Tuesday, July 10, 2012

Dark Comet "PDF" (pdf? - yea, right!)

Last weekend I pulled down a "Dark Comet RAT"-related sample from contagio (http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html#more) to look at, and found it to be interesting because it was operating under the guise of a PDF.

The malicious file (er, PDF), shown below, employs the Right-to-Left Override (RLO) technique to mask the actual file type on a victim host whose shell honours the RLO character. In the case of this file, analysis was conducted from within a Windows XP virtual machine, and since the Windows XP shell did not apply the RLO override when rendering the name, the file immediately appeared in its true state once file extensions were shown (see diagram 1).

Conversely, on a Windows 7 platform the RLO character is honoured, so the malicious file appears to be a regular PDF file to the unsuspecting user (see diagram 2).

Be that as it may, if the user (on either platform) were to notice the item type "Screen saver" when using the Explorer "tiles" view (see diagram 3), an alarm bell should immediately sound, since an SCR file is an executable binary: Windows loads a .scr exactly as it would a .exe, and the type shown in Explorer comes from the real extension, not from how the name is drawn.

The RLO technique has been used quite a bit in recent years to obfuscate the name of a malicious file. It works by inserting the Unicode character U+202E (RIGHT-TO-LEFT OVERRIDE) at a chosen point in the name; every character after it is then displayed in reverse (right-to-left) order, while the file system still stores and evaluates the original left-to-right string, so the real extension is whatever follows the last dot in that raw string. For example, the character was placed immediately in front of the "f" in fdp.scr (hence the "square" in diagram 1, where XP drew the control character as a box), making that tail read as "rcs.pdf" (in diagram 2).
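As an added illustration (this is not code from the original post), the Python below shows how a defender can catch this trick in file names: it looks for Unicode bidirectional control characters, approximates what a bidi-aware Explorer would display, and compares the displayed extension with the extension the file system actually sees. The sample name "Report" + U+202E + "fdp.scr" is constructed for the example; the post only states that U+202E was placed before the "f" of fdp.scr.

```python
# Added example, not from the original post: spot Unicode bidi-override
# spoofing in file names. The sample name at the bottom is constructed.

# Bidi control characters that can change how a name is displayed.
BIDI_CONTROLS = {
    "\u202a": "LEFT-TO-RIGHT EMBEDDING",
    "\u202b": "RIGHT-TO-LEFT EMBEDDING",
    "\u202d": "LEFT-TO-RIGHT OVERRIDE",
    "\u202e": "RIGHT-TO-LEFT OVERRIDE",
    "\u2066": "LEFT-TO-RIGHT ISOLATE",
    "\u2067": "RIGHT-TO-LEFT ISOLATE",
    "\u2068": "FIRST STRONG ISOLATE",
}

# Extensions Windows executes directly; the post's sample is a .scr.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "hta", "lnk"}


def strip_controls(name):
    """The name as the file system evaluates it, minus the invisible controls."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def rendered_name(name):
    """Approximate what a bidi-aware file browser shows.

    A RIGHT-TO-LEFT OVERRIDE (U+202E) forces everything after it to be laid
    out right-to-left, i.e. reversed, until the end of the name. This is a
    deliberate simplification of the Unicode Bidirectional Algorithm that is
    accurate for the plain-ASCII tails used in this trick.
    """
    idx = name.find("\u202e")
    if idx == -1:
        return strip_controls(name)
    head, tail = name[:idx], name[idx + 1:]
    return strip_controls(head) + strip_controls(tail)[::-1]


def extension_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_filename(name):
    """Report the controls found and whether the displayed extension lies."""
    controls = [(i, "U+%04X %s" % (ord(ch), BIDI_CONTROLS[ch]))
                for i, ch in enumerate(name) if ch in BIDI_CONTROLS]
    shown = rendered_name(name)
    real_ext = extension_of(strip_controls(name))
    shown_ext = extension_of(shown)
    return {
        "raw": name,
        "controls": controls,
        "displayed_as": shown,
        "displayed_extension": shown_ext,
        "true_extension": real_ext,
        "executable": real_ext in EXECUTABLE_EXTS,
        "suspicious": bool(controls) and shown_ext != real_ext,
    }


if __name__ == "__main__":
    # Constructed sample: "Report" + U+202E + "fdp.scr", plus a clean name.
    for n in ["Report\u202efdp.scr", "report.pdf"]:
        r = inspect_filename(n)
        print(repr(r["raw"]), "->", r["displayed_as"],
              "| true ext:", r["true_extension"], "| suspicious:", r["suspicious"])
```

The rendering function is deliberately a simplification (a real bidi layout engine also handles embeddings, isolates and mixed scripts), which is why the robust policy for upload handlers and mail gateways is the blunt one: quarantine any file name that contains one of these control characters at all, regardless of how it would display.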

Closer examination of the SCR file, however, revealed that it was actually a WinRAR self-extracting (SFX) archive containing three objects, which are extracted by the SFX script displayed in diagram 4.


Upon execution of the "PDF", the contents are automatically extracted to the user's %temp% directory (see diagram 5). Notice the lack of an icon for "Explorer.exe".


Immediately thereafter, the malicious "Explorer.exe" is launched along with the benign PDF, but all the victim would see during this is the benign PDF opening, a portion of which is displayed in diagram 6.


In addition, the malware injects itself into a "svchost.exe" process, which starts a keylogger straight away; the keylogger writes unencrypted keystroke data to "%temp%\dclogs.sys" (see the appendix at the end of this post for an example of the keylog data).

The victim system then connects to "meroo.no-ip.org"; however, no specific HTTP request was observed during this analysis. More importantly, another svchost process is spawned (svcHost.exe, note the upper-case "H") which opens a dedicated backdoor channel on TCP port 778 (see diagram 7): the SYN_SENT state below shows it is the victim host that reaches out, to IP address

1688  svcHost        ->  1060  TCP   c:\Windows\system32\svcHost.exe   (capital H)
TCP         SYN_SENT        1688

Since this analysis was conducted in an enclosed environment, no follow-on communication between the victim host and the command and control server was observed.

To maintain persistence on the victim host, the malware resolves the user's Startup folder (it reads HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup, as the activity list below shows) and drops a shortcut into it:
C:\Documents and Settings\<user>\Start Menu\Programs\Startup
Interestingly, the shortcut is named "(Empty).lnk" and points to
"C:\Documents and Settings\<user>\Local Settings\Temp\Explorer.exe" (see diagram 9), so the dropped RAT is re-launched at each logon.


Below is a chronological gist of activity as it occurs on a victim host (of note, the malicious dropper was renamed “asfdp.scr” for ease of interpretation):



-> C:\Documents and Settings\<user>\Local Settings\Temp\Explorer.exe
-> C:\Documents and Settings\<user>\Local Settings\Temp\msdlg.ocx
-> C:\Documents and Settings\<user>\Local Settings\Temp\

registry:
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ae4eccf-38d9-11dd-8e16-806d6172696f}\BaseClass
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ae4eccd-38d9-11dd-8e16-806d6172696f}\BaseClass
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ae4eccc-38d9-11dd-8e16-806d6172696f}\BaseClass
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Start Menu
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Start Menu
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\My Pictures
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonPictures
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonMusic
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonVideo

-> C:\Documents and Settings\<user>\Start Menu\Programs\Startup\(Empty).lnk

registry: SetValueKey
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies

process: created
-> C:\Documents and Settings\<user>\Local Settings\Temp\Explorer.exe
-> C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

Explorer.exe (malicious variant in %temp%)
process: terminated
-> C:\Documents and Settings\<user>\Desktop\asfdp.scr

process: created
-> C:\WINDOWS\system32\svchost.exe

-> C:\Documents and Settings\<user>\Local Settings\Temp\~DF8DB9.tmp

process: terminated
-> C:\Documents and Settings\<user>\Local Settings\Temp\Explorer.exe

-> C:\Documents and Settings\<user>\Local Settings\Temp\dclogs.sys
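As an added example (not part of the original post), here is a small Python triage routine over process events like the ones listed above. The event list is constructed from the paths quoted in this post, with <user> replaced by "user"; the rules flag a system-binary name running from the wrong directory (the dropped Explorer.exe in %temp%), any executable launched from a temp folder, a screen saver run from a user location (the asfdp.scr dropper), and the same path appearing with more than one casing in the log (svchost.exe vs. svcHost.exe). The directory table and helper names are assumptions made for the example.

```python
# Added example, not from the original post: triage process events for
# masquerading. Paths in EVENTS are constructed from the post's activity list.
import ntpath
from collections import defaultdict

# Where these commonly borrowed names legitimately run from (Windows XP layout,
# matching the post). Assumption for the example; extend per OS version.
SYSTEM_BINARIES = {
    "explorer.exe": {"c:\\windows"},
    "svchost.exe": {"c:\\windows\\system32"},
    "lsass.exe": {"c:\\windows\\system32"},
    "winlogon.exe": {"c:\\windows\\system32"},
    "csrss.exe": {"c:\\windows\\system32"},
}
TEMP_MARKERS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}

# Constructed from the post's chronological gist ("user" stands in for <user>).
EVENTS = [
    ("process created", r"C:\Documents and Settings\user\Local Settings\Temp\Explorer.exe"),
    ("process created", r"C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe"),
    ("process terminated", r"C:\Documents and Settings\user\Desktop\asfdp.scr"),
    ("process created", r"C:\WINDOWS\system32\svchost.exe"),
    ("process created", r"c:\Windows\system32\svcHost.exe"),
    ("process terminated", r"C:\Documents and Settings\user\Local Settings\Temp\Explorer.exe"),
]


def check_path(path):
    """Per-event rules; returns a list of human-readable findings."""
    norm = path.lower()                      # NTFS paths compare case-insensitively
    directory, base = ntpath.split(norm)
    ext = ntpath.splitext(base)[1]
    findings = []
    if base in SYSTEM_BINARIES and directory not in SYSTEM_BINARIES[base]:
        findings.append("system binary name outside its home directory: " + path)
    if ext in EXEC_EXTS and any(m in norm for m in TEMP_MARKERS):
        findings.append("executable run from a temp directory: " + path)
    if ext == ".scr" and not directory.startswith("c:\\windows"):
        findings.append("screen saver (.scr) run from a user location: " + path)
    return findings


def casing_variants(events):
    """Paths that show up spelled with more than one casing in the same log.

    Since the file system folds case, two spellings mean two different
    callers supplied the name, which is worth a look (svchost vs. svcHost).
    """
    seen = defaultdict(set)
    for _, path in events:
        seen[path.lower()].add(ntpath.basename(path))
    return {p: names for p, names in seen.items() if len(names) > 1}


def scan(events):
    hits = [(action, f) for action, path in events for f in check_path(path)]
    for path, names in casing_variants(events).items():
        hits.append(("log", "same file seen as %s: %s" % (sorted(names), path)))
    return hits


if __name__ == "__main__":
    for action, finding in scan(EVENTS):
        print("[%s] %s" % (action, finding))
```

Real telemetry would also carry the parent process and image hash; with those in hand the "executable run from temp" rule becomes far more precise (a WinRAR SFX stub spawning an unsigned Explorer.exe from %temp% is exactly the chain described in this post).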

And lastly, here's a sample of the keylogged data:


@ Caption : [C:\WINDOWS\system32\cmd.exe]

@ at 7:42:52 AM the 7/6/2012



@ Caption : [shell]

@ at 7:43:36 AM the 7/6/2012

netstat -ano



@ Caption : [areyoukeylogginme.txt - Notepad]

@ at 7:49:45 AM the 7/6/2012

Seriously????  You're keylogging me????   Ane [<-][<-]d you didn't think I'd notice????  Shame on you :(



@ Caption : [shell]

@ at 7:55:56 AM the 7/6/2012

cd ..

find /i "dclogs" c        [<-][<-][<-][<-][<-][<-]p       | more

find "[<-]/i "explorer.exe" c [<-][<-][<-][<-][<-][<-]pa     [<-]t    | more



@ Caption : [Program Manager]

@ at 7:57:25 AM the 7/6/2012
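The dclogs.sys format shown above (a "@ Caption : [...]" line naming the focused window, an "@ at ... the ..." timestamp, then the raw keystrokes with "[<-]" marking each backspace) is simple enough to parse during incident response, which is handy when you need to know exactly what an attacker's keylogger captured. The Python below is an added example, not DarkComet's code or the post's; it reconstructs what was actually typed by replaying the backspaces. The sample log is constructed to follow the format in the appendix and, as in the post, the date is read as month/day/year.

```python
# Added example, not from the original post: parse a DarkComet-style keylog
# as shown in the appendix and replay backspaces to recover the typed text.
# SAMPLE_LOG is constructed to follow that format.
import re
from datetime import datetime

BACKSPACE = "[<-]"
CAPTION_RE = re.compile(r"^@ Caption : \[(.*)\]\s*$")
TIME_RE = re.compile(r"^@ at (\d{1,2}:\d{2}:\d{2} [AP]M) the (\d{1,2}/\d{1,2}/\d{4})\s*$")

SAMPLE_LOG = r"""
@ Caption : [C:\WINDOWS\system32\cmd.exe]
@ at 7:42:52 AM the 7/6/2012

@ Caption : [shell]
@ at 7:43:36 AM the 7/6/2012
netstat -ano

@ Caption : [areyoukeylogginme.txt - Notepad]
@ at 7:49:45 AM the 7/6/2012
Seriously????  You're keylogging me????   Ane [<-][<-]d you didn't think I'd notice????

@ Caption : [shell]
@ at 7:55:56 AM the 7/6/2012
cd ..
find "[<-]/i "dclogs" c[<-]*.* | more
"""


def apply_backspaces(raw):
    """Replay "[<-]" tokens so the result is what ended up on screen."""
    out, i = [], 0
    while i < len(raw):
        if raw.startswith(BACKSPACE, i):
            if out:                      # a backspace on an empty line is a no-op
                out.pop()
            i += len(BACKSPACE)
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def parse_dclogs(text):
    """Split the log into per-window entries: caption, timestamp, typed lines."""
    entries, cur = [], None
    for line in text.splitlines():
        m = CAPTION_RE.match(line)
        if m:
            cur = {"caption": m.group(1), "time": None, "raw": [], "typed": []}
            entries.append(cur)
            continue
        m = TIME_RE.match(line)
        if m and cur is not None:
            # Assumption: US-style month/day/year, as the post's dates read.
            cur["time"] = datetime.strptime(m.group(2) + " " + m.group(1),
                                            "%m/%d/%Y %I:%M:%S %p")
            continue
        if cur is not None and line.strip():
            cur["raw"].append(line)
            cur["typed"].append(apply_backspaces(line))
    return entries


def typed_in(entries, caption_substring):
    """Everything typed into windows whose caption contains the substring."""
    return [(e["time"], t) for e in entries
            if caption_substring.lower() in e["caption"].lower() for t in e["typed"]]


if __name__ == "__main__":
    for when, cmd in typed_in(parse_dclogs(SAMPLE_LOG), "shell"):
        print(when, repr(cmd))
```

Note that the recovered text is what the victim saw, not a keystroke-by-keystroke record; if you need the raw sequence (for example to show that a password was typed and then deleted), keep the "raw" field alongside "typed".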

