Threat Intel | Web Crew
It's been a while since I've done a threat intel piece, so I wanted to put together a new one to show off some new methods and tips. This piece is called Web Crew due to the names of some malware they were hosting on some of their servers. So, let's get to it!
Discovery
I started my search for new work by firing up Threat Inc.'s Tango app to see if there was anything new and exciting going on, on our honeypots. There's always usually something happening, so I just grabbed one incident that seemed pretty active at the time.
I started looking at this incident, since there were three sessions, all originating from the same attacker, going to two different honeypots in a short amount of time. The attacker in this case was 61.174.49.51, an IP based out of China. So, let's start digging...
Initial Investigation
I noticed that in each of the three sessions, the attacker was doing different things in each. For example, in the first session, 06/11/2015 14:07:02, he ran about 10 commands, whereas the other two sessions, 06/11/2015 14:11:14 and 06/11/2015 14:29:01 he ran 3 and 8 respectively. Also peculiar is the fact that in the first session he was grabbing the malware from a completly different domain, hxxp://183.60.223.169:8889, as opposed to the other two sessions where they reached out to hxxp://61.174.49.51:6664. At the time of the my investgation, the 183.60.223.169 domain was down, however, the files seemed to be similar to the ones hosted on the 61.174.49.51 address, with names such as www2.6, www2.4, wwwarm, wwwwrt indicating malware designged for various architectures.
61.174.49.51
Checking out the webserver for this address on port 6664 turns up the typical HFS server, however, surprisingly it was in Chinese. There are a few files being hosted on this server, most of which were being requested in the sessions seen in Tango.
For the three original sessions I started looking at, I noticed requests for files from that server that looked something like kkk_
Here's the Whois information for the host:
inetnum: 61.174.48.0 - 61.174.49.255
netname: HANGZHOU-SRT-TECHNOLOGY-CO-LTD
country: CN
descr: HANGZHOU SRT TECHNOLOGY CO., LTD
descr:
admin-c: BB324-AP
tech-c: CH119-AP
mnt-irt: IRT-CHINANET-ZJ
status: ASSIGNED NON-PORTABLE
changed: zjnoc_ip_1@163.com 20120730
mnt-by: MAINT-CN-CHINANET-ZJ-HU
source: APNIC
All three sessions lasted under 3 seconds each, and the attacker was seen using two different SSH clients, SSH-2.0-PuTTY_Local:_May_14_2009_21:12:18 and SSH-2.0-libssh2_1.4.3. We also have sessions from this host going back to June 2nd, with the latest attack being the 6/11/15 14:29:01 session.
If we wanted to build a timeline of events for this host, we can run a Splunk query like this:
Trying to build a timeline of their attack history, we can run a search like this in our Splunk logs:
sourcetype=kippojson [ search sourcetype=kippojson src_ip="61.174.49.51"
| stats count by session | fields session ]
| transaction session | search shasum=*
| stats count by url, _time
The above will give us all the URL's they attempted to download malware from, as well as the time they tried to download the malware.
Besides the two IP's we've found so far, if we go back to the 2nd of June, where the first attack happened from this host, we can see the attacker attempting to download malware from hxxp://222.186.21.103:10086, with the two files being:
hxxp://61.174.49.51:8088/mf222
hxxp://61.174.49.51:9999/sssssa
Again, at the time of my investigation, this domain was offline.
The attacker waited a few days, then started back up again on the 8th, using the 61.174.49.51 domain for hosting the malware they tried to grab. There were 2 sessions on the 8th, grabbing the following files:
hxxp://61.174.49.51:8088/mf222
hxxp://61.174.49.51:9999/sssssa
Throughout 9th, 10th, and 11th of June, they switched between both malware domains (61.174.49.51 and 222.186.21.103), both hosting files using the .htm extension.
File Analysis
Next, let's look at the files being downloaded on the honeypots. There's definitely overlap in the files, since it seems a lot of the files produce the same hash, even for ones which would look like they are for different architectures. In total, there are 13 different hashes being produced, for 41 different URLs.
Knowing all the different file hashes of this malware, I then looked at if anyone else was downloading these files. Turns out there were three total attackers:
- 61.174.49.51
- 222.186.21.103
- 183.60.223.169
One thing to note, they were all grabbing the malware from each of the IP's we know about (ex. 61.174.49.51 grabbing malware from each of the other two IP's, and the same for each other IP).
Let's take a look at the other hosts involved...
183.60.223.169
Again, this IP was located in China and had the following Whois data:
inetnum: 183.0.0.0 - 183.63.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN
admin-c: IC83-AP
tech-c: IC83-AP
status: ALLOCATED PORTABLE
remarks: service provider
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20091009
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-GD
source: APNIC
This host also used the same two SSH clients as our first IP:
- SSH-2.0-PuTTY_Local:_May_14_2009_21:12:18
- SSH-2.0-libssh2_1.4.3
Looking through the sessions that this host was seen in, we were able to acquire a new indicator, which was mjg.f3322.org. They were seen attempting to download the file User2.htm from mjg.f3322.org on port 8888.
Using the site detux.org, we were able to see that this domain resolved to 61.174.49.51, which was our first indicator and our initial IP we started investigating, what a coincidence! More information can be found here.
This host was seen attempting to grab malware from the f3322.org domain (which resolved to the 61.174.49.51 host at the time), as well as their own IP.
222.186.21.103
Next up on our list is the 222.186.21.103 host, which again, was located in China.
inetnum: 222.184.0.0 - 222.191.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CJ186-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-JS
mnt-routes: MAINT-CHINANET-JS
remarks: This object can only modify by APNIC hostmaster
remarks: If you wish to modify this object details please
remarks: send email to hostmaster@apnic.net with your
remarks: organisation account name in the subject line.
changed: hm-changed@apnic.net 20040223
status: ALLOCATED PORTABLE
This host was seen a lot earlier than the other two, with attacks dating back to 03/02/2015. We also noted some more SSH clients in use:
- SSH-2.0-PuTTY_Local:_May_14_2009_21:12:18
- SSH-2.0-libssh2_1.4.3
- SSH-2.0-libssh2_1.4.2
- SSH-2.0-paramiko_1.8.1
One thing to note about all our attackers so far, is, while some of the sessions vary by activity and time, they all seem to use SSH libraries to connect to our honeypots, which are a good indicator that these hosts are bots and not manually controlled. libssh is a common used SSH library, and Paramiko is a "Native Python SSHv2 protocol library", meaning these are definitely scripts doing the work for them.
mjg.f3322.org
Using passivetotal, we can see the mjg.f3322.org domain resolved to 183.60.233.169 on 06-11-2015. So, this tells us they've switched the DNS records for this domain at some point, since it resolved to the 183.60.233.169 host, and the 61.174.49.51 host. As of right now, this domain still resolves to the 183.60.233.169 host.
I checked out the registrar details for this domain and pulled back the following:
Email ppyy@astpbx.com (a,t,r)
Name peng yong (a,t,r)
Organization Bitcomm ltd. (a,t,r)
Street yinyuan building (a,t,r)
City changzhou (a,t,r)
State Jiangsu (a,t,r)
Postal 213002 (a,t,r)
Country CN (a,t,r)
Phone 8651968887168 (a,t,r)
Fax 8651968887169 (a,t,r)
Indicator Analysis
Utilizing virustotal, I searched for all four of our attackers/domains:
- 61.174.49.51 previously resolved to lengker.com on 12-13-2014
- No Further Information (NFI) on 222.186.21.103
- 183.60.233.169 resolved to mjg.f3322.org on 6-12-15 and to tgmmh.com on 10-27-13
Nothing of value could be gleaned from the WHOIS of tgmmh.com except for the registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
With what we know right now, we can almost say with a fact, that all three of these IP's and one domain are all related to the same actor/group of actors operating out of China.
One quick note, the best thing about all the work done so far has all been passive research, we haven't even touched their actual infrastructure, which is great. I will make a note here though, that before we continue, we may not have all the malware samples from each of these sites. That's where TOR/proxychains can come into play.
Since we'd want to grab all their malware, we don't want to give up who we are by browsing their sites (although I'm sure they wouldn't notice...). Anyways, we can fire up the TOR browser bundle and hit up our command line with something like:
proxychains4 wget -r https://<badguyip>:<port>
The above will use TOR to mask our source IP and grab all the files hosted on the sites we've seen above. If we can't do passive, we might as well be sneaky as possible...
Now that we have a good baseline of our attackers, we can start digging more into the malware to see it's purpose and to possibly glean any more useful information from the malware.
Malware Analysis
Alright, let's start looking at our files, first let's see what type of files we're dealing with:
brian@nullsecure ~/Desktop/61.174.49.51:6664 > file *
123.rar: RAR archive data, v1d, os: Win32
KKK_htm: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, stripped
KKSS.rh: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
kkk_3.htm: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, stripped
kkk_4.htm: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
kkk_6.htm: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
rrrr.1: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
Now let's get their hashes:
brian@nullsecure ~/Desktop/61.174.49.51:6664 > md5 *
MD5 (123.rar) = 040e679028b1dde876bb49b09e43509d
MD5 (KKK_htm) = e1d69b8c480cc2a50c94255e8bc5fba6
MD5 (KKSS.rh) = f59b74fbe80b0f48fcfb192d9f28c4d0
MD5 (kkk_3.htm) = 6c7734cad8e0fc1d1b52087b9d09610b
MD5 (kkk_4.htm) = 89ed34683d2b81d9e5cde1c1ad97710a
MD5 (kkk_6.htm) = 51e7501e9a04d3eb7f90d1b1dd1b3f37
MD5 (rrrr.1) = b1acbefac08d5ed3c2aa2f6d62e7c93d
brian@nullsecure ~/Desktop/61.174.49.51:6664 > shasum -a 256 *
863cbf4ff59624e0df8c3d71664917e0820597df306743d93cf79907997044f9 123.rar
2ba446d48141b19921e1c623c610eccb021c8b20f05fdcd2baeeb8be80645fe3 KKK_htm
b0f3adc6eceee2d198c94a21484bf94c848533f9efe9748e2a94a13ed805e92b KKSS.rh
6d4f38761039a2f064b57b29e1f0a0575866adf8be157b5e9d9c386798fe66c1 kkk_3.htm
7d25523aa0b857a262953c281a92ae9c759f7f79dde244bf7c161c0b08cc678d kkk_4.htm
8f915e4777daba125de5d2c6ec2aa70bf2af65985c8c1fb8b8a55817470faafc kkk_6.htm
5962c55404cd55e5fca4e0daadd6c1d9e249e4b849d271bb83441d91b314e52d rrrr.1
And lastly, file sizes:
brian@nullsecure ~/Desktop/61.174.49.51:6664 > ls -alh
drwxr-xr-x 4 Brian staff 136B Jun 12 10:36 123
-rw-r-----@ 1 Brian staff 442K Jun 11 21:30 KKK_htm
-rw-r-----@ 1 Brian staff 385K Jun 11 21:30 KKSS.rh
-rw-r-----@ 1 Brian staff 444K Jun 11 21:30 kkk_3.htm
-rw-r-----@ 1 Brian staff 348K Jun 11 21:30 kkk_4.htm
-rw-r-----@ 1 Brian staff 734K Jun 11 21:30 kkk_6.htm
-rw-r-----@ 1 Brian staff 474K Jun 11 21:30 rrrr.1
Next, let's submit these to VirusTotal to see what's been seen before and what hasn't.
123.rar was not submitted previously, and had no hits. We open the .rar file and notice why...it's just two text files with Chinese filenames containing a list of IP's, ports, usernames and passwords, most likely a list of potential victims.
The first file contained a list of 254,293 hosts, the second one contained the same results, just formatted a little differently.
Next, KKK_htm was analyzed for the first time as well in VT, and produced some hits. Looks like a file from the MrBLack malware family.
KKSS.rh was analyzed about a week ago, and had 8/56 hits, which were:
| Antivirus | Result | Update |
|---|---|---|
| Ikarus | Trojan.Linux.Setag | 20150531 |
| ESET-NOD32 | Linux/Setag.B.Gen | 20150531 |
| AVG | Linux/BackDoor_c.CK | 20150530 |
| AhnLab-V3 | Linux/Backdoor.393728 | 20150530 |
| DrWeb | Linux.BackDoor.Gates.6 | 20150531 |
| Kaspersky | HEUR:Backdoor.Linux.Ganiw.a | 20150531 |
| Avast | ELF:Elknot-AY [Cryp] | 20150531 |
| Jiangmin | Backdoor/Linux.ab | 20150529 |
kkk_3.htm, kkk_4.htm and kkk_6.htm were all analyzed for the first time and had signatures for MrBlack and Dofloo.
rrrr.1 had a little less hits than the others, with only 7 out of 57. It's hits were for:
| Antivirus | Result | Update |
|---|---|---|
| AVG | Linux/Backdoor.A | 20150612 |
| Avast | ELF:Elknot-BL [Cryp] | 20150612 |
| DrWeb | Linux.BackDoor.Gates.7 | 20150612 |
| ESET-NOD32 | Linux/Setag.B | 20150612 |
| Ikarus | Backdoor/Linux.ky | 20150612 |
| Jiangmin | HEUR:Backdoor.Linux.Ganiw.a | 20150610 |
| Kaspersky | HEUR:Backdoor.Linux.Ganiw.a | 20150612 |
Next, let's see if these files are packed. There are a few ways to do this, but, let's start with something basic.
I started by running strings on rrrr.1 to see if it was unpacked, since if a file was packed, we wouldn't be able to make out many of the strings. Looking through the file, everything is complete gibberish, most likely meaning it was packed. I get about 3/4 of the way through the file and notice this string:
$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $
So, if the gibberish ASCII strings were any indication that it was packed, this surely tells us it was packed. Next thing to do is unpack it:
brian@nullsecure ~/Desktop/61.174.49.51:6664 > upx -d rrrr.1
Now, when we run strings, we can see a lot more legiable strings in the file, things such as:
9CAttackIe
9CAttackCc
10CTcpAttack
15CAttackCompress
10CAttackPrx
10CAttackAmp
10CAttackDns
11CAttackIcmp
10CAttackSyn
10CAttackUdp
13CPacketAttack
11CAttackBase
7CSerial
The above strings go along with the fact that these are DDoS files, and the above are various types of DDos attacks.
Next, I found the following strings, which would indicate some sort of HTTP requests:
Keep-Alive
Connection
User-Agent
image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg,
application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, */*
Accept
zh-CN
Accept-Language
gzip, deflate
Accept-Encoding
CONTENT-LENGTH
Along with some user-agents:
Mozilla/5.0 (|S|) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/|D&23&25|.
|D&0&9|.|D&1000&9000|.|D&10&99| Safari/537.17
Mozilla/5.0 (|S|; rv:18.0) Gecko/20100101 Firefox/18.0
Opera/|D&7&9|.
|D&70&90| (|S|) Presto/2.|D&8&18|.|D&90&890| Version/|D&11&12|.|D&10&19|
We can also see a large amount of hardcoded IP address in here. We can use a function that @Andrew__morris wrote called ipgrab, to just run a regex on the output of strings to look for anything that is an IP address.
strings rrrr.1 | ipgrab > ips.txt
The code for the function below, for anyone interested:
function ipgrab()
{
read line; echo $line | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}';
while read line; do echo $line | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'; done
echo $line | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}';
}
Just plop that in your .bashrc file and you should be good to go.
After running the ipgrab function on the file and piping that to ips.txt file, we can check the file out. Turns out there are 356 IP Addresses in rrrr.1.
Running cat ips.txt | sort -u | wc -lleaves us with 348 IP's after sorting
We can use a quick little python script to spit out the network description and country code to get a better list of the IP's in this file.
from ipwhois import IPWhois
from pprint import pprint
with open('ips.txt') as f:
for ip in f:
try:
obj = IPWhois(ip.strip())
results = obj.lookup()
print results['nets'][0]['description'], results['asn_country_code']
except:
pass
With this script we can run python resolve.py > filtered.txt
Then, with our finalized list of IP's, we can run something like cat filtered.txt | sort | uniq -c | sort -n and be left with a sorted list of unique networks, which gives us the top networks targeted:
10 CHINANET jiangsu province network
14 A12,Xin-Jie-Kou-Wai Street
14 Beijing 100088 CN
17 China Mobile Communications Corporation
17 Internet Service Provider in China CN
17 Mobile Communications Network Operator in China
24 China Telecom
37 China Telecom CN
37 Data Communication Division
51 China Unicom CN
Given the above list, we can clearly see this is targeting a good bit of IP's in China.
Dynamic Analysis
Next, let's go ahead and run this file inside a Vagrant VM to see what's going on...
First, we make the rrrr.1 file executable chmod +x rrrr.1, then run it ./rrrr.1
In another terminal, we'll run tcpdump to see what type of traffic we're seeing:
tcpdump -i eth0 -nnvvXS port not 22
We run the malware, and start noticing it's sending traffic to one of the three known hosts - 183.60.233.169 over port 36000
Just like my last post on MrBlack, we can see some identifying traffic being transmitted, like:
0x0000: 4500 009c c6ab 4000 4006 c6bb 0a00 020f E.....@.@.......
0x0010: b73c e9a9 b661 8ca0 c1cb 7078 1944 c002 .<...a....px.D..
0x0020: 5018 7210 ad83 0000 0100 0000 6c00 0000 P.r.........l...
0x0030: 00f4 0100 0032 0000 00e8 0300 0000 0000 .....2..........
0x0040: 0000 0000 0000 0000 0000 0101 0200 0000 ................
0x0050: 0100 0000 0a00 020f 0a00 020f 0a00 020f ................
0x0060: 0a00 020f 0a00 020f ffff 0100 0000 0000 ................
0x0070: 3a00 0100 0000 0909 0000 e901 0000 4c69 :.............Li
0x0080: 6e75 7820 332e 3133 2e30 2d34 352d 6765 nux.3.13.0-45-ge
0x0090: 6e65 7269 6300 4733 2e31 3100 neric.G3.11.
We'll let this run for a while and then open it up in Wireshark to see what we found out...
After letting this run for a good bit, we fire up wireshark. Let's see what IP's this box was communicating with during this time. By going to Statistics -> Endpoints -> IPv4, we can see there were only three hosts involved: my Vagrant machine, my host machine and the attacking machine.
Looking at the traffic, we see the same type of traffic being sent around 30 to 40 seconds to the attacking host. It's 116 bytes of data being sent along with the 54 bytes for headers resulting in packets 170 bytes in size, with the data never changing and always looking like the following:
This is different from when I looked at the other Mr. Black samples in the past, since they would have pipe delimted fields with the string MrBlack in the actual sample. I'm sure they realized that wasn't the smartest idea to include the name of their malware in traffic since that could easily be picked up by any IDS.
So, besides trying to dig deeper into this malware, which I don't feel confident enough to do yet, we can try to generate some YARA rules to scan for this type of malware on other systems.
YARA Signatures
I just started messing around with an awesome tool called yarGen which can take a malicious file and compare the strings found to known good strings from goodware files, which leaves us with strings that are probably bad. To run this, we simply run:
python yarGen.py -m ~/vagrant/ubuntu_64_analysis/rr/
The above will recursively scan the rr directory for files, then read in the good-strings.db file and then produce a YARA rules file to be used to search for this malware.
Here it is in action:
Reading goodware strings from database 'good-strings.db'...
Processing malware files ...
Processing: /Users/Brian/vagrant/ubuntu_64_analysis/rr/rrrr.1
Generating statistical data ...
Generating Super Rules ... (a lot of foo magic)
Applying intelligent filters to string findings ...
Filtering string set for /Users/Brian/vagrant/ubuntu_64_analysis/rr/rrrr.1 ...
Generating simple rules ...
Generating super rules ...
Generated 1 SIMPLE rules.
Generated 0 SUPER rules.
All rules written to yargen_rules.yar
Bam! Rule created.
Let's check out yargen_rules.yar to see what it came up with:
brian@nullsecure ~/Desktop/yarGen-master > cat yargen_rules.yar
/*
Yara Rule Set
Author: YarGen Rule Generator
Date: 2015-06-12
Identifier:
*/
/* Global Rule -------------------------------------------------------------- */
/* Will be evaluated first, speeds up scanning process, remove at will */
global private rule gen_characteristics {
condition:
uint16(0) == 0x457f and filesize < 7429KB
}
/* Rule Set ----------------------------------------------------------------- */
rule _Users_Brian_vagrant_ubuntu_64_analysis_rr_rrrr {
meta:
description = "Auto-generated rule - file rrrr.1"
author = "YarGen Rule Generator"
reference = "not set"
date = "2015-06-12"
hash = "536b282fb9990451fc08a7a827c688c6c385bf63"
strings:
$s0 = "_ZN14CThreadHttpGet11ProcessMainEv" fullword ascii
$s1 = "_ZN19CThreadFXConnection17GetFakeDetectPortEv" fullword ascii
$s2 = "_ZN17CThreadConnection17GetFakeDetectPortEv" fullword ascii
$s3 = "_ZN17CThreadFakeDetect11ProcessMainEv" fullword ascii
$s4 = "ThreadHttpGet.cpp" fullword ascii
$s5 = "_ZN14CThreadRecycle11ProcessMainEv" fullword ascii
$s6 = "_ZN19CThreadShellRecycle11ProcessMainEv" fullword ascii
$s7 = "_ZN8CManager19RecycleShellProcessEv" fullword ascii
$s8 = "_ZN15CFakeDetectInfo17GetFakeDetectPortEv" fullword ascii
$s9 = "_ZN14CThreadLoopCmd11ProcessMainEv" fullword ascii
$s10 = "_ZNSt18_Vector_alloc_baseIP14CThreadHttpGetSaIS1_ELb1EEC2ERKS2_" fullword ascii
$s11 = "_ZN8CManager19DoFakeDetectCommandEP7CCmdMsg" fullword ascii
$s12 = "_ZN17CThreadFakeDetect16SetFakeDetectCmdER15CFakeDetectInfo" fullword ascii
$s13 = "_ZSt11__copy_aux2IP14CThreadHttpGetEPT_S3_S3_S3_11__true_type" fullword ascii
$s14 = "_ZSt19__copy_backward_auxIPP14CThreadHttpGetS2_ET0_T_S4_S3_" fullword ascii
$s15 = "_ZSt13__destroy_auxIPP14CThreadHttpGetEvT_S3_11__true_type" fullword ascii
$s16 = "relocation processing: %s%s" fullword ascii
$s17 = "%s%s%s:%u: %s%sAssertion `%s' failed." fullword ascii
$s18 = "ELF load command address/offset not properly aligned" fullword ascii
$s19 = "_ZN8CManager14RecycleProcessEv" fullword ascii
$s20 = "_ZNSt12_Vector_baseIP14CThreadHttpGetSaIS1_EED2Ev" fullword ascii
condition:
uint16(0) == 0x457f and filesize < 7429KB and all of them
}
For those who haven't messed with YARA rules before, I'll try to break out what it's searching for:
The top section between the /* and */ are just comments we can put in. Next is a global rule which looks for a certain condition. The condition is stating that there is an unsigned integer that is 16 bits long at offset 0 which is 0x457f in hexadecimal, and that the filesize is less than 7.5MB (7,429KB). The uint16(0) == 0x457f part I mentioned above, is looking for the Executable and Linkable Format (ELF) "magic number" which indicates that it is an ELF file.
To verify that the magic number is present, we can run something like hexdump and check it out for ourselves.
brian@nullsecure ~/Desktop/yarGen-master > hexdump ~/vagrant/ubuntu_64_analysis/rr/rrrr.1 | head
0000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
0000010 02 00 03 00 01 00 00 00 e0 80 04 08 34 00 00 00
0000020 38 03 12 00 00 00 00 00 34 00 20 00 03 00 28 00
0000030 1f 00 1c 00 01 00 00 00 00 00 00 00 00 80 04 08
0000040 00 80 04 08 e8 68 11 00 e8 68 11 00 05 00 00 00
0000050 00 10 00 00 01 00 00 00 00 70 11 00 00 f0 15 08sa
We can see right there at offset 0 is 7f 45, which as you'll notice is reversed from what we are searching for. That's because we look for them in YARA as little-endian format, which means the least signficant bits first, so, if you were to take 7f45, the "least signficant" bits would be 45 since they are not as valuable as 7F. For example, 0x7f45 in decimal is 32,581, which is 0111111101000101 in binary, meaning the farthest left bit that is a 1 equals 16,384, thus making it a lot larger than the farthest right bit, which is equal to 1.
I went ahead and tried making my own YARA rule before I messed with yarGen, and produced something like the following:
rule MrBlack
meta:
description = "MrBlack Malware Family"
author = "Brian Warehime"
date = "2015-06-12"
{
strings:
$attack_string1 = "9CAttackIe"
$attack_string2 = "9CAttackCc"
$attack_string3 = "10CTcpAttack"
$attack_string4 = "15CAttackCompress"
$attack_string5 = "10CAttackPrx"
$attack_string6 = "10CAttackAmp"
$attack_string7 = "10CAttackDns"
$attack_string8 = "11CAttackIcmp"
$attack_string9 = "10CAttackSyn"
$attack_string10 = "10CAttackUdp"
$attack_string11 = "13CPacketAttack"
$attack_string12 = "11CAttackBase"
$attack_string13 = "7CSerial"
$user_agent1 = "Mozilla/5.0 (|S|) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/|D&23&25|.
|D&0&9|.|D&1000&9000|.|D&10&99| Safari/537.17"
$user_agent2 = "Mozilla/5.0 (|S|; rv:18.0) Gecko/20100101 Firefox/18.0"
$user_agent3 = "Opera/|D&7&9|.|D&70&90| (|S|) Presto/2.|D&8&18|.
|D&90&890| Version/|D&11&12|.|D&10&19|"
condition:
all of them
Looking at what yarGen produced versus what I produced turned me on to some new things to implement in the future, things like the "magic number" and filesize. In my rule, I just searched for specific attack strings seen as well as the user agents noted in the malware. I'm sure both would work equally well, however, I enjoyed the practice of trying to make my own.
Once we have the rules created, we can go ahead and scan our system like so:
brian@nullsecure ~/Desktop > yara -r mrblack.yara ~/vagrant/ubuntu_64_analysis/
MrBlack /Users/Brian/vagrant/ubuntu_64_analysis/cywlooxx11
MrBlack /Users/Brian/vagrant/ubuntu_64_analysis/rr/rrrr.1
So, we can see our rrrr.1 file got picked up, as well as another file I had sitting around that was another MrBlack sample.
Next up, let's put together a Maltego graph illustrating their attacker/domain infrastructure. We can see a lot of overlap between the filenames and hashes associated with each domain. Here's a screenshot of what it looks like, but, feel free to play around with the maltego graph here as well.
Conclusion
Well, that about covers it. I'm sure there was a lot more I could have done, but, I think this touched on a few new things that I've been doing lately and hopefully was educational for some.
If you have any questions or thoughts about this post, feel free to message me on Twitter, @brian_warehime.