted version of each file is sent.



Screenshots and files for both scans are also sent, but with different keywords.




Figure 8. An example of a letter with transmitted data

While data exfiltration uses SMTP, the binary connects to the mailbox tomasso25@ambcomission.com via POP3 and parses the emails. The body of an email contains various keywords that the malware interprets as commands.



After execution, the debug log and the result of the commands (if any) are sent back to the operator. For example, after a scan command, the operator receives a file containing the list of files with matching extensions, along with each of those files.

While this downloader has backdoor functions, it drops onto the system the Delphi downloader already associated with this group, which we described in a previous article on Zebrocy.

Conclusion


In the past, we have seen overlap between Zebrocy and the traditional Sednit malware. We caught Zebrocy dropping XAgent, Sednit's flagship backdoor, onto a system, so we attribute the authorship of Zebrocy to this group with high confidence.

However, analysis of the binaries revealed errors at the language level, as well as development choices indicating a different skill level of the authors. Both downloaders use mail protocols for exfiltration and identical mechanisms for collecting the same information. However, they create a lot of noise on the network and on the system by creating many files and sending them. While analyzing the Delphi mail downloader, it seemed to us that some functions were missing, although their strings remained in the binary. This toolkit is used by the Sednit group, but we believe it is developed by another, less experienced team than the creators of the traditional Sednit components.

Zebrocy components complement the Sednit toolkit, and recent events may explain the increased use of Zebrocy binaries instead of the traditional malware.

Indicators of compromise



File names, SHA-1 and detection by ESET products

1. SCANPASS_QXWEGRFGCVT_323803488900X_jpeg.exe - 7768fd2812ceff05db8f969a7bed1de5615bfc5a - Win32/Sednit.ORQ
2. C:\Users\public\Pictures\scanPassport.jpg - da70c54a8b9fd236793bb2ab3f8a50e6cd37e2df
3. C:\Users\Public\Documents\AcrobatReader.{exe,txt} - a225d457c3396e647ffc710cd1edd4c74dc57152 - MSIL/Sednit.D
4. C:\Users\Public\Videos\audev.txt - a659a765536d2099ecbde988d6763028ff92752e - Win32/Sednit.CH
5. %TMP%\Indy0037C632.tmp - 20954fe36388ae8b1174424c8e4996ea2689f747 - Win32/TrojanDownloader.Sednit.CMR
6. %TMP%\Indy01863A21.tmp - e0d8829d2e76e9bb02e3b375981181ae02462c43 - Win32/TrojanDownloader.Sednit.CMQ

Email


Source: https://habr.com/ru/post/437236/