Funky Malware Formats

Transcript

1. None

2. INTRODUCTION What is this talk about? • Custom PE loaders

   are typical in malware nowadays • How common are custom formats? • We set out to answer this very question • Much like searching for new forms of life • We bring you some of our findings in this talk • But before so…

3. ABOUT US Meet the special agents Mark Lechtik Aleksandra Doniec

   @_marklech_ Check Point Research @hasherezade Malwarebytes
4. None

5. HIDDEN BEE

6. • Distributed by Underminer EK • Chinese miner • High

   and low-level elements: including a bootkit • We will focus on the high-level part: loaders in custom format HIDDEN BEE Profile

7. 23 JULY 2018 MALWAREBYTES SLACK CHANNEL HIDDEN BEE Story

8. • bin/i386/core.sdb bin/i386/core.sdb 52he3kf2g2rr6l5s1as2u0198k.wasm glfw.wasm HIDDEN BEE Story

9. ? This is not how the WASM file looks like...

   ? HIDDEN BEE Story

10. ? UFO… UNIDENTIFIED FILE OBJECT FOUND HIDDEN BEE Story

11. • We don’t have: the initial loader • We have:

    2 files with a consistent format • Let’s try to analyze the headers and guess what each field means • Let’s write our own loader HIDDEN BEE Story

12. typedef struct { WORD func_count; char name; } t_dll_name; ntdll.dll

    HIDDEN BEE Imports 0x13 0x18

13. 0x0d827481 0x60 HIDDEN BEE IAT

14. DWORD checksum(char *func_name) { DWORD result = 0x1505; while (

    *func_name ) result = *func_name++ + 33 * result; return result; } 0x60 0x0d827481 ntdll.dll HIDDEN BEE IAT 0x13

15. DWORD checksum(char *func_name) { DWORD result = 0x1505; while (

    *func_name ) result = *func_name++ + 33 * result; return result; } 0x0d827481 778b81e0 0x0d827481 = checksum("memchr") GetProcAddress(mod, "memchr") 778b81e0 HMODULE mod = LoadLibraryA("ntdll"); HIDDEN BEE IAT 0x60 ntdll.dll 0x13

16. 0x60 0x0d827481 0x13 HIDDEN BEE IAT ntdll.dll 0x13

17. 0x2a62 HIDDEN BEE Entry Point

18. 0x509c HIDDEN BEE File Size . . .

19. offset (0x4D78) size (0x0324) 0x0324 0x0284 HIDDEN BEE Relocations 0x0284:

    field to be relocated

20. https://github.com/hasherezade/bee_parser HIDDEN BEE Profile

21. OCEAN LOTUS

22. • Known as a Vietnamese APT32 group • Distributed mainly

    by phishing and waterholing attacks • Payloads of various types, often composed of multiple files OCEAN LOTUS Profile

23. 49a2505d54c83a65bb4d 716a27438ed8f065c709 OCEAN LOTUS Sample *sample provided by @MinhTrietPT

24. The Alien Files What is this mysterious „blob”? Both files

    seem to be in the same format... But what are they really? SPORDER.cab It doesn’t look like a CAB format! SPORDER.blob OCEAN LOTUS

25. SPORDER.cab SPORDER.blob XOR key? OCEAN LOTUS The Alien Files

26. SPORDER.cab SPORDER.blob OCEAN LOTUS The Alien Files

27. SPORDER.cab <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker"

    uiAccess="false"></requestedExecutionLevel> </requestedPrivileges> </security> </trustInfo> We can find artefacts indicating that this format was converted from a PE file OCEAN LOTUS The Alien Files

28. SPORDER.cab OCEAN LOTUS The Alien Files

29. SPORDER.blob Sections: • not in the same order as typical

    PE • virtual format same as raw • custom headers - stripped in the virtual format OCEAN LOTUS The Alien Files

30. Raw format Header 1 The executable part (shuffled sections, converted

    from a PE file) Header 2 Padding The executable part (shuffled sections, converted from a PE file) Loaded imports Virtual format OCEAN LOTUS The Alien Files

31. SPORDER.dll sporder.exe SPORDER.cab SPORDER.blob hp6000.dll OCEAN LOTUS The Alien Files

    The loader All executables are used as a loading chain

32. We are lucky: we have the loader Let’s just look

    inside and see how it works! hp6000.dll One loading function for both: confirmed consistent format OCEAN LOTUS Approach

33. Header 1: before the executable part val + 0x2000 size

    of executable area XOR OCEAN LOTUS Format Details Allocation of executable area: Key[1] Key[0]

34. Header 2: after the executable part val * 8 +

    0x400 space for loading imports OCEAN LOTUS Format Details Allocation of imports area:

35. Relocations? Imports? Exports? Entry Point? All together? Header 2: after

    the executable part OCEAN LOTUS Format Details What do we have here?

36. Header 2: records OCEAN LOTUS Format Details Type 1: Relocation

37. Relocation Field (0x3cab5) Header 2: records typedef struct { DWORD

    reloc_field; } reloc_t; Type (1) OCEAN LOTUS Format Details Type 1: Relocation

38. Header 2: records Type 2: Entry Point/Export OCEAN LOTUS Format

    Details

39. Header 2: records typedef struct { DWORD count; DWORD func_rva;

    DWORD name_rva; } entry_point_t; OCEAN LOTUS Format Details Type 2: Entry Point/Export Count (1) Function RVA (0x4900) Name RVA (0x10ad9f) IsValidLinkInfo Type (2)

40. Header 2: records Type 3: Import OCEAN LOTUS Format Details

41. Header 2: records typedef struct { DWORD type; DWORD dll_rva;

    DWORD func_rva; DWORD iat_rva; } import_t; OCEAN LOTUS Format Details Type 3: Import Type (3) IAT RVA (0x1000) Import By Name (2) DLL RVA (0x10a8c8) Function RVA (0x10a8aa) RegOpenKeyExW ADAVAPI32.DLL

42. OCEAN LOTUS Format Details Header 2: records Type 3: Import

43. None

44. GOZI PE Like never seen before

45. GOZI PE Like never seen before Overview • A popular

    banking Trojan • Also known as: ISFB, Ursnif • Source code has been leaked and reused across multiple variants • We are going to discuss Gozi version 3 • Paper by Maciek Kotowicz’s (@maciekkotowicz): https://lokalhost.pl/txt/isfbv3.pdf

46. GOZI Unpacking atypical payload Added Header PE-sieve unpacks malware by

    dumping the payload from memory. But unpacking Gozi v3 turned a bit problematic...

47. • In the dumped PE, we are still missing: •

    The Entry Point • Imports • Exports • Relocations • Let’s see how this PE looks in the memory, before it is mapped to the virtual format... GOZI

48. GOZI PE Like never seen before Load Sequence EXE EXE

    1st stage loader 2nd stage loader ?

49. GOZI PE Like never seen before Modified Format Modified DOS

    Header Modified Section Table Original Sections Original NT Headers Original Section Table Modified Data Directories Modified PE Header Modified Headers Original PE Fields

50. GOZI PE Like never seen before Modified Format Modified DOS

    Header Modified Section Table Original Sections Original NT Headers Original Section Table Modified Data Directories Modified PE Header

51. GOZI PE Like never seen before Magic Checksum NT Header

    Offset Image Size Modified Format Magic NT Header Offset “PX” = Portable Xecutable? Modified PE Size Modified DOS Header Modified Section Table Original Sections Original NT Headers Original Section Table Modified Data Directories Modified PE Header Nt Header Size Example: Pointer to the original PE header Original NT Headers 0x958

52. GOZI PE Like never seen before Modified DOS Header Modified

    Format Modified Section Table Original Sections Original NT Headers Original Section Table Import Directory Header Export Directory Header Import Address Table Header Security Directory Header Unknown Directory Header Modified Data Directories Relocation Directory Header Modified PE Header Entry Point Machine ID Sections Count Original Format

53. GOZI PE Like never seen before Modified DOS Header Modified

    Format Modified Section Table Original Sections Original NT Headers Original Section Table Import Directory Header Export Directory Header Import Address Table Header Security Directory Header Unknown Directory Header Modified Data Directories Relocation Directory Header Modified PE Header Entry Point Machine ID Sections Count Original Format Modified Directory Headers • PX format contains only subset of the PE format directory headers • Order of appearance of directory headers is different

54. GOZI PE Like never seen before Original RVA Current RVA

    Modified DOS Header Modified Format Modified Section Table Original Sections Original NT Headers Original Section Table Size Import Directory Header Export Directory Header Import Address Table Header Security Directory Header Unknown Directory Header Modified Data Directories Relocation Directory Header Modified PE Header Original RVA Size Current RVA Entry Point Machine ID Sections Count Entry Point Machine ID Sections Count Example: RVA of directory in original PE (0xBD10) Size of directory (0x41) RVA in PX format (0x3B0) IMAGE_FILE_MACHINE_I386

55. GOZI PE Like never seen before • Attempt to revive

    the PE format with a new “flavor” • To recover the original PE, we need to dump the PX format, and use the converter https://github.com/hasherezade/funky_malware_parsers/ tree/master/isfb_parser EXE PX

56. BACKSWAP BMP with a twist Overview • Banking malware revealed

    by ESET at May 2018 • Known to target banks in Poland, Spain and Czech Republic • Derivative of the Tinba banking malware • Known to use innovative techniques to avoid detection • Comes in an executable that diverts execution to a weird blob

57. BACKSWAP BMP with a twist Bitmap Header Pixel Data File

    Header BMP format outline

58. BACKSWAP BMP with a twist File Header signature size padding

    data start ‘B’‘M’ 00 00 00 00 76 00 00 00 FF004000

59. BACKSWAP BMP with a twist File Header signature size padding

    data start ‘B’ 00 00 00 00 76 00 00 00 FF004000 ‘M’ It is possible to modify the size field so that it will represent a jump instruction!

60. DE 54 E9 42 4D BACKSWAP BMP with a twist

    File Header signature size padding data start INC EDX DEC EBP 00 00 00 00 76 00 00 00 00 00 JMP offset It is possible to modify the size field so that it will represent a jump instruction!

61. BACKSWAP BMP with a twist Loader Code section Custom import

    table resolve decode Function Address Hash Function Address Hash Function Address Hash Function Address Hash Function Address Hash Bitmap Header Pixel Data File Header jump Malware format outline

62. BACKSWAP BMP with a twist Loader Code section Custom import

    table Bitmap Header Pixel Data File Header When we try to visualize the BMP, we realize it’s a polyglot polyglot binary represented by several formats, depending on how you look at it @angealbertini

63. BACKSWAP BMP with a twist Loader Code section Custom import

    table Bitmap Header Pixel Data File Header Malware Payload

64. BACKSWAP BMP with a twist Loader Code section Custom import

    table Bitmap Header Pixel Data File Header Malware Payload Eric Cartmen
65. None

66. ALIENS AMONG US Binary Format you Never Heard of •

    Typical format in AIX • IBM proprietary Unix OS • AIX is Deployed on various platforms, usually as a server • Example: Payment Switch Servers • Transaction processing and routing decisions Auxiliary Header File Header .text .bss Section Raw Data Section Headers .text relocations .loader relocations Relocation data … XCOFF (Extended Common Object File Format) .data .loader Line Number Info Symbol Table String Table

67. ALIENS AMONG US Operation Fast Cash Payment Switch Server Payment

    Switch Application Injected XCOFF Implant XCOFF Malware Hooks (send, recv) Install Compare Request Response applist.dat Encrypted list of attacker controlled Primary Account Numbers Fraudulent Cash Withdrawal Attempt Courtesy of Lazarus Money Mule Credit Card Very nice analysis of the XCOFF malware by Frank Boldewin (@r3c0nst)!
68. None

69. FINAL NOTES Funky formats are a spectrum

70. FINAL NOTES Funky formats are a spectrum

71. FINAL NOTES Custom formats make static detection problematic....

72. FINAL NOTES What does it take to make a custom

    format? What do we need to make code run? • Imports • Relocation If you can make a custom PE loader, you can take a step forward and make a custom format loader

73. THANK YOU Questions? Mark Lechtik Aleksandra Doniec @_marklech_ @hasherezade

74. APPENDIX • Malware analysis of Hidden Bee’s custom format, by

    Aleksandra (@hasherezade): • https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a- custom-format-hidden-bee-elements/ • Paper by Maciek Kotowicz’s (@maciekkotowicz) on Gozi custom format: https://lokalhost.pl/txt/isfbv3.pdf • Backswap publication by Itay Cohen (@megabeets_): • https://research.checkpoint.com/the-evolution-of-backswap/ • Analysis of Lazarus XCOFF malware (Operation Fast Cash) by Frank Boldewin: • https://github.com/fboldewin/FastCashMalwareDissected/blob/master/Operation %20Fast%20Cash%20- %20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected. pdf • Github repository with tools for analyzing the discussed formats: https://github.com/hasherezade/funky_malware_parsers