The previous story described an unusual approach to distributing malware under the guise of an update for an expired security certificate. After the story was published, we carried out a detailed analysis of the samples we had obtained, with some interesting findings. All of the malware we examined from the campaign was packed with the same packer, which we named Trojan-Dropper.NSIS.Loncom. The malware uses legitimate NSIS software for packing and loading shellcode, and the Microsoft Crypto API for decrypting the final payload. Like the earlier find, this one was not without its surprises, as one of the packed samples contained software used by APT groups.
Loncom uses NSIS to run shellcode contained in a file whose name consists of numbers. In our example, the file is named 485101134:
[Figure: Overview of the NSIS archive contents]
Once the shellcode is unpacked to the hard disk and loaded into memory, an NSIS script calculates the starting position and proceeds to the next stage.
What the shellcode does
Before proceeding to decrypt the payload, the shellcode begins decrypting itself piece by piece, using the following algorithm:
- Find the position of the next 0xDEADBEEF dword.
- Read a dword: the size of the data to decrypt.
- Read a dword: the first part of the key.
- Read a dword: the second part of the key.
- Find the correct key: check the numbers in turn, starting at 0, while xor(i, second part of key) != first part of key. This part is needed to hold up execution and hinder AV detection. After simplification, key = i = xor(first part, second part).
- Decrypt the next part of the shellcode (xor) and move on to it.
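The block-chain decryption described above, written out as an added analyst-side example (not the article's or the malware's code). It walks a constructed buffer from marker to marker, derives the key as xor(first part, second part), and also reproduces the stalling loop to show it yields the same value. Assumptions: little-endian dwords, the block is XORed dword by dword, and block sizes are multiples of 4.

```python
import struct

MARKER = 0xDEADBEEF

def recover_key_bruteforce(part1, part2):
    """The stalling loop as the shellcode runs it: count i up from 0 until
    i ^ part2 == part1. Shown only to confirm it equals part1 ^ part2."""
    i = 0
    while (i ^ part2) != part1:
        i += 1
    return i

def decrypt_blocks(buf, start=0):
    """Follow the 0xDEADBEEF chain: at each marker read size and the two key
    parts, XOR-decrypt the following block (assumption: dword-wise XOR) and
    resume the search right after it. Returns the decrypted buffer and a list
    of (block_offset, size, key) tuples."""
    out = bytearray(buf)
    blocks = []
    pos = start
    while True:
        pos = out.find(struct.pack("<I", MARKER), pos)
        if pos < 0:
            break
        size, part1, part2 = struct.unpack_from("<III", out, pos + 4)
        key = part1 ^ part2                 # simplified form of the stalling loop
        data_start = pos + 16               # marker + 3 dwords
        for off in range(data_start, data_start + size, 4):
            dword = struct.unpack_from("<I", out, off)[0]
            struct.pack_into("<I", out, off, dword ^ key)
        blocks.append((data_start, size, key))
        pos = data_start + size
    return bytes(out), blocks

def build_block(plain, part1, part2):
    """Constructed test helper: emit marker, size, key parts and XORed data."""
    key = part1 ^ part2
    enc = b"".join(struct.pack("<I", struct.unpack_from("<I", plain, o)[0] ^ key)
                   for o in range(0, len(plain), 4))
    return struct.pack("<IIII", MARKER, len(plain), part1, part2) + enc

# Constructed sample: a few filler bytes, then two chained encrypted blocks
STAGE1 = b"stage one code!!"
STAGE2 = b"stage two code!!"
SAMPLE = (b"\x90" * 8
          + build_block(STAGE1, 0x1234 ^ 0xCAFEBABE, 0xCAFEBABE)
          + build_block(STAGE2, 0xAABBCCDD, 0x11223344))
```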
[Figure: Decrypting the next part of the shellcode; the code that performs the algorithm described above]
After several such iterations of block decryption, the shellcode switches to active steps, loading libraries and retrieving the addresses of the required functions with the help of the API hashing technique. This avoids naming the requested functions directly; their hashes are provided instead. When searching for a function by hash, a hash is calculated for each entry in the library export table until it matches the target.
Then Loncom decrypts the payload contained in the same file as the shellcode and proceeds to run it. The payload is encrypted with the AES-256 block cipher. The decryption key is stored in the code, and the payload offset and size are passed from the NSIS script.
[Figure: The main part of the shellcode: decrypting the payload]
For automated Loncom unpacking, we need to learn how data is stored in the packed NSIS installers, obtain the payload offset and size from the NSIS script, and pull the key from the shellcode.
Unpacking the NSIS
After a brief analysis, we found that the NSIS installers have the following structure:
- an MZPE NSIS interpreter containing in its overlay the data to be processed: the flag, the signatures, the size of the unpacked header and the total size of the data, followed by the containers, i.e. the compressed data itself.
- Containers in the following format: dword (data size):zlib_deflate(data). The 0th container holds the header, the first container holds our file with the shellcode and the payload, and the second holds the DLL with the NSIS plugin.
- The header contains a table of operation codes for the NSIS interpreter, a string table and a language table.
Having obtained the encrypted file, all we need now is to find the payload offset and size, and then proceed to decrypting the payload and the shellcode.
[Figure: NSIS data structure]
As all arguments in NSIS operation codes are passed as strings when plugins are used, we need to retrieve from the header string table all strings that look like numbers within the logical limits: from 0 to (file size – shellcode size).
[Figure: NSIS unpacking code]
To simplify determining the payload offset and size, recall the structure of the file with the shellcode: the encrypted blocks are decrypted from the smallest address to the largest, top to bottom, and the payload is located above the shellcode. Thus we can determine the position of the first 0xDEADBEEF marker and treat it as the end of the encrypted data (aligning as required, since AES is a block cipher).
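An added example (not the article's unpacker) covering the two steps above: splitting the overlay into dword(size):zlib_deflate(data) containers, then filtering the header string table for numeric plugin arguments within 0 .. (file size – shellcode size). Assumptions: little-endian size dwords, NUL-terminated strings in the string table, and a constructed overlay built with a standard zlib stream (a real installer may instead need raw deflate via zlib.decompressobj(-15)).

```python
import struct
import zlib

def split_containers(overlay):
    """Split the overlay body into containers (dword size, then compressed
    data) and inflate each one; raises on a truncated container."""
    containers = []
    pos = 0
    while pos + 4 <= len(overlay):
        (size,) = struct.unpack_from("<I", overlay, pos)
        blob = overlay[pos + 4:pos + 4 + size]
        if len(blob) != size:
            raise ValueError("truncated container at offset %d" % pos)
        containers.append(zlib.decompress(blob))   # assumption: zlib stream
        pos += 4 + size
    return containers

def numeric_candidates(string_table, file_size, shellcode_size):
    """Plugin arguments travel as strings, so every decimal string in the
    header string table that fits in 0 .. file_size - shellcode_size is a
    possible payload offset or size. Returned in table order."""
    limit = file_size - shellcode_size
    found = []
    for s in string_table.split(b"\x00"):
        if s.isdigit() and int(s) <= limit:
            found.append(int(s))
    return found

def pack(data):
    """Constructed test helper: one container in the format described above."""
    blob = zlib.compress(data)
    return struct.pack("<I", len(blob)) + blob

# Constructed sample: header string table, the packed shellcode/payload file, plugin DLL.
# 485101134 is the file name from the article; the other numbers are made up.
HEADER = b"\x00".join([b"485101134", b"Call", b"131072", b"24576",
                       b"99999999", b"v1.0", b""])
PACKED_FILE = b"\xef\xbe\xad\xde" + b"\x00" * 12 + b"ENCRYPTED..."
PLUGIN = b"MZplugin.dll"
OVERLAY = pack(HEADER) + pack(PACKED_FILE) + pack(PLUGIN)
```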
Decrypting the shellcode
To decrypt the payload, we need to:
- decrypt the shellcode blocks;
- determine where the AES key is;
- retrieve the key;
- try to decrypt the payload for the offsets obtained from the NSIS;
- stop once the first two bytes are 'MZ'.
The first step can be carried out by slightly modifying the code that performs the decryption algorithm in IDA Pro. The key can be located with a simple regular expression: '\xC7\x45.(....)\xC7\x45.(....)\xC7\x45.(....)\xC7\x45.(....)\xE8', i.e. "mov dword ptr" four times, then "call" (see the pseudocode in the main part of the shellcode).
The other steps do not require a detailed explanation. We will now describe the actual malware that was packed with Loncom.
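Two of the steps above as an added example (not the article's tooling): locating the key material in decrypted shellcode with the regular expression just given, and bounding the payload by the first 0xDEADBEEF marker so that each NSIS offset candidate yields an (offset, size) pair to try. Assumptions: the four captured immediates are taken in instruction order, the size is aligned down to the 16-byte AES block, and the shellcode and file bytes are constructed stand-ins.

```python
import re
import struct

# "mov dword ptr [ebp+disp8], imm32" four times, then "call rel32"
KEY_RE = re.compile(
    rb"\xC7\x45.(....)\xC7\x45.(....)\xC7\x45.(....)\xC7\x45.(....)\xE8",
    re.DOTALL)

def find_key_material(shellcode):
    """Return the four immediates (16 bytes, instruction order) from the
    first matching mov/mov/mov/mov/call sequence, or None if absent."""
    m = KEY_RE.search(shellcode)
    return b"".join(m.groups()) if m else None

def payload_bounds(packed_file, offset_candidates, block_size=16):
    """The payload lies before the shellcode, so the first 0xDEADBEEF marker
    ends it. For each candidate offset return (offset, size) with the size
    aligned down to the cipher block size (assumption); candidates at or past
    the marker are dropped."""
    end = packed_file.find(struct.pack("<I", 0xDEADBEEF))
    if end < 0:
        raise ValueError("no 0xDEADBEEF marker found")
    bounds = []
    for off in offset_candidates:
        if 0 <= off < end:
            size = (end - off) // block_size * block_size
            if size:
                bounds.append((off, size))
    return bounds

# Constructed sample: a decrypted shellcode fragment with the key-loading sequence
SHELLCODE = (
    b"\x55\x8b\xec"                       # push ebp; mov ebp, esp
    + b"\xc7\x45\xf0" + b"KEY0"           # mov dword ptr [ebp-0x10], imm32
    + b"\xc7\x45\xf4" + b"KEY1"           # mov dword ptr [ebp-0x0c], imm32
    + b"\xc7\x45\xf8" + b"KEY2"           # mov dword ptr [ebp-0x08], imm32
    + b"\xc7\x45\xfc" + b"KEY3"           # mov dword ptr [ebp-0x04], imm32
    + b"\xe8\x00\x00\x00\x00"             # call
)
# Constructed packed file: 40 bytes of encrypted payload, then the first marker
PACKED_FILE = b"P" * 40 + struct.pack("<I", 0xDEADBEEF) + b"\x00" * 12
```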
Besides Mokes and Buerak, which we mentioned in the earlier article, we noticed packed specimens of the Backdoor.Win32.DarkVNC and Trojan-Ransom.Win32.Sodin families, also known as REvil and Sodinokibi. The first is a backdoor used for controlling an infected machine via the VNC protocol. The second is ransomware that encrypts the victim's data and threatens to publish it.
However, the most exciting find was the Cobalt Strike utility, used both by legitimate pentesters and by various APT groups. The command center of the sample that contained Cobalt Strike had previously been seen distributing CactusTorch, a utility for running shellcode present in Cobalt Strike modules, and the same Cobalt Strike packed with a different packer.
We continue monitoring Trojan-Dropper.NSIS.Loncom and hope to share new findings soon.
IoC
AEF8FBB5C64734093E78EB13E6FA7849 (Cobalt Strike)