Shifu - Advanced Malware

The Shifu Trojan is a recently discovered malware involved in a number targeted attacks involving the Japanese banking sector. What makes this malware interesting is the techniques employed which are typically attributed to other malware families such as Dridex, Zeus, Conficker as well as some others. The utilization of techniques such as Virtual Machine detection and DGA attributed to other malware make the malware a truly advanced threat. In this post, I will explore and attempt to analyze the malware to gain an understanding of how it operates.

Preliminary Analysis

The sample has an md5 hash of b9bc3f1b2aace824482c10ffa422f78b and an embedded timestamp of 'Thu Aug 06 04:56:58 2015'. One of the first artifacts that jumps out during static analysis is a full file path:

c:\oil\feet\Seven\Send\Gather\Dividerail.pdb

The file extension indicates the artifact is a result of the compilation process for the binary. While this may not have any relevance to the behavior of the malware, it could serve as an indicator for detection via a mechanism such as Yara.

Further analysis of the binary produces a few clues in regards to what I can expect during execution.
The following functions appear to be revealing as to the capabilities of the binary:

• GetActiveValue
• IsDebuggerPresent
• Sleep
• WriteFile
• GetStartupInfo

The presence of the above libraries indicate that the malware will likely have the ability to write files to the host but this isn't too surprising when it comes to malicious software. The more interesting functions are 'IsDebuggerPresent', 'Sleep' and 'GetStartupInfo'. To me this indicates that I should expect this malware to attempt to prevent analysis attempts under certain conditions since sleep has the potential to stall execution and IsDebuggerPresent is commonly, although not always, utilized to prevent debugging attempts.

At this point it seems that more information will be derived by simply executing the binary.

Virtual Machine Analysis

Analysis Attempt One
The first attempt at analysis of this file proves to be unsuccessful when ran in a VMWare Windows XP host as seen in this following SysInternals ProcMon output:

Time of Day Process Name    Operation   Path    Result
40:11.9    shifu.exe    QueryOpen    C:\sample\pos.exe    PATH NOT FOUND
40:11.9    shifu.exe    Process Exit        SUCCESS
40:11.9    shifu.exe    Thread Exit        SUCCESS
40:11.9    shifu.exe    CloseFile    C:\Documents and Settings\John\Desktop    SUCCESS  

It is worth noting that a number of queries for local files are attempted throughout the time in which the process runs. All of these queries result in the malware being unable to detect the files being queried. The last of these queries is for full path C:\sample\pos.exe which does not exist on the virtual machine. Directly afterwards, the process exits and closes the the original binary from which it originated. It is unclear why this file is once of such importance but it may be related to Virtual Machine or sandbox installations.

Analysis Attempt Two
The decision is made to remove VMWare Tools from the virtual machine. It could be possible that this and not the lack of pos.exe have caused the previous failure. Hopefully the removal of this component will increase the chance of execution success. Running the malware on a host without VMWare tools however, does not have any effect on the result of the execution. Even though it has been removed, the process still exits after it is unable to find the c:\sample\pos.exe file.

Time of Day Process Name    Operation   Path    Result
28:05.0 shifu.exe   1152    QueryOpen   C:\sample\pos.exe   PATH NOT FOUND
28:05.0 shifu.exe   1152    Thread Exit     SUCCESS
28:05.0 shifu.exe   1152    Process Exit        SUCCESS
28:05.0 shifu.exe   1152    CloseFile   C:\Documents and Settings\John\My Documents\Downloads   SUCCESS

Analysis Attempt Three
This time the decision is made to place a file named pos.exe in the c:\sample\ directory in the hopes that the malware will behave differently. While the associated process does find the file, it still behaves in the same fashion as the previous analysis attempts. This is not unexpected since the presence of this file likely should cause the termination of the shifu.exe process.

Time of Day Process Name    Operation   Path    Result
32:37.9 shifu.exe   QueryOpen   C:\sample\pos.exe   SUCCESS
32:37.9 shifu.exe   Thread Exit     SUCCESS
32:37.9 shifu.exe   Process Exit        SUCCESS
32:37.9 shifu.exe   CloseFile   C:\Documents and Settings\John\Desktop  SUCCESS

Obviously the use of a virtual machine for analysis is ineffective without some type of additional modifications. Instead of continuing to analyze the malware within a standalone virtual machine, I will attempt to see if any progress can be made with a sandbox/emulator instead.

Sandbox Analysis

Executing Shifu in a sandboxed environment finally allows the process to run successfully. Upon execution the malware writes the following files to disk:

c:\Documents and Settings\All Users\Application Data\dbd2hff6h8.exe     
(793bb01102349f366b37da58ddca26ee)  
c:\Documents and Settings\<user>\Local Settings\temp\safari.exe         
(953754424360b90e7dcedd74e448c44d)  
c:\DOCUME~1\<user>\LOCALS~1\Temp\nss3.dll       
(7c87033533235868eccc54c392fa147c)
c:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\BMKNKJ8O\shifu.exe  

The last file is executed after it has been written to the Internet Explorer cache folder. This could be a persistence mechanism but is likely an attempt to hide the file from a user who might stumble across the original shifu.exe file. Additionally the following file is written to disk:

C:\Documents and Settings<user>\Application Data\dli644A.tmp.bat 

The malware appears to perform some other interesting activity which are reminiscent of the previous analysis attempts. Shifu appears to be scanning the host for certain files and directories, all of which are not found. These appear to be more inline with virtual machine detection attempts and even include the c:\sample\pos.exe file that were observed during the virtual machine attempts.

c:\analysis   
c:\analysis\sandboxstarter.exe  
c:\Documents and Settings\All Users\Application Data\dbd2hff6h8.exe    
c:\windows\system32\drivers\vboxmouse.sys    
c:\windows\system32\drivers\vmhgfs.sys    
c:\windows\system32\drivers\vmmouse.sys    
c:\insidetm    
c:\sample\pos.exe  

Another interesting aspect of the Shifu execution is the interaction with the Windows process Explorer.exe, which is a commonly targeted process for injection by malicious software. The interactions with Explorer.exe include the suspension, reading, writing and resuming of the Explorer process. These are typical actions taken when attempting to inject malicious code in to a process. Once injection has successfully occurred the following files are written to the user's 'Application Data' under a subdirectory:

c:\Documents and Settings\<user>\Application Data\7a62af1e\keylog.txt
c:\Documents and Settings\<user>\Application Data\7a62af1e\sysinfo.txt  
c:\Documents and Settings\<user>\Application Data\7a62af1e\cmdline.txt  
c:\Documents and Settings\<user>\Application Data\7a62af1e\1_cert.pfx  
c:\Documents and Settings\<user>\Application Data\7a62af1e\1_info.txt  

Another interesting action is observed which appears to be related to Bitcoin:

c:\Documents and Settings\<user>bitcoin\wallet.dat 

The final noteworthy action that I notice is an attempt to hide the shifu.exe file which was originally written to the Internet Explorer cache directory. This is done using the Windows executable 'attrib.exe':

c:\WINDOWS\system32\attrib.exe attrib -r -s -h "C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\BMKNKJ8O\shifu.exe"  

Network Analysis
Analyzing the network traffic appears to be a bit more difficult. At first glance it appears that the C2 domain has either been taken down or is being blocked. A DNS request is made for an A record belonging to 'eboduftazce-ru.com' which returns a number of malicious results on VirusTotal.

eboduftazce-ru.com
In order to be thorough, a bit of recon is performed on the host.

eboduftazce-ru.com. 5 IN SOA dns.bizcn.com. dnsconct.bizcn.com. (
            1443758308 ; serial
            28800      ; refresh (8 hours)
            14400      ; retry (4 hours)
            14400      ; expire (4 hours)
            600        ; minimum (10 minutes)
            )
eboduftazce-ru.com. 5 IN NS ns3.cnmsn.com.
eboduftazce-ru.com. 5 IN NS ns4.cnmsn.com.
eboduftazce-ru.com. 5 IN A  188.42.254.65

The lack of valid DNS response records could indicate the domain is no longer available. This could be a result of a number of factors such as fast flux domain changing or dynamically generated domain names being utilized. At first glance the network traffic does not indicate this is the case considering DGA malware typically generates a great deal of DNS traffic. Even after running the binary a second time the same traffic is observed.

Conclusion

The advanced techniques employed by Shifu makes this malware a bit tough to analyze but not impossible. The primary roadblock is the VM detection mechanism which prevented manual dynamic analysis. As a result, sandboxing technologies are employed with great success. While this technique makes analysis difficult, it limits the ability to compromise thin app clients, other virtualized workstations and virtualized servers. This is not a huge loss since there are few client computers which are virtualized but is worth noting.

References

Virus Total
Dark Reading: New Shifu Banking Trojan An ‘Uber Patchwork’ Of Malware Tools
Security Weekly: "Shifu" Trojan Targets Japanese Banks

A Closer Look at DGA Traffic

Our last post explored a technique used by malware authors to subvert Command and Control server discovery. CryptoLocker was one such malware known to employ a Domain Generation Algorithm in order to communicate with its C² servers. In this post we will dive deeper in to what network traffic generated by this particular malware looks like. These characteristics are useful when it comes to identifying whether a particular malware is employing a DGA and determining the actual addresses of C² servers.

In previous posts, I have utilized open source technologies to provide an environment for dynamic analysis of malware. While this provided an excellent alternative to a homemade lab, I was limited in the type of information and artifacts I could obtain. The artifacts produced are typically a network PCAP and a list of modifications made on the machine. Using virtual machines allows a bit more flexibility and additional artifacts such as memory dumps and paging files to be extracted. While this post will not focus on the analysis of these additional artifacts, the choice was made to utilize a VM-based lab to run the malware in favor of the additional information available.

Network Traffic Analysis

An analysis of the traffic using tcpdump shows an accounting of the DNS requests that are made and as would be expected there are many DNS requests from the infected host 192.168.5.71.

A packet capture was run for approximately seven minutes and could have gone longer due to the fact that CryptoLocker servers have been taken down for quite some time. If the servers were still active, the malware would quit attempting to make phone home requests once it found a valid domain. The NX records returned for the non-existent domains are indicators of DGA-based utilization by the infected host.

During the period in which the packet capture is run, 176 NX records are returned. Any system administrator or analyst seeing this many NX requests should be able to determine that the host making the request is likely infected. We should really be concerned with the requests that return valid records, as these will allow us to determine the true C² servers.

A number of valid A records are returned for IP address 212.71.250.4. Some research on the IP address yields the following information.

It should come as no surprise that this IP address is registered to a datacenter as this is a common tactic of malicious parties. Examination of the ensuing HTTP traffic leads us to believe that our IP address has been sinkholed. Sinkholing is a technique that is used to put a stop to active malware campaigns.  This is to be expected considering the C² servers were taken down quite some time ago.

The Sinkholing of this domain essentially allowed researchers and law enforcement to put a stop to the ongoing malware campaign which was used as a means to extort money from individuals and businesses with infected machines. If not for the ability to analyze both the DGA traffic and algorithm, this would not have been possible.

Performing a profile of this traffic using Scapy gives us a breakdown of the type of traffic that has been observed.

The majority of the traffic consisted of port 53/udp (DNS) traffic. This accounted for 417 total packets during this time period, 176 of which resulted in NX records being returned. There were 241 domains which returned valid A records but only 184 requests were made to the malicious IP. The only other valid external IP address that was used for communications is 123.170.185.211, which is owned by Microsoft and used for NTP time server purposes.

A listing of the NX Domains can be found here while the valid domains can be viewed here. Armed with this knowledge, we have a great starting point for creating countermeasures that will be helpful in preventing further damage. It also gives us a template for recognition of this sort of infection on the network.

Malware Technique: DGA

Persistence is key to an adversary's attempts to compromise a target. It is very important to establish a foothold so that continued access to a resource can be used to further exploit the target or exfiltrate data. This typically takes the form of a backdoor or a process starting on the host when it comes to malware. This is important when it comes to host-based persistence but what about server-based persistence? Malware campaigns rely on persistent command and control(C²) infrastructure in order to remain operational. If a C² infrastructure is taken down, the malware operators no longer has a way to control the infected hosts and receive exfiltrated information.

In order to achieve persistence, certain techniques must be used to make it more difficult to stop these campaigns. One way to assist in these techniques is to use a Domain Generation Algorithm(DGA) as in the malware that is deployed in the field. DGA is used by malware to generate domain names that are mapped to C² IP addresses instead of hard-coding them directly in the binary.

This has a couple advantages over other methods such as hard-coding. A hard-coded list such as this would be easily detectable by static analysis techniques. This would make it much easier to track and take down the servers involved in these communications. One example that exhibits this characteristic is the malware used to compromise Sony Entertainment (md5: 2618dd3e5c59ca851f03df12c0cab3b8).

The IP addresses in this binary allow the C² servers to be easily identified. This would allow the malicious servers to more easily be taken down or sinkholed by law enforcement or researchers. Doing so would put a halt to the plans of the malware creator(s). As a result, many strains of malware have moved towards using DGA to mitigate these possibilities.

These algorithms give malware the ability to generate many domain names of which very few are registered to an IP address. The domain names generally are determined by the date and time, also known as a seed, so that all hosts can generate the same domain names in a synchronized fashion. Since the malware author knows the algorithm used to produce these domains, they are able to register the domain names prior to the malware making phone home requests. This allows the hosts to receive configuration files and instructions from the C² server. The hosts can also exfiltrate information to the server. The domain can then quickly be de-registered to avoid C² server detection. As a result, those attempting to discover the IP addresses of the servers are usually unsuccessful unless technology such as passive DNS is utilized for investigation.

An example that can be referenced for illustrative purposes is CryptoLocker. CryptoLocker is a type of ransomware that encrypts certain file types on the infected system and presents the user with a screen requiring payment for decryption. While the malware has been succeeded by new variants such as CryptoWall, it is a relevant example for DGA-based malware. Dynamic analysis of CryptoLocker shows a large number of domain names being requested but a single host IP address being contacted.

Courtesy of Malwr.com

The above figure presents only a truncated list of domains. It is very likely that only a few of the listed domain names would have resolved to the host IP address listed at the time the analysis was performed. Presently, no IP addresses are being resolved because CryptoLocker servers have been taken down.

The main disadvantage to dealing with this type of malware from a network administrator's point of view is that domain blacklisting will be ineffective. The domain names will be not be predictable without reverse engineering the algorithm. Even doing so will not prevent future infections if the algorithm is modified. IP addresses for the C² servers may also change so IP blacklisting isn't an effective countermeasure either.

Clearly, using a technique such as DGA is an effective way to prevent C² takedowns as well as prevent network countermeasures that have been deployed. While IPS and domain whitelisting can be utilized to minimize the damage done by DGA-based malware, they are not always the most practical or effective tactics. Many malware strains have begun to employ this technique as a direct result of these 'benefits' previously mentioned. Other notable malware utilizing DGA include Conficker, Zeus and Pushdo but there are plenty of others.

Malware Technique: DLL Side Loading

Malware authors often rely on vulnerabilities as a stepping stone to infect or compromise the hosts they target. Within the scope of malware, they typically rely on vulnerabilities in software such as Adobe Flash, Java or a number of add-on applications which are used in web browsers. It is easier to exploit an add-on that may not have been updated in many days, months or even years in order to exploit the host in some way. This is a case of picking the lowest hanging fruit. Add-on software and plugins are constantly being updated or patched as a result of vulnerabilities being discovered and exploited.

Many times the functionality of the operating system itself can be used to the malware author's advantage as well. One such functionality within Windows Operating Systems is the side-by-side (WinSXS) feature. WinSXS is a directory on modern Windows Operating Systems, first introduced in Windows 98 SE, that can contain multiple DLL and file versions. It was introduced as a way to reduce dependency issues as well as problems with duplicate DLL files. If, for example, a new software is installed that uses an updated version of a DLL that currently exists on the host, the new version will be added and the old will remain. This reduces conflicts such as deleting the old version that may still be in use by another software component. This feature is a necessity in regards to the operation of the host but malware authors can also utilize it to hijack the flow of an application to ensure that their malicious code is executed.

This technique has gained popularity in APT(Advanced Persistent Threat) malware campaigns. It works in a similar fashion as DLL hijacking. The main difference that exist between DLL highjacking and DLL side loading is that DLL highjacking takes advantage of the load order of legitimate DLLs by placing a spoofed version in a higher load position than the real DLL. This type of vulnerability is documented in various CVEs such as 2014-8398 and 2012-1849.

DLL side loading, however, makes use of the WinSxS directory (C:\Windows\WinSxS). This directory holds multiple versions of DLL files and as stated earlier, resolves many issues that previous incarnations of Windows encountered. An application using this directory to retrieve a DLL will need to have a manifest. The manifest lists the DLL file that the program needs to load at runtime execution and is used by the DLL loader to determine which version should be used. 

Courtesy of Microsoft.com

Additional information about Windows side-by-side can be found here.

A malicious DLL with a spoofed name could be placed in this location due to the lack of verifications that are performed on files in this folder. As a result, a vulnerability similar to the one that allows DLL hijacking exists in the side-by-side feature.

Once an application on the host requests access of the legitimate DLL, the spoofed library is loaded. As I mentioned earlier, this has been observed in APT malware like PlugX. FireEye documented one such APT attack that utilized the DLL Side Loading vulnerability. A phishing email was sent to users that contained an Excel spreadsheet that dropped and executed a file. Once run, the executable created a DLL component on the host which was used by a benign Microsoft Office 2003 Service Pack executable file to load an ISO file. None of these components were considered malicious by antivirus vendors at the time this occurred allowing them to avoid detection. Had the DLL components function imports been verified the attack, it would not likely have succeeded.

The spoofed DLL component contained a modified function that allowed the innocuous service pack executable to load a third component file on to the host system.

The components were combined in the memory space of the benign service pack to create a malicious DLL. The malicious activity started and the system was compromised. This was made possible by taking advantage of the side loading functionality of the operating system. It is still notable that a number of other factors also contributed to the compromise as well such as a benign file being used to start the process of this compromise. This still serves as a great example of how using spoofed DLLs and the side-by-side loading capability can be dangerous for end users and corporate entities.

This particular vulnerability is more likely to be used in APT campaigns, which are highly targeted for specific companies or markets, it is highly unlikely that a typical user would encounter malware utilizing this specific technique. To this point there have been no indications that this will remain the case as time progresses. Regardless, this still serves as a great example of how using spoofed DLLs and the side-by-side loading capability can be dangerous for end users and corporate entities.