Reversing and Decrypting the Communications of APT Malware

Monnappa KA – Info Security Investigator

Disclaimer

The Content, Demonstration, Source Code and Programs

presented here is "AS IS" without any warranty or conditions

of any kind. Also the views/ideas/knowledge expressed here are

solely of the mine and nothing to do with the company or the

organization in which I am currently working.

However in no circumstances neither I or SecurityXploded is

responsible for any damage or loss caused due to use or misuse

of the information presented here

Who AM I

Monnappa KA Member of SecurityXploded Info Security Investigator @ Cisco Focus on Threat Intelligence Reverse Engineering, Malware Analysis, Memory Forensics Email: monnappa22@gmail.com Twitter: @monnappa22 Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8

APT Malware - Etumbot

Etumbot Cyber Espionage Campaign

Demo 1 – Sandbox Analysis of Etumbot dropper

Demo 2 – Reverse Engineering the Communications of Etumbot Backdoor

Demo 3 – Decrypting the Communications of Etumbot Backdoor

References

Contents

APT Malware - Etumbot

Used in APT/Cyber espionage/targeted attacks Associated with Chinese cyber espionage group (Numbered Panda, APT12, Calc team) Sent to targets via spear phishing email Targeted government organizations in Taiwan and Japan Drops decoy documents of interest to Taiwanese and Japanese population Also referred to as Exploz, Specfix and RIPTIDE Ref link1: http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/ Ref link2:

http://www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html

Etumbot Cyber Espionage Campaign

Demo 1

Sandbox Analysis of Etumbot dropper(5340.exe)

File system and Registry activityEtumbot dropper (5340.exe) drops another file winlogdate.exe (which is Etumbot backdoor). The malware also adds a registry entry so that Etumbot backdoor can persist on the system

Network ActivityEtumbot Backdoor (winlogdate.exe) connects to the C2 server with two communication patterns

First Communication Pattern

In the first communication pattern the malware receives response from the C2 server. The response looks like an encoded string

Second Communication PatternIn the second communication pattern the malware sends a request, which looks like a request to download an image file (.jpg), but the string before .jpg looks like an encrypted string. In order understand these communication patterns, lets reverse engineer the Etumbot backdoor

Demo 2

Reverse Engineering the Communications ofEtumbot Backdoor (winlogdate.exe)

Reversing First Communication patternEtumbot Backdoor calls the below function. This function implements the First Communication pattern, this function calls multiple functions as shown in the call graph below

Reversing First Communication pattern (contd)

The malware uses below API call to open an http session with the C2 Server (wwap.publiclol.com)

Reversing First Communication pattern (contd)

Etumbot Backdoor uses below API call to create an http handle and the below screenshot shows the object the malware is going to request in the http request.

Reversing First Communication pattern (contd)Etumbot Backdoor uses below API call to send the request and the C2 server sends an encoded response to the backdoor.

Reversing First Communication pattern (contd)Etumbot backdoor receives the encoded response from the C2 using the below API

Reversing First Communication pattern (contd)Etumbot backdoor passes the received content to the custom base64 algorithm which decodes the received content and extracts the RC4 key starting at offset 8. This RC4 key is used to encrypt subsequent communications. It can be deduced that the first communication pattern is used by the malware to receive the RC4 key from the attackers.

Reversing Second Communication patternEtumbot Backdoor calls the below function. This function implements the Second Communication pattern, this function calls multiple functions as shown in the call graph below

Reversing Second Communication pattern (contd)Etumbot Backdoor collects the system information (hostname, username, ip and proxy details) and passes it to the RC4 function (with the RC4 key retrieved from the first communication).

Reversing Second Communication pattern (contd)The collected system information is encrypted with RC4 key which was retrieved from the first communication. Below screenshot shows the RC4 encrypted system information

Reversing Second Communication pattern (contd)The RC4 encrypted system information is then passed to the custom base64 encoding function as shown below

Reversing Second Communication pattern (contd)The RC4 encrypted system information is then encoded with custom base64 encoding algorithm as shown below.

Reversing Second Communication pattern (contd)The base64 encoded string is then concatenated with /image/ and .jpg to form a final string as shown below

Reversing Second Communication pattern (contd)

The malware connects to the C2 server (wwap.publiclol.com) using the concatenated string as the http request pattern.

Reversing Second Communication pattern (contd)Malware sends the http request as shown below. As you can see from packet capture the encrypted system information is sent to the attackers this way. Now we know how malware decodes the RC4 key from first communication and how that RC4 key is used to encrypt subsequent communications. We can write decryptors to extract the RC4 key and to decrypt the communications.

Demo 3

Decrypting the communications ofEtumbot Backdoor (winlogdate.exe)

Python script – To extract RC4 key

Below screenshot shows the python script (get_key.py) which takes encoded response from C2 server as input, then decodes it and extracts the RC4 key

Extracting RC4 key from C2 ResponseBelow screenshot shows the encoded response from C2 server. This encoded response is given to the script which decoded and extracted the RC4 key

Python script – to decrypt communications

Below screenshot shows the script to decrypt subsequent communications using the RC4 key obtained from first communication

Python script – to decrypt communications

Below screenshot shows the encrypted string. The script takes the encrypted string and decrypts it. The decrypted output is the information (hostname, username, ip, proxy details) collected from the system, where the malware was run (in this case sandbox machine)

a) ARBOR Networks Report on Etumbot

http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/

b) FireEye’s Blog post

http://www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.h

tml

References

Question & Answer

Thank you