DistTrack: It’s Back with a Vengeance
Hila Cohen, Security Researcher, TrapX Research Labs
RESEARCH REPORT



© 2017 TrapX Security, Inc. All Rights Reserved.



Contents

Analysis Summary
About the DistTrack Malware
Attack Vector
    Spreading Across the Network
    Destruction of Files
    Command and Control Communications
DeceptionGrid in Action
Malware Analysis
Conclusion


Analysis Summary

On December 6, 2016, TrapX labs began analyzing the DistTrack malware (also known as Shamoon) to demonstrate how the TrapX DeceptionGrid™ solution could detect, analyze, and report its behavior. DeceptionGrid is designed to create highly convincing fake IT assets (decoys known as “Traps”) within internal networks, luring malware and human attackers to engage with these decoys instead of companies’ real assets.

Each Trap provides a degree of realism and interaction to the attacker, based on the Trap’s profile (e.g., file server, website, database server, etc.). Traps appear as real assets inside the network, with real IP addresses, host names, and network services, and simply wait for attacks to occur. Any interaction with a Trap produces a high-fidelity alert: security teams are notified immediately, and all activity is recorded for remediation and investigation. DeceptionGrid also provides sophisticated analysis of attackers’ tools, tactics, and procedures (TTPs); indicators of lateral movement; and detailed analyses of any payload captured by the DeceptionGrid.

The results of any attack activity are recorded and displayed in the TrapX Security Operation Center (TSOC), which allows analysts to review alerts, get metadata about various attacks against the Traps, and review timelines of events. Using DeceptionGrid to learn about the DistTrack malware has produced unique results, which are presented in this report. TrapX’s findings are detailed within, including the DistTrack malware analyzing the file system, copying additional malicious payload, and creating a scheduled task. This report also includes analysis of the threat, using static and dynamic analysis techniques and an attack timeline.


About the DistTrack Malware

DistTrack was first seen in 2012. Since then, it has been confirmed by the security community to have destroyed more than 30,000 systems. Recently, however, DistTrack has returned in a newer version, which spreads and destroys data faster, and has been observed being used in an attack targeting government systems in Saudi Arabia.

DistTrack is designed to compromise as many systems as possible, bringing them to the point at which they cannot boot up and load the operating system (OS). Once DistTrack is successfully executed on a system, it attempts to spread across the network using stolen administrator credentials, most likely gathered and hard-coded inside the malware before the attack phase begins.

DistTrack uses three resources during an attack. The first resource is a 64-bit binary version of the malware, which checks the architecture of the compromised system and deploys the necessary bit version of itself.

The second resource is responsible for communicating with a command and control (C&C) server.

The third resource is the wiper component, which extracts a driver from its resource section. The wiper uses the RawDisk driver to write to protected system locations such as the master boot record (MBR). It overwrites files with a famous picture of a drowned child refugee from Syria. The purpose of this picture is to symbolize Syria’s refugee crisis and to clearly underline DistTrack’s political motivations and agenda. DistTrack uses data obfuscation and encryption techniques to make it more difficult to detect and analyze, even for security professionals. It also uses anti-debugging techniques, calling Windows API functions such as IsDebuggerPresent to determine whether it is being analyzed by a debugger or a sandbox.


The following table contains the IOCs of the DistTrack malware in its components:

Table 1 – Static Indicators of Compromise

MALWARE COMPONENT SHA256

DistTrack malware (x86 version) 394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b

DistTrack malware (x64 version) 47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34

Wiper component 128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd

Communication component 61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842

Drdisk.sys (the driver) 4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6

Attack Vector

Spreading Across the Network

In an effort to achieve its mission of infecting and destroying the maximum number of systems, DistTrack uses stolen administrative credentials to spread across the network. As mentioned, these credentials are hard-coded inside the malware. To achieve this level of destruction, DistTrack attempts to spread via the local network and then disables the User Account Control (UAC) remote restrictions on every system by using the Windows API functions RegConnectRegistryW, RegOpenKeyExW, and RegSetValueExW. The lpSubKey parameter is given the value SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy in order to open the subkey with RegOpenKeyExW; RegSetValueExW then sets the value “1” in that subkey, as shown in figure 1:

Figure 1

Thereafter, DistTrack attempts to connect to remote systems with the Windows API function NetUseAdd, using the stolen credentials. After successfully connecting to a remote system, DistTrack attempts to open the csrss.exe process on that system to determine whether it has the privileges needed to copy itself into the C:\Windows\System32 folder. It then copies itself to the remote system under the filename ntssrvr32.exe and creates a scheduled task job to execute itself there. Before creating the job, however, DistTrack first checks the local time on the remote system and schedules the job to run 90 seconds later. Figure 2 shows the corresponding Windows API calls used to accomplish this activity:


Figure 2

Destruction of Files

DistTrack extracts the wiper component from its resource section and executes it with the argument “1”. The wiper then extracts a driver from its resource section and copies it to the Windows drivers location C:\Windows\System32\Drivers under the filename drdisk.sys, as shown in figure 3:

Figure 3

The wiper component also extracts the image of the drowned Syrian child from its resource section. Figure 4 suggests that the wiper calls the Windows API function LoadResource twice, with the first call extracting the drdisk.sys driver and the second extracting the image.

Figure 4

After driver extraction is completed, the wiper installs it by creating and starting a service called drdisk. Figure 5 shows the commands used to achieve this:

Figure 5


The drdisk.sys driver is a malicious version of the legitimate RawDisk driver, which enables direct access to files, disks, and disk partitions. Using this driver, the wiper enumerates files with the Windows API functions FindFirstFileW and FindNextFileW and overwrites important files on the targeted system with the extracted image of the drowned Syrian child.

Figure 6 shows the process of the wiper overwriting drivers on the target systems:

Figure 6

The wiper overwrites the files in the computer with the payload image as shown in figure 7:

Figure 7

After overwriting the files, the affected systems are then rebooted by the wiper component. However, given that the disk partitions and numerous key files and resources have been replaced, the affected system will not start properly, and any affected system will need to be reimaged from a well-known baseline image.

Command and Control Communications

DistTrack extracts the communication component from its resource section. This component tries to communicate with a C&C server over HTTP. However, the configured destination IP address is 1.1.1.1, which does not host any C&C server. This behavior suggests that DistTrack’s original purpose is to destroy systems across the local network rather than to establish an outbound connection for remote access. Figure 8 shows the attempted HTTP connections from this component of the malware to the remote IP address 1.1.1.1:

Figure 8
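As an added example (not TrapX or DistTrack code), the following Python correlates host telemetry against the stages described in the Spreading Across the Network, Destruction of Files and Command and Control sections: the LocalAccountTokenFilterPolicy change, the ntssrvr32.exe drop and scheduled task, the drdisk service with the Table 1 driver hash, and the HTTP attempt to 1.1.1.1. The event records and their field names are constructed assumptions, not a real telemetry schema.

```python
"""Correlate host telemetry against the DistTrack chain described above.
Added example, not TrapX or DistTrack code; event dicts are constructed to
mimic Sysmon/Windows-audit telemetry and their field names are assumptions."""

# Indicators taken from the report: Table 1 driver hash, the UAC policy value,
# the dropped filename and the C&C address.
DRDISK_SHA256 = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6"
UAC_VALUE = "localaccounttokenfilterpolicy"
PAYLOAD = "ntssrvr32.exe"
C2_ADDRESS = "1.1.1.1"

def _low(ev, key):
    """Lower-cased string field, or '' when the event lacks it."""
    return str(ev.get(key, "")).lower()

# One predicate per attack stage, in the order the report describes them.
STAGES = [
    ("uac_filter_disabled", lambda e: e.get("type") == "registry_set"
        and _low(e, "key").endswith(UAC_VALUE) and str(e.get("data")) == "1"),
    ("admin_share_connect", lambda e: e.get("type") == "share_connect"
        and _low(e, "share").endswith("$")),
    ("payload_dropped", lambda e: e.get("type") == "file_create"
        and _low(e, "path").endswith("\\system32\\" + PAYLOAD)),
    ("task_scheduled", lambda e: e.get("type") == "task_create"
        and PAYLOAD in _low(e, "command")),
    ("wiper_driver_installed", lambda e: e.get("type") == "service_install"
        and _low(e, "name") == "drdisk"
        and (_low(e, "sha256") == DRDISK_SHA256
             or _low(e, "path").endswith("\\drdisk.sys"))),
    ("c2_beacon", lambda e: e.get("type") == "net_connect"
        and e.get("dst") == C2_ADDRESS and e.get("port") == 80),
]

def correlate(events):
    """Return the chain stages present in `events`, ordered by first sighting."""
    seen = []
    for ev in sorted(events, key=lambda e: e.get("ts", 0)):
        for name, pred in STAGES:
            if name not in seen and pred(ev):
                seen.append(name)
    return seen

def is_disttrack_like(events, min_stages=3):
    """Alert once at least `min_stages` distinct stages are seen on one host."""
    return len(correlate(events)) >= min_stages

# Constructed telemetry from one host, modelled on the report's timeline.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "share_connect", "share": r"\\fs01\ADMIN$", "user": r"GACA\gacaadmin15"},
    {"ts": 2, "type": "registry_set", "data": "1",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy"},
    {"ts": 3, "type": "file_create", "path": r"C:\Windows\System32\ntssrvr32.exe"},
    {"ts": 4, "type": "task_create", "command": r"C:\Windows\System32\ntssrvr32.exe"},
    {"ts": 5, "type": "service_install", "name": "drdisk", "sha256": DRDISK_SHA256,
     "path": r"C:\Windows\System32\Drivers\drdisk.sys"},
    {"ts": 6, "type": "net_connect", "dst": "1.1.1.1", "port": 80},
]
```

Each stage alone is weak evidence (administrators legitimately set LocalAccountTokenFilterPolicy, for instance), so the alert fires only once several stages line up on one host.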


DeceptionGrid in Action

The TrapX labs team executed DistTrack in an isolated laboratory network, on a full Windows 7 32-bit OS. The TrapX Trap detected DistTrack attempting to spread across the local network. The TSOC displayed the actual timeline of the attack (as described in the Attack Vector section) from the moment DistTrack successfully executed in the Trap until it delivered the payload. The recorded activity includes the following steps:

1. Logging in to the Trap with the stolen credential GACA\gacaadmin15

2. Attempting to open the csrss.exe process to check the availability of administrator privileges

3. Checking to see if the malicious file was already in the system32 folder of the remote system

4. Copying itself to the C:\windows\system32\ folder on the remote system under the name ntssrvr32.exe

5. Creating a scheduled task job to run the payload

6. Deleting the scheduled task job after the execution of the payload

These steps are clearly visible in DeceptionGrid’s UI as shown in figure 9:

Figure 9

The DeceptionGrid platform captured the credentials used to log on to the Trap, which clearly shows DistTrack connecting to the administrative share on the system. We can also see that DistTrack attempts to open the csrss.exe file in the system32 folder, and then checks for the ntssrvr32.exe file in the same location.

Note: the timeline is clearly shown for the entire attack vector. TrapX’s unique timeline view is an interactive way of graphically presenting valuable intelligence about attack types and methods, with maximum visibility of any credentials or other proprietary information used. The TSOC also provides a static analysis of any binary landing on the Trap as a result of the malware execution. An example of this static information is referenced in the Malware Analysis section, below.

The TSOC also shows that DistTrack then creates itself on the target system as the file ntssrvr32.exe, as shown in figure 10. That executable is then executed under a local service account with the identifier “1”. This creates the scheduled task job, which is later deleted, as shown at the bottom of figure 10:

Figure 10

This clearly demonstrates the high fidelity of TrapX’s decoy Traps, which can provide a realistic attack surface for DistTrack, along with the ability to provide detailed insights into the actions that human attackers and malware take when interacting with the DeceptionGrid.

By ensuring that lightweight, patent-protected emulations from TrapX are present on each VLAN in the infrastructure, early breach detection can be provided. This includes copies of the malware binaries that are placed onto the Traps, offering visibility not only of the attack methods but also of the payload. TrapX emulations are designed to engage and disrupt attackers and are even capable, in this instance, of simulating the successful creation of a scheduled task. This means that DistTrack reveals all of its hidden behavior without threatening any mission-critical infrastructure in the process.


Malware Analysis

Static analysis of the malware reveals the Windows API functions that are called by DistTrack through the Windows DLL files, as shown in figure 11:

Figure 11


As mentioned, this process enables lateral movement through networked devices and shares. DistTrack has sophisticated anti-virtual-machine (VM) capabilities, designed to evade detection by isolated VM environments such as sandboxes. TrapX was still successful in extracting important artifact data from the malware.

Note also in figure 12 below that the portable executable (PE) analysis shows the resource sections included in the malware. DistTrack is encrypted to further frustrate any effort to gather intelligence about its nature. However, despite these advanced countermeasures, TrapX was still able to recognize the signature of DistTrack during our analysis.

Figure 12


About TrapX Security

TrapX has created a new generation of deception technology that provides real-time breach detection and prevention. Our field-proven solution deceives would-be attackers with turn-key decoys (Traps) that “imitate” your true assets. Hundreds or thousands of Traps can be deployed with little effort, creating a virtual minefield for cyberattacks and alerting you to any malicious activity with actionable intelligence immediately. Our solutions enable our customers to rapidly isolate, fingerprint, and disable new zero-day attacks and APTs in real time. Uniquely, our automation, innovative protection for your core, and extreme accuracy enable us to provide complete and deep insight into malware and malicious activity unseen by other types of cyber defense. TrapX Security has many thousands of government and Global 2000 users around the world, servicing customers in defense, health care, finance, energy, consumer products, and other key industries.

TrapX Security, Inc.
1875 S. Grant St., Suite 570
San Mateo, CA 94402
+1-855-249-4453
www.trapx.com
[email protected]@[email protected]

TrapX, TrapX Security, DeceptionGrid and CryptoTrap are trademarks or registered trademarks of TrapX Security in the United States and other countries. Other trademarks used in this document are the property of their respective owners. © 2017 TrapX Security. All Rights Reserved.

Conclusion

This report describes DeceptionGrid’s effectiveness in detecting the spread of malware across networks and the tools companies can use to combat malware threats.

DistTrack was first seen in 2012, but it has made a comeback with a vengeance, using a new variant that can spread across networks by using hardcoded credentials, disabling Windows UAC protection, overwriting files, and destroying the OS MBR section. This malware wreaks destruction across systems that it attacks.

DistTrack has built-in mechanisms to hide its functionality and prevent analysis via debugger tools and malware sandboxes. TrapX DeceptionGrid helps organizations defend against this highly destructive malware and provides the necessary indicators to prevent further destruction. DeceptionGrid decoys (Traps) are fake IT assets that can be deployed at any segment of the network; hence, if DistTrack spreads across the network, it can be detected immediately once the malware lands on one of the Traps. From that point on, the information and timelines are presented in the TSOC, and appropriate actions can be taken to stop DistTrack’s spread.

This information can be leveraged faster using the TrapX partner ecosystem. We share intelligence and indications of compromise with integrated vendor partners. Key information flowing from DeceptionGrid can also be shared with your network access control (NAC) to immediately isolate offending endpoints and compromised resources. The power of our ecosystem enables you to identify and isolate DistTrack rapidly, stop attacks, and resume normal operations with confidence.